Rappelz Bot Development

04/27/2014 16:55 new124tan#1
Hi everyone

I am trying to code a new Rappelz bot for users.
I unpacked sframe.exe; I think we can make a GameGuard bypass and emulate it, and then we could make a functional Rappelz bot.
Everyone can join me to develop this bot.

First milestone is: remove GameGuard from the game..

Here is the unpacked exe: [Only registered and activated users can see links. Click Here To Register...]

Here are some GameGuard call functions I found:

CPU Disasm
Address Hex dump Command Comments
0082A5B4 |> \68 3CE8B600 PUSH 00B6E83C ; /Arg1 = ASCII "use_nprotect"
0082A5B9 |. E8 E2530400 CALL 0086F9A0 ; |
0082A5BE |. 8BC8 MOV ECX,EAX ; |
0082A5C0 |. E8 5B510400 CALL 0086F720 ; \SFrame.0086F720
0082A5C5 |. 85C0 TEST EAX,EAX
0082A5C7 |. 74 0D JE SHORT 0082A5D6
0082A5C9 |. E8 32350000 CALL 0082DB00 ; [SFrame.0082DB00
04/29/2014 17:35 DragonicAges#2
What about AutoIt???
Still working for me, and even easy to configure....
04/29/2014 19:53 new124tan#3
AutoIt is a good choice. However, if we could remove GameGuard and bypass its heartbeat packets, we could send data to the Rappelz servers from the exe's memory thread, and we could hack all client-side controls; also, we could develop a more efficient and stable bot than AutoIt.
05/02/2014 22:34 misterd#4
use_nprotect is used by HackShield, not by GameGuard.

As well, even if you did undo the GameGuard, it would not work: the server-side content also needs to have GameGuard disabled, else if you did not connect at first it will still crash you.
05/03/2014 02:15 ThunderNikk#5
Quote:
Originally Posted by misterd
use_nprotect is used by HackShield, not by GameGuard.

INCA nProtect are the programmers of GameGuard. Anything calling out nProtect is referring to GameGuard.

HackShield is programmed by AhnLab.
05/03/2014 10:45 new124tan#6
use_nprotect is used by GameGuard. You can download the unpacked exe; it's a clean exe and you can research it.
05/04/2014 05:00 misterd#7
No need to research the .exe, I already have a GameGuard manipulator, and I have all the GameGuard server files.... use_nprotect is only for HackShield (which is, and still is, used) because this is the 'ping' check of whether a user is there or not to respond.

// NProtect GameGuard (NPGameMon DLL export declarations, as posted)
// Added so the fragment compiles on its own: the Win32 types and the export
// macro that the posted excerpt assumes are defined elsewhere.
#include <windows.h>
#ifndef __cplusplus
#include <stdbool.h>   // the ResourceAuth* declarations use 'bool'
#endif
#ifndef NPGAMEDLL_API
#define NPGAMEDLL_API __declspec(dllimport)
#endif

// Packet ids of the client<->server GameGuard request/answer (heartbeat) exchange.
// CS_MAP is the game's own packet-id base and is not part of this excerpt.
#define CS_NPROTECT_REQ (CS_MAP + 0x0940)
#define CS_NPROTECT_ACK (CS_MAP + 0x0941)

// gameguard auth data: the four values carried in the auth request/answer
typedef struct _GG_AUTH_DATA
{
    DWORD dwIndex;
    DWORD dwValue1;
    DWORD dwValue2;
    DWORD dwValue3;
} GG_AUTH_DATA, *PGG_AUTH_DATA;

#ifdef __cplusplus
extern "C" {
#endif

// lifecycle of the GameGuard monitor process
NPGAMEDLL_API DWORD __cdecl CheckNPGameMon();
NPGAMEDLL_API BOOL __cdecl CloseNPGameMon();
NPGAMEDLL_API DWORD __cdecl InitNPGameMon();
NPGAMEDLL_API void __cdecl SetHwndToGameMon(HWND hWnd);
NPGAMEDLL_API DWORD __cdecl PreInitNPGameMonA(LPCSTR szGameName);
NPGAMEDLL_API DWORD __cdecl PreInitNPGameMonW(LPCWSTR szGameName);
NPGAMEDLL_API BOOL __cdecl SendUserIDToGameMonA(LPCSTR szUserID);
NPGAMEDLL_API BOOL __cdecl SendUserIDToGameMonW(LPCWSTR szUserID);
// server-issued auth challenge handed to the monitor (single value / struct form)
NPGAMEDLL_API BOOL __cdecl SendCSAuthToGameMon(DWORD dwAuth);
NPGAMEDLL_API BOOL __cdecl SendCSAuth2ToGameMon(PGG_AUTH_DATA pAuth);
NPGAMEDLL_API LPSTR __cdecl NPDect(LPSTR lpszString);
NPGAMEDLL_API BOOL __cdecl NPGuardData(LPVOID lpData, DWORD dwSize);
NPGAMEDLL_API BOOL __cdecl NPReleaseData(LPVOID lpData, DWORD dwSize);
NPGAMEDLL_API LPCSTR __cdecl GetInfoFromGameMon();
NPGAMEDLL_API LPBYTE __cdecl GetHackInfoFromGameMon(DWORD* dwSize);
NPGAMEDLL_API BOOL __cdecl ResourceAuthA(LPCSTR lpszFilename, bool bCheckFilename /* = true */ );
NPGAMEDLL_API BOOL __cdecl ResourceAuthW(LPCWSTR lpszFilename, bool bCheckFilename /* = true */ );
NPGAMEDLL_API BOOL __cdecl CheckD3DDevice(LPVOID lpD3DDevice, LPSTR lpszDll);
NPGAMEDLL_API DWORD __cdecl GGGetLastError(); // 2009.07.27
NPGAMEDLL_API BOOL __cdecl SetRunGGerror(); // 2009.10.12

// packet protection layer applied to game traffic before it leaves the client
NPGAMEDLL_API DWORD __cdecl InitPacketProtect(LPCSTR lpszUserKey);
NPGAMEDLL_API DWORD __cdecl EncryptPacket(LPVOID lpData, DWORD dwLength);
NPGAMEDLL_API DWORD __cdecl DecryptPacket(LPVOID lpData, DWORD dwLength);
NPGAMEDLL_API DWORD __cdecl EncryptPeerPacket(LPVOID lpData, DWORD dwLength);
NPGAMEDLL_API DWORD __cdecl DecryptPeerPacket(LPVOID lpData, DWORD dwLength);
NPGAMEDLL_API DWORD __cdecl PPGetLastError();

NPGAMEDLL_API BOOL __cdecl FixVC80DEP();

// the monitor reports events back to the game through this callback
typedef BOOL (CALLBACK *NPGMCALLBACK)(DWORD dwMsg, DWORD dwArg);
NPGAMEDLL_API void __cdecl SetCallbackToGameMon(NPGMCALLBACK fnCallback);

NPGAMEDLL_API DWORD __cdecl SetModulePathA(LPCSTR szModulePath); // 2008.10.31
NPGAMEDLL_API DWORD __cdecl SetModulePathW(LPCWSTR szModulePath); // 2008.10.31

NPGAMEDLL_API BOOL __cdecl IsAdminPrivilege(); // 2009.02.25

#ifdef __cplusplus
}
#endif

Good luck.
05/05/2014 09:16 Rift2552#8
Don't know if this helps, but I managed to bypass GameGuard in a different way. It's not a perfect solution, but hey, it works: it bypasses the CRC checks from GameGuard and still allows it to do its pings.

I suspend the GameGuard processes and modify all the sframe code that I need to log all the sent packets from the game before they are encrypted, which allows me to send packets. I suspend it for about 30 seconds or so. Then I restore all the original code and resume the GameGuard processes so that it can do its CRC check and send the ping packet. Put it in a loop.. Works fine at the moment.
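The pattern described in this post (the guard module paused for roughly 30 seconds, then resumed so the heartbeat still gets answered) is visible from the server side as a stretched REQ/ACK round trip. The detector below is an added example, not code from the thread or from the game: it assumes a constructed server log of the form "<seconds> <session> <event>" with the NPROTECT_REQ/NPROTECT_ACK events from the header above, and flags sessions whose acknowledgements arrive late or not at all.

```python
"""Server-side heartbeat gap detector for a GameGuard-style REQ/ACK exchange.

Added example, not from the thread. The log format and the 'session' field
are constructed assumptions; no real Rappelz server log looks like this."""
from collections import defaultdict

# Constructed sample: "<seconds> <session> <event>". REQ is issued by the
# server, ACK is returned by the client-side guard module. Session s2 shows a
# ~30 s stall on the second heartbeat and never answers the third one.
SAMPLE_LOG = """\
0   s1 NPROTECT_REQ
1   s1 NPROTECT_ACK
0   s2 NPROTECT_REQ
1   s2 NPROTECT_ACK
60  s1 NPROTECT_REQ
61  s1 NPROTECT_ACK
60  s2 NPROTECT_REQ
93  s2 NPROTECT_ACK
120 s1 NPROTECT_REQ
121 s1 NPROTECT_ACK
120 s2 NPROTECT_REQ
"""

def parse(log):
    """Group (timestamp, event) pairs by session id."""
    events = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        t, sess, ev = line.split()
        events[sess].append((float(t), ev))
    return events

def find_suspicious(log, max_ack_delay=10.0, now=140.0):
    """Return {session: [reasons]} for sessions whose ACK latency exceeds
    max_ack_delay or whose latest REQ is still unanswered at time `now`."""
    findings = defaultdict(list)
    for sess, evs in parse(log).items():
        pending = None  # timestamp of the REQ awaiting an ACK
        for t, ev in sorted(evs, key=lambda e: e[0]):
            if ev == "NPROTECT_REQ":
                if pending is not None:
                    findings[sess].append(f"REQ at {pending:g}s never acknowledged")
                pending = t
            elif ev == "NPROTECT_ACK" and pending is not None:
                delay = t - pending
                if delay > max_ack_delay:
                    findings[sess].append(f"ACK delayed {delay:g}s (> {max_ack_delay:g}s)")
                pending = None
        if pending is not None and now - pending > max_ack_delay:
            findings[sess].append(f"REQ at {pending:g}s unanswered after {now - pending:g}s")
    return dict(findings)
```

Tune max_ack_delay to the real heartbeat period; a value close to the interval between REQs would also catch a guard that is resumed just in time to answer every second ping.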
05/13/2014 08:08 DragonicAges#9
If you really get Rappelz hacked.... good job!
Some friends of mine and I tried to hack Rappelz a long time ago; it wasn't that easy xD
It isn't impossible, but you really need to be skilled as hell.
Some tries ended in a server crash....
06/03/2014 12:52 crasher1985#10
Has somebody checked this Sframe.exe?
06/13/2014 18:52 ~kau~#11
"Hacking" Rappelz is "impossible" because it's all server-side. So good luck hacking the DB ;)
But you can simply hide your bot.. (Easy as fuck :P)
Or code a full emu :P
06/13/2014 20:25 gr4ph0s#12
Yes, it's known that Rappelz doesn't send packets.... And you can't touch them...

BTW, don't try to troll if you are a genius like an oyster...
06/19/2014 18:02 balto143a#13
Hello! I wish I could help, but I have no valuable knowledge in this. Looking forward to seeing if you guys get it!! Good luck!

Edit: quick question, if you guys do make a bot, will it be free?
06/19/2014 22:00 eya123#14
Bla bla De...l.DLL not found
07/28/2014 11:00 repsoclo#15
Hi everyone, I play Rappelz in the Middle East, and I am wondering if there is any way to hack the game by increasing rupees and points. If anyone knows anything about that, please reply urgently.