[Release & Source] Flyff Webzen Bow Hack

05/20/2019 19:10 Omdi#1
When using this hack you will always attack with a charged bow.

Usage:
Code:
BINARIES REMOVED
Hotkeys:
Code:
BINARIES REMOVED
Source:
Code:
bool AlreadyHooked = false;
UINT32 gRWXBuf = NULL;
UINT32 gSendActMsgOrig = NULL;
UINT32 gStrongBowEnabled = NULL;
void BowHack()
{
	auto GameBase = GetBaseAddress();
	if (!GameBase)
	{
		return;
	}

	// SendActMsg: Neuz.exe + 19B780 | 55 8B EC F6 41 08 08 74 ??
	// Inject shellcode if not already done
	if (!AlreadyHooked)
	{
		// Get CActionMover Object
		UINT32 Ptr1 = *(UINT32*)(GameBase + 0x004FFA94);
		if (Ptr1)
		{
			UINT32 CActionMoverObj = *(UINT32*)(Ptr1 + 0x33C);
			if (CActionMoverObj)
			{
				DbgPrint("CActionMoverObj @ %X\n", CActionMoverObj);

				// First 16 Bytes used for Shadow VMT
				UINT32 CActionMoverObjVtable = *(UINT32*)CActionMoverObj;
				if (CActionMoverObjVtable)
				{
					DbgPrint("CActionMoverObjVtable: %X\n", CActionMoverObjVtable);

					// Allocate space for vmt & shellcode
					/*
					16 bytes - ShadowVMT
					4  bytes - Used for Settings
					?  bytes - Shellcode
					*/
					if (gRWXBuf == NULL)
					{
						SIZE_T RWXBufSize = PAGE_SIZE;
						fZwAllocateVirtualMemory(NtCurrentProcess(), (PVOID*)&gRWXBuf, 0, &RWXBufSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
						DbgPrint("gRWXBuf @ %X\n", gRWXBuf);
					}

					memcpy((void*)gRWXBuf, (void*)CActionMoverObjVtable, 16);

					// Save SendActMsg 
					gSendActMsgOrig = *(UINT32*)(CActionMoverObjVtable + 4);
					DbgPrint("gSendActMsgOrig @ %X\n", gSendActMsgOrig);

					// Save gStrongBowEnabled Ptr
					gStrongBowEnabled = (UINT32)(gRWXBuf + 16);

					// Setup shellcode
					unsigned char Shellcode[] =
					{
						0x50,				// push eax
						0x8B, 0x45, 0xDC,	// mov eax, [ebp-0x24] | eax now holds dwItemId
						0x83, 0xF8, 0x00,	// cmp eax, 0
						0x75, 0x11,			// jne $JMPBACK

						0xA1, 0xAA, 0xAA, 0xAA, 0xAA, // mov eax, [StrongBowEnabled]
						0x83, 0xF8, 0x01,   // cmp eax, 1

						0x75, 0x07,			// jne $JMPBACK
						0xC7, 0x45, 0xDC, 0x04, 0x00, 0x00, 0x00, // mov [ebp-0x24], 4

						// $JMPBACK
						0x58,  // pop eax
						0xE9, 0xBB, 0xBB, 0xBB, 0xBB, // jmp [gSendActMsgOrig]
					};

					*(UINT32*)(Shellcode + 10) = (UINT32)gStrongBowEnabled; // StrongBowEnabled
					*(UINT32*)(Shellcode + 28) = (UINT32)(gSendActMsgOrig - (gRWXBuf + 47) - 5); // jmp back

					// Copy Shellcode
					memcpy((void*)(gRWXBuf + 20), Shellcode, sizeof(Shellcode));

					// Patch VMT Ptr
					*(UINT32*)(gRWXBuf + 4) = (UINT32)(gRWXBuf + 20);
					*(UINT32*)(CActionMoverObj) = gRWXBuf;
					DbgPrint("VMT Hook placed :)\n");

					AlreadyHooked = true;
				}
			}
		}
		
	}

	if (AlreadyHooked)
	{
		if (gItems.bowAlwaysStrongAttack)
			*(UINT32*)gStrongBowEnabled = 1;
		else
			*(UINT32*)gStrongBowEnabled = 0;
	}

}
Thanks to @[user link removed]
I hope you guys learn from my source :)
05/20/2019 23:08 devil1485#2
Nice work! Tested and works like a charm!

If you could add a range hack it would be awesome ^^
05/20/2019 23:11 Jakob121#3
-
05/23/2019 23:15 Omdi#4
Please note:
You will not be able to use the Hotkey if Flyff is started in Fullscreen (Switch to Desktop or press F10 before you start Flyff).
To avoid BSOD you should update to the most recent Win10 version. This is a Proof of Concept so feel free to port this to usermode (probably more stable). Source is available, should be rather easy to port.
05/25/2019 01:02 Viktor89#5
What does this do exactly?
05/25/2019 04:39 buglyff#6
Will this work in PlayPark Flyff? :D Hoping you will make one for PlayPark Flyff if it's not working :D Thanks though :D
06/04/2019 10:27 aavmrm#7
[image link removed]

I tried it on the official Flyff but I get this error; I have Windows 7.
06/04/2019 14:25 cookie69#8
@[user link removed] is there any reason to go ring0 for gg? You can use manual mapping to inject at process suspended status and resume.
06/04/2019 15:02 Omdi#9
Quote:
Originally Posted by cookie69
@[user link removed] is there any reason to go ring0 for gg? You can use manual mapping to inject at process suspended status and resume.
I just went ring0 as a PoC, there is actually in this case no reason to do so. You could also most likely manual map into lsass.exe and use its handle to the game process instead to allocate & write to it.
06/04/2019 19:48 itatchi42#10
Thank you for your work!
To be comprehensive, are there any other pservers that this has been tested to work on?
06/04/2019 22:18 cookie69#11
Quote:
Originally Posted by itatchi42
Thank you for your work!
To be comprehensive, are there any other pservers that this has been tested to work on?
If you ask the question that means you did not understand what he did...
Of course this would work in all/most pservers (but you need to find the addresses and offsets) because he hooked a virtual method that is present in all flyff sources.

It is just another way of hooking the in-game functions that seems to be not detected by GG.

Code:
virtual int		SendActMsg( OBJMSG dwMsg, int nParam1 = 0, int nParam2 = 0, int nParam3 = 0, int nParam4 = 0, int nParam5 = 0 );
You can hook with Microsoft Detours or any other hooking method (check google for that) but I guess @[user link removed] used the VMT hook because it is not detected by gg (I may be wrong about the real reason for using VMT hook).
06/04/2019 23:10 Omdi#12
Quote:
Originally Posted by cookie69
If you ask the question that means you did not understand what he did...
Of course this would work in all/most pservers (but you need to find the addresses and offsets) because he hooked a virtual method that is present in all flyff sources.

It is just another way of hooking the in-game functions that seems to be not detected by GG.

Code:
virtual int		SendActMsg( OBJMSG dwMsg, int nParam1 = 0, int nParam2 = 0, int nParam3 = 0, int nParam4 = 0, int nParam5 = 0 );
You can hook with Microsoft Detours or any other hooking method (check google for that) but I guess @[user link removed] used the VMT hook because it is not detected by gg (I may be wrong about the real reason for using VMT hook).
You are correct, VMT hooks are undetected that's why I used them :)
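The exchange above (and the shadow-VMT trick in Omdi's source post, where the first vtable entries are copied into a fresh RWX buffer, one slot is redirected and the object's vptr is repointed at the copy) turns on the claim that a VMT hook goes unnoticed by GameGuard. As an added example, not code from the thread, from Omdi, or from any anti-cheat product, here is a portable C model of the integrity check an anti-cheat or EDR component can run to catch exactly that. `Actor`, `ACTOR_VTABLE`, the `act_*` functions, the enum names and the code range are constructed stand-ins; a real checker would take the expected vtable address and the allowed code range from the module's section headers rather than from the objects it is checking.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define VMT_SLOTS 4

typedef struct Actor Actor;
typedef int (*ActFn)(Actor *self, int msg, int param);
_Static_assert(sizeof(ActFn) == sizeof(uintptr_t), "slot targets are compared as uintptr_t");

/* C model of a C++ object: the vptr is the first field, exactly what the hook rewrites. */
struct Actor {
    const ActFn *vptr;
    int last_param;
};

/* Legitimate virtual functions; they stand in for code in the module's .text section. */
static int act_destroy(Actor *self, int msg, int param)      { (void)self; (void)msg; return param; }
static int act_send_act_msg(Actor *self, int msg, int param) { self->last_param = param; return msg; }
static int act_move(Actor *self, int msg, int param)         { (void)self; return msg + param; }
static int act_stop(Actor *self, int msg, int param)         { (void)self; (void)msg; (void)param; return 0; }

/* Legitimate vtable, standing in for the read-only one in the module image.
   Slot 1 plays the role of SendActMsg, the slot the thread's shellcode redirects. */
static const ActFn ACTOR_VTABLE[VMT_SLOTS] = { act_destroy, act_send_act_msg, act_move, act_stop };

typedef struct {
    const ActFn *vtable;          /* expected vptr value */
    uintptr_t slots[VMT_SLOTS];   /* expected slot targets */
    uintptr_t code_lo, code_hi;   /* range the slot targets must fall into */
} VmtBaseline;
typedef enum { VMT_OK = 0, VMT_VPTR_SWAPPED = 1, VMT_SLOT_TAMPERED = 2 } VmtVerdict;

/* Read slot i as an integer without aliasing a function pointer as another type. */
static uintptr_t slot_target(const ActFn *vt, size_t i) { uintptr_t v; memcpy(&v, &vt[i], sizeof v); return v; }

/* Record the trusted state at startup, before injected code can run. A real checker takes the
   code range from the module's section headers; deriving it from the targets is a simplification. */
void vmt_capture_baseline(const Actor *obj, VmtBaseline *out)
{
    out->vtable = obj->vptr;
    out->code_lo = UINTPTR_MAX; out->code_hi = 0;
    for (size_t i = 0; i < VMT_SLOTS; i++) {
        out->slots[i] = slot_target(obj->vptr, i);
        if (out->slots[i] < out->code_lo) out->code_lo = out->slots[i];
        if (out->slots[i] > out->code_hi) out->code_hi = out->slots[i];
    }
}

/* Two invariants: the vptr still points at the original vtable (a shadow copy fails this), and
   every slot still holds its recorded target inside the code range (an in-place patch or a
   trampoline in an RWX buffer fails this). *bad_slot receives the first offending slot index. */
VmtVerdict vmt_check(const Actor *obj, const VmtBaseline *base, size_t *bad_slot)
{
    VmtVerdict verdict = (obj->vptr == base->vtable) ? VMT_OK : VMT_VPTR_SWAPPED;
    for (size_t i = 0; i < VMT_SLOTS; i++) {
        uintptr_t t = slot_target(obj->vptr, i);
        if (t != base->slots[i] || t < base->code_lo || t > base->code_hi) {
            if (bad_slot) *bad_slot = i;
            return verdict == VMT_OK ? VMT_SLOT_TAMPERED : verdict;
        }
    }
    return verdict;
}

/* Constructed fixture so the checker has something to catch: copy the slots, redirect slot 1,
   repoint the vptr. The new target is a data buffer that is never called; it only needs an
   address outside the legitimate code range. */
static uintptr_t g_shadow_vmt[VMT_SLOTS];
static unsigned char g_fake_trampoline[32];
void simulate_shadow_vmt(Actor *obj)
{
    memcpy(g_shadow_vmt, obj->vptr, sizeof g_shadow_vmt);
    g_shadow_vmt[1] = (uintptr_t)g_fake_trampoline;
    obj->vptr = (const ActFn *)g_shadow_vmt;
}

/* Run one scenario on a fresh object and report the verdict (and the flagged slot, if any). */
VmtVerdict run_scenario(int tamper, size_t *bad_slot)
{
    Actor a = { ACTOR_VTABLE, 0 };
    VmtBaseline base;
    vmt_capture_baseline(&a, &base);
    if (tamper) simulate_shadow_vmt(&a);
    return vmt_check(&a, &base, bad_slot);
}

size_t flagged_slot(int tamper)
{
    size_t slot = VMT_SLOTS;   /* sentinel: nothing flagged */
    run_scenario(tamper, &slot);
    return slot;
}

int main(void)
{
    printf("clean object:    verdict %d\n", (int)run_scenario(0, NULL));
    printf("tampered object: verdict %d, slot %zu\n", (int)run_scenario(1, NULL), flagged_slot(1));
    return 0;
}
```

Build with `cc -Wall vmt_check.c && ./a.out`; the clean object reports verdict 0 and the tampered one reports verdict 1 with slot 1 flagged. The two invariants are deliberately independent: the vptr comparison catches a shadow table even before any slot is changed, and the per-slot range test catches an in-place patch of the real table, which leaves the vptr untouched. In a real process the same idea pairs naturally with a periodic scan for private, executable-and-writable regions, since the technique needs an RWX buffer to hold both the copied table and the trampoline.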
06/05/2019 00:05 itatchi42#13
You're right; I'm not yet skilled in this area, but I am actively learning.
I appreciate your responses, cookie69 and Omdi.
06/14/2019 09:57 nicenickman#14
i need how to find hack value no charger with CE
06/15/2019 11:13 iSuperman#15
For the noobs: how are we supposed to use this?