Need help to understand long range waithack

02/10/2021 02:46 sad666#1

Hi I'm trying to increase waithack range.
I currently attack mobs around using the sendbattle function I know there is a distance check function in server side so I tried send move packet with attack but this only affects the observers. Can anyone help me please ?

Also this empty area is my waithack range

Spoiler

02/10/2021 23:47 ones-and-zer0es.mpeg#2

Quote:

Originally Posted by sad666

Hi I'm trying to increase waithack range.
I currently attack mobs around using the sendbattle function I know there is a distance check function in server side so I tried send move packet with attack but this only affects the observers. Can anyone help me please ?

Also this empty area is my waithack range

Spoiler

[Only registered and activated users can see links. Click Here To Register...]

Can u post some code?

02/11/2021 00:01 Drakulax#3

02/11/2021 00:42 MrCrisp#4

Quote:

Originally Posted by sad666

Hi I'm trying to increase waithack range.
I currently attack mobs around using the sendbattle function I know there is a distance check function in server side so I tried send move packet with attack but this only affects the observers. Can anyone help me please ?

Also this empty area is my waithack range

Spoiler

[Only registered and activated users can see links. Click Here To Register...]

Do you directly send the packet or do you invoke the function by a function pointer?

02/11/2021 02:01 sad666#5

Quote:

Originally Posted by MrCrisp

Do you directly send the packet or do you invoke the function by a function pointer?

I am calling SendAttackPacket function in CPythonNetworkManager class.I checked TPacketCGAttack structure but I couldn't see important variable to change.Doesn't that packet define with arguments from the SendAttackPacket function ?

Code:

auto mobList = Entity::GetMobList();
for (Instance* mob : mobList)
{
    CPythonNetworkManager::GetInstance()->SendAttackPacket(0, mob->GetVid());
}

02/11/2021 02:17 ones-and-zer0es.mpeg#6

Quote:
Originally Posted by sad666
I am calling SendAttackPacket function in CPythonNetworkManager class.I checked TPacketCGAttack structure but I couldn't see important variable to change.Doesn't that packet define with arguments from the SendAttackPacket function ?
Code:
auto mobList = Entity::GetMobList();
for (Instance* mob : mobList)
{
    CPythonNetworkManager::GetInstance()->SendAttackPacket(0, mob->GetVid());
}

you have to teleport to the mob before attacking

02/11/2021 02:42 sad666#7

Sorry guys I think I messed up move position on my first try. Now its working correctly using state packet

02/11/2021 03:08 ones-and-zer0es.mpeg#8

Quote:

Originally Posted by sad666

I saw this video from xAdr1an Multihack topic
[Only registered and activated users can see links. Click Here To Register...]
It seems like doesn't teleport at least client side and I tried SendStatePacket for move but nothing change.

*It seems like doesn't teleport at least client side* it doesn't thats correct, check with second character - aslong as

Code:

inline float DISTANCE_SQRT(long dx, long dy) {
	return sqrt((float)dx * dx + (float)dy * dy);
}

is less then 40 when you're on a mount or 25 when not

Code:

NEW_GetPixelPosition(main_instance, &main_pos);
NEW_GetPixelPosition(target, &dest_pos);
float xDiff = dest_pos.x - main_pos.x;
float yDiff = dest_pos.y - main_pos.y;
float fDist = DISTANCE_SQRT((main_pos.x - dest_pos.x) / 100, (main_pos.y - dest_pos.y) / 100);
if ((ChrMgr::i().IsMounted() && fDist < 40.f) || fDist < 25.f) {
	SendCharacterStatePacket(dest_pos, 10.f, 0, 0);
	SendAttackPacket(target);
	SendCharacterStatePacket(main_pos, 10.f, 0, 0);
}

02/11/2021 03:25 sad666#9

Thank you for helping me I just realized I made a mistake sending position info now working correctly

02/13/2021 21:24 baba4507#10

hello how can I put the codes given above in the targetdamag, can you help me?

Quote:

Originally Posted by ones-and-zer0es.mpeg

*It seems like doesn't teleport at least client side* it doesn't thats correct, check with second character - aslong as

Code:

inline float DISTANCE_SQRT(long dx, long dy) {
	return sqrt((float)dx * dx + (float)dy * dy);
}

is less then 40 when you're on a mount or 25 when not

Code:

NEW_GetPixelPosition(main_instance, &main_pos);
NEW_GetPixelPosition(target, &dest_pos);
float xDiff = dest_pos.x - main_pos.x;
float yDiff = dest_pos.y - main_pos.y;
float fDist = DISTANCE_SQRT((main_pos.x - dest_pos.x) / 100, (main_pos.y - dest_pos.y) / 100);
if ((ChrMgr::i().IsMounted() && fDist < 40.f) || fDist < 25.f) {
	SendCharacterStatePacket(dest_pos, 10.f, 0, 0);
	SendAttackPacket(target);
	SendCharacterStatePacket(main_pos, 10.f, 0, 0);
}

Spoiler

02/14/2021 01:37 ones-and-zer0es.mpeg#11

Quote:

Originally Posted by baba4507

hello how can I put the codes given above in the targetdamag, can you help me?

Spoiler

// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"

#include <Windows.h>

bool SendBattleAttack(int vId)

{

DWORD NetPointer = *(DWORD*)0x09738F0;

DWORD BattleCall = 0x05D2850;

__asm

{
mov ecx, NetPointer
push vId
push 0
call BattleCall

}
return 0;
}

void Target()

{

while (true)
{
DWORD GetTargetVID = (*(DWORD*)(*(DWORD*)0x0973994 + 0x00198C4));
SendBattleAttack(GetTargetVID);
Sleep(30);
}

}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)

{

switch (ul_reason_for_call)

{

case DLL_PROCESS_ATTACH:

CreateThread(NULL, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(Target), hModule, 0, NULL);

}

return TRUE;

}

I can't really help you, you have to reverse these functions, that's nothing i can do for you. Get a public client source and search for the function defintions by searching for the names used in my snippet.

02/17/2021 17:08 oatuh998#12

Quote:

Originally Posted by ones-and-zer0es.mpeg

I can't really help you, you have to reverse these functions, that's nothing i can do for you. Get a public client source and search for the function defintions by searching for the names used in my snippet.

can we dump functions like SendCharacterStatePacket in python and convert them to c ++ for using without python sdk ?

02/21/2021 15:30 martinx1#13

Quote:

Originally Posted by oatuh998

can we dump functions like SendCharacterStatePacket in python and convert them to c ++ for using without python sdk ?

There is no SendCharacterStatePacket in python sdk, you have to find the function in the binary, to makes things easy, i will give you the pattern for oficial game servers:
Pattern: "\x55\x8b\xec\x83\xec\x00\x89\x4d\x00\xc6\x45\x00\ x00\x8d\x45\x00\x50\x8b\x4d\x00\xe8\x00\x00\x00\x0 0\x0f\xb6\x00\x85\xc9\x75\x00\x32\xc0\xe9\x00\x00\ x00\x00\x8b\x4d\x00\xe8\x00\x00\x00\x00\x0f\xb6\x0 0\x85\xd2\x75\x00\xb0\x00\xe9\x00\x00\x00\x00\xd9\ x45"
Mask: "xxxxx?xx?xx??xx?xxx?x????xx?xxx?xxx????xx?x????xx ?xxx?x?x????xx"

In order to call this function you need to also find the NetworkClassPointer, and pass it in the ECX register, i will let you figure out this part :)