Kal-Programmierung

//////////////////////////////////////////////////////////////////////
// ClientCore.cpp
// -------------------------------------------------------------------
// Default Client Dll entrypoint.
//////////////////////////////////////////////////////////////////////
#include <stdio.h>

#include "CommonStructs.h"

#define	EXPORT 	__declspec( dllexport ) __cdecl
#define PRIVATE 	__cdecl

#define BIND_TO_SERVER(x) server->##x##=(fn##x##)GetProcAddress(hModule,#x ##);

extern "C" {
BOOL EXPORT OnGameCommandLine(char* argv[], int argc);
WORD EXPORT OnPacketBeforeSent(LPBYTE pbPacket, WORD wLen);
WORD EXPORT OnPacketBeforeRecv(LPBYTE pbPacket, WORD wLen);
BYTE EXPORT OnGameKeyUp(BYTE iKeyCode);
VOID EXPORT OnUnitSelect(GAMEUNIT GameUnit);
BOOL EXPORT OnMapClick(PGAMEUNITCOORDS cClick);
}
BOOL PRIVATE OnClientStop();
BOOL PRIVATE OnClientStart();

#pragma comment(lib, "shlwapi.lib")
#include <shlwapi.h>
//////////////////////////////////////////////////////////////////////
// Global server struct holding pointers to exported functions
//////////////////////////////////////////////////////////////////////
FUNCTIONENTRYPOINTS 	*server;
HMODULE   g_hModule;  	// New Global
char   g_szModuleDir[MAX_PATH];	// New Global

//////////////////////////////////////////////////////////////////////
// Dll entry/exit
//////////////////////////////////////////////////////////////////////
BOOL APIENTRY DllMain(HMODULE hinstModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
	
	char	szTemp[MAX_PATH];


	BOOL hResult = TRUE;
  switch (ul_reason_for_call)
	{
 case DLL_PROCESS_ATTACH:
 	
 	// initiate client
 	g_hModule = (HMODULE)hinstModule;
  GetModuleFileName( g_hModule, szTemp, sizeof(szTemp) );
 	PathRemoveFileSpec(szTemp);
  sprintf( g_szModuleDir, szTemp );

 	// Create server/me struct 	
 	server	= new FUNCTIONENTRYPOINTS;
 	// Bind exported functions from server
 	HMODULE hModule;
 	hModule = (HMODULE)GetModuleHandle("KalHackIt");
 	if(!hModule)
 	{
  MessageBox(0,"Unable to find KalHackIt.dll in process",0,0);
  return FALSE;
 	}
 	// Macros make this look a lot nicer :)
 	BIND_TO_SERVER(GameCommandLine);
 	BIND_TO_SERVER(GameCommandLinef);

 	BIND_TO_SERVER(GamePrintString);
 	BIND_TO_SERVER(GamePrintInfo);
 	BIND_TO_SERVER(GamePrintError);

 	BIND_TO_SERVER(GamePrintStringf);
 	BIND_TO_SERVER(GamePrintInfof);
 	BIND_TO_SERVER(GamePrintErrorf);

 	BIND_TO_SERVER(ClientSendPacketToServer);
 	BIND_TO_SERVER(ClientSendPacketToClient);
 	BIND_TO_SERVER(UserSendPacketToServer);
 	BIND_TO_SERVER(UserSendPacketToClient);

 	BIND_TO_SERVER(EnumUnits);
 	BIND_TO_SERVER(FindUnitByID);
 	BIND_TO_SERVER(FindUnitByName);
 	BIND_TO_SERVER(GetUnitName);
 	BIND_TO_SERVER(GetUnitID);
 	BIND_TO_SERVER(GetUnitCoord);
 	BIND_TO_SERVER(GetUnitType);
 	BIND_TO_SERVER(GetNextMonster);
 	BIND_TO_SERVER(GetPlayerUnit);
 	BIND_TO_SERVER(GetPlayerInfoStruct);

 	BIND_TO_SERVER(GetUnitLife);
 	BIND_TO_SERVER(GetUnitMaxLife);
 	BIND_TO_SERVER(GetPlayerLife);
 	BIND_TO_SERVER(GetPlayerMaxLife);

 	BIND_TO_SERVER(GetHeight);
 	BIND_TO_SERVER(teleport);
 	BIND_TO_SERVER(serverteleport);

 	BIND_TO_SERVER(GetSocket);

 	hResult = OnClientStart();
 	break;
 case DLL_PROCESS_DETACH:

 	// kill client
 	hResult = OnClientStop();
 	delete[] server;
 	break;
  } 
  return hResult;
}

//////////////////////////////////////////////////////////////////////
// Stubfunctions for 'property get' functions.
//////////////////////////////////////////////////////////////////////
// OnClientCommandLine
// -------------------------------------------------------------------
// The modules own extension of the command line interface. Any custom
// commands you add are parsed here.
//
// Return value should be TRUE, but it is not used at this 
// time.
//
// Arguments when we get here:
// argv[0] 	Name of module
// argv[1] 	Name of command (If supplied)
// argv[2 ... n]	The rest
//
// Syntax in the game: .<module> <arguments>
//////////////////////////////////////////////////////////////////////
BOOL EXPORT OnGameCommandLine(char* argv[], int argc)
{
	// Check if user supplied anything at all, if not assume help...
	if (argc==1)
 argv[argc++]="help";


	MODULECOMMANDSTRUCT* mcs=ModuleCommands;

	while (mcs->szName) {
 if (!stricmp(mcs->szName, argv[1]))
 	break;
 mcs++;
	}

	char *p,*t,*msg,*fMsg;
	fMsg=new char[256];
	//
	// Is this a built-in function ?
	if (mcs->szName) {
 //
 // If functions returns false, show usage help
 if (!mcs->pFunc(argv, argc)) {
 	t=new char[strlen(mcs->szUsage)+1];
 	server->GamePrintInfo("Usage:");
 	sprintf((char*)t, "%s", mcs->szUsage);
 	if (strlen((char*)t))
 	{
  msg=p=t;
  while (*p != 0) {
  	if (*p == '\n') 
  	{
   *(p++) = 0;
   sprintf(fMsg, ".%s %s", argv[0], msg);
   server->GamePrintInfo((char*)fMsg);
  	if (*p != 0)
   msg = p;
  	} else
   p++;
  	}
  sprintf(fMsg, ".%s %s", argv[0], msg);
  server->GamePrintInfo((char*)fMsg);
 	}
 	delete t;
 }
	} else {
	// Unknown command, show catch-all help phraze.
	t=new char[128];
	sprintf(t, "Unknown command '%s %s' - try '.%s help' to get help.",
 argv[0], argv[1], argv[0]);
	server->GamePrintError(t);
	delete t;
	}
	delete fMsg;
	return TRUE;
}


//////////////////////////////////////////////////////////////////////
// OnClientCommandHelp
// -------------------------------------------------------------------
// Our default help function.
//
// Syntax in the game: .<module> <arguments>
//////////////////////////////////////////////////////////////////////
BOOL PRIVATE OnGameCommandHelp(char** argv, int argc)
{
	// If command line is longer than 2, show usage for 'help'
	if (argc>2) return FALSE;

	char t[1024];
	sprintf(t, "Available commands for %s:", argv[0]);
	server->GamePrintInfo(t);

	// Loop through ModuleCommands[] and print their names
	for (int i=0; ModuleCommands[i].szName != NULL; i++)
	{
 sprintf(t, ".%s %s", argv[0], ModuleCommands[i].szName);
 server->GamePrintInfo(t);
	}

	sprintf(t, "For help on a specific command, type .%s <command> help", argv[0]);
	server->GamePrintInfo(t);
	return TRUE;
}

#include <string>
#include <windows.h>

#define MAXWAIT 10000

bool insertDll(DWORD procID, std::string dll)
{

HMODULE hLocKernel32 = GetModuleHandle("Kernel32");
FARPROC hLocLoadLibrary = GetProcAddress(hLocKernel32, "LoadLibraryA");


HANDLE hToken;
TOKEN_PRIVILEGES tkp;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid);
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, 0, &tkp, sizeof(tkp), NULL, NULL);
}


HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);


dll += '\0';
LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, dll.size(), MEM_COMMIT, PAGE_READWRITE);


DWORD numBytesWritten;
WriteProcessMemory(hProc, hRemoteMem, dll.c_str(), dll.size(), &numBytesWritten);


HANDLE hRemoteThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)hLocLoadLibrary, hRemoteMem, 0, NULL);

cout << hRemoteThread << endl;


bool res = false;
if (hRemoteThread)
res = (bool)WaitForSingleObject(hRemoteThread, MAXWAIT) != WAIT_TIMEOUT;


VirtualFreeEx(hProc, hRemoteMem, dll.size(), MEM_RELEASE);


CloseHandle(hProc);

return res;
}

function InjectLibrary(dwProcessID: DWord; pLibraryName: PChar): Boolean; stdcall;
var
dwProcessID2 : DWord;
dwMemSize  : DWord;
dwWritten  : DWord;
dwThreadID  : DWord;
pLLA     : Pointer;
pTargetMemory: Pointer;
begin
Result := False;

dwProcessID2 := OpenProcess(PROCESS_ALL_ACCESS,false,dwProcessID);
if (dwProcessID2 <> 0) then
 dwProcessID := dwProcessID2;

dwMemSize := Length(pLibraryName)+1;
pTargetMemory := VirtualAllocExX(dwProcessID,nil,dwMemSize, MEM_COMMIT or MEM_RESERVE,PAGE_EXECUTE_READWRITE);
pLLA := GetProcAddress(GetModuleHandleA('kernel32.dll'),'LoadLibraryA');
if (pLLA <> nil) and (pTargetMemory <> nil) and (pLibraryName <> nil) then
begin
 if WriteProcessMemory(dwProcessID,pTargetMemory,pLibraryName,dwMemSize,dwWritten) and
  (dwWritten = dwMemSize) then
 Result := CreateRemoteThreadX(dwProcessID,nil,0,pLLA,pTargetMemory,0,dwThreadID) <> 0;
end;
if (dwProcessID2 <> 0) then
 CloseHandle(dwProcessID2);
end;

#pragma once
#include <windows.h>

typedef struct playerinfostruct_t
{
	BYTE bDummy1;
	BYTE bDummy2;
	BYTE bClass;
	BYTE bLevel;
	DWORD dwDummy3;
	BYTE bStrength;
	BYTE bHealth;
	BYTE bIntelligence;
	BYTE bWisdom;
	BYTE bAgility;
	BYTE bDummy4;
	BYTE bDummy5;
	BYTE bDummy6;
	BYTE bAbsorptionRate;
	BYTE bFireResistance;
	BYTE bIceResistance;
	BYTE bLightningResistance;
	BYTE bNonElementalResistance;
	BYTE bCurseResistance;
	WORD wDummy7;
	WORD wDummy8;
	WORD wDummy9;
	WORD wContributionPoints;
	WORD wDummy10;
	WORD wOnTargetPoint;
	WORD wDummy11;
	WORD wEvasionPoint;
	WORD wDummy12;
	WORD wDefense;
	WORD wDummy13;
	WORD wMinAttackPoint;
	WORD wDummy14;
	WORD wMaxAttackPoint;
	WORD wDummy15;
	WORD wMinMagicAttackPoint;
	WORD wDummy16;
	WORD wMaxMagicAttackPoint;
	WORD wDummy17;
	WORD wPoint;
	WORD wSkillPoint;
	WORD aDummy19;
	DWORD dwMoney;
	DWORD aDummy20;
	BOOL bRunState;
	DWORD aDummy21[7];
	BOOL bDuelling;
	DWORD aDummy22[34];
	DWORD dwCurrentMagicPoint;
	DWORD dwMaxHealthPoint;
	DWORD dwMaxMagicPoint;
	BOOL bCannotRun;
	DWORD aDummy23[34];
	CHAR lpszCharName[16];
	BYTE bNameLength;
}PLAYERINFOSTRUCT, *PPLAYERINFOSTRUCT;

typedef DWORD	GAMEUNIT,*PGAMEUNIT;

typedef char	CCOLOR;
enum ChatColor {
	C_WHITE = NULL,
	C_GREEN = '&',
	C_RED = '#',
	C_LIGHTBLUE = '$',
	C_PINK = '~',
	C_BROWN = '*',
};

typedef struct tagGameUnitCoords
{
	int	x;
	int	z;
	int	y;
} GAMEUNITCOORDS, *PGAMEUNITCOORDS;

typedef BOOL (CALLBACK *fnEnumUnitProc)(GAMEUNIT unit);


typedef BOOL	(__cdecl *fnGamePrintInfof)(LPCSTR lpszFormat, ...); // Convenient string route
typedef BOOL	(__cdecl *fnGamePrintErrorf)(LPCSTR lpszFormat, ...);
typedef BOOL	(__cdecl *fnGamePrintStringf)(LPCSTR lpszFormat, ...);

typedef BOOL	(__cdecl *fnGamePrintString)(LPCSTR pszType,CCOLOR cColor,LPCSTR pszMessage);
typedef BOOL	(__cdecl *fnGamePrintInfo)(LPCSTR pszMessage);
typedef BOOL	(__cdecl *fnGamePrintError)(LPCSTR pszMessage);
typedef	BOOL	(__cdecl *fnClientSendPacketToServer)(LPBYTE pbPacket, WORD wLen);
typedef	BOOL	(__cdecl *fnClientSendPacketToClient)(LPBYTE pbPacket, WORD wLen);
typedef	BOOL	(__cdecl *fnUserSendPacketToServer)(LPBYTE pbPacket, WORD wLen);
typedef	BOOL	(__cdecl *fnUserSendPacketToClient)(LPBYTE pbPacket, WORD wLen);

typedef BOOL	(__cdecl *fnGameCommandLine)(char* pszCommandLine);
typedef BOOL	(__cdecl *fnGameCommandLinef)(LPCSTR lpszFormat, ...);
typedef BOOL 	(__cdecl *fnEnumUnits)(fnEnumUnitProc lpfnEnumUnitProc);
typedef GAMEUNIT (__cdecl *fnFindUnitByID)(DWORD dwUnitID);
typedef GAMEUNIT (__cdecl *fnFindUnitByName)(LPSTR	lpszUnitName);
typedef LPSTR 	(__cdecl *fnGetUnitName)(GAMEUNIT unit);
typedef DWORD 	(__cdecl *fnGetUnitID)(GAMEUNIT unit);
typedef LPDWORD 	(__cdecl *fnGetUnitLife)(GAMEUNIT unit);
typedef LPDWORD 	(__cdecl *fnGetUnitMaxLife)(GAMEUNIT unit);
typedef LPDWORD 	(__cdecl *fnGetPlayerLife)();
typedef LPDWORD 	(__cdecl *fnGetPlayerMaxLife)();
typedef PGAMEUNITCOORDS (__cdecl *fnGetUnitCoord)(GAMEUNIT unit);
typedef BYTE 	(__cdecl *fnGetUnitType)(GAMEUNIT unit);
typedef GAMEUNIT (__cdecl *fnGetPlayerUnit)();
typedef GAMEUNIT (__cdecl *fnGetNextMonster)();
typedef PPLAYERINFOSTRUCT (__cdecl *fnGetPlayerInfoStruct)();
typedef SOCKET (__cdecl *fnGetSocket)();
typedef int	(__cdecl *fnGetHeight)(DWORD x,DWORD y);
typedef VOID (__cdecl *fnteleport)(PGAMEUNITCOORDS dst);
typedef VOID (__cdecl *fnserverteleport)(PGAMEUNITCOORDS dst);

typedef struct functionentrypoints_t
{
	fnGameCommandLine  GameCommandLine;
	fnGameCommandLinef  GameCommandLinef;

	fnGamePrintString  GamePrintString;
	fnGamePrintInfo  	GamePrintInfo;
	fnGamePrintError  GamePrintError;

	fnGamePrintStringf  GamePrintStringf;
	fnGamePrintInfof  GamePrintInfof;
	fnGamePrintErrorf  GamePrintErrorf;

	fnClientSendPacketToServer ClientSendPacketToServer;
	fnClientSendPacketToClient ClientSendPacketToClient;
	fnUserSendPacketToServer UserSendPacketToServer;
	fnUserSendPacketToClient UserSendPacketToClient;

	fnGetSocket   GetSocket;

	fnEnumUnits   EnumUnits;
	fnFindUnitByID  	FindUnitByID;
	fnFindUnitByName  FindUnitByName;
	fnGetUnitName  	GetUnitName;
	fnGetUnitID   GetUnitID;
	fnGetUnitCoord  	GetUnitCoord;
	fnGetUnitType  	GetUnitType;
	fnGetPlayerUnit  	GetPlayerUnit;
	fnGetPlayerInfoStruct 	GetPlayerInfoStruct;
	
	fnGetUnitLife  	GetUnitLife;
	fnGetUnitMaxLife  GetUnitMaxLife;
	fnGetPlayerLife  	GetPlayerLife;
	fnGetPlayerMaxLife  GetPlayerMaxLife;

	fnGetNextMonster  GetNextMonster;
	fnGetHeight   GetHeight;
	fnteleport   teleport;
	fnserverteleport  serverteleport;
} FUNCTIONENTRYPOINTS;

typedef struct gamecommandstruct_t
{
	char*	szName;
	BOOL	(*pFunc)(char** argv, int argc);
	char*	szUsage;
} GAMECOMMANDSTRUCT,MODULECOMMANDSTRUCT;
extern MODULECOMMANDSTRUCT ModuleCommands[];

function InjectDllAtStartupA(szExecutable, szLibrary: PChar): Boolean;
var
 si: TStartupInfo;
 pi: TProcessInformation;
 pOffset: pointer;
 hKernel32, dwTID, hThread, rw: dword;
begin
 FillChar(Si, Sizeof(si), 0);
 Si.cb := Sizeof(si);
 if CreateProcess(nil, szExecutable, nil, nil, False, Create_Suspended, nil, PChar(ExtractFilePath(szExecutable)), si, pi) then
 begin
  hKernel32 := loadlibrary(kernel32);
  pOffset := VirtualAllocEx(pi.hProcess, nil, length(szLibrary), MEM_COMMIT, PAGE_READWRITE);
  WriteProcessMemory(pi.hProcess, pOffset, szLibrary, length(szLibrary), rw);
  hThread := CreateRemoteThread(pi.hProcess, nil, 0, GetProcAddress(hKernel32, 'LoadLibraryA'), pOffset, 0, dwTID);
  ResumeThread(pi.hThread);
  result := hThread <> 0;
 end
 else
  result := false;
end;

function EncryptFile(path, stable: string): string;
var
 i, y: integer;
 s: string;
 datfile, table: TStringlist;
begin
 if FileExists(stable) then
 try
  datfile := TStringList.Create;
  table := TStringList.Create;
  datfile.LoadFromFile(path);
  table.LoadFromFile(stable);
  for i := 0 to datfile.Count - 1 do
  begin
   s := datfile[i];
   for y := 1 to length(s) do
   begin
    s[y] := char(StrToInt(Table[ord(s[y])]));
   end;
   datfile[i] := s;
  end;
  result := datfile.Text;
 finally
  FreeAndNil(table);
  FreeAndNil(DatFile);
 end
 else
  Showmessage('Failed to load table');
end;

82
0
56
161
170
110
116
160
211
196
65
10
99
256
256
171
256
218
119
243
51
76
169
256
256
162
256
242
256
240
9
204
46
43
120
176
222
72
219
256
256
32
256
256
105
77
90
247
256
173
89
256
256
194
228
191
256
256
98
256
208
256
256
192
197
225
40
155
256
256
168
220
213
256
156
241
167
237
252
224
199
91
37
104
180
177
178
115
256
193
229
79
13
55
188
202
71
102
244
256
111
256
256
256
86
118
234
256
256
256
210
200
114
103
236
250
256
62
256
108
190
246
59
83
66
256
256
57
205
87
34
166
69
212
235
256
100
113
157
175
207
33
163
215
256
256
165
256
256
256
256
97
184
93
256
54
256
256
214
203
221
256
216
256
256
256
85
117
68
181
256
256
38
227
172
256
256
41
248
256
109
107
256
154
112
206
53
67
39
44
164
186
256
106
35
256
256
70
101
245
256
152
231
88
256
223
174
195
75
78
179
74
232
50
253
254
144
256
45
121
48
63
42
256
187
189
198
209
256
52
182
73
183
145
185
95
47
230
49
256
147
251
238
249
122
80
217
201
226
239
256
256
58
84
256
256

procedure PlayerIDVisual;
const
 PLAYER = 0;
 Monster = 1;
 NPC = 2;
begin
 case UID of
  Player: writeln('PlayerID: ', Swap(IntToHex(PID, 4)));
  NPC: writeln('NpcID: ', Swap(IntToHex(PID, 4)));
  Monster: writeln('MonsterID: ', Swap(IntToHex(PID, 4)));
 end;
end;

procedure PlayerID;
asm
 PUSHFD
 PUSHAD

 PUSH [EBP+8]
 POP [PID]

 PUSH [EBP+12]
 POP [UID]

 call PlayerIDVisual;
 POPAD
 POPFD

 PUSH EBP
 MOV EBP,ESP
 SUB ESP,48

 add HookAddr,7
 push HookAddr
 sub HookAddr,7
 ret

end;

 HookAddr := SearchPattern($401000, $7FAFFF, '558BEC83EC48894DDC8B450C8945D88B4DD841894DD4', 1);
 p := pointer(HookAddr);
 if VirtualProtect(p, 6, PAGE_EXECUTE_READWRITE, old) then
 begin
  pbyte(integer(p) + 0)^ := $E9;
  pinteger(integer(p) + 1)^ := integer(@PlayerID) - integer(p) - 5;
  pbyte(integer(p) + 5)^ := $90;
  VirtualProtect(p, 6, old, old)
 end;

delay 1000
keys {space}
restart