[CODE]Ingame Functions( POST YOUR FINDINGS HERE )
Discussion on [CODE]Ingame Functions( POST YOUR FINDINGS HERE ) within the Aura Kingdom forum part of the MMORPGs category.

12/28/2014, 18:34
#181
elite*gold: 0
Join Date: May 2009
Posts: 236
Received Thanks: 177
I use Olly a lot more than IDA, since Olly, for me, is the easiest way to read functions etc. =) Btw, do you have any idea how you'd do the teleport thing? Like click to teleport.

12/28/2014, 18:43
#182
elite*gold: 0
Join Date: Mar 2010
Posts: 360
Received Thanks: 132
Nope, sorry, can't help you with that :| All my functions are old; I stopped reversing functions for a bot, I even stopped playing xD I'm just trying to learn more from all of you ^^

12/28/2014, 18:47
#183
elite*gold: 0
Join Date: May 2009
Posts: 236
Received Thanks: 177
XD That function. Darn. >.< Btw, gotta go sleep now. =) See ya tomorrow.

12/28/2014, 19:18
#184
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 562
Guys, you should use asm to push parameters and call functions. The last update changed all the calling conventions and optimised parameters, and because of this changed the way ecx was used.
There are functions that were using ecx as the "this pointer" that are now using either another register (eax or edx) or are now pushed on the stack as parameters. Some functions do the exact opposite. Because of this, using C function pointers and letting the compiler call the functions will generally result in different disasm code than the one used in the game's code.

12/28/2014, 21:49
#185
elite*gold: 0
Join Date: Mar 2010
Posts: 360
Received Thanks: 132
Actually, you do not change a "calling convention", since this was set by Intel as a standard ^.^ but I get what you mean, and I also encountered that scenario.
I was used to having stdcalls, but then there suddenly was a fastcall and I didn't know how to handle those. I always got debug errors stating that I failed at preserving EDI. From my point of view, everything was fine until I looked up the "this call": the object (this pointer) was pushed to the stack AND added to EDX. After some reading, I found out more about "calling conventions" and "caller-saved registers" (EAX, ECX, EDX).
Fastcalls tend to use a template like fastcall(ecx,edx). That's how one could identify 'em.
I really love working with asm, it's always cool to learn new things.
Still, I need more exercise ;-)
SO, any idea how to validate an address in asm? I need to know if e.g. 0x7000000 is writable / readable / accessible.
I tried to do something like:
Code:
mov eax, 0x7000000;
TEST eax,eax
JZ errorLabel;
but it was not working :c

12/28/2014, 23:33
#186
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 562
What is the purpose of this test exactly? I wrote my own memory browser to find my pattern used in my bot. I don't know if this is what you need, but the Microsoft standard libs provide such functions:
Code:
#include <windows.h>

HMODULE hmod = GetModuleHandle((LPCSTR)"game.bin");
if (hmod == 0)
    return false;
MEMORY_BASIC_INFORMATION info;
// Start at the PE32 header: the first query yields the allocation base of the module
SIZE_T len = VirtualQuery(hmod, &info, sizeof(info));
if (len == 0)
    return false;
BYTE* processBase = (BYTE*)info.AllocationBase;
BYTE* address = processBase;
SIZE_T size = 0;
for (;;)
{
    // Walk region by region until we leave this allocation (or the query fails)
    len = VirtualQuery(address, &info, sizeof(info));
    if (len == 0 || info.AllocationBase != processBase)
        break;
    address = (BYTE*)info.BaseAddress + info.RegionSize;
    size += info.RegionSize;
}
I used this simply to know the start and the end of the browsable memory of the game, but you can get lots of additional information about each segment.

12/28/2014, 23:46
#187
elite*gold: 0
Join Date: Mar 2010
Posts: 360
Received Thanks: 132
Well, I just want to read a multi-level pointer which may not be in a valid memory region, depending on the state of the game. If I just add the offsets one after another and the resulting address is not valid, I would get an error and the game crashes.
There must be a way to check this with just asm code, right? I thought about TEST reg, reg because this will just result in zero if every bit of reg is 0... but that was the wrong way to go.

12/29/2014, 00:58
#188
elite*gold: 0
Join Date: May 2009
Posts: 236
Received Thanks: 177
The one you did, Daifoku:
Code:
// Wrapped in a function so it compiles on its own (the function name is mine, just a wrapper).
// Returns the value at the end of the chain, or -1 if any intermediate pointer is null.
// pukNum selects the entry in the table at +0x2fc.
DWORD ReadChain(int pukNum)
{
    DWORD address;
    address = *(DWORD*)(0x00C22194);
    if (!address) return -1;
    address = *(DWORD*)(address + 0x2fc);
    if (!address) return -1;
    address = *(DWORD*)(address + pukNum * 0x4);
    if (!address) return -1;
    address = *(DWORD*)(address + 0x32c);
    return address;
}
But some pointers are invalid but still usable; for example the SKILL ID: the value of the pointer that points to the skill ID is unknown, but the address is there. >.<
Edit:
@Alain
Yeah, I thought of that as well, but it's just a test for my functions; I will use ASM once everything is set. =)
BTW, calling a thiscall function with an ampersand (&) on your parameter causes ECX to be re-written, making your function malfunction.
e.g.
Code:
__asm mov ecx, 0x10
((int(WINAPI*)(void*))0x0400000)((void*)&MyObj); // taking &MyObj makes the compiler load its address into ecx, clobbering the value set above
This call in asm shows like:
mov ecx, 0x10
lea ecx, [EBP+0xX] // Stores the address of MyObj to ECX
push ECX
call 0x0400000
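As an added illustration (not code from this thread or from the game): #186 walks the module's regions with VirtualQuery and #188 null-checks each hop of a pointer chain, and #187/#188 point out why neither alone is enough, because a stale non-null pointer crashes just as hard as a null one, and a perfectly valid final field may hold 0. The block below combines the two ideas over a constructed address space: a hand-written region table stands in for the VirtualQuery results (on Windows you would fill it from MEMORY_BASIC_INFORMATION), every intermediate hop must be both non-null and fully inside a readable region, and only the final field's readability is checked, not its value. All addresses, region entries and memory contents (MOD_BASE, HEAP_BASE, NOACC_BASE, the 0x1234 field) are constructed for the example; walk_chain, walk2, read_u32 and backing are my names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One mapped region of the constructed address space.  On Windows each entry
 * would come from a MEMORY_BASIC_INFORMATION returned by VirtualQuery.
 * mem == NULL models a region that is mapped but not readable (PAGE_NOACCESS,
 * a guard page): a null test on the pointer value can never catch that case. */
typedef struct {
    uint32_t start;
    uint32_t size;
    uint8_t *mem;
} region_t;

#define MOD_BASE   0x00400000u   /* constructed: stands in for the module's image base */
#define HEAP_BASE  0x00C00000u   /* constructed: a heap block holding the objects */
#define NOACC_BASE 0x7FFF0000u   /* constructed: a mapped but unreadable page */
#define BLOCK 64

static uint8_t g_mod[BLOCK];
static uint8_t g_heap[BLOCK];

static const region_t g_regions[] = {
    { MOD_BASE,   BLOCK,  g_mod  },
    { HEAP_BASE,  BLOCK,  g_heap },
    { NOACC_BASE, 0x1000, NULL   },
};

static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build the constructed image: a static slot in the module points at a heap
 * block which holds good, stale, no-access and null pointers side by side. */
static void setup_image(void) {
    memset(g_mod, 0, sizeof g_mod);
    memset(g_heap, 0, sizeof g_heap);
    put_u32(g_mod  + 0x10, HEAP_BASE);          /* static pointer slot */
    put_u32(g_heap + 0x08, HEAP_BASE + 0x20);   /* good: points at a live object */
    put_u32(g_heap + 0x0C, NOACC_BASE + 0x100); /* mapped but unreadable */
    put_u32(g_heap + 0x14, 0x12345678u);        /* non-null but unmapped (stale) */
    put_u32(g_heap + 0x24, 0x1234u);            /* the object's field */
    /* g_heap + 0x10 stays 0 (null pointer); g_heap + 0x28 stays 0 (valid field whose value is 0) */
}

/* Map a len-byte read at addr to backing storage, or NULL if any byte of it
 * falls outside a readable region.  This is the role VirtualQuery plays in #186. */
static const uint8_t *backing(uint32_t addr, uint32_t len) {
    static int ready;
    size_t i;
    if (!ready) { setup_image(); ready = 1; }   /* lazy init of the constructed image */
    for (i = 0; i < sizeof g_regions / sizeof g_regions[0]; i++) {
        const region_t *r = &g_regions[i];
        if (addr >= r->start && addr - r->start <= r->size && len <= r->size - (addr - r->start))
            return r->mem ? r->mem + (addr - r->start) : NULL;
    }
    return NULL;
}

/* Little-endian DWORD read; returns 0 (and leaves *out alone) where a real read would fault. */
static int read_u32(uint32_t addr, uint32_t *out) {
    const uint8_t *p = backing(addr, 4);
    if (!p) return 0;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 1;
}

/* Follow *( *( *base + offs[0]) + offs[1]) ... , the shape of the #188 snippet.
 * Every intermediate pointer must be non-null AND readable; the final field
 * only has to be readable, its value may legitimately be 0.
 * Returns 0 and stores the final value, or the 1-based number of the hop that failed. */
static int walk_chain(uint32_t base, const uint32_t *offs, size_t n, uint32_t *result) {
    uint32_t cur = base, next;
    size_t i;
    for (i = 0; i < n; i++) {
        if (!read_u32(cur, &next)) return (int)i + 1;   /* hop would fault */
        if (next == 0)            return (int)i + 1;   /* null pointer, #188's check */
        cur = next + offs[i];
    }
    if (!read_u32(cur, result)) return (int)n + 1;     /* final field unreadable */
    return 0;
}

/* Two-offset convenience wrapper; the value read on success is kept in g_last. */
static uint32_t g_last;
static int walk2(uint32_t base, uint32_t o1, uint32_t o2) {
    uint32_t offs[2];
    offs[0] = o1; offs[1] = o2;
    g_last = 0;
    return walk_chain(base, offs, 2, &g_last);
}

int main(void) {
    static const struct { const char *name; uint32_t o1, o2; } cases[] = {
        { "live object  ", 0x08, 0x04 },
        { "zero field   ", 0x08, 0x08 },
        { "stale pointer", 0x14, 0x04 },
        { "no-access    ", 0x0C, 0x04 },
        { "null pointer ", 0x10, 0x04 },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = walk2(MOD_BASE + 0x10, cases[i].o1, cases[i].o2);
        if (rc == 0) printf("%s: ok, value=0x%X\n", cases[i].name, g_last);
        else         printf("%s: refused at hop %d (would have faulted or hit NULL)\n", cases[i].name, rc);
    }
    return 0;
}
```

The "zero field" case is the one #188 worries about: the chain is accepted and returns 0, because only the address of the last hop is validated. The "stale pointer" case is the one a TEST reg,reg check (#185/#187) can never catch: the value is non-zero, but no region backs it, so the walk refuses before dereferencing instead of letting the process fault.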

12/29/2014, 11:57
#189
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 562
Yes. This probably depends on the compiler you use and maybe even the optimisation rules you set. That's why I prefer using full asm to mimic the game's code: then I'm sure that the compiled code of my bot will be exactly the same as the one used in the game, no matter the compiler and the rules I used.
In your case I can write:
Code:
lea ecx, [EBP+0xX] // Stores the address of MyObj to ECX
push ECX
mov ecx, 0x10
call 0x0400000
in this specific order, or use any register I want, supposing the original function you want to call required eax or edx already set to a specific value. You have full control over all registers.

12/29/2014, 14:04
#190
elite*gold: 0
Join Date: May 2009
Posts: 236
Received Thanks: 177
Yeah, that's why full ASM coding is still best for calling functions, if and only if they require some sort of pointer in a register. But for others, like stdcalls, it's very easy to use the other way. =)
Btw, I've got everything except for 1 thing. The walk function!! =D All codes are working except that shitty one. >.< I assume it's crashing every time I call the walk function multiple times, or maybe when the function is currently executing and then another function is executed...
I'm using a timer control to execute everything. So maybe that's the reason. @.@
I got this code...
Code:
// Standard WinForms timer handler signature
void Form1::timer1_tick(System::Object^ sender, System::EventArgs^ e)
{
    if (chHeal->Checked) {
        if (PlayerData->CurrentHP <= PlayerData->MaxHP * .8) {
            SendSkill(7);
            Sleep(700);  // CHANGE IT TO CAST TIME IN GUI (note: blocks the UI thread for the whole wait)
            SendSkill(8);
            Sleep(3000); // CHANGE IT TO CAST TIME IN GUI
        }
    }
    if (chBot->Checked) {
        if (CurrentTargetHealth <= 0) {
            if (Post_Attack) {
                SendSkill(18);
                Post_Attack = false;
                Pre_Attack = true;
            }
            if (CS_SelectMonTimer + 1000 < GetTickCount())
                SelectMonster();
            if (!CurrentTargetHealth)
                CS_SelectMonTimer = GetTickCount();
            else
                CS_WalkToTimer = GetTickCount();
        }
        else if (CurrentTargetHealth > 0) {
            if (EnemyDistance > 25 && CS_WalkToTimer + 1000 < GetTickCount()) {
                // Only walk once the distance has stopped changing, i.e. we are not already moving
                if (Check_EnemyDistance == EnemyDistance)
                    WalkToMonster(EnemyAxis->X, EnemyAxis->Y);
                else if (Check_EnemyDistance != EnemyDistance)
                    Check_EnemyDistance = EnemyDistance;
                CS_WalkToTimer = GetTickCount();
            }
            else if (CS_MainTimer + 1000 < GetTickCount() && EnemyDistance <= 25) {
                if (Pre_Attack) {
                    SendSkill(17);
                    Pre_Attack = false;
                    Post_Attack = true;
                }
                int Skills[] = { 1, 2, 3, 4, 5, 6, 9, 10, 11, 12 };
                int iRand = Skills[rand() % 10];
                if (SendSkill(iRand))
                    CS_MainTimer = GetTickCount();
                CS_WalkToTimer = GetTickCount();
                CS_SelectMonTimer = GetTickCount();
            }
        }
    }
    if (chRet->Checked) {
        float DestX = (float)Convert::ToDouble(inpX->Text);
        float DestY = (float)Convert::ToDouble(inpY->Text);
        float LimitRadius = (float)Convert::ToDouble(inpRad->Text);
        DestinationDistance = GetLineDistance(DestX, DestY, PlayerAxis->X, PlayerAxis->Y);
        if (DestinationDistance > LimitRadius) {
            if (CurrentTargetHealth <= 0 && GetTickCount() > ReturnTimer + 3000) {
                if (Check_DestinationDistance == DestinationDistance)
                    WalkToPath(DestX, DestY);
                else if (Check_DestinationDistance != DestinationDistance)
                    Check_DestinationDistance = DestinationDistance;
                ReturnTimer = GetTickCount();
            }
        }
    }
}

12/29/2014, 17:16
#191
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 562
Someone told me once there are 2 moveToPosition() functions: one is always successful, allowing you to move from one map to another, but crashes when called a second time while it is being used; the second one is only valid on the current map, often failing when colliding with some edges of the landscape, but never crashing when called multiple times.
I personally use only the second one and never tested the 1st one. But I suppose it could be the one you're using, and that could possibly explain your crash.

12/29/2014, 17:38
#192
elite*gold: 0
Join Date: May 2009
Posts: 236
Received Thanks: 177
Actually there are 3, but I use both you mentioned: the second when moving to the monster if they are far away, and the first one when moving from one map to another map, or when returning to a location (farming location). I wonder what makes it crash @.@

12/30/2014, 22:22
#193
elite*gold: 0
Join Date: Oct 2014
Posts: 4
Received Thanks: 0
Anyone know if the warp function still works? I was trying to write to that address, but it's not working.

12/31/2014, 05:04
#194
elite*gold: 0
Join Date: May 2009
Posts: 236
Received Thanks: 177
Teleporting is a server-sided hack; if you wanna hack it, try playing with the packets. =)

01/01/2015, 14:59
#195
elite*gold: 0
Join Date: May 2009
Posts: 236
Received Thanks: 177
Anyone here know how the packets are being sent? Are there any checks or something before it gets sent?
This is how I send a packet:
1. Of course the packet, for example 0x04 0x00 0x2D 0x00 0x07 0x00 with a size of 6
2. I'll call the encryption function (so no need for XOR tables or whatever)
3. I will send the encrypted packet to either the WSASend or send() API functions.
When I send it there is no response from the game and it's freaking me out >.<