|
You last visited: Today at 14:16
Advertisement
[CODE]Ingame Functions( POST YOUR FINDINGS HERE )
Discussion on [CODE]Ingame Functions( POST YOUR FINDINGS HERE ) within the Aura Kingdom forum part of the MMORPGs category.
02/14/2014, 23:09
|
#16
|
elite*gold: 0 
Join Date: Sep 2013
Posts: 216
Received Thanks: 6
|
my classmate is a software engineer i would like to ask what programming language i need to use to make a clientless bot? i want to ask him but he ask me what programming language coz hes not familiar with botting in online game
|
|
|
|
02/14/2014, 23:43
|
#17
|
elite*gold: 1371
Join Date: Apr 2010
Posts: 13,777
Received Thanks: 15,040
|
I am using C++ but you can use any language like C# as well.
|
|
|
|
|
02/14/2014, 23:53
|
#18
|
elite*gold: 0
Join Date: Sep 2013
Posts: 216
Received Thanks: 6
|
do you think he can make a bot for aura kingdom? can you give me some hints or things i will tell him so that he can understand me what i want him to do
|
|
|
|
|
02/15/2014, 01:06
|
#19
|
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 562
|
Ok, I spent 3 hours writing this basic piece of C code...
This was for me a needed step to make sure I have the correct base address of the game before coding anything.
PHP Code:
#include <windows.h>
#include <TlHelp32.h>
#include <iostream>
#include <tchar.h>
using namespace std;
DWORD FindProcessByName(const std::wstring& processName)
{
HANDLE hProcessSnap;
//HANDLE hProcess;
PROCESSENTRY32 pe32;
//DWORD dwPriorityClass;
// Take a snapshot of all processes in the system.
hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
return( FALSE );
}
// Set the size of the structure before using it.
pe32.dwSize = sizeof( PROCESSENTRY32 );
// Retrieve information about the first process,
// and exit if unsuccessful
if( !Process32First( hProcessSnap, &pe32 ) )
{
CloseHandle( hProcessSnap ); // clean the snapshot object
return( FALSE );
}
// Now walk the snapshot of processes, and
// display information about each process in turn
do
{
if ( !processName.compare(pe32.szExeFile) )
{
CloseHandle(hProcessSnap);
return pe32.th32ProcessID;
}
} while( Process32Next( hProcessSnap, &pe32 ) );
CloseHandle( hProcessSnap );
return( 0 );
}
DWORD dwGetModuleBaseAddress(DWORD dwProcessIdentifier, TCHAR *lpszModuleName)
{
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessIdentifier);
DWORD dwModuleBaseAddress = 0;
if(hSnapshot != INVALID_HANDLE_VALUE)
{
MODULEENTRY32 ModuleEntry32 = {0};
ModuleEntry32.dwSize = sizeof(MODULEENTRY32);
if(Module32First(hSnapshot, &ModuleEntry32))
{
do
{
if(_tcscmp(ModuleEntry32.szModule, lpszModuleName) == 0)
{
dwModuleBaseAddress = (DWORD)ModuleEntry32.modBaseAddr;
break;
}
}
while(Module32Next(hSnapshot, &ModuleEntry32));
}
CloseHandle(hSnapshot);
}
return dwModuleBaseAddress;
}
struct PlayerData
{
DWORD unk1;//0
DWORD unk2;//4
DWORD currentHP;//8
DWORD unk3;//C
DWORD level;//10
DWORD unk4;//14
DWORD speedmove;//18
DWORD critrate;//1C
DWORD speed;//20
DWORD HPmax;//24
DWORD def;//28
DWORD eva;//2C
DWORD critval;//30
DWORD acc;//34
DWORD regen;//38
DWORD unk5;//3C
DWORD unk6;//40
DWORD unk7;//44
DWORD dmg;//48
//DWORD score;//54
//DWORD currentExp;//68
};
int main()
{
DWORD pID = FindProcessByName(L"game.bin"); //Get PID of Process
if( pID == 0 )
{
printf("Process not found!\n");
return 0;
}
DWORD staticOffset = 0x0141CBBC;// base address got from CE
HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
DWORD baseAddr = dwGetModuleBaseAddress(pID, L"game.bin");
// Example : Read name and HP
{
DWORD Addr;
PlayerData PD;
DWORD HP, HPmax, level;
ReadProcessMemory(handle, (LPCVOID)(baseAddr+staticOffset), &Addr, 4, NULL);
ReadProcessMemory(handle, (LPCVOID)(Addr+0x710), &Addr, 4, NULL);
ReadProcessMemory(handle, (LPCVOID)(Addr+0xc), &Addr, 4, NULL);
ReadProcessMemory(handle, (LPCVOID)(Addr+0x40), &Addr, 4, NULL);
ReadProcessMemory(handle, (LPCVOID)(Addr+0x3bc), &Addr, 4, NULL);
DWORD offset = 0;
ReadProcessMemory(handle, (LPCVOID)(Addr+offset), &PD, sizeof(PlayerData), NULL);
char name[100];
int it = -1;
do
{
ReadProcessMemory(handle, (LPCVOID)(Addr+offset+0x100+it), &(name[++it]), 1, NULL);
} while(name[it] != 0x0);
printf("%s lvl %d\nHP : %d/%d\n", name, PD.level, PD.currentHP, PD.HPmax);
}
CloseHandle(handle);
return 0;
}
Now, the first thing I ask myself is : is the base address the same depending the server ? I know that I have the french version of the game (only one french server available ig), but I don't know if this fact is data-only driven or if the client exe is different from another country version, meaning that maybe the base address is not the same.
Could someone verify its base address with CE or simply by outputing the hp value in my code and verifying it works ?
I'll try to get some usefull offsets with CE before coding some bot logic, and will come back later with usefull things as ntKid did in the first post.
edit :
I tried to reverse the entire player data where I got the hp previously. Here is what I deduced :
PHP Code:
struct PlayerData
{
DWORD unk1;//0
DWORD unk2;//4
DWORD currentHP;//8
DWORD unk3;//C
DWORD level;//10
DWORD unk4;//14
DWORD speedmove;//18
DWORD critrate;//1C
DWORD speed;//20
DWORD HPmax;//24
DWORD def;//28
DWORD eva;//2C
DWORD critval;//30
DWORD acc;//34
DWORD regen;//38
DWORD unk5;//3C
DWORD unk6;//40
DWORD unk7;//44
DWORD dmg;//48
//DWORD score;//54
//DWORD currentExp;//68
};
edit 2014/02/16 : Updated the code with what is this time a static base address.
|
|
|
|
|
02/15/2014, 01:21
|
#20
|
elite*gold: 0
Join Date: Nov 2008
Posts: 181
Received Thanks: 465
|
[UPDATE]( 1 ) ( CHECK FIRST POST )
-Added SelectNearestTarget function using game engine( without sending tab key ) to my research
-Linked AlainProvist research on post #19 to first post.
|
|
|
|
|
02/15/2014, 02:26
|
#21
|
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 562
|
I edited my previous post with a reversed player data (still not completely reversed).
|
|
|
|
|
02/15/2014, 03:06
|
#22
|
elite*gold: 0
Join Date: Nov 2008
Posts: 181
Received Thanks: 465
|
Quote:
Originally Posted by AlainProvist
I edited my previous post with a reversed player data (still not completely reversed).
|
Very nice Alain but i still think you are making your life very hard by not being in the process context, if you are using C/C++ why not perform a DLL injection?
|
|
|
|
|
02/15/2014, 03:47
|
#23
|
elite*gold: 0
Join Date: Aug 2011
Posts: 3,465
Received Thanks: 1,312
|
Quote:
Originally Posted by Oriya9
That'd be a game-changing event. would **** love to see the encryption algorithm released.
will you also release the source of such packet sniffer?
|
****, the Silkroad exploid *** is playing AK too..
Well people be ready for some sick hacks/dupes soon i guess 
|
|
|
|
|
02/15/2014, 05:15
|
#24
|
elite*gold: 0
Join Date: Jan 2013
Posts: 9
Received Thanks: 0
|
**** this community is progressing pretty fast compared to a few days ago, I feel pretty **** for not being able to contribute.
|
|
|
|
|
02/15/2014, 05:15
|
#25
|
elite*gold: 0
Join Date: Sep 2013
Posts: 12
Received Thanks: 0
|
geezzz....
this BOTTING things make me sorry for join graphic designer college 
|
|
|
|
|
02/15/2014, 05:56
|
#26
|
elite*gold: 0
Join Date: May 2012
Posts: 10
Received Thanks: 0
|
Quote:
Originally Posted by AlainProvist
Ok, I spent 3 hours writing this basic piece of C code...
This was for me a needed step to make sure I have the correct base address of the game before coding anything.
PHP Code:
#include <windows.h>
#include <TlHelp32.h>
#include <iostream>
#include <tchar.h>
using namespace std;
DWORD FindProcessByName(const std::wstring& processName)
{
HANDLE hProcessSnap;
//HANDLE hProcess;
PROCESSENTRY32 pe32;
//DWORD dwPriorityClass;
// Take a snapshot of all processes in the system.
hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
return( FALSE );
}
// Set the size of the structure before using it.
pe32.dwSize = sizeof( PROCESSENTRY32 );
// Retrieve information about the first process,
// and exit if unsuccessful
if( !Process32First( hProcessSnap, &pe32 ) )
{
CloseHandle( hProcessSnap ); // clean the snapshot object
return( FALSE );
}
// Now walk the snapshot of processes, and
// display information about each process in turn
do
{
if ( !processName.compare(pe32.szExeFile) )
{
CloseHandle(hProcessSnap);
return pe32.th32ProcessID;
}
} while( Process32Next( hProcessSnap, &pe32 ) );
CloseHandle( hProcessSnap );
return( 0 );
}
DWORD dwGetModuleBaseAddress(DWORD dwProcessIdentifier, TCHAR *lpszModuleName)
{
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessIdentifier);
DWORD dwModuleBaseAddress = 0;
if(hSnapshot != INVALID_HANDLE_VALUE)
{
MODULEENTRY32 ModuleEntry32 = {0};
ModuleEntry32.dwSize = sizeof(MODULEENTRY32);
if(Module32First(hSnapshot, &ModuleEntry32))
{
do
{
if(_tcscmp(ModuleEntry32.szModule, lpszModuleName) == 0)
{
dwModuleBaseAddress = (DWORD)ModuleEntry32.modBaseAddr;
break;
}
}
while(Module32Next(hSnapshot, &ModuleEntry32));
}
CloseHandle(hSnapshot);
}
return dwModuleBaseAddress;
}
int main()
{
DWORD pID = FindProcessByName(L"game.bin"); //Get PID of Process
if( pID == 0 )
{
printf("Process not found!\n");
return 0;
}
DWORD staticOffset = 0x00B509D4;// base address got from CE
HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
DWORD baseAddr = dwGetModuleBaseAddress(pID, L"game.bin");
// Example : Read Current HP
{
DWORD Addr;
DWORD HP, HPmax;
ReadProcessMemory(handle, (LPCVOID)(baseAddr+staticOffset), &Addr, 4, NULL);
ReadProcessMemory(handle, (LPCVOID)(Addr+0x7b4), &Addr, 4, NULL);
ReadProcessMemory(handle, (LPCVOID)(Addr+0x7e8), &Addr, 4, NULL);
ReadProcessMemory(handle, (LPCVOID)(Addr+0x478), &Addr, 4, NULL);
ReadProcessMemory(handle, (LPCVOID)(Addr+0x28), &Addr, 4, NULL);
ReadProcessMemory(handle, (LPCVOID)(Addr+0x7fc+0x8), &HP, 4, NULL);
ReadProcessMemory(handle, (LPCVOID)(Addr+0x7fc+0x24), &HPmax, 4, NULL);
char name[100];
int it = -1;
do
{
ReadProcessMemory(handle, (LPCVOID)(Addr+0x7fc+0x100+it), &(name[++it]), 1, NULL);
} while(name[it] != 0x0);
printf("%s\nHP : %d/%d\n", name, HP, HPmax);
}
CloseHandle(handle);
return 0;
}
Now, the first thing I ask myself is : is the base address the same depending the server ? I know that I have the french version of the game (only one french server available ig), but I don't know if this fact is data-only driven or if the client exe is different from another country version, meaning that maybe the base address is not the same.
Could someone verify its base address with CE or simply by outputing the hp value in my code and verifying it works ?
I'll try to get some usefull offsets with CE before coding some bot logic, and will come back later with usefull things as ntKid did in the first post.
edit :
I tried to reverse the entire player data where I got the hp previously. Here is what I deduced :
PHP Code:
struct PlayerData
{
DWORD unk1;//0
DWORD unk2;//4
DWORD currentHP;//8
DWORD unk3;//C
DWORD level;//10
DWORD unk4;//14
DWORD speedmove;//18
DWORD critrate;//1C
DWORD speed;//20
DWORD HPmax;//24
DWORD def;//28
DWORD eva;//2C
DWORD critval;//30
DWORD acc;//34
DWORD regen;//38
DWORD unk5;//3C
DWORD unk6;//40
DWORD unk7;//44
DWORD dmg;//48
//DWORD score;//54
//DWORD currentExp;//68
};
|
CAN I USE MICROSOFT C++ ?
it Says..........
Compiling...
Cpp1.cpp
c:\documents and settings\ghenalenser\my documents\cpp1.cpp(37) : error C2664: 'int __thiscall std::basic_string<unsigned short,struct std::char_traits<unsigned short>,class std::allocator<unsigned short> >::compare(const class std::basic_string<uns
igned short,struct std::char_traits<unsigned short>,class std::allocator<unsigned short> > &) const' : cannot convert parameter 1 from 'char [260]' to 'const class std::basic_string<unsigned short,struct std::char_traits<unsigned short>,class std::a
llocator<unsigned short> > &'
Reason: cannot convert from 'char [260]' to 'const class std::basic_string<unsigned short,struct std::char_traits<unsigned short>,class std::allocator<unsigned short> >'
No constructor could take the source type, or constructor overload resolution was ambiguous
c:\documents and settings\ghenalenser\my documents\cpp1.cpp(85) : error C2664: 'dwGetModuleBaseAddress' : cannot convert parameter 2 from 'unsigned short [9]' to 'char *'
Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast
Error executing cl.exe.
Cpp1.exe - 2 error(s), 0 warning(s)
|
|
|
|
|
02/15/2014, 07:39
|
#27
|
elite*gold: 0
Join Date: Sep 2013
Posts: 216
Received Thanks: 6
|
Quote:
Originally Posted by Shane¸
you're pretty impatient
|
sorry sempai, this anticipation and excitement is killing me lol
|
|
|
|
|
02/15/2014, 08:26
|
#28
|
elite*gold: 0
Join Date: Feb 2014
Posts: 27
Received Thanks: 0
|
Guys do have any sites that offer tutorials on C++? I was an IT student when I was still on my first 2 years in uni so I quite know the basics but I've forgotten some things. So if anyone wants to share sites that are useful I would appreciate it. And I could also use the tools that you are using like compilers and such.
|
|
|
|
|
02/15/2014, 10:20
|
#29
|
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 562
|
Quote:
Originally Posted by ntKid
Very nice Alain but i still think you are making your life very hard by not being in the process context, if you are using C/C++ why not perform a DLL injection?
|
I'm not sure dll injection could make this easier. Deducing data structure from CE will be the same, accessing memory will be pretty similar, and I will gain access to opcode to modify it with hook/detouring functions but I'm not very skilled with this last point cause asm is not my cup of tea  . I can read some basics instructions in asm and understand partial things but there is no way I write something in asm ^^.
@lensur13 : I compiled it with my old VS2008. No offense, but if you are not able to fix some small compilation errors like these ones, I assume that this code won't bring you anything since it's just reading the stats of your player for now.
Quote:
Originally Posted by NF725GM
Guys do have any sites that offer tutorials on C++? I was an IT student when I was still on my first 2 years in uni so I quite know the basics but I've forgotten some things. So if anyone wants to share sites that are useful I would appreciate it. And I could also use the tools that you are using like compilers and such.
|
Unfortunatly I know a very good website with the greatest tuto I've ever seen (better than a real teacher actually), but it's in french only :'(.
edit: Holy crap !!! my offsets are no more valid ! I must have failed finding the base offset xD shame on me...
|
|
|
|
|
02/15/2014, 13:37
|
#30
|
elite*gold: 0
Join Date: Nov 2008
Posts: 181
Received Thanks: 465
|
[UPDATE]( 1 ) ( CHECK FIRST POST )
-Added SelectNearestTarget function using game engine( without sending tab key ) to my research
-Linked AlainProvist research on post #19 to first post.
[UPDATE]( 2 ) ( CHECK FIRST POST )
-Added basic editable LUA multiclient bot example using AFKLoader and the published functions.
|
|
|
|
Similar Threads
|
Python Functions von Mt2 per C++ Code Inject ausführen?
12/02/2011 - C/C++ - 5 Replies
Hallo, wollte fragen, ob mir eventuell jemand beantworten kann, wie man Python Functions nützt, welche in den Metin2 - pack Files gespeichert sind.
Und ob das überhaupt so wie ich mir das vorstelle möglich ist.
|
[Code / C++] Basic hooking of API Functions
07/19/2010 - Coding Tutorials - 2 Replies
Global:
typedef BOOL (__stdcall * ReadProcessMemory_t)(HANDLE hProcess,LPVOID lpBaseAddress,LPCVOID lpBuffer,SIZE_T nSize,SIZE_T *lpNumberOfBytesRead);
ReadProcessMemory_t pReadProcessMemory;
Functions:
//Credits to GD ; You can do it manually, too.
|
SOX findings, place ur sox findiings here
06/04/2007 - Silkroad Online - 8 Replies
place ur sox finds here :D
i just found a sos lvl 8 glaive =P
<hr>Append on Jun 4 2007, 01:11<hr> 20 mins later i find another sos chest.. lvl 13
|
All times are GMT +1. The time now is 14:18.
|
|
![[CODE]Ingame Functions( POST YOUR FINDINGS HERE )](https://www.elitepvpers.com/forum/iconimages/aura-kingdom/code-ingame-functions-post-your-findings-here_ltr.gif){kind=small}
