Aura Kingdom Bot
Discussion on Aura Kingdom Bot within the Aura Kingdom forum part of the MMORPGs category.
07/14/2014, 18:23
#16
elite*gold: 0
Join Date: Jul 2014
Posts: 30
Received Thanks: 9

Quote:
Originally Posted by JuJuBoSc1
To me, pixel reading is just **** ... at least go for memory reading, + the game is a piece of cake to reverse.
(And yeah, I'm gonna release a decent bot soon as well.)

Do whatever you want. Pixel reading suits our purpose well; it is really easy to do and will probably work forever without needing any patch. We do some OCR to read the coordinates, and other than that you don't need much.
07/14/2014, 20:11
#17
elite*gold: 0
Join Date: Sep 2012
Posts: 115
Received Thanks: 69

I wonder how you can get decent movements with only pixel reading.
07/14/2014, 21:27
#18
elite*gold: 0
Join Date: Jul 2014
Posts: 30
Received Thanks: 9

Quote:
Originally Posted by JuJuBoSc1
I wonder how you can get decent movements with only pixel reading.

We read the coordinates on the map and click where we want to go.
07/14/2014, 22:37
#19
elite*gold: 0
Join Date: Sep 2013
Posts: 216
Received Thanks: 6

Quote:
Originally Posted by JuJuBoSc1
(And yeah, I'm gonna release a decent bot soon as well.)

I heard that one a few months ago.
07/15/2014, 01:29
#20
elite*gold: 0
Join Date: Sep 2012
Posts: 115
Received Thanks: 69

Quote:
Originally Posted by pureleech
I heard that one a few months ago.

Yep, in fact we released it to some people already.
07/15/2014, 11:03
#21
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 562

I don't know what you reversed to say it is a piece of cake, but after reversing the function behind the Tab press (to change target), in order to make a better one not based on the FOV, and the way the skill cooldowns work, I definitely say it is a nightmare to reverse (and I'm not alone in saying this)...
07/15/2014, 12:35
#22
elite*gold: 94
Join Date: Mar 2007
Posts: 569
Received Thanks: 1,496

Quote:
Originally Posted by AlainProvist
Yep!
My only concern is about crashes. The game creates a dump and zips it with logs and additional information when restarting the launcher. I usually delete the dump before restarting the launcher, but end users won't when using a DLL-injection-based bot. In the end they probably have the information that a DLL has been injected, but they probably don't care about this and just discard the crash report (more likely because Aeria is just an editor that bought a licence from the real developers, and the devs don't really care about account bans).

You have a good point. We should actually check it out.
I don't know what their privacy policy says about sending it to them without the user's approval, but I assume the user must press "Send" on that small window that pops up when there's an unhandled exception.
If they do send it even without the user's approval (say, when you re-launch the game or something), then yes, this is indeed a problem.
First things first, we need to find out if the client really sends it or not, because we can just get rid of that.
But if the goal is to stop it from dumping stuff regardless, then we can hook the function that is used to create a dump file and just kill the client when it's called.
But what if somehow the hook itself fails and generates an error? This is where the most secure way to solve this is to just edit the executable with a RETN on the dump creation function.
It's possible because it's a function; it's not in the heap, it's in the actual code. In our case, it's in the executable ("game.bin").
And a return is just one or three bytes to edit (depending on what type of RETN); it can even be done with a hex editor.
Here's an example of how to stop "game.dmp" creation:
In "game.bin" (the actual file, no need to run it) search for:
55 8B EC 81 EC 08 01 00 00 53 56 57 68 03 01 00 00
and change the first byte to C3 (RETN) and voila, no "game.dmp" will be created anymore.
* If you want to try it and you're using the game's launcher to launch the game, you'll have to make "game.bin" read-only (otherwise the launcher will replace it due to CRC mismatch); you'll get 2 errors with the launcher but it will still work.
As for logs, there is more than one function. I've got most of them, but there are some issues with a few of them; I might look deeper into it later this week.
But you've actually opened my eyes about this, I didn't even think about it and I should've.
Cheers!
Oriya.
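The one-byte patch described in the post above (the prologue's leading 55 overwritten with C3) is exactly the kind of code-section tampering that the launcher's CRC check is there to catch, which is why the poster has to make the file read-only. The following Python is an added example, not code from any poster or from the game: a tamper check that compares a whole-image hash against a known-good digest and, independently, locates the quoted dump-routine signature by its tail bytes so it can report whether that function's first byte is intact, replaced by a ret, or changed to something else. The 17-byte signature is taken from the post; the image bytes, the padding and the reference digest are constructed here and are not real game data.

```python
import hashlib

# Function-prologue signature quoted in the post above for the dump-creation
# routine (push ebp / mov ebp,esp / sub esp,0x108 / push ebx,esi,edi / push 0x103).
DUMP_FUNC_SIG = bytes.fromhex("55 8B EC 81 EC 08 01 00 00 53 56 57 68 03 01 00 00")

RET = 0xC3  # x86 near return; the patch replaces the prologue's first byte with it

# Constructed stand-in for an executable image: NOP padding around the signature.
GOOD_IMAGE = b"\x90" * 64 + DUMP_FUNC_SIG + b"\x90" * 64
# The same image with the patch described in the thread applied (byte 64 -> C3).
PATCHED_IMAGE = GOOD_IMAGE[:64] + bytes([RET]) + GOOD_IMAGE[65:]


def sha256_hex(image: bytes) -> str:
    """Whole-image digest, the coarse check: it says that something changed, not what."""
    return hashlib.sha256(image).hexdigest()


# Constructed known-good reference digest (a real deployment would ship this
# with the launcher or fetch it from a trusted update server).
GOOD_SHA256 = sha256_hex(GOOD_IMAGE)


def find_prologue(image: bytes, sig: bytes) -> int:
    """Return the offset of the function's first byte, or -1 if not found.

    The patch keeps bytes 1..n of the signature intact and only rewrites byte 0,
    so searching for sig[1:] locates the function whether or not it was patched.
    """
    i = image.find(sig[1:])
    return -1 if i < 1 else i - 1


def check_function(image: bytes, sig: bytes) -> str:
    """Classify the first byte of the signed function: intact, patched-ret, modified, not-found."""
    off = find_prologue(image, sig)
    if off < 0:
        return "not-found"
    first = image[off]
    if first == sig[0]:
        return "intact"
    if first == RET:
        return "patched-ret"
    return "modified"


def integrity_report(image: bytes, sig: bytes, expected_sha256: str) -> dict:
    """Combine the coarse hash check with the fine-grained prologue check."""
    return {
        "hash_ok": sha256_hex(image) == expected_sha256,
        "function": check_function(image, sig),
    }


if __name__ == "__main__":
    for name, img in (("good", GOOD_IMAGE), ("patched", PATCHED_IMAGE)):
        print(name, integrity_report(img, DUMP_FUNC_SIG, GOOD_SHA256))
```

Matching on the signature tail rather than the whole signature is what turns "signature missing" into the more useful "prologue overwritten with a ret"; a hash mismatch alone cannot distinguish a neutered crash reporter from any other modification. A client whose dump routine returns immediately stops producing the crash telemetry the publisher relies on, so an integrity check of the code section before launch is the practical place to notice it.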
07/15/2014, 12:44
#23
elite*gold: 0
Join Date: Sep 2012
Posts: 115
Received Thanks: 69

Quote:
Originally Posted by AlainProvist
I don't know what you reversed to say it is a piece of cake, but after reversing the function behind the Tab press (to change target), in order to make a better one not based on the FOV, and the way the skill cooldowns work, I definitely say it is a nightmare to reverse (and I'm not alone in saying this)...

Well, I reversed pretty much everything needed, inventory stuff, entity, well, feel free to add me on Skype (jujubosc); I can show you some stuff.
07/15/2014, 13:19
#24
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 562

Quote:
Originally Posted by Oriya9
You have a good point. We should actually check it out.
I don't know what their privacy policy says about sending it to them without the user's approval, but I assume the user must press "Send" on that small window that pops up when there's an unhandled exception.
If they do send it even without the user's approval (say, when you re-launch the game or something), then yes, this is indeed a problem.
First things first, we need to find out if the client really sends it or not, because we can just get rid of that.
But if the goal is to stop it from dumping stuff regardless, then we can hook the function that is used to create a dump file and just kill the client when it's called.
But what if somehow the hook itself fails and generates an error? This is where the most secure way to solve this is to just edit the executable with a RETN on the dump creation function.
It's possible because it's a function; it's not in the heap, it's in the actual code. In our case, it's in the executable ("game.bin").
And a return is just one or three bytes to edit (depending on what type of RETN); it can even be done with a hex editor.
Here's an example of how to stop "game.dmp" creation:
In "game.bin" (the actual file, no need to run it) search for:
55 8B EC 81 EC 08 01 00 00 53 56 57 68 03 01 00 00
and change the first byte to C3 (RETN) and voila, no "game.dmp" will be created anymore.
* If you want to try it and you're using the game's launcher to launch the game, you'll have to make "game.bin" read-only (otherwise the launcher will replace it due to CRC mismatch); you'll get 2 errors with the launcher but it will still work.
As for logs, there is more than one function. I've got most of them, but there are some issues with a few of them; I might look deeper into it later this week.
But you've actually opened my eyes about this, I didn't even think about it and I should've.
Cheers!
Oriya.

Good job on finding the dump creation location.
I'll add it to my bot (live memory opcode replacement when injecting the DLL).
From what I've seen, the game creates a dump, a screenshot and updates multiple log files when crashing. Then it pops the crash handler window that probably zips everything and sends it to the devs.
The funny part is that if you killed the process to prevent any send and then restart the launcher, it seems that it checks something (takes a long time), and during this, zips the crash files and probably sends them oO.
@JuJuBoSc1: Thanks for proposing, but I'm nearly retired (and tired lol) with this game. We created a dev section some months ago to share knowledge and pieces of code, but the only active devs there are retired now. We reversed multiple things together, from data structures (entity, skills, cooldown, inventory, objects, fishing interface, targeting stuff) to game functions (go to location, inventory usage/discard/salvage, use skill from bar/id, check skill cooldown, target anything (objects/mobs/npc), custom targeting methods, eudemon talk stuff, npc talk (repair wnd call) and so on...). But now I don't have sufficient free time and motivation to continue the work.
07/15/2014, 13:31
#25
elite*gold: 0
Join Date: Sep 2012
Posts: 115
Received Thanks: 69

Well, still, feel free to contact me to talk; looks like you are French too (according to your nickname).
Or anyone else who wants to talk about reversing this game for fun.
07/15/2014, 14:11
#26
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 562

@JuJu: I've added you.
@Oriya9: I finally put my ret 2 functions over the dumper one (search for 50 64 89 25 00 00 00 00 83 EC 2C 56 57 8D 45 F3). No more crash handling at all = no more logs + dump creation = no more waste of time on the launcher on next start.
07/15/2014, 14:17
#27
elite*gold: 0
Join Date: Nov 2008
Posts: 181
Received Thanks: 465

You guys are getting expensive with offsets =P. Just detour the CreateFileA and CreateFileW APIs and check if lpFileName matches one of the logs you want to avoid; if so, return INVALID_FILE_HANDLE and it's done.
BTW, nice to see you are still alive, Alain and Oriya9.
07/15/2014, 14:25
#28
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 562

Heeey ntKid! Nice to see you alive too, bro ^^ (I really thought you were retired).
You're right about offsets, but I'm still unsure about how the launcher detects that a crash occurred last time (tried to remove all files created, but nothing changes about the time required for the launcher to pop the launch button). With this ret instruction, I remove any sin from the root ^^.
07/15/2014, 14:42
#29
elite*gold: 0
Join Date: Aug 2009
Posts: 171
Received Thanks: 7

It has been a long time since someone released a good one, though. Hope you guys release stuff again; big fan anyway. Cheers.
07/15/2014, 14:51
#30
elite*gold: 0
Join Date: Nov 2008
Posts: 181
Received Thanks: 465

Quote:
Originally Posted by AlainProvist
Heeey ntKid! Nice to see you alive too, bro ^^ (I really thought you were retired).
You're right about offsets, but I'm still unsure about how the launcher detects that a crash occurred last time (tried to remove all files created, but nothing changes about the time required for the launcher to pop the launch button). With this ret instruction, I remove any sin from the root ^^.

I "retired" from Aura for a while (playing Defiance while Aura doesn't have a proper content patch); I pretty much achieved all my coding goals on Aura. My idea of adding AngelScript and packet support to the bot boosted the development speed by 100% -.-' (no recompiling 500 times to test new code, and no stupid double-precision floating point support converting integers like Lua was doing). I have a friend that already automated entire dungeons and daily quests on the new map with AngelScript.
I will be here in the future to share the pain of finding those offsets with you guys =P
Cheers.