[Release] Advanced hooking
Discussion on [Release] Advanced hooking within the CO2 Programming forum part of the Conquer Online 2 category.
03/03/2012, 22:06 | #136
elite*gold: 0 | Join Date: Feb 2012 | Posts: 16 | Received Thanks: 2
Hi. I guess I am using the right address because I can see the packets but I cannot send packets.
I am using:
Code:
const int SendPacketAddress = 0x7155FD;
const int RecvPacketAddress = 0x7158D2;
int NetworkClass = 0;
NetworkClass is updated in PacketHandler and I know it's working properly.
I have two send functions presented in this thread.
The first one crashes my client:
Code:
private void SendPacketFunction(byte[] Packet)
{
    ushort PacketType = BitConverter.ToUInt16(Packet, 2);
    uint PacketAddress = Dbg.AllocateMemory((uint)Packet.Length);
    if (PacketAddress > 0)
    {
        Dbg.WriteByteArray(Packet, (int)PacketAddress);
        MemoryStream ByteCode = new MemoryStream();
        BinaryWriter CodeWriter = new BinaryWriter(ByteCode);
        //mov edx, packettype
        CodeWriter.Write(Convert.ToByte(0xba));
        CodeWriter.Write(Convert.ToInt32(PacketType));
        //push packetsize
        CodeWriter.Write(Convert.ToByte(0x68));
        CodeWriter.Write(Convert.ToInt32(Packet.Length));
        //push packetaddress
        CodeWriter.Write(Convert.ToByte(0x68));
        CodeWriter.Write(Convert.ToInt32(PacketAddress));
        //mov esi, networkclass
        CodeWriter.Write(Convert.ToByte(0xbe));
        CodeWriter.Write(Convert.ToInt32(NetworkClass));
        //mov ecx, [esi+0x14]
        CodeWriter.Write(new byte[] { 0x8b, 0x4e, 0x14 });
        //mov eax, sendpacketfunction
        CodeWriter.Write(Convert.ToByte(0xb8));
        CodeWriter.Write(Convert.ToInt32(SendPacketAddress));
        //call eax
        CodeWriter.Write(new byte[] { 0xff, 0xd0 });
        //ret
        CodeWriter.Write(Convert.ToByte(0xc3));
        //write to the underlying stream
        CodeWriter.Flush();
        //execute the code
        Dbg.ExecuteCode(ByteCode.ToArray());
        //free memory afterwards
        Dbg.FreeMemory((int)PacketAddress);
    }
}
The second one doesn't crash the client but doesn't produce output:
Code:
public void SendPacket(byte[] packet)
{
    int packetAddr = (int)this.Dbg.AllocateMemory((uint)packet.Length);
    this.Dbg.WriteByteArray(packet, (int)packetAddr);
    using (MemoryStream ms = new MemoryStream())
    using (BinaryWriter writer = new BinaryWriter(ms))
    {
        // push packet size
        writer.Write((byte)0x68);
        writer.Write(packet.Length);
        // push packet address
        writer.Write((byte)0x68);
        writer.Write(packetAddr);
        // store NetworkClass address in ECX
        writer.Write((byte)0xB9);
        writer.Write(NetworkClass);
        // store SendPacket() address in EAX
        writer.Write((byte)0xB8);
        writer.Write(SendPacketAddress);
        // call function stored in EAX
        writer.Write(new byte[] { 0xFF, 0xD0 });
        // return
        writer.Write((byte)0xC3);
        this.Dbg.ExecuteCode(ms.ToArray());
    }
    this.Dbg.FreeMemory(packetAddr);
}
For testing I am trying to jump in TC from (487,424) to (500,427) with:
Code:
byte[] Packet = new byte[38];
//Size
Packets.WriteUInt16(38, 0, Packet);
//Type
Packets.WriteUInt16(10010, 2, Packet);
//UID
Packets.WriteUInt32(2621234, 4, Packet);
//Packets.WriteUInt16(30, 6, Packet);
//Dest
Packets.WriteUInt16(500, 8, Packet);
Packets.WriteUInt16(427, 10, Packet);
//
Packets.WriteUInt16(0, 12, Packet);
Packets.WriteUInt16(0, 14, Packet);
//Timestamp
Packets.WriteUInt32((UInt32)Environment.TickCount, 16, Packet);
//
Packets.WriteUInt16(137, 20, Packet);
Packets.WriteUInt16(0, 22, Packet);
//Source
Packets.WriteUInt16(487, 24, Packet);
Packets.WriteUInt16(424, 26, Packet);
//Map
Packets.WriteUInt16(1002, 28, Packet);
Packets.WriteUInt16(0, 30, Packet);
Packets.WriteUInt16(65535, 32, Packet);
Packets.WriteUInt16(65535, 34, Packet);
Packets.WriteUInt16(0, 36, Packet);
SelectedClient.SendPacket(Packet);
Could anyone help me? What am I doing wrong?

03/03/2012, 23:37 | #137
elite*gold: 0 | Join Date: Aug 2010 | Posts: 992 | Received Thanks: 1,110
Use this one:
Code:
public void SendPacket(byte[] packet)
{
    int packetAddr = (int)this.Dbg.AllocateMemory((uint)packet.Length);
    this.Dbg.WriteByteArray(packet, (int)packetAddr);
    using (MemoryStream ms = new MemoryStream())
    using (BinaryWriter writer = new BinaryWriter(ms))
    {
        // push packet size
        writer.Write((byte)0x68);
        writer.Write(packet.Length);
        // push packet address
        writer.Write((byte)0x68);
        writer.Write(packetAddr);
        // store NetworkClass address in ECX
        writer.Write((byte)0xB9);
        writer.Write(NetworkClass);
        // store SendPacket() address in EAX
        writer.Write((byte)0xB8);
        writer.Write(SendPacketAddress);
        // call function stored in EAX
        writer.Write(new byte[] { 0xFF, 0xD0 });
        // return
        writer.Write((byte)0xC3);
        this.Dbg.ExecuteCode(ms.ToArray());
    }
    this.Dbg.FreeMemory(packetAddr);
}
And try something like this for the jump packet:
Code:
byte[] Buffer = new byte[38];
Packets.WriteUInt16(38, 0, Buffer);
Packets.WriteUInt16(10010, 2, Buffer);
Packets.WriteUInt32(ClientUID, 4, Buffer);
Packets.WriteUInt16(487, 8, Buffer);   //ToX
Packets.WriteUInt16(424, 10, Buffer);  //ToY
Packets.WriteUInt32(0, 12, Buffer);
Packets.WriteUInt32((uint)Environment.TickCount, 16, Buffer);
Packets.WriteUInt32(137, 20, Buffer);
Packets.WriteUInt16(500, 24, Buffer);  //Client.X
Packets.WriteUInt16(427, 26, Buffer);  //Client.Y
SelectedClient.SendPacket(Buffer);
PS: Make sure you are not calling the send packet function while reading the process memory.
That's just what I can think of, and if it's still not working then IAmHawtness is the one :P
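To read what the two stubs in post #136 and the one above actually ask the client to run, here is an added Python decoder for the handful of x86 encodings they use. It is not part of this thread or of the AdvancedHooking library. It rebuilds both byte sequences from the posted C# (using the SendPacketAddress and NetworkClass values that appear later in the thread in post #148, and a constructed placeholder for the packet buffer address) and lists them as instructions, which makes the one real difference visible: the #136 stub also sets EDX and fills ECX from [ESI+0x14], i.e. with the dword stored at NetworkClass+0x14, while the stub above puts the NetworkClass address itself into ECX. The thread does not say which of the two the client function expects, so the decoder only reports it; nothing here executes anything.

```python
import struct

# Values posted later in this thread (post #148).
SEND_PACKET_ADDRESS = 0x7155FD
NETWORK_CLASS = 0x9E34C0
# Constructed placeholders for the two values only known at run time.
PACKET_ADDRESS = 0x00A00000   # where the packet bytes would have been copied
PACKET_LENGTH = 38
PACKET_TYPE = 10010

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def stub_post_136():
    """The byte sequence SendPacketFunction in post #136 writes (imm32s little-endian)."""
    return (b"\xba" + struct.pack("<I", PACKET_TYPE)            # mov edx, imm32
            + b"\x68" + struct.pack("<I", PACKET_LENGTH)        # push imm32
            + b"\x68" + struct.pack("<I", PACKET_ADDRESS)       # push imm32
            + b"\xbe" + struct.pack("<I", NETWORK_CLASS)        # mov esi, imm32
            + b"\x8b\x4e\x14"                                   # mov ecx, [esi+0x14]
            + b"\xb8" + struct.pack("<I", SEND_PACKET_ADDRESS)  # mov eax, imm32
            + b"\xff\xd0"                                       # call eax
            + b"\xc3")                                          # ret


def stub_post_137():
    """The byte sequence SendPacket in post #137 (identical to the asker's second version) writes."""
    return (b"\x68" + struct.pack("<I", PACKET_LENGTH)          # push imm32
            + b"\x68" + struct.pack("<I", PACKET_ADDRESS)       # push imm32
            + b"\xb9" + struct.pack("<I", NETWORK_CLASS)        # mov ecx, imm32
            + b"\xb8" + struct.pack("<I", SEND_PACKET_ADDRESS)  # mov eax, imm32
            + b"\xff\xd0"                                       # call eax
            + b"\xc3")                                          # ret


def decode_stub(code):
    """Decode only the encodings these stubs use; anything else raises instead of being skipped."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if 0xB8 <= op <= 0xBF:                                   # mov r32, imm32 (B8+r id)
            out.append(("mov", REG32[op - 0xB8], struct.unpack_from("<I", code, i + 1)[0]))
            i += 5
        elif op == 0x68:                                         # push imm32
            out.append(("push", struct.unpack_from("<I", code, i + 1)[0]))
            i += 5
        elif op == 0x8B and i + 2 < len(code):                   # mov r32, [r32+disp8] (mod=01)
            modrm = code[i + 1]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod != 1 or rm == 4:                              # SIB and other forms not needed here
                raise ValueError(f"unsupported modrm 0x{modrm:02x} at offset {i}")
            disp = struct.unpack_from("<b", code, i + 2)[0]
            sign = "+" if disp >= 0 else "-"
            out.append(("mov", REG32[reg], f"[{REG32[rm]}{sign}0x{abs(disp):x}]"))
            i += 3
        elif op == 0xFF and i + 1 < len(code) and code[i + 1] == 0xD0:  # call eax
            out.append(("call", "eax"))
            i += 2
        elif op == 0xC3:                                         # ret
            out.append(("ret",))
            i += 1
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x} at offset {i}")
    return out


def ecx_before_call(code):
    """What ECX holds at 'call eax': the last value written to it, or None if the stub never sets it."""
    last = None
    for ins in decode_stub(code):
        if ins[0] == "mov" and ins[1] == "ecx":
            last = ins[2]
        elif ins[0] == "call":
            return last
    return None


def format_listing(code):
    """Render the decoded stub as a plain text listing."""
    lines = []
    for ins in decode_stub(code):
        ops = ", ".join(f"0x{o:x}" if isinstance(o, int) else o for o in ins[1:])
        lines.append(f"{ins[0]:<5} {ops}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    for name, stub in (("post #136", stub_post_136()), ("post #137", stub_post_137())):
        print(f"--- {name} ({len(stub)} bytes), ecx at call = {ecx_before_call(stub)!r}")
        print(format_listing(stub))
```

Running it lists eight instructions for the #136 stub and six for the #137 stub; `ecx_before_call` returns the string `[esi+0x14]` for the first and the integer 0x9E34C0 for the second, which is the whole difference between the two apart from the extra `mov edx`.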

03/04/2012, 05:59 | #138
elite*gold: 0 | Join Date: Feb 2012 | Posts: 16 | Received Thanks: 2
I can't make it work :S
I already tried with chat packets, but no use. I can't make it work. If anyone wants to help I can send my code via PM.
Edit:
I don't know what can be wrong. After I try to send the packet, the handleSentPacket function should be called, but it is not, so I guess the function this.Dbg.ExecuteCode(ms.ToArray()) is not working properly.
It returns 259, but I guess it should return -1 in case of failure, as it does when not hooked to the client.
Thx

03/12/2012, 12:58 | #139
elite*gold: 0 | Join Date: Feb 2009 | Posts: 12 | Received Thanks: 0
Request
Hello, can someone upload the AdvancedHooking library source code in C#?
And if possible, could someone make a tutorial about how to get the SendPacket address using OllyDbg?

03/12/2012, 14:48 | #140
elite*gold: 0 | Join Date: Feb 2012 | Posts: 16 | Received Thanks: 2
Just read the thread. Belth said how to do it and so have I.

03/12/2012, 17:56 | #141
elite*gold: 0 | Join Date: Feb 2009 | Posts: 12 | Received Thanks: 0
Quote:
Originally Posted by ruievmonteiro
Just read the thread. Belth said how to do it and so have I.

I have read the whole thread searching for a tutorial about how to get the SendPacket and RecvPacket addresses, but I couldn't find anything useful; actually someone said to search for "reverse engineering".
But this is not what I meant; I want someone to show us how to get those addresses.
Thanks,
Great work guys

03/12/2012, 20:03 | #142
elite*gold: 0 | Join Date: Feb 2012 | Posts: 16 | Received Thanks: 2
What about Belth's 2nd comment on page 11?
Read these tutorials about reverse engineering:

03/12/2012, 20:22 | #143
elite*gold: 0 | Join Date: Feb 2009 | Posts: 12 | Received Thanks: 0
Quote:
Originally Posted by ruievmonteiro
What about Belth's 2nd comment on page 11?
Read these tutorials about reverse engineering:

thanks

03/16/2012, 20:47 | #144
elite*gold: 0 | Join Date: Feb 2009 | Posts: 12 | Received Thanks: 0
Hello guys, I have found the new address for the new client.
But I have a new problem: I don't know why my CPU load is 100%.
So I need help with that.
PS: sorry for my bad English.

03/17/2012, 12:22 | #145
elite*gold: 0 | Join Date: Aug 2010 | Posts: 992 | Received Thanks: 1,110
Quote:
Originally Posted by kudo2002
Hello guys, I have found the new address for the new client.
But I have a new problem: I don't know why my CPU load is 100%.
So I need help with that.
PS: sorry for my bad English.

Happens when you hook Conquer.exe; not all the time, but it does happen: Conquer starts to run really slow and the CPU usage jumps up.
I'm not sure, but I think it's related to the AdvancedHooking library itself (so many exceptions/access violations/etc.),
and the only way to fix that is by making some changes to the debug loop inside the DLL.
Not sure, it's just a theory. It happens that I'm coding my own hooker lib and the same thing happened, except that after handling those exceptions it went away.

03/17/2012, 16:58 | #146
elite*gold: 0 | Join Date: Apr 2008 | Posts: 1,152 | Received Thanks: 321
So do any of you guys have the SendPacket address?

03/17/2012, 23:04 | #147
elite*gold: 0 | Join Date: Dec 2007 | Posts: 108 | Received Thanks: 42
Quote:
Originally Posted by { Angelius }
Happens when you hook Conquer.exe; not all the time, but it does happen: Conquer starts to run really slow and the CPU usage jumps up.
I'm not sure, but I think it's related to the AdvancedHooking library itself (so many exceptions/access violations/etc.),
and the only way to fix that is by making some changes to the debug loop inside the DLL.
Not sure, it's just a theory. It happens that I'm coding my own hooker lib and the same thing happened, except that after handling those exceptions it went away.

I've noticed this exact same thing, among other issues; some related to the library and some (I assume) related to anti-debugging routines in the client. See my earlier post:
P.S. I've also created my own library, which resolved some of these issues.

03/18/2012, 15:04 | #148
elite*gold: 0 | Join Date: Aug 2010 | Posts: 992 | Received Thanks: 1,110
Quote:
Originally Posted by -Shunsui-
So do any of you guys have the SendPacket address?

Code:
private const int SendPacketAddress = 0x7155FD;
private const int NetworkClass = 0x9E34C0;

03/18/2012, 21:04 | #149
elite*gold: 0 | Join Date: Apr 2008 | Posts: 1,152 | Received Thanks: 321
Quote:
Originally Posted by { Angelius }
private const int SendPacketAddress = 0x7155FD;
private const int NetworkClass = 0x9E34C0;

Thanks,
I got this jump function somewhat working. The thing is, it does not update my client, and I have no clue why,
but it works.
Code:
DataPacket jump = new DataPacket();
jump.Identifier = Player.Identifier;
jump.Type = DataPacket.DataTypes.Jump;
jump.TimeStamp = Native.TIME.Now.Time;
jump.dwParam = NewX;
jump.dwParam10 = NewY;
jump.wParam1 = Player.X;
jump.wParam2 = Player.Y;
jump.Map = Player.Map;
//jump.wParam3 = 0xFFFFFFFF;
Player.Hooker.SendPacket((Byte[])jump);
Anyone know what I'm missing to send?

03/20/2012, 01:59 | #150
elite*gold: 0 | Join Date: Dec 2007 | Posts: 108 | Received Thanks: 42
The server's response to the jump packet does not update the coords you see on screen. Most people use the "FatalStrikeStep" packet to update the client.
Code:
bw.Write(this.Size); // 0 - 1
bw.Write(this.Type); // 2 - 3
bw.Write(this.EntityId); // 4 - 7
bw.Write(this.NewMapId); // 8 - 9
bw.BaseStream.Position = 20;
bw.Write((ushort)156); // 20 - 21
bw.BaseStream.Position = 24;
bw.Write(this.NewX); // 24 - 25
bw.Write(this.NewY); // 26 - 27
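The three packet layouts given in this thread (the jump buffers in posts #136 and #137, and the FatalStrikeStep layout just above) share one framing: size at offset 0, type at 2, the actor's id at 4, a sub-action code at 20 (137 for the jump, 156 for FatalStrikeStep) and a coordinate pair at 24/26. The following Python decoder is an added example, not part of the thread or of the library: it rebuilds each buffer from the offsets the posts give and decodes it back so the field contents can be checked the way a server-side handler or someone reviewing a traffic log would read them. It checks the size field against the buffer length and reports an unknown sub-action rather than guessing. Assumptions: post #150 does not state the FatalStrikeStep packet's total length or Type, so the builder takes them as parameters with constructed defaults of 38 and 10010; the label "map" for offset 28 follows the 1002 written there in post #136 and the jump.Map field in post #149.

```python
import struct

PACKET_SIZE = 38             # both jump buffers in this thread are 38 bytes
ACTION_TYPE = 10010          # value both jump posts write at offset 2
SUB_JUMP = 137               # offset 20 in posts #136 / #137
SUB_FATAL_STRIKE_STEP = 156  # offset 20 in post #150


def write_u16(value, offset, buf):
    struct.pack_into("<H", buf, offset, value)


def write_u32(value, offset, buf):
    struct.pack_into("<I", buf, offset, value)


def build_jump_post_136(uid, src, dst, map_id, tick):
    """Jump buffer with the offsets post #136 uses (dest at 8/10, source at 24/26, map at 28)."""
    buf = bytearray(PACKET_SIZE)
    write_u16(PACKET_SIZE, 0, buf)
    write_u16(ACTION_TYPE, 2, buf)
    write_u32(uid, 4, buf)
    write_u16(dst[0], 8, buf)
    write_u16(dst[1], 10, buf)
    write_u32(tick, 16, buf)
    write_u16(SUB_JUMP, 20, buf)
    write_u16(src[0], 24, buf)
    write_u16(src[1], 26, buf)
    write_u16(map_id, 28, buf)
    write_u16(0xFFFF, 32, buf)
    write_u16(0xFFFF, 34, buf)
    return bytes(buf)


def build_jump_post_137(uid, tick):
    """Exactly the writes in post #137, hard-coded coordinates included."""
    buf = bytearray(PACKET_SIZE)
    write_u16(PACKET_SIZE, 0, buf)
    write_u16(ACTION_TYPE, 2, buf)
    write_u32(uid, 4, buf)
    write_u16(487, 8, buf)          # ToX
    write_u16(424, 10, buf)         # ToY
    write_u32(0, 12, buf)
    write_u32(tick, 16, buf)
    write_u32(SUB_JUMP, 20, buf)    # that post writes the sub-action as a u32
    write_u16(500, 24, buf)         # Client.X
    write_u16(427, 26, buf)         # Client.Y
    return bytes(buf)


def build_fatal_strike_step(entity_id, new_map, new_x, new_y, size=PACKET_SIZE, ptype=ACTION_TYPE):
    """The writes in post #150; size and type are not given there, so they are parameters (constructed defaults)."""
    buf = bytearray(size)
    write_u16(size, 0, buf)
    write_u16(ptype, 2, buf)
    write_u32(entity_id, 4, buf)
    write_u16(new_map, 8, buf)
    write_u16(SUB_FATAL_STRIKE_STEP, 20, buf)
    write_u16(new_x, 24, buf)
    write_u16(new_y, 26, buf)
    return bytes(buf)


def decode_action(buf):
    """Raw fields at the offsets the posts use; rejects a buffer whose size field disagrees with its length."""
    if len(buf) < 28:
        raise ValueError(f"buffer too short ({len(buf)} bytes) for the offsets used")
    size, ptype = struct.unpack_from("<HH", buf, 0)
    if size != len(buf):
        raise ValueError(f"size field {size} != buffer length {len(buf)}")
    uid = struct.unpack_from("<I", buf, 4)[0]
    f8, f10 = struct.unpack_from("<HH", buf, 8)
    tick = struct.unpack_from("<I", buf, 16)[0]
    sub = struct.unpack_from("<H", buf, 20)[0]
    f24, f26 = struct.unpack_from("<HH", buf, 24)
    f28 = struct.unpack_from("<H", buf, 28)[0] if len(buf) >= 30 else None
    return {"size": size, "type": ptype, "uid": uid, "tick": tick, "sub": sub,
            "f8": f8, "f10": f10, "f24": f24, "f26": f26, "f28": f28}


def describe(buf):
    """Name the fields according to the sub-action, using the labels the posts give them."""
    r = decode_action(buf)
    if r["sub"] == SUB_JUMP:
        return {"action": "jump", "uid": r["uid"], "to": (r["f8"], r["f10"]),
                "from": (r["f24"], r["f26"]), "map": r["f28"]}
    if r["sub"] == SUB_FATAL_STRIKE_STEP:
        return {"action": "fatal_strike_step", "uid": r["uid"], "map": r["f8"],
                "to": (r["f24"], r["f26"])}
    return {"action": f"unknown({r['sub']})", "uid": r["uid"]}
```

Decoding the #136 buffer gives to=(500,427), from=(487,424), map=1002; decoding the #137 buffer gives to=(487,424) and from=(500,427), i.e. the same labels with the asker's two coordinate pairs the other way round, and map=0 because that post never writes offset 28. A buffer shortened by a byte, or one whose size field was tampered with, is rejected before any field is interpreted.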