[Release] Advanced hooking
Discussion on [Release] Advanced hooking within the CO2 Programming forum part of the Conquer Online 2 category.
02/21/2011, 02:48
#16
Quote:
Originally Posted by IAmHawtness
You can easily find memory addresses using CheatEngine. Even though some values aren't fixed, it's easy to find pointers, like the PlayerBaseAddressPointer that points to the base of your character, which holds all kinds of information about your character like id, name, coordinates, hp, mp, stamina, etc.
Unfortunately, you can only place 4 hardware breakpoints since that's what modern processors are limited to. So you've got to be creative when placing breakpoints on functions. You could of course use memory breakpoints, but these alter the memory of the executable directly, so you've gotta be careful.
|
Interesting. Before this lil ol' experiment I had absolutely 0 exp dealing with memory so it will be fun getting down 'n dirty :P
Chances are I really will end up sticking mostly with packets but it's nice to dream ahaha.
02/21/2011, 02:50
#17
Quote:
Originally Posted by pro4never
Interesting. Before this lil ol' experiment I had absolutely 0 exp dealing with memory so it will be fun getting down 'n dirty :P
Chances are I really will end up sticking mostly with packets but it's nice to dream ahaha.
|
Hahahaha, yeah well.. I'm hooking the send/recv functions and then the "shift-click function" for my targeting system and the "limit fps function" for my fps unlocker
02/21/2011, 03:18
#18
Quote:
Originally Posted by IAmHawtness
Hahahaha, yeah well.. I'm hooking the send/recv functions and then the "shift-click function" for my targeting system and the "limit fps function" for my fps unlocker 
|
After reading your guide I am now less of a dumbass and realize that I can read from memory without actually hooking a function.
I.e.: I was about to try to make a hook to pull the character name instead of simply using the ReadString method you already added.
/facepalm
After searching my intelligence for longer than I care to admit I got the Name/ID showing in my fancy select-process list (I hate using Windows Forms with a passion... Consoles are just so warm and cozy! :P)
Not used to not being able to create fancy little structs/classes for holding data (i.e. character name/process ID) and using that for my selection system. And yes, I'm well aware I could google a bit and enlighten myself, but using string formatting works nicely enough for me (Yes... I'm being lame and doing "PID: Name" and then using Split(':')[0] to pull the PID lol!)
Now to actually write some botting stuff! Maybe if I feel ambitious I can finally do a Map HUD. Always wanted to do one but been too terrified of Windows Forms to attempt it ahaha.
<edit>
OK, so I'm running into a slight issue...
Is there some reason why I cannot re-attach to a debuggee even after I've used DetachDebugger()?
Essentially, what I'm doing is: when I open the program or click the refresh button, I run my refresh code to populate my dropdown menu of the clients running on the computer.
Code:
public void RefreshList()
{
    Debuggee Me;
    PIDList.Items.Clear();
    // Attach to every running client just long enough to read the character name.
    foreach (Process ID in Process.GetProcessesByName("Conquer"))
    {
        Me = new Debuggee(ID.Id);
        Me.AttachDebugger();
        string Text = ID.Id + ": ";
        // Fixed-address character name (16 bytes); strip the NUL padding.
        string Add = Me.ReadString(0x8D5D66, (uint)16).Replace("\0", "");
        if (Add.Length > 1)
            Text += Add;
        else
            Text += "Not Loaded";
        PIDList.Items.Add(Text);
        Me.DetachDebugger();
    }
    if (PIDList.Items.Count > 0)
        PIDList.Text = "Select a Process";
    else
        PIDList.Text = "No Client Found";
}
Using that code works perfectly fine. It frees up the process, unlike if I use the COClient code posted. Obviously that's because it's hooking the send/receive functions, meaning if I force-close the bot it will close the client, and inversely, if I hook without setting up my event handlers it won't send/receive packets so it cannot connect. I understand that part. What I don't understand is why, after using DetachDebugger(), I cannot then re-attach later, say... if I click the refresh button.
So basically... if I open the client and log in, then open the bot, it will show "Process ID: Char Name" without issue... if I open the client, open the bot and then log in, it will still say "Process ID: Not Loaded".
<edit again>
Hmm... the client likes to crash randomly now. After about 30-60 seconds of being logged in it just dies. Good times :P
I changed the way I was reading packets so that it creates a copy of the packet, just in case I was unintentionally editing it and causing crashy crash issues lol.
I'm not sending any packets at all so it's not an issue with that.
Yay for debugging w/o my handy dandy console :P
<edit for the last time... I swear (not)>
So I'm failwhail.
The crashing was caused by the hooker not detaching from the original list. If I log into the game fully and THEN run the selector, select my character and open up the botting window it seems to work perfectly fine.
For now I'm gonna remove the hooking code in the selector and try again, because much of my code is still packet based, so I wanna be able to read those packets during login.
<Going to bed after this edit>
So now that it's not crashing I decided to start adding in some botting code. I got a bunch of GUI stuff added and whatnot but am running into an issue sending packets.
Obviously the posted examples don't contain a send packet method so I'm attempting to write my own but not having done anything with memory edits before I have no clue what I'm doing.
I tried using the WriteByteArray method but it seems to crash the client (going to bed so I haven't messed with it much but w/e).
Example packet attempt
Code:
public static void LootItem(Client C, GroundItem I)
{
    byte[] Pack = new byte[32];
    PacketHandler.WriteUInt16((ushort)(Pack.Length - 8), 0, Pack); // length field: everything before the 8-byte seal
    PacketHandler.WriteUInt16(1101, 2, Pack);                       // packet type
    PacketHandler.WriteUInt32(I.UID, 4, Pack);                      // ground item UID
    PacketHandler.WriteUInt32(C.UID, 8, Pack);                      // character UID
    PacketHandler.WriteUInt16(I.X, 12, Pack);                       // item coordinates
    PacketHandler.WriteUInt16(I.Y, 14, Pack);
    PacketHandler.WriteUInt16(3, 18, Pack);
    PacketHandler.WriteString("TQClient", 24, Pack);                // trailing seal
    // Writes the packet bytes over the send function's code instead of calling it;
    // the reply below corrects this.
    C.Owner.Hooked.Dbg.WriteByteArray(Pack, 0x688F46);
}
I assumed (incorrectly it seems) that I could just write to memory at the send function. But obviously it's not as simple as that :P
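Added example (editor's, not code from the thread or from the AdvancedHooking library): a writer/reader for the framing the LootItem snippet above uses, taken only from what the snippet shows (little-endian length at offset 0 that counts everything before the 8-byte "TQClient" seal, type at offset 2, the seal at the end, and the item/character/X/Y/3 field order). The PacketHandler helpers the snippet calls are not on the page, so this block brings its own; the meaning of the constant 3 is not given on the page and is not guessed here.

```csharp
using System;
using System.Text;

// Added example: build and validate packets laid out like the LootItem snippet.
// Only the framing is taken from the page; the helpers are this example's own.
public static class TqPacket
{
    private static readonly byte[] Seal = Encoding.ASCII.GetBytes("TQClient");

    // body is everything after the 4-byte header and before the seal.
    public static byte[] Build(ushort type, byte[] body)
    {
        int payloadLength = 4 + body.Length;               // header + body, seal excluded
        byte[] packet = new byte[payloadLength + Seal.Length];
        WriteUInt16(packet, 0, (ushort)payloadLength);    // same value as Pack.Length - 8 above
        WriteUInt16(packet, 2, type);
        Buffer.BlockCopy(body, 0, packet, 4, body.Length);
        Buffer.BlockCopy(Seal, 0, packet, payloadLength, Seal.Length);
        return packet;
    }

    // Returns false instead of throwing on anything that does not match the layout,
    // which is what a recv hook wants when it sees bytes it does not understand.
    public static bool TryParse(byte[] packet, out ushort type, out byte[] body)
    {
        type = 0; body = null;
        if (packet == null || packet.Length < 4 + Seal.Length) return false;
        int payloadLength = ReadUInt16(packet, 0);
        if (payloadLength < 4 || payloadLength + Seal.Length != packet.Length) return false;
        for (int i = 0; i < Seal.Length; i++)
            if (packet[payloadLength + i] != Seal[i]) return false;
        type = ReadUInt16(packet, 2);
        body = new byte[payloadLength - 4];
        Buffer.BlockCopy(packet, 4, body, 0, body.Length);
        return true;
    }

    // Same offsets as the LootItem snippet (body offset = packet offset - 4).
    public static byte[] BuildLootItem(uint itemUid, uint charUid, ushort x, ushort y)
    {
        byte[] body = new byte[20];                        // packet offsets 4..23
        WriteUInt32(body, 0, itemUid);                     // packet offset 4
        WriteUInt32(body, 4, charUid);                     // packet offset 8
        WriteUInt16(body, 8, x);                           // packet offset 12
        WriteUInt16(body, 10, y);                          // packet offset 14
        WriteUInt16(body, 14, 3);                          // packet offset 18, constant from the snippet
        return Build(1101, body);                          // 32 bytes in total
    }

    public static void WriteUInt16(byte[] buf, int offset, ushort value)
    {
        buf[offset] = (byte)value;
        buf[offset + 1] = (byte)(value >> 8);
    }

    public static void WriteUInt32(byte[] buf, int offset, uint value)
    {
        for (int i = 0; i < 4; i++) buf[offset + i] = (byte)(value >> (8 * i));
    }

    public static ushort ReadUInt16(byte[] buf, int offset)
    {
        return (ushort)(buf[offset] | (buf[offset + 1] << 8));
    }

    public static void Main()
    {
        // Constructed values, not from a real capture.
        byte[] p = BuildLootItem(0x11223344, 1000001, 300, 400);
        Console.WriteLine(BitConverter.ToString(p));
        ushort type; byte[] body;
        bool ok = TryParse(p, out type, out body);
        Console.WriteLine("parsed=" + ok + " type=" + type + " bodyLen=" + body.Length);
    }
}
```

TryParse is the half a recv hook actually needs: it rejects a buffer whose length field and seal do not agree with the buffer size before any field is read, so a truncated or foreign buffer never becomes a bogus packet object.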
02/21/2011, 08:50
#19
I can't handle this, this is insane O_O. Can't believe you, ImHawt, you're crazy...
How did you figure this out? Oh my *** damn, man... Thanks for sharing :P
02/21/2011, 09:31
#20
Hello, sorry, maybe this will sound stupid, but I'm new at things like this. So does this library work for a specific programming language, or is there no difference?
02/21/2011, 09:41
#21
The .dll should work with any .net language.
The example is in VB and it already has some C# implementation posted. I suppose you could also run through some of the other C# code I posted using it although I haven't posted anything up to where it actually... DOES something lol. It's a great tool, just wish I knew how to send packets using memory addresses ^^
02/21/2011, 14:34
#22
Quote:
Originally Posted by pro4never
Obviously the posted examples don't contain a send packet method so I'm attempting to write my own but not having done anything with memory edits before I have no clue what I'm doing.
I tried using the WriteByteArray method but it seems to crash the client (going to bed so I haven't messed with it much but w/e).
Example packet attempt
Code:
public static void LootItem(Client C, GroundItem I)
{
    byte[] Pack = new byte[32];
    PacketHandler.WriteUInt16((ushort)(Pack.Length - 8), 0, Pack); // length field: everything before the 8-byte seal
    PacketHandler.WriteUInt16(1101, 2, Pack);                       // packet type
    PacketHandler.WriteUInt32(I.UID, 4, Pack);                      // ground item UID
    PacketHandler.WriteUInt32(C.UID, 8, Pack);                      // character UID
    PacketHandler.WriteUInt16(I.X, 12, Pack);                       // item coordinates
    PacketHandler.WriteUInt16(I.Y, 14, Pack);
    PacketHandler.WriteUInt16(3, 18, Pack);
    PacketHandler.WriteString("TQClient", 24, Pack);                // trailing seal
    // Writes the packet bytes over the send function's code instead of calling it;
    // the reply below corrects this.
    C.Owner.Hooked.Dbg.WriteByteArray(Pack, 0x688F46);
}
I assumed (incorrectly it seems) that I could just write to memory at the send function. But obviously it's not as simple as that :P
|
Oh damn no, that's wrong. What you want to do is "call" the SendPacket method using the ExecuteCode method. The current SendPacket method (0x68B0B2) takes two parameters, packet address and packet size.
The approach is something like this:
Edit: Fuck it, I re-uploaded a new sample with a working SendPacket function.
Note that I'm using a delegate and BeginInvoke to send packets asynchronously, since I figured people want to be able to do something like:
Code:
private void _OnClientJump()
{
SendPacket(new JumpPacket(Id, Coordinates, MapId)).BuildPacket();
}
Or whatever. It's just that you can't execute code directly in your event handlers, so you have to do it asynchronously. It's because the ExecuteCode function waits until the code is finished running, blocking the thread, which interferes with the debug loop that listens for debug events, because the ExecuteCode function itself creates a debug event.
You might also wanna download the new AdvancedHooking.dll since I changed and fixed the ExecuteCode function
Edit:
Yes, I realize that using delegates for this is retarded, and a packet queue or something similar would be a lot more efficient, since using delegates with BeginInvoke is slow and cpu intensive as hell.
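Added example (editor's, not the sample project's code): the "packet queue or something similar" alternative to delegate+BeginInvoke that the post above mentions. Handlers only enqueue; one dedicated thread drains the queue and is the only place the injected call runs, so the thread that raised the debug event returns to the debug loop at once. The `executeSend` callback is an assumption that stands in for whatever actually runs SendPacket inside the client (ExecuteCode in AdvancedHooking, or a stub); its name and signature are not from the page.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading;

// Added example: a packet queue with one sender thread. executeSend stands in for
// the library's ExecuteCode-based SendPacket (name/signature assumed, not from the page).
public sealed class PacketSender : IDisposable
{
    private readonly BlockingCollection<byte[]> _queue = new BlockingCollection<byte[]>();
    private readonly Action<byte[]> _executeSend;
    private readonly Thread _worker;

    public PacketSender(Action<byte[]> executeSend)
    {
        if (executeSend == null) throw new ArgumentNullException("executeSend");
        _executeSend = executeSend;
        _worker = new Thread(Pump) { IsBackground = true, Name = "PacketSender" };
        _worker.Start();
    }

    // Called from the recv hook / event handlers. Never blocks and never runs
    // executeSend on the caller's thread, so the debug loop that raised the event
    // is free to keep pumping debug events, which ExecuteCode itself depends on.
    public void Enqueue(byte[] packet)
    {
        if (packet == null) throw new ArgumentNullException("packet");
        // Copy: the hook's buffer may be the client's own memory and be reused.
        _queue.Add((byte[])packet.Clone());
    }

    private void Pump()
    {
        // Blocks while the queue is empty; ends once CompleteAdding has been
        // called and the remaining packets have gone out.
        foreach (byte[] packet in _queue.GetConsumingEnumerable())
        {
            try { _executeSend(packet); }
            catch (Exception ex) { Console.WriteLine("send failed: " + ex.Message); }
        }
    }

    public void Dispose()
    {
        _queue.CompleteAdding();                  // flush, then let the thread exit
        _worker.Join(TimeSpan.FromSeconds(5));
    }

    // Stand-alone demo with a fake executeSend that only counts and logs.
    public static void Main()
    {
        int sent = 0;
        using (var sender = new PacketSender(p =>
        {
            Interlocked.Increment(ref sent);
            Console.WriteLine("sent " + p.Length + " bytes");
        }))
        {
            // What an OnClientJump-style handler does: queue and return immediately.
            sender.Enqueue(new byte[] { 0x18, 0x00, 0x4D, 0x04 });   // constructed bytes
            sender.Enqueue(new byte[32]);
        }
        Console.WriteLine("packets sent: " + sent);
    }
}
```

Dispose calls CompleteAdding rather than aborting the thread, so a packet that was queued just before shutdown still goes out; the Join timeout is there only so a hung client cannot hang the bot's exit.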
02/21/2011, 19:06
#23
Can anyone tell me what this is and what you can do with Advanced Hooking?
HOW TO USE?
02/21/2011, 19:19
#24
It is a tool used to hook onto the send() and recv() functions of the client. You can use the send() and recv() functions to make a bot or hack. You have to know about packets and how to build them. It's virtually a limitless botting foundation.
02/21/2011, 19:31
#25
Quote:
Originally Posted by ImFlamedCOD
It is a tool used to hook onto the send() and recv() functions of the client. You can use the send() and recv() functions to make a bot or hack. You have to know about packets and how to build them. It's virtually a limitless botting foundation.
|
It can hook more than just the send/recv functions though. Even though those two functions would be the most obvious to hook
02/21/2011, 21:04
#26
Quote:
Originally Posted by IAmHawtness
Oh damn no, that's wrong. What you want to do is "call" the SendPacket method using the ExecuteCode method. The current SendPacket method (0x68B0B2) takes two parameters, packet address and packet size.
The approach is something like this:
Edit: Fuck it, I re-uploaded a new sample with a working SendPacket function.
Note that I'm using a delegate and BeginInvoke to send packets asynchronously, since I figured people want to be able to do something like:
Code:
private void _OnClientJump()
{
SendPacket(new JumpPacket(Id, Coordinates, MapId)).BuildPacket();
}
Or whatever. It's just that, you can't execute code directly in your event handlers, so you have to do it asynchronously. It's because the ExecuteCode function waits until the code is finished running, blocking the thread because it interfers with the debug loop that listens for debug events - because the ExecuteCode function creates a debug event.
You might also wanna download the new AdvancedHooking.dll since I changed and fixed the ExecuteCode function
Edit:
Yes, I realize that using delegates for this is retarded, and a packet queue or something similar would be a lot more efficient, since using delegates with BeginInvoke is slow and cpu intensive as hell.
|
Yah I knew it was just me being stupid ^^.
As I said, never worked with memory before so I'm used to being able to just be like "SEND THIS DAMN PACKET NAOOOO!!"
And yes, Packet queues are incredibly sexy
02/21/2011, 21:45
#27
Quote:
Originally Posted by IAmHawtness
It can hook more than just the send/recv functions though. Even though those two functions would be the most obvious to hook 
|
I also hook the jump function in my bot, just because... I don't like to use the ninja step or the refresh packet to update my character's position on my screen :P That's just preference though; sometimes I like to watch my bots lol
Edit:
@p4n you can just use a send the damn packet method lol.
Mine looks like this
Code:
unsafe public void SendPacket(byte[] packet)
{
    // Copy the packet into the client's address space. AllocMem/Write/Execute/FreeMem
    // are this bot's own wrappers around the hooking library.
    int packetAdr = AllocMem(packet.Length);
    Write(packetAdr, packet);

    // x86 stub run inside the client: SendPacket(packet, size) takes its instance in
    // ECX (__thiscall), so the arguments are pushed right to left (size first) and
    // the callee cleans the stack, hence no ADD ESP before the RET.
    byte[] buffer = new byte[] {
        0x68, 0x00, 0x00, 0x00, 0x00, // PUSH imm32 ; size            (patched below)
        0x68, 0x00, 0x00, 0x00, 0x00, // PUSH imm32 ; packet address  (patched below)
        0xB9, 0x60, 0x12, 0x80, 0x00, // MOV ECX, imm32 ; SendPacketEcx (patched below)
        0xB8, 0x00, 0x00, 0x00, 0x00, // MOV EAX, imm32 ; SendPacketFn  (patched below)
        0xFF, 0xD0,                   // CALL EAX
        0xC3,                         // RET
    };
    // Patch the four immediates in place; each sits one byte past its opcode.
    fixed (byte* ptr = buffer)
    {
        *((int*)(ptr + 1)) = packet.Length;
        *((int*)(ptr + 6)) = packetAdr;
        *((int*)(ptr + 11)) = SendPacketEcx;
        *((int*)(ptr + 16)) = SendPacketFn;
    }
    Execute(buffer);
    FreeMem(packetAdr);
}
I just call SendPacket with a byte array as an argument and send it in, some may argue this is inefficient or whatever but I've never had any trouble with it : >
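Added example (editor's, not Ian*'s code or the library's): the stub above generalised into a small assembler, so the same routine serves functions with any number of dword arguments and makes the calling-convention difference explicit. Under __thiscall and __stdcall the callee pops the arguments, which is why the stub above needs no ADD ESP; under __cdecl the stub has to pop them itself or the RET would land on an argument. The 0x68B0B2 address comes from the thread, 0x00801260 is the placeholder baked into the stub bytes above, and the packet address is made up; Execute/AllocMem/FreeMem are not called here, the block only assembles and prints the bytes.

```csharp
using System;
using System.Collections.Generic;

// Added example: assemble a 32-bit x86 call stub for a function inside the client.
// Arguments are pushed right to left, ECX is loaded for __thiscall, the call goes
// through EAX, and __cdecl gets caller-side stack cleanup before the RET.
public enum CallConv { Cdecl, Stdcall, Thiscall }

public static class CallStub
{
    public static byte[] Build(uint function, CallConv conv, uint thisPtr, params uint[] args)
    {
        if (!BitConverter.IsLittleEndian)
            throw new PlatformNotSupportedException("immediates are emitted little-endian");
        var code = new List<byte>();
        for (int i = args.Length - 1; i >= 0; i--)
        {
            code.Add(0x68);                             // PUSH imm32 (last argument first)
            code.AddRange(BitConverter.GetBytes(args[i]));
        }
        if (conv == CallConv.Thiscall)
        {
            code.Add(0xB9);                             // MOV ECX, imm32 (this pointer)
            code.AddRange(BitConverter.GetBytes(thisPtr));
        }
        code.Add(0xB8);                                 // MOV EAX, imm32 (function address)
        code.AddRange(BitConverter.GetBytes(function));
        code.Add(0xFF); code.Add(0xD0);                 // CALL EAX
        if (conv == CallConv.Cdecl && args.Length > 0)
        {
            int bytes = 4 * args.Length;                // caller cleans up: ADD ESP, n
            if (bytes <= 127) { code.Add(0x83); code.Add(0xC4); code.Add((byte)bytes); }   // imm8 form
            else { code.Add(0x81); code.Add(0xC4); code.AddRange(BitConverter.GetBytes(bytes)); } // imm32 form
        }
        code.Add(0xC3);                                 // RET to the library's trampoline
        return code.ToArray();
    }

    public static void Main()
    {
        // SendPacket(packet, size) with ECX = instance, as in the post above.
        uint sendPacketFn = 0x0068B0B2;     // address given in the thread
        uint sendPacketEcx = 0x00801260;    // placeholder from the stub bytes above
        uint packetAddr = 0x03A00000;       // made-up address of the copied packet
        byte[] thiscall = Build(sendPacketFn, CallConv.Thiscall, sendPacketEcx, packetAddr, 32);
        Console.WriteLine("thiscall: " + BitConverter.ToString(thiscall));

        // The same call as __cdecl: no MOV ECX, and ADD ESP, 8 after the CALL.
        byte[] cdecl = Build(sendPacketFn, CallConv.Cdecl, 0, packetAddr, 32);
        Console.WriteLine("cdecl:    " + BitConverter.ToString(cdecl));
    }
}
```

Getting the convention wrong does not fail loudly: with a missing ADD ESP the RET pops an argument as the return address and the client crashes somewhere unrelated, which is the kind of "random" crash worth checking the stub for first.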
02/22/2011, 18:07
#28
Good old Melee days might return?
Somehow I can't attach it to the client.
Error: Failed to attach to client
Hmmmz, it's an official client, not edited.
<edit>
OK, I could attach it; it was a Windows 7 account rights restriction. Just opening the file with admin rights dealt with the issue.
But information like CharName and packets still isn't working.
02/22/2011, 21:42
#29
Quote:
Originally Posted by stickray
Good old Melee days might return?
Somehow I can't attach it to the client.
Error: Failed to attach to client
Hmmmz, it's an official client, not edited.
<edit>
OK, I could attach it; it was a Windows 7 account rights restriction. Just opening the file with admin rights dealt with the issue.
But information like CharName and packets still isn't working.
|
Simply attaching to the client won't give you that information. How are you trying to read it?
There's a few ways.
#1: Read from memory.
-Use cheat engine to find the character name address (seems to be a fixed address so that's always nice.)
#2: Hook before logging in and then read it from the heroinformation packet
-Simple to do but requires you to hook BEFORE logging in.
@ the packet example.
I'll probably give that a shot today.
I attempted to use the new example project run through a VB > C# converter but was running into an issue with the delegate (i.e. it bitchslapped me and I got bored :P)
Quote:
Originally Posted by Ian*
I also hook the jump function in my bot, just because.. i don't like to use the ninja step or the refresh packet to update my characters position on my screen :P that's just preference though, sometimes i like to watch my bots lol
Edit:
@p4n you can just use a send the damn packet method lol.
Mine looks like this
Code:
unsafe public void SendPacket(byte[] packet)
{
    // Copy the packet into the client's address space. AllocMem/Write/Execute/FreeMem
    // are this bot's own wrappers around the hooking library.
    int packetAdr = AllocMem(packet.Length);
    Write(packetAdr, packet);

    // x86 stub run inside the client: SendPacket(packet, size) takes its instance in
    // ECX (__thiscall), so the arguments are pushed right to left (size first) and
    // the callee cleans the stack, hence no ADD ESP before the RET.
    byte[] buffer = new byte[] {
        0x68, 0x00, 0x00, 0x00, 0x00, // PUSH imm32 ; size            (patched below)
        0x68, 0x00, 0x00, 0x00, 0x00, // PUSH imm32 ; packet address  (patched below)
        0xB9, 0x60, 0x12, 0x80, 0x00, // MOV ECX, imm32 ; SendPacketEcx (patched below)
        0xB8, 0x00, 0x00, 0x00, 0x00, // MOV EAX, imm32 ; SendPacketFn  (patched below)
        0xFF, 0xD0,                   // CALL EAX
        0xC3,                         // RET
    };
    // Patch the four immediates in place; each sits one byte past its opcode.
    fixed (byte* ptr = buffer)
    {
        *((int*)(ptr + 1)) = packet.Length;
        *((int*)(ptr + 6)) = packetAdr;
        *((int*)(ptr + 11)) = SendPacketEcx;
        *((int*)(ptr + 16)) = SendPacketFn;
    }
    Execute(buffer);
    FreeMem(packetAdr);
}
I just call SendPacket with a byte array as an argument and send it in, some may argue this is inefficient or whatever but I've never had any trouble with it : >
|
So this then begs the question of course of...
SendPacketEcx;
SendPacketFn;
 YAY for noob p4n!
I'm guessing SendPacketFn would be const int SendPacketAddress = 0x68b0b2; but I have no idea what SendPacketEcx would be (I am GUESSING that it's the actual packet to be sent... which I fail at and seem not to be able to find ^^)
02/22/2011, 23:35
#30
Quote:
Originally Posted by pro4never
So this then begs the question of course of...
SendPacketEcx;
SendPacketFn;
 YAY for noob p4n!
I'm guessing SendPacketFn would be const int SendPacketAddress = 0x68b0b2; but I have no idea what SendPacketEcx would be (I am GUESSING that it's the actual packet to be sent... which I fail at and seem not to be able to find ^^)
|
When ECX is being set before a function call it usually means it's a class function (__thiscall), where ECX is the "this" pointer, aka pointer to the class instance from which the function is being called.
You can find this address with a debugger: set a breakpoint on the function start and check the ECX register when you land there, then search for that address in Cheat Engine and find a static pointer to it. That's the way I do it.
Edit: that's for C++
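Added example (editor's, not from the thread): the second half of the procedure above, once the breakpoint has shown what ECX holds and Cheat Engine's pointer scan has turned that into a static base plus offsets. Resolving the chain at runtime, instead of hard-coding the ECX value seen once, is what keeps SendPacketEcx valid across logins. `readInt` stands in for the library's 4-byte memory read (its real name is not on the page) and is fed a constructed memory image here so the block runs without a client.

```csharp
using System;
using System.Collections.Generic;

// Added example: walk a Cheat Engine style pointer chain [[base]+o1]+o2 ... at runtime.
// readInt is assumed to read a dword at an address; here it reads a fake memory map.
public static class PointerChain
{
    // Reads the static slot, then for each offset adds it and dereferences, except
    // the last offset, which is only added (that is the object address itself).
    // Returns 0 as soon as any hop reads 0, e.g. before the object exists at login.
    public static uint Resolve(Func<uint, uint> readInt, uint staticBase, params uint[] offsets)
    {
        uint address = readInt(staticBase);
        for (int i = 0; i < offsets.Length; i++)
        {
            if (address == 0) return 0;
            address += offsets[i];
            if (i < offsets.Length - 1)
                address = readInt(address);
        }
        return address;
    }

    public static void Main()
    {
        // Constructed memory image, not a real dump: the static slot at 0x00A00000
        // points to a client object at 0x03000010 whose field at +0x1C points to the
        // instance whose address belongs in ECX.
        var memory = new Dictionary<uint, uint>
        {
            { 0x00A00000, 0x03000010 },
            { 0x03000010 + 0x1C, 0x03100000 },
        };
        Func<uint, uint> readInt = addr => memory.ContainsKey(addr) ? memory[addr] : 0u;

        uint sendPacketEcx = Resolve(readInt, 0x00A00000, 0x1C, 0x00);
        Console.WriteLine("SendPacketEcx = 0x" + sendPacketEcx.ToString("X8"));

        // After "logout" the static slot reads 0; the walk reports 0 rather than
        // handing out a dangling pointer for the stub to load into ECX.
        memory[0x00A00000] = 0;
        Console.WriteLine("after logout: 0x" + Resolve(readInt, 0x00A00000, 0x1C, 0x00).ToString("X8"));
    }
}
```

Check the result of Resolve for 0 before building the send stub; loading a stale or zero ECX and calling SendPacket is one more way to get the "client dies after a while" symptom from earlier in the thread.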