[Proof of Concept]Why not to trust a public multi-client (bananasplit in asm)
Discussion on [Proof of Concept]Why not to trust a public multi-client (bananasplit in asm) within the CO2 Programming forum part of the Conquer Online 2 category.
09/23/2008, 05:54 #1
Patch 5063
Now, this is only designed for you to input the command, but it could just as easily be modified to do the same if someone says it to you. This guide only explains the un-equipping phase.
First I start here:
This is a subfunction of the Sendtext function. During this function EAX stores the current text about to be sent from the chat box to a packet. At 00457E85 EAX changes, so I will make my hook just before there; 00457E7D has a large enough instruction to be changed to a JMP, so this will do just fine.
This could be caved anywhere, but for now I'll put it at the end of the exe, so LEA EDI,DWORD PTR DS:[ESI+FA8] becomes JMP 00524BAE.
And now for the code:
In English, this checks whether the text you just sent matches a set codeword and, if so, unequips all your gear. Like I said, this could easily be made so that if someone says the codeword to you, everything will unequip. I won't tell you how to do it, but the information is right there; with a little modding it's easily possible.
09/23/2008, 06:45 #2
Now that's why I don't trust multis by others haha.
Also glad there's the lock function!
So I tried this,
though without success; well, the only success is that my hat got unequipped.
I triple-checked everything. How does this look? Do you see if I made a mistake, or was it meant to only unequip the hat?
If so, why the other calls?
Code:
0045DF4A . /E9 B1230D00 JMP Conquer.00530300
0045DF4F |90 NOP
0045DF50 > |8BCF MOV ECX,EDI ; ntdll.7C910208
Code:
00530300 > 8DBE A80F0000 LEA EDI,DWORD PTR DS:[ESI+FA8]
00530306 . 8BD0 MOV EDX,EAX
00530308 . BB 41035300 MOV EBX,Conquer.00530341 ; ASCII "bananasplit"
0053030D . 52 PUSH EDX ; /s2 = "ÍxA4$"
0053030E . 53 PUSH EBX ; |s1 = ""
0053030F . E8 68A5FCFF CALL <JMP.&MSVCRT.strcmp> ; strcmp
00530314 . 58 POP EAX ; kernel32.7C817067
00530315 . 75 23 JNZ SHORT Conquer.0053033A
00530317 . E8 822BF2FF CALL Conquer.00452E9E
0053031C . E8 A22BF2FF CALL Conquer.00452EC3
00530321 . E8 C22BF2FF CALL Conquer.00452EE8
00530326 . E8 E22BF2FF CALL Conquer.00452F0D
0053032B . E8 022CF2FF CALL Conquer.00452F32
00530330 . E8 222CF2FF CALL Conquer.00452F57
00530335 . E8 422CF2FF CALL Conquer.00452F7C
0053033A >^ E9 11DCF2FF JMP Conquer.0045DF50
0053033F 00 DB 00
00530340 00 DB 00
00530341 . 62 61 6E 61 6E 61>ASCII "bananasplit",0
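To see how the displacements in the listing above line up, here is an added example (mine, not code from the thread or from *M*) that re-assembles the cave from the addresses shown in reply #2 and checks the result byte for byte against OllyDbg's bytes column. The strcmp thunk address 0x004FA87C is not printed in the listing; it is derived from the posted displacement (E8 68A5FCFF at 0053030F) and is an assumption to that extent.

```python
import struct

def rel32(insn_addr: int, target: int) -> int:
    """Displacement carried by a 5-byte E8/E9: it is measured from the NEXT instruction."""
    return target - (insn_addr + 5)

def branch(opcode: int, insn_addr: int, target: int) -> bytes:
    """Encode a near CALL (0xE8) or JMP (0xE9) located at insn_addr and reaching target."""
    return bytes([opcode]) + struct.pack("<i", rel32(insn_addr, target))

def decode_branch(insn_addr: int, code: bytes):
    """Decode a 5-byte E8/E9 at insn_addr into (mnemonic, absolute target); None if not one."""
    if len(code) < 5 or code[0] not in (0xE8, 0xE9):
        return None
    disp = struct.unpack("<i", code[1:5])[0]
    return ("CALL" if code[0] == 0xE8 else "JMP"), (insn_addr + 5 + disp) & 0xFFFFFFFF

# Addresses as shown in the reply #2 listing (Conquer.exe as loaded in OllyDbg).
HOOK_ADDR = 0x0045DF4A      # LEA EDI,DWORD PTR DS:[ESI+FA8], 6 bytes: 8D BE A8 0F 00 00
RETURN_ADDR = 0x0045DF50    # MOV ECX,EDI, the first instruction after the hooked LEA
CAVE_ADDR = 0x00530300
STRCMP_THUNK = 0x004FA87C   # <JMP.&MSVCRT.strcmp>; assumed from E8 68A5FCFF at 0053030F
UNEQUIP_FUNCS = [0x00452E9E, 0x00452EC3, 0x00452EE8, 0x00452F0D,
                 0x00452F32, 0x00452F57, 0x00452F7C]
STRING_OFFSET = 0x41        # "bananasplit" lives at 00530341 = CAVE_ADDR + 0x41
ORIGINAL_LEA = bytes.fromhex("8DBEA80F0000")

def build_hook_patch() -> bytes:
    """The 6 bytes written over the LEA: JMP cave plus one NOP, so no instruction is split."""
    patch = branch(0xE9, HOOK_ADDR, CAVE_ADDR) + b"\x90"
    assert len(patch) == len(ORIGINAL_LEA)
    return patch

def build_cave(codeword: bytes = b"bananasplit") -> bytes:
    """Assemble the cave in the listing's layout, recomputing every displacement."""
    code = bytearray()
    here = lambda: CAVE_ADDR + len(code)        # VA of the instruction about to be emitted
    code += ORIGINAL_LEA                         # re-execute the displaced LEA EDI,[ESI+FA8]
    code += b"\x8B\xD0"                          # MOV EDX,EAX    (EAX -> the text just typed)
    code += b"\xBB" + struct.pack("<I", CAVE_ADDR + STRING_OFFSET)   # MOV EBX, &codeword
    code += b"\x52\x53"                          # PUSH EDX ; PUSH EBX   (cdecl arguments)
    code += branch(0xE8, here(), STRCMP_THUNK)   # CALL strcmp
    code += b"\x58"                              # POP EAX: removes 4 of the 8 pushed bytes
    code += b"\x75" + bytes([5 * len(UNEQUIP_FUNCS)])   # JNZ SHORT over the unequip calls
    for fn in UNEQUIP_FUNCS:
        code += branch(0xE8, here(), fn)         # CALL one unequip-slot routine
    code += branch(0xE9, here(), RETURN_ADDR)    # JMP back to 0045DF50
    code += b"\x00\x00"                          # the two DB 00 pad bytes from the listing
    assert len(code) == STRING_OFFSET            # the MOV EBX immediate above must be right
    code += codeword + b"\x00"
    return bytes(code)

# Bytes column of the reply #2 listing, concatenated: the hook site, then the cave.
LISTED_HOOK = bytes.fromhex("E9B1230D0090")
LISTED_CAVE = bytes.fromhex(
    "8DBEA80F0000" "8BD0" "BB41035300" "52" "53" "E868A5FCFF" "58" "7523"
    "E8822BF2FF" "E8A22BF2FF" "E8C22BF2FF" "E8E22BF2FF" "E8022CF2FF"
    "E8222CF2FF" "E8422CF2FF" "E911DCF2FF" "0000" "62616E616E6173706C697400")

def matches_listing() -> bool:
    """True when the rebuilt bytes are identical to what OllyDbg showed in reply #2."""
    return build_hook_patch() == LISTED_HOOK and build_cave() == LISTED_CAVE

def esp_delta() -> int:
    """Net ESP change the cave leaves behind on either path: two PUSHes, one POP."""
    return -8 + 4

if __name__ == "__main__":
    print("hook:", build_hook_patch().hex().upper())
    print("cave:", build_cave().hex().upper())
    print("matches listing:", matches_listing(), " ESP delta:", esp_delta())
    for off in (0x0F, 0x17, 0x3A):   # decode three of the branches back to their targets
        print(hex(CAVE_ADDR + off), decode_branch(CAVE_ADDR + off, build_cave()[off:off + 5]))
```

Two things worth noticing in the rebuilt bytes. The hook is a 5-byte JMP plus one NOP, exactly covering the 6-byte LEA so the instruction boundary at 0045DF50 survives. The cave, on the other hand, pushes two arguments for a cdecl strcmp but pops only one before jumping back, so the original function resumes with ESP 4 bytes lower than it left it, and the JNZ acts on whatever flags strcmp's last instruction happened to leave rather than on a test of its return value. Details like these are what let a patch of this kind work on one code path and fall over on another.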
09/24/2008, 06:54 #3
Go into the calls to unequip slots and you'll see there's a JNZ or something; NOP those jumps and it should work. That happened to me as well when I first did it, but it seems to work without it for me now.
09/24/2008, 10:56 #4
Correct me if I'm a noob for saying this lol,
but wouldn't it be enough to check the size of the original conquer.exe file against the downloaded one?
I always do it if I download a multi, and I suppose your added asm lines would increase the size.
09/24/2008, 11:23 #5
Quote:
Originally Posted by soymadmax
Correct me if I'm a noob for saying this lol,
but wouldn't it be enough to check the size of the original conquer.exe file against the downloaded one?
I always do it if I download a multi, and I suppose your added asm lines would increase the size.

Nope, this code is done inside the exe, so there is no change in size.
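The size check proposed in #4 fails for exactly the reason #5 gives: the JMP overwrites bytes the file already has, and the cave goes into bytes the file already has. What does work is a hash of the whole file against a known-good copy, followed by a byte-level diff to see where and what changed. The following is an added example (not from the thread) that does that on two constructed images, a clean one and a copy patched in the same shape as the listing in #2; the image base 0x00400000 and a flat file-offset-to-VA mapping are assumptions made to keep the report readable, and a real PE needs its section table to do that conversion properly.

```python
import hashlib
import struct

IMAGE_BASE = 0x00400000   # assumed flat file-offset -> VA mapping, used only for reporting

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def changed_ranges(clean: bytes, suspect: bytes, merge_gap: int = 4) -> list:
    """[start, end) runs of differing bytes. Runs separated by <= merge_gap equal bytes are
    merged, because a patch often leaves a byte or two unchanged by coincidence."""
    if len(clean) != len(suspect):
        raise ValueError("sizes differ: this is already a different file")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(clean, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, len(clean)))
    merged = []
    for s, e in runs:
        if merged and s - merged[-1][1] <= merge_gap:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return merged

def decode_branch(insn_addr: int, code: bytes):
    """5-byte near CALL/JMP at insn_addr -> (mnemonic, absolute target); None if not one."""
    if len(code) < 5 or code[0] not in (0xE8, 0xE9):
        return None
    disp = struct.unpack("<i", code[1:5])[0]
    return ("CALL" if code[0] == 0xE8 else "JMP"), (insn_addr + 5 + disp) & 0xFFFFFFFF

def audit(clean: bytes, suspect: bytes) -> dict:
    """Size check, hash check, then locate each patch and see where injected branches go."""
    report = {"same_size": len(clean) == len(suspect),
              "same_hash": sha256(clean) == sha256(suspect), "patches": []}
    if not report["same_size"] or report["same_hash"]:
        return report
    ranges = changed_ranges(clean, suspect)
    for start, end in ranges:
        entry = {"offset": start, "length": end - start}
        br = decode_branch(IMAGE_BASE + start, suspect[start:start + 5])
        if br:
            entry["branch"] = br
            # A branch from one patched spot into another is the classic hook + cave shape.
            target_off = br[1] - IMAGE_BASE
            entry["target_in_patch"] = any(s <= target_off < e for s, e in ranges)
        report["patches"].append(entry)
    return report

def make_sample_images():
    """Constructed stand-ins for a clean client and a trojaned copy (not real Conquer.exe bytes):
    0x100 bytes of 'code' followed by 0x40 bytes of zero padding, like the tail of a section."""
    hook_off, cave_off = 0x4A, 0x100
    clean = bytearray(bytes(range(256)) + b"\x00" * 0x40)
    clean[hook_off:hook_off + 6] = bytes.fromhex("8DBEA80F0000")        # the LEA that gets hooked
    patched = bytearray(clean)
    jmp = b"\xE9" + struct.pack("<i", cave_off - (hook_off + 5)) + b"\x90"
    patched[hook_off:hook_off + 6] = jmp                                 # JMP cave + NOP, same size
    patched[cave_off:cave_off + 8] = bytes.fromhex("8DBEA80F00008BD0")   # cave starts in the padding
    return bytes(clean), bytes(patched)

if __name__ == "__main__":
    clean, patched = make_sample_images()
    r = audit(clean, patched)
    print("same size:", r["same_size"], " same hash:", r["same_hash"])
    for p in r["patches"]:
        print(p)
```

On the constructed pair the two files are the same length and differ in hash; the diff reports a 6-byte patch at 0x4A whose first instruction is a JMP into the second changed region at 0x100, which is the shape to look for. In practice the "clean" side is the installer's own copy of the exe, not a file from the same download.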
09/24/2008, 13:59 #6
Got it. I have to admit, very nice haha.
Now, the spot where you set your JMP isn't a good spot;
when you try to whisper you will crash haha.
If I can find the jump to an emote now, THAT would be nice;
perhaps you can help me find the jump to the kneel emote.
09/24/2008, 16:53 #7
So let's say unequip is possible; ummm, item lock?
09/24/2008, 17:29 #8
Quote:
Originally Posted by emmanication
So let's say unequip is possible; ummm, item lock?

That's not the point though (besides, everyone has a seller). I think *M* meant this as proof that it can be done.
09/24/2008, 20:14 #9
Quote:
Originally Posted by emmanication
So let's say unequip is possible; ummm, item lock?

It doesn't matter what the hack does; the point *M* has made with this post is that anyone can modify the client to do anything. It doesn't even need to be an in-game thing: you could modify the client to run/control other applications on your machine, and it would get past any antivirus or firewall you have installed. If you download any binary from anyone, you're running the risk of losing control of your machine, so why bother, when you could just follow a simple guide and make the multi-client yourself?
09/25/2008, 00:40 #10
I've patched the pathfinding button with this. I like it better; that button is useless anyway.
09/25/2008, 07:50 #11
Someone could release a loader that modifies the client to do this as well ;o
09/25/2008, 07:51 #12
Quote:
Originally Posted by unknownone
It doesn't matter what the hack does; the point *M* has made with this post is that anyone can modify the client to do anything. It doesn't even need to be an in-game thing: you could modify the client to run/control other applications on your machine, and it would get past any antivirus or firewall you have installed. If you download any binary from anyone, you're running the risk of losing control of your machine, so why bother, when you could just follow a simple guide and make the multi-client yourself?

Yeah, what he said.
Imagine hooking CO's anti-virus to delete all the files it's supposed to scan; easily possible, and it would probably break Windows.
Quote:
Originally Posted by _fobos_
Got it. I have to admit, very nice haha.
Now, the spot where you set your JMP isn't a good spot;
when you try to whisper you will crash haha.
If I can find the jump to an emote now, THAT would be nice;
perhaps you can help me find the jump to the kneel emote.

Yeah, I know it crashes whisper; that just seemed like a good place for the jump, considering the mod isn't made for gameplay. However, this can be used for functionality also: you can build in commands to help you. Unequipping all items at once has its uses; you could also build in things like a speedhack etc. via command. I will try later to find the kneel function; I have some ideas of where to start (GraphicD.GameDataSetQuery comes to mind).
09/25/2008, 15:59 #13
Quote:
Originally Posted by *M*
Yeah, what he said.
Imagine hooking CO's anti-virus to delete all the files it's supposed to scan; easily possible, and it would probably break Windows.
Yeah, I know it crashes whisper; that just seemed like a good place for the jump, considering the mod isn't made for gameplay. However, this can be used for functionality also: you can build in commands to help you. Unequipping all items at once has its uses; you could also build in things like a speedhack etc. via command. I will try later to find the kneel function; I have some ideas of where to start (GraphicD.GameDataSetQuery comes to mind).

I will look for it as well, and yes, certainly it will have uses. I tried to find the emotes: I set breakpoints on all the BtnClick.wav and I hit a BP when I opened it, but it just didn't get me far, so I gave up. Then I searched the same way for pathfinding, only instead I put a BP on all NDSound.DXPlaySound, and that got me further and got me to patch the pathfinding button to unequip all.
09/25/2008, 20:15 #14
Hi, I'm having trouble with this edit. I'm a noob in asm. I tried to find LEA EDI,DWORD PTR DS:[ESI+FA8] to edit and put in the JMP, but I can't find LEA EDI,DWORD PTR DS:[ESI+FA8]; the address isn't the same, and I tried with Ctrl+F but it says unknown identifier.
Can anybody help me?
09/25/2008, 20:35 #15
Quote:
Originally Posted by darkirax
Hi, I'm having trouble with this edit. I'm a noob in asm. I tried to find LEA EDI,DWORD PTR DS:[ESI+FA8] to edit and put in the JMP, but I can't find LEA EDI,DWORD PTR DS:[ESI+FA8]; the address isn't the same, and I tried with Ctrl+F but it says unknown identifier.
Can anybody help me?

I'd say get a copy of the older exe (by downloading the older patch and installing it in a new folder, then renaming the exe to Conquer1.exe or something and copying it to your CO folder). Look for something familiar; the info is out there really, a little searching in both exes will get you there.
Like I said, all the info needed is there; you only need to update it.
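The "look for something familiar in both exes" advice in this reply is a signature scan: take the bytes at the known location in the old build, mask out the parts that move between builds (CALL and JMP displacements, absolute addresses), and search the new build for what remains. Here is an added example (not from the thread) with two constructed builds; the offsets and the instructions following the LEA are invented for the demonstration, and the decoy shows why the 6-byte LEA on its own is not a good enough signature.

```python
def parse_pattern(text: str) -> list:
    """'8D BE ?? ?? 00 00' -> [0x8D, 0xBE, None, None, 0x00, 0x00]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def find_pattern(image: bytes, pattern) -> list:
    """Every offset in image where the (wildcard) pattern matches, lowest first."""
    pat = parse_pattern(pattern) if isinstance(pattern, str) else list(pattern)
    return [off for off in range(len(image) - len(pat) + 1)
            if all(p is None or image[off + i] == p for i, p in enumerate(pat))]

def relocate(old_image: bytes, old_offset: int, new_image: bytes,
             length: int = 12, wildcards=()) -> int:
    """Use `length` bytes at old_offset in the old build as a signature, with the bytes at
    `wildcards` (displacements, absolute addresses) masked out, and return the single
    place it occurs in the new build. Refuses to guess when the match is not unique."""
    sig = [None if i in wildcards else old_image[old_offset + i] for i in range(length)]
    hits = find_pattern(new_image, sig)
    if len(hits) != 1:
        raise LookupError(f"signature matched {len(hits)} times; lengthen or adjust it")
    return hits[0]

def make_sample_builds():
    """Constructed stand-ins for an older and a newer client build (not real Conquer.exe data)."""
    site_old = bytes.fromhex("8DBEA80F0000" "8BCF" "E811223344")  # LEA; MOV ECX,EDI; CALL ...
    site_new = bytes.fromhex("8DBEA80F0000" "8BCF" "E855667788")  # same code, CALL disp moved
    decoy = bytes.fromhex("8DBEA80F0000" "8BC8" "C3")             # same LEA, different follow-up
    old = bytearray(bytes(range(256)) * 64)   # filler that contains no 8D BE sequence
    new = bytearray(bytes(range(256)) * 64)
    old[0x1E7D:0x1E7D + len(site_old)] = site_old
    new[0x0C10:0x0C10 + len(decoy)] = decoy
    new[0x2F4A:0x2F4A + len(site_new)] = site_new
    return bytes(old), bytes(new)

if __name__ == "__main__":
    old, new = make_sample_builds()
    print("LEA alone in new build:", [hex(h) for h in find_pattern(new, "8D BE A8 0F 00 00")])
    print("relocated hook site:",
          hex(relocate(old, 0x1E7D, new, length=13, wildcards=range(9, 13))))
```

The same scan is what you would run against the patched download from the earlier replies: searching for the hook's own bytes (E9 followed by a NOP where an LEA should be) finds the detour without needing the original file.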