[Question] Memory based bot. How to start?
Discussion on [Question] Memory based bot. How to start? within the CO2 Programming forum part of the Conquer Online 2 category.
08/03/2012, 00:08 #1
elite*gold: 0
Join Date: Jul 2011
Posts: 82
Received Thanks: 12
Hello,
in order to make my very own little bot, I tried different ways. First, I made a pixel bot; it was a success for myself, I added lots of features, but because it was only a pixel bot it wasn't really efficient, and adding advanced functions was very, very hard.
After that, I tried to go further with another type of bot: proxies. The problem was, I was trying to code without basic knowledge, and AutoIt is not really advised for that kind of bot. Thanks to pro4never, I managed to build a little part of my proxy, meaning it was able to connect to the Conquer server, and I was able to see all the (encrypted) data running between client and server. Anyway, it was useless because my knowledge of encryption was and still is limited...
Now I'm back for a new type of bot: memory based bots. Why does it attract me? At the moment I'm learning C++ and I've passed the chapter on pointers. For three days now I've been making a little "tool hack" for an offline game, and it looks like it works perfectly. I'm more familiar with pointers and I want to go further. The problem is, for an online game it's different. All the data is updated by the server and that's so difficult.
Why do I post? I really want to code my own bot, that's my project, but I need your help. Lots of people are good at coding and I know it; I would appreciate it if some of them would help me.
I don't want you to give me an entire, fully explained working code, just some links, explanations about that subject, the theory. With knowledge and Google, I should achieve my project, but I don't know where to go, where to start...
Thanks a lot, at least for reading.
08/03/2012, 15:56 #2
elite*gold: 20
Join Date: Aug 2007
Posts: 1,749
Received Thanks: 2,199
I would like to help you, but first I need to know what kind of experience you've got and what kind of bot you want to make.
Are we talking an "internal" bot, like a DLL or an "external" one that just reads memory from the target process and executes code remotely inside the target process?
08/05/2012, 23:26 #3
elite*gold: 0
Join Date: Jul 2011
Posts: 82
Received Thanks: 12
Hello, (sorry for my late answer, it seems like I was a little bit busy...)
First of all, thank you for your pretty fast answer, and your future help.
About my experience, everything is in the first post: what kind of bots I tried, why I stopped, etc... Why do I ask about memory based bots? Because I made a little hack for "NFS Underground 2", which works very well. I read lots of guides about finding pointers and offsets and how to use them. In the end, it was cool to see my own "hack" working on the game without bugs...
Now, "internal" or "external": I don't know either way, and why should I choose one and not the other? This is a topic question and I'm looking for some answers; I'd be glad if you were able to give me some reading on these subjects.
Thanks again!
08/06/2012, 00:27 #4
elite*gold: 20
Join Date: Aug 2007
Posts: 1,749
Received Thanks: 2,199
Quote:
Originally Posted by itachi26
Hello, (sorry for my late answer, it seems like I was a little bit busy...)
First of all, thank you for your pretty fast answer, and your future help.
About my experience, everything is in the first post: what kind of bots I tried, why I stopped, etc... Why do I ask about memory based bots? Because I made a little hack for "NFS Underground 2", which works very well. I read lots of guides about finding pointers and offsets and how to use them. In the end, it was cool to see my own "hack" working on the game without bugs...
Now, "internal" or "external": I don't know either way, and why should I choose one and not the other? This is a topic question and I'm looking for some answers; I'd be glad if you were able to give me some reading on these subjects.
Thanks again!
Okay, so you made a "little hack for NFS Underground 2". I'm assuming you're familiar with Read/WriteProcessMemory then. How familiar are you with reversing and the assembly language?
When I wanted to make hacks/bots, I started out by writing small programs that could read/write the memory of another process, like reading the HP/coordinates/name/etc of your character.
Then I learnt how to do remote code execution inside another process using CreateRemoteThread and WriteProcessMemory. ("Three Ways to Inject Your Code into Another Process" on CodeProject was a great guide for me)
08/06/2012, 00:34 #5
elite*gold: 0
Join Date: Jul 2011
Posts: 82
Received Thanks: 12
Reading/writing process memory: at the moment, it looks like I'm not bad at little tasks like that.
Now, reversing and ASM, gosh. Never tried, but it looks like I must learn it. Problem is, why do I need to read/code ASM and where do I have to start?
Quote:
Originally Posted by IAmHawtness
When I wanted to make hacks/bots, I started out by writing small programs that could read/write the memory of another process, like reading the HP/coordinates/name/etc of your character.
At the moment, I'm not having problems on that point. The hardest part was to find multi-level pointers and use them, but now I've done it!
Quote:
Originally Posted by IAmHawtness
Then I learnt how to do remote code execution inside another process using CreateRemoteThread and WriteProcessMemory. (Three Ways to Inject Your Code into Another Process - CodeProject was a great guide for me)
Didn't understand a word, I'm gonna take a look at your URL.
Thanks!
08/06/2012, 00:53 #6
elite*gold: 20
Join Date: Aug 2007
Posts: 1,749
Received Thanks: 2,199
Quote:
Originally Posted by itachi26
Reading/writing process memory: at the moment, it looks like I'm not bad at little tasks like that.
Now, reversing and ASM, gosh. Never tried, but it looks like I must learn it. Problem is, why do I need to read/code ASM and where do I have to start?
At the moment, I'm not having problems on that point. The hardest part was to find multi-level pointers and use them, but now I've done it!
Didn't understand a word, I'm gonna take a look at your URL.
Thanks!
Learning, or at least understanding, the assembly language is an essential skill you'll need if you want to make more complicated bots for games. The assembly language is what all programs consist of (some are compiled into some intermediate language which is then translated into assembly, but forget about those), so once you understand it, you'll be able to "reverse" programs.
What that means is, you can look at the compiled assembly code using a disassembler (like Ollydbg) which translates all the assembly byte code into human readable assembly opcodes and you can start tracing functions inside programs. Like, for example, Conquer has a function to encrypt a packet (data between the server and client) and send it to the server, which might look something like
Code:
bool SendPacket(char* msg, int length)
{
// Encrypt message
// Send message to the server
}
Once you've learned how to reverse a program, you'll be able to trace a function like "SendPacket", and then you'll know the location in memory of that function. Once you know the location in memory of that function, you'll be able to execute that function either remotely, using an "external" program that uses CreateRemoteThread for instance, or inside of the program itself using an "internal" program (a DLL injected into the program, which shares its memory with the program).
That means you can then send packets to the server without knowing anything about the encryption TQ uses for their packets. You could of course also reverse the encryption and make a proxy, if you wanted. Point is though, you can do anything really. You could call the "Jump" function that makes your character jump to X,Y, you could call the "Walk" function, etc.
Edit:
I released a "hooking library" some time ago. There's a working bot in the ConquerTestBot.rar if you want to take a look at it. It doesn't really show anything about how you actually do the hooking, read/write memory, execute code remotely, etc., since the Hooking.dll is just a sort of wrapper for some more complicated stuff, but it might still be good to look at while trying to learn more about the topic.
08/06/2012, 01:02 #7
elite*gold: 0
Join Date: Jul 2011
Posts: 82
Received Thanks: 12
Well, listen, I'm gonna read your post again tomorrow, and the link you sent me, because it's a bit late and it would be useless to read and not understand :laugh:
Thanks a lot, because it's freaking clear and enjoyable! Oh, I was thinking, do you have some "practice"? I mean, some ideas or websites which offer reversing exercises.
08/06/2012, 01:04 #8
elite*gold: 20
Join Date: Aug 2007
Posts: 1,749
Received Thanks: 2,199
Quote:
Originally Posted by itachi26
Well, listen, I'm gonna read your post again tomorrow, and the link you sent me, because it's a bit late and it would be useless to read and not understand :laugh:
Thanks a lot, because it's freaking clear and enjoyable! Oh, I was thinking, do you have some "practice"? I mean, some ideas or websites which offer reversing exercises.
Haha, probably a good idea.
Lena's tutorials are most likely some of the best reversing tutorials you'll find on the Internet.
08/06/2012, 01:43 #9
elite*gold: 20
Join Date: Jan 2008
Posts: 2,012
Received Thanks: 2,885
I really hated lena's tutorials. I found them to be way too dry, but that's just me >.<
08/06/2012, 01:45 #10
elite*gold: 0
Join Date: Jul 2011
Posts: 82
Received Thanks: 12
How did you do so? (To learn reversing)
08/06/2012, 01:57 #11
elite*gold: 20
Join Date: Aug 2007
Posts: 1,749
Received Thanks: 2,199
Quote:
Originally Posted by InfamousNoone
I really hated lena's tutorials. I found them to be way too dry, but that's just me >.<
Really? I've never found any tutorials that were more useful.
08/08/2012, 02:48 #12
elite*gold: 0
Join Date: Jul 2011
Posts: 82
Received Thanks: 12
Hum, I think that I won't be able to be as present as I wanted... That being said, I'm learning C++ really deeply and I enjoy it. I'm trying to use OllyDBG but it's still very hard for me.
I'll up this topic when I get some interesting news. Thanks for your help, 'cuz you really helped; I hope you'll be there when I get back.
Thanks again!
08/22/2012, 00:03 #13
elite*gold: 0
Join Date: Jul 2011
Posts: 82
Received Thanks: 12
#UP
Here I am for new adventures and more questions about the CO .exe.
At the moment, I'm learning C++ as deeply and surely as I can, without skipping steps. To do that, I'm making my own console games. Something very cool and totally new for me. I hope it'll help me in the future.
So... I haven't read a lot about ASM and DLL injection, but I have questions nagging at me, so I must have answers.
BUT, if you see that my questions are really (really) easy and the answers should be found in the posts above or the quoted URLs, just tell me and I'll read the whole stuff... Now let's start:
1. Multi-clients and static addresses: I can't even understand how memory based bots run with at least 2 clients. For me, a static address is where you will find EVERY TIME the same type of value, for example HP. But if you have two Conquer clients with two chars, won't you be unable to read both HPs? How does it work?
2. Hooking receiving/sending in clients: about receiving, I really don't know how to do that, no idea; if you want to point me, I'll kiss you, if you don't, don't mind. But I want you to give me your opinion about the sending function. I think it's not bad, but only YOU will be able to correct me, here we go!
My thoughts: "Hmm, if I was a CO2 developer, how would I send packets without being ****** by botters? I probably would put my "to send" value at another address with complicated pointers. 'kay, now I'm done!"
"Hmm, if I was a skilled hacker, how would I retrieve that **** sending address? I would send a team message with my char and then search for the text data in my client with CE."
And guess what? I found a static address! WOW. Then I typed another message to send, and CE's address was updated. So I decided to attach the debugger and I had like ten different things accessing that address... I was like: "erf..., owned". Then I went to bed, too sad.
Now I'm thinking my text must be sent afterwards. I plan to take each address which accesses my text and then see what's going on, etc. etc...
What do you think about that, am I on the right way? Or am I running after my death?
Of course, I didn't think about multi-clients...
Hope you will understand me, and then guide me!
Love ya all! Thanks!
EDIT: I think I'm gonna do some tests about these two questions.
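The multi-client question above comes down to what a "static address" is: it lives inside the .exe image, so it is the same in every copy of the client, while the heap objects it points at are allocated separately in each process's own address space and are read through that process's own handle. An added illustration (not code from anyone in this thread) of walking a multi-level pointer chain for two clients at once; a constructed in-memory map stands in for each client's address space instead of real ReadProcessMemory calls, and every address, offset and HP value below is made up:

```cpp
#include <cstdint>
#include <map>
#include <optional>
#include <vector>

// Constructed stand-in for one client's 32-bit address space. Real code would
// call ReadProcessMemory on a handle for that client; the map plays that role.
using AddressSpace = std::map<uint32_t, uint32_t>;

// Read a 4-byte value at addr; nullopt models a failed/unmapped read.
std::optional<uint32_t> readU32(const AddressSpace& proc, uint32_t addr) {
    auto it = proc.find(addr);
    if (it == proc.end()) return std::nullopt;
    return it->second;
}

// Walk a multi-level pointer chain in the Cheat Engine sense: dereference the
// static base, add offsets[0], dereference, ... add the last offset, then read
// the value stored at the resulting address. Any unmapped read aborts the walk.
std::optional<uint32_t> resolveChain(const AddressSpace& proc, uint32_t base,
                                     const std::vector<uint32_t>& offsets) {
    std::optional<uint32_t> cur = readU32(proc, base);
    if (!cur) return std::nullopt;
    if (offsets.empty()) return cur;         // the base itself holds the value
    uint32_t addr = *cur;
    for (size_t i = 0; i < offsets.size(); ++i) {
        addr += offsets[i];
        if (i + 1 == offsets.size()) break;  // final address is the value slot
        cur = readU32(proc, addr);
        if (!cur) return std::nullopt;
        addr = *cur;
    }
    return readU32(proc, addr);
}

// Static base (inside the .exe image) and offsets are the same for every
// instance of the client; the heap addresses they lead to are not.
constexpr uint32_t kHpBase = 0x00401000;               // constructed value
const std::vector<uint32_t> kHpOffsets = {0x10, 0x4};  // constructed chain

// Build a constructed client whose pointer chain ends at the given HP value.
AddressSpace makeClient(uint32_t playerObj, uint32_t statsObj, uint32_t hp) {
    AddressSpace proc;
    proc[kHpBase] = playerObj;          // static pointer to the player object
    proc[playerObj + 0x10] = statsObj;  // player -> stats sub-object
    proc[statsObj + 0x4] = hp;          // stats + 4 = current HP
    return proc;
}

// Two clients loaded from the same .exe: same chain, different heap layout.
const AddressSpace kClientA = makeClient(0x00A00000, 0x00B00000, 1337);
const AddressSpace kClientB = makeClient(0x00C00000, 0x00D00000, 250);
```

Resolving the chain in each client separately yields each character's own HP, while the final heap address found in one client is meaningless in the other.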
08/24/2012, 09:30 #14
elite*gold: 20
Join Date: Aug 2005
Posts: 1,734
Received Thanks: 1,001
First of all I would recommend using OllyDBG 1.10 (or newer 2.01b2, if you wish) if you are not doing so already. I find it much easier to use than CE.
About hooking:
I personally was able to hook the send function by applying my knowledge of the data packets that Conquer sends between client and server. What I did was search for constant values within the Conquer client that represented the packet types (IDs if you wish, such as 3EAh (1002 decimal); these have of course changed, but you said you had some experience with doing a proxy so you could get the new types). When I searched for these constant values I got multiple places where they were used and basically breakpointed them all until I found the correct one, which represented the building of the specific packet.
When I found the function that represented the specific packet I just traced it down to see where it was sent (or I suspected it was sent) and checked this with other packets too, if the same place got called again.
I can try to see if I could find some of my old source codes when I get home, should provide you with basic hooking abilities.
EDIT: You can check my signature for some links about detouring (essentially hooking functions) and doing some basic tasks with OllyDBG (outdated)
EDIT2: Forgot to mention how I found the receive function address. To be honest, I don't quite remember how I did this. I imagine that I tracked the code back from WS2_32.recv function, from there to the part where data was decrypted and from there to the point where it was processed by the program.
08/24/2012, 15:25 #15
elite*gold: 0
Join Date: Jul 2011
Posts: 82
Received Thanks: 12
I have it on my computer, but on the contrary, I find it more complicated than CE haha!
Hum, I think I'll have to forget that type of IDs, because my little experience with a proxy was not very fancy; I just made a program which was able to receive the connection, connect to the server and then see all the ENCRYPTED data during the game...
Now your source code will be useful for others, because you work with packet types, something that I won't be able to do, and I code in C++, not C#. That being said, if you're a C++ coder, your code will be very useful for me also.
I'll get to work with some tutorials on OllyDBG. I haven't started reading the links from IAmHawtness, which look very cool and full of information. I will try to check out your links also.
Okay well, I didn't understand how you did it with the recv function, but never mind; I think that if I work hard with tutorials, and if I read about the Conquer process, I should have positive results. But now, with the time that I'll have in like two weeks, I won't be able to do anything...
By the way, thanks for telling me your method, and I really hope that you'll show pieces of or entire source code; it must help, at least a little bit.
Thanks again, have a nice day!