[Guide] Lets make a memory based bot

[iore2008]

Is this program works now?

[majick]

Quote:

Originally Posted by iore2008

Is this program works now?

[iore2008]

I'm sorry I do not speak English and use the Google translation ...perhaps it will be impossible to work with this program, because the explanation in the videos I can not translate it, and when I tried to follow the steps i found a big difference in the codes and this beginning of the first video ... maybe because the video is old and has updates many The game,or because I did not understand the explanation.... i need this program strongly because I have no money even to buy a good copy of the bot and the good boot is not available ... all i have the time and an old computer and an Internet connection bad ... hehehehe so... Thanks for the reply and attention majick

[shitboi]

Hi Angelius,

I saw your tutorial for the first time today, and tried following it. Shortly after I began the quest, I was hit with a problem that I do not know how to conquer.

First off,

Conquer version: 5918
Ollydbg version: 2.01 ( i noticed some UI difference between my copy of olly and yours, but i think it doesn't matter)

Based on the instructions from your tutorials, after setting up the udd folder and the exception ignore range (00000000 to ffffffff)
I opened the Conquer.exe using ollydbg. Took a while to load, but finally instead of getting the "terminated" status. I got a "paused" status.


Since asm and olly is not my field, i do not know how to proceed from here.
Can you advise on how to move on from here?

Thanks

Edit: I did attempt to hit F9 to continue, but it didn't proceed as show in [Tutorial 1]

Edit: I have made a new post with more details. please .

[EpvpIsAJoke]

Quote:

Originally Posted by shitboi

Hi Angelius,

I saw your tutorial for the first time today, and tried following it. Shortly after I began the quest, I was hit with a problem that I do not know how to conquer.

First off,

Conquer version: 5918
Ollydbg version: 2.01 ( i noticed some UI difference between my copy of olly and yours, but i think it doesn't matter)

Based on the instructions from your tutorials, after setting up the udd folder and the exception ignore range (00000000 to ffffffff)
I opened the Conquer.exe using ollydbg. Took a while to load, but finally instead of getting the "terminated" status. I got a "paused" status.


Since asm and olly is not my field, i do not know how to proceed from here.
Can you advise on how to move on from here?

Thanks

F9

[shitboi]

Quote:

Originally Posted by EpvpIsAJoke

F9

Ermm, yes i did do F9, it proceeds differently, and I will end up at a different state than him. So i am mainly worried about the difference in the version of Conquer.exe and how it responded to olly.

[EpvpIsAJoke]

Quote:

Originally Posted by shitboi

Ermm, yes i did do F9, it proceeds differently, and I will end up at a different state than him. So i am mainly worried about the difference in the version of Conquer.exe and how it responded to olly.

Well yeah, this guide is more than a year old, lots of stuff has happened with the Conquer.exe file since then ...

[shitboi]

I tried deleting the olly and restarted afresh.

Here is a quick run through of what happened.

1. Extracted olly and set to run as admin.
2. [Olly options] Added exception ignore range 00000000 - FFFFFFFF
3. [Olly options] Set up udd/udl/plugin folders
4. Open Conquer.exe

5. Initially it paused, but i managed to get past it by hitting F9


6. Then the status bar flashes between yellow and grey. In the picture it shows Access Violation when reading [00000000] - passed to application
I am guessing that this is the reason for adding exception ignore range.


7. The prompt for Please run Play.exe file came out. I suppose that is normal since executing Conquer.exe without "blacknull" parameter will result in this msg being triggered. So i think Olly is still trying to run Conquer.exe. Therefore I hit ok on the dialogue box to continue running.


8. The process from step 6 re-iterated.. and after a long while i finally hit the "terminated" state. Looking at the stack window, I am quite close to what is shown in [Tutorial 1].


9. In the stack window I selected RETURN from ntdll.RtlExitUserPRocess to Kernel32.ExitProcess+15. Then I noticed the difference in the op code window. Looks like the same function, but op codes are different. But that's alright, I continued to place a HWBP on that address, and attempted to re-run the process.


10. At last it paused in a similar screen as shown in [Tutorial 1], BUT the HWBP wasn't triggered. I didn't give up, i tried F9ing and repeated the same steps as described above. I have not hit that HWBP that I have placed.


I am guessing that the TQ has changed some of the implementation for Conquer.exe resulting in the differencs.
I would appreciate any suggestions to overcome this problem. I want to be able to follow through a successful scenario of removing checks, and finding the send/recv functions.

Again,
Conquer Version: 5918
Ollydbg version: 2.01


Thanks

[dusica]

Quote:

Originally Posted by shitboi

I tried deleting the olly and restarted afresh.

Here is a quick run through of what happened.

1. Extracted olly and set to run as admin.
2. [Olly options] Added exception ignore range 00000000 - FFFFFFFF
3. [Olly options] Set up udd/udl/plugin folders
4. Open Conquer.exe

5. Initially it paused, but i managed to get past it by hitting F9


6. Then the status bar flashes between yellow and grey. In the picture it shows Access Violation when reading [00000000] - passed to application
I am guessing that this is the reason for adding exception ignore range.


7. The prompt for Please run Play.exe file came out. I suppose that is normal since executing Conquer.exe without "blacknull" parameter will result in this msg being triggered. So i think Olly is still trying to run Conquer.exe. Therefore I hit ok on the dialogue box to continue running.


8. The process from step 6 re-iterated.. and after a long while i finally hit the "terminated" state. Looking at the stack window, I am quite close to what is shown in [Tutorial 1].


9. In the stack window I selected RETURN from ntdll.RtlExitUserPRocess to Kernel32.ExitProcess+15. Then I noticed the difference in the op code window. Looks like the same function, but op codes are different. But that's alright, I continued to place a HWBP on that address, and attempted to re-run the process.


10. At last it paused in a similar screen as shown in [Tutorial 1], BUT the HWBP wasn't triggered. I didn't give up, i tried F9ing and repeated the same steps as described above. I have not hit that HWBP that I have placed.


I am guessing that the TQ has changed some of the implementation for Conquer.exe resulting in the differencs.
I would appreciate any suggestions to overcome this problem. I want to be able to follow through a successful scenario of removing checks, and finding the send/recv functions.

Again,
Conquer Version: 5918
Ollydbg version: 2.01


Thanks

Well i m guessing that instead of terminating the process, the anti debug system now sends a packet to the server, telling it that you are using a debugger and it gives you 1 day ban. The anti debug functions were located in TQanp and AntiRobot dlls when this tutorial was made. So i m guessing that its still the same thing and you just need to skip the IsDebuggerPresent function in these 2 dlls. Btw this is just a guess, i m a noob reverser and i doubt that any of the "pros" here will help you

Edit: you can attach to the process with olly and the server wont kick if you re not doing anything, bu t if you start placing breakpoints and stuff, then it kicks you immediately

[shitboi]

so... any help from the community? It is not about getting to a working hack. it's about the process of learning how to use olly to find and send/recv functions, then programmatically hook onto these functions

[Freszone]

From my most recent experiences debugging Conquer, they indeed do check if you have a debugger attached and if so they just give you a one day restriction within few minutes. Shouldn't be too hard to patch if you really want to do live debugging, myself I don't see the need for that.

As for hooking recv/send, it's not just that simple. At least if you want to do more than just packet monitoring, since when I last looked into the anti-bot they at least keep count of each packet type sent and received, both client and server. Then they check if the packet counts on the server match the ones on client and if they don't you'll get restricted/banned.
So unless you want to dig into the anti-bot packets that contain the packet counts and spoof those I would suggest you to use directly the functions in the client to perform actions.

I also suggest you to learn to use IDA instead of OllyDbg, so much more efficient and easier. No need to even have Conquer running to find most of the stuff so you don't have to worry about getting restricted.

[AndrewMMTop]

Hi,

Not sure if you are answering questions or not, but i was trying to follow your guide and i got stuck at the end of the 2nd part.

I got the following:
LEA EAX,[ECX+4]
MOVZX ECX,WORD PTR DS:[ECX+4]

That was extracted from the Conquer.exe file, but when i try to run it through the program, the client simply crashes. I did pop the stack and everything, and it still crashes.

This is NOT for retail, it is just for a server that i am running on my local machine.

Edit: This is NOT for retail Conquer, it is just for a test server i am running on my local machine, just trying to figure out how things work.

What would you recommend doing at that point.

Thank you.

[beciosmarkjo]

HELLO BRO..CAN YOU MAKE A WRITTEN TUTORIAL FOR DISABLING SECURITY IN CLIENT...THANK YOU IN ADVANCE