Ok, calling some functions with CreateRemoteThread() has been crashing for me since the new patch. So here is another way to get the current HP for use in an autopotter.
This method hooks the gethp() function of the new version of CO, instead of calling it.
VERY IMPORTANT
Run this first at the log-on screen to make sure the code does not execute over the code being replaced while it's being replaced (this needs to be done because I write the code byte by byte).
Other than that, the next time you run it on the same Conquer process, it will recognize the hook was already established and will not overwrite the hook (it will make use of it instead).
Also note, this is currently configured to press F10 when your HP is less than 1000.
Code (AutoIt):
#include "NomadMemory.au3"

$PID = ProcessExists("Conquer.exe")
If $PID == 0 Then
    MsgBox(0, "Error", "Conquer must be running first.")
    Exit
EndIf
$MemID = _MemoryOpen($PID)

Global $HP_ADDR
; An E9 (jmp rel32) at the hook site means an earlier run already installed the hook:
; follow the jump to the cave; the HP slot sits 4 bytes before the cave code.
; (BitAND so the test works whether the byte comes back signed or unsigned.)
If BitAND(_MemoryRead(0x0056953E, $MemID, "byte"), 0xFF) = 0xE9 Then
    $num = _MemoryRead(0x0056953F, $MemID, 'dword')
    $HP_ADDR = BitAnd($num + 0x0056953E + 5, 0xFFFFFFFF) - 4
Else
    ; 4-byte HP slot followed by 24 bytes of cave code
    $HP_ADDR = AllocMemory(28, $PID)
    ; Fill in the code we're gonna overwrite in the cave (the short jumps are re-encoded as near jumps).
    $Code = "0f84" & RelativePos($HP_ADDR+5, 0x00569554) ; je 00569554
    $Code = $Code & "48" ; dec eax
    $Code = $Code & "0f84" & RelativePos($HP_ADDR+5+StringLen($Code)/2, 0x00569549) ; je 00569549
    ; Put in our copy code (to copy the HP value)
    $Code = $Code & "8915" & Int2Hex($HP_ADDR, 8) ; mov [$HP_ADDR],edx
    ; Then our jump back code
    $Code = $Code & "e9" & RelativePos($HP_ADDR+23, 0x00569543) ; jmp 00569543
    ; Write our code
    For $i = 0 To StringLen($Code)/2-1
        _MemoryWrite($HP_ADDR+4+$i, $MemID, Dec(StringMid($Code, $i * 2 + 1, 2)), "byte")
    Next
    ; Patch the jump
    $Code = "e9" & RelativePos(0x0056953E, $HP_ADDR+4)
    For $i = 0 To StringLen($Code)/2-1
        _MemoryWrite(0x0056953E+$i, $MemID, Dec(StringMid($Code, $i * 2 + 1, 2)), "byte")
    Next
EndIf

HotKeySet("!x", "ExitProg")
While 1
    $HP = _MemoryRead($HP_ADDR, $MemID)
    ToolTip(Hex($HP_ADDR) & ":AutoPotter Running (" & $HP & "). Alt+X to exit.", 20, 20)
    If $HP < 1000 Then
        Send("{F10}")
    EndIf
    Sleep(500)
WEnd

; ---- helpers the script calls but that were missing from the post; reconstructed from how they are used above ----

; 32-bit value as a little-endian hex string (the byte order the x86 encoding expects).
Func Int2Hex($iVal, $iDigits)
    Local $sBig = Hex($iVal, $iDigits), $sLE = ""
    For $i = $iDigits - 1 To 1 Step -2
        $sLE &= StringMid($sBig, $i, 2)
    Next
    Return $sLE
EndFunc

; rel32 operand for a 5-byte jmp/call located at $iFrom that must land on $iTo.
Func RelativePos($iFrom, $iTo)
    Return Int2Hex(BitAND($iTo - ($iFrom + 5), 0xFFFFFFFF), 8)
EndFunc

; Allocate $iSize bytes of RWX memory in the target process (VirtualAllocEx, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE).
Func AllocMemory($iSize, $iPID)
    Local $hProc = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x1F0FFF, "bool", False, "dword", $iPID)
    Local $aMem = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "handle", $hProc[0], "ptr", 0, "dword", $iSize, "dword", 0x3000, "dword", 0x40)
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProc[0])
    Return $aMem[0]
EndFunc

; Alt+X: release the process handle and quit (the hook itself stays in place).
Func ExitProg()
    _MemoryClose($MemID)
    Exit
EndFunc
It's good. I tried using your code on the Spanish version, found the address and changed it in your code, but it still can't read HP. Can you help me? I think the problem is when writing the code into the empty address!!
I tested it on the English version 6 times: it worked fine 4 times and failed 2 times. I don't need you to make another one for Spanish.
I just need you to tell me what I did wrong after I changed the memory address. I need to learn, not get a tool.
Well, what I did for it was I used CE to find the HP memory address using a binary search. Then after finding this (non-static) value, I right-clicked "Find what accesses this address", and it gave me a line of assembly from the Conquer process, "MOV EDX,[EDI]". I added a breakpoint to that line and noticed it was being executed once per frame. So I used AutoIt to allocate some memory and write some code into that allocated memory that restores the assembly instructions my 5-byte jump overwrites, as well as storing the HP value in a static location; then at the end of the code in the allocated memory I had another jmp instruction that jumps back to just after my jump to my RAM code. That way I was hooking that EDX value to retrieve the current HP... but it's not working 100% of the time, so I was wrong to assume that the Conquer code will always cross that path every frame.
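As an added example (not code from the thread), here is the defender's side of the 5-byte hook described above, in Python: it recognises an E9 near jmp at a code site the same way the script's "already hooked" branch does, resolves the rel32 target, flags a target that leaves the module image as a hook, and checks that a detour trampolines back to hook+5. The module range, the cave address and the five original bytes are constructed for the example; only the hook site and the jump targets come from the thread.

```python
"""Spot a 5-byte inline hook (E9 jmp rel32) at a code site and follow the detour."""
import struct

def rel32_target(instr_addr, rel, length=5):
    """Branch target = address of the next instruction + signed displacement, mod 2^32."""
    return (instr_addr + length + rel) & 0xFFFFFFFF

def decode_jmp_rel32(code, addr):
    """Target of a near jmp if `code` (located at `addr`) starts with E9 rel32, else None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    return rel32_target(addr, struct.unpack_from("<i", code, 1)[0])

def classify_site(code, addr, module_start, module_end):
    """'clean' if no near jmp; a jmp whose target leaves the module image is the hook signature."""
    target = decode_jmp_rel32(code, addr)
    if target is None:
        return "clean", None
    if module_start <= target < module_end:
        return "in-module jmp", target
    return "hooked", target

def detour_returns_to(cave, cave_addr, hook_addr, hook_len=5):
    """True when the detour's final near jmp resumes at hook_addr + hook_len (a trampoline)."""
    back = decode_jmp_rel32(cave[-5:], cave_addr + len(cave) - 5)
    return back == (hook_addr + hook_len) & 0xFFFFFFFF

# ---- constructed sample data; not captured from any real binary ----
HOOK_ADDR = 0x0056953E                   # hook site from the thread
MODULE = (0x00400000, 0x00600000)        # assumed image range containing HOOK_ADDR
CAVE_ADDR = 0x003A0004                   # assumed detour address, outside that range
# Plausible original 5 bytes: je +0x14 ; dec eax ; je +0x06 (short forms, rel8)
ORIGINAL = bytes.fromhex("74 14 48 74 06")
# The same site once hooked: E9 rel32 aimed at CAVE_ADDR
HOOKED = b"\xE9" + struct.pack("<i", CAVE_ADDR - (HOOK_ADDR + 5))

def build_detour():
    """Detour laid out as in the thread: displaced jumps re-encoded as rel32 (rel8 cannot reach), mov [slot],edx, jmp back."""
    code = b"\x0F\x84" + struct.pack("<i", 0x00569554 - (CAVE_ADDR + 6))
    code += b"\x48"
    code += b"\x0F\x84" + struct.pack("<i", 0x00569549 - (CAVE_ADDR + 13))
    code += b"\x89\x15" + struct.pack("<I", CAVE_ADDR - 4)       # HP slot sits 4 bytes before the code
    code += b"\xE9" + struct.pack("<i", (HOOK_ADDR + 5) - (CAVE_ADDR + len(code) + 5))
    return code

if __name__ == "__main__":
    print(classify_site(ORIGINAL, HOOK_ADDR, *MODULE))              # ('clean', None)
    print(classify_site(HOOKED, HOOK_ADDR, *MODULE))                # ('hooked', CAVE_ADDR)
    print(detour_returns_to(build_detour(), CAVE_ADDR, HOOK_ADDR))  # True
```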