Trying to hook the Attack Function
Discussion on Trying to hook the Attack Function within the CO2 Programming forum part of the Conquer Online 2 category.
02/12/2014, 00:25 #1
elite*gold: 0
Join Date: Sep 2012
Posts: 9
Received Thanks: 1
Trying to hook the Attack Function
Hi!
I'm trying to make a small bot, as I said in my last post (asking about "despawn"). For the moment the bot only saves the players and mobs that are in "range" of my player (distance <= 18) and jumps to specific coords. Now I'm trying to hook the attack function, but I don't get it. I hope you can help me.
This is the Attack Function in Conquer.exe:
(I don't know why it doesn't show the image; it is between the [IMG] tags :l)
And debugging it, I see this:
Code:
MOV ECX,ESI
CALL 0064E35A // Seems like a bool function, because two lines later it looks at the value of AL to make a jump, but I'm not sure what the function does (it distinguishes two types of attack, but I don't know the second one (type 1C))
LEA ECX,[EBP-440]
TEST AL,AL // If 0, takes the first path; otherwise the second
JNZ SHORT 00674D66
CALL 00735E3A // First path function call. Takes the values for the packet function call?
MOV DWORD PTR SS:[EBP-4],0F
MOV EAX,DWORD PTR DS:[ESI+0D8]
PUSH 0 // 6th argument
PUSH DWORD PTR SS:[EBP-18] // 5th argument: Y coord of the hero
LEA ECX,[EBP-440]
PUSH DWORD PTR SS:[EBP-14] // 4th argument: X coord of the hero
PUSH DWORD PTR DS:[ESI+24C] // 3rd argument: UID of the mob
PUSH EAX // 2nd argument: UID of the hero
PUSH 2 // 1st argument: action type (for the packet)
CALL 00736039 // First path func call that makes the action packet (type 0x02 = 2)
JMP SHORT 00674D92
CALL 00735E3A // Second path function call. Takes the values for the packet function call?
MOV DWORD PTR SS:[LOCAL.73],10
PUSH DWORD PTR DS:[ESI+26C]
MOV EAX,DWORD PTR DS:[ESI+0D8]
PUSH DWORD PTR DS:[ESI+24C]
LEA ECX,[LOCAL.344]
PUSH EAX
PUSH 1C
CALL 00735FA8 // Second path func call that makes the action packet (type 0x1C = 28)
TEST EAX,EAX
JZ SHORT 00674DA1
LEA ECX,[EBP-440]
CALL 0073626C // Function that does several things; the last one is sending the packet
OR DWORD PTR SS:[EBP-4],FFFFFFFF
LEA ECX,[EBP-440]
CALL 00735E76 // This does several things, not sure what exactly. Maybe it plays the animation? (I found an address from a frame function.) It can also call a system-protect function (IsDebuggerPresent and TerminateProcess)
MOV DWORD PTR DS:[ESI+274],1
After a while, I saw that there was a lot of code I could delete, so I started deleting code until I got this (which works if you try it ingame):
Code:
LEA ECX,[EBP-440]
CALL 00735E3A // Takes the values for the next function (maybe?)
PUSH 0 // 6th argument
PUSH DWORD PTR SS:[EBP-18] // 5th argument: Y coord of the hero
LEA ECX,[EBP-440]
PUSH DWORD PTR SS:[EBP-14] // 4th argument: X coord of the hero
PUSH DWORD PTR DS:[ESI+24C] // 3rd argument: UID of the mob
PUSH EAX // 2nd argument: UID of the hero
PUSH 2 // 1st argument: action type (for the packet)
CALL 00736039 // Makes the packet
LEA ECX,[EBP-440]
CALL 0073626C // Sends the packet
But now I have a problem: how do I get the local vars? I wrote this to see if it would work, and it seems to send the packet, but after printing "Control 3" in my console the client crashes (maybe because of the local vars?)
PHP Code:
void CO2Farm::Attack(int UID)
{
    int X = entMap->myHero.hCoords.X;
    int Y = entMap->myHero.hCoords.Y;   // the original read .X here as well; copy-paste slip
    int hUID = entMap->myHero.UID;
    // Stack address of the client's [EBP-440] local, copied from the debugger session.
    // It is only valid for that one stack frame; this is the "local vars" problem.
    int cEBP = 0x0018FB00 - 0x440;
    __asm
    {
        MOV ECX, cEBP
        CALL Properties::Attack_Function_Address_2   // presumably the CALL 00735E3A above
    }
    cout << "Control 1" << endl;
    __asm
    {
        PUSH 0
        PUSH Y
        MOV ECX, cEBP
        PUSH X
        PUSH UID
        PUSH hUID
        PUSH 2
        CALL Properties::Attack_Function_Address_3   // presumably the CALL 00736039 above
    }
    cout << "Control 2" << endl;
    __asm
    {
        MOV ECX, cEBP
        CALL Properties::Attack_Function_Address_4   // presumably the CALL 0073626C above
    }
    cout << "Control 3" << endl;
}
BTW: it's an attempt to make
Thanks for reading; I hope you know what's happening.
02/12/2014, 02:25 #2
elite*gold: 0
Join Date: Aug 2010
Posts: 992
Received Thanks: 1,110
You are over-complicating things here...
Why would you have the client build the packet for you when you can build it yourself, and why are you hooking all those useless functions... just to send an attack packet to the client? Well, if that's the case, all you need is the send-packet address and a length/pointer to the constructed packet...
PHP Code:
char* Packet = new char[Packet_Length]; // You can even use inline asm to build the packet on the fly
__asm
{
    MOV EDI, DWORD PTR DS:[Packet]
    MOV ECX, 0x2C
    MOV WORD PTR DS:[EDI], CX          // length
    MOV ECX, 0x3FE
    MOV WORD PTR DS:[EDI + 0x2], CX    // type
    // etc
}
__asm
{
    PUSH Packet_Length                 // length
    PUSH DWORD PTR DS:[Packet]         // a pointer to the packet buffer
    MOV ECX, NetworkClass
    CALL SendPacketAddress
}
02/12/2014, 05:31 #3
elite*gold: 0
Join Date: Sep 2012
Posts: 9
Received Thanks: 1
Quote:
Originally Posted by { Angelius }
You are over-complicating things here...
Why would you have the client build the packet for you when you can build it yourself, and why are you hooking all those useless functions... just to send an attack packet to the client? Well, if that's the case, all you need is the send-packet address and a length/pointer to the constructed packet...
I tried, but the client crashes when it executes the ASM code; I don't know why. And it's exactly the same, because I followed your tuts for send/recv packet hooking and I'm using the NetworkClass and the SendPacketOriginalAddress. I tried to replace SendPacketAddress with the address of the hook function, but it crashes too. Maybe it's the packet?
This is the code that I'm using:
PHP Code:
// Searching address and patching - this is located in DllMain
// The 8 bytes decode as: 8D 46 04 = lea eax,[esi+4]; 0F B7 08 = movzx ecx,word ptr [eax];
// 51 = push ecx (length read from the packet header); 50 = push eax (packet pointer)
unsigned char Send_Packet_Bytes[] = { 0x8D, 0x46, 0x04, 0x0F, 0xB7, 0x08, 0x51, 0x50 };
int Send_Packet_Address = ASM::FindPattern(0x006B43F3, 0x00783106, Send_Packet_Bytes, 8);
// +8 is expected to be B9 imm32 (MOV ECX, NetworkClass), so the imm32 sits at +9
ByteBuffer Buffer((LPVOID)(Send_Packet_Address + 9), 4);
Properties::NetworkClass = Buffer.ReadUint32(0);
// +13 is expected to be E8 rel32 (CALL send), so the rel32 sits at +14
Properties::Send_Packet_Original_Address = ASM::Extract_Address(Send_Packet_Address + 13, Send_Packet_Address + 14);
ASM::PatchAddress(Send_Packet_Address + 13, Client->myHooks->SendPacketHook, 0);

// And this is located on the client
void CO2Farm::AttackMob(int mUID, int X, int Y)
{
    FILETIME FileTime;
    GetSystemTimeAsFileTime(&FileTime);
    uint64_t TimeStamp = (uint64_t)FileTime.dwLowDateTime + ((uint64_t)FileTime.dwHighDateTime << 32);
    ByteBuffer Packet(45);
    Packet.WriteUInt16(44, 0);                        // packet length
    Packet.WriteUInt16(1022, 2);                      // packet type 1022 (0x3FE)
    Packet.WriteUInt64(TimeStamp, 4);
    Packet.WriteUInt32(entMap->myHero.UID, 12);       // UID of the hero
    Packet.WriteUInt32(mUID, 16);                     // UID of the mob
    Packet.WriteUInt16(entMap->myHero.hCoords.X, 20);
    Packet.WriteUInt16(entMap->myHero.hCoords.Y, 22);
    Packet.WriteByte(2, 24);                          // action type 2, as in the client's own call
    ReadPacket(Packet);                               // only dumps the packet to the console
    uint8_t* NewPacket = Packet.GetBuffer();
    SendToServer(NewPacket, 44);
    cout << "ATTACK SEND" << endl;
}

// Naked: no prologue is emitted, so Packet and PLength are addressed relative to an
// EBP this function never set up; the PUSHes below read the wrong values (see the EDIT)
Naked void CO2Farm::SendToServer(uint8_t* Packet, int PLength)
{
    cout << hex << "Sending... NetworkClass: " << Properties::NetworkClass << " Send_Packet_Original_Address: " << Properties::Send_Packet_Original_Address << endl;
    __asm
    {
        PUSH PLength
        PUSH DWORD PTR DS:[Packet]
        MOV ECX, Properties::NetworkClass
        CALL Properties::Send_Packet_Original_Address
    }
    cout << "Sent." << endl;
}
The ReadPacket() function is just there to write the packet to the console. I'm probably doing the TimeStamp wrong... but the structure of the packet seems fine. Today I spent literally all day trying to get my bot to attack the mobs, but I couldn't do it.
I hope you can help me with that, and thanks for helping and reading ^^
---------EDIT------------
Solved. Debugging the function, I saw that the PUSH didn't push what I wanted, but the call to my function was fine, so I did this:
PHP Code:
Naked void CO2Farm::SendToServer(uint8_t* Packet, int PLength)
{
    int return_addr;
    __asm
    {
        POP return_addr                                 // take our own return address off the stack
        // Packet and PLength now sit on top of the stack exactly as the caller pushed them
        // (packet pointer on top, length beneath it), the same layout the client's push ecx / push eax produces
        MOV ECX, Properties::NetworkClass               // 'this' for the client's network object
        CALL Properties::Send_Packet_Original_Address   // thiscall: the callee removes the two arguments
        PUSH return_addr                                // put our return address back
        RET
    }
}
But now I have a problem: the bot does not always attack... I think it's because I jump before calling the attack function, and the hero is not near the mob. Could that be it?
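The pattern search and address recovery that the DllMain snippet in the post above depends on (find the 8-byte sequence, read the MOV ECX immediate at +9, resolve the CALL at +13) written out as an added C++ example. This is not the thread's ASM::FindPattern / ASM::Extract_Address code and it does not touch Conquer.exe: the bytes following the 8-byte pattern (B9 imm32, E8 rel32), the image base 0x00400000, the network-object address and the sample buffer are all constructed for the example. The wildcard pattern includes the B9/E8 opcodes on purpose, so that a client build where the instructions after the pattern differ fails to match instead of yielding garbage at +9 and +13.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// One pattern element; any==true is a wildcard written as "?" or "??".
struct PatByte { uint8_t value; bool any; };

// Parse an IDA-style pattern string such as "8D 46 04 ? B7 08".
std::vector<PatByte> ParsePattern(const std::string& text) {
    std::vector<PatByte> pat;
    std::istringstream in(text);
    std::string tok;
    while (in >> tok) {
        if (tok[0] == '?') pat.push_back({0, true});
        else pat.push_back({static_cast<uint8_t>(std::stoul(tok, nullptr, 16)), false});
    }
    return pat;
}

// Offset of the first match of pat in buf, or SIZE_MAX if absent.
size_t FindPattern(const uint8_t* buf, size_t len, const std::vector<PatByte>& pat) {
    if (pat.empty() || pat.size() > len) return SIZE_MAX;
    for (size_t i = 0; i + pat.size() <= len; ++i) {
        size_t j = 0;
        while (j < pat.size() && (pat[j].any || buf[i + j] == pat[j].value)) ++j;
        if (j == pat.size()) return i;
    }
    return SIZE_MAX;
}

uint32_t ReadU32LE(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// Target of an E8 rel32 CALL: address of the next instruction plus the signed displacement.
uint32_t ResolveCallRel32(uint32_t call_va, const uint8_t* call_bytes) {
    int32_t rel = static_cast<int32_t>(ReadU32LE(call_bytes + 1));
    return static_cast<uint32_t>(call_va + 5 + rel);
}

struct SendSite { bool found; uint32_t site_va; uint32_t network_class; uint32_t send_fn; };

// Locate the send-packet call site in a code buffer mapped at image_base.
// Pattern = the 8 bytes from the post, then MOV ECX,imm32 and CALL rel32 (assumed layout).
SendSite LocateSendSite(const uint8_t* code, size_t len, uint32_t image_base) {
    static const std::vector<PatByte> pat =
        ParsePattern("8D 46 04 0F B7 08 51 50 B9 ? ? ? ? E8 ? ? ? ?");
    size_t off = FindPattern(code, len, pat);
    if (off == SIZE_MAX) return {false, 0, 0, 0};
    uint32_t va = image_base + static_cast<uint32_t>(off);
    return {true, va, ReadU32LE(code + off + 9), ResolveCallRel32(va + 13, code + off + 13)};
}

// Constructed sample bytes (not from Conquer.exe): a near-miss prefix, then the call site.
static const uint8_t kSampleCode[] = {
    0x55, 0x8B, 0xEC,                    // push ebp; mov ebp,esp
    0x8D, 0x46, 0x04, 0x90,              // lea eax,[esi+4]; nop   (near miss, must not match)
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x8D, 0x46, 0x04,                    // lea   eax,[esi+4]          ; packet pointer
    0x0F, 0xB7, 0x08,                    // movzx ecx,word ptr [eax]   ; length from the header
    0x51, 0x50,                          // push ecx; push eax
    0xB9, 0xC3, 0xB2, 0xA1, 0x00,        // mov   ecx,0x00A1B2C3       ; network object (hypothetical)
    0xE8, 0xDE, 0x1F, 0x00, 0x00,        // call  +0x1FDE              ; lands on 0x00402000
    0xC3,
};
static const uint32_t kSampleBase = 0x00400000;   // hypothetical load address

SendSite ScanSample() { return LocateSendSite(kSampleCode, sizeof kSampleCode, kSampleBase); }

int main() {
    SendSite s = ScanSample();
    std::printf("found=%d site=%08X NetworkClass=%08X send=%08X\n",
                s.found, s.site_va, s.network_class, s.send_fn);
    return 0;
}
```

Against a live process the buffer would be the mapped .text section and image_base its load address; the address arithmetic is the same. The near-miss bytes at the start of the sample are there to show that a partial match (the LEA followed by something other than MOVZX) is rejected rather than reported.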
02/13/2014, 22:08 #4
elite*gold: 21
Join Date: Jul 2005
Posts: 9,193
Received Thanks: 5,380
Quote:
Originally Posted by Reivein
But now I have a problem: the bot does not always attack... I think it's because I jump before calling the attack function, and the hero is not near the mob. Could that be it?
Seems likely. Synchronizing your actions can be one of the more annoying parts of writing a bot, simply because if actions are performed too closely together in certain orders they will often trigger disconnects. Refining everything to run as quickly and smoothly as the server will allow takes time and careful planning imo.
It's usually easiest to write a single logic loop which runs every X ms. I always found it easiest to switch based on what my last action was (jump, attack, skill, etc). I can then choose my next ideal action (I jumped; am I near a monster now? If so attack, if not we need to move again, etc) and use simple timestamps to spread out actions (e.g. we attacked 5 ms ago, don't jump away just yet).
02/13/2014, 23:51 #5
elite*gold: 0
Join Date: Sep 2007
Posts: 442
Received Thanks: 21
Can someone give me a hint on how to transform my melee with normal jumps into melee with fatal strike movement?
02/14/2014, 00:39 #6
elite*gold: 21
Join Date: Jul 2005
Posts: 9,193
Received Thanks: 5,380
Quote:
Originally Posted by ha.ho.a
Can someone give me a hint on how to transform my melee with normal jumps into melee with fatal strike movement?
That's just packet spoofing (client side only).
You send jump packets to the server (gen action subtype 127 iirc) and fatal strike packets to the client (gen action subtype 156 iirc).
Note: I probably have the subtypes wrong; it's been years since I looked at Conquer and they've changed them a few times.
02/14/2014, 00:47 #7
elite*gold: 0
Join Date: Sep 2007
Posts: 442
Received Thanks: 21
Quote:
Originally Posted by pro4never
That's just packet spoofing (client side only).
You send jump packets to the server (gen action subtype 127 iirc) and fatal strike packets to the client (gen action subtype 156 iirc).
Note: I probably have the subtypes wrong; it's been years since I looked at Conquer and they've changed them a few times.
So is it the jump attack I need to modify to make the melee faster, since fatal strike is just the client-side effect, right?
So is the teleport to the monster achieved with a fast jump, or is it literally teleporting to the mob and then attacking? (If that's the case I have to send a teleport packet and then an attack packet.) (Is the teleport packet the same one used to teleport from one NPC to another? Just change the destination to the mob?)
Thanks for the response btw.
02/14/2014, 15:19 #8
elite*gold: 21
Join Date: Jul 2005
Posts: 9,193
Received Thanks: 5,380
Quote:
Originally Posted by ha.ho.a
So is it the jump attack I need to modify to make the melee faster, since fatal strike is just the client-side effect, right?
So is the teleport to the monster achieved with a fast jump, or is it literally teleporting to the mob and then attacking? (If that's the case I have to send a teleport packet and then an attack packet.) (Is the teleport packet the same one used to teleport from one NPC to another? Just change the destination to the mob?)
Thanks for the response btw.
What exactly is it you're trying to accomplish here?
The server has to be able to validate all your actions, so you'll only be able to jump once per ~750 ms without finding a working speedhack exploit.
Sending jump packets to the server will NOT update the client, so you need to be able to sync its position. This is easily done through 'shift' packets, which display the fatal strike dash effect to the client.
Once you've jumped in range of a target, you want to send attack packets to the server and then use your preferred logic to determine when to move on (fixed # of hits, attack packet w/ subtype 'kill', mob density equation for AOE skills, etc).
Historically there have been a number of ways to move around the map faster. Sending attack packets with an invalid target ID and an X/Y would teleport you to that location (but DC you if you moved more than, I think, 6/6 coords at a time), and that could be sent every ~50/60 ms without disconnect. Alternatively, a properly written speedhack system would allow you to still use jump packets but send them more often.
02/14/2014, 16:37 #9
elite*gold: 0
Join Date: Nov 2006
Posts: 211
Received Thanks: 42
Quote:
Originally Posted by pro4never
What exactly is it you're trying to accomplish here?
The server has to be able to validate all your actions, so you'll only be able to jump once per ~750 ms without finding a working speedhack exploit.
Sending jump packets to the server will NOT update the client, so you need to be able to sync its position. This is easily done through 'shift' packets, which display the fatal strike dash effect to the client.
Once you've jumped in range of a target, you want to send attack packets to the server and then use your preferred logic to determine when to move on (fixed # of hits, attack packet w/ subtype 'kill', mob density equation for AOE skills, etc).
Historically there have been a number of ways to move around the map faster. Sending attack packets with an invalid target ID and an X/Y would teleport you to that location (but DC you if you moved more than, I think, 6/6 coords at a time), and that could be sent every ~50/60 ms without disconnect. Alternatively, a properly written speedhack system would allow you to still use jump packets but send them more often.
If at first you don't succeed... but Matt's bot CO2FARM is now ConquerAI ^^
02/16/2014, 20:40 #10
elite*gold: 0
Join Date: Sep 2012
Posts: 9
Received Thanks: 1
Quote:
Originally Posted by pro4never
Seems likely. Synchronizing your actions can be one of the more annoying parts of writing a bot, simply because if actions are performed too closely together in certain orders they will often trigger disconnects. Refining everything to run as quickly and smoothly as the server will allow takes time and careful planning imo.
It's usually easiest to write a single logic loop which runs every X ms. I always found it easiest to switch based on what my last action was (jump, attack, skill, etc). I can then choose my next ideal action (I jumped; am I near a monster now? If so attack, if not we need to move again, etc) and use simple timestamps to spread out actions (e.g. we attacked 5 ms ago, don't jump away just yet).
Yeah, the problem now is that while a loop or Sleep() call is running the client freezes, so I'm learning how to use multithreading, but I don't know if that is the method you use for it or whether there is a better one...
Could you give me a clue about how a bot is structured hierarchically?
Thanks ^^
02/18/2014, 21:58 #11
elite*gold: 21
Join Date: Jul 2005
Posts: 9,193
Received Thanks: 5,380
Quote:
Originally Posted by Reivein
Yeah, the problem now is that while a loop or Sleep() call is running the client freezes, so I'm learning how to use multithreading, but I don't know if that is the method you use for it or whether there is a better one...
Could you give me a clue about how a bot is structured hierarchically?
Thanks ^^
There are a lot of ways you could write it, honestly, and that all boils down to your personal preference.
Generally speaking you want a timed logic 'tick' which then flows through the possible actions and chooses the correct one based on the situation, previous actions and proper delays between them.
That tick can be done on its own thread, through a timer, etc. It's the logic that matters. If I were you, I'd probably set up a timer so you don't have to deal with cross-thread calls or anything that really involves multithreading. It would be the simplest quick fix so you can start working on your actual bot logic.
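The timed logic tick that pro4never describes in posts #4, #8 and #11 (pick the next action from the last one, keep actions apart with timestamps, one jump per ~750 ms, attack only once in range) as an added C++ example; it is not code from the thread, from CO2Farm or from ConquerAI. The clock is passed in rather than read inside, so the same object can be driven from a timer or a thread and never sleeps on the client's thread (the freeze from post #10). The Chebyshev distance, the melee range of 2, the 18-tile cap per jump and the 60 ms spacing between attack packets are assumptions; the 750 ms jump interval is the figure from post #8.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <vector>

enum class Action { Idle, Jump, Attack };
struct Point { int x; int y; };
struct Mob   { uint32_t uid; Point pos; bool alive; };
// What the tick decided: target_uid is set for Attack, dest for Jump.
struct Decision { Action action; uint32_t target_uid; Point dest; };

// Chebyshev distance; an assumption about how the game measures range.
int Distance(Point a, Point b) {
    return std::max(std::abs(a.x - b.x), std::abs(a.y - b.y));
}

class BotLogic {
public:
    BotLogic(int melee_range, int jump_cap, int64_t jump_cooldown_ms, int64_t attack_cooldown_ms)
        : melee_range_(melee_range), jump_cap_(jump_cap),
          jump_cd_(jump_cooldown_ms), attack_cd_(attack_cooldown_ms) {}

    // One logic tick: decide from the clock, the hero position and the mobs in view.
    Decision Tick(int64_t now_ms, Point hero, const std::vector<Mob>& mobs) {
        const Mob* target = Nearest(hero, mobs);
        if (!target) return Remember(now_ms, {Action::Idle, 0, hero});
        // "We attacked 5 ms ago, don't jump away just yet": let the attack cadence finish first.
        bool attack_ready = now_ms - last_attack_ms_ >= attack_cd_;
        if (last_ == Action::Attack && !attack_ready) return Remember(now_ms, {Action::Idle, 0, hero});
        if (Distance(hero, target->pos) <= melee_range_)
            return Remember(now_ms, attack_ready ? Decision{Action::Attack, target->uid, hero}
                                                 : Decision{Action::Idle, 0, hero});
        // Out of range: one jump per cooldown, each leg capped per axis.
        if (now_ms - last_jump_ms_ < jump_cd_) return Remember(now_ms, {Action::Idle, 0, hero});
        Point dest{hero.x + Clamp(target->pos.x - hero.x), hero.y + Clamp(target->pos.y - hero.y)};
        return Remember(now_ms, {Action::Jump, 0, dest});
    }

private:
    int Clamp(int d) const { return std::max(-jump_cap_, std::min(jump_cap_, d)); }

    static const Mob* Nearest(Point hero, const std::vector<Mob>& mobs) {
        const Mob* best = nullptr;
        for (const Mob& m : mobs)
            if (m.alive && (!best || Distance(hero, m.pos) < Distance(hero, best->pos))) best = &m;
        return best;
    }

    // Record timestamps and the last real action so later ticks can space things out.
    Decision Remember(int64_t now_ms, Decision d) {
        if (d.action == Action::Jump)   last_jump_ms_ = now_ms;
        if (d.action == Action::Attack) last_attack_ms_ = now_ms;
        if (d.action != Action::Idle)   last_ = d.action;
        return d;
    }

    int melee_range_, jump_cap_;
    int64_t jump_cd_, attack_cd_;
    int64_t last_jump_ms_ = -1000000, last_attack_ms_ = -1000000;   // "long ago"
    Action last_ = Action::Idle;
};

// Constructed walk-through against one mob (sample data, not game state).
std::vector<Decision> RunScenario() {
    BotLogic bot(2, 18, 750, 60);
    std::vector<Mob> mobs{{0x1000, {130, 100}, true}};
    std::vector<Decision> log;
    Point hero{100, 100};
    log.push_back(bot.Tick(0, hero, mobs));      // Jump to (118,100): 30 tiles away, capped at 18
    log.push_back(bot.Tick(100, hero, mobs));    // Idle: jump cooldown
    hero = log[0].dest;
    log.push_back(bot.Tick(750, hero, mobs));    // Jump to (130,100)
    hero = log[2].dest;
    log.push_back(bot.Tick(1500, hero, mobs));   // Attack 0x1000
    log.push_back(bot.Tick(1520, hero, mobs));   // Idle: attack cooldown
    log.push_back(bot.Tick(1560, hero, mobs));   // Attack again
    mobs[0].alive = false;
    log.push_back(bot.Tick(1700, hero, mobs));   // Idle: nothing left to hit
    return log;
}
Decision ScenarioStep(size_t i) { return RunScenario().at(i); }

// The "don't jump away yet" rule in isolation: attack, then the target moves out of range.
Action AfterRecentAttack(int64_t delta_ms) {
    BotLogic bot(2, 18, 750, 60);
    std::vector<Mob> mobs{{0x1000, {100, 100}, true}};
    bot.Tick(1000, {100, 100}, mobs);            // Attack
    mobs[0].pos = {140, 100};
    return bot.Tick(1000 + delta_ms, {100, 100}, mobs).action;
}

int main() {
    const char* names[] = {"Idle", "Jump", "Attack"};
    for (const Decision& d : RunScenario())
        std::printf("%-6s target=%#x dest=(%d,%d)\n", names[int(d.action)], d.target_uid, d.dest.x, d.dest.y);
    return 0;
}
```

Each Decision maps onto one packet send (a jump packet for Jump, the 1022/0x3FE attack packet for Attack) and a timer callback calls Tick with the current millisecond clock; because Tick never blocks, the client keeps rendering between ticks.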