Quote:
Originally Posted by One Tap
Yeah well, I decided to try it first on a private server, which happens to have far less protection
0049B09B |> FF75 0C PUSH DWORD PTR SS:[EBP+0C] ; /Arg2 => [ARG.EBP+0C]
0049B09E |. 8B4E 14 MOV ECX,DWORD PTR DS:[ESI+14] ; |
0049B0A1 |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],00000000 ; |
0049B0A5 |. 57 PUSH EDI ; |Arg1
0049B0A6 |. E8 F70D0000 CALL 0049BEA2 ; \Conquer.0049BEA2
|
Since you've been posting assembly and addresses (I don't know what they're for - and I don't really care [whatever it is - it's not the send function]), I'm assuming you're making a memory-based macro. In which case, I'll just flat out tell you that hooking the send function has nothing to do with the client's encryption.
How it was done in the past:
1. Get Conquer to run in a debugger without it self-terminating (you might need to get rid of things).
*Fingers crossed on not getting bot jailed when you login*
2. In your debugger, look for calls that use the WS2 library. Look for a destination name of "WS2_32.send"
3. Add breakpoints to areas that call WS2_32.send, then make the client interact with the server in order to send packets. It should make it relatively clear which one is the send function.
Hint: The function should take an argument to a pointer and the packet length.
3a. You can verify by looking at the hex dump; you'll know when you find it because the CO2 packet structure doesn't really change often.
4. Take note of the address of the last call of the send function.
Hint: In the send function there should be lines that push the two arguments to the stack. The call you're looking for should be located after those lines.
5. Write a program to actually make use of the information you just gathered.
Final answer: Yes, hooking the send function is still possible.
Good luck!
Edit: I'm sure it's still possible, just not with the method above (see post below). Once again, good luck.