Hey guys! I know it's a long shot since pretty much everyone abandoned this game, but maybe someone still lurks.
I found a private server running 5095; it is a garbage, greedy server. I want to hack it, starting with a bot, maybe an aimbot later. Not that I want to play the game, just to try myself at creating one.
Nothing I write here is with confidence; I am not sure about anything at this point.
I found the ws2_32.send function and traced it back. It seems like it is running in a loop, checking if there is something in the buffer waiting to be sent, and sends it if there is. Otherwise the loop skips the send function. I tried tracking back to see where the buffer is coming from, but I couldn't find it. I did find the Blowfish key, though.
So then I tried going the other way. I found the coords of the player and tracked them to the function that is responsible for handling player actions (walk, jump, sit etc.). Now I could try to hook these action functions separately and put the destination coords in memory (found no args, just a buffer populated again somewhere else). But I am thinking that it would probably be way easier in the long run to find the function that prepares these packets. Well, I am having trouble with that.
I have been at it a few days now, but I keep hitting wall after wall.
If anyone has any tips or is willing to give me their Discord, that would be much appreciated.
I would suggest downloading the leaked Eudemons C++ source, which the older Conquer versions (5065, 5095) are more or less based on.
Each packet sent from the client basically follows the same structure: the CNetMsg::Create method is called, followed by CNetMsg::Send. Here is the walk packet code from the EO source that is sent to the server:
Create:
Code:
BOOL CMsgWalk::Create(OBJID idPlayer, int nDir, int nScondDir /*= -1*/)
{
    // param check
    if (idPlayer == ID_NONE)
        return false;

    // init
    this->Init();

    // fill info now: header (size, type) first, then the payload fields
    m_unMsgSize = sizeof(MSG_Info);
    m_unMsgType = _MSG_WALK;          // packet type 1005
    m_pInfo->idUser = idPlayer;
    m_pInfo->ucDir = nDir;
    m_pInfo->ucRun = nScondDir;
    return true;
}
The quickest way to find CMsgWalk::Create in the 5095 decompiled exe (I'm using IDA) would be to search for the packet type (1005). In IDA this would take me here:
It's important to note that the EO C++ source won't always map 1:1 to the 5095 exe structure.
You would assume the function call sub_50701F to be msg.Send(), but if you drill down in IDA, it takes you to a preliminary function. Within it you'll see a call to address 0x004DCBD0, which is your CNetMsg::Send function.
If you check all the references to sub_4DCBD0 in IDA, you'll see that it's called from a lot of places. The actual packet data is stored in m_bufMsg, which is a member of the CNetMsg class (which all packets inherit from). m_unMsgSize is the size of the packet. g_objNetwork.SendMsg is the actual function that sends the packet to the server.
It's a lot to take in at once, but if you study the leaked EO source and try to find the matching sections in the 5095 decompiled exe, it'll all start to click. Let me know if you have any questions.
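As an added illustration (not code from the leaked EO source, the 5095 client, or this thread), here is what the receiving side of that CNetMsg exchange should do with a walk message before dispatching it. The packed little-endian field layout, the 0..7 direction range and the session-id check are assumptions for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Assumed wire layout of the walk message (constructed for this example; the real
// MSG_Info layout in the leaked source may differ): packed, little-endian.
#pragma pack(push, 1)
struct MsgInfo {
    uint16_t unMsgSize;   // m_unMsgSize: total message length in bytes
    uint16_t unMsgType;   // m_unMsgType: 1005 == _MSG_WALK
    uint32_t idUser;      // player id the client claims to be moving
    uint8_t  ucDir;       // direction, assumed 0..7
    uint8_t  ucRun;       // run flag / second direction
};
#pragma pack(pop)

static const uint16_t kMsgWalk = 1005;

enum class WalkVerdict { Ok, BadLength, BadType, SpoofedId, BadDir };

// Server-side checks a dispatcher should run on a decrypted client buffer before trusting
// it: the header length must match what actually arrived, the type must be the walk type,
// the player id must be the session's own id, and the direction must be in range.
static WalkVerdict ValidateWalk(const uint8_t* buf, size_t len, uint32_t sessionId) {
    if (len != sizeof(MsgInfo)) return WalkVerdict::BadLength;
    MsgInfo m;
    std::memcpy(&m, buf, sizeof m);
    if (m.unMsgSize != len) return WalkVerdict::BadLength;   // header lies about size
    if (m.unMsgType != kMsgWalk) return WalkVerdict::BadType;
    if (m.idUser != sessionId) return WalkVerdict::SpoofedId; // never trust idUser blindly
    if (m.ucDir > 7) return WalkVerdict::BadDir;
    return WalkVerdict::Ok;
}

// Test fixture: serialise a message the way CMsgWalk::Create fills it (constructed).
static std::vector<uint8_t> MakeWalk(uint32_t idUser, uint8_t dir, uint8_t run,
                                     uint16_t type = kMsgWalk) {
    MsgInfo m{static_cast<uint16_t>(sizeof(MsgInfo)), type, idUser, dir, run};
    std::vector<uint8_t> out(sizeof m);
    std::memcpy(out.data(), &m, sizeof m);
    return out;
}
```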
Wow! Thank you for taking the time and for the detailed answer!
I will give it a go using x32dbg, since it isn't detected by whatever anticheat the game uses. I know there are ways to bypass it, but I figured if that works, why take the time. I might give IDA a try if I can't get it to work, and see if that gets detected.
Thank you!
I used to make bots and hacks for this game a really long time ago (like almost 20 years ago).
A well-kept secret that only a few people knew about is that if you send a position coordinate far away, the game knows you can't actually reach that coordinate and nothing happens.
HOWEVER, if you send a coordinate in which there's an object that you can't otherwise get to (like a tree), the game teleports you to the next closest coordinate.
You can use that info to literally teleport across the entire game quickly (you can't use it, though, to teleport from one map to the next, but you can use it to teleport to the next closest map connection quickly).
Hopefully that info helps in your quest to make a bot.
This won't work if there are server sided checks for jump distance and/or tile access.
I'm not telling you a hypothetical, I'm telling you something that you can ACTUALLY do and that works. I was one of the first people to write a bot for this game and inject code before/after the packet encryption/decryption so that you can send your own packets, as well as making one of the first clientless bots for this game. I know what I'm talking about. This was one of those secrets I discovered that I never made public or made a public tool for.
I know for a fact it at least used to work on the official servers up until like a year after ninjas were added. (around the time I stopped playing the game)
There are server-side checks for jump distance, but there was a bug where they conflicted with a valid-tile check. So while the distance was too far, the server would first check if it was a valid tile, and if not, it would instead change your location to the next closest valid tile.
I created a whole bot based on that exploit to farm refined items from that one quest that gives you a refined item (forgot the name of the quest) so that I can merge them into my talisman for free, I could do the quest in literally seconds
I'm not sure what version most private servers are using, but if they're using a version that's around the time of or before ninjas were introduced and they haven't fixed that server-side check in the code, I guarantee you, it'll still work there.
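The check-ordering bug described above, alongside the corrected server-side logic, as an added example constructed for this thread (not code from the leaked EO source or any real server): the tiny map, the jump distance limit and the Chebyshev distance metric are assumptions.

```cpp
#include <algorithm>
#include <cstdlib>

// Constructed 8x8 test map for this example: '.' walkable, 'T' a blocked tile (a tree).
static const char* kMap[8] = {
    "........", "........", "...T....", "........",
    "........", "........", "......T.", "........",
};
static const int kMapSize = 8;
static const int kMaxJumpDist = 3;  // assumed server-side jump distance limit

struct Pos { int x, y; };

static bool IsValidTile(Pos p) {
    return p.x >= 0 && p.y >= 0 && p.x < kMapSize && p.y < kMapSize && kMap[p.y][p.x] == '.';
}
// Chebyshev distance: one diagonal step counts as one tile (assumption).
static int Dist(Pos a, Pos b) { return std::max(std::abs(a.x - b.x), std::abs(a.y - b.y)); }

// Nearest walkable tile to target (brute force; the map is tiny).
static Pos NearestValidTile(Pos target) {
    Pos best = target;
    int bestD = 1 << 30;
    for (int y = 0; y < kMapSize; ++y)
        for (int x = 0; x < kMapSize; ++x) {
            Pos p{x, y};
            int d = Dist(p, target);
            if (IsValidTile(p) && d < bestD) { best = p; bestD = d; }
        }
    return best;
}

// Ordering described in the thread: the invalid-tile fallback relocates the player
// before the distance limit is applied, so a far-away blocked tile becomes a free teleport.
static Pos HandleJumpBuggy(Pos cur, Pos target) {
    if (!IsValidTile(target)) return NearestValidTile(target);  // distance never checked
    if (Dist(cur, target) > kMaxJumpDist) return cur;           // too far: ignore
    return target;
}

// Hardened ordering: enforce the distance limit first, then reject invalid tiles outright
// instead of relocating; the player only ever lands on a tile it legitimately requested.
static Pos HandleJumpFixed(Pos cur, Pos target) {
    if (Dist(cur, target) > kMaxJumpDist) return cur;
    if (!IsValidTile(target)) return cur;
    return target;
}
```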