Memory bot ‘send’ function

Discussion on Memory bot ‘send’ function within the CO2 Programming forum part of the Conquer Online 2 category.

Old   #1
 
elite*gold: 0
Join Date: Jan 2025
Posts: 3
Received Thanks: 0
Memory bot ‘send’ function

Hey guys! I know it's a long shot since pretty much everyone abandoned this game, but maybe someone still lurks.

I found a private server running 5095, it is a garbage, greedy server. I want to hack it, start with a bot, maybe aimbot later. Not that I wanna play the game, just to try creating one myself.

Nothing I write here is with confidence, I am not sure about anything at this point.

I found the ws2_32.send function and traced it back. It seems like it is running in a loop, checking if there is something in the buffer waiting to be sent and sends it if there is. Otherwise the loop skips the send function. I tried tracking back, to see where the buffer is coming from but I couldn’t find it. I did find the blowfish key tho.

So then I tried going the other way. I found the coords of the player and tracked it to the function that is responsible for handling player actions (walk, jump, sit etc..). Now I could try to hook these action functions separately, put the destination coords in memory (found no args, just a buffer populated again somewhere else). But I am thinking that it would probably be way easier in the long run to find the function that prepares these packets. Well, I am having trouble with that.

I have been at it a few days now, but I keep hitting wall after wall.

If anyone has any tips or is willing to give me their discord, that would be much appreciated.

Thank you!
megaphag is offline  
Old 02/19/2025, 02:20   #2
 
elite*gold: 52
Join Date: Jul 2008
Posts: 50
Received Thanks: 15
I would suggest downloading the leaked Eudemon C++ source, which the older Conquer versions (5065, 5095) are more or less based on.
Each packet sent from the client basically follows the same structure: the CNetMsg::Create method is called, followed by CNetMsg::Send. Here is the walk packet code from the EO source that is sent to the server:

Create:

Code:
BOOL CMsgWalk::Create(OBJID idPlayer, int nDir, int nScondDir /*= -1*/)
{
	// param check
	if (idPlayer == ID_NONE)
		return false;

	// init
	this->Init();

	// fill info now
	m_unMsgSize	=sizeof(MSG_Info);
	m_unMsgType	=_MSG_WALK;

	m_pInfo->idUser		=idPlayer;
	m_pInfo->ucDir		=nDir;
	m_pInfo->ucRun		=nScondDir;
	return true;
}
Usage:
Code:
	case _ACTION_WALKL:
	case _ACTION_WALKR:
		{
			if(m_Info.posActionBegin.x != m_Info.posActionEnd.x ||
				m_Info.posActionBegin.y != m_Info.posActionEnd.y)
			{
				CMyPos posHero;
				this->GetPos(posHero);
				CMsgWalk msg;
				if(msg.Create(this->GetID(),this->GetDir()+8*::RandGet(31)))
					msg.Send();
			}
		}
		break;
The quickest way to find CMsgWalk::Create in the 5095 de-compiled exe (I'm using IDA) would be to search for the packet type (1005). In IDA this would take me here:
Code:
Address: 0x00506FA7

int __thiscall sub_506FA7(int this, int a2, char a3, int a4, char a5)
{
  int v7; // ecx

  if ( !a2 )
    return 0;
  sub_4DCB22(this);
  v7 = *(_DWORD *)(this + 1028);
  *(_WORD *)(this + 4) = 16;
  *(_WORD *)(this + 6) = 1005;
  *(_DWORD *)(v7 + 4) = a2;
  *(_BYTE *)(*(_DWORD *)(this + 1028) + 8) = a3;
  *(_BYTE *)(*(_DWORD *)(this + 1028) + 9) = a5;
  *(_DWORD *)(*(_DWORD *)(this + 1028) + 12) = a4;
  return 1;
}
If you go up the call chain it should take you to:

Code:
Address: 0x004C7F12

if ( sub_506FA7((int)v33, v17, v16 + 8 * v18, v26, v30) )
    sub_50701F(v33);
It's important to note that the EO C++ source won't always map 1:1 to the 5095 exe structure.
You would assume the func call sub_50701F to be msg.Send(), but if you drill down in IDA, it takes you to a preliminary function. Within it you'll see a call to address 0x004DCBD0, which is your CNetMsg::Send func.

IDA:
Code:
void *__thiscall sub_4DCBD0(int this)
{
  return sub_4DC9A3(dword_5DECB0, (void *)(this + 4), *(unsigned __int16 *)(this + 4));
}
EO Source:
Code:
void CNetMsg::Send(void)
{
#ifdef _MYDEBUG
	::LogMsg("SendMsg:%d, size:%d", m_unMsgType, m_unMsgSize);

#endif

    g_objNetwork.SendMsg(m_bufMsg, m_unMsgSize);
}
If you check all the references to sub_4DCBD0 in IDA, you'll see that it's called from a lot of places. The actual packet data is stored in m_bufMsg, which is a member of the CNetMsg class (which all packets inherit from). m_unMsgSize is the size of the packet. g_objNetwork.SendMsg is the actual function that sends the packet to the server.

It's a lot to take in at once but if you study the leaked EO source and try to find the matching sections in the 5095 de-compiled exe, it'll all start to click. Let me know if you have any questions.
Relic is offline  
Thanks
2 Users
Old 02/19/2025, 18:02   #3
 
elite*gold: 0
Join Date: Jan 2025
Posts: 3
Received Thanks: 0
Wow! Thank you for taking the time and for the detailed answer!

I will give it a go using x32dbg, since it isn't detected by whatever anticheat the game uses. I know there are ways to bypass it, but figured if that works, why take the time. Might give IDA a try if I can't get it to work, see if that gets detected.
megaphag is offline  
Old 02/19/2025, 20:09   #4
 
elite*gold: 52
Join Date: Jul 2008
Posts: 50
Received Thanks: 15
You should be using a tool like IDA or Ghidra for static analysis. x32dbg is more so used for dynamic debugging, aka analyzing runtime behavior.
Relic is offline  
Old 02/19/2025, 20:46   #5
 
elite*gold: 0
Join Date: Jan 2025
Posts: 3
Received Thanks: 0
Yeah it's really helpful, just need to get the hang of it.

I think I managed to find the Send call, it is called in a lot of places.

Code:
int __thiscall sub_4D16E6(unsigned __int16 *this)
{
  return sub_4D14B9(this + 2, this[2]);
}
EDIT: Just tested in x32dbg, I am pretty sure this is the Send. This is the data it is called with:
Code:
0019F57C  1C 00 F2 03 23 79 A9 04 1D 6B E6 00 AF 02 47 02  
0019F58C  AF 02 44 02 00 00 85 00 00 00 00 00 00 00 00 00
megaphag is offline  
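Tying post #2's layout (size/type WORDs at the front of m_bufMsg, idUser at +4, ucDir at +8, ucRun at +9, a fourth DWORD at +12 for type 1005) to the buffer dumped in post #5, here is an added dissector that is not from the thread or the EO source. It assumes m_pInfo (this+1028) points at the same bytes as m_bufMsg (this+4), which is what the header stores and CNetMsg::Send's use of this+4 suggest; MsgWalk5095, dwExtra, le16 and kSampleWalk are my own names, and kSampleWalk is a constructed packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Every CNetMsg buffer (m_bufMsg) starts with two little-endian WORDs, size then
 * type: the stores to this+4 / this+6 in sub_506FA7. */
typedef struct { uint16_t unMsgSize, unMsgType; } MsgHeader;

/* Walk packet (type 1005) as sub_506FA7 lays it out. MsgWalk5095 and dwExtra are
 * my own names; the EO MSG_Info for CMsgWalk has no fourth field. */
#pragma pack(push, 1)
typedef struct {
    uint16_t unMsgSize;  /* +0   always 16 */
    uint16_t unMsgType;  /* +2   1005 */
    uint32_t idUser;     /* +4   a2 */
    uint8_t  ucDir;      /* +8   a3 */
    uint8_t  ucRun;      /* +9   a5 (nScondDir; -1 arrives as 0xFF) */
    uint8_t  pad[2];     /* +10  never written by the decompiled code */
    uint32_t dwExtra;    /* +12  a4 */
} MsgWalk5095;
#pragma pack(pop)
#define MSG_WALK 1005

/* The 32 bytes shown at 0019F57C in post #5; only the first 0x1C are the packet. */
static const uint8_t kCapturedSend[32] = {
    0x1C,0x00,0xF2,0x03,0x23,0x79,0xA9,0x04,0x1D,0x6B,0xE6,0x00,0xAF,0x02,0x47,0x02,
    0xAF,0x02,0x44,0x02,0x00,0x00,0x85,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
/* Constructed walk packet, not from the page: id 0x12345678, dir 3, run -1. */
static const uint8_t kSampleWalk[16] = {
    0x10,0x00,0xED,0x03, 0x78,0x56,0x34,0x12, 0x03,0xFF,0x00,0x00, 0x00,0x00,0x00,0x00 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Read the header and reject sizes the buffer cannot back. A dissector must not
 * trust unMsgSize blindly: it is the length CNetMsg::Send hands to the network. */
int parse_header(const uint8_t *buf, size_t len, MsgHeader *out) {
    if (len < sizeof(MsgHeader)) return -1;
    out->unMsgSize = le16(buf); out->unMsgType = le16(buf + 2);
    return (out->unMsgSize < sizeof(MsgHeader) || out->unMsgSize > len) ? -1 : 0;
}

/* Decode a walk packet; 0 only for type 1005 with size 16. */
int decode_walk(const uint8_t *buf, size_t len, MsgWalk5095 *out) {
    MsgHeader h;
    if (parse_header(buf, len, &h) != 0) return -1;
    if (h.unMsgType != MSG_WALK || h.unMsgSize != sizeof *out) return -1;
    memcpy(out, buf, sizeof *out);  /* packed layout; little-endian host assumed, like the x86 client */
    return 0;
}
```

Run over the post #5 dump it reports size 28 and type 1010, i.e. not the walk packet of post #2, so decode_walk correctly refuses it.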
Old 02/23/2025, 15:58   #6
 
elite*gold: 0
Join Date: Sep 2018
Posts: 2
Received Thanks: 2
Quote:
Originally Posted by megaphag View Post
Hey guys! I know it's a long shot since pretty much everyone abandoned this game, but maybe someone still lurks.

I found a private server running 5095, it is a garbage, greedy server. I want to hack it, start with a bot, maybe aimbot later. Not that I wanna play the game, just to try creating one myself.

Nothing I write here is with confidence, I am not sure about anything at this point.

I found the ws2_32.send function and traced it back. It seems like it is running in a loop, checking if there is something in the buffer waiting to be sent and sends it if there is. Otherwise the loop skips the send function. I tried tracking back, to see where the buffer is coming from but I couldn’t find it. I did find the blowfish key tho.

So then I tried going the other way. I found the coords of the player and tracked it to the function that is responsible for handling player actions (walk, jump, sit etc..). Now I could try to hook these action functions separately, put the destination coords in memory (found no args, just a buffer populated again somewhere else). But I am thinking that it would probably be way easier in the long run to find the function that prepares these packets. Well, I am having trouble with that.

I have been at it a few days now, but I keep hitting wall after wall.

If anyone has any tips or is willing to give me their discord, that would be much appreciated.

Thank you!
I used to make bots and hacks for this game a really long time ago (like almost 20 years ago).

A well-kept secret that only a few people knew about is that if you send a position coordinate far away, the game knows you can't actually reach that coordinate and nothing happens.

HOWEVER, if you send a coordinate in which there's an object there that you can't otherwise get to (like a tree), the game teleports you to the next closest coordinate.

You can use that info to literally teleport across the entire game quickly (you can't use it though to teleport from one map to the next, but you can use it to teleport to the next closest map connection quickly).

Hopefully that info helps in your quest to make a bot.
todo286 is offline  
Old 02/28/2025, 22:57   #7
 
elite*gold: 52
Join Date: Jul 2008
Posts: 50
Received Thanks: 15
Quote:
Originally Posted by todo286 View Post
I used to make bots and hacks for this game a really long time ago (like almost 20 years ago).

A well-kept secret that only a few people knew about is that if you send a position coordinate far away, the game knows you can't actually reach that coordinate and nothing happens.

HOWEVER, if you send a coordinate in which there's an object there that you can't otherwise get to (like a tree), the game teleports you to the next closest coordinate.

You can use that info to literally teleport across the entire game quickly (you can't use it though to teleport from one map to the next, but you can use it to teleport to the next closest map connection quickly).

Hopefully that info helps in your quest to make a bot.
This won't work if there are server sided checks for jump distance and/or tile access.
Relic is offline  
Old 03/02/2025, 12:44   #8
 
elite*gold: 0
Join Date: Sep 2018
Posts: 2
Received Thanks: 2
Quote:
Originally Posted by Relic View Post
This won't work if there are server sided checks for jump distance and/or tile access.
I'm not telling you a hypothetical, I'm telling you something that you can ACTUALLY do and that works. I was one of the first people to write up a bot for this game and inject code before/after the packet encryption/decryption so that you can send your own packets, as well as making one of the first clientless bots for this game. I know what I'm talking about. This was one of those secrets I discovered that I never made public or made a tool for public.

I know for a fact it at least used to work on the official servers up until like a year after ninjas were added. (around the time I stopped playing the game)

There are server side checks for jump distance, but there was a bug where it conflicted with a valid tile check. So while the distance was too far, the server would first check if it was a valid tile, and if not, it would instead change your location to the next closest valid tile.

I created a whole bot based on that exploit to farm refined items from that one quest that gives you a refined item (forgot the name of the quest) so that I could merge them into my talisman for free. I could do the quest in literally seconds.

I'm not sure what version most private servers are using, but if they're using a version that's around the time of or before ninjas were introduced and they haven't fixed that server side check in the code, I guarantee you, it'll still work there.
todo286 is offline  
Thanks
2 Users