[Tutorial] Call a function inside Neuz (melee attack example)
Discussion on [Tutorial] Call a function inside Neuz (melee attack example) within the Flyff Hacks, Bots, Cheats, Exploits & Macros forum part of the Flyff category.
Hello sexy cheaters
I decided to make a little "tutorial" to explain how to do hacks like greyb1t's last hack for Insanity, which can be found here:
1. Introduction
First of all, I am not a teacher: I am not skilled enough in coding and I usually do not produce proper code, but I will comment my code so you can understand it.
If you understand this "tutorial" correctly, the same technique can be used for other Flyff hacks, and for far more powerful things than a single melee call; I leave you to imagine what.
This is for educational purposes only, so please do not use it against the rules, and make sure you have permission.
This particular hack will be patched soon, as it is easy to fix (the server only has to validate the attack message it receives instead of trusting the client), but as I said, the technique carries over to any other call the game server does not check.
We will do this test in the [Krona Flyff] client.
Quote:
Note that I will not release any code that kills many mobs at the same time, just so I don't see noobs AoE-ing the whole spawn. If you know how to find the mobs in the camera view, then you can code it yourself, but I do not recommend it xD
2. How does it work?
What we will do is call a function inside the game client (Neuz.exe). That function is:
Quote:
void CDPClient::SendMeleeAttack( OBJMSG dwAtkMsg, OBJID objid, int nParam2, int nParam3, FLOAT fVal )
As you can see, it is a member of the CDPClient class, which means it must be called on the client's CDPClient instance: the hidden this pointer is the first argument, so our own code can call it as long as we know where that object lives.
So we need to find the following in "Neuz.exe":
The client object address (the this pointer, g_DPlay)
The "SendMeleeAttack()" method address
The values of the parameters to pass to the function
Different ways can be used to get these addresses, but a fast method is to search the "Referenced strings" with CE or with your preferred debugger.
Quote:
Note that Krona has anti-debugger protection and I only succeeded in bypassing it with CE's "VEH" debugger. x32dbg and OllyDbg are detected and the client closes immediately when a software breakpoint is hit.
After CE finishes processing, search for the string "DoAttackMelee"; you will find a unique address. Click it and you land at the call site, where the arguments being pushed are:
OBJMSG dwAtkMsg: an integer with the value 29 (0x1D in hexadecimal)
OBJID objid: the mob ID (i.e. the session ID, not to be confused with the fixed constant player ID). It can be found by selecting different mobs in the game and using CE's Dissect Data/Structures feature; see section 3 for how to find this value.
int nParam2: always 0
int nParam3: always 0x10000 (65536 in decimal)
FLOAT fVal: the equipped weapon's attack speed. It can be obtained by calling another method, GetActiveHandItemProp(), which belongs to the CMover class. Let's not do that for the moment and just use a hardcoded value; the values can be found with your debugger:
- For the sword: the attack speed is 0.08500000089f
- For the knux: 0.0700000003f
If you can find a pointer to the currently equipped weapon's property structure, the attack speed is at offset 0x130.
You can also get this value on the fly with the "thread context and debug registers" method: set a hardware breakpoint in your code at this instruction:
Neuz.exe+14F21E - F3 0F10 82 30010000 - movss xmm0,[edx+00000130]
and read the float at EDX+0x130 (that is where the instruction loads it from), but this is for advanced users only.
3. How to find the target ID address?
If you have no idea how to find the target ID, I will explain it using CE, but of course you can find it another way in CE or even with other tools (for example, if you have a packet editor, which you can build with my other tutorial by the way, you can read the target ID by hooking the send() function that sends a packet to the server when you select a target...)
1 - Put a breakpoint at the function start (press F5)
2 - Hit a mob with a melee attack
3 - Go back to CE, check the stack frame, and save the target ID value in Notepad
Example for "Insanity FlyFF": target ID = 0x015767F5 (hexadecimal)
4 - Scan for this value (Hex checked)
5 - In most cases the first address is the correct one, but make sure the address is not static (not green). Here it is 0x035976D0
6 - Add the address 0x035976D0 to the list and right-click "Find out what accesses this address"
7 - Select the same mob 2 or 3 times and you will see that the accessor is 0x035973E0 with offset 0x2F0
This means that the session ID of the selected target is at offset 0x2F0 and the "entity" address representing our mob is 0x035973E0
8 - Now we need a static pointer (green address) to our target 0x035973E0, so we can find it every time we run Neuz...
9 - Select the same mob and scan for 0x035973E0 (Hex checked, of course)
10 - Unselect the mob and you will see 2 values change to 00000000
11 - The second address is the correct one (or test both to find the correct one). Add the address 0x278EBBB0 to the list and do "Find out what writes to this address"
12 - The writing instruction shows the pointer register plus offset 0x20; following that register value back the same way leads to the static (green) address "Neuz.exe"+B6AF90
13 - To test it, add a pointer manually in CE:
Address = "Neuz.exe" + B6AF90 (it is equal to 0x015EAF90 for me, but this changes all the time, so always use the relative address starting from "Neuz.exe")
Offset 1 = 0x20
Offset 2 = 0x2F0
The pointer must now show the target ID (0x015767F5) while the mob is selected and 0 when nothing is selected; if it shows garbage after a map change or on another client, the offsets have to be found again.
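The pointer chain above ("Neuz.exe"+B6AF90 -> +0x20 -> +0x2F0) is exactly what the FindDmaAddy helper in the DLL code below walks at runtime, and its only protection is a null check per hop: an unmapped intermediate pointer (map change, mob despawn, wrong offset on another client) crashes Neuz. The following example is added by the editor and is not code from the post. It shows the same walk written against a memory-reader interface with per-hop status reporting, run offline against a constructed image of the addresses in this walkthrough. The module base 0x00A80000 (chosen so that "Neuz.exe"+B6AF90 equals 0x015EAF90), the intermediate pointer 0x278EBB90 (so that +0x20 is 0x278EBBB0) and the region sizes are assumptions; MemoryReader, FakeProcess, resolveChain and readTargetID are names of my own. In the injected DLL the reader would wrap a VirtualQuery check before each dereference; in an external tool it would wrap ReadProcessMemory.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <map>
#include <vector>

// Abstract memory reader: in-process it would VirtualQuery before each read,
// out-of-process it would call ReadProcessMemory. Here it is backed by a
// constructed image so the walker can run offline.
struct MemoryReader {
    virtual ~MemoryReader() {}
    virtual bool read32(uint32_t addr, uint32_t *out) const = 0;
};

// Constructed stand-in for Neuz.exe memory: a few readable regions.
struct FakeProcess : MemoryReader {
    std::map<uint32_t, std::vector<uint8_t> > regions; // region start -> bytes

    void addRegion(uint32_t start, size_t size) { regions[start] = std::vector<uint8_t>(size, 0); }

    void write32(uint32_t addr, uint32_t value) {
        for (auto &kv : regions)
            if (addr >= kv.first && addr + 4 <= kv.first + kv.second.size()) {
                std::memcpy(&kv.second[addr - kv.first], &value, 4);
                return;
            }
    }
    bool read32(uint32_t addr, uint32_t *out) const {
        for (const auto &kv : regions)
            if (addr >= kv.first && addr + 4 <= kv.first + kv.second.size()) {
                std::memcpy(out, &kv.second[addr - kv.first], 4);
                return true;
            }
        return false; // unmapped: a raw *(DWORD*) here is the crash a null check cannot catch
    }
};

enum PtrStatus { PTR_OK, PTR_NULL_HOP, PTR_UNREADABLE };

struct PtrResult {
    PtrStatus status;
    int       hop;     // 0 = the static base read, k = after applying offsets[k-1]
    uint32_t  address; // final field address on success, failing address otherwise
};

// Resolve a Cheat Engine style pointer: [[base] + off[0]] + off[1] ... + off[n-1].
// Every hop but the last is dereferenced; the last offset yields the field's
// address, which the caller reads (the "no asterisk on the last level" rule).
PtrResult resolveChain(const MemoryReader &mem, uint32_t base, const std::vector<uint32_t> &offsets) {
    PtrResult r = { PTR_OK, 0, base };
    uint32_t ptr = 0;
    if (!mem.read32(base, &ptr)) { r.status = PTR_UNREADABLE; return r; }
    if (ptr == 0)                { r.status = PTR_NULL_HOP;   return r; }
    for (size_t i = 0; i < offsets.size(); ++i) {
        r.hop = (int)i + 1;
        r.address = ptr + offsets[i];
        if (i + 1 == offsets.size()) return r; // last level: address of the field, not its contents
        if (!mem.read32(r.address, &ptr)) { r.status = PTR_UNREADABLE; return r; }
        if (ptr == 0)                     { r.status = PTR_NULL_HOP;   return r; }
    }
    r.address = ptr; // no offsets given: the base pointer itself
    return r;
}

// Values from the walkthrough: "Neuz.exe"+B6AF90 == 0x015EAF90, entity 0x035973E0,
// session ID at +0x2F0, target ID 0x015767F5. The module base and the
// intermediate pointer 0x278EBB90 are assumptions made for this example.
const uint32_t kModuleBase  = 0x00A80000;
const uint32_t kRvaSelected = 0xB6AF90;
const uint32_t kEntity      = 0x035973E0;
const uint32_t kTargetID    = 0x015767F5;
const uint32_t kOffsets[]   = { 0x20, 0x2F0 };

FakeProcess buildSampleProcess(bool mobSelected) {
    FakeProcess p;
    p.addRegion(kModuleBase + kRvaSelected, 0x10); // the static (green) pointer
    p.addRegion(0x278EBB80, 0x40);                 // holder object; selected-entity pointer at +0x20
    p.addRegion(kEntity, 0x300);                   // the mob entity; session ID at +0x2F0
    p.write32(kModuleBase + kRvaSelected, 0x278EBB90);
    p.write32(0x278EBB90 + 0x20, mobSelected ? kEntity : 0); // deselecting zeroes this slot (step 10)
    p.write32(kEntity + 0x2F0, kTargetID);
    return p;
}

// What the DLL needs: the selected mob's session ID, or false when nothing is selected.
bool readTargetID(const MemoryReader &mem, uint32_t moduleBase, uint32_t *outID) {
    std::vector<uint32_t> offs(kOffsets, kOffsets + 2);
    PtrResult r = resolveChain(mem, moduleBase + kRvaSelected, offs);
    if (r.status != PTR_OK) return false;
    return mem.read32(r.address, outID) && *outID != 0;
}

int main() {
    uint32_t id = 0;
    FakeProcess selected = buildSampleProcess(true);
    if (readTargetID(selected, kModuleBase, &id)) std::printf("SelectedID: 0x%08X\n", id);
    FakeProcess none = buildSampleProcess(false);
    if (!readTargetID(none, kModuleBase, &id)) std::printf("no mob selected\n");
    return 0;
}
```

The walker never dereferences the last offset (CE's pointer display does that for you); readTargetID performs that final read and treats 0 as "no mob selected", which is the same condition the DLL checks before sending the attack. PTR_UNREADABLE is the case FindDmaAddy cannot report: with a real reader it is what you get when a stale entity pointer points into a freed page.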
Note that g_DPlay is our client object; (void*) means a pointer to anything.
Since the function we are going to call is a member function, it is invoked through a pointer to our client object (the hidden this pointer), so you need to pass "(void*)g_DPlay" as the first parameter when you call it. That is why the function pointer is declared __thiscall: MSVC then passes that first argument in ECX, exactly as the game's own code does.
The other parts of the code are easy to understand, so there is nothing special to explain here (I am tired of writing)
Code:
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <fcntl.h>      // for the console stuff
#include <io.h>         //
#include <TlHelp32.h>   // for the module operations

// Build as a 32-bit (x86) DLL without UNICODE: Neuz.exe is a 32-bit client and every
// address below is a DWORD.

// Note that the __thiscall calling convention is **very important**: the first argument
// is the hidden "this" pointer (passed in ECX), i.e. the CDPClient object.
typedef void (__thiscall *SendMeleeAttack_t)(void *client, unsigned int dwAtkMsg,
                                              unsigned int objid, int nParam2,
                                              int nParam3, float fVal);

SendMeleeAttack_t pSendMeleeAttack = NULL; // pointer to our main function

HANDLE  CreateConsole();        // for logging
DWORD   g_threadID;             // Thread ID
HMODULE g_hModule;              // Instance of the current injected DLL module
HMODULE g_hExeModule;           // Base address of the "Neuz.exe" module
HMODULE g_hCrashReport = NULL;  // evil module to get rid of => this is loaded in Krona FlyFF, not in all other Flyff versions!!

// Client-specific offsets (relative to the Neuz.exe base). These are the values found for
// Krona; they must be found again with CE for any other client or client version.
#define RVA_G_DPLAY         0x9FDA70 // CDPClient object (g_DPlay) => it is the ECX value at the function start
#define RVA_SELECTED_BASE   0x9CC37C // static pointer at the start of the selected-target chain
#define RVA_SENDMELEEATTACK 0x0      // CDPClient::SendMeleeAttack => fill in the address you found via the "DoAttackMelee" string (the post does not give it)

DWORD g_DPlay = 0x0;                    // Pointer to our client
DWORD SelectedBase = 0x0;               // target base address
unsigned int dwAtkMsg = 0x1D;           // 29 (1D in hexa)
unsigned int SelectedID = 0x0;          // will be computed every time the hack is called
int nParam2 = 0;                        // 0x0
int nParam3 = 0x10000;                  // 0x10000
float fItemAttakSpeed = 0.08500000089f; // currently equipped weapon attack speed, hardcoded (sword; knux = 0.0700000003f)
bool bExecuted = false;                 // was the hack executed?

DWORD WINAPI MyThread(LPVOID);  // The thread that executes the hack
void printLastExecution();      // used for printing some crap
unsigned long get_module(unsigned long pid, const char *module_name, unsigned long *size); // used only to remove the CrashRpt.dll module
// used to find a DMA address through multi-level pointers (found somewhere on the dark net)
DWORD FindDmaAddy(int PointerLevel, DWORD Offsets[], DWORD BaseAddress);

// Entry point of our DLL module
// (console and printf work inside DllMain is fragile because of the loader lock; it is
// kept here as in the original, the real work happens in MyThread)
INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
    switch (Reason)
    {
    case DLL_PROCESS_ATTACH:
        g_hModule = hDLL;
        DisableThreadLibraryCalls(hDLL);
        CreateConsole();

        g_hExeModule = GetModuleHandleA("Neuz.exe"); // get the module base address of Neuz.exe
        printf_s("[INFO]: g_hExeModule address: 0x%p\n", g_hExeModule); // print it :)

        // The base address of the target object => can be found easily with CE or with any other debugger
        SelectedBase = (DWORD)g_hExeModule + RVA_SELECTED_BASE; // Neuz.exe+9CC37C
        printf_s("[INFO]: SelectedBase address: 0x%lx\n", SelectedBase);

        // The client object and the function we are going to call
        g_DPlay = (DWORD)g_hExeModule + RVA_G_DPLAY; // Neuz.exe+9FDA70
        pSendMeleeAttack = (SendMeleeAttack_t)((DWORD)g_hExeModule + RVA_SENDMELEEATTACK);

        // Create the main thread that will execute the hack
        CreateThread(NULL, 0, MyThread, NULL, 0, &g_threadID);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}

// Main Thread
DWORD WINAPI MyThread(LPVOID)
{
    // remove evil tool to hide our hacks from being sent to the game server in case of a crash
    // (bounded retries instead of spinning forever: the module is not present in every client)
    for (int tries = 0; g_hCrashReport == NULL && tries < 50; tries++)
    {
        unsigned long size;
        g_hCrashReport = (HMODULE)get_module(GetCurrentProcessId(), "CrashRpt1402.dll", &size);
        if (g_hCrashReport != NULL) // we found it xD
        {
            printf_s("[INFO]: CrashRpt1402.dll found at Handle: 0x%p\n", g_hCrashReport);
            break;
        }
        Sleep(100);
    }

    // Offsets of the mob ID (values found for Krona; the Insanity walkthrough above found
    // 0x2F0 for the last level, so re-find them for your client)
    DWORD hackOffsetsTargetID[] = { 0x20, 0x2f4 };

    BOOL unloaded = FALSE;

    // Loop: 1. Select a mob in the game  2. Press F2 to hit the mob once  3. Press F3 to unload
    while (true)
    {
        if (GetAsyncKeyState(VK_F2) & 0x8000) // Press F2
        {
            // unload the evil module
            if (!unloaded && g_hCrashReport != NULL)
            {
                unloaded = FreeLibrary(g_hCrashReport); // go to hell mofo spy tool
                unloaded ? printf_s("[INFO]: CrashRpt1402.dll was unloaded successfully xD\n")
                         : printf_s("[ERROR]: Unable to unload the DLL CrashRpt1402.dll!!\n");
                // => unloading a module like this one is very bad => you may crash your client!
            }

            if (bExecuted) printLastExecution();
            bExecuted = true;
            Beep(0x0FFF, 1000); // Beeps to tell us that the hack was called. (frequency is 0x25 through 0x7FFF).

            // Find the Targeted Mob ID (reset first so a stale ID is never reused)
            SelectedID = 0;
            if (DWORD addy = FindDmaAddy(2, hackOffsetsTargetID, SelectedBase))
            {
                SelectedID = *(unsigned int *)addy;
            }

            // hard coded attack speed => I didn't find a pointer to the current weapon attack speed so I used a hardcoded value
            // there is also another way to do it: set a break point at Neuz.exe+14F21E and read the "EDX+130" value, follow in dump and transform it to float type.
            // Neuz.exe+14F21E - F3 0F10 82 30010000 - movss xmm0,[edx+00000130]

            // Only send the attack if there is a selected mob (and the function address is set) to avoid a crash
            if (SelectedID != 0 && pSendMeleeAttack != NULL)
            {
                pSendMeleeAttack((void *)g_DPlay, dwAtkMsg, SelectedID, nParam2, nParam3, fItemAttakSpeed);
            }
            else
            {
                printf_s("[ERROR]: You must select a mob before calling the function!\n");
            }
        }
        else if (GetAsyncKeyState(VK_F3) & 0x8000)
        {
            printf_s("__Hack DLL was unloaded from Neuz__\n");
            MessageBoxA(0, "DLL unloaded!", "", 0);
            break;
        }
        Sleep(100);
    }
    FreeLibraryAndExitThread(g_hModule, 0);
    return 0;
}

// It does some printing
void printLastExecution()
{
    printf("-----------------------Results ---------------------\n");
    printf("[INFO]: g_DPlay: 0x%lx\n", g_DPlay);
    printf("[INFO]: dwAtkMsg: 0x%x\n", dwAtkMsg);
    SelectedID == 0 ? printf("[ERROR]: No selected mob in the game!\n")
                    : printf("[INFO]: SelectedID: 0x%x\n", SelectedID);
    printf("[INFO]: nParam2: 0x%x\n", nParam2);
    printf("[INFO]: nParam3: 0x%x\n", nParam3);
    printf("[INFO]: fItemAttakSpeed: %f\n", fItemAttakSpeed);
    printf("----------------------------------------------------\n");
}

// Not mine, it was found on the internet
DWORD FindDmaAddy(int PointerLevel, DWORD Offsets[], DWORD BaseAddress)
{
    // Walks [[Base] + Offsets[0]] + ... and returns the ADDRESS of the final field (not its value).
    // The null checks are crucial: the chain is not valid while map changes or game loads are
    // happening, and dereferencing 0 crashes the client. A non-null but unmapped intermediate
    // pointer is NOT caught here.
    DWORD Ptr = *(DWORD *)(BaseAddress); // Base Address
    if (Ptr == 0) return 0;              // prevent crash

    // this is done to allow us to have pointers up to many levels e.g. 10
    for (int i = 0; i < PointerLevel; i++)
    {
        if (i == PointerLevel - 1)
        {
            // last element: add the final offset WITHOUT dereferencing it, otherwise incoming crash
            Ptr = (DWORD)(Ptr + Offsets[i]);
            if (Ptr == 0) return 0;
            return Ptr;
        }
        else
        {
            // a normal level: add the offset and follow the pointer
            Ptr = *(DWORD *)(Ptr + Offsets[i]);
            if (Ptr == 0) return 0; // prevent crash
        }
    }
    return Ptr;
}

// From xsh detour hack (the post cut the body off after the declarations; this is the
// usual AllocConsole + freopen pattern, which also works on the newer UCRT)
HANDLE CreateConsole()
{
    HANDLE lStdHandle = 0;
    FILE *fp = 0;

    AllocConsole();
    lStdHandle = GetStdHandle(STD_OUTPUT_HANDLE);
    freopen_s(&fp, "CONOUT$", "w", stdout); // redirect stdout to the new console
    setvbuf(stdout, NULL, _IONBF, 0);
    return lStdHandle;
}

// It returns the module base loaded in the specified process (0 if not found)
unsigned long get_module(unsigned long pid, const char *module_name, unsigned long *size)
{
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    if (snapshot == INVALID_HANDLE_VALUE)
        return 0;

    MODULEENTRY32 me32;
    me32.dwSize = sizeof(MODULEENTRY32);
    unsigned long base = 0;

    // Module32First/Module32Next so the first module (the exe) is not skipped
    if (Module32First(snapshot, &me32))
    {
        do
        {
            if (_stricmp(me32.szModule, module_name) == 0)
            {
                if (size != 0) *size = me32.modBaseSize;
                base = (unsigned long)me32.modBaseAddr;
                break;
            }
        } while (Module32Next(snapshot, &me32));
    }
    CloseHandle(snapshot);
    return base;
}
The full solution was made with Visual Studio 2012 and is attached to this thread. You have full permission to use or modify it...
If you need help and I am able to, I will reply to you; otherwise please don't blame me.
If this helped someone, please push the Thanks button.
Is it your idea, or is it just like a range hack? Can you do more than a single target at the same time? Good work btw
It is like a range hack, and the mob will hit you anyway as you are sending a melee attack.
I am not sure that you can send a melee attack to many targets at exactly the same time (I have not checked), but I was talking about looping through the mobs in the camera view and sending the attack to each of them (like you do when you make a macro bot that uses AoE mode)
Thank you for taking your time to help complete strangers
I'm a complete novice in programming, but is the attached file currently working on Krona Flyff? If so, how do I make it work? There doesn't seem to be an .exe file.
Does anyone know how to speed hack using CE? Not by activating the "enable speedhack" button; I mean just editing the code or something.
This is a very basic cheating question.
For CE help, just search on YouTube and you can find thousands of tutorials.
For pservers, just use CE to find your speed address like you would find your HP, etc., and edit it. For example, you can equip/unequip a cape that gives you more speed and find the address with CE...
If you are playing on the official server, I think you can edit the data*.res files to increase the default speed factor => search for the elitepvpers threads that talk about editing the data files. Or find a hidden CE and use the first method above.
The third option (hard) is to code a packet handler and send a packet to increase the speed factor (maybe SNAPSHOTTYPE_SET_SPEED_FACTOR). But I am not even sure that you can bypass the server checks on the offi.
The fourth option is to not speed hack, as it is against the game rules
Quote:
Originally Posted by CheeseBites1234567
Thank you for taking your time to help complete strangers
I'm a complete novice in programming, but is the attached file currently working on Krona Flyff? If so, how do I make it work? There doesn't seem to be an .exe file.
This thread is more for people who have some basic knowledge of hacking and are at least beginners in C/C++ programming.
As you asked for an .exe without figuring out that there is C++ code that you need to modify/compile to generate a DLL, which you then inject into the Krona game client, I think you need more training before using it
Could be some fun, but where did you find the prototype of this function? Do you have any doc/header file? Maybe I'll do something with it :3
Thanks
It can be found in the source code, or you can decompile your Neuz client (if you target a specific server) with IDA or any debugger (x64dbg, OllyDbg, ...)
No -_- Aren't you a hacker? lol, noob hacker.
And you are begging me to give you the programs.
Also, I'm not open to selling or giving any of my programs or bots to anyone