Ignite Flyff Bot (Abusing their own implementation)
Discussion on Ignite Flyff Bot (Abusing their own implementation) within the Flyff Hacks, Bots, Cheats, Exploits & Macros forum part of the Flyff category.
08/13/2018, 22:08
#1
elite*gold: 70
Join Date: Apr 2015
Posts: 421
Received Thanks: 1,029
Ignite Flyff Bot (Abusing their own implementation)
PATCHED
Introduction
Hey
A while back, I was playing on a server so-called 'Ignite Flyff' with a couple of my friends. It was the first time we came together to enjoy the same server for once. The server grew very quickly and reached a good player count peak.
The chance of other players botting was extremely low due to their protection against cheating. In other words, me and my friends would get a great advantage over everyone by botting with multiple characters. Making money, having fun...
Until the day karma hit. In the process of creating the bot and bypassing their protection, each attempt resulted in a network packet being sent to the server saying that this user was attempting to cheat. Due to that, after quite a long time, the staff seemed to finally check me out to see what I was doing. At that time I was botting and they noticed it because the bot automatically stopped while the staff were close to me, invisible. Then the ban hammer struck down on me and my friends as well.
It was actually quite fun to experience it. I believe every single staff member of Ignite came online to see what was going on. It felt like they were surprised and could not believe their eyes. Hehe.
Moral of the story is that when you are doing something you are not supposed to, ensure that no one knows about it or no one knows that you are the one doing it. I sadly learned that the hard way.
I am sure you are wondering why I even made this thread. Well, after we got banned my friends wanted revenge on the server and told me to release the bot. I told them no, I'd rather keep it private.
However, I recently acquired an idea from the developers themselves on a very simple way to create a bot for the server. The idea was gotten from watching They have made a bot themselves which is coded into the flyff client. I thought, why not use that? So I did.
After some reversing I have found out the following:
- Their bot is controlled by a command written into the chat.
Command Format:
Code:
/FB seconds entity_index
seconds = -1      // Farms forever until you stop it
entity_index = -1 // Farms any monster close to it
I found out that it used two arguments by reversing the following function. I documented it for clarity.
Code:
signed int __cdecl sub_33D950(char *fb_input)
{
  unsigned int ms; // edi
  __int32 entity_index; // ST00_4
  char *unk_1; // eax

  // Reads the first value and converts to int
  ms = sub_2E4550(fb_input, 0);
  // Reads the second value and converts to int
  entity_index = sub_2E4550(fb_input, 0);
  // Allocate some value in memory to hold the farming data?
  unk_1 = sub_2C4790(&unk_6D4800);
  BeginFarming(unk_1, entity_index, 1000 * ms);
  return 1;
}
- The usage for the two input arguments was found out by looking through the whole big crazy function that selects the closest entity and some other crap like saving a log. Warning: only slightly documented code.
Code:
void __cdecl sub_45AA20(int a1)
{
  int v1; // ecx
  int v2; // ebx
  DWORD v3; // eax
  int v4; // eax
  bool is_any_object_blocking2; // zf
  int v6; // eax
  const char *v7; // eax
  int v8; // eax
  int v9; // eax
  int v10; // eax
  int v11; // eax
  int v12; // eax
  int v13; // eax
  int v14; // eax
  const CHAR *v15; // eax
  int v16; // eax
  int v17; // eax
  int v18; // eax
  int v19; // eax
  _DWORD *v20; // eax
  _DWORD *v21; // esi
  int v22; // edi
  int v23; // eax
  int v24; // eax
  int v25; // eax
  int **v26; // eax
  int *j; // eax
  int i; // eax
  char *v29; // esi
  char v30; // al
  struct_entity *local_player; // ebx
  float last_distance; // xmm3_4
  int v33; // edi
  int v34; // ecx
  int v35; // esi
  __m128i *v36; // edx
  int v37; // edi
  int v38; // eax
  __int32 v39; // ecx
  int v40; // eax
  int v41; // eax
  int v42; // eax
  int v43; // eax
  int v44; // ecx
  int v45; // esi
  int v46; // ecx
  int v47; // edi
  const char *v48; // eax
  int v49; // eax
  struct_entity **v50; // esi
  unsigned int v51; // eax
  unsigned int v52; // edi
  int v53; // eax
  int v54; // ecx
  struct_entity *entity; // edi
  int v56; // eax
  signed int is_any_object_blocking1; // eax
  struct_entity *v58; // ebx
  float *v59; // ebx
  int v60; // eax
  signed int v61; // eax
  void *v62; // eax
  FILE *v63; // et0
  signed __int32 v64; // edx
  signed __int32 v65; // eax
  const CHAR *v66; // [esp+Eh] [ebp-4130h]
  const CHAR *v67; // [esp+12h] [ebp-412Ch]
  const char *v68; // [esp+16h] [ebp-4128h]
  const char *v69; // [esp+1Ah] [ebp-4124h]
  const char *v70; // [esp+1Eh] [ebp-4120h]
  FILE *v71; // [esp+22h] [ebp-411Ch]
  const CHAR *v72; // [esp+26h] [ebp-4118h]
  int v73; // [esp+36h] [ebp-4108h]
  char v74; // [esp+3Ah] [ebp-4104h]
  int v75; // [esp+7Ah] [ebp-40C4h]
  char v76; // [esp+7Fh] [ebp-40BFh]
  int v77; // [esp+82h] [ebp-40BCh]
  char v78; // [esp+86h] [ebp-40B8h]
  FILE *v79; // [esp+8Ah] [ebp-40B4h]
  char v80; // [esp+96h] [ebp-40A8h]
  const char *v81; // [esp+DEh] [ebp-4060h]
  float v82; // [esp+E2h] [ebp-405Ch]
  int v83; // [esp+E6h] [ebp-4058h]
  int v84; // [esp+EAh] [ebp-4054h]
  struct_entity *lpCriticalSection; // [esp+EEh] [ebp-4050h]
  int v86; // [esp+F2h] [ebp-404Ch]
  int v87; // [esp+F6h] [ebp-4048h]
  int v88; // [esp+FAh] [ebp-4044h]
  __m128i *v89; // [esp+FEh] [ebp-4040h]
  float distance; // [esp+102h] [ebp-403Ch]
  int v91; // [esp+106h] [ebp-4038h]
  int v92; // [esp+10Ah] [ebp-4034h]
  __int64 v93; // [esp+4122h] [ebp-1Ch]
  float v94; // [esp+412Ah] [ebp-14h]
  int v95; // [esp+4132h] [ebp-Ch]
  int v96; // [esp+4136h] [ebp-8h]
  int v97; // [esp+413Ah] [ebp-4h]
  int vars0; // [esp+413Eh] [ebp+0h]
  int retaddr; // [esp+4142h] [ebp+4h]
  signed __int32 retaddr_4; // [esp+4146h] [ebp+8h]
  signed __int32 v101; // [esp+414Eh] [ebp+10h]

  v2 = v1;
  v91 = v1;
  if ( sub_32C4E0(v1 + 24, *(v1 + 28)) )
  {
    v71 = 1;
    v70 = 1536;
    v69 = -1;
    v68 = 0;
    v67 = "Bot done";
    *(v2 + 16) = 0;
    sub_3D5220(v67, v68, v69, v70, v71);
    sub_238B90(1);
    v97 = 0;
    CMFCRestoredTabInfo::CMFCRestoredTabInfo(&v88);
    LOBYTE(v97) = 1;
    v3 = GetTickCount();
    ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v88, "BotLog_%d.txt", v3);
    v4 = _CIP<IBindStatusCallback,&_GUID const IID_IBindStatusCallback>::operator IBindStatusCallback *(&v88);
    is_any_object_blocking2 = sub_23E980(v4, 2, 64) == 0;
    v71 = 0;
    v6 = *(v73 + 4);
    if ( is_any_object_blocking2 )
      std::basic_ios<char,std::char_traits<char>>::setstate(&v73 + v6, 2, v71);
    else
      std::basic_ios<char,std::char_traits<char>>::clear(&v73 + v6, 0, v71);
    if ( v79 )
    {
      CMFCRestoredTabInfo::CMFCRestoredTabInfo(&v89);
      v71 = *(v2 + 36);
      LOBYTE(v97) = 2;
      v70 = *(v2 + 32);
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v89, "%I64d", v70, v71);
      v71 = sub_238A70;
      v70 = *&g_local_player->gap34C[940];
      v69 = " ";
      v68 = sub_29C0F0(g_local_player);
      v7 = sub_2869D0(g_local_player, 0);
      v8 = sub_238800(&v73, v7);
      v9 = sub_238800(v8, " ");
      v10 = std::basic_ostream<char,std::char_traits<char>>::operator<<(v9);
      v11 = sub_238800(v10, v68);
      v12 = std::basic_ostream<char,std::char_traits<char>>::operator<<(v11);
      std::basic_ostream<char,std::char_traits<char>>::operator<<(v12);
      v71 = sub_238A70;
      v70 = *(v2 + 12);
      v13 = sub_238800(&v73, "Monsters killed: ");
      v14 = std::basic_ostream<char,std::char_traits<char>>::operator<<(v13, v70, sub_238A70);
      std::basic_ostream<char,std::char_traits<char>>::operator<<(v14);
      v15 = _CIP<IBindStatusCallback,&_GUID const IID_IBindStatusCallback>::operator IBindStatusCallback *(&v89);
      v16 = sub_32C2C0(&v91, v15);
      LOBYTE(v97) = 3;
      v70 = ATL::CSimpleStringT<char,1>::GetBuffer(v16, sub_238A70);
      v17 = sub_238800(&v73, "Penya dropped: ");
      v18 = sub_238800(v17, v70);
      std::basic_ostream<char,std::char_traits<char>>::operator<<(v18);
      LOBYTE(v97) = 2;
      CMFCRibbonInfo::XID::~XID(&v91);
      v71 = sub_238A70;
      v19 = sub_238800(&v73, "Items:");
      std::basic_ostream<char,std::char_traits<char>>::operator<<(v19);
      v20 = *(v2 + 40);
      v21 = *v20;
      if ( *v20 != v20 )
      {
        do
        {
          v22 = v21[4];
          v91 = v21[4];
          sub_249400(&dword_6D4A14, &lpCriticalSection, &v91);
          if ( lpCriticalSection == dword_6D4A14 )
          {
            v71 = 63;
            v70 = "ignite::bot::CBotManager::ProcessTarget";
            sub_32BB30("CProject::GetItemProp() %d %s %d", v22);
          }
          else if ( lpCriticalSection != -16 )
          {
            v71 = sub_238A70;
            v70 = v21[5];
            v23 = sub_238800(&v73, &lpCriticalSection->rtl_critical_section0.SpinCount);
            v24 = sub_238800(v23, " x ");
            v25 = std::basic_ostream<char,std::char_traits<char>>::operator<<(v24, v70, sub_238A70);
            std::basic_ostream<char,std::char_traits<char>>::operator<<(v25);
          }
          if ( !*(v21 + 13) )
          {
            v26 = v21[2];
            if ( *(v26 + 13) )
            {
              for ( i = v21[1]; !*(i + 13); i = *(i + 4) )
              {
                if ( v21 != *(i + 8) )
                  break;
                v21 = i;
              }
              v21 = i;
            }
            else
            {
              v21 = v21[2];
              for ( j = *v26; !*(j + 13); j = *j )
                v21 = j;
            }
          }
        }
        while ( v21 != *(v2 + 40) );
      }
      v29 = &v74;
      if ( v79 )
      {
        v30 = sub_23E6C0(&v74);
        v71 = v79;
        if ( !v30 )
          v29 = 0;
        if ( fclose(v71) )
          v29 = 0;
      }
      else
      {
        v29 = 0;
      }
      v78 = 0;
      v76 = 0;
      std::basic_streambuf<char,std::char_traits<char>>::_Init(&v74);
      v79 = 0;
      v77 = dword_586604;
      v75 = 0;
      if ( !v29 )
      {
        v71 = 0;
        v70 = 2;
        std::basic_ios<char,std::char_traits<char>>::setstate(&v73 + *(v73 + 4), 2, 0);
      }
      CMFCRibbonInfo::XID::~XID(&v89);
    }
    else
    {
      sub_3D5220("Failed to create output file", 0, 0xFFFFFFFF, 0x600u, 1);
    }
    CMFCRibbonInfo::XID::~XID(&v88);
    sub_238D90(&v80);
    std::basic_ios<char,std::char_traits<char>>::~basic_ios<char,std::char_traits<char>>(&v80);
    return;
  }
  local_player = g_local_player;
  last_distance = 9000000.0;
  lpCriticalSection = 0;
  v33 = *g_local_player->world;
  v89 = *g_local_player->world;
  v82 = 9000000.0;
  if ( dword_686668 )
  {
    v34 = *(v33 + 20);
    v94 = *(dword_686668 + 12);
    v93 = *(dword_686668 + 4);
    v34 <<= 7;
    v87 = 0;
    v35 = *&v93 / v34;
    v36 = v89;
    v37 = v94 / v34;
    v38 = *&v93 / v34;
    v39 = v89[4].m128i_i32[3];
    v40 = v38 - v39;
    if ( v40 < 0 )
      v40 = v87;
    v83 = v40;
    v41 = v37 - v39;
    v87 = 0;
    if ( v37 - v39 < 0 )
      v41 = v87;
    v88 = v41;
    v42 = v89->m128i_i32[1];
    v86 = v39 + v35;
    if ( v39 + v35 >= v42 )
      v86 = v42 - 1;
    v43 = v89->m128i_i32[2];
    v44 = v37 + v39;
    v87 = v44;
    if ( v44 >= v43 )
    {
      v44 = v43 - 1;
      v87 = v43 - 1;
    }
    v45 = v88;
    if ( v88 <= v44 )
    {
      v46 = v86;
      v47 = v83;
      do
      {
        v48 = v47;
        v81 = v47;
        if ( v47 <= v46 )
        {
          do
          {
            v49 = *(v36[1].m128i_i32[2] + 4 * &v48[v45 * v36->m128i_i32[1]]);
            if ( v49 )
            {
              v50 = *(v49 + 2120);
              v51 = *(v49 + 2124);
              v92 = 0;
              v52 = (v51 - v50 + 3) >> 2;
              if ( v50 > v51 )
                v52 = 0;
              v84 = v52;
              if ( v52 )
              {
                v53 = 0;
                v54 = v52;
                do
                {
                  entity = *v50;
                  if ( !*v50
                       || entity->rtl_critical_section0.LockCount & 1
                       || entity == local_player
                       || entity->is_npc_maybe
                       || entity->active_attack_or_belligerence == 1 )
                  {
                    goto LABEL_64;
                  }
                  if ( !(~*(entity->motion + 4) & 0x8000000) )
                  {
                    if ( entity->hp )
                    {
                      v56 = *(v91 + 20);
                      // I think this blocks it
                      if ( v56 == -1 || entity->dw_index == v56 )
                      {
                        distance = (((entity->x - local_player->x) * (entity->x - local_player->x))
                                  + ((entity->y - local_player->y) * (entity->y - local_player->y)))
                                  + ((entity->z - local_player->z) * (entity->z - local_player->z));
                        if ( last_distance > distance )
                        {
                          // Check if there is an object blocking inbetween the straight line of the entity and local player
                          is_any_object_blocking1 = IntersectObjLine(
                                                      v36,
                                                      v36,
                                                      0.0,
                                                      &local_player->x,
                                                      &entity->x,
                                                      0,
                                                      0,
                                                      1);
                          local_player = g_local_player;
                          is_any_object_blocking2 = is_any_object_blocking1 == 0;
                          v54 = v84;
                          v36 = v89;
                          v53 = v92;
                          if ( is_any_object_blocking2 )
                          {
                            last_distance = distance;
                            v82 = distance;
                            lpCriticalSection = entity;
                          }
                          else
                          {
                            last_distance = v82;
                          }
                          goto LABEL_64;
                        }
                        v54 = v84;
                      }
                    }
                  }
                  v53 = v92;
LABEL_64:
                  ++v53;
                  ++v50;
                  v92 = v53;
                }
                while ( v53 != v54 );
              }
              v45 = v88;
            }
            v46 = v86;
            v48 = v81 + 1;
            v81 = v48;
          }
          while ( v48 <= v86 );
          v47 = v83;
        }
        v88 = ++v45;
      }
      while ( v45 <= v87 );
      v58 = lpCriticalSection;
      // Maybe a call to virtualized code to select an entity
      if ( lpCriticalSection )
      {
        v63 = __readeflags();
        v71 = v63;
        v68 = v48;
        v70 = 727;
        v69 = v36;
        v64 = _InterlockedExchange(&v69, &v68);
        v70 = &loc_8CC6F4 + 3;
        v69 = v48;
        v68 = v58;
        v67 = v72;
        v66 = v72;
        v65 = _InterlockedExchange(&v66, &v68);
        vars0 = a1;
        v97 = a1;
        v96 = v64;
        v95 = v47;
        retaddr_4 = v65;
        v101 = _InterlockedExchange(&v97, &retaddr);
        v97 = v65;
        v96 = v45;
        _InterlockedExchange(&v97, &vars0);
        v97 = vars0;
        _InterlockedExchange(&v97, &retaddr);
        JUMPOUT(&loc_8E8E5F);
      }
    }
  }
  sub_3D5220("No target found", 0, 0xFFFFFFFF, 0x600u, 1);
  v59 = v91;
  LOBYTE(v60) = sub_2A8C80(g_local_player, v91, 50.0);
  if ( !v60 )
  {
    CMFCRestoredTabInfo::CMFCRestoredTabInfo(&v86);
    v61 = v59[2];
    v97 = 9;
    ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(
      &v86,
      "/teleport %d %d %d",
      **g_local_player->world,
      *v59,
      v61);
    v62 = _CIP<IBindStatusCallback,&_GUID const IID_IBindStatusCallback>::operator IBindStatusCallback *(&v86);
    sub_48E950(&dword_6CB4E8, v62);
    CMFCRibbonInfo::XID::~XID(&v86);
  }
}
- Another issue that had to be taken care of was that I was not able to use the /FB command without some effort. It requires the user to be a GM or higher authority.
Unfortunately they have virtualized code that is preventing me from modifying the authority value. Instead of attempting to bypass that, I took another route which was a lot easier.
I located the assembly code responsible for comparing the authority value while typing the /FB command into the chat. I simply just noped one specific jump to let me execute the command as a GM or higher.
- Now I was finally able to use the command without any issues.
I have attached a zip file that contains an executable which basically bypasses it for you. After you have used that software with the client, you can use the /FB command.
Virus Total: 
Notes
They will most likely fix this very quickly, so use it while you can. Be aware that there is always a risk of getting banned. Be careful.
Showcase Video:
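Editor's added example, not code from this thread and not Ignite Flyff's code. It re-expresses in plain C++ two things the post shows only as decompiler output: how `/FB seconds entity_index` is parsed (sub_33D950, with the -1 sentinels the post documents) and how sub_45AA20 picks the nearest eligible entity (squared distance against the 9000000.0 sentinel, the `entity_index == -1` wildcard, and the line-of-sight test that keeps the previous best when something is in the way). It also shows the defensive point the authority bypass makes: a GM check that lives only in the client is one patched jump away from being gone, so the server has to re-check the sender's authority from its own session record before it runs the command. `Session`, `Entity`, `Player`, the `Authority` levels, `handleFbCommand` and the `blocked` line-of-sight predicate are assumptions modelled on the decompilation, not Ignite's real structures or APIs.

```cpp
// Added example (not Ignite's code). Structures and the server-side handler are
// assumptions modelled on the decompilation in the thread above.
#include <cstddef>
#include <functional>
#include <sstream>
#include <string>
#include <vector>

enum Authority : int { AUTH_PLAYER = 0, AUTH_GM = 1 };

struct Session { int account_id; Authority authority; };  // held by the server, never sent by the client

struct FbCommand {
    int seconds;       // -1: farm until stopped (per the thread)
    int entity_index;  // -1: any monster close by (per the thread)
};

struct Player { float x, y, z; };

struct Entity {
    int dw_index;   // compared against entity_index
    bool is_npc;    // skipped, like entity->is_npc_maybe
    bool attacking; // skipped, like active_attack_or_belligerence == 1
    int hp;         // hp == 0 is skipped
    float x, y, z;
};

// Stand-in for IntersectObjLine: true when something lies on the straight line to the entity.
using LosBlocked = std::function<bool(const Player&, const Entity&)>;

// Parses "/FB <seconds> <entity_index>"; false on anything malformed.
bool parseFbCommand(const std::string& chat, FbCommand& out) {
    std::istringstream in(chat);
    std::string verb, extra;
    if (!(in >> verb) || verb != "/FB") return false;
    if (!(in >> out.seconds >> out.entity_index)) return false;
    return !(in >> extra);  // trailing tokens are rejected
}

// Mirrors the decompiled loop: squared distance against a 9000000.0 sentinel,
// wanted_index == -1 matches any entity, a blocked line of sight keeps the
// previous best. Returns an index into `entities`, or -1 ("No target found").
int selectTarget(const Player& me, const std::vector<Entity>& entities,
                 int wanted_index, const LosBlocked& blocked) {
    float best = 9000000.0f;
    int bestIdx = -1;
    for (std::size_t i = 0; i < entities.size(); ++i) {
        const Entity& e = entities[i];
        if (e.is_npc || e.attacking || e.hp == 0) continue;
        if (wanted_index != -1 && e.dw_index != wanted_index) continue;
        float dx = e.x - me.x, dy = e.y - me.y, dz = e.z - me.z;
        float d = dx * dx + dy * dy + dz * dz;
        if (d >= best) continue;       // only closer candidates get the LOS check
        if (blocked(me, e)) continue;  // an obstruction leaves the old best in place
        best = d;
        bestIdx = static_cast<int>(i);
    }
    return bestIdx;
}

enum class FbResult { Malformed, NoAuthority, NoTarget, Started };

// Server-side handler. The client's own GM check is irrelevant here: authority
// comes from the session record the server holds, so a client that patched its
// local jump still gets NoAuthority plus an audit line for the staff to review.
FbResult handleFbCommand(const Session& s, const std::string& chat, const Player& me,
                         const std::vector<Entity>& world, const LosBlocked& blocked,
                         std::string& audit, int& target) {
    target = -1;
    FbCommand cmd{};
    if (!parseFbCommand(chat, cmd)) {
        audit = "malformed /FB from account " + std::to_string(s.account_id);
        return FbResult::Malformed;
    }
    if (s.authority < AUTH_GM) {
        audit = "unauthorized /FB from account " + std::to_string(s.account_id);
        return FbResult::NoAuthority;
    }
    target = selectTarget(me, world, cmd.entity_index, blocked);
    if (target < 0) {
        audit = "No target found";
        return FbResult::NoTarget;
    }
    audit = "account " + std::to_string(s.account_id) + " farming target " +
            std::to_string(target) +
            (cmd.seconds < 0 ? std::string(" until stopped")
                             : " for " + std::to_string(cmd.seconds) + " s");
    return FbResult::Started;
}
```

The audit string on the NoAuthority path is the detection hook: a non-GM session emitting `/FB` at all means the client-side gate was defeated, which is exactly the signal the staff in this thread used to spot the bot. Whether the server then bans, throttles or just logs is policy; the point is that the decision is made from state the client cannot patch.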
08/13/2018, 22:41
#2
Trade Restricted
elite*gold: 0
Join Date: May 2011
Posts: 551
Received Thanks: 336
thx for the bot but what's up with the make up on the ingame character? that's gay bro
08/13/2018, 22:46
#3
elite*gold: 70
Join Date: Apr 2015
Posts: 421
Received Thanks: 1,029
Quote:
Originally Posted by Devisory
thx for the bot but what's up with the make up on the ingame character? that's gay bro
I could not agree more
08/13/2018, 23:02
#4
elite*gold: 0
Join Date: Nov 2009
Posts: 627
Received Thanks: 688
Nice work! As usual.
Their admins are the most hated ones in the flyff world.
They banned me for botting but I know how to unban myself and they don't know it :P (hardware ban).
They have good protections against botters but I believe it can be bypassed for any experienced cheater (I think about a bot using a packet to select the target).
08/13/2018, 23:09
#5
elite*gold: 70
Join Date: Apr 2015
Posts: 421
Received Thanks: 1,029
Quote:
Originally Posted by cookie69
Nice work! As usual.
Their admins are the most hated ones in the flyff world.
They banned me for botting but I know how to unban myself and they don't know it :P (hardware ban).
They have good protections against botters but I believe it can be bypassed for any experienced cheater (I think about a bot using a packet to select the target).
****, I was unaware that they were the most hated ones. Good to know.
Yeah, they are banning your computer as well as the account. The account is the worst part. The computer and IP can be bypassed with ease.
I agree, they do have good protection against it. There are still several ways you can create an undetected bot for the server. It is all about being creative. That is the fun part of cheating.
08/14/2018, 08:41
#6
elite*gold: 0
Join Date: Dec 2014
Posts: 11
Received Thanks: 0
instant ban, do not use anymore
08/14/2018, 09:43
#7
elite*gold: 70
Join Date: Apr 2015
Posts: 421
Received Thanks: 1,029
Quote:
Originally Posted by jayceediaz1
instant ban, do not use anymore 
Well, it was expected. I just did not think it'd happen this quick.
@  Close this please. It has been patched.
08/14/2018, 19:12
#8
wild wild son
elite*gold: 0
Join Date: Feb 2011
Posts: 5,994
Received Thanks: 3,389
#closed [as requested]