[Release & Source] Flyff Webzen Bow Hack

Discussion on [Release & Source] Flyff Webzen Bow Hack within the Flyff Hacks, Bots, Cheats, Exploits & Macros forum part of the Flyff category.

#1
elite*gold: 93616
Join Date: Apr 2010
Posts: 13,737
Received Thanks: 14,990

When using this hack you will always attack with a charged bow.

Usage:
Code:
BINARIES REMOVED
Hotkeys:
Code:
BINARIES REMOVED
Source:
Code:
bool AlreadyHooked = false;
UINT32 gRWXBuf = NULL;            // RWX page: shadow VMT (16) | settings dword (4) | shellcode
UINT32 gSendActMsgOrig = NULL;    // original CActionMover::SendActMsg
UINT32 gStrongBowEnabled = NULL;  // address of the settings dword the shellcode reads

// GetBaseAddress(), fZwAllocateVirtualMemory, DbgPrint and gItems come from the
// rest of the driver; BowHack() is called while attached to the game process.
void BowHack()
{
	auto GameBase = GetBaseAddress();
	if (!GameBase)
	{
		return;
	}

	// SendActMsg: Neuz.exe + 19B780 | 55 8B EC F6 41 08 08 74 ??
	// Inject shellcode if not already done
	if (!AlreadyHooked)
	{
		// Get CActionMover Object
		UINT32 Ptr1 = *(UINT32*)(GameBase + 0x004FFA94);
		if (Ptr1)
		{
			UINT32 CActionMoverObj = *(UINT32*)(Ptr1 + 0x33C);
			if (CActionMoverObj)
			{
				DbgPrint("CActionMoverObj @ %X\n", CActionMoverObj);

				// First 16 bytes of the RWX buffer hold the shadow VMT (slots 0-3).
				// Only this one object gets redirected; the game's real vtable is never written.
				UINT32 CActionMoverObjVtable = *(UINT32*)CActionMoverObj;
				if (CActionMoverObjVtable)
				{
					DbgPrint("CActionMoverObjVtable: %X\n", CActionMoverObjVtable);

					// Allocate space for vmt & shellcode
					/*
					16 bytes - ShadowVMT (slots 0-3 only: a virtual call through this
					           object to slot 4 or higher reads the settings/shellcode
					           bytes as a function pointer and crashes)
					4  bytes - Used for Settings
					?  bytes - Shellcode
					*/
					if (gRWXBuf == NULL)
					{
						// Let the kernel choose the address. Go through a PVOID so the call
						// never writes a full pointer into a 32-bit global, and bail out if
						// it fails instead of memcpy'ing to NULL.
						PVOID Base = NULL;
						SIZE_T RWXBufSize = PAGE_SIZE;
						NTSTATUS Status = fZwAllocateVirtualMemory(NtCurrentProcess(), &Base, 0, &RWXBufSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
						if (!NT_SUCCESS(Status) || !Base)
						{
							DbgPrint("ZwAllocateVirtualMemory failed: %X\n", Status);
							return;
						}
						gRWXBuf = (UINT32)(ULONG_PTR)Base;
						DbgPrint("gRWXBuf @ %X\n", gRWXBuf);
					}

					// Copy the first four real slots so unhooked calls still land in the game
					memcpy((void*)gRWXBuf, (void*)CActionMoverObjVtable, 16);

					// Save SendActMsg (vtable slot 1)
					gSendActMsgOrig = *(UINT32*)(CActionMoverObjVtable + 4);
					DbgPrint("gSendActMsgOrig @ %X\n", gSendActMsgOrig);

					// Save gStrongBowEnabled Ptr (the settings dword the shellcode reads)
					gStrongBowEnabled = (UINT32)(gRWXBuf + 16);

					// Setup shellcode. It runs before SendActMsg's own prologue, so ebp still
					// belongs to the caller and [ebp-0x24] is the caller's dwItemId local.
					unsigned char Shellcode[] =
					{
						0x50,				// push eax
						0x8B, 0x45, 0xDC,	// mov eax, [ebp-0x24] | eax now holds dwItemId
						0x83, 0xF8, 0x00,	// cmp eax, 0
						0x75, 0x11,			// jne $JMPBACK        | an item is already set, leave it alone

						0xA1, 0xAA, 0xAA, 0xAA, 0xAA, // mov eax, [StrongBowEnabled] (abs32, patched below)
						0x83, 0xF8, 0x01,   // cmp eax, 1

						0x75, 0x07,			// jne $JMPBACK        | hack toggled off
						0xC7, 0x45, 0xDC, 0x04, 0x00, 0x00, 0x00, // mov [ebp-0x24], 4 | force the charged bow attack

						// $JMPBACK
						0x58,  // pop eax
						0xE9, 0xBB, 0xBB, 0xBB, 0xBB, // jmp gSendActMsgOrig (rel32, patched below)
					};

					// Patch the abs32 operand (byte 10) and the rel32 (byte 28). The jmp sits at
					// gRWXBuf + 20 + 27 = gRWXBuf + 47 and rel32 is relative to the end of the 5-byte jmp.
					*(UINT32*)(Shellcode + 10) = (UINT32)gStrongBowEnabled; // StrongBowEnabled
					*(UINT32*)(Shellcode + 28) = (UINT32)(gSendActMsgOrig - (gRWXBuf + 47) - 5); // jmp back

					// Copy Shellcode
					memcpy((void*)(gRWXBuf + 20), Shellcode, sizeof(Shellcode));

					// Patch VMT Ptr: shadow slot 1 -> shellcode, then point this object at the shadow VMT
					*(UINT32*)(gRWXBuf + 4) = (UINT32)(gRWXBuf + 20);
					*(UINT32*)(CActionMoverObj) = gRWXBuf;
					DbgPrint("VMT Hook placed :)\n");

					AlreadyHooked = true;
				}
			}
		}
	}

	// Toggle the setting the shellcode reads (the hotkey is handled elsewhere in the driver)
	if (AlreadyHooked)
	{
		*(UINT32*)gStrongBowEnabled = gItems.bowAlwaysStrongAttack ? 1 : 0;
	}
}
Thanks to @
I hope you guys learn from my source.
Omdi is offline
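A stand-alone check of the hand-assembled stub in the post above, added here as an example and not part of the post: it rebuilds the 32-byte stub, patches the two immediates exactly as BowHack() does, then decodes every branch to confirm that both `jne` land on the `pop eax` and that the final `jmp` resolves to the original SendActMsg. The addresses used (an RWX page at 0x00A10000, SendActMsg at 0x0059B780 as it would be if Neuz.exe were loaded at 0x400000) are constructed for the check and do not come from the post.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Instruction start offsets inside the 32-byte stub from the post.
constexpr size_t kJne1Off    = 7;   // jne $JMPBACK (rel8)
constexpr size_t kMovAbsOff  = 9;   // mov eax, [abs32]
constexpr size_t kJne2Off    = 17;  // jne $JMPBACK (rel8)
constexpr size_t kPopEaxOff  = 26;  // $JMPBACK: pop eax
constexpr size_t kJmpBackOff = 27;  // jmp rel32 to the original SendActMsg
constexpr size_t kStubLen    = 32;

// Layout of the RWX buffer in the post: shadow VMT (16) | settings (4) | stub.
constexpr uint32_t kSettingsOff = 16;
constexpr uint32_t kStubOff     = 20;

// The stub byte for byte as hand-assembled in the post; 0xAA/0xBB are placeholders.
static const uint8_t kStubTemplate[kStubLen] = {
    0x50,                                       // push eax
    0x8B, 0x45, 0xDC,                           // mov eax, [ebp-0x24]
    0x83, 0xF8, 0x00,                           // cmp eax, 0
    0x75, 0x11,                                 // jne $JMPBACK
    0xA1, 0xAA, 0xAA, 0xAA, 0xAA,               // mov eax, [StrongBowEnabled]
    0x83, 0xF8, 0x01,                           // cmp eax, 1
    0x75, 0x07,                                 // jne $JMPBACK
    0xC7, 0x45, 0xDC, 0x04, 0x00, 0x00, 0x00,   // mov [ebp-0x24], 4
    0x58,                                       // $JMPBACK: pop eax
    0xE9, 0xBB, 0xBB, 0xBB, 0xBB,               // jmp gSendActMsgOrig
};

// Fill in the two immediates the same way BowHack() does, for a buffer that would
// live at rwx_buf and an original SendActMsg at orig_va (both simulated addresses).
static void PatchStub(uint8_t out[kStubLen], uint32_t rwx_buf, uint32_t orig_va) {
    memcpy(out, kStubTemplate, kStubLen);
    uint32_t settings_va = rwx_buf + kSettingsOff;
    uint32_t jmp_va = rwx_buf + kStubOff + kJmpBackOff;  // "gRWXBuf + 47" in the post
    uint32_t rel32 = orig_va - (jmp_va + 5);              // target minus end of the jmp
    memcpy(out + kMovAbsOff + 1, &settings_va, 4);        // Shellcode + 10
    memcpy(out + kJmpBackOff + 1, &rel32, 4);             // Shellcode + 28
}

// Decode where a two-byte rel8 branch at insn_off lands, as a stub-relative offset.
static size_t Rel8Target(const uint8_t* stub, size_t insn_off) {
    int8_t rel = static_cast<int8_t>(stub[insn_off + 1]);
    return insn_off + 2 + rel;
}

// Decode the absolute target of an E9 rel32 jmp at insn_off, given the stub's VA.
static uint32_t Rel32Target(const uint8_t* stub, uint32_t stub_va, size_t insn_off) {
    int32_t rel;
    memcpy(&rel, stub + insn_off + 1, 4);
    return stub_va + static_cast<uint32_t>(insn_off) + 5 + static_cast<uint32_t>(rel);
}

// The abs32 operand of a one-byte-opcode instruction (A1 mov eax, [abs32]).
static uint32_t AbsOperand(const uint8_t* stub, size_t insn_off) {
    uint32_t v;
    memcpy(&v, stub + insn_off + 1, 4);
    return v;
}

// True if every branch in the patched stub lands where the post's comments claim.
static bool StubIsConsistent(uint32_t rwx_buf, uint32_t orig_va) {
    uint8_t stub[kStubLen];
    PatchStub(stub, rwx_buf, orig_va);
    uint32_t stub_va = rwx_buf + kStubOff;
    return Rel8Target(stub, kJne1Off) == kPopEaxOff
        && Rel8Target(stub, kJne2Off) == kPopEaxOff
        && AbsOperand(stub, kMovAbsOff) == rwx_buf + kSettingsOff
        && Rel32Target(stub, stub_va, kJmpBackOff) == orig_va;
}

int main() {
    // Constructed addresses: RWX page at 0x00A10000, Neuz.exe assumed at 0x400000.
    bool ok = StubIsConsistent(0x00A10000u, 0x0059B780u);
    printf("stub branch targets %s\n", ok ? "consistent" : "WRONG");
    return ok ? 0 : 1;
}
```

Rerun this whenever an instruction is inserted into or removed from the stub: the rel8 displacements and the `Shellcode + 10` / `Shellcode + 28` patch offsets all shift, and catching that here is cheaper than a crash inside the game process.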
#2, 05/20/2019, 23:08
elite*gold: 0
Join Date: Aug 2009
Posts: 15
Received Thanks: 1
Nice work! Tested and works like a charm!

If you could add a range hack it would be awesome ^^
devil1485 is offline  
#3, 05/20/2019, 23:11
elite*gold: 0
Join Date: Apr 2009
Posts: 47
Received Thanks: 15
-
Jakob121 is offline  
#4, 05/23/2019, 23:15
elite*gold: 93616
Join Date: Apr 2010
Posts: 13,737
Received Thanks: 14,990
Please note:
You will not be able to use the Hotkey if Flyff is started in Fullscreen (Switch to Desktop or press F10 before you start Flyff).
To avoid BSOD you should update to the most recent Win10 version. This is a Proof of Concept so feel free to port this to usermode (probably more stable). Source is available, should be rather easy to port.
Omdi is offline  
#5, 05/25/2019, 01:02
elite*gold: 0
Join Date: May 2019
Posts: 25
Received Thanks: 1
What does this do exactly?
Viktor89 is offline  
#6, 05/25/2019, 04:39
elite*gold: 0
Join Date: Jun 2010
Posts: 9
Received Thanks: 1
Will this work in PlayPark Flyff? Hoping you will make one for PlayPark Flyff if it's not working. Thanks though.
buglyff is offline  
#7, 06/04/2019, 10:27
elite*gold: 0
Join Date: Nov 2014
Posts: 4
Received Thanks: 0
I tried to do it on the official Flyff but I get this error. I have Windows 7.
aavmrm is offline  
#8, 06/04/2019, 14:25
elite*gold: 0
Join Date: Nov 2009
Posts: 627
Received Thanks: 686
@ is there any reason to go ring0 for GG? You can use manual mapping to inject while the process is suspended and then resume it.
cookie69 is offline  
#9, 06/04/2019, 15:02
elite*gold: 93616
Join Date: Apr 2010
Posts: 13,737
Received Thanks: 14,990
Quote:
Originally Posted by cookie69
@ is there any reason to go ring0 for GG? You can use manual mapping to inject while the process is suspended and then resume it.
I just went ring0 as a PoC, there is actually in this case no reason to do so. You could also most likely manual map into lsass.exe and use its handle to the game process instead to allocate & write to it.
Omdi is offline
#10, 06/04/2019, 19:48
elite*gold: 0
Join Date: Dec 2015
Posts: 6
Received Thanks: 2
Thank you for your work!
To be comprehensive, are there any other pservers that this has been tested to work on?
itatchi42 is offline  
#11, 06/04/2019, 22:18
elite*gold: 0
Join Date: Nov 2009
Posts: 627
Received Thanks: 686
Quote:
Originally Posted by itatchi42
Thank you for your work!
To be comprehensive, are there any other pservers that this has been tested to work on?
If you ask the question, that means you did not understand what he did...
Of course this would work on all/most pservers (but you need to find the addresses and offsets), because he hooked a virtual method that is present in all Flyff sources.

It is just another way of hooking the in-game functions that seems not to be detected by GG.

Code:
virtual int SendActMsg( OBJMSG dwMsg, int nParam1 = 0, int nParam2 = 0, int nParam3 = 0, int nParam4 = 0, int nParam5 = 0 );
You can hook with Microsoft Detours or any other hooking method (check Google for that), but I guess @ used the VMT hook because it is not detected by GG (I may be wrong about the real reason for using a VMT hook).
cookie69 is offline
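The per-object shadow-VMT hook cookie69 is describing, and that the first post implements with a raw stub, as a stand-alone C++ model added here (it is not code from the post, from Flyff or from GameGuard). It assumes the vptr sits at offset 0 of the object and that a virtual member function receives `this` as its first argument, which holds on x86-64 (SysV and MSVC) and ARM64 but not for 32-bit MSVC thiscall. The class, the toggle and the value 4 mirror the post's stub; the names are invented, and the integrity check at the end is the comparison an anti-cheat would have to make per object to notice this kind of hook, since the class's real vtable is never touched.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Stand-in for the game's CActionMover: slot 0 is some other virtual, slot 1 is
// SendActMsg, matching the post's "vtable + 4". No virtual destructor, so the
// slot numbering is the same under the Itanium and MSVC ABIs.
struct CActionMover {
    virtual int GetState() { return state; }                 // slot 0
    virtual int SendActMsg(int dwMsg, int nParam1) {         // slot 1
        last_msg = dwMsg;
        last_param = nParam1;
        return 1;
    }
    int state = 0x1234;
    int last_msg = 0;
    int last_param = 0;
};

// Shadow VMT: a private copy of the first kSlots entries, like the 16-byte copy
// in the post. Only objects whose vptr is redirected here ever see the hook.
constexpr size_t kSlots = 2;
static void* g_shadow_vmt[kSlots];

// Assumption: a member function is called with `this` as its first argument.
using SendActMsgFn = int (*)(CActionMover*, int, int);
static SendActMsgFn g_send_orig = nullptr;
static int g_strong_bow_enabled = 0;   // the "settings" dword from the post

// Same decision the post's stub makes: parameter 0 and toggle on -> substitute 4,
// then fall through to the original so the game's own logic still runs.
static int HookedSendActMsg(CActionMover* self, int dwMsg, int nParam1) {
    if (nParam1 == 0 && g_strong_bow_enabled == 1) {
        nParam1 = 4;
    }
    return g_send_orig(self, dwMsg, nParam1);
}

static void** VptrOf(CActionMover* obj) {
    void** vptr;
    memcpy(&vptr, obj, sizeof(vptr));   // vptr lives at offset 0 (assumption)
    return vptr;
}

static void SetVptr(CActionMover* obj, void** vmt) {
    memcpy(obj, &vmt, sizeof(vmt));
}

// Redirect one object's vptr to the shadow table with slot 1 replaced.
static void InstallShadowVmt(CActionMover* obj) {
    void** real_vmt = VptrOf(obj);
    memcpy(g_shadow_vmt, real_vmt, sizeof(g_shadow_vmt));   // keep slot 0 genuine
    g_send_orig = reinterpret_cast<SendActMsgFn>(g_shadow_vmt[1]);
    g_shadow_vmt[1] = reinterpret_cast<void*>(&HookedSendActMsg);
    SetVptr(obj, g_shadow_vmt);
}

// Per-object integrity check: the vptr should equal the class's real vtable,
// here taken from a pristine reference object of the same class.
static bool VptrIsHooked(CActionMover* obj, CActionMover* reference) {
    return VptrOf(obj) != VptrOf(reference);
}

// The "game side" calls through a pointer the optimizer cannot see through, so
// the virtual call really goes via the (possibly shadowed) vtable.
static CActionMover* Opaque(CActionMover* obj) {
    CActionMover* volatile p = obj;
    return p;
}

// Runs the whole scenario; true if the hook behaves as the post describes.
static bool RunDemo() {
    CActionMover* hooked = new CActionMover;
    CActionMover* other  = new CActionMover;
    bool ok = true;

    InstallShadowVmt(hooked);
    ok = ok && VptrIsHooked(hooked, other) && !VptrIsHooked(other, other);

    g_strong_bow_enabled = 1;
    Opaque(hooked)->SendActMsg(7, 0);
    ok = ok && hooked->last_param == 4 && hooked->last_msg == 7;   // substituted
    Opaque(hooked)->SendActMsg(7, 9);
    ok = ok && hooked->last_param == 9;                             // non-zero item untouched
    Opaque(other)->SendActMsg(7, 0);
    ok = ok && other->last_param == 0;                              // real vtable unaffected

    g_strong_bow_enabled = 0;
    Opaque(hooked)->SendActMsg(7, 0);
    ok = ok && hooked->last_param == 0;                             // toggle off
    ok = ok && Opaque(hooked)->GetState() == 0x1234;                // copied slot 0 still works

    delete hooked;
    delete other;
    return ok;
}

int main() {
    bool ok = RunDemo();
    printf("shadow VMT hook demo: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The detection angle follows directly from the model: a scanner that checks whether the class's vtable in .rdata has been modified finds nothing, because it has not; it has to walk live objects and compare each vptr against the expected table, and a vptr pointing into an anonymous RWX allocation rather than into the game module is the tell.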
#12, 06/04/2019, 23:10
 
elite*gold: 93616
Join Date: Apr 2010
Posts: 13,737
Received Thanks: 14,990
Quote:
Originally Posted by cookie69
If you ask the question, that means you did not understand what he did...
Of course this would work on all/most pservers (but you need to find the addresses and offsets), because he hooked a virtual method that is present in all Flyff sources.

It is just another way of hooking the in-game functions that seems not to be detected by GG.

Code:
virtual int SendActMsg( OBJMSG dwMsg, int nParam1 = 0, int nParam2 = 0, int nParam3 = 0, int nParam4 = 0, int nParam5 = 0 );
You can hook with Microsoft Detours or any other hooking method (check Google for that), but I guess @ used the VMT hook because it is not detected by GG (I may be wrong about the real reason for using a VMT hook).
You are correct, VMT hooks are undetected, that's why I used them.
Omdi is offline  
#13, 06/05/2019, 00:05
elite*gold: 0
Join Date: Dec 2015
Posts: 6
Received Thanks: 2
You're right--I'm not yet skilled in this area but am actively learning.
I appreciate your responses, cookie69 and Omdi
itatchi42 is offline  
#14, 06/14/2019, 09:57
elite*gold: 0
Join Date: Jun 2012
Posts: 68
Received Thanks: 2
I need to know how to find the hack value (no charger) with CE.
nicenickman is offline  
#15, 06/15/2019, 11:13
elite*gold: 0
Join Date: Feb 2014
Posts: 2
Received Thanks: 0
For the noobs: how are we supposed to use this?
iSuperman is offline  