[source & release] Bow hack (webzen only)

[cookie69]

Quote:

Originally Posted by CrxTer

What do you exactly mean by "Open a command prompt and go to the location where you have the binaries (BowHack.dll and ManualInject.exe)" What do I have to type into the command prompt?

 Spoiler

1. go to the folder where you have the injector and the dll


2.
Type "cmd" in the path url and hit enter


3. the command prompt will open and will be set on that location


4. call the command: Manualinject Bowhack.dll <process_id>
and hit enter

[admi]

Checking the file via URL on Virustotal it shows it's clean
But downloading the zip, uploading it to Virustotal and checking it again, it shows 17 findings (most of them say Trojan)

How come?

[netHoxInc]

Quote:

Originally Posted by admi

Checking the file via URL on Virustotal it shows it's clean
But downloading the zip, uploading it to Virustotal and checking it again, it shows 17 findings (most of them say Trojan)

How come?

Because it injects a dll into another program, therefore heuristic scans will trigger

[cookie69]

Quote:

Originally Posted by admi

Checking the file via URL on Virustotal it shows it's clean
But downloading the zip, uploading it to Virustotal and checking it again, it shows 17 findings (most of them say Trojan)

How come?

you have the source code
injectors are detected by your anti-vir because a malware can inject itself inside other processes that's why injection code is detected by default.
But you are absolutely right to ask

[admi]

Was more confused about the fact that checking the same file via 2 different methods results differently but thank you for the answers ♥

[miniman06]

I applaud the sharing of the source but ill give some points to clean up the code a bit and make it more modern:

Code:

#define MODULE_NAME L"Neuz.exe"

should be

Code:

const wchar_t module_name[] = L"Neuz.exe";

Code:

BOOLEAN bHackRunning = TRUE;

void MySleep(double d_delay);
DWORD dwMainWinThread, dwBowHackThread;
HANDLE hBowHack, hMainWin;
HMODULE g_hModule;
HWND g_hWnd;
BOOLEAN bowAlwaysStrongAttack;

bool AlreadyHooked = false;
ULONG_PTR gRWXBuf = NULL;
ULONG_PTR gSendActMsgOrig = NULL;
ULONG_PTR gStrongBowEnabled = NULL;

you are using both g and g_ prefixes while either are them are fine but why not be consistent,also if you are not using them out of the scope(cpp file) you should prefix them with "static".

Code:

		hMainWin = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&MainWin, g_hModule, NULL, &dwMainWinThread);

		// Bow hack thread
		hBowHack = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&thBowHack, NULL, NULL, &dwBowHackThread);

calling CreateThread directly is a bad practice better use _beginthread or even much better std::thread.

Code:

WaitForSingleObject(hBowHack, INFINITE);

could be easly replaced with thread::join.

Code:

void LogErrorMessageA(const char* pszFormat, ...) {
	static char s_acBuf[2048]; // this here is a caveat!
	va_list args;
	va_start(args, pszFormat);
	vsprintf(s_acBuf, pszFormat, args);
	OutputDebugStringA(s_acBuf);
	va_end(args);
	MessageBoxA(g_hWnd, s_acBuf, "Error", MB_ICONERROR);
}

use stream buffers no real need for va args here same with the other functions.

Code:

	char sig[] = "\x5E\x85\xC0\x74\x17\x50\xA1\x00\x00\x00\x00\x8B\x88\x00\x03\x00\x00\x51\xB9";
	char mask[] = "xxxxxxx????xx?xxxxx";

static const should be used here and in FindActionMoverOffset().

Code:

/*
	Replace Sleep(ms) function
*/
void MySleep(double d_delay)
{
	DWORD start = GetTickCount();
	DWORD control = GetTickCount();
	while (control < (start + d_delay)) {
		control = GetTickCount();
	}
}

WHY?
not sure why you would use that over Sleep but even as is it is written badly

Code:

void MySleep(const DWORD dwDelay)
{
	const DWORD dwStart = GetTickCount();
	DWORD dwControl = dwStart ;
	while ((dwControl - dwStart) < dwDelay ) {
		dwControl  = GetTickCount();
	}
}

The shell code itself is really not needed just use a standard _thiscall with a tiny __asm block of whatever you have to recover from the stack, then you would not need that horrific executable page code.

[Play4life]

Doesnt work anymore since last patch.

flyff will close if you try to inject the .dll

[drazula]

hi can u update? now cant used bcz flyff is update /sad

[amaterasubj]

bow hack is not working update it pls

[cyan95]

cookie , please could you update it ? thanks

[Kamsahamnida]

Quote:

Originally Posted by cyan95

cookie , please could you update it ? thanks

It's working for me, dunno what ur talking about. Just use your head and stop behaving like a baby

['P!nkBeatzz']

Quote:

Originally Posted by cyan95

cookie , please could you update it ? thanks

This source has been released with a reason.
The reason is to learn how things are done and to update it yourself.

[netHoxInc]

Yep. When i was showing omdi the specific game function he decided it to be open source. If learning those stuff is not in ur interest or you feel too unskilled, you will most likely wait for someone to spoonfeed you.

Alternatively you might need to pay someone to do it for you, or buy an application that is supporting it. (*cough* Anubis *cough*) (sry for the semi ad, but its topic related)

Even tho updating this tool is as easy as finding ur players level or name... The source is given so its up to you.

Cheers, net

[cheesekimbap]

Can someone make some video tutorial please?

[netHoxInc]

Quote:

Originally Posted by cheesekimbap

Can someone make some video tutorial please?

At this point i feel like #requestclose if TE does not want to update.