questions zu decrypt and basepointer

[Tatzuya]

i'm new to autoit too but lemme try if i understand this part of your prog right:
(the first 2 lines are obvious so i wont comment those)

$Mem_Address5 = 0x00980DCC ;players name <--hmm ok the memory address of your char?
$Mem_Read5 = _MemoryRead($Mem_Address5, $Mem_Open) <--memoryread reads whats saved in 0x00980DCC....why reading it if you know its your characters name?
GUICtrlSetData($txt_test,BinaryToString(Binary($Me m_Read5),4))<--binary() converts your characters name to binary...according to wiki the "4" means your Binary data is considered UTF8..and finally BinaryToString converts it back to a string

well now you know how i understand this programm. the reasone it gives you only 4 chars might be the 4. maybe your data isnt UTF8?

please explain how you solved the problem with the HP?

[wurstbrot123]

1:

Use Cheat Engine to get the Address and than try using OllyDBG
and attach to the game. If it doesnt work, try using the
"Attach anyway" plugin. If you still cant, try to run the game with
OllyDBG. If you are able to attach / run the game, make a rightclick
in the Hex Dump window and choose go to --> expression
and type in the Address you have from CE. After that click ok.
Now in the Hex dump, you should land at this address,
do a rightclick at the first byte and choose Hardware Breakpoint
--> On acces. Now, if it doesnt already break, do something that
changes your HP or MP. It will probly break. Now in the Code Window,
look 1 line above. You should see something like this -->
MOV EAX, DWORD PTR DS:[ebx+50].
0x50 is than the OFFSET and EBX will be the pointer.
Now you can simply search for the address EBX contains in Cheat engine
and should find the Base address (remind the address in EBX is in HEX).

3:

This requires reversing knowledge. To find the encryption routine
you can do the following:
While the game and OllyDBG is running choose plugins -->
command line --> command line. Than in the new window
that pops up, write BP Send. This will place a breakpoint
on Send. If it breaks, remove the breakpoint with a doubleclick
on the red marked line. Than, do a rightclick at the first line at
the system stack (the window downright) and choose follow in
dissambler. After you did that you are just 1 line under the call
to the Send function. Click run (F3) and take a look at the Calls
above. And place breakpoints on them (doubleclick the line or
press F2) three calls above should be fine. The function start
before looks like this:

Code:

/$  55                          PUSH EBP
|.  8BEC                        MOV EBP,ESP

If you see this, you dont have to place more breakpoints above.
Now switch to the game and type something i the Chat (if it breaks
before, just click RUN). Now when its breaking at the calls, take a look
at the register (eax ebx etc) rightclick them and choose follow in dump.
You should than see at one of the calls, your packet in the hexdump.
And you should also see than the message in ASCII. If you see it,
step over the call and check if the Packetdata is different now.
If it is, the encryption routine SHOULD be inside the call.
Now you could step into next time you break there, and take a look
at the Code. You may find the place where it changes the packet
data while stepping and taking a look at the Dump. To know how
its currently encrypting, it requires Assembler and reversing knowledge.

[Tatzuya]

wow this sounds like it needs a lot of time if you do such a thing the first time. since i gatta study for exams now i'll try this in about 2 weeks i think.

thx a lot for the detailed explanation. i'll definitly look into it as soon as i have a bit more time

[1ranger]

Well the graphic is kinda outdated to say it with nice words.. but well if someone plans to do something here are the most important offsets + structures:

Code: Select all
Base 0x0097B880
Char_struct +0x8

Curr HP +0x4
Max HP +0x48

Curr MP +0x8
Max MP +0x4c

[bustasnipe]

I am running windows 7. I run the game and cheat engine as admin and everytime I try to set a breakpoint the game crashes when it triggers it. I have also tried using t-search, but get the same result. I can use the debugger and trigger breakpoints in any other game just fine.. Grand Fantasia for some reason freezes up.. the process stays open but its frozen. I also tried running the game and CE in xp compatability mode..same thing.

I don't think those addresses are still valid 1ranger.

[bustasnipe]

Ok so GF has "Themida" code built into it to prevent virtual machines and basically protects from cracking, also there is code that prevents memory manipulation like breakpoints. If anyone is able to actually breakpoint this game without it crashing please let me know which OS you are running. I am gonna install xp (32bit) on my other comp and see if It crashes still.

[Samsusi]

Quote:

Originally Posted by 1ranger

Well the graphic is kinda outdated to say it with nice words.. but well if someone plans to do something here are the most important offsets + structures:

Code: Select all
Base 0x0097B880
Char_struct +0x8

Curr HP +0x4
Max HP +0x48

Curr MP +0x8
Max MP +0x4c

Well these Addresses are from - they were related to the CB (wont work for me)

Quote:

Originally Posted by Tatzuya

i'm new to autoit too but lemme try if i understand this part of your prog right:
(the first 2 lines are obvious so i wont comment those)

$Mem_Address5 = 0x00980DCC ;players name <--hmm ok the memory address of your char?
$Mem_Read5 = _MemoryRead($Mem_Address5, $Mem_Open) <--memoryread reads whats saved in 0x00980DCC....why reading it if you know its your characters name?
GUICtrlSetData($txt_test,BinaryToString(Binary($Me m_Read5),4))<--binary() converts your characters name to binary...according to wiki the "4" means your Binary data is considered UTF8..and finally BinaryToString converts it back to a string

well now you know how i understand this programm. the reasone it gives you only 4 chars might be the 4. maybe your data isnt UTF8?

please explain how you solved the problem with the HP?

I changed the method for name resolving...

Code:

$Playersname_result = _MemoryRead($Mem_Playersname, $Mem_Open,"double")	
GUICtrlSetData($txt_name,BinaryToString($Playersname_result) )

And yes my data isn't UTF8 - its type [4 byte] =X
(read 8 char long names now )


My Method for finding the HP values was to find all Pointers which address the current HP Memory Address (keep list open).
Then restart the client and research in your (previous) Pointer list for the actual memory address


I've uploaded a pic of my current progress (sry for german button labels but im german ^_^)

[bustasnipe]

Can you please post all the addresses as you have Samsusi. I don't know how to find the dma without using breakpoints. I just wanna read hp,mp and stuff instead of lame pixel detection which im currently using. Thanks, keep it up man.

[Tatzuya]

Quote:

Originally Posted by Samsusi

My Method for finding the HP values was to find all Pointers which address the current HP Memory Address (keep list open).
Then restart the client and research in your (previous) Pointer list for the actual memory address

how did you find the pointer? CE and t-search just crash the game if i try to find what accesses the address

also i see in your pic that you found the x and y coordiantes. how did you find them? (i tried to search for float with CE and failed)

Edit: as i said i didnt have the time to try worstbrot's method as it obviously will need much time for noob me to do. so i dont know if it would prevent the crashing...but i'm still interested in your method Samsusi cause it sounds much easier.
(hope we wont have to search for the pointers after every maintance...weekly)

[FeonDust]

I hope you guys keep going with a bot..there ar a LOT of bot reports on the official forums so someone's spreading a bot around..I can't find it anywhere though.

[Samsusi]

Here they are...hope u can find some more
....drives me crazy to find HP pointer of targets HP or EXP needed to next level




*why i cant just upload a single CT*

Edit:

just 1 thx ?! ..ehm no
i wont share anything i have if u even can't thx..then u have to wait until i have release my bot

U can find out more address by yourself.

[Tatzuya]

looking good. and you got the pointer by using only CE?
i'll try to search again and see if i can get it right
after messing with CE a bit i think i understand a bit how you did it. after you found the addres, instead of "find out what accesses this address" you click "pointer scan for this address"?
i started the scan now..takes ages to scan but i stopped it because my PC made funny noises
let me know if i do something wrong pls

[Samsusi]

"looking good. and you got the pointer by using only CE?"
yes - I only used CE for that

"instead of "find out what accesses this address" you click "pointer scan for this address"?"
yes - this is right

"i started the scan now..takes ages to scan but i stopped it because my PC made funny noises let me know if i do something wrong pls"

..it takes ages yes (think my pc is more worse than yours and much slower)..for that reason i gave you my pointers that we can find MORE together
but your doing the right way so far

hope u get targets HP or something

[Tatzuya]

reason why i'm trying the same values as you did is to see if i'm doing it right
i'll try again tommorow but i'm worried about the noises my PC did..certainly didnt sound healthy (maybe i should have leave my PC alone while it was searching for pointers?)

Edit: i think i got the coordinates but i get maaaaany addresses for x and y coordiantes. you had many too?
also can you tell me how i see the pointers address for use in coding pls? i dont see how to check it in CE. CE just shows me where the pointer points to. i'm sure i'm missing something here

[Samsusi]

"reason why i'm trying the same values as you did is to see if i'm doing it right
i'll try again tommorow but i'm worried about the noises my PC did..certainly didnt sound healthy (maybe i should have leave my PC alone while it was searching for pointers?)"
little bit worried..but maybe its just the cooling fan?

"CE just shows me where the pointer points to"
yes..You have to use the first pointer and using the offsets to get the pointer which is pointing to..so u ever get the right values



Tatzuya check your pm