[Release/Guide] Bot

SimSir · 02/02/2012, 14:19

i can use detours api.. I can think 0x03 Hack shield send some security info ^^ and server check this info after expel ^^

PHP Code:


			
typedef void (WINAPI *pSend)(BYTE bHeader , LPCSTR szFormat , ... );
int __cdecl SendPacket (BYTE bHeader , LPCSTR szFormat , ... );

PHP Code:


			
DWORD dwFakeSend = dwFindPattern(0x401000,0x2bc000,(BYTE*)"\x55\x8B\xEC\x83\xEC\x18\x83\x3D\x00\x00\x00\x00\x00\x00\x00\x33\xC0","xxxxxxxx???????xx");
DWORD dwRealSendNoCrypt = dwFindPattern(dwFakeSend+1,0x2bc000,(BYTE*)"\x55\x8B\xEC\x83\xEC\x18\x83\x3D\x00\x00\x00\x00\x00\x00\x00\x33\xC0","xxxxxxxx???????xx");
DWORD dwSendBack = dwRealSendNoCrypt+0x06; // Send Addresss
pSend SendFunction = (pSend)(dwRealSendNoCrypt); // Send Function Deoturs

//Memory manupulation Check need send detours
DWORD dwMemCheck =    dwFindPattern(0x401000,0xb70000,(BYTE*)"\xE9\x00\x00\x00\x00\x81\xBD\x00\x00\x00\x00\x05\x07\x01\x00\x0F\x84\x00\x00\x00\x00","x????xx????xxxxxx????");
DWORD dwMemCheckReal = dwMemCheck+15;

PHP Code:


			
//Memory Manupulation Secure Bypass;
    DWORD oldProtect=NULL;
    BYTE NOP[6]={90,90,90,90,90,90};
    VirtualProtect((LPVOID)dwMemCheckReal, 6,PAGE_EXECUTE_READWRITE, &oldProtect);
    memcpy((LPVOID)dwMemCheckReal,&NOP,6);
    VirtualProtect((LPVOID)dwMemCheckReal, 6,oldProtect, NULL);

    //Send Detours Start
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)SendFunction, SendPacket);

PHP Code:


			
int __declspec(naked) __cdecl SendPacket (BYTE bHeader , LPCSTR szFormat , ... ){

        __asm{
                push ebp
                mov ebp, esp
                sub esp, 18h
        }
    
            printf("PACKET TYPE:0x%02x FORMAT:%s\n",bHeader,szFormat);
            __asm{JMP dwSendBack};
        
    
}

~~MoepMeep~~ · 02/02/2012, 14:53

Quite sure it won't work :P

SimSir · 02/02/2012, 15:17

oke how i found Send Header and format ^^

SimSir · 02/09/2012, 10:23

Npc Selling packet only working Npc near?

meak1 · 02/09/2012, 11:16

@moepmoep sure u can hooking send but u need the new crypt table in engine^^
i was trying clientless sooner but the 0x03 packet is to hard ;X

@SimSir jeah only near NPC

~~MoepMeep~~ · 02/09/2012, 14:39

Ye sure, you can hook send at that point. But afaik hackshield detects that, wasnt on int for a few months now

DerKleineDarky · 02/09/2012, 18:41

hmm hs dont detect my sendhook xD

SimSir · 02/09/2012, 19:32

i can hooking send packer after player appear packets ^^ but only working 1-2 min

~~MoepMeep~~ · 02/09/2012, 19:39

Quote:

Originally Posted by DerKleineDarky

hmm hs dont detect my sendhook xD

Talking about the one silentius made for you?

RunzelEier · 02/09/2012, 23:24

unhook on hackshield packet <-- syntex made it that way

DerKleineDarky · 02/10/2012, 03:24

Quote:

Originally Posted by MoepMeep

Talking about the one silentius made for you?

well silentius is doing the most parts of that hackit, but only the parts where you dont need any "hacking" skills

he is by far a better coder than me, but important things for kalhacks are kinda differend to the stuff he does

well working with him is pretty nice, btw also i would have to give credits to alex and even to kevin (he got me with his crappy source doing my own xD)
even you and meak could be mentioned, for giving some packets when i needed them, also i got to give credits to sandro...
so all in all, my hackit is pretty well, i bet much better than from anybody else here (dont count sandro

) because i were able to ask for help when i needed it

if i forgot somebody, feel mentioned.

~~MoepMeep~~ · 02/10/2012, 03:26

Mine was better.

SimSir · 02/10/2012, 08:34

Some Packet Donate

^^

Get Inventory List

Packet Header: 0x04

PHP Code:


			
void Inventory(char *szBuffer, int iLength){
    cout << "Inventory Scanning" << endl;
    //Byte XX.XXXX.00000.XXXX ItemIndex.ItemID.00000.Amount
    for(int i=4; i<=iLength-16;i++){
        if (szBuffer[i] != 0x00 && szBuffer[i+2] != 0x00 && szBuffer[i+6]==0x00 &&
            szBuffer[i+7]==0x00 && szBuffer[i+8] == 0x00 && szBuffer[i+9]==0x00 &&
            szBuffer[i+10]==0x00 && szBuffer[i+11]!=0x00){

            WORD ItemIndexID    = *(WORD*)&szBuffer[i];
            DWORD ItemID        = *(DWORD*)&szBuffer[i+2];
            DWORD Amount        = *(DWORD*)&szBuffer[i+2+4+5];
            cout <<"["<<Items[ItemIndexID].ItemName << "] Amount ["<<Amount <<"] ID: " << ItemID << endl;
        }


    }

}

Maybe need get medicine id ^^ for using

Put On Off item
Header 0x05 On - 0x06 Off

PHP Code:


			
void PutOnOffItem(char *szBuffer,bool State){
    DWORD ItemID        = *(DWORD *)&szBuffer[7];
    WORD ItemIndexID    = *(WORD *)&szBuffer[11];

    if (State==0){
        cout <<"[" <<Items[ItemIndexID].ItemName << "] Put on (" << ItemID <<")" << endl;
    }else{
        cout <<"[" <<Items[ItemIndexID].ItemName << "] Put off (" << ItemID <<")" << endl;
    }

}

Player Stat (Max Hp, Current Hp, Max Mp, Current Mp) Loading Get This Packet Not State Change ^^

Header 0x42

PHP Code:


			
void PlayerStat (char *szBuffer){
    PMe.curHp    = *(WORD *)&szBuffer[18];
    PMe.maxHP    = *(WORD *)&szBuffer[20];
    PMe.curMp    = *(WORD *)&szBuffer[22];
    PMe.maxMP    = *(WORD *)&szBuffer[24];
    cout << "Cur HP: " << PMe.curHp << " Max Hp: " << PMe.maxHP << " Cur Mp: " << PMe.curMp << " Max Mp: " << PMe.maxMP << endl;
}

Roronoa Z. · 02/10/2012, 13:26

Quote:

Originally Posted by SimSir

i can hooking send packer after player appear packets ^^ but only working 1-2 min

Use a good way to detour ws2_32.send() call and you got it...
I used it ~1year ago and my source still work on Int...Ofc you need the right pattern for the crypt, but that shouldn't be that hard, just look at the ROAM source which goes around.

~~MoepMeep~~ · 02/20/2012, 16:08

I guess tax isn't 100 then