PacketTut

Discussion on PacketTut within the Kal Hacks, Bots, Cheats & Exploits forum part of the Kal Online category.

Closed Thread
 
Old   #1
 
elite*gold: 20
Join Date: Apr 2008
Posts: 820
Received Thanks: 177
PacketTut

Coz of too much flaming, I'll just tell the rest of epvpers, who didn't understand yet, how to sniff/send packets...
First of all, I'm neither a pro nor a newb, so pls don't flame anymore

Before beginning, download NetFramework 3.5 and Microsoft VC++ 2008 (maybe also Microsoft SDKs), here you get everything...

Then download the source from the attached files (it's the one which was posted by bloodx, so thanks to him and all the other people)

PACKET

A packet is an easy thing. In kal packets look like this :
PHP Code:
0x?? 
For example, the ExecuteSkillPacket :
PHP Code:
0x10 
But this is not all ... it also has some more information, for example the stormpacket :
PHP Code:
0x10,"bdd",43,42133,34213 
What does it mean? 43 stands for the Thunder Storm (mage-43, as far as I know),
the first number is the x-coordinate, the second is the y-coordinate, where u want to place the storm.
There are ofc lots of packets, which I don't want to mention, so I'll show you how to get, or better to say, how to sniff the packet.

PACKET SNIFFING

Very very easy, you don't even have to do anything.
You downloaded Framework 3.5, VC++ and the attached source. Now open the
KalHack VC++ Project. On the left side you see the header and source files (Send.h, Recv.h, Stuff.h, dll.cpp).
Click on Send.h and look for these lines

PHP Code:
int Naked SendDetour(DWORD type,LPCSTR format,...)
{
    __asm
    {
        push ebp
        mov ebp, esp
        sub esp, 14h
    }

    if (type == 0x02)
    {
        //(c) by ZeroTen
        Intercept(INST_CALL,0x004F203D,0x0052E330,5);
    }

    //printf(SendText,type,format);

    va_list args
We only need the part
PHP Code:
//printf(SendText,type,format);
Just delete the // before printf, so it looks like this:
PHP Code:
printf(SendText,type,format);
Also, to sniff the full information of the packet, u also have to go here:


PHP Code:
    case 'b': //BYTE
        temp = va_arg(args, BYTE);
        //printf("%d %d \n",i+1,temp);
        break;

    case 'd': //DWORD
        temp = (DWORD)va_arg(args, DWORD);
        //printf(" %d: %d\n",i+1,temp);

        if ((i==0)&&(type == 0x1a))
        {
            dropID = temp;
            //printf("ItemID(Dropped): %d\n",dropID);
        }
        if (type == 0x41)
        {
            wearID = temp;
        }
        if (type == 0x42)
        {
            unwearID = temp;
        }
        if (type == 0x21)
        {
            useID = temp;
        }
        if (type == 0x1d)
        {
            mobdropID = temp;
        }
        break;

    case 'w': //WORD
        //  printf(" %d: %d\n",i+1,(WORD)va_arg( args, DWORD));
        break;

    case 's': //STRING
        something = va_arg(args, char*);
        //printf(" %d: %s\n",i+1,something);
        break;

    case 'm':
        //printf(" %d: %s\n",i+1,(DWORD)va_arg( args, DWORD));
        break;

Also here, delete the //, but only if they are in front of printf!!

Why do we delete them?
// means that the code won't be involved in your hack, that means the // deletes the code behind it.

What means printf?

printf(""); means, that something will be shown in the console, for example
printf("Hello");, now Hello will be written in your console.

After you did everything, on top of your monitor is "Erstellen" (dunno how it's called in English, it's the 5th from the left), click on it and go on "KalHack neu erstellen" (dunno in English, it's the 5th from above). Now the hack is getting created. If it looks like this:
PHP Code:
KalHack - 0 Fehler, 0 Warnung(en)
========== Alles neu erstellen: 1 erfolgreich, Fehler bei 0, 0 übersprungen ==========
Just look @ the Errors, if you got no error, it's compiled, if not you have to look which mistakes you made (if there are warnings, it doesn't matter)
Now go to the folder Debug or Release, where "winmm.dll" is. That is your hack and ur packet sniffer. Put it in your KalFolder and start Kal, a cmd should pop up. (If Kal doesn't start, rename the dll, for example hack.dll, and inject it via an injector, for example KLOAD.)
Now ingame you see the packets. They look like above (for example if u sit down):
PHP Code:
PACKET TYPE:0x1f FORMAT:
Now under this, u also see :
PHP Code:
1
That means that the BYTE (b; the one after FORMAT) is 0.

Storm packet
PHP Code:
PACKET TYPE:0x10 FORMAT:bdd
1:43
2:32141
3:24123
So you see, there are three pieces of information sent (b,d,d). b is 43 (thunder storm) and the other 2 numbers are x and y coordinates.

Voila, do whatever you want ingame and you see the packet in the cmd window

PACKET SENDING

Packet sending is also very easy. I'll show you an example on bloodx's hack:

dll.cpp
PHP Code:
if (strcmp(input,"D1") == 0)
{
    printf("Dancehack Started\n");
    dancehack=1;
}

Recv.h
PHP Code:
if (packet[2] == 0x32)
{
    DWORD id;
    memcpy((void*)&id,(void*)((DWORD)packet+3),4);
    char name[255]={0};
    memcpy((void*)&name,(void*)((DWORD)packet+7),16);

    if (dancehack == 1)
    {
        int i;
        for (i=0;i<6;i++)
        {
            SendDetour(0x3d,"db",id,14);
        }
    }
}
The first code from dll.cpp means that if u write D1 into the console, "Dancehack started" will be written in the console and dancehack will be set on (dancehack=1). What happens now?
Because dancehack is now =1, that means it's on, the prog jumps to the second code (Recv.h).

"If packet=0x32" means that if a player comes in your range, his player name and his id will be sniffed.

PHP Code:
int i;
for (i=0;i<6;i++)
{
This is just a loop, it means the packet will be sent 6 times (u can change the 6 to 100, so the packet will be sent 100 times)
Now you see "SendDetour(0x3d,"db",id,14);". SendDetour is our detour to send packets, and after it you see the packet and its information
Here it comes to packet sending.

I'll show u how to make your own hack.

We make a very very easy packet send, which isn't even a hack.

You go to dll.cpp and write there
PHP Code:
if (strcmp(input,"packethack") == 0)
{
    printf("Packet getting sent\n");
    packethack=1;
}

Go to Recv.h and write there
PHP Code:
if (packethack == 1)
{
    SendDetour(0x1f,"b",1);
}
Voila, go ingame and write into the console "packethack" and your char will sit down
One more thing if u write your hacks:
If u want to send a packet, for example the stormpacket, u have to declare the BYTEs and DWORDs.
It won't work like this:
PHP Code:
SendDetour(0x10,"bdd"); 
It has to look like this:
PHP Code:
SendDetour(0x10,"bdd",43,12321,24123);
So, for every "b" and "d" u have to give it "information".

Also, you do it like this :

PHP Code:
SendDetour(0x10,"bdd",43,xcoordinate,ycoordinate); 
But now u think, what do xcoordinate and ycoordinate mean?
U have to give xcoordinate and ycoordinate the information. This is easy too. A good method is to use the "scanf" method.
How do u give xcoordinate and ycoordinate information?
Let's make a hack where you can storm with coordinates, that means you can storm wherever you want

dll.cpp
PHP Code:
if (strcmp(input,"setstorm") == 0)
{
    printf("Enter X\n");
    scanf("%d%*c",&xcoordinate);
    printf("Enter Y\n");
    scanf("%d%*c",&ycoordinate);
    shack=1;
}

Here you see, if u write setstorm in the console, then in the console stands "Enter X".
Now the hack waits for you, because scanf means that you have to enter something. Here you should enter the x coordinate where u want to storm.
For example, u enter 12345, now xcoordinate is 12345. Then u have to enter
the y coordinate and shack (our stormhack) will be set =1 and the prog jumps to this code:

PHP Code:
if (shack == 1)
{
    int i;
    for (i=0;i<10;i++)
    {
        SendDetour(0x10,"bdd",43,xcoordinate,ycoordinate);
    }
}
Now u storm 10 times on to the coordinates u entered

ATTENTION: if you make things like "xcoordinate" or "ycoordinate", you have to declare them as a DWORD. Very easy. Just go to the top of dll.cpp and Recv.h and enter:
PHP Code:
DWORD xcoordinate;
DWORD ycoordinate;
That's all from me, if u have questions feel free to ask
Attached Files
File Type: rar KalHack.rar (2.74 MB, 998 views)
chibis is offline  
Thanks
32 Users
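The format letters used in the post above (b = BYTE, w = WORD, d = DWORD, s = string) describe how a payload is laid out, so any receiver or log-analysis tool reading such a record has to check the bytes against the format before trusting them. The following is an added example, not code from the thread or from the KalHack source: a bounds-checked decoder for that convention. It assumes little-endian fields, NUL-terminated strings, and that the buffer holds only the payload after the type byte; `field_t`, `decode_fields` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded field; strings point into the caller's buffer. */
typedef struct {
    char kind;        /* 'b', 'w', 'd' or 's' */
    uint32_t num;     /* value for b/w/d */
    const char *str;  /* value for s, NULL otherwise */
} field_t;

/* Constructed sample: payload for format "bdd" = 43, 32141, 24123. */
static const uint8_t SAMPLE_BDD[9] = {
    0x2B, 0x8D, 0x7D, 0x00, 0x00, 0x3B, 0x5E, 0x00, 0x00
};

/* Read an n-byte little-endian integer (byte order is an assumption). */
static uint32_t read_le(const uint8_t *p, size_t n) {
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* Decode len payload bytes according to fmt. Returns the field count,
 * or -1 on an unknown letter, a truncated field, an unterminated
 * string, more than max_out fields, or bytes left over at the end. */
int decode_fields(const char *fmt, const uint8_t *buf, size_t len,
                  field_t *out, size_t max_out) {
    size_t off = 0, n = 0;
    for (; *fmt; fmt++) {
        size_t width;
        if (n == max_out) return -1;
        if (*fmt == 's') {  /* NUL-terminated string (assumption) */
            const uint8_t *nul = memchr(buf + off, 0, len - off);
            if (!nul) return -1;
            out[n++] = (field_t){ 's', 0, (const char *)(buf + off) };
            off = (size_t)(nul - buf) + 1;
            continue;
        }
        switch (*fmt) {
        case 'b': width = 1; break;
        case 'w': width = 2; break;
        case 'd': width = 4; break;
        default:  return -1;  /* includes 'm', which the thread never defines */
        }
        if (len - off < width) return -1;
        out[n++] = (field_t){ *fmt, read_le(buf + off, width), NULL };
        off += width;
    }
    return off == len ? (int)n : -1;
}

int main(void) {
    field_t f[8];
    int n = decode_fields("bdd", SAMPLE_BDD, sizeof SAMPLE_BDD, f, 8);
    for (int i = 0; i < n; i++) printf("%d: %u\n", i + 1, (unsigned)f[i].num);
    return n == 3 ? 0 : 1;
}
```

A format with fewer or more letters than the payload supports is rejected rather than read past the end of the buffer, which is the failure the post warns about when a format is passed without matching values.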
Old 11/06/2008, 16:52   #2
 
elite*gold: 0
Join Date: Oct 2008
Posts: 65
Received Thanks: 3
big thx, but can u tell me how i get my coordinates ?
lovvb9b is offline  
Old 11/06/2008, 17:01   #3
 
elite*gold: 0
Join Date: Nov 2007
Posts: 57
Received Thanks: 3
./coordinates or coordinate pointer
thx for tut <3
Shorty x3 is offline  
Old 11/06/2008, 17:02   #4
 
elite*gold: 0
Join Date: Dec 2007
Posts: 156
Received Thanks: 2
/coordinates in chat
DieMage is offline  
Old 11/06/2008, 17:03   #5
 
elite*gold: 0
Join Date: Oct 2008
Posts: 65
Received Thanks: 3
if i write /coordinates, nothing happens
im playing on unknown server
lovvb9b is offline  
Old 11/06/2008, 17:11   #6
 
elite*gold: 20
Join Date: Apr 2008
Posts: 820
Received Thanks: 177
i made pointer some days ago, look in a thread from vairis some days ago
chibis is offline  
Old 11/06/2008, 17:48   #7
 
AkemyciN's Avatar
 
elite*gold: 0
Join Date: Jul 2008
Posts: 174
Received Thanks: 17
Cool stuff. Do you maybe also know how to make the program automatically storm in a square around you (if that's even possible)?

Oh, one more thing:
What is the difference between the functions std::cout and printf, or std::cin and scanf?
And "Erstellen" translates well as "Create"
AkemyciN is offline  
Old 11/06/2008, 17:50   #8
 
elite*gold: 0
Join Date: Oct 2007
Posts: 233
Received Thanks: 23
mhmm I tried that really easy sit "hack" but there is still a mistake which I can't find... did I make a hard mistake?

PHP Code:

if (packet[2] == 0x32)
{
    DWORD id;
    memcpy((void*)&id,(void*)((DWORD)packet+3),4);
    char name[255]={0};
    memcpy((void*)&name,(void*)((DWORD)packet+7),16);

    if (Sit == 1)
    {
        int i;
        for (i=0;i<1;i++)
        {
            SendDetour(0x1f,"b",0);
        }
    }
}
xErzi2K is offline  
Old 11/06/2008, 18:02   #9
 
natinet's Avatar
 
elite*gold: 0
Join Date: Oct 2007
Posts: 175
Received Thanks: 8
lol works on int?
natinet is offline  
Old 11/06/2008, 18:09   #10
 
meak1's Avatar
 
elite*gold: 220
Join Date: Jun 2007
Posts: 3,768
Received Thanks: 1,126
Sure, the square around you works. I think you just need a pointer to your x and y position and then write x+10 y+10 in the code, and then again x+10 y-10 and so on, I think ;E
meak1 is offline  
Old 11/06/2008, 18:16   #11
 
AkemyciN's Avatar
 
elite*gold: 0
Join Date: Jul 2008
Posts: 174
Received Thanks: 17
Damn, I can't find bloodx's source, can someone maybe give me the link?

lol, I'm stupid, it was attached xD
AkemyciN is offline  
Old 11/06/2008, 18:19   #12
 
syntex's Avatar
 
elite*gold: 46
Join Date: Mar 2006
Posts: 2,589
Received Thanks: 1,198
Too bad you don't know what you are writing.


0x10 is not the Storm packet , it is the packet for SkillExecute.
0x2b is the packet for the Skill animation.

here a small list for you guys :P

Code:
		 0x0b:  == CPlayer::GameStart ( BOOL set - dwZcoord )
		 0x0c:  == if (SYSTEM_GUILDWAR_SIEGEGUN) jumps always to return ( dummy )
		 0x0d:  == if (SYSTEM_GUILDWAR_SIEGEGUN) jumps always to return ( dummy )
		 0x0e:  == if (SYSTEM_GUILDWAR_SIEGEGUN) jumps always to return ( dummy )
		 0x0f:  == CPlayer::Attack
		 0x10:  == CPlayerSkill::ExcuteSkill
		 0x11:  == CPlayer::ProcessMsg ( chat )
		 0x12:  == CPlayer::OnTeleport ( set height after respawn / town teleport )
		 0x13:  == CPlayer::Write 0x1D ( select char )
		 0x14:  == CSMap::MovePlayer
		 0x15:  == CSMap::MovePlayer and stop
		 0x16:  == CNPC::Reply
		 0x17:  == CCastle::GetCastle ( get npc tax )
		 0x18:  == CPlayer::BuyItemEx
		 0x19:  == CPlayer::SellItem/
		 0x1a:  == CPlayer::DropItem
		 0x1b:  == CPlayer::Write 0x5D ( quit game )
		 0x1c:  == CPlayer::ShowOffItem ( put into tradewindow is meant^^ )
		 0x1d:  == CChar::WriteInSight packet 0x3D ( animation state )
		 0x1e:  == CPlayer::GetNeedPoint (set stat point)
		 0x1f:  == CPlayer::Rest GState 0x04
		 0x20:  == CSMap::PickUpItem
		 0x21:  == CPlayer::UseItem
		 0x22:  == CPlayer::AskTrade
		 0x23:  == CPlayer::OnAskTrade
		 0x24:  == CPlayer::CancelTrade
		 0x25:  == GameServ.CPlayer::Revival
		 0x26:  == if (SYSTEM_GUILDWAR_SIEGEGUN) CPlayer::SiegeGunProcess ( FALSE )
		 0x27:  == if (SYSTEM_GUILDWAR_SIEGEGUN) CPlayer::SiegeGunProcess ( TRUE )
		 0x28:  == if (SYSTEM_GUILDWAR_SIEGEGUN) CPlayer::SiegeGunControl
		 0x29:  == CPlayerSkill::LearnSkill
		 0x2a:  == CPlayerSkill::SkillUp
		 0x2b:  == CPlayerSkill::PreSkill ( SkillAnimation )
		 0x2c:  == CPlayer::AskParty
		 0x2d:  == CPlayer::OnAskParty
		 0x2e:  == CGuild
		 0x2f:  == CPlayer::LeaveParty
		 0x30:  == CPlayer::ExileParty ( 30 - dwPlayerID -> kick player)
		 0x31:  == CPlayer::PutInStorage
		 0x32:  == CPlayer::PutOutStorage
		 0x33:  == CQuest::CallProcess ( 33 ** 00 2e 23 jobchange ) (33 03 00 71 17 fishing -> GState 0x20)
		 0x34:  == CPlayer::StorageInfo
		 0x35:  == always jumps 2 return.. dumb! ( was bird event )
		 0x36:  == if (SYSTEM_GUILDWAR) CAuthSocket::Write 0x10 -> CDBSocket::Write 0x4D
		 0x37:  == Invalid packet type at CPlayer::Process()
		 0x38:  == CPlayer::SaveRevivalPt ( town statue )
		 0x39:  == CPlayer::EnchantItem ( tali over item )
		 0x3a:  == CPlayer::SetStallInfo ( stall = shop^^, info = sell item )
		 0x3b:  == CPlayer::RemoveItem use StoneOfJob (not for Naraeha/Hanin)
		 0x3c:  == CPlayer::RemoveItem use HighGradeSoC (not for Naraeha/Hanin)
		 0x3d:  == CChar::WriteInSight packet 0x18 (its dance)
		 0x3e:  == CPlayer::TradeAgreed
		 0x3f:  == CPlayer::TrashItem ( destroy )
		 0x40:  == CPlayer::FRDProcess ( FRD= friend stuff )
		 0x41:  == CPlayer::PutOnItem
		 0x42:  == CPlayer::PutOffItem
		 0x43:  == CPlayer::SwitchStall ( switch state.. 0 = end, 1 = start )
		 0x44:  == CPlayer::ProcessEvent (GambleSystem (dice) not running on hanin/naraeha)
		 0x45:  == remove GState 0x60 (10 20 30 40 50 60) send2client 2e pID GState (stop fishing / cooking)
		 0x46:  == CPlayer::GetStallInfo
		 0x47:  == CPlayer::BuyItemAtStall
		 0x48:  == CPlayer::EventSetMora if (EVENT_SPONSOR) packet 0x0E - (MasterOfPaper-Rock-Scissores) 4303 start
		 0x49:  == CPlayer::IsCooking GState 0x40
		 0x4a:  == CPlayer::RevivalSkill ( Accept MageRevive )
		 0x4b:  == CPlayerSkill::Redistribute -> CPlayer::RemoveItem ( use StoneOfChance)
		 0x4c:  == CPlayer::ExchangeBoddariToItem ( 4c02 - AddEState 0x200 | 4c00 if EState 0x200 use GoldenLuckyPouch | 4c** (not 02) use Silver~
		 0x4d:  == CPlayer::ExchangeDanjiToItem ( 4d02 - AddEState 0x400 | 4d00 if EState 0x400 use GoldenPot | 4d** (not 02) use Silver~
		 0x4e:  == CPlayer::InitStat use StoneofBirth
		 0x4f:  == if (SYSTEM_LOCAL_TEST) CPlayer::PKBulletinInfoSend (GetAssaList)
		 0x50:  == CPlayer::AskPvP
		 0x51:  == CPlayer::OnAskPvP
		 0x52:  == CPlayer::Transform
		 0x53:  == CPlayer::Bless
		 0x54:  == CPlayerSkill::ExcuteTransformSkill
		 0x55:  == CPlayer::MLMProcess Teacher/Student
		 0x56:  == Invalid packet type at CPlayer::Process()
		 0x57:  == Invalid packet type at CPlayer::Process()
		 0x58:  == BOOL(byte) Parameter[0] remove/add GState 0x800
		 0x59:  == CPlayer::Shortcut ( skillbar )
		 0x5a:  == CPlayer::SetMyTelPt ( use saving / moving scroll )
		 0x5b:  == CPlayer::UpgradeItem ( 0,id -> make revs | 1,id -> increase % | 2,id -> upgrade )
		 0x5c:  == CPlayer::MAILProcess ( message system )
		 0x5d:  == CMonster::FindMonster as UNIT ( cancel opening woodenbox )
		 0x5e:  == CMonster::FindMonster as UNIT ( open woodenbox )
		 0x5f:  == CPlayer::ChangeGuildName ( GuildNameChangeScroll )
		 0x60:  == CPlayer::ChangePlayerName ( NameChangeScroll )
		 0x61:  == CPlayer::NPCProcess ( goto fishisle / D4 door (as npc) open oO? )
		 0x62:  == CPlayer::EnforceItem lvl 1 | CPlayer::MixItem | CPlayer::EnforceItem lvl 2
		 0x63:  == [BeadOfFire - dwId] [armor - dwId]
syntex is offline  
Thanks
6 Users
Old 11/06/2008, 18:25   #13
 
Mahatma's Avatar
 
elite*gold: 281
Join Date: Oct 2007
Posts: 6,248
Received Thanks: 887
Quote:
Originally Posted by xErzi2K View Post
mhmm I tried that really easy sit "hack" but there is still a mistake which I can't find... did I make a hard mistake?

PHP Code:

if (packet[2] == 0x32)
{
    DWORD id;
    memcpy((void*)&id,(void*)((DWORD)packet+3),4);
    char name[255]={0};
    memcpy((void*)&name,(void*)((DWORD)packet+7),16);

    if (Sit == 1)
    {
        int i;
        for (i=0;i<1;i++)
        {
            SendDetour(0x1f,"b",0);
        }
    }
}

SendDetour(0x1f,"b",0); // --> stand up
SendDetour(0x1f,"b",1); // --> sit down


Quote:
Originally Posted by chibis View Post
PHP Code:
0x10,"bdd",43,42133,34213 
What it means? 43 stands for the Thunder Skill (mage-43, as far as i know)
I only skimmed the tut but it looks nice^^
erm... thunderstorm is mage-41, so let's say 43 is just for the skill thunder
Mahatma is offline  
Thanks
1 User
Old 11/06/2008, 18:36   #14
 
elite*gold: 0
Join Date: Oct 2007
Posts: 474
Received Thanks: 159
Quote:
Originally Posted by xErzi2K View Post
mhmm I tried that really easy sit "hack" but there is still a mistake which I can't find... did I make a hard mistake?

PHP Code:

if (packet[2] == 0x32)
{
    DWORD id;
    memcpy((void*)&id,(void*)((DWORD)packet+3),4);
    char name[255]={0};
    memcpy((void*)&name,(void*)((DWORD)packet+7),16);

    if (Sit == 1)
    {
        int i;
        for (i=0;i<1;i++)
        {
            SendDetour(0x1f,"b",0);
        }
    }
}


maybe post the code from ur dll.cpp too?^^
hello123456 is offline  
Old 11/06/2008, 18:39   #15
 
meak1's Avatar
 
elite*gold: 220
Join Date: Jun 2007
Posts: 3,768
Received Thanks: 1,126
xd does this work on int? I can inject the dll on int but none of the commands work on int, or am I doing something wrong ^^
meak1 is offline  
Closed Thread



