Register for your free account! | Forgot your password?

Go Back   elitepvpers > MMORPGs > Kal Online > Kal Hacks, Bots, Cheats & Exploits
You last visited: Today at 10:17

  • Please register to post and access all features, it's quick, easy and FREE!


[TUTORIAL] Creating a simple DLL Cheat/Hack

Discussion on [TUTORIAL] Creating a simple DLL Cheat/Hack within the Kal Hacks, Bots, Cheats & Exploits forum part of the Kal Online category.

Reply
 
Old   #1
 
elite*gold: 0
Join Date: Feb 2009
Posts: 256
Received Thanks: 470
[TUTORIAL] Creating a simple DLL Cheat/Hack

HOW TO CREATE YOUR OWN DLL HACK

Hello guys,
In recent days, I recieved many questions about how to use the pointers posted in one specific thread.


So here is guide for creating the basic Proxy-DLL skeleton + hack. I will try to explain it to details.


Requirements
1] Some C++ and UCE (memory and such stuff) knowladge
2] Some Time
3] Common sense

1] [THEORY]
So our first question is „How do I even get some piece of my code into the game process?“
There are many possible ways, I also don’t know all possibilities, but for our Kal-Online purposes, we might use Proxy-DLL solution (It isn’t only solution ofcourse).
Let me explain how it works: We know, that Kal-Online imports some functions from dlls (dll – dynamic linked library). So we will one of those libraries, from which Kal-Online needs to load the imports and we will basicly create library with same name, then we will export all functions with same name as in original library and all needed functions code will be loaded from the original library.
Yea… Now you’re like “WTF is he talking about”. Well I will try to create little, shitty scheme.



It’s possible that you still don’t get it – read - you may understand it later in tutorial.
So… Because we are lazy guys and there are simply too many exports to write it by hand, we will use wrapper which will help us to create Proxy-Dll skeleton for us in no time.
(IT'S IN THE ATTACHMENTS)

2] [CREATING PROXY DLL]
So, let’s copy all needed files into one folder. Let’s say it’s C:/ProxyDLL/. Copy the wrappit and the original library, from which will wrap the exports. I will copy d3dx9_29.dll in this case.

1. Step:
We will obtain the export list by using Visual Studio command prompt command. Open it from program files, or from Start/All apps/Microsoft Visual Studio xxxx/Visual Studio Tools/Visual Studio Command Prompt (xxxx).


2. Step:
Change dir to our ProxyDLL folder. And type into command prompt: “DUMPBIN /EXPORTS d3dx9_29.dll > EXPORTS.txt “without the quotes. This should create in our folder a file with needed export information.

3. Step:
Now let’s rename the original library into something else, like “favourite” d3dx9_29_.dll or BadAss_Lib.dll.

4. Step:
We are ready to use wrapper now. The syntax for using it is <dll> <txt> <convention> <new dll name> <cpp> <def> . Where the <dll> is old name of original lib, <txt> exports dump in the textfile, <convention> function calling convention, <new dll name> the name we assigned to original lib, <cpp> the name of cpp file which will be generated and <def> name of definition file which will be generated. So it will be: wrappit.exe d3dx9_29.dll EXPORTS.txt __stdcall d3dx9_29_.dll d3dx9_29.cpp Exports_Def.def

5. Step:
Now your folder should contain 2 new files: d3dx9_29.cpp and Exports_Def.def
If yes, then congratulations… You have just created Proxy-DLL skeleton…

3] [Creating Cheat]
1] Project Setup
Now create new empty dll project in the Visual Studio and add existing item into source, d3dx9_29.cpp . You can name that project with whatever name, but if you are not experienced, then I recommend naming it d3dx9_29. Now right-click on project and select Properties. First of all, although it’s not really necessary, change the character set to multi-byte, as I don’t want to read cry posts about “My compiler gives me error about strings”. Switch to Linker/Input and Module definition file will be Exports_Def.def. Save the properties and return to the project.

Code:
#include <windows.h>
#pragma pack(1)


HINSTANCE hLThis = 0;
HINSTANCE hL = 0;
FARPROC p[332] = {0};

BOOL WINAPI DllMain(HINSTANCE hInst,DWORD reason,LPVOID)
	{
	if (reason == DLL_PROCESS_ATTACH)
		{
		hLThis = hInst;
		hL = LoadLibrary(".\\d3dx9_29_.dll");
		if (!hL) return false;


		p[0] = GetProcAddress(hL,"D3DXAssembleShader");
		p[1] = GetProcAddress(hL,"D3DXAssembleShaderFromFileA");
		p[2] = GetProcAddress(hL,"D3DXAssembleShaderFromFileW");
		p[3] = GetProcAddress(hL,"D3DXAssembleShaderFromResourceA");
		p[4] = GetProcAddress(hL,"D3DXAssembleShaderFromResourceW");
		p[5] = GetProcAddress(hL,"D3DXBoxBoundProbe");
		p[6] = GetProcAddress(hL,"D3DXCheckCubeTextureRequirements");
		p[7] = GetProcAddress(hL,"D3DXCheckTextureRequirements");

……
Notice LoadLibrary(".\\d3dx9_29_.dll");
It may contain other name which you specified when we was creating proxy-dll skeleton (Like “BadAss-Lib.dll”).
Short explain: You can see main function of dll. On initialization the original library is loaded and all original function addresses are obtained. Read more at: GetProcAddress Function (Windows)

2] Cheat Setup
Let’s finally add the cheat…
You might need pattern scanner aswell, I will explain why later. I don’t fancy releasing mine yet, use the BakaBug’s one. What it does? It searches for bytes in preset order, inside the process, from specified address to specified address. If such byte order is found, then address of first byte is returned.
Also you should add a MemCpyEx. What’s that? It’s extension of memcpy. The bonus feature is that it calls VirtualProtect before memcpy. That’s the whole magic.
Those two functions are included in this source and also other sources around.
Let’s create our hacking function. This source will use console as we won’t control that hack by GUI (It would make the source more difficult to read). So let’s add Command Console function. In the source it will be called void CommandComm()
You will have to include new headers for the console: io.h ; stdio.h and fcntl.h
We will also add a function, which will handle the commands typed into command console.
void CommandHandler()
How does it work is explained in the comments in the source.
You can also add a simple function, which will print available commands.
It’s called void Menu() in the source.
So let’s create our main cheat function. Call it whatever you like… In source it will be called void CheatMain()
So what will CheatMain do? It will be created as a new Thread and then we need the function that will delay execution a litte, otherwise the INT anti-hacking tricks at start will free it (FreeConsole). The Sleep function will be helpful. Then you can load your Command box… Now you can also change the title by calling SetConsoleTitle.Then display available commands by calling Menu(). We will printf them… We can also use cout, but we have stdio.h already included so why should we include iostream? The rest of the source is commented.
So how do we exactly use the collected information from UCE/Dbg/Whatever?
Well let’s declare new global double word variable, which will store the baseaddress of pointer you found. Also declare the offsets and our pointers, which will point to speed, x, y, z, whatever.
Code:
DWORD g_dwBasePointerAddress =  0/* INPUT YOUR FOUND ADDRESS HERE INSTEAD OF ZERO */;
DWORD g_dwSpeedOffset =  0; // Set here offsets, which you found
DWORD g_dwZCoordOffset = 0;
DWORD* g_pdwSpeed = 0;
DWORD* g_pdwCoordZ = 0;
In our command handling function, we will create procedure for setting up speed.

Code:
if (strcmp ( chCommand , ".setspeed" ) == 0) //If string stored in chCommand is .setspeed , then execute commands
		{
			DWORD dwSpeedValue = 0;
			DWORD dwBuffer = 0; // Temporary storage for memory copied from basepointer address.
			
			printf_s("Enter desired value: ");
			scanf_s("%d%*c",&dwSpeedValue);
		
			MemCpyEx((LPVOID)&dwBuffer, (LPVOID)g_dwBasePointerAddress, 4); // Copies memory from the value stored in g_dwBasePointerAddress (In our case, it's the basepointeraddress) to dwBuffer address.
			g_pdwSpeed = (DWORD*)(dwBuffer + g_dwSpeedOffset); // dwBuffer contains the pointer now. We have to add offset to it.
			*g_pdwSpeed = dwSpeedValue; // Sets value pointed by this pointer to dwSpeedValue - Desired value.
			
			printf_s("\nEnter Command: ");
		}
That’s pretty much whole trick.

3] Pattern Solution
I promised I will return to SearchPattern function. I think you already noticed Search for array of bytes in your UCE. So that’s it. You can use it to find the basepointer address. You will have to extract some bytes which are unique and they have some relation to basepointer or something else you are trying to figure out. For example you found, that this pattern unique pattern (I just pulled this one out my ass) “EB 4A 5C 2A 54 85 44 AC 6F 7B 7B 7B 00 00 AA 4C 1A 12” is always 0x50 bytes far from basepointer.

Example:
In the .setspeed procedure ->
Code:
....
		DWORD dwFar = 0x75;   // Its 0x75 bytes far from pattern. 0x is prefix for hexdecimal number
		if( g_dwBasePointerAddress == 0 ) 
		{
			g_dwBasePointerAddress = dwFar + (SearchPattern("EB 4A 5C 2A 54 85 44 AC 6F 7B 7B 7B 00 00 AA 4C 1A 12", 0x00400000, 0x007FFFFFF));

			if( g_dwBasePointerAddress != 0 && g_dwBasePointerAddress != dwFar)
			{
				printf_s("Everything went smoothly. g_dwBasePointerAddress was set");
			}
			else
			{
				printf_s("Something went wrong. g_dwBasePointerAddress will be set to zero");
				g_dwBasePointerAddress = 0;
			}
		}

		if( g_dwBasePointerAddress != 0)
		{
			....
			SAME AS THE CODE I WRITTEN BEFORE
			....
		}
...

CREDITS:
Bakabug - SearchPattern and his sources from which I learnt a lot from.
Bloodx - His INT hack source structure (Command Handler etc.) was used, as it is newbie friendly
Chourdakis Michael - For his Proxy-Dll wrapper
If everyone feels, I forgot to credit him, then ask...


PS:
You will have to add the source files to your project, because not all of you would be able to open VS2010 Solution. Also If you don't understand some windows function, then look onto MSDN...

I hope you finally got the idea, how to put some easy hack together… I tried to write the source more userfriendly, so I tried to not use any confusing function. I know, this tutorial isn’t much newbie friendly, but it still took me some time to write all this shit, as the English isn’t my native language. Maybe I wrote some bullcrap - you can correct me. I hope I didn't forgot something...

©Thiesius
HAPPY HACKING


UPDATE 15.04.2010 BY BLOODX:

Quote:
Originally Posted by bloodx View Post
Well, u posted SRC from Proxy so i give ppl a send + recv method. hehe.


SendFunction
PHP Code:
DWORD PBACK  =  0x000000;// <- U need to get the Back Adress with IDA etc. Or do it with SearchPattern.
#define SendASM __asm{ push ebp };__asm{ mov ebp, esp };__asm{ sub esp, 18h};__asm{ JMP PBACK};
__declspec(nakedint __cdecl SendPacket (BYTE Header LPCSTR Format , ... ){SendASM;} 
RecvFunction
PHP Code:
int DetouredRecv(SOCKET Socketchar *Bufferint Lengthint Flags);
int (__stdcall *PacketRecv)(SOCKET Socketchar *Bufferint Lengthint Flags);

void Recv()
{
    
PacketRecv = (int (__stdcall *)(SOCKETchar *, intint))DetourFunction((PBYTE)recv, (PBYTE)DetouredRecv);

PHP Code:
int DetouredRecv(SOCKET Socketchar *Bufferint Lengthint Flags)
{
    switch(
Buffer[2])
    {
    case 
0x36//item drop
        
break;
    
    }
    return 
PacketRecv(SocketBufferLengthFlags);

RecvHandling Method2 by ILikeItEasy:

Code:
int ASyncPos=0;
int FinalSize=0;

int WINAPI __stdcall MyMagicRecv(SOCKET s, const unsigned char* buf, int len, int flags)
{

	if (ASyncPos==FinalSize && FinalSize>0)
	{
		HandlePacket(buf, ASyncPos);
		ASyncPos = 0;
	}
	int ret = OrigRecv(s,buf,len,flags);
	if (ret<0)
	{
		return ret;
	}
	if (ASyncPos==0)
		FinalSize = *((short int*) buf);
	ASyncPos+=ret;
	return ret;
}
I have similiar method to send packets, but suit yourself
I guess I might find time in this week, to include offsets and address for PServers and pattern for + offsets for INT. And maybe I will also show you, how to extract pattern...
Attached Images
File Type: jpg Proxy-DLL.jpg (196.4 KB, 4753 views)
File Type: jpg cmd-prompt.jpg (32.3 KB, 4890 views)
Attached Files
File Type: rar wrappit.rar (7.9 KB, 2719 views)
File Type: rar src.rar (11.0 KB, 2737 views)



Thiesius is offline  
Thanks
101 Users
Old 03/10/2010, 22:39   #2
 
elite*gold: 0
Join Date: Aug 2006
Posts: 128
Received Thanks: 18
thanks !


Staviko is offline  
Old 03/10/2010, 22:43   #3
 
elite*gold: 281
Join Date: Oct 2007
Posts: 6,248
Received Thanks: 883
pretty nice work!

#moved into release section
#sticky
Mahatma is offline  
Old 03/10/2010, 23:16   #4
 
elite*gold: 0
Join Date: Aug 2006
Posts: 128
Received Thanks: 18
ok i understood every thing but |: i can find adress of speed and etc and edit them with my UCE why i need this ?


Staviko is offline  
Old 03/11/2010, 00:05   #5
 
elite*gold: 0
Join Date: Feb 2009
Posts: 256
Received Thanks: 470
The Proxy-DLL is multipurpose. You can hook and pretty much operate from inside of process. And once you will use Pattern Search, then you don't have to use UCE anymore - your basepointer should be working even after updates so you don't have to search for new UCE everytime the HShield updates to get correct offsets again.
And to be honest - One time you will create some hack and release it, there will be probably function menu. Will you just write under speed options: "Open a UCE and search it yourself"? One time some of you will also try to get packets... You can hook from inside and read non-encrypted data or hook some HShield function to fool it. Or you will just collect them from outside and stare at encrypted data (Unless you know Decryption algorithm)?

I'm planning to release working PacketHack for PServers in near future (As I slowly return from PServers to INT again).

I'm just trying to teach you, that UCE isn't everything. There are still many possibilities waiting for you. Memory poking is just a one chapter of gamehacking and cheat engine is very nice tool indeed, but the newbies should try to not rely on the work of others (in this case it's UCE's - as most of newbies cannot create a working UCE themself). The more experienced gamehackers would lough if you tell them "I'm Hacker - but I use only UCE"
I will extend this tutorial a little when I have time to show show you what I mean.
Thiesius is offline  
Thanks
7 Users
Old 03/11/2010, 03:54   #6
 
elite*gold: 0
Join Date: Dec 2009
Posts: 24
Received Thanks: 2
Nice work thanks
82ndbravo is offline  
Thanks
1 User
Old 03/11/2010, 07:25   #7
 
elite*gold: 0
Join Date: Aug 2006
Posts: 128
Received Thanks: 18
Thiesius ok bro thanks !
Staviko is offline  
Thanks
1 User
Old 03/11/2010, 15:23   #8
 
elite*gold: 0
Join Date: Feb 2008
Posts: 1,086
Received Thanks: 184
Thanks, i think this will greatly help me for a start, really nice that you took your time, for us normal mortals xD ty again
pamz12 is offline  
Old 03/11/2010, 17:18   #9
 
elite*gold: 20
Join Date: Apr 2008
Posts: 820
Received Thanks: 177
i already knew everything, but it's very good ... keep going!
chibis is offline  
Old 03/11/2010, 18:17   #10
 
elite*gold: 220
Join Date: Jun 2007
Posts: 3,767
Received Thanks: 1,120
i saw it right? that we can make speed pointer without change every week ;D?
meak1 is offline  
Thanks
2 Users
Old 03/11/2010, 18:18   #11
 
elite*gold: 281
Join Date: Oct 2007
Posts: 6,248
Received Thanks: 883
Quote:
Originally Posted by meak1 View Post
i saw it right? that we can make speed pointer without change every week ;D?
ofcourse
Mahatma is offline  
Old 03/11/2010, 21:24   #12
 
elite*gold: 0
Join Date: Jan 2010
Posts: 124
Received Thanks: 3
Quote:
Originally Posted by Thiesius View Post
[B][CENTER]

1. Step:
We will obtain the export list by using Visual Studio command prompt command. Open it from program files, or from Start/All apps/Microsoft Visual Studio xxxx/Visual Studio Tools/Visual Studio Command Prompt (xxxx).
werhe i get visual studio tools dont have it can somebody iupload it here...

oder kp ob ich habs also so wies da steht nicht kann dran liegen das ich kp hab wie das programm in deutsch heißt
Gohsti is offline  
Old 03/11/2010, 21:33   #13
 
elite*gold: 0
Join Date: Feb 2008
Posts: 539
Received Thanks: 82
i have one question, is this source the same as Int hack Source somewhere here in forums?
i mean does this source comes with detection bypass or is it still detected until you make a bypass yourself?
zilvis69 is offline  
Old 03/11/2010, 22:00   #14
 
elite*gold: 0
Join Date: Aug 2007
Posts: 33
Received Thanks: 6
it's undetected but you don't have pocket sniffer here (it's impossible to add Intercepts from old Int Hack source - HS detection).

I had problem with starting Kal (yeah cmd was starting after 10 second but it freezed kal - fixed atm). Hmm but now i have other problem. When i type command in window it closing kal.
YourFear is offline  
Old 03/11/2010, 22:03   #15
 
elite*gold: 0
Join Date: Feb 2008
Posts: 539
Received Thanks: 82
Quote:
Originally Posted by YourFear View Post
it's undetected but you don't have pocket sniffer here (it's impossible to add Intercepts from old Int Hack source - HS detection).

I had problem with starting Kal (yeah cmd was starting after 10 second but it freezed kal - fixed atm). Hmm but now i have other problem. When i type command in window it closing kal.
so u mean if i have no packet sniffer i cant send packets? sorry for stupid questions


zilvis69 is offline  
Reply



« Working DiTTo | [Service] Cheat Server »

Similar Threads
[Guide] Creating a Simple Loader with Injected DLL for Silkroad
02/02/2016 - SRO Coding Corner - 37 Replies
This next article in my series is a very important one for anyone wanting to get started with client modifications or understanding the client itself. This is the base article that will be used for all my future articles that explain various Silkroad development concepts. Like my previous article, there is nothing terribly exciting with this one as we have to get through the necessary boring stuff first before we can have any real fun. Unfortunately, this article is very heavy text wise and...
1 Hit Hack Cheat Engine Tutorial Request
05/27/2010 - Metin2 - 1 Replies
Hi there, I know how to change Atk Speed, Mov Speed, Range & Type Weapon with CE But i have never find the way to get the 1hit hack like Multihacks. Someone can teach me how to get it with Cheat Engine ??? Thanks
[Intermediate] Creating a strong but simple cipher
08/31/2008 - CO2 Programming - 9 Replies
Basically, here's the idea, we have a 'key' that contains every value a byte supports (0 to 255). When you encrypt a byte for instance 171 (0xAB) it creates an "x" using the first 4 bits of the byte, and "y" using the last for bits of the byte Value = 171 (0xAB) X = 10 (0xA) Y = 11 (0xB) Then in the output of the encrypt routine, it it'll fill that index as Key Here's an illustration to make it simpler; http://img120.imageshack.us/img120/3282/cipheran4 .gif



All times are GMT +2. The time now is 10:17.


Powered by vBulletin®
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
SEO by vBSEO ©2011, Crawlability, Inc.

BTC: 3KeUpz52VCbhmLwuwydqxu6U1xsgbT8YT5
ETH: 0xc6ec801B7563A4376751F33b0573308aDa611E05

Support | Contact Us | FAQ | Advertising | Privacy Policy | Terms of Service | Abuse
Copyright ©2019 elitepvpers All Rights Reserved.