[Release] KalClient Hookbase (Int+Ps)

syntex · 01/13/2011, 19:13

Hello everyone

This Source is for learning purpose only. If you have any questions just write them down.

If you like to extend this source - please upload your changes and share with the community.

Have fun

Greetings:
ZeroTen
Kealy aka Sun

hehepwnz · 01/13/2011, 19:22

i will check this out, thx

edit:

Code:

if(GetAsyncKeyState(VK_F3 & 1)) // HotKey F3
		{
			KalClient::Chat(lightblue," DWORD: %d - INT: %i - STRING: %s",25000,25,"STRING");
			Sleep(500); // avoid keyspam
		}

Also ich mag Sleep nicht soooo, wie wäre es mit:

Code:

if(GetAsyncKeyState(VK_F3 & 1)) // HotKey F3
{
KalClient::Chat(lightblue," DWORD: %d - INT: %i - STRING: %s",25000,25,"STRING");
			
                        while(GetAsyncKeyState(VK_F3)) // HotKey F3
                        {
                        }
}

:P

syntex · 01/13/2011, 19:31

ah its pretty clean written and easy to implenent in already excisting projects.

Currently it has Chat,Notice,Datopen ptr hook.

If anyone has wishes tell me and I add them. I might try to code a hackshield proof hook, dunno how they detect detours on normal funcs (maybe patternscan or return check who knows?)

@edit,
it was just for example (to execute the functions I hooked).

If we could hook Opendat for example I would like to do smth like that:
if("Login")
QuickSendHook(Login)
if("Login2")
QuickSendHook(Login2)

you could handle dat actions ingame with own functions, would be useful but hooks get detected thou hackshield (opcode check , or return check I dunno). I need more creativity on hooks ;p

th3hitman · 01/13/2011, 21:12

Nice Release michi!Didnt know u where releasing so soon

Thiesius · 01/13/2011, 22:44

HackShield-Scanner loads the memory and then creates CRC from it. If generatedCRC != correctCRC -> Notify engine message callback -> Memory manipulation detected -> Exit Process.
The CRC function is checked by Themida's Integrity check and probably even some kind of HackShield's self-integrity-check. Also altering engine callback is not good idea as you won't be able to respond to 0x03 packet.

As far I remember the CRC was generated from 0x1000 big memory chunks inside engine.exe (Including packet functions etc.).

Anyways -> good job on finding function calls.

#EDIT:
This is basically the output of hackshield if you are detected.
(ModName: engine.exe(00400000h) Addr:00573000h, 6364F81Bh != F9C775AAh)

[Addr] = Start address of checked region. So modification is probably between 00573000h and 00574000h in this example.
[n0 != n1] = CRC is not obviously matching

syntex · 01/13/2011, 23:10

Quote:

Originally Posted by Thiesius

HackShield-Scanner loads the memory and then creates CRC from it. If generatedCRC != correctCRC -> Notify engine message callback -> Memory manipulation detected -> Exit Process.
The CRC function is checked by Themida's Integrity check and probably even some kind of HackShield's self-integrity-check. Also altering engine callback is not good idea as you won't be able to respond to 0x03 packet.

As far I remember the CRC was generated from 0x1000 big memory chunks inside engine.exe (Including packet functions etc.).

Anyways -> good job on finding function calls.

#EDIT:
This is basically the output of hackshield if you are detected.
(ModName: engine.exe(00400000h) Addr:00573000h, 6364F81Bh != F9C775AAh)

[Addr] = Start address of checked region. So modification is probably between 00573000h and 00574000h in this example.
[n0 != n1] = CRC is not obviously matching

what about let it scan the real engine and use another one to work with?!

~~Fremo.~~ · 01/13/2011, 23:17

syntex released was

Heutn' besonderer tag oder wat ;D

Thiesius · 01/13/2011, 23:18

I'm not sure what do you mean.

However my bypass was inline asm hook, that checked read location and if the Hackshield was just about to read the region I switched the pointer to original bytes (backup) instead modified and after that I switched the pointer back to engine. However the integrity check had to be cracked too.

But atm there are like 3 checks (or maybe more) that has to be modified (not easy stuff ofcourse -> Themida is not cheap protection)

syntex · 01/13/2011, 23:27

Quote:

Originally Posted by Thiesius

I'm not sure what do you mean.

However my bypass was inline asm hook, that checked read location and if the Hackshield was just about to read the region I switched the pointer to original bytes (backup) instead modified and after that I switched the pointer back to engine. However the integrity check had to be cracked too.

But atm there are like 3 checks (or maybe more) that has to be modified (not easy stuff ofcourse -> Themida is not cheap protection)

yea its alot of work finding those and crack them , not worth it while IAT/EAT hooks work without any issues

I dont need those hooks but they would be useful to have.

bloodx · 01/14/2011, 00:36

hmmm Look's quit good... gogo make more :P

syntex · 01/14/2011, 12:44

I gonna add cooldown for skills when I find some sparetime

if you have more wishes I add them, im thinkin of adding quicksend and recv hook but dunno what you guys think... if you made something new just add it and reupp I will add it on first page.

pamz12 · 01/14/2011, 13:47

dude what happened to you? you sound like you're supporting leechers all sudden ^^^^ hehe

syntex · 01/14/2011, 14:09

its time to quit

it might be useful for newbies to start learning ..

hehepwnz · 01/14/2011, 14:41

time to quit?
blocked? :P

bloodx · 01/14/2011, 14:42

time to Release things ;D Let's **** up kal hehehehehehe :]