[Release]INT Hack Example

bloodx · 01/16/2011, 20:26

Ok first thing i don't have test if it is working....

With this Basic you can Send Packet's & Recive Packets .....

You can make a Proxy dll with this source..

Working Send
Working Recv
CommandHandleThread
Behade all Mobs
Pick up drop's around you

PHP Code:


			
#include <WinSock2.h>
#include "detours.h"
#include <Windows.h>
#include <iostream>
#include <io.h>
#include <fcntl.h>


#pragma comment(lib, "detours.lib")
#pragma comment(lib, "ws2_32.lib")

#pragma pack(push, 1)

void InitConsole() {
    AllocConsole();

    int HandleIn = _open_osfhandle((long)GetStdHandle(STD_INPUT_HANDLE), _O_TEXT);
    int HandleOut = _open_osfhandle((long)GetStdHandle(STD_OUTPUT_HANDLE), _O_TEXT);

    FILE *In = _fdopen(HandleIn, "r");
    FILE *Out = _fdopen(HandleOut, "w");

    *stdin = *In;
    *stdout = *Out;

    SetConsoleTitleA("KalOnline Reloaded 2011.....");
}
bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for(;*szMask;++szMask,++pData,++bMask)
        if(*szMask=='x' && *pData!=*bMask )
            return false;
    return (*szMask) == NULL;
}

DWORD dwFindPattern(DWORD dwAddress,DWORD dwLen, BYTE *bMask, char * szMask) {
    for(DWORD i=0;i<dwLen;i++)
        if( bDataCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )
            return (DWORD)(dwAddress+i);
    return NULL;
}

DWORD dwFakeSend = dwFindPattern(0x401000,0x2bc000,(BYTE*)"\x55\x8B\xEC\x83\xEC\x18\x83\x3D\x00\x00\x00\x00\x00\x00\x00\x33\xC0","xxxxxxxx???????xx");
DWORD dwRealSendNoCrypt = dwFindPattern(dwFakeSend+1,0x2bc000,(BYTE*)"\x55\x8B\xEC\x83\xEC\x18\x83\x3D\x00\x00\x00\x00\x00\x00\x00\x33\xC0","xxxxxxxx???????xx");
DWORD dwSendBack = dwRealSendNoCrypt+0x06;


int (__stdcall *DetourRecv)(SOCKET Socket, char *Buffer, int Length, int Flags);
__declspec(naked) int __cdecl SendPacket (BYTE bHeader , LPCSTR szFormat , ... ){
    __asm{
        push ebp
            mov ebp, esp
            sub esp, 18h
    }
    __asm{JMP dwSendBack};
}


void PlayerAppear(char *szBuffer){
    // --- --- ---
}
void MonsterAppear(char *szBuffer){
    DWORD dwMonsterIID = *(DWORD*)&szBuffer[5];
        int imX = *(DWORD*)&szBuffer[9];
        int imY = *(DWORD*)&szBuffer[13];
}
void Item(char *szBuffer){
    DWORD dwIID = *(DWORD*)&szBuffer[5];
        int iX = *(DWORD*)&szBuffer[5+4];
        int iY = *(DWORD*)&szBuffer[5+4+4];
        SendPacket(0x1D,"ddd",dwIID,iX/32,iY/32);
}
void MonsterDie(char *szBuffer){
    DWORD dwMonsterBehade = *(DWORD*)&szBuffer[3];
        SendPacket(0x0D,"bbd",1,1,dwMonsterBehade);
}

void MyRecv(char *szBuffer, int iLength) {
    switch(szBuffer[2])
    {
    case 0x32://Player Appear
        PlayerAppear(szBuffer);    
        break;
    case 0x33://Monster Appear
        MonsterAppear(szBuffer);
        break;
    case 0x36://Item Drop
        Item(szBuffer);
        break;
    case 0x3d://Mob Died
        MonsterDie(szBuffer);
        break;
    default:
        int iSize = *(int*)&szBuffer[2];
        for(int iPack=0;iPack<=iSize,iPack++;)
        {
            std::wcout << "%02x " << (BYTE)szBuffer[iPack] << std::endl;
        }
        std::wcout << "\n" << std::endl;
        break;
    }
}
/***********************************
Credits to .....?! I don't know o.O
************************************/
int ASyncPos = 0;
int FinalSize = 0;
int WINAPI FilterRecv(SOCKET Socket,char *Buffer, int iLength, int iFlags)
{
        if (ASyncPos==FinalSize && FinalSize>0)
    {
        MyRecv(Buffer, ASyncPos);

        ASyncPos = 0;
    }
    int RecvRET = DetourRecv(Socket, Buffer, iLength, iFlags);
    if (RecvRET<0)
    {
        return RecvRET;
    }
    if (ASyncPos==0)
        FinalSize = *((short int*) Buffer);
    ASyncPos+=RecvRET;
    
    return RecvRET;
}


DWORD WINAPI CommandHandle(LPVOID) {

    wchar_t Handler[255] = {0};

    while(true) {

    std::wcin >> Handler;

            if(std::wcscmp(Handler, L"Info") == 0) {

                std::wcout << "KalOnline Reloaded...2011....\n\n" << std::endl;
            }

    }
}
DWORD WINAPI MainThread(LPVOID) {

    // Init Command Prompt
    InitConsole();

    // Init Command Handle Thread
    CreateThread(NULL,0,CommandHandle,NULL,0,NULL);

    // Init Recv
    DetourRecv = (int (__stdcall *)(SOCKET, char *, int, int))DetourFunction((PBYTE)recv, (PBYTE)FilterRecv);

    ExitThread(0);
}

BOOL WINAPI DllMain(HINSTANCE hInst,DWORD dwReason,LPVOID) {

    switch(dwReason) {
        
    case DLL_PROCESS_ATTACH:
            CreateThread(NULL,0,MainThread,NULL,0,NULL);
        break;
    case DLL_PROCESS_DETACH:
        break;

    }
}

|||||||||||||||||||||||||||||||||||||||||||||||||| ||||||

more thing's you can add ->

PHP Code:


			
BYTE bBotInstance;
void MonsterAttackPlayer(char *szBuffer, BYTE bType)
{
    switch(bType)
    {
    case 1: //Skill Attack
        if(bBotInstance==1)
        {
        DWORD dwAttackedPlayerID = *(DWORD*)&szBuffer[8];
        DWORD dwAttackMonsterID = *(DWORD*)&szBuffer[4];
        }
        break;
    case 2: //Normal Attack
        if(bBotInstance==1)
        {
        DWORD dwAttackedPlayerID = *(DWORD*)&szBuffer[7];
        DWORD dwAttackMonsterID = *(DWORD*)&szBuffer[3];
        }
        break;
    }
}

PHP Code:


			
case 0x3f://Monster -> Player Skill Attack
        MonsterAttackPlayer(Buffer,1);
        break;
    case 0x3e://Someone attacks someone
        MonsterAttackPlayer(Buffer,2);
        break;

||||||||||||||||||||||||||||||||||||||||||||||

PHP Code:


			
case 0x45://State Changed
            switch(szBuffer[3])
            {
                case 0x19://Exp Increase
                    DWORD dwGetExp = *(DWORD*)&szBuffer[12];
                                        std::wcout << "%d " << dwGetExp << std::endl;
                break;
            }
    break;

||||||||||||||||||||||||||||||||||||

PHP Code:


			
if(std::wcscmp(Handler, L"og") == 0) {
            for(int i = 0;i<100;i++){
                Sleep(1);
            SendPacket(0x12,"bbb",0,0,-129);
            }
        }
        if(std::wcscmp(Handler, L"ug") == 0) {
            for(int i = 0;i<100;i++){
                Sleep(1);
            SendPacket(0x12,"bbb",0,0,129);
            }
        }

||||||||||||||||||||||||||||||||||||

PHP Code:


			
SendPacket(0x15,"dbbww",Npc ID,100,1,ItemIndex,1);


NpcID you can get from Recv or send..

ItemIndex from config.pk/uce/item lists..

~~Fremo.~~ · 01/16/2011, 20:29

Danke Dafür

Schade das ich nur pserver spiele und kein int xD

PS:
Haste ne dll oder so für Packet UG Hack?Per uce hängt mein pc immer dann verbuggt sich meine char D:

strik3r2k5 · 01/16/2011, 20:34

Muss man das packet entschlüßeln wenn mans mit Send ausgibt?

bloodx · 01/16/2011, 20:39

Recv Exp Packet added...
Monster Attack Player Skill + Normal added
UG/OG added....

@striker wie meinst du das o.O?!

strik3r2k5 · 01/16/2011, 20:44

Sorry dumme Frage...hab nur seit es pserver gibt nicht mehr auf Int gezockt xD..
Ja ich meins so dass wenn er bspw. das Attack Packet sendet, ich die MID auslesen könnte?Oder müsste ich diese entschlüßeln...
Seh grad das kein SendHook gemacht wird...Geht das überhaupt einfach so?

bloodx · 01/16/2011, 20:47

Kla geht das

wozu etwas hooken wenn du davon eh nichts "liest" :P

MID kannst du auslesen wenn du die function hookst..

aber kannst sie auch über Recv Mob Appear/move usw auslesen halt..

strik3r2k5 · 01/16/2011, 20:49

Also könnte ich den Send hooken ohne dass ich mehr machen muss wie beim Recv?
Hab da noch ne Funk. die ich testen will & dafür bräuchte ich send

thekingisback · 01/16/2011, 20:54

where can i write those commands C++ or what? and how

sry i know ... i want much

bloodx · 01/16/2011, 21:00

IDE like Visual Studio....

~~Fremo.~~ · 01/16/2011, 21:31

Blood haste auch noch was für PServer?Also zB so ein simplen UG Hack per kackets für Pserver?

thekingisback · 01/16/2011, 21:47

x i have visual studio but ... i mean i open kal 1st then i select the file or what?
and thx for answering

bloodx · 01/16/2011, 21:52

u need to Inject it with Dll injector...

or you make your own Proxy dll with this.. Thiesius made a tutorial about that.

DrogenViech · 01/16/2011, 22:14

Grr, und wieder wird mir klar: Ich muss Assembler lernen!
Danke fuer die source ;D

RunzelEier · 01/17/2011, 00:08

bluberkaka, da ist kein asm drin -.-

bloodx · 01/17/2011, 00:15

You want to buy any item from npc?

SendPacket(0x15,"dbbww",Npc ID,100,1,ItemIndex,1);

NpcID you can get from Recv or send..

ItemIndex from config.pk/uce/item lists..