Need help to understand long range waithack

[sad666]

Hi I'm trying to increase waithack range.
I currently attack mobs around using the sendbattle function I know there is a distance check function in server side so I tried send move packet with attack but this only affects the observers. Can anyone help me please ?

Also this empty area is my waithack range

 Spoiler

[ones-and-zer0es.mpeg]

Quote:

Originally Posted by sad666

Hi I'm trying to increase waithack range.
I currently attack mobs around using the sendbattle function I know there is a distance check function in server side so I tried send move packet with attack but this only affects the observers. Can anyone help me please ?

Also this empty area is my waithack range

 Spoiler

Can u post some code?

[Drakulax]

.

[MrCrisp]

Quote:

Originally Posted by sad666

Hi I'm trying to increase waithack range.
I currently attack mobs around using the sendbattle function I know there is a distance check function in server side so I tried send move packet with attack but this only affects the observers. Can anyone help me please ?

Also this empty area is my waithack range

 Spoiler

Do you directly send the packet or do you invoke the function by a function pointer?

[sad666]

Quote:

Originally Posted by MrCrisp

Do you directly send the packet or do you invoke the function by a function pointer?

I am calling SendAttackPacket function in CPythonNetworkManager class.I checked TPacketCGAttack structure but I couldn't see important variable to change.Doesn't that packet define with arguments from the SendAttackPacket function ?

Code:

auto mobList = Entity::GetMobList();
for (Instance* mob : mobList)
{
    CPythonNetworkManager::GetInstance()->SendAttackPacket(0, mob->GetVid());
}

[ones-and-zer0es.mpeg]

Quote:

Originally Posted by sad666

I am calling SendAttackPacket function in CPythonNetworkManager class.I checked TPacketCGAttack structure but I couldn't see important variable to change.Doesn't that packet define with arguments from the SendAttackPacket function ?

Code:

auto mobList = Entity::GetMobList();
for (Instance* mob : mobList)
{
    CPythonNetworkManager::GetInstance()->SendAttackPacket(0, mob->GetVid());
}

you have to teleport to the mob before attacking

[sad666]

Sorry guys I think I messed up move position on my first try. Now its working correctly using state packet

[ones-and-zer0es.mpeg]

Quote:

Originally Posted by sad666

I saw this video from xAdr1an Multihack topic

It seems like doesn't teleport at least client side and I tried SendStatePacket for move but nothing change.

*It seems like doesn't teleport at least client side* it doesn't thats correct, check with second character - aslong as

Code:

inline float DISTANCE_SQRT(long dx, long dy) {
	return sqrt((float)dx * dx + (float)dy * dy);
}

is less then 40 when you're on a mount or 25 when not

Code:

NEW_GetPixelPosition(main_instance, &main_pos);
NEW_GetPixelPosition(target, &dest_pos);
float xDiff = dest_pos.x - main_pos.x;
float yDiff = dest_pos.y - main_pos.y;
float fDist = DISTANCE_SQRT((main_pos.x - dest_pos.x) / 100, (main_pos.y - dest_pos.y) / 100);
if ((ChrMgr::i().IsMounted() && fDist < 40.f) || fDist < 25.f) {
	SendCharacterStatePacket(dest_pos, 10.f, 0, 0);
	SendAttackPacket(target);
	SendCharacterStatePacket(main_pos, 10.f, 0, 0);
}

[sad666]

Thank you for helping me I just realized I made a mistake sending position info now working correctly

[baba4507]

hello how can I put the codes given above in the targetdamag, can you help me?

Quote:

Originally Posted by ones-and-zer0es.mpeg

*It seems like doesn't teleport at least client side* it doesn't thats correct, check with second character - aslong as

Code:

inline float DISTANCE_SQRT(long dx, long dy) {
	return sqrt((float)dx * dx + (float)dy * dy);
}

is less then 40 when you're on a mount or 25 when not

Code:

NEW_GetPixelPosition(main_instance, &main_pos);
NEW_GetPixelPosition(target, &dest_pos);
float xDiff = dest_pos.x - main_pos.x;
float yDiff = dest_pos.y - main_pos.y;
float fDist = DISTANCE_SQRT((main_pos.x - dest_pos.x) / 100, (main_pos.y - dest_pos.y) / 100);
if ((ChrMgr::i().IsMounted() && fDist < 40.f) || fDist < 25.f) {
	SendCharacterStatePacket(dest_pos, 10.f, 0, 0);
	SendAttackPacket(target);
	SendCharacterStatePacket(main_pos, 10.f, 0, 0);
}

 Spoiler

// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"

#include <Windows.h>



bool SendBattleAttack(int vId)

{

DWORD NetPointer = *(DWORD*)0x09738F0;

DWORD BattleCall = 0x05D2850;

__asm

{
mov ecx, NetPointer
push vId
push 0
call BattleCall

}
return 0;
}



void Target()

{

while (true)
{
DWORD GetTargetVID = (*(DWORD*)(*(DWORD*)0x0973994 + 0x00198C4));
SendBattleAttack(GetTargetVID);
Sleep(30);
}

}



BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)

{

switch (ul_reason_for_call)

{

case DLL_PROCESS_ATTACH:

CreateThread(NULL, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(Target), hModule, 0, NULL);

}

return TRUE;

}

[ones-and-zer0es.mpeg]

Quote:

Originally Posted by baba4507

hello how can I put the codes given above in the targetdamag, can you help me?

 Spoiler

// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"

#include <Windows.h>



bool SendBattleAttack(int vId)

{

DWORD NetPointer = *(DWORD*)0x09738F0;

DWORD BattleCall = 0x05D2850;

__asm

{
mov ecx, NetPointer
push vId
push 0
call BattleCall

}
return 0;
}



void Target()

{

while (true)
{
DWORD GetTargetVID = (*(DWORD*)(*(DWORD*)0x0973994 + 0x00198C4));
SendBattleAttack(GetTargetVID);
Sleep(30);
}

}



BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)

{

switch (ul_reason_for_call)

{

case DLL_PROCESS_ATTACH:

CreateThread(NULL, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(Target), hModule, 0, NULL);

}

return TRUE;

}

I can't really help you, you have to reverse these functions, that's nothing i can do for you. Get a public client source and search for the function defintions by searching for the names used in my snippet.

[oatuh998]

Quote:

Originally Posted by ones-and-zer0es.mpeg

I can't really help you, you have to reverse these functions, that's nothing i can do for you. Get a public client source and search for the function defintions by searching for the names used in my snippet.

can we dump functions like SendCharacterStatePacket in python and convert them to c ++ for using without python sdk ?

[martinx1]

Quote:

Originally Posted by oatuh998

can we dump functions like SendCharacterStatePacket in python and convert them to c ++ for using without python sdk ?

There is no SendCharacterStatePacket in python sdk, you have to find the function in the binary, to makes things easy, i will give you the pattern for oficial game servers:
Pattern: "\x55\x8b\xec\x83\xec\x00\x89\x4d\x00\xc6\x45\x00\ x00\x8d\x45\x00\x50\x8b\x4d\x00\xe8\x00\x00\x00\x0 0\x0f\xb6\x00\x85\xc9\x75\x00\x32\xc0\xe9\x00\x00\ x00\x00\x8b\x4d\x00\xe8\x00\x00\x00\x00\x0f\xb6\x0 0\x85\xd2\x75\x00\xb0\x00\xe9\x00\x00\x00\x00\xd9\ x45"
Mask: "xxxxx?xx?xx??xx?***?x????xx?***?***????xx?x????xx ?***?x?x????xx"

In order to call this function you need to also find the NetworkClassPointer, and pass it in the ECX register, i will let you figure out this part