ASM / hook / walk - Help
Discussion on ASM / hook / walk - Help within the Nostale forum part of the MMORPGs category.
06/30/2021, 16:37 #1
elite*gold: 0
Join Date: Sep 2020
Posts: 10
Received Thanks: 0
ASM / hook / walk - Help
Hi guys,
I know that many people don't want to share or explain in detail how to use ASM functions and especially the walk function, but I wondered if anyone could explain to me how to do it easily.
I've found many tutorials about hooking functions but it takes too much time to get results. Moreover, in each case, the game is different so it is slower than asking someone.
So if someone can explain exactly, to me or to the community, how he does it, it would be great.
Here is my discord, if you prefer to chat in private:
Twittos#3336
Maybe there is a discord where people can ask questions about this topic?
06/30/2021, 16:39 #2
elite*gold: 0
Join Date: Jun 2021
Posts: 36
Received Thanks: 9
Quote:
Originally Posted by testesttesttest
Hi guys,
I know that many people don't want to share or explain in detail how to use ASM functions and especially the walk function, but I wondered if anyone could explain to me how to do it easily.
I've found many tutorials about hooking functions but it takes too much time to get results. Moreover, in each case, the game is different so it is slower than asking someone.
So if someone can explain exactly, to me or to the community, how he does it, it would be great.
Here is my discord, if you prefer to chat in private:
Twittos#3336
Maybe there is a discord where people can ask questions about this topic?
|
There is a discord where people (normally beginners) ask questions.
Sent from my M2003J15SC via Tapatalk
06/30/2021, 17:58 #3
elite*gold: 0
Join Date: May 2020
Posts: 369
Received Thanks: 448
Quote:
Originally Posted by testesttesttest
Hi guys,
I know that many people don't want to share or explain in detail how to use ASM functions and especially the walk function, but I wondered if anyone could explain to me how to do it easily.
I've found many tutorials about hooking functions but it takes too much time to get results. Moreover, in each case, the game is different so it is slower than asking someone.
So if someone can explain exactly, to me or to the community, how he does it, it would be great.
Here is my discord, if you prefer to chat in private:
Twittos#3336
Maybe there is a discord where people can ask questions about this topic?
|
Calling a function and hooking it are different things. When you hook a function, what you do is place a jump instruction at the start of the function that jumps into your code, executes your code and then jumps back to the original function.
If you want to call game functions, since Nostale is a 32 bit game you can use the __asm macro to execute asm code. If the game is 64 bit you won't be able to use the asm macro, so what you have to do in that case is create a function prototype with the calling convention of the function, then create a function with that prototype and assign it the address of the game function.
In an old post Pumba said that Nostale was written in Delphi and parameters are passed in EAX, EDX, ECX. If the function has more parameters they're pushed onto the stack. The return value is passed in EAX.
For the calling conventions:
Here you have an example I posted of the pet/partner walk function using the asm macro (addresses are outdated):
06/30/2021, 23:18 #4
elite*gold: 0
Join Date: Sep 2020
Posts: 10
Received Thanks: 0
Quote:
Originally Posted by ZroIsHere
|
Thanks for the fast answer and the disc link.
Quote:
Originally Posted by Hatz~
Calling a function and hooking it are different things. When you hook a function, what you do is place a jump instruction at the start of the function that jumps into your code, executes your code and then jumps back to the original function.
If you want to call game functions, since Nostale is a 32 bit game you can use the __asm macro to execute asm code. If the game is 64 bit you won't be able to use the asm macro, so what you have to do in that case is create a function prototype with the calling convention of the function, then create a function with that prototype and assign it the address of the game function.
|
Thanks for the explanations and the URL.
I think I need more explanations.
Maybe you can answer some questions:
- I see how to use CheatEngine, but how can you find the walk function? Even by looking for it, I found more instructions than the typical ones found on the internet:
Code:
NostaleClientX.exe+145309 - 6A 01 - push 01
NostaleClientX.exe+14530B - 33 C9 - xor ecx,ecx
NostaleClientX.exe+14530D - 8B 55 FC - mov edx,[ebp-04]
NostaleClientX.exe+145310 - A1 88B78600 - mov eax,[NostaleClientX.exe+46B788] { (0E2AADD0) }
NostaleClientX.exe+145315 - E8 2653FFFF - call NostaleClientX.exe+13A640
(old addresses)
- How can you call game functions? How can you make a bridge between the function call and a bot/software?
Thanks
07/01/2021, 09:21 #5
elite*gold: 0
Join Date: May 2020
Posts: 369
Received Thanks: 448
Quote:
Originally Posted by testesttesttest
- I see how to use CheatEngine, but how can you find the walk function? Even by looking for it, I found more instructions than the typical ones found on the internet:
Code:
NostaleClientX.exe+145309 - 6A 01 - push 01
NostaleClientX.exe+14530B - 33 C9 - xor ecx,ecx
NostaleClientX.exe+14530D - 8B 55 FC - mov edx,[ebp-04]
NostaleClientX.exe+145310 - A1 88B78600 - mov eax,[NostaleClientX.exe+46B788] { (0E2AADD0) }
NostaleClientX.exe+145315 - E8 2653FFFF - call NostaleClientX.exe+13A640
(old addresses)
Thanks
|
To find the function you'll need some reverse engineering skills; at least you should be familiar with finding pointers with Cheat Engine. You normally want to search for a value that you know will be modified before/after calling the function, then check what writes to that address with Cheat Engine and debug it till you find it. For example you can make a hypothesis that your coordinates will be changed inside the walk function; the walk function might look something like this:
Code:
void Walk(int x, int y, Player player)
{
    // Do stuff
    player.setX(x);
    player.setY(y);
    // Do stuff
}
So in this scenario the steps for finding the function will be:
1. Find the X/Y coordinate
2. Check what instructions write to that address
3. Debug the code till the return and check if the actual function is the one you're looking for.
4. If it's not correct keep debugging or make a new hypothesis and repeat all the steps.
Quote:
Originally Posted by testesttesttest
- How can you call game functions? How can you make a bridge between the function call and a bot/software?
|
You should use a dll written in C++ that is injected into the game. When you inject a dll into a process, the code that is running in the dll shares the same memory as the process, so you'll be able to read/write the memory of that process and call the functions inside that process.
07/01/2021, 12:20 #6
elite*gold: 50
Join Date: Jul 2014
Posts: 1,700
Received Thanks: 1,165
Here you have all information you need
07/01/2021, 18:07 #7
elite*gold: 0
Join Date: Sep 2020
Posts: 10
Received Thanks: 0
Quote:
Originally Posted by FI0w
Here you have all information you need
|
Thanks for the URL.
Quote:
Originally Posted by Hatz~
So in this scenario the steps for finding the function will be:
1. Find the X/Y coordinate
2. Check what instructions write to that address
3. Debug the code till the return and check if the actual function is the one you're looking for.
4. If it's not correct keep debugging or make a new hypothesis and repeat all the steps.
You should use a dll written in C++ that is injected into the game. When you inject a dll into a process, the code that is running in the dll shares the same memory as the process, so you'll be able to read/write the memory of that process and call the functions inside that process.
|
Very useful to know that, thanks.
I'm gonna try to find the function in my own way and then ask you more questions about the coding implementation.
Don't hesitate to share more stuff/advice if you have any.
07/05/2021, 14:26 #8
elite*gold: 0
Join Date: Sep 2020
Posts: 10
Received Thanks: 0
Quote:
Originally Posted by Hatz~
Here you have an example I posted of the pet/partner walk function using the asm macro (addresses are outdated): 
|
Re,
I don't understand this line:
Code:
DWORD petObject = *(DWORD*)(*(DWORD*)(entryPoint + 0x4997C4) + 0x3C);
In my case, the instructions for the pet walk that I've found are:
Code:
NostaleClientX.exe+14FAD6 - 6A 01 - push 01
NostaleClientX.exe+14FAD8 - 6A 00 - push 00
NostaleClientX.exe+14FADA - 33 C9 - xor ecx,ecx
NostaleClientX.exe+14FADC - 8B 53 08 - mov edx,[ebx+08]
NostaleClientX.exe+14FADF - 8B C3 - mov eax,ebx
NostaleClientX.exe+14FAE1 - E8 52F9FFFF - call NostaleClientX.exe+14F438
Or also in this way:
Code:
NostaleClientX.exe+1593DA - 6A 01 - push 01
NostaleClientX.exe+1593DC - 6A 01 - push 01
NostaleClientX.exe+1593DE - 33 C9 - xor ecx,ecx
NostaleClientX.exe+1593E0 - 8B 54 24 0C - mov edx,[esp+0C]
NostaleClientX.exe+1593E4 - 8B C6 - mov eax,esi
NostaleClientX.exe+1593E6 - E8 4D60FFFF - call NostaleClientX.exe+14F438
In my case, if I put a break point at "NostaleClientX.exe+14FADC" I have EBX = 0F938F20
So to find the petObject I should do this:
Code:
DWORD petObject = *(DWORD*)(*(DWORD*)(0x0F938F20) + 0x08);
I guess I'm wrong because it doesn't work.
Can you tell me why? (I think I don't get what is exactly pointing to the petObject line and the 0x3C).
For the walk function of the character, I've also found the function (same as the above comment) but I need to understand the pet walk implementation before going further.
07/05/2021, 15:56 #9
elite*gold: 0
Join Date: May 2020
Posts: 369
Received Thanks: 448
Quote:
Originally Posted by testesttesttest
Re,
I don't understand this line:
Code:
DWORD petObject = *(DWORD*)(*(DWORD*)(entryPoint + 0x4997C4) + 0x3C);
|
What I did in that line is get the pet object from a static pointer (green address in CE). That pointer was not wrong at all, since it was giving me the correct address, but it was not correct at all either, since the value stored in it was sometimes changing to your partner as well.
To correctly call the function, what you have to do first is find the addresses of the objects in game. To do that every time without having to manually type the address, you'll need to find a static pointer (green address) that points to the address you're looking for. Then what you have to do is move the addresses into the registers and call the function. If you are not familiar with finding pointers and that kind of stuff you can do the Cheat Engine tutorial or check some guides like this one:
07/05/2021, 21:20 #10
elite*gold: 0
Join Date: Sep 2020
Posts: 10
Received Thanks: 0
Quote:
Originally Posted by Hatz~
To correctly call the function, what you have to do first is find the addresses of the objects in game. To do that every time without having to manually type the address, you'll need to find a static pointer (green address) that points to the address you're looking for. Then what you have to do is move the addresses into the registers and call the function. If you are not familiar with finding pointers and that kind of stuff you can do the Cheat Engine tutorial or check some guides like this one:
|
Hmm, I've found the address but I don't know why it doesn't work:
Code:
DWORD petWalkFunc = entryPoint + 0x14F438;
DWORD petObject = *(DWORD*)(*(DWORD*)(*(DWORD*)(entryPoint + 0x49D944) + 0x04)) + 0x08;
DWORD position = (y << 16) | x;
_asm
{
    push 1
    xor ecx, ecx
    mov edx, position
    mov eax, petObject
    call petWalkFunc;
}
I also tried with another push 1 but didn't work ...
I also installed AAmaker plugin but I don't know what kind of signature info I'm looking for (signature info).
07/05/2021, 21:26 #11
elite*gold: 0
Join Date: May 2012
Posts: 1,342
Received Thanks: 1,498
That xor ecx,ecx is useless there btw, can be removed.
07/05/2021, 22:05 #12
elite*gold: 0
Join Date: May 2020
Posts: 369
Received Thanks: 448
Quote:
Originally Posted by testesttesttest
Hmm, I've found the address but I don't know why it doesn't work:
Code:
DWORD petWalkFunc = entryPoint + 0x14F438;
DWORD petObject = *(DWORD*)(*(DWORD*)(*(DWORD*)(entryPoint + 0x49D944) + 0x04)) + 0x08;
DWORD position = (y << 16) | x;
_asm
{
    push 1
    xor ecx, ecx
    mov edx, position
    mov eax, petObject
    call petWalkFunc;
}
I also tried with another push 1 but didn't work ...
I also installed AAmaker plugin but I don't know what kind of signature info I'm looking for (signature info).
|
You're very close: the function is the correct one, you are just missing a push 1 at the beginning. The function is not working because you're not passing a valid "pet object" to the function. To check if the object you are passing is the correct one, try to print the value in the console before the asm code, then put a break point in the CE function and check what the real value is.
Code:
printf("Pet object addy = %x\n", petObject);
You are almost there, just need to figure out the correct pet object value.
Quote:
Originally Posted by SilverEmerald
That xor ecx,ecx is useless there btw, can be removed.
|
Maybe for that function it works without the "xor ecx, ecx", but ecx is the third parameter passed to the function and it is used inside the function, so I'd always recommend using that code.
07/05/2021, 22:19 #13
elite*gold: 0
Join Date: Sep 2020
Posts: 10
Received Thanks: 0
Quote:
Originally Posted by Hatz~
You're very close: the function is the correct one, you are just missing a push 1 at the beginning. The function is not working because you're not passing a valid "pet object" to the function. To check if the object you are passing is the correct one, try to print the value in the console before the asm code, then put a break point in the CE function and check what the real value is.
Code:
printf("Pet object addy = %x\n", petObject);
You are almost there, just need to figure out the correct pet object value.
Maybe for that function it works without the "xor ecx, ecx", but ecx is the third parameter passed to the function and it is used inside the function, so I'd always recommend using that code.
|
Ok, my bad, I saw my mistake haha. It works fine now.
Thanks again!
I'll come back for further questions, I think
For those who want to understand my mistake:
I took the pos value instead of the object (I believe)
So it's not
Code:
DWORD petObject = *(DWORD*)(*(DWORD*)(*(DWORD*)(entryPoint + 0x49D944) + 0x04)) + 0x08;
but
Code:
DWORD petObject = *(DWORD*)(*(DWORD*)(*(DWORD*)(entryPoint + 0x49D944) + 0x04));
Ok, so new question now.
As I want to use my old python bot again, is it possible to use the dll with python?
Call the function by knowing the name of the function?
If someone knows how to do it, let me know...
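The precedence mistake from post #10 and the fix in post #13, walked over a constructed fake 32-bit address space so it can run offline. This is an added example, not code from the thread: the addresses 0x100/0x200/0x280/0x300, the object layout and the position value are made up; only the +0x04 and +0x08 offsets and the (y << 16) | x packing come from the posts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed fake 32-bit address space: "addresses" are offsets into this
 * buffer, so the pointer chain from the posts can be walked without a process. */
typedef uint32_t DWORD;
static uint8_t mem[0x1000];
static int mem_ready;

#define STATIC_PTR 0x100u   /* stands in for entryPoint + 0x49D944 (constructed) */
#define OBJ_A      0x200u   /* first object the static pointer leads to */
#define PTR_B      0x280u   /* pointer stored at OBJ_A + 0x04 */
#define PET_OBJ    0x300u   /* the pet object: what EAX (ebx) must hold */
#define POS_OFFSET 0x08u    /* [ebx+08]: packed position field inside the pet object */

static DWORD rd(DWORD addr) {                  /* *(DWORD*)addr on the fake memory */
    DWORD v; memcpy(&v, mem + addr, sizeof v); return v;
}
static void wr(DWORD addr, DWORD v) { memcpy(mem + addr, &v, sizeof v); }
DWORD pack_pos(DWORD x, DWORD y) { return (y << 16) | x; }

static void ensure_memory(void) {              /* lay out the constructed chain once */
    if (mem_ready) return;
    wr(STATIC_PTR, OBJ_A);                     /* static pointer -> OBJ_A */
    wr(OBJ_A + 0x04, PTR_B);                   /* OBJ_A + 0x04 -> PTR_B */
    wr(PTR_B, PET_OBJ);                        /* PTR_B -> pet object */
    wr(PET_OBJ + POS_OFFSET, pack_pos(37, 120)); /* pet position, constructed value */
    mem_ready = 1;
}

/* Post #10: the + 0x08 is applied AFTER the last dereference, so the result is
 * pet_object + 8, the address of the position field, not the object itself. */
DWORD chain_wrong(void) { ensure_memory(); return rd(rd(rd(STATIC_PTR) + 0x04)) + POS_OFFSET; }

/* Post #13: stop at the last dereference; this is the value to load into EAX. */
DWORD chain_right(void) { ensure_memory(); return rd(rd(rd(STATIC_PTR) + 0x04)); }

/* What `mov edx,[ebx+08]` reads once ebx holds the real object. */
DWORD pet_position(DWORD pet) { ensure_memory(); return rd(pet + POS_OFFSET); }
DWORD pos_x(DWORD pos) { return pos & 0xFFFFu; }
DWORD pos_y(DWORD pos) { return pos >> 16; }

int main(void) {
    DWORD p = pet_position(chain_right());
    printf("wrong object = %#x, right object = %#x\n", chain_wrong(), chain_right());
    printf("position = %#x -> x=%u y=%u\n", p, pos_x(p), pos_y(p));
    return 0;
}
```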
07/21/2021, 23:33 #14
elite*gold: 0
Join Date: Sep 2020
Posts: 10
Received Thanks: 0
Addresses signature issues
Hi again,
I wanted to get the addresses thanks to their signatures, but I only succeeded in getting the walk function address with this method.
However, I didn't succeed in getting the Character Object address with this method.
Maybe someone can enlighten me.
07/21/2021, 23:36 #15
elite*gold: 50
Join Date: Jul 2014
Posts: 1,700
Received Thanks: 1,165
Quote:
Originally Posted by testesttesttest
Hi again,
I wanted to get the addresses thanks to their signatures, but I only succeeded in getting the walk function address with this method.
However, I didn't succeed in getting the Character Object address with this method.
Maybe someone can enlighten me.
|
Nostale has a static address that points to the character object; you could check the forum I sent you earlier to see if the pattern there still works.
Otherwise you could get it with the scenemanager.