elitepvpers

elitepvpers (https://www.elitepvpers.com/forum/)
-   Perfect World (https://www.elitepvpers.com/forum/perfect-world/)
-   -   [ask] Making an Autopot in general (https://www.elitepvpers.com/forum/perfect-world/1794226-ask-making-autopot-general.html)

Smurfin 03/30/2012 07:54

[ask] Making an Autopot in general
 
Sorry for making a thread for another game here, but since I only know people from this section, please let me ask about it here; it could be useful for starters too :handsdown:

I'm trying to make an autopot for Ran Online. Maybe some of you also play it and have any resources for it to begin with; please share :handsdown:. I used MHS because CheatEngine is detected by the gameguard. Is there any tool for changing its md5 file identity and wintitle like MHS?

So far I can only find the hp/maxhp address, but I don't know how to read it using AutoIt, which I'm going to use for making the autopot. Does every game have a base address and offsets to point at a location in memory so an autopot can be made?

I'll post screenshots later for further questions after maintenance is done; please help if anyone visits this thread :handsdown:

Thanks in advance.

If I have this memread, it says 'int' in there; is that integer? The hp value uses the 'short' type, which has a different value from the integer type. Do I have to change it or what?
Code:

Func memread($adress, $type = 'dword')
        ; $type is the DllStructCreate type of the value to read ('dword', 'short', 'USHORT', ...)
        Local $struct = DllStructCreate($type)
        ; $kernel32 is assumed to be the handle from DllOpen('kernel32.dll') and $mid the process
        ; handle from OpenProcess; the 'int' strings describe the API's parameter types,
        ; not the type of the value being read
        DllCall($kernel32, 'int', 'ReadProcessMemory', 'int', $mid, 'int', $adress, 'ptr', DllStructGetPtr($struct), 'int', DllStructGetSize($struct), 'int', '')
        Return DllStructGetData($struct, 1)
EndFunc

-----edit------



This is what it looks like. I searched the HP value in short type and got 3 addresses, then I tried to search for the pointer to that address range and got 15 results. Most tutorials I found on Google showed me that this step should give one or fewer results, which could be used to determine the pointer, but this gave me 15 results, which is confusing.


If I choose [Find out what writes to this address], which in PW gives the HP offset directly, it crashes for this game (must be the game guard), but it gave me something with the assembler thing; is there anything useful in there?

Sᴡoosh 03/30/2012 17:34

I don't know that game, but I do know this:

Either you have static addresses, or you have structures and thus base address and offsets.

Short is a signed 2-byte datatype.

Also, you can protect CE from GG's eyes by changing the name of the kernel driver and making it undetected (there are loads of guides on the internet on how to; a bit of Delphi knowledge is recommended though).

Maybe if Fyyre is lurking around here, she could give you a hand with GG, she is an epic master in this type of stuff.

Cheers

Smurfin 03/31/2012 10:09

Thanks for the brief explanation. I guess it's structured, so it should have a base address and offsets; too bad it's GG'ed, so I can't experiment much on it with my limited knowledge :(

If anyone recognizes the game and has any info on it, or can give a short step-by-step on base address/pointer searching in general for making a simple tool like an autopot, please post it here :handsdown:

dumbfck 03/31/2012 16:51

Quote:

Originally Posted by Smurfin (Post 15920467)
If I have this memread, it says 'int' in there; is that integer? The hp value uses the 'short' type, which has a different value from the integer type. Do I have to change it or what?
Code:

Func memread($adress, $type = 'dword')
    Local $struct = DllStructCreate($type)
    DllCall($kernel32, 'int', 'ReadProcessMemory', 'int', $mid, 'int', $adress, 'ptr', DllStructGetPtr($struct), 'int', DllStructGetSize($struct), 'int', '')
    Return DllStructGetData($struct, 1)
EndFunc


Nope, don't change any of the 'int's as they are required for the ReadProcessMemory API call. If you want to read a 16-bit value, call your memread() function using either 'short' for a signed short or 'USHORT' for an unsigned short integer as the second argument. It's the DllStructCreate API call that needs this.

Example:
Code:

memread($someAddress, 'USHORT')

Edit: Just noticed Swoosh has 666 posts :awesome:

Sᴡoosh 03/31/2012 16:58

Quote:

Originally Posted by dumbfck (Post 15945056)
Edit: Just noticed Swoosh has 666 posts :awesome:

And you stole 10 gold from somewhere :D



(667!!)

dumbfck 03/31/2012 17:09

Haha it was kindly donated to me ^_^
No bloody idea what it's for or what to do with it though :confused:
Can't be arsed to look it up :D

Smurfin 04/01/2012 05:58

I'm curious about that elite gold too, anything with gold interests everyone lol :p

btw, got Cheat Engine working after hex editing everything in the exe that says 'cheat' and replacing it with 'abcde', and the debugger crashing wasn't really caused by the publisher's game guarding software; it's the client itself that can detect if a debugger is attached to it. The DBVM debugger from CE is really awesome, and [find what writes to this address] is working now, though my computer froze after a few minutes the last time I tried it.

Interest07 04/01/2012 10:13

Quote:

Originally Posted by Smurfin (Post 15955651)
I'm curious about that elite gold too, anything with gold interests everyone lol :p

btw, got Cheat Engine working after hex editing everything in the exe that says 'cheat' and replacing it with 'abcde', and the debugger crashing wasn't really caused by the publisher's game guarding software; it's the client itself that can detect if a debugger is attached to it. The DBVM debugger from CE is really awesome, and [find what writes to this address] is working now, though my computer froze after a few minutes the last time I tried it.

Awesome :)

CE is a lot more convenient than MHS with these things lol.

Sᴡoosh 04/01/2012 11:17

Quote:

Originally Posted by Smurfin (Post 15955651)
I'm curious about that elite gold too, anything with gold interests everyone lol :p

btw, got Cheat Engine working after hex editing everything in the exe that says 'cheat' and replacing it with 'abcde', and the debugger crashing wasn't really caused by the publisher's game guarding software; it's the client itself that can detect if a debugger is attached to it. The DBVM debugger from CE is really awesome, and [find what writes to this address] is working now, though my computer froze after a few minutes the last time I tried it.

Are you sure it was GG in the first place? I know for a fact that GG cannot be defeated by simply editing strings, which are, by the way, encrypted in GG and not viewable with a hex editor. It will simply re-download once the MD5/SHA check is not passed. They probably detoured some function, used IsDebuggerPresent (lol), some int3 tricks or other things you can do to make debugging a pain.

Smurfin 04/01/2012 14:50

Quote:

Originally Posted by Interest07 (Post 15956708)
Awesome :)

CE is a lot more convenient than MHS with these things lol.

Yeah, and with both it's more convenient for us :D. MHS has many tools in the menu. Without the data type converters built into MHS, I wouldn't have known that I had to search the value in short type for this game; using unknown value took a lot of time. It's useful for beginners :p

Quote:

Originally Posted by Sᴡoosh (Post 15957585)
Are you sure it was GG in the first place? I know for a fact that GG cannot be defeated by simply editing strings, which are, by the way, encrypted in GG and not viewable with a hex editor. It will simply re-download once the MD5/SHA check is not passed. They probably detoured some function, used IsDebuggerPresent (lol), some int3 tricks or other things you can do to make debugging a pain.

I think it's not GameGuard™ but more like proprietary game guarding software by the publisher/developer, because there is a game.exe shared by a local Indonesian hacking forum that can be run directly without using launcher.exe, so it bypasses the 'game guard', but the game still crashed every time I clicked [find out what writes to this address]. The MHS debugger, CE's VEH debugger and CE's Windows debugger all failed; only CE's kernel-mode debugger worked, but not for long, it gave me a BSOD the last time I tried. I haven't had the time to try again. It's really painful for a noob ><; I have to learn how to find a base address for a game first and react quickly before a BSOD happens.

Specialized game protection software like GG or HackShield is really powerful (only when it's running :D). I once played an FPS game called PointBlank that used HackShield; when I tried to dual login, even from another Windows account, it could still detect that the game was already running on my PC. I was like "damn, seriously?" at that time and played normally :p, but a bypass for it is already around now.

Sᴡoosh 04/01/2012 16:18

Quote:

Originally Posted by Smurfin (Post 15962195)
...I once played an fps game called PointBlank that used HackShield, when I tried to dual login even from another windows account, it could even still detect that the game was already running in my PC, I was like "damn, seriously?"....

That's because of the heartbeat packets GameGuard sends to the server to indicate it is still running; one of the steps to counter this would be to strip the exe and write a heartbeat emulator. But since this isn't GameGuard, it may be simpler. Since you already have access to a stripped version, you should have it fairly easy. What are the differences? Open both in IDA/Olly or whatever and compare :)

Cheers

Smurfin 04/02/2012 00:03

I have thought about that, but the exe file is packed and has a 4 megabyte difference in size from the original.

I won't play multiple chars on this game though; keeping a lot of chars is time consuming, and I only need autopotting for this game. I'll try to follow a YouTube tutorial first, because it looks like the pointer is multi-level and not an easy task to find like in PW, where clicking [find what writes to this address] shows us the offset directly.

I'll put screenshots up later; please give a hint on figuring out the pointers/base address. :handsdown:

Sᴡoosh 04/02/2012 10:52

You can try tracing the pointer manually. Try setting breakpoints in the CE debugger. If it still crashes, change the breakpoint method in the settings. If you can set breakpoints, try to read the register contents, then search for the addresses in the registers. Rinse and repeat; it's not that hard once you've got it figured out.

For example:

mov eax, [edx+100]

Set a bp on this and check what the edx register's value is. Now search manually for that. If you have a result, continue.

Cheers

Smurfin 04/02/2012 12:23

OK, thanks for the tips, I'll experiment with it.
---edit---


When I clicked [find out what writes to this address], CE gave me this: mov [ecx],ax, before my computer froze and had a BSOD because I was using DBVM + kernel debugger (I guess it's not stable on my PC, or just a bug). Anyway, what is ax? It's not listed in the registers.

Here is the screenshot:

I also tried with MHS without using a debugger and searched pointers manually because this game doesn't like any kind of debugger attached to it, but it's like the pointer never ends :mad:. I could put the address along with multiple offsets and it would still point to the correct hp address (tried both in CE and MHS), but it's never static.

If anyone has the time to look into it, please advise.

dumbfck 04/03/2012 09:48

AX is the lower 16 bits (2 bytes) of the EAX register. Conversely, AH is the upper 16 bits of the EAX register.
The other registers can also be accessed in this way, typically for short integer operations. They are similarly named: BX, CX, DX (the lower 16 bits of the EBX, ECX and EDX registers respectively).

If you don't already have them, it might be worth downloading these for reference:
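As an added illustration (not code from anyone in this thread), here is a small C program that ties together the two points made above: why the same bytes searched as 'short' or 'USHORT' in the DllStructCreate type give a hit while 'dword' does not, and what the `mov [ecx],ax` write does to memory. It models the process memory with a constructed 4-byte little-endian buffer, so it runs offline without any game or ReadProcessMemory; the HP values in it are made up. One precision for the reader: AX is the low 16 bits of EAX, and AH/AL are the high and low byte of AX (bits 15..8 and 7..0 of EAX), which is what the code below implements.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: 4 bytes of process memory laid out little-endian, as an
 * x86 client would store them. The low 2 bytes hold a 16-bit HP field; the
 * high 2 bytes belong to whatever neighbouring field comes next in the struct. */
static const uint8_t sample_mem[4] = { 0x34, 0xF2, 0x01, 0x00 };

/* Read 4 bytes as a DWORD, assembling little-endian explicitly so the result
 * does not depend on the host machine's byte order. */
uint32_t read_dword(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read 2 bytes as an unsigned 16-bit value ('USHORT' in the DllStructCreate call). */
uint16_t read_ushort(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Read the same 2 bytes as a signed 16-bit value ('short'): with bit 15 set the
 * value is reported as negative even though the raw bytes are identical. */
int16_t read_short(const uint8_t *p)
{
    return (int16_t)read_ushort(p);
}

/* Sub-register views of a 32-bit EAX value: AX is the low 16 bits, AH and AL
 * are the high and low byte of AX (bits 15..8 and 7..0 of EAX). */
uint16_t reg_ax(uint32_t eax) { return (uint16_t)(eax & 0xFFFFu); }
uint8_t  reg_ah(uint32_t eax) { return (uint8_t)((eax >> 8) & 0xFFu); }
uint8_t  reg_al(uint32_t eax) { return (uint8_t)(eax & 0xFFu); }

/* Model of a 16-bit store such as `mov [ecx], ax`: only the two low bytes at
 * the destination change; the neighbouring bytes are left untouched. */
void store_ax(uint8_t *dst, uint32_t eax)
{
    uint16_t ax = reg_ax(eax);
    dst[0] = (uint8_t)(ax & 0xFFu);
    dst[1] = (uint8_t)(ax >> 8);
}

/* Copy the sample, perform the 16-bit store, and return the 4 bytes as a DWORD
 * so the effect on the neighbouring field is visible. */
uint32_t store_ax_then_read_dword(uint32_t eax)
{
    uint8_t m[4] = { sample_mem[0], sample_mem[1], sample_mem[2], sample_mem[3] };
    store_ax(m, eax);
    return read_dword(m);
}

int main(void)
{
    /* The 4-byte read includes the neighbouring field, so a DWORD search for
     * the on-screen HP value would miss; the 2-byte reads give it directly. */
    printf("as DWORD : %u (0x%08X)\n", read_dword(sample_mem), read_dword(sample_mem));
    printf("as USHORT: %u\n", read_ushort(sample_mem));
    printf("as short : %d\n", read_short(sample_mem));

    uint32_t eax = 0xDEAD0BB8u;  /* constructed: AX carries HP 3000 = 0x0BB8 */
    printf("EAX=0x%08X AX=0x%04X AH=0x%02X AL=0x%02X\n",
           eax, reg_ax(eax), reg_ah(eax), reg_al(eax));
    printf("after mov [ecx],ax: 0x%08X\n", store_ax_then_read_dword(eax));
    return 0;
}
```

Running it shows the same two bytes reading as 62004 unsigned and -3532 signed, which is why a value search has to be done in the type the game actually uses, and shows that after the 16-bit store the high two bytes (the unrelated neighbour) still read 0x0001.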

Smurfin 04/03/2012 11:33

Ohh, I see, it fits with the hp value, which is in 'short' type as well.

Sᴡoosh 04/03/2012 11:41

You can't have more than 65k HP in that game? Boooring :D

dumbfck 04/03/2012 12:03

Lol, I suppose it at least shows that they perhaps coded the game with some sort of respect for efficiency in mind, unlike PW. PW uses longs for pretty much everything... I've only come across a very small handful of shorts or bytes anywhere in the code. 32 bits for HP and MP, for example, are perhaps a little optimistic :D. No wonder the client sometimes consumes around 700 MB of RAM.

Sᴡoosh 04/03/2012 12:33

I find that funny too. There is a byte in the char struct which saves info bitwise (was +678 a few patches ago). That made me wonder, because like you said, they are NOT efficient at all. This is a strong contrast to how the rest is coded, and even the protocol (lots of junk bytes on certain packets, but then we come across a custom "packed" datatype for the length of packets and the length of strings in the protocol, so there's a big gap there...). And yeah, I doubt anybody will ever reach 4 billion HP :D...

Interest07 04/04/2012 09:05

Quote:

Originally Posted by Sᴡoosh (Post 15997385)
I find that funny too. There is a byte in the char struct which saves info bitwise (was +678 a few patches ago). That made me wonder, because like you said, they are NOT efficient at all. This is a strong contrast to how the rest is coded, and even the protocol (lots of junk bytes on certain packets, but then we come across a custom "packed" datatype for the length of packets and the length of strings in the protocol, so there's a big gap there...). And yeah, I doubt anybody will ever reach 4 billion HP :D...

Something tells me PWI was done with copy+paste coding. Sometimes they got lucky and copied efficient stuff from the net, other times it was their standard quality.

I gotta say though, 64k HP is too small a limit for PWI, just look at bosses and such with several million HP. I dare say that some barbs with full vit stones +12 with a good ToP genie might get quite close to that 64k too.

Other than that, there definitely are some less efficient things present ;)

Smurfin 04/04/2012 10:49

How do you kill a barb with 64k HP who is charmed? I saw a video on YouTube the other day; even a barb with 39k HP is hard to kill in a 1 vs 3 battle, and the 3 opponents were all R9, but his charm really got raped lol, he even put a new one on during the battle if I remember correctly. I'm sure nothing can beat a barb with 64k HP in a 1 on 1 battle.

insertcoolname 04/20/2012 07:20

A lot depends on what class you're playing and what you have available.
Indeed, if the barb just has to stay alive, 1v1 is going to be a pain.
Besides that, with the current game status I recall it not being doable above 55-ish k HP.

inuyasha1052 04/23/2012 00:03

I can only think of 2 things to kill a barb that strong: a pure dex Sage R9 sin DoT (142-something attack levels, zerk critting repeatedly with spark) or a full-out DoT R9 wizard using insta-cast Apoc and critting. I know when Poetic played on Dreamweaver on his sin he could take out any cata barb on the server easily.

As for HP limits of 65k, I know Tojan's barb has about 54k at the moment and I'm quite sure with a crappy ToP he could hit 65k, although I don't know if it would actually cap there? I know on private servers I've seen 90k+. Let's all pray they don't release those +20 vit stones you see in the AH, so many barbs will be mad they have an HP cap hahah

