[Collection Thread] War Rock Cheat Programming Discussion

[Mostey]

Quote:

Originally Posted by Peter File

Ist es eigentlich Zufall, dass du hier wieder auftauchst, nachdem xxfabbelxx zurückgetreten ist, Mostey?

Was hat denn der Rücktritt von fabbel damit zutun? Ich interessiere mich nur seit einiger Zeit (wieder) für die Programmierung und dachte halt, dass ich mal meine Fragen bzgl. Gamehacking hier stelle, da hier ja einige recht viel Ahnung davon haben.

Ich werde diese Sektion nicht mehr moderieren, falls du das meinst.

Quote:

Originally Posted by Raz9r

quick_exit

quick_exit is a function provided by WarRock or some self written function for escaping?

Quote:

Originally Posted by Raz9r

Use D3D9 libraries and avoid using D3DX9 where possible.

Why would someone do this? Speed reasons?

Quote:

Originally Posted by Raz9r

The other thing is to modify system interaction. Many people here hook stuff like WinSock2 send, recv, sendto and recvfrom to change certain packet. I also use SetWindowLongPtr with GWLP_WNDPROC to hook the window input procedure.

When hooking the packet functions (send, recv) is a full customization possible? So the content of every packet segment can be changed w/o any complications? (provided the expected arguments are correctly filled in)

Quote:

Originally Posted by Raz9r

There is no such thing like "address scans", but "pattern scans" do exist. Scanning for a memory pattern just means that you look for parts of memory in a specified area that did not change over the last updates and thus do not need to manually find the address again. It's not necessary, but definitely helpful for updating the cheat.

So if I wouldn't use pattern scans, updating my addresses for the cheat would be very time consuming, right?

Thank you for answering my questions and breaking it down a bit. Do you got some additional references which may help me by diving more specific into gamehacking?

[snow]

Quote:

Originally Posted by Mostey

quick_exit is a function provided by WarRock or some self written function for escaping?

It's a function defined by the C++11 standard. As far as I know your process will be terminated immediately -> HackShield is unable to process the ban request (don't know how they handle that in detail but my guess would be a special packet that is sent to the server).

Quote:

When hooking the packet functions (send, recv) is a full customization possible? So the content of every packet segment can be changed w/o any complications? (provided the expected arguments are correctly filled in)

Spoken in general: Yes. There might be some issues depending on your platform, compiler and such but you'd be able to log the packets or to modify the packets, yes.

Quote:

So if I wouldn't use pattern scans, updating my addresses for the cheat would be very time consuming, right?

Once again: In general: Yes.
Patterns might be the most comfortable way to find certain locations in memory after several updates.

Quote:

Thank you for answering my questions and breaking it down a bit. Do you got some additional references which may help me by diving more specific into gamehacking?

Event though I'm not Raz9r and far from being as experienced as he seems to be: I'd recommend the lena151 Tutorials (you'll find them with google), they'll teach you a basic understanding of assembled programs, that helped me a lot. And the MSDN will be your best friend for a long time ().

[Raz9r]

Edit: snow911 was faster...

Quote:

Originally Posted by Mostey

quick_exit is a function provided by WarRock or some self written function for escaping?

It's a function provided by the C++ Standard Library. In case your implementation of the standard library does not support it yet, use _exit from cstdlib.

Quote:

Originally Posted by Mostey

Why would someone do this? Speed reasons?

Yep.

Quote:

Originally Posted by Mostey

When hooking the packet functions (send, recv) is a full customization possible? So the content of every packet segment can be changed w/o any complications? (provided the expected arguments are correctly filled in)

There are some things to workaround, mostly with the logical timestamp. We discussed that few days ago right in this topic, so feel free to take a look at it.

Quote:

Originally Posted by Mostey

So if I wouldn't use pattern scans, updating my addresses for the cheat would be very time consuming, right?

Finding an address manually takes a few minutes, but needs to be done every update. Finding a memory pattern takes at least 15 minutes, but needs to be done only on updates changing the code a lot. Finding a pattern with a unique result can be really time-consuming.

Quote:

Originally Posted by Mostey

Thank you for answering my questions and breaking it down a bit. Do you got some additional references which may help me by diving more specific into gamehacking?

I am not allowed to link any of these here, as they don't link back to elitepvpers.

[Cyno™]

Quote:

Originally Posted by Mostey

Heard some good stuff about him and red his posts, the point is that I asked these questions in public to get some other guys helped at the same time.



First of all, thanks for answering my questions, I really appreciate your help.

The fourth question was about addresses, how they are scanned, you know? I know about scanning some values with CE to get the pointer which accesses that pointer and so on but I heard about some pattern scans that are used here. I'm just questioning why people prefer this pattern scans if they could perform some address-offset actions anyway?

For detecting keys state are you using the message loop, right? Guess these architecture is highly used with the help of the win32api.

About the third point: If I got this correctly, you can't actually draw your menu to the same scene(picture) without hooking this specific function?

I will take a look at hans' D3D menu class to get into it when I find some time for it.



I'm interested in the technique, how this done and stuff and not only the statement that some guys are able too hook it FUD.

Well when i search for a new Address for example for some value about the weapon i use Cheat Engine ( With the Hackshield public bypass ) and scan for those values.
All of them are normally stored in a Weapon class. I use the Cheat Engine debugging functions ( the Cheat Engine tutorial should give you nearly all informations how to use them ) to find a static pointer and the offset for it.
In the next step i create Pattern for it so i search for a specific Binary combination which is near to the static pointer and use the FindPattern function which is easy2find with google, so i don't have to search them manually after updates.
Additionally in WarRock everything is inside the WarRock.exe and not in any modules loaded. Also the Base address stays the same so no GetModuleHandle is needed.

For detecting KeyDown event i use the API GetAsyncKeyState which makes it pretty easy to determine wether specific keys are currently being pressed ( Check out the WinApi about it )

Third point: This is correct, you need to hook it because when for example Present is called you can redirect the program flow to your own code so you can execute your Draw functions.
To find a undetected Hook on those functions got pretty hard in the last few months.
Some months ago a regular JMP hook was enough ( replacing the first 5 bytes with a jump to your function ) , but Hackshield has got more powerful and now they detect all opcode modifications on those functions and also Exception Hooks, which is where you have to think about 'How can i change the program flow to my own function when this specific Function is called'.
This is pretty hard at the beginning, its a good option to learn the basics of Assembler so you know how the program works and where you can change something ( different then .text opcodes ) to get your functions executed.
Its always a good start to check the 'Caller' and 'Callees' of the Function you wan't to Hook. Its all about trying over and over again, there is no really tutorial for it, its just experience which counts here.

Regards Cyno__™

[+Yazzn]

Quote:

Ich werde diese Sektion nicht mehr moderieren, falls du das meinst.

Genau das meinte ich.

Quote:

GetAsyncKeyState

Trivia: WarRock prüft mit GetAsyncKeyState ob W, A, S, D, ... gedrückt werden.

[henksmit]

Someone has updated CPlayerInfo for me?

[*KingDevil*]

Whats wrong on that?

Code:

struct CPlayerInfo
{
        char unknown0[1288];//0x0000
        char ip[16];//0x0508  
        char unknown1[300];//0x0518
        char name[20];//0x0644  
        char unknown2[836];//0x0658
        __int32 health;//0x099C 
        char unknown3[340];//0x09A0
        BYTE team;//0x0AF8 
        char unknown4[31];//0x0AF9
};

And how he calculated this Structsize? "13671"

Code:

struct CPlayerInfo
{

		char unknown0[1288]; //0x0000
	char ip[16]; //0x0508  
		char unknown1304[300]; //0x0518
	char name[20]; //0x0644  
		char unknown1624[836]; //0x0658
	__int32 health; //0x099C  
		char unknown2464[344]; //0x09A0
	BYTE team; //0x0AF8  
		char unknown2805[13671]; //0x0AF9

};

Thank you very much

[xTeRa'Zx]

//////////////////////////////////////////////////////////////////
///////////////////////xTeRa'Zx V.I.P-Logger///////////////
//////////////////////////////////////////////////////////////////

[27/11/2013]

V.I.P:

#define ASM_VEHICLENODAMAGE 0x42A6C7 -
#define ASM_VEHICLEINVISIBLE 0x42AA1F -
#define ASM_UNLAMMO 0x51C275 -
#define ASM_WALKTHRUWALL 0x7786E6 -
#define ASM_AUTOAMMO1 0x506BA6 -
#define ASM_AUTOAMMO2 0x506F1C -
#define ASM_AUTOHEALTH1 0x506CAF -
#define ASM_AUTOHEALTH2 0x506BE6 -
#define ASM_AUTOREPAIR1 0x42722E -
#define ASM_AUTOREPAIR2 0x42725D -
#define ASM_AUTOREPAIR3 0x4272DA -
#define ASM_WarrockCheck1 0x51B876 -
#define ASM_WarrockCheck2 0x5DF0BF -
#define ASM_VEHSUPERFIRE1 0x4271A8 -
#define ASM_VEHSUPERFIRE2 0x4271D3 -
#define ASM_VEHSUPERFIRE3 0x427213 -
#define ASM_VEHJUMP1 0x45E1FF -
#define ASM_VEHJUMP2 0x45E208 -
#define ASM_VEHJUMP3 0x8D5374 -
#define ASM_ARTILLERY1 0x4F7318 -
#define ASM_ARTILLERY2 0x4F75CA -
#define ASM_ARTILLERY3 0x59BA78 -
#define ASM_ARTILLERY4 0x59BB91 -
#define ASM_ARTILLERY5 0x59B8D9 -
#define ASM_ARTILLERY6 0x57D22F -
#define ASM_ARTILLERY7 0x59BA78 -
#define ASM_ARTILLERY8 0x59BC0E -
#define ASM_INVISIBLE 0x50BEDC -
#define ASM_OPK1 0x40824A -
#define ASM_OPK2 0x408253 -
#define ASM_OPK3 0x40825F -


Credits: KingDevil, Bananegel.
//////////////////////////////////////////////////////////////////
///////////////////////xTeRa'Zx V.I.P-Logger///////////////
//////////////////////////////////////////////////////////////////

[Kazbah__]

Quote:

Whats wrong on that?

Code:

struct CPlayerInfo
{
        char unknown0[1288];//0x0000
        char ip[16];//0x0508  
        char unknown1[294];//0x0509
        char name[20];//0x0644  
        char unknown2[824];//0x0645
        __int32 health;//0x099C 
        char unknown3[344];//0x09A0
        BYTE team;//0x0AF8 
        char unknown4[35];//0x0AF9
};

[Cyanstack]

Quote:

Leute, hat einer einen Bypass für mich ?

Code:

void Byeshield ( )
{
printf("HACKSHIELD! YOU SHALL NOT PASS!");
}

Creditz : Gandalf

[Kazbah__]

Quote:

Originally Posted by Cyanstack

Code:

void Byeshield ( )
{
printf("HACKSHIELD! YOU SHALL NOT PASS!");
}

Creditz : Gandalf

was das fürn müll...

Code:

struct cEhscv
{
	const static DWORD WarRockCheck1    = 0x51C120;
	const static DWORD WarRockCheck2    = 0x5E278C;
	const static DWORD HSCallBack1      = 0x0908F0;
	const static DWORD HSCallBack2      = 0x00AC28;
	const static DWORD NanoScan1        = 0x0B3A48;
	const static DWORD NanoScan2        = 0x0B0EFD;
};

blockt aber nur eine std

[Combatdafuq]

Code:

#ifdef __WREU__
#define ADDR_PLAYERPOINTER 0xAF6AA0
#define ADDR_SERVERPOINTER 0xAF1268
#define ADDR_PLAYERINFO      0xB29090
#define OFFS_SIZE                0xB18
#endif

#ifdef __WRBR__
#define ADDR_PLAYERPOINTER 0xD3B8D0
#define ADDR_SERVERPOINTER 0xD3A874
#define ADDR_PLAYERINFO      0xD6D2D0
#define OFFS_SIZE                0xB10
#endif

class cPlayerInfo
{
 #ifdef __WREU__
	public:
		char _0x0000[1288];
			char ip[16]; //0x0508 
		char _0x0518[236];
			char LoginID[16]; //0x0604 
		char _0x0614[48];
			char name[20]; //0x0644 
		char _0x0658[836];
			__int32 health; //0x099C 
		char _0x09A0[340];
			BYTE team; //0x0AF4 
		char _0x0AF5[15691];
  #endif

 #ifdef __WRBR__
	public:
		char _0x0000[1288];
			char ip[16]; //0x0508 
		char _0x0518[228];
			char LoginID[20]; //0x05FC 
		char _0x0610[44];
			char name[16]; //0x063C 
		char _0x064C[840];
			__int32 health; //0x0994 
			__int32 maxhealth; //0x0998 
		char _0x099C[336];
			BYTE team; //0x0AEC 
		char _0x0AED[4435];
    #endif

};

cPlayerInfo * GetPlayerInfo ( int Loop )
{
   pPlayerInfo = (cPlayerInfo*)(ADDR_PLAYERINFO+(Loop*OFFS_SIZE));

   if ( ValidPointer(pPlayerInfo) )
	return pPlayerInfo;
    else
	return NULL;
}

Usage ;)
if ( GetPlayerInfo(i) > 0 ) // make sure our GetPlayerInfo has returned an valid pointer!
{
      GetPlayerInfo(i)->name;

}

Code:

Currently gun's of wr thx to toxic aka Anksel for the list
char* Weapons[411] = 
{ 
	"m7", "knuckle", "stiletto", "sword", "knuckle_2", "squeaky_hammer", "stiletto_jp", "sword_jp", "colt", "desert_eg", "mp5k", "magnum", "glock", "beretta_d", "throwing_knife", "micro_uzi", "beretta_m93r", "mp5k_gold", "mp5k_sw", "ak47", "k2", "m4a1", "famas", "l85a1", "xm8", "type89", "sig550", "tar_21", "m16a4", "an94", "hk416", "m16a4_silver", "ak47_sw", "m4a1_gold", "g36c", "g36c_d", "aks74u", "g36", "g36_d", "mp5", "p90", "uzi", "tmp9", "k1", "mp7a1", "scorpion_d", "spectre_m4", "mac10", "ump45", "cx4storm", "p90_silver", "k1_gold", 
	"cx4storm_sw", "psg_1", "barrett_m82", "aug", "ssg", "m24", "dragunov_svd", "ai_aw", "aw50f", "m21", "wa2000", "sr25", "m40a1", "ai_aw_gold", "psg_1_sw", "ssg_silver", "m60", "m249", "winchester_1300", "m4super90", "pzf_3", "m136at_4", "rpg_7", "javelin", "rpg_7_gold", "rpg_7_sw", "stinger", "sg", "tma_1a", "ha_supply", "k400_grenade", "k400_grenade_assult", "sacrifice", "smoke_g", "flash_bang_1", "flash_bang_2", "drop_c4", "switch_c4", "pda", "switch_c4", "c4", "hacking_tool", "medic_kit_1", "medic_kit_2", "medic_kit_3", "spanner", "pipe_wrench", "adrenaline", "parachute", 
	"stamina", "hp_kit", "detector", "telescope", "flash_mine", "mg3", "m134", "mk1s", "hk69", "hk69_silver", "ammo_box", "m14", "teargas", "medic_box", "k203", "telescope", "silencer", "nippers", "ha_supply", "drum_piece", "slot_chg_6th", "snowball", "scorpion_d_8th", "g36c_d_8th", "tmp9_8th", "mp7a1_8th", "ai_aw_8th", "barrett_m82_8th", "m60_8th", "g36_8th", "m249_8th", "m134_8th", "xm8_red", "scorpion_d_red", "mk1s_red", "barrett_m82_camo", "hk69_camo", "ak47_ex", "squeaky_hammer2", "strike", "lumber", "hook", "shaft", "crush", "suicidal", "infect", "famas_br", "famas_de", 
	"famas_fr", "famas_it", "famas_mx", "famas_nl", "famas_pt", "famas_es", "famas_uk", "famas_us", 
	"famas_kr", "famas_jp", "famas_en", "k400_sb_grenade", "k400_sb_assault", "t_grenade", "claymore_a", "crash", "glock17c", "psg_1_20b", "barrett_m82_nerve", "bizon", "tac_15", "s_water_balloon", "b_water_balloon", "dragunov_svd_red", "m202a1", "galil_ar", "spas_12", "ar-7", "k400_p_assult", "k400_p_grenade", "m500", "ntw_20", "fgm_172_predator", "flame_bizon", "pzf_3_dual", "m202a1_dual", "blallistic_knife", "gurkha", "mortar", "cruisemissile", "strikebomb", "suicidal2", "famas_au", "famas_be", "famas_ee", "famas_gr", "famas_hu", "famas_in", "famas_ie", "famas_pl", "famas_sa", "famas_si", "famas_ch", "famas_at", "famas_ca", "famas_fi", "famas_il", "famas_no", "famas_ro", 
	"famas_se", "famas_tr", "famas_ae", "famas_gold", "famas_g2_sd", "famas_g2_tr", "mp7a1_snow_camo", "famas_snow_camo", "impact_wrench", "t65", "big_snowball", "xm8_camo", "m202a1_camo", "wa2000_camo", "m16a4_pink", "k1_pink", "rpg_7_pink", "ai_aw_pink", "k400_c_grenade", "k400_c_assult", "ar_7", "ar_7_camo", "mag_7", "shovel", "usp", "sw_mp1bd", "m72law", "9k32_strela_2", "aps", "ksg_11", "claw_knife", "claw_knife", "mg3_box", "k400_water", "k400_water", "mp7a1_cheetah", "aw50f_camo", "famas_ind", "famas_red", "desert_eg_gold", "m72law_camo", "t65k2", "t77", "t77_d", "tonfa", "tonfa2", "grenade", "m240h", "m93_hornet_mine", 
	"m240b", "m240b_foregrip", "m240b_tactical", "ex_41_luncher", "sr_2_veresk_dot", "sr_2_veresk_dual", "sr_2_veresk", "crush", "pipe", "scorpion_d_gold", "spas_12_camo", "m60_tur", "ak47_dual", "famas_navycamo", "psg_1_navycamo", "mp7a1_navycamo", "xm8_navycamo", "aw50f_navycamo", "t65k2_camo", "ump45_camo", "tar_21_gold", "tar_21_red", "jump_attack", "degtyaryov", "hk_g11", "k1_snow_camo", "dragunov_svd_sc", "m4a1_snow_camo", "ak47_tube", "jump_breaker", "bighead_hammer", "dumpling", "g36c_d_dragon", "spas_12_dragon", "sr25_dragon", "stinger_dragon", "airdrop", "firesupport", "mk777", "dsr1", "shovel", "m16swing", "dsr1_camo", "broken_revolver", "vector", "vector_black", "at4", 
	"ak47_rb", "g36c_rb", "aw50f_rb", "scar_l", "scar_l_black", "scar_l_camo", "web_grenade", "m16swing", "suicidal", "m95_barrett", "x_12", "gauntlet", "gauntlet", "roadsign", "kitchenknife", "tooth", "pp91kedr", "pp91kedr_dual", "t_capsule", "qlb06", "ksg", "ksg_camo", "pkm", "pkm_camo", "vss", "vss_red", "pp2000", "pp2000_red", "m500_stick", "m4super90_stick", "k400_gift", "k400_a_gift", "chicago_typewriter", "m1891", "rpg_7_winter", "hk416_winter", "ntw_20_winter", "flowers", "m60", "m134", "g36c_d", "ai_aw", "m249", "famas", "k1_esl", "ak47_esl", "aug_esl", "mp5k_esl", "rpg7_esl", "fmg9_dual", "fmg9_desert", "scar_h", "scar_h_blue", "longsword", "longsword_snake", "cheytac_m200", 
	"cheytac_m200_camo", "spikestrip", "beretta_m92", "carlgustav", "type11", "mp7a1_blue", "scorpion_d_blue", "psg_1_blue", "m72law_blue", "famas_blue", "cheytac_m200_red", "type95", "type95_camo", "type95_red", "mp7a1_red", "m72law_red", "scorpion_d_navycamo", "m72law_navycamo", "woodstick_bomb", "m4a1_hanbok", "k1_hanbok", "m95_barrett_hanbok", "mk777_hanbok", "f1", "f1_desert", "usas12", "usas12_luxury", "facawotan", "pt92", "md97", "m72law_pink", "famas_pink", "mp7a1_pink", "scorpion_d_pink", "psg_1_pink", "fmg9", "cheytac_m200_hex", "negev", "negev_camo", "l34a1", "l34a1_orange", "gepard", "as50", "grenade_bow", "ak47tc", "ak47tc_tiger", "mp7tc", "mp7tc_snow", "dsr1tc", "dsr1tc_leaf"
 };

[Alliance™]

I create programm for intercept packets with c++,use socket2.
I create the connect from server:109.234.77.201 port 5330;
I decode packets with xor key.
When i run my programm i get only random code.
Example:

1:Connect to server
2:Riceve packets
3: Decode;
4: printf(packet);

But i riceve firt run:
0042786C

Second run:
00397440

Where is my error?

[Raz9r]

Quote:

Originally Posted by Alliance™

Where is my error?

Post your code.

[Alliance™]

Quote:

Originally Posted by Raz9r

Post your code.

Code:

int main(){

WSADATA wsData;
SOCKET ConnectSocket=INVALID_SOCKET;

if(WSAStartuo(MAKEWORD(2,2),&wsaData)!=0){
cout<<"WSAStartup failed!"<<endl;
WSACleanup();
return 0;
}


//Socket

ConnectSocket=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

if(ConnectSocket==INVALID_SOCKET){

cout<<"Error to create socket!"<<endl;
WSACleanup();
return 0;
}

//Resolve ip address

struct hostent *host;
if((host=gethostbyname("109.234.77.201"))==NULL){
	cout<<"Failed to resolve address ip;"<<endl;
	WSACleanup();
	return 0;
}

SOCKADDR_IN SockAddr;
SockAddr.sin_port=htons(5330);
SockAddr.sin_family=AF_INET;
SockAddr.sin_addr.s_addr=*((unsigned long*)host->h_addr);


//Connect to server

if(connect(ConnectSocket,(SOCKADDR*)(&SockAddr),sizeof(SockAddr))!=0){
	cout<<"Connection server failed!"<<endl;
	WSACleanup();
	return 0;
}

//No block
u_long iMode=1;
ioctlsocket(ConnectSocket,FIONBIO,&iMode);


//loop

for(;;){
char buffer[1000];
memset(buffer,0,999);

//riceve packets

int inDataLength=recv(ConnectSocket,buffer,1000,0);
int  i;
string packet[1000];

for(i=0;i<inDataLength;i++){
	packet[i]=buffer[i]^0x3E; //Client->Server
}

cout<<packet<<endl;

int nError=WSAGetLastError();
if(nError!=WSAEWOULDBLOCK&&nError!=0)
{
	cout<<"WinSocket error:"<<nError<<endl;
	cout<<"Disconnect from server!"<<endl;
	shutdown(ConnectSocket,SD_SEND);
	closesocket(ConnectSocket);
	break;
}
Sleep(1000);
}

system("PAUSE");
return 0;
}

Where is the error?