  1. #1
    pohkak

    Help to find out

    Hi all.
    Looking for some help to find out a solution on how to realise the function "get mob on target".
    MMORPG Requiem Online.

    OllyDBG shows the line where the "take mob on target" function is initialised.


    When I'm trying to inject my code to call this function
    Code:
    pushad
    pushfd
    mov ecx,WID          // to read WID I'm using ReadInt(0xa48e40)+0x320
    mov edx,0x7c29e0     // function address
    push ecx
    mov ecx,[0xa48e40]
    call edx             // call function
    retn
    after injecting this code, inside the client my toon has an empty HP bar on target without the mob name...
    and after 2 sec the client crashes.

    Looks like at the moment when the function was called the code didn't supply enough arguments.

    If I attach OllyDBG to the client at the line
    Code:
    push ecx
    the value of ecx does not correspond to the WID of the mob in CE.
    Are you hackers ?...No, wee are russians!

  2. #2
    tacaovo
    Maybe you should restore the stack with POPFD and POPAD?

    Code:
    pushad
    pushfd
    mov ecx,WID          // to read WID I'm using ReadInt(0xa48e40)+0x320
    mov edx,0x7c29e0     // function address
    push ecx
    mov ecx,[0xa48e40]
    call edx             // call function
    popfd
    popad
    retn

  3. #3
    pohkak
    I tried restoring all registers. But the client froze before that.
    It still shows an empty HP bar on target & crashes.

  4. #4
    pkedpker
    What does IDA PRO say about the function, is it __fastcall?

    I see that edx is used.. but it is used as the function address so probably not a parameter..

    If it is fastcall, try.. typedef'ing it

    Code:
    typedef void (__fastcall * t_Mob)(int param);
    t_Mob mobFunction = (t_Mob)0x7c29e0;

    mobFunction(*(int *)0xa48e40); //<-- pass what is stored at 0xa48e40 (your asm does mov ecx,[0xa48e40]).. find out what is at that offset.. maybe it is a buffer



    In other words, if it's not a fastcall function..

    you must fix the stack.. Try this

    Code:
    push ebp
    mov ebp, esp
    mov ecx,WID          // to read WID I'm using ReadInt(0xa48e40)+0x320
    mov edx,0x7c29e0     // function address
    push ecx
    mov ecx,[0xa48e40]
    call edx             // call function
    mov esp, ebp         // restore the stack whether or not the callee popped the argument
    pop ebp
    retn

  5. #5
    pohkak
    With this the game crashed without showing the empty HP bar.
    Probably [0xa48e40] is a buffer.
    Last edited by pohkak; 2011-09-25 at 10:20 PM.

  6. #6
    pkedpker
    Can you add OllyDbg to your game? Or is the game protected?

    If you can add OllyDbg.. or at least.. attach OllyDbg to the game.. while it's running.. Resume Threads etc..

    Then in the DLL you are injecting.. breakpoint on the code you added; it should be a __declspec(naked) function, maybe you forgot this.

    Run it line by line.. and find out which line it crashes on.. most likely.. the bad parameter yup

    Code:
    __declspec(naked) void MOB(int WID)
    {
        __asm{
            push ebp
            mov ebp, esp                     ; frame first, so WID resolves to [ebp+8] in a naked function
            pushad
            pushfd
            mov ecx, WID                     ; to read WID I'm using ReadInt(0xa48e40)+0x320
            mov edx, 0x7c29e0                ; function address
            push ecx                         ; stack argument
            mov ecx, dword ptr ds:[0xa48e40]
            call edx                         ; call function
            lea esp, [ebp-36]                ; 32 (pushad) + 4 (pushfd): drop the argument if the callee left it
            popfd
            popad
            pop ebp
            ret
        }
    }
    Breakpoint it.. I think it will crash at either
    call edx..
    or somewhere inside the edx function.. find out the differences where the registers look messed up.. between your code and the official code..

    Then you have to somehow either create the buffer yourself.. or if the buffer is important.. somehow point to it properly.. maybe this address [0xa48e40] will not be found in the DLL's asm... since it's part of the game exe.

  8. #7
    pohkak
    Thx for the good idea to check where my code stops working...
    By putting the WID of the mob directly in the code it worked.... Now I only need to find how to read that value from memory correctly....

  9. #8
    ratrix
    pkedpker

    I'm trying to decipher the packets with a Java program that I created based on this post:
    Code:
    #ifndef _INFINITY_TALE_CRYPT_
    #define _INFINITY_TALE_CRYPT_
    #include <string.h>

    int laEncrypt(char *data, int length)
    {
        int size = length;

        data[4] ^= 0x76;
        for (int i = 5; i < size; i++)
            data[i] ^= data[i - 1];
        return 1;
    }

    int laDecrypt(char *data, int length)
    {
        int size = length;
        char k = data[4];
        char j = 0;

        data[4] ^= 0x76;
        for (int i = 5; i < size; i++)
        {
            j = data[i];
            data[i] ^= k;
            k = j;
        }
        return 1;
    }

    #endif
    by SaiMs


    a) Let's take a look at a sample header and decrypt it.

    Code:
    char crypt[] = {0x0A, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x00, 0x01};

    or simply:
    [INT32]   [CHAR8]      [char[]]
    [HEADER]  [Packet ID]  [DATA]
    0A 00 00 00   64   00 00 00 00 01   (HEX)

    0x0A is the LENGTH of the packet and is not needed in the decryption process.
    This is an INT, little-endian, and uses the first 4 bytes to give the TOTAL length.

    0x0A = 10 in decimal; the length of this packet is indeed 10.

    END NOTE: Packet headers are NOT encrypted.

    1.b) Let's step through the encryption.

    Code:
    data[4] ^= 0x76;
    We skip to the packet id and xor it with 0x76 (magic #).

    This reveals the packet ID, so in this case:

    64 XOR 12 = 0x76. You can use a scientific calculator if you want; these results are accurate, I have checked them against Bravo's posts. (I assume he used traitor's sniffer or ours; I'll be releasing my own soon with a GUI)

    After the header, we have a for loop:

    Code:
    data[i] ^= data[i-1];
    It starts at 5; we are finished with the header and the packet id.

    This is just some logical xor swap.

    Grab the first byte,

    Code:
    j = data[i];

    xor it with k, which is the packet id (init),

    Code:
    data[i] ^= k;

    make the new k value the data we just produced,

    Code:
    k = j;

    I need to send a message in the all chat, change the program and be accepted on the target server. But the packets necessary to decipher... can you help me? The program did not work..

    The game is AIKA.

    ---------- Post added at 04:16 PM ---------- Previous post was at 04:15 PM ----------

    If necessary, I can create a decryption call. Help me please.
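    As an added illustration (not code from the thread or from SaiMs), this C program walks the sample packet quoted above through the same XOR chain: it checks the plaintext length field, decodes and re-encodes the bytes, and shows that, because the only constant is 0x76 and every byte depends only on its neighbour, the routine is an obfuscation layer rather than a cipher. The function names and the main() are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define LA_MAGIC 0x76  /* constant from the SaiMs routine quoted above */
/* Sample packet from the post, as it appears on the wire (length field in clear). */
const uint8_t SAMPLE[] = {0x0A, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x00, 0x01};
/* Little-endian 32-bit total length stored in the first four (unencrypted) bytes. */
uint32_t la_packet_length(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Forward chain: byte 4 XOR magic, then each byte XOR the already-encoded byte before it. */
void la_encode(uint8_t *d, size_t n) {
    if (n < 5) return;
    d[4] ^= LA_MAGIC;
    for (size_t i = 5; i < n; i++) d[i] ^= d[i - 1];
}

/* Inverse: XOR with the still-encoded previous byte, saved before it is overwritten. */
void la_decode(uint8_t *d, size_t n) {
    if (n < 5) return;
    uint8_t prev = d[4];
    d[4] ^= LA_MAGIC;
    for (size_t i = 5; i < n; i++) { uint8_t cur = d[i]; d[i] ^= prev; prev = cur; }
}

/* No secret is involved: plaintext byte i >= 5 is just enc[i] ^ enc[i-1], so any
 * single byte is recoverable without the rest. This is an encoding, not a cipher. */
uint8_t la_peek(const uint8_t *enc, size_t i) {
    return i == 4 ? (uint8_t)(enc[4] ^ LA_MAGIC) : (uint8_t)(enc[i] ^ enc[i - 1]);
}

/* Checks the length field, decodes the sample, re-encodes it and compares with the
 * wire bytes; returns the packet id (0x12 for the sample) or -1 on any mismatch. */
int la_sample_roundtrip(void) {
    uint8_t buf[sizeof SAMPLE];
    memcpy(buf, SAMPLE, sizeof buf);
    if (la_packet_length(buf) != sizeof buf) return -1;
    la_decode(buf, sizeof buf);
    int id = buf[4];
    if (buf[5] != la_peek(SAMPLE, 5)) return -1;  /* peek must agree with the full decode */
    la_encode(buf, sizeof buf);
    return memcmp(buf, SAMPLE, sizeof buf) == 0 ? id : -1;
}

int main(void) {  /* prints: packet length 10, packet id 0x12 */
    printf("packet length %u, packet id 0x%02x\n", (unsigned)la_packet_length(SAMPLE), la_sample_roundtrip());
    return 0;
}
```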

  10. #9
    pkedpker
    ^ that is not Java, it's C/C++. Looks like you just copy-pasted that out of the Aika section and have no idea what it does or how to use it. Try trying

  11. #10
    ratrix
    Well.. I did not understand your comment... I translated the text above to Java. I pasted an Aika HEX package... but it did not work... An accurate method of decryption and encryption, so that if I create a chat spam... I can also do it with honor! O.o... Like capturing the package through OllyDbg, honor, and using the enc/dec method, and I am repeating it like a repeating structure. auhauhauah... My English is very bad. pkedpker, you, I believe, are one of the people who have an understanding of the functioning of Aika's routines... Help me
