Packet hack, proxy dll
Here is a guide for creating a basic Proxy-DLL skeleton plus the hack itself.
Target: Kal-Online
Requirements
- Some C++ and UCE (memory and such stuff) knowledge
- Some Time
- Common sense
Theory
So our first question is "How do I even get some piece of my code into the game process?"
There are many possible ways (I don't know all of them either), but for our Kal-Online purposes we can use the Proxy-DLL solution. It isn't the only solution, of course.
Let me explain how it works. We know that Kal-Online imports some functions from DLLs. So we take one of the libraries from which Kal-Online loads its imports and create a library with the same name. It exports all the functions under the same names as the original library, and the code of every function that is needed is loaded from the original library. The game picks up our copy because Windows searches the application's own directory before the system directories.
(Originally posted by wiki)
Scheme
It's possible that you still don't get it; read on, you may understand it later in the tutorial.
So... Because we are lazy guys and there are simply too many exports to write by hand, we will use a wrapper tool (wrappit) that creates the Proxy-DLL skeleton for us in no time.
Creating Proxy dll
So, let's copy all needed files into one folder. Let's say it's C:/ProxyDLL/. Copy wrappit and the original library whose exports we will wrap. I will copy d3dx9_29.dll in this case.
- Step: We will obtain the export list using the Visual Studio command prompt. Open it from Program Files, or from Start/All apps/Microsoft Visual Studio xxxx/Visual Studio Tools/Visual Studio Command Prompt (xxxx).
- Step: Change directory to our ProxyDLL folder and type into the command prompt: DUMPBIN /EXPORTS d3dx9_29.dll > EXPORTS.txt (without quotes). This should create a file in our folder with the needed export information.
- Step: Now let's rename the original library to something else, like "favorite" d3dx9_29_.dll or BadAss_Lib.dll.
- Step: We are ready to use the wrapper now. The syntax is: wrappit.exe <dll> <txt> <convention> <new dll name> <cpp> <def>, where <dll> is the old name of the original lib, <txt> the exports dump text file, <convention> the function calling convention, <new dll name> the name we assigned to the original lib, <cpp> the name of the cpp file that will be generated and <def> the name of the definition file that will be generated. So it will be: wrappit.exe d3dx9_29.dll EXPORTS.txt __stdcall d3dx9_29_.dll d3dx9_29.cpp Exports_Def.def
- Step: Now your folder should contain 2 new files: d3dx9_29.cpp and Exports_Def.def
If yes, then congratulations… You have just created Proxy-DLL skeleton…
Creating Cheat
1. Project Setup
Now create a new empty DLL project in Visual Studio and add the existing item d3dx9_29.cpp to Source Files. You can name the project whatever you like, but if you are not experienced I recommend naming it d3dx9_29. Now right-click the project and select Properties. First of all, although it's not strictly necessary, change the character set to Multi-Byte, as I don't want to read crying posts about "My compiler gives me an error about strings". Switch to Linker/Input and set Module Definition File to Exports_Def.def. Save the properties and return to the project.
Notice the LoadLibrary(".\\d3dx9_29_.dll") call in the generated file:
Code:
```cpp
#include <windows.h>
#pragma pack(1)

HINSTANCE hLThis = 0;   // this proxy DLL
HINSTANCE hL = 0;       // the renamed original library
FARPROC p[332] = {0};   // one slot per exported function of the original

BOOL WINAPI DllMain(HINSTANCE hInst, DWORD reason, LPVOID)
{
    if (reason == DLL_PROCESS_ATTACH)
    {
        hLThis = hInst;
        // The backslash in the path has to be escaped in C++ source
        hL = LoadLibrary(".\\d3dx9_29_.dll");
        if (!hL) return FALSE;
        p[0] = GetProcAddress(hL, "D3DXAssembleShader");
        p[1] = GetProcAddress(hL, "D3DXAssembleShaderFromFileA");
        p[2] = GetProcAddress(hL, "D3DXAssembleShaderFromFileW");
        p[3] = GetProcAddress(hL, "D3DXAssembleShaderFromResourceA");
        p[4] = GetProcAddress(hL, "D3DXAssembleShaderFromResourceW");
        p[5] = GetProcAddress(hL, "D3DXBoxBoundProbe");
        p[6] = GetProcAddress(hL, "D3DXCheckCubeTextureRequirements");
        p[7] = GetProcAddress(hL, "D3DXCheckTextureRequirements");
        // ... the remaining p[] entries and the rest of the generated file are not shown in the post
    }
    return TRUE;
}
```
It may contain another name, the one you specified when we were creating the proxy-dll skeleton (like "BadAss_Lib.dll").
Short explanation: you can see the main function of the DLL. On initialization the original library is loaded and the addresses of all original functions are obtained. Read more on MSDN: GetProcAddress Function (Windows)
2. Cheat Setup
Let’s finally add the cheat…
You might need a pattern scanner as well; I will explain why later. I don't fancy releasing mine yet, so use BakaBug's. What does it do? It searches for bytes in a preset order inside the process, from a specified start address to a specified end address. If that byte sequence is found, the address of its first byte is returned.
You should also add MemCpyEx. What's that? It's an extension of memcpy; the bonus feature is that it calls VirtualProtect before the memcpy so the destination page is writable. That's the whole magic.
Both functions are included in this source and in other sources around.
Let's create our hacking function. This source uses a console, as we won't control the hack through a GUI (it would make the source harder to read). So let's add a command console function; in the source it is called void CommandComm().
You will have to include new headers for the console: io.h, stdio.h and fcntl.h.
We will also add a function, which will handle the commands typed into command console.
void CommandHandler()
How it works is explained in the comments in the source.
You can also add a simple function, which will print available commands.
It’s called void Menu() in the source.
So let’s create our main cheat function. Call it whatever you like… In source it will be called void CheatMain()
So what will CheatMain do? It will be started as a new thread, and then we need to delay execution a little, otherwise the INT anti-hacking tricks at start will free it (FreeConsole). The Sleep function will be helpful here. Then you can load your command box. Now you can also change the title by calling SetConsoleTitle, then display the available commands by calling Menu(). We will printf them; we could also use cout, but stdio.h is already included, so why include iostream as well? The rest of the source is commented.
So how do we exactly use the collected information from UCE/Dbg/Whatever?
Well, let's declare a new global double-word variable, which will store the base address of the pointer you found. Also declare the offsets and our pointers, which will point to speed, x, y, z, whatever.
Code:
```cpp
DWORD g_dwBasePointerAddress = 0;   /* INPUT YOUR FOUND ADDRESS HERE INSTEAD OF ZERO */
DWORD g_dwSpeedOffset = 0;          // Set here the offsets which you found
DWORD g_dwZCoordOffset = 0;
DWORD* g_pdwSpeed = 0;
DWORD* g_pdwCoordZ = 0;
```
In our command handling function, we create the procedure for setting the speed. That's pretty much the whole trick.
Code:
```cpp
if (strcmp(chCommand, ".setspeed") == 0)   // If the string stored in chCommand is .setspeed, execute the commands
{
    DWORD dwSpeedValue = 0;
    DWORD dwBuffer = 0;   // Temporary storage for memory copied from the base pointer address
    printf_s("Enter desired value: ");
    scanf_s("%d%*c", &dwSpeedValue);
    // Copies 4 bytes from the address stored in g_dwBasePointerAddress (the base pointer) into dwBuffer
    MemCpyEx((LPVOID)&dwBuffer, (LPVOID)g_dwBasePointerAddress, 4);
    g_pdwSpeed = (DWORD*)(dwBuffer + g_dwSpeedOffset);   // dwBuffer now holds the pointer; add the offset to it
    *g_pdwSpeed = dwSpeedValue;   // Set the value pointed to by the pointer to the desired value
    printf_s("\nEnter Command: ");
}
```
3. Pattern Solution
I promised I would return to the SearchPattern function. I think you already noticed "Search for array of bytes" in your UCE. So that's it: you can use it to find the base pointer address. You will have to extract some bytes which are unique and have some relation to the base pointer or whatever else you are trying to figure out. For example, say you found that this unique pattern (I just made this one up) "EB 4A 5C 2A 54 85 44 AC 6F 7B 7B 7B 00 00 AA 4C 1A 12" is always 0x50 bytes away from the base pointer.
You will have to add the source files to your project, because not all of you would be able to open a VS2010 solution. Also, if you don't understand some Windows function, look on MSDN.
Example, in the .setspeed procedure:
Code:
```cpp
....
DWORD dwFar = 0x75;   // It's 0x75 bytes away from the pattern. 0x is the prefix for a hexadecimal number
if (g_dwBasePointerAddress == 0)
{
    // SearchPattern returns 0 when nothing is found, so the sum would then be exactly dwFar
    g_dwBasePointerAddress = dwFar + SearchPattern("EB 4A 5C 2A 54 85 44 AC 6F 7B 7B 7B 00 00 AA 4C 1A 12",
                                                   0x00400000, 0x007FFFFF);   // scan range: start and end address
    if (g_dwBasePointerAddress != 0 && g_dwBasePointerAddress != dwFar)
    {
        printf_s("Everything went smoothly. g_dwBasePointerAddress was set");
    }
    else
    {
        printf_s("Something went wrong. g_dwBasePointerAddress will be set to zero");
        g_dwBasePointerAddress = 0;
    }
}
if (g_dwBasePointerAddress != 0)
{
    .... SAME AS THE .setspeed CODE SHOWN BEFORE ....
}
...
```
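The post describes SearchPattern but does not include it. As an added example (my own portable code, not BakaBug's scanner and not part of the post), here is the same byte-sequence search over a constructed buffer standing in for a memory region, together with the dwFar bookkeeping from the snippet above. It shows the cases that check exists for: no match, a match outside the scanned range, and a range too short to hold the pattern. The names parsePattern, searchPattern, resolveBase and makeSampleRegion are my own.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

// Parse the textual "EB 4A 5C ..." pattern format used in the post into bytes.
std::vector<uint8_t> parsePattern(const std::string& text) {
    std::vector<uint8_t> out;
    std::istringstream in(text);
    std::string tok;
    while (in >> tok) out.push_back(static_cast<uint8_t>(std::stoul(tok, nullptr, 16)));
    return out;
}

// Stand-in for SearchPattern: scan [begin, end) of `mem` (a constructed buffer
// instead of live process memory) and return the offset of the first byte of
// the first match, or 0 when nothing matches -- the same "0 means not found"
// contract the .setspeed code relies on.
size_t searchPattern(const std::vector<uint8_t>& mem, const std::string& pattern,
                     size_t begin, size_t end) {
    std::vector<uint8_t> pat = parsePattern(pattern);
    if (pat.empty() || end > mem.size() || begin >= end || end - begin < pat.size()) return 0;
    for (size_t i = begin; i + pat.size() <= end; ++i) {
        size_t j = 0;
        while (j < pat.size() && mem[i + j] == pat[j]) ++j;
        if (j == pat.size()) return i;
    }
    return 0;
}

// Mirrors the post's g_dwBasePointerAddress logic: add dwFar to the hit, and treat a
// result equal to dwFar alone (i.e. the search returned 0) as failure.
size_t resolveBase(const std::vector<uint8_t>& mem, const std::string& pattern,
                   size_t begin, size_t end, size_t dwFar) {
    size_t base = dwFar + searchPattern(mem, pattern, begin, end);
    if (base != 0 && base != dwFar) return base;
    return 0;
}

// Constructed sample region: 0x200 bytes of filler with the post's example
// pattern written at offset 0x40.
std::vector<uint8_t> makeSampleRegion() {
    std::vector<uint8_t> mem(0x200, 0x90);
    std::vector<uint8_t> pat = parsePattern("EB 4A 5C 2A 54 85 44 AC 6F 7B 7B 7B 00 00 AA 4C 1A 12");
    std::copy(pat.begin(), pat.end(), mem.begin() + 0x40);
    return mem;
}
```

Two things the contract hides: a hit at the very first byte of the range is indistinguishable from a miss, so a scanner should really report "found" separately from the offset; and scanning a live process additionally has to skip unmapped pages, which a plain loop over a fixed address range does not do.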
© Thiesius
Addon:
SendFunction
Code:
```cpp
#include <windows.h>

DWORD PBACK = 0x000000;   // <- You need to get the back address with IDA etc., or find it with SearchPattern.
// Executes a standard prologue (push ebp / mov ebp,esp / sub esp,18h) and then jumps to PBACK
#define SendASM __asm{ push ebp }; __asm{ mov ebp, esp }; __asm{ sub esp, 18h }; __asm{ JMP PBACK };

__declspec(naked) int __cdecl SendPacket(BYTE Header, LPCSTR Format, ...)
{
    SendASM;
}
```
RecvFunction
RecvHandling (method 2 by ILikeItEasy)
Code:
```cpp
#include <winsock2.h>
#include <windows.h>
#include <detours.h>   // DetourFunction from the Microsoft Detours library

int DetouredRecv(SOCKET Socket, char *Buffer, int Length, int Flags);
int (__stdcall *PacketRecv)(SOCKET Socket, char *Buffer, int Length, int Flags);

void Recv()
{
    PacketRecv = (int (__stdcall *)(SOCKET, char *, int, int))DetourFunction((PBYTE)recv, (PBYTE)DetouredRecv);
}

int DetouredRecv(SOCKET Socket, char *Buffer, int Length, int Flags)
{
    // Call the original first so Buffer holds the bytes of this call, not the previous one
    int ret = PacketRecv(Socket, Buffer, Length, Flags);
    if (ret > 2)
    {
        switch ((unsigned char)Buffer[2])
        {
        case 0x36:   // item drop
            break;
        }
    }
    return ret;
}
```
Code:
```cpp
int ASyncPos = 0;    // bytes of the current packet received so far
int FinalSize = 0;   // total length of the current packet, read from its first two bytes

int (WINAPI *OrigRecv)(SOCKET s, char* buf, int len, int flags);   // original recv, set when the detour is installed
void HandlePacket(const unsigned char* buf, int len);                // your packet handler

int WINAPI MyMagicRecv(SOCKET s, char* buf, int len, int flags)
{
    // A packet completed by the previous call is handled now
    if (ASyncPos == FinalSize && FinalSize > 0)
    {
        HandlePacket((const unsigned char*)buf, ASyncPos);
        ASyncPos = 0;
    }
    int ret = OrigRecv(s, buf, len, flags);
    if (ret < 0)
        return ret;
    if (ASyncPos == 0)
        FinalSize = *((short int*)buf);   // the first two bytes carry the packet length
    ASyncPos += ret;
    return ret;
}
```
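The framing logic above assumes that successive recv() calls deliver exactly one packet and only hands it over on the next call. As an added example (my own code, not from the post or from ILikeItEasy), here is a portable reassembler for the same 2-byte length-prefixed framing that keeps its own buffer, so a packet split across several reads and several packets arriving in one read are both handled. It works on a constructed byte stream instead of a socket; the "opcode at byte 2" convention is taken from the switch in DetouredRecv, and the little-endian length field is what the short read in MyMagicRecv implies on x86. The class and function names are my own.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Reassembles packets whose first two bytes hold the total packet length
// (little-endian, header included).
class PacketReassembler {
public:
    // Feed the bytes one recv() call returned. Returns every packet that became
    // complete, so a single call can yield zero, one or several packets.
    std::vector<std::vector<uint8_t>> feed(const uint8_t* data, size_t len) {
        pending_.insert(pending_.end(), data, data + len);
        std::vector<std::vector<uint8_t>> complete;
        size_t pos = 0;
        while (pending_.size() - pos >= 2) {
            size_t total = pending_[pos] | (static_cast<size_t>(pending_[pos + 1]) << 8);
            if (total < 2) {   // a length smaller than its own header means the stream is corrupt
                corrupt_ = true;
                pending_.clear();
                return complete;
            }
            if (pending_.size() - pos < total) break;   // packet not complete yet, wait for more bytes
            complete.emplace_back(pending_.begin() + pos, pending_.begin() + pos + total);
            pos += total;
        }
        pending_.erase(pending_.begin(), pending_.begin() + pos);
        return complete;
    }
    size_t pendingBytes() const { return pending_.size(); }
    bool corrupt() const { return corrupt_; }

private:
    std::vector<uint8_t> pending_;   // bytes received but not yet forming a whole packet
    bool corrupt_ = false;
};

// The byte DetouredRecv switches on (Buffer[2]); -1 if the packet is too short to have one.
int opcode(const std::vector<uint8_t>& packet) {
    return packet.size() > 2 ? packet[2] : -1;
}

// Constructed stream: packet A = 04 00 AA BB (length 4), packet B = 06 00 36 11 22 33 (length 6).
std::vector<uint8_t> sampleStream() {
    return {0x04, 0x00, 0xAA, 0xBB, 0x06, 0x00, 0x36, 0x11, 0x22, 0x33};
}

// Deliver the stream in the given chunk sizes, as a sequence of recv() calls would,
// and collect every reassembled packet.
std::vector<std::vector<uint8_t>> deliverInChunks(const std::vector<uint8_t>& stream,
                                                  const std::vector<size_t>& chunkSizes) {
    PacketReassembler r;
    std::vector<std::vector<uint8_t>> packets;
    size_t offset = 0;
    for (size_t n : chunkSizes) {
        if (offset + n > stream.size()) n = stream.size() - offset;
        for (auto& p : r.feed(stream.data() + offset, n)) packets.push_back(p);
        offset += n;
    }
    return packets;
}
```

Delivering the same ten bytes as {3, 4, 3}, {1, 9} or {10} yields the same two packets, which is the property the per-call version above cannot give you; the corrupt-length check is the minimum sanity test before trusting a length field read off the wire.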