  1. #1 Dwar (Veteran, joined 2010 Mar)

    Packet hack, writing proxy dll

    Packet hack, proxy dll

    Here is a guide for creating the basic Proxy-DLL skeleton + hack.
    Target: Kal-Online

    Requirements
    • Some C++ and UCE (memory and such stuff) knowledge
    • Some Time
    • Common sense


    Theory
    So our first question is "How do I even get some piece of my code into the game process?"
    There are many possible ways, and I don't know all of them either, but for our Kal-Online purposes we might use the Proxy-DLL solution (it isn't the only solution, of course).
    Let me explain how it works: we know that Kal-Online imports some functions from DLLs.
    Quote, originally posted by wiki:
    Dynamic-link library (also written without the hyphen), or DLL, is Microsoft's implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems.
    So we will take one of those libraries from which Kal-Online needs to load its imports, and we will basically create a library with the same name; then we will export all functions with the same names as in the original library, and all the needed function code will be loaded from the original library.

    Scheme

    It's possible that you still don't get it. Read on; you may understand it later in the tutorial.
    So... because we are lazy guys and there are simply too many exports to write by hand, we will use a wrapper which will create the Proxy-DLL skeleton for us in no time.

    Creating Proxy dll
    So, let's copy all needed files into one folder. Let's say it's C:/ProxyDLL/. Copy wrappit and the original library from which we will wrap the exports. I will copy d3dx9_29.dll in this case.
    1. Step:
      We will obtain the export list by using the Visual Studio command prompt. Open it from Program Files, or from Start/All apps/Microsoft Visual Studio xxxx/Visual Studio Tools/Visual Studio Command Prompt (xxxx).

    2. Step:
      Change dir to our ProxyDLL folder and type into the command prompt: "DUMPBIN /EXPORTS d3dx9_29.dll > EXPORTS.txt" without the quotes. This should create in our folder a file with the needed export information.
    3. Step:
      Now let's rename the original library to something else, like your "favorite" d3dx9_29_.dll or BadAss_Lib.dll.
    4. Step:
      We are ready to use the wrapper now. The syntax is <dll> <txt> <convention> <new dll name> <cpp> <def>, where <dll> is the old name of the original lib, <txt> the export dump text file, <convention> the function calling convention, <new dll name> the name we assigned to the original lib, <cpp> the name of the cpp file which will be generated and <def> the name of the definition file which will be generated. So it will be: wrappit.exe d3dx9_29.dll EXPORTS.txt __stdcall d3dx9_29_.dll d3dx9_29.cpp Exports_Def.def
    5. Step:
      Now your folder should contain 2 new files: d3dx9_29.cpp and Exports_Def.def
      If yes, then congratulations... You have just created the Proxy-DLL skeleton...



    Creating Cheat

    1. Project Setup
    Now create a new empty DLL project in Visual Studio and add the existing item d3dx9_29.cpp into Source Files. You can name the project whatever you like, but if you are not experienced, then I recommend naming it d3dx9_29. Now right-click on the project and select Properties. First of all, although it's not really necessary, change the character set to Multi-Byte, as I don't want to read crying posts about "My compiler gives me an error about strings". Switch to Linker/Input and set Module Definition File to Exports_Def.def. Save the properties and return to the project.
    Code:
    #include <windows.h>
    #pragma pack(1)

    HINSTANCE hLThis = 0;   // handle of this proxy DLL
    HINSTANCE hL = 0;       // handle of the renamed original library
    FARPROC p[332] = {0};   // one slot per forwarded export

    BOOL WINAPI DllMain(HINSTANCE hInst, DWORD reason, LPVOID)
    	{
    	if (reason == DLL_PROCESS_ATTACH)
    		{
    		hLThis = hInst;
    		// The backslash must be escaped inside a C string literal
    		hL = LoadLibrary(".\\d3dx9_29_.dll");
    		if (!hL) return FALSE;

    		p[0] = GetProcAddress(hL,"D3DXAssembleShader");
    		p[1] = GetProcAddress(hL,"D3DXAssembleShaderFromFileA");
    		p[2] = GetProcAddress(hL,"D3DXAssembleShaderFromFileW");
    		p[3] = GetProcAddress(hL,"D3DXAssembleShaderFromResourceA");
    		p[4] = GetProcAddress(hL,"D3DXAssembleShaderFromResourceW");
    		p[5] = GetProcAddress(hL,"D3DXBoxBoundProbe");
    		p[6] = GetProcAddress(hL,"D3DXCheckCubeTextureRequirements");
    		p[7] = GetProcAddress(hL,"D3DXCheckTextureRequirements");
    		// ... p[8] up to p[331] follow the same pattern (generated by wrappit)
    		}
    	return TRUE;
    	}
    Notice LoadLibrary(".\\d3dx9_29_.dll");
    It may contain another name, the one you specified when we were creating the proxy-dll skeleton (like "BadAss-Lib.dll").
    Short explanation: you can see the main function of the DLL. On initialization the original library is loaded and all original function addresses are obtained. Read more at: GetProcAddress Function (Windows)

    2. Cheat Setup
    Let's finally add the cheat...
    You might need a pattern scanner as well; I will explain why later. I don't fancy releasing mine yet, so use BakaBug's one. What does it do? It searches for bytes in a preset order inside the process, from a specified address to a specified address. If such a byte sequence is found, the address of its first byte is returned.
    You should also add a MemCpyEx. What's that? It's an extension of memcpy. The bonus feature is that it calls VirtualProtect before memcpy. That's the whole magic.
    Those two functions are included in this source and also in other sources around.
    Let's create our hacking function. This source will use the console, as we won't control the hack by GUI (it would make the source more difficult to read). So let's add a command console function. In the source it will be called void CommandComm()
    You will have to include new headers for the console: io.h, stdio.h and fcntl.h
    We will also add a function which will handle the commands typed into the command console:
    void CommandHandler()
    How it works is explained in the comments in the source.
    You can also add a simple function which will print the available commands.
    It's called void Menu() in the source.
    So let's create our main cheat function. Call it whatever you like... In the source it will be called void CheatMain()
    So what will CheatMain do? It will be created as a new thread, and then we need to delay execution a little, otherwise the INT anti-hacking tricks at start will free it (FreeConsole). The Sleep function will be helpful. Then you can load your command box... You can also change the title by calling SetConsoleTitle. Then display the available commands by calling Menu(). We will printf them... We could also use cout, but we have stdio.h already included, so why should we include iostream? The rest of the source is commented.
    So how exactly do we use the information collected from UCE/Dbg/whatever?
    Well, let's declare a new global double word variable which will store the base address of the pointer you found. Also declare the offsets and our pointers, which will point to speed, x, y, z, whatever.
    Code:
    DWORD g_dwBasePointerAddress =  0; /* INPUT YOUR FOUND ADDRESS HERE INSTEAD OF ZERO */
    DWORD g_dwSpeedOffset =  0; // Set here the offsets which you found
    DWORD g_dwZCoordOffset = 0;
    DWORD* g_pdwSpeed = 0;
    DWORD* g_pdwCoordZ = 0;
    In our command handling function, we will create procedure for setting up speed.
    Code:
    if (strcmp ( chCommand , ".setspeed" ) == 0) // If the string stored in chCommand is .setspeed, then execute the commands
    		{
    			DWORD dwSpeedValue = 0;
    			DWORD dwBuffer = 0; // Temporary storage for memory copied from the basepointer address.

    			printf_s("Enter desired value: ");
    			scanf_s("%d%*c",&dwSpeedValue);

    			MemCpyEx((LPVOID)&dwBuffer, (LPVOID)g_dwBasePointerAddress, 4); // Copies memory from the address stored in g_dwBasePointerAddress (in our case, the basepointer address) to dwBuffer.
    			g_pdwSpeed = (DWORD*)(dwBuffer + g_dwSpeedOffset); // dwBuffer contains the pointer now. We have to add the offset to it.
    			*g_pdwSpeed = dwSpeedValue; // Sets the value pointed to by this pointer to dwSpeedValue - the desired value.

    			printf_s("\nEnter Command: "); // '\n' was missing its backslash in the original listing
    		}
    That's pretty much the whole trick.

    3. Pattern Solution
    I promised I would return to the SearchPattern function. I think you already noticed "Search for array of bytes" in your UCE. So that's it. You can use it to find the basepointer address. You will have to extract some bytes which are unique and have some relation to the basepointer or whatever else you are trying to figure out. For example, you found that this unique pattern (I just pulled this one out of my ass) "EB 4A 5C 2A 54 85 44 AC 6F 7B 7B 7B 00 00 AA 4C 1A 12" is always 0x50 bytes away from the basepointer.

    Example:
    In the .setspeed procedure ->
    Code:
    ....
    		DWORD dwFar = 0x75;   // It's 0x75 bytes away from the pattern. 0x is the prefix for a hexadecimal number.
    		if( g_dwBasePointerAddress == 0 )
    		{
    			g_dwBasePointerAddress = dwFar + (SearchPattern("EB 4A 5C 2A 54 85 44 AC 6F 7B 7B 7B 00 00 AA 4C 1A 12", 0x00400000, 0x007FFFFFF));

    			// If SearchPattern returned 0 (pattern not found), the sum equals dwFar, hence the second check.
    			if( g_dwBasePointerAddress != 0 && g_dwBasePointerAddress != dwFar)
    			{
    				printf_s("Everything went smoothly. g_dwBasePointerAddress was set");
    			}
    			else
    			{
    				printf_s("Something went wrong. g_dwBasePointerAddress will be set to zero");
    				g_dwBasePointerAddress = 0;
    			}
    		}

    		if( g_dwBasePointerAddress != 0)
    		{
    			....
    			SAME AS THE CODE I WROTE BEFORE
    			....
    		}
    ...
    You will have to add the source files to your project, because not all of you would be able to open a VS2010 solution. Also, if you don't understand some Windows function, then look on MSDN...
    © Thiesius



    Addon:
    SendFunction

    Code:
    #include <windows.h>

    DWORD PBACK  =  0x000000; // <- You need to get the back address with IDA etc., or do it with SearchPattern.
    // Re-creates the prologue of the game's send function, then jumps back into it at PBACK.
    #define SendASM __asm{ push ebp };__asm{ mov ebp, esp };__asm{ sub esp, 18h};__asm{ JMP PBACK };
    __declspec(naked) int __cdecl SendPacket (BYTE Header , LPCSTR Format , ... ){SendASM;}
    RecvFunction
    Code:
    #include <winsock2.h>
    #include <windows.h>
    #include <detours.h>   // DetourFunction is the Detours 1.x API

    int DetouredRecv(SOCKET Socket, char *Buffer, int Length, int Flags);
    // Trampoline to the original recv, filled in by DetourFunction
    int (__stdcall *PacketRecv)(SOCKET Socket, char *Buffer, int Length, int Flags);

    void Recv()
    {
        PacketRecv = (int (__stdcall *)(SOCKET, char *, int, int))DetourFunction((PBYTE)recv, (PBYTE)DetouredRecv);
    }

    int DetouredRecv(SOCKET Socket, char *Buffer, int Length, int Flags)
    {
        // Let the original recv fill Buffer first; before that call Buffer[2]
        // holds only whatever the caller's buffer contained previously.
        int ret = PacketRecv(Socket, Buffer, Length, Flags);
        if (ret >= 3)
        {
            switch(Buffer[2])
            {
            case 0x36: //item drop
                break;
            }
        }
        return ret;
    }
    RecvHandling (method 2 by ILikeItEasy)
    Code:
    // Assumed to exist elsewhere in the project (not shown in this post):
    // the trampoline to the original recv and the packet handler.
    extern int (WINAPI *OrigRecv)(SOCKET s, unsigned char* buf, int len, int flags);
    void HandlePacket(const unsigned char* buf, int len);

    int ASyncPos=0;   // bytes of the current packet received so far
    int FinalSize=0;  // total size of the current packet, taken from its first two bytes

    // recv() writes into buf, so it must not be declared const; WINAPI already means __stdcall.
    int WINAPI MyMagicRecv(SOCKET s, unsigned char* buf, int len, int flags)
    {
    	// The previous call completed a packet: hand it over before reading more.
    	if (ASyncPos==FinalSize && FinalSize>0)
    	{
    		HandlePacket(buf, ASyncPos);
    		ASyncPos = 0;
    	}
    	int ret = OrigRecv(s,buf,len,flags);
    	if (ret<0)
    	{
    		return ret;
    	}
    	if (ASyncPos==0)
    		FinalSize = *((short int*) buf);  // length prefix of a new packet
    	ASyncPos+=ret;
    	return ret;
    }


    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium
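As an added example, not code from the thread, from Kal-Online or from any of the posters: a stream reassembler for the framing both recv hooks above rely on, a little-endian 16-bit total length at offset 0 and the opcode at offset 2. That layout is an assumption read off the posted code (`Buffer[2]` and `*(short*)buf`), not a documented format. Method 2 only works when each recv() returns exactly one whole packet; a logging or detection component has to cope with reads that return part of a packet, several packets at once, or a length field split across reads, otherwise it desynchronises from the stream.

```python
import struct
from typing import Callable, List, Tuple

class PacketReassembler:
    """Reassemble length-prefixed packets from a byte stream. Assumed framing
    (inferred from the thread's hooks, not documented by the game):
    [u16 LE total_length][u8 opcode][payload], total_length counting all bytes."""

    def __init__(self, handler: Callable[[int, bytes], None]) -> None:
        self._buf = bytearray()
        self._handler = handler
        self.desync = False  # set once the stream can no longer be trusted

    def feed(self, chunk: bytes) -> int:
        """Append one recv() result; return how many packets became complete."""
        if self.desync:
            return 0
        self._buf += chunk
        dispatched = 0
        while len(self._buf) >= 2:
            total = struct.unpack_from("<H", self._buf, 0)[0]
            if total < 3:  # shorter than length field + opcode: never valid
                # Stop rather than spin forever on a zero-length frame.
                self.desync = True
                break
            if len(self._buf) < total:
                break  # partial packet: wait for the next read
            packet = bytes(self._buf[:total])
            del self._buf[:total]
            self._handler(packet[2], packet[3:])
            dispatched += 1
        return dispatched

def reassemble_all(chunks: List[bytes]) -> Tuple[List[Tuple[int, bytes]], bool]:
    """Feed a list of recv() chunks and collect (opcode, payload) pairs."""
    seen: List[Tuple[int, bytes]] = []
    r = PacketReassembler(lambda op, payload: seen.append((op, payload)))
    for c in chunks:
        r.feed(c)
    return seen, r.desync

# Constructed sample: three packets over three reads. Read 2 splits packet 2
# inside its length field; read 3 also carries the whole of packet 3.
SAMPLE_CHUNKS = [
    b"\x06\x00\x36abc",          # opcode 0x36, payload b"abc"
    b"\x05",                     # first byte of packet 2's length only
    b"\x00\x11xy\x04\x00\x22z",  # rest of packet 2, then packet 3 (0x22, b"z")
]
```

reassemble_all returns the parsed (opcode, payload) list plus the desync flag; a real hook would call feed() with each recv() result instead.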

  3. #2 isanswer (New member, joined 2010 Aug)

    re: Packet hack, writing proxy dll

    Simple yet elaborate tutorial...
    I cannot help pressing THANKS button

  4. #3 JeanAHough (Guest, joined 2011 Jul)

    Need help?

    I know where you can get that file.

  5. #4 Dwar (Veteran, joined 2010 Mar)
    You can create a GUI (form etc.) inside the DLL, but such an approach isn't good. Simple: create a pipe and communicate with your app.
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium

  6. #5 pornpinoy (New member, joined 2011 Nov)
    What do you mean by a pipe, sir Dwar?

  7. #6 maho34 (Guest, joined 2011 Sep)
    I can't access the download. Please re-upload an alternative link? Thanks.

  8. #7 d4rk_sasuke (New member, joined 2012 Jan)
    Me too, a re-up would be nice.

  9. #8 odynz (New member, joined 2012 Sep)
    Nice guide. Can this be used for every online game??
