Advanced hooking
Have you ever needed a simple way to control an application without having to resort to DLL injection? I decided to release a class library for .NET applications that allows you to easily manipulate a remote process by using debugging techniques.
All you have to do is add it as a reference to your project, and you're ready to use it. You can see the sample I provided if you're unsure of how it works (can easily be translated to C#, which someone already did (thanks))
The Debuggee class
Functions
AttachDebugger() - Tries to attach the debugger to the target process. Returns true if the function succeeds, false otherwise.
DetachDebugger() - Tries to detach the debugger from the target process and remove all breakpoints. Returns true if the function succeeds, false otherwise.
SetHardwareBreakpoint(Address) - Tries to set a hardware breakpoint at the specified address. Returns true if the function succeeds, false otherwise.
RemoveHardwareBreakpoint(Address) - Tries to remove a hardware breakpoint at the specified address. Returns true if the function succeeds, false otherwise.
SetMemoryBreakpoint(Address) - Tries to set a memory breakpoint at the specified address. Returns true if the function succeeds, false otherwise.
RemoveMemoryBreakpoint(Address) - Tries to remove a memory breakpoint at the specified address. Returns true if the function succeeds, false otherwise.
RemoveAllBreakpoints() - Tries to remove all memory and hardware breakpoints. Returns true if the function succeeds, false otherwise.
GetModuleFunctionAddress(ModuleName, FunctionName) - Tries to retrieve the address of a function inside a module (DLL) in the target process. If the function succeeds, the return value is the address of the module/DLL function.
AllocateMemory(Size) - Tries to allocate memory in the target process. The Size parameter is the number of bytes to allocate. If the function succeeds, the return value is the address of the allocated memory.
FreeMemory(Address) - Tries to free memory at the specified address. The address has to be an address provided by the AllocateMemory function, otherwise the function will fail. Returns true if the function succeeds, false otherwise.
ReadByte/Int16/Int32/Int64(Address) - Reads from the target process' memory and returns that value.
ReadString(Address, Length) - Reads a null-terminated text string from the target process' memory and returns that string.
ReadByteArray(Address, Length) - Reads an array of bytes from the target process' memory and returns that array.
WriteByte/Int16/Int32/Int64/String/ByteArray(Value, Address) - Writes the value to the target process' memory. Returns true if the function succeeds, false otherwise.

Methods
RemoveDebugFlag() - Removes the debug flag from the PEB (prevents the IsDebuggerPresent function from detecting the debugger).
ExecuteCode(ByteCode) - Executes the "assembly" code specified by the ByteCode parameter.

Properties
hProcess - Contains a handle to the targeted process (initialized on debugger attach).
CurrentHardwareBreakpoint - Contains the current hardware breakpoint (for use with the OnHardwareBreakpoint event).
CurrentMemoryBreakpoint - Contains the current memory breakpoint (for use with the OnMemoryBreakpoint event).

Events
OnAttach(ref Debuggee, ref ctx) - Raised upon successful debugger attach (EXCEPTION_BREAKPOINT).
OnProcessExit(ref Debuggee, ref ctx) - Raised when the target process exits.
OnAccessViolation(ref Debuggee, ref ctx) - Raised upon an access violation inside the target process.
OnHardwareBreakpoint(ref Debuggee, ref ctx) - Raised when a hardware breakpoint is hit inside the target process.
OnMemoryBreakpoint(ref Debuggee, ref ctx) - Raised when a memory breakpoint is hit inside the target process.
Just checked it out, skimmed through the code on the CoClient class.
Guess it'll be nice for the forum to have a working client hook, will be interesting to see what people come up with for bots. I like these much better than proxies. Looks like ya already got hooks set up for send and receive functions so now the forum's got something else to use other than the stripped project alchemy source, which I think a lot of people seem to have issues with.
Never looked at it though, proxies seem like nothing special to me. Gotta love working with memory though!
Yeah, I'm just not really sure if people will understand how to execute the send/recv packet functions inside CO using the Debuggee.ExecuteCode function. I mean, this is how my current code for sending a packet from client to server looks:
Code:
    ' Lives in a class that wraps Debuggee (AllocateMemory, WriteByteArray, ExecuteCode,
    ' FreeMemory) and defines the fields Connected, NetworkClass and SendPacketFunction.
    ' Needs Imports System.IO for MemoryStream and BinaryWriter.
    Public Sub SendPacket(ByVal Packet() As Byte, ByVal Length As Short)
        Dim PacketType As UShort = BitConverter.ToUInt16(Packet, 2)
        'allocate a buffer in the target process for the packet (Length bytes)
        Dim PacketAddress As Integer = AllocateMemory(Length)
        If PacketAddress > 0 Then
            WriteByteArray(Packet, PacketAddress)
            Dim ByteCode As New MemoryStream
            Dim CodeWriter As New BinaryWriter(ByteCode)
            'mov edx, packettype
            CodeWriter.Write(CByte(&HBA))
            CodeWriter.Write(CInt(PacketType))
            'push packetsize
            CodeWriter.Write(CByte(&H68))
            CodeWriter.Write(CInt(Length))
            'push packetaddress
            CodeWriter.Write(CByte(&H68))
            CodeWriter.Write(CInt(PacketAddress))
            'mov esi, networkclass
            CodeWriter.Write(CByte(&HBE))
            CodeWriter.Write(CInt(NetworkClass))
            'mov ecx, [esi+14]
            CodeWriter.Write(New Byte() {&H8B, &H4E, &H14})
            'mov eax, sendpacketfunction
            CodeWriter.Write(CByte(&HB8))
            CodeWriter.Write(CInt(SendPacketFunction))
            'call eax
            CodeWriter.Write(New Byte() {&HFF, &HD0})
            'ret
            CodeWriter.Write(CByte(&HC3))
            'write to the underlying stream
            CodeWriter.Flush()
            If Connected Then
                'execute the code
                ExecuteCode(ByteCode.ToArray())
            End If
            'free memory afterwards
            FreeMemory(PacketAddress)
        End If
    End Sub
I guess I should probably include the send/recv packet functions. Not sure if the community even wants to use this though, I just thought it'd be interesting with something different than regular proxies. This can be used for so much more though, you could use it to make bots for other games too.
I would use this for sure, not only for Conquer but for other games like WarRock and such, because you can basically send the attack packets too. I really would love to have this packet stuff set up, so you have to do the filtering yourself and make something of a bot with that.
Very handy but the thread title just makes me feel like a h0
Lololololol, I actually gave it a lot of thought - the title of the thread/project.
At least "Advanced hooking" sounds better than like "debugging hooker". I mean.. yeah
Just decided to test it out and wow... so incredibly simple to use and works great.
Super basic test example for people who are still confused...
Code:
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using AdvancedHooking;

    namespace ProjectHooker
    {
        class Program
        {
            public class COClient
            {
                const int SendPacketAddress = 0x68B0B2;
                const int RecvPacketAddress = 0x688F46;
                private Debuggee _dbg;
                private int ShellExecuteAAddress = 0;
                private bool IsAttached = false;
                private int _ProcessId = 0;

                public event OnExitEventHandler OnExit;
                public event OnRecvPacketEventHandler OnRecvPacket;
                public event OnSendPacketEventHandler OnSendPacket;

                public Debuggee Dbg
                {
                    get { return _dbg; }
                }

                public int ProcessId
                {
                    get { return _ProcessId; }
                }

                public COClient(int ProcessID)
                {
                    this._ProcessId = ProcessID;
                    this._dbg = new Debuggee(ProcessID);
                }

                public bool Attach()
                {
                    if (IsAttached)
                        return false;
                    // subscribe before attaching so the OnAttach breakpoint is not missed
                    _dbg.OnHardwareBreakpoint += new Debuggee.OnHardwareBreakpointEventHandler(_dbg_OnHardwareBreakpoint);
                    _dbg.OnMemoryBreakpoint += new Debuggee.OnMemoryBreakpointEventHandler(_dbg_OnMemoryBreakpoint);
                    _dbg.OnAttach += new Debuggee.OnAttachEventHandler(_dbg_OnAttach);
                    _dbg.OnProcessExit += new Debuggee.OnProcessExitEventHandler(_dbg_OnProcessExit);
                    if (_dbg.AttachDebugger())
                    {
                        IsAttached = true;
                        return true;
                    }
                    else
                    {
                        return false;
                    }
                }

                void _dbg_OnProcessExit(ref Debuggee Debugee, ref Helper.CONTEXT ctx)
                {
                    Detach();
                    COClient refThis = this;
                    if (this.OnExit != null)
                        OnExit.Invoke(ref refThis);
                }

                void _dbg_OnAttach(ref Debuggee Debugee, ref Helper.CONTEXT ctx)
                {
                    Debugee.RemoveDebugFlag();
                    // two of the four hardware breakpoint slots: client send and recv
                    Debugee.SetHardwareBreakpoint(SendPacketAddress);
                    Debugee.SetHardwareBreakpoint(RecvPacketAddress);
                    this.ShellExecuteAAddress = Debugee.GetModuleFunctionAddress("Shell32.dll", "ShellExecuteA");
                    if (this.ShellExecuteAAddress > 0)
                        Debugee.SetMemoryBreakpoint(this.ShellExecuteAAddress);
                }

                void _dbg_OnMemoryBreakpoint(ref Debuggee Debugee, ref Helper.CONTEXT ctx)
                {
                    if (Debugee.CurrentMemoryBreakpoint == ShellExecuteAAddress)
                    {
                        // stdcall arguments of ShellExecuteA, read off the stack at the breakpoint
                        int hWnd = Debugee.ReadInt32(ctx.Esp + 4);
                        int lpOperation = Debugee.ReadInt32(ctx.Esp + 8);
                        int lpFile = Debugee.ReadInt32(ctx.Esp + 12);
                        int lpParameters = Debugee.ReadInt32(ctx.Esp + 16);
                        int lpDirectory = Debugee.ReadInt32(ctx.Esp + 20);
                        int nShowCmd = Debugee.ReadInt32(ctx.Esp + 24);
                        string File = Debugee.ReadString(new IntPtr(lpFile), 255);
                        if (File == "http://co.91.com/signout/")
                            Debugee.WriteString("http://www.google.com\0", lpFile);
                    }
                }

                void _dbg_OnHardwareBreakpoint(ref Debuggee Debugee, ref Helper.CONTEXT ctx)
                {
                    if (Debugee.CurrentHardwareBreakpoint == SendPacketAddress)
                        HandleSentPacket(ref ctx);
                    else if (Debugee.CurrentHardwareBreakpoint == RecvPacketAddress)
                        HandleRecvPacket(ref ctx);
                }

                public bool Detach()
                {
                    if (_dbg.DetachDebugger())
                    {
                        IsAttached = false;
                        return true;
                    }
                    else
                        return false;
                }

                private void HandleSentPacket(ref Helper.CONTEXT ctx)
                {
                    int lpPacket = this._dbg.ReadInt32(ctx.Esp + 4);
                    int Size = this._dbg.ReadInt32(ctx.Esp + 8);
                    byte[] Packet = this._dbg.ReadByteArray(lpPacket, Size);
                    if (this.OnSendPacket != null)
                        this.OnSendPacket.Invoke(ref Packet);
                }

                private void HandleRecvPacket(ref Helper.CONTEXT ctx)
                {
                    int lpPacket = this._dbg.ReadInt32(ctx.Esp + 4);
                    int Size = this._dbg.ReadInt32(ctx.Esp + 8);
                    byte[] Packet = this._dbg.ReadByteArray(lpPacket, Size);
                    if (this.OnRecvPacket != null)
                        this.OnRecvPacket.Invoke(ref Packet);
                }

                public delegate void OnExitEventHandler(ref COClient Client);
                public delegate void OnRecvPacketEventHandler(ref byte[] Packet);
                public delegate void OnSendPacketEventHandler(ref byte[] Packet);
            }

            static void Main(string[] args)
            {
                Console.WriteLine("Enter the process ID to hook");
                int PID = int.Parse(Console.ReadLine());
                COClient T = new COClient(PID);
                // subscribe before attaching so no packet raised right after attach is missed
                T.OnRecvPacket += new COClient.OnRecvPacketEventHandler(T_OnRecvPacket);
                T.OnSendPacket += new COClient.OnSendPacketEventHandler(T_OnSendPacket);
                T.Attach();
                // keep the process alive so the breakpoint callbacks can fire
                Console.WriteLine("Attached, press Enter to detach");
                Console.ReadLine();
                T.Detach();
            }

            static void T_OnSendPacket(ref byte[] Packet)
            {
                Console.WriteLine("Sending packet");
            }

            static void T_OnRecvPacket(ref byte[] Packet)
            {
                Console.WriteLine("Receiving packet");
            }
        }
    }
Obviously does nothing... Just figured I'd demonstrate for people how to attempt to use it.
For process ID I just used the example program to find them. I'm thinking after work though I might write a super basic bot using this for people to mess around with. Just something simple obviously.
Now I have the hardest decision I may have ever faced in my life....
Should I call my new proxy "Hooker: The Bot" or "ProstiBot"
So many choices
<edit>
So I wanna be all 'shmancy' and actually use this properly to make a proper memory based bot vs just using the send/receive functions to make a packet based bot using memory hooks...
I assume I can use a program such as Cheat Engine to help me find memory addresses? (Although I know many of them are more complex than a fixed memory address, but I can cross that bridge when I come to it.)
You can easily find memory addresses using CheatEngine. Even though some values aren't fixed, it's easy to find pointers, like the PlayerBaseAddressPointer that points to the base of your character, which holds all kind of information about your character like id, name, coordinates, hp, mp, stamina, etc.
Unfortunately, you can only place 4 hardware breakpoints, since that's what modern processors are limited to. So you've got to be creative when placing breakpoints on functions. You could of course use memory breakpoints, but these alter the memory of the executable directly, so gotta be careful.
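Added example, not part of the thread or the library: the four slots referred to above are the x86 debug address registers DR0-DR3, which are enabled and typed through the control register DR7. The C routine below decodes a DR7 value the way a debugger-detection or integrity self-check would inspect a thread's debug registers (on Windows they come from GetThreadContext with CONTEXT_DEBUG_REGISTERS; that call is not made here). The register values are constructed, reusing the two addresses from the C# post above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One enabled slot among the four x86 debug address registers DR0..DR3. */
typedef struct {
    int         slot;     /* 0..3, i.e. which DRn holds the address */
    uint32_t    address;  /* linear address programmed into DRn */
    int         global;   /* 1 if enabled via Gn, 0 if via Ln only */
    const char *type;     /* "execute", "write", "io" or "read/write" */
    int         length;   /* watched length in bytes: 1, 2, 4 or 8 */
} hwbp_t;

/* Decode DR7 against DR0..DR3; fills out[] with the enabled slots and
 * returns how many there are (0..4). With only four slots available, a
 * debugger cannot hide more than four hardware breakpoints from this check. */
int decode_hw_breakpoints(uint32_t dr7, const uint32_t dr[4], hwbp_t out[4])
{
    static const char *rw_name[4]   = { "execute", "write", "io", "read/write" };
    static const int   len_bytes[4] = { 1, 2, 8, 4 };  /* LEN: 00=1, 01=2, 10=8, 11=4 */
    int n = 0;
    for (int i = 0; i < 4; i++) {
        int local  = (dr7 >> (2 * i))     & 1;        /* L0..L3 at bits 0,2,4,6 */
        int global = (dr7 >> (2 * i + 1)) & 1;        /* G0..G3 at bits 1,3,5,7 */
        if (!local && !global) continue;              /* slot is free */
        int rw  = (dr7 >> (16 + 4 * i)) & 3;          /* R/Wn at bits 16+4n..17+4n */
        int len = (dr7 >> (18 + 4 * i)) & 3;          /* LENn at bits 18+4n..19+4n */
        out[n].slot = i; out[n].address = dr[i]; out[n].global = global;
        out[n].type = rw_name[rw];
        out[n].length = (rw == 0) ? 1 : len_bytes[len]; /* execute BPs are always 1 byte */
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: execute breakpoints in slots 0 and 1 on the two
     * addresses from the C# post, plus a 4-byte write watchpoint in slot 2. */
    const uint32_t dr[4] = { 0x68B0B2, 0x688F46, 0x00401000, 0 };
    uint32_t dr7 = 0x1u | 0x4u | 0x10u | (0x1u << 24) | (0x3u << 26);
    hwbp_t bps[4];
    int n = decode_hw_breakpoints(dr7, dr, bps);
    printf("%d of 4 hardware breakpoint slots in use\n", n);
    for (int i = 0; i < n; i++)
        printf("DR%d %-10s len=%d addr=0x%08X\n", bps[i].slot, bps[i].type, bps[i].length, bps[i].address);
    return 0;
}
```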