[ASSEMBLY] Using and manipulating GunBoundWC Client Functions

Newbie Spellweaver
Joined
Aug 21, 2019
Messages
10
Reaction score
4
Hello.

I'm an old GunBound cheater. In the past few years, I've been coding many, many things for my private server (known as GITZWC) and protection (GunProtect). Many of those codes have been used in almost every Brazilian GunBound WC since 2010, because many years ago I used to sell them to developers.

I don't know much about GunBound development, but I'm very experienced with reverse engineering. These are some useful functions to use from the client. You can make tons of creative interfaces with this.

If you don't understand what I am saying, you probably need to study some assembly before trying this. This code can be easily translated to any language, since it's mostly assembly code.

ShowGameMessage - fake GunBound Message:


Code:
{Function SGM
 by C4sTr0 (C4sTr0@live.com)
 Parameters: lpMessage is a pointer for the message you wanna show
 dwIcon is the icon value you wanna show (0 = no icon)
 dwColor is the color value you wanna show}
procedure ShowGameMessage_Fixed(lpMessage: PChar; dwIcon: byte; dwColor: byte);
var
dwMessage: cardinal;
procedure ShowGameMessage_Real(lpMessage: PChar); assembler;
 asm
  pushad
  mov ecx, [dwMessage]
  add ecx, $44
  mov bh, [dwIcon]
  mov [ecx], bh
  add ecx, $47
  mov [ecx], bh
  add ecx, $47
  mov [ecx], bh
  mov bh, [dwColor]
  mov ecx, [dwMessage]
  add ecx, $5C
  mov [ecx], bh
  add ecx, $31
  mov [ecx], bh
  add ecx, $E
  mov [ecx], bh
  add ecx, $39
  mov [ecx], bh
  add ecx, $10
  mov [ecx], bh
  popad
  jmp @call

  @call:
  lea edi, [lpMessage]
  call [dwMessage]
  jmp @rebuild


  @rebuild:
  mov [dwIcon], 6
  mov [dwColor], 2
  mov ecx, [dwMessage]
  add ecx, $44
  mov bh, [dwIcon]
  mov [ecx], bh
  add ecx, $47
  mov [ecx], bh
  add ecx, $47
  mov [ecx], bh
  mov bh, [dwColor]
  mov ecx, [dwMessage]
  add ecx, $5C
  mov [ecx], bh
  add ecx, $31
  mov [ecx], bh
  add ecx, $E
  mov [ecx], bh
  add ecx, $39
  mov [ecx], bh
  add ecx, $10
  mov [ecx], bh
  end;
begin
  dwMessage := $00414B80;
  ShowGameMessage_Real(lpMessage);
end;



Packet Sender - Allows you to send any regular type of packet to the GunBound server. This can be used to do powerful cheats, integration with a custom GunBound server and many other useful things.
This code forces GunBound to generate the sequence bytes and send the packet for you to the current server.

Code:
{Function sendPacket
by C4sTr0 (c4str0@live.com)

Allows you to send a normal-type of packet regardless of the sequence/authentication bytes.

lpAddress - Pointer to buffer with packet data, starts with the packet protocol.
len - size of the packet to send (packet data + 4)

 
}
procedure sendPacket(lpaddress: pointer; len: word);
const
baseaddrpacket: cardinal= $00870558;
packetfunc: cardinal = $00445CD0;
xpcomp: cardinal = $0052A420;
begin

  copymemory(pointer(pdword(baseaddrpacket)^+$9C), lpaddress, len);
  pword(pdword(baseaddrpacket)^+$4098)^ := len;

  asm
   pushad
   mov esi, [baseaddrpacket]
   mov esi, [esi]
   lea ecx, [esi+$80BC]
   mov eax, [xpcomp]
   call eax
   popad
   mov ecx, [baseaddrpacket]
   mov ecx, [ecx]
   mov [ebp-4], ecx
   mov ecx, [packetfunc]
   mov [ebp-8], ecx
   push [ebp-4]
   call dword ptr [ebp-8]
  end;

end;

Example of use:

Code:
var
ExitRoom: array [0..3] of byte = ( $00, $20, $FF, $FF); //the gunbound exit packet, with protocol+data
begin
 sendPacket(@ExitRoom[0],8); //you must add 4 bytes to the size since 2 bytes are from packetSize and 2 bytes are the sequence (the gunbound will generate those)
end;

Those codes can be easily converted to any language. The addresses can also be updated for all GunBound versions up to season 2, and you won't need to change much in the assembly code to update it. If you have problems updating them, you can contact me ^^
Maybe I will keep posting more functions here if this can help anyone.
You can also contact me in my server GitzWC, or by email.

C4sTr0.
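
Added example, not part of the original post and not the author's or any server's code: since the client can be made to emit a correctly sized and sequenced packet for any protocol id, a server has to check each frame against the session's state rather than trust the sequence bytes. The field order, little-endian encoding, session states, and the counter used as a stand-in for the sequence algorithm are assumptions; only the 2+2 byte header and the 00 20 FF FF exit packet come from the post.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed wire layout: [size:2][sequence:2][protocol:2][data...].
   The post only states that 2 size bytes and 2 sequence bytes are added to
   protocol+data; field order and little-endian encoding are assumptions. */
#define HDR_LEN      4u
#define OP_EXIT_ROOM 0x2000u   /* bytes 00 20 from the post's example, read LE */

enum state   { ST_LOBBY, ST_IN_ROOM };            /* hypothetical states */
enum verdict { V_OK, V_SHORT, V_BAD_SIZE, V_BAD_SEQ, V_BAD_STATE };

struct session { enum state st; uint16_t expect_seq; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Server-side check of one received frame of n bytes. */
enum verdict check_frame(struct session *s, const uint8_t *buf, size_t n)
{
    if (n < HDR_LEN + 2) return V_SHORT;              /* no room for a protocol id */
    if ((size_t)rd16(buf) != n) return V_BAD_SIZE;    /* declared size must match */
    /* Plain counter as a stand-in; the real sequence algorithm is not on this page. */
    if (rd16(buf + 2) != s->expect_seq) return V_BAD_SEQ;

    /* A correct sequence only proves the frame left through the client's send
       path. The protocol id must still be legal for the session's state. */
    switch (rd16(buf + 4)) {
    case OP_EXIT_ROOM:
        if (s->st != ST_IN_ROOM) return V_BAD_STATE;
        s->st = ST_LOBBY;
        break;
    default:
        return V_BAD_STATE;                           /* unknown id: default deny */
    }
    s->expect_seq++;
    return V_OK;
}

/* Constructed sample: two well-formed exit frames in a row. */
enum verdict second_exit_verdict(void)
{
    const uint8_t f1[] = { 0x08, 0x00, 0x05, 0x00, 0x00, 0x20, 0xFF, 0xFF };
    const uint8_t f2[] = { 0x08, 0x00, 0x06, 0x00, 0x00, 0x20, 0xFF, 0xFF };
    struct session s = { ST_IN_ROOM, 5 };
    if (check_frame(&s, f1, sizeof f1) != V_OK) return V_BAD_SEQ;
    return check_frame(&s, f2, sizeof f2);            /* V_BAD_STATE: already in lobby */
}
```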
 
Initiate Mage
Joined
Jan 4, 2021
Messages
2
Reaction score
4
It was a pleasure to work with you over the years developing GitzWC. None of the private GunBound today would survive if it weren't for your advances in anti-hacks. And these two functions are an example of that.
 
Newbie Spellweaver
Joined
Feb 17, 2011
Messages
76
Reaction score
3
It is very interesting, this function allows to kick the user from a room, avatar shop, but how do I send it to the world list?
 
Newbie Spellweaver
Joined
Aug 21, 2019
Messages
10
Reaction score
4
> It is very interesting, this function allows to kick the user from a room, avatar shop, but how do I send it to the world list?

To send this to the broker you will need to find another function in the GunBound.gme. This one won't do it. If you need it I can post it when I get some free time.

> Great C4STR0! It helped me a lot when I was developing the horn system for my server.

I'm glad to see that this could help you somehow. You can make many more creative things with this such as: autokick, auto start system, leave room, auto join room, invite system and countless other things.

> It was a pleasure to work with you over the years developing GitzWC. None of the private GunBound today would survive if it weren't for your advances in anti-hacks. And these two functions are an example of that.

<3 Your contribution to our project is priceless and we couldn't have grown so much without you.

I will post more codes in the following days.
 
Newbie Spellweaver
Joined
Feb 17, 2011
Messages
76
Reaction score
3
I just have a problem in putting the invisible DLL.

Form1: TForm1;
ExitRoom: array [0..3] of byte = ($01, $30, $FF, $FF);
Okay, so I put it under Form1: TForm1;
 
Junior Spellweaver
Joined
Nov 21, 2006
Messages
137
Reaction score
39
Send Packet function translated to C:

Code:
void SendGamePacket(BYTE* lpaddress, WORD len)
{
     DWORD* baseaddrpacket = (DWORD*)0x00870558;
     DWORD* packetfunc = (DWORD*)0x00445CD0;

     memcpy((DWORD*)(*baseaddrpacket + 0x9C), lpaddress, len);
     *PWORD(*PDWORD(baseaddrpacket) + 0x4098) = len;

      __asm
     {
          pushad
          mov esi, [baseaddrpacket]
          mov esi, [esi]
          lea ecx, [esi + 0x80BC]
          popad
          mov ecx, [baseaddrpacket]
          mov ecx, [ecx]
          mov [ebp - 4], ecx
          mov ecx, [packetfunc]
          mov [ebp - 8], ecx
          push [ebp - 4]
          call dword ptr [ebp - 8]
      }
}
 