[Tutorial] How to Detour the Kal Mainserver

Status: Not open for further replies.
Elite Diviner, joined Feb 8, 2012:
I have a problem. When I inject the chosen DLL, the main server closes.
Can you help me?
I am a beginner in C++ and I want to learn.

Sure, that is why I posted all this here, so you're welcome :)

I saw your code and I think I know what you want to try, but I need more information about your problem.
Did you try it with a clean repack? How do you load your DLL? Did you try only printing "Hello World", and did that work? Can you attach Olly, maybe, to see what happens exactly?

You can also PM me and we can talk a bit about coding via ICQ/MSN/Skype.
 
Newbie Spellweaver, joined Feb 3, 2012:
That is my MSN address:
ayna_hamit@homail.com

Thanks for helping.

I tried a clean repack with Obsidian.
Yes, I tried "Hello World" and it is working,
and I can't attach Olly.
 
Newbie Spellweaver, joined Feb 3, 2012:
I have been waiting for you for 1 day.
 
Joined Jun 23, 2010:
1>------ Build started: Project: hook test !, Configuration: Release Win32 ------
1> stdafx.cpp
1> hook test !.cpp
1>dllmain.obj : error LNK2001: unresolved external symbol _DetourTransactionCommit@0
1>dllmain.obj : error LNK2001: unresolved external symbol _DetourTransactionBegin@0
1>dllmain.obj : error LNK2001: unresolved external symbol _DetourUpdateThread@4
1>dllmain.obj : error LNK2001: unresolved external symbol _DetourAttach@8
1>dllmain.obj : error LNK2001: unresolved external symbol _DetourDetach@8
1>c:\users\heth\documents\visual studio 2010\Projects\hook test !\Release\hook test !.dll : fatal error LNK1120: 5 unresolved externals
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========

Any solution? I can't build it.
 
Junior Spellweaver, joined Apr 28, 2009:
Did you try this?: #include "detours.h", and put the detours (obj) and header (h) file where you have your project files....
 
Joined Mar 10, 2010:
Just do it like this. DETOURS:

Code:
#pragma comment(lib,"Detours/detours.lib")
#undef UNICODE
#include "Detours/detours.h"

#pragma pack(1)
 
Joined Jun 23, 2010:
Thanks for the help!!
You are the best.

The problem was that my detours.h and .lib were wrong... thanks for the upload.

You got my like :blushing:
 
Newbie Spellweaver, joined Sep 16, 2009:
Can anyone give an example of how to create a new skill, any of them? I am a beginner in *.dll making and want to learn how to create new skills. Only DMG with action for the new engine.

And can you tell me why my server crashes when I try this tutorial? Another source released here, with a window at start, works well.
 
Newbie Spellweaver, joined Sep 16, 2009:
So maybe you could tell me why my server crashes with the "MadKnight is Mad!" source? Because the source below works well.

And can anyone tell me how to make this useful? Please, I have made some simple DLLs but now I'm trying something harder (doesn't matter that this source sucks).

if(skillID == 36) // Spin Blade
{
    int area = 90;
    int* pX = CChar::GetX((int)Player);
    int* pY = CChar::GetY((int)Player);

    bool first = true;
    // nAoe, nDmg, EB and nHit are assumed to be declared in the surrounding skill handler
    for(int x = 1; x < 15000; x++)
    {
        void* Object = CMonster::FindMonster(x);
        // is this monster inside the square area around the player?
        if(Object
            && *CChar::GetX((int)Object) < *pX + area
            && *CChar::GetX((int)Object) > *pX - area
            && *CChar::GetY((int)Object) < *pY + area
            && *CChar::GetY((int)Object) > *pY - area)
        {
            nAoe = true;
            //////////////////////////////////////
            CChar::ActionBeforeDmg(Object);
            const int* const pCurHp = CChar::GetCurHP(Object);
            nDmg = CChar::GetAttack((void*)Player) * 10;
            EB = 0;
            nHit = true;
            bool finish = false;
            if((nDmg+EB) >= *pCurHp)
            {
                nDmg = *pCurHp - 1;
                EB = 0;
                finish = true;
            }
            if(nHit)
                CMonster::Hit((int)Player, Object, nDmg, EB);
            else
                nDmg = 0;

            if(finish){
                for(int ab = 0; ab < 10; ab++){
                    *(DWORD *)((int)Player + 1448) = 0;
                    CMonster::Kill(x, (int)Player);
                }
            }

            if(first)
                CChar::WriteInSight(Player, 0x3f, "bddbbwwb", skillID, CPlayer::GetPlayerID((int)Player), x, 1, 1, nDmg, EB, nHit);
            else
                CChar::WriteInSight(Player, 10, "bbddww", 1, skillID, CPlayer::GetPlayerID((int)Player), x, nDmg, EB);
            first = false;
            //////////////////////////////////
        }
    }
    if(first)
        CChar::WriteInSight(Player, 0x3f, "bddbbwwb", skillID, CPlayer::GetPlayerID((int)Player), CPlayer::GetPlayerID((int)Player), 1, 1, nDmg, EB, false);
    Sleep(450);
}
 
Joined Mar 10, 2010:
@stik3r2k5
Basically you don't have to do anything client side, just server side. First, test skills simply by allowing the server to display them to the client. For this, you have to create a virtual array (or whatever...) where the new skills from the DB get saved. Therefore, the server will display errors while loading unknown skills; there you have to hook and get the skills, disable the error message, and there you go. Learn skill and skill up is the next step. Now you can skill up, learn skills and display them in the client. First step done.

Next step: PreSkill and ExecuteSkill need to be hooked. There you can add your CD protection as well... PreSkill is mostly unimportant, only for Ice Arrow is it important, and for the CD protection. What's important is the ExecuteSkill function: there you check everything, add damage to the target and send the execution packet. Skills done.



void __fastcall Hooked_ExcuteSkill(void* thispointer, void *_edx, signed int nSkillID, int a3, int a4)
{
    void* Pointer = (void*)*(DWORD*)(int)thispointer;           // player object
    int Class = *(DWORD*)((int)Pointer + 460);                    // class id of the player
    const int nPlayerID = *(int*)(unsigned(thispointer)+0x1c);

    if(Class == 0)//kn
    {
        if(nSkillID == 43)
        {
            //your skill
        }
    }
}
 
Newbie Spellweaver, joined Sep 16, 2009:
#include <detours.h>
#include "stdafx.h"
What else??

Can anyone help me by showing how to create a complete skill?

Thanks

I'm learning C++, but making something for KalOnline is total magic to me :)
 
Elite Diviner, joined Feb 8, 2012:
So many ways..

I noticed that some people started with coding or are interested in Kal coding. Here is another little post from me about Kal coding; maybe there is something interesting in it for you :)
Let's begin with Intercept :)

The Intercept

The Intercept code can be found here: http://forum.ragezone.com/f389/source-code-collection-917296/
Some people know that Kealy wrote a little Memory class, where Intercept is included as Memory->Hook.
So what's the difference between Intercept / Memory->Hook and DetourAttach / Memory->HookAPI? API hook (DetourAttach) means that we don't need to grab a caller; all function calls that lead to the original function will be redirected to our hooked function. I think this is easy to understand, and this is how the tutorial code made the hook.
Intercepting means that you put in the caller address instead of the function's address.
An example:

// IDA pseudocode of the original function
int __cdecl CParty__FindParty(int a3)
{
    CIOCriticalSection__Enter((struct _RTL_CRITICAL_SECTION *)&unk_4E1FD0);
    LinkObjectReference(&unk_4E1FC4, (int)&a2, (int)&a3);
    v1 = (int)GetPointer((int)&unk_4E1FC4, &v3);
    if ( sub_47D070(&a2, v1) )
    {
        v4 = *(_DWORD *)(sub_420250(&a2) + 4);
        CIOObject__AddRef(v4);
    }
    CIOCriticalSection__Leave((int)&unk_4E1FD0);
    return v4;
}
// the single call site inside it that we want to redirect
.text:0044D538 call CIOObject__AddRef

Memory->Hook(0x0044D538, OurHookedFunction); // This would be an Intercept
With this we are able to jump directly into functions and modify single calls. It's also useful if you have a very, very large method and don't want to rewrite the whole function; then you can modify it in only a few small places.

Protect yourself

Everyone knows that Clean, KOSP/R11, KoemV1 and KoemV2 are "hacked". The question is why? And the answer is:

Code:
#include <windows.h>
#include <psapi.h>      // GetModuleBaseNameA
#include <string.h>     // _stricmp
#pragma comment(lib, "psapi.lib")

static DWORD sendadr = 0;   // where the wrappers below jump into the real Send

__declspec (naked) int __cdecl KoemSend(BYTE type , char* format, ...)
{
    // replay the original prologue (stack probe + locals)
    __asm push ebp
    __asm mov ebp,esp
    __asm mov ebp,esp
    __asm push eax
    __asm mov eax,4
    __asm redo:
    __asm add esp, -4092
    __asm push eax
    __asm dec eax
    __asm jnz redo
    __asm mov eax, dword ptr ss:[ebp-4]
    __asm add esp, -44
    __asm xor eax, eax
    __asm mov dword ptr ss:[ebp-8], eax

    //you can also sniff send here

    //fake the caller (will be appended to the packet and checked @ serverside)
    __asm mov eax, 0x004921f9
    __asm sub eax,5
    __asm mov dword ptr ss:[ebp-4], eax
    __asm jmp sendadr
}

__declspec (naked) int __cdecl KocpSend(BYTE type , char* format, ...)
{
    __asm push ebp
    __asm mov ebp, esp
    __asm sub esp, 0x14
    //skip the caller check

    //you can also sniff send here

    __asm jmp sendadr
}

__declspec (naked) int __cdecl KoemV2Send(BYTE type , char* format, ...)
{
    //no caller check, jump directly to the function header
    __asm jmp sendadr
}

static void ResolveSendAddress()
{
    //get the send adr: resolve the CALL rel32 at 0x004921F4 (target = rel32 + address of the next instruction)
    DWORD adr = ((*(DWORD*)(0x004921F4+1))+(0x004921F4+1)+4);

    //get the handle of the module that contains adr
    HMODULE hModule = NULL;
    GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, (LPCSTR)adr, &hModule);

    //determine to which module it belongs
    char ModuleName[MAX_PATH] = {0};
    GetModuleBaseNameA(GetCurrentProcess(), hModule, ModuleName, MAX_PATH);

    //depending on the result do your stuff
    if (_stricmp(ModuleName, "Extended.dll") == 0)          // koem - use KoemSend
        sendadr = adr + 55;
    else if (_stricmp(ModuleName, "ProtectC.dll") == 0)     // kocp - use KocpSend
        sendadr = adr + 35;
    else if (_stricmp(ModuleName, "engine.exe") == 0)       // clean - use KocpSend (normal)
        sendadr = adr;
    else if (_stricmp(ModuleName, "Protect.cpln") == 0)     // koem2 - use KoemV2Send
        sendadr = adr;

    //or if you want to sniff, hook it

    ...
}
All these Send methods are known, so we are able to send our own packets (crash packets, hack packets) to the server; for R11 it would be, as an example:

KocpSend(0x02,"ss","LoginName","Password"); // When I send this, it would log me in if this login existed

And in the same way you can send crash or hack packets to all these known Sends.
What can you do against this?
-> Write your own Send method like I did; my Send method is called
MadSend (at the moment it is online at Xiukal, so you could try to hack there and you will see that all existing hacks (public or non-public) which are based on packet hacks will not work there anymore).
Look into Kealy's source code, how he made his own Send, and try to adapt it and make it safe with your own Send method; then these packet hacks (crashes etc.) are fixed.

The Memory God

All that we do in Kal coding is based on memory edits; I want to show you some equivalent ways of editing.
We take as example the ThreadCount value, which is at 0x004E1190. We want to modify it and write the value 5 into it:

Dereferencing:
*(int *)0x004E1190 = 5;

Fill:
memory->Fill(0x004E1190,0x05,1);
or Set:
memory->Set(0x004E1190,"\x05",1);

Olly:
(screenshot of the same edit made in OllyDbg)

It depends on what you want or what your preferred coding style is; choose a method that fits your needs :)

Master the Stack

C++ is nice for programming things for Kal, but sometimes you may need to go a little bit deeper into the Mainserver ^^
Then you're welcome to inline assembly.
I found a little explanation from BakaBug about the calling conventions:
http://forum.ragezone.com/f554/tutorial-c-dll-injection-main-375634/index4.html#post3257022
So we have __fastcall, __thiscall, __stdcall and __cdecl. Sometimes you need to put all params onto the stack via __asm push param, and sometimes you need to move it into the ecx register, for example for a __thiscall: __asm mov ecx, thispointer.
If you are not sure what to do, take a look at the IDA ASM view.
Example:
.text:00434B21 push offset aStackDumpCompl ; "Stack dump completed"
.text:00434B26 call Console__Write__Blue ; Call Procedure
.text:00434B2B add esp, 4

Console__Write__Blue is __cdecl, so we need to clear the stack via __asm add esp, 4.
If you have more params, then you need to clear more (__asm add esp, 8, 12, ...).

Another Example for __thiscall
.text:00453136 mov ecx, [ebp+playerpointer]
.text:0045313C call CPlayer__CanMove ; Call Procedure
.text:00453141 test eax, eax

Here we only move the player pointer into the ecx register and call CPlayer__CanMove. After a call of a function that has a return value, the return value is always stored in the register eax; that's the reason why I am allowed to write:

int Player::GetLevel()
{
    __asm mov eax, [ecx]      // ecx = this; the only member is void* thispointer
    __asm mov eax, [eax+60]   // the level, at offset 60 of the player object
}

You may wonder where the return statement is. This can compile, because eax is the "auto return" register and you will get no compiler error. Also, the [ecx] is a little trick, because the only attribute of my class is void* thispointer;, which is exactly [ecx] in this case :)

I hope this helps some people a little bit :)
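The call-site arithmetic behind Memory->Hook on a caller address and behind the "get the send adr" line, as an added example (not part of the post, of Kealy's Memory class or of the Kal server). It models a slice of the mainserver's .text as a constructed byte buffer: the 0x0044D538 call site and the 0x004921F4 call are taken from the post, while the callee address 0x00421000 and the hook addresses 0x10001000 / 0x10002000 are made up for the sample. What it shows is the difference between retargeting a single CALL (Intercept) and overwriting the callee's first five bytes with a JMP (API hook, which is what DetourAttach installs, minus the trampoline that preserves the bytes it overwrote):

```cpp
// Added example, not code from the thread or from the Kal server / Memory class.
// Models an x86 code section as a byte buffer and shows the rel32 arithmetic
// used by both "Intercept" (patch one call site) and "API hook" (patch the callee).
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <vector>

using u32 = std::uint32_t;
using Bytes = std::vector<std::uint8_t>;

// Constructed stand-in for a mapped section: bytes[0] lives at virtual address `base`.
struct Image {
    u32 base;
    Bytes bytes;
    Image(u32 b, std::size_t size) : base(b), bytes(size, 0x90) {}   // filled with NOPs
    std::uint8_t* at(u32 va) {
        if (va < base || va + 5 > base + bytes.size())
            throw std::out_of_range("address outside image");
        return &bytes[va - base];
    }
};

// Target of an E8 (CALL rel32) or E9 (JMP rel32) at `va`: the displacement is
// relative to the NEXT instruction (va + 5). This is the same arithmetic as the
// post's  adr = *(DWORD*)(0x004921F4+1) + (0x004921F4+1) + 4.
u32 rel32_target(Image& img, u32 va) {
    const std::uint8_t* p = img.at(va);
    if (p[0] != 0xE8 && p[0] != 0xE9)
        throw std::invalid_argument("not a rel32 CALL/JMP");
    std::int32_t rel;
    std::memcpy(&rel, p + 1, 4);
    return va + 5 + static_cast<u32>(rel);      // unsigned wrap handles negative rel
}

// Write a 5-byte CALL/JMP at `va` that lands on `target`.
void write_rel32(Image& img, u32 va, std::uint8_t opcode, u32 target) {
    std::uint8_t* p = img.at(va);
    std::int32_t rel = static_cast<std::int32_t>(target - (va + 5));
    p[0] = opcode;
    std::memcpy(p + 1, &rel, 4);
}

// Intercept: retarget ONE call site; the callee and every other caller are untouched.
void intercept_call(Image& img, u32 call_va, u32 our_fn) {
    if (img.at(call_va)[0] != 0xE8)
        throw std::invalid_argument("no CALL at the intercept address");
    write_rel32(img, call_va, 0xE8, our_fn);
}

// API hook: overwrite the callee's first 5 bytes with a JMP, so every caller
// that reaches the function is redirected (DetourAttach additionally saves the
// overwritten bytes in a trampoline so the original can still be called).
void api_hook(Image& img, u32 fn_va, u32 our_fn) {
    write_rel32(img, fn_va, 0xE9, our_fn);
}

// The return address pushed by a CALL at `va` is the next instruction. For the
// post's call at 0x004921F4 that is 0x004921F9, the value KoemSend loads and
// then subtracts 5 from to reconstruct the call site.
u32 return_address_of_call(u32 call_va) { return call_va + 5; }

int main() {
    Image img(0x0044D500, 0x100);                     // constructed .text slice
    write_rel32(img, 0x0044D538, 0xE8, 0x00421000);   // "call CIOObject__AddRef" (callee address made up)
    std::printf("call at 0x0044D538 -> 0x%08X\n", rel32_target(img, 0x0044D538));
    intercept_call(img, 0x0044D538, 0x10001000);      // redirect that one call to our function (address made up)
    std::printf("after intercept    -> 0x%08X\n", rel32_target(img, 0x0044D538));
    return 0;
}
```

Against a live process the same bytes go through VirtualProtect/WriteProcessMemory, and the patch is only right when rel32 is computed from the address the bytes will execute at, not from the buffer they were prepared in. The same care applies to the memory edits in the post: *(int *)0x004E1190 = 5 writes four bytes while memory->Fill(0x004E1190, 0x05, 1) writes one, so they agree only when the upper three bytes are already zero.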
 
Newbie Spellweaver, joined Feb 3, 2012:
madknight, can you write any skill, for example: when I use Spin Blade the server writes a message "spin blade used"?
 
Junior Spellweaver, joined Jun 5, 2011:
1. Hook at 0x0047FBB0
2. Look at lafreak's code: http://forum.ragezone.com/f315/skill-sources-917291/ (check skill ID and class)
3. Write your own skillzz.
4. As lafreak said, his AOE method is old and crappy; check the Splashy Ice code to use the native method.

"Rome was not built in a day."
If you can't do that, just start with smaller things like hooking small functions and printing some values etc.

If you don't even know how to start (despite all those tutorials) you should start learning the basics of C++ :>
 
Newbie Spellweaver, joined Feb 3, 2012:
I wrote this for the NWK server, but when I used this skill the server closed :p

Code:
#include "StdAfx.h"
#include "Interface.h"
#include "Memory.h"
#include "Deflector.h"
#include "Deflection.h"
#include "Tools.h"
#include "Server.h"

// original ExecuteSkill in the mainserver
static int (__thiscall *sub_47FBB0)(void *thispointer, signed int a2, int a3, int a4) =
    (int (__thiscall*)(void *thispointer, signed int a2, int a3, int a4))0x0047FBB0;

void __fastcall Hooked_ExcuteSkill(void* thispointer, void *_edx, signed int nSkillID, int a3, int a4)
{
    void* Pointer = (void*)*(DWORD*)(int)thispointer;
    int Class = *(DWORD*)((int)Pointer + 460);
    const int nPlayerID = *(int*)(unsigned(thispointer)+0x1c);

    if(Class == 0)
    {
        if(nSkillID == 43)
        {
            Server::WriteBlue("skill used");
        }
    }
    sub_47FBB0(thispointer, nSkillID, a3, a4);
}

CREATE_INTERFACE(skill)
class skill
{
public:
    skill();
    ~skill();
};

skill::skill()
{
    Interface<IMemory> Memory;
    Server::WriteBlue("skill loaded");
    Memory->Hook(0x0047FBB0, Hooked_ExcuteSkill);
}

skill::~skill()
{
}
 
Joined Mar 10, 2010:
Make a hook at 0x00406970; it's ExcuteSkill.

void __fastcall YourSkill(void* pSkill, void* pPlayer, char* pPacket, char* pPos);

void __fastcall Hooked_ExcuteSkill(void* thispointer, void *_edx, signed int nSkillID, int a3, int a4)
{
    void* Pointer = (void*)*(DWORD*)(int)thispointer;
    int Class = *(DWORD*)((int)Pointer + 460);
    const int nPlayerID = *(int*)(unsigned(thispointer)+0x1c);

    if(Class == 0)// class of kn
    {
        if(nSkillID == 43)//skill ID
        {
            YourSkill((int*)Class, Pointer, (char*)a3, (char*)a4);
        }
    }
}

Your skill :D

void __fastcall YourSkill(void* pSkill, void* pPlayer, char* pPacket, char* pPos)
{
    const int nPlayerID = *(int*)(unsigned(pPlayer)+0x1c);
    const int nSkillID = 43; // e.g. Sword's Dance ID
    const int nSkillGrade = 1; // skill grade of the skill
    int nDmg = 0;

    nDmg = 5000;

    // broadcast the skill execution packet to everyone in sight of the player
    WriteInSight(pPlayer, 0x3f, "bddbbwwb", nSkillID, nPlayerID, nPlayerID, 1, nSkillGrade, nDmg, 0, 1);
}

Now it's time to find aggro, kill mobs and calculate dmg :D
 
Newbie Spellweaver, joined Feb 3, 2012:
Thanks all. I wrote this and nothing happens.

Code:
#include "StdAfx.h"
#include "Interface.h"
#include "Memory.h"
#include "Deflector.h"
#include "Deflection.h"
#include "Tools.h"
#include "Server.h"

// mainserver functions used below
static void (__cdecl* WriteInSight)(void* pPlayer, BYTE bType, const char *Format, ...) =
    (void (__cdecl*)(void*, BYTE, const char*, ...))0x0040B9E0;
static void* (__cdecl* FindMonster)(int nID) = (void* (__cdecl*)(int))0x0043A240;
static int (__thiscall* MonsterOnDelete)() = (int (__thiscall*)())0x0043AA00;

void __fastcall Behead(void* pSkill, void* pPlayer, char* pPacket, char* pPos)
{
    const int nPlayerID = *(int*)(unsigned(pPlayer)+0x1c);
    const int nSkillID = 1;
    const int nSkillGrade = 1;
    int nDmg = 0;

    int nTargetID;
    char bType;
    bool finish = false;

    // read the target type and target id out of the skill packet
    Server::ReadPacketSecure((char*)pPacket, (char*)pPos, "bd", &bType, &nTargetID);

    void* pTarget = 0;

    switch(bType)
    {
    case 1:
        pTarget = FindMonster(nTargetID);
        finish = true;
        break;
    }
    if(finish)
    {
        MonsterOnDelete();
        WriteInSight(pPlayer, 0x3f, "bddbbwwb", nSkillID, nPlayerID, nPlayerID, 1, nSkillGrade, nDmg, 0, 1);
    }
    else
        WriteInSight(pPlayer, 10, "bbddww", 1, nSkillID, nPlayerID, nPlayerID, nDmg, 0);
}

void __fastcall Hooked_ExcuteSkill(void* thispointer, void *_edx, signed int nSkillID, int a3, int a4)
{
    void* Pointer = (void*)*(DWORD*)(int)thispointer;
    int Class = *(DWORD*)((int)Pointer + 460);
    const int nPlayerID = *(int*)(unsigned(thispointer)+0x1c);

    if(Class == 3) // thief
    {
        if(nSkillID == 1) //behead
        {
            Behead((int*)Class, Pointer, (char*)a3, (char*)a4);
        }
    }
}

CREATE_INTERFACE(skill)
class skill
{
public:
    skill();
    ~skill();
};

skill::skill()
{
    Interface<IMemory> Memory;
    Server::WriteBlack("skill loaded");
    Memory->Hook(0x00406970, Hooked_ExcuteSkill);
}

skill::~skill()
{
}

And I get this error:
Code:
CPlayerSkill::SetSkill() Cant Find Skill [Class:3 , Skill:1]

Thanks for helping
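The format strings passed to WriteInSight ("bddbbwwb", "bbddww"), KocpSend ("ss") and ReadPacketSecure ("bd") throughout the thread, as an added example that is not code from the thread or from the Kal server. It assumes an encoding the page never states: b = 1 byte, w = 2 bytes, d = 4 bytes (little-endian), s = NUL-terminated string, laid out in order after the one-byte packet type. build_packet is the sending side; read_packet is a bounds-checked reader that fails instead of reading past a short or unterminated packet, which is the property a "Secure" read needs against the crash packets mentioned earlier in the thread:

```cpp
// Added example, not code from the thread or from the Kal server.
// Writer and bounds-checked reader for printf-style packet format strings.
// Assumed encoding: b = 1 byte, w = 2 bytes, d = 4 bytes (little-endian),
// s = NUL-terminated string; the first byte of every packet is its type.
#include <algorithm>
#include <cstdarg>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

using Packet = std::vector<std::uint8_t>;

static void put_le(Packet& p, std::uint32_t v, std::size_t n) {
    for (std::size_t i = 0; i < n; ++i) p.push_back(static_cast<std::uint8_t>(v >> (8 * i)));
}

// Sending side. The thread's KocpSend(0x02, "ss", "LoginName", "Password")
// corresponds to build_packet(0x02, "ss", "LoginName", "Password").
Packet build_packet(std::uint8_t type, const char* fmt, ...) {
    Packet p{type};
    va_list ap;
    va_start(ap, fmt);
    for (const char* f = fmt; *f; ++f) {
        switch (*f) {
        case 'b': put_le(p, static_cast<std::uint32_t>(va_arg(ap, int)), 1); break;
        case 'w': put_le(p, static_cast<std::uint32_t>(va_arg(ap, int)), 2); break;
        case 'd': put_le(p, static_cast<std::uint32_t>(va_arg(ap, int)), 4); break;
        case 's': {
            const char* s = va_arg(ap, const char*);
            p.insert(p.end(), s, s + std::strlen(s) + 1);   // keep the terminating NUL
            break;
        }
        default:
            va_end(ap);
            throw std::invalid_argument(std::string("unknown format char: ") + *f);
        }
    }
    va_end(ap);
    return p;
}

// Read one little-endian integer if (and only if) it fits in what is left.
template <typename T>
static bool get_le(const Packet& p, std::size_t& pos, T* out) {
    if (pos > p.size() || p.size() - pos < sizeof(T)) return false;
    std::uint32_t v = 0;
    for (std::size_t i = 0; i < sizeof(T); ++i) v |= std::uint32_t(p[pos + i]) << (8 * i);
    *out = static_cast<T>(v);
    pos += sizeof(T);
    return true;
}

// Receiving side, in the spirit of ReadPacketSecure: outputs are
// uint8_t* / uint16_t* / uint32_t* / std::string* matching b / w / d / s.
// Returns false as soon as a field would run past the end of the packet
// (truncated or hand-built), so nothing is ever read beyond p.size().
bool read_packet(const Packet& p, const char* fmt, ...) {
    std::size_t pos = 1;                       // skip the type byte
    bool ok = p.size() >= 1;
    va_list ap;
    va_start(ap, fmt);
    for (const char* f = fmt; *f && ok; ++f) {
        switch (*f) {
        case 'b': ok = get_le(p, pos, va_arg(ap, std::uint8_t*));  break;
        case 'w': ok = get_le(p, pos, va_arg(ap, std::uint16_t*)); break;
        case 'd': ok = get_le(p, pos, va_arg(ap, std::uint32_t*)); break;
        case 's': {
            std::string* out = va_arg(ap, std::string*);
            auto begin = p.begin() + static_cast<std::ptrdiff_t>(std::min(pos, p.size()));
            auto nul = std::find(begin, p.end(), std::uint8_t{0});
            if (nul == p.end()) { ok = false; break; }   // unterminated string: reject
            out->assign(begin, nul);
            pos = static_cast<std::size_t>(nul - p.begin()) + 1;
            break;
        }
        default: ok = false; break;               // unknown format char: reject
        }
    }
    va_end(ap);
    return ok;
}

int packet_type(const Packet& p) { return p.empty() ? -1 : p[0]; }

int main() {
    Packet p = build_packet(0x02, "ss", "LoginName", "Password");   // the thread's R11 login example
    for (std::uint8_t b : p) std::printf("%02X ", b);
    std::printf("\n");
    std::string user, pass;
    std::printf("parsed: %d %s %s\n", read_packet(p, "ss", &user, &pass), user.c_str(), pass.c_str());
    return 0;
}
```

Because a va_list carries no types of its own, the format string is the only thing keeping sender and receiver in agreement; a reader that trusts a length field taken from the packet instead of its own remaining size is exactly where a crash packet lands.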
 