A small guide on how to inject C++ code/assembler into the Main Server.
Thanks to Bakabug for some samples
Requirements
- Visual C++
- A hex editor
- Basic coding skills
Step 1 - Hex Injection
The first thing to do is unpack MainServer.exe, or find an unpacked version.
When this is done, open the mainserver in your favorite hex editor, and search for "ADVAPI32.dll"
Now replace "ADVAPI32.dll" with "KalHooks.dll", our new DLL.
Note that the MainServer will not function until you provide the necessary DLL in the same folder as MainServer.exe.
Step 2 - Some Basic Code
In Visual Studio, create a standard Windows library project and set it to create a DLL.
Now find dllmain.cpp and replace its content with the following code:
Step 3 - Injector Class
Now we wish to create a class handling our actions.
And here is the class, plus an example of an injected function. KalHook::MemoryCopy and KalHook::Intercept bluntly stolen from Bakabug.
KalHooks.cpp
KalHooks.h
And now change dllmain.cpp to the following
Step 4 - Finalizing
Before we compile, one more important addition is required.
Due to an error made in the 70's by the Windows C developers, DLLs are compiled by default with a _ (underscore) prefixed to each function name.
Since the MainServer cannot handle this, we need to create a new file to ensure the underscores are not added.
Simply add a file named Exports.def to your project, with the following content:
Step 5 - Compiling
Compile (Make sure to compile to Release!), and copy your new KalHooks.dll into your MainServer folder.
Once this is done, run the MainServer and cross your fingers that you did not do any ASM hacks that didn't work.
Thanks to Bakabug for some samples
Requirements
- Visual C++
- A hex editor
- Basic coding skills
Step 1 - Hex Injection
The first thing to do is unpack MainServer.exe, or find an unpacked version.
When this is done, open the mainserver in your favorite hex editor, and search for "ADVAPI32.dll"
Now replace "ADVAPI32.dll" with "KalHooks.dll", our new DLL.
Note that the MainServer will not function until you provide the necessary DLL in the same folder as MainServer.exe.
Step 2 - Some Basic Code
In Visual Studio, create a standard Windows library project and set it to create a DLL.
Now find dllmain.cpp and replace its content with the following code:
#include "stdafx.h"
/// Handle of the real ADVAPI32.dll. Set in DllMain and read by GetUserNameA to
/// forward the proxied call. Static storage, so it is NULL until DllMain runs.
HMODULE libraryHandle;
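/// Proxy for the ADVAPI32 export GetUserNameA: after Step 1 MainServer's import
/// table names KalHooks.dll instead of ADVAPI32.dll, so its call arrives here and
/// is forwarded to the real ADVAPI32.dll that DllMain loaded.
/// @param input  buffer receiving the user name (lpBuffer in the real API).
/// @param buffer in: size of input in characters; out: characters used or needed
///               (pcbBuffer in the real API).
/// @return the real function's result, or FALSE with ERROR_MOD_NOT_FOUND /
///         ERROR_PROC_NOT_FOUND when forwarding is impossible. The original
///         returned through a NULL function pointer in that case and crashed.
_declspec(dllexport) BOOL WINAPI GetUserNameA(LPSTR input, LPDWORD buffer)
{
    typedef BOOL (WINAPI* CFunction) (LPSTR input, LPDWORD buffer);
    // libraryHandle is only valid once DllMain has loaded ADVAPI32 successfully.
    if(libraryHandle == NULL)
    {
        SetLastError(ERROR_MOD_NOT_FOUND);
        return FALSE;
    }
    CFunction getUserName = (CFunction)GetProcAddress(libraryHandle, "GetUserNameA");
    if(getUserName == NULL)
    {
        SetLastError(ERROR_PROC_NOT_FOUND);
        return FALSE;
    }
    return getUserName(input, buffer);
}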
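/// DLL entry point. Loads the real ADVAPI32.dll once so GetUserNameA can forward
/// to it, and releases it again when this DLL is unloaded.
/// @param module   this DLL's own module handle (unused).
/// @param action   DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / thread notifications.
/// @param reserved on DLL_PROCESS_DETACH, NULL means an orderly FreeLibrary
///                 unload; non-NULL means the process is terminating.
/// @return FALSE only when ADVAPI32.dll cannot be loaded, which makes the loader
///         fail MainServer's import instead of letting a later GetUserNameA call
///         run through a NULL handle.
///
/// Changes from the original: LoadLibraryA ran on every notification (leaking a
/// module reference each time a thread started), and the shutdown branch was
/// keyed on DLL_THREAD_ATTACH, which fires on thread creation, not on unload.
BOOL WINAPI DllMain(HMODULE module,DWORD action,LPVOID reserved)
{
    switch(action)
    {
    case DLL_PROCESS_ATTACH:
        // LoadLibrary inside DllMain is discouraged (loader lock held); it is
        // tolerated here because ADVAPI32 is a system DLL that is normally
        // already mapped, so this only adds a reference.
        libraryHandle = LoadLibraryA("ADVAPI32.dll");
        if(libraryHandle == NULL)
        {
            return FALSE;
        }
        // Startup Functions
        break;
    case DLL_PROCESS_DETACH:
        // Shutdown Functions
        // Release the reference only on an orderly unload; during process
        // termination other modules may already be gone.
        if(reserved == NULL && libraryHandle != NULL)
        {
            FreeLibrary(libraryHandle);
            libraryHandle = NULL;
        }
        break;
    }
    return TRUE;
}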
Step 3 - Injector Class
Now we wish to create a class handling our actions.
And here is the class, plus an example of an injected function. KalHook::MemoryCopy and KalHook::Intercept bluntly stolen from Bakabug.
KalHooks.cpp
#include "stdafx.h"
#include "KalHook.h"
namespace Sword
{
    ///
    /// DLL Loading. Invoked from DllMain (see dllmain.cpp) and applies every
    /// patch; at present that is only DisableExperienceLoss().
    ///
    void KalHook::Attach()
    {
        this->DisableExperienceLoss();
    }
    ///
    /// DLL Unloading. Nothing is undone here: the bytes written by Attach()
    /// stay in place for the rest of the process lifetime.
    ///
    void KalHook::Detach()
    {
    }
    ///
    /// Disable experience loss when dying.
    ///
    /// Overwrites the 4 bytes at the fixed address 0x004643A0 inside MainServer
    /// with C2 04 00 90, i.e. x86 "ret 4" followed by a NOP, so the routine
    /// starting there returns to its caller immediately.
    /// NOTE(review): the address comes from the author's build of MainServer.exe;
    /// on any other build the same bytes land in unrelated code and corrupt it.
    /// Confirm the address against the binary actually being run.
    /// NOTE(review): "ret 4" pops one 4-byte argument; that the patched routine
    /// really takes exactly one stack argument is not verifiable from this file.
    ///
    void KalHook::DisableExperienceLoss()
    {
        unsigned char myCode[4] = {0xC2, 0x04, 0x00, 0x90};
        // &myCode is the address of the local array. MemoryCopy also flips that
        // stack page to RWX, which a read-only source does not need.
        this->MemoryCopy((DWORD)0x004643A0,(DWORD)&myCode,4);
    }
    ///
    /// Thread safe memory copying (address changing).
    ///
    /// Makes both the source and destination ranges PAGE_EXECUTE_READWRITE,
    /// copies length bytes, then restores the previous protection of each.
    /// Addresses are DWORD, so this only works in a 32-bit process (consistent
    /// with the 0x004643A0 address above).
    /// @return destination, as a pointer.
    /// NOTE(review): nothing here synchronises with other threads, so the
    /// "thread safe" claim in the header is not established by this code;
    /// another thread can execute destination while it is half-written.
    /// NOTE(review): all four VirtualProtect results are ignored. If the
    /// destination call fails, memcpy likely faults on a still-protected page
    /// rather than reporting an error.
    ///
    LPVOID KalHook::MemoryCopy(DWORD destination, DWORD source, int length)
    {
        DWORD oldSource = 0;
        DWORD oldDestination = 0;
        VirtualProtect((LPVOID)source,length,PAGE_EXECUTE_READWRITE,&oldSource);
        VirtualProtect((LPVOID)destination,length,PAGE_EXECUTE_READWRITE,&oldDestination);
        memcpy((void*)destination,(void*)source,length);
        // Restore the saved protections; reusing the out-parameters just
        // discards the RWX value written by the calls above.
        VirtualProtect((LPVOID)destination,length,oldDestination,&oldDestination);
        VirtualProtect((LPVOID)source,length,oldSource,&oldSource);
        return (LPVOID)destination;
    }; // stray ';' after the function body is harmless but unneeded
    ///
    /// Intercept a instruction into the memory.
    ///
    /// Builds a length-byte patch filled with NOP (0x90) and writes it at source.
    /// What destination means depends on instruction:
    ///  - any opcode other than INST_NOP with length >= 5: a 5-byte
    ///    "opcode rel32" is placed in the last 5 bytes, rel32 computed so it
    ///    reaches the absolute address destination;
    ///  - SHORT_JZ: destination is stored as the 1-byte displacement at offset 1
    ///    (with length >= 5 the branch above also runs first);
    ///  - INST_BYTE: the low byte of destination is stored at offset 0;
    ///  - INST_NOP: the patch is pure NOP fill.
    /// @return on the rel32 path, the absolute target the 5-byte instruction
    ///         previously at source pointed to (read before it is overwritten),
    ///         presumably so a caller can chain to it. On every other path
    ///         realTarget is never assigned and the returned value is
    ///         indeterminate (reading it is undefined behaviour).
    /// NOTE(review): length <= 0 makes new BYTE[length] and memset ill-defined;
    /// nothing validates it.
    ///
    DWORD KalHook::Intercept(int instruction, DWORD source, DWORD destination, int length)
    {
        DWORD realTarget; // assigned only on the rel32 path below
        LPBYTE buffer = new BYTE[length];
        memset(buffer,0x90,length);
        if(instruction != INST_NOP && length >= 5)
        {
            // Opcode goes at the start of the final 5 bytes; everything before stays NOP.
            buffer[(length-5)] = instruction;
            // rel32 is relative to the end of the 5-byte instruction at source+(length-5).
            DWORD dwJMP = (DWORD)destination - (source + 5 + (length-5));
            // Read the displacement of whatever is at source now and resolve it to an
            // absolute address; assumes that is itself an opcode+rel32 instruction.
            memcpy(&realTarget,(void*)(source+1),4);
            realTarget = realTarget + source + 5;
            memcpy(buffer + 1 + (length - 5),&dwJMP,4);
        }
        if(instruction == SHORT_JZ)
        {
            buffer[0] = instruction;
            buffer[1] = (BYTE)destination;
        }
        if(instruction == INST_BYTE)
        {
            buffer[0] = (BYTE)destination;
        }
        // MemoryCopy also changes the protection of this heap buffer; harmless but unneeded.
        this->MemoryCopy(source,(DWORD)buffer,length);
        delete[] buffer;
        return realTarget;
    }
}
KalHooks.h
///
/// KalOnline DLL hook handler.
///
/// By Windcape and KingIzu.
///
// Byte values understood by KalHook::Intercept. All but INST_BYTE are x86
// opcodes; INST_BYTE is a mode marker meaning "store destination as one raw byte".
#define INST_NOP 0x90    // NOP; also the fill byte Intercept pads with
#define INST_CALL 0xE8   // CALL rel32 (5 bytes) - intended for Intercept's rel32 path
#define INST_JMP 0xE9    // JMP rel32 (5 bytes) - intended for Intercept's rel32 path
#define INST_BYTE 0x00   // not an opcode here: Intercept writes (BYTE)destination at source
#define SHORT_JZ 0x74    // JZ rel8 (2 bytes): Intercept stores (BYTE)destination as the displacement
namespace Sword
{
    /// Patches the hosting MainServer process in place: Attach() applies the
    /// memory edits, MemoryCopy/Intercept are the raw write primitives.
    ///
    /// NOTE(review): DWORD/LPVOID come from <windows.h>; this header has no
    /// includes and no include guard, so it relies on being included after
    /// stdafx.h, as KalHooks.cpp and dllmain.cpp do.
    class KalHook
    {
    public:
        /// Applies the patches (currently only DisableExperienceLoss).
        void Attach();
        /// Intended for DLL unload; currently empty. dllmain.cpp as written
        /// calls it on DLL_THREAD_ATTACH, which fires on thread creation.
        void Detach();
        /// Overwrites 4 bytes at a hard-coded address in MainServer with
        /// "ret 4; nop". The address is specific to one build of the binary.
        void DisableExperienceLoss();
    private:
        /// Copies length bytes from source to destination after making both
        /// ranges PAGE_EXECUTE_READWRITE, then restores the old protection.
        /// Returns destination. Not synchronised with other threads.
        LPVOID MemoryCopy(DWORD destination, DWORD source, int length);
        /// Writes a NOP-padded instruction of the given opcode at source; the
        /// meaning of destination depends on instruction (see KalHooks.cpp).
        /// The return value is only assigned on the 5-byte rel32 path.
        DWORD Intercept(int instruction, DWORD source, DWORD destination, int length);
    };
};
And now change dllmain.cpp to the following
#include "stdafx.h"
#include "KalHook.h"
/// Handle of the real ADVAPI32.dll. Set in DllMain and read by GetUserNameA to
/// forward the proxied call. Static storage, so it is NULL until DllMain runs.
HMODULE libraryHandle;
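///
/// Implementation of the WINBASE.H method GetUserNameA().
/// Required for proxying the ADVAPI32.dll library: after Step 1 MainServer's
/// import table names KalHooks.dll instead of ADVAPI32.dll, so its call arrives
/// here and is forwarded to the real ADVAPI32.dll that DllMain loaded.
///
/// @param input  buffer receiving the user name (lpBuffer in the real API).
/// @param buffer in: size of input in characters; out: characters used or needed
///               (pcbBuffer in the real API).
/// @return the real function's result, or FALSE with ERROR_MOD_NOT_FOUND /
///         ERROR_PROC_NOT_FOUND when forwarding is impossible. The original
///         returned through a NULL function pointer in that case and crashed.
///
_declspec(dllexport) BOOL WINAPI GetUserNameA(LPSTR input, LPDWORD buffer)
{
    typedef BOOL (WINAPI* CFunction)(LPSTR input,LPDWORD buffer);
    // libraryHandle is only valid once DllMain has loaded ADVAPI32 successfully.
    if(libraryHandle == NULL)
    {
        SetLastError(ERROR_MOD_NOT_FOUND);
        return FALSE;
    }
    CFunction getUserName = (CFunction)GetProcAddress(libraryHandle, "GetUserNameA");
    if(getUserName == NULL)
    {
        SetLastError(ERROR_PROC_NOT_FOUND);
        return FALSE;
    }
    return getUserName(input, buffer);
}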
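///
/// Initialize and attach the KalHooks class to the DLL loading
/// allowing us to do inline assembler and memory editing.
///
/// @param module   this DLL's own module handle (unused).
/// @param action   DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / thread notifications.
/// @param reserved on DLL_PROCESS_DETACH, NULL means an orderly FreeLibrary
///                 unload; non-NULL means the process is terminating.
/// @return FALSE only when ADVAPI32.dll cannot be loaded, which makes the loader
///         fail MainServer's import instead of letting a later GetUserNameA call
///         run through a NULL handle.
///
/// Changes from the original: ADVAPI32 is loaded once on DLL_PROCESS_ATTACH
/// (it used to be loaded, and a new KalHook leaked, on every notification), and
/// Detach runs on DLL_PROCESS_DETACH instead of DLL_THREAD_ATTACH, which fires
/// every time MainServer creates a thread.
///
BOOL WINAPI DllMain(HMODULE module,DWORD action,LPVOID reserved)
{
    // One hook object for the lifetime of the module.
    static Sword::KalHook hook;
    switch(action)
    {
    case DLL_PROCESS_ATTACH:
        // LoadLibrary inside DllMain is discouraged (loader lock held); it is
        // tolerated here because ADVAPI32 is a system DLL that is normally
        // already mapped, so this only adds a reference.
        libraryHandle = LoadLibraryA("ADVAPI32.dll");
        if(libraryHandle == NULL)
        {
            return FALSE;
        }
        hook.Attach();
        break;
    case DLL_PROCESS_DETACH:
        hook.Detach();
        // Release the reference only on an orderly unload; during process
        // termination other modules may already be gone.
        if(reserved == NULL && libraryHandle != NULL)
        {
            FreeLibrary(libraryHandle);
            libraryHandle = NULL;
        }
        break;
    }
    return TRUE;
}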
Step 4 - Finalizing
Before we compile, one more important addition is required.
Due to an error made in the 70's by the Windows C developers, DLLs are compiled by default with a _ (underscore) prefixed to each function name.
Since the MainServer cannot handle this, we need to create a new file to ensure the underscores are not added.
Simply add a file named Exports.def to your project, with the following content:
; Module-definition file: exports the entry points under their plain names so
; MainServer's import of GetUserNameA resolves against this DLL. The
; "underscore" of Step 4 is the stdcall name decoration (_Name@N) that a
; 32-bit WINAPI function would otherwise be exported with.
LIBRARY "KalHooks"
EXPORTS
GetUserNameA
; NOTE(review): the loader reaches DllMain through the PE entry point, so
; listing it here is not required for it to run; it is harmless either way.
DllMain
Step 5 - Compiling
Compile (Make sure to compile to Release!), and copy your new KalHooks.dll into your MainServer folder.
Once this is done, run the MainServer and cross your fingers that you did not do any ASM hacks that didn't work.