Created
October 22, 2012 21:58
-
-
Save ZeusAFK/3934802 to your computer and use it in GitHub Desktop.
bypass code for knightonline
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include "stdafx.h" | |
#include <Windows.h> | |
#include <stdio.h> | |
#include <iostream> | |
#include <stdlib.h> | |
#include <fstream> | |
#include <strsafe.h> | |
using namespace std; | |
DWORD ProcessID; | |
HANDLE ProcessHandle; | |
HWND WindowsHandle; | |
DWORD currentSend1; | |
BYTE ADR1 []= {0x57,0x8B,0xEC,0x83,0xEC,0x00,0x53,0x56,0x57,0x89,0x4D,0xE0}; | |
BYTE ADR2 []= {0x84,0xC6,0x00,0x85,0xDB,0x75,0x00,0x55,0xFF,0x00,0x00,0x00,0x00,0x83,0xC6,0x00,0x33,0x00}; | |
BYTE SCAN1 []= {0x8C,0x45,0x00,0x0A,0xC2,0x0A,0x45,0x00,0x8C,0x7D,0xDC,0x00}; | |
BYTE SCAN2 []= {0x8C,0x55,0x00,0x59,0xFF,0x00,0x00,0x00,0x83,0xC4,0x14,0x89,0x45,0x00,0x83,0x7D,0xE4,0x00}; | |
BYTE DETECT1 []= {0x8C,0x53,0x49,0x14,0xC9,0x23,0x55,0x55,0x00,0x7D,0xDC,0x00}; | |
void WriteMemory(void *adr, void *ptr, int size) | |
{ | |
DWORD OldProtection; | |
VirtualProtect(adr, size, PAGE_EXECUTE_READWRITE, &OldProtection); | |
memcpy(adr, ptr, size); | |
//ErrorExit(TEXT("memcpy")); | |
VirtualProtect(adr, size, OldProtection, &OldProtection); | |
} | |
typedef unsigned char byte; | |
int ReadMemory(void *addr, bool wait, bool debug) | |
{ | |
byte Bytes[] = {0x0, 0x0, 0x0, 0x0}; | |
DWORD OldProtection; | |
VirtualProtect(addr, 4L, PAGE_EXECUTE_READWRITE, &OldProtection); | |
if(debug){ | |
printf("Changed memory permission access of 0x%x from 0x%x to 0x%x\n", addr, OldProtection, PAGE_EXECUTE_READWRITE); | |
printf("Buffer status: \t0x%x, 0x%x, 0x%x, 0x%x\n", Bytes[3], Bytes[2], Bytes[1], Bytes[0]); | |
} | |
int value = 0; | |
while(1) | |
{ | |
bool again = false; | |
ReadProcessMemory(ProcessHandle, addr, &Bytes, 4L, 0L); | |
if(debug) | |
printf("Readed bytes in address 0x%x: \t0x%x, 0x%x, 0x%x, 0x%x\n", addr, Bytes[3], Bytes[2], Bytes[1], Bytes[0]); | |
value = 0; | |
value = (value << 8) + Bytes[3]; | |
value = (value << 8) + Bytes[2]; | |
value = (value << 8) + Bytes[1]; | |
value = (value << 8) + Bytes[0]; | |
if((value == 0xFFFFFFFF) || (value == 0x00000000)){ | |
value = -1; | |
again = wait; | |
} | |
if(!again) break; | |
Sleep(2000); | |
} | |
VirtualProtect(addr, 4L, OldProtection, &OldProtection); | |
return value; | |
} | |
void ReadCharacterInfo() | |
{ | |
printf("Character HP: %x\n", ReadMemory((void *)(ReadMemory((void *)0xD74C9C, true, true) + 0x6B4), true, true)); | |
} | |
/*void WallHack() | |
{ | |
printf("Wall Hack Address value: %x\n", ReadMemory((void *)(ReadMemory((void *)0xD74C9C, false, false) + 0x6B8), false, false)); | |
DWORD mem_base = (*(DWORD*)(0xD74C9C)); | |
//*(DWORD*)(mem_base + 0x6B8) = 0; | |
//printf("Wall Hack Address value: %x\n", ReadMemory((void *)(ReadMemory((void *)0xD74C9C, true, false) + 0x6B8), true, false)); | |
WriteMemory((void *)(ReadMemory((void *)0xD74C9C, false, false) + 0x6B8), (void *)"\x00", 1); | |
printf("Wall Hack Address value: %x\n", ReadMemory((void *)(ReadMemory((void *)0xD74C9C, false, false) + 0x6B8), true, true)); | |
Sleep(5000); | |
}*/ | |
void SND_FIX() { | |
switch ((*(BYTE*)(0xCEED20))) { | |
case 0x16: | |
__asm mov currentSend1, 0 | |
break; | |
case 0x17: | |
__asm mov currentSend1, 1 | |
break; | |
case 0x14: | |
__asm mov currentSend1, 2 | |
break; | |
case 0x15: | |
__asm mov currentSend1, 3 | |
break; | |
case 0x12: | |
__asm mov currentSend1, 4 | |
break; | |
case 0x13: | |
__asm mov currentSend1, 5 | |
break; | |
case 0x10: | |
__asm mov currentSend1, 6 | |
break; | |
case 0x11: | |
__asm mov currentSend1, 7 | |
break; | |
case 0x1E: | |
__asm mov currentSend1, 8 | |
break; | |
case 0x1F: | |
__asm mov currentSend1, 9 | |
break; | |
} | |
} | |
void AttachProcess(LPTSTR WindowsName) | |
{ | |
printf("Waiting for FindWindowA...\n"); | |
while(1) | |
{ | |
WindowsHandle = FindWindowA(NULL, WindowsName); | |
if(WindowsHandle) | |
{ | |
printf("FindWindowA: %x\n", (DWORD)WindowsHandle); | |
printf("Waiting for GetWindowThreadProcessId...\n"); | |
int addresses[] = {0xD74C9C, 0xD74D54, 0xD74D20, 0x476762, 0xCEED20, 0x835DD0, 0xD74C98}; | |
while(1) | |
{ | |
GetWindowThreadProcessId(WindowsHandle, &ProcessID); | |
if(ProcessID) | |
{ | |
printf("GetWindowThreadProcssId: %x\n", ProcessID); | |
ProcessHandle = OpenProcess(0x1F0FFF, false, (DWORD)ProcessID); | |
printf("OpenProcess: %x\n", (DWORD)ProcessHandle); | |
DWORD oldProtection; | |
VirtualProtectEx(ProcessHandle, (LPVOID)0xD74C9C, 4L, PAGE_EXECUTE_READWRITE, &oldProtection); | |
printf("Changed memory permission access of 0xD7C9C from 0x%x to 0x%x\n", oldProtection, PAGE_EXECUTE_READWRITE); | |
SND_FIX(); | |
break; | |
} | |
} | |
//system("start c:\\ads\\koxp.exe"); | |
//while(1) | |
//{ | |
//printf("Wall hack injecting...\n"); | |
//WallHack(); | |
//printf("Starting threads...\n"); | |
//ReadCharacterInfo(); | |
//WallHack(); | |
//} | |
break; | |
} | |
} | |
} | |
void HackShield_Bypass (void) | |
{ | |
DWORD w3pro = 0; | |
while(1) | |
{ | |
DWORD ehsvc = (DWORD)GetModuleHandle("ehsvc.dll"); | |
//w3pro = (DWORD)GetModuleHandleA("v3pro32s.dll"); | |
if(ehsvc) | |
{ | |
//printf("EhSvc.dll handle = 0x%x\n", ehsvc); | |
/*for ( int j =1; j <= 40; j++) | |
{ | |
char bump[255]; | |
sprintf(bump,"%d",j); | |
DWORD Function = (DWORD)GetProcAddress((HMODULE)ehsvc, bump); | |
printf("[EhSvc] Function %d address: 0x%x\n", j, Function); | |
printf("[EhSvc] Function %d relative address: 0x%x\n\n", j, (Function - ehsvc)); | |
//printf("[HS] HackShield Function Adress: 0x%.4x%d\n", Function); | |
}*/ | |
//int x; | |
//for(x = 1; x < 37; x++) | |
//{ | |
// DWORD CurrentProc = (DWORD)GetProcAddress((HMODULE)ehsvc, x + ""); | |
// printf("Procedure address %n: 0x%x\n", x, CurrentProc); | |
//} | |
//printf("v3pro32s.dll handle = %x\n", w3pro); | |
//WriteMemory((void *)(ehsvc + 0x9FB0), (void *)"\x74\x15", 2); | |
//WriteMemory((void *)(ehsvc + 0x7B4EC), (void *)"\xC3", 1); | |
//WriteMemory((void *)(ehsvc + 0x3CB2E), (void *)"\x03\xD2", 2); | |
//WriteMemory((void *)(ehsvc + 0x39F6F), (void *)"\xB8\x00\x00\x00\x00", 5); | |
WriteMemory((void *)(ehsvc + 0x09FB0), (void *)"\xC2\x04\x00", 3); | |
WriteMemory((void *)(ehsvc + 0x2BF41), (void *)"\x90\x90", 2); | |
WriteMemory((void *)(ehsvc + 0x3CBA4), (void *)"\x90\x90", 2); | |
WriteMemory((void *)(ehsvc + 0x7B4EC), (void *)"\xC2\x04\x00",3); | |
WriteMemory((void *)(ehsvc + 0x3CB2E), (void *)"\xB8\x01\x00\x00\x00\xC3",6); | |
WriteMemory((void *)(ehsvc + 0x39F6F), (void *)"\xB8\x01\x00\x00\x00\xC3",6); | |
WriteMemory((void *)(ehsvc + 0x3BFE6), (void *)"\xB8\x01\x00\x00\x00\xC3",6); | |
Sleep(1000); | |
AttachProcess("Knight OnLine Client"); | |
break; | |
} | |
} | |
/* | |
while(1) | |
{ | |
DWORD ehsvc = (DWORD)GetModuleHandle("ehsvc.dll"); | |
if(ehsvc) | |
{ | |
printf("EhSvc handle = %x\n", ehsvc); | |
WriteMemory((void*)(ehsvc + 0xA048), (void*)"\x74\x15", 2); | |
WriteMemory((void*)(ehsvc + 0x7BF79), (void*)"\xC3", 1); | |
WriteMemory((void*)(ehsvc + 0x9A270), (void*)"\x03\xD2", 2); | |
WriteMemory((void*)(ehsvc + 0x97CBF), (void*)"\xB8\x00\x00\x00\x00", 5); | |
AttachProcess("Knight OnLine Client"); | |
break; | |
//DWORD AdressPointer = (*(DWORD*)(0xD74C9C)); | |
} | |
} | |
*/ | |
} | |
DWORD RDWORD(DWORD addr){ | |
DWORD retval; | |
__asm { | |
mov ebx,[addr] | |
xor eax,eax | |
mov eax,DWORD PTR DS:[ebx] | |
mov retval,eax | |
} | |
return retval; | |
} | |
void MDWORD(DWORD addr, DWORD pval){ | |
__asm { | |
mov ebx,addr | |
xor eax,eax | |
mov eax,pval | |
mov DWORD PTR DS:[ebx],eax | |
} | |
} | |
void WallHack(int Current){ | |
DWORD ADDR_CHARB = RDWORD(0xD74C9C); | |
switch(Current){ | |
case 1: | |
MDWORD(ADDR_CHARB + 0x6B8, 0); | |
cout << ">> Message: WallHack Activated ! " << endl; | |
break; | |
case 0: | |
MDWORD(ADDR_CHARB + 0x6B8, 1); | |
cout << ">> Message: WallHack Deactivated" << endl; | |
break; | |
} | |
} | |
DWORD CharHP(){ | |
DWORD ADDR_CHARB = RDWORD(0xD74C9C); | |
return RDWORD(ADDR_CHARB + 0x6B4); | |
} | |
DWORD CharMP(){ | |
DWORD ADDR_CHARB = RDWORD(0xD74C9C); | |
return RDWORD(ADDR_CHARB + 0xC50); | |
} | |
void SendPackets(BYTE* packets,size_t sizes) { | |
SND_FIX(); | |
__asm { | |
mov ecx, 0xD74D20 | |
mov ecx, dword ptr ds:[ecx] | |
mov eax, currentSend1 | |
push sizes | |
push packets | |
call [eax*4+ecx+4008Ch] | |
} | |
} | |
#define CopyBytes(Dest,Src) memcpy(Dest, (BYTE*)&Src, sizeof(Src)) | |
void run(float x, float y, short mode) { | |
BYTE pBytes1[] = { 0x06,0 ,0 ,0 ,0 ,0x2F, 0x00, 0x2D, 0x00, mode}; | |
WORD buffer(0); | |
buffer=((int) x) * 10; | |
CopyBytes(pBytes1 + 1, buffer); | |
buffer=((int) y) * 10; | |
CopyBytes(pBytes1 + 3, buffer); | |
SendPackets(pBytes1, sizeof(pBytes1)); | |
} | |
void SpeedHack(float nx, float ny) { | |
DWORD ADDR_CHRB = RDWORD(0xD74C9C); | |
float x =*(FLOAT*)(ADDR_CHRB + 0xD8); | |
float y =*(FLOAT*)(ADDR_CHRB + 0xE0); | |
run(x, y, 1); | |
float i, yy; | |
BOOL allowX = TRUE; | |
BOOL allowY = TRUE; | |
for ( i = x, yy = y; ((i < nx) || (yy < ny)) || ((i > nx) || (yy > ny)); ) { | |
BOOL op = FALSE; | |
BOOL opy = FALSE; | |
float bX = i; | |
float bY = yy; | |
if (i < nx && allowX) { | |
op = TRUE; | |
i += 7.0; | |
} | |
if (yy < ny && allowY) { | |
if (opy == TRUE) allowY = FALSE; | |
opy = TRUE; | |
yy += 7.0; | |
} | |
if (i > nx && allowX) { | |
if (op == TRUE) allowX = false; | |
i -= 7.0; | |
} | |
if (yy > ny && allowY) { | |
if (opy == TRUE) allowY =FALSE; | |
yy -= 7.0; | |
} | |
if (!allowX && !allowY) break; | |
if (bX == i && bY == yy) break; | |
run(i, yy, 3); | |
Sleep(41); | |
} | |
run(nx, ny, 3); | |
run(nx, ny, 0); | |
run(x, y, 1); | |
} | |
void socket(BYTE Packet[]){ | |
SendPackets(Packet,sizeof(Packet)); | |
} | |
void UpdateMouse(){ | |
DWORD ADDR_CHRB = RDWORD(0xD74C9C); | |
float CharX =*(FLOAT*)(ADDR_CHRB + 0xD8); | |
float CharY =*(FLOAT*)(ADDR_CHRB + 0xE0); | |
for(int i = 1; i < 1000; i++){ | |
float MouseX1 =*(FLOAT*)(ADDR_CHRB + 0xD84 + i); | |
float MouseX2 =*(FLOAT*)(ADDR_CHRB + 0xD84 - i); | |
float MouseY1 =*(FLOAT*)(ADDR_CHRB + 0xD8C + i); | |
float MouseY2 =*(FLOAT*)(ADDR_CHRB + 0xD8C - i); | |
if(MouseX1 < 0) MouseX1 *= -1; | |
if(MouseX2 < 0) MouseX2 *= -1; | |
if(CharX < 0) CharX *= -1; | |
if(MouseY1 < 0) MouseY1 *= -1; | |
if(MouseY2 < 0) MouseY2 *= -1; | |
if(CharY < 0) CharY *= -1; | |
float value_1 = 0; | |
if(CharX > MouseX1) value_1 = CharX - MouseX1; else value_1 = MouseX1 - CharX; | |
if(value_1 > 1 && value_1 < 10) | |
printf("MX + %d: %f\n", i, MouseX1); | |
float value_2 = 0; | |
if(CharX > MouseX2) value_2 = CharX - MouseX2; else value_2 = MouseX2 - CharX; | |
if(value_2 > 1 && value_2 < 10) | |
printf("MX - %d: %f\n", i, MouseX2); | |
float value_3 = 0; | |
if(CharY > MouseY1) value_3 = CharY - MouseY1; else value_3 = MouseY1 - CharY; | |
if(value_3 > 1 && value_3 < 10) | |
printf("MY + %d: %f\n", i, MouseY1); | |
float value_4 = 0; | |
if(CharY > MouseY2) value_4 = CharY - MouseY2; else value_4 = MouseY2 - CharY; | |
if(value_4 > 1 && value_4 < 10) | |
printf("MY - %d: %f\n", i, MouseY2); | |
} | |
} | |
void hotkeys(){ | |
while(true){ | |
if(GetAsyncKeyState(VK_HOME)){ | |
printf("Character HP: %d\n",CharHP()); | |
printf("Character MP: %d\n",CharMP()); | |
WallHack(1); | |
} | |
Sleep(100); | |
if(GetAsyncKeyState(VK_END)){ | |
WallHack(0); | |
} | |
Sleep(100); | |
int VK_F = 0x58; // "F" | |
if(GetAsyncKeyState(VK_F)){ | |
BYTE TOWN[] = {0x48, 0x00}; | |
socket(TOWN); | |
cout << "<< TOWN ! >>"; | |
} | |
if(GetAsyncKeyState(VK_SPACE)){ | |
DWORD ADDR_CHRB =RDWORD(0xD74C9C); | |
float CharX =*(FLOAT*)(ADDR_CHRB + 0xD8); | |
float CharY =*(FLOAT*)(ADDR_CHRB + 0xE0); | |
float MouseX =*(FLOAT*)(ADDR_CHRB + 0xEF4); | |
float MouseY =*(FLOAT*)(ADDR_CHRB + 0xEFC); | |
//printf("printing coords...\n"); | |
//printf("CX: %f, CY: %f, MX: %f, MY: %f\n", CharX, CharY, MouseX, MouseY); | |
if(((CharX - MouseX) < 5) || ((CharY - MouseY) < 5) || ((MouseX - CharX) < 5) || ((MouseY - CharY) < 5)){ | |
printf("Teleporting to: %f, %f\n", MouseX, MouseY); | |
SpeedHack(MouseX, MouseY); | |
printf("Ready.\n"); | |
//UpdateMouse(); | |
} | |
} | |
Sleep(100); | |
} | |
} | |
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) | |
{ | |
switch (ul_reason_for_call) | |
{ | |
case DLL_PROCESS_ATTACH: | |
AllocConsole(); | |
AttachConsole(GetCurrentProcessId()); | |
freopen("CON","w",stdout); | |
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)HackShield_Bypass, 0, 0, 0); | |
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)hotkeys, 0, 0, 0); | |
case DLL_THREAD_ATTACH: | |
case DLL_THREAD_DETACH: | |
case DLL_PROCESS_DETACH: | |
break; | |
} | |
return TRUE; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment