Skip to content

Instantly share code, notes, and snippets.

@ZeusAFK
Created October 22, 2012 21:58
Show Gist options
  • Save ZeusAFK/3934802 to your computer and use it in GitHub Desktop.
Save ZeusAFK/3934802 to your computer and use it in GitHub Desktop.
bypass code for knightonline
#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include <iostream>
#include <stdlib.h>
#include <fstream>
#include <strsafe.h>
using namespace std;
DWORD ProcessID;
HANDLE ProcessHandle;
HWND WindowsHandle;
DWORD currentSend1;
BYTE ADR1 []= {0x57,0x8B,0xEC,0x83,0xEC,0x00,0x53,0x56,0x57,0x89,0x4D,0xE0};
BYTE ADR2 []= {0x84,0xC6,0x00,0x85,0xDB,0x75,0x00,0x55,0xFF,0x00,0x00,0x00,0x00,0x83,0xC6,0x00,0x33,0x00};
BYTE SCAN1 []= {0x8C,0x45,0x00,0x0A,0xC2,0x0A,0x45,0x00,0x8C,0x7D,0xDC,0x00};
BYTE SCAN2 []= {0x8C,0x55,0x00,0x59,0xFF,0x00,0x00,0x00,0x83,0xC4,0x14,0x89,0x45,0x00,0x83,0x7D,0xE4,0x00};
BYTE DETECT1 []= {0x8C,0x53,0x49,0x14,0xC9,0x23,0x55,0x55,0x00,0x7D,0xDC,0x00};
void WriteMemory(void *adr, void *ptr, int size)
{
DWORD OldProtection;
VirtualProtect(adr, size, PAGE_EXECUTE_READWRITE, &OldProtection);
memcpy(adr, ptr, size);
//ErrorExit(TEXT("memcpy"));
VirtualProtect(adr, size, OldProtection, &OldProtection);
}
typedef unsigned char byte;
int ReadMemory(void *addr, bool wait, bool debug)
{
byte Bytes[] = {0x0, 0x0, 0x0, 0x0};
DWORD OldProtection;
VirtualProtect(addr, 4L, PAGE_EXECUTE_READWRITE, &OldProtection);
if(debug){
printf("Changed memory permission access of 0x%x from 0x%x to 0x%x\n", addr, OldProtection, PAGE_EXECUTE_READWRITE);
printf("Buffer status: \t0x%x, 0x%x, 0x%x, 0x%x\n", Bytes[3], Bytes[2], Bytes[1], Bytes[0]);
}
int value = 0;
while(1)
{
bool again = false;
ReadProcessMemory(ProcessHandle, addr, &Bytes, 4L, 0L);
if(debug)
printf("Readed bytes in address 0x%x: \t0x%x, 0x%x, 0x%x, 0x%x\n", addr, Bytes[3], Bytes[2], Bytes[1], Bytes[0]);
value = 0;
value = (value << 8) + Bytes[3];
value = (value << 8) + Bytes[2];
value = (value << 8) + Bytes[1];
value = (value << 8) + Bytes[0];
if((value == 0xFFFFFFFF) || (value == 0x00000000)){
value = -1;
again = wait;
}
if(!again) break;
Sleep(2000);
}
VirtualProtect(addr, 4L, OldProtection, &OldProtection);
return value;
}
void ReadCharacterInfo()
{
printf("Character HP: %x\n", ReadMemory((void *)(ReadMemory((void *)0xD74C9C, true, true) + 0x6B4), true, true));
}
/*void WallHack()
{
printf("Wall Hack Address value: %x\n", ReadMemory((void *)(ReadMemory((void *)0xD74C9C, false, false) + 0x6B8), false, false));
DWORD mem_base = (*(DWORD*)(0xD74C9C));
//*(DWORD*)(mem_base + 0x6B8) = 0;
//printf("Wall Hack Address value: %x\n", ReadMemory((void *)(ReadMemory((void *)0xD74C9C, true, false) + 0x6B8), true, false));
WriteMemory((void *)(ReadMemory((void *)0xD74C9C, false, false) + 0x6B8), (void *)"\x00", 1);
printf("Wall Hack Address value: %x\n", ReadMemory((void *)(ReadMemory((void *)0xD74C9C, false, false) + 0x6B8), true, true));
Sleep(5000);
}*/
void SND_FIX() {
switch ((*(BYTE*)(0xCEED20))) {
case 0x16:
__asm mov currentSend1, 0
break;
case 0x17:
__asm mov currentSend1, 1
break;
case 0x14:
__asm mov currentSend1, 2
break;
case 0x15:
__asm mov currentSend1, 3
break;
case 0x12:
__asm mov currentSend1, 4
break;
case 0x13:
__asm mov currentSend1, 5
break;
case 0x10:
__asm mov currentSend1, 6
break;
case 0x11:
__asm mov currentSend1, 7
break;
case 0x1E:
__asm mov currentSend1, 8
break;
case 0x1F:
__asm mov currentSend1, 9
break;
}
}
void AttachProcess(LPTSTR WindowsName)
{
printf("Waiting for FindWindowA...\n");
while(1)
{
WindowsHandle = FindWindowA(NULL, WindowsName);
if(WindowsHandle)
{
printf("FindWindowA: %x\n", (DWORD)WindowsHandle);
printf("Waiting for GetWindowThreadProcessId...\n");
int addresses[] = {0xD74C9C, 0xD74D54, 0xD74D20, 0x476762, 0xCEED20, 0x835DD0, 0xD74C98};
while(1)
{
GetWindowThreadProcessId(WindowsHandle, &ProcessID);
if(ProcessID)
{
printf("GetWindowThreadProcssId: %x\n", ProcessID);
ProcessHandle = OpenProcess(0x1F0FFF, false, (DWORD)ProcessID);
printf("OpenProcess: %x\n", (DWORD)ProcessHandle);
DWORD oldProtection;
VirtualProtectEx(ProcessHandle, (LPVOID)0xD74C9C, 4L, PAGE_EXECUTE_READWRITE, &oldProtection);
printf("Changed memory permission access of 0xD7C9C from 0x%x to 0x%x\n", oldProtection, PAGE_EXECUTE_READWRITE);
SND_FIX();
break;
}
}
//system("start c:\\ads\\koxp.exe");
//while(1)
//{
//printf("Wall hack injecting...\n");
//WallHack();
//printf("Starting threads...\n");
//ReadCharacterInfo();
//WallHack();
//}
break;
}
}
}
void HackShield_Bypass (void)
{
DWORD w3pro = 0;
while(1)
{
DWORD ehsvc = (DWORD)GetModuleHandle("ehsvc.dll");
//w3pro = (DWORD)GetModuleHandleA("v3pro32s.dll");
if(ehsvc)
{
//printf("EhSvc.dll handle = 0x%x\n", ehsvc);
/*for ( int j =1; j <= 40; j++)
{
char bump[255];
sprintf(bump,"%d",j);
DWORD Function = (DWORD)GetProcAddress((HMODULE)ehsvc, bump);
printf("[EhSvc] Function %d address: 0x%x\n", j, Function);
printf("[EhSvc] Function %d relative address: 0x%x\n\n", j, (Function - ehsvc));
//printf("[HS] HackShield Function Adress: 0x%.4x%d\n", Function);
}*/
//int x;
//for(x = 1; x < 37; x++)
//{
// DWORD CurrentProc = (DWORD)GetProcAddress((HMODULE)ehsvc, x + "");
// printf("Procedure address %n: 0x%x\n", x, CurrentProc);
//}
//printf("v3pro32s.dll handle = %x\n", w3pro);
//WriteMemory((void *)(ehsvc + 0x9FB0), (void *)"\x74\x15", 2);
//WriteMemory((void *)(ehsvc + 0x7B4EC), (void *)"\xC3", 1);
//WriteMemory((void *)(ehsvc + 0x3CB2E), (void *)"\x03\xD2", 2);
//WriteMemory((void *)(ehsvc + 0x39F6F), (void *)"\xB8\x00\x00\x00\x00", 5);
WriteMemory((void *)(ehsvc + 0x09FB0), (void *)"\xC2\x04\x00", 3);
WriteMemory((void *)(ehsvc + 0x2BF41), (void *)"\x90\x90", 2);
WriteMemory((void *)(ehsvc + 0x3CBA4), (void *)"\x90\x90", 2);
WriteMemory((void *)(ehsvc + 0x7B4EC), (void *)"\xC2\x04\x00",3);
WriteMemory((void *)(ehsvc + 0x3CB2E), (void *)"\xB8\x01\x00\x00\x00\xC3",6);
WriteMemory((void *)(ehsvc + 0x39F6F), (void *)"\xB8\x01\x00\x00\x00\xC3",6);
WriteMemory((void *)(ehsvc + 0x3BFE6), (void *)"\xB8\x01\x00\x00\x00\xC3",6);
Sleep(1000);
AttachProcess("Knight OnLine Client");
break;
}
}
/*
while(1)
{
DWORD ehsvc = (DWORD)GetModuleHandle("ehsvc.dll");
if(ehsvc)
{
printf("EhSvc handle = %x\n", ehsvc);
WriteMemory((void*)(ehsvc + 0xA048), (void*)"\x74\x15", 2);
WriteMemory((void*)(ehsvc + 0x7BF79), (void*)"\xC3", 1);
WriteMemory((void*)(ehsvc + 0x9A270), (void*)"\x03\xD2", 2);
WriteMemory((void*)(ehsvc + 0x97CBF), (void*)"\xB8\x00\x00\x00\x00", 5);
AttachProcess("Knight OnLine Client");
break;
//DWORD AdressPointer = (*(DWORD*)(0xD74C9C));
}
}
*/
}
DWORD RDWORD(DWORD addr){
DWORD retval;
__asm {
mov ebx,[addr]
xor eax,eax
mov eax,DWORD PTR DS:[ebx]
mov retval,eax
}
return retval;
}
void MDWORD(DWORD addr, DWORD pval){
__asm {
mov ebx,addr
xor eax,eax
mov eax,pval
mov DWORD PTR DS:[ebx],eax
}
}
void WallHack(int Current){
DWORD ADDR_CHARB = RDWORD(0xD74C9C);
switch(Current){
case 1:
MDWORD(ADDR_CHARB + 0x6B8, 0);
cout << ">> Message: WallHack Activated ! " << endl;
break;
case 0:
MDWORD(ADDR_CHARB + 0x6B8, 1);
cout << ">> Message: WallHack Deactivated" << endl;
break;
}
}
DWORD CharHP(){
DWORD ADDR_CHARB = RDWORD(0xD74C9C);
return RDWORD(ADDR_CHARB + 0x6B4);
}
DWORD CharMP(){
DWORD ADDR_CHARB = RDWORD(0xD74C9C);
return RDWORD(ADDR_CHARB + 0xC50);
}
void SendPackets(BYTE* packets,size_t sizes) {
SND_FIX();
__asm {
mov ecx, 0xD74D20
mov ecx, dword ptr ds:[ecx]
mov eax, currentSend1
push sizes
push packets
call [eax*4+ecx+4008Ch]
}
}
#define CopyBytes(Dest,Src) memcpy(Dest, (BYTE*)&Src, sizeof(Src))
void run(float x, float y, short mode) {
BYTE pBytes1[] = { 0x06,0 ,0 ,0 ,0 ,0x2F, 0x00, 0x2D, 0x00, mode};
WORD buffer(0);
buffer=((int) x) * 10;
CopyBytes(pBytes1 + 1, buffer);
buffer=((int) y) * 10;
CopyBytes(pBytes1 + 3, buffer);
SendPackets(pBytes1, sizeof(pBytes1));
}
void SpeedHack(float nx, float ny) {
DWORD ADDR_CHRB = RDWORD(0xD74C9C);
float x =*(FLOAT*)(ADDR_CHRB + 0xD8);
float y =*(FLOAT*)(ADDR_CHRB + 0xE0);
run(x, y, 1);
float i, yy;
BOOL allowX = TRUE;
BOOL allowY = TRUE;
for ( i = x, yy = y; ((i < nx) || (yy < ny)) || ((i > nx) || (yy > ny)); ) {
BOOL op = FALSE;
BOOL opy = FALSE;
float bX = i;
float bY = yy;
if (i < nx && allowX) {
op = TRUE;
i += 7.0;
}
if (yy < ny && allowY) {
if (opy == TRUE) allowY = FALSE;
opy = TRUE;
yy += 7.0;
}
if (i > nx && allowX) {
if (op == TRUE) allowX = false;
i -= 7.0;
}
if (yy > ny && allowY) {
if (opy == TRUE) allowY =FALSE;
yy -= 7.0;
}
if (!allowX && !allowY) break;
if (bX == i && bY == yy) break;
run(i, yy, 3);
Sleep(41);
}
run(nx, ny, 3);
run(nx, ny, 0);
run(x, y, 1);
}
void socket(BYTE Packet[]){
SendPackets(Packet,sizeof(Packet));
}
void UpdateMouse(){
DWORD ADDR_CHRB = RDWORD(0xD74C9C);
float CharX =*(FLOAT*)(ADDR_CHRB + 0xD8);
float CharY =*(FLOAT*)(ADDR_CHRB + 0xE0);
for(int i = 1; i < 1000; i++){
float MouseX1 =*(FLOAT*)(ADDR_CHRB + 0xD84 + i);
float MouseX2 =*(FLOAT*)(ADDR_CHRB + 0xD84 - i);
float MouseY1 =*(FLOAT*)(ADDR_CHRB + 0xD8C + i);
float MouseY2 =*(FLOAT*)(ADDR_CHRB + 0xD8C - i);
if(MouseX1 < 0) MouseX1 *= -1;
if(MouseX2 < 0) MouseX2 *= -1;
if(CharX < 0) CharX *= -1;
if(MouseY1 < 0) MouseY1 *= -1;
if(MouseY2 < 0) MouseY2 *= -1;
if(CharY < 0) CharY *= -1;
float value_1 = 0;
if(CharX > MouseX1) value_1 = CharX - MouseX1; else value_1 = MouseX1 - CharX;
if(value_1 > 1 && value_1 < 10)
printf("MX + %d: %f\n", i, MouseX1);
float value_2 = 0;
if(CharX > MouseX2) value_2 = CharX - MouseX2; else value_2 = MouseX2 - CharX;
if(value_2 > 1 && value_2 < 10)
printf("MX - %d: %f\n", i, MouseX2);
float value_3 = 0;
if(CharY > MouseY1) value_3 = CharY - MouseY1; else value_3 = MouseY1 - CharY;
if(value_3 > 1 && value_3 < 10)
printf("MY + %d: %f\n", i, MouseY1);
float value_4 = 0;
if(CharY > MouseY2) value_4 = CharY - MouseY2; else value_4 = MouseY2 - CharY;
if(value_4 > 1 && value_4 < 10)
printf("MY - %d: %f\n", i, MouseY2);
}
}
void hotkeys(){
while(true){
if(GetAsyncKeyState(VK_HOME)){
printf("Character HP: %d\n",CharHP());
printf("Character MP: %d\n",CharMP());
WallHack(1);
}
Sleep(100);
if(GetAsyncKeyState(VK_END)){
WallHack(0);
}
Sleep(100);
int VK_F = 0x58; // "F"
if(GetAsyncKeyState(VK_F)){
BYTE TOWN[] = {0x48, 0x00};
socket(TOWN);
cout << "<< TOWN ! >>";
}
if(GetAsyncKeyState(VK_SPACE)){
DWORD ADDR_CHRB =RDWORD(0xD74C9C);
float CharX =*(FLOAT*)(ADDR_CHRB + 0xD8);
float CharY =*(FLOAT*)(ADDR_CHRB + 0xE0);
float MouseX =*(FLOAT*)(ADDR_CHRB + 0xEF4);
float MouseY =*(FLOAT*)(ADDR_CHRB + 0xEFC);
//printf("printing coords...\n");
//printf("CX: %f, CY: %f, MX: %f, MY: %f\n", CharX, CharY, MouseX, MouseY);
if(((CharX - MouseX) < 5) || ((CharY - MouseY) < 5) || ((MouseX - CharX) < 5) || ((MouseY - CharY) < 5)){
printf("Teleporting to: %f, %f\n", MouseX, MouseY);
SpeedHack(MouseX, MouseY);
printf("Ready.\n");
//UpdateMouse();
}
}
Sleep(100);
}
}
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
AllocConsole();
AttachConsole(GetCurrentProcessId());
freopen("CON","w",stdout);
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)HackShield_Bypass, 0, 0, 0);
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)hotkeys, 0, 0, 0);
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment