Release FLYFF Bot and Tutorial

Discussion in 'FlyFF Discussion' started by Slugsnack, Aug 18, 2008.

Thread Status:
Not open for further replies.
  1. Slugsnack

    Slugsnack

    Messages:
    14
    Likes Received:
    0
    Joined:
    May 30, 2006
    First off, I do not play FLYFF nor have I ever even downloaded the game. I have no idea what you're supposed to do in the game and don't intend to find out any time soon (sorta too busy to play games). However, a good friend of mine, whom I have now known for 2-3 years, does play the game and mentioned it might be nice to have a program to do several functions. So I spent a whole day coding both of these applications.

    I am going to release two applications publicly now with source. This means they will probably be patched very, very soon. However, with the source you can easily undetect it again and, more importantly, you can customise it and add your own hacks and stuff. I will personally unpatch 1 copy once it gets patched for my friend and from then on my support for these programs ends (unless his copy gets patched again, in which case I'll unpatch it, but that's unlikely since nobody else will have that copy).
    Okay so the first application, probably going to be the most useful for you FLYFF players:


    The first function is to be able to send F5/Enter in quick succession. Apparently this can be used for some sort of autofeeding or something?
    The second function is to AutoClick on the position of your mouse. This can be used for spamming skills or actions or 'grinding'. If it can't be used for those then blame my friend lol, that's what he told me.
    The second program is more for educational purposes than any real use. I show you how to bypass GameGuard's GetDC usermode hook. This means you can now get the display device context handle for FLYFF's window, allowing you to directly render graphics onto the game's screen like so:


    Missed the text? Look at the top left. And yes, Irwin does indeed ram cock.

    Now then, for people that want to learn or find out how I made both of these applications, keep reading. Else, download and off you go!
    Before I start, be warned that my code is probably not spectacularly efficient nor 'good' but that is because I only started coding about 2-3 months ago.

    Making the AutoClicker/Bot

    To make the bot I needed to be able to send two types of messages to the game, namely clicks and key presses. I have done this by posting messages to the game window's message queue. This was done by the API PostMessageA. However GameGuard hooks this function so I needed to bypass that first. This was done by what is known as a trampoline. When GameGuard hooks a function in usermode, it goes to the first 5 bytes of that function and replaces it with a jump to its own procedure. It then goes around to all processes it can find and does this. Now whenever any application calls this function (unless you hide yourself from GameGuard), code execution will firstly go to GameGuard's hook before it goes to the actual code of the function. GameGuard then runs some sort of check to see if the function you are using is allowed to pass and if not, it will block it. For example, for PostMessage, it would probably check whether the window handle used matched the window handle of the game it was protecting. So we can bypass this by executing the real first 5 bytes ourselves first then jumping right over GameGuard's hook and hence our function is never hooked.

    So looking at the first few lines of the source for the bot, I first of all use LoadLibrary and GetProcAddress to obtain an address for PostMessageA. I then add 5 to that address to get it ready for later use for the trampoline.
    Next thing I wanted to do was to watch for FLYFF's process and as soon as I found that, I could start looking for its window. Bear in mind that the method I am using for finding FLYFF's process will not work after GameGuard has loaded because it hides the game's process.

    To find the process, what I have done is to take a snapshot of the current active processes with the API CreateToolhelp32Snapshot. This fills in a PROCESSENTRY32 structure. I can then iterate through this structure with Process32First and Process32Next until I get a match of szExeFile (name of process). I know when I have reached the end of the current snapshot because Process32Next will return an ERROR_NO_MORE_FILES so I keep checking for that and when that occurs, I can take a new snapshot.

    Okay, so now we have found the process in PROCESSENTRY32, we can proceed to get a PID and handle for it. Another member of the structure, th32ProcessID, holds the PID for the process selected. I then use OpenProcess to obtain a handle for the program.

    Remember, whenever you open a handle, to always close it again afterwards! If not you will get what is known as a memory leak. If you are opening a handle and not closing it in a procedure and your procedure is called many times, then you are basically using memory and not freeing it for use afterwards, so your machine will become bogged down and possibly eventually crash.

    Anyway once we have detected the process as active, we can start watching for the window handle of the game. This is done by looping FindWindow until it returns true. Btw you may be wondering why we even bothered getting handle/PID earlier. Well I used this same source to watch for a process for my DLL injector so that is what I needed it for but I figured some people would want to see and maybe use this code too.
    To use FindWindow efficiently (to me this means not just detecting by window name, since that can lead to a wrong handle being obtained), I had to get the class name for FLYFF's window. I have attached the application I made to do that also. All it does is use FindWindow with only a window name and then use GetClassName to get the class name. Using the class name and window name to detect a window is much more reliable than just using the window name.

    Okay, so now we have a window handle to FLYFF. I'm not sure how threads are usually made (being a beginner programmer) so I'm not sure whether this method is strictly 'right', but it seems to work anyway. What I did was create two threads, 1 for the clicker and 1 for the bot. I also created two events, one for each thread. Then I created the two new threads, passing the handle created from CreateEvent to them.

    Now I can have the 'main thread' wait for the other two threads to finish before continuing with WaitForMultipleObjects. After that, I can close all the handles, two from the events, two thread handles and one target handle.

    Let's look at the first AutoClick thread first. It is in an infinite loop where 2 key presses are watched for: the hotkey for ending the application and the hotkey for toggling the clicking. If the toggle hotkey is pressed then we first fill in a POINT structure using GetCursorPos to get the coordinates of the current mouse position. Then we can send a click at that spot using our trampoline function (I named it PostMessageX) and with WM_LBUTTONDOWN/WM_LBUTTONUP as parameters (two calls need to be made to PostMessage).

    Now the other 'bot' thread does a similar thing. To use PostMessage to send keys, lParam needs to be the scan code for the key that is sent. So we can use MapVirtualKey to do that. And then the same thing is done as above except with WM_KEYDOWN instead.

    Now then, when F10 is pressed (to exit the application), both threads set the event that was created for them respectively and then return. The 'main thread' now continues and ends the program, cleaning up open handles, etc.

    Making the Draw Application

    There are many bits of code which are very similar or identical to the other application. First of all we set up the trampoline, but this time for TextOutA (I'm not even sure if it's hooked but I set up a trampoline just in case). We then also watch for the process by making snapshots and walking the PROCESSENTRY32 structure.

    Now comes the interesting part. To draw directly onto the game's screen, we had to first obtain a handle to the device context that the game created for itself to render its graphics. Bear in mind that the method I use results in flickering graphics but DirectX/hooking DirectX is just that bit more complicated and I don't want to go into it yet.

    Anyway, we could just do a simple trampoline for GetDC (which is hooked in ring3), but one thing to watch out for is that the first 5 bytes are not the standard stack frame setup code that most procedures have, i.e.

    Code:
    mov edi, edi
    push ebp
    mov ebp, esp
    So it is better to get the bytes dynamically and that is what I have done. In the IAT hook procedure, we first hook the module's IAT so calls to GetDC no longer go to GetDC but to our own function prototype declared as IATTrampoline. We need to use VirtualProtect several times to first change protections so we can write to the two places we are going to write bytes to and also to restore the old protection.

    After altering the IAT to point to our own function, we now need to dynamically fetch and write the first original 5 bytes to IATTrampoline. As you can see, that is done with some simple code just below that. Notice if you scroll down that I made the first instruction of IATTrampoline "push ebp" prior to writing the 5 bytes. There is no reason you can't just have 5 NOPs there instead though. Only reason I put that there was because OllyDbg (program I use for debugging) does not recognise the procedure as a proper procedure unless I did that (fussy bastard). I also added a possible exit condition for the same reason (the exit condition can never be met of course).

    I know I have not gone through the process of the IAT hook very clearly but I have written a short article explaining exactly how to do it before so if anyone needs more help understanding or wants to see it explained more fully, just shout and I'll post a link.

    Anyway, after the IAT hook, we can call GetDC without problems from GameGuard and get a device context for FLYFF's window. The rest of the code from there on is pretty self explanatory. Remember that neither of these applications is supposed to be a complete program. Think of them as skeletons. I have given you source and explained it so you can add any function you want, or you can rip functions out of it that you want and use them in your own applications.

    Hope the source will be useful to some people and sorry if you don't like my coding style, I'm still pretty new to programming. Any questions? Ask below.
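    As an added example that is not part of Slugsnack's release (his tools are MASM; this is portable C so it compiles anywhere), here is the integrity check a defender would run over the first 5 bytes of an API entry to spot the kind of usermode hook described above: it recognises the standard hot-patchable prologue, and when the entry has been overwritten with a relative JMP it resolves where that jump lands and flags a destination outside the exporting module. All addresses and byte strings below are constructed for illustration, not real user32.dll contents.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

typedef enum { PROLOGUE_HOTPATCH, PROLOGUE_JMP_REL32, PROLOGUE_OTHER } prologue_kind;

/* Standard hot-patchable x86 prologue: mov edi,edi / push ebp / mov ebp,esp */
static const uint8_t HOTPATCH[5] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};

/* Classify the 5 bytes at `code`, read from a function located at `base`; for an E9 rel32 entry *target gets the absolute destination. */
prologue_kind classify_prologue(const uint8_t *code, uint32_t base, uint32_t *target) {
    if (memcmp(code, HOTPATCH, 5) == 0)
        return PROLOGUE_HOTPATCH;
    if (code[0] == 0xE9) {
        /* rel32 is little-endian and relative to the end of the 5-byte instruction; unsigned wraparound handles negative displacements. */
        uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8)
                     | ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
        *target = base + 5 + rel;
        return PROLOGUE_JMP_REL32;
    }
    return PROLOGUE_OTHER;
}

/* Destination of a JMP placed at the entry, or 0 when the entry is not a JMP. */
uint32_t jmp_target_of(const uint8_t *code, uint32_t base) {
    uint32_t target = 0;
    return classify_prologue(code, base, &target) == PROLOGUE_JMP_REL32 ? target : 0;
}

/* Integrity check: an entry whose JMP lands outside the exporting module's range [mod_lo, mod_hi) is the signature of a usermode inline hook. */
bool entry_hooked_outside_module(const uint8_t *code, uint32_t base,
                                 uint32_t mod_lo, uint32_t mod_hi) {
    uint32_t target = jmp_target_of(code, base);
    return target != 0 && (target < mod_lo || target >= mod_hi);
}

/* Constructed samples with hypothetical addresses (not real user32.dll contents). */
const uint8_t SAMPLE_CLEAN[5]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC}; /* untouched prologue    */
const uint8_t SAMPLE_HOOKED[5] = {0xE9, 0xFB, 0x7F, 0x00, 0x00}; /* from 0x1000 -> 0x9000 */
const uint8_t SAMPLE_INTRA[5]  = {0xE9, 0xFB, 0x0F, 0x00, 0x00}; /* from 0x1000 -> 0x2000 */

int main(void) {
    const uint8_t *samples[3] = {SAMPLE_CLEAN, SAMPLE_HOOKED, SAMPLE_INTRA};
    for (int i = 0; i < 3; i++)   /* module assumed to span [0x1000, 0x5000) */
        printf("sample %d: target 0x%X, hooked from outside: %s\n", i,
               (unsigned)jmp_target_of(samples[i], 0x1000),
               entry_hooked_outside_module(samples[i], 0x1000, 0x1000, 0x5000) ? "yes" : "no");
    return 0;
}
```

    Only the hooked sample is flagged: the clean prologue is not a JMP at all, and the intra-module JMP stays within the range the module owns.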
     
  2. acekey

    acekey

    Messages:
    175
    Likes Received:
    0
    Joined:
    Jul 18, 2007
    Thanks for the great program. Can I ask you something? What book are you using to understand programming quickly?
     
  3. joostp

    joostp

    Messages:
    385
    Likes Received:
    2
    Joined:
    Apr 1, 2008
    Nice contribution!
     
  4. shesuke004

    shesuke004

    Messages:
    6
    Likes Received:
    0
    Joined:
    Jan 5, 2008
  5. jeffseaw

    jeffseaw

    Messages:
    210
    Likes Received:
    0
    Joined:
    Nov 26, 2005
    Wow, nice source you have. But I'm getting bored with FlyFF >.<
     
  6. carru

    carru

    Messages:
    1,369
    Likes Received:
    98
    Joined:
    Dec 10, 2005
    Use the source to learn and write your own bots.

    carru ~
     
    1 person likes this.
  7. ElvenLegendz

    ElvenLegendz

    Messages:
    213
    Likes Received:
    0
    Joined:
    Aug 30, 2006
    What a lie Slugsnack -_- You can reserve engineer but you're new at programming? Sure you are.
     
  8. xeno4000

    xeno4000

    Messages:
    10
    Likes Received:
    0
    Joined:
    Aug 15, 2008
    Hi, I need more info plz
     
  9. SykD

    SykD

    Messages:
    257
    Likes Received:
    1
    Joined:
    Mar 6, 2007
    Wow, went above and beyond anything released here. It may not be as good as some of nForce's releases, but what I love that you did is you left it open source, and you actually explained how everything works; you left a huge gate open for leechers to be able to have a wonderful start in programming and hacking on their own. Congratulations.

    BTW I think this thread will go unread, there have been many releases lately of small bots and small autoprograms. I almost didn't view this topic. I suggest changing the Title to something more like Bot & Hacking Tutorial

    (›†o†)›Syk'D‹(†o†‹)
     
  10. jeffseaw

    jeffseaw

    Messages:
    210
    Likes Received:
    0
    Joined:
    Nov 26, 2005
    I think the key is wrong for this bot xD
     
  11. mendoza090

    mendoza090

    Messages:
    9
    Likes Received:
    0
    Joined:
    Jun 11, 2008
    Someone Scan It Please!!

     
    Last edited: Aug 20, 2008
  12. joostp

    joostp

    Messages:
    385
    Likes Received:
    2
    Joined:
    Apr 1, 2008
    It's clean, it's written in MASM though.
    What he does is basically the same thing as I've explained in my tutorial.

    I still think it's better to use inline asm with a C++ compiler.
    That way you don't have to worry about not closing the handles properly.
    ASM is, in a way, faster than C++.
    But since all you do is load a DLL in memory, return the offset+5 of the function you want to use and manually execute the 5 bytes you've just skipped, you will not really experience any difference in speed at all.
    It's a matter of nanoseconds, not seconds.

    Also, writing a full program in ASM is much more complicated than writing a program in c++.

    It just gives another approach and another example of what Ive already explained.

    Nice work though, it's a good contribution!
     
  13. Cluster

    Cluster

    Messages:
    21
    Likes Received:
    0
    Joined:
    Jun 16, 2008
    Why the hell do people think that so much is needed to send keys to FlyFF -.-
    A simple
    SendMessage(flyffhwnd, WM_KEYDOWN, VK_F5, 0); // message id is WM_KEYDOWN, the virtual key goes in wParam
    that's all -.-
     
  14. synshadow

    synshadow

    Messages:
    12
    Likes Received:
    0
    Joined:
    Nov 30, 2005
    That's pretty interesting that you were able to just throw that together real quick. What did you use?
     
  15. Tyler1800

    Tyler1800

    Messages:
    158
    Likes Received:
    2
    Joined:
    Jun 30, 2007
    You gotta bypass the hook on the functions too.
     
  16. Serenade

    Serenade

    Messages:
    108
    Likes Received:
    2
    Joined:
    Aug 23, 2008
    Reserve?

    Reverse engineering in fact, does not require you to have programming skills.
    Also programming a basic application in MASM32 seems like a beginner in programming to me,
    why would he even lie about the fact that he's a beginner in programming?

    -topic

    Like joostp said, this is a very nice contribution, great job.
     
  17. tomy5194

    tomy5194

    Messages:
    1
    Likes Received:
    0
    Joined:
    Jul 25, 2008
    Re: FLYFF Bot and Tutorial:: quset

    Hello!!
    Is it a bot that hunts by himself!!!!???
    Please answer me, thanks if you would help
     
  18. xaxaonline

    xaxaonline

    Messages:
    3
    Likes Received:
    0
    Joined:
    Oct 6, 2008
    I cannot open the .rar file download.. I cannot run the file because I cannot open it.. somebody help... please..
     
  19. clonejutsu

    clonejutsu

    Messages:
    250
    Likes Received:
    0
    Joined:
    Jan 1, 2007
    I may be wrong but I've tested and the hot keys seem to function differently. It doesn't bot at all.
     
  20. manipulatorofobjects

    manipulatorofobjects

    Messages:
    7
    Likes Received:
    0
    Joined:
    Oct 19, 2008
    Re: FLYFF Bot and Tutorial^^

    Thx for posting that program......
    but I get a little more confused >.<....
    ^^ please can you repeat the process how to use this program...
    I want to use it but I'm confused..
    ^^ just how to use the program step by step...
    THX.....xD
     