[Tutorial] How to write bypasses for blocked functions

Discussion in 'FlyFF Discussion' started by joostp, May 9, 2008.

  1. joostp (Registered User, joined Apr 1, 2008)

    Hey there!

    The simple fact that you are willing to read this tutorial shows that you're at least interested in making your own hacks/bypasses.
    I will walk you guys through the general idea behind the PostMessage bypass and its source code.

    Here is a list of tools that you will probably need (so look for a copy of these programs):
    -Microsoft Visual C++ (any version will do, I myself use 6.0)
    -Microsoft Visual Basic (just to save the hassle and to be able to set up a GUI real fast)
    -OllyDbg with some plugins (IDA Pro is more powerful, but also harder to use)
    -A brain and the will to try things over and over again until you get the hang of it

    You have downloaded these tools, your IQ isn't lower than 70 and you have the will to learn and to try until you succeed!
    So let's get started!

    So, what does GameGuard do? Why can't I use certain functions?

    To keep it simple: GameGuard basically intercepts some (almost every single one) of the functions that allow users to create macro tools/bots.
    If you're familiar with "hacking" you have most likely heard of "hooking" functions (and an often-used technique, Microsoft's Detours).
    This is often done when simple adjustments have to be made to a program whose source code the user has lost (or simply doesn't have).
    You overwrite the first 5 Op-codes of the function you want to intercept with a call to your own function.
    This prevents the original function from being executed and executes your function instead!
    You can then check the params that were sent to the original function, execute some other pieces of code if you like and then return to the function so you don't completely ruin the data flow.
    (As I have mentioned before, a good way to do this is by "detouring" a function.)
    I'm unsure if GameGuard uses Detours, though it appears to me that the hooking method they use is very similar to what I described.

    So basically the first 5 bytes of the original function are not as they are supposed to be, and therefore you are dependent on what GameGuard allows you to do with this function.
    In the case of PostMessage, calling PostMessage will not cause the function to be executed as you intended it to be.


    Well, I've got a clue now how GG blocks these functions. How do I bypass it?

    Bypassing a function that's hooked by GG isn't that hard.
    Basically you let YOUR function handle the op-codes that were originally at the 1st 5 bytes of the program, then you let the program jump to the function's offset + 5 bytes.
    That way you JUMP OVER the bytes GG has overwritten to redirect the function to a GG function.
    If you do that without executing the original op-codes you will most likely make the game crash because the registers will be all messed up.

    Off to some code (Here is where Visual c++ jumps in):

    Code:
    #include <windows.h>

    HINSTANCE hInst;    // handle to user32.dll, resolved in DllMain
    DWORD     DLLFunc;  // address of PostMessageA + 5, i.e. just past the hooked bytes
    HWND      hFlyff;   // handle of the game window (looked up in DllMain)

    // Naked: the compiler emits no prologue/epilogue of its own, so the inline
    // asm below is the entire body. WINAPI already means __stdcall, so it is not
    // repeated. The parameters are never touched here; they stay on the stack
    // exactly as the caller pushed them and are consumed by the real PostMessageA.
    __declspec(naked) BOOL WINAPI myPostMessageA(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
    {
        __asm
        {
            mov  edi, edi              // the three instructions that originally
            push ebp                   // occupied the first 5 bytes of PostMessageA
            mov  ebp, esp
            jmp  dword ptr [DLLFunc]   // continue at PostMessageA + 5
        }
    }

    
    I will explain this code line by line.
    The first few lines are there to declare some variables and to import some standard Windows functions.

    This function needs to be able to manage its own stack, and doesn't necessarily return a value.

    The function name and the parameters you will pass through it: these parameters must be identical to the ones of the function you're bypassing.
    If you are unsure what parameters to pass to it, look the original function up on MSDN.

    Now it's getting tricky: this piece of code is written in assembly, that's just a small step above the "machine language", the 0's and 1's.
    jmp [DLLFunc] means that the program should jump to a certain offset; that offset is equal to the function root + 5 bytes.

    We declare it in DLLMain:
    Code:
    BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID /*lpvReserved*/)
    {
        switch (dwReason)
        {
            case DLL_PROCESS_ATTACH:
                // Resolve the real PostMessageA once and skip its first 5 bytes.
                // The "A" suffix is explicit so this builds the same way with or
                // without UNICODE defined.
                if (DLLFunc == 0) {
                    hInst = LoadLibraryA("user32.dll");
                    if (hInst == NULL)
                        return FALSE;      // refuse to load if user32 cannot be found
                    DLLFunc = (DWORD)GetProcAddress(hInst, "PostMessageA");
                    if (DLLFunc == 0)
                        return FALSE;      // export not found: nothing to jump to
                    DLLFunc += 5;
                }
                if (hFlyff == NULL) {
                    hFlyff = ::FindWindowA(NULL, "FLYFF");
                }
                break;

            case DLL_THREAD_ATTACH:
            case DLL_THREAD_DETACH:
                // Nothing per-thread: the address was resolved at process attach,
                // and freeing user32 on every thread exit would drop its reference
                // count while DLLFunc still points into it.
                break;

            case DLL_PROCESS_DETACH:
                if (hInst != NULL) {
                    ::FreeLibrary(hInst);  // release our reference to user32.dll
                    hInst = NULL;
                    DLLFunc = 0;
                }
                break;
        }
        return TRUE;
    }

    Now this isn't too hard to understand: this piece of code calculates the offset of the PostMessage function and adds 5 bytes to that offset, so the offset DLLFunc holds will be the 1st byte past the 5 bytes that GG has overwritten upon initialisation of the DLL.
    Using both DLL_PROCESS_ATTACH and DLL_PROCESS_DETACH allows you to either inject the DLL, or to load the DLL from within your own application.
    Which way you choose depends on your own preferences.


    So back to the assembly part:
    I have already explained the jmp [DLLFunc] part.
    Now here's how to understand what the other 3 instructions mean.
    Open up OllyDbg.
    Open user32.dll (located in the system folder of your Windows folder).
    Press Ctrl+N.
    A list of function names will show up; scroll down till you find PostMessageA and double click it.
    You will be taken to the function root.
    Look at the first 3 lines: "OMG THAT'S THE EXACT SAME PIECE OF ASM AS THE ABOVE!"
    True :)
    So with the above piece of assembly code we manually execute the overwritten bytes.
    If you have some knowledge of assembly you will see that
    Code:
          mov  edi, edi
          push ebp
          mov  ebp, esp
    is 5 bytes long!

    So we have successfully written a bypass for the PostMessageA function now!
    Gratz! You've done it!

    Now only 1 more thing remains..
    In order to make other programs able to use our function we must export it.
    There is an easy way to do this using Visual C++.
    Add a .def file to the project.
    The syntax to export a function is as follows:
    Code:
    LIBRARY "<name of dll here>" 
    EXPORTS
        <Name of Function here>
    
    In our case that's:
    Code:
    LIBRARY "BypassedPostMessage" 
    EXPORTS
             myPostMessageA
    
    Compiling this code will result in a DLL which you can then use with scripting/programming tools like AutoIt and Visual Basic.


    Yay! We have a bypass now! How to use it??!!
    Simple!
    We import the function with Visual Basic!

    Here is a small example:
    Code:
    ' All four arguments are passed by value: the C function takes LPARAM by value,
    ' so "lParam As Long" without ByVal would hand it a pointer instead.
    Private Declare Function myPostMessageA Lib "BypassedPostMessage.dll" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long

    Private Const WM_KEYDOWN As Long = &H100

    Private Sub Command1_Click()
        Dim hWndCMD As Long
        hWndCMD = FindWindow(vbNullString, "FLYFF")
        If hWndCMD = 0 Then Exit Sub    ' game window not found
        myPostMessageA hWndCMD, WM_KEYDOWN, vbKeyE, 0&
    End Sub

    The first 2 declarations are there to import the bypass we have just written and to import "FindWindowA", an API that allows us to get the window handle of the game.

    The other code sends the "E" key to the game when you hit the command button.
    Easy, isn't it?
    With a simple combination of timers, sending vbKey"x" where "x" is any key on the keyboard, you can make autofeeders, autotalkers, auto...
    Just use your imagination!




    So here are all the steps you have to take again, one by one:
    -Find a function that you want to use, but that is blocked by GameGuard.
    -Open the DLL that the original function is in with OllyDbg and look it up in the function name list.
    -Go to the function and copy the first 5 bytes of instructions.
    -Paste these instructions in a piece of inline ASM.
    -Make sure that GetProcAddress() returns the offset of the function you want to bypass.
    -Rewrite the original function and make sure you pass the right parameters to it.
    -Export the function.
    -Exploit the new function using Visual Basic, AutoIt, C++, Delphi, whatever language you feel comfortable with.


    I hope this tutorial shows enough so you guys can use it to bypass other functions.
    Good luck hacking!

    JoostP
     
    Last edited: Feb 18, 2009
    2 people like this.
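The tutorial above rests on one fact: the protection replaces the 5-byte hot-patch prologue of user32!PostMessageA with a call into its own code, and the bypass jumps to entry + 5. The same fact is what an integrity check looks at from the defender's side: read an export's first five bytes, compare them with the expected prologue, and if a rel32 detour sits there resolve where it lands, so that an unexpected hook (or a hook that has gone missing) stands out in a scan. This is an added example, not code from the thread or from any of the tools it names; it works on constructed byte samples and a made-up address rather than a live process, so it builds with any C compiler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hot-patch prologue the post finds at user32!PostMessageA:
 * mov edi,edi (8B FF) ; push ebp (55) ; mov ebp,esp (8B EC) = 5 bytes. */
static const uint8_t HOTPATCH_PROLOGUE[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

enum prologue_state {
    PROLOGUE_INTACT = 0,  /* bytes still match the expected prologue */
    PROLOGUE_JMP_HOOK,    /* E9 rel32: an inline jmp detour was written */
    PROLOGUE_CALL_HOOK,   /* E8 rel32: an inline call detour was written */
    PROLOGUE_UNKNOWN      /* patched with something else: needs a human look */
};
/* Classify the first five bytes read at a function's entry point. */
enum prologue_state classify_prologue(const uint8_t bytes[5])
{
    if (memcmp(bytes, HOTPATCH_PROLOGUE, 5) == 0)
        return PROLOGUE_INTACT;
    if (bytes[0] == 0xE9)
        return PROLOGUE_JMP_HOOK;
    if (bytes[0] == 0xE8)
        return PROLOGUE_CALL_HOOK;
    return PROLOGUE_UNKNOWN;
}

/* Absolute destination of an E9/E8 rel32 detour at func_va (32-bit process,
 * as on the x86 client the post targets): next_ip + rel32, modulo 2^32.
 * Unsigned wraparound yields the same result as signed rel32 arithmetic. */
uint32_t detour_target(const uint8_t bytes[5], uint32_t func_va)
{
    uint32_t rel = (uint32_t)bytes[1] | ((uint32_t)bytes[2] << 8) |
                   ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
    return func_va + 5 + rel;
}

/* Constructed samples: the address and the hook destination are made up. */
#define SAMPLE_VA 0x7E42FD00u
/* jmp rel32 from SAMPLE_VA to 0x10001000: rel = 0x10001000 - (SAMPLE_VA + 5) */
static const uint8_t SAMPLE_HOOKED[5] = { 0xE9, 0xFB, 0x12, 0xBD, 0x91 };
static const uint8_t SAMPLE_ODD[5]    = { 0x90, 0x90, 0x90, 0x90, 0x90 };

int main(void)
{
    const uint8_t *samples[3] = { HOTPATCH_PROLOGUE, SAMPLE_HOOKED, SAMPLE_ODD };
    for (int i = 0; i < 3; i++) {
        enum prologue_state s = classify_prologue(samples[i]);
        printf("sample %d: state %d", i, (int)s);
        if (s == PROLOGUE_JMP_HOOK || s == PROLOGUE_CALL_HOOK)
            printf(", detour lands at 0x%08X", detour_target(samples[i], SAMPLE_VA));
        printf("\n");
    }
    return 0;
}
```

On a real scan the five bytes would come from the loaded module's export and the reference prologue from the on-disk copy of the same DLL rather than a hard-coded constant, since not every export starts with the hot-patch sequence.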
  2. tykayoshi (Registered User, joined Jan 16, 2007)

    WooooooooooooooooooooW, you can tell a lot of effort has been put into this

    Thanks for the help
     
  3. Diaboly (Former Staff Member, joined Sep 24, 2006)

    Really, really well done - copied to hard disk :D - you are really putting some effort into helping the Flyff hacking community.
    I am looking forward to seeing more from you soon. I expect something more exciting :D
     
  4. KillerCortiz (Registered User, joined May 6, 2008)

    You're making my head hurt :der:, why can't this stuff be way easier?
     
  5. joostp (Registered User, joined Apr 1, 2008)

    Well, if you unpack a Japanese client and edit the IP it connects to (no need to know anything big to do so),
    you can connect to any of the Flyff game servers.
    The only problem is that you will need a GG emulator in order to get past the login screen.
    So guess what I'm working on now ;)
    Using a Japanese client would give us a more stable client than when I manually patch out every call to GG (which obviously is damn hard, if not impossible to do).
    If I succeed you can expect a client + emulator that doesn't run GG at all!

    If someone can help me a bit on the game's engine I might be able to bring something like Automaton back, Lua isn't all that new to me..

    But that's still hours and hours of work ahead of me, don't expect anything "big" soon.

    Well, to be honest this was the easy part :D
     
  6. IceManWoman (Registered User, joined Oct 2, 2006)

    Good job, but you don't need to explain SO much about hopping over a 5-byte hook.
    By the way guys, this is just for user32 functions, kernel hooks are MUCH more complicated.

    And by the way I'm not sure if there are not hooks for the lParam, which should be used in the PostMessage API.
     
  7. Tib (Registered User, joined Oct 22, 2006)

    Good tutorial.
    I think this could be stickied :thumb:
     
  8. Yamitsu (Registered User, joined May 8, 2008)

    Nice tutorial... too bad I didn't try Visual C++, but on the other hand it looks similar to C/C++ code so maybe I will understand it fast :)
    To be honest I would like to write something to bypass GameGuard to run FLYFF and other games under Linux, because cheating like god mode, auto target or other things is unnecessary for me... OK, unlimited mana would be funny but nothing else :p
     
  9. joostp (Registered User, joined Apr 1, 2008)

    It is C++.
    Visual C++ just has easier ways to export functions.
    If you want I could show you some links on how to do it with regular C++.
     
  10. Tib (Registered User, joined Oct 22, 2006)

    It's hard to run Flyff on Linux because Flyff is written for Windows.
    You can use Wine for it, but most MMOs won't work in Linux.
     
  11. Yamitsu (Registered User, joined May 8, 2008)

    Joostp - ah right, I forgot that ^_^ too much programming in KWrite, so probably I forgot it is the same thing :p and yes, if you can please show me a link or two (I prefer a Linux version if there is something outside gcc ;) )
    Tib - yes they are written for Windows, but for example SilkRoad runs without any combinations under Linux and it has GameGuard (strange, isn't it?? :p). What's more, there is a YouTube video with a guy showing how he plays Albatross18 under Linux but doesn't want to tell anyone how he did it (nah), so probably the rest of the GameGuard-protected games can be run under Linux with more or less combining with them ^_^
     
  12. joostp (Registered User, joined Apr 1, 2008)

  13. kunisaki (Registered User, joined Nov 3, 2006)

    Fantastic! Quite literally the most informative hacking post yet. Thanks from meh!
     
  14. UnholyAura (Registered User, joined Oct 5, 2007)

    This is what I've been looking for. People really don't release tutorials on how to code hacks; they usually just post them and whine about people leeching and not even knowing how to use it. When it comes to programming I'm clueless, but this clears some things up :). It's really nice to see a tutorial that actually teaches you how to make the bypass. I'm doing this as I speak!

    Thanks!
     
  15. Malevolance (Registered User, joined Oct 4, 2006)

    Oh man, that made my day, great job there, I'd say you know what you're doing.
    That's a big help for some of us.

    Thanks.
     
  16. Yamitsu (Registered User, joined May 8, 2008)

    Hmmm, things are getting more interesting from minute to minute... and depending on where we should put the compiled file I can compile it under Windows to make a .dll or under Linux to make probably a .so.0 file... it makes sense...
     
  17. stupith3ros (Registered User, joined Aug 17, 2006)

    Cool joostp :D... forumers in GPZ can already release their own BOT from your .DLL hahahaha
    I tried to create a bot for other games that use the same rev of GG protection.. but sendkey and postmessage only work for chat windows... the same problem we're facing when using the sendkey function in "FLYFF". Any idea why it's not working? Is it possible that the game is not using the postmessage or sendkey function?
     
    Last edited: May 11, 2008
  18. Kerman (Registered User, joined Jul 18, 2007)

    I've tried tutorials from websites, but with this one you have explained it so much in detail I actually understand it. THANK YOU
     
  19. joostp (Registered User, joined Apr 1, 2008)

    First of all, thanks for the positive reactions.

    The sendkey function automatically calculates the lParam that's needed to send it to the chat window, the chat window only.
    For example:
    Code:
    ' lParam is ByVal here too: the C side takes it by value.
    Private Declare Function myPostMessageA Lib "BypassedPostMessage.dll" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long

    Private Const WM_KEYDOWN As Long = &H100

    Private Sub Command1_Click()
        Dim hWndCMD As Long
        hWndCMD = FindWindow(vbNullString, "FLYFF")
        If hWndCMD = 0 Then Exit Sub    ' game window not found
        myPostMessageA hWndCMD, WM_KEYDOWN, vbKeyE, 0&
    End Sub

    This can hide/show the friends list.
    Calling myPostMessageA gives you more control over what you pass as lParam.
    If you use SendKey it will just send it to the chat window.
    I believe that it is possible to get the handle of one of those in-game controls, I'm just too lazy to figure that out since passing the right lParam will have the same effect.
     
  20. stupith3ros (Registered User, joined Aug 17, 2006)

    Thanks for the reply....

    Screenshot for a manual key press...



    Using (BOT) myPostMessage...

    OK, the 1st picture records the message for a manual key press, look at lParam = 0x000b0001


    The 2nd picture records the message for myPostMessage using my BOT, look at lParam 0x0013f380...

    VB6 code
    Code:
    myPostMessageA hWndCMD, WM_KEYDOWN, vbKey0, 0
    I tried setting the myPostMessageA lParam to 0x000b0001 to make it the same as the manual key press lParam (picture 1).. but the result I get from Winspector is the same as the picture 2 lParam... :der: so what I need now is to get the right lParam? Or do you have another solution?:lol:
     