
1413

Members
  • Posts: 5
  • Feedback: 0%

About 1413

Profile Information
  • Current Mood: Devilish
  • Gender: Not Telling
  • Country: Australia
  • Location: Pink Lake

1413's Achievements
  • Newbie (1/16)
  • Reputation: 0

  1. Thanks a ton. It all makes sense now. I think I can come up with something that works in a few weeks, kinda busy now. AchYlek is right. Sharing is good, but sometimes, for the greater good, we must not share certain things :D
  2. I had a hunch a debugger could be useful someday, so I collected some, such as IDA Pro, OllyDbg... but I have never used them before because I have no idea how to read ASM :D So, I have to find the address of the callback function StaticWndProc in memory, then overwrite the first 5 bytes with my instructions that jump to my_function in my_dll, and then my function will jump back to the 6th byte and run the original StaticWndProc. I think I read somewhere they call it a trampoline, but actually it is accessing the memory of another process and overwriting a part of that process' memory with my instructions, am I right? I have a question: since guard.des overwrites the first 5 bytes with an inline detour which jumps to a function in guard.des, is that right? I think maybe we just need to overwrite those 5 bytes with the original 5 bytes of the original function, like undoing what guard.des does, and bam, StaticWndProc now receives WM_KEYDOWN again.
  3. It starts to make sense. So, guard.des detours the callback function that handles all the messages sent to the L2 client hwnd and filters out WM_KEYUP / WM_KEYDOWN. That is probably why the message WM_CHAR still works. Well, that is beyond my knowledge :D But at least I have something to search for. I guess I have a lot of reading to do. Thanks a lot.
  4. I mean I am a newb at hooking and reverse engineering stuff, and that is what I've read somewhere on the internet :D Mouse hooks and keyboard hooks are the only kinds of hook that I know. Since I am a noob, a clicker is the easiest to code for me, and a clicker is enough for me. On some private high/mid rate servers, there are other ways to farm than hunting mobs, such as the raid boss Zaken which needs about 12 - 14 players (or 14 boxes on a single computer), and a clicker is the best. My clicker just does SendMessage with WM_KEYDOWN / WM_KEYUP to the correct L2 hwnd(s) and everything is good: one player, one computer, 14 L2 client windows and one clicker. That's it. Before L2 exilium upgraded with smartguard my clicker worked fine. You know what happened after they upgraded with smartguard :D Like I said, I am a noob at this hook / detour stuff, and the information I find on the internet is not helping much. Here are the logs: usermodehook.txt log.txt
  5. Hi, I am writing a clicker for L2 and am stuck with smartguard. I understand that I have to use some trampoline to bypass the API hook from smartguard, but I can't find a good document on how to use it. As far as I understand, the trampoline must be placed in a DLL, and that DLL must be injected into L2. I have to find what API guard.des is hooking and then write a trampoline to jump to the original function. In my case, I need to use SendInput() or keybd_event() or SendMessage( [WM_KEYDOWN / WM_KEYUP] ). Then I must find the actual address of these functions in the module User32.dll and then write a trampoline to jump back to this function. That is pretty much everything I understand about API hooks / detours. But it seems not right. I think I got it wrong somewhere. I use hookshark to find which API detours guard.des is using, and the only interesting detour I found on the L2.exe process is GetRawInputData, and it doesn't make sense. So, guard.des doesn't hook SendInput, keybd_event or SendMessage, so it is no use to write a trampoline for these functions. This is where I am stuck. Appreciate any help :)