Jump to content
MaxCheaters Official Group on X
MaxCheaters Official Group on Discord
--> Place your ad text here <--

How To Bypass Smartguard?

bubaby

By bubaby
in Hacks & Cheats [English]

 Share

Recommended Posts

  • 4 weeks later...
1413 Newbie

1413

Posted
Posted

Hi, I am writing a clicker for L2 and stuck with smartguard. I understand that I have to use some trampoline to bypass api hook from smartguard, but I can't find good document on how using it.

 

As far as I understand, trampoline must be place in a DLL, and that DLL must inject to L2. I have to find what api guard.des is hooking and then write a trampoline to jump to original function. In my case, I need to use SendInput() or keybd_event() or SendMessage( [WM_KEYDOWN / WM_KEYUP] ). Then I must find the actual address of  these function in module User32.dll and then write a trampoline to jump back to this function. That is pretty much everything I understand about api hook / detours.

 

But It seem not right. I think I got it wrong somewhere.

 

I use hookshark to find which api detours guard.des using, and the only interesting detour I found on the L2.exe process is GetRawInputData and it doesn't make sense. So, Guard.des doesn't hook on SendInput, keybd_event or SendMessage as it is no use to write trampoline for these function.

 

This is where I stuck.

Appreciate any help :)

 

 

Szakalaka Newbie

Szakalaka

Posted
Posted

Why clicker? Just go for a bot. But if u really want to, the as far as i know L2 uses directinput which is resistant by nature of it to keybd_event or SendInput. Did you try inejcting messages directly to window procedure? This works in most cases. Dont use Hookshark program, write one yourself. The popular one has soem defects, doesnt show all hooks, especially cant scan ntdll where most of interesting stuff resides.

 

And what do you mean by saying "That is pretty much everything I understand about api hook" ? You have to avoid any modifications when creating a cheat, more mods = higher detect ratio and you definitel dont want it. Hooking is terrible idea (look at l2tower which hooks like 20 functions, doesnt work anywhere).

 

So right now reverse to the window creation, find the address of WndProc and try here. BTW Can you show screenshot with log from hookshark? Im interested how many did he find... :)

 

Greetz

AchYlek Enthusiast

AchYlek

Posted
Posted

Why clicker? Just go for a bot. But if u really want to, the as far as i know L2 uses directinput which is resistant by nature of it to keybd_event or SendInput. Did you try inejcting messages directly to window procedure? This works in most cases. Dont use Hookshark program, write one yourself. The popular one has soem defects, doesnt show all hooks, especially cant scan ntdll where most of interesting stuff resides.

 

And what do you mean by saying "That is pretty much everything I understand about api hook" ? You have to avoid any modifications when creating a cheat, more mods = higher detect ratio and you definitel dont want it. Hooking is terrible idea (look at l2tower which hooks like 20 functions, doesnt work anywhere).

 

So right now reverse to the window creation, find the address of WndProc and try here. BTW Can you show screenshot with log from hookshark? Im interested how many did he find... :)

 

Greetz

:dat: :dat:

1413 Newbie

1413

Posted
Posted

I mean I am newb at hook and reverse engineering stuffs and that is what I've read somewhere from the internet  :D

 

Mouse hook and keyboard hook are the only kind of hook that I know. Since I am a noob clicker is easiest to code for me, and clicker is enough for me.

 

On some private high/mid rate server, there are other way to farm than hunt mobs, such as raid boss Zaken which need about 12 - 14 players (or 14 boxes on a single computer), and clicker is the best. My clicker just does SendMessage with WM_KEYDOWN / WM_KEYUP to the correct L2 hwnd(s) and everything is good: one player, one computer, 14 L2 client windows and one clicker. That's it.

 

Before L2 exilium upgraded with smartguard my clicker worked fine. You know what happened after they upgraded with smartguard  :D

 

Like I said, I am noob at this hook / detour stuffs, and the information I find on the internet is not helping much.

 

Here are the logs

post-133584-0-12635200-1443437460_thumb.png

usermodehook.txt

log.txt

Szakalaka Newbie

Szakalaka

Posted
Posted

The one which makes your clicker not work is most probably this:

 

[6596] L2.exe!window.dll->?StaticWndProc@WWindow@@SGJPAUHWND__@@IIJ@Z       || [0x1101C480] => guard.des [0x72FD382B]            || Inline - Detour [5 Bytes] || push ebp            || jmp 72FD3830h
 

Did you try to preapre the stack + original entry instructions and call it? This would work almost for sure

1413 Newbie

1413

Posted
Posted (edited)

The one which makes your clicker not work is most probably this:

 

[6596] L2.exe!window.dll->?StaticWndProc@WWindow@@SGJPAUHWND__@@IIJ@Z       || [0x1101C480] => guard.des [0x72FD382B]            || Inline - Detour [5 Bytes] || push ebp            || jmp 72FD3830h

 

It starts to make sense. So, guard.des detours the callback function that handle all the messages sent to L2 client hwnd and filters out WM_KEYUP /  WM_KEYDOWN. That is probably why message WM_CHAR still works.

 

 

 

Did you try to preapre the stack + original entry instructions and call it? This would work almost for sure

Well, that is beyond my knowledge :D

 

But at least, I have something to search for. I guess I have a lot of reading to do.

 

Thanks alot.

Edited by 1413
Szakalaka Newbie

Szakalaka

Posted
Posted (edited)

I've never been using the detour/retour terminology :) You have to understand how hooking works and how do the "hooker" call real function. The algorithm is to copy instructions from the functions entry and overwrite them with a jump to your code, and create a jump back to real function using the copied instructions and adding a jump to it. If you manage to find or reproduce these instructions then you are set. It may sound very compilcated at start but u need to check it carefully. Do you use a debugger? Its million times easier with one

Edited by Szakalaka
1413 Newbie

1413

Posted
Posted

I've never been using the detour/retour terminology :) You have to understand how hooking works and how do the "hooker" call real function. The algorithm is to copy instructions from the functions entry and overwrite them with a jump to your code, and create a jump back to real function using the copied instructions and adding a jump to it. If you manage to find or reproduce these instructions then you are set. It may sound very compilcated at start but u need to check it carefully. Do you use a debugger? Its million times easier with one

 

I had a hunch a debugger could be useful someday, then I collected some, such as IDA pro, ollydbg... But never use them before because I have no idea how to read ASM :D

 

So, I have to find the address of the callback function StaticWndProc in the memory, then overwrite the first 5 bytes with my instructions that jump to my_function in my_dll and then my function will jump back to the 6th byte and run the original StaticWndProc. I think I read somewhere they call it trampoline, but actually it is access memory of other process and overwrite a part of that process' memory with my instructions, am I right?

 

I have a question, since guard.des overwrite the first 5 bytes with inline-detour which jump to a function in guard.des, is that right? I think maybe we just need to overwrite that 5 bytes with the original 5 bytes of the original function, like undo what guard.des does and bam StaticWndProc now received WM_KEYDOWN again.

Szakalaka Newbie

Szakalaka

Posted
Posted

Welp i wrote a big post and it did not send it somehow... So basically u are right with the jump idea, but u cannot unhook guard.des, it will detect it immidietly. You can try to disable the checking loop but without asm knowledge u wont do it, so what you need to do is to reproduce first 5 bytes, then add jump to the 6th and call function that way. I may make short video on it maybe

Guest
This topic is now closed to further replies.
 Share
Go to topic listing


  • Posts

    • adenaVIP
      WE DO A TURNKEY PROJECT

      By adenaVIP · Posted

    • Tryskell
      Multi route walker npc HELP

      By Tryskell · Posted

      Verify if following is supposed to be the way to handle movement npc.getAI().setIntention(CtrlIntention.AI_INTENTION_MOVE_TO, new Location(point.getX(), point.getY(), point.getZ())); For me, it's not enough. And if it's the case, whole AI system is probably buggy.
    • SmurfsZone
      SmurfsZone: Your Best Source for League of Legend

      By SmurfsZone · Posted

      This is a  bump
    • reacheap
      wtt harbor 1x for l2reborn 10x new

      By reacheap · Posted

      hello, i want to wtt my charracter in l2elmorelab 1x harbor for 1.5kkk adena in l2reborn 10x new. Or if you interested tell me your offer. :)) Clean Mail 30 lvl Cleric Naked   Updated.
    • Starfire868686
      Multi route walker npc HELP

      By Starfire868686 · Posted

      package ai.npc.NFWalker; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Random; import l2r.gameserver.enums.CtrlIntention; import l2r.gameserver.model.Location; import l2r.gameserver.model.actor.L2Npc; import l2r.gameserver.model.quest.Quest; import l2r.gameserver.network.clientpackets.Say2; import l2r.gameserver.network.serverpackets.NpcSay; public class NFWalkerAI extends Quest { private static final int WALKER_NPC_ID = 20116; private final Map<String, Route> routes = new HashMap<>(); private final Map<Integer, Integer> npcIndexes = new HashMap<>(); private final Map<Integer, Boolean> npcReverse = new HashMap<>(); private final Map<Integer, String> npcCurrentRoute = new HashMap<>(); public NFWalkerAI() { super(-1, NFWalkerAI.class.getSimpleName(), "ai/npc/NFWalker"); loadRoutes(); addSpawnId(WALKER_NPC_ID); } private void loadRoutes() { // Route 1 Data Route route1 = new Route("route1"); route1.addPoint(new RoutePoint(0, 149363, 172341, -941, 0, false, "")); route1.addPoint(new RoutePoint(1, 148568, 172328, -980, 5, true, "Puff")); route1.addPoint(new RoutePoint(2, 148536, 172792, -980, 0, false, "")); // Route 2 Data Route route2 = new Route("route2"); route2.addPoint(new RoutePoint(0, 149363, 172341, -941, 0, false, "")); route2.addPoint(new RoutePoint(1, 150248, 172328, -980, 5, true, "Rise my children! Bring me the servants of the god! Let them be offered to our god Bifrons!")); route2.addPoint(new RoutePoint(2, 150248, 172776, -980, 0, false, "")); // Add routes to the map routes.put("route1", route1); routes.put("route2", route2); } @Override public String onSpawn(L2Npc npc) { if (npc.getId() == WALKER_NPC_ID) { selectInitialRouteForNpc(npc); } return super.onSpawn(npc); } @Override public String onAdvEvent(String event, L2Npc npc, l2r.gameserver.model.actor.instance.L2PcInstance player) { if (event.equalsIgnoreCase("move")) { moveNpc(npc); } else if (event.equalsIgnoreCase("check_reached")) { checkIfReached(npc); } return null; } private void moveNpc(L2Npc npc) { String routeName = npcCurrentRoute.get(npc.getObjectId()); Route route = routes.get(routeName); Integer pointIndex = npcIndexes.get(npc.getObjectId()); if (route != null && pointIndex != null) { RoutePoint point = route.getPoints().get(pointIndex); if (point.isRun()) { npc.setRunning(); } else { npc.setWalking(); } if (!point.getChat().isEmpty()) { npc.broadcastPacket(new NpcSay(npc.getObjectId(), Say2.NPC_ALL, npc.getId(), point.getChat())); } npc.getAI().setIntention(CtrlIntention.AI_INTENTION_MOVE_TO, new Location(point.getX(), point.getY(), point.getZ())); // Log movement intention System.out.println("NPC " + npc.getObjectId() + " moving to " + point.getX() + ", " + point.getY() + ", " + point.getZ()); // Schedule a check to see if the NPC has reached its destination startQuestTimer("check_reached", 1000, npc, null); } } private void checkIfReached(L2Npc npc) { String routeName = npcCurrentRoute.get(npc.getObjectId()); Route route = routes.get(routeName); Integer pointIndex = npcIndexes.get(npc.getObjectId()); if (route != null && pointIndex != null) { RoutePoint point = route.getPoints().get(pointIndex); Location currentLocation = npc.getLocation(); Location targetLocation = new Location(point.getX(), point.getY(), point.getZ()); // Check if the NPC has reached the target location if (currentLocation.equals(targetLocation)) { // Log that the NPC has reached the target System.out.println("NPC " + npc.getObjectId() + " reached target " + targetLocation); // Schedule the next movement startQuestTimer("move", point.getDelay() * 1000, npc, null); if (!npcReverse.get(npc.getObjectId())) { pointIndex++; if (pointIndex >= route.getPoints().size()) { npcReverse.put(npc.getObjectId(), true); pointIndex = route.getPoints().size() - 1; } } else { pointIndex--; if (pointIndex < 0) { npcReverse.put(npc.getObjectId(), false); pointIndex = 0; // Choose a new route after completing the current one in both directions switchRouteForNpc(npc); return; } } npcIndexes.put(npc.getObjectId(), pointIndex); } else { // Check again after 1 second startQuestTimer("check_reached", 1000, npc, null); } } } private void selectInitialRouteForNpc(L2Npc npc) { // Randomly select either route1 or route2 String selectedRouteName = "route" + (new Random().nextInt(2) + 1); npcCurrentRoute.put(npc.getObjectId(), selectedRouteName); npcIndexes.put(npc.getObjectId(), 0); npcReverse.put(npc.getObjectId(), false); startQuestTimer("move", 5000, npc, null); // Log initial route selection System.out.println("NPC " + npc.getObjectId() + " selected initial route " + selectedRouteName); } private void switchRouteForNpc(L2Npc npc) { String currentRoute = npcCurrentRoute.get(npc.getObjectId()); String newRoute = currentRoute.equals("route1") ? "route2" : "route1"; npcCurrentRoute.put(npc.getObjectId(), newRoute); npcIndexes.put(npc.getObjectId(), 0); npcReverse.put(npc.getObjectId(), false); startQuestTimer("move", 5000, npc, null); // Log route switching System.out.println("NPC " + npc.getObjectId() + " switched to route " + newRoute); } private static class Route { private List<RoutePoint> points = new ArrayList<>(); public Route(String name) { } public void addPoint(RoutePoint point) { points.add(point); } public List<RoutePoint> getPoints() { return points; } } private static class RoutePoint { private int id; private int x, y, z, delay; private boolean run; private String chat; public RoutePoint(int id, int x, int y, int z, int delay, boolean run, String chat) { this.id = id; this.x = x; this.y = y; this.z = z; this.delay = delay; this.run = run; this.chat = chat; } public int getId() { return id; } public int getX() { return x; } public int getY() { return y; } public int getZ() { return z; } public int getDelay() { return delay; } public boolean isRun() { return run; } public String getChat() { return chat; } } } I looking for help, with this, the npc not start to move. Im trying to create, an NPC wich have multiple walk routes basic logic is  random pick a route complite the route  like Route 1 start form zero (0 -> 1 -> 2(or more) -> 1 -> 0) When the npc return to 0, the script should pic the other route and start again.  And if there is a message like point 1 here     "route1.addPoint(new RoutePoint(1, 148568, 172328, -980, 5, true, "Puff"));" The npc should display the chat message. Currently my problem is the npc not moving, but if I manage it to start moving its randomly move between the route 1 and 2 set of coordinates. Currently for me its  a nightmare. I hope anyone can help somhow.

  • Topics

×
×
  • Create New...