
l2bot's People

Contributors

xarkes


l2bot's Issues

sendPacket

Hello! I just found your article a day ago, it's magic!
Can you help me a bit?
I want to hook the sendPacket function. I found it and got the addresses, but I don't get how to hook it properly. Can I use the function for recvPacket (Hook) and do it like:

sendPacketDW = (DWORD(_stdcall*)(DWORD, const char*, ...))DATA_SEND_ADDR;
sendPacket = (DWORD(_stdcall*)(DWORD, const char*, ...))Hook((LPVOID)sendPacketDW, testDW, HOOK_SIZE);

Also, why is HOOK_SIZE 6? Should it be 6 for sendPacket too?

Also, do I need to initialize SendPacketFP = DATA_SEND_SOCKET_INFO;? I think when we hook, its value is initialized, but if I'm trying to send a packet by myself it's empty.

Error code C1010?

Hi there,

I know it's been a while since you've posted this code, I came across it whilst looking for a fairly simple bot for Lineage.
I have, however, 0 knowledge of Visual Studio or any of the code. I have managed to get to the point where I compile the dll, but it gets the following error:
Severity Code Description Project File Line Suppression State
Error C1010 unexpected end of file while looking for precompiled header. Did you forget to add '#include "pch.h"' to your source? L2BotLib C:\Users\Amidaz\Downloads\l2bot-master\L2BotLib\dllmain.cpp 341

How do I fix this?

Thanks in advance!

PacketSend

Hey, just got to the PacketSend function and I've got some questions.
Was that actually working?

char* format = (char*) buffer;
size_t formatLength = strlen(format);
auto pidx = formatLength + 1;

if (formatLength > MAX_PARAM) {
    // We can only handle at most 10 parameters
    return;
}

// Setup parameters buffer
for (size_t i = 0; i < formatLength; i++)
{
    parameters[i] = *(DWORD*)(buffer + pidx + i * 4);
}

Do not understand where I'm mistaken, but maybe you can clarify that.

The usual call in C++ is with the following params:
[socket_info], [format], [opcode], [other call specific params]

Not taking into account these two: [socket_info], [format]. They seem to be correct.
socket_info is hardcoded and you get format from the base pointer to the buffer. Reading format as a string allows you to find the zero code which is the start of the rest of the params.

But the further stuff I can't understand.

parameters[i] = *(DWORD*)(buffer + pidx + i * 4);

The next param is opcode and it is 1 byte long, but it seems to me like you are interpreting it as a dword (4 bytes). The next param could be a string with completely unpredictable length and it will be considered as a dword as well.
Is the way I'm thinking correct? Or what am I missing in my understanding?
Thanks

Problem with Qt version

Hi, I want to try to use your bot, but I have a problem with the Qt version and can't do a single thing with it.
So, my problem:
There's no Qt version assigned to project L2Bot.vcxproj for configuration Debug/x64. Please assign a Qt installation in 'Qt Project Settings'
in ....\QtMsBuild\qt_vars.targets 68
Can you help me, because I'm not a C++ dev and Google can't help me? Thanks.

I read your article and it is very good.

I tried to follow your instructions but I couldn't compile the project

I had some problems with the C libraries, like ctype.h and others. I was solving some of them, but I got to one that I couldn't solve.

You could generate the executable/binary and make it available in release mode for us.

And it would be possible to create a video showing step by step how you reverse engineered it.

I'm trying to create a very simple bot, where the character goes to the x,y,z position, uses one skill and waits a while, goes back to the starting position and uses another skill, for the chronicle Interlude.

But I'm having trouble understanding low-level Windows protocols.

Determining Offsets and their meaning

Hey, just wanted to say thanks for the article. That was quite an interesting read. Short but intense.
My short-term nostalgia periodically hits me as well, and... well... today is the day.
Wanted to try some of your stuff, but not being a reverse engineer by any means, I'm stuck on the very first steps. Could you clarify some stuff?
The test server I've selected is C4.
ATM I see (from the comments in the code and GitHub) that you suggest to somehow find out the offsets for functions from engine.dll (e.g. send packet).
I was re-reading the article multiple times and haven't found a clue of what the required steps are to achieve this.
This is the screen from your article:
[image]
Further, you set the offsets in the code:

#define DATA_SEND_ADDR 0x3E3B80          // Offset of the "send packet" function in engine.dll
#define DATA_SEND_SOCKET_INFO 0xFD890000 // Offset of the networking structure

Basically I was trying to guess what you've done and came to the following:

  1. First, just for my confidence, can you confirm that "offset" refers to some number that when added to some base address points to some address in virtual memory? If yes, what is this base: 0, some imagebase, or whatever currently is in EBP? (I'm basically concerned if image base should be subtracted from the address)

  2. Are all the offsets I need to find out listed in the code as follows:
    DATA_RECV_ADDR, DATA_SEND_ADDR, DATA_SEND_SOCKET_INFO, DATA_SEND_MOVEMENT_ADDR ?
    Is this an exhaustive list? Or will there be an offset per every action that triggers a packet send (or receive)? Like I see here a special offset for movement, or at least it gives that impression.

  3. Do I understand correctly that in order to find out the offset I need to find where the beginning of the send packet function lives in engine.dll in virtual memory? In my case, from what I see, sending a message in chat goes through the path of ... -> nwindow -> engine * N -> ws_32.
    The engine module is calling memory inside itself a few times; is one of those addresses what I'm looking for? If yes, how can I know which offset is correct (assuming changing the value in code and running the solution in Visual Studio may not work, as I may have other stuff misconfigured)?

  4. Also I've found that from launch to launch the addresses I see in x32dbg differ. E.g.
    [image]
    [image]
    Am I doing something wrong? Any clues what it might be?
    (also I've used the editbin to turn off the ASLR for l2.exe)

  5. The offset that needs to be found, is it the address where the call instruction goes? Or where the push ebp instruction goes (atm it seems to me like the preparation for a call), or which one?

  6. In your code snippet you have the DATA_SEND_ADDR = 0x3E3B80. I've reviewed the screens very carefully but couldn't identify where (and how) you've got it from.

Can you clarify that? Thanks
Again, nice work with the article!

E0167: WCHAR error

Severity Code Description Project File Line Suppression State
Error (active) E0167 argument of type "const wchar_t *" is incompatible with parameter of type "WCHAR *" L2Bot ...\L2Bot-master (1)\L2Bot-master\L2Bot\Injector.cpp 181
