Conquer2 Gamehacking Tutorial Mod: Please Sticky this!
A few notes up front: this is my first tutorial, and you need at least a bit of asm knowledge; I don't explain everything in detail, there are other tutorials/books for such things. There are for sure different ways to do it, some easier, some harder; this is just my personal way to do it.
I work in this tutorial with the following tools:
-Hexeditor
-UPX
-OllyDbg v1.10
-TSearch v1.6b
-W32Dasm v8.7
-Conquer2 Client
-Borland Delphi (only for the example of the tool)
The Delphi source and the binary aren't updated in this version; as soon as I have installed Delphi again I will update them too.
The exe is now UPX packed, so to follow this tutorial you first have to open conquer.exe in a hex editor of your choice and, at the very beginning of the code, change “afe0” to “UPX0” and “1.21 fea” to “1.21 UPX”; after that modification you can unpack the file with UPX.
Et voilà, now you have the normal exe.
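The renaming trick above works because UPX only refuses to unpack when its section names and stub string have been altered; the section layout itself is unchanged. The following Python script is an added example, not part of the tutorial or its tool: it parses the PE section table and reports whether an image shows the UPX layout (an empty-on-disk first section followed by the section carrying the packed data) even when the names no longer say "UPX". The sample images are constructed in memory; "afe0" is the renamed name from the tutorial, "afe1" and the module sizes are assumptions.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER layout (40 bytes)
SECTION_SIZE = struct.calcsize(SECTION_FMT)


def parse_sections(data: bytes) -> list:
    """Walk the PE headers and return one dict per section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, data, table + i * SECTION_SIZE)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("latin-1"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "raw_size": f[3],
            "raw_pointer": f[4],
            "characteristics": f[9],
        })
    return sections


def classify_packer(data: bytes) -> dict:
    """Report whether the image looks UPX-packed and whether the section
    names still say so or have been altered."""
    secs = parse_sections(data)
    names = [s["name"] for s in secs]
    named_upx = any(n.startswith("UPX") for n in names)
    # UPX's signature layout: the first section is empty on disk (raw size 0) but
    # large in memory, because the unpacked program is written there at run time;
    # the section after it carries the compressed data and the decompressor.
    layout_upx = (len(secs) >= 2
                  and secs[0]["raw_size"] == 0
                  and secs[0]["virtual_size"] > 0
                  and secs[1]["raw_size"] > 0)
    if named_upx and layout_upx:
        verdict = "upx-intact"
    elif layout_upx:
        verdict = "upx-like-renamed"
    else:
        verdict = "no-upx-layout"
    return {"verdict": verdict, "sections": names, "stub_magic": b"UPX!" in data}


def build_sample_pe(first_name: bytes, second_name: bytes,
                    stub: bytes = b"", first_raw: int = 0) -> bytes:
    """Constructed minimal PE32 image used as test input (not a real program):
    DOS header, COFF header, zeroed optional header, two section headers and a
    few bytes of fake section data."""
    opt_size = 0xE0                                      # PE32 optional header size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    raw_off = 0x40 + 4 + 20 + opt_size + 2 * SECTION_SIZE
    payload = stub + b"\xAA" * 16
    sec0 = struct.pack(SECTION_FMT, first_name.ljust(8, b"\0"), 0x30000, 0x1000,
                       first_raw, raw_off if first_raw else 0, 0, 0, 0, 0, 0xE0000080)
    sec1 = struct.pack(SECTION_FMT, second_name.ljust(8, b"\0"), 0x10000, 0x31000,
                       len(payload), raw_off, 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + sec0 + sec1 + payload


if __name__ == "__main__":
    # "afe0" is the renamed first section from the tutorial; "afe1" is assumed.
    for label, image in [("stock UPX", build_sample_pe(b"UPX0", b"UPX1", b"UPX!")),
                         ("renamed", build_sample_pe(b"afe0", b"afe1")),
                         ("plain", build_sample_pe(b".text", b".data", first_raw=0x200))]:
        print(label, classify_packer(image))
```

Run it on a real file by passing `open(path, "rb").read()` to `classify_packer`; a verdict of `upx-like-renamed` is the case this tutorial deals with, and is also what a triage script should flag when a binary that arrives for analysis has had its packer signature scrubbed.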
First of all we need a plan to get a good entry point for finding a lot of the internal functions. When we look around in game and do some actions, we can see that most kinds of actions can end with an error message that is printed in the upper area, so it is a good idea to find the routine that prints such messages; with it, it will be easy to backtrace a lot of functions (I will come back to that later in this tutorial).
So let us start with the work: start the game and do something to produce an error message; we will take here the message "You can't stop here!". Open TSearch, open the Conquer process with it and start the hex editor of TSearch; with it we now search for that message.
As you can see in the picture, for me it is at offset 1860fe0. Now it is time to start OllyDbg. After starting, attach it to the Conquer process; it will break the process after it finishes loading, so press play to continue it, because it is an online game and it disconnects you after approximately 10 s of being paused.
The screenshot just shows the windows with their names, so you know which window I am speaking about.
We now click once in the memory window to activate it, then press “ctrl+g” and enter the address we found with TSearch, in this case “1860fe0”. Then we mark the “You can’t stop here” string, right-click and choose “Breakpoint->Memory, on Access”. Now we have a memory breakpoint on it: whenever the process reads/writes that address, it breaks at the instruction that accessed it. So now let us click on anything where we can't stop. And boom, the debugger breaks the process at address “77C13830” in my case; when you have a look at the small window under the process window, you can see that register EAX holds the offset of a routine:
77C13830 8B01 MOV EAX,DWORD PTR DS:[ECX]
DS:[01860FE0]=20756F59
EAX=00475310 (Conquer.00475310)
So it is reasonable to think that this function has something to do with the function that prints the error msgs, so let us take a look at it. Open conquer.exe with W32Dasm (I prefer it for such things, because it gives a better overview); when the file is analyzed, we use the Goto Code Location function and go to offset “00475310”. We scroll up to find the beginning of the function, and we quickly see that it is only 2 lines up: you can recognize the end of the previous function by its “ret” (return); the next line is then the beginning of a new function.
We can see that there are many offsets that reference that function, so it could be that we have just found the function that prints the error msg, because we know that a lot of things we do in game may produce an error message. So let us test whether this is the right method: set a breakpoint at offset “475306”, now do some things in game (that don't produce an error msg) and look whether it breaks or not. We can see nothing happens; so let us do things that produce an error msg, and as we can see it doesn't matter which error message comes, it stops at that breakpoint.
(Info: it only breaks on the error msgs that begin with [System], not with a [System]; that is because the first ones are produced by the client itself, the others are sent by the server.)
So now I will explain how to find the other function. We just leave our breakpoint at “475306” active; in this case we want to find the jump function, so we just click anywhere we cannot stop. Boom, OllyDbg pauses our process. Now you have to know that at the address in register ESP the return address is saved, i.e. where it jumps back to after executing the function. So we take a look at it: just right-click the ESP register in the register window and choose “Follow in Dump”; in the memory window we now see the following:
0012F6D0 5E DD 46 00
We will now switch to W32Dasm and go to location “46DD5E”. From there we scroll up through the code until we reach the beginning of the function, so we come to offset “46DB7D” (it's the beginning of the jump function). Now we switch back to OllyDbg and set a breakpoint at that offset. Then we do a jump and we see OllyDbg pause at that breakpoint; we look again at the value at ESP and see the following:
0012F80C F8 99 45 00
We now go in the process window to that offset (4599F8); we are now one line under the call that calls that function, so we look at the code before it and see that the function has 2 parameters (the push command puts things on the stack; it saves the variables for a function).
We now set a breakpoint at offset “4459E9” to see what parameters the function uses. Do a jump and look at what is in EAX; because it is a hex value, translate it into decimal and write it down. Press F8 twice to step to the next step, write down the ECX value, then continue the process and look at the new coords you are at: you can see that the EDX value is your y coord and the EAX value is your x coord. In ECX the pointer for the function is stored.
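The two dump lines above are read the same way each time: the four bytes at [ESP] are a little-endian dword, and the address they form tells you who called the function, which is how 46DD5E and 4599F8 were obtained. As an added example (not code from the tutorial), this Python snippet decodes such OllyDbg-style dump lines and resolves the return address to a module, which also makes clear why the first memory breakpoint fired inside a system DLL (77C13830) while the interesting routine lives in the game module. The module ranges in MODULES are constructed assumptions, not values from the tutorial.

```python
import struct
from typing import Dict, Optional, Tuple

# Constructed module map in the shape OllyDbg's module window gives (base, size).
# Both ranges are assumptions for this example, not values from the tutorial.
MODULES: Dict[str, Tuple[int, int]] = {
    "Conquer": (0x00400000, 0x01500000),   # assumed image range of conquer.exe
    "MSVCRT":  (0x77C10000, 0x00058000),   # assumed range of a system runtime DLL
}


def decode_dump_dword(line: str) -> Tuple[int, int]:
    """Parse a dump line of the form 'ADDR B0 B1 B2 B3' and return
    (stack_address, value); the four bytes are little-endian, so
    '5E DD 46 00' is the dword 0x0046DD5E."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError("expected an address followed by four byte values")
    stack_addr = int(parts[0], 16)
    value = struct.unpack("<I", bytes(int(b, 16) for b in parts[1:]))[0]
    return stack_addr, value


def locate(addr: int, modules=MODULES) -> Optional[Tuple[str, int]]:
    """Return (module name, offset from module base) for an address, or None."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name, addr - base
    return None


def return_address_report(line: str, modules=MODULES) -> str:
    """One-line summary of where the saved return address points."""
    sp, ret = decode_dump_dword(line)
    hit = locate(ret, modules)
    where = f"{hit[0]}+{hit[1]:X}" if hit else "no known module"
    return f"[ESP]=0x{sp:08X} returns to 0x{ret:08X} ({where})"


if __name__ == "__main__":
    for dump in ("0012F6D0 5E DD 46 00", "0012F80C F8 99 45 00"):
        print(return_address_report(dump))
    print(locate(0x77C13830))   # the memory-breakpoint hit lands in a system DLL
```

A return address that resolves to a system DLL means you are still inside a library routine (here a string function called by the game); keep following [ESP] outward until the address falls inside the main module, and that is the code worth reading in W32Dasm.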
You have found your first function, but what to do with it now? In the next section we will write our own little tool with which we can use the function, so that we can enter x,y coords and our char will then jump to those coords.
I only explain here briefly how to do it in general; for an example look at the Delphi source code, which I have commented.
The general way is that you make your own DLL that you inject into the Conquer process. In that DLL you create a thread (which then runs inside the Conquer process too), and in the thread you make a function something like:
procedure Jump(x, y: Integer);
begin
  asm
    push y              // pass the y coord (second parameter)
    push x              // pass the x coord (first parameter)
    mov ECX, $004FE420  // move the pointer the function expects to ECX
    mov EAX, $0046DB7D  // move the offset of the jump function to EAX
    call EAX            // call the jump function
  end;
end;
You then call that function with the x,y coords you want to jump to.
I also include the compiled version of the example tool, for all who don't have Delphi and want to see it in action, and my coloader tool, which starts Conquer and injects the DLL into its process.
How to use the loader: as parameter you need the path to your Conquer dir with "\" at the end; best is to make a shortcut to it. I put a shortcut in the bin dir, you just have to change the properties.
Finish!
I hope this helps a bit to learn something about gamehacking.