GunZ game
random half assed tutorial i made like a year ago
GunZ game Posted on: 08/10/2013 1:31am
Quote Post
The Laziest Man on KongHack
if you would like to add to this slowly growing tutorial, please do! either post a section (or all, i wont mind) or useful links in this thread, or PM them to me and i will add it here.
i created this thread once before but it failed horrendously. perhaps people will be more willing to contribute now? edit: Egads, it seems to be working?!


So you want to learn everything about making hacks? Well then you came to the right place, because you're about to learn exactly that. How to construct, create, and inject your very own self-made hacks! Before we get started i must warn you that you absolutely MUST know basic coding or you wont understand most, if not all, of the information within this tutorial. Some of you may say HELP, i don't know basic coding! But worry not! We here at ***.com have come together and found multiple websites that should help tremendously for learning the basics of coding! (and more if you choose)
Learning Languages

Learning Assembly:
credits to: [MOP]Nessy for giving me this link 3 and a half years ago

Learning the basics of DLL's: bad link
Reversing for noobies:
credits to: Rwkeith for these very helpful links

Learning C/C++: here
credits to: my friend danny for the link

Now that's out of the way, we can start creating cheats! Cheats are basically anything that gives you an advantage over others without breaking the law (maybe the terms of service but not the law), whereas hacks DO break the law because you have to illegally HACK into the games servers to give yourself this advantage. this is HIGHLY ILLEGAL and NOT condoned by anybody including myself here at konghack.

Modifying Code

modifying code is all about exploring the possibilities. grab a source code for some ideas, and think of your own as well!
Finding Addresses

First of all you need to unpack the gunz.exe and this can be trouble. since the move to Aeria, it is now packed with Themida which is quite hard to undo. Thankfully there is a way to bypass the packing entirely. Thanks to Cipher for the original idea/creation and to Shihanus/Deutschland for updating it and releasing the source

link to topic here and in case it goes down, source below


#include typedef long(__stdcall* _NtSuspendProcess)(IN void*); _NtSuspendProcess NtSuspendProcess = (_NtSuspendProcess)GetProcAddress( GetModuleHandle( L"ntdll" ),"NtSuspendProcess" ); bool bLaunchGunz() { _STARTUPINFOW SI = {0}; _PROCESS_INFORMATION PI = {0}; _SECURITY_ATTRIBUTES SA = {0}; int bCreated = ::CreateProcessW(L"C:\\AeriaGames\\GunZ\\Gunz.exe",0,&SA,0,0,CREATE_NEW_CONSOLE,0,L"C:\\AeriaGames\\GunZ\\",&SI,&PI); if(bCreated) return true; return false; } unsigned long ulProcessId(unsigned long* ulProcId) { HWND hWnd; do { hWnd = ::FindWindowW(L"RealSpace2",0); ::Sleep(10); } while(!hWnd);

unsigned long ulID = ::GetWindowThreadProcessId(hWnd,ulProcId); return ulID; } int __cdecl main() { void* vCon = ::GetStdHandle(STD_OUTPUT_HANDLE); unsigned long ulBytesWritten; if(!bLaunchGunz()) { wchar_t* wszFailCreate = L"Failed to launch Gunz!"; ::WriteFile(vCon,wszFailCreate,wcslen(wszFailCreate)*sizeof(wchar_t),&ulBytesWritten,0); } unsigned long ulProcId; ulProcessId(&ulProcId);

void* vGunz = ::OpenProcess(PROCESS_SUSPEND_RESUME,false,ulProcId); if(vGunz == 0) { wchar_t* wszNoHandle = L"Failed to open HANDLE to the process!"; ::WriteFile(vCon,wszNoHandle,wcslen(wszNoHandle)*sizeof(wchar_t),&ulBytesWritten,0); } NtSuspendProcess(vGunz); wchar_t* wszSuspend = L"Gunz is now suspended!\nYou may attach OllyDbg."; ::WriteFile(vCon,wszSuspend,wcslen(wszSuspend)*sizeof(wchar_t),&ulBytesWritten,0); ::Sleep(5000); return 0; }

now after we unpack it into memory, we need to attach olly to the frozen process. if you dont have it, you can grab olly from the bottom of the page. once we're attached, its all a matter of looking for whichever address we need for our DLL. Lets say we want to make a lawnmower. to make it, we would need to know what address the slash is. the name of the function is usually post.melee, but since this is for beginners like myself, ill take the easy route.

Packet ID's

inside the post.melee function is a packet ID which we can search for to easily find it. the packet ID for the slash is 2735. so we go into olly, and press ctrl+F to bring up the search. type in "PUSH 2735" without the quotes into the search bar and click ok. it should take you directly to the packet ID. from there we scroll up a few lines to the Push -1(push ecx above two calls for aeria. actually im not sure about that), which is the base address of that function, and exactly the address we were looking for!
Old Gunz

"wait, i dont know the other packet id's. and what if they dont have one?!"
whoa there, settle down. i'll get to that! some functions dont have packet ID's, like your HP and AP. those are float values. to find them we need to either use an address logger (none of them work the way they should currently), or we can do it the oldschool way and search for it. now how do we search for it if it doesnt have a packet ID? well theres a few ways

you can use an undetected cheat engine if you have a gameguard bypass (goodluck). you can use a logger. you can search the code for a month. you can do cocaine to speed up the process.
but we're going to compare it with an older version to search for the generalized function. below is an old already unpacked gunz exe, and a list of every offset with the functions next to them.
please refer to the wildcard section below before continuing.
Wild cards
wild thang, you make my heart sang
Wild cards are much like the name implies, they can be anything whatsoever. Wildcards are a ?? in the code and ??'s are used to generalize a search or replacement code. Since code unfortunately doesnt stay the same forever, and some things change, the ?? represents the parts that you think changed or parts of the code that you dont need to replace. so for example i want to find 25 ff 7f 42 but i have an older version that says 25 d0 20 42. i would use wildcards! i would search for 25 ?? ?? 42 and it will take me to the first occurence of that code. say the first one we see is 25 d1 77 42. thats not what we want. so we go through all of the occurences until we find the one we want!

Alright now that's out of the way, we are going to use the old gunz offsets to find the function in the old gunz. After you find that function, you're going to want to copy a large chunk of its code. Paste it somewhere like notepad or something. Now remember those wildcards? We are going to use them to find the new function in the new gunz!
See, the code is basically a language. The first couple of bytes (42 XXXXXXX) are called opcodes. They are the operation of the code. This tells the program what to do. Jump, compare, xor, everything and anything. We want to keep those parts of the code pretty much the same because the gunz source hasnt changed too drastically.
The code after those opcodes (XX 00242840) is what is being executed. If the opcode is a jump, it will go to that address. If its an add, it will add that number. So on and so forth. We want to wildcard these parts! That way when we search for that chunk of code (42 ????????) it can find it even though some of it has changed.
Now i can hear you asking me "Why would we do it this way when it shows the packet ID in the old gunz?" Well the answer is simple. As i stated above, some functions dont have ID's! Lets take HP and AP for example. Those are float values. They do not have a packet ID so we have to use the old code to search for the newer one.

Address Loggers
This spot intentionally left blank
Creating a DLL

copied from another thread (thanks Clyde)

Visual Studio
   File -> New -> Win32 Project -> DLL -> Empty Project In the Solution Explorer, right click on "Source Files". Add -> New Item -> *.cpp file Give it a name and hit OK. Paste the code in there. Change the Solution Configuration at the top from Debug to Release. Hit F7 or Build -> Build Solution.
Injecting a DLL

you can use either of the multiple auto-injectors (namely axelfreaks) or if you wish, you can create your own!
credits to Superiorest this awesome source

   Make a .dll project, and name it d3d9.dll. Enter the following code in it:  [code starts here] #include   BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD dwReason, LPVOID lpvReserved) { 	if (dwReason == DLL_PROCESS_ATTACH) 	{ 		DisableThreadLibraryCalls(hInst); 		LoadLibraryA("MyHack.dll");         //Replace "MyHack.dll" with the name of the hack you're injecting 		LoadLibraryA("C:\\Windows\\System32\\d3d9.dll"); 	} 	return TRUE; //Returning FALSE will cause this module to be uninjected. } [code ends here]  You don't really need "DisableThreadLibraryCalls(hInst)", but it's nice to have it.  /**********************************EXPLANATION**********************************/  #include  //This includes the "Windows.h" header file. We need this for our current code.  BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD dwReason, LPVOID lpvReserved) //This is our entry point for the .dll. We get 3 parameters: hInst, dwReason, and lpvReserved, of type HINSTANCE, DWORD, and LPVOID, respectively. { 	if (dwReason == DLL_PROCESS_ATTACH) //dwReason is one of our parameters. It's the reason for calling DllMain(), our entrypoint. 	{ 		DisableThreadLibraryCalls(hInst); //Disables other calls with the DWORD parameter as "DLL_PROCESS_ATTACH" or "DLL_PROCESS_DETACH". 		LoadLibraryA("MyHacks.dll"); //Loads our .dll hack, where "MyHack.dll" is the name of our hack. 		LoadLibraryA("C:\\Windows\\System32\\d3d9.dll"); //We need this. This is what GunZ is actually looking for. 	} 	return TRUE; //DllMain is a BOOL function. We return either TRUE or FALSE. FALSE is returned in case of error or failure. Returning FALSE will cause the .dll to be uninjected.

pretty sure you meant to include those red slashes there ;)
Updating a DLL
you update the addresses and offsets*cough*


Q: Why is this Tutorial so empty? I want to learn!
A: Because the community hates me and you, that's why.

Q: Why is this tutorial so long and hard to understand?
A:The process is unfortunately both difficult and long. you wont be able to do it in a day

Q:Help! I dont know what do do with *insert file here*
A:Read the directions for the program or file, or read what its used for. Seriously. Just read.

Q:You suck at making guides and your life sux l0l douevenlift umad
A:Cool story bro. You make a better guide then.

Q:Thanks for making this guide/TuT/redirect to useful links
A:You're very welcome, thank YOU for reading and not being a retard like the questioner above you

Q:When would you guess this will be complete (or mostly filled in)
A:Probably never, but hopefully it will help in some areas as it was intended.

I'm making this for a few reasons. one: i'd like to learn how to do this. two: im sure others would as well (most leechers wouldn't have a use for this guide because its "too hard qq"). three: i would like to use the game as a sort of gateway into coding and such. learn the basics here, apply them elsewhere to learn even more.

this is a work in progress. hopefully all of this will get filled in and this can get stickied

edit: maybe eventually ill get around to making my own hack and then be able to explain it better. until then ill slowly add things in where i can, or if somebody pm's me something to help with the guide ill stick it in here as well.

Olly dbg with scripts odbg110.rar

Jgunz Attachment 47056

Old Gunz with offsets Attachment 47055

Last edited by thenewcomer; 02-23-2014 at 12:21 AM. Reason: updated the olly config so it no longer shows my name.

i literally copied this from another site. if you want to you can fix it. otherwise its gonna stay pretty much the same

Attached Files
Filename Filesize Downloads
odbg110.rar 3.76 MB 464