Moopler
WildWildLove

Discussion Bypassless Trainer?


Out of curiosity and inspiration from @hackbotmaple, we actually started to try out a bypassless trainer as we still do not have sufficient information about bypassing XC. We are currently working on a MapleSEA trainer and I tried something like this for the trainer:

if (chkALoot->Checked == true) {
    this->lblMessage->Text = L"ALoot checked";

    // Throttle: only post the next keystroke once the previous interval has elapsed
    if (autoLootTicks < GetTickCount()) {
        HWND inputWindow = FindWindow(NULL, TEXT("MapleStory"));
        // WM_KEYDOWN lParam layout: repeat count in bits 0-15, scan code in bits 16-23
        //PostMessage(inputWindow, WM_KEYDOWN, key, (MapVirtualKey(key, MAPVK_VK_TO_VSC) << 16) + 1);
        PostMessage(inputWindow, WM_KEYDOWN, 'C', ((MapVirtualKey('C', 0) & 0xFF) << 16) | 1);
        autoLootTicks = GetTickCount() + 100; // next update at 100 ms
        this->lblCheck->Text = L"ALoot running";
    }
} else {
    this->lblMessage->Text = L"ALoot unchecked";
}

It did work, the trainer was sending 'C' to MapleStory, but after a while it started to get detected by XC. Every time I inject the trainer, when I am at the channel selection page it gets detected. May I know if there is any other way to do it? Or could a pro out there guide us on whether there is a need for an XC bypass or not?


On 12/24/2016 at 16:05, XShade said:

Other than that, XignCode will probably flag any injected files. So you might have to find a way to hide your module

Posted that in hackbotmaple's thread. I'm rather outdated with XignCode detection, but I remember people used to hide their injected DLL/modules by erasing PE headers and removing the DLL from the PEB. Not sure if the latest XC will be able to detect it.
Another option is to run the trainer outside of the MapleStory process, as a standalone process, but I doubt this will work since XignCode checks for any opened process handles to MapleStory.
It's best to have a XignCode bypass to avoid those troublesome issues.

1 hour ago, XShade said:


Posted that in hackbotmaple's thread. I'm rather outdated with XignCode detection, but I remember people used to hide their injected DLL/modules by erasing PE headers and removing the DLL from the PEB. Not sure if the latest XC will be able to detect it.
Another option is to run the trainer outside of the MapleStory process, as a standalone process, but I doubt this will work since XignCode checks for any opened process handles to MapleStory.
It's best to have a XignCode bypass to avoid those troublesome issues.

If I were to do the bypass for XC, would I have to do it in mainDLL.cpp (I named it mainDLL) to actually hook the WinAPI used by XC?

I managed to find a temporary bypass for MSEA. This was for GMS:

//v178.3
[ENABLE]
alloc(find_hit_mob_in_rect_hook,128)

find_hit_mob_in_rect_hook:
mov eax,[029D8870] // CWvsPhysicalSpace2D: //8B 0D ? ? ? ? E8 ? ? ? ? 8B 08 83
lea eax,[eax+0C] // Left Wall Offset
mov [esp+04],eax
jmp 0105E870 // Original call (CMobPool::FindHitMobInRect)

00D8CB7B: // Function:CForceAtom_NonTargetAttack::UpdateAttackCollision
call find_hit_mob_in_rect_hook

[DISABLE]
dealloc(find_hit_mob_in_rect_hook)
00D8CB7B: // E8 ? ? ? ? 8B ? 89 ? ? ? 85 ? 0F 8E [First Result]
call 0105E870

And I am trying to update it for MSEA. I have already updated 029D8870 and 00D8CB7B, but I don't really know how to find 00D8CB7B for MapleSEA. How do I do it? I compared against the previous version and it was different.

All of a sudden I remembered IDA, which has such a naming convention. If I were to do it for MSEA, would I have to use IDA as well? How do I specifically find that address? Am I able to use CE to find it instead? Hmm.

On 26/12/2016 at 06:35, WildWildLove said:

I managed to find a temporary bypass for MSEA. This was for GMS:

//v178.3
[ENABLE]
alloc(find_hit_mob_in_rect_hook,128)

find_hit_mob_in_rect_hook:
mov eax,[029D8870] // CWvsPhysicalSpace2D: //8B 0D ? ? ? ? E8 ? ? ? ? 8B 08 83
lea eax,[eax+0C] // Left Wall Offset
mov [esp+04],eax
jmp 0105E870 // Original call (CMobPool::FindHitMobInRect)

00D8CB7B: // Function:CForceAtom_NonTargetAttack::UpdateAttackCollision
call find_hit_mob_in_rect_hook

[DISABLE]
dealloc(find_hit_mob_in_rect_hook)
00D8CB7B: // E8 ? ? ? ? 8B ? 89 ? ? ? 85 ? 0F 8E [First Result]
call 0105E870

And I am trying to update it for MSEA. I have already updated 029D8870 and 00D8CB7B, but I don't really know how to find 00D8CB7B for MapleSEA. How do I do it? I compared against the previous version and it was different.

This shit is hilarious, I'm glad I found it.
