Category Archives: Boting

Clandestine Group Development With Tor’s Hidden Service Protocol

Intro

Sometimes you have a great software project you want to work on for the benefit of the community. It is so great in fact, that engaging in development is outright illegal, and the company who’s patents you are infringing upon is not afraid to come after you with a lawsuit. So you are left with a very hot programming endeavour, and the need to have a cooperative effort with others in the community to make it happen within a short period of time.

This is exactly what Tor’s Hidden Service Protocol was created for! I kid…it was created for worthy goals like promoting free speech and political dissent in oppressive regimes, but its all the same for our goals.

Creating Custom JAR Loaders With ClassLoaders

[Note] This article is part one of a two part series on making a bot for a java game [/Note]

[Intro]

As part of being in the trial team we were given a game called Objection! which is a really old/DOS-looking kind of game with horrible graphics that allows you to hone your objection skills.  It gets really tough after a while, so I thought it would be fun to inject a dll and dump the questions and make a simple bot. If anything, it would be a good exercise in reverse engineering.

Since it comes bundled in an exe, and it looks old as hell, I assumed the game was written in C and using the WinAPI.  But after popping up IDA and looking inside the exe, I quickly realized that it was nothing more than a JNI class loader, and the game itself came bundled in a jar file called tmgames.jar.  This changes everything, instead of injecting a dll to detour functions from the process, I can build a custom loader to load the jar, and instrument the client’s code at runtime.

The first step in this whole process is taking control of the loading process of the game.  After that we can instrument it.  And so this tutorial is born.

[>>>>>]

The process breaks down in six steps:

  1. Build a classloader from the gamejar.
  2. Load the class that has the game’s main method.
  3. Get the constructor that you want to call of that class.
  4. Instantiate the class with the constructor and parameter(s) you need.
  5. Find the game’s main method.
  6. Invoke the main method.
package runtime;
 
import java.net.URLClassLoader;
import java.net.URL;
import java.lang.reflect.Method;
import java.io.*;
import java.lang.reflect.Constructor;
 
public class Main 
{
	/**
	 * @param args
	 */
	public static void main(String[] args) 
	{
		URL[] url = new URL[1];
		try
		{
			url[0] = new URL("file:////C://Users//emist//workspace//tmloader//bin//runtime//tmgames.jar");
			verifyValidPath(url[0]);
		}
		catch (Exception ex)
		{
			System.out.println("URL error");
		}
		Loader l = new Loader();
		l.loadobjection(url);
 
	}
 
	public static void verifyValidPath(URL url) throws FileNotFoundException
	{
		    File filePath = new File(url.getFile());
		    if (!filePath.exists()) 
		    {
		      throw new FileNotFoundException(filePath.getPath());
		    }
	}
 
}
 
class Loader
{
	public void loadobjection(URL[] myJar)
	{
		try 
		{
			//Create a classloader.  myJar holds the full path to the game's jar file. 
			URLClassLoader child = new URLClassLoader(myJar, this.getClass().getClassLoader());
 
			//tmcore.game is the class that holds the main method in the jar
			Class<?> classToLoad = Class.forName("tmcore.game", true, child);
			if(classToLoad == null)
			{
				System.out.println("No tmcore.game");
				return;
			}
 
			//game doesn't have a default constructor, so we need to get the reference to public game(String[] args)
			Constructor ctor = classToLoad.getDeclaredConstructor(String[].class);
			if(ctor == null)
			{
				System.out.println("can't find constructor");
				return;
			}
 
			//Instantiate the class by calling the constructor
			String[] args = {"tmgames.jar"};
			Object instance = ctor.newInstance(new Object[]{args});
			if(instance == null)
			{
				System.out.println("Can't instantiate constructor");
			}
 
			//get reference to main(String[] args)
			Method method = classToLoad.getDeclaredMethod("main", String[].class);
			//call the main method
			method.invoke(instance);
		}	
		catch (Exception ex)
		{
			System.out.println(ex.getMessage());
			ex.printStackTrace();
		}
	}
}

Something to note about this code is that there are many hidden pitfalls.  For example, if you call getDeclaredMethod(“main”) you will have a methodnotfoundexception.  The reason being that you have to match the method declaration.  getDeclaredMethod(“main”, String[].class) matches main(String[] args), while getDeclaredMethod(“main”) looks for main(), which doesn’t exist.

Another thing that can trip you up is that classToLoad.getDeclaredConstructor is required if the class doesn’t have a default constructor.  If you forget to do this, you will get an exception to the effect that the class cannot be instantiated.

[Epilogue]

If you’re wondering how you find out what methods you need to call and what parameters they take, there’s many ways of going about it.  Personally, since its java I extracted the jar and ran the classes through jad.  Once decompiled its a simple process to figure out what code you need to be calling.

[End]

So now you have a class loader to load your jar.  This is the first step in making a working bot.  In the next article I will show you how this fits into a working bot.

The Four Canons of Relatively Safe Bot Design

So you’ve decided to write a bot for your favorite MMO.  You figured out what technologies you will be using and how you will interface with the game and all that’s left is to get to hacking.  So you grab yourself a couple of bottles of your favorite beer and go at it!

Not so fast big boy.  Do you have a game-plan?  Without a game plan you’ll likely spend a lot of time and effort to develop something that will get detected and banned, leaving you to pick up the pieces.  Don’t worry, it doesn’t take much to pick up a strategy to minimize your risks.  In this post I will share with you what I’d like to call the Four Canons of Relatively Safe Bot Design(tm).

Botting, The Legality Of MMO Automation [Blizzard-Glider]


Typical sunday afternoon in an mmo
Typical Sunday afternoon in any MMO


If you’ve been around MMORPGs long enough you have run into them, they make every game seem like zombieland and there’s nothing anyone can do to stop them. I’m talking about “bots” or programs whose sole function is to automate gameplay so that players can advance without having to sit by the computer for hours on end doing menial, repetitive tasks. Bots come in all shapes and sizes, you have the color-matching, clicking macros, you have the man-in-the-middle type bots, you have the injected ones that run directly inside the game client’s address-space and many variations of these. If you’ve been in any boting community you probably have run into discussions of the legality of using and making these bots and you’ve probably heard that certain types of bots will not set you up for liability. I’m here to tell you that regardless of how the bot is implemented you could be liable to the game company as the developer and almost certainly will be liable to them as the user of these programs.

Eve Online Python Bot Development And The Python Embedding API

Eve Online Python Bot Prologue

For a programmer beginning a project usually the first thing is figuring out how he is going to go about doing what needs to be done.  What technology is out there, what approaches can I take to get this or that needed functionality implemented, is this even possible?  These questions are pretty common and their importance can’t be overlooked-many projects die before they even begin at this stage. Here I’ll teach you everything you need to know to code an eve online python bot.

When designing an injected bot for Eve Online, the hardest issue to tackle is how to get the information you need into and out of the client.  Enter the injected DLL and the Python Embedding API.  If you ever wondered whats inside those DLLs, you’re about to find out.eve online python