Guidance on reverse-engineering Blade & Soul MMORPG


farmith

Newbie
Full Member
Mar 17, 2016
11
64
0
Hello community!

I'm looking with torch and magnets for information on how to reverse-engineer an MMORPG called Blade & Soul.

It's a free-to-play MMORPG so there's no cost involved in downloading for those interested. Anyhow,

As it's based on UE3, knowing UE3 may be of benefit for someone who hasn't reversed it yet but has reversed other UE3 games, although be warned they exported the engine code to its own DLL and reworked a lot in custom code (which makes life harder).

Things I'm interested in learning how to do:

* Unpacking the game executable successfully to be able to analyze it both statically and dynamically; it's packed with Themida / WinLicense but the usual scripts don't seem to work fully (OEP and stuff is scrambled on unpack for me)
* Learning to find the player base, functions etc. to use
* Adapting pattern scanning to find said bases upon game updates

I've watched several (probably in the range of 50+) tutorials on the unpacking part (but none of them cover what to do if you fail OEP/IAT), numerous (20+) tutorials on general pattern scanning, and also numerous (20+) tutorials on finding functions inside games, so I would not say I'm a COMPLETE noob on the subjects; however, I'm getting nowhere FAST. The 2 last parts kind of (afaik) require me to do #1 properly first, more or less.

So yeah, if someone could help me out with a video tutorial, Skype tutoring or something, that would be so greatly appreciated!

// Farmith
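As an added illustration of the third bullet (pattern scanning that survives updates), here is a small wildcard "AOB" signature scanner. This is example code written for this page, not code from the thread or from any Blade & Soul tool. The byte buffer is a constructed x86 snippet standing in for a few bytes of a module's .text section, the signature string and the addresses in it are made up, and in a real scanner the buffer would come from ReadProcessMemory or a dump. The point it shows: wildcard the immediate and displacement bytes (the parts a patch changes), match on the opcode skeleton, then read the current values back out of the match.

```c
/* Added example (not from the thread): a wildcard "AOB" signature scanner of
 * the kind used to re-find a static address after a game update. The buffer
 * below is a constructed stand-in for a few bytes of a module's .text
 * section; in a real tool it would come from ReadProcessMemory or a dump. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SIG 64

/* Parsed signature: byte values plus a mask (1 = must match, 0 = wildcard). */
typedef struct {
    uint8_t bytes[MAX_SIG];
    uint8_t mask[MAX_SIG];
    size_t len;
} signature_t;

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = toupper(c);
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse text like "A1 ?? ?? ?? ?? 8B 80" into a signature. Returns 0 on a
 * malformed token so a typo in the signature is caught before scanning. */
static int parse_sig(const char *text, signature_t *sig) {
    const char *p = text;
    sig->len = 0;
    while (*p) {
        while (*p == ' ') p++;
        if (*p == '\0') break;
        if (sig->len >= MAX_SIG) return 0;
        if (p[0] == '?') {                    /* "?" or "??" = wildcard byte */
            sig->bytes[sig->len] = 0;
            sig->mask[sig->len] = 0;
            p += (p[1] == '?') ? 2 : 1;
        } else {
            int hi = hexval((unsigned char)p[0]);
            int lo = (hi >= 0) ? hexval((unsigned char)p[1]) : -1;
            if (hi < 0 || lo < 0) return 0;
            sig->bytes[sig->len] = (uint8_t)((hi << 4) | lo);
            sig->mask[sig->len] = 1;
            p += 2;
        }
        sig->len++;
    }
    return sig->len > 0;
}

/* Return the offset of the first match of sig in buf, or -1 if none. */
static long find_sig(const uint8_t *buf, size_t buf_len, const signature_t *sig) {
    if (sig->len == 0 || buf_len < sig->len) return -1;
    for (size_t i = 0; i + sig->len <= buf_len; i++) {
        size_t j = 0;
        while (j < sig->len && (!sig->mask[j] || buf[i + j] == sig->bytes[j])) j++;
        if (j == sig->len) return (long)i;
    }
    return -1;
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed x86 sample: a function prologue followed by a three-level
 * pointer walk. The absolute address in `mov eax,[imm32]` and the two
 * displacements are what a patch is likely to change, so they are
 * wildcarded in the signature and read back out of the match. */
static const uint8_t sample_text[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08,          /* push ebp; mov ebp,esp; sub esp,8 */
    0xA1, 0xB8, 0xBF, 0xFB, 0x01,                /* mov eax, [0x01FBBFB8] (made up) */
    0x8B, 0x80, 0x58, 0x01, 0x00, 0x00,          /* mov eax, [eax+0x158]  */
    0x8B, 0x80, 0x4C, 0x05, 0x00, 0x00,          /* mov eax, [eax+0x54C]  */
    0xC3                                         /* ret */
};
static const char *sample_sig = "A1 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? C3";

/* Offset of the pattern inside sample_text, or -1 if absent. */
static long sample_match(void) {
    signature_t sig;
    if (!parse_sig(sample_sig, &sig)) return -1;
    return find_sig(sample_text, sizeof sample_text, &sig);
}

/* The static address recovered from the match (imm32 right after A1). */
static uint32_t sample_static_addr(void) {
    long off = sample_match();
    return off < 0 ? 0 : read_le32(sample_text + off + 1);
}

/* The last displacement recovered from the match ([eax+disp32]). */
static uint32_t sample_last_disp(void) {
    long off = sample_match();
    return off < 0 ? 0 : read_le32(sample_text + off + 13);
}

/* A malformed signature must be rejected rather than silently scanned. */
static int sample_bad_sig_rejected(void) {
    signature_t sig;
    return parse_sig("A1 ZZ 8B", &sig) == 0;
}

int main(void) {
    long off = sample_match();
    if (off < 0) { puts("signature not found"); return 1; }
    printf("match at +0x%lX: static=0x%08X last disp=0x%X\n",
           off, sample_static_addr(), sample_last_disp());
    return 0;
}
```

The scan is a plain byte-by-byte compare over the whole buffer, which is fine for a single .text section; the part worth copying is the discipline of wildcarding every operand that can move and anchoring only on opcode bytes, then pulling the live value out of the match instead of hard-coding it.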
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,298
37,938
269
I won't do any of the suggested methods but here's my advice.

It's basically not UE3 from what I've seen around, they have loads of custom code, so generating an SDK is pretty much pointless ( ? ).

Have you..
A.) Tried dumping from memory?
B.) Tried running the anti-Themida scripts in a compatible environment? (i.e. Win XP, Win 7 x86)
C.) Tried simply reversing dynamically with Olly/x64Dbg/Debugger of choice?

In regards to your final 2 bullet points though, those can be learned via some more video/text tutorials you can find chilling around
 

farmith

Newbie
Full Member
Mar 17, 2016
11
64
0
(quoting mambda's reply above)
Hi mambda, and thanks for the response!

Indeed you are correct; generating an SDK is rather pointless as per my OP (as the engine code is separated from the game logic).

I have dumped the memory a few times, but I always get stuck on trying to rebuild the IAT, so I've googled "rebuild IAT" a lot but just can't get the hang of that.

I have run the Themida unpacker scripts (1.0, 1.1, 1.2, 1.3 and 1.4) in a WinXP 32-bit environment, but they all fail to find the OEP, so I've googled quite a lot on how to find the OEP manually, tried to use the proper tools to "test" my results, but again failed miserably.

And about reversing dynamically, I have done that too with both CE and Olly, but this process takes quite a long time for me to get anywhere (to the point where they release an update before I'm done with anything and I basically have to start over). Maybe I'm just unlucky that the parts I'm finding change on update, or maybe they have some randomization embedded in the updates that moves stuff "commonly reversed", I don't know.

Cheers!
 

Nazalas

Coder
Dank Tier VIP
Dank Tier Donator
May 20, 2015
99
3,963
3
I tried to do a little bit of work on this game when it first came out but didn't know enough to get very far. I can tell you though that you can get the player base and offsets for quite a few things with just Cheat Engine and Olly. This information may be old but here are some of my older notes.

Player Base for update 02/10/2016: "bsengine_Shipping.dll"+01FBBFB8+158+54C
XYZ is at PB+54, 58, 5C
speed is at PB+2BC

You can use this to teleport short distances as well as increase your speed. If you go above 415 speed, the game will start rubberbanding. Also, I was able to do a little bit with playing with combat flags to do things like remain out of combat while I was attacking. I had more offsets for things like health and such but I cannot find them. They are pretty easy to get however.

What is it that you are wanting to do with this game? I was trying to make an MMO bot for it that would at least grind areas and loot. I was able to get the entity under the cursor and able to find hp of several enemies but could not find out how to get a list of enemies.

Edit: I still have this game installed so let me know if I can help. I am not great at reverse engineering but I am interested in the same game.
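To make the pointer notation in the post above concrete, here is an added example (written for this page, not Nazalas's or any bot's code) that walks the chain "bsengine_Shipping.dll"+01FBBFB8+158+54C and then reads XYZ at PB+54/58/5C and speed at PB+2BC. It runs offline against a constructed sparse model of the target's address space. Assumptions, all made up for the example: the Cheat Engine notation is read as PB = [[[module+0x01FBBFB8]+0x158]+0x54C]; the module base is 0x10000000; the intermediate pointers and the float values are invented; and read_u32() stands in for ReadProcessMemory. The part worth noting is that every dereference is checked, so a stale chain after an update fails closed instead of reading garbage.

```c
/* Added example (not from the thread): resolving the multi-level pointer
 * chain posted above against a constructed in-memory model of the target
 * process. Assumption: "module+01FBBFB8+158+54C" means
 * PB = [[[module+0x01FBBFB8]+0x158]+0x54C]. The module base, intermediate
 * pointers and float values are all invented for this example; in a real
 * tool read_u32() would wrap ReadProcessMemory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t addr; uint32_t value; } cell_t;

#define FAKE_MODULE_BASE 0x10000000u   /* constructed base of bsengine_Shipping.dll */
#define MAX_CELLS 16
static cell_t fake_memory[MAX_CELLS];
static int fake_cells = 0;

static uint32_t float_bits(float f) { uint32_t u; memcpy(&u, &f, sizeof u); return u; }
static float bits_float(uint32_t u) { float f; memcpy(&f, &u, sizeof f); return f; }

static void poke(uint32_t addr, uint32_t value) {
    fake_memory[fake_cells].addr = addr;
    fake_memory[fake_cells].value = value;
    fake_cells++;
}

/* Populate the sparse fake address space (all values are constructed). */
static void ensure_fake_memory(void) {
    if (fake_cells) return;
    poke(FAKE_MODULE_BASE + 0x01FBBFB8u, 0x0A000000u); /* static pointer in the dll */
    poke(0x0A000000u + 0x158u, 0x0B000000u);
    poke(0x0B000000u + 0x54Cu, 0x0C000000u);           /* slot holding PB */
    poke(0x0C000000u + 0x54u,  float_bits(100.5f));    /* X */
    poke(0x0C000000u + 0x58u,  float_bits(200.25f));   /* Y */
    poke(0x0C000000u + 0x5Cu,  float_bits(300.0f));    /* Z */
    poke(0x0C000000u + 0x2BCu, float_bits(415.0f));    /* speed */
}

/* Read a 32-bit value; returns 0 if the address is not mapped, the same
 * failure ReadProcessMemory gives once an update has moved the chain. */
static int read_u32(uint32_t addr, uint32_t *out) {
    ensure_fake_memory();
    for (int i = 0; i < fake_cells; i++)
        if (fake_memory[i].addr == addr) { *out = fake_memory[i].value; return 1; }
    return 0;
}

/* Walk a chain: at each step read a pointer and add the next offset.
 * Fails closed on an unreadable or NULL pointer instead of dereferencing it. */
static int resolve_chain(uint32_t base, const uint32_t *offsets, int n, uint32_t *final_addr) {
    uint32_t cur = base;
    for (int i = 0; i < n; i++) {
        uint32_t next;
        if (!read_u32(cur, &next) || next == 0) return 0;
        cur = next + offsets[i];
    }
    *final_addr = cur;
    return 1;
}

/* PB = [[[module+0x01FBBFB8]+0x158]+0x54C] (interpretation assumed). */
static int player_base(uint32_t module_base, uint32_t *pb) {
    static const uint32_t offsets[] = { 0x158u, 0x54Cu };
    uint32_t pb_slot;
    if (!resolve_chain(module_base + 0x01FBBFB8u, offsets, 2, &pb_slot)) return 0;
    return read_u32(pb_slot, pb) && *pb != 0;
}

static int read_float(uint32_t addr, float *out) {
    uint32_t u;
    if (!read_u32(addr, &u)) return 0;
    *out = bits_float(u);
    return 1;
}

/* XYZ at PB+0x54/0x58/0x5C and speed at PB+0x2BC, as posted in the thread. */
static int read_player_state(uint32_t module_base, float xyz[3], float *speed) {
    uint32_t pb;
    if (!player_base(module_base, &pb)) return 0;
    return read_float(pb + 0x54u, &xyz[0]) && read_float(pb + 0x58u, &xyz[1])
        && read_float(pb + 0x5Cu, &xyz[2]) && read_float(pb + 0x2BCu, speed);
}

/* Accessors used by the demo and self-check. */
static uint32_t demo_player_base(void) { uint32_t pb; return player_base(FAKE_MODULE_BASE, &pb) ? pb : 0; }
static float demo_field(int which) {
    float xyz[3], speed;
    if (!read_player_state(FAKE_MODULE_BASE, xyz, &speed)) return -1.0f;
    return which < 3 ? xyz[which] : speed;
}
/* A base that no longer matches the chain (as after an update) must be rejected. */
static int demo_stale_base_rejected(void) {
    float xyz[3], speed;
    return !read_player_state(FAKE_MODULE_BASE + 0x1000u, xyz, &speed);
}

int main(void) {
    printf("PB=0x%08X pos=(%.2f, %.2f, %.2f) speed=%.1f stale-base-rejected=%d\n",
           demo_player_base(), demo_field(0), demo_field(1), demo_field(2),
           demo_field(3), demo_stale_base_rejected());
    return 0;
}
```

In a live tool the only parts that change are the module base (from the module list of the target process) and read_u32() (a ReadProcessMemory wrapper); the chain walk and its null/unmapped checks stay the same, and a failed walk is the signal that the offsets need to be re-found.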
 

JewsusChrist

Newbie
Full Member
Feb 14, 2016
27
403
2
If I remember correctly from my experience with the game, you can get all of the things you listed here with just Cheat Engine, no unpacking involved. I remember just finding the XYZ and modifying it to teleport yourself client-side to specific places, but the position is still server-side. Back in 2010, the game was heavily botted with teleportation, client-side to a blacksmith that repairs the weapon and then back to their botting place in the game. There isn't really anything else you can do; for instance if you think you can do stat changes, don't bother.... Although you CAN modify the movement speed, but that only works in PVE, whereas in PVP it's quite useless and buggy.
 

farmith

Newbie
Full Member
Mar 17, 2016
11
64
0
(quoting JewsusChrist's reply above)
Hey and thanks for the response,

I'm not really interested in teleport-hacking or speedhacking in this game, I'm actually more inclined to automation :)
 

farmith

Newbie
Full Member
Mar 17, 2016
11
64
0
(quoting mambda's reply above)
Seems like my last reply vanished into thin air, but no matter, I'll just type it again!

A) Yes, I tried dumping it from memory, but no matter which route I take to this, whatever I dump is never "runnable" and I seem to lack the specific skill set for now to make it run again
B) Yes, I've run all the Themida unpackers I've found (1.0, 1.1, 1.2, 1.3 and 1.4) on a dedicated Windows XP 32-bit machine (not even a VM but a real installed computer)
C) I have done A LOT of dynamic analysis of the game with both CE and Olly, however I get stuck on the fact that some stuff seems to jump around a lot in memory upon restart/reboot, making life a living hell

And yeah, the 2 last bullets would be pretty simple (in comparison) once I get a knack for the 1st one, I believe, but time will tell!

Again thank you for the response, I appreciate you taking the time to read and reply :)
 

farmith

Newbie
Full Member
Mar 17, 2016
11
64
0
(quoting Nazalas's reply above)
Interesting, automation is indeed what I'm curious about too. I've had quite a few offsets that have worked for a while, but they are updating faster than I'm learning reversing, so I never get good AOBs before they update, or well, at least not ones that work.

If you're curious about cooperating on this matter, let me know too; I would gladly have someone to bump heads with, as so far I've been doing this whole lone-ranger type thing for a couple of months and not really gotten anywhere worthwhile. As the famous Thomas Edison would have put it had he been in my shoes: "I have successfully found 1000 ways how NOT to make a bot for Blade & Soul"
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,298
37,938
269
(quoting farmith's reply above)
Dumps normally aren't meant to be run; they're simply for static reversal, not dynamic. You'd have to completely unpack it, remove any VM components if applicable and then fix the dump, usually not worth it. I could take a look at the game sometime if you want, maybe, if I'm up to it

( final result may vary as I may not follow up :kappa: )
 

farmith

Newbie
Full Member
Mar 17, 2016
11
64
0
(quoting mambda's reply above)
I would very much appreciate you taking a look at it indeed :) any and all info would be a great help
 

RynerLute

Newbie
Apr 1, 2016
3
34
0
(quoting farmith's reply above)
Yeah, I was able to unpack Themida successfully but didn't go and fix it so it is runnable. I also posted a little tutorial on another website for dealing with VMProtect, which the best BnS bot is using to protect itself. But yeah, the only reason I can think of that unpacking and fixing the .exe to run would be of use is if you were going to modify it, but I don't think that is what you want to do.. So as long as you can look in IDA/OllyDbg you should be able to find all the information you want.. disable GameGuard and use Cheat Engine for finding addresses and search in OllyDbg. Do some structure analysis and code a bot based off your research.

Personally I reverse engineer and export others' bots for fun and crack them per request on other forums, but I am starting to want to get into the business of making bots and selling them for some money. I've got a lot of good ideas for it and I am getting to work on it right now. Anyway, most groups that make bots always have at least 4-5 reverse engineers working on it so they can get things done; one person can only do so much, so if you are serious about this I would suggest getting a team together, and if you are going to sell, make sure you have someone who knows how to market products, SEO, customer support, forum management etc. etc. etc.
 