Tuesday, May 21, 2013

Client side exploits, Neverwinter, and you.

Courtesy of Blabbermouth and MMOwned. This script was created by Dragonef22.

Unlimited teleport, slide, and roll (CW, DC, and TR).

Compile the following code using Bloodshed C++ (or your C++ compiler of choice).


#include <Windows.h>
#include <iostream>
#include <tlhelp32.h>
#include <tchar.h>
#include <cstring>

using namespace std;

DWORD modulebase=0;
HANDLE hopen=0;

HANDLE prozessauf();
DWORD GetModuleBase(LPSTR lpModuleName);
DWORD getadr(DWORD address, HANDLE hopen);
void setadr(DWORD address, int value, HANDLE hopen);

int main()
{
    SetConsoleTitle("Neverwinter - Mageteleporthack - by Dragonef22");
    cout<<"Updated for 21.05.2013"<<endl;

    while(true)
    {
        hopen=prozessauf();
        modulebase=GetModuleBase("GameClient.exe");
        DWORD adress=0;
        DWORD teleportadress=0;

        // Follow the pointer chain from the module base to the player structure
        adress=adress+modulebase+0x024F50B0;     // GameClient.exe+startoffset
        adress=getadr(adress,hopen);
        adress=adress+0x244;                     // Offset Nr. 0
        adress=getadr(adress,hopen);
        adress=adress+0x6f8;                     // Offset Nr. 1
        adress=getadr(adress,hopen);
        adress=adress+0x18;                      // Offset Nr. 2
        adress=getadr(adress,hopen);
        adress=adress+0x9c;                      // Offset Nr. 3
        adress=getadr(adress,hopen);

        teleportadress=adress+0x244;             // Teleportresource

        // Full Teleportresource = 1120403456 - set it.
        // 1120403456 == 0x42C80000, the IEEE-754 bit pattern of 100.0f (a full bar).
        setadr(teleportadress,1120403456,hopen);

        if(hopen) CloseHandle(hopen);            // don't leak one handle per iteration
        Sleep(1);
    }
}

// Open the game process by its window title
HANDLE prozessauf()
{
    HWND hwar3=::FindWindow(NULL,"Neverwinter");
    DWORD PID, TID;
    TID = ::GetWindowThreadProcessId (hwar3, &PID);
    HANDLE hopen=OpenProcess( PROCESS_ALL_ACCESS|PROCESS_TERMINATE |PROCESS_VM_READ|
                  PROCESS_VM_WRITE,FALSE,PID);
    return hopen;
}

// Walk the module list of the game process and return the base address of lpModuleName
DWORD GetModuleBase(LPSTR lpModuleName)
{
    DWORD dwProcessId,TID;
    HWND hwar3=::FindWindow(NULL,"Neverwinter");
    TID = ::GetWindowThreadProcessId (hwar3, &dwProcessId);

    MODULEENTRY32 lpModuleEntry = {0};
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);

    if(hSnapShot == INVALID_HANDLE_VALUE)
        return 0;
    lpModuleEntry.dwSize = sizeof(lpModuleEntry);
    BOOL bModule = Module32First( hSnapShot, &lpModuleEntry );
    while(bModule)
    {
        if(!strcmp( lpModuleEntry.szModule, lpModuleName ) )
        {
            CloseHandle(hSnapShot);
            return (DWORD)lpModuleEntry.modBaseAddr;
        }
        bModule = Module32Next( hSnapShot, &lpModuleEntry );
    }
    CloseHandle( hSnapShot );
    return 0;
}

// Read the 32-bit value stored at an address in the target process
DWORD getadr(DWORD address, HANDLE hopen)
{
    int value =0;
    ReadProcessMemory(hopen,(LPCVOID)address,&value,sizeof(value),0);
    return value;
}

// Write a 32-bit value to an address in the target process
void setadr(DWORD address, int value, HANDLE hopen)
{
    WriteProcessMemory(hopen, (LPVOID)address, &value, sizeof(value), NULL);
}


If you don't want to compile it yourself (compiling it is how you make sure it is virus free), download it here or here.

Basically as long as it's running, you have unlimited teleporting as a CW, slides as a DC, and rolls as a TR.

The video that was sent to me as proof is no longer up, so I won't link to it. I am also too lazy to make and upload one myself.
Solid Snake sent me another video of this "exploit" in action. Fast forward to the 50 second mark and watch from there.

Have a Guardian Fighter? Don't fret. Use the 64-bit version of Cheat Engine (the 32-bit version can be detected, since Neverwinter is a 32-bit application and can scan for other 32-bit apps), and search for your guard value.
Set it to 100 (more if you want, but that is detectable) and enjoy unlimited blocking from the front. You are now literally immortal as long as you block.

Have fun, enjoy, and thank Cryptic for making the same rookie mistake that Trion did with Defiance.

Never, EVER trust the client. That is programming 101, which Cryptic and Trion apparently failed.
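What "not trusting the client" looks like on the server side, as an added example that is not part of the original post or of either game: the server owns the resource bar, regenerates it from its own clock, and decides every ability use itself, so writing 100.0f into client memory (as the tool above does) changes only what the cheater sees. The max, regeneration rate, cost and tolerance are constructed tuning values; the client-reported value is kept only to count mismatches for anti-cheat telemetry.

```cpp
#include <algorithm>
#include <cstdint>
// Server-side, authoritative pool for a per-character resource such as the
// CW teleport charge. The client keeps a display copy, but the server never
// reads that copy back: the only thing a client may send is "use it now".
class ServerResourcePool {
public:
    ServerResourcePool(float max, float regen_per_sec, uint64_t now_ms)
        : max_(max), regen_per_sec_(regen_per_sec), current_(max),
          last_update_ms_(now_ms) {}

    // Regenerate from server time only; a client cannot speed this up.
    void Tick(uint64_t now_ms) {
        if (now_ms <= last_update_ms_) return;   // tolerate clock stalls
        float elapsed_s = (now_ms - last_update_ms_) / 1000.0f;
        current_ = std::min(max_, current_ + regen_per_sec_ * elapsed_s);
        last_update_ms_ = now_ms;
    }

    // Grant or deny one ability use. `client_reported` is what the client
    // claims its bar holds; it only feeds a mismatch counter for anti-cheat
    // telemetry and never influences the decision.
    bool TryUse(uint64_t now_ms, float cost, float client_reported) {
        Tick(now_ms);
        if (client_reported > current_ + kTolerance) ++mismatches_;
        if (current_ < cost) return false;       // server says no
        current_ -= cost;
        return true;
    }

    float Current() const { return current_; }
    int Mismatches() const { return mismatches_; }
private:
    static constexpr float kTolerance = 1.0f;    // latency / rounding slack
    float max_, regen_per_sec_, current_;
    uint64_t last_update_ms_;
    int mismatches_ = 0;
};

struct SpamResult { int granted; int mismatches; };
// Simulate a client that, like the tool above, always reports a full bar
// (100.0f) while requesting the ability every millisecond for duration_ms.
SpamResult SimulateSpam(uint64_t duration_ms) {
    ServerResourcePool pool(100.0f, 10.0f, 0);   // max 100, regen 10/s
    SpamResult r{0, 0};
    for (uint64_t t = 1; t <= duration_ms; ++t)
        if (pool.TryUse(t, 50.0f, 100.0f)) ++r.granted;
    r.mismatches = pool.Mismatches();
    return r;
}
```

Over ten seconds of spamming, the simulated cheater gets the two uses a full bar pays for plus roughly one more from regeneration, while almost every request is logged as a client/server mismatch.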

Have any more bugs or exploits to share? Please e-mail them to this address: mmogfails@gmail.com

6 comments:

  1. Just like the reddit assholes downvoting so no one else finds out, stop saying this is fake.

    Works 100%. Just check MMOwned. It has been confirmed.

  2. How come it doesn't work for me then.... I even tried compiling it using the code listed above let it sit for 10 minutes and still didn't work....

    Replies
    1. Try harder?

      Video proof is right there too.

      Now I finally understand how a TR can escape from my CW by rolling away like 8 times.

  3. It just doesn't work for me on Windows 8; that could be the problem. Not too worried about it though, it's just infinite rolling. On the other hand, if someone was to find the stealth value, now that would be annoying.

    Replies
    1. Don't know what to tell you. It works for 7. Can you try Cheat Engine with 8 and see if that works?
