1. SRL Junior Member
Originally Posted by Krazy_Meerkat
I hope you didn't spend too much, the ones I saw were like $70-$100.. I was talking about the cheaper boards like the Arduino UNO which I'm seeing for $6-$15 or something like that.. I wanted to learn about Arduinos because they looked a bit more fun than PCBs but there's always a shortage of time for all these little projects..
Together with shipping it was 57 USD. I don't think the Uno works. From their website:
These core libraries allow a 32u4 based boards or Due and Zero board to appear as a native Mouse and/or Keyboard to a connected computer.
The cheapest ones were around 20 dollars, but after reading up on it, I wasn't ready to risk it on a Leonardo or Micro mouse. I have some doubts that the mouse events are truly native events. I expect to get it tomorrow, so we will see.

Also I am not too familiar with C++ code, so how would I implement Jaclib's DLL to test whether or not the mouse events are indeed native?

2. SRL Junior Member
Originally Posted by weequ

Buy an Arduino and program it to take commands from Simba and send mouse events back to the operating system.
Just got the arduino today, made a super simple script.

https://gyazo.com/4e8e0cc0b4f161feb1f0f68914d567fd

3. SRL Junior Member
Originally Posted by Grunt
Just got the arduino today, made a super simple script.

https://gyazo.com/4e8e0cc0b4f161feb1f0f68914d567fd
What exactly does that do? Are you not still "faking" a mouse event?

4. SRL Junior Member
Originally Posted by Zef Style
What exactly does that do? Are you not still "faking" a mouse event?
The code is uploaded into the microcontroller; the microcontroller itself communicates with the PC via serial USB.
[Attachment: arduino-zero_atmel-sam-d21_hand.jpg]
Have not tested whether or not it will set off a flag.

5. You should try to port some of Simba's mouse functions to it. Only if you believe they are necessary, though.

6. Originally Posted by Joopi
You should try to port some of Simba's mouse functions to it. Only if you believe they are necessary, though.
I would personally avoid that. Arduinos are rather weak, not meant for any real processing (though this isn't too bad). You might wanna have the methods on the PC end, and just feed the Arduino coordinates. Not saying it would not work, just that having processing on the PC is likely better, makes it simpler, and avoids slow mouse movements (as a result of slow processing). Also keep in mind that the Arduinos (depending on which, though) also have other limitations like very limited SRAM and storage.
Their ARM boards don't seem as limited. But they are all "microcontrollers" after all.

The Arduino should also be able to function as a keyboard, not sure if there are any programs (code) available for this though, and it might be harder to have it function as a mouse and keyboard at once, but should be doable. So you'd have to do some programming yourself.
Last edited by slacky; 02-20-2016 at 01:07 PM.

7. SRL Junior Member
Originally Posted by Joopi
You should try to port some of Simba's mouse functions to it. Only if you believe they are necessary, though.
Working on a Python plugin that will allow Simba to send commands to control the mouse via Arduino.

Originally Posted by slacky
I would personally avoid that. Arduinos are rather weak, not meant for any real processing (though this isn't too bad). You might wanna have the methods on the PC end, and just feed the Arduino coordinates. Not saying it would not work, just that having processing on the PC is likely better, makes it simpler, and avoids slow mouse movements (as a result of slow processing). Also keep in mind that the Arduinos (depending on which, though) also have other limitations like very limited SRAM and storage.
Their ARM boards don't seem as limited. But they are all "microcontrollers" after all.

The Arduino should also be able to function as a keyboard, not sure if there are any programs (code) available for this though, and it might be harder to have it function as a mouse and keyboard at once, but should be doable. So you'd have to do some programming yourself.
Yes absolutely, you sound quite knowledgeable about the Arduino hardware. Do you have any experience with the Zero or Due?

8. SRL Junior Member
Originally Posted by Grunt
Working on a Python plugin that will allow Simba to send commands to control the mouse via Arduino.

Yes absolutely, you sound quite knowledgeable about the Arduino hardware. Do you have any experience with the Zero or Due?

Awesome, I already had an Arduino. I got it as a gift at some testing software program, so I'm not sure how good it is.
And the best thing is that I'm familiar with C++ too.

9. Would anyone mind explaining how they're testing this? I'd like to do some testing to see what exactly will flag it and what won't.

10. Originally Posted by Twinki
Would anyone mind explaining how they grab the values from the jacLib dll? I'd like to do some testing to see what exactly will flag it and what won't.
what do you mean grab values?

11. Originally Posted by Kasi
what do you mean grab values?
Grab the return value* of the function that hooks the mouse.

12. Originally Posted by Twinki
Grab the return value* of the function that hooks the mouse.
Uh, you have to write a wrapper for jaclib. I don't know if anyone has actually attempted / written a wrapper for it. It has no API, which makes it somewhat difficult. You'd need to literally work from figuring out as much as you can from jaclib. For your case though, just hooking one function shouldn't be the hardest.
@Brandon;

13. Originally Posted by Kasi
Uh, you have to write a wrapper for jaclib. I don't know if anyone has actually attempted / written a wrapper for it. It has no API, which makes it somewhat difficult. You'd need to literally work from figuring out as much as you can from jaclib. For your case though, just hooking one function shouldn't be the hardest.
@Brandon;

Apparently it's super easy

Originally Posted by the bank
If anyone would like to check for themselves it's very easy. The flag is arg3 (or the last argument) and it is not obfuscated (other than the corresponding class, but that extends a jaclib class which is not obfuscated) so it is super easy to hook.

I just have no idea how to go about doing so, I know nothing about C++ / Assembly.
@the bank;

14. @Twinki;

Completely subjective. Learn basic C/C++ and I'm sure there'll be a reply when you're done, either from Brandon or the bank as they probably know more about this than I do. I personally haven't looked at jaclib enough to actually say how easy it'll be. Really just scratched the surface. (Decompiled it using some tool once.) From what I know, jaclib mainly just acts as a system scanner if you will. It hooks the mouse, keyboard, checks loaded processes. Doesn't even allow Runescape to be run if it's missing. Doesn't allow Runescape to be run if certain plugins are loaded etc.

15. Originally Posted by Twinki
I just have no idea how to go about doing so, I know nothing about C++ / Assembly.

Don't bother. Without even the basic knowledge of either language, you won't get far at all.

However, I'll explain how it works. First you should read.. My small tutorial on BitMasking in Simba: https://villavu.com/forum/showthread...51#post1328551

Play around with bits and get an understanding of how things work.

Otherwise if you already know how bits and bytes and stuff work then continue on..

The SetWindowsHookEx is the key function here: https://msdn.microsoft.com/en-ca/lib...(v=vs.85).aspx

It has a parameter that can be set to WH_KEYBOARD_LL or WH_MOUSE_LL. Both are "Low-Level Hooks". This means they can monitor hardware inputs for the current window and/or application (you choose).

When the hook gets an input from one of your hardware devices, it calls your "callback function". This is a listener function that you gave to the hook to call when some event happens.

This function has the signature (LowLevelKeyboardProc): https://msdn.microsoft.com/en-ca/lib...(v=vs.85).aspx and (LowLevelMouseProc): https://msdn.microsoft.com/en-ca/lib...(v=vs.85).aspx

Both signatures are the same.

The Keyboard Callback has a structure passed to it: https://msdn.microsoft.com/en-ca/lib...(v=vs.85).aspx and the mouse one has the structure: https://msdn.microsoft.com/en-ca/lib...(v=vs.85).aspx

Within that keyboard structure that is given to your callback by the system, there exists a field called: "Flag".

LLKHF_EXTENDED -- Test the extended-key flag.
LLKHF_LOWER_IL_INJECTED -- Test the event-injected (from a process running at lower integrity level) flag.
LLKHF_INJECTED -- Test the event-injected (from any process) flag.
LLKHF_ALTDOWN -- Test the context code.
LLKHF_UP -- Test the transition-state flag.

All of this information is stored in that one flag/unsigned integer. This means that a single integer can contain up to 32 bits. A single character on your keyboard is 8 bits. You can literally use an integer to store 32 boolean values if you felt like it.

For the mouse hook, it has the same thing:

LLMHF_INJECTED -- Test the event-injected (from any process) flag.
LLMHF_LOWER_IL_INJECTED -- Test the event-injected (from a process running at lower integrity level) flag.

To test whether or not a flag is set, you have to test the BITS in the flag. If it's a 1, it is set. If it is a 0, it is not set.

So I can test whether or not this flag is set and do whatever I want (Using the bitwise AND operation):

C Code:
if ((flag & LLKHF_LOWER_IL_INJECTED) || (flag & LLKHF_INJECTED))
{
    //Keyboard is not hardware input. Some application is sending the input to us.
}

To remove a flag, you first have to NOT it and then AND it.

You can combine bitwise operators and assignment operators to do this..

C Code:
flag &= ~LLKHF_LOWER_IL_INJECTED;  //If flag is set, remove it.
flag &= ~LLKHF_INJECTED; //If flag is set, remove it.

//Which is the same as:

flag = flag & ~LLKHF_LOWER_IL_INJECTED;
flag = flag & ~LLKHF_INJECTED;

//Which is the same as:

flag = flag & (~LLKHF_LOWER_IL_INJECTED);
flag = flag & (~LLKHF_INJECTED);

//Which is the same as (in words, not C syntax):

flag = flag AND (NOT LLKHF_LOWER_IL_INJECTED)
flag = flag AND (NOT LLKHF_INJECTED)

And voila.. flag removed.

Now when you hook something, you usually hook it with a "trampoline". This means that when your hook gets called (your callback), you need to call the ORIGINAL callback otherwise the application may or may not function correctly.

So:

C Code:
LRESULT CALLBACK MyKeyboardHook(int nCode, WPARAM wParam, LPARAM lParam)
{
    KBDLLHOOKSTRUCT* keyboardHookPointer = (KBDLLHOOKSTRUCT *)lParam; //Cast.

    //The field is named "flags" in KBDLLHOOKSTRUCT.
    if ((keyboardHookPointer->flags & LLKHF_LOWER_IL_INJECTED) || (keyboardHookPointer->flags & LLKHF_INJECTED))
    {
        MessageBox(NULL, "FAKE INPUT DETECTED", "Cheater", 0);
    }

    keyboardHookPointer->flags &= ~LLKHF_LOWER_IL_INJECTED; //Remove flag.
    keyboardHookPointer->flags &= ~LLKHF_INJECTED; //Remove flag.

    //JagexKeyboardHook stands for the pointer to the original callback saved when the hook was installed.
    return JagexKeyboardHook(nCode, wParam, lParam); //Give Jagex the modified parameters.
}

Linux has the same thing via Input.
Last edited by Brandon; 03-05-2016 at 01:04 AM.
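
An added example, written for this thread and not code from any post above: the keyboard and mouse "injected" test from Brandon's explanation, done in portable C without <windows.h> so the bit arithmetic can be compiled and run anywhere. The LLKHF_* / LLMHF_* values are the documented winuser.h constants; the struct ll_event type, the function names and the sample events are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Documented bit values of KBDLLHOOKSTRUCT.flags, redefined so this builds without <windows.h>. */
#define LLKHF_EXTENDED          0x00000001u
#define LLKHF_LOWER_IL_INJECTED 0x00000002u
#define LLKHF_INJECTED          0x00000010u
#define LLKHF_ALTDOWN           0x00000020u
#define LLKHF_UP                0x00000080u

/* Documented bit values of MSLLHOOKSTRUCT.flags. */
#define LLMHF_INJECTED          0x00000001u
#define LLMHF_LOWER_IL_INJECTED 0x00000002u

enum ll_source { SRC_KEYBOARD, SRC_MOUSE };

/* Constructed stand-in for the two hook structures; only the field the check needs is modelled. */
struct ll_event {
    enum ll_source src;
    uint32_t       flags;
};

/* Both "injected" bits for the given device: keyboard and mouse use different values. */
static uint32_t injected_mask(enum ll_source src)
{
    return src == SRC_KEYBOARD ? (LLKHF_INJECTED | LLKHF_LOWER_IL_INJECTED)
                               : (LLMHF_INJECTED | LLMHF_LOWER_IL_INJECTED);
}

/* 1 if the event was injected by software, 0 if it came through the hardware input path.
 * Same test as `(flag & LLKHF_LOWER_IL_INJECTED) || (flag & LLKHF_INJECTED)` in the post. */
int is_injected(const struct ll_event *ev)
{
    return (ev->flags & injected_mask(ev->src)) != 0;
}

/* flags with the injected bits cleared (`flag &= ~LLKHF_INJECTED` for both bits at once).
 * Shows exactly which bits a hook that runs earlier in the chain can erase before the next
 * hook, and any detector behind it, sees the structure. */
uint32_t strip_injected(enum ll_source src, uint32_t flags)
{
    return flags & ~injected_mask(src);
}

/* Names of the set keyboard flags, "|"-separated (e.g. "INJECTED|UP"). Static buffer:
 * the result is valid only until the next call. */
const char *describe_keyboard_flags(uint32_t flags)
{
    static const struct { uint32_t bit; const char *name; } names[] = {
        { LLKHF_EXTENDED,          "EXTENDED" },
        { LLKHF_LOWER_IL_INJECTED, "LOWER_IL_INJECTED" },
        { LLKHF_INJECTED,          "INJECTED" },
        { LLKHF_ALTDOWN,           "ALTDOWN" },
        { LLKHF_UP,                "UP" },
    };
    static char buf[96];
    size_t i;
    buf[0] = '\0';
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (flags & names[i].bit) {
            if (buf[0] != '\0')
                strcat(buf, "|");
            strcat(buf, names[i].name);
        }
    }
    return buf[0] ? buf : "(none)";
}

/* Number of events in a batch carrying an injected bit: what a session-level detector would
 * report instead of raising a message box per event. */
int count_injected(const struct ll_event *evs, size_t n)
{
    int c = 0;
    size_t i;
    for (i = 0; i < n; i++)
        c += is_injected(&evs[i]);
    return c;
}

int main(void)
{
    /* Constructed sample events, not captured hook data. */
    const struct ll_event evs[] = {
        { SRC_KEYBOARD, LLKHF_UP },                                 /* hardware key release   */
        { SRC_KEYBOARD, LLKHF_INJECTED },                           /* SendInput-style key    */
        { SRC_KEYBOARD, LLKHF_INJECTED | LLKHF_LOWER_IL_INJECTED }, /* injected from lower IL */
        { SRC_MOUSE,    0 },                                        /* hardware mouse move    */
        { SRC_MOUSE,    LLMHF_INJECTED },                           /* injected mouse move    */
    };
    size_t n = sizeof evs / sizeof evs[0], i;

    for (i = 0; i < n; i++)
        printf("%-8s flags=0x%02x %-22s -> %s\n",
               evs[i].src == SRC_KEYBOARD ? "keyboard" : "mouse", evs[i].flags,
               evs[i].src == SRC_KEYBOARD ? describe_keyboard_flags(evs[i].flags) : "",
               is_injected(&evs[i]) ? "injected" : "hardware");
    printf("%d of %zu events injected\n", count_injected(evs, n), n);

    /* The injected key after a flag-stripping hook has run: it now reads as hardware. */
    struct ll_event stripped = { SRC_KEYBOARD, strip_injected(SRC_KEYBOARD, evs[2].flags) };
    printf("after strip: flags=0x%02x -> %s\n", stripped.flags,
           is_injected(&stripped) ? "injected" : "hardware");
    return 0;
}
```

Two points a detector should take from it: the check has to cover both bits, because an injector at lower integrity level sets LOWER_IL_INJECTED in addition to INJECTED; and strip_injected shows how little it takes for a hook installed ahead of the detector in the hook chain to clear them, which is what the flag-removal code in the rest of the thread does, so a clear flag is evidence of hardware input only if the detector knows nothing ran before it.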

16. Originally Posted by Brandon
*snip*
I always wanted to ask you.. but are you a wizard?

17. Originally Posted by Brandon
....

Been messing with it on and off recently, right now i'm only trying to process Mouse info to see if it's flagged as fake or hardware.

Code:
#include <Windows.h>
#include <iostream>

using namespace std;

HHOOK _hook;
DWORD flag;
MSLLHOOKSTRUCT mouseStr;

LRESULT CALLBACK mouseCll(int nCode, WPARAM wParam, LPARAM lParam)
{
    if (nCode >= 0)
    {
        mouseStr = *((MSLLHOOKSTRUCT*)lParam);
        flag = mouseStr.flags;

        if ((flag & LLMHF_INJECTED) || (flag & LLMHF_LOWER_IL_INJECTED))
        {
            cout << "Fake \n";
        }
        else {
            cout << "Hardware \n";
        }
    }

    return CallNextHookEx(_hook, nCode, wParam, lParam);
}

void hook()
{
    if (!(_hook = SetWindowsHookEx(WH_MOUSE_LL, mouseCll, NULL, 0)))
    {
        MessageBox(NULL, "Failed to install hook!", "Error", MB_ICONERROR);
    }
}

void ReleaseHook()
{
    UnhookWindowsHookEx(_hook);
}

void main()
{
    hook();

    MSG msg;
    while (GetMessage(&msg, NULL, 0, 0))
    {
    }
}
This is what I've come up with, it returns Hardware if I move my mouse within the IDE (I'm using Visual Studio). When I tried a basic script with a loop of PickupMouse, it returned nothing.
I'd assume it's because I have the SetWindowsHook Instance and ThreadID as null and 0, which I think should be capturing input across the system. I tried getting the ThreadID of a Simba instance but it could never hook properly.

18. Originally Posted by Twinki
...
Your message pump is bad.. Especially for a console application (Console applications don't have message pumps so they won't receive messages like hooks unless you create an actual window OR use a message only window.. aka a window with a handle of -1).

Next, it is good practice to NOT block your application by starting the message pump in a separate thread. You must specify an hInstance if you do this hook in a DLL (the DLL's hInstance).. Otherwise for console applications, specify NULL and it will use the current application's hInstance OR you can also do GetModuleHandle(NULL) to get an hInstance. Either one is fine.

If it's just for testing, you don't need a separate thread, but again, for good practice, I added it anyway.

Also, C and C++ applications do NOT return VOID for "main"..

Console application:

C++ Code:
#include <windows.h>
#include <iostream>

#if __cplusplus >= 201103L
#include <chrono>
#include <thread>
#endif // __cplusplus

#ifndef LLKHF_INJECTED
#define LLKHF_INJECTED 0x00000010
#endif // LLKHF_INJECTED

#ifndef LLKHF_LOWER_IL_INJECTED
#define LLKHF_LOWER_IL_INJECTED 0x00000002
#endif // LLKHF_LOWER_IL_INJECTED

#ifndef LLMHF_INJECTED
#define LLMHF_INJECTED 0x00000001
#endif // LLMHF_INJECTED

#ifndef LLMHF_LOWER_IL_INJECTED
#define LLMHF_LOWER_IL_INJECTED 0x00000002
#endif // LLMHF_LOWER_IL_INJECTED

volatile bool TerminatedHook = false; //Written by the hook thread, read by main().
HHOOK MouseHook = {0};
HHOOK KeyboardHook = {0};

LRESULT __stdcall MouseHookProc(int Code, WPARAM wParam, LPARAM lParam)
{
    if (Code == HC_ACTION)
    {
        MSLLHOOKSTRUCT* Info = reinterpret_cast<MSLLHOOKSTRUCT*>(lParam);
        if ((Info->flags & LLMHF_INJECTED) == LLMHF_INJECTED)
        {
            MessageBox(NULL, "DETECTED Mouse", "", 0);
        }
        else if ((Info->flags & LLMHF_LOWER_IL_INJECTED) == LLMHF_LOWER_IL_INJECTED)
        {
            MessageBox(NULL, "DETECTED Mouse", "", 0);
        }
        else
        {
            std::cout<<"Mouse Moved\n";
        }
    }
    return CallNextHookEx(MouseHook, Code, wParam, lParam); //Always pass the event down the chain.
}

LRESULT __stdcall KeyboardHookProc(int Code, WPARAM wParam, LPARAM lParam)
{
    if (Code == HC_ACTION)
    {
        KBDLLHOOKSTRUCT* Info = reinterpret_cast<KBDLLHOOKSTRUCT*>(lParam);
        if ((Info->flags & LLKHF_INJECTED) == LLKHF_INJECTED)
        {
            MessageBox(NULL, "DETECTED Keyboard", "", 0);
        }
        else if ((Info->flags & LLKHF_LOWER_IL_INJECTED) == LLKHF_LOWER_IL_INJECTED)
        {
            MessageBox(NULL, "DETECTED Keyboard", "", 0);
        }
        else
        {
            std::cout<<"Keyboard Pressed\n";
        }
    }
    return CallNextHookEx(KeyboardHook, Code, wParam, lParam); //Always pass the event down the chain.
}

//Installs both hooks and runs the message pump on its own thread so main() is not blocked.
//The header of this function was lost from the archived post; the name HookThread and the
//LPVOID parameter are reconstructed from the body (param is cast to an HINSTANCE, returns 0).
DWORD __stdcall HookThread(LPVOID param)
{
    HINSTANCE hInstance = reinterpret_cast<HINSTANCE>(param);
    MouseHook = SetWindowsHookEx(WH_MOUSE_LL, MouseHookProc, hInstance, 0);
    KeyboardHook = SetWindowsHookEx(WH_KEYBOARD_LL, KeyboardHookProc, hInstance, 0);

    MSG msg = {0};
    while(GetMessage(&msg, reinterpret_cast<HWND>(-1), 0, 0) > 0) //Thread (message-only) queue.
    {
        TranslateMessage(&msg);
        DispatchMessage(&msg);

        if (GetAsyncKeyState(VK_ESCAPE))
        {
            break;
        }
    }

    UnhookWindowsHookEx(KeyboardHook);
    UnhookWindowsHookEx(MouseHook);
    TerminatedHook = true;

    return 0;
}

int main()
{
#if __cplusplus >= 201103L
    HINSTANCE hInstance = nullptr;
    std::thread([hInstance]() { HookThread(hInstance); }).detach(); //Thread creation reconstructed.
#else
    HINSTANCE hInstance = NULL;
    CreateThread(NULL, 0, HookThread, hInstance, 0, NULL); //Thread creation reconstructed.
#endif // __cplusplus

    while(!TerminatedHook)
    {
#if __cplusplus >= 201103L
        std::this_thread::sleep_for(std::chrono::seconds(1)); //Matches the <chrono> include above.
#else
        Sleep(1000);
#endif // __cplusplus
    }

    return 0;
}

Simba script:

Simba Code:
var
  I: Integer;
begin
  ActivateClient();

  while(true) do
  begin
    MoveMouse(100, 200);
    KeyDown(13);
    KeyUp(13);

    Sleep(1000);
    Inc(I);

    if (I > 5) then
      break;
  end;

end.
Last edited by Brandon; 03-11-2016 at 03:04 AM.

19. Registered User
Does anybody have a compiled version to share?
Regards

20. Registered User
Originally Posted by Brandon
I wrote an anti-jaclib hook before. I don't remember if I shared it or not but I remember writing it.. There was lots of features but the one you seem to be interested in is the MouseHook and KeyboardHook flag removal.. Below should be enough to get you started on writing your own.

How it works? We get the game to load our code/plugin/dll (use whatever method you want). Then in DLLMain we HIDE ourselves from detection so if the game tries to detect that our module is loaded/injected, it won't. Then we hook the SetWindowsHookEx function. If the game tries to hook the mouse, return our custom hooks instead and keep a pointer to the original function (Trampoline).

In our trampoline function, we remove the Injection Flags and call the original hook function (don't break the chain). Voila. We are undetected and our mouse and keyboard is undetected. All without the need of a driver.

C++ Code:
#include <windows.h>
#include <winternl.h>
#include <TlHelp32.h>
#include <chrono>

typedef struct _LDR_MODULE
{
LIST_ENTRY              InMemoryOrderModuleList;
LIST_ENTRY              InInitializationOrderModuleList;
PVOID                   EntryPoint;
ULONG                   SizeOfImage;
UNICODE_STRING          FullDllName;
UNICODE_STRING          BaseDllName;
ULONG                   Flags;
SHORT                   TlsIndex;
LIST_ENTRY              HashTableEntry;
ULONG                   TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;

typedef struct _ProcessModuleInfo
{
std::uint32_t Size;
std::uint32_t Initialized;
HANDLE SsHandle;
LIST_ENTRY InitOrder;
LIST_ENTRY MemoryOrder;
} ProcessModuleInfo, *pProcessModuleInfo;

void* DetourFunction(BYTE *src, const BYTE *dst, const int len);
typedef HHOOK (__stdcall *SetWindowsHookEx_t)(int idHook, HOOKPROC lpfn, HINSTANCE hMod, DWORD dwThreadId);
SetWindowsHookEx_t o_SetWindowsHookEx;
HOOKPROC oMouseHookedProc = NULL;

LDR_MODULE* GetModuleIterator()  //I use assembly here but you can remove it and use GetPEB() from WinAPI.
{
#ifndef _USE_GET_PEB_
void* result = NULL;

#ifdef INTEL_SYNTAX     /**-masm=intel**/
asm (".intel_syntax noprefix\n");
#else
asm (".att_syntax noprefix\n");
#endif // INTEL_SYNTAX

#ifndef INTEL_SYNTAX
asm volatile
(
"movl %%FS:0x18,   %%eax\n"
"movl 0x30(%%eax), %%eax\n"
"movl 0x0C(%%eax), %0\n"
: "=r" (result) :: "eax"
);
#else
asm volatile
(
"mov eax, DWORD PTR [FS:0x18]\n\t"
"mov eax, DWORD PTR [eax + 0x30]\n\t"
"mov %0,  DWORD PTR [eax + 0x0C]\n"
: "=r" (result) :: "eax"
);
#endif // INTEL_SYNTAX

#else
#endif
}

{
{
};

}

{
{
};

}

void HideSelf(HMODULE self, LDR_MODULE** old)
{
LDR_MODULE* module = GetModuleIterator();

{
{
*old = module;
}

}
}

LRESULT __stdcall mHookedProc(int Code, WPARAM wParam, LPARAM lParam)
{
if (Code == HC_ACTION)
{
MSLLHOOKSTRUCT* Info = reinterpret_cast<MSLLHOOKSTRUCT*>(lParam);
Info->flags &= ~LLMHF_INJECTED; //remove the injected flag.
Info->flags &= ~LLMHF_LOWER_IL_INJECTED; //remove the injected flag.
}
return oMouseHookedProc(Code, wParam, lParam);
}

HHOOK __stdcall HOOKED_SetWindowsHookEx(int idHook, HOOKPROC lpfn, HINSTANCE hMod, DWORD dwThreadId)
{
if (idHook == WH_MOUSE_LL)
{
oMouseHookedProc = (HOOKPROC)DetourFunction((unsigned char*)lpfn, (unsigned char*)&mHookedProc, 6);
}

}

void* DetourFunction (BYTE *src, const BYTE *dst, const int len)
{
BYTE *jmp = (BYTE*)malloc(len+5);
DWORD dwBack;

memcpy(jmp, src, len);
jmp += len;
jmp[0] = 0xE9; //Assembly JMP instruction.
*(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;
src[0] = 0xE9;
*(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
for (int i=5; i<len; i++)
src[i]=0x90; //Assembly NOP instruction.
VirtualProtect(src, len, dwBack, &dwBack);
return (jmp-len);
}

void InitialiseHooks()
{
while(!GetModuleHandle("User32.dll")) //hook user32's SetWindowsHookEx function..
{
}

o_SetWindowsHookEx = (SetWindowsHookEx_t) DetourFunction((unsigned char*)o_SetWindowsHookEx, (unsigned char*)&HOOKED_SetWindowsHookEx, 5);
}

static LDR_MODULE* me = NULL;
DWORD __stdcall DllMain(HINSTANCE hInst, DWORD nReason, LPVOID Reserved)
{
switch(nReason)
{
case DLL_PROCESS_ATTACH:
{
HideSelf(hInst, &me);
}
break;

case DLL_PROCESS_DETACH:
{
}
break;
}
return TRUE;
}
Hello man
Where can I find the source?
TY

21. SRL Member
Originally Posted by Vasile
Hello man
Where can I find the source?
TY
Are you serious right now Vladria?

22. What is this??? The source is already there.. as for compiling it.. if you guys actually wrote a rootkit that does what you say it does, then there's no need for me to help you compile the above because you have enough skills to write your own..

[Attachment: Screen Shot 2017-05-15 at 8.11.01 PM.jpg]

Also, just stick it in any C++ compiler and hit the play/compile button. It'll work just fine. CodeBlocks + MinGW works as well.

23. @Brandon; Think he sent that pm to everyone on this thread.

24. It does seem like, based on some posts I vaguely remember reading (not on Villavu?), that using a touchscreen has gotten people banned for macroing. I'm not sure if they're being entirely truthful but it sounds plausible.

I was trying to make a Windows driver that would simulate a keyboard and mouse, but that's on hold until I get more hardware or more time.