Let's talk about the recent patch and changes

~~IAmHawtness~~ · 05/21/2009, 15:49

TQ patched the mob/player structure, that's for sure. What I have found so far is:

Code:

PlayerBaseAddress = [0064ff48] (the read value of that address, not the address itself)

PlayerBaseAddress + 0x8D4 = x coordinate
PlayerBaseAddress + 0x8D8 = y coordinate


TargetBaseAddress + 0x18C = x coordinate
TargetBaseAddress + 0x190 = y coordinate


UseSkill Function:
004BB30D - 53                         - push ebx // always 0, I believe
004BB30E - 50                         - push eax // Target ID
004BB30F - ff b7 30 ba 09 00          - push [edi+0009ba30] // Skill ID
004BB315 - e8 e4 28 04 00             - call 004fdbfe



Shift-click Function:
00483C40 - b8 44 58 5c 00             - mov eax,005c5844
00483C45 - e8 c6 e7 0e 00             - call 00572410
00483C4A - 8b 45 08                   - mov eax,[ebp+08]
00483C4D - 83 65 fc 00                - and dword ptr [ebp-04],00
00483C51 - 85 c0                      - test eax,eax
00483C53 - 74 1f                      - je 00483c74
00483C55 - 8b 50 60                   - mov edx,[eax+60]
00483C58 - 89 91 a4 09 00 00          - mov [ecx+000009a4],edx // ebx = Target ID
00483C5E - 8b 80 e4 00 00 00          - mov eax,[eax+000000e4]
00483C64 - 85 c0                      - test eax,eax
00483C66 - 74 0c                      - je 00483c74
00483C68 - 50                         - push eax
00483C69 - 81 c1 78 0a 00 00          - add ecx,00000a78
00483C6F - e8 fc e4 0e 00             - call 00572170

The name of a player/mob is now no longer in the player/mob structure. (Well, it might be, but then it's definitely not as plain text)

The player base address (or whatever you want to call it) is now dynamic, where it used to be static (0x5DABB8 in the last couple of patches)

~~high6~~ · 05/21/2009, 16:40

Well I am a bit busy looking at the anti-bot checks. But here is the call to get the player's address.

0x004FDBFE(1, 0);

They probably changed the name from being in the structure to a pointer. Which makes sense. Having it be a static char[] was very unsafe.

Also I will post in my epvper blog when I find something interesting.

~~IAmHawtness~~ · 05/21/2009, 16:44

Quote:

Originally Posted by high6

Well I am a bit busy looking at the anti-bot checks. But here is the call to get the player's address.

0x004FDBFE(1, 0);

They probably changed the name from being in the structure to a pointer. Which makes sense. Having it be a static char[] was very unsafe.

Also I will post in my epvper blog when I find something interesting.

epvper blog?

And what anti-bot checks? You mean the one that checks if your Conquer.exe is modified?

~~high6~~ · 05/21/2009, 16:50

Yup, the checks that are getting people banned right now.

Link to the blog is right under my post count.

Blog Entries: X <- Link

Also I will read the comments and such.

I am using the blog just because I rather have a place that is not full of leechers going "HACK PLZ!!!"

~~IAmHawtness~~ · 05/21/2009, 16:56

Quote:

Originally Posted by high6

Yup, the checks that are getting people banned right now.

Link to the blog is right under my post count.

Blog Entries: X <- Link

Wtf is zfhook.exe and zfws.exe ?

Btw, is it just me, or does this address store the player base address: 0x64ff48?

~~high6~~ · 05/21/2009, 17:04

Quote:

Originally Posted by IAmHawtness

Wtf is zfhook.exe and zfws.exe ?

Btw, is it just me, or does this address store the player base address: 0x64ff48?

Probably a chinese CO hack.

Probably, looks that way at first glance.

clintonselke · 05/21/2009, 17:27

so soon bots will have to be called "notepad.exe" or "mspaint.exe"? (thats what my brother had to do w/ his wow bots)

~~IAmHawtness~~ · 05/21/2009, 17:49

Quote:

Originally Posted by clintonselke

so soon bots will have to be called "notepad.exe" or "mspaint.exe"? (thats what my brother had to do w/ his wow bots)

Haha yeah, typical TQ scanning for processes' NAMES, lol.

~~high6~~ · 05/21/2009, 18:26

also, a better way to represent this (at least I think)

Code:

PlayerBaseAddress = [0064ff48] (the read value of that address, not the address itself)

PlayerBaseAddress + 0x8D4 = x coordinate
PlayerBaseAddress + 0x8D8 = y coordinate

is

Code:

ClientInfo = 0x0064ff48;

int PlayerBaseAddress = *(int*)ClientInfo;
PlayerBaseAddress + 0x8D4 = x coordinate
PlayerBaseAddress + 0x8D8 = y coordinate

Although that is just me :P.

~~high6~~ · 05/21/2009, 18:34

Also the moblist is the same. I may post up the new address later. My only problem is that I rather people learn how to find things rather then just copy and pasting.

Evan Lim · 05/21/2009, 18:45

are u guys talking about the character x,y coordinate address?
it is at x-coordinate 0x64E6CC and +4 for y-coordinate

~~IAmHawtness~~ · 05/21/2009, 19:08

Quote:

Originally Posted by Evan Lim

are u guys talking about the character x,y coordinate address?
it is at x-coordinate 0x64E6CC and +4 for y-coordinate

We're talking about that the addresses that store the x and y coordinate (along with Player ID, animation, etc.) are now dynamic and not static as they used to be.

Quote:

Originally Posted by high6

Also the moblist is the same. I may post up the new address later. My only problem is that I rather people learn how to find things rather then just copy and pasting.

Yeah, about that.. did you find out at what offset the name is stored

?

ookamocka · 05/21/2009, 19:59

Quote:

Originally Posted by high6

Also the moblist is the same. I may post up the new address later. My only problem is that I rather people learn how to find things rather then just copy and pasting.

i have absolutely np finding it myself, i personally prefer to learn how to find things myself then to just be told what it is, only thing is, not sure how to find that address

everything else i can find w/o a problem

clintonselke · 05/21/2009, 21:32

I'm about to go to sleep, and thought i might share something first.

I could be wrong , but i think the mobs list starts here

@ 005EBDCC

Code:

CPU Dump
Address   Hex dump                 ASCII
005EBDCC  CF F9 51 00|19 FE 51 00| Q.Q.
005EBDD4  D8 1E 52 00|A5 4C 4F 00| R.LO.
005EBDDC  AC 4C 4F 00|C4 4C 4F 00| LO.LO.
005EBDE4  DC 4C 4F 00|D4 F7 4D 00| LO.M.

The attack function seems to take the structure as its first argument (and i have no idea what the 2nd argument is)

4F8C0A(num1, num2, 0, 1)

as inside it

004F8E32 |. 8B8F E4000000 MOV ECX,DWORD PTR DS:[EDI+0E4]

Puts a pointer to the name of the mob ur attacking into ECX, where EDI is equal to num1 (our first parameter)... And the mob name used to be inside the mob structure b4 the new patch & the first parameter of this attack function used to be the pointer to the struct.... So im guessing since after the patch it still is the pointer to the struct, but they have introduced this new num2 which i think didn't exist b4 the patch.

B4 the new patch, i think i found a pointer value inside the mob structure that leads back to the DequeEx parent structure (i can't really remember)... and the first pointer value inside the mob struct i found when attacking a monster lead to that mob list start address i posted up the top of this message.

Just not 100% sure, bcuz its alot longer than i expected.

~~high6~~ · 05/21/2009, 21:47

No, the moblist is at like 0x64XXXX. It is around "ClientInfo".

There is 2 easy ways to find it.

1 You use a multiclient. You have a second character move around while you search the coords. Then you trace back from there.

2 You breakpoint the receive mob packet and go from there.