Not a member yet? Register for your free account!

You last visited: Today at 13:55

  • Please register to post and access all features, it's quick, easy and FREE!


Some hacks brought to you by ISXAOC

Old   #1
elite*gold: 0
The Black Market: 0/0/0
Join Date: Aug 2008
Posts: 2
Received Thanks: 4
Some hacks brought to you by ISXAOC

Ok starting with an easy one - NoFall,

How do we locate this each patch?

Well if you wan't the simplest way to do it in 2 bytes, search for "Vehicle Falling" from within the client using OllyDBG or your favorite debugger.

You land around here:
005F5C4E    68 40BB3301     PUSH AgeOfCon.0133BB40                   ; ASCII "Vehicle/Falling"
And simply modify the "damage modifier" to 0.0f by pushing FLDZ on the stack
instead of what would normally be a "multiplier" for the fall damage..
005F5CC3    D945 FC         FLD DWORD PTR SS:[EBP-4]

005F5CC3    D9EE  90        FLDZ

BYTE patch[2] {0xee,0x90};
This has the net effect of doing 0*damage on fall - try it!

Strangely enough you can actually apply this principle to a lot of the games client side checks for damage, because they all use a simple modifier to check the damage done.

Or for the more advanced reverser, lets look at how we can Resurrect on our own corpse when we die with FULL health, mana, stamina (incoming nerf after I post this)

The game itself uses some components to handle your "character actions" which, to cut a long story short can be mapped using C/C++ hook.

The object is shown below which i've 'conveniently' reversed for you

If you wan't to understand how the code below works I suggest you learn some assembly language and how object code can be mapped to a 'higher level' language such as C/C++.

It all stems from the engine handler @ 0x005C8850 as you will see from my code at the bottom which I slowly studied to build up the virtual table for one of it's "interfaces"

The final result call (see below of how this constructed to make the final call from your hook):
//The overall engine which powers many of AOC components
_N3Engine* pN3 = GetN3Engine();

//This will respawn you on top of your corpse
//because we have not provided an Graveyard Id location
//the game is forced to resurrect you at your corpse! 

//virtual void RespawnMe(DWORD GyInstanceId);
class _N3Engine

	_N3CharAgent* GetCharAgent(int,int);
                //Cheap way of quickly doing the lookup - use inheritance if you are anal about it :)
	_N3CharIHandler* GetCharIHandler()
		_N3CharIHandler* p = (_N3CharIHandler*)((DWORD)((pLookup->lookup2+4)+(DWORD)(this)));
		return p;

	_N3EngineLookup* pLookup; 

	virtual void vf00();

//The engine uses a lookup table for various actions to perform
//We will look up the "Interface" for all the client actions...

class _N3EngineLookup
	DWORD unk;
	DWORD lookup1;
	DWORD lookup2; //Interface"CharAgent"
//Generate the correct virtual table offset distances
//If you are lazy you could simply write a macro to do this
//See very bottom of an example of a virtual call emulation macro

class _N3CharAgent
	virtual void vf00();
	virtual void vf04();
	virtual void vf08();
	virtual void vf0c();
	virtual void vf10();
	virtual void vf14();
	virtual void vf18();
	virtual void vf1c();
	virtual void vf20();
	virtual void vf24();
	virtual void vf28();
	virtual void vf2c();
	virtual void vf30();
	virtual void vf34();
	virtual void vf38();
	virtual void vf3c();
	virtual void vf40();
	virtual void vf44();
	virtual void vf48();
	virtual void vf4c();
	virtual void vf50();
	virtual void vf54();
	virtual void vf58();
	virtual void vf5c();
	virtual void vf60();
	virtual void vf64();
	virtual void vf68();
	virtual void vf6c();
	virtual void vf70();
	virtual void vf74();
	virtual void RespawnMe(DWORD);
//Macro to emulate the games function call

#define FUNCTION_AT_ADDRESS(function,offset) __declspec(naked) function
	__asm{mov eax,offset};
	__asm{jmp eax};
//As of aoc 13/09/08
FUNCTION_AT_ADDRESS(_N3Engine* __cdecl GetN3Engine(void), 0x005C8850);
//A less intuitive approach to looking up your virtual table

#define FUNCTION_AT_VIRTUAL_ADDRESS(function,virtualoffset) __declspec(naked) function
	__asm{mov eax, [ecx]};
	__asm{lea eax, [eax+virtualoffset]};
	__asm{mov eax, [eax]};
	__asm{jmp eax};

If you were using my ISXAOC extension, you could ignore all this and simply do:

Hack:SuperRez heh

This should make sense to some seasoned coders with some knowledge of asm...

Next Guide, how to locate all the entities in the game ...

More guides to come.. enjoy!


(isxaoc bot)

Pickled is offline  
2 Users

« Previous Thread | Next Thread »

Similar Threads
.:StoryBox:. v0.61 | 50x Exp | 8x Drop | 10x Mesos | Brought to you by... onegaiBox
onegaiBox is proud to present... (opens 1st...
3 Replies - Maple Story
order of db brought up to date of legendary eo
it will be that the sharing of db of legendary is possible eo? you can postar this its db with the new maps? if I will be able I am thankful.
1 Replies - EO PServer Hosting
I brought some good news ;)
Well guys, the namelessRO Eclipse CP was fixed(and ready to be "bruteforced") Well, that isnt a order to bruteforce, I just let, you updated see ya....
18 Replies - Off Topic

All times are GMT +2. The time now is 13:55.

Powered by vBulletin®
Copyright ©2000 - 2016, Jelsoft Enterprises Ltd.
SEO by vBSEO ©2011, Crawlability, Inc.

Support | Contact Us | FAQ | Advertising | Privacy Policy
Copyright ©2016 elitepvpers All Rights Reserved.