[Release][Method]Aeria - Bypass Attack speed hack protection

[Mega Byte]

yes well if they ever patch it again it better be done server side.

[generichaxor]

Quote:

Originally Posted by Mega Byte

yes well if they ever patch it again it better be done server side.

Alt1's too stupid for that **** :P haha

[sltpppy]

Quote:

Originally Posted by generichaxor

Alt1's too stupid for that **** :P haha

Lol ;P

[Fujin_God]

Quote:

Originally Posted by Mega Byte

Heya all as you are now awear alt1 has patched the attack speed hack.

This is how I have worked arround it. Please Alt1 Patch it SERVER SIDE for once.


First I found the attack speed buff as one usally does. Had help from Iktov on that one.

Then we noticed it had a limiter.
Here is how to bypass it.

Find what code accesses the attack speed buff:
This is the code address that copy's the attack speed modifyer buff
00430A00

Stepping out of the function it had two things calling it I found the mele hit one.

Code:

0048EA5E  |.  52            PUSH EDX
0048EA5F  |.  B9 845A5F00   MOV ECX,TwelveSk.005F5A84
0048EA64  |.  E8 971FFAFF   CALL TwelveSk.00430A00

There is also this one for other kinds of attacks

Code:

0048F3BE  |.  52            PUSH EDX                                 ; /Arg1
0048F3BF  |.  B9 845A5F00   MOV ECX,TwelveSk.005F5A84                ; |
0048F3C4  |.  E8 3716FAFF   CALL TwelveSk.00430A00                   ; \TwelveSk.00430A00

Scrolling down we see a JPE

For Mele one

Code:

0048F3EA  |. /7A 1E         JPE SHORT TwelveSk.0048F40A

For Skills one

Code:

0048F3EA  |. /7A 1E         JPE SHORT TwelveSk.0048F40A

Look for code that could jump or something:
Tests god knows what against 5 im not too sure how TEST operator works all I know is that the jump is not taken when not speed hacking but is taken when speed hacking above 20 soooo.

Code:

0048EA87  |.  F6C4 05       TEST AH,5
0048EA8A  |.  7A 1E         JPE SHORT TwelveSk.0048EAAA

Solution:
Lets force it to not be taken by changing it to a nop.

Mele Hit

Code:

Origionaly
0048EA8A  |.  7A 1E         JPE SHORT TwelveSk.0048EAAA
Change to
0048EA8A      90            NOP
0048EA8B      90            NOP

Skills Hit

Code:

Origionaly
0048F3EA  |. /7A 1E         JPE SHORT TwelveSk.0048F40A
Change to
0048F3EA      90            NOP
0048F3EB      90            NOP

And success.. we can now freeze attack speed buff address which is
10D0EEB

To anything we want.

To apply this alter the code.
You should be able to add
0048EA8A and 0048F3EA as byte arrays with length of 2 and set both byte's in them to 90 90
in cheat engine or do it in memory view w/e

I win,

Ok I am COMPLETELY lost lol.... I'm not very good at using cheat engine so Im not sure exactly what all this means or how exactly to alter it :P

[BlaXpirit]

Hey, people... I can explain why speed [hacks] are not server-sided. If every step you make in the game had to be checked on the server, the game would be sooooo laggy...

[Mega Byte]

its still a simple check.. just send the speed hack addy value to server when you attack.. if its too high disconnect. or like check the incomming packets for atack
if they are comming in faster than say 800 ms then its a hack

[BlaXpirit]

Well, they could do many things better... But they don't.

[Mega Byte]

I have updated this for the latest patch

[holyhill]

Hi Mega Byte,
good job by finding the bypass!

i try to follow ur steps to find the new addresses for the called functions to overwrite them with the nope.
i found the function that accesses the attackspeed memory address, but now i dont know how to jump out of that function.
can u give me a hint how to manage it?
do i have to put a breakpoint in the function and then step out?
if so how do i do it with ollydbg?

thx for ur help!

[Mega Byte]

just change it by double clicking the text and typing the new instruction in.

[rhotar]

Quote:

Originally Posted by holyhill

Hi Mega Byte,
good job by finding the bypass!

i try to follow ur steps to find the new addresses for the called functions to overwrite them with the nope.
i found the function that accesses the attackspeed memory address, but now i dont know how to jump out of that function.
can u give me a hint how to manage it?
do i have to put a breakpoint in the function and then step out?
if so how do i do it with ollydbg?

thx for ur help!

Quote:

Originally Posted by Mega Byte

just change it by double clicking the text and typing the new instruction in.

I think he means how to step out of the function while debbuging and reach to the block of code where a cmp instruction is executed so he can nop the following jmp or jne or jb, etc

he isnt exactly asking how to Nop a byte.

holyhill:

Im in the exact same situation i pinpointed the functions wich access the attackspeed for skills and melee attacks, but as you i cant set a breakpoint and step out of that particular region of code cuz the gameclient crashes, it used to work just fine using ollydbg+strong plugin but ever since they patched the game recently i cant debug the client anymore, maybe using a different plugin for a recent version of themida packer.

Btw it was megabytes who suggested me to use strong pluging to debug the game client.

[holyhill]

ty rhotar for clarify my problem!
It's exactly as u discribed.

ok i think i have to get familiar with ollydbg.
Thanks for the help!

[Mega Byte]

ah yes my bad i thought he ment to jump over it lol.

I use olly dbg and it works just fine for me with StrongOD and ignoring exceptions etc.
Only seems to work on 32bit os though.

What you do is goto that address you have found in ollydbg using Ctrl+G and click up the top of the function where its like PUSH EBP or PUSH EAX etc something similar.
It will say what it has been called by and you can goto that. Or you can breakpoint and press Alt+F9 or Ctrl+F9 i forget which to goto the return then F7 to goto below the code that called the function .If you want to learn ollydbg go grab lena's tutorials for cracking. you can google them and find them on tuts4you.

[Elebut]

thanx gonna check it out

[EvilDazza]

i cant seem to get it to work, i think its been patched again as i cant find the function at that location with mem view and the game crashed when the debugger is attached to find what access the speed hack address, olly does not show any of the above either....