
Cool, although I'd stay away from Python if I was you; use Visual C++, it's free. Get 2008 if you can.
The multi client is in my TSXClient thread now. I'll quote it for you here though.
Quote:
Multi Client
This one is something a lot of people want, here's how to do it.
First of all we need to run the game before we run it in ollydbg.
We then run the game in ollydbg so that we can see the message box text that pops up saying the window is already open. When the messagebox pops up we take note of the text and search for it as a referenced string, find where it's referenced, scroll up and patch the conditional jump.
We can find a lot of strings actually, like the same format. They are all initialization errors, which we can look at the code around them to find out a lot more about the game. Patching it to allow custom items database is along these lines of the item init error. Anyway
Double click [Error::FindWindow()] in the referenced text strings list in ollydbg.
We see this code:
Code:
00403ABE |. 85C0 TEST EAX,EAX
00403AC0 |. 74 3D JE SHORT 00403AFF
00403AC2 |. 68 00100000 PUSH 1000
00403AC7 |. 68 B4065600 PUSH 005606B4 ; ASCII "TwelveSky2"
00403ACC |. 68 DC075600 PUSH 005607DC ; ASCII "[Error::FindWindow()]"
00403AD1 |. 53 PUSH EBX
00403AD2 |. E8 82C6B002 CALL 02F10159
The conditional jump we wanna patch is the only jump there, conveniently. Change it to a JMP instead of JE.
The code will now jump down under that area. Note we can't use this on this run of the game because the messagebox has already been called and the game will terminate, but what we can do is copy the address above our jump and set a hardware breakpoint on it; the next run will hit it and we can make our change to see if it works. The DLL can apply the patch for us later when we code it in.
To make the HWBP, right click the TEST EAX,EAX line and click Breakpoint, then Hardware, On Execution.
Stop the game and restart it, keeping the first instance running.
Make the patch in ollydbg when the breakpoint is hit, then continue running with F9.
You can remove the HWBP after patching if you want by clicking Debug, Breakpoints and remove, or right clicking the line and removing the breakpoint in the breakpoints menu.
SUCCESS, two windows of the game.
So we now have to make a signature for this and apply the patch in our DLL.
I will do this later.
So you can make a signature for it like I have done for another thing on that post and do it in the DLL very easily.
My
Go nuts I guess

As far as duping goes, it looks like their fix is to include some numbers that the client must send to the server when logging into the world server / doing a zone change. So rather than knowing someone's username and char name and slot, you might also have to know those numbers. I haven't found them in memory yet or know if my theory is true. Compare two zone change packets with the packet id 0B for Login to see what is sent. If the values are the same then ollydbg the send for that packet before it's encrypted on another client and put in the values, if it works Dupe!
Thanks for using our stuff