[Release][Method]Aeria - Bypass Attack speed hack protection

03/13/2010 05:09 Mega Byte#16
Yes, well, if they ever patch it again it'd better be done server side.
03/13/2010 07:37 generichaxor#17
Quote:
Originally Posted by Mega Byte View Post
Yes, well, if they ever patch it again it'd better be done server side.
Alt1's too stupid for that shit :P haha
03/13/2010 08:08 sltpppy#18
Quote:
Originally Posted by generichaxor View Post
Alt1's too stupid for that shit :P haha
Lol ;P
03/13/2010 16:43 Fujin_God#19
Quote:
Originally Posted by Mega Byte View Post
Heya all, as you are now aware Alt1 has patched the attack speed hack.

This is how I have worked around it. Please Alt1, patch it SERVER SIDE for once.

First I found the attack speed buff as one usually does. Had help from Iktov on that one.

Then we noticed it had a limiter.
Here is how to bypass it.

Find what code accesses the attack speed buff:
This is the code address that copies the attack speed modifier buff
00430A00

Stepping out of the function, it had two things calling it; I found the melee hit one.
Code:
0048EA5E  |.  52            PUSH EDX
0048EA5F  |.  B9 845A5F00   MOV ECX,TwelveSk.005F5A84
0048EA64  |.  E8 971FFAFF   CALL TwelveSk.00430A00
There is also this one for other kinds of attacks
Code:
0048F3BE  |.  52            PUSH EDX                                 ; /Arg1
0048F3BF  |.  B9 845A5F00   MOV ECX,TwelveSk.005F5A84                ; |
0048F3C4  |.  E8 3716FAFF   CALL TwelveSk.00430A00                   ; \TwelveSk.00430A00
Scrolling down we see a JPE

For Melee one
Code:
0048F3EA  |. /7A 1E         JPE SHORT TwelveSk.0048F40A
For Skills one
Code:
0048F3EA  |. /7A 1E         JPE SHORT TwelveSk.0048F40A
Look for code that could jump or something:
Tests god knows what against 5. I'm not too sure how the TEST operator works; all I know is that the jump is not taken when not speed hacking but is taken when speed hacking above 20, soooo.
Code:
0048EA87  |.  F6C4 05       TEST AH,5
0048EA8A  |.  7A 1E         JPE SHORT TwelveSk.0048EAAA
Solution:
Let's force it to not be taken by changing it to a NOP.

Melee Hit
Code:
Originally
0048EA8A  |.  7A 1E         JPE SHORT TwelveSk.0048EAAA
Change to
0048EA8A      90            NOP
0048EA8B      90            NOP

Skills Hit
Code:
Originally
0048F3EA  |. /7A 1E         JPE SHORT TwelveSk.0048F40A
Change to
0048F3EA      90            NOP
0048F3EB      90            NOP

And success.. we can now freeze the attack speed buff address, which is
10D0EEB

To anything we want.

To apply this, alter the code.
You should be able to add
0048EA8A and 0048F3EA as byte arrays with length of 2 and set both bytes in them to 90 90
in Cheat Engine or do it in memory view, w/e

I win,
Ok I am COMPLETELY lost lol.... I'm not very good at using Cheat Engine so I'm not sure exactly what all this means or how exactly to alter it :P
03/13/2010 20:04 BlaXpirit#20
Hey, people... I can explain why speed [hacks] are not server-sided. If every step you make in the game had to be checked on the server, the game would be sooooo laggy...
03/13/2010 21:43 Mega Byte#21
It's still a simple check.. just send the speed hack addy value to the server when you attack.. if it's too high, disconnect. Or, like, check the incoming packets for attack;
if they are coming in faster than say 800 ms then it's a hack.
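The server-side check this post proposes, written out as an added example (not code from the thread or from the game): the server only timestamps each client's attack packets and flags a client whose sustained rate beats the weapon's minimum interval, so it does not have to validate every movement step. The 800 ms figure is from the post; the jitter allowance, window size, class and function names, and the sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed parameters: the post names 800 ms; jitter and window are assumptions.
MIN_ATTACK_INTERVAL_MS = 800   # weapon's minimum time between two attacks
JITTER_MS = 100                # slack per interval for network timing noise
WINDOW = 5                     # attacks averaged before a verdict is reached

class AttackRateChecker:
    """Flags clients whose attack packets arrive faster than the weapon allows.

    Only attack packets are inspected and only their arrival times are kept,
    so the cost is far below validating every movement step on the server.
    """

    def __init__(self, min_interval_ms=MIN_ATTACK_INTERVAL_MS,
                 jitter_ms=JITTER_MS, window=WINDOW):
        self.min_interval_ms = min_interval_ms
        self.jitter_ms = jitter_ms
        self.window = window
        self._recent = defaultdict(lambda: deque(maxlen=window))

    def on_attack(self, client_id, recv_ms):
        """Record one attack packet; return True once the client is flagged.

        The verdict uses the span of the last WINDOW attacks, so one early
        packet caused by packets bunching up in transit is not enough.
        """
        stamps = self._recent[client_id]
        stamps.append(recv_ms)
        if len(stamps) < self.window:
            return False
        # Shortest span that WINDOW legitimate attacks could cover.
        floor_ms = (self.window - 1) * (self.min_interval_ms - self.jitter_ms)
        return (stamps[-1] - stamps[0]) < floor_ms

def flagged_clients(events, checker=None):
    """Feed (client_id, recv_ms) events in arrival order; return flagged ids."""
    checker = checker or AttackRateChecker()
    return {cid for cid, t in events if checker.on_attack(cid, t)}

# Constructed sample traffic: "legit" swings about every 800 ms with jitter,
# "fast" fires every 400 ms, as a client with the speed buff frozen would.
SAMPLE_EVENTS = sorted([
    ("legit", 0), ("legit", 790), ("legit", 1650), ("legit", 2410), ("legit", 3230),
    ("fast", 0), ("fast", 400), ("fast", 800), ("fast", 1200), ("fast", 1600),
], key=lambda e: e[1])

if __name__ == "__main__":
    print("flagged:", flagged_clients(SAMPLE_EVENTS))  # flagged: {'fast'}
```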
03/13/2010 21:44 BlaXpirit#22
Well, they could do many things better... But they don't.
03/26/2010 00:28 Mega Byte#23
I have updated this for the latest patch :)
04/13/2010 20:42 holyhill#24
Hi Mega Byte,
good job by finding the bypass!

I tried to follow your steps to find the new addresses for the called functions to overwrite them with the NOP.
I found the function that accesses the attack speed memory address, but now I don't know how to jump out of that function.
Can you give me a hint how to manage it?
Do I have to put a breakpoint in the function and then step out?
If so, how do I do it with OllyDbg?

Thanks for your help!
04/14/2010 16:13 Mega Byte#25
just change it by double clicking the text and typing the new instruction in.
04/14/2010 16:24 rhotar#26
Quote:
Originally Posted by holyhill View Post
Hi Mega Byte,
good job by finding the bypass!

I tried to follow your steps to find the new addresses for the called functions to overwrite them with the NOP.
I found the function that accesses the attack speed memory address, but now I don't know how to jump out of that function.
Can you give me a hint how to manage it?
Do I have to put a breakpoint in the function and then step out?
If so, how do I do it with OllyDbg?

Thanks for your help!
Quote:
Originally Posted by Mega Byte View Post
just change it by double clicking the text and typing the new instruction in.


I think he means how to step out of the function while debugging and reach the block of code where a cmp instruction is executed, so he can NOP the following jmp or jne or jb, etc.

He isn't exactly asking how to NOP a byte.

holyhill:

I'm in the exact same situation. I pinpointed the functions which access the attack speed for skills and melee attacks, but like you I can't set a breakpoint and step out of that particular region of code because the game client crashes. It used to work just fine using OllyDbg + Strong plugin, but ever since they patched the game recently I can't debug the client anymore; maybe using a different plugin for a recent version of the Themida packer.

Btw, it was Mega Byte who suggested that I use the Strong plugin to debug the game client.
04/14/2010 21:49 holyhill#27
Thank you rhotar for clarifying my problem!
It's exactly as you described.

ok i think i have to get familiar with ollydbg.
Thanks for the help!
04/17/2010 10:47 Mega Byte#28
Ah yes, my bad, I thought he meant to jump over it lol.

I use OllyDbg and it works just fine for me with StrongOD and ignoring exceptions etc.
Only seems to work on 32-bit OS though.

What you do is go to the address you have found in OllyDbg using Ctrl+G and click up the top of the function where it's like PUSH EBP or PUSH EAX etc, something similar.
It will say what it has been called by and you can go to that. Or you can breakpoint and press Alt+F9 or Ctrl+F9 (I forget which) to go to the return, then F7 to go to below the code that called the function :). If you want to learn OllyDbg, go grab Lena's tutorials for cracking. You can google them and find them on tuts4you.
04/21/2010 21:26 Elebut#29
Thanks, gonna check it out
04/24/2010 20:26 EvilDazza#30
I can't seem to get it to work. I think it's been patched again, as I can't find the function at that location with mem view, and the game crashed when the debugger is attached to find what accesses the speed hack address. Olly does not show any of the above either....