United Hackprogrammers Front (UHF) - CO2 Memory Tables

05/07/2007 20:50 anantasia#31
Quote:
Originally posted by DyNy28@May 8 2007, 00:20
Damn!

Who can give me the Poke for the HP? I have tried for 2 days and it is not working here. I need a Poke for VB.NET 2005.

I'm also working with Tsearch16, that's also an easy program I got from Blinko, but I don't know anymore how we do that to get the Poke, and how I need to write all the values below in the code!

When that is correct, the HP is working again.

Here is the code I use:

Code:
Public Sub InjectDMA_HP()
    Dim phandle As Integer   ' process handle; must come from OpenProcess (not shown in the post)
    Dim hwnd As Integer
    Dim NewBytes1(11) As Byte
    Dim NewBytes2(5) As Byte
    Dim NewBytes3(5) As Byte
    'Poke 10E00 89 08 89 0D CC 0D 01 00 50 8B CE
    'Poke 10E0B E9 4A BC 49 00
    'Poke 4ACA55 E9 A6 43 B6 FF
    NewBytes1(1) = &H89S '89
    NewBytes1(2) = &H8S '08
    NewBytes1(3) = &H89S '89
    NewBytes1(4) = &HDS '0D
    NewBytes1(5) = &HCCS 'CC
    NewBytes1(6) = &HDS '0D
    NewBytes1(7) = &H1S '01
    NewBytes1(8) = &H0S '00
    NewBytes1(9) = &H50S '50
    NewBytes1(10) = &H8BS '8B
    NewBytes1(11) = &HCES 'CE
    NewBytes2(1) = &HE9S : NewBytes2(2) = &H4AS : NewBytes2(3) = &HBCS : NewBytes2(4) = &H49S : NewBytes2(5) = &H0S
    NewBytes3(1) = &HE9S : NewBytes3(2) = &HA6S : NewBytes3(3) = &H43S : NewBytes3(4) = &HB6S : NewBytes3(5) = &HFFS

    ' WriteProcessMemoryBuffer and CloseHandle are presumably the poster's Declares of the
    ' kernel32 functions (not shown). Passing NewBytes1(1) ByRef writes 11 bytes starting at index 1.
    WriteProcessMemoryBuffer(phandle, &H10E00, NewBytes1(1), 11, 0)
    WriteProcessMemoryBuffer(phandle, &H10E0B, NewBytes2(1), 5, 0)
    WriteProcessMemoryBuffer(phandle, &H4ACA55, NewBytes3(1), 5, 0)
    CloseHandle(phandle)

    System.Array.Clear(NewBytes1, 0, NewBytes1.Length)
    System.Array.Clear(NewBytes2, 0, NewBytes2.Length)
    System.Array.Clear(NewBytes3, 0, NewBytes3.Length)
End Sub
Please Help!!
I'm curious about your VB program.

Does your VB work on Conquer 4347?

If yes, I wonder why you trap at address 4ACA55 with E9 A6 43 B6 FF = JMP 00010E00.

At Conquer patch 4347 no code runs at this address, and the code you write at 00010E00 is not the old command.
Quote:

00010E00:
89 08                  mov [eax],ecx
89 0D CC 0D 01 00      mov [10dcc],ecx
50                     push eax
8B CE                  mov ecx,esi
E9 4A BC 49 00         jmp 004aca5a
Anyway, I suggest this poke command for my edit:
Quote:

00010E00:
89 05 CC 0D 01 00      MOV [00010DCC],EAX      // Save HP value at address 10DCC
6A 0F                  PUSH 0F                 // Old replaced inject command
8B 4D C4               MOV ECX,[EBP-3C]        //
E9 36 A0 46 00         JMP 0047AE46            // Jump to next command (rel32 = 47AE46 - 10E10 = 46A036)

0047AE41:
E9 BA 5F B9 FF         JMP 00010E00            // Jump to hook command
So the poke command as you requested is here:
Quote:

        'Poke 10E00 89 05 CC 0D 01 00 6A 0F 8B 4D C4
        'Poke 10E0B E9 36 A0 46 00
        'Poke 47AE41 E9 BA 5F B9 FF

          WriteProcessMemoryBuffer(phandle, &H10E00, NewBytes1(1), 11, 0)
          WriteProcessMemoryBuffer(phandle, &H10E0B, NewBytes2(1), 5, 0)
          WriteProcessMemoryBuffer(phandle, &H47AE41, NewBytes3(1), 5, 0)
Edited: Sorry, overnight work. Changed the poke 10E00 address.
05/07/2007 22:42 ZeRo-ToLeRaNcE#32
Quote:
Originally posted by anantasia@May 7 2007, 20:50
(post #31 above, quoted in full)
Yes, my VB work works fully now with patch 4347, only the Auto HP doesn't work yet.



Append on May 7 2007, 23:13: Hmmm,

I have changed the code with your poke and stuff but my client crashed!

I have to find out why, I'm a noob with this hahahahaha

That memory stuff and POKE is difficult, but I'm learning.
05/08/2007 03:39 giacometti#33
This is my method, I am not a pro debugger, but I got into this (just copy and paste in TSearch to see if it will crash):

Quote (code to be injected):
offset 0x585300
mov esi,eax
mov [0x00585320],eax
mov ecx,00580308
jmp 0x42b4b2

offset 0x42b4ab
jmp 00585300
nop
nop

Quote (original code):
offset 0x42b4ab
mov esi,eax
mov ecx,00580308

and then read the HP value at 00585320 (or just &H585320 if you are a VB reader =p)
Here, I am using the old method of injecting the code in a code cave (inside the conquer.exe process), because TSearch is old and doesn't support allocating memory as Cheat Engine does. Below are the poke values if you want to do it directly in your application:

Quote (POKE values):
Poke 585300 8B F0 A3 20 53 58 00 B9 08 03 58
Poke 58530B 00 E9 A1 61 EA FF
Poke 42B4AB E9 50 9E 15 00 90 90

That's it.
05/08/2007 18:15 ZeRo-ToLeRaNcE#34
Quote:
Originally posted by giacometti@May 8 2007, 03:39
(post #33 above, quoted in full)
Hey dude!!!

Thanks man, it's working! My tool is almost fully working again!



Append on May 8 2007, 22:56: Hey, I have discovered that the Warehouse money memory address is the same as the inventory money?

When I look for the WH money memory it's not the same for another client!!!

Is the WH money memory also floating, the same as HP???

Greets,

DyNy
05/10/2007 01:18 joek#35
4347 Revision 3 Of The Memory Table Is Now Out!!!
05/10/2007 07:27 anantasia#36
Here is my work for MP and equipped arrows:

[MemAdd]
CharMana=&H585351
InArrow=&H58537A
CharArrow=&H585367

[DMAinject]
;characters MP
MP1ad=&H58533D
MP1cd=89 05 51 53 58 00 8B F0 B9 08 03 58 00 E9 BC 61 EA FF
MP2ad=&H42B504
MP2cd=E9 34 9E 15 00

;characters Arrow
MP1ad=&H585357
MP1cd=66 89 05 67 53 58 00 8B E5 5D C3
MP2ad=&H407FCE
MP2cd=E9 84 D3 17 00

;Arrow Set inventory count
MP1ad=&H58536C
MP1cd=89 15 7A 53 58 00 8B E5 5D C2 08 00
MP2ad=&H4574EF
MP2cd=E9 78 DE 12 00 90


Or in this style:

Poke 58533D 89 05 51 53 58 00 8B F0 B9 08 03 58 00 E9 BC 61 EA FF
Poke 42B504 E9 34 9E 15 00

Read memory address 585351 for Character Mana


Poke 585357 66 89 05 67 53 58 00 8B E5 5D C3
Poke 407FCE E9 84 D3 17 00

Read memory address 585367 for Equip arrow


Poke 58536C 89 15 7A 53 58 00 8B E5 5D C2 08 00
Poke 4574EF E9 78 DE 12 00 90

Read memory address 58537A for Arrow set in inventory
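The [MemAdd]/[DMAinject] block above is a small table format, and the thread has already shown how a poke whose jump is off by a few bytes crashes the client. The following is an added example, not joek's table loader or anantasia's script (neither is on this page): it parses that format and checks each hook for the two things a loader can verify before writing anything, namely that the hook JMP lands on the cave and that the cave either jumps back to just after the hook or ends in a RET. The section names, the ';' comments, the &H prefix and the NN1ad/NN1cd/NN2ad/NN2cd keys come from the post; the rule that each '1ad' line starts a new hook and the 20-byte return window are my assumptions, and the sample table is the post's own data.

```python
"""Parse and sanity-check the [MemAdd]/[DMAinject] table format from the post above.
Added example, not the thread's own tool; everything beyond the key names is an assumption."""
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Hook:
    name: str
    cave_addr: int = 0   # NN1ad: where the cave is poked
    cave: bytes = b""    # NN1cd: cave bytes
    hook_addr: int = 0   # NN2ad: client instruction overwritten with a JMP
    hook: bytes = b""    # NN2cd: the JMP (plus NOP padding) poked there

def vb_hex(text: str) -> int:
    text = text.strip()                  # accepts VB style '&H585351' or plain '585351'
    return int(text[2:] if text.upper().startswith("&H") else text, 16)

def parse_table(text: str) -> Tuple[Dict[str, int], List[Hook]]:
    memadd: Dict[str, int] = {}
    hooks: List[Hook] = []
    section, comment, cur = "", "", None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith(";"):          # the ';' comment names the hook that follows
            comment = line[1:].strip()
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if section == "memadd":
            memadd[key] = vb_hex(val)
        elif section == "dmainject":
            m = re.fullmatch(r"[A-Za-z]+([12])(ad|cd)", key)
            if not m:
                raise ValueError(f"unexpected key {key!r}")
            which, kind = m.groups()
            if which == "1" and kind == "ad":   # assumption: every '1ad' line opens a new hook
                cur = Hook(name=comment or key)
                hooks.append(cur)
            if kind == "ad":
                setattr(cur, "cave_addr" if which == "1" else "hook_addr", vb_hex(val))
            else:
                setattr(cur, "cave" if which == "1" else "hook", bytes.fromhex(val))
    return memadd, hooks

def jmp_target(addr: int, code: bytes) -> int:
    """Target of the E9 rel32 JMP whose opcode byte sits at addr."""
    return (addr + 5 + struct.unpack("<i", code[1:5])[0]) & 0xFFFFFFFF

def check_hook(h: Hook) -> List[str]:
    """Problems found in one hook; an empty list means it is self-consistent."""
    out: List[str] = []
    if len(h.hook) < 5 or h.hook[0] != 0xE9:
        out.append(f"{h.name}: hook bytes are not a JMP rel32")
    elif jmp_target(h.hook_addr, h.hook) != h.cave_addr:
        out.append(f"{h.name}: hook jumps to {jmp_target(h.hook_addr, h.hook):X}, "
                   f"cave is at {h.cave_addr:X}")
    c = h.cave
    if c.endswith(b"\xC3") or (len(c) >= 3 and c[-3] == 0xC2):
        pass                              # RET / RET imm16: the cave replaced a function epilogue
    elif len(c) >= 5 and c[-5] == 0xE9:
        back = jmp_target(h.cave_addr + len(c) - 5, c[-5:])
        # must land after the 5-byte hook JMP, within one maximal (15-byte) x86 instruction
        if not h.hook_addr + 5 <= back <= h.hook_addr + 20:
            out.append(f"{h.name}: cave jumps back to {back:X}, hook is at {h.hook_addr:X}")
    else:
        out.append(f"{h.name}: cave neither jumps back nor returns")
    return out

def audit(text: str) -> List[str]:
    return [p for h in parse_table(text)[1] for p in check_hook(h)]

# sample input: anantasia's 4347 table, copied from the post above
TABLE_4347 = """\
[MemAdd]
CharMana=&H585351
[DMAinject]
;characters MP
MP1ad=&H58533D
MP1cd=89 05 51 53 58 00 8B F0 B9 08 03 58 00 E9 BC 61 EA FF
MP2ad=&H42B504
MP2cd=E9 34 9E 15 00
;characters Arrow
MP1ad=&H585357
MP1cd=66 89 05 67 53 58 00 8B E5 5D C3
MP2ad=&H407FCE
MP2cd=E9 84 D3 17 00
;Arrow Set inventory count
MP1ad=&H58536C
MP1cd=89 15 7A 53 58 00 8B E5 5D C2 08 00
MP2ad=&H4574EF
MP2cd=E9 78 DE 12 00 90
"""
if __name__ == "__main__":
    for line in audit(TABLE_4347) or ["all hooks self-consistent"]:
        print(line)
```

Run stand-alone it audits the 4347 table and prints "all hooks self-consistent"; an off-by-one displacement, or a cave address changed without re-encoding the return jump, produces a line naming the hook and both addresses. What it cannot tell you is whether the hooked instruction is actually executed by the client build you are patching, which is the other failure discussed earlier in the thread.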
05/10/2007 09:06 joek#37
Quote:
Originally posted by anantasia@May 10 2007, 14:27
Here is my work for MP and equip arrow
That's great, many thanks for the contribution.
What's the arrow routine used for, is it the number of arrow packs in inventory?
05/10/2007 09:11 anantasia#38
Quote:
Originally posted by joek@May 10 2007, 14:06
Quote:
Originally posted by anantasia@May 10 2007, 14:27
Here is my work for MP and equip arrow
That's great, many thanks for the contribution.
What's the arrow routine used for, is it the number of arrow packs in inventory?


I just posted both items as you requested.
05/10/2007 09:42 joek#39
Quote:
Originally posted by anantasia@May 10 2007, 16:11
Quote:
Originally posted by joek@May 10 2007, 14:06
Quote:
Originally posted by anantasia@May 10 2007, 14:27
Here is my work for MP and equip arrow
That's great, many thanks for the contribution.
What's the arrow routine used for, is it the number of arrow packs in inventory?

I just posted both items as you requested.
Ah ok, that was DyNy28 who was after arrow packs, cool, I will add that also.
I've got ArrowCnt=&H58132C for equipped arrows, it seems to be a static address, or doesn't that work for others?
05/14/2007 06:39 blinko#40
&H58132C works with an offset of 46, which if working with VB is easier by saying +70.

I'm having trouble doing this in Delphi though, the asm I mean.
It has errors where I put in my code.
05/19/2007 09:12 giacometti#41
Quote:
Originally posted by blinko@May 14 2007, 02:39
&H58132C works with an offset of 46, which if working with VB is easier by saying +70.

I'm having trouble doing this in Delphi though, the asm I mean.
It has errors where I put in my code.
blinko, the offset "46" is in hexadecimal, and it is equal to 70 in decimal. All offsets in asm must be in hexadecimal. Delphi understands hexadecimal numbers by the "$" symbol, so $46 = 70. Another thing, as you are migrating from VB to Delphi, "&H" is just "00" and you should omit it in Delphi; just use, for example, "$0058132C" or "$58132C" instead.
06/03/2007 17:05 ZeRo-ToLeRaNcE#42
Hey dudes!

I'm busy with the inventory list to work with that for my new modules, but does someone know what the addresses are for the inventory list???

And also an address to spot a blue name or red or black names??

And a disconnect procedure?

Greets,

DyNy

PS - I'm searching with Tsearch and Cheat Engine to discover the addresses but I can't find them.
06/05/2007 00:12 anantasia#43
Quote:
Originally posted by DyNy28@Jun 3 2007, 22:05
Hey dudes!

I'm busy with the inventory list to work with that for my new modules, but does someone know what the addresses are for the inventory list???

And also an address to spot a blue name or red or black names??

And a disconnect procedure?

Greets,

DyNy

PS - I'm searching with Tsearch and Cheat Engine to discover the addresses but I can't find them.
Try this script to locate player/monster.

The attacked player/monster is located somewhere in a DMA location.


Tick on Enable Trap for monster/player list.

You will see the monster/player name on the line below.

Anyway, my script writes to a 32-byte buffer location, so you can read the DMA location code from 5853C0 to 5853E0 in the conquer.exe process.
06/06/2007 13:08 joek#44
A preliminary table for version 4351 of the client is now available; it's just the basics but enough to get things up and running again.
Personally I'd stick with the old version of the client for now, since there's going to be a pile of updates and f@#k ups coming out of TQ in the near future.
06/07/2007 18:56 anantasia#45
Here are the new addresses for the new patch 4351.

Damn, TQ was more specific with the details of the code page/data page.

[MemAdd]
CharHP=&H5573C0
CharMana=&H5573C4

[DMAinject]
;characters HP
HP1ad=&H52D810
HP1cd=6A 0F 8B 4D C4 89 05 C0 73 55 00 E9 26 C2 F4 FF
HP2ad=&H479A41
HP2cd=E9 CA 3D 0B 00

;characters MP
MP1ad=&H52D822
MP1cd=89 05 C4 73 55 00 8B 45 C4 8B 10 E9 A0 C2 F4 FF
MP2ad=&H479ACD
MP2cd=E9 50 3D 0B 00