OllyDBG & CO

11/13/2008 06:55 Acidburncx#76
tanelipe, I tried running Conquer directly, it doesn't work. I think the assembly needs an update; I also tried a couple of times.
11/13/2008 13:51 Catacomb187#77
How about removing the clicker detection? I've been scanning through the code but am unable to locate the mouse click event monitor.
11/13/2008 15:16 tanelipe#78
These addresses are only for reference; it's not likely that they'll work for the latest patch. However, these tutorials show how the addresses are found.
11/15/2008 18:14 shinobi14#79
Awesome guide, ty so much tanelipe, very helpful, and ty trash for the wall jump. Keep up the good work.
11/16/2008 14:03 ViRuSeXy#80
Hi, can you check the new Conquer.exe? I can't edit it.
The new patch is different somehow, I don't know, I can't find anything.
What do I need to change for multi to work again + time clock + data etc.?
11/16/2008 18:25 Zkiller110#81
Do these things work on patch 5072? When I search, it says item not found. Plz help.
11/16/2008 21:52 David5646#82
Yes, all of this works for patch 5072 ^^ and you probably have case sensitive on ^^
11/17/2008 21:20 Azothoras#83
Quote:
Originally Posted by tanelipe View Post
Sorry about the delay, had a fever for most of the week (-> I was lying down most of the time)

I won't go into that much detail in this one; I'll give you guys the "tools" to keep it patched though.

[Making Conquer.exe NON-DC]
0. Backup the Conquer.exe
1. Open Conquer in OllyDBG and let it analyze the code.

2. Find a code block that looks like this
Code:
004A6830  |. 8B10                       MOV EDX,DWORD PTR DS:[EAX]
004A6832  |. 6A 00                      PUSH 0
004A6834  |. 6A 00                      PUSH 0
004A6836  |. 68 0000FF00                PUSH 0FF0000
004A683B  |. 68 D5070000                PUSH 7D5
004A6840  |. 68 B7860100                PUSH 186B7
004A6845  |> 8BC8                       MOV ECX,EAX
3. The easiest way to find that is the find command (Ctrl + F) for that PUSH 186B7

4. A couple of lines above that there should be a code block that looks like this
Code:
004A67FD  |. 89BD ECFEFFFF              MOV DWORD PTR SS:[EBP-114],EDI
004A6803  |. 8985 F8FEFFFF              MOV DWORD PTR SS:[EBP-108],EAX
004A6809  |. 899D FCFEFFFF              MOV DWORD PTR SS:[EBP-104],EBX
004A680F  |. E8 30560400                CALL <JMP.&WINMM.timeGetTime>
004A6814  |. 8D8D ECFEFFFF              LEA ECX,DWORD PTR SS:[EBP-114]
004A681A  |. 8985 14FFFFFF              MOV DWORD PTR SS:[EBP-EC],EAX
5. Notice the CALL to the winmm jmp.

6. Next, what we need to do is make the exe jump to our own code instead of that call.

7. We need to search for a place that can hold 20 bytes (for example from 500000 to 500020)

8. Scroll to almost the bottom of the Conquer.exe module and you should see lines like this (note the addresses)
Code:
00524C54   . 8B4D F0                    MOV ECX,DWORD PTR SS:[EBP-10]
00524C57   . 83C1 08                    ADD ECX,8
00524C5A   .^E9 3B31FBFF                JMP Conquer.004D7D9A
00524C5F   . B8 108C5500                MOV EAX,Conquer.00558C10
00524C64   .^E9 C1B2FCFF                JMP <JMP.&MSVCRT.__CxxFrameHandler>
00524C69     00                         DB 00
00524C6A     0000                       ADD BYTE PTR DS:[EAX],AL
00524C6C     0000                       ADD BYTE PTR DS:[EAX],AL
00524C6E     0000                       ADD BYTE PTR DS:[EAX],AL
00524C70     0000                       ADD BYTE PTR DS:[EAX],AL
00524C72     0000                       ADD BYTE PTR DS:[EAX],AL
00524C74     0000                       ADD BYTE PTR DS:[EAX],AL
00524C76     0000                       ADD BYTE PTR DS:[EAX],AL
00524C78     0000                       ADD BYTE PTR DS:[EAX],AL
00524C7A     0000                       ADD BYTE PTR DS:[EAX],AL
00524C7C     0000                       ADD BYTE PTR DS:[EAX],AL
9. ADD BYTE PTR DS:[EAX],AL might be DB 00 for you guys; ignore that.

10. We start writing our own code at 00524C6A

11. Hit Ctrl + E and write these into the HEX part of the window that just came up. You can't put those 0x's or the ','s
Code:
0x81, 0x05, 0xB0, 0xEF, 0x56, 0x00, 0x6A, 0x04, 
0x00, 0x00, 0xA1, 0xB0, 0xEF, 0x56, 0x00, 0xE9, 
0x96, 0x1B, 0xF8, 0xFF
12. So just write 81 05 B0 EF and so on..

13. After that the codeblock should look like this
Code:
00524C6A     8105 B0EF5600 6A040000     ADD DWORD PTR DS:[56EFB0],46A
00524C74     A1 B0EF5600                MOV EAX,DWORD PTR DS:[56EFB0]
00524C79    ^E9 961BF8FF                JMP Conquer.004A6814
14. Note that we add the 46A (hex) to a static location; after that we mov it to eax

15. Note the address it jumps to, it should be exactly one line BELOW the call to timeGetTime()

16. It jumps to code that looks like this (Should be familiar from before)
Code:
004A6814  |. 8D8D ECFEFFFF              LEA ECX,DWORD PTR SS:[EBP-114]
17. What we now need to do is change the CALL to jump to our own code that we just wrote. Remember the address?

18. We replace this
Code:
004A680F  |. E8 30560400                CALL <JMP.&WINMM.timeGetTime>
with
Code:
004A680F     E9 56E40700                JMP Conquer.00524C6A
19. Now every time the jump function "tries" to call the old timeGetTime, it jumps to our code that holds lastjumptime+46A and then moves it to eax; at some point it'll add it to the packet (lazy mofos not doing a server-side check)

20. Now it'd be really nice if people didn't start making shitloads of these non-DC things here; there are already a couple working.

If there is anything you'd like to ask me about, please go ahead.
So I've now successfully done all of this to my conquer.exe, but when I jump in Conquer I get an error and my Conquer crashes... It says that it can't write to 0x0056EFB0.... Do I need to change this to something else? I'm not that good with this shit, but I've managed to get everything else working, and I've managed to understand that I had to change the other addresses to fit my Conquer version :)

But this I have no idea about ^^


Ty for all anyways
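The quoted tutorial turns the client's jump timestamp into a counter that grows by 0x46A (1130 ms) per call, so the packet always claims enough time has passed, and the post itself notes that nothing is checked server-side. As an added example that is not from this thread or the game, here is how a server could validate jumps against its own receive clock instead of the client's timestamp, in Python over constructed packet sequences; the jump interval and drift tolerance are assumed values.

```python
# Added example (not from the thread or the game): server-side jump validation.
# The patch above turns the client's jump timestamp into a counter that grows by
# 0x46A (1130 ms) per call, so the value it sends can never be trusted; the
# server gates jumps on its own receive clock and uses the client value only to
# spot a clock that runs away from real time.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_JUMP_INTERVAL_MS = 0x46A  # 1130 ms; assumed interval the client must honour
MAX_CLOCK_DRIFT_MS = 500      # assumed tolerance for jitter between the two clocks

@dataclass
class JumpState:
    last_server_ms: Optional[int] = None  # server time of the last accepted jump
    offset_ms: Optional[int] = None       # client_ts - server_recv at first jump
    violations: List[Tuple[str, int]] = field(default_factory=list)

def validate_jump(state: JumpState, server_recv_ms: int, client_ts_ms: int) -> str:
    """Return 'ok' or a rejection reason; only the server clock gates the jump."""
    if state.last_server_ms is not None:
        elapsed = server_recv_ms - state.last_server_ms
        if elapsed < MIN_JUMP_INTERVAL_MS:
            state.violations.append(("too_fast", elapsed))
            return "invalid jump: too soon (server clock)"
    if state.offset_ms is None:
        state.offset_ms = client_ts_ms - server_recv_ms
    else:
        # A patched client advances its timestamp regardless of real time,
        # so the offset between the two clocks grows with every jump.
        drift = (client_ts_ms - server_recv_ms) - state.offset_ms
        if abs(drift) > MAX_CLOCK_DRIFT_MS:
            state.violations.append(("clock_drift", drift))
            return "invalid jump: client clock drift"
    state.last_server_ms = server_recv_ms
    return "ok"

def run_session(packets: List[Tuple[int, int]]) -> List[str]:
    """packets: (server_recv_ms, client_ts_ms) per jump packet, in arrival order."""
    state = JumpState()
    return [validate_jump(state, s, c) for s, c in packets]

# Constructed sessions: the honest client's timestamp tracks the server clock;
# the patched one reports 1130 * k while actually jumping every few hundred ms.
HONEST_SESSION = [(1000, 5000), (2200, 6200), (3450, 7450)]
PATCHED_SESSION = [(1000, 1130), (1300, 2260), (1600, 3390), (2200, 4520)]

if __name__ == "__main__":
    print(run_session(HONEST_SESSION))
    print(run_session(PATCHED_SESSION))
```

The rate check alone catches the fast jumps; the drift check catches a patched client that slows down to the legitimate pace but still reports a timestamp that no longer tracks real time.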
11/17/2008 21:54 tanelipe#84
I'm not sure why that address doesn't work anymore; I advise you to find another place which can hold 2 bytes and is static (doesn't get accessed by any other part of the code). Finding this shouldn't be too hard. When you have done this, the only thing you need to do is modify the addresses and it should work. I haven't updated it for myself yet, so I don't have an example address.
11/18/2008 13:46 _fobos_#85
Quote:
Originally Posted by tanelipe View Post
I'm not sure why that address doesn't work anymore; I advise you to find another place which can hold 2 bytes and is static (doesn't get accessed by any other part of the code). Finding this shouldn't be too hard. When you have done this, the only thing you need to do is modify the addresses and it should work. I haven't updated it for myself yet, so I don't have an example address.
Code:
004BB7C8              E8 ADAC0400          CALL <JMP.&WINMM.timeGetTime>


004BB7C8             /E9 33550800          JMP Conquer_.00540D00

00540D00              8105 C8275800 6A0400>ADD DWORD PTR DS:[5827C8],46A
00540D0A              A1 C8275800          MOV EAX,DWORD PTR DS:[5827C8]
00540D0F            ^ E9 B9AAF7FF          JMP Conquer_.004BB7CD
;)
11/18/2008 14:58 Azothoras#86
Quote:
Originally Posted by _fobos_ View Post
Code:
004BB7C8              E8 ADAC0400          CALL <JMP.&WINMM.timeGetTime>


004BB7C8             /E9 33550800          JMP Conquer_.00540D00

00540D00              8105 C8275800 6A0400>ADD DWORD PTR DS:[5827C8],46A
00540D0A              A1 C8275800          MOV EAX,DWORD PTR DS:[5827C8]
00540D0F            ^ E9 B9AAF7FF          JMP Conquer_.004BB7CD
;)
What does this address access? It doesn't access anything, not in my conquer.exe or yours, whatever version you've got... hehe, and this is where the error occurs... :)
11/18/2008 19:22 _fobos_#87
Quote:
Originally Posted by Azothoras View Post
What does this address access? It doesn't access anything, not in my conquer.exe or yours, whatever version you've got... hehe, and this is where the error occurs... :)
Did you test it? :)
I had no trouble updating it at all. Download the multi I have released, open it up in Olly and go to the addresses you quoted; you will see it works just fine :)
Hint: look it up in the dump window :)
If you still have the old exe as well, load it up in Olly and go to the one in tanelipe's guide :)
You will find the way I updated it :)
11/18/2008 21:13 high6#88
This really isn't a tutorial, more of steps.
11/19/2008 12:27 ace_heart#89
I do non-DC and it works, but when I jump more it DCs and I see the msg "System: invalid jump" in the window.
Can you help me with why it DCs? I finished upgrading the CO YETI tool for patch 5072 but can't upload it for this reason.
11/19/2008 19:50 _fobos_#90
Oops, my bad, I messed up somewhere. I don't use speedhack myself :p
Just tested, my apologies :p
I'm gonna look into it; I assumed it worked, my bad :p