*HOT* How to make gamehacks for Conquer

01/12/2007 17:31 NoName#91
sorry but it's wrong compared to my notes, but I will take a deeper look later into what you found there. btw, you can do the whole tutorial just with a debugger, no need for any extra tools

edit: just took a short look into it. It isn't even the beginning of a function, nor does anything happen at that offset when jumping, walking, dropping, picking up, logging in or porting, those I tested

p.s. it might be interesting how you got there.
01/12/2007 20:22 giacometti#92
lol, I kinda cheated on your tutorial... well, it didn't work. I will explain in detail when I get home. Well, I have a little time now:

Basically I used CheatEngine 5.2. Found the msg, traced what accesses it (well, I needed to change the code finder of CE to the non-default method, because I got a ??? EAX, [EBX] thing), traced the function stored at EAX, and found the beginning of the msg function - very similar code. Now comes the problem: I traced that function and did a jump ingame... it was triggered, just fine. And the value at ESP was very similar, 0012F6C8 instead of 0012F6D0 in your old one. But when I checked the hex chain at this ESP address, it was a very strange one... something like 0012F???... and I think that something went wrong....

well, after a few unsuccessful attempts, I decided to look directly for the jump function. So I could at least know where I was supposed to get to at the end... And just looked for the hex chain of the jump function... I found two addresses (static ones). Checked their code and both are very similar (in fact they just differ in the address of the call and of the jump). I traced both and both were triggered when jumping and when walking. So I chose the first one. Maybe it was the second... :) Anyway, I will try again but with OllyDbg. That's it.
01/12/2007 20:33 NoName#93
I think it is best to use at least a debugger, which one is your choice, but it should be one that allows more than something like CheatEngine (don't know myself, I always use TSearch if I need something similar)

you should have posted the msg addy too so I could check if you landed there right
01/12/2007 21:12 giacometti#94
msg started at 0047e016. This must be right, damn. ;)
01/14/2007 03:01 NoName#95
didn't see your post till now and yes you are right
01/16/2007 18:53 Coksnuss#96
Quote:
now you have to know that in the register ESP the offset is saved where it jumps back to after executing the function. So we take a look into it, just right-click in the register window on the ESP register and choose Follow in Dump; in the memory window we now see the following:
I don't get that part :(...
There is no "Follow in Dump" option when I click in the register window...

And please tell me what ESP is O_o...

Thanks in advance...
01/16/2007 21:35 giacometti#97
right-click exactly over the value of ESP, you should get a popup if you are using OllyDbg.
01/16/2007 22:59 death1111#98
When I get to this part... "when the file is analyzed we use the Goto Code Location function and go to the offset '00475310', we scroll up to find the beginning of the function, and we quickly see that it is only 2 lines up; you can see the end of the function by the 'ret' (return), the next line is then the beginning of a new function."
-Right after I put 00475310 as the offset, W32Dasm doesn't respond. Any ideas?
01/16/2007 23:44 giacometti#99
make sure that you clicked on "Go to Code Location". It will just scroll to that location... you can see it in OllyDbg too. W32Dasm just shows it better organized.
01/17/2007 01:03 death1111#100
--This is what my W32Dasm looks like after I analyze "conquer.exe". Any suggestions as to what I did wrong? Or is it supposed to look like that?
01/17/2007 03:26 giacometti#101
oh, it would be better if you unpacked the exe before disassembling it... ;)
01/17/2007 05:59 death1111#102
How exactly do I unpack the .exe??
01/17/2007 07:26 Coksnuss#103
Quote:
Originally posted by death1111@Jan 16 2007, 22:59
When I get to this part... "when the file is analyzed we use the Goto Code Location function and go to the offset '00475310', we scroll up to find the beginning of the function, and we quickly see that it is only 2 lines up; you can see the end of the function by the 'ret' (return), the next line is then the beginning of a new function."
-Right after I put 00475310 as the offset, W32Dasm doesn't respond. Any ideas?
The 00475310 value has changed with the patch....

It's now 0047E020...

And you need UPX to unpack the exe

// Edit: Thanks giacometti
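The two replies above hinge on one thing: a UPX-packed executable shows W32Dasm almost nothing useful, and the tutorial's offsets only line up against the unpacked image. A quick way to tell whether a PE file is still packed before spending time in a disassembler is to read its section table. The example below is an added illustration, not code from this thread or from the tutorial.doc; it parses the PE section headers with the standard library only and flags the default section names the UPX packer writes. The sample images it builds are constructed in the script itself (they are not loadable programs), so it runs offline without any game client present.

```python
import struct

# Default section names written by the stock UPX packer.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def build_minimal_pe(section_names):
    """Constructed test data, not a real binary: a DOS header whose e_lfanew
    points at the 'PE\\0\\0' signature, a COFF file header, a zeroed PE32
    optional header and one 40-byte section header per name.  The image is
    not loadable; it only exercises the header parsing below."""
    e_lfanew = 0x40
    dos_header = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)  # e_lfanew field at 0x3C

    optional_header_size = 224  # size of a PE32 optional header
    coff_header = struct.pack(
        "<HHIIIHH",
        0x014C,               # Machine: IMAGE_FILE_MACHINE_I386
        len(section_names),   # NumberOfSections
        0, 0, 0,              # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        optional_header_size, # SizeOfOptionalHeader
        0x0102,               # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    # Optional header: Magic 0x10B (PE32) followed by zeros; the rest is unused here.
    optional_header = b"\x0B\x01" + b"\x00" * (optional_header_size - 2)

    section_table = b"".join(
        struct.pack(
            "<8sIIIIIIHHI",
            name.encode("ascii").ljust(8, b"\x00"),  # Name, NUL padded to 8 bytes
            0, 0, 0, 0, 0, 0, 0, 0, 0,               # sizes, pointers, counts, flags
        )
        for name in section_names
    )
    return bytes(dos_header) + b"PE\x00\x00" + coff_header + optional_header + section_table


def pe_section_names(data):
    """Return the section names listed in a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_offset = e_lfanew + 4
    (_machine, number_of_sections, _stamp, _symtab, _nsyms,
     optional_header_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff_offset)
    # Section table follows the 20-byte COFF header and the optional header.
    table_offset = coff_offset + 20 + optional_header_size
    names = []
    for index in range(number_of_sections):
        (raw_name,) = struct.unpack_from("<8s", data, table_offset + 40 * index)
        names.append(raw_name.rstrip(b"\x00").decode("ascii", errors="replace"))
    return names


def looks_upx_packed(data):
    """Heuristic only: the section table carries UPX's default names.  A packer
    build with renamed sections defeats this check, so a negative result does
    not prove the file is unpacked."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


if __name__ == "__main__":
    packed = build_minimal_pe(["UPX0", "UPX1", ".rsrc"])     # constructed sample
    plain = build_minimal_pe([".text", ".rdata", ".data"])   # constructed sample
    for label, image in (("packed", packed), ("plain", plain)):
        print(label, pe_section_names(image), "upx:", looks_upx_packed(image))
```

Run against a real file by replacing the constructed images with `open(path, "rb").read()`. A hit means to unpack first (the UPX tool's own `upx -d` does that for a stock-packed file) and only then look for the function offsets the tutorial describes; a miss only rules out the default names, so a disassembly that still shows almost no code is worth a second look.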
01/17/2007 12:22 NoName#104
Quote:
Originally posted by death1111@Jan 17 2007, 01:03
--This is what my W32Dasm looks like after I analyze "conquer.exe". Any suggestions as to what I did wrong? Or is it supposed to look like that?
Disassembler -> Font -> Select Font, choose one, then Disassembler -> Font -> Save Default Font
01/17/2007 14:47 giacometti#105
I updated the offsets in the tutorial.doc. Every change that I made is in pink color. ;) Maybe this helps you if you are getting too lost.