[Guide] Modifying client.

04/30/2008 12:38 zevorc#1
This guide will teach you how to modify the client for jump, zoom, multi-client, launcher bypass and finding debug registers.

The guide is also available for download in .doc form.

Multi-client / launcher bypass
Credits: akson.
Download OllyDbg from: OllyDbg v1.10
--------------*
Open OllyDBG
--------------*
File -> Open -> Choose your elementclient.exe
Right-click -> Search for -> All referenced text strings (#pic1)

In the Text strings window
Scroll to the top and left-click any line (#pic2)
Right-click -> Search for text
Key in "launch" -> OK
Double-click the line with the ASCII "Plz start game from launcher.exe" (#pic3)

In the CPU window
Double-click JNZ SHORT 00XXXXXX; an Assemble box will appear (#pic4)
Change JNZ to JMP -> press the Assemble button and close the box

Search for text again in the Text strings window
Search for "running"
Do the same again: double-click JE SHORT 00XXXXXX
Change JE to JMP -> press the Assemble button and close the box

Okay~
Right-click in the CPU window -> Copy -> Select all
Right-click in the CPU window -> Backup -> Update backup
Right-click in the CPU window -> Copy to Executable -> Selection (#pic5)
Olly will show a File window
Right-click in the File window -> Save file

Zoom Hack:

Credits: akson
Open Olly
Search for the sequence of commands:
fadd dword ptr [esi+40]
fst dword ptr [esi+40]

004056BE . D985 CD000000 fld dword ptr [ebp+CD]
004056C4 . D846 40 fadd dword ptr [esi+40]
004056C7 . D956 40 fst dword ptr [esi+40]
004056CA . D81D FCAB8400 fcomp dword ptr [84ABFC] <--- may be XXXXXX
004056D0 . DFE0 fstsw ax
004056D2 . 25 00410000 and eax, 4100
004056D7 . EB 03 jnz short 004056DC <--- change jnz to jmp
004056D9 . 894E 40 mov dword ptr [esi+40], ecx
004056DC > 8B07 mov eax, dword ptr [edi]
004056DE . 3BC3 cmp eax, ebx
004056E0 . 0F85 E8000000 jnz 004057CE



Jump Hack
Note: this is different on different servers; I am finding a command that works for all.
Search:
mov edi,[esi+00000b08]
NOP the line below cmp edi,[XXXXXXX]
Otherwise:
MOV EAX,DWORD PTR DS:[ESI+62C]
MOV EDX,EAX
SHR EDX,7
TEST BL,DL
One of the results is:
0045B7B6 |. 8BBE 080B0000 MOV EDI,DWORD PTR DS:[ESI+B08]
0045B7BC |. 8B0D B4EF8B00 MOV ECX,DWORD PTR DS:[8BEFB4] << can be XXXXXX
0045B7C2 |. 3BF9 CMP EDI,ECX << NOP
0045B7C4 |. 0F8D EB040000 JGE elementc.0045BCB5
0045B7CA |. 8A8E 0C0B0000 MOV CL,BYTE PTR DS:[ESI+B0C]
0045B7D0 |. 84C9 TEST CL,CL
Pic: jump1.jpg

Debug Registers
NPC ID, credits to ericjohn
This will enable the NPC ID.
Searching for the address that toggles the MP bar:
Search for 1 (1 byte), then untoggle it and search for 0, repeating until the search has been narrowed down and you have found it.

Finding the debug register:
Using a hex calculator:
address of toggle MP - 0x3B (NPC ID)
- 0x2E (Misc)
- 0x2D (Coords)
- 0x2C (Dist)
E.g. 57F834EA - 3B = 57F834AF

You can also debug the client to automate this.
Search for the command:
(address = toggle MP address)
MOV BYTE PTR DS:[address+2081],1 and change it to
MOV BYTE PTR DS:[npcid toggle address],1

and also change this:
MOV BYTE PTR DS:[address+2081],0 and change it to
MOV BYTE PTR DS:[npcid toggle address],0

Video Hack:
CECGame::Run(), break because CECGameRun::Tick return false << search for this text
jmp 0042bfac
cmp [esi+00000418],bl
je XXXXXXXX
NOP the line BELOW cmp (fill with NOPs)

How I found it:
Use Cheat Engine to search for values that changed between the video running and frozen >> got an address; look at what accesses it >> look for similar code in Olly >> find a pattern for it for easy updating.

New-Video Unfreeze
Note: some guides are directly copied and pasted; credits to the original authors.
04/30/2008 13:08 dimode#2
Wow, you just rule. Thank you, great thread. But could you explain this part for lamers like me:

Quote:
Originally Posted by zevorc View Post
Jump Hack
Note: this is different on different servers; I am finding a command that works for all.
Search:
mov edi,[esi+00000b08]
NOP the line below cmp edi,[XXXXXXX]
Otherwise:
MOV EAX,DWORD PTR DS:[ESI+62C]
MOV EDX,EAX
SHR EDX,7
TEST BL,DL
One of the results is:
0045B7B6 |. 8BBE 080B0000 MOV EDI,DWORD PTR DS:[ESI+B08]
0045B7BC |. 8B0D B4EF8B00 MOV ECX,DWORD PTR DS:[8BEFB4] << can be XXXXXX
0045B7C2 |. 3BF9 CMP EDI,ECX << NOP
0045B7C4 |. 0F8D EB040000 JGE elementc.0045BCB5
0045B7CA |. 8A8E 0C0B0000 MOV CL,BYTE PTR DS:[ESI+B0C]
0045B7D0 |. 84C9 TEST CL,CL
Pic: jump1.jpg
I mean, I've found the same parts of code in my .exe, but what should I change? And what's "nope"?
04/30/2008 13:42 Yka#3
Quote:
Originally Posted by dimode View Post
But could you explain this part for lamers like me:
I mean, I've found the same parts of code in my .exe, but what should I change? And what's "nope"?

Original client:

0045B633 |> 8B86 2C060000 MOV EAX,DWORD PTR DS:[ESI+62C] ; Case A of switch 0045AFC6
0045B639 |. 8BD0 MOV EDX,EAX
0045B63B |. C1EA 07 SHR EDX,7
0045B63E |. 84D3 TEST BL,DL
0045B640 |. 0F85 FF040000 JNZ elementc.0045BB45
0045B646 |. 8BBE 080B0000 MOV EDI,DWORD PTR DS:[ESI+B08]
0045B64C |. 8B0D 74BF8B00 MOV ECX,DWORD PTR DS:[8BBF74]
0045B652 |. 3BF9 CMP EDI,ECX
0045B654 |. 0F8D EB040000 JGE elementc.0045BB45
0045B65A |. 8A8E 0C0B0000 MOV CL,BYTE PTR DS:[ESI+B0C]
0045B660 |. 84C9 TEST CL,CL
0045B662 |. 0F85 DD040000 JNZ elementc.0045BB45
0045B668 |. 83BE E0050000 >CMP DWORD PTR DS:[ESI+5E0],2
0045B66F |. 0F84 D0040000 JE elementc.0045BB45
0045B675 |. C1E8 05 SHR EAX,5
0045B678 |. 84C3 TEST BL,AL


Right-click on the marked line -> Binary -> Fill with NOPs

Modified client:

0045B633 |> 8B86 2C060000 MOV EAX,DWORD PTR DS:[ESI+62C] ; Case A of switch 0045AFC6
0045B639 |. 8BD0 MOV EDX,EAX
0045B63B |. C1EA 07 SHR EDX,7
0045B63E |. 84D3 TEST BL,DL
0045B640 |. 0F85 FF040000 JNZ elementc.0045BB45
0045B646 |. 8BBE 080B0000 MOV EDI,DWORD PTR DS:[ESI+B08]
0045B64C |. 8B0D 74BF8B00 MOV ECX,DWORD PTR DS:[8BBF74]
0045B652 |. 3BF9 CMP EDI,ECX
0045B654 |. 90 NOP
0045B655 |. 90 NOP
0045B656 |. 90 NOP
0045B657 |. 90 NOP
0045B658 |. 90 NOP
0045B659 |. 90 NOP
0045B65A |. 8A8E 0C0B0000 MOV CL,BYTE PTR DS:[ESI+B0C]
0045B660 |. 84C9 TEST CL,CL
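The edits in zevorc's post #1 (JNZ or JE SHORT changed to JMP SHORT for the launcher check and the zoom hack) and in Yka's post above (six NOPs over the JGE at 0045B654) are one-byte and six-byte overwrites of the executable. The Python script below is an added example, not code from the thread or from the game: it locates the jump-hack site with a wildcard byte signature, so the absolute operand that differs between builds (8BBF74 in one listing, 8BEFB4 in the other) does not matter, NOPs the JGE, rewrites a JNZ SHORT (opcode 75 xx) into a JMP SHORT (EB xx) without touching the displacement, and maps an OllyDbg virtual address to a file offset the way "Copy to executable" does. The image base, section layout, INT3 padding and the JNZ/MOV pair are constructed for the example; the other instruction bytes are copied from the listings in this thread.

```python
# Added example, not code from the original thread or from the game.  It performs
# the two byte-level edits the posts make by hand in OllyDbg, from a script:
#   * JNZ/JE SHORT  -> JMP SHORT   (launcher check and zoom hack in post #1)
#   * JGE rel32     -> six NOPs    (jump hack, Yka's post #3)
# Section layout, image base and padding bytes are constructed; the instruction
# bytes come from the listings in the thread.
from typing import List, Optional, Tuple

NOP = 0x90
JMP_SHORT = 0xEB

# Constructed PE layout: image base 0x400000 (the 0045xxxx addresses in the thread
# fall in it) and one .text section at RVA 0x1000 starting at file offset 0x400.
# Tuple layout: (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData).
IMAGE_BASE = 0x00400000
SECTIONS: List[Tuple[int, int, int, int]] = [(0x1000, 0x00500000, 0x400, 0x00500000)]


def va_to_raw(va: int, image_base: int, sections: List[Tuple[int, int, int, int]]) -> int:
    """Map an OllyDbg virtual address (e.g. 0045B654) to a file offset.
    OllyDbg's 'Copy to executable' does this for you; a script must do it itself."""
    rva = va - image_base
    for sec_va, sec_vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(sec_vsize, raw_size):
            return rva - sec_va + raw_ptr
    raise ValueError(f"VA {va:#010x} is not inside any section")


def find_signature(data: bytes, sig: str) -> List[int]:
    """Offsets where a wildcard signature ('8B BE ?? ?? 3B F9') matches.
    The ?? bytes mask the operands that differ between client builds
    (8BBF74 vs 8BEFB4 in the thread), so one signature survives an update."""
    pat: List[Optional[int]] = [None if tok == "??" else int(tok, 16) for tok in sig.split()]
    return [
        i for i in range(len(data) - len(pat) + 1)
        if all(p is None or data[i + j] == p for j, p in enumerate(pat))
    ]


def jcc_rel32_target(insn_va: int, disp: int) -> int:
    """Target of a 6-byte 0F 8x rel32 jump: end of the instruction + displacement."""
    return (insn_va + 6 + disp) & 0xFFFFFFFF


def patch_short_jcc_to_jmp(data: bytearray, off: int) -> None:
    """75 xx (JNZ SHORT) or 74 xx (JE SHORT) -> EB xx (JMP SHORT), same displacement."""
    if not 0x70 <= data[off] <= 0x7F:
        raise ValueError(f"no short Jcc at offset {off:#x}: {data[off]:#04x}")
    data[off] = JMP_SHORT


def patch_nop(data: bytearray, off: int, length: int) -> None:
    """Overwrite `length` bytes with NOPs (OllyDbg: Binary -> Fill with NOPs)."""
    data[off:off + length] = bytes([NOP]) * length


# Jump-hack signature from the 'Original client' listing: MOV EDI,[ESI+B08];
# MOV ECX,[abs32]; CMP EDI,ECX; JGE rel32.  The abs32 and rel32 are wildcarded.
JUMP_SIG = "8B BE 08 0B 00 00 8B 0D ?? ?? ?? ?? 3B F9 0F 8D ?? ?? ?? ??"
JGE_OFFSET_IN_SIG = 14  # the 0F 8D opcode starts 14 bytes into the signature
JGE_LEN = 6


def apply_jump_hack(data: bytearray) -> List[int]:
    """NOP out every JGE that follows the CMP EDI,ECX pattern; return the hit offsets."""
    hits = find_signature(bytes(data), JUMP_SIG)
    for h in hits:
        patch_nop(data, h + JGE_OFFSET_IN_SIG, JGE_LEN)
    return hits


# Constructed sample "file": 0045B646..0045B667 from the 'Original client' listing,
# then a JNZ SHORT +3 / MOV [ESI+40],ECX pair shaped like the zoom-hack site,
# padded with INT3 bytes on both sides.
SAMPLE = bytearray(
    b"\xCC" * 8
    + bytes.fromhex("8BBE080B0000" "8B0D74BF8B00" "3BF9" "0F8DEB040000"
                    "8A8E0C0B0000" "84C9" "0F85DD040000")
    + bytes.fromhex("7503" "894E40")
    + b"\xCC" * 8
)


def demo() -> dict:
    """Run both patches on SAMPLE and report what a manual session would show."""
    data = bytearray(SAMPLE)
    hits = apply_jump_hack(data)
    jnz_off = data.find(b"\x75\x03\x89\x4E\x40")
    patch_short_jcc_to_jmp(data, jnz_off)
    return {
        "jump_hits": hits,
        "jge_target": jcc_rel32_target(0x0045B654, 0x04EB),        # where the JGE went
        "raw_of_jge": va_to_raw(0x0045B654, IMAGE_BASE, SECTIONS),  # file offset to edit
        "patched": bytes(data),
    }


if __name__ == "__main__":
    result = demo()
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in result.items()})
```

The rel32 check is worth doing before patching by hand: 0045B654 + 6 + 0x4EB = 0045BB45, which is exactly the target OllyDbg prints, so the six-byte length the NOP fill assumes is right. Filling with NOPs keeps every later instruction at its original address; replacing the six-byte JGE with a two-byte JMP would leave four stray bytes that the CPU would decode as garbage.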
05/01/2008 06:23 arjuna001#4
You talk about the jump hack. How can I do a speed hack? I'm a newbie.
05/01/2008 11:14 avande#5
Very good~~ thanks~~ zevorc, nice man~~
05/01/2008 18:01 ZeroGrav#6
Quote:
Originally Posted by zevorc;1075381

Jump Hack
Note: this is different on different servers; I am finding a command that works for all.
Search:
mov edi,[esi+00000b08] <--- What do I click to search for this?
NOP the line below cmp edi,[XXXXXXX]
Otherwise:
MOV EAX,DWORD PTR DS:[ESI+62C]
MOV EDX,EAX
SHR EDX,7
TEST BL,DL
One of the results is:
0045B7B6 |. 8BBE 080B0000 MOV EDI,DWORD PTR DS:[ESI+B08]
0045B7BC |. 8B0D B4EF8B00 MOV ECX,DWORD PTR DS:[8BEFB4] << can be XXXXXX
0045B7C2 |. 3BF9 CMP EDI,ECX << NOP
0045B7C4 |. 0F8D EB040000 JGE elementc.0045BCB5
0045B7CA |. 8A8E 0C0B0000 MOV CL,BYTE PTR DS:[ESI+B0C]
0045B7D0 |. 84C9 TEST CL,CL
Pic: jump1.jpg
Sorry for the noob question, I've never modded anything before, so it's really confusing to me..
05/02/2008 04:17 zevorc#7
You right-click -> Search for -> Command or Sequence of commands.
05/02/2008 08:04 kulas2k2#8
Quote:
Debug Registers
NPC ID, credits to ericjohn
This will enable the NPC ID.
Searching for the address that toggles the MP bar:
Search for 1 (1 byte), then untoggle it and search for 0, repeating until the search has been narrowed down and you have found it.
I haven't tried this one yet.. should I use CE to search for the address?
05/02/2008 08:35 Yka#9
Quote:
Originally Posted by zevorc View Post
NPC ID
What do you need for NPC ID?
05/02/2008 09:52 dimode#10
Quote:
Originally Posted by Yka View Post
Original client:

0045B633 |> 8B86 2C060000 MOV EAX,DWORD PTR DS:[ESI+62C] ; Case A of switch 0045AFC6
0045B639 |. 8BD0 MOV EDX,EAX
0045B63B |. C1EA 07 SHR EDX,7
0045B63E |. 84D3 TEST BL,DL
0045B640 |. 0F85 FF040000 JNZ elementc.0045BB45
0045B646 |. 8BBE 080B0000 MOV EDI,DWORD PTR DS:[ESI+B08]
0045B64C |. 8B0D 74BF8B00 MOV ECX,DWORD PTR DS:[8BBF74]
0045B652 |. 3BF9 CMP EDI,ECX
0045B654 |. 0F8D EB040000 JGE elementc.0045BB45
0045B65A |. 8A8E 0C0B0000 MOV CL,BYTE PTR DS:[ESI+B0C]
0045B660 |. 84C9 TEST CL,CL
0045B662 |. 0F85 DD040000 JNZ elementc.0045BB45
0045B668 |. 83BE E0050000 >CMP DWORD PTR DS:[ESI+5E0],2
0045B66F |. 0F84 D0040000 JE elementc.0045BB45
0045B675 |. C1E8 05 SHR EAX,5
0045B678 |. 84C3 TEST BL,AL


Right-click on the marked line -> Binary -> Fill with NOPs

Modified client:

0045B633 |> 8B86 2C060000 MOV EAX,DWORD PTR DS:[ESI+62C] ; Case A of switch 0045AFC6
0045B639 |. 8BD0 MOV EDX,EAX
0045B63B |. C1EA 07 SHR EDX,7
0045B63E |. 84D3 TEST BL,DL
0045B640 |. 0F85 FF040000 JNZ elementc.0045BB45
0045B646 |. 8BBE 080B0000 MOV EDI,DWORD PTR DS:[ESI+B08]
0045B64C |. 8B0D 74BF8B00 MOV ECX,DWORD PTR DS:[8BBF74]
0045B652 |. 3BF9 CMP EDI,ECX
0045B654 |. 90 NOP
0045B655 |. 90 NOP
0045B656 |. 90 NOP
0045B657 |. 90 NOP
0045B658 |. 90 NOP
0045B659 |. 90 NOP
0045B65A |. 8A8E 0C0B0000 MOV CL,BYTE PTR DS:[ESI+B0C]
0045B660 |. 84C9 TEST CL,CL
It works, nice =) Thank you :)
05/02/2008 12:37 KontooD#11
I am confused about the zoom hack, how can I fix it??

Sorry for my English ^ ^
05/02/2008 12:40 zevorc#12
Quote:
Originally Posted by kulas2k2 View Post
i haven't try this one yet.. should i use CE to search for the address?
Yes, use any memory searcher; I use Cheat Engine.

Quote:
What do you need for NPC ID?
Search for the toggle MP bar address, then subtract 3B (hex).
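The search zevorc describes here and in post #1 (scan for 1, untoggle, scan for 0, repeat) is the narrowing loop every memory scanner runs. The Python below is an added example, not code from the thread or from Cheat Engine: it runs that loop against a constructed fake process whose memory contains bytes that are always 1 and a frame counter that changes every tick, shows why a single scan is not enough, and then applies the -0x3B, -0x2E, -0x2D and -0x2C offsets from post #1. BASE, the byte positions and the FakeClient class are all constructed for the example and chosen so that the toggle-MP byte lands at 57F834EA, the address post #1 uses.

```python
# Added example, not code from the original thread or from Cheat Engine.  It runs
# the "search for 1, untoggle, search for 0, repeat" narrowing from post #1 and
# post #12 against a constructed fake memory image, then applies the -0x3B / -0x2E /
# -0x2D / -0x2C arithmetic to get the other toggle bytes.  BASE, the byte offsets
# and the fake client are all constructed for the example.
from typing import Dict, List

BASE = 0x57F83000       # constructed: where the fake client's memory is "mapped"
MP_TOGGLE_IDX = 0x4EA   # constructed so the MP toggle lands at 57F834EA, as in post #1
FRAME_IDX = 0x100       # constructed: a byte that changes every tick (a false positive)

# Offsets quoted in post #1, relative to the toggle-MP-bar byte.
TOGGLE_OFFSETS: Dict[str, int] = {"NPC ID": 0x3B, "Misc": 0x2E, "Coords": 0x2D, "Dist": 0x2C}


class FakeClient:
    """Stand-in for the game process: a flat byte array with some bytes that are
    always 1, a frame counter that keeps changing, and the MP-bar toggle byte."""

    def __init__(self) -> None:
        self.base = BASE
        self.mem = bytearray(0x1000)
        for idx in range(0x47, len(self.mem), 0x40):   # bytes that are 1 all the time
            self.mem[idx] = 1

    def tick(self) -> None:
        """One frame: the counter byte advances, nothing else changes."""
        self.mem[FRAME_IDX] = (self.mem[FRAME_IDX] + 1) & 0xFF

    def set_mp_bar(self, on: bool) -> None:
        self.mem[MP_TOGGLE_IDX] = 1 if on else 0


def scan_first(mem: bytes, value: int) -> List[int]:
    """First scan: every address holding the 1-byte value."""
    return [i for i, b in enumerate(mem) if b == value]


def scan_next(mem: bytes, candidates: List[int], value: int) -> List[int]:
    """Next scan: keep only the candidates that now hold the value."""
    return [a for a in candidates if mem[a] == value]


def narrow_mp_toggle(client: FakeClient, max_rounds: int = 8) -> List[int]:
    """Alternate the MP bar on/off and rescan until one candidate is left."""
    on = True
    client.set_mp_bar(on)
    client.tick()
    candidates = scan_first(client.mem, 1)
    for _ in range(max_rounds):
        if len(candidates) <= 1:
            break
        on = not on
        client.set_mp_bar(on)
        client.tick()
        candidates = scan_next(client.mem, candidates, 1 if on else 0)
    return candidates


def related_toggles(mp_toggle_addr: int) -> Dict[str, int]:
    """Toggle-MP address minus the offsets from post #1 (the hex-calculator step)."""
    return {name: mp_toggle_addr - off for name, off in TOGGLE_OFFSETS.items()}


def demo() -> Dict[str, int]:
    """Narrow the fake client down to the MP toggle and derive the other toggles."""
    client = FakeClient()
    hits = narrow_mp_toggle(client)
    if len(hits) != 1:
        raise RuntimeError(f"not narrowed down yet: {len(hits)} candidates")
    mp_addr = client.base + hits[0]
    return {"toggle MP": mp_addr, **related_toggles(mp_addr)}


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name:10s} {addr:#010x}")
```

The first scan returns every byte that happens to be 1 at that moment, including the frame counter; only the second scan, taken after the bar has been untoggled, throws those out. Subtracting 0x3B from the result gives 57F834AF for the NPC ID toggle, the same value post #1 works out by hand.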
05/02/2008 13:26 KontooD#13
Quote:
Originally Posted by zevorc View Post
Yes, use any memory searcher; I use Cheat Engine.

Search for the toggle MP bar address, then subtract 3B (hex).

Can you teach it step by step? I am a total noob at Cheat Engine.
05/03/2008 08:31 mkpvc2007#14
Quote:
Originally Posted by zevorc View Post
Yes, use any memory searcher; I use Cheat Engine.

Search for the toggle MP bar address, then subtract 3B (hex).
I'm on the Thai server of Perfect World.
How about 'sub 3B (hex)'?
And you can keep the MP and HP values from ever being empty
by locking the address.
TH
05/03/2008 23:36 glitchz#15
I'm just wondering how people find this out in OllyDbg; I'm a noob at that, I only know CE.