Florensia -HShield Bypass + Multiclient (DIY)

12/18/2008 17:21 Fiestaa#1
Hi,

I'm mostly a lurker here, so to avoid the usual suspicion etc. I'm not going to provide exe's, just show you what to do, like a DIY guide. This is also my first successful hack ever (woo, go me!) so it's probably excruciatingly simple to a lot of people here... but, since I only did this BECAUSE a multiclient didn't already exist for Florensia on these forums, I figured it would be nice to give back to this community which is very helpful to many people. :handsdown:

I'm not an expert, either, so this isn't perfect, but it works, and that's all that matters, right? :}

K, first, you need Olly. If you don't have it, go download it. It's a decompiler. If you're totally lost right now, sorry, but I'm not really writing this as a newbie guide; you'll have to get someone to explain it to you.

First order of business is getting rid of shitty HShield, because it stops you opening up multiple copies of the game. Delete or rename the HShield folder in the Florensia\bin folder, then open up FlorensiaEN.bin in Olly and do an ASCII search. I use "Ultra String References Plugin" for this, but it may work without... try it and see, download the aforementioned plugin if not.

Now, in the new window of strings that popped up, Ctrl+F for 'hshield' and double-click the first instance of that word that it highlights.

If you scroll up from that line, pretty soon the section of code ends (begins) and you'll see this:

008CD6E7 CC INT3
008CD6E8 CC INT3
008CD6E9 CC INT3
008CD6EA CC INT3
008CD6EB CC INT3
008CD6EC CC INT3
008CD6ED CC INT3
008CD6EE CC INT3
008CD6EF CC INT3
008CD6F0 > 55 PUSH EBP

where that PUSH EBP is the beginning of the code chunk, and is a JUMP from a CALL somewhere else. So, rightclick, Goto->JMP from wherever it says.

That takes you into the middle of a JMP minefield. Make sure you don't select a different line and get yourself lost... right-click the line that was highlighted, and again do right-click, Goto->CALL from wherever it says.

Now you'll be at a line that probably looks like this:

008CDDDA . E8 2A97ECFF CALL Florensi.00797509

and below it, a MOVZX, followed by a TEST, and then a JNZ. That JNZ is what you need to change; double-click it and change it to a JMP.

A few lines down you'll find another TEST followed by another JNZ. Again, switch that JNZ for a JMP.

That's it, BOOM, HShield is dead. But now we want to disable the errors that force the game to close, because now it will complain that HShield isn't running. D'oh. Time to nuke that once and for all.

If you go back into your string references window, Ctrl+F to find the text "has no object leaks". Here is where you should end up:

008CE454 > 68 3C20EE00 PUSH Florensi.00EE203C ; /String = "Application has no object leaks."
008CE459 . FF15 44557601 CALL DWORD PTR DS:[<&KERNEL32.OutputDebu>; \OutputDebugStringA
008CE45F > C785 70DDFFFF >MOV DWORD PTR SS:[EBP-2290],0
008CE469 . 8D8D 90EAFFFF LEA ECX,DWORD PTR SS:[EBP-1570]
008CE46F . FF15 54587601 CALL DWORD PTR DS:[<&MSVCP71.??1?$basic_>; MSVCP71.??1?$basic_string@DU?$char_traits@D@std@@V ?$allocator@D@2@@std@@QAE@XZ
008CE475 . 8B85 70DDFFFF MOV EAX,DWORD PTR SS:[EBP-2290]
008CE47B > 5F POP EDI
008CE47C . 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
008CE47F . 33CD XOR ECX,EBP
008CE481 . E8 FC98EDFF CALL Florensi.007A7D82
008CE486 . 8BE5 MOV ESP,EBP
008CE488 . 5D POP EBP
008CE489 . C2 1000 RETN 10
008CE48C CC INT3
008CE48D CC INT3
008CE48E CC INT3
008CE48F CC INT3

The line we are interested in here is: 008CE47B (your equivalent will most likely be a different number, so use the above paste chunk to figure out which line you should be focusing on)

That line is being jumped to from a whole bunch of different instructions. Right-click that line, Goto->the first JMP item in the list. Then double-click that JMP and NOP its ass. :) Now read down the lines slowly, and find anything that JMPs to (your equivalent of 008CE47B), and NOP those as well. Do that 3 or 4 times and that should be sufficient.

Now, assuming no screwups, rightclick anywhere in the window and do Copy->Select All, followed by rightclick->Copy to executable->Selection.

In the new window, rightclick->Save File. Save it as FlorensiaEN.bin (but for the love of all that is holy, make sure you backup the original first!)


Now, when you load up the game, you'll get two errors regarding HShield... but the game WILL still load. If you then load the game again, you'll get three errors (HShield whinging + 'game is already operation') but, again, the client will still load, and you are free to log in two different accounts. Trading between them works, as does inviting them to party, etc. There's some weirdness, and of course, those errors you get at first are annoying, but apart from that it's perfect. :D

If anyone wants to use this as a basis for a better hack, go ahead, you got my full permission to do whatever. Just don't shove a virus in it and distribute exe's saying "this was made by Fiestaa, enjoy!!" :P

Edit: Oh, also, you might need to change the Launcher.exe a bit too. If it complains about "game already operation", you'll want to search for that string in Olly and NOP whatever jumps to that section of code (you'll see a little > symbol next to any lines that are jumped to from elsewhere, meaning if you see one of these near that string, rightclick and goto->JMP from wherever, and NOP that line. Hope that makes sense.)
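For anyone on the operations side of a game like this: the two edits this post describes (a conditional JNZ rewritten to JMP, and a jump overwritten with NOPs) are easy to detect once you hold a known-good copy of the client. The following script is an added example written for this thread, not code from the original poster or from the game; it hashes a suspect file against the known-good copy, then walks the byte-level differences and names the patch pattern each one matches. The byte sequences in it are constructed to resemble the instruction sequence quoted above, and are not taken from FlorensiaEN.bin.

```python
"""Added example: detect the kind of client patch described in this thread.

Compare a known-good copy of a binary with a suspect copy, report every run
of changed bytes, and classify the two patch patterns the thread uses (a short
conditional jump rewritten to JMP, and instructions overwritten with NOPs).
All sample bytes below are constructed for illustration, not from the game.
"""

import hashlib

# x86 opcode bytes the thread's patches touch (standard encodings).
NOP = 0x90
JMP_SHORT = 0xEB                 # EB rel8
JMP_NEAR = 0xE9                  # E9 rel32
JCC_SHORT = range(0x70, 0x80)    # 70..7F rel8, e.g. 74 JZ / 75 JNZ
JCC_NEAR_PREFIX = 0x0F           # 0F 80..8F rel32


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_runs(good: bytes, suspect: bytes):
    """Yield (offset, original, replacement) for each contiguous run of differing bytes."""
    if len(good) != len(suspect):
        raise ValueError(f"size mismatch: {len(good)} vs {len(suspect)} bytes")
    i, n = 0, len(good)
    while i < n:
        if good[i] == suspect[i]:
            i += 1
            continue
        j = i
        while j < n and good[j] != suspect[j]:
            j += 1
        yield i, good[i:j], suspect[i:j]
        i = j


def classify(original: bytes, patched: bytes) -> str:
    """Name the patch pattern a changed run corresponds to."""
    if all(b == NOP for b in patched):
        return "nop-fill"
    if original[0] in JCC_SHORT and patched[0] == JMP_SHORT:
        return "jcc-short->jmp-short"
    if (len(original) >= 2 and original[0] == JCC_NEAR_PREFIX
            and 0x80 <= original[1] <= 0x8F and patched[0] == JMP_NEAR):
        return "jcc-near->jmp-near"
    return "other"


def audit(good: bytes, suspect: bytes, known_good_sha256: str) -> dict:
    """Whole-file integrity check plus a classified list of byte-level differences."""
    findings = [(off, orig, new, classify(orig, new))
                for off, orig, new in changed_runs(good, suspect)]
    return {
        "hash_matches": sha256_hex(suspect) == known_good_sha256,
        "findings": findings,
    }


# Constructed sample: a CALL / MOVZX / TEST / JNZ sequence like the one the
# first post describes, followed by a short JMP like the one quoted later.
SAMPLE_GOOD = bytes([
    0xE8, 0x2A, 0x97, 0xEC, 0xFF,   # CALL rel32
    0x0F, 0xB6, 0xC0,               # MOVZX EAX,AL
    0x85, 0xC0,                     # TEST EAX,EAX
    0x75, 0x10,                     # JNZ SHORT +0x10   (offset 10)
    0x33, 0xC0,                     # XOR EAX,EAX
    0xEB, 0x28,                     # JMP SHORT +0x28   (offset 14)
    0x6A, 0x00,                     # PUSH 0
])

# The same bytes after the two edits the thread applies: JNZ -> JMP, JMP -> NOP NOP.
_patched = bytearray(SAMPLE_GOOD)
_patched[10] = JMP_SHORT
_patched[14:16] = bytes([NOP, NOP])
SAMPLE_SUSPECT = bytes(_patched)


def audit_sample() -> dict:
    """Run the audit over the constructed sample pair."""
    return audit(SAMPLE_GOOD, SAMPLE_SUSPECT, sha256_hex(SAMPLE_GOOD))


if __name__ == "__main__":
    result = audit_sample()
    print("hash matches known-good:", result["hash_matches"])
    for off, orig, new, kind in result["findings"]:
        print(f"offset 0x{off:04x}: {orig.hex()} -> {new.hex()}  [{kind}]")
```

The hash alone is enough to say "this file was changed"; the classified diff is what tells an analyst what was changed, which is the difference between a corrupted download and a deliberately patched client. On a real file the same functions apply unchanged: read both copies with `open(path, "rb").read()` and pass the vendor's published hash as `known_good_sha256`.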
12/21/2008 18:05 shabanikto#2
Hi there

thanks for your guide, I'll certainly try it out.

Merry Christmas
12/22/2008 07:39 suruba#3
Sorry, do you mind explaining in detail how I do an ASCII search?

Like right-click CPU, maybe Search for - ??

I used "All referenced text strings" for Perfect World but I can't find "search ASCII".

thanks
12/23/2008 06:13 Fiestaa#4
Ah sorry, yeah I can explain that.

Right-click anywhere in the CPU window and go to "Search for -> All referenced text strings".

You can then right-click -> "Search for text".
12/24/2008 17:24 namirdani#5
Works fine, thx a lot.

Does someone know some hacks with CE??

I wish u all a merry X-Mas
12/27/2008 17:16 Colle2#6
What exactly can you do with this? My English isn't really good!
01/04/2009 07:09 ardale#7
Man, when I do the search for hshield the highlighted line does not appear, and at the bottom of Olly it says "single step event at ntdll.7d62f565 - use shift+f7/f8/f9 to pass exception to program" and there's a "paused" that has been highlighted in yellow at the bottom right corner. What should I do?
01/04/2009 07:31 zevorc#8
=) Nice guide~ easy to follow and works well.
many thanks
01/04/2009 16:59 Fiestaa#9
Ardale, make sure you're not actually running the game while you do this, and also, make sure you're not running it via "debug", because that's what it sounds like you're doing. :}


Some people have asked for more detail regarding the Launcher part, so this is a copypaste from what I just wrote to HimikoChan in a PM (hope you don't mind, Himiko ;P)

The reason I didn't go into detail there was because I (stupidly) forgot to back up Launcher before modifying it... so I don't have the original to compare anymore. xD

Whenever the game makers make a new patch, though, I'll get a fresh copy of Launcher from that, and can add some more detail to my instructions here.

Basically what you need to do is search strings for the error message that the launcher gives (I think it's "game is already operation" but the wording might be different). Then when you enter that area of code, you should start looking for operations that point towards this section.

So, you're looking at that line "game is already operation". Do you see a symbol that looks like an arrow pointing down? Examine the lines above, looking for that symbol. If in doubt, rightclick each of them and see if you can do "goto -> JMP from" any of them.

The first line that you come to during your upwards travel that is a JMP from elsewhere, follow that JMP. It really shouldn't be more than a few lines up, at most. Then wherever you end up, NOP that instruction.

That SHOULD work, but you may need to experiment a bit (it took me a while to do it right, too). Remember to backup first, and only change ONE thing at a time. It helps to keep a list of things you tried in Notepad or something, so you don't get confused.

Well, hopefully that helps, but like I said, as soon as they patch the game I'll have to crack it again anyway, so I will post more detailed instructions when that happens.

Have fun. :}
01/07/2009 05:19 ardale#10
Ohh, I see... tnx a lot man
01/07/2009 13:23 stupith3ros#11
Hi... thanks for the great guide...

The error "Game is already operation" can be found in Florensia.bin....

[screenshot: link visible only to registered forum users]
:mofo:
01/10/2009 16:03 plsnoban#12
I found it there, I did what fiestaa wrote, but I still get the message "Game is already operation". help pls
01/11/2009 12:25 namirdani#13
[GERMAN, translated]

Hello everyone.

After many hours I finally managed to start a multi-client with the German version.

I'll explain how it works for me.

1. Open OllyDbg
2. Open the file "FlorensiaEN.bin"
3. Right-click ---> Search for ---> All referenced text strings
4. Right-click ---> Search text ---> "Game is already operation"
5. After you have double-clicked, you have to go down a bit until you see this symbol here ">". For me it is 008CDE95
6. Right-click ---> Go To ---> JMP from XXXXXXXX
7. You should now be a little further up. There, double-click, type JMP in front, tick "Fill with NOPs" and then click Assemble.
8. Right-click ---> Copy ---> Select All
9. Right-click ---> Copy to Executable ---> Selection
10. Right-click ---> Save File ---> overwrite the file FlorensiaEN.bin.
11. Now start Florensia first. When the HackShield error comes up, don't press anything yet. First open a new game until the HackShield error comes up again.


I tried it the way it was described in this TUT, but apparently it doesn't work the same for everyone.

I wish you all lots of fun gaming.

Regards, namirdani


[ENGLISH]

Hello people of the world
I've tried it for some hours till it runs on my PC
my English is very very bad but I'm trying to explain how u can run a multi-client

1. open OllyDbg
2. Open the file FlorensiaEN.bin
3. right-click ---> search for all referenced text strings
4. search "Game is already operation"
5. do a double-click :)
6. go down till u can do a Go To Jump
7. Jump there and do a double-click again
8. type JMP there, Fill it with NOPs and press ASSEMBLE
9. right-click ---> copy ---> select all
10. right-click ---> copy to executable ---> selection
11. right-click again and save the file and overwrite it.

now when u start Florensia wait till the error from HackShield appears
don't click anything now, just start another game of Florensia till the HackShield error appears again.
now you can go on and play it with multi
01/11/2009 19:40 stupith3ros#14
Quote:
Originally Posted by plsnoban
I found it there, I did what fiestaa wrote, but I still get the message "Game is already operation". help pls
For the "Game is already operation" error, search the string in FlorensiaEN.bin... like in Fiestaa's tutorial....

Look for the address on the first line (008CDE6B)...
Code:
008CDE6B   . EB 28          JMP SHORT Florensi.008CDE95
008CDE6D   . 6A 00          PUSH 0                                   ; /Style = MB_OK|MB_APPLMODAL
008CDE6F   . 68 F41EEE00    PUSH Florensi.00EE1EF4                   ; |Title = "Error"
008CDE74   . 68 FC1EEE00    PUSH Florensi.00EE1EFC                   ; |Text = "Game is already operation."
008CDE79   . 6A 00          PUSH 0                                   ; |hOwner = NULL
008CDE7B   . FF15 045E7601  CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
008CDE81   . 8B95 F0FBFFFF  MOV EDX,DWORD PTR SS:[EBP-410]
008CDE87   . 52             PUSH EDX                                 ; /hObject
008CDE88   . FF15 60557601  CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
008CDE8E   . 33C0           XOR EAX,EAX
008CDE90   . E9 E6050000    JMP Florensi.008CE47B
008CDE95   > 8D85 88DDFFFF  LEA EAX,DWORD PTR SS:[EBP-2278]
NOP that JMP
01/13/2009 14:51 Fiestaa#15
Okay, now that the new update has occurred, I can tell you about the process of hacking the Launcher. :}

If you haven't already figured it out, the launcher will give you an error message called: "Now Game Playing AllGameClose Launcher restart"

If this happens, search for that string in Olly.

You will arrive somewhere similar to this:

[screenshot: link visible only to registered forum users]

Scroll up until you see the line indicated (a "CALL from" somewhere). Go to where that CALL came from, and you will end up here:

[screenshot: link visible only to registered forum users]

NOP the JNZ you'll see a few lines up (as indicated). Then that should solve it.