Anyone Can help me and teach me What ineed to do to have Infinite Zoom if i use Sbot , The moderators from Sbot took this option away ... and i rly need it :) Thx for help and sry for my noobish :D
Help with Infinite Zoom
08/07/2009 02:01
mihai_paculea#1
08/08/2009 17:25
tamalanrea#2
i'am use Sbot and i can infinite zoom.
08/08/2009 19:48
r3vRb#3
since version 1.31b the zoomhack is disabled because you need to modified the sro_client.exe i dont know how u can use infinite zoom with 1.33bQuote:
i'am use Sbot and i can infinite zoom.
08/09/2009 04:50
Electrified0#4
Just so you know, the mods of sbot don't "remove" anything, they're forum moderators, nothing more. The admins are the actual coders of the bot. So ask them lol, it was most likely for security purposes.
08/09/2009 06:19
pushedx#5
Here's a mini guide for "zoomhack" I've written.
The first thing you need to do is find in the client where the "zooming" takes places. For most games this is pretty easy since the mouse wheel is used to change the zoom factor. Because of this, you need to track down the windows message that is sent when you scroll the mouse. That message is [Only registered and activated users can see links. Click Here To Register...]. Figuring that out requires some basic Win32 programming knowledge.
Once you know the message, you just have to locate it in the client. For some games this is hard, for Silkroad it's easy. You just search for all constants and use the constant for the WM_MOUSEWHEEL message, which is 0x20A. In our case on the 205 client, you'll get a few results:
Now, you can just BP on them all and start tracing to see which is toggled when you scroll the wheel. You will want to actually BP after the code in the actual handler though. For example on the "CMP ESI,20A" entry, if you follow that in the client, you'll see:
The address of the conditional jump is where you want to BP because that logic is saying if(ESI == 0x20A) goto 0xA7B946.
Likewise for the "SUB EAX,20A" line, you will see a conditional jump and on the new line you'll see:
so that line is what you want to BP since it's the code executed if EAX == 0x20A (switch statement this time).
So that's the basics of how you go about finding areas to trace through based on the mouse wheel event. Once you know that, then it's just a matter of tracing the code.
The first BP that's hit (the switch statement) doesn't have much code in it, so you can be sure that's not the right area. You'll find one pretty empty call and then another call with code related to multithreading (you know with the critical section calls)
The second BP that's hit is a bit more interesting. You will see a function pointer call that you can only trace in real time. Here's the code listing:
When you trace into the CALL EDX address, you will see a lot of floating point code. Floating point code always stands out because of the instructions that are used. You can be pretty sure you are in the right area once you start setting floating point code when looking for zoom code.
Here's that complete listing:
Now, you kind of need to know ASM to know what to look for, but the zoom limitations really stick out here. They are:
Zoom minimal:
Zoom maximal:
If you trace the conditional jumps after the test call, you can easily see this code sets the zoom range. For the maximal zoom, you will notice that when you are not at the max, the line:
will always execute and skip over the code. When you reach the zoom limit, it will not execute and you will execute the next line this time:
which basically changes the current zoom (which is past the max limit) to the max limit.
If you change the JPE to a JMP, then you will never set the zoom to the maximal value, thus creating a "zoom hack".
So, the final code for the zoom hack is simply:
You can either repeat this process of tracking down the zoom logic or you can create a binary snippet to search for each time. For a binary snippet, you don't want to select any lines that have physical addresses since those change client to client. You want code that's non-address based instructions or ones that use offsets. That's up to you though. once you know how to find it, it's not too hard to do again. :)
The first thing you need to do is find in the client where the "zooming" takes places. For most games this is pretty easy since the mouse wheel is used to change the zoom factor. Because of this, you need to track down the windows message that is sent when you scroll the mouse. That message is [Only registered and activated users can see links. Click Here To Register...]. Figuring that out requires some basic Win32 programming knowledge.
Once you know the message, you just have to locate it in the client. For some games this is hard, for Silkroad it's easy. You just search for all constants and use the constant for the WM_MOUSEWHEEL message, which is 0x20A. In our case on the 205 client, you'll get a few results:
Code:
References in sro_clie: to constant 20A Address Disassembly Comment 0050F651 MOV DWORD PTR SS:[ESP+20A],EAX 00A7B91F CMP ESI,20A 00A87E08 SUB EAX,20A
Code:
00A7B91F |> \81FE 0A020000 CMP ESI,20A 00A7B925 |. 74 1F JE SHORT sro_clie.00A7B946
Likewise for the "SUB EAX,20A" line, you will see a conditional jump and on the new line you'll see:
Code:
00A87E26 |> \0FBFC6 MOVSX EAX,SI ; Case 20A of switch 00A87C57
So that's the basics of how you go about finding areas to trace through based on the mouse wheel event. Once you know that, then it's just a matter of tracing the code.
The first BP that's hit (the switch statement) doesn't have much code in it, so you can be sure that's not the right area. You'll find one pretty empty call and then another call with code related to multithreading (you know with the critical section calls)
The second BP that's hit is a bit more interesting. You will see a function pointer call that you can only trace in real time. Here's the code listing:
Code:
00A7B946 |> \8B4B 18 MOV ECX,DWORD PTR DS:[EBX+18] 00A7B949 |. 0FB743 0A MOVZX EAX,WORD PTR DS:[EBX+A] 00A7B94D |. 8B17 MOV EDX,DWORD PTR DS:[EDI] 00A7B94F |. 8B92 90000000 MOV EDX,DWORD PTR DS:[EDX+90] 00A7B955 |. 51 PUSH ECX 00A7B956 |. 8B4B 14 MOV ECX,DWORD PTR DS:[EBX+14] 00A7B959 |. 51 PUSH ECX 00A7B95A |. 50 PUSH EAX 00A7B95B |. 6A 00 PUSH 0 00A7B95D |. 8BCF MOV ECX,EDI 00A7B95F |. FFD2 CALL NEAR EDX ; sro_clie.006C88F0 00A7B961 |. 5E POP ESI 00A7B962 |. 5D POP EBP 00A7B963 |. 85C0 TEST EAX,EAX 00A7B965 |. 5B POP EBX 00A7B966 |. 0F95C0 SETNE AL 00A7B969 |. 5F POP EDI 00A7B96A |. 83C4 10 ADD ESP,10 00A7B96D |. C2 0400 RETN 4
Here's that complete listing:
Code:
006C88F0 . 56 PUSH ESI 006C88F1 . 8BF1 MOV ESI,ECX 006C88F3 . 80BE A2070000>CMP BYTE PTR DS:[ESI+7A2],1 006C88FA . 0F84 C6000000 JE sro_clie.006C89C6 006C8900 . 83BE DC070000>CMP DWORD PTR DS:[ESI+7DC],0 006C8907 . 74 1F JE SHORT sro_clie.006C8928 006C8909 . 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14] 006C890D . 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10] 006C8911 . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C] 006C8915 . 50 PUSH EAX 006C8916 . 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C] 006C891A . 51 PUSH ECX 006C891B . 52 PUSH EDX 006C891C . 50 PUSH EAX 006C891D . 8BCE MOV ECX,ESI 006C891F . E8 8CE8FFFF CALL sro_clie.006C71B0 006C8924 . 5E POP ESI 006C8925 . C2 1000 RETN 10 006C8928 > 0FBF4C24 0C MOVSX ECX,WORD PTR SS:[ESP+C] 006C892D . D986 EC030000 FLD DWORD PTR DS:[ESI+3EC] 006C8933 . 894C24 0C MOV DWORD PTR SS:[ESP+C],ECX 006C8937 . DB4424 0C FILD DWORD PTR SS:[ESP+C] 006C893B . DC35 5869CC00 FDIV QWORD PTR DS:[CC6958] 006C8941 . DEE9 FSUBP ST(1),ST 006C8943 . D95C24 0C FSTP DWORD PTR SS:[ESP+C] 006C8947 . D94424 0C FLD DWORD PTR SS:[ESP+C] 006C894B . D996 EC030000 FST DWORD PTR DS:[ESI+3EC] 006C8951 . D905 8016C400 FLD DWORD PTR DS:[C41680] 006C8957 . D8D1 FCOM ST(1) 006C8959 . DFE0 FSTSW AX 006C895B . DDD9 FSTP ST(1) 006C895D . F6C4 01 TEST AH,1 006C8960 . 75 08 JNZ SHORT sro_clie.006C896A 006C8962 . D99E EC030000 FSTP DWORD PTR DS:[ESI+3EC] 006C8968 . EB 02 JMP SHORT sro_clie.006C896C 006C896A > DDD8 FSTP ST 006C896C > 80BE CF030000>CMP BYTE PTR DS:[ESI+3CF],0 006C8973 . 74 1D JE SHORT sro_clie.006C8992 006C8975 . D905 60BBC600 FLD DWORD PTR DS:[C6BB60] 006C897B . D896 EC030000 FCOM DWORD PTR DS:[ESI+3EC] 006C8981 . DFE0 FSTSW AX 006C8983 . F6C4 41 TEST AH,41 006C8986 . 7A 08 JPE SHORT sro_clie.006C8990 006C8988 . D99E EC030000 FSTP DWORD PTR DS:[ESI+3EC] 006C898E . EB 02 JMP SHORT sro_clie.006C8992 006C8990 > DDD8 FSTP ST 006C8992 > D986 EC030000 FLD DWORD PTR DS:[ESI+3EC] 006C8998 . 6A 00 PUSH 0 006C899A . D95C24 10 FSTP DWORD PTR SS:[ESP+10] 006C899E . 6A 01 PUSH 1 006C89A0 . D94424 14 FLD DWORD PTR SS:[ESP+14] 006C89A4 . 8BCE MOV ECX,ESI 006C89A6 . D996 E8030000 FST DWORD PTR DS:[ESI+3E8] 006C89AC . 8B15 4881F900 MOV EDX,DWORD PTR DS:[F98148] ; sro_clie.00D77228 006C89B2 . D99A 7C030000 FSTP DWORD PTR DS:[EDX+37C] 006C89B8 . E8 23D2FFFF CALL sro_clie.006C5BE0 006C89BD . 6A 00 PUSH 0 ; /Arg1 = 00000000 006C89BF . 8BCE MOV ECX,ESI ; | 006C89C1 . E8 4A310100 CALL sro_clie.006DBB10 ; \sro_clie.006DBB10 006C89C6 > B8 01000000 MOV EAX,1 006C89CB . 5E POP ESI 006C89CC . C2 1000 RETN 10
Zoom minimal:
Code:
006C895D . F6C4 01 TEST AH,1 006C8960 . 75 08 JNZ SHORT sro_clie.006C896A 006C8962 . D99E EC030000 FSTP DWORD PTR DS:[ESI+3EC] 006C8968 . EB 02 JMP SHORT sro_clie.006C896C 006C896A > DDD8 FSTP ST
Code:
006C8983 . F6C4 41 TEST AH,41 006C8986 . 7A 08 JPE SHORT sro_clie.006C8990 006C8988 . D99E EC030000 FSTP DWORD PTR DS:[ESI+3EC] 006C898E . EB 02 JMP SHORT sro_clie.006C8992 006C8990 > DDD8 FSTP ST
Code:
006C8986 . /7A 08 JPE SHORT sro_clie.006C8990
Code:
006C8988 . D99E EC030000 FSTP DWORD PTR DS:[ESI+3EC]
If you change the JPE to a JMP, then you will never set the zoom to the maximal value, thus creating a "zoom hack".
So, the final code for the zoom hack is simply:
Code:
006C8983 . F6C4 41 TEST AH,41 006C8986 EB 08 JMP SHORT sro_clie.006C8990 ; Always JMP for zoom hack! 006C8988 . D99E EC030000 FSTP DWORD PTR DS:[ESI+3EC] 006C898E . EB 02 JMP SHORT sro_clie.006C8992 006C8990 > DDD8 FSTP ST
08/09/2009 08:38
darklord696#6
" Here's a mini guide for "zoomhack" I've written." omg if this mini i would like to see a big one ( joking ) thanks for sharing your method
08/13/2009 16:37
soadmania#7
i tried to find zoomhack but value of 00A7B95F address is not same. using 205 unpacked client.
Yours
Yours
and mineQuote:
00A7B95F |. FFD2 CALL NEAR EDX ; sro_clie.006C88F0
Quote:
00A7B95F |. FFD2 CALL EDX
08/13/2009 21:43
recking#8
so obviously, you are wrong, cause he is drew ;)Quote:
Yours
and mine
maybe u go back to the first steps...
08/13/2009 23:46
Electrified0#9
Well that was taken from a stickied topic in bot-cave.netQuote:
Inifinite Zoom:
The "inifinite" zoom will be gone, since this is the only function left, that depends on changes made to the client directly.
Maybe it will find its way into the bot later, maybe not. :(
Clientless:
We didn't add the go ''clientless'' function after re-login..
Because that would support many gold botters..
Since we don't support gold botters, we decided not to add this function.
08/15/2009 04:15
pushedx#10
It's the same, your Olly just has different settings on how to display the call.Quote:
Yours
and mine
See how the hex for the instruction is "FFD2" on mine and yours? That's all that matters.
If you want your settings to look like mine, here's a screenshot of the setting (Options->Debugging Options):
[Only registered and activated users can see links. Click Here To Register...]