Work Required ~ Player Detect Script

08/09/2009 08:40 Keith1#1
Well, I thought I'd give something back. I will not put my whole script that detects GMs and closes your client, but I will give a basic script that some of the pservers are using just for the lulz. You can make it work from this, and I don't believe it has the right address atm, but hey, if you aren't retarded you can make it work.

~Keith

[ENABLE]
alloc(newmem,1024)

label(returnhere)
label(originalcode)
label(exit)
label(flag)


registersymbol(name1)
label(name1)
registersymbol(name2)
label(name2)
registersymbol(name3)
label(name3)
registersymbol(name4)
label(name4)
registersymbol(name5)
label(name5)
registersymbol(name6)
label(name6)
registersymbol(name7)
label(name7)
registersymbol(name8)
label(name8)
label(index)
label(save_name)

53BB93:
jmp newmem
nop
nop
returnhere:

newmem:
mov [flag],FF
inc [index]
cmp [index],7
jb save_name
mov [index],0

save_name:
pushad
mov ebx,[index]
mov edx,name1
lea ecx,[edx+ebx*08]
lea ecx,[ecx+ebx*08]

mov ebx,[eax+70]
mov [ecx],ebx

mov ebx,[eax+74]
mov [ecx+4],ebx

mov ebx,[eax+78]
mov [ecx+8],ebx

mov ebx,[eax+7C]
mov [ecx+C],ebx
popad
originalcode:
mov [esi+0c],00000000

exit:
jmp returnhere

flag:
dd 00000000

name1:
dd 00000000 00000000 00000000 00000000
name2:
dd 00000000 00000000 00000000 00000000
name3:
dd 00000000 00000000 00000000 00000000
name4:
dd 00000000 00000000 00000000 00000000
name5:
dd 00000000 00000000 00000000 00000000
name6:
dd 00000000 00000000 00000000 00000000
name7:
dd 00000000 00000000 00000000 00000000
name8:
dd 00000000 00000000 00000000 00000000
index:
dd 00000000
[DISABLE]
53BB93:
mov [esi+0c],00000000

dealloc(newmem)
08/09/2009 09:26 ind3siszive#2
ahh i think i see what you're doing here



ooooh i have an idea hehehe
08/09/2009 14:26 6Drako9#3
Nice
but now I have to find the address...and without the help of Array of Bytes :(
btw why would you need 7 different saved Names?
only 1 is enough to detect GMs

Also, do you know if this works even if the GM is in ghost mode?


EDIT: Also for those of you who want to make this script detect GMs
just compare [name1] with 5D4D475B and then CRASH 2MOONS muahahhahaha ^_^
I'm guessing that's what Keith used the flag for... since it's not used in the script
08/09/2009 17:56 Keith1#4
Well, this script is somewhat different than my personal one. This is just a basic player detect script that will detect people if they have ghost mode on.
As I said, some of the pserver staff use it to get the names of people hacking in ghost mode. That is why there are 7, because with the other parts it just has the addresses, so it comes up and you can see what the player's IGN is.


Anyways, yer... lol. Have fun, I'll give help to those who deserve it I suppose. But I won't give my script or tell you exactly step by step what to do to get it working 100% (The UG would kill me xD)
08/09/2009 22:31 6Drako9#5
WOOOOT here it is,
through trial and error i got the address
00550863

Code:
[ENABLE]
alloc(GetName,512)
label(ReturnName)
label(Name)
registersymbol(Name)

GetName:
pushad
mov edx,Name
lea ecx,[edx+ebx*08]
lea ecx,[ecx+ebx*08]
mov ebx,[eax+70]
mov [ecx],ebx
mov ebx,[eax+74]
mov [ecx+4],ebx
mov ebx,[eax+78]
mov [ecx+8],ebx
mov ebx,[eax+7C]
mov [ecx+C],ebx
cmp [eax+70],5D4D475B //[GM]
je 00000000
popad
mov [esi+0c],00000000
jmp ReturnName
Name:
dd 00000000 00000000 00000000 00000000

00550863: //C7 46 0C 00 00 00 00 89 47 04
jmp GetName
nop
nop
ReturnName:

[DISABLE]
dealloc(GetName)
00550863:
mov [esi+0c],00000000
OR
Code:
[ENABLE]
alloc(DetectGM,512)
label(ReturnName)
registersymbol(DetectGM)

DetectGM:
cmp [eax+70],5D4D475B //[GM]
je 00000000
mov [esi+0c],00000000
jmp ReturnName

00550863: //C7 46 0C 00 00 00 00 89 47 04
jmp DetectGM
nop
nop
ReturnName:

[DISABLE]
dealloc(DetectGM)
unregistersymbol(DetectGM)
00550863:
mov [esi+0c],00000000
EDIT: sorry I changed the script a lil
cuz i didn't like the other bulky thing

Keith if you want me to take down this script I will honor your word. Just tell me
+ I want to know if this is how you made the game crash.
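Added example, not part of the thread or any poster's code: a server-side or anti-cheat integrity check that compares a snapshot of the code at the address above with the original bytes quoted in the script comment, and reports a `jmp rel32` detour with its resolved target. The patched snapshot, the jump target and the image range are constructed or assumed values.

```python
import struct

# Quoted in the thread: the patched address and the original bytes at it.
HOOK_SITE = 0x00550863
ORIGINAL = bytes.fromhex("C7460C00000000894704")
# Constructed sample: the same bytes after a 5-byte jmp plus two NOPs was
# written over the 7-byte mov. The jump target 0x02A30000 is made up.
PATCHED = bytes.fromhex("E998F74D029090894704")
# Assumed image range for the executable (not stated in the thread).
IMAGE = (0x00400000, 0x00A00000)

def find_patches(base, original, current, image=IMAGE):
    """Return one finding per modified run in a code snapshot."""
    if len(original) != len(current):
        raise ValueError("snapshots must have equal length")
    findings, i = [], 0
    while i < len(current):
        if current[i] == original[i]:
            i += 1
            continue
        start, kind, target = i, "unknown", None
        if current[i] == 0xE9 and i + 5 <= len(current):
            # E9 rel32: the target is relative to the end of the instruction.
            rel = struct.unpack_from("<i", current, i + 1)[0]
            target = (base + i + 5 + rel) & 0xFFFFFFFF
            kind = "jmp rel32"
            i += 5
            # Swallow NOP padding covering the rest of the old instruction.
            while (i < len(current) and current[i] == 0x90
                   and original[i] != 0x90):
                i += 1
        else:
            while i < len(current) and current[i] != original[i]:
                i += 1
        outside = target is not None and not image[0] <= target < image[1]
        findings.append({
            "address": base + start,
            "kind": kind,
            "length": i - start,
            "target": target,
            "outside_image": outside,
        })
    return findings

if __name__ == "__main__":
    for finding in find_patches(HOOK_SITE, ORIGINAL, PATCHED):
        print(finding)
```

A detour whose target lies outside the module image points at dynamically allocated memory, which is the strongest signal in the finding.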
08/10/2009 07:08 ind3siszive#6
address is easy to find, just scan for a certain opcode that I'm not going to say in a debugger
08/10/2009 07:17 6Drako9#7
Not really indesiszive... try scanning for the original code... you will get over 300 results
08/10/2009 07:44 Sodomizied#8
6Drako9 so your script will show if a GM pops up by you? Btw very nice i'll give you Thanks once you answer my question.
08/10/2009 08:19 6Drako9#9
no it won't just show you a gm is there... it will close the game.
However I just tested it and it kind of takes a little while :( (about 60 seconds)

bagi please give thanks to Keith too.
I updated and simplified the script but he provided it
NOTE: also I just updated the script so copy the current one (the last one would reset the computer entirely LOL, but this new one doesn't :D)
08/10/2009 08:24 Sodomizied#10
Quote:
Originally Posted by 6Drako9
no it won't just show you a gm is there... it will close the game.
However I just tested it and it kind of takes a little while :( (about 60 seconds)

bagi please give thanks to Keith too.
I updated and simplified the script but he provided it
NOTE: also I just updated the script so copy the current one (the last one would reset the computer entirely LOL, but this new one doesn't :D)
k thx I will for both of you was just making sure.

Also... the address you posted

00550863

Is the one for Normal dekaron.exe or unpacked dekaron.exe?
08/10/2009 08:47 6Drako9#11
Quote:
Originally Posted by bagipower
k thx I will for both of you was just making sure.

Also... the address you posted

00550863

Is the one for Normal dekaron.exe or unpacked dekaron.exe?
no I'm not gonna help you anymore because you already thanked me :p

lol jk



well I'm not using the unpacked.. but it should be for both
so if you are either using dekaron version 4.6.24 or unpacked_dekaron_4.6.23 then don't worry about it because I just tested it and it works fine on both

oh and OOPS copy the script again lol cuz if you would have a friend whose name started with "kyno" you would never be able to meet them again lol, if you know what I mean
08/10/2009 09:19 Sodomizied#12
Quote:
Originally Posted by 6Drako9
no I'm not gonna help you anymore because you already thanked me :p

lol jk



well I'm not using the unpacked.. but it should be for both
so if you are either using dekaron version 4.6.24 or unpacked_dekaron_4.6.23 then don't worry about it because I just tested it and it works fine on both

oh and OOPS copy the script again lol cuz if you would have a friend whose name started with "kyno" you would never be able to meet them again lol, if you know what I mean
Lol xD , Uber thx

Literally thanks a lot lol
08/10/2009 10:31 HellSpider#13
Quote:
Originally Posted by bagipower
k thx I will for both of you was just making sure.

Also... the address you posted

00550863

Is the one for Normal dekaron.exe or unpacked dekaron.exe?
The virtual addresses are same for both packed and unpacked because the packed executable gets unpacked in memory anyway :).
08/10/2009 12:19 insert#14
I sure could use a GM detect script. I already lost my 114 sum.
I have a 113 sum remade. Anybody hit me up in PM cause I am sick of gettin banned by these ghost-mode-fuckers.
08/10/2009 14:19 bottomy#15
Quote:
Originally Posted by insert
I sure could use a GM detect script. I already lost my 114 sum.
I have a 113 sum remade. Anybody hit me up in PM cause I am sick of gettin banned by these ghost-mode-fuckers.

didn't see the first page? lol