So someone requested this to me, and I feel it is somewhat important to know.
It's a fairly simple concept and with proper analysis anyone can figure this out, without any real advanced ASM knowledge.
So when we look at the wall script we have this section here.
CMP is a compare operation, at the line where it says
This is basically comparing the value at [eax+00000402] (which is where the map is currently being stored), with the bytes 5F 62 65 77 (which translate from Hex to String as "_bew".
I am not sure the exact reason but the memory is written in backwards when writing the script, this is absolutely necessary for it to work correctly.
Moving on, what is happening in the script next:
After comparing the two values, there is a JE operation (jump if equal).
This essentially moves our execution to a different portion of the code provided that the two values that were CMP'ed or compared are equal. If they are not equal it will skip the JE and execute the next line in code.
In our case, it will compare the value to be equal to "bew_" or as we recognize it as "web_". This is the begging of "web_image.mac". We only need the first four string values of each map. If it is equal it will skip this value and jump the execution to "ReturnWall",which, in this script, is returning us back to where the original code should have left off if unmodified. This compare value makes it so that if it see the map is already set to "web_image.mac". It will then skip that since there is no need to replace something that is already there.
If the values are not equal it will then MOV (copy) "web_image.mac" into the register [eax+00000402].
Each value must be 4 bytes long. This is why the offset changes in 4 byte increments. (+402, +406, +40A, +40E).
Also note that each new MOV line displays the values backwards as well.
-----
So, if you want to add your own maps to exclude from the wall list, this is very simple, we will do it the same way that we skip the modification of maps that are already named "web_image.mac".
Here are all the internal map names: (if any are wrong or missing let me know)
MAP NAMES ARE CASE SENSITIVE! (This is important when getting the hexadecimal value for each letter. "A" is a different value from "a".)
So to exclude ardeca from our wall hack list. we should find the correct name for ardeca. Which is "Ardeca_global.mac"
Since we only need the first four characters, we only need "Arde", remember its CASE SENSITIVE.
Using this website you can easily translate between string to hex and vice versa.
[Only registered and activated users can see links. Click Here To Register...]
Simply add a compare command before the MOVs for each map you want to exclude, and don't forget to make sure each CMP will JE to your return address.
------
Here is the Wall hack script without ardeca and deneb. (auto update)
It's a fairly simple concept and with proper analysis anyone can figure this out, without any real advanced ASM knowledge.
So when we look at the wall script we have this section here.
Code:
Wall: lea ecx,ss:[esp+0000008C] cmp [eax+00000402],5f626577 //web_image.mac //(compare if map is equal to 'web_') je ReturnWall mov [eax+00000402],5f626577 mov [eax+00000406],67616d69 mov [eax+0000040a],616d2e65 mov [eax+0000040e],00000063 jmp ReturnWall
Code:
cmp [eax+00000402],5f626577
I am not sure the exact reason but the memory is written in backwards when writing the script, this is absolutely necessary for it to work correctly.
Moving on, what is happening in the script next:
After comparing the two values, there is a JE operation (jump if equal).
This essentially moves our execution to a different portion of the code provided that the two values that were CMP'ed or compared are equal. If they are not equal it will skip the JE and execute the next line in code.
In our case, it will compare the value to be equal to "bew_" or as we recognize it as "web_". This is the begging of "web_image.mac". We only need the first four string values of each map. If it is equal it will skip this value and jump the execution to "ReturnWall",which, in this script, is returning us back to where the original code should have left off if unmodified. This compare value makes it so that if it see the map is already set to "web_image.mac". It will then skip that since there is no need to replace something that is already there.
If the values are not equal it will then MOV (copy) "web_image.mac" into the register [eax+00000402].
Code:
mov [eax+00000402],5f626577 // "_bew" mov [eax+00000406],67616d69 // "gami" mov [eax+0000040a],616d2e65 // "am.e" mov [eax+0000040e],00000063 // "c" ^ spells "web_image.mac" when all together ^
Also note that each new MOV line displays the values backwards as well.
-----
So, if you want to add your own maps to exclude from the wall list, this is very simple, we will do it the same way that we skip the modification of maps that are already named "web_image.mac".
Here are all the internal map names: (if any are wrong or missing let me know)
MAP NAMES ARE CASE SENSITIVE! (This is important when getting the hexadecimal value for each letter. "A" is a different value from "a".)
So to exclude ardeca from our wall hack list. we should find the correct name for ardeca. Which is "Ardeca_global.mac"
Since we only need the first four characters, we only need "Arde", remember its CASE SENSITIVE.
Using this website you can easily translate between string to hex and vice versa.
[Only registered and activated users can see links. Click Here To Register...]
Simply add a compare command before the MOVs for each map you want to exclude, and don't forget to make sure each CMP will JE to your return address.
Code:
cmp [eax+00000402],65647241 //Ardeca_global.mac //('Arde')
je ReturnWall
------
Here is the Wall hack script without ardeca and deneb. (auto update)
