Tutorial: How to Bypass Speedhack Rollback

06/05/2018 18:16 AZiRes1#1
Download OllyDbg at [link].

Open your RFO and log in to the world.
Open OllyDbg, press 'File -> Attach' and select your RFO process.


Right-click in OllyDbg and select 'View -> Module RF_Online'.
Again, right-click in OllyDbg and select 'Search for -> All referenced text strings'.


Now we have a list of functions, and we need to search for 2 of them (MoveRequest, RealmovposRequest).
Just like in the picture: [image link].

Save those 2 addresses to Notepad.
Close OllyDbg, and let's continue with Cheat Engine.




Again, open RFO, open Cheat Engine, and attach it to RFO.

Open 'Memory View' and press 'CTRL + G' (Go to address), and enter your 1st address there.
Right-click anywhere on the code and select 'Select current function' (so it goes to the beginning of the function).

Now we have to find the line of code that checks for the elapsed time delay.

Example: [image link]
As shown in the image:
The 'ecx' register contains the amount of time elapsed since the last packet was sent (in ms / milliseconds).
The '1F4' (hexadecimal) is 500 (decimal).
So 'cmp ecx, 1F4' means we are checking whether 500 ms have elapsed.
If the 500 ms have elapsed, jae will jump forward and keep executing the 'movereq' function.
If the 500 ms have NOT elapsed, jae won't jump forward; instead the 'jmp 0x..' is used to jump to the address exiting the function.

All we have to do is replace the 'jae' with 'jmp' so there won't be any check.
Or replace the '1F4' with a smaller value.

Do the same process with the other function address, 'RealmovposRequest'.

Now your game will be able to send 'Move' packets without delay. (That's all we need to bypass rollback.)

The only thing left is to search for the 'Speed Address', change it to a higher value and freeze it.

Done, your speed hack is working. Have fun :p


Remember, those addresses are different on each server, and they can change after an update.
Not sure if this method works on every server, but it's probably working on 90% of them.
And if you're not able to find the right address in Cheat Engine, you probably used the wrong address, or your game is encrypted/protected by an anti-hack. (That's another story ^^)

Good luck!


Edit --- Video Added
Tutorial Video: [link]
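What the two patch options in the post (turn the `jae` into a `jmp`, or lower the `1F4`) do at the byte level, as an added example that is not code from the post or from the game. It works on a constructed 32-bit x86 fragment written by hand to mimic a "time since last move packet" check; no bytes here come from a real RF Online binary, and the buffer offsets and the `SAMPLE_*` names are the example's own. It goes a little beyond the post in one respect: it also handles the 6-byte near form of `jae` (`0F 83 rel32`), which cannot simply be overwritten with a same-size `jmp` and needs its displacement recomputed plus a NOP.

```python
"""
Byte-level view of the two patches described in the post, on constructed x86
(32-bit) code. Encodings used (Intel SDM, 32-bit mode):
  81 F9 imm32   cmp ecx, imm32
  73 rel8       jae short  (2 bytes)      EB rel8    jmp short (2 bytes)
  0F 83 rel32   jae near   (6 bytes)      E9 rel32   jmp near  (5 bytes)
A rel8/rel32 displacement is relative to the END of the branch instruction.
"""
import struct

CMP_ECX_IMM32 = b"\x81\xF9"
JAE_SHORT, JMP_SHORT = 0x73, 0xEB
JAE_NEAR, JMP_NEAR, NOP = b"\x0F\x83", 0xE9, 0x90

# Constructed sample (not from any real binary):
#   mov ecx,[now]; sub ecx,[last]; cmp ecx,1F4h; jae continue; jmp exit
#   continue: mov eax,1; ret      exit: xor eax,eax; ret
SAMPLE_SHORT = bytes.fromhex(
    "8B0D44332211" "2B0D48332211" "81F9F4010000"
    "7305"          # 0x12: jae short -> 0x19 (continue)
    "E906000000"    # 0x14: jmp near  -> 0x1F (exit)
    "B801000000C3"  # 0x19: continue
    "31C0C3"        # 0x1F: exit
)
# Same logic, but with the 6-byte near form of jae (what a compiler emits when
# the target is too far for rel8).
SAMPLE_NEAR = bytes.fromhex(
    "8B0D44332211" "2B0D48332211" "81F9F4010000"
    "0F8305000000"  # 0x12: jae near -> 0x1D (continue)
    "E906000000"    # 0x18: jmp near -> 0x23 (exit)
    "B801000000C3"  # 0x1D: continue
    "31C0C3"        # 0x23: exit
)


def find_delay_checks(code, threshold=0x1F4):
    """Offsets of every `cmp ecx, threshold` directly followed by a jae."""
    needle = CMP_ECX_IMM32 + struct.pack("<I", threshold)
    hits, start = [], 0
    while (i := code.find(needle, start)) >= 0:
        j = i + len(needle)
        if code[j:j + 1] == bytes([JAE_SHORT]) or code[j:j + 2] == JAE_NEAR:
            hits.append(i)
        start = i + 1
    return hits


def threshold_ms(code, cmp_off):
    """Immediate operand of the cmp at cmp_off (the 1F4 = 500 ms in the post)."""
    if code[cmp_off:cmp_off + 2] != CMP_ECX_IMM32:
        raise ValueError("no `cmp ecx, imm32` at that offset")
    return struct.unpack("<I", code[cmp_off + 2:cmp_off + 6])[0]


def branch_target(code, j):
    """Absolute buffer offset that the jae/jmp at j lands on."""
    op = code[j]
    if op in (JAE_SHORT, JMP_SHORT):
        return j + 2 + struct.unpack("<b", code[j + 1:j + 2])[0]
    if op == JMP_NEAR:
        return j + 5 + struct.unpack("<i", code[j + 1:j + 5])[0]
    if code[j:j + 2] == JAE_NEAR:
        return j + 6 + struct.unpack("<i", code[j + 2:j + 6])[0]
    raise ValueError("not a jae/jmp")


def patch_threshold(code, cmp_off, new_ms):
    """Option 2 from the post: lower the constant. Same length, nothing moves."""
    threshold_ms(code, cmp_off)  # validates that a `cmp ecx, imm32` is there
    return code[:cmp_off + 2] + struct.pack("<I", new_ms) + code[cmp_off + 6:]


def patch_jae_to_jmp(code, cmp_off):
    """Option 1 from the post: make the branch unconditional, keeping its target."""
    j = cmp_off + 6  # the jae sits right after the 6-byte cmp
    if code[j] == JAE_SHORT:            # 73 rel8 -> EB rel8: same length, rel8 unchanged
        return code[:j] + bytes([JMP_SHORT]) + code[j + 1:]
    if code[j:j + 2] == JAE_NEAR:       # 0F 83 rel32 (6 B) -> E9 rel32 (5 B) + NOP
        target = branch_target(code, j)
        new_rel = target - (j + 5)      # displacement from the shorter instruction's end
        return (code[:j] + bytes([JMP_NEAR]) + struct.pack("<i", new_rel)
                + bytes([NOP]) + code[j + 6:])
    raise ValueError("no jae after the cmp: wrong offset, or a differently shaped check")


if __name__ == "__main__":
    for name, sample in (("short", SAMPLE_SHORT), ("near", SAMPLE_NEAR)):
        off = find_delay_checks(sample)[0]
        print(f"{name}: cmp at 0x{off:02X}, threshold {threshold_ms(sample, off)} ms,"
              f" jae -> 0x{branch_target(sample, off + 6):02X}")
        print("  jmp patch :", patch_jae_to_jmp(sample, off)[off:off + 12].hex(" "))
        print("  0 ms patch:", patch_threshold(sample, off, 0)[off:off + 12].hex(" "))
```

In Cheat Engine the same edit is done in place (double-click the line, or an Auto Assemble script), so the script is only there to show why the constant patch is the safer of the two: it never changes instruction length. The branch patch is only correct for the exact shape in the post, where the conditional jump leads to the "keep going" path. If the compiler inverted the test so that the conditional jump leads to the exit path instead, turning it into an unconditional `jmp` would make every move request exit early; the fix for that shape is to NOP the branch, not to force it.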
06/08/2018 04:44 Luxcy666#2


Stupid question, sir [very newbie, learning assembly]
1. How do I replace the 'jae' with 'jmp'?
2. How do I reduce the value '1F4' in the assembly?
3. How do I make it into a script / "Code Injection"?

I am still a beginner in CE. I just know how to find the value and make a CE pointer.
This is still being tested on RFid Classic [Official Server Lyto].



************************************************************************************
still in editing process, Post #3

Is what I am doing right or wrong?

Step1
Address 1: 005A1B3F
Address 2: 005A1C72

Step2: First address
06/08/2018 09:51 AZiRes1#3
Yes, you are doing everything right.

Quote:
1. How to replace the 'jae' with 'jmp' ?
2. How to reduce value at assembly 1F4 ?
3. how to make it into script / "Code Injection"?
1 and 2: just double-click the line and edit it as you wish (jae to jmp, or change the 1F4 to another value).
3: you can use 'Auto assemble', example: [link]
06/10/2018 06:07 Luxcy666#4
The second address looks different from the first address.
What should I do with the second address?

Image 1, 2 & 3 (Select current function)
06/12/2018 17:20 Luxcy666#5
As far as I know, there are 3 blinks:
1. blink run: default 66
2. blink walk: default 65 / 66
3. blink with float: armor ranger, injurer weapon, speed, etc.
07/13/2018 20:19 mbahkung#6
@[user] can you give a screenshot after you change at step 1 and step 2?
I already tried it, but nothing happened; I'm really confused at step 2.
Sorry for my bad English.

@[user] did you get it?
I play RF Classic too.
07/31/2018 05:31 serkidz1#7
Man, it's still blinking :facepalm:
08/15/2018 20:16 occulttime#8
Is this working on RF Reign? 2.2.3.2
08/16/2018 18:36 jamzter17#9
Is there already a damage hack?
09/02/2018 18:22 baltais99#10
Does this work in R/e/d/f/o/x?
And can this be done with a damage hack?
09/23/2018 23:56 shinkinsaki#11
Bro, if possible can you make a video or step-by-step pics on how to do it? I'm a complete noob regarding this but I want it :(

I'm stuck at the 2nd step lol, in this part:

"Right-click in OllyDbg and select 'View -> Module RF_Online'
Again, right-click in OllyDbg and select 'Search for -> All referenced text strings'"
09/26/2018 19:40 tiktakto3#12
Hey man, can you teach me how to use a damage hack? I'm very new to CE and my head hurts like hell reading and trying to follow all the guides :(

Quote:
Originally Posted by baltais99
Does this work in R/e/d/f/o/x?
And can this be done with a damage hack?
11/05/2018 05:56 tempe132#13
Quote:
Originally Posted by AZiRes1
[quotes the full tutorial from post #1]
HMMM
11/12/2018 15:45 Amadial#14
Not working, because the second address looks different from the first address,
and "Do the same process with the other function address 'RealmovposRequest'" is impossible.
11/23/2018 11:30 OracleApex#15
Quote:
Originally Posted by Amadial
Not working, because the second address looks different from the first address,
and "Do the same process with the other function address 'RealmovposRequest'" is impossible.
Agreed, because cmp ecx,000001F4

is not found in the second address's function listing.