[Release][Method]Aeria - 100% Autopill

03/13/2010 05:46 Mega Byte#1
Assumes use of Cheat Engine.
I will not explain in detail as I am currently updating map fun with this :D


FOR THOSE OF YOU WHO DO NOT UNDERSTAND THIS PLEASE DO NOT ASK QUESTIONS.
Learn cheat engine and some asm please :)


Find the AutoPill, AutoPillHP and AutoPillCHI addresses.

AutoPill: 10AB374
AutoPillHP: 10AB378
AutoPillCHI: 10AB37C

The addresses were offset -0x20 from the last patch.
The addresses for code were offset +0x30 from the last patch.


Set Autopill to 1 and HP to 5.

Find what accesses AutoPillHP.
You will see a few entries; we want the one that compares against 5. The others are just checking if it's set to something above 0, etc.

Code:
004BAFA8  |.  833D 78B30A01>CMP DWORD PTR DS:[10AB378],5
Becomes
004BAFA8      833D 78B30A01>CMP DWORD PTR DS:[10AB378],0A

We have to change the 05 to 0A for 100% as it has an imul eax further down and converts it to a % out of 100.

Anyway.

Scrolling down in the code window, we can also see another CMP 05 for chi.

Code:
004BB0C1  |.  833D 7CB30A01>CMP DWORD PTR DS:[10AB37C],5
Change this to 0A again.
Becoming
004BB0C1      833D 7CB30A01>CMP DWORD PTR DS:[10AB37C],0A
*NOTE: I hope that you understand 0A is hex for 10*
Now when we set the autopill address to 1 or 100 etc and the hp and chi values to 10 we actually have 100% autopill.

Now for the "fancy" hax.
We have to prevent the game from altering our auto pill or chi / hp values, because it eventually figures out *on an update packet from the server, I think* that we have not got the autopill and turns it off.

Set our AutoPill address to 10 or w/e.
Find what writes to our AutoPill address.
Trigger it to change by either fighting and waiting or by using a portal. I used a portal.


The very first address that changes it is moving ECX into our address; opening it in the code window we see this.

Quote:
00407602 |. 890D 74B30A01 MOV DWORD PTR DS:[10AB374],ECX
00407608 |. 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
0040760C |. 75 14 JNZ SHORT TwelveSk.00407622
0040760E |. C705 78B30A01>MOV DWORD PTR DS:[10AB378],0
00407618 |. C705 7CB30A01>MOV DWORD PTR DS:[10AB37C],0
Ignoring the CMP and the JNZ, we can clearly see that the three MOVs set our values to 0...
WE DO NOT WANT THIS!
So NOP away! Our code becomes this.

Auto Pill On
Code:
Originally
00407602  |.  890D 74B30A01 MOV DWORD PTR DS:[10AB374],ECX
Changed to
00407602      90            NOP
00407603      90            NOP
00407604      90            NOP
00407605      90            NOP
00407606      90            NOP
00407607      90            NOP
HP and CHI values.
Code:
Originally
0040760E  |.  C705 78B30A01>MOV DWORD PTR DS:[10AB378],0
00407618  |.  C705 7CB30A01>MOV DWORD PTR DS:[10AB37C],0
Changed to
0040760E      90            NOP
0040760F      90            NOP
00407610      90            NOP
00407611      90            NOP
00407612      90            NOP
00407613      90            NOP
00407614      90            NOP
00407615      90            NOP
00407616      90            NOP
00407617      90            NOP
00407618      90            NOP
00407619      90            NOP
0040761A      90            NOP
0040761B      90            NOP
0040761C      90            NOP
0040761D      90            NOP
0040761E      90            NOP
0040761F      90            NOP
00407620      90            NOP
00407621      90            NOP

By the way! For anyone who is interested in checking, there is an auto pill function here:
004BAB70 /$ 55 PUSH EBP
Which checks further down for your action. E.g. if you are dead or stunned etc. it will not auto pill.
I wonder what happens if we force it to autopill and set the state to 1 on death LOL
03/13/2010 09:30 rhotar#2
Great job dude

It can save some cycles since you don't have to keep writing the autopot values (a.k.a. freeze them); I hated that about my autopot (you know the code efficiency freak in me).

Btw, is there any chance you can share the code of your mob finder? I'm really eager to do some stuff with it; if you can't or won't, it's cool.


Thanks, and keep up the great work.
03/13/2010 09:47 Mega Byte#3
I'm not sure lol, add me on MSN *megabyte at nzgames.net.nz* and we can talk :)
03/13/2010 10:07 Cymon#4
I wonder why Aeria even bothered with this patch, all the hacks are getting updated.
At least by you, Megabyte :)
03/14/2010 02:52 sascha22#5
good job xD
03/14/2010 03:30 Iktov#6
Quote:
Originally Posted by Cymon
I wonder why Aeria even bothered with this patch, all the hacks are getting updated.
At least by you, Megabyte :)
Um, it was an update patch. It had nothing to do with hacks. Aeria bothered with the patch because they added new content, mainly being the new level cap, AKA god levels.

Anyways good job as always Megabyte.
03/18/2010 02:28 matrix17#7
Can someone help me with how to find what accesses AutoPillHP? Not so familiar with Olly.
03/18/2010 02:32 Iktov#8
Quote:
Originally Posted by matrix17
Can someone help me with how to find what accesses AutoPillHP? Not so familiar with Olly.
Put the AutoPillHP address into CE. Right click on the address and select "Find out what accesses this address". Then go in-game and lose some health with Autopill enabled so that the Autopill does its job: it autopills. You see what you need to see then.
03/21/2010 08:38 Mega Byte#9
Yep, and then just look at my above stuff and go insane for a minute or two, then you will realise what you can do :D
03/23/2010 12:20 taaaaazq8#10
Thaaaaanx man, you have speed and attack again :)
03/25/2010 23:31 Mega Byte#11
Updated for new patch!
03/26/2010 02:09 Hafus#12
I'm trying to do this with AutoIt but I just can't get the code quite right. If someone could post the code for this I would be more than appreciative =)
03/26/2010 17:18 Mega Byte#13
Use C#... there are code samples on the net for WriteProcessMemory tutorials.

You just have to write the bytes I change into those addresses. Mainly 0x90 0x90 into two places.

You should be able to do it in AutoIt, but it would be better to learn C# for commercial work and mucking about ;)
03/27/2010 23:33 Hafus#14
Thanks Mega Byte, I'm pretty familiar with C++ and coding in general as it's my hobby and career. I'll look into it though! Thanks again

-Hafus
03/30/2010 22:26 Mega Byte#15
Oh well, you can use C++ also. Read up on the WriteProcessMemory and ReadProcessMemory APIs, or inject a DLL and use memcpy :D