United Hackprogrammers Front(UHF)-CO2 Memory Tables
Discussion on United Hackprogrammers Front(UHF)-CO2 Memory Tables within the CO2 Exploits, Hacks & Tools forum part of the Conquer Online 2 category.
08/05/2007, 02:35
|
#91
|
elite*gold: 0
Join Date: Apr 2007
Posts: 950
Received Thanks: 2,410
|
Quote:
Originally posted by DyNy28@Aug 5 2007, 02:16
Hey guys!
What can you do with those addresses?
ClientRGB-R=&H4D1F46
ClientRGB-G=&H4D1F45
ClientRGB-B=&H4D1F44
Trippyness=&H4D1F47
CharEffects=&H4D36EE
greets,
DyNy
|
ClientRGB-R=&H4D1F46<\
ClientRGB-G=&H4D1F45<----- Change levels of RGB colour - 00 Lowest and FF(default) for highest
ClientRGB-B=&H4D1F44</
Trippyness=&H4D1F47 <--- Change to a lower value for blur effect - 00 for Most blur and FF(default) for No blur, I think 50-90 Gives the best effect
CharEffects=&H4D36EE <--- Client effects like fly and cyclone - Inject 80 to initiate cyclone/speed hack
|
|
|
08/05/2007, 13:29
|
#92
|
elite*gold: 0
Join Date: Jan 2006
Posts: 406
Received Thanks: 284
|
Quote:
Originally posted by joek@Aug 3 2007, 17:51
All that's left now is MP
|
About MP, using DMA defeat for patch 4353,
(read MP at $004B0F6C after inject read EBX register at offset $0046F4D8):
Quote:
offset 0x4B0F70:
mov [0x4B0F6C],ebx
mov [ebp+08],ebx
xor ebx,ebx
jmp 0x46F4DD
offset 0x46F4D8:
jmp 0x4B0F70
|
Quote:
(original code)
offset 0x46F4D8:
mov [ebp+08],ebx
xor ebx,ebx
|
or just the poke values:
Poke 4B0F70 89 1D 6C 0F 4B 00 89 5D 08 31 DB E9 5D E5 FB FF
Poke 46F4D8 E9 93 1A 04 00
Appended on Aug 5 2007, 14:52: About slot 1, you need the DMA inject address at $43C511 and to read the value in ECX for the address; the location of the slot value will then be at ECX + $10B4 + (Slot# * 4)
|
|
|
08/05/2007, 15:37
|
#93
|
elite*gold: 20
Join Date: Nov 2005
Posts: 1,322
Received Thanks: 3,452
|
Thanks for your work on MP & SLOT1 anantasia, it's most appreciated!
I seem to have a problem with the MPs though,
on a totally clean version of the client EBX always contains 0 when it jumps to the code pool.
|
|
|
08/05/2007, 16:35
|
#94
|
elite*gold: 0
Join Date: Jan 2006
Posts: 406
Received Thanks: 284
|
Maybe you need to use PE Explorer to change the segment permission to read/write.
Anyway, I tested and that code is working properly. Maybe you need to read the MP value from address $4B0F6C after injecting that code.
|
|
|
08/05/2007, 18:13
|
#95
|
elite*gold: 0
Join Date: May 2006
Posts: 319
Received Thanks: 49
|
Quote:
Originally posted by anantasia@Aug 5 2007, 12:35
Maybe you need to use PE Explorer to change the segment permission to read/write.
|
That's an interesting thing I always wanted to do by my own code. Any ideas for where to look for this or any direction?
|
|
|
08/05/2007, 18:27
|
#96
|
elite*gold: 0
Join Date: Aug 2007
Posts: 78
Received Thanks: 72
|
Quote:
Originally posted by giacometti@Aug 5 2007, 18:13
Quote:
Originally posted by anantasia@Aug 5 2007, 12:35
Maybe you need to use PE Explorer to change the segment permission to read/write.
|
That's an interesting thing I always wanted to do by my own code. Any ideas for where to look for this or any direction?
|
|
|
08/05/2007, 20:02
|
#97
|
elite*gold: 0
Join Date: Oct 2006
Posts: 544
Received Thanks: 655
|
Hello anantasia,
can you maybe also give the poke values for the MP here, please?
I don't get the right values here.
And is the poke below for slot 1?
Or can you now also look at what is in the slots?
I mean, for example, I want to know what is in slot 11. How can I do that? Also with a poke value? And does every slot then have its own memory address?
By the way, I was botjailed yesterday, because of my tool I think, but my tool is totally client-side, and you cannot come into botjail, I mean, or is it because TQ has protected the conquer.exe? Do I have to do the PE Explorer stuff to unlock the write?
Is that safe?
Greets,
DyNy
|
|
|
08/06/2007, 03:44
|
#98
|
elite*gold: 0
Join Date: Jan 2006
Posts: 406
Received Thanks: 284
|
Quote:
Originally posted by DyNy28@Aug 6 2007, 02:02
Hello anantasia,
can you maybe also give the poke values for the MP here, please?
I don't get the right values here.
|
You may use the values below to poke your client. You may need to change conquer.exe to enable read/write for all.
Quote:
Poke 4B0F70 89 1D 6C 0F 4B 00 89 5D 08 31 DB E9 5D E5 FB FF
Poke 46F4D8 E9 93 1A 04 00
|
Quote:
And is the poke below for slot 1?
Or can you now also look at what is in the slots?
I mean, for example, I want to know what is in slot 11. How can I do that? Also with a poke value? And does every slot then have its own memory address?
|
Sorry, I didn't post a poke value for slot 1, I just gave information for an idea that you can follow to find a solution.
That guide is about the item number in the slot on F1, not a slot in your inventory. So it's just a query for slots 1 to 10 (F1-F10).
The guide is about finding the address of the dynamic memory of Conquer that keeps the inventory info. This is the original code, if you browse the code with any debugger.
Quote:
OFFSET $0043C511:
MOV EDX,[ESP+04] // EDX = SLOT #
MOV EAX,[ESP+08] // EAX = UPDATE VALUE
MOV [ECX+EDX*4+000010B4],EAX // ECX = DYNAMIC MEMORY ADDRESS
RET 0008
|
PS. The above code will be called every time you press F1-F10 to use an item.
Quote:
By the way, I was botjailed yesterday, because of my tool I think, but my tool is totally client-side, and you cannot come into botjail, I mean, or is it because TQ has protected the conquer.exe? Do I have to do the PE Explorer stuff to unlock the write?
Is that safe?
|
Not sure about your tool, but TQ always wants to keep the client conquer.exe clean. Unlocking the PE is used to write any code to the Conquer process memory. If you are running your own program and have no need to write a code cave to the Conquer program, I think this method is safer. There are a lot of anti-hacking checks that look for process attach / memory edit tools like CE, OllyDbg and others.
Finally, I think that your tool may do something that is timed, such as disconnecting/connecting at an exact time, or running a skill at 2 minutes. It is possible that someone frapes your action and reports it to a GM, and/or a problem may occur in the new version of patch 4353 (they changed the packet structure, which means a change on the server side also).
|
|
|
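The memory-edit checks mentioned in the post above can be shown from the defender's side. This C example is added here and is not code from the thread or from the game's vendor: it compares a live code snapshot against known-good bytes and decodes a `JMP rel32` redirect. The function names are hypothetical, and the reference encoding `89 5D 08 31 DB` is an assumption taken from the relocated copy of the original instructions in the posted poke bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Result of comparing a live code snapshot with its known-good reference. */
typedef struct {
    int      modified;     /* 1 if any byte differs */
    size_t   first_diff;   /* offset of the first differing byte */
    size_t   diff_count;   /* number of differing bytes */
    int      is_jmp_hook;  /* 1 if the first differing byte starts a JMP rel32 */
    uint32_t jmp_target;   /* absolute destination of that JMP */
} hook_report;

/* base: virtual address of ref[0] / live[0] in the 32-bit image. */
hook_report check_code_integrity(uint32_t base, const uint8_t *ref,
                                 const uint8_t *live, size_t len)
{
    hook_report r;
    memset(&r, 0, sizeof r);
    for (size_t i = 0; i < len; i++) {
        if (ref[i] == live[i]) continue;
        if (!r.modified) { r.modified = 1; r.first_diff = i; }
        r.diff_count++;
    }
    /* E9 rel32: target = address of the next instruction + displacement. */
    if (r.modified && live[r.first_diff] == 0xE9 && r.first_diff + 5 <= len) {
        const uint8_t *p = live + r.first_diff + 1;
        uint32_t rel = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        r.is_jmp_hook = 1;
        r.jmp_target = base + (uint32_t)r.first_diff + 5u + rel;
    }
    return r;
}

/* Constructed sample: reference bytes are the assumed encoding of the
   "original code" quoted in the thread; live bytes are the posted 5-byte
   patch at 0x46F4D8. */
static const uint8_t ref_46F4D8[5]  = { 0x89, 0x5D, 0x08, 0x31, 0xDB };
static const uint8_t live_46F4D8[5] = { 0xE9, 0x93, 0x1A, 0x04, 0x00 };

hook_report sample_report(void)
{
    return check_code_integrity(0x46F4D8u, ref_46F4D8, live_46F4D8, 5);
}
```

A redirect whose decoded target lies outside the module's normal code range is the signal such a check reports.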
08/06/2007, 20:48
|
#99
|
elite*gold: 0
Join Date: Oct 2006
Posts: 544
Received Thanks: 655
|
Damn!!!
If I do this code DMA injection of MP then the conquer.exe crashed
Code:
Dim NewBytes10(16) As Byte
Dim NewBytes20(5) As Byte
'Poke 4B0F70 89 1D 6C 0F 4B 00 89 5D 08 31 DB E9 5D E5 FB FF
'Poke 46F4D8 E9 93 1A 04 00
NewBytes10(1) = &H89S
NewBytes10(2) = &H1DS
NewBytes10(3) = &H6CS
NewBytes10(4) = &HFS
NewBytes10(5) = &H4BS
NewBytes10(6) = &H0S
NewBytes10(7) = &H89S
NewBytes10(8) = &H5DS
NewBytes10(9) = &H8S
NewBytes10(10) = &H31S
NewBytes10(11) = &HDBS
NewBytes10(12) = &HE9S
NewBytes10(13) = &H5DS
NewBytes10(14) = &HE5S
NewBytes10(15) = &HFBS
NewBytes10(16) = &HFFS
NewBytes20(1) = &HE9S : NewBytes20(2) = &H93S : NewBytes20(3) = &H1AS : NewBytes20(4) = &H4S : NewBytes20(5) = &H0S
hWnd = FindWindow(vbNullString, COWiN)
GetWindowThreadProcessId(hWnd, pID)
pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pID)
WriteProcessMemoryBuffer(pHandle, &H4B0F70, NewBytes10(1), 16, 0)
WriteProcessMemoryBuffer(pHandle, &H46F4D8, NewBytes20(1), 5, 0)
CloseHandle(pHandle)
System.Array.Clear(NewBytes10, 0, NewBytes10.Length)
System.Array.Clear(NewBytes20, 0, NewBytes20.Length)
hWnd = FindWindow(vbNullString, COWiN)
GetWindowThreadProcessId(hWnd, pID)
pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pID)
Dim CurrentMP As Integer
ReadProcessMemory(pHandle, CURRENT_MP_LOCATION, CurrentMP, Len(Read_Current_MP), 0)
CloseHandle(pHandle)
and the Code DMA injection of HP is doing well
Code:
Dim NewBytes1(11) As Byte
Dim NewBytes2(4) As Byte
Dim NewBytes3(5) As Byte
'Poke 4D290E 50 6A 01 8B CF A3 FE 28 4D 00 E9
'Poke 4D2919 1F D4 F4 FF
'Poke 41FD37 E9 D2 2B 0B 00
NewBytes1(1) = &H50S
NewBytes1(2) = &H6AS
NewBytes1(3) = &H1S
NewBytes1(4) = &H8BS
NewBytes1(5) = &HCFS
NewBytes1(6) = &HA3S
NewBytes1(7) = &HFES
NewBytes1(8) = &H28S
NewBytes1(9) = &H4DS
NewBytes1(10) = &H0S
NewBytes1(11) = &HE9S
NewBytes2(1) = &H1FS : NewBytes2(2) = &HD4S : NewBytes2(3) = &HF4S : NewBytes2(4) = &HFFS
NewBytes3(1) = &HE9S : NewBytes3(2) = &HD2S : NewBytes3(3) = &H2BS : NewBytes3(4) = &HBS : NewBytes3(5) = &H0S
hWnd = FindWindow(vbNullString, COWiN)
GetWindowThreadProcessId(hWnd, pID)
pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pID)
WriteProcessMemoryBuffer(pHandle, &H4D290E, NewBytes1(1), 11, 0)
WriteProcessMemoryBuffer(pHandle, &H4D2919, NewBytes2(1), 4, 0)
WriteProcessMemoryBuffer(pHandle, &H41FD37, NewBytes3(1), 5, 0)
CloseHandle(pHandle)
System.Array.Clear(NewBytes1, 0, NewBytes1.Length)
System.Array.Clear(NewBytes2, 0, NewBytes2.Length)
System.Array.Clear(NewBytes3, 0, NewBytes3.Length)
hWnd = FindWindow(vbNullString, COWiN)
GetWindowThreadProcessId(hWnd, pID)
pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pID)
Dim CurrentHP As Integer
ReadProcessMemory(pHandle, CURRENT_HP_LOCATION, CurrentHP, Len(Read_Current_HP), 0)
CloseHandle(pHandle)
and these are my public read addresses of the HP and MP
Code:
Public Const CURRENT_HP_LOCATION As Integer = &H4D28FE
Public Const CURRENT_MP_LOCATION As Integer = &H4B0F6C
Does someone have an idea what the problem can be?
I have discovered that it is hard to read the memory and write code caves..
conquer.exe has been well protected I think, and I don't like that, because I think you can get botjailed with that
Please help,
DyNy
|
|
|
08/06/2007, 21:21
|
#100
|
elite*gold: 0
Join Date: Oct 2006
Posts: 544
Received Thanks: 655
|
I have also tried it with READ/WRITE enabled with PE Explorer, and it's exactly the same.
|
|
|
08/08/2007, 16:54
|
#101
|
elite*gold: 0
Join Date: Jul 2007
Posts: 4
Received Thanks: 0
|
omg can someone please tell me the necessary steps in order for me to activate M's multi, because this error message always appears: runtime error 13 type mismatch. Thank you
|
|
|
08/13/2007, 22:23
|
#102
|
elite*gold: 0
Join Date: May 2006
Posts: 319
Received Thanks: 49
|
Quote:
Originally posted by anantasia
About MP, using DMA defeat for patch 4353,
(read MP at $004B0F6C after inject read EBX register at offset $0046F4D8):
Quote:
offset 0x4B0F70:
mov [0x4B0F6C],ebx
mov [ebp+08],ebx
xor ebx,ebx
jmp 0x46F4DD
offset 0x46F4D8:
jmp 0x4B0F70
|
Quote:
(original code)
offset 0x46F4D8:
mov [ebp
|
|
just a little fix, cause it seems not to work:
(same address to read and inject as above)
Quote:
offset 0x4B0F70
mov [0x4B0F6C],ebx
xor ebx,ebx
push ebx
push edi
call 004a3335
jmp 0x46F4e4
offset 0x46F4Db
jmp 0x4B0F70
nop
nop
nop
nop
|
Quote:
(original code)
offset 0x46F4Db
xor ebx,ebx
push ebx
push edi
call 004a3335
|
or just use the poke values:
Poke 4B0F70 89 1D 6C 0F 4B 00 33 DB 53 57 E8
Poke 4B0F7B B6 23 FF FF E9 60 E5 FB FF
Poke 46F4DB E9 90 1A 04 00 90 90 90 90
|
|
|
08/14/2007, 21:17
|
#103
|
elite*gold: 0
Join Date: Oct 2006
Posts: 544
Received Thanks: 655
|
Hey dude,
I have modified my tool with your new poke values,
but with the last poke value Conquer is crashing!
Code:
Poke 46F4DB E9 90 1A 04 00 90 90 90 90
Maybe you have typed something wrong?
Greets,
DyNy
|
|
|
08/16/2007, 12:27
|
#104
|
elite*gold: 20
Join Date: Nov 2005
Posts: 1,322
Received Thanks: 3,452
|
Table For Client 4354 Now Out!
Here's the first release table I made, this should get at least the basic functionality of the supported programs working.
|
|
|
08/17/2007, 17:49
|
#105
|
elite*gold: 0
Join Date: Jan 2006
Posts: 268
Received Thanks: 27
|
Can u fix the link, I can't dl it. Thanks joek XD
|
|
|