United Hackprogrammers Front(UHF)-CO2 Memory Tables

*M* · 08/05/2007, 02:35

Quote:

Originally posted by DyNy28@Aug 5 2007, 02:16
he guys!

what can you do with those adressess?

ClientRGB-R=&H4D1F46
ClientRGB-G=&H4D1F45
ClientRGB-B=&H4D1F44
Trippyness=&H4D1F47
CharEffects=&H4D36EE

greets,

DyNy

ClientRGB-R=&H4D1F46<\
ClientRGB-G=&H4D1F45<----- Change levels of RGB colour - 00 Lowest and FF(default) for highest
ClientRGB-B=&H4D1F44</
Trippyness=&H4D1F47 <--- Change to a lower value for blur effect - 00 for Most blur and FF(default) for No blur, I think 50-90 Gives the best effect
CharEffects=&H4D36EE <--- Client effects like fly and cyclone - Inject 80 to initiate cyclone/speed hack

anantasia · 08/05/2007, 13:29

Quote:

Originally posted by joek@Aug 3 2007, 17:51
All thats left now is MP

For about MP using DMA defeat for patch 4353,
(read MP at $004B0F6C after inject read EBX register at offset $0046F4D8):

Quote:

offset 0x4B0F70:
mov [0x4B0F6C],ebx
mov [ebp+08],ebx
xor ebx,ebx
jmp 0x46F4DD

offset 0x46F4D8:
jmp 0x4B0F70

Quote:

(original code)

offset 0x46F4D8:
mov [ebp+08],ebx
xor ebx,ebx

or just the pokes values:
Poke 4B0F70 89 1D 6C 0F 4B 00 89 5D 08 31 DB E9 5D E5 FB FF
Poke 46F4D8 E9 93 1A 04 00

For about slot 1,

<hr>Append on Aug 5 2007, 14:52<hr> For about slot 1 , You need dma inject address at $43C511 and read value in ECX for address then location of slot value will at ECX + $10B4 + (Slot# * 4)

joek · 08/05/2007, 15:37

Thanks for your work on MP & SLOT1 anantasia, its most appreciated !

I seem to have a problem with the MP's tho,
on a totally clean version of the client EBX always contains 0 when it jumps to the code pool.

anantasia · 08/05/2007, 16:35

May you need using PE explorer to change segment permission to read/write.

Anyway I test with that code is working properly. May you need to read MP value from address $4B0F6C after inject that code.

giacometti · 08/05/2007, 18:13

Quote:

Originally posted by anantasia@Aug 5 2007, 12:35
May you need using PE explorer to change segment permission to read/write.

Thats an interesting thing i always wanted to do by my own code. Any ideas for where to look for this or any direction?

aaaassss · 08/05/2007, 18:27

Quote:

Originally posted by giacometti+Aug 5 2007, 18:13--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (giacometti @ Aug 5 2007, 18:13)</td></tr><tr><td id='QUOTE'> <!--QuoteBegin--anantasia@Aug 5 2007, 12:35
May you need using PE explorer to change segment permission to read/write.

Thats an interesting thing i always wanted to do by my own code. Any ideas for where to look for this or any direction? [/b][/quote]

ZeRo-ToLeRaNcE · 08/05/2007, 20:02

hello anantasia,

can you maby give here for the MP olso the poke values please.
i don't get the right values here.

and the poke below is for the slot 1?
or can you now olso look what in the slots are?
i mean for example i want to know what in slot 11 is. how can i do that? olso with an poke value? and every slot has then an own memoryadress?

by the way, i have been botjailed yesterday, with my tool i think, but my tool is totaly clientside, and you can not come in botjail i mean, or is it because TQ has protected the conquer.exe? has i do to the PE explorer stuf to unlock the write?
is that save?

greets,

DyNy

anantasia · 08/06/2007, 03:44

Quote:

Originally posted by DyNy28@Aug 6 2007, 02:02
hello anantasia,

can you maby give here for the MP olso the poke values please.
i don't get the right values here.

You may using below value to poke your client. May need changing conquer.exe for enable read/write all.

Quote:

Poke 4B0F70 89 1D 6C 0F 4B 00 89 5D 08 31 DB E9 5D E5 FB FF
Poke 46F4D8 E9 93 1A 04 00

Quote:

and the poke below is for the slot 1?
or can you now olso look what in the slots are?
i mean for example i want to know what in slot 11 is. how can i do that? olso with an poke value? and every slot has then an own memoryadress?

Sorry, I didn't post poke value for slot 1 just give infomation for idea that you can follow to find solution.

That guide is about number item in slot on F1 not slot in your inventory. So it's just query for Slot 1 to 10 (F1-F10).

Guide is finding address of dynamic memory of conquer that keep inventory info. Original code if you browse code with any debugger.

Quote:

OFFSET $0043C511:
MOV EDX,[ESP+04] // EDX = SLOT #
MOV EAX,[ESP+08] // EAX = UPDATE VALUE
MOV [ECX+EDX*4+000010B4],EAX // ECX = DYNAMIC MEMORY ADDRESS
RET 0008

PS. Above code will call every time you press F1-F10 for using item.

Quote:

by the way, i have been botjailed yesterday, with my tool i think, but my tool is totaly clientside, and you can not come in botjail i mean, or is it because TQ has protected the conquer.exe? has i do to the PE explorer stuf to unlock the write?
is that save?

Not sure about your tool, But TQ alway want to keep client conquer.exe clean. Unlock PE is using to write any code to conquer process memory program. If you running your own program and no need to write code cave to conquer program. I think this method is safer. There are lot of anti-hacking that checking attach / memory edit process like CE ,ollydbg and other.

Finally I think that your tool may do something that timely such as disconnect/ connect with exactly time, Run skill with 2 minute. Possible that someone frape your action and report to GM and/or problem may occur in new version of patch 4353 (They change packet structure that mean change in server side also).

ZeRo-ToLeRaNcE · 08/06/2007, 20:48

Damn!!!

if i do this code DMA injection of MP then the conquer.exe crached

Code:

Dim NewBytes10&#40;16&#41; As Byte
 * * * * * *Dim NewBytes20&#40;5&#41; As Byte
 * * * * * *'Poke 4B0F70 89 1D 6C 0F 4B 00 89 5D 08 31 DB E9 5D E5 FB FF
 * * * * * *'Poke 46F4D8 E9 93 1A 04 00
 * * * * * *NewBytes10&#40;1&#41; = &H89S
 * * * * * *NewBytes10&#40;2&#41; = &H1DS
 * * * * * *NewBytes10&#40;3&#41; = &H6CS
 * * * * * *NewBytes10&#40;4&#41; = &HFS
 * * * * * *NewBytes10&#40;5&#41; = &H4BS
 * * * * * *NewBytes10&#40;6&#41; = &H0S
 * * * * * *NewBytes10&#40;7&#41; = &H89S
 * * * * * *NewBytes10&#40;8&#41; = &H5DS
 * * * * * *NewBytes10&#40;9&#41; = &H8S
 * * * * * *NewBytes10&#40;10&#41; = &H31S
 * * * * * *NewBytes10&#40;11&#41; = &HDBS
 * * * * * *NewBytes10&#40;12&#41; = &HE9S
 * * * * * *NewBytes10&#40;13&#41; = &H5DS
 * * * * * *NewBytes10&#40;14&#41; = &HE5S
 * * * * * *NewBytes10&#40;15&#41; = &HFBS
 * * * * * *NewBytes10&#40;16&#41; = &HFFS
 * * * * * *NewBytes20&#40;1&#41; = &HE9S &#58; NewBytes20&#40;2&#41; = &H93S &#58; NewBytes20&#40;3&#41; = &H1AS &#58; NewBytes20&#40;4&#41; = &H4S &#58; NewBytes20&#40;5&#41; = &H0S
 * * * * * *hWnd = FindWindow&#40;vbNullString, COWiN&#41;
 * * * * * *GetWindowThreadProcessId&#40;hWnd, pID&#41;
 * * * * * *pHandle = OpenProcess&#40;PROCESS_ALL_ACCESS, False, pID&#41;
 * * * * * *WriteProcessMemoryBuffer&#40;pHandle, &H4B0F70, NewBytes10&#40;1&#41;, 16, 0&#41;
 * * * * * *WriteProcessMemoryBuffer&#40;pHandle, &H46F4D8, NewBytes20&#40;1&#41;, 5, 0&#41;
 * * * * * *CloseHandle&#40;pHandle&#41;
 * * * * * *System.Array.Clear&#40;NewBytes10, 0, NewBytes10.Length&#41;
 * * * * * *System.Array.Clear&#40;NewBytes20, 0, NewBytes20.Length&#41;
 * * * * * *hWnd = FindWindow&#40;vbNullString, COWiN&#41;
 * * * * * *GetWindowThreadProcessId&#40;hWnd, pID&#41;
 * * * * * *pHandle = OpenProcess&#40;PROCESS_ALL_ACCESS, False, pID&#41;
 * * * * * *Dim CurrentMP As Integer
 * * * * * *ReadProcessMemory&#40;pHandle, CURRENT_MP_LOCATION, CurrentMP, Len&#40;Read_Current_MP&#41;, 0&#41;
 * * * * * *CloseHandle&#40;pHandle&#41;

and the Code DMA injection of HP is doing well

Code:

Dim NewBytes1&#40;11&#41; As Byte
 * * * * * *Dim NewBytes2&#40;4&#41; As Byte
 * * * * * *Dim NewBytes3&#40;5&#41; As Byte
 * * * * * *'Poke 4D290E 50 6A 01 8B CF A3 FE 28 4D 00 E9 
 * * * * * *'Poke 4D2919 1F D4 F4 FF 
 * * * * * *'Poke 41FD37 E9 D2 2B 0B 00 
 * * * * * *NewBytes1&#40;1&#41; = &H50S
 * * * * * *NewBytes1&#40;2&#41; = &H6AS
 * * * * * *NewBytes1&#40;3&#41; = &H1S
 * * * * * *NewBytes1&#40;4&#41; = &H8BS
 * * * * * *NewBytes1&#40;5&#41; = &HCFS
 * * * * * *NewBytes1&#40;6&#41; = &HA3S
 * * * * * *NewBytes1&#40;7&#41; = &HFES
 * * * * * *NewBytes1&#40;8&#41; = &H28S
 * * * * * *NewBytes1&#40;9&#41; = &H4DS
 * * * * * *NewBytes1&#40;10&#41; = &H0S
 * * * * * *NewBytes1&#40;11&#41; = &HE9S
 * * * * * *NewBytes2&#40;1&#41; = &H1FS &#58; NewBytes2&#40;2&#41; = &HD4S &#58; NewBytes2&#40;3&#41; = &HF4S &#58; NewBytes2&#40;4&#41; = &HFFS
 * * * * * *NewBytes3&#40;1&#41; = &HE9S &#58; NewBytes3&#40;2&#41; = &HD2S &#58; NewBytes3&#40;3&#41; = &H2BS &#58; NewBytes3&#40;4&#41; = &HBS &#58; NewBytes3&#40;5&#41; = &H0S
 * * * * * *hWnd = FindWindow&#40;vbNullString, COWiN&#41;
 * * * * * *GetWindowThreadProcessId&#40;hWnd, pID&#41;
 * * * * * *pHandle = OpenProcess&#40;PROCESS_ALL_ACCESS, False, pID&#41;
 * * * * * *WriteProcessMemoryBuffer&#40;pHandle, &H4D290E, NewBytes1&#40;1&#41;, 11, 0&#41;
 * * * * * *WriteProcessMemoryBuffer&#40;pHandle, &H4D2919, NewBytes2&#40;1&#41;, 4, 0&#41;
 * * * * * *WriteProcessMemoryBuffer&#40;pHandle, &H41FD37, NewBytes3&#40;1&#41;, 5, 0&#41;
 * * * * * *CloseHandle&#40;pHandle&#41;
 * * * * * *System.Array.Clear&#40;NewBytes1, 0, NewBytes1.Length&#41;
 * * * * * *System.Array.Clear&#40;NewBytes2, 0, NewBytes2.Length&#41;
 * * * * * *System.Array.Clear&#40;NewBytes3, 0, NewBytes3.Length&#41;
 * * * * * *hWnd = FindWindow&#40;vbNullString, COWiN&#41;
 * * * * * *GetWindowThreadProcessId&#40;hWnd, pID&#41;
 * * * * * *pHandle = OpenProcess&#40;PROCESS_ALL_ACCESS, False, pID&#41;
 * * * * * *Dim CurrentHP As Integer
 * * * * * *ReadProcessMemory&#40;pHandle, CURRENT_HP_LOCATION, CurrentHP, Len&#40;Read_Current_HP&#41;, 0&#41;
 * * * * * *CloseHandle&#40;pHandle&#41;

and this are my public read adressess of the HP and MP

Code:

Public Const CURRENT_HP_LOCATION As Integer = &H4D28FE
Public Const CURRENT_MP_LOCATION As Integer = &H4B0F6C

Has someone an idea what the problem can be?

i have discover that it is hard to read the memory's and write Code Caves..
conquer.exe has been good protected i think, and i don't like that, because im think you can get botjailed with that

Please Help,

DyNy

ZeRo-ToLeRaNcE · 08/06/2007, 21:21

I have it olso try with enable READ/WRITE with PE explorer, and exacly the same.

nons3n5e · 08/08/2007, 16:54

omg can some one please tell me the neccesary steps in order for me to activate M's multi cause this error message always appears: runtime error 13 type mismatch. Thank you

giacometti · 08/13/2007, 22:23

Quote:

Originally posted by anantasia--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (anantasia)</td></tr><tr><td id='QUOTE'>
For about MP using DMA defeat for patch 4353,
(read MP at $004B0F6C after inject read EBX register at offset $0046F4D8):

Quote:

offset 0x4B0F70:
mov [0x4B0F6C],ebx
mov [ebp+08],ebx
xor ebx,ebx
jmp 0x46F4DD

offset 0x46F4D8:
jmp 0x4B0F70

Quote:

(original code)

offset 0x46F4D8:
mov [ebp

Quote:

@08],ebx
xor ebx,ebx

[/b]

just a little fix, cause it seems not to work:
(same address to read and inject as above)

Quote:

offset 0x4B0F70
mov [0x4B0F6C],ebx
xor ebx,ebx
push ebx
push edi
call 004a3335
jmp 0x46F4e4

offset 0x46F4Db
jmp 0x4B0F70
nop
nop
nop
nop

<!--QuoteBegin--original code

offset 0x46F4Db
xor ebx,ebx
push ebx
push edi
call 004a3335
[/quote]

or just use the poke values:
Poke 4B0F70 89 1D 6C 0F 4B 00 33 DB 53 57 E8
Poke 4B0F7B B6 23 FF FF E9 60 E5 FB FF
Poke 46F4DB E9 90 1A 04 00 90 90 90 90

ZeRo-ToLeRaNcE · 08/14/2007, 21:17

he Dude

i have modified my tool with your new poke values,
but with the last poke value conquer is craching!

Code:

Poke 46F4DB E9 90 1A 04 00 90 90 90 90

maby you have type someting wrong?

greets,

DyNy

joek · 08/16/2007, 12:27

[img]text2schild.php?smilienummer=1&text=Table For Client 4354 Now Out !' border='0' alt='Table For Client 4354 Now Out !' />

Heres the first release table I made, this should get at least the basic functionality of the supported programs working.

hippie · 08/17/2007, 17:49

can u fix the link i cant dl it thxns joek XD