CO Functions List

~~high6~~ · 08/23/2007, 21:52

Rate the thread

Visit the site for updates

Some functions in CO that can be used to make hacks.

Un-equip Item(Unlike equip TQ made 1 function for ever slot you un-equip).

Code:

00433122    .  33C0               XOR EAX,EAX
00433124    .  3941 74            CMP DWORD PTR DS:[ECX+74],EAX
00433127    .  75 1D              JNZ SHORT Conquer.00433146
00433129    .  6A 64              PUSH 64
0043312B    .  50                 PUSH EAX
0043312C    .  50                 PUSH EAX
0043312D    .  50                 PUSH EAX
0043312E    .  50                 PUSH EAX
0043312F    .  68 14A54D00        PUSH Conquer.004DA514                                 ;  ASCII "Sound/Unequip.wav"
00433134    .  FF15 50C54B00      CALL DWORD PTR DS:[<&NDSound.DSound._DXP>]            ;  NDSound.DXPlaySound
0043313A    .  6A 01              PUSH 1
0043313C    .  B9 000F4E00        MOV ECX,Conquer.004E0F00
00433141    .  E8 D9F20400        CALL Conquer.0048241F
00433146    >  C3                 RETN
00433147    .  33C0               XOR EAX,EAX
00433149    .  3941 74            CMP DWORD PTR DS:[ECX+74],EAX
0043314C    .  75 1D              JNZ SHORT Conquer.0043316B
0043314E    .  6A 64              PUSH 64
00433150    .  50                 PUSH EAX
00433151    .  50                 PUSH EAX
00433152    .  50                 PUSH EAX
00433153    .  50                 PUSH EAX
00433154    .  68 14A54D00        PUSH Conquer.004DA514                                 ;  ASCII "Sound/Unequip.wav"
00433159    .  FF15 50C54B00      CALL DWORD PTR DS:[<&NDSound.DSound._DXP>]            ;  NDSound.DXPlaySound
0043315F    .  6A 05              PUSH 5
00433161    .  B9 000F4E00        MOV ECX,Conquer.004E0F00
00433166    .  E8 B4F20400        CALL Conquer.0048241F
0043316B    >  C3                 RETN
0043316C    .  33C0               XOR EAX,EAX
0043316E    .  3941 74            CMP DWORD PTR DS:[ECX+74],EAX
00433171    .  75 1D              JNZ SHORT Conquer.00433190
00433173    .  6A 64              PUSH 64
00433175    .  50                 PUSH EAX
00433176    .  50                 PUSH EAX
00433177    .  50                 PUSH EAX
00433178    .  50                 PUSH EAX
00433179    .  68 14A54D00        PUSH Conquer.004DA514                                 ;  ASCII "Sound/Unequip.wav"
0043317E    .  FF15 50C54B00      CALL DWORD PTR DS:[<&NDSound.DSound._DXP>]            ;  NDSound.DXPlaySound
00433184    .  6A 02              PUSH 2
00433186    .  B9 000F4E00        MOV ECX,Conquer.004E0F00
0043318B    .  E8 8FF20400        CALL Conquer.0048241F
00433190    >  C3                 RETN
00433191    .  33C0               XOR EAX,EAX
00433193    .  3941 74            CMP DWORD PTR DS:[ECX+74],EAX
00433196    .  75 1D              JNZ SHORT Conquer.004331B5
00433198    .  6A 64              PUSH 64
0043319A    .  50                 PUSH EAX
0043319B    .  50                 PUSH EAX
0043319C    .  50                 PUSH EAX
0043319D    .  50                 PUSH EAX
0043319E    .  68 14A54D00        PUSH Conquer.004DA514                                 ;  ASCII "Sound/Unequip.wav"
004331A3    .  FF15 50C54B00      CALL DWORD PTR DS:[<&NDSound.DSound._DXP>]            ;  NDSound.DXPlaySound
004331A9    .  6A 03              PUSH 3
004331AB    .  B9 000F4E00        MOV ECX,Conquer.004E0F00
004331B0    .  E8 6AF20400        CALL Conquer.0048241F
004331B5    >  C3                 RETN
004331B6    .  33C0               XOR EAX,EAX
004331B8    .  3941 74            CMP DWORD PTR DS:[ECX+74],EAX
004331BB    .  75 1D              JNZ SHORT Conquer.004331DA
004331BD    .  6A 64              PUSH 64
004331BF    .  50                 PUSH EAX
004331C0    .  50                 PUSH EAX
004331C1    .  50                 PUSH EAX
004331C2    .  50                 PUSH EAX
004331C3    .  68 14A54D00        PUSH Conquer.004DA514                                 ;  ASCII "Sound/Unequip.wav"
004331C8    .  FF15 50C54B00      CALL DWORD PTR DS:[<&NDSound.DSound._DXP>]            ;  NDSound.DXPlaySound
004331CE    .  6A 08              PUSH 8
004331D0    .  B9 000F4E00        MOV ECX,Conquer.004E0F00
004331D5    .  E8 45F20400        CALL Conquer.0048241F
004331DA    >  C3                 RETN
004331DB    .  33C0               XOR EAX,EAX
004331DD    .  3941 74            CMP DWORD PTR DS:[ECX+74],EAX
004331E0    .  75 1D              JNZ SHORT Conquer.004331FF
004331E2    .  6A 64              PUSH 64
004331E4    .  50                 PUSH EAX
004331E5    .  50                 PUSH EAX
004331E6    .  50                 PUSH EAX
004331E7    .  50                 PUSH EAX
004331E8    .  68 14A54D00        PUSH Conquer.004DA514                                 ;  ASCII "Sound/Unequip.wav"
004331ED    .  FF15 50C54B00      CALL DWORD PTR DS:[<&NDSound.DSound._DXP>]            ;  NDSound.DXPlaySound
004331F3    .  6A 06              PUSH 6
004331F5    .  B9 000F4E00        MOV ECX,Conquer.004E0F00
004331FA    .  E8 20F20400        CALL Conquer.0048241F
004331FF    >  C3                 RETN
00433200    .  33C0               XOR EAX,EAX
00433202    .  3941 74            CMP DWORD PTR DS:[ECX+74],EAX
00433205    .  75 1D              JNZ SHORT Conquer.00433224
00433207    .  6A 64              PUSH 64
00433209    .  50                 PUSH EAX
0043320A    .  50                 PUSH EAX
0043320B    .  50                 PUSH EAX
0043320C    .  50                 PUSH EAX
0043320D    .  68 14A54D00        PUSH Conquer.004DA514                                 ;  ASCII "Sound/Unequip.wav"
00433212    .  FF15 50C54B00      CALL DWORD PTR DS:[<&NDSound.DSound._DXP>]            ;  NDSound.DXPlaySound
00433218    .  6A 04              PUSH 4
0043321A    .  B9 000F4E00        MOV ECX,Conquer.004E0F00
0043321F    .  E8 FBF10400        CALL Conquer.0048241F                                 ;  Un-equip Right Hand
00433224    >  C3                 RETN
00433225    .  33C0               XOR EAX,EAX
00433227    .  3941 74            CMP DWORD PTR DS:[ECX+74],EAX
0043322A    .  75 1D              JNZ SHORT Conquer.00433249
0043322C    .  6A 64              PUSH 64
0043322E    .  50                 PUSH EAX
0043322F    .  50                 PUSH EAX
00433230    .  50                 PUSH EAX
00433231    .  50                 PUSH EAX
00433232    .  68 14A54D00        PUSH Conquer.004DA514                                 ;  ASCII "Sound/Unequip.wav"
00433237    .  FF15 50C54B00      CALL DWORD PTR DS:[<&NDSound.DSound._DXP>]            ;  NDSound.DXPlaySound
0043323D    .  6A 07              PUSH 7
0043323F    .  B9 000F4E00        MOV ECX,Conquer.004E0F00
00433244    .  E8 D6F10400        CALL Conquer.0048241F

Jump(local1 = Y,ESI = Constant ,local2 = X)

Code:

004473E0   |.  FF75 FC            PUSH [LOCAL.1]                                        ; /Arg2 = FFFFFFFF
004473E3   |.  8BCE               MOV ECX,ESI                                           ; |Conquer.004C3A58
004473E5   |.  FF75 F8            PUSH [LOCAL.2]                                        ; |Arg1 = 76B44E87
004473E8   |.  E8 9D1D0300        CALL Conquer.0047918A                                 ; Jump Function

run(local1 = Y,ESI = Constant ,local2 = X)

Code:

00447404   |.  FF75 FC            PUSH [LOCAL.1]                                        ; /Arg2 = 00000000
00447407   |.  8BCE               MOV ECX,ESI                                           ; |
00447409   |.  FF75 F8            PUSH [LOCAL.2]                                        ; |Arg1 = 7C802458
0044740C   |.  E8 3B1C0300        CALL Conquer.0047904C                                 ; Run Function

walk(local1 = Y,ESI = Constant ,local2 = X)

Code:

00447413   |> FF75 FC            PUSH [LOCAL.1]                                        ; /Arg2 = 00000000
00447416   |.  8BCE               MOV ECX,ESI                                           ; |
00447418   |.  FF75 F8            PUSH [LOCAL.2]                                        ; |Arg1 = 7C802458
0044741B   |.  E8 081B0300        CALL Conquer.00478F28                                 ; Walk Function

Drop Gold(unknown?,unknown?,amount)

Code:

0044816C    .  FF35 B00F4E00      PUSH DWORD PTR DS:[4E0FB0]
00448172    .  B9 000F4E00        MOV ECX,Conquer.004E0F00
00448177    .  FF35 AC0F4E00      PUSH DWORD PTR DS:[4E0FAC]
0044817D    .  FF75 0C            PUSH DWORD PTR SS:[EBP+C]
00448180    .  E8 8A0E0400        CALL Conquer.0048900F                                 ;  Drop Gold

Error output:
these vary but the general syntax is the same, push 5 constants after calling GameDataSetQuery.

(NOTE: if it outputs a red error message that means w/e it is doing is server side and you should just move on)

Code:

00489187   |.  FF15 44C04B00      CALL DWORD PTR DS:[<&GraphicData.GameDataSetQuery>]   ;  GraphicD.GameDataSetQuery
0048918D   |.  8B10               MOV EDX,DWORD PTR DS:[EAX]
0048918F   |.  6A 00              PUSH 0
00489191   |.  6A 00              PUSH 0
00489193   |.  68 0000FF00        PUSH 0FF0000
00489198   |.  68 D5070000        PUSH 7D5
0048919D   |.  68 C8860100        PUSH 186C8
004891A2   |>  8BC8               MOV ECX,EAX
004891A4   |.  FF52 3C            CALL DWORD PTR DS:[EDX+3C]
004891A7   |.  50                 PUSH EAX
004891A8   |.  B9 70ED4D00        MOV ECX,Conquer.004DED70
004891AD   |.  E8 D3BCFCFF        CALL Conquer.00454E85
004891B2   |.  33C0               XOR EAX,EAX

Cast Spell

Code:

004509F6   |> 6A 00              PUSH 0
004509F8   |>  FF70 44            PUSH DWORD PTR DS:[EAX+44]                            ;  Target
004509FB   |.  FFB6 50150500      PUSH DWORD PTR DS:[ESI+51550]                         ;  Spell Type
00450A01   |>  8BCF               MOV ECX,EDI
00450A03   |.  E8 7BBB0300        CALL Conquer.0048C583                                 ;  Cast Spell
00450A08   |>  8BCE               MOV ECX,ESI
00450A0A   |.  E8 05F50500        CALL <JMP.&MFC42.#2379>

Equip Item(Push Item Type , ECX = Item)

Code:

00447A67    > FF75 0C            PUSH DWORD PTR SS:[EBP+C]                             ;  Case 11 of switch 0044756D
00447A6A    .  8BCE               MOV ECX,ESI
00447A6C    .  E8 B3650000        CALL Conquer.0044E024                                 ;  Equip Item

Code:

00439ED6    > 53                 PUSH EBX                                              ;  0
00439ED7    .  68 D2070000        PUSH 7D0                                              ;  Text Type
00439EDC    >  68 FFFFFF00        PUSH 0FFFFFF                                          ; |00FFFFFF
00439EE1    .  8D85 C8FBFFFF      LEA EAX,DWORD PTR SS:[EBP-438]                        ; |
00439EE7    .  53                 PUSH EBX                                              ; |0
00439EE8    .  50                 PUSH EAX                                              ; |Text
00439EE9    .  53                 PUSH EBX                                              ; |0
00439EEA    .  B9 000F4E00        MOV ECX,Conquer.004E0F00                              ; |Const 004E0F00
00439EEF    .  E8 B3FD0300        CALL Conquer.00479CA7                                 ; Send Text

Variations of Text Type.

7D0 = Talk Text
7D1 = Whisper Text(special function)
7D2 = Action Text
7D3 = Team Text
7D4 = Guild Text
7D5 = Client Side [System] Text (Purple)
7D6 = Spouse Text
7D7 = Talk Text (Removed One?)
7D8 = Yell Text
7D9 = Client Side [System] Text (Maybe GM commands?)
7DA = Client Side [BroadCast] Text
7DB = Client Side [GM] Text
7DE = Service Text
7DF = Tips Text
839 = Open Directory <text>
83D = Top Right Text
9C4 = BroadCast Text (Only to people in area)

I will post more later alone with source in C++ on how to call them with some tutorials on finding these. IF this topic gains interest.

~~d0v3r~~ · 08/23/2007, 21:57

Awesome, thanks for the list.

Dgen · 08/23/2007, 22:00

Ty for the list!

XxDarkKillaxX · 08/23/2007, 22:07

u did the hard work for me lol maybe ill check some of these out

~~high6~~ · 08/24/2007, 03:23

O btw guys, here is a tip if you are looking for exploits with these functions.

Go inside the function:
CALL Conquer.<address>

Then look around for the error messages. They are usually a simple by-pass by doing a jmp patch(somethings are calculated serverside).

kmaworld586 · 08/24/2007, 03:39

This post is interesting. Probably old hat for the advanced programmers here, but a bit new for me. Would definitely like to see the sample code that you suggested

IHateHomos · 08/24/2007, 03:57

Could you find the Function for repair/ equips too? :P
I liked that function :P, I could try to make it work...
But what language should i use to make it :P

~~high6~~ · 08/24/2007, 04:23

Quote:

Originally Posted by IHateHomos

Could you find the Function for repair/ equips too? :P
I liked that function :P, I could try to make it work...
But what language should i use to make it :P

Code:

00447A11    > FF75 0C            PUSH DWORD PTR SS:[EBP+C]                             ; /Arg1 = 00000000; Case E of switch 0044756D
00447A14    .  8BCE               MOV ECX,ESI                                           ; |
00447A16    .  E8 6F4C0000        CALL Conquer.0044C68A                                 ; Repair Item Function

yokoyoko · 08/24/2007, 05:40

cool +1 thanks

nice info now i wanna make bots from those please release tutorial on how to do that, i can't do jump/walk/fly to specific coords with macro languages such as ahk or auto it, so if i could use those that'd make bots/macros all so much better!

Acidburncx · 08/24/2007, 10:51

sorry kinda new about that program what program to apply that code?

~~high6~~ · 08/24/2007, 18:55

Quote:

Originally Posted by vegetasupersaiyan6

sorry kinda new about that program what program to apply that code?

Asm

giacometti · 08/24/2007, 19:07

the arguments from walk and jump function are wrong, i check these cause i use them on my private program. For the curious ones, its possible to call FastBlade/SS skill too, so aimbot are easy to make if you know how to call these functions. Although fb/ss function has a protection that crashs conquer if you called it, but not difficult to bypass it.

and by the way, these are for conquer 4354 patch. We will get another patch soon, so its good attach version for reference. Nice post! =p

~~high6~~ · 08/24/2007, 19:13

Quote:

Originally Posted by giacometti

the arguments from walk and jump function are wrong, i check these cause i use them on my private program. For the curious ones, its possible to call FastBlade/SS skill too, so aimbot are easy to make if you know how to call these functions. Although fb/ss function has a protection that crashs conquer if you called it, but not difficult to bypass it.

and by the way, these are for conquer 4354 patch. We will get another patch soon, so its good attach version for reference. Nice post! =p

Ya I forgot that they are pushed in Y,X format. Also I need to update that part anyways.

Dragon~Ash · 08/25/2007, 06:06

Quote:

Originally Posted by high6

O btw guys, here is a tip if you are looking for exploits with these functions.

Go inside the function:
CALL Conquer.<address>

Then look around for the error messages. They are usually a simple by-pass by doing a jmp patch(somethings are calculated serverside).

What prog are you using to analyze the ASM?
Cheatengines a little different it just has Call <address> but I dont think it has the option to go inside the function and search for the error messages.

~~high6~~ · 08/25/2007, 06:14

Quote:

Originally Posted by Dragon~Ash

What prog are you using to analyze the ASM?
Cheatengines a little different it just has Call <address> but I dont think it has the option to go inside the function and search for the error messages.

OllyDbg