SV trace assembly code
Discussion on SV trace assembly code within the CO2 Guides & Templates forum part of the Conquer Online 2 category.
01/13/2007, 22:07
|
#421
|
elite*gold: 0
Join Date: Apr 2006
Posts: 31
Received Thanks: 0
|
Quote:
Logining......
Logining......
Logining......
Logining......
Logining......
Sorry, the Scriptvessel Client is updated! Pls use the new one.
Last login time:2007-1-10 13:36:09
|
Not sure why, but after days of SV working right, it started doing the same thing to me this afternoon.
Any ideas?
|
|
|
01/14/2007, 11:14
|
#422
|
elite*gold: 0
Join Date: Nov 2005
Posts: 41
Received Thanks: 1
|
i got the same problem too. here's a snapshot of it.
|
|
|
01/14/2007, 11:28
|
#423
|
elite*gold: 0
Join Date: Dec 2005
Posts: 446
Received Thanks: 19
|
Quote:
Originally posted by alan77@Jan 10 2007, 19:14
Quote:
Originally posted by anantasia@Jan 2 2007, 17:50
Here is DIY (do it yourself): crack SV yourself.
First, I have no intention to release a cracked version or modified SV to anyone. This thread is posted for your study.
First thing to do is download all the programs that you need,
1. Download SV (2 files of them)
Download link for SV (agent king and dll) is located in a lower post,
2. Use "Cheat Engine" to set trace/debug & trap
Here is the link to download "Cheat Engine"

Below is the instruction code that you see in Cheat Engine. Please follow the steps
.
/*1* Starting Agent King insert user/password
.
/*2* Set trap(breakpoint) on first jump here and click start button at AgentKing window
00403596 je 40378c <- by pass this point to 40359C
0040359C mov ecx,[ebp-2c]
/*3* When your CE(Cheat Engine) stop at 403596 change your EIP to next command 40359C
.
.
/*4* Set trap at here 4035CB. When CE stop at 4035CB change EIP to 4035DD
004035CB jne 40378c <- by pass this point to 4035DD
004035D1 cmp [004356e0],edi
004035D7 jne 40378c
004035DD push 00
.
.
/*5* Set trap at 403685. When CE stop press F7 to trace in to sub routine 403CF6
00403685 CALL 00403CF6 <- this command to call routine at address 00403CF6 and when hit command RET. It's will return to next address 40368A
0040368A mov eax,[esi+1c]
.
.
/*6* Routine 403CF6 will send you to address 10002860. Press F7 to step to countrymakeinUS.dll
00403CF6 JMP DWORD PTR[00429508] <- Just FYI, this command jump to DLL. DWORD PTR[00429508] = 10002860
.
.
/*7* Starting tracestep at here, look carefully for miss jump/exit program
10002860 SUB ESP, 000000C8 <- here is starting of countrymakeinus.dll
.
.
1000288B CALL 1001E804 <- Nothing to do at here just press F8 to step over
.
.
/*8* When found JNE command just change your EIP to next command. For below instead jump EIP to 10002897 you can jump to 100028A4 coz of CMP is just compare command not change memory value.
.
10002895 JNE 101zo1z21v01o12012z1vo101zo1z21v0+5d <- by pass this point to 100028A4
10002897 CMP [esp+000000d4],fffd7fd0
100028A2 JNE 101zo1z21v01o12012z1vo101zo1z21v0+5d
100028A4 MOV eax,[esp+000000d8]
.
.
/*9* there amount 10-20 jump condition (JNE) at here. Only thing is change EIP to next command if you found JNE
.
.
10002AC0 CALL dword ptr[100303a0] < Nothing to do here just press F8 to step over.
.
.
/*10* there amount 10-20 jump condition (JNE) at here. Only thing is change EIP to next command if you found JNE
.
.
/*11* When you first hit RET command at 10003110 that mean u finished it. Return to program and try press F11 to test bot is activate or not
10003110 RET <- finished sub routine and return to address 40368A
After this point you can start the bot by pressing Function key 11
|
Anyone have simplified steps to crack the SV? i tried, it failed. don't understand almost all part of it... anyone can help?
Sure! check any of my guides at my sign. Nº1.1 and Nº1.2 u'll find it easy.
|
|
|
01/14/2007, 11:34
|
#424
|
elite*gold: 0
Join Date: Dec 2005
Posts: 446
Received Thanks: 19
|
Quote:
Originally posted by glefC@Jan 12 2007, 11:46
what does his line mean?
22. In the JNE instruction click on EIP and put the next address of JNE instruction (in this case 10002897) click OK.
i don understand xD.
|
That line means that you have to click over EIP and change the value of it. The question is: which value should I put in EIP? And the answer is the address of the next instruction after the JNE one.
Example:
1000296 JNE l1l1l100l11o1o1l1ol1o1l101l10l101o1o1
1000297 PUSH 00
If you want to bypass the JNE instruction, when the line of this instruction (JNE) is selected (blue) click on EIP and change the value to 1000297 (which is the next address after the JNE address).
Got It?
|
|
|
01/15/2007, 07:26
|
#425
|
elite*gold: 0
Join Date: Oct 2006
Posts: 12
Received Thanks: 1
|
damn...i wish this thing would just work, I've done all i could to it -_-
|
|
|
01/15/2007, 11:43
|
#426
|
elite*gold: 0
Join Date: Jun 2006
Posts: 98
Received Thanks: 1
|
Thanks Cucurucho i got it.
I managed to crack it yesterday but i heard that SV changed its login IP. i only used it for 1 day and this happens...
|
|
|
01/15/2007, 12:12
|
#427
|
elite*gold: 0
Join Date: Oct 2006
Posts: 55
Received Thanks: 0
|
Lol so you cracked it for its new IP? Can u tell me what i have to do to change those addresses?
|
|
|
01/15/2007, 17:05
|
#428
|
elite*gold: 0
Join Date: Aug 2005
Posts: 51
Received Thanks: 1
|
ok so the login ip changed. guess we over logged it 
but anyone can teach us how to make a server emulator like the old ones ?
then we can find out what needs to be done the share the magic of making
|
|
|
01/15/2007, 20:00
|
#429
|
elite*gold: 0
Join Date: Jan 2006
Posts: 406
Received Thanks: 284
|
The new SV for patch 4337 has changed its login IP address.
There are some ways to fix it.
1) change your hosts file to redirect port, Thx Mantis X for his info
Here is his link
2) find the new SV and crack it again, with the same concept.
3) I tried to crack the old one by bypassing the internet connection, but it takes more time.
|
|
|
01/15/2007, 23:15
|
#430
|
elite*gold: 0
Join Date: Mar 2006
Posts: 11
Received Thanks: 0
|
i just want to ask how did u know which addresses u got to bypass when u thought of the agent cracking plz answer if u can coz it can rlly help in future needs
|
|
|
01/15/2007, 23:25
|
#431
|
elite*gold: 0
Join Date: Jan 2006
Posts: 406
Received Thanks: 284
|
Quote:
Originally posted by shamshoum@Jan 15 2007, 23:15
i just want to ask how did u know which addresses u got to bypass when u thought of the agent cracking plz answer if u can coz it can rlly help in future needs
|
If u read from post #3 u will know how I can find that code.
You need to know the message that appears and what call makes that message.
Trap that message and trace after that.
U will find out the algorithm, loop, event of the program, like in Visual Basic, C, Java.
|
|
|
01/15/2007, 23:38
|
#432
|
elite*gold: 0
Join Date: Mar 2006
Posts: 11
Received Thanks: 0
|
srry for being a little ****** but i just wanna check if i understood right now u use a program called AgentKing :S? and open the SV and u trace breakpoints :S lol i didnt rlly understand plz just explain in short:S thnx for ur troubles
|
|
|
01/16/2007, 07:38
|
#433
|
elite*gold: 0
Join Date: Jan 2006
Posts: 406
Received Thanks: 284
|
Quote:
Originally posted by shamshoum@Jan 15 2007, 23:38
srry for being a little ****** but i just wanna check if i understood right now u use a program called AgentKing :S? and open the SV and u trace breakpoints :S lol i didnt rlly understand plz just explain in short:S thnx for ur troubles
|
Sorry for making u fuzzy. Now it's not called AgentKing anymore. Please use ScriptVessel as your reference.
* reupload SV*
|
|
|
01/16/2007, 11:13
|
#434
|
elite*gold: 0
Join Date: Oct 2005
Posts: 19
Received Thanks: 0
|
I'm trying to make a login server for SV, and the part I don't understand is this:
Code:
<a b8d5776cf1a68e5d834b95a2d9d06c97&Confirms successfully,the Account will be Expired at 2007-2-12!#2007-1-16 17:46:39>
I know it's an MD5 hash, but it changes every login and I don't know how to generate it exactly to trigger enabling it.
The login string is fairly simple, it's made of 3 MD5 hashes and one (what looks like a descriptor number) concatenated into one:
Code:
g=3846705a105e8b9d40e1329780d62ea2265d8a5a105e8b9d40e1329780d62ea2265d8a000d41d8cd98f0b24e980998ecf8427e
So it looks like this
Code:
384670 (Descriptor* - this one means logout)
5a105e8b9d40e1329780d62ea2265d8a (login)
5a105e8b9d40e1329780d62ea2265d8a (pass)
000d41d8cd98f0b24e980998ecf8427e (Don't know-doesn't change)
The program seems to understand HTTP redirects, and session cookies. I've noticed if I do a POST and mimic SV with the same session cookie data I get the same trigger data back.
The descriptors are always digits:
100410 - login
384670 - logout.
This is as far as I've gotten.
PS. I've hidden my proper login hashes to protect my details, so the calculations anyone tries won't match the login trigger hash.
|
|
|
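Added example, not part of the thread or of any poster's code: a parser for the request layout described in the post above (6-digit descriptor plus three 32-hex fields), with the check a protocol reviewer would run over several captured requests to see which fields never change. The function names are hypothetical, and the `100410` request is constructed by swapping the descriptor into the redacted string from the post.

```python
from __future__ import annotations
import re
from typing import NamedTuple

# Layout described in the post: a 6-digit descriptor, then three
# 32-hex-character (MD5-sized) fields, optionally prefixed with "g=".
TOKEN_RE = re.compile(r"(?:g=)?(\d{6})([0-9a-f]{32})([0-9a-f]{32})([0-9a-f]{32})")
DESCRIPTORS = {"100410": "login", "384670": "logout"}  # the two values listed in the post

class Token(NamedTuple):
    descriptor: str
    action: str
    login: str
    password: str
    unknown: str

def parse_token(raw: str) -> Token:
    """Split one request string into its fields; reject anything off-format."""
    m = TOKEN_RE.fullmatch(raw.strip().lower())
    if m is None:
        raise ValueError("expected 6 digits followed by three 32-hex fields")
    desc, login, password, unknown = m.groups()
    return Token(desc, DESCRIPTORS.get(desc, "unrecognised"), login, password, unknown)

def static_fields(tokens: list[Token]) -> list[str]:
    """Names of digest fields that carry the same value in every captured request."""
    if len(tokens) < 2:
        return []
    return [name for name in ("login", "password", "unknown")
            if len({getattr(t, name) for t in tokens}) == 1]

# Redacted request string exactly as quoted in the post (logout descriptor).
PAGE_TOKEN = "g=3846705a105e8b9d40e1329780d62ea2265d8a5a105e8b9d40e1329780d62ea2265d8a000d41d8cd98f0b24e980998ecf8427e"
# Constructed sample: the same string with the post's login descriptor swapped in.
CONSTRUCTED_LOGIN = "g=100410" + PAGE_TOKEN[8:]

if __name__ == "__main__":
    captured = [parse_token(PAGE_TOKEN), parse_token(CONSTRUCTED_LOGIN)]
    for t in captured:
        print(t.descriptor, t.action)
    # Fields that never change between requests carry no nonce or timestamp.
    print("static fields:", static_fields(captured))
```

Every digest field in the request comes back as static here, while the post reports that the hash in the server's reply changes on every login.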
01/16/2007, 13:17
|
#435
|
elite*gold: 0
Join Date: Jan 2006
Posts: 406
Received Thanks: 284
|
Quote:
Originally posted by ArkticWolf@Jan 16 2007, 11:13
I'm trying to make a login server for SV, and the part I don't understand is this:
Code:
<a b8d5776cf1a68e5d834b95a2d9d06c97&Confirms successfully,the Account will be Expired at 2007-2-12!#2007-1-16 17:46:39>
I know it's an MD5 hash, but it changes every login and I don't know how to generate it exactly to trigger enabling it.
The login string is fairly simple, it's made of 3 MD5 hashes and one (what looks like a descriptor number) concatenated into one:
Code:
g=3846705a105e8b9d40e1329780d62ea2265d8a5a105e8b9d40e1329780d62ea2265d8a000d41d8cd98f0b24e980998ecf8427e
So it looks like this
Code:
384670 (Descriptor* - this one means logout)
5a105e8b9d40e1329780d62ea2265d8a (login)
5a105e8b9d40e1329780d62ea2265d8a (pass)
000d41d8cd98f0b24e980998ecf8427e (Don't know-doesn't change)
The program seems to understand HTTP redirects, and session cookies. I've noticed if I do a POST and mimic SV with the same session cookie data I get the same trigger data back.
The descriptors are always digits:
100410 - login
384670 - logout.
This is as far as I've gotten.
PS. I've hidden my proper login hashes to protect my details, so the calculations anyone tries won't match the login trigger hash.
|
SV needs to log in and get some code to execute.
I tried to bypass the info it gets from the login server and that caused the program to disconnect. Anyway, I know that there is a trick to do that without connecting to the server, by hard-coding it.
It needs to bypass all the verification checks that check on every computer.
For example
login = 5a105e8b9d40e1329780d62ea2265d8a
pass = 5a105e8b9d40e1329780d62ea2265d8a
machine Identification = 000d41d8cd98f0b24e980998ecf8427e
I think this SV version needs more improvement.
If u see a Ragnarok bot or other online game bots:
The bot can modify more data to pick up, such as quantity, quality.
A bot in the Market can auto refill stuff in mat.
When you lving and someone talks with you it will auto answer, and more features.
All of that is free also.
|
|
|