Secondly, this isn't so much a tut on all the things CE scripts can do; it's more about how you get to the point of knowing what to put in them.
Thirdly, I'm a noob with CE, so sorry if I made mistakes explaining stuff (i.e. the scripts), but this is just what I worked out by looking at other people's scripts etc. That's also why, when I show you how to find the code, it's in OllyDbg, because I don't know how to do it in CE.
So yeah, anybody who's experienced with CE and wants to make a tut, be my guest; this was only meant as an alternative, to show people who have no idea.
Programs needed (used):
- Ollydbg
- Cheat Engine
Contents:
- Filtering: Finding the correct result
- Locating the function: Finding the code that needs editing
- Writing out the script: Creating the script, working out what needs to be done, then putting it in script form.
- Task: Just a little test, to see if you understood everything, and a chance to understand it better.
- Filtering -
For the example I'll be using Braiken Castle (braiken.mac). If you don't have a character at Braiken Castle you can do the same with whatever map your character is already in, or just move there.
Some notes on wallhack: there are 3 functions that read the .mac name we will be editing, but we only want one of them. The first runs constantly ingame, but even though it's always running, if you turn wallhack on through it you still need to scroll or reload the map. The second runs at the char select screen, for the maps your chars are currently on: you can make wallhack for all of them and they'll all get edited right away, but only for the maps your chars are at when you're on char select. The third is the one we want and seems the best: it takes effect at map load.
First we need to find the value we want to edit, so open up CE and attach it to the dekaron process. Let the game load to the login screen, then switch to CE, go into Memory Viewer, click on the hex dump, press Ctrl+F and search for 'braiken.mac'. These should be all the results you come across (this is the order I get them in; yours may be different).
So this is the one we want (the last pic), i.e. the one that, if we edit it, won't make us crash and will have an effect on the game. Write down the address it's at, '109BD3A6', and open up OllyDbg. Go to the File tab -> Attach, select the dekaron process, then click the Attach button.
- Locating the function -
Once it's all up, click Run (the button that looks like a play button), or go Debug tab -> Run, or press F9. Now press Ctrl+G and enter the address you got; in this case we had '109BD3A6', so enter it without the quotation marks.
You can select the bytes and go right click -> Binary -> Edit (or Ctrl+E) and it'll display this window with the ASCII, so you can be sure it's the right place. Now log in to the game and wait at your char select page, go right click -> Breakpoint -> Memory, on access, and enter the game. It breaks here:
Code:
00765B5A F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
Look at what value ESI is holding. Looks familiar?
Well, it sure looks close to our address: ESI = 109BD3A4, our address = 109BD3A6. So select it and go right click -> Follow in Dump, then take a look at the hex dump window: there's braiken.mac, and if you scroll up there are the other braikens etc. Now look above the REP MOVS and you'll see the originalcode I used for the script, so let's copy down the address and quit the game.
Code:
00765B4C 8BF0 MOV ESI,EAX
00765B4E B9 FF030000 MOV ECX,3FF
00765B53 8DBC24 88000000 LEA EDI,DWORD PTR SS:[ESP+88]
00765B5A F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
Start up the game again, this time get to the login screen and attach OllyDbg again, go to the address underneath the call, 00765B4C, and now log in. Wait a few secs, then place a BP (breakpoint) on that instruction; you can do this by double clicking on the 2nd column (its opcode), or right click -> Breakpoint -> Toggle, or F2. Now enter the game and it'll stop at this instruction. Look at the register window again, at EAX this time. Follow EAX in the dump and look: braiken again, and if you scroll down you'll see braiken.mac. (This block copies 3FF dwords from the buffer EAX points to into a stack buffer at ESP+88, which is why the name has to be changed before the REP MOVS runs.) So go back to the value of EAX and double click on that address in the dump; OllyDbg will now show the dump relative to that address, counting +/- bytes above and below it.
Now scroll back down to braiken.mac and you'll see braiken is at +400. Well, if you look closely, not exactly: braiken.mac actually starts two bytes after that, so +402, and since the dump is relative to EAX, braiken.mac is at EAX+402.
Now look back at the code and you'll see EAX holds the same value for a few instructions onward, so now it's just a matter of choosing which instruction you want to be the originalcode (the one your jump replaces). After you've picked the instruction(s) you'll use for originalcode, we start on actually making the script and thinking about how to complete it. I'll just walk you through mine.
- Writing out the script -
In this case adding the little check (the CMP/JE) isn't that important, since this code only runs at map load. But for something like non-aggro or vac, which run for every new mob that loads onto your screen, making your code just as effective while using fewer bytes is worthwhile. Each part is numbered, and you refer to the corresponding number to see what that part does.
Code:
[ENABLE]// 1
alloc(blah,1024)// 2
label(return)// 3
00765B53:// 4
JMP blah// 4
NOP// 4
NOP// 4
return: // 5
blah: // 6
LEA EDI,DWORD PTR SS:[ESP+88]// 7
CMP DWORD PTR DS:[EAX+402],5f626577// 7
JE return // 5 and 7
MOV DWORD PTR DS:[EAX+402],5F626577// 7
MOV DWORD PTR DS:[EAX+406],67616D69// 7
MOV DWORD PTR DS:[EAX+40A],616D2E65// 7
MOV DWORD PTR DS:[EAX+40E],00000063// 7
JMP return // 5 and 7
[DISABLE]// 1
dealloc(blah)// 2
00765B53: // 4
LEA EDI,DWORD PTR SS:[ESP+88]// 4
1: [ENABLE] and [DISABLE]. CE says they are needed when you try to inject the script: the enable section enables the code listed under it, and the disable section restores the code listed underneath it.
2: alloc(blah,1024). OK, let's break this up a bit. alloc() is short for allocate. Inside the round brackets you state the name the code will be written under and how many bytes to allocate for it. 1024 bytes is what most scripts say, because most people don't bother changing it since it's usually more than enough. dealloc(blah) de-allocates the blah block, so all the code in the blah block.
3: label(return). label() is a function that lets you, well, label xD. What you put in the brackets can then be used for labelling certain sections/parts of your code. So it's good if you have different sections of code, and for returning so you don't have to write out the address. It's also more easily read and understood by users of the script (people who didn't make it) in case they want to make edits too.
4: 00765B53: is the address of the originalcode (in this case), but if you wanted a few originalcodes you could add the address of each. The code underneath it, the JMP blah, NOP and NOP, is what will be placed at that address, so over the originalcode. The JMP blah is a jump to the blah section, so the code listed under blah; remember it must be allocated first. The JMP assembles to 5 bytes and the original LEA (8DBC24 88000000) is 7 bytes, so the two NOPs pad the patch to exactly 7 bytes; if you left them out, the leftover bytes of the LEA would be executed as garbage when you jump back.
Then the code in the disable section is what it'll change the JMP, NOP, NOP back to.
5: the jumps will be taken to return; remember to label it. It sits right after the NOPs, so returning there continues with the instruction following the originalcode.
6: blah: all code written under this part is part of the blah section; remember to allocate it and add a jump or call to it.
7: is the code, and here is what it does.
Code:
LEA EDI,DWORD PTR SS:[ESP+88]// the originalcode
CMP DWORD PTR DS:[EAX+402],5f626577// compares the dword at EAX+402 with the bytes 5f626577, which in ASCII are web_
JE return// if the compare was equal the Z flag is set and the jump is taken.
// So this is a check added to stop the code below from running again if the map has already been edited to web_image.mac, since it would be going through unneeded code and taking the client longer.
MOV DWORD PTR DS:[EAX+402],5F626577// moves the dword 5F626577 to EAX+402; 5F626577 in ASCII is web_
MOV DWORD PTR DS:[EAX+406],67616D69// moves the dword 67616D69 to EAX+406; 67616D69 in ASCII is imag
MOV DWORD PTR DS:[EAX+40A],616D2E65// moves the dword 616D2E65 to EAX+40A; 616D2E65 in ASCII is e.ma
MOV DWORD PTR DS:[EAX+40E],00000063// moves the dword 00000063 to EAX+40E; 00000063 in ASCII is c followed by three NUL bytes, which terminate the string
JMP return// then it jumps back
// So this writes web_image.mac over the .mac that's there normally.
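As an added example that is not part of the original tut, here is a small Python helper that does the two fiddly parts of step 7 for you: splitting the new filename into little-endian dword immediates (so you don't mis-order the bytes by hand) and generating the whole auto-assembler script, padding the JMP with however many NOPs the hooked instruction needs. The address, original bytes, EAX+402 offset and 3FF dword copy length are the ones from the code above; the function names, the copy_len_dwords bound (derived from MOV ECX,3FF) and the assumption that CE's auto assembler reads bare numbers in instructions as hex are my own.

```python
"""Added helper for building a Cheat Engine auto-assembler string-overwrite
script, written for this page (not part of the original tutorial).

Assumptions (not from the page): function names, the copy_len_dwords bound,
and that bare numbers in CE auto-assembler instructions are read as hex.
"""
import struct


def dword_immediates(text: str, base_offset: int) -> list[tuple[int, str]]:
    """Split an ASCII string plus its NUL terminator into little-endian dword
    immediates, as (offset, 8-hex-digit value) pairs.

    x86 is little-endian, so the dword that stores "web_" is 0x5F626577,
    i.e. the bytes reversed, not 0x7765625F. Getting this backwards by hand
    is the classic mistake, which is why it is a function.
    """
    data = text.encode("ascii") + b"\0"
    data += b"\0" * (-len(data) % 4)          # pad to whole dwords with NULs
    out = []
    for i in range(0, len(data), 4):
        (value,) = struct.unpack("<I", data[i:i + 4])
        out.append((base_offset + i, f"{value:08X}"))
    return out


def nop_padding(orig_bytes_hex: str) -> int:
    """Number of NOPs needed after a 5-byte JMP rel32 to cover the hooked
    instruction exactly (7-byte LEA -> 2 NOPs). Too short to hook -> error."""
    n = len(bytes.fromhex(orig_bytes_hex.replace(" ", "")))
    if n < 5:
        raise ValueError(f"hooked instruction is {n} bytes; JMP rel32 needs 5")
    return n - 5


def build_script(hook_addr: str, orig_bytes_hex: str, orig_asm: str,
                 reg: str, str_offset: int, new_name: str,
                 copy_len_dwords: int, alloc_name: str = "blah") -> str:
    """Emit the [ENABLE]/[DISABLE] script that writes new_name (NUL-terminated)
    at reg+str_offset before the hooked instruction runs."""
    # The REP MOVS copies copy_len_dwords*4 bytes from the buffer, so the new
    # name (and its NUL) must end inside that region or the copy truncates it.
    end = str_offset + len(new_name) + 1
    limit = copy_len_dwords * 4
    if end > limit:
        raise ValueError(f"name ends at +{end:X}, beyond the {limit:X} copied bytes")

    words = dword_immediates(new_name, str_offset)
    first_off, first_val = words[0]
    lines = ["[ENABLE]", f"alloc({alloc_name},1024)", "label(return)", "",
             f"{hook_addr}:", f"JMP {alloc_name}"]
    lines += ["NOP"] * nop_padding(orig_bytes_hex)
    lines += ["return:", "", f"{alloc_name}:", orig_asm,
              # Skip the writes if the first dword already matches.
              f"CMP DWORD PTR DS:[{reg}+{first_off:X}],{first_val}",
              "JE return"]
    lines += [f"MOV DWORD PTR DS:[{reg}+{off:X}],{val}" for off, val in words]
    lines += ["JMP return", "", "[DISABLE]", f"dealloc({alloc_name})",
              f"{hook_addr}:", orig_asm]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Reproduces the wallhack script from the tut.
    print(build_script("00765B53", "8DBC24 88000000",
                       "LEA EDI,DWORD PTR SS:[ESP+88]",
                       "EAX", 0x402, "web_image.mac", 0x3FF))
```

Run it as-is and it prints the same script as above (minus the numbered comments). The two checks are the ones that bite in practice: a hook on an instruction shorter than 5 bytes silently clobbers the next instruction, and a replacement name longer than what the REP MOVS copies gets cut off in the stack copy even though it looks right in the source buffer.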
- Task -
OK, here's a little 'assignment' XD: see if you can make a script that lets you talk as your epvp name. For example, the name change hack is where you would usually search for your char's name in CE and then change it to, say, ImLovingThisTut *cough*cough*, and this lets you pm/shout as this new name and others see it. So the task is to make a script that, once assembled, changes your epvp name to ssssss (fills it with s's) and lets you pm/shout under that name. If you're having trouble there are spoilers for some steps, so the aim is to finish going through the least amount of spoilers; if you do need to go through them all, then that means my tut wasn't good enough and I'll be mad o.O
If you follow my spoilers from the start you'll probably end up with a script close to mine, but if you just check the last spoiler you might be confused, since there are like 3 or 4 functions that all use this, and maybe all of them will have an effect; idk, I only spent a few mins on this.