SpeedHack

[ntKid]

This is how i do speedhack, notice that this is similar to a qpc hook so it will speedup everything...
Credit me if u use this, hope you like my first post...
btw this is for PW MY-EN

Code:

DWORD MallocAddress = (DWORD)malloc;
DWORD MemcpyAddress = (DWORD)memcpy;
int SpeedMeter=2;

__declspec(naked) int __cdecl Reroute(BYTE* source,BYTE* target,int len)
{
	__asm
	{
		push ebx;
		push ebp;
		push esi;
		mov  esi,[esp+0Ch+dword ptr 0Ch];
		lea  eax,[esi+5];
		push edi;
		push eax;
		call MallocAddress;
		mov ebx,[esp+14h+dword ptr 4];
		mov ebp,ds:VirtualProtect;
		add esp,4;
		lea ecx,[esp+10h+dword ptr 0Ch];
		push ecx;
		push 4; 
		push esi; 
		push ebx; 
		mov edi,eax;
		call ebp;
		push esi;
		push ebx;
		push edi;
		call MemcpyAddress;
		mov ecx,[esp+1Ch+dword ptr 8];
		add edi,esi;
		mov edx,ebx;
		sub edx,edi;
		add esp,0Ch;
		lea eax,[edx+esi-5];
		mov byte ptr [edi],0E9h;
		mov [edi+1],eax;
		mov eax,[esp+10h+dword ptr 0Ch];
		lea edx,[esp+10h+dword ptr 0Ch];
		push edx;
		push eax;
		sub ecx,ebx;
		push esi;
		sub ecx,5;
		push ebx;
		mov byte ptr [ebx],0E9h;
		mov [ebx+1],ecx;
		call ebp;
		mov eax,edi;
		pop edi;
		sub eax,esi;
		pop esi;
		pop ebp;
		pop ebx;
		retn
	}
}

BOOL (__cdecl* pGameSpeed)();
BOOL __cdecl myGameSpeed()
{
	BOOL bRet;
	__int64 GameFactor; 
	__int64 OurFactor = 1000000 * SpeedMeter;
	struct _SYSTEMTIME SystemTime;
	struct _FILETIME FileTime; 
	LARGE_INTEGER PerformanceCount; 
	LARGE_INTEGER bTemp = *(LARGE_INTEGER*)0x9482D8;
	bool GetFrequency = *(bool*)0x008FC268;
	
	if(bTemp.HighPart)
	{
		GetLocalTime(&SystemTime);
		SystemTimeToFileTime(&SystemTime, &FileTime);
		return 1000 * FileTime.dwLowDateTime;
	}
	if(bTemp.LowPart)
		return 1000 * timeGetTime();
	
	if(GetFrequency)
	{
		bRet = QueryPerformanceFrequency(&bTemp);
		if(!bRet)
			return bRet;
		GetFrequency = false;
	}

	bRet = QueryPerformanceCounter(&PerformanceCount);

	if(bRet)
	{
		GameFactor = *(__int64*)&PerformanceCount;
		PerformanceCount.LowPart = OurFactor* *(UINT64*)&PerformanceCount % *(UINT64*)&bTemp / *(UINT64*)&bTemp;
		bRet = OurFactor* GameFactor / *(UINT64*)&bTemp + (DWORD)PerformanceCount.LowPart;
	}
	return bRet;
}

//Set the hook once where u wish...
pGameSpeed=(BOOL(__cdecl*)())\
			Reroute((BYTE*)0x006F93C0,(BYTE*)myGameSpeed,5);

[unsight]

can you make this tut more clear...??

[GODDNESS]

what language is it?

[ntKid]

Quote:

Originally Posted by GODDNESS

what language is it?

This is C++ MSDEV

Quote:

Originally Posted by unsight

can you make this tut more clear...??

If you dont know C++ this is what u can do:

Method1:Open your memory editor and put in address 009482DA this carrys the LOWPART Value from the LARGE_INTEGER struct (QPC Argument). Raise the value to slowdown or lower it to speed up

Method2:
Open your memory editor and put in addresses 006F94A9 and 006F9481 this carrys a static int used to calculate Game speed factor both addresses must have the same value and do not set it < than 1000000 always >

Dont speed yourself with crazy amounts...

Cheers, sry my bad english

[BetaBowElfe]

it will speed up everything so everything is just in relative to everything no matter the speed so it doesn't make any sense at all it is just like same with the CE built in speed in hack. Or maybe i got u wrong?

[ntKid]

yes m8 you are right, i said in first post that this is similar to a qpc hook, so u cant push too many out of it. I only speed just a litle until i see no pushback, depends how much ur speeding it. When i first started building this my goal was to make a penney/rosalind hack, i think it can be exploited. Cheers!

[BetaBowElfe]

there is actually a way to add speed without lagging it back but it doesnt really speed at all it just cuts the lag delay from server example in a race the other guy reach the finish lane same as u but u always get to click first than the other when the two of u finish at the same time together at the npc.

[ntKid]

looking at client i found these functions

Code:

.text:00472350                 mov     al, [ecx+5ECh]//Get Character Movement
.text:00472356                 test    al, al // Am i walking or Runing?
.text:00472358                 jz      short loc_472361
.text:0047235A                 fld     dword ptr [ecx+494h] //Running Speed
.text:00472360                 retn
.text:00472361                 fld     dword ptr [ecx+490h] //Walking Speed
.text:00472367                 retn

So
PlayerStruct + 20 + 5EC = 1(Running) 0(Walking) (short int) //2 Bytes...
PlayerStruct + 20 + 494 = Run Speed (float)
PlayerStruct + 20 + 490 = Walk Speed (float)

Code:

.text:0044AA5F                 mov     eax, [ecx+5E8h]//Get Character Moving Action...
.text:0044AA65                 dec     eax
.text:0044AA66                 jz      short loc_44AA87//Swimming
.text:0044AA68                 dec     eax
.text:0044AA69                 jz      short loc_44AA76//Flying
.text:0044AA6B                 call    sub_472350

//Flying
.text:0044AA76                 mov     eax, [ecx+49Ch]//Flying Speed
.text:0044AA7C                 mov     edi, 41h
.text:0044AA81                 mov     [esp+18h+var_10], eax
.text:0044AA85                 jmp     short loc_44AA96
//Swimming
.text:0044AA87                 mov     ecx, [ecx+498h]//Swimming Speed
.text:0044AA8D                 mov     edi, 81h
.text:0044AA92                 mov     [esp+18h+var_10], ecx

So
PlayerStruct + 20 + 5E8 = Moving Action 0(Normal) 1(Swimming) 2(Flying) (short int) //2 Bytes...
PlayerStruct + 20 + 49C = Fly Speed(float)
PlayerStruct + 20 + 498 = Swim Speed(float)

Neverming, i just figured it out how to do it... dont bother pming me asking how, my reply will be the same as ur feedback in my thread, tough here is more than enough info for u to figure it out... Cheers

[jnel26]

Quote:

Originally Posted by ntKid

looking at client i found these functions

Code:

.text:00472350                 mov     al, [ecx+5ECh]//Get Character Movement
.text:00472356                 test    al, al // Am i walking or Runing?
.text:00472358                 jz      short loc_472361
.text:0047235A                 fld     dword ptr [ecx+494h] //Running Speed
.text:00472360                 retn
.text:00472361                 fld     dword ptr [ecx+490h] //Walking Speed
.text:00472367                 retn

So
PlayerStruct + 20 + 5EC = 1(Running) 0(Walking) (short int) //2 Bytes...
PlayerStruct + 20 + 494 = Run Speed (float)
PlayerStruct + 20 + 490 = Walk Speed (float)

Code:

.text:0044AA5F                 mov     eax, [ecx+5E8h]//Get Character Moving Action...
.text:0044AA65                 dec     eax
.text:0044AA66                 jz      short loc_44AA87//Swimming
.text:0044AA68                 dec     eax
.text:0044AA69                 jz      short loc_44AA76//Flying
.text:0044AA6B                 call    sub_472350

//Flying
.text:0044AA76                 mov     eax, [ecx+49Ch]//Flying Speed
.text:0044AA7C                 mov     edi, 41h
.text:0044AA81                 mov     [esp+18h+var_10], eax
.text:0044AA85                 jmp     short loc_44AA96
//Swimming
.text:0044AA87                 mov     ecx, [ecx+498h]//Swimming Speed
.text:0044AA8D                 mov     edi, 81h
.text:0044AA92                 mov     [esp+18h+var_10], ecx

So
PlayerStruct + 20 + 5E8 = Moving Action 0(Normal) 1(Swimming) 2(Flying) (short int) //2 Bytes...
PlayerStruct + 20 + 49C = Fly Speed(float)
PlayerStruct + 20 + 498 = Swim Speed(float)

Neverming, i just figured it out how to do it... dont bother pming me asking how, my reply will be the same as ur feedback in my thread, tough here is more than enough info for u to figure it out... Cheers

dude what is the playerstruct??? its that our base address or the character offsets position?????

[neogrizzly]

Well The main problem about speedhack is rollback. I try to look and change every value I can find and still rollback. Still looking ideas how to find the best way for speed hack (cuz I know someone out there succeeded find undetected speed hack).