offset for using more than 3 smileys
Discussion on offset for using more than 3 smileys within the Perfect World forum part of the MMORPGs category.
08/01/2010, 20:25 - #1 - elite*gold: 0 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
offset for using more than 3 smileys
Can anyone tell me how to get the offsets for using more than 3 smileys using Cheat Engine?
I already know how to get an offset, for example max HP like in pic 1 below, using [find out what writes to this address]; the value in red, which is 494, is the max HP offset in hex.
But how do I get the offsets (I think people call it a multilevel pointer or something) for using 3 smileys in pic 2? I get the address using Cheat Engine but I don't know how to determine the offset for this one. How do I get the correct offsets for this one? It says something like this: 0071aeb8 - mov [eax], ecx.
Please check the pics below regarding my question above.
Pic 1:
Pic 2:

08/01/2010, 21:24 - #2 - elite*gold: 280 | Join Date: May 2007 | Posts: 2,818 | Received Thanks: 3,483
Instead of searching for the current number of smileys, you should disable the limit. To do that, you can search in the client for "Face_" and you'll end up here:
Simply NOP the jge line and the number of smileys won't matter anymore (not really helpful, since one smiley takes 16 chars, and the max number of characters that can be used in chat is 80. That means you can use max 5 smileys).

08/02/2010, 07:40 - #3 - elite*gold: 0 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
I'm new to OllyDbg. I tried to run it, open elementclient.exe, press Ctrl-F and input Face_ there, but it said 'Unrecognized Command'.

08/02/2010, 11:38 - #4 - elite*gold: 280 | Join Date: May 2007 | Posts: 2,818 | Received Thanks: 3,483
You have to search for all referenced text strings. In the list of all texts, you can search for the string you're looking for. (Don't forget to press Pos1 to get to the top of the list first.)

08/03/2010, 07:05 - #5 - elite*gold: 0 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
I tried a Ctrl-B (Binary String) search and it still didn't come up with anything that contains the word Face_.
Anyone else tried to use more than 3 smileys? Please do tell if you found the offset using CE or Olly.

08/03/2010, 10:52 - #6 - elite*gold: 280 | Join Date: May 2007 | Posts: 2,818 | Received Thanks: 3,483
Once again... you have to search for all referenced text strings.
In the upcoming list of all referenced text strings, you can search for "Face_".

08/03/2010, 11:52 - #7 - elite*gold: 0 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
Sorry, I'm not familiar with OllyDbg and don't quite understand what you mean by referenced text strings. If you could please tell me how to do it step by step, if it's not too complicated:
1. Open elementclient.exe.
2. Then what should I do with it? Do I just press Ctrl-F or Ctrl-B to search for Face_?

08/03/2010, 15:01 - #8 - elite*gold: 280 | Join Date: May 2007 | Posts: 2,818 | Received Thanks: 3,483
Simply run the client with odbg, right-click, search for all referenced text strings.
A new window will pop up. Go to the top of that window and search for "Face_".

08/03/2010, 15:19 - #9 - elite*gold: 0 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
LOL, turns out [search for all referenced text strings] was there all along; why didn't I see it before?
I'll post the result later once I've made a backup. Thanks again ^^)
-edit-
My first 'hack' using OllyDbg, and it works! Thanks lolkop.

08/03/2010, 16:54 - #10 - elite*gold: 280 | Join Date: May 2007 | Posts: 2,818 | Received Thanks: 3,483
If you know how to work with odbg, you can build loaders, which do the stuff you want to do on their own =)
The most efficient things in AutoIt are the File and StringRegExp functions, and that's all you need to build a loader that will work for all future versions too.
This is a small example of a loader, which removes the zoom limit and smiley limit, for example:
Code:
; loading the file into the memory
$path = "elementclient.exe"
$file = FileOpen($path, 16)
$read = FileRead($file, FileGetSize($path))
FileClose($file)
; searching and patching zoomhack
$read = StringRegExpReplace($read, '(885E.{2}D985.{8}D846.{2}D956.{2}D81D.{8}.*?)75(.{2}894E.{2}8B073BC3)', '${1}EB${2}')
; search and patch the smile limit
$read = StringRegExpReplace($read, '(8B84B8.{8}8B4C24.{2}3B48.{2}7D.{2}83BB.{10})7D.{2}(518D4424.{2}5750E8.{8}83C4.{2}8B00)', '${1}9090${2}')
; starting the patched file =)
RunFileFromMemory($read, $path)

Func RunFileFromMemory($bBinaryImage, $path)
    Local $aCall
    ; copy the patched image into a local buffer
    Local $tInput = DllStructCreate("byte[" & BinaryLen($bBinaryImage) & "]"), $pPointer
    DllStructSetData($tInput, 1, $bBinaryImage)
    $pPointer = DllStructGetPtr($tInput)
    ; start the original executable suspended (dwCreationFlags = 4)
    Local $tSTARTUPINFO = DllStructCreate("dword cbSize;ptr Reserved;ptr Desktop;ptr Title;dword X;dword Y;dword XSize;dword YSize;dword XCountChars;dword YCountChars;dword FillAttribute;dword Flags;ushort ShowWindow;ushort cbReserved2;ptr lpReserved2;ptr hStdInput;ptr hStdOutput;ptr hStdError")
    DllStructSetData($tSTARTUPINFO, "cbSize", DllStructGetSize($tSTARTUPINFO))
    Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;ptr Thread;dword ProcessId;dword ThreadId")
    $aCall = DllCall("kernel32.dll", "int", "CreateProcessW", "wstr", $path, "ptr", 0, "ptr", 0, "ptr", 0, "int", 0, "dword", 4, "ptr", 0, "ptr", 0, "ptr", DllStructGetPtr($tSTARTUPINFO), "ptr", DllStructGetPtr($tPROCESS_INFORMATION))
    Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process")
    Local $hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread")
    ; read the main thread context (CONTEXT_INTEGER)
    Local $tCONTEXT = DllStructCreate("dword ContextFlags;dword Dr0;dword Dr1;dword Dr2;dword Dr3;dword Dr6;dword Dr7;dword ControlWord;dword StatusWord;dword TagWord;dword ErrorOffset;dword ErrorSelector;dword DataOffset;dword DataSelector;byte RegisterArea[80];dword Cr0NpxState;dword SegGs;dword SegFs;dword SegEs;dword SegDs;dword Edi;dword Esi;dword Ebx;dword Edx;dword Ecx;dword Eax;dword Ebp;dword Eip;dword SegCs;dword EFlags;dword Esp;dword SegSs")
    DllStructSetData($tCONTEXT, "ContextFlags", 0x10002)
    $aCall = DllCall("kernel32.dll", "int", "GetThreadContext", "ptr", $hThread, "ptr", DllStructGetPtr($tCONTEXT))
    ; parse the PE headers of the patched image
    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];ushort BytesOnLastPage;ushort Pages;ushort Relocations;ushort SizeofHeader;ushort MinimumExtra;ushort MaximumExtra;ushort SS;ushort SP;ushort Checksum;ushort IP;ushort CS;ushort Relocation;ushort Overlay;char Reserved[8];ushort OEMIdentifier;ushort OEMInformation;char Reserved2[20];dword AddressOfNewExeHeader", $pPointer)
    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader")
    Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic")
    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)
    $pPointer += 4
    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;ushort NumberOfSections;dword TimeDateStamp;dword PointerToSymbolTable;dword NumberOfSymbols;ushort SizeOfOptionalHeader;ushort Characteristics", $pPointer)
    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")
    $pPointer += 20
    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;ubyte MajorLinkerVersion;ubyte MinorLinkerVersion;dword SizeOfCode;dword SizeOfInitializedData;dword SizeOfUninitializedData;dword AddressOfEntryPoint;dword BaseOfCode;dword BaseOfData;dword ImageBase;dword SectionAlignment;dword FileAlignment;ushort MajorOperatingSystemVersion;ushort MinorOperatingSystemVersion;ushort MajorImageVersion;ushort MinorImageVersion;ushort MajorSubsystemVersion;ushort MinorSubsystemVersion;dword Win32VersionValue;dword SizeOfImage;dword SizeOfHeaders;dword CheckSum;ushort Subsystem;ushort DllCharacteristics;dword SizeOfStackReserve;dword SizeOfStackCommit;dword SizeOfHeapReserve;dword SizeOfHeapCommit;dword LoaderFlags;dword NumberOfRvaAndSizes", $pPointer)
    $pPointer += 96
    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")
    Local $iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint")
    $pPointer += 128 ; skip the 16 data directories
    Local $pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase")
    Local $iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage")
    ; read the target's PEB to find where its original image is mapped
    Local $tPEB = DllStructCreate("byte InheritedAddressSpace;byte ReadImageFileExecOptions;byte BeingDebugged;byte Spare;ptr Mutant;ptr ImageBaseAddress;ptr LoaderData;ptr ProcessParameters;ptr SubSystemData;ptr ProcessHeap;ptr FastPebLock;ptr FastPebLockRoutine;ptr FastPebUnlockRoutine;dword EnvironmentUpdateCount;ptr KernelCallbackTable;ptr EventLogSection;ptr EventLog;ptr FreeList;dword TlsExpansionCounter;ptr TlsBitmap;dword TlsBitmapBits[2];ptr ReadOnlySharedMemoryBase;ptr ReadOnlySharedMemoryHeap;ptr ReadOnlyStaticServerData;ptr AnsiCodePageData;ptr OemCodePageData;ptr UnicodeCaseTableData;dword NumberOfProcessors;dword NtGlobalFlag;ubyte Spare2[4];int64 CriticalSectionTimeout;dword HeapSegmentReserve;dword HeapSegmentCommit;dword HeapDeCommitTotalFreeThreshold;dword HeapDeCommitFreeBlockThreshold;dword NumberOfHeaps;dword MaximumNumberOfHeaps;ptr ProcessHeaps;ptr GdiSharedHandleTable;ptr ProcessStarterHelper;ptr GdiDCAttributeList;ptr LoaderLock;dword OSMajorVersion;dword OSMinorVersion;dword OSBuildNumber;dword OSPlatformId;dword ImageSubSystem;dword ImageSubSystemMajorVersion;dword ImageSubSystemMinorVersion;dword GdiHandleBuffer[34];dword PostProcessInitRoutine;dword TlsExpansionBitmap;ubyte TlsExpansionBitmapBits[128];dword SessionId")
    $aCall = DllCall("kernel32.dll", "int", "ReadProcessMemory", "ptr", $hProcess, "ptr", DllStructGetData($tCONTEXT, "Ebx"), "ptr", DllStructGetPtr($tPEB), "dword", DllStructGetSize($tPEB), "dword*", 0)
    Local $hBaseAddress = DllStructGetData($tPEB, "ImageBaseAddress")
    $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProcess, "ptr", DllStructGetData($tCONTEXT, "Ebx") + 8, "ptr*", $pOptionalHeaderImageBaseNEW, "dword", 4, "dword*", 0)
    ; replace the mapped image with the patched one: headers first, then each section
    $aCall = DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", "ptr", $hProcess, "ptr", $hBaseAddress)
    $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "ptr", $hProcess, "ptr", $pOptionalHeaderImageBaseNEW, "dword", $iOptionalHeaderSizeOfImageNEW, "dword", 12288, "dword", 64)
    Local $pRemoteCode = $aCall[0]
    Local $pHEADERS_NEW = DllStructGetPtr($tIMAGE_DOS_HEADER)
    Local $iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")
    $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProcess, "ptr", $pRemoteCode, "ptr", $pHEADERS_NEW, "dword", $iOptionalHeaderSizeOfHeadersNEW, "dword*", 0)
    Local $tIMAGE_SECTION_HEADER, $iSizeOfRawData, $pPointerToRawData, $iVirtualAddress
    For $i = 1 To $iNumberOfSections
        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];dword UnionOfVirtualSizeAndPhysicalAddress;dword VirtualAddress;dword SizeOfRawData;dword PointerToRawData;dword PointerToRelocations;dword PointerToLinenumbers;ushort NumberOfRelocations;ushort NumberOfLinenumbers;dword Characteristics", $pPointer)
        $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
        $pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")
        $iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")
        If $iSizeOfRawData Then
            $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProcess, "ptr", $pRemoteCode + $iVirtualAddress, "ptr", $pPointerToRawData, "dword", $iSizeOfRawData, "dword*", 0)
        EndIf
        $pPointer += 40 ; next IMAGE_SECTION_HEADER
    Next
    ; set the new entry point and resume the thread
    DllStructSetData($tCONTEXT, "Eax", $pRemoteCode + $iEntryPointNEW)
    $aCall = DllCall("kernel32.dll", "int", "SetThreadContext", "ptr", $hThread, "ptr", DllStructGetPtr($tCONTEXT))
    $aCall = DllCall("kernel32.dll", "int", "ResumeThread", "ptr", $hThread)
    Return DllStructGetData($tPROCESS_INFORMATION, "ProcessId")
EndFunc
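The loader above starts the client suspended (dwCreationFlags = 4, CREATE_SUSPENDED), unmaps its original image, writes the patched image into memory allocated with protection 64 (PAGE_EXECUTE_READWRITE), repoints the thread and resumes it; that is the process-hollowing sequence, and it shows up in API-call telemetry even though the file on disk stays untouched. As an added example (not from the thread or the loader's author), a small Python detector run over a constructed API-call trace; the record layout and the PIDs are assumptions:

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x4            # the loader passes 4 as dwCreationFlags
PAGE_EXECUTE_READWRITE = 0x40     # the loader passes 64 as flProtect

# Constructed API-call trace (not real telemetry): one record per call, keyed by the
# calling process and the process it operates on. The first group mirrors the loader's
# sequence; the second is a suspended start with no remapping (e.g. a debugger).
SAMPLE_TRACE = [
    {"pid": 100, "target": 4242, "api": "CreateProcessW", "args": {"dwCreationFlags": 0x4}},
    {"pid": 100, "target": 4242, "api": "GetThreadContext"},
    {"pid": 100, "target": 4242, "api": "ReadProcessMemory"},
    {"pid": 100, "target": 4242, "api": "WriteProcessMemory", "args": {"size": 4}},
    {"pid": 100, "target": 4242, "api": "NtUnmapViewOfSection"},
    {"pid": 100, "target": 4242, "api": "VirtualAllocEx", "args": {"flProtect": 0x40}},
    {"pid": 100, "target": 4242, "api": "WriteProcessMemory", "args": {"size": 0x400}},
    {"pid": 100, "target": 4242, "api": "WriteProcessMemory", "args": {"size": 0x80000}},
    {"pid": 100, "target": 4242, "api": "SetThreadContext"},
    {"pid": 100, "target": 4242, "api": "ResumeThread"},
    {"pid": 200, "target": 5151, "api": "CreateProcessW", "args": {"dwCreationFlags": 0x4}},
    {"pid": 200, "target": 5151, "api": "ReadProcessMemory"},
    {"pid": 200, "target": 5151, "api": "ResumeThread"},
]

# Stages that must all appear, in this order, against a process that was started suspended.
STAGES = ("NtUnmapViewOfSection", "WriteProcessMemory", "SetThreadContext", "ResumeThread")


def find_hollowing(trace):
    """Return [(creator_pid, target_pid, rwx_alloc_seen)] for every matching sequence."""
    state = defaultdict(lambda: {"suspended": False, "stage": 0, "rwx": False})
    hits = []
    for ev in trace:
        st = state[(ev["pid"], ev["target"])]
        api, args = ev["api"], ev.get("args", {})
        if api == "CreateProcessW":
            st["suspended"] = bool(args.get("dwCreationFlags", 0) & CREATE_SUSPENDED)
        elif not st["suspended"]:
            continue                      # only suspended-start targets are tracked
        elif api == "VirtualAllocEx" and args.get("flProtect") == PAGE_EXECUTE_READWRITE:
            st["rwx"] = True              # strengthens the hit, not required for it
        elif st["stage"] < len(STAGES) and api == STAGES[st["stage"]]:
            st["stage"] += 1              # unrelated calls in between are ignored
            if st["stage"] == len(STAGES):
                hits.append((ev["pid"], ev["target"], st["rwx"]))
    return hits


if __name__ == "__main__":
    for creator, target, rwx in find_hollowing(SAMPLE_TRACE):
        print(f"pid {creator} hollowed pid {target} (RWX allocation seen: {rwx})")
```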

08/03/2010, 17:35 - #11 - elite*gold: 0 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
Hey thanks, another new trick. It looks like gibberish, but that's what new things always look like in source code to me lol.
I just tried running the code but it gave me a launcher error "Please start game from launcher.exe". Do I have to bypass the launcher before running the code?
BTW, is there any way to NOP NOP all the things in the PW patch that disable flyhack, jumphack or wallhack, so that all the old hacks can be used again without finding new methods?

08/03/2010, 17:47 - #12 - elite*gold: 280 | Join Date: May 2007 | Posts: 2,818 | Received Thanks: 3,483
There is no launcher check in the PWI client. Upload your elementclient.exe and I'll take a look at it.
And yes, for sure it's possible to enable all hacks.
The good thing about loaders is that no one can detect the hack, since you're using the original files.
Well, I'm not a fan of unfair hacks like jumphack etc., so I won't tell you how to add them. But if you understand the way it's working you can add such things on your own.

08/03/2010, 18:06 - #13 - elite*gold: 0 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
It must be very convenient being a hacker and a gamer like you or many others that understand this kind of thing.
Oh, here is the file.
One more thing: do you have the pointer to check other players' HP? Sometimes I like to peek at other players' HP using CE, but it's very annoying to always search for it every time I run the client, and it only shows the HP when the element client is the active window; it always gives me an error and closes the client if I try to [check what writes to this address] using CE to find the offset.

08/03/2010, 19:35 - #14 - elite*gold: 280 | Join Date: May 2007 | Posts: 2,818 | Received Thanks: 3,483
Quote: Originally Posted by Smurfin
    It must be very convenient being a hacker and a gamer like you or many others that understand this kind of thing.
    Oh, here is the file.
    One more thing: do you have the pointer to check other players' HP? Sometimes I like to peek at other players' HP using CE, but it's very annoying to always search for it every time I run the client, and it only shows the HP when the element client is the active window; it always gives me an error and closes the client if I try to [check what writes to this address] using CE to find the offset.

Check my player data code.
The offsets for other players' data are the same as those for your char.

08/03/2010, 19:53 - #15 - elite*gold: 0 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
Oh ok, I'll look for it in there.