Tutorial: How to Bypass Speedhack Rollback

AZiRes1 · 06/05/2018, 18:16

Download Ollydbg at

Open your RFO and login into the world.
Open your Ollydbg, press 'File -> Attach' and select your RFO proccess.

Right click on Ollydbg and select 'View -> Module RF_Online'
Again, Right click on Ollydbg and select 'Search for -> all referenced text strings'

Now we have a list of functions, and need to search for 2 of them. (MoveRequest, RealmovposRequest)
Just like in the picture:

Save those 2 addresse's to notepad.
Close Ollydbg, and lets continue with CheatEngine.

Again, Open RFO, Open CheatEngine, and attach it to RFO.

Open 'Memory View' and press 'CTRL + G' (goto address), and place your 1st address there.
Right click anywhere on the code, and select 'Select current function' (so it goes to the beginning of the function)

Now we have to find the line of code, checking for the time elapsed delay.

Example:

As shown in the image
The 'ecx' register contains the amount of time elapsed since last packet was sent. (in ms/milliseconds)
The '1F4' (hexadecimal) is 500(decimal)
So, in 'cmp ecx, 1F4' means, we are checking if 500ms are elapsed.
If the 500ms are elapsed, jae will jmp forward, and keep executing the 'movereq' function.
If the 500ms are NOT elapsed, jae wont jmp forward, but instead use the 'jmp 0x..' to jump to the address exiting the function.

All we have to do, is to replace the 'jae' with 'jmp' so there wont be any checking.
Or replace the '1F4' with a lesser value.

Do the same process with the other function address 'RealmovposRequest'.

Now your game will be able to send 'Move' packet's without delay. (that's all we need to bypass rollback)

Only thing left is to search for the 'Speed Address', change it to a higher value and freeze.

Done, your speed hack is working. Have fun

Remember, those addresses are different on each server, and they can change after an update.
Not sure if this method works on every server. but probably is working on 90% of them.
And if you're not able to find the right address on CheatEngine, you probably used the wrong address, or your game is encrypted/protected by an antihack. (that's another story ^^)

Good luck!

Edit --- Video Added
Tutorial Video:

Luxcy666 · 06/08/2018, 04:44

Spoiler

Quote:

Originally Posted by AZiRes1

Download Ollydbg at

Open your RFO and login into the world.
Open your Ollydbg, press 'File -> Attach' and select your RFO proccess.

Right click on Ollydbg and select 'View -> Module RF_Online'
Again, Right click on Ollydbg and select 'Search for -> all referenced text strings'

Now we have a list of functions, and need to search for 2 of them. (MoveRequest, RealmovposRequest)
Just like in the picture:

Save those 2 addresse's to notepad.
Close Ollydbg, and lets continue with CheatEngine.

Again, Open RFO, Open CheatEngine, and attach it to RFO.

Open 'Memory View' and press 'CTRL + G' (goto address), and place your 1st address there.
Right click anywhere on the code, and select 'Select current function' (so it goes to the beginning of the function)

Now we have to find the line of code, checking for the time elapsed delay.

Example:
As shown in the image
The 'ecx' register contains the amount of time elapsed since last packet was sent. (in ms/milliseconds)
The '1F4' (hexadecimal) is 500(decimal)
So, in 'cmp ecx, 1F4' means, we are checking if 500ms are elapsed.
If the 500ms are elapsed, jae will jmp forward, and keep executing the 'movereq' function.
If the 500ms are NOT elapsed, jae wont jmp forward, but instead use the 'jmp 0x..' to jump to the address exiting the function.

All we have to do, is to replace the 'jae' with 'jmp' so there wont be any checking.
Or replace the '1F4' with a lesser value.

Do the same process with the other function address 'RealmovposRequest'.

Now your game will be able to send 'Move' packet's without delay. (that's all we need to bypass rollback)

Only thing left is to search for the 'Speed Address', change it to a higher value and freeze.

Done, your speed hack is working. Have fun

Remember, those addresses are different on each server, and they can change after an update.
Not sure if this method works on every server. but probably is working on 90% of them.
And if you're not able to find the right address on CheatEngine, you probably used the wrong address, or your game is encrypted/protected by an antihack. (that's another story ^^)

Good luck!

Spoiler

Stupid question sir [Very newbie learn assembly]
1. How to replace the 'jae' with 'jmp' ?
2. How to reduce value at assembly 1F4 ?
3. how to make it into script / "Code Injection"?

I am still a beginner in CE. Just know find the value and make a CE pointer
Ini masih dalam percobaan RFid Classic [Official Server Lyto]

************************************************** **********************************
still in editing process, Post #3

is what am I doing right or wrong?

Step1
Address 1: 005A1B3F
Address 2: 005A1C72

Spoiler

Step2: First address

Spoiler

AZiRes1 · 06/08/2018, 09:51

Yes, you are doing everything right.

Quote:

1. How to replace the 'jae' with 'jmp' ?
2. How to reduce value at assembly 1F4 ?
3. how to make it into script / "Code Injection"?

1 and 2: just double click the line, and edit it as you wish. (jae to jmp, or change the 1F4 to another value)
3: you can use 'Auto assemble', example:

Luxcy666 · 06/10/2018, 06:07

the second address looks different from the first address
what should i do with the second address

Image 1, 2 & 3 (Select current function)

Spoiler

Luxcy666 · 06/12/2018, 17:20

as far as i know, there are 3 blink
1. blink run: default 66
2. blink walk: default 65 / 66
3. blink with float: armor ranger, injurer weapon, speed, etc

mbahkung · 07/13/2018, 20:19

@

can you give screenshoot after you change at step 1 and step 2?
i already try it, but nothing happen, im really confused at step 2.
sorry for my bad english

@

are u get it?
im play at rf classic too

serkidz1 · 07/31/2018, 05:31

man its still blinking

~~occulttime~~ · 08/15/2018, 20:16

is this working on RF Reign? 2.2.3.2

jamzter17 · 08/16/2018, 18:36

is there already damage hack?

baltais99 · 09/02/2018, 18:22

Does this work IN R/e/d/f/o/x ?
And can this be done with Damage Hack ?

shinkinsaki · 09/23/2018, 23:56

bro if possible can u make a video or by pics step by step on how to do it? Im completely noob regarding to this but I want it

Im stuck at 2nd step lol in this part

"Right click on Ollydbg and select 'View -> Module RF_Online'
Again, Right click on Ollydbg and select 'Search for -> all referenced text strings'"

tiktakto3 · 09/26/2018, 19:40

hey man can you teach me how to use damage hack im very new to CE and my head hurts like hell reading and trying to follow all the guide

Quote:

Originally Posted by baltais99

Does this work IN R/e/d/f/o/x ?
And can this be done with Damage Hack ?

hey man can you teach me how to use damage hack im very new to CE and my head hurts like hell reading and trying to follow all the guide

tempe132 · 11/05/2018, 05:56

Quote:

Originally Posted by AZiRes1

Download Ollydbg at

Open your RFO and login into the world.
Open your Ollydbg, press 'File -> Attach' and select your RFO proccess.

Right click on Ollydbg and select 'View -> Module RF_Online'
Again, Right click on Ollydbg and select 'Search for -> all referenced text strings'

Now we have a list of functions, and need to search for 2 of them. (MoveRequest, RealmovposRequest)
Just like in the picture:

Save those 2 addresse's to notepad.
Close Ollydbg, and lets continue with CheatEngine.

Again, Open RFO, Open CheatEngine, and attach it to RFO.

Open 'Memory View' and press 'CTRL + G' (goto address), and place your 1st address there.
Right click anywhere on the code, and select 'Select current function' (so it goes to the beginning of the function)

Now we have to find the line of code, checking for the time elapsed delay.

Example:
As shown in the image
The 'ecx' register contains the amount of time elapsed since last packet was sent. (in ms/milliseconds)
The '1F4' (hexadecimal) is 500(decimal)
So, in 'cmp ecx, 1F4' means, we are checking if 500ms are elapsed.
If the 500ms are elapsed, jae will jmp forward, and keep executing the 'movereq' function.
If the 500ms are NOT elapsed, jae wont jmp forward, but instead use the 'jmp 0x..' to jump to the address exiting the function.

All we have to do, is to replace the 'jae' with 'jmp' so there wont be any checking.
Or replace the '1F4' with a lesser value.

Do the same process with the other function address 'RealmovposRequest'.

Now your game will be able to send 'Move' packet's without delay. (that's all we need to bypass rollback)

Only thing left is to search for the 'Speed Address', change it to a higher value and freeze.

Done, your speed hack is working. Have fun

Remember, those addresses are different on each server, and they can change after an update.
Not sure if this method works on every server. but probably is working on 90% of them.
And if you're not able to find the right address on CheatEngine, you probably used the wrong address, or your game is encrypted/protected by an antihack. (that's another story ^^)

Good luck!

HMMM

Amadial · 11/12/2018, 15:45

Not working, cause second address looks different from the first address
and "Do the same process with the other function address 'RealmovposRequest'" is impossible

OracleApex · 11/23/2018, 11:30

Quote:

Originally Posted by Amadial

Not working, cause second address looks different from the first address
and "Do the same process with the other function address 'RealmovposRequest'" is impossible

agreed because cmp ecx,000001F4

not found in second address' function list