Thread not for LEECHERS Need Help For The Last Part of Code (Rohan PH)

hugaskepias · 05/28/2009, 15:28

I'm already done with the
-GM Command
-Disabled Attack Animation
-Disable the client from setting the current attack state (Can't confirm though but as far as i look at it, seems like i NOP's the right address)
-Disable attack speed (Can't confirm though but as far as i look at it, seems
like i NOP's the right address)
-Created the call for the 2nd Code Cave (the long code)

At first i tried putting the original code from the address were i change to CALL XXXXXXXX (Code cave address)

Code Cave Snippets:
XOR EDI,EDI
MOV EDX,DWORD PTR DS:[Exx+1xx] <-The original code which is replace by CALL XXXXXXXX (Code cave)
INC EDI
CMP EDI,4
JL short XXXXXXXX (MOV EDX,DWORD PTR DS:[Exx+1xx] address of the 2nd command in the code cave)
RETN

This works, no attack animation then after a few sec monster dies (but i dont think the attack speed changes, the rate of mons kill is almost the same)

so when I change the code cave to sorien's code (with updated addresses)
when i attack, the game crashes lol (this is where i'm stuck)

Any idea what's wrong with this code will be much appreciated and I'm willing to share the code if your suggestion helps me out and you want the code (which i doubt since you already help me out how to make this work so probably you already have your working one but if incase i will

and don't worry i won't leak it to public your code is safe, i will just use this for my own during long boring grinding days of rohan

) anyway here's the code that gave me problem

XOR EDI,EDI
MOV EDX,DWORD PTR DS:[0AF1264]
MOV EAX,DWORD PTR DS:[0AF1260]
MOV ECX,DWORD PTR DS:[0AC2F38]
PUSH EDX
PUSH EAX
PUSH 0
PUSH 1308
CALL 00406E54 <- Changes this to the updated address
MOV EDX,DWORD PTR DS:[0AF1264]
MOV EAX,DWORD PTR DS:[0AF1260]
PUSH EDX
PUSH EAX
LEA ECX,DWORD PTR SS:[ESP+1C]
PUSH ECX
MOV ECX,DWORD PTR DS:[0AC2F38]
PUSH 1307
CALL 00406E54 <- Changes this to the updated address
steps upward
INC EDI
CMP EDI,4
JL SHORT 00A06969 <- updated this address to the address of MOV EDX,DWORD PTR DS:[0AF1264] (2nd command of the code cave)
MOV EDI,EBP
RETN

Any idea what could be the problem?

Thanks,

Again don't flame me if I said I wont leak it to public, as the Subject say's NOT FOR LEECHERS!

prototype10 · 05/28/2009, 16:10

i did it with my client and got the same result...

Elsys · 05/28/2009, 22:46

Quote:

Originally Posted by hugaskepias

I'm already done with the
-GM Command
-Disabled Attack Animation
-Disable the client from setting the current attack state (Can't confirm though but as far as i look at it, seems like i NOP's the right address)
-Disable attack speed (Can't confirm though but as far as i look at it, seems
like i NOP's the right address)
-Created the call for the 2nd Code Cave (the long code)

At first i tried putting the original code from the address were i change to CALL XXXXXXXX (Code cave address)

Code Cave Snippets:
XOR EDI,EDI
MOV EDX,DWORD PTR DS:[Exx+1xx] <-The original code which is replace by CALL XXXXXXXX (Code cave)
INC EDI
CMP EDI,4
JL short XXXXXXXX (MOV EDX,DWORD PTR DS:[Exx+1xx] address of the 2nd command in the code cave)
RETN

This works, no attack animation then after a few sec monster dies (but i dont think the attack speed changes, the rate of mons kill is almost the same)

so when I change the code cave to sorien's code (with updated addresses)
when i attack, the game crashes lol (this is where i'm stuck)

Any idea what's wrong with this code will be much appreciated and I'm willing to share the code if your suggestion helps me out and you want the code (which i doubt since you already help me out how to make this work so probably you already have your working one but if incase i will and don't worry i won't leak it to public your code is safe, i will just use this for my own during long boring grinding days of rohan ) anyway here's the code that gave me problem

XOR EDI,EDI
MOV EDX,DWORD PTR DS:[0AF1264]
MOV EAX,DWORD PTR DS:[0AF1260]
MOV ECX,DWORD PTR DS:[0AC2F38]
PUSH EDX
PUSH EAX
PUSH 0
PUSH 1308
CALL 00406E54 <- Changes this to the updated address
MOV EDX,DWORD PTR DS:[0AF1264]
MOV EAX,DWORD PTR DS:[0AF1260]
PUSH EDX
PUSH EAX
LEA ECX,DWORD PTR SS:[ESP+1C]
PUSH ECX
MOV ECX,DWORD PTR DS:[0AC2F38]
PUSH 1307
CALL 00406E54 <- Changes this to the updated address
steps upward
INC EDI
CMP EDI,4
JL SHORT 00A06969 <- updated this address to the address of MOV EDX,DWORD PTR DS:[0AF1264] (2nd command of the code cave)
MOV EDI,EBP
RETN

Any idea what could be the problem?

Thanks,

Again don't flame me if I said I wont leak it to public, as the Subject say's NOT FOR LEECHERS!

Might be off base here but I will attempt,

XOR EDI,EDI
//Begin Comment
MOV EDX,DWORD PTR DS:[0AF1264]
MOV EAX,DWORD PTR DS:[0AF1260]
MOV ECX,DWORD PTR DS:[0AC2F38]
/*Check out the above addresses in memory likely they are not the original intended pointer addresses and the memory changes here may be significant. IE moving Registrations <--- I think that's what their called into an incorrect region of memory could have disaster written all over it. In addition you should not write to a protected segment of memory while the program is running it may have different than intended results.*/
PUSH EDX
PUSH EAX
PUSH 0
PUSH 1308
CALL 00406E54 <- Changes this to the updated address
//Begin Comment
MOV EDX,DWORD PTR DS:[0AF1264]
MOV EAX,DWORD PTR DS:[0AF1260]
//Same as above comment
PUSH EDX
PUSH EAX
//Begin comment
LEA ECX,DWORD PTR SS:[ESP+1C]
/*Check ESP and add 1C in hex to that address. See if it makes sense with what is trying to be performed here*/
PUSH ECX
//Begin Comment
MOV ECX,DWORD PTR DS:[0AC2F38]
//Same as related to incorrect address's
PUSH 1307
CALL 00406E54 <- Changes this to the updated address
steps upward
INC EDI
CMP EDI,4
JL SHORT 00A06969 <- updated this address to the address of MOV
//Begin comment
EDX,DWORD PTR DS:[0AF1264] (2nd command of the code cave)
//End comment
MOV EDI,EBP
RETN

The only way to be certain that changes are properly made is to compare the original memory that this hack was designed to work with. To the new client and use AOB searches to determine that all the address's were properly changed. In addition to make your hack update ready using AOB and a search function from an old GunZ dll source which I can provide to you through PM you can inject a .dll that is self updating. Requiring you to update your hacks rarely if at all. If the old client needs to run to find the new addresses find the old client install it in a separate location apply the no update fix then search at the login screen. This is the US client you want to find for the searching and I understand you use the PH version however the structure of the ASM should not have changed greatly between versions. Additionally check your new address's against the old ones in this client as well to be certain they are accurate. I would need the old client(whole thing) to accurately convert this code for the newer client. Even then it would be for US/Global cause that's what I play.

radascars · 05/29/2009, 09:37

hmm... how can i find these codes MOV EAX,BYTE PTR SS:[ESP+A9] or anything that relates me to gm command.. can't seem to find it. >,< im a noob.

can u give me the command address for gm command?

ranie15 · 05/31/2009, 07:43

Quote:

Originally Posted by Elsys

Might be off base here but I will attempt,

XOR EDI,EDI
//Begin Comment
MOV EDX,DWORD PTR DS:[0AF1264]
MOV EAX,DWORD PTR DS:[0AF1260]
MOV ECX,DWORD PTR DS:[0AC2F38]
/*Check out the above addresses in memory likely they are not the original intended pointer addresses and the memory changes here may be significant. IE moving Registrations <--- I think that's what their called into an incorrect region of memory could have disaster written all over it. In addition you should not write to a protected segment of memory while the program is running it may have different than intended results.*/
PUSH EDX
PUSH EAX
PUSH 0
PUSH 1308
CALL 00406E54 <- Changes this to the updated address
//Begin Comment
MOV EDX,DWORD PTR DS:[0AF1264]
MOV EAX,DWORD PTR DS:[0AF1260]
//Same as above comment
PUSH EDX
PUSH EAX
//Begin comment
LEA ECX,DWORD PTR SS:[ESP+1C]
/*Check ESP and add 1C in hex to that address. See if it makes sense with what is trying to be performed here*/
PUSH ECX
//Begin Comment
MOV ECX,DWORD PTR DS:[0AC2F38]
//Same as related to incorrect address's
PUSH 1307
CALL 00406E54 <- Changes this to the updated address
steps upward
INC EDI
CMP EDI,4
JL SHORT 00A06969 <- updated this address to the address of MOV
//Begin comment
EDX,DWORD PTR DS:[0AF1264] (2nd command of the code cave)
//End comment
MOV EDI,EBP
RETN

The only way to be certain that changes are properly made is to compare the original memory that this hack was designed to work with. To the new client and use AOB searches to determine that all the address's were properly changed. In addition to make your hack update ready using AOB and a search function from an old GunZ dll source which I can provide to you through PM you can inject a .dll that is self updating. Requiring you to update your hacks rarely if at all. If the old client needs to run to find the new addresses find the old client install it in a separate location apply the no update fix then search at the login screen. This is the US client you want to find for the searching and I understand you use the PH version however the structure of the ASM should not have changed greatly between versions. Additionally check your new address's against the old ones in this client as well to be certain they are accurate. I would need the old client(whole thing) to accurately convert this code for the newer client. Even then it would be for US/Global cause that's what I play.

MOV EDX,DWORD PTR DS:[0AF1264]
MOV EAX,DWORD PTR DS:[0AF1260]
MOV ECX,DWORD PTR DS:[0AC2F38]

i know the pointers used here...
pm me ill send you the ryt addresses/

~~normanwashere~~ · 06/01/2009, 20:24

RADASCAR u dont need to look for MOV EAX,BYTE PTR SS:[ESP+A9]

try to see Kenzo's Edited Client.. insted of looking for MOV EAX,BYTE PTR SS:[ESP+A9] try to look for the next line.. which is hard to explain but eventually you'll get it

radascars · 06/01/2009, 20:56

Quote:

Originally Posted by normanwashere

RADASCAR u dont need to look for MOV EAX,BYTE PTR SS:[ESP+A9]

try to see Kenzo's Edited Client.. insted of looking for MOV EAX,BYTE PTR SS:[ESP+A9] try to look for the next line.. which is hard to explain but eventually you'll get it

i already have my own gm command enabled rohanclient.exe.
I am now searching the right address for dmg hack/atk spd.

~~normanwashere~~ · 06/03/2009, 17:25

well u made yours how? what did u use.. which command did u follow? what if u didn't get a copy of kenzo's hack will u be able to find it.. im looking for the address not because i cant find it.. i need the address because in the future.. when they update the client the addresses will be different again. so for now i need to look for triggers or common codes with the address for the Attack speed Hack.. well that's just it.. i tried to compare soriens work with my us client here. but the version don't match.. so either i get an updated sorien hack or i get a us version fitted for soriens hack( which is impossible if i patch the us version that i have)

radascars · 06/04/2009, 21:12

Quote:

Originally Posted by normanwashere

well u made yours how? what did u use.. which command did u follow? what if u didn't get a copy of kenzo's hack will u be able to find it.. im looking for the address not because i cant find it.. i need the address because in the future.. when they update the client the addresses will be different again. so for now i need to look for triggers or common codes with the address for the Attack speed Hack.. well that's just it.. i tried to compare soriens work with my us client here. but the version don't match.. so either i get an updated sorien hack or i get a us version fitted for soriens hack( which is impossible if i patch the us version that i have)

the command line "MOV EAX,BYTE PTR SS:[ESP+A9]" doesn't change at all in the new rohanclient.exe that's why i found the address and also hugaskepias gave it to the public....

after having the right address for gmcommand i just follow sorien's tuts..

kenzo90 · 06/04/2009, 21:37

If you cant find the command line like that try searching it like this "MOV EAX,BYTE PTR SS:[ESP+0A9]". Just add 0 before A9 that should worked. :P

~~normanwashere~~ · 06/05/2009, 11:19

i ddnt use that method.. i tried a diffrent approach.. ^_^ i searched for the command after the MOV EAX,BYTE PTR SS:[ESP+0A9] command.. any ways.. i my self need help with the address for the speed hack.. actually i need an older VERSION of the hack + the non hacked client of the same version... like i said.. i have soriens US hacked Client.. all i need is THE original us client compatible with that version.. so i can Compare the code and make new hacks... or if u have ur own hack kenzo.. u can edit it again and ill try to rebuild it.. im not just looking for the adress but im trying to figure out the pattern..