- Joined
- Oct 31, 2008
- Messages
- 341
- Reaction score
- 294
You must be registered to see links
You need to add the right Damage Calculation and take a look at Splashy 0x00484710 how u get Target's arround.
I just used LaFreaks "get monster" to test this stuff.
PHP:
// dllmain.cpp : Definiert den Einstiegspunkt für die DLL-Anwendung.
#include <Windows.h>
#define INST_NOP 0x90
#define INST_CALL 0xe8
#define INST_JMP 0xe9
#define INST_BYTE 0x00
#define SHORT_JZ 0x74
void MemcpyEx(DWORD destination, DWORD source, int length)
{
DWORD oldSource = 0;
DWORD oldDestination = 0;
VirtualProtect((LPVOID)source, length, PAGE_EXECUTE_READWRITE, &oldSource);
VirtualProtect((LPVOID)destination, length, PAGE_EXECUTE_READWRITE, &oldDestination);
memcpy((void*)destination, (void*)source, length);
VirtualProtect((LPVOID)destination, length, oldDestination, &oldDestination);
VirtualProtect((LPVOID)source, length, oldSource, &oldSource);
}
DWORD Intercept(BYTE instruction, DWORD lpSource, DWORD lpDest, int len)
{
DWORD realtarget = 0;
LPBYTE buffer = new BYTE[len];
memset(buffer, 0x90, len); //Fill out with nops
if (instruction != INST_NOP && len >= 5){
buffer[(len - 5)] = instruction;
DWORD dwJMP = (DWORD)lpDest - (lpSource + 5 + (len - 5));
memcpy(&realtarget, (void*)(lpSource + 1), 4);
realtarget = realtarget + lpSource + 5;
memcpy(buffer + 1 + (len - 5), &dwJMP, 4);
}
if (instruction == SHORT_JZ){
buffer[0] = instruction;
buffer[1] = (BYTE)lpDest;
}
if (instruction == INST_BYTE){
buffer[0] = (BYTE)lpDest;
}
MemcpyEx(lpSource, (DWORD)buffer, len);
delete[] buffer;
return realtarget;
}
static int(__thiscall *oExecuteSkill)(void *thispointer, signed int a2, char* a3, char* a4) = (int(__thiscall*)(void *thispointerpointer, signed int a2, char* a3, char* a4))0x0047FBB0;
static unsigned (__thiscall* AverageDamage) (void* pPlayer) = (unsigned (__thiscall*) (void*))0x0043D970;
static char* (__cdecl* ReadPacket)(char *pPacket, char *pPos, const char *sFormat, ...) = (char* (__cdecl*)(char*, char*, const char*, ...))0x4975F0;
static void* (__cdecl* FindMonster) (int nID) = (void* (__cdecl*) (int))0x0043A240;
static void* (__cdecl* FindPlayer) (int nID) = (void* (__cdecl*) (int))0x00450810;
static void (__cdecl* WriteInSight) (void* pPlayer, BYTE bType, const char *Format, ...) = ( void (__cdecl*) (void*, BYTE, const char*, ...))0x0040B9E0;
static LONG (__thiscall* ObjectRelease)(void* pOject, LONG lpAddend) = (LONG (__thiscall*)(void*, LONG))0x4239C0;
static int (__thiscall *GetASpeed)(void *Char) = (int (__thiscall*)(void*))0x0043D8E0;
enum
{
TYPE_PLAYER,
TYPE_MONSTER,
};
void __fastcall Hooked_ExcuteSkill(int* PointToPlayerBase, void* _edx, signed int nSkillID, char* PacketPointer, char* PositionPointer)
{
UNREFERENCED_PARAMETER(_edx);
bool forward = true;
int* pPlayer = reinterpret_cast<int*>(*reinterpret_cast<unsigned long*>(PointToPlayerBase));
int* pSkill = *reinterpret_cast<int**>(reinterpret_cast<char*>(PointToPlayerBase)+static_cast<int>(nSkillID)* 4 + 8);
if(nSkillID == 40)
{
forward = false;
int nTargetID;
char bType;
ReadPacket(PacketPointer, PositionPointer, "bd", &bType, &nTargetID);
int* pTarget = 0;
switch(bType)
{
case TYPE_PLAYER:
pTarget = (int*)FindPlayer(nTargetID);
break;
case TYPE_MONSTER:
pTarget = (int*)FindMonster(nTargetID);
break;
}
int area = 90;
int nDmg = 0;
int EB = 0;
bool first = true;
for(int x = 1; x < 10000; x++)
{
int pX = pTarget[83];
int pY = pTarget[84];
int* Object = (int*)FindMonster(x);
if(Object && Object[83] < pX + area && Object[83] > pX - area && Object[84] < pY + area&& Object[84] > pY - area && Object[70] != 1)
{
int pCurHp = (int)Object[68];
nDmg = AverageDamage((void*)pPlayer); // Look at -> 0x00483460 how dmg is calculated with real Soul Destruction
WriteInSight(pPlayer, 0x3f, "bddbbwwb", nSkillID, pPlayer[7], x, 1, 1, nDmg, EB, true);
int pid = 0;
int a1 = 0;
int a2 = 0;
int v22 = GetASpeed(pPlayer);
int v23 = GetTickCount();
int v25 = 0;
if(v23 < Object[362])
v25 -= Object[362] - v23;
Object[362] = v22 + v23;
if(Object[115] == 1)
pid = 0;
else
pid = v25 * (*(int (__thiscall **)(DWORD *, int))(*pPlayer + 168))((DWORD*)pPlayer, (int)Object) / v22;
(*(int (__thiscall **)(int, int, int, int *, int *, int *, int))(*(DWORD *)Object+ 72))((int)Object,(int)pPlayer,nDmg,&a1,&a2,&pid,0);
ObjectRelease((void *)Object, (volatile LONG )(Object + 352));
}
}
Sleep(450);
}
if (forward)
oExecuteSkill(static_cast<void*>(PointToPlayerBase), nSkillID, PacketPointer, PositionPointer);
}
unsigned long __stdcall MainThr(void* _t)
{
Sleep(3000);
Server::Console::WriteRed("SD AOE");
Intercept(INST_CALL, (DWORD)0x004533D4, (DWORD)Hooked_ExcuteSkill, 5);
return TRUE;
}
void gogo()
{
CreateThread(0,0,MainThr,nullptr,0,0);
}
int __stdcall DllMain( HMODULE hModule,unsigned long ul_reason_for_call,void* lpReserved )
{
DisableThreadLibraryCalls(hModule);
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
gogo();
break;
}
return TRUE;
}
