- Joined
- Nov 10, 2010
- Messages
- 47
- Reaction score
- 28
PART I : PREPARATION
1. download this (google it):
2. Open your gameserver.exe or zoneX.exe with hex editor .
note: i believe some zone.exe file is packed, so you have to unpacked it first
3. go to the last byte of your gameserver.exe
im using ROWgameserver.exe from arpakuutio release so it will be at 193FFF .
4. press edit > insert string
on the hex string, write 90
on the insert
times, choose hexadecimal and write any number as you like (i choose $100000) write that down
press OK then save
5. now open Lord PE,
click PE editor
choose the gameserver.exe
click section
right-click one of the section listed
click add section header, a new section named NewSec is created
6. right click that NewSec
click edit section header.
7. remember the number you set at step 4.
write that number at the virtual size and raw size option
click OK
close section table
click SAVE then click OK
Preparation is done, now you have 100000h (65535) free bytes to jump in and out your gameserver.exe
PART II : Tracing
1. try to run your server with only 1 zone. attach that gameserver with ollydbg
2. remember what Alpha said (i forgot which thread) , find the skill ID from skillscript.txt
. i choose hard hit (human), so it will be 0x8104
3. Press ctrl-F on your Ollydbg write "push 8104" then press enter.
for my gameserver it will go to 43A6E3
4. check the line before that,
for my gameserver, it should written like this "PUSH 433C40"
thats the starting offset of hard hit skills
go there by press ctrl-G and write 433c40.
5. now logged on to your server,
then try to set cast the skill at the monster , check the damage deal then write that down
(for me its around 6k or 1964 in hex)
6. set breakpoint at the starting addres from point 4
so the gameserver will paused every time you cast hard hit.
then cast it again.
7. now you're on your own. check every value near 1964 ( in hex) at the register or memory or 6k value at the (st) register which is affected by the command line. (take a look at your upper-right corner)
press F8 to execute new line and look again.
8. do it over and over again, with luck and patience i found
(st0) value was around 6k at 434BD6, which is affected by the command before
FMUL DWORD PTR SS:[ESP+10]
write that down
PART III : Jumping out and back
from here you need to know assembly language
1. lets find our virtual address that we create at part I
look at the toolbar at olly, pres the M icon
find the address for the NewSec, for me its 709000
write that down
and back to dissasembler
2. check the command line at the address we found at part II step 8
for me its "CALL 004F3CF4"
write that down
also the address right after it, for me its 00434BDB
write that down
3. change that command to "JMP 709000"
that means, instead of executing the call, we jump it out first. right to the newsec
4. then go to 709000.
from the part II step 8 , we know that the value of st0 is the real damage deal by the skill.
so, if you want to increase it, just multiply it again by 1.x or 0.x to reduce it.
for example:
1st line : i put the value 3fb33333 on to ESP (equal to 1.4 . check that
2nd line : multiply that value with the previous damage calculation,
this means i increase the damage deal by this skill by exactly 40%
3rd line : since push command decrease ESP register by 4, it will be a disaster if we dont set that back, so i add the ESP by 4 to make it normal again
4th line : rewrite the command that we replaced on step 3 , carefull on this, im just lucky that my jmp only remove 1 line of the real code, if you remove more, make sure you write it back here , every single line of it.
5th line : Jump back to the real function.
5. now save it by block all the command that you write (shift + arrow up)
right click on it,
copy to executable
, click selection
, right click again on the newly opened window
click save file
click yes
press ctrl+F2 to restart
6. open your gameserver again with olly then go straight to the address that you create a jump out.
you may see it back to a call function instead of jump,
thats because we cant save both section on the same time , so we need to change it back again to JMP 709000 , then save it again
its done.
LAST NOTE:
since i show you how to add new section with 65535 of free bytes , thats means you can jumping in and out all function like like skill effect, blacksmith rate, metal type, exp table , even build your own integrated anti cheat system in there (which im trying to do now).
of course if you know how to deal with the code.
if you dont know what im talking about, then forget it, just ask someone (like me) to do it for you.
if you insist want to do it your self, then try to learn asembly programming. theres a lot of tutorial out there.
Credit:
- alphaest for the clue
- arpakuutio for the release
- the guy who create those 3 tools and make it available for us.
hope this help
1. download this (google it):
- Lord PE
- any hex editor (i use xvi32 for this tutorial)
- ollydbg
2. Open your gameserver.exe or zoneX.exe with hex editor .
note: i believe some zone.exe file is packed, so you have to unpacked it first
3. go to the last byte of your gameserver.exe
im using ROWgameserver.exe from arpakuutio release so it will be at 193FFF .
4. press edit > insert string
on the hex string, write 90
on the insert
times, choose hexadecimal and write any number as you like (i choose $100000) write that downpress OK then save
5. now open Lord PE,
click PE editor
choose the gameserver.exe
click section
right-click one of the section listed
click add section header, a new section named NewSec is created
6. right click that NewSec
click edit section header.
7. remember the number you set at step 4.
write that number at the virtual size and raw size option
click OK
close section table
click SAVE then click OK
Preparation is done, now you have 100000h (65535) free bytes to jump in and out your gameserver.exe
PART II : Tracing
1. try to run your server with only 1 zone. attach that gameserver with ollydbg
2. remember what Alpha said (i forgot which thread) , find the skill ID from skillscript.txt
. i choose hard hit (human), so it will be 0x8104
3. Press ctrl-F on your Ollydbg write "push 8104" then press enter.
for my gameserver it will go to 43A6E3
4. check the line before that,
for my gameserver, it should written like this "PUSH 433C40"
thats the starting offset of hard hit skills
go there by press ctrl-G and write 433c40.
5. now logged on to your server,
then try to set cast the skill at the monster , check the damage deal then write that down
(for me its around 6k or 1964 in hex)
6. set breakpoint at the starting addres from point 4
so the gameserver will paused every time you cast hard hit.
then cast it again.
7. now you're on your own. check every value near 1964 ( in hex) at the register or memory or 6k value at the (st) register which is affected by the command line. (take a look at your upper-right corner)
press F8 to execute new line and look again.
8. do it over and over again, with luck and patience i found
(st0) value was around 6k at 434BD6, which is affected by the command before
FMUL DWORD PTR SS:[ESP+10]
write that down
PART III : Jumping out and back
from here you need to know assembly language
1. lets find our virtual address that we create at part I
look at the toolbar at olly, pres the M icon
find the address for the NewSec, for me its 709000
write that down
and back to dissasembler
2. check the command line at the address we found at part II step 8
for me its "CALL 004F3CF4"
write that down
also the address right after it, for me its 00434BDB
write that down
3. change that command to "JMP 709000"
that means, instead of executing the call, we jump it out first. right to the newsec
4. then go to 709000.
from the part II step 8 , we know that the value of st0 is the real damage deal by the skill.
so, if you want to increase it, just multiply it again by 1.x or 0.x to reduce it.
for example:
Code:
PUSH 3FB33333
FMUL DWORD PTR SS:[ESP]
ADD ESP,4
CALL 004F3CF4
JMP 00434BDB1st line : i put the value 3fb33333 on to ESP (equal to 1.4 . check that
You must be registered to see links
)2nd line : multiply that value with the previous damage calculation,
this means i increase the damage deal by this skill by exactly 40%
3rd line : since push command decrease ESP register by 4, it will be a disaster if we dont set that back, so i add the ESP by 4 to make it normal again
4th line : rewrite the command that we replaced on step 3 , carefull on this, im just lucky that my jmp only remove 1 line of the real code, if you remove more, make sure you write it back here , every single line of it.
5th line : Jump back to the real function.
5. now save it by block all the command that you write (shift + arrow up)
right click on it,
copy to executable
, click selection
, right click again on the newly opened window
click save file
click yes
press ctrl+F2 to restart
6. open your gameserver again with olly then go straight to the address that you create a jump out.
you may see it back to a call function instead of jump,
thats because we cant save both section on the same time , so we need to change it back again to JMP 709000 , then save it again
its done.
LAST NOTE:
since i show you how to add new section with 65535 of free bytes , thats means you can jumping in and out all function like like skill effect, blacksmith rate, metal type, exp table , even build your own integrated anti cheat system in there (which im trying to do now).
of course if you know how to deal with the code.
if you dont know what im talking about, then forget it, just ask someone (like me) to do it for you.
if you insist want to do it your self, then try to learn asembly programming. theres a lot of tutorial out there.
Credit:
- alphaest for the clue
- arpakuutio for the release
- the guy who create those 3 tools and make it available for us.
hope this help
Last edited:
