Figuring out v117 on Windows 10

UNTIL THEN! (Loyal Member; joined Mar 5, 2011; 1,086 messages; reaction score 213)
For about the past week, I've been jumping around from version to version learning about the Windows 10 fix on v83, v62, v75, etc. I've made those work fine on Windows 10, but, sadly, I hate all of those versions, so learning how to do it was worthless.

The version I mainly want to work on is v117.2, but, of course, it has to be one of the harder things to figure out, because of the whole redirector thing.

I understand that a client address hack is needed in order to patch addresses, just like damage cap removal. However, I wouldn't know how to figure this out, due to having trouble figuring out where v117.2's Direct8Input or whatever is located.

Something like this would have to be used, if I'm correct, as in AxedMS's v117 redirector:

Code:
// Menu handler from the decompiled redirector: finds the running client and patches the damage cap.
private void dmgToolStripMenuItem_Click(object sender, EventArgs e)
{
    if (Process.GetProcessesByName("MapleStory").Length > 0)
    {
        Process[] processesByName = Process.GetProcessesByName("MapleStory");
        this.pHandel = processesByName[0].Handle; // process handle later passed to WriteProcessMemory
        this.WriteDMG(16150920);                  // 16150920 decimal == 0xF67188, the target address in the client
        MessageBox.Show("Damage Cap removed!");
    }
}

with WriteDMG being this:

Code:
// Overwrites 7 bytes at Address in the client process with the constant below
// (00 00 C0 FF FF FF DF in hex). WriteProcessMemory is the kernel32 export,
// declared with [DllImport("kernel32.dll")] elsewhere in Form1.
private void WriteDMG(int Address)
{
    byte[] array = new byte[]
    {
        0,   // 0x00
        0,   // 0x00
        192, // 0xC0
        255, // 0xFF
        255, // 0xFF
        255, // 0xFF
        223  // 0xDF
    };
    IntPtr zero = IntPtr.Zero; // receives the number of bytes actually written
    Form1.WriteProcessMemory(this.pHandel, (IntPtr)Address, array, (uint)array.Length, out zero);
}

I am not sure if that is NOPing the address or doing something else to it. Can someone point me in the right direction? I'm seriously trying to learn, but I'm quite slow when it comes to addresses, packets, etc.

I've got so tired of Windows 10 that I installed Windows 7 just to work on it again. :'(
 
Custom Title Activated (Loyal Member; joined Jan 18, 2010; 3,109 messages; reaction score 1,139)
Iirc NOP's value is 0, so I guess the byte array is the code that should be after the NOP; the IntPtr.Zero is the NOPing.

No, 0 is just zero. NOP's value is 0x90, and JMP's value is 0xEB. Those will be the most common instructions seen when working with client addys.

In short, you're using a DLL that has methods to overwrite locations within the process's memory. The methods take a parameter, which is the direct address. This would be the address/location of the addy that you'd be going to in Olly. Then you write the client hack as you would in assembly, but with AoBs instead. Here it is written in decimal, but you'd be more familiar seeing it all in hexadecimal from your usual ASM/hex editor views. If you've ever worked with CE scripts, this is pretty much the exact same. For example:

A db 90 90 90 90 90 90 90 90 inside of a CE script for Droppable NX can be translated to this function:
Code:
// Droppable NX: drop NX from EQUIP/USE inventories. Eight 0x90 (NOP) bytes overwrite
// 8 bytes at Address, the same as "db 90 90 90 90 90 90 90 90" in a CE script.
private void WriteDroppableNX(int Address)
{
    byte[] buffer = new byte[]
    {
        0x90, 0x90, 0x90, 0x90,
        0x90, 0x90, 0x90, 0x90
    };
    IntPtr zero = IntPtr.Zero; // receives the number of bytes actually written
    WriteProcessMemory(this.pHandel, (IntPtr)Address, buffer, (uint)buffer.Length, out zero);
    Close(); // closes the form once the patch is applied
}

So, figuring out this Windows 10 issue for v117. For starters, you would need an unpacked v117 or an IDB. In IDA, you would want to do an AoB search using the AoB from the Win 10 fix post. Alternatively, you can go into IDA's "Imports" tab, find it, and XREF it to the function. Once you've found CInputSystem::Init and the Direct8 initialization (or even Direct9 by then, dunno), you'd Tab into IDA-View (assembly) to find the address. Now you have the address, and simply need to write the function for it using AoBs. More of a pain to work with DLLs imo, but they work the same way in the end.
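As an added example (not from the thread and not AxedMS's redirector code), the Python below renders the decimal byte arrays from the decompiled C# above as the hex AoB strings used in CE scripts, checks whether an array is a NOP sled (all 0x90) the way the Droppable NX patch is, and decodes the 7-byte WriteDMG constant as an IEEE-754 double. The page does not show the eighth, untouched byte at that address; the trailing value 0x41 and the original damage cap of 999999.0 are assumptions made here for illustration only. The last helper is the check worth having before any write: compare the bytes currently at the target with the expected originals, so a wrong address or a different client version is caught instead of silently corrupted.

```python
import struct

# Byte arrays exactly as they appear in the decompiled C# on this page (constructed copies).
DMG_PATCH = [0, 0, 192, 255, 255, 255, 223]   # WriteDMG, 7 bytes, written in decimal
NX_PATCH = [0x90] * 8                          # WriteDroppableNX, 8 bytes

NOP = 0x90        # x86 one-byte NOP opcode
JMP_SHORT = 0xEB  # x86 short JMP opcode (rel8 follows)

# ASSUMPTION for illustration: the client stores the damage cap as the double 999999.0.
# The page does not state this; it is used only to show what the 7-byte patch does to such a value.
ORIGINAL_DMG_CAP_BYTES = struct.pack("<d", 999999.0)


def to_aob(data):
    """Render a byte sequence as the space-separated uppercase hex AoB string used in CE scripts."""
    return " ".join(f"{b:02X}" for b in data)


def classify(data):
    """Classify a patch: a NOP sled (all 0x90), a two-byte short JMP, or a data constant."""
    if all(b == NOP for b in data):
        return "nop-sled"
    if len(data) == 2 and data[0] == JMP_SHORT:
        return "short-jmp"
    return "data"


def as_double(patch, trailing):
    """Interpret a 7-byte patch plus the untouched eighth byte as a little-endian IEEE-754 double.

    `trailing` is the byte left in place after the patch; the page does not show it, so the
    caller supplies an assumption (0x41 in the usage below)."""
    raw = bytes(patch) + bytes([trailing])
    if len(raw) != 8:
        raise ValueError("need exactly 8 bytes to decode a double")
    return struct.unpack("<d", raw)[0]


def double_to_aob(value):
    """Inverse view: the bytes a double occupies in memory, as an AoB string."""
    return to_aob(struct.pack("<d", value))


def safe_to_patch(current, expected_original):
    """Pre-write check: only patch when the bytes now at the target equal the expected originals."""
    return bytes(current) == bytes(expected_original)


if __name__ == "__main__":
    print("WriteDMG writes      :", to_aob(DMG_PATCH), "->", classify(DMG_PATCH))
    print("WriteDroppableNX     :", to_aob(NX_PATCH), "->", classify(NX_PATCH))
    print("999999.0 in memory   :", double_to_aob(999999.0))
    # Assumed trailing byte 0x41: the high byte of the original double is left untouched.
    print("patched value (0x41) :", as_double(DMG_PATCH, 0x41))
    print("safe to patch?       :", safe_to_patch(ORIGINAL_DMG_CAP_BYTES, ORIGINAL_DMG_CAP_BYTES))
```

Run as a script it shows that WriteDMG is not NOPing anything: it overwrites the low seven bytes of a data constant, while WriteDroppableNX is a plain eight-byte NOP sled. Under the stated assumption the patched double comes out as 2147483647.0, i.e. a 32-bit signed maximum, which is the kind of sanity check that tells you a guessed address or byte pattern is plausible before touching a live process.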
UNTIL THEN! (Loyal Member; joined Mar 5, 2011; 1,086 messages; reaction score 213)

lol it still uses 8


How do I jump/delay it? I guess I'll just try NOPing it for now and see how that goes.

Edit: Obviously that was not going to work. The issue, however, is that using Sunnyboy's IDBs from http://forum.ragezone.com/f921/library-idbs-versions-named-addresses-987815/index23.html , I'm not sure if those are v117.1 or v117.2. ._.