v83 Spammable Skills?

Experienced Elementalist
Right off the bat, I'm here for help on finding out how to add:
Spammable/in air/on the ground:
Teleport
Combo Step
Flash Jump
Etc: Spammable facial expressions

Okay so I've done some small exploring on client editing and honestly I'm still really new at this kind of stuff, but I can do small modifications (honestly anyone can do these really simple changes). So basically what I'm asking is for help on how to find out how to actually modify certain skills (the ones stated above), then me trying to be able to execute the "help" and me modifying my own client. I've read up on the "[0.83] UnlimitedFlashJump in Air + Ground + Spammable Localhost" thread, however this post really confuses me. I want to find out exactly how he's able to know what addresses to modify and what he needs to change them to.

I already have a client with UFJ/spammable teleport, but I want to physically learn how to make these changes on my own.

In short:
I want to learn some basics on client editing :p:

Here's what I've found out so far:

Addresses:
81 FE 9E BA 3E 00 - Flash Jump
004FB2E3   81FE 9EBA3E00    CMP ESI,3EBA9E

81 FE 49 1C 23 00 - Teleport (Bishop)
004FB2CB   81FE 491C2300    CMP ESI,231C49

68 29 73 40 01 - ComboStep
0074C57B   68 29734001      PUSH 1407329

Packet Short:
9E BA 3E 00 - Flash Jump
29 73 40 01 - Combo Step
49 1C 23 00 - Teleport (Bishop)

Packets:
9E BA 3E 00 14 00 00 - Flash Jump
49 1C 23 00 14 00 00 - Teleport (Bishop)
29 73 40 01 0F 00 00 - Combo Step


In my mind, there is only 1 packet for flash jump, so there should only be 1 address for that same skill, right? Why are there so many addresses to make Flash Jump spammable? Can anyone help a brotha out if they have the time?
That would be sincerely appreciated. Thanks
Moderator
In my mind, there is only 1 packet for flash jump, so there should only be 1 address for that same skill, right? Why are there so many addresses to make Flash Jump spammable? Can anyone help a brotha out if they have the time?

While I actually also don't have the ability to modify the client in regards to finding addresses, I can at least try to explain this part. You may think it works this easily, but it works much differently behind the scenes. Let me try to give you an example.

While you may think FJ is just 1 whole thing, there's a lot more going on.

For example, one address alone can be the part that checks 'Is the user on the ground or not?', since as you know you can't use FJ when the player is on the ground. A second address can be the 'Has the user FJ'd before?' check, since as you know you can only FJ once normally, so another address could be handling that. However, there are also a lot of 'hidden' addresses, which are mostly there because Nexon didn't want you to hack these skills. Nexon makes them hidden so that if you manage to hack these checks, there are either more addresses so it still doesn't work, or your client simply crashes/DCs you since the client detects that you modified stuff around, or things become unstable since one part of the code no longer matches the other.

Eric is without doubt one that knows the most about this, so maybe he can explain all of it for you :)
Loyal Member
Client editing is just having knowledge of assembly and RE, nothing special really. However, with that in mind, there aren't really any step-by-step tutorials teaching you how to client edit, how to find things that'll work in every version, and why you do so. For that, you must learn yourself.

First off, you just did an AoB search in the client for the SkillID of Flash Jump. If you do a full analysis of this, you'll find several results and CMP instructions. You likely landed in either a movement skill conditional or the very populated DoActiveSkill function.

Second, it is NOT the packet that is the issue. If you're targeting or looking into the packet for these kinds of things, then you won't ever find anything. They are in internal client functions that the application processes, nothing that you'd ever see sent between servers or anything commonly named.

Third, there's a few ways of client editing. The way you used to do it (probably done by the thread you're mentioning) was by debugging the addresses. You would use something like olly or Cheat Engine and toggle breakpoints and such to find what/where the client is restricting you from something. From there, you either JMP the instruction, NOP it, or modify its minimum or maximum value. I personally find this to be a long, time-consuming process, and with knowledge of the actual client internals I can get the addys for any of the released client edits in seconds with the use of IDA. If you know the client, it makes all of your ideas when it comes to client editing become possible.

Furthermore, the client edits involved in making Flash Jump and Teleport spammable are called Tubi. I've explained in a previous post how to find Tubi using IDA. The client uses ExclRequests between the server and client; it lets the client know when they can perform the next action that has restricted time intervals. The main function that the client references for ExclRequest checks is CWvsContext::OnExclRequest. Within the function, you'll notice conditionals for if bExclRequest is true, or if timeGetTime() - blabla >= tExclRequest, it'll return false. A conditional in assembly would be cmp xxx, yyy followed by a jump conditional. Here, the client will likely use something like JNZ, JE, and/or JGE for the conditionals in the function. All we need to do is modify these conditionals from their regular checks JNZ, JE, JGE (which means things like "Jump if Not Zero", "Jump if Equal", etc) and change them into JMP (which means Jump -- doesn't matter the comparison, just force a jump). If we modify them to force-jump to return true, then whenever the client inspects an ExclRequest time interval, it always returns true. This is why you can spam AP/SP so fast, loot so fast, spam FJ so fast, and so on.

It's really the way you wish to learn how to do it, but it will take time to get used to. Performing publicly released client edits is a lot easier because you have AoBs available from previous client versions. When it comes to finding your own addresses for your own client hacks you want to have, that's the tricky part you have to learn. Either utilize IDA, or debug and trace them using Cheat Engine or another debugger.
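As an added example, not code from the thread or from any server project: the first function decodes the byte patterns from the opening post into the skill IDs they compare against (which is why CMP ESI,3EBA9E shows up as 81 FE 9E BA 3E 00), and the rate limiter shows the server-side interval check that remains effective once the client-side ExclRequest conditionals have been patched out. The interval values are constructed placeholders, not numbers from the thread or any real server.

```python
import struct

# Byte patterns as posted in the thread (x86-32; immediates are little-endian).
#   81 FE <imm32> -> CMP ESI, imm32   (opcode 81 /7, ModRM FE selects ESI)
#   68 <imm32>    -> PUSH imm32
AOB_PATTERNS = {
    "Flash Jump":        bytes.fromhex("81FE9EBA3E00"),
    "Teleport (Bishop)": bytes.fromhex("81FE491C2300"),
    "Combo Step":        bytes.fromhex("6829734001"),
}

def skill_id_from_aob(pattern: bytes) -> int:
    """Return the 32-bit immediate (the skill ID) carried by one of the patterns above."""
    if pattern[:2] == b"\x81\xfe":          # CMP ESI, imm32
        imm = pattern[2:6]
    elif pattern[:1] == b"\x68":            # PUSH imm32
        imm = pattern[1:5]
    else:
        raise ValueError(f"unsupported instruction bytes: {pattern[:2].hex()}")
    # "9E BA 3E 00" in memory reads as 0x003EBA9E once decoded as a little-endian uint32.
    return struct.unpack("<I", imm)[0]

# Hypothetical server-side minimum intervals (ms) per skill ID. The numbers are
# constructed for this example, not taken from the thread or from any real server.
MIN_INTERVAL_MS = {
    skill_id_from_aob(AOB_PATTERNS["Flash Jump"]): 500,
    skill_id_from_aob(AOB_PATTERNS["Teleport (Bishop)"]): 500,
    skill_id_from_aob(AOB_PATTERNS["Combo Step"]): 300,
}

class SkillRateLimiter:
    """Server-side counterpart of the client's ExclRequest interval check: a patched
    client sends skill requests as fast as it likes, so the server tracks last use per
    (player, skill) itself and rejects requests that arrive before the interval elapsed."""
    def __init__(self, intervals: dict) -> None:
        self._intervals = intervals
        self._last_use = {}                  # (player_id, skill_id) -> last accepted time

    def allow(self, player_id: int, skill_id: int, now_ms: int) -> bool:
        interval = self._intervals.get(skill_id)
        if interval is None:                 # no server-side interval for this skill
            return True
        key = (player_id, skill_id)
        last = self._last_use.get(key)
        if last is not None and now_ms - last < interval:
            return False                     # too soon: the client-side check was bypassed
        self._last_use[key] = now_ms
        return True
```

Rejections from `allow` are also a useful detection signal: a client that keeps tripping the interval for the same skill is almost certainly running a patched check.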