Activing /gt*commnads + /jjang to ban command

[Demantor]

The tittle says all,,,

please, i want to know how can i Active the /gt*commands instead /gtgod and how to change the Command /jjang to a ban command ( /ban ) ??

[MentaL]

[ThievingSix]

Here is a quick line of thought you(or someone else) can use to enable the "/gt*" commands.

Here's how they work::

First let's give an example of a command that works, "/jjang"

Code:

0042D84C  |.  68 6C685E00   PUSH Gunz.005E686C                       ; /Arg9 = 005E686C
0042D851  |.  68 E4A35E00   PUSH Gunz.005EA3E4                       ; |Arg8 = 005EA3E4 ASCII "/jjang"
0042D856  |.  6A 01         PUSH 1                                   ; |Arg7 = 00000001
0042D858  |.  6A FF         PUSH -1                                  ; |Arg6 = FFFFFFFF
0042D85A  |.  6A FF         PUSH -1                                  ; |Arg5 = FFFFFFFF
0042D85C  |.  68 86000000   PUSH 86                                  ; |Arg4 = 00000086
0042D861  |.  68 E0BA4200   PUSH Gunz.0042BAE0                       ; |Arg3 = 0042BAE0
0042D866  |.  68 DCA35E00   PUSH Gunz.005EA3DC                       ; |Arg2 = 005EA3DC ASCII "jjang"
0042D86B  |.  6A 00         PUSH 0                                   ; |Arg1 = 00000000
0042D86D  |.  8BCE          MOV ECX,ESI                              ; |
0042D86F  |.  E8 FC220000   CALL Gunz.0042FB70                       ; \Gunz.0042FB70

You'll notice that "Arg3" points to an address in gunz which is this:

Code:

0042BAE0   .  837C24 08 02  CMP DWORD PTR SS:[ESP+8],2
0042BAE5   .  7D 46         JGE SHORT Gunz.0042BB2D
0042BAE7   .  8B4424 0C     MOV EAX,DWORD PTR SS:[ESP+C]
0042BAEB   .  56            PUSH ESI
0042BAEC   .  8B30          MOV ESI,DWORD PTR DS:[EAX]
0042BAEE   .  B0 FF         MOV AL,0FF
0042BAF0   .  68 ED030000   PUSH 3ED
0042BAF5   .  884424 13     MOV BYTE PTR SS:[ESP+13],AL
0042BAF9   .  C64424 10 00  MOV BYTE PTR SS:[ESP+10],0
0042BAFE   .  884424 11     MOV BYTE PTR SS:[ESP+11],AL
0042BB02   .  C64424 12 00  MOV BYTE PTR SS:[ESP+12],0
0042BB07   .  E8 E4C90D00   CALL Gunz.005084F0
0042BB0C   .  8BC8          MOV ECX,EAX
0042BB0E   .  E8 5D3B0A00   CALL Gunz.004CF670
0042BB13   .  8B4C24 0C     MOV ECX,DWORD PTR SS:[ESP+C]
0042BB17   .  51            PUSH ECX
0042BB18   .  6A 00         PUSH 0
0042BB1A   .  6A 00         PUSH 0
0042BB1C   .  50            PUSH EAX
0042BB1D   .  E8 0EE7FFFF   CALL Gunz.0042A230
0042BB22   .  56            PUSH ESI
0042BB23   .  E8 A8F4FFFF   CALL Gunz.0042AFD0
0042BB28   .  83C4 14       ADD ESP,14
0042BB2B   .  5E            POP ESI
0042BB2C   .  C3            RETN
0042BB2D   >  8B5424 0C     MOV EDX,DWORD PTR SS:[ESP+C]
0042BB31   .  8B42 04       MOV EAX,DWORD PTR DS:[EDX+4]
0042BB34   .  50            PUSH EAX
0042BB35   .  E8 D6F2FFFF   CALL Gunz.0042AE10
0042BB3A   .  59            POP ECX
0042BB3B   .  C3            RETN

Now let's look at the "/gt*" commands, "/gtgod" for an example:

Code:

0042D933  |.  68 6C685E00   PUSH Gunz.005E686C                       ; /Arg9 = 005E686C
0042D938  |.  68 18A35E00   PUSH Gunz.005EA318                       ; |Arg8 = 005EA318 ASCII "/gtgod"
0042D93D  |.  6A 01         PUSH 1                                   ; |Arg7 = 00000001
0042D93F  |.  6A 01         PUSH 1                                   ; |Arg6 = 00000001
0042D941  |.  6A FF         PUSH -1                                  ; |Arg5 = FFFFFFFF
0042D943  |.  6A 40         PUSH 40                                  ; |Arg4 = 00000040
0042D945  |.  68 70104000   PUSH Gunz.00401070                       ; |Arg3 = 00401070
0042D94A  |.  68 10A35E00   PUSH Gunz.005EA310                       ; |Arg2 = 005EA310 ASCII "gtgod"
0042D94F  |.  6A 00         PUSH 0                                   ; |Arg1 = 00000000
0042D951  |.  8BCE          MOV ECX,ESI                              ; |
0042D953  |.  E8 18220000   CALL Gunz.0042FB70                       ; \Gunz.0042FB70

Now the "Arg3" of "/gtgod" as well as all the other "/gt*" commands point to 0x00401070. When we follow this in Gunz.exe we get this:

Code:

00401070   $  C3            RETN

This means that the entire code doesn't even exist at all. Now this would mean it's impossible to put back together unless you knew what MAIET actually did there.

There is a way, though, to get the code back with some work. Now, the code should exists a while back before MAIET removed them. In GunzOld.exe they do exist(Find this on your own).

Now I went and looked in GunzOld.exe and went to the "Arg3" of "/gtgod"(Note: The addresses of "Arg3" will be different this time). Here is what I found:

Code:

00429EE0   .  51            PUSH ECX
00429EE1   .  E8 2A190700   CALL GunzOld.0049B810
00429EE6   .  84C0          TEST AL,AL
00429EE8   .  75 1D         JNZ SHORT GunzOld.00429F07
00429EEA   .  E8 A1440200   CALL GunzOld.0044E390
00429EEF   .  8B40 58       MOV EAX,DWORD PTR DS:[EAX+58]
00429EF2   .  3D FC000000   CMP EAX,0FC
00429EF7   .  74 0E         JE SHORT GunzOld.00429F07
00429EF9   .  3D FE000000   CMP EAX,0FE
00429EFE   .  74 07         JE SHORT GunzOld.00429F07
00429F00   .  3D FF000000   CMP EAX,0FF
00429F05   .  75 76         JNZ SHORT GunzOld.00429F7D
00429F07   >  A1 BC0A6300   MOV EAX,DWORD PTR DS:[630ABC]
00429F0C   .  85C0          TEST EAX,EAX
00429F0E   .  74 6D         JE SHORT GunzOld.00429F7D
00429F10   .  53            PUSH EBX
00429F11   .  56            PUSH ESI
00429F12   .  E8 B9190700   CALL GunzOld.0049B8D0
00429F17   .  8BF0          MOV ESI,EAX
00429F19   .  E8 F2180700   CALL GunzOld.0049B810
00429F1E   .  84C0          TEST AL,AL
00429F20   .  74 06         JE SHORT GunzOld.00429F28
00429F22   .  8A86 48010000 MOV AL,BYTE PTR DS:[ESI+148]
00429F28   >  84C0          TEST AL,AL
00429F2A   .  0F94C3        SETE BL
00429F2D   .  E8 9E190700   CALL GunzOld.0049B8D0
00429F32   .  5E            POP ESI
00429F33   .  8898 48010000 MOV BYTE PTR DS:[EAX+148],BL
00429F39   .  84DB          TEST BL,BL
00429F3B   .  5B            POP EBX
00429F3C   .  C64424 02 00  MOV BYTE PTR SS:[ESP+2],0
00429F41   .  C64424 01 FF  MOV BYTE PTR SS:[ESP+1],0FF
00429F46   .  C60424 00     MOV BYTE PTR SS:[ESP],0
00429F4A   .  C64424 03 FF  MOV BYTE PTR SS:[ESP+3],0FF
00429F4F   .  74 17         JE SHORT GunzOld.00429F68
00429F51   .  8B0424        MOV EAX,DWORD PTR SS:[ESP]
00429F54   .  50            PUSH EAX
00429F55   .  6A 00         PUSH 0
00429F57   .  6A 00         PUSH 0
00429F59   .  68 0C8A5B00   PUSH GunzOld.005B8A0C                    ;  ASCII "God mode enabled"
00429F5E   .  E8 DDDAFFFF   CALL GunzOld.00427A40
00429F63   .  83C4 10       ADD ESP,10
00429F66   .  59            POP ECX
00429F67   .  C3            RETN
00429F68   >  8B0C24        MOV ECX,DWORD PTR SS:[ESP]
00429F6B   .  51            PUSH ECX
00429F6C   .  6A 00         PUSH 0
00429F6E   .  6A 00         PUSH 0
00429F70   .  68 F8895B00   PUSH GunzOld.005B89F8                    ;  ASCII "God mode disabled"
00429F75   .  E8 C6DAFFFF   CALL GunzOld.00427A40
00429F7A   .  83C4 10       ADD ESP,10
00429F7D   >  59            POP ECX
00429F7E   .  C3            RETN

To make newer Gunz.exe's able to use these commands you will have to copy the code from GunzOld.exe to Gunz.exe; but that's only the easy part. You will have to update all the addresses in the old code to point to the correct code in the newer Gunz.exe's. Not only that but if the old code points to something that doesn't exist, you will have to create it!

Anyway, I don't plan to do this any time soon because it would take a lot of time and be annoying. This post might be the starting point for someone that does though =).

-Cheers ThievingSix

[Rotana]

Nice tut t6.

[kochon]

yup, thanks alot, looks like you khoweverything about GunZ lol

[Demantor]

....Really, thanks a lot ThievingSix....,nice

[sari4ever]

why he have a shotcut t6 i want one too :2

s4v :D call me that

[eele]

Im gonna Call ThievingSix now Master T. XD Nice :D

[wesman2232]

T6 is the master of coding :D

[_System32_]

Yeah.. very nice TuT My friend O_o

[Nayr438]

T6 could you upload ur Gunzold.exe i want to have a look at it




Edit: nvm i found it

[Aimed]

omg I just !!!!!. . . .


Don't get this.. lol

[4ndr34s]

why if i try to open my matchserver.exe i cant find the string /jjang?
i use system32 server files

[ThievingSix]

This is on your client, not server -.-

[peaceofpi]

What a baller

[shortymant]

Here is a quick line of thought you(or someone else) can use to enable the "/gt*" commands.

Here's how they work::

First let's give an example of a command that works, "/jjang"

Code:

0042D84C  |.  68 6C685E00   PUSH Gunz.005E686C                       ; /Arg9 = 005E686C
0042D851  |.  68 E4A35E00   PUSH Gunz.005EA3E4                       ; |Arg8 = 005EA3E4 ASCII "/jjang"
0042D856  |.  6A 01         PUSH 1                                   ; |Arg7 = 00000001
0042D858  |.  6A FF         PUSH -1                                  ; |Arg6 = FFFFFFFF
0042D85A  |.  6A FF         PUSH -1                                  ; |Arg5 = FFFFFFFF
0042D85C  |.  68 86000000   PUSH 86                                  ; |Arg4 = 00000086
0042D861  |.  68 E0BA4200   PUSH Gunz.0042BAE0                       ; |Arg3 = 0042BAE0
0042D866  |.  68 DCA35E00   PUSH Gunz.005EA3DC                       ; |Arg2 = 005EA3DC ASCII "jjang"
0042D86B  |.  6A 00         PUSH 0                                   ; |Arg1 = 00000000
0042D86D  |.  8BCE          MOV ECX,ESI                              ; |
0042D86F  |.  E8 FC220000   CALL Gunz.0042FB70                       ; \Gunz.0042FB70

You'll notice that "Arg3" points to an address in gunz which is this:

Code:

0042BAE0   .  837C24 08 02  CMP DWORD PTR SS:[ESP+8],2
0042BAE5   .  7D 46         JGE SHORT Gunz.0042BB2D
0042BAE7   .  8B4424 0C     MOV EAX,DWORD PTR SS:[ESP+C]
0042BAEB   .  56            PUSH ESI
0042BAEC   .  8B30          MOV ESI,DWORD PTR DS:[EAX]
0042BAEE   .  B0 FF         MOV AL,0FF
0042BAF0   .  68 ED030000   PUSH 3ED
0042BAF5   .  884424 13     MOV BYTE PTR SS:[ESP+13],AL
0042BAF9   .  C64424 10 00  MOV BYTE PTR SS:[ESP+10],0
0042BAFE   .  884424 11     MOV BYTE PTR SS:[ESP+11],AL
0042BB02   .  C64424 12 00  MOV BYTE PTR SS:[ESP+12],0
0042BB07   .  E8 E4C90D00   CALL Gunz.005084F0
0042BB0C   .  8BC8          MOV ECX,EAX
0042BB0E   .  E8 5D3B0A00   CALL Gunz.004CF670
0042BB13   .  8B4C24 0C     MOV ECX,DWORD PTR SS:[ESP+C]
0042BB17   .  51            PUSH ECX
0042BB18   .  6A 00         PUSH 0
0042BB1A   .  6A 00         PUSH 0
0042BB1C   .  50            PUSH EAX
0042BB1D   .  E8 0EE7FFFF   CALL Gunz.0042A230
0042BB22   .  56            PUSH ESI
0042BB23   .  E8 A8F4FFFF   CALL Gunz.0042AFD0
0042BB28   .  83C4 14       ADD ESP,14
0042BB2B   .  5E            POP ESI
0042BB2C   .  C3            RETN
0042BB2D   >  8B5424 0C     MOV EDX,DWORD PTR SS:[ESP+C]
0042BB31   .  8B42 04       MOV EAX,DWORD PTR DS:[EDX+4]
0042BB34   .  50            PUSH EAX
0042BB35   .  E8 D6F2FFFF   CALL Gunz.0042AE10
0042BB3A   .  59            POP ECX
0042BB3B   .  C3            RETN

-Cheers ThievingSix

im still quite nooby at asm. is the 0042BAE0 . ' 837C24 08 02 CMP DWORD PTR SS:[ESP+8],2'
calling a UGradeID change?

[Rotana]

im still quite nooby at asm. is the 0042BAE0 . ' 837C24 08 02 CMP DWORD PTR SS:[ESP+8],2'
calling a UGradeID change?

I'm also not really pro at asm, but that is an compare, it compares the UGradeID of the player with the number 2, if its equal it jumps to the end, else it will send an request to the server for an UgradeID change to number 2

I hope i'm right this time :D

[ThievingSix]

Yes

[Mambo]

I'm also not really pro at asm, but that is an compare, it compares the UGradeID of the player with the number 2, if its equal it jumps to the end, else it will send an request to the server for an UgradeID change to number 2

I hope i'm right this time :D

Well the remove jjang is exactly/almost the same in code. BUt i'll take a closer look..

[jeffro]

Maybe stupid question but in ollydbg how the hell do I search through comments where it writes stuff like: |Arg8 = 005EA3E4 ASCII "/jjang"

I searched everywhere just can't find it.

[4ndr34s]

hi
but if i need to make this comand for ban ,i need to change this 837C24 08 02 CMP DWORD PTR SS:[ESP+8],2 in
this 837C24 08 02 CMP DWORD PTR SS:[ESP+8],253?

[Lambda]

hi
but if i make this comand in ban i need to change this 837C24 08 02 CMP DWORD PTR SS:[ESP+8],2 in
this 837C24 08 02 CMP DWORD PTR SS:[ESP+8],253?

you need to put 253 in hex

[4ndr34s]

with ollydbg?

[4ndr34s]

i need to put 253 in hexadecimal????

[ThievingSix]

Uhh
editing the client won't change the ugradeid that gets changed..

[4ndr34s]

O_o i dont undenstand