Jul 08 - Adding New Grades.

  1. #1 iCreamPie

    I'm new to adding grades to my client and I don't understand the code cave part of this tutorial. Can someone help me?

    Code:
    004A17B2 - JNZ [Code cave address]
    JNZ SHORT [New Grade Address] //You need to jump at the next CMP ECX,[Grade in hexadecimal]


    -iCreamPie


  2. #2 Cekuro

    The line where it says [code cave address] means you put an address that's empty and has enough room for you to add in your code. When you are at the address of your actual code cave, you would create a grade on the first line:
    Code:
    cmp ecx, 5    //creating grade number 5
    Then on the next line you would create a jmp short to your next grade. Personally, I don't know the exact address it'll show up on, so I'll just throw in a jnz short that's a few addresses down, then change it when my code is all typed in. The rest should be relatively simple; if I didn't explain it thoroughly, my apologies.

  3. #3 iCreamPie

    So the
    Code:
    JNZ SHORT [New Grade Address]
    would be the same address as?
    Code:
    JNZ SHORT [New Grade Address]
    And uhmm, what's with this?

    Code:
    MOV BYTE PTR SS:[EBP+8],FF //The R
    MOV BYTE PTR SS:[EBP+9],80 //The G
    MOV BYTE PTR SS:[EBP+A],40 //The B
    MOV BYTE PTR SS:[EBP+B],FF //The A

    This is very hard for me because I don't understand this. Can you also explain this:

    Code:
    3)Go to address & Assemble the following //Scoreboard
    00407823 - MOV ECX,DWORD PTR DS:[EBX+414]
    00407829 - PUSH EAX
    0040782A - PUSH ECX
    0040782B - LEA EDX,DWORD PTR DS:[EDI+C]
    0040782E - PUSH 00622D24
    00407833 - PUSH EDX
    00407834 - CALL 005779CD
    00407839 - ADD ESP,14
    0040783C - JMP [Code cave address]
    00407847 - NOP
    00407854 - NOP
    00407854 - JMP SHORT 00407857
    Must I do a JMP for all my grades?

    And what about this one?
    Code:
    5)Assemble the following in your code cave #
    MOV EAX,DWORD PTR DS:[ECX+4EA] // Assemble this only 1 time
    CMP EAX,[Grade in hexadecimal] //This grade is the grade you added in step #3
    JE SHORT [Take the number of the address which the JE Short is on]
    
    - NOTE: Repeat the above code till (n-1) grades u need
    
    6)For the last grade it should be like this
    CMP EAX,[Grade in hexadecimal]
    JE SHORT [Take the number of the address which the JE SHORT is on]
    XOR AL,AL
    RETN
    MOV AL,1
    RETN
    
    - NOTE: now you need to change all the JE SHORT address to the [MOV AL,1] address
    
    7)Go to address & Assemble the following
    00402CEC - CALL [MOV EAX,DWORD PTR DS:[ECX+4EA] Address]
    0040316F - CALL [MOV EAX,DWORD PTR DS:[ECX+4EA] Address]
    00403436 - CALL [MOV EAX,DWORD PTR DS:[ECX+4EA] Address]
    0040368C - CALL [MOV EAX,DWORD PTR DS:[ECX+4EA] Address]
    00405A64 - CALL [MOV EAX,DWORD PTR DS:[ECX+4EA] Address]
    004077F9 - CALL [MOV EAX,DWORD PTR DS:[ECX+4EA] Address]
    004103EA - CALL [MOV EAX,DWORD PTR DS:[ECX+4EA] Address]
    00411519 - CALL [MOV EAX,DWORD PTR DS:[ECX+4EA] Address]
    I really need some help on this, man. If you want to help over MSN or TV, PM me.
    Last edited by iCreamPie; 24-09-10 at 09:54 PM.

  4. #4 iCreamPie

    Help?

  5. #5 Cekuro

    To add new grades for the July '08 client:

    First edit.

    Original:
    Code:
    004A1831  |> \B0 01         MOV AL,1
    004A1833  |.  5E            POP ESI
    004A1834  |.  5D            POP EBP
    004A1835  |.  C3            RETN
    004A1836      32C0          XOR AL,AL
    004A1838      5E            POP ESI
    004A1839      5D            POP EBP
    004A183A      C3            RETN
    Modified:
    Code:
    004A1831  |> \B0 01         MOV AL,1
    004A1833  |.  5E            POP ESI
    004A1834  |.  5D            POP EBP
    004A1835  \.  C3            RETN
    004A1836   >  E9 F5F81700   JMP 00621130  //codecave jump
    004A183B      CC            INT3
    004A183C      CC            INT3
    004A183D      CC            INT3

    Codecave (can start at a different address, just make sure the jump matches up):
    Code:
    00621130  /> \83F9 03       CMP ECX,3    //creates grade 3
    00621133  |.  75 12         JNE SHORT 00621147
    00621135  |.  C645 08 FF    MOV BYTE PTR SS:[EBP+8],0FF  //R
    00621139  |.  C645 09 32    MOV BYTE PTR SS:[EBP+9],32  //G
    0062113D  |.  C645 0A 32    MOV BYTE PTR SS:[EBP+0A],32  //B
    00621141  |.  C645 0B FF    MOV BYTE PTR SS:[EBP+0B],0FF  //A
    00621145  |.  EB 05         JMP SHORT 0062114C
    00621147  |>  30C0          XOR AL,AL
    00621149  |.  5E            POP ESI
    0062114A  |.  5D            POP EBP
    0062114B  |.  C3            RETN
    0062114C  |>  8B55 0C       MOV EDX,DWORD PTR SS:[EBP+0C]
    0062114F  |.  8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
    00621152  |.  8902          MOV DWORD PTR DS:[EDX],EAX
    00621154  |.  B0 01         MOV AL,1
    00621156  |.  5E            POP ESI
    00621157  |.  5D            POP EBP
    00621158  \.  C3            RETN

    For the grade to be colored when tabbed is pressed:

    First edit:

    Original:
    Code:
    00407800  |.  8B83 F4040000 MOV EAX,DWORD PTR DS:[EBX+4F4]
    00407806      74 5B         JE SHORT 00407863
    00407808  |.  8D81 D8030000 LEA EAX,[ECX+3D8]
    0040780E  \.  EB 01         JMP SHORT 00407811
    00407810   .  90            NOP
    00407811  />  C685 87FEFFFF MOV BYTE PTR SS:[LOCAL.95+3],0FF
    00407818  |.  C685 84FEFFFF MOV BYTE PTR SS:[LOCAL.95],0FF
    0040781F  |.  C685 85FEFFFF MOV BYTE PTR SS:[LOCAL.95+1],80
    00407826  |.  C685 86FEFFFF MOV BYTE PTR SS:[LOCAL.95+2],40
    0040782D  |.  8B8D 84FEFFFF MOV ECX,DWORD PTR SS:[LOCAL.95]
    00407833  |.  894F 7F       MOV DWORD PTR DS:[EDI+7F],ECX
    00407836  |.  C687 83000000 MOV BYTE PTR DS:[EDI+83],1
    0040783D  \.  EB 2D         JMP SHORT 0040786C
    0040783F      90            NOP
    00407840      90            NOP
    00407841      90            NOP
    00407842      90            NOP
    00407843      90            NOP
    00407844   .  90            NOP
    00407845   .  90            NOP
    00407846   .  90            NOP
    00407847   .  90            NOP
    00407848   .  90            NOP
    00407849   .  90            NOP
    0040784A   .  90            NOP
    0040784B   .  90            NOP
    0040784C   .  90            NOP
    0040784D   .  90            NOP
    0040784E   .  90            NOP
    0040784F   .  90            NOP
    00407850   .  90            NOP
    00407851   .  90            NOP
    00407852   .  90            NOP
    00407853   .  90            NOP
    00407854   .  90            NOP
    00407855   .  90            NOP
    00407856   .  90            NOP
    00407857   .  90            NOP
    00407858   .  90            NOP
    00407859   .  90            NOP
    0040785A   .  90            NOP
    0040785B   .  90            NOP
    0040785C   .  90            NOP
    0040785D   .  90            NOP
    0040785E   .  90            NOP
    0040785F   .  90            NOP
    00407860   .  90            NOP
    00407861   .  90            NOP
    00407862   .  90            NOP
    00407863      8B50 54       MOV EDX,DWORD PTR DS:[EAX+54]
    00407866      8B40 0C       MOV EAX,DWORD PTR DS:[EAX+0C]
    00407869      8B0490        MOV EAX,DWORD PTR DS:[EDX*4+EAX]
    0040786C  |>  50            PUSH EAX
    0040786D  |.  68 B5060000   PUSH 6B5   
    00407872  |.  E8 591E1000   CALL 005096D0

    Modified:

    Code:
    00407800  |.  8B83 F4040000 MOV EAX,DWORD PTR DS:[EBX+4F4]
    00407806  |.  74 37         JE SHORT 0040783F
    00407808  |.  8D81 D8030000 LEA EAX,[ECX+3D8]
    0040780E  \.  EB 01         JMP SHORT 00407811
    00407810   .  90            NOP
    00407811  />  C685 87FEFFFF MOV BYTE PTR SS:[EBP-179],0FF
    00407818  |.  C685 84FEFFFF MOV BYTE PTR SS:[EBP-17C],0FF
    0040781F  |.  C685 85FEFFFF MOV BYTE PTR SS:[EBP-17B],80
    00407826  |.  C685 86FEFFFF MOV BYTE PTR SS:[EBP-17A],40
    0040782D  |.  8B8D 84FEFFFF MOV ECX,DWORD PTR SS:[EBP-17C]
    00407833  |.  894F 7F       MOV DWORD PTR DS:[EDI+7F],ECX
    00407836  |.  C687 83000000 MOV BYTE PTR DS:[EDI+83],1
    0040783D  |.  EB 2D         JMP SHORT 0040786C
    0040783F  \>  E9 3C992100   JMP 00621180  //codecave jump
    00407844      90            NOP
    00407845      90            NOP
    00407846      90            NOP
    00407847      90            NOP
    00407848      90            NOP
    00407849      90            NOP
    0040784A      90            NOP
    0040784B      90            NOP
    0040784C      90            NOP
    0040784D      90            NOP
    0040784E      90            NOP
    0040784F      90            NOP
    00407850   .  90            NOP
    00407851  />  90            NOP
    00407852  |.  90            NOP
    00407853  |.  90            NOP
    00407854  |.  90            NOP
    00407855  |.  90            NOP
    00407856  |.  90            NOP
    00407857  |.  90            NOP
    00407858  |.  90            NOP
    00407859  |.  90            NOP
    0040785A  |.  90            NOP
    0040785B  |.  90            NOP
    0040785C  |.  90            NOP
    0040785D  |.  90            NOP
    0040785E  |.  90            NOP
    0040785F  |.  90            NOP
    00407860  |.  90            NOP
    00407861  |.  90            NOP
    00407862  |.  90            NOP
    00407863  |.  90            NOP
    00407864  |.  90            NOP
    00407865  |.  90            NOP
    00407866  |.  90            NOP
    00407867  |.  90            NOP
    00407868  |.  90            NOP
    00407869  |.  90            NOP
    0040786A  |.  90            NOP
    0040786B  |.  90            NOP
    0040786C  |>  50            PUSH EAX
    0040786D  |.  68 B5060000   PUSH 6B5 
    00407872  |.  E8 591E1000   CALL 005096D0

    Codecave for color name when tabbing:

    Code:
    00621180  /> \8B50 54       MOV EDX,DWORD PTR DS:[EAX+54]
    00621183  |.  8B40 0C       MOV EAX,DWORD PTR DS:[EAX+0C]
    00621186  |.  8B0490        MOV EAX,DWORD PTR DS:[EDX*4+EAX]
    00621189  |.  80B9 EA040000 CMP BYTE PTR DS:[ECX+4EA],3
    00621190  |.^ 0F85 D666DEFF JNE 0040786C
    00621196  |.  C685 87FEFFFF MOV BYTE PTR SS:[EBP-179],0FF //R
    0062119D  |.  C685 84FEFFFF MOV BYTE PTR SS:[EBP-17C],0FF //A
    006211A4  |.  C685 85FEFFFF MOV BYTE PTR SS:[EBP-17B],32 //B
    006211AB  |.  C685 86FEFFFF MOV BYTE PTR SS:[EBP-17A],32 //G
    006211B2    ^ E9 9A66DEFF   JMP 00407851
    Follow the same diagram to add more to your pleasing. Credits go to DelPa for pointing the way to adding grades in the 08 client.
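
The listings above hinge on one detail that the first post stumbled over: a jump's displacement is measured from the address of the *next* instruction, and a SHORT (2-byte) jump only reaches 128 bytes either way, which is why the entry at 004A1836 needs a 5-byte E9 near jump to reach the cave at 00621130 while the jumps inside the cave can stay short. The Python below is an added example, not code from the thread or from the tutorial it discusses; it encodes and decodes the x86 jump forms that appear in the listings and checks them against the bytes OllyDbg shows, the way you would verify a hand-applied patch before trusting it. The addresses and byte strings are transcribed from the listings in this post; the FORMS table and the function names are my own.

```python
# Added example (not from the thread): encode/decode x86 relative jumps and
# check them against the bytes Cekuro's OllyDbg listings show. Written from a
# patch-verification viewpoint: given the address a jump sits at and the
# target it is supposed to reach, confirm the displacement bytes are right
# and that a SHORT form is only used where it actually fits.
import struct

# Opcode, total instruction length and displacement width for the jump
# forms that appear in the listings (this table is an assumption of the
# example, not something the thread defines).
FORMS = {
    "jmp_short": (b"\xEB", 2, 1),      # EB rel8
    "je_short":  (b"\x74", 2, 1),      # 74 rel8
    "jne_short": (b"\x75", 2, 1),      # 75 rel8
    "jmp_near":  (b"\xE9", 5, 4),      # E9 rel32
    "jne_near":  (b"\x0F\x85", 6, 4),  # 0F 85 rel32
}


def encode_jump(form, at, target):
    """Bytes for jump `form` placed at address `at` that lands on `target`.
    The displacement is relative to the address of the *next* instruction,
    i.e. `at + length`, not to `at` itself."""
    opcode, length, disp_size = FORMS[form]
    disp = target - (at + length)
    if disp_size == 1:
        if not -128 <= disp <= 127:
            raise ValueError(f"{form} at {at:08X}: target {target:08X} is "
                             f"{disp:+#x} away, out of rel8 range; use a near form")
        return opcode + struct.pack("<b", disp)
    return opcode + struct.pack("<i", disp)


def decode_target(at, raw):
    """Given the raw bytes of a jump at address `at`, return its target."""
    for opcode, length, disp_size in FORMS.values():
        if raw.startswith(opcode) and len(raw) == length:
            fmt = "<b" if disp_size == 1 else "<i"
            disp, = struct.unpack(fmt, raw[len(opcode):])
            return at + length + disp
    raise ValueError("not a recognised jump encoding")


# Rows transcribed from the listings above: (form, address, target, bytes as shown)
LISTING = [
    ("jmp_near",  0x004A1836, 0x00621130, "E9 F5F81700"),    # entry -> grade cave
    ("jne_short", 0x00621133, 0x00621147, "75 12"),          # not grade 3 -> XOR AL,AL
    ("jmp_short", 0x00621145, 0x0062114C, "EB 05"),          # colour set -> epilogue
    ("je_short",  0x00407806, 0x0040783F, "74 37"),          # modified tab-list JE
    ("jmp_short", 0x0040783D, 0x0040786C, "EB 2D"),
    ("jmp_near",  0x0040783F, 0x00621180, "E9 3C992100"),    # tab-list -> colour cave
    ("jne_near",  0x00621190, 0x0040786C, "0F85 D666DEFF"),  # backwards: negative rel32
    ("jmp_near",  0x006211B2, 0x00407851, "E9 9A66DEFF"),    # back into original code
]


def verify_listing(rows=LISTING):
    """Return the rows whose shown bytes disagree with the computed encoding
    (an empty list means every jump in the listing is consistent)."""
    bad = []
    for form, at, target, shown in rows:
        expected = bytes.fromhex(shown.replace(" ", ""))
        if encode_jump(form, at, target) != expected or decode_target(at, expected) != target:
            bad.append((form, at, target, shown))
    return bad


def short_jump_reaches(at, target):
    """True if a 2-byte SHORT jump at `at` can reach `target`."""
    return -128 <= target - (at + 2) <= 127


if __name__ == "__main__":
    print("mismatches:", verify_listing())
    # The first post's question: a JNZ SHORT cannot reach the cave from 004A1836.
    print("short jump 004A1836 -> 00621130 possible?",
          short_jump_reaches(0x004A1836, 0x00621130))
```

Running it reports no mismatches, which is what the "just make sure the jump matches up" remark amounts to in practice: any time the cave is moved, every E9 into it and every backwards jump out of it must be re-encoded from the new addresses, and `short_jump_reaches` tells you when a short form has silently gone out of range.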

  6. #6 Phoenix

    Thanks a lot Cekuro. But, when did DelPa post things about adding new grades? Isn't this what Kyoshike posted?
    Also, adding grades seems to be pretty bugged in the tab list and chat names on a masked July 08 runnable. Any way to fix that?

  7. #7 iCreamPie

    I'm using Kyoshike's way and I quite understand it now. Can you post a tutorial on how to split admin and developer's colors?

  8. #8 Cekuro

    Quote Originally Posted by phoenix_147:
    Thanks a lot Cekuro. But, when did DelPa post things about adding new grades? Isn't this what Kyoshike posted?
    Also, adding grades seems to be pretty bugged in the tab list and chat names on a masked July 08 runnable. Any way to fix that?
    DelPa posted almost a month before Kyoshike did; DelPa just kinda made you work for it, versus Kyoshike cleaning it up and materializing it:

    http://forum.ragezone.com/f311/tutor...0/#post5806710

    Kyoshike:
    http://forum.ragezone.com/f245/july-...-grade-688781/

    I was planning to look at that for a masked runnable. I'll take some time later today to look into it.

  9. #9 Phoenix

    Thanks a lot again. You really are quite helpful.

  10. #10 iCreamPie

    Thanks for the information, Cekuro. I would really like it if you can do my request, and the other one I sent you via PM.

  11. #11 ::.kakashi.::

    I thought you already made a runnable with new grades :s

  12. #12 Phoenix

    Cekuro, just to let you know, I followed what you posted above but got this as the result:

    [screenshot not preserved]

    Names kept changing randomly in the lobby:

    [screenshot not preserved]
    Last edited by Phoenix; 28-09-10 at 06:37 AM.


