I had posted some of my client edits on a help thread a while back, but since I'm still being asked about v90 addys, I'll just make a thread for all of my documented/noted edits.
These are all of the popularly used "client hacks"
Code:
// No Damage Cap
00C7D6C0 -> db 2147483647.00000
// Meso Drop Cap, ty justin
00917612 -> db 2000000000
// ADBoard Max Length (default max is db 40)
00A5CBCF -> 7F
// Repeating Chat Text Bypass (default condition is 0x74/JE)
004B2A70 -> JMP (db EB)
// 2s Chat Spam Delay Bypass (default condition is 0x73/JNB)
004B2ABA -> JMP (db EB)
// Infinite Chat Text (default max is db 46)
// -- This can be modified to reach up to 256 characters ;)
009E9385 -> db 127
// Swear Filter (default condition is 0x75/JNZ)
008702FA -> JE (db 74)
// Tubi + Super Tubi
004A76E5 -> NOP (db 90 90) ; !this->m_bExclRequestSent
004A7705 -> NOP (db 90 90) ; bIgnoreDeadState || this->m_pCharacterData.characterStat.nHP > 0
004A7716 -> NOP (db 90 90) ; get_update_time() - this->m_tExclRequestSent >= tTimeInterval
// Droppable NX
00531844 -> NOP (db 90 90 90 90 90 90)
00531856 -> NOP (db 90 90 90 90 90 90)
// SkillEffectChange Bypass
00B8234A -> JMP (db EB)
// AP Check Removal (nAP > 200, "Please use AP")
00B82429 -> JMP (db EB)
// Let GM/Admins Drop Items (default condition is 0x74/JE)
00531515 -> JMP (db EB)
// Let GM/Admins Drop Mesos (default condition is 0x74/JE)
00917505 -> JMP (db EB)
// Let GM/Admins Attack (default condition is 0x74/JE)
00A7B859 -> JMP (db EB)
00A838A8 -> JMP (db EB)
00A882E4 -> JMP (db EB)
00A95DA6 -> JMP (db EB)
00A8C554 -> JMP (db EB)
// Bound Jump Foothold Bypass (Floor Jump)
00AA89AF -> NOP (db 90 90 90 90 90 90)
00AA89BE -> NOP (db 90 90 90 90 90 90)
00AA89F1 -> NOP (db 90 90 90 90 90 90)
00AA8A00 -> NOP (db 90 90 90 90 90 90)
00AA8A22 -> NOP (db 90 90 90 90 90 90)
00AA8B17 -> NOP (db 90 90 90 90 90 90)
// Falldown Foothold Bypass (Infinite Flash Jumps)
00A7B4DB -> NOP (db 90 90)
00A7B4DD -> NOP (db 90 90 90 90 90 90)
// Delete Character No-PIC bypass (Fake PIC)
00675C15 -> JMP
These are my Gr2D hacks
Code:
// Pre-BB Gr2D DirectX Window Mode Client Startup
00B4F535 -> MOV DWORD PTR DS:[D8E7D0], 1
00B52A18 -> MOV EAX, 0
// Enable the graphics Gr2D FPS Toggle
00B52D2C -> NOP (db 90 90)
00B52D2E -> NOP (db 90 90 90 90)
These are my encryption/client changes
Code:
// Client Locale (GMS Locale is 08)
004BB5F1 -> 4F
// IGcipher Encryption Keys
// -- IGcipher::innoHash
00BB3B3E -> C65053F2
// -- IGcipher::innoDecrypt
00BB3C3B -> C65053F2
// -- IGcipher::innoEncrypt
00BB3BD3 -> C65053F2
// Rename ijl15.dll, ty justin
01160092 -> db 'ijl15.dll'
// CLogo client modifications.
006B23CA -> modify 514 to 0FF to remove the ability to skip CLogo.
006B2427 -> modify to millisecond time. ex 0x915E is a 37.2 second long intro.
006B24AE -> modify to 7F, though unnecessary. length interval check for Wizet.
// Disable CLogo entirely.
-> NOP address 006B1F7D~006B1F90
006B1F7D 90 NOP
006B1F7E 90 NOP
006B1F7F 90 NOP
006B1F80 90 NOP
006B1F81 90 NOP
006B1F82 90 NOP
006B1F83 90 NOP
006B1F84 90 NOP
006B1F85 90 NOP
006B1F86 90 NOP
006B1F87 90 NOP
006B1F88 90 NOP
006B1F89 90 NOP
006B1F8A 90 NOP
006B1F8B 90 NOP
006B1F8C 90 NOP
006B1F8D 90 NOP
006B1F8E 90 NOP
006B1F8F 90 NOP
006B1F90 90 NOP
006B1F91 90 NOP
These are my loginscreen layout addys
Code:
// Move the Login Screen Dialogue Box to coordinates
006A25B6 -> Change -0x2C to new Y-value
006A258B -> Change -0x60 to new X-value
-- For integer coordinates > 0x7F adjustment:
-- You must remove the last DWORD and move all remaining assignment up.
-- Then, push an integer rather than a single byte.
006A2570 |. 89BE 4C010000 MOV DWORD PTR DS:[ESI+14C], EDI
006A2576 |. 8D8E 58010000 LEA ECX, DWORD PTR DS:[ESI+158]
006A257C |. C645 FC 0B MOV BYTE PTR SS:[EBP-4], 0B
006A2580 |. E8 E4923500 CALL 009FB869
006A2585 68 00010000 PUSH 100
006A258A |. 90 NOP
006A258B |. 90 NOP
006A258C |. 90 NOP
006A258D |. 5B POP EBX
// Change the font color of usernames/password on the Login Screen
006A2B47 -> Change 0xFF[5D3C1D] -> To your own Hex Color Code. [Ex: 0xFF000000 is Black]
// Move the Login button:
006A283F -> 0x4F
006A2841 -> 0x4C
// Move the Password Box
006A2C78 -> 0x29
006A2C7A -> 0x28
// Move the ID Box
006A2BDC -> 0xF
006A2BDE -> 0x28
// Move the Save Email button
006A28B9 -> 0x16
006A28BB -> 0x17
// Checkmark
006A2E8C -> 0x17
006A2E8F -> 0x16
// Disable the Website button
006A2A98 -> 0x58
006A2A9A -> -0x61 (Enable: 0x57)
// Disable the Join button
006A2A21 -> 0x44 (Enable: 0x58)
006A2A23 -> -0x55 (Enable: 0xF)
// Move the Forgot ID button
006A2930 -> 0x52
006A2932 -> 0xD
// Move the Forgot P/W button
006A29A7 -> 0x67
006A29A9 -> 0xD
// Move the Quit button
006A2B0F -> 0x52
006A2B11 -> 0xAE
This is the old Windows 8 code-cave fix
Code:
// Windows 8, 8.1, and 10 Support (Pre-BB)
// ** First Method - Performing a kernel32 2000ms sleep code-cave.
// AoB: 68 00 08 00 00 ?? FF 15 ?? ?? ??
// -> Address Call [006035E2]
006035E2 |. E8 C9DC5D00 CALL <JMP.&dinput8.DirectInput8Create>
// -> Address Call [006035ED]
006035ED |. E8 7A297900 CALL 00D95F6C
// -> Address Code Cave [00D95F6C]
00D95F6C $ 90 NOP
00D95F6D . 90 NOP
00D95F6E . 90 NOP
00D95F6F . 90 NOP
00D95F70 . 68 00200000 PUSH 2000 ; /Timeout = 8192. ms
00D95F75 . FF15 E0D1C600 CALL NEAR DWORD PTR DS:[<&kernel32.Sl>; \Sleep
00D95F7B .^ E9 72D686FF JMP 006035F2
00D95F80 90 NOP
00D95F81 90 NOP
00D95F82 90 NOP
00D95F83 90 NOP
These were random tests for customization
Code:
// Modify the background color of item description tooltips
// Hex value represents binary representation. Values are in ARGB format.
// Orion Colors: [Default=0x32630F3D] [Premium=0xA007070A]
00A0106C 0F8 and eax, 3FFFC0h -> 25 [C0 00 FF 3F]
00A01071 0F8 add eax, 0A0000040h -> 05 [40 00 00 A0]
// To allow unique TVmedia on MapleTV's (assign each media to NPC ID)
// we must modify the addresses below.
// the objective here is to nop the two pop ecx, nop the randomizer calls,
// and modify the mov edi, eax register to mov edi, [edx] for ptr [edx+0]->dwTemplateID
// *all below addresses are for v90.
00763247 56 PUSH ESI
00763248 FFB0 40040000 PUSH DWORD PTR DS:[EAX+440]
0076324E |. C745 FC 10000>MOV [LOCAL.1], 10
-------------------------------------------------------------
00763255 90 NOP
00763256 90 NOP
00763257 90 NOP
00763258 90 NOP
00763259 90 NOP
0076325A 90 NOP
0076325B 90 NOP
0076325C 8B3A MOV EDI, DWORD PTR DS:[EDX]
-------------------------------------------------------------
0076325E 8D45 08 LEA EAX, DWORD PTR SS:[EBP+8]
UPDATE: Here are my notes in regards to modifying the "WZ" extension to your own. This is just another random change I did on Orion which will work for any client version.
Code:
; Modifying the game client's ResMan "WZ" extension to our own.
; To easily find the extensions, use the AoB: 77 00 7A 00
; -------------------------
; PE Unicode String Dump:
; -------------------------
00B520FA PUSH 00CC61A8 ; %s.wz
00B51D0D PUSH 00CC6214 ; Base.wz
; ------------------
; Assembly Section:
; ------------------
00CC61A8 unicode 0, <%s.wz>,0
00CC6214 unicode 0, <Base.wz>,0
; Unicode stores characters as two bytes:
; [25 00] -> %
; [73 00] -> s
; [2E 00] -> .
; [77 00] -> w
; [7A 00] -> z
; We modify the unicode and change it to a <.or> extension with
; the following bytes:
; [6F 00] -> o
; [72 00] -> r
; Nexon iterates all files under %s.wz EXCEPT for Base, so we
; must change from the 'Base.wz' unicode to 'Base.or':
; [42 00] -> B
; [61 00] -> a
; [73 00] -> s
; [65 00] -> e
; [2E 00] -> .
; [77 00] -> w => [6F 00] -> o
; [7A 00] -> z => [72 00] -> r
; Nexon may check for Base.wz in the MapleStory module, but
; not 'List.wz' as that is in two different DLLs. In order
; to use 'List.or', two additional files must be updated.
; -> Canvas.DLL - Modify 'List<.wz>' to 'List<.or>'
; -> PCOM.dll - Modify 'List<.wz>' to 'List<.or>'
; NOTE: It is infinitely easier to open up a Hex Editor like HxD,
; search for the AoB as hex bytes, and update the raw string there.
; No need to go through the trouble of messing with DB/DD values in olly.
Hope this helps!
- Eric
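As an added example (not code from the post or from the client itself), here is a small Python patcher for the UTF-16 ".wz" -> ".or" rewrite described in the update, which can be run over the client executable, Canvas.DLL and PCOM.dll. The sample buffer is constructed, and matching the dotted pattern at even offsets rather than the bare 77 00 7A 00 AoB is my own tightening.

```python
# Added example, not code from the post: apply its UTF-16 ".wz" -> ".or"
# extension rewrite to a raw file image (MapleStory.exe, Canvas.DLL, PCOM.dll).
# SAMPLE_IMAGE is a constructed stand-in for a real .rdata region.
OLD_EXT = ".wz"
NEW_EXT = ".or"


def utf16(s: str) -> bytes:
    """UTF-16LE bytes, the two-bytes-per-character form the post lists."""
    return s.encode("utf-16-le")


def rewrite_extension(image: bytes, old: str = OLD_EXT,
                      new: str = NEW_EXT) -> tuple[bytes, list[int]]:
    """Return (patched image, file offsets rewritten).

    Matches the dotted form (2E 00 77 00 7A 00) rather than the bare
    77 00 7A 00 AoB from the post, and only at even offsets, so a stray
    "wz" pair or a misaligned hit is left alone (assumption: the strings
    are 2-byte aligned). The new extension must keep the length: the
    strings are referenced by absolute address, so nothing may shift.
    """
    old_b, new_b = utf16(old), utf16(new)
    if len(old_b) != len(new_b):
        raise ValueError("new extension must be the same length as the old")
    buf = bytearray(image)
    offsets: list[int] = []
    pos = buf.find(old_b)
    while pos != -1:
        if pos % 2 == 0:
            buf[pos:pos + len(old_b)] = new_b
            offsets.append(pos)
        pos = buf.find(old_b, pos + 1)
    return bytes(buf), offsets


def remaining(image: bytes, ext: str = OLD_EXT) -> int:
    """Count leftover UTF-16 occurrences of ext: a quick post-patch check."""
    return image.count(utf16(ext))


# Constructed sample: three NUL-terminated names in a zero-padded buffer.
SAMPLE_IMAGE = (b"\x00" * 16 + utf16("%s.wz\0") + b"\x00" * 6
                + utf16("Base.wz\0") + utf16("List.wz\0"))

if __name__ == "__main__":
    patched, hits = rewrite_extension(SAMPLE_IMAGE)
    print("patched at", [hex(o) for o in hits], "left:", remaining(patched))
```

Keep a copy of each original file and diff it against the patched one: the only bytes that should differ are the two code units at each reported offset plus two.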