Okay, I've been working on this for a day, and I feel the only thing I'm missing from this equation is the updated offsets for the '08 client. Mind you, I have no experience with coding; I'm just very observant and somewhat open-ended with practical direct editing. This is based on Nobody666/Wizkid's post about making a new code cave. I have no idea how to find offsets, but I do know that they're obviously different because it's a different compiled version. Anyway, here is my edit.
Code:
CPU Disasm
Address Hex dump Command Comments
0042E1BF |. 8B88 A0010000 MOV ECX,DWORD PTR DS:[EAX+1A0]
0042E1C5 |. 898D F4FEFFFF MOV DWORD PTR SS:[LOCAL.67],ECX
0042E1CB |. 8B90 A4010000 MOV EDX,DWORD PTR DS:[EAX+1A4]
0042E1D1 |. 6A 00 PUSH 0
0042E1D3 |. E9 68311F00 JMP 00621340
0042E1D8 |> 8D8D F4FEFFFF LEA ECX,[LOCAL.67] ; |
0042E1DE |. 51 PUSH ECX ; |Arg1 => OFFSET LOCAL.67
0042E1DF |. 8995 F8FEFFFF MOV DWORD PTR SS:[LOCAL.66],EDX ; |
0042E1E5 |. E8 76F6FFFF CALL 0042D860 ; \theduelv125e.0042D860
0042E1EA |. 8B4D FC MOV ECX,DWORD PTR SS:[LOCAL.1]
0042E1ED |. 83C4 0C ADD ESP,0C
0042E1F0 |. E8 F9911400 CALL 005773EE
0042E1F5 |. 89EC MOV ESP,EBP
0042E1F7 |. 5D POP EBP
0042E1F8 \. C3 RETN
My code cave; I'll bold the offsets that need to be changed.
Code:
CPU Disasm
Address Hex dump Command Comments
00621340 /> \50 PUSH EAX
00621341 |. 53 PUSH EBX
00621342 |. 51 PUSH ECX
00621343 |. 52 PUSH EDX
00621344 |. 57 PUSH EDI
00621345 |. BF 3CC76600 MOV EDI,OFFSET 0066C73C
0062134A |. BA 00006F00 MOV EDX,OFFSET 006F0000
0062134F |. 29C9 SUB ECX,ECX
00621351 |> 8A040F /MOV AL,BYTE PTR DS:[ECX+EDI]
00621354 |. 3C 00 |CMP AL,0
00621356 |. 74 06 |JE SHORT 0062135E
00621358 |. 88040A |MOV BYTE PTR DS:[ECX+EDX],AL
0062135B |. 41 |INC ECX
0062135C |.^ EB F3 \JMP SHORT 00621351
0062135E |> B0 20 MOV AL,20
00621360 |. 88040A MOV BYTE PTR DS:[ECX+EDX],AL
00621363 |. 41 INC ECX
00621364 |. B0 3A MOV AL,3A
00621366 |. 88040A MOV BYTE PTR DS:[ECX+EDX],AL
00621369 |. 41 INC ECX
0062136A |. B0 20 MOV AL,20
0062136C |. 88040A MOV BYTE PTR DS:[ECX+EDX],AL
0062136F |. 41 INC ECX
00621370 |. 01CA ADD EDX,ECX
00621372 |. 29C9 SUB ECX,ECX
00621374 |. 89E7 MOV EDI,ESP
00621376 |. 83C7 20 ADD EDI,20
00621379 |> 8A040F /MOV AL,BYTE PTR DS:[ECX+EDI]
0062137C |. 3C 00 |CMP AL,0
0062137E |. 74 06 |JE SHORT 00621386
00621380 |. 88040A |MOV BYTE PTR DS:[ECX+EDX],AL
00621383 |. 41 |INC ECX
00621384 |.^ EB F3 \JMP SHORT 00621379
00621386 |> 88040A MOV BYTE PTR DS:[ECX+EDX],AL
00621389 |. 66:C705 FEFF6 MOV WORD PTR DS:[6EFFFE],325E
00621392 |. 5F POP EDI
00621393 |. 5A POP EDX
00621394 |. 59 POP ECX
00621395 |. 5B POP EBX
00621396 |. 58 POP EAX
00621397 |. 68 FEFF6E00 PUSH OFFSET 006EFFFE
0062139C \.^ E9 37CEE0FF JMP 0042E1D8
I believe that's the last piece of the puzzle, and we can get the admin wall unmasked for the '08 client. If I'm wrong, please correct me, for I am just a beginner in stuff like this, regardless of how easy this is for you veterans.