

[LEAK]MAPLE STORY SECRET

 
407
Master Cheater
Reputation: 0

Joined: 25 Oct 2007
Posts: 357

PostPosted: Wed Apr 15, 2009 4:52 pm    Post subject: [LEAK]MAPLE STORY SECRET Reply with quote

CREDITS TO CHEESELOVER FOR DOXING/HAXING SF
GMZorita wrote:
Rope / Ladder:


Portal:


Mob:


Inventory:


Platforms:


Full credits to: PedraSimon & KittonKicker.




kittonkicker wrote:
As promised in the teleporting thread, here are the unpacked binary files for NNB.

You will have to get the rest of the trainer yourself.

http://rapidshare.com/files/199351129/nnbunpfiles.rar ~ (v1.09)
http://rapidshare.com/files/199365457/nnb2.06unp.rar ~ (v2.06)

Both are traffic share enabled (so you can download without having to wait).

These are posted here solely for reversing/analysis.

I am releasing them solely on the basis that on downloading, you agree to post any and all discoveries about the trainer in this thread.

















._Henley wrote:
Heres a pic:


Functions:
Read addys/pointers
Freeze values
Change values

Inject it into a process and just add the addys you wanna read. Please report all the bugs here ._.

if nothing shows when you inject it -> Download. (remember to extract)













Quote:



sponge wrote:
Code:
.686
.model  flat, stdcall

    option      casemap :none
    include     \masm32\include\windows.inc
   
    include     \masm32\include\kernel32.inc
    includelib  \masm32\lib\kernel32.lib

    include     \masm32\include\user32.inc
    includelib  \masm32\lib\user32.lib

    include     \masm32\m32lib\dw2ah.asm

; Forward declarations (stdcall, one DWORD argument each) for procs that are
; referenced before they are defined: consoleOut/consoleProc are used from
; botConsole, and botConsole takes the offset of loadLibraryHook.
consoleOut            PROTO :DWORD
consoleProc           PROTO :DWORD   
loadLibraryHook       PROTO :DWORD

.data

    hConsole         dd 0                  ; stdout handle of the console allocated in consoleCreate

    szTitle          db "memWZ", 0
    szIntro1         db "memWZ - by spunge", 0Ah, 0
    szIntro2         db "_____________________________", 0Ah, 0Ah, "Loading hooks...", 0Ah, 0Ah, 0

    ; kernel32 export names and their resolved addresses (filled in by
    ; botConsole via GetProcAddress).  The hooks call the real APIs through
    ; the dw* cells.
    szKernel32       db "kernel32.dll", 0
    szLoadLibrary    db "LoadLibraryA", 0
    dwLoadLibrary    dd 0
    szCreateFile     db "CreateFileA", 0
    dwCreateFile     dd 0
    szCreateMap      db "CreateFileMappingA",0
    dwCreateMap      dd 0
    szMapView        db "MapViewOfFile", 0
    dwMapView        dd 0

    ; Module whose LoadLibraryA call is intercepted.  lstrcmp is case
    ; sensitive, so only this exact spelling of the last 13 bytes matches.
    szNameSpace      db "NAMESPACE.DLL", 0
    dwNameSpace      dd 0                  ; HMODULE of NAMESPACE.DLL once loaded (set in nameSpaceBase)
    dwNSHook         dd 0                  ; return address of the game's LoadLibraryA call, where the JMP to nameSpaceBase is written
    bNSBool          dd 0                  ; 1 = nameSpaceBase still has to plant its patches

    ; NOTE(review): no terminating 0 here, unlike every other string in this
    ; section.  consoleOut's lstrlen therefore runs past the text into the
    ; bytes of dwRandom.
    szError1         db "Cannot set up console control handler; memWZ is shutting down."
   
    dwRandom         dd 0                  ; scratch: indirect-jmp target in every hook AND lpflOldProtect for VirtualProtect.
                                           ; A single shared global — a second thread entering a hook between the store and the
                                           ; jmp would redirect the first one.
    dwRandom2        dd 0                  ; passed BY VALUE to WriteConsole in consoleOut and never written, so it stays 0
    bExit            dd 0                  ; set by consoleProc on CTRL_CLOSE_EVENT; never read in this listing
    dwCounter        dd 0                  ; byte index of the name-length loop in loadLibraryHook
    dwAquired        dd 0                  ; 1 once the NAMESPACE.DLL load has been seen and its return site patched
    dwAquired2       dd 0                  ; unused in this listing

    ; One line per .wz archive: label text followed by 11 zero bytes.
    ; mapViewRetHook lstrcat's the hex text of the mapped view base (from
    ; szAddress, presumably 8 hex digits + NUL) into that zero tail.
    szBase           db "Base.wz:      ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szCharacter      db "Character.wz: ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szMob            db "Mob.wz:       ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szSkill          db "Skill.wz:     ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szReactor        db "Reactor.wz:   ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szNPC            db "Npc.wz:       ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szUI             db "UI.wz:        ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szQuest          db "Quest.wz:     ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szItem           db "Item.wz:      ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szEffect         db "Effect.wz:    ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szString         db "String.wz:    ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szETC            db "Etc.wz:       ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szMorph          db "Morph.wz:     ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szTamingMob      db "TamingMob.wz: ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szSound          db "Sound.wz:     ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szMap            db "Map.wz:       ", 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    szAddress        dd 0                  ; 12-byte text buffer filled by dw2ah in mapViewRetHook
                     dd 0
                     dd 0

    ; Byte offset into szTable; mapViewRetHook adds 4 per MapViewOfFile.
    ; NOTE(review): never bounds-checked or wrapped — the 17th mapping
    ; indexes past the table into scbufinfo.
    dwTblIndex       dd 0
    ; 16 pointers = 40h bytes; botConsole's print loop stops at edx == 040h.
    szTable          dd offset szBase
                     dd offset szCharacter
                     dd offset szMob
                     dd offset szSkill
                     dd offset szReactor
                     dd offset szNPC
                     dd offset szUI
                     dd offset szQuest
                     dd offset szItem
                     dd offset szEffect
                     dd offset szString
                     dd offset szETC
                     dd offset szMorph
                     dd offset szTamingMob
                     dd offset szSound
                     dd offset szMap

    scbufinfo        CONSOLE_SCREEN_BUFFER_INFO <>   ; unused in this listing
.code

; The procs up to the matching PrologueDef/EpilogueDef below are raw
; trampolines entered by JMP from patched code: no ebp frame is generated,
; `ret` is never used, and each one leaves through an indirect jmp.
OPTION PROLOGUE:NONE
OPTION EPILOGUE:NONE

;-----------------------------------------------------------------------
; createFileHook — reached by the 5-byte JMP that nameSpaceBase writes at
; NAMESPACE.DLL base + 0C7D9h (presumably over a 6-byte call to
; CreateFileA; a NOP is written over the 6th byte at +0C7DEh).  Entered
; by JMP, not CALL, so esp still points at the call's argument list:
; [esp] = lpFileName, [esp+4] = dwDesiredAccess.
; Effect: forces dwDesiredAccess to GENERIC_READ|GENERIC_WRITE, calls the
; real CreateFileA, then resumes at base + 0C7DEh with eax = its HANDLE.
; Clobbers flags; uses the shared global dwRandom as the jmp target.
;-----------------------------------------------------------------------
createFileHook proc
    mov      dword ptr ss:[esp+4], GENERIC_READ or GENERIC_WRITE  ; dwDesiredAccess := read|write
    call     dword ptr ds:[dwCreateFile]          ; real CreateFileA (stdcall: pops its own args)
    push     eax                                  ; keep the returned HANDLE across the add
    mov      eax, dword ptr ds:[dwNameSpace]
    add      eax, 0C7dEh                          ; resume = patch site + 5 (the NOP byte)
    mov      dword ptr ds:[dwRandom], eax         ; shared scratch global — not reentrant
    pop      eax
    jmp      dword ptr ds:[dwRandom]
createFileHook endp

;-----------------------------------------------------------------------
; createFileMapHook — reached by the JMP at NAMESPACE.DLL base + 0D093h
; (6-byte site, NOP at +0D098h), in place of a call to CreateFileMappingA.
; Entered by JMP, so [esp] = hFile, [esp+4] = lpAttributes,
; [esp+8] = flProtect.
; Effect: forces flProtect to PAGE_READWRITE, calls the real
; CreateFileMappingA, resumes at base + 0D098h with eax = mapping HANDLE.
; Clobbers flags; uses the shared global dwRandom as the jmp target.
;-----------------------------------------------------------------------
createFileMapHook proc
    mov      dword ptr ss:[esp+8], PAGE_READWRITE ; flProtect := PAGE_READWRITE
    call     dword ptr ds:[dwCreateMap]           ; real CreateFileMappingA
    push     eax                                  ; keep the HANDLE across the add
    mov      eax, dword ptr ds:[dwNameSpace]
    add      eax, 0D098h                          ; resume = patch site + 5
    mov      dword ptr ds:[dwRandom], eax         ; shared scratch global — not reentrant
    pop      eax
    jmp      dword ptr ds:[dwRandom]
createFileMapHook endp

;-----------------------------------------------------------------------
; mapViewHook — reached by the JMP at NAMESPACE.DLL base + 0D104h (6-byte
; site, NOP at +0D109h), in place of a call to MapViewOfFile.
; Entered by JMP, so [esp] = hFileMappingObject, [esp+4] = dwDesiredAccess.
; Effect: forces dwDesiredAccess to FILE_MAP_WRITE, calls the real
; MapViewOfFile, resumes at base + 0D109h with eax = view base.  The very
; next byte, +0D10Ah, is where mapViewRetHook is planted.
; Clobbers flags; uses the shared global dwRandom as the jmp target.
;-----------------------------------------------------------------------
mapViewHook proc
    mov      dword ptr ss:[esp+4], FILE_MAP_WRITE ; dwDesiredAccess := FILE_MAP_WRITE
    call     dword ptr ds:[dwMapView]             ; real MapViewOfFile
    push     eax                                  ; keep the view base across the add
    mov      eax, dword ptr ds:[dwNameSpace]
    add      eax, 0D109h                          ; resume = patch site + 5
    mov      dword ptr ds:[dwRandom], eax         ; shared scratch global — not reentrant
    pop      eax
    jmp      dword ptr ds:[dwRandom]
mapViewHook endp

;-----------------------------------------------------------------------
; mapViewRetHook — reached by the 5-byte JMP at NAMESPACE.DLL base+0D10Ah,
; the byte right after the hooked MapViewOfFile call site, so on entry
; eax = the view base MapViewOfFile returned and esi = whatever the game
; code holds there.
; Logs the mapping: converts eax to hex text in szAddress (dw2ah), appends
; it to the szTable entry selected by dwTblIndex (the Base.wz, Character.wz,
; ... order is the author's assumption about mapping order), and advances
; dwTblIndex by 4.  Then re-executes the 5 displaced bytes
; (test eax,eax / mov [esi+..],eax) and resumes at base+0D10Fh.
; NOTE(review):
;  * dwTblIndex is never bounds-checked; the 17th mapping indexes past the
;    16-entry szTable into scbufinfo.
;  * the `add eax, 0D10Fh` below clobbers the flags that `test eax, eax`
;    just set, so any conditional jump at 0D10Fh sees stale flags.
;  * `[esi+18]` is decimal 18 (12h); every other offset in this file is
;    hex-suffixed — confirm against the original instruction at 0D10Ah.
;-----------------------------------------------------------------------
mapViewRetHook proc
    pushad                                        ; preserve the game's registers around the logging
    pushf
    invoke  dw2ah, eax, addr szAddress            ; szAddress := hex text of the view base
    mov     eax, dword ptr ds:[dwTblIndex]
    mov     ecx, dword ptr ds:[szTable+eax]       ; ecx -> current "Xxx.wz:       " line
    invoke  lstrcat, ecx, addr szAddress          ; append into the line's zero tail
    ;invoke  consoleOut, eax
    add     dword ptr ds:[dwTblIndex], 4          ; next table entry (no wrap)
    popf
    popad
    test    eax, eax                              ; displaced original bytes (flags lost below)
    mov     dword ptr ds:[esi+18], eax            ; displaced original bytes; 18 is DECIMAL here
    push     eax
    mov      eax, dword ptr ds:[dwNameSpace]
    add      eax, 0D10Fh                          ; resume = patch site + 5; clobbers flags
    mov      dword ptr ds:[dwRandom], eax         ; shared scratch global — not reentrant
    pop      eax
    jmp      dword ptr ds:[dwRandom] 
mapViewRetHook endp

;-----------------------------------------------------------------------
; nameSpaceBase — reached by the JMP that loadLibraryHook writes at the
; return site of the game's LoadLibraryA("NAMESPACE.DLL") call, so on
; entry eax = the HMODULE LoadLibraryA just returned (NAMESPACE.DLL base).
; First time through (bNSBool == 1) it makes 936h bytes at base+0C7D9h
; RWX and plants four relative JMPs into that module:
;   base+0C7D9h -> createFileHook     (6-byte site: E9 rel32 + NOP)
;   base+0D093h -> createFileMapHook  (6-byte site: E9 rel32 + NOP)
;   base+0D104h -> mapViewHook        (6-byte site: E9 rel32 + NOP)
;   base+0D10Ah -> mapViewRetHook     (5 bytes, no NOP)
; 0C7D9h + 936h = 0D10Fh, so the protected range ends exactly after the
; last patched byte (0D10Eh).  bNSBool is then cleared so later entries
; skip the patching.
; Every time: re-executes the displaced 7 bytes of the return site
; (presumably mov ecx,[ebp-14h] / and byte ptr [ebp-4],0) and resumes at
; dwNSHook+5, the first of the two NOPs loadLibraryHook wrote.
; Register use inside pushad/popad: eax = base (pushed four times, one
; copy per patch), ecx = rel32 scratch.
; NOTE(review): esi is used as the jmp target after popad and is NOT
; restored, so the code after the return site is assumed not to need it.
;-----------------------------------------------------------------------
nameSpaceBase proc
    pushad
    pushf
    cmp      dword ptr ds:[bNSBool], 01h
    jne      @f                                   ; already patched -> only replay the displaced bytes
   
    mov      dword ptr ds:[dwNameSpace], eax      ; remember NAMESPACE.DLL base for the hooks
    push     eax                                  ; four copies of the base, one per patch below
    push     eax
    push     eax
    push     eax

    add      eax, 0C7D9h                          ; start of the region covering all four sites
    invoke   VirtualProtect, eax, 936h, PAGE_EXECUTE_READWRITE, addr dwRandom
   
    ; --- patch 1: base+0C7D9h -> createFileHook ---
    pop       eax
    add      eax, 0C7D9h
    push     eax
    mov      byte ptr ds:[eax], 0E9h              ; JMP rel32 opcode
    mov      ecx, offset createFileHook
    add      eax, 5
    sub      ecx, eax                             ; rel32 = target - (site + 5)
    sub      eax, 4
    mov      dword ptr ds:[eax], ecx              ; rel32 at site+1
    pop      eax
    add      eax, 5
    mov      byte ptr ds:[eax], 090h              ; NOP over the 6th displaced byte
   

    ; --- patch 2: base+0D093h -> createFileMapHook ---
    pop      eax
    add      eax, 0D093h
    push     eax
    mov      byte ptr ds:[eax], 0E9h
    mov      ecx, offset createFileMapHook
    add      eax, 5
    sub      ecx, eax                             ; rel32 = target - (site + 5)
    sub      eax, 4
    mov      dword ptr ds:[eax], ecx
    pop      eax
    add      eax, 5
    mov      byte ptr ds:[eax], 090h              ; NOP over the 6th displaced byte

    ; --- patch 3: base+0D104h -> mapViewHook ---
    pop      eax
    add      eax, 0D104h
    push     eax
    mov      byte ptr ds:[eax], 0E9h
    mov      ecx, offset mapViewHook
    add      eax, 5
    sub      ecx, eax                             ; rel32 = target - (site + 5)
    sub      eax, 4
    mov      dword ptr ds:[eax], ecx
    pop      eax
    add      eax, 5
    mov      byte ptr ds:[eax], 090h              ; NOP over the 6th displaced byte

    ; --- patch 4: base+0D10Ah -> mapViewRetHook (exactly 5 bytes, no NOP) ---
    pop      eax
    add      eax, 0D10Ah
    mov      byte ptr ds:[eax], 0E9h
    mov      ecx, offset mapViewRetHook
    add      eax, 5
    sub      ecx, eax                             ; rel32 = target - (site + 5)
    sub      eax, 4
    mov      dword ptr ds:[eax], ecx

    mov      dword ptr ds:[bNSBool], 0            ; patch only once

    @@:
    popf
    popad
    mov      ecx, dword ptr ss:[ebp-014h]         ; displaced original instruction (3 bytes)
    and      byte ptr ss:[ebp-4], 0               ; displaced original instruction (4 bytes)
    mov      esi, dword ptr ds:[dwNSHook]         ; esi clobbered from here on
    add      esi, 5h                              ; resume at the first NOP after the JMP
    jmp      esi
nameSpaceBase endp

;-----------------------------------------------------------------------
; loadLibraryHook — reached by the JMP botConsole writes over the first
; five bytes of kernel32!LoadLibraryA.  Entered by JMP, so the stack is
; LoadLibraryA's own: [esp] = return address, [esp+4] = lpFileName.
; (The lpFileName:DWORD in the header is never referenced — with
; OPTION PROLOGUE:NONE there is no ebp frame for it.)
; Until dwAquired is set, every call's file name is examined: its length
; is counted into dwCounter and its last 13 bytes are lstrcmp'd (case
; sensitive) against "NAMESPACE.DLL".  On a match the hook:
;   * makes the 5 bytes at the return address writable,
;   * records the return address in dwNSHook,
;   * writes JMP nameSpaceBase (5 bytes) + 2 NOPs over the 7 bytes there,
;   * sets dwAquired = 1 (stop examining) and bNSBool = 1 (tell
;     nameSpaceBase to plant its patches on first entry).
; Finally it re-executes the displaced LoadLibraryA prologue bytes
; (push ebp / mov ebp,esp) and resumes at LoadLibraryA+5.
; Stack-offset note: `pushf` assembles to the 16-bit form (66 9C) here, so
; pushad+pushf occupy 22h bytes and lpFileName is [esp+26h]; after the
; popf/popad and `push eax`, the return address is [esp+10h] as seen from
; inside the invoke's argument pushes.
; NOTE(review):
;  * the -0Dh backup assumes the name is at least 13 bytes; a shorter
;    lpFileName makes lstrcmp read before the start of the string.
;  * VirtualProtect covers 5 bytes but 7 are written (the two NOPs at
;    +5/+6 fall outside the range) — fine unless a page boundary sits there.
;-----------------------------------------------------------------------
loadLibraryHook proc lpFileName:DWORD
    pushad
    pushf

    cmp      dword ptr ds:[dwAquired], 01h
    je       continueLoad                         ; target already hooked: pass straight through
   
    mov      ecx, dword ptr ds:[esp+026h]         ; ecx = lpFileName (see stack-offset note)

    @@:                                           ; strlen(lpFileName) into dwCounter
    xor      eax, eax
    mov      edx, dword ptr ds:[dwCounter]
    mov      al, byte ptr ds:[ecx+edx]
    cmp      al, 00h
    je       stringEnd
    inc      dword ptr ds:[dwCounter]
    jmp      @b

    stringEnd:
    lea      eax, dword ptr ds:[ecx+edx-0Dh]      ; eax -> last 13 bytes of the name (no length check)
    invoke   lstrcmp, eax, addr szNameSpace       ; case-sensitive compare with "NAMESPACE.DLL"
    test     eax, eax
    jnz      continueLoad                         ; not NAMESPACE.DLL
    popf
    popad

    push     eax                                  ; preserve eax; [esp+4] is now the return address
    invoke   VirtualProtect, dword ptr ss:[esp+10h], 5h, PAGE_EXECUTE_READWRITE, addr dwRandom
    push     eax                                  ; keep VirtualProtect's result (discarded below)
    mov      eax, dword ptr ds:[esp+8]            ; eax = return address of this LoadLibraryA call
    mov      dword ptr ds:[dwNSHook], eax
    mov      byte ptr ds:[eax], 0E9h              ; JMP rel32 opcode
    push     ecx
    mov      ecx, offset nameSpaceBase
    add      eax, 5
    sub      ecx, eax                             ; rel32 = target - (site + 5)
    sub      eax, 4
    mov      dword ptr ds:[eax], ecx              ; rel32 at site+1
    mov      eax, dword ptr ds:[dwNSHook]
    add      eax, 5
    mov      word ptr ds:[eax], 09090h            ; two NOPs over bytes 6-7 of the displaced code
    pop      ecx
    pop      eax                                  ; VirtualProtect result, dropped
    pop      eax                                  ; original eax

    mov      dword ptr ds:[dwAquired], 01h        ; never examine names again
    mov      dword ptr ds:[bNSBool], 01h          ; nameSpaceBase should patch on its first entry
    jmp      @f

    continueLoad:
    mov      dword ptr ds:[dwCounter], 0h         ; reset the strlen index for the next call
    popf
    popad
    @@:
    push     ebp                                  ; displaced LoadLibraryA prologue bytes
    mov      ebp, esp
    push     eax
    mov      eax, dword ptr ds:[dwLoadLibrary]
    add      eax, 5                               ; resume at LoadLibraryA+5
    mov      dword ptr ds:[dwRandom], eax         ; shared scratch global — not reentrant
    pop      eax
    jmp      dword ptr ds:[dwRandom]
loadLibraryHook endp

OPTION PROLOGUE:PrologueDef
OPTION EPILOGUE:EpilogueDef

;-----------------------------------------------------------------------
; botConsole — body of the console thread (called from consoleCreate).
; 1. Prints the banner to hConsole.
; 2. Resolves CreateFileA, CreateFileMappingA, MapViewOfFile and
;    LoadLibraryA from kernel32 into the dw* globals.
; 3. Makes LoadLibraryA's first 5 bytes RWX and overwrites them with
;    JMP loadLibraryHook.  The other three APIs are not patched here;
;    their hooks are planted inside NAMESPACE.DLL by nameSpaceBase.
; 4. Installs consoleProc as the Ctrl handler; on failure prints szError1
;    (which lacks a NUL terminator — see .data), waits 10 s and returns.
; 5. Otherwise waits 20 s, prints the 16 szTable lines once, then sleeps
;    10 s forever.  bExit is never consulted and the final `ret` is
;    unreachable.
; NOTE(review): ebx (callee-saved under stdcall) receives the kernel32
; handle and is never restored; harmless here only because the single
; return path is followed by ExitThread in consoleCreate.
;-----------------------------------------------------------------------
botConsole proc
    invoke   SetConsoleTitle, addr szTitle
    invoke   SetConsoleTextAttribute, dword ptr ds:[hConsole], FOREGROUND_RED or  FOREGROUND_GREEN or FOREGROUND_BLUE or FOREGROUND_INTENSITY
    invoke   consoleOut, addr szIntro1
    invoke   SetConsoleTextAttribute, dword ptr ds:[hConsole], FOREGROUND_INTENSITY
    invoke   consoleOut, addr szIntro2

    invoke   GetModuleHandle, addr szKernel32
    mov      ebx, eax                             ; ebx = kernel32 base (callee-saved, not restored)
    invoke   GetProcAddress, ebx, addr szCreateFile
    mov      dword ptr ds:[dwCreateFile], eax
    invoke   GetProcAddress, ebx, addr szCreateMap
    mov      dword ptr ds:[dwCreateMap], eax
    invoke   GetProcAddress, ebx, addr szMapView
    mov      dword ptr ds:[dwMapView], eax
    invoke   GetProcAddress, ebx, addr szLoadLibrary
    mov      dword ptr ds:[dwLoadLibrary], eax

    ; old protection lands in dwRandom, which the hooks reuse as scratch
    invoke   VirtualProtect, dword ptr ds:[dwLoadLibrary], 05h, PAGE_EXECUTE_READWRITE, addr dwRandom

    mov      eax, dword ptr ds:[dwLoadLibrary]

    mov      byte ptr ds:[eax], 0E9h              ; JMP rel32 opcode
    mov      ecx, offset loadLibraryHook
    add      eax, 5
    sub      ecx, eax                             ; rel32 = target - (site + 5)
    sub      eax, 4
    mov      dword ptr ds:[eax], ecx              ; rel32 at site+1
   
    invoke   SetConsoleCtrlHandler, addr consoleProc, TRUE
    test     eax, eax
    jne      @f

    invoke   consoleOut, addr szError1            ; unterminated string — lstrlen overruns
    invoke   Sleep, 02710h                        ; 10000 ms
    ret
   
    @@:
    invoke   Sleep, 04E20h                        ; 20000 ms before dumping the table
    xor      edx, edx                             ; edx = byte offset into szTable
    @@:
    push     edx                                  ; invoke clobbers edx
    mov      eax, dword ptr ds:[szTable+edx]
    invoke   consoleOut, eax
    pop      edx
    add      edx, 4h
    cmp      edx, 040h                            ; 16 entries * 4 bytes
    jne      @b
    @@:
    invoke   Sleep, 02710h                        ; 10000 ms, forever; bExit is never checked
    jmp      @b
     
    @@:                                           ; unreachable
    ret
botConsole endp

;-----------------------------------------------------------------------
; BOOL WINAPI consoleProc(DWORD fdwCtrlType) — console Ctrl handler
; registered by botConsole.  Sets bExit on CTRL_CLOSE_EVENT; nothing in
; this listing reads bExit.
; NOTE(review): no instruction here writes eax, so the BOOL returned to
; the console subsystem is whatever eax held on entry, not an explicit
; TRUE/FALSE.
;-----------------------------------------------------------------------
consoleProc proc fdwCtrlType:DWORD
    cmp      dword ptr ds:[fdwCtrlType], CTRL_CLOSE_EVENT
    jne      @f
    mov      dword ptr ds:[bExit], 01h            ; flag set, never consumed
   
    @@:
    ret
consoleProc endp

;-----------------------------------------------------------------------
; consoleOut(lpBuffer) — writes the NUL-terminated string at lpBuffer to
; hConsole (length from lstrlen, so the buffer must be terminated).
; NOTE(review): `dword ptr ds:[dwRandom2]` passes the VALUE of dwRandom2
; (always 0) as lpNumberOfCharsWritten, i.e. effectively NULL, not its
; address.
;-----------------------------------------------------------------------
consoleOut proc lpBuffer:DWORD
    invoke   lstrlen, lpBuffer                    ; eax = character count
    invoke   WriteConsole, dword ptr ds:[hConsole], dword ptr ds:[lpBuffer], eax, dword ptr ds:[dwRandom2], NULL
    ret
consoleOut endp

;-----------------------------------------------------------------------
; consoleCreate — thread procedure started by DllMain.  Allocates a console
; for the host process, stores its stdout handle in hConsole, runs
; botConsole and ends the thread with ExitThread.
; Declared without the DWORD parameter CreateThread passes; that is only
; safe because control never returns through `ret`.
;-----------------------------------------------------------------------
consoleCreate proc
    invoke   AllocConsole
    invoke   GetStdHandle, STD_OUTPUT_HANDLE
    mov      dword ptr ds:[hConsole], eax
    call     botConsole                           ; returns only on the Ctrl-handler failure path
    invoke   ExitThread, 0
consoleCreate endp

;-----------------------------------------------------------------------
; BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
; On DLL_PROCESS_ATTACH starts consoleCreate on a new thread (the thread
; HANDLE in eax is discarded, never closed).  Always returns TRUE.
; The hand-written epilogue (pop ebp / retn 0Ch) undoes the PrologueDef
; frame and pops the three stdcall arguments.
;-----------------------------------------------------------------------
DllMain proc hinstDLL:HINSTANCE, fdwReason:DWORD, lpvReserved:LPVOID
    cmp     dword ptr ds:[fdwReason], DLL_PROCESS_ATTACH
    jne     @f
        invoke  CreateThread, NULL, NULL, addr consoleCreate, NULL, NULL, NULL   ; handle leaked
@@:
    mov     eax, 1                                ; TRUE
    pop     ebp
    retn    0Ch
DllMain endp
end DllMain


Something stupid, maybe you can actually make use of it. Map.wz is never mapped, yet maps still are loaded. (Themida uses up too much memory and the API returns an error.) So obviously, you need to dig a little deeper. I'm not sure what would happen if you changed the mapped memory. Never got the chance.


























Quote:



After looking over Pedra's mob struct information, etc I managed to find the one that controls platforms.

Using this, it's possible to make your own "Active" or "Live" pvac that doesn't require .wz edits or a CRC bypass (by directly modifying the structure).

The platform structure works as a linked list just like the mob structure, as follows:

GMS 0.62:

0x978138[0x88] = firstplatform+0x10 (just like mob structure).

Code:
platformlist:
0 = seh or template address
4 = nextplatformlist (is a ptr)
8 = previousplatformlist (is a ptr)
...
10 = ep of the base ptr (if is first platform in list)
14 = platformdata
18 = sizeof(struct)

platformdata:
0 = seh or template address
...
c = left boundary of platform
10 = top boundary of platform
14 = right boundary of platform
18 = bottom boundary of platform
...
30 = an unknown "double byte value"
38 = an unknown "double byte value"
40 = an unknown "double byte value"
48 = the .wz platformID of the platform
4c = nextplatformdata (follows .wz definitions, is a ptr)
50 = previousplatformdata (follows .wz definitions, is a ptr)
...
80 = sizeof(struct)


I've made simple structs for access to this information in c++:

Code:
// Per-platform record ("platformdata" in the offset table above).  Field
// offsets below assume a 32-bit build (4-byte pointers), which the table's
// 0x4c/0x50 next/previous offsets also imply.
struct platdata {
unsigned template1;   // 0x00 "seh or template address"
unsigned unknown2;    // 0x04
unsigned unknown3;    // 0x08
unsigned left;        // 0x0c left boundary
unsigned top;         // 0x10 top boundary
unsigned right;       // 0x14 right boundary
unsigned bottom;      // 0x18 bottom boundary
unsigned unknown8;    // 0x1c
unsigned unknown9;    // 0x20
unsigned unknown10;   // 0x24
unsigned unknown11;   // 0x28
unsigned unknown12;   // 0x2c
double unknown13;     // 0x30 unknown 8-byte value
double unknown14;     // 0x38 unknown 8-byte value
double unknown15;     // 0x40 unknown 8-byte value
unsigned platformid;  // 0x48 .wz platform id
platdata* next;       // 0x4c next platformdata (.wz order)
platdata* previous;   // 0x50 previous platformdata (.wz order)
unsigned unknown19;   // 0x54
unsigned unknown20;   // 0x58
unsigned unknown21;   // 0x5c
unsigned unknown22;   // 0x60
unsigned unknown23;   // 0x64
unsigned unknown24;   // 0x68
unsigned unknown25;   // 0x6c
unsigned unknown26;   // 0x70
unsigned unknown27;   // 0x74
unsigned unknown28;   // 0x78
unsigned unknown29;   // 0x7c
unsigned size;        // 0x80 "sizeof(struct)" per the table
};

// Doubly linked list node ("platformlist" in the offset table above); the
// head is found via 0x978138[0x88] - 0x10 (see getPlatList).
struct platlist {
unsigned template1;   // 0x00 "seh or template address"
platlist* next;       // 0x04
platlist* previous;   // 0x08
unsigned template2;   // 0x0c
unsigned unknown;     // 0x10 "ep of the base ptr" for the first node
platdata* data;       // 0x14 the platform record
unsigned size;        // 0x18 "sizeof(struct)" per the table
};


And functions for accessing/reading the structs:

Code:
// GMS v0.62 static address of the platform-list holder and the offset of
// the "first platform + 0x10" pointer inside it (the "0x978138[0x88]" line
// above).  Build-specific; other client versions need different values.
unsigned platlistaddr = 0x978138;
unsigned platlistoffset = 0x88;

// Reads *( *(unsigned long*)addr + offset ) in the current process,
// probing each dereference with IsBadReadPtr first.
// Returns the value read, or (unsigned long)-1 (0xFFFFFFFF) if a probe
// fails.
// NOTE(review): the only caller below (getPlatList) tests the result
// against 0, not -1, so the failure sentinel is treated as a valid
// pointer.  IsBadReadPtr is a best-effort probe that Microsoft documents
// as obsolete; it can race with concurrent unmapping.
unsigned long readPointer( unsigned long addr, unsigned long offset)
{
if ( IsBadReadPtr( (void*) addr, 4 ) != 0 ) {
return -1;
}
unsigned long *ptr = (unsigned long*) addr;
unsigned long base = ptr[0];
if ( IsBadReadPtr( (void*) (base+offset), 4 ) != 0 ) {
return -1;
}
ptr = (unsigned long*) (base+offset);
return ptr[0];
}

// Returns the head platlist node: the pointer at platlistaddr[platlistoffset]
// points 0x10 into the first node, so 0x10 is subtracted.
// Returns NULL when the pointer read is 0.
// NOTE(review): readPointer signals failure with 0xFFFFFFFF, which is not
// caught here and becomes the bogus node address 0xFFFFFFEF.
platlist* getPlatList() {
unsigned platlistreal = readPointer(platlistaddr,platlistoffset);
if(platlistreal==0)
return NULL;
platlistreal-=0x10;    // stored pointer is firstplatform + 0x10
return (platlist*)platlistreal;
}

// Returns obj->platformid, or (unsigned)-1 (0xFFFFFFFF) when obj is NULL.
// Callers that store the result in an int compare it with -1.
unsigned getPlatNumberFromPlatData(platdata* obj) {
if(obj==NULL)
return -1;

return obj->platformid;
}

// Linear search of the platform list for the node whose data->platformid
// equals id; returns that node's data, or NULL if none matches.
// A node with data == NULL yields 0xFFFFFFFF from
// getPlatNumberFromPlatData and so only matches id == UINT_MAX.
// No cycle protection: relies on the list terminating in a NULL next.
platdata* getPlatDataByPlatId(unsigned id) {
platlist* thisplat = getPlatList();
while(thisplat!=NULL) {
if(getPlatNumberFromPlatData(thisplat->data) == id)
return thisplat->data;
thisplat = thisplat->next;
}
return NULL;
}



Why am I spoonfeeding again you ask? I want you idiots to get to work and find more shit than .wz edits to make your vacs.

EDIT:

Couple more functions for you guys to play about with:

Code:
// Allocates a new platlist node and a new platdata record with the C++
// heap, copies `original` and `original->data` into them byte for byte,
// and points the new node's data at the new record.  The copied
// next/previous links still refer to the original neighbours; the caller
// (duplicatePlatforms) relinks them.
// NOTE(review): `original` and `original->data` are dereferenced without
// a NULL check; `new` throws on failure rather than returning NULL, so
// callers' `if(!newplat)` checks never fire.  Nothing in the shown code
// ever deletes these allocations.
platlist* addPlatform(platlist* original) {
platlist* newplat = new platlist;
memcpy(newplat,original,sizeof(platlist));
platdata* newdata = new platdata;
memcpy(newdata,original->data,sizeof(platdata));
newplat->data = newdata;
return newplat;
}

// Alias for getPlatList(): the head node (or NULL).
platlist* getFirstPlatform() {
return getPlatList();
}

// Walks next links from the head and returns the node whose next is NULL;
// returns NULL when the list itself is empty.
platlist* getLastPlatform() {
platlist* thisplat = getPlatList();
while(thisplat!=NULL) {
if(thisplat->next==NULL)
break;
thisplat = thisplat->next;
}
return thisplat; //FIXED NAO
}


EDIT: summore new functions...
Code:

// Like getPlatDataByPlatId, but returns the list node instead of its data.
// NOTE(review): reads thisplat->data->platformid directly, so a node with
// data == NULL crashes here while getPlatDataByPlatId tolerates it.
platlist* getPlatListByPlatId(unsigned id) {
platlist* thisplat = getPlatList();
while(thisplat!=NULL) {
if(thisplat->data->platformid == id)
return thisplat;
thisplat = thisplat->next;
}
return NULL;
}

// Appends a copy of every existing platform to the end of the list, giving
// the copies ids originaltotalplats+1 .. 2*originaltotalplats, then
// rewrites each platdata's next/previous to the record whose id is
// (originaltotalplats + id of the current target) — for the copies AND
// for the original platforms.
// Assumes the last node's platformid equals the number of platforms and
// that ids are 1-based and contiguous; neither is checked.
// NOTE(review):
//  * the copy loop advances thisplat without a NULL check, so if the list
//    has fewer nodes than lastplat->data->platformid, addPlatform(NULL)
//    dereferences NULL.
//  * `if(!newplat)` can never be true: `new` throws instead of returning
//    NULL.
//  * getPlatDataByPlatId returns NULL for an id that does not exist, so a
//    missing target silently sets data->next / data->previous to NULL.
void duplicatePlatforms() {
platlist* lastplat = getLastPlatform();
if(!lastplat)
return;
platlist* thisplat=getFirstPlatform();
int totalplats = lastplat->data->platformid;   // treated as the platform count
int originaltotalplats = totalplats;
platlist* firstdupedplatform = NULL;
int curpos = 1;
while(curpos <= originaltotalplats) {
platlist* newplat = addPlatform(thisplat);     // thisplat may be NULL here (see note)
if(!newplat)
break;
if(!firstdupedplatform)
firstdupedplatform = newplat;

totalplats++;
newplat->data->platformid = totalplats;        // copy gets the next free id
newplat->previous = lastplat;                  // append at the tail
newplat->next = 0;
lastplat->next = newplat;
lastplat = newplat;
thisplat = thisplat->next;
curpos++;
}

//redirecting new platforms
thisplat = firstdupedplatform;
while(thisplat!=NULL) {
int next = getPlatNumberFromPlatData(thisplat->data->next);   // -1 when data->next is NULL
int nextget = originaltotalplats+next;
if(next!=-1)
thisplat->data->next = getPlatDataByPlatId(nextget);

int previous = getPlatNumberFromPlatData(thisplat->data->previous);
int previousget = originaltotalplats+previous;
if(previous!=-1)
thisplat->data->previous = getPlatDataByPlatId(previousget);

thisplat = thisplat->next;
}

//redirecting old platforms
thisplat = getFirstPlatform();
while(thisplat!=firstdupedplatform) {          // runs to the tail if no copies were made
int next = getPlatNumberFromPlatData(thisplat->data->next);
int nextget = originaltotalplats+next;
if(next!=-1)
thisplat->data->next = getPlatDataByPlatId(nextget);

int previous = getPlatNumberFromPlatData(thisplat->data->previous);
int previousget = originaltotalplats+previous;
if(previous!=-1)
thisplat->data->previous = getPlatDataByPlatId(previousget);

thisplat = thisplat->next;
}
}


Ignore the sloppiness of that... I wrote it in like 10 minutes.




korby
Master Cheater
Reputation: 0

Joined: 07 Sep 2007
Posts: 401

PostPosted: Wed Apr 15, 2009 4:53 pm    Post subject: Reply with quote

bitches don't know about my keylog
_________________
Batman wrote:


Experience as a GM: been a GM on a GM private server.

Deleted193960
Master Cheater
Reputation: -1

Joined: 03 Jan 2009
Posts: 348

PostPosted: Wed Apr 15, 2009 4:54 pm    Post subject: Reply with quote

ger
SGL
Grandmaster Cheater
Reputation: 14

Joined: 04 May 2007
Posts: 758

PostPosted: Wed Apr 15, 2009 4:54 pm    Post subject: Reply with quote

Are you Arcane or another fag trying to steal him name?
_________________
I'm SirGodlike
Noz3001
I'm a spammer
Reputation: 26

Joined: 29 May 2006
Posts: 6220
Location: /dev/null

PostPosted: Wed Apr 15, 2009 4:55 pm    Post subject: Reply with quote

Woah, outdated public shit which no one cares about Laughing


GOOD JOB
Loganator
Master Cheater
Reputation: 4

Joined: 29 Oct 2008
Posts: 472

PostPosted: Wed Apr 15, 2009 4:59 pm    Post subject: Reply with quote

SirGodlike wrote:
Are you Arcane or another fag trying to steal him name?

Diamonds/Miley Cyrus
407
Master Cheater
Reputation: 0

Joined: 25 Oct 2007
Posts: 357

PostPosted: Wed Apr 15, 2009 5:00 pm    Post subject: Reply with quote

Loganator wrote:
SirGodlike wrote:
Are you Arcane or another fag trying to steal him name?

Diamonds/Miley Cyrus
We share accs
W8Baby
Master Cheater
Reputation: -1

Joined: 18 Oct 2008
Posts: 497
Location: Your Face

PostPosted: Sat Jan 30, 2010 2:38 pm    Post subject: Reply with quote

Thanks this is useful