Cheat Engine forum (forum.cheatengine.org)

Symbol (posted Thu Mar 06, 2008 2:17 pm), subject: [Release] MapleStory MP & HP Instant Regain hacks DLL source
http://forum.cheatengine.org/viewtopic.php?p=2142889
Edit: improved the source a bit:
| Code: | #include <Windows.h>
#include <fstream>
using namespace std;

BOOL bWantQuit = FALSE;
DWORD HPAddress, MPAddress;
HMODULE thisModule;

BYTE MPAoB[7] = { 0x81, 0xFB, 0x10, 0x27, 0x00, 0x00, 0x7C }; // cmp ebx,00002710 and 0x7C = jnge short
BYTE HPAoB[7] = { 0x81, 0xFF, 0x10, 0x27, 0x00, 0x00, 0x7C }; // cmp edi,00002710 and 0x7C = jnge short

unsigned int FindMPAddress()
{
    int Index = 0;
    for (int i = 0x400000; i < 0x780000; i++) // Starting from 0x450000 for some reason...
    {
        if (*(BYTE*)i == MPAoB[Index])
            Index++;
        else Index = 0;
        if (Index == 7)
            return i - 6; // All 7 bytes matched and "i" sits on the last one, so i-6 is the first byte; the "0x27" byte is 3 past that.
    }
    return 0;
}

unsigned int FindHPAddress()
{
    int Index = 0;
    for (int i = 0x400000; i < 0x780000; i++)
    {
        if (*(BYTE*)i == HPAoB[Index])
            Index++;
        else Index = 0;
        if (Index == 7)
            return i - 6;
    }
    return 0;
}

DWORD WINAPI Thread(LPVOID)
{
    if (!bWantQuit)
    {
        Sleep(2000); // Let it load MapleStory...
        ofstream OFile;
        OFile.open("Log.txt");
        OFile << "Trying to get MP and HP regain addresses..." << endl;
        // Check the scan results for 0 BEFORE adding the +3 offset; otherwise a failed scan reads as address 3 and the loop below writes to it.
        DWORD hp = FindHPAddress(), mp = FindMPAddress();
        if (hp == 0 || mp == 0)
        {
            bWantQuit = TRUE;
            OFile << "Failed getting MP and HP regain addresses!";
        }
        else
        {
            HPAddress = hp + 3; // +3 = the "0x27" byte of the immediate
            MPAddress = mp + 3;
            OFile << "HP Address: " << HPAddress << endl << "MP Address: " << MPAddress;
        }
        OFile.close();
        while (!bWantQuit)
        {
            if (GetAsyncKeyState(VK_F8))
            {
                *(BYTE*)HPAddress ^= 0x27;
                *(BYTE*)MPAddress ^= 0x27;
                Sleep(300);
            }
            if (GetAsyncKeyState(VK_F12))
                bWantQuit = TRUE;
        }
    }
    MessageBox(NULL, L"Log.txt was created at MapleStory folder.\nNow exiting...", NULL, MB_OK);
    FreeLibraryAndExitThread(thisModule, 0);
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        DisableThreadLibraryCalls(hModule);
        thisModule = hModule;
        CreateThread(0, 0, Thread, (LPVOID)hModule, 0, 0);
    }
    return TRUE;
} |
Last edited by Symbol on Fri Mar 07, 2008 9:52 am; edited 1 time in total

BlackD (posted Thu Mar 06, 2008 2:40 pm):
Hello, thank you for your source. I've been looking for a general format. One question though: in your other thread you said that changing the value from 10 to 9 could make it work, but I don't see a 10 or an 'A' (the hex value of 10). So my question is, where is the 10 you were talking about? Also, is there a way I can add a GUI to this, kinda like ecstatic trainer? (Sorry for the noob questions.)
Thanks for any help.
BlackD
Last edited by BlackD on Thu Mar 06, 2008 2:45 pm; edited 2 times in total

Jonny999 (posted Thu Mar 06, 2008 2:43 pm):
Nice, and good to see some of the script commented also =]

Codeslinger (posted Thu Mar 06, 2008 2:47 pm):
Thank you!!
Finally someone has posted source to a simple injectable DLL. I tried this before and had simple questions that no one could answer.
I wasn't sure if I use DllMain as the main function or what (MapleStory could have simply loaded the DLL and called a specific procedure other than DllMain).
That is a very good way of writing memory, it seems. I thought you would have to use an API call, but it looks like you're simply finding an address and then writing a value to it by using pointers...

Fisk (posted Thu Mar 06, 2008 2:47 pm):
It would've been cool if I understood any of that =P
Great job though, nice to see that you're working on your trainer

Symbol (posted Thu Mar 06, 2008 3:15 pm):
BlackD wrote:
    Hello, thank you for your source. I've been looking for a general format. One question though: in your other thread you said that changing the value from 10 to 9 could make it work, but I don't see a 10 or an 'A' (the hex value of 10). So my question is, where is the 10 you were talking about? Also, is there a way I can add a GUI to this, kinda like ecstatic trainer? (Sorry for the noob questions.)
    Thanks for any help.
    BlackD
I meant 10 seconds: every 10 seconds you gain MP, so if you change it to 9 seconds, it might work without dc'ing.
If you check the array of bytes, you'll see that the MP address bytes are:
0x81, 0xFB, 0x10, 0x27, 0x00, 0x00 (the extra 0x7C is the jnge from the address below), and if you convert that to assembly it's
cmp ebx,00002710
Notice that 2710 is in hex, and 0x2710 is actually 10,000. (10,000 ms = 10 seconds, the time to regain MP.)
If you change it to cmp ebx,2328 (0x2328 = 9000) you might not dc (or at least, not right away).
Notice that the bytes are in reverse order (it's called little endian), so if you change the value that my DLL changes, of course you'll have to use WORD instead of BYTE and make it write 2 bytes (0x28 0x23, instead of 0x00 on 0x27 and leaving 0x10 so it regains MP every 10 ms); then it would work.
Good luck.
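Byte-pattern (signature) scanning of the kind used above is the same search that detection tools use to locate known code sequences, and it is easy to get subtly wrong: the scanners in this thread reset their index on a mismatch but never rewind, so a pattern whose first byte also appears just before the real match is missed entirely. The following is an added example, not code from the thread, that runs a correct search and the thread's naive one over a constructed buffer and then decodes the `cmp` immediate the way Symbol describes, so the little-endian point can be checked in code (the sample buffer and the function names are my own):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The thread's MP array of bytes: "cmp ebx, 0x2710" (81 FB imm32) followed by
 * the opcode byte of the jnge short that comes after it. */
static const uint8_t MP_AOB[7] = { 0x81, 0xFB, 0x10, 0x27, 0x00, 0x00, 0x7C };

/* Correct search: compare the whole pattern at every offset, so a partial match
 * that fails cannot swallow the bytes that begin the real match.
 * Returns the offset of the first match, or -1 if there is none. */
long find_pattern(const uint8_t *buf, size_t len, const uint8_t *pat, size_t plen)
{
    if (plen == 0 || len < plen) return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* The thread's scanner, for comparison: on a mismatch it resets the pattern
 * index to 0 but does not rewind the scan position. */
long find_pattern_naive(const uint8_t *buf, size_t len, const uint8_t *pat, size_t plen)
{
    size_t k = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == pat[k]) {
            if (++k == plen) return (long)(i - (plen - 1));
        } else k = 0;
    }
    return -1;
}

/* Read the imm32 of an "81 /7 imm32" cmp located at off. x86 stores immediates
 * little-endian, so the bytes 10 27 00 00 are the value 0x2710 = 10000. */
uint32_t cmp_imm32(const uint8_t *buf, size_t off)
{
    return (uint32_t)buf[off + 2] | ((uint32_t)buf[off + 3] << 8) |
           ((uint32_t)buf[off + 4] << 16) | ((uint32_t)buf[off + 5] << 24);
}

/* Constructed sample "code": a stray 0x81 sits right before the real instruction,
 * which is exactly the case the naive scanner loses. */
static const uint8_t SAMPLE[] = { 0x90, 0x81, 0x81, 0xFB, 0x10, 0x27, 0x00, 0x00, 0x7C, 0x05, 0xC3 };

long sample_offset_correct(void) { return find_pattern(SAMPLE, sizeof SAMPLE, MP_AOB, sizeof MP_AOB); }
long sample_offset_naive(void)   { return find_pattern_naive(SAMPLE, sizeof SAMPLE, MP_AOB, sizeof MP_AOB); }
uint32_t sample_imm(void)        { return cmp_imm32(SAMPLE, (size_t)sample_offset_correct()); }
```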

hcavolsdsadgadsg (posted Thu Mar 06, 2008 3:21 pm):
Kenny420 wrote:
    Thank you!!
    Finally someone has posted source to a simple injectable DLL. I tried this before and had simple questions that no one could answer.
    I wasn't sure if I use DllMain as the main function or what (MapleStory could have simply loaded the DLL and called a specific procedure other than DllMain).
    That is a very good way of writing memory, it seems. I thought you would have to use an API call, but it looks like you're simply finding an address and then writing a value to it by using pointers...
You're in the memory space when you're injected, so you don't need to use the API

Flyte (posted Thu Mar 06, 2008 3:40 pm):
Your code is ugly and redundant, here is an improved version (not saying it is perfect). Might be an error or two, coded quickly.
| Code: | #include <windows.h>
#include <tchar.h>
#include <stdlib.h> // EXIT_SUCCESS / EXIT_FAILURE

unsigned char hp_aob[] = { 0x81, 0xFF, 0x10, 0x27, 0x00, 0x00, 0x7C };
unsigned char mp_aob[] = { 0x81, 0xFB, 0x10, 0x27, 0x00, 0x00, 0x7C };

void __declspec(noinline) __declspec(noreturn) ErrorAndExit(LPCTSTR error, HMODULE hMod)
{
    MessageBox(0, error, _T("Error!"), 0);
    FreeLibraryAndExitThread(hMod, EXIT_FAILURE);
}

unsigned long __declspec(noinline) ArrayToPtr(unsigned char * aob)
{
    int k = 0, i;
    __try {
        for (i = 0x400000; i < 0x780000; i++) {
            if (*((unsigned char*)i) == aob[k]) {
                k++;
                if (k == 7) return (unsigned long)(i - 6);
            } else k = 0;
        }
    } __except(EXCEPTION_EXECUTE_HANDLER) {
        return 0; // touched an unreadable page: report "not found" instead of taking the host down
    }
    return 0;
}

void __declspec(noreturn) Thread(LPVOID hMod)
{
    // Test the scan results for 0 before adding the +3 offset, otherwise a failed scan looks like address 3.
    unsigned long hp_base = ArrayToPtr(hp_aob), mp_base = ArrayToPtr(mp_aob);
    if (hp_base == 0 || mp_base == 0) ErrorAndExit(_T("HP/MP addresses invalid!"), (HMODULE)hMod);
    unsigned char * hp = (unsigned char *)hp_base + 3;
    unsigned char * mp = (unsigned char *)mp_base + 3;
    __try {
        for (;; Sleep(10)) {
            // Bit 0 of GetAsyncKeyState means "pressed since the last call", so a held key toggles once, not every 10 ms.
            if (GetAsyncKeyState(VK_F8) & 1) {
                *hp ^= 0x27;
                *mp ^= 0x27;
            }
            if (GetAsyncKeyState(VK_F12)) break;
        }
    } __except(EXCEPTION_EXECUTE_HANDLER) {
        ErrorAndExit(_T("OH SHI-, BLACK HOLE!"), (HMODULE)hMod);
    }
    FreeLibraryAndExitThread((HMODULE)hMod, EXIT_SUCCESS);
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD call, LPVOID lpReserved)
{
    if (call == DLL_PROCESS_ATTACH) {
        DisableThreadLibraryCalls(hModule);
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&Thread, (LPVOID)hModule, 0, 0);
    }
    return TRUE;
} |
Edit: Small fix.
Last edited by Flyte on Thu Mar 06, 2008 5:26 pm; edited 1 time in total

Symbol (posted Thu Mar 06, 2008 3:50 pm):
Flyte wrote:
    Your code is ugly and redundant, here is an improved version (not saying it is perfect). Might be an error or two, coded quickly.
Well, yeah, it's better. I'm not coding much in C++ so I'm not that good, but I really liked the xor bytes idea. Very clever.

BlackD (posted Thu Mar 06, 2008 4:37 pm):
Did I do this right?
| Code: | #include <Windows.h>
#include <fstream>
using namespace std;

DWORD FindMPAddress()
{
    BYTE AoB[7] = { 0x81, 0xFB, 0x10, 0x27, 0x00, 0x00, 0x7C }; // cmp ebx,00002710 and 0x7C = jnge short
    int Index = 0;
    for (int i = 0x450000; i < 0x800000; i++) // Starting from 0x450000 for some reason...
    {
        if (*(BYTE*)i == AoB[Index])
            Index++;
        else Index = 0;
        if (Index == 7)
            return i - 3; // All 7 bytes matched and "i" is on the last one; the "0x27" byte (4th) is 3 back from it.
    }
    return 0;
}

DWORD FindHPAddress()
{
    BYTE AoB[7] = { 0x81, 0xFF, 0x10, 0x27, 0x00, 0x00, 0x7C };
    int Index = 0;
    for (int i = 0x450000; i < 0x800000; i++)
    {
        if (*(BYTE*)i == AoB[Index])
            Index++;
        else Index = 0;
        if (Index == 7)
            return i - 3;
    }
    return 0;
}

BOOL InstantRegainON = FALSE, bWantQuit = FALSE;
DWORD HPAddress, MPAddress;
HMODULE thisModule;

void Thread()
{
    if (!bWantQuit)
    {
        Sleep(5000); // Let it load MapleStory...
        ofstream OFile;
        OFile.open("Log.txt");
        OFile << "Trying to get MP and HP regain addresses..." << endl;
        HPAddress = FindHPAddress();
        MPAddress = FindMPAddress();
        if (HPAddress == 0 || MPAddress == 0)
        {
            bWantQuit = TRUE;
            OFile << "Failed getting MP and HP regain addresses!";
        }
        else
            OFile << "HP Address: " << HPAddress << endl << "MP Address: " << MPAddress;
        OFile.close();
        WORD OnOff[2] = { 0x00, 0x28, 0x23 }; //<-------
        while (!bWantQuit)
        {
            if (GetAsyncKeyState(VK_F8))
            {
                InstantRegainON = !InstantRegainON;
                *(BYTE*)HPAddress = OnOff[InstantRegainON];
                *(BYTE*)MPAddress = OnOff[InstantRegainON];
                Sleep(300);
            }
            if (GetAsyncKeyState(VK_F12))
                bWantQuit = TRUE;
        }
    }
    MessageBox(NULL, L"Log.txt was created at MapleStory folder.\nNow exiting...", NULL, MB_OK);
    FreeLibraryAndExitThread(thisModule, 0);
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        DisableThreadLibraryCalls(hModule);
        thisModule = hModule;
        DWORD tID;
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&Thread, 0, 0, &tID);
        MessageBox(NULL, L"Welcome to Symbol's instant MP and HP regain!\nPress F8 to activate or F12 to exit.\nHave fun! :)", L"Symbol's instant MP & HP regain!", MB_ICONINFORMATION | MB_OK);
    }
    return TRUE;
} |
Thanks BlackD
Last edited by BlackD on Thu Mar 06, 2008 5:12 pm; edited 1 time in total

mOnSoOn (posted Thu Mar 06, 2008 5:07 pm):
Lol?
I thought your address updating method was different; this method is really bad... You really need to think about which errors this scanning can cause (not compiling errors...).
Anyway, why don't you make a function that updates addresses? Why do you have to write it again and again?
Anyway, the address updating method will fail in the next version or two.

Flyte (posted Thu Mar 06, 2008 5:13 pm):
mOnSoOn wrote:
    Lol?
    I thought your address updating method was different; this method is really bad... You really need to think about which errors this scanning can cause (not compiling errors...).
    Anyway, why don't you make a function that updates addresses? Why do you have to write it again and again?
    Anyway, the address updating method will fail in the next version or two.
See the version I posted above.

BlackD (posted Thu Mar 06, 2008 5:19 pm):
Hey Flyte, to do it your way would I do it like this...
To change the pointer from 10s to 9s, would I do
*hp ^= 0x28, 0x23; ?
Thanks, BlackD

Flyte (posted Thu Mar 06, 2008 5:25 pm):
BlackD wrote:
    Hey Flyte, to do it your way would I do it like this...
    To change the pointer from 10s to 9s, would I do
    *hp ^= 0x28, 0x23; ?
    Thanks, BlackD
Should be the same value, but since I don't play MapleStory I can't be sure.
Oh, and in the code above, you have to add 3 to each pointer after ArrayToPtr returns. I'll fix that now; I didn't notice the comment in the code.