KamiOh

How to Update Script with Instructions?

Question

Hi.
I want to update scripts myself, help me.
I found some scripts with comments that I do not understand.

[jne below]
next jne
next jl
jg below H1
(3rd je below)
address of JE below
 


/*
  Perfect Stance
  GMS v179.2
  Created by AIRRIDE
*/

[enable]
01CD032F:
xor esi,esi
nop
nop

01CD033A: //address of JE below
db EB

[disable]
01CD032F: //85 F6 75 ? 39 ? 24 ? ? ? ? 74
db 85 F6 75 09

01CD033A:
db 74

 


//Slide & Attack
//v179.2
[Enable]
01E10D52: //83 ? ? 85 ? 74 ? 8B ? ? ? E8 ? ? ? ? 50 E8 ? ? ? ? 83 ? ? 3D ? ? ? ? 0F 84 (3rd je below)
db 75

[Disable]
01E10D52:
db 74

 

19 answers to this question

22 minutes ago, Blanc said:

How about the [FUNCTION START]? I really don't know what to do with this.


//v179.4
//No Falling Pierre Hats, Gollux Roots, etc
define(NDS,00C835E0)//7F ? 8B 44 24 ? C7 44 24 ? FF FF FF FF 3B [1ST RESULT] [FUNCTION START]
//6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 83 EC
[enable]
NDS: // No Dropping Stones (Vellum)
ret 0004

[disable]
NDS:
db 6A FF 68

 

@Blanc after using the AOB it points to an address 00C8366B.

Function start means the address is the start of that function.

To get to the top you can simply right click 00C8366B and click "Select Current Function" until it brings you all the way to the top.

You know you've reached the top when you start seeing "int 3" opcodes.


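The "[FUNCTION START]" step above, done programmatically, as an added example (not code from the thread or from the script's author): walk back from the AOB hit to the int 3 (CC) padding that the linker leaves between functions, then confirm the candidate start carries the MSVC SEH prologue quoted in the NDS script's second comment (6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 83 EC). The memory dump is constructed, not real client memory; the only values taken from the thread are the two AOBs and the addresses 00C835E0 and 00C8366B. The image base and the junk/filler bytes are my choice.

```python
# Added example (not from the thread): "Select Current Function until you see int 3",
# as a backwards walk over a constructed dump, followed by a prologue sanity check.

INT3 = 0xCC
IMAGE_BASE = 0x00C835D0   # chosen so the constructed bytes land on the thread's addresses

NDS_AOB = "7F ? 8B 44 24 ? C7 44 24 ? FF FF FF FF 3B"                    # hits inside the function
FUNCTION_PROLOGUE_AOB = "6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 83 EC"  # push -1 / push handler / mov eax,fs:[0] / push eax / sub esp,..

DUMP = bytes.fromhex(
    "5E5BC3"                        # tail of the previous function: pop esi / pop ebx / ret
    + "CC" * 13                     # int 3 padding between functions
    + "6AFF68" "10203000"           # push -1 ; push offset handler      <- function start (00C835E0)
    + "64A100000000" "50" "83EC20"  # mov eax,fs:[0] ; push eax ; sub esp,20
    + "90" * 60
    + "B8CC000000"                  # mov eax,0CCh: a lone CC *inside* an instruction, not padding
    + "90" * 57
    + "7F0E" "8B442410"             # jg ; mov eax,[esp+10]              <- NDS AOB hit (00C8366B)
    + "C7442414FFFFFFFF" "3BC1"     # mov [esp+14],-1 ; cmp eax,ecx
    + "C3" + "CC" * 4
)


def matches_at(buf, off, pattern):
    """True if a CE-style wildcard pattern ('?' or '??' = any byte) matches buf at off."""
    toks = pattern.split()
    if off < 0 or off + len(toks) > len(buf):
        return False
    return all(t.strip("?") == "" or buf[off + i] == int(t, 16) for i, t in enumerate(toks))


def aob_scan(buf, pattern):
    """Offsets of every match, in address order (the thread's '[1ST RESULT]' is hits[0])."""
    return [off for off in range(len(buf)) if matches_at(buf, off, pattern)]


def function_start(buf, hit, min_padding=2):
    """Nearest offset at or before `hit` that directly follows >= min_padding int 3 bytes.

    A single CC can be an immediate or displacement inside an instruction (see the
    mov eax,0CCh in the dump), so shorter runs are skipped.  Padding is a heuristic,
    not a guarantee, which is why the caller still checks the prologue afterwards.
    """
    i = hit
    while i > 0:
        if buf[i - 1] != INT3:
            i -= 1
            continue
        j = i
        while j > 0 and buf[j - 1] == INT3:
            j -= 1
        if i - j >= min_padding:
            return i
        i = j   # run too short to be inter-function padding; keep walking back
    return 0


def resolve_nds(buf, image_base=IMAGE_BASE):
    """From the NDS AOB to the address the script actually patches (the function start)."""
    hits = aob_scan(buf, NDS_AOB)
    if not hits:
        raise ValueError("NDS AOB not found in this dump")
    hit = hits[0]
    start = function_start(buf, hit)
    if not matches_at(buf, start, FUNCTION_PROLOGUE_AOB):
        raise ValueError(f"{image_base + start:08X} does not begin with the expected prologue")
    return {"hit": image_base + hit, "start": image_base + start}
```

With min_padding=1 the walk stops at the CC inside `mov eax,0CCh` and returns the wrong "start", which is exactly the case the prologue check is there to catch.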
10 hours ago, KamiOh said:

Hi.
I want to update scripts myself, help me.
I found some scripts with comments that I do not understand.

[jne below]
next jne
next jl
jg below H1
(3rd je below)
address of JE below
 


/*
  Perfect Stance
  GMS v179.2
  Created by AIRRIDE
*/

[enable]
01CD032F:
xor esi,esi
nop
nop

01CD033A: //address of JE below
db EB

[disable]
01CD032F: //85 F6 75 ? 39 ? 24 ? ? ? ? 74
db 85 F6 75 09

01CD033A:
db 74

 


//Slide & Attack
//v179.2
[Enable]
01E10D52: //83 ? ? 85 ? 74 ? 8B ? ? ? E8 ? ? ? ? 50 E8 ? ? ? ? 83 ? ? 3D ? ? ? ? 0F 84 (3rd je below)
db 75

[Disable]
01E10D52:
db 74

 

Moved your topic to the appropriate place.

The instructions are pretty literal; you can open up memory view in Cheat Engine and follow directly what most of them mean.

Example: after you use the AOB for Perfect Stance, it brings you to the address 01CD02FF.

The address would be the address that contains the JE below.

 

The same would apply to Slide & Attack, except you count three JE opcodes down.

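The Perfect Stance procedure above, as an added example (not code from the thread or from the script's author): scan a constructed dump for the script's own AOB with `?` wildcards, then resolve "address of JE below". The pattern ends on a `74` byte, and 01CD033A minus 01CD032F is 0x0B, which is the index of that trailing `74` in the pattern, so the JE is the last byte of the match. The dump bytes and the image base are constructed; the AOB, the two addresses and the `db` patches are the script's.

```python
# Added example (not from the thread): CE-style wildcard AOB scan plus the
# "address of JE below" step and the [enable]/[disable] byte patches, on a
# constructed buffer instead of a live client.

IMAGE_BASE = 0x01CD0300   # chosen so the hit lands on the script's 01CD032F

# The Perfect Stance AOB quoted in the thread (GMS v179.2).
PERFECT_STANCE_AOB = "85 F6 75 ? 39 ? 24 ? ? ? ? 74"

# Constructed dump, NOT real game memory.  The bytes after the filler decode as:
#   85 F6                  test esi,esi
#   75 09                  jne  +9          (skips the cmp and the je)
#   39 B4 24 80 00 00 00   cmp  [esp+80h],esi
#   74 04                  je   +4          <- the JE the script turns into a jmp
#   8B 4C 24 04            mov  ecx,[esp+4]
#   C3                     ret
DUMP = bytes.fromhex("90" * 0x2F + "85F6" "7509" "39B42480000000" "7404" "8B4C2404" "C3")


def parse_aob(pattern):
    """'85 F6 ? 74' -> [0x85, 0xF6, None, 0x74]; None is a wildcard ('?' or '??')."""
    return [None if tok.strip("?") == "" else int(tok, 16) for tok in pattern.split()]


def aob_scan(buf, pattern):
    """Offsets of every match of the wildcard pattern in buf (CE 'Array of byte' scan)."""
    pat = parse_aob(pattern)
    return [
        base for base in range(len(buf) - len(pat) + 1)
        if all(p is None or buf[base + i] == p for i, p in enumerate(pat))
    ]


def locate_perfect_stance(buf, image_base=IMAGE_BASE):
    """Resolve the two addresses the script writes to, the way a script updater would."""
    hits = aob_scan(buf, PERFECT_STANCE_AOB)
    if len(hits) != 1:
        raise ValueError(f"AOB is not unique in this build: {len(hits)} hits")
    start = hits[0]
    # The AOB ends on the 74 byte, so "address of JE below" is the last byte of the match.
    je = start + len(PERFECT_STANCE_AOB.split()) - 1
    if buf[je] != 0x74:
        raise ValueError("expected a short JE (74) at the resolved address")
    return {"patch": image_base + start, "je": image_base + je}


def enable_perfect_stance(buf, image_base=IMAGE_BASE):
    """[enable]: xor esi,esi / nop / nop over test+jne, and je -> jmp short."""
    addrs = locate_perfect_stance(buf, image_base)
    p = addrs["patch"] - image_base
    buf[p:p + 4] = bytes.fromhex("33F69090")   # xor esi,esi ; nop ; nop  (esi = 0, no jne)
    buf[addrs["je"] - image_base] = 0xEB        # je -> jmp: the branch is now always taken
    return addrs


def disable_perfect_stance(buf, addrs, image_base=IMAGE_BASE):
    """[disable]: restore the original bytes recorded by the script's disable block."""
    p = addrs["patch"] - image_base
    buf[p:p + 4] = bytes.fromhex("85F67509")   # test esi,esi ; jne +9
    buf[addrs["je"] - image_base] = 0x74        # back to je
```

The disable side takes the addresses recorded at enable time rather than rescanning, because after the patch the `85 F6 75` bytes the AOB starts with are gone and the scan would come back empty, which is also why CE scripts keep the resolved address in a define or a label instead of scanning again in [disable].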
10 hours ago, OuterHaven said:

Various reasons; the most common one is that it's just quicker and easier to make an AOB that uses a reference point towards the function. Although it is almost always better to make the AOB for the actual address.

For the second question if I'm interpreting your question correctly, if you assume the AOB is correct for the version and the instruction directs you to do so then I guess. 

This is wrong in so many ways.

The primary reason for deviant AoBs is that the requested address is not dynamically obtainable at a given AoB. Since you're looking for a function start, the function prolog would be the same as for 1000 other functions in the game, and you'd have to type out a 50-byte array-string before even being able to identify fewer than 10 functions, which is still not just the single function at hand. Besides, the prolog is set by the compiler, and can vary between builds, as the optimizer (especially in Visual Studio, which MapleStory uses) likes to be "smart". This also means a prolog is not a valid dynamic AoB across build versions, which in turn means it's not a desired AoB. When I include AoBs that point to indirect places, it's because those are distinct, and thus easily recognizable no matter how the compiler optimizes.

6 hours ago, OuterHaven said:

Moved your topic to the appropriate place.

The instructions are pretty literal; you can open up memory view in Cheat Engine and follow directly what most of them mean.

Example: after you use the AOB for Perfect Stance, it brings you to the address 01CD02FF.

The address would be the address that contains the JE below.

 

The same would apply to Slide & Attack, except you count three JE opcodes down.

How about the [FUNCTION START]? I really don't know what to do with this.


//v179.4
//No Falling Pierre Hats, Gollux Roots, etc
define(NDS,00C835E0)//7F ? 8B 44 24 ? C7 44 24 ? FF FF FF FF 3B [1ST RESULT] [FUNCTION START]
//6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 83 EC
[enable]
NDS: // No Dropping Stones (Vellum)
ret 0004

[disable]
NDS:
db 6A FF 68

 

5 minutes ago, OuterHaven said:

@Blanc after using the AOB it points to an address 00C8366B.

Function start means the address is the start of that function.

To get to the top you can simply right click 00C8366B and click "Select Current Function" until it brings you all the way to the top.

You know you've reached the top when you start seeing "int 3" opcodes.

Oh god, this has solved many things I didn't understand before, thanks for the help TT

15 hours ago, OuterHaven said:

@Blanc after using the AOB it points to an address 00C8366B.

Function start means the address is the start of that function.

To get to the top you can simply right click 00C8366B and click "Select Current Function" until it brings you all the way to the top.

You know you've reached the top when you start seeing "int 3" opcodes.

So why do people include an AoB that points somewhere other than the address the script is manipulating? Does it usually point to the start of the function?

Just now, Roast said:

So why do people include an AoB that points somewhere other than the address the script is manipulating? Does it usually point to the start of the function?

Various reasons; the most common one is that it's just quicker and easier to make an AOB that uses a reference point towards the function. Although it is almost always better to make the AOB for the actual address.

For the second question if I'm interpreting your question correctly, if you assume the AOB is correct for the version and the instruction directs you to do so then I guess. 

2 hours ago, OuterHaven said:

Various reasons; the most common one is that it's just quicker and easier to make an AOB that uses a reference point towards the function. Although it is almost always better to make the AOB for the actual address.

For the second question if I'm interpreting your question correctly, if you assume the AOB is correct for the version and the instruction directs you to do so then I guess. 

It was meant to be one question, but English is a weird language sometimes. I always thought there was a specific reason people made AoBs that lead to somewhere other than the actual address, like they would always make it point to the start of a function. I guess it's almost random depending on who made the script. That makes sense, thank you :)

On 17-1-2017 at 10:36, NewSprux2.0? said:

This is wrong in so many ways.

The primary reason for deviant AoBs is that the requested address is not dynamically obtainable at a given AoB. Since you're looking for a function start, the function prolog would be the same as for 1000 other functions in the game, and you'd have to type out a 50-byte array-string before even being able to identify fewer than 10 functions, which is still not just the single function at hand. Besides, the prolog is set by the compiler, and can vary between builds, as the optimizer (especially in Visual Studio, which MapleStory uses) likes to be "smart". This also means a prolog is not a valid dynamic AoB across build versions, which in turn means it's not a desired AoB. When I include AoBs that point to indirect places, it's because those are distinct, and thus easily recognizable no matter how the compiler optimizes.

But what if I would write Maplestory.exe and generate junk asm between every ~2 lines. How much would you like to fuck me?

14 hours ago, Naz said:

But what if I would write Maplestory.exe and generate junk asm between every ~2 lines. How much would you like to fuck me?

Hmm, by '1 line' you mean..? How would you judge the amount of 'lines' when generating junk asm? You'd need a very complex assembler to do this, and I doubt MapleStory's scrub team would be able to do that. Of course you could generate a junk amount of random bytes, but it's still possible to make a dynamically scalable scanner.

18 minutes ago, NewSprux2.0? said:

Hmm, by '1 line' you mean..? How would you judge the amount of 'lines' when generating junk asm? You'd need a very complex assembler to do this, and I doubt MapleStory's scrub team would be able to do that. Of course you could generate a junk amount of random bytes, but it's still possible to make a dynamically scalable scanner.

 

Guess if this is the original asm:

mov eax, eax
jmp naz
xor eax, eax
neg eax
je sprux

And the first time you start maple it will be:

mov eax, eax
junk asm, 4 bytes
jmp naz
xor eax, eax
junk asm, 2 bytes
neg eax
junk asm, 1 byte.
je sprux

But the next time you start

junk asm 2 bytes
mov eax, eax
junk asm 1 byte
jmp naz
xor eax, eax
neg eax
junk asm 3 bytes.
je sprux

Have fun with aobs. I could imagine it being quite hard to do this. But it should be possible.

2 minutes ago, Naz said:

 

Guess if this is the original asm:


mov eax, eax
jmp naz
xor eax, eax
neg eax
je sprux

And the first time you start maple it will be:


mov eax, eax
junk asm, 4 bytes
jmp naz
xor eax, eax
junk asm, 2 bytes
neg eax
junk asm, 1 byte.
je sprux

But the next time you start


junk asm 2 bytes
mov eax, eax
junk asm 1 byte
jmp naz
xor eax, eax
neg eax
junk asm 3 bytes.
je sprux

Have fun with aobs. I could imagine it being quite hard to do this. But it should be possible.

You can make a dynamic scanner that takes pattern input like XX XX * EB XX 33 C0 * XX * 74 XX, and dynamically scales the * to match parameters using standardized development algorithms.

Just now, NewSprux2.0? said:

You can make a dynamic scanner that takes pattern input like XX XX * EB XX 33 C0 * XX * 74 XX, and dynamically scales the * to match parameters using standardized development algorithms.

That is going to be a bigbigbig pain though. And I guess if the random asm is picked in a smart way, it could get a bloody mess.

1 minute ago, Naz said:

That is going to be a bigbigbig pain though. And I guess if the random asm is picked in a smart way, it could get a bloody mess.

Well, in your example we're assuming 1 line. If it was to be maybe 4 lines, we'd have a maximum of ... say.... 30-ish byte padding. Given this, the time to calculate a single AoB would be O((30 * amount_of_paddings_in_aob) N). It would be slower to calculate than regular AoBs but very simple nonetheless.

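The scanner NewSprux2.0? describes in the two posts above, as an added example (not code from anyone in the thread): a wildcard pattern in which `?` matches exactly one byte and `*` absorbs 0 to max_gap bytes of junk, matched with shortest-gap-first backtracking. The three dumps are constructed from the asm in Naz's example (push ebp / mov ebp,esp prefixed so the code does not start at offset 0); the concrete junk bytes, the gap pattern and the image layout are my choice, and the `mov eax,eax` / `jmp` / `xor eax,eax` / `neg eax` / `je` encodings are the standard x86 ones. A rigid AOB for the original code fails on both junked layouts while the gap pattern finds the JE in all three.

```python
# Added example (not from the thread): wildcard scanner with variable-length gaps.
#   hex byte  must match      '?'  any single byte      '*'  0..max_gap bytes of junk

ORIGINAL = bytes.fromhex("558BEC" "8BC0" "EB05" "33C0" "F7D8" "7402" "C3")
#   push ebp; mov ebp,esp | mov eax,eax | jmp | xor eax,eax | neg eax | je | ret
CLIENT_A = bytes.fromhex("558BEC" "8BC0" "8D490090" "EB05" "33C0" "8BFF" "F7D8" "90" "7402" "C3")
#   first launch in Naz's example: 4 junk bytes after mov, 2 after xor, 1 after neg
CLIENT_B = bytes.fromhex("558BEC" "8BFF" "8BC0" "90" "EB05" "33C0" "F7D8" "8D4900" "7402" "C3")
#   second launch: 2 junk bytes before mov, 1 after mov, 3 after neg

RIGID_AOB = "8B C0 EB ? 33 C0 F7 D8 74 ?"        # a normal CE AOB written against ORIGINAL
GAP_AOB = "8B C0 * EB ? 33 C0 * F7 D8 * 74 ?"    # same pattern with '*' wherever junk may appear


def parse_gap_pattern(pattern):
    """Tokens: int for a fixed byte, None for '?', the string '*' for a variable gap."""
    toks = []
    for t in pattern.split():
        if t == "*":
            toks.append("*")
        elif t.strip("?") == "":
            toks.append(None)
        else:
            toks.append(int(t, 16))
    return toks


def match_at(buf, off, toks, max_gap):
    """Positions of every non-gap token if the pattern matches at off, else None.

    Gaps are tried shortest-first, so the match closest to the original layout wins
    and a later stray 74 cannot steal the job from the real je.
    """
    def rec(i, pos, acc):
        if i == len(toks):
            return acc
        t = toks[i]
        if t == "*":
            for gap in range(max_gap + 1):
                if pos + gap > len(buf):
                    break
                found = rec(i + 1, pos + gap, acc)
                if found is not None:
                    return found
            return None
        if pos >= len(buf) or (t is not None and buf[pos] != t):
            return None
        return rec(i + 1, pos + 1, acc + [pos])

    return rec(0, off, [])


def gap_scan(buf, pattern, max_gap=30):
    """All matches in buf.  Worst case is roughly len(buf) * max_gap ** gaps_in_pattern
    probes, which is the slowdown over a plain AOB scan that the thread estimates."""
    toks = parse_gap_pattern(pattern)
    return [m for m in (match_at(buf, off, toks, max_gap) for off in range(len(buf))) if m is not None]


def find_je(buf, max_gap=30):
    """Offset of the 74 (je) byte a script would flip, or None unless the hit is unique."""
    hits = gap_scan(buf, GAP_AOB, max_gap)
    if len(hits) != 1:
        return None
    return hits[0][-2]   # second-to-last token is the 74; the last is its '?' displacement
```

Two practical limits follow from the code: every extra `*` multiplies the scan cost by max_gap, and a larger max_gap also widens the set of unrelated byte runs the pattern can be stretched over, so the uniqueness check in find_je matters more here than for a fixed-length AOB.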
Just now, NewSprux2.0? said:

Well, in your example we're assuming 1 line. If it was to be maybe 4 lines, we'd have a maximum of ... say.... 30-ish byte padding. Given this, the time to calculate a single AoB would be O((30 * amount_of_paddings_in_aob) N). It would be slower to calculate than regular AoBs but very simple nonetheless.

How would you know if the asm is 'junk' though? Are there algorithms for that?

Just now, Naz said:

How would you know if the asm is 'junk' though? Are there algorithms for that?

You can open two distinct clients and check for similar bytes. If you open ~4 clients, the chance of duplication in all 4 is very unlikely, and as such duplicated bytes can be considered static.

Just now, NewSprux2.0? said:

You can open two distinct clients and check for similar bytes. If you open ~4 clients, the chance of duplication in all 4 is very unlikely, and as such duplicated bytes can be considered static.

Aha yeah, that is great. But what if I make ~50% of the random junk static too?

Just now, NewSprux2.0? said:

Then it's still static...?

Oh well, that was retarded. LOL.
