
# Release Few shits made out of sheer boredom (from gms 187 and up)


While leveling up my test account (mechanic job) I got a perma ban for logging out and back in too fast, so I'm done. Also, school started, so my dad will uninstall all games on my computer (starting next week) and monitor me if I use any electronics.

Tubi (filters out all other calls to CWvsContext::SetExclRequestSent, so it will not create a conflict with auto pot, aka using more than 1 pot):

```
// Four fixed-address byte patches against the client image. [ENABLE] writes
// the modified bytes; [DISABLE] writes back the bytes the author lists as the
// originals. The addresses are absolute, so they only line up with the client
// build the author used; the byte patterns in the [DISABLE] comments are the
// author's signatures for locating each site again.
[ENABLE]
0225336A: // call below is CWvsContext::SetExclRequestSent
// 6A ib is `push imm8`: the value pushed ahead of the call changes from 1 to 0.
db 6A 00

00D1E656: // Remove loot animation
// 0F 8C is `jl rel32`, 0F 8D is `jge rel32`: only the condition is inverted;
// the branch displacement that follows is not rewritten.
db 0F 8C

00F5004F: // Remove drop animation (Scan value 1000.00 as double)
// F2 0F 5E is `divsd`, F2 0F 59 is `mulsd`: the multiply becomes a divide;
// the operand bytes after the opcode are not rewritten.
db F2 0F 5E

00F453AF: // No item floating (Scan value 1000.00 as double)
// The reverse swap of the patch above: `divsd` becomes `mulsd`.
db F2 0F 59

[DISABLE]
0225336A: // 8D 8E ? ? 00 00 E8 ? ? ? ? E8 ? ? ? ? 50 [Start]
db 6A 01

00D1E656: // 81 ? BC 02 [Second result & address below]
db 0F 8D

00F5004F: // F2 ? ? ? ? ? ? ? 3B ? 7F
db F2 0F 59

00F453AF: // F2 ? ? ? ? ? ? ? F2 ? ? ? ? ? ? ? F2 ? ? ? ? ? ? ? F2 ? ? ? ? ? ? ? E8 [Third result]
db F2 0F 5E```

Fly Map (enable then cc/cs or trigger a new session):

```
// One-byte patch that inverts a conditional jump: 75 is `jne rel8`, 74 is
// `je rel8`. Per the author's note the patched branch is the `je` that follows
// a call matched by the signature below.
// NOTE(review): no address label precedes the `db` in [ENABLE], so as posted
// this section names no write target; [DISABLE] restores 0233BADC.
[ENABLE]
db 75

[DISABLE]
0233BADC: // E8 ? ? ? ? 85 ? 74 ? 8B ? ? ? ? ? 6A ? 83 [Second result & je below]
db 74

Swim Map (enable then cc/cs or trigger a new session):

```
// One-byte patch at a fixed client address: 74 (`je rel8`) is replaced with
// 75 (`jne rel8`), inverting the branch taken after the call matched by the
// signature in the [DISABLE] comment. [DISABLE] writes 74 back.
[ENABLE]
0233BABF:
db 75

[DISABLE]
0233BABF: // E8 ? ? ? ? 85 ? 74 ? 8B ? ? ? ? ? 6A ? 83 [First result & je below]
db 74

DupeX (should use the same function as "Safe Fast DupeX" by Ghoul check ccplz and tweak this shit):

```
// Detour on the 6-byte store `mov [ebx+0000013C],edi` that the author places
// in CVecCtrl::OnAttachedObjectChanged. The stub may substitute edi before
// replaying that store, then resumes at the patched address + 6.
// Platform holds the first non-null value read through the CUserLocal pointer
// chain; RunFlag records that a value has been latched.
[ENABLE]
alloc(DupeX,256)
alloc(Platform,4)
alloc(RunFlag,4)
label(NullPlatform)
label(DoVac)
label(Normal)

Platform:
dd 00000000

RunFlag:
dd 00000000

DupeX:
// Flags, eax and ecx are saved here and restored at Normal, so the stub only
// ever changes edi as seen by the original code.
pushfd
push eax
push ecx
mov eax,[02D82708] // CUserLocal: 8B 3D ? ? ? ? 8B CF F3
test eax,eax
// Each pointer in the chain is null-checked; a null anywhere clears the latch.
je NullPlatform
mov eax,[eax+0000AB44] // Character Vector Control Offset: 8B 97 ? ? 00 00 6A 00 6A 00 [Fourth result]
lea ecx,[eax-10]
test ecx,ecx
je NullPlatform
mov eax,[ecx+0000013C]
test eax,eax
je NullPlatform
// Latch the value only the first time through (RunFlag goes 0 -> 1).
cmp [RunFlag],01
je DoVac
mov [Platform],eax
inc [RunFlag]
jmp DoVac

DoVac:
// ebx is the object the original store writes to. When it equals the pointer
// derived from CUserLocal the store is left alone; for any other object edi
// is replaced with the latched value before the store runs.
cmp ebx,ecx
je Normal
mov edi,[Platform]
jmp Normal

NullPlatform:
mov [Platform],00
mov [RunFlag],00
jmp Normal

Normal:
pop ecx
pop eax
popfd
mov [ebx+0000013C],edi // Original Opcodes
jmp 00B932E1+6

// 5-byte jmp plus one nop (90) covers the 6 bytes of the original store.
00B932E1:
jmp DupeX
db 90

[DISABLE]
00B932E1: // CVecCtrl::OnAttachedObjectChanged: 89 ? ? ? 00 00 C7 ? ? ? 00 00 00 00 00 00 C7 ? ? ? 00 00 00 00 00 00 C7 ? ? ? 00 00 00 00 00 00 66 [First result]
mov [ebx+0000013C],edi

dealloc(DupeX)
dealloc(Platform)
dealloc(RunFlag)

// Assembly scan: call CUserLocal::SetDamaged [First result]
// CVecCtrl::OnAttachedObjectChanged: E8 ? ? ? ? 5F 5E 5B 8B E5 5D C2 10 00 CC [Second result & follow call at end of function]```

Mob Control:

```
// Values the author observed for the field at [edi+00000418]:
// 00 Doesn't seem to do anything but Disconnect to world selection screen
// 01 Normal Mobs
// 02 Jump mob
// 03 Fly Mobs
// 04 Stationary Mobs
// 05 Mob Walk Right
// 06-07-08 Lemmings
// 09 and above crash MapleStory with "error code: -2147467259 (Unspecified error)"

// Detour on the 6-byte load `mov eax,[edi+00000418]` that the author places in
// CVecCtrlMob::WorkUpdateActive. The stub first overwrites the field with the
// constant 04, then replays the load, so the original code always reads 04.
[ENABLE]
alloc(MobControl,128)

MobControl:
mov [edi+00000418],04
mov eax,[edi+00000418]
jmp 021B90AC+6

// 5-byte jmp plus one nop (90) covers the 6 bytes of the original load.
021B90AC:
jmp MobControl
db 90

[DISABLE]
021B90AC: // CVecCtrlMob::WorkUpdateActive: E9 ? ? ? ? 8B ? ? ? 00 00 83 ? ? 0F ? ? ? ? ? FF [Address below]
mov eax,[edi+00000418]

dealloc(MobControl)```

CDragon::TryDoingMagicAttack:

```
// Detour on the first 5 bytes of CUserLocal::Update (push ebp / mov ebp,esp /
// push -01). The stub replays those three instructions and, at most once per
// 1000 ms of GetTickCount time, calls the functions the author labels
// CSkillInfo::GetSkill, CUserLocal::GetSkillLevel and
// CDragon::TryDoingMagicAttack with the hard-coded Skill_ID, then resumes the
// original function at +5. While enabled, the entry bytes at 01FCAA30 differ
// from the shipped image.
// All call targets, the global at 02D699C8 and the +FA30 offset are absolute
// values for the author's client build.
// NOTE(review): ecx (this) is copied to ebx only after `call GetTickCount`,
// ebx and esi are overwritten without being saved, and ecx is not reloaded
// before the jump back into the original function.
define(Skill_ID,#22111012) // Dragon Flash

[ENABLE]
alloc(CUserLocal__Update_Hook,128)
alloc(Time,4)
label(Ending)

// Tick count of the last time the attack call was issued.
Time:
dd 0

CUserLocal__Update_Hook:
push ebp
mov ebp,esp
push -01
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#1000 // Delay in milliseconds
// NOTE(review): `jl` is a signed compare on a tick-count difference.
jl Ending
mov [Time],eax
mov ebx,ecx // CUserLocal *this
push Skill_ID // int nSkillID
mov ecx,[02D699C8] // CSkillInfo *this: Inside CUserLocal::GetSkillLevel or breakpoint CSkillInfo::GetSkill and check ecx
call 00A95CB0 // CSkillInfo::GetSkill: 9C 9F D5 00 ? ? ? ? 9D 9F D5 00 [Follow first call above]
// The returned pointer is dereferenced at +04 with no null check.
mov eax,[eax+04]
mov esi,eax
push 00 // SKILLENTRY **ppSkillEntry
push Skill_ID // int nSkillID
mov ecx,ebx // CUserLocal *this
call 020454A0 // CUserLocal::GetSkillLevel: 68 11 12 42 00 [Follow first call above]
push 00 // bool bDoActiveSkill
push 00 // bool bVariableRectAttack
push 00 // unsigned int nRandForAction
push eax // int nSLV
push esi // SKILLENTRY *pSkill
mov ecx,ebx // CUserLocal *this
mov ecx,[ecx+FA30] // CDragon *this: Inside CUser::Update: 8B ? ? ? 00 00 85 ? 74 ? 8B ? 8B ? FF [Third result]
call 00F3AFB0 // CDragon::TryDoingMagicAttack: E8 ? ? ? ? 89 ? ? 83 ? ? ? 74 ? 8D [Second result & follow call]
jmp Ending

Ending:
jmp 01FCAA30+5

01FCAA30:
jmp CUserLocal__Update_Hook

[DISABLE]
01FCAA30: // CUserLocal::Update: E8 ? ? ? ? 8B ? ? ? ? ? 8B ? ? 89 ? ? 85 ? 74 ? 83 ? ? 8D ? ? 50 FF 15 ? ? ? ? 85 ? 75 ? 8B ? ? ? ? ? 85 ? 74 ? C6 ? ? ? 8D ? ? ? FF 15 ? ? ? ? 85 ? 74 ? 8B ? 8B ? 6A 01 8B [Start]
push ebp
mov ebp,esp
push -01

dealloc(CUserLocal__Update_Hook)
dealloc(Time)```

CDragon::TryDoingShootAttack:

```
// Detour on the first 5 bytes of CUserLocal::Update. The stub replays the
// overwritten prologue instructions and, at most once per 1000 ms of
// GetTickCount time, looks up the hard-coded Skill_ID and its level and calls
// the function the author labels CDragon::TryDoingShootAttack, then resumes
// the original function at +5. Addresses and offsets are absolute values for
// the author's client build.
// NOTE(review): ebx and esi are overwritten without being saved and ecx is
// not reloaded before the jump back into the original function.
define(Skill_ID,#22110014) // Wind Flash

[ENABLE]
alloc(CUserLocal__Update_Hook,128)
alloc(Time,4)
label(Ending)

// Tick count of the last time the attack call was issued.
Time:
dd 0

CUserLocal__Update_Hook:
push ebp
mov ebp,esp
push -01
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#1000 // Delay in milliseconds
jl Ending
mov [Time],eax
mov ebx,ecx // CUserLocal *this
push Skill_ID // int nSkillID
mov ecx,[02D699C8] // CSkillInfo *this: Inside CUserLocal::GetSkillLevel or breakpoint CSkillInfo::GetSkill and check ecx
call 00A95CB0 // CSkillInfo::GetSkill: 9C 9F D5 00 ? ? ? ? 9D 9F D5 00 [Follow first call above]
// The returned pointer is dereferenced at +04 with no null check.
mov eax,[eax+04]
mov esi,eax
push 00 // SKILLENTRY **ppSkillEntry
push Skill_ID // int nSkillID
mov ecx,ebx // CUserLocal *this
call 020454A0 // CUserLocal::GetSkillLevel: 68 11 12 42 00 [Follow first call above]
push 00 // bool bDoActiveSkill
push 00 // bool bRepeatAttack
push 00 // DRAGON_ACTION eDragonAction
push 00 // unsigned int nRandForAction
push eax // int nSLV
push esi // SKILLENTRY *pSkill
mov ecx,ebx // CUserLocal *this
mov ecx,[ecx+FA30] // CDragon *this: Inside CUser::Update: 8B ? ? ? 00 00 85 ? 74 ? 8B ? 8B ? FF [Third result]
call 00F3D360 // CDragon::TryDoingShootAttack: E8 ? ? ? ? 8B ? 85 ? 0F 84 ? ? ? ? FF ? ? ? ? ? C7 [Follow call (CDragon::DragonAttack is at start of function)] || E8 ? ? ? ? 33 ? 85 ? 0F ? ? C7 [First result & follow call (CDragon::Update is at start of function)]
jmp Ending

Ending:
jmp 01FCAA30+5

01FCAA30:
jmp CUserLocal__Update_Hook

[DISABLE]
01FCAA30: // CUserLocal::Update: E8 ? ? ? ? 8B ? ? ? ? ? 8B ? ? 89 ? ? 85 ? 74 ? 83 ? ? 8D ? ? 50 FF 15 ? ? ? ? 85 ? 75 ? 8B ? ? ? ? ? 85 ? 74 ? C6 ? ? ? 8D ? ? ? FF 15 ? ? ? ? 85 ? 74 ? 8B ? 8B ? 6A 01 8B [Start]
push ebp
mov ebp,esp
push -01

dealloc(CUserLocal__Update_Hook)
dealloc(Time)```

CUserLocal::TryDoingBodyAttack:

```
// Two patches. (1) A detour on the first 5 bytes of CUserLocal::Update that
// calls the function the author labels CUserLocal::TryDoingBodyAttack with
// the hard-coded Skill_ID on every pass (the delay constant is 0). (2) The
// call at 0202CC5B to 0213CC30 (labelled get_update_time) is redirected to
// time_stamp_hook, which calls the original once, caches the result and
// returns the cached value on every later call. The author describes (2) as
// a fix for a timestamp-related disconnect.
// NOTE(review): Time is allocated in [ENABLE] but has no matching dealloc in
// [DISABLE].
define(Skill_ID,#2311007)

[ENABLE]
alloc(CUserLocal__Update_Hook,128)
alloc(Time,4)
label(Ending)

Time:
dd 0

alloc(time_stamp_hook,128)
alloc(time_stamp_initialized,4)
alloc(time_stamp,4)
label(time_stamp_continue)

// 0 until the first call through time_stamp_hook, 1 afterwards.
time_stamp_initialized:
dd 00000000

// Cached return value of the first call to 0213CC30.
time_stamp:
dd 00000000

CUserLocal__Update_Hook:
push ebp
mov ebp,esp
push -01
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#0 // Delay in milliseconds
jl Ending
mov [Time],eax
mov ebx,ecx // CUserLocal *this
push Skill_ID // int nSkillID
mov ecx,[02D699C8] // CSkillInfo *this: Inside CUserLocal::GetSkillLevel or breakpoint CSkillInfo::GetSkill and check ecx
call 00A95CB0 // CSkillInfo::GetSkill: 9C 9F D5 00 ? ? ? ? 9D 9F D5 00 [Follow first call above]
// The returned pointer is dereferenced at +04 with no null check.
mov eax,[eax+04]
mov esi,eax
push 00 // SKILLENTRY **ppSkillEntry
push Skill_ID // int nSkillID
mov ecx,ebx // CUserLocal *this
call 020454A0 // CUserLocal::GetSkillLevel: 68 11 12 42 00 [Follow first call above]
push 00 // tagPOINT ptHit.Y
push 00 // tagPOINT ptHit.X
push 00 // CMob *pMob
push eax // int nSLV
push esi // SKILLENTRY *pSkill
mov ecx,ebx // CUserLocal *this
call 0202B650 // CUserLocal::TryDoingBodyAttack: E8 ? ? ? ? 6A 00 6A 00 6A 00 53 FF ? ? 8B ? 89 ? ? ? ? ? E8 [Third result & follow second call] || E8 ? ? ? ? 89 85 ? ? FF FF C7 85 ? ? ? ? 00 00 00 00 EB ? 8B 95 ? ? ? ? 83 [Fifth result & start]
jmp Ending

Ending:
jmp 01FCAA30+5

time_stamp_hook:
cmp [time_stamp_initialized],00000000
jne time_stamp_continue
call 0213CC30 // Original Opcode
mov [time_stamp],eax
mov [time_stamp_initialized],00000001

// Falls through from the first-call path as well, so eax is always the
// cached value on return.
time_stamp_continue:
mov eax,[time_stamp]
ret

01FCAA30:
jmp CUserLocal__Update_Hook

0202CC5B: // Fix timestamp-disconnect
call time_stamp_hook

[DISABLE]
01FCAA30: // CUserLocal::Update: E8 ? ? ? ? 8B ? ? ? ? ? 8B ? ? 89 ? ? 85 ? 74 ? 83 ? ? 8D ? ? 50 FF 15 ? ? ? ? 85 ? 75 ? 8B ? ? ? ? ? 85 ? 74 ? C6 ? ? ? 8D ? ? ? FF 15 ? ? ? ? 85 ? 74 ? 8B ? 8B ? 6A 01 8B [Start]
push ebp
mov ebp,esp
push -01

0202CC5B: // E8 ? ? ? ? 89 85 ? ? FF FF C7 85 ? ? ? ? 00 00 00 00 EB ? 8B 95 ? ? ? ? 83 [Fifth result]
call 0213CC30 // get_update_time

dealloc(CUserLocal__Update_Hook)

dealloc(time_stamp_hook)
dealloc(time_stamp_initialized)
dealloc(time_stamp)```

CUserLocal::TryDoingMagicAttack (Set bForce to 1 and you'll have the same thing as "Controlled Magic Injection"):

```
// Detour on the first 5 bytes of CUserLocal::Update. The stub replays the
// overwritten prologue instructions and, at most once per 1000 ms of
// GetTickCount time, looks up the hard-coded Skill_ID and its level and calls
// the function at 0201A7F0 with twelve stack arguments, bForce set to 1, then
// resumes the original function at +5. Addresses are absolute values for the
// author's client build.
// NOTE(review): ebx and esi are overwritten without being saved and ecx is
// not reloaded before the jump back into the original function.
define(Skill_ID,#2301005) // Holy Arrow (Cleric)

[ENABLE]
alloc(CUserLocal__Update_Hook,128)
alloc(Time,4)
label(Ending)

// Tick count of the last time the attack call was issued.
Time:
dd 0

CUserLocal__Update_Hook:
push ebp
mov ebp,esp
push -01
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#1000 // Delay in milliseconds
jl Ending
mov [Time],eax
mov ebx,ecx // CUserLocal *this
push Skill_ID // int nSkillID
mov ecx,[02D699C8] // CSkillInfo *this: Inside CUserLocal::GetSkillLevel or breakpoint CSkillInfo::GetSkill and check ecx
call 00A95CB0 // CSkillInfo::GetSkill: 9C 9F D5 00 ? ? ? ? 9D 9F D5 00 [Follow first call above]
// The returned pointer is dereferenced at +04 with no null check.
mov eax,[eax+04]
mov esi,eax
push 00 // SKILLENTRY **ppSkillEntry
push Skill_ID // int nSkillID
mov ecx,ebx // CUserLocal *this
call 020454A0 // CUserLocal::GetSkillLevel: 68 11 12 42 00 [Follow first call above]
push 00 // void* unknown1
push 00 // unsigned int nRandForActionParam
push 01 // bool bMakeRandom
push -01 // int nOption
push 00 // unsigned int dwExceptID
push 00 // int nForcedY
push 00 // int nForcedX
push 01 // bool bForce
push 00 // int tKeyDown
push 00 // int nReduceCount
push eax // int nSLV
push esi // SKILLENTRY *pSkill
mov ecx,ebx // CUserLocal *this
call 0201A7F0 // CUserLocal::DoActiveSkilll_ForcedMagicAttack: 3D CC EF B8 00 75 || 68 CC EF B8 00 50 [Follow call at end of function (CUserLocal::TryDoingMagicAttack)]
jmp Ending

Ending:
jmp 01FCAA30+5

01FCAA30:
jmp CUserLocal__Update_Hook

[DISABLE]
01FCAA30: // CUserLocal::Update: E8 ? ? ? ? 8B ? ? ? ? ? 8B ? ? 89 ? ? 85 ? 74 ? 83 ? ? 8D ? ? 50 FF 15 ? ? ? ? 85 ? 75 ? 8B ? ? ? ? ? 85 ? 74 ? C6 ? ? ? 8D ? ? ? FF 15 ? ? ? ? 85 ? 74 ? 8B ? 8B ? 6A 01 8B [Start]
push ebp
mov ebp,esp
push -01

dealloc(CUserLocal__Update_Hook)
dealloc(Time)```

CUserLocal::TryDoingMeleeAttack:

```
// Detour on the first 5 bytes of CUserLocal::Update. The stub replays the
// overwritten prologue instructions and, at most once per 1000 ms of
// GetTickCount time, looks up the hard-coded Skill_ID and its level and calls
// the function the author labels CUserLocal::TryDoingMeleeAttack with
// seventeen stack arguments (all zero except the skill entry and level), then
// resumes the original function at +5. Addresses are absolute values for the
// author's client build.
// NOTE(review): ebx and esi are overwritten without being saved and ecx is
// not reloaded before the jump back into the original function.
define(Skill_ID,#31011000) // Exceed: Double Slash

[ENABLE]
alloc(CUserLocal__Update_Hook,128)
alloc(Time,4)
label(Ending)

// Tick count of the last time the attack call was issued.
Time:
dd 0

CUserLocal__Update_Hook:
push ebp
mov ebp,esp
push -01
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#1000 // Delay in milliseconds
jl Ending
mov [Time],eax
mov ebx,ecx // CUserLocal *this
push Skill_ID // int nSkillID
mov ecx,[02D699C8] // CSkillInfo *this: Inside CUserLocal::GetSkillLevel or breakpoint CSkillInfo::GetSkill and check ecx
call 00A95CB0 // CSkillInfo::GetSkill: 9C 9F D5 00 ? ? ? ? 9D 9F D5 00 [Follow first call above]
// The returned pointer is dereferenced at +04 with no null check.
mov eax,[eax+04]
mov esi,eax
push 00 // SKILLENTRY **ppSkillEntry
push Skill_ID // int nSkillID
mov ecx,ebx // CUserLocal *this
call 020454A0 // CUserLocal::GetSkillLevel: 68 11 12 42 00 [Follow first call above]
// The argument count is build-specific: the author notes one parameter was
// added in GMS v.188.2.
push 00 // void* unknown4 added in GMS v.188.2
push 00 // void* unknown3
push 00 // void* unknown2
push 00 // void* unknown1
push 00 // unsigned int dwTargetMobID
push 00 // int nBySummonedID
push 00 // int nShootSkillID
push 00 // int nTimeBombY
push 00 // int nTimeBombX
push 00 // int bTimeBombAttack
push 00 // int nReservedSkillID
push 00 // int tKeyDown
push 00 // unsigned int dwLastAttackMobID
push 00 // int nSerialAttackSkillID
push 00 // int *pnShootRange0
push eax // int nSLV
push esi // SKILLENTRY *pSkill
mov ecx,ebx // CUserLocal *this
call 01FED500 // CUserLocal::TryDoingMeleeAttack: 0F ? ? ? ? ? 0F ? ? ? ? ? ? FF ? ? ? ? ? ? 84 [Scroll down]
jmp Ending

Ending:
jmp 01FCAA30+5

01FCAA30:
jmp CUserLocal__Update_Hook

[DISABLE]
01FCAA30: // CUserLocal::Update: E8 ? ? ? ? 8B ? ? ? ? ? 8B ? ? 89 ? ? 85 ? 74 ? 83 ? ? 8D ? ? 50 FF 15 ? ? ? ? 85 ? 75 ? 8B ? ? ? ? ? 85 ? 74 ? C6 ? ? ? 8D ? ? ? FF 15 ? ? ? ? 85 ? 74 ? 8B ? 8B ? 6A 01 8B [Start]
push ebp
mov ebp,esp
push -01

dealloc(CUserLocal__Update_Hook)
dealloc(Time)```

CUserLocal::TryDoingShootAttack:

```
// Detour on the first 5 bytes of CUserLocal::Update. The stub replays the
// overwritten prologue instructions and, at most once per 1000 ms of
// GetTickCount time, looks up the hard-coded Skill_ID and its level and calls
// the function the author labels CUserLocal::TryDoingShootAttack, then
// resumes the original function at +5. Addresses are absolute values for the
// author's client build.
// NOTE(review): ebx and esi are overwritten without being saved and ecx is
// not reloaded before the jump back into the original function.
define(Skill_ID,#23001000) // Swift Dual Shot

[ENABLE]
alloc(CUserLocal__Update_Hook,128)
alloc(Time,4)
label(Ending)

// Tick count of the last time the attack call was issued.
Time:
dd 0

CUserLocal__Update_Hook:
push ebp
mov ebp,esp
push -01
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#1000 // Delay in milliseconds
jl Ending
mov [Time],eax
mov ebx,ecx // CUserLocal *this
push Skill_ID // int nSkillID
mov ecx,[02D699C8] // CSkillInfo *this: Inside CUserLocal::GetSkillLevel or breakpoint CSkillInfo::GetSkill and check ecx
call 00A95CB0 // CSkillInfo::GetSkill: 9C 9F D5 00 ? ? ? ? 9D 9F D5 00 [Follow first call above]
// The returned pointer is dereferenced at +04 with no null check.
mov eax,[eax+04]
mov esi,eax
push 00 // SKILLENTRY **ppSkillEntry
push Skill_ID // int nSkillID
mov ecx,ebx // CUserLocal *this
call 020454A0 // CUserLocal::GetSkillLevel: 68 11 12 42 00 [Follow first call above]
push 00 // void* unknown added in GMS v.188.2
push 00 // int nBySummonedID
push 00 // int nSkillCastItemPos
push 00 // unsigned int nRandForMortalBlowAction
push 00 // int tKeyDown
push 00 // int bMortalBlow
// No `#` prefix here, unlike the decimal constants above.
push 41 // int nShootRange0
push eax // int nSLV
push esi // SKILLENTRY *pSkill
mov ecx,ebx // CUserLocal *this
call 0200E0D0 // CUserLocal::TryDoingShootAttack: 0F ? ? ? ? ? 0F ? ? ? ? ? ? FF ? ? ? ? ? ? 84 [Scroll down]
jmp Ending

Ending:
jmp 01FCAA30+5

01FCAA30:
jmp CUserLocal__Update_Hook

[DISABLE]
01FCAA30: // CUserLocal::Update: E8 ? ? ? ? 8B ? ? ? ? ? 8B ? ? 89 ? ? 85 ? 74 ? 83 ? ? 8D ? ? 50 FF 15 ? ? ? ? 85 ? 75 ? 8B ? ? ? ? ? 85 ? 74 ? C6 ? ? ? 8D ? ? ? FF 15 ? ? ? ? 85 ? 74 ? 8B ? 8B ? 6A 01 8B [Start]
push ebp
mov ebp,esp
push -01

dealloc(CUserLocal__Update_Hook)
dealloc(Time)```

BW FMA (Don't know why the cunts on gk are saying it ab lol... I actually got to level 100 on my bw no problem)

```
// Two call-site redirections, both driven purely by client-side state.
// (1) The call at 01178B99 to CMobPool::FindHitMobInRect goes through a stub
//     that overwrites the first stack argument with the address of
//     (CWvsPhysicalSpace2D + 0C) and then jumps to the original function.
// (2) The call at 0131E15A inside CMob::GetPos goes through a stub that
//     stores the local character's X and Y into [esi] and [esi+04] around
//     the original call.
// Globals, offsets and call targets are absolute values for the author's
// client build.
[ENABLE]
alloc(CMobPool__FindHitMobInRect_Hook,128)
alloc(CMob__GetPos_Hook,128)

CMobPool__FindHitMobInRect_Hook:
mov eax,[02D83230] // CWvsPhysicalSpace2D: 8B 0D ? ? ? ? 6A 01 6A 00 68
lea eax,[eax+0C] // Left Wall Offset
// Reached via `call`, so [esp] is the return address and [esp+04] is the
// first stack argument of the original callee.
mov [esp+04],eax
// jmp rather than call: the original function returns straight to 01178B99+5.
jmp 01367FF0 // Original opcode

CMob__GetPos_Hook:
mov eax,[02D82708] // CUserLocal: 8B 3D ? ? ? ? 8B CF F3
mov eax,[eax+013B64] // Character X Location Offset: 89 8F ? ? ? ? 8B CF 8B 40 04 89
mov [esi],eax
call 007D5B20 // Original Opcode
// eax returned by the original call is overwritten by the two loads below.
mov eax,[02D82708] // CUserLocal: 8B 3D ? ? ? ? 8B CF F3
mov eax,[eax+013B68] // Character Y Location Offset: Character X Location Offset + 04
mov [esi+04],eax
jmp 0131E15A+5

01178B99:
call CMobPool__FindHitMobInRect_Hook

0131E15A:
jmp CMob__GetPos_Hook

[DISABLE]
01178B99: // CForceAtom_NonTargetAttack::UpdateAttackCollision: E8 ? ? ? ? 89 ? ? ? ? ? ? ? ? ? ? ? FF 15 [First Result]
call 01367FF0 // CMobPool::FindHitMobInRect

0131E15A: // CMob::GetPos: E8 ? ? ? ? 89 ? ? 8B ? 5F 5E 5D C2 04 00 [Ninth result from last green result]
call 007D5B20 // TSecType<long>::GetData

dealloc(CMobPool__FindHitMobInRect_Hook)
dealloc(CMob__GetPos_Hook)```

Auto Rune:

```
// Two patches. (1) A detour on the first 5 bytes of the function the author
// labels CRuneStoneMgrForClient::Update: the stub replays the overwritten
// prologue, calls NoticeInRect, then calls KeyInput four times with the
// values 25/26/27/28, and resumes at +5. (2) The first byte of
// CUserLocal::ResetRuneStoneActionAndSendFailPacket is replaced with C3
// (`ret`), so that function returns immediately; [DISABLE] restores 55
// (`push ebp`).
// NOTE(review): ebx is overwritten without being saved and ecx is not
// reloaded before the jump back into the original function.
[ENABLE]
alloc(Hook,128)

Hook:
push ebp
mov ebp,esp
push -01
mov ebx,ecx // CRuneStoneMgrForClient: 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B ? E8
mov ecx,ebx
call 0152AB30 // CRuneStoneMgrForClient::NoticeInRect: E8 ? ? ? ? A1 ? ? ? ? 89 ? ? 85 C0 0F 84 [Fifth result & start]
// All four directions are submitted on every pass, in a fixed order,
// regardless of what sequence is being asked for.
push 25 // Left arrow
mov ecx,ebx
call 0152B830 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 26 // Up arrow
mov ecx,ebx
call 0152B830 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 27 // Right arrow
mov ecx,ebx
call 0152B830 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 28 // Down arrow
mov ecx,ebx
call 0152B830 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
jmp 0152A3C0+5

0152A3C0:
jmp Hook

02071490:
db C3

[DISABLE]
0152A3C0: // CRuneStoneMgrForClient::Update: E8 ? ? ? ? 8B 0D ? ? ? ? 85 ? 74 ? ? E8 ? ? ? ? 8B 0D [Before last green result]
push ebp
mov ebp,esp
push -01

02071490: // CUserLocal::ResetRuneStoneActionAndSendFailPacket: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow second call]
db 55

dealloc(Hook)```

Beholder's shit(ya i use the same hook point cuz i was testing shits but you can combine them all into 1 or do what ever):

Beholder infinite heal:

```
// Detour on the 5-byte `call 0213CC30` (labelled get_update_time) that the
// author places in CSummoned::Update. The stub makes the original call, then
// calls the function labelled CSummoned::TryDoingHeal with tCur = 0 and
// this = esi on every pass, and resumes at +5.
// NOTE(review): eax returned by the original call is not preserved across the
// added call, so the code at +5 sees the second call's return value.
[ENABLE]
alloc(Hook,128)

Hook:
call 0213CC30 // Original Opcode
push 00 // int tCur
mov ecx,esi // CSummoned *this
call 015BACC0 // CSummoned::TryDoingHeal: 26 01 14 00 [Ninth result & start]
jmp 015BFF2E+5

015BFF2E:
jmp Hook

[DISABLE]
015BFF2E: // CSummoned::Update: E8 ? ? ? ? 8B ? 8B ? ? ? ? ? 89 ? ? 85 ? 0F ? ? ? ? ? 33
call 0213CC30 // get_update_time

dealloc(Hook)```

Beholder Infinite Buff:

```
// Detour on the 5-byte `call 0213CC30` (labelled get_update_time) that the
// author places in CSummoned::Update. The stub makes the original call, then
// calls the function labelled CSummoned::TryDoingGiveBuff with tCur = 0 and
// this = esi on every pass, and resumes at +5.
// NOTE(review): eax returned by the original call is not preserved across the
// added call, so the code at +5 sees the second call's return value.
[ENABLE]
alloc(Hook,128)

Hook:
call 0213CC30 // Original Opcode
push 00 // int tCur
mov ecx,esi // CSummoned *this
call 015BB170 // CSummoned::TryDoingGiveBuff: after call to CSummoned::TryDoingHeal in CSummoned::Update
jmp 015BFF2E+5

015BFF2E:
jmp Hook

[DISABLE]
015BFF2E: // CSummoned::Update: E8 ? ? ? ? 8B ? 8B ? ? ? ? ? 89 ? ? 85 ? 0F ? ? ? ? ? 33
call 0213CC30 // get_update_time

dealloc(Hook)```

Force Beholder Action (bypass cool down and shit) you can use beholder impact (5th job) once you get beholder at level 30 i believe so:

```
/*
Action values listed by the author (pushed below as unknown1):
6 = Evil Eye of Domination
7 = Evil Eye Shock
9 = Beholder's Impact
*/

// Two patches. (1) A detour on the 5-byte `call 0213CC30` in the function the
// author labels CSummoned::Update: the stub makes the original call and, at
// most once per 500 ms of GetTickCount time, calls the function labelled
// CSummoned::TryDoingAttackManual with bForce = 1 and action 9. (2) At
// 015B83A4 a `push 1` (6A 01) becomes `push 0` (6A 00).
// NOTE(review): eax returned by the original call is overwritten by
// GetTickCount before the code at +5 runs, and ebx is overwritten without
// being saved.
[ENABLE]
alloc(Hook,128)
alloc(Time,4)
label(Ending)

// Tick count of the last time the attack call was issued.
Time:
dd 0

Hook:
call 0213CC30 // Original Opcode
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#500 // Delay in milliseconds
jl Ending
mov [Time],eax
push 00 // void *unknown2 (skill id)
push #9 // void *unknown1 (action)
push 01 // int bForce
// tCur is read from a client global (+1C) rather than taken from the
// original call's return value.
mov ebx,[02D831E0] // 8D 8E ? ? 00 00 E8 ? ? ? ? E8 ? ? ? ? 50 [Follow second call]
mov ebx,[ebx+1C]
push ebx // int tCur
mov ecx,esi // CSummoned *this
call 015B5590 // CSummoned::TryDoingAttackManual: 55 8B EC 6A FF 68 ? ? ? ? 64 A1 00 00 00 00 50 B8 ? ? ? ? E8 ? ? ? ? A1 ? ? ? ? 33 C5 89 ? ? 53 56 57 50 8D ? ? 64 A3 00 00 00 00 89 ? ? ? ? ? C7 [Third result]
jmp Ending

Ending:
jmp 015BFF2E+5

015BFF2E:
jmp Hook

015B83A4:
db 6A 00

[DISABLE]
015BFF2E: // CSummoned::Update: E8 ? ? ? ? 8B ? 8B ? ? ? ? ? 89 ? ? 85 ? 0F ? ? ? ? ? 33
call 0213CC30 // get_update_time

015B83A4: // E8 ? ? ? ? 6A 01 8B ? ? ? ? ? E8 ? ? ? ? 83 [Address below] (Follow call =  CSummoned::PrepareActionLayer)
db 6A 01

dealloc(Hook)
dealloc(Time)```

Edited by Korgon

Monster Mind Control (to be used with auto aggro):

```
// Six detours in the functions the author labels
// CVecCtrlMob::CtrlUpdateActiveMove / Jump / Fly. Each original site reads a
// coordinate through a pointer ([eax], [eax+04], [esi], [esi+04]); each stub
// substitutes the fixed values stored at X and Y instead and resumes after
// the overwritten bytes. The coordinates the movement code works with are
// therefore constants chosen in this script, not the values the client
// computed.
[ENABLE]
alloc(CVecCtrlMob__CtrlUpdateActiveMove_Hook,128)
alloc(CVecCtrlMob__CtrlUpdateActiveJump_Hook,128)
alloc(CVecCtrlMob__CtrlUpdateActiveFlyX_Hook,128)
alloc(CVecCtrlMob__CtrlUpdateActiveFlyY_Hook,128)
alloc(CVecCtrlMob__CtrlUpdateActiveFlyX2_Hook,128)
alloc(CVecCtrlMob__CtrlUpdateActiveFlyY2_Hook,128)
alloc(X,4)
alloc(Y,4)

// `#` marks a decimal constant: X = 500, Y = 200.
X:
dd #500

Y:
dd #200

CVecCtrlMob__CtrlUpdateActiveMove_Hook:
movd xmm1,[X]
xor eax,eax
jmp 02115A33+6

CVecCtrlMob__CtrlUpdateActiveJump_Hook:
movd xmm1,[X]
xor eax,eax
jmp 02116263+6

CVecCtrlMob__CtrlUpdateActiveFlyX_Hook:
push [X]
call 007F84D0
jmp 02116798+7

CVecCtrlMob__CtrlUpdateActiveFlyY_Hook:
mov eax,[Y]
push eax
call 007F84D0
jmp 021167B6+9

CVecCtrlMob__CtrlUpdateActiveFlyX2_Hook:
push [X]
lea ecx,[edi+0C]
jmp 02116819+5

CVecCtrlMob__CtrlUpdateActiveFlyY2_Hook:
push [Y]
mov ecx,edi
jmp 02116823+5

// Each site below is a 5-byte jmp padded with nops (90) up to the length of
// the instructions it replaces: 6, 6, 7, 9, 5 and 5 bytes, matching the
// +N resume offsets used by the stubs above.
02115A33:
jmp CVecCtrlMob__CtrlUpdateActiveMove_Hook
db 90

02116263:
jmp CVecCtrlMob__CtrlUpdateActiveJump_Hook
db 90

02116798:
jmp CVecCtrlMob__CtrlUpdateActiveFlyX_Hook
db 90 90

021167B6:
jmp CVecCtrlMob__CtrlUpdateActiveFlyY_Hook
db 90 90 90 90

02116819:
jmp CVecCtrlMob__CtrlUpdateActiveFlyX2_Hook

02116823:
jmp CVecCtrlMob__CtrlUpdateActiveFlyY2_Hook

[DISABLE]
/* All these addresses can be easily obtained with CUser::GetPos (Return Address) */

02115A33: // CVecCtrlMob::CtrlUpdateActiveMove: 66 ? ? ? 31 ? F3 [First result]
movd xmm1,[eax]
xor eax,eax

02116263: // CVecCtrlMob::CtrlUpdateActiveJump: 66 ? ? ? 31 ? F3 [Second result]
movd xmm1,[eax]
xor eax,eax

02116798: // CVecCtrlMob::CtrlUpdateActiveFly: FF ? E8 ? ? ? ? 8B ? ? ? ? ? 8D ? ? 52
push [eax]
call 007F84D0 // TSecType<long>::SetData

021167B6: // CVecCtrlMob::CtrlUpdateActiveFly: 8B ? ? 50 E8 ? ? ? ? 8B ? ? ? ? ? E8 ? ? ? ? 85
mov eax,[eax+04]
push eax
call 007F84D0 // TSecType<long>::SetData

02116819: // CVecCtrlMob::CtrlUpdateActiveFly: FF ? 8D ? ? E8 ? ? ? ? FF ? ? 8B [Last Green Result & push [esi]]
push [esi]
lea ecx,[edi+0C]

02116823: // CVecCtrlMob::CtrlUpdateActiveFly: FF ? 8D ? ? E8 ? ? ? ? FF ? ? 8B [Last Green Result & push [esi+04]]
push [esi+04]
mov ecx,edi

dealloc(CVecCtrlMob__CtrlUpdateActiveMove_Hook)
dealloc(CVecCtrlMob__CtrlUpdateActiveJump_Hook)
dealloc(CVecCtrlMob__CtrlUpdateActiveFlyX_Hook)
dealloc(CVecCtrlMob__CtrlUpdateActiveFlyY_Hook)
dealloc(CVecCtrlMob__CtrlUpdateActiveFlyX2_Hook)
dealloc(CVecCtrlMob__CtrlUpdateActiveFlyY2_Hook)
dealloc(X)
dealloc(Y)```

Auto AP (Auto assign ap):

```
// Two patches. (1) A detour on the 5-byte `call 02098B30` in the function the
// author labels CWvsContext::Update: the stub makes the original call, reads
// the AP value through the labelled getter and, when it is non-zero, pushes
// -1 and calls the function labelled CUIStat::AutoApUp. (2) The 5-byte call
// to CUtilDlg::YesNo at 01C95288 is replaced with B8 06 00 00 00
// (`mov eax,6`), so the code after it sees a fixed result of 6 without the
// dialog call being made.
// NOTE(review): eax returned by the original call is overwritten before the
// code at +5 runs, and ecx is not set explicitly before `call 01C94D40`.
[ENABLE]
alloc(Hook,128)
label(Ending)

Hook:
call 02098B30 // Original Opcode
mov ecx,ebx // CWvsContext: 8D ? ? 53 56 57 50 E8 [mov ecx above]
mov ecx,[ecx+223C] // CWvsContext::GetCharacterData: 8D ? ? 53 56 57 50 E8 [Follow call]
call 01C97540 // GW_CharacterStat::_ZtlSecureGet_nAP: E8 ? ? ? ? 6A ? FF ? ? 98 [First result(CUIStat::Draw) & Follow call]
// cwde sign-extends ax into eax, i.e. the getter's result is treated as 16-bit.
cwde
cmp eax,0
je Ending
push -01
call 01C94D40 // CUIStat::OnButtonClicked (CUIStat::AutoApUp) C2 04 00 6A 01 E8 ? ? ? ? [Result 14/20 & follow call]
jmp Ending

Ending:
jmp 021C5294+5

021C5294:
jmp Hook

01C95288:
db B8 06 00 00 00

[DISABLE]
021C5294: // CWvsContext::Update: E8 ? ? ? ? 83 ? ? ? ? ? ? 8B ? 89 ? ? 75 ? 89
call 02098B30 // get_update_time

01C95288: // E8 ? ? ? ? 83 ? ? 83 ? ? 75 ? 8D ? ? 8B [Last Green Result]
call 020B69B0 // CUtilDlg::YesNo

dealloc(Hook)```

For Xenon jobs:

replace with:

push #2015 // STR = 2013, DEX = 2014, LUK = 2015
call 01C952F0// CUIStat::OnButtonClicked (CUIStat::AutoApUp) C2 04 00 6A 01 E8 ? ? ? ? [Result 14/20 & scroll down] CUIStat::AutoApUpXenon

For Demon avenger or hp based job

replace with

call 01C950C0// CUIStat::OnButtonClicked (CUIStat::AutoApUp) C2 04 00 6A 01 E8 ? ? ? ? [Result 14/20 & scroll up] CUIStat::AutoApHPBasedJob


I hope you know I love you Korgon <3 (and other leechers like me :3 )

Edited by misterdave35

```
// Three-byte overwrite at the entry of the function the author reaches from
// CWvsContext::OnEnterField: 33 C0 is `xor eax,eax`, C3 is `ret`, so the
// function returns 0 immediately without running its body.
// NOTE(review): [DISABLE] is empty, so the original bytes are not restored
// when the script is toggled off.
[ENABLE]
02230AB0: // CWvsContext::OnEnterField: E8 ? ? ? ? 8B ? ? 83 ? ? 8B ? 89 ? ? 8D [First result(CField::Init) & follow call]
db 33 C0 C3

[DISABLE]```

This bypasses the two mscrc. No need to manually get the 2 crc each patch and update the register.

If I find more stuff in my hdd ill post.

Edited by Korgon

good shit <3

Taking your leave now that you've been found out aasdf? Sounds about right, see you on one of your next alternate accounts (probably next week).

You're a beast, no I'm not the fag apollo from GK.

Do you mind submitting these to the Scripts Database?


2 hours ago, Razz said:

Do you mind submitting these to the Scripts Database?

I'm lazy and posting a thread was faster. I left aobs and function names for people to easily update them so they can post in the script database if they wish.

Force summon to do their "normal attack":

```
// Detour on the 5-byte `call 0213CC50` (labelled get_update_time) that the
// author places in CSummoned::Update. The stub makes the original call, then
// calls the function labelled CSummoned::TryDoingAttack with nAIType = 0,
// tCur = 0 and this = esi on every pass, and resumes at +5.
// NOTE(review): eax returned by the original call is not preserved across the
// added call, so the code at +5 sees the second call's return value.
[ENABLE]
alloc(Hook,128)

Hook:
call 0213CC50 // Original Opcode
push 00 // int nAIType
push 00 // int tCur
mov ecx,esi // CSummoned *this
call 015AFE20 // CSummoned::TryDoingAttack: 55 8B EC 6A FF 68 ? ? ? ? 64 A1 00 00 00 00 50 B8 ? ? ? ? E8 ? ? ? ? A1 ? ? ? ? 33 C5 89 ? ? 53 56 57 50 8D ? ? 64 A3 00 00 00 00 89 ? ? ? ? ? C7 [Second result]
jmp 015BFF0E+5

015BFF0E:
jmp Hook

[DISABLE]
015BFF0E: // CSummoned::Update: E8 ? ? ? ? 8B ? 8B ? ? ? ? ? 89 ? ? 85 ? 0F ? ? ? ? ? 33
call 0213CC50 // get_update_time

dealloc(Hook)```

example:

Robo Launcher RM7 mech 2nd job:


sweet stuff man. I appreciate the contributions, even if you are aasdf

56 minutes ago, Korgon said:

I'm lazy and posting a thread was faster. I left aobs and function names for people to easily update them so they can post in the script database if they wish.

Force summon to do their "normal attack":

```

[ENABLE]
alloc(Hook,128)

Hook:
call 0213CC50 // Original Opcode
push 00 // int nAIType
push 00 // int tCur
mov ecx,esi // CSummoned *this
call 015AFE20 // CSummoned::TryDoingAttack: 55 8B EC 6A FF 68 ? ? ? ? 64 A1 00 00 00 00 50 B8 ? ? ? ? E8 ? ? ? ? A1 ? ? ? ? 33 C5 89 ? ? 53 56 57 50 8D ? ? 64 A3 00 00 00 00 89 ? ? ? ? ? C7 [Second result]
jmp 015BFF0E+5

015BFF0E:
jmp Hook

[DISABLE]
015BFF0E: // CSummoned::Update: E8 ? ? ? ? 8B ? 8B ? ? ? ? ? 89 ? ? 85 ? 0F ? ? ? ? ? 33
call 0213CC50 // get_update_time

dealloc(Hook)```

example:

Robo Launcher RM7 mech 2nd job:

So that script is like this one??


//ULTIMOCSM  A272C5
[enable]
alloc(hook, 128)
label(return)

015403AA: //8B 86 B4 01 00 00 48 83 F8 0D 0F 87 (PRIMERO)
jmp hook
nop
return:

hook: //beholder summon hook
mov [esi+000001B4], 1
mov eax,[esi+000001B4] //a diff function checks this value so modify it i guess
jmp return

0133EF9D://7E 3D 8B 86 A0 01 00 00 3D B5 29 27 02 (PRIMERO)
db 90 90

01297530://8B 4C 24 04 81 F9 C1 F5 E9 01 0F 8F 96 (RPIMERO)
xor eax, eax
ret
nop

0133EF34://7E 10 81 BE A0 01 00 00 A0 BC C4 04 (PRIMERO)
db eb

[disable]

015403AA: //8B 86 B4 01 00 00 48 83 F8 0D 0F 87 (PRIMERO)
mov eax,[esi+000001B4] // ES SU COSA

0133EF9D: //7E 3D 8B 86 A0 01 00 00 3D B5 29 27 02 (PRIMERO)
db 7e 3d

01297530: //8B 4C 24 04 81 F9 C1 F5 E9 01 0F 8F 96 (RPIMERO)
mov ecx,[esp+04]

0133EF34: //7E 10 81 BE A0 01 00 00 A0 BC C4 04 (PRIMERO)
db 7e

That one is for Beholder Summon fast attack on ver 183.x

i dont even know what that script is or what it does.

It works like the script that you posted, but it also works with kshin of kanna, and every summon does a fast attack. But I can't update that script; all the AoBs are broken ...

i only tested mine with mechanic summon so idk about other jobs summon. but i know that the script force summon to do their "normal attack"

Auto AP seems to just spam the auto ap box until I crash (Blaze Wizard). Am I missing something or did I update incorrectly?


//v188.3

[Enable]

alloc(Hook,128)
label(Ending)

Hook:
call 0213CC50 // Original Opcode
mov ecx,ebx // CWvsContext: 8D ? ? 53 56 57 50 E8 [mov ecx above]
mov ecx,[ecx+2240] // CWvsContext::GetCharacterData: 8D ? ? 53 56 57 50 E8 [Follow call]
call 01D40B90 // GW_CharacterStat::_ZtlSecureGet_nAP: E8 ? ? ? ? 6A ? FF ? ? 98 [First result(CUIStat::Draw) & Follow call]
cwde
cmp eax,0
je Ending
push -01
call 01D3E330 // CUIStat::OnButtonClicked (CUIStat::AutoApUp) C2 04 00 6A 01 E8 ? ? ? ? [Result 14/20 & follow call]
jmp Ending

Ending:
jmp 022707E4+5

022707E4:
jmp Hook

01D3E878:
db B8 06 00 00 00

[Disable]

022707E4: // CWvsContext::Update: E8 ? ? ? ? 83 ? ? ? ? ? ? 8B ? 89 ? ? 75 ? 89
call 0213CC50 // get_update_time

01D3E878: // E8 ? ? ? ? 83 ? ? 83 ? ? 75 ? 8D ? ? 8B [Last Green Result]
call 0215B070 // CUtilDlg::YesNo

dealloc(Hook)

1 minute ago, misterdave35 said:

Auto AP seems to just spam the auto ap box until I crash (Blaze Wizard). Am I missing something or did I update incorrectly?


//v188.3

[Enable]

alloc(Hook,128)
label(Ending)

Hook:
call 0213CC50 // Original Opcode
mov ecx,ebx // CWvsContext: 8D ? ? 53 56 57 50 E8 [mov ecx above]
mov ecx,[ecx+2240] // CWvsContext::GetCharacterData: 8D ? ? 53 56 57 50 E8 [Follow call]
call 01D40B90 // GW_CharacterStat::_ZtlSecureGet_nAP: E8 ? ? ? ? 6A ? FF ? ? 98 [First result(CUIStat::Draw) & Follow call]
cwde
cmp eax,0
je Ending
push -01
call 01D3E330 // CUIStat::OnButtonClicked (CUIStat::AutoApUp) C2 04 00 6A 01 E8 ? ? ? ? [Result 14/20 & follow call]
jmp Ending

Ending:
jmp 022707E4+5

022707E4:
jmp Hook

01D3E878:
db B8 06 00 00 00

[Disable]

022707E4: // CWvsContext::Update: E8 ? ? ? ? 83 ? ? ? ? ? ? 8B ? 89 ? ? 75 ? 89
call 0213CC50 // get_update_time

01D3E878: // E8 ? ? ? ? 83 ? ? 83 ? ? 75 ? 8D ? ? 8B [Last Green Result]
call 0215B070 // CUtilDlg::YesNo

dealloc(Hook)

[ENABLE]
alloc(Hook,128)
label(Ending)

Hook:
call 0213CC50 // Original Opcode
mov ecx,ebx // CWvsContext: 8D ? ? 53 56 57 50 E8 [mov ecx above]
mov ecx,[ecx+2240] // CWvsContext::GetCharacterData: 8D ? ? 53 56 57 50 E8 [Follow call]
call 01D40B90 // GW_CharacterStat::_ZtlSecureGet_nAP: E8 ? ? ? ? 6A ? FF ? ? 98 [First result(CUIStat::Draw) & Follow call]
cwde
cmp eax,0
je Ending
push -01
call 01D3E330// CUIStat::OnButtonClicked (CUIStat::AutoApUp) C2 04 00 6A 01 E8 ? ? ? ? [Result 14/20 & follow call]
jmp Ending

Ending:
jmp 022707E4+5

022707E4:
jmp Hook

01D3E63D:
db B8 06 00 00 00

[DISABLE]
022707E4: // CWvsContext::Update: E8 ? ? ? ? 83 ? ? ? ? ? ? 8B ? 89 ? ? 75 ? 89
call 0213CC50 // get_update_time

01D3E63D: // E8 ? ? ? ? 83 ? ? 83 ? ? 75 ? 8B ? ? 8D [Third result starting from last green result]
call 0215B070 // CUtilDlg::YesNo

dealloc(Hook)

should work


```
// Detour on the 5-byte `call 0213CC50` (labelled get_update_time) that the
// author places in CSummoned::Update. The stub makes the original call and,
// at most once per 300 ms of GetTickCount time, calls the function labelled
// CSummoned::TryDoingTaslaCoilAttack with tCur = 0 and this = esi, then
// resumes at +5.
// NOTE(review): eax returned by the original call is overwritten by
// GetTickCount before the code at +5 runs, and Time is allocated in [ENABLE]
// but has no matching dealloc in [DISABLE].
[ENABLE]
alloc(Hook,128)
alloc(Time,4)
label(Ending)

// Tick count of the last time the attack call was issued.
Time:
dd 0

Hook:
call 0213CC50 // Original Opcode
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#300 // Delay in milliseconds
jl Ending
mov [Time],eax
push 00 // int tCur
mov ecx,esi // CSummoned *this
call 015BBD30 // CSummoned::TryDoingTaslaCoilAttack: 55 8B EC 6A FF 68 ? ? ? ? 64 A1 00 00 00 00 50 B8 ? ? ? ? E8 ? ? ? ? A1 ? ? ? ? 33 C5 89 ? ? 53 56 57 50 8D ? ? 64 A3 00 00 00 00 89 ? ? ? ? ? C7 ? ? ? ? ? ? ? ? ? 8B [Third result]
jmp Ending

Ending:
jmp 015BFF0E+5

015BFF0E:
jmp Hook

[DISABLE]
015BFF0E: // CSummoned::Update: E8 ? ? ? ? 8B ? 8B ? ? ? ? ? 89 ? ? 85 ? 0F ? ? ? ? ? 33
call 0213CC50 // get_update_time

dealloc(Hook)```

Rock n' Shock (Mech 3rd job): worthless shit, dc after sometimes. Fun fact: in the kmst pdb, in some function names it's spelled tesla or tasla:


Sorry to ask again, but looks like Auto Rune is causing a runtime error when enabled. I'm going to assume I updated it incorrectly?


[ENABLE]

alloc(Hook,128)

Hook:
push ebp
mov ebp,esp
push -01
mov ebx,ecx // CRuneStoneMgrForClient: 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B ? E8
mov ecx,ebx
call 0152AB10 // CRuneStoneMgrForClient::NoticeInRect: E8 ? ? ? ? A1 ? ? ? ? 89 ? ? 85 C0 0F 84 [Fifth result & start]
push 25 // Left arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 26 // Up arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput
push 27 // Right arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput
push 28 // Down arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput
jmp 0152A3A0+5

0152A3A0:
jmp Hook

020714B0:
db C3

[DISABLE]
0152A3A0: // CRuneStoneMgrForClient::Update: E8 ? ? ? ? 8B 0D ? ? ? ? 85 ? 74 ? ? E8 ? ? ? ? 8B 0D [Before last green result & Follow Call]
push ebp
mov ebp,esp
push -01

020714B0: // CUserLocal::ResetRuneStoneActionAndSendFailPacket: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow second call]
db 55

dealloc(Hook)

Auto Rune / Doesnt work.

14 hours ago, misterdave35 said:

Sorry to ask again, but looks like Auto Rune is causing a runtime error when enabled. I'm going to assume I updated it incorrectly?


[ENABLE]

alloc(Hook,128)

Hook:
push ebp
mov ebp,esp
push -01
mov ebx,ecx // CRuneStoneMgrForClient: 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B ? E8
mov ecx,ebx
call 0152AB10 // CRuneStoneMgrForClient::NoticeInRect: E8 ? ? ? ? A1 ? ? ? ? 89 ? ? 85 C0 0F 84 [Fifth result & start]
push 25 // Left arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 26 // Up arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput
push 27 // Right arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput
push 28 // Down arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput
jmp 0152A3A0+5

0152A3A0:
jmp Hook

020714B0:
db C3

[DISABLE]
0152A3A0: // CRuneStoneMgrForClient::Update: E8 ? ? ? ? 8B 0D ? ? ? ? 85 ? 74 ? ? E8 ? ? ? ? 8B 0D [Before last green result & Follow Call]
push ebp
mov ebp,esp
push -01

020714B0: // CUserLocal::ResetRuneStoneActionAndSendFailPacket: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow second call]
db 55

dealloc(Hook)

Addresses looks correct to me. what runtime error?

@wshh Be specific...? https://gyazo.com/c4ab10a788b7d94a4e36f17388b79034

You need to be close to the rune to do it.

Unlimited summon + time:

```
/*
CUser::AddSummonedList: A9 F3 B8 00 [Eleventh result from last green result & start]
In CUser::AddSummonedList, the third call in the function is ZList<ZRef<CSummoned>>::RemoveAt
*/
// Three-byte patch at 015EA100, presumably the first bytes of the function the note
// above calls CUser::AddSummonedList ("& start").
// NOTE(review): the patch only has an effect if summon count and duration are limited
// by this client routine alone; a server that tracks summon lifetime itself does not
// depend on the client running it.

[ENABLE]
015EA100: // Unlimited Summon + Time
// C2 04 00 encodes `ret 4`: return immediately and release four bytes of arguments,
// so the rest of the function (including the RemoveAt call named above) does not run.
db C2 04 00

[DISABLE]
015EA100:
// 55 8B EC is push ebp / mov ebp,esp, written back as the original bytes.
db 55 8B EC```

Edited by Korgon

I see, @Korgon, that's where I made the mistake: I wasn't close to the rune. Do I have to move to the next place it spawns after using auto rune the first time?

1 hour ago, Korgon said:

Addresses looks correct to me. what runtime error?

45 minutes ago, misterdave35 said:

idk never happened to me before

try doing this perhaps:

1.enable it in game

2. disable it

3.Comment out line 12 & 13 (CRuneStoneMgrForClient::StartKeyInput)

4.Enable it.

5. Be close to the rune and try.

```
// Cheat Engine auto-assembler script: inline detour at 0152A3A0 plus a one-byte patch
// at 020714B0. [DISABLE] writes the original instructions back and frees the allocation.
// Function names are the poster's labels; the byte strings after them are the poster's
// search patterns (? presumably a wildcard byte).
// NOTE(review): both writes alter client code at fixed addresses, so a code-integrity
// check over these ranges would presumably differ from the shipped image; whether the
// client performs one is not shown here.
[ENABLE]
alloc(Hook,128)

// Hook: repeats the three instructions that [DISABLE] restores at 0152A3A0, makes the
// added calls, then continues in the original function at 0152A3A0+5.
Hook:
push ebp
mov ebp,esp
push -01
// ecx on entry is kept in ebx and copied back into ecx before each call below.
mov ebx,ecx // CRuneStoneMgrForClient: 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B ? E8
mov ecx,ebx
call 0152AB10 // CRuneStoneMgrForClient::NoticeInRect: E8 ? ? ? ? A1 ? ? ? ? 89 ? ? 85 C0 0F 84 [Fifth result & start]
// This version also calls the routine labelled StartKeyInput, with no pushed arguments.
mov ecx,ebx
call 0152AF40 // CRuneStoneMgrForClient::StartKeyInput: 68 F8 2A 00 00 6A 01 [First result & follow third call]
// Auto-assembler literals are hexadecimal: 25, 26, 27, 28 are the Windows virtual-key
// codes VK_LEFT, VK_UP, VK_RIGHT, VK_DOWN. All four are passed on every run of the hook.
push 25 // Left arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 26 // Up arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 27 // Right arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 28 // Down arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
// Continue after the bytes replaced at 0152A3A0 (the three instructions above total five bytes).
jmp 0152A3A0+5

// Detour: the start of the function labelled CRuneStoneMgrForClient::Update now jumps to Hook.
0152A3A0:
jmp Hook

// C3 is a near ret, so the function labelled CUserLocal::ResetRuneStoneActionAndSendFailPacket
// returns at once. NOTE(review): a server should not rely on this client-side report as
// its only signal of a failed rune attempt.
020714B0:
db C3

[DISABLE]
// Restores the three original instructions (five bytes) overwritten by the detour.
0152A3A0: // CRuneStoneMgrForClient::Update: E8 ? ? ? ? 8B 0D ? ? ? ? 85 ? 74 ? ? E8 ? ? ? ? 8B 0D [Before last green result & Follow Call]
push ebp
mov ebp,esp
push -01

// 55 is push ebp, the original first byte of this function.
020714B0: // CUserLocal::ResetRuneStoneActionAndSendFailPacket: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow second call]
db 55

dealloc(Hook)```

Edit: or just use this maybe (forget everything before):


```
// Cheat Engine auto-assembler script with two allocations. Hook is an inline detour
// for 0152A3A0; Hook2 is a separate stub around the routine labelled StartKeyInput.
// [DISABLE] writes the original instructions back and frees both allocations.
// Function names are the poster's labels; the byte strings after them are the poster's
// search patterns (? presumably a wildcard byte).
// NOTE(review): the writes at 0152A3A0 and 020714B0 alter client code at fixed
// addresses, so a code-integrity check over these ranges would presumably differ from
// the shipped image; whether the client performs one is not shown here.
[ENABLE]
alloc(Hook,128)
alloc(Hook2,128)

// Hook2: loads ecx from the fixed address 02D89C30 and calls StartKeyInput, then returns.
// No other line in this script refers to Hook2.
Hook2:
mov ecx,[02D89C30] // CRuneStoneMgrForClient: bp CRuneStoneMgrForClient::Update and check ecx
call 0152AF40 // CRuneStoneMgrForClient::StartKeyInput: 68 F8 2A 00 00 6A 01 [First result & follow third call]
ret

// Hook: repeats the three instructions that [DISABLE] restores at 0152A3A0, makes the
// added calls, then continues in the original function at 0152A3A0+5.
Hook:
push ebp
mov ebp,esp
push -01
// ecx on entry is kept in ebx and copied back into ecx before each call below.
mov ebx,ecx // CRuneStoneMgrForClient: 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B ? E8
mov ecx,ebx
call 0152AB10 // CRuneStoneMgrForClient::NoticeInRect: E8 ? ? ? ? A1 ? ? ? ? 89 ? ? 85 C0 0F 84 [Fifth result & start]
// Auto-assembler literals are hexadecimal: 25, 26, 27, 28 are the Windows virtual-key
// codes VK_LEFT, VK_UP, VK_RIGHT, VK_DOWN. All four are passed on every run of the hook.
push 25 // Left arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 26 // Up arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 27 // Right arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 28 // Down arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
// Continue after the bytes replaced at 0152A3A0 (the three instructions above total five bytes).
jmp 0152A3A0+5

// Detour: the start of the function labelled CRuneStoneMgrForClient::Update now jumps to Hook.
0152A3A0:
jmp Hook

// C3 is a near ret, so the function labelled CUserLocal::ResetRuneStoneActionAndSendFailPacket
// returns at once. NOTE(review): a server should not rely on this client-side report as
// its only signal of a failed rune attempt.
020714B0:
db C3

[DISABLE]
// Restores the three original instructions (five bytes) overwritten by the detour.
0152A3A0: // CRuneStoneMgrForClient::Update: E8 ? ? ? ? 8B 0D ? ? ? ? 85 ? 74 ? ? E8 ? ? ? ? 8B 0D [Before last green result & Follow Call]
push ebp
mov ebp,esp
push -01

// 55 is push ebp, the original first byte of this function.
020714B0: // CUserLocal::ResetRuneStoneActionAndSendFailPacket: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow second call]
db 55

dealloc(Hook)
dealloc(Hook2)```

keep in mind this only do the arrow input, you need to be close to the rune to do it. Either find the rune x,y and teleport to it or spoof CUser::GetPos to the rune x,y.

Edited by Korgon

42 minutes ago, Korgon said:

idk never happened to me before

try doing this perhaps:

1.enable it in game

2. disable it

3.Comment out line 12 & 13 (CRuneStoneMgrForClient::StartKeyInput)

4.Enable it.

5. Be close to the rune and try.

```

// Quoted copy of a Cheat Engine auto-assembler script: inline detour at 0152A3A0 plus
// a one-byte patch at 020714B0; [DISABLE] restores the original bytes.
// Function names are the poster's labels; the byte strings are the poster's search
// patterns (? presumably a wildcard byte).
// NOTE(review): both writes alter client code at fixed addresses; a code-integrity
// check over these ranges would presumably catch the change — not shown here whether
// the client has one.
[ENABLE]
alloc(Hook,128)

// Hook: same three instructions that [DISABLE] restores at 0152A3A0, then the added
// calls, then a jump back into the original function at 0152A3A0+5.
Hook:
push ebp
mov ebp,esp
push -01
// ecx on entry is kept in ebx and copied back into ecx before each call below.
mov ebx,ecx // CRuneStoneMgrForClient: 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B ? E8
mov ecx,ebx
call 0152AB10 // CRuneStoneMgrForClient::NoticeInRect: E8 ? ? ? ? A1 ? ? ? ? 89 ? ? 85 C0 0F 84 [Fifth result & start]
mov ecx,ebx
call 0152AF40 // CRuneStoneMgrForClient::StartKeyInput: 68 F8 2A 00 00 6A 01 [First result & follow third call]
// Literals are hexadecimal: 25..28 are the Windows virtual-key codes for the arrow keys.
push 25 // Left arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 26 // Up arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 27 // Right arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 28 // Down arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
// Continue after the five bytes replaced at 0152A3A0.
jmp 0152A3A0+5

// Detour: the start of the function labelled CRuneStoneMgrForClient::Update now jumps to Hook.
0152A3A0:
jmp Hook

// C3 is a near ret: the function labelled ...SendFailPacket returns without running.
020714B0:
db C3

[DISABLE]
// Restores the three original instructions (five bytes) overwritten by the detour.
0152A3A0: // CRuneStoneMgrForClient::Update: E8 ? ? ? ? 8B 0D ? ? ? ? 85 ? 74 ? ? E8 ? ? ? ? 8B 0D [Before last green result & Follow Call]
push ebp
mov ebp,esp
push -01

// 55 is push ebp, the original first byte of this function.
020714B0: // CUserLocal::ResetRuneStoneActionAndSendFailPacket: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow second call]
db 55

dealloc(Hook)```

Edit: or just use this maybe (forget everything before):


```

// Quoted copy of a Cheat Engine auto-assembler script with two allocations: Hook is an
// inline detour for 0152A3A0, Hook2 a separate stub around the routine labelled
// StartKeyInput. [DISABLE] restores the original bytes and frees both allocations.
// Function names are the poster's labels; the byte strings are the poster's search
// patterns (? presumably a wildcard byte).
// NOTE(review): the writes at 0152A3A0 and 020714B0 alter client code at fixed
// addresses; a code-integrity check over these ranges would presumably catch the
// change — not shown here whether the client has one.
[ENABLE]
alloc(Hook,128)
alloc(Hook2,128)

// Hook2: loads ecx from the fixed address 02D89C30, calls StartKeyInput and returns.
// No other line in this script refers to Hook2.
Hook2:
mov ecx,[02D89C30] // CRuneStoneMgrForClient: bp CRuneStoneMgrForClient::Update and check ecx
call 0152AF40 // CRuneStoneMgrForClient::StartKeyInput: 68 F8 2A 00 00 6A 01 [First result & follow third call]
ret

// Hook: same three instructions that [DISABLE] restores at 0152A3A0, then the added
// calls, then a jump back into the original function at 0152A3A0+5.
Hook:
push ebp
mov ebp,esp
push -01
// ecx on entry is kept in ebx and copied back into ecx before each call below.
mov ebx,ecx // CRuneStoneMgrForClient: 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B ? E8
mov ecx,ebx
call 0152AB10 // CRuneStoneMgrForClient::NoticeInRect: E8 ? ? ? ? A1 ? ? ? ? 89 ? ? 85 C0 0F 84 [Fifth result & start]
// Literals are hexadecimal: 25..28 are the Windows virtual-key codes for the arrow keys.
push 25 // Left arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 26 // Up arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 27 // Right arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 28 // Down arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
// Continue after the five bytes replaced at 0152A3A0.
jmp 0152A3A0+5

// Detour: the start of the function labelled CRuneStoneMgrForClient::Update now jumps to Hook.
0152A3A0:
jmp Hook

// C3 is a near ret: the function labelled ...SendFailPacket returns without running.
020714B0:
db C3

[DISABLE]
// Restores the three original instructions (five bytes) overwritten by the detour.
0152A3A0: // CRuneStoneMgrForClient::Update: E8 ? ? ? ? 8B 0D ? ? ? ? 85 ? 74 ? ? E8 ? ? ? ? 8B 0D [Before last green result & Follow Call]
push ebp
mov ebp,esp
push -01

// 55 is push ebp, the original first byte of this function.
020714B0: // CUserLocal::ResetRuneStoneActionAndSendFailPacket: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow second call]
db 55

dealloc(Hook)
dealloc(Hook2)```

keep in mind this only do the arrow input, you need to be close to the rune to do it. Either find the rune x,y and teleport to it or spoof CUser::GetPos to the rune x,y.

Yea. Tried both, still get the runtime error. Maybe because I'm on Win10 64bit? Oh wells

Do you do that when you're in game?