
Release Few shits made out of sheer boredom (from gms 187 and up)


while leveling up my test account (mechanic job) I got perma ban from logging out and on too fast so im done. + school started so my dad will uninstall all games on my computer(starting next week)  and monitor me if I use any electronics.

Tubi (filtered all other call to CWvsContext::SetExclRequestSent so will not create a conflict with auto pot aka use more than 1 pot):


[ENABLE]
0225336A: // call below is CWvsContext::SetExclRequestSent
db 6A 00

00D1E656: // Remove loot animation
db 0F 8C

00F5004F: // Remove drop animation (Scan value 1000.00 as double]
db F2 0F 5E

00F453AF: // No item floating (Scan value 1000.00 as double]
db F2 0F 59

[DISABLE]
0225336A: // 8D 8E ? ? 00 00 E8 ? ? ? ? E8 ? ? ? ? 50 [Start]
db 6A 01

00D1E656: // 81 ? BC 02 [Second result & address below]
db 0F 8D

00F5004F: // F2 ? ? ? ? ? ? ? 3B ? 7F
db F2 0F 59

00F453AF: // F2 ? ? ? ? ? ? ? F2 ? ? ? ? ? ? ? F2 ? ? ? ? ? ? ? F2 ? ? ? ? ? ? ? E8 [Third result]
db F2 0F 5E

 

Fly Map (enable then cc/cs or trigger a new session):


[ENABLE]
0233BADC:
db 75

[DISABLE]
0233BADC: // E8 ? ? ? ? 85 ? 74 ? 8B ? ? ? ? ? 6A ? 83 [Second result & je below]
db 74

// follow call = CField::IsFlyingMap

 

Swim Map (enable then cc/cs or trigger a new session):


[ENABLE]
0233BABF:
db 75

[DISABLE]
0233BABF: // E8 ? ? ? ? 85 ? 74 ? 8B ? ? ? ? ? 6A ? 83 [First result & je below]
db 74

// follow call = CField::IsSwimmingMap

 

DupeX (should use the same function as "Safe Fast DupeX" by Ghoul check ccplz and tweak this shit):


[ENABLE]
alloc(DupeX,256)
alloc(Platform,4)
alloc(RunFlag,4)
label(NullPlatform)
label(DoVac)
label(Normal)

Platform:
dd 00000000

RunFlag:
dd 00000000

DupeX:
pushfd
push eax
push ecx
mov eax,[02D82708] // CUserLocal: 8B 3D ? ? ? ? 8B CF F3
test eax,eax
je NullPlatform
mov eax,[eax+0000AB44] // Character Vector Control Offset: 8B 97 ? ? 00 00 6A 00 6A 00 [Fourth result]
lea ecx,[eax-10]
test ecx,ecx
je NullPlatform
mov eax,[ecx+0000013C]
test eax,eax
je NullPlatform
cmp [RunFlag],01
je DoVac
mov [Platform],eax
inc [RunFlag]
jmp DoVac

DoVac:
cmp ebx,ecx
je Normal
mov edi,[Platform]
jmp Normal

NullPlatform:
mov [Platform],00
mov [RunFlag],00
jmp Normal

Normal:
pop ecx
pop eax
popfd
mov [ebx+0000013C],edi // Original Opcodes
jmp 00B932E1+6

00B932E1:
jmp DupeX
db 90

[DISABLE]
00B932E1: // CVecCtrl::OnAttachedObjectChanged: 89 ? ? ? 00 00 C7 ? ? ? 00 00 00 00 00 00 C7 ? ? ? 00 00 00 00 00 00 C7 ? ? ? 00 00 00 00 00 00 66 [First result]
mov [ebx+0000013C],edi

dealloc(DupeX)
dealloc(Platform)
dealloc(RunFlag)

// Assembly scan: call CUserLocal::SetDamaged [First result]
// CVecCtrl::OnAttachedObjectChanged: E8 ? ? ? ? 5F 5E 5B 8B E5 5D C2 10 00 CC [Second result & follow call at end of function]

 

Mob Control:


// 00 Doesn't seem to do anything but Disconnect to world selection screen
// 01 Normal Mobs
// 02 Jump mob
// 03 Fly Mobs
// 04 Stationary Mobs
// 05 Mob Walk Right
// 06-07-08 Lemmings
// 09 and above crash MapleStory with "error code: -2147467259 (Unspecified error)"

[ENABLE]
alloc(MobControl,128)

MobControl:
mov [edi+00000418],04
mov eax,[edi+00000418]
jmp 021B90AC+6

021B90AC:
jmp MobControl
db 90

[DISABLE]
021B90AC: // CVecCtrlMob::WorkUpdateActive: E9 ? ? ? ? 8B ? ? ? 00 00 83 ? ? 0F ? ? ? ? ? FF [Address below]
mov eax,[edi+00000418]

dealloc(MobControl)

 

CDragon::TryDoingMagicAttack:


define(Skill_ID,#22111012) // Dragon Flash

[ENABLE]
alloc(CUserLocal__Update_Hook,128)
alloc(Time,4)
label(Ending)

Time:
dd 0

CUserLocal__Update_Hook:
push ebp
mov ebp,esp
push -01
pushad
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#1000 // Delay in milliseconds
jl Ending
mov [Time],eax
mov ebx,ecx // CUserLocal *this
push Skill_ID // int nSkillID
mov ecx,[02D699C8] // CSkillInfo *this: Inside CUserLocal::GetSkillLevel or breakpoint CSkillInfo::GetSkill and check ecx
call 00A95CB0 // CSkillInfo::GetSkill: 9C 9F D5 00 ? ? ? ? 9D 9F D5 00 [Follow first call above]
mov eax,[eax+04]
mov esi,eax
push 00 // SKILLENTRY **ppSkillEntry
push Skill_ID // int nSkillID
mov ecx,ebx // CUserLocal *this
call 020454A0 // CUserLocal::GetSkillLevel: 68 11 12 42 00 [Follow first call above]
push 00 // bool bDoActiveSkill
push 00 // bool bVariableRectAttack
push 00 // CGrenade *pGrenade
push 00 // unsigned int nRandForAction
push eax // int nSLV
push esi // SKILLENTRY *pSkill
mov ecx,ebx // CUserLocal *this
mov ecx,[ecx+FA30] // CDragon *this: Inside CUser::Update: 8B ? ? ? 00 00 85 ? 74 ? 8B ? 8B ? FF [Third result]
call 00F3AFB0 // CDragon::TryDoingMagicAttack: E8 ? ? ? ? 89 ? ? 83 ? ? ? 74 ? 8D [Second result & follow call]
jmp Ending

Ending:
popad
jmp 01FCAA30+5

01FCAA30:
jmp CUserLocal__Update_Hook

[DISABLE]
01FCAA30: // CUserLocal::Update: E8 ? ? ? ? 8B ? ? ? ? ? 8B ? ? 89 ? ? 85 ? 74 ? 83 ? ? 8D ? ? 50 FF 15 ? ? ? ? 85 ? 75 ? 8B ? ? ? ? ? 85 ? 74 ? C6 ? ? ? 8D ? ? ? FF 15 ? ? ? ? 85 ? 74 ? 8B ? 8B ? 6A 01 8B [Start]
push ebp
mov ebp,esp
push -01

dealloc(CUserLocal__Update_Hook)
dealloc(Time)

 

CDragon::TryDoingShootAttack:


define(Skill_ID,#22110014) // Wind Flash

[ENABLE]
alloc(CUserLocal__Update_Hook,128)
alloc(Time,4)
label(Ending)

Time:
dd 0

CUserLocal__Update_Hook:
push ebp
mov ebp,esp
push -01
pushad
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#1000 // Delay in milliseconds
jl Ending
mov [Time],eax
mov ebx,ecx // CUserLocal *this
push Skill_ID // int nSkillID
mov ecx,[02D699C8] // CSkillInfo *this: Inside CUserLocal::GetSkillLevel or breakpoint CSkillInfo::GetSkill and check ecx
call 00A95CB0 // CSkillInfo::GetSkill: 9C 9F D5 00 ? ? ? ? 9D 9F D5 00 [Follow first call above]
mov eax,[eax+04]
mov esi,eax
push 00 // SKILLENTRY **ppSkillEntry
push Skill_ID // int nSkillID
mov ecx,ebx // CUserLocal *this
call 020454A0 // CUserLocal::GetSkillLevel: 68 11 12 42 00 [Follow first call above]
push 00 // bool bDoActiveSkill
push 00 // bool bRepeatAttack
push 00 // DRAGON_ACTION eDragonAction
push 00 // unsigned int nRandForAction
push eax // int nSLV
push esi // SKILLENTRY *pSkill
mov ecx,ebx // CUserLocal *this
mov ecx,[ecx+FA30] // CDragon *this: Inside CUser::Update: 8B ? ? ? 00 00 85 ? 74 ? 8B ? 8B ? FF [Third result]
call 00F3D360 // CDragon::TryDoingShootAttack: E8 ? ? ? ? 8B ? 85 ? 0F 84 ? ? ? ? FF ? ? ? ? ? C7 [Follow call (CDragon::DragonAttack is at start of function)] || E8 ? ? ? ? 33 ? 85 ? 0F ? ? C7 [First result & follow call (CDragon::Update is at start of function)]
jmp Ending

Ending:
popad
jmp 01FCAA30+5

01FCAA30:
jmp CUserLocal__Update_Hook

[DISABLE]
01FCAA30: // CUserLocal::Update: E8 ? ? ? ? 8B ? ? ? ? ? 8B ? ? 89 ? ? 85 ? 74 ? 83 ? ? 8D ? ? 50 FF 15 ? ? ? ? 85 ? 75 ? 8B ? ? ? ? ? 85 ? 74 ? C6 ? ? ? 8D ? ? ? FF 15 ? ? ? ? 85 ? 74 ? 8B ? 8B ? 6A 01 8B [Start]
push ebp
mov ebp,esp
push -01

dealloc(CUserLocal__Update_Hook)
dealloc(Time)

 

CUserLocal::TryDoingBodyAttack:


define(Skill_ID,#2311007)

[ENABLE]
alloc(CUserLocal__Update_Hook,128)
alloc(Time,4)
label(Ending)

Time:
dd 0

alloc(time_stamp_hook,128)
alloc(time_stamp_initialized,4)
alloc(time_stamp,4)
label(time_stamp_continue)

time_stamp_initialized:
dd 00000000

time_stamp:
dd 00000000

CUserLocal__Update_Hook:
push ebp
mov ebp,esp
push -01
pushad
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#0 // Delay in milliseconds
jl Ending
mov [Time],eax
mov ebx,ecx // CUserLocal *this
push Skill_ID // int nSkillID
mov ecx,[02D699C8] // CSkillInfo *this: Inside CUserLocal::GetSkillLevel or breakpoint CSkillInfo::GetSkill and check ecx
call 00A95CB0 // CSkillInfo::GetSkill: 9C 9F D5 00 ? ? ? ? 9D 9F D5 00 [Follow first call above]
mov eax,[eax+04]
mov esi,eax
push 00 // SKILLENTRY **ppSkillEntry
push Skill_ID // int nSkillID
mov ecx,ebx // CUserLocal *this
call 020454A0 // CUserLocal::GetSkillLevel: 68 11 12 42 00 [Follow first call above]
push 00 // tagPOINT ptHit.Y
push 00 // tagPOINT ptHit.X
push 00 // CMob *pMob
push eax // int nSLV
push esi // SKILLENTRY *pSkill
mov ecx,ebx // CUserLocal *this
call 0202B650 // CUserLocal::TryDoingBodyAttack: E8 ? ? ? ? 6A 00 6A 00 6A 00 53 FF ? ? 8B ? 89 ? ? ? ? ? E8 [Third result & follow second call] || E8 ? ? ? ? 89 85 ? ? FF FF C7 85 ? ? ? ? 00 00 00 00 EB ? 8B 95 ? ? ? ? 83 [Fifth result & start]
jmp Ending

Ending:
popad
jmp 01FCAA30+5

time_stamp_hook:
cmp [time_stamp_initialized],00000000
jne time_stamp_continue
call 0213CC30 // Original Opcode
mov [time_stamp],eax
mov [time_stamp_initialized],00000001

time_stamp_continue:
add [time_stamp],3E8
mov eax,[time_stamp]
ret

01FCAA30:
jmp CUserLocal__Update_Hook

0202CC5B: // Fix timestamp-disconnect
call time_stamp_hook

[DISABLE]
01FCAA30: // CUserLocal::Update: E8 ? ? ? ? 8B ? ? ? ? ? 8B ? ? 89 ? ? 85 ? 74 ? 83 ? ? 8D ? ? 50 FF 15 ? ? ? ? 85 ? 75 ? 8B ? ? ? ? ? 85 ? 74 ? C6 ? ? ? 8D ? ? ? FF 15 ? ? ? ? 85 ? 74 ? 8B ? 8B ? 6A 01 8B [Start]
push ebp
mov ebp,esp
push -01

0202CC5B: // E8 ? ? ? ? 89 85 ? ? FF FF C7 85 ? ? ? ? 00 00 00 00 EB ? 8B 95 ? ? ? ? 83 [Fifth result]
call 0213CC30 // get_update_time

dealloc(CUserLocal__Update_Hook)

dealloc(time_stamp_hook)
dealloc(time_stamp_initialized)
dealloc(time_stamp)

 

CUserLocal::TryDoingMagicAttack (Set bForce to 1 and you'll have the same thing as "Controlled Magic Injection"):


define(Skill_ID,#2301005) // Holy Arrow (Cleric)

[ENABLE]
alloc(CUserLocal__Update_Hook,128)
alloc(Time,4)
label(Ending)

Time:
dd 0

CUserLocal__Update_Hook:
push ebp
mov ebp,esp
push -01
pushad
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#1000 // Delay in milliseconds
jl Ending
mov [Time],eax
mov ebx,ecx // CUserLocal *this
push Skill_ID // int nSkillID
mov ecx,[02D699C8] // CSkillInfo *this: Inside CUserLocal::GetSkillLevel or breakpoint CSkillInfo::GetSkill and check ecx
call 00A95CB0 // CSkillInfo::GetSkill: 9C 9F D5 00 ? ? ? ? 9D 9F D5 00 [Follow first call above]
mov eax,[eax+04]
mov esi,eax
push 00 // SKILLENTRY **ppSkillEntry
push Skill_ID // int nSkillID
mov ecx,ebx // CUserLocal *this
call 020454A0 // CUserLocal::GetSkillLevel: 68 11 12 42 00 [Follow first call above]
push 00 // void* unknown1
push 00 // unsigned int nRandForActionParam
push 01 // bool bMakeRandom
push -01 // int nOption
push 00 // unsigned int dwExceptID
push 00 // int nForcedY
push 00 // int nForcedX
push 01 // bool bForce
push 00 // int tKeyDown
push 00 // int nReduceCount
push eax // int nSLV
push esi // SKILLENTRY *pSkill
mov ecx,ebx // CUserLocal *this
call 0201A7F0 // CUserLocal::DoActiveSkilll_ForcedMagicAttack: 3D CC EF B8 00 75 || 68 CC EF B8 00 50 [Follow call at end of function (CUserLocal::TryDoingMagicAttack)]
jmp Ending

Ending:
popad
jmp 01FCAA30+5

01FCAA30:
jmp CUserLocal__Update_Hook

[DISABLE]
01FCAA30: // CUserLocal::Update: E8 ? ? ? ? 8B ? ? ? ? ? 8B ? ? 89 ? ? 85 ? 74 ? 83 ? ? 8D ? ? 50 FF 15 ? ? ? ? 85 ? 75 ? 8B ? ? ? ? ? 85 ? 74 ? C6 ? ? ? 8D ? ? ? FF 15 ? ? ? ? 85 ? 74 ? 8B ? 8B ? 6A 01 8B [Start]
push ebp
mov ebp,esp
push -01

dealloc(CUserLocal__Update_Hook)
dealloc(Time)

 

CUserLocal::TryDoingMeleeAttack:


define(Skill_ID,#31011000) // Exceed: Double Slash

[ENABLE]
alloc(CUserLocal__Update_Hook,128)
alloc(Time,4)
label(Ending)

Time:
dd 0

CUserLocal__Update_Hook:
push ebp
mov ebp,esp
push -01
pushad
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#1000 // Delay in milliseconds
jl Ending
mov [Time],eax
mov ebx,ecx // CUserLocal *this
push Skill_ID // int nSkillID
mov ecx,[02D699C8] // CSkillInfo *this: Inside CUserLocal::GetSkillLevel or breakpoint CSkillInfo::GetSkill and check ecx
call 00A95CB0 // CSkillInfo::GetSkill: 9C 9F D5 00 ? ? ? ? 9D 9F D5 00 [Follow first call above]
mov eax,[eax+04]
mov esi,eax
push 00 // SKILLENTRY **ppSkillEntry
push Skill_ID // int nSkillID
mov ecx,ebx // CUserLocal *this
call 020454A0 // CUserLocal::GetSkillLevel: 68 11 12 42 00 [Follow first call above]
push 00 // void* unknown4 added in GMS v.188.2
push 00 // void* unknown3
push 00 // void* unknown2
push 00 // void* unknown1
push 00 // unsigned int dwTargetMobID
push 00 // int nBySummonedID
push 00 // bool bAddAttackProc
push 00 // int nShootSkillID
push 00 // int nTimeBombY
push 00 // int nTimeBombX
push 00 // int bTimeBombAttack
push 00 // int nReservedSkillID
push 00 // CGrenade *pGrenade
push 00 // int tKeyDown
push 00 // unsigned int dwLastAttackMobID
push 00 // int nSerialAttackSkillID
push 00 // int *pnShootRange0
push eax // int nSLV
push esi // SKILLENTRY *pSkill
mov ecx,ebx // CUserLocal *this
call 01FED500 // CUserLocal::TryDoingMeleeAttack: 0F ? ? ? ? ? 0F ? ? ? ? ? ? FF ? ? ? ? ? ? 84 [Scroll down]
jmp Ending

Ending:
popad
jmp 01FCAA30+5

01FCAA30:
jmp CUserLocal__Update_Hook

[DISABLE]
01FCAA30: // CUserLocal::Update: E8 ? ? ? ? 8B ? ? ? ? ? 8B ? ? 89 ? ? 85 ? 74 ? 83 ? ? 8D ? ? 50 FF 15 ? ? ? ? 85 ? 75 ? 8B ? ? ? ? ? 85 ? 74 ? C6 ? ? ? 8D ? ? ? FF 15 ? ? ? ? 85 ? 74 ? 8B ? 8B ? 6A 01 8B [Start]
push ebp
mov ebp,esp
push -01

dealloc(CUserLocal__Update_Hook)
dealloc(Time)

 

CUserLocal::TryDoingShootAttack:


define(Skill_ID,#23001000) // Swift Dual Shot

[ENABLE]
alloc(CUserLocal__Update_Hook,128)
alloc(Time,4)
label(Ending)

Time:
dd 0

CUserLocal__Update_Hook:
push ebp
mov ebp,esp
push -01
pushad
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#1000 // Delay in milliseconds
jl Ending
mov [Time],eax
mov ebx,ecx // CUserLocal *this
push Skill_ID // int nSkillID
mov ecx,[02D699C8] // CSkillInfo *this: Inside CUserLocal::GetSkillLevel or breakpoint CSkillInfo::GetSkill and check ecx
call 00A95CB0 // CSkillInfo::GetSkill: 9C 9F D5 00 ? ? ? ? 9D 9F D5 00 [Follow first call above]
mov eax,[eax+04]
mov esi,eax
push 00 // SKILLENTRY **ppSkillEntry
push Skill_ID // int nSkillID
mov ecx,ebx // CUserLocal *this
call 020454A0 // CUserLocal::GetSkillLevel: 68 11 12 42 00 [Follow first call above]
push 00 // void* unknown added in GMS v.188.2
push 00 // bool bAddAttackProc
push 00 // int nBySummonedID
push 00 // int nSkillCastItemPos
push 00 // unsigned int nRandForMortalBlowAction
push 00 // int tKeyDown
push 00 // int bMortalBlow
push 41 // int nShootRange0
push eax // int nSLV
push esi // SKILLENTRY *pSkill
mov ecx,ebx // CUserLocal *this
call 0200E0D0 // CUserLocal::TryDoingShootAttack: 0F ? ? ? ? ? 0F ? ? ? ? ? ? FF ? ? ? ? ? ? 84 [Scroll down]
jmp Ending

Ending:
popad
jmp 01FCAA30+5

01FCAA30:
jmp CUserLocal__Update_Hook

[DISABLE]
01FCAA30: // CUserLocal::Update: E8 ? ? ? ? 8B ? ? ? ? ? 8B ? ? 89 ? ? 85 ? 74 ? 83 ? ? 8D ? ? 50 FF 15 ? ? ? ? 85 ? 75 ? 8B ? ? ? ? ? 85 ? 74 ? C6 ? ? ? 8D ? ? ? FF 15 ? ? ? ? 85 ? 74 ? 8B ? 8B ? 6A 01 8B [Start]
push ebp
mov ebp,esp
push -01

dealloc(CUserLocal__Update_Hook)
dealloc(Time)

 

BW FMA (Don't know why the cunts on gk are saying it ab lol... I actually got to level 100 on my bw no problem)


[ENABLE]
alloc(CMobPool__FindHitMobInRect_Hook,128)
alloc(CMob__GetPos_Hook,128)

CMobPool__FindHitMobInRect_Hook:
mov eax,[02D83230] // CWvsPhysicalSpace2D: 8B 0D ? ? ? ? 6A 01 6A 00 68
lea eax,[eax+0C] // Left Wall Offset
mov [esp+04],eax
jmp 01367FF0 // Original opcode

CMob__GetPos_Hook:
mov eax,[02D82708] // CUserLocal: 8B 3D ? ? ? ? 8B CF F3
mov eax,[eax+013B64] // Character X Location Offset: 89 8F ? ? ? ? 8B CF 8B 40 04 89
add eax,#0
mov [esi],eax
call 007D5B20 // Original Opcode
mov eax,[02D82708] // CUserLocal: 8B 3D ? ? ? ? 8B CF F3
mov eax,[eax+013B68] // Character Y Location Offset: Character X Location Offset + 04
add eax,#0
mov [esi+04],eax
jmp 0131E15A+5

01178B99:
call CMobPool__FindHitMobInRect_Hook

0131E15A:
jmp CMob__GetPos_Hook

[DISABLE]
01178B99: // CForceAtom_NonTargetAttack::UpdateAttackCollision: E8 ? ? ? ? 89 ? ? ? ? ? ? ? ? ? ? ? FF 15 [First Result]
call 01367FF0 // CMobPool::FindHitMobInRect

0131E15A: // CMob::GetPos: E8 ? ? ? ? 89 ? ? 8B ? 5F 5E 5D C2 04 00 [Ninth result from last green result]
call 007D5B20 // TSecType<long>::GetData

dealloc(CMobPool__FindHitMobInRect_Hook)
dealloc(CMob__GetPos_Hook)

 

Auto Rune:


[ENABLE]
alloc(Hook,128)

Hook:
push ebp
mov ebp,esp
push -01
pushad
mov ebx,ecx // CRuneStoneMgrForClient: 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B ? E8
mov ecx,ebx
call 0152AB30 // CRuneStoneMgrForClient::NoticeInRect: E8 ? ? ? ? A1 ? ? ? ? 89 ? ? 85 C0 0F 84 [Fifth result & start]
push 25 // Left arrow
mov ecx,ebx
call 0152B830 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 26 // Up arrow
mov ecx,ebx
call 0152B830 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 27 // Right arrow
mov ecx,ebx
call 0152B830 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 28 // Down arrow
mov ecx,ebx
call 0152B830 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
popad
jmp 0152A3C0+5

0152A3C0:
jmp Hook

02071490:
db C3

[DISABLE]
0152A3C0: // CRuneStoneMgrForClient::Update: E8 ? ? ? ? 8B 0D ? ? ? ? 85 ? 74 ? ? E8 ? ? ? ? 8B 0D [Before last green result]
push ebp
mov ebp,esp
push -01

02071490: // CUserLocal::ResetRuneStoneActionAndSendFailPacket: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow second call]
db 55

dealloc(Hook)

 

Beholder's shit(ya i use the same hook point cuz i was testing shits but you can combine them all into 1 or do what ever):

Beholder infinite heal:


[ENABLE]
alloc(Hook,128)

Hook:
call 0213CC30 // Original Opcode
pushad
push 00 // int tCur
mov ecx,esi // CSummoned *this
call 015BACC0 // CSummoned::TryDoingHeal: 26 01 14 00 [Ninth result & start]
popad
jmp 015BFF2E+5

015BFF2E:
jmp Hook

[DISABLE]
015BFF2E: // CSummoned::Update: E8 ? ? ? ? 8B ? 8B ? ? ? ? ? 89 ? ? 85 ? 0F ? ? ? ? ? 33
call 0213CC30 // get_update_time

dealloc(Hook)

 

Beholder Infinite Buff:


[ENABLE]
alloc(Hook,128)

Hook:
call 0213CC30 // Original Opcode
pushad
push 00 // int tCur
mov ecx,esi // CSummoned *this
call 015BB170 // CSummoned::TryDoingGiveBuff: after call to CSummoned::TryDoingHeal in CSummoned::Update
popad
jmp 015BFF2E+5

015BFF2E:
jmp Hook

[DISABLE]
015BFF2E: // CSummoned::Update: E8 ? ? ? ? 8B ? 8B ? ? ? ? ? 89 ? ? 85 ? 0F ? ? ? ? ? 33
call 0213CC30 // get_update_time

dealloc(Hook)

 

Force Beholder Action (bypass cool down and shit) you can use beholder impact (5th job) once you get beholder at level 30 i believe so:


/*
6 = Evil Eye of Domination
7 = Evil Eye Shock
9 = Beholder's Impact
*/

[ENABLE]
alloc(Hook,128)
alloc(Time,4)
label(Ending)

Time:
dd 0

Hook:
call 0213CC30 // Original Opcode
pushad
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#500 // Delay in milliseconds
jl Ending
mov [Time],eax
push 00 // void *unknown2 (skill id)
push #9 // void *unknown1 (action)
push 01 // int bForce
mov ebx,[02D831E0] // 8D 8E ? ? 00 00 E8 ? ? ? ? E8 ? ? ? ? 50 [Follow second call]
mov ebx,[ebx+1C]
push ebx // int tCur
mov ecx,esi // CSummoned *this
call 015B5590 // CSummoned::TryDoingAttackManual: 55 8B EC 6A FF 68 ? ? ? ? 64 A1 00 00 00 00 50 B8 ? ? ? ? E8 ? ? ? ? A1 ? ? ? ? 33 C5 89 ? ? 53 56 57 50 8D ? ? 64 A3 00 00 00 00 89 ? ? ? ? ? C7 [Third result]
jmp Ending

Ending:
popad
jmp 015BFF2E+5

015BFF2E:
jmp Hook

015B83A4:
db 6A 00

[DISABLE]
015BFF2E: // CSummoned::Update: E8 ? ? ? ? 8B ? 8B ? ? ? ? ? 89 ? ? 85 ? 0F ? ? ? ? ? 33
call 0213CC30 // get_update_time

015B83A4: // E8 ? ? ? ? 6A 01 8B ? ? ? ? ? E8 ? ? ? ? 83 [Address below] (Follow call =  CSummoned::PrepareActionLayer)
db 6A 01

dealloc(Hook)
dealloc(Time)

 

 


Monster Mind Control (to be used with auto aggro):


[ENABLE]
alloc(CVecCtrlMob__CtrlUpdateActiveMove_Hook,128)
alloc(CVecCtrlMob__CtrlUpdateActiveJump_Hook,128)
alloc(CVecCtrlMob__CtrlUpdateActiveFlyX_Hook,128)
alloc(CVecCtrlMob__CtrlUpdateActiveFlyY_Hook,128)
alloc(CVecCtrlMob__CtrlUpdateActiveFlyX2_Hook,128)
alloc(CVecCtrlMob__CtrlUpdateActiveFlyY2_Hook,128)
alloc(X,4)
alloc(Y,4)

X:
dd #500

Y:
dd #200

CVecCtrlMob__CtrlUpdateActiveMove_Hook:
movd xmm1,[X]
xor eax,eax
jmp 02115A33+6

CVecCtrlMob__CtrlUpdateActiveJump_Hook:
movd xmm1,[X]
xor eax,eax
jmp 02116263+6

CVecCtrlMob__CtrlUpdateActiveFlyX_Hook:
push [X]
call 007F84D0
jmp 02116798+7

CVecCtrlMob__CtrlUpdateActiveFlyY_Hook:
mov eax,[Y]
push eax
call 007F84D0
jmp 021167B6+9

CVecCtrlMob__CtrlUpdateActiveFlyX2_Hook:
push [X]
lea ecx,[edi+0C]
jmp 02116819+5

CVecCtrlMob__CtrlUpdateActiveFlyY2_Hook:
push [Y]
mov ecx,edi
jmp 02116823+5

02115A33:
jmp CVecCtrlMob__CtrlUpdateActiveMove_Hook
db 90

02116263:
jmp CVecCtrlMob__CtrlUpdateActiveJump_Hook
db 90

02116798:
jmp CVecCtrlMob__CtrlUpdateActiveFlyX_Hook
db 90 90

021167B6:
jmp CVecCtrlMob__CtrlUpdateActiveFlyY_Hook
db 90 90 90 90

02116819:
jmp CVecCtrlMob__CtrlUpdateActiveFlyX2_Hook

02116823:
jmp CVecCtrlMob__CtrlUpdateActiveFlyY2_Hook

[DISABLE]
/* All theses addresses can be easily obtained with CUser::GetPos (Return Address) */

02115A33: // CVecCtrlMob::CtrlUpdateActiveMove: 66 ? ? ? 31 ? F3 [First result]
movd xmm1,[eax]
xor eax,eax

02116263: // CVecCtrlMob::CtrlUpdateActiveJump: 66 ? ? ? 31 ? F3 [Second result]
movd xmm1,[eax]
xor eax,eax

02116798: // CVecCtrlMob::CtrlUpdateActiveFly: FF ? E8 ? ? ? ? 8B ? ? ? ? ? 8D ? ? 52
push [eax]
call 007F84D0 // TSecType<long>::SetData

021167B6: // CVecCtrlMob::CtrlUpdateActiveFly: 8B ? ? 50 E8 ? ? ? ? 8B ? ? ? ? ? E8 ? ? ? ? 85
mov eax,[eax+04]
push eax
call 007F84D0 // TSecType<long>::SetData

02116819: // CVecCtrlMob::CtrlUpdateActiveFly: FF ? 8D ? ? E8 ? ? ? ? FF ? ? 8B [Last Green Result & push [esi]]
push [esi]
lea ecx,[edi+0C]

02116823: // CVecCtrlMob::CtrlUpdateActiveFly: FF ? 8D ? ? E8 ? ? ? ? FF ? ? 8B [Last Green Result & push [esi+04]]
push [esi+04]
mov ecx,edi

dealloc(CVecCtrlMob__CtrlUpdateActiveMove_Hook)
dealloc(CVecCtrlMob__CtrlUpdateActiveJump_Hook)
dealloc(CVecCtrlMob__CtrlUpdateActiveFlyX_Hook)
dealloc(CVecCtrlMob__CtrlUpdateActiveFlyY_Hook)
dealloc(CVecCtrlMob__CtrlUpdateActiveFlyX2_Hook)
dealloc(CVecCtrlMob__CtrlUpdateActiveFlyY2_Hook)
dealloc(X)
dealloc(Y)

 

Auto AP (Auto assign ap):


[ENABLE]
alloc(Hook,128)
label(Ending)

Hook:
call 02098B30 // Original Opcode
pushad
mov ecx,ebx // CWvsContext: 8D ? ? 53 56 57 50 E8 [mov ecx above]
mov ecx,[ecx+223C] // CWvsContext::GetCharacterData: 8D ? ? 53 56 57 50 E8 [Follow call]
call 01C97540 // GW_CharacterStat::_ZtlSecureGet_nAP: E8 ? ? ? ? 6A ? FF ? ? 98 [First result(CUIStat::Draw) & Follow call]
cwde
cmp eax,0
je Ending
push -01
call 01C94D40 // CUIStat::OnButtonClicked (CUIStat::AutoApUp) C2 04 00 6A 01 E8 ? ? ? ? [Result 14/20 & follow call]
jmp Ending

Ending:
popad
jmp 021C5294+5

021C5294:
jmp Hook

01C95288:
db B8 06 00 00 00

[DISABLE]
021C5294: // CWvsContext::Update: E8 ? ? ? ? 83 ? ? ? ? ? ? 8B ? 89 ? ? 75 ? 89
call 02098B30 // get_update_time

01C95288: // E8 ? ? ? ? 83 ? ? 83 ? ? 75 ? 8D ? ? 8B [Last Green Result]
call 020B69B0 // CUtilDlg::YesNo

dealloc(Hook)

 

For Xenon jobs:

replace with:

push #2015 // STR = 2013, DEX = 2014, LUK = 2015
call 01C952F0// CUIStat::OnButtonClicked (CUIStat::AutoApUp) C2 04 00 6A 01 E8 ? ? ? ? [Result 14/20 & scroll down] CUIStat::AutoApUpXenon

For Demon avenger or hp based job

replace with 

call 01C950C0// CUIStat::OnButtonClicked (CUIStat::AutoApUp) C2 04 00 6A 01 E8 ? ? ? ? [Result 14/20 & scroll up] CUIStat::AutoApHPBasedJob


[ENABLE]
02230AB0: // CWvsContext::OnEnterField: E8 ? ? ? ? 8B ? ? 83 ? ? 8B ? 89 ? ? 8D [First result(CField::Init) & follow call]
db 33 C0 C3

[DISABLE]

 

This bypass the two mscrc. No need to manually get the 2 crc each patch and update the register.

If I find more stuff in my hdd ill post.


Taking your leave now that you've been found out aasdf? Sounds about right, see you on one of your next alternate accounts (probably next week). 9_9

2 hours ago, Razz said:

Do you mind submitting these to the Scripts Database?

I'm lazy and posting a thread was faster. I left aobs and function names for people to easily update them so they can post in the script database if they wish.

 

 

 

Force summon to do their "normal attack":


[ENABLE]
alloc(Hook,128)

Hook:
call 0213CC50 // Original Opcode
pushad
push 00 // int nAIType
push 00 // int tCur
mov ecx,esi // CSummoned *this
call 015AFE20 // CSummoned::TryDoingAttack: 55 8B EC 6A FF 68 ? ? ? ? 64 A1 00 00 00 00 50 B8 ? ? ? ? E8 ? ? ? ? A1 ? ? ? ? 33 C5 89 ? ? 53 56 57 50 8D ? ? 64 A3 00 00 00 00 89 ? ? ? ? ? C7 [Second result]
popad
jmp 015BFF0E+5

015BFF0E:
jmp Hook

[DISABLE]
015BFF0E: // CSummoned::Update: E8 ? ? ? ? 8B ? 8B ? ? ? ? ? 89 ? ? 85 ? 0F ? ? ? ? ? 33
call 0213CC50 // get_update_time

dealloc(Hook)

 

example:

Robo Launcher RM7 mech 2nd job:

https://gyazo.com/d8232a12ef5e1ba88c0bfc776e315a23

 

56 minutes ago, Korgon said:

I'm lazy and posting a thread was faster. I left aobs and function names for people to easily update them so they can post in the script database if they wish.

 

 

 

Force summon to do their "normal attack":




[ENABLE]
alloc(Hook,128)

Hook:
call 0213CC50 // Original Opcode
pushad
push 00 // int nAIType
push 00 // int tCur
mov ecx,esi // CSummoned *this
call 015AFE20 // CSummoned::TryDoingAttack: 55 8B EC 6A FF 68 ? ? ? ? 64 A1 00 00 00 00 50 B8 ? ? ? ? E8 ? ? ? ? A1 ? ? ? ? 33 C5 89 ? ? 53 56 57 50 8D ? ? 64 A3 00 00 00 00 89 ? ? ? ? ? C7 [Second result]
popad
jmp 015BFF0E+5

015BFF0E:
jmp Hook

[DISABLE]
015BFF0E: // CSummoned::Update: E8 ? ? ? ? 8B ? 8B ? ? ? ? ? 89 ? ? 85 ? 0F ? ? ? ? ? 33
call 0213CC50 // get_update_time

dealloc(Hook)

 

example:

Robo Launcher RM7 mech 2nd job:

https://gyazo.com/d8232a12ef5e1ba88c0bfc776e315a23

 

 

So that script is like this one??


//ULTIMOCSM  A272C5
[enable]
alloc(hook, 128)
label(return)


015403AA: //8B 86 B4 01 00 00 48 83 F8 0D 0F 87 (PRIMERO)
jmp hook
nop
return:

hook: //beholder summon hook
mov [esi+000001B4], 1
mov eax,[esi+000001B4] //a diff function checks this value so modify it i guess
jmp return

0133EF9D://7E 3D 8B 86 A0 01 00 00 3D B5 29 27 02 (PRIMERO)
db 90 90

01297530://8B 4C 24 04 81 F9 C1 F5 E9 01 0F 8F 96 (RPIMERO)
xor eax, eax
ret
nop

0133EF34://7E 10 81 BE A0 01 00 00 A0 BC C4 04 (PRIMERO)
db eb

[disable]


015403AA: //8B 86 B4 01 00 00 48 83 F8 0D 0F 87 (PRIMERO)
mov eax,[esi+000001B4] // ES SU COSA

0133EF9D: //7E 3D 8B 86 A0 01 00 00 3D B5 29 27 02 (PRIMERO)
db 7e 3d

01297530: //8B 4C 24 04 81 F9 C1 F5 E9 01 0F 8F 96 (RPIMERO)
mov ecx,[esp+04]

0133EF34: //7E 10 81 BE A0 01 00 00 A0 BC C4 04 (PRIMERO)
db 7e

that one is for Veholder Summon fast attack on ver 183.x


it works like the script that you posted but also works with kshin of kanna and every summon does a fast attack, but I can't update that script, all the AoBs are broken ...


i only tested mine with mechanic summon so idk about other jobs summon. but i know that the script force summon to do their "normal attack"


Auto AP seems to just spam the auto ap box until I crash (Blaze Wizard). Am I missing something or did I update incorrectly?


//v188.3

[Enable]

    alloc(Hook,128)
    label(Ending)

    Hook:
    call 0213CC50 // Original Opcode
    pushad
    mov ecx,ebx // CWvsContext: 8D ? ? 53 56 57 50 E8 [mov ecx above]
    mov ecx,[ecx+2240] // CWvsContext::GetCharacterData: 8D ? ? 53 56 57 50 E8 [Follow call]
    call 01D40B90 // GW_CharacterStat::_ZtlSecureGet_nAP: E8 ? ? ? ? 6A ? FF ? ? 98 [First result(CUIStat::Draw) & Follow call]
    cwde
    cmp eax,0
    je Ending
    push -01
    call 01D3E330 // CUIStat::OnButtonClicked (CUIStat::AutoApUp) C2 04 00 6A 01 E8 ? ? ? ? [Result 14/20 & follow call]
    jmp Ending

    Ending:
    popad
    jmp 022707E4+5

    022707E4:
    jmp Hook

    01D3E878:
    db B8 06 00 00 00

[Disable]

    022707E4: // CWvsContext::Update: E8 ? ? ? ? 83 ? ? ? ? ? ? 8B ? 89 ? ? 75 ? 89
    call 0213CC50 // get_update_time

    01D3E878: // E8 ? ? ? ? 83 ? ? 83 ? ? 75 ? 8D ? ? 8B [Last Green Result]
    call 0215B070 // CUtilDlg::YesNo

    dealloc(Hook)

 

1 minute ago, misterdave35 said:

Auto AP seems to just spam the auto ap box until I crash (Blaze Wizard). Am I missing something or did I update incorrectly?


//v188.3

[Enable]

    alloc(Hook,128)
    label(Ending)

    Hook:
    call 0213CC50 // Original Opcode
    pushad
    mov ecx,ebx // CWvsContext: 8D ? ? 53 56 57 50 E8 [mov ecx above]
    mov ecx,[ecx+2240] // CWvsContext::GetCharacterData: 8D ? ? 53 56 57 50 E8 [Follow call]
    call 01D40B90 // GW_CharacterStat::_ZtlSecureGet_nAP: E8 ? ? ? ? 6A ? FF ? ? 98 [First result(CUIStat::Draw) & Follow call]
    cwde
    cmp eax,0
    je Ending
    push -01
    call 01D3E330 // CUIStat::OnButtonClicked (CUIStat::AutoApUp) C2 04 00 6A 01 E8 ? ? ? ? [Result 14/20 & follow call]
    jmp Ending

    Ending:
    popad
    jmp 022707E4+5

    022707E4:
    jmp Hook

    01D3E878:
    db B8 06 00 00 00

[Disable]

    022707E4: // CWvsContext::Update: E8 ? ? ? ? 83 ? ? ? ? ? ? 8B ? 89 ? ? 75 ? 89
    call 0213CC50 // get_update_time

    01D3E878: // E8 ? ? ? ? 83 ? ? 83 ? ? 75 ? 8D ? ? 8B [Last Green Result]
    call 0215B070 // CUtilDlg::YesNo

    dealloc(Hook)

 

[ENABLE]
alloc(Hook,128)
label(Ending)

Hook:
call 0213CC50 // Original Opcode
pushad
mov ecx,ebx // CWvsContext: 8D ? ? 53 56 57 50 E8 [mov ecx above]
mov ecx,[ecx+2240] // CWvsContext::GetCharacterData: 8D ? ? 53 56 57 50 E8 [Follow call]
call 01D40B90 // GW_CharacterStat::_ZtlSecureGet_nAP: E8 ? ? ? ? 6A ? FF ? ? 98 [First result(CUIStat::Draw) & Follow call]
cwde
cmp eax,0
je Ending
push -01
call 01D3E330// CUIStat::OnButtonClicked (CUIStat::AutoApUp) C2 04 00 6A 01 E8 ? ? ? ? [Result 14/20 & follow call]
jmp Ending

Ending:
popad
jmp 022707E4+5

022707E4:
jmp Hook

01D3E63D:
db B8 06 00 00 00

[DISABLE]
022707E4: // CWvsContext::Update: E8 ? ? ? ? 83 ? ? ? ? ? ? 8B ? 89 ? ? 75 ? 89
call 0213CC50 // get_update_time

01D3E63D: // E8 ? ? ? ? 83 ? ? 83 ? ? 75 ? 8B ? ? 8D [Third result starting from last green result]
call 0215B070 // CUtilDlg::YesNo

dealloc(Hook)

 

should work


[ENABLE]
alloc(Hook,128)
alloc(Time,4)
label(Ending)

Time:
dd 0

Hook:
call 0213CC50 // Original Opcode
pushad
call GetTickCount
mov edx,eax
sub edx,[Time]
cmp edx,#300 // Delay in milliseconds
jl Ending
mov [Time],eax
push 00 // int tCur
mov ecx,esi // CSummoned *this
call 015BBD30 // CSummoned::TryDoingTaslaCoilAttack: 55 8B EC 6A FF 68 ? ? ? ? 64 A1 00 00 00 00 50 B8 ? ? ? ? E8 ? ? ? ? A1 ? ? ? ? 33 C5 89 ? ? 53 56 57 50 8D ? ? 64 A3 00 00 00 00 89 ? ? ? ? ? C7 ? ? ? ? ? ? ? ? ? 8B [Third result]
jmp Ending

Ending:
popad
jmp 015BFF0E+5

015BFF0E:
jmp Hook

[DISABLE]
015BFF0E: // CSummoned::Update: E8 ? ? ? ? 8B ? 8B ? ? ? ? ? 89 ? ? 85 ? 0F ? ? ? ? ? 33
call 0213CC50 // get_update_time

dealloc(Hook)

 

Rock n' Shock (Mech 3rd job) worthless shit, dc after some time. Fun fact: in the kmst pdb some function names are spelled tesla, others tasla:

https://gyazo.com/eb5fb42767d50a7d663898f858912d23


Sorry to ask again, but looks like Auto Rune is causing a runtime error when enabled. I'm going to assume I updated it incorrectly?


[ENABLE]

    alloc(Hook,128)

    Hook:
    push ebp
    mov ebp,esp
    push -01
    pushad
    mov ebx,ecx // CRuneStoneMgrForClient: 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B ? E8
    mov ecx,ebx
    call 0152AB10 // CRuneStoneMgrForClient::NoticeInRect: E8 ? ? ? ? A1 ? ? ? ? 89 ? ? 85 C0 0F 84 [Fifth result & start]
    push 25 // Left arrow
    mov ecx,ebx
    call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
    push 26 // Up arrow
    mov ecx,ebx
    call 0152B810 // CRuneStoneMgrForClient::KeyInput
    push 27 // Right arrow
    mov ecx,ebx
    call 0152B810 // CRuneStoneMgrForClient::KeyInput
    push 28 // Down arrow
    mov ecx,ebx
    call 0152B810 // CRuneStoneMgrForClient::KeyInput
    popad
    jmp 0152A3A0+5

    0152A3A0:
    jmp Hook

    020714B0:
    db C3

[DISABLE]
    0152A3A0: // CRuneStoneMgrForClient::Update: E8 ? ? ? ? 8B 0D ? ? ? ? 85 ? 74 ? ? E8 ? ? ? ? 8B 0D [Before last green result & Follow Call]
    push ebp
    mov ebp,esp
    push -01

    020714B0: // CUserLocal::ResetRuneStoneActionAndSendFailPacket: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow second call]
    db 55

    dealloc(Hook)

 

14 hours ago, misterdave35 said:

Sorry to ask again, but looks like Auto Rune is causing a runtime error when enabled. I'm going to assume I updated it incorrectly?


[ENABLE]

    alloc(Hook,128)

    Hook:
    push ebp
    mov ebp,esp
    push -01
    pushad
    mov ebx,ecx // CRuneStoneMgrForClient: 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B ? E8
    mov ecx,ebx
    call 0152AB10 // CRuneStoneMgrForClient::NoticeInRect: E8 ? ? ? ? A1 ? ? ? ? 89 ? ? 85 C0 0F 84 [Fifth result & start]
    push 25 // Left arrow
    mov ecx,ebx
    call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
    push 26 // Up arrow
    mov ecx,ebx
    call 0152B810 // CRuneStoneMgrForClient::KeyInput
    push 27 // Right arrow
    mov ecx,ebx
    call 0152B810 // CRuneStoneMgrForClient::KeyInput
    push 28 // Down arrow
    mov ecx,ebx
    call 0152B810 // CRuneStoneMgrForClient::KeyInput
    popad
    jmp 0152A3A0+5

    0152A3A0:
    jmp Hook

    020714B0:
    db C3

[DISABLE]
    0152A3A0: // CRuneStoneMgrForClient::Update: E8 ? ? ? ? 8B 0D ? ? ? ? 85 ? 74 ? ? E8 ? ? ? ? 8B 0D [Before last green result & Follow Call]
    push ebp
    mov ebp,esp
    push -01

    020714B0: // CUserLocal::ResetRuneStoneActionAndSendFailPacket: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow second call]
    db 55

    dealloc(Hook)

 

Addresses looks correct to me. what runtime error?

 

@wshh Be specific...? https://gyazo.com/c4ab10a788b7d94a4e36f17388b79034

You need to be close to the rune to do it.

 

 

 

Unlimited summon + time:


/*
CUser::AddSummonedList: A9 F3 B8 00 [Eleventh result from last green result & start]
In CUser::AddSummonedList, the third call in the function is ZList<ZRef<CSummoned>>::RemoveAt
*/

[ENABLE]
// Overwrites the 3-byte prologue (55 8B EC = push ebp / mov ebp,esp, restored below)
// with C2 04 00 = ret 4, so the patched function returns at once and pops one
// 4-byte argument. Presumably this is the RemoveAt mentioned above -- not stated here.
015EA100: // Unlimited Summon + Time
db C2 04 00

[DISABLE]
015EA100:
db 55 8B EC

 

 

Edited by Korgon


Ic @Korgon, that's where I made the mistake — I wasn't close to the rune. Do I have to move to the next place it spawns after the first time using auto rune?

45 minutes ago, misterdave35 said:

idk never happened to me before

try doing this perhaps:

1. Enable it in game

2. disable it

3. Comment out lines 12 & 13 (CRuneStoneMgrForClient::StartKeyInput)

4. Enable it.

5. Be close to the rune and try.


[ENABLE]
// Cheat Engine auto-assembler script. Immediates are hexadecimal.
// Hook replaces the first 5 bytes of CRuneStoneMgrForClient::Update
// (push ebp / mov ebp,esp / push -01, restored under [DISABLE]) and
// re-executes that prologue before its own work.
alloc(Hook,128)

Hook:
push ebp
mov ebp,esp
push -01
pushad // saves the 8 general registers only; EFLAGS is not preserved
mov ebx,ecx // CRuneStoneMgrForClient: 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B ? E8
// ebx keeps the this-pointer (ecx on entry) across the calls below; popad restores it.
mov ecx,ebx
call 0152AB10 // CRuneStoneMgrForClient::NoticeInRect: E8 ? ? ? ? A1 ? ? ? ? 89 ? ? 85 C0 0F 84 [Fifth result & start]
// Lines 12 & 13 referred to in the thread: StartKeyInput is called on every Update.
mov ecx,ebx
call 0152AF40 // CRuneStoneMgrForClient::StartKeyInput: 68 F8 2A 00 00 6A 01 [First result & follow third call]
// Four KeyInput calls, each with ecx reloaded from ebx and one pushed
// argument: the virtual-key code (25..28 hex = VK_LEFT..VK_DOWN).
push 25 // Left arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 26 // Up arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 27 // Right arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 28 // Down arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
popad
jmp 0152A3A0+5 // resume in Update just past the 5 overwritten prologue bytes

0152A3A0:
jmp Hook // 5-byte relative jmp written over the prologue

020714B0:
db C3 // first byte (originally 55 = push ebp) becomes ret: the function returns immediately

[DISABLE]
// Restore the original 5-byte prologue of Update.
0152A3A0: // CRuneStoneMgrForClient::Update: E8 ? ? ? ? 8B 0D ? ? ? ? 85 ? 74 ? ? E8 ? ? ? ? 8B 0D [Before last green result & Follow Call]
push ebp
mov ebp,esp
push -01

// Restore the original first byte (push ebp).
020714B0: // CUserLocal::ResetRuneStoneActionAndSendFailPacket: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow second call]
db 55

dealloc(Hook)

 

Edit: or just use this maybe (forget everything before):


 


[ENABLE]
// Cheat Engine auto-assembler script. Immediates are hexadecimal.
// Hook2 runs once, on a new thread, when the script is enabled.
// Hook replaces the first 5 bytes of CRuneStoneMgrForClient::Update
// (push ebp / mov ebp,esp / push -01, restored under [DISABLE]).
alloc(Hook,128)
alloc(Hook2,128)

CreateThread(Hook2)

Hook2:
// No null check on the loaded pointer before the call, and no visible
// synchronization with the game thread that owns this object.
mov ecx,[02D89C30] // CRuneStoneMgrForClient: bp CRuneStoneMgrForClient::Update and check ecx
call 0152AF40 // CRuneStoneMgrForClient::StartKeyInput: 68 F8 2A 00 00 6A 01 [First result & follow third call]
ret // ends the thread routine

Hook:
push ebp
mov ebp,esp
push -01
pushad // saves the 8 general registers only; EFLAGS is not preserved
mov ebx,ecx // CRuneStoneMgrForClient: 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B ? E8
// ebx keeps the this-pointer (ecx on entry) across the calls below; popad restores it.
mov ecx,ebx
call 0152AB10 // CRuneStoneMgrForClient::NoticeInRect: E8 ? ? ? ? A1 ? ? ? ? 89 ? ? 85 C0 0F 84 [Fifth result & start]
// Four KeyInput calls, each with ecx reloaded from ebx and one pushed
// argument: the virtual-key code (25..28 hex = VK_LEFT..VK_DOWN).
push 25 // Left arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 26 // Up arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 27 // Right arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 28 // Down arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
popad
jmp 0152A3A0+5 // resume in Update just past the 5 overwritten prologue bytes

0152A3A0:
jmp Hook // 5-byte relative jmp written over the prologue

020714B0:
db C3 // first byte (originally 55 = push ebp) becomes ret: the function returns immediately

[DISABLE]
// Restore the original 5-byte prologue of Update.
0152A3A0: // CRuneStoneMgrForClient::Update: E8 ? ? ? ? 8B 0D ? ? ? ? 85 ? 74 ? ? E8 ? ? ? ? 8B 0D [Before last green result & Follow Call]
push ebp
mov ebp,esp
push -01

// Restore the original first byte (push ebp).
020714B0: // CUserLocal::ResetRuneStoneActionAndSendFailPacket: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow second call]
db 55

dealloc(Hook)
dealloc(Hook2)

Keep in mind this only does the arrow input; you need to be close to the rune to do it. Either find the rune x,y and teleport to it or spoof CUser::GetPos to the rune x,y.

Edited by Korgon

42 minutes ago, Korgon said:

idk never happened to me before

try doing this perhaps:

1.enable it in game

2. disable it

3.Comment out line 12 & 13 (CRuneStoneMgrForClient::StartKeyInput)

4.Enable it.

5. Be close to the rune and try.



[ENABLE]
// Cheat Engine auto-assembler script. Immediates are hexadecimal.
// Hook replaces the first 5 bytes of CRuneStoneMgrForClient::Update
// (push ebp / mov ebp,esp / push -01, restored under [DISABLE]) and
// re-executes that prologue before its own work.
alloc(Hook,128)

Hook:
push ebp
mov ebp,esp
push -01
pushad // saves the 8 general registers only; EFLAGS is not preserved
mov ebx,ecx // CRuneStoneMgrForClient: 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B ? E8
// ebx keeps the this-pointer (ecx on entry) across the calls below; popad restores it.
mov ecx,ebx
call 0152AB10 // CRuneStoneMgrForClient::NoticeInRect: E8 ? ? ? ? A1 ? ? ? ? 89 ? ? 85 C0 0F 84 [Fifth result & start]
// Lines 12 & 13 referred to in the thread: StartKeyInput is called on every Update.
mov ecx,ebx
call 0152AF40 // CRuneStoneMgrForClient::StartKeyInput: 68 F8 2A 00 00 6A 01 [First result & follow third call]
// Four KeyInput calls, each with ecx reloaded from ebx and one pushed
// argument: the virtual-key code (25..28 hex = VK_LEFT..VK_DOWN).
push 25 // Left arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 26 // Up arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 27 // Right arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 28 // Down arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
popad
jmp 0152A3A0+5 // resume in Update just past the 5 overwritten prologue bytes

0152A3A0:
jmp Hook // 5-byte relative jmp written over the prologue

020714B0:
db C3 // first byte (originally 55 = push ebp) becomes ret: the function returns immediately

[DISABLE]
// Restore the original 5-byte prologue of Update.
0152A3A0: // CRuneStoneMgrForClient::Update: E8 ? ? ? ? 8B 0D ? ? ? ? 85 ? 74 ? ? E8 ? ? ? ? 8B 0D [Before last green result & Follow Call]
push ebp
mov ebp,esp
push -01

// Restore the original first byte (push ebp).
020714B0: // CUserLocal::ResetRuneStoneActionAndSendFailPacket: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow second call]
db 55

dealloc(Hook)

 

Edit: or just use this maybe (forget everything before):


 



[ENABLE]
// Cheat Engine auto-assembler script. Immediates are hexadecimal.
// Hook2 runs once, on a new thread, when the script is enabled.
// Hook replaces the first 5 bytes of CRuneStoneMgrForClient::Update
// (push ebp / mov ebp,esp / push -01, restored under [DISABLE]).
alloc(Hook,128)
alloc(Hook2,128)

CreateThread(Hook2)

Hook2:
// No null check on the loaded pointer before the call, and no visible
// synchronization with the game thread that owns this object.
mov ecx,[02D89C30] // CRuneStoneMgrForClient: bp CRuneStoneMgrForClient::Update and check ecx
call 0152AF40 // CRuneStoneMgrForClient::StartKeyInput: 68 F8 2A 00 00 6A 01 [First result & follow third call]
ret // ends the thread routine

Hook:
push ebp
mov ebp,esp
push -01
pushad // saves the 8 general registers only; EFLAGS is not preserved
mov ebx,ecx // CRuneStoneMgrForClient: 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B 0D ? ? ? ? E8 ? ? ? ? 8B ? E8
// ebx keeps the this-pointer (ecx on entry) across the calls below; popad restores it.
mov ecx,ebx
call 0152AB10 // CRuneStoneMgrForClient::NoticeInRect: E8 ? ? ? ? A1 ? ? ? ? 89 ? ? 85 C0 0F 84 [Fifth result & start]
// Four KeyInput calls, each with ecx reloaded from ebx and one pushed
// argument: the virtual-key code (25..28 hex = VK_LEFT..VK_DOWN).
push 25 // Left arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 26 // Up arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 27 // Right arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
push 28 // Down arrow
mov ecx,ebx
call 0152B810 // CRuneStoneMgrForClient::KeyInput: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow first call]
popad
jmp 0152A3A0+5 // resume in Update just past the 5 overwritten prologue bytes

0152A3A0:
jmp Hook // 5-byte relative jmp written over the prologue

020714B0:
db C3 // first byte (originally 55 = push ebp) becomes ret: the function returns immediately

[DISABLE]
// Restore the original 5-byte prologue of Update.
0152A3A0: // CRuneStoneMgrForClient::Update: E8 ? ? ? ? 8B 0D ? ? ? ? 85 ? 74 ? ? E8 ? ? ? ? 8B 0D [Before last green result & Follow Call]
push ebp
mov ebp,esp
push -01

// Restore the original first byte (push ebp).
020714B0: // CUserLocal::ResetRuneStoneActionAndSendFailPacket: 8B 0D ? ? ? ? 53 E8 ? ? ? ? 85 C0 75 ? 8B [Follow second call]
db 55

dealloc(Hook)
dealloc(Hook2)

keep in mind this only do the arrow input, you need to be close to the rune to do it. Either find the rune x,y and teleport to it or spoof CUser::GetPos to the rune x,y.

Yea. Tried both, still get the runtime error. Maybe it's because I'm on Win10 64-bit? Oh well.

