Guide to Modifying the Client
Description
In-depth guide that shows you how to create different client hacks such as jump hack, etc.
Instructions
In the guide, it will teach you how to modify the client to have jump, zoom, multi and launcher bypass, and how to find debug registers. The guide is in .doc form, available for download.

Multi-client bypass / Launcher (credits: akson)

Download OllyDbg from OllyDbg v1.10
* Open OllyDbg
* File -> Open -> Choose your elementclient.exe
* Right click -> Search for -> All referenced text strings (#pic1)
* In the Text strings window, scroll to top & left click any line (#pic2)
* Right click -> Search for Text, key in "launch" -> OK
* Double click the line of ASCII "Plz start game from launcher.exe" (#pic3)
* In the CPU window, double click JNZ SHORT 00XXXXXX; this will show an Assemble box (#pic4)
* Change JNZ to JMP -> press the Assemble button & close the box
* Find again text in the Text strings window: search for "running"
* Do it again: double click JE SHORT 00XXXXXX, change JE to JMP -> press the Assemble button & close the box
* Okay~ right click in the CPU window -> Copy -> Select all
* Right click in the CPU window -> Backup -> Update backup
* Right click in the CPU window -> Copy to Executable -> Selection (#pic5)
* Olly will show a File window; right click in the File window -> Save file

Zoom Hack (credits: akson)

Open Olly and search for the sequence of commands:
    fadd dword ptr [esi+40]
    fst dword ptr [esi+40]

    004056BE  . D985 CD000000   fld dword ptr [ebp+CD]
    004056C4  . D846 40         fadd dword ptr [esi+40]
    004056C7  . D956 40         fst dword ptr [esi+40]
    004056CA  . D81D FCAB8400   fcomp dword ptr [84ABFC]      (may be XXXXXX)
    004056D0  . DFE0            fstsw ax
    004056D2  . 25 00410000     and eax, 4100
    004056D7  . EB 03           jnz short 004056DC            <--- jnz: change to jmp
    004056D9  . 894E 40         mov dword ptr [esi+40], ecx
    004056DC  > 8B07            mov eax, dword ptr [edi]
    004056DE  . 3BC3            cmp eax, ebx
    004056E0  . 0F85 E8000000   jnz 004057CE

Jump Hack

Note: this is different on different servers. I am trying to find a command that works for all.

Search: mov edi,[esi+00000b08]
NOP the line below it: cmp edi,[XXXXXXX]

Else search for:
    MOV EAX,DWORD PTR DS:[ESI+62C]
    MOV EDX,EAX
    SHR EDX,7
    TEST BL,DL

One of the results, with:
    0045B7B6  |. 8BBE 080B0000   MOV EDI,DWORD PTR DS:[ESI+B08]
    0045B7BC  |. 8B0D B4EF8B00   MOV ECX,DWORD PTR DS:[8BEFB4]     << can be XXXXXX
    0045B7C2  |. 3BF9            CMP EDI,ECX                       << NOP
    0045B7C4  |. 0F8D EB040000   JGE elementc.0045BCB5
    0045B7CA  |. 8A8E 0C0B0000   MOV CL,BYTE PTR DS:[ESI+B0C]
    0045B7D0  |. 84C9            TEST CL,CL
Pic: jump1.jpg

Debug Registers

NPC ID (credits to ericjohn): this will enable the NPC ID.

Searching for the address that toggles the MP bar: search for 1 in 1 byte, then untoggle it and search for 0, until it narrows down your search. After you have found it:

Finding the debug register: using a hex calculator,
    address of toggle MP - 0x3B  (NPC ID)
                         - 0x2E  (Misc)
                         - 0x2D  (Coords)
                         - 0x2C  (Dist)
Eg. 57F834EA - 3B = 57F834AF

You can also debug the client to automate this. Search for the command (address = toggle MP address):
    MOV BYTE PTR DS:[address+2081],1
and change it to
    MOV BYTE PTR DS:[npcid toggle address],1
and also change this:
    MOV BYTE PTR DS:[address+2081],0
to
    MOV BYTE PTR DS:[npcid toggle address],0

Video Hack

Search this text: "CECGame::Run(), break because CECGameRun::Tick return false"
    jmp 0042bfac
    cmp [esi+00000418],bl
    je XXXXXXXX
NOP the line below the cmp.

New-Video Unfreeze

