

Guide to Modifying the Client
Description
In-depth guide that shows you how to create different client hacks, such as a jump hack.
Instructions
The guide covers modifying the client to add jump, zoom and multi-client hacks, bypassing the launcher check, and finding the debug registers.
The guide is available for download in .doc form.
Multi-client / Launcher bypass
Credits: akson.
Download OllyDBG from OllyDbg v1.10
--------------*
Open OllyDBG
--------------*
File -> Open -> Choose your elementclient.exe
Right click -> Search for -> All referenced text strings (#pic1)
In the Text strings window
Scroll to the top and left-click any line (#pic2)
Right click -> Search for text
Key in "launch" -> OK
Double click the line with the ASCII string "Plz start game from launcher.exe" (#pic3)
In the CPU window
Double click JNZ SHORT 00XXXXXX; an Assemble box appears (#pic4)
Change JNZ to JMP -> press the Assemble button and close the box
Search the Text strings window again
Search for "running"
Do the same again: double click JE SHORT 00XXXXXX
Change JE to JMP -> press the Assemble button and close the box
Okay~
Right click in the CPU window -> Copy -> Select all
Right click in the CPU window -> Backup -> Update backup
Right click in the CPU window -> Copy to executable -> Selection (#pic5)
Olly will show a File window
Right click in the File window -> Save file
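The launcher check above is a single client-side conditional branch, so flipping one opcode byte removes it. The defensive counterpart, added here as an example and not part of the original guide, is a file integrity check: hashing the code region (or the whole executable) and comparing it with a known-good digest, plus a byte-level diff that reports where a short conditional jump has become an unconditional one. The sample bytes are constructed for the example; the only real facts relied on are the x86 short-jump opcodes (JE = 0x74, JNZ = 0x75, JMP = 0xEB). A real hash check would belong on the server side or in a launcher that is itself verified, since anything running on the client can be patched the same way.

```python
import hashlib
import hmac

# x86 one-byte short-jump opcodes (followed by a rel8 displacement).
JE_SHORT, JNZ_SHORT, JMP_SHORT = 0x74, 0x75, 0xEB

# Constructed stand-in for a few bytes of client code around a check:
#   test eax,eax ; jnz short +3 ; mov [esi+40],ecx ; mov eax,[edi]
ORIGINAL_CODE = bytes([0x85, 0xC0, 0x75, 0x03, 0x89, 0x4E, 0x40, 0x8B, 0x07])

# The same bytes after the guide's "change JNZ to JMP" edit (offset 2 becomes EB).
PATCHED_CODE = bytes(ORIGINAL_CODE[:2]) + bytes([JMP_SHORT]) + ORIGINAL_CODE[3:]


def sha256_hex(data: bytes) -> str:
    """Digest of the code region; a single flipped byte changes it completely."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(expected_hex: str, data: bytes) -> bool:
    """Constant-time comparison of the current digest against the known-good one."""
    return hmac.compare_digest(expected_hex, sha256_hex(data))


def flipped_branches(reference: bytes, current: bytes) -> list:
    """Offsets where a short JE/JNZ in the reference image is now a short JMP.

    This is the byte-level signature of the edit the guide performs in Olly.
    """
    if len(reference) != len(current):
        raise ValueError("images differ in length; compare like with like")
    flips = []
    for off, (ref_b, cur_b) in enumerate(zip(reference, current)):
        if ref_b in (JE_SHORT, JNZ_SHORT) and cur_b == JMP_SHORT:
            flips.append(off)
    return flips


if __name__ == "__main__":
    known_good = sha256_hex(ORIGINAL_CODE)
    print("original passes:", integrity_ok(known_good, ORIGINAL_CODE))
    print("patched passes: ", integrity_ok(known_good, PATCHED_CODE))
    print("flipped branch offsets:", flipped_branches(ORIGINAL_CODE, PATCHED_CODE))
```

The whole-file hash is the check a launcher would actually run; the opcode diff is what you would use during triage to explain which check was neutralised once a mismatch has been flagged.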
Zoom Hack
Credits: akson
Open Olly
Search for the following sequence of commands:
fadd dword ptr [esi+40]
fst dword ptr [esi+40]
004056BE . D985 CD000000 fld dword ptr [ebp+CD]
004056C4 . D846 40 fadd dword ptr [esi+40]
004056C7 . D956 40 fst dword ptr [esi+40]
004056CA . D81D FCAB8400 fcomp dword ptr [84ABFC]   <--- address may be XXXXXX
004056D0 . DFE0 fstsw ax
004056D2 . 25 00410000 and eax, 4100
004056D7 . EB 03 jnz short 004056DC   <--- change this jnz to jmp
004056D9 . 894E 40 mov dword ptr [esi+40], ecx
004056DC > 8B07 mov eax, dword ptr [edi]
004056DE . 3BC3 cmp eax, ebx
004056E0 . 0F85 E8000000 jnz 004057CE
Jump Hack
Note: this is different on different servers; I am finding a command that works for all.
Search:
mov edi,[esi+00000b08]
NOP the line below it: cmp edi,[XXXXXXX]
Else search:
MOV EAX,DWORD PTR DS:[ESI+62C]
MOV EDX,EAX
SHR EDX,7
TEST BL,DL
One of the results:
0045B7B6 |. 8BBE 080B0000 MOV EDI,DWORD PTR DS:[ESI+B08]
0045B7BC |. 8B0D B4EF8B00 MOV ECX,DWORD PTR DS:[8BEFB4]   <<-- address can be XXXXXX
0045B7C2 |. 3BF9 CMP EDI,ECX                              <<-- NOP this line
0045B7C4 |. 0F8D EB040000 JGE elementc.0045BCB5
0045B7CA |. 8A8E 0C0B0000 MOV CL,BYTE PTR DS:[ESI+B0C]
0045B7D0 |. 84C9 TEST CL,CL
Pic: jump1.jpg
Debug Registers
NPC ID (credits to ericjohn)
This will enable the NPC ID display.
Searching for the address that toggles the MP bar:
Search for the value 1 as a 1-byte value, untoggle the MP bar and search for 0, then toggle it back and search for 1 again; repeat until the search narrows down to a single address.
Finding the debug registers:
Using a hex calculator, subtract from the address of the MP toggle:
address of MP toggle - 0x3B = NPC ID
address of MP toggle - 0x2E = Misc
address of MP toggle - 0x2D = Coords
address of MP toggle - 0x2C = Dist
E.g. 0x57F834EA - 0x3B = 0x57F834AF
You can also debug the client to automate this.
Search for the command (where address = the MP toggle address):
MOV BYTE PTR DS:[address+2081],1 and change it to
MOV BYTE PTR DS:[npcid toggle address],1
and also change this:
MOV BYTE PTR DS:[address+2081],0 to
MOV BYTE PTR DS:[npcid toggle address],0
Video Hack
Search for this text: CECGame::Run(), break because CECGameRun::Tick return false
jmp 0042bfac
cmp [esi+00000418],bl
je XXXXXXXX
NOP the line below the cmp
New-Video Unfreeze