Tracing Hex Strings through Disassembly

#1 Post by Cozzie »

tracing hex strings through disassembly


1. please, no noobish posts! such posts will be TRASHED.
2. do not ask here what's a hex editor, disassembler, offset, etc. if you don't know these things by now, the guide won't make any sense.
3. don't ask here where to get a hex editor, disassembler, etc. i'm sure all of us here have already heard of google.
4. don't flood my inbox with PMs!

now that everything's clear, let's get on with the guide...



most guides only show you what hex values to look for & replace. normally, you'll be given:
search : 85 C0 74 09 5F 5E 32 C0
replace: 85 C0 EB 09 5F 5E 32 C0

within this string, only 74 09 is important. but there are plenty of other 74 09 values within the binary. that's why the other values beside it are included in the string to distinguish the relevant one.

that works. but only for that particular moment. when a new version of ragexe.exe goes out, most hex strings change. for example, the hex string might slightly change
from: 85 C0 74 09 5F 5E 32 C0
to: 89 C0 74 09 5F 5E 3F C0
you still need to change the same old 74 09 value but since the values beside it have changed slightly, you would no longer be able to find it (because you're still trying to search the old 85 C0 74 09 5F 5E 32 C0 string). so you'll have to wait for somebody to find the new hex strings again.

i'll show you how to trace the relevant values using disassembly so you can find the new strings by yourself.

first, open ragexe.exe in your disassembler (i use w32dasm). it'll take quite some time before the disassembly process finishes. it's a good idea to save the project so you won't have to disassemble the file again in case you want to re-open it some other time.



multiple client windows


there are two ways of doing this: in the older version of ragexes, you only need to replace 2 values. in the newer versions, you need to replace 5. i'll show the newer one first.

click functions -> imports



now look for mss32._AIL_open_3D_provider@4 in the list & double click on it.



now look for the jump (je or jne) within the block & double click it. take note of the hex value & offset. we'll need it later when we actually hex the client.



go back to the imports list & this time, look for USER32.RegisterClassA. there are 3 blocks this time. search for the jumps on each of them & like before, take note of the values & their offsets. you'll need all 3.



for the final value, return to the imports list & look for KERNEL32.WaitForSingleObject. as usual, search for the first jump & take note of the value & offset.



now that we have all the 5 values & offsets we need (1 from mss32._AIL_open_3D_provider@4, 3 from USER32.RegisterClassA, & 1 from KERNEL32.WaitForSingleObject), open ragexe.exe in your hex editor. (remember to make a backup copy first just in case you make a mistake in hexing.)

go to the offset of the first value (the one from mss32._AIL_open_3D_provider@4) & change the first hexadecimal to EB (change 74 09 to EB 09). (do i need to post screenshots for this?) in this particular ragexe, the value to be replaced is 74 09. but that's not always the case. sometimes it could be 74 08, 74 0E, or whatever. when that happens, just keep in mind that you only need to change the first hex to EB.

repeat the same steps for the next 4 values: go to the offset & change the first hex of the value to EB.

you're done once you've changed all 5 values. congratulations. your ragexe.exe now allows multiple clients.



removing gameguard


look for KERNEL32.WaitForSingleObject in the imports list (yes, it's the same one we used to get the last value for dual client). move two blocks down & look for the 3rd listed value. take note of the value & its offset.


open ragexe.exe in your hex editor. go to the offset & replace the whole value with 90s (change E8 03 28 ED FF to 90 90 90 90 90). like the hex value for dual client, the hex value for gameguard may also change depending on the ragexe version. just remember to replace the whole value (no matter how long it is) with 90s.

congratulations. gameguard is now disabled.



multiple client windows (for older clients)


if you're using an older version of ragexe.exe, you only need to replace 2 hex values.

first, search for USER32.FindWindowA. look for the jump & take note of the value & address.

lastly, search for KERNEL32.CreateMutexA. again, look for the jump & take note of the value & address.

now open your ragexe.exe on your hex editor & go to the offsets. then change the first hex of each value to EB.

congratulations. your ragexe.exe now allows multiple clients.



releasing hex strings for public use


if you want to release the hex string for other people (who don't know how to do this), just include the next few values beside the target value. for example:


you can give out the hex string as:
search : 85 C0 74 0E 5F 5E
replace: 85 C0 EB 0E 5F 5E

making really long hex strings is unnecessary. you only need enough to distinguish the target value. well actually, most lamers release really long hex strings (like: F2 65 00 85 C0 74 0E 5F 5E B8 01 00 blah blah blah) to make sure that they'll change on the next ragexe version. so when a new ragexe comes, they can release new hex strings & announce: "latest hex strings for <insert-letter-here>RO by <insert-name-here>". please, don't do that.



binding ROKit's ro_ws2.dat to the exe (to enable no sp teleport)
yeah, it has nothing to do with disassembly. but it's too useful to leave out. :P


before we start, i didn't write ROKit. unfortunately, i can't give credit to its author since i have no idea who he is & it's near-impossible to google japanese sites. well, whoever you are, thanks for making it. :D

first, download the file ROKit.zip & extract ro_ws2.dat in your ro directory. you won't need ROKit.exe (but you can still extract it in case you want to play around with it). now open your ragexe.exe in your hex editor.

search for the string (in ascii NOT hex) ws2_32.dll. there are 2 instances of the string. we only need the second one (the one near the string "Failed to load Winsock library!").


then change the string ws2_32.dll to ro_ws2.dat. save it, & you're done.

now when you play the game & you have the teleport skill (or you have a tele clip equipped), just type "tele" & you'll teleport w/o the annoying confirmation box & w/o consuming sp (just like a bot does). you can bind the word "tele" in your shortcuts (like alt+1) so you can just press it every time you want to teleport.



hope this helps. ^_^



EDIT: added ro_ws2.dat binding to enable teleport w/o using sp. ;)

Source: http://bibian.ath.cx/openkore/posting.p ... st&p=86483 by punkpudding
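A defender-side check, added here as an example and not code from the thread or from OpenKore: it compares a pristine copy of the client against a copy under test and labels each changed region using the three patch shapes the guide describes (a short JE/JNE forced to JMP, a CALL overwritten with 90s, an import name string rewritten). Both byte images below are constructed for the example; a real audit would read the two files from disk.

```python
import string
from typing import List, Tuple

# printable ASCII minus control whitespace; used to recognise rewritten strings
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def diff_regions(ref: bytes, img: bytes, gap: int = 3) -> List[Tuple[int, int]]:
    """Return (start, end) spans where img differs from ref. Runs separated by at
    most `gap` identical bytes are merged so a rewritten string is one span."""
    if len(ref) != len(img):
        raise ValueError("images differ in size; not an in-place patch")
    spans: List[Tuple[int, int]] = []
    for i, (a, b) in enumerate(zip(ref, img)):
        if a == b:
            continue
        if spans and i - spans[-1][1] <= gap:
            spans[-1] = (spans[-1][0], i + 1)
        else:
            spans.append((i, i + 1))
    return spans


def classify(ref: bytes, img: bytes, start: int, end: int) -> str:
    """Name the patch shape at one span, using the three edits the guide describes."""
    if ref[start] in (0x74, 0x75) and img[start] == 0xEB and end - start == 1:
        return "short JE/JNE forced unconditional (%02X -> EB)" % ref[start]
    if ref[start] == 0xE8 and img[start:start + 5] == b"\x90" * 5:
        return "5-byte CALL replaced with NOP sled"
    if all(c in PRINTABLE for c in ref[start:end] + img[start:end]):
        lo = ref.rfind(b"\x00", 0, start) + 1  # widen to the NUL-terminated string
        hi = ref.find(b"\x00", end)
        hi = len(ref) if hi < 0 else hi
        old, new = ref[lo:hi].decode("ascii", "replace"), img[lo:hi].decode("ascii", "replace")
        return "string rewritten: %r -> %r" % (old, new)
    return "unclassified %d-byte change" % (end - start)


def audit(ref: bytes, img: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every patched region of img relative to ref."""
    return [(s, classify(ref, img, s, e)) for s, e in diff_regions(ref, img)]


# Constructed reference: a JE block, a CALL, some filler, and an import-name string.
REF = (b"\x85\xC0\x74\x09\x5F\x5E\x32\xC0" + b"\xE8\x03\x28\xED\xFF" + b"\x33\xC0\x5F\x5E\xC3"
       + b"\x00ws2_32.dll\x00Failed to load Winsock library!\x00")
# The same image with the guide's three edits applied (also constructed).
IMG = (b"\x85\xC0\xEB\x09\x5F\x5E\x32\xC0" + b"\x90" * 5 + b"\x33\xC0\x5F\x5E\xC3"
       + b"\x00ro_ws2.dat\x00Failed to load Winsock library!\x00")

if __name__ == "__main__":
    for off, label in audit(REF, IMG):
        print("0x%X: %s" % (off, label))
```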

#2 Post by Cozzie »

reserved

#3 Post by Gaara »

doesn't removing gameguard make you vulnerable to keyloggers? :?:

#4 Post by h4rry84 »

yes it'll make you vulnerable to keyloggers.

#5 Post by ZaiR »

Does anyone have a backup of the other disassembly for the multi window? I think it's on page 2 or page 3 of this thread... the one who posted it is the one with the Vikings avatar.

#6 Post by Cozzie »

pass me the link and i'll edit it into the first post.

#7 Post by supplement »

i can't find the 3 jumps in USER32.RegisterClassA. can someone help me?

#8 Post by SkzBR »

Dear Cozzie,

First, good info for those who don't know how to do this.

Second,
I made a program that hooks a DLL and starts a thread in ragexe with a function of the DLL, just to learn about hooking, attaching, etc. But I want to know how it can be possible to make ragnarok load the DLL by itself. I've been searching on google and programming forums for about 1 week, but I didn't find it. If you can help me, I'll be very happy.

Sincerely,
SkzBR.

#9 Post by Stuff+ »

Ok, so I get how to do all that stuff, but how do you find the "USER32.RegisterClassA" part? Because I need the one for the zoom hex.

#10 Post by ezza »

@Cozzie - The RoKit link is dead!! Please update.