Openkore.com

OpenKore Forums
It is currently 24 Sep 2017, 17:00

All times are UTC - 5 hours [ DST ]



Forum rules


This server is currently not maintained and tables folder (including connection info) is outdated. Read the wiki for instructions on how to update those information. Please contribute your updated info. Contact Cozzie to join the team as a regular server supporter.



Post new topic This topic is locked, you cannot edit posts or make further replies.  [ 309 posts ]  Go to page 1, 2, 3, 4, 5 ... 31  Next
Author Message
 Post subject: Unpacked Clients for pRO with ways of finding hex codes
PostPosted: 27 Sep 2012, 11:54 
Offline
Super Moderators
Super Moderators

Joined: 04 Apr 2008, 11:12
Posts: 161
Unpacked exe links Updated 07/29/2014
You can use either one of these unpacked ragexe
unpacked ragexe.exe by heero, http://www.mediafire.com/download/5e996 ... 9-2014.zip
unpacked sakexe.exe by heero, http://www.mediafire.com/download/up0na ... 9-2014.zip
unpacked f2pexe.exe by heero, http://www.mediafire.com/download/gfp0k ... 9-2014.zip

The files above are for people who don't know how to unpack Ragnarok exe

figured I should post this since people have been having problems with multiple window hexing
Belladonas - credit for the original posts
Old guide - viewtopic.php?p=33

Files used along with this post:
(OBSOLETE no longer used) Ragexe.exe unpacker - http://www.mediafire.com/?8ie73qzx9bnz0ll
(New) Video on how to unpack ragexe.exe - http://forums.openkore.com/viewtopic.php?p=223339#p223339
URSoft W32DASM V8.93 - http://www.exetools.com/disassemblers.htm
XVI32 Hex Editor - http://www.chmaas.handshake.de/delphi/f ... /xvi32.htm

Latest method to finding Hex Codes.
Seems like some of the codes have reverted back to the older way they were referenced I am posting another guide here.
The 1st hex code for Multiple Client Window.
Code:
* Reference To: user32.FindWindowA, Ord:00E4h
                                  |
:008219C4 FF1574878B00            Call dword ptr [008B8774]
:008219CA 85C0                    test eax, eax
:008219CC 7407                    je 008219D5  <----------------- 1st Hex code for Multiple Client Window
:008219CE C6057B24A70001          mov byte ptr [00A7247B], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:008219CC(C)
|
:008219D5 53                      push ebx
:008219D6 57                      push edi
:008219D7 33FF                    xor edi, edi
:008219D9 6A77                    push 00000077
:008219DB 56                      push esi
:008219DC 897DA0                  mov dword ptr [ebp-60], edi
:008219DF C745A430118200          mov [ebp-5C], 00821130
:008219E6 897DA8                  mov dword ptr [ebp-58], edi
:008219E9 897DAC                  mov dword ptr [ebp-54], edi
:008219EC 8975B0                  mov dword ptr [ebp-50], esi


Search:
FF 15 74 87 8B 00 85 C0 74 07 C6 05
Replace:
FF 15 74 87 8B 00 85 C0 EB 07 C6 05

The 2nd hex code for Multiple Client Window
Code:
* Reference To: kernel32.CreateMutexA, Ord:005Dh
                                  |
:008228D1 FF15E0818B00            Call dword ptr [008B81E0]
:008228D7 50                      push eax

* Reference To: kernel32.WaitForSingleObject, Ord:037Fh
                                  |
:008228D8 FF155C828B00            Call dword ptr [008B825C]
:008228DE 85C0                    test eax, eax
:008228E0 740A                    je 008228EC  <----------------- 2nd hex code for Multiple Client Window

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0082292E(C), :00822941(C), :00822969(C)
|
:008228E2 B801000000              mov eax, 00000001
:008228E7 E9B4030000              jmp 00822CA0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:008228E0(C)
|
:008228EC 0FBE0DD5519800          movsx ecx, byte ptr [009851D5]
:008228F3 0FBE05D6519800          movsx eax, byte ptr [009851D6]
:008228FA 0FBE15D4519800          movsx edx, byte ptr [009851D4]
:00822901 03C1                    add eax, ecx
:00822903 0FBE0DD3519800          movsx ecx, byte ptr [009851D3]
:0082290A 03C2                    add eax, edx
:0082290C 0FBE15D2519800          movsx edx, byte ptr [009851D2]
:00822913 03C1                    add eax, ecx
:00822915 0FBE0DD1519800          movsx ecx, byte ptr [009851D1]
:0082291C 03C2                    add eax, edx
:0082291E 0FBE15D0519800          movsx edx, byte ptr [009851D0]
:00822925 03C1                    add eax, ecx
:00822927 03C2                    add eax, edx
:00822929 3DC9020000              cmp eax, 000002C9
:0082292E 75B2                    jne 008228E2
:00822930 B908E1A600              mov ecx, 00A6E108
:00822935 E8F683FDFF              call 007FAD30
:0082293A E851FBD8FF              call 005B2490  <---------------- This is for disabling GameGuard
:0082293F 3BC6                    cmp eax, esi
:00822941 749F                    je 008228E2

* Possible StringData Ref from Data Obj ->"resNameTable.txt"
                                  |
:00822943 6808C68F00              push 008FC608
:00822948 E8B3BCD9FF              call 005BE600
:0082294D 8BC8                    mov ecx, eax
:0082294F E81CB4D9FF              call 005BDD70


Search:
FF 15 5C 82 8B 00 85 C0 74 0A B8 01
Replace:
FF 15 5C 82 8B 00 85 C0 EB 0A B8 01

The 3rd hex code for Multiple Client Window
Code:
* Reference To: mss32._AIL_open_3D_provider@4, Ord:0076h
                                  |
:006E0591 FF153C898B00            Call dword ptr [008B893C]
:006E0597 85C0                    test eax, eax
:006E0599 0F85D0FEFFFF            jne 006E046F  <----------------- 3rd hex code for Mutiple Client Window
:006E059F 8B0DAC95A500            mov ecx, dword ptr [00A595AC]
:006E05A5 51                      push ecx

* Reference To: mss32._AIL_3D_speaker_type@4, Ord:0012h
                                  |
:006E05A6 FF1540898B00            Call dword ptr [008B8940]
:006E05AC 83F8FF                  cmp eax, FFFFFFFF


Search:
FF 15 3C 89 8B 00 85 C0 0F 85 D0 FE FF FF 8B 0D AC 95 A5 00
Replace:
FF 15 3C 89 8B 00 85 C0 0F 90 90 90 90 90 8B 0D AC 95 A5 00

If you want the hex code for gameguard look at the 2nd Multiple Client Window hex code I marked it there
Search:
E8 51 FB D8 FF 3B C6 74 9F
Replace:
90 90 90 90 90 90 90 90 90

The method listed below are obsolete and only kept for future reference.
Old method 1

OPENING MULTIPLE CLIENT WINDOWS
For the first string, search for gdi32.GetStockObject until you find the block that looks something like this:

Code:
* Referenced by a CALL at Address:
|:00788180   
|
:00786E40 83EC60                  sub esp, 00000060
:00786E43 A1401E8800              mov eax, dword ptr [00881E40]
:00786E48 33C4                    xor eax, esp
:00786E4A 8944245C                mov dword ptr [esp+5C], eax
:00786E4E A118F18600              mov eax, dword ptr [0086F118]
:00786E53 53                      push ebx
:00786E54 55                      push ebp
:00786E55 56                      push esi
:00786E56 8B742470                mov esi, dword ptr [esp+70]
:00786E5A 57                      push edi
:00786E5B 50                      push eax
:00786E5C 50                      push eax
:00786E5D 89742428                mov dword ptr [esp+28], esi
:00786E61 8935D06B9600            mov dword ptr [00966BD0], esi
:00786E67 FF1530377E00            call dword ptr [007E3730]
:00786E6D 85C0                    test eax, eax
:00786E6F 7407                    je 00786E78  <----------------- This is what we need to look for
:00786E71 C605EF6B960001          mov byte ptr [00966BEF], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00786E6F(C)
|
:00786E78 33DB                    xor ebx, ebx
:00786E7A 6A77                    push 00000077
:00786E7C 56                      push esi
:00786E7D 895C242C                mov dword ptr [esp+2C], ebx
:00786E81 C744243020667800        mov [esp+30], 00786620
:00786E89 895C2434                mov dword ptr [esp+34], ebx
:00786E8D 895C2438                mov dword ptr [esp+38], ebx
:00786E91 8974243C                mov dword ptr [esp+3C], esi
:00786E95 FF1534377E00            call dword ptr [007E3734]
:00786E9B 68007F0000              push 00007F00
:00786EA0 53                      push ebx
:00786EA1 89442440                mov dword ptr [esp+40], eax
:00786EA5 FF1550377E00            call dword ptr [007E3750]
:00786EAB 6A04                    push 00000004
:00786EAD 89442440                mov dword ptr [esp+40], eax

* Reference To: gdi32.GetStockObject, Ord:0000h
                                  |
:00786EB1 FF1574307E00            Call dword ptr [007E3074]
:00786EB7 89442440                mov dword ptr [esp+40], eax


The code we are after is up gdi32.GetStockObject so scroll up a bit so you can find it.

Search:
85 C0 74 07 C6 05 EF 6B 96 00 01 33 DB
Replace:
85 C0 EB 07 C6 05 5E F6 B9 00 01 33 DB

For the second string, search for kernel32.CreateMutexA

Code:
* Possible StringData Ref from Data Obj ->"Global\%s"
                                  |
:007880DB 68E0168200              push 008216E0
:007880E0 50                      push eax
:007880E1 FF15B8377E00            call dword ptr [007E37B8]
:007880E7 83C418                  add esp, 00000018
:007880EA 56                      push esi
:007880EB 8D8C2424030000          lea ecx, dword ptr [esp+00000324]
:007880F2 51                      push ecx
:007880F3 56                      push esi
:007880F4 56                      push esi

* Reference To: kernel32.CreateMutexA, Ord:0000h
                                  |
:007880F5 FF1580317E00            Call dword ptr [007E3180]
:007880FB 50                      push eax
:007880FC FFD7                    call edi
:007880FE 85C0                    test eax, eax
:00788100 0F85D1000000            jne 007881D7  <----------------- This is what we need to look for
:00788106 0FBE0579F08700          movsx eax, byte ptr [0087F079]
:0078810D 0FBE157AF08700          movsx edx, byte ptr [0087F07A]
:00788114 0FBE0D78F08700          movsx ecx, byte ptr [0087F078]
:0078811B 03D0                    add edx, eax
:0078811D 0FBE0577F08700          movsx eax, byte ptr [0087F077]
:00788124 03D1                    add edx, ecx
:00788126 0FBE0D76F08700          movsx ecx, byte ptr [0087F076]
:0078812D 03D0                    add edx, eax
:0078812F 0FBE0575F08700          movsx eax, byte ptr [0087F075]
:00788136 03D1                    add edx, ecx
:00788138 0FBE0D74F08700          movsx ecx, byte ptr [0087F074]
:0078813F 03D0                    add edx, eax
:00788141 03D1                    add edx, ecx
:00788143 81FAC9020000            cmp edx, 000002C9
:00788149 0F8588000000            jne 007881D7
:0078814F B9E8199600              mov ecx, 009619E8
:00788154 E88745FEFF              call 0076C6E0
:00788159 E86277DEFF              call 0056F8C0  <---------------- This is for disabling GameGuard
:0078815E 3BC6                    cmp eax, esi
:00788160 7475                    je 007881D7


Search:
85 C0 0F 85 D1 00 00 00 0F BE 05 79 F0 87 00
Replace:
85 C0 90 90 90 90 90 90 0F BE 05 79 F0 87 00

That should enable you to run multiple ragnarok clients now.

To disable GameGuard just look at the above code for kernel32.CreateMutexA and look down a bit I marked it already.

Search:
E8 62 77 DE FF
Replace:
90 90 90 90 90

That should disable GameGuard for the pRO client


Old method 2
OPENING MULTIPLE CLIENTS OF RAGNAROK
First step is to search for WINMM.timeBeginPeriod it should look like the code below

Code:
* Reference To: WINMM.timeBeginPeriod, Ord:0090h
                                  |
:0079FC15 FF15F8E77F00            Call dword ptr [007FE7F8]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0079FBE6(C)
|
:0079FC1B E83087EEFF              call 00688350
:0079FC20 56                      push esi
:0079FC21 FF150CEA7F00            call dword ptr [007FEA0C]
:0079FC27 6A3F                    push 0000003F
:0079FC29 8D942425030000          lea edx, dword ptr [esp+00000325]
:0079FC30 56                      push esi
:0079FC31 52                      push edx
:0079FC32 C684242C03000000        mov byte ptr [esp+0000032C], 00
:0079FC3A E825F30000              call 007AEF64

* Possible StringData Ref from Data Obj ->"Surface"
                                  |
:0079FC3F 68A4BD8900              push 0089BDA4
:0079FC44 8D842430030000          lea eax, dword ptr [esp+00000330]
:0079FC4B 68F8D48300              push 0083D4F8
:0079FC50 50                      push eax
:0079FC51 FF15B0E77F00            call dword ptr [007FE7B0]
:0079FC57 83C418                  add esp, 00000018
:0079FC5A 56                      push esi
:0079FC5B 8D8C2424030000          lea ecx, dword ptr [esp+00000324]
:0079FC62 51                      push ecx
:0079FC63 56                      push esi
:0079FC64 56                      push esi
:0079FC65 FF157CE17F00            call dword ptr [007FE17C]
:0079FC6B 50                      push eax
:0079FC6C FFD7                    call edi
:0079FC6E 85C0                    test eax, eax
:0079FC70 0F85D1000000            jne 0079FD47  <----------------- This is what we need to edit first
:0079FC76 0FBE05A9BD8900          movsx eax, byte ptr [0089BDA9]
:0079FC7D 0FBE15AABD8900          movsx edx, byte ptr [0089BDAA]
:0079FC84 0FBE0DA8BD8900          movsx ecx, byte ptr [0089BDA8]
:0079FC8B 03D0                    add edx, eax
:0079FC8D 0FBE05A7BD8900          movsx eax, byte ptr [0089BDA7]
:0079FC94 03D1                    add edx, ecx
:0079FC96 0FBE0DA6BD8900          movsx ecx, byte ptr [0089BDA6]
:0079FC9D 03D0                    add edx, eax
:0079FC9F 0FBE05A5BD8900          movsx eax, byte ptr [0089BDA5]
:0079FCA6 03D1                    add edx, ecx
:0079FCA8 0FBE0DA4BD8900          movsx ecx, byte ptr [0089BDA4]
:0079FCAF 03D0                    add edx, eax
:0079FCB1 03D1                    add edx, ecx
:0079FCB3 81FAC9020000            cmp edx, 000002C9
:0079FCB9 0F8588000000            jne 0079FD47
:0079FCBF B9680A9800              mov ecx, 00980A68
:0079FCC4 E80745FEFF              call 007841D0
:0079FCC9 E89226DDFF              call 00572360  <---------------- This is for disabling GameGuard
:0079FCCE 3BC6                    cmp eax, esi
:0079FCD0 7475                    je 0079FD47
:0079FCD2 68E4D48300              push 0083D4E4
:0079FCD7 E814D6DDFF              call 0057D2F0
:0079FCDC 8BC8                    mov ecx, eax
:0079FCDE E85DC3DDFF              call 0057C040
:0079FCE3 8B942480030000          mov edx, dword ptr [esp+00000380]
:0079FCEA 8B442418                mov eax, dword ptr [esp+18]
:0079FCEE 52                      push edx
:0079FCEF 50                      push eax
:0079FCF0 E8BBECFFFF              call 0079E9B0  <---------------- Take note of this line you will need it later
:0079FCF5 83C408                  add esp, 00000008
:0079FCF8 85C0                    test eax, eax
:0079FCFA 744B                    je 0079FD47
:0079FCFC 8D4C2440                lea ecx, dword ptr [esp+40]


The first line I marked above is what we need to edit.

Search:
85 C0 0F 85 D1 00 00 00 0F BE 05 A9 BD 89 00
Replace:
85 C0 90 90 90 90 90 90 0F BE 05 A9 BD 89 00

Now remember the line I wanted you to take note of call 0079E9B0 we must search for :0079E9B0 (dont forget the colon thats important) when you find :0079E9B0 it should look like the lines below

Code:
* Referenced by a CALL at Address:
|:0079FCF0   
|
:0079E9B0 83EC60                  sub esp, 00000060
:0079E9B3 A170E78900              mov eax, dword ptr [0089E770]
:0079E9B8 33C4                    xor eax, esp
:0079E9BA 8944245C                mov dword ptr [esp+5C], eax
:0079E9BE A138C18800              mov eax, dword ptr [0088C138]
:0079E9C3 53                      push ebx
:0079E9C4 55                      push ebp
:0079E9C5 56                      push esi
:0079E9C6 8B742470                mov esi, dword ptr [esp+70]
:0079E9CA 57                      push edi
:0079E9CB 50                      push eax
:0079E9CC 50                      push eax
:0079E9CD 89742428                mov dword ptr [esp+28], esi
:0079E9D1 8935685D9800            mov dword ptr [00985D68], esi
:0079E9D7 FF1528E77F00            call dword ptr [007FE728]
:0079E9DD 85C0                    test eax, eax
:0079E9DF 7407                    je 0079E9E8  <----------------- This is what we need to look for
:0079E9E1 C605875D980001          mov byte ptr [00985D87], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0079E9DF(C)
|
:0079E9E8 33DB                    xor ebx, ebx
:0079E9EA 6A77                    push 00000077
:0079E9EC 56                      push esi
:0079E9ED 895C242C                mov dword ptr [esp+2C], ebx
:0079E9F1 C744243090E17900        mov [esp+30], 0079E190
:0079E9F9 895C2434                mov dword ptr [esp+34], ebx
:0079E9FD 895C2438                mov dword ptr [esp+38], ebx
:0079EA01 8974243C                mov dword ptr [esp+3C], esi
:0079EA05 FF152CE77F00            call dword ptr [007FE72C]
:0079EA0B 68007F0000              push 00007F00
:0079EA10 53                      push ebx
:0079EA11 89442440                mov dword ptr [esp+40], eax
:0079EA15 FF1548E77F00            call dword ptr [007FE748]
:0079EA1B 6A04                    push 00000004
:0079EA1D 89442440                mov dword ptr [esp+40], eax
:0079EA21 FF1570E07F00            call dword ptr [007FE070]
:0079EA27 89442440                mov dword ptr [esp+40], eax
:0079EA2B A138C18800              mov eax, dword ptr [0088C138]
:0079EA30 8D4C2424                lea ecx, dword ptr [esp+24]
:0079EA34 51                      push ecx
:0079EA35 895C2448                mov dword ptr [esp+48], ebx
:0079EA39 8944244C                mov dword ptr [esp+4C], eax
:0079EA3D FF1530E77F00            call dword ptr [007FE730]


Now we just search for the line we marked.

Search:
85 C0 74 07 C6 05 87 5D 98 00 01 33 DB
Replace:
85 C0 EB 07 C6 05 87 5D 98 00 01 33 DB

That should enable you to run multiple ragnarok clients now.

To disable GameGuard just look at the above code for WINMM.timeBeginPeriod and look down a bit I marked it already.

Search:
E8 92 26 DD FF 3B C6 74 75
Replace:
90 90 90 90 90 90 90 90 90

That should disable GameGuard for the pRO client.


Top
 Profile  
 
 Post subject: Re: Unpacked Clients for pRO with ways of finding hex codes
PostPosted: 27 Sep 2012, 11:58 
Offline
Noob
Noob
User avatar

Joined: 16 Sep 2010, 09:00
Posts: 15
Location: Quezon City, Philippines
you're a heero indeed!!! \m/
ima do this now. thanks so much for the time and effort!!! kudos to you and your team!! :D


Top
 Profile  
 
 Post subject: Re: Unpacked Clients for pRO with ways of finding hex codes
PostPosted: 27 Sep 2012, 12:02 
Offline
Super Moderators
Super Moderators

Joined: 04 Apr 2008, 11:12
Posts: 161
Post replies here if you have problems with the client. I did'nt do much testing with this since I am kinda busy as well.


Top
 Profile  
 
 Post subject: Re: Unpacked Clients for pRO with ways of finding hex codes
PostPosted: 27 Sep 2012, 12:03 
Offline
Noob
Noob

Joined: 26 Sep 2012, 18:14
Posts: 2
I really need to know these assembly workaround T_T ...

thank you very much heero !!

will test now..


Top
 Profile  
 
 Post subject: Re: Unpacked Clients for pRO with ways of finding hex codes
PostPosted: 27 Sep 2012, 12:18 
Offline
Noob
Noob
User avatar

Joined: 16 Sep 2010, 09:00
Posts: 15
Location: Quezon City, Philippines
just want to ask, is there a working no SP tele?


Top
 Profile  
 
 Post subject: Re: Unpacked Clients for pRO with ways of finding hex codes
PostPosted: 27 Sep 2012, 12:50 
Offline
Noob
Noob

Joined: 01 Apr 2012, 01:01
Posts: 3
I downloaded the file under mediafire and renamed the .exe to my server (New Iris) and overwrite my current .exe but it seems like the gameguard is still active. Did I miss something sir heero?


Top
 Profile  
 
 Post subject: Re: Unpacked Clients for pRO with ways of finding hex codes
PostPosted: 27 Sep 2012, 13:01 
Offline
Super Moderators
Super Moderators

Joined: 04 Apr 2008, 11:12
Posts: 161
orange193 wrote:
I downloaded the file under mediafire and renamed the .exe to my server (New Iris) and overwrite my current .exe but it seems like the gameguard is still active. Did I miss something sir heero?


I take it you did'nt read my first post READ IT AGAIN FROM TOP TO BOTTOM and dont give me the too long did'nt read answer or I may have to stop updating this.

bilyakosta wrote:
just want to ask, is there a working no SP tele?


Sorry I no longer do that kind of thing since I am a bit busy, I am only focusing on what is needed nothing more.


Top
 Profile  
 
 Post subject: Re: Unpacked Clients for pRO with ways of finding hex codes
PostPosted: 27 Sep 2012, 15:04 
Offline
Noob
Noob

Joined: 01 Apr 2012, 01:01
Posts: 3
I apologize for my stupidity I thought it was a ready-to-go .exe

Thanks for the guide and have a Good Day.


Top
 Profile  
 
 Post subject: Re: Unpacked Clients for pRO with ways of finding hex codes
PostPosted: 27 Sep 2012, 18:49 
Offline
Noob
Noob

Joined: 27 Sep 2012, 14:14
Posts: 1
Location: Here
Thank you, heero. It works 100%.

_________________
To bot is human, to hex divine.


Top
 Profile  
 
 Post subject: Re: Unpacked Clients for pRO with ways of finding hex codes
PostPosted: 27 Sep 2012, 20:24 
Offline
Noob
Noob

Joined: 11 Feb 2012, 00:04
Posts: 2
Hi Sir Heero,

I used to hex my own client but ever since they changed it so that you need to unpack it first I haven't been able to figure it out.
What I mean is, I can hex my own client but I would need the unpacked ragexe first.

Would you mind telling me what program I need to use to unpack the ragexe? I tried using stripperX but its not working and the output is messed up.
Could you create a guide for that part so we could do the hexing ourselves starting from the packed ragexe?

Thanks!


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic This topic is locked, you cannot edit posts or make further replies.  [ 309 posts ]  Go to page 1, 2, 3, 4, 5 ... 31  Next

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group