Unpacked Clients for pRO with ways of finding hex codes

#161 Post by noobotter »

@bilyakosta

I'm not really sure how heero traces his codes, though, but I found these codes using OllyDbg.
search:
85 c0 74 07 c6 05 e7 a2 98 00 01 33 db
replace:
85 c0 eb 07 c6 05 e7 a2 98 00 01 33 db

search:
85 c0 0f 85 d1 00 00 00 0f be 05 19 fe 89 00
replace:
85 c0 90 90 90 90 90 90 0f be 05 19 fe 89 00

search:
e8 42 27 dd ff 3b c6 74 75
replace:
90 90 90 90 90 90 90 90 90

Since the gdi and kernel imports are available, try heero's method during the Bifrost patch.
(I haven't tried this method though. :shock: )

OPENING MULTIPLE CLIENT WINDOWS

For the first string, search for gdi32.GetStockObject until you find the block that looks something like this:

* Referenced by a CALL at Address:
|:00788180   
|
:00786E40 83EC60                  sub esp, 00000060
:00786E43 A1401E8800              mov eax, dword ptr [00881E40]
:00786E48 33C4                    xor eax, esp
:00786E4A 8944245C                mov dword ptr [esp+5C], eax
:00786E4E A118F18600              mov eax, dword ptr [0086F118]
:00786E53 53                      push ebx
:00786E54 55                      push ebp
:00786E55 56                      push esi
:00786E56 8B742470                mov esi, dword ptr [esp+70]
:00786E5A 57                      push edi
:00786E5B 50                      push eax
:00786E5C 50                      push eax
:00786E5D 89742428                mov dword ptr [esp+28], esi
:00786E61 8935D06B9600            mov dword ptr [00966BD0], esi
:00786E67 FF1530377E00            call dword ptr [007E3730]
:00786E6D 85C0                    test eax, eax
:00786E6F 7407                    je 00786E78  <----------------- This is what we need to look for
:00786E71 C605EF6B960001          mov byte ptr [00966BEF], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00786E6F(C)
|
:00786E78 33DB                    xor ebx, ebx
:00786E7A 6A77                    push 00000077
:00786E7C 56                      push esi
:00786E7D 895C242C                mov dword ptr [esp+2C], ebx
:00786E81 C744243020667800        mov [esp+30], 00786620
:00786E89 895C2434                mov dword ptr [esp+34], ebx
:00786E8D 895C2438                mov dword ptr [esp+38], ebx
:00786E91 8974243C                mov dword ptr [esp+3C], esi
:00786E95 FF1534377E00            call dword ptr [007E3734]
:00786E9B 68007F0000              push 00007F00
:00786EA0 53                      push ebx
:00786EA1 89442440                mov dword ptr [esp+40], eax
:00786EA5 FF1550377E00            call dword ptr [007E3750]
:00786EAB 6A04                    push 00000004
:00786EAD 89442440                mov dword ptr [esp+40], eax

* Reference To: gdi32.GetStockObject, Ord:0000h
                                  |
:00786EB1 FF1574307E00            Call dword ptr [007E3074]
:00786EB7 89442440                mov dword ptr [esp+40], eax

The code we are after is above gdi32.GetStockObject, so scroll up a bit so you can find it.

Search:
85 C0 74 07 C6 05 EF 6B 96 00 01 33 DB
Replace:
85 C0 EB 07 C6 05 5E F6 B9 00 01 33 DB

For the second string, search for kernel32.CreateMutexA

* Possible StringData Ref from Data Obj ->"Global\%s"
                                  |
:007880DB 68E0168200              push 008216E0
:007880E0 50                      push eax
:007880E1 FF15B8377E00            call dword ptr [007E37B8]
:007880E7 83C418                  add esp, 00000018
:007880EA 56                      push esi
:007880EB 8D8C2424030000          lea ecx, dword ptr [esp+00000324]
:007880F2 51                      push ecx
:007880F3 56                      push esi
:007880F4 56                      push esi

* Reference To: kernel32.CreateMutexA, Ord:0000h
                                  |
:007880F5 FF1580317E00            Call dword ptr [007E3180]
:007880FB 50                      push eax
:007880FC FFD7                    call edi
:007880FE 85C0                    test eax, eax
:00788100 0F85D1000000            jne 007881D7  <----------------- This is what we need to look for
:00788106 0FBE0579F08700          movsx eax, byte ptr [0087F079]
:0078810D 0FBE157AF08700          movsx edx, byte ptr [0087F07A]
:00788114 0FBE0D78F08700          movsx ecx, byte ptr [0087F078]
:0078811B 03D0                    add edx, eax
:0078811D 0FBE0577F08700          movsx eax, byte ptr [0087F077]
:00788124 03D1                    add edx, ecx
:00788126 0FBE0D76F08700          movsx ecx, byte ptr [0087F076]
:0078812D 03D0                    add edx, eax
:0078812F 0FBE0575F08700          movsx eax, byte ptr [0087F075]
:00788136 03D1                    add edx, ecx
:00788138 0FBE0D74F08700          movsx ecx, byte ptr [0087F074]
:0078813F 03D0                    add edx, eax
:00788141 03D1                    add edx, ecx
:00788143 81FAC9020000            cmp edx, 000002C9
:00788149 0F8588000000            jne 007881D7
:0078814F B9E8199600              mov ecx, 009619E8
:00788154 E88745FEFF              call 0076C6E0
:00788159 E86277DEFF              call 0056F8C0  <---------------- This is for disabling GameGuard
:0078815E 3BC6                    cmp eax, esi
:00788160 7475                    je 007881D7

Search:
85 C0 0F 85 D1 00 00 00 0F BE 05 79 F0 87 00
Replace:
85 C0 90 90 90 90 90 90 0F BE 05 79 F0 87 00

That should enable you to run multiple Ragnarok clients now.

To disable GameGuard, just look at the above code for kernel32.CreateMutexA and look down a bit; I marked it already.

Search:
E8 62 77 DE FF
Replace:
90 90 90 90 90

That should disable GameGuard for the pRO client.
A storm is coming.
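
Seen from the integrity-checking side, the edits in the post above have a recognizable shape: a short conditional jump turned into an unconditional one, and a near conditional jump or a call overwritten with NOPs. The following is an added example, not code from the thread: it compares an image against a known-good copy and labels each difference. The function name and labels are assumptions, and the sample bytes are constructed from the first three search/replace strings quoted in the post.

```python
NOP = 0x90

# Constructed sample: the three search/replace byte strings quoted in the post,
# concatenated, standing in for a known-good image and a copy under inspection.
REFERENCE = bytes.fromhex(
    "85c07407c605e7a298000133db"
    "85c00f85d10000000fbe0519fe8900"
    "e84227ddff3bc67475")
SUSPECT = bytes.fromhex(
    "85c0eb07c605e7a298000133db"
    "85c09090909090900fbe0519fe8900"
    "909090909090909090")


def classify_patches(original: bytes, modified: bytes):
    """Return (offset, kind) for each place `modified` departs from `original`.

    Heuristic: assumes a difference starts on an x86 instruction boundary,
    which holds for deliberate instruction-level patches like the ones above.
    """
    if len(original) != len(modified):
        raise ValueError("images differ in length; compare section by section")
    findings, i, n = [], 0, len(original)
    while i < n:
        if original[i] == modified[i]:
            i += 1
            continue
        o, m = original[i:], modified[i:]
        if o[0] == 0xE8 and m[:5] == bytes([NOP]) * 5:
            kind, size = "call-removed", 5        # CALL rel32 overwritten with NOPs
        elif (o[0] == 0x0F and len(o) > 1 and 0x80 <= o[1] <= 0x8F
              and m[:6] == bytes([NOP]) * 6):
            kind, size = "branch-removed", 6      # Jcc rel32 overwritten with NOPs
        elif 0x70 <= o[0] <= 0x7F and len(o) > 1 and m[0] == 0xEB and m[1] == o[1]:
            kind, size = "branch-forced", 2       # Jcc rel8 turned into JMP rel8
        elif 0x70 <= o[0] <= 0x7F and m[:2] == bytes([NOP]) * 2:
            kind, size = "branch-removed", 2      # Jcc rel8 overwritten with NOPs
        else:
            kind, size = "other", 1               # any other modified byte
        findings.append((i, kind))
        i += size
    return findings


if __name__ == "__main__":
    for offset, kind in classify_patches(REFERENCE, SUSPECT):
        print(f"offset 0x{offset:04x}: {kind}")
```

A result containing `branch-forced`, `branch-removed` or `call-removed` means a check was neutralized rather than the code being rebuilt, which is the signal a launcher or server-side file verification would alert on.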

#162 Post by bilyakosta »

wow! thanks for the quick response.
i traced my own strings using this new tutorial..
i'm gonna try this now..

i'm saving this for my future reference..
thanks again for the help! :D

more power to this forum and to your team.. ;)

EDIT: it worked!! :D 8-)

#163 Post by kervy »

Stripper can't unpack it.. which makes the GameGuard still present even though I put the hex codes said in this post.

#164 Post by rencecute »

How would I get the ragexe.exe file that sizes 4.x+ mb? I've downloaded the latest installer of Philippine Ragnarok Online. Installed it. And patched every single client - from Ragnarok, Sakray, New Iris, and etc. - but still, I only get the ragexe.exe that sizes 1.x+ mb. So I suppose it is not yet unpacked.

Thank you in advance.

#165 Post by noobotter »

Like what you've said, it's not yet unpacked so you need to unpack it using stripper provided on the first post of this thread.

#166 Post by rencecute »

Ohh... Okay. It was written on the first page that the latest patch gives you an already-unpacked ragexe.exe so I assumed I would get a 4.x+ mb ragexe.exe after updating everything.

Well anyways, thank you for the response. I'll go on unpacking it now. Thanks.


EDIT:

Tried every stripper I have (v2.07, v2.11, and v2.13), they all don't work. They just show a dialog box saying "can not start service...". Tried also changing their compatibilities and running them with admin rights, but they all end up with the same dialog box.

Sir noobotter, would you mind sharing your latest unpacked ragexe.exe? :D

#167 Post by noobotter »

heero hasn't updated the first post yet. Stripper doesn't work on Win7 OS as far as I know. Try to use a WinXP OS.

#168 Post by rencecute »

Okay. I'll give you feedback of whatever happens. Thank you.

EDIT:

Too bad. No more winXP here in the house. >.< My laptop runs at win7 x64. My aunt's desktop has the same. And the laptop and desktop of my two brothers run at win8 x32. None of the three versions of Stripper worked on any computer. >.<

Would you mind, sir noobotter, if I asked you for a copy of your unpacked ragexe.exe? Though it's not yet hexed, it's okay. Please? Thanks.

#169 Post by noobotter »

Here. http://www.mediafire.com/?8ib64n85fgr6tvw

#170 Post by rencecute »

Thank you very much. :)
