I'm not really sure how heero traces his codes, but I found these codes using OllyDbg.
search:
85 c0 74 07 c6 05 e7 a2 98 00 01 33 db
replace:
85 c0 eb 07 c6 05 e7 a2 98 00 01 33 db
search:
85 c0 0f 85 d1 00 00 00 0f be 05 19 fe 89 00
replace:
85 c0 90 90 90 90 90 90 0f be 05 19 fe 89 00
search:
e8 42 27 dd ff 3b c6 74 75
replace:
90 90 90 90 90 90 90 90 90
Since the gdi and kernel imports are available, try heero's method during the Bifrost patch.
(I haven't tried this method though.)
OPENING MULTIPLE CLIENT WINDOWS
For the first string, search for gdi32.GetStockObject until you find the block that looks something like this:
The code we are after is above gdi32.GetStockObject, so scroll up a bit so you can find it.

* Referenced by a CALL at Address:
|:00788180
|
:00786E40 83EC60 sub esp, 00000060
:00786E43 A1401E8800 mov eax, dword ptr [00881E40]
:00786E48 33C4 xor eax, esp
:00786E4A 8944245C mov dword ptr [esp+5C], eax
:00786E4E A118F18600 mov eax, dword ptr [0086F118]
:00786E53 53 push ebx
:00786E54 55 push ebp
:00786E55 56 push esi
:00786E56 8B742470 mov esi, dword ptr [esp+70]
:00786E5A 57 push edi
:00786E5B 50 push eax
:00786E5C 50 push eax
:00786E5D 89742428 mov dword ptr [esp+28], esi
:00786E61 8935D06B9600 mov dword ptr [00966BD0], esi
:00786E67 FF1530377E00 call dword ptr [007E3730]
:00786E6D 85C0 test eax, eax
:00786E6F 7407 je 00786E78 <----------------- This is what we need to look for
:00786E71 C605EF6B960001 mov byte ptr [00966BEF], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00786E6F(C)
|
:00786E78 33DB xor ebx, ebx
:00786E7A 6A77 push 00000077
:00786E7C 56 push esi
:00786E7D 895C242C mov dword ptr [esp+2C], ebx
:00786E81 C744243020667800 mov [esp+30], 00786620
:00786E89 895C2434 mov dword ptr [esp+34], ebx
:00786E8D 895C2438 mov dword ptr [esp+38], ebx
:00786E91 8974243C mov dword ptr [esp+3C], esi
:00786E95 FF1534377E00 call dword ptr [007E3734]
:00786E9B 68007F0000 push 00007F00
:00786EA0 53 push ebx
:00786EA1 89442440 mov dword ptr [esp+40], eax
:00786EA5 FF1550377E00 call dword ptr [007E3750]
:00786EAB 6A04 push 00000004
:00786EAD 89442440 mov dword ptr [esp+40], eax

* Reference To: gdi32.GetStockObject, Ord:0000h
|
:00786EB1 FF1574307E00 Call dword ptr [007E3074]
:00786EB7 89442440 mov dword ptr [esp+40], eax
Search:
85 C0 74 07 C6 05 EF 6B 96 00 01 33 DB
Replace:
85 C0 EB 07 C6 05 5E F6 B9 00 01 33 DB
For the second string, search for kernel32.CreateMutexA:

* Possible StringData Ref from Data Obj ->"Global\%s"
|
:007880DB 68E0168200 push 008216E0
:007880E0 50 push eax
:007880E1 FF15B8377E00 call dword ptr [007E37B8]
:007880E7 83C418 add esp, 00000018
:007880EA 56 push esi
:007880EB 8D8C2424030000 lea ecx, dword ptr [esp+00000324]
:007880F2 51 push ecx
:007880F3 56 push esi
:007880F4 56 push esi

* Reference To: kernel32.CreateMutexA, Ord:0000h
|
:007880F5 FF1580317E00 Call dword ptr [007E3180]
:007880FB 50 push eax
:007880FC FFD7 call edi
:007880FE 85C0 test eax, eax
:00788100 0F85D1000000 jne 007881D7 <----------------- This is what we need to look for
:00788106 0FBE0579F08700 movsx eax, byte ptr [0087F079]
:0078810D 0FBE157AF08700 movsx edx, byte ptr [0087F07A]
:00788114 0FBE0D78F08700 movsx ecx, byte ptr [0087F078]
:0078811B 03D0 add edx, eax
:0078811D 0FBE0577F08700 movsx eax, byte ptr [0087F077]
:00788124 03D1 add edx, ecx
:00788126 0FBE0D76F08700 movsx ecx, byte ptr [0087F076]
:0078812D 03D0 add edx, eax
:0078812F 0FBE0575F08700 movsx eax, byte ptr [0087F075]
:00788136 03D1 add edx, ecx
:00788138 0FBE0D74F08700 movsx ecx, byte ptr [0087F074]
:0078813F 03D0 add edx, eax
:00788141 03D1 add edx, ecx
:00788143 81FAC9020000 cmp edx, 000002C9
:00788149 0F8588000000 jne 007881D7
:0078814F B9E8199600 mov ecx, 009619E8
:00788154 E88745FEFF call 0076C6E0
:00788159 E86277DEFF call 0056F8C0 <---------------- This is for disabling GameGuard
:0078815E 3BC6 cmp eax, esi
:00788160 7475 je 007881D7

Search:
85 C0 0F 85 D1 00 00 00 0F BE 05 79 F0 87 00
Replace:
85 C0 90 90 90 90 90 90 0F BE 05 79 F0 87 00
That should enable you to run multiple Ragnarok clients now.
To disable GameGuard, just look at the above code for kernel32.CreateMutexA and look down a bit; I marked it already.
Search:
E8 62 77 DE FF
Replace:
90 90 90 90 90
That should disable GameGuard for the pRO client.