You can use any one of these unpacked ragexe files:
unpacked ragexe.exe by heero, http://www.mediafire.com/download/5e996 ... 9-2014.zip
unpacked sakexe.exe by heero, http://www.mediafire.com/download/up0na ... 9-2014.zip
unpacked f2pexe.exe by heero, http://www.mediafire.com/download/gfp0k ... 9-2014.zip
The files above are for people who don't know how to unpack the Ragnarok exe.
Figured I should post this since people have been having problems with multiple window hexing.
Belladonas - credit for the original posts
Old guide - http://forums.openkore.com/viewtopic.php?p=33
Files used along with this post:
(OBSOLETE no longer used) Ragexe.exe unpacker - http://www.mediafire.com/?8ie73qzx9bnz0ll
(New) Video on how to unpack ragexe.exe - http://forums.openkore.com/viewtopic.ph ... 39#p223339
URSoft W32DASM V8.93 - http://www.exetools.com/disassemblers.htm
XVI32 Hex Editor - http://www.chmaas.handshake.de/delphi/f ... /xvi32.htm
Latest method for finding hex codes.
Seems like some of the codes have reverted back to the older way they were referenced, so I am posting another guide here.
The 1st hex code for Multiple Client Window.
* Reference To: user32.FindWindowA, Ord:00E4h
|
:008219C4 FF1574878B00 Call dword ptr [008B8774]
:008219CA 85C0 test eax, eax
:008219CC 7407 je 008219D5 <----------------- 1st Hex code for Multiple Client Window
:008219CE C6057B24A70001 mov byte ptr [00A7247B], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:008219CC(C)
|
:008219D5 53 push ebx
:008219D6 57 push edi
:008219D7 33FF xor edi, edi
:008219D9 6A77 push 00000077
:008219DB 56 push esi
:008219DC 897DA0 mov dword ptr [ebp-60], edi
:008219DF C745A430118200 mov [ebp-5C], 00821130
:008219E6 897DA8 mov dword ptr [ebp-58], edi
:008219E9 897DAC mov dword ptr [ebp-54], edi
:008219EC 8975B0 mov dword ptr [ebp-50], esi
Search:
FF 15 74 87 8B 00 85 C0 74 07 C6 05
Replace:
FF 15 74 87 8B 00 85 C0 EB 07 C6 05
The 2nd hex code for Multiple Client Window
* Reference To: kernel32.CreateMutexA, Ord:005Dh
|
:008228D1 FF15E0818B00 Call dword ptr [008B81E0]
:008228D7 50 push eax
* Reference To: kernel32.WaitForSingleObject, Ord:037Fh
|
:008228D8 FF155C828B00 Call dword ptr [008B825C]
:008228DE 85C0 test eax, eax
:008228E0 740A je 008228EC <----------------- 2nd hex code for Multiple Client Window
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0082292E(C), :00822941(C), :00822969(C)
|
:008228E2 B801000000 mov eax, 00000001
:008228E7 E9B4030000 jmp 00822CA0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:008228E0(C)
|
:008228EC 0FBE0DD5519800 movsx ecx, byte ptr [009851D5]
:008228F3 0FBE05D6519800 movsx eax, byte ptr [009851D6]
:008228FA 0FBE15D4519800 movsx edx, byte ptr [009851D4]
:00822901 03C1 add eax, ecx
:00822903 0FBE0DD3519800 movsx ecx, byte ptr [009851D3]
:0082290A 03C2 add eax, edx
:0082290C 0FBE15D2519800 movsx edx, byte ptr [009851D2]
:00822913 03C1 add eax, ecx
:00822915 0FBE0DD1519800 movsx ecx, byte ptr [009851D1]
:0082291C 03C2 add eax, edx
:0082291E 0FBE15D0519800 movsx edx, byte ptr [009851D0]
:00822925 03C1 add eax, ecx
:00822927 03C2 add eax, edx
:00822929 3DC9020000 cmp eax, 000002C9
:0082292E 75B2 jne 008228E2
:00822930 B908E1A600 mov ecx, 00A6E108
:00822935 E8F683FDFF call 007FAD30
:0082293A E851FBD8FF call 005B2490 <---------------- This is for disabling GameGuard
:0082293F 3BC6 cmp eax, esi
:00822941 749F je 008228E2
* Possible StringData Ref from Data Obj ->"resNameTable.txt"
|
:00822943 6808C68F00 push 008FC608
:00822948 E8B3BCD9FF call 005BE600
:0082294D 8BC8 mov ecx, eax
:0082294F E81CB4D9FF call 005BDD70
Search:
FF 15 5C 82 8B 00 85 C0 74 0A B8 01
Replace:
FF 15 5C 82 8B 00 85 C0 EB 0A B8 01
The 3rd hex code for Multiple Client Window
* Reference To: mss32._AIL_open_3D_provider@4, Ord:0076h
|
:006E0591 FF153C898B00 Call dword ptr [008B893C]
:006E0597 85C0 test eax, eax
:006E0599 0F85D0FEFFFF jne 006E046F <----------------- 3rd hex code for Multiple Client Window
:006E059F 8B0DAC95A500 mov ecx, dword ptr [00A595AC]
:006E05A5 51 push ecx
* Reference To: mss32._AIL_3D_speaker_type@4, Ord:0012h
|
:006E05A6 FF1540898B00 Call dword ptr [008B8940]
:006E05AC 83F8FF cmp eax, FFFFFFFF
Search:
FF 15 3C 89 8B 00 85 C0 0F 85 D0 FE FF FF 8B 0D AC 95 A5 00
Replace:
FF 15 3C 89 8B 00 85 C0 0F 90 90 90 90 90 8B 0D AC 95 A5 00
If you want the hex code for GameGuard, look at the 2nd Multiple Client Window hex code; I marked it there.
Search:
E8 51 FB D8 FF 3B C6 74 9F
Replace:
90 90 90 90 90 90 90 90 90
The methods listed below are obsolete and are kept only for future reference.
Old method 1
OPENING MULTIPLE CLIENT WINDOWS
For the first string, search for gdi32.GetStockObject until you find the block that looks something like this:
* Referenced by a CALL at Address:
|:00788180
|
:00786E40 83EC60 sub esp, 00000060
:00786E43 A1401E8800 mov eax, dword ptr [00881E40]
:00786E48 33C4 xor eax, esp
:00786E4A 8944245C mov dword ptr [esp+5C], eax
:00786E4E A118F18600 mov eax, dword ptr [0086F118]
:00786E53 53 push ebx
:00786E54 55 push ebp
:00786E55 56 push esi
:00786E56 8B742470 mov esi, dword ptr [esp+70]
:00786E5A 57 push edi
:00786E5B 50 push eax
:00786E5C 50 push eax
:00786E5D 89742428 mov dword ptr [esp+28], esi
:00786E61 8935D06B9600 mov dword ptr [00966BD0], esi
:00786E67 FF1530377E00 call dword ptr [007E3730]
:00786E6D 85C0 test eax, eax
:00786E6F 7407 je 00786E78 <----------------- This is what we need to look for
:00786E71 C605EF6B960001 mov byte ptr [00966BEF], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00786E6F(C)
|
:00786E78 33DB xor ebx, ebx
:00786E7A 6A77 push 00000077
:00786E7C 56 push esi
:00786E7D 895C242C mov dword ptr [esp+2C], ebx
:00786E81 C744243020667800 mov [esp+30], 00786620
:00786E89 895C2434 mov dword ptr [esp+34], ebx
:00786E8D 895C2438 mov dword ptr [esp+38], ebx
:00786E91 8974243C mov dword ptr [esp+3C], esi
:00786E95 FF1534377E00 call dword ptr [007E3734]
:00786E9B 68007F0000 push 00007F00
:00786EA0 53 push ebx
:00786EA1 89442440 mov dword ptr [esp+40], eax
:00786EA5 FF1550377E00 call dword ptr [007E3750]
:00786EAB 6A04 push 00000004
:00786EAD 89442440 mov dword ptr [esp+40], eax
* Reference To: gdi32.GetStockObject, Ord:0000h
|
:00786EB1 FF1574307E00 Call dword ptr [007E3074]
:00786EB7 89442440 mov dword ptr [esp+40], eax
Search:
85 C0 74 07 C6 05 EF 6B 96 00 01 33 DB
Replace:
85 C0 EB 07 C6 05 EF 6B 96 00 01 33 DB
For the second string, search for kernel32.CreateMutexA:
* Possible StringData Ref from Data Obj ->"Global\%s"
|
:007880DB 68E0168200 push 008216E0
:007880E0 50 push eax
:007880E1 FF15B8377E00 call dword ptr [007E37B8]
:007880E7 83C418 add esp, 00000018
:007880EA 56 push esi
:007880EB 8D8C2424030000 lea ecx, dword ptr [esp+00000324]
:007880F2 51 push ecx
:007880F3 56 push esi
:007880F4 56 push esi
* Reference To: kernel32.CreateMutexA, Ord:0000h
|
:007880F5 FF1580317E00 Call dword ptr [007E3180]
:007880FB 50 push eax
:007880FC FFD7 call edi
:007880FE 85C0 test eax, eax
:00788100 0F85D1000000 jne 007881D7 <----------------- This is what we need to look for
:00788106 0FBE0579F08700 movsx eax, byte ptr [0087F079]
:0078810D 0FBE157AF08700 movsx edx, byte ptr [0087F07A]
:00788114 0FBE0D78F08700 movsx ecx, byte ptr [0087F078]
:0078811B 03D0 add edx, eax
:0078811D 0FBE0577F08700 movsx eax, byte ptr [0087F077]
:00788124 03D1 add edx, ecx
:00788126 0FBE0D76F08700 movsx ecx, byte ptr [0087F076]
:0078812D 03D0 add edx, eax
:0078812F 0FBE0575F08700 movsx eax, byte ptr [0087F075]
:00788136 03D1 add edx, ecx
:00788138 0FBE0D74F08700 movsx ecx, byte ptr [0087F074]
:0078813F 03D0 add edx, eax
:00788141 03D1 add edx, ecx
:00788143 81FAC9020000 cmp edx, 000002C9
:00788149 0F8588000000 jne 007881D7
:0078814F B9E8199600 mov ecx, 009619E8
:00788154 E88745FEFF call 0076C6E0
:00788159 E86277DEFF call 0056F8C0 <---------------- This is for disabling GameGuard
:0078815E 3BC6 cmp eax, esi
:00788160 7475 je 007881D7
Search:
85 C0 0F 85 D1 00 00 00 0F BE 05 79 F0 87 00
Replace:
85 C0 90 90 90 90 90 90 0F BE 05 79 F0 87 00
That should enable you to run multiple Ragnarok clients now.
To disable GameGuard, just look at the above code for kernel32.CreateMutexA and look down a bit; I marked it already.
Search:
E8 62 77 DE FF
Replace:
90 90 90 90 90
That should disable GameGuard for the pRO client.
Old method 2
OPENING MULTIPLE CLIENTS OF RAGNAROK
The first step is to search for WINMM.timeBeginPeriod. It should look like the code below:
* Reference To: WINMM.timeBeginPeriod, Ord:0090h
|
:0079FC15 FF15F8E77F00 Call dword ptr [007FE7F8]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0079FBE6(C)
|
:0079FC1B E83087EEFF call 00688350
:0079FC20 56 push esi
:0079FC21 FF150CEA7F00 call dword ptr [007FEA0C]
:0079FC27 6A3F push 0000003F
:0079FC29 8D942425030000 lea edx, dword ptr [esp+00000325]
:0079FC30 56 push esi
:0079FC31 52 push edx
:0079FC32 C684242C03000000 mov byte ptr [esp+0000032C], 00
:0079FC3A E825F30000 call 007AEF64
* Possible StringData Ref from Data Obj ->"Surface"
|
:0079FC3F 68A4BD8900 push 0089BDA4
:0079FC44 8D842430030000 lea eax, dword ptr [esp+00000330]
:0079FC4B 68F8D48300 push 0083D4F8
:0079FC50 50 push eax
:0079FC51 FF15B0E77F00 call dword ptr [007FE7B0]
:0079FC57 83C418 add esp, 00000018
:0079FC5A 56 push esi
:0079FC5B 8D8C2424030000 lea ecx, dword ptr [esp+00000324]
:0079FC62 51 push ecx
:0079FC63 56 push esi
:0079FC64 56 push esi
:0079FC65 FF157CE17F00 call dword ptr [007FE17C]
:0079FC6B 50 push eax
:0079FC6C FFD7 call edi
:0079FC6E 85C0 test eax, eax
:0079FC70 0F85D1000000 jne 0079FD47 <----------------- This is what we need to edit first
:0079FC76 0FBE05A9BD8900 movsx eax, byte ptr [0089BDA9]
:0079FC7D 0FBE15AABD8900 movsx edx, byte ptr [0089BDAA]
:0079FC84 0FBE0DA8BD8900 movsx ecx, byte ptr [0089BDA8]
:0079FC8B 03D0 add edx, eax
:0079FC8D 0FBE05A7BD8900 movsx eax, byte ptr [0089BDA7]
:0079FC94 03D1 add edx, ecx
:0079FC96 0FBE0DA6BD8900 movsx ecx, byte ptr [0089BDA6]
:0079FC9D 03D0 add edx, eax
:0079FC9F 0FBE05A5BD8900 movsx eax, byte ptr [0089BDA5]
:0079FCA6 03D1 add edx, ecx
:0079FCA8 0FBE0DA4BD8900 movsx ecx, byte ptr [0089BDA4]
:0079FCAF 03D0 add edx, eax
:0079FCB1 03D1 add edx, ecx
:0079FCB3 81FAC9020000 cmp edx, 000002C9
:0079FCB9 0F8588000000 jne 0079FD47
:0079FCBF B9680A9800 mov ecx, 00980A68
:0079FCC4 E80745FEFF call 007841D0
:0079FCC9 E89226DDFF call 00572360 <---------------- This is for disabling GameGuard
:0079FCCE 3BC6 cmp eax, esi
:0079FCD0 7475 je 0079FD47
:0079FCD2 68E4D48300 push 0083D4E4
:0079FCD7 E814D6DDFF call 0057D2F0
:0079FCDC 8BC8 mov ecx, eax
:0079FCDE E85DC3DDFF call 0057C040
:0079FCE3 8B942480030000 mov edx, dword ptr [esp+00000380]
:0079FCEA 8B442418 mov eax, dword ptr [esp+18]
:0079FCEE 52 push edx
:0079FCEF 50 push eax
:0079FCF0 E8BBECFFFF call 0079E9B0 <---------------- Take note of this line you will need it later
:0079FCF5 83C408 add esp, 00000008
:0079FCF8 85C0 test eax, eax
:0079FCFA 744B je 0079FD47
:0079FCFC 8D4C2440 lea ecx, dword ptr [esp+40]
Search:
85 C0 0F 85 D1 00 00 00 0F BE 05 A9 BD 89 00
Replace:
85 C0 90 90 90 90 90 90 0F BE 05 A9 BD 89 00
Now remember the line I wanted you to take note of, call 0079E9B0. We must search for :0079E9B0 (don't forget the colon, that's important). When you find :0079E9B0, it should look like the lines below:
* Referenced by a CALL at Address:
|:0079FCF0
|
:0079E9B0 83EC60 sub esp, 00000060
:0079E9B3 A170E78900 mov eax, dword ptr [0089E770]
:0079E9B8 33C4 xor eax, esp
:0079E9BA 8944245C mov dword ptr [esp+5C], eax
:0079E9BE A138C18800 mov eax, dword ptr [0088C138]
:0079E9C3 53 push ebx
:0079E9C4 55 push ebp
:0079E9C5 56 push esi
:0079E9C6 8B742470 mov esi, dword ptr [esp+70]
:0079E9CA 57 push edi
:0079E9CB 50 push eax
:0079E9CC 50 push eax
:0079E9CD 89742428 mov dword ptr [esp+28], esi
:0079E9D1 8935685D9800 mov dword ptr [00985D68], esi
:0079E9D7 FF1528E77F00 call dword ptr [007FE728]
:0079E9DD 85C0 test eax, eax
:0079E9DF 7407 je 0079E9E8 <----------------- This is what we need to look for
:0079E9E1 C605875D980001 mov byte ptr [00985D87], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0079E9DF(C)
|
:0079E9E8 33DB xor ebx, ebx
:0079E9EA 6A77 push 00000077
:0079E9EC 56 push esi
:0079E9ED 895C242C mov dword ptr [esp+2C], ebx
:0079E9F1 C744243090E17900 mov [esp+30], 0079E190
:0079E9F9 895C2434 mov dword ptr [esp+34], ebx
:0079E9FD 895C2438 mov dword ptr [esp+38], ebx
:0079EA01 8974243C mov dword ptr [esp+3C], esi
:0079EA05 FF152CE77F00 call dword ptr [007FE72C]
:0079EA0B 68007F0000 push 00007F00
:0079EA10 53 push ebx
:0079EA11 89442440 mov dword ptr [esp+40], eax
:0079EA15 FF1548E77F00 call dword ptr [007FE748]
:0079EA1B 6A04 push 00000004
:0079EA1D 89442440 mov dword ptr [esp+40], eax
:0079EA21 FF1570E07F00 call dword ptr [007FE070]
:0079EA27 89442440 mov dword ptr [esp+40], eax
:0079EA2B A138C18800 mov eax, dword ptr [0088C138]
:0079EA30 8D4C2424 lea ecx, dword ptr [esp+24]
:0079EA34 51 push ecx
:0079EA35 895C2448 mov dword ptr [esp+48], ebx
:0079EA39 8944244C mov dword ptr [esp+4C], eax
:0079EA3D FF1530E77F00 call dword ptr [007FE730]
Search:
85 C0 74 07 C6 05 87 5D 98 00 01 33 DB
Replace:
85 C0 EB 07 C6 05 87 5D 98 00 01 33 DB
That should enable you to run multiple Ragnarok clients now.
To disable GameGuard, just look at the above code for WINMM.timeBeginPeriod and look down a bit; I marked it already.
Search:
E8 92 26 DD FF 3B C6 74 75
Replace:
90 90 90 90 90 90 90 90 90
That should disable GameGuard for the pRO client.
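
From the integrity-checking side, the byte strings quoted in the "latest method" listings are enough to tell whether a client image still carries the shipped bytes or the edited ones. The following is an added example, not part of the original post; the `Site` tuple, the function names and the constructed sample image are assumptions for illustration, and the signatures apply only to the client build the listings were taken from.

```python
from typing import Dict, List, NamedTuple, Tuple

class Site(NamedTuple):
    name: str
    original: bytes  # bytes as they appear in the shipped client
    patched: bytes   # bytes after the edit described in the post

# Byte strings copied from the "latest method" listings in the post.
# The GameGuard site keeps the preceding call (E8 F6 83 FD FF) as context so
# that a run of nine NOPs elsewhere in the file is not mistaken for it.
SITES = [
    Site("FindWindowA branch",
         bytes.fromhex("FF1574878B0085C07407C605"),
         bytes.fromhex("FF1574878B0085C0EB07C605")),
    Site("WaitForSingleObject branch",
         bytes.fromhex("FF155C828B0085C0740AB801"),
         bytes.fromhex("FF155C828B0085C0EB0AB801")),
    Site("GameGuard call",
         bytes.fromhex("E8F683FDFFE851FBD8FF3BC6749F"),
         bytes.fromhex("E8F683FDFF" + "90" * 9)),
]

def changed_bytes(site: Site) -> List[Tuple[int, int, int]]:
    """(offset, old, new) for every byte the edit touches."""
    return [(i, o, p) for i, (o, p) in enumerate(zip(site.original, site.patched)) if o != p]

def classify(image: bytes, sites: List[Site] = SITES) -> Dict[str, str]:
    """Report, per site, whether the image holds the shipped or the edited bytes."""
    report = {}
    for s in sites:
        has_orig, has_patch = s.original in image, s.patched in image
        if has_orig and has_patch:
            report[s.name] = "ambiguous"
        elif has_orig:
            report[s.name] = "original"
        elif has_patch:
            report[s.name] = "patched"
        else:
            report[s.name] = "absent"   # different build: signatures do not apply
    return report

def build_sample(edited: set) -> bytes:
    """Constructed test image: filler plus each site in shipped or edited form."""
    parts = [s.patched if s.name in edited else s.original for s in SITES]
    return b"\xCC" * 16 + b"\xCC".join(parts) + b"\xCC" * 16

if __name__ == "__main__":
    for name, state in classify(build_sample({"FindWindowA branch"})).items():
        print(f"{name}: {state}")
```

`changed_bytes` shows that each multi-client edit touches a single opcode byte (74, a conditional JE, becomes EB, an unconditional JMP), which is why a file hash or signature check over the whole image is the reliable way to detect this kind of tampering.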