Unpacked Clients for pRO with ways of finding hex codes

#181 Post by rpacx »

noobotter wrote: The codes I've posted are these:
search:
85 c0 74 07 c6 05 e7 a2 98 00 01 33 db
replace:
85 c0 eb 07 c6 05 e7 a2 98 00 01 33 db

search:
85 c0 0f 85 d1 00 00 00 0f be 05 19 fe 89 00
replace:
85 c0 90 90 90 90 90 90 0f be 05 19 fe 89 00

search:
e8 42 27 dd ff 3b c6 74 75
replace:
90 90 90 90 90 90 90 90 90
Kindly try these codes first and see if it's still working. :)
I saw this post but XVI32 didn't find these codes, so I created my own.

I see my problem here: "e8 42 27 dd ff 3b c6 74 75". You extended this up to the next code. Before, I only had it like this: E8 42 27 DD FF, replaced by 90 90 90 90 90.

#182 Post by noobotter »

rpacx wrote:
noobotter wrote: The codes I've posted are these:
search:
85 c0 74 07 c6 05 e7 a2 98 00 01 33 db
replace:
85 c0 eb 07 c6 05 e7 a2 98 00 01 33 db

search:
85 c0 0f 85 d1 00 00 00 0f be 05 19 fe 89 00
replace:
85 c0 90 90 90 90 90 90 0f be 05 19 fe 89 00

search:
e8 42 27 dd ff 3b c6 74 75
replace:
90 90 90 90 90 90 90 90 90
Kindly try these codes first and see if it's still working. :)
I saw this post but XVI32 didn't find these codes, so I created my own.

I see my problem here: "e8 42 27 dd ff 3b c6 74 75". You extended this up to the next code. Before, I only had it like this: E8 42 27 DD FF, replaced by 90 90 90 90 90.
Created your own what? Unpacked Ragexe.exe? Are you sure that's the latest client?
If so, kindly upload the file on some filehosting and share the link here, let me examine it.
A storm is coming.

#183 Post by rpacx »

noobotter wrote: Created your own what? Unpacked Ragexe.exe? Are you sure that's the latest client?
If so, kindly upload the file on some filehosting and share the link here, let me examine it.
I finally knew it. They were not varying. The codes for Ragexe, Lokiexe & Newirisexe are THE SAME, and they are DIFFERENT FROM VALEXE!! Your posted codes are for Ragexe, Lokiexe & Newirisexe!! The size of the ORIGINAL EXE of Ragexe, Lokiexe & Newirisexe is 1.42mb and for VALEXE it is 1.37mb. I have installed the newest installer for ragnarokph.

This is the unpacked EXE.
Unpacked Valexe http://www.mediafire.com/download/nxe56 ... valexe.exe
Unpacked Ragexe http://www.mediafire.com/download/1ccep ... Ragexe.exe

Unpacked RAGEXE,NEWIRISEXE & LOKIEXE
Search:
85 C0 74 07 C6 05 87 71 98 00 01 33 DB
Replace:
85 C0 EB 07 C6 05 87 71 98 00 01 33 DB

Search:
85 C0 0F 85 D1 00 00 00 0F BE 05 A9 CD 89 00
Replace:
85 C0 90 90 90 90 90 90 0F BE 05 A9 CD 89 00

Search:
E8 B2 24 DD FF 3B C6 74 75
Replace:
90 90 90 90 90 90 90 90 90

Unpacked VALEXE
Search:
85 C0 74 07 C6 05 E7 A2 98 00 01 33 DB
Replace:
85 C0 EB 07 C6 05 E7 A2 98 00 01 33 DB

Search:
85 C0 0F 85 D1 00 00 00 0F BE 05 19 FE 89 00
Replace:
85 C0 90 90 90 90 90 90 0F BE 05 19 FE 89 00

Search:
E8 42 27 DD FF 3B C6 74 75
Replace:
90 90 90 90 90 90 90 90 90

But you can use the hexed Ragexe for Valkyrie. This is a reference for those who can't see the codes. If you can't see the codes, you probably unpacked the exe of one server and used the code for a different server. I don't know why the developer changed the original exe for Valkyrie.

Again, if you use noobotter's code, UNPACK YOUR RAGEXE, LOKIEXE OR NEWIRISEXE, NOT VALEXE.
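
As an added example (not code from any poster in this thread), the sequences listed in post #183 for the unpacked Ragexe/Newirisexe/Lokiexe build can be read the other way round, as an integrity check that reports whether a client image still carries the shipped bytes. The function names and sample images are constructed; the `unknown-build` verdict corresponds to the build mismatch described in that post.

```python
# Added example. Byte sequences are the ones quoted in post #183 for the
# unpacked Ragexe/Newirisexe/Lokiexe build; names and sample images are constructed.
ORIGINAL, PATCHED, ABSENT = "original", "patched", "absent"
h = bytes.fromhex  # accepts space-separated hex pairs

# site -> (bytes as shipped, bytes after the edit listed in the thread).
# The third edit leaves nothing but 0x90 bytes, which also occur as ordinary
# padding, so that site has no usable "patched" signature (None).
SITES = {
    "je_check": (h("85 C0 74 07 C6 05 87 71 98 00 01 33 DB"),
                 h("85 C0 EB 07 C6 05 87 71 98 00 01 33 DB")),
    "jne_check": (h("85 C0 0F 85 D1 00 00 00 0F BE 05 A9 CD 89 00"),
                  h("85 C0 90 90 90 90 90 90 0F BE 05 A9 CD 89 00")),
    "call_check": (h("E8 B2 24 DD FF 3B C6 74 75"), None),
}

def site_state(image, original, patched):
    if original in image:
        return ORIGINAL
    if patched is not None and patched in image:
        return PATCHED
    return ABSENT

def classify(image):
    """Return (verdict, per-site states) for a client image given as bytes."""
    states = {name: site_state(image, o, p) for name, (o, p) in SITES.items()}
    seen = set(states.values())
    if seen == {ORIGINAL}:
        verdict = "intact"
    elif seen == {ABSENT}:
        verdict = "unknown-build"  # signatures belong to some other build
    else:
        verdict = "tampered"       # this build, but a site is not as shipped
    return verdict, states

def sample_image(sequences):
    filler = bytes(range(0x10, 0x30))  # constructed stand-in for other code
    return filler + filler.join(sequences) + filler

SHIPPED = sample_image([o for o, _ in SITES.values()])
EDITED = sample_image([SITES["je_check"][1], SITES["jne_check"][1], b"\x90" * 9])
# Valexe sequences from the same post: none of them match this build's table.
OTHER = sample_image([h("85 C0 74 07 C6 05 E7 A2 98 00 01 33 DB"),
                      h("E8 42 27 DD FF 3B C6 74 75")])

if __name__ == "__main__":
    for label, image in (("shipped", SHIPPED), ("edited", EDITED), ("other", OTHER)):
        print(label, classify(image))
```
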

#184 Post by noobotter »

@rpacx

How come your valexe is different from the other clients?
This is the last part of patch list from my valkyrie (patched as of today).
810 2013-04-08avalexe.rgz
811 2013_04_Cstar_Eff.gpf
812 2013_Cmoon_gm.gpf
813 2013_ST_LT_DATA.gpf
814 2013_04_10_N6SC.gpf
815 2013_malangdo_loadbgi.gpf
816 2013-02-06bvalexe.rgz
817 2013-04-11avalexe.rgz <<-- Last client patched
818 2013_new_Cart4.gpf
819 2013_bk_hid_gat.gpf
820 2013_04_17_6SC.gpf
821 2013_PRO_NITES.gpf
822 2013_04_17_SCALL.gpf
//823 2013_04_newite6sce.gpf
824 2013_PH_Newdata.gpf
825 2013_PRO6SC.gpf
826 2013_04_newite6sce.gpf
827 2013_04_23_SCALL.gpf
828 2013_04_25_NTIE.gpf
829 2013_04_30_SCALL21.gpf
830 2013_05_08_SCALL.gpf
831 2013_Newite.gpf
832 2013_NEWPT_ITBGFX.gpf
833 2013_0515_SCALL.gpf
834 2013_newp3tafoo.gpf
835 2013_jejecap.gpf
836 2013_05_22_SCALL.gpf
This is for my New Iris (also patched as of today).
631 2013-04-08anewirisexe.rgz
632 2013_04_Cstar_Eff.gpf
633 2013_Cmoon_gm.gpf
634 2013_ST_LT_DATA.gpf
635 2013_04_10_N6SC.gpf
636 2013_malangdo_loadbgi.gpf
637 2013-02-06bnewirisexe.rgz
638 2013-04-11anewirisexe.rgz <<-- Last client patched
639 2013_new_Cart4.gpf
640 2013_bk_hid_gat.gpf
641 2013_04_17_6SC.gpf
642 2013_PRO_NITES.gpf
643 2013_04_17_SCALL.gpf
//644 2013_04_newite6sce.gpf
645 2013_PH_Newdata.gpf
646 2013_PRO6SC.gpf
647 2013_04_newite6sce.gpf
648 2013_04_23_SCALL.gpf
649 2013_04_25_NTIE.gpf
650 2013_04_30_SCALL21.gpf
651 2013_05_08_SCALL.gpf
652 2013_Newite.gpf
653 2013_NEWPT_ITBGFX.gpf
654 2013_0515_SCALL.gpf
655 2013_newp3tafoo.gpf
656 2013_jejecap.gpf
657 2013_05_22_SCALL.gpf
Upon checking both MD5s, they're the same.

So I'm really wondering why you have different clients.
That's the reason why the codes that I've given you are also working on my valexe.
#185 Post by vhonn »

noobotter wrote:@bilyakosta

I'm not really sure how heero traces his codes, but I found these codes using OllyDbg.
search:
85 c0 74 07 c6 05 e7 a2 98 00 01 33 db
replace:
85 c0 eb 07 c6 05 e7 a2 98 00 01 33 db

search:
85 c0 0f 85 d1 00 00 00 0f be 05 19 fe 89 00
replace:
85 c0 90 90 90 90 90 90 0f be 05 19 fe 89 00

search:
e8 42 27 dd ff 3b c6 74 75
replace:
90 90 90 90 90 90 90 90 90

Since the gdi and kernel imports are available, try heero's method during the Bifrost patch.
(I haven't tried this method though. :shock: )
OPENING MULTIPLE CLIENT WINDOWS
For the first string, search for gdi32.GetStockObject until you find the block that looks something like this:

* Referenced by a CALL at Address:
|:00788180   
|
:00786E40 83EC60                  sub esp, 00000060
:00786E43 A1401E8800              mov eax, dword ptr [00881E40]
:00786E48 33C4                    xor eax, esp
:00786E4A 8944245C                mov dword ptr [esp+5C], eax
:00786E4E A118F18600              mov eax, dword ptr [0086F118]
:00786E53 53                      push ebx
:00786E54 55                      push ebp
:00786E55 56                      push esi
:00786E56 8B742470                mov esi, dword ptr [esp+70]
:00786E5A 57                      push edi
:00786E5B 50                      push eax
:00786E5C 50                      push eax
:00786E5D 89742428                mov dword ptr [esp+28], esi
:00786E61 8935D06B9600            mov dword ptr [00966BD0], esi
:00786E67 FF1530377E00            call dword ptr [007E3730]
:00786E6D 85C0                    test eax, eax
:00786E6F 7407                    je 00786E78  <----------------- This is what we need to look for
:00786E71 C605EF6B960001          mov byte ptr [00966BEF], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00786E6F(C)
|
:00786E78 33DB                    xor ebx, ebx
:00786E7A 6A77                    push 00000077
:00786E7C 56                      push esi
:00786E7D 895C242C                mov dword ptr [esp+2C], ebx
:00786E81 C744243020667800        mov [esp+30], 00786620
:00786E89 895C2434                mov dword ptr [esp+34], ebx
:00786E8D 895C2438                mov dword ptr [esp+38], ebx
:00786E91 8974243C                mov dword ptr [esp+3C], esi
:00786E95 FF1534377E00            call dword ptr [007E3734]
:00786E9B 68007F0000              push 00007F00
:00786EA0 53                      push ebx
:00786EA1 89442440                mov dword ptr [esp+40], eax
:00786EA5 FF1550377E00            call dword ptr [007E3750]
:00786EAB 6A04                    push 00000004
:00786EAD 89442440                mov dword ptr [esp+40], eax

* Reference To: gdi32.GetStockObject, Ord:0000h
                                  |
:00786EB1 FF1574307E00            Call dword ptr [007E3074]
:00786EB7 89442440                mov dword ptr [esp+40], eax
The code we are after is above gdi32.GetStockObject, so scroll up a bit to find it.

Search:
85 C0 74 07 C6 05 EF 6B 96 00 01 33 DB
Replace:
85 C0 EB 07 C6 05 5E F6 B9 00 01 33 DB

For the second string, search for kernel32.CreateMutexA

* Possible StringData Ref from Data Obj ->"Global\%s"
                                  |
:007880DB 68E0168200              push 008216E0
:007880E0 50                      push eax
:007880E1 FF15B8377E00            call dword ptr [007E37B8]
:007880E7 83C418                  add esp, 00000018
:007880EA 56                      push esi
:007880EB 8D8C2424030000          lea ecx, dword ptr [esp+00000324]
:007880F2 51                      push ecx
:007880F3 56                      push esi
:007880F4 56                      push esi

* Reference To: kernel32.CreateMutexA, Ord:0000h
                                  |
:007880F5 FF1580317E00            Call dword ptr [007E3180]
:007880FB 50                      push eax
:007880FC FFD7                    call edi
:007880FE 85C0                    test eax, eax
:00788100 0F85D1000000            jne 007881D7  <----------------- This is what we need to look for
:00788106 0FBE0579F08700          movsx eax, byte ptr [0087F079]
:0078810D 0FBE157AF08700          movsx edx, byte ptr [0087F07A]
:00788114 0FBE0D78F08700          movsx ecx, byte ptr [0087F078]
:0078811B 03D0                    add edx, eax
:0078811D 0FBE0577F08700          movsx eax, byte ptr [0087F077]
:00788124 03D1                    add edx, ecx
:00788126 0FBE0D76F08700          movsx ecx, byte ptr [0087F076]
:0078812D 03D0                    add edx, eax
:0078812F 0FBE0575F08700          movsx eax, byte ptr [0087F075]
:00788136 03D1                    add edx, ecx
:00788138 0FBE0D74F08700          movsx ecx, byte ptr [0087F074]
:0078813F 03D0                    add edx, eax
:00788141 03D1                    add edx, ecx
:00788143 81FAC9020000            cmp edx, 000002C9
:00788149 0F8588000000            jne 007881D7
:0078814F B9E8199600              mov ecx, 009619E8
:00788154 E88745FEFF              call 0076C6E0
:00788159 E86277DEFF              call 0056F8C0  <---------------- This is for disabling GameGuard
:0078815E 3BC6                    cmp eax, esi
:00788160 7475                    je 007881D7
Search:
85 C0 0F 85 D1 00 00 00 0F BE 05 79 F0 87 00
Replace:
85 C0 90 90 90 90 90 90 0F BE 05 79 F0 87 00

That should enable you to run multiple ragnarok clients now.

To disable GameGuard, just look at the above code for kernel32.CreateMutexA and look down a bit; I marked it already.

Search:
E8 62 77 DE FF
Replace:
90 90 90 90 90

That should disable GameGuard for the pRO client.

I tried both ways of finding hex codes on heero's unpacked exe, but unfortunately I wasn't able to find the codes using either tutorial. Any other options?

#186 Post by rpacx »

@noobotter

I don't know why my valexe is different from the others. I reinstalled my RO using the Jan 31 2013 installer.

@vhonn

Unpack your own exe. You can try my codes (up there ^^). See if they work.

#187 Post by heero »

I will look into the clients when I am finished with work to confirm if they are really different. If they are, it could just mean that valexe.exe has a different structure of packets, probably related to security. I guess they are not as sloppy with security as we think they are. Will update the first post when I finish checking all clients.

#188 Post by vhonn »

noobotter wrote:
aghart wrote: It was working fine before, but after the patch there's a GameGuard now and I can't find ways to remove it. I searched every forum. Please help me. :(
Try this.

search:
85 c0 74 07 c6 05 e7 a2 98 00 01 33 db
replace:
85 c0 eb 07 c6 05 e7 a2 98 00 01 33 db

search:
85 c0 0f 85 d1 00 00 00 0f be 05 19 fe 89 00
replace:
85 c0 90 90 90 90 90 90 0f be 05 19 fe 89 00

search:
e8 42 27 dd ff 3b c6 74 75
replace:
90 90 90 90 90 90 90 90 90


EDIT: btw, as far as I know, clients are packed again so you need to unpack them using Stripper (if you don't know how to unpack manually).

I found this on unpacked valexe patch May 22, 2013 and this is working.

#189 Post by heero »

I checked all the exe files. There are some differences, but I found that only sakexe.exe seems to work for most servers, so I am going to post the unpacked sakexe.exe and will update the first post now.

I tested sakexe.exe on New Chaos, Valkyrie and New Loki and it works for all these servers.

#190 Post by Fuko »

Picked up the updated sakexe.exe from the first post, but it seems that none of the codes for disabling GameGuard provided in this thread work with it (or I was blind and didn't try all of them)... So I tried picking it out with the disassembler and found this:

Search:
E8 82 2B DD FF 3B C6 74 75

replace:

90 90 90 90 90 90 90 90 90


Working fine for New Chaos at the moment. Just thought I'd share it.
