
Unpacked Clients for pRO with ways of finding hex codes

Posted: 27 Sep 2012, 11:54
by heero
Unpacked exe links (updated 07/29/2014)
You can use either one of these unpacked ragexe
unpacked ragexe.exe by heero, http://www.mediafire.com/download/5e996 ... 9-2014.zip
unpacked sakexe.exe by heero, http://www.mediafire.com/download/up0na ... 9-2014.zip
unpacked f2pexe.exe by heero, http://www.mediafire.com/download/gfp0k ... 9-2014.zip

The files above are for people who don't know how to unpack Ragnarok exe

Figured I should post this since people have been having problems with multiple window hexing.
Belladonas - credit for the original posts
Old guide - http://forums.openkore.com/viewtopic.php?p=33

Files used along with this post:
(OBSOLETE, no longer used) Ragexe.exe unpacker - http://www.mediafire.com/?8ie73qzx9bnz0ll
(New) Video on how to unpack ragexe.exe - http://forums.openkore.com/viewtopic.ph ... 39#p223339
URSoft W32DASM V8.93 - http://www.exetools.com/disassemblers.htm
XVI32 Hex Editor - http://www.chmaas.handshake.de/delphi/f ... /xvi32.htm

Latest method for finding hex codes.
Seems like some of the codes have reverted back to the older way they were referenced, so I am posting another guide here.
The 1st hex code for Multiple Client Window.

Code:

* Reference To: user32.FindWindowA, Ord:00E4h
                                  |
:008219C4 FF1574878B00            Call dword ptr [008B8774]
:008219CA 85C0                    test eax, eax
:008219CC 7407                    je 008219D5  <----------------- 1st Hex code for Multiple Client Window
:008219CE C6057B24A70001          mov byte ptr [00A7247B], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:008219CC(C)
|
:008219D5 53                      push ebx
:008219D6 57                      push edi
:008219D7 33FF                    xor edi, edi
:008219D9 6A77                    push 00000077
:008219DB 56                      push esi
:008219DC 897DA0                  mov dword ptr [ebp-60], edi
:008219DF C745A430118200          mov [ebp-5C], 00821130
:008219E6 897DA8                  mov dword ptr [ebp-58], edi
:008219E9 897DAC                  mov dword ptr [ebp-54], edi
:008219EC 8975B0                  mov dword ptr [ebp-50], esi
Search:
FF 15 74 87 8B 00 85 C0 74 07 C6 05
Replace:
FF 15 74 87 8B 00 85 C0 EB 07 C6 05

The 2nd hex code for Multiple Client Window

Code:

* Reference To: kernel32.CreateMutexA, Ord:005Dh
                                  |
:008228D1 FF15E0818B00            Call dword ptr [008B81E0]
:008228D7 50                      push eax

* Reference To: kernel32.WaitForSingleObject, Ord:037Fh
                                  |
:008228D8 FF155C828B00            Call dword ptr [008B825C]
:008228DE 85C0                    test eax, eax
:008228E0 740A                    je 008228EC  <----------------- 2nd hex code for Multiple Client Window

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0082292E(C), :00822941(C), :00822969(C)
|
:008228E2 B801000000              mov eax, 00000001
:008228E7 E9B4030000              jmp 00822CA0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:008228E0(C)
|
:008228EC 0FBE0DD5519800          movsx ecx, byte ptr [009851D5]
:008228F3 0FBE05D6519800          movsx eax, byte ptr [009851D6]
:008228FA 0FBE15D4519800          movsx edx, byte ptr [009851D4]
:00822901 03C1                    add eax, ecx
:00822903 0FBE0DD3519800          movsx ecx, byte ptr [009851D3]
:0082290A 03C2                    add eax, edx
:0082290C 0FBE15D2519800          movsx edx, byte ptr [009851D2]
:00822913 03C1                    add eax, ecx
:00822915 0FBE0DD1519800          movsx ecx, byte ptr [009851D1]
:0082291C 03C2                    add eax, edx
:0082291E 0FBE15D0519800          movsx edx, byte ptr [009851D0]
:00822925 03C1                    add eax, ecx
:00822927 03C2                    add eax, edx
:00822929 3DC9020000              cmp eax, 000002C9
:0082292E 75B2                    jne 008228E2
:00822930 B908E1A600              mov ecx, 00A6E108
:00822935 E8F683FDFF              call 007FAD30
:0082293A E851FBD8FF              call 005B2490  <---------------- This is for disabling GameGuard
:0082293F 3BC6                    cmp eax, esi
:00822941 749F                    je 008228E2

* Possible StringData Ref from Data Obj ->"resNameTable.txt"
                                  |
:00822943 6808C68F00              push 008FC608
:00822948 E8B3BCD9FF              call 005BE600
:0082294D 8BC8                    mov ecx, eax
:0082294F E81CB4D9FF              call 005BDD70
Search:
FF 15 5C 82 8B 00 85 C0 74 0A B8 01
Replace:
FF 15 5C 82 8B 00 85 C0 EB 0A B8 01

The 3rd hex code for Multiple Client Window

Code:

* Reference To: mss32._AIL_open_3D_provider@4, Ord:0076h
                                  |
:006E0591 FF153C898B00            Call dword ptr [008B893C]
:006E0597 85C0                    test eax, eax
:006E0599 0F85D0FEFFFF            jne 006E046F  <----------------- 3rd hex code for Multiple Client Window
:006E059F 8B0DAC95A500            mov ecx, dword ptr [00A595AC]
:006E05A5 51                      push ecx

* Reference To: mss32._AIL_3D_speaker_type@4, Ord:0012h
                                  |
:006E05A6 FF1540898B00            Call dword ptr [008B8940]
:006E05AC 83F8FF                  cmp eax, FFFFFFFF
Search:
FF 15 3C 89 8B 00 85 C0 0F 85 D0 FE FF FF 8B 0D AC 95 A5 00
Replace:
FF 15 3C 89 8B 00 85 C0 0F 90 90 90 90 90 8B 0D AC 95 A5 00

If you want the hex code for GameGuard, look at the 2nd Multiple Client Window hex code; I marked it there.
Search:
E8 51 FB D8 FF 3B C6 74 9F
Replace:
90 90 90 90 90 90 90 90 90

The methods listed below are obsolete and are only kept for future reference.
Old method 1

OPENING MULTIPLE CLIENT WINDOWS
For the first string, search for gdi32.GetStockObject until you find the block that looks something like this:

Code:

* Referenced by a CALL at Address:
|:00788180   
|
:00786E40 83EC60                  sub esp, 00000060
:00786E43 A1401E8800              mov eax, dword ptr [00881E40]
:00786E48 33C4                    xor eax, esp
:00786E4A 8944245C                mov dword ptr [esp+5C], eax
:00786E4E A118F18600              mov eax, dword ptr [0086F118]
:00786E53 53                      push ebx
:00786E54 55                      push ebp
:00786E55 56                      push esi
:00786E56 8B742470                mov esi, dword ptr [esp+70]
:00786E5A 57                      push edi
:00786E5B 50                      push eax
:00786E5C 50                      push eax
:00786E5D 89742428                mov dword ptr [esp+28], esi
:00786E61 8935D06B9600            mov dword ptr [00966BD0], esi
:00786E67 FF1530377E00            call dword ptr [007E3730]
:00786E6D 85C0                    test eax, eax
:00786E6F 7407                    je 00786E78  <----------------- This is what we need to look for
:00786E71 C605EF6B960001          mov byte ptr [00966BEF], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00786E6F(C)
|
:00786E78 33DB                    xor ebx, ebx
:00786E7A 6A77                    push 00000077
:00786E7C 56                      push esi
:00786E7D 895C242C                mov dword ptr [esp+2C], ebx
:00786E81 C744243020667800        mov [esp+30], 00786620
:00786E89 895C2434                mov dword ptr [esp+34], ebx
:00786E8D 895C2438                mov dword ptr [esp+38], ebx
:00786E91 8974243C                mov dword ptr [esp+3C], esi
:00786E95 FF1534377E00            call dword ptr [007E3734]
:00786E9B 68007F0000              push 00007F00
:00786EA0 53                      push ebx
:00786EA1 89442440                mov dword ptr [esp+40], eax
:00786EA5 FF1550377E00            call dword ptr [007E3750]
:00786EAB 6A04                    push 00000004
:00786EAD 89442440                mov dword ptr [esp+40], eax

* Reference To: gdi32.GetStockObject, Ord:0000h
                                  |
:00786EB1 FF1574307E00            Call dword ptr [007E3074]
:00786EB7 89442440                mov dword ptr [esp+40], eax
The code we are after is above gdi32.GetStockObject, so scroll up a bit to find it.

Search:
85 C0 74 07 C6 05 EF 6B 96 00 01 33 DB
Replace:
85 C0 EB 07 C6 05 5E F6 B9 00 01 33 DB

For the second string, search for kernel32.CreateMutexA.

Code:

* Possible StringData Ref from Data Obj ->"Global\%s"
                                  |
:007880DB 68E0168200              push 008216E0
:007880E0 50                      push eax
:007880E1 FF15B8377E00            call dword ptr [007E37B8]
:007880E7 83C418                  add esp, 00000018
:007880EA 56                      push esi
:007880EB 8D8C2424030000          lea ecx, dword ptr [esp+00000324]
:007880F2 51                      push ecx
:007880F3 56                      push esi
:007880F4 56                      push esi

* Reference To: kernel32.CreateMutexA, Ord:0000h
                                  |
:007880F5 FF1580317E00            Call dword ptr [007E3180]
:007880FB 50                      push eax
:007880FC FFD7                    call edi
:007880FE 85C0                    test eax, eax
:00788100 0F85D1000000            jne 007881D7  <----------------- This is what we need to look for
:00788106 0FBE0579F08700          movsx eax, byte ptr [0087F079]
:0078810D 0FBE157AF08700          movsx edx, byte ptr [0087F07A]
:00788114 0FBE0D78F08700          movsx ecx, byte ptr [0087F078]
:0078811B 03D0                    add edx, eax
:0078811D 0FBE0577F08700          movsx eax, byte ptr [0087F077]
:00788124 03D1                    add edx, ecx
:00788126 0FBE0D76F08700          movsx ecx, byte ptr [0087F076]
:0078812D 03D0                    add edx, eax
:0078812F 0FBE0575F08700          movsx eax, byte ptr [0087F075]
:00788136 03D1                    add edx, ecx
:00788138 0FBE0D74F08700          movsx ecx, byte ptr [0087F074]
:0078813F 03D0                    add edx, eax
:00788141 03D1                    add edx, ecx
:00788143 81FAC9020000            cmp edx, 000002C9
:00788149 0F8588000000            jne 007881D7
:0078814F B9E8199600              mov ecx, 009619E8
:00788154 E88745FEFF              call 0076C6E0
:00788159 E86277DEFF              call 0056F8C0  <---------------- This is for disabling GameGuard
:0078815E 3BC6                    cmp eax, esi
:00788160 7475                    je 007881D7
Search:
85 C0 0F 85 D1 00 00 00 0F BE 05 79 F0 87 00
Replace:
85 C0 90 90 90 90 90 90 0F BE 05 79 F0 87 00

That should enable you to run multiple ragnarok clients now.

To disable GameGuard, just look at the above code for kernel32.CreateMutexA and look down a bit; I marked it already.

Search:
E8 62 77 DE FF
Replace:
90 90 90 90 90

That should disable GameGuard for the pRO client.


Old method 2
OPENING MULTIPLE CLIENTS OF RAGNAROK
The first step is to search for WINMM.timeBeginPeriod; it should look like the code below.

Code:

* Reference To: WINMM.timeBeginPeriod, Ord:0090h
                                  |
:0079FC15 FF15F8E77F00            Call dword ptr [007FE7F8]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0079FBE6(C)
|
:0079FC1B E83087EEFF              call 00688350
:0079FC20 56                      push esi
:0079FC21 FF150CEA7F00            call dword ptr [007FEA0C]
:0079FC27 6A3F                    push 0000003F
:0079FC29 8D942425030000          lea edx, dword ptr [esp+00000325]
:0079FC30 56                      push esi
:0079FC31 52                      push edx
:0079FC32 C684242C03000000        mov byte ptr [esp+0000032C], 00
:0079FC3A E825F30000              call 007AEF64

* Possible StringData Ref from Data Obj ->"Surface"
                                  |
:0079FC3F 68A4BD8900              push 0089BDA4
:0079FC44 8D842430030000          lea eax, dword ptr [esp+00000330]
:0079FC4B 68F8D48300              push 0083D4F8
:0079FC50 50                      push eax
:0079FC51 FF15B0E77F00            call dword ptr [007FE7B0]
:0079FC57 83C418                  add esp, 00000018
:0079FC5A 56                      push esi
:0079FC5B 8D8C2424030000          lea ecx, dword ptr [esp+00000324]
:0079FC62 51                      push ecx
:0079FC63 56                      push esi
:0079FC64 56                      push esi
:0079FC65 FF157CE17F00            call dword ptr [007FE17C]
:0079FC6B 50                      push eax
:0079FC6C FFD7                    call edi
:0079FC6E 85C0                    test eax, eax
:0079FC70 0F85D1000000            jne 0079FD47  <----------------- This is what we need to edit first
:0079FC76 0FBE05A9BD8900          movsx eax, byte ptr [0089BDA9]
:0079FC7D 0FBE15AABD8900          movsx edx, byte ptr [0089BDAA]
:0079FC84 0FBE0DA8BD8900          movsx ecx, byte ptr [0089BDA8]
:0079FC8B 03D0                    add edx, eax
:0079FC8D 0FBE05A7BD8900          movsx eax, byte ptr [0089BDA7]
:0079FC94 03D1                    add edx, ecx
:0079FC96 0FBE0DA6BD8900          movsx ecx, byte ptr [0089BDA6]
:0079FC9D 03D0                    add edx, eax
:0079FC9F 0FBE05A5BD8900          movsx eax, byte ptr [0089BDA5]
:0079FCA6 03D1                    add edx, ecx
:0079FCA8 0FBE0DA4BD8900          movsx ecx, byte ptr [0089BDA4]
:0079FCAF 03D0                    add edx, eax
:0079FCB1 03D1                    add edx, ecx
:0079FCB3 81FAC9020000            cmp edx, 000002C9
:0079FCB9 0F8588000000            jne 0079FD47
:0079FCBF B9680A9800              mov ecx, 00980A68
:0079FCC4 E80745FEFF              call 007841D0
:0079FCC9 E89226DDFF              call 00572360  <---------------- This is for disabling GameGuard
:0079FCCE 3BC6                    cmp eax, esi
:0079FCD0 7475                    je 0079FD47
:0079FCD2 68E4D48300              push 0083D4E4
:0079FCD7 E814D6DDFF              call 0057D2F0
:0079FCDC 8BC8                    mov ecx, eax
:0079FCDE E85DC3DDFF              call 0057C040
:0079FCE3 8B942480030000          mov edx, dword ptr [esp+00000380]
:0079FCEA 8B442418                mov eax, dword ptr [esp+18]
:0079FCEE 52                      push edx
:0079FCEF 50                      push eax
:0079FCF0 E8BBECFFFF              call 0079E9B0  <---------------- Take note of this line you will need it later
:0079FCF5 83C408                  add esp, 00000008
:0079FCF8 85C0                    test eax, eax
:0079FCFA 744B                    je 0079FD47
:0079FCFC 8D4C2440                lea ecx, dword ptr [esp+40]
The first line I marked above is what we need to edit.

Search:
85 C0 0F 85 D1 00 00 00 0F BE 05 A9 BD 89 00
Replace:
85 C0 90 90 90 90 90 90 0F BE 05 A9 BD 89 00

Now, remember the line I wanted you to take note of, call 0079E9B0: we must search for :0079E9B0 (don't forget the colon, that's important). When you find :0079E9B0 it should look like the lines below.

Code:

* Referenced by a CALL at Address:
|:0079FCF0   
|
:0079E9B0 83EC60                  sub esp, 00000060
:0079E9B3 A170E78900              mov eax, dword ptr [0089E770]
:0079E9B8 33C4                    xor eax, esp
:0079E9BA 8944245C                mov dword ptr [esp+5C], eax
:0079E9BE A138C18800              mov eax, dword ptr [0088C138]
:0079E9C3 53                      push ebx
:0079E9C4 55                      push ebp
:0079E9C5 56                      push esi
:0079E9C6 8B742470                mov esi, dword ptr [esp+70]
:0079E9CA 57                      push edi
:0079E9CB 50                      push eax
:0079E9CC 50                      push eax
:0079E9CD 89742428                mov dword ptr [esp+28], esi
:0079E9D1 8935685D9800            mov dword ptr [00985D68], esi
:0079E9D7 FF1528E77F00            call dword ptr [007FE728]
:0079E9DD 85C0                    test eax, eax
:0079E9DF 7407                    je 0079E9E8  <----------------- This is what we need to look for
:0079E9E1 C605875D980001          mov byte ptr [00985D87], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0079E9DF(C)
|
:0079E9E8 33DB                    xor ebx, ebx
:0079E9EA 6A77                    push 00000077
:0079E9EC 56                      push esi
:0079E9ED 895C242C                mov dword ptr [esp+2C], ebx
:0079E9F1 C744243090E17900        mov [esp+30], 0079E190
:0079E9F9 895C2434                mov dword ptr [esp+34], ebx
:0079E9FD 895C2438                mov dword ptr [esp+38], ebx
:0079EA01 8974243C                mov dword ptr [esp+3C], esi
:0079EA05 FF152CE77F00            call dword ptr [007FE72C]
:0079EA0B 68007F0000              push 00007F00
:0079EA10 53                      push ebx
:0079EA11 89442440                mov dword ptr [esp+40], eax
:0079EA15 FF1548E77F00            call dword ptr [007FE748]
:0079EA1B 6A04                    push 00000004
:0079EA1D 89442440                mov dword ptr [esp+40], eax
:0079EA21 FF1570E07F00            call dword ptr [007FE070]
:0079EA27 89442440                mov dword ptr [esp+40], eax
:0079EA2B A138C18800              mov eax, dword ptr [0088C138]
:0079EA30 8D4C2424                lea ecx, dword ptr [esp+24]
:0079EA34 51                      push ecx
:0079EA35 895C2448                mov dword ptr [esp+48], ebx
:0079EA39 8944244C                mov dword ptr [esp+4C], eax
:0079EA3D FF1530E77F00            call dword ptr [007FE730]
Now we just search for the line we marked.

Search:
85 C0 74 07 C6 05 87 5D 98 00 01 33 DB
Replace:
85 C0 EB 07 C6 05 87 5D 98 00 01 33 DB

That should enable you to run multiple ragnarok clients now.

To disable GameGuard, just look at the above code for WINMM.timeBeginPeriod and look down a bit; I marked it already.

Search:
E8 92 26 DD FF 3B C6 74 75
Replace:
90 90 90 90 90 90 90 90 90

That should disable GameGuard for the pRO client.
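As an added example (not part of heero's post or the OpenKore project), the script below checks a client image against the byte strings quoted in the latest method above and reports, for each known site, whether it is still intact, has already been edited, or is not present at all (a different client build), and spells out why each edit is shaped the way it is. The site labels and the sample image are constructed here; the GameGuard pattern is extended with the five bytes of the preceding call from the listing (E8 F6 83 FD FF) so that a bare run of NOPs does not match on its own.

```python
import sys
from typing import Dict, List, Tuple

# Search/replace byte strings quoted from the "Latest method" section above. The
# GameGuard entry is prefixed with the five bytes of the preceding call from the
# listing (E8 F6 83 FD FF) so that a bare run of NOPs is not matched by itself.
PATCH_SITES: Dict[str, Tuple[bytes, bytes]] = {
    "multi-client check 1 (after FindWindowA)": (
        bytes.fromhex("FF 15 74 87 8B 00 85 C0 74 07 C6 05"),
        bytes.fromhex("FF 15 74 87 8B 00 85 C0 EB 07 C6 05"),
    ),
    "multi-client check 2 (after WaitForSingleObject)": (
        bytes.fromhex("FF 15 5C 82 8B 00 85 C0 74 0A B8 01"),
        bytes.fromhex("FF 15 5C 82 8B 00 85 C0 EB 0A B8 01"),
    ),
    "GameGuard call": (
        bytes.fromhex("E8 F6 83 FD FF E8 51 FB D8 FF 3B C6 74 9F"),
        bytes.fromhex("E8 F6 83 FD FF 90 90 90 90 90 90 90 90 90"),
    ),
}

def classify_site(image: bytes, original: bytes, patched: bytes) -> str:
    """'intact' if the unmodified bytes are present, 'patched' if only the edited
    bytes are, 'absent' if neither (a different client build moved the code)."""
    if original in image:
        return "intact"
    if patched in image:
        return "patched"
    return "absent"

def scan_image(image: bytes) -> Dict[str, str]:
    """Classify every known patch site in a client image."""
    return {label: classify_site(image, orig, new)
            for label, (orig, new) in PATCH_SITES.items()}

def describe_edit(original: bytes, patched: bytes) -> List[str]:
    """Explain each byte an edit changes in x86 terms (both strings are equal length)."""
    notes = []
    for offset, (old, new) in enumerate(zip(original, patched)):
        if old == new:
            continue
        if old == 0x74 and new == 0xEB:
            what = "JE rel8 -> JMP rel8 (same 1-byte displacement, branch now always taken)"
        elif new == 0x90:
            what = "overwritten with NOP"
        else:
            what = "changed"
        notes.append(f"+{offset}: {old:02X} -> {new:02X}: {what}")
    return notes

# Constructed stand-in for a client image (not a real ragexe): filler around one
# intact site and one already-edited site; the second site is missing entirely.
SAMPLE_IMAGE = (b"\x00" * 16 + PATCH_SITES["multi-client check 1 (after FindWindowA)"][0]
                + b"\xCC" * 8 + PATCH_SITES["GameGuard call"][1] + b"\x00" * 16)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for label, state in scan_image(data).items():
        print(f"{state:8} {label}")
```

Run it with a file path to scan a real image; without arguments it scans the constructed sample. A site reported as "absent" means the build differs from the one the post was written against, so the quoted bytes should not be applied blindly.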

Re: Unpacked Clients for pRO with ways of finding hex codes

Posted: 27 Sep 2012, 11:58
by bilyakosta
you're a heero indeed!!! \m/
ima do this now. thanks so much for the time and effort!!! kudos to you and your team!! :D

Re: Unpacked Clients for pRO with ways of finding hex codes

Posted: 27 Sep 2012, 12:02
by heero
Post replies here if you have problems with the client. I didn't do much testing with this since I am kinda busy as well.

Re: Unpacked Clients for pRO with ways of finding hex codes

Posted: 27 Sep 2012, 12:03
by SeemsLegit
I really need to know these assembly workarounds T_T ...

thank you very much heero !!

will test now..

Re: Unpacked Clients for pRO with ways of finding hex codes

Posted: 27 Sep 2012, 12:18
by bilyakosta
just want to ask, is there a working no SP tele?

Re: Unpacked Clients for pRO with ways of finding hex codes

Posted: 27 Sep 2012, 12:50
by orange193
I downloaded the file under mediafire and renamed the .exe to my server (New Iris) and overwrite my current .exe but it seems like the gameguard is still active. Did I miss something sir heero?

Re: Unpacked Clients for pRO with ways of finding hex codes

Posted: 27 Sep 2012, 13:01
by heero
orange193 wrote:I downloaded the file under mediafire and renamed the .exe to my server (New Iris) and overwrite my current .exe but it seems like the gameguard is still active. Did I miss something sir heero?
I take it you didn't read my first post. READ IT AGAIN FROM TOP TO BOTTOM, and don't give me the "too long, didn't read" answer or I may have to stop updating this.
bilyakosta wrote:just want to ask, is there a working no SP tele?
Sorry, I no longer do that kind of thing since I am a bit busy; I am only focusing on what is needed, nothing more.

Re: Unpacked Clients for pRO with ways of finding hex codes

Posted: 27 Sep 2012, 15:04
by orange193
I apologize for my stupidity; I thought it was a ready-to-go .exe.

Thanks for the guide and have a Good Day.

Re: Unpacked Clients for pRO with ways of finding hex codes

Posted: 27 Sep 2012, 18:49
by Mackoy
Thank you, heero. It works 100%.

Re: Unpacked Clients for pRO with ways of finding hex codes

Posted: 27 Sep 2012, 20:24
by ras007
Hi Sir Heero,

I used to hex my own client but ever since they changed it so that you need to unpack it first I haven't been able to figure it out.
What I mean is, I can hex my own client but I would need the unpacked ragexe first.

Would you mind telling me what program I need to use to unpack the ragexe? I tried using stripperX but it's not working and the output is messed up.
Could you create a guide for that part so we could do the hexing ourselves starting from the packed ragexe?

Thanks!