Unpacked Clients for pRO with ways of finding hex codes

heero
Super Moderators
Posts: 158
Joined: 04 Apr 2008, 11:12

Re: Unpacked Clients for pRO with ways of finding hex codes

#71 Post by heero »

vhonn wrote:
anzei wrote:for those who were asking/doubting the link that i posted. you can ask the mods to verify my hexed/unpacked client.

to explain a little bit for those who are not knowledgeable with regards to hexing and modifying executable files; the original RO client was compressed/packed to a certain size, (usually 1.33mb) by the compiler used by the developer of Ragnarok. by doing so this will make the .exe have smaller size but still capable of running properly.

whenever you unpack your client to get it ready for modification; the program untangles the strings, adding extra bytes to each sector to allow the system to read what's currently inside. (the very same reason why some antivirus falsely recognize unpacked clients as malware). by making it readable for the system you'll have the capability to add or replace hex strings inside...

to make the explanation short... if you unpacked a "PACKED" file. of course it'll become larger...

and again for those who were asking/doubting the link i previously posted on page six; i clearly stated that "i intentionally included the hexed for the sake of those who can't do the hexing. but as other mods/admins remind us, we should hex our own clients to prevent getting hacked."

as to the mods/admins: i do apologize for the disturbance that it caused to your members. :) i was just merely trying to help them since this is what i've been doing for a very long time @ BAPT.


i'm not picking a fight. :) just for all to have an idea. :)
I'm just curious about your unpacked exe file being bigger than what heero posted here. We all know that the packed exe file is just 1.3mb.

Your file is about 5.0mb size while heero's file is just about 4.52mb.... can you explain why???

Image

See the comparison??? your unpacked file [left image] is bigger than heero's unpacked file [right image]
vhonn, I already told him to warn users if they wish to use his files, so let's not dig around anymore and let users decide. The first topic is already updated and we don't need to ask such questions anymore.
boytawad
Noob
Posts: 9
Joined: 25 Jan 2013, 10:59
Noob?: No

Re: Unpacked Clients for pRO with ways of finding hex codes

#72 Post by boytawad »

heero wrote:Updated 01/25/2013
Unpacked ragexe.exe http://www.mediafire.com/?jknf0vjeyu9zl4q
Since all servers of pRO now use the same exe file you can just rename this to your specific server. (valexe.exe for Valkyrie, newirisexe.exe for New Iris, and so on)
The file above is for people who don't know how to unpack ragexe.exe

figured I should post this since people have been having problems with multiple window hexing
Belladonas Guide - credit for the original posts

OPENING MULTIPLE CLIENT WINDOWS
For the first string, search for gdi32.GetStockObject until you find the block that looks something like this:

Code:

* Referenced by a CALL at Address:
|:00788180   
|
:00786E40 83EC60                  sub esp, 00000060
:00786E43 A1401E8800              mov eax, dword ptr [00881E40]
:00786E48 33C4                    xor eax, esp
:00786E4A 8944245C                mov dword ptr [esp+5C], eax
:00786E4E A118F18600              mov eax, dword ptr [0086F118]
:00786E53 53                      push ebx
:00786E54 55                      push ebp
:00786E55 56                      push esi
:00786E56 8B742470                mov esi, dword ptr [esp+70]
:00786E5A 57                      push edi
:00786E5B 50                      push eax
:00786E5C 50                      push eax
:00786E5D 89742428                mov dword ptr [esp+28], esi
:00786E61 8935D06B9600            mov dword ptr [00966BD0], esi
:00786E67 FF1530377E00            call dword ptr [007E3730]
:00786E6D 85C0                    test eax, eax
:00786E6F 7407                    je 00786E78  <----------------- This is what we need to look for
:00786E71 C605EF6B960001          mov byte ptr [00966BEF], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00786E6F(C)
|
:00786E78 33DB                    xor ebx, ebx
:00786E7A 6A77                    push 00000077
:00786E7C 56                      push esi
:00786E7D 895C242C                mov dword ptr [esp+2C], ebx
:00786E81 C744243020667800        mov [esp+30], 00786620
:00786E89 895C2434                mov dword ptr [esp+34], ebx
:00786E8D 895C2438                mov dword ptr [esp+38], ebx
:00786E91 8974243C                mov dword ptr [esp+3C], esi
:00786E95 FF1534377E00            call dword ptr [007E3734]
:00786E9B 68007F0000              push 00007F00
:00786EA0 53                      push ebx
:00786EA1 89442440                mov dword ptr [esp+40], eax
:00786EA5 FF1550377E00            call dword ptr [007E3750]
:00786EAB 6A04                    push 00000004
:00786EAD 89442440                mov dword ptr [esp+40], eax

* Reference To: gdi32.GetStockObject, Ord:0000h
                                  |
:00786EB1 FF1574307E00            Call dword ptr [007E3074]
:00786EB7 89442440                mov dword ptr [esp+40], eax
The code we are after is above gdi32.GetStockObject, so scroll up a bit to find it.

Search:
85 C0 74 07 C6 05 EF 6B 96 00 01 33 DB
Replace:
85 C0 EB 07 C6 05 5E F6 B9 00 01 33 DB

For the second string, search for kernel32.CreateMutexA

Code:

* Possible StringData Ref from Data Obj ->"Global\%s"
                                  |
:007880DB 68E0168200              push 008216E0
:007880E0 50                      push eax
:007880E1 FF15B8377E00            call dword ptr [007E37B8]
:007880E7 83C418                  add esp, 00000018
:007880EA 56                      push esi
:007880EB 8D8C2424030000          lea ecx, dword ptr [esp+00000324]
:007880F2 51                      push ecx
:007880F3 56                      push esi
:007880F4 56                      push esi

* Reference To: kernel32.CreateMutexA, Ord:0000h
                                  |
:007880F5 FF1580317E00            Call dword ptr [007E3180]
:007880FB 50                      push eax
:007880FC FFD7                    call edi
:007880FE 85C0                    test eax, eax
:00788100 0F85D1000000            jne 007881D7  <----------------- This is what we need to look for
:00788106 0FBE0579F08700          movsx eax, byte ptr [0087F079]
:0078810D 0FBE157AF08700          movsx edx, byte ptr [0087F07A]
:00788114 0FBE0D78F08700          movsx ecx, byte ptr [0087F078]
:0078811B 03D0                    add edx, eax
:0078811D 0FBE0577F08700          movsx eax, byte ptr [0087F077]
:00788124 03D1                    add edx, ecx
:00788126 0FBE0D76F08700          movsx ecx, byte ptr [0087F076]
:0078812D 03D0                    add edx, eax
:0078812F 0FBE0575F08700          movsx eax, byte ptr [0087F075]
:00788136 03D1                    add edx, ecx
:00788138 0FBE0D74F08700          movsx ecx, byte ptr [0087F074]
:0078813F 03D0                    add edx, eax
:00788141 03D1                    add edx, ecx
:00788143 81FAC9020000            cmp edx, 000002C9
:00788149 0F8588000000            jne 007881D7
:0078814F B9E8199600              mov ecx, 009619E8
:00788154 E88745FEFF              call 0076C6E0
:00788159 E86277DEFF              call 0056F8C0  <---------------- This is for disabling GameGuard
:0078815E 3BC6                    cmp eax, esi
:00788160 7475                    je 007881D7
Search:
85 C0 0F 85 D1 00 00 00 0F BE 05 79 F0 87 00
Replace:
85 C0 90 90 90 90 90 90 0F BE 05 79 F0 87 00

That should enable you to run multiple Ragnarok clients now.

To disable GameGuard, just look at the above code for kernel32.CreateMutexA and look down a bit; I marked it already.

Search:
E8 62 77 DE FF
Replace:
90 90 90 90 90

That should disable GameGuard for the pRO client
hi sir, the link to belladona's guide isn't working, can you please double check? and is there also a link for the stripper? i would like to download it from your link. thank you anzei and heero
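The three byte sites from the guide quoted above, written as a tamper check that can be run over a client binary (an added example, not code from the thread; the function names and the sample buffer are constructed, and the context bytes around the GameGuard call are taken from the listing in the post). A bare run of five NOPs is too generic to match on its own, so that site is anchored on its neighbouring instructions, and both replace strings seen in the thread are accepted for the first site because they differ from the original at different offsets.

```python
# Added example: classify the three patch sites from this thread in a client image.
# Byte strings are copied from the posts; names and the sample buffer are constructed.

def hx(s: str) -> bytes:
    return bytes.fromhex(s)

# name -> (context before, original bytes, modified variants, context after)
SITES = {
    "first string": (
        b"",
        hx("85 C0 74 07 C6 05 EF 6B 96 00 01 33 DB"),
        [hx("85 C0 EB 07 C6 05 EF 6B 96 00 01 33 DB"),   # as quoted in post #76
         hx("85 C0 EB 07 C6 05 5E F6 B9 00 01 33 DB")],  # as quoted in the guide
        b"",
    ),
    "second string": (
        b"",
        hx("85 C0 0F 85 D1 00 00 00 0F BE 05 79 F0 87 00"),
        [hx("85 C0 90 90 90 90 90 90 0F BE 05 79 F0 87 00")],
        b"",
    ),
    # Five NOPs alone occur in unrelated code, so anchor on the call before
    # (E8 87 45 FE FF) and the cmp/je after (3B C6 74 75) from the listing.
    "gameguard call": (
        hx("E8 87 45 FE FF"),
        hx("E8 62 77 DE FF"),
        [hx("90 90 90 90 90")],
        hx("3B C6 74 75"),
    ),
}

def changed_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def audit(image: bytes) -> dict:
    """Return {site: (status, offset)}; status is original/modified/not found."""
    report = {}
    for name, (pre, orig, variants, post) in SITES.items():
        report[name] = ("not found", -1)
        candidates = [("original", orig)] + [("modified", v) for v in variants]
        for status, body in candidates:
            pos = image.find(pre + body + post)
            if pos != -1:
                report[name] = (status, pos + len(pre))
                break
    return report

def build_sample() -> bytes:
    """Constructed buffer: site 1 modified, site 2 original, site 3 modified,
    plus a stray NOP run that must not be reported."""
    pad = b"\xCC" * 16
    s1, s2, s3 = SITES["first string"], SITES["second string"], SITES["gameguard call"]
    return (pad + s1[2][1] + b"\x90" * 5 + pad + s2[1] + pad
            + s3[0] + s3[2][0] + s3[3] + pad)

if __name__ == "__main__":
    for site, (status, off) in audit(build_sample()).items():
        print(f"{site:15} {status:10} offset={off}")
```

The call displacements are relative to the addresses in this particular build, so these signatures apply only to the executable the thread discusses.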
anzei
Human
Posts: 33
Joined: 19 Dec 2012, 19:38
Noob?: No

Re: Unpacked Clients for pRO with ways of finding hex codes

#73 Post by anzei »

vhonn wrote: I'm just curious about your unpacked exe file being bigger than what heero posted here. We all know that the packed exe file is just 1.3mb.

Your file is about 5.0mb size while heero's file is just about 4.52mb.... can you explain why???

Image

See the comparison??? your unpacked file [left image] is bigger than heero's unpacked file [right image]
do i need to re-explain everything from the top??? did you even study any programming language or anything related to programming?

reminder: this message doesn't mean to flame.

1st of all. i already stated on my post that includes the link to "i intentionally included the hexed for the sake of those who can't do the hexing. but as other mods/admins remind us, we should hex our own clients to prevent getting hacked."
2nd. i've been working @ botter ako paramihan tayo, (a local forum to cater to the needs of locals or those who can't understand English) for almost 3 years and been serving them without any problem at all.
3rd. BEFORE ASKING QUESTIONS, DO IT YOURSELF...

TO GIVE THE EXPLANATION THAT YOU NEED, well fine. as i've said. why don't you do it yourself to understand better.
packed executable files have their hex strings tangled and compressed in a way that they'll be having smaller size yet running smoothly. upon using any unpacking software; you're untangling the hex strings by adding additional bytes (in hex) to the executable files. based upon the discretion of the unpacking software (stripper 2.07 , stripper 2.11; i've been using stripper 2.11) it will produce different results for each trial. WANT PROOF??? DO IT YOURSELF. i don't need to explain everything for a member. it's not our job to feed you everything. "we share, DO YOUR PART"


if you want proof that i've been working also as an administrator then see here
BOTTER AKO, PARAMIHAN TAYO?

one of the mods here, admin fox, has been my acquaintance too and currently my fellow admin @ the said site.

so stop whining and start studying so you would know WHY


"i fear that the admins/mods will be the ones criticizing me, yet they've shown exemplary behavior and been more understanding than those who recently joined and are already criticizing others' work without having enough knowledge on the thingy..."

kudos admins and mods. :)
anzei
Human
Posts: 33
Joined: 19 Dec 2012, 19:38
Noob?: No

Re: Unpacked Clients for pRO with ways of finding hex codes

#74 Post by anzei »

boytawad wrote:
hi sir, the link to belladona's guide isn't working, can you please double check? and is there also a link for the stripper? i would like to download it from your link. thank you anzei and heero

i think belladona's guide is not available anymore. the best guide you can find as of the moment is heero's guide. been looking for belladona's guide too but ran out of luck.

with regards to the stripper, you can use the 2.11 version

here's the link, btw, av will find this file infected. as it's a false alarm :)
boytawad
Noob
Posts: 9
Joined: 25 Jan 2013, 10:59
Noob?: No

Re: Unpacked Clients for pRO with ways of finding hex codes

#75 Post by boytawad »

anzei wrote:
boytawad wrote:
hi sir, the link to belladona's guide isn't working, can you please double check? and is there also a link for the stripper? i would like to download it from your link. thank you anzei and heero

i think belladona's guide is not available anymore. the best guide you can find as of the moment is heero's guide. been looking for belladona's guide too but ran out of luck.

with regards to the stripper, you can use the 2.11 version

here's the link, btw, av will find this file infected. as it's a false alarm :)
you don't have to explain yourself anzei, i've been using your client from BAPT for months and i can say that i've got some good stuff now and still i don't get hacked, if that's what people want to hear, you've helped us without asking for anything in return so thank you, also for the stripper HAH!
subkristen
Noob
Posts: 14
Joined: 13 Jan 2010, 07:17
Noob?: Yes

Re: Unpacked Clients for pRO with ways of finding hex codes

#76 Post by subkristen »

anzei wrote:just want to update the hex codes for pRO server as of episode 27: bifrost

same procedure as with heero. :))

january 23 2013

85 C0 74 07 C6 05 EF 6B 96 00 01 33 DB
85 C0 EB 07 C6 05 EF 6B 96 00 01 33 DB

For dual login
85 C0 0F 85 D1 00 00 00 0F BE 05 79 F0 87 00
85 C0 90 90 90 90 90 90 0F BE 05 79 F0 87 00

To disable GameGuard
E8 62 77 DE FF
90 90 90 90 90
Hi anzei,

I appreciate your help
Can you enlighten us what this code is for?:

Code:

january 23 2013

85 C0 74 07 C6 05 EF 6B 96 00 01 33 DB
85 C0 EB 07 C6 05 EF 6B 96 00 01 33 DB
Thanks.

-- Edited --
I Figured it out myself =))
Thanks again for providing us updated Hex Codes.
anzei
Human
Posts: 33
Joined: 19 Dec 2012, 19:38
Noob?: No

Re: Unpacked Clients for pRO with ways of finding hex codes

#77 Post by anzei »

boytawad wrote: you don't have to explain yourself anzei, i've been using your client from BAPT for months and i can say that i've got some good stuff now and still i don't get hacked, if that's what people want to hear, you've helped us without asking for anything in return so thank you, also for the stripper HAH!
glad to be of service. :D as always and will always be. :)
subkristen wrote: Can you enlighten us what this code is for?:

Code:

january 23 2013

85 C0 74 07 C6 05 EF 6B 96 00 01 33 DB
85 C0 EB 07 C6 05 EF 6B 96 00 01 33 DB
Thanks.

-- Edited --
I Figured it out myself =))
Thanks again for providing us updated Hex Codes.
sure no prob. again thanks to our superiors. i've learned so much from them and glad to be of service. :)
heero
Super Moderators
Posts: 158
Joined: 04 Apr 2008, 11:12

Re: Unpacked Clients for pRO with ways of finding hex codes

#78 Post by heero »

Since Belladona's site went down, I have added all the files I used for this post; they are already on the first page.
vhonn
Human
Posts: 28
Joined: 03 Jun 2012, 11:50
Noob?: Yes

Re: Unpacked Clients for pRO with ways of finding hex codes

#79 Post by vhonn »

do i need to re-explain everything from the top??? did you even study any programming language or anything related to programming?

reminder: this message doesn't mean to flame.

1st of all. i already stated on my post that includes the link to "i intentionally included the hexed for the sake of those who can't do the hexing. but as other mods/admins remind us, we should hex our own clients to prevent getting hacked."
2nd. i've been working @ botter ako paramihan tayo, (a local forum to cater to the needs of locals or those who can't understand English) for almost 3 years and been serving them without any problem at all.
3rd. BEFORE ASKING QUESTIONS, DO IT YOURSELF...

TO GIVE THE EXPLANATION THAT YOU NEED, well fine. as i've said. why don't you do it yourself to understand better.
packed executable files have their hex strings tangled and compressed in a way that they'll be having smaller size yet running smoothly. upon using any unpacking software; you're untangling the hex strings by adding additional bytes (in hex) to the executable files. based upon the discretion of the unpacking software (stripper 2.07 , stripper 2.11; i've been using stripper 2.11) it will produce different results for each trial. WANT PROOF??? DO IT YOURSELF. i don't need to explain everything for a member. it's not our job to feed you everything. "we share, DO YOUR PART"


if you want proof that i've been working also as an administrator then see here
BOTTER AKO, PARAMIHAN TAYO?

one of the mods here, admin fox, has been my acquaintance too and currently my fellow admin @ the said site.

so stop whining and start studying so you would know WHY


"i fear that the admins/mods will be the ones criticizing me, yet they've shown exemplary behavior and been more understanding than those who recently joined and are already criticizing others' work without having enough knowledge on the thingy..."

kudos admins and mods.
Why so defensive???? LOL!!! this is Openkore forums and not BAPT!!!

Don't you have any respect for the admins on this forum? Bragging about your forums here and being an admin there, you should be ashamed of yourself. You think your forum is better than this forum? How would you feel if someone were promoting their forums on your forum? Come on dude, you know what DELICADEZA (a sense of propriety) means, do you???!!!!

Oh and before I forget, I joined as a member a few months earlier than you, so we are both newbies, so don't put yourself in the front seat; it doesn't make you a better man.
anzei
Human
Posts: 33
Joined: 19 Dec 2012, 19:38
Noob?: No

Re: Unpacked Clients for pRO with ways of finding hex codes

#80 Post by anzei »

geez bro i don't know what you really want to happen. 1st you criticized my help, and when i explained everything and you found nothing wrong with it, you started flaming my explanation. "THIS CONVERSATION DOESN'T HAVE ANY DIRECTION"
vhonn wrote:
Why so defensive???? LOL!!! this is Openkore forums and not BAPT!!!

Don't you have any respect for the admins on this forum? Bragging about your forums here and being an admin there, you should be ashamed of yourself. You think your forum is better than this forum? How would you feel if someone were promoting their forums on your forum? Come on dude, you know what DELICADEZA (a sense of propriety) means, do you???!!!!

Oh and before I forget, I joined as a member a few months earlier than you, so we are both newbies, so don't put yourself in the front seat; it doesn't make you a better man.
oh geez?? respect to admins you say?? please man, get a life, i'm not trying to brag about whatever i have to admins here. i'm just merely pointing out that i've been working "too" and not saying that the forum i'm currently working at is better than this. mind you dude, i didn't even tell you that i've been here longer than you. what i said is, you've just recently joined yet started criticizing others' work.

and no, i have respect to admins and mods here, i'm even grateful to them due to their knowledge and expertise with regards to the said programs and procedures.

and again, I DON'T BRAG MY FORUM. BECAUSE WE'VE BEEN SUPPORTING AND TELLING MEMBERS TO VISIT HERE BECAUSE THIS IS BETTER THAN OURS, AS I'VE SAID I ONLY SERVE LOCALS WHO CANNOT UNDERSTAND ENGLISH OR THOSE WHO CAN'T FOLLOW COMPLEX INSTRUCTIONS.

and please man, you should be the one ashamed of yourself... why? you keep flaming my messages and telling me i'm too defensive. yeah i'm quite defensive to those people who are too OFFENSIVE. delicadeza (propriety) you say?? then... you should be ashamed before the admins too. THEY HAVEN'T SAID ANYTHING BAD TO ME, NOT EVEN A LITTLE. YOU KEEP ON MOCKING ME.

if you're gonna reply with another flame message, don't expect me to reply again. i rest my case... this'll continue and won't end. this has no direction, you'll just end up flaming every reply that i'll do, and i'll end up explaining everything. people like you are the kind who just love flaming other people's messages. so. yeah i quit...

"i didn't come here to argue. i came here to help."


to the administrators and moderators: i do apologize for the inconvenience that i've brought. i was only trying to help and ended up being questioned/criticized. sorry for the inconvenience...