Magic Speedhack

[delinquent]

Ok I had enough of people at private servers they pissing me off. They think my peace caasting hack is doing damage ill show them real damage anyone know how this magic speedhack is done? Im going to release clients with heaps of stuff...

Thanks

[huhuhaha]

Go check on my post about old code hack patch for v2.95.
The one that you need is
- no cast delay
- no magic pause (pause/stop after shoot)
- speed trap (no dc if too fast)

It is easy to map it to 2.191/2.20 and above.

[delinquent]

I tried mapping it but like I found the area to put it but since your code is very different it doesnt have like a Before and After.... so im not sure im doing putting it in the right place.... also what is .text or something

[delinquent]

Code: Select all

no cast delay
-------------
004646A1  |. 8D5424 3C                lea     edx, dword ptr [esp+3C]
004646A5  |. 8D8D E0D30600            lea     ecx, dword ptr [ebp+6D3E0]
004646AB  |. 52                       push    edx
004646AC  |. C74424 40 00000000       mov     dword ptr [esp+40], 0
004646B4  |. E8 87BF0300              call    HelFart.004A0640
004646B9  |. FF15 64124B00            call    dword ptr [<&WINMM.timeGetTime>]              ;  WINMM.timeGetTime
004646BF  |. 8985 74D30600            mov     dword ptr [ebp+6D374], eax

004646A1     EB 22                    jmp     short HelFart.004646C5
004646A3     90                       nop
004646A4     90                       nop

speed trap
----------
00461F08   . 8B8D 98980600            mov     ecx, dword ptr [ebp+69898]

00461F08     E9 D6280000              jmp     HelFart.004647E3
00461F0D     90                       nop

magic pause
-----------
.text:004624E5                 push    eax
.text:004624E6                 mov     [esp+0F4h+var_D8], esi
.text:004624EA                 call    sub_4A0640
.text:004624EF                 call    timeGetTime  ; Get system time, in milliseconds

004624E5   . 50                       push    eax
004624E6   . 897424 1C                mov     dword ptr [esp+1C], esi

004624E5    -E9 B6ED1900              jmp     HelFart.006012A0

006012A0   50                         push    eax
006012A1   C74424 1C 01000000         mov     dword ptr [esp+1C], 1
006012A9  -E9 3C12E6FF                jmp     HelFart.004624EA

These 3 correct? I try map them again
see those .text: what is that?

[huhuhaha]

ignore that .txt thingie. It is bcoz I copied the lines from IDA pro.

for no cast delay search for this code sequence
push 4
push 0FA314D5h

for no magic pause it will be slightly more difficult. also you need to change the jump to different address. It is about 50 lines above the code referencing to "Network Traffic..."

[delinquent]

Woot I can shoot while it is still casting thanks huhuhaha, now im working on having no pause and I still got to do the speedtrap. Thanks alot man

[delinquent]

ignore that .txt thingie. It is bcoz I copied the lines from IDA pro.

for no cast delay search for this code sequence
push 4
push 0FA314D5h

for no magic pause it will be slightly more difficult. also you need to change the jump to different address. It is about 50 lines above the code referencing to "Network Traffic..."

When you say

for no magic pause it will be slightly more difficult. also you need to change the jump to different address. It is about 50 lines above the code referencing to "Network Traffic..."

Do you mean that I need to chane the jump the address that is about 50 lines about the Network Traffic or are you saying that I just need to change the jump but what im looking for is about 50 lines above the Network Traffic lag ._.??

Also how will I find speedtrap, I think the exe has changed significantly

[huhuhaha]

1. the code that you need to modify is about 50 lines above the code referencing to Network Traffic...
2. You need to change it to jump to a code cave, I used additional section.
3. speed trap never change much. it is just couple line below 'cmp esi, 12C'. That part will after that will dc you if you attack/shoot faster than 300ms. So you just make a jump to force you to ignore that shoot/attack instead of dc.

[delinquent]

1. the code that you need to modify is about 50 lines above the code referencing to Network Traffic...
2. You need to change it to jump to a code cave, I used additional section.
3. speed trap never change much. it is just couple line below  'cmp    esi, 12C'. That part will after that will dc you if you attack/shoot faster than 300ms. So you just make a jump to force you to ignore that shoot/attack instead of dc.

Okay, so should I use a a tool that finds code caves like Tsongies code cave tool? Cause im not suer how to find them

I saw your code had memory offsets in the 600000s how did you add the additional section

[huhuhaha]

I use lordpe to add the new section. You don't really need to do so.
the empty part at the end of the code section should be ok, although if you intend to patch it into the exe instead of memory patching, you will need to rebuild the exe so that the vsize=psize (virtual size = physical size).

[delinquent]

I use lordpe to add the new section. You don't really need to do so.
the empty part at the end of the code section should be ok, although if you intend to patch it into the exe instead of memory patching, you will need to rebuild the exe so that the vsize=psize (virtual size = physical size).

Ahh so that is why you don't see any room left at the end of the code and before

[delinquent]

For the speedtrap I can't find cmp esi, 12C erm O_O It just says item not found...


EDIT: Maybe it is just 300 not 12C i check

[delinquent]

I couldn't find anything about 50 lines above but I looked about 70 lines below and found this....


0045786A . 52 PUSH EDX
0045786B . C74424 1C 0000>MOV DWORD PTR SS:[ESP+1C],0
00457873 . E8 A8830300 CALL H2test.0048FC20
00457878 . FF15 48F24900 CALL DWORD PTR DS:[<&WINMM.timeGetTime>] ; WINMM.timeGetTime

[delinquent]

I just finished making modifications but when I finished I couldn't find the fucking Save All Modifications it was like it dispeared wtf? I am using ollydbg do you know why this happend huhuhaha? Is it because I set something outside the breakpoint ..? If so is there a way to extend it

[Kinky]

I thought u were'nt gonna do magic hack because it messes up the game neway PM me what version this is for.