Hacks without Registers

[magicalimp]

Given a hint as to what can be done with dREAPER, I decided to explore the capabilities. The capabilities being that you do not have to use your limited amount of debug registers [4].

To use hacks without registers, you must use dREAPER to access the Memory, or change the assembly code. To do this, right click the address in Memory View (in your CE/UCE) and click assemble (assuming you've released the core). Here's some (notice the word some) ways to use this:

Quote:

Jne --> Je or vice versa (really simple lolz)

Address 62BEDD (No-hit Godmodev1): Change Assemble from jne 0062c668 to je 0062c668
Address 625C96 (No-hit Godmodev2): Change Assemble from jne 00625f5b to je 00625f5b
Address 6198CB (Full Godmode): Change Assemble from jne 00619eb6 to je 00619eb6
Address 62BF27 (Fake Miss Godmode): Change Assemble from je 0062c3b3 to jne 0062c3b3
Address 65C04C (Speed Walk): Change Assemble from je 0065c0d4 to jne 0065c0d4
Address 65C67D (Levitate): Change Assemble from je 0065c858 to jne 0065c858
Address 6199BF (Dark Sight): Change Assemble from jne 006199cc to je 006199cc
Address 617B80 (Shadow Partner): Change Assemble from je 00618000 to jne 00618000
Address 65BB23 (Glide): Change Assemble from je 0065bba3 to jne 0065bba3

Quote:

Unrandomizer (Yes, it gets it's own seperate section)

Assemble Codes: (Original Code is and eax,00007fff)
----------------------------------------------------------------
Manipulating Strength
and eax, 00000000 (Roll 13 Str)
and eax, 00000001 (Roll Str and Dex ONLY)
and eax, 00000002 (Roll Str and Int ONLY)
----------------------------------------------------------------
Using Mov (moves the value after the comma into the EAX of that Address
mov eax, 00000000 (Roll 13 Str)
mov eax, 00000001 (Roll 13 Dex)
mov eax, 00000002 (Roll 13 Int)
mov eax, 00000003 (Roll 13 Luk)
mov eax, 11111111 (Stab) [Change this however you like]
mov eax, 11111113 (Swing) [Change this however you like]
mov eax, 11111115 (Underswing: Not using spear/polearm) (Swing: Using Spear/Polearm) [Change this however you like]
mov esp, 0 (Crash Maple :P)

P.S. Can someone find out how to manipulate dex, int, or luk and some other stat?

Quote:

Changing the Assembly code (other than deleting a 'n' or adding one)
----------------------------------------------------------------
Swear Hack: 451C9F : nop --> Click 'Yes'

To turn swear hack off modify assembly with je 00451cbd, then click 'Yes'
----------------------------------------------------------------
Speed Attack: 43166A : mov eax, 00000000 (fastest attack)
----------------------------------------------------------------
Fast Attack: 430628 : mov eax, 00000000 (fastest attack)
----------------------------------------------------------------
Unlimited Jump: 65B936 : nop --> Click 'Yes' [P.S. You probably don't want to do this]

If you want to Change Unlimited Jump back to normal, rewrite assembly with je 0065bb20, then click 'Yes'
----------------------------------------------------------------
Fly Hack: 65B874 : nop --> Click 'Yes'

If you want to turn fly hack off, replace nop with je 0065b92e
----------------------------------------------------------------
Super Tubi: 48820E: nop --> Click 'Yes'

Original Assembly code: jne 00488247
----------------------------------------------------------------
Uber-KnockBack: 65FC45: jb 0065fce5

Original Assembly Code: jae 0065fce5
----------------------------------------------------------------
Meso Drop Value: 658333: mov eax, 0000xxxx

xxxx is the value of the amount of mesos you want to drop in Hexidecimal:
10 - A
50000 - C350
Figure the rest out on your own

Original Code: mov [esi+000000bc],eax
----------------------------------------------------------------
Lag (freeze) Hack: 65B31D: nop --> Click 'Yes'

Original Code: test eax,eax
----------------------------------------------------------------

Quote:

CSEAX: Because it's that cool
----------------------------------------------------------------
CSEAX X: mov eax, xxxxxxxx

Where xxxxxxxx is your Char X in hexidecimal

Original Code: mov [ebx],eax
----------------------------------------------------------------
CSEAX Y: mov eax, xxxxxxxx

Where xxxxxxxx is your Char Y in hexidecimal

Original Code: mov [edi],eax
----------------------------------------------------------------

I found these with experimentation, luck, and some knowledge of the language. For instance, mov eax, xxxxxxxx assigns xxxxxxxx to the EAX, so unrandomizer is set to go. After testing with getting rid of or adding an n to jne/je, I was left with the addresses in the other. Speed attack and Fast attack were the same concept as Unrandomizer, so it was set to go. Meso Drop value is also the same as Unrandomizer, but it is prefered if you keep the original function incase you want to be able to enter in the money you want to drop. The function on Uber-Knockback originally said Jump if above or equal to (J-A-E), and I just made it the exact opposite (same concept as jne --> je [Jump if not equal to] --> [Jump if equal to]). As for swear, Unlimited Jump, fly and tubi, I noticed (probably by pure luck) that the name was Swear Filter, meaning it filtered somethings. I decided to get rid of the filter entirely by replacing the function at the swear address with nop (code that does absolutely nothing). Surprisingly it worked. I decided to do that with Unlimited Jump, Lag, Fly, and Super Tubi as well, and what do you know? They worked.

EXAMPLE: [No-Hit godmode]

First, go to address 62BEDD (I'm assuming you know how to do that, since you're using dREAPER)
Second, right click, then click assemble, like this:

Third: Make the correct changes to the assembly code like this:

Then click OK, and it should be ok :P

Oh and, someone test these, to see if they work for you as well. Thanks :D

[11/26/06]: .CT added

[magicalimp]

Bump. No one going to comment after 57 view?

[Monkey Piro]

Hey im trying to test this out but im not sure which part to input into the assemble.
FOR EXAMPLE:
Address 62BEDD (No-hit Godmode): Change Assemble from jne 0062c668 to je 0062c668

with this one would i just paste Change Assemble from jne 0062c668 to je 0062c668 into the assemble box?

[Monkey Piro]

Hey im trying to test this out but im not sure which part to input into the assemble.
FOR EXAMPLE:
Address 62BEDD (No-hit Godmode): Change Assemble from jne 0062c668 to je 0062c668

with this one would i just paste Change Assemble from jne 0062c668 to je 0062c668 into the assemble box?

[edit] sorry for double post here guys... My net was lagging and wasnt sure whether or not it had gone through :/

Anyway thanks for clearing that up haven't got to testing it yet but i will be sure to test out later.

[magicalimp]

Ok, i'm going to upload a pic of that example...

[spocken]

just what I needed thanks dude :)

[magicalimp]

Added HOW I got the code too.

So these codes work?

[Monkey Piro]

Nice work i just tested the no hit godmode one and it worked, can't be bothered testing the others atm because i'm tired however i assume they should work too seeing how they are basically the same as godmode.

P.S hopefully this will put an end to those who complain about the maximum debug registers.

Keep it up.

[magicalimp]

Can someone post how to change EIP in Assembly? >.<

[wix]

To find it you just need to go to the address >> right click >> change register at this location >> zf [x] [ ] >>> look at the assemble and that's it

And if you want to do it with disable part then just remeber the orginal code