Maple Story Tutorials (Tutorials only. No requests.)
#1 | Registered User

Hex, Dec & Bin: What the hell are those?

Hex is short for Hexadecimal, Dec is short for Decimal and Bin is short for Binary. Hexadecimal numbers are base-16 numbers, which means there are 16 digits. We humans use base-10 numbers, the decimal numbers. Decimal numbers are the normal numbers we know and use every day. (0-9, while hexadecimal uses 0-F.)

This is how hexadecimal works: 0-9, like the normal numbers we know (decimal), but instead of 10 we start using letters: A, B, C, D, E and F. (F is like 15, but since 0 is the first digit, F is the 16th digit - base-16 as I said.) But what if we have a hexadecimal number that uses only numbers and not letters? How would we know it's a hexadecimal number and not decimal? Simple: 0x will come before the number. If we have hexadecimal 1337 we will write 0x1337. (Or 1337h, 'h' for hexadecimal, but this is used in MASM; also 'd' and 'b' for decimal and binary.)

However, binary is only base-2; it has only 0 and 1 in it. As I said in the last chapter, 1 binary digit = 1 bit (Binary digIT). But we use the binary digits in a whole different way than other numbers: every digit represents a hexadecimal number. 1 - bit is on. 0 - bit is off. Which means, if we have 1000 (binary), it's not 1000, not 1; it turns the leftmost bit on. The left bit is 0x8 (hexadecimal 8421 - this is the order of digits). When the bit is on (1) the digit will stay as it is; if the bit is off (0) the digit will turn to 0.

Example: 1111 will turn on all the bits, so the result is 0xF. But how? 8421 - because all the bits are on. Here comes the part where it matters whether the digits are hexadecimal or decimal: 0x8+0x4+0x2+0x1 = F (0x4+0x2+0x1 = 7, +0x8 = 0x7+0x8 = 0xF). Let's see another example: 1010 would make the 2nd and 4th bits on, which means 8020 (0x8+0x2 = A, remember? After 9 the letters come, so A = 10). 0001 would be 0x1, because the bits of 8, 4 and 2 are off (0) and only the bit of 0x1 is on. 0+0+0+1 = 1.
Bytes & Bits: What are the bytes used for?

Every op-code has bytes; every byte represents a different op-code. Op-code is the assembly code. The bytes 74 06 will je short +6 (+2 bytes - the formula of short jumping) bytes from the current address. 74 is the byte that represents je short. Bytes will always be 2 hexadecimal digits, meaning 8 bits. (1 bit = 1 binary digit, 4 binary digits are 1 digit of a byte, so 8 bits = 1 byte.) One of the most important things about bytes is that bytes = opposite value, value = opposite bytes! Remember that!!! When your bytes are 10 00 the value is 0001. When your value is 1337 your bytes are 37 13.

Now that you know enough, it's time for updating: As you know, there are only slight changes between the patches, so let's say our address is 613FDE; then it won't change to something like 9157FA in 1 patch... (unless it's dynamic). So let's say last version the address was 613FDE; we'll change the scan range to a max of 00900000 (in case some addresses passed the 800000...). This should speed up the scan...

Getting the Array of Bytes: In the lower part of the memory view, press Ctrl+G, go to the address you wish to get AoBs for and copy about 4-16 bytes. (Recommended manually, not copy-paste - big chance of BSOD... just be careful not to press any keys.) [image: Aob1.jpg]

Scanning for the AoBs: Just look at the pic: [image: Aob2.jpg] We took the AoBs of our address, scanned for them in "Array of Bytes" type and the magic is done.

Getting the AoBs with a .CEM file: Open the process list, press the "Open File" button, open your CEM and go to the address you wish to get AoBs for. Get the AoBs, open another engine, attach to Maple and scan! Remember - smaller range, faster speed.
Getting AoBs without a CEM, MapleStory.exe or even an engine: This should be really easy for far jumps (that we didn't use db for) and stuff... (like lock imul eax,edx,05483FC3). Let's take this script and analyze it:

00443322: je 007789F3 - 0F 84 CB 56 33 00

The formula of far jump: Current_Address + 06 + Bytes_To_Jump = Address_To_Jump_To. (Remember, bytes = opposite value - read more about it in the auto assembly page.) Example: 443322 + 06 + 003356CB (those are the bytes; 0F 84 are the bytes of far je) is actually 7789F3 - the address we jump to! So by that script:

00443322: je 007789F3

we know the first few bytes we have to scan are 0F 84 CB 56 33 00 and that the address should be (usually, the addresses in Maple only go forward...) after 00443322; just scan, and everything before 443322 wouldn't be that address.

Also, the formula of short jump is: Address + 02 + Bytes_To_Jump = Destination. Example:

00400000: db 74 02 //This is a jump to 00400004. (Current_Address + 2 + Bytes to jump: 2 + 2 = 4, 00400000+4 = 00400004)

(Notice this is also for a reversed jump: "not" the bytes + 2 + bytes to jump backwards. Example: 74 FE would jump from the next address to the current. 74 + 2 bytes after it = FF + the byte after it - is the address after that jump - FE, not FE, it's -1.)

Updating pointers: Look at my pointer: 00808d1c, offset 8. How can I get the AoBs of it? Piece of cake. Go to the memory view, click on the menu "Search -> Assembly Scan" and look for "* [your pointer] *". (* is a wildcard, though it works fine without it...) In my case I would search for [00808d1c]. Now we know what address stores it in the registers and changes its values. Of course, in the next version it will store that pointer again and change to those values again, so we will just scan for the address we've found, and the pointer address should be in brackets. (Those are brackets: [].) Also the offset should be somewhere in there, but offsets don't change much. Pic: [image: Aob3.jpg]

*Note: Make your CEMs in game, so it saves the values that are normal in-game, not before it; just log on your character, don't be lazy.

Scripting: (Not EIP...) Every script needs a few things to make it work: Label/Jump back to code. (Label is easier, more comfortable...)
Allocating - Placing a bigger piece of code in empty memory. Jumping to the allocation and nop. *Note: Usually, we will crash when not using the old memory, so we will have to make changes and then write our code, for example:

mov eax,faded
mov [ebp+0c],eax

or after the code:

inc eax //Original Memory
inc eax //Original Memory
sub eax,2 //Muhahahaha

Let's make this simple on/off script:

Code:
[enable]
Alloc(GodModeOn,32)
Alloc(CheckIf,32)
Alloc(GodModeOff,32)
Registersymbol(Secks)
Label(Back)

Secks:
dd 0

666543: //God mode address?
jmp CheckIf //Jumping to allocation...
nop //Noping...
Back: //This is actually 666549. (666543+5 Jump bytes+1 Nop byte)

CheckIf:
cmp [Secks],0
je GodModeOff
jmp GodModeOn

GodModeOff:
cmp eax,[ebp-4] //Check if you got it...
je 6679F5 //If you did - it jumps
jmp Back //Else, continue executing the code.

GodModeOn:
cmp eax,[ebp-4] //Compares again if you got hit...
jne 6679F5 //If you did, it wouldn't jump.
jmp Back //Executing our code.

[disable]
Dealloc(CheckIf)
Dealloc(GodModeOn)
Dealloc(GodModeOff)
Unregistersymbol(Secks)
666543:
je 6679F5

Q&A:
Q: Why did you make that compare?
A: Because I already compared the value of "Secks", which changes the ZF (Zero Flag) state not according to getting hit by a monster or not, so we have to check again if we did get hit and set the ZF according to that compare.
Q: Why did you compare eax,[ebp-4]?
A: First thing that came up.
Q: WIL THIES WORKKZ FOR GMS?!
A: I DUNO PLIZ TEST AND +REP IF WURKS!
Q: If the addresses were real, would this work?
A: Yes, depending on whether the compare is real too.

Before we continue to Code-Caving - scripts that use EIP - I want to see if you really understand it. This is a real script that works for GMS; you don't even have to bypass:

Code:
[enable]
Alloc(Check,31)
Alloc(Logged,31)
Alloc(Type,31)
Label(Back)

488699: //Pin type address
jmp Check
nop
Back:

Check:
cmp [809130],4 //4 = Pin menu is open
je Type //If pin menu is open, activate pin type.
jmp Logged //Else, deactivates.

Logged: //When logged.
cmp edx,6f //Compares edx with 6F. (Don't ask me, that's the compare that checks whether you can type or if it will open the pin menu)
jbe 0048860b //Original memory.
jmp Back //Continue executing our code if we didn't jump.

Type: //If we're not logged in,
cmp edx,6f //Compares again,
jae 0048860b //Activate.
jmp Back //And continue executing our code.
//Created by Symbol O_o

[disable]
488699: //Disables.
jae 0048860b

//I made this script yesterday... I don't know if this would work inside the game, because it does change the memory, still... (The allocation...) but you can try.

Code-Caving scripts to use debug registers: All we have to do here is an allocation (and registersymbol if you're lazy...) and then set EIP instead of using an address in the script or labels; this is easier than normal scripting... Let's see that On/Off God Mode script: (Won't work for now, but you can update the addresses...)

Code:
[enable]
//EIP: CheckIf
Alloc(CheckIf,32)
Alloc(GodModeOn,32)
Alloc(GodModeOff,32) //Label name fixed to match the jump below (was GodModOff)
Registersymbol(CheckIf)
Registersymbol(ChangeMyValue)

CheckIf:
cmp [ChangeMyValue],0
je GodModeOff
jmp GodModeOn

GodModeOff:
cmp eax,[ebp-4] //Replace with the real check.
je Address_To_Jump //Replace that with the address you jump to...

GodModeOn:
cmp eax,[ebp-4] //Replace with the real check.
jne Address_To_Jump //You know...

[disable]

Hope you know what you need to change. This was made with some help from a school friend as well.

~Burned
The Following 2 Users Say Thank You to Burned Your For This Useful Post: ChumbaWumba (11-10-2007), iemg88 (12-02-2007)
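As an added example (not from the original post or from Cheat Engine), here is Python that applies the two jump formulas and the "bytes = opposite value" (little-endian) rule from the post above: it decodes the je at 00443322 back to 007789F3, resolves the short jumps 74 02 and 74 FE (the displacement is signed, so backward jumps are handled), and re-encodes a far je into its byte pattern. The opcode ranges are the standard x86 ones; the addresses are the post's own sample values, used here as constructed input.

```python
import struct

def bytes_to_value(raw: bytes) -> int:
    """Little-endian read: bytes 37 13 are the value 0x1337 ("bytes = opposite value")."""
    return int.from_bytes(raw, "little")

def value_to_bytes(value: int, width: int) -> str:
    """Little-endian write: value 0x1337 as 2 bytes gives the AoB text "37 13"."""
    return value.to_bytes(width, "little").hex(" ").upper()

def decode_jump(address: int, code: bytes) -> dict:
    """Resolve the target of an x86 relative jump whose first byte sits at `address`.

    short (EB / 70-7F rel8):   target = address + 2 + rel8
    near  (E9 rel32):          target = address + 5 + rel32
    near  (0F 80-8F rel32):    target = address + 6 + rel32   (the post's "far jump")
    The displacement is signed, so 74 FE (rel8 = -2) jumps backwards.
    """
    op = code[0]
    if op == 0x0F and 0x80 <= code[1] <= 0x8F:
        length, disp = 6, struct.unpack_from("<i", code, 2)[0]
    elif op == 0xE9:
        length, disp = 5, struct.unpack_from("<i", code, 1)[0]
    elif op == 0xEB or 0x70 <= op <= 0x7F:
        length, disp = 2, struct.unpack_from("<b", code, 1)[0]
    else:
        raise ValueError(f"not a relative jump opcode: {op:02X}")
    return {"length": length, "displacement": disp, "target": address + length + disp}

def encode_near_je(address: int, target: int) -> str:
    """Build the AoB text for `je target` placed at `address` (0F 84 + signed rel32)."""
    disp = target - (address + 6)
    return (b"\x0f\x84" + struct.pack("<i", disp)).hex(" ").upper()

if __name__ == "__main__":
    # Constructed sample from the post: je at 00443322 encoded as 0F 84 CB 56 33 00
    print(hex(decode_jump(0x443322, bytes.fromhex("0F84CB563300"))["target"]))  # 0x7789f3
    print(encode_near_je(0x443322, 0x7789F3))                                   # 0F 84 CB 56 33 00
    print(hex(decode_jump(0x400000, bytes.fromhex("7402"))["target"]))          # 0x400004
    print(hex(decode_jump(0x400000, bytes.fromhex("74FE"))["target"]))          # 0x400000 (jumps to itself)
    print(value_to_bytes(0x1337, 2), hex(bytes_to_value(bytes.fromhex("3713"))))  # 37 13 0x1337
```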
#2 | Registered User

Re: Script Making Tut's

Does this mean I can use these hexadecimal values to packet edit, if I incorporated it and sent those modified packets, so it would be more server side so I can, like, gain 1000 exp from a snail kinda thing?
#4 | Registered User

Re: Script Making Tut's

I want to know that too, man, is that possible? Sorry for my English, I'm from Israel =)