This post was last edited by 小强 on 2022-12-1 17:38

// Player damage cap
00C7D6C0 -> db 2147483647.00000
// Maximum amount of mesos that can be dropped
00917612 -> db 2000000000
// ADBoard maximum length
00A5CBCF -> 7F
// Chat rate limit bypass (default is 0x74/JE)
004B2A70 -> JMP (db EB)
// Limit on the number of messages within two seconds (default is 0x73/JNB)
004B2ABA -> JMP (db EB)
// Chat message length limit (default is 46)
// -- This can be modified to reach up to 256 characters ;)
009E9385 -> db 127
// Profanity filter (default is 0x75/JNZ)
008702FA -> JE (db 74)
// Tubi + Super Tubi
004A76E5 -> NOP (db 90 90) ; !this->m_bExclRequestSent
004A7705 -> NOP (db 90 90) ; bIgnoreDeadState || this->m_pCharacterData.characterStat.nHP > 0
004A7716 -> NOP (db 90 90) ; get_update_time() - this->m_tExclRequestSent >= tTimeInterval
// Droppable NX
00531844 -> NOP (db 90 90 90 90 90 90)
00531856 -> NOP (db 90 90 90 90 90 90)
// Skill effect change bypass
00B8234A -> JMP (db EB)
// AP Check Removal (nAP > 200, "Please use AP")
00B82429 -> JMP (db EB)
// Let GMs drop items (default restriction is 0x74/JE)
00531515 -> JMP (db EB)
// Let GMs drop mesos (default restriction is 0x74/JE)
00917505 -> JMP (db EB)
// Let GMs/Admins attack (default restriction is 0x74/JE)
00A7B859 -> JMP (db EB)
00A838A8 -> JMP (db EB)
00A882E4 -> JMP (db EB)
00A95DA6 -> JMP (db EB)
00A8C554 -> JMP (db EB)
// Bound Jump Foothold Bypass (Floor Jump)
00AA89AF -> NOP (db 90 90 90 90 90 90)
00AA89BE -> NOP (db 90 90 90 90 90 90)
00AA89F1 -> NOP (db 90 90 90 90 90 90)
00AA8A00 -> NOP (db 90 90 90 90 90 90)
00AA8A22 -> NOP (db 90 90 90 90 90 90)
00AA8B17 -> NOP (db 90 90 90 90 90 90)
// Falldown Foothold Bypass (Infinite Flash Jumps)
00A7B4DB -> NOP (db 90 90)
00A7B4DD -> NOP (db 90 90 90 90 90 90)
// Remove the character-deletion confirmation / No-PIC bypass (Fake PIC)
00675C15 -> JMP

// Pre-BB Gr2D DirectX windowed-mode client startup (i.e. the client launches directly in a window)
00B4F535 -> MOV DWORD PTR DS:[D8E7D0], 1
00B52A18 -> MOV EAX, 0
// Enable the Gr2D graphics FPS toggle
00B52D2C -> NOP (db 90 90)
00B52D2E -> NOP (db 90 90 90 90)

Encryption / client changes
// Client locale (the GMS client locale is 08)
004BB5F1 -> 4F
// IGcipher Encryption Keys
// -- IGcipher::innoHash
00BB3B3E -> C65053F2
// -- IGcipher::innoDecrypt
00BB3C3B -> C65053F2
// -- IGcipher::innoEncrypt
00BB3BD3 -> C65053F2
// Rename ijl15.dll, ty justin
01160092 -> db 'ijl15.dll'
// CLogo client modifications.
006B23CA -> modify 514 to 0FF to remove the ability to skip CLogo.
006B2427 -> modify to millisecond time. ex 0x915E is a 37.2 second long intro.
006B24AE -> modify to 7F, though unnecessary. length interval check for Wizet.
// Disable CLogo entirely.
-> NOP address 006B1F7D~006B1F90
006B1F7D 90 NOP
006B1F7E 90 NOP
006B1F7F 90 NOP
006B1F80 90 NOP
006B1F81 90 NOP
006B1F82 90 NOP
006B1F83 90 NOP
006B1F84 90 NOP
006B1F85 90 NOP
006B1F86 90 NOP
006B1F87 90 NOP
006B1F88 90 NOP
006B1F89 90 NOP
006B1F8A 90 NOP
006B1F8B 90 NOP
006B1F8C 90 NOP
006B1F8D 90 NOP
006B1F8E 90 NOP
006B1F8F 90 NOP
006B1F90 90 NOP
006B1F91 90 NOP

Login screen modifications
// Move the Login Screen Dialogue Box to coordinates
006A25B6 -> Change -0x2C to new Y-value
006A258B -> Change -0x60 to new X-value
-- For integer coordinates > 0x7F adjustment:
-- You must remove the last DWORD and move all remaining assignment up.
-- Then, push an integer rather than a single byte.
006A2570 |. 89BE 4C010000 MOV DWORD PTR DS:[ESI+14C], EDI
006A2576 |. 8D8E 58010000 LEA ECX, DWORD PTR DS:[ESI+158]
006A257C |. C645 FC 0B MOV BYTE PTR SS:[EBP-4], 0B
006A2580 |. E8 E4923500 CALL 009FB869
006A2585 68 00010000 PUSH 100
006A258A |. 90 NOP
006A258B |. 90 NOP
006A258C |. 90 NOP
006A258D |. 5B POP EBX
// Change the UI colour of the username/password fields
006A2B47 -> Change 0xFF[5D3C1D] -> To your own Hex Color Code. [Ex: 0xFF000000 is Black]
// Move the login button coordinates:
006A283F -> 0x4F
006A2841 -> 0x4C
// Move the password field
006A2C78 -> 0x29
006A2C7A -> 0x28
// Move the ID field
006A2BDC -> 0xF
006A2BDE -> 0x28
// Move the save-email field
006A28B9 -> 0x16
006A28BB -> 0x17
// Checkmark (the tick box)
006A2E8C -> 0x17
006A2E8F -> 0x16
// Disable the button that jumps to the official website
006A2A98 -> 0x58
006A2A9A -> -0x61 (Enable: 0x57)
// Disable the invite button
006A2A21 -> 0x44 (Enable: 0x58)
006A2A23 -> -0x55 (Enable: 0xF)
// Move the forgot-ID button
006A2930 -> 0x52
006A2932 -> 0xD
// Forgot-password button coordinates
006A29A7 -> 0x67
006A29A9 -> 0xD
// Quit-game button coordinates
006A2B0F -> 0x52
006A2B11 -> 0xAE

This is the old Windows 8 bug fix
// Windows 8, 8.1, and 10 Support (Pre-BB)
// ** First Method - Performing a kernel32 2000ms sleep code-cave.
// AoB: 68 00 08 00 00 ?? FF 15 ?? ?? ??
// -> Address Call [006035E2]
006035E2 |. E8 C9DC5D00 CALL <JMP.&dinput8.DirectInput8Create>
// -> Address Call [006035ED]
006035ED |. E8 7A297900 CALL 00D95F6C
// -> Address Code Cave [00D95F6C]
00D95F6C $ 90 NOP
00D95F6D . 90 NOP
00D95F6E . 90 NOP
00D95F6F . 90 NOP
00D95F70 . 68 00200000 PUSH 2000 ; /Timeout = 8192. ms
00D95F75 . FF15 E0D1C600 CALL NEAR DWORD PTR DS:[<&kernel32.Sl>; \Sleep
00D95F7B .^ E9 72D686FF JMP 006035F2
00D95F80 90 NOP
00D95F81 90 NOP
00D95F82 90 NOP
00D95F83 90 NOP

These are assorted custom experiments
// Modify the background color of item description tooltips
// Hex value represents binary representation. Values are in ARGB format.
// Orion Colors: [Default=0x32630F3D] [Premium=0xA007070A]
00A0106C 0F8 and eax, 3FFFC0h -> 25 [C0 00 FF 3F]
00A01071 0F8 add eax, 0A0000040h -> 05 [40 00 00 A0]
// To allow unique TVmedia on MapleTV's (assign each media to NPC ID)
// we must modify the addresses below.
// the objective here is to nop the two pop ecx, nop the randomizer calls,
// and modify the mov edi, eax register to mov edi, [edx] for ptr [edx+0]->dwTemplateID
// *all below addresses are for v90.
00763247 56 PUSH ESI
00763248 FFB0 40040000 PUSH DWORD PTR DS:[EAX+440]
0076324E |. C745 FC 10000>MOV [LOCAL.1], 10
-------------------------------------------------------------
00763255 90 NOP
00763256 90 NOP
00763257 90 NOP
00763258 90 NOP
00763259 90 NOP
0076325A 90 NOP
0076325B 90 NOP
0076325C 8B3A MOV EDI, DWORD PTR DS:[EDX]
-------------------------------------------------------------
0076325E 8D45 08 LEA EAX, DWORD PTR SS:[EBP+8]

Code:
Update: these are my notes on changing the "WZ" extension to your own. They apply to any client version.
Modifying the game client's ResMan "WZ" extension to our own.
; To easily find the extensions, use the AoB: 77 00 7A 00
; -------------------------
; PE Unicode String Dump:
; -------------------------
00B520FA PUSH 00CC61A8 ; %s.wz
00B51D0D PUSH 00CC6214 ; Base.wz
; ------------------
; Assembly Section:
; ------------------
00CC61A8 unicode 0, <%s.wz>,0
00CC6214 unicode 0, <Base.wz>,0
; Unicode stores characters as two bytes:
; [25 00] -> %
; [73 00] -> s
; [2E 00] -> .
; [77 00] -> w
; [7A 00] -> z
; We modify the unicode and change it to a <.or> extension with
; the following bytes:
; [6F 00] -> o
; [72 00] -> r
; Nexon iterates all files under %s.wz EXCEPT for Base, so we
; must change from the 'Base.wz' unicode to 'Base.or':
; [42 00] -> B
; [61 00] -> a
; [73 00] -> s
; [65 00] -> e
; [2E 00] -> .
; [77 00] -> w => [6F 00] -> o
; [7A 00] -> z => [72 00] -> r
; Nexon may check for Base.wz in the MapleStory module, but
; not 'List.wz' as that is in two different DLLs. In order
; to use 'List.or', two additional files must be updated.
; -> Canvas.DLL - Modify 'List<.wz>' to 'List<.or>'
; -> PCOM.dll - Modify 'List<.wz>' to 'List<.or>'
; NOTE: It is infinitely easier to open up a Hex Editor like HxD,
; search for the AoB as hex bytes, and update the raw string there.
; No need to go through the trouble of messing with DB/DD values in olly.
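
Added example (not from the original post, nor from any client, DLL or tool it names): a Python checker that does the two bookkeeping tasks a server operator needs when auditing a client build against a list like the one above. It maps the virtual addresses used throughout the post to file offsets via the PE32 section table, reports whether each listed site still holds its default opcode (0x74 JE, 0x75 JNZ, ...) or the patched bytes (EB, 90-sleds), and scans for NUL-terminated UTF-16LE resource names so a renamed `%s.or` or `Base.or` extension shows up beside the stock `.wz` ones. The PE built inside is a constructed minimal image, and the site table with its addresses is constructed for the demo; against a real client you would read the file from disk and fill the table with the post's addresses and the default/patched bytes it quotes.

```python
import re
import struct

# Matches NUL-terminated UTF-16LE names of the form "<letters>.<xx>",
# e.g. "%s.wz", "Base.wz", "List.or" (the strings the post discusses).
RESOURCE_NAME_RE = re.compile(
    rb"(?:[A-Za-z%]\x00)+\.\x00[A-Za-z]\x00[A-Za-z]\x00(?=\x00\x00)")


def parse_pe32(pe):
    """Return (image_base, sections) for a PE32 file; each section is a
    (rva, virtual_size, raw_ptr, raw_size) tuple read from the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only 32-bit (PE32) images are handled")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(va, image_base, sections):
    """Translate a virtual address (as written in the post) to a file offset,
    or None when it is not backed by raw section data."""
    rva = va - image_base
    for s_rva, vsize, raw_ptr, raw_size in sections:
        if s_rva <= rva < s_rva + max(vsize, raw_size):
            off = rva - s_rva
            return raw_ptr + off if off < raw_size else None
    return None


def check_patch_sites(pe, sites):
    """sites: (va, default_bytes, patched_bytes, label). Returns a list of
    (label, va, status); status is 'default', 'patched', 'unknown' or 'unmapped'."""
    image_base, sections = parse_pe32(pe)
    report = []
    for va, default, patched, label in sites:
        off = va_to_file_offset(va, image_base, sections)
        if off is None:
            report.append((label, va, "unmapped"))
            continue
        window = pe[off:off + max(len(default), len(patched))]
        if window[:len(patched)] == patched:
            status = "patched"
        elif window[:len(default)] == default:
            status = "default"
        else:
            status = "unknown"
        report.append((label, va, status))
    return report


def find_resource_names(pe):
    """Offsets and text of UTF-16LE '<name>.<ext>' strings in the image."""
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in RESOURCE_NAME_RE.finditer(pe)]


def build_sample_pe():
    """Constructed minimal PE32 (one .text section, image base 0x400000).
    It is NOT a real game client, just enough headers for the checker."""
    image_base, text_rva, text_raw = 0x400000, 0x1000, 0x200
    body = bytearray(0x100)
    body[0x10:0x12] = b"\x74\x1A"                               # je, still default
    body[0x20:0x22] = b"\xEB\x05"                               # jmp where a jnz stood
    body[0x30:0x36] = b"\x90" * 6                               # six-byte NOP sled
    body[0x40:0x4C] = "%s.or".encode("utf-16-le") + b"\0\0"    # renamed extension
    body[0x50:0x60] = "Base.wz".encode("utf-16-le") + b"\0\0"  # stock name
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = struct.pack("<8sIIII", b".text", len(body), text_rva,
                      len(body), text_raw).ljust(40, b"\0")
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return header.ljust(text_raw, b"\0") + bytes(body)


# Constructed site table for the sample image; for a real client, fill it
# with the post's addresses and the default/patched bytes it quotes.
SAMPLE_SITES = [
    (0x401010, b"\x74", b"\xEB", "JE -> JMP site (constructed)"),
    (0x401020, b"\x75", b"\xEB", "JNZ -> JMP site (constructed)"),
    (0x401030, b"\xE8", b"\x90" * 6, "call -> NOP sled (constructed)"),
    (0x4FF000, b"\x74", b"\xEB", "address outside any section"),
]


def audit(pe, sites):
    """Labels of sites found patched, plus resource names not ending in .wz."""
    patched = [lbl for lbl, _, st in check_patch_sites(pe, sites) if st == "patched"]
    renamed = [n for _, n in find_resource_names(pe) if not n.lower().endswith(".wz")]
    return patched, renamed


if __name__ == "__main__":
    sample = build_sample_pe()
    for label, va, status in check_patch_sites(sample, SAMPLE_SITES):
        print(f"{va:08X}  {status:8s}  {label}")
    print(find_resource_names(sample))
```

The `unmapped` status is deliberate: an address from a list written for one client version will often fall outside the sections of another build, and reporting that separately from `unknown` keeps a version mismatch from being read as a tampered byte.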