[TUT] Convert/Find/Update TWMS to MSEA
Posted: Mon Oct 19, 2009 10:13 am
Hi, I saw a lot of people asking how to convert/find/update TWMS scripts to MSEA.
Let's start with a simple script, NoKnockBack.
To fully understand how it works, you need basic knowledge of how to find an AOB (array of bytes).
From: http://bbs.yoyo-do.com/thread-585313-1-1.html
TWMS SCRIPT:
//v103 no knockback
[ENABLE]
008C6A70:
mov [ebp+0c],0
mov [ebp+10],0
jmp 008C6AA1
[DISABLE]//39 5D 0C 75 05 39 5D 10 74 27 8B 45 F0 DB 45 10 <<< wow the author is so nice to give this aob =)
008C6A70:
cmp [ebp+0c],ebx
jne 008C6A7A
cmp [ebp+10],ebx
je 008C6AA1
mov eax,[ebp-10]
fild dword ptr [ebp+10]
OK, from what we can see, the author has given us the AOB of the main address, which is 39 5D 0C 75 05 39 5D 10 74 27 8B 45 F0 DB 45 10.
Now go to Cheat Engine and search for the AOB; make sure you are searching from 00400000.
You should now have an address, which is 009CA3BF.
Now go to that address and you will see something similar to the script, which is the disable part:
You will see something like jne ztltaskmemallocimp+5b6fe9. To find the address of ztltaskmemallocimp+5b6fe9, simply right-click it and follow it; you will have the address. It should be 009CA3C9.
008C6A70: << main address found by aob
cmp [ebp+0c],ebx
jne 008C6A7A << we found out it is 009CA3C9
cmp [ebp+10],ebx
je 008C6AA1 << find yourself =)
mov eax,[ebp-10]
fild dword ptr [ebp+10]
This is the disable part of the TWMS script, so now we have the disable part updated.
Now for the enable part.
008C6A70: << we already know the main address, update this.
mov [ebp+0c],0
mov [ebp+10],0
jmp 008C6AA1 <<< now we have to find this. Always look for patterns and similarities. This address is the same as in the disable part, je 008C6AA1. So we know what to do now, right? =)
So your final NoKnockBack script for MSEA v82 should be:
[ENABLE]
009CA3BF: << main address
mov [ebp+0c],0
mov [ebp+10],0
jmp 009CA3F0 << same as je at disable part
[DISABLE]
009CA3BF: << main address
cmp [ebp+0c],ebx
jne 009CA3C9 << found by following the zlt
cmp [ebp+10],ebx
je 009CA3F0 << same as the jmp at enable part, found by following the zlt
mov eax,[ebp-10]
fild dword ptr [ebp+10]
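As an added example (not part of the original post): a small Python signature scanner that does the same AOB search and jump-following offline on a memory dump, so you can see where the addresses above come from. It assumes a constructed dump with NOP padding around the quoted AOB; because a short jne/je target depends only on the branch's own bytes, the same helpers give 008C6A7A/008C6AA1 for TWMS and 009CA3C9/009CA3F0 for MSEA.

```python
import re
# Constructed example data: the 16-byte AOB quoted in the post, which decodes as
#   39 5D 0C  cmp [ebp+0c],ebx      75 05     jne +5
#   39 5D 10  cmp [ebp+10],ebx      74 27     je  +27
#   8B 45 F0  mov eax,[ebp-10]      DB 45 10  fild dword ptr [ebp+10]
AOB = "39 5D 0C 75 05 39 5D 10 74 27 8B 45 F0 DB 45 10"
AOB_BYTES = bytes.fromhex(AOB.replace(" ", ""))

def fake_image(main_va, pad=0x40):
    """Constructed memory dump: NOP padding, the AOB, NOP padding, so that the
    AOB sits at main_va. Returns (image, base_va); a real dump works the same."""
    return b"\x90" * pad + AOB_BYTES + b"\x90" * pad, main_va - pad

def aob_to_regex(text):
    """'39 5D ?? 75' -> compiled bytes regex; '?' or '??' is a one-byte wildcard."""
    parts = [b"." if t in ("?", "??") else re.escape(bytes([int(t, 16)]))
             for t in text.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def find_aob(image, base, text):
    """Every virtual address where the pattern occurs. More than one hit means
    the AOB is not unique and must be lengthened before trusting it."""
    return [base + m.start() for m in aob_to_regex(text).finditer(image)]

def short_branch_target(image, base, va):
    """Decode a 2-byte short jcc (70-7F) or jmp (EB) with a signed rel8 operand:
    target = address of the following instruction + rel8 (what CE shows on 'follow')."""
    off = va - base
    opcode, rel = image[off], image[off + 1]
    if not (0x70 <= opcode <= 0x7F or opcode == 0xEB):
        raise ValueError(f"no short branch at {va:08X}: opcode {opcode:02X}")
    if rel >= 0x80:  # rel8 is two's complement, so 0x80-0xFF jump backwards
        rel -= 0x100
    return va + 2 + rel

def resolve_noknockback(image, base):
    """Main address plus the two branch targets the NoKnockBack script needs."""
    hits = find_aob(image, base, AOB)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one hit, got {len(hits)}")
    main = hits[0]
    return {"main": main,
            "jne": short_branch_target(image, base, main + 3),  # after 39 5D 0C
            "je": short_branch_target(image, base, main + 8)}   # after 39 5D 10

if __name__ == "__main__":
    for label, va in (("TWMS v103", 0x008C6A70), ("MSEA v82", 0x009CA3BF)):
        img, base = fake_image(va)
        print(label, {k: f"{v:08X}" for k, v in resolve_noknockback(img, base).items()})
```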
How is this hack useful?
Use it with 1-hit blink godmode, so you won't get knocked back on the 1st hit used to activate blink GM.
What if we do not have an AOB?!?!?!
Find the opcode at the main address, which is:
008C6A70:
cmp [ebp+0c],ebx
So we know the opcode is cmp [ebp+0c],ebx.
The MSEA address is normally, NORMALLY larger than the TWMS one, so we start searching from 00800000.
Go to your Cheat Engine memory view, search, find assembly code.
Search for cmp [ebp+0c],ebx. You should find a lot of addresses.
If there are a lot of results, change the opcode you search for. cmp [ebp+0c],ebx gives a lot of addresses, so we search for the third opcode, cmp [ebp+10],ebx. You will realise you get only a few. Now go through the results one by one by double-clicking the address in the result box. Below the opcode should be a je, and on top of it should be a jne. So look for the pattern:
008C6A70:
cmp [ebp+0c],ebx << the main address opcode that you want to find
jne 008C6A7A << jne on top
cmp [ebp+10],ebx << opcode you are searching for
je 008C6AA1 << je at bottom
And sorry for my poor English.
Have fun =)