[Release][Method]Aeria - Bypass Attack speed hack protection

Mega Byte · 03/12/2010, 02:16

Heya all as you are now awear alt1 has patched the attack speed hack.

This is how I have worked arround it. Please Alt1 Patch it SERVER SIDE for once.

First I found the attack speed buff as one usally does. Had help from jax on that

.
010d0ecb

Then we noticed it had a limiter when we tried to freeze it to anything above 20 or 21 it just did not work.
Here is how to bypass it.

Find what code accesses the attack speed buff:
I used cheat engine
Freeze the addy to 50 or something
I then right clicked on the addy and found what accesses it then i attacked a monster.

The thing I wanted was the last in the list that popped up

I then continued using OllyDBG *you could use cheat engine here but i prefer ollydbg for this*

This is the code function that copy's the attack speed modifyer buff

Code:

00430A00  /$  55            PUSH EBP
00430A01  |.  8BEC          MOV EBP,ESP
00430A03  |.  83EC 08       SUB ESP,8
00430A06  |.  894D F8       MOV DWORD PTR SS:[EBP-8],ECX
00430A09  |.  C745 FC 0000C>MOV DWORD PTR SS:[EBP-4],42C80000
00430A10  |.  8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00430A13  |.  8378 18 00    CMP DWORD PTR DS:[EAX+18],0
00430A17  |.  7E 0C         JLE SHORT TwelveSk.00430A25
00430A19  |.  8B4D 08       MOV ECX,DWORD PTR SS:[EBP+8]
00430A1C  |.  DB41 18       FILD DWORD PTR DS:[ECX+18]
00430A1F  |.  D845 FC       FADD DWORD PTR SS:[EBP-4]
00430A22  |.  D95D FC       FSTP DWORD PTR SS:[EBP-4]
00430A25  |>  D945 FC       FLD DWORD PTR SS:[EBP-4]
00430A28  |.  8BE5          MOV ESP,EBP
00430A2A  |.  5D            POP EBP
00430A2B  \.  C2 0400       RETN 4

Stepping out of the function it had two things calling it I found the mele hit one.

Code:

0048CF5E  |.  52            PUSH EDX                                ; /Arg1
0048CF5F  |.  B9 645A5F00   MOV ECX,TwelveSk.005F5A64               ; |
0048CF64  |.  E8 973AFAFF   CALL TwelveSk.00430A00                  ; \TwelveSk.00430A00

There is also this one for other kinds of attacks

Code:

0048F61E  |.  52            PUSH EDX                                ; /Arg1
0048F61F  |.  B9 645A5F00   MOV ECX,TwelveSk.005F5A64               ; |
0048F624  |.  E8 D713FAFF   CALL TwelveSk.00430A00                  ; \TwelveSk.00430A00

Scrolling down we see a JPE

For Mele one

Code:

0048CF8A  |. /7A 1E         JPE SHORT TwelveSk.0048CFAA

For Skills one

Code:

0048F64A  |. /7A 1E         JPE SHORT TwelveSk.0048F66A

Look for code that could jump or something:
Tests god knows what against 5 im not too sure how TEST operator works all I know is that the jump is not taken when not speed hacking but is taken when speed hacking above 20 soooo.

Code:

0048CF87  |.  F6C4 05       TEST AH,5
0048CF8A  |.  7A 1E         JPE SHORT TwelveSk.0048CFAA

Solution:
Lets force it to not be taken by changing it to a nop.

Mele Hit

Code:

Origionaly
0048CF8A  |.  7A 1E         JPE SHORT TwelveSk.0048CFAA
Change to
0048CF8A      90            NOP
0048CF8B      90            NOP

Skills Hit

Code:

Origionaly
0048F64A  |. /7A 1E         JPE SHORT TwelveSk.0048F66A
Change to
0048F64A      90            NOP
0048F64B      90            NOP

And success.. we can now freeze attack speed buff address which is
010d0ecb

To anything we want.

To apply this alter the code.
You should be able to add
0048CF8A and 0048F64A as byte arrays with length of 2 and set both byte's in them to 90 90
in cheat engine or do it in memory view w/e

I win,

Cymon · 03/12/2010, 02:22

wow, finally som1 smart,
nice work man

Mega Byte · 03/12/2010, 02:26

Thanks

~~Iktov~~ · 03/12/2010, 02:37

I could have found I just fell asleep.

Mega Byte · 03/12/2010, 02:39

lol you snooze you lose Iktov XD but no need to find it now :P

~~Iktov~~ · 03/12/2010, 03:02

Quote:

Originally Posted by Mega Byte

lol you snooze you lose Iktov XD but no need to find it now :P

Bah, whatever I fail anyways.

Mega Byte · 03/12/2010, 03:03

nawh ur all good Iktov

generichaxor · 03/12/2010, 03:04

Cool beans! Now I just need to figure out what the **** you did! lol

Mega Byte · 03/12/2010, 03:56

Remember to nop both as there is one for skills and one for mele *i updated with the new information thanks iktov for confirming that the other one was for different kinds of attack lol*

Shooter_97 · 03/12/2010, 03:57

Thanks so much for all of this, I understand that people are busy but ive tried using this in CE although i can not for the love of *** figure it out so if you please help in idiot terms id be so grateful

Mega Byte · 03/12/2010, 04:17

please do the cheat engine tutorial... you can find it in the c:\program files\cheat engine\ folder prehaps. Try hacking a 2D game first thats single player eg set your score on pinball high or something.

After you have done the tutorial and understand how to use cheat engine you should be able to add
0048EA8A and 0048F3EA as byte arrays with length of 2 and set both byte's in them to 90 90

Or just wait for me to put them into map fun tonight or tomrow lol.

Cymon · 03/12/2010, 14:56

any1 makin new trainers or somthing alike?

gimteoh · 03/12/2010, 15:31

Woot

i am not releasing any bot atm. I am moving from autoit to C# with the help from megabyte.

. If you just need the auto spam key , it will still work. You know where to get it .

killadaho1 · 03/12/2010, 15:56

sneaky sneaky alt 1 thinking they can set a limited on attack speed..smh..smh but good job thx

vtdved · 03/12/2010, 17:31

agree good jub but i dont get why u need speed hacks
>.> + speed hacks ppl using em and get reported most and by that alt 1 will make some security from all hacks 2 many noobs use it