[Release][Method]Aeria - 100% Autopill

[Mega Byte]

Assumed use of cheat engine.
I will not explain in detail as I am currently updating map fun with this


FOR THOSE OF YOU WHO DO NOT UNDERSTAND THIS PLEASE DO NOT ASK QUESTIONS.
Learn cheat engine and some asm please

Find autopill autopillhp and autopill chi addresses.

AutoPill: 10AB374
AutoPillHP: 10AB378
AutoPillCHI: 10AB37C

The addresses were off set - 0x20 from last patch
The addresses for code were offset + 0x30 from last patch

Set Autopill to 1 and HP to 5.

Find what accesses AutoPillHP
You will see a few entrys we want the one that compares against 5 the others are just checking if its set to something above 0 etc.

Code:

004BAFA8  |.  833D 78B30A01>CMP DWORD PTR DS:[10AB378],5
Becomes
004BAFA8      833D 78B30A01>CMP DWORD PTR DS:[10AB378],0A

We have to change the 05 to 0A for 100% as it has an imul eax further down and converts it to a % out of 100.

Anyway.

Scrolling down in the code window we can also see another cmp 05 for chi

Code:

004BB0C1  |.  833D 7CB30A01>CMP DWORD PTR DS:[10AB37C],5
Change this to 0A again
Becomming
004BB0C1      833D 7CB30A01>CMP DWORD PTR DS:[10AB37C],0A

*NOTE: I hope that you understand 0A is hex for 10*
Now when we set the autopill address to 1 or 100 etc and the hp and chi values to 10 we actually have 100% autopill.

Now for the "fancy" hax.
We have to prevent the game from altering our auto pill or chi / hp values because it figures out eventually *on update packet from server i think* that we have not got the autopill and turns it off.

Set our AutoPill address to 10 or w/e
Find what writes to our AutoPill address.
Trigger it to change by either fighting and waiting or using a portal. I used a portal.


The very first address that changes it is moving ecx into our address opening it in the code window we see this.

Quote:

00407602 |. 890D 74B30A01 MOV DWORD PTR DS:[10AB374],ECX
00407608 |. 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
0040760C |. 75 14 JNZ SHORT TwelveSk.00407622
0040760E |. C705 78B30A01>MOV DWORD PTR DS:[10AB378],0
00407618 |. C705 7CB30A01>MOV DWORD PTR DS:[10AB37C],0

Ignoring the cmp and the jne we can clearly see that the three moves set our values to 0...
WE DO NOT WANT THIS!
so nop away! our code becomes this.

Auto Pill On

Code:

Origionaly
00407602  |.  890D 74B30A01 MOV DWORD PTR DS:[10AB374],ECX
Changed to
00407602      90            NOP
00407603      90            NOP
00407604      90            NOP
00407605      90            NOP
00407606      90            NOP
00407607      90            NOP

HP and CHI values.

Code:

Origionaly
0040760E  |.  C705 78B30A01>MOV DWORD PTR DS:[10AB378],0
00407618  |.  C705 7CB30A01>MOV DWORD PTR DS:[10AB37C],0
Changed to
0040760E      90            NOP
0040760F      90            NOP
00407610      90            NOP
00407611      90            NOP
00407612      90            NOP
00407613      90            NOP
00407614      90            NOP
00407615      90            NOP
00407616      90            NOP
00407617      90            NOP
00407618      90            NOP
00407619      90            NOP
0040761A      90            NOP
0040761B      90            NOP
0040761C      90            NOP
0040761D      90            NOP
0040761E      90            NOP
0040761F      90            NOP
00407620      90            NOP
00407621      90            NOP

By the way! for anyone who is interested in checking there is an auto pill function here
004BAB70 /$ 55 PUSH EBP
Which checks further down for your action. Eg if you are dead or stunned etc it will not auto pill.
I wonder what happens if we force it to autopill and set state to 1 on death LOL

[rhotar]

Great job dude

it can save some cycles since u dont have to keep written the autopot values(a.ka. freeze em), i hated that of my autopot (you know the code efficiency freak in me).

Btw is there any chance you can share the code ofyour mob finder, im really eager to do some stuff with it, if u cant or wont its cool.


Thanx and keep up the great work

[Mega Byte]

im not sure lol add me on msn *megabyte at nzgames.net.nz* and we can talk

[Cymon]

I wonder why aeria even bothered with thiss patch, all the hacks are getting updated.
atleast by u megabyte

[sascha22]

good job xD

[Iktov]

Quote:

Originally Posted by Cymon

I wonder why aeria even bothered with thiss patch, all the hacks are getting updated.
atleast by u megabyte

Um, it was an update patch. It had nothing to do with hacks. Aeria bothered with the patch because they added new content, mainly being new level cap AKA *** levels.

Anyways good job as always Megabyte.

[matrix17]

can help me on how to find what accesses AutoPillHP? Not so much familiar with olly.

[Iktov]

Quote:

Originally Posted by matrix17

can help me on how to find what accesses AutoPillHP? Not so much familiar with olly.

Put AutoPillHP address into CE. Right click on the address and select "find out what accesses this address". Then go in-game and lose some health with Autopill enabled so that the Autopill does it job: It autopills. You see what you need to see then.

[Mega Byte]

yep and then just look at my above stuff and go insane for a minute or two then you will realise what you can do

[taaaaazq8]

thaaaaanx man u hve speed and attack agine

[Mega Byte]

Updated for new patch!

[Hafus]

Im trying to do this with autoit but i just cant get the code quite right. If someone could post the code for this i would be more than appreciative =)

[Mega Byte]

use C#... there are code samples on the net for WriteProcessMemory tutorials.

You just have to write the bytes i change into those addresses. Mainly 0x90 0x90 into two places.

You should be able to do it in autoit but it would be better to learn C# for commercial and mucking about

[Hafus]

Thanks Mega Byte, Im pretty familiar with C++ and coding in general as its my hobby and career. Ill look into it though! Thanks again

-Hafus

[Mega Byte]

Oh well you can use C++ also. Read up on Write Process Memory and Read Process Memory API's or inject a dll and use memcpy