May 9, 2024
Hello there. I have been trying for a while now to make it so that this script:

```
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(ItemSummonRaid)
label(checkcountry)
label(failed)
label(exit)
label(checkleader)

newmem:
call ps_game.exe+4ECF0

originalcode:
pushad
movzx eax,word ptr [esi+0x160]
movzx ebx,word ptr [edi+0x160]
cmp eax,(int)45
je checkcountry
cmp ebx,(int)45
je checkcountry
jmp ItemSummonRaid

checkcountry:
cmp eax,ebx
je ItemSummonRaid
movzx eax,byte ptr [esi+0x12d]
movzx ebx,byte ptr [edi+0x12d]
cmp eax,ebx
jne failed

ItemSummonRaid:
mov eax,dword ptr ds:[edi+0x58FC]
mov ecx,dword ptr ds:[edi+0x5900]
lea eax,dword ptr ds:[eax+eax*2] // eax=bag,ecx=slot
lea edx,dword ptr ds:[ecx+eax*8]
imul edx,edx,4
mov eax,dword ptr ds:[edi+edx+0x1C0]
mov eax,dword ptr ds:[eax+30]
cmp [eax],(int)100045 //original item id
popad
jne checkleader //success addr

exit:
jmp returnhere

checkleader:
push eax //party table
push ecx //leader id
mov eax,[edi+17f4]
mov ecx,[eax+0c] //leader id
imul ecx,ecx,8
add ecx,18
mov ecx,[eax+ecx] //leader address
cmp edi,ecx //compare address check is leader
pop ecx
pop eax
je 0049e4ea //if yes
jmp 0049E517

failed:
popad
jmp 0049E517

"ps_game.exe"+9E4E1:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
"ps_game.exe"+9E4E1:
call ps_game.exe+4ECF0
```

works for sub-leaders, but all of the addresses that I have tried failed. Could someone explain to me how to get the said idea to work?
Thank you!
May 9, 2024 Author
I'm trying to make it work for sub-leaders. int(45) is related to something else; it doesn't have to do with the map.
May 9, 2024
Here's one I modified some time last year - I don't know if it works properly. Test it on a local server.

```
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(success)
label(failed)
label(exit)

newmem:
call ps_game.exe+4ECF0 //esi=target player,edi=source player

originalcode:
pushad

// Check if players are the same faction
movzx eax,byte ptr [esi+0x12d]
movzx ebx,byte ptr [edi+0x12d]
cmp eax,ebx
jne failed

// If the item is a regular summon rune, exit and use the normal summon proc
mov eax,dword ptr ds:[edi+0x58FC] // bag
mov ecx,dword ptr ds:[edi+0x5900] // slot
lea eax,dword ptr ds:[eax+eax*2] // eax=bag, ecx=slot
lea edx,dword ptr ds:[ecx+eax*8]
imul edx,edx,4
mov eax,dword ptr ds:[edi+edx+0x1C0]
mov eax,dword ptr ds:[eax+30] // eax=stItemInfo
cmp [eax],(int)100045 // original item id
je exit

// Check if the source player is the leader
push eax
push ecx
push ebx
mov eax,[edi+17F4] // party table of the leader
mov ecx,[eax+0C] // leader index
mov ebx,[eax+110] // sub-leader index
imul ecx,ecx,8
add ecx,18
mov ecx,[eax+ecx] // leader player address
imul ebx,ebx,8
add ebx,18
mov ebx,[eax+ebx] // sub-leader player address

// If the source player is the leader or sub-leader, jump to success
cmp edi,ecx
je success
cmp edi,ebx
je success
pop ebx // pops in reverse push order (popad below restores everything anyway)
pop ecx
pop eax
jmp failed

success:
pop ebx
pop ecx
pop eax
popad
jmp 0049e4ea

exit:
popad
jmp returnhere

failed:
popad
jmp 0049E517

"ps_game.exe"+9E4E1:
jmp newmem
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"ps_game.exe"+9E4E1:
call ps_game.exe+4ECF0
//Alt: db E8 0A 08 FB FF
```
May 9, 2024
Suggestion: I think you should add a couple of test instructions.

```
mov eax,dword ptr ds:[edi+edx+0x1C0]
// nullptr?
test eax,eax
je failed
...
mov eax,[edi+17F4] // party table of the leader
// nullptr?
test eax,eax
je failed
```

There's no guarantee that either of those pointers is not null.
May 9, 2024 Author
Quote: Cups' script above.

Thank you Cups. I will try this out!
May 9, 2024 Author
So it is working for Lights, but apparently Darks that were trying to use it were seeing "Failed item against *insert their name*."
May 9, 2024 Author
It is working, actually. All we had to do was to reraid everyone. Thank you Cups again! :)
May 9, 2024
Quote: the null-pointer test suggestion above.

If the item and party table were null, it never would have reached the point where it loops over party members to see who could be summoned.
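Added example, not code from this thread or from the game: a C model of the decision sequence in Cups' hook (faction check, item-id check, leader/sub-leader check) with the null guards suggested above. The struct layouts are assumptions reconstructed from the offsets the script uses (player +0x12D faction byte, +0x1C0 item pointer table with 24 four-byte entries per bag, item +0x30 -> stItemInfo whose first dword is the item id, player +0x17F4 party table with leader index at +0x0C, sub-leader index at +0x110 and 8-byte member entries from +0x18); the bag count, party size and the sample scenario are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS_PER_BAG  24        /* lea edx,[ecx+eax*8] with eax=bag*3 -> bag*24+slot */
#define BAG_COUNT      4         /* assumption, enough for the scenario below */
#define MAX_MEMBERS    16        /* assumption, party table capacity */
#define SUMMON_RUNE_ID 100045u   /* (int)100045 in the script */

typedef struct { uint32_t item_id; } ItemInfo;     /* stItemInfo: id is the first dword */
typedef struct { ItemInfo *info; } Item;           /* game: pointer at item+0x30 */
typedef struct Player Player;
typedef struct {
    uint32_t leader_idx;                 /* game: party+0x0C  */
    uint32_t sub_leader_idx;             /* game: party+0x110 */
    Player  *members[MAX_MEMBERS];       /* game: party+0x18, first dword of each 8-byte entry */
} PartyTable;
struct Player {
    uint8_t     faction;                         /* game: player+0x12D  */
    Item       *items[BAG_COUNT * SLOTS_PER_BAG];/* game: player+0x1C0, 4-byte entries */
    PartyTable *party;                           /* game: player+0x17F4 */
    uint32_t    bag, slot;                       /* game: player+0x58FC / +0x5900 */
};

enum summon_result { SUMMON_ORIGINAL = 0, SUMMON_SUCCESS = 1, SUMMON_FAILED = 2 };

/* Same order of checks as the hook; src is edi (source), dst is esi (target). */
enum summon_result summon_check(const Player *src, const Player *dst)
{
    if (!src || !dst) return SUMMON_FAILED;
    if (src->faction != dst->faction) return SUMMON_FAILED;          /* jne failed */

    uint32_t idx = src->bag * SLOTS_PER_BAG + src->slot;
    if (idx >= BAG_COUNT * SLOTS_PER_BAG) return SUMMON_FAILED;      /* bounds check the script lacks */
    const Item *item = src->items[idx];
    if (!item || !item->info) return SUMMON_FAILED;                  /* test eax,eax ; je failed */
    if (item->info->item_id == SUMMON_RUNE_ID) return SUMMON_ORIGINAL; /* je exit: normal summon proc */

    const PartyTable *pt = src->party;
    if (!pt) return SUMMON_FAILED;                                   /* test eax,eax ; je failed */
    if (pt->leader_idx >= MAX_MEMBERS || pt->sub_leader_idx >= MAX_MEMBERS) return SUMMON_FAILED;
    if (pt->members[pt->leader_idx] == src) return SUMMON_SUCCESS;      /* cmp edi,ecx ; je success */
    if (pt->members[pt->sub_leader_idx] == src) return SUMMON_SUCCESS;  /* cmp edi,ebx ; je success */
    return SUMMON_FAILED;
}

/* Constructed scenario: a three-member party with src stored at member index 2.
 * role: 0 = plain member, 1 = leader, 2 = sub-leader. */
enum summon_result run_scenario(int role, uint32_t item_id, int same_faction, int null_item)
{
    static Player src, dst, third;
    static PartyTable party;
    static ItemInfo info;
    static Item item;
    memset(&src, 0, sizeof src); memset(&dst, 0, sizeof dst);
    memset(&third, 0, sizeof third); memset(&party, 0, sizeof party);

    info.item_id = item_id;
    item.info = &info;
    src.faction = 1;
    dst.faction = same_faction ? 1 : 2;
    src.bag = 1; src.slot = 5;
    src.items[1 * SLOTS_PER_BAG + 5] = null_item ? NULL : &item;

    party.members[0] = &third; party.members[1] = &dst; party.members[2] = &src;
    party.leader_idx     = (role == 1) ? 2 : 0;
    party.sub_leader_idx = (role == 2) ? 2 : 1;
    src.party = &party; dst.party = &party; third.party = &party;
    return summon_check(&src, &dst);
}

int main(void)
{
    static const char *names[] = { "original", "success", "failed" };
    printf("leader, custom stone:        %s\n", names[run_scenario(1, 12345, 1, 0)]);
    printf("sub-leader, custom stone:    %s\n", names[run_scenario(2, 12345, 1, 0)]);
    printf("plain member, custom stone:  %s\n", names[run_scenario(0, 12345, 1, 0)]);
    printf("leader, regular rune:        %s\n", names[run_scenario(1, SUMMON_RUNE_ID, 1, 0)]);
    printf("leader, other faction:       %s\n", names[run_scenario(1, 12345, 0, 0)]);
    printf("leader, null item pointer:   %s\n", names[run_scenario(1, 12345, 1, 1)]);
    return 0;
}
```

The null guards route to the same `failed` exit the script already has, so adding them costs nothing if Cups is right that those pointers are always populated by the time the hook runs, and avoids a crash if a different code path ever reaches it.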
May 19, 2024 Author
Quote: Cups' reply above.

Hello Cups. Your script seems to work for most, but I have realized that some sub-leaders cannot use the summon stone. Do you know why?