[Memory Editing]Addresses 5/31/08

[Sychotix]

Here is all that I have found so far.

+Rep if you find this of any use or think that its helpful... all that type of stuff...

Please do not post these anywhere or claim they are yours. I would post them in a .dll format, but I lost my compiler and I cannot find another torrent to download it.

Begining to run slow:
[013A2894]+0x16C
Explanation: I don't know if this is useful at all, but editing this effects how quickly you take off.

Camera Angle:
013A292C

Movement State:
[013A2894]+0x180
Explanation: You can do a constant sprint (even beyond your stamina limit) if frozen at 3

Jump Height:
[013A2894]+0x17C

Slowfall (might also be called jump angle?):
[013A2894]+0x48
Explanation: If frozen at 1, it sorta acts like a slowfall (still does damage if you would have fallen from your original height). Can also be used for other things

Speed:
[013A2894]+0x150

Underwater Effect:
01F52220
Explanation: If frozen to .3, you will get a sort of underwater effect.

X Coord:
[013A2894]+0x2C

Y Coord:
[013A2894]+0x34

Z Coord:
[013A2894]+0x30

Y Jump Length?:
[013A2894]+0x4C
Explanation: I THINK it effects how far you jump along the Y axis. I could not find its counterpart for the x axis however anywhere around its location.

[Forb1d]

Good post now make a 1 hit kill =P

[UnknOwned]

Not that i play AOC or ever will but this is defnatly a good start on AOC offset mapping. +Rep

GJ

[Modsiw]

How safe is this to use? I have heard that Funcom has already banned players.

[Sychotix]

its just as safe as if you were using hacks for WoW. As long as your not a dumbass running around bragging that you are hacking... you should be fine. The only chance of getting banned is if they patch (which would void all the addresses anyways) and get an antihack, or they see you in action using the hack.

[Modsiw]

So if no one sees me I will be quite safe right?

[Sychotix]

you should be yes, unless they decide to implement some anti-hack like warden which you dont know comes in (even warden is bullshit though)

[betawarz]

i've been poking around in aoc for the past two or three days looking at functions, and what they do. i suspect that combo cooldowns are handled client-side, just because of some of the effects i've witnessed when there's server lag, and stuff.

the only thing i've been able to do so far is tell the client that i've hit the correct combo directional key when in fact i've hit any directional key (hitting the wrong one still satisfies the combo). i'm thinking this can be extended to completely remove combos, but i haven't gotten that far, yet.

i'll post my findings when i do find something. but, if you want to poke around with me, i've been focusing on 0x007627A in the most current patch version. (6/1/0.

the two function calls look like this

Code:

mov     edx, [esi+44h]
push    0
push    edx
call    my_initcombo
mov     ecx, ebx
call    my_handlecombo
pop     edi
pop     esi
pop     ebx
mov     esp, ebp
pop     ebp
retn    4

i've named the initial my_initcombo, because it appears to handle bringing up the combo input dialog, and the second one my_handlecombo, because it seems to handle which keys youve entered.

[betawarz]

I should also note that the prior mentioned address for the "movement state" does not affect anything. Freezing the value at 3 does nothing, and it never appears to change, anyways.

Edit: I take this back, it does change. It has changed to 4, from 3. I'm not sure what it does though - messing with it doesn't appear to affect running speed, or stamina at all.

[Sirmabus]

Small forum FYI that must be 0x7627A0 since that address is invalid. An extra '0' at the end.

[betawarz]

Small forum FYI that must be 0x7627A0 since that address is invalid. An extra '0' at the end.

err, no. the additional zero would go at the beginning of the address.

[Sirmabus]

Hi ya's ole'Sirmabus new here.

First of all thanks for your post.
I would have PM'ed you, but I can't yet since I don't have the points.

Are you talking virtual address, or file offset?
Having the most current client (USA that is) open in IDA, if you look at the ".text" segment it doesn't even start until the standard 401000 (yes, not considering the PE header). 7627A is less then 401000.


Number theory, if you prefix a number with zero's it doesn't change it's value. I.E. 00000000000000000000001 is still '1'; no matter if it's hex, octal, or decimal, etc.
Although using eight digits is pretty because it sort of tells you the number is 32bits.

In IDA virtual address 7627A0 is inside a function that has strings of "combo"
At file offset 7627A puts me in one of the many cString'ish destructor functions.

We have a different client version?
Mine MD5: 4FA92E36ADD093435D03A58D1C726E1E

[Sychotix]

I should also note that the prior mentioned address for the "movement state" does not affect anything. Freezing the value at 3 does nothing, and it never appears to change, anyways.

Edit: I take this back, it does change. It has changed to 4, from 3. I'm not sure what it does though - messing with it doesn't appear to affect running speed, or stamina at all.

works just fine for me... the pointer/offset should not change for only that specific address...

[betawarz]

Sirmabus,

Yes, using IDA that address should still be correct. This address works for me in OllyDbg, also. I'm looking at AgeOfConan.exe, of course. Here's a larger snippet of the code section, including the .text lines...

Code:

.text:00760256                 call    sub_759D40
.text:0076025B                 test    al, al
.text:0076025D                 jz      short loc_7602A0
.text:0076025F                 push    edi
.text:00760260                 mov     ecx, ebx
.text:00760262                 call    my_combo        ; <"OutOfStamina">
.text:00760267                 test    al, al
.text:00760269                 mov     ecx, ebx
.text:0076026B                 jz      short loc_760288
.text:0076026D                 mov     edx, [esi+44h]
.text:00760270                 push    0
.text:00760272                 push    edx
.text:00760273                 call    my_initcombo
.text:00760278                 mov     ecx, ebx
.text:0076027A                 call    my_handlecombo
.text:0076027F                 pop     edi
.text:00760280                 pop     esi
.text:00760281                 pop     ebx
.text:00760282                 mov     esp, ebp
.text:00760284                 pop     ebp
.text:00760285                 retn    4

Sychotix,

I just tried this again, and nothing seems to be affected. What 'works' ? What does this value do, and you're just freezing it at 3? It doesn't even change for me when I run, or run out of stamina, so freezing appears to have no affect.

[Sychotix]

http://i79.photobucket.com/albums/j1...ak/picture.jpg

is a 2 when normal running, 1 when walking, 3 when sprinting (i think it changes to 3). Freezing at 3 results in always sprinting even when you are out of stamina.

If the address is different for you, press backspace to walk... scan for 1... press backspace to run, scan for 2... rinse and repeat. You will get an address eventually but it will be dynamic (meaning changing every time you log out. Do a pointer search and there you go!.

EDIT: btw ill poke in that area for you. Ill let you know the results.

EDIT 2: Found two things near it but I could not find any jump which would give you that effect... there was a jump that you could NOP which would not use ANY effects... ill try again in a second....