This is my second gunz tutorial =3
Today I will teach you all how to find
all your favorite hacking functions in an
unpacked gunz.

Remember, you can't call someone if you don't
know their number, correct?
So to call the function that lets say makes a slash
we need to know where it is to call it over and over
again to make a lawnmower hack
and this is exactly what I will be teaching :)

You will need:

Ollydebugger

CurrentUnpackedGunz
OldGunzclient+OldGunzaddresses
JGunzclient+JGunzaddresses
FullGunz.pdbDump

Ok, let's start simple. Let's say we want to make a lawnmower hack.
How do we find where the function that makes a slash is located
in the Gunz.exe? Open up your unpacked gunz in
olly and take a look.

METHOD 1 "PacketIDs"
The function that makes a slash is ZPostShot and ZPostShotMelee
to find these in your current(or any) unpacked gunz client
go to olly and right click in the CPU window->go down to where
it says "Search for"->find and click on "All Reference Text Strings".
This will search all the gunz.exe for referenced text
and most functions can be found by this method.
To find ZPostShot first click on view on the main top bar
and find "references".
(notice that after you search for referenced
text this window should open automatically and you don't have to do this
step)
Right click in the "Reference Window"->click on "search for text"
a popup will appear with checkboxes, make sure you uncheck
"Case Sensitive" and check "Entire Scope".
Now, if you don't know which specific text string ZPostShot uses,
you should search for a word that is in the name, i.e. "Shot", and press
Ctrl+L to search for the next match until you find the one you think it is.
But I already know what ZPostShot's string is: "Peer.Shot".
so you find it in reference text and click to find it in the CPU window
just press enter or double click.
and you should see something like this:
Code:
  PUSH Unpacked.0065D0B8
  PUSH 2732
  MOV ECX,DWORD PTR SS:[EBP-1B44]
  CALL Unpacked.0050C920
You see the PUSH 2732?
the four digits ->"2732"<- that is the "PacketID"
With this you can find your function.
Just right click on the line where the packet ID is located
and select "Binary"->"Binary Copy".
Now that you have copied to the clip board
Right click->"Search for"->"Binary String"(Ctrl+B)
and in the "HEX +05" space paste the binary(Ctrl+V)
and hit OK.
That should jump you to the function; if it does not,
just press Ctrl+L to keep searching.
If you do find it just scroll up to the start of the function
it should look like this (the full ZPostShot function)
Code:
  PUSH EBP
  MOV EBP,ESP
  PUSH -1
  PUSH Unpacked.006367DB
  MOV EAX,DWORD PTR FS:[0]
  PUSH EAX
  MOV DWORD PTR FS:[0],ESP
  SUB ESP,14
  MOV EAX,DWORD PTR DS:[6D3AD8]
  MOV ECX,DWORD PTR DS:[EAX+30]
  MOV EAX,DWORD PTR DS:[ECX]
  MOV EDX,DWORD PTR DS:[EAX]
  PUSH EBX
  PUSH ESI
  MOV ESI,DWORD PTR SS:[EBP+8]
  FLD DWORD PTR DS:[ESI]
  PUSH EDI
  MOV DWORD PTR SS:[EBP-20],EDX
  CALL Unpacked.005925D0
  FLD DWORD PTR DS:[ESI+4]
  MOV WORD PTR SS:[EBP-1C],AX
  CALL Unpacked.005925D0
  FLD DWORD PTR DS:[ESI+8]
  MOV WORD PTR SS:[EBP-1A],AX
  CALL Unpacked.005925D0
  MOV ESI,DWORD PTR SS:[EBP+C]
  FLD DWORD PTR DS:[ESI]
  MOV WORD PTR SS:[EBP-18],AX
  CALL Unpacked.005925D0
  FLD DWORD PTR DS:[ESI+4]
  MOV WORD PTR SS:[EBP-16],AX
  CALL Unpacked.005925D0
  FLD DWORD PTR DS:[ESI+8]
  MOV WORD PTR SS:[EBP-14],AX
  CALL Unpacked.005925D0
  MOV WORD PTR SS:[EBP-12],AX
  MOV AL,BYTE PTR SS:[EBP+10]
  PUSH 2732
  MOV BYTE PTR SS:[EBP-10],AL
  CALL Unpacked.004C6340
  PUSH 10
  MOV ESI,EAX
  CALL Unpacked.0062C25E
  ADD ESP,8
  MOV DWORD PTR SS:[EBP+8],EAX
  XOR EDI,EDI
  CMP EAX,EDI
  MOV DWORD PTR SS:[EBP-4],EDI
  JE L055
  PUSH 11
  LEA ECX,DWORD PTR SS:[EBP-20]
  PUSH ECX
  MOV ECX,EAX
  CALL Unpacked.0050AC40
  JMP L056
  XOR EAX,EAX
  PUSH EAX
  MOV ECX,ESI
  MOV DWORD PTR SS:[EBP-4],-1
  CALL Unpacked.0050D020
  PUSH ESI
  CALL Unpacked.004C6400
  ADD ESP,4
  MOV DWORD PTR SS:[EBP+8],EDI
  PUSHAD
  MOV EAX,EBP
  ADD EAX,4
  MOV EAX,DWORD PTR DS:[EAX]
  MOV DWORD PTR SS:[EBP+8],EAX
  MOV EAX,Unpacked.00481D90
  MOV DWORD PTR SS:[EBP+C],EAX
  POPAD
  MOV EAX,DWORD PTR SS:[EBP+8]
  CMP EAX,Unpacked.00401000
  JBE L077
  CMP EAX,3000000
  JB L082
  PUSH 238D
  CALL Unpacked.004C6340
  PUSH EAX
  CALL Unpacked.004C6400
  ADD ESP,8
  MOV ECX,DWORD PTR SS:[EBP-C]
  POP EDI
  POP ESI
  MOV DWORD PTR FS:[0],ECX
  POP EBX
  MOV ESP,EBP
  POP EBP
  RETN
There you just found your function.
All ZPost functions will have packetIDs so they are easy
to find but what about other functions like the one used
to make a godmode hack? well this is where our JGunz.exe
comes in.

METHOD 2 (WildCards)
Open JGunz(or OldGunz) in Ollydbg
open JGunz GunzFunction.txt in notepad
and press Ctrl+F in notepad
and type "ZModule_HPAP::SetHP"or"ZModule_HPAP::SetAP"
and press enter you will find that
in JGunz ZModule_HPAP::SetHP is located at 0047DDD0
so copy that address and go to JGunz in olly and
click on this button ->and paste the address there
click Ok or press enter
In JGunz the full ZModule_HPAP::SetHP looks like this:
Code:
  MOV EAX,DWORD PTR SS:[ESP+4]
  PUSH ESI
  PUSH EDI
  MOV EDI,ECX
  XOR ECX,ECX
  TEST EAX,EAX
  SETL CL
  DEC ECX
  AND ECX,EAX
  MOV DWORD PTR SS:[ESP+C],ECX
  FILD DWORD PTR SS:[ESP+C]
  FCOM DWORD PTR DS:[EDI+8]
  FSTSW AX
  TEST AH,5
  JPO L017
  FSTP ST
  FLD DWORD PTR DS:[EDI+8]
  CALL JGunz.005533F8
  MOV DWORD PTR SS:[ESP+C],EAX
  MOV AL,BYTE PTR DS:[EDI+18]
  XOR ESI,ESI
  TEST AL,AL
  JE L038
  CALL JGunz.0048E030
  MOV ESI,EAX
  LEA EDX,DWORD PTR DS:[EDI+10]
  ADD ESI,8
  PUSH EDX
  MOV ECX,ESI
  CALL JGunz.00526370
  TEST EAX,EAX
  JE L038
  MOV ECX,EAX
  CALL JGunz.00526210
  TEST AL,AL
  JNZ L038
  MOV ECX,ESI
  CALL JGunz.00526B00
  FILD DWORD PTR SS:[ESP+C]
  MOV CL,BYTE PTR DS:[EDI+18]
  TEST CL,CL
  LEA EAX,DWORD PTR DS:[EDI+10]
  FADD DWORD PTR DS:[5D0444]
  FSTP DWORD PTR DS:[EAX]
  JE L049
  PUSH 4
  PUSH EAX
  MOV ECX,ESI
  CALL JGunz.005263A0
  POP EDI
  POP ESI
  RETN 4
As you can see there is no packetID, so we are going to do a Binary
Copy :)

So highlight a little bit of the function, i.e.:
Code:
  PUSH ESI
  PUSH EDI
  MOV EDI,ECX
  XOR ECX,ECX
  TEST EAX,EAX
  SETL CL
  DEC ECX
  AND ECX,EAX
  MOV DWORD PTR SS:[ESP+C],ECX
  FILD DWORD PTR SS:[ESP+C]
  FCOM DWORD PTR DS:[EDI+8]
  FSTSW AX
  TEST AH,5
Right click and do a Binary Copy and paste it in notepad it should
look like this
Code:
56 57 8B F9 33 C9 85 C0 0F 9C C1 49 23 C8 89 4C 24 0C DB 44 24 0C D8 57 08 DF E0 F6 C4 05
Now to organize it lets space it how it is in olly like so:
Code:
56 
57 
8B F9 
33 C9 
85 C0 0F 9C C1 
49 
23 C8 
89 4C 24 0C 
DB 44 24 0C 
D8 57 08 
DF E0 
F6 C4 05
That in binary is the equivalent of the ASM above it :)
Ok, so everything between the first 3 lines and the last 2 lines gets filled with "??"
(yep, question marks).
So like this:
Code:
56 
57 
8B F9 
?? ?? 
?? ?? ?? ?? ?? 
?? 
?? ?? 
?? ?? ?? ?? 
?? ?? ?? ?? 
?? ?? ?? 
DF E0 
F6 C4 05
I am doing it this way since I know it will work,
but the general rule is that whatever you copy goes through this process:
FF FF (If your binary string looks like this, the right side after the space should be filled with "??", so it looks like FF ??)
FF (If there is only 1 pair then nothing needs to be done)
FFFF FF (Any pair after the space should be replaced with "??", like so: FFFF ??)

Ok so thats in notepad.
Open up your current unpacked gunz in olly
and press Ctrl+B and paste the OP code you just made in notepad :)
into the HEX +05 space and click ok.

The first match you see should be the new function, and at the top is the address
where it is located.
It should look like this in the current gunz:
Code:
  PUSH EBP
  MOV EBP,ESP
  PUSH ECX
  FLD DWORD PTR DS:[66571C]
  PUSH EBX
  FCOMP DWORD PTR SS:[EBP+8]
  PUSH ESI
  PUSH EDI
  MOV EDI,ECX
  FSTSW AX
  TEST AH,41
  JNZ L014
  FLD DWORD PTR DS:[66571C]
  JMP L015
  FLD DWORD PTR SS:[EBP+8]
  FCOMP DWORD PTR DS:[EDI+8]
  FSTSW AX
  TEST AH,5
  JPE L026
  FLD DWORD PTR DS:[66571C]
  FCOMP DWORD PTR SS:[EBP+8]
  FSTSW AX
  TEST AH,41
  JNZ L028
  MOV DWORD PTR SS:[EBP+8],0
  JMP L028
  MOV EAX,DWORD PTR DS:[EDI+8]
  MOV DWORD PTR SS:[EBP+8],EAX
  MOV ESI,DWORD PTR DS:[EDI+24]
  TEST ESI,ESI
  JE L051
  FLD DWORD PTR SS:[EBP+8]
  MOV EAX,DWORD PTR DS:[ESI]
  FADD DWORD PTR DS:[6506FC]
  XOR EDI,EDI
  TEST EAX,EAX
  FSTP DWORD PTR SS:[EBP+8]
  JE L039
  MOV EDI,EAX
  PUSH 4
  CALL Unpacked.0062C25E
  MOV ECX,DWORD PTR SS:[EBP+8]
  ADD ESP,4
  TEST EDI,EDI
  MOV DWORD PTR DS:[ESI],EAX
  MOV DWORD PTR DS:[EAX],ECX
  JE L081
  PUSH EDI
  CALL Unpacked.0062C28E
  ADD ESP,4
  JMP L081
  MOV AL,BYTE PTR DS:[EDI+18]
  XOR ESI,ESI
  TEST AL,AL
  JE L070
  CALL Unpacked.0049A4D0
  MOV ESI,EAX
  LEA EDX,DWORD PTR DS:[EDI+10]
  ADD ESI,8
  PUSH EDX
  MOV ECX,ESI
  CALL Unpacked.0055EAA0
  TEST EAX,EAX
  JE L070
  MOV ECX,EAX
  CALL Unpacked.0055E8B0
  TEST AL,AL
  JNZ L070
  MOV ECX,ESI
  CALL Unpacked.0055F230
  FLD DWORD PTR SS:[EBP+8]
  MOV CL,BYTE PTR DS:[EDI+18]
  TEST CL,CL
  FADD DWORD PTR DS:[6506FC]
  LEA EAX,DWORD PTR DS:[EDI+10]
  FSTP DWORD PTR DS:[EAX]
  JE L081
  PUSH 4
  PUSH EAX
  MOV ECX,ESI
  CALL Unpacked.0055EAD0
  MOV DWORD PTR SS:[EBP+8],0
  PUSHAD
  MOV EAX,EBP
  ADD EAX,4
  MOV EAX,DWORD PTR DS:[EAX]
  MOV DWORD PTR SS:[EBP+8],EAX
  MOV EAX,Unpacked.00489480
  MOV DWORD PTR SS:[EBP-4],EAX
  POPAD
  MOV EAX,DWORD PTR SS:[EBP+8]
  CMP EAX,Unpacked.00401000
  JBE L095
  CMP EAX,3000000
  JB L100
  PUSH 238D
  CALL Unpacked.004C6340
  PUSH EAX
  CALL Unpacked.004C6400
  ADD ESP,8
  POP EDI
  POP ESI
  POP EBX
  MOV ESP,EBP
  POP EBP
  RETN 4
Congrats you just found ZModule_HPAP::SetHP =3

Here is a list of some I have already found; these are currently working for Ijji as of April,02,09.
Addresses
Next Gunz tutorial I will teach you how to make a simple
Dll Hack !

http://www.lethalgaming.net/forum/showthread.php?t=57725
