This is my second GunZ tutorial =3
Today I will teach you how to find
the functions you want to call or hook ("hacking functions") in an
unpacked GunZ client.
Remember, you can't call someone if you don't
know their number, right?
So, to call the function that (let's say) makes a slash,
we need to know where it lives in the executable, so we can call it over and over
again to make a lawnmower hack,
and this is exactly what I will be teaching :)
You will need:
OllyDbg
the current unpacked GunZ client
an old GunZ client + its address list
the JGunz client + its address list
the full Gunz.pdb dump (symbol names)
OK, let's start simple. Say we want to make a lawnmower hack:
how do we find where the function that makes a slash is located
in Gunz.exe? Open up your unpacked GunZ in
Olly and take a look.
METHOD 1 "Packet IDs"
The functions that make a slash are ZPostShot and ZPostShotMelee.
To find these in your current (or any) unpacked GunZ client,
go to Olly and right-click in the CPU window

-> go down to where
it says "Search for" -> find and click "All referenced text strings".
This searches the whole Gunz.exe for referenced text strings,
and most functions can be found this way.
To find ZPostShot first click on view on the main top bar
and find "references".

(Notice that after you search for referenced text
strings this window opens automatically, so you can skip this
step.)
Right-click in the References window -> "Search for text";
a popup with checkboxes appears: make sure you uncheck
"Case sensitive" and check "Entire scope".
If you don't know the exact text string ZPostShot uses,
search for a word that is likely in its name, e.g. "Shot", and press
Ctrl+L to jump to the next match until you find the one you think it is.
But I know what ZPostShot's string is: "Peer.Shot".
So find it in the reference list, and to jump to it in the CPU window
just press Enter or double-click.
You should see something like this:
Code:
PUSH Unpacked.0065D0B8                   ; address of the "Peer.Shot" string you found in the references window
PUSH 2732                                ; the packet ID, a hex immediate -- this is the value to binary-search for
MOV ECX,DWORD PTR SS:[EBP-1B44]          ; thiscall: ECX = object pointer taken from a stack local
CALL Unpacked.0050C920                   ; callee receives (string, ID); what it does is not visible here (presumably associates the name with the packet ID -- verify)
You see the PUSH 2732?
That immediate -> "2732" <- (Olly shows it in hex) is the "packet ID".
With it you can find the function that builds this packet.
Just right-click on the line where the packet ID is located
and select "Binary" -> "Binary copy".
Now that the bytes are on the clipboard,
right-click -> "Search for" -> "Binary string" (Ctrl+B),
paste the bytes (Ctrl+V) into the "HEX +05" field
and hit OK.
That should jump you to the function. If it does not land in the right place,
press Ctrl+L to keep searching: the same PUSH 2732 bytes appear in more than one place (for instance the string reference you just came from).
When you do find it, scroll up to the start of the function;
it should look like this (the full ZPostShot function):
Code:
; ZPostShot as dumped from the unpacked client (OllyDbg listing, Intel syntax).
; Stack args: [EBP+8] and [EBP+C] = pointers to three floats each, [EBP+10] = one byte.
; The Lnnn jump targets are Olly's line indices in the dump; the labels themselves are not printed,
; so they are marked in the comments below.
PUSH EBP
MOV EBP,ESP
PUSH -1                                  ; MSVC-style SEH frame: trylevel -1 at [EBP-4] ...
PUSH Unpacked.006367DB                   ; ... and the handler/scope-table pointer at [EBP-8]
MOV EAX,DWORD PTR FS:[0]
PUSH EAX                                 ; previous SEH record saved at [EBP-C]
MOV DWORD PTR FS:[0],ESP                 ; install this frame as the current SEH record
SUB ESP,14                               ; locals: the packed buffer below starts at [EBP-20]
MOV EAX,DWORD PTR DS:[6D3AD8]            ; global object pointer ...
MOV ECX,DWORD PTR DS:[EAX+30]            ; ... ->[+30] ...
MOV EAX,DWORD PTR DS:[ECX]               ; ... ->[0] ...
MOV EDX,DWORD PTR DS:[EAX]               ; ... ->[0]: a 32-bit value that becomes the first field of the packed buffer (presumably an ID -- verify)
PUSH EBX
PUSH ESI
MOV ESI,DWORD PTR SS:[EBP+8]             ; ESI = arg1 (three floats)
FLD DWORD PTR DS:[ESI]                   ; ST0 = arg1[0]
PUSH EDI
MOV DWORD PTR SS:[EBP-20],EDX            ; buffer[0..3] = EDX
CALL Unpacked.005925D0                   ; takes ST0, returns a 16-bit value in AX; called six times, each result stored as a WORD (presumably a float->short pack helper -- verify)
FLD DWORD PTR DS:[ESI+4]                 ; ST0 = arg1[1]
MOV WORD PTR SS:[EBP-1C],AX              ; buffer[4..5] = packed arg1[0]
CALL Unpacked.005925D0
FLD DWORD PTR DS:[ESI+8]                 ; ST0 = arg1[2]
MOV WORD PTR SS:[EBP-1A],AX              ; buffer[6..7] = packed arg1[1]
CALL Unpacked.005925D0
MOV ESI,DWORD PTR SS:[EBP+C]             ; ESI = arg2 (three floats)
FLD DWORD PTR DS:[ESI]                   ; ST0 = arg2[0]
MOV WORD PTR SS:[EBP-18],AX              ; buffer[8..9] = packed arg1[2]
CALL Unpacked.005925D0
FLD DWORD PTR DS:[ESI+4]                 ; ST0 = arg2[1]
MOV WORD PTR SS:[EBP-16],AX              ; buffer[A..B] = packed arg2[0]
CALL Unpacked.005925D0
FLD DWORD PTR DS:[ESI+8]                 ; ST0 = arg2[2]
MOV WORD PTR SS:[EBP-14],AX              ; buffer[C..D] = packed arg2[1]
CALL Unpacked.005925D0
MOV WORD PTR SS:[EBP-12],AX              ; buffer[E..F] = packed arg2[2]
MOV AL,BYTE PTR SS:[EBP+10]              ; arg3 byte
PUSH 2732                                ; packet ID 0x2732 -- the constant this tutorial searches for
MOV BYTE PTR SS:[EBP-10],AL              ; buffer[10] = arg3 (0x11 bytes total, see PUSH 11 below)
CALL Unpacked.004C6340                   ; called with the packet ID, returns the packet in EAX (its counterpart 004C6400 is called with it below)
PUSH 10
MOV ESI,EAX                              ; ESI = packet
CALL Unpacked.0062C25E                   ; allocates 0x10 bytes (cdecl; the ADD ESP,8 below cleans both pushes) -- presumably operator new/malloc, verify
ADD ESP,8
MOV DWORD PTR SS:[EBP+8],EAX             ; keep the new object in the (now dead) arg1 slot
XOR EDI,EDI
CMP EAX,EDI
MOV DWORD PTR SS:[EBP-4],EDI             ; SEH trylevel = 0 (object construction is inside the guarded scope)
JE L055                                  ; allocation returned NULL -> skip the constructor
PUSH 11                                  ; length of the packed buffer (0x11 = 17 bytes)
LEA ECX,DWORD PTR SS:[EBP-20]            ; address of the packed buffer
PUSH ECX
MOV ECX,EAX                              ; thiscall: ECX = the new object
CALL Unpacked.0050AC40                   ; construct it from (buffer, 0x11); EAX = the object
JMP L056
XOR EAX,EAX                              ; L055: NULL object on the allocation-failure path
PUSH EAX                                 ; L056: push the (possibly NULL) object
MOV ECX,ESI                              ; thiscall: ECX = packet
MOV DWORD PTR SS:[EBP-4],-1              ; SEH trylevel = -1 (leaving the guarded scope)
CALL Unpacked.0050D020                   ; attach the object to the packet (inferred from the argument pattern -- verify)
PUSH ESI
CALL Unpacked.004C6400                   ; hand the packet off (paired with 004C6340 above; presumably the send/post -- verify)
ADD ESP,4
MOV DWORD PTR SS:[EBP+8],EDI             ; [EBP+8] = 0
PUSHAD                                   ; --- caller check; not part of the packet logic ---
MOV EAX,EBP
ADD EAX,4
MOV EAX,DWORD PTR DS:[EAX]               ; EAX = [EBP+4] = this call's return address
MOV DWORD PTR SS:[EBP+8],EAX             ; stash it in the arg1 slot
MOV EAX,Unpacked.00481D90
MOV DWORD PTR SS:[EBP+C],EAX             ; overwrite the arg2 slot with a code address (purpose not visible here)
POPAD
MOV EAX,DWORD PTR SS:[EBP+8]             ; EAX = return address
CMP EAX,Unpacked.00401000
JBE L077                                 ; return address <= 0x401000 (below the code section) -> report
CMP EAX,3000000
JB L082                                  ; return address below 0x3000000 -> normal exit
PUSH 238D                                ; L077: caller outside [0x401000, 0x3000000) -> build and hand off a packet with ID 0x238D
CALL Unpacked.004C6340                   ; same builder as above; looks like a caller-integrity report (code calling ZPostShot from outside that window ends up here) -- verify
PUSH EAX
CALL Unpacked.004C6400
ADD ESP,8
MOV ECX,DWORD PTR SS:[EBP-C]             ; L082: previous SEH record saved by the prologue
POP EDI
POP ESI
MOV DWORD PTR FS:[0],ECX                 ; unlink this frame's SEH record
POP EBX
MOV ESP,EBP
POP EBP
RETN                                     ; no immediate: the caller removes the three arguments
There — you just found your function.
(Note the block starting at PUSHAD near the end: it reads this call's return address from [EBP+4] and, unless that address lies between Unpacked.00401000 and 3000000, builds a packet with ID 238D before returning. That looks like a check on who called ZPostShot; keep it in mind when you plan to call the function yourself.)
All ZPost functions push packet IDs, so they are easy
to find, but what about other functions, like the one used
to make a godmode hack? Well, this is where our JGunz.exe
comes in.
METHOD 2 (Wildcards)
Open JGunz (or OldGunz) in OllyDbg,
open the JGunz GunzFunction.txt in Notepad,
press Ctrl+F in Notepad
and type "ZModule_HPAP::SetHP" or "ZModule_HPAP::SetAP",
then press Enter. You will find that
in JGunz ZModule_HPAP::SetHP is located at 0047DDD0,
so copy that address, go to JGunz in Olly and
click on this button ->

Paste the address there and
click OK or press Enter.
In JGunz the full ZModule_HPAP::SetHP looks like this:
Code:
; ZModule_HPAP::SetHP as dumped from JGunz (OllyDbg listing, Intel syntax).
; thiscall: ECX = this, one 4-byte stack arg at [ESP+4] (handled as an integer), cleaned by RETN 4.
; Fields touched: this+0x8 (float upper bound), this+0x10 (float, written), this+0x18 (byte flag).
; Lnnn jump targets are Olly's line indices; the labels are marked in the comments.
MOV EAX,DWORD PTR SS:[ESP+4]             ; EAX = requested value (int)
PUSH ESI
PUSH EDI
MOV EDI,ECX                              ; EDI = this
XOR ECX,ECX
TEST EAX,EAX
SETL CL                                  ; CL = 1 if EAX < 0
DEC ECX                                  ; ECX = 0 if EAX < 0, else 0xFFFFFFFF
AND ECX,EAX                              ; branchless lower clamp: ECX = max(EAX, 0)
MOV DWORD PTR SS:[ESP+C],ECX             ; spill into the argument slot ([ESP+C] after the two pushes)
FILD DWORD PTR SS:[ESP+C]                ; ST0 = (float) clamped value
FCOM DWORD PTR DS:[EDI+8]                ; compare with this+0x8
FSTSW AX
TEST AH,5                                ; C0|C2 of the FPU status ...
JPO L017                                 ; ... odd parity = only C0 set = ST0 < this+0x8: keep the value
FSTP ST                                  ; otherwise (>=, or unordered) drop it ...
FLD DWORD PTR DS:[EDI+8]                 ; ... and use this+0x8 instead (upper clamp)
CALL JGunz.005533F8                      ; L017: ST0 -> EAX (presumably a float-to-int helper such as _ftol -- verify)
MOV DWORD PTR SS:[ESP+C],EAX             ; clamped value as int
MOV AL,BYTE PTR DS:[EDI+18]              ; this+0x18 flag
XOR ESI,ESI
TEST AL,AL
JE L038                                  ; flag clear -> plain store
CALL JGunz.0048E030                      ; returns an object; ESI = object+8 below
MOV ESI,EAX
LEA EDX,DWORD PTR DS:[EDI+10]            ; EDX = &this->field_0x10
ADD ESI,8
PUSH EDX
MOV ECX,ESI
CALL JGunz.00526370                      ; lookup keyed by &this->field_0x10 (semantics not visible here)
TEST EAX,EAX
JE L038                                  ; not found -> plain store
MOV ECX,EAX
CALL JGunz.00526210
TEST AL,AL
JNZ L038
MOV ECX,ESI
CALL JGunz.00526B00
FILD DWORD PTR SS:[ESP+C]                ; L038: ST0 = (float) clamped value
MOV CL,BYTE PTR DS:[EDI+18]
TEST CL,CL
LEA EAX,DWORD PTR DS:[EDI+10]
FADD DWORD PTR DS:[5D0444]               ; add a float constant from the data section (value not shown)
FSTP DWORD PTR DS:[EAX]                  ; this->field_0x10 = value + constant
JE L049                                  ; flag clear -> done
PUSH 4
PUSH EAX                                 ; (&this->field_0x10, 4)
MOV ECX,ESI
CALL JGunz.005263A0                      ; register the 4-byte field with the object from 0048E030 (inferred from the arguments -- verify)
POP EDI                                  ; L049
POP ESI
RETN 4
As you can see there is no packet ID, so we are going to do a binary
copy :)
Highlight a little bit of the function, i.e.:
Code:
PUSH ESI
PUSH EDI
MOV EDI,ECX
XOR ECX,ECX
TEST EAX,EAX
SETL CL
DEC ECX
AND ECX,EAX
MOV DWORD PTR SS:[ESP+C],ECX
FILD DWORD PTR SS:[ESP+C]
FCOM DWORD PTR DS:[EDI+8]
FSTSW AX
TEST AH,5
Right-click and do a Binary copy, then paste it in Notepad; it should
look like this:
Code:
56 57 8B F9 33 C9 85 C0 0F 9C C1 49 23 C8 89 4C 24 0C DB 44 24 0C D8 57 08 DF E0 F6 C4 05
Now, to organise it, split the bytes one instruction per line the way Olly shows them (note that the listing below runs TEST EAX,EAX = `85 C0` and SETL CL = `0F 9C C1` together on one line):
Code:
56
57
8B F9
33 C9
85 C0 0F 9C C1
49
23 C8
89 4C 24 0C
DB 44 24 0C
D8 57 08
DF E0
F6 C4 05
Those bytes are the machine-code encoding of the ASM above :)
OK, so keep the first 3 lines and the last 2 lines, and fill everything in between with "??" —
yes, question marks.
Like this:
Code:
56
57
8B F9
?? ??
?? ?? ?? ?? ??
??
?? ??
?? ?? ?? ??
?? ?? ?? ??
?? ?? ??
DF E0
F6 C4 05
I am doing it this way because I know it works for this function,
but the general rule is that whatever you copy goes through this process:
FF FF   (if a line looks like this, the opcode on the left stays and the byte after the space becomes "??", so it looks like FF ??)
FF      (if there is only one byte, nothing needs to be done)
FFFF FF (any bytes after the space are replaced with "??", like so: FFFF ??)
The idea is to keep the opcode bytes and wildcard the operand bytes (ModRM, displacement, immediate), since those — addresses, stack offsets, constants — are what change between builds. Bear in mind that a wildcard pattern only matches when the number of bytes between your fixed anchors is the same in the new build; if the compiler added or removed instructions there, the search fails and you need shorter or different anchors.
OK, so that is in Notepad.
Open up your current unpacked GunZ in Olly,
press Ctrl+B and paste the pattern you just made in Notepad
into the "HEX +05" field and click OK.
The first hit should be the new function, and the address at the top of the listing is
where it is located. Verify the hit by reading the surrounding code (it should have the same shape as the JGunz version: the same this+8 / this+10 / this+18 accesses and the same sequence of calls), since a short wildcard pattern can also match unrelated code; press Ctrl+L for the next hit if it does not.
It should look like this in the current gunz:
Code:
; ZModule_HPAP::SetHP as dumped from the current unpacked client (OllyDbg listing, Intel syntax).
; thiscall: ECX = this, one 4-byte stack arg at [EBP+8] (read as a float in this build), cleaned by RETN 4.
; Fields touched: this+0x8 (float upper bound), this+0x10 (float), this+0x18 (byte flag),
; this+0x24 (pointer; not present in the JGunz build above).
; Lnnn jump targets are Olly's line indices; the labels are marked in the comments.
PUSH EBP
MOV EBP,ESP
PUSH ECX                                 ; one local slot at [EBP-4]
FLD DWORD PTR DS:[66571C]                ; float constant from the data section (presumably 0.0, the lower bound -- verify)
PUSH EBX
FCOMP DWORD PTR SS:[EBP+8]               ; compare the constant with the argument
PUSH ESI
PUSH EDI
MOV EDI,ECX                              ; EDI = this
FSTSW AX
TEST AH,41                               ; C0|C3 of the FPU status ...
JNZ L014                                 ; ... taken unless constant > arg: use the argument as is
FLD DWORD PTR DS:[66571C]                ; constant > arg: use the constant instead (lower clamp)
JMP L015
FLD DWORD PTR SS:[EBP+8]                 ; L014: ST0 = arg
FCOMP DWORD PTR DS:[EDI+8]               ; L015: compare ST0 with this+0x8
FSTSW AX
TEST AH,5
JPE L026                                 ; even parity = ST0 >= this+0x8 (or unordered) -> clamp to this+0x8
FLD DWORD PTR DS:[66571C]                ; ST0 < this+0x8: re-check the lower bound against the stored argument
FCOMP DWORD PTR SS:[EBP+8]
FSTSW AX
TEST AH,41
JNZ L028                                 ; arg >= constant -> keep [EBP+8]
MOV DWORD PTR SS:[EBP+8],0               ; constant > arg -> [EBP+8] = 0 (= 0.0f)
JMP L028
MOV EAX,DWORD PTR DS:[EDI+8]             ; L026: [EBP+8] = this+0x8 (upper clamp)
MOV DWORD PTR SS:[EBP+8],EAX
MOV ESI,DWORD PTR DS:[EDI+24]            ; L028: ESI = pointer stored at this+0x24 (a slot that holds the address of a value cell)
TEST ESI,ESI
JE L051                                  ; no slot -> the old-style path that writes this+0x10
FLD DWORD PTR SS:[EBP+8]
MOV EAX,DWORD PTR DS:[ESI]               ; EAX = current value cell (*slot), may be NULL
FADD DWORD PTR DS:[6506FC]               ; value + float constant (same role as [5D0444] in the JGunz build)
XOR EDI,EDI                              ; EDI is reused as "old cell" here; this is not needed again on this path
TEST EAX,EAX
FSTP DWORD PTR SS:[EBP+8]                ; [EBP+8] = value + constant
JE L039
MOV EDI,EAX                              ; remember the old cell
PUSH 4                                   ; L039
CALL Unpacked.0062C25E                   ; allocate 4 bytes (cdecl) -- presumably operator new/malloc, verify
MOV ECX,DWORD PTR SS:[EBP+8]
ADD ESP,4
TEST EDI,EDI
MOV DWORD PTR DS:[ESI],EAX               ; *slot = new cell
MOV DWORD PTR DS:[EAX],ECX               ; *new cell = value: on this path the value lives in a freshly allocated cell rather than at this+0x10 (looks like an anti-memory-edit indirection -- verify)
JE L081                                  ; no old cell -> done
PUSH EDI
CALL Unpacked.0062C28E                   ; release the old cell (pairs with 0062C25E -- presumably free/delete, verify)
ADD ESP,4
JMP L081
MOV AL,BYTE PTR DS:[EDI+18]              ; L051: this+0x18 flag (same sequence as the JGunz build from here)
XOR ESI,ESI
TEST AL,AL
JE L070                                  ; flag clear -> plain store
CALL Unpacked.0049A4D0                   ; returns an object; ESI = object+8 below
MOV ESI,EAX
LEA EDX,DWORD PTR DS:[EDI+10]            ; EDX = &this->field_0x10
ADD ESI,8
PUSH EDX
MOV ECX,ESI
CALL Unpacked.0055EAA0                   ; lookup keyed by &this->field_0x10 (semantics not visible here)
TEST EAX,EAX
JE L070
MOV ECX,EAX
CALL Unpacked.0055E8B0
TEST AL,AL
JNZ L070
MOV ECX,ESI
CALL Unpacked.0055F230
FLD DWORD PTR SS:[EBP+8]                 ; L070: ST0 = clamped value
MOV CL,BYTE PTR DS:[EDI+18]
TEST CL,CL
FADD DWORD PTR DS:[6506FC]               ; value + float constant
LEA EAX,DWORD PTR DS:[EDI+10]
FSTP DWORD PTR DS:[EAX]                  ; this->field_0x10 = value + constant
JE L081                                  ; flag clear -> done
PUSH 4
PUSH EAX                                 ; (&this->field_0x10, 4)
MOV ECX,ESI
CALL Unpacked.0055EAD0                   ; register the 4-byte field, as in the JGunz build (inferred -- verify)
MOV DWORD PTR SS:[EBP+8],0               ; L081
PUSHAD                                   ; --- caller check, same shape as at the end of ZPostShot ---
MOV EAX,EBP
ADD EAX,4
MOV EAX,DWORD PTR DS:[EAX]               ; EAX = [EBP+4] = this call's return address
MOV DWORD PTR SS:[EBP+8],EAX             ; stash it in the argument slot
MOV EAX,Unpacked.00489480
MOV DWORD PTR SS:[EBP-4],EAX             ; local = a code address (purpose not visible here)
POPAD
MOV EAX,DWORD PTR SS:[EBP+8]             ; EAX = return address
CMP EAX,Unpacked.00401000
JBE L095                                 ; return address <= 0x401000 -> report
CMP EAX,3000000
JB L100                                  ; return address below 0x3000000 -> normal exit
PUSH 238D                                ; L095: caller outside [0x401000, 0x3000000) -> packet ID 0x238D (looks like a caller-integrity report -- verify)
CALL Unpacked.004C6340
PUSH EAX
CALL Unpacked.004C6400
ADD ESP,8
POP EDI                                  ; L100
POP ESI
POP EBX
MOV ESP,EBP
POP EBP
RETN 4
Congrats, you just found ZModule_HPAP::SetHP =3
(Note that the current build is not a byte-for-byte match of the JGunz one: the argument is now compared as a float against the constant at 66571C and against this+8, and when this+24 is non-zero the value is written into what looks like a freshly allocated 4-byte cell instead of this+10 — so a godmode hack that patches this+10 directly may not behave the same on this build. It also ends with the same PUSHAD return-address check as ZPostShot.)
Here is a list of some I have already found; these are currently working for Ijji as of April 02, 2009.
Addresses
In the next GunZ tutorial I will teach you how to make a simple
DLL hack!
http://www.lethalgaming.net/forum/showthread.php?t=57725