HP/MP Реген + Скорость в цифрах

Кирилл

hpmpspeedrgr.jpg

Для работы просто извлеките файл в папку с игрой, предварительно удалив из этой папки все файлы с расширением .mix или .mixtape.

Внимание!

• Могут возникнуть проблемы с отображением HP из-за разрешения экрана.
• Игровые платформы (Гарена в том числе) обнаруживают данный хак как чит, используйте дополнительный софт для скрытия, к примеру, гарена мастер для гарены, или же дизейблеры для iCCup.

Исходный код
Код:
// By Skino
#include <windows.h>


// All offsets below are relative to the load address of game.dll: DllMain adds
// each of them to dwGameBaseAddress before use.
// NOTE(review): they are fixed constants, so they presumably match exactly one
// build of game.dll; nothing in this file verifies the module version or the
// bytes found at these locations before they are overwritten.

// Region made writable while the two speed call sites are patched, and the two
// call sites themselves. NOTE(review): the region size is decimal (534000 bytes)
// and is far larger than the two 4-byte writes made inside it.
#define SPEED_IN_NUMBER_AREA_OFFSET		0x339000
#define SPEED_IN_NUMBER_AREA_SIZE 		534000
#define MOVE_SPEED_ADDRESS				0x33911B
#define ATTACK_SPEED_ADDRESS			0x3392BB

// Region made writable for the HP/MP patches, and the base that the individual
// HP/MP patch offsets in DllMain are added to. HPMP_REGEN lies below
// HPMP_REGEN_AREA_OFFSET; the patched addresses (HPMP_REGEN + 0x417 and up)
// fall inside the region.
#define HPMP_REGEN_AREA_OFFSET			0x358000
#define HPMP_REGEN_AREA_SIZE 			515000
#define HPMP_REGEN						0x357D20


// Despite the STORM_DLL_ prefix these are offsets inside game.dll (DllMain adds
// them to the game.dll base). The stubs' own comments describe the targets as
// game.dll's jump thunks to Storm ordinals 503 and 578.
#define STORM_DLL_503					0x6EB5BE // int     __stdcall SStrNCat(char *base, char *new, int max_length)
#define STORM_DLL_578					0x6EB5A6 // int     __cdecl   SStrVPrintf(char *dest, size_t size, const char *format, ...)



// Absolute addresses of the two thunks above, filled in by DllMain and called
// indirectly from the naked stubs.
DWORD dwSTORM_578, dwSTORM_503;
// Single shared slot in which the two speed stubs park their return address.
// NOTE(review): one global for both stubs, so it is not safe if the stubs can
// run concurrently or re-entrantly.
DWORD dwRegBuffer;
// Load address of game.dll, stored as a 32-bit integer (x86 only).
DWORD dwGameBaseAddress;

// Written by Get_RHP / Get_RMP as a raw 32-bit copy (MOV from ECX) and read back
// with FLD by the Replace_String_* stubs. Declared float despite the "d" prefix.
float dHP_Regen, dMP_Regen;

// printf-style formats handed to the 578 thunk. The "|CFF......" sequences are
// presumably the game's inline colour codes.
// NOTE(review): these point at string literals and are never written here, so
// they would be better declared as const char *.
char* speedformat = "%0.02f";
char* HPformat  = "%u/%u |CFFF4FB00%.02f";
char* MPformat  = "|CFF0C9FEF%u/%u |CFFF4FB00%.02f";

/*
 * Replace_String_Hp - naked stub that builds the HP text with a regen value appended.
 *
 * DllMain retargets a call site inside game.dll (HPMP_REGEN + 0x476 + 0x11) to
 * this function. On entry it expects the current HP in ECX and the maximum HP
 * in EAX (per the author's comments), and takes the regen value from dHP_Regen.
 * It calls the formatter behind dwSTORM_578 with HPformat and removes all
 * 0x1C bytes it pushed before returning.
 *
 * NOTE(review): the output goes to a buffer in the hooked function's stack
 * frame, addressed by a fixed ESP offset, with 0xFF passed as the size. The
 * real capacity of that buffer is not visible in this file; confirm that 0xFF
 * does not exceed it, since the format is longer than the original "cur/max".
 */
void __declspec(naked) Replace_String_Hp()
{
	_asm
	{
		FLD dHP_Regen
		SUB ESP,0x8
		FSTP QWORD PTR SS:[ESP] // regen, widened to a 64-bit double for the variadic "%.02f"

		PUSH EAX            	// max HP (second %u)
		PUSH ECX 				// current HP (first %u)
		PUSH HPformat 		// format string
		PUSH 0xFF 				// size argument given to the formatter
		LEA ECX,[ESP+0x110]		// destination: buffer in the caller's frame (offset is relative to ESP after the pushes above)
		PUSH ECX 				// destination buffer
		CALL dwSTORM_578		// cdecl: the caller cleans up

		ADD ESP,0x1C 			// drop the 8-byte double plus five 4-byte arguments

		RETN
	}
}

/*
 * Get_RHP - naked stub that captures a unit's HP regen value into dHP_Regen.
 *
 * DllMain overwrites 7 bytes at HPMP_REGEN + 0x417 with a CALL to this stub
 * followed by two NOPs. The stub first repeats the instruction it displaced,
 * then walks a chain of pointers starting from ECX and a table reached through
 * game.dll + 0xAB7788, and stores the 32-bit value found at +0x7C of the
 * resolved object. EAX, ECX and ESI are restored before returning.
 *
 * NOTE(review): inside the stub ESP is 4 bytes lower than at the patched site
 * (the CALL pushed a return address), so the replayed LEA yields an address
 * 4 bytes below what the in-place instruction would have produced; confirm
 * this is intended.
 * NOTE(review): ADD ECX,0x98 changes EFLAGS, which the displaced LEA would not
 * have done; the flags are not saved.
 * NOTE(review): none of the dereferenced pointers is checked for NULL.
 */
void __declspec(naked) Get_RHP()
{
	_asm
	{
		// instruction displaced by the hook, replayed here
		LEA EAX,[ESP+0x0D8]
		// code cave
			// save the registers used as scratch below
		PUSH EAX
		PUSH ECX
		PUSH ESI

			// Get Unit HP regen
		ADD ECX,0x98
		MOV ECX,DWORD PTR DS:[ECX+0x8]				// value used as a table index below
		MOV ESI,dwGameBaseAddress
		MOV ESI,DWORD PTR DS:[ESI+0xAB7788]			// pointer stored at game.dll + 0xAB7788
		MOV EAX,DWORD PTR DS:[ESI+0x0C]				// table base
		MOV ECX,DWORD PTR DS:[ECX*0x8+EAX+0x4]		// 8-byte entries; take the pointer at +4 of the entry
		MOV ECX,DWORD PTR DS:[ECX+0x7C] // 84 is max hp, 7C is hp regen ...
		MOV dHP_Regen,ECX							// raw 32-bit copy into the float variable

			// restore the saved registers
		POP ESI
		POP ECX
		POP EAX

		RETN
	}
}

/*
 * Replace_String_Mp - naked stub that builds the MP text with a regen value appended.
 *
 * Same shape as Replace_String_Hp, but uses dMP_Regen, MPformat and a different
 * destination offset. DllMain retargets the call site at
 * HPMP_REGEN + 0x6A0 + 0x11 to this function. The stub removes all 0x1C bytes
 * it pushed before returning.
 *
 * NOTE(review): the destination buffer lives in the hooked function's stack
 * frame and its capacity is not visible in this file; confirm that the 0xFF
 * size passed to the formatter does not exceed it.
 */
void __declspec(naked) Replace_String_Mp()
{
	_asm
	{
		FLD dMP_Regen
		SUB ESP,0x8
		FSTP QWORD PTR SS:[ESP] // regen, widened to a 64-bit double for the variadic "%.02f"

		PUSH EAX            	// max MP (second %u)
		PUSH ECX 				// current MP (first %u)
		PUSH MPformat 		// format string
		PUSH 0xFF 				// size argument given to the formatter
		LEA ECX,[ESP+0x138]		// destination: buffer in the caller's frame (offset is relative to ESP after the pushes above)
		PUSH ECX 				// destination buffer
		CALL dwSTORM_578		// cdecl: the caller cleans up

		ADD ESP,0x1C 			// drop the 8-byte double plus five 4-byte arguments

		RETN
	}
}

/*
 * Get_RMP - naked stub that captures a unit's MP regen value into dMP_Regen.
 *
 * DllMain overwrites 6 bytes at HPMP_REGEN + 0x602 with a CALL to this stub
 * followed by one NOP. The stub replays the displaced ADD, then follows the
 * same pointer chain as Get_RHP (starting from the adjusted ECX) and stores the
 * 32-bit value at +0x7C of the resolved object. EAX, ECX and ESI are restored
 * before returning, so ECX keeps the result of the replayed ADD.
 *
 * NOTE(review): none of the dereferenced pointers is checked for NULL.
 */
void __declspec(naked) Get_RMP()
{
	_asm
	{
		// instruction displaced by the hook, replayed here
		ADD ECX,0x0B8
		// code cave
			// save the registers used as scratch below
		PUSH EAX
		PUSH ECX
		PUSH ESI

			// Get Unit MP regen
		MOV ECX,DWORD PTR DS:[ECX+0x8]				// value used as a table index below
		MOV ESI,dwGameBaseAddress
		MOV ESI,DWORD PTR DS:[ESI+0xAB7788]			// pointer stored at game.dll + 0xAB7788
		MOV EAX,DWORD PTR DS:[ESI+0x0C]				// table base
		MOV ECX,DWORD PTR DS:[ECX*0x8+EAX+0x4]		// 8-byte entries; take the pointer at +4 of the entry
		MOV ECX,DWORD PTR DS:[ECX+0x7C]				// same +0x7C field as in Get_RHP, read from the MP-side object
		MOV dMP_Regen,ECX							// raw 32-bit copy into the float variable

			// restore the saved registers
		POP ESI
		POP ECX
		POP EAX

		RETN
	}
}

/*
 * Move_speed_in_number - naked stub that formats the move speed as a number.
 *
 * DllMain rewrites only the 32-bit displacement at MOVE_SPEED_ADDRESS + 1, so
 * an existing call in game.dll is redirected here; per the comments below that
 * call originally went to the Storm #503 thunk. The stub saves its return
 * address in dwRegBuffer, formats the float found at [ESP+0x90] into the buffer
 * in ECX with speedformat (size 7), then performs the original 503 call and
 * returns to the saved address.
 *
 * NOTE(review): the arguments consumed by the 503 call are presumably the ones
 * the patched site pushed before its call; they are not set up here.
 * NOTE(review): dwRegBuffer is a single global shared with
 * Attack_speed_in_number, so this is not safe if the stubs run concurrently.
 */
void __declspec(naked) Move_speed_in_number()
{
	_asm
	{
		MOV EAX,DWORD PTR DS:[ESP]
		MOV dwRegBuffer,EAX			// remember where to return to

		FLD DWORD PTR SS:[ESP+0x90] // load the float from the caller's stack frame
		SUB ESP,0x8
		FSTP QWORD PTR SS:[ESP]  	// first variadic argument, widened to double
		PUSH speedformat			// format
		PUSH 0x7 	        		// size argument given to the formatter
		PUSH ECX 					// buffer (for result)
		CALL dwSTORM_578			// CALL <JMP.&Storm.#578>

		ADD ESP,0x18 				// 0x14 bytes of arguments plus the 4-byte return address saved above

		CALL dwSTORM_503 			// CALL <JMP.&Storm.#503>
		PUSH dwRegBuffer            // put the saved return address back so RETN goes to the patched site

		RETN
	}
}

/*
 * Attack_speed_in_number - naked stub that formats the attack speed as a number.
 *
 * Identical to Move_speed_in_number except that the float is read from
 * [ESP+0x6C]. DllMain redirects the existing call at ATTACK_SPEED_ADDRESS to
 * this stub by rewriting its 32-bit displacement.
 *
 * NOTE(review): the arguments consumed by the 503 call are presumably the ones
 * the patched site pushed before its call; they are not set up here.
 * NOTE(review): dwRegBuffer is a single global shared with
 * Move_speed_in_number, so this is not safe if the stubs run concurrently.
 */
void __declspec(naked) Attack_speed_in_number()
{
	_asm
	{
		MOV EAX,DWORD PTR DS:[ESP]
		MOV dwRegBuffer,EAX			// remember where to return to

		FLD DWORD PTR SS:[ESP+0x6C] // load the float from the caller's stack frame
		SUB ESP,0x8
		FSTP QWORD PTR SS:[ESP]  	// first variadic argument, widened to double
		PUSH speedformat			// format
		PUSH 0x7 	        		// size argument given to the formatter
		PUSH ECX 					// buffer (for result)
		CALL dwSTORM_578			// CALL <JMP.&Storm.#578>

		ADD ESP,0x18 				// 0x14 bytes of arguments plus the 4-byte return address saved above

		CALL dwSTORM_503 			// CALL <JMP.&Storm.#503>
		PUSH dwRegBuffer            // put the saved return address back so RETN goes to the patched site

		RETN
	}
}

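/*
 * DllMain - on process attach, patches code inside the already-loaded game.dll.
 *
 * Resolves the game.dll base, computes the two thunk addresses used by the
 * stubs, then rewrites call displacements and instruction bytes in two code
 * regions so that the game calls the naked stubs defined in this file.
 * Always returns true, including when game.dll is not loaded or a region
 * cannot be made writable (in which case that region is left untouched).
 *
 * Changes from the original:
 *  - The protection-restoring VirtualProtect calls passed NULL as the last
 *    argument. VirtualProtect fails when that pointer is NULL, so the original
 *    protection was never restored and both regions (about 0.5 MB each of the
 *    module's code) stayed PAGE_EXECUTE_READWRITE. A valid pointer is now passed.
 *  - The result of the first VirtualProtect is checked; the bytes are written
 *    only if the region really became writable, instead of faulting.
 *
 * NOTE(review): every offset is a fixed constant for one build of game.dll and
 * nothing verifies the module version or the original bytes before they are
 * overwritten; on any other build these writes corrupt unrelated code.
 * NOTE(review): the (DWORD) and (unsigned int) pointer casts are valid only in
 * a 32-bit build.
 */
BOOL APIENTRY DllMain (HINSTANCE hInstDLL, DWORD reason, LPVOID reserved)
{
	if (reason != DLL_PROCESS_ATTACH)
		return true;

	dwGameBaseAddress = (DWORD)GetModuleHandle("game.dll");
	if (!dwGameBaseAddress)
		return true;

	// init all calls and jumps
	dwSTORM_503 = dwGameBaseAddress + STORM_DLL_503;
	dwSTORM_578 = dwGameBaseAddress + STORM_DLL_578;

	DWORD dwOldProtect;

	// Speed in number
	if (VirtualProtect((void*)(dwGameBaseAddress + SPEED_IN_NUMBER_AREA_OFFSET), SPEED_IN_NUMBER_AREA_SIZE, PAGE_EXECUTE_READWRITE, &dwOldProtect))
	{
		// Only the rel32 displacement (at +1) is rewritten; the opcode byte
		// already present at each address is left as it is.

		// Move speed
		*(unsigned int*) (dwGameBaseAddress + MOVE_SPEED_ADDRESS + 0x1)  = (unsigned int)Move_speed_in_number - (dwGameBaseAddress + MOVE_SPEED_ADDRESS + 0x5);
		// Attack speed
		*(unsigned int*) (dwGameBaseAddress + ATTACK_SPEED_ADDRESS + 0x1)  = (unsigned int)Attack_speed_in_number - (dwGameBaseAddress + ATTACK_SPEED_ADDRESS + 0x5);

		// Restore the previous protection. The last argument must point to a
		// valid DWORD or the call fails; dwOldProtect is reused as the output.
		VirtualProtect((void*)(dwGameBaseAddress + SPEED_IN_NUMBER_AREA_OFFSET), SPEED_IN_NUMBER_AREA_SIZE, dwOldProtect, &dwOldProtect);
	}

	// Regen
	if (VirtualProtect((void*)(dwGameBaseAddress + HPMP_REGEN_AREA_OFFSET), HPMP_REGEN_AREA_SIZE, PAGE_EXECUTE_READWRITE, &dwOldProtect))
	{
		// Hook get HP regen: CALL rel32 (5 bytes) plus two NOPs, 7 bytes in total
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x417 + 0x0) = 0xE8; // call
		*(unsigned int*) (dwGameBaseAddress + HPMP_REGEN + 0x417 + 0x1)  = (unsigned int)Get_RHP - (dwGameBaseAddress + HPMP_REGEN + 0x417 + 0x5);
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x417 + 0x5) = 0x90;
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x417 + 0x6) = 0x90;
		// JMP: first byte replaced with 0xEB (short unconditional jump)
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x46C) = 0xEB;
		// Hook string construct: 17 NOP bytes, then retarget the call that follows them
		*(DWORD*)(dwGameBaseAddress + HPMP_REGEN + 0x476 + 0x0) = 0x90909090;
		*(DWORD*)(dwGameBaseAddress + HPMP_REGEN + 0x476 + 0x4) = 0x90909090;
		*(DWORD*)(dwGameBaseAddress + HPMP_REGEN + 0x476 + 0x8) = 0x90909090;
		*(DWORD*)(dwGameBaseAddress + HPMP_REGEN + 0x476 + 0xC) = 0x90909090;
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x476 + 0x10) = 0x90;
		*(unsigned int*) (dwGameBaseAddress + HPMP_REGEN + 0x476 + 0x11 + 0x1)  = (unsigned int)Replace_String_Hp - (dwGameBaseAddress + HPMP_REGEN + 0x476 + 0x11 + 0x5);
		// Three NOPs over the original post-call stack fix-up (per the author's
		// note); Replace_String_Hp removes its own arguments.
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x492 + 0x0) = 0x90;
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x492 + 0x1) = 0x90;
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x492 + 0x2) = 0x90;


		// Hook get MP regen: CALL rel32 (5 bytes) plus one NOP, 6 bytes in total
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x602 + 0x0) = 0xE8; // call
		*(unsigned int*) (dwGameBaseAddress + HPMP_REGEN + 0x602 + 0x1)  = (unsigned int)Get_RMP - (dwGameBaseAddress + HPMP_REGEN + 0x602 + 0x5);
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x602 + 0x5) = 0x90;
		// JMP: first byte replaced with 0xEB (short unconditional jump)
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x69A) = 0xEB;
		// Hook string construct: 17 NOP bytes, then retarget the call that follows them
		*(DWORD*)(dwGameBaseAddress + HPMP_REGEN + 0x6A0 + 0x0) = 0x90909090;
		*(DWORD*)(dwGameBaseAddress + HPMP_REGEN + 0x6A0 + 0x4) = 0x90909090;
		*(DWORD*)(dwGameBaseAddress + HPMP_REGEN + 0x6A0 + 0x8) = 0x90909090;
		*(DWORD*)(dwGameBaseAddress + HPMP_REGEN + 0x6A0 + 0xC) = 0x90909090;
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x6A0 + 0x10) = 0x90;
		*(unsigned int*) (dwGameBaseAddress + HPMP_REGEN + 0x6A0 + 0x11 + 0x1)  = (unsigned int)Replace_String_Mp - (dwGameBaseAddress + HPMP_REGEN + 0x6A0 + 0x11 + 0x5);
		// Three NOPs over the original post-call stack fix-up (per the author's
		// note); Replace_String_Mp removes its own arguments.
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x6B6 + 0x0) = 0x90;
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x6B6 + 0x1) = 0x90;
		*(unsigned char*)(dwGameBaseAddress + HPMP_REGEN + 0x6B6 + 0x2) = 0x90;

		// Restore the previous protection (valid output pointer required).
		VirtualProtect((void*)(dwGameBaseAddress + HPMP_REGEN_AREA_OFFSET), HPMP_REGEN_AREA_SIZE, dwOldProtect, &dwOldProtect);
	}

	return true;
}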

Скачать:
 