#1 junyamada (joined May 2012, 11 posts)

    Some questions on Dragon Nest SEA hacking, general inquiries and insights.

    Hi, I've just recently started doing some hacking with Cheat Engine on Dragon Nest SEA. I've been reading a couple of guides on how to start locating values and their base addresses/pointers and was successful in doing it. I just have some questions regarding how you experienced/adept guys go about it.

    ****You can skip this part****
    I also hacked the game SAS: Zombie Assault 3 before the Dragon Nest venture.

    So far, what I can do with the Flash game is freeze the values and NOP the opcode for the barricades so that even the big thing won't be able to get in. Also freezing the health and NOP-ing the write and the read so that your health stays as it is. And with the health values done, you can then work on freezing the ammo and NOP-ing so you have unlimited ammo without reloads (well, technically it will still consume your ammo, but you won't be limited whenever you reach 0; it just goes into negative values. It's good for shotguns ^^). Also, changing the ammo values triggers an anti-cheat event that kills you, but by NOP-ing the instruction that writes to your health, you'd still be alive.

    The barricade value is 4227776 (4-byte value). Just start a new single-player game, pause it, search for the value and look for a group of addresses that have the same numbers for the first 4-6 digits. Or just count how many barricades you'll be getting on the map and look for a group of addresses with the same count. Or you can just freeze the whole set of results (which is usually between 8-15 depending on the scale of the map).

    For the health, its value is always changing but it stays within the range of 4000000 to 4227776 (as I've been doing it). So if you want to do something about your health, start by searching for a ranged value type from, let's say (like I always do), 4027776 to 4227776.

    There's one thing that I've been trying to track down: the anti-cheat event triggered upon changing the ammo values. I can't seem to get to it XD.

    I never got to their base addresses; as I've read from other sources, Flash games are quite different compared to our usual Windows executable games?

    It's a really good, addicting game though.

    Anyhow, the rest is up to you.
    *************************





    I was able to re-create the trainer that Auphmihox posted: got the codes from Kokoiv's cheat table, re-created it and added an addition to make it work with the second client.

    I've been trying to hack the zoom limit values on Dragon Nest SEA. I was able to determine the static address of the zoom value: DragonNest.exe+DADED6, or 011ADE98 or 011ADED6. Now I've been trying to locate the code that sets the limit for that address and I can't seem to find it.

    My question is, what are your other ways of hacking/locating what you need to change in the game? I was able to use OllyDbg before (like 4-5 years ago) to remove a trial timer from some applications; that was my first try with it and it was successful. It has been way too long, and I don't really remember the steps I took for that.

    Can you recommend a link/document/tutorial about things that could help me locate the values I need? Assembly, debuggers, any stuff that has been helpful to you is good enough for me.

    I have a question regarding multi-level pointers. Let's say we have a base address and a pointer that goes to +1+2+3. Whenever we freeze/NOP the value for that base address and its pointer, does that also affect the pointer addresses that you went through to get to the static part? I'm thinking that's why we have separate addresses for a specific hack. Take the wallhack: although I didn't try to explore it on my own, coming from the other post, we have 2 addresses for the wallhack that need to be NOPed, 005577C5 and 005577B8. In regard to that, can we have that as 005577+C5+B8? Does it work like that? Please do correct my misuse of the words within this thread. That'll be very much appreciated ^_^.

    ***I had to re-write this part, pressed down the wrong key on the keyboard and voila, lost the lower portion T_T***

    I know I'm still far from being good at it. My knowledge about this is just a fragment compared to you guys. But I would really like to learn more.





    Anyhow, these are some things that I think are possible for Dragon Nest SEA:

    1. An almost 1-hit KO.
    - This is by removing the animation delay of the character/game. To elaborate, the client would send out the attack packet without the animation delay/technical limitation of your character. It speeds up your firing and usage of skills; specifically, the delay between uses of skills/attacks.

    2. Always enable portals.
    - This is by removing the event trigger required to activate a portal on a specific map, like needing to finish off the mobs before you can go to the next stage or leave the game. There are times when a monster you have killed gets bugged, stays on your screen and you're stuck and cannot leave the map properly. - I wish I could work on this one.

    3. Always enable the "F12 exit map".
    - Somewhat the same as number 2, but this time removing the trigger event for the F12 function to display. This would be very useful in Nests if you want to farm for mats.

    4. Removing debuffs' interface restrictions.
    - An example would be a debuff that restrains you on the ground for a period of time and disables the usage of your hotkeys to cast skills and attack. It's possible for you to not be affected (in terms of animation and character movement) by NOP-ing the buffs' value counter.

    5. Teleportation - as done by the other users here ^^.

    6. Removing the mailbox sending limitation.
    - This has been done using WPE to interfere with the packet.
    - My insight on this is that, judging from the modification posted by the user, the "90" modification to the packet flags the packet as premium mail, therefore not being deducted from your daily limit. "Premium mail doesn't deduct from your daily sending limit of 5 mails." A loophole on the server? XD
    - So with that, we can force/trick the client into sending a premium mail so no deduction happens to the limit.
    - This could also enable us to send 5 items per mail. - Going to work on this.

    7. Magnifying Glass Hack? - I'm not sure, but I feel that this would work.

    8. Royal Chest Hack.
    One thing I've been thinking about is how items disappear from the ground. I've been using 2 clients open; the other client has a speedhack enabled for faster movement (I usually get the other character to follow me). What I've noticed is that the one with the speedhack loses the items from the ground more quickly. They disappear on the speedhacked client, but when I check my other client, the items are still on the ground and you can still pick them up.
    - I did another test on this: there are 2 limitations on picking up items from the ground, one from the client and one from the server. The one from the client is the disappearance of the items when a specific time frame has been reached. The one from the server is when you force the game to slow down, and the supposed time frame for the items to disappear has been slowed down; you won't be able to pick up the items whenever you try.
    - I'm not saying that's how it works, it's just an insight of mine. It could be another limitation on the client itself, whereby it reads the time elapsed from a different location?
    - Anyhow, I just like to think about how they would work. It's quite fun... Am I weird?
    - I was thinking, what if the royal chests work somewhat the same as that? Let's say the royal chest stays on the map every time you enter (just not visible on your end), but the appearance only happens whenever the server sends the trigger.

    9. Soul/character-bound item transfer.
    - I was working with the packets before I started to work on the client itself. I noticed that every function you perform in-game uses a different format of IDs for the items you deal with; let's say functions like storing, moving, selling and trading items.
    - As I've noticed, the packet format goes with the first part of the packet as an identifier of the function you'll be doing; the second part of the packet (let's say 4-6 bytes) is for the position in the inventory and the item; the 3rd part within the packet is (a byte) an identifier of the function again; and lastly, the last part within the packet is for the item as well.
    - I did a test before, comparing the packets on how they change and how they differ between functions. I checked and found two closely related functions in terms of packet format (trading items {this is moving the item into the trade box} and deleting them from your inventory). I was able to gather the ID so that I could use the packet to place a soul-bound item into the trade window. Although it gave me an error that the item to be traded is soul-bound, at least it worked. (Got tired after that.)
    - Anyway, I feel that it could be possible to somehow transfer soul-bound items to other characters or even seal items that are not meant to be sealed (such as gifts).

    10. Always summon the map boss.
    - It's quite related to numbers 2 and 3. This would summon the boss without the need for a trigger event like being together with your party, needing to finish the remaining mobs, etc.



    Things that I think are not possible:

    1. Hacking enhancement in-game.
    - This is one of the first things I tried to take a look at using WPE. What I've noticed is that you have 2 portions of enhancing the equipment. One is a filler, and the other is the "roll the dice".
    - If you happen to see the progress bar whenever you start clicking the button to enhance (before you hear the clinking sound of it failing or succeeding), that's the filler. A packet is sent to the server and then the server sends back a packet to activate the progress bar. That's the reason you can always cancel it without any problems.
    - The "roll the dice" portion happens at the end of the progress bar. I've been checking it out. At the end of the progress bar, the client sends the "real" enhance packet, the server generates a chance and replies back, and the feedback packet is the result.

    *** You can take the "real" enhance request packet and send it multiple times; you'll either get your weapon instantly to +6 or nothing XD. But be aware, when you do that you are skipping the filler process, which can easily be seen by other players since they won't see the "anvil and hammer" portion happening on your character; it goes straight to "dagger glows" or "dagger goes down".***

    - This will not be possible since the result is already stored on the server once it receives the "real" enhance request packet.
    - Unless we use a different method or function within the packet, it won't be possible XD. - By that I mean, let's say, a GM's enhance request packet format is different from what we have as regular players.
    - What we are looking for here are loopholes.

    2. Same goes for opening Altea's boxes and other similar things.
    - It's also the same as enhancing: there's a filler and there's the "roll the dice".

    3. Gold hack by changing the values on the client side XD. You know how they work.
    - Unless it's a different process/function... Again, a loophole.




    I've done other things as well, such as changing the values for the points and checking if there would be any difference, FTG, things I know are server-sided (but I was hoping there's a gap in between them).

    There we go, it's quite long, but I hope you can read through it and give me your insights and anything you can pitch in to help and improve. Tell me what you think about it; I would love to hear it. It's a good exchange of ideas. Thank you so much.
    Last edited by junyamada; 05-21-2012 at 10:39 AM. Reason: Additional information
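The multi-level pointer question above, worked through as an added example. This is editor-added code, not the poster's trainer or the cheat table, and the static offset, object layout and addresses in it are hypothetical, not taken from DragonNest.exe. Cheat Engine resolves a chain written as "DragonNest.exe"+static -> off1 -> off2 by reading the pointer stored at the static address, adding each offset and dereferencing again, and only adding the last offset. The pointers along the chain are only read, so freezing the final value, or NOP-ing the instruction that writes it, leaves them untouched. The chain is what keeps landing on the value after the game reallocates the object, and a module-relative base is what keeps it working after the module loads at a different address. The two wallhack addresses from the other thread are instruction addresses to patch in code, one patch each, not offsets on a single pointer.

```python
"""Resolve a Cheat Engine style multi-level pointer chain over a constructed
memory image and show why it survives object reallocation and module
rebasing while a raw absolute address does not.  Editor-added example; it
does not touch the real game."""

# Constructed layout (hypothetical offsets, not from DragonNest.exe):
#   "DragonNest.exe"+STATIC_OFF  holds a pointer to the player object
#   player+0x10                  holds a pointer to the stats object
#   stats+0x2C                   holds the 4-byte HP value
STATIC_OFF = 0x00A1B2C4
CHAIN = [0x10, 0x2C]


class FakeMemory:
    """Sparse 32-bit address space of 4-byte cells; a stand-in for
    ReadProcessMemory/WriteProcessMemory on a live target."""

    def __init__(self):
        self.cells = {}

    def write_u32(self, addr, value):
        self.cells[addr] = value & 0xFFFFFFFF

    def read_u32(self, addr):
        try:
            return self.cells[addr]
        except KeyError:
            raise ValueError(f"unmapped read at {addr:#010x}") from None


def resolve_pointer_chain(mem, module_base, static_off, offsets):
    """Final address of  "module"+static_off -> off1 -> ... -> offN.

    Cheat Engine semantics: read the pointer at module+static_off, add each
    offset and dereference again, except the last offset, which is only
    added.  Every intermediate pointer is read, never written."""
    addr = mem.read_u32(module_base + static_off)
    for off in offsets[:-1]:
        addr = mem.read_u32(addr + off)
    return addr + offsets[-1]


def build_image(module_base, player_obj, stats_obj, hp):
    """Lay the constructed objects out in a fresh memory image."""
    mem = FakeMemory()
    mem.write_u32(module_base + STATIC_OFF, player_obj)
    mem.write_u32(player_obj + 0x10, stats_obj)
    mem.write_u32(stats_obj + 0x2C, hp)
    return mem


def demo():
    """Walk the chain through a freeze, a reallocation and a module rebase."""
    base = 0x00400000
    mem = build_image(base, player_obj=0x01A00000, stats_obj=0x01B00000, hp=1500)

    hp_addr = resolve_pointer_chain(mem, base, STATIC_OFF, CHAIN)
    mem.write_u32(hp_addr, 9999)             # what a "freeze" keeps rewriting
    player_ptr_after_freeze = mem.read_u32(base + STATIC_OFF)

    # The game frees the stats object and allocates a new one elsewhere:
    # the old absolute address is stale, the chain still lands on the HP.
    mem.write_u32(0x01A00000 + 0x10, 0x01C00000)
    mem.write_u32(0x01C00000 + 0x2C, 1200)
    hp_addr_realloc = resolve_pointer_chain(mem, base, STATIC_OFF, CHAIN)

    # Module rebase (different load address): a module-relative base keeps
    # working, the old hard-coded static address points at nothing.
    rebased = 0x00C00000
    mem2 = build_image(rebased, player_obj=0x02A00000, stats_obj=0x02B00000, hp=777)
    hp_addr_rebased = resolve_pointer_chain(mem2, rebased, STATIC_OFF, CHAIN)
    try:
        mem2.read_u32(base + STATIC_OFF)     # absolute address from the old run
        absolute_static_still_valid = True
    except ValueError:
        absolute_static_still_valid = False

    return {
        "hp_addr": hp_addr,
        "frozen_hp": mem.read_u32(hp_addr),
        "player_ptr_untouched": player_ptr_after_freeze == 0x01A00000,
        "hp_addr_after_realloc": hp_addr_realloc,
        "hp_after_realloc": mem.read_u32(hp_addr_realloc),
        "stale_absolute_hp": mem.read_u32(hp_addr),
        "hp_addr_rebased": hp_addr_rebased,
        "hp_rebased": mem2.read_u32(hp_addr_rebased),
        "absolute_static_still_valid": absolute_static_still_valid,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value:#x}" if type(value) is int else f"{key:28} {value}")
```

Running it shows the frozen cell still holding 9999 at the old address after the reallocation while the chain now reports 1200 from the new object, which is exactly why a pointer scan result is saved as module+offset plus a list of offsets rather than as the green "static" address of one session.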

#2 chankianchiz (joined Mar 2012, 11 posts)
    em..... sorry friend, my English is bad. I don't understand what you wrote here. And can you post any hack here?

#3 shinz14 (joined Mar 2012, 57 posts, mood: Amazed)
    Quote Originally Posted by junyamada View Post
    I was able to re-create the trainer that Auphmihox posted: got the codes from Kokoiv's cheat table, re-created it and added an addition to make it work with the second client.
    Can you share your re-created trainer and how you got it to work with the 2nd client?
    I'm trying many ways to make it work but I haven't got it... kindly share your knowledge
    ^_^

#4 XxKotaxX (joined Jul 2011, 24 posts, mood: Amazed)
    I love you, you're my new god; I hope you get to accomplish this.

#5 junyamada (joined May 2012, 11 posts)
    Quote Originally Posted by chankianchiz View Post
    em..... sorry friend, my English is bad. I don't understand what you wrote here. And can you post any hack here?
    My goal for this thread is to understand more about programming/assembly/debugging, learn the best practices and exchange ideas.

    Quote Originally Posted by shinz14 View Post
    Can you share your re-created trainer and how you got it to work with the 2nd client?
    I'm trying many ways to make it work but I haven't got it... kindly share your knowledge
    ^_^
    Can you tell me what ways you have tried to get it to work? Not to be mean, I just want this to be interactive. And to answer your question, yes, I'll go and post the trainer once I have approval from the author.

    Quote Originally Posted by XxKotaxX View Post
    I love you, you're my new god; I hope you get to accomplish this.
    I hope so, I just want to learn more about it XD. And don't praise me, I haven't done anything.

#6 Argentino (joined Jul 2009, 2 posts, mood: Inspired)
    Yay for having an account and not having to register. Okay, let's see: what you have done so far in regard to experimenting is good, and maybe my input can help a little. Replies below on the possible things you might be able to do:

    1- Cooldowns in most games are hardcoded in the server; you can mess around with animations, but the server will prevent you from actually triggering a skill outside of the proper hardcoded time frame for it. The only reason movement no-CDs work is because of the way DN sees movement; this is also why teleport works. You can maybe try to alter plates (CD reduction) instead of skills, but this is most likely also hardcoded and calculated server-side on a formula that is not visible to the client at all. But maybe, and just maybe, you can make low-grade cooldown reduction plates calculate as high-grade ones; if GM-grade plates exist and this works, for example, then you've got yourself a godly hack.

    2- Pretty sure the server will check that all entities are dead somewhere server-side; you might be able to activate the portal but nothing happens.

    3- Should be doable; you can also maybe just capture and spam the return-to-town and return-to-field packets.

    4- Hmmm, interesting one; most likely a mixed success here. You might be able to hack it to move around, but debuffs, as in 1, are for sure server-side timed.

    5- Done already.

    6- Same.

    7- Item effects, if they did it right, will be undoable because the triggering of the skill requires the item. You should be able to test this with CE (alter the amount; might sound weird because most guides will tell you otherwise, but sometimes the server just does not check properly on these kinds of items; a cheap check and worth a shot) or packet editors (use one on chest X, and every dungeon you finish, spam that packet and see if it works with no item) with the free ones you get.

    8- Unlikely; non-permanent entities are probably part of a formula at map generation time on the server. It's either there or not, and this calculation probably takes a millisecond. You could probably read the received packet when you enter the chest map and determine if there is a chest or not. You could also probably "go back" a map and go back in to spam "chances" of it appearing, but this would require you to actually be able to move through maps at will (not teleporting only), which is most likely also not doable. Lots of experimenting for this one for sure.

    9- Fat chance; this one is not doable either. The item is bound to your character server-side and there's not much to do about that; it will be easier to maybe make broken stamps behave like regular ones, if anything.

    10- A lot of bosses require all entities dead and even the zone cleared; the server does check this. The only way I could see this working is with PE, but still, the packet might change every time you enter a dungeon.

    Now on the other ones I agree; enhancement is indeed as you describe, but if I were to try this I would not mess with it directly (most likely one of the most protected features of this game). There are more ways than one to skin a cat; however, it's very risky considering your name gets broadcast on whatever +12.


#7 junyamada (joined May 2012, 11 posts)
    Quote Originally Posted by Argentino View Post
    [Argentino's post #6 above, quoted in full]
    Thank you for your feedback on this. Highly appreciated.

    1. I'm well aware of what you are stating here; the possibility I'm thinking of is not bluntly "no skill cooldown", but the delay between uses of skills and attacks, which is limited by the technical aspects of a specific character (such as animation). One of the reasons I am quite positive about this is the results from NOP-ing the buff timer (which actually affects skills as well, as long as they display a timer on your character's status bar). One scenario is my character, an Engineer, whose ultimate is the "Demolition" skill. First, the limitation of the skill: "Demolition" has 2 shots (while restraining you on the ground for 7 seconds); LMB fires regular attacks while RMB fires a final attack, ending the skill as well (you can either fire the normal attacks for the whole 7 seconds or just fire a couple and end the "stance"). There are times when I cast that skill while the buff timer is NOP-ed that my char's animation won't go into "Ultimate" mode but stays normal. I was in Manticore's Nest and tried pressing RMB a lot of times, and what happened is that it gave off 3-4 ultimate shots 0.o, where it should've been only a single cast. The party's damage display is off so I'm only seeing my own damage on the boss. I was getting 4x 68k damage.

    - So yeah, this should be more applicable to normal attacks. Skill usage? Yes, they will still be limited by their cooldowns from the server, but skill execution should be faster.

    2. I don't know about that, although that's one of the reasons I really want to check it out. I want to make sure how the server checks things from the client. I'm just hung up a bit on a bug that happens occasionally while doing dungeons: there are times when you have cleared all of the enemies and one monster gets killed but stays in your sight, not moving, which then gets you stuck on the map. So that's pretty much something to look at.

    3. I wish I could, but in DN, whenever I sniff the packets while outside the town, i.e. in a dungeon, their respective incoming and outgoing addresses don't display properly; that's one of the reasons I cannot test these by interfering with the packets. And also, the packet format becomes different once you are outside of town. You won't be able to re-send them using WPE or RPE even if you pick/locate the correct addresses that the client is connected to.

    4. Well, in terms of movement, yes, I can move around and not be affected. In terms of how I look on other people's clients, I'm thinking like "this guy has a restraining debuff but why is he still able to move 0.o". Anyhow, I don't usually use these hacks when I'm playing with other people; I want to be as low profile as possible XD.

    - I still haven't checked it out properly using 2 clients side by side. I agree with you, this will apply to character movement and restrictions (in terms of animation). Buffs/debuffs such as +30% damage, -30% damage, +10% critical will be bound to the server. That's something we're not in control of.

    5. skip.

    6. skip.

    7. Yeah, I really wish it was that easy. But WPE/RPE don't seem to work outside the town (where some of my critical tests could've been applied T_T). I still haven't tried using Charles though; will that even work? XD. Anyhow, I remember one application that I used to use for packet sniffing and sending as well; I used it before (Ragnarok times, around 2003) to obtain the ports and addresses to use for botting. Anyhow, hopefully I can go ahead and test this out properly. It takes some amount of money in-game T_T.

    8. I don't have anything to say about this; it was just a hunch of mine XD.

    9. Oh, regarding broken seal stamps and the regular ones: they are still separated (individualized? how do you call it? acknowledged as what they are) by the server. I've tried that before, inspecting the packets sent by both regular and incomplete seal stamps. What I've noticed is the "supposed identifier" at the end of the packet (about a byte) that changes between using a regular one and an incomplete one. It changes from something like "x0" for regular stamps to "xF" for incomplete stamps... or vice versa...

    10. T_T I wish I could test this properly; I've only been successful at using PE in towns T_T.

    It would be a devastating thing to test because of that broadcast. Aside from that, Dragon Nest SEA, should I say, has some major loopholes. One of them is the inventory/guild inventory access that you can exploit. The guild inventory, specifically, can still be withdrawn from even if your privilege is just "Member" without access to Guild Storage. I have tested it using WPE; I have yet to test it using CE. But this is something I'm not used to doing. I don't like hacks that devastate or intrude on another character (scamming, hacking other players or whatever); that's why I've only been using the speed benefit of the buff timer, and when I'm farming alone, I use them all the way. I've been testing it on my other character's "1-man guild"; it's really broken. I mean, it can really affect a lot of people...

    I thank you for your insights on this. I really do. I hope to hear more. Thanks.
    Last edited by junyamada; 05-22-2012 at 07:37 PM.
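The packet-comparison approach used in this thread (diffing closely related functions such as trade-move versus delete in post #1, and regular versus incomplete seal stamps to find the trailing identifier byte in post #7), worked through as an added example. This is editor-added code, not the poster's captures; the packets are constructed to mimic the layout described in post #1 (function id, inventory slot and item id, the function id again, the item id again, a trailing flag) with made-up opcodes, and none of the bytes are real Dragon Nest values. It separates byte positions that vary between captures of the same action (slot, item) from positions that are fixed per action but differ across actions (the identifiers), then rewrites only the identifier bytes of a captured packet. As the soul-bound error in post #1 shows, this only recovers the client's encoding; whether the server accepts a retargeted packet is decided on the server's side.

```python
"""Differential analysis of captured game packets: find which byte
positions carry the function identifier and which carry per-item data,
then retarget a capture by rewriting only the identifier bytes.
Editor-added example; all packets below are constructed, not real captures."""

# Constructed captures, several per action so that per-capture noise (slot,
# item id) can be told apart from what the action itself fixes.  Layout:
#   byte 0  function id      byte 1    inventory slot
#   bytes 2-3 item id        byte 4    function id again
#   bytes 5-6 item id again  byte 7    trailing flag
SAMPLES = {
    "trade_move": [
        "3105B75131B75100",
        "310C9A02319A0200",
        "3102B75131B75100",
    ],
    "delete_item": [
        "3E05B7513EB75100",
        "3E0711203E112000",
    ],
    "seal_regular": [
        "4403B75144B75110",
        "44099A02449A0210",
    ],
    "seal_incomplete": [
        "4403B75144B7511F",
        "44099A02449A021F",
    ],
}


def parse_hex(hex_str):
    return bytes.fromhex(hex_str)


def column_values(packets, pos):
    """Set of byte values seen at one position across a list of packets."""
    return {p[pos] for p in packets}


def classify_positions(samples):
    """Map each byte position to 'per_capture' (varies inside some action),
    'discriminator' (fixed per action, differs between actions) or
    'constant' (identical everywhere)."""
    groups = {name: [parse_hex(h) for h in hexes] for name, hexes in samples.items()}
    lengths = {len(p) for pkts in groups.values() for p in pkts}
    if len(lengths) != 1:
        raise ValueError("positional diffing needs captures of equal length")
    kinds = {}
    for pos in range(lengths.pop()):
        per_group = {name: column_values(pkts, pos) for name, pkts in groups.items()}
        if any(len(vals) > 1 for vals in per_group.values()):
            kinds[pos] = "per_capture"
        elif len({next(iter(vals)) for vals in per_group.values()}) > 1:
            kinds[pos] = "discriminator"
        else:
            kinds[pos] = "constant"
    return kinds


def discriminators(samples, action_a, action_b):
    """Positions where both actions hold one fixed byte and those bytes
    differ: the candidate function/flag identifiers between the two."""
    pkts_a = [parse_hex(h) for h in samples[action_a]]
    pkts_b = [parse_hex(h) for h in samples[action_b]]
    found = []
    for pos in range(len(pkts_a[0])):
        vals_a, vals_b = column_values(pkts_a, pos), column_values(pkts_b, pos)
        if len(vals_a) == 1 and len(vals_b) == 1 and vals_a != vals_b:
            found.append((pos, vals_a.pop(), vals_b.pop()))
    return found


def retarget(packet_hex, samples, from_action, to_action):
    """Rewrite only the discriminator bytes of a captured from_action packet
    so it carries to_action's identifier; slot and item bytes stay as
    captured.  This is the replay-with-edit step done in a packet editor."""
    pkt = bytearray(parse_hex(packet_hex))
    for pos, _old, new in discriminators(samples, from_action, to_action):
        pkt[pos] = new
    return pkt.hex().upper()


if __name__ == "__main__":
    for pos, kind in classify_positions(SAMPLES).items():
        print(f"byte {pos}: {kind}")
    print("trade vs delete:", discriminators(SAMPLES, "trade_move", "delete_item"))
    print("regular vs incomplete stamp:",
          discriminators(SAMPLES, "seal_regular", "seal_incomplete"))
    print("delete capture retargeted to trade:",
          retarget("3E05B7513EB75100", SAMPLES, "delete_item", "trade_move"))
```

With these samples the two function-id bytes (positions 0 and 4) and the trailing flag (position 7) come out as discriminators and the slot and item bytes as per-capture noise; the stamp pair differs only in the trailing byte, which is the "x0 versus xF" observation from post #7. The more captures per action you feed in, the fewer positions are misclassified as fixed.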
