  1. #1

    mitshi flyff (range, teleport, bot) + source : update

    1 - open game or cheat as admin, order does not matter.

    Code:
    ; +-----------------------------------------------------------------+
    ; |   mitshi flyff v18 range and teleport coded in asm by: lava     |
    ; |      requested by  dota2_05301998 and  winterfall on mpgh       |
    ; |           started project on: 8.28.2015(m.d.y)                  |
    ; |                updated on 10.2.2015(m.d.y)                      |
    ; |  if you want to donate to lava:                                 |
    ; |       BTC: 19X7KKkMZsu4dLC3wd93N3UHiDJdomb6Vd                   |
    ; +-----------------------------------------------------------------+
    
    .386
    .model flat, stdcall
    option casemap :none
    
    system proto c :dword
    printf proto c :vararg
    
    include windows.inc
    include user32.inc
    include kernel32.inc
    include masm32.inc
    includelib msvcrt.lib
    
    includeLib user32.lib
    includeLib kernel32.lib
    includelib masm32.lib
    
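    .data
    ; ---- console text ------------------------------------------------
    ; The toggle handlers patch menu_items in place at fixed byte offsets
    ; (17/18, 61/62, 80/81 and 107/108), so the menu text below must keep
    ; its exact length and layout.
    hellomsg				db				"mitshi flyff v18 tools coded in asm by: lava ^^", 0Dh, 0Ah, "source code: https://www.mpgh.net/forum/showthread.php?t=1028505", 0Dh, 0Ah, 0
    cmd1					db				"PAUSE", 0
    cmd2					db				"CLS", 0
    menu_items				db				"1     - range : 0FF", 0Dh, 0Ah, "2     - shift + mouse click teleport : OFF", 0Dh, 0Ah, "3     - bot : 0FF", 0Dh, 0Ah, "4     - attack skill : 0F", 0dh, 0ah, "5     - exit", 0Dh, 0Ah, "toggle# ", 0
    ; Ten 3-byte entries (two characters + NUL), addressed as index * 3.
    ; The help sentence sits directly behind them, i.e. at "index 10".
    skills_to_use			db				"OF", 0, "F1", 0, "F2", 0, "F3", 0, "F4", 0, "F5", 0, "F6", 0, "F7", 0, "F8", 0, "F9", 0, "left and right arrow keys to move, press delete to activate", 0
    ; Virtual-key codes 70h..78h (VK_F1..VK_F9), one dword per entry.
    skills_to_activate		dd				70h, 71h, 72h, 73h, 74h, 75h, 76h, 77h, 78h
    skills_index			dd				0		; 0 = no skill, 1..9 = F1..F9
    draw_skills				db				"%c %s %c ", 0	; printf format: left mark, label, right mark
    nl						db				0Dh, 0Ah, 0Dh, 0Ah, 0
    ; ---- feature flags (0 = off, 1 = on) -----------------------------
    bo_range				db				0
    bo_teleport				db				0
    bo_bot					db				0
    b_skill					db				0		; not referenced in the code shown
    
    ; One-byte input buffer; every StdIn call passes it with length 1.
    bbuffer					db				1
    
    loadingmsg				db				"waiting for mitshi flyff", 0Dh, 0Ah, 0
    windowname				db				"Mitshi Flyff v18", 0
    failedmsg				db				"you dont have enough privileges to edit memory", 0Dh, 0Ah, 0
    failedmsg2				db				"theres no free clients", 0Dh, 0Ah, 0
    neuz_add				db				"neuz: ", 0
    
    ; ---- target process ----------------------------------------------
    hwnd					HWND			?		; window found by FindWindow
    pid						dd				?		; filled by GetWindowThreadProcessId
    hproc					HANDLE			?		; handle returned by OpenProcess
    
    me32					MODULEENTRY32	<>
    
    ckernel32_dll			db				"kernel32.dll", 0
    cmodule32first			db				"Module32First", 0
    
    dw_neuz					dd				?		; module base returned by get_neuz
    
    ; range variables (addresses inside the target, base + fixed offset)
    dw_range				dd				?
    dw_range_val			dd				?
    dw_range_all			dd				?
    dw_pointed				dd				?		; not referenced in the code shown
    
    ; teleport variables
    dw_x_click				dd				?
    dw_y_click				dd				?
    dw_z_click				dd				?
    dw_x_local_player		dd				?		; address of a pointer; see toggle_teleport
    dw_x_local_player_point	dd				?
    dw_y_local_player_point	dd				?
    dw_z_local_player_point	dd				?
    dw_x					dd				?		; local copies of the values read from the target
    dw_y					dd				?
    dw_z					dd				?
    
    ; bot variables
    dw_select				dd				?
    dw_select_val			dd				?
    dw_target_logging		dd				?
    b_log_targets			db				6 dup (?)	; 6-byte patch assembled in toggle_bot
    dw_target				dd				?
    dw_target_val			dd				0
    camera_x				dd				0
    dw_camera_start			dd				1100228751	; value rot_camera writes when camera_x passes its limit
    dw_is_att				dd				?
    dw_is_att_point			dd				?
    dw_camera_x				dd				?
    dw_camera_z				dd				?
    b4_camera_z_val			db				80h, 69h, 08h, 42h	; 4 bytes written to dw_camera_z by toggle_bot
    
    
    ; Only assigned in commented-out code in start; as shown it keeps its
    ; initial value while the exit path still passes it to WriteProcessMemory.
    dw_isused				dd				?
    
    snapshot				dd				?		; Toolhelp snapshot handle used by get_neuz
    
    ; Range patch bytes, read by toggle_range:
    ;   +0 0EBh      -> dw_range      (enable)   +2 77h      -> dw_range      (restore)
    ;   +1 7Fh       -> dw_range_val  (enable)   +3 00h      -> dw_range_val  (restore)
    ;   +4 90h, 90h  -> dw_range_all  (enable)   +6 75h, 12h -> dw_range_all  (restore)
    bytes_to_write			db				0EBh, 7Fh, 77h, 00h, 90h, 90h, 75h, 12h
    dw_range_section		dd				6		; not referenced in the code shown
    dw_old_range_section	dd				?		; not referenced in the code shown
    
    dw_null					dd				0		; zero dword written back to dw_x_click
    dw_used					dd				?
    dw_write_used			dd				10h
    
    ; Output buffer for dw2hex in print_menu. dw2hex stores eight hex digits
    ; plus a terminating NUL (9 bytes), so the former 4-byte buffer was
    ; overrun on every menu redraw; 12 bytes keeps the write inside the buffer.
    result					db				12 DUP(?)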
    
    .code
    ;-------------------------------------------------------------------
    ; start - program entry point (32-bit, stdcall Win32 API calls).
    ; Waits for the game window, opens its process, derives every address
    ; used later as "module base + fixed offset", starts the two worker
    ; threads and then falls through into the menu loop at begin.
    ; The offsets are constants, so they only match the client build the
    ; author targeted.
    ;-------------------------------------------------------------------
    start:
    	; setting fancy title ^^
    	push offset hellomsg
    	call SetConsoleTitle
    	
    ; loading mitshi flyff v18 ---|
    	push offset loadingmsg
    	call StdOut
    	
    ; Poll every 100 ms until a window with the title in windowname exists
    ; (class name argument is 0). There is no timeout.
    findwindow_loop:
    	push 100
    	call Sleep
    	
    	push offset windowname
    	push 0
    	call FindWindow
    	
    	test eax, eax
    	je findwindow_loop
    	
    	mov hwnd, eax
    	
    	; pid = process id that owns the window
    	push offset pid
    	push eax
    	call GetWindowThreadProcessId
    	
    	; Cross-process handle with VM operation/read/write rights (38h),
    	; not inheritable. Requesting these rights on another process is the
    	; step that access-control and handle monitoring can observe.
    	push pid
    	push 0
    	push [8h + 10h + 20h] ; PROCESS_VM_OPERATION + PROCESS_VM_READ + PROCESS_VM_WRITE
    	call OpenProcess
    	
    	test eax, eax
    	je end_failed
    	
    	mov hproc, eax
    	
    	; NOTE(review): the returned base is stored without a check; if
    	; get_neuz yields 0 every address below is just the bare offset.
    	call get_neuz
    	mov dw_neuz, eax
    	
    	; checking if client is used by another bot
    	; (disabled: dw_isused is therefore never assigned in the code shown)
    	;mov dw_isused, eax
    	;add dw_isused, 71DB38h
    	
    	;push 0
    	;push 4
    	;push offset dw_used
    	;push dw_isused
    	;push hproc
    	;call ReadProcessMemory
    	
    	;cmp dw_used, 10h
    	;je end_used_Already
    	
    	;push 0
    	;push 4
    	;push offset dw_write_used
    	;push dw_isused
    	;push hproc
    	;call WriteProcessMemory
    	
    	mov eax, dw_neuz			; eax = module base for all additions below
    	
    	; setting addresses to edit
    		; filling range variables
    		mov dw_range, eax
    		add dw_range, 28330Dh
    		
    		; dw_range_val = dw_range + 56h (the constant 4Fh + 7)
    		mov ecx, dw_range
    		mov dw_range_val, ecx
    		add dw_range_val, [4Fh +7]
    		
    		mov dw_range_all, eax
    		add dw_range_all, 2835E1h
    		
    		; filling teleport variables
    		mov dw_x_click, eax
    		add dw_x_click, 5DB6E4h
    		
    		mov dw_y_click, eax
    		add dw_y_click, 5DB6E8h
    		
    		mov dw_z_click, eax
    		add dw_z_click, 5DB6ECh
    		
    		mov dw_x_local_player, eax
    		add dw_x_local_player, 5E40B8h ; needs to be pointed and + 160h
    		
    		; filling bot variables
    		mov dw_select, eax
    		add dw_select, 5E7D68h
    		
    		mov dw_target_logging, eax
    		add dw_target_logging, 2EE48Ah
    		
    		; same offset as dw_x_local_player above
    		mov dw_is_att, eax
    		add dw_is_att, 5E40B8h
    		
    		mov dw_camera_x, eax
    		add dw_camera_x, 5E5384h
    		
    		mov dw_camera_z, eax
    		add dw_camera_z, 5E53B0h
    		
    		mov dw_target, eax
    		add dw_target, 5EF230h
    		
    	
    	; CreateThread(NULL, 0, teleport_thread, NULL, 0, NULL): the thread
    	; starts immediately; the handle returned in eax is not kept or closed.
    	push 0
    	push 0
    	push 0
    	push offset teleport_thread
    	push 0
    	push 0
    	call CreateThread
    	
    	; Same call for bot_thread.
    	push 0
    	push 0
    	push 0
    	push offset bot_thread
    	push 0
    	push 0
    	call CreateThread
    ; ----------------------------|
    
    ;-------------------------------------------------------------------
    ; begin - main menu loop.
    ; Clears the console, prints the menu, reads one byte into bbuffer and
    ; dispatches on '1'..'5' (31h..35h). Any other byte restarts the loop.
    ; NOTE(review): system is declared "proto c" and the caller does not
    ; adjust esp after the call, so each pass leaves 4 bytes on the stack.
    ;-------------------------------------------------------------------
    begin:
    	push offset cmd2
    	call system
    	
    	call print_menu
    	
    	; read one byte of console input
    	push 1
    	push offset bbuffer
    	call StdIn
    	
    	cmp bbuffer, 31h			; '1'
    	je toggle_range
    	cmp bbuffer, 32h			; '2'
    	je toggle_teleport
    	cmp bbuffer, 33h			; '3'
    	je toggle_bot
    	cmp bbuffer, 34h			; '4'
    	je change_skill
    	cmp bbuffer, 35h			; '5' = exit, everything else redraws
    	jne begin
    	
    	; Exit path: write the dword 12h to the address held in dw_isused.
    	; NOTE(review): dw_isused is only assigned in commented-out code in
    	; start, so as shown this write targets whatever the variable was
    	; initialised to; the return value is not checked either.
    	mov dw_write_used, 12h
    	
    	push 0
    	push 4
    	push offset dw_write_used
    	push dw_isused
    	push hproc
    	call WriteProcessMemory
    	
    	jmp end_process
    	
    ;-------------------------------------------------------------------
    ; print_menu
    ; Writes the banner, the module base as hex text and the menu to the
    ; console.
    ; In:    dw_neuz (global)
    ; Out:   result = hex text of dw_neuz; nothing meaningful in eax
    ; Note:  dw2hex stores eight hex digits plus a NUL, so result has to
    ;        provide at least 9 bytes.
    ; hex conversion reference:
    ; https://www.winasm.net/forum/index.php?showtopic=601
    ;-------------------------------------------------------------------
    print_menu:
    	invoke StdOut, addr hellomsg
    	
    	invoke dw2hex, dw_neuz, addr result	; result = hex(dw_neuz)
    	
    	invoke StdOut, addr neuz_add		; "neuz: "
    	invoke StdOut, addr result
    	invoke StdOut, addr nl
    	
    	invoke StdOut, addr menu_items
    	
    	ret
    	
    ;-------------------------------------------------------------------
    ; toggle_range - menu item 1.
    ; Flips bo_range, rewrites the on/off text inside menu_items and writes
    ; the matching bytes from bytes_to_write to three addresses in the
    ; target process. Returns to the menu with jmp begin (not a subroutine).
    ; Enable writes 0EBh, 7Fh and 90h 90h; disable writes back 77h, 00h and
    ; 75h 12h. If those addresses hold instruction bytes, that turns two
    ; conditional jumps (77h, 75h) into an unconditional jump and two NOPs,
    ; i.e. it removes a check that exists only on the client side.
    ; NOTE(review): none of the WriteProcessMemory results is checked, so
    ; the menu text can say "ON" although a write failed.
    ;-------------------------------------------------------------------
    toggle_range:
    	call intwice
    
    	lea eax, menu_items
    	cmp bo_range, 0
    	je range_enable
    	
    	; disabling range
    	mov bo_range, 0
    	mov byte ptr [eax + 17], 46h		; menu text "0FF"
    	mov byte ptr [eax + 18], 46h
    	
    	; rolling back range: 1 byte (77h) -> dw_range
    	push 0
    	push 1
    	push [offset bytes_to_write +2]
    	push dw_range
    	push hproc
    	call WriteProcessMemory
    	
    	; 1 byte (00h) -> dw_range_val
    	push 0
    	push 1
    	push [offset bytes_to_write +3]
    	push dw_range_val
    	push hproc
    	call WriteProcessMemory
    	
    	; for all: 2 bytes (75h, 12h) -> dw_range_all
    	push 0
    	push 2
    	push [offset bytes_to_write +6]
    	push dw_range_all
    	push hproc
    	call WriteProcessMemory
    	
    	jmp begin
    	
    	range_enable:
    		; enabling range like title says
    		mov bo_range, 1
    		mov byte ptr [eax + 17], 4Eh	; menu text "0N "
    		mov byte ptr [eax + 18], 20h		
    		
    		; editing range: 1 byte (0EBh) -> dw_range
    		push 0
    		push 1
    		push offset bytes_to_write
    		push dw_range
    		push hproc
    		call WriteProcessMemory
    		
    		; 1 byte (7Fh) -> dw_range_val
    		push 0
    		push 1
    		push [offset bytes_to_write +1]
    		push dw_range_val
    		push hproc
    		call WriteProcessMemory
    		
    		; for all: 2 bytes (90h, 90h) -> dw_range_all
    		push 0
    		push 2
    		push [offset bytes_to_write +4]
    		push dw_range_all
    		push hproc
    		call WriteProcessMemory
    		
    		jmp begin
    		
    ;-------------------------------------------------------------------
    ; toggle_teleport - menu item 2.
    ; Flips bo_teleport and the on/off text in menu_items. On enable it
    ; also reads the pointer stored at dw_x_local_player in the target and
    ; derives the three coordinate addresses from it (+160h, +164h, +168h).
    ; The actual position writes happen in teleport_thread.
    ; Returns to the menu with jmp begin.
    ;-------------------------------------------------------------------
    toggle_teleport:
    	call intwice
    
    	lea eax, menu_items
    	cmp bo_teleport, 0
    	je teleport_enable
    	
    	; disabling teleport
    	mov bo_teleport, 0
    	mov byte ptr [eax + 61], 46h		; menu text "OFF"
    	mov byte ptr [eax + 62], 46h
    	
    	jmp begin
    	
    	teleport_enable:
    		; enabling teleport
    		; NOTE(review): the flag is set before the addresses below are
    		; computed, while teleport_thread runs concurrently and reads them.
    		mov bo_teleport, 1
    		mov byte ptr [eax + 61], 4Eh	; menu text "ON "
    		mov byte ptr [eax + 62], 20h
    		
    		; dw_x_local_player_point = dword stored at dw_x_local_player.
    		; NOTE(review): the result is not checked; after a failed read
    		; the variable keeps its previous content and is still offset.
    		push 0
    		push 4
    		push offset dw_x_local_player_point
    		push dw_x_local_player
    		push hproc
    		call ReadProcessMemory
    		mov eax,dw_x_local_player_point
    		
    		; y
    		mov dw_y_local_player_point, eax
    		add dw_y_local_player_point, 164h
    		
    		; z
    		mov dw_z_local_player_point, eax
    		add dw_z_local_player_point, 168h
    		
    		; x
    		add dw_x_local_player_point, 160h
    		
    		jmp begin
    
    ;-------------------------------------------------------------------
    ; toggle_bot - menu item 3.
    ; Flips bo_bot and the on/off text in menu_items. On enable it also
    ; writes a 6-byte sequence to dw_target_logging and 4 bytes to
    ; dw_camera_z in the target. Returns to the menu with jmp begin.
    ; NOTE(review): the disable branch only clears the flag and the text;
    ; the bytes written to the target on enable are not restored, and the
    ; WriteProcessMemory results are not checked.
    ;-------------------------------------------------------------------
    toggle_bot:
    	call intwice
    	
    	lea eax, menu_items
    	cmp bo_bot, 0
    	je enable_bot
    	
    	; disabling bot
    	mov bo_bot, 0
    	mov byte ptr [eax + 80], 46h		; menu text "0FF"
    	mov byte ptr [eax + 81], 46h
    	
    	jmp begin
    	
    	enable_bot:
    		; enabling bot
    		mov bo_bot, 1
    		mov byte ptr [eax + 80], 4Eh	; menu text "0N "
    		mov byte ptr [eax + 81], 20h
    		
    		; Build the 6-byte sequence: the word 3589h is stored as the
    		; bytes 89h 35h, followed by the 32-bit value of dw_target.
    		; Read as x86 code that is "mov dword ptr [dw_target], esi".
    		mov word ptr [b_log_targets], 3589h
    		mov eax, dw_target
    		mov dword ptr [b_log_targets+2], eax
    		
    		; 6 bytes -> dw_target_logging
    		push 0
    		push 6
    		push offset b_log_targets
    		push dw_target_logging
    		push hproc
    		call WriteProcessMemory
    		
    		; 4 bytes (80h 69h 08h 42h) -> dw_camera_z
    		push 0
    		push 4
    		push offset b4_camera_z_val
    		push dw_camera_z
    		push hproc
    		call WriteProcessMemory
    		
    		jmp begin
    
    ;-------------------------------------------------------------------
    ; change_skill - menu item 4.
    ; Shows the skill list (print_skills) and then polls the keyboard:
    ; right/left arrow move skills_index within 0..9, Delete copies the two
    ; characters of the selected label into menu_items and returns to the
    ; menu with jmp begin.
    ; Control flow: print_skills never executes ret; it leaves through
    ; "je change_skills_end" below.
    ; NOTE(review): because of that, every "call print_skills" in the key
    ; handlers leaves its return address on the stack.
    ;-------------------------------------------------------------------
    change_skill:
    	call intwice
    	
    	jmp print_skills
    	
    	; mov byte ptr [eax + 80 +28], 4Eh
    	
    	change_skills_end:
    		push offset nl
    		call StdOut
    		
    		; Reached from print_skills with esi = 10, so eax points at
    		; skills_to_use + 30: the help sentence behind the ten labels.
    		lea eax, skills_to_use
    		add eax, esi
    		add eax, esi
    		add eax, esi
    		
    		push eax
    		call StdOut
    		
    		; Poll loop. Each test compares the GetAsyncKeyState result with
    		; exactly 8001h (key down and "pressed since the last call").
    		gettinginput:
    			push 27h ; VK_RIGHT
    			call GetAsyncKeyState
    			cmp ax, 8001h
    			jne gettinginput_1
    				
    				cmp skills_index, 9		; already at the last entry
    				je gettinginput_nothing
    				
    				inc skills_index
    				call print_skills
    				jmp gettinginput_nothing
    				
    			gettinginput_1:
    				push 25h ; VK_LEFT
    				call GetAsyncKeyState
    				cmp ax, 8001h
    				jne gettinginput_2
    					
    					cmp skills_index, 0	; already at the first entry
    					je gettinginput_nothing
    					
    					dec skills_index
    					call print_skills
    					jmp gettinginput_nothing
    					
    			gettinginput_2:
    				push 2Eh ; VK_DELETE
    				call GetAsyncKeyState
    				cmp ax, 8001h
    				jne gettinginput_nothing
    					
    					; esi = &skills_to_use[skills_index * 3]
    					lea esi, skills_to_use
    					add esi, skills_index
    					add esi, skills_index
    					add esi, skills_index
    					
    					mov cl, byte ptr [esi]
    					mov ch, byte ptr [esi +1]
    					
    					; show the chosen label after "attack skill : "
    					lea eax, menu_items
    					mov byte ptr [eax + 107], cl
    					mov byte ptr [eax + 108], ch
    					
    					jmp begin
    			
    			gettinginput_nothing:
    				push 10
    				call Sleep
    				
    				jmp gettinginput
    
    ;-------------------------------------------------------------------
    ; print_skills
    ; Clears the console and prints the ten skill labels on one line with
    ; printf("%c %s %c ", left, label, right). The entry whose index equals
    ; skills_index is framed with '[' and ']' (5Bh, 5Dh); all others get
    ; spaces (20h).
    ; Exit: jumps to change_skills_end with esi = 10. There is no ret,
    ;       although the block is entered both by jmp and by call.
    ; NOTE(review): system and printf are declared "proto c" and the
    ; caller does not adjust esp afterwards, so the pushed arguments stay
    ; on the stack (16 bytes per printf call).
    ;-------------------------------------------------------------------
    print_skills:
    	push offset cmd2
    	call system
    	
    	mov esi, 0					; esi = entry index
    	skills_loop:
    		cmp esi, 10
    		je change_skills_end
    		
    		; eax = &skills_to_use[esi * 3]
    		lea eax, skills_to_use
    		add eax, esi
    		add eax, esi
    		add eax, esi
    		
    		cmp esi, skills_index
    		je right_index
    		
    		; arguments are pushed right to left: right mark, label, left mark
    		push 20h
    		push eax
    		push 20h
    		
    		jmp skills_loop_end
    		
    		right_index:
    			push 5Dh			; ']'
    			push eax
    			push 5Bh			; '['
    			
    		skills_loop_end:
    			push offset draw_skills
    			call printf
    			inc esi
    			
    			jmp skills_loop
    			
    ;-------------------------------------------------------------------
    ; intwice
    ; Performs two one-byte StdIn reads into bbuffer, one after the other.
    ; The menu handlers call it right after the menu choice was read
    ; (presumably to consume the CR/LF that follows the digit - confirm).
    ; Out:   bbuffer is overwritten by each read
    ; Clobb: whatever StdIn clobbers
    ;-------------------------------------------------------------------
    intwice:
    	invoke StdIn, addr bbuffer, 1
    	invoke StdIn, addr bbuffer, 1
    	
    	ret
    
    ; damn usefull https://en.wikibooks.org/wiki/X86_Disassembly/Functions_and_Stack_Frames
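    ;-------------------------------------------------------------------
    ; get_neuz
    ; Takes a TH32CS_SNAPMODULE snapshot of process pid and returns the
    ; base address of the first module entry (presumably the client
    ; executable - confirm).
    ; In:    pid (global)
    ; Out:   eax = me32.modBaseAddr, or 0 when the snapshot, the lookup of
    ;        Module32First or the enumeration itself fails
    ; Side:  writes snapshot and me32; the snapshot handle is closed
    ;        before returning (the original leaked it)
    ; Clobb: eax, ecx, edx, flags
    ;-------------------------------------------------------------------
    get_neuz:
    	push pid
    	push 8 ; TH32CS_SNAPMODULE
    	call CreateToolhelp32Snapshot
    	mov snapshot, eax
    	cmp eax, -1 ; INVALID_HANDLE_VALUE
    	je get_neuz_failed
    	
    	; dwSize must be set before the first enumeration call
    	mov ecx, SIZEOF me32
    	mov me32.dwSize, ecx
    	
    	; Module32First is resolved by name at run time instead of being
    	; called through the import library.
    	push offset ckernel32_dll
    	call GetModuleHandle
    	test eax, eax
    	je get_neuz_close_failed
    	
    	push offset cmodule32first
    	push eax
    	call GetProcAddress
    	test eax, eax				; do not call through a null pointer
    	je get_neuz_close_failed
    	
    	push offset me32
    	push snapshot
    	call eax					; Module32First(snapshot, &me32)
    	test eax, eax
    	je get_neuz_close_failed
    	
    	push snapshot
    	call CloseHandle
    	
    	mov eax, me32.modBaseAddr
    	ret
    	
    get_neuz_close_failed:
    	push snapshot
    	call CloseHandle
    get_neuz_failed:
    	xor eax, eax				; 0 = no base address available
    	ret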
    	
    ; Error exit: prints failedmsg2, then leaves through end_process.
    ; In the code shown it is only referenced from commented-out lines.
    end_used_Already:
    	invoke StdOut, addr failedmsg2
    	jmp end_process
    
    ; Error exit taken when OpenProcess returns 0: prints failedmsg.
    end_failed:
    	invoke StdOut, addr failedmsg
    	jmp end_process
    	
    ; end program: run "PAUSE" so the console stays readable, then exit
    ; with code 0. ExitProcess does not return.
    end_process:
    	push offset cmd1
    	call system
    	
    	invoke ExitProcess, 0
    	
    ;-------------------------------------------------------------------
    ; teleport_thread - thread entry passed to CreateThread in start.
    ; Endless loop with a 10 ms sleep. While bo_teleport is 1 and the key
    ; state tests below pass, it copies the click coordinates read from the
    ; target to the three local-player coordinate addresses and then zeroes
    ; the stored x click value. Never returns.
    ; Shares bo_teleport and the dw_*_local_player_point variables with the
    ; menu thread without any synchronisation.
    ; NOTE(review): no ReadProcessMemory/WriteProcessMemory result is
    ; checked.
    ;-------------------------------------------------------------------
    teleport_thread:
    	cmp bo_teleport, 1
    	jne nothing
    	
    	; shift + mouse click teleport system
    	; 10h = VK_SHIFT; the result must be exactly 8000h
    	push 10h
    	call GetAsyncKeyState
    	cmp ax, 8000h
    	jne nothing
    	
    	; 1 = VK_LBUTTON; the result must be exactly 8001h
    	push 1
    	call GetAsyncKeyState
    	cmp ax, 8001h
    	jne nothing
    	
    	; shift + lbutton is clicked = going to write new local player pos
    		; reading click value, but sleeping first to sync (disabled)
    		;push 100
    		;call Sleep
    		
    		; Re-read the x click value until it is non-zero.
    		; NOTE(review): this loop has no sleep and no exit; if the read
    		; keeps failing or the value stays 0 the thread spins here.
    		read_again:
    			push 0
    			push 4
    			push offset dw_x
    			push dw_x_click
    			push hproc
    			call ReadProcessMemory
    			
    			cmp dw_x, 0
    			je read_again
    		
    		push 0
    		push 4
    		push offset dw_y
    		push dw_y_click
    		push hproc
    		call ReadProcessMemory
    		
    		; integer add on the raw 32-bit value that was read
    		add dw_y, 300000
    		
    		push 0
    		push 4
    		push offset dw_z
    		push dw_z_click
    		push hproc
    		call ReadProcessMemory
    		
    		; writing the values just read to the local player position
    		push 0
    		push 4
    		push offset dw_x
    		push dw_x_local_player_point
    		push hproc
    		call WriteProcessMemory
    		
    		push 0
    		push 4
    		push offset dw_y
    		push dw_y_local_player_point
    		push hproc
    		call WriteProcessMemory
    		
    		push 0
    		push 4
    		push offset dw_z
    		push dw_z_local_player_point
    		push hproc
    		call WriteProcessMemory
    		
    		; reset the stored x click value to 0 so read_again waits for
    		; the next click
    		push 0
    		push 4
    		push offset dw_null
    		push dw_x_click
    		push hproc
    		call WriteProcessMemory
    	
    	nothing:
    		push 10
    		call Sleep
    		
    		jmp teleport_thread
    
    ;-------------------------------------------------------------------
    ; get_select
    ; Follows one pointer in the target: reads the dword at dw_is_att,
    ; adds 3F0h and reads the dword at that address.
    ; Out:   eax = dw_is_att_point = value read by the second call
    ;        (bot_thread compares it with 5)
    ; NOTE(review): neither read is checked. If the first read fails,
    ; dw_is_att_point still holds the value from the previous call and is
    ; used, plus 3F0h, as the address for the second read.
    ;-------------------------------------------------------------------
    get_select:
    	; earlier variant that went through dw_select (disabled)
    	;push 0
    	;push 4
    	;push offset dw_select_val
    	;push dw_select
    	;push hproc
    	;call ReadProcessMemory
    	
    	;add dw_select_val, 20h
    	
    	;push 0
    	;push 4
    	;push offset dw_select_val
    	;push dw_select_val
    	;push hproc
    	;call ReadProcessMemory
    	
    	;mov eax, dw_select_val
    	
    	
    	; dw_is_att_point = [dw_is_att]
    	push 0
    	push 4
    	push offset dw_is_att_point
    	push dw_is_att
    	push hproc
    	call ReadProcessMemory
    	
    	add dw_is_att_point, 3F0h
    	
    	; dw_is_att_point = [dw_is_att_point]; source address and
    	; destination variable are the same global
    	push 0
    	push 4
    	push offset dw_is_att_point
    	push dw_is_att_point
    	push hproc
    	call ReadProcessMemory
    	
    	mov eax, dw_is_att_point
    	
    	ret
    
    ;-------------------------------------------------------------------
    ; set_select
    ; Reads the dword at dw_select into dw_select_val, adds 20h and writes
    ; the 4 bytes of dw_target_val to the resulting address in the target.
    ; In:    dw_target_val (filled by bot_thread before the call)
    ; Out:   eax = WriteProcessMemory result (callers ignore it)
    ; NOTE(review): the read is not checked; after a failed read the write
    ; goes to the previous dw_select_val + 20h.
    ;-------------------------------------------------------------------
    set_select:
    	push 0
    	push 4
    	push offset dw_select_val
    	push dw_select
    	push hproc
    	call ReadProcessMemory
    	
    	add dw_select_val, 20h
    	
    	push 0
    	push 4
    	push offset dw_target_val
    	push dw_select_val
    	push hproc
    	call WriteProcessMemory
    	
    	ret
    
    ;-------------------------------------------------------------------
    ; simulate_attack_key
    ; When skills_index is non-zero, takes a virtual-key code from
    ; skills_to_activate, maps it with MapVirtualKey(vk, 0) and posts
    ; WM_KEYDOWN to hwnd with wParam = key code and lParam = mapped value.
    ; Does nothing when skills_index is 0.
    ; Clobb: esi is overwritten and not restored.
    ; NOTE(review): skills_to_activate is a table of dwords, but esi is
    ; used as an unscaled byte offset; only esi = 0 reads a whole entry.
    ;-------------------------------------------------------------------
    simulate_attack_key:
    	cmp skills_index, 0
    	je simulate_attack_key_end
    	
    		mov esi, skills_index
    		dec esi					; menu index 1..9 -> table index 0..8
    		
    		push 0 ; MAPVK_VK_TO_VSC
    		push [skills_to_activate + esi]
    		call MapVirtualKey
    		
    		; PostMessage(hwnd, WM_KEYDOWN, key code, eax)
    		push eax
    		push [skills_to_activate + esi]
    		push 100h ; WM_KEYDOWN
    		push hwnd
    		call PostMessage
    	
    	simulate_attack_key_end:
    		ret
    
    ;-------------------------------------------------------------------
    ; rot_camera
    ; Reads the dword at dw_camera_x into camera_x. If it is greater than
    ; 1135000000 (signed compare) the value in dw_camera_start is written
    ; back; otherwise camera_x is increased by 60000 and written back.
    ; The arithmetic is done on the raw 32-bit integer value.
    ; Out:   eax = WriteProcessMemory result (callers ignore it)
    ; NOTE(review): the read is not checked; after a failed read the old
    ; camera_x is incremented and written again.
    ;-------------------------------------------------------------------
    rot_camera:	
    	push 0
    	push 4
    	push offset camera_x
    	push dw_camera_x
    	push hproc
    	call ReadProcessMemory
    	
    	cmp camera_x, 1135000000
    	jg make_camera_x_zero
    	
    	add camera_x, 60000
    	jmp end_of_camera_rot
    	
    	; limit passed: write the start value from dw_camera_start
    	make_camera_x_zero:
    		push 0
    		push 4
    		push offset dw_camera_start
    		push dw_camera_x
    		push hproc
    		call WriteProcessMemory
    		
    		ret
    	
    	; normal step: write the incremented value
    	end_of_camera_rot:
    		push 0
    		push 4
    		push offset camera_x
    		push dw_camera_x
    		push hproc
    		call WriteProcessMemory
    		
    		ret
    
    ;-------------------------------------------------------------------
    ; bot_thread - thread entry passed to CreateThread in start.
    ; Endless loop with a 10 ms sleep. While bo_bot is non-zero and
    ; get_select does not return 5, it steps the camera value, reads the
    ; dword at dw_target and, when that value lies in
    ; [10000000, 100000000) (signed compares), calls set_select and
    ; simulate_attack_key. Never returns.
    ; Shares bo_bot and skills_index with the menu thread without any
    ; synchronisation.
    ;-------------------------------------------------------------------
    bot_thread:
    	cmp bo_bot, 0
    	je end_of_bot
    	
    	call get_select
    	cmp eax, 5	
    	je end_of_bot
    	
    	call rot_camera
    	
    	; dw_target_val = dword at dw_target (result not checked)
    	push 0
    	push 4
    	push offset dw_target_val
    	push dw_target
    	push hproc
    	call ReadProcessMemory
    	
    	; accept only values inside the range described above
    	cmp dw_target_val, 100000000
    	jge end_of_bot
    	cmp dw_target_val, 10000000
    	jl end_of_bot
    	
    	call set_select
    	
    	call simulate_attack_key
    	
    	end_of_bot:
    		push 10
    		call Sleep
    	
    	jmp bot_thread
    end start
    virus scans:
    https://virusscan.jotti.org/en-US/fi...job/ukyppgqbng
    https://www.virscan.org/scan/671e0d0a...ab5fe1092db412



  3. #2
    File is clean

    /Approved

  4. #3
    Re-approved.


  6. #4
    Amazingly good

  7. #5
    Bot doesn't work ? Would be great if its detailed.

    (teleport - Teleports you where your cursor is pointed )

    P.S. Bot with attack skill doesn't work(Hang). But if its only Bot, it works
    Last edited by nicolaip32; 10-04-2015 at 08:42 AM.

  8. #6
    I have found this while scanning your file: 'HEUR/QVM20.1.Malware.Gen'
    Explain further please

  9. #7
    Quote Originally Posted by Sandy9 View Post
    I have found this while scanning your file: 'HEUR/QVM20.1.Malware.Gen'
    Explain further please
    lol, heuristic detections are common for cheats; they come from imports like ReadProcessMemory/WriteProcessMemory etc.

  10. #8
    Hey, how do I use this bot properly, whenever i start the bot the screen just starts going crazy and then it selects mob and changes select without killing mob. it is jus crazy XD, how should i use it?

  11. #9
    req sir can u make a hack for celestialflyff ^^ more powers and tnx

  12. #10
    @Yamiez patched ^^
