1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Creating variable AoBs

Method of creating variable AoBs

  1. Goldwing Applegleam
    Game Version:
    NOTICE: I am in no way a professional, do not regard me as such.

    I know that there are plenty of ways of creating variable AoBs. I will not discuss them all right now since I'll make this tutorial for rando's to understand and use. Please, deliver constructive criticism and give me ways to improve this. I love to become better at just about anything.

    Major creds for this clear and insanely useful guide from our beloved died-down MPCforums.

    Alright, Variable AoBs, now what would that be? I guess we all know what an address is right? For maplestory an address can be anything between 00400000 and (I believe) 01FFFFFF. This differs between patches though. But the starting memory point of maplestory has always been 00400000.

    So, let's say you got yourself a nice script that allows you to be the indefinitive expert at the game.

    Code (Text):
    3. //Logo skipper (bypass version)
    4. [Enable]
    5. 007F7DF9:
    6. db 75
    8. [Disable]
    9. 007F7DF9:
    10. db 74

    And then *BOOM* a patch. You really want to continue hacking, because why would anyone play legit?

    So there you are, someone providing a bypass for you already (because that's just how it works) and you only need to update the scripts.

    How does that work? Well, you will need to update the addresses at first. And in some cases the bytes that are changed need to be updated as well.

    To update the addresses you will need variable Array of Bytes. Generally referred to as Variable AoBs from here on out. We are nearing the core of this tutorial now.

    Alright. I’ll start with the most basic, ugly ways to create variable AoBs and will work towards the better, more software aesthetic ones.

    For everything you will need at least a basic understanding of Cheat Engine. Nothing advanced, nothing fancy.

    The first method:

    Go to your Memory View in cheat engine and check the address you want the aob for:

    In our case:
    Code (Text):
    1. 007F7DF9
    Click: "Go to address"
    Follow instructions.


    There you are.

    Alright. Ugly method nr1:
    Take the first bytes from every line for the first 10 lines and fill questionmarks for every bytes that are not the first. (Vague & ineffective, but requires 0 thinking.)

    Code (Text):
    1. MapleStory.exe+3F7DF9 - 74 ?          
    2. MapleStory.exe+3F7DFB - 2B ?          
    3. MapleStory.exe+3F7DFD - 81 ? ? ? ? ?  
    4. MapleStory.exe+3F7E03 - 0F86 ? ? ? ?  
    5. MapleStory.exe+3F7E09 - 5F            
    6. MapleStory.exe+3F7E0A - 88 ? ?        
    7. MapleStory.exe+3F7E0D - C6 ? ? ?    
    8. MapleStory.exe+3F7E11 - 5E            
    9. MapleStory.exe+3F7E12 - 5B            
    10. MapleStory.exe+3F7E13 - C3            
    11. MapleStory.exe+3F7E14 - 6A ?          
    12. MapleStory.exe+3F7E16 - E8 ? ? ? ?    
    13. MapleStory.exe+3F7E1B - 83 ? ?        
    14. MapleStory.exe+3F7E1E - 85 ?          
    And put them in an array:
    Code (Text):
    1. 74 ? 2B ? 81 ? ? ? ? ? 0F86 ? ? ? ? 5F 88 ? ? C6 ? ? ? 5E 5B C3 6A ? E8 ? ? ? ? 83 ? 85 ?
    TA-DA UGLY VARIABLE AoBs! Happy when you are!

    Next semi-ugly method:
    Comparing AoBs from several versions of maplestory/the game you're hacking. This requires more work if you do not already have regular AoBs. This method is more foolproof than the first one because it will most likely result in less addresses as a result of your search.

    Now we'll get to the somewhat better ways to create variable AoBs.

    For this, I will redirect you to this tutorial, I have tried but can not in any way improve or change this tutorial enough to make it worth my time and yours to write it down. Seriously, why don't we just agree that this tutorial is heaven.

    The link is dead, tutorial is posted here:
    Table Of Contents
    1. Purpose of this tutorial
    2. What exactly is an AOB
    3. How to make/find variable AOBs
    4. Questions and answers
    Part 1. Purpose of this tutorial
    Though this is very common sense, seems like many users don't have even a simple idea on how to find variable AOBs. Well, for that reason, i will explain how now.

    Part 2. What exactly is an AOB
    As said in many other tutorials AOB means Array Of Byte.
    When you start a program, it loads its components in your RAM memory. All those strange symbols you see in the bottom part of your cheat engine are bytes. Select a line and copy it. There, you got an array of bytes. A part of the disassembled code.

    Part 3. How to make/find variable AOBs
    You hack happily your game (in this case - Fagstory), but a patch comes and since you got some scripts you know they won't work anymore after the patch and you need to update them. After that you create a stupid thread with topic "How to update scripts". I close it, pointing you to the greatest search engine - google - where you, maybe, after a few hours of noob searching, understand, that you need to update the scripts via AOBs. After another stupid thread which i lock again you understand, that you need to update the addresses and pointers in your scripts via AOBs. Then you search even more after i closed your next thread and you stumble upon the tutorials on CEF on how to update scripts. Then you download a CEM/EXE of the previous version (let's say you have already updated to the next one) and you get AOBs. You take incredibly long AOB, but you still have one. You then go to your new exe, search for the AOB and find yourself with a finger in your mouth, since the search thingy on CE gave you "Nothing found". Here is where you need variable AOBs.

    The first method to get them is to compare two aobs from two different versions. Its not hard to make a variable AOB then. When you have, for example
    ts really easy what to change, isn't it?
    Your variable AOB is AB CD ? ? BA ? ? 0D
    But for this method you need to have AOBs from two different versions.

    Now, the 1337er method needs a look on the opcodes for the unexperienced updaters, when you learn your bytes assembly you won't need to look at them.
    Lets say, that the ridiculously long AOB you took up there is
    Addy: 00F013AA; Aob: 89 35 4C 30 F0 00 A1 90 33 F0 00 3B C6 75 1C 68 1C 21 F0 00 68 14 21 F0 00 E8 14 05 00 00 83 C4 08 C7 05 90 33 F0 00 02 00 00 00
    Now lets go to the region you took it from:
    Code (Text):
    2. 00F013AA - 89 35 4c 30 f0 00 - mov [00f0304c],esi
    3. 00F013B0 - a1 90 33 f0 00 - mov eax,[00f03390]
    4. 00F013B5 - 3b c6 - cmp eax,esi
    5. 00F013B7 - 75 1c - jne 00f013d5
    6. 00F013B9 - 68 1c 21 f0 00 - push 00f0211c
    7. 00F013BE - 68 14 21 f0 00 - push 00f02114
    8. 00F013C3 - e8 14 05 00 00 - call 00f018dc
    9. 00F013C8 - 83 c4 08 - add esp,08
    10. 00F013CB - c7 05 90 33 f0 00 02 00 00 00 - mov [00f03390],00000002
    A bunch of shit beyond your comprehension, isn't it?
    But heeey, what's that? Near the addys there are some parts of our AOB. Yeah, near 00F013AA stays 89 35 4c 30 f0 00, which is the first part from our AOB.
    Those are the bytes, and this whole array is the array of bytes. Now lets look at it again. Lets take only the first line for now.
    Code (Text):
    1. 00F013AA - 89 35 4c 30 f0 00 - mov [00f0304c],esip
    What do we see here? A mov command with first byte 89 (which means mov, if you check some more addresses), followed by what you move and where you move it. Take a look:
    Yes, the bytes are in reverse order. Google knows why, if you're interested. So, hmm, what can possibly change the next patch. The mov command? Yes, of course, but then it will mean, that they patched the hack. The register (esi)? - yes, but this happens really rare. The pointer? Yes, for sure! So, what do we have to do, to make this AOB variable?
    Elementary, my dear Watson. Ok, not so dear Watson, since you're no Watson. Take the pointer bytes out.
    So you get 89 35 ? ? ? ?. Now, lets take a look on the second addy.
    Here is the same. A1 means mov eax, 90 33 f0 00 is the address that will change, most likely. Then - A1 ? ? ? ?
    89 35 ? ? ? ? A1 ? ? ? ? until now.
    Here is easy. But keeping in mind, that the registry will most likely not change you should leave it like that.
    Here. That's a jump opcode - 75 means jne, 1c means how many addresses it jumps.
    The formula is <Addy> + 2 (because of the jump (75)) + 1c (in this case) bytes. If they make changes to this memory region 1c will be inaccurate, so try with 75 ?
    A push - 68 ? ? ? ?
    Another one - 68 ? ? ? ?
    A call - e8 ? ? ? ? (since the address it calls changes all the time)
    Some more shit - 83 c4 ?
    The final mov
    C7 05 (moving) ? ? ? ? (where) 02 ? ? ? ? (what). Here you can delete the question marks after the 02 since they are useless and wont bring up anything good.
    Now combine all parts of the array.
    In the end, your AOB should look like 89 ? ? ? ? A1 ? ? ? ? 3B C6 75 ? 68 ? ? ? ? 68 ? ? ? ? E8 ? ? ? ? 83 C4 ? C7 05 ? ? ? ? 02
    Note, that a call is 10 bytes (00F013C3 - e8 14 05 00 00 - call 00f018dc) and since each time the addy the call... umm... calls changes, so when you see E8 you automatically know, that the next 4 double bytes wont be the same next patch: E8 ? ? ? ?. Its the same with several kinds of opcodes you should learn.
    That's it.

    Part 4. Questions and Answers
    Q: Uhh... what is this used for?
    A: I don't know, i just randomly wrote it.

    Q: Okay, i followed your tutorial, but my AOB still doesn't find a shit
    A: You did something wrong or didn't took out a possible variable.

    Q: ?
    A: >_>

    snoopy likes this.