The code of patch.exe, which is used to inject the DLL, is posted on Post Pacific:
hxxp://www.postpacific.com/forum/viewtopic.php?t=2295
You can read it to see whether it's a virus or not...
;Static DLL Injection for MASM by Aphex
;http://www.iamaphex.cjb.net
;unremote@knology.net
;This uses code by Yodah and Freddy K
;What this does: It forces a PE to load a DLL every time it is run by
;patching the actual file. No other loaders or memory injectors are needed.
;How it does this: It opens the PE file, adds a section to the end of the file,
;alters the entry point to execute this section first. Then the new code loads
;a dll and jumps back to the original entry point where it runs as normal. ;)
;NOTE: you must add this linker option "/SECTION:.text,RWX"
;ml.exe /coff patch.asm /link /SECTION:.text,RWX /SUBSYSTEM:WINDOWS /OPT:NOREF
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
; Recovery record written before each guarded memory walk (Base and Address).
; SehHandler copies these three values into the faulting thread's CONTEXT, so
; execution continues at SaveEip with the stack and frame registers saved here.
SEH_STRUCT struct
; ESP as it was right after the SEH frame had been pushed
OrgEsp dword 0
; EBP at that point (the stub keeps its delta offset in EBP)
OrgEbp dword 0
; address at which execution is resumed after a fault
SaveEip dword 0
SEH_STRUCT ends
; Patcher-side data. None of this is copied into the target file; only the
; bytes between PatchBegin and PatchEnd in the code section are.
.data
;-------> Path to EXE to be patched with DLL <-------
; Relative file name, so it is resolved against the current directory.
szTarget byte 'L2Server.exe', 0
.data?
; handle returned by CreateFile for szTarget
dwFile dword ?
; size of the target file on disk before patching (GetFileSize)
dwSize dword ?
; bytes-transferred out-parameter for ReadFile / WriteFile (never inspected)
dwBytes dword ?
; original OptionalHeader.SizeOfImage; becomes the new section's RVA
dwImage dword ?
; in-memory copy of the file (GlobalAlloc, dwSize + 2000h bytes)
dwBuffer dword ?
; e_lfanew: file offset of the NT headers
dwHeader dword ?
; length in bytes of the stub (PatchEnd - PatchBegin)
dwLength dword ?
; section count read from the file header before it is incremented
dwSections dword ?
.data
; Shown only when CreateFile fails.
errmsg db 'failed to open l2server.exe',0
; Shown at the end of the run; no later API result is checked before it.
sucmsg db 'patching l2server.exe succeeded',0
; Message box caption used for both messages.
titlemsg db 'beepbeepboop',0
.code
; Entry point of patch.exe itself: skip over the stub and run the patcher.
EntryPoint:
jmp PatchEnd
; ---------------------------------------------------------------------------
; PatchBegin .. PatchEnd is the block that gets appended to the target file
; as a new section. Its first instruction jumps over the data embedded below.
; For triage: the strings 'LoadLibraryA' and 'patch.dll' and the name
; '.PATCH' are stored in clear text inside this block.
; ---------------------------------------------------------------------------
PatchBegin:
jmp SkipData
; 8-byte section name written into the new section header ('.PATCH' + 2 NULs)
szName byte '.PATCH', 2 dup (0)
; export name looked up in the located module's export table
szLoadLibrary byte 'LoadLibraryA', 0
;-------> Path to DLL to be patched into EXE <-------
; Relative name: it is handed to LoadLibraryA as-is, so the normal DLL search
; order of the patched process decides which file is loaded.
szDll byte 'patch.dll', 0
; recovery record used by SehHandler
SEH SEH_STRUCT <>
; resolved address of LoadLibraryA (filled at run time inside the target)
_LoadLibrary dword 0
; module base returned by Base (filled at run time inside the target)
dwKernelBase dword 0
; original entry point as an absolute address (ImageBase + RVA); written by
; the patcher before the block is copied into the target
dwEntryPoint dword 0
; value returned by LoadLibraryA for szDll
_DllOff dword 0
; ---------------------------------------------------------------------------
; Stub body that runs at the patched file's new entry point.
; Flow: save registers -> compute delta offset -> locate a module base via
; Base -> resolve LoadLibraryA via Address -> load szDll -> restore registers
; and jump to the original entry point. Any failure skips straight to Return,
; so the host program still starts.
; ---------------------------------------------------------------------------
SkipData:
assume fs:NOTHING
; preserve all general registers for the host's real entry point
pushad
; call/pop: EBP = run-time address of Root minus its assembled address.
; Every later [ebp + symbol] access therefore reaches the relocated copy.
call Root
Root:
pop ebp
sub ebp, offset Root
; PUSHAD occupies 20h bytes, so [esp + 20h] is the dword that was on top of
; the stack when the stub was entered.
; NOTE(review): presumably a return address inside kernel32 left by process
; start-up code; that depends on the OS version - confirm.
push dword ptr [esp + 20h]
call Base
or eax, eax
jz Return
mov [ebp + dwKernelBase], eax
; Address(module base, name): both arguments are removed by the callee
lea eax, [ebp + offset szLoadLibrary]
push eax
push [ebp + dwKernelBase]
call Address
or eax, eax
jz Return
mov [ebp + _LoadLibrary], eax
; LoadLibraryA(szDll); the result is stored but not checked
lea eax, [ebp + offset szDll]
push eax
call [ebp + _LoadLibrary]
mov [ebp + offset _DllOff], eax
Return:
; Put the original entry point into the saved-EAX slot of the PUSHAD frame
; (offset 1Ch), so POPAD restores every other register and leaves the jump
; target in EAX.
mov eax, [ebp + dwEntryPoint]
mov [esp + 1ch], eax
popad
jmp eax
; ---------------------------------------------------------------------------
; Base - find the base address of the module containing a given address.
; In:   [esp + 4] = an address inside the module
;       EBP       = delta offset set up at Root
; Out:  EAX       = address of the first 64 KB-aligned MZ/PE header found at
;                   or below the input, or the hard-coded fallback
; Uses: EBX, ESI, EDI; removes its argument (ret 4)
; Reads of unmapped memory are expected; the SEH frame installed here lets
; SehHandler resume the scan at Continue.
; ---------------------------------------------------------------------------
Base:
mov edi, [esp + 4]
; build an EXCEPTION_REGISTRATION record on the stack: {previous, handler}
lea eax, [ebp + offset SehHandler]
push eax
push dword ptr fs:[0]
; remember the state SehHandler must restore after a fault
lea eax, [ebp + offset SEH]
assume eax:ptr SEH_STRUCT
mov [eax].OrgEsp, esp
mov [eax].OrgEbp, ebp
lea ebx, [ebp + offset Continue]
mov [eax].SaveEip, ebx
; make the new record the head of the thread's handler chain
mov fs:[0], esp
assume eax:NOTHING
; round down to a 64 KB boundary
and edi, 0FFFF0000h
.while TRUE
.if word ptr [edi] == IMAGE_DOS_SIGNATURE
; follow e_lfanew (offset 3Ch) to the NT headers and check the PE signature
mov esi, edi
add esi, [esi + 03Ch]
.if dword ptr [esi] == IMAGE_NT_SIGNATURE
.break
.endif
.endif
Continue:
; step down one 64 KB block; also the resume point after a fault
sub edi, 010000h
; give up below 70000000h and return a fixed address instead
; NOTE(review): 0BFF70000h looks like a Windows 9x kernel32 base - confirm
.if edi < 070000000h
mov edi, 0BFF70000h
.break
.endif
.endw
xchg eax, edi
; unlink the SEH record and drop the handler pointer
pop dword ptr fs:[0]
add esp, 4
ret 4
; ---------------------------------------------------------------------------
; Address - resolve an exported function by name from a loaded module's
; export directory (a hand-written lookup in place of GetProcAddress).
; In:   [esp + 4] = module base, [esp + 8] = pointer to NUL-terminated name
;       EBP       = delta offset set up at Root
; Out:  EAX       = address of the export, or 0 if the headers are not MZ/PE
;                   or the name is not found
; Uses: EBX, ECX, EDX, ESI, EDI; removes both arguments (ret 8)
; After the two SEH pushes below the arguments are at [esp + 0Ch] (base) and
; [esp + 10h] (name).
; ---------------------------------------------------------------------------
Address:
; install an SEH frame, same layout as in Base
lea eax, [ebp + offset SehHandler]
push eax
push dword ptr fs:[0]
lea eax, [ebp + offset SEH]
assume eax:ptr SEH_STRUCT
mov [eax].OrgEsp, esp
mov [eax].OrgEbp, ebp
; the resume address is again Continue, the label inside Base's scan loop
lea ebx, [ebp + offset Continue]
mov [eax].SaveEip, ebx
mov fs:[0], esp
assume eax:NOTHING
; validate the DOS and NT signatures of the module
mov esi, [esp + 0ch]
.if word ptr [esi] != IMAGE_DOS_SIGNATURE
jmp Halt
.endif
add esi, [esi + 03Ch]
.if dword ptr [esi] != IMAGE_NT_SIGNATURE
jmp Halt
.endif
; ECX = length of the requested name including its terminator; the scan for
; the NUL byte is capped at 150 bytes
mov edi, [esp + 10h]
mov ecx, 150
xor al, al
repnz scasb
mov ecx, edi
sub ecx, [esp + 10h]
; offset 78h of the NT headers holds the export directory RVA (PE32 layout)
mov edx, [esi + 078h]
add edx, [esp + 0ch]
assume edx:ptr IMAGE_EXPORT_DIRECTORY
; EBX walks the array of name RVAs, EAX counts the index
mov ebx, [edx].AddressOfNames
add ebx, [esp + 0ch]
xor eax, eax
.repeat
; compare the current export name with the requested one over ECX bytes
mov edi, [ebx]
add edi, [esp + 0ch]
mov esi, [esp + 10h]
push ecx
repz cmpsb
.if zero?
; match: discard the saved length and leave with EAX = name index
add esp, 4
.break
.endif
pop ecx
add ebx, 4
inc eax
.until eax == [edx].NumberOfNames
; index ran off the end of the table: the name is not exported
.if eax == [edx].NumberOfNames
jmp Halt
.endif
; ordinal = AddressOfNameOrdinals[index] (16-bit entries, hence index * 2)
mov esi, [edx].AddressOfNameOrdinals
add esi, [esp + 0ch]
push edx
mov ebx, 2
xor edx, edx
mul ebx
pop edx
add eax, esi
xor ecx, ecx
mov word ptr cx, [eax]
; function RVA = AddressOfFunctions[ordinal] (32-bit entries, ordinal * 4)
mov edi, [edx].AddressOfFunctions
xor edx, edx
mov ebx, 4
mov eax, ecx
mul ebx
add eax, [esp + 0ch]
add eax, edi
mov eax, [eax]
; convert the RVA to an address in the loaded module
add eax, [esp + 0ch]
jmp Exit
assume edx:nothing
Halt:
; failure result
xor eax, eax
Exit:
; unlink the SEH record and drop the handler pointer
pop dword ptr fs:[0]
add esp, 4
ret 8
; ---------------------------------------------------------------------------
; SehHandler - exception handler registered by Base and Address.
; Takes the four arguments of a Win32 per-frame handler (C convention); only
; pContext is used. It overwrites Eip, Esp and Ebp in the CONTEXT with the
; values stored in the SEH record and returns ExceptionContinueExecution, so
; the faulting thread continues at SaveEip. The exception code is never
; examined, so every exception raised while the frame is installed is handled
; the same way.
; ---------------------------------------------------------------------------
SehHandler proc c pExcept:dword, pFrame:dword, pContext:dword, pDispatch:dword
mov eax, pContext
assume eax:ptr CONTEXT
; memory-to-memory copies done through the stack
push SEH.SaveEip
pop [eax].regEip
push SEH.OrgEsp
pop [eax].regEsp
push SEH.OrgEbp
pop [eax].regEbp
mov eax, ExceptionContinueExecution
ret
SehHandler endp
; ---------------------------------------------------------------------------
; PatchEnd - the patcher proper (runs in patch.exe, not in the target).
; Reads szTarget into memory, edits its PE headers, appends the stub
; (PatchBegin..PatchEnd) at the old end of file and writes the result back
; over the original.
;
; Traces left in a file processed by this routine, for triage:
;   - one extra section named '.PATCH' at the end of the section table, with
;     Characteristics 0E0000020h (code, execute + read + write)
;   - AddressOfEntryPoint equal to that section's VirtualAddress (the old
;     SizeOfImage), i.e. the entry point lies in the last section
;   - the first section's Characteristics replaced by 0E0000060h, which makes
;     it writable as well as executable
;   - SizeOfImage increased by 1000h; the section's raw data starts exactly
;     at the old end of file and SizeOfRawData is the raw stub length
;   - the file content changes, so a hash or signature computed over the
;     original file no longer matches
; Only the CreateFile result is checked; GetFileSize, GlobalAlloc, ReadFile
; and WriteFile are used without checking their results.
; ---------------------------------------------------------------------------
PatchEnd:
; dwLength = size of the stub in bytes
mov eax, offset PatchEnd
sub eax, offset PatchBegin
mov dwLength, eax
; open the target for read/write with share mode 0 (no sharing)
invoke CreateFile, offset szTarget, GENERIC_READ or GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0
.if eax == INVALID_HANDLE_VALUE
invoke MessageBox, NULL,addr errmsg,addr titlemsg,MB_OK
invoke ExitProcess, 0
.endif
mov dwFile, eax
; read the whole file into a zeroed buffer with 2000h bytes of slack
invoke GetFileSize, dwFile, 0
mov dwSize, eax
add eax, 2000h
invoke GlobalAlloc, GMEM_FIXED or GMEM_ZEROINIT, eax
mov dwBuffer, eax
invoke ReadFile, dwFile, dwBuffer, dwSize, offset dwBytes, 0
; ESI = buffer + e_lfanew (NT headers); dwHeader keeps e_lfanew
mov esi, dwBuffer
add esi, 03ch
mov eax, dword ptr [esi]
mov dwHeader, eax
sub eax, 03ch
add esi, eax
assume esi:ptr IMAGE_NT_HEADERS
; only AX is loaded here; the upper half of EAX still holds the upper half of
; (e_lfanew - 3Ch) from the subtraction above
mov ax, [esi].FileHeader.NumberOfSections
mov dwSections, eax
inc [esi].FileHeader.NumberOfSections
; The original entry point is stored as ImageBase + RVA. dwEntryPoint lives
; inside the stub in the code section, which is why the build notes require
; /SECTION:.text,RWX for patch.exe itself.
mov eax, [esi].OptionalHeader.AddressOfEntryPoint
add eax, [esi].OptionalHeader.ImageBase
mov dwEntryPoint, eax
; the old SizeOfImage becomes both the new section's RVA and the new entry
; point (EAX still holds it when AddressOfEntryPoint is written)
mov eax, [esi].OptionalHeader.SizeOfImage
mov dwImage, eax
add [esi].OptionalHeader.SizeOfImage, 1000h
mov [esi].OptionalHeader.AddressOfEntryPoint, eax
assume esi:NOTHING
; ESI = first section header; 0F8h is the size of IMAGE_NT_HEADERS for PE32,
; so a standard-size optional header is assumed
mov esi, dwBuffer
add esi, dwHeader
add esi, 0f8h
assume esi:ptr IMAGE_SECTION_HEADER
; overwrite the first section's flags: code + initialized data, RWX
mov eax, 0E0000060h
mov [esi].Characteristics, eax
; advance by 28h (one section header) times the original section count to
; reach the slot right after the last existing header; the code does not
; check whether that slot is unused
mov eax, 28h
mov ecx, dwSections
imul ecx
add esi, eax
; fill in the new header: 8-byte name copied as two dwords
mov eax, dword ptr [szName]
mov dword ptr [esi].Name1, eax
mov eax, dword ptr[szName+4]
mov dword ptr [esi].Name1+4, eax
mov eax, 1000h
mov [esi].Misc.VirtualSize, eax
mov eax, dwImage
mov [esi].VirtualAddress, eax
mov eax, dwLength
mov [esi].SizeOfRawData, eax
; raw data starts at the old end of file
mov eax, dwSize
mov [esi].PointerToRawData, eax
; code, execute + read + write
mov eax, 0E0000020h
mov [esi].Characteristics, eax
assume esi:NOTHING
; copy the stub to buffer + old file size (ESI = PatchBegin, EDI = dest)
mov edi, dwBuffer
add edi, dwSize
lea eax, PatchBegin
xchg esi, eax
mov ecx, dwLength
rep movsb
; rewrite the file in place from offset 0: old size + stub length bytes
invoke SetFilePointer, dwFile, 0, 0, FILE_BEGIN
mov eax, dwSize
add eax, dwLength
invoke WriteFile, dwFile, dwBuffer, eax, offset dwBytes, 0
invoke CloseHandle, dwFile
invoke GlobalFree, dwBuffer
; shown regardless of what ReadFile / WriteFile returned
invoke MessageBox, NULL,addr sucmsg,addr titlemsg,MB_OK
invoke ExitProcess, 0
end EntryPoint