Question to Shard...
absence
1st July 2007, 13:30
This is regarding your trainer, as you could have probably guessed. I've gone as far as updating the addresses, and yes, I did it correctly. The pointers are still all the same, and I managed to make a small trainer in CE to test whether the hacks work. Well, they do, but I get disconnected right when the hack is active: I can freeze my HP and I won't disconnect, but once I get hit the disconnect message comes up. Have the hacks been patched or have new security measures been put in place? I'm testing this on a private server, so there isn't any GameGuard. Thanks.
l33th4x0r
17th July 2007, 07:49
It's server-side detection, and it isn't new.
You just can't freeze your HP/MP/STM and expect the game not to notice it ^^
That's why people kept getting banned using PTA and other hacks like it...
I used PTA on both official and private servers and never got banned. Why? I only use stuff that I know doesn't get detected, like: exp hack, warp, skill train ^^
Shard
17th July 2007, 12:30
Some of the private servers (rPT for example) run their own server side anti-cheats which kick/ban you as soon as you are logged.
There are two ways of stopping the logs. The first is to make a HP regen hack (e.g. +30 HP/sec), except this would still get detected at high regens and wouldn't be as effective. The second is to take a look and see how the client changes HP without causing the log error and copy it.
absence
17th July 2007, 12:47
Some of the private servers (rPT for example) run their own server side anti-cheats which kick/ban you as soon as you are logged.
There are two ways of stopping the logs. The first is to make a HP regen hack (e.g. +30 HP/sec), except this would still get detected at high regens and wouldn't be as effective. The second is to take a look and see how the client changes HP without causing the log error and copy it.
May I ask have you been able to accomplish any of these HP hacks? I know the client has a section of code which corresponds to HP - it looks something like this:
mov eax,[02eb2600]
mov cx,[esp+04]
mov [eax+00000124],ecx
mov eax,[02eb2600]
cmp word ptr [eax+00000124],00
jnl initd3d+a21be
mov word ptr [eax+00000124],0000
mov eax,[02eb2600]
mov cx,[eax+00000126]
cmp [eax+00000124],cx
jnge initd3d+a21da
mov [eax+00000124],ecx
mov eax,[02eb2600]
mov dx,[01ba8540]
xor [eax+00000124],dx
jmp initd3d+2cb00
So in there lies what I'm looking for? Or would I have to do something with the HP pointers that you used for your trainer? I'll certainly be testing for an undetected HP hack.
Shard
19th July 2007, 13:55
May I ask have you been able to accomplish any of these HP hacks? I know the client has a section of code which corresponds to HP - it looks something like this:
mov eax,[02eb2600]
mov cx,[esp+04]
mov [eax+00000124],ecx
mov eax,[02eb2600]
cmp word ptr [eax+00000124],00
jnl initd3d+a21be
mov word ptr [eax+00000124],0000
mov eax,[02eb2600]
mov cx,[eax+00000126]
cmp [eax+00000124],cx
jnge initd3d+a21da
mov [eax+00000124],ecx
mov eax,[02eb2600]
mov dx,[01ba8540]
xor [eax+00000124],dx
jmp initd3d+2cb00
So in there lies what I'm looking for? Or would I have to do something with the HP pointers that you used for your trainer? I'll certainly be testing for an undetected HP hack.
Yes, I have accomplished both of them, although the second one took a while to figure out.
I have seen that function before, and it isn't really useful as it still causes the client energy bar errors.
Something which should be useful to know is that the 'character data' structure (0x02EB2600 contains a pointer to it in that code), is part of a larger 'user data' structure. The offset of the character data structure within the larger one is 0x388C, and therefore the offset of current HP within this structure is 0x39B0 (0x388C + 0x0124). It is this offset which is used when the client re-calculates HP.
If you want any more help, upload the game.exe you are using and I can give you a few hints in the form of memory addresses.
absence
20th July 2007, 03:54
Something which should be useful to know is that the 'character data' structure (0x02EB2600 contains a pointer to it in that code), is part of a larger 'user data' structure. The offset of the character data structure within the larger one is 0x388C, and therefore the offset of current HP within this structure is 0x39B0 (0x388C + 0x0124). It is this offset which is used when the client re-calculates HP.
So then, that section of code is only a tiny fragment of a larger picture. I'm not exactly sure what you mean by "0x02EB2600 contains a pointer to it in that code". Yes, 0x02EB2600 has 0x0124 as its pointer leading to the user's current HP, but you seem to be specifying that the 'character data' structure is an actual address. I tried pointing 0x02EB2600 to 0x39B0 and tried different variants but had no luck. Then I recalled something that seemed strange to me in the HP section of code I gave you earlier. The section of code is also followed by the code for STM and MP, but the strange part is that each section ends with a jump towards the same address, which led me to believe it was the start of this larger 'user data' structure. The jump led me to this: mov eax,[008b72c8] - an address used for a pointer - and, lo and behold, right below it is: add eax,0000388c - the offset used for the 'character data' structure. I took 008b72c8 and used the pointer 0x39B0 (0x388C + 0x0124) to get the re-calculated HP. Now my question is what do I do with this? Do I freeze it, or is it part of something further I need? I'm using PyePT for all this testing, so the address of 02EB2600 is actually 03089ca8. I'll send you a link to download the .exe of the game.
Shard
20th July 2007, 14:24
Sorry if I didn't explain this very well. Try and understand this:
struct User_Data
{
    BYTE Data[0x388C];              // everything before the character data
    struct Character_Data
    {
        BYTE Data[0x0124];          // everything before the HP fields
        short CurrentHP;            // offset 0x0124 within Character_Data
        short TotalHP;              // offset 0x0126 within Character_Data
    } Character;                    // starts at offset 0x388C within User_Data
};
So the Character_Data structure is part of the larger User_Data structure, and the offset of the Character_Data structure in the User_Data structure is 0x388C. Hence, the offset of the CurrentHP inside the User_Data structure is 0x388C+0x0124=0x39B0.
The new offset you have found (0x008B72C8), does contain a pointer to the User_Data structure.
*(DWORD*)0x008B72C8 + 0x39B0 == *(DWORD*)0x02EB2600 + 0x0124
So that would still give you the exact same address for the HP.
The reason I told you that offset (0x39B0) was just to point you in the right direction. I have just loaded PyePT.exe up in IDA, so I will give you an address and then you will see where I am coming from. ;)
absence
20th July 2007, 14:44
Yeah, I noticed how "*(DWORD*)0x008B72C8 + 0x39B0 == *(DWORD*)0x02EB2600 + 0x0124" are equal to each other. I'm just not sure what to do with it now. I tried freezing both at the same time and then separately, yet I still receive Disconnect from Server (4), so now I'm stuck at this part.
Shard
20th July 2007, 15:03
Here is the code you want, I have highlighted the useful parts.
005575F3 call sub_442D90
005575F8 mov eax, dword_8B7200
005575FD mov ecx, dword_8B72C8
00557603 mov edx, [ecx+39C8h]
00557609 mov esi, eax
0055760B imul esi, eax
0055760E or esi, eax
00557610 mov dword_1BACF24, esi
00557616 add edx, eax
00557618 mov dword_1BACF20, edx
0055761E xor esi, esi
00557620 mov si, [ecx+39B0h]
00557627 imul esi, eax
0055762A and esi, 0FFFFh
00557630 mov dword_1BACF28, esi
00557636 xor [ecx+39C8h], edx
0055763C mov eax, dword_8B72C8
00557641 mov edi, [eax+3A10h]
00557647 mov ecx, dword_1BACF24
0055764D xor edi, ecx
0055764F mov [eax+3A10h], edi
00557655 mov eax, dword_8B72C8
0055765A mov dx, word ptr dword_1BACF28
00557661 xor [eax+39B0h], dx
00557668 call sub_442D70
0055766D call sub_447870
00557672 call sub_4440D0
00557677 call sub_54D440
0055767C call sub_54B530
00557681 push 4
00557683 call sub_444280
00557688 add esp, 4
0055768B call sub_444620
00557690 call sub_40A2F0
This code splits the original HP into the 2 parts, which are XORed together to re-calculate the HP (to avoid hackers like ourselves).
From the code I have highlighted you can see that:
0x008B7200 contains some dword which is used to calculate the xored HP;
0x008B72C8 contains a pointer to the User_Data structure;
0x01BACF28 is the xored HP.
All of the functions which are called at the bottom are used to 'validate' the new data (this is the key).
So, in your hack, you want something like this:
short * pCurrentHP = (short*)( *(DWORD*)0x008B72C8 + 0x39B0 );
short * pTotalHP = (short*)( *(DWORD*)0x008B72C8 + 0x39B2 );
DWORD * pXorHP = (DWORD*)0x01BACF28;
DWORD * pCalcHP = (DWORD*)0x008B7200;
//imitate this process, but using total HP instead of current HP
*pXorHP = ( (*pTotalHP) * (*pCalcHP) ) & 0xFFFF;
*pCurrentHP = (*pTotalHP) ^ (short)(*pXorHP);
//call the same functions that the client does
__asm
{
call cs:[00442D70h]
call cs:[00447870h]
call cs:[004440D0h]
call cs:[0054D440h]
call cs:[0054B530h]
push 4
call cs:[00444280h]
call cs:[00444620h]
call cs:[0040A2F0h]
}
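As an added illustration (not code from the thread, from PTApocalypse, or from the game), this Python model follows the split-XOR HP storage described above: a mask of (HP * multiplier) & 0xFFFF is kept beside the HP word, which is stored XORed with that mask. The consistency check standing in for the client's validation routines is an assumption, since the thread does not show what those routines do; it demonstrates why an externally frozen HP word that bypasses the recalculation fails validation.

```python
# Added example, not from the thread. Models the HP storage scheme that the
# disassembly above describes; the validation logic itself is assumed.

class HpRecord:
    """Models the locations the post names: the HP word inside User_Data
    (offset 0x39B0), the multiplier dword (0x008B7200) and the 16-bit
    'xored HP' kept at 0x01BACF28."""

    def __init__(self, hp: int, calc: int) -> None:
        self.calc = calc & 0xFFFFFFFF   # stands in for the dword at 0x008B7200
        self.xor_hp = 0                 # stands in for 0x01BACF28
        self.stored_hp = 0              # stands in for the word at User_Data+0x39B0
        self.recalculate(hp)

    def recalculate(self, hp: int) -> None:
        # Mirrors 00557620..00557661: mask = (hp * calc) & 0xFFFF, then the
        # in-memory HP word is XORed with that mask.
        self.xor_hp = (hp * self.calc) & 0xFFFF
        self.stored_hp = (hp ^ self.xor_hp) & 0xFFFF

    def plain_hp(self) -> int:
        # Undo the XOR to recover the value the game logic works with.
        return (self.stored_hp ^ self.xor_hp) & 0xFFFF

    def validate(self) -> bool:
        # Assumed consistency check: the mask on record must be the one that
        # the recovered HP and the current multiplier would produce. A write
        # to the HP word that skips recalculate() breaks this relation.
        return ((self.plain_hp() * self.calc) & 0xFFFF) == self.xor_hp


def freeze_detected(hp: int, calc: int, frozen_value: int) -> bool:
    """Simulate an external write that pins the raw HP word to a fixed value
    without touching the mask, and report whether validation notices it."""
    rec = HpRecord(hp, calc)
    rec.stored_hp = frozen_value & 0xFFFF   # the 'freeze' overwrite
    return not rec.validate()


if __name__ == "__main__":
    # Constructed sample: 80 HP with an arbitrary multiplier value.
    rec = HpRecord(80, 0x12345)
    print("plain HP:", rec.plain_hp(), "valid:", rec.validate())
    print("frozen word detected:", freeze_detected(80, 0x12345, 89))
```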
absence
20th July 2007, 16:58
I understand everything you've explained, but what effect is this supposed to have in turn? Take this scenario: you have 80/89 HP; 80 would be the current HP and 89 would be the total HP. The value of the current HP is 5884431 while the value of the total HP is 1638489, making current HP much higher. Why is this? The current HP could be sliced and diced, as it is by the procedure at 00557620 - 00557630, into the Xor HP of 51807, then followed by the validation call procedures. Now if you change the following command:
00557620 mov si, [ecx+39B0h]
into
00557620 mov si, [ecx+39B2h]
then the slicing and dicing would occur with the Total HP instead of the Current HP. This in turn should give a different value for the Xor HP. That change in value isn't happening for me though, so could there be something wrong with what I'm doing? The following code is also changed:
00557661 xor [eax+39B0h], dx
into
00557661 xor [eax+39B2h], dx
which XORs the Total HP with the Xor HP. What effect is this supposed to have in turn on the whole HP?
Shard
20th July 2007, 17:31
It's kinda complicated if you are doing this from an external trainer, which I assume you are trying to do. That code is not called every time HP changes, it's only called once every few seconds, so if you are changing the code it won't have much of an effect. That's why I imitate that procedure and call it myself in PTApocalypse.
You shouldn't be changing that second line of code (00557661), otherwise it would be changing the total HP instead of current. Instead, you need to make the current HP equal to the total HP before it (0x39B2 => 0x39B0). So it is changing the current HP, but it is using the total HP as the starting value, therefore maximising HP.