EMS - v.20 Addresses

[Oninuva]

Unrandomizer EAX 0-?? - 64641D

Char/Item X - P: 6DE2E4 | O: 344
Char/Item Y - P: 6DE2E4 | O: 348

Unlimited Attack - P: 6DE2E4 | O: D70

No Breath - P: 6DE2E4 | O: 230

Tubi - P: 6DDA9C | O: 2050

Wall Vac - P: 6DD980 | O: Left: 4 | Top: 8 | Right: C | Bottom: 10


[ Scripts ]


MD5 Hash Script : (CEM is attached at the end of post)

Quote:
[ENABLE]

alloc(crc,100)
// 68E3E8 is last hashed memory address
alloc(dump,2675688)
loadbinary(dump,eMS.CEM)
label(back)

4470EC:
jmp crc
nop
back:

crc:
add ecx, dump-401000
mov esi, edi
push ebx
shr esi, 04
jmp back

[DISABLE]

4470EC:
mov esi, edi
push ebx
shr esi, 04

dealloc(crc)
dealloc(dump)

1 Hit God Mode :

Quote:
[ENABLE]

5C5A48:
je 005c5ea4

[DISABLE]

5C5A48:
jne 005c5ea4

Melee God Mode :

Quote:
[ENABLE]

5D045E:
je 005d0717

[DISABLE]

5D045E:
jne 005d0717

Super Tubi :

Quote:
[ENABLE]

469B88:
nop
nop

[DISABLE]

469B88:
jne 00469bc1

Swear Filter :

Quote:
[ENABLE]

43C23F:
nop
nop

[DISABLE]

43C23F:
je 0043c252

Shadow Partner :

Quote:
[ENABLE]

5C3D8C:
jne 005c41de

[DISABLE]

5C3D8C:
je 005c41de

Unlimited Attack + No Breath :

Quote:
[ENABLE]

5D24A8:
xor ecx,ecx

47DA18:
jmp 0047da3d

46B767:
jmp 0046b779

61FFF5:
jmp 0062000a

[DISABLE]

5D24A8:
mov [eax],ecx

47DA18:
jle 0047da3d

46B767:
jle 0046b779

61FFF5:
jle 0062000a

Levitate :

Quote:
[ENABLE]

5FF111:
jne 005ff2ec

[DISABLE]

5FF111:
je 005ff2ec

Pin Unrandomizer :

Quote:
[ENABLE]

alloc(pinunrandom,128)
label(returnhere)

588C9F:
jmp pinunrandom
returnhere:

pinunrandom:
add eax,edx
push edx
shr edx,1
mov [eax],edx
pop edx
cmp byte ptr [eax],0a
jmp returnhere

[DISABLE]

588C9F:
add eax,edx
cmp byte ptr [eax],0a
dealloc(pinunrandom)

Item Vac : (I incline to believe it's not Full Map)

Quote:
[ENABLE]

alloc(code,1024)
label(back)

code:
pushad
mov ecx, [ebp+8]
mov ebx, [ebp-24]
mov [ecx], ebx
mov [ecx+4], eax
mov ecx, eax
mov eax, ebx
lea edx, [eax-19]
mov [ebp-34], edx
lea edx, [ecx-32]
add eax, 19
add ecx, A
mov [ebp-30], edx
mov [ebp-2C], eax
mov [ebp-28], ecx
popad
push eax
push [ebp-24]
lea eax,[ebp-34]
jmp back

46F9E7:
jmp code
nop
nop
back:

[DISABLE]

46F9E7:
push eax
push [ebp-24]
lea eax,[ebp-34]

dealloc(code)

Lag Hack :

Quote:
[ENABLE]

5FDDB6:
jne 005fddc3

[DISABLE]

5FDDB6:
je 005fddc3

Crash Maple : (I dunno if anyone uses this o_O)

Quote:
[ENABLE]

64641D:
jmp 0

[DISABLE]

Uber Vac : (Follow instructions for Ranged)

Quote:
[ENABLE]

alloc(UberY,64)
alloc(CharY,16)
alloc(UberX,64)
alloc(CharX,16)
label(backux)
label(backuy)

UberX:
call 00646318
push eax
mov eax, [6DE2E4]
lea eax, [eax+344]
cmp ebx, eax
je CharX
mov eax, [eax]
//sub eax, 50 // Uncomment this line if you want Ranged !
mov [ebx], eax
pop eax
jmp backux

CharX:
pop eax
mov [ebx], eax
jmp backux

UberY:
call 00646318
push eax
mov eax, [6DE2E4]
lea eax, [eax+348]
cmp edi, eax
je CharY
mov eax, [eax]
mov [edi], eax
pop eax
jmp backuy

CharY:
pop eax
mov [edi], eax
jmp backuy

601812:
jmp UberX
backux:

601877:
jmp UberY
backuy:

[DISABLE]

601812:
call 00646318

601877:
call 00646318

dealloc(UberY)
dealloc(CharY)
dealloc(UberX)
dealloc(CharX)

Timed DupeX :

Quote:
[ENABLE]

registersymbol(DX)
registersymbol(DXListOffset)
registersymbol(DXType)
alloc(DX, 1024)
alloc(DXListOffset, 4)
alloc(DXType,4)
alloc(DXFindChar, 1024)
alloc(ESIList, 1024)
alloc(EDIValue, 4)
alloc(DXMap,4)
label(CompareOffset)
label(StoreESI)
label(DoNormal)
label(LeaveMe)
label(DXMonster)
label(NoDupe)
label(DoVac)

alloc(DXCounter,4)
registersymbol(VacTime)
registersymbol(TotalTime)
alloc(VacTime,4)
alloc(TotalTime,4)
alloc(DXCounter,4)
label(DXPause)
label(DXResetCounter)
label(DXReset)
label(back)

DXCounter:
add [eax],al
add [eax],al

VacTime:
js 0ff90c16
add [eax],al

TotalTime:
or [edi],al
add [eax],al

DXCounter:
sub al,01
add [eax],al

//Original Code
DXListOffset:
add [eax],al
add [eax],al

DXType:
add [eax],al
add [eax],al

DX:
push eax
push ebx
push ecx
push edx
mov ebx,[DXType]
cmp ebx, 00 // 0 = Do Nothing
je NoDupe
cmp ebx, 01
je DXFindChar
cmp ebx, 02
je DoVac
cmp ebx, 03
je DoVac
//Modified Code
cmp ebx, 04
je DXReset
jmp DoNormal

DXFindChar:
mov [esi+114],edi
mov eax,0
mov ebx,DXListOffset
mov ecx,ESIList
mov edx,EDIValue

CompareOffset:
cmp eax,[ebx]
je StoreESI
cmp esi,[ecx+eax*4]
je LeaveMe
inc eax
jmp CompareOffset

StoreESI:
mov [ecx+eax*4],esi
inc eax
mov [ebx],eax
mov [edx],edi

DoVac:
mov eax,[DXCounter]
cmp eax,[VacTime]
inc eax
mov [DXCounter],eax
jae DXPause
//Original
mov ebx,[DXListOffset]
dec ebx
mov ecx,ESIList
mov eax,[ecx+ebx*4]
cmp esi,eax
je DoNormal

mov ebx,[DXType]
cmp ebx, 02
jne DXMonster
mov edi,[eax+114]
jmp DoNormal

DXMonster:
cmp ebx, 03
jne NoDupe
mov edi,[EDIValue]
jmp DoNormal

NoDupe:
mov ebx, 0
mov [DXListOffset],ebx
mov [DXCounter],0

DoNormal:
mov [esi+114],edi

LeaveMe:
pop edx
pop ecx
pop ebx
pop eax
jmp back

DXPause:
cmp eax,[TotalTime]
jae DXResetCounter
jmp DoNormal

DXResetCounter:
mov [DXCounter],0
jmp DoNormal

DXReset:
mov ebx, 0
mov [DXListOffset],ebx
mov [DXCounter],0
mov [DXType],1
jmp DoNormal

600973:
jmp DX
nop
back:

[DISABLE]

600973:
mov [esi+114],edi

dealloc(DXFindChar)
dealloc(DXListOffset)
dealloc(ESIList)
dealloc(DX)
dealloc(EDIValue)
dealloc(DXCounter)
unregistersymbol(DX)
unregistersymbol(DXListOffset)
unregistersymbol(DXType)

Item Filter :

Quote:
[ENABLE]

alloc(itable,4096)
alloc(ifilter,1024)
alloc(icount,4)
label(end)
label(CS)
label(loop)
label(back)

ifilter:
push ebx
push edx
xor ebx,ebx
xor ecx,ecx
mov edx,itable

loop:
cmp ebx,[icount]
je end
cmp eax,[edx+ecx]
je CS
add ecx,4
inc ebx
jmp loop

end:
pop edx
pop ebx
mov [edi+34],eax
mov edi,[ebp-14]
jmp back

CS:
pop edx
pop ebx
mov [edi+34],0
mov edi,[ebp-14]
jmp back

itable:
dd 3D8286
dd 3D8285
// add item IDs here following the syntax above (dd item_id_in_hex)

icount:
dd 02 // also keep in mind that any item added above will increase this with 1

470B45:
jmp ifilter
nop
back:

[DISABLE]

470B45:
mov [edi+34],eax
mov edi,[ebp-14]

Invisible Character : (Yes, client sided)

Quote:
[ENABLE]

5C5B59:
jne 005c5b5f

[DISABLE]

5C5B59:
je 005c5b5f

[Danieru]

Thanks Oninuva ;)
Well, i need to spread some reputation, hehe
Any ways, you have enough (lmao)

Thanks again xD
~~ Come all europeans, let's hack the <cens> out of eMS before we get restarted (More info on eMS homepage)