Relic

Everything posted by Relic

  1. As far as I can tell, that offset isn't used to show/hide the damage number. I don't think it's possible to do so via the MsgMagicEffect packet. Looking at the MsgMagicEffect.Process function in Ghidra, these are the only two places where that offset is referenced: as you can see, it's only being used by the ToxicFog and PoisonStar spells.
  2. Yeah, my bad, forgot to mention to use the x32 version. No, the two shouldn't affect each other. In the above edit, all we're doing is changing (patching) the instruction bytes at the static address 0x004ED6F4 from "FF E1" (jmp ecx) to "EB 16" (jmp 0x004ED70C). For a custom resolution edit, you'd be patching a completely different address (or addresses).
  3. I'll give a quick breakdown of how I went about patching this. Assembly basics, debugging assembly and DLL injecting/hooking are beyond the scope of this tutorial. You'll need to learn/practice this on your own if you want to understand what's truly happening.

     So when you open > 2 clients, a browser window pops up and takes you to "http://co.91.com/signout/". We can use this URL string to see where it's being accessed in the client. For this tutorial I'm assuming you'll be using x64dbg as the debugger. You should also have 2 version 5187 clients open.

     1. Open up Conquer.exe in a debugger
     2. Go to the "Symbols" tab => double click the "Conquer.exe" module
     3. Right click => Search For => Current Module => String references
     4. Enter the URL "http://co.91.com/signout/"
     5. Double click on the first result
     6. Set a breakpoint (F2)

     In order to launch Conquer within x64dbg you'll need to set the "blacknull" process argument:

     1. Open File => Change Command Line => add "blacknull" to the end of the line (it will look like "../path/to/conquer/conquer.exe" blacknull)
     2. Close the session (square icon)
     3. Restart the session (refresh icon)

     When you restart, the breakpoint we set earlier should be hit. From here you:

     1. Click on the "Call Stack" tab
     2. Double click on the second entry

     You should see some code similar to this:

     Notice the "jmp ecx" instruction at address 0x004ED6F4. We want to patch this so it jumps to address 0x004ED70C, which essentially skips the multi-client check logic:

     1. Press space => change "jmp ecx" to "jmp 0x004ED70C"

     Now you can either directly patch Conquer.exe with this instruction change (not recommended) or you can write your own DLL to inject.

     To patch directly:

     1. Right click => Patches => Patch File => Save As Conquer.exe
     2. Save your old Conquer.exe, replace it with this new one

     To patch via a C++ DLL, it would look something like this, which you'd compile and inject into Conquer.exe:

```cpp
#include <windows.h>
#include <cstring>

// Overwrite `size` bytes at `dst` with `src`, temporarily making the page writable.
void Patch(char* dst, const char* src, int size)
{
    DWORD oldprotect;
    VirtualProtect(dst, size, PAGE_EXECUTE_READWRITE, &oldprotect);
    memcpy(dst, src, size);
    VirtualProtect(dst, size, oldprotect, &oldprotect);
}

// Convenience overload taking the raw static address (x32 client, so int is wide enough).
void Patch(int address, const char* opcodes, int size)
{
    Patch((char*)address, opcodes, size);
}

DWORD WINAPI MyThread(LPVOID lpParameter)
{
    // Overwrites the "jmp ecx" (FF E1) at this address with two of our own bytes:
    // EB 16 = jmp short 0x004ED70C, skipping the multi-client check
    Patch(0x004ED6F4, "\xEB\x16", 2);
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Do the patch from a separate thread rather than inside the loader lock
        CreateThread(NULL, 0, MyThread, NULL, 0, NULL);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```

     If you have any questions let me know.
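The two points the posts above rely on (post 2's "FF E1" → "EB 16" byte change and post 3's DLL patch) are easy to get wrong when the target address moves: the rel8 in a short jmp is relative to the end of the instruction, and blindly overwriting two bytes in a client build where the "jmp ecx" is somewhere else corrupts whatever happens to be there. The following is an added example, not code from Relic's posts or from the CSV3 project. It encodes the jump for any pair of addresses (falling back to the 5-byte E9 form when the short form doesn't reach) and only applies a patch after checking that the original bytes are what we expect. The addresses 0x004ED6F4 / 0x004ED70C and the FF E1 / EB 16 bytes come from the posts; the 32-byte in-memory "code section" is constructed here so the code runs offline, and the memcpy would sit between the VirtualProtect calls from the post in a real DLL.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Encode an x86 JMP located at `from` that lands on `to`.
 * Uses the 2-byte short form (EB rel8) when the displacement fits in a
 * signed byte, otherwise the 5-byte near form (E9 rel32). The displacement
 * is relative to the end of the jump instruction, which is why the short
 * jump from 0x004ED6F4 to 0x004ED70C in the post encodes as EB 16
 * (0x004ED70C - (0x004ED6F4 + 2) = 0x16). Returns the encoded length. */
size_t encode_jmp(uint32_t from, uint32_t to, uint8_t out[5])
{
    int32_t rel8 = (int32_t)(to - (from + 2));
    if (rel8 >= -128 && rel8 <= 127) {
        out[0] = 0xEB;
        out[1] = (uint8_t)rel8;
        return 2;
    }
    int32_t rel32 = (int32_t)(to - (from + 5));
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)            /* little-endian immediate */
        out[1 + i] = (uint8_t)(rel32 >> (8 * i));
    return 5;
}

/* Compare the encoding of from->to against `want` (helper for checks). */
int encode_equals(uint32_t from, uint32_t to, const uint8_t *want, size_t want_len)
{
    uint8_t buf[5];
    size_t n = encode_jmp(from, to, buf);
    return n == want_len && memcmp(buf, want, n) == 0;
}

/* Write `len` patch bytes at virtual address `addr` inside `image`, a buffer
 * standing in for the mapped code section that starts at address `base`.
 * The write only happens when the bytes currently there match `expect`, so
 * a client build where the check moved (or a second, accidental injection)
 * is refused instead of corrupting unrelated code.
 * Returns 1 on success, 0 if the bounds or the pre-check fail. */
int patch_checked(uint8_t *image, size_t image_len, uint32_t base,
                  uint32_t addr, const uint8_t *expect,
                  const uint8_t *patch, size_t len)
{
    if (addr < base || (size_t)(addr - base) + len > image_len)
        return 0;
    uint8_t *dst = image + (addr - base);
    if (memcmp(dst, expect, len) != 0)
        return 0;
    memcpy(dst, patch, len);
    return 1;
}

/* Walk through the post's patch on a constructed 32-byte stand-in for the
 * code around 0x004ED6F4 (addresses from the post; the surrounding filler
 * bytes are made up). Returns 1 when every step behaves as expected. */
int demo_patch(void)
{
    const uint32_t base = 0x004ED6F0, at = 0x004ED6F4, target = 0x004ED70C;
    const uint8_t jmp_ecx[2] = { 0xFF, 0xE1 };
    uint8_t image[32];
    memset(image, 0x90, sizeof image);          /* NOPs as filler */
    memcpy(image + (at - base), jmp_ecx, 2);    /* the original "jmp ecx" */

    uint8_t patch[5];
    size_t n = encode_jmp(at, target, patch);
    if (n != 2 || patch[0] != 0xEB || patch[1] != 0x16)
        return 0;

    /* First application succeeds and leaves EB 16 in place. */
    if (!patch_checked(image, sizeof image, base, at, jmp_ecx, patch, n))
        return 0;
    if (memcmp(image + (at - base), patch, n) != 0)
        return 0;
    /* Re-applying is refused: the bytes there are no longer FF E1. */
    if (patch_checked(image, sizeof image, base, at, jmp_ecx, patch, n))
        return 0;
    /* A write that would run past the mapped region is refused too. */
    if (patch_checked(image, sizeof image, base, base + 31, jmp_ecx, patch, n))
        return 0;
    return 1;
}

int main(void)
{
    uint8_t b[5];
    size_t n = encode_jmp(0x004ED6F4, 0x004ED70C, b);
    printf("jmp 0x004ED6F4 -> 0x004ED70C encodes as");
    for (size_t i = 0; i < n; i++)
        printf(" %02X", b[i]);
    printf("\ndemo_patch: %s\n", demo_patch() ? "ok" : "FAILED");
    return demo_patch() ? 0 : 1;
}
```

If you go the DLL route, the pre-check is the part worth keeping: read the two bytes at 0x004ED6F4 first and bail out (or look up the address for that build) when they aren't FF E1, rather than trusting a static address across client versions.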
  4. The base hooking code is from InfamousNoone's CSV3 project, https://subversion.assembla.com/svn/conquerserverv3/CSV3Hook/CSV3Hook.cpp.