TSXClient - DLL Development
Discussion on TSXClient - DLL Development within the 12Sky2 forum part of the MMORPGs category.
View Poll Results: Do you find this useful?
Yes: 61 (89.71%)
No: 7 (10.29%)
06/25/2011, 18:39
#46
elite*gold: 0
Join Date: Dec 2009
Posts: 1,777
Received Thanks: 1,003
Managed to make a script to fix the character select background. It's a Cheat Engine auto assembler script, so you will need to copy and paste it into Cheat Engine and assign it to the table. Click Memory View, then Tools > Auto Assembler, then paste it in and go File > Assign to table.
It sets the background picture to one relevant to the character's faction, and in character create it sets it relevant to the faction selected.
Code:
// This script will fix the background at the character select screen in Twelve Sky 2
// Programmed by MegaByte
[ENABLE]
// code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) // 2 KB should be enough
label(returnhere)
label(originalcode)
label(exit)
label(CharacterSelect)
label(CharacterSelectCharacterExists)
label(CharacterCreate)
label(Guanyin)
label(Fujin)
label(Jinong)
label(Done)
label(SetBackground)
newmem: // this is allocated memory, you have read, write, execute access
push eax
push ecx
// ecx contains the sub screen (0118AED8); 2 means the character create screen, so branch there
cmp ecx,2
je CharacterCreate
CharacterSelect:
// See which character slot (0, 1 or 2) is selected
mov ecx,[0118AEDC]
// Check if a character exists in that slot: slot records are 1844h bytes apart, starting at 0115EA00
mov eax,1844
imul eax,ecx
add eax,0115EA00
mov ecx,[eax]
cmp ecx,0
jnz CharacterSelectCharacterExists
// No character in that slot: use the empty-slot background (94Dh = 2381)
mov eax,94D
jmp Done
CharacterSelectCharacterExists:
// Get the character's faction in ecx
add eax,2C // offset of the faction field within the slot record
mov ecx,[eax] // read faction into ecx
jmp SetBackground
CharacterCreate:
// Get the faction selected on the character create screen in ecx
mov ecx,[011632F4]
jmp SetBackground
SetBackground:
cmp ecx,2
je Jinong
cmp ecx,1 // the original post had 'CMP ecx 1' (missing comma), which the auto assembler rejects
je Fujin
Guanyin:
mov eax,94F // 2383
jmp Done
Fujin:
mov eax,950 // 2384
jmp Done
Jinong:
mov eax,951 // 2385
jmp Done
Done:
// Set the background image
mov [0118AED4],eax
pop ecx
pop eax
// Original code (the 7 bytes displaced by the jmp + 2 nops below)
originalcode:
mov [ebp-4C],ecx
cmp dword ptr [ebp-4C],01
exit:
jmp returnhere
"TwelveSky2.exe"+62FB7:
jmp newmem
nop
nop
returnhere:
// Neutralise the game's own faction-background writes (their original immediates are restored in [DISABLE])
"TwelveSky2.exe"+62D69:
mov [edx+0000826C],00000001
"TwelveSky2.exe"+62D78:
mov [eax+0000826C],00000001
"TwelveSky2.exe"+62D87:
mov [ecx+0000826C],00000001
[DISABLE]
// code from here till the end will be used to disable the cheat
dealloc(newmem)
"TwelveSky2.exe"+62FB7:
mov [ebp-4C],ecx
cmp dword ptr [ebp-4C],01
//Alt: db 89 4D B4 83 7D B4 01
"TwelveSky2.exe"+62D69:
mov [edx+0000826C],0000094F
"TwelveSky2.exe"+62D78:
mov [eax+0000826C],00000950
"TwelveSky2.exe"+62D87:
mov [ecx+0000826C],00000951
How I found the info to make it
Code:
Find what writes to the faction value.
When it's written to, set the background to the faction background.
It turns out it's set right above the NOP we just did for gender, so we can detour it and put our own code in. Hurray!
Selected character background
Find the address of the selected character (0, 1, 2).
Found it at 0118AEDC.
Near it is other interesting stuff like character animation, pose, rotation etc.
0118AEDC Selected Character
0118AEE4 Pose: 0 Standing, 1 Unsheath ready to attack, 2, 3 sword down defensive stance, 4
1 3 5 7 are attacking-like things
0 2 4 6 are standing-still things
0118AEE8 Action (can be set to trigger Game Start)
0118AEEC Frame
0118AF00 Direction
0118AEE0 Character Create selected weapon
0118AED8 Sub screen, e.g. char select, char create
0118AED4 Character Select Background
2377 = Gyunin Loader
2378 = Madin Loader
2379 = Fujin Loader
2380 = Login Screen
2381 = Server Page 2?
2382 = Server Page 3? or just alternative login screens.. hmm
2383 = Gyunyuin
2384 = Fujin
2385 = Jinong
Find what writes to it
Changing Selected Char
0046721E - 89 91 74820000 - mov [ecx+00008274],edx
00467224 - 83 3D D8E91501 00 - cmp dword ptr [0115E9D8],00
0046722B - 7E 05 - jle 00467232
0046722D - E9 37060000 - jmp 00467869
00467232 - 8B 45 E8 - mov eax,[ebp-18]
00467235 - 8B 88 74820000 - mov ecx,[eax+00008274]
Character Created
00469C1D - 89 91 74820000 - mov [ecx+00008274],edx
00469C23 - 8B 45 B4 - mov eax,[ebp-4C]
00469C26 - C7 80 7C820000 00000000 - mov [eax+0000827C],00000000
00469C30 - 8B 4D B4 - mov ecx,[ebp-4C]
00469C33 - C7 81 80820000 01000000 - mov [ecx+00008280],00000001
00469C3D - 8B 55 B4 - mov edx,[ebp-4C]
Loaded Characters
00462DF8 - 89 91 74820000 - mov [ecx+00008274],edx
00462DFE - EB 32 - jmp 00462E32
00462E00 - 8B 45 E0 - mov eax,[ebp-20]
00462E03 - 69 C0 44180000 - imul eax,eax,00001844
00462E09 - 8B 4D C4 - mov ecx,[ebp-3C]
00462E0C - 8B 91 74820000 - mov edx,[ecx+00008274]
We can now detour each and manage the background accordingly
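Added example (not from this thread and not part of Mega Byte's script): the detour the script installs at "TwelveSky2.exe"+62FB7, worked at the byte level in C the way an injected DLL would do it, together with the byte check a hook should perform before it writes anything. It assumes the client is loaded at 0x00400000 (the absolute addresses in the disassembly above, such as 00462DF8, fit that base), uses a made-up cave address 0x10000000 in place of whatever alloc(newmem) returned, and operates on a constructed copy of the seven original bytes rather than on the live process.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hook site used by the Cheat Engine script: "TwelveSky2.exe"+62FB7.
 * Assumed (not stated in the thread): the client loads at 0x00400000, which is
 * what the absolute addresses in the post's disassembly (00462DF8 ...) imply. */
#define MODULE_BASE   0x00400000u
#define HOOK_VA       (MODULE_BASE + 0x62FB7u)
#define JMP_LEN       5u   /* E9 rel32 */
#define PATCH_LEN     7u   /* length of the two displaced instructions */

/* The bytes the script overwrites (its "//Alt: db 89 4D B4 83 7D B4 01" line):
 *   89 4D B4      mov [ebp-4C],ecx
 *   83 7D B4 01   cmp dword ptr [ebp-4C],01
 * Neither instruction is position dependent, so they can be re-executed in the cave. */
static const uint8_t ORIGINAL_BYTES[PATCH_LEN] = {0x89,0x4D,0xB4,0x83,0x7D,0xB4,0x01};

/* rel32 of an E9 jmp is relative to the end of the 5-byte instruction. */
int32_t jmp_rel32(uint32_t from_va, uint32_t to_va)
{
    return (int32_t)(to_va - (from_va + JMP_LEN));
}

/* Emit "jmp to_va" at out[], then NOPs up to pad_to bytes so no partial
 * instruction is left behind (the script's two "nop" lines). */
void encode_jmp(uint8_t *out, uint32_t from_va, uint32_t to_va, size_t pad_to)
{
    uint32_t rel = (uint32_t)jmp_rel32(from_va, to_va);
    out[0] = 0xE9;
    for (size_t i = 0; i < 4; i++)              /* little-endian immediate */
        out[1 + i] = (uint8_t)(rel >> (8 * i));
    for (size_t i = JMP_LEN; i < pad_to; i++)
        out[i] = 0x90;                          /* nop */
}

/* Install the detour into `code`, a copy of the bytes at HOOK_VA, saving the
 * originals for later restore. Refuses unless the bytes are exactly the expected
 * ones: on another client build this offset holds other instructions, and a
 * blind write there corrupts code instead of hooking it. Returns 0 when patched. */
int install_detour(uint8_t *code, size_t code_len, uint32_t cave_va, uint8_t *saved)
{
    if (code_len < PATCH_LEN || memcmp(code, ORIGINAL_BYTES, PATCH_LEN) != 0)
        return -1;
    memcpy(saved, code, PATCH_LEN);
    encode_jmp(code, HOOK_VA, cave_va, PATCH_LEN);
    return 0;
}

/* Tail of the cave: the displaced instructions followed by "jmp returnhere",
 * i.e. back to HOOK_VA + PATCH_LEN. tail_va is where these bytes sit in the cave. */
size_t build_cave_tail(uint8_t *out, uint32_t tail_va)
{
    memcpy(out, ORIGINAL_BYTES, PATCH_LEN);
    encode_jmp(out + PATCH_LEN, tail_va + PATCH_LEN, HOOK_VA + PATCH_LEN, JMP_LEN);
    return PATCH_LEN + JMP_LEN;
}

/* The [DISABLE] half: put the saved bytes back. */
int remove_detour(uint8_t *code, const uint8_t *saved)
{
    if (code[0] != 0xE9) return -1;             /* not our patch */
    memcpy(code, saved, PATCH_LEN);
    return 0;
}

/* Round trip on a constructed copy of the hook site; cave_va stands in for
 * the address alloc(newmem) returned. Returns 0 when every step behaves. */
int self_check(uint32_t cave_va)
{
    uint8_t code[PATCH_LEN], saved[PATCH_LEN], tail[PATCH_LEN + JMP_LEN];
    memcpy(code, ORIGINAL_BYTES, PATCH_LEN);
    if (install_detour(code, sizeof code, cave_va, saved) != 0) return 1;
    if (code[0] != 0xE9 || code[5] != 0x90 || code[6] != 0x90) return 2;
    if (build_cave_tail(tail, cave_va + 0x40) != PATCH_LEN + JMP_LEN) return 3;
    if (memcmp(tail, ORIGINAL_BYTES, PATCH_LEN) != 0 || tail[PATCH_LEN] != 0xE9) return 4;
    if (remove_detour(code, saved) != 0 || memcmp(code, ORIGINAL_BYTES, PATCH_LEN) != 0) return 5;
    return 0;
}

int main(void)
{
    uint8_t code[PATCH_LEN], saved[PATCH_LEN];
    memcpy(code, ORIGINAL_BYTES, PATCH_LEN);    /* constructed copy of the hook site */
    install_detour(code, sizeof code, 0x10000000u, saved);  /* hypothetical cave address */
    printf("%08X: ", HOOK_VA);
    for (size_t i = 0; i < PATCH_LEN; i++) printf("%02X ", code[i]);
    printf(" (jmp 10000000 ; nop ; nop)\n");
    return self_check(0x10000000u);
}
```

The byte check is the part the script does not do: its "//Alt: db 89 4D B4 83 7D B4 01" line is the only thing tying the patch to this build, and on any other TwelveSky2.exe the seven bytes at +62FB7 are something else, so writing E9 there corrupts whatever instruction really lives at that address. The displaced mov/cmp pair can be re-executed in the cave unchanged because neither has a relative operand; a displaced call or jcc would need its rel32 recomputed for its new address.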

06/25/2011, 19:10
#47
elite*gold: 0
Join Date: Mar 2010
Posts: 203
Received Thanks: 62
Quote:
Originally Posted by Mega Byte
2381 = Server Page 2?
2382 = Server Page 3? or just alternative login screens.. hmm
This could be for a second password login screen. TS2 has within its coding some 2nd password screen, but it's not activated at AGE, nor Mayn. A GM once told me this. And I remember it being there at TS2 China.
It's a code with numbers which you need to click with your mouse (to prevent keyloggers, I think).
By the way, it's just a guess if it's related.

06/26/2011, 00:46
#48
elite*gold: 0
Join Date: Dec 2009
Posts: 1,777
Received Thanks: 1,003
Ah yes, but the security page can just use the character background, I think.
The ID numbers of course correspond to IMG files, which we can edit, so we can have a "Please create or select a character" background.
I've been trying to find out how to change the create character's armor and gear so it doesn't look like high-level gear, as it's misleading for a new player: they will make a character and go "oh, it will look like this" when it does not.

08/21/2011, 12:50
#49
elite*gold: 20
Join Date: Aug 2007
Posts: 1,357
Received Thanks: 1,263
This might be a couple of months too late, but I've finally gotten signature scanning to work and I'm very pleased. Who would have known that I made one small little syntax error all those months ago and have only recently noticed.
I just wanted to show my appreciation to Mega Byte for this amazing thread. I followed your source for the signature scanning and I'm amazed at how far back that thread goes. 2004, I believe? All the recent signature scanning code is written with page-long code and I'm just amazed at how efficient this way is.
I've been wanting to contact iktov2 and see if he would give me pointers on how to find those instructions that would allow me to trigger game functions such as skill hotbar keys. Any help would be appreciated.
Thanks again.

08/21/2011, 14:58
#50
elite*gold: 0
Join Date: Dec 2009
Posts: 1,777
Received Thanks: 1,003
Good work, I suppose. I too have looked around for signature code; this one was originally given to me by powerfear, but it was coded by someone unknown. I did read a blog or something about who coded it on Game Deception.
Anyway, there is some writing in this thread that talks about triggering game functions.
Basically, find the function, find its parameters pushed onto the stack when it is called, and any values in ECX, EAX etc. that must be there.
Then preserve the stack, as you don't want to break it. The easiest way is to use __asm to call the function, pushing the arguments the same way the game does, and just making a function that accepts the arguments, as pointers or something.
The arguments passed to a function on a 32-bit game or app are always 4 bytes, so that is an unsigned integer or a uint_ptr to another address in memory. You can assume functions return void *, which is stored in EAX. If you don't know a parameter, try using a void pointer of some kind. Use OllyDbg breakpoints or whatever to look at what parameters the game passes to the function and try to understand what they must be that way.
I think my posts above have how to find and use game chat and game information calls. That might get you started.
You can find addresses with Cheat Engine and then find what writes/accesses them to try to find code. *Providing you are using the VEH debugger in CE.*
You can get a plugin for OllyDbg which uses IDA's graphing to show you a graph of the code, which can help analyse it a lot. There's a few floating around; I'll post a text list of my plugins for OllyDbg sometime soon, as I'm about to go to bed.
Also you can look for referenced text strings, intermodular calls, or just change JNZs or JEs to JMP or NOP to see how it affects the code, to help identify what code to use.
If you NOP a function and its pushes, generally, if it's not an important one (i.e. returning something of use), then it will not work and the game will not crash. E.g. if you find the chat sending call and NOP it, it won't crash and it won't send chat.
Good luck. If you get good at finding game functions you can make game hook bots easily!

08/25/2011, 13:27
#51
elite*gold: 0
Join Date: Jun 2008
Posts: 427
Received Thanks: 19
lol Mega... I've stopped playing the Aeria TS2 since it's full of BS and you don't get anything by the end of the day, and it shuts off the computer. GL on your project, and my next MMO would definitely be your TS2 private server :/

08/25/2011, 15:27
#52
elite*gold: 0
Join Date: Dec 2009
Posts: 235
Received Thanks: 68
Quote:
Originally Posted by Mega Byte
Good work, I suppose. I too have looked around for signature code; this one was originally given to me by powerfear, but it was coded by someone unknown. [...] (post #50, quoted in full)
I'd recommend this way for calling a function:
Code:
#include <windows.h>   // LPVOID, DWORD
extern DWORD ts_send; extern LPVOID ts_sendecx; // assumed declarations: the address and object pointer found in the client

void sendMessage(int c, char *s) // This function is a __thiscall, so this will NOT work:
{                                // nothing is put in ECX, and since __thiscall is callee-cleanup
                                 // while __cdecl is caller-cleanup, the stack ends up unbalanced
    ((void (__cdecl*)(int,char*))ts_send) (c,s);
}
or a __thiscall function (function that requires a class pointer)
Code:
void sendMessage(int c, char *s)
{
    // ts_sendecx is the object pointer; the compiler loads it into ECX and the callee
    // pops c and s, so the declared signature must match the game's function exactly
    ((void (__thiscall*)(LPVOID,int,char*))ts_send)(ts_sendecx,c,s);
}

08/26/2011, 03:39
#53
elite*gold: 0
Join Date: Dec 2009
Posts: 1,777
Received Thanks: 1,003
Ah, so that's how you can call functions that are members of a class.
Shall try it later, thanks.

10/08/2011, 01:01
#54
elite*gold: 0
Join Date: Sep 2011
Posts: 831
Received Thanks: 60
Is it almost done? How many % are left? Just to know where you are at the moment.

10/15/2011, 04:56
#55
elite*gold: 0
Join Date: Dec 2009
Posts: 1,777
Received Thanks: 1,003
Well, I'm not getting any help, so I can't be bothered. Might look at it more later.

10/21/2011, 01:52
#56
elite*gold: 0
Join Date: Sep 2011
Posts: 831
Received Thanks: 60
Quote:
Originally Posted by Mega Byte
Well, I'm not getting any help, so I can't be bothered. Might look at it more later.
Well... if I can do anything, just tell me. I'll try to help you if you need some help ^^

11/16/2011, 01:34
#57
elite*gold: 0
Join Date: Sep 2011
Posts: 12
Received Thanks: 0
What's new about the TSX, Mega??

12/31/2011, 04:05
#58
elite*gold: 0
Join Date: Dec 2011
Posts: 6
Received Thanks: 0
Hey, what % of the work is done?

12/31/2011, 05:53
#59
elite*gold: 0
Join Date: Dec 2011
Posts: 8
Received Thanks: 0
private server??

01/01/2012, 03:16
#60
elite*gold: 0
Join Date: Dec 2011
Posts: 6
Received Thanks: 0
yea!!