[Question] signed integers defined in the client ?

03/24/2018 17:10 multiuses#1
Hi there,
if someone knows anything about signed integers defined in the client:
I tried lots of times to edit the party matching max level to higher than 127, and it always shows negative numbers.
Please, some expert person help me :handsdown:
03/25/2018 20:50 multiuses#2
Does anyone know?
03/27/2018 02:06 multiuses#3
Still nobody knows?
03/27/2018 14:40 Iwa13#4
I don't know whether storage type of level is signed or not, probably not.

"push imm8" performs sign extension to operand before pushing the value into stack. So changing "push 6e" to any value that is higher than 127 does not do what we expect. (in that case, value becomes [imm8 FF FF FF] on stack, not [imm8 00 00 00])

This one does work for default max. level (thanks to kanift for testing)

Code:
pop edx           ; take the return address left by the call that replaced the original push
movzx eax,al      ; zero-extend the level byte in AL instead of letting push imm8 sign-extend it
push eax          ; push the full 32-bit value, e.g. [96 00 00 00] rather than [96 FF FF FF]
push E18B1C       ; address given in the original post; pushed so the client continues where it expects
jmp edx           ; return to the patched code
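Here is an added example (my own code, not from Iwa13's post or the client) that models the two instructions the post contrasts. Per the Intel manual, "push imm8" sign-extends its 8-bit immediate to the operand size, while "movzx eax, al" zero-extends. The function names and the sample byte values are my own choices; the loop in main prints each byte as it would land in the 32-bit stack slot, little-endian, so the "[imm8 FF FF FF]" vs "[imm8 00 00 00]" pattern from the post is visible.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the thread: models why "push imm8" breaks
 * for values above 127 and why "movzx eax, al" followed by "push eax" works. */

/* "push imm8": the CPU sign-extends the 8-bit immediate to 32 bits before
 * pushing it, i.e. bit 7 of the byte is copied into bits 8..31. */
int32_t push_imm8(uint8_t imm8)
{
    return (int32_t)(int8_t)imm8;
}

/* "movzx eax, al": zero-extends the low byte; bits 8..31 are cleared.
 * This is what the cave in the post does before "push eax". */
uint32_t movzx_eax_al(uint8_t al)
{
    return (uint32_t)al;
}

/* Byte idx (0..3) of a 32-bit stack slot as it sits in memory (little-endian). */
uint8_t stack_slot_byte(uint32_t slot, int idx)
{
    return (uint8_t)(slot >> (8 * idx));
}

/* 1 if "push imm8" delivers the unsigned level the editor intended,
 * 0 if sign extension turned it negative (every value >= 0x80). */
int push_imm8_preserves_value(uint8_t wanted_level)
{
    return push_imm8(wanted_level) == (int32_t)wanted_level;
}

int main(void)
{
    /* constructed inputs: the post's 0x6e, the boundary 0x7f/0x80, and two larger levels */
    uint8_t levels[] = { 0x6e, 0x7f, 0x80, 150, 0xff };

    for (size_t i = 0; i < sizeof levels; i++) {
        int32_t se = push_imm8(levels[i]);
        uint32_t ze = movzx_eax_al(levels[i]);
        uint32_t slot = (uint32_t)se;

        printf("byte 0x%02X: push imm8 -> %4d  stack [%02X %02X %02X %02X]   movzx/push eax -> %3u\n",
               levels[i], se,
               stack_slot_byte(slot, 0), stack_slot_byte(slot, 1),
               stack_slot_byte(slot, 2), stack_slot_byte(slot, 3),
               ze);
    }
    return 0;
}
```

Running it shows 0x6e (110) surviving both paths, while 150 (0x96) becomes -106 with the stack bytes 96 FF FF FF under "push imm8" and stays 150 under the movzx path, which is exactly the negative number the first post describes.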
03/28/2018 01:46 multiuses#5
Quote:
Originally Posted by Iwa13
I don't know whether storage type of level is signed or not, probably not.

"push imm8" performs sign extension to operand before pushing the value into stack. So changing "push 6e" to any value that is higher than 127 does not do what we expect. (in that case, value becomes [imm8 FF FF FF] on stack, not [imm8 00 00 00])

This one does work for default max. level (thanks to kanift for testing)

Code:
pop edx
movzx eax,al
push eax
push E18B1C
jmp edx

It seems there is a solution, but I can't understand where you got ' call <sro_client.pushzx_al_%d> '?
Please can you explain in more detail?
03/28/2018 02:08 florian0#6
Quote:
Originally Posted by multiuses
Where did you get ' call <sro_client.pushzx_al_%d> '?
Please can you explain in more detail?
This technique is called a codecave. "pushzx_al_%d" is a custom defined function containing the instructions listed in the post.
There are many tutorials on basic codecaving. Choose "any" location in the binary that fits the size of these instructions, then redirect the original call to this call.
Make sure that no instructions "go missing" as you are going to possibly override some instructions.
03/28/2018 05:55 multiuses#7
Quote:
Originally Posted by florian0
This technique is called a codecave. "pushzx_al_%d" is a custom defined function containing the instructions listed in the post.
There are many tutorials on basic codecaving. Choose "any" location in the binary that fits the size of these instructions, then redirect the original call to this call.
Make sure that no instructions "go missing" as you are going to possibly override some instructions.
Could you give me some hints?
I searched about codecaving and found nothing I can use :(
Please help if you don't mind.
03/28/2018 10:51 florian0#8
Doesn't explain as in-depth as it could be, but includes all the required steps.
03/29/2018 08:22 multiuses#9
Quote:
Originally Posted by florian0
Doesn't explain as in-depth as it could be, but includes all the required steps.
I see lots of "INT3" and "NOP" instructions.
Which one should I choose?