Quote:
Originally Posted by CharlyBrown001
If I'm using just the DLL from OSY on the CM EP2 client, the alefclient.exe needs a process point that is missing, so I'm using OllyDbg to edit the alefclient.exe; working on it since yesterday, no progress there...
If I'm using the DLL and alefclient.exe from OSY on the CM EP2 client it works, but same problem with no NPC mobs, and that's because it's the EP3 client alefclient.exe, not the EP2 one. I'm getting a HEADACHE here!!! Maybe I should get some sleep.
After DLL_MAIN does some initialization stuff (haven't reversed this part) it ends up going to the following:
The routine at 0x10001a40 starts off by doing 2 hooks at hardcoded addresses. This seems to be the main initialization routine.
It hooks 0x5C3260 -> 0x10001660.
The hook checks for a byte coming right after the packet flags, which is at + 11.
if this byte is greater or equal to 2, it gets incremented. You figure out why. Of course it ends up jumping back to the original function.
It hooks 0x4DE5F0 -> 0x10001830.
This hook checks if the packet type is 13. If it is, again it gets the byte coming right after the flags at +11.
If it's >= 3, it gets decremented.
Edit: I forgot to mention, all of the things below this happen only if there is a file called "show_debug_console". This is therefore more or less useless information, as it does not help you people with your server-making quest. (Or does it?)
After the hooks, it creates a debug console at 0x10001370.
After that, it calls 0x100013f0. tl;dr this function finds printf and OutputDebugStringA.
It creates a context struct, in which at +0 the old 6 bytes are stored. At +6 the new 6 bytes are stored.
(0xc3, 0x90, 0x90, 0x90, 0x90, 0x90).
It then calls the 0x10001aa0 procedure with each of these structs for different functions.
For OutputDebugStringA it has 0x10001350.
For printf it has 0x10001070.
This means that these two functions are blocked with an immediate ret. (Please correct me if I'm wrong; I have no idea why you would pass an address of another function if you would just return anyway, so it's kind of confusing, you know.)
Also, notably, the displacement is stored at +7 (DWORD).
After this mumbo jumbo console stuff is done, it proceeds to call a function which dumps the parse_list to a "parse_list.h" file.
With a hardcoded address of 0x8AD1D4 (I think this is a relative address; at 0x100036c8 it might be the base address of alefclient).
It took only a couple of minutes to gather all this data. I have not even done any dynamic analysis.
P.S. Olly is very outdated; check out x64dbg for 32-bit executables, or, you know, get IDA?
Edit: All of this is done from the DLL (since we're talking about dll_main it should be obvious enough.)
Edit: I realize that this might not make sense. It should serve as a tutorial on what you should do in order to make this edit usable through any codemasters client.
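The 6-byte patch the post describes, as an added example (this is not code from the DLL or from the post): a context struct with the saved bytes at +0 and the replacement bytes at +6, so the rel32 of a jmp-style hook lands at +7, the C3 90 90 90 90 90 ret-stub used for printf/OutputDebugStringA, and a prologue check that tells an intact function from a ret-stubbed or detoured one by comparing it against a trusted copy. The sample prologue bytes and every detail of the struct beyond what the post states are constructed assumptions, and the code works on a local buffer rather than on live process memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example only, not the DLL's code. Layout taken from the post: original 6
   bytes at +0, replacement 6 bytes at +6, hence a rel32 displacement at +7
   (the 4 bytes after the opcode byte at +6). A local buffer stands in for
   the function prologue; nothing here touches live memory. */
#define PATCH_LEN 6

typedef struct {
    uint8_t old_bytes[PATCH_LEN];   /* +0: saved original prologue bytes */
    uint8_t new_bytes[PATCH_LEN];   /* +6: bytes written over the prologue */
} hook_ctx_t;

/* rel32 for an E9 jmp: target minus the address of the instruction after the
   5-byte jmp. Addresses are the 32-bit VAs quoted in the post. */
int32_t rel32_for(uint32_t from_va, uint32_t to_va) {
    return (int32_t)(to_va - (from_va + 5));
}

/* Ret-stub patch: C3 90 90 90 90 90, the bytes the post lists. */
void ctx_init_ret(hook_ctx_t *ctx, const uint8_t *prologue) {
    static const uint8_t ret_nop[PATCH_LEN] = {0xC3, 0x90, 0x90, 0x90, 0x90, 0x90};
    memcpy(ctx->old_bytes, prologue, PATCH_LEN);
    memcpy(ctx->new_bytes, ret_nop, PATCH_LEN);
}

/* Jmp-hook patch: E9 <rel32> 90. On little-endian x86 the memcpy places the
   displacement at ctx+7, matching the post's observation. */
void ctx_init_jmp(hook_ctx_t *ctx, const uint8_t *prologue,
                  uint32_t from_va, uint32_t to_va) {
    int32_t rel = rel32_for(from_va, to_va);
    memcpy(ctx->old_bytes, prologue, PATCH_LEN);
    ctx->new_bytes[0] = 0xE9;
    memcpy(&ctx->new_bytes[1], &rel, sizeof rel);
    ctx->new_bytes[5] = 0x90;
}

/* Read the DWORD at +7 of the struct, the field the post points out. */
int32_t ctx_disp(const hook_ctx_t *ctx) {
    int32_t d;
    memcpy(&d, (const uint8_t *)ctx + 7, sizeof d);
    return d;
}

void ctx_apply(const hook_ctx_t *ctx, uint8_t *prologue)   { memcpy(prologue, ctx->new_bytes, PATCH_LEN); }
void ctx_restore(const hook_ctx_t *ctx, uint8_t *prologue) { memcpy(prologue, ctx->old_bytes, PATCH_LEN); }

/* Integrity check a defender can run over known functions: compare the live
   prologue with a trusted copy and classify the two common patch shapes. */
typedef enum { PROLOGUE_INTACT, PROLOGUE_RET_STUB, PROLOGUE_JMP_HOOK, PROLOGUE_MODIFIED } prologue_state_t;

prologue_state_t inspect_prologue(const uint8_t *live, const uint8_t *trusted) {
    if (memcmp(live, trusted, PATCH_LEN) == 0) return PROLOGUE_INTACT;
    if (live[0] == 0xC3) return PROLOGUE_RET_STUB;   /* neutered with an immediate ret */
    if (live[0] == 0xE9) return PROLOGUE_JMP_HOOK;   /* detoured with a near jmp */
    return PROLOGUE_MODIFIED;
}

/* Displacement the post's first hook (0x5C3260 -> 0x10001660) would store at +7. */
int32_t demo_disp(void) {
    uint8_t code[PATCH_LEN] = {0};               /* constructed placeholder prologue */
    hook_ctx_t ctx;
    ctx_init_jmp(&ctx, code, 0x5C3260u, 0x10001660u);
    return ctx_disp(&ctx);
}

/* Walks the hook lifecycle on a constructed prologue (push ebp; mov ebp,esp;
   sub esp,0x10) and returns how many of the four expected states were seen. */
int run_demo(void) {
    uint8_t code[PATCH_LEN] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10}; /* constructed */
    uint8_t trusted[PATCH_LEN];
    hook_ctx_t ctx;
    int ok = 0;

    memcpy(trusted, code, PATCH_LEN);
    ok += inspect_prologue(code, trusted) == PROLOGUE_INTACT;

    ctx_init_jmp(&ctx, code, 0x5C3260u, 0x10001660u);  /* jmp-style hook */
    ctx_apply(&ctx, code);
    ok += inspect_prologue(code, trusted) == PROLOGUE_JMP_HOOK;

    ctx_restore(&ctx, code);                            /* saved bytes put back */
    ok += inspect_prologue(code, trusted) == PROLOGUE_INTACT;

    ctx_init_ret(&ctx, code);                           /* ret-stub style patch */
    ctx_apply(&ctx, code);
    ok += inspect_prologue(code, trusted) == PROLOGUE_RET_STUB;
    return ok;
}

int main(void) {
    printf("rel32 at +7: 0x%08X, demo states seen: %d/4\n",
           (unsigned)demo_disp(), run_demo());
    return 0;
}
```

The check in inspect_prologue is the part worth keeping around: a trusted copy of each prologue taken at load time, compared against the live bytes, flags both the ret-stub and the jmp detour without needing to know which DLL wrote them.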