In this little tutorial we will learn some Reverse Engineering by updating without errors the function in charge of showing the Icons in the Atlantica inventory.
We will use x64dbg for this purpose, you can download it from its official site at:
The first thing we have to be clear about is what we are going to update in order to be able to locate ourselves properly. In this case, we understand that the files responsible for displaying the Icons of the Items that are in the inventory are the .tga images located in Atlantica\DUI\Image and have the name: ITEMIMGxx_40X40_00_000.tga where xx represents the number of said image, in the case of the version that we will update, which is 3.23.xx, starts from 0 to 37, meaning that we have a total of 38 .tga image files and in hexadecimal they would be 26h, which is the number to which we will focus, ok let's go.
1.- Open Atlantica.exe with x64dbg then right click then: Search for/Current Module/String references
2.- Now we need to find the Constant(s) in charge of reading and writing the Icons within the ITEMIMGxx_40X40_00_000.tga files to start, we will write in the References Tab dui\\image
As we can see we did not find anything that alludes to what we are looking for, in this case it should be ITEMIMG.
Now let's try dui/image/itemimg
Bingo, we found 2 commands pointing to DUI/Image/ITEMIMG%d_40X40_00_000.tga where %d is the variable that will determine which file to read from 0 to 26h
Now right click on the instruction and click Follow in disassembler
We already know that version 3.23 has a total of 38 .tga files that contain the Icons of the Items, these are counted from 0-37, which in Hexadecimal would be 26h (38d)
This limit must not be exceeded or it will cause the Client to crash, unless we update everything that applies. The good news is that right now we will learn how to do it correctly, please pay attention and slowly go through each step.
As we can see in the instructions that we see in the disassembler, there is already important data to pay attention to, the first one we see is the 26h that already points to the top of the files that it supports in the offset -> 0x00734FED press F2 to put a BreakPoint in said offset, in the second instance we see another instruction that points to a constant (58h) the complete instruction is: lea esi, ds:[edi+ebx*4+0x58] at offset -> 0x00734FF3 let's also put a BreakPoint in said instruction and Let's write down the number 58h in the notepad since this number will become part of the formula that we will have to build to update everything correctly.
Now I am going to explain how this subroutine works to clearly understand what each thing means.
cmp ebx, 0x26 at offset->0x00734FED does a comparison with ebx if it doesn't exceed the supported file limit, if it doesn't then skip to the next instruction. Then lea esi, ds:[edi+ebx*4+0x58] at offset->0x00734FF3 set esi at address edi+ebx*4+0x58 (edi=start of the buffer created to write and read the data corresponding to some parts that make up DUI) (ebx=the number extracted from the request that the client made of the requested file, if for example it is requested to read the file ITEMIMG20 then ebx will be = 14h) (*4+0x58= these values are the following , is multiplied by 4 because each file occupies 4 bytes and 58 belongs to the buffer space that this function will be occupying) I know well that the buffer created by the operator has a total of 28C bytes because I did this update a long time ago, in We will see it for a while, but in advance I tell you that this is the value of said space created for these functions and for the part that corresponds to ITEMIMG here we can see that it starts at 0x58 of 28C.
Later we have a call to memset ( call 0x00B0DF20 ) at offset-> 00735012 this function temporarily generates a space to be able to print DUI/Image/ITEMIMG%d_40X40_00_000.tga with the requested value.
Then we have a call ( call 0x00408DFB ) at offset-> 0x00735029 which is in charge of printing the variable %d thus obtaining the complete patch which in this example would be 20 thus printing in the temporary space created by memset DUI/Image/ITEMIMG20_40X40_00_000 .tga
Finally, in this small subroutine we have a call ( call 0x00734C5C ) at offset->0x0073503A which is in charge of reading the content of said file.
The last call is just to end the subroutine and successfully return.
Now that we understand how this little subroutine works, let's find the variable used to locate those subroutines belonging to the 28C space I mentioned earlier. To do this, we go to the beginning of the same subroutine that we have just analyzed to offset->00734FD3 and right click on the mouse, then on Find references to/Selected address(es) or Ctrl+R
As we can see, we find only one address, let's do as the previous step in Follow in disassembler.
As we can see in these instructions we find another 26h we must put another BreakPoint in that instruction at offset->00735361 but we still haven't found the variable we are looking for, how do I know we haven't found it? this is achieved with experience but for now you will have to trust my word XD
Now let's continue in the search and go to the beginning of this subroutine as shown in the image and click on Find references to/Selected Address(es)
Now we see that 4 addresses were found, but we are not going to review all of them since I did it for you and it is not worth wasting time detailing this, it is enough to know that the last address is what we are looking for more quickly, it is certain that searching in the other 3 we would find it but we have to search more, in the fourth address it is a little higher, let's enter the fourth offset found.
Ok in this subroutine we find the Variable that calls the main DUI routine and the variable that interests us from the subroutines in which ITEMIMG is nested. ( Main Variable -> mov eax, dword ptr ds:[esi+0x12B2C] at offset -> 008182A2 ) this is located at the address of DUI Manager and then it in turn locates the nested subroutines in another buffer or space where it is located ITEMIMG in the bytes mentioned before 28C ( mov esi, dword ptr ds:[eax+0x1C5C] at offset->008182A8 ) write down in the notepad the constant 1C5C since this is the variable that will always locate the address corresponding to the subroutines that control ITEMIMG in part, specifically from 0x58.
Ok now let's go back to the strings tab and look at the second DUI/Image/ITEMIMG%d_40X40_00_000.tga we found
Once we enter this subroutine we see the same as the previous one, except that instead of 58h we have an F4h, let's put BreakPoint in cmp ebx, 0x26 -> 0x007353B5 and in lea esi, ds:[edi+ebx*4+0xF4] ->007353BB and just as we noted 58h earlier, let's also note F4h in notepad as this will be part of the formula.
3.- Now we need to locate the main DUI routine and within said routine we will also find the instructions of the subroutine that interests us, in this version 3.23 it is easy to find the main routines because there is text that helps to locate them easily, in the Valofe version these rascals They took out these texts, but when one already has experience in this, it is easily achieved in any way, in this case we only have to write in the String References tab Search ( duimanager ) and click on Follow in Disassembler
A little higher up we can already see the call operator in charge of creating the space under which the main DUI routine will work with 3FF0h bytes at offset ->00516651 let's put a Breakpoint at said offset, then further down we have the constant that will be used as variable to find the main DUI routine each time it is needed: offset->0051667C
Now we enter the call where the routines are by pressing the enter key in said call at offset->0051666E
As we can see we have already located the subroutine that contains the instructions that we are interested in, now we will really start. Let's put a Breakpoint in push 0x28C at offset->0055A4A9, we had previously mentioned about this number that belongs to the creation of the space that will handle all the instructions related to alternate DUI functions, among them is ITEMIMG and these instructions are inside the call that precedes the operator that creates the space, you can also see that there is the locator constant of this subroutine with the number that we got earlier and that I told you to write down in notepad 1C5C. to this number located at offset->0055A4CD right click and then click Find References to/Constant: 1C5C and just leave it there for later, now back to where we were.
Now we must enter the call that contains the instructions that we need to change, we locate ourselves in said call at offset->0055A4C1 and press the enter key. we are not going to detail what each constant does in this subroutine since we would not finish any more and besides we are not interested, let's focus on what interests us, we go down a bit until we reach the end of this thread and before the return we see a 27h and the famous F4h that we already knew, here we will begin to build the formulas to start changing things, they will wonder why a 27h and not a 26h which is what we have been analyzing, it happens that this 27 will be in charge of formatting the space to be used starting from F4h and 4 more bytes are taken to avoid overflows, and let us remember that before F4h there was a 58h that must be respected, and the instructions are configured to respect said 58h, since if we analyze the whole subroutine, we do not we will find nothing that invades or impacts on the happy 58h and this is because later it will also be formatted, put a Breakpoint in the push 0x27 and in lea edi, ds:[esi+0xF4].
Also right click on lea edi, ds:[esi+0xF4] and then Find References to/ Constant: F4
Now we are moving in the search down until we find the two Breakpoints that we have previously set in red and we check the one above those two to check if it impacts the same.
As we can see if it is related to what we are working on since it has a 27h and we also see a -9C in the instruction ( or dword ptr ds:[eax-0x9C], 0xFFFFFFFF ) in the offset->0x00733393 and this is not another thing that the famous 58h do not believe me? Well I'll explain it to you in another way, for this we perform the following mathematical operation: 27h*4=9C then F4-9C=58h therefore here is where I told you that the 58 would also be formatted and this time together with the F4 only that the operation is performed in this way and is the same.
Put Breakpoint in push 0x27 in lea eax, ds:[ecx+0xF4] and in ( or dword ptr ds:[eax-0x9C], 0xFFFFFFFF )
Okay, we continue. Now let's go back to the previous thread, let's briefly observe the coding to reach a conclusion of the form that should be updated, so far we are clear that the start of the instructions that interest us between 0-28C is 58h and we also know that 27 is the limit to multiply and we know that we have to multiply *4 so let's start by clarifying [ 27h*4 = 9C]
Continuing with this logic, we must now apply the following to the formula we want to build:
58 +27*4 = F4 and we know that F4 contains another pipeline with the same logic therefore:
58 +27*4 = F4 +27*4 = 190h let's stop here at 190 to discuss in this thread about this constant at offset->00737DBB above rep stosd is a lea edi, ds:[esi+0x190] this gives us says that another configuration completely unrelated to ITEMIMG will be worked from this offset, this is the reason for the crashes, if an overflow occurs the data will overwrite this segment which already contains other data unrelated to ITEMIMG and when the client requests this data by another reason and find discrepancies, it will generate an error ending in a crash of the client.
Now, knowing this, if we want to update the start from 58h to support the number of files we want, we must run the offsets of everything that is from 190h
I just looked at the Valofe Client and it already goes by ITEMIMG72_40X40_00_000.tga and this is to say 73d = 49h therefore a suitable formula for this update would be:
58 +4A*4 = 180 +4A*4 = 2A8
So the construction would look like this:
1.- 58 +27*4 = F4 +27*4 = 190h
2.- 58 +4A*4 = 180+4A*4 = 2A8
What does this mean? it means that 190h will now become 2A8 and so on, we would have to modify the rest of the offsets that are affected by this change until ending at 280h, which is the end of encoding in this subroutine in lea ecx, ds:[esi+0x280] in the offset->00737D54 if we start to analyze it does not make sense to disown so much by moving all those offsets, so in this particular case to reduce unnecessary changes, what is best for us is to move the 58h and the F4. We know well that the size of this space is 28C so we are going to calculate the total space we need for our update and we make the formula as follows:
27h*4 = 9C + 27h*4 = 138h <- this is the total size in bytes that ITEMIMG occupies.
We now know that to date Valofe is in ITEMIMG72_40X40_00_000 that the real value would be 73d = 49h but we must upload one more to follow the logic of the original instructions, therefore 49h +1 = 4A and then the formulas would be like this:
1.- 27h*4 = 9C + 27h*4 = 138h
2.- 4Ah*4 =128 +4Ah*4 = 250h
The total needed is now 250h bytes instead of 138h bytes
Now that we know the total, let's make the formula to update, what we are going to do is move the 58h where the current buffer size ends, which is 28C, now this will be the start of ITEMIMG:
1.- 58h +27h*4 = F4 +27h*4 = 190
2.- 28C +4A *4 = 3B4+4A *4 = 4DC
Now 28C = 4DC that will be the new size of the buffer that the operator will generate.
Now 58h = 28C therefore we must replace this constant to this new value.
Now F4 = 3B4 so you have to replace that constant with that new value.
Now 27h = 4A therefore we must replace this constant to this new value.
Note that by updating in this way, we will not affect the rest of the instructions that are in the range of 0-28C since we are above them, on the other hand it is more convenient since for future updates it would be easier since the changes would be subtle.
Having all this data, we can start with our update, let's start by changing the constants 26h and 27h
1.- 26h +1 = 27
2.- 49h +1 = 4A
We go to offset-> 0x00735361 and change 26h to 49h
We go to offset-> 0x00734FED and change 26h to 49h
We go to offset-> 0x007353B5 and change 26h to 49h
Now let's change 27h
We go to offset-> 0x00737DC3 and change 27h to 4A
We go to offset-> 0x0073338A and change 27h to 4A
Now let's change the size of the space that the operator should create, go to offset->0x0055A4A9 and change 28C to 4DC
Now let's change the constant F4 to 3B4 according to the formula we built:
1.- 58 + 27*4 = F4 +27*4 = 190
2.- 28C+4A*4 = 3B4+4A*4 = 4DC
We go to offset-> 0x00737DC9 and change F4 to 3B4
We go to offset-> 0x007353BB and change F4 to 3B4
We go to offset-> 0x0073338C and change F4 to 3B4
Now we have to upgrade the 58h and -9C we saw earlier which is mathematically the same as 58 in its final run.
According to the formula:
1.- 27*4 = 9C
2.- 4A*4 =128
We go to offset-> 0x00733393 and change 9C to 128h
We go to offset-> 0x00734FF3 and change 58h to 28C which will be the new start of ITEMIMG, but here there is a problem that must be solved in a particular way, in assembly an instruction that is above 80h consumes 3 more bytes therefore if we adjust in said offset when inserting 28C it will overcome the above mentioned and the result will be to distort the following instruction, the solution to this problem is to move the instruction to a new offset and then return to the corresponding address all by means of a simple jump, we need to achieve a empty place in which to insert the instruction without affecting anything, you can do two things, one create a new sector in the client to have room to spare for future updates or get a current empty space in the same module that we are working to make this simple operation, since it will not take up much space, the second mentioned will be what we will do but first press the space bar to To copy the complete instruction from 58h and the one that follows it as well since it will disappear when you put the jmp in exchange for the original instruction, copy each one as is in notepad and save said data, then press escape.
I took it upon myself to find an available place to insert the instructions.
At offset-> 0x00734FF3 which is where the 58h is insert the next hop jmp 0x00C3B7C1 positioned in the jump created press the enter key and now insert lea esi, ds:[edi+ebx*4+0x28C] and then cmp dword ptr ds :[esi], 0x0 and then return via another simple jump jmp 0x00734FFA
With this, it only remains to save and run the client to verify that everything is correct, press Ctrl+P to save all the changes, if you carefully followed all the steps, you will have made a successful update, congratulations! (Note: not to discourage you but this is a simple update to do, there are hundreds of regulations that you have to know about other updates, I made this tutorial with this segment because it seems to me one of the easiest to do since it has very few changes , cheer up, don't stop, it's not easy but with perseverance everything is possible! )
A gift for you, files ITEMIMG updates.