New pulse parameter.

Bledis · 06/30/2023, 06:20

Hello, has anyone reversed and know how to compute new param in pulse packet?

I recorded some packets:

- pulse 60 1
- pulse 120 0
- pulse 180 1
- pulse 240 0
- pulse 300 0
- pulse 360 0
- pulse 420 0
- pulse 480 1
- pulse 540 0
- pulse 600 1
- pulse 660 0
- pulse 720 1
- pulse 780 1

I dont see pattern :/

Hatz~ · 06/30/2023, 09:32

I guess that with "new param" you're referring to the second argument. In that case the second argument is kind of being generated random. There's a byte array in the game with size 30 and when a new pulse packet is created it generates a random number between 0 and 29 and get the value from that array. ¿Where are the values from the array coming from? Well the values from that array change over time when some game functions are called. This functions call another function, let's name it "check_func", and what "check_func" does is to check recursively if the return address is inside the module NostaleClientX.exe or not, in the case that it is not from the game module it will randomly increment one of the bytes in the array.

If you're interested I can give you the address of the array, the "check_func" and the address where the pulse packet is being generated.

Bledis · 06/30/2023, 15:49

@

If you dont mind it, give it to me

But I am worried that it wont help me in my case.
I have my clientless, gfless client - and I pretty much need to generate it by myself without reading it from client memory.

I tried to reverse engineering implementation but I just got headache just by looking at reversed code[*].

Hatz~ · 06/30/2023, 16:17

Quote:

Originally Posted by Bledis

@

If you dont mind it, give it to me
But I am worried that it wont help me in my case.
I have my clientless, gfless client - and I pretty much need to generate it by myself without reading it from client memory.

I tried to reverse engineering implementation but I just got headache just by looking at reversed code[*].

If you just want to send a pulse packet that is "correct" you can always send "pulse X 0" or change between 0 and 1 randomly for the second parameter. In my case most of the times I've seen the pulse packet the second parameters is most likely 0 so a probability of 0.75 to 0 and 0.25 might be a good idea. You won't probably see a second argument of something greater than 1, it only occurs in some weird scenarios.

The "check_func" address is 0x004caa34
The array address is 0x007246ec
The pulse packet generation code starts at address 0x00717ff5 and ends at 0x0071807c.

I hope this helps

Bledis · 06/30/2023, 17:26

@

Thanks, I appreciate it.

IceTrailer · 07/06/2023, 02:00

#moved