Forsaken World collaboration
 

I am looking for help mapping the opcodes for PWE's latest game Forsaken World. It's a whole new ball game; every single code is different.

My main computer apparently can't launch the game because of its new protection not working properly on certain x64 configurations; and my other computer is too slow to be painfully working on it.

I can provide the tool for you to hook to the game client and it will dump the opcodes whenever something is sent to the server (you will need NET Framework 4.0 though); or you can grab MHS and setup breakpoints + scripts to dump manually.

Download:
- the tool can be downloaded from the attachment and it works for all PWE games.
- you will need NET Framework 4.0 to run it ([Only registered and activated users can see links. Click Here To Register...])
- you may also need MS C++ 2010 Redistributable ([Only registered and activated users can see links. Click Here To Register...])
(EDIT: I posted the MS C++ 2008 Redistributable earlier which won't work; needs the 2010 version)

Requirement:
- your own FW CB account
- some knowledge of hexadecimals and offsets will make things easier

For starters, here are some current offsets for the latest client:

Send function address = 0x7876B0
Base = 0xD14280

Self player's structure = [Base + 0x20] + 0x24

NPC hash list = [[[Base + 0x20] + 0xc] + 0x20] + 0x18
NPC sequential list = [[[Base + 0x20] + 0xc] + 0x20] + 0x48
NPC's name offset = 0x1c8
NPC's unique Id = 0x150 (8 bytes long = 64 bit) (example: 0x8000000000001A56)

Player's hash list = [[[Base + 0x20] + 0xc] + 0x1c] + 0x18
Player's sequential list = [[[Base + 0x20] + 0xc] + 0x1c] + 0x88
Player name's offset = 0x54c
Player's Id = 0x220 (also 8 bytes = 64 bit)

Loot hash list = [[[Base + 0x20] + 0xc] + 0x24] + 0x18
Loot's name = 0x1e0
Loot's unique Id = 0x130 (8 bytes)

Opcodes format:
============
Cancel = "001D"
NormalAttack = "02001C"
Select = "{0:X16}0007"
Interact = "{0:X16}0046" (engage dialog with NPC)
UseInventory = "{0:X8}00{1:X2}01000032" where {0} = item Id, {1} = inventory slot
UseEquipment = "{0:X8}00{1:X2}00000032" where {0} = item Id, {1} = equipment slot
UseSkill = "{0:X16}0102000000000000000000000000{1:X8}0020 " where {0} = target Id, {1} = skill Id

Opcodes function in C#
================+
Example how to use:

:( don't have an account there, or I would love to have a go at it lol

Registered for CB, waiting on any email notification from them.

Awaiting approval for CB. Then of cource, I'll join collaboration

BTW, in your attach you've forgot PWDump.dll =/

It's embedded resource in the net assembly; should work fine. You can try it on PW.

interesting that theyre using 8 bytes long ids now... any clue as to why? :o

I can't imagine they have THAT many NPCs

They're just making it a harder time for us which is kinda stupid really; their protection is very lame and stupid; only hurt legitimate players (like me can't start the game).

At least they force me to rewrite my bot to support both 32bit and 64bit Ids in one bot.

I use XP 64bit, oh well might be in for some issues if I try that game, but I'm already used to it by now, couldn't even connect my phone to my PC cos the software didn't support my windows. Have to mail my own applications to my phone to use them *sighs*

Oh well, I'm pretty sure it won't stop anyone from doing what they want with their games, especially not you lol :D

After selecting the process elementclient and clicking button Analyze, I get the following error dialog box(c/p):
---------------------------
elementclient (3340)
---------------------------
Unable to hook process.
---------------------------
OK
---------------------------

I have .NET Framework 4.0 and I also tried after reinstalling MS C++ Redistributable. When I say reinstall I mean "repair" because I had full installation of Visual Studio 2008 already installed and appart from remove, repair was the only option left. PWEDump analyze failed before and after with same error.

Attempted PW version was PWI 446 (current) as well as one version before current patch, numeric version of which I do not recall.

System specs are:
Windows XP 32bit (eng)
Intel Pentium 4 3.20Ghz
3070Mb RAM

Reason for reporting this issue is not my desire to use it on PW, just wanted to test if all is ok, in case I do get CB key for Forsaken World, which I have not received as of yet.

Did you get a popup about missing MSVCR100.DLL? I built the DLL in VS2010 and it's linking with this version. If you are missing this, you can google and download it and place in the Windows\System32 folder.

Other than that, I don't see any other possible problem. You can view the source code by using Reflector (free). The hooking process is straight forward.

EDIT: I gave the link to the MS C++ 2008 Redistributable by mistake on my first post; you need the 2010 version which now has the correct link.

The 2010 version of MS C++ Redistributable did the trick, it now works as it should. Thanks for the modified link.

Just for reference, no, I did not get a popup about missing MSVCR100.DLL before.

here is a dump of some things.

Vuduy what all do you need? I'd be glad to help but do you just want me to record and dump it here? Or are you looking for specific stuff?

Anything that is useful. Example, cast skills, get the dump and formalize the opcodes; different type of skills may have different opcodes eg. instant cast skill (no cast time) vs normal cast skills.

Also get opcodes for summoning/stowing pets, feeding pets, and any other activities with pets.

Get opcodes for inventory item usage, like using pots, using mounts, or any other special items.

Get opcodes for buying, selling, repairing.

Also, find data offsets like HP, MP, level, gender, etc... all the useful properties for NPC, player and provisions.

heck [Only registered and activated users can see links. Click Here To Register...] . they still have alot of beta keys for free

Thank you serahah, I wasn't aware of this giveaway before and I really wish I was, beacuse in the mean time, while I had nothing to do (after PW MS got shut down), I went and found my fix in EVE Online.

While injecting Python isn't exactly what I was hoping for, it keeps me busy these days, so I'll stick with it for a little while longer, before I "go back" to FW.

Public closed beta starts today. Let the cracking and hacking begins!

On a side note, it's better to use SINS 2.1.x to get data. It has the same packet capture and it also supports memory snapshot. Will be easier to find offsets.

w8 for us work... =]... im playing beta 4

Reporting in, PW/FW player since CBT of PW. Some may recognize my name, I hope, I like to feel important.

I have a small IRC server we can use to colab if need be.

Well, so far, nobody contributes anything; and my bot supports FW almost 100%.

The few things still missing are some pet's offsets and quest list/structures.

It seems like most of the pet's information is stored in a packed bits of some sort. I can get the offset for the data whenever information changes; but I still cannot decode it.

FW seems to lock up each time I search what accesses an address for some reason, PW never did that and it's basically the same game reskinned and retooled.

Not sure if i'm missing something, been out of the loop for a while.

Its built in anti-hack does that. Basically, it searches the process list for cheatengine.exe, and any other popular debuggers including Olly and Visual Studio (devenv.exe). If any of these processes exist, then it locks up.

Try putting a break point will also terminate the client. It's not as easy compared to other PWE games.

I want to see a pserver of this game so I'll try to see what I can pick up with MS Network Monitor. Be advise, I'm a total noob doing this kind of stuff so if anything I send is helpful, let me know.

It wouldn't be helpful.

Packets are ARC4 encrypted, so monitoring them with a external tool would be useless.
Also, building a pserver requires :

a) leaked server files (PW's newest leak was 1.2.8 server)
b) an emulator

and I doubt both will ever happen for FW.

Then if I may ask how can I reverse the game. Even tried with Olly's IsDebuggerPresent plugin but still won't work. Well, was able to attach IDA's debugger but didn't seem to do any good either. My computer got really slow.

hey if someone also play beta add me as friends im on the german realm my name is nazrezim and im in the guild Scrubs a guild with much people from the old ms.

Sweetlady,

A friend of mine said that FW uses Armadillo packer, which may explain why you cannot attach any debugger to it.

I never checked, as I have no interest in FW (will be same cash shop shit as PW in a few months), but maybe this helps ya.

Cheers

It's easily bypassable, using kernelmode's CE debugger is enough.

Thank you both 2981611 and micecats. I'll take a look at it tonight after work or tomorrow. I haven't really played much but I'm sure it's already a cash machine so that's why I wanna reverse it as much as my brain cells allow me and make a bot for it.

Cheers :mofo:


Edit1: My system does not support DBVM :(
Only works on Intel CPU.

Edit2: Olly Advanced did the trick for olly which is really great. Also found some plugins for IDA too but when I attach after a couple of seconds I can't select a mob or npc. But still can't use CE. Is there a MHS kernel mode debugging?

Anyway, IDK how you were able to retrieve all those offsets, it all seems too complicated and time consuming for me. PWI was much easier.

Bump!!;)

Use VMWare with a 32 bit OS

Edit : Anybody playing on EU server ?

I actually have Windows 7 64 bits installed. But gonna give it a try. Thanks a lot Mice. I've installed VMware workstation and player but I still don't understand how to use this. I need to install a new OS to use on VM. That's not what I want.

AutoIt seems to work just fine to form a basic bot,
my problem is that i never managed to detect when a mob dies,
so the bot will move to the next one..

If you found smtin that I didnt, maybe you can take my idea and develop it further :)

K, I've installed VMWare with Windows 7 32 bit. Created a shared folder to my C; drive so I can access the game and CE. But when I attach CE's debugger it still crashes the game.

You can read pixel from Mob's bar, if it's not there, then move to another mob, or read value from target's address (probably boolean 1 when targeted 0 when nothing), I'll look into it, when I have time.

Win7 is well known to have a lot of problems with CE, you should have installed XP on your VMWare instead.

Dang, gonna see if I still have an xp disc somewhere. Thx Mice

Edit 1: Well, the cracked xp I have installs fine when you boot from disc, format and install. But on a VM it asks for the cdkey. I'm so lucky. Guess I'll have to stick to olly only.

Well, LordPE confirmed it's Armadillo 1.71.

Now Called Winlicence.
Cool, my friend was right.

This whole unpacking stuff is quite new to me. Althought I'm able to attach olly and IDA I'm still not able to attach CE or MHS's debugger. It's all quite frustrating.

This might be a really stupid question but is it legal for a game's protection software to run parts of it's code in kernel mode? And I quote from winlicense site: ''WinLicense runs parts of its code in Kernel Mode to implement the most advanced techniques against modern cracking, making it a unique protector.''