Perfect World Loader

Discussion on Perfect World Loader within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.

Old 02/17/2012, 04:10   #31
 
elite*gold: 0
Join Date: Sep 2010
Posts: 16
Received Thanks: 2
Anyone know how to fix this code so that it will work with 312?

All I really want is the unfreeze and the zoom hack, but can't figure out how to edit the code for it.
SylenThunder is offline  
Old 02/17/2012, 09:52   #32
 
elite*gold: 10
Join Date: Sep 2010
Posts: 400
Received Thanks: 234
Do you mean 612?


Quote:
Originally Posted by SylenThunder View Post
Anyone know how to fix this code so that it will work with 312?

All I really want is the unfreeze and the zoom hack, but can't figure out how to edit the code for it.
dumbfck is offline  
Old 02/17/2012, 15:11   #33
 
elite*gold: 0
Join Date: Sep 2010
Posts: 16
Received Thanks: 2
Quote:
Originally Posted by dumbfck View Post
Do you mean 612?
yes, 612 LOL, and I was reading up on that, but my knowledge of programming is currently limited to html and a little java. I was trying to figure out what it was that I am supposed to change...

For example, he shows:
Video Hack:
CECGame::Run(), break because CECGameRun::Tick return false <<Search this text
jmp 0042bfac
cmp [esi+00000418],bl
je XXXXXXXX
Nop BELOW cmp(fill with nops)

but I can't figure out what that means to do.
SylenThunder is offline  
Old 02/17/2012, 16:52   #34
 
elite*gold: 10
Join Date: Sep 2010
Posts: 400
Received Thanks: 234
I've never actually used the zoom hack as I've had no purpose for it. I'll take a look now and see if I can explain it any simpler :P
The unfreeze thing is easy though - I'll explain that too when I get back.

Ok, I cheated a bit to arrive at this method by starting at the , but this method should hopefully work after updates without relying on code sequences - I think they have compiled the new client using a different compiler version or perhaps used optimisations or something... I don't know. All I know is that all my old code snippets don't match anymore, so something is quite different in the general code structure.

It's one thing to give offsets and stuff to do something, but I feel it's nicer to explain how and why you do something... "give a man a fish" and all that :P
So, here's how to find the offsets for zoom hack and how to patch it, from first principles.

In game:
Zoom out fully
Search in CE for float value of 20.0 - select truncated option
Zoom in a click or two
Search for decreased value
Zoom in another click or two
Search for decreased value

You should now have one value in the list that is fully truncated to a decimal number, which decreases or increases by 1 each time you zoom in or out respectively. That's the offset we're interested in.
Just to double check it's the right one, double click it to add it to your address list in CE, then freeze it. Now, when you zoom in or out in game, it should start zooming then bounce back to the position it was in.

Make a note of this address and load up OllyDbg, attach to elementclient and let it run.
In the memory view window, click somewhere and hit Ctrl+G and go to the address you just found in CE. Right click it and add a memory breakpoint on write access.
Now go in game and zoom out.
It should break at 0x439F11 (in v612)
If we examine the section of code around there, we can inspect what's happening when you zoom out...

Code:
00439F0D  |.  D94424 20     FLD DWORD PTR SS:[ARG.1]
00439F11  |.  D956 40       FST DWORD PTR DS:[ESI+40]
00439F14  |.  D8D9          FCOMP ST(1)
00439F16  |.  DFE0          FSTSW AX
00439F18  |.  F6C4 41       TEST AH,41
00439F1B  |.^ 0F85 1DFFFFFF JNE elementclient.00439E3E

FLD DWORD PTR SS:[ARG.1] - Here we are loading the zoom value that the client is requesting that we go to on to the FPU register stack (at ST0)

FST DWORD PTR DS:[ESI+40] - Here we store that value from ST0 to some destination memory location, in this case, ESI+40 - which is the address we found in CE

FCOMP ST(1) - Now we compare that value with the value that is stored in the FPU register stack at ST1 - If you breakpoint here, you can see that this has already been loaded with a value of 20.0000000000000 (we are allowed to zoom to any value between 1.0 and 20.0)

FSTSW AX - This stores the result of that last comparison into EAX, well, the lower 2 bytes of EAX

Next we are basically comparing if the truncated result of the comparison was equal or not.

JNE elementclient.00439E3E - Jump if Not Equal

If it wasn't equal, we jump back somewhere (i.e., the code which lets us zoom out) else it prevents zooming out.

So what we want to do is take that jump regardless of the comparison result, so we replace the JNE opcode with a JMP.

To do this, click on the JNE line in OllyDbg and hit space which allows us to modify the opcode. Just change the JNE to JMP - the opcode sizes are different, so Olly will automatically add an extra NOP after the instruction to pad out the extra byte.

Now test it - you should be able to zoom out as far as you like ^_^


So, we have a working zoom hack, but of course we don't want to load up a debugger every time we want to use it, so let's modify the actual elementclient file.
This is pretty simple...
First make a backup copy of your original elementclient.exe file in case something goes tits-up.
Now, just right click anywhere in the code section in Olly and right click -> Copy to executable -> all modifications. Then click 'Copy All'. When you close the little window that pops up, it will say something like
Code:
---------------------------
File changed
---------------------------
Dump of file 'C:\Perfect World Entertainment\Perfect World International\element\elementclient.exe' differs from original. Do you want to save modified file to disk? If you answer 'Yes', you will be asked for the filename. If you answer 'No', you will lose any changes you have made.
---------------------------
Yes   No   Cancel   
---------------------------
Just click Yes, save as elementclient.exe and it's all done ^_^
dumbfck is offline  
Thanks
1 User
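The six-byte JNE at 00439F1B and the five-byte JMP that replaces it encode their target the same way (a signed 32-bit displacement from the next instruction), which is why Olly has to add a NOP. The following is an added example, not code from dumbfck or from the game: a small integrity check of the kind a game operator or anti-tamper module would run over that code region, decoding whichever branch is present and reporting whether the zoom-limit check is still conditional. The "original" bytes are taken from the listing above; the "patched" image is constructed by hand to mirror the listing after the JNE-to-JMP edit, and the base address 0x439F0D is assumed to be where that listing starts.

```python
"""
Added example (not from the thread): decode the branch that guards the zoom
limit in the listed code region and verify it is still the conditional JNE
that the unmodified client ships with.

Assumptions: the instructions at 0x439F0D..0x439F20 are laid out exactly as
the OllyDbg listing in the post shows, and PATCHED is a hand-constructed image
of the same region after Olly's edit (E9 rel32 followed by a NOP pad byte).
"""
import struct

BASE = 0x00439F0D  # assumed address of the first instruction in the listing

# Constructed image of the original sequence (bytes copied from the listing).
ORIGINAL = bytes.fromhex(
    "D9442420"      # FLD DWORD PTR SS:[ARG.1]
    "D95640"        # FST DWORD PTR DS:[ESI+40]
    "D8D9"          # FCOMP ST(1)
    "DFE0"          # FSTSW AX
    "F6C441"        # TEST AH,41
    "0F851DFFFFFF"  # JNE elementclient.00439E3E
)

# Constructed image after the edit: JMP rel32 (5 bytes) plus the NOP Olly pads with.
PATCHED = ORIGINAL[:-6] + bytes.fromhex("E91EFFFFFF90")

JNE_OFFSET = 0x00439F1B - BASE  # byte offset of the branch within the region (14)
GUARD_TARGET = 0x00439E3E       # where the conditional branch is supposed to go


def decode_branch(image: bytes, base: int, offset: int):
    """Decode a rel32 branch at image[offset]; return (mnemonic, target, length)."""
    op = image[offset]
    if op == 0xE9:                                   # JMP rel32
        mnem, length = "jmp", 5
        rel = struct.unpack_from("<i", image, offset + 1)[0]
    elif op == 0x0F and image[offset + 1] == 0x85:   # JNE rel32 (near Jcc form)
        mnem, length = "jne", 6
        rel = struct.unpack_from("<i", image, offset + 2)[0]
    else:
        raise ValueError(f"unexpected opcode {op:#04x} at {base + offset:#010x}")
    # The displacement is relative to the address of the *next* instruction.
    target = (base + offset + length + rel) & 0xFFFFFFFF
    return mnem, target, length


def zoom_guard_intact(image: bytes, base: int = BASE) -> bool:
    """True only if the zoom-limit check is still a conditional JNE to 0x439E3E."""
    mnem, target, _ = decode_branch(image, base, JNE_OFFSET)
    return mnem == "jne" and target == GUARD_TARGET


def describe(image: bytes, base: int = BASE) -> str:
    """One-line human-readable summary of the branch found in the region."""
    mnem, target, length = decode_branch(image, base, JNE_OFFSET)
    trailing = image[JNE_OFFSET + length:]
    note = " (NOP pad follows)" if trailing == b"\x90" else ""
    return f"{base + JNE_OFFSET:#010x}: {mnem} {target:#010x}{note}"


if __name__ == "__main__":
    for name, img in (("original", ORIGINAL), ("patched", PATCHED)):
        status = "intact" if zoom_guard_intact(img) else "TAMPERED"
        print(f"{name:9s} {describe(img)} -> {status}")
```

Both images decode to the same target, 0x00439E3E, which is the point: the edit does not change where the code goes, only whether the FCOMP result still matters. A real check would hash the whole code section rather than decode one branch, but decoding shows concretely what the TEST/JNE pair was guarding.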