[New Possible Mod Idea] Always Enable sniper_mode ?

[P2933]Step29 · 10/07/2014, 20:50

Hi, Before I say anything I'll release a little info about myself.

I've been playing this game on and off for a while now, since 2011 I believe. I've always been interested in modifying game code to change the rules around. I've been learning and still am, ASMx86 for 4 years on a different game. However I have never done this on S4 league so the enviroment, and methods are very different then what I used to do @ my other game.

I'm also known as a "booster", meaning I don't go around 1 hit KOing everyone with 10x speed and rapid firing everyone. I'd like a bit of 140hp here and 2.1 damage muliplier there.

Onwards now. Back at 2012 there used to be this mod called "X7 Loader" it was made by zYan, to this day I still think that was the best ******* mod ever then all these trainers and ****.

in _eu_weapon.x7 there is a string called "support_sniper_mode", if it's set to 1 then when you right click during gameplay the crosshair will zoom in a little, giving a bit of aim support. If it set to 0 then obviously, it does nothing. And if the string doesn't exist on the <weapon> tag then, obviously it's set to 0 by default.

Back when we had x7 loader I would always used to add sniper mode on my Assult Rifle, Submachine guns and homing guns.

Now that we don't have x7 loader anymore,

the only way to figure this out myself is finding the 0 and 1s.

and so far...it's a mess, but i'm getting there.

anyways it seems that, weirdly even if I force the value to set to 1, it STILL won't work, so I'm looking thur why it wont. I'm still experimenting but I gotta go to work now, has any one else done this before?

PÐPplàÿər · 10/07/2014, 21:05

Pinki's res tool it's working fine.

~~Viroouz~~ · 10/07/2014, 22:21

Try it with the dumped Client and u will get some more Informations about S4 and so.

[P2933]Step29 · 10/08/2014, 09:25

Quote:

Originally Posted by PÐPplàÿər

Pinki's res tool it's working fine.

Did you forget that paticular .x7 is server-sided and is related to the screenshot I just posted?

I went ahead and edited _eu_weapon.x7 and replaced it, Didn't work, no changes on my side.

Quote:

Originally Posted by Viroouz

Try it with the dumped Client and u will get some more Informations about S4 and so.

Honestly the dump doesn't show that much in my personal opinion, Hell we don't even have Pink Calls for other modules in this dump.

GG on that "extra info" however
Really useful.

Omdi · 10/08/2014, 09:41

I am glad to see someone still knows zYan

Actually you could try to hook the xbn decrypt function and modify the files there.
Search for ".xbn" and you should be able to find the encryption (xor)

[P2933]Step29 · 10/08/2014, 18:52

Quote:

Originally Posted by Omdihar

I am glad to see someone still knows zYan
Actually you could try to hook the xbn decrypt function and modify the files there.
Search for ".xbn" and you should be able to find the encryption (xor)

Ahh ok, only issue is I can't find the Function itself @ the dump

Here we have the 8 checks that downloads all those xbn files. I have set up a breakpoint at all of those 8 during the starting of the client and during gameplay, yet not 1 breakpoint has been triggered no matter how long I stay in the game, so I am a bit confused on how it works right here as well

Also, is the xbn files stored on files or does it unload itself on RAM?
and what would happen if, Instead of trying to figure out the decyption, if you can just simply block the downloading of the xbn files instead? Would that work as well? I would imagine it being as simple as a Long JE -> JMP

I've seen your avatar a lot for a long while, 2 years I think, I think you're one of those smart ones and knows a lot about the ASM environment to the S4 league, sorry if my questions sound dumfounded to you

Omdi · 10/08/2014, 19:56

Quote:

I've seen your avatar a lot for a long while, 2 years I think, I think you're one of those smart ones and knows a lot about the ASM environment to the S4 league, sorry if my questions sound dumfounded to you

Probably I am looking so familiar to you because I am the creator of the x7Loader

Lemme show you how to find the encryption

!

I used an old unpacked client but it should not vary much from your client.
Search for ".xbn"

Actually the function decrypts the client-sided xbn/x7 files here.

Starting IDA -> Goto Expression -> 0047EC20
Decompile ... hehehe!

Follow the marked function and decompile it!11!!

Now you have the encryption, but be aware that you can't simply decrypt a whole xbn file by passing it to the xor encryption. As you can see in the function calling the xor encryption, it is decrypting specific bytes. You have to look further in it, I am too lazy to do it by myself

Actually the function calling the xor encrypt is for the client-sided files. You may need to follow the xrefs to the xor encryption to find the function handling the files sent by the server

[P2933]Step29 · 10/09/2014, 00:15

Woo, I had a nice nap today~

Quote:

Originally Posted by Omdihar

Probably I am looking so familiar to you because I am the creator of the x7Loader

Why was it discontinued? That was such a god tier tool right there
It didn't need all this "Injection bypass" bull and anything like that. It was perfect for boosters like me, I loved creating my own x7 files on that thing, especially the ability to play any animations during gameplay, which I just re-created today

Quote:

Lemme show you how to find the encryption !

I used an old unpacked client but it should not vary much from your client.
Search for ".xbn"

Actually the function decrypts the client-sided xbn/x7 files here.

Starting IDA -> Goto Expression -> 0047EC20
Decompile ... hehehe!

Follow the marked function and decompile it!11!!

Now you have the encryption, but be aware that you can't simply decrypt a whole xbn file by passing it to the xor encryption. As you can see in the function calling the xor encryption, it is decrypting specific bytes. You have to look further in it, I am too lazy to do it by myself

Actually the function calling the xor encrypt is for the client-sided files. You may need to follow the xrefs to the xor encryption to find the function handling the files sent by the server

Seems like they removed the .xbn string and made it unreadable, Thanks to your function however I was able to retrive it back via Array of Bytes.

It was moved all the way to 011XXXXX instead of 0040XXXX. Also the Address is red, which states that no XREFs seems to exist for this function, making this function unused?

Well I putted a Tracer Breakpoint on

The Beginning of the Address
The Ending of the Address
Inside the CALL on the Decypt function you highlighted (011465F0) (After mov ecx,[ebp-58])
and
Inside the CALL (MSVCR80. FOPEN_S) (Before the CMP/JNE, ADD ESP,0C)

and putted all 4

when Hack shield was trying to load (with the Bypass DLL obviously).

NONE of them was triggered. after logging in and Starting a Game in Pratice Mode

I went to CE to see if there was a new encpytion for .xbn . I removed the useless 10 (it wasn't 8, opps) checks that they coded

Still just 1. Which only leads to the addresses we already put a breakpoint @ there.

So if the function is not being used at all...How is the client getting the servers .xbns in the first place?

Also, I don't want to be rude by asking, but by any chance do you have a skype that I can add you, so we can discuss about this more without waiting? I have no connections here in the S4 league mod community, so for the most part I've been trying to figure out stuff solo until 3 days ago

Neyil · 10/09/2014, 03:42

The bypass is your problem. Search for hackshield.

[P2933]Step29 · 10/09/2014, 03:53

Quote:

Originally Posted by Neyil

The bypass is your problem. Search for hackshield.

ಠ_ಠ

-PinkiWinki- · 10/09/2014, 07:03

XBN files are sent once every client start in server selection and the encryption is still the same. Also XBN files are not in plain text, it's a simple binary file format.

[P2933]Step29 · 10/09/2014, 07:58

Quote:

Originally Posted by -PinkiWinki-

XBN files are sent once every client start in server selection and the encryption is still the same. Also XBN files are not in plain text, it's a simple binary file format.

Evaluate "Client Start"

Because I put in the Breakpoints for that Encyption Function as fast as I could before the logos shows up., if it's still the same, why does my breakpoint tracer does nothing to it?

onahoe · 10/09/2014, 08:32

Idk but slicktors/xavisions bypass isn't working correctly for me, maybe there's the problem? ;o I can't set breakpoints and the debugger isn't listing anything.. Try again by using a simple 5min bypass. (use ServiceDispatch (Ehsvc.10))

xKemya · 10/09/2014, 14:37

For a 5 min bypass, I think that this still works <<

>>

[P2933]Step29 · 10/09/2014, 16:42

The xavisions bypass works perfectly for me and I am able to put in tracers/breakpoint during gameplay.

So the bypass ISNT the problem
The problem is not being able to find the xbn function inside the client