Hello!
I would like to release and share my work (not all of it is my own work, e.g. the gateway exploit fix is by Dizzie).
Let's start:
BR ASM
Remove GS Dumps:
(RVA Offsets)
Code:
0x7FB2E0 - { 0xE9, 0xDF, 0x06, 0x00, 0x00, 0x90 }
0x8037A0 - { 0xE9, 0x1D, 0x04, 0x01, 0x90 }
Modify SM Rates:
(RVA Offsets)
0x40D75F - { 0x42 }
0x40D7FF - { 0x42 }
0x40D8DD - { 0x42 }
Also BR
Code:
this->_levelCapOffset_1 = (0x004D0DF2 + 2);
this->_masteryCapOffset_1 = (0x00479172 + 1); //v027 [4 bytes]
this->_disableDumps_1 = 0x008037A0; //retn + nop
this->_disableDumps_2 = 0x007FB2E0; //retn + nop
//debug [disable any messages in gameserver window]
this->_disableMsg_1 = (0x007D4700); //retn
this->_petLevelCapOffset_1 = (0x004C19F0 + 3); //0x64 [v027]
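The offsets above are RVAs (image-relative), and the bytes are written blind. To apply such a patch set to the file on disk you need the PE section table to turn each RVA into a file offset, and you want to compare the bytes you are about to overwrite against what you expect, so a patch set made for one build is not silently written into another. The Python below is an added example, not code from this post: it parses the PE headers with the standard library only, maps RVAs to file offsets, verifies expected original bytes before any write, and encodes E9/E8 rel32 instructions of the kind these patches use (the first BR patch, E9 DF 06 00 00, is a jmp 0x6DF bytes forward, which rel32() reproduces; it also reproduces the jump encodings in the ECSRO GM box code further down). The sample PE it builds, its single .text section and the "original" prologue bytes 55 8B EC are constructed for the demo. Note that the OllyDbg addresses elsewhere in this post are virtual addresses; subtract the ImageBase that parse_pe() returns to get the RVA.

```python
"""Added example: apply RVA byte patches to a PE file with a pre-write check."""
import struct


def parse_pe(pe: bytes):
    """Return (image_base, sections); each section is
    (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                       # PE32: ImageBase at +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    else:                                    # PE32+: ImageBase at +24, 8 bytes
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40        # section headers are 40 bytes each
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vaddr, vsize, rptr, rsize))
    return image_base, sections


def rva_to_offset(sections, rva: int) -> int:
    """Map an RVA to a file offset through the section that contains it."""
    for name, vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            if delta >= rsize:
                raise ValueError(f"RVA {rva:#x} is in the zero-filled tail of {name}")
            return rptr + delta
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def rel32(opcode: int, from_rva: int, to_rva: int) -> bytes:
    """Encode a 5-byte E9 (jmp) or E8 (call) with a rel32 displacement."""
    return bytes([opcode]) + struct.pack("<i", to_rva - (from_rva + 5))


def apply_patches(pe: bytes, patches) -> bytes:
    """patches: iterable of (rva, expected_original_bytes_or_None, new_bytes).
    Every expectation is checked before the first byte is written, so a patch
    set meant for another build fails cleanly instead of half-applying."""
    _, sections = parse_pe(pe)
    out = bytearray(pe)
    plan = []
    for rva, expected, new in patches:
        off = rva_to_offset(sections, rva)
        if off + len(new) > len(out):
            raise ValueError(f"patch at RVA {rva:#x} runs past end of file")
        if expected is not None and bytes(out[off:off + len(expected)]) != expected:
            raise ValueError(f"unexpected bytes at RVA {rva:#x}: "
                             f"{out[off:off + len(expected)].hex()}")
        plan.append((off, new))
    for off, new in plan:
        out[off:off + len(new)] = new
    return bytes(out)


def build_sample_pe() -> bytes:
    """Constructed 32-bit PE: one .text section at RVA 0x7FB000, raw offset 0x200,
    0x9000 bytes long, so the post's BR RVAs 0x7FB2E0 and 0x8037A0 fall inside it."""
    text_rva, text_raw, text_size = 0x7FB000, 0x200, 0x9000
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    sect = (b".text".ljust(8, b"\0")
            + struct.pack("<IIII", text_size, text_rva, text_size, text_raw)
            + b"\0" * 16)
    header = (dos + coff + bytes(opt) + sect).ljust(text_raw, b"\0")
    body = bytearray(b"\xCC" * text_size)
    for rva in (0x7FB2E0, 0x8037A0):                              # constructed prologues
        body[rva - text_rva:rva - text_rva + 6] = b"\x55\x8B\xEC\x83\xEC\x10"
    return header + bytes(body)


if __name__ == "__main__":
    pe = build_sample_pe()
    # First BR "remove GS dumps" patch from the post; the expected bytes are the constructed prologue.
    patched = apply_patches(pe, [(0x7FB2E0, b"\x55\x8B\xEC", bytes.fromhex("E9DF06000090"))])
    print("patched bytes:", patched[0x4E0:0x4E6].hex())
    print("jmp 0x7FB2E0 -> 0x7FB9C4 encodes as", rel32(0xE9, 0x7FB2E0, 0x7FB9C4).hex())
```

Run it against a real binary by reading the file into `pe` instead of build_sample_pe(); pass None as the expected bytes only when you have verified the build some other way, and keep a copy of the unpatched file.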
ECSRO
Code:
0047584D |. 3C 5A CMP AL,5A (5A = level 90; change this)
^ For the max level in the GameServer
Code:
005B53FC |> 80BC24 5803000>CMP BYTE PTR SS:[ESP+358],46
(46 = skills lv 70)
^ Client side, to make skills over lv 70 show (change 46 to, for example, 5A and skills of lv 90 will appear). That's if you work on an old ECSRO client and need to add skills of lv 90 or more.
------------------------------------
This exploit works with any server files:
Gateway exploit fix (the exploit allows you to send the SMC packet for {receive new patch}, which stops the gateway service):
Code:
right click -> Search for -> All commands
write there:
PUSH 6308
Change 6308 to anything else (the gateway will no longer be able to accept auto-updates from SMC), so you can use the original gateway for adding your update, then close it and use this one {will allow the client to update with no problems}.
Code:
change the 631D opcode to something else
^ VSRO only
-------------------------------------------
Agent server Exploit (Packets of crash)
Code:
Packets: 8 {8 ; 0}
Data size: 129 bytes {129 ; 0}
Total size: 532 bytes {449 ; 83}
Data rate: 0.9 KB/s
Capture time: 25.06.2013 22:43:46:552
==================================================
[25.06.2013 22:43:46:552]
00000000 25 00 00 50 00 00 0E 41 41 75 26 98 AE 82 E8 BB %..P...A Au&.....
00000010 00 00 00 19 00 00 00 99 25 03 DD BA 18 E0 1A C3 ........ %.......
00000020 D9 F4 5D 1B B4 69 6A AB 48 1C 21 09 00 00 50 00 ..]..ij. H.!...P.
00000030 00 10 47 48 EC 19 A3 DA 2F E9 0E 00 01 20 00 00 ..GH.... /.... ..
00000040 0B 00 41 67 65 6E 74 53 65 72 76 65 72 00 05 00 ..AgentS erver...
00000050 0D 60 00 00 01 01 00 05 20 0B 00 0D 60 00 00 00 .`......  ..`...
00000060 01 00 01 C3 02 05 00 00 00 02 05 00 0D 60 00 00 ........ .....`..
00000070 01 01 00 05 60 06 00 0D 60 00 00 00 03 00 02 00 ....`... `.......
00000080 02                                              .
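Before a capture like this is replayed against a server you want to see what it actually carries. The Python below is an added example, not part of the post: it transcribes the 129-byte dump above and splits it into packets, assuming the 6-byte header layout the dump itself exhibits (uint16 size, uint16 opcode, then two bytes that are assumed to be the client-security counter and CRC; the sizes line up exactly across all seven packets). The result is two 0x5000 packets, one 0x2001 packet whose payload is a length-prefixed "AgentServer" string, and four 0x600D packets. The splitter refuses a truncated stream instead of reading past the buffer, which is the first check a replay or fuzzing harness needs.

```python
"""Added example: split the captured AgentServer stream into its packets."""
import struct
from dataclasses import dataclass

# The 129-byte capture from the post, transcribed row by row from its hex dump.
AGENT_CAPTURE = bytes.fromhex(
    "25 00 00 50 00 00 0E 41 41 75 26 98 AE 82 E8 BB"
    "00 00 00 19 00 00 00 99 25 03 DD BA 18 E0 1A C3"
    "D9 F4 5D 1B B4 69 6A AB 48 1C 21 09 00 00 50 00"
    "00 10 47 48 EC 19 A3 DA 2F E9 0E 00 01 20 00 00"
    "0B 00 41 67 65 6E 74 53 65 72 76 65 72 00 05 00"
    "0D 60 00 00 01 01 00 05 20 0B 00 0D 60 00 00 00"
    "01 00 01 C3 02 05 00 00 00 02 05 00 0D 60 00 00"
    "01 01 00 05 60 06 00 0D 60 00 00 00 03 00 02 00"
    "02"
)

# Assumed header: uint16 payload size, uint16 opcode, uint8 security count, uint8 security CRC.
HEADER = struct.Struct("<HHBB")


@dataclass
class Frame:
    offset: int        # stream offset of the 6-byte header
    opcode: int
    sec_count: int     # assumption: client-security counter (0 throughout this capture)
    sec_crc: int       # assumption: client-security CRC (0 throughout this capture)
    payload: bytes


def split_frames(stream: bytes) -> list:
    """Walk the stream header by header; a size that points past the end is an error,
    never a read beyond the buffer."""
    frames, pos = [], 0
    while pos < len(stream):
        if pos + HEADER.size > len(stream):
            raise ValueError(f"truncated header at offset {pos:#x}")
        size, opcode, cnt, crc = HEADER.unpack_from(stream, pos)
        start, end = pos + HEADER.size, pos + HEADER.size + size
        if end > len(stream):
            raise ValueError(f"packet {opcode:#06x} at offset {pos:#x} claims {size} "
                             f"bytes, only {len(stream) - start} left")
        frames.append(Frame(pos, opcode, cnt, crc, stream[start:end]))
        pos = end
    return frames


def module_name(frame: Frame) -> str:
    """The 0x2001 payload starts with a uint16 length followed by the module name."""
    n = struct.unpack_from("<H", frame.payload, 0)[0]
    if 2 + n > len(frame.payload):
        raise ValueError("string length exceeds payload")
    return frame.payload[2:2 + n].decode("ascii")


def summary(frames) -> list:
    """(offset, opcode, payload length) per packet, for a quick look at a capture."""
    return [(f.offset, f.opcode, len(f.payload)) for f in frames]


if __name__ == "__main__":
    frames = split_frames(AGENT_CAPTURE)
    for off, op, n in summary(frames):
        print(f"offset {off:#04x}  opcode {op:#06x}  payload {n:3d} bytes")
    print("module:", module_name(frames[2]))
```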
----------------------------------------------------
SWSRO offsets
Code:
[serv lvl cap]
0x0046d73d -> cmp al, 78
[serv mastery limit]
0x00515963 -> cmp eax,14a
********************************
[client pt matching]
pt match : 0x004d4465
pt match : 0x004d43e7
pt match : 0x004d4448
pt search: 0x004d4465
[client mastery]
mastery1: 0x00451390 -> push 12c
mastery2: 0x00451452 -> push 12c
--------------------------------------------------------
SMC account connect with global
Code:
First you need to send a request packet:
just send a packet with opcode 0x7200.
After that you receive the packet 0xB200.
The structure is as follows:
01 01 49 51 CF D0 45 00 00 00 04 05 00 61 64 6D
69 6E 16 40 00 DD 07 05 00 02 00 15 00 08 00 19
00 2B 00 5A 03 00
byte - error flag
byte - new user flag
byte - ip1
byte - ip2
byte - ip3
byte - ip4
uint32 - userID
uint16 - username_strlen
stringASCII - username
byte - local
uint16 - serverID
uint32 - something to do with a time; I didn't figure out 100% what this is.
now there will be 12 unknown bytes
byte - whether there will be a new user or not.
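A decoder for this reply, as an added example that is not part of the post. It follows the field list above with one stated assumption: the list puts the local byte after the username, but the 38 sample bytes only yield a sane length field (05 00, "admin") if that single byte (04) is read before the uint16 length, so the decoder reads it there. Every read is bounds-checked, the string length is capped before it is used, and whatever the field list does not account for is returned as remaining rather than dropped (one 00 byte is left over in the sample). build_request() frames the empty 0x7200 request, assuming a 6-byte header of uint16 size, uint16 opcode and two zero security bytes.

```python
"""Added example: decode the SMC 0xB200 login reply by the post's field list."""
import struct
from dataclasses import dataclass

# The 38 bytes the post shows for the 0xB200 reply.
B200_SAMPLE = bytes.fromhex(
    "01 01 49 51 CF D0 45 00 00 00 04 05 00 61 64 6D"
    "69 6E 16 40 00 DD 07 05 00 02 00 15 00 08 00 19"
    "00 2B 00 5A 03 00"
)


class Reader:
    """Bounds-checked little-endian cursor; every read fails loudly on a short buffer."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated: need {n} byte(s) at offset {self.pos}, "
                             f"have {len(self.data) - self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("<H", self.take(2))[0]

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def string(self, limit: int = 64) -> str:
        n = self.u16()
        if n > limit:                      # refuse a hostile length before reading it
            raise ValueError(f"string length {n} exceeds limit {limit}")
        return self.take(n).decode("ascii", "replace")

    def rest(self) -> bytes:
        return self.take(len(self.data) - self.pos)


@dataclass
class LoginReply:
    error: int
    new_user: int
    ip: str
    user_id: int
    local: int
    username: str
    server_id: int
    time_raw: int        # the post's "something with a time", left undecoded
    unknown: bytes       # the 12 unknown bytes
    new_user_flag: int
    remaining: bytes     # bytes the field list does not account for


def decode_b200(payload: bytes) -> LoginReply:
    r = Reader(payload)
    error, new_user = r.u8(), r.u8()
    ip = ".".join(str(b) for b in r.take(4))
    user_id = r.u32()
    local = r.u8()       # assumption: read here, before the length, not after the name
    username = r.string()
    server_id = r.u16()
    time_raw = r.u32()
    unknown = r.take(12)
    new_user_flag = r.u8()
    return LoginReply(error, new_user, ip, user_id, local, username,
                      server_id, time_raw, unknown, new_user_flag, r.rest())


def build_request() -> bytes:
    """Empty 0x7200 request: size 0, opcode 0x7200, two zero security bytes (assumed header)."""
    return struct.pack("<HHBB", 0, 0x7200, 0, 0)


if __name__ == "__main__":
    print("request:", build_request().hex(" "))
    print(decode_b200(B200_SAMPLE))
```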
-----------------------------------------------------------
VSRO fully gameserver config
Code:
SR_GameServer
{
certification (str), port -> certification IP and port, e.g. "127.0.0.1", 32000
certification_ip_bind (str?) -> certification IP, "127.0.0.1"
ReportConnectionLog -> unknown
MaxSendQueDepth (int) -> unknown
PromptAtClose -> is the user a dummy who could close the GS accidentally? :D
WritePerLogToText -> write log? unknown
CONTROL_NOTIFY_SPAWN_UNIQUE_MONSTER_MSG (enabled by default, ON) -> prints a notice in the GS window if a unique appears
DO_NOT_SPAWN_MONSTER_OVER_MAX_SERVICE_LEVEL (enabled by default, ON) -> probably won't spawn monsters above the level cap that is set
ENTERWORLD_LIMIT_CONDITION_FLEAMARKET (enabled by default) -> unknown
ENTERWORLD_LIMIT_CONDITION_TRADE (enabled by default) -> unknown
CAN_WEARING_CONDITION_TRIJOB_EQUIP (enabled by default) -> unknown
CAN_WEARING_CONDITION_FREEBATTLE_EQUIP (enabled by default) -> unknown
MONSTER_AGGRO_LINK_DECREASE_RATIO (unknown, should be int) -> decrease aggro amount? O_o unknown, not tested
ExpRatio -> experience ratio (individual)
ExpRatioParty -> experience ratio (in party)
DropItemRatio -> item drop ratio (overall)
DropGoldAmountCoef -> gold drop amount multiplier
HwanGainFactor (berserker gaining speed) -> berserker gain speed? not tested
ShowFormulaDetail -> unknown
ShowGameServerDisplay -> allow showing details in the GS window
PCSpeedRatio -> unknown
GiantMonster_SpawnRatio -> ratio for spawning giant monsters
WINTER_EVENT_2009 (EVENT_ON) -> winter event enabled?
EnableScheduleJobLogFatal -> unknown
SET_FEE_RATE -> probably fortress fee rate [buy]
SELL_FEE_RATE -> probably fortress fee rate [sell]
PARTYMONSTER_SPAWN (ON/OFF) ???? -> should we spawn party monsters?
GAMEWORLD_ENTRY_UNTOUCHABLE_TIME (ON/OFF) ???? -> probably the 5 seconds before exiting the game and such shit timers
MAX_SQUAD_MEMBER_COUNT (int?) -> probably party max members
<! UNKNOWN SETTINGS CONTEXT !>
<! I think that's the max level limit for the party matching restriction, or something like that ^_^ !>
ENTER_LIMIT_CONDITION_ENTRY (int) -> unknown
ENTER_LIMIT_CONDITION_PARTY (int) -> unknown
ENTER_LIMIT_CONDITION_GAME_WORLD_ASSIGNED (on/off) -> unknown
ENTER_LIMIT_CONDITION_JOB_CLOTHES_PUT_ON (on/off) -> unknown
ENTER_LIMIT_CONDITION_JOB_CLOTHES_TAKE_OFF (ON/OFF) -> unknown
ENTER_LIMIT_CONDITION_LEVEL_MINIMUM_NUM (INT) -> unknown
ENTER_LIMIT_CONDITION_LEVEL_MAXIMUM_NUM (INT) -> unknown
ENTER_LIMIT_CONDITION_MAX_LEVEL_MINIMUM_NUM (INT) -> unknown
ENTER_LIMIT_CONDITION_MAX_LEVEL_MAXIMUM_NUM (INT) -> unknown
ENTER_LIMIT_CONDITION_ENTRY_MAXIMUM_NUM (INT) -> unknown
<! UNKNOWN SETTINGS CONTEXT !>
<! entering some world restrictions? O_o !>
ENTER_LIMIT_CONDITION_RIDE_COS_RIDING (ON/OFF) -> has to ride a COS?
ENTER_LIMIT_CONDITION_RIDE_COS_NOT_RIDING (ON/OFF) -> has to not be riding a COS?
ENTER_LIMIT_CONDITION_TRADE_COS_RIDING (ON/OFF) -> has to ride a trade pet?
ENTER_LIMIT_CONDITION_TRADE_COS_NOT_RIDING (ON/OFF) -> has to not be riding a trade pet?
ENTER_LIMIT_CONDITION_FRPVP_VOUCHER_PUT_ON (ON/OFF) -> has to wear a PvP voucher?
ENTER_LIMIT_CONDITION_FRPVP_VOUCHER_TAKE_OFF (ON/OFF) -> has to not be wearing a PvP voucher?
ENTER_LIMIT_CONDITION_TEMPLE_ASSOCIATION (ON/OFF) -> unknown, maybe can't be in a temple association?
<! UNKNOWN SETTINGS CONTEXT !>
<! entering some world restrictions? O_o !>
ENTER_LIMIT_CONDITION_TEMPLE_ASSOCIATION_MINIMUM_NUM (INT) -> unknown, maybe job level? (1-5)
ENTER_LIMIT_CONDITION_TEMPLE_ASSOCIATION_RATE_MERCHANT_HUNTER (INT) -> unknown, maybe job level? (1-5)
ENTER_LIMIT_CONDITION_TEMPLE_ASSOCIATION_RATE_THIEF (INT) -> unknown, maybe job level? (1-5)
USER_COUNTING_ON_TEMPLE_ASSOCIATION (ON/OFF) -> unknown, but it means something if the user is at a temple association, but WHAT?!
FAILED_ENTER_WORLD_TO_SPECIAL_TARGET_SWITCH (ON/OFF) -> unknown
NOTEXIST_PARTY_RESTRICTION_ATTACK (ON) -> unknown
NOTEXIST_PARTY_RESTRICTION_ITEM (ON/OFF) -> unknown
NOTEXIST_PARTY_RESTRICTION_EXP (ON/OFF) -> unknown
}
--------------------------------------------------------
VSRO rates FIX
Code:
Individual experience ratio
0042714C F6C4 50 TEST AH,42
Party experience ratio
004271F5 F6C4 42 TEST AH,42
Item drop rate
004272A0 F6C4 42 TEST AH,42
Gold drop amount rate
00427349 F6C4 42 TEST AH,42
Hwan (berserker) gain factor
004273CA |. F6C4 44 TEST AH,42
Bypass creation of huge .dmp files (less lag)
00964060 81EC 6C060000 SUB ESP,66C
****************************************
Change all to
jmp 009642FD
--------------------------------------------------------------------
ECSRO files fixes
Code:
Mastery:
CMP EAX,(max mastery in hex)
Max level:
CMP AL,(max lv in hex)
ASCII .\GObjPC.cpp
ASCII Clamp () ==> min(%d) exceeded max (%d) value), File %s, Line: %d
QWord (8-byte) stack alignment
CMP BYTE PTR DS:[ESI+58],(max lv in hex)
Fix job suit bug:
search for call 00726760 (the first) / CALL 00724240
go to this call
scroll until
007267B9 >^\E9 12DFFFFF jmp 007246D0
007267BE >^ E9 8DDFFFFF jmp 00724750
select them and change them to NOP
Fix Shinmoo bug:
search for jnz short 0074B125 / JNE SHORT 00748B85
modify JNZ short 0074B125 and JNE SHORT 0074B143 / JNE SHORT 00748BA3 to JMP
Fix ban bug:
0047FC2B |. /76 05 jbe short 0047FC32 ; fix: jmp
Fix right-click skill disable:
go to 0060C827
from 0060C83E to 0060C860 NOP everything
then
CPU Disasm
Address Hex dump Command Comments
0060C839 |. E8 92D1E0FF CALL 004199D0
0060C83E 8B02 MOV EAX,DWORD PTR DS:[EDX]
0060C840 B9 43485F00 MOV ECX,005F4843
0060C845 21C8 AND EAX,ECX
0060C847 3BC1 CMP EAX,ECX
0060C849 74 17 JE SHORT 0060C862
0060C84B EB 65 JMP SHORT 0060C8B2
NOP
NOP
...
Add GM box paste:
To 005018C3
change to jmp 009C96C4
Then to 005E0AE9
change to jmp 009C96FE
to 009C96C4
New Code:
009C96C4 60 pushad
009C96C5 8B0D 04F5A900 mov ecx, dword ptr [A9F504]
009C96CB 8B89 40030000 mov ecx, dword ptr [ecx+340]
009C96D1 85C9 test ecx, ecx
009C96D3 74 1D je short 009C96F2
009C96D5 83BF 18010000 10 cmp dword ptr [edi+118], 10
009C96DC 72 08 jb short 009C96E6
009C96DE 8B87 04010000 mov eax, dword ptr [edi+104]
009C96E4 EB 06 jmp short 009C96EC
009C96E6 8D87 04010000 lea eax, dword ptr [edi+104]
009C96EC 50 push eax
009C96ED E8 FE5CAFFF call 004BF3F0
009C96F2 61 popad
009C96F3 E8 D83CF5FF call 0091D3D0
009C96F8 ^ E9 CB81B3FF jmp 005018C8
009C96FD 90 nop
009C96FE 60 pushad
009C96FF 8B0D 04F5A900 mov ecx, dword ptr [A9F504]
009C9705 8B89 40030000 mov ecx, dword ptr [ecx+340]
009C970B 85C9 test ecx, ecx
009C970D 74 0A je short 009C9719
009C970F 8B4424 44 mov eax, dword ptr [esp+44]
009C9713 50 push eax
009C9714 E8 D75CAFFF call 004BF3F0
009C9719 61 popad
009C971A E8 51A7A5FF call 00423E70
009C971F ^ E9 CA73C1FF jmp 005E0AEE
009C9724 90 nop
Again, not all of this work was done by me (the ECSRO and Agent parts are mine).
Regards,
Dr.Abdelfattah