Old Item Mall / Old Mainpop

~~modyuasty3~~ · 03/04/2020, 10:15

Hello guy's today i make this system in server with media.pk but is have something wrong where i can fix this I THINK This want some C++ Code to fix?

here when press button to buy item from Item mall get Crash ..

This System i can't find file or how make it in my system ! i hope helps !

florian0 · 03/04/2020, 19:58

Quote:

Originally Posted by modyuasty3

This System i can't find file or how make it in my system ! i hope helps !

The buttons are still there. They are just hidden in CIFMainFrame::OnCreate

Code:

this->m_btnSkill->ShowGWnd(false);
this->m_btnAction->ShowGWnd(false);
this->m_btnParty->ShowGWnd(false);
this->m_btnCharacter->ShowGWnd(false);
this->m_btnQuest->ShowGWnd(false);
this->m_btnApprentice->ShowGWnd(false);

The part starts at 006a28ff and ends at 006a295f. You need to either JMP that part, or fill it with NOPs entirely.

~~modyuasty3~~ · 03/04/2020, 22:52

Quote:
Originally Posted by florian0
The buttons are still there. They are just hidden in CIFMainFrame::OnCreate
Code:
this->m_btnSkill->ShowGWnd(false);
this->m_btnAction->ShowGWnd(false);
this->m_btnParty->ShowGWnd(false);
this->m_btnCharacter->ShowGWnd(false);
this->m_btnQuest->ShowGWnd(false);
this->m_btnApprentice->ShowGWnd(false);
The part starts at 006a28ff and ends at 006a295f. You need to either JMP that part, or fill it with NOPs entirely.

i think you know how make it to working but i am not know what do to is work done

Explain more that I am learning from you to increase my experience in this field ! i hope you help me to add this system

sarkoplata · 03/06/2020, 02:54

@

if you share the proper pk2 files for the Item Mall, I'll share the asm fixes, if I can fix them.

paradise1992 · 03/11/2020, 16:59

Quote:

Originally Posted by sarkoplata

@ if you share the proper pk2 files for the Item Mall, I'll share the asm fixes, if I can fix them.

qq909047432 · 03/13/2020, 17:28

Quote:

Originally Posted by sarkoplata

@ if you share the proper pk2 files for the Item Mall, I'll share the asm fixes, if I can fix them.

florian0 · 03/14/2020, 18:31

Quote:

Originally Posted by modyuasty3

i think you know how make it to working but i am not know what do to is work done Explain more that I am learning from you to increase my experience in this field ! i hope you help me to add this system

This is one call to ShowGWnd. It's a

. The function address is stored in EAX and read from the virtual function table at offset 0x5c.

A function call in general consists of PUSH and CALL (and maybe ADD ESP, x). Each PUSH is likely to be that argument of a function call. ShowGWnd has only one argument. You can see that because there is only one PUSH. PUSH EBX will pass a 0 to the function (because EBX was set no 0 waaaaayyyyyyy earilier in that function). So ShowGWnd(false). But we don't know what to modify with ShowGWnd(false). The object to modify is stored in ECX. It's also called the

(Ghidra named it 'this' automatically). 'This' comes from the result of [ESI + 0x7dc], which is m_btnInventory.

I know it's m_btnInventory because I have seen 0x7dc before. Right here:

This part retrives a control with the ID 0xC (12). And 12 is our Inventory Button. I got the ID from ifmainpopup.txt

So in order to make the stuff show instead of hide, you could just skip calling ShowGWnd. That means you replace the PUSH and the CALL with a NOP.

Since you now learned something, you can go and test it out. My proposed change does show the buttons, but not the background. But have no fear. The call for hiding the background is a little below the region I proposed. You only need to recognize the virtual call and the parameter. Replace it with NOP, done.

ZαKuRα · 03/14/2020, 19:46

Quote:

Originally Posted by florian0

This is one call to ShowGWnd. It's a . The function address is stored in EAX and read from the virtual function table at offset 0x5c.

A function call in general consists of PUSH and CALL (and maybe ADD ESP, x). Each PUSH is likely to be that argument of a function call. ShowGWnd has only one argument. You can see that because there is only one PUSH. PUSH EBX will pass a 0 to the function (because EBX was set no 0 waaaaayyyyyyy earilier in that function). So ShowGWnd(false). But we don't know what to modify with ShowGWnd(false). The object to modify is stored in ECX. It's also called the (Ghidra named it 'this' automatically). 'This' comes from the result of [ESI + 0x7dc], which is m_btnInventory.

I know it's m_btnInventory because I have seen 0x7dc before. Right here:

This part retrives a control with the ID 0xC (12). And 12 is our Inventory Button. I got the ID from ifmainpopup.txt

So in order to make the stuff show instead of hide, you could just skip calling ShowGWnd. That means you replace the PUSH and the CALL with a NOP.

Since you now learned something, you can go and test it out. My proposed change does show the buttons, but not the background. But have no fear. The call for hiding the background is a little below the region I proposed. You only need to recognize the virtual call and the parameter. Replace it with NOP, done.

thanks for sharing all your knowledge always without selfishness

only need to fix the quest that does not come out

sarkoplata · 03/14/2020, 19:53

Quote:

Originally Posted by ZαKuRα

thanks for sharing all your knowledge always without selfishness

only need to fix the quest that does not come out

You can use the new quest window.

PHP Code:



void CGInterface::SwitchQuestWindow()
{
    return reinterpret_cast<void(__thiscall*)(CGInterface*)>(0x007990E0)(this);
}

fanyaodd · 03/18/2020, 14:43

Quote:

Originally Posted by florian0

This is one call to ShowGWnd. It's a . The function address is stored in EAX and read from the virtual function table at offset 0x5c.

A function call in general consists of PUSH and CALL (and maybe ADD ESP, x). Each PUSH is likely to be that argument of a function call. ShowGWnd has only one argument. You can see that because there is only one PUSH. PUSH EBX will pass a 0 to the function (because EBX was set no 0 waaaaayyyyyyy earilier in that function). So ShowGWnd(false). But we don't know what to modify with ShowGWnd(false). The object to modify is stored in ECX. It's also called the (Ghidra named it 'this' automatically). 'This' comes from the result of [ESI + 0x7dc], which is m_btnInventory.

I know it's m_btnInventory because I have seen 0x7dc before. Right here:

This part retrives a control with the ID 0xC (12). And 12 is our Inventory Button. I got the ID from ifmainpopup.txt

So in order to make the stuff show instead of hide, you could just skip calling ShowGWnd. That means you replace the PUSH and the CALL with a NOP.

Since you now learned something, you can go and test it out. My proposed change does show the buttons, but not the background. But have no fear. The call for hiding the background is a little below the region I proposed. You only need to recognize the virtual call and the parameter. Replace it with NOP, done.

I still don't understand. Can you elaborate？

florian0 · 03/18/2020, 16:46

Quote:

Originally Posted by fanyaodd

I still don't understand. Can you elaborate？

Okay. Lets go.

Load up your favourite disassembler. I'm using x32dbg.

I gave away the addresses to look at. Explaining how I got there is part of another story.

Press Ctrl+G, enter the address you want to go to:

Now we got the location where the ShowGWnd(false) is called. From my post before we know PUSH and CALL are the important parts of a function call.

Select the PUSH instruction. Press Space to open the assembler. It will show the current instruction.

Enter "NOP" to replace it with a No-Operation. Make sure to tick the "Fill with NOP" Box.

Replace the PUSH and the CALL with NOPs. When you are done, it should look like this:

Repeat this step until you replaced all ShowGWnd(false) calls:

After that, press Ctrl+P to open the Patches-Window. Press "Patch File" to export a patched binary. You can not use the file you opened (e.g. sro_client.exe), so choose a different name.

sro_client_ruined.exe sounds like a good choice to me:

Now you are done. You have successfully patched the client. The icons are now visible. What's left is the background image. Use your acquired knowledge to analyze the code right below of what to patched to find another CALL thats using [edx+5C]. Thats the background. Replace it with NOP and the visuals are fine.

fanyaodd · 03/19/2020, 09:13

Quote:
Originally Posted by florian0
The buttons are still there. They are just hidden in CIFMainFrame::OnCreate
Code:
this->m_btnSkill->ShowGWnd(false);
this->m_btnAction->ShowGWnd(false);
this->m_btnParty->ShowGWnd(false);
this->m_btnCharacter->ShowGWnd(false);
this->m_btnQuest->ShowGWnd(false);
this->m_btnApprentice->ShowGWnd(false);
The part starts at 006a28ff and ends at 006a295f. You need to either JMP that part, or fill it with NOPs entirely.

Can you share the restored Old ItemMall?

bilalctn · 10/10/2020, 15:56

Pls Help ?

Emerald Garden SRO · 10/10/2020, 16:30

Quote:

Originally Posted by bilalctn

Pls Help ?

florian0 said above:

Quote:

Now you are done. You have successfully patched the client. The icons are now visible. What's left is the background image. Use your acquired knowledge to analyze the code right below of what to patched to find another CALL thats using [edx+5C]. Thats the background. Replace it with NOP and the visuals are fine.

If someone would post a sro_client.exe with the working old item mall would be great.

bilalctn · 10/10/2020, 17:19

Quote:

Originally Posted by Emerald Garden SRO

florian0 said above:

If someone would post a sro_client.exe with the working old item mall would be great.

i dont understand bro

Quote:

Originally Posted by Emerald Garden SRO

florian0 said above:

If someone would post a sro_client.exe with the working old item mall would be great.

which code ?

Quote:

Originally Posted by florian0

Okay. Lets go.

Load up your favourite disassembler. I'm using x32dbg.

I gave away the addresses to look at. Explaining how I got there is part of another story.

Press Ctrl+G, enter the address you want to go to:

Now we got the location where the ShowGWnd(false) is called. From my post before we know PUSH and CALL are the important parts of a function call.

Select the PUSH instruction. Press Space to open the assembler. It will show the current instruction.

Enter "NOP" to replace it with a No-Operation. Make sure to tick the "Fill with NOP" Box.

Replace the PUSH and the CALL with NOPs. When you are done, it should look like this:

Repeat this step until you replaced all ShowGWnd(false) calls:

After that, press Ctrl+P to open the Patches-Window. Press "Patch File" to export a patched binary. You can not use the file you opened (e.g. sro_client.exe), so choose a different name.

sro_client_ruined.exe sounds like a good choice to me:

Now you are done. You have successfully patched the client. The icons are now visible. What's left is the background image. Use your acquired knowledge to analyze the code right below of what to patched to find another CALL thats using [edx+5C]. Thats the background. Replace it with NOP and the visuals are fine.

Bro Help pls