-
Help to find out
Hi all.
Looking for some help to find a solution on how to implement the "get mob on target" function.
MMORPG Requiem Online.
OllyDBG shows the line where the "take mob on target" function is initialised.
When I'm trying to inject my code to call this function:
Code:
pushad
pushfd
mov ecx,WID // to read WID I'm using ReadInt(0xa48e40)+0x320
mov edx,0x7c29e0 // function address
push ecx // stack argument
mov ecx,[0xa48e40]
call edx // call function
retn
After injecting this code, inside the client my toon has an empty HP bar on target without a mob name...
and after 2 seconds the client crashes.
Looks like at the moment the function was called the code didn't supply enough arguments.
If I attach OllyDBG to the client at that line,
the value in ecx doesn't correspond to the WID of the mob in CE.
-
Maybe you should restore the stack with POPFD and POPAD?
Code:
pushad
pushfd
mov ecx,WID // to read WID I'm using ReadInt(0xa48e40)+0x320
mov edx,0x7c29e0 // function address
push ecx // stack argument
mov ecx,[0xa48e40]
call edx // call function
popfd // restore in reverse order of the pushes
popad
retn
-
I tried restoring all registers. But the client froze before that.
It still shows an empty HP bar on target & crashes.
-
What does IDA Pro say about the function, is it __fastcall?
I see that edx is used.. but it is used as the function address, so probably not a parameter..
If it is fastcall, try.. typedef'ing it
Code:
typedef void (__fastcall * t_Mob)(int param);
t_Mob mobFunction = (t_Mob)0x7c29e0;
mobFunction(*(int *)0xa48e40); // <-- your asm loads the value at 0xa48e40 into ecx; find out what is at 0xa48e40.. maybe it is a buffer
In other words, if it is not a fastcall function..
you must fix the stack.. Try this
Code:
push ebp
mov ebp, esp
mov ecx,WID // to read WID I'm using ReadInt(0xa48e40)+0x320
mov edx,0x7c29e0 // function address
push ecx // stack argument
mov ecx,[0xa48e40]
call edx // call function
mov esp, ebp // fix the stack whether or not the callee popped its argument
pop ebp
retn
-
With this the game crashed without showing the empty HP bar.
Probably [0xa48e40] is a buffer.
-
Can you add OllyDbg to your game? Or is the game protected?
If you can add OllyDbg.. or at least.. attach OllyDbg to the game.. while it's running.. Resume Threads etc..
Then in the DLL you are injecting.. breakpoint the code you added; it should be a __declspec(naked) function, maybe you forgot this.
Run it line by line.. and find out which line it crashes on.. most likely.. the bad parameter, yup
Code:
__declspec(naked) void MOB(int WID)
{
__asm{
push ebp
mov ebp, esp // frame first, so WID resolves to [ebp+8]
pushad
pushfd
mov ecx,WID // to read WID I'm using ReadInt(0xa48e40)+0x320
mov edx,0x7c29e0 // function address
push ecx // stack argument
mov ecx,[0xa48e40] // value the game passes in ecx
call edx // call function
lea esp,[ebp-36] // back to just after pushfd, whether or not the callee popped its argument
popfd // restore in reverse order of the pushes
popad
pop ebp
ret
}
}
Breakpoint it.. I think it will crash at either
call edx..
or somewhere inside the edx function.. find out where the registers look messed up.. the differences between your code and the official code..
Then you have to somehow either create the buffer yourself.. or if the buffer is important.. somehow point to it properly.. maybe this address [0xa48e40] will not be found in the DLL's asm... since it's part of the game exe.
-
Thanks for the good idea to check where my code stops working ...
By putting the WID of the mob directly in the code it worked .... now I only need to find how to read that value from memory ....
-
pkedpker
I'm trying to decipher the packets with a Java program that I created based on this post:
PHP Code:
#ifndef _INFINITY_TALE_CRYPT_
#define _INFINITY_TALE_CRYPT_
#include <string.h>
int laEncrypt(char *data, int length)
{
    int size = length;
    data[4] ^= 0x76;              // packet id is xored with the magic byte
    for (int i = 5; i < size; i++)
        data[i] ^= data[i-1];     // chain each byte with the previous (already encrypted) byte
    return 1;
}
int laDecrypt(char *data, int length)
{
    int size = length;
    char k = data[4];             // encrypted packet id is the first chain value
    char j = 0;
    data[4] ^= 0x76;
    for (int i = 5; i < size; i++)
    {
        j = data[i];              // keep the encrypted byte before overwriting it
        data[i] ^= k;
        k = j;
    }
    return 1;
}
#endif
by SaiMs
a) Let's take a look at a sample header and decrypt it.
char crypt[] = {0x0A, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x00, 0x01};
or simply
[INT32]      [CHAR8]      [char[]]
[HEADER]     [Packet ID]  [DATA]
0A 00 00 00  64           00 00 00 00 01   (HEX)
0x0A is the LENGTH of the packet and is not needed in the decryption process.
This is an INT, little-endian, and uses the first 4 bytes to hold the TOTAL length.
0x0A = 10 in decimal; the length of this packet is indeed 10.
END NOTE: Packet headers are NOT encrypted.
b) Let's step through the encryption.
PHP Code:
data[4] ^= 0x76;
We skip to the packet id and xor it with 0x76 (the magic #).
This reveals the packet ID, so in this case:
0x64 XOR 0x12 = 0x76. You can use a scientific calculator if you want. These results are accurate; I have checked them against Bravo's posts. (I assume he used traitor's sniffer or ours; I'll be releasing my own soon with a GUI.)
After the header, we have a for loop:
PHP Code:
data[i] ^= data[i-1];
It starts at 5; we are finished with the header and the packet id.
This is just some logical xor swap.
Grab the first byte,
PHP Code:
j = data[i];
xor it with k, WHICH IS the packet id (initially)
PHP Code:
data[i] ^= k;
make the new k value the data we just produced
PHP Code:
k = j;
I need to send a message in the "all" chat, change the program and have it accepted by the target server. But the packets need to be deciphered ... can you help me? The program did not work ..
The game is AIKA.
---------- Post added at 04:16 PM ---------- Previous post was at 04:15 PM ----------
If necessary, I can create a decryption call. Help me please
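The cipher the quoted post walks through, as an added example that is not code from the thread or from the game: laEncrypt/laDecrypt reimplemented over the constructed 10-byte sample packet, with the length field taken from the little-endian header and clamped to the buffer before the chain loop runs.

```c
#include <string.h>
#include <stdint.h>
#define MAGIC 0x76 /* the "magic #" xored into the packet id byte */
/* Byte 4 (packet id) is xored with MAGIC; each later byte is xored with the
   previous byte as it appears on the wire, so the keystream is just the
   ciphertext shifted by one. No secret key is involved anywhere. */
static void la_encrypt(uint8_t *data, int length)
{
    data[4] ^= MAGIC;
    for (int i = 5; i < length; i++)
        data[i] ^= data[i - 1];
}
static void la_decrypt(uint8_t *data, int length)
{
    uint8_t k = data[4];          /* encrypted packet id starts the chain */
    data[4] ^= MAGIC;
    for (int i = 5; i < length; i++) {
        uint8_t j = data[i];      /* keep the wire byte before overwriting it */
        data[i] ^= k;
        k = j;
    }
}
/* Constructed sample: the 10-byte packet the walkthrough decrypts by hand. */
static const uint8_t SAMPLE[] = {0x0A,0x00,0x00,0x00,0x64,0x00,0x00,0x00,0x00,0x01};
/* Decrypt a copy of SAMPLE into out (sizeof SAMPLE bytes) and return the
   packet id, or -1 on a malformed header. The length comes from the
   little-endian header and is clamped to the buffer so a lying length
   field cannot run the chain loop past the end. */
int decrypt_sample(uint8_t *out)
{
    uint32_t len = SAMPLE[0] | SAMPLE[1] << 8 | SAMPLE[2] << 16 | (uint32_t)SAMPLE[3] << 24;
    if (len < 5 || len > sizeof SAMPLE)
        return -1;
    memcpy(out, SAMPLE, sizeof SAMPLE);
    la_decrypt(out, (int)len);
    return out[4];                /* 0x64 ^ 0x76 = 0x12 */
}
/* Re-encrypt the decrypted packet; 1 when it matches the wire bytes again. */
int roundtrip_ok(void)
{
    uint8_t buf[sizeof SAMPLE];
    if (decrypt_sample(buf) < 0)
        return 0;
    la_encrypt(buf, sizeof SAMPLE);
    return memcmp(buf, SAMPLE, sizeof SAMPLE) == 0;
}
```

After decryption the sample reads 0A 00 00 00 12 64 00 00 00 01: packet id 0x12 followed by the payload bytes, matching the hand calculation in the post.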
-
^ That is not Java, it's C/C++. Looks like you just copy-pasted that out of the AIKA section and have no idea what it does or how to use it. Try trying.
-
Well .. I did not understand your comment ... I translated the text above to Java. I pasted in an AIKA packet in HEX ... but it did not work ... An accurate method of decryption and encryption, so that if I create a chat spam ... I can also do it with honor! O.o .. I mean, capture the packet through OllyDbg honor, and use the enc/dec method, and I repeat it like a repeating structure. auhauhauah ... My English is very bad. pkedpker, you, I believe, are one of the people who understand how the AIKA routines work ... Help me