65k damage project

  1. #1 system64x (Newbie, joined Oct 2019, 1 post)

    65k damage project
    Offset WorldSvr.bin package : 083D042D

    MOV WORD PTR DS:[EBX+6],AX


  2. #2 Niicke (Member, joined Apr 2012, Brazil, 61 posts)

    Re: 65k damage project

    Quote Originally Posted by system64x:
    Offset WorldSvr.bin package : 083D042D

    MOV WORD PTR DS:[EBX+6],AX
    Even if that is enough on the server side, which I believe it is not, you still have the client to fix.
    In ep8 the stack dmg packet parameter is 2 bytes, so you need to change it to 4 or 8 (uint32 or uint64) on both server and client.

    EP8 Packet Related Info
    This should help on the client side to trace the memory pipe starting from the packet handler.

  3. #3 t2210233 (Registered, joined Oct 2018, 15 posts)

    Re: 65k damage project

    Pointer type (WORD) DMG = 0x00B8DAE4 -105B1

    READ DMG CLIENT
    WRITE POINTER
    007B3D13
    0086830C - mov cx,[esi+06]
    0086871D - movzx ecx,word ptr [esi+06]
    008687F0 - movzx edx,word ptr [esi+06]

  4. #4 PwrDex (Cabal.RED, True Member, joined Jul 2011, /var/log/cabal, 726 posts)

    Re: 65k damage project

    Quote Originally Posted by t2210233:
    Pointer type (WORD) DMG = 0x00B8DAE4 -105B1

    READ DMG CLIENT
    WRITE POINTER
    007B3D13
    0086830C - mov cx,[esi+06]
    0086871D - movzx ecx,word ptr [esi+06]
    008687F0 - movzx edx,word ptr [esi+06]
    Can you explain the details behind it?
    RED

  5. #5 geography (True Member, joined Nov 2009, 217 posts)

    Re: 65k damage project

    Good project! Keep it up!
    I will test the addresses!

  6. #6 atom0s (Member, joined Dec 2016, 127.0.0.1, 48 posts)

    Re: 65k damage project

    Due to how the game is designed, this will end up requiring more than a simple few-byte patch to the server and client.
    This is not set up in a manner that will allow for just adjusting the size of one thing.

    For the server side, the damage packet generation is here:
    - Beginning of packet construction: 0x083CF41E
    - Writing the damage value: 0x083D042D

    However, keep in mind this is not the last value in the packet and the size is clamped to uint16_t:
    Code:
    .text:083D0418                 mov     cl, [ebp-1FB4h]
    .text:083D041E                 mov     [eax+4], cl
    .text:083D0421                 mov     eax, [ebp-1E14h]
    .text:083D0427                 mov     ebx, [ebp-1F78h]
    .text:083D042D                 mov     [ebx+6], ax
    .text:083D0431                 mov     esi, [ebp-1FB8h]
    .text:083D0437                 mov     eax, [esi+18h]
    .text:083D043A                 mov     [ebx+8], eax
    So there is no way to just edit the mov to deal with the full value here.

    There are a few ways this could be approached, depending on how people want to deal with it.


    1. Patch the packet to be bigger, shift all data after damage 2 bytes.

    In the server, this would require updating the total packet size, adjusting the additional data writes by 2 and then patching the damage value to write the full uint32_t.

    In the client, this would require updating the handler for the damage packet.
    - The damage packet handler is opcode 0xAE: 0x00435EA4
    - The sub-damage packet handler is: 0x00868050 (the sub-type opcode is the next uint16_t after the main packet's opcode.)

    The damage packet handler determines the type of skill use based on the sub-opcode and then indexes a second handler table for skill/actions.
    The main one for dealing with things that do damage is: 0x00868050

    You would basically need to rewrite most of the handler for this to deal with the shifted data and new packet size.


    2. Move the damage value to the end of the packet, ignoring the original location it is written.

    In the server, this again would require modifying the packet size and then adding a custom chunk of code to write the full damage value to the end of the packet.

    In the client, you will have to modify the handler to account for the new location of the data and read it properly.



    3. Add the hiword value of the damage to the end of the packet, leaving the loword in the original place.

    Similar to option 2, this would expand the packet by 2 bytes and just append the hiword of the damage that is clamped off to the end of the packet. In the client, though, you will have to patch the handler to combine the value back into a proper uint32_t in all locations where it's used/referenced.


    4. Hooks. (Probably the cleanest way to do this.)

    In the server, inject a hook/cave into the damage handler after the packet is constructed but before it's encrypted/sent. Edit the packet contents to adjust the packet size and append the full damage value to the end. (Like mentioned in #2.)

    In the client, inject a hook/cave into the damage handler after the data has been read normally, but before it's put to use.
    (For example, here: 0x008682EE)

    Then you would need to alter the data to be read from the end of the packet instead for the full value, and then adjust the handling of the data to be the full 4 bytes instead.

    Patch wise in the client, you will need to deal with:
    - 0x008682EE
    - 0x0086830C
    - 0x0086832C (Total damage accumulator.)
    - 0x008684A3
    - 0x00868520
    - 0x008685CA
    - 0x008686BC
    - 0x0086871D
    - 0x0086878B
    - 0x008687F0

    Each of the function call usages of damage look to already be valid to take a uint32_t value, so no patching looks to be needed for the actual value display functions.

    This is just accounting for the main damage packet; others may need to be adjusted depending on how the client handles those use-cases for certain other action/skill packets.
    Discord: atom0s#0001 - If someone claims to be me and attempts to sell you something, it's not me. Always check the user id!
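The truncation in the listing above and the "append the hiword, leave the loword in place" approach from options 3 and 4, as an added C simulation. This is not code from the thread, the server or the client: the only facts it takes from the post are that a byte is stored at +4, the damage is stored as a 16-bit word at +6 (`mov [ebx+6], ax`) and a dword is stored at +8 (`mov [ebx+8], eax`). The 16-bit length field at +0, the opcode at +2, the 12-byte original size, the field values and the 70000 sample damage are all assumptions made for the example.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical packet layout. Offsets +4, +6 and +8 come from the disassembly
 * quoted in the thread; the length/opcode header and the 12-byte total are
 * assumptions for this example only.
 */
enum {
    OFF_LEN    = 0,    /* uint16 total packet length (assumed)           */
    OFF_OPCODE = 2,    /* uint16 opcode (assumed)                        */
    OFF_FLAG   = 4,    /* byte written by `mov [eax+4], cl`              */
    OFF_DMG_LO = 6,    /* word written by `mov [ebx+6], ax`              */
    OFF_NEXT   = 8,    /* dword written by `mov [ebx+8], eax`            */
    BASE_LEN   = 12,   /* assumed original packet size                   */
    OPCODE_DMG = 0xAE  /* damage handler opcode named in the post         */
};

static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_u32(uint8_t *p, uint32_t v) { put_u16(p, (uint16_t)v); put_u16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_u32(const uint8_t *p) { return get_u16(p) | ((uint32_t)get_u16(p + 2) << 16); }

/* Server as it stands: the damage goes through ax, so bits 16..31 never hit the wire. */
size_t server_build_damage_packet(uint8_t *buf, uint32_t damage, uint32_t next_field)
{
    put_u16(buf + OFF_LEN, BASE_LEN);
    put_u16(buf + OFF_OPCODE, OPCODE_DMG);
    buf[OFF_FLAG] = 1;                               /* constructed flag value      */
    put_u16(buf + OFF_DMG_LO, (uint16_t)damage);     /* the `mov [ebx+6], ax` clamp  */
    put_u32(buf + OFF_NEXT, next_field);             /* the dword that follows it   */
    return BASE_LEN;
}

/* Option 3/4 server hook: runs after the packet is built and before it is
 * encrypted/sent. Appends the hiword and fixes the length field; nothing in
 * the original layout moves, so the existing writes at +4/+6/+8 stay valid. */
size_t server_hook_append_hiword(uint8_t *buf, size_t len, uint32_t damage)
{
    put_u16(buf + len, (uint16_t)(damage >> 16));
    len += 2;
    put_u16(buf + OFF_LEN, (uint16_t)len);
    return len;
}

/* Client as it stands: `movzx ecx, word ptr [esi+6]`, a plain 16-bit read. */
uint32_t client_read_damage_original(const uint8_t *pkt)
{
    return get_u16(pkt + OFF_DMG_LO);
}

/* Client hook: recombine the trailing hiword with the loword at +6. A packet of
 * the original size (unpatched server) falls back to the old behaviour instead
 * of reading past its end. */
uint32_t client_read_damage_patched(const uint8_t *pkt)
{
    size_t len = get_u16(pkt + OFF_LEN);
    uint32_t lo = get_u16(pkt + OFF_DMG_LO);
    if (len < (size_t)BASE_LEN + 2)
        return lo;
    uint32_t hi = get_u16(pkt + len - 2);
    return (hi << 16) | lo;
}

/* Round-trip helpers: build one packet with a constructed next_field and read it back. */
uint32_t roundtrip_original(uint32_t damage)
{
    uint8_t buf[32];
    server_build_damage_packet(buf, damage, 0x12345678u);
    return client_read_damage_original(buf);
}

uint32_t roundtrip_patched(uint32_t damage)
{
    uint8_t buf[32];
    size_t len = server_build_damage_packet(buf, damage, 0x12345678u);
    server_hook_append_hiword(buf, len, damage);
    return client_read_damage_patched(buf);
}

/* Confirms the appended hiword does not disturb the dword the server writes at +8. */
uint32_t next_field_after_patch(uint32_t damage)
{
    uint8_t buf[32];
    size_t len = server_build_damage_packet(buf, damage, 0x12345678u);
    server_hook_append_hiword(buf, len, damage);
    return get_u32(buf + OFF_NEXT);
}

int main(void)
{
    uint32_t dmg = 70000u;  /* constructed value above the 65535 clamp */
    printf("damage %" PRIu32 ": original client reads %" PRIu32 ", patched client reads %" PRIu32 "\n",
           dmg, roundtrip_original(dmg), roundtrip_patched(dmg));
    return 0;
}
```

The fallback in `client_read_damage_patched` is the part worth copying into a real hook: the length check keeps a patched client from reading two bytes past a packet that an unpatched server never extended.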
