I will show you how to add WindowMode and remove focus checks so you can connect in WindowMode as a player and not get kicked by server.
I'm using the KPT 2.42.8 game.exe; if you plan to use JPT, another PT, or a different KPT version, you will have to fix some offsets (by "some" I mean a lot of them; I mark them with <-fixed in the code).
It's a time-consuming job, but not as hard as you might think (the easiest way is to use IDA Pro and see what else writes to that address, then compare the CALL, PUSH, CMP and MOV instructions with the old function, because 99% of the time they lead to the same place).
IDA will show you this:
Code:
.data:008E09E8 dword_8E09E8 dd ? ; DATA XREF: sub_44C503D-408EB33o
.data:008E09E8 ; sub_436520+10o ...
And believe it or not, it's a great help.
Why am I not using IDA then? The answer is simple: assembling in it is not user-friendly.
First we need some space to put the new code in, so:
- start your PE editor; I'm using CFF Explorer
- open your game.exe (File>Open)
- go to "Section Headers [x]" (it's in the list on the left side)
- right-click on empty space and choose "Add Section (Empty Space)"
- CFF Explorer will ask for the section size; type 1000 (or more if you plan to put more code in there)
- let's name this new section ".NewCode"
- now create one more section and name it ".NewData"
- you could keep your data in the code section; I'm creating two sections because I want more control over the code and data I'm adding
- now that we have the new sections, it's time to change their flags
- right-click on your newly created section, choose "Change Section Flags" and check:
"is readable", "is executable", "contain code" for .NewCode
"is readable", "is writable", "contains initialized data" for .NewData
- (File>Save) and that's all for the CFF Explorer part
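The flags you tick in CFF Explorer are the IMAGE_SCN_* characteristics bits in the PE section table, and an added section like .NewCode is exactly what a launcher or server-side integrity check would look for in a client. As an added example (not part of the original post or of the client), here is a Python script that parses a PE section table and reports sections outside a baseline list, a second executable section, or a section that is both writable and executable; the sample header is constructed in the script, and the baseline section names are an assumption, not read from the KPT game.exe.

```python
import struct

# IMAGE_SCN_* characteristics bits from the PE/COFF spec; these are the bits
# CFF Explorer sets for the checkboxes named in the tutorial.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Flag names as CFF Explorer shows them (the tutorial's checkbox labels).
FLAG_NAMES = {IMAGE_SCN_CNT_CODE: "contains code", IMAGE_SCN_CNT_INITIALIZED_DATA: "contains initialized data",
              IMAGE_SCN_MEM_EXECUTE: "is executable", IMAGE_SCN_MEM_READ: "is readable",
              IMAGE_SCN_MEM_WRITE: "is writable"}

# Baseline names of a typical MSVC-built client (an assumption, not read from game.exe).
BASELINE_SECTIONS = (".text", ".rdata", ".data", ".rsrc")

def describe_flags(characteristics):
    """Turn a Characteristics dword into the flag names CFF Explorer shows."""
    return [name for bit, name in FLAG_NAMES.items() if characteristics & bit]

def parse_sections(image):
    """Parse a PE section table into (name, virtual_address, size_of_raw_data, characteristics) tuples."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional_header      # the COFF file header is 20 bytes
    sections = []
    for i in range(number_of_sections):
        off = table + i * 40                         # each IMAGE_SECTION_HEADER is 40 bytes
        name, _vsize, va, raw_size = struct.unpack_from("<8sIII", image, off)
        characteristics = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, raw_size, characteristics))
    return sections

def audit_sections(sections, baseline=BASELINE_SECTIONS):
    """Report section-table signs of a patched image: added, extra executable, or W+X sections."""
    findings = []
    executable_seen = 0
    for name, va, _size, chars in sections:
        if name not in baseline:
            findings.append(f"{name}: not a baseline section ({', '.join(describe_flags(chars))})")
        if chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            executable_seen += 1
            if executable_seen > 1:
                findings.append(f"{name}: extra executable section at VA 0x{va:08X}")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{name}: writable and executable")
    return findings

def build_sample_image(sections):
    """Construct a minimal PE header (DOS stub, COFF header, blank optional header, section table) for testing."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional_header = 0xE0                   # PE32 optional header size; contents are irrelevant here
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional_header, 0x102)
    image = dos_header + b"PE\0\0" + coff_header + b"\0" * size_of_optional_header
    for name, va, chars in sections:
        image += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             0x1000, va, 0x1000, 0, 0, 0, 0, 0, chars)
    return image

# Constructed sample: a stock layout plus the two sections the tutorial adds (044C5000 minus a 00400000 base).
SAMPLE_SECTIONS = [
    (".text", 0x00001000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", 0x001C0000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data", 0x002E0000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".NewCode", 0x040C5000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".NewData", 0x040C6000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]

if __name__ == "__main__":
    print("\n".join(audit_sections(parse_sections(build_sample_image(SAMPLE_SECTIONS)))))
```

Run it against a real client by replacing the constructed image with `open("game.exe", "rb").read()` and your own baseline list.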
Now it's time for OllyDbg
- start OllyDbg (press Ctrl+A to analyze the code, and Shift+F9 to pass an exception to the program if needed)
- go to the newly created section (Ctrl+G); in my case the address is 044C5000
- let's put some new code there (by the way, you don't need the NOPs; I only add them to reserve space so I can change/add/edit functions without fixing offsets all the time, but if you remove the NOPs remember to fix the offsets in your game.exe; every game.exe has NOPs between functions, and you will soon see how that helps us)
- it's assembly time:
- you can select this part in the game.exe I attached and do a binary copy, then paste it into your client, or assemble it line by line (press SPACE and start typing, without the "044C5000 90" parts, of course!)
Code:
044C5000 90 NOP
044C5001 90 NOP
044C5002 90 NOP
044C5003 90 NOP
044C5004 90 NOP
044C5005 90 NOP
044C5006 90 NOP
044C5007 90 NOP
044C5008 90 NOP
044C5009 90 NOP
044C500A 90 NOP
044C500B 90 NOP
044C500C 90 NOP
044C500D 90 NOP
044C500E 90 NOP
044C500F 90 NOP
044C5010 90 NOP
044C5011 90 NOP
044C5012 90 NOP
044C5013 90 NOP
044C5014 0FBF05 0B604C04 MOVSX EAX,WORD PTR DS:[44C600B] <-fixed
044C501B 83F8 01 CMP EAX,1
044C501E 74 06 JE SHORT game.044C5026
044C5020 A1 E8098E00 MOV EAX,DWORD PTR DS:[8E09E8] <-fixed
044C5025 C3 RETN
044C5026 F7D8 NEG EAX
044C5028 C3 RETN
044C5029 90 NOP
044C502A 90 NOP
044C502B 90 NOP
044C502C 90 NOP
044C502D 90 NOP
044C502E 90 NOP
044C502F 90 NOP
044C5030 90 NOP
044C5031 90 NOP
044C5032 90 NOP
044C5033 90 NOP
044C5034 90 NOP
044C5035 90 NOP
044C5036 90 NOP
044C5037 90 NOP
044C5038 90 NOP
044C5039 90 NOP
044C503A 90 NOP
044C503B 90 NOP
044C503C 90 NOP
044C503D A1 A0935F00 MOV EAX,DWORD PTR DS:[5F93A0] <-fixed
044C5042 68 00604C04 PUSH game.044C6000 ; ASCII "WindowMode" <-fixed
044C5047 50 PUSH EAX
044C5048 68 02000080 PUSH 80000002
044C504D E8 CEF408FC CALL game.00554520 <-fixed
044C5052 83C4 0C ADD ESP,0C
044C5055 85C0 TEST EAX,EAX
044C5057 74 1C JE SHORT game.044C5075
044C5059 50 PUSH EAX
044C505A E8 EDE30EFC CALL game.005B344C <-fixed
044C505F 83C4 04 ADD ESP,4
044C5062 83F8 01 CMP EAX,1
044C5065 75 0E JNZ SHORT game.044C5075
044C5067 66:C705 0B604C04>MOV WORD PTR DS:[44C600B],1 <-fixed
044C5070 A1 A0935F00 MOV EAX,DWORD PTR DS:[5F93A0] <-fixed
044C5075 -E9 2612F7FB JMP game.004362A0
044C507A 90 NOP
044C507B 90 NOP
044C507C 90 NOP
044C507D 90 NOP
044C507E 90 NOP
044C507F 90 NOP
044C5080 90 NOP
044C5081 90 NOP
044C5082 90 NOP
044C5083 90 NOP
044C5084 90 NOP
044C5085 90 NOP
044C5086 90 NOP
044C5087 90 NOP
044C5088 90 NOP
044C5089 90 NOP
044C508A 90 NOP
044C508B 90 NOP
044C508C 90 NOP
044C508D 90 NOP
- you will not see the ; ASCII "WindowMode" comment yet; we are going to add the string now
- select everything you added to your game.exe, right-click on the selection and choose "Copy to executable>Selection"
- a window will pop up; right-click again and select "Save file" (make sure you have a copy of the original game.exe somewhere)
- open the game.exe file again, press Ctrl+A (Shift+F9 if needed), and this time go to 044C6000
- put this there:
Code:
044C6000 57 PUSH EDI
044C6001 696E 64 6F774D6F IMUL EBP,DWORD PTR DS:[ESI+64],6F4D776F
044C6008 64: PREFIX FS: ; Superfluous prefix
044C6009 65:0000 ADD BYTE PTR GS:[EAX],AL
- select it, right-click and choose "Follow in Dump>Selection"; you should see WindowMode in the hex dump
- save the changes to game.exe again
- go to 00436629 and fix the JMP:
Code:
JMP 004362A0
to your new "trigger" for WindowMode:
Code:
JMP 044C503D
- go to 00436D37 and fix the CALL:
Code:
CALL 004362A0
to your new address:
Code:
CALL 044C503D
- now find this:
Code:
00416580 /$ 83EC 44 SUB ESP,44
00416583 |. 53 PUSH EBX
00416584 |. 55 PUSH EBP
00416585 |. 56 PUSH ESI
00416586 |. 8B7424 5C MOV ESI,DWORD PTR SS:[ESP+5C]
0041658A |. 57 PUSH EDI
0041658B |. 8B7C24 58 MOV EDI,DWORD PTR SS:[ESP+58]
0041658F |. 56 PUSH ESI ; /String2
00416590 |. 68 00267300 PUSH game.00732600 ; |String1 = game.00732600
00416595 |. 893D D8387300 MOV DWORD PTR DS:[7338D8],EDI ; |
0041659B |. FF15 34325C00 CALL DWORD PTR DS:[<&KERNEL32.lstrcpyA>] ; \lstrcpyA
004165A1 |. E8 4AA80F00 CALL game.00510DF0
004165A6 |. E8 45CD0400 CALL game.004632F0
004165AB |. 68 14525C00 PUSH game.005C5214 ; ASCII "hotuk.ini"
004165B0 |. E8 6BFF0100 CALL game.00436520
004165B5 |. 68 04525C00 PUSH game.005C5204 ; ASCII "ShortCut.ini"
004165BA |. E8 F1070200 CALL game.00436DB0
004165BF |. 56 PUSH ESI
004165C0 |. E8 BBD4FFFF CALL game.00413A80
004165C5 |. 8B35 EC315C00 MOV ESI,DWORD PTR DS:[<&KERNEL32.Initial>; kernel32.InitializeCriticalSection
004165CB |. 83C4 0C ADD ESP,0C
004165CE |. 68 DC257300 PUSH game.007325DC ; /pCriticalSection = game.007325DC
004165D3 |. FFD6 CALL ESI ; \InitializeCriticalSection
004165D5 |. 68 E8217300 PUSH game.007321E8 ; /pCriticalSection = game.007321E8
004165DA |. FFD6 CALL ESI ; \InitializeCriticalSection
004165DC |. 68 68E86F00 PUSH game.006FE868 ; /pCriticalSection = game.006FE868
004165E1 |. FFD6 CALL ESI ; \InitializeCriticalSection
004165E3 |. FF15 F4315C00 CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; [GetTickCount
004165E9 |. 50 PUSH EAX
004165EA |. E8 33D21900 CALL game.005B3822
004165EF |. 83C4 04 ADD ESP,4
004165F2 |. E8 79DB0C00 CALL game.004E4170
004165F7 |. A1 F4098E00 MOV EAX,DWORD PTR DS:[8E09F4] ; <- start of the part to change
004165FC |. 8B35 EC098E00 MOV ESI,DWORD PTR DS:[8E09EC]
00416602 |. 8B2D F0098E00 MOV EBP,DWORD PTR DS:[8E09F0]
00416608 |. A3 C88D5F00 MOV DWORD PTR DS:[5F8DC8],EAX
0041660D |. A1 E8098E00 MOV EAX,DWORD PTR DS:[8E09E8]
00416612 |. 33DB XOR EBX,EBX
00416614 |. 3BC3 CMP EAX,EBX
00416616 |. 8935 C08D5F00 MOV DWORD PTR DS:[5F8DC0],ESI
0041661C |. 892D C48D5F00 MOV DWORD PTR DS:[5F8DC4],EBP
00416622 |. A3 44C25F00 MOV DWORD PTR DS:[5FC244],EAX ; <- end of the part to change
00416627 |. 75 11 JNZ SHORT game.0041663A
You can press Ctrl+S and search for this sequence of commands:
Code:
SUB ESP,44
PUSH EBX
PUSH EBP
PUSH ESI
MOV ESI,DWORD PTR SS:[ESP+5C]
PUSH EDI
MOV EDI,DWORD PTR SS:[ESP+58]
until you find the same function.
- we are interested in the part from 004165F7 to 00416622 (the block originally highlighted in red)
- let's change it to:
Code:
004165EF |. A1 F4098E00 MOV EAX,DWORD PTR DS:[8E09F4] <-fixed
004165F4 |. 8B35 EC098E00 MOV ESI,DWORD PTR DS:[8E09EC] <-fixed
004165FA |. 8B2D F0098E00 MOV EBP,DWORD PTR DS:[8E09F0] <-fixed
00416600 |. A3 C88D5F00 MOV DWORD PTR DS:[5F8DC8],EAX <-fixed
00416605 |. E8 0AEA0A04 CALL game.044C5014 <-fixed
0041660A |. 33DB XOR EBX,EBX
0041660C |. 83C4 04 ADD ESP,4
0041660F |. 3BC3 CMP EAX,EBX
00416611 |. 8935 C08D5F00 MOV DWORD PTR DS:[5F8DC0],ESI <-fixed
00416617 |. 892D C48D5F00 MOV DWORD PTR DS:[5F8DC4],EBP <-fixed
0041661D |. A3 44C25F00 MOV DWORD PTR DS:[5FC244],EAX <-fixed
00416622 |. 90 NOP
00416623 |. 90 NOP
00416624 |. 90 NOP
00416625 |. 90 NOP
00416626 |. 90 NOP
- CALL game.044C5014 is the new function we added; make sure the offset is correct
- save the changes again, and this time go to 004E43F0; you will see this:
Code:
004E43F0 /$ 8B0D A0C86E00 MOV ECX,DWORD PTR DS:[6EC8A0]
004E43F6 |. 33C0 XOR EAX,EAX
004E43F8 |. 81EC 84000000 SUB ESP,84
004E43FE |. 3BC8 CMP ECX,EAX
004E4400 |. 75 0C JNZ SHORT game.004E440E
004E4402 |. A3 2C782E03 MOV DWORD PTR DS:[32E782C],EAX
004E4407 |. 81C4 84000000 ADD ESP,84
004E440D |. C3 RETN
004E440E |> 3905 885D2E03 CMP DWORD PTR DS:[32E5D88],EAX
004E4414 |. 0F85 D9000000 JNZ game.004E44F3
004E441A |. 8B9424 8800000>MOV EDX,DWORD PTR SS:[ESP+88]
004E4421 |. A1 28782E03 MOV EAX,DWORD PTR DS:[32E7828]
004E4426 |. 53 PUSH EBX
004E4427 |. 55 PUSH EBP
004E4428 |. 56 PUSH ESI
004E4429 |. 57 PUSH EDI
004E442A |. BE 01000000 MOV ESI,1
004E442F |. 56 PUSH ESI
004E4430 |. 52 PUSH EDX
004E4431 |. 8935 2C782E03 MOV DWORD PTR DS:[32E782C],ESI
004E4437 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004E4439 |. 50 PUSH EAX
004E443A |. FF51 18 CALL DWORD PTR DS:[ECX+18]
004E443D |. B9 A4060000 MOV ECX,6A4
004E4442 |. 33C0 XOR EAX,EAX
004E4444 |. BF 905D2E03 MOV EDI,game.032E5D90
004E4449 |. F3:AB REP STOS DWORD PTR ES:[EDI]
004E444B |. 897424 10 MOV DWORD PTR SS:[ESP+10],ESI
004E444F |. BD 88B42C03 MOV EBP,game.032CB488
004E4454 |. BB A8C86E00 MOV EBX,game.006EC8A8
004E4459 |. 8DA424 0000000>LEA ESP,DWORD PTR SS:[ESP]
004E4460 |> 85ED /TEST EBP,EBP
004E4462 |. 74 58 |JE SHORT game.004E44BC
004E4464 |. 807D 00 00 |CMP BYTE PTR SS:[EBP],0
004E4468 |. 74 52 |JE SHORT game.004E44BC
004E446A |. 833B 00 |CMP DWORD PTR DS:[EBX],0
004E446D |. 74 4D |JE SHORT game.004E44BC
004E446F |. 33C0 |XOR EAX,EAX
004E4471 |> 8A88 40B42C03 |/MOV CL,BYTE PTR DS:[EAX+32CB440]
004E4477 |. 884C04 14 ||MOV BYTE PTR SS:[ESP+EAX+14],CL
004E447B |. 40 ||INC EAX
004E447C |. 84C9 ||TEST CL,CL
004E447E |.^75 F1 |\JNZ SHORT game.004E4471
004E4480 |. 8BC5 |MOV EAX,EBP
004E4482 |. 8BD5 |MOV EDX,EBP
004E4484 |> 8A08 |/MOV CL,BYTE PTR DS:[EAX]
004E4486 |. 40 ||INC EAX
004E4487 |. 84C9 ||TEST CL,CL
004E4489 |.^75 F9 |\JNZ SHORT game.004E4484
004E448B |. 8D7C24 14 |LEA EDI,DWORD PTR SS:[ESP+14]
004E448F |. 2BC2 |SUB EAX,EDX
004E4491 |. 4F |DEC EDI
004E4492 |> 8A4F 01 |/MOV CL,BYTE PTR DS:[EDI+1]
004E4495 |. 47 ||INC EDI
004E4496 |. 84C9 ||TEST CL,CL
004E4498 |.^75 F8 |\JNZ SHORT game.004E4492
004E449A |. 8BC8 |MOV ECX,EAX
004E449C |. C1E9 02 |SHR ECX,2
004E449F |. 8BF2 |MOV ESI,EDX
004E44A1 |. F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWORD PTR D>
004E44A3 |. 8BC8 |MOV ECX,EAX
004E44A5 |. 8B4424 10 |MOV EAX,DWORD PTR SS:[ESP+10]
004E44A9 |. 83E1 03 |AND ECX,3
004E44AC |. F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:>
004E44AE |. 50 |PUSH EAX
004E44AF |. 8D4C24 18 |LEA ECX,DWORD PTR SS:[ESP+18]
004E44B3 |. 51 |PUSH ECX
004E44B4 |. E8 E7F5FFFF |CALL game.004E3AA0
004E44B9 |. 83C4 08 |ADD ESP,8
004E44BC |> 8B7424 10 |MOV ESI,DWORD PTR SS:[ESP+10]
004E44C0 |. 46 |INC ESI
004E44C1 |. 83C3 04 |ADD EBX,4
004E44C4 |. 83C5 40 |ADD EBP,40
004E44C7 |. 81FB 34E36E00 |CMP EBX,game.006EE334
004E44CD |. 897424 10 |MOV DWORD PTR SS:[ESP+10],ESI
004E44D1 |.^7C 8D \JL SHORT game.004E4460
004E44D3 |. 5F POP EDI
004E44D4 |. 5E POP ESI
004E44D5 |. 5D POP EBP
004E44D6 |. 5B POP EBX
004E44D7 |> 8B9424 8800000>MOV EDX,DWORD PTR SS:[ESP+88]
004E44DE |. 52 PUSH EDX
004E44DF |. E8 ECFBFFFF CALL game.004E40D0
004E44E4 |. 83C4 04 ADD ESP,4
004E44E7 |. B8 01000000 MOV EAX,1
004E44EC |. 81C4 84000000 ADD ESP,84
004E44F2 |. C3 RETN
004E44F3 |> A3 2C782E03 MOV DWORD PTR DS:[32E782C],EAX
004E44F8 \.^EB DD JMP SHORT game.004E44D7
- select it, right-click and do "Binary>Fill with NOPs" on the selection
- edit the whole function so it looks like the one below (I know it looks nearly the same as the function above, and you could just jump to the part that is different and then jump back into the original function, but I prefer "clean" code; besides, moving this function to the end of the file would have a huge impact on how fast the game starts, so let's keep it where it belongs)
Code:
004E43F0 /$ A1 A0C86E00 MOV EAX,DWORD PTR DS:[6EC8A0] <-fixed
004E43F5 |. 81EC 84000000 SUB ESP,84
004E43FB |. 56 PUSH ESI
004E43FC |. 33F6 XOR ESI,ESI
004E43FE |. 3BC6 CMP EAX,ESI
004E4400 |. 75 10 JNZ SHORT game.004E4412
004E4402 |. 8935 2C782E03 MOV DWORD PTR DS:[32E782C],ESI <-fixed
004E4408 |. 33C0 XOR EAX,EAX
004E440A |. 5E POP ESI
004E440B |. 81C4 84000000 ADD ESP,84
004E4411 |. C3 RETN
004E4412 |> 56 PUSH ESI
004E4413 |. 68 28782E03 PUSH game.032E7828 <-fixed
004E4418 |. 56 PUSH ESI
004E4419 |. E8 A2FB0A00 CALL <JMP.&DSOUND.#1> <-fixed
004E441E |. 85C0 TEST EAX,EAX
004E4420 |. 0F85 D1000000 JNZ game.004E44F7
004E4426 |. 8B9424 8C00000>MOV EDX,DWORD PTR SS:[ESP+8C]
004E442D |. A1 28782E03 MOV EAX,DWORD PTR DS:[32E7828] <-fixed
004E4432 |. 53 PUSH EBX
004E4433 |. 55 PUSH EBP
004E4434 |. 57 PUSH EDI
004E4435 |. BE 01000000 MOV ESI,1
004E443A |. 56 PUSH ESI
004E443B |. 52 PUSH EDX
004E443C |. 8935 2C782E03 MOV DWORD PTR DS:[32E782C],ESI <-fixed
004E4442 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004E4444 |. 50 PUSH EAX
004E4445 |. FF51 18 CALL DWORD PTR DS:[ECX+18]
004E4448 |. B9 A4060000 MOV ECX,6A4
004E444D |. 33C0 XOR EAX,EAX
004E444F |. BF 905D2E03 MOV EDI,game.032E5D90 <-fixed
004E4454 |. F3:AB REP STOS DWORD PTR ES:[EDI]
004E4456 |. 897424 10 MOV DWORD PTR SS:[ESP+10],ESI
004E445A |. BD 88B42C03 MOV EBP,game.032CB488 <-fixed
004E445F |. BB A8C86E00 MOV EBX,game.006EC8A8 <-fixed
004E4464 |> 85ED /TEST EBP,EBP
004E4466 |. 74 58 |JE SHORT game.004E44C0
004E4468 |. 807D 00 00 |CMP BYTE PTR SS:[EBP],0
004E446C |. 74 52 |JE SHORT game.004E44C0
004E446E |. 833B 00 |CMP DWORD PTR DS:[EBX],0
004E4471 |. 74 4D |JE SHORT game.004E44C0
004E4473 |. 33C0 |XOR EAX,EAX
004E4475 |> 8A88 40B42C03 |/MOV CL,BYTE PTR DS:[EAX+32CB440] <-fixed
004E447B |. 884C04 14 ||MOV BYTE PTR SS:[ESP+EAX+14],CL
004E447F |. 40 ||INC EAX
004E4480 |. 84C9 ||TEST CL,CL
004E4482 |.^75 F1 |\JNZ SHORT game.004E4475
004E4484 |. 8BC5 |MOV EAX,EBP
004E4486 |. 8BD5 |MOV EDX,EBP
004E4488 |> 8A08 |/MOV CL,BYTE PTR DS:[EAX]
004E448A |. 40 ||INC EAX
004E448B |. 84C9 ||TEST CL,CL
004E448D |.^75 F9 |\JNZ SHORT game.004E4488
004E448F |. 8D7C24 14 |LEA EDI,DWORD PTR SS:[ESP+14]
004E4493 |. 2BC2 |SUB EAX,EDX
004E4495 |. 4F |DEC EDI
004E4496 |> 8A4F 01 |/MOV CL,BYTE PTR DS:[EDI+1]
004E4499 |. 47 ||INC EDI
004E449A |. 84C9 ||TEST CL,CL
004E449C |.^75 F8 |\JNZ SHORT game.004E4496
004E449E |. 8BC8 |MOV ECX,EAX
004E44A0 |. C1E9 02 |SHR ECX,2
004E44A3 |. 8BF2 |MOV ESI,EDX
004E44A5 |. F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWORD PTR D>
004E44A7 |. 8BC8 |MOV ECX,EAX
004E44A9 |. 8B4424 10 |MOV EAX,DWORD PTR SS:[ESP+10]
004E44AD |. 83E1 03 |AND ECX,3
004E44B0 |. F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:>
004E44B2 |. 50 |PUSH EAX
004E44B3 |. 8D4C24 18 |LEA ECX,DWORD PTR SS:[ESP+18]
004E44B7 |. 51 |PUSH ECX
004E44B8 |. E8 E3F5FFFF |CALL game.004E3AA0 <-fixed
004E44BD |. 83C4 08 |ADD ESP,8
004E44C0 |> 8B7424 10 |MOV ESI,DWORD PTR SS:[ESP+10]
004E44C4 |. 46 |INC ESI
004E44C5 |. 83C3 04 |ADD EBX,4
004E44C8 |. 83C5 40 |ADD EBP,40
004E44CB |. 81FB 34E36E00 |CMP EBX,game.006EE334 <-fixed
004E44D1 |. 897424 10 |MOV DWORD PTR SS:[ESP+10],ESI
004E44D5 |.^7C 8D \JL SHORT game.004E4464
004E44D7 |. 5F POP EDI
004E44D8 |. 5D POP EBP
004E44D9 |. 5B POP EBX
004E44DA |> 8B9424 8C00000>MOV EDX,DWORD PTR SS:[ESP+8C]
004E44E1 |. 52 PUSH EDX
004E44E2 |. E8 E9FBFFFF CALL game.004E40D0 <-fixed ; <- the function we change next
004E44E7 |. 83C4 04 ADD ESP,4
004E44EA |. B8 01000000 MOV EAX,1
004E44EF |. 5E POP ESI
004E44F0 |. 81C4 84000000 ADD ESP,84
004E44F6 |. C3 RETN
004E44F7 |> 8935 2C782E03 MOV DWORD PTR DS:[32E782C],ESI <-fixed
004E44FD \.^EB DB JMP SHORT game.004E44DA
- a few NOPs at the end save us this time, and the whole function stays where it belongs
- select your changes and save
- now let's go to 004E40D0, the target of this call:
Code:
004E44E2 |. E8 E9FBFFFF CALL game.004E40D0 <-fixed
- select the function you see there (from 004E40D0 to 004E4162), fill it with NOPs, then change it to this:
Code:
004E40D0 /$ 56 PUSH ESI
004E40D1 |. 33F6 XOR ESI,ESI
004E40D3 |. 57 PUSH EDI
004E40D4 |. 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]
004E40D8 |. 56 PUSH ESI
004E40D9 |. 68 34782E03 PUSH game.032E7834 <-fixed
004E40DE |. 56 PUSH ESI
004E40DF |. 893D 885D2E03 MOV DWORD PTR DS:[32E5D88],EDI <-fixed
004E40E5 |. 8935 34782E03 MOV DWORD PTR DS:[32E7834],ESI <-fixed
004E40EB |. 8935 38782E03 MOV DWORD PTR DS:[32E7838],ESI <-fixed
004E40F1 |. 8935 3C782E03 MOV DWORD PTR DS:[32E783C],ESI <-fixed
004E40F7 |. 8935 40782E03 MOV DWORD PTR DS:[32E7840],ESI <-fixed
004E40FD |. 8935 44782E03 MOV DWORD PTR DS:[32E7844],ESI <-fixed
004E4103 |. 8935 48782E03 MOV DWORD PTR DS:[32E7848],ESI <-fixed
004E4109 |. 8935 4C782E03 MOV DWORD PTR DS:[32E784C],ESI <-fixed
004E410F |. 8935 50782E03 MOV DWORD PTR DS:[32E7850],ESI <-fixed
004E4115 |. 8935 54782E03 MOV DWORD PTR DS:[32E7854],ESI <-fixed
004E411B |. E8 A0FE0A00 CALL <JMP.&DSOUND.#1> <-fixed
004E4120 |. 3BC6 CMP EAX,ESI
004E4122 |. 7C 34 JL SHORT game.004E4158
004E4124 |. A1 34782E03 MOV EAX,DWORD PTR DS:[32E7834] <-fixed
004E4129 |. 3BC6 CMP EAX,ESI
004E412B |. 74 1E JE SHORT game.004E414B
004E412D |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004E412F |. 6A 02 PUSH 2
004E4131 |. 57 PUSH EDI
004E4132 |. 50 PUSH EAX
004E4133 |. FF51 18 CALL DWORD PTR DS:[ECX+18]
004E4136 |. 3BC6 CMP EAX,ESI
004E4138 |. 7D 11 JGE SHORT game.004E414B
004E413A |. A1 34782E03 MOV EAX,DWORD PTR DS:[32E7834] <-fixed
004E413F |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
004E4141 |. 50 PUSH EAX
004E4142 |. FF52 08 CALL DWORD PTR DS:[EDX+8]
004E4145 |. 8935 34782E03 MOV DWORD PTR DS:[32E7834],ESI <-fixed
004E414B |> B8 01000000 MOV EAX,1
004E4150 |. 5F POP EDI
004E4151 |. A3 58782E03 MOV DWORD PTR DS:[32E7858],EAX <-fixed
004E4156 |. 5E POP ESI
004E4157 |. C3 RETN
004E4158 |> 5F POP EDI
004E4159 |. 8935 58782E03 MOV DWORD PTR DS:[32E7858],ESI <-fixed
004E415F |. 33C0 XOR EAX,EAX
004E4161 |. 5E POP ESI
004E4162 \. C3 RETN
- save the changes again
- the client can start in window mode now, but it will disconnect if you log in as a normal player, because the server notices the focus change; we are going to fix that now
- go to 00415150 and change:
Code:
JNZ SHORT 0041515F
to:
Code:
JMP SHORT 0041515F
(the conditional jump becomes an unconditional JMP, so the jump is always taken)
(SetForegroundWindow)
- go to 00430A6F and change:
Code:
JE SHORT 00430AA4
to:
Code:
JMP SHORT 00430AA4
(GetForegroundWindow)
- go to 0044047C and change:
Code:
JE SHORT 00440492
to:
Code:
JMP SHORT 00440492
(GetSystemMetrics)
- save those changes
- open ptReg and add
"WindowMode" "1"
to enable window mode; change the 1 to 0 to disable it.
- all the <-fixed markers show what you need to find when adding this to another game.exe.
Xtrap is disabled (not removed); to enable it again, go to 005A3730 and start by adding this back:
Code:
005A3730 /$ 6A 00 PUSH 0 ; /ExitCode = 0
005A3732 |. FF15 C0315C00 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; |[GetCurrentProcess
005A3738 |. 50 PUSH EAX ; |hProcess
005A3739 |. FF15 08315C00 CALL DWORD PTR DS:[<&KERNEL32.TerminateP>; \TerminateProcess
005A373F \. C3 RETN
To remove Xtrap, use bobsobol's tutorial (http://forum.ragezone.com/f562/guide-removing-redundant-code-from-executables-646926/)
When you start this client, camera_wave_off and a maximized window will be your default settings (from Gregoory's tutorials)
(while writing this tutorial I found one wrong offset to .data in my game.exe (and fixed it), but it was working, so if you find something wrong, post it here)
Credits:
- quantumfusion (code parts are from his 1873_quantumfusion.exe)
- Gregoory (for his interesting tutorials)
- rxaicy (for pointing out somewhere about SetForegroundWindow, GetForegroundWindow, GetSystemMetrics)
- bobsobol (for his interesting posts that helped me to understand PT code)
- Me (for writing tutorial and adding WindowMode to new KPT client)
- many others who think that they have anything to do with this code ;-)
"This is a free tutorial: files used here are not for sale, rent, or auction"
"If you bought this, you have been scammed" :laugh:
ENJOY!!!!11