[Guide] How to add WindowMode to PT.

Custom Title Activated
Loyal Member
Joined
Jan 28, 2009
Messages
1,320
Reaction score
616
I will show you how to add WindowMode and remove the focus checks, so you can connect in WindowMode as a player and not get kicked by the server.

I'm using the KPT 2.42.8 game.exe; if you plan to use JPT, another PT, or a different version of KPT you will have to fix some offsets (by some I mean a lot of them :) I will mark them as <-fixed in the code).
It's a time-consuming job but not as hard as you might think (the easiest way is to use IDA Pro and see what else writes to that address; compare the CALL, PUSH, CMP and MOV with the old function, because 99% of the time they lead to the same place).
IDA will show you this:

Code:
.data:008E09E8 dword_8E09E8    dd ?                    ; DATA XREF: sub_44C503D-408EB33o
.data:008E09E8                                         ; sub_436520+10o ...

And believe it or not, it's a great help.
Why am I not using IDA then? The answer is simple: assembling in it is not user friendly ;)

First we need space to put the new code in, so:
- start your PE editor; I'm using CFF Explorer
- open your game.exe (File>Open)
- go to "Section Headers [x]" (it's in the list on the left side)
- right click on empty space and choose "Add Section (Empty Space)"
- CFF Explorer will ask for the space size; type 1000 (or more if you plan to put more code in there)
- let's name this new section ".NewCode"
- now let's create one more section and name it ".NewData"
- you could hold your data in the code section; I'm creating two sections because I want more control over the code and data I'm adding
- we have the new sections, now it's time to change the flags
- right click on each newly created section, press "Change Section Flags" and check:
"is readable", "is executable", "contains code" for .NewCode
"is readable", "is writable", "contains initialized data" for .NewData
- (File>Save) and that's all for the CFF Explorer part
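Before trusting a patched client, a defender wants to see what the section table actually says. This is an added example (mine, not part of the original post or of CFF Explorer) that parses the COFF and section headers the way a PE editor does and flags the kind of sections the steps above create; the embedded image is a constructed header-only sample, and its .NewCode RVA 040C5000 is what the guide's 044C5000 becomes with a 00400000 image base.

```python
"""Static check of PE section headers for the kind of sections this guide adds.

Added example, not part of the original post or of CFF Explorer: it parses the
COFF and section headers of a 32-bit PE and reports sections an integrity check
would want to know about (non-standard names, writable+executable). A constructed
header-only image with the guide's .NewCode and .NewData sections is embedded so
it runs offline; for a real game.exe call parse_sections(open(path, "rb").read()).
"""
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a linker normally emits; anything else appended to a shipped client
# deserves a look (the guide's ".NewCode"/".NewData" are the obvious examples).
STANDARD_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                  ".reloc", ".tls", ".bss", ".pdata", ".CRT"}

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def parse_sections(data):
    """Return [(name, virtual_size, rva, raw_size, characteristics)] for every section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _flags = \
        struct.unpack_from(COFF_HDR, data, coff)
    first = coff + struct.calcsize(COFF_HDR) + opt_size
    out = []
    for i in range(nsections):
        name, vsize, rva, rsize, _rp, _rr, _rl, _nr, _nl, chars = \
            struct.unpack_from(SECTION_HDR, data, first + i * 40)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rva, rsize, chars))
    return out


def audit_sections(sections):
    """Return (name, finding) pairs; an unmodified client should yield none."""
    findings = []
    for name, _vsize, _rva, _rsize, chars in sections:
        executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        writable = bool(chars & IMAGE_SCN_MEM_WRITE)
        if executable and writable:
            findings.append((name, "writable and executable (RWX)"))
        if name not in STANDARD_NAMES:
            kind = "executable" if executable else "writable" if writable else "read-only"
            findings.append((name, "non-standard %s section" % kind))
    return findings


def describe(sections):
    """Human-readable table in the spirit of CFF Explorer's section view."""
    lines = ["%-9s %-10s %-10s %-10s %s" % ("Name", "RVA", "VirtSize", "RawSize", "Flags")]
    for name, vsize, rva, rsize, chars in sections:
        flags = "".join(f for f, bit in (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE),
                                          ("X", IMAGE_SCN_MEM_EXECUTE)) if chars & bit)
        lines.append("%-9s %08X   %08X   %08X   %s" % (name, rva, vsize, rsize, flags))
    return "\n".join(lines)


def build_sample_pe(sections):
    """Constructed header-only PE32 image (no section bodies) for offline testing."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224                      # size of a PE32 optional header
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic, rest zeroed
    hdrs = b"".join(struct.pack(SECTION_HDR, name.encode(), vsize, rva, vsize, 0, 0, 0, 0, 0, chars)
                    for name, rva, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs


# Constructed layout: two linker sections plus the guide's two added sections with
# exactly the flags the guide sets (code: R+X+code; data: R+W+initialized data).
SAMPLE_SECTIONS = [
    (".text", 0x00001000, 0x001C0000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x001D0000, 0x02F00000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".NewCode", 0x040C5000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".NewData", 0x040C6000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]

if __name__ == "__main__":
    secs = parse_sections(build_sample_pe(SAMPLE_SECTIONS))
    print(describe(secs))
    for name, finding in audit_sections(secs):
        print("finding: %s: %s" % (name, finding))
```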

[screenshot attached]

Now it's time for OllyDbg:
- start OllyDbg and load game.exe (press Ctrl+A to analyze the code, and Shift+F9 to pass an exception to the program if needed)
- go to the newly created section (Ctrl+G); in my case the address is 044C5000
- let's put some new code there (BTW, you don't need the NOPs; I'm only adding them to leave some space so I can change/add/edit functions without fixing offsets every time, but if you remove the NOPs remember to fix the offsets in your game.exe; every game.exe has NOPs between functions, and you will soon see how that helps us)
- it's assemble time:
- you can select this part in the game.exe I attached, do a binary copy and paste it into your client, or assemble it line by line (press SPACE and start typing, without the "044C5000 90" parts, of course! :) )

Code:
044C5000   90               NOP
044C5001   90               NOP
044C5002   90               NOP
044C5003   90               NOP
044C5004   90               NOP
044C5005   90               NOP
044C5006   90               NOP
044C5007   90               NOP
044C5008   90               NOP
044C5009   90               NOP
044C500A   90               NOP
044C500B   90               NOP
044C500C   90               NOP
044C500D   90               NOP
044C500E   90               NOP
044C500F   90               NOP
044C5010   90               NOP
044C5011   90               NOP
044C5012   90               NOP
044C5013   90               NOP
044C5014   0FBF05 0B604C04  MOVSX EAX,WORD PTR DS:[44C600B] <-fixed
044C501B   83F8 01          CMP EAX,1
044C501E   74 06            JE SHORT game.044C5026
044C5020   A1 E8098E00      MOV EAX,DWORD PTR DS:[8E09E8] <-fixed
044C5025   C3               RETN
044C5026   F7D8             NEG EAX
044C5028   C3               RETN
044C5029   90               NOP
044C502A   90               NOP
044C502B   90               NOP
044C502C   90               NOP
044C502D   90               NOP
044C502E   90               NOP
044C502F   90               NOP
044C5030   90               NOP
044C5031   90               NOP
044C5032   90               NOP
044C5033   90               NOP
044C5034   90               NOP
044C5035   90               NOP
044C5036   90               NOP
044C5037   90               NOP
044C5038   90               NOP
044C5039   90               NOP
044C503A   90               NOP
044C503B   90               NOP
044C503C   90               NOP
044C503D   A1 A0935F00      MOV EAX,DWORD PTR DS:[5F93A0] <-fixed
044C5042   68 00604C04      PUSH game.044C6000                       ; ASCII "WindowMode" <-fixed
044C5047   50               PUSH EAX
044C5048   68 02000080      PUSH 80000002
044C504D   E8 CEF408FC      CALL game.00554520 <-fixed
044C5052   83C4 0C          ADD ESP,0C
044C5055   85C0             TEST EAX,EAX
044C5057   74 1C            JE SHORT game.044C5075
044C5059   50               PUSH EAX
044C505A   E8 EDE30EFC      CALL game.005B344C <-fixed
044C505F   83C4 04          ADD ESP,4
044C5062   83F8 01          CMP EAX,1
044C5065   75 0E            JNZ SHORT game.044C5075
044C5067   66:C705 0B604C04>MOV WORD PTR DS:[44C600B],1 <-fixed
044C5070   A1 A0935F00      MOV EAX,DWORD PTR DS:[5F93A0] <-fixed
044C5075  -E9 2612F7FB      JMP game.004362A0
044C507A   90               NOP
044C507B   90               NOP
044C507C   90               NOP
044C507D   90               NOP
044C507E   90               NOP
044C507F   90               NOP
044C5080   90               NOP
044C5081   90               NOP
044C5082   90               NOP
044C5083   90               NOP
044C5084   90               NOP
044C5085   90               NOP
044C5086   90               NOP
044C5087   90               NOP
044C5088   90               NOP
044C5089   90               NOP
044C508A   90               NOP
044C508B   90               NOP
044C508C   90               NOP
044C508D   90               NOP

- you will not see ; ASCII "WindowMode" yet; we are going to add it now

- select everything you added to your game.exe, right click on the selected area and choose "copy to executable>selection"
- a window will pop up; right click again and select "save file" (be sure you have a copy of the original game.exe somewhere)
- open the game.exe file again, do Ctrl+A (Shift+F9 if needed) and this time go to 044C6000
- put this there:

Code:
044C6000   57               PUSH EDI
044C6001   696E 64 6F774D6F IMUL EBP,DWORD PTR DS:[ESI+64],6F4D776F
044C6008   64:              PREFIX FS:                               ; Superfluous prefix
044C6009   65:0000          ADD BYTE PTR GS:[EAX],AL


- select it, right click and choose "Follow in dump>selection"; you should see WindowMode in the hex dump

[screenshot attached]

- save changes to game.exe again


- go to 00436629 and fix the JMP:
Code:
JMP 004362A0
to point at your new "trigger" for WindowMode:
Code:
JMP 044C503D

- go to 00436D37 and fix the CALL:
Code:
CALL 004362A0
to point at your new address:
Code:
CALL 044C503D


- now find this:

Code:
00416580  /$ 83EC 44        SUB ESP,44
00416583  |. 53             PUSH EBX
00416584  |. 55             PUSH EBP
00416585  |. 56             PUSH ESI
00416586  |. 8B7424 5C      MOV ESI,DWORD PTR SS:[ESP+5C]
0041658A  |. 57             PUSH EDI
0041658B  |. 8B7C24 58      MOV EDI,DWORD PTR SS:[ESP+58]
0041658F  |. 56             PUSH ESI                                 ; /String2
00416590  |. 68 00267300    PUSH game.00732600                       ; |String1 = game.00732600
00416595  |. 893D D8387300  MOV DWORD PTR DS:[7338D8],EDI            ; |
0041659B  |. FF15 34325C00  CALL DWORD PTR DS:[<&KERNEL32.lstrcpyA>] ; \lstrcpyA
004165A1  |. E8 4AA80F00    CALL game.00510DF0
004165A6  |. E8 45CD0400    CALL game.004632F0
004165AB  |. 68 14525C00    PUSH game.005C5214                       ;  ASCII "hotuk.ini"
004165B0  |. E8 6BFF0100    CALL game.00436520
004165B5  |. 68 04525C00    PUSH game.005C5204                       ;  ASCII "ShortCut.ini"
004165BA  |. E8 F1070200    CALL game.00436DB0
004165BF  |. 56             PUSH ESI
004165C0  |. E8 BBD4FFFF    CALL game.00413A80
004165C5  |. 8B35 EC315C00  MOV ESI,DWORD PTR DS:[<&KERNEL32.Initial>;  kernel32.InitializeCriticalSection
004165CB  |. 83C4 0C        ADD ESP,0C
004165CE  |. 68 DC257300    PUSH game.007325DC                       ; /pCriticalSection = game.007325DC
004165D3  |. FFD6           CALL ESI                                 ; \InitializeCriticalSection
004165D5  |. 68 E8217300    PUSH game.007321E8                       ; /pCriticalSection = game.007321E8
004165DA  |. FFD6           CALL ESI                                 ; \InitializeCriticalSection
004165DC  |. 68 68E86F00    PUSH game.006FE868                       ; /pCriticalSection = game.006FE868
004165E1  |. FFD6           CALL ESI                                 ; \InitializeCriticalSection
004165E3  |. FF15 F4315C00  CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; [GetTickCount
004165E9  |. 50             PUSH EAX
004165EA  |. E8 33D21900    CALL game.005B3822
004165EF  |. 83C4 04        ADD ESP,4
004165F2  |. E8 79DB0C00    CALL game.004E4170
004165F7  |. A1 F4098E00    MOV EAX,DWORD PTR DS:[8E09F4]            ; <- start of the part to change (red in the original post)
004165FC  |. 8B35 EC098E00  MOV ESI,DWORD PTR DS:[8E09EC]
00416602  |. 8B2D F0098E00  MOV EBP,DWORD PTR DS:[8E09F0]
00416608  |. A3 C88D5F00    MOV DWORD PTR DS:[5F8DC8],EAX
0041660D  |. A1 E8098E00    MOV EAX,DWORD PTR DS:[8E09E8]
00416612  |. 33DB           XOR EBX,EBX
00416614  |. 3BC3           CMP EAX,EBX
00416616  |. 8935 C08D5F00  MOV DWORD PTR DS:[5F8DC0],ESI
0041661C  |. 892D C48D5F00  MOV DWORD PTR DS:[5F8DC4],EBP
00416622  |. A3 44C25F00    MOV DWORD PTR DS:[5FC244],EAX            ; <- end of the part to change
00416627  |. 75 11          JNZ SHORT game.0041663A

You can press Ctrl+S and search for this sequence of commands:

Code:
SUB ESP,44
PUSH EBX
PUSH EBP
PUSH ESI
MOV ESI,DWORD PTR SS:[ESP+5C]
PUSH EDI
MOV EDI,DWORD PTR SS:[ESP+58]

until you find the same function.

- we are interested in the part marked in red above, from 004165F7 to 00416622
- let's change it to:

Code:
004165EF  |. A1 F4098E00    MOV EAX,DWORD PTR DS:[8E09F4] <-fixed
004165F4  |. 8B35 EC098E00  MOV ESI,DWORD PTR DS:[8E09EC] <-fixed
004165FA  |. 8B2D F0098E00  MOV EBP,DWORD PTR DS:[8E09F0] <-fixed
00416600  |. A3 C88D5F00    MOV DWORD PTR DS:[5F8DC8],EAX <-fixed
00416605  |. E8 0AEA0A04    CALL game.044C5014 <-fixed
0041660A  |. 33DB           XOR EBX,EBX
0041660C  |. 83C4 04        ADD ESP,4
0041660F  |. 3BC3           CMP EAX,EBX
00416611  |. 8935 C08D5F00  MOV DWORD PTR DS:[5F8DC0],ESI <-fixed
00416617  |. 892D C48D5F00  MOV DWORD PTR DS:[5F8DC4],EBP <-fixed
0041661D  |. A3 44C25F00    MOV DWORD PTR DS:[5FC244],EAX <-fixed
00416622  |. 90             NOP
00416623  |. 90             NOP
00416624  |. 90             NOP
00416625  |. 90             NOP
00416626  |. 90             NOP

- CALL game.044C5014 is the new function we added; be sure the offset is correct
- save changes again, and this time go to 004E43F0; you will see this:
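"Be sure the offset is correct" is arithmetic on relative displacements: E8/E9 carry a 32-bit offset from the end of the instruction, short jumps an 8-bit one. This added example (mine, not the guide's code) re-derives the byte columns shown in the listings above for the redirected CALLs and JMPs and reports any entry whose bytes do not reach the stated target; the listing entries are copied from this post, the encode/decode helpers are mine.

```python
"""Compute and check rel32/rel8 branch displacements for redirected CALL/JMP instructions.

Added example, not from the original post. Every CALL and JMP the guide redirects is
encoded as opcode + displacement relative to the end of the instruction, which is why
moving code means "fixing offsets". The checks below re-derive the byte columns that
appear in the guide's listings (for example "E8 0AEA0A04" for CALL 044C5014 at
00416605) so a redirected branch can be confirmed before the patched game.exe is saved.
"""
import struct

# Opcodes handled: E8 CALL rel32, E9 JMP rel32, EB JMP SHORT rel8, 70-7F Jcc SHORT rel8.
REL32_OPCODES = {0xE8, 0xE9}


def rel32(src, target):
    """Displacement for a 5-byte CALL/JMP at src that must land at target."""
    disp = target - (src + 5)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return disp


def rel8(src, target):
    """Displacement for a 2-byte short jump at src; raises if the long form is needed."""
    disp = target - (src + 2)
    if not -128 <= disp <= 127:
        raise ValueError("target %08X not reachable with a short jump from %08X" % (target, src))
    return disp


def encode_call(src, target):
    return b"\xe8" + struct.pack("<i", rel32(src, target))


def encode_jmp(src, target):
    return b"\xe9" + struct.pack("<i", rel32(src, target))


def encode_short(opcode, src, target):
    """EB (JMP SHORT) or a 70-7F conditional such as 74 (JE) / 75 (JNZ)."""
    if opcode != 0xEB and not 0x70 <= opcode <= 0x7F:
        raise ValueError("not a short branch opcode")
    return bytes([opcode]) + struct.pack("<b", rel8(src, target))


def decode_target(src, insn):
    """Target of the relative branch whose bytes are insn, located at src."""
    op = insn[0]
    if op in REL32_OPCODES:
        return src + 5 + struct.unpack("<i", insn[1:5])[0]
    if op == 0xEB or 0x70 <= op <= 0x7F:
        return src + 2 + struct.unpack("<b", insn[1:2])[0]
    raise ValueError("opcode %02X is not a relative branch" % op)


def olly_hex(insn):
    """Format bytes the way OllyDbg's hex column does: opcode, space, operand bytes."""
    return insn[:1].hex().upper() + " " + insn[1:].hex().upper()


# Branches copied from the guide's listings: (address, bytes as shown, target shown).
LISTING_CHECKS = [
    (0x00416605, "E8 0AEA0A04", 0x044C5014),   # CALL into the new .NewCode routine
    (0x044C5075, "E9 2612F7FB", 0x004362A0),   # JMP back from the WindowMode trigger
    (0x044C504D, "E8 CEF408FC", 0x00554520),   # CALL to the registry-read routine
    (0x044C505A, "E8 EDE30EFC", 0x005B344C),   # CALL to the string-to-int routine
    (0x044C501E, "74 06", 0x044C5026),         # JE SHORT inside the new routine
    (0x004E44F8, "EB DD", 0x004E44D7),         # JMP SHORT at the end of the sound init
]


def check_listing(entries):
    """Return the entries whose shown bytes do not reach the shown target."""
    bad = []
    for src, shown, target in entries:
        raw = bytes.fromhex(shown.replace(" ", ""))
        if decode_target(src, raw) != target:
            bad.append(("%08X" % src, shown))
    return bad


if __name__ == "__main__":
    print("mismatches in guide listings:", check_listing(LISTING_CHECKS))
    # The JMP the guide asks you to type at 00436629 to reach the trigger at 044C503D.
    print("JMP at 00436629 ->", olly_hex(encode_jmp(0x00436629, 0x044C503D)))
```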

Code:
004E43F0  /$ 8B0D A0C86E00  MOV ECX,DWORD PTR DS:[6EC8A0]
004E43F6  |. 33C0           XOR EAX,EAX
004E43F8  |. 81EC 84000000  SUB ESP,84
004E43FE  |. 3BC8           CMP ECX,EAX
004E4400  |. 75 0C          JNZ SHORT game.004E440E
004E4402  |. A3 2C782E03    MOV DWORD PTR DS:[32E782C],EAX
004E4407  |. 81C4 84000000  ADD ESP,84
004E440D  |. C3             RETN
004E440E  |> 3905 885D2E03  CMP DWORD PTR DS:[32E5D88],EAX
004E4414  |. 0F85 D9000000  JNZ game.004E44F3
004E441A  |. 8B9424 8800000>MOV EDX,DWORD PTR SS:[ESP+88]
004E4421  |. A1 28782E03    MOV EAX,DWORD PTR DS:[32E7828]
004E4426  |. 53             PUSH EBX
004E4427  |. 55             PUSH EBP
004E4428  |. 56             PUSH ESI
004E4429  |. 57             PUSH EDI
004E442A  |. BE 01000000    MOV ESI,1
004E442F  |. 56             PUSH ESI
004E4430  |. 52             PUSH EDX
004E4431  |. 8935 2C782E03  MOV DWORD PTR DS:[32E782C],ESI
004E4437  |. 8B08           MOV ECX,DWORD PTR DS:[EAX]
004E4439  |. 50             PUSH EAX
004E443A  |. FF51 18        CALL DWORD PTR DS:[ECX+18]
004E443D  |. B9 A4060000    MOV ECX,6A4
004E4442  |. 33C0           XOR EAX,EAX
004E4444  |. BF 905D2E03    MOV EDI,game.032E5D90
004E4449  |. F3:AB          REP STOS DWORD PTR ES:[EDI]
004E444B  |. 897424 10      MOV DWORD PTR SS:[ESP+10],ESI
004E444F  |. BD 88B42C03    MOV EBP,game.032CB488
004E4454  |. BB A8C86E00    MOV EBX,game.006EC8A8
004E4459  |. 8DA424 0000000>LEA ESP,DWORD PTR SS:[ESP]
004E4460  |> 85ED           /TEST EBP,EBP
004E4462  |. 74 58          |JE SHORT game.004E44BC
004E4464  |. 807D 00 00     |CMP BYTE PTR SS:[EBP],0
004E4468  |. 74 52          |JE SHORT game.004E44BC
004E446A  |. 833B 00        |CMP DWORD PTR DS:[EBX],0
004E446D  |. 74 4D          |JE SHORT game.004E44BC
004E446F  |. 33C0           |XOR EAX,EAX
004E4471  |> 8A88 40B42C03  |/MOV CL,BYTE PTR DS:[EAX+32CB440]
004E4477  |. 884C04 14      ||MOV BYTE PTR SS:[ESP+EAX+14],CL
004E447B  |. 40             ||INC EAX
004E447C  |. 84C9           ||TEST CL,CL
004E447E  |.^75 F1          |\JNZ SHORT game.004E4471
004E4480  |. 8BC5           |MOV EAX,EBP
004E4482  |. 8BD5           |MOV EDX,EBP
004E4484  |> 8A08           |/MOV CL,BYTE PTR DS:[EAX]
004E4486  |. 40             ||INC EAX
004E4487  |. 84C9           ||TEST CL,CL
004E4489  |.^75 F9          |\JNZ SHORT game.004E4484
004E448B  |. 8D7C24 14      |LEA EDI,DWORD PTR SS:[ESP+14]
004E448F  |. 2BC2           |SUB EAX,EDX
004E4491  |. 4F             |DEC EDI
004E4492  |> 8A4F 01        |/MOV CL,BYTE PTR DS:[EDI+1]
004E4495  |. 47             ||INC EDI
004E4496  |. 84C9           ||TEST CL,CL
004E4498  |.^75 F8          |\JNZ SHORT game.004E4492
004E449A  |. 8BC8           |MOV ECX,EAX
004E449C  |. C1E9 02        |SHR ECX,2
004E449F  |. 8BF2           |MOV ESI,EDX
004E44A1  |. F3:A5          |REP MOVS DWORD PTR ES:[EDI],DWORD PTR D>
004E44A3  |. 8BC8           |MOV ECX,EAX
004E44A5  |. 8B4424 10      |MOV EAX,DWORD PTR SS:[ESP+10]
004E44A9  |. 83E1 03        |AND ECX,3
004E44AC  |. F3:A4          |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:>
004E44AE  |. 50             |PUSH EAX
004E44AF  |. 8D4C24 18      |LEA ECX,DWORD PTR SS:[ESP+18]
004E44B3  |. 51             |PUSH ECX
004E44B4  |. E8 E7F5FFFF    |CALL game.004E3AA0
004E44B9  |. 83C4 08        |ADD ESP,8
004E44BC  |> 8B7424 10      |MOV ESI,DWORD PTR SS:[ESP+10]
004E44C0  |. 46             |INC ESI
004E44C1  |. 83C3 04        |ADD EBX,4
004E44C4  |. 83C5 40        |ADD EBP,40
004E44C7  |. 81FB 34E36E00  |CMP EBX,game.006EE334
004E44CD  |. 897424 10      |MOV DWORD PTR SS:[ESP+10],ESI
004E44D1  |.^7C 8D          \JL SHORT game.004E4460
004E44D3  |. 5F             POP EDI
004E44D4  |. 5E             POP ESI
004E44D5  |. 5D             POP EBP
004E44D6  |. 5B             POP EBX
004E44D7  |> 8B9424 8800000>MOV EDX,DWORD PTR SS:[ESP+88]
004E44DE  |. 52             PUSH EDX
004E44DF  |. E8 ECFBFFFF    CALL game.004E40D0
004E44E4  |. 83C4 04        ADD ESP,4
004E44E7  |. B8 01000000    MOV EAX,1
004E44EC  |. 81C4 84000000  ADD ESP,84
004E44F2  |. C3             RETN
004E44F3  |> A3 2C782E03    MOV DWORD PTR DS:[32E782C],EAX
004E44F8  \.^EB DD          JMP SHORT game.004E44D7

- select it, right click and do "binary>fill with NOPs" on the selection

- edit the whole function so it looks like the function below (I know this looks nearly the same as the function above, and you could just jump to the part that is different and then jump back to the original function, but I prefer "clean" code; besides, if you move this function to the end of the file it will have a huge impact on how fast the game starts, so let's keep it where it should be :) )

Code:
004E43F0  /$ A1 A0C86E00    MOV EAX,DWORD PTR DS:[6EC8A0] <-fixed
004E43F5  |. 81EC 84000000  SUB ESP,84
004E43FB  |. 56             PUSH ESI
004E43FC  |. 33F6           XOR ESI,ESI
004E43FE  |. 3BC6           CMP EAX,ESI
004E4400  |. 75 10          JNZ SHORT game.004E4412
004E4402  |. 8935 2C782E03  MOV DWORD PTR DS:[32E782C],ESI <-fixed
004E4408  |. 33C0           XOR EAX,EAX
004E440A  |. 5E             POP ESI
004E440B  |. 81C4 84000000  ADD ESP,84
004E4411  |. C3             RETN
004E4412  |> 56             PUSH ESI
004E4413  |. 68 28782E03    PUSH game.032E7828 <-fixed
004E4418  |. 56             PUSH ESI
004E4419  |. E8 A2FB0A00    CALL <JMP.&DSOUND.#1> <-fixed
004E441E  |. 85C0           TEST EAX,EAX
004E4420  |. 0F85 D1000000  JNZ game.004E44F7
004E4426  |. 8B9424 8C00000>MOV EDX,DWORD PTR SS:[ESP+8C] 
004E442D  |. A1 28782E03    MOV EAX,DWORD PTR DS:[32E7828] <-fixed
004E4432  |. 53             PUSH EBX
004E4433  |. 55             PUSH EBP
004E4434  |. 57             PUSH EDI
004E4435  |. BE 01000000    MOV ESI,1
004E443A  |. 56             PUSH ESI
004E443B  |. 52             PUSH EDX
004E443C  |. 8935 2C782E03  MOV DWORD PTR DS:[32E782C],ESI <-fixed
004E4442  |. 8B08           MOV ECX,DWORD PTR DS:[EAX]
004E4444  |. 50             PUSH EAX
004E4445  |. FF51 18        CALL DWORD PTR DS:[ECX+18]
004E4448  |. B9 A4060000    MOV ECX,6A4
004E444D  |. 33C0           XOR EAX,EAX
004E444F  |. BF 905D2E03    MOV EDI,game.032E5D90 <-fixed
004E4454  |. F3:AB          REP STOS DWORD PTR ES:[EDI]
004E4456  |. 897424 10      MOV DWORD PTR SS:[ESP+10],ESI
004E445A  |. BD 88B42C03    MOV EBP,game.032CB488 <-fixed
004E445F  |. BB A8C86E00    MOV EBX,game.006EC8A8 <-fixed
004E4464  |> 85ED           /TEST EBP,EBP
004E4466  |. 74 58          |JE SHORT game.004E44C0 
004E4468  |. 807D 00 00     |CMP BYTE PTR SS:[EBP],0
004E446C  |. 74 52          |JE SHORT game.004E44C0
004E446E  |. 833B 00        |CMP DWORD PTR DS:[EBX],0
004E4471  |. 74 4D          |JE SHORT game.004E44C0
004E4473  |. 33C0           |XOR EAX,EAX
004E4475  |> 8A88 40B42C03  |/MOV CL,BYTE PTR DS:[EAX+32CB440] <-fixed
004E447B  |. 884C04 14      ||MOV BYTE PTR SS:[ESP+EAX+14],CL
004E447F  |. 40             ||INC EAX
004E4480  |. 84C9           ||TEST CL,CL
004E4482  |.^75 F1          |\JNZ SHORT game.004E4475
004E4484  |. 8BC5           |MOV EAX,EBP
004E4486  |. 8BD5           |MOV EDX,EBP
004E4488  |> 8A08           |/MOV CL,BYTE PTR DS:[EAX]
004E448A  |. 40             ||INC EAX
004E448B  |. 84C9           ||TEST CL,CL
004E448D  |.^75 F9          |\JNZ SHORT game.004E4488
004E448F  |. 8D7C24 14      |LEA EDI,DWORD PTR SS:[ESP+14]
004E4493  |. 2BC2           |SUB EAX,EDX
004E4495  |. 4F             |DEC EDI
004E4496  |> 8A4F 01        |/MOV CL,BYTE PTR DS:[EDI+1]
004E4499  |. 47             ||INC EDI
004E449A  |. 84C9           ||TEST CL,CL
004E449C  |.^75 F8          |\JNZ SHORT game.004E4496
004E449E  |. 8BC8           |MOV ECX,EAX
004E44A0  |. C1E9 02        |SHR ECX,2
004E44A3  |. 8BF2           |MOV ESI,EDX
004E44A5  |. F3:A5          |REP MOVS DWORD PTR ES:[EDI],DWORD PTR D>
004E44A7  |. 8BC8           |MOV ECX,EAX
004E44A9  |. 8B4424 10      |MOV EAX,DWORD PTR SS:[ESP+10]
004E44AD  |. 83E1 03        |AND ECX,3
004E44B0  |. F3:A4          |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:>
004E44B2  |. 50             |PUSH EAX
004E44B3  |. 8D4C24 18      |LEA ECX,DWORD PTR SS:[ESP+18]
004E44B7  |. 51             |PUSH ECX
004E44B8  |. E8 E3F5FFFF    |CALL game.004E3AA0 <-fixed
004E44BD  |. 83C4 08        |ADD ESP,8
004E44C0  |> 8B7424 10      |MOV ESI,DWORD PTR SS:[ESP+10]
004E44C4  |. 46             |INC ESI
004E44C5  |. 83C3 04        |ADD EBX,4
004E44C8  |. 83C5 40        |ADD EBP,40
004E44CB  |. 81FB 34E36E00  |CMP EBX,game.006EE334 <-fixed
004E44D1  |. 897424 10      |MOV DWORD PTR SS:[ESP+10],ESI
004E44D5  |.^7C 8D          \JL SHORT game.004E4464
004E44D7  |. 5F             POP EDI
004E44D8  |. 5D             POP EBP
004E44D9  |. 5B             POP EBX
004E44DA  |> 8B9424 8C00000>MOV EDX,DWORD PTR SS:[ESP+8C]
004E44E1  |. 52             PUSH EDX
004E44E2  |. E8 E9FBFFFF    CALL game.004E40D0 <-fixed (this is the function we edit next)
004E44E7  |. 83C4 04        ADD ESP,4
004E44EA  |. B8 01000000    MOV EAX,1
004E44EF  |. 5E             POP ESI
004E44F0  |. 81C4 84000000  ADD ESP,84
004E44F6  |. C3             RETN
004E44F7  |> 8935 2C782E03  MOV DWORD PTR DS:[32E782C],ESI <-fixed
004E44FD  \.^EB DB          JMP SHORT game.004E44DA

- the few NOPs at the end save us this time ;) and the whole function stays where it should be
- select your changes and save :)

- now let's go to 004E40D0:
Code:
004E44E2  |. E8 E9FBFFFF    CALL game.004E40D0 <-fixed
- select the function you see there (from 004E40D0 to 004E4162), fill it with NOPs, then change it to this:
Code:
004E40D0  /$ 56             PUSH ESI
004E40D1  |. 33F6           XOR ESI,ESI
004E40D3  |. 57             PUSH EDI
004E40D4  |. 8B7C24 0C      MOV EDI,DWORD PTR SS:[ESP+C]
004E40D8  |. 56             PUSH ESI
004E40D9  |. 68 34782E03    PUSH game.032E7834 <-fixed
004E40DE  |. 56             PUSH ESI
004E40DF  |. 893D 885D2E03  MOV DWORD PTR DS:[32E5D88],EDI <-fixed
004E40E5  |. 8935 34782E03  MOV DWORD PTR DS:[32E7834],ESI <-fixed
004E40EB  |. 8935 38782E03  MOV DWORD PTR DS:[32E7838],ESI <-fixed
004E40F1  |. 8935 3C782E03  MOV DWORD PTR DS:[32E783C],ESI <-fixed
004E40F7  |. 8935 40782E03  MOV DWORD PTR DS:[32E7840],ESI <-fixed
004E40FD  |. 8935 44782E03  MOV DWORD PTR DS:[32E7844],ESI <-fixed
004E4103  |. 8935 48782E03  MOV DWORD PTR DS:[32E7848],ESI <-fixed
004E4109  |. 8935 4C782E03  MOV DWORD PTR DS:[32E784C],ESI <-fixed
004E410F  |. 8935 50782E03  MOV DWORD PTR DS:[32E7850],ESI <-fixed
004E4115  |. 8935 54782E03  MOV DWORD PTR DS:[32E7854],ESI <-fixed
004E411B  |. E8 A0FE0A00    CALL <JMP.&DSOUND.#1> <-fixed
004E4120  |. 3BC6           CMP EAX,ESI
004E4122  |. 7C 34          JL SHORT game.004E4158
004E4124  |. A1 34782E03    MOV EAX,DWORD PTR DS:[32E7834] <-fixed
004E4129  |. 3BC6           CMP EAX,ESI
004E412B  |. 74 1E          JE SHORT game.004E414B
004E412D  |. 8B08           MOV ECX,DWORD PTR DS:[EAX]
004E412F  |. 6A 02          PUSH 2
004E4131  |. 57             PUSH EDI
004E4132  |. 50             PUSH EAX
004E4133  |. FF51 18        CALL DWORD PTR DS:[ECX+18]
004E4136  |. 3BC6           CMP EAX,ESI
004E4138  |. 7D 11          JGE SHORT game.004E414B
004E413A  |. A1 34782E03    MOV EAX,DWORD PTR DS:[32E7834] <-fixed
004E413F  |. 8B10           MOV EDX,DWORD PTR DS:[EAX]
004E4141  |. 50             PUSH EAX
004E4142  |. FF52 08        CALL DWORD PTR DS:[EDX+8]
004E4145  |. 8935 34782E03  MOV DWORD PTR DS:[32E7834],ESI <-fixed
004E414B  |> B8 01000000    MOV EAX,1
004E4150  |. 5F             POP EDI
004E4151  |. A3 58782E03    MOV DWORD PTR DS:[32E7858],EAX <-fixed
004E4156  |. 5E             POP ESI
004E4157  |. C3             RETN
004E4158  |> 5F             POP EDI
004E4159  |. 8935 58782E03  MOV DWORD PTR DS:[32E7858],ESI <-fixed
004E415F  |. 33C0           XOR EAX,EAX
004E4161  |. 5E             POP ESI
004E4162  \. C3             RETN

- save changes again

- the client can start in window mode now, but it will DC if you log in as a normal player because the server will notice the focus change; we are going to fix that now

- go to 00415150 and change:
Code:
JNZ SHORT 0041515F
to:
Code:
JMP SHORT 0041515F
(the conditional jump becomes an unconditional JMP, so it is always taken)
(SetForegroundWindow)

- go to 00430A6F and change:
Code:
JE SHORT 00430AA4
to:
Code:
JMP SHORT 00430AA4
(GetForegroundWindow)

- go to 0044047C and change:
Code:
JE SHORT 00440492
to:
Code:
JMP SHORT 00440492
(GetSystemMetrics)

- save those changes

- open ptReg and add
"WindowMode" "1"
to enable window mode; change 1 to 0 to disable it.

- All the <-fixed marks show what you need to find when adding this to another game.exe.

Xtrap is disabled (not removed); to enable it, go to 005A3730 and start adding this:

Code:
005A3730  /$ 6A 00          PUSH 0                                   ; /ExitCode = 0
005A3732  |. FF15 C0315C00  CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; |[GetCurrentProcess
005A3738  |. 50             PUSH EAX                                 ; |hProcess
005A3739  |. FF15 08315C00  CALL DWORD PTR DS:[<&KERNEL32.TerminateP>; \TerminateProcess
005A373F  \. C3             RETN

To remove Xtrap use bobsobol tutorial (http://forum.ragezone.com/f562/guide-removing-redundant-code-from-executables-646926/)

When you start this client, camera_wave_off and a maximized window will be your default settings (from Gregoory's tutorials).

(while I was writing this tutorial I found one wrong offset to .data in my game.exe (and fixed it), but it was working :) so if you find something wrong, write it here)


Credits:

- quantumfusion (code parts are from his 1873_quantumfusion.exe)
- Gregoory (for his interesting tutorials)
- rxaicy (for pointing out somewhere about SetForegroundWindow, GetForegroundWindow, GetSystemMetrics)
- bobsobol (for his interesting posts that helped me to understand PT code)
- Me (for writing tutorial and adding WindowMode to new KPT client)
- many others who think that they have anything to do with this code ;-)

"This is a free tutorial: files used here are not for sale, rent, or auction"
"If you bought this, you have been scammed"
:laugh:

ENJOY!!!!11
 

Custom Title Activated
Loyal Member
Joined
May 26, 2007
Messages
5,545
Reaction score
1,315
Hmm... Nice to see others taking up the gauntlet.

This guide seems reasonably easy to follow, considering what is required... however, I have made WindowMode available to players (non-GM) without adding code using the QuantumFusion client... so I suspect this is doing more than is strictly necessary.

I've just skimmed this tutorial for now, but I don't see why it's easier to search for references with IDA than Olly v2, provided it is configured correctly.

IDK how you feel, but if you use the DLL method I mentioned (you can add a DLL import reference with CFF really easy BTW :wink:) new code addresses don't matter (dynamic) and new sections aren't necessary. Internal addresses (to call out from) can usually be found with the search for sequence of commands as you have shown... especially if you use Olly's wildcards for Byte, Word, DWord, Quad Register / memory addresses.

I'll take some time to try and follow this through as you say... but it looks like you are doing the right things, taking a slightly different approach to the one I took. Usually this means we can combine the best of both, so I'll let you know if I find easier / more complete methods as I go through. My way didn't maximise the window (for example) but it didn't add new code either, I just replaced what was already there.

Extra special thanks for your first tutorial... this is what I always wanted RZ to be. GZ on crediting your predecessors, and leveraging links to other tutorials here. Provided we don't alienate the authors so much they take their tutorials down, this is the best way to "grow" the information resource.

Well done.
 
Custom Title Activated
Loyal Member
Joined
Jan 28, 2009
Messages
1,320
Reaction score
616
Thx,

I must try your way of adding code via .DLL, but when I was hooking some functions in PT before, my code slowed a bit; also in game I was getting a bit more LAG, nothing to worry about, but with more players it could be bad.

I hooked GetActiveWindow and GetForegroundWindow before and PT never "slowed down" when some window jumped in front of you; it was still as fast as if you were in the PT window... but PT was starting in like 20 sec. That's why I gave up on hooking. Now PT starts in less than 1 sec. (no window "focus" hooking yet, but maybe I will add this to PT one day)


The reason why I like IDA better (only for analyzing) is:

[screenshot attached]

VS

[screenshot attached]

In complex functions I can see what is writing to what, I have a fast preview if I put the cursor over anything, and IDA shows me pseudocode, so it helps me get WTH!!1, but IDA is bad when it comes to assembling: you have to generate .dif files, then patch the .exe with them. :thumbup1:
 

Custom Title Activated
Loyal Member
Joined
May 26, 2007
Messages
5,545
Reaction score
1,315
Looks like IDA changed a lot since I last used it. I was just disassembling to source, and then rebuilding the executable with a fresh Assemble, Link build process. Resource sections were always lost, and loads of stuff had to be done by hand, because IDA didn't understand them. It couldn't "edit" the executable like Olly can.

But patch files are good, and you may have noticed I create patches for source executables. A binary differencing program which can patch multiple sources to a single destination is good, and I've read of Reversers using a patch-maker which can hunt for instructions at any location in the code and make a patch, which would be awesome, as you could make a patch that would work on anyone's game.exe. What I tried needed you to write a program in the patch-maker's own mini-language and I couldn't get it specific enough not to patch places that were wrong, but loose enough not to miss the patch on some versions.

I can see I'll have to play with newer versions of IDA. Your screenshot looks awesome for deciding on logical label names to give to routines in the code. I often start out giving a routine a cursory name like Sub_DDrawInit, and then find out that the actual DDraw initialisation is in another sub-routine, and the one I called Sub_DDrawInit is setting up the Window, calling the DirectDraw initialisation, calling another routine which creates a surface, and another to create a back buffer, then applying a callback for frame buffer swapping and attaching the surface to the window it created. XD So my initial name is still correct, but too general in the context of all the other routines involved.

As for slowing the game down... if you only replace or remove code, it shouldn't slow down. But depending on the OS, the frame rate will drop when the window is not active, because of the way Windows allocates CPU time. You will notice that you can "Optimize processor time" for "Applications" or "Background Services", the default being Applications on a Workstation (or consumer) version of the OS, and Background Services for Server versions... but if you have two CPU intensive windows running (command lines running a big zip or something) and watch the task manager while you switch active windows, you will also see that the one the user is actively interacting with usually gets the lion's share of the CPU time.

Before Vista's DWM (and when it is turned off by PT) the fast frame buffer surfaces don't work if they are not the foremost window either, which makes rendering the frames slower. It shouldn't affect the network communication and AI though. (meaning you shouldn't get more timeouts and resends from it)

If you dynamically load and unload your DLL during game time, that will be bad. XD It's a slow process. But since I include it as an import to go with the PE, that slow loading happens before the game starts up, and never again. If you needed to choose (load a DLL if it's there and carry on if it's not) you should do so during the initial start-up, during the first IDB_LOADIMG splash or something. Of course you should also unload your DLL before quitting too, but I've not seen a "clean exit" routine in game.exe, it just finds process 0 and kills it. XD Oh well, so long as you are not on Win9x the kernel will take care of it for you. In Win95 & 98 this left the DLL in memory taking up space that is never used, and that's why you had to keep rebooting your PC every now and then as it got really slow.

Double post alert! I'm afraid nobody has commented since I last did. :(

I started trying to work through this and became confused and stuck... here are my notes...

I'm glad you chose to make two new sections and set their flags. Note, if people use this method it becomes harder to patch code with injection (not impossible). If people place level or item tables in a new section, it should not be "writeable" to achieve the same kind of hampering.

Strictly speaking, if you add code to an executable, but not writeable section, or a constant data table in a read only section, if a DLL attempts to modify it the kernel will flag up an illegal operation / instruction application failure. So now you know what Windows means when it says that. XD There are APIs that a DLL can use to change the securities in these sections at run-time, but it's a lot more work for the "would be" hacker, and if you are clever, you can check these section protections before allowing "game save" (or similar) and spot if injection has broken those securities. Then the injection code will have to disable that as well.

How far you choose to go with that is up to you, it all adds code and slows down operation. For example, you could check the securities on every frame update to catch cheaters quicker, but that will slow down game play considerably. If you are really keen (and I have researched this enough to be able to do it yet) you can carefully manipulate the SEH (Structured Exception Handler) of your game.exe, so that "illegal instruction" or "illegal memory access" is handled by your code before the kernel shuts your application down, so you could use that to send a hacking report to your server, or reconfigure a fake environment for your hacker to have fun trying fruitlessly to patch. Anything to slow them down or wind them up right? I would be tempted to get game.exe to upload the DLL they are trying to inject to my server, or somewhere else I can get at it so I can see what exactly they are trying to do. :wink:

- go to newly created section (Ctrl+G), in my case address is 044C5000
The "newbie" way of showing this is to open the memory window ('M' on the toolbar), which shows the address that .NewCode is loaded in to. Ctrl+G is a nice shortcut for those that know what they are doing. (as per Zaharas' comment)

if you are removing NOPs remember to fix offsets in your game.exe, all game.exe's have NOPs between functions and you will see that will help us soon
also note that some CPUs execute JMP & CALL instructions faster if the destination is "aligned" to DWord addresses. 0x044C5014 is, 0x044C503D is not. Anything that ends in 0, 4, 8 or C is, 1, 2, 3, 5, 6, 7, 9, A, B, D, E and F are not. This is only noticeable if you are calling more than 5 or 6 times a second, and becomes more noticeable the more often the call is made. It's also only true of some CPUs. There is a difference between AMD and Intel, and to a lesser extent between model and stepping numbers of the same manufacturer.

Real noobie guide. (extraneous information which can confuse removed)
Ctrl+G -> 044C5014 -> Assemble
Code:
movsx eax,word ptr [44C600B]
cmp eax,1
je short 044C5026
mov eax,[8E09E8]
ret
neg eax
ret
line by line.

Ctrl+G -> 044C503D -> Assemble
Code:
mov eax,[5F93A0]
push 044C6000
push eax
push 80000002
call 00554520
add esp,0C
test eax,eax
je short 044C5075
push eax
call 005B344C
add esp,4
cmp eax,1
jne short 044C5075
mov word ptr [44C600B],1
mov eax,[5F93A0]
jmp 004362A0
line by line.

Note that there are some aspects of Olly's disassembly dump that Olly can't assemble in quite that form. If you changed the name of game.exe then game.[address] won't assemble. But without the game. prefix, Olly will see that the module is the main executable.

The various segments and such are not important in Win*** and my Olly can't assemble a line that includes them, though it can show them in the disassembly list. DS: as the program is built to the Win32 standard "flat" model all data is referenced as DS, and DS, BS, CS, ES are all equal and all 0. My list shows "ret" instead of "RETN"... case is irrelevant, RETN is a "Near" return, but in the "flat" model all returns are "near". Olly can Assemble RET or RETN, they are exactly equivalent.
The "n" postfix is a hangover from DOS/16-bit programming where your sub-routines were in the ES (extra segment) with all addresses offset by its base, and your main code was in the CS (code segment) with their addresses offset by its base. You could RETN (without re-calculating the base offsets) if your subroutine was only ever called by another routine in the same segment... so the base offset hasn't changed. Again, in flat model, CS, DS, BS & ES are all 0 all the time in Win32. It's Intel strangeness, because ia32 and x64 processors are backwards compatible right back to the 8080 8-bit CPU, most commonly used as an alternative to Zilog's Z80 for CP/M systems... Most other CPU manufacturers change the entire instruction set when they upgrade address and bus space. This has made the Intel architecture very successful, but it means they have to fill the CPU with instruction sets, and models which are never used. The BIOS boots in 16-bit mode, the OS kernel jumps that mode to 32-bit (unless your OS is DOS or MINIX, in which case you are limited to jumping to Enhanced, Protected or Extended mode with an extender like HiMem.sys, EMM386.sys or some DPMI extender like DOS4G(W), HX DOS or CWSDPMI etc.) once you are in 32-bit mode, concepts like base segment offsets (to get 640 Meg out of a 16-bit address space which can normally only see 64K) near and far jumps and calls are meaningless.
Okay, history lesson over, and since Olly only debugs Win32 programs, why does it list these things? Only because it defaults to MASM syntax for its display list, and the Microsoft Assembler (M-Asm or MASM) is a 16-bit DOS assembler which MS stuck 32-bit extensions on to allow it to build Win32 executables for Visual Studio. MASM still thinks in DOS terms, so MASM is at fault for this archaic nonsense. XD You can configure Olly not to list a lot of it (as I do) and some of it confuses Olly when you are assembling. Olly will add "Short" to many JMP statements if it is possible to, so you can leave those out. I will also mention that Olly can't assemble [Arg1] etc, it requires the [ESP+4] style writing, and will update the listing to [Arg1] after you run the analysis again. I always clean up these things in Olly's "Copy as table" listings before posting, and you can achieve a lot of it with Olly's "options" window, but not all.

Don't tell people to input ASCII as Assembler! Please? That is WAY too confusing, and Olly can't Assemble "PREFIX FS:" anyway, it's a broken and illegal instruction when interpreted as a code listing. Instead, select the dump below the listing for the .NewCode section, and Ctrl+G -> 044C6000 from there. Tap Ctrl+E to binary edit, move to the top edit-box (ASCII) and type "WindowMode" before clicking OK.

You can press Ctrl+S and search for sequence of commands:
No, I can't. I can right click and "Search for" -> "Sequence of commands..." but Ctrl+S does nothing noticeable. XD (IDK why, different version of Olly maybe?)

The sequence:-
Code:
SUB ESP,44
PUSH EBX
PUSH EBP
PUSH ESI
MOV ESI,DWORD PTR SS:[ESP+5C]
PUSH EDI
MOV EDI,DWORD PTR SS:[ESP+58]
is not found anywhere in the block. Again, this is down to being specific about the section offsets, so the following code is found easily:-
Code:
SUB ESP,44
PUSH EBX
PUSH EBP
PUSH ESI
MOV ESI,DWORD PTR [ESP+5C]
PUSH EDI
MOV EDI,DWORD PTR [ESP+58]
This should work whether you list the default segments or not.

This code section confused even me:-
Code:
004165EF  |. A1 F4098E00    MOV EAX,DWORD PTR DS:[8E09F4] <-fixed
004165F4  |. 8B35 EC098E00  MOV ESI,DWORD PTR DS:[8E09EC] <-fixed
004165FA  |. 8B2D F0098E00  MOV EBP,DWORD PTR DS:[8E09F0] <-fixed
00416600  |. A3 C88D5F00    MOV DWORD PTR DS:[5F8DC8],EAX <-fixed
00416605  |. E8 0AEA0A04    CALL game.044C5014 <-fixed <-red
0041660A  |. 33DB           XOR EBX,EBX
0041660C  |. 83C4 04        ADD ESP,4
0041660F  |. 3BC3           CMP EAX,EBX
00416611  |. 8935 C08D5F00  MOV DWORD PTR DS:[5F8DC0],ESI <-fixed
00416617  |. 892D C48D5F00  MOV DWORD PTR DS:[5F8DC4],EBP <-fixed
0041661D  |. A3 44C25F00    MOV DWORD PTR DS:[5FC244],EAX <-fixed
00416622  |. 90             NOP <-red
00416623  |. 90             NOP <-red
00416624  |. 90             NOP <-red
00416625  |. 90             NOP <-red
00416626  |. 90             NOP <-red
First confusion is that the first few lines are the same... and only what I've highlighted in red is different.

Second problem is that I can't possibly assemble only 5 NOP instructions in that area because the first two replace "jne short 0041663A" and the next six will replace "mov ebp,[5C32C4]" (or "mov ebp,[<&User32.GetSystemMetrics>]" as it shows in my disassembly). So I can NOP twice or 8 times, but not 5.

Now since the instructions following that are the other parameters to GetSystemMetrics() I presume that twice would be better. Especially as we are going to call EBP later on, and I would think that calling the address pointed to by the memory location 5F8DC4 (000001E0) will be very very bad. :eek:

Looking at all of that, you are no longer making the Jump if not Zero, so you can stop CoMParing EAX to EBX. The result of the comparison will be lost in the GetSystemMetrics() call anyway?

You can't Assemble the line "CALL <JMP.&DSOUND.#1>" in Olly either. If you give it the right address it will then list it as "<JMP.&DSOUND.#1>", but you already told us to NOP the code which had that address in. XD

And that's as far as I got.

Biggest problem is that I don't understand what I'm trying to achieve by what I'm doing. I guess it all becomes clear towards the end, but it is hard to work through when you are following blindfold. Any issues or difference in my experience compared to yours I can't work around because I don't yet know what this action is supposed to achieve.

So there is definitely room for improvement, and I hope you wont take that too hard. You can see I re-read and re-write whole sections of my Tutorials many times over... and then add or re-write sections as I get feedback from people.

The human mind is a very creative thing, and each one of us perceives something different in information as we read it. One has to take ones hat off to "in a nutshell" authors, because writing something almost everyone understands is very, very hard. :wink:
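The section-flag point made earlier in this post (code in a section that is not writeable, constant tables in a section that is not executable) can be audited offline by reading the PE section table, before CFF Explorer or anything else has to be trusted. The C program below is an added example written for this thread, not code from the guide or from any PT client. It builds a constructed, minimal PE image in memory (a test fixture, not a real game.exe) whose section names mirror the guide's .NewCode and .NewData, parses the section headers, and reports every section whose characteristics carry both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE. The constant names and header layout come from the PE/COFF specification; the flag values given to the sample sections are assumptions, with .NewCode deliberately left writeable so the check has something to catch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section characteristic bits from the PE/COFF specification. */
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_READ    0x40000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u
#define MAX_SECTIONS 16

typedef struct {
    char name[9];             /* 8-byte section name, NUL-terminated here */
    uint32_t characteristics; /* the bits CFF Explorer shows as "section flags" */
} pe_section;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk the section table of a PE image held in memory.
   Returns the number of sections copied to out, or -1 if the headers do not fit. */
int pe_read_sections(const uint8_t *img, size_t len, pe_section *out, int max_out) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe_off = rd32(img + 0x3c);                       /* e_lfanew */
    if (pe_off > len || len - pe_off < 24) return -1;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = img + pe_off + 4;
    int nsec = rd16(coff + 2);                                /* NumberOfSections */
    size_t sec_tab = (size_t)pe_off + 24 + rd16(coff + 16);   /* skip SizeOfOptionalHeader */
    if (nsec > max_out) nsec = max_out;
    for (int i = 0; i < nsec; i++) {
        size_t off = sec_tab + (size_t)i * 40;                /* IMAGE_SECTION_HEADER is 40 bytes */
        if (off > len || len - off < 40) return -1;
        memcpy(out[i].name, img + off, 8);
        out[i].name[8] = '\0';
        out[i].characteristics = rd32(img + off + 36);        /* Characteristics field */
    }
    return nsec;
}

/* Writeable and executable at once: code in such a section can be patched in
   place by an injected DLL without touching page protections first. */
int pe_is_wx(const pe_section *s) {
    return (s->characteristics & IMAGE_SCN_MEM_WRITE) != 0 &&
           (s->characteristics & IMAGE_SCN_MEM_EXECUTE) != 0;
}

/* Build a constructed, minimal PE image: MZ stub, PE signature, COFF header with
   no optional header, then the section table. A fixture, not a real game.exe. */
size_t build_sample_pe(uint8_t *buf, size_t cap, const char *const *names,
                       const uint32_t *flags, int n) {
    size_t need = 0x58 + (size_t)n * 40;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x40);                 /* e_lfanew -> PE signature at 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    wr16(buf + 0x44, 0x14c);                /* IMAGE_FILE_MACHINE_I386 */
    wr16(buf + 0x46, (uint16_t)n);          /* NumberOfSections */
    wr16(buf + 0x54, 0);                    /* SizeOfOptionalHeader = 0 for the fixture */
    for (int i = 0; i < n; i++) {
        uint8_t *sec = buf + 0x58 + (size_t)i * 40;
        size_t l = strlen(names[i]);
        memcpy(sec, names[i], l > 8 ? 8 : l);
        wr32(sec + 36, flags[i]);
    }
    return need;
}

/* Audit the constructed sample: hypothetical flag values, .NewCode left W+X on
   purpose. Returns the W+X count and copies the first offender's name out. */
int audit_sample(char first_wx[9]) {
    static const char *const names[] = { ".text", ".data", ".NewCode", ".NewData" };
    static const uint32_t flags[] = {
        IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE,
        IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
        IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE, /* assumed misconfig */
        IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
    };
    uint8_t img[512];
    pe_section secs[MAX_SECTIONS];
    size_t len = build_sample_pe(img, sizeof img, names, flags, 4);
    int n = pe_read_sections(img, len, secs, MAX_SECTIONS);
    first_wx[0] = '\0';
    if (n < 0) return -1;
    int wx = 0;
    for (int i = 0; i < n; i++) {
        if (!pe_is_wx(&secs[i])) continue;
        if (wx == 0) strcpy(first_wx, secs[i].name);
        wx++;
    }
    return wx;
}

int main(void) {
    char name[9];
    int wx = audit_sample(name);
    printf("W+X sections: %d%s%s\n", wx, wx > 0 ? ", first: " : "", wx > 0 ? name : "");
    return 0;
}
```

The same pe_read_sections walk works on a real file read into memory; the fixture only exists so the example runs without a game.exe. A runtime variant of the check (VirtualQuery over the loaded image before "game save", as the post suggests) needs the Windows API and is not shown here.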
 
Custom Title Activated / Loyal Member / Joined Jan 28, 2009
No, I can't. I can right click and "Search for" -> "Sequence of commands..." but Ctrl+S does nothing noticeable. XD (IDK why, different version of Olly maybe?)

I can... Im using olly 1.10... i have a lot of plugins but i don't change short cuts.

Don't tell people to input ASCII as Assembler! Please? That is WAY too confusing, and Olly can't Assemble "PREFIX FS:"

Yeah i forgot bout this 'cuz i do binary copy all the time.

First confusion is that the first few lines are the same... and only what I've highlighted in red is different.

What can i say... use turbodiff (plugin for IDA) and you will see everything.



As for the rest, at first I was planning to make a release out of it but it would be the same as if I would post some code and did not name functions or add any explanations of what is doing what.

In the end the tutorial was getting larger and larger and I still did not put everything in there so I left it like it is now. For some people it would help find functions I changed to get window mode and I posted the newest KPT game.exe (changed and unchanged) because I know what is keeping people from using the newest KPT game.exe is lack of window mode for users. The KPT client has a lot of fixes and I think it's a good time to move from very old PT clients to new.
 

Custom Title Activated / Loyal Member / Joined May 26, 2007
I agree. Time to change.

I see some updates, so I will try again. :D:
 
Experienced Elementalist / Joined Jan 1, 2009
haha``good job.Vormav .IDA is perfect..but i only like ollydbg..


i have one simple method to make it,but i cannot use english to explain to you,if you are interest in it, i can post you a copy of my game.exe to study..i want to share my skill..hehe..
 
Newbie Spellweaver / Joined Aug 23, 2007
Nice guide again vormav, too bad my knowledge about olly isn't enough to try this out.. I tried some other guides of you but i failed big time there also..

guess i have to study olly, to make things easier for me xD

Liked*
 
Custom Title Activated / Loyal Member / Joined Jan 28, 2009
Nice guide again vormav, too bad my knowledge about olly isn't enough to try this out.. I tried some other guides of you but i failed big time there also..

guess i have to study olly, to make things easier for me xD

Liked*

It's old and not up to today's standards as a tutorial, but if you are trying to do your client window mode the easy way then download D3DWindower, copy the dll and .ini of that app to the PT directory, attach it to game.exe with CFF Explorer and call it at the beginning. It's a hook and not really a good method for window mode in PT but it will add you cool features like an FPS counter on the window frame =P
 
Newbie Spellweaver / Joined Aug 23, 2007
It's old and not up to today's standards as a tutorial, but if you are trying to do your client window mode the easy way then download D3DWindower, copy the dll and .ini of that app to the PT directory, attach it to game.exe with CFF Explorer and call it at the beginning. It's a hook and not really a good method for window mode in PT but it will add you cool features like an FPS counter on the window frame =P

Thanks, i will give that a try xD

Btw i tried another program before (dxwnd), and i could start the game in window mode, but when the game finishes loading i DC when i spawn or a few seconds after

(as far as i know this happens cuz window mode is only for GM)

what makes this program different?
 
Custom Title Activated / Loyal Member / Joined May 26, 2007
Every program of that nature either left me with a DC or an error log telling me my video hardware wouldn't give it a fullscreen resolution it needed so it wasn't going to run at all... but only if XTrap was still running. I've never needed to modify the game to run in a window without XTrap... but some versions are fussy about Are you admin, am I the topmost window, and others aren't.
 
Newbie Spellweaver / Joined Aug 23, 2007
Every program of that nature either left me with a DC or an error log telling me my video hardware wouldn't give it a fullscreen resolution it needed so it wasn't going to run at all... but only if XTrap was still running. I've never needed to modify the game to run in a window without XTrap... but some versions are fussy about Are you admin, am I the topmost window, and others aren't.

Ya well , i test it, and i get after 5-10 seconds dc, after i spawn ingame..

Any1 wanna put me in the right direction for making client window mode?
I've tried a few tuts from different sites, but my knowledge of Olly is way too bad..

maybe i should learn first some easier things with olly, but i have really no clue where to start..

Any help here is appreciated

Thanks
 
Custom Title Activated / Loyal Member / Joined Jan 28, 2009
Ya well , i test it, and i get after 5-10 seconds dc, after i spawn ingame..

Any1 wanna put me in the right direction for making client window mode?
I've tried a few tuts from different sites, but my knowledge of Olly is way too bad..

maybe i should learn first some easier things with olly, but i have really no clue where to start..

Any help here is appreciated

Thanks

You need to change those 3:

SetForegroundWindow
GetForegroundWindow
GetSystemMetrics

D3DWindower has emulation of those so the game should not DC even when you use Xtrap.

You talking about server where you are admin (you can hex your executable)?
I did not play with window mode since I wrote that, can you upload your game.exe I will have a look.
 
Newbie Spellweaver / Joined Aug 23, 2007
You need to change those 3:

SetForegroundWindow
GetForegroundWindow
GetSystemMetrics

Ya i tried those settings but they didn't help much...

You need to change those 3:
You talking about server where you are admin (you can hex your executable)?

Ya, i'm trying to create a server for me and my friends just to have fun.

I did not play with window mode since I wrote that, can you upload your game.exe I will have a look.

I use the ET3 no Xtrap client and server files from trungnt88

I will PM you the game.exe now.

Thank you that you want to take a look
 
Custom Title Activated / Loyal Member / Joined May 26, 2007
Should just be a matter of putting
Code:
*화면모드 창모드
(왕초보가이드) 포장단체주문환영 /0
in the client hotuk.ini and being admin.

The real trick is just not to check that you are admin when creating the window. :wink:
 
Custom Title Activated / Loyal Member / Joined Jan 28, 2009
Should just be a matter of putting
Code:
*화면모드 창모드
(왕초보가이드) 포장단체주문환영 /0
in the client hotuk.ini and being admin.

The real trick is just not to check that you are admin when creating the window. :wink:

It need to look like this:

Code:
MFC40.DLL Copyright-2002 /0
#Copyright-2002 Copyright-2002 Copyright-2002 ^^
#망사똥꼬팬티속깜장개미 망사똥꼬팬티속깜장개미 망사똥꼬팬티속깜장개미 ^^
*화면모드 창모드
(왕초보가이드) 포장단체주문환영 /0
To even start my kPT :p:

And I am still admin, need more modifications XD

But as he said he's bad with hexing and stuff so I sent him back his OTP.exe modified to use dxwindower and the less CPU load option =P
 
Custom Title Activated / Loyal Member / Joined May 26, 2007
MFC40.DLL Copyright-2002 /0

Never needed in anything but EPT

And anything that starts # or // is ignored. So I have NO idea what you have done to your KPT. XD

dxwindower was a good call. It worked as well for me as PT under Wine. :(:
 
Custom Title Activated / Loyal Member / Joined Jan 28, 2009
MFC40.DLL Copyright-2002 /0

Never needed in anything but EPT

And anything that starts # or // is ignored. So I have NO idea what you have done to your KPT. XD

dxwindower was a good call. It worked as well for me as PT under Wine. :(:

A bit strange but yes it will not start unless I add those lines O__o

PT worked under Wine for you? When I first started PT under wine I thought that my PC was back in Pentium Pro times ;)
 
Newbie Spellweaver / Joined Aug 23, 2007
ya vormav did fix the client for me so i can use the DxWnd to play window mode

First i had a problem with the chat function.

The screen went down when you press enter and when you press enter again it went good again.

What i did was exactly what bobso & vormav told above this post only with BR hotuk client sided

Code:
//janela
*È­¸é¸ðµå ¼­¹ö¸ðµå

Or better said

Code:
//janela
*화면모드 서버모드


after i put these in the client the screen didn't pop down anymore
 