removing a check in the maplestory client (v83)

Experienced Elementalist
Hello everyone,

I want to remove a certain check in the maplestory client, the "You're lacking Level x Skills" popup when you still have to distribute sp in a previous class (see attachments for screenshot)

I'm certain this is handled in the client and not the server (it never even reaches DistributeSPHandler). So there is no workaround server sided.
I know there are ways to remove stuff like this. I have used Olly before to "implement some hacks" before, but I have no idea how to find these addresses myself.

If someone could explain how that is done or just tell me what addresses I need to look at + what to change I would be eternally grateful!
It is for v83.

Thanks in advance!
Junior Spellweaver
This feels like a scenario where I'd follow these steps.

Whenever I need to edit some particular client feature that I have no clue where to find, or if I'm too lazy to trace all the way from the opcode, there are a few steps I perform:

- Get ingame, perform the action you're interested in modifying, see if any special text messages show up (in the case of NX dropping, "You can't drop this item").

- Search for that string in STREDIT:
[screenshot]


- In IDA, search for occurrences of that particular string ID:
[screenshot]


- The client picks a string to show on screen by passing the string ID to a function. This is done via a push [stringID] instruction, so, among the results of the previous IDA search, you'll need to check for that. Usually there's only one or two, especially when the string ID is a very specific one (as in, ID 2195 will give you a lot less unrelated results than ID 1000).

- Once you're at this point, it's a matter of finding where the check you want to modify is. It's gonna be a conditional jump, as that's the most common way in which if or switch constructs are translated, so run tests with OllyDBG by putting breakpoints on the jumps (only the conditional ones: JMP <address> is always taken, so that won't be of any use to you) right before the string ID push instruction.
Test in different situations (in your case, both with droppable and non droppable items), check where the differences are (OllyDBG tells you whether a conditional jump is being taken or not, during breakpoint analysis), and you can then try to edit to get your desired outcome.

Although that example was for droppable items, it applies to your case as well, with a few modifications:

- In STREDIT, you'll need to search for Content LIKE '%lacking%'. This is because Nexon decided that, in the case of 4th job skill points, the error message was gonna be "You are lacking" instead of "You're lacking", so using more keywords in your search would exclude that.

- Once you've got the string IDs, you can search for them in IDA as shown in the example above (they're close to each other, so you'll just need to search for one and you'll find the other two as well).

- Now that you found the area, look for conditional jumps (hint: pseudocode in IDA makes your day a lot easier for this. Pressing Tab from the main instructions window will translate the current function in pseudocode). You might wanna use OllyDBG to test edits to these jumps, I'm assuming you already know how to edit and breakpoint in there.

Good luck. c:
Experienced Elementalist
First of all, thanks a lot for the answer, wasn't expecting too much tbh :D

Now a very noob question: how do I open v83.idb (downloaded from sunnyboy's library of idb's)?
I have downloaded IDA 7.0 freeware and opened the program, but I can't seem to open the .idb file.

On sunnyboy's thread it mentions idag.exe, but I do not see such an application, just ida64.exe.
Junior Spellweaver
Mmm, you might wanna look into getting the full version 6.1; you should be able to find it in this thread, one of the reuploads in the latest posts there should still be up.

You'll be able to open the IDB file by using idag.exe that's in there (the 64bit version seems to have some issues, so you should use the 32bit one in any case).
Experienced Elementalist
The link in that thread was dead, but I got another working one now.
I seem to be stuck on the last part: I've found the push in IDA, but to be honest I have no clue what to do now.
I've opened OllyDbg and I've found the address of the push, and I see the JMP right beneath it like in IDA.

IDA:
[screenshot]


OllyDbg:
[screenshot]
Junior Spellweaver
That's not a conditional jump though: JMP is always taken regardless of the current register values.

You're gonna need to look for the condition that allows for regular SP assignment (aka with enough skillpoints in the previous jobs) to skip that message.

[screenshot]


As you can see in the picture, there's a JL ("Jump if lower") right above the string ID pushing: this means that, if EBX is lower than EAX when the comparison at address 8AD15F is performed, you won't be shown that message.

Since you want this to happen also when the message window would be shown (that is, judging by the conditional, when EBX >= EAX), your best bet is to change that JL 008AD224 into JMP 008AD224.
You're gonna need to look for this same situation for the other two error messages as well (for 3rd and 4th jobs).


EDIT: if I were you, I'd right-click in the OllyDBG window > open the bottom menu "Appearance" > "Highlighting" > select "Jumps n Calls". It makes it a lot easier to identify different jumps, as conditional jumps will receive a red font color. c:
Experienced Elementalist
Everything you say seems logical and I seem to understand it myself, which is why it's weird to me that it doesn't work when I change the JL to JMP. It still does the same in game, as if nothing has changed.

[screenshot]


When I change the JL to JMP it puts a NOP on 008AD168; I don't know if that's bad or not tho.

As the red line on the side indicates it goes all the way down to 008AD224 which should mean it works, right?
Junior Spellweaver
Actually, you haven't changed the checks for the 2nd job skillpoints yet: you're currently looking at the portion that pushes string ID 0DB5, aka 3509 in decimal; you'll need to do the same for string IDs 0DB6 and 0DB7. Specifically, 0DB6 (3510) is the one that checks whether you put points in the 2nd job skills:

[screenshot]

(from STREDIT)

There'll be two other portions of code similar to the one you edited, either above or below that, so you can modify those in the same way.


When I change the JL to JMP it puts a NOP on 008AD168; I don't know if that's bad or not tho.

As the red line on the side indicates it goes all the way down to 008AD224 which should mean it works, right?

The NOP is required. Keeping in mind that we'll always want to preserve the number of bytes at any position in the code, we can look at the jumps; between the address and the instruction columns, in Olly, there's a column that shows you the bytes that compose each operation:

JL 008AD224 = 0F 8C BB 00 00 00
JMP 008AD224 = E9 BC 00 00 00

Since this JMP instruction is one byte shorter, an extra NOP ("No operation") is appended at the end.

And yes, the red line means that the latest debug followed that jump. c:
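As an added illustration (not code from the thread), the displacement arithmetic behind those two byte sequences, in Python: it decodes both encodings from the quoted bytes, rebuilds the 6-byte JL as JMP + NOP with the same target, and includes a tamper-check helper of the kind an integrity scanner would use to flag a conditional jump that has been rewritten as an unconditional one. The instruction address 0x8AD163 is an assumption derived from the quoted displacements (0x8AD224 - 0xBB - 6); the other opcodes in the table are standard x86 Jcc rel32 encodings.

```python
import struct

# Constructed from the byte sequences quoted in the post above:
# JL 008AD224 = 0F 8C BB 00 00 00 and JMP 008AD224 = E9 BC 00 00 00.
# The address they sit at is assumed: 0x8AD224 - 0xBB - 6 = 0x8AD163.
JL_BYTES = bytes.fromhex("0F8CBB000000")
JMP_BYTES = bytes.fromhex("E9BC000000")
INSTR_ADDR = 0x8AD163

# Second opcode byte of the two-byte 0F 8x conditional jumps with a rel32 displacement.
JCC_REL32 = {0x8C: "JL", 0x8D: "JGE", 0x8E: "JLE", 0x8F: "JG", 0x84: "JE", 0x85: "JNE"}


def decode_jump(addr, code):
    """Decode a JMP rel32 (E9) or Jcc rel32 (0F 8x) located at `addr`.
    Returns (mnemonic, target, length). The displacement is relative to the
    address of the *next* instruction, which is why the instruction length matters."""
    if code[0] == 0xE9:
        disp = struct.unpack_from("<i", code, 1)[0]
        return "JMP", (addr + 5 + disp) & 0xFFFFFFFF, 5
    if code[0] == 0x0F and code[1] in JCC_REL32:
        disp = struct.unpack_from("<i", code, 2)[0]
        return JCC_REL32[code[1]], (addr + 6 + disp) & 0xFFFFFFFF, 6
    raise ValueError("not a rel32 jump")


def jcc_to_jmp(addr, code):
    """Re-encode a 6-byte Jcc rel32 as JMP rel32 + NOP with the same target.
    The JMP is one byte shorter, so its displacement is one larger, and a NOP (0x90)
    fills the freed byte so that the following instructions keep their addresses."""
    _, target, length = decode_jump(addr, code)
    if length != 6:
        raise ValueError("expected a 6-byte conditional jump")
    new_disp = target - (addr + 5)
    return b"\xE9" + struct.pack("<i", new_disp) + b"\x90"


def jcc_rewritten_as_jmp(addr, original, patched):
    """Integrity-check view: True when a conditional jump in `original` appears in
    `patched` as an unconditional JMP to the same target followed by NOP padding."""
    o_mnem, o_target, _ = decode_jump(addr, original)
    p_mnem, p_target, p_len = decode_jump(addr, patched)
    return (o_mnem != "JMP" and p_mnem == "JMP"
            and o_target == p_target and patched[p_len:6] == b"\x90")


if __name__ == "__main__":
    print(decode_jump(INSTR_ADDR, JL_BYTES))                     # ('JL', 0x8AD224, 6)
    print(jcc_to_jmp(INSTR_ADDR, JL_BYTES).hex(" ").upper())     # E9 BC 00 00 00 90
```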
Experienced Elementalist
Ok now I feel stupid for being so blind, I thought the 0DB5 was the one I was testing...
It works now! Thanks so much for explaining this and your patience :D
Junior Spellweaver
Anytime c:
It's all just a matter of trial and error in the end, but if you have any other doubts, feel free to ask.