About SOD crown !

Initiate Mage | Joined: Jun 21, 2012 | Messages: 4 | Reaction score: 0
I'm trying to edit the attributes of the SOD crown, like +1 speed, to add HP or attack power, but I don't know where to start o_O. Please help me with an idea. Thanks for reading!
 
Initiate Mage | Joined: Aug 18, 2012 | Messages: 2 | Reaction score: 0
You can try starting here.
Code:
00436367      833D B0A54D03>CMP DWORD PTR DS:[34DA5B0],1

Or you can try here.
Code:
00580E78  |.  83F8 01       CMP EAX,1

Crown of Bellatra

Addresses for MagicPT, correct? Perhaps it does not have the additional correct, but the values begin by ouch.
 
Custom Title Activated, Loyal Member | Joined: May 26, 2007 | Messages: 5,545 | Reaction score: 1,315
@0KaL: This information cannot be verified, and so is not useful.

There is no MagicPT release here, and these addresses do not relate to anything similar I have tried.

Are they client, or server addresses? I presume they are server.
 
Initiate Mage | Joined: Aug 18, 2012 | Messages: 2 | Reaction score: 0
@bobsobol lol? The values are correct, yes! If you understand a little, you know where the counts for SOD are made. The client is only visual; the effects are on the server, and as far as I know on MagicPT the damage is not fixed on the server, or am I wrong? The codes I released are the speed, giving the value +1. I didn't come to say how the speed is made, only to point out where to start.
 
Custom Title Activated, Loyal Member | Joined: May 26, 2007 | Messages: 5,545 | Reaction score: 1,315
Ahh... I see now.

The reason I presumed server-side is because client side addresses are even less useful, as they change even between versions for the same server and, yet again, you have not provided any reference to the source client version.

No, I rarely run Clans, so I did not know that there was any speed difference. However, I can see that this information (while quite possibly correct for you) is pretty useless for anyone who does not have exactly the same setup as you, and you seem unprepared to provide such details as may bridge that information gap. This angers me. :grr:

Again, this is a personal view I am airing, and it's not my place to say that this information is not of some value to someone. However, it is not information in a form I would prefer to see here, simply because of the limitations imposed upon its use.

I would be happy to see it specified that the code needs to be found within the client, and a more complete listing of instructions either side of the offsets in your first response. From that we could search our client for similar code fragments. I would find it most preferable if you gave some information as to how you located these offsets in your client, (the MagicPT client) so we could attempt a similar process in our client. But, you chose to provide offsets for a client we do not have available to us here, and cannot easily find in a more general English web search.

All links related to MagicPT either lead to RaGEZONE posts, or
--- EDIT ---
Possibly OTT, but the concealed technical exposé in represents what I consider useful information.

Address offsets, which can often be misinterpreted and are usually *very* specific to one particular setup are stripped for those very reasons. Even so, the quoted code comes from the most commonly available, and most used executable.

Second best would be QuantumFusion 187x, and when I use my client, I link to a download for it.

As much other information is provided as practical, to make the reader's search simple, rather than the alternative which simply allows the writer to brag. :eek:tt1:
---/EDIT ---

What files I do have for MagicPT, I was made to promise not to share or discuss. If I am not allowed to discuss developing these files, I do not see why you should discuss a development which could apply to any client in terms which are only useful on those same, "not for development or modification" files. :eek:tt1:

I will not break my oath. It is possible that the files I was passed in private contain information which is more sensitive than other "releases". But if so many other people are developing these files in public, I wish someone would tell us where the publicly available and usable files may be found. Either that, or stop dangling them in front of our noses and out of reach of our teeth! :lol:

That said, I hope Raxthu finds your post useful, and less insulting and annoying than I do. :wink:
 
Custom Title Activated, Loyal Member | Joined: May 26, 2007 | Messages: 5,545 | Reaction score: 1,315
I'm sorry... could you miss the point any more, jvfl? WE DON'T HAVE MAGICPT!!!

So, let's try on a different client... say, Majesty as that's the closest release we have, that we could try:-
Code:
00436364 test eax,eax
00436366 je short 0043637A
00436368 push 5C71AC                                      ; ASCII "true"
0043636D push eax
0043636E call esi
Not there.
Code:
00436364 test eax,eax
00436366 je short 0043637A
00436368 push 5C71AC                                      ; ASCII "true"
0043636D push eax
0043636E call esi
Nothing useful there either.

Right.... let's try the old faithful 1872...
Code:
0043635B mov eax,[8C901C]
00436360 cmp eax,32
00436363 jge 00436645
00436369 lea ecx,[esp+10]
0043636D shl eax,6
Not even close... next,
Code:
00580E74 push esi                                         ; /Arg3
00580E75 push offset KPT1872(NoXTrap).005E57F4            ; |Arg2 = ASCII "szDeleteChaSecessionFinish"
00580E7A push offset KPT1872(NoXTrap).0340B178            ; |Arg1 = KPT1872(NoXTrap).340B178
00580E7F call 0057FB50                                    ; \KPT1872(NoXTrap).0057FB50
Interesting, but utterly unrelated... are you starting to see how pointless those offsets are without the correct executable to look at them in?

Fine, let's ignore the address offsets.

Let's try the search method I mentioned. We only have one command to go on, and we know the addresses provided are useless to us, so the most descriptive search we can use is "CMP DWORD PTR [CONST],1" So we have some choices:-
Code:
0040153E cmp dword ptr [6E53E4],1
0040153E cmp dword ptr [6E53E4],1
0040911F cmp dword ptr [5F1A1C],1
00409240 cmp dword ptr [5F1A1C],1
00410B43 cmp dword ptr [5F1DC4],1
00411CD9 cmp dword ptr [33C7E64],1
004167DC cmp dword ptr [8C9254],1
0042BC0B cmp dword ptr [71EBA0],1
0042E726 cmp dword ptr [8C4D54],1
0043E916 cmp dword ptr [90221C],1
00473404 cmp dword ptr [30CF860],1
00478F85 cmp dword ptr [30873F0],1
004790EC cmp dword ptr [310F7CC],1
0047944B cmp dword ptr [310F7CC],1
0047C6F4 cmp dword ptr [30874D0],1                        ; Default case of switch KPT1872(NoXTrap).47C5CA
004835A0 cmp dword ptr [30916E8],1
00487F09 cmp dword ptr [30916BC],1
0048811B cmp dword ptr [30916C0],1
0048A76D cmp dword ptr [30D006C],1
0048B2AF cmp dword ptr [30D006C],1
0048D720 cmp dword ptr [30CE390],1
0048F755 cmp dword ptr [30CB470],1
004966D9 cmp dword ptr [30D0154],1
00496923 cmp dword ptr [30CF4D8],1
004969A6 cmp dword ptr [30CF4D4],1
00496E94 cmp dword ptr [30CF4D8],1                        ; Default case of switch KPT1872(NoXTrap).496C74
004982AF cmp dword ptr [30CF898],1
0049C396 cmp dword ptr [30CFFD8],1                        ; Case 4 of switch KPT1872(NoXTrap).49C336
0049E697 cmp dword ptr [30CFFDC],1                        ; Default case of switch KPT1872(NoXTrap).49E44B
004A4EF5 cmp dword ptr [308742C],1
004A6986 cmp dword ptr [310F860],1
004A77D0 cmp dword ptr [310F7CC],1
004A7B4B cmp dword ptr [310F7CC],1
004B07C0 cmp dword ptr [310F7CC],1
004C391B cmp dword ptr [313F010],1
004C7DEF cmp dword ptr [313EF88],1
004DEB80 cmp dword ptr [32C1E68],1                        ; KPT1872(NoXTrap).004DEB80(guessed Arg1)
004DF6B0 cmp dword ptr [32C1E68],1                        ; KPT1872(NoXTrap).004DF6B0(guessed Arg1)
004DF700 cmp dword ptr [32C1E68],1                        ; KPT1872(NoXTrap).004DF700(guessed void)
004DF7B0 cmp dword ptr [32C1E68],1                        ; KPT1872(NoXTrap).004DF7B0(guessed void)
004DF7D0 cmp dword ptr [32C1E68],1
004EB1B6 cmp dword ptr [71A59C],1
004EB400 cmp dword ptr [71A59C],1
004ED560 cmp dword ptr [71A59C],1
004ED784 cmp dword ptr [71A59C],1
004ED9DD cmp dword ptr [71A59C],1
004EDC28 cmp dword ptr [71A59C],1
0050A603 cmp dword ptr [6D9BD8],1
0050EB65 cmp dword ptr [32D03B8],1
0055DC47 cmp dword ptr [33BF1E8],1
0055E3AC cmp dword ptr [3382280],1
00573CAC cmp dword ptr [3444428],1                        ; Case 14 of cascaded IF KPT1872(NoXTrap).573C9E
0057EF79 cmp dword ptr [3448DA8],1
0057F1A0 cmp dword ptr [3448DA8],1                        ; KPT1872(NoXTrap).0057F1A0(guessed Arg1,Arg2,Arg3,Arg4,Arg5)
005802BA cmp dword ptr [34EA7E8],1
00589270 cmp dword ptr [39EE3D0],1
00592035 cmp dword ptr [6E49A0],1                        ; Default case of switch KPT1872(NoXTrap).591F9E
005920F2 |cmp dword ptr [6E49A0],1
0059A551 cmp dword ptr [6E49A0],1
0059A875 cmp dword ptr [6E49A0],1
005AC77D cmp dword ptr [43F0200],1
005AD0EE cmp dword ptr [6E49A0],1
005ADD28 cmp dword ptr [6E49A0],1                         ; KPT1872(NoXTrap).005ADD28(guessed Arg1)
005ADD51 cmp dword ptr [6E49A0],1                         ; KPT1872(NoXTrap).005ADD51(guessed Arg1)
005AE226 cmp dword ptr [6E49A0],1
005AE978 cmp dword ptr [43EFB28],1                        ; KPT1872(NoXTrap).005AE978(guessed Arg1)
005AEA6F cmp dword ptr [43EFB28],1
005AEEFD cmp dword ptr [6E49A0],1
005AF224 cmp dword ptr [6E49A0],1
005B1031 cmp dword ptr [6E49A0],1
005B272D cmp dword ptr [6E49A0],1
005B3048 cmp dword ptr [6E49A0],1
005B30CE cmp dword ptr [6E49A0],1
005B3179 cmp dword ptr [6E49A0],1
005B339F cmp dword ptr [6E49A0],1
005B340E cmp dword ptr [6E49A0],1
005B34B3 cmp dword ptr [6E49A0],1                         ; Default case of cascaded IF KPT1872(NoXTrap).5B3486
005B391E cmp dword ptr [6E49A0],1
005B3979 cmp dword ptr [6E49A0],1
005B3A4B cmp dword ptr [6E49A0],1
005B3A8D cmp dword ptr [6E49A0],1
005B5704 cmp dword ptr [6E4994],1
005B5839 cmp dword ptr [6E4994],1                         ; Case 0 of cascaded IF KPT1872(NoXTrap).5B5830
005B6BA1 cmp dword ptr [6E4994],1
005B6C1F cmp dword ptr [6E4994],1
005B7351 cmp dword ptr [6E49A0],1
005B7399 cmp dword ptr [6E49A0],1
87 choices to be precise. Now... that's the less common command, I really don't fancy searching for all instances of "CMP EAX,1". :(:

*I* assume that nobody here has any files which I can't easily get a public link for. Also, if the files I'm referencing aren't "as common as dirt" I provide a link to where they may be obtained. That seems like a fair assumption because, although it may be incorrect, it would be unfair to assume otherwise when that is just as likely to be incorrect. Do you see?

With that in mind, there is not enough information here for someone who knows how to use Olly, is reasonably familiar with the code and understands x86 assembler to have the foggiest idea what to do with this information. (I would know what to do with it if I had the MagicPT client, but remember I'm assuming I don't)

That's not fobbing off n00bs, that's just plain rude to everyone! It says "To join this club and be worthy of me speaking to you, you must have l33t friends who share secret files with you and nobody else." Do you see how freekin' rude that is now? Do you get it?!!

If you don't want to share your secret files with us, don't suggest developments we may like to try with them... because we can't. You won't let us! So you aren't giving us anything we can use.

</RANT>

--- EDIT ---
I'm uploading a copy of the client installer I have for MagicPT, since that just came from their website before it was closed. It's massive though, my miserly 30Mb/s connection is going to take 1½ hrs to upload it, and I have to sleep. (need to be up in 4hrs time for work)

--- EDIT2 ---

And thanks to RingZero, who had uploaded to 4Shared below before I was up. :lol:
 
Custom Title Activated, Loyal Member | Joined: May 26, 2007 | Messages: 5,545 | Reaction score: 1,315
Aha! This routine is unique to the MagicPT client.
Code:
00436360 push ebp
00436361 mov ebp,[esi+27C]
00436367 cmp dword ptr [34DA5B0],1
0043636E jne short Label
00436370 add ebp,24
00436373 mov [esi+27C],ebp
00436379 cmp dword ptr [esi+27C],320
00436383 jle short Label
00436385 mov dword ptr [esi+27C],320
Label:
0043638F pop ebp
00436390 cmp [esi+4780],ebp
00436396 jne short 0043639E
00436398 mov [esi+214],ebp
0043639E mov [esi+4788],ebp
004363A4 ret
It is called from what has become the end of the message loop looking at chat input?

In 1872:-
Code:
0042CC25 imul ecx
0042CC27 sar edx,5
0042CC2A mov eax,edx
0042CC2C shr eax,1F
0042CC2F add edx,eax
0042CC31 add edx,edi
0042CC33 cmp edx,150
0042CC39 mov [esi+27C],edx
0042CC3F jle short 0042CC4B
0042CC41 mov dword ptr [esi+27C],150
0042CC4B cmp [esi+4780],ebp
Magic code has been modified to:-
Code:
0042CE25 imul ecx
0042CE27 sar edx,5
0042CE2A mov eax,edx
0042CE2C shr eax,1F
0042CE2F add edx,eax
0042CE31 add edx,edi
0042CE33 cmp edx,320
0042CE39 mov [esi+27C],edx
0042CE3F jle short 0042CE4B
0042CE41 mov dword ptr [esi+27C],320
0042CE4B call 00436360    ; Leads to new routine above

Is this functionality only in Magic? Is that why you referenced that specific client?

More analysis after work, so I'm not late. ^_^ Thanks for the helpful missing piece RingZero.
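As an added example (not code from the thread or from either client), the C below models what the two listings above compute: the shared caller scales a value, adds a base, stores it at [esi+27C] and clamps it to the client's cap (0x150 in 1872, 0x320 in Magic), and Magic's extra routine at 00436360 then adds 0x24 and re-clamps when the global at 34DA5B0 equals 1. The register names are kept as parameter names; the multiplier that lands in ecx and the meaning of edi are not recoverable from the thread and are treated as plain inputs.

```c
#include <stdint.h>
#include <stdio.h>
/* Caps taken from the listings: 0x150 in the 1872 client, 0x320 in Magic. */
#define CAP_1872   0x150
#define CAP_MAGIC  0x320
#define CLAN_BONUS 0x24   /* "add ebp,24" in the routine at 00436360 */

/* imul ecx / sar edx,5 / mov eax,edx / shr eax,1F / add edx,eax: high 32 bits
   of the 64-bit product, arithmetic shift by 5, plus the sign bit so the
   result rounds toward zero (compiler idiom for signed division by a constant;
   the constant that lands in ecx is not recoverable from the thread). */
static int32_t scaled_high(int32_t eax, int32_t ecx) {
    int64_t product = (int64_t)eax * (int64_t)ecx;
    int32_t edx = (int32_t)(product >> 32);      /* arithmetic shift assumed */
    edx >>= 5;                                   /* sar edx,5 */
    return edx + (int32_t)((uint32_t)edx >> 31); /* add sign bit */
}

/* Caller code common to both clients (0042CC25 in 1872, 0042CE25 in Magic):
   [esi+27C] = scaled + edi, then clamp to the client's cap. */
static int32_t store_and_clamp(int32_t *stat_27c, int32_t eax, int32_t ecx,
                               int32_t edi, int32_t cap) {
    int32_t edx = scaled_high(eax, ecx) + edi;
    *stat_27c = edx;
    if (edx > cap)                               /* cmp edx,cap / jle */
        *stat_27c = cap;
    return *stat_27c;
}

/* Routine at 00436360, called only by Magic: if the global at 34DA5B0 (set
   from the parsed "CNFlag=" value) equals 1, add 0x24 and clamp again. The
   pop/cmp tail after Label is the caller's original code and is left out. */
static int32_t clan_bonus_routine(int32_t *stat_27c, int32_t global_34DA5B0) {
    if (global_34DA5B0 == 1) {
        *stat_27c += CLAN_BONUS;
        if (*stat_27c > CAP_MAGIC)
            *stat_27c = CAP_MAGIC;
    }
    return *stat_27c;
}

int32_t stat_1872(int32_t eax, int32_t ecx, int32_t edi) {
    int32_t stat = 0;
    return store_and_clamp(&stat, eax, ecx, edi, CAP_1872);
}

int32_t stat_magic(int32_t eax, int32_t ecx, int32_t edi, int32_t cn_flag) {
    int32_t stat = 0;
    store_and_clamp(&stat, eax, ecx, edi, CAP_MAGIC);
    return clan_bonus_routine(&stat, cn_flag);
}

int main(void) {   /* constructed inputs; ecx = 2^30 scales eax by /4 then /32 */
    printf("1872=%d magic(flag0)=%d magic(flag1)=%d\n",
           stat_1872(100000, 0x40000000, 300),
           stat_magic(100000, 0x40000000, 300, 0),
           stat_magic(100000, 0x40000000, 300, 1));
    return 0;
}
```

The clamp runs twice in Magic, so the +0x24 bonus never lifts a character that is already at the cap; the same inputs that give 336 in 1872 give 800 in Magic regardless of the flag.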
 
Newbie Spellweaver | Joined: Sep 6, 2011 | Messages: 77 | Reaction score: 42
bob, the new routine seems to add values in others.
Example:
add 100 of HP
cmp value, if 1, add 100 more RES.

Or not, it seems to compare a value; if greater or equal, it does not add the value to the char.
 
Custom Title Activated, Loyal Member | Joined: May 26, 2007 | Messages: 5,545 | Reaction score: 1,315
Okay... analyse the other instruction.
Code:
00580E5B |. lea eax,[esp+48]
00580E5F |. push eax                                         ; /Arg3 => offset LOCAL.15
00580E60 |. push esi                                         ; |Arg2
00580E61 |. push offset Magic.005E9D90                       ; |Arg1 = ASCII "CNFlag="
00580E66 |. mov dword ptr [34DA5B0],0                        ; |
00580E70 |. call 0057FA10                                    ; \Magic.0057FA10
00580E75 |. add esp,0C
00580E78 |. cmp eax,1
00580E7B |. pop esi
00580E7C |. jne short Label
00580E7E |. lea ecx,[esp+44]
00580E82 |. push ecx                                         ; /Arg1 => offset LOCAL.15
00580E83 |. call Jump                                        ; 005B10BC \Magic.005B1064
00580E88 |. add esp,4
00580E8B |. mov [34DA5B0],eax
Label:
00580E90 |> pop edi
00580E91 |> add esp,80                                       ; Default case of switch Magic.580CBA
00580E97 \. ret

Jump:
005B10BC \$ jmp Loop                                         ; 005B1064

Loop:
005B1064 /$ push esi                                         ; Magic.005B1064(guessed Arg1)
005B1065 |. mov esi,[esp+8]
005B1069 |. jmp short Skip                                   ; 005B106C
005B106B |> /inc esi
Skip
005B106C |> |movzx eax,byte ptr [esi]
005B106F |. |push eax                                        ; /Arg1
005B1070 |. |call 005B65F0                                   ; \Magic.005B65F0
005B1075 |. |test eax,eax
005B1077 |. |pop ecx
005B1078 |.^\jne short Skip                                  ; 005B106B
005B107A |. movzx ecx,byte ptr [esi]
005B107D |. inc esi
005B107E |. cmp ecx,2D
005B1081 |. mov edx,ecx
005B1083 |. je short Opt1                                    ; 005B108A
005B1085 |. cmp ecx,2B
005B1088 |. jne short Opt2                                   ; 005B108E
Opt1:
005B108A |> movzx ecx,byte ptr [esi]
005B108D |. inc esi
Opt2:
005B108E |> xor eax,eax
Inner:
005B1090 |> /cmp ecx,30                                      ; Switch (cases 30..39, 2 exits)
005B1093 |. |jl short 005B109F
005B1095 |. |cmp ecx,39
005B1098 |. |jg short 005B109F
005B109A |. |sub ecx,30
005B109D |. |jmp short 005B10A2
005B109F |> |or ecx,FFFFFFFF                                 ; Default case of switch Magic.5B1090
005B10A2 |> |cmp ecx,-1                                      ; Cases 30 ('0'), 31 ('1'), 32 ('2'), 33 ('3'), 34 ('4'), 35 ('5'), 36 ('6'), 37 ('7'), 38 ('8'), 39 ('9') of switch Magic.5B1090
005B10A5 |. |je short Exit                                   ; 005B10B3
005B10A7 |. |lea eax,[eax*4+eax]
005B10AA |. |lea eax,[eax*2+ecx]
005B10AD |. |movzx ecx,byte ptr [esi]
005B10B0 |. |inc esi
005B10B1 |.^\jmp short Inner                                 ; 005B1090
Exit:
005B10B3 |> cmp edx,2D
005B10B6 |. pop esi
005B10B7 |. jne short 005B10BB
005B10B9 |. neg eax
005B10BB |> ret
005B10BC \$^jmp Loop

CALL 005B65F0 leads to another largeish routine with another CALL to 005B903B which seems to be wide char string handling with some error handling etc. It's all pretty in-depth, and I want to find the "glue" to a "regular" executable first.

In 1872 the code is here
Code:
0057CF1B |. lea eax,[esp+48]
0057CF1F |. push eax                                         ; /Arg3 => offset LOCAL.15
0057CF20 |. push esi                                         ; |Arg2
0057CF21 |. push offset KPT1872.005E51DC                     ; |Arg1 = ASCII "CNFlag="
0057CF26 |. mov dword ptr [3444500],0                        ; |
0057CF30 |. call 0057BAD0                                    ; \KPT1872.0057BAD0
0057CF35 |. add esp,0C
0057CF38 |. cmp eax,1
0057CF3B |. pop esi
0057CF3C |. jne short Label                                  ; 0057CF50
0057CF3E |. lea ecx,[esp+44]
0057CF42 |. push ecx                                         ; /Arg1 => offset LOCAL.15
0057CF43 |. call Jump                                        ; 005AD18C \KPT1872.005AD134
0057CF48 |. add esp,4
0057CF4B |. mov [3444500],eax
Label:
0057CF50 |> pop edi
0057CF51 |> add esp,80                                       ; Default case of switch KPT1872(NoXTrap).57CD7A
0057CF57 \. ret
And the only changes seem to be the offsets. (which is normal with a re-compile)

So while this is clearly checking for clan number, I don't think it is changed.
bob, the new routine seems to add values in others.
Example:
add 100 of HP
cmp value, if 1, add 100 more RES.

Or not, it seems to compare a value; if greater or equal, it does not add the value to the char.
Hmm... okay, let's look at the code in my first analysis again... Humanize it a bit more:-
Code:
MyGlobal equ d 34DA5B0h

macro Local op1,op2
{
	op1*4+op2
}

Start:
	imul ecx
	sar edx, 5
	mov eax, edx
	shr eax, 31
	add edx, eax
	add edx, edi
	cmp edx, 800
	mov [Local 159,esi], edx
	jle NewCall
	mov d[Local 159,esi], 800
NewCall:
	call NewRoutine
	nop
	nop
	nop
	nop
	; ... etc.
NewRoutine:
	push ebp
	cmp edx, 800
	mov ebp, [Local 159,esi]
	mov [Local 159,esi], edx
	jle NewCall
	mov d[Local 159,esi], 800
	push ebp
	mov ebp, [Local 159,esi]
	cmp d[MyGlobal], 1
	jne Label1
	add ebp, 24h
	mov [Local 159,esi], ebp
	cmp d[Local 401,esi], 800
	jle Label1
	mov d[Local 401,esi], 800
Label1:
	pop ebp
	cmp [Local 4576,esi], ebp
	jne Label2
	mov [Local 133,esi], ebp
Label2:
	mov [Local 4788,esi], ebp
	ret
This code is using more fasm style syntax (d[x] equivalent to dword ptr [x], and fasm style macros etc.) If a number doesn't end in "h" (without quotes) it is decimal. :wink:

I don't see anything about it adding 100 to anything, but I do see some nasty recursion by CALLs which should fill up the stack frame. :/:

Will make the returns very confusing too. I wonder if that's intentional? Or rather... I assume it is, but wonder if it is an optimization or an obfuscation. (recursive algorithms are very powerful and compact, but an arse to re-read XD)
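The "CNFlag=" handler and the loop at 005B1064 it calls, reconstructed in C as an added example (not code from the thread or from either client). The loop is an ordinary signed decimal parser: skip leading characters, take an optional '+' or '-', accumulate eax*10+digit until the first non-digit, negate on '-'. Two assumptions are labelled in the comments: that the per-character call at 005B65F0 is an isspace-style test, and that the call at 0057FA10 is a key lookup returning 1 on a hit, for which strstr stands in.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reconstruction of the loop at 005B1064 (Magic) / 005AD134 (1872) that the
   "CNFlag=" handler calls with the value text. Assumption: the per-character
   call at 005B65F0 is an isspace-style test, which is what the skip loop
   looks like. Behaviour kept from the listing: optional '+'/'-', stop at the
   first non-digit, wrap silently on overflow (there is no range check). */
int32_t parse_int_005B1064(const char *esi) {
    while (isspace((unsigned char)*esi))       /* Skip: call 005B65F0 loop */
        esi++;
    int32_t edx = (unsigned char)*esi++;       /* first significant char */
    int32_t ecx = edx;
    if (ecx == '-' || ecx == '+')              /* cmp ecx,2D / cmp ecx,2B */
        ecx = (unsigned char)*esi++;           /* Opt1: consume the sign */
    uint32_t eax = 0;                          /* Opt2: xor eax,eax */
    while (ecx >= '0' && ecx <= '9') {         /* Inner: cases 30..39 */
        eax = eax * 4 + eax;                   /* lea eax,[eax*4+eax] */
        eax = eax * 2 + (uint32_t)(ecx - '0'); /* lea eax,[eax*2+ecx] */
        ecx = (unsigned char)*esi++;
    }
    return (int32_t)(edx == '-' ? 0u - eax : eax); /* Exit: neg eax on '-' */
}

/* Caller at 00580E5B: the global at 34DA5B0 is zeroed, the key "CNFlag=" is
   looked up, and only when the lookup returns 1 is its value parsed into the
   global. Assumption: the call at 0057FA10 is a key lookup that returns 1 on
   a hit; strstr stands in for it here. */
int32_t cn_flag_from_config(const char *config) {
    int32_t global_34DA5B0 = 0;                /* mov dword ptr [34DA5B0],0 */
    const char *hit = strstr(config, "CNFlag=");
    if (hit != NULL)                           /* cmp eax,1 / jne Label */
        global_34DA5B0 = parse_int_005B1064(hit + strlen("CNFlag="));
    return global_34DA5B0;
}

int main(void) {
    /* Constructed config text; not a file from any real client. */
    const char *cfg = "Name=demo\nCNFlag= 1\nLevel=10\n";
    printf("CNFlag -> %d, parse(\"  -42x\") -> %d\n",
           cn_flag_from_config(cfg), parse_int_005B1064("  -42x"));
    return 0;
}
```

Because the parser accepts any leading text and silently wraps, a value like "CNFlag=4294967297" parses to 1 and switches the bonus on; that is the kind of edge a server operator checking client-side config handling would want to be aware of.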
 