WindowMode ( DC After Login )

Joined
Jan 19, 2007
Messages
400
Reaction score
38
So, I am testing a new client...
and I added a window mode in that client. That is working...
But there is a checksum in the same place that is getting me DC after login, not DC(4)...
I think it is because Windowmode is a GM function, and when I push that function it searches hotuk.ini (GM mode, and everything is taken from it), so it doesn't find it and gets DC. That's my theory =/
So I need to find the checksum to make it right; and my theory is based on the fact that winmode is working: when I put "Windowmode" "1" in ptreg.rgx, it logs in with window mode and gets DC after login, and when I put "windowmode" "0" I don't get DC, and don't log in with window mode....

Anyone here know something about it?
Thanks for all the help
 
Custom Title Activated
Loyal Member
Joined
May 26, 2007
Messages
5,545
Reaction score
1,315
Funny, someone else just asked me about the same thing yesterday.

You are trying to get Window Mode without GM. Does your server log "Focus Changed" errors? That will DC you. If you are not a GM, you are not allowed to switch windows, and if you are not full screen, the OS switches windows briefly all the time. I patched this out of a client before, but that was QF 1873.

There are XTrap and game.exe checks against "focus" (the active window) throughout the game's operation.
 
Custom Title Activated
Loyal Member
Joined
May 26, 2007
Messages
5,545
Reaction score
1,315
It's not an XTrap function, as such. It's checked by the client, but XTrap checks it as well, so it's checked in multiple places.

Some of the checks simply force focus back to the game (which is irritating); most send a packet to the server, and if it gets lots of them in a short time period it will DC you.

So to avoid the DC, you only have to stop the packets going out. But it's probably as well to remove all the functions that check for focus, because otherwise, you are working in Notepad, on IRC or in a dreaded IM like MSN :wink: and the game keeps coming to the front of whatever you are doing, and stealing your keyboard and mouse input. XD

I believe I patched out some 5 to 8 different routines, and the method required was different for each. Some are part of another routine which is useful, others are calls to a focus check and then return. So some you can just skip the call, and others you need to NOP out the focus checking routines or turn JNZ or JZ into JMP.

When I looked at the English client, it does far less of this as Window mode is legal even for non-GMs in EPT... it's only discouraged by the launcher turning it off each time you start the game. If you remember to untick full-screen in the launcher before each time you play, you are allowed to log in to EPT and play in a window.
 
Custom Title Activated
Loyal Member
Joined
May 26, 2007
Messages
5,545
Reaction score
1,315
Hmm... It was some time ago, and I spent about 2 weeks cleaning them all out, but...

I can see calls to USER32.GetForegroundWindow(); that will be part of it. The other common way to check for loss of focus is when processing Windows messages, to process the Windows Message Queue, with WM_SETFOCUS, WM_KILLFOCUS, WM_ACTIVATE etc. USER32.GetActiveWindow() can also be used to some extent.

I believe I was looking into remapping, and adding new keyboard controls when I started stumbling on these things, and taking them out because they are annoying... and by modern standards "bad practice".

Focus "stealing" triggers some anti-keylogger and malware alerts, but most decent (home) versions will skip this on a "full screen" application. Because of games and screen-savers. Our Educational LAN security logged it with the Domain Controller.

It's not advisable, as it goes against the entire principle of having a multi-threaded, multi-user, multi-window, co-operative desktop operating system.
 
Custom Title Activated
Loyal Member
Joined
May 26, 2007
Messages
5,545
Reaction score
1,315
Oh, sorry, yea in "all intermodular calls".

I'm not sure of any other way... you know I normally document anything I'm doing here on RZ, because in all honesty one forgets exactly what one did very quickly otherwise. These changes are probably present in the ZPT client I uploaded to the release section a little while ago, but with the number of slight changes I was doing here and there, left, right and centre, with no particular plan or intention for the client other than to just "see what I could do", I really can't remember all the bits and pieces I messed with.

hotuk.ini translations, window mode relaxation, Vista compliance (partial but incomplete), handes.dll removal, XTrap cleaning, XML authorization code in the resources, resources after KPTTrans, font fix-ups (did get tutorialed), re-texturing Ric and some low-level monsters (which I'm now trying to remember with moons), remapping keys and a sub-program (which I abandoned as a "bad way to do it") to allow Quake / WoW style AWSD movement... and probably more that won't spring to mind until someone else mentions trying something similar.

I was actually looking at code, trying to make sense of it, editing it to confirm it was what I thought it was and then moving on to another bit of code, rather than "trying to find the code that does X". It was quite a productive way to work, but very disorganised.

Moral: Always document what you do, even if it doesn't work out. You NEVER know when you might want to do that, or something related again. XD

I'm sorry I can't remember more, and I'm sorry I'm stuck in Linux until I can get back to my Vista install CD and start restoring backups. :(: For now, I'm confident that you will find "most" of the threads from the functions I've already mentioned. If you don't get them all, I hope I will be able to help more come next w/e or so.
 
Newbie Spellweaver
Joined
Oct 31, 2006
Messages
85
Reaction score
2
Moral: Always document what you do, even if it doesn't work out. You NEVER know when you might want to do that, or something related again. XD

100% correct. For any work related to coding or design it is vital that you keep logs of dates, times and a brief description of what you did. It is part of the Software Development Cycle =). I know this is only for a video game, but it is still important to keep logs, as if you get a job related to coding software it will become a habit for you to keep logs. Also, I know it is a real pain in the butt documenting everything you did and you want to take shortcuts, but don't, because you will end up kicking yourself in the end when you can't understand it.

Back on topic, I can't really help you unless it's possible to open your client in VB and check the code. Then I will be able to find the calls and edit them.
 
Custom Title Activated
Loyal Member
Joined
May 26, 2007
Messages
5,545
Reaction score
1,315
lol. It would take considerable effort to write (even) PT in VB alone. Don't get me wrong, VB is a fantastic Rapid Application Development Environment, but it's really not for writing video games. I've written Solitaire (Patience, as we call it here) and SokoBan (Box Man) in VB5 & 6, but they don't rely on vertical blanking or frame buffers, let alone a 3D engine.

Actually, I don't think that dates and times are very important, unless you are keen to remember what you didn't know at the time you last looked at a piece of code.
 
Joined
Jan 19, 2007
Messages
400
Reaction score
38
Uhhu, thanks BOB, so now I have some way to start a search.
So, I need more of your help =x
I need to find and 'disable' the item checksum...
I tried to change some things in items, like their size, and got DC(4). I think this is a checksum, like the Skill checksum, but how will I be able to find it?

Thanks A LOT MAN!!!
 
Newbie Spellweaver
Joined
Oct 31, 2006
Messages
85
Reaction score
2
Dates and times are always useful to have, just in case something happens.
 
Joined
Jan 19, 2007
Messages
400
Reaction score
38
Huhuhu, THANKS rxaicy, I will try some things about it =P
But... do I need to NOP? Skip?
Can you help me with more? =x
MAN, THANKS so much!!!
uhsdauhsad
Kiss for all
 
Custom Title Activated
Loyal Member
Joined
May 26, 2007
Messages
5,545
Reaction score
1,315
I would recommend closing one issue before working on another.

If there are checksum routines, they will address the data being checked... probably near the start of the data, but possibly before, and running into it. Select an area of memory covering all your data, and maybe a bit before and a bit after, then search for references in code.

The routine you are looking for will iterate (loop) through memory addresses reading them and summing them with a register or memory value. It may be a function that is called. You may have to "understand" all the other routines which access that memory, set a breakpoint on (or before) each referencing instruction, and as they are reached, trace them to "understand" what they are doing. Some may be obvious enough just from the listing, but as you "understand" that this is not the routine you are looking for, you can remove breakpoints.

When you find the right one, you either need to disable it, or match the memory it compares against with the number it has calculated.

Whether you need to NOP, or change JNZ to JMP all depends on the code you are trying to disable. I would always NOP out code I remove, but you can JMP over the NOPs you fill in to save CPU cycles. (Actually, it usually doesn't unless you are skipping more than a couple of words, but it may still save level 1 cache space.)

If a jump happens when a match is made, JZ (jump if zero) or JNZ (jump if not zero), JE (jump if equal) or JNE (jump if not equal), JG (jump if greater) or JL (jump if less), and you don't ever want that match to be made, NOP it out, and JMP the NOPs. You may want to clear the CMP or OR or XOR before it that sets the flag in the first place, as it is now redundant, and NOP out the code that is now always skipped to clarify that this is now free space you could add a new routine in.

If you always want the match to be made, change the JZ, JNZ etc. to a JMP.

There are other forms of comparison, as each instruction sets flags, but the common ones are CMP, OR, XOR, TEST and sometimes LEA. CMP compares two registers and sets Z (zero) and E (equal) on a match. It also sets for less than or greater than, so you can JG or JL (Jump Greater or Jump Less). XOR is somewhat quicker, as it performs a binary exclusive or. Since any number XORed with itself is always 0, you can JZ or JNZ based on an XOR comparison very easily, but you can't JG or JL.

There are also JC and JNC against the Carry flag, which is set if there is any overflow in the previous operation. For example, if you add 1 to 4294967295 in a 32-bit register, the answer is 0 carry 1, because you have exceeded the storage space of the register. PT uses carry in some of its checksum routines, but it's also used for "overflow" checking.

If a CALL is made that you don't want to ever be called, you can make its first line a RET, or NOP out the CALL and optionally JMP the NOPs. If you want to replace only one particular call to that function you will definitely want to choose the latter approach, but if you want a global removal of that routine, the former is the quick way.

You can also NOP out all CALLs to a subroutine, and then NOP out the entire routine, freeing that for new code. (Actually it's free from the moment you remove the last call to it, but a bunch of useless NOPs that nothing points to kind of stands out when you are looking for a nice "Code Cave"; it compresses better when you zip it up too.)
 
Joined
Jan 19, 2007
Messages
400
Reaction score
38
Hmm
So...
Bob, do you think that at the start of the Itemtable there's a place that calls a checksum?

Is it in the same place as the start of the table?

It becomes easier if I'm right...
 
Custom Title Activated
Loyal Member
Joined
May 26, 2007
Messages
5,545
Reaction score
1,315
No no... sorry, you misunderstand. I shall try to explain more clearly.

Okay, as an example, I want to store a table of the numbers 1 to 10 as 32-bit DWords at address 0x00400000. So, my table stores the DWords:-
Code:
0x00400000 : 0x00000001
0x00400004 : 0x00000002
0x00400008 : 0x00000003
0x0040000C : 0x00000004
0x00400010 : 0x00000005
0x00400014 : 0x00000006
0x00400018 : 0x00000007
0x0040001C : 0x00000008
0x00400020 : 0x00000009
0x00400024 : 0x0000000A
I want to ensure nobody messes this table up, so I make a checksum, which is all the numbers added together. Too simple to be effective, but simple is what I'm aiming for.

Now I iterate through the table and compare my result with a const. I'll use BASIC syntax, again for simplicity.
Code:
Const ChkRight = 0x00000037   ' 1 + 2 + ... + 10 = 55 = 0x37
Dim i As Long                 ' address being read
Dim Chk As Long               ' running sum

Chk = 0
For i = 0x00400000 To 0x00400024 Step 4
  Chk = Chk + DPeek(i)        ' DPeek reads the 32-bit DWord at address i
Next i
If Chk = ChkRight Then
  MsgBox(0, "Checksum OK", "Table is untampered.", MB_OK)
Else
  MsgBox(0, "Checksum Fail!", "Table has been modified.", MB_OK)
  Exit -1
End If

The "const" is processed by the parser, and filled in before compilation time, so it will not be in the Data area anywhere... however, if you look at the "LameCrypt" code in your original release with the new map, it encrypts all of the Exp table, and 16 (IMS) bytes before that memory section. ^_^ That enables it to "hide" the built-in IP string "127.0.0.1" as well as that Exp table.

Some of the checksum routines in PT are made like that, they cover more than one table, or just a few bytes before and a few bytes after.

Of course the *CLSAFE_CODE covers the entire Code and Data section of the main executable... so if you are using that server side, that will always DC you. -.- But I'm sure you knew that. When it's only a few bytes before and / or a few bytes beyond, I suspect that is done only so you don't find the routine when searching for code that references the table. :wink:

Searching for references to 0x00400000 would find the "For" statement, or rather its Asm equivalent, if the routine were the one illustrated. But the "For" could just as easily be "For i=0x0038FFF0 to 0x00400028 Step 4" if ChkRight is adjusted accordingly. And that is why I suggest working your way back from the start of the table.
 
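The additive table checksum from the BASIC listing above, worked through as an added Python example (not code from the thread, nor from the PT client). The memory image, the 16 bytes of "127.0.0.1" placed before the table, and the add-with-carry variant are constructed assumptions; the example shows how the expected constant changes when the checked range starts before the table, how a modified entry fails the check, and what the carry flag mentioned earlier contributes.

```python
import struct

# Constructed memory image (an assumption, not the client's real layout): 16 bytes
# holding "127.0.0.1" padded with zeros, then the 1..10 DWord table at 0x00400000.
PREFIX_BASE = 0x003FFFF0
TABLE_BASE = 0x00400000
TABLE_LAST = 0x00400024          # address of the last DWord in the table

def build_image():
    prefix = b"127.0.0.1".ljust(16, b"\0")
    table = b"".join(struct.pack("<I", n) for n in range(1, 11))
    return bytearray(prefix + table)

def dpeek(image, base, addr):
    """DPeek from the listing: read the little-endian DWord at a virtual address."""
    return struct.unpack_from("<I", image, addr - base)[0]

def sum_checksum(image, base, start, last):
    """The For...Next loop from the post: a plain 32-bit additive checksum."""
    chk = 0
    for addr in range(start, last + 1, 4):
        chk = (chk + dpeek(image, base, addr)) & 0xFFFFFFFF
    return chk

def carry_checksum(image, base, start, last):
    """ADC-style variant: each add's carry-out is folded back in, so an
    overflow changes the result instead of being silently dropped."""
    chk = 0
    for addr in range(start, last + 1, 4):
        total = chk + dpeek(image, base, addr)
        chk = (total & 0xFFFFFFFF) + (total >> 32)
    return chk & 0xFFFFFFFF

def table_ok(image, expected=0x37):
    """The If Chk = ChkRight test: 1+2+...+10 = 55 = 0x37 over the table alone."""
    return sum_checksum(image, PREFIX_BASE, TABLE_BASE, TABLE_LAST) == expected

def main():
    img = build_image()
    narrow = sum_checksum(img, PREFIX_BASE, TABLE_BASE, TABLE_LAST)
    wide = sum_checksum(img, PREFIX_BASE, PREFIX_BASE, TABLE_LAST)
    print(f"table only: {narrow:#010x}  with 16 bytes before: {wide:#010x}")
    # Change the third entry (the thread describes resizing an item);
    # both ranges now disagree with their stored constants.
    struct.pack_into("<I", img, TABLE_BASE - PREFIX_BASE + 8, 0x30)
    print("table intact:", table_ok(img), "wide range intact:",
          sum_checksum(img, PREFIX_BASE, PREFIX_BASE, TABLE_LAST) == wide)

if __name__ == "__main__":
    main()
```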
Joined
Jan 19, 2007
Messages
400
Reaction score
38
@rxaicy
Where and how can I start to search?
I want to learn by myself, but with some help.
If you can add me I would like that so much...
But what can I do?

@bob, I understand how the code works, but I want to know a way to find this in the client...
+P
 