Use xcorona_x64.xem as a ram patcher (latest ogrefest client)

[eipekaihemin]

Hi all,
Just found some patch points to pass XC in x64 client which from ogrefest's GameClient_2100.torrent.

My goal is make it always load loose assets instead of PAZs, and somewhat playable offline (without server/emu).

The hash of that original BlackDesert64.exe is:

Code:

MD5: cb9c14d0a7793f29574f921c213716ab
SHA1: 610aa03922c5aa2886bf59d9c1f0b587e49d3c5a
CRC32: e87901d2

Things in the attachment rar are:

Code:

xc //replace original xc folder with this one.

lucha.exe // launcher, patch 2 points to let the modified xem load.

xem.c // source code of that 2kb xcorona_x64.xem

deTMDstatic.exe // TMD decompressor, rename BlackDesert64.exe to tmds.exe, then it will produce tmdee.bin, which is the clean code (requires restore FTs on IAT). Also works on other x64 themida packed exe/dlls theologically.

ssiiu4.dd64 // some comments and labels for x64dbg.

To use this, you have to replace that 5MB+ xinput1_3.dll with xinput1_2.dll, then run the launcher OR the unpacked 53.2mb exe with dummy args like 1111,2222.

The things in my current xem ram patch are:
a. Access into character creation (LobbyUI) without connection, you can change 0x43D in xcorona_x64.xem to see different PAprocessors load:
03=LoginUI (original)
04=ServerSelect
05=LobbyUI
06=LoadingUI (?, not go anywhere)
07=ClientPlay (black screen only)
0B=FaceCamera (black screen only)

b. always load loose files, NOP out 0x460, 0xF bytes if you still use PAZs (don't know are there XC traps in PAZ loading funcs tho)

PS. IAT-restored code.bin and import trees in xml (pw: same as 02092018A__1_.7z):
mega.nz/#!OzpXlYYY!9n21lT-_Lf9Ic8G8DPmf_tTbmbmsFJUz3VpA0Ott83w

[MentaL]

[Katsu99]

Hi. Ty for share. Can u provide src for launcher?

[eipekaihemin]

Hi. Ty for share. Can u provide src for launcher?

All addr are hardcoded tho...

Code:

STARTUPINFOA si;

    PROCESS_INFORMATION pi;

   void entry(){    unsigned short tmdorig = 0x509c;    unsigned short infi = 0xFEEB;    CreateProcessA("BlackDesert64.exe","BlackDesert64.exe 123,321",0,0,0,0,0,0,&si,&pi);      suky:    unsigned short timtti =0;    ReadProcessMemory(pi.hProcess,0x14317FF98,&timtti,2,0); //0x14317FF98 first themida VM hole, before XC        if(timtti==tmdorig)        WriteProcessMemory(pi.hProcess,0x14317FF98,&infi,2,0);    else        goto suky;       Sleep(1000);    unsigned char paxc = 0xEB;    WriteProcessMemory(pi.hProcess,imbas+0x1F5C3E8,&paxc,1,0); // pass loader    WriteProcessMemory(pi.hProcess,0x14317FF98,&tmdorig,2,0);    ExitProcess(0);
}

[nopeer]

Good work. it looks good. need to be developed further.

[hnzero]

This thing, how to use it, still have to fix the pointer?
This thing, how to use it, still have to fix the pointer?

[hnzero]

我找到了绕过xigncode的方式，但进入游戏后，黑屏。 请告诉我你有办法解决这个XC。 如何使用你的东西？

[eipekaihemin]

This thing, how to use it, still have to fix the pointer?
This thing, how to use it, still have to fix the pointer?

Get the right BlackDesert64.exe from OF (they are down now...),
put xc and lucha.exe in bin64 dir, and do the xinput1_3.dll stuff,
run lucha.exe


ps. this one is mainly made for testing asset mods (undertow.club etc.)...


ps2. there must be

[SERVICE]
TYPE=KR

in the service.ini (each TYPE has its own xem_loader code block in the exe)

[reiza48]

password?