Re-Uploaded PDB/Matching exe for easy finding, and tutorial on why they are so useful

  1. #1 SecretsOThePast (Developer; joined Jan 2009; 643 posts)


    Since there wasn't a central location to get these (I've always had to google for them, and finding them is a pain in the butt), I am reposting them.

    **DOWNLOAD LINK BELOW TUTORIAL**

    **START TUTORIAL**

    The reason these are so useful is that you can load them up in a program like IDA 5.5 and extract just about anything about older clients.

    Granted, some things in '07 or '08 runnables, and especially '10 ijji runnables, will be terribly different in regards to the layout of parameters, local variables, etc. However, this does aid in developing, especially if someone finds a new crash and you are trying to debug it. This is the original point of IDA (besides malicious data extraction), and it's very useful for what it is.

    Note that you cannot use a PDB file with newer clients; however, you can map out newer clients based on the exe + PDB files of newer ones (explained below).

    An example: I was trying to see if fTime was removed from ZPostShot in the client. I first looked at the jGunZ client:

    Code:
    void __cdecl ZPostShot(float fShotTime, D3DXVECTOR3 *pos, D3DXVECTOR3 *to, int sel_type)
    {
      void *v4; // eax@1
      MCommand *v5; // esi@1
      int v6; // eax@1
      double v7; // st7@1
      unsigned __int64 v8; // qax@1
      double v9; // st7@1
      unsigned __int64 v10; // qax@1
      double v11; // st7@1
      unsigned __int64 v12; // qax@1
      double v13; // st7@1
      unsigned __int64 v14; // qax@1
      double v15; // st7@1
      unsigned __int64 v16; // qax@1
      double v17; // st7@1
      MCommandParameter *v18; // eax@2
      ZPACKEDSHOTINFO info; // [sp+0h] [bp-20h]@1
      int v20; // [sp+14h] [bp-Ch]@1
      int (*v21)(); // [sp+18h] [bp-8h]@1
      int v22; // [sp+1Ch] [bp-4h]@1
    
      v22 = -1;
      v21 = _ehhandler__ZPostShot;
      v20 = v6;
      v7 = pos->baseclass_0.x;
      info.fTime = fShotTime;
      v8 = (unsigned __int64)v7;
      v9 = pos->baseclass_0.y;
      info.posx = v8;
      v10 = (unsigned __int64)v9;
      v11 = pos->baseclass_0.z;
      info.posy = v10;
      v12 = (unsigned __int64)v11;
      v13 = to->baseclass_0.x;
      info.posz = v12;
      v14 = (unsigned __int64)v13;
      v15 = to->baseclass_0.y;
      info.tox = v14;
      v16 = (unsigned __int64)v15;
      v17 = to->baseclass_0.z;
      info.toy = v16;
      info.toz = (unsigned __int64)v17;
      info.sel_type = sel_type;
      v5 = ZNewCmd(10034);
      v4 = operator new(0x10u);
      v22 = 0;
      if ( v4 )
        MCommandParameterBlob__MCommandParameterBlob((MCommandParameterBlob *)v4, &info, 17);
      else
        v18 = 0;
      v22 = -1;
      MCommand__AddParameter(v5, v18);
      ZPostCommand(v5);
    }
    Now, the same function in pseudocode without the structures, variables, etc. identified (I searched for an immediate value of 10034 in decimal):

    Code:
    int __cdecl ZPostShot(int a1, int a2, char a3)
    {
      int v3; // esi@1
      double v4; // st7@1
      unsigned __int64 v5; // qax@1
      double v6; // st7@1
      unsigned __int64 v7; // qax@1
      double v8; // st7@1
      unsigned __int64 v9; // qax@1
      double v10; // st7@1
      unsigned __int64 v11; // qax@1
      double v12; // st7@1
      unsigned __int64 v13; // qax@1
      double v14; // st7@1
      int v15; // eax@2
      int v17; // [sp+4h] [bp-20h]@1
      __int16 v18; // [sp+8h] [bp-1Ch]@1
      __int16 v19; // [sp+Ah] [bp-1Ah]@1
      __int16 v20; // [sp+Ch] [bp-18h]@1
      __int16 v21; // [sp+Eh] [bp-16h]@1
      __int16 v22; // [sp+10h] [bp-14h]@1
      __int16 v23; // [sp+12h] [bp-12h]@1
      char v24; // [sp+14h] [bp-10h]@1
      int v25; // [sp+20h] [bp-4h]@1
    
      v4 = *(float *)a1;
      v17 = **(_DWORD **)(*(_DWORD *)(*(_DWORD *)(dword_672F68 + 48) + 12)
                        + 4 * *(_DWORD *)(*(_DWORD *)(dword_672F68 + 48) + 24));
      v5 = (unsigned __int64)v4;
      v6 = *(float *)(a1 + 4);
      v18 = v5;
      v7 = (unsigned __int64)v6;
      v8 = *(float *)(a1 + 8);
      v19 = v7;
      v9 = (unsigned __int64)v8;
      v10 = *(float *)a2;
      v20 = v9;
      v11 = (unsigned __int64)v10;
      v12 = *(float *)(a2 + 4);
      v21 = v11;
      v13 = (unsigned __int64)v12;
      v14 = *(float *)(a2 + 8);
      v22 = v13;
      v23 = (unsigned __int64)v14;
      v24 = a3;
      v3 = sub_4C3B60(10034);
      v25 = 0;
      if ( sub_5CEFAF(0x10u) )
        v15 = sub_506030(&v17, 17);
      else
        v15 = 0;
      v25 = -1;
      sub_507C00(v15);
      return sub_4C3000(v3);
    }
    As you can see, they look similar. We can tell that sub_4C3B60 is ZNewCmd,
    sub_5CEFAF is MCommandParameterBlob::MCommandParameterBlob (the constructor for the MCommandParameterBlob class), and sub_507C00(v15) is MCommand::AddParameter.

    It returns with ZPostCommand, which we can now see is return sub_4C3000(v3). Then you can do things like other hooks on ZPostCommand to add custom packets, listed here: http://forum.ragezone.com/f245/using...d-07-a-694379/ We have basically figured out everything. The best part about IDA is that we can label things, convert structures in real time, etc., all by right-clicking on these pseudocode elements and using the dialog options.

    If anyone is wondering what client those offsets are for, it's the Xiaolin runnable. You can probably figure it out yourself now, and many more things as a result. Notice how my offsets match up with Phail's, and also notice that this works for finding virtually any offset of a function, struct, basically anything you want. The Xiaolin runnable is also the '07 runnable, for anyone curious. That concludes the tutorial part. The actual PDBs are listed in this sendspace link, and contain matching PDBs:

    **END TUTORIAL**

    **START DOWNLOAD LINK**

    Download GunZPDBs.rar from Sendspace.com - send big files the easy way

    **END DOWNLOAD LINK**

    If anyone has any questions, feel free to ask in this thread. Otherwise, enjoy the download link and mini-tutorial. For legal reasons, I cannot link to the version of IDA I use, as an FYI. I won't tell you how to get it, but if you are truly interested, there is a way to get it; I just won't say how.

    note to mods: This isn't active hacking; this is useful for both hackers and server administrators. Armorer vs. Weaponsmith: if they both have the same tools, the smarter of the two will win.
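As an added example (not part of the original post), here is a small Python script that automates the struct-recovery step the tutorial does by eye: it parses the Hex-Rays stack-offset comments from the unsymbolized ZPostShot listing, walks the contiguous locals starting at the variable whose address is passed to the blob constructor (&v17, blob length 17), and renders the recovered layout as a packed C struct, optionally substituting the jGunZ field names. The field types come from the decompiler output, not from a PDB (v17 shows as int here although the symbolized listing stores a float into fTime), and the name mapping is the one read off the two listings above.

```python
import re
# Constructed sample: the local-variable declarations copied from the
# unsymbolized ZPostShot listing ([sp+XXh] annotations are Hex-Rays' offsets).
UNSYMBOLIZED_LOCALS = """
  int v17; // [sp+4h] [bp-20h]@1
  __int16 v18; // [sp+8h] [bp-1Ch]@1
  __int16 v19; // [sp+Ah] [bp-1Ah]@1
  __int16 v20; // [sp+Ch] [bp-18h]@1
  __int16 v21; // [sp+Eh] [bp-16h]@1
  __int16 v22; // [sp+10h] [bp-14h]@1
  __int16 v23; // [sp+12h] [bp-12h]@1
  char v24; // [sp+14h] [bp-10h]@1
  int v25; // [sp+20h] [bp-4h]@1
"""
TYPE_SIZES = {"char": 1, "__int16": 2, "int": 4, "float": 4, "_DWORD": 4}
DECL_RE = re.compile(r"^\s*(\S+)\s+(\w+);\s*//\s*\[sp\+([0-9A-Fa-f]+)h\]")

def parse_locals(text):
    """Return (ctype, name, sp_offset, size) tuples sorted by stack offset."""
    found = []
    for line in text.splitlines():
        m = DECL_RE.match(line)
        if m:
            ctype, name, off = m.groups()
            found.append((ctype, name, int(off, 16), TYPE_SIZES[ctype]))
    return sorted(found, key=lambda loc: loc[2])

def recover_struct(locals_, base_name, blob_size):
    """Walk contiguous locals upward from base_name (the &v17 passed to the blob
    ctor), stopping at blob_size bytes or at the first gap in the stack frame."""
    base_off = next(off for _, name, off, _ in locals_ if name == base_name)
    fields, cursor = [], base_off
    for ctype, name, off, size in locals_:
        if off < base_off: continue
        if off != cursor:          # hole: the struct ended before this local
            break
        fields.append((off - base_off, ctype, name))
        cursor += size
        if cursor - base_off >= blob_size:
            break
    return fields, cursor - base_off

def render_struct(fields, struct_name, names=None):
    """Emit a packed C struct; pass `names` to substitute the symbolized names."""
    names = names or [name for _, _, name in fields]
    out = ["#pragma pack(push, 1)", f"struct {struct_name} {{"]
    for (off, ctype, _), name in zip(fields, names):
        out.append(f"    {ctype} {name + ';':<10} // +0x{off:02X}")
    return "\n".join(out + ["};", "#pragma pack(pop)"])
```

Calling recover_struct(parse_locals(UNSYMBOLIZED_LOCALS), "v17", 17) yields eight fields totalling exactly the 17 bytes the constructor copies, and v25 (bp-4, the EH state slot) is correctly left out because of the gap at sp+15h.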


  2. #2 Rotana (Member; joined Jan 2007; The Netherlands; 1,733 posts)

    Nice tutorial about IDA. I think you helped lots of newbies.

    Keep up the good work.

  3. #3 whhacker93 (Member; joined Apr 2008; Canada; 926 posts)

    Nice idea; like he said, keep up the good work.

  4. #4 kronic23 (Member; joined Apr 2009; location "home sweet home"; 130 posts)

    I made a tutorial similar to this on my site, but I think you made a pretty good explanation as well.

  5. #5 Military (Member; joined Jun 2009; 3,301 posts)

    Thank you.
