Re: 99.999% and dont lvl up
Someone kindly sent me a saved HTML page of Mazzei's MIB post... I've only translated up to the end of the Introduction section so far, but it fits very well with what I thought was going on, and it tells how it is, not just what I was thinking.
If Mazzei doesn't mind, I'll post my translation here, with full credit to them. ^_^
@rxaicy: :o Checksum... that would match some strange code I've seen in other successfully patched clients and servers, but is it necessary? Can we not patch out the checksum check, or read what it is compared to and write that back to the exe?
Re: 99.999% and dont lvl up
Quote: Originally Posted by rxaicy
The reason is easy: you must make a new checksum which is related to the exp table in client.exe. If you are able to use "od", you can solve it easily. After the FF FF FF FF FF FF FF FF FF, you will see the checksum. Recently I am very busy; anyone who has this trouble can post your client.exe to my email:
ou-xi-qian@163.com. And I will fix it as soon as possible.
Okay. You are right. A checksum code appears when you add a new exp table.
Re: 99.999% and dont lvl up
Quote: Originally Posted by bobsobol
Someone kindly sent me a saved HTML page of Mazzei's MIB post... I've only translated up to the end of the Introduction section so far, but it fits very well with what I thought was going on, and it tells how it is, not just what I was thinking.
If Mazzei doesn't mind, I'll post my translation here, with full credit to them. ^_^
Bobsobol, no problem, I do not mind and even appreciate it; my English is rusty (Brazilian slang) :D.
I come from the Linux area and have a tendency to write very technical texts in English, so I did the tutorial here on ragezone, but the problem of this topic would be the same if we had the forum in Brazil.
Count me in; I can help.
Re: 99.999% and dont lvl up
Hi All,
I know this post is a bit old, so sorry, DK, if I bumped it back up. I do want to get this level-up issue resolved, if you do not mind T.T.
Okay, I have gone over both StrangeFay's and microamazing's guides for moving the xp table. Each time I have placed in the new xp table, there was no "checksum" created after the sequence of "FF FF FF FF FF FF FF FF FF" that rxaicy mentions. I have followed the guide thoroughly, over 200 times at that, unless I am repeatedly making the same mistake over and over again.
In StrangeFay's, he mentioned adding the new section via LordPE and then using LPE to rebuild. However, that did not generate the new checksum that I have seen in other level 150 based clients. So I am curious as to how they come about.
I mean, here is a screenshot of the checksum from the original exp table up to level 120:
Img 1:
http://img297.imageshack.us/img297/918/image0b.jpg
So how exactly did that value come about? The view next to it is a screenshot from PE Explorer of the same values.
Here are some of the checksum values that are present at the end of other level 150 clients that have been posted here:
Img 2:
http://img297.imageshack.us/img297/2354/image3pk.jpg
Img 3:
http://img140.imageshack.us/img140/4412/image4ht.jpg
So rxaicy mentions searching in Olly. What exactly do you search for in Olly to find the old checksum? And where?
I mean, I got the following checksums by running the checksum options in Hex Workshop, but these are incorrect, right?
http://img21.imageshack.us/img21/2008/image5gh.jpg
And more importantly, how do you arrive at the new checksum? I mean, Hex Workshop has a "checksum" generator; do you use that to generate one?
I guess the gist of what I am trying to ask is where this new checksum appears and where the appropriate location to replace it is. In my personal opinion, I do agree with both rxaicy and Zaharavn that the value after the "FF FF FF FF FF FF FF FF FF" is responsible for completing the table and allowing a proper level up. I have followed the guides that I mentioned before several times, and there has been no success at all. With regard to the server that I am testing the client against, it is Shagpub's Endless v2 version. Every single one of the proper-leveling clients I have tested works fine against it, except the one that I modified by moving the xp table.
So if anyone can provide insight on the matter, I am sure everyone here will be greatly thankful. Thank you in advance for your help.
PS - DK, if you think this should be a new topic of its own, please feel free to move my post. Thank you ^^.
Re: 99.999% and dont lvl up
Complete disassembly of relevant code:-
Code:
...
...
...
CMP EDI,78 ; Level 120 (0x78)
JGE SHORT Jmp_ExitFunc ; at level 120 or above the checksum is never checked
CALL Sub_ExpChkSum ; returns the 64-bit table checksum: EAX = low dword, EDX = high dword
MOV ECX,DWORD PTR DS:[Var_ExpChkSum1]
CMP ECX,EAX ; stored low dword vs. computed low dword
JNE SHORT Jmp_ExitFunc
MOV EAX,DWORD PTR DS:[Var_ExpChkSum2]
CMP EAX,EDX ; stored high dword vs. computed high dword
JNE SHORT Jmp_ExitFunc
...
...
...
Jmp_ExitFunc:
POP EDI
POP ESI
POP EBX
XOR EAX,EAX
INC EAX
POP EBP
POP ECX
POP ECX
RETN
Sub_ExpChkSum:
MOV EAX,DWORD PTR DS:[Var_Level0] ; low dword of table entry 0
MOV ECX,DWORD PTR DS:[5ACD14] ; high dword of table entry 0 (Var_Level0+4)
PUSH EBX
PUSH EBP
PUSH ESI
PUSH EDI
XOR ESI,ESI ; ESI:EDI = 64-bit entry counter
XOR EDI,EDI
XOR EBX,EBX ; EBP:EBX = 64-bit running sum
XOR EBP,EBP
JMP SHORT Jmp_EndLoop
Jmp_Loop:
PUSH ECX ; Arg4 = entry high dword
ADD ESI,1 ; counter++ (so entry 0 is multiplied by 1)
PUSH EAX ; Arg3 = entry low dword
ADC EDI,0
PUSH EDI ; Arg2 = counter high dword
PUSH ESI ; Arg1 = counter low dword
CALL Sub_CryptDouble ; EDX:EAX = low 64 bits of (counter * entry)
MOV ECX,DWORD PTR DS:[ESI*8+5ACD14] ; high dword of the next entry
ADD EBX,EAX ; sum += product (64-bit add via ADD/ADC)
MOV EAX,DWORD PTR DS:[ESI*8+Var_Level0] ; low dword of the next entry
ADC EBP,EDX
Jmp_EndLoop:
MOV EDX,EAX
AND EDX,ECX ; low AND high == FFFFFFFF only for the FFFFFFFFFFFFFFFF terminator
CMP EDX,-1
JNE SHORT Jmp_Loop
POP EDI
POP ESI
MOV EDX,EBP ; return high dword of the sum in EDX
POP EBP
MOV EAX,EBX ; return low dword of the sum in EAX
POP EBX
RETN
Sub_CryptDouble: ;Sub_CryptDouble(w,x,y,z) - 64-bit multiply, returns low 64 bits in EDX:EAX
MOV EAX,DWORD PTR SS:[Arg2] ; game.Sub_CryptDouble(guessed Arg1,Arg2,Arg3,Arg4) = (lo1,hi1,lo2,hi2)
MOV ECX,DWORD PTR SS:[Arg4]
OR ECX,EAX ; are both high dwords zero?
MOV ECX,DWORD PTR SS:[Arg3]
JNE SHORT Jmp_AltMethod
MOV EAX,DWORD PTR SS:[Arg1]
MUL ECX ; fast path: 32x32 -> 64 bit, lo1 * lo2
RETN 10
Jmp_AltMethod:
PUSH EBX
MUL ECX ; hi1 * lo2
MOV EBX,EAX
MOV EAX,DWORD PTR SS:[Arg1]
MUL DWORD PTR SS:[Arg4] ; lo1 * hi2
ADD EBX,EAX ; EBX = cross terms (only their low dwords survive)
MOV EAX,DWORD PTR SS:[Arg1]
MUL ECX ; lo1 * lo2 -> EDX:EAX
ADD EDX,EBX ; add cross terms into the high dword
POP EBX
RETN 10
All addresses are symbolised, so it doesn't matter where those addresses are in your executable.
Sub_ExpChkSum can be identified from the code.
Sub_CryptDouble is called from Sub_ExpChkSum, but also by many other routines. Sub_ExpChkSum is only called from that code fragment at the start, which runs only when a player levels up.
Var_ExpChkSum1 and Var_ExpChkSum2 are (in the default 120 client) stored after the double FFFFFFFFFFFFFFFF (= 18446744073709551615) at the end of the Experience table. You may or may not have updated their location. They are only referenced by the code fragment at the top, which (IMHO) is probably the easiest way to locate it in Olly.
As far as I can see, these routines iterate through the Experience table, adding each value to a checksum, which is then returned in ECX and EDX and compared to the values of Var_ExpChkSum back in the main level-up code.
I've spoken to Osirus off the forum and know he is still struggling to break into the code and find what ECX and EDX should be, but I will wait for him to play with the info I've already shared. This is just a summary of that for the rest of you. I hope it makes sense.
To help you locate and remember these addresses when using Olly, remember to use the Label options it provides when you press ":". ^_^
---EDIT---
My translation of Mazzeis MIB tutorial is up.
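Reading the disassembly in bobsobol's post as a formula: Sub_ExpChkSum walks the table as 64-bit entries, multiplies entry number n (counting from 1 for the level-0 entry, because ESI is incremented before the call) by the entry value, and adds the low 64 bits of each product into EBP:EBX until it hits the all-FF terminator. The level-up fragment then compares the low dword with Var_ExpChkSum1 and the high dword with Var_ExpChkSum2. The script below is an added example of mine, not code from this thread or from the game, that recomputes those two dwords for a table you have already extended and writes them back. Assumptions: entries are little-endian uint64 in the file, the two checksum dwords sit immediately after the terminator as the low then high half of one little-endian uint64 (the order matches how the fragment reads them but is not proven by the disassembly), the file offset you pass is the start of the table (convert from Olly's virtual address first), and the code's references to Var_ExpChkSum1/2 still point at that spot. The sample image at the bottom is constructed for illustration.

```python
import struct

TERMINATOR = 0xFFFFFFFFFFFFFFFF   # the FF*8 end marker of the exp table
MASK64 = (1 << 64) - 1


def parse_exp_table(image: bytes, table_offset: int) -> list[int]:
    """Read little-endian uint64 entries from table_offset until the all-FF
    terminator, mirroring the AND EDX,ECX / CMP EDX,-1 loop test. The
    terminator itself is not returned."""
    entries = []
    pos = table_offset
    while True:
        if pos + 8 > len(image):
            raise ValueError("ran off the end of the image without a terminator")
        (value,) = struct.unpack_from("<Q", image, pos)
        pos += 8
        if value == TERMINATOR:
            return entries
        entries.append(value)


def exp_checksum(entries) -> int:
    """Mirror Sub_ExpChkSum: for entry n (1-based, the ESI:EDI counter is
    incremented before the call) add n * entry to a 64-bit accumulator
    (EBP:EBX). Sub_CryptDouble keeps only the low 64 bits of the product and
    ADD/ADC keep only the low 64 bits of the sum, so everything is mod 2**64."""
    total = 0
    for n, value in enumerate(entries, start=1):
        total = (total + n * value) & MASK64
    return total


def checksum_dwords(entries) -> tuple[int, int]:
    """Split the result as the level-up fragment sees it:
    (EAX, EDX) = (Var_ExpChkSum1, Var_ExpChkSum2) = (low dword, high dword)."""
    total = exp_checksum(entries)
    return total & 0xFFFFFFFF, total >> 32


def patch_checksum(image: bytes, table_offset: int) -> bytes:
    """Return a copy of image with the 8 bytes following the terminator
    replaced by the recomputed checksum (low dword first, then high dword,
    i.e. one little-endian uint64). Assumption: Var_ExpChkSum1/2 live there."""
    entries = parse_exp_table(image, table_offset)
    term_end = table_offset + 8 * (len(entries) + 1)   # first byte after FF*8
    if term_end + 8 > len(image):
        raise ValueError("no room for the checksum dwords after the terminator")
    return image[:term_end] + struct.pack("<Q", exp_checksum(entries)) + image[term_end + 8:]


# Constructed sample image (not a real client): 4 filler bytes, a three-entry
# table, the terminator, 8 placeholder bytes where the checksum goes, 4 more.
SAMPLE_ENTRIES = [100, 250, 600]
SAMPLE_OFFSET = 4
SAMPLE_IMAGE = (b"\x90" * 4
                + b"".join(struct.pack("<Q", v) for v in SAMPLE_ENTRIES)
                + b"\xff" * 8
                + b"\x00" * 8
                + b"\xcc" * 4)

if __name__ == "__main__":
    lo, hi = checksum_dwords(parse_exp_table(SAMPLE_IMAGE, SAMPLE_OFFSET))
    print(f"Var_ExpChkSum1 (EAX) = {lo:08X}  Var_ExpChkSum2 (EDX) = {hi:08X}")
    print(patch_checksum(SAMPLE_IMAGE, SAMPLE_OFFSET).hex())
```

For a real client, read the exe with `open(path, "rb").read()`, pass the file offset of the first table entry, and write the returned bytes to a new file; then break on the CMP ECX,EAX in Olly and confirm EAX/EDX match what you wrote. Note that the fragment skips the check entirely once EDI reaches 0x78, so a wrong checksum only bites below level 120.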