I don't understand your problem.
That's fine, but a memory mapped file isn't a file loaded into memory, it's a file treated as though it were a memory range. And the location in memory you want it mapped to is one of the parameters you must pass when mapping the file (or part of it) into memory.
File Mapping (Windows)
That looks smashing. Spot on idea.
Okay... you are stuck on direct vs. indirect addressing.
MOV ECX,600F48
Now ECX = 600F48
MOV EAX, 600F48
LEA ECX, EAX
Now ECX contains the address stored at memory location 600F48. ^_^
Also:-
MOV ECX, DWord Ptr [600F48]
Now ECX contains the address pointed to by memory at location 600F48.
Speed, size and availability of registers will determine the method you use.
---EDIT---
I warn you, that's off the top of my head, and it's been -4 INSIDE my house for the last week and a half, I have no heating and am running low on supplies and sleep. :s
I must say you confused me =P again:
My EAX contains a random address of the ITEM TABLE (the item table goes into EAX).
Lets see:
MOV ECX,600F48 <- ECX = 600F48 and because 600F48 is empty ECX = 0
MOV EAX, 600F48 <- EAX = 600F48 and because 600F48 is empty EAX = 0 and now I lost ITEM TABLE address...
LEA ECX, EAX <- since this is impossible I'm assuming that you wanted to say LEA ECX, [EAX], so now ECX = 0 because EAX is 0 at this point
MOV ECX, DWord Ptr [600F48] <- now ECX = 600F48
in the end:
EAX = 0
ECX = 600F48
or I am doing something terribly wrong =P
When PT does something like this:
MOV ECX,600F48
I need data there (inside 600F48, because it is empty): "Stone Axe" or "00 01 01 01" etc.
But because MOV DWORD PTR DS:[600F48],EAX makes 600F48 = address of EAX, my MOV ECX,600F48 will do MOV ECX, address of EAX, so (for example) ECX = 4490020...
PS. If it is "-4 INSIDE" then open up some 3D game and get close to the CPU ;)
Okay... I just did some practical tests.
In a client (1872) the .RData (import section of PE) is @ 5BD000
MOV ECX,005BD000
ECX = 005BD000
---------
MOV ECX, DWORD [005BD000]
ECX = 75E57C42 (which is the location of the RegOpenKeyExA routine from AdvAPI32.dll, and the DWord stored at location 005BD000)
----------
LEA ECX,[005BD000]
ECX = 5BD000
==========
I'm confused by the final result, because that makes it identical to a MOV, and that's not how it's documented at all. But I have to say, I very rarely resort to using LEA (Load Effective Address). I prefer to use [] relative addressing.
Your table is not much different to the import table. The biggest difference is that Olly has no idea how to label its contents.
Explanation: I had no idea how EAX was being used in the code you are looking at, I just used it as an example, since you should be able to LEA the contents of memory pointed to by an address in another register... but as I say, I rarely use it. (there are lots of rarely used instructions in Complex Instruction Set CISC CPU architectures)
Also. Please be careful of the term "empty". You should only come across the term "empty" in relation to digital storage when you are dealing with objects. Usually Variant Typed Objects.
Memory is never "empty" (unless it's an address that has no memory module / chip physically plugged in) and registers are never "empty".
Containing the value 0 is not empty. It may mean 0, False, Null, Nil, Failed, Error or "End of [List | Array]" but it should never mean "empty". (Well, maybe if it's representing how much water is in a cup... or such. Even so, it's better to say there is exactly 0 units of water in the cup.)
Specifically, this is very confusing with VB Variant variables (actually objects / custom types) of type Bool, since a Boolean value should only ever hold one of two possible states. They should either be "True" or "False", "On" or "Off", "Positive" or "Negative", "Yes" or "No", 1 or 0. But in VB it can be "True", "False", "Empty" or "Error" which, by definition, makes it far from "Boolean", as they are 4 state variables, not 2 state ones; even if you ignore their extended attributes.
This is very confusing for people moving to, or from VB or VBScript (ASP etc) and anything else.
Quote:
MOV ECX, DWord Ptr [600F48] <- now ECX = 600F48
Should only be the case if the value of the DWord stored at address 00600F48h is 00600F48h. o.O
Right now I am doing beta test (on game.exe).
I patched 3 functions that are called when you log in to the server. Those functions check the item table.
PT can load my file to memory and count items in that file.
However there is a problem when the next function does this again (this time it is checking every second item O.o + it's checking some other parts of the items).
Problem is here:
EAX contains the content of my external file, but when this is executed:
Code:
MOV EDX,DWORD PTR DS:[EAX-7C]
EAX-7C = start of my external file in memory and EDX = 01010100, 01010200, 01010300 etc. (this is actually correct, the same thing happens on the unmodified exe)
01010100, 01010200, 01010300 etc. is the number at the beginning of every item in the table; it's also the offset to the memory-mapped file (empty space in .data).
My question is... WTH is this?
I will probably load this space into memory and then change EDX into the space in memory, but before I do that maybe someone can tell me something more about those magic numbers in front of every item.
They are the UID.
They are the item ID the server and client recognise by... not the WA101 or what-ever NameID.
The NameID is used by the server to look up in OpenItem, and by the client to find "assets" (Icons, ground and worn meshes) but the numeric ID / UID is used as a key value for most other lookups. I think the GameSave file stores both, and I suspect both are in any packet concerning items. (dropped, picked up, in WH / shop etc)
The code actually indicates the type of item as well... there's info hereabouts in posts, but not exactly a "guide" or "tutorial".
Comes up in questions about "off hand" items and "item holding animation" for items which you hold in your hands (bow, crossbow, wand, stave, axe, sword, longsword etc each have different held item animation).
Gregoo would probably be able to give a more complete (correct) answer, as I know he's done stuff with customs... I never have. I only want the standard base items to work. XD
It should really be covered in the guide "How to add items to table without replace" (or WHY) but I didn't read that very thoroughly and don't remember seeing it mentioned. (I could have just skipped over it)
OK I got my proof of concept (item table in game.exe is deleted) =P
I loaded an item from an external file (nvm the error, it's because I did not patch the img function).
http://forum.ragezone.com/attachment...1&d=1291928345
Now I should build my offset table (adding items will be very easy) but before I do that I need to fix the security function (I have disabled it for now =P)... It's a function that checks the item table every 10 sec and if something is wrong it forces game.exe to quit.
The offset of that problem is 00492909 in the game.exe I uploaded in the other thread.
http://forum.ragezone.com/attachment...nswer-game.rar
The function looks like this:
Code:
004927A0 /$ A1 C0C95F00 MOV EAX,DWORD PTR DS:[5FC9C0]
004927A5 |. 81EC 80000000 SUB ESP,80
004927AB |. 85C0 TEST EAX,EAX
004927AD |. C705 A84C1003 >MOV DWORD PTR DS:[3104CA8],0
004927B7 |. 0F84 98000000 JE game.00492855
004927BD |. 53 PUSH EBX
004927BE |. 8B1D D4625C00 MOV EBX,DWORD PTR DS:[<&USER32.wsprintfA>; USER32.wsprintfA
004927C4 |. 55 PUSH EBP
004927C5 |. 8B2D 34625C00 MOV EBP,DWORD PTR DS:[<&KERNEL32.lstrcpy>; kernel32.lstrcpyA
004927CB |. 56 PUSH ESI
004927CC |. B8 C0C95F00 MOV EAX,game.005FC9C0
004927D1 |. 57 PUSH EDI
004927D2 |. 8B3D 3C615C00 MOV EDI,DWORD PTR DS:[<&KERNEL32.lstrcat>; kernel32.lstrcatA
004927D8 |. 8BF0 MOV ESI,EAX
004927DA |. 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
004927E0 |> 8B8C24 9400000>/MOV ECX,DWORD PTR SS:[ESP+94]
004927E7 |. 8508 |TEST DWORD PTR DS:[EAX],ECX
004927E9 |. 74 5A |JE SHORT game.00492845
004927EB |. 8B56 FC |MOV EDX,DWORD PTR DS:[ESI-4]
004927EE |. A1 A8456B00 |MOV EAX,DWORD PTR DS:[6B45A8]
004927F3 |. 52 |PUSH EDX
004927F4 |. 50 |PUSH EAX
004927F5 |. 8D4C24 18 |LEA ECX,DWORD PTR SS:[ESP+18]
004927F9 |. 51 |PUSH ECX
004927FA |. FFD3 |CALL EBX
004927FC |. 83C4 0C |ADD ESP,0C
004927FF |. 68 44595D00 |PUSH game.005D5944 ; ASCII "
"
00492804 |. 8D5424 54 |LEA EDX,DWORD PTR SS:[ESP+54]
00492808 |. 52 |PUSH EDX
00492809 |. FFD5 |CALL EBP
0049280B |. 8D4424 10 |LEA EAX,DWORD PTR SS:[ESP+10]
0049280F |. 50 |PUSH EAX
00492810 |. 68 88351003 |PUSH game.03103588
00492815 |. FFD7 |CALL EDI
00492817 |. 8D4C24 50 |LEA ECX,DWORD PTR SS:[ESP+50]
0049281B |. 51 |PUSH ECX
0049281C |. 68 E81E1003 |PUSH game.03101EE8
00492821 |. FFD7 |CALL EDI
00492823 |. A1 AC4C1003 |MOV EAX,DWORD PTR DS:[3104CAC]
00492828 |. 8B0D A84C1003 |MOV ECX,DWORD PTR DS:[3104CA8]
0049282E |. 40 |INC EAX
0049282F |. 41 |INC ECX
00492830 |. A3 AC4C1003 |MOV DWORD PTR DS:[3104CAC],EAX
00492835 |. 2BC1 |SUB EAX,ECX
00492837 |. 83C0 02 |ADD EAX,2
0049283A |. 890D A84C1003 |MOV DWORD PTR DS:[3104CA8],ECX
00492840 |. A3 A44C1003 |MOV DWORD PTR DS:[3104CA4],EAX
00492845 |> 8B4E 2C |MOV ECX,DWORD PTR DS:[ESI+2C]
00492848 |. 83C6 2C |ADD ESI,2C
0049284B |. 85C9 |TEST ECX,ECX
0049284D |. 8BC6 |MOV EAX,ESI
0049284F |.^75 8F \JNZ SHORT game.004927E0
00492851 |. 5F POP EDI
00492852 |. 5E POP ESI
00492853 |. 5D POP EBP
00492854 |. 5B POP EBX
00492855 |> 33C0 XOR EAX,EAX
00492857 |. 81C4 80000000 ADD ESP,80
0049285D \. C2 0400 RETN 4
00492860 > A1 3C4D1003 MOV EAX,DWORD PTR DS:[3104D3C]
00492865 . 40 INC EAX
00492866 . 3D BC020000 CMP EAX,2BC
0049286B . A3 3C4D1003 MOV DWORD PTR DS:[3104D3C],EAX
00492870 . 7D 03 JGE SHORT game.00492875
00492872 . 33C0 XOR EAX,EAX
00492874 . C3 RETN
00492875 > 53 PUSH EBX
00492876 . 56 PUSH ESI
00492877 . 33F6 XOR ESI,ESI
00492879 . 57 PUSH EDI
0049287A . C705 3C4D1003 >MOV DWORD PTR DS:[3104D3C],0
00492884 . 33D2 XOR EDX,EDX
00492886 . B9 40096000 MOV ECX,game.00600940
0049288B . EB 03 JMP SHORT game.00492890
0049288D 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
00492890 > 8B01 MOV EAX,DWORD PTR DS:[ECX]
00492892 . 85C0 TEST EAX,EAX
00492894 . 74 05 JE SHORT game.0049289B
00492896 . 0FAFC2 IMUL EAX,EDX
00492899 . 03F0 ADD ESI,EAX
0049289B > 83C1 1C ADD ECX,1C
0049289E . 42 INC EDX
0049289F . 81F9 AC0A6000 CMP ECX,game.00600AAC
004928A5 .^7C E9 JL SHORT game.00492890
004928A7 . 33C9 XOR ECX,ECX
004928A9 . B8 C40F6000 MOV EAX,game.00600FC4
004928AE . 8BFF MOV EDI,EDI
004928B0 > 8B50 84 MOV EDX,DWORD PTR DS:[EAX-7C]
004928B3 . 85D2 TEST EDX,EDX
004928B5 . 74 14 JE SHORT game.004928CB
004928B7 . 8B58 B8 MOV EBX,DWORD PTR DS:[EAX-48]
004928BA . 8B78 68 MOV EDI,DWORD PTR DS:[EAX+68]
004928BD . 03FB ADD EDI,EBX
004928BF . 0378 BC ADD EDI,DWORD PTR DS:[EAX-44]
004928C2 . 03FA ADD EDI,EDX
004928C4 . 0338 ADD EDI,DWORD PTR DS:[EAX]
004928C6 . 0FAFF9 IMUL EDI,ECX
004928C9 . 03F7 ADD ESI,EDI
004928CB > 8B90 98020000 MOV EDX,DWORD PTR DS:[EAX+298]
004928D1 . 85D2 TEST EDX,EDX
004928D3 . 74 24 JE SHORT game.004928F9
004928D5 . 8B98 14030000 MOV EBX,DWORD PTR DS:[EAX+314]
004928DB . 8BB8 7C030000 MOV EDI,DWORD PTR DS:[EAX+37C]
004928E1 . 03FB ADD EDI,EBX
004928E3 . 03B8 D0020000 ADD EDI,DWORD PTR DS:[EAX+2D0]
004928E9 . 03B8 CC020000 ADD EDI,DWORD PTR DS:[EAX+2CC]
004928EF . 03FA ADD EDI,EDX
004928F1 . 8D51 01 LEA EDX,DWORD PTR DS:[ECX+1]
004928F4 . 0FAFFA IMUL EDI,EDX
004928F7 . 03F7 ADD ESI,EDI
004928F9 > 05 28060000 ADD EAX,628
004928FE . 83C1 02 ADD ECX,2
00492901 . 3D ECDB6A00 CMP EAX,game.006ADBEC
00492906 .^7C A8 JL SHORT game.004928B0
00492908 . 5F POP EDI
00492909 . 81FE 9A8DFBA9 CMP ESI,A9FB8D9A
0049290F . 5E POP ESI
00492910 . 5B POP EBX
00492911 . 74 0A JE SHORT game.0049291D
00492913 . 6A 65 PUSH 65
00492915 . E8 F6B10C00 CALL game.0055DB10
0049291A . 83C4 04 ADD ESP,4
0049291D > B8 01000000 MOV EAX,1
00492922 . C3 RETN
The problem is in red... CMP ESI,A9FB8D9A. I'm just doing a forced jump from 00492911 to 0049291D.
I would prefer that part enabled, because if the check runs every 10 sec then this function must be an important part of the security, but I don't understand how the number A9FB8D9A is created (this number IS different on other versions of game.exe; is it some kind of checksum?).
For now I am planning to build an offset table, move the item UID table outside game.exe, and fix the functions (a lot of manual work ;)) and maybe in future an additional tool to add items to the table.
Okay... IMS that number is all the bytes in the table added together with no overflow checking. (but I could be wrong, it could even be a different function in different game.exe)
Regardless, you do want to implement some function of this nature.
The function needs to know:-
- Start byte
- Length of table
- Correct table checksum value
This would be a good opportunity to replace it with MD5 / SHA1 checksum, but the easiest way for you to do that would probably be to import that function from a DLL. There are lots of free implementations of these (very secure checksums) in C that could be made into a DLL... however, if the checking routine is external, it's very easy for a hacker to replace it with one that doesn't check, and just returns the right checksum.
Additionally, you have identified that the checksum is stored in the .text section... this helps prevent it being changed... but if it isn't changed, then your game.exe is locked to only one item-table file, and the only way to correct it is with Olly, or a hex editor.
You could store the checksum in the file, and change cmp ESI,[OffsetInMemoryLoadedFromFile] and I would suggest the start of the file, so that it doesn't move when items are added.
Alternatively, you could write a program which knows your game.exe and will allow developers to "patch" the exe directly.
Another alternative, may be to get the checksum from the games server, maybe as a web page request. (and I know you are good with those) The problem then, is that a URL can be spoofed, and the API to get a web page can be patched easily.
Whichever method you choose, the easier you make it for Devs, the easier you make it for hackers. Because if we can do it easily, so can they... and therein lies the problem.
This is a lot of why more people haven't followed this method.
Now; this may be upsetting to hear, but... if all the functions which access the item table and return a value for an item or simply okay the table were exported to a DLL which is linked in the game.exe header, the format of the item table could be completely changed. It could even be a SQLite table. The checksum could be embedded in the DLL and the calculation could be one of a number of different functions selectable at compile time... the DLL itself could then be compressed and encrypted, obscuring the checksum.
I'm not sure if that idea appeals to you, or that it is even any more secure than any of the others I list. There are probably other ways you could go too.
The programs which hack item details also disable this function the way you have, only at the point they are injected into the game.
GameGuard could block this, and the current version is supposedly harder to disable... XTrap doesn't, but could do, if the game companies paid for that service... but most of them don't.
As you may know, the reason I am loath to implement a checksum in the string patching libraries is because a single universal checksum will be broken very quickly. The only way I can imagine individual servers protecting their client for any amount of time is if each one implements a different encryption / signature (checksum) function for their set-up.
Take heart, however, in the fact that the method you are attempting to replace has been broken by every item hacker in PT already. So you can't possibly do any worse unless you leave it disabled as it is now. XD
It may also be worth noting that the function you have disabled is part of the memory which makes up the CLSafeCode... so if you keep the checksum there, it will block a modified checksum client saved to disk, and force hackers to patch the executable only after logging in... as they traditionally do. If you move it out of the main executable, then they can change the checksum on disk and not have to inject a DLL after the game has already connected and got the character details. :s
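To answer the "how is A9FB8D9A created" question from the listing itself rather than by guessing: the following is an added C reconstruction of the routine at 00492875..00492909, written here as a reading aid and not code from the game or from either poster. The constants (table at 0x600940 with a 0x1C stride, item records of 0x314 bytes starting at 0x600F48, the five dword offsets each record contributes, the skip on a zero UID) are taken from the disassembly above; the sample data is constructed. It shows that the value is a weighted 32-bit wrap-around sum of a few dwords per item, which is close to bobsobol's "bytes added with no overflow checking" and also shows exactly which bytes the check does and does not cover.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TBL1_STRIDE 0x1Cu   /* 0x600940..0x600AAC: 13 entries of 0x1C bytes */
#define ITEM_SIZE   0x314u  /* loop steps 0x628 = two records per pass; 898 records */
#define EXPECTED    0xA9FB8D9Au   /* CMP ESI,A9FB8D9A at 00492909 */

/* EAX runs 0x7C into each record, so [EAX-7C] is record offset 0 (the UID),
   [EAX-48] is 0x34, [EAX-44] is 0x38, [EAX] is 0x7C and [EAX+68] is 0xE4. */
static const size_t ITEM_FIELDS[] = { 0x00, 0x34, 0x38, 0x7C, 0xE4 };
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* ESI = sum(dword[i]*i) over table 1 + sum((uid+f34+f38+f7C+fE4)*i) over item
   records with a non-zero UID; all arithmetic wraps modulo 2^32 like IMUL/ADD. */
uint32_t table_checksum(const uint8_t *tbl1, size_t tbl1_len,
                        const uint8_t *items, uint32_t n_items)
{
    uint32_t sum = 0, idx = 0;
    for (size_t off = 0; off < tbl1_len; off += TBL1_STRIDE, idx++) {
        uint32_t v = rd32(tbl1 + off);          /* MOV EAX,[ECX] ; TEST EAX,EAX */
        if (v) sum += v * idx;                  /* IMUL EAX,EDX ; ADD ESI,EAX    */
    }
    for (idx = 0; idx < n_items; idx++) {       /* listing unrolls two per pass  */
        const uint8_t *rec = items + (size_t)idx * ITEM_SIZE;
        if (rd32(rec) == 0) continue;           /* TEST EDX,EDX ; JE             */
        uint32_t acc = 0;
        for (size_t f = 0; f < 5; f++) acc += rd32(rec + ITEM_FIELDS[f]);
        sum += acc * idx;                       /* IMUL EDI,ECX ; ADD ESI,EDI    */
    }
    return sum;
}

/* Constructed sample (not game data): table-1 entry i holds i+1; five item
   records with fixed fields, slot 2 left with UID 0 to exercise the skip. */
#define SAMPLE_ITEMS 5u
static uint8_t g_tbl1[13 * TBL1_STRIDE];
static uint8_t g_items[SAMPLE_ITEMS * ITEM_SIZE];

static void build_sample(void)
{
    memset(g_tbl1, 0, sizeof g_tbl1);
    memset(g_items, 0, sizeof g_items);
    for (uint32_t i = 0; i < 13; i++) wr32(g_tbl1 + i * TBL1_STRIDE, i + 1);
    for (uint32_t i = 0; i < SAMPLE_ITEMS; i++) {
        uint8_t *rec = g_items + i * ITEM_SIZE;
        if (i == 2) continue;                   /* empty slot: UID stays 0 */
        wr32(rec + 0x00, 0x01010100u + i);      /* UID, like the 01010100.. values */
        wr32(rec + 0x34, 10); wr32(rec + 0x38, 20);
        wr32(rec + 0x7C, 30); wr32(rec + 0xE4, 40);
    }
}

/* 728 from table 1 + sum over i in {0,1,3,4} of i*(0x01010100+i+100) = 134745618 */
uint32_t sample_checksum(void)
{
    build_sample();
    return table_checksum(g_tbl1, sizeof g_tbl1, g_items, SAMPLE_ITEMS);
}

/* Coverage: a dword outside the five covered offsets (record 1, offset 0x200)
   can change without moving the sum, and record 0 has weight 0 anyway. */
int uncovered_dword_ignored(void)
{
    uint32_t before = sample_checksum();
    wr32(g_items + ITEM_SIZE + 0x200, 0xDEADBEEFu);
    return table_checksum(g_tbl1, sizeof g_tbl1, g_items, SAMPLE_ITEMS) == before;
}
```

Run against a dump of the real 0x600940 and 0x600F48 regions from the same build, the function should return EXPECTED; a linear sum like this detects accidental corruption but is not a cryptographic integrity check, which is why the MD5 / SHA1 suggestion above is the better direction.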
I've been thinking about it for a while now and I see only a small problem with the current item security on PT. When I was playing PT I remember they "activated" something on the server and the range hack was not working (some md5 etc. check? But they enabled it only for one day, maybe the server could not handle it); however, knowing where an item is I could create my non-existing item WP999 and change it into the existing WP110 using only a memory editor, and this is working even now. So the only security issue I see here is that someone will be able to edit weapon length. If you have some examples of the "hack item details" you are talking about then I would like to hear what they were doing, because any damage edit will end up with DC4. So only the name of the item is unprotected?
So let's say I will use MD5 to check item_table.dat and if it's incorrect then the game will quit (MD5 can be in game.exe, people can't connect with an edited .exe anyway). That's the 1st security; after that the file is in memory so I need some way to protect memory from point X to Y. For some reason the function that I was showing you is not protecting game.exe from item swap (only names of items?). That's odd (it's running every 10 sec)... So I need something better, any suggestions?
I have an Item table that starts in memory at address X and ends at Y... so if someone edits it he will get DC/the game will quit.
I don't know any DontTouchMeOrIWillTerminateYou() functions that will protect my memory.
And it would be good to know if I can protect files from modification.
PS. nvm DLL... IMHO important functions should be in game.exe
The names of items come from the server. They exist in the client, but if they are wrong, blank, in a different language etc. makes absolutely no difference. Change the name in OpenItem, and that's what the user sees.
Same applies to all the stats, speed, attack power, damage, health, mana and stamina restore rate etc.
What can user change in item table to his benefit? Not a lot. The item number, and that will lead to a different mesh and icon and no details coming from server... except "You are using an unknown item, please disconnect.", so hacker has to ignore that request to disconnect anyway.
As for getting a different mesh and icon, you can change the smd file for the same item code and not be told to disconnect, and still have an attack range larger than an entire field. XD
That checksum is a very simple calculation, and I'm not convinced that it helps a lot.
The only "DontTouchMeOrIWillTerminateYou()" functions come from XTrap or GameGuard... or you can declare your own game.exe to be its own JIT debugger, and set debug interrupts on write / execute for every memory range that is sensitive, responding with TerminateProcess(0).
Essentially, imagine your game.exe required OllyDbg to launch it... it won't start without it. Olly has every memory range set with log functionality enabled in its .udd file, and its entire UI is broken so that any trapped event causes the whole lot to crash. That's what you need.
Sandurrs PT clients are already half way there. But that's not very easy to figure out, is only half of the puzzle and would be stealing. VirtualDub is an open source project and, at least in earlier versions, included a built in debugger which trapped illegal instructions and out of range memory accesses and disassembled a fair portion of the code where the error occurred, displaying it, and part of the stack, in a custom error message. It did this partly because the developer created VDub for a College project, and partly because it relies heavily on external filters written by third parties as .dll files (renamed to .vdf).
I don't know how to do what I have described... which is why I point you to several examples of where it (or something similar) has already been done.
Best of luck to you. :wink:
OK, moving to BETA status now :)
Items are loaded from an external file; age/mix working, trading, selling, throwing, taking drops, all working, even the item protection that PT has works the same way.
For now I have detected only 2 bugs:
- 1st: you can't drop gold; you can pick up gold, trade, buy and everything else that you can do with gold, but you can't drop it :/
- 2nd, not so annoying: I see "boxes" when I talk to NPCs "linked to quests" (I think that there should be info that I am on a quest)
http://oi55.tinypic.com/28i85na.jpg
After fixing the bugs I need to clean the code and add some MD5 protection to items_table.dat; MD5 might be unnecessary but I think it will scare off 99% of punks :)
And that should be enough to release game.exe + items_table.dat
"진행중인 퀘스트가 있습니다" or in EPT "You have undergoing Quest". (Another abysmal translation... "You have an ongoing quest" or "You are undergoing a trial" or "You have an active quest" but never "You have undergoing Quest"... that's not English it's just Ingreesh. XD)
Binary search for "C1 F8 C7 E0 C1 DF C0 CE 20 C4 F9 BD BA C6 AE B0 A1 20 C0 D6 BD C0 B4 CF B4 D9" should locate it, if you are struggling with the Korean.
In 1977 this string is located @ 006AADC4 in the .data section in Olly or IDA. :wink:
I have not found a cure for the bugs yet (I did not have much time) but I 'think' I found something interesting. I might be able to fix the pick up bug on EPT.
But I need some info + .exe's.
Do you remember if on older jPTs picking up items was working (I think it was but I am not sure now :/) and do you have one of those game.exe?
I also need the newest EPT game.exe.
I think that the problem is in gdi32_SelectObject, or rather in the way that different clients use it.
I might be able to do something about it but I am not promising anything :)
Operz jPT server release works fine with jPT 2400 client. It allows EPT to connect but has the pick-up & drop bugs. (client can't see many items dropped by monsters, and can't pick up any of the ones they can see)
The last EPT client I looked at was 3132, I'm not sure what they are running now.
OK I fixed "boxes" bug ;)
Somehow the translation after the item table is connected to the item table, so I have to take it inside.
Now a harder bug to fix: gold drop.
@bobsobol
Thank you for the information.
One more question:
Do you have a JPT game.exe that was working with server4096.exe and had no drop/pickup bug? I would like to be sure that I am going to fix the right function.