qf has messed up both his client and server too much. IMHO, its not worth to use any of them.
qf has messed up both his client and server too much. IMHO, its not worth to use any of them.
I agree. But there are many things that can be learned by comparing them to the originals.
I'd rather compare my old ones with the officials. :lol:
This can't be good.
Original
Code:
005CBAD3 |. push 1 ; /Arg2 = 1
005CBAD5 |. push edi ; |Arg1
005CBAD6 |. call 005D19A8 ; \Main.005D19A8
005CBADB |. pop ecx
005CBADC |. pop ecx
005CD299 |> cmp eax,6D ; Const 109
ET2v2
Code:
005CBAD3 |. push 1 ; /Arg2 = 1
005CBAD5 |. push edi ; |Arg1
005CBAD6 |. nop
005CBAD7 |. pop ecx
005CBAD8 |. mov dh,8
005CBADA |. add [ecx+59],bl
005CD299 |> cmp eax,77 ; Const 119 (was 109)
Looks like 6D (109) or 6E (110) were the 4096 max level, and in some places it's changed to 151, and in others 119.
But this NOP over the first byte of a call is really not a good edit. :$:
The skipped code is this:
Code:
005D19A8 /$ push esi ; 4096.005D19A8(guessed Arg1,Arg2)
005D19A9 |. push dword ptr [esp+0C] ; /Size => [Arg2]
005D19AD |. xor esi,esi ; |
005D19AF |. push dword ptr [esp+0C] ; |Addr => [Arg1]
005D19B3 |. inc esi ; |
005D19B4 |. call [<&KERNEL32.IsBadWritePtr>] ; \KERNEL32.IsBadWritePtr
005D19BA |. test eax,eax
005D19BC |. je short 005D19C0
005D19BE |. xor esi,esi
005D19C0 |> mov eax,esi
005D19C2 |. pop esi
005D19C3 \. ret
So aside from the fact that this neglects to pull the stack back another 4 bytes, writes rubbish to 2 bytes in an almost random memory location, it also misses the essential feasibility check that the routine it should have called was providing.
well, ATM I'm using Server4096.. Can you tell me the possible "bugs" in it?
The only "edits" to 4096 server (as far as I'm aware) are the inclusion of code to load SQL.dll and Clan.dll, to replace the functionality normally provided by PristonSQLdll.dll that was never leaked and someone was too stupid to be able to reverse engineer from its clearly labelled exports and the code that uses it, so instead they wrote another implementation and hacked it in as well, and wrote a "null" PristonSQLdll.dll. :$:
There are many bugs in SQL.dll and Clan.dll. (the originals) But Gregoos' are much cleaner.
I still say they need re-writing in C. Or we should remove them and go back to writing a proper, working PristonSQLdll.dll. But there are some "logging" functions that would be much harder to implement from the interfaces to PristonSQLdll.dll. I don't think the ones in SQL.dll and Clan.dll are inherently bad.
--- EDIT ---
Another?
Before
Code:
005BA28D |. call 005C0430
005BA292 |. add esp,8
After
Code:
005BA28D |. mov al,5C
005BA28F |. mov dh,8
005BA291 |. dd 08C48300
Really doesn't look right.
Missing call leads to
Code:
005C0430 /$ mov ecx,[esp+8]
005C0434 |. lea eax,[esp+0C]
005C0438 |. push esi
005C0439 |. mov esi,[esp+8]
005C043D |. push eax
005C043E |. push ecx
005C043F |. push esi
005C0440 |. call 005BF210
005C0445 |. push eax
005C0446 |. push esi
005C0447 |. call 005C0460
005C044C |. push esi
005C044D |. call 005C03A0
005C0452 |. add esp,18
005C0455 |. pop esi
005C0456 \. ret
Which is essentially a call convention converter for the routines it calls. They are a complex switch case, and two string formatters.
Not investigating further, it just can't be right.
I'm still getting PMs on this issue... and I don't like to share bulk data collections with just one of two people.
I would rather finish writing up my findings on this properly before releasing anything, but I may as well share how far I've got as this seems to be of such great concern. (at least to some who already know the basis of their server is flawed but don't know how or why)
This information is very basic (it gets more so the further on you read, as I haven't finished documenting what I think, or know is going on) but it lists all the changes in the disassembly of ET2v2 (by Shagpub) compared to the original Operz 4096 server.
As Gregoo has pointed out, RZ forum formatting ability is just not up to some jobs, so I've attached this comparison as a compiled HTML help file (.chm) packed up in a RAR archive.
I need tables with columns or you just can't read the info and make sense of it.
What sense you can make of it is also up to you. :scared:
Some major changes (moving tables out, changing the port number etc.) are necessary, or at least intentional and serve a very good purpose. Some "carpet bombing" with a hex editor will have no effect on your server even though it's totally trashed the code, because roughly 75% of the code is only executed when the program runs (as originally intended) as a client, and is never run when in *MODE SERVER.
So... yea, it's crap... but that doesn't actually matter for what you want to do with it.:D:
Some places there is actually some *very good* optimisation of the assembler that MSVC blindly spat out from the C source code. (no machine made clothes are ever as good as those professionally tailored by hand :wink: but we wouldn't have enough clothes to change every day if everything had to be hand tailored to fit, the same is true for code)
With all that said and done... please see the attachment if you want to learn just exactly what was changed from the original release to the most common base for all KPT servers ever since.:thumbup:
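One way to produce that kind of change list mechanically, as an added example that is not the thread's own tooling or the attached .chm: diff two builds byte for byte and map each changed file offset to its virtual address through the PE section table (the conversion the thread does by hand with CFF Explorer). The PE image it runs on is a constructed minimal PE32 sample, not the game server, and the code bytes only echo the push/call/pop/cmp pattern quoted above.

```python
import struct

def pe_sections(image: bytes):
    """Parse a PE32 section table: (ImageBase, [(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)])."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    assert image[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = struct.unpack_from("<H", image, e_lfanew + 6)[0], struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                         # optional header follows the 20-byte COFF header
    image_base = struct.unpack_from("<I", image, opt + 28)[0]  # PE32 layout (32-bit exe), not PE32+
    secs = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    return image_base, secs

def file_offset_to_va(image_base, secs, off):
    """File offset -> (section name, virtual address), the lookup CFF Explorer does by hand."""
    for name, va, _vsize, rptr, rsize in secs:
        if rptr <= off < rptr + rsize:
            return name, image_base + va + (off - rptr)
    return None, None                                           # outside every section (headers or overlay)

def diff_ranges(a: bytes, b: bytes):
    """Contiguous [start, end) file-offset ranges where the two images differ."""
    ranges, start, n = [], None, min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i] and start is None:
            start = i
        elif a[i] == b[i] and start is not None:
            ranges.append((start, i)); start = None
    if start is not None:
        ranges.append((start, n))
    return ranges

def report_patches(original: bytes, patched: bytes):
    """(section, VA, original hex, patched hex) for every patched range, addressed as Olly would show it."""
    base, secs = pe_sections(original)
    return [(*file_offset_to_va(base, secs, s), original[s:e].hex(), patched[s:e].hex())
            for s, e in diff_ranges(original, patched)]

def build_sample_pe(text: bytes) -> bytes:
    """Constructed minimal PE32: DOS stub, COFF + optional header, one .text section at RVA 0x1000 / raw 0x200."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section, 224-byte optional header
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 28, 0x400000)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0") + text

# Constructed code bytes: push 1 / push edi / call rel32 / pop ecx / pop ecx / cmp eax,6D / ret.
ORIGINAL_TEXT = bytes.fromhex("6a01 57 e800000000 5959 83f86d c3")
PATCHED_TEXT  = bytes.fromhex("6a01 57 9000000000 5959 83f877 c3")   # first byte of the call NOPed, 6D -> 77
```

`report_patches(build_sample_pe(ORIGINAL_TEXT), build_sample_pe(PATCHED_TEXT))` yields the two one-byte edits at 00401003 (e8 -> 90) and 0040100C (6d -> 77), which is the raw material for a table like the one in the .chm.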
I'm still guessing what's the 'messy' GFantasy code :p, as I think I still have all the 'original' patches somewhere ;)
Oh, gosh! What's messy?
- LordPE has made an arse of the PE file structure
- hex editing has altered instructions that were valid into a certain "Fatal Exception" all over the place
- GFantasy is bigger than it needs to be (waste of memory)
- GFantasy is located in an area of memory the C++ compiler often "thinks" is safe to use for heap allocation (or, so I suspect)
- GFantasy overloads tables in the main executable (partly) but does not remove them, and because it still partly relies on data in them, if you even zero fill them the server crashes (half done job)
I could go on, but it's insulting to your hard work. As I say, most of the tools I use were not available when you(s) were working on the base KPT server, and the techniques I use to avoid these problems... I don't know how I would achieve without those tools.
With what you had to hand, you achieved wonders. With the tools we have now... it should not EVER be done this way.
I hope you understand?
Also, I lament the fact that what was done, using what tool and what method, was never documented either. (at least not in English or anywhere I can find) Which is why
- I'm trying to document the changes now, so we can re-create the good work in a less aggressive manner, and remove the unfortunate consequences of the environment in which it was achieved
- Whenever I work on new ideas (like sharing my labels via extending the Export table, or writing SQL setup) I clearly document everything I do and share any source code I use.
Ouch, it hurts a bit, lol, but no pain, no gain :) as I was (or I mean still I am) a noob :) things like good criticism help to get better.
Yeah LordPE does a lot of weird things, but well it was the only tool I knew that would let me someway "expand" the work area, since Olly is great but I was in need to find more area where to re-write things like encryption. Yet still the area has lots of "waste space"; I left it intentionally for future changes which could come without need to keep changing sizes. But I would appreciate some guidance on better tools :)
About the C++ compiler area? Well that is new knowledge for me, I used that area since it was the first next available location, and the game itself never uses that unless explicit jumps, the area reserved by each exe file is its own, so it shouldn't have to be a trouble with anything.
About hex editing that's weird since I did every change directly with Olly, and never without an external hex-editor, so I'm not sure which that means exactly... >.<, but it could be true that the Olly constant search & replace done with ports.
Hmm about tables I'm not totally sure since I only moved 2 or 3, I tried to locate all the possible references to that area, but I didn't blank the original because I was too lazy :(, on this probably I should have put a little more work, but by the time I began to mess with tables I also was tired of this stuff.
Also I'm sure some of the following works were based on the noobish stuff I did. So all documentation was really only kept for myself as it was hard to understand by then and very few could follow me. So I had to begin to explain the use of LordPE & Olly to everyone :(, so I had to set up a small forum for those things or explain it by MSN.
Anyway not sure if it would be some help by now, but I'm gonna try later to post all the original "patches" I can find from my backups, since today many can read it :)
It probably would be useful. Thanks. :):
I think the patches are well designed, and poorly implemented. LordPE is a good tool that is *very* hard to use correctly, and *very very* easy to make a complete bollocks of. The job it's done is pretty good, considering how bad it could have been. Using a hex editor on a PE file is like using a sledge hammer to put a nail in a wall... you can do it, but you really want to hold right next to the head and gently tap... or forget any "find and replace" tool that may be in it. :wink:
It's possible to make a similar mess if you use an open memory dump displayed as hex bytes and search and replace from there... but it's easier to take note of Olly's disassembly, and what kind of section you are searching. If you do that, you win a lollipop.
I also know you aren't the only person who worked on the ET2 v2 server Shagpub released, and I know he wasn't. Just as I know some talented people from the Chinese sites worked on 4096 before Operz released it.
I suspect that they put in SQL.dll and Clan.dll code... but I'm pretty sure someone else put in PristonSQLdll.dll before them, and that whoever did that should have removed it and put SQL.dll and Clan.dll in its place in the same way they did PristonSQLdll.dll. (It's stupidly named, but implemented better, even though it's not so complete... and in our releases, has been made defunct and redundant)
The GFantasy section should, IMHO, have been implemented like PristonSQLdll.dll as well. However, there are other alternatives.
- If all the client only code and data was assessed and removed before GFantasy work, there would have been plenty of space in Olly to put what-ever we liked. :wink:
- If CFF Explorer Suite had been around, it could have added several sections with protections similar to .text, .data and .rdata and resized them as needed.
- The LoadLibrary() calls used to implement SQL.dll and Clan.dll are better than the GFantasy section... but I know people are scared to implement DLLs in their client. And so the GFantasy idea becomes KPTTrans section in clients. :(:
In my arsenal (which would not have been in anybody's, when the KPT base servers were worked on) are CFF Explorer, PE Explorer (which often disassembles more clearly than even Olly) and ODB2. (which still doesn't implement the "plug-in" system of ODB1 but is a far better base disassembler and debugger)
I also have MadEdit and the fact that I've always installed international language support, and only UK English translations in every Windows install since Windows 2000, which is now (Vista & Win7) the default to allow me to look up Korean and Japanese strings. CFF Explorer can convert the file offset to a memory offset that I can use in Olly. :wink: (So.. No, I wouldn't edit the strings in MadEdit as hexing Exes is bahd! M'kay? {Okay, I may but I'd have to do several Hail Mary's and a couple of Our Fathers' for it later :lol:} I would use Olly to look up references to that string.)
IDA Pro can actually produce a flow chart of how code is executed, and gets completely confused with Shagpub's server because so much code is so broken the CPU couldn't understand it, so how can a disassembler? :lol: (It gets even more confused by every version of SQL.dll and Clan.dll I've been able to look at with it)
Microsoft have been forced to disclose the structure of PE files in great detail because of projects like LordPE, (gratz to y0da, the original master of all things PE) Wine, HX DOS Extender etc. and MSDN blog articles like this one or its more recent second part.
I also use a mixture of modern assemblers like FASM and GOAsm which have the edge over the traditional MASM / TASM variants available back in 2002. For example, FASM will compile and link in one pass, and thus allows great control over where sections are, how they are aligned and what protection they have etc. from the source code. (not limited to linker switches) Go32 will allow you to call any API in any other PE (.exe, .dll, .des, .ocx, .scr etc.) without any header file for it, because it will use the export section of the executable AS a header. So undocumented APIs are not a problem. ^_^
I don't suppose you ever had access to, and kept source for SQL.dll and Clan.dll telatoro? Everyone has been hacking them in Olly and Hex editors ever since their release and aside from anything else, they are compiled as "Debug" builds, but distributed without the .pdb files they are linked to. :(:
If we had the source, we could not only compile as "Release" when we had them how we want them, we could also make the popular changes in source before compiling, port them to use newer MS SQL access APIs or even use another Database engine all-together. :D:
Sadly SQL.dll (2004), Clan.Dll (2004) & PristonSQL.dll (2002) are older than whenever I had access to them, as I first knew them in 2005, next to it the date of the oldest created file that I have. Sadly I just have some Olly patches in this zip (MEGAUPLOAD link), which is mostly all I have left.
Good to know that -KPT-Endless-Tower-Update-V2.2 did not fall into blender before release :wink:
All looks very interesting. Some of the languages I can't determine (not Latin, not SHIFT-JIS, not traditional or simplified Chinese, not EUC-KR... ??? WTF!) Patch1.txt (Portuguese) should be interesting for anyone looking at the packet encoding. It's not the right way to list it, but all the information is there.
I love the commenting in kick player asm.txt, even though some is inaccurate. It looks so much like stuff I do, and then look back at and go "No... that's not right, I misinterpreted that." :lol:
Thanks so much for these teletoro. :thumbup1:
i wish i could understand all this stuff... =/