Re: WindowMode ( DC After Login )
I would recommend closing one issue before working on another.
If there are checksum routines, they will address the data being checked... probably near the start of the data, but possibly before, and running into it. Select an area of memory covering all your data, and maybe a bit before and a bit after, then search for references in code.
The routine you are looking for will iterate (loop) through memory addresses reading them and summing them with a register or memory value. It may be a function that is called. You may have to "understand" all the other routines which access that memory, set a breakpoint on (or before) each referencing instruction, and as they are reached, trace them to "understand" what they are doing. Some may be obvious enough just from the listing, but as you "understand" that this is not the routine you are looking for, you can remove breakpoints.
When you find the right one, you either need to disable it, or match the memory it compares against with the number it has calculated.
Whether you need to NOP, or change JNZ to JMP all depends on the code you are trying to disable. I would always NOP out code I remove, but you can JMP over the NOPs you fill in to save CPU cycles. (Actually, it usually doesn't unless you are skipping more than a couple of words, but it may still save level 1 cache space.)
If a jump happens when a match is made (JZ (jump if zero) or JNZ (jump if not zero), JE (jump if equal) or JNE (jump if not equal), JG (jump if greater) or JL (jump if less)) and you don't ever want that match to be made, NOP it out, and JMP the NOPs. You may want to clear the CMP or OR or XOR before it that sets the flag in the first place, as it is now redundant, and NOP out the code that is now always skipped to clarify that it is now free space you could add a new routine in.
If you always want the match to be made, change the JZ, JNZ etc. to a JMP.
There are other forms of comparison, as each instruction sets flags, but the common ones are CMP, OR, XOR, TEST and sometimes LEA. CMP compares two registers and sets Z (zero) and E (equal) on a match. It also sets for less than or greater than so you can JG or JL (Jump Less or Jump Greater). XOR is somewhat quicker as it performs a binary exclusive or. Since any number XORed with itself is always 0 you can JZ or JNZ based on an XOR comparison very easily, but you can't JG or JL.
There are also JC and JNC against the Carry flag, which is set if there is any overflow in the previous operation. For example, if you add 1 to 4294967295 in a 32 bit register, the answer is 0 carry 1, because you have exceeded the storage space of the register. PT uses carry in some of its checksum routines, but it's also used for "overflow" checking.
If a CALL is made that you don't want to ever be called, you can make its first line a RET or NOP out the CALL, and optionally JMP the NOPs. If you want to replace only one particular call to that function you will definitely want to choose the latter approach, but if you want a global removal of that routine, the former is the quick way.
You can also NOP out all CALLs to a subroutine, and then NOP out the entire routine, freeing that for new code. (Actually it's free from the moment you remove the last call to it, but a bunch of useless NOPs that nothing points to kind of stands out when you are looking for a nice "Code Cave"; it compresses better when you zip it up too.)
Re: WindowMode ( DC After Login )
hmm
so...
Bob, do you think at the start of the Itemtable there's a place that calls a checksum?
Is it in the same place as the start of the table?
It would become easier if I'm right...
Re: WindowMode ( DC After Login )
No no... sorry, you misunderstand. I shall try to explain more clearly.
Okay, as an example, I want to store a table of the numbers 1 to 10 as 32-bit DWords at address 0x00400000. So, my table stores the DWords:-
Code:
0x00400000 : 0x00000001
0x00400004 : 0x00000002
0x00400008 : 0x00000003
0x0040000C : 0x00000004
0x00400010 : 0x00000005
0x00400014 : 0x00000006
0x00400018 : 0x00000007
0x0040001C : 0x00000008
0x00400020 : 0x00000009
0x00400024 : 0x0000000A
I want to ensure nobody messes this table up, so I make a checksum, which is all the numbers added together. Too simple to be effective, but simple is what I'm aiming for.
Now I iterate through the table and compare my result with a const. I'll use BASIC syntax, again for simplicity.
Code:
Const ChkRight = 0x00000037   ' 1+2+...+10 = 55 = 0x37, the expected sum
Dim i As Long                 ' address currently being read
Dim Chk As Long               ' running sum of the DWords
Chk = 0
For i = 0x00400000 To 0x00400024 Step 4
    Chk = Chk + DPeek(i)      ' DPeek reads the DWord stored at address i
Next i
If Chk = ChkRight Then
    MsgBox(0, "Checksum OK", "Table is untampered.", MB_OK)
Else
    MsgBox(0, "Checksum Fail!", "Table has been modified.", MB_OK)
    Exit -1
EndIf
The "const" is processed by the parser, and filled in before compilation time, so it will not be in the Data area anywhere... however, if you look at the "LameCrypt" code in your original release with the new map, it encrypts all of the Exp table, and 16 (IMS) bytes before that memory section. ^_^ That enables it to "hide" the built-in IP string "127.0.0.1" as well as that Exp table.
Some of the checksum routines in PT are made like that, they cover more than one table, or just a few bytes before and a few bytes after.
Of course the *CLSAFE_CODE covers the entire Code and Data section of the main executable... so if you are using that server side, that will always DC you. -.- But I'm sure you knew that. When it's only a few bytes before and / or a few bytes beyond, I suspect that is done only so you don't find the routine when searching for code that references the table. :wink:
Searching for references to 0x00400000 would find the "For" statement, or rather its Asm equivalent, if the routine were the one illustrated. But the "For" could just as easily be "For i=0x0038FFF0 to 0x00400028 Step 4" if ChkRight is adjusted accordingly. And that is why I suggest working your way back from the start of the table.
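The following is an added example, not code from this thread or from PT: a Python model of the DWord-summing integrity check described above (the BASIC routine and the point about the checked range extending before the table). The memory image, its base address 0x003FFFF0, the 16-byte prefix standing in for the "127.0.0.1" string, and the helper names are all constructed for illustration. It shows that the routine's expected constant depends entirely on which addresses are summed, and that a single changed DWord anywhere inside that range is detected.

```python
import struct

TABLE_BASE = 0x00400000   # address of the table in the thread's example
TABLE_END = 0x00400024    # address of the table's last DWord (inclusive)
IMAGE_BASE = 0x003FFFF0   # constructed: our fake memory image starts 16 bytes before the table


def build_image():
    """Construct a fake memory image: 16 bytes of other data, then the DWords 1..10.

    The prefix is a constructed stand-in for the IP string the thread mentions
    sitting just before the table; it is not taken from any real client.
    """
    prefix = b"127.0.0.1\x00" + b"\x00" * 6            # exactly 16 bytes
    table = b"".join(struct.pack("<I", n) for n in range(1, 11))
    return prefix + table


def dpeek(image, addr):
    """Read the little-endian DWord at virtual address addr (the BASIC DPeek)."""
    return struct.unpack_from("<I", image, addr - IMAGE_BASE)[0]


def checksum(image, start, end, step=4):
    """Sum every DWord from start to end inclusive, wrapping at 32 bits like a register."""
    chk = 0
    for addr in range(start, end + 1, step):
        chk = (chk + dpeek(image, addr)) & 0xFFFFFFFF
    return chk


def verify(image, start, end, expected):
    """True when the summed range still matches the expected constant."""
    return checksum(image, start, end) == expected


def poke_dword(image, addr, value):
    """Return a copy of the image with the DWord at addr replaced (a modified table)."""
    off = addr - IMAGE_BASE
    return image[:off] + struct.pack("<I", value) + image[off + 4:]


if __name__ == "__main__":
    img = build_image()
    # Table-only range: the constant the BASIC routine would carry (0x37).
    print("table range    :", hex(checksum(img, TABLE_BASE, TABLE_END)))
    # Range starting 16 bytes earlier: a different constant, same table contents.
    print("extended range :", hex(checksum(img, IMAGE_BASE, TABLE_END)))
    # Change one entry and the table-only check fails.
    modified = poke_dword(img, 0x00400008, 0x63)
    print("after change   :", verify(modified, TABLE_BASE, TABLE_END, 0x37))
```

The two printed constants differ only because the start address differs; that is the situation the thread describes, where a routine summing from before the table carries a constant that no longer looks related to the table's own contents.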
Re: WindowMode ( DC After Login )
Give me your game which you want to fix; after I fix it, I will post it to you...
Re: WindowMode ( DC After Login )
@rxaicy
Where and how can I start to search?
I want to learn by myself, but with some help.
If you can add me I would like that very much...
But what can I do?
@bob, I understand how the code works, but I want to know a way to find this in the client...
+P
Re: WindowMode ( DC After Login )
I think I have said, to find the code, you will have to look at references to the table. Then just read, and trace them to see which one is iterating through all bytes (or Words or DWords or even Quads, but usually DWords) in the table and summing up their value.
You have some idea what the code you are looking for will look like, and you know the data it will reference. What more do you need to know? :ehh:
Re: WindowMode ( DC After Login )
Hmmm, I understand now, I will try something... thanks =D