Counter Measure for Rupiah drop bug!

  1. #61 Eliana Gherbaz (Valued Member, joined Oct 2013, 122 posts)
    Re: Counter Measure for Rupiah drop bug!

    Quote originally posted by jbeitz107:
    > @Eliana Gherbaz How did you manage to make the HTSSettings converter? I have spent 6 months on this project without success, because I have not located a key, nor have I been able to successfully make an encryption tool that works for it, and I just got jacked for $50 by that scammer Yagamy aka Gerardo Galacia Marin.

    Well, that took me about 3 months, because at that time (4 years ago) I didn't know how to read ASM or C++, so the first 2 months were spent learning those languages, then almost 2 weeks to find the keys for server and client, 1 week plus some days to discover which fields of the files go to the server side only, and lastly less than 3 days to make the exe that compiles HTSetting and HTScript.

    And I have to say that it was not easy for me either to find the keys, "yes the keyS", because it is not just one; each of them is 40 bytes, and those 40 bytes are not near each other (at least not in my files; I don't know about other versions).

    The compiler is indeed very simple to make once you know what it does.


    Quote originally posted by A v a r a:
    > Is this editable through HEX or Resource only?

    It is not a Resource (if we are talking about the same thing, i.e. .model .stack .data etc. <-- inside the exe ... and Resources --> outside the program, editable by programs like ResHack, XN Resource Editor and so on).

    I did it with HEX because it is just a CMP inside the code that you have to change, simple as that.

    For the logic to follow:
    when you do something on the client that needs server-side operations, your client sends "something" to the server; when the server receives your "something", it performs LOGICAL operation(s) to decide what to do. CMP/TEST etc. opcodes are always followed by conditional jumps, so let's say the server thinks like this: "this guy wants to drop something, do I allow it or not?"; if allowed it will jump to "x" and if not it will go to "y". So you only need to change the JMP/JNZ/JE/JB/JA etc. to where you want. (No need to NOP code; you only NOP when you change instructions and the newer ones use less space than the older ones.)

    Quote originally posted by TantraRex:
    > @Eliana Gherbaz how to disable the dupe of the master/disciple gift, sir?

    Well, I didn't fix that bug because I was lazy to make the fix in my DLL. The server doesn't keep a record of the gift you have received; that is why you can level up and down and receive the gift forever. What I did instead of writing code that keeps track of gifts received was disabling the function performed by the server when you request a Master, by HEX editing the CMP. In my case (files), you can only ask for a master if you are below lvl 60, so the server CMPs whether the requester's lvl is above 59; if it is, the request is rejected. So what I did was change that 59 to 0, because the minimum lvl when you start the game is always 1; that way no one can ask for a master.

    BTW, did you guys know that MASTER/DISCIPLE was developed by Hanbit as the MARRIAGE system of Tantra? That is why the icons have hearts xD. Don't know who changed the name to MASTER/DIS.

    Have fun debugging
    Regards
    Last edited by Eliana Gherbaz; 18-01-16 at 02:33 PM.

  2. #62 jbeitz107 (Tantra/Web Development, USA, joined Mar 2012, 1,471 posts)

    Re: Counter Measure for Rupiah drop bug!

    @Avara As you can see there, it is not just one line but the entire argument.

  3. #63 A v a r a (Tantra Freelancer, location: In Your Head, joined Apr 2014, 554 posts)

    Re: Counter Measure for Rupiah drop bug!

    Quote originally posted by Eliana Gherbaz:
    > Well, that took me about 3 months, because at that time (4 years ago) I didn't know how to read ASM or C++, so the first 2 months were spent learning those languages, then almost 2 weeks to find the keys for server and client, 1 week plus some days to discover which fields of the files go to the server side only, and lastly less than 3 days to make the exe that compiles HTSetting and HTScript.
    >
    > And I have to say that it was not easy for me either to find the keys, "yes the keyS", because it is not just one; each of them is 40 bytes, and those 40 bytes are not near each other (at least not in my files; I don't know about other versions).
    >
    > The compiler is indeed very simple to make once you know what it does.

    Can you at least share the links where you learned to make the compiler? Please accept me as your guest :)

  4. #64 TantraRex (Valued Member, joined Oct 2012, 110 posts)

    Re: Counter Measure for Rupiah drop bug!

    @jbeitz107

    you're wrong, mate

    you must block the offsets

    0047EB96
    0047EB97
    0047EB9C
    0047EBA1

    and change the argument with NOPs

  5. #65 A v a r a (Tantra Freelancer, location: In Your Head, joined Apr 2014, 554 posts)

    Re: Counter Measure for Rupiah drop bug!

    Quote originally posted by TantraRex:
    > @jbeitz107
    >
    > you're wrong, mate
    >
    > you must block the offsets
    >
    > 0047EB96
    > 0047EB97
    > 0047EB9C
    > 0047EBA1
    >
    > and change the argument with NOPs

    Based on his screenshot he was not wrong; maybe he forgot to mention those, but the screenshot says it all.

  6. #66 TantraRex (Valued Member, joined Oct 2012, 110 posts)

    Re: Counter Measure for Rupiah drop bug!

    @A v a r a I'm just making sure, so that anyone can understand; no offense ^_^

  7. #67 A v a r a (Tantra Freelancer, location: In Your Head, joined Apr 2014, 554 posts)

    Re: Counter Measure for Rupiah drop bug!

    Quote originally posted by jbeitz107:
    > @Avara As you can see there, it is not just one line but the entire argument.

    Yeah, I realized that one too after a little while, after I saw your first screenshot. So all good for me. Appreciate your help.

  8. #68 Eliana Gherbaz (Valued Member, joined Oct 2013, 122 posts)

    Re: Counter Measure for Rupiah drop bug!

    Quote originally posted by A v a r a:
    > Can you at least share the links where you learned to make the compiler? Please accept me as your guest :)

    I coded the compiler in Visual Basic with VS.

    For learning how to read assembler I just googled "How to read ASM" and found a lot of tutorials, and for the C++ instructions I used Microsoft MSDN.

    - - - Updated - - -

    Quote originally posted by jbeitz107:
    > @Avara As you can see there, it is not just one line but the entire argument.

    What you are showing here is a call to a function/method that has 1 parameter (Arg1); you are not in the function, you are just at the call. If you want my advice, just find the switch that is called when you send the request to the server, go to that switch and read the first lines of that code; in the first lines you will see the server compares with a value and jumps depending on it. That value is the clue and was the value that I changed.

    As an example of what I'm talking about:

    [screenshot of the assembly listing not preserved in this copy]

    The first line is the start of the switch.
    The 2nd line compares the value you selected in the switch with 7.
    The 3rd and 4th go to the corresponding function depending on the result of the compare.

    In a high-level language that is the same as:

    int eax = value_you_selected;   /* the value the switch received */
    if (eax > 7)
        xfunct();
    else
        yfunct();

    In that case, if EAX has any value above 7 (8, 9, 10, ...), xfunction will be called, and if below or equal to 7, yfunction will be called.
    Now just suppose that yfunction is the one you want to call when you send 7 or above; then you just need to change 1 line of that code, for example JA for JB, and that's all.
    if (EAX > 7) ----> if (EAX < 7)    (JA = jump if above, JB = jump if below)

    Of course this is just example code; it is not the code you have to change on the server for rejecting rupiah drops.

    ADVICE: to change a program's behavior, first you need to know well how the program behaves. Changing code like crazy without knowing what that code does is not recommended and can lead your program to bugs. For example: in the code above, first you need to know what xfunction and yfunction do and what parameters they need to execute correctly; if you NOP your code without knowing which other functions use what you NOP, at some point your program will surely crash. So again, in the above example, before changing JA for JB, you need to know who else uses that switch, and whether their code will be compromised by that change, etc.

    I don't have any reason to lie when I say that I only changed 1 line of code.

    Regards

    - - - Updated - - -

    I want to mention something about your screenshot.

    On your screen you are just selecting 3 lines of opcodes, so let's say that you NOP those 3 lines. Then what about the previous one, where code moves into the register ECX what is stored on the data segment at EBX+C, to be used as a parameter of the function called on the 3rd line of your selection? Do you know what is returned in the ECX register after calling the function that you will NOP? What will happen with the rest of the code (below what you NOP) if it uses ECX or any of the general registers (EAX, ECX, EDX, ...) without them having been updated, because you NOPed the function? (EAX always stores the return value of a function call; for the other registers you can check their use at https://en.wikipedia.org/wiki/X86_assembly_language.) Is there any opcode below that uses those general registers before updating them? For example, the returned value in the EDX register was cleared with XOR EDX,EDX, but what about the rest?
    To be brief I will just talk about EAX:
    EAX = 5 before the function is called
    EAX = 1 after the function returns

    So let's say that in any of the next lines you have something like this:
    DEC EAX          (means: decrement by 1, so EAX=0 if you don't NOP, EAX=4 if you NOP)
    TEST EAX,EAX     (means: is EAX==0? YES if you don't NOP, NO if you NOP)
    JE HTLaun.....   (means it will jump to that code if the result of TEST was YES)

    Meaning that if you just NOP, then all your code below breaks.
    Last edited by Eliana Gherbaz; 19-01-16 at 07:45 AM.

  9. #69 Eliana Gherbaz (Valued Member, joined Oct 2013, 122 posts)

    Re: Counter Measure for Rupiah drop bug!

    After almost a year since my last post in this thread, I will share the logic I followed to disable any kind of character drop at server side.
    I will not say which line of the code you need to change, not because I don't want to say which one it is, but because my Zonesrv surely doesn't have the same offsets as yours, or at least my offsets are not the same as the offsets jbeitz107 shows in his post #62; for example, what I have at offset 0047EB96 is this:

    [screenshot not preserved in this copy]

    and what jbeitz107 has at 0047EB96 is PUSH ECX.

    Let's remember that I said the only thing I did to disable any kind of drop from characters was to change 1 line of code in the zoneSrv. Well, let's see what the server does when it receives the request to drop:

    [screenshot of the server source not preserved in this copy]

    As you may see, the first thing the server does when it receives the request is check whether the character requesting the drop belongs to the GM clan:
    if( eTNClan_GM == pMob[conn].MOB.byTrimuriti ) return;

    If so, it performs a return, meaning that nothing will be done if the char requesting is a GM. We all know that GMs are not able to drop anything on the floor, right?

    Knowing that CSP_REQ_ITEM_DROP has a value of 1209 that belongs to a switch, and that eTNClan_GM is equal to 10, I searched the Zone dump file for "Case 1209", finding this ASM code:

    [screenshot of the disassembly not preserved in this copy]

    As you may see, the code is comparing some data segment address with 10 = 0A:
    CMP BYTE PTR DS:[ESI+60C1650],0A
    In this line the server is checking whether the character requesting the drop is a GM, where BYTE PTR DS:[ESI+60C1650] is where pMob[conn].MOB.byTrimuriti is stored and 0A is eTNClan_GM.

    The next line is a jump if equal (JE = jump if equal), which means "if the compared value is equal to 10 (GM) then go to 48CE56".
    Those 2 ASM lines are this in C++ code: if( eTNClan_GM == pMob[conn].MOB.byTrimuriti ) return;

    So 48CE56 is the address that performs the return in that method without doing anything. All I did in the code was change that JE to a JMP, which means jump always; that forces the server to always reject the request to drop, as I mentioned in my other posts in this thread.
    Last edited by Eliana Gherbaz; 27-12-16 at 02:57 AM.
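Editor's added example (not Eliana Gherbaz's tool and not code from this thread): a small Python patcher that does what posts #61, #68 and #69 describe for a server operator hardening their own zone server: locate the `CMP BYTE PTR [ESI+60C1650],0A` check, confirm the instruction after it is a JE, and re-encode that JE as an unconditional JMP while keeping the same branch target. It also handles the JA-to-JB style flip from post #68 and the case post #61 hints at, where the replacement instruction is shorter than the original and a NOP must fill the gap. The CMP bytes are the standard Intel encoding of the instruction quoted above; the prologue, the JE displacement, the NOP filler, the trailing RET, the default arguments and all function names are constructed for the example. Offsets are positions inside the byte buffer, so no address such as 48CE56 is assumed.

```python
import struct

# Condition-code nibble (the "tttn" field) for each conditional-jump mnemonic.
# Short form: 0x70 | cc, rel8 (2 bytes). Near form: 0x0F, 0x80 | cc, rel32 (6 bytes).
CC = {
    "JO": 0x0, "JNO": 0x1, "JB": 0x2, "JAE": 0x3, "JE": 0x4, "JNE": 0x5,
    "JBE": 0x6, "JA": 0x7, "JS": 0x8, "JNS": 0x9, "JP": 0xA, "JNP": 0xB,
    "JL": 0xC, "JGE": 0xD, "JLE": 0xE, "JG": 0xF,
}
CC_NAME = {v: k for k, v in CC.items()}
NOP = 0x90


def decode_jump(buf, off):
    """Decode the relative jump at buf[off]; return (mnemonic, length, target_offset).

    The displacement is relative to the END of the instruction, so
    target = off + length + rel. Working in buffer offsets is enough for a
    file patcher: file offset and virtual address shift together.
    """
    op = buf[off]
    if 0x70 <= op <= 0x7F:                              # Jcc rel8
        rel = struct.unpack_from("<b", buf, off + 1)[0]
        return CC_NAME[op - 0x70], 2, off + 2 + rel
    if op == 0xEB:                                      # JMP rel8
        rel = struct.unpack_from("<b", buf, off + 1)[0]
        return "JMP", 2, off + 2 + rel
    if op == 0x0F and 0x80 <= buf[off + 1] <= 0x8F:     # Jcc rel32
        rel = struct.unpack_from("<i", buf, off + 2)[0]
        return CC_NAME[buf[off + 1] - 0x80], 6, off + 6 + rel
    if op == 0xE9:                                      # JMP rel32
        rel = struct.unpack_from("<i", buf, off + 1)[0]
        return "JMP", 5, off + 5 + rel
    raise ValueError(f"no relative jump at offset {off:#x}")


def patch_jump(buf, off, new_mnemonic):
    """Return a copy of buf with the jump at off re-encoded as new_mnemonic,
    keeping the original branch target.

    A 6-byte near Jcc becoming a 5-byte near JMP is the case the thread warns
    about: the rel32 must be recomputed against the shorter instruction's end
    and the spare byte filled with a NOP so the next instruction stays put.
    """
    mnemonic, length, target = decode_jump(buf, off)
    out = bytearray(buf)
    if new_mnemonic == "JMP":
        if mnemonic == "JMP":
            raise ValueError("already an unconditional jump")
        if length == 2:
            out[off] = 0xEB                             # same size, rel8 still valid
        else:
            out[off] = 0xE9
            struct.pack_into("<i", out, off + 1, target - (off + 5))
            out[off + 5] = NOP
    else:
        if mnemonic == "JMP":
            raise ValueError("cannot make an unconditional jump conditional in place")
        cc = CC[new_mnemonic]
        if length == 2:
            out[off] = 0x70 | cc
        else:
            out[off + 1] = 0x80 | cc
    if decode_jump(out, off)[2] != target:              # self-check before writing
        raise AssertionError("branch target changed")
    return bytes(out)


def find_gm_check(buf, disp32=0x060C1650, imm8=0x0A):
    """Locate 'CMP BYTE PTR [ESI+disp32], imm8' (opcode 80 /7, ModRM 0xBE) and
    return (cmp_off, jump_off) for the conditional jump that follows it, or
    None if the pattern is absent or not followed by a Jcc."""
    pattern = bytes([0x80, 0xBE]) + struct.pack("<I", disp32) + bytes([imm8])
    cmp_off = buf.find(pattern)
    if cmp_off < 0:
        return None
    jump_off = cmp_off + len(pattern)
    try:
        mnemonic, _, _ = decode_jump(buf, jump_off)
    except (ValueError, struct.error, IndexError):
        return None
    return (cmp_off, jump_off) if mnemonic != "JMP" else None


def disable_drop_request(buf):
    """The thread's hardening: make the GM-clan JE unconditional so every
    drop request takes the early-return path. Refuses to patch anything
    that does not look exactly like the expected CMP + JE pair."""
    hit = find_gm_check(buf)
    if hit is None:
        raise ValueError("GM-clan check not found; offsets differ per build")
    _, jump_off = hit
    if decode_jump(buf, jump_off)[0] != "JE":
        raise ValueError("expected a JE after the CMP; refusing to patch blindly")
    return patch_jump(buf, jump_off, "JMP")


# Constructed sample buffer: made-up prologue, the CMP as quoted in the post,
# a JE with a made-up displacement, NOP filler, and a RET at the jump target.
SAMPLE = bytes.fromhex(
    "55 8b ec"                 # push ebp / mov ebp, esp            (constructed)
    "80 be 50 16 0c 06 0a"     # cmp byte ptr [esi+060C1650h], 0Ah  (from the post)
    "0f 84 20 00 00 00"        # je +0x20 -> the ret below          (constructed)
    + "90" * 0x20              # filler standing in for the drop logic
    + "c3"                     # ret: the "do nothing" exit
)

if __name__ == "__main__":
    off = find_gm_check(SAMPLE)[1]
    print("before:", decode_jump(SAMPLE, off))
    patched = disable_drop_request(SAMPLE)
    print("after: ", decode_jump(patched, off), "pad byte:", hex(patched[off + 5]))
```

The self-check in `patch_jump` is the part worth keeping in any real patcher: re-decoding the bytes you just wrote and comparing the destination catches the off-by-one that appears when a 6-byte JE becomes a 5-byte JMP, and `disable_drop_request` refusing anything but the exact CMP + JE pair is what keeps you from NOPing into a register-dependent call as discussed in post #68.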

  10. #70 carlreman (Novice, joined Jun 2016, 3 posts)

    Re: Counter Measure for Rupiah drop bug!

    Quote originally posted by Eliana Gherbaz:
    > Hi, my server is Tantra Online Kathana VI ~ Neo Oriental Fantasy MMORPG; when you try to drop from inventory the server will reject the request. The server doesn't crash, but your inventory gets blocked; at that point all you need to do to unblock it is unequip anything from your char.

    As expected from Tantra Online Kathana VI ~ Neo Oriental Fantasy MMORPG, it has the best developer I've encountered so far.
    It fixes bugs in no time and is active most of the time.

    But I would say Tantra Surya is the best server I've played! Unfortunately it's closed.
    It's best in terms of using old Mandara and its far viewing distance from mobs and players, detailed objects, custom god skills and characters, and its old-school exp grinding; unfortunately they don't have an active GM.

    P.S. It's off topic, just an avid Tantra player passing by.

  11. #71 dirtybird (Apprentice, joined Jan 2017, 5 posts)

    Re: Counter Measure for Rupiah drop bug!

    Hi guys, what if they disable looting of rupiahs, can I still dupe rupiahs? Reply asap :)

  12. #72 daisuki (Novice, joined Jan 2017, 3 posts)

    Re: Counter Measure for Rupiah drop bug!

    Quote originally posted by Shichibukai:
    > No, it will not crash the zone, unless you modified a different offset; jbeitz and I tried that one and it worked without issues. We already did a couple of trials and errors before jbeitz shared that image, due to someone who's taking advantage of what we have found and selling that information. Credits also to Eliana, who provided good clues.

    It seems mine looks different from you guys; can someone help how to find its offset similar to your 0047E96?
    Last edited by daisuki; 04-01-17 at 06:35 PM. Reason: too large img

  13. #73 Eliana Gherbaz (Valued Member, joined Oct 2013, 122 posts)

    Re: Counter Measure for Rupiah drop bug!

    @daisuki you are not inside the HTLauncher module, you are inside the ntdll module, as you show in your pic.
    So right-click anywhere inside the CPU window, then select View and then select HTLauncher; then you will be inside the HTLauncher module.

    Another way is to use Go to/Expression 2 times.
    Last edited by Eliana Gherbaz; 04-01-17 at 10:35 PM.

  14. #74 Shichibukai (Account Upgraded | Title Enabled!, joined Apr 2012, 463 posts)

    Re: Counter Measure for Rupiah drop bug!

    You may also press F9, if I'm not mistaken.

  15. #75 daisuki (Novice, joined Jan 2017, 3 posts)

    Re: Counter Measure for Rupiah drop bug!

    Quote originally posted by Eliana Gherbaz:
    > @daisuki you are not inside the HTLauncher module, you are inside the ntdll module, as you show in your pic.
    > So right-click anywhere inside the CPU window, then select View and then select HTLauncher; then you will be inside the HTLauncher module.
    >
    > Another way is to use Go to/Expression 2 times.

    Thank you Eliana, you're such a big help. I'm just a newbie at running a server! Also thank you for replying to my message on your board.


