DriftCity Client

  1. #1
    Fyyre Fyyre
    Join Date: Oct 2007
    Location: Europe
    Posts: 273

    DriftCity Client

    Here is a brief 'howto' I wrote:

    This 'howto' assumes you are capable of unpacking Asprotect on your own. Or are making some dll to patch memory.

    If having trouble, here is some detail for you:

    0x43CC84 <<-- OEP

    PUSH 74
    PUSH DriftCit.0089D488
    CALL DriftCit.0083CFDC
    XOR EBX, EBX
    MOV DWORD PTR SS:[EBP-20], EBX
    PUSH EBX
    MOV EDI, DWORD PTR DS:[86C0EC] ; kernel32.GetModuleHandleA
    CALL EDI
    CMP WORD PTR DS:[EAX], 5A4D
    JNZ SHORT DriftCit.0083CCC4
    MOV ECX, DWORD PTR DS:[EAX+3C]

    searching for 66 81 38 4D 5A 75 1F 8B 48 3C 03 C8 81 39 50 45 00 00 75 12 0F B7 41 18 3D 0B 01 00 00 74 1F 3D 0B 02 00 00 74 05 from within context of DriftCity.exe will bring you to the OEP.

    Now, let us remove the launcher nag we get when attempting to start DriftCity.exe directly.

    Start from WinMain. If you are unable to locate... search for binary pattern: 83 C4 04 B0 01 C3 B8 38 11 00 00

    function begins with:

    mov eax, 0x1138

    once here, scroll down the disasm a bit...

    notice the error messages "HanAuthForClient.dll not found.", "This program needs to be started from game homepage.", etc...

    Skipping to the point (if you know what you are doing already, you should single step, and patch the obvious jxx instructions).

    CMP EAX, 1
    JNZ SHORT DriftCit.004D4937 <<-- (change to JMP ) 0xeb 0x34

    next...

    cmp eax, 5
    je 4d4a56 <<-- (change to JMP ) change to 0xeb 0x56

    next, patch where above jmp lands...

    test al, al
    jmp 004D4A86 <<-- (change to JMP ) 0xEB 0x22

    Okay... that takes care of the nag.

    Next, we disable GameGuard. Look down some at the disassembly, until you see:


    CMP EAX, 0B7
    JNZ SHORT $+14
    MOV EAX, 309
    ADD ESP, 1138
    RETN 10
    CALL address

    MOV ECX, DWORD PTR DS:[8E8EA0]
    MOV EAX, DWORD PTR DS:[ECX]

    CALL DWORD PTR DS:[EAX+4] ; <<-- This calls InitGameGuard

    TEST AL, AL ; <<-- test for success ( bool )
    JNZ SHORT 12_.004D4B44 ; <<-- if we fail, JNZ is not taken

    How to disable? Simple.

    NOP both the call addr and test al, al instruction (since test is no longer needed..), and change the JE to JMP:

    90 NOP
    90 NOP
    90 NOP
    90 NOP
    90 NOP
    EB 0E JMP SHORT 12_.004D4B42


    Save modifications to the .exe file -- that is all.


    -Fyyre
    Last edited by MentaL; 30-01-11 at 03:30 PM.


  2. #2
    Doggie And Rice. Military
    Join Date: Jun 2009
    Location: Here and About
    Posts: 3,301

    Re: DriftCity Client

    Thank you sir.

  3. #3
    Member ARTYOMT
    Join Date: Mar 2009
    Location: Russia
    Posts: 57

    Re: DriftCity Client

    Awesome DC will soon be revived to community

  4. #4
    Proficient Member ccleanerz
    Join Date: Jan 2011
    Location: FRA
    Posts: 171

    Re: DriftCity Client

    good job (thank)

  5. #5
    Fyyre Fyyre
    Join Date: Oct 2007
    Location: Europe
    Posts: 273

    Re: DriftCity Client

    Surely, I hope it is useful.

    Here is the DriftCity.exe I unpack from Ver. 03i (linked in Detour thread) -- note, I modified this binary so he attempts connections to localhost ( 127.0.0.1 ).

    VirusTotal scan results

    Unpacked DriftCity binary

  6. #6
    Member ARTYOMT
    Join Date: Mar 2009
    Location: Russia
    Posts: 57

    Re: DriftCity Client

    Drift City will soon finally go private server and no more donating it yeah!

  7. #7
    Enthusiast nerdyguy64
    Join Date: Jul 2010
    Posts: 36

    Re: DriftCity Client

    Quote Originally Posted by Fyyre View Post
    Surely, I hope it is useful.

    Here is the DriftCity.exe I unpack from Ver. 03i (linked in Detour thread) -- note, I modified this binary so he attempts connections to localhost ( 127.0.0.1 ).

    VirusTotal scan results

    Unpacked DriftCity binary
    How did you edit the client to connect to 127.0.0.1? Did you reverse engineer the client?

    ---------- Post added at 07:17 PM ---------- Previous post was at 07:16 PM ----------

    What client version is this for?

  8. #8
    DRGunZ 2 Creator wesman2232
    Join Date: Jan 2007
    Location: Erie, PA
    Posts: 4,872

    Re: DriftCity Client

    Nice job. Once Checkpoint or someone gets a server up, please be sure to tell me.

  9. #9
    Fyyre Fyyre
    Join Date: Oct 2007
    Location: Europe
    Posts: 273

    Re: DriftCity Client

    Anyone may do it:

    Code:
    48 6F 73 74 00 00 00 00  41 75 74 68 00 00 00 00   Host....Auth....
    31 30 2E 31 32 2E 31 34  2E 37 35 00 25 73 2F 69   10.12.14.75.%s/i
    6E 69 74 2F 6E 65 74 77  6F 72 6B 2E 74 78 74 00   nit/network.txt.
    See the above IP address? Replace it with IP you wish to connect to. The NULL byte must be preserved at the end of this string .75 (i.e. 0x37 0x35) where 0x00 is the NULL byte at end of string.

    Quote Originally Posted by nerdyguy64 View Post
    How did you edit the client to connect to 127.0.0.1? Did you reverse engineer the client?

    ---------- Post added at 07:17 PM ---------- Previous post was at 07:16 PM ----------

    What client version is this for?
    0.3i or such? See first posting.

    -Fyyre
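
Added example (not from the thread or from any poster): a small Python triage helper that reads the dump above the way C string code does. It lists the NUL-terminated strings, picks out the hard-coded IPv4 literal, and shows what a reader sees when the terminating 0x00 is missing. The function names are this example's own; the input bytes are the three dump rows from the post, and the 'X' overwrite is a constructed failure case.

```python
import ipaddress

# The three dump rows from the post, as bytes (input data for this example).
DUMP = bytes.fromhex(
    "48 6F 73 74 00 00 00 00 41 75 74 68 00 00 00 00 "
    "31 30 2E 31 32 2E 31 34 2E 37 35 00 25 73 2F 69 "
    "6E 69 74 2F 6E 65 74 77 6F 72 6B 2E 74 78 74 00"
)

def read_cstring(blob, offset):
    """Read from offset up to the first 0x00, the way C string code does."""
    end = blob.find(b"\x00", offset)
    if end == -1:
        raise ValueError("no terminator before end of buffer")
    return blob[offset:end].decode("ascii", errors="replace")

def cstrings(blob, min_len=4):
    """Return (offset, text) for each NUL-terminated printable-ASCII run."""
    found, start = [], None
    for i, byte in enumerate(blob):
        if 0x20 <= byte < 0x7F:
            if start is None:
                start = i
            continue
        if start is not None and byte == 0 and i - start >= min_len:
            found.append((start, blob[start:i].decode("ascii")))
        start = None
    return found

def embedded_ipv4(blob):
    """Keep only the strings that parse as dotted-quad IPv4 literals."""
    hits = []
    for offset, text in cstrings(blob):
        try:
            ipaddress.IPv4Address(text)
        except ValueError:
            continue
        hits.append((offset, text))
    return hits

def missing_terminator_view():
    """Constructed failure case: the 0x00 at offset 27 replaced by 'X'."""
    broken = bytearray(DUMP)
    broken[27] = ord("X")
    return read_cstring(broken, 16), embedded_ipv4(bytes(broken))

if __name__ == "__main__":
    print(cstrings(DUMP))
    print(embedded_ipv4(DUMP))
    print(missing_terminator_view())
```

Without the 0x00 the address string runs straight into the format string that follows it, so it no longer parses as an address.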

  10. #10
    Proficient Member ccleanerz
    Join Date: Jan 2011
    Location: FRA
    Posts: 171

    Re: DriftCity Client

    Quote Originally Posted by Fyyre View Post
    Anyone may do it:

    Code:
    48 6F 73 74 00 00 00 00  41 75 74 68 00 00 00 00   Host....Auth....
    31 30 2E 31 32 2E 31 34  2E 37 35 00 25 73 2F 69   10.12.14.75.%s/i
    6E 69 74 2F 6E 65 74 77  6F 72 6B 2E 74 78 74 00   nit/network.txt.
    See the above IP address? Replace it with IP you wish to connect to. The NULL byte must be preserved at the end of this string .75 (i.e. 0x37 0x35) where 0x00 is the NULL byte at end of string.

    -Fyyre
    Ah ! thanks again :)

  11. #11
    Enthusiast nerdyguy64
    Join Date: Jul 2010
    Posts: 36

    Re: DriftCity Client

    Quote Originally Posted by Fyyre View Post
    Anyone may do it:

    Code:
    48 6F 73 74 00 00 00 00  41 75 74 68 00 00 00 00   Host....Auth....
    31 30 2E 31 32 2E 31 34  2E 37 35 00 25 73 2F 69   10.12.14.75.%s/i
    6E 69 74 2F 6E 65 74 77  6F 72 6B 2E 74 78 74 00   nit/network.txt.
    See the above IP address? Replace it with IP you wish to connect to. The NULL byte must be preserved at the end of this string .75 (i.e. 0x37 0x35) where 0x00 is the NULL byte at end of string.


    0.3i or such? See first posting.

    -Fyyre

    Thank you for helping, do I just open it in hex edit. Excuse my lack of knowledge on this. I'm guessing it's hex edit, thanks again!

    Oh if you don't mind, I have the Green Tea Server stuff (zoneserver) and I set it up in SQL. But I was wondering how do you connect to it. I understand that nobody has gotten game play yet, but I just want to play around with it. I open the 3 zoneserver executable but how do I try and connect to 127.0.0.1 the client freezes and it crashes at the loading screen. If you don't mind could you point me in the right direction with this?

    -Dan

    (oh does it matter if you don't open the 3 trafficAgent, I just opened the 3 zoneserver, but there are 2 other zoneservers that it doesn't say to open )

  12. #12
    Fyyre Fyyre
    Join Date: Oct 2007
    Location: Europe
    Posts: 273

    Re: DriftCity Client

    I am not any expert on this (in same boat, cannot get everything working and play) -- but the server(s) listen on any available interface (IP address), so when client attempts to connect via localhost (127.0.0.1), it is guaranteed a port listening for this connection request.

    If you look at console window of the ZoneServer when client is attempting to connect, you should see some error message there, or in the log files.. if client crashing when you attempt to run it.... what version of Windows is it ?

    And hex editor, yes -- like WinHex.

    -Fyyre

    Quote Originally Posted by nerdyguy64 View Post
    Thank you for helping, do I just open it in hex edit. Excuse my lack of knowledge on this. I'm guessing it's hex edit, thanks again!

    Oh if you don't mind, I have the Green Tea Server stuff (zoneserver) and I set it up in SQL. But I was wondering how do you connect to it. I understand that nobody has gotten game play yet, but I just want to play around with it. I open the 3 zoneserver executable but how do I try and connect to 127.0.0.1 the client freezes and it crashes at the loading screen. If you don't mind could you point me in the right direction with this?

    -Dan

    (oh does it matter if you don't open the 3 trafficAgent, I just opened the 3 zoneserver, but there are 2 other zoneservers that it doesn't say to open )

  13. #13
    Account Upgraded | Title Enabled! CheckPoint
    Join Date: Sep 2009
    Posts: 507

    Re: DriftCity Client

    If the client successfully connects, after the authentication it should display a HanIPCheck error. If you can't unpack the client, you should use the connect hook I posted a few posts earlier. Along with the DriftDetour (Unless if you got the ZoneServer connected to the database via the ODBC driver), it should let you get to the server select screen. In order to get a working serverlist, create a serverlist.txt inside your ZoneServer folder and paste the following:
    Code:
    100 NameOfServer 192.168.0.100 11011	192.168.0.100 11021	192.168.0.100 11031	192.168.0.100 11041	100
    Where 100 is the ServerID specified in ZoneServerConfig.ini, 11011-11041 are the listener ports, and NameOfServer is your server's name. On most clients (except for 0.3-0.5i), it will retrieve a faulty character list. Once you do create a character and manage to create a game session, your client will most likely crash at the end of loading.

  14. #14
    Enthusiast nerdyguy64
    Join Date: Jul 2010
    Posts: 36

    Re: DriftCity Client

    Quote Originally Posted by Fyyre View Post
    I am not any expert on this (in same boat, cannot get everything working and play) -- but the server(s) listen on any available interface (IP address), so when client attempts to connect via localhost (127.0.0.1), it is guaranteed a port listening for this connection request.

    If you look at console window of the ZoneServer when client is attempting to connect, you should see some error message there, or in the log files.. if client crashing when you attempt to run it.... what version of Windows is it ?

    And hex editor, yes -- like WinHex.

    -Fyyre
    Well I'm running Windows Vista Home Premium 32 bit. Is it ok if I download the 2007 client and use your executable? Or do I have to use 0.5f (the version you use) to run it? I'm gonna play around with it, see what I can do.

    -Dan

    ---------- Post added at 09:31 PM ---------- Previous post was at 09:22 PM ----------

    Quote Originally Posted by CheckPoint View Post
    If the client successfully connects, after the authentication it should display a HanIPCheck error. If you can't unpack the client, you should use the connect hook I posted a few posts earlier. Along with the DriftDetour (Unless if you got the ZoneServer connected to the database via the ODBC driver), it should let you get to the server select screen. In order to get a working serverlist, create a serverlist.txt inside your ZoneServer folder and paste the following:
    Code:
    100 NameOfServer 192.168.0.100 11011	192.168.0.100 11021	192.168.0.100 11031	192.168.0.100 11041	100
    Where 100 is the ServerID specified in ZoneServerConfig.ini, 11011-11041 are the listener ports, and NameOfServer is your server's name. On most clients (except for 0.3-0.5i), it will retrieve a faulty character list. Once you do create a character and manage to create a game session, your client will most likely crash at the end of loading.
    Did you explain this in your other post, DriftDetour and the hook connection to get past the hanIPcheck? I'll take a look at it and see if I can get it to the server list.

    I understood about 3/4 of what you said. When you say create a serverlist.txt, which ZoneServer folder, is it all 5 or just one? Oh what do you mean by 0.3-0.5i, I know they are version numbers but aren't those like the 2007 client but just updated a little bit? Again forgive my lack of knowledge on this, I just want to gather as much information about the client as I can. Why does it crash at the end of loading, I'm guessing that's because it retrieves a faulty character list. Will 0.3-0.5i work, will they retrieve a valid character list? Sorry for 20 questions.

    -Dan

    ---------- Post added at 10:01 PM ---------- Previous post was at 09:31 PM ----------

    Quote Originally Posted by nerdyguy64 View Post
    Thank you for helping, do I just open it in hex edit. Excuse my lack of knowledge on this. I'm guessing it's hex edit, thanks again!

    Oh if you don't mind, I have the Green Tea Server stuff (zoneserver) and I set it up in SQL. But I was wondering how do you connect to it. I understand that nobody has gotten game play yet, but I just want to play around with it. I open the 3 zoneserver executable but how do I try and connect to 127.0.0.1 the client freezes and it crashes at the loading screen. If you don't mind could you point me in the right direction with this?

    -Dan

    (oh does it matter if you don't open the 3 trafficAgent, I just opened the 3 zoneserver, but there are 2 other zoneservers that it doesn't say to open )
    Excuse me for asking this, but what is a NULL byte. Can't I just replace the ip (127.0.0.1) with another ip? Is that possible or is there something else I have to do. I'm just talking about your hacked client, I know that you have to do more to a client that hasn't been hacked but I'm wondering about the ip thing.

    -Dan

    ---------- Post added at 10:14 PM ---------- Previous post was at 10:01 PM ----------

    Again I'm sorry for 20 questions, I'm new at this

    I'm trying to edit the 2007 client (you put instructions on how to do that (first post)) but I can't find any of the binary, Hex or unicode you posted (WinMain I think is Unicode, but I'm not sure). But I scrolled down and I saw a huge part was just zeros:


    005CEB69 00 DB 00
    005CEB6A 00 DB 00
    005CEB6B 00 DB 00
    005CEB6C 00 DB 00
    005CEB6D 00 DB 00
    005CEB6E . 00000000 DD 00000000
    005CEB72 00000000 DD 00000000
    005CEB76 00000000 DD 00000000
    005CEB7A 00000000 DD 00000000
    005CEB7E 00000000 DD 00000000


    this is the same for the hex dump. What does this mean. I'd like to try and edit my client and use that. Any thoughts?

    -Dan

    I don't have any knowledge of reverse engineering or assembly code for that matter, but I still want to play around with it.

  15. #15
    DRGunZ 2 Creator wesman2232
    Join Date: Jan 2007
    Location: Erie, PA
    Posts: 4,872

    Re: DriftCity Client

    Hope some of you get this working, I personally have no clue what you're talking about other than hex editing :P


