Delete CRC from WarRock 2008 client
Ok, so after a couple of headaches I guess it's time to ask here.
I kinda have some knowledge of how WarRock works (client side). The only thing that prevents me from messing with the Chapter I client is the CRC check they added to it. I have modded the EngineWar client (which has no CRC check), but I believe my life would be much easier if I could mod the original Chapter I instead of transforming CP3 to CP1.
I have tried editing WarRock.exe and Global.fcl with no success. I managed to point global.fcl to a different folder (faking the file Items.bin in another folder) but somehow the shitty game figures out my trick.
At this moment I have 0 new ideas. Any clues?
Re: Delete CRC from WarRock 2008 client
NOP the function out or make the function always return true. I recommend using ida & searching for the CRC error message.
Re: Delete CRC from WarRock 2008 client
So, your suggestion is to use IDA to disassemble the exe and then look for the string that is shown when the error is triggered. I have never used IDA before, but thanks. If I get stuck I'll ask here.
EDIT: So I found this in IDA. It seems to be a function, but I don't know how to edit it so as to comment out the CRC:
Re: Delete CRC from WarRock 2008 client
There should be a JNZ or JE somewhere. You should look that up in OllyDbg and make it jump, i.e. edit it to JMP.
Re: Delete CRC from WarRock 2008 client
I'll try with Olly tomorrow. Thanks for the clue.
So I finally got my hands on OllyDBG. Following your advice CodeDragon, I opened WarRock.exe with it. Then, I searched for "check CRC start" string and I found this:
Code:
CPU Disasm
Address Hex dump Command Comments
0051C03E |. 68 B44B8D00 PUSH OFFSET 008D4BB4 ; /Format = "CheckCRC start"
0051C043 |. 50 PUSH EAX ; |Arg1 => ARG.ECX+1C
0051C044 |. C746 14 02000 MOV DWORD PTR DS:[ESI+14],2 ; |
0051C04B |. E8 AA383100 CALL 0082F8FA ; \WarRock.0082F8FA
0051C050 |. 68 A44B8D00 PUSH OFFSET 008D4BA4 ; /Format = "CheckCRC done"
0051C055 |. 81C6 20010000 ADD ESI,120 ; |
0051C05B |. 56 PUSH ESI ; |Arg1
0051C05C |. E8 99383100 CALL 0082F8FA ; \WarRock.0082F8FA
I think I'm getting closer :) This seems to be an error message. I want to locate the function that triggers it so that it continues with the routine instead of triggering the error.
Re: Delete CRC from WarRock 2008 client
Sorry for double posting, but I think I killed the CRC at last! I'm going to mess around a little bit and test it. If all goes as it should then I'll release the trick. THANKS CODEDRAGON.
Re: Delete CRC from WarRock 2008 client
Quote:
Originally Posted by
DarkRaptor
THANKS CODEDRAGON.
You are welcome friend!
Re: Delete CRC from WarRock 2008 client
Good luck Dark! I'm just here waiting, hoping it would work hehe
Re: Delete CRC from WarRock 2008 client
Ok, so I managed to kill the CRC check by editing JNZ to JMP:
Code:
CPU Disasm
Address Hex dump Command Comments
00711C31 \. /EB 35 JMP SHORT 00711C68
00711C33 /. |8B0F MOV ECX,DWORD PTR DS:[EDI] ; Large structure passed on stack or ESP manipulated
00711C35 |. |E8 56D0FFFF CALL 0070EC90
00711C3A |. |50 PUSH EAX ; /<%s>
00711C3B |. |8D5424 54 LEA EDX,[ARG.20] ; |
00711C3F |. |68 C4A38E00 PUSH OFFSET 008EA3C4 ; |Format = "CRC Checksum Error - %s"
00711C44 |. |52 PUSH EDX ; |Arg1
00711C45 |. |E8 B0DC1100 CALL 0082F8FA ; \WarRock.0082F8FA
00711C4A |. |83C4 0C ADD ESP,0C
00711C4D |. |6A 00 PUSH 0 ; /Type = MB_OK|MB_DEFBUTTON1|MB_APPLMODAL
00711C4F |. |68 10548C00 PUSH OFFSET 008C5410 ; |Caption = "Error"
00711C54 |. |8D4424 58 LEA EAX,[ARG.20] ; |
00711C58 |. |50 PUSH EAX ; |Text
00711C59 |. |6A 00 PUSH 0 ; |hOwner = NULL
00711C5B |. |FF15 FC338C00 CALL DWORD PTR DS:[<&USER32.MessageBoxA> ; \USER32.MessageBoxA
00711C61 |. |6A 00 PUSH 0
00711C63 |. |E8 F2081200 CALL 0083255A
00711C68 |> \6A 00 PUSH 0 ; /Arg1 = 0
That allowed me to get rid of the error when trying to mod the maplist.xml.
But when I tried to edit items.bin (using Enconder-Decoder by ToxiicData) I got this error:
Patch problem encountered. Please check the filebox button... blablabla
I found the string using Ollydbg:
Code:
CPU Disasm
Address Hex dump Command Comments
004D43E8 8B95 E0FEFFFF MOV EDX,DWORD PTR SS:[EBP-120]
004D43EE 837A 04 02 CMP DWORD PTR DS:[EDX+4],2
004D43F2 75 18 JNE SHORT 004D440C
004D43F4 A1 E0B7B300 MOV EAX,DWORD PTR DS:[0B3B7E0]
004D43F9 6A 00 PUSH 0
004D43FB 68 10548C00 PUSH OFFSET 008C5410 ; ASCII "Error"
004D4400 68 28E48C00 PUSH OFFSET 008CE428 ; ASCII "Patch problem encountered.
Please click the FILE CHECK button
in the WarRock Launcher.
"
004D4405 50 PUSH EAX
004D4406 FF15 FC338C00 CALL DWORD PTR DS:[<&USER32.MessageBoxA>
004D440C B8 FA414D00 MOV EAX,004D41FA
004D4411 C3 RETN
But I'm stuck here. As far as I understood, the program compares (CMP) two strings (MOV...) and then, if they are not the same (JNE), it goes to 004D440C (MOV EAX), which points to this loop:
Code:
CPU Disasm
Address Hex dump Command Comments
004D41FA |> /32C0 XOR AL,AL
004D41FC |> |8B4D F4 MOV ECX,DWORD PTR SS:[LOCAL.3]
004D41FF |. |64:890D 00000 MOV DWORD PTR FS:[0],ECX
004D4206 |. |8B4D EC MOV ECX,DWORD PTR SS:[LOCAL.5]
004D4209 |. |5F POP EDI
004D420A |. |5E POP ESI
004D420B |. |33CD XOR ECX,EBP
004D420D |. |5B POP EBX
004D420E |. |E8 48B33500 CALL 0082F55B
004D4213 |. |8BE5 MOV ESP,EBP
004D4215 |. |5D POP EBP
004D4216 |. |C3 RETN
004D4217 |> |8B0D FC8AA000 MOV ECX,DWORD PTR DS:[0A08AFC] ; ASCII "Data\weapondata.bin"
004D421D |. |68 D7000000 PUSH 0D7
004D4222 |. |6A 06 PUSH 6
004D4224 |. |51 PUSH ECX
004D4225 |. |E8 763DFAFF CALL 00477FA0
004D422A |. |83C4 0C ADD ESP,0C
004D422D |. |83F8 01 CMP EAX,1
004D4230 |. |74 0F JE SHORT 004D4241
004D4232 |. |8B15 FC8AA000 MOV EDX,DWORD PTR DS:[0A08AFC] ; ASCII "Data\weapondata.bin"
004D4238 |. |6A 00 PUSH 0
004D423A |. |68 10548C00 PUSH OFFSET 008C5410 ; ASCII "Error"
004D423F |.^|EB AC JMP SHORT 004D41ED
004D4241 |> |8B0D 008BA000 MOV ECX,DWORD PTR DS:[0A08B00] ; ASCII "Data\branch.bin"
004D4247 |. |68 D7000000 PUSH 0D7
004D424C |. |6A 01 PUSH 1
004D424E |. |51 PUSH ECX
004D424F |. |E8 4C3DFAFF CALL 00477FA0
004D4254 |. |83C4 0C ADD ESP,0C
004D4257 |. |83F8 01 CMP EAX,1
004D425A |. |74 0F JE SHORT 004D426B
004D425C |. |8B15 008BA000 MOV EDX,DWORD PTR DS:[0A08B00] ; ASCII "Data\branch.bin"
004D4262 |. |6A 00 PUSH 0
004D4264 |. |68 10548C00 PUSH OFFSET 008C5410 ; ASCII "Error"
004D4269 |.^|EB 82 JMP SHORT 004D41ED
004D426B |> |8B0D F88AA000 MOV ECX,DWORD PTR DS:[0A08AF8] ; ASCII "Data\items.bin"
004D4271 |. |51 PUSH ECX ; /Arg1 => ASCII "Data\items.bin"
004D4272 |. |8D8D E4FEFFFF LEA ECX,[LOCAL.71] ; |
004D4278 |. |C745 FC 01000 MOV DWORD PTR SS:[LOCAL.1],1 ; |
004D427F |. |E8 ACB12300 CALL 0070F430 ; \WarRock.0070F430
004D4284 |. |6A 01 PUSH 1
004D4286 |. |8D95 E4FEFFFF LEA EDX,[LOCAL.71]
004D428C |. |52 PUSH EDX
004D428D |. |8D85 C0FEFFFF LEA EAX,[LOCAL.80]
004D4293 |. |50 PUSH EAX
004D4294 |. |C645 FC 02 MOV BYTE PTR SS:[LOCAL.1],2
004D4298 |. |E8 B3D62300 CALL 00711950
004D429D |. |83C4 0C ADD ESP,0C
004D42A0 |. |8D8D C0FEFFFF LEA ECX,[LOCAL.80]
004D42A6 |. |E8 C5C62300 CALL 00710970 ; [WarRock.00710970
004D42AB |. |8D8D E4FEFFFF LEA ECX,[LOCAL.71]
004D42B1 |. |C645 FC 01 MOV BYTE PTR SS:[LOCAL.1],1
004D42B5 |. |E8 36B32300 CALL 0070F5F0 ; [WarRock.0070F5F0
004D42BA |. |8B0D FC8AA000 MOV ECX,DWORD PTR DS:[0A08AFC] ; ASCII "Data\weapondata.bin"
004D42C0 |. |51 PUSH ECX ; /Arg1 => ASCII "Data\weapondata.bin"
004D42C1 |. |8D8D E4FEFFFF LEA ECX,[LOCAL.71] ; |
004D42C7 |. |E8 64B12300 CALL 0070F430 ; \WarRock.0070F430
004D42CC |. |6A 01 PUSH 1
004D42CE |. |8D95 E4FEFFFF LEA EDX,[LOCAL.71]
004D42D4 |. |52 PUSH EDX
004D42D5 |. |8D85 C0FEFFFF LEA EAX,[LOCAL.80]
004D42DB |. |50 PUSH EAX
004D42DC |. |C645 FC 03 MOV BYTE PTR SS:[LOCAL.1],3
004D42E0 |. |E8 6BD62300 CALL 00711950
004D42E5 |. |83C4 0C ADD ESP,0C
004D42E8 |. |8D8D C0FEFFFF LEA ECX,[LOCAL.80]
004D42EE |. |E8 7DC62300 CALL 00710970 ; [WarRock.00710970
004D42F3 |. |8D8D E4FEFFFF LEA ECX,[LOCAL.71]
004D42F9 |. |C645 FC 01 MOV BYTE PTR SS:[LOCAL.1],1
004D42FD |. |E8 EEB22300 CALL 0070F5F0 ; [WarRock.0070F5F0
004D4302 |. |8B0D 008BA000 MOV ECX,DWORD PTR DS:[0A08B00] ; ASCII "Data\branch.bin"
004D4308 |. |51 PUSH ECX ; /Arg1 => ASCII "Data\branch.bin"
004D4309 |. |8D8D E4FEFFFF LEA ECX,[LOCAL.71] ; |
004D430F |. |E8 1CB12300 CALL 0070F430 ; \WarRock.0070F430
004D4314 |. |6A 01 PUSH 1
004D4316 |. |8D95 E4FEFFFF LEA EDX,[LOCAL.71]
004D431C |. |52 PUSH EDX
004D431D |. |8D85 C0FEFFFF LEA EAX,[LOCAL.80]
004D4323 |. |50 PUSH EAX
004D4324 |. |C645 FC 04 MOV BYTE PTR SS:[LOCAL.1],4
004D4328 |. |E8 23D62300 CALL 00711950
004D432D |. |83C4 0C ADD ESP,0C
004D4330 |. |8D8D C0FEFFFF LEA ECX,[LOCAL.80]
004D4336 |. |E8 35C62300 CALL 00710970 ; [WarRock.00710970
004D433B |. |8D8D E4FEFFFF LEA ECX,[LOCAL.71]
004D4341 |. |C645 FC 01 MOV BYTE PTR SS:[LOCAL.1],1
004D4345 |. |E8 A6B22300 CALL 0070F5F0 ; [WarRock.0070F5F0
004D434A |. |833D 9447CA00 CMP DWORD PTR DS:[0CA4794],5
004D4351 |. |8975 FC MOV DWORD PTR SS:[LOCAL.1],ESI
004D4354 |. |74 7A JE SHORT 004D43D0
004D4356 |. |8D8D 88FEFFFF LEA ECX,[LOCAL.94]
004D435C |. |68 88E48C00 PUSH OFFSET 008CE488 ; /Arg2 = ASCII "m417"
004D4361 |. |51 PUSH ECX ; |Arg1 => OFFSET LOCAL.94
004D4362 |. |E8 59702300 CALL 0070B3C0 ; \WarRock.0070B3C0
004D4367 |. |8BF0 MOV ESI,EAX
004D4369 |. |8D95 A4FEFFFF LEA EDX,[LOCAL.87]
004D436F |. |68 80E48C00 PUSH OFFSET 008CE480 ; /Arg2 = ASCII "m732"
004D4374 |. |52 PUSH EDX ; |Arg1 => OFFSET LOCAL.87
004D4375 |. |C745 FC 06000 MOV DWORD PTR SS:[LOCAL.1],6 ; |
004D437C |. |E8 3F702300 CALL 0070B3C0 ; \WarRock.0070B3C0
004D4381 |. |8B56 18 MOV EDX,DWORD PTR DS:[ESI+18]
004D4384 |. |B9 10000000 MOV ECX,10
004D4389 |. |83C4 10 ADD ESP,10
004D438C |. |3BD1 CMP EDX,ECX
004D438E |. |72 05 JB SHORT 004D4395
004D4390 |. |8B76 04 MOV ESI,DWORD PTR DS:[ESI+4]
004D4393 |. |EB 03 JMP SHORT 004D4398
004D4395 |> |83C6 04 ADD ESI,4
004D4398 |> |3948 18 CMP DWORD PTR DS:[EAX+18],ECX
004D439B |. |72 05 JB SHORT 004D43A2
004D439D |. |8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
004D43A0 |. |EB 03 JMP SHORT 004D43A5
004D43A2 |> |83C0 04 ADD EAX,4
004D43A5 |> |6A 00 PUSH 0 ; /Type = MB_OK|MB_DEFBUTTON1|MB_APPLMODAL
004D43A7 |. |56 PUSH ESI ; |Caption
004D43A8 |. |50 PUSH EAX ; |Text
004D43A9 |. |A1 E0B7B300 MOV EAX,DWORD PTR DS:[0B3B7E0] ; |
004D43AE |. |50 PUSH EAX ; |hOwner => [0B3B7E0] = NULL
004D43AF |. |FF15 FC338C00 CALL DWORD PTR DS:[<&USER32.MessageBoxA> ; \USER32.MessageBoxA
004D43B5 |. |8D8D A4FEFFFF LEA ECX,[LOCAL.87]
004D43BB |. |E8 20D8F2FF CALL 00401BE0 ; [WarRock.00401BE0
004D43C0 |. |8D8D 88FEFFFF LEA ECX,[LOCAL.94]
004D43C6 |. |E8 15D8F2FF CALL 00401BE0 ; [WarRock.00401BE0
004D43CB |.^\E9 2AFEFFFF JMP 004D41FA
I'm stuck here right now. I think there is something I'm missing. I tried to edit JNE to JE and to JMP with no success. Any ideas, people?
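The listing above walks over Data\items.bin, Data\weapondata.bin and Data\branch.bin one by one and pops an error box when a check fails. As an added example (not code from the thread or from the game), here is the same manifest-style integrity check written the way a defender would run it in a launcher or on the server side, where a single patched conditional jump in the client cannot reach it. The file contents and the manifest are constructed stand-ins; the helper names are assumptions.

```python
"""Manifest-based data-file integrity check (added example, not WarRock code)."""
import zlib

# Constructed sample contents standing in for the three data files named in
# the OllyDbg listing; real files would be read with open(path, "rb").read().
SAMPLE_FILES = {
    r"Data\items.bin": b"ITEMS\x00" + bytes(range(64)),
    r"Data\weapondata.bin": b"WEAP\x00" + bytes(range(32)),
    r"Data\branch.bin": b"BRCH\x00" + bytes(range(16)),
}


def crc32(data: bytes) -> int:
    """Standard CRC-32 (the polynomial zlib uses), masked to 32 bits."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_manifest(files: dict) -> dict:
    """Record the expected CRC of every shipped data file (done at release time,
    and kept outside the client so it cannot be edited alongside the files)."""
    return {name: crc32(content) for name, content in files.items()}


def verify(files: dict, manifest: dict) -> list:
    """Return the names of files that are missing or whose CRC differs from the
    manifest. An empty list means the data set is intact. Checking every file
    and reporting all failures (instead of bailing on the first one) gives the
    operator a complete picture of what was changed."""
    bad = []
    for name, expected in manifest.items():
        content = files.get(name)
        if content is None or crc32(content) != expected:
            bad.append(name)
    return bad


def demo() -> tuple:
    """Intact set verifies clean; a one-byte edit to items.bin is flagged."""
    manifest = build_manifest(SAMPLE_FILES)
    intact = verify(SAMPLE_FILES, manifest)
    modded = dict(SAMPLE_FILES)
    modded[r"Data\items.bin"] = modded[r"Data\items.bin"] + b"\x01"
    tampered = verify(modded, manifest)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # ([], ['Data\\items.bin'])
```

The point for a defender is where the verdict is consumed: a check whose only effect is one JNZ inside the client, as in the listing above, is a single point of failure, so the server should recompute or require the manifest result before granting anything that matters.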
Re: Delete CRC from WarRock 2008 client
Are you sure your bin file isn't corrupted?
Re: Delete CRC from WarRock 2008 client
To check that problem, I tried the following:
a) Stock items.bin -----> the client launches.
b) Modded items.bin using Enconder and Decoder -----> Error is triggered.
c) PF_0_21.zip items.bin alone -----------> Error is triggered.
Is there anything I'm missing?
I add this just in case: I'm using OllyDbg on a 64-bit processor (Intel i5 3570K).