-
Adding a Higher Level Cap Better Translation!
Hey guys Unzubaru here,
This is just to explain things a bit better and in clearer English, so people who don't know it too well get a better understanding without trawling through the same sentence over and over wondering what he's talking about. I hope this helps, and remember: there is always a big beautiful THANKS button with a thumbs up if this helped!
Delete this if it isn't needed.
First, the screenshots:
http://forum.ragezone.com/attachment...-with-bin-.jpg
http://forum.ragezone.com/attachment...with-bin-2.jpg
First of all, we have to find the Exp table in the .exe.
Go to the Server folder and open your XPTable (the one your server.exe uses) and look at the first offset (the set of numbers and letters) you see. Use that, as it is the beginning offset of your XP table in both your client and server.
Now go to "Search for" -> "All command sequences" and enter the sequence below:
Code:
pop edi
mov eax, 1
pop ebx
retn
push ebp
push esi
push edi
add eax, 388C
push ebx
push eax
You will most probably land here:
Code:
0044A14C |. 5F pop edi
0044A14D |. B8 01000000 mov eax, 1
0044A152 |. 5B pop ebx
0044A153 |. C3 retn
0044A154 |> 55 push ebp
0044A155 |. 56 push esi
0044A156 |. 57 push edi
0044A157 |. 05 8C380000 add eax, 388C
0044A15C |. 53 push ebx
0044A15D |. 50 push eax
0044A15E |. E8 6D99FFFF call 00443AD0
0044A163 |. 83C4 0C add esp, 0C
0044A166 |. E8 B597FFFF call 00443920
0044A16B |. E8 30BFFFFF call 004460A0
0044A170 |. 8B2D DC8D8B00 mov ebp, dword ptr [8B8DDC]
0044A176 |. 8BB5 44390000 mov esi, dword ptr [ebp+3944]
0044A17C |. 8B04F5 14F0C7>mov eax, dword ptr [esi*8+8C7F014]
0044A183 |. 85C0 test eax, eax
0044A185 |. 8B0CF5 10F0C7>mov ecx, dword ptr [esi*8+8C7F010]
0044A18C |. 0F8C A1000000 jl 0044A233
0044A192 |. 7F 08 jg short 0044A19C
0044A194 |. 85C9 test ecx, ecx
0044A196 |. 0F82 97000000 jb 0044A233
0044A19C |> 3BF8 cmp edi, eax
0044A19E |. 0F8C 8F000000 jl 0044A233
0044A1A4 |. 7F 08 jg short 0044A1AE
0044A1A6 |. 3BD9 cmp ebx, ecx
0044A1A8 |. 0F82 85000000 jb 0044A233
Notice this line:
Code:
0044A185 |. 8B0CF5 10F0C7>mov ecx, dword ptr [esi*8+8C7F010]
It is an array with base pointer 0x8C7F010 (this is not a fixed value; it changes with each .exe. As an example, I shall use this offset.)
On this line, use "Follow in Dump" -> "Address Constant".
Now you can see your exp table, just like this.
Notice that we got 08C7F010, but the real start of the table is 8C7F000, 0x10 bytes before it. Remember this!
Code:
08C7F000 08 00 09 00 0D 00 00 00 0A 00 00 00 09 00 09 00
08C7F010 00 00 00 00 00 00 00 00 E8 03 00 00 00 00 00 00
08C7F020 C4 09 00 00 00 00 00 00 88 13 00 00 00 00 00 00
08C7F030 1C 25 00 00 00 00 00 00 CC 42 00 00 00 00 00 00
08C7F040 E5 74 00 00 00 00 00 00 0F C9 00 00 00 00 00 00
08C7F050 CC 55 01 00 00 00 00 00 E1 22 02 00 00 00 00 00
08C7F060 41 3F 03 00 00 00 00 00 02 AD 04 00 00 00 00 00
08C7F070 EE 5B 06 00 00 00 00 00 08 34 08 00 00 00 00 00
08C7F080 0A 41 0A 00 00 00 00 00 0D B7 0C 00 00 00 00 00
08C7F090 B6 A3 0F 00 00 00 00 00 87 14 13 00 00 00 00 00
Unfortunately, there isn't enough room for the exp table any more (the .exe is clogged ;P).
So this is the main topic today: add a new section and move the exp table!
I obviously cannot be certain which version you have of both server and client; that's not important. If your version has a section with many zeros, you are in luck: just skip the next 4 paragraphs. Otherwise, carry on!
Tools: LordPE and a hex editor.
Open your server with a hex editor.
NOTE: THESE STEPS APPLY TO BOTH CLIENT AND SERVER. START WITH THE SERVER, THEN DO THE CLIENT AS WELL!
Scroll to the bottom and insert some bytes. I advise you to fill them with int3 or NOP so that LordPE doesn't wreck your file. Do not forget how many bytes you added.
Now open the server (or client) with LordPE (the built-in PE editor), click Sections to see the section table, and add a section, just like this:
http://img14.imageshack.us/img14/4833/lordpe.jpg
Then right-click the newly added section, give it a suitable name, and fill in the VirtualAddress and RVA blanks with the number of bytes you've just added. (The other blanks are fine as LordPE has filled them, and I have no time to explain them.)
Just like this:
http://img15.imageshack.us/img15/9549/editsec.jpg
OK, now press OK, save the changes and press "Rebuild PE". That's the easiest way to add your own section and avoid a lot of calculations! XD
Now copy the whole exp table to the section we just added. What's its address? Open the file with the PE editor in LordPE, note the section's offset, add 0x400000 to it and you've got it! And of course, do not forget to write your own exp numbers for the new levels (just no more than 0xFFFFFFFFFFFFFFFF). Got it?
Now we need to fix the variables, the level-comparing places. Open the server (or client) with your hex editor and replace:
every 0x8C7F010 with your address,
every 0x8C7F010 + 0x4 with your address + 0x4,
every 0x8C7F010 + 0x8 with your address + 0x8,
every 0x8C7F010 + 0xC with your address + 0xC,
every 0x8C7F000 with your address - 0x10,
every 0x8C7F004 with your address - 0x10 + 0x4.
Now go back to the place we found at the beginning; you'll find we still need some more addresses to fix, but these are the last ones.
Code:
0044A107 |. 8BD8 mov ebx, eax
0044A109 |. A1 9CF9C708 mov eax, dword ptr [8C7F99C] ;this is the high dword of the second level count from back
0044A10E |. 8BFA mov edi, edx
0044A110 |. 3BF8 cmp edi, eax
0044A112 |. 7F 13 jg short 0044A127
0044A114 |. 7C 08 jl short 0044A11E
0044A116 |. 3B1D 98F9C708 cmp ebx, dword ptr [8C7F998];this is the low dword of the second level count from back
The next place is a validity check: the server must make sure that you cannot level up if you are not Rank 3 or higher. After all, who is only rank 2 yet level 120?
Code:
0044A127 |> \3B3D 2CF3C708 cmp edi, dword ptr [8C7F32C] ; this is the high dword of lvl100
0044A12D |. A1 DC8D8B00 mov eax, dword ptr [8B8DDC] ; this does not need to be fixed
0044A132 |. 7C 20 jl short 0044A154
0044A134 |. 7F 08 jg short 0044A13E
0044A136 |. 3B1D 28F3C708 cmp ebx, dword ptr [8C7F328] ; this is the low dword of lvl100
This place is the MAX_LEVEL check. Mine is 0x133, that's 307 in decimal (I have no time to add so many exp table entries XD; even this was produced by a little tool I wrote).
Code:
0044A1A6 |. 3BD9 cmp ebx, ecx
0044A1A8 |. 0F82 85000000 jb 0044A233
0044A1AE |> 81FE 33010000 cmp esi, 133 ; here (for the client you need to set a jmp, because there is not enough space for the opcodes)
0044A1B4 |. 7D 7D jge short 0044A233
This is the exp-table check; remember to fix it at runtime (once is enough).
Code:
0044A1BB |. 8B0D B0F9C708 mov ecx, dword ptr [8C7F9B0]
0044A1C1 |. 3BC8 cmp ecx, eax
0044A1C3 |. 75 6E jnz short 0044A233
0044A1C5 |. A1 B4F9C708 mov eax, dword ptr [8C7F9B4]
The last level check (this check is server side only):
Code:
004439E0 /$ 8B4424 04 mov eax, dword ptr [esp+4]
004439E4 |. 85C0 test eax, eax
004439E6 |. 7E 3D jle short 00443A25
004439E8 |. 3D 32010000 cmp eax, 132 ; this is the right place
004439ED |. 7F 36 jg short 00443A25
004439EF |. 8B5424 0C mov edx, dword ptr [esp+C]
And you're done :D With this you can get an ALMOST unlimited level cap, and of course you can modify a character with the level editor I published.
Now have fun and a nice day. All the best wishes.
WaHVeY(Strang eFay) [P.R.C]
2009-3-24 16:51:53
Translated for less Head aches by Unzubaru.
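As an added example (not strangefay's tool and not code from the post): the "fix the variables" steps as a script. It scans the file for every little-endian dword that falls inside the old table, rebases it by the distance the table moved, and rewrites the imm32 of the cmp esi, 133 / cmp eax, 132 level checks. The OLD_* values are the ones in the listings above; NEW_TABLE_START and NEW_MAX_LEVEL are assumed placeholders for your new section's VA and your new cap. The sample bytes are constructed from the instructions in the listings so the script runs offline.

```python
import struct

# Values taken from the listings in the post (they differ for every .exe).
OLD_TABLE_START = 0x08C7F000   # real start of the table, 0x10 before the indexed base
OLD_INDEX_BASE = 0x08C7F010    # base of  mov ecx, dword ptr [esi*8 + 8C7F010]
OLD_MAX_LEVEL = 0x133          # immediate of  cmp esi, 133

# Assumptions: VA of the section you added (LordPE offset + 0x400000) and the new cap.
NEW_TABLE_START = 0x00AB0000
NEW_MAX_LEVEL = 0x1F5

ENTRY_SIZE = 8                 # one QWORD of experience per level: low dword, then high dword


def table_end(index_base, max_level):
    """First VA past the table.  The listing also reads entry max_level+1
    ([8C7F9B0]/[8C7F9B4] with max 0x133), so cover max_level+2 entries."""
    return index_base + (max_level + 2) * ENTRY_SIZE


def find_table_refs(data, lo, hi):
    """Every file offset holding a little-endian dword that points into [lo, hi).
    Scans at every byte offset because the address sits inside an instruction
    (SIB disp32, the moffs32 of mov eax,[addr], the disp32 of cmp ebx,[addr])."""
    hits = []
    for off in range(len(data) - 3):
        va = struct.unpack_from('<I', data, off)[0]
        if lo <= va < hi:
            hits.append((off, va))
    return hits


def rebase_refs(data, lo, hi, new_lo):
    """Rewrite every reference into the old table so it points into the moved copy."""
    buf = bytearray(data)
    delta = new_lo - lo
    hits = find_table_refs(buf, lo, hi)
    for off, va in hits:
        struct.pack_into('<I', buf, off, (va + delta) & 0xFFFFFFFF)
    return bytes(buf), hits


def patch_cmp_imm32(data, opcode, old_imm, new_imm):
    """Replace the imm32 of every  <opcode> old_imm  (81 FE = cmp esi, imm32;
    3D = cmp eax, imm32).  Returns the patched bytes and how many were changed;
    compare that count with what you saw in Olly before trusting the result."""
    buf = bytearray(data)
    needle = opcode + struct.pack('<I', old_imm)
    count, start = 0, 0
    while (off := buf.find(needle, start)) >= 0:
        struct.pack_into('<I', buf, off + len(opcode), new_imm)
        count += 1
        start = off + len(needle)
    return bytes(buf), count


# Constructed sample: instruction bytes copied from the listings above.
SAMPLE = bytes.fromhex(
    '8B04F514F0C708'   # mov eax, dword ptr [esi*8+8C7F014]
    '85C0'             # test eax, eax
    '8B0CF510F0C708'   # mov ecx, dword ptr [esi*8+8C7F010]
    'A19CF9C708'       # mov eax, dword ptr [8C7F99C]
    '3B1D98F9C708'     # cmp ebx, dword ptr [8C7F998]
    '81FE33010000'     # cmp esi, 133
    '3D32010000'       # cmp eax, 132
)


def patch_sample():
    hi = table_end(OLD_INDEX_BASE, OLD_MAX_LEVEL)
    new_index_base = NEW_TABLE_START + (OLD_INDEX_BASE - OLD_TABLE_START)
    out, hits = rebase_refs(SAMPLE, OLD_TABLE_START, hi, NEW_TABLE_START)
    out, n1 = patch_cmp_imm32(out, b'\x81\xFE', OLD_MAX_LEVEL, NEW_MAX_LEVEL)
    out, n2 = patch_cmp_imm32(out, b'\x3D', OLD_MAX_LEVEL - 1, NEW_MAX_LEVEL - 1)
    return out, hits, n1 + n2, new_index_base


if __name__ == '__main__':
    out, hits, n, base = patch_sample()
    for off, va in hits:
        print(f'file offset {off:#06x}: {va:#010x} -> {va - OLD_TABLE_START + NEW_TABLE_START:#010x}')
    print(f'{n} cmp immediates patched; new index base {base:#010x}')
```

Every hit is reported with its file offset; check each one against Olly before writing the file back, because a dword that merely happens to fall in that range would be rebased too. The range starts at the real table start and runs to entry MAX_LEVEL+1, so it covers the 0x8C7F000/0x8C7F004 references 0x10 before the indexed base as well as the later [8C7F99C], [8C7F998] and [8C7F9B4] ones.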
-
Re: Adding a Higher Level Cap Better Translation!
Thanks, with this 'translation' I have added a level cap of 170 on my server.exe =D
-
Re: Adding a Higher Level Cap Better Translation!
Sweet man =D, so did this help? Because for me it was hard to understand everything he was saying if I just read it through, so I thought I would help by making it less jumpy :P.
-
Re: Adding a Higher Level Cap Better Translation!
I didn't struggle too much with the original, I thought it was pretty good for one who is not a native English speaker... But I know I have helped a few people with it. I think it is hard if you are unsure of the technical process. If you have a good general idea what he is trying to do, the few grammatical anomalies are not a great hurdle.
I hope strangefay isn't too upset by your re-work, because this is his guide. I don't know what attempts you may have made to help him improve his guide before re-making it, but I think I would have tried that first before reproducing an already fine work just to clean up some ambiguities.
I would also have posted this in his thread... mods can shift posts between threads, and in the same thread all responses and queries relate to the same article... here, information becomes a little spread out, and could be difficult to find.
But from the number of queries I had, I agree there was some call for improving some of the terms used. I just hope strangefay isn't offended by that statement, or this thread in general, and I thank you for keeping the credit for the tutorial's origin with strangefay.
-
Re: Adding a Higher Level Cap Better Translation!
I don't understand.
Can someone explain?
-
Re: Adding a Higher Level Cap Better Translation!
Quote:
Originally Posted by
Vahvel
I don't understand.
Can someone explain?
It's a tutorial... which means it is an explanation... It's kind of hard to explain an explanation, but if you tell us which bit you are struggling with, we can try to elaborate. :wink:
---EDIT---
Received via PM:-
Quote:
Originally Posted by Vahvel
Then can you help me here?
I wish you'd help me put in level 235.
If possible, thanks.
Yes it is possible, but first I would rather do it publicly, so the responses can be searched and used by others.
If you follow this guide by strangefay (or its originator) you should be able to achieve level 235... or whatever level you want.
If you are struggling with a section, please ask and I and others will surely try to help out. But please be specific, and don't just ask us to re-write the entire guide. I can't answer "How do I follow this guide?" in any way other than to say "Read it, then do what it says." Which I'm pretty sure won't help you much.
---EDIT---
Quote:
Originally Posted by Vahvel
I am having trouble doing almost anything in the tutorial for level 235.
If by some chance I give you my Game.exe and Server.exe, could you do it for me? In that case I will study it.
I think this will help me and others, just by download.
Not everyone understands this tutorial.
Dude... many people don't understand this tutorial, which is why strangefay linked executables which are already (at least partially) edited.
This is not an easy tutorial by any means. It is not for beginners, and not for the faint of heart. If you can do this, you can consider it a great achievement.:wink:
The only way we will ever get a better tutorial, that people can follow easier is if those who struggle to follow this one try their hardest to work through it, step by step, and ask the community for help... when we, as a community manage to provide answers that people do understand then we will know what information needs to be in a better guide, and how to phrase it.
I don't really have a problem understanding what strangefay has said, but I haven't tried doing it myself yet. I have helped others do it, and I can only say that going over the same stuff again and again in PMs is tiring and unproductive for the larger community... I will now only provide responses in public with the aim of helping us all to understand this better.
-
Re: Adding a Higher Level Cap Better Translation!
OK.
I do not understand what to do in Olly in the first part of the tutorial.
It talks about adding bytes, but how?
Then it says you have to add a section in LordPE; I add it and do not understand what to do after that.
And my client is level 150; after all this works, can I level up normally in game or do I have to edit with a level editor?
-
Re: Adding a Higher Level Cap Better Translation!
I know other methods to add it.
-
Re: Adding a Higher Level Cap Better Translation!
Okay... the first part is about finding the Exp table in your executable that is being used. This can be problematic, because some .exes have more than one table, where they have been edited before, and the old table was never blanked.
It may be easier to find the table by searching for
Code:
00 00 00 00 00 00 00 00 E8 03 00 00 00 00 00 00
selecting that line in the memory view in Olly and searching for references to it.
That should still lead you back to the same piece of code. strangefay found the code, and noted down some instructions that will be pretty common in all clients and servers, and fairly unique to the level table lookup routines. This is a pretty sure-fire (guaranteed) way to locate the information that is used in any executable.
I suspect the confusion is that he did not explain where he got this magical set of instructions to search for.
Code:
pop edi
mov eax, 1
pop ebx
retn
push ebp
push esi
push edi
add eax, 388C
push ebx
push eax
If you still want to try his method (and it's a good one) then right click (context click) on the instructions in the CPU window in Olly, and select "search for" and from that menu "all command sequences" and type in the lines in the code section above.
As in:-
http://a.imagehost.org/0888/OllyLevels1.png
http://a.imagehost.org/0218/OllyLevels2.png
If that turns up no results, I found that reducing the list of commands to just the ones after "retn" gave me the right result. :wink:
Many people have complained that LordPE is a pain to use... and it is. A good program, but a pain to use. To add a section, you could also consider referring to Gregoory's tutorial on using ToPo, or my tutorial on doing it with CFF Explorer Suite. The end result is the same, regardless of the tool used.
-
Re: Adding a Higher Level Cap Better Translation!
OK...
I found the XP table 100% as in the tutorial.
Now you have to do something that I did not understand.
I can find the part with the XP table and add a section in LordPE.
But there are certain things after that which I do not understand.
And I would like to know, what is your Olly?
Mine is different.
-
Re: Adding a Higher Level Cap Better Translation!
Well, I use (usually) the beta version of ODb v2. It's faster, but doesn't support all the nice plugins in the "stable" ODb v1.x versions.
Other than that, it's clear, I think, that I have customised the colour scheme and fonts... other than the "theme" my Olly is pretty much the same as anyone else's. I hope we are able to see past cosmetics. :wink:
Quote:
Now you have to do something that I did not understand.
Can you quote the instruction(s) you "do not understand", as that would give me, and others, a better idea what you need help with.
-
Re: Adding a Higher Level Cap Better Translation!
Yeah, this wasn't to cause offence; I just thought it was a bit bitty and stuff. I knew StrangeEfay (if he's the same guy XD); well, they were both Chinese anyway XD.
Though I didn't know him well, I don't mean to cause offence here. It just helps people like Vahvel whose first language isn't English.
-
Re: Adding a Higher Level Cap Better Translation!
Sorry for my English, I'm Brazilian.
The part that I did not understand was after adding a new section.
It talks about adding bytes before; how do I add bytes? And after I add this new section, do I get the section for the exp table? Is it created? And what do I do to make it level up past 150?
-
Re: Adding a Higher Level Cap Better Translation!
Quote:
Scroll to the bottom, and insert some bytes I advise you to fill it with int3 or NOP so that, Lord-PE wont butt-rape your PC to hell. do not forget how many bytes you added.
Is this what you mean?
This is already done if you use ToPo or CFF. LordPE only adds a section header, it doesn't increase the size of the executable... so until you add some (initially blank) information in the file, your PE is corrupted.
Basically LordPE only does half the job, and you have to finish it. But not all Hex editors CAN add bytes to the end of a file. Some can only edit bytes that are already there.
But I'm pretty sure the Tutorial tells you to do that bit first, and use LordPE after.
How many bytes you add, is how many bytes you need for your new XP table.
How many bytes that is, depends on how many levels you want to go to.
Basically, if my memory is correct, the formula is 8 times the highest level you want... and add a bit for safety.
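The two halves described above (pad the file, then add the header) done together, as an added example that is neither LordPE's nor the post's own code. It sizes the payload at 8 bytes per level, appends a section to a PE32 file, and refuses to write a header when there is no free 40-byte slot before the first section's raw data, which is the case where a header-only edit leaves the PE corrupted. The image it operates on is a constructed minimal PE32, not a game executable, and the experience formula is an assumption; replace it with your own numbers.

```python
import struct

SECTION_HEADER = '<8sIIIIIIHHI'   # IMAGE_SECTION_HEADER, 40 bytes


def align(n, a):
    return (n + a - 1) // a * a


def build_exp_table(entries, first=1000, growth=1.1):
    """One little-endian QWORD per entry (8 bytes x levels, as the reply says).
    Entry 0 is 0; later entries are cumulative.  The curve is an assumption."""
    table, step = [0], first
    for _ in range(1, entries):
        table.append(table[-1] + step)
        step = int(step * growth)
    if table[-1] > 0xFFFFFFFFFFFFFFFF:        # the limit the tutorial states
        raise ValueError('experience value does not fit in a QWORD')
    return b''.join(struct.pack('<Q', v) for v in table)


def add_section(pe, name, payload, characteristics=0xC0000040):
    """Append a section carrying `payload` (INITIALIZED_DATA | READ | WRITE).
    Returns (new file bytes, RVA of the section)."""
    buf = bytearray(pe)
    if buf[:2] != b'MZ':
        raise ValueError('not a PE file')
    e_lfanew = struct.unpack_from('<I', buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('bad NT signature')
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsec = struct.unpack_from('<H', buf, fh + 2)[0]
    opt_size = struct.unpack_from('<H', buf, fh + 16)[0]
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from('<H', buf, opt)[0] != 0x10B:
        raise ValueError('PE32 only')
    sec_align = struct.unpack_from('<I', buf, opt + 32)[0]
    file_align = struct.unpack_from('<I', buf, opt + 36)[0]
    sect0 = opt + opt_size
    new_hdr = sect0 + nsec * 40
    # A header-only edit corrupts the file when the slot overlaps section data.
    first_raw = min(struct.unpack_from('<I', buf, sect0 + i * 40 + 20)[0] for i in range(nsec))
    if new_hdr + 40 > first_raw:
        raise ValueError('no room for another section header')
    last = sect0 + (nsec - 1) * 40
    vsize, va_last, rawsz = struct.unpack_from('<III', buf, last + 8)
    va = align(va_last + max(vsize, rawsz), sec_align)
    raw_ptr = align(len(buf), file_align)
    raw_size = align(len(payload), file_align)
    buf += b'\0' * (raw_ptr - len(buf))                 # the "insert some bytes at the bottom" step
    buf += payload + b'\0' * (raw_size - len(payload))
    struct.pack_into(SECTION_HEADER, buf, new_hdr, name.encode()[:8], len(payload), va,
                     raw_size, raw_ptr, 0, 0, 0, 0, characteristics)
    struct.pack_into('<H', buf, fh + 2, nsec + 1)
    struct.pack_into('<I', buf, opt + 56, va + align(len(payload), sec_align))   # SizeOfImage
    return bytes(buf), va


def make_demo_pe():
    """Constructed minimal PE32 (one .text section), not a real game binary."""
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)
    struct.pack_into('<I', opt, 28, 0x400000)   # ImageBase
    struct.pack_into('<I', opt, 32, 0x1000)     # SectionAlignment
    struct.pack_into('<I', opt, 36, 0x200)      # FileAlignment
    struct.pack_into('<I', opt, 56, 0x2000)     # SizeOfImage
    struct.pack_into('<I', opt, 60, 0x200)      # SizeOfHeaders
    text = struct.pack(SECTION_HEADER, b'.text', 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b'PE\0\0' + file_hdr + bytes(opt) + text
    return hdr + b'\0' * (0x200 - len(hdr)) + b'\xCC' * 0x200


def demo(max_level=0x133):
    table = build_exp_table(max_level + 2)      # entries 0..max_level+1, as the listing reads
    pe, rva = add_section(make_demo_pe(), '.xptab', table)
    return pe, rva, 0x400000 + rva              # the VA to plug into the fixed-up references


if __name__ == '__main__':
    pe, rva, va = demo()
    print(f'section RVA {rva:#x}, table VA {va:#x}, file grew to {len(pe):#x} bytes')
```

The VA returned is ImageBase plus the new section's RVA, the same number the tutorial reaches by adding 0x400000 to the offset shown in LordPE; feed it to the reference fix-up and keep the same table bytes in both the client and the server.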
-
Re: Adding a Higher Level Cap Better Translation!
My XP table has space below.
It goes up to level 150; I have a lot of "FFFFFFFFFFFFFFFFFF" and below it has no value.
Is there any way to put new levels below?
And how do I make the server read those levels, so that from level 149 it goes up to 150, 151, 152 .....
-
Re: Adding a Higher Level Cap Better Translation!
Difficult to say. Who extended your server to 150? They would know.
If the space below that is filled with FF FF FF FF FF FF FF FF is actually read by the server as Experience to level table entries, then all you need to do is write your Exp:Level stuff in there... I guess.
But if the server stops reading on the first FF FF FF FF FF FF FF FF (pretty unreachable) then you will still have to shift the end point.
The stuff after:
Quote:
now back to and return to the place we found at the beginning , you 'll find we still need some more addresses to fix, but these are the last ones.
will tell you the end point of the actual table the exe is using.
If you have to shift the end point then you need to be sure (absolutely sure with no question of doubt in your mind what-so-ever) that NOTHING else in the exe is using what you believe to be blank space.
Remember, that the program could write to those 00s at any point, and that would mess up your Exp table real bad.
-
Re: Adding a Higher Level Cap Better Translation!
Well Bobsobol, to my hexing knowledge doesn't 0xFFFFFFFF mean white?
-
Re: Adding a Higher Level Cap Better Translation!
Quote:
Originally Posted by
unzubaru
Well Bobsobol, to my hexing knowledge doesn't 0xFFFFFFFF mean white?
lol. Does it?
So Does 0x4E616D65 always mean 101 blue, 109 green, 97 red, 78 Alpha? Or can it also mean 1315007845, or the text string "Name"?
The fact is that bytes of data stored in a computer have no meaning whatsoever until you use them for something... This also means that that data could mean any, and all, of those things... and a sneaky thing to do is use the same data to represent two different things, so that one cannot change one value without changing another.
0xFFFFFFFF either means 4294967295 or -1, depending on whether the value is looked at as a QWord, or a UQuad. (That is, whether you consider it a positive integer, or a signed integer)
Either way, it would be pretty hard to increase your XP to the point where you reach that figure... which is why (I suspect) it's there.
@Vahvel: All seems pretty correct to me, except imagem02.bmp where the last value should be 8 bytes not just 6... these are QWords, not a DWord and a Word... that would be a git to calculate anyway.
Looks like you have an uncommonly simple server executable to work with. Well done. :wink:
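As an added example (not Bobsobol's or the post's code) of the "QWord, not DWord and Word" point and of why an FF FF FF FF FF FF FF FF entry is "pretty unreachable": the script decodes the dump rows from the tutorial into 64-bit entries, mirrors the compare chain at 0044A17C..0044A1B4 from the listing (high dwords tested with jl/jg, i.e. signed; low dwords with jb, i.e. unsigned), and searches a file image for the table's first entries the way the earlier reply suggested. The dump rows are the tutorial's; the file image the search runs over is constructed, with the table embedded twice, to show what an old un-blanked copy looks like.

```python
import struct

# Dump rows from the post, without Olly's ASCII column.
DUMP = """\
08C7F000 08 00 09 00 0D 00 00 00 0A 00 00 00 09 00 09 00
08C7F010 00 00 00 00 00 00 00 00 E8 03 00 00 00 00 00 00
08C7F020 C4 09 00 00 00 00 00 00 88 13 00 00 00 00 00 00
08C7F030 1C 25 00 00 00 00 00 00 CC 42 00 00 00 00 00 00
08C7F040 E5 74 00 00 00 00 00 00 0F C9 00 00 00 00 00 00
08C7F050 CC 55 01 00 00 00 00 00 E1 22 02 00 00 00 00 00
08C7F060 41 3F 03 00 00 00 00 00 02 AD 04 00 00 00 00 00
08C7F070 EE 5B 06 00 00 00 00 00 08 34 08 00 00 00 00 00
08C7F080 0A 41 0A 00 00 00 00 00 0D B7 0C 00 00 00 00 00
08C7F090 B6 A3 0F 00 00 00 00 00 87 14 13 00 00 00 00 00
"""
INDEX_BASE = 0x08C7F010      # base of  mov ecx, dword ptr [esi*8 + 8C7F010]
ENTRY_SIZE = 8               # one QWORD per level


def parse_dump(text):
    """(start VA, raw bytes) from Olly-style 'ADDR b0 b1 ... b15' rows."""
    start, chunks = None, []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if start is None:
            start = int(tok[0], 16)
        chunks.append(bytes.fromhex(''.join(tok[1:17])))
    return start, b''.join(chunks)


def read_table(start, blob, index_base, count):
    """Entry i is the little-endian QWORD at index_base + i*8."""
    off = index_base - start
    return [struct.unpack_from('<Q', blob, off + i * ENTRY_SIZE)[0] for i in range(count)]


def to_signed32(v):
    return v - (1 << 32) if v & 0x80000000 else v


def can_level(level, exp, table, max_level):
    """eax:ecx = table[esi] (high:low), edi:ebx = current exp, as in the listing.
    A table entry whose high dword is negative (0xFFFFFFFF...) takes the
    'test eax,eax / jl' exit before the player's exp is even looked at."""
    if level >= max_level:                  # cmp esi, MAX_LEVEL / jge exit
        return False
    e_hi = to_signed32(table[level] >> 32)  # eax
    e_lo = table[level] & 0xFFFFFFFF        # ecx
    if e_hi < 0:                            # test eax,eax / jl exit
        return False
    p_hi = to_signed32(exp >> 32)           # edi
    p_lo = exp & 0xFFFFFFFF                 # ebx
    if p_hi != e_hi:                        # cmp edi,eax / jl exit, jg level up
        return p_hi > e_hi
    return p_lo >= e_lo                     # cmp ebx,ecx / jb exit (unsigned)


def locate_tables(data, table, first_n=2):
    """Every file offset where the first `first_n` entries occur back to back.
    More than one hit means an old copy was left in the file; confirm which
    one the code really indexes (Follow in Dump) before patching."""
    needle = b''.join(struct.pack('<Q', v) for v in table[:first_n])
    hits, pos = [], 0
    while (pos := data.find(needle, pos)) >= 0:
        hits.append(pos)
        pos += 1
    return hits


def demo():
    start, blob = parse_dump(DUMP)
    table = read_table(start, blob, INDEX_BASE, 18)
    # Constructed file image with the dump embedded twice (an old copy never blanked).
    fake_file = b'\xCC' * 0x20 + blob + b'\x00' * 0x10 + blob
    return table, locate_tables(fake_file, table)


if __name__ == '__main__':
    table, hits = demo()
    for lvl, need in enumerate(table):
        print(f'entry {lvl:3d}: {need:>10d} (0x{need:016X})')
    print('table copies at file offsets:', [hex(h) for h in hits])
    print('sentinel entry reachable:', can_level(3, 2 ** 63, [0, 0, 0, 0xFFFFFFFFFFFFFFFF], 0x133))
```

The decoded entries rise monotonically (0, 1000, 2500, 5000, ...), which is a cheap sanity check to run on any table you write yourself; an entry that is lower than its predecessor, or one with bit 63 set, is a typo the code will treat as "never level".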
-
Re: Adding a Higher Level Cap Better Translation!
But what do I do so the server reads the new XP that I put in?
The right thing would be for me to put in values beyond level 150 and it would level up normally.
-
Re: Adding a Higher Level Cap Better Translation!
Quote:
Originally Posted by
Vahvel
But what do I do so the server reads the new XP that I put in?
The right thing would be for me to put in values beyond level 150 and it would level up normally.
I don't understand this.
-
Re: Adding a Higher Level Cap Better Translation!
I already tested putting more entries below; the player just doesn't get past level 149.
-
Re: Adding a Higher Level Cap Better Translation!
Excellent. Thank you. In which case, the code is not reading the data beyond level 150, or you have not updated the client.
Code:
0044A107 |. 8BD8 mov ebx, eax
0044A109 |. A1 9CF9C708 mov eax, dword ptr [8C7F99C] ;this is the high dword of the second level count from back
0044A10E |. 8BFA mov edi, edx
0044A110 |. 3BF8 cmp edi, eax
0044A112 |. 7F 13 jg short 0044A127
0044A114 |. 7C 08 jl short 0044A11E
0044A116 |. 3B1D 98F9C708 cmp ebx, dword ptr [8C7F998];this is the low dword of the second level count from back
These tell the program to stop counting XP, because you can't level any more.
If you have added the level data you wanted, progress through the tutorial from that code section onward.
-
Re: Adding a Higher Level Cap Better Translation!
Then how should it be?
The player reaches level 149; after reaching that level he can still gain more %, but if he reaches 99% and relogs he should level up to 150. Instead he goes back to 0.
So I want to know how it has to be set in Olly so that the server "reads" more than level 149 and keeps reading up to 150, 151, 152....
-
Re: Adding a Higher Level Cap Better Translation!
Okay... the two alternate translations helped me there. Thank you.
If you get the correct level, only after logging out and logging back in, then the client is not modified correctly yet.
If you are not able to level up beyond 149, or 150 then at least one of the two are not looking at the full table.
Remember, this entire tutorial has to be performed on both the server, and the client executable. Their tables and their code must match, or you will have problems.
-
Re: Adding a Higher Level Cap Better Translation!
I tried to follow the Olly part.
I set it exactly as he posted, and when I go to gain 1% it gives an error.
How does the Olly part have to be set?
-
Re: Adding a Higher Level Cap Better Translation!
I have looked your last post up and down Vahvel in both En and Br and I'm afraid I don't know how to respond helpfully.
I gather you are having trouble with the Olly section... I hope you are not "new" to Olly, as what this guide teaches is quite advanced.
I am also gathering that YOUR client and server are quite different from the releases on these forums... which means someone has already developed them beyond what this guide is illustrating, and they have not shared either their work, or their method with us... so without seeing what you have to work with, I am coming to a loss as to how to help you.
If you know Olly well enough, finding the code by searching for references to the table is not hard... but as your code is clearly not like strangefay's, and therefore not what we can see in our executables, I can only rely on your ability to determine what is the correct thing to do.
I presume you don't have the option to use a more standard client and server executable, or you would have done it. I also presume you are not in contact with the person who developed your existing extended level cap, as they could surely help you much better. They have already done this, and they did it in a different manner than this tutorial teaches, and they clearly made some provision for extending further.
-
Re: Adding a Higher Level Cap Better Translation!
I want to change the start of my exp table. Example: level 1 is actually 10 and I want to put 1000 (like the originals). Do I need to change something in Olly, or just change the hex?
-
Re: Adding a Higher Level Cap Better Translation!
You have to use both.
To change your XP table use Hex Editor.
And after you have changed your XP table and you get XP like 99.99%, you have to use Olly for the level-up effect.
Good luck ^^
-
Re: Adding a Higher Level Cap Better Translation!
Quote:
Originally Posted by
tr1pl3x1
You have to use both.
To change your XP table use Hex Editor.
And after you have changed your XP table and you get XP like 99.99%, you have to use Olly for the level-up effect.
Good luck ^^
Strictly speaking, Olly makes a pretty good hex editor...
One of the main things I like about it, is the ability to look at the addresses of data as they will be in the memory when the image (executable) is loaded, rather than their offset from the start of the file.
Another good point is that you can limit search and replace activity to a single section of the PE as defined in the header.