Adding a Higher Level Cap Better Translation!

Hey guys Unzubaru here,

This is just to help explain things a bit better and in clearer English, so that people who don't know it too well get a better understanding without trawling through the same sentence over and over wondering what he's talking about. I hope this helps, and remember: there is always a big beautiful THANKS button with a thumbs up if this helped!
Delete this if it isn't needed.

First, the screenshots:
[screenshots]

First of all we have to find the EXP table in the .exe.

Go to the Server folder, open your XPTable (the one your server.exe uses) and look at the first offset (the set of numbers and letters) you see. Use that, as it is the beginning offset of your XP table in both your client and your server.

Now we go to "search for" -> "all sequences" (use the sequence below):



Code:
  pop     edi
  mov     eax, 1
  pop     ebx
  retn
  push    ebp
  push    esi
  push    edi
  add     eax, 388C
  push    ebx
  push    eax
You will most probably end up here:



Code:
0044A14C  |.  5F            pop     edi
0044A14D  |.  B8 01000000   mov     eax, 1
0044A152  |.  5B            pop     ebx
0044A153  |.  C3            retn
0044A154  |>  55            push    ebp
0044A155  |.  56            push    esi
0044A156  |.  57            push    edi
0044A157  |.  05 8C380000   add     eax, 388C
0044A15C  |.  53            push    ebx
0044A15D  |.  50            push    eax
0044A15E  |.  E8 6D99FFFF   call    00443AD0
0044A163  |.  83C4 0C       add     esp, 0C
0044A166  |.  E8 B597FFFF   call    00443920
0044A16B  |.  E8 30BFFFFF   call    004460A0
0044A170  |.  8B2D DC8D8B00 mov     ebp, dword ptr [8B8DDC]
0044A176  |.  8BB5 44390000 mov     esi, dword ptr [ebp+3944]
0044A17C  |.  8B04F5 14F0C7>mov     eax, dword ptr [esi*8+8C7F014]
0044A183  |.  85C0          test    eax, eax
0044A185  |.  8B0CF5 10F0C7>mov     ecx, dword ptr [esi*8+8C7F010]
0044A18C  |.  0F8C A1000000 jl      0044A233
0044A192  |.  7F 08         jg      short 0044A19C
0044A194  |.  85C9          test    ecx, ecx
0044A196  |.  0F82 97000000 jb      0044A233
0044A19C  |>  3BF8          cmp     edi, eax
0044A19E  |.  0F8C 8F000000 jl      0044A233
0044A1A4  |.  7F 08         jg      short 0044A1AE
0044A1A6  |.  3BD9          cmp     ebx, ecx
0044A1A8  |.  0F82 85000000 jb      0044A233
Notice this line:


Code:
0044A185  |.  8B0CF5 10F0C7>mov     ecx, dword ptr [esi*8+8C7F010]
It is an array with the base pointer 0x8C7F010 (this is not a fixed value; it changes with each .exe. As an example, I shall use this offset).

Right on this line, we do "follow in dump" -> "Address constant".
Now you can see your EXP table, just like this.
Notice that we got 08C7F010, but the real start of the table is 8C7F000, 0x10 bytes before it. Remember that!



Code:
08C7F000  08 00 09 00 0D 00 00 00 0A 00 00 00 09 00 09 00
08C7F010  00 00 00 00 00 00 00 00 E8 03 00 00 00 00 00 00
08C7F020  C4 09 00 00 00 00 00 00 88 13 00 00 00 00 00 00
08C7F030  1C 25 00 00 00 00 00 00 CC 42 00 00 00 00 00 00
08C7F040  E5 74 00 00 00 00 00 00 0F C9 00 00 00 00 00 00
08C7F050  CC 55 01 00 00 00 00 00 E1 22 02 00 00 00 00 00
08C7F060  41 3F 03 00 00 00 00 00 02 AD 04 00 00 00 00 00
08C7F070  EE 5B 06 00 00 00 00 00 08 34 08 00 00 00 00 00
08C7F080  0A 41 0A 00 00 00 00 00 0D B7 0C 00 00 00 00 00
08C7F090  B6 A3 0F 00 00 00 00 00 87 14 13 00 00 00 00 00
Unfortunately there isn't enough room for the EXP table any more (the .exe is clogged ;P),
so this is the main topic today: add a new section and move the EXP table!

I obviously cannot be certain which version of server/client you have, but that's not important. If your version has a section with many zeros, you are in luck: just skip the next 4 paragraphs. Otherwise, carry on!

Tools: LordPE and a hex editor.
Open your server with a hex editor.

NOTE: THESE STEPS APPLY TO BOTH CLIENT AND SERVER. START WITH THE SERVER, THEN DO THE CLIENT AS WELL!

Scroll to the bottom and insert some bytes. I advise you to fill them with int3 or NOP so that LordPE won't butt-rape your PC to hell. Do not forget how many bytes you added.

Now we open the server (or client) with LordPE (the built-in PE editor), click Sections to see the section table, and add a section, just like this:

[screenshot]


Then right-click the newly added section, give it whatever suitable name you wish, and fill in the VirtualAddress and RVA blanks with the number of bytes you've just added. (The other blanks are fine; they have been fixed up by LordPE, and I have no time to explain them.)
Just like this:

[screenshot]


OK, now press OK, save the changes, then press "rebuild PE". That's the easiest way to add your own section and avoid many calculations! XD

Now we copy the whole EXP table into the section we've just added. What's its address? Open the file with the PE editor in LordPE, note the section's offset, and add 0x400000 to it; then you've got it! And of course don't forget to write your own EXP numbers for the new levels (just no more than 0xFFFFFFFFFFFFFFFF). You got it?

Now we need to fix the variables, i.e. the level-comparing places. Open the server (or client) with your hex editor and replace:
every 0x8C7F010 to your address,
every 0x8C7F010 +0x4 to your address +0x4,
every 0x8C7F010 +0x8 to your address +0x8,
every 0x8C7F010 +0xc to your address +0xc

every 0x8C7F000 to your address -0x10
every 0x8C7F004 to your address -0x10 +0x4

Now go back to the place we found at the beginning; you'll find we still need to fix some more addresses, but these are the last ones.


Code:
0044A107  |.  8BD8          mov     ebx, eax
0044A109  |.  A1 9CF9C708   mov     eax, dword ptr [8C7F99C] ;this is the high dword of the second-to-last level entry
0044A10E  |.  8BFA          mov     edi, edx
0044A110  |.  3BF8          cmp     edi, eax
0044A112  |.  7F 13         jg      short 0044A127
0044A114  |.  7C 08         jl      short 0044A11E
0044A116  |.  3B1D 98F9C708 cmp     ebx, dword ptr [8C7F998];this is the low dword of the second-to-last level entry
The next place is a validity check: the server must make sure that you cannot level up if you are not Rank 3 or higher. After all, who is only rank 2 yet level 120?


Code:
0044A127  |> \3B3D 2CF3C708 cmp     edi, dword ptr [8C7F32C];this is the high dword of lvl100
0044A12D  |.  A1 DC8D8B00   mov     eax, dword ptr [8B8DDC] ;this needn't be fixed
0044A132  |.  7C 20         jl      short 0044A154
0044A134  |.  7F 08         jg      short 0044A13E
0044A136  |.  3B1D 28F3C708 cmp     ebx, dword ptr [8C7F328] ;this is the low dword of lvl100
This place is the MAX_LEVEL check. Mine is 0x133, which is 307 in decimal (I have no time to add so many EXP entries XD; even this table was produced by a little tool I wrote).


Code:
0044A1A6  |.  3BD9             cmp     ebx, ecx
0044A1A8  |.  0F82 85000000    jb      0044A233
0044A1AE  |>  81FE 33010000    cmp     esi, 133   ;  here (for the client you need to set a jmp, because there is not enough space for the opcodes)
0044A1B4  |.  7D 7D            jge     short 0044A233
This is the EXP-table check; remember to fix these at runtime (once is enough).


Code:
0044A1BB  |.  8B0D B0F9C708    mov     ecx, dword ptr [8C7F9B0]
0044A1C1  |.  3BC8             cmp     ecx, eax
0044A1C3  |.  75 6E            jnz     short 0044A233
0044A1C5  |.  A1 B4F9C708      mov     eax, dword ptr [8C7F9B4]
The last level check (this check exists only on the server side):


Code:
004439E0  /$  8B4424 04        mov     eax, dword ptr [esp+4]
004439E4  |.  85C0             test    eax, eax
004439E6  |.  7E 3D            jle     short 00443A25
004439E8  |.  3D 32010000      cmp     eax, 132;this is the right place
004439ED  |.  7F 36            jg      short 00443A25
004439EF  |.  8B5424 0C        mov     edx, dword ptr [esp+C]
And you're done :D~ With this you can get an ALMOST unlimited level cap, and of course you can modify a character with the level editor I published.
Now have fun and a nice day~ All best wishes.


                               WaHVeY (StrangeFay) [P.R.C]
                                   2009-3-24 16:51:53

Translated for fewer headaches by Unzubaru.
 
Sweet, man =D. So did this help? Because for me it was hard to understand everything he was saying if I just read it through, so I thought I would help by making it less jumpy :P.
 
I didn't struggle too much with the original; I thought it was pretty good for someone who is not a native English speaker... But I know I have helped a few people with it. I think it is hard if you are unsure of the technical process. If you have a good general idea of what he is trying to do, the few grammatical anomalies are not a great hurdle.

I hope strangefay isn't too upset by your re-work, because this is his guide. I don't know what attempts you may have made to help him improve his guide before re-making it, but I think I would have tried that first before reproducing an already fine work just to clean up some ambiguities.

I would also have posted this in his thread... mods can shift posts between threads, and in the same thread all responses and queries relate to the same article; here, information becomes a little spread out and could be difficult to find.

But from the number of queries I had, I agree there was some call for improving some of the terms used. I just hope strangefay isn't offended by this statement, or this thread in general, and I thank you for keeping the credit for the tutorial's origin with strangefay.
 
I don't understand.
Can someone explain?
It's a tutorial... which means it is an explanation... It's kind of hard to explain an explanation, but if you tell us which bit you are struggling with, we can try to elaborate. :wink:
---EDIT---
Received via PM:-
Vahvel said:
Then can you help me here?
I wish you'd help me put in level 235.
If possible, thanks.
Yes it is possible, but first I would rather do it publicly, so the responses can be searched and used by others.

If you follow this guide by strangefay (or its originator) you should be able to achieve level 235... or whatever level you want.

If you are struggling with a section, please ask and I and others will surely try to help out. But please be specific, and don't just ask us to re-write the entire guide. I can't answer "How do I follow this guide?" in any way other than to say "Read it, then do what it says," which I'm pretty sure won't help you much.
---EDIT---
Vahvel said:
I am having trouble doing almost anything in the tutorial for level 235.
If by some chance I give you my Game.exe and Server.exe, could you do it for me? In that case I will study it.
I think this will help me and others, just by downloading.
Not everyone understands this tutorial.
Dude... many people don't understand this tutorial, which is why strangefay linked executables which are already (at least partially) edited.

This is not an easy tutorial by any means. It is not for beginners, and not for the faint of heart. If you can do this, you can consider it a great achievement.:wink:

The only way we will ever get a better tutorial, one that people can follow more easily, is if those who struggle to follow this one try their hardest to work through it, step by step, and ask the community for help... When we, as a community, manage to provide answers that people do understand, then we will know what information needs to be in a better guide, and how to phrase it.

I don't really have a problem understanding what strangefay has said, but I haven't tried doing it myself yet. I have helped others do it, and I can only say that going over the same stuff again and again in PMs is tiring and unproductive for the larger community... I will now only provide responses in public with the aim of helping us all to understand this better.
 
OK.
I do not understand what to do in Olly in the first part of the tutorial.
It talks about adding bytes, but how?
Then it says you have to add a section in LordPE; I add it, but I do not understand what to do afterwards.
And my client is level 150; after all this works, can I level up normally in game, or do I have to edit with a level editor?
 
Okay... the first part is about finding the EXP table in the executable that is being used. This can be problematic, because some .exes have more than one table, where they have been edited before and the old table was never blanked.

It may be easier to find the table by searching for
Code:
00 00 00 00 00 00 00 00 E8 03 00 00 00 00 00 00
then selecting that line in the memory view in Olly and searching for references to it.

That should still lead you back to the same piece of code. strangefay found the code and noted down some instructions that will be pretty common to all clients and servers, and fairly unique to the level table lookup routines. This is a pretty sure-fire (guaranteed) way to locate the information that is used in any executable.

I suspect the confusion is that he did not explain where he got this magical set of instructions to search for.
Code:
pop edi
mov eax, 1
pop ebx
retn
push ebp
push esi
push edi
add eax, 388C
push ebx
push eax
If you still want to try his method (and it's a good one), then right-click (context click) on the instructions in the CPU window in Olly, select "search for" and from that menu "all command sequences", and type in the lines from the code section above.

As in:
[screenshots]


If that turns up no results, I found that reducing the list of commands to just the ones after "retn" gave me the right result. :wink:

Many people have complained that LordPE is a pain to use... and it is. A good program, but a pain to use. To add a section, you could also consider referring to Gregoory's tutorial on using ToPo, or my tutorial on doing it with CFF Explorer Suite. The end result is the same, regardless of the tool used.
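Bobsobol's two points above, searching the dump for the `00 00 00 00 00 00 00 00 E8 03 ...` start and then asking Olly for references to it, and the warning that a previously edited .exe may still carry an old table that was never blanked, as an added example (not an Olly feature and not code from anyone in this thread). It scans a memory image at a known base for 8-aligned runs of strictly increasing QWORDs that start at 0, ends a run at any value that is negative as a signed 64-bit number (the lookup in the listing compares the high dwords with jl/jg, so FF.. fillers are unreachable anyway), and then counts the 32-bit absolute references into each run, so the copy the code actually reads ranks first. `BASE_VA`, the 8-byte alignment assumption and the image from `build_sample_image()` are constructed: a stale copy at 8C7E100 that nothing points at, the live copy behind the 0x10 prefix bytes at 8C7F010, and the table-reading instructions from the listing pointing at the live copy.

```python
"""Rank EXP-table candidates in a memory image by the number of absolute
32-bit references into them.  Added example for this thread, not an Olly
feature and not code from the post; the image is constructed."""
import struct

BASE_VA = 0x8C7E000           # where the constructed image is "mapped" (assumption)
SIGNED_LIMIT = 1 << 63        # the lookup compares high dwords with jl/jg: signed 64-bit


def find_qword_runs(image: bytes, base_va: int, min_entries: int = 8) -> list[tuple[int, int]]:
    """(va, entries) for every 8-aligned run of strictly increasing QWORDs that
    starts at 0 (level 1 needs no exp) and stays non-negative as signed 64-bit,
    so FF.. fillers end a run.  Assumes 8-byte alignment, as at 8C7F010."""
    runs, pos = [], 0
    while pos + 8 <= len(image):
        if struct.unpack_from("<Q", image, pos)[0] != 0:
            pos += 8
            continue
        end, prev = pos + 8, 0
        while end + 8 <= len(image):
            v = struct.unpack_from("<Q", image, end)[0]
            if v <= prev or v >= SIGNED_LIMIT:
                break
            prev, end = v, end + 8
        if (end - pos) // 8 >= min_entries:
            runs.append((base_va + pos, (end - pos) // 8))
        pos = end
    return runs


def find_refs(image: bytes, base_va: int, table_va: int, nbytes: int) -> list[tuple[int, int]]:
    """(va of the dword, offset into the table) for every little-endian dword
    whose value lies inside [table_va, table_va + nbytes): what Olly's
    'find references' does for a dump selection, without knowing which bytes
    are code.  Linear over the image; a few seconds for a multi-MB exe."""
    hits = []
    for pos in range(len(image) - 3):
        v = struct.unpack_from("<I", image, pos)[0]
        if table_va <= v < table_va + nbytes:
            hits.append((base_va + pos, v - table_va))
    return hits


def rank_tables(image: bytes, base_va: int) -> list[dict]:
    """Candidates ordered by reference count: a stale copy left by an earlier
    edit has none, the copy the code reads has several."""
    ranked = []
    for va, n in find_qword_runs(image, base_va):
        refs = find_refs(image, base_va, va, n * 8)
        ranked.append({"va": va, "entries": n, "refs": len(refs),
                       "ref_offsets": sorted({off for _, off in refs})})
    return sorted(ranked, key=lambda c: c["refs"], reverse=True)


def build_sample_image() -> bytes:
    """Constructed 12 KiB image: a stale table at 8C7E100 nothing points at,
    the live table behind the 0x10 prefix at 8C7F010, code at 8C80000."""
    img = bytearray(0x3000)
    stale = [0, 1000, 2500, 5000, 9500, 17100, 29925, 51471, 87500, 140000, 210000, 300000]
    struct.pack_into("<12Q", img, 0x100, *stale)
    img[0x1000:0x1010] = bytes.fromhex("080009000D0000000A00000009000900")  # prefix from the dump
    struct.pack_into("<24Q", img, 0x1010, *([0] + [1000 * n * n for n in range(1, 24)]))
    struct.pack_into("<Q", img, 0x10D0, 0xFFFFFFFFFFFFFFFF)                  # filler after the table
    img[0x2000:0x2019] = bytes.fromhex(
        "8B04F514F0C708"   # mov eax, [esi*8+8C7F014]
        "8B0CF510F0C708"   # mov ecx, [esi*8+8C7F010]
        "A1CCF0C708"       # mov eax, [8C7F0CC]   high dword of the last entry
        "3B1DC8F0C708")    # cmp ebx, [8C7F0C8]   low dword of the last entry
    return bytes(img)


if __name__ == "__main__":
    for c in rank_tables(build_sample_image(), BASE_VA):
        print(f"table at {c['va']:#x}: {c['entries']} entries, {c['refs']} refs, "
              f"start with the 0x10 prefix at {c['va'] - 0x10:#x}")
```

On a real dump, take Olly's memory map base as `base_va`, and compare the winning candidate's entry count with the `cmp esi, 133` bound from the listing: they should agree, and the `ref_offsets` near the end of the table are exactly the level-check operands that must be fixed along with the base pointer.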
 
OK...
I found the XP table 100% as in the tutorial.
Now I have to do something that I did not understand.
I can find the part with the XP table and add a section in LordPE.
But there are certain things after that which I do not understand.


And I would like to know which Olly you use?
Mine is different.
 
Well, I (usually) use the beta version of ODb v2. It's faster, but doesn't support all the nice plugins of the "stable" ODb v1.x versions.

Other than that, it's clear, I think, that I have customised the colour scheme and fonts... apart from the "theme", my Olly is pretty much the same as anyone else's. I hope we are able to see past cosmetics. :wink:

Now you have to do something that I did not understand.
Can you quote the instruction(s) you "do not understand", as that would give me, and others, a better idea what you need help with.
 
Yeah, this wasn't meant to cause offence; I just thought it was a bit bitty and such. I knew StrangeFay (if he's the same guy XD); well, they were both Chinese anyway XD.
Though I didn't know him well, I don't mean to cause offence here. It just helps people like Vahvel whose first language isn't English.
 
Sorry for my English, I'm Brazilian.
The part that I did not understand was after adding a new section.
Before that it speaks of adding bytes; how do I add bytes? And after I add this new section, do I get the section with the EXP table created? And how can I make it level UP past 150?
 
Scroll to the bottom and insert some bytes. I advise you to fill them with int3 or NOP so that LordPE won't butt-rape your PC to hell. Do not forget how many bytes you added.
Is this what you mean?

This is already done for you if you use ToPo or CFF. LordPE only adds a section header; it doesn't increase the size of the executable... so until you add some (initially blank) bytes to the file, your PE is corrupted.

Basically LordPE only does half the job, and you have to finish it. But not all Hex editors CAN add bytes to the end of a file. Some can only edit bytes that are already there.

But I'm pretty sure the Tutorial tells you to do that bit first, and use LordPE after.

How many bytes you add, is how many bytes you need for your new XP table.

How many bytes that is, depends on how many levels you want to go to.

Basically, if my memory is correct, the formula is 8 times the highest level you want... and add a bit for safety.
 
My XP table has space below it.
It goes up to level 150; I have a lot of "FFFFFFFFFFFFFFFF" and below that there is no value.
Is there any way to put new levels below?
And how do I get the server to read those levels, so that from level 149 it goes up to 150, 151, 152...?
 
Difficult to say. Who extended your server to 150? They would know.

If the space below that is filled with FF FF FF FF FF FF FF FF is actually read by the server as Experience to level table entries, then all you need to do is write your Exp:Level stuff in there... I guess.

But if the server stops reading on the first FF FF FF FF FF FF FF FF (pretty unreachable) then you will still have to shift the end point.

The stuff after:
now back to and return to the place we found at the beginning , you 'll find we still need some more addresses to fix, but these are the last ones.
will tell you the end point of the actual table the exe is using.

If you have to shift the end point then you need to be sure (absolutely sure with no question of doubt in your mind what-so-ever) that NOTHING else in the exe is using what you believe to be blank space.

Remember, that the program could write to those 00s at any point, and that would mess up your Exp table real bad.
 
Here are some pictures of what I mean, so you can see that the space is below the XP table.

[screenshots]
 
Well Bobsobol, to my hexing knowledge, doesn't 0xFFFFFFFF mean white?
lol. Does it?

So Does 0x4E616D65 always mean 101 blue, 109 green, 97 red, 78 Alpha? Or can it also mean 1315007845, or the text string "Name"?

The fact is that bytes of data stored in a computer have no meaning what-so-ever until you use them for something... This also means that that data could mean any, and all of those things... and a sneaky thing to do is use the same data to represent two different things, so that one cannot change one value without changing another.

0xFFFFFFFF either means 4294967295 or -1, depending on whether the value is looked at as a QWord, or a UQuad. (That is, whether you consider it a positive integer, or a signed integer)

Either way, it would be pretty hard to increase your XP to the point where you reach that figure... which is why (I suspect) it's there.

@Vahvel: All seems pretty correct to me, except that the last value should be 8 bytes, not just 6... these are QWords, not a DWord and a Word... that would be a git to calculate anyway.

Looks like you have an uncommonly simple server executable to work with. Well done. :wink:
 
But how do I get the server to read the new XP values that I put in?
The right thing would be for me to put in more values beyond level 150 and then have it level UP normally.
 