Now We Go
Get the Exp Table
Now, in OllyDbg (od), use "Search for" -> "All sequences" and look for this command sequence (just like this):
Code:
pop edi
mov eax, 1
pop ebx
retn
push ebp
push esi
push edi
add eax, 388C
push ebx
push eax
You should arrive here:
Code:
0044A14C |. 5F pop edi
0044A14D |. B8 01000000 mov eax, 1
0044A152 |. 5B pop ebx
0044A153 |. C3 retn
0044A154 |> 55 push ebp
0044A155 |. 56 push esi
0044A156 |. 57 push edi
0044A157 |. 05 8C380000 add eax, 388C
0044A15C |. 53 push ebx
0044A15D |. 50 push eax
0044A15E |. E8 6D99FFFF call 00443AD0
0044A163 |. 83C4 0C add esp, 0C
0044A166 |. E8 B597FFFF call 00443920
0044A16B |. E8 30BFFFFF call 004460A0
0044A170 |. 8B2D DC8D8B00 mov ebp, dword ptr [8B8DDC]
0044A176 |. 8BB5 44390000 mov esi, dword ptr [ebp+3944]
0044A17C |. 8B04F5 14F0C7>mov eax, dword ptr [esi*8+8C7F014]
0044A183 |. 85C0 test eax, eax
0044A185 |. 8B0CF5 10F0C7>mov ecx, dword ptr [esi*8+8C7F010]
0044A18C |. 0F8C A1000000 jl 0044A233
0044A192 |. 7F 08 jg short 0044A19C
0044A194 |. 85C9 test ecx, ecx
0044A196 |. 0F82 97000000 jb 0044A233
0044A19C |> 3BF8 cmp edi, eax
0044A19E |. 0F8C 8F000000 jl 0044A233
0044A1A4 |. 7F 08 jg short 0044A1AE
0044A1A6 |. 3BD9 cmp ebx, ecx
0044A1A8 |. 0F82 85000000 jb 0044A233
Code:
0044A185 |. 8B0CF5 10F0C7>mov ecx, dword ptr [esi*8+8C7F010]
Of course, you can already see what this is: an array indexed by esi*8 with base address 0x8C7F010 (this is not a fixed value, so find it yourself in your own binary; I'll use this number as the example from here on).
On this line, right-click and choose "Follow in Dump" -> "Address constant".
Now you can see your exp table, just like this:
Notice that we got 08C7F010, but the real start of the block is 08C7F000, 0x10 bytes before it. Remember that! Each level owns one qword: the code reads the low dword at [esi*8+8C7F010] and the high dword at [esi*8+8C7F014] and compares the pair as a 64-bit value, which is why the entries in the dump are 8 bytes apart.
Code:
08C7F000 08 00 09 00 0D 00 00 00 0A 00 00 00 09 00 09 00 ................
08C7F010 00 00 00 00 00 00 00 00 E8 03 00 00 00 00 00 00 ................
08C7F020 C4 09 00 00 00 00 00 00 88 13 00 00 00 00 00 00 ................
08C7F030 1C 25 00 00 00 00 00 00 CC 42 00 00 00 00 00 00 .%.......B......
08C7F040 E5 74 00 00 00 00 00 00 0F C9 00 00 00 00 00 00 .t..............
08C7F050 CC 55 01 00 00 00 00 00 E1 22 02 00 00 00 00 00 .U......."......
08C7F060 41 3F 03 00 00 00 00 00 02 AD 04 00 00 00 00 00 A?..............
08C7F070 EE 5B 06 00 00 00 00 00 08 34 08 00 00 00 00 00 .[.......4......
08C7F080 0A 41 0A 00 00 00 00 00 0D B7 0C 00 00 00 00 00 .A..............
08C7F090 B6 A3 0F 00 00 00 00 00 87 14 13 00 00 00 00 00 ................
Unfortunately, there is no free space after the table for the exp of new levels!
So this is the main topic today: add a section and move the exp table!
I don't know which modded version of the server/client you have; that's not important. If your version already has a section with lots of zero bytes, you're lucky: just skip the next four paragraphs. Otherwise, read on.
Tools: LordPE and a hex editor.
Open your server (or client) in a hex editor, scroll to the bottom, and append some bytes (I advise filling them with CC (int3) or 90 (nop) instead of 00, because LordPE gets violent with zero bytes when rebuilding your server (or client)). Don't forget how many bytes you added.
Now open the server (or client) in LordPE's built-in PE editor, click "Sections" to see the section table, and add a section, just like this:

Then right-click the newly added section, give it whatever name you like, and fill in the virtual size and raw size blanks (VSize and RSize) with the number of bytes you just added. (The other blanks have already been filled in by LordPE, and I don't have time to explain them.)
Just like this:

OK, now press OK, save, and then press "Rebuild PE". That's the easiest way to add your own section and avoid a lot of calculations! XD
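The LordPE steps above, done by hand in a script. This is an added example, not the post's tool and not LordPE's code: it parses the PE headers itself (no pefile), appends the raw data at the end of the file and writes the new section header, which is the bookkeeping "Rebuild PE" hides from you. The sample PE it builds is a constructed header-only skeleton; the section name ".exp", the 0xCC fill byte and the RW data flags are assumptions.

```python
"""Append a section to a PE32 file by hand, doing what LordPE's "add section"
plus "Rebuild PE" does.  Added example: not the post's tool and not LordPE's
code.  Assumes a 32-bit PE32 image whose header area still has room for one
more 40-byte section header (checked below)."""
import struct

SECTION_HDR_FMT = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HDR_LEN = struct.calcsize(SECTION_HDR_FMT)
SCN_DATA_RW = 0xC0000040            # INITIALIZED_DATA | MEM_READ | MEM_WRITE


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def _locate(pe):
    """Offsets of IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32 and the section
    table, plus the section count."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    return coff, opt, opt + opt_size, num_sections


def list_sections(pe):
    """(name, VOffset, VSize, ROffset, RSize) per section: LordPE's columns."""
    _, _, table, n = _locate(pe)
    out = []
    for i in range(n):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            SECTION_HDR_FMT, pe, table + i * SECTION_HDR_LEN)[:5]
        out.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return out


def size_of_image(pe):
    _, opt, _, _ = _locate(pe)
    return struct.unpack_from("<I", pe, opt + 56)[0]


def add_section(pe, name, data, characteristics=SCN_DATA_RW, fill=b"\xCC"):
    """Return (new_file_bytes, virtual_address).  virtual_address is
    ImageBase + the new section's VOffset, the sum the post works out by
    hand as VOffset + 0x400000; that is where the moved table will live."""
    pe = bytearray(pe)
    coff, opt, table, n = _locate(pe)
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    section_align = struct.unpack_from("<I", pe, opt + 32)[0]
    file_align = struct.unpack_from("<I", pe, opt + 36)[0]
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    new_hdr = table + n * SECTION_HDR_LEN
    if new_hdr + SECTION_HDR_LEN > size_of_headers:
        raise ValueError("no room in the header for another section entry")

    # In memory: right after the highest existing section, page aligned.
    last_end = max((va + max(vsize, rawsize) for _, va, vsize, _, rawsize in list_sections(pe)), default=0)
    new_va = align_up(last_end, section_align)
    # On disk: appended to the end of the file.  Pad with int3 rather than
    # zeros, as the post advises, so a later rebuild does not trim it.
    raw_ptr = align_up(len(pe), file_align)
    raw_size = align_up(len(data), file_align)
    pe += fill * (raw_ptr - len(pe)) + bytes(data) + fill * (raw_size - len(data))

    struct.pack_into(SECTION_HDR_FMT, pe, new_hdr, name.encode()[:8].ljust(8, b"\0"),
                     len(data), new_va, raw_size, raw_ptr, 0, 0, 0, 0, characteristics)
    struct.pack_into("<H", pe, coff + 2, n + 1)                                  # NumberOfSections
    struct.pack_into("<I", pe, opt + 56, align_up(new_va + len(data), section_align))  # SizeOfImage
    return bytes(pe), image_base + new_va


def build_minimal_pe():
    """Constructed sample input: a header-only PE32 with one .text section
    (ImageBase 0x400000, SectionAlignment 0x1000, FileAlignment 0x200)."""
    pe = bytearray(0x400)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                           # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # IMAGE_FILE_HEADER
    opt = 0x58
    struct.pack_into("<H", pe, opt, 0x10B)                           # PE32 magic
    # ImageBase, SectionAlignment, FileAlignment, SizeOfImage, SizeOfHeaders, NumberOfRvaAndSizes
    for off, val in ((28, 0x400000), (32, 0x1000), (36, 0x200), (56, 0x2000), (60, 0x200), (92, 16)):
        struct.pack_into("<I", pe, opt + off, val)
    struct.pack_into(SECTION_HDR_FMT, pe, opt + 0xE0, b".text\0\0\0",
                     0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(pe)


if __name__ == "__main__":
    table = bytes(0x10) + bytes(8 * 150)          # placeholder: header + 150 empty qword entries
    new_pe, va = add_section(build_minimal_pe(), ".exp", table)
    print("new table address: %08X" % va)
    for sec in list_sections(new_pe):
        print("  %-8s VOffset=%08X VSize=%08X ROffset=%08X RSize=%08X" % sec)
```

The returned address is ImageBase + VOffset, the same sum as the post's VOffset + 0x400000, except that the image base is read from the header instead of assumed. The SizeOfHeaders check is the one that bites in practice: when the existing section table has no slack after the last entry, a new header would overwrite the first section's data, so the script refuses; such a file needs the zero-filled existing section the post mentions instead.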
Now copy the whole exp table into the newly added section with OllyDbg, including the 0x10 bytes in front of it, so the layout stays the same. What's the new address? Open the file with LordPE's PE editor, note the section's VOffset, and add 0x400000 (the image base) to it; that's your address. And of course don't forget to write your own exp values for the new levels (each entry is a qword, so no more than 0xFFFFFFFFFFFFFFFF). Got it?
Now we need to fix the references, i.e. the level-comparing places. Open the server (or client) in your hex editor (remember that x86 stores addresses little-endian, so 0x8C7F010 appears as the bytes 10 F0 C7 08) and replace:
every 0x8C7F010 with your address,
every 0x8C7F010 + 0x4 with your address + 0x4,
every 0x8C7F010 + 0x8 with your address + 0x8,
every 0x8C7F010 + 0xC with your address + 0xC,
every 0x8C7F000 with your address - 0x10,
every 0x8C7F004 with your address - 0x10 + 0x4.
Now go back to OllyDbg and return to the place we found at the beginning. You'll find we still need to fix a few more addresses, but these are the last ones.
Code:
0044A107 |. 8BD8 mov ebx, eax
0044A109 |. A1 9CF9C708 mov eax, dword ptr [8C7F99C] ; high dword of the second-to-last table entry
0044A10E |. 8BFA mov edi, edx
0044A110 |. 3BF8 cmp edi, eax
0044A112 |. 7F 13 jg short 0044A127
0044A114 |. 7C 08 jl short 0044A11E
0044A116 |. 3B1D 98F9C708 cmp ebx, dword ptr [8C7F998] ; low dword of the second-to-last table entry
The next place is a check: the server must make sure that you cannot level up if you still haven't raised your profession (or job; I don't know how to translate this technical word from Chinese to English XD) to rank 3.
Code:
0044A127 |> \3B3D 2CF3C708 cmp edi, dword ptr [8C7F32C] ; high dword of the level 100 entry (edi holds the high dword)
0044A12D |. A1 DC8D8B00 mov eax, dword ptr [8B8DDC] ; this one doesn't need to be fixed
0044A132 |. 7C 20 jl short 0044A154
0044A134 |. 7F 08 jg short 0044A13E
0044A136 |. 3B1D 28F3C708 cmp ebx, dword ptr [8C7F328] ; low dword of the level 100 entry
This place is the MAX_LEVEL check. Mine is 0x133, that is 307 in decimal (I had no time to add that many exp entries XD, even though they are produced by a little tool I wrote).
Code:
0044A1A6 |. 3BD9 cmp ebx, ecx
0044A1A8 |. 0F82 85000000 jb 0044A233
0044A1AE |> 81FE 33010000 cmp esi, 133 ; here (in the client you need to put a jmp to your own code, because there isn't enough space for the new opcodes)
0044A1B4 |. 7D 7D jge short 0044A233
This is the exp-table check; remember to fix these at runtime as well (once is enough).
Code:
0044A1BB |. 8B0D B0F9C708 mov ecx, dword ptr [8C7F9B0]
0044A1C1 |. 3BC8 cmp ecx, eax
0044A1C3 |. 75 6E jnz short 0044A233
0044A1C5 |. A1 B4F9C708 mov eax, dword ptr [8C7F9B4]
The last level check (this check is only on the server side):
Code:
004439E0 /$ 8B4424 04 mov eax, dword ptr [esp+4]
004439E4 |. 85C0 test eax, eax
004439E6 |. 7E 3D jle short 00443A25
004439E8 |. 3D 32010000 cmp eax, 132 ; this is the one to change
004439ED |. 7F 36 jg short 00443A25
004439EF |. 8B5424 0C mov edx, dword ptr [esp+C]
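The replace list (every 0x8C7F010 ... your address - 0x10 + 0x4), the remaining per-entry references (8C7F99C, 8C7F32C, 8C7F9B0 ...) and the two cap immediates (cmp esi, 133 / cmp eax, 132) from the listings above, as one added Python script. It is not the post's tool: it parses the dump lines into the 0x10-byte header plus qword entries, extends the table with a made-up curve, rewrites every absolute dword that points into the old table range with the new base (which goes beyond the six hand-listed replacements), and patches the 81 FE imm32 and 3D imm32 cap immediates. The new base 0x00502010, the old entry count 309, the new cap 0x200 and the sample instruction bytes (copied from the listings, with one non-table reference as a control) are assumptions and constructed input.

```python
"""Move the exp table and patch every reference to it plus the level caps.
Added example, not the post's tool.  Assumed: the layout seen in the dump
(0x10-byte header, then one little-endian qword of exp per level index),
the old base 0x08C7F010, a made-up new base 0x00502010 (new section VOffset
+ image base 0x400000) and a binary without a relocation table, so absolute
addresses sit verbatim in the code bytes."""
import struct

OLD_BASE = 0x08C7F010      # from mov ecx, dword ptr [esi*8+8C7F010]
HEADER_LEN = 0x10          # the real block starts 0x10 bytes before the base
QWORD_MAX = 0xFFFFFFFFFFFFFFFF


def parse_dump(text):
    """OllyDbg dump lines (address, 16 hex bytes, optional ascii) -> bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        out += bytes.fromhex("".join(line.split()[1:17]))
    return bytes(out)


def split_table(blob):
    """Raw block -> (header bytes, [exp per level index])."""
    n = (len(blob) - HEADER_LEN) // 8
    return blob[:HEADER_LEN], list(struct.unpack_from("<%dQ" % n, blob, HEADER_LEN))


def build_table(header, exps):
    """Pack header + qword entries, refusing values that do not fit a qword
    (the post's 0xFFFFFFFFFFFFFFFF limit) or that go down between levels."""
    for i, e in enumerate(exps):
        if not 0 <= e <= QWORD_MAX:
            raise ValueError("exp at index %d does not fit in 64 bits" % i)
        if i and e < exps[i - 1]:
            raise ValueError("exp table goes down at index %d" % i)
    return header + struct.pack("<%dQ" % len(exps), *exps)


def relocate_refs(code, old_base, new_base, n_entries):
    """Rewrite every absolute dword in [old_base-0x10, old_base+8*n_entries):
    the post's hand list (+0, +4, +8, +0xC, -0x10, -0xC) and the per-level
    references (8C7F99C, 8C7F32C, 8C7F9B0, ...).  Returns (patched_bytes,
    [(offset, old, new), ...]).  A blind byte scan like the hex-editor method,
    so review the hits in OllyDbg before trusting them."""
    lo, hi = old_base - HEADER_LEN, old_base + 8 * n_entries
    delta = new_base - old_base
    buf, hits, i = bytearray(code), [], 0
    while i + 4 <= len(buf):
        v = struct.unpack_from("<I", buf, i)[0]
        if lo <= v < hi:
            struct.pack_into("<I", buf, i, v + delta)
            hits.append((i, v, v + delta))
            i += 4                  # skip the dword we just rewrote
        else:
            i += 1
    return bytes(buf), hits


def patch_level_cap(code, old_cap, new_cap):
    """Patch cmp esi, cap (81 FE imm32) and the server's cmp eax, cap-1
    (3D imm32).  new_cap must not exceed the number of table entries."""
    buf, count = bytearray(code), 0
    for prefix, old, new in ((b"\x81\xFE", old_cap, new_cap), (b"\x3D", old_cap - 1, new_cap - 1)):
        needle = prefix + struct.pack("<I", old)
        pos = buf.find(needle)
        while pos != -1:
            buf[pos + len(prefix):pos + len(needle)] = struct.pack("<I", new)
            count += 1
            pos = buf.find(needle, pos + len(needle))
    return bytes(buf), count


# Constructed sample: the first dump lines from the post (header + 6 levels).
DUMP = """
08C7F000 08 00 09 00 0D 00 00 00 0A 00 00 00 09 00 09 00
08C7F010 00 00 00 00 00 00 00 00 E8 03 00 00 00 00 00 00
08C7F020 C4 09 00 00 00 00 00 00 88 13 00 00 00 00 00 00
08C7F030 1C 25 00 00 00 00 00 00 CC 42 00 00 00 00 00 00
"""
# Constructed sample: instruction bytes copied from the post's listings.
CODE = bytes.fromhex(
    "8B0CF510F0C708"   # mov ecx, dword ptr [esi*8+8C7F010]
    "8B04F514F0C708"   # mov eax, dword ptr [esi*8+8C7F014]
    "A19CF9C708"       # mov eax, dword ptr [8C7F99C]
    "3B1D98F9C708"     # cmp ebx, dword ptr [8C7F998]
    "3B3D2CF3C708"     # cmp edi, dword ptr [8C7F32C]
    "8B2DDC8D8B00"     # mov ebp, dword ptr [8B8DDC]  (not in the table: must stay)
    "81FE33010000"     # cmp esi, 133   (MAX_LEVEL check)
    "3D32010000"       # cmp eax, 132   (server-side last level check)
)


def demo(new_base=0x00502010, new_cap=0x200, old_entries=309):
    """Extend the table past new_cap, relocate the references, raise the cap.
    old_entries=309 covers the highest entry address in the listings
    (8C7F9B4 = index 308, high dword); check yours in the dump."""
    header, exps = split_table(parse_dump(DUMP))
    while len(exps) < new_cap + 2:                  # made-up curve for the new levels
        exps.append(exps[-1] + 5000 * len(exps))
    table = build_table(header, exps)
    code, hits = relocate_refs(CODE, OLD_BASE, new_base, old_entries)
    code, caps = patch_level_cap(code, 0x133, new_cap)
    return table, code, hits, caps


if __name__ == "__main__":
    table, code, hits, caps = demo()
    print("table bytes: %d, references moved: %d, caps patched: %d" % (len(table), len(hits), caps))
    for off, old, new in hits:
        print("  +%04X  %08X -> %08X" % (off, old, new))
```

The range scan is deliberately wider than the six hand replacements: any dword between the 0x10-byte header and the last entry is moved by the same delta, which is what the later listings need. The cost is the same as with the hex editor: a data word that merely looks like an address into that range gets rewritten too, so the hit list is there to be checked against OllyDbg, not trusted blindly. The cap patch only handles the 81 FE imm32 form shown in the listing; the client-side spot the post says has no room still needs its jmp.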
Now all done! With this you can get an almost unlimited level, and of course you can modify a character with the level editor I published.
Now have fun and a nice day! All the best wishes.
WaHVeY(StrangeFay) [P.R.C]
2009-3-24 16:51:53
___________________
Bins with level 150. Of course you can raise it to 0xFFFFFFFF levels as you like.
Attachments: Client.zip, Server.zip
___________________
