This is not actually an Experience Bar bug, it's an Experience bug =)
and usually you can meet it on servers with high rates, when the Experience Bar overflows number 9 or doesn't show exp progress, so you have to reselect the character.
Why does this happen? If you take a look at the Exp values in the Char Info Window while killing some mobs and leveling up, you will notice that Obtained Exp is just added to the current Exp value and nothing else is done.
The point is that the GS sends just the obtained exp, and even when the character levels up, main.exe uses the calculated value from its own Exp Table to set the new Needed Exp. So if the GS and main.exe use different formulas for calculating Exp, you will have a double Exp bug. Of course you can fix both bugs by changing the packets in main and GS, and it's not really hard, but we will fix just the first bug, because not all servers change the Exp formulas.
How are we gonna do it? First let's take a look at how the GS does all the work:
1. Character obtains Exp
2. GS adds Obtained Exp to the Current Exp value
3. Checks if Current Exp >= Needed Exp
4. And if this comparison results in TRUE,
a. GS moves the Needed Exp value into Current Exp
b. Moves the next Needed Exp value (for the next lvl, from the Exp table) into Needed Exp
(and now attention)
c. Sends Lvl Up to main.exe
5. Sends Obtained Exp to main.exe
First I thought that if I just did step 4a in main.exe it would solve all the problems, but I forgot that the GS first sends Lvl Up and then Obtained Exp. We don't need to ADD the Obtained Exp value after a Lvl Up in main.exe, because once we fix everything in the Lvl Up proc, the first Obtained Exp packet after the Lvl Up spoils it all =)
The solution is to use a flag. When we receive Lvl Up in main.exe, we fix all the poop and set the flag, and in the function that adds Obtained Exp we check the flag: if it is set we don't add that value, we just skip this step and reset the flag. With this we will have correct Exp in main.exe, cool, no more character reselection.
We won't use a DLL for this, because we will just add a little code to main.exe; of course people who understand coding and programming can use their own DLL.
Now I will try to explain how to find the functions and what code to add.
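The GS and main.exe bookkeeping described above, as an added C model (this is not code from the post, nor from any MU server or client): it replays a constructed kill sequence through the server-side steps 1-5, then feeds the resulting packets, Lvl Up first, to an unpatched client and to a client that applies the flag fix, so you can see the drift that makes the bar overflow and confirm that the patched client ends in sync with the GS. The exp table, the starting values and the gains are constructed sample data; the struct layouts and handler names are assumptions and do not correspond to main.exe's real structures.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed exp table: EXP_TABLE[level] is the Needed Exp to leave that level.
   Sample values only, not MU's real table. */
static const uint32_t EXP_TABLE[] = {100, 200, 300, 500, 800, 1300, 2100, 3400};
#define MAX_LEVEL (sizeof EXP_TABLE / sizeof EXP_TABLE[0])

typedef enum { PKT_LEVEL_UP, PKT_OBTAINED_EXP } PacketType;

typedef struct {
    PacketType type;
    uint32_t value;      /* new level for PKT_LEVEL_UP, exp for PKT_OBTAINED_EXP */
} Packet;

/* Assumed character state; in main.exe the post finds cur/needed at [EAX+10]/[EAX+34]. */
typedef struct {
    uint32_t level;
    uint32_t cur_exp;
    uint32_t needed_exp;
} CharState;

typedef struct {
    CharState ch;
    bool skip_next_add;  /* the 1-byte flag the patch keeps in the code cave */
} Client;

/* GS side, steps 1-5 from the post. Writes 1 or 2 packets to out, Lvl Up first. */
static size_t gs_gain_exp(CharState *gs, uint32_t obtained, Packet out[2])
{
    size_t n = 0;
    gs->cur_exp += obtained;                                         /* step 2 */
    if (gs->cur_exp >= gs->needed_exp && gs->level + 1 < MAX_LEVEL) { /* step 3 */
        gs->cur_exp = gs->needed_exp;                                /* 4a */
        gs->level += 1;
        gs->needed_exp = EXP_TABLE[gs->level];                       /* 4b */
        out[n++] = (Packet){PKT_LEVEL_UP, gs->level};                /* 4c */
    }
    out[n++] = (Packet){PKT_OBTAINED_EXP, obtained};                 /* step 5 */
    return n;
}

/* Unpatched main.exe: Lvl Up only refreshes Needed Exp, Obtained Exp is always added. */
static void client_handle_original(Client *c, const Packet *p)
{
    if (p->type == PKT_LEVEL_UP) {
        c->ch.level = p->value;
        c->ch.needed_exp = EXP_TABLE[c->ch.level];
    } else {
        c->ch.cur_exp += p->value;          /* the ADD ESI, ECX the post patches out */
    }
}

/* Patched main.exe: the two code-cave functions from the post, written in C. */
static void client_handle_patched(Client *c, const Packet *p)
{
    if (p->type == PKT_LEVEL_UP) {
        c->ch.cur_exp = c->ch.needed_exp;   /* MOV ECX,[EAX+34]; MOV [EAX+10],ECX */
        c->skip_next_add = true;            /* MOV BYTE [flag],1 */
        c->ch.level = p->value;             /* CALL to the original hooked function */
        c->ch.needed_exp = EXP_TABLE[c->ch.level];
    } else {
        if (!c->skip_next_add)              /* TEST [flag],1 / JNZ over the ADD */
            c->ch.cur_exp += p->value;
        c->skip_next_add = false;           /* MOV BYTE [flag],0 */
    }
}

typedef void (*ClientHandler)(Client *, const Packet *);

/* Constructed kill sequence: start at 90/100 exp on level 0, then five kills of 30 exp. */
static const CharState START = {0, 90, 100};
static const uint32_t SAMPLE_GAINS[] = {30, 30, 30, 30, 30};
#define SAMPLE_GAINS_N (sizeof SAMPLE_GAINS / sizeof SAMPLE_GAINS[0])

/* Replays the gains through the GS and the given client handler. Returns true when the
   client ends with the same level/cur/needed as the GS; final states go to the out params. */
static bool simulate(ClientHandler handler, const uint32_t *gains, size_t n,
                     CharState *gs_out, CharState *client_out)
{
    CharState gs = START;
    Client cl;
    cl.ch = START;
    cl.skip_next_add = false;
    for (size_t i = 0; i < n; i++) {
        Packet pk[2];
        size_t count = gs_gain_exp(&gs, gains[i], pk);
        for (size_t j = 0; j < count; j++)
            handler(&cl, &pk[j]);
    }
    *gs_out = gs;
    *client_out = cl.ch;
    return gs.level == cl.ch.level && gs.cur_exp == cl.ch.cur_exp &&
           gs.needed_exp == cl.ch.needed_exp;
}

int main(void)
{
    CharState gs, cl;
    bool ok = simulate(client_handle_original, SAMPLE_GAINS, SAMPLE_GAINS_N, &gs, &cl);
    printf("original: GS %" PRIu32 "/%" PRIu32 ", client %" PRIu32 "/%" PRIu32 " -> %s\n",
           gs.cur_exp, gs.needed_exp, cl.cur_exp, cl.needed_exp, ok ? "in sync" : "DRIFT");
    ok = simulate(client_handle_patched, SAMPLE_GAINS, SAMPLE_GAINS_N, &gs, &cl);
    printf("patched:  GS %" PRIu32 "/%" PRIu32 ", client %" PRIu32 "/%" PRIu32 " -> %s\n",
           gs.cur_exp, gs.needed_exp, cl.cur_exp, cl.needed_exp, ok ? "in sync" : "DRIFT");
    return 0;
}
```

With these sample numbers the unpatched client already shows 210/200 after the fourth kill, which is exactly the overflowing bar the post describes, and it keeps drifting further ahead of the GS with every level; reselecting the character only hides it because SelectedCharInfo resends the real values. The patched handler ends at 200/300, matching the GS, because the Lvl Up handler copies Needed Exp into Current Exp and the flag makes the next Obtained Exp packet a no-op.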
1. Open main.exe in OllyDbg and go to the end of it, you will find empty space there. Some mains throw the error "Unable to locate data in executable file" when you try to add some code. To check if there is space, select 1 empty line -> RB -> View -> Executable file, there you will find the real empty space, check the picture.
This space might not be enough for our code. Some mains have additional sections, maybe they weren't deleted after unpacking, or maybe someone added them; for example all 97 mains have these sections, and there you have a lot of empty space. The other mains I had to work with had enough space. But if you don't have empty sections and you don't have enough space at the end of the file, then you will have to add additional sections =)
2. Here is our section, your main may have just 1 JMP. If you scroll down you will find a lot of empty space, a lifetime of empty space
But anyway we just need some empty space =)
3. Now we will find the switch for packet codes. RB -> Search for -> All switches
Now, with all your attention, in the window that appears find the switch (cases 0..F4)
4. When you've found it - RB -> List switch cases, find the F3 value there, and follow it.
5. Below the F3 case find the first switch, select this line, RB -> Go to -> Case 3
F3 03 - codes of the Selected Char Info packet
F3 05 - codes of the Level Up packet
In the SelectedCharInfo proc we will find where the Current and Needed Exp data is stored
6. Step into the SelectedCharInfo proc. In that proc -> RB -> Go to -> Next Procedure. Then scroll up until you find code like on the image
Look at the underlined lines - EAX+10 and EAX+34, remember these offsets
+10 is for Current Exp, +34 for Needed Exp; these values may be different in different mains
7. Now go back to the found procs SelectedCharInfo and LvlUp, and step into the LvlUp function. RB -> Go to -> Next procedure. Once again scroll up until you find code like on the image
Now look at the underlined line and remember which register you have there, I have EAX, remember it. Look below at the CALL, we will hook it. Now write this call command down somewhere, or press SPACE and copy it.
8. Now go to our empty space.
We will need at least 1 register, but not the one mentioned in the last step: EAX is reserved (remember from the last step?), I need the value in it, so use another one (EBX, ECX, EDX). I used ECX. Since we're gonna use it, we have to save the data this register contains, so we will use the STACK: we push the value of the ECX register and restore it afterwards.
Also we will need 1 byte of memory for the flag, let's use our empty space =) I used the offset 3 lines above the function, there I will store the flag. And don't forget to call the function that we hooked =)
Take a look at the code:
Code:
PUSH ECX                       ; save ECX data
MOV ECX, [DWORD DS:EAX+34]     ; get Needed Exp value (use your offset, mine is +34)
MOV [DWORD DS:EAX+10], ECX     ; set Current Exp value to Needed Exp value (use your offset, mine is +10)
MOV [BYTE DS:8B690D5], 1       ; set flag
POP ECX                        ; restore ECX data
CALL 0047C040                  ; the function we hooked; you saved it in step 7, write it here
RETN                           ; return from the function
Now remember the offset of the function beginning (0x08B690DD) and go to the place we found in step 7 (lvl up proc + hooked function, use the "-" key =) )
Now replace that call with a call to your function. The Lvl Up function is done, let's fix the Obtained Exp function =)
9. Go to the first switch we found and go to CASE 16 (22.)
10. Step into the underlined function in CASE 16 (22.), RB -> Go to -> Next procedure, and scroll up until you find code like on the image (you will meet 1 "Hash table full", it will help you find the code)
Remember the 2 lines marked with arrows.
ADD ESI, ECX ; here obtained exp is added =)
11. Go to the offset where we added our first function, and add the second.
First we check our flag: if it's set, we just skip the ADD command; then we reset the flag, no matter whether it was set or not =)
Look at the code:
Code:
TEST [BYTE DS:8B690D5], 1      ; check flag
JNZ SHORT 08B69102             ; if flag is set, skip the ADD (08B69102 is the MOV ECX line below: 08B690F7 + 7 + 2 + 2 bytes)
ADD ESI, ECX
MOV ECX, 55C4C20               ; these last 2 instructions we took from main, we remembered them in step 10
MOV [BYTE DS:8B690D5], 0       ; reset flag
RETN                           ; return from function
Remember the offset of the second function (0x08B690F7).
12. Go back to the function that adds Obtained Exp (step 10). Remember those 2 marked lines? NOP them - select them -> Binary -> Fill with NOPs.
Then select the first NOP and add there a CALL to our second function.
And that's all, no more Exp Bar Bug =)
Don't know about S3EP2 but for other mains it will work
Once again I used the drakan mu server, thx to them