[Tutorial] How to Detour the Kal Mainserver

Skilled Illusionist (joined Mar 20, 2009; 374 messages; 378 reaction score)

Can someone give me an example for realtime pimp please? ^^


Pseudocode from decompiled mainserver.
Code:
signed int __userpurge CItemWeapon::ChangePrefix<eax>(int a1<ecx>, DWORD a2<ebx>, DWORD a3<edi>, DWORD a4<esi>, int a5, int a6, int a7, int a8)
{
  signed int v9; // [sp+0h] [bp-4Ch]@33
  signed int v10; // [sp+4h] [bp-48h]@31
  signed int v11; // [sp+8h] [bp-44h]@29
  int v12; // [sp+Ch] [bp-40h]@25
  int v13; // [sp+14h] [bp-38h]@6
  int v14; // [sp+18h] [bp-34h]@1
  int v15; // [sp+34h] [bp-18h]@14
  signed int i; // [sp+38h] [bp-14h]@8
  int v17; // [sp+3Ch] [bp-10h]@8
  int v18; // [sp+40h] [bp-Ch]@8
  int v19; // [sp+48h] [bp-4h]@8

  v14 = a1;
  if ( CItem::IsState(a1, 1) || a6 >= 0 && a6 )
    return 0;
  if ( *(_DWORD *)(v14 + 44) )
    v13 = *(_DWORD *)(*(_DWORD *)(v14 + 44) + 32);
  else
    v13 = 0;
  v17 = v13;
  v18 = sub_406E10(1, 100);
  v19 = CItem::IsState(v14, 64);
  for ( i = 0; i < 2; ++i )
  {
    if ( v18 <= *(_DWORD *)(a7 + 4 * i) )
    {
      v17 = *(_DWORD *)(a8 + 4 * i);
      break;
    }
  }
  if ( v13 == v17 )
  {
    if ( v19 )
    {
      CDBSocket::Write(a2, a3, a4, 21, (unsigned int)"dddbb");
      CItem::SubState(v14, 64);
      CItem::SendItemInfo(v14, a2, a3, a4, (void *)a5, 92);
      return 1;
    }
    *(_DWORD *)(v14 + 96) -= 5;
    if ( *(_DWORD *)(v14 + 96) <= 0 )
    {
      CPlayer::Write(a2, a3, a4, a5, 91, (unsigned int)"db");
      CDBSocket::Write(a2, a3, a4, 3, (unsigned int)"ddwdbddd");
      if ( CItem::GetLevel(v14) >= 40 )
      {
        if ( CItem::GetLevel(v14) - 40 >= 20 )
          v12 = 20;
        else
          v12 = CItem::GetLevel(v14) - 40;
        if ( *(_DWORD *)(*(_DWORD *)(v14 + 40) + 72) == 1 )
        {
          if ( *(_DWORD *)(v14 + 104) >= 20 )
            v11 = 20;
          else
            v11 = *(_DWORD *)(v14 + 104);
          v10 = v11;
        }
        else
        {
          if ( *(_DWORD *)(v14 + 100) >= 20 )
            v9 = 20;
          else
            v9 = *(_DWORD *)(v14 + 100);
          v10 = v9;
        }
        CItem::InsertItem(a2, a3, a4, a5, 27, 517, 0, dword_4D5F90[v10] + dword_4D5F38[v12], -1);
      }
      CBase::Delete((void *)v14);
    }
    else
    {
      CPlayer::Write(a2, a3, a4, a5, 91, (unsigned int)"db");
      CDBSocket::Write(a2, a3, a4, 18, (unsigned int)"ddb");
    }
  }
  else
  {
    v15 = CItem::FindPrefix(v17);
    if ( !v15 )
      return 0;
    *(_DWORD *)(v14 + 44) = v15;
    CDBSocket::Write(a2, a3, a4, 19, (unsigned int)"ddbb");
    if ( v19 )
      CItem::SubState(v14, 64);
    CItem::SendItemInfo(v14, a2, a3, a4, (void *)a5, 92);
  }
  return 1;
}


You could do something like this:
Code:
  KItem Item((int*)ItemPointer);   // int* view over the native item object

  int IID    = Item.GetIID();
  int PID    = Item.GetPID();
  int OldOtp = Item.GetOTP();
  int OTP    = OldOtp + 2;

  CDBSocket::Write(17, "ddbbb", IID, PID, 9, OTP, 0);  // persist the new value: packet 17, fields d,d,b,b,b
  Item.SetOTP(OTP);                                    // update the in-memory item
  CItem::SendItemInfo(ItemPointer, PlayerPointer, 92); // resend the item info, same 92 argument the decompiled ChangePrefix uses
This increases the on-target point (OTP) by 2.

Code:
// ItemArray is the int* view over the item object, so index N is byte offset 4*N
int KItem::GetPID(){
	return this->ItemArray[32];   // byte offset 128
}

int KItem::GetIID(){
	return this->ItemArray[9];    // byte offset 36
}

int KItem::GetOTP(){
	return this->ItemArray[28];   // byte offset 112
}

int KItem::SetOTP(int x){
	return this->ItemArray[28] = x;
}
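
The CDBSocket::Write and CPlayer::Write calls above describe their payload with a short format string ("ddbbb", "ddwdbddd", "ddb"). As an added example that is not code from this thread or from the Kal server, here is a small packer and a bounds-checked unpacker for that format, plus the OTP update from the post built with a range check. The field letters are an assumption taken from the calls on this page: 'd' is a 4-byte dword, 'w' a 2-byte word, 'b' a single byte, all little-endian; the packet id 17 and the sample IID/PID/OTP values are constructed for the demonstration.

```cpp
// Added example (not code from the thread): a packer/unpacker for the
// "ddbbb"-style format strings the mainserver's Write() calls use, and the
// OTP update from the post above built with a range check. Field letters are
// assumed: 'd' = 4-byte dword, 'w' = 2-byte word, 'b' = 1 byte, little-endian.
#include <cstdarg>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Byte width of one field letter; 0 for a letter we do not know.
size_t fieldSize(char c) {
    switch (c) {
    case 'd': return 4;
    case 'w': return 2;
    case 'b': return 1;
    default:  return 0;
    }
}

// Total payload size for a format string, or 0 if any letter is unknown.
size_t payloadSize(const std::string& fmt) {
    size_t total = 0;
    for (char c : fmt) {
        size_t s = fieldSize(c);
        if (s == 0) return 0;
        total += s;
    }
    return total;
}

// Serialise the variadic arguments according to fmt (little-endian).
// Every argument is read as an unsigned int and truncated to the field width,
// exactly the way a 'b' field silently drops the upper bits of a large value.
std::vector<uint8_t> pack(const char* fmt, ...) {
    std::vector<uint8_t> out;
    va_list ap;
    va_start(ap, fmt);
    for (const char* p = fmt; *p; ++p) {
        size_t s = fieldSize(*p);
        if (s == 0) { out.clear(); break; }   // unknown letter: refuse the whole packet
        uint32_t v = va_arg(ap, unsigned int);
        for (size_t i = 0; i < s; ++i) out.push_back(static_cast<uint8_t>(v >> (8 * i)));
    }
    va_end(ap);
    return out;
}

// Parse buf according to fmt. Returns false on an unknown letter, on a
// truncated buffer, or on trailing bytes, so a short or padded packet is
// rejected instead of being read past its end.
bool unpack(const std::vector<uint8_t>& buf, const std::string& fmt, std::vector<uint32_t>& fields) {
    fields.clear();
    size_t pos = 0;
    for (char c : fmt) {
        size_t s = fieldSize(c);
        if (s == 0 || buf.size() - pos < s) return false;
        uint32_t v = 0;
        for (size_t i = 0; i < s; ++i) v |= static_cast<uint32_t>(buf[pos + i]) << (8 * i);
        pos += s;
        fields.push_back(v);
    }
    return pos == buf.size();
}

// The "increase OTP by 2" write from the post: packet id 17, format "ddbbb".
// Because OTP travels as a single byte, refuse values that would not fit
// rather than sending a wrapped-around number to the database.
std::vector<uint8_t> buildOtpUpdate(uint32_t iid, uint32_t pid, uint32_t otp) {
    if (otp > 0xFF) return {};
    return pack("ddbbb", iid, pid, 9u, otp, 0u);
}

int main() {
    std::vector<uint8_t> pkt = buildOtpUpdate(100, 7, 12);  // constructed sample values
    std::cout << "payload bytes: " << pkt.size() << "\n";    // prints 11
    std::vector<uint32_t> f;
    if (unpack(pkt, "ddbbb", f))
        std::cout << "IID=" << f[0] << " PID=" << f[1] << " OTP=" << f[3] << "\n";
    return 0;
}
```

The unpacker deliberately fails closed: a packet that is one byte short, or that carries trailing bytes, is rejected rather than partially decoded, which is the check a server should apply to anything arriving from the database socket or the client.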
 

Ozi, Junior Spellweaver (joined May 28, 2014; 118 messages; 23 reaction score)

Any idea how to solve this problem?

[screenshot attachment: 8JvPQ26]


- Thanks
 

Modeler / C++ Coder, Developer (joined Feb 6, 2008; 561 messages; 483 reaction score)

The error itself tells you what the problem is: "Access is denied" <--- :)

Run cmd with administrator rights and it should solve your problem.
The title of your cmd window tells me you didn't run it with admin rights; it should say:

"Administrator: c:\Windows\SysWOW64\cmd.exe"

instead of

"c:\Windows\SysWOW64\cmd.exe"

Cheers..
 


Ozi, Junior Spellweaver (joined May 28, 2014; 118 messages; 23 reaction score)

I still have another problem. Could you do a photo tutorial for this step please, because I can't do it well.

Thanks
 
Newbie Spellweaver (joined Sep 9, 2014; 30 messages; 6 reaction score)

Hi guys. I am not sure if I should post my question here or in the help section. But since it's related to this post, I will just try my luck.
So I followed the steps of this tutorial and it turns out that I don't get a hello world message :D.

So I could compile the source code without any errors and included the dll in the obsedian.ini file:
REMOVED

But didn't get the expected result:

Any ideas?
-Barry

EDIT: mainsvr output:
[screenshot attachment: MadKnight]
 
Modeler / C++ Coder, Developer (joined Feb 6, 2008; 561 messages; 483 reaction score)

Might be a good idea to actually detour the functions in?...
 
Newbie Spellweaver (joined Sep 9, 2014; 30 messages; 6 reaction score)

Good point, Matynator :D. Thank you for that.

Edit: removed the question, since I made a mistake and fixed it by following the steps PROPERLY :D.
 
Newbie Spellweaver (joined Sep 9, 2014; 30 messages; 6 reaction score)

Hi, it's me again :D.
Sorry, I know I am asking a lot, but it really bothers me now.

So I read a lot in this thread and tried a few things (learning by doing).
I now believe I understand how to correctly set up a detour. So this should be the detour for CPlayer_ChatCommand:

Code:
static void (__thiscall *ChatCommand)(void *thispointer,const char *a2) = (void (__thiscall*)(void *thispointer,const char *a2))0x00461080;


void __fastcall Hooked_ChatCommand(void *thispointer, void* _edx,  const char *a2)
{
    ConsoleWriteBlue("chatcommand: %s", a2);
    ChatCommand(thispointer,a2);
    // Do your stuff here
}

Now my question is: why do I need that "void* _edx" as the second parameter? What is stored in _edx?

Thanks a lot
-Barry
 
Newbie Spellweaver (joined Sep 9, 2014; 30 messages; 6 reaction score)

Hi, it's me again :D.
So I am trying to detour this function:
Code:
//----- (00439FB0)
signed int __usercall CMonster::Create<eax>(DWORD a1<ebx>, DWORD a2<edi>, DWORD a3<esi>, int a4, int a5)

and I did it like this:

Code:
static void (__thiscall *CMonster_Create)(void *thispointer,int a1,int a2) = (void (__thiscall*)(void *thispointer,int a1,int a2))0x00439FB0;


void __fastcall Hooked_CMonster_Create(void *thispointer,void* _edx,int a1,int a2)
{
    cout<<"Monster::create: a1= "<<a1<<endl;
    CMonster_Create(thispointer, a1,a2);

}

Why is the cout method crashing the server?

And optional question: Is CMonster::create being called if a Monster respawns?

Thanks a lot
-Barry
 
Skilled Illusionist (joined Oct 31, 2008; 341 messages; 294 reaction score)

Well, GameServer::Monster::Create is signed int __cdecl CMonster__Create(int a1, int a2), so no ecx is passed.

Code:
#include <iostream>

static int (__cdecl *oCMonster_Create)(int a1, int a2) = (int (__cdecl*)(int a1, int a2))0x00439FB0;

signed int __cdecl CMonster_Create(int a1, int a2)
{
    std::cout << "GameServer::Monster::Create Parameter: " << a1 << std::endl;
    return oCMonster_Create(a1, a2);   // forward to the original and hand its return value back
}
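
Barry's "why void* _edx?" question and the __cdecl reply above both come down to how 32-bit MSVC passes parameters, so here is one added example covering both; it is a model written for this page, not code from the thread or from the Kal server. Under __thiscall the `this` pointer travels in ecx and the remaining arguments on the stack, with the callee popping them; under __fastcall the first two integer-sized arguments travel in ecx and edx; under __cdecl everything is on the stack and the caller pops it. A free function cannot be declared __thiscall in MSVC, which is why the hooks in this thread are declared __fastcall with a dummy second parameter: `this` still arrives in ecx, the unused edx register is absorbed by the dummy, and the stack arguments line up. The code below computes those placements and checks whether a hook signature can stand in for a target; it models the x86 rules rather than executing them, so it runs on any platform. The parameter names are the ones from the posts above.

```cpp
// Added example (not code from the thread): a model of the 32-bit MSVC
// calling conventions behind the hooks in this thread. It computes where each
// parameter lands (ecx, edx or a stack slot) and who pops the stack, which is
// enough to see why the __fastcall hook needs a dummy `void* _edx` parameter
// and why a __thiscall-typed hook on a __cdecl function unbalances the stack.
#include <iostream>
#include <string>
#include <vector>

enum class Conv { Cdecl, Stdcall, Thiscall, Fastcall };

struct Layout {
    std::vector<std::string> slots; // where parameter i arrives: "ecx", "edx" or "stack[n]"
    bool calleeCleans;              // true if the callee pops the stack arguments (ret N)
};

// Parameter placement for nParams pointer/int-sized parameters under conv.
// For member functions the first parameter is `this`.
Layout layoutFor(Conv conv, size_t nParams) {
    Layout l;
    size_t stackIdx = 0;
    auto stackSlot = [&]() { return "stack[" + std::to_string(stackIdx++) + "]"; };
    for (size_t i = 0; i < nParams; ++i) {
        switch (conv) {
        case Conv::Cdecl:
        case Conv::Stdcall:
            l.slots.push_back(stackSlot());                                   // everything on the stack
            break;
        case Conv::Thiscall:
            l.slots.push_back(i == 0 ? std::string("ecx") : stackSlot());    // this in ecx, rest on the stack
            break;
        case Conv::Fastcall:
            l.slots.push_back(i == 0 ? std::string("ecx")
                            : i == 1 ? std::string("edx") : stackSlot());    // first two in registers
            break;
        }
    }
    l.calleeCleans = (conv != Conv::Cdecl);
    return l;
}

// Can a hook declared as (hookConv, hookParams) stand in for a target declared
// as (targetConv, targetParams)? Parameters are matched by name: every target
// parameter must arrive at the same place in the hook, an extra hook parameter
// may only occupy a register the target never uses (that is the dummy _edx),
// and both sides must agree on who cleans the stack.
bool hookMatches(Conv targetConv, const std::vector<std::string>& targetParams,
                 Conv hookConv,   const std::vector<std::string>& hookParams) {
    Layout t = layoutFor(targetConv, targetParams.size());
    Layout h = layoutFor(hookConv, hookParams.size());
    if (t.calleeCleans != h.calleeCleans) return false;          // esp left wrong after return
    for (size_t i = 0; i < hookParams.size(); ++i) {
        size_t j = 0;
        while (j < targetParams.size() && targetParams[j] != hookParams[i]) ++j;
        if (j == targetParams.size()) {
            if (h.slots[i].rfind("stack", 0) == 0) return false; // extra stack slot shifts the real args
            continue;                                            // extra register parameter is harmless
        }
        if (h.slots[i] != t.slots[j]) return false;              // same name, different place
    }
    for (const std::string& name : targetParams) {               // nothing the target passes may be lost
        bool seen = false;
        for (const std::string& hn : hookParams) if (hn == name) seen = true;
        if (!seen) return false;
    }
    return true;
}

int main() {
    // CPlayer::ChatCommand(this, a2) is __thiscall; the hook is __fastcall(this, _edx, a2)
    std::cout << "fastcall hook on thiscall target: "
              << hookMatches(Conv::Thiscall, {"this", "a2"}, Conv::Fastcall, {"this", "_edx", "a2"}) << "\n";
    // CMonster::Create(a1, a2) is __cdecl; a __thiscall-typed hook breaks stack cleanup
    std::cout << "thiscall hook on cdecl target:   "
              << hookMatches(Conv::Cdecl, {"a1", "a2"}, Conv::Thiscall, {"this", "a1", "a2"}) << "\n";
    return 0;
}
```

The second check is the crash from Barry's CMonster::Create post: a __thiscall-typed pointer makes the hook assume the original pops its two stack arguments, but a __cdecl function leaves them for the caller, so esp is off by 8 after the call and the next use of the stack (the cout) faults.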
 
Newbie Spellweaver (joined Sep 9, 2014; 30 messages; 6 reaction score)

Hi guys,
I got 2 questions.

1) How did you guys come up with the function names? I mean, are these names in the script file all made up by you (and possibly even wrong), or is there a reliable source behind them?

2) I tried a few things in IDA and made VERY LITTLE progress :). But I still want to make sure that I am on the "right path". So every time a player pointer is given to the next function, is the information in the same place as before? (like the name at [pointer + 32], PID at [pointer + 452], admin at [pointer + 456], ...)

Thx a lot
-Barry
 
Newbie Spellweaver (joined Oct 1, 2013; 31 messages; 118 reaction score)

1) Yes, not all of them are correct (for example some skill functions). There is no server-side source (we only got the client side).

2) In all functions the information (in the pointer) will always be in the same place, because it's a pointer to the object.
 
Newbie Spellweaver (joined Sep 9, 2014; 30 messages; 6 reaction score)

Hi guys, I got two more questions :D.

1) (solved) Can someone explain to me what var_24 means? Reference from CMonsterTowerBoss::create:
[screenshot attachment: IDA3]

2) (solved) How can I save values into a register + number?

Because this example doesn't work (or rather gives me a compiler error):
Code:
{
    DWORD pID;
     __asm mov pID,016h
     cout<<"pID: "<<pID<<endl;
     __asm lea [ebp+1337], pID
}

Thanks a lot
-Barry

Edit: I want to save something into ebp-36

Experienced Elementalist (joined Sep 14, 2013; 202 messages; 110 reaction score)
How to solve those problems ~

Here is the Detours Express folder

-Thanks

Newbie Spellweaver (joined Sep 12, 2014; 97 messages; 152 reaction score)

Detours:


Code:
#pragma comment(lib,"Detours/detours.lib")
#undef UNICODE
#include "Detours/detours.h"

#pragma pack(1)
 