Beispiel #1
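/// Prepares the extension once per process: initialises the SDK, locates two
/// engine.dll routines by byte signature and detours them to
/// hooked_ExecuteStringCmd and hooked_ProcessRespondCvarValue.
///
/// The guard flag is set before any work is done, so a call that follows a
/// failed attempt returns 0 without retrying (kept from the original).
///
/// @return 0 when already prepared or once both DetourCreate calls have been made;
///         1 when SDK initialisation, the engine.dll lookup or a signature scan fails.
int PrepareExtension()
{
	if (preparedextension)
		return 0;

	preparedextension = true;

	const std::string init = InitializeSdk();
	if (!init.empty())
	{
		MessageBoxA(NULL, init.c_str(), "!LAC ERROR!", MB_OK);
		return 1;
	}

	// Look the module up once and stop if it is not loaded: a null handle would
	// otherwise be handed to dwFindPattern as the scan base.
	const HMODULE engine = GetModuleHandleA("engine.dll");
	if (!engine)
	{
		MessageBoxA(NULL, "didnt get engine.dll", "!LAC ERROR!", MB_OK);
		Msg("!LAC ERROR! didnt get engine.dll");
		return 1;
	}

	// The DWORD cast keeps the original's 32-bit address assumption.
	const DWORD engineBase = (DWORD)engine;

	// NOTE(review): the scan length 0xFEADBEEF is a fixed constant, not the
	// module's mapped size; presumably dwFindPattern guards its own reads — confirm.
	DWORD executestringcmd = dwFindPattern(engineBase, 0xFEADBEEF, (BYTE*)"\x55\x8B\xEC\x8B\x45\x08\x56\x8B\xF1\x85\xC0\x74\x22", "xxxxxxxxxxxxx");
	if (!executestringcmd)
	{
		MessageBoxA(NULL, "didnt get stringcmd", "!LAC ERROR!", MB_OK);
		Msg("!LAC ERROR! didnt get stringcmd");
		return 1;
	}

	DWORD onquerycvarval = dwFindPattern(engineBase, 0xFEADBEEF, (BYTE*)"\x55\x8B\xEC\x8B\x45\x08\x8B\x50\x10\x56", "xxxxxxxxxx");
	if (!onquerycvarval)
	{
		MessageBoxA(NULL, "didnt get query cvar value", "!LAC ERROR!", MB_OK);
		Msg("!LAC ERROR! didnt get query cvar value");
		return 1;
	}

	// Both signatures begin with 55 8B EC 8B 45 08, which is three whole
	// instructions in 6 bytes; the third DetourCreate argument is presumably the
	// number of prologue bytes relocated — confirm against DetourCreate.
	// NOTE(review): neither DetourCreate result is checked before being stored.
	ExecuteStringCmd = (OrigExecuteStringCmd)DetourCreate((BYTE*)executestringcmd, (BYTE*)hooked_ExecuteStringCmd, 6);
	ProcessRespondCvarValue = (OrigProcessRespondCvarValue)DetourCreate((BYTE*)onquerycvarval, (BYTE*)hooked_ProcessRespondCvarValue, 6);

	return 0;
}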
Beispiel #2
/// Fills the sdk:: function pointers and pointers:: values from byte-signature scans.
///
/// UIShowList is additionally detoured to newUIShowList. The pointers:: values are
/// read from wildcarded byte positions of the entity match. No scan result is
/// checked before it is cast, detoured or dereferenced.
///
/// @return always true.
bool cod8::Init()
{
	// Engine routines located by signature.
	const auto drawTextAddr = shitsig::FindPattern("\x8b\x44\x24\x04\x80\x38\x00\x0f\x84\x00\x00\x00\x00", "xxxxxxxxx????");
	sdk::DrawEngineText = (sdk::DrawEngineText_t)drawTextAddr;

	const auto registerShaderAddr = shitsig::FindPattern("\x8b\x44\x24\x04\x80\x38\x00\x75\x00", "xxxxxxxx?");
	sdk::RegisterShader = (sdk::RegisterShader_t)registerShaderAddr;

	// This one goes through utils::FindPattern and passes no mask.
	const auto registerFontAddr = utils::FindPattern("\x8b\x44\x24\x04\x6a\x01\x50\x6a\x18");
	sdk::RegisterFont = (sdk::RegisterFont_t)registerFontAddr;

	// The only routine that is detoured rather than just resolved.
	void* const uiShowListTarget = (void*)shitsig::FindPattern("\xA1\x00\x00\x00\x00\x81\xEC\x00\x00\x00\x00\x80\x78\x0C\x00\x74\x29", "x????xx????xxxxxx");
	sdk::UIShowList = (sdk::UIShowList_t)DetourCreate(uiShowListTarget, (void*)newUIShowList, DETOUR_TYPE_NOP_NOP_JMP);

	const auto worldToScreenAddr = shitsig::FindPattern("\x83\xEC\x0C\x8B\x44\x24\x18\xD9\x00", "xxxxxxxxx");
	sdk::WorldToScreen = (sdk::WorldToScreen_t)worldToScreenAddr;

	const auto screenMatrixAddr = shitsig::FindPattern("\xA1\x00\x00\x00\x00\x83\xF8\x03\x77\x0D", "x????xxxxx");
	sdk::GetScreenMatrix = (sdk::GetScreenMatrix_t)screenMatrixAddr;

	const auto rotatedPicAddr = shitsig::FindPattern("\x83\xEC\x50\xD9\x44\x24\x68", "xxxxxxx");
	sdk::DrawRotatedPic = (sdk::DrawRotatedPic_t)rotatedPicAddr;

	// Offsets 0x2 and 0x7 fall on the two wildcarded spans of this mask.
	unsigned long entityMatch = shitsig::FindPattern("\x69\xc0\x00\x00\x00\x00\x05\x00\x00\x00\x00\x83\xb8\xd4\x00\x00\x00\x01", "xx????x????xxxxxxx");
	pointers::ulEntities = *(unsigned long*)(entityMatch + 0x7);
	pointers::ulEntitiesSize = *(unsigned long*)(entityMatch + 0x2);

	// The client-info scan result is not read below; both values are loaded
	// relative to the entity match, exactly as in the original.
	unsigned long clientInfoMatch = shitsig::FindPattern("\x69\xc9\x00\x00\x00\x00\x6a\x00\x81\xc1\x00\x00\x00\x00", "xx????xxxx????");
	pointers::ulClientInfo = *(unsigned long*)(entityMatch + 0xA);
	pointers::ulClientInfoSize = *(unsigned long*)(entityMatch + 0x2);

	return true;
}
Beispiel #3
/// Detour for DirectInput8Create.
///
/// Forwards the call to the original through D3D9Hook_DirectInput8Create and, the
/// first time that call returns S_OK, detours the function stored at offset 0x10
/// of the returned object's function table (slot 4, EnumDevices per the original
/// comments) to IDirectInput8_EnumDevices_Detour.
///
/// @return the HRESULT of the original DirectInput8Create, unchanged.
HRESULT __stdcall  DirectInput8Create_Detour(
    HINSTANCE hinst,
    DWORD dwVersion,
    REFIID riidltf,
    LPVOID* ppvOut,
    LPUNKNOWN punkOuter
    )
{
    const HRESULT hr = D3D9Hook_DirectInput8Create(hinst, dwVersion, riidltf, ppvOut, punkOuter);

    // Anything other than S_OK is handed straight back to the caller.
    if (hr != S_OK)
        return hr;

    // NOTE(review): this flag is tested and set without any synchronisation.
    static bool hookInstalled = FALSE;

    if (hookInstalled)
        return hr;

    // The first DWORD of the returned object is its function-table address; the
    // DWORD casts assume 32-bit pointers.
    DWORD dwFuncTable = (DWORD)*((DWORD*)*ppvOut);

    // Kept from the original although nothing below reads either value.
    LPDIRECTINPUT8A di = (LPDIRECTINPUT8A)(DWORD)*((DWORD*)*ppvOut);
    VOID **virtualMethodTable = (VOID**)dwFuncTable;
    virtualMethodTable = (VOID**)virtualMethodTable[0];

    // Marked as done before the detour is created, as in the original.
    hookInstalled = TRUE;

    // 4 bytes per slot * slot 4 = 0x10.
    DWORD oldEnumDevice = *((DWORD*)(dwFuncTable + 0x10));

    DetourCreate((VOID*)oldEnumDevice, IDirectInput8_EnumDevices_Detour, &Detour_DirectInput_EnumDevices);
    D3D9Hook_IDirectInput8_EnumDevices = (TYPE_IDirectInput8_EnumDevices)Detour_DirectInput_EnumDevices.Trampoline;

    return hr;
}
Beispiel #4
/// Detours an address inside dxgi.dll to hkPresent and records progress in log.txt.
///
/// The detour is only attempted when the renderer singleton exists and its swap
/// chain pointer passes VALID().
///
/// @return always 0, whether or not a detour was installed.
DWORD CreateDetours()
{
	CLogFile logFile("log.txt", true);
	logFile.Write("Create Detours...");
	// Written before any work is attempted, exactly as in the original.
	logFile.Write("Create Detours Finished...");

	fb::DxRenderer* renderer = fb::DxRenderer::Singleton( );
	if( renderer == NULL )
	{
		logFile.Write("Renderer not found...");
		return 0;
	}

	logFile.Write("Swapchain found %X ... ",renderer->pSwapChain);

	if ( VALID( renderer->pSwapChain ) )
	{
		// Function table of the swap chain object. Only the commented-out
		// alternative (slot 8) would use it; the active path does not.
		DWORD* vtable = ( DWORD* )renderer->pSwapChain;
		vtable = ( DWORD* )vtable[0];

		// NOTE(review): the target is a fixed offset from the dxgi.dll base, so it
		// presumably matches only the build it was taken from; the module handle
		// is not checked for NULL before the addition.
		//DWORD dxgi_base = (DWORD)vtable[8];
		DWORD dxgi_base = (DWORD)GetModuleHandle("dxgi.dll") + (DWORD)0x2D9D1;

		oPresent = ( tPresent )DetourCreate( (PBYTE)dxgi_base, (PBYTE)&hkPresent, 5);

		logFile.Write("Detoured Swapchain Function: %X -> %X ... ", dxgi_base, (DWORD)oPresent);
	}
	else
	{
		logFile.Write("Detour failed. Swapchain Invalid. %X ... ", renderer->pSwapChain);
	}

	return 0;
}
/// Detours kernel32!WaitForDebugEvent to HookedWaitForDebugEvent.
///
/// Nothing is installed when the first byte of WaitForDebugEvent or of
/// ContinueDebugEvent is 0xE9 (JMP) or 0x68 (PUSH); a message box reports which
/// one looks hooked. Also records the ntdll.dll and kernel32.dll bases in
/// hNtdll and hKernel.
void HookDebugLoop()
{
	hNtdll = (DWORD_PTR)GetModuleHandleW(L"ntdll.dll");

	const HMODULE kernel32 = GetModuleHandleW(L"kernel32.dll");
	hKernel = (DWORD_PTR)kernel32;

	// NOTE(review): neither export address is checked for NULL before its first
	// byte is read.
	BYTE * const waitEntry = (BYTE *)GetProcAddress(kernel32, "WaitForDebugEvent");
	BYTE * const continueEntry = (BYTE *)GetProcAddress(kernel32, "ContinueDebugEvent");

	const bool waitPatched = (*waitEntry == 0xE9) || (*waitEntry == 0x68); // JMP, PUSH
	if (waitPatched)
	{
		MessageBoxW(0, L"kernel32.dll - WaitForDebugEvent is hooked already!", L"Error", MB_ICONERROR);
		return;
	}

	const bool continuePatched = (*continueEntry == 0xE9) || (*continueEntry == 0x68); // JMP, PUSH
	if (continuePatched)
	{
		MessageBoxW(0, L"kernel32.dll - ContinueDebugEvent is hooked already!", L"Error", MB_ICONERROR);
		return;
	}

	// Only WaitForDebugEvent is detoured; the ContinueDebugEvent detour is disabled.
	dWaitForDebugEvent = (t_WaitForDebugEvent)DetourCreate(waitEntry,HookedWaitForDebugEvent, true);
	//dContinueDebugEvent = (t_ContinueDebugEvent)DetourCreate(continueEntry,HookedContinueDebugEvent, true);
}
Beispiel #6
/// Detours dinput8.dll!DirectInput8Create to DirectInput8Create_Detour.
///
/// Returns silently when dinput8.dll is not loaded, and with a log line when the
/// export cannot be resolved. On success the trampoline from dinptdt is stored in
/// D3D9Hook_DirectInput8Create so the detour can call the original.
void HookDirectInput()
{
    // The DWORD casts assume 32-bit addresses.
    const DWORD moduleBase = (DWORD)GetModuleHandleW(L"dinput8.dll");
    if (moduleBase == 0)
        return;

    const DWORD createAddr = (DWORD)GetProcAddress((HMODULE)moduleBase, "DirectInput8Create");
    if (createAddr == 0)
    {
        Log(L"not DirectInput8Create!");
        return;
    }

    Log(L"got DirectInput8Create...");

    // NOTE(review): the DetourCreate result is not checked before the trampoline is read.
    DetourCreate((VOID*)createAddr, DirectInput8Create_Detour, &dinptdt);
    D3D9Hook_DirectInput8Create = (TYPE_DirectInput8Create)dinptdt.Trampoline;
}
Beispiel #7
// One-time client set-up, run inside the game process.
//
// Reads PrivateServer.ini, waits until rsaenh.dll is loaded, then locates code and
// data by byte signature and rewrites it in place: the version string, the
// GameGuard checks (BypassGameGuard), the FindWindowA-based check described in the
// MultiClient notes, the server address (ChangeIP) and a jump in the encryption
// routine (PatchEncryption). It also resolves the receive-packet size and handler
// tables, optionally replaces entries in them (HookPackets / LogPackets /
// DetourPackets), and detours kernel32.dll CreateFileW (HookFileLoading).
//
// Every patch is a direct write into the module's memory bracketed by
// SetProtection calls. No step verifies the bytes it overwrites, and a failed
// scan is only logged. From a defender's side, each of these writes changes a
// code section at run time, which is what code-integrity checks compare against
// the on-disk image.
void TSX_Client::Init()
{
	// NOTE(review): ini and sig are allocated with new; no matching delete is
	// visible in this function.
	ini = new Ini("PrivateServer.ini");
	sig = new signature_scanner();

	ProcessHandle = GetCurrentProcess();
	ProcessID = GetProcessId(ProcessHandle);
	Log.Write("ProcessID: %u %04X",ProcessID,ProcessID);

	DevButtons = ini->GetInt("DevButtons",0);

	// Polls once per millisecond until rsaenh.dll is loaded; there is no timeout.
	HMODULE rsaenh = NULL;
	do
	{
		rsaenh = GetModuleHandle("rsaenh.dll");
		Sleep(1);
	}
	while(rsaenh==NULL);
	Log.Write("Unpacked in Memory");
	//MessageBox(0,"TSX Paused","Paused",MB_OK);


	char* VersionString = (char*)sig->search("6A0168????????6A1268XXXXXXXX");
	if (VersionString)
	{
		Log.Write("Game Version: %s Found at %08X",VersionString,VersionString);
		Log.Write("A0");
		oldProtection = SetProtection(VersionString,50);
		// NOTE(review): sprintf reads and writes the same buffer (overlapping
		// arguments are undefined behaviour) and the result is 4 characters
		// longer than the string that was there.
		sprintf(VersionString, "%s TSX",VersionString);
		SetProtection(VersionString,50,oldProtection);
		Log.Write("A0.1");
	}
	else
	{
		Log.Write("Game Version Not Found");
	}

	Log.Write("A1");
	// NOTE(review): string literals bound to non-const char*.
	char* GGFile = "GameGuard.des";
	char* GGFileBackup = "GameGuard.des.bak";
	if (ini->GetInt("BypassGameGuard",1))
	{
		Log.Write("A2");
		Log.Write("Attempting to bypass GameGuard");
		// The rename() result is not checked.
		rename(GGFile,GGFileBackup);

		// STEP ZERO: By Tri407tiny!
		//005404ED   .  53                                PUSH EBX
		//005404EE   .  8BD9                              MOV EBX,ECX
		//005404F0   .  56                                PUSH ESI
		//005404F1   .  57                                PUSH EDI
		//005404F2   .  895D FC                           MOV DWORD PTR SS:[EBP-0x4],EBX
		//005404F5   .  EB 04                             JMP SHORT TwelveSk.005404FB
		//005404F7   .  EB 05                             JMP SHORT TwelveSk.005404FE
		//005404F9   .  3919                              CMP DWORD PTR DS:[ECX],EBX
		//005404FB   >  803B 00                           CMP BYTE PTR DS:[EBX],0x0
		//005404FE      0F85 181F0000                     JNZ TwelveSk.0054241C  << Change to JMP as shown below
		
		// The patch
		//005404FE     /E9 191F0000                       JMP TwelveSk.0054241C
		//00540503     |90                                NOP
		byte* GGZero = (byte*)sig->search("538BD95657895DFC",17);
		byte GGZeroBytes[] = {0xE9,0x19,0x1F,0x00,0x00,0x90};
		if (GGZero)
		{
			Log.Write("GGZero Found at %08X",GGZero);
			oldProtection = SetProtection(GGZero,10);
			memcpy(GGZero,GGZeroBytes,sizeof(GGZeroBytes));
			SetProtection(GGZero,10,oldProtection);
			
		}
		else
		{
			Log.Write("GGZero Not Found");
		}

		// STEP ONE:
		// Bypassing GameGuard Init
		// We want the third one *but maybe we can patch them all? or we should just get a stronger signiture.
		//byte* GGBypass1 = NULL;
		//byte GGBypass1Bytes[] = {0xE9,0x1E,0x01,0x00,0x00,0x90};
		//
		//while(GGBypass1 = (byte*)sig->search("0F851D010000",0,true,GGBypass1))
		//{
		//    memcpy(GGBypass1,GGBypass1Bytes,sizeof(GGBypass1Bytes));
		//}

		// I decided to make a stronger signiture but if we need to we can patch everything.

		// Cant remember what this patchs oh well change it to JMP
		//00541669   . /0F85 1D010000 JNZ TwelveSk.0054178C
		//0054166F   . |8D4D D8       LEA ECX,DWORD PTR SS:[EBP-0x28]
		//00541672   . |8D95 D8FEFFFF LEA EDX,DWORD PTR SS:[EBP-0x128]
		//00541678   . |51            PUSH ECX
		//00541679   . |52            PUSH EDX
		//0054167A   . |57            PUSH EDI
		//0054167B   . |57            PUSH EDI
		//0054167C   . |57            PUSH EDI
		//0054167D   . |6A 01         PUSH 0x1
		//0054167F   . |57            PUSH EDI
		//00541680   . |8D85 C0F4FFFF LEA EAX,DWORD PTR SS:[EBP-0xB40]
		//00541686   . |57            PUSH EDI
		//00541687   . |8D8D D0FCFFFF LEA ECX,DWORD PTR SS:[EBP-0x330]
		//0054168D   . |50            PUSH EAX
		//0054168E   . |51            PUSH ECX
		//0054168F   . |FF15 78C15500 CALL DWORD PTR DS:[0x55C178]
		//00541695   . |85C0          TEST EAX,EAX

		byte* GGBypass1 = (byte*)sig->search("0F851D0100008D4D");
		byte GGBypass1Bytes[] = {0xE9,0x1E,0x01,0x00,0x00,0x90};
		if (GGBypass1)
		{
			Log.Write("GGBypass1 Found at %08X",GGBypass1);
			oldProtection = SetProtection(GGBypass1,10);
			memcpy(GGBypass1,GGBypass1Bytes,sizeof(GGBypass1Bytes));
			SetProtection(GGBypass1,10,oldProtection);
		}
		else
		{
			Log.Write("GGBypass1 Not Found");
		}
		Log.Write("A3");

		// STEP TWO:
		// Bypassing GameGuard Error MessageBox's
		//00401A70  /$  81EC E8030000 SUB ESP,0x3E8
		//00401A76  |.  E8 B5E11300   CALL TwelveSk.0053FC30    <<<< NOP THIS
		//00401A7B  |.  3D 55070000   CMP EAX,0x755
		//00401A80  |.  74 33         JE SHORT TwelveSk.00401AB5  <<<< MAKE JMP
		//00401A82  |.  50            PUSH EAX
		//00401A83  |.  8D4424 04     LEA EAX,DWORD PTR SS:[ESP+0x4]
		//00401A87  |.  68 B4C45500   PUSH TwelveSk.0055C4B4                   ;  ASCII "[GameGuard Error::%lu]"
		//00401A8C  |.  50            PUSH EAX
		//00401A8D  |.  E8 4B711400   CALL TwelveSk.00548BDD
		//00401A92  |.  83C4 0C       ADD ESP,0xC
		//00401A95  |.  68 00100000   PUSH 0x1000                              ; /Style = MB_OK|MB_SYSTEMMODAL
		//00401A9A  |.  68 A8C45500   PUSH TwelveSk.0055C4A8                   ; |Title = "TwelveSky"
		//00401A9F  |.  8D4C24 08     LEA ECX,DWORD PTR SS:[ESP+0x8]           ; |
		//00401AA3  |.  51            PUSH ECX                                 ; |Text
		//00401AA4  |.  6A 00         PUSH 0x0                                 ; |hOwner = NULL
		//00401AA6  |.  FF15 D0C25500 CALL DWORD PTR DS:[0x55C2D0]             ; \MessageBoxA
		//00401AAC  |.  33C0          XOR EAX,EAX
		//00401AAE  |.  81C4 E8030000 ADD ESP,0x3E8
		//00401AB4  |.  C3            RETN
		//00401AB5  |>  B8 01000000   MOV EAX,0x1
		//00401ABA  |.  81C4 E8030000 ADD ESP,0x3E8
		//00401AC0  \.  C3            RETN
		// Would be more awesome if we could detour this and log the messages to our log.
Log.Write("A4");
		byte* GGBypass2 = (byte*)sig->search("81ECE8030000E8????????3D55070000",6);
		if (GGBypass2)
		{
			Log.Write("GGBypass2 Found at %08X",GGBypass2);
			oldProtection = SetProtection(GGBypass2,30);
			memset(GGBypass2,0x90,5);
			GGBypass2[10]=0xEB;
			SetProtection(GGBypass2,30,oldProtection);
		}
		else
		{
			Log.Write("GGBypass2 Not Found");
		}

		// STEP THREE: Bypassing shitty IE errors and junk :)
		byte* ggErrorIEPatch = (byte*)sig->search("518B0D????????85C9750433C059C3",9);
		if (ggErrorIEPatch)
		{
			Log.Write("GG Error IE Patch found at %08X",ggErrorIEPatch);
			// Write Nops
			oldProtection = SetProtection(ggErrorIEPatch,10);
			ggErrorIEPatch[0]=0x90;
			ggErrorIEPatch[1]=0x90;
			SetProtection(ggErrorIEPatch,10,oldProtection);
		}
		else
		{
			Log.Write("Failed to find ggErrorIEPatch address");
		}

	}
	else
	{
		// With the option off, the backup name is renamed back; result not checked.
		rename(GGFileBackup,GGFile);
	}

	if (ini->GetInt("MultiClient",1))
	{
		//00403AB6   > \6A 00         PUSH 0                                   ; /Title = NULL
		//00403AB8   .  68 A8845500   PUSH 005584A8                            ; |Class = "TwelveSky"
		//00403ABD   .  FF15 A0825500 CALL DWORD PTR DS:[5582A0]               ; \FindWindowA
		//00403AC3   .  85C0          TEST EAX,EAX
		//00403AC5   .  74 3F         JE SHORT 00403B06							; Patch me to JMP
		//6A 00 68 A8 84 55 00 FF 15 A0 82 55 00 85 C0 74 3F 
		//x  x  x  ?  ?  ?  ?  x  x  ?  ?  ?  ?  x  x  x  x
		//6A 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 3F 
		byte* MultiClientPatch = (byte*)sig->search("6A0068????????FF15????????85C0743F");

		if (MultiClientPatch)
		{
			oldProtection = SetProtection(MultiClientPatch,20);
			Log.Write("MultiClientPatch found at %08X",MultiClientPatch);
			MultiClientPatch[15]=0xEB;
			SetProtection(MultiClientPatch,20,oldProtection);
		}
		else
		{
			Log.Write("Error finding MultiClientPatch");
		}
	}

	if (ini->GetInt("ChangeIP",1))
	{
		Log.Write("Trying to patch IP");
		// Find IP address
		//004873AC   .  57            PUSH EDI
		//004873AD   .  BF 28B5EC00   MOV EDI,00ECB528                         ;  ASCII "110.45.184.130"
		//004873B2   >  8B04B5 68BBEC>MOV EAX,DWORD PTR DS:[ESI*4+ECBB68]
		//004873B9   .  50            PUSH EAX                                 ; /Arg2
		//004873BA   .  57            PUSH EDI                                 ; |Arg1
		//004873BB   .  B9 20B5EC00   MOV ECX,00ECB520                         ; |
		//004873C0   .  E8 8BA8FFFF   CALL 00481C50                            ; \TwelveSk.00481C50
		//004873C5   .  8904B5 F8BCEC>MOV DWORD PTR DS:[ESI*4+ECBCF8],EAX
		//004873CC   .  A1 20B5EC00   MOV EAX,DWORD PTR DS:[ECB520]
		//004873D1   .  46            INC ESI
		//004873D2   .  83C7 10       ADD EDI,10
		//004873D5   .  3BF0          CMP ESI,EAX
		//004873D7   .^ 7C D9         JL SHORT 004873B2
		
		IPAddress = (char*)sig->search_text(ini->GetString("OrigionalIP","110.45.184.130").c_str());
		if (IPAddress)
		{
			//00401930 <FuckupIP>/$  83EC 08                    SUB ESP,8
			//00401933           |.  55                         PUSH EBP
			//00401934           |.  56                         PUSH ESI
			//00401935           |.  57                         PUSH EDI
			//00401936           |.  8B7C24 18                  MOV EDI,DWORD PTR SS:[ESP+18]
			//0040193A           |.  8BC7                       MOV EAX,EDI
			//0040193C           |.  33ED                       XOR EBP,EBP
			//0040193E           |.  66:C74424 0C 3000          MOV WORD PTR SS:[ESP+C],30
			//00401945           |.  33D2                       XOR EDX,EDX
			//00401947           |.  8D70 01                    LEA ESI,DWORD PTR DS:[EAX+1]
			//0040194A           |.  8D9B 00000000              LEA EBX,DWORD PTR DS:[EBX]
			//00401950           |>  8A08                       /MOV CL,BYTE PTR DS:[EAX]
			//00401952           |.  40                         |INC EAX
			//00401953           |.  84C9                       |TEST CL,CL
			//00401955           |.^ 75 F9                      \JNZ SHORT 00401950

			//DWORD IPFuckupPatchAddress = FindSigniture(0x00401000,0x0045FFFF,(PBYTE)"\x83\xEC\x08\x55\x56\x57\x8B\x7C\x24\x18\x8B\xC7\x33\xED","xxxxxxxxxxxxxx");
			Log.Write("IP Address found at %08X",IPAddress);
			Log.Write("Patching IP Stuffing up code");
			unsigned long ipfuckuppatch = sig->search("83EC085556578B7C24188BC733ED");
			if (ipfuckuppatch)
			{
				oldProtection = SetProtection((byte*)(ipfuckuppatch),10);

				*(byte*)(ipfuckuppatch)=0xC3; // RETN

				SetProtection((byte*)(ipfuckuppatch),10,oldProtection);

				// Get IP address of extendedgames.com using DNS lookup?
				// NOTE(review): this write happens before any SetProtection call on
				// IPAddress, and strncpy leaves the buffer unterminated when the
				// source has 15 or more characters.
				strncpy(IPAddress,ini->GetString("ServerIP","DOMAIN").c_str(),15);

				if (strcmp(IPAddress,"DOMAIN")==0)
				{
				       Log.Write("Asking for domains ip");
					   WSADATA wsaData;
						int iResult;

						DWORD dwError;

						struct hostent *remoteHost;
						char *host_name;
						struct in_addr addr;

						// Initialize Winsock
						// NOTE(review): no WSACleanup call is visible for this WSAStartup.
						iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
						if (iResult != 0) 
						{
							Log.Write("WSAStartup failed: %d", iResult);
						}
						else
						{

						host_name = "extendedgames.com"; 


						Log.Write("Calling gethostbyname with %s", host_name);
						// gethostbyname is deprecated in Winsock in favour of getaddrinfo.
						remoteHost = gethostbyname(host_name);
					    

						if (remoteHost == NULL) 
						{
							dwError = WSAGetLastError();
							if (dwError != 0) {
								if (dwError == WSAHOST_NOT_FOUND) {
									Log.Write("Host not found\n");
								} else if (dwError == WSANO_DATA) {
									Log.Write("No data record found\n");
								} else {
									Log.Write("Function failed with error: %ld\n", dwError);
								}
							}
						} 
						else 
						{
							Log.Write("Function returned:");
							Log.Write("\tOfficial name: %s", remoteHost->h_name);
							// NOTE(review): h_aliases is a char** but is formatted with %s.
							Log.Write("\tAlternate names: %s", remoteHost->h_aliases);
							Log.Write("\tAddress type: ");
							switch (remoteHost->h_addrtype) {
							case AF_INET:
								Log.Write("AF_INET");
								break;
							case AF_INET6:
								// NOTE(review): logs "AF_INET" for AF_INET6.
								Log.Write("AF_INET");
								break;
							case AF_NETBIOS:
								Log.Write("AF_NETBIOS");
								break;
							default:
								Log.Write(" %d", remoteHost->h_addrtype);
								break;
							}
							Log.Write("\tAddress length: %d", remoteHost->h_length);
							// NOTE(review): h_addr_list[0] is read as an IPv4 address
							// without checking h_addrtype or h_length.
							addr.s_addr = *(u_long *) remoteHost->h_addr_list[0];
							Log.Write("\tFirst IP Address: %s", inet_ntoa(addr));

							oldProtection = SetProtection(IPAddress,30);
							//sprintf(IPAddress,"%s",inet_ntoa(addr));
							strcpy(IPAddress,inet_ntoa(addr));
							SetProtection(IPAddress,30,oldProtection);
						}
						}

				}
				Log.Write("Patched IP Successfully to %s",IPAddress);


				if (ini->GetInt("PatchEncryption",1))
				{
					Log.Write("Patching Encryption");
					GameEncryptAddress = sig->search("518B4424088A088A5001");
					if (GameEncryptAddress)
					{
						// The success line is logged before the bytes are written.
						Log.Write("Encryption Patched");
						byte patch[] = {0xE9,0x9B,0x00,0x00,0x00,0x90};
						oldProtection = SetProtection((byte*)GameEncryptAddress+20,10);
						memcpy((byte*)(GameEncryptAddress+20),patch,sizeof(patch));
						SetProtection((byte*)GameEncryptAddress+20,10,oldProtection);
					}
					else
					{
						Log.Write("Failed to patch Encryption");
					}
				}
			}
			else
			{
				Log.Write("Unable to patch");
			}
		}
		else
		{
			Log.Write("Failed to find IP Address");
		}
	}

	ScreenAddress = (uint*)sig->search("C705XXXXXXXX0500000068B8");
	if (ScreenAddress)
	{
		Log.Write("Found Screen Address");
	}
	else
	{
		Log.Write("Failed to find Screen Address");
	}

	// Get Zone Address
	ZoneAddress = (uint*)sig->search("8B0DXXXXXXXX83C1CF83F95A");
	if (ZoneAddress)
	{
		Log.Write("Found Zone Address at %08X",ZoneAddress);
	}
	else
	{
		Log.Write("Failed to find Zone Address");
	}
	

	// Get packet recv location
	// To be able to know the sizes and function addresses for all recv packets

	//004077E2 - 8B 4B 04              - mov ecx,[ebx+04]
	//004077E5 - 03 C8                 - add ecx,eax
	//004077E7 - 8B C1                 - mov eax,ecx
	//004077E9 - 85 C0                 - test eax,eax
	//004077EB - 89 4B 04              - mov [ebx+04],ecx
	//004077EE - 0F8E 03010000         - jng 004078F7
	//004077F4 - 56                    - push esi
	//004077F5 - 57                    - push edi
	//004077F6 - 8B 73 08              - mov esi,[ebx+08]
	//004077F9 - 8A 06                 - mov al,[esi]
	//004077FB - 3C 18                 - cmp al,18
	//004077FD - 0F84 80000000         - je 00407883
	//00407803 - 3C 19                 - cmp al,19
	//00407805 - 74 7C                 - je 00407883
	//00407807 - 3C 1A                 - cmp al,1A
	//00407809 - 74 78                 - je 00407883
	//0040780B - 3C 1B                 - cmp al,1B
	//0040780D - 74 74                 - je 00407883
	//0040780F - 3C 2C                 - cmp al,2C
	//00407811 - 74 70                 - je 00407883
	//00407813 - 3C 50                 - cmp al,50
	//00407815 - 74 6C                 - je 00407883
	//00407817 - 3C 57                 - cmp al,57
	//00407819 - 74 68                 - je 00407883
	//0040781B - 3C 77                 - cmp al,77
	//0040781D - 74 64                 - je 00407883
	//0040781F - 0FB6 E8               - movzx ebp,al
	//00407822 - 8B 43 04              - mov eax,[ebx+04]
	//00407825 - C1 E5 02              - shl ebp,02
	//00407828 - 8B 8D 10335800        - mov ecx,[ebp+00583310]
	//0040782E - 3B C1                 - cmp eax,ecx
	//00407830 - 0F8C BF000000         - jl 004078F5
	//00407836 - 8B 3D 08335800        - mov edi,[00583308] : [07710048]
	//0040783C - 8B D1                 - mov edx,ecx
	//0040783E - C1 E9 02              - shr ecx,02
	//00407841 - F3 A5                 - repe movsd 
	//00407843 - 8B CA                 - mov ecx,edx
	//00407845 - 83 E1 03              - and ecx,03
	//00407848 - F3 A4                 - repe movsb 
	//0040784A - FF 95 002F5800        - call dword ptr [ebp+00582F00]
	//00407850 - 8B 43 04              - mov eax,[ebx+04]
	//00407853 - 8B 8D 10335800        - mov ecx,[ebp+00583310]
	//00407859 - 3B C1                 - cmp eax,ecx
	//0040785B - 0F8C 89000000         - jl 004078EA
	//00407861 - 8B 53 08              - mov edx,[ebx+08]
	//00407864 - 2B C1                 - sub eax,ecx
	//00407866 - 50                    - push eax
	//00407867 - 03 CA                 - add ecx,edx
	//00407869 - 51                    - push ecx
	//0040786A - 52                    - push edx
	//0040786B - E8 30101400           - call 005488A0
	//00407870 - 8B 85 10335800        - mov eax,[ebp+00583310]
	//00407876 - 8B 4B 04              - mov ecx,[ebx+04]
	//00407879 - 83 C4 0C              - add esp,0C
	//0040787C - 2B C8                 - sub ecx,eax
	//0040787E - 89 4B 04              - mov [ebx+04],ecx
	//00407881 - EB 67                 - jmp 004078EA
	//00407883 - 8B 53 04              - mov edx,[ebx+04]
	//00407886 - 83 FA 06              - cmp edx,06
	//00407889 - 7C 6A                 - jnge 004078F5
	//0040788B - 8A 4E 01              - mov cl,[esi+01]
	//0040788E - 84 C9                 - test cl,cl
	//00407890 - 75 0C                 - jne 0040789E
	//00407892 - 0FB6 C8               - movzx ecx,al
	//00407895 - 8B 2C 8D 10335800     - mov ebp,[ecx*4+00583310]        !Packet Size
	//0040789C - EB 06                 - jmp 004078A4
	//0040789E - 8B 4E 02              - mov ecx,[esi+02]
	//004078A1 - 8D 69 06              - lea ebp,[ecx+06]
	//004078A4 - 3B D5                 - cmp edx,ebp
	//004078A6 - 7C 4D                 - jnge 004078F5
	//004078A8 - 8B 3D 08335800        - mov edi,[00583308] : [07710048]      !Recv Buffer
	//004078AE - 8B CD                 - mov ecx,ebp
	//004078B0 - 8B D1                 - mov edx,ecx
	//004078B2 - C1 E9 02              - shr ecx,02
	//004078B5 - F3 A5                 - repe movsd 
	//004078B7 - 8B CA                 - mov ecx,edx
	//004078B9 - 83 E1 03              - and ecx,03
	//004078BC - 0FB6 C0               - movzx eax,al
	//004078BF - F3 A4                 - repe movsb 
	//004078C1 - FF 14 85 002F5800     - call dword ptr [eax*4+00582F00]    !Function Call
	//004078C8 - 8B 43 04              - mov eax,[ebx+04]
	//004078CB - 3B C5                 - cmp eax,ebp
	//004078CD - 7C 1B                 - jnge 004078EA
	//004078CF - 8B 4B 08              - mov ecx,[ebx+08]
	//004078D2 - 2B C5                 - sub eax,ebp
	//004078D4 - 50                    - push eax
	//004078D5 - 8D 14 29              - lea edx,[ecx+ebp]
	//004078D8 - 52                    - push edx
	//004078D9 - 51                    - push ecx
	//004078DA - E8 C10F1400           - call 005488A0
	//004078DF - 8B 43 04              - mov eax,[ebx+04]
	//004078E2 - 83 C4 0C              - add esp,0C
	//004078E5 - 2B C5                 - sub eax,ebp
	//004078E7 - 89 43 04              - mov [ebx+04],eax
	//004078EA - 8B 43 04              - mov eax,[ebx+04]
	//004078ED - 85 C0                 - test eax,eax
	//004078EF - 0F8F 01FFFFFF         - jg 004077F6
	//004078F5 - 5F                    - pop edi
	//004078F6 - 5E                    - pop esi
	//004078F7 - 5D                    - pop ebp
	//004078F8 - 5B                    - pop ebx
	//004078F9 - C2 0800               - ret 0008

	//if (ini->GetInt("UseTranslations",1))
	//{
	//	// Scan for pointers we need for the data structure arrays {Item, Monster, NPC, Quest etc...}

	//	// When found
	//	LoadTranslationCSVs();
	//}

	if (ini->GetInt("Halt",0)) {
		MessageBox(0,"Halt","TSX Client DLL",0);
	}

	unsigned long RecvPacketLoop = sig->search("8B2C8D????????EB068B4E028D69063BD57C4D8B3D????????8BCD8BD1C1E902F3A58BCA83E1030FB6C0F3A4FF1485????????");
	
	if (RecvPacketLoop)
	{
		Log.Write("Found RecvPacketLoop at %08X",RecvPacketLoop);
		
		// Offsets 3, 21 and 47 are where the three wildcarded 4-byte operands of
		// the signature begin.
		GameRecvPacketSize = *(size_t**)(RecvPacketLoop+3);
		Log.Write("Found GameRecvPacketSize at %08X",GameRecvPacketSize);
		
		GameNetworkInfo = RecvPacketLoop+21;
		GameRecvBufferPointer = *(byte***)GameNetworkInfo;

		Log.Write("Found GameNetworkInfo at %08X",GameNetworkInfo);
		Log.Write("Found GameRecvBufferPointer at %08X",GameRecvBufferPointer);
		
		GameRecvPacketFunctor = *(PacketRecvFunctor**)(RecvPacketLoop+47);
		Log.Write("Found GameRecvPacketFunctor at %08X",GameRecvPacketFunctor);

		Log.Write("Waiting for network to be Initilized");
		// Polls every 10 ms until the buffer pointer is non-null; there is no timeout.
		while (*GameRecvBufferPointer==NULL)
		{
			Sleep(10);
		}
		Sleep(10);
		Log.Write("Network Initilized");

		if (ini->GetInt("PacketInfo",1))
		{
			for (int i=0;i<=0xFF;i++)
			{
				Log.Write("Packet %02X Functor %08X PacketSize %u",i,GameRecvPacketFunctor[i],GameRecvPacketSize[i]);
			}
		}

		if (ini->GetInt("HookPackets",0))
		{

			RecvBuffer = *GameRecvBufferPointer;
			Log.Write("Recv Buffer is at %08X",RecvBuffer);
			// Backup Packet Functors
			// Should just use memcpy
			for (int i=0;i<=0xFF;i++)
			{
				OrigionalPacketRecvFunctor[i]=GameRecvPacketFunctor[i];
			}

			// I would prefer this to be hex values for packets to log
			if (ini->GetInt("LogPackets",0)) {
				// NOTE(review): this loop stops at 0xFE (i<0xFF) while the loops
				// above cover 0..0xFF.
				for (int i=0;i<0xFF;i++) {
					GameRecvPacketFunctor[i] = hookRecvLogPacket;
				}
			}

			if (ini->GetInt("DetourPackets",1))
			{
				// Hook Packets
				if (ini->GetInt("ChangeIP",1)==0)
				{
					Log.Write("NPC Packet function is at %08X and points too %08X",&GameRecvPacketFunctor[0x19],GameRecvPacketFunctor[0x19]);
					GameRecvPacketFunctor[0x19] = MyNPCPacket;

					Log.Write("Monster Packet function is at %08X and points too %08X",&GameRecvPacketFunctor[0x1A],GameRecvPacketFunctor[0x1A]);
					GameRecvPacketFunctor[0x1A] = MyMonsterPacket;

					Log.Write("Gameguard Keypacket function is at %08X and points too %08X",&GameRecvPacketFunctor[0x9A],GameRecvPacketFunctor[0x9A]);
					GameRecvPacketFunctor[0x9A] = MyGameguardKeyPacket;
				}

				Log.Write("Chat Packet function is at %08X and points too %08X",&GameRecvPacketFunctor[0x2A],GameRecvPacketFunctor[0x2A]);
				GameRecvPacketFunctor[0x2A] = MyChatPacket;
			}
		}
	}
	else
	{
		Log.Write("Failed to find RecvPacketLoop");
	}

	// Find Speed Hack
	// Just - from gametime a certian small amount eg 0.002 each step through run
	//00401768 - 48                    - dec eax
	//00401769 - D8 05 8CC45500        - fadd dword ptr [0055C48C] : [3B449BA6]
	//0040176F - C7 05 602D5800 022B073D - mov [00582D60],3D072B02
	//00401779 - D9 1C 24              - fstp dword ptr [esp]
	//0040177C - D9 05 542E5800        - fld dword ptr [00582E54] : <<< GameTime
	//00401782 - D8 05 8CC45500        - fadd dword ptr [0055C48C] 
	//00401788 - D9 1D 542E5800        - fstp dword ptr [00582E54] : [4713316F]
	//0040178E - 74 11                 - je 004017A1
	//00401790 - 83 E8 02              - sub eax,02
	//00401793 - 75 16                 - jne 004017AB
	//00401795 - B9 4064AE00           - mov ecx,00AE6440 : [00000000]
	GameTimeAdjust=-0.15f;
	GameTimeAddress = (float*)sig->search("D905XXXXXXXXD805????????D91D????????");
	SpeedHackEnabled=false;

	// NOTE(review): logged without checking whether the scan succeeded.
	Log.Write("GameTime found at %08X",GameTimeAddress);


	Log.Write("Monster Object size is %u",sizeof(MonsterObject));

	// Get Uncompress Function
	// NOTE(review): HandleGXDCompress is not checked before GetProcAddress, and
	// the resulting pointer is only logged, not validated.
	HMODULE HandleGXDCompress = GetModuleHandle("GXDCompress");
	uncompress = (uncompress_functor)GetProcAddress(HandleGXDCompress,"uncompress");
	Log.Write("GXDCompress.uncompress is at %08X",uncompress);

	ZoneID=0;
	if (MOBSpawns) delete MOBSpawns;
	MOBSpawns = new SpawnInfoManager(ZoneID,"MOB");
	if (NPCSpawns) delete NPCSpawns;
	NPCSpawns = new SpawnInfoManager(ZoneID,"NPC");	


	if (ini->GetInt("HookFileLoading",1))
	{
		Log.Write("Hooking File Loading");
		// Create a hook and hook any CreateFileW
		// if the file path ends with .IMG or .img
		// copy the pathname and prepend data\\ to it.
		// check if file exists
		// if so call orgional CreateFileW on that otherwise call origional function on the argument path.
		// return
		  //CreateFileW
  //LPCTSTR lpFileName,
  //DWORD dwDesiredAccess,
  //DWORD dwShareMode,
  //LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  //DWORD dwCreationDisposition,
  //DWORD dwFlagsAndAttributes,
  //HANDLE hTemplateFile
		
		//detour_CreateFileW = (tCreateFileW) detour.Create("kernel32.dll", "CreateFileW", (BYTE*)hook_CreateFileW, DETOUR_TYPE_JMP);
		// NOTE(review): the DetourCreate result is stored without a null check.
		oCreateFileW = (tCreateFileW) DetourCreate("kernel32.dll", "CreateFileW", hook_CreateFileW, DETOUR_TYPE_JMP);
	}
}