OELABOELA wrote: Fri Jan 01, 2021 10:23 am
> I will look into it. Any other hints you can give me on reversing tqplat? The dll seems scattered or obfuscated.

Your best bet to getting around all the indirection is to hardware breakpoint the input and output buffers, or look for a known constant or an api file like CreateFileA.
Re: Client: Using decrypted server.dat
#12
Diab wrote: Fri Jan 01, 2021 6:26 pm
> Your best bet to getting around all the indirection is to hardware breakpoint the input and output buffers, or look for a known constant or an api file like CreateFileA.

I have hooked the function and dumped all of the .ini into new files that are actually readable now.
Re: Client: Using decrypted server.dat
#13
We already have a tool for those files and encryption: https://gitlab.com/conquer-online/tools/file-manager
Re: Client: Using decrypted server.dat
#14
Thanks for releasing this :-)! Will be trying this on older versions of clients and definitely let you guys know the outcome :-)!
Re: Client: Using decrypted server.dat
#15
Mugaru wrote: Mon Jan 04, 2021 12:29 pm
> Thanks for releasing this :-)! Will be trying this on older versions of clients and definitely let you guys know the outcome :-)!

I'm sure you can use these methods to make it work with any CO2 client, but I'm curious to see what you get.
sincerely,
adrian
software engineer
Re: Client: Using decrypted server.dat
#16
Here are my findings for the 5517 client.
I've been private messaging with Adrian about removing the blacknull check from the client, since you can't find it with string reference.
Adrian found out that you can find it in the HEX window in OllyDBG, so from that point he was able to play around with the jumps around that opcode. (Thanks for the help with that).
After that I've been following the guide in the first post of this topic, from which I posted my opcodes up here.
The issue with this is that I am not able to change the row amount or names in the outerserver.xml, so for example you have server names like Lucky7, you can change it to Lucky8 or Tests1 but if you use a name which is longer or shorter it won't load the servers anymore.
It's the same with the rows in the XML file, if you remove rows, to keep only 1 server group and 1 server, the 'custom' server.dat won't load, you will see an empty server list.
If anybody else knows the answer to this problem, feel free to post it :-), for now this is the start of my try.
My guess here is that the client loads the original server.dat and saves the row count and the names somewhere in the memory, to check those later.
I'm still debugging the client, but for now I've got no new info, when I have, I'll post it here.
#Update
I added the last OPCode in the code tags of this post which should be changed to make it work.
After I changed that last one, I was able to load my own serverlist.
Code:
00764CE7 = tmpnam
00764D9A = DeleteFileA (Call)
007B714F = Push EDX
007B7150 = FOPEN
007B7149 = Should be changed from JGE to JMP.
After that
007B7158 = MOV EDX [FILE THAT WILL BECOME THE SERVER.DAT] (i used: MOV EDX, 00940450 // ini/ItemtypeSub.dat )
007B715E = JMP 007B714F
00765716 = JE Conquer-.007657A0 > This JE should be changed to JNZ
Re: Client: Using decrypted server.dat
#17
Mugaru wrote: Wed Jan 06, 2021 1:37 pm
> Here are my findings for the 5517 client.
> #Update
> Code:
> 00764CE7 = tmpnam
> 00764D9A = DeleteFileA (Call)
> 007B714F = Push EDX
> 007B7150 = FOPEN
> 007B7149 = Should be changed from JGE to JMP.
> After that
> 007B7158 = MOV EDX [FILE THAT WILL BECOME THE SERVER.DAT] (i used: MOV EDX, 00940450 // ini/ItemtypeSub.dat )
> 007B715E = JMP 007B714F
> 00765716 = JE Conquer-.007657A0 > This JE should be changed to JNZ
> I added the last OPCode in the code tags of this post which should be changed to make it work.
> After I changed that last one, I was able to load my own serverlist.

I'm glad you did it!
This should work fine on 5517 client. Thank you, @Mugaru.
sincerely,
adrian
software engineer