OELABOELA wrote: Fri Jan 01, 2021 10:23 am I will look into it. Any other hints you can give me on reversing tqplat? The dll seems scattered or obfuscated.

Your best bet for getting around all the indirection is to hardware breakpoint the input and output buffers, or look for a known constant or an API file like CreateFileA.
Client: Using decrypted server.dat
#12
Diab wrote: Fri Jan 01, 2021 6:26 pm Your best bet for getting around all the indirection is to hardware breakpoint the input and output buffers, or look for a known constant or an API file like CreateFileA.

I have hooked the function and dumped all of the .ini into new files that are actually readable now.
#13
We already have a tool for those files and encryption: https://gitlab.com/conquer-online/tools/file-manager
Interested in my work?
If you wanna learn more about me and my projects: visit my portfolio website. There, you can find my free, open-source work and articles about game development. Due to contractual restrictions: I am not available for job requests or volunteer work.
About Me | GitLab Profile | Website
#14
Thanks for releasing this :-)! Will be trying this on older versions of clients and definitely let you guys know the outcome :-)!
#15
Mugaru wrote: Mon Jan 04, 2021 12:29 pm Thanks for releasing this :-)! Will be trying this on older versions of clients and definitely let you guys know the outcome :-)!

I'm sure you can use these methods to make it work with any CO2 client, but I'm curious to see what you get.
sincerely,
adrian
software engineer
#16
Here are my findings for the 5517 client.
I've been private messaging with Adrian about removing the blacknull check from the client, since you can't find it with string reference.
Adrian found out that you can find it in the HEX window in OllyDBG, so from that point he was able to play around with the jumps around that opcode. (Thanks for the help with that).
After that I've been following the guide in the first post of this topic, from which I posted my opcodes up here.
The issue with this is that I am not able to change the row amount or names in the outerserver.xml, so for example you have server names like Lucky7, you can change it to Lucky8 or Tests1 but if you use a name which is longer or shorter it won't load the servers anymore.
It's the same with the rows in the XML file, if you remove rows, to keep only 1 server group and 1 server, the 'custom' server.dat won't load, you will see an empty server list.
If anybody else knows the answer to this problem, feel free to post it :-), for now this is the start of my try.
My guess here is that the client loads the original server.dat and saves the row count and the names somewhere in the memory, to check those later.
I'm still debugging the client, but for now I've got no new info, when I have, I'll post it here.
#Update
I added the last OPCode in the code tags of this post which should be changed to make it work.
After I changed that last one, I was able to load my own serverlist.
Code:
00764CE7 = tmpnam
00764D9A = DeleteFileA (Call)
007B714F = Push EDX
007B7150 = FOPEN
007B7149 = Should be changed from JGE to JMP.
After that
007B7158 = MOV EDX [FILE THAT WILL BECOME THE SERVER.DAT] (i used: MOV EDX, 00940450 // ini/ItemtypeSub.dat )
007B715E = JMP 007B714F
00765716 = JE Conquer-.007657A0 > This JE should be changed to JNZ
#17
Mugaru wrote: Wed Jan 06, 2021 1:37 pm Here are my findings for the 5517 client.
#Update
Code:
00764CE7 = tmpnam
00764D9A = DeleteFileA (Call)
007B714F = Push EDX
007B7150 = FOPEN
007B7149 = Should be changed from JGE to JMP.
After that
007B7158 = MOV EDX [FILE THAT WILL BECOME THE SERVER.DAT] (i used: MOV EDX, 00940450 // ini/ItemtypeSub.dat )
007B715E = JMP 007B714F
00765716 = JE Conquer-.007657A0 > This JE should be changed to JNZ
I added the last OPCode in the code tags of this post which should be changed to make it work.
After I changed that last one, I was able to load my own serverlist.

I'm glad you did it!
this should work fine on 5517 client. thank you, @Mugaru.
sincerely,
adrian
software engineer
#18
adrian wrote: Thu Dec 31, 2020 4:30 pm I didn't have time to take a look on latest patch files. it's a bit confusing how TQ is handling these files encryption. but is it all that you want: "decrypt the ItemType.dat" ?

Can you fix the link for the first two files?
It says the files are broken when I download them.
#19
DAZ1337 wrote: Tue Feb 23, 2021 6:52 am
adrian wrote: Thu Dec 31, 2020 4:30 pm I didn't have time to take a look on latest patch files. it's a bit confusing how TQ is handling these files encryption. but is it all that you want: "decrypt the ItemType.dat" ?
Can you fix the link for the first two files?
It says the files are broken when I download them.

Download links are working, but I uploaded them to mega for you.
https://mega.nz/file/UgJQ3BCZ#GvLcQUzwV ... MBsUjq5uCg
#20
Mugaru wrote: Tue Feb 23, 2021 9:03 am
DAZ1337 wrote: Tue Feb 23, 2021 6:52 am
adrian wrote: Thu Dec 31, 2020 4:30 pm I didn't have time to take a look on latest patch files. it's a bit confusing how TQ is handling these files encryption. but is it all that you want: "decrypt the ItemType.dat" ?
Can you fix the link for the first two files?
It says the files are broken when I download them.
Download links are working, but I uploaded them to mega for you.
https://mega.nz/file/UgJQ3BCZ#GvLcQUzwV ... MBsUjq5uCg

I mean inside the file is broken, I think?