Before we start, I must say that the methods described here are the result of my own study and some trial-and-error testing. They were intended for my Koga project, which is still coming alive next year (maybe). None of this has been released before; this is the first place I'm sharing it, and I hope you enjoy it.
I'm assuming you are familiar with CO2 client files, OllyDbg and the basic assembly instructions (JMP, JNZ, JGE, CMP, PUSH, MOV, etc.).
This was not meant to work with CO3 (Conquer 3) clients, but it should work fine with any CO2 client that uses the encrypted "Server.dat".
By the way, this walkthrough was made on the v5967 client, but by following these steps you should be able to do it on any client. For version-specific modifications, see the "other versions" section.
The guide consists of the following steps, starting from a clean, unmodified client:
- replace TQAnp and TQPlat
- bypass the "blacknull" verification (video)
- loading decrypted Server.dat (video)
- "gzipping" the decrypted Server.dat
- other versions
- final considerations
*you are permitted to share this anywhere you want, but only if the credits are going together.*
1 - replace TQAnp and TQPlat
Replace the TQAnp and TQPlat DLLs with nulled ones (back up your originals).
This must be done so you can debug the client with OllyDbg. Credit goes to "Ultimation" from Epvpers.
2- bypass the "blacknull" verification (video)
This must be done so we can keep debugging from the start of the process in OllyDbg.
Run "Conquer.exe" from OllyDbg and keep resuming after every stop until you see the "Please run Play.exe file." alert.

Note: make sure you search from the top of the strings window, otherwise you may not find the "blacknull" string.
Double-click the "blacknull" string and you will land on its address in the modules window. Scroll up a little and you will see something like this:

Select the "JGE" instruction (in my case at 00602B5C), press space (the assemble shortcut) and change "JGE" to "JMP". The jump will then be taken every time (JMP) instead of only when the comparison shows the value in memory is greater than or equal (JGE).
Next, go back to the "blacknull" string and go down until you see a "JNZ" instruction. Select it (in my case at 00602BA7), press space and change "JNZ" to "JE". You should get something like this:

In the new "Conquer.exe" window, right-click and select "Save file". Don't forget to save under a different name, like "Conquer-Play-Bypass.exe", to keep the original file as a backup.
You can see the video walkthrough below:
https://www.youtube.com/watch?v=00tYpUcmDpc
3- loading decrypted Server.dat (video)
Note: remember to open the "play-bypass" Conquer.exe in OllyDbg for this step, otherwise you may not be able to debug from the very beginning of the process, where "Server.dat" is actually decrypted for use by the client.
Rename your client's "Server.dat" to "Server2.dat" (or anything else) so the client cannot find "Server.dat". You will see a login screen like this:

Go to the client's folder, open the debug folder and look for the most recently modified file. You will see a message in the log file saying something like this:

Close the client and rename the file back to "Server.dat".
Run "Conquer.exe" from OllyDbg, wait for it to load, but do not touch the play button. Switch to the "Conquer" module if needed (right-click, select "View", then select the "Conquer" module) and search all referenced strings.
Search for the start of the message we got when the client could not find "Server.dat", like "Error in Decrypt file", and set a breakpoint at that string.
Look upward until you see an ASCII string ".dat" (in my case at 007CEC7B) and set a breakpoint there.
From this breakpoint you can restart the debug session in OllyDbg and step through it yourself to get the addresses and see how the client handles "Server.dat". I will skip that for you and give you a summary:
1. "Server.dat" is loaded into memory.
2. It is decrypted by the client and saved to a temp file with a 4-character name, like "s***".
3. The client unzips the file (it is gzip compressed) and loads outenserver.xml into memory.
4. The client uses the loaded data to build the login screen and the rest.
So, from this point, all we have to do is make the client load the file we want instead of the temp "s***" file. To do this, we search the referenced strings and look for a file path we want to use (our hidden "Server.dat" will be this file).
I will use "ini/quickpay.dat" as my decrypted "Server.dat".

Save the dump address (the address after the "PUSH" instruction, 00912F18 in my case); we will use it later.
Now go back to the last breakpoint you set (the ".dat" ASCII string) and look up until you see a "MSVCR90.tmpnam" call, like this one:

Note: you can also right-click, select "Search for", then "All intermodular calls", and search for "MSVCR90.tmpnam". Don't worry, there is only one (at least in my version, but there should be only one). Set a breakpoint there.
Here is the tricky part: changing the file path from which the client loads the decrypted gzip file.
Below the "tmpnam" breakpoint, scrolling down, you will see a "KERNEL32.DeleteFileA" call. Set a breakpoint on the "CALL" instruction just above it:

Run until it stops at this breakpoint, then step into this call. Scroll down to the first "MSVCR90.fopen" call (screenshot), set a breakpoint there and also on the "PUSH ECX" instruction above it.

Note: see the "PUSH EDX" instruction above the "fopen" call? It is the path parameter of the "fopen" call: EDX holds the address of the path string, and pushing it passes that string to the file-open function.
Right below the "PUSH ECX" instruction you will see a "JGE" instruction.
Change the "JGE" into a "JMP", keeping the target address (008525C8 in my case).
Go to that address and assemble "MOV EDX,<the address of the path string you chose>" (an immediate value, no square brackets); in my case it is "MOV EDX,00912F18".
On the "NOP" line below, jump back to the "PUSH EDX" that loads the path for "fopen", so assemble "JMP 008525BF" in my case.
It will end up like this:

Now save all modifications to a new executable: right-click in the modules window, select "Copy to executable", then "All modifications", then "Copy all".
In the new "Conquer.exe" window, right-click and select "Save file". Don't forget to save under a different name, like "Conquer-Server.dat-Bypass.exe", to keep the original file as a backup.
You can see the video walkthrough below:
https://www.youtube.com/watch?v=n_xVi2lYej8
4- "gzipping" the decrypted Server.dat
If you run the new executable, you will see that no server is shown on the login screen. That's because the file we chose to replace our decrypted "Server.dat" does not exist (yet).
Grab the "outenserver.xml" (attached to the post) and use 7-Zip to create a gzip file:
right-click the file, select "7-Zip", then "Add to archive..." and you will see the 7-Zip options window.
You must use these settings so the client can read the file correctly:
- format: gzip
- compression level: Ultra
- compression method: Deflate
- dictionary size: 32KB
- word size: 64
Note: don't forget to rename the gzip file to "quickpay.dat" (or whatever file name you chose).
Place the file in the "ini" folder (or the correct folder for the file path you chose) and start the game again from the new executable.
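As an added example (not code from this post or from the client), here is how the container the client expects can be built and checked in Python: pack_server_file() mirrors the 7-Zip settings above (gzip container, deflate method, maximum level, which is what 7-Zip's "Ultra" maps to), and inspect_server_file() runs the checks a loader would before trusting the file (gzip magic, method byte, inflate, XML parse), so you can see why a zip archive, a truncated stream or broken XML gives you an empty server list. The XML and the element names are constructed for the example, not the attached outenserver.xml.

```python
import gzip
import zlib
import xml.etree.ElementTree as ET

# Constructed sample; the real outenserver.xml layout may differ.
SAMPLE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<ServerList>
  <Server name="ExampleServer" ip="127.0.0.1" port="9958" icon="0"/>
</ServerList>
"""


def pack_server_file(xml_bytes: bytes, level: int = 9) -> bytes:
    """Gzip the XML the way the 7-Zip settings do: gzip container, deflate
    method, level 9 (7-Zip 'Ultra'). The 32 KB dictionary is deflate's
    maximum window, which zlib already uses by default."""
    return gzip.compress(xml_bytes, compresslevel=level, mtime=0)


def inspect_server_file(data: bytes) -> dict:
    """Validate a candidate server file: gzip magic 1f 8b, compression
    method 08 (deflate), a complete deflate stream, and parseable XML."""
    if len(data) < 18 or data[:2] != b"\x1f\x8b":
        return {"ok": False, "reason": "not a gzip stream (missing 1f 8b magic)"}
    method = data[2]
    if method != 8:
        return {"ok": False, "reason": f"unsupported compression method {method}"}
    try:
        xml_bytes = gzip.decompress(data)  # raises on truncation or bad CRC
    except (OSError, zlib.error, EOFError) as exc:
        return {"ok": False, "reason": f"inflate failed: {exc}"}
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return {"ok": False, "reason": f"xml parse failed: {exc}"}
    servers = [s.get("name") for s in root.iter("Server")]
    return {"ok": True, "root": root.tag, "servers": servers, "size": len(xml_bytes)}


if __name__ == "__main__":
    packed = pack_server_file(SAMPLE_XML)
    print(inspect_server_file(packed))                       # ok, one server
    print(inspect_server_file(b"PK\x03\x04" + b"\x00" * 26)) # zip, not gzip
    print(inspect_server_file(packed[:-4]))                  # truncated trailer
```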
5- other versions
For other versions, I'll be updating this section with the specific modifications needed to get it working on other clients. If you have found anything you want to share, let me know.
v5517 (thanks to @Mugaru)
Mugaru wrote (Wed Jan 06, 2021 1:37 pm):
Here are my findings for the 5517 client.
#Update
00764CE7 = tmpnam
00764D9A = DeleteFileA (Call)
007B714F = Push EDX
007B7150 = FOPEN
007B7149 = Should be changed from JGE to JMP. After that
007B7158 = MOV EDX [FILE THAT WILL BECOME THE SERVER.DAT] (i used: MOV EDX, 00940450 // ini/ItemtypeSub.dat )
007B715E = JMP 007B714F
00765716 = JE Conquer-.007657A0 > This JE should be changed to JNZ
I added the last opcode in the code tags of this post, which should be changed to make it work.
After I changed that last one, I was able to load my own server list.
6- final considerations
This method allows you not only to modify the server info and change the IP, name and icon to yours without using any hooks or DLL injections, but also to keep your file secret, since "Server.dat" is still needed by the client for the decryption step, or the client will fail.
Enjoy your decrypted (+hidden) "Server.dat".
Don't forget to leave feedback.