
Show damage over 6 digits (Normal Attack)


Angel

Question



I found a guide in Russian on modifying the exe to show normal damage over 32767. Could someone make a guide or create a diff to patch an exe and show damage over 999k digits?

I can barely change the source code; modifying an executable without a guide is impossible for me ;S


Old Guide in Russian




Thanks.


3 answers to this question

Recommended Posts



need translation. XD




need translation. XD

 

 

For Ragnarok Renewal. The old guide was written for the old version of the EXE and server; this one is more detailed, although it follows the short guidance done for Sucker on 17/06/2009, using the latest Ragnarok Renewal EXE as the example. I do not know the exact version (it had just been updated from the Korean server at the time of writing); the unpacked file is 3928149 bytes. Almost from the beginning: we will need a debugger/disassembler of your choice. I will show the example in OllyDbg, because it is intuitive, clear and simple for everyone and has plenty of features, of which only a few will be enough for us. We also need about half an hour of free time and some tea. I will skip the introduction to OllyDbg; we do not need anything special from it.

Problem statement: we assume that the server side, as mentioned in the thread title (update: the required server changes are added at the end of the guide), has already been changed. On the client we need to: 1. fix the size of the packet the client receives from the server (0x8a) from 29 bytes to 33 bytes (because we added 4 bytes at the end of the packet with additional damage information); 2. correct/add the code that parses packet 0x8a, i.e. assemble the 4-byte damage from two 2-byte parts and pass it on.

Solution: open the EXE in the debugger. After it loads the imports/libraries and analyses the code, it stops at the entry point. First we fix the packet size that is read. Logically, the client must have a table of packet lengths, and we need to find it. There are many approaches; for example, you can search for constants in OllyDbg (not the best way, but it will do for the example). We just need to know that there is a function that initialises the packet list, so it is easy to find: search for all constants, pick 0x8a, and start looking from the top at where it is used.
You will immediately notice that in most cases the constant 0x8a is not used for what we are looking for, and we happen to land at the address/location where the cursor is (highlighted by a grey stripe at the top of the figure). Here we see a function that does something interesting (OllyDbg marks a function with a black bracket on the left; in the figure it is marked in red; if you scroll the code up/down you can find the beginning and end of the bracket). Look at the circled piece of code. You can see that our packet number 0x8a is used there, and after a function call the value 1D is written; 1D is 29 in hexadecimal, so this looks like the right place for us. If you examine the code, you will see that the same is done for the other packets. Looking at this piece of code in detail: the packet number is written to a local variable
 
lea eax, [local.4]
...
mov [local.4], 8A
 
which is pushed on the stack as an argument to a call on an object whose reference is passed in ecx
push eax
mov ecx, blah blah
 
then the function we want is called; it returns in eax the address where the size for the given packet number is to be written
 
call blah blah
 
and the packet size is written to the address the function returned
mov dword ptr [eax], 1D
 
There are many ways to fix the size; the simplest is to remember the address where the value 1D is written and write the desired value 0x21 instead (0x21 = 33 in decimal).
(If you spend a little more time and tea, you can make the packet size initialisation dynamic, e.g. from a text file, as allegedly done in self-HRee... the same tables/lists exist for everything: item sprites, skills, and so on, and with a cup of tea it can all be done quickly and easily.) The first part is done. Now the client will read all 33 bytes that are sent and parse them as needed. Next we have to find the place where packets are parsed. Find the switch on the packet number (because we know what it is). For example, search for all switches (the same menu as the search for all constants: Search for -> All switches). You already know that the highlighted switch (circled in red and grey) is the switch on the packet number, so we need to look at it. Right-click it and go to the case for 0x8a; this is the code that parses it. Note the addresses such as ebp+ffffa62b: for some reason the debugger does not show them normally as negative values. damage2 is read as a word (2 bytes) into ecx and pushed as the 9th argument; damage1 is also read as a word and pushed as the 6th argument. (movsx sign-extends a value from 16 to 32 bits and writes it into the first operand.) Then we need to write code to build our 4-byte damage from the two 2-byte values. To write the code we need space, and there is none here, so we put a jump to free space (you can use the end of the file or anywhere else you like). First, jump to free space in the file (0x007212a4) instead of the movsx (since movsx is longer than the jmp, the remaining 2 bytes are filled with NOPs by the debugger, which is not strictly necessary; nop is an instruction that does nothing). At the jump target we assemble damage2 from its 2 parts and write it into ecx (as the original movsx did, only now with the full damage2), then jump back to 0x005D9922 to continue the code, so nothing else has to be rewritten. (CX is the lower 2 bytes of ecx.)
 
mov cx, word ptr [ebp+FFFFA62F]   ; put the upper 2 bytes of damage2 into cx
shl ecx, 10                       ; shift left by 16 bits so they end up in the upper 2 bytes of ecx
mov cx, word ptr [ebp+FFFFA62B]   ; write the lower 2 bytes of damage2 into cx
jmp 005D9922                      ; jump back to the continuation of the original code
 
Next, instead of the read of damage1, put another jump, just below the place where we assembled damage2. There, assemble the full damage1 (again in ecx, as the movsx did)
and jump back to 0x005D9937
 
mov cx, word ptr [ebp+FFFFA62D]   ; put the upper 2 bytes of damage1 into cx
shl ecx, 10                       ; shift left by 16 bits so they end up in the upper 2 bytes of ecx
mov cx, word ptr [ebp+FFFFA626]   ; write the lower 2 bytes of damage1 into cx
jmp 005D9937                      ; jump back to the continuation of the original code
 
Server part: in addition to patching the client, a small change to clif.c on the server is needed. For a simple action/attack, packet 0x8a is used. Its length is 29 bytes. It has room for the damage of the left hand (2 bytes) and the right hand (2 bytes). Since we want to transfer 4 bytes per hand, we extend the packet from 29 to 33 bytes (2 extra bytes per damage value). To do this, either fix the code where the default lengths are filled in (including version 0), taken via the define packet_len(cmd) (this is the easiest option), or open packet_db.txt and add a line at the bottom (under the packet version that is right for you...):
 
0x008a, 33
 
If you used packet_db.txt, then the places that take the packet length from packet_db[packet_ver][cmd] must also be corrected, because at the current revision all functions use the define from clif.h
#define SERVER 0
#define packet_len(cmd) packet_db[SERVER][cmd].len
 
which will not return the correct length, but always the default value (a bug, or cunning intent?).
It is better to write your own define if you do not have one, something like:
#define get_packet_len(cmd) (packet_db[clif_config.packet_db_ver][cmd].len)
 
or
 
#define get_packet_len(bl_src, cmd) (packet_db[((struct map_session_data *)bl_src)->packet_ver][cmd].len)
 
and wherever we want the right packet size for our version, use these defines. Next, in clif.c open the function int clif_damage(struct block_list *src, struct block_list *dst, unsigned int tick, int sdelay, int ddelay, int damage, int div, int type, int damage2); and correct the writing of the damage values into the buffer:
 
...
        if (battle_config.hide_woe_damage && map_flag_gvg(src->m)) {
                WBUFW(buf, 22) = damage ? div : 0;
                WBUFW(buf, 27) = damage2 ? div : 0;
        } else {
                WBUFW(buf, 22) = GetWord(damage, 0);
                WBUFW(buf, 27) = GetWord(damage2, 0);
        }
        WBUFW(buf, 24) = div;
        WBUFB(buf, 26) = type;
        WBUFW(buf, 29) = GetWord(damage, 1);
        WBUFW(buf, 31) = GetWord(damage2, 1);
...
 
And if you did not fix the packet length in the code but made your own define, do not forget to fix the packet length in all functions that use packet 0x8a (take item, sit down, stand up, ...).
Example in the same clif_damage function (if you fixed the code, this is not needed):
 
#define get_packet_len(cmd) (packet_db[clif_config.packet_db_ver][cmd].len)
...
        if (disguised(dst)) {
                clif_send(buf, get_packet_len(0x8a), dst, AREA_WOS);
                WBUFL(buf, 6) = -dst->id;
                clif_send(buf, get_packet_len(0x8a), dst, SELF);
        } else
                clif_send(buf, get_packet_len(0x8a), dst, AREA);
        if (disguised(src)) {
                WBUFL(buf, 2) = -src->id;
                if (disguised(dst))
                        WBUFL(buf, 6) = dst->id;
                if (damage > 0) WBUFW(buf, 22) = -1;
                if (damage2 > 0) WBUFW(buf, 27) = -1;
                clif_send(buf, get_packet_len(0x8a), src, SELF);
        }
 
The server part is ready. Conclusion. Done: 1. Changed the size of packet 0x8a; for that we found the function that initialises the packet list and changed the initial value for the packet size. 2. Added handling of the new packet size, with the extra damage information in the last 4 bytes. I may have mixed up the addresses within the packet, so count them yourself... Does it look right, or might the packet change? I have not tested it, but in general everything is clear and it should work, and if something does not, fixing it should not be a problem. You can also raise the display limit from 999,999 damage to, for example, 999 999 999 (9 digits)... this is the lazier part. Here are the offsets and the values that need to be changed; they change the limit to 9 digits (for the same EXE as above; in a disassembler you can see what these values change). Format: <offset>: <original value> <value to replace the original with>
 
17945B: B9 E9 
17945C: 3F 37 
17945D: 42 21 
17945E: 0F 18 
179563: CC C0 
1794B0: 8B E9 
1794B1: C1 19 
1794B2: BF 21 
1794B3: 0A 18 
1794B4: 00 00 
1794B5: 00 90 
1794B6: 00 90 
2FB597: 00 81 
2FB598: 00 F9 
2FB599: 00 7F 
2FB59A: 00 96 
2FB59B: 00 98 
2FB59D: 00 7D 
2FB59E: 00 07 
2FB59F: 00 BE 
2FB5A0: 00 07 
2FB5A4: 00 EB 
2FB5A5: 00 28 
2FB5A6: 00 81 
2FB5A7: 00 F9 
2FB5A8: 00 FF 
2FB5A9: 00 E0 
2FB5AA: 00 F5 
2FB5AB: 00 05 
2FB5AC: 00 7D 
2FB5AD: 00 07 
2FB5AE: 00 BE 
2FB5AF: 00 08 
2FB5B3: 00 EB 
2FB5B4: 00 19 
2FB5B5: 00 81 
2FB5B6: 00 F9 
2FB5B7: 00 FF 
2FB5B8: 00 C9 
2FB5B9: 00 9A 
2FB5BA: 00 3B 
2FB5BB: 00 7D 
2FB5BC: 00 07 
2FB5BD: 00 BE 
2FB5BE: 00 09 
2FB5C2: 00 EB 
2FB5C3: 00 0A 
2FB5C4: 00 B9 
2FB5C5: 00 FF 
2FB5C6: 00 C9 
2FB5C7: 00 9A 
2FB5C8: 00 3B 
2FB5C9: 00 BE 
2FB5CA: 00 09 
2FB5CE: 00 8B 
2FB5CF: 00 C1 
2FB5D0: 00 BF 
2FB5D1: 00 0A 
2FB5D2: 00 00 
2FB5D3: 00 00 
2FB5D4: 00 00 
2FB5D5: 00 99 
2FB5D6: 00 F7 
2FB5D7: 00 FF 
2FB5D8: 00 B8 
2FB5D9: 00 67 
2FB5DA: 00 66 
2FB5DB: 00 66 
2FB5DC: 00 66 
2FB5DD: 00 89 
2FB5DE: 00 55 
2FB5DF: 00 C0 
2FB5E0: 00 F7 
2FB5E1: 00 E9 
2FB5E2: 00 C1 
2FB5E3: 00 FA 
2FB5E4: 00 02 
2FB5E5: 00 8B 
2FB5E6: 00 C2 
2FB5E7: 00 C1 
2FB5E8: 00 E8 
2FB5E9: 00 1F 
2FB5EA: 00 03 
2FB5EB: 00 D0 
2FB5EC: 00 8B 
2FB5ED: 00 CA 
2FB5EE: 00 8B 
2FB5EF: 00 C1 
2FB5F0: 00 99 
2FB5F1: 00 F7 
2FB5F2: 00 FF 
2FB5F3: 00 B8 
2FB5F4: 00 67 
2FB5F5: 00 66 
2FB5F6: 00 66 
2FB5F7: 00 66 
2FB5F8: 00 89 
2FB5F9: 00 55 
2FB5FA: 00 C4 
2FB5FB: 00 F7 
2FB5FC: 00 E9 
2FB5FD: 00 C1 
2FB5FE: 00 FA 
2FB5FF: 00 02 
2FB600: 00 8B 
2FB601: 00 CA 
2FB602: 00 C1 
2FB603: 00 E9 
2FB604: 00 1F 
2FB605: 00 03 
2FB606: 00 D1 
2FB607: 00 8B 
2FB608: 00 CA 
2FB609: 00 8B 
2FB60A: 00 C1 
2FB60B: 00 99 
2FB60C: 00 F7 
2FB60D: 00 FF 
2FB60E: 00 B8 
2FB60F: 00 67 
2FB610: 00 66 
2FB611: 00 66 
2FB612: 00 66 
2FB613: 00 89 
2FB614: 00 55 
2FB615: 00 C8 
2FB616: 00 F7 
2FB617: 00 E9 
2FB618: 00 C1 
2FB619: 00 FA 
2FB61A: 00 02 
2FB61B: 00 8B 
2FB61C: 00 C2 
2FB61D: 00 C1 
2FB61E: 00 E8 
2FB61F: 00 1F 
2FB620: 00 03 
2FB621: 00 D0 
2FB622: 00 8B 
2FB623: 00 CA 
2FB624: 00 8B 
2FB625: 00 C1 
2FB626: 00 E9 
2FB627: 00 8C 
2FB628: 00 DE 
2FB629: 00 E7 
2FB62A: 00 FF
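The packet layout the guide ends up with (16-bit low halves at offsets 22 and 27, 16-bit high halves appended at 29 and 31, total length 33) can be checked without a debugger. The following is an added example, not code from the guide or from the server project it describes: it serialises packet 0x8a the way the corrected clif_damage() writes it, then decodes it both as the stock client would (a movsx of the 16-bit word, which wraps anything above 32767 to a negative number) and as the injected code does (high word into cx, shl ecx,10, low word into cx). The header offsets 0/2/6/10/14/18 for cmd, src id, dst id, tick, sdelay and ddelay are assumed; only the offsets the guide itself lists are taken from the page.

```python
import struct

PACKET_CMD = 0x008a
PACKET_LEN_ORIGINAL = 29   # stock client: one 16-bit damage field per hand
PACKET_LEN_EXTENDED = 33   # patched client: high halves appended at offsets 29 and 31


def get_word(value, idx):
    """eAthena-style GetWord(): 16-bit half number idx (0 = low, 1 = high) of a 32-bit value."""
    return (value >> (16 * idx)) & 0xFFFF


def to_signed32(value):
    """Reinterpret a 32-bit pattern as the signed int the client ends up holding in ecx."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def build_damage_packet(src_id, dst_id, tick, sdelay, ddelay, damage, div, type_, damage2,
                        hide_woe_damage=False):
    """Serialise packet 0x8a as the guide's corrected clif_damage() writes it.

    Offsets 22, 24, 26, 27, 29 and 31 come from the guide; the header layout
    (cmd/src/dst/tick/sdelay/ddelay at 0/2/6/10/14/18) is assumed here.
    """
    buf = bytearray(PACKET_LEN_EXTENDED)
    struct.pack_into("<H", buf, 0, PACKET_CMD)
    struct.pack_into("<I", buf, 2, src_id & 0xFFFFFFFF)
    struct.pack_into("<I", buf, 6, dst_id & 0xFFFFFFFF)
    struct.pack_into("<I", buf, 10, tick & 0xFFFFFFFF)
    struct.pack_into("<i", buf, 14, sdelay)
    struct.pack_into("<i", buf, 18, ddelay)
    if hide_woe_damage:
        # WoE: send the hit count instead of the real damage (mirrors the guide's branch)
        struct.pack_into("<H", buf, 22, div if damage else 0)
        struct.pack_into("<H", buf, 27, div if damage2 else 0)
    else:
        struct.pack_into("<H", buf, 22, get_word(damage, 0))
        struct.pack_into("<H", buf, 27, get_word(damage2, 0))
    struct.pack_into("<H", buf, 24, div & 0xFFFF)
    buf[26] = type_ & 0xFF
    # The guide's code writes the high halves unconditionally, so with hide_woe_damage
    # set and damage >= 65536 the high half of the real damage still goes out.
    struct.pack_into("<H", buf, 29, get_word(damage, 1))
    struct.pack_into("<H", buf, 31, get_word(damage2, 1))
    return bytes(buf)


def parse_damage_packet(pkt, patched=True):
    """Decode the damage fields the way the client does.

    patched=False reproduces the stock client (movsx of a 16-bit word);
    patched=True reproduces the injected code: (high << 16) | low, reinterpreted signed.
    """
    needed = PACKET_LEN_EXTENDED if patched else PACKET_LEN_ORIGINAL
    if len(pkt) < needed:
        raise ValueError("short packet: %d < %d bytes" % (len(pkt), needed))
    cmd, = struct.unpack_from("<H", pkt, 0)
    if cmd != PACKET_CMD:
        raise ValueError("not packet 0x8a: 0x%04x" % cmd)
    div, = struct.unpack_from("<H", pkt, 24)
    type_ = pkt[26]
    if not patched:
        damage, = struct.unpack_from("<h", pkt, 22)   # movsx: sign-extended 16-bit
        damage2, = struct.unpack_from("<h", pkt, 27)
    else:
        lo1, = struct.unpack_from("<H", pkt, 22)
        hi1, = struct.unpack_from("<H", pkt, 29)
        lo2, = struct.unpack_from("<H", pkt, 27)
        hi2, = struct.unpack_from("<H", pkt, 31)
        damage = to_signed32((hi1 << 16) | lo1)
        damage2 = to_signed32((hi2 << 16) | lo2)
    return {"damage": damage, "damage2": damage2, "div": div, "type": type_}


if __name__ == "__main__":
    # Constructed sample: 1234567 right-hand damage, 40000 left-hand damage.
    pkt = build_damage_packet(1000, 2000, 12345, 0, 0, 1234567, 1, 0, 40000)
    print("stock client decodes :", parse_damage_packet(pkt, patched=False))
    print("patched client decodes:", parse_damage_packet(pkt))
```

Two things the round-trip makes visible. First, a stock client fed the 33-byte packet would not only show a negative number but would also treat the trailing 4 bytes as the start of the next packet, which is why the length table entry (1D to 21) has to be patched together with the parser. Second, in the guide's clif_damage() the hide_woe_damage branch only replaces the low halves; the high halves at 29 and 31 are still written, so a patched client decodes (high << 16) | div instead of the hit count whenever the hidden damage is 65536 or more. A server that wants the hidden value to stay hidden should zero offsets 29 and 31 in that branch as well.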
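The 9-digit table above is a list of "<file offset>: <original byte> <new byte>" triples, and the author says it is for one specific EXE build. Applying such a table blindly to a different build silently corrupts code, so the safe way to apply it is to check every original byte first and refuse the whole patch on any mismatch. The script below is an added example, not part of the guide or of any project it mentions: it parses a table in the guide's format, verifies the original bytes, writes the new ones, and reports a SHA-256 before and after. Only a handful of the guide's entries are copied into it as sample input, and the "exe" it runs on is a constructed zero-filled buffer with the original bytes placed at those offsets. Note that these are file offsets, not the virtual addresses (0x005D99xx) the debugger shows.

```python
import hashlib

# Constructed sample input in the guide's format (a subset of its table):
# "<file offset>: <original byte> <new byte>", all hexadecimal.
PATCH_TABLE = """
17945B: B9 E9
17945C: 3F 37
17945D: 42 21
17945E: 0F 18
179563: CC C0
1794B0: 8B E9
1794B1: C1 19
1794B2: BF 21
1794B3: 0A 18
1794B4: 00 00
1794B5: 00 90
1794B6: 00 90
"""


def parse_patch_table(text):
    """Parse offset/original/new triples; blank lines are skipped, anything else must parse."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            off_s, rest = line.split(":", 1)
            orig_s, new_s = rest.split()
            entry = (int(off_s, 16), int(orig_s, 16), int(new_s, 16))
        except ValueError as exc:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw)) from exc
        if not (0 <= entry[1] <= 0xFF and 0 <= entry[2] <= 0xFF):
            raise ValueError("line %d: byte value out of range" % lineno)
        entries.append(entry)
    return entries


def apply_patches(image, entries):
    """Return a patched copy of image. Refuses to touch anything if any original byte differs."""
    data = bytearray(image)
    mismatches = []
    for off, orig, _new in entries:
        if off >= len(data):
            raise ValueError("offset 0x%X is beyond the end of the file (%d bytes)" % (off, len(data)))
        if data[off] != orig:
            mismatches.append("0x%X: found %02X, expected %02X" % (off, data[off], orig))
    if mismatches:
        # Wrong build of the client: none of the offsets can be trusted, so change nothing.
        raise ValueError("original bytes do not match (different exe version?): " + "; ".join(mismatches))
    for off, _orig, new in entries:
        data[off] = new
    return bytes(data)


def sha256_hex(blob):
    """Digest to record in a changelog so a patched file can be told apart from a stock one."""
    return hashlib.sha256(blob).hexdigest()


def make_test_image(entries, size=0x180000):
    """Constructed stand-in for the client exe: zeros, with the table's original bytes in place."""
    img = bytearray(size)
    for off, orig, _new in entries:
        img[off] = orig
    return bytes(img)


if __name__ == "__main__":
    entries = parse_patch_table(PATCH_TABLE)
    image = make_test_image(entries)
    patched = apply_patches(image, entries)
    print("entries applied:", len(entries))
    print("sha256 before:", sha256_hex(image))
    print("sha256 after :", sha256_hex(patched))
```

To use it on a real file, read the client with open(path, "rb").read(), pass the full table text from the post to parse_patch_table(), and write the returned bytes to a new file rather than over the original; the mismatch error is the signal that the table does not belong to that build.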



bump
