.rdata:0000000000A81468 text "UTF-16LE", 'send package error.',0
Thanks!
Last question: I need to disable validation on Cached, which caused this error:
[.\Socket.cpp][10626]Try hack ?, source[1][1], target[8][1310].
I tried to NOP the memory at the jnz, but it doesn't help.
Code:
.text:00481954 loc_481954: ; CODE XREF: sub_481720+20Fj
.text:00481954 mov ecx, [esp+50h+var_20]
.text:00481958 call sub_4A01E0
.text:0048195D cmp eax, edi
.text:0048195F mov ecx, [esp+50h+var_3C]
.text:00481963 mov edx, [esp+50h+var_40]
.text:00481967 jnz loc_481B99
.text:0048196D cmp ecx, edx
.text:0048196F jz loc_481B99
Can someone help me? How do I bypass this validation?
OK, solved.
Wrote a jump after this validation.
How easy..
0xE9 0x481967 0x481975
Solution is done:
I would like to share my approach:
1) You need to create a Bypass substring to control input from the NPC Html. The expected input is charname and itemslist.
2) For the included charname, you have to find the id.
Here is a little problem, because the server itself only has functions to handle IN_WORLD players or same-account players. So you need to recall CacheD and create appropriate OP codes in Cached to get the charId from the filled-in charname.
Because Cached works asynchronously, you need to create RequestGetCharId(charname) and also ReplyGetCharName(). Here is a threading problem, because on Reply you probably need to call (0x9E, RequestPackageSendableItemList) to let the user fill the item list. So you have to split getting the CharId from the database and sending the packet buffer into two separate calls outside the reply-processing thread.
3) You need to fill the structure at User offset 0x2910. This is a shared place for the input of CWarehouseWithdraw and CWarehouseDeposit. In our case we need to fill out CWarehouseDeposit. So you have to handle this code in C++ or ASM; it is up to you which you prefer.
Code:
.text:0000000000897350 loc_897350:
.text:0000000000897350 mov rcx, r15
.text:0000000000897353 call sub_429F10 -- lock user structure.
.text:0000000000897358 cmp qword ptr [rbx+588h], 0
.text:0000000000897360 jz loc_898E47
.text:0000000000897366 mov r8d, 556h
.text:000000000089736C mov rdx, rbp
.text:000000000089736F mov rcx, r15
.text:0000000000897372 call sub_4292F0
.text:0000000000897377 mov ecx, 40h
.text:000000000089737C call CWareHouseDeposit_CreateObject -- Create and register object in Server.
.text:0000000000897381 mov qword ptr [rsp+0A68h+var_9C8], rax -- I do not really understand this, maybe it is some inside server map for objects.
.text:0000000000897389 test rax, rax -- object is created?
.text:000000000089738C jz short loc_8973AA -- not created end
.text:000000000089738E xor esi, esi -- fill the input parameters
.text:0000000000897390 mov dword ptr [rsp+0A68h+var_A48], esi
.text:0000000000897394 xor r9d, r9d
.text:0000000000897397 mov r8, rbx
.text:000000000089739A mov rdx, r15
.text:000000000089739D mov rcx, rax
.text:00000000008973A0 call CWareHouseDeposit__CWareHouseDeposit -- Creating object with 4 parameters. pointer to User , pointer to NPC, warehouse type(3), NpcClassId
.text:00000000008973A5 mov rsi, rax
.text:00000000008973A8 jmp short loc_8973AC
.text:00000000008973AA ; ---------------------------------------------------------------------------
.text:00000000008973AA
.text:00000000008973AA loc_8973AA:
.text:00000000008973AA xor esi, esi
.text:00000000008973AC
.text:00000000008973AC loc_8973AC:
.text:00000000008973AC mov rdx, rbx
.text:00000000008973AF mov rcx, rsi
.text:00000000008973B2 call sub_6CD2D0
.text:00000000008973B7 mov [r15+2910h], rsi -- setting the structure to User
.text:00000000008973BE mov rcx, r15
.text:00000000008973C1 call sub_429F10 -- unlock user structure.
.text:00000000008973C6 mov rax, [rsi]
.text:00000000008973C9 mov edx, 1
.text:00000000008973CE mov rcx, rsi
.text:00000000008973D1 mov rax, [rax+80h]
.text:00000000008973D8 call rax
.text:00000000008973DA jmp loc_898E47
.text:00000000008973DF ; -------------------------------------------------------------------------
4) After you get the CharId and have filled CWarehouseDeposit, you need to call (0x9E, RequestPackageSendableItemList) with the found charId to show the user the item selection list. When the player clicks OK, the server sends the package to Cached to save.
5) The Cached server by default has some validation against duping, so it validates whether you send items to a character within the same account. We need to remove this validation. I have done it by hexing a jump into Cached. You can also do it from code by writing a Jump from memoryHook.
That's it. If someone finds a better solution, I will be happy to learn.
I am still a beginner, but trying to self-learn.
Sung