[WTS/Help] Freight system between accounts

sungsung
Wanderer · User
Messages: 16 · Giveaways: 0 · Reputation: 0 · Reactions: 2 · Points: 85
Hi to all,

I wanted to ask you for advice, or for someone who would be able to sell me a piece of code.

I have been trying for several days to solve the problem with the freight system on the C4 PTS assembly.

The path I took: hooks on two functions:
0052b410 0052b5af 0111126c void CDB :: RequestPackageSendToTarget
00816fa0 00817730 0e6c7834 void User :: RequestPackageSend (const unsigned char * packet)


On the NPC I added a new action that I handle, call the function, and reassign packets to the client.
However, I still can't achieve the desired effect, which is getting the correct TargetDbId (the one I send by packet) into the "RequestPackageSendToTarget" function.

Can anyone help me?

Thanks Sung

Update: Almost done, the last thing I am facing is this weird error:
[attached screenshot: 1622145142707.png]

Tried a full-text search in IDA, no luck :)
Could someone share the real address, or where this error comes from?

I am using C4PTS.
Thanks.
.rdata:0000000000A81468 text "UTF-16LE", 'send package error.',0
Thanks!

Last question, I need to disable a validation in CacheD, which causes this error:
[.\Socket.cpp][10626]Try hack ?, source[1][1], target[8][1310].

I tried to NOP the jnz in memory, but it doesn't help.

Code:
.text:00481954 loc_481954:                             ; CODE XREF: sub_481720+20Fj
.text:00481954                 mov     ecx, [esp+50h+var_20]
.text:00481958                 call    sub_4A01E0
.text:0048195D                 cmp     eax, edi                ; first check: result of sub_4A01E0 against edi
.text:0048195F                 mov     ecx, [esp+50h+var_3C]
.text:00481963                 mov     edx, [esp+50h+var_40]
.text:00481967                 jnz     loc_481B99              ; taken when eax != edi
.text:0048196D                 cmp     ecx, edx                ; second check, still executed if only the jnz is NOPed
.text:0048196F                 jz      loc_481B99              ; taken when ecx == edx

Can someone help me? How do I bypass this validation? :)

Thanks!
OK, solved.
Wrote a jump past this validation :)) How easy..

0xE9 0x481967 0x481975

Solution is done:

I would like to share my approach:
1) You need to create a bypass substring to control the input from the NPC HTML. The expected input is charname and itemlist.
2) For the given charname, you have to find the id.
Here is a little problem, because the server itself only has functions to handle IN_WORLD players or players on the same account. So you need to call CacheD and create appropriate OP codes in CacheD to get the charId from the supplied charname.

Because CacheD works asynchronously, you need to create RequestGetCharId(charname) and also ReplyGetCharName(). Here is a threading problem, because on Reply you probably need to call (0x9E, RequestPackageSendableItemList) to let the user fill the item list. So you have to split getting the CharId from the database and sending the packet buffer into two separate calls outside the reply-processing thread.
3) You need to fill the structure at User offset 0x2910. This is a shared place for CWarehouseWithdraw and CWarehouseDeposit. In our case we need to fill out CWarehouseDeposit. So you have to handle this code in C++ or ASM, whichever you prefer.

Code:
.text:0000000000897350 loc_897350:
.text:0000000000897350                 mov     rcx, r15
.text:0000000000897353                 call    sub_429F10                      ; lock user structure
.text:0000000000897358                 cmp     qword ptr [rbx+588h], 0
.text:0000000000897360                 jz      loc_898E47
.text:0000000000897366                 mov     r8d, 556h
.text:000000000089736C                 mov     rdx, rbp
.text:000000000089736F                 mov     rcx, r15
.text:0000000000897372                 call    sub_4292F0
.text:0000000000897377                 mov     ecx, 40h
.text:000000000089737C                 call    CWareHouseDeposit_CreateObject  ; create and register object in server
.text:0000000000897381                 mov     qword ptr [rsp+0A68h+var_9C8], rax ; I do not really understand this, maybe it is some internal server map for objects
.text:0000000000897389                 test    rax, rax                        ; object created?
.text:000000000089738C                 jz      short loc_8973AA                ; not created, end
.text:000000000089738E                 xor     esi, esi                        ; fill the input parameters
.text:0000000000897390                 mov     dword ptr [rsp+0A68h+var_A48], esi
.text:0000000000897394                 xor     r9d, r9d
.text:0000000000897397                 mov     r8, rbx
.text:000000000089739A                 mov     rdx, r15
.text:000000000089739D                 mov     rcx, rax
.text:00000000008973A0                 call    CWareHouseDeposit__CWareHouseDeposit ; constructing object with 4 parameters: pointer to User, pointer to NPC, warehouse type (3), NpcClassId
.text:00000000008973A5                 mov     rsi, rax
.text:00000000008973A8                 jmp     short loc_8973AC
.text:00000000008973AA ; ---------------------------------------------------------------------------
.text:00000000008973AA
.text:00000000008973AA loc_8973AA:
.text:00000000008973AA                 xor     esi, esi
.text:00000000008973AC
.text:00000000008973AC loc_8973AC:
.text:00000000008973AC                 mov     rdx, rbx
.text:00000000008973AF                 mov     rcx, rsi
.text:00000000008973B2                 call    sub_6CD2D0
.text:00000000008973B7                 mov     [r15+2910h], rsi                ; store the structure in User
.text:00000000008973BE                 mov     rcx, r15
.text:00000000008973C1                 call    sub_429F10                      ; unlock user structure
.text:00000000008973C6                 mov     rax, [rsi]
.text:00000000008973C9                 mov     edx, 1
.text:00000000008973CE                 mov     rcx, rsi
.text:00000000008973D1                 mov     rax, [rax+80h]
.text:00000000008973D8                 call    rax
.text:00000000008973DA                 jmp     loc_898E47
.text:00000000008973DF ; -------------------------------------------------------------------------

4) After you get the CharId and have filled CWarehouseDeposit, you need to call (0x9E, RequestPackageSendableItemList) with the found charId to show the user the item selection list. When the player clicks OK, the server sends the package to CacheD to save.
5) The CacheD server by default has some validation against duping, so it checks whether you send items to a character within the same account. We need to remove this validation. I have done it by hex-editing a jump into CacheD. You can also do it from code by writing the jump from a memory hook.

That's it. If someone finds a better solution, I will be happy to learn :) I am still a beginner, but trying to self-learn :)

Sung

Attachments: jnz.png (3.3 KB)
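The patch in the post is a 5-byte `jmp rel32` written at 0x481967 that lands at 0x481975, i.e. past both the `jnz loc_481B99` and the `jz loc_481B99` in the CacheD listing. The C program below is an added example, not code from the post or from the server: it encodes that jump (the displacement is relative to the end of the 5-byte instruction), applies it to a constructed stand-in for the .text bytes and pads the rest of the skipped range with NOPs, and models the two compares to show why NOPing only the jnz still diverts to loc_481B99 whenever ecx == edx. Only the addresses and instruction lengths (jnz rel32 = 6 bytes, cmp ecx,edx = 2, jz rel32 = 6) are taken from the listing; the buffer contents and the assumption that loc_481B99 is the rejecting path are illustrative.

```c
/* Added example, not from the original post. Encodes and applies the
 * E9 jump 0x481967 -> 0x481975 from the post to a constructed byte image,
 * and models the bypassed checks. In a live process the page would first
 * have to be made writable (VirtualProtect on Windows, mprotect on POSIX);
 * here we patch a plain buffer, as one would patch the file image. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN 5   /* E9 + imm32 */

/* Encode "jmp rel32" placed at `from`, landing at `to`.
 * Returns the rel32 displacement, measured from the end of the jmp. */
int32_t encode_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[JMP_REL32_LEN])
{
    int32_t rel = (int32_t)(to - (from + JMP_REL32_LEN));
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);        /* little-endian immediate */
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
    return rel;
}

/* Overwrite [from, to) inside `buf` (whose first byte is at virtual address
 * `base`) with the jmp, then fill the remaining skipped bytes with NOPs so
 * the range still disassembles cleanly. Returns bytes written, -1 on error. */
int patch_jump_over(uint8_t *buf, size_t len, uint32_t base,
                    uint32_t from, uint32_t to)
{
    if (to < from + JMP_REL32_LEN) return -1;   /* no room for E9 rel32 */
    if (from < base || to > base + len) return -1;
    uint8_t jmp[JMP_REL32_LEN];
    encode_jmp_rel32(from, to, jmp);
    size_t off = from - base;
    memcpy(buf + off, jmp, JMP_REL32_LEN);
    memset(buf + off + JMP_REL32_LEN, 0x90, (to - from) - JMP_REL32_LEN);
    return (int)(to - from);
}

/* Branch model of the listing at 0x48195D-0x48196F:
 *   cmp eax, edi ; jnz loc_481B99 ; cmp ecx, edx ; jz loc_481B99
 * mode 0 = original, 1 = only the jnz NOPed (the attempt that did not help),
 * 2 = jmp 0x481967 -> 0x481975 (the posted fix).
 * Returns 1 if execution reaches 0x481975, 0 if it diverts to loc_481B99
 * (assumed here to be the "Try hack ?" rejection path). */
int reaches_fallthrough(int mode, uint32_t eax, uint32_t edi,
                        uint32_t ecx, uint32_t edx)
{
    if (mode == 2) return 1;                 /* jmp skips both compares */
    if (mode == 0 && eax != edi) return 0;   /* jnz taken */
    if (ecx == edx) return 0;                /* jz still taken when jnz is NOPed */
    return 1;
}

/* Apply the post's patch to a constructed 64-byte image whose base is
 * loc_481954 and check the resulting bytes. Returns 1 on success. */
int demo_patch(void)
{
    uint8_t img[64];
    memset(img, 0xCC, sizeof img);           /* constructed stand-in for .text */
    uint8_t jmp[JMP_REL32_LEN];
    int32_t rel = encode_jmp_rel32(0x481967u, 0x481975u, jmp);
    if (rel != 9 || jmp[0] != 0xE9 || jmp[1] != 0x09) return 0;
    int n = patch_jump_over(img, sizeof img, 0x481954u, 0x481967u, 0x481975u);
    if (n != 14) return 0;                   /* 6 (jnz) + 2 (cmp) + 6 (jz) */
    /* offset 0x13: E9 09 00 00 00, then nine NOPs up to 0x481975, rest untouched */
    if (img[0x13] != 0xE9 || img[0x14] != 0x09) return 0;
    if (img[0x18] != 0x90 || img[0x20] != 0x90 || img[0x21] != 0xCC) return 0;
    return 1;
}

int main(void)
{
    uint8_t jmp[JMP_REL32_LEN];
    int32_t rel = encode_jmp_rel32(0x481967u, 0x481975u, jmp);
    printf("jmp 0x481967 -> 0x481975: rel32 = %d, bytes =", rel);
    for (int i = 0; i < JMP_REL32_LEN; i++) printf(" %02X", jmp[i]);
    printf("\nnop-only jnz, ecx == edx: reaches 0x481975? %d\n",
           reaches_fallthrough(1, 1, 2, 7, 7));
    printf("demo_patch: %s\n", demo_patch() ? "ok" : "failed");
    return 0;
}
```

The bytes the post hex-edited therefore expand to `E9 09 00 00 00` at 0x481967. Note that the patch also leaves 9 bytes between the jmp and 0x481975 that are never executed; padding them with NOPs keeps the function readable in IDA and safe if some other branch happens to target them.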
Last edited by a moderator.