1. //################################################################################
  2. //# Purpose: Skip the Langtype checks inside UILoginWnd::OnCreate and always #
  3. //# makes the registration page open inside UILoginWnd::SendMsg. #
  4. //# Also modifies the CModeMgr::Quit CALL to actually close the client. #
  5. //################################################################################
  7. function ShowRegisterButton() {
  8. //Step 1a - Find the alternate URL string
  9. var offset = exe.findString("http://ro.hangame.com/login/loginstep.asp?prevURL=/NHNCommon/NHN/Memberjoin.asp", RVA);
  10. if (offset === -1)
  11. return "Failed in Step 1 - String missing";
  13. //Step 1b - Find its reference inside UILoginWnd::SendMsg
  14. offset = exe.findCode("68" + offset.packToHex(4), PTYPE_HEX, false);
  15. if (offset === -1)
  16. return "Failed in Step 1 - String reference missing";
  18. //Step 2a - Get the LangType
  19. var LANGTYPE = GetLangType();//Langtype value overrides Service settings hence they use the same variable - g_serviceType
  20. if (LANGTYPE.length === 1)
  21. return "Failed in Step 2 - " + LANGTYPE[0];
  23. //Step 2b - Look for the LangType comparison before the URL reference
  24. var code =
  25. " 83 3D" + LANGTYPE + " 00" //CMP DWORD PTR DS:[g_serviceType], 0
  26. + " 75 AB" //JNE SHORT addr
  27. ;
  29. var codeSuffix =
  30. " 83 3D AB AB AB 00 01" //CMP DWORD PTR DS:[g_isGravityID], 1
  31. + " 75" //JNE SHORT addr
  32. ;
  33. var type = 1;
  35. var offset2 = exe.find(code + codeSuffix, PTYPE_HEX, true, "\xAB", offset - 0x30, offset);
  36. if (offset2 === -1) {
  38. if (offset2 === -1)
  39. {
  40. codeSuffix = codeSuffix.replace(" 83 3D AB AB AB 00 01", " 83 3D AB AB AB 01 01");
  41. offset2 = exe.find(code + codeSuffix, PTYPE_HEX, true, "\xAB", offset - 0x30, offset);
  42. }
  44. if (offset2 === -1)
  45. {
  46. code =
  47. " A1" + LANGTYPE //MOV EAX, DWORD PTR DS:[g_serviceType]
  48. + " 85 C0" //TEST EAX, EAX
  49. + " 0F 85 AB 00 00 00" //JNE addr
  50. ;
  51. type = 2;
  52. offset2 = exe.find(code + codeSuffix, PTYPE_HEX, true, "\xAB", offset - 0x30, offset);
  53. codeSuffix = codeSuffix.replace(" 83 3D AB AB AB 01 01", " 83 3D AB AB AB 00 01");
  54. offset2 = exe.find(code + codeSuffix, PTYPE_HEX, true, "\xAB", offset - 0x30, offset);
  55. }
  56. }
  58. if (offset2 === -1)
  59. return "Failed in Step 2 - Langtype comparison missing";
  61. offset2 += code.hexlength();
  63. //Step 2c - Change the first JNE (LangType JNE) to JMP and goto the Jumped address
  64. if (type == 1) {
  65. exe.replace(offset2 - 2, "EB", PTYPE_HEX);
  66. offset2 += exe.fetchByte(offset2 - 1);
  67. }
  68. else {
  69. exe.replace(offset2 - 6, "90 E9", PTYPE_HEX);
  70. offset2 += exe.fetchDWord(offset2 - 4);
  71. }
  73. //Step 3a - Add 10 to Skip over MOV ECX, OFFSET g_modeMgr and CALL CModeMgr::Quit
  74. offset2 += 10;
  76. //Step 3b - Prep new code (original CModeMgr::Quit will get overwritten by RestoreLoginWindow so create a new function with the essentials)
  77. code =
  78. " 8B 41 04" //MOV EAX,DWORD PTR DS:[ECX+4]
  79. + " C7 40 14 00 00 00 00" //MOV DWORD PTR DS:[EAX+14], 0
  80. + " C7 01 00 00 00 00" //MOV DWORD PTR DS:[ECX],0
  81. + " C3" //RETN
  83. //Step 3c - Allocate space for the code
  84. var free = exe.findZeros(code.hexlength());
  85. if (free === -1)
  86. return "Failed in Step 3 - Not enough free space";
  88. //Step 3d - Insert it
  89. exe.insert(free, code.hexlength(), code, PTYPE_HEX);
  91. //Step 3e - Change the CModeMgr::Quit CALL with a CALL to our function
  92. exe.replaceDWord(offset2 - 4, exe.Raw2Rva(free) - exe.Raw2Rva(offset2));
  94. //Step 4a - Find the prefix string for the button (pressed state)
  95. offset = exe.findString("btn_request_b", RVA);
  96. if (offset === -1)
  97. return "Failed in Step 4 - Button prefix missing";
  99. //Step 4b - Find its reference
  100. offset = exe.findCode(offset.packToHex(4) + " C7", PTYPE_HEX, false);
  101. if (offset === -1)
  102. return "Failed in Step 4 - Prefix reference missing";
  104. //Step 4c - Look for the LangType comparison after the reference
  105. code =
  106. " 83 AB 03" //CMP reg32, 03 ; 03 is for register button
  107. + " 75 25" //JNE SHORT addr
  108. + " A1" + LANGTYPE //MOV EAX, DWORD PTR DS:[g_serviceType]
  109. ;
  111. offset2 = exe.find(code, PTYPE_HEX, true, "\xAB", offset + 0xA0, offset + 0x100);
  112. if (offset2 === -1)
  113. return "Failed in Step 4 - Langtype comparison missing";
  115. //Step 4d - Change the JNE to JMP. This way no langtype check occurs for any buttons
  116. exe.replace(offset2 + 3, "EB", PTYPE_HEX);
  118. return true;
  119. }

ShowRegisterButton.qs