1. //###########################################################################
  2. //# Purpose: Restore the original code that created the Login Window inside #
  3. //# CLoginMode::OnChangeState function and Add supporting Changes #
  4. //# to make it work #
  5. //###########################################################################
  7. function RestoreLoginWindow() {
  9. //Step 1a - Find the code where we need to make client call the login window
  10. var code =
  11. " 50" //PUSH EAX
  12. + " E8 AB AB AB FF" //CALL g_ResMgr
  13. + " 8B C8" //MOV ECX, EAX
  14. + " E8 AB AB AB FF" //CALL CResMgr::Get
  15. + " 50" //PUSH EAX
  16. + " B9 AB AB AB 00" //MOV ECX, OFFSET g_windowMgr
  17. + " E8 AB AB AB FF" //CALL UIWindowMgr::SetWallpaper
  18. + " 80 3D AB AB AB 00 00" //CMP BYTE PTR DS:[g_Tparam], 0 <- The parameter push + call to UIWindowManager::MakeWindow originally here
  19. + " 74 13" //JZ SHORT addr1 - after the JMP
  20. + " C6 AB AB AB AB 00 00" //MOV BYTE PTR DS:[g_Tparam], 0
  21. + " C7 AB AB 04 00 00 00" //MOV DWORD PTR DS:[EBX+0C], 4 <- till here we need to overwrite
  22. + " E9" //JMP addr2
  23. ;
  25. var codeOffset = exe.findCode(code, PTYPE_HEX, true, "\xAB");
  26. // newer exes have g_tParam located past 00nnnn, so we need to expand the search!
  27. if (codeOffset === -1)
  28. {
  29. code = code.replace(" 80 3D AB AB AB 00", " 80 3D AB AB AB 01");
  30. code = code.replace(" C6 AB AB AB AB 00", " C6 AB AB AB AB 01");
  31. codeOffset = exe.findCode(code, PTYPE_HEX, true, "\xAB");
  32. }
  34. if (codeOffset === -1)
  35. return "Failed in Step 1";
  37. //Step 1b - Extract the MOV ECX, g_windowMgr statement
  38. var movEcx = exe.fetchHex(codeOffset + 14, 5);
  40. //==============================================//
  41. // Next we need to find UIWindowMgr::MakeWindow //
  42. //==============================================//
  44. //Step 2a - Find offset of NUMACCOUNT
  45. var offset = exe.findString("NUMACCOUNT", RVA);
  46. if (offset === -1)
  47. return "Failed in Step 2 - NUMACCOUNT not found";
  49. //Step 2b - Find the UIWindowMgr::MakeWindow call
  50. code =
  51. movEcx //MOV ECX, OFFSET g_windowMgr
  52. + " E8 AB AB AB FF" //CALL UIWindowMgr::MakeWindow
  53. + " 6A 00" //PUSH 0
  54. + " 6A 00" //PUSH 0
  55. + " 68" + offset.packToHex(4) //PUSH addr ; ASCII "NUMACCOUNT"
  56. ;
  58. var o2 = exe.findCode(code, PTYPE_HEX, true, "\xAB");
  59. if (o2 === -1)
  60. return "Failed in Step 2 - MakeWindow not found";
  62. //Step 2c - Extract the Function address relative to target location
  63. var windowMgr = ((o2 + 10 + exe.fetchDWord(o2 + 6)) - (codeOffset + 24 + 2 + 5 + 5)).packToHex(4)
  65. //Step 3a - Prepare the code to overwrite with - originally present in old clients
  66. code =
  67. " 6A 03" //PUSH 3
  68. + movEcx //MOV ECX, OFFSET g_windowMgr
  69. + " E8" + windowMgr //CALL UIWindowMgr::MakeWindow
  70. + " EB 09" //JMP SHORT addr ; skip over to the MOV [EBX+0C], 4
  71. //90".repeat(11) //Bunch of NOPs
  72. ;
  74. //Step 3b - Overwrite with the code.
  75. exe.replace(codeOffset + 24, code, PTYPE_HEX);
  77. //===============================================//
  78. // Now for some additional stuff to make it work //
  79. //===============================================//
  81. //Step 4a - Force the client to send old login packet irrespective of LangType (Also inside CLoginMode::ChangeState)
  82. // all JZ will be NOPed out
  83. var LANGTYPE = GetLangType();//Langtype value overrides Service settings hence they use the same variable - g_serviceType
  84. if (LANGTYPE.length === 1)
  85. return "Failed in Step 4 - " + LANGTYPE[0];
  87. code =
  88. " 80 3D AB AB AB 00 00" //CMP BYTE PTR DS:[g_passwordencrypt], 0
  89. + " 0F 85 AB AB 00 00" //JNE addr1
  90. + " A1" + LANGTYPE //MOV EAX, DWORD PTR DS:[g_serviceType]
  91. + " AB AB" //TEST EAX, EAX - (some clients use CMP EAX, EBP instead)
  92. + " 0F 84 AB AB 00 00" //JZ addr2 -> Send SSO Packet (ID = 0x825. was 0x2B0 in Old clients)
  93. + " 83 AB 12" //CMP EAX, 12
  94. + " 0F 84 AB AB 00 00" //JZ addr2 -> Send SSO Packet (ID = 0x825. was 0x2B0 in Old clients)
  95. ;
  96. offset = exe.findCode(code, PTYPE_HEX, true, "\xAB");
  98. if (offset === -1) {
  99. code = code.replace(" A1", " 8B AB"); //MOV reg32_A, DWORD PTR DS:[g_serviceType]
  100. offset = exe.findCode(code, PTYPE_HEX, true, "\xAB");
  101. }
  103. if (offset === -1)
  104. return "Failed in Step 4 - LangType comparison missing";
  106. offset += code.hexlength();
  108. if (exe.fetchUByte(offset) === 0x83 && exe.fetchByte(offset + 2) === 0x0C)//create a JMP to location after the JZs
  109. var repl = "EB 18";
  110. else
  111. var repl = "EB 0F";
  113. exe.replace(offset - 0x11, repl, PTYPE_HEX);
  115. /*===========================================================================================================================
  116. Shinryo: We need to make the client return to Login Interface when Error occurs (such as wrong password, failed to connect).
  117. For this in the CModeMgr::SendMsg function, we set the return mode to 3 (Login) and pass 0x271D as idle value
  118. and skip the quit operation.
  119. =============================================================================================================================
  120. First we need to find the g_modeMgr & mode setting function address. The address is kept indirectly =>
  121. MOV ECX, DWORD PTR DS:[Reference]
  122. MOV EAX, DWORD PTR DS:[ECX]
  123. MOV EDX, DWORD PTR DS:[EAX+18]
  124. now ECX + C contains g_modeMgr & EDX is the function address we need. But these 3 instructions are not always kept together as of recent clients.
  125. ===========================================================================================================================*/
  127. //Step 5a - First we look for one location that appears always after g_modeMgr is retrieved
  128. code =
  129. " 6A 00" //PUSH 0
  130. + " 6A 00" //PUSH 0
  131. + " 6A 00" //PUSH 0
  132. + " 68 F6 00 00 00" //PUSH F6
  133. + " FF" //CALL reg32_A or CALL DWORD PTR DS:[reg32_A+const]
  134. ;
  136. offset = exe.findCode(code, PTYPE_HEX, false);
  137. if (offset === -1)
  138. return "Failed in Step 5 - Unable to find g_modeMgr code";
  140. //Step 5b - Find the start of the function
  141. code =
  142. " 83 3D AB AB AB AB 01" //CMP DWORD PTR DS:[addr1], 1
  143. + " 75 AB" //JNE addr2
  144. + " 8B 0D" //MOV ECX, DWORD PTR DS:[Reference]
  145. ;
  147. var offset = exe.find(code, PTYPE_HEX, true, "\xAB", offset - 30, offset);
  148. if (offset === -1)
  149. return "Failed in Step 5 - Start of Function missing";
  151. //Step 5c - Extract the reference and construct the code for getting g_modeMgr to ECX + C & mode setter to EDX (same as shown initially)
  152. var infix =
  153. exe.fetchHex(offset + code.hexlength() - 2, 6) //MOV ECX, DWORD PTR DS:[Reference]
  154. + " 8B 01" //MOV EAX, DWORD PTR DS:[ECX]
  155. + " 8B 50 18" //MOV EDX, DWORD PTR DS:[EAX+18]
  156. ;
  158. //Step 5d - Find how many PUSH 0s are there. Older clients had 3 arguments but newer ones only have 3
  159. var pushes = exe.findAll("6A 00", PTYPE_HEX, false, "", offset + code.hexlength() + 4, offset + code.hexlength() + 16);
  161. //Step 5e - Find error handler = CModeMgr::Quit
  162. code =
  163. " 8B F1" //MOV ESI,ECX
  164. + " 8B 46 04" //MOV EAX,DWORD PTR DS:[ESI+4]
  165. + " C7 40 14 00 00 00 00" //MOV DWORD PTR DS:[EAX+14], 0
  166. + " 83 3D" + LANGTYPE + " 0B" //CMP DWORD PTR DS:[g_serviceType], 0B
  167. + " 75 1D" //JNE SHORT addr1 -> after CALL instruction below
  168. + " 8B 0D AB AB AB 00" //MOV ECX,DWORD PTR DS:[g_hMainWnd]
  169. + " 6A 01" //PUSH 1
  170. + " 6A 00" //PUSH 0
  171. + " 6A 00" //PUSH 0
  172. + " 68 AB AB AB 00" //PUSH addr2 ; ASCII "http://www.ragnarok.co.in/index.php"
  173. + " 68 AB AB AB 00" //PUSH addr3 ; ASCII "open"
  174. + " 51" //PUSH ECX
  175. + " FF 15 AB AB AB 00" //CALL DWORD PTR DS:[<&SHELL32.ShellExecuteA>]
  176. + " C7 06 00 00 00 00" //MOV DWORD PTR DS:[ESI],0 (ESI is supposed to have g_modeMgr but it doesn't always point to it, so we assign it another way)
  177. ;
  178. /*==============================================================================
  179. Shinryo:
  180. The easiest way would be probably to set this value to a random value instead of 0,
  181. but the client would dimmer down/flicker and appear again at login interface.
  182. ===============================================================================*/
  184. offset = exe.findCode(code, PTYPE_HEX, true, "\xAB");
  186. if (offset === -1) {//For recent client g_hMainWnd is directly pushed instead of assigning to ECX first
  188. code = code.replace(" 75 1D 8B 0D AB AB AB 00", " 75 1C"); //remove the ECX assignment and fix the JNE address accordingly
  189. code = code.replace(" 51 FF 15 AB", " FF 35 AB AB AB 00 FF 15 AB"); //replace PUSH ECX with PUSH DWORD PTR DS:[g_hMainWnd]
  191. offset = exe.findCode(code, PTYPE_HEX, true, "\xAB");
  193. if (offset === -1)
  194. {
  195. // and newer clients push hwndParent further, so !
  196. code = code.replace(" FF 35 AB AB AB 00 FF 15 AB", " FF 35 AB AB AB 01 FF 15 AB");
  197. offset = exe.findCode(code, PTYPE_HEX, true, "\xAB");
  198. }
  199. }
  201. if (offset === -1)
  202. return "Failed in Step 5 - Unable to find SendMsg function";
  204. //Step 5f - Construct the replacement code
  205. var replace =
  206. " 52" //PUSH EDX
  207. + " 50" //PUSH EAX
  208. + infix //MOV ECX,DWORD PTR DS:[Reference]
  209. //MOV EAX,DWORD PTR DS:[ECX]
  210. //MOV EDX,DWORD PTR DS:[EAX+18]
  211. + " 6A 00".repeat(pushes.length) //PUSH 0 sequence
  212. + " 68 1D 27 00 00" //PUSH 271D
  213. + " C7 41 0C 03 00 00 00" //MOV DWORD PTR DS:[ECX+0C],3
  214. + " FF D2" //CALL EDX
  215. + " 58" //POP EAX
  216. + " 5A" //POP EDX
  217. ;
  219. //replace += " 90".repeat(code.hexlength() - replace.hexlength()); // Bunch of NOPs
  220. replace += " EB" + (code.hexlength() - replace.hexlength() - 2).packToHex(1); //Skip to the POP ESI
  222. //Step 5g - Overwrite the SendMsg function.
  223. exe.replace(offset, replace, PTYPE_HEX);
  225. //==========================================================================//
  226. // Extra for certain 2013 - 2014 clients. Need to fix a function to return 1//
  227. //==========================================================================//
  229. if (exe.getClientDate() >= 20130320 && exe.getClientDate() <= 20140226) {
  231. //Step 6a - Find offset of "ID"
  232. offset = exe.findString("ID", RVA);
  233. if (offset === -1)
  234. return "Failed in Step 6 - ID not found";
  236. //Step 6b - Find its reference
  237. // PUSH 1
  238. // PUSH 0
  239. // PUSH addr; "ID"
  240. offset = exe.findCode("6A 01 6A 00 68" + offset.packToHex(4), PTYPE_HEX, false);
  241. if (offset === -1)
  242. return "Failed in Step 6 - ID reference not found";
  244. //Step 6c - Find the new function call in 2013 clients
  245. // PUSH EAX
  246. // CALL func
  247. // JMP addr
  248. offset = exe.find("50 E8 AB AB AB 00 EB", PTYPE_HEX, true, "\xAB", offset - 80, offset);
  249. if (offset === -1)
  250. return "Failed in Step 6 - Function not found";
  252. //Step 6d - Extract the called address
  253. var call = exe.fetchDWord(offset + 2) + offset + 6;
  255. //Step 6e - Sly devils have made a jump here so search for that.
  256. offset = exe.find("E9", PTYPE_HEX, false, "", call);
  257. if (offset === -1)
  258. return "Failed in Step 6 - Jump Not found";
  260. //Step 6f - Now get the jump offset
  261. call = offset + 5 + exe.fetchDWord(offset+1);//rva conversions are not needed since we are referring to same code section.
  263. //Step 6g - Search for pattern to get func call <- need to remove that call
  264. // PUSH 13
  265. // CALL DWORD PTR DS:[addr]
  266. // AND EAX, 000000FF
  267. offset = exe.find(" 6A 13 FF 15 AB AB AB 00 25 FF 00 00 00", PTYPE_HEX, true, "\xAB", call);
  268. if (offset === -1)
  269. return "Failed in Step 6 - Pattern not found";
  271. //Step 6h - This part is tricky we are going to replace the call with xor eax,eax & add esp, c for now since i dunno what its purpose was anyways. 13 is a hint
  272. // XOR EAX, EAX
  273. // ADD ESP, 0C
  274. // NOP
  275. exe.replace(offset + 2, " 31 C0 83 C4 0C 90", PTYPE_HEX);
  276. }
  278. return true;
  279. }
  281. //==============================================================//
  282. // Disable for Unneeded Clients - Only VC9+ Client dont have it //
  283. //==============================================================//
  284. function RestoreLoginWindow_() {
  285. return (exe.getClientDate() > 20100803);
  286. }

RestoreLoginWindow.qs