Will basicly be a guide on how to add your own CFG options etc.
[hr]
Essentials:
A Brain.
Ollydbg.
HxD.
~Warning: Reading Assembly can cause headaches~
--- OllyDbg v2.00 and You ---
Basics of ASM.
Basics such as Jumps, Mov, Calls etc.
We are going to be using OllyDbg for this; yours may have a slightly different layout to mine, but in the end it will be OllyDbg v2.00.
Download is: http://www.ollydbg.de/odbg200.zip
I think I might be running one of the v2.0 betas, not 100% sure.
First off, let's run it; if you're on Vista/Win7 then run it as admin. When it is open we will want some extra information, so click on the blue icon with an "E" as well as the yellow one with a "B". This will open the Executable Modules and the Breakpoints windows.
Get the layout of how you want it, mine looks like this:
http://img823.imageshack.us/img823/9967/pic1x.png
-------------------------------------------
This is a lot of useless knowledge.
-------------------------------------------
Okay, I'm going to open up a random executable and try to explain the basics of ASM.
http://img227.imageshack.us/img227/9246/pic2e.png
Okay, first things first: make sure you're in the correct module, which is always the exe name. You can see at the top of the CPU window that it says swgkadoo module. If you ever need to change module, then in the Executable Modules window just double click the one you want and it will change to that.
In assembly you have registers which hold the data: EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, EIP, as well as AL and a few others.
Push in ASM just means push a value onto the stack, and pop means pop it off the stack.
The essential commands are really Mov, Call and RET (RETN).
Mov EAX, EBP - Move the value of EBP into EAX.
Call - Call Address. Will go to a new address and run the code/asm there until it hits a RET/RETN, which means RETURN and will go back to the original place the call was made from.
There are SUB, MUL, IMUL, INC, DEC, ADD, CMP etc.
Most you can guess what they mean, Sub = Subtract, Mul = Multiply, IMul = Integer Multiply, Inc = Increment, Dec = Decrement, Add = Add, Cmp = Compare.
How they are laid out is, for example, Mul EAX, EBX
Multiply the value in EAX by EBX and store it in EAX. This applies to all of them except INC and DEC, which only require one operand.
JMPs - There are loads of Jumps: JMP, JE, JGE, JLE etc. JMP is Jump to address. JE is Jump if Equal. JGE jumps if it is greater than or equal to and JLE jumps if it is less than or equal to. There are a lot more different kinds of Jumps, but these are the most common ones you'll see.
There are also logic operations such as OR, AND, XOR etc, and a few commands you might see often are SHR and LEA. There are a lot more; if you want to know what they do, go do some extra reading.
--- Space Management ---
Spare space in executables: there is not much free space in executables, because they want to keep the executables small, so you have to either find redundant code which is never called/used and use that as free space, or you can create your own.
Creating your own involves editing the header in an executable to say there is more space in X part of the executable; if you want, you can do this. I will be finding and using free space where possible in this tutorial and will not explain any more about expanding an executable. The free space will be mentioned in the demonstration part.
--- SWG Client Layout in ASM And Essential Calls ---
Information on how things need to be structured.
How calls should be structured.
What the important calls (for this topic) do (a list of about 8 of them):
CALL 00A9CEF0 - You push a default value on; however, if the .cfg option is found it will place that value into the AL register (Bool)
CALL 00A9CEA0 - You push a default value on; however, if the .cfg option is found it will place that value into the EAX register (Int)
CALL 00A9CF90 - Reads a string from a .cfg and saves it in the SWG machine options .iff file.
CALL 00B8DA10 - Reads the .cfg, places the value into the pointer given and saves it to the SWG machine options .iff file (Bool)
CALL 00B8DA30 - Reads the .cfg, places the value into the pointer given and saves it to the SWG machine options .iff file (Float)
CALL 00B8DA50 - Reads the .cfg, places the value into the pointer given and saves it to the SWG machine options .iff file (Int)
CALL 00A89530 - This is for debug flags - Not needed in the modifications.
These are the calls we will be using in the example. I will give an example of the first one, which is:
00A9CEF0 (Bool)
So here is how it will be in the code:
1. Boolean (0 Or 1)
2. Whatever=
3. [Whatever]
4. CALL 00A9CEF0
5. MOV BYTE PTR DS:[Whatever],AL
Line 1: the default value used if the boolean is not in the .cfg.
Line 2: in the CFG this will be like AllowMultipleInstances=
Line 3: in the CFG this will be like [ClientGame]
Line 4: call the check, which then places the value into AL.
Line 5: move the value in AL into the address Whatever; that address will be read by the game to do whatever it does. The address in the example will be the FPS address.
Full Example:
PUSH 0 -- Default Value False
PUSH 1875078 -- Push value from this address
PUSH 1866C3C -- Push value from this address (ClientGame)
CALL 00A9CEF0 -- Call the function
MOV BYTE PTR DS:[19111C0],AL -- Move the value into Address
A different example of a call will be given later in "Adding New Config Options", which will be using CALL 00B8DA30. "Push value from this address" will be made clearer in the actual example.
--- Identifying what does what ---
Here is how I got the frame rate.
When SWGEmu.exe (or SWGANH.exe) was opened in OllyDbg and I was on the correct module (the executable name), I right clicked in the CPU window, Search For, All Referenced Strings.
Once it had finished searching I did Ctrl + F and searched for limitFrameRate and found (you can see it in the screenshot):
http://img844.imageshack.us/img844/9887/pic3n.png
Text strings referenced in SWGEmu, item 39990
Address = 00AA4F6E
Command = PUSH OFFSET SWGEmu.018ADE2C
Comments = ASCII "Clock::limitFrameRate QPC failed"
Somewhere in the highlighted area (in between the two jumps):
http://img692.imageshack.us/img692/1769/pic4z.png
is the address for the FPS cap. There are only two possible addresses it can be:
19446D4 or 19446D0
It's 19446D0, the last address to be used. To check and make sure, get a memory editor (T-Search, L'Spiro MHS, Cheat Engine etc), add that address, change the value and check in game to see what difference it has made.
Now that you have the address you can make external programs to edit it (a C++ code example is in this section somewhere), and you can now use ASM to add an extra .cfg option, which lets you create your own CFG option with which you can set the cap.
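Added example, not part of the original post: a small Python re-creation of what OllyDbg's "All Referenced Strings" search did above for one string in a 32-bit PE. It maps the string's file offset to its virtual address through the section table, then scans for PUSH imm32 (opcode 68) of that address, which is how a "PUSH OFFSET" hit like the one at 00AA4F6E is located, and is equally useful when checking what a patched client actually references. The sample image built by build_sample_pe() is constructed for the demonstration and is not the game client.

```python
import struct
# Added example, not the original post's code: re-creates OllyDbg's "All referenced strings"
# lookup for ONE string in a 32-bit PE. A byte scan (no disassembly) can give false positives
# where an 0x68 data byte happens to precede the address, so treat hits as leads to confirm.

def parse_sections(pe: bytes):
    """Return (image_base, [(name, va, raw_off, raw_size), ...]) read from the PE headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0" or struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("expected a PE32 (32-bit) image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    secs = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADER entries right after the optional header
        name, _vsize, va, raw_size, raw_off = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, raw_off, raw_size))
    return image_base, secs

def file_offset_to_va(image_base, secs, off):  # -> virtual address, or None if outside every section
    for _, va, raw_off, raw_size in secs:
        if raw_off <= off < raw_off + raw_size:
            return image_base + va + (off - raw_off)
    return None

def find_string_refs(pe: bytes, needle: bytes):
    """Return [(code_va, string_va)] for every PUSH imm32 (68 xx xx xx xx) of the string's address."""
    image_base, secs = parse_sections(pe)
    refs, start = [], 0
    while (hit := pe.find(needle + b"\0", start)) != -1:  # each NUL-terminated copy of the string
        start, str_va = hit + 1, file_offset_to_va(image_base, secs, hit)
        if str_va is None:
            continue
        pattern, pos = b"\x68" + struct.pack("<I", str_va), 0  # PUSH OFFSET <string va>
        while (p := pe.find(pattern, pos)) != -1:
            refs.append((file_offset_to_va(image_base, secs, p), str_va))
            pos = p + 1
    return refs

def build_sample_pe() -> bytes:
    """Constructed two-section PE32 (NOT the game client): .text pushes the address of the .rdata string."""
    base, text_va, rdata_va, hdr = 0x400000, 0x1000, 0x2000, 0x400
    rdata = b"Clock::limitFrameRate QPC failed\0".ljust(0x200, b"\0")
    text = (b"\x90" * 0x10 + b"\x68" + struct.pack("<I", base + rdata_va)).ljust(0x200, b"\xCC")
    opt = (struct.pack("<H", 0x10B).ljust(28, b"\0") + struct.pack("<I", base)).ljust(0xE0, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    sec = lambda n, va, ro: struct.pack("<8sIIIIIIHHI", n, 0x200, va, 0x200, ro, 0, 0, 0, 0, 0x60000020)
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt
    head += sec(b".text", text_va, hdr) + sec(b".rdata", rdata_va, hdr + 0x200)
    return head.ljust(hdr, b"\0") + text + rdata  # find_string_refs(...) -> [(0x401010, 0x402000)]
```

Run find_string_refs(open("client.exe", "rb").read(), b"Clock::limitFrameRate QPC failed") against a real 32-bit client to get the same Address/Command pair OllyDbg listed, then confirm each hit by disassembling at that address.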
--- Adding New Config Options ---
Example: adding the setframespersecond config option.
Step by step, slowly adding in the new config option.