This thread delivers.
SEQ should be an excellent source for opcodes, but I wonder about the structures. Would SEQ even be interested in the structures for, say, bazaar or ldon stuff? Isn't SEQ just interested in showing you mob pops, loot drops, etc? If that's the case, there's a fair chance they wouldn't implement any of the data structures since they wouldn't have a use for it. |
They'd have the hard to find structures like player profile and spawn structures. (They tend to change a lot from patch to patch.) Things like ldon could be figured out via packet collecting and viewing. Though I can't get the packet collector to compile nor the pre-compiled one to work. =x Guess I get to keep making mine.
|
Quote:
What I did was to run Wireshark on my PC, perform the actions I wanted to collect, then stop the capture and save the packets as a .pcap file. I then transferred the capture file over to my Linux box and ran ShowEQ in replay mode:

showeq --playback-tcpdump-file=/tmp/livecap.pcap --log-zone --zone-log-file=/tmp/livecap.txt

Once the GUI has loaded and processed the capture, quit and you have a text version of the capture in, e.g., /tmp/livecap.txt
Code:
[OPCode: 0x0e98] |
Oh, nice! I will definitely check that out. I already have wireshark and showeq set up, so that wouldn't take much to get going. I guess I better do it soon before the free live thing stops lol...
I still plan to work on Opcodes, but have been pretty busy the past few weeks with RL stuff. Hopefully I can start going on it again really soon :) I know it could make a big difference for the project if we can get more systems working and things like opcodes and packet structures figured out. |
Here is a quick and dirty tutorial on how I found the OP_Charm opcode for Titanium, based on information in the Wiki on disassembly using IDA.

Requirements: the 6.2 client, the Titanium client, and an opcode that is known for the 6.2 client but unknown in Titanium (this is what we want to find).

Download IDA Freeware 4.9 from: http://www.hex-rays.com/idapro/idadown.htm

Fire up IDA, select 'New', select PE Executable, then navigate to your 6.2 eqgame.exe and let IDA analyse it. This will take several minutes. It will say 'Idle' in the status bar when it has finished.

In 6.2, opcodes are handled in the 'Dispatch' routine at address 45A8B6. To jump to this address, press G and enter the address 45A8B6. The routine looks like this (I added the comments down near the bottom):
Code:
.text:0045A8B6

We know that for 6.2, OP_Charm is 0x10A1, so the first test that will pass is "is opcode > 0x0A2A", and we jump to loc_45AB94. Move the cursor over the loc_45AB94 in the ja instruction, right click, and select Jump to operand, which takes us to 45AB94:
Code:
.text:0045AB94 loc_45AB94: ; CODE XREF: sub_45A8B6+77j

loc_45ACAC. (Jump to operand as before.)
Code:
.text:0045ACAC loc_45ACAC: ; CODE XREF: sub_45A8B6+2E5j

0x10A1 - F66 - 9E - 9D = 0, so we jump to 45AD58.
Code:
.text:0045AD58 loc_45AD58: ; CODE XREF: sub_45A8B6+413j
Code:
.text:00457270 sub_457270 proc near ; CODE XREF: sub_45A8B6+4A3p

Now we need to find the same routine in Titanium. Close IDA and start it up again, this time selecting the Titanium eqgame.exe. Let it do its thing for a few minutes. When IDA is done processing, our goal is to find a routine in the Titanium client that looks the same, or very similar, to the one above. In this case, what I did was search for the 'immediate' value 0x1B3. Press Alt-I and enter 0x1b3 in the search box. After a few seconds, a list of matches will be displayed. What we are after is one that is:
Code:
cmp byte ptr [ebx+1B3h], 0

after. Double click on it and it will take you to the routine. Scroll up a bit and it looks like this:
Code:
.text:00453D7B sub_453D7B proc near ; CODE XREF: sub_45B8F0+D1Dp

Now we need to work our way backwards. Click on the 'sub_453D7B' which precedes 'proc near', and then press the X key. This will produce a list of locations that this subroutine is called from. There is only one place, so double click it, and it takes us to:
Code:
.text:0045C60C loc_45C60C: ; CODE XREF: sub_45B8F0+BD0j

from (just the one location). Double click on it in the result dialog box. This looks more interesting.
Code:
.text:0045C4BA loc_45C4BA: ; CODE XREF: sub_45B8F0+B6Fj

charm routine if the result is zero. We could continue moving back through the call tree to find if there are any other subtractions being done on the opcode value, but in this case there isn't: 0x12e5 is the opcode for OP_Charm in Titanium. |
Very nice! Much better info than what I was seeing in the Wiki itself lol. So, by using that same logic, I imagine that the known opcodes in Titanium could be used to find opcodes for anniversary or even live. It sounds a bit involved and I don't know much about looking at the IDA output yet, but I think if I can get the hang of it, it might start getting easier.
I guess we would still need to figure out packet structure, and other than packet sniffing, I haven't seen it done really. SOE just needs to give us a peek at their source hehe :P |
As long as Sony doesn't change compilers or their C code for handling opcodes, you could make what ya might call templates that could easily find any opcodes.
You take the current client, look at the hex before and after the opcode and build these templates to quickly search for new opcodes. A template for an opcode would be like HH HH HH ?? ?? HH HH, where the HHs are the common hex codes and the ?? are the unknown/possible opcodes. Then you search the new client using these templates. |
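The template idea above, written out as a runnable script (an added example, not code from anyone in this thread). It assumes the opcode is compared as a 16-bit little-endian immediate (cmp ax, imm16); the two client byte strings are constructed stand-ins, not real eqgame.exe bytes, carrying the 0x10A1 and 0x12E5 OP_Charm values from the tutorial post.

```python
import re

WILDCARD = None  # template slot that matches any byte (the "??" in HH HH ?? ?? HH)


def find_immediate(image: bytes, value: int, size: int):
    """Offsets where `value` appears as a little-endian `size`-byte immediate.
    A short value can occur by chance, so a hit still has to be confirmed
    against the dispatch code it is supposed to sit in."""
    needle = value.to_bytes(size, "little")
    return [i for i in range(len(image) - size + 1) if image[i:i + size] == needle]


def build_template(image: bytes, imm_offset: int, imm_size: int, before: int, after: int):
    """Context bytes around the known immediate with the immediate wildcarded:
    the thread's 'HH HH HH ?? ?? HH HH' shape as a list of ints/None."""
    start, end = imm_offset - before, imm_offset + imm_size + after
    if start < 0 or end > len(image):
        raise ValueError("context window runs off the end of the image")
    tmpl = list(image[start:end])
    for i in range(before, before + imm_size):
        tmpl[i] = WILDCARD
    return tmpl


def find_candidates(image: bytes, tmpl, before: int, imm_size: int):
    """Scan `image` for the template; return (match_offset, immediate) pairs.
    More than one hit means the context was not unique and should be widened."""
    rx = re.compile(b"".join(b"." if b is None else re.escape(bytes([b])) for b in tmpl), re.DOTALL)
    hits = []
    for m in rx.finditer(image):
        imm_at = m.start() + before
        hits.append((m.start(), int.from_bytes(image[imm_at:imm_at + imm_size], "little")))
    return hits


# Constructed stand-ins for the two clients (not real eqgame.exe bytes):
# push ebp; mov ebp,esp; [sub esp,8]; mov eax,[ebp+8]; cmp ax,imm16; jz rel32; ret
OLD_CLIENT = bytes.fromhex("5589e5" "8b4508" "663da110" "0f84" "10000000" "c3")  # cmp ax,0x10A1
NEW_CLIENT = bytes.fromhex("5589e5" "83ec08" "8b4508" "663de512" "0f84" "20000000" "c3")  # cmp ax,0x12E5


def locate_new_opcode(old: bytes, new: bytes, known: int, imm_size=2, before=5, after=2):
    """Whole pipeline: find the known opcode in the old client, derive the template,
    then read whatever immediate sits in the same context in the new client."""
    hits = find_immediate(old, known, imm_size)
    if len(hits) != 1:
        raise ValueError(f"known opcode occurs {len(hits)} times in old client; pick the offset by hand")
    tmpl = build_template(old, hits[0], imm_size, before, after)
    return find_candidates(new, tmpl, before, imm_size)


if __name__ == "__main__":
    print([hex(v) for _, v in locate_new_opcode(OLD_CLIENT, NEW_CLIENT, 0x10A1)])  # ['0x12e5']
```

The `before`/`after` window is the knob: too narrow and the template matches unrelated compares, too wide and a relocated jump target or inserted instruction (like the extra `sub esp, 8` in the constructed new client) breaks the match.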