Page about Rage of Mages

[ru] [en]  
[0] [1] [2]


Speedhack bug fix

Author: Vladimir Chebotarev aka ex-lend
Categories: RoM 2, Technical

The article is intended to read by ones, who are familiar to Assembler programming.
In this article I tried to show how to add your own code into arbitrary place of executable files using add_dll utility using example of fixing speedhack bug.

add_dll operation principle

In case of jump (most useful mode) after your own code you should execute commands, that were rewritten by dll call and return control into original address, for example, using mov edx, 0xADDRESS / jmp edx.

Speedhack bug

Speedhack bug is bug with multiple exit from build without entering it. Because of game error, character in this case will be copied many times to character list and will be handled many times correspondingly. That is why you will attack many times stronger. To fix this bug, one should find handling of 'exit from building' packet and insert check for staying in building at this moment.

Example of solution

For building dll you will need Microsoft Visual Studio 2003/2005/2008 or Microsoft Visual C++ Toolkit 2003 (light-weight, but without IDE).
You should place following files to build directory:
  • a2server_orig.exe - original a2server.exe
  • add_dll.exe
  • server_utils.cpp - source code of the library
    void __declspec(naked) add_player_to_map()
                    push    ebp
                    mov     ebp, esp
                    sub     esp, 0x0C
                    mov     eax, [ecx + 0x4C] // unit
                    test    eax, 8
                    jz      aptm_already_on_map
                    mov     edx, 0x052C40F
                    jmp     edx
                    mov     edx, 0x052C47B
                    jmp     edx
    #define DLL_PROCESS_ATTACH 1
    #define DLL_PROCESS_DETACH 2
    int __stdcall DllMain(void *hModule, unsigned long ul_reason_for_call, void *lpReserved)
    	return 1;
  • server_utils.def - library definition and list of subroutines being exported
    LIBRARY server_utils
    add_player_to_map       @1
    We set number of subroutine add_player_to_map in dll (1) here.
  • server_utils.mapping - list of addresses in exe, which will be rewritten by dll calls
    0 1 52C409 // fix speedhack
    ////////// 0: jmp, 1: call
    Call of subroutine number 1 will be written to the address 0x52C409 of executable file using command jmp (0).
  • compile.bat - script for compilation and attaching dll
    @echo off
    if exist "%VS90COMNTOOLS%vsvars32.bat" (
    call "%VS90COMNTOOLS%vsvars32.bat"
    ) else (
    if exist "%VS80COMNTOOLS%vsvars32.bat" (
    call "%VS80COMNTOOLS%vsvars32.bat"
    ) else (
    if exist "%VS71COMNTOOLS%vsvars32.bat" (
    call "%VS71COMNTOOLS%vsvars32.bat"
    ) else (
    if exist "%VS70COMNTOOLS%vsvars32.bat" (
    call "%VS70COMNTOOLS%vsvars32.bat"
    ) else (
    if exist "%ProgramFiles%\Microsoft Visual C++ Toolkit 2003" (
    call "%ProgramFiles%\Microsoft Visual C++ Toolkit 2003\vcvars32.bat"
    cl /c server_utils.cpp /nologo
    if errorlevel 1 goto error
    link server_utils.obj /nologo /dll /def:server_utils.def /out:server_utils.dll
    if errorlevel 1 goto error
    copy /y a2server_orig.exe a2server.exe
    add_dll a2server.exe server_utils.dll server_utils.mapping
    echo Successfully completed!
    goto exit
    echo Shit happens
After successful execution of script, server_utils.dll and a2server.exe will appear
Discussion (0)