Page about Rage of Mages

Speedhack bug fix

Author: Vladimir Chebotarev aka ex-lend
Categories: RoM 2, Technical

This article is intended for readers who are familiar with assembly programming.
In it I show how to insert your own code at an arbitrary location in an executable file using the add_dll utility, taking the fix of the speedhack bug as an example.

How add_dll works

add_dll overwrites the instructions at the chosen address of the executable with a jump (or a call) to an exported subroutine of your DLL. In jump mode (the most useful one), after your own code you must re-execute the instructions that were overwritten by the jump and then return control to the original address, for example with mov edx, 0xADDRESS / jmp edx.

Speedhack bug

The speedhack bug consists of leaving a building several times without having entered it. Because of a game error, the character is then added to the character list several times and is therefore processed several times, which is why its attacks become many times stronger. To fix the bug, one has to find the handler of the 'exit from building' packet and insert a check that the character is actually inside a building at that moment.

Example solution

To build the DLL you will need Microsoft Visual Studio 2003/2005/2008 or the Microsoft Visual C++ Toolkit 2003 (lightweight, but without an IDE).
Place the following files in the build directory:
  • a2server_orig.exe - the original a2server.exe
  • add_dll.exe
  • server_utils.cpp - source code of the library
    // Hook installed at 0x52C409 in jump mode. The first three instructions
    // replay the 6 bytes of original code that the jump overwrote; control then
    // returns to 0x52C40F (right after the overwritten bytes) or, when the unit
    // is already on the map, jumps past the add to 0x52C47B.
    void __declspec(naked) add_player_to_map()
    {
        __asm
        {
            push    ebp                 // original instructions that were
            mov     ebp, esp            // overwritten by the jump: replay them
            sub     esp, 0x0C
            mov     eax, [ecx + 0x4C]   // unit
            test    eax, 8              // check the unit flag
            jz      aptm_already_on_map
            mov     edx, 0x052C40F      // continue with the original code
            jmp     edx
    aptm_already_on_map:
            mov     edx, 0x052C47B      // already on the map: skip the add
            jmp     edx
        }
    }

    // Defined by hand so that windows.h is not needed.
    #define DLL_PROCESS_ATTACH 1
    #define DLL_PROCESS_DETACH 2

    // Nothing has to happen on attach or detach; the hook is reached only
    // through the jump written into the executable.
    int __stdcall DllMain(void *hModule, unsigned long ul_reason_for_call, void *lpReserved)
    {
        switch (ul_reason_for_call)
        {
            case DLL_PROCESS_ATTACH:
                break;
            case DLL_PROCESS_DETACH:
                break;
        }

        return 1;
    }
  • server_utils.def - library definition and the list of exported subroutines
    LIBRARY server_utils
    EXPORTS
    add_player_to_map       @1
    This assigns number 1 to the add_player_to_map subroutine in the DLL.
  • server_utils.mapping - list of addresses in the exe that will be overwritten with calls into the DLL
    0 1 52C409 // fix speedhack
    ////////// 0: jmp, 1: call
    A jump (mode 0) to subroutine number 1 will be written at address 0x52C409 of the executable.
  • compile.bat - script that compiles the library and attaches the DLL
    @echo off

    if exist "%VS90COMNTOOLS%vsvars32.bat" (
        call "%VS90COMNTOOLS%vsvars32.bat"
    ) else (
        if exist "%VS80COMNTOOLS%vsvars32.bat" (
            call "%VS80COMNTOOLS%vsvars32.bat"
        ) else (
            if exist "%VS71COMNTOOLS%vsvars32.bat" (
                call "%VS71COMNTOOLS%vsvars32.bat"
            ) else (
                if exist "%VS70COMNTOOLS%vsvars32.bat" (
                    call "%VS70COMNTOOLS%vsvars32.bat"
                ) else (
                    if exist "%ProgramFiles%\Microsoft Visual C++ Toolkit 2003" (
                        call "%ProgramFiles%\Microsoft Visual C++ Toolkit 2003\vcvars32.bat"
                    )
                )
            )
        )
    )

    cl /c server_utils.cpp /nologo
    if errorlevel 1 goto error
    link server_utils.obj /nologo /dll /def:server_utils.def /out:server_utils.dll
    if errorlevel 1 goto error
    copy /y a2server_orig.exe a2server.exe
    add_dll a2server.exe server_utils.dll server_utils.mapping

    echo Successfully completed!
    goto exit

    :error

    echo Shit happens

    :exit
After the script completes successfully, server_utils.dll and the patched a2server.exe appear in the build directory.
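As an added illustration of the jump-mode principle and of the .mapping line format described above (this is not code from the article or from add_dll, whose internal patch mechanism the article does not describe), the following Python helper parses a mapping entry, builds the NOP-padded jmp/call that displaces whole instructions at the patch address, computes where the hook must return (0x52C409 + 6 = 0x52C40F, matching add_player_to_map), and encodes the mov edx / jmp edx return sequence. The hook address 0x10001000 is hypothetical and the displaced bytes are constructed from the three instructions the hook replays.

```python
import struct

JMP_REL32, CALL_REL32, NOP = 0xE9, 0xE8, 0x90  # x86 opcodes: jmp rel32, call rel32, nop

def parse_mapping_line(line):
    """Parse one .mapping line: '<mode> <ordinal> <hex address> [// comment]'.
    Returns (mode, ordinal, address), or None for a blank or comment-only line."""
    fields = line.split("//", 1)[0].split()
    if not fields:
        return None
    mode, ordinal, addr = int(fields[0]), int(fields[1]), int(fields[2], 16)
    if mode not in (0, 1):
        raise ValueError("mode must be 0 (jmp) or 1 (call), got %d" % mode)
    return mode, ordinal, addr

def plan_detour(patch_addr, stolen_instrs, hook_addr, mode=0):
    """Build the 5-byte jmp/call written at patch_addr, NOP-padded to the total
    length of the whole instructions it displaces, and return (patch_bytes,
    return_addr): the hook must replay those instructions and jump to return_addr."""
    stolen_len = sum(len(i) for i in stolen_instrs)
    if stolen_len < 5:
        raise ValueError("a rel32 jump needs at least 5 bytes of whole instructions")
    rel = hook_addr - (patch_addr + 5)  # rel32 is relative to the next instruction
    patch = bytes([JMP_REL32 if mode == 0 else CALL_REL32]) + struct.pack("<i", rel)
    patch += bytes([NOP]) * (stolen_len - 5)  # keep later instruction boundaries intact
    return patch, patch_addr + stolen_len

def return_stub(return_addr):
    """Encode 'mov edx, imm32 / jmp edx' (BA imm32 / FF E2), the return sequence
    used in the article. It clobbers edx, so edx must be dead at the patch point."""
    return bytes([0xBA]) + struct.pack("<I", return_addr) + bytes([0xFF, 0xE2])

# Constructed input: the three instructions the hook replays (push ebp /
# mov ebp, esp / sub esp, 0Ch), which occupy the 6 bytes at 0x52C409.
STOLEN = [b"\x55", b"\x8b\xec", b"\x83\xec\x0c"]
HOOK_ADDR = 0x10001000  # hypothetical address of add_player_to_map once the DLL is loaded

def check_speedhack_detour():
    """Walk the page's mapping entry through the planner."""
    mode, ordinal, addr = parse_mapping_line("0 1 52C409 // fix speedhack")
    patch, ret = plan_detour(addr, STOLEN, HOOK_ADDR, mode)
    return ordinal, patch, ret, return_stub(ret)

if __name__ == "__main__":
    ordinal, patch, ret, stub = check_speedhack_detour()
    print("subroutine @%d, patch %s, return to 0x%X" % (ordinal, patch.hex(), ret))
```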