Jump to content

Recommended Posts

Posted

I find this forum extremely lacking in information for users on extenders, and the only semi-useful shares are pieces of code written by developers which are of no use to the average user or new-comer to the L2 Official experience. Many people also believe that as a result of commercially available extenders, such as dvampire and depmax, that there is no need for the average L2Off server owner to write their own extenders. But there are many things that neither dvampire or depmax do which can be of use to some.

So I have decided to write this little guide, with the full source-code included, that will show first of all how to create an IDA Pro Database for your L2Server.exe, and then how to remove the length limit from the //announce GM command using an extender.
I'm aiming this guide towards people who maybe know a little C++ but feel intimidated by the prospects of creating an extender, but rest assured, the basic's are quite easy once you get into it.

This guide is written for the dvampire L2Server.exe and so any addresses mentioned will only be valid for that exe, that also applies to the source.
Source -> http://rapidshare.com/files/394471289/Extender.rar.html
Attaching Guide -> http://www.maxcheaters.com/topic/75684-guide-attaching-an-extender/

The first thing you need when starting with extenders is IDA Pro, this program will disassemble the L2Server.exe into assembly, which is invaluable to any extender developer.
Some ASM knowledge is required, but the basics required to create simple but useful extenders are pretty easy to learn.


So, lets start by creating an IDA Pro database. Once you have downloaded and installed IDA Pro, you must open the 64bit version. You do not require a 64bit operating system to do this, so it is better you create an IDA database on your PC and not your server.
Once opened, you will be prompted by the "Welcome to IDA!" screen.
welcometl.jpg

The icon on the task bar, and at the top left of the welcome screen, should have a red "64" at the top right corner.
37924696.jpg

This means you are running the 64bit version of IDA Pro, if you do not see the red "64" you are running the wrong version.

Click the "New" button, and then IDA Pro will open and prompt you with the "New Disassembly Database" window.
newqm.jpg

Double click the "PE Executable" Icon and IDA will then ask you to locate the PE Executable you wish to disassemble, which is your L2Server.exe, so navigate to your L2Server.exe and select it.
selectx.jpg

You will now be prompted with the "PE Executable file loading wizard", with the latest version of IDA Pro, you don't have to change any of the analysis options to get a decent database, but the more advanced users may want/need to change some settings to get a correct analysis. If you want to change these settings, check the "Analysis Options" box and click next. I typically uncheck "Delete instructions with no xrefs" and "Create offset if data xref to seg32 exists" (After analysis and string generation I usually re-enable the 2nd option and reanalze to fix the data that should be offsets, without breaking unicode strings). Then just keep clicking next until the wizard closes.
IDA may then ask you to locate various .dll files depending on what other extenders are already attached to the L2Server.exe you have loaded, you can either locate these files and load them, or just click cancel as they are not necessary for the creation of the database. IDA will also ask if you wish to locate the debug information file, which you don't have, so click No. ( It doesn't matter if you click yes or no, as IDA will not find that file either way )
Now IDA will start analysing your L2Server.exe, depending on your computer's performance this process could take 5 minutes, or something like 20 minutes. For me it takes no longer than 5 minutes, and you can tell when it has finished by the auto analysis status icon on the toolbar, which looks like a yellow circle when IDA is still analysing, and it will turn green when it is done, you will also see "The initial autoanalysis has been finished" in the output window at the bottom of the IDA screen. Older versions of IDA will automatically generate strings on completion of the analysis, but the version I'm using doesn't, and so I go to View->Open Subviews->Strings (or SHIFT+F12) to generate the strings.

Congratulations. You have now created your IDA Database.


Now comes the more difficult part, now you have created your IDA Database you need to use it to find and fix the length limit for the //announce function.

For peoeple who aren't familliar with the structure of the l2server it may be difficult at first to find your way around, but after a while it becomes pretty easy. NCSoft has made our job as extender developers a lot easier because of the way they handle crashes, anyone who has seen a LinError.txt will have noticed the call-stack dump containing a lot of function names, and this is ultimately the easiest way to find a function you are looking for, by searching in the IDA Strings window for the name of the function.

The function we need to find is the builder command handler function for the //announce command. So to start looking, go to the strings window, click search at the top of the screen, and then click search under that (or ALT+T Shortcut), and then as we are looking for the announce function, type announce into the box and hit enter. As your analysis may not go exactly the same as mine, and you may be using a different L2Server.exe, the strings that your search picks up may not be in the same order as mine.
The first result I get is 'set_interval_announce', which is another GM command, but not the one we are looking for, so I hit CTRL+T to find the next result, and my next results are, critannounce, delannounce, setannounce, and then the command we are looking for... announce. This string is the command which is stored in the builder command handler array, and you can use this string to find the announce function but it is easier to carry on searching for the actual announce function. So CTRL+T once more brings us  to exactly what we are looking for, BuilderCmd_announce, this string is the function name used by the L2Server for LinErrors, and so is referenced from the function we need.

So I hit enter in the Strings window, and that then opens the location of the string in the IDA View window, by using the keyboard shortcut CTRL+X IDA will then show you the xref's to that string. Click OK and IDA will now jump to where that string is referenced in our BuilderCmd_announce function. If you don't know assembly, this is the point where you will be quite confused by what is on the screen, and so I would suggest learning some basic assembly before attempting this.

For this part I am going to assume anyone reading this far knows some assembly and so you should be able to follow this pretty easily. I happen to know the reason for the character limit is because the L2Server copies only a maximum of 50 characters into the buffer which is sent to the "BroadcastToAllUser_Announce" function, which actually sends the announcement to the players ingame. To overcome this problem is an incredibly simple operation. The easiest way to find what we need to change is look for where the announcement string is copied into the buffer to be sent to the players, which is at the address 0x450A5E. The correct way to fix this function would be to overwrite the address in the builder command handler array for this function with a completely new function and rewrite the command handler function itself. But a much easier and much quicker way is to simply send the whole announce command string to the broadcast function instead of the buffer which contains the maxixmum 50 chars. The full announcement string is sent to the function from the builder command handler in the register r8, and at the top of the function the server moves the string (r8) into r12, so all we need to do is move r12 to rcx (the first argument register) for the function call rather than the limited buffer. To do this we need to replace the code at 0x450A63, with "mov rcx, r12". Which in opcode form is 498BCC, and as the code we are replacing is 8 bytes, and our new code is only 3, we must remember NOP the area, which means writing 0x90, for 5 bytes after our code. So we write 498BCC9090909090 to 0x450A63.

And it's done!

You could also just write the changes into the L2Server.exe using a hex editor, but that's far less fun.
The code for these changes can be found here: http://rapidshare.com/files/394471289/Extender.rar.html
And I hope that this guide helps more people become extender developers, because we are a rare breed in L2 these days, and it would be great to see more people doing things for themselves, rather than relying on dvampire or depmax to do everything for them.

Check this link for a guide of how to attach an extender to your L2Server.exe -> http://maxcheaters.com/forum/index.php?topic=154347.0

  • Like 2
  • Thanks 1
Posted

For the other people!!!!

 

 

China Exe Address(WHICH BTW IS THE LATEST BUILD AND THEREFOR SUPERIOR TO NORMAL C4 AND DVAMP EXE):

0x0043F7D6

 

Normal C4 Exe Address (Open PP / L2storm - amped 2.0a versions):

0x00450416

 

 

PS: Chicken helps you code.

 

Posted

so use it then, the only reason I didn't is because I don't redistribute other people's work without their permission, plus as this was only a demonstration project to replace 4 bytes, it wasn't needed... or I would of included my memory writing class.

Posted

:o Really great.

Very good job.

 

/offtopic: you are little anarchy?

 

/offtopic2: when you are giving to s/o +1 karma, you are losing one of yours?

  • 2 weeks later...
Posted

does it matter if i compile the source in 32-bit machine or 64-bit machine?

 

It would be fairly bad to try an inject a 32bit dll into a 64bit application ;)

  • 1 month later...
  • 4 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...