A guide explaining how to modify the Jade Dynasty client
Instructions for modifying the game client
Russian version here
As usual, we will use OllyDbg to disassemble the client and make some useful code corrections. You can choose another debugger if you wish; the modification technique is the same.
At the beginning, I’ll provide all steps with pictures.
Note: I use the Russian client, and its addresses differ from other clients.
1. How to remove “Screenshot was saved…” after taking the screenshot
Attach the debugger to the JD client (or open it in the debugger). In the CPU window: “Right click -> Search for -> Referenced string”.
In the “Text strings referenced” window, open the text search (“Right click -> Search for text”) and enter “screenshot” into the dialog box.
We know that a screenshot is always saved in the “Screenshot” folder, so we need to find the string “Screenshots”.
Select this address and press Enter to follow it in CPU window.
OK, above we see the format string for the screenshot filename (you can change it…), which means that we have found the function we need. If you wish, you can go to the beginning of the function and set a BP (breakpoint) at its first instruction, return to the game and press “Print Screen”. The BP stops the process and you can trace the function manually.
So we find out that there is a call at the end of the function.
Select this call and press Enter (follow the instruction).
Hm, we got it. The first JE instruction is unnecessary, and we change it to an unconditional jump:
004192A3 |. 0F84 31010000 JE 004193DA
->
004192A3 /E9 32010000 JMP 004193DA
2. Removing buildings
This modification will remove all static objects. In early versions of Perfect World, this patch made it possible to walk through all objects, but this bug has since been closed (in JD as well).
The following piece of code is from the Russian client. For other clients, you can use a binary search to find the first bytes of this function: 51 56 8B F1 57 33 FF D9
00432940 /$ 51 PUSH ECX ; elementclient.00432940(guessed Arg1)
00432941 |. 56 PUSH ESI
00432942 |. 8BF1 MOV ESI,ECX
00432944 |. 57 PUSH EDI
00432945 |. 33FF XOR EDI,EDI
00432947 |. D946 10 FLD DWORD PTR DS:[ESI+10]
0043294A |. D80D B84AA000 FMUL DWORD PTR DS:[0A04AB8] ; FLOAT 0.5000000
00432950 |. D95C24 08 FSTP DWORD PTR SS:[LOCAL.0]
00432954 |> D94424 08 FLD DWORD PTR SS:[LOCAL.0]
00432958 |. D804BD 103EAA FADD DWORD PTR DS:[EDI*4+0AA3E10]
0043295F |. D85C24 10 FCOMP DWORD PTR SS:[ARG.1]
00432963 |. DFE0 FSTSW AX
00432965 F6C4 01 TEST AH,01
00432968 75 65 JNE SHORT 004329CF
0043296A D94424 10 FLD DWORD PTR SS:[ESP+10]
0043296E |. D81CBD 103EAA FCOMP DWORD PTR DS:[EDI*4+0AA3E10]
00432975 |. DFE0 FSTSW AX
00432977 |. F6C4 41 TEST AH,41
0043297A |. 0F84 6E010000 JE 00432AEE
Changing the JNE instruction to JMP will prevent the client from drawing scene objects:
00432968 75 65 JNE SHORT 004329CF
->
00432968 EB 65 JMP SHORT 004329CF
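As an added example (not part of the original guide), the following Python decodes the branch encodings used in both patches above, shows why the JE’s rel32 grew from 0x131 to 0x132 when it became a 5-byte JMP, and runs the kind of integrity check anti-tamper code performs at such sites. The sample bytes are the two sites from this guide; the function names and the lookup table are my own.

```python
import struct

# Branch encodings that appear in this guide (x86, 32-bit code).
# Constructed lookup table: opcode bytes -> (mnemonic, displacement width in bytes).
BRANCHES = {
    b"\x0f\x84": ("JE", 4),   # near conditional, rel32 (6 bytes total)
    b"\x0f\x85": ("JNE", 4),
    b"\xe9": ("JMP", 4),      # near unconditional, rel32 (5 bytes total)
    b"\x74": ("JE", 1),       # short conditional, rel8 (2 bytes total)
    b"\x75": ("JNE", 1),
    b"\xeb": ("JMP", 1),      # short unconditional, rel8 (2 bytes total)
}

def decode_branch(addr, code):
    """Decode a relative branch located at virtual address `addr`.

    Returns (mnemonic, length, target) with target = addr + length + displacement.
    Because the target is relative to the *end* of the instruction, shortening a
    6-byte JE into a 5-byte JMP forces the rel32 up by one (0x131 -> 0x132) to
    keep landing on the same address, which is exactly what the listing shows.
    """
    for opcode, (mnem, width) in BRANCHES.items():
        if code.startswith(opcode):
            length = len(opcode) + width
            fmt = "<i" if width == 4 else "<b"
            disp = struct.unpack(fmt, code[len(opcode):length])[0]
            return mnem, length, addr + length + disp
    raise ValueError("not a supported branch encoding")

def check_site(addr, pristine, observed):
    """Integrity check of the kind anti-tamper code runs over known branch sites.

    Compares the bytes currently at `addr` with the pristine ones and classifies
    the change; a conditional branch rewritten into an unconditional one with
    the same target is the signature of the patches described in this guide.
    """
    if observed[:len(pristine)] == pristine:
        return "intact"
    orig = decode_branch(addr, pristine)
    now = decode_branch(addr, observed)
    if orig[0] != "JMP" and now[0] == "JMP" and orig[2] == now[2]:
        return "tampered: %s forced to %s, target %08X" % (orig[0], now[0], now[2])
    return "tampered: unexpected bytes"

# Constructed samples: the two sites from this guide, before and after patching.
# At the screenshot site the old sixth byte (00) survives after the 5-byte JMP.
SCREENSHOT_SITE = (0x004192A3, bytes.fromhex("0F8431010000"), bytes.fromhex("E93201000000"))
OBJECTS_SITE = (0x00432968, bytes.fromhex("7565"), bytes.fromhex("EB65"))

if __name__ == "__main__":
    for site in (SCREENSHOT_SITE, OBJECTS_SITE):
        print("%08X: %s" % (site[0], check_site(*site)))
```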
3. Remove limitation for Camera distance
4. Jump hack
5. Video un-freeze
(c) Dwar