Client modification
Soon I’ll post a guide explaining how to remove the client version check, how to unfreeze video, etc.
1. How to remove “Screenshot was saved…” after taking the screenshot
Find the string “Screenshot”:
004373F2 |. 68 98BA9200 PUSH OFFSET elementclient.0092BA98 ; ASCII "%sScreenshots"
You can set a breakpoint at the beginning of the function and press “Print Screen” while the client window is active. Tracing to the end of the function, after the screenshot has already been written, you reach another CALL 00413EA0:
0043796D |> /8B49 24 MOV ECX,DWORD PTR DS:[ECX+24]
00437970 |. |50 PUSH EAX ; /Arg2
00437971 |. |68 FF0000FF PUSH FF0000FF ; |Arg1 = FF0000FF
00437976 |. |E8 25C5FDFF CALL 00413EA0
Inside CALL 00413EA0 the first instruction we see is a JE, and clearly this condition is what we don't need, so we make the jump unconditional (the near JMP is one byte shorter than the JE, so the displacement grows by one; the stray sixth byte is never executed):
00413EC3 /0F84 31010000 JE 00413FFA
->
00413EC3 /E9 32010000 JMP 00413FFA
2. How to unfreeze the client window
Find the following string: “CECGame::Run(), break because CECGameRun::Tick return false”
0042DD17 |. 68 40AB9200 PUSH OFFSET elementclient.0092AB40 ; ASCII "CECGame::Run(), break because CECGameRun::Tick return false"
0042DD1C |. 6A 01 PUSH 1
0042DD1E |. E8 FD5B3100 CALL 00743920
0042DD23 |. BA B0BB9800 MOV EDX,OFFSET elementclient.0098BBB0
0042DD28 |. 83C4 08 ADD ESP,8
0042DD2B |. 85D2 TEST EDX,EDX
0042DD2D |. EB 30 JMP SHORT 0042DD5F
0042DD2F |> 389E 28040000 CMP BYTE PTR DS:[ESI+428],BL
0042DD35 |. 0F84 84000000 JE 0042DDBF
We need to NOP out two instructions:
0042DD2D |. EB 30 JMP SHORT 0042DD5F
0042DD2F |> 389E 28040000 CMP BYTE PTR DS:[ESI+428],BL
The result will be:
0042DD17 |. 68 40AB9200 PUSH OFFSET 0092AB40 ; ASCII "CECGame::Run(), break because CECGameRun::Tick return false"
0042DD1C |. 6A 01 PUSH 1
0042DD1E |. E8 FD5B3100 CALL 00743920
0042DD23 |. BA B0BB9800 MOV EDX,OFFSET 0098BBB0
0042DD28 |. 83C4 08 ADD ESP,8
0042DD2B |. 85D2 TEST EDX,EDX
0042DD2D 90 NOP
0042DD2E 90 NOP
0042DD2F 90 NOP
0042DD30 90 NOP
0042DD31 90 NOP
0042DD32 90 NOP
0042DD33 90 NOP
0042DD34 90 NOP
0042DD35 0F84 84000000 JE 0042DDBF
Note: this modification will cause high CPU consumption.
3. Bypass Launcher
Piece of cake. Find the string shown in the message box when you try to launch the client directly: “Please start game from launcher”
0043C5FD |. 75 29 JNE SHORT 0043C628
0043C5FF |. 6A 10 PUSH 10 ; /Type = MB_OK|MB_ICONHAND|MB_DEFBUTTON1|MB_APPLMODAL
0043C601 |. 68 6CA99200 PUSH OFFSET elementclient.0092A96C ; |Caption = "ERROR"
0043C606 |. 68 E4C89200 PUSH OFFSET elementclient.0092C8E4 ; |Text = "Please start game from launcher"
0043C60B |. 50 PUSH EAX ; |hOwner
0043C60C |. FF15 88268B00 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
The JNE instruction is the key:
0043C5FD |. 75 29 JNE SHORT 0043C628
->
0043C5FD EB 29 JMP SHORT 0043C628
Now we can start the client without the launcher.
4. Multi-client
As written above, and as usual, we must find the string “Game is currently running”:
0043D66B |. 74 1E JE SHORT 0043D68B
0043D66D |. 6A 10 PUSH 10
0043D66F |. 68 6CA99200 PUSH OFFSET 0092A96C ; |Caption = "ERROR"
0043D674 |. 68 1CCB9200 PUSH OFFSET 0092CB1C ; |Text = "Game is currently running. You can't start another process!"
0043D679 |. 6A 00 PUSH 0 ; |hOwner = NULL
0043D67B |. FF15 88268B00 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
The JE instruction before the MessageBoxA call is the one we don't need:
0043D66B |. 74 1E JE SHORT 0043D68B
->
0043D66B EB 1E JMP SHORT 0043D68B
Now we can run multiple clients.
In the attachment you will find a simple patcher for the Russian official server.
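The four patches above all come down to the same two byte-level operations: rewriting a conditional branch as an unconditional one, or NOPping a span. The added example below (not from the post and not the attached patcher) re-derives the exact encodings listed above from the branch address and target, and uses the same table to tell whether a given copy of the client is stock, carries these known patches, or has been altered in some other way. The flat VA-to-offset mapping and the filler image are assumptions for running it offline; on a real PE file the VA has to be translated through the section table.

```python
import struct

def jmp_short(addr, target):
    """EB rel8: the displacement is relative to the end of the 2-byte instruction."""
    rel = target - (addr + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target not reachable with a short jump")
    return b"\xEB" + struct.pack("<b", rel)

def jmp_near(addr, target):
    """E9 rel32: the displacement is relative to the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", target - (addr + 5))

# Patch sites from the post: name -> (VA, stock bytes, patched bytes). The 6-byte JE at
# 00413EC3 becomes a 5-byte JMP (displacement 0x131 -> 0x132); its 6th byte is left in place.
ORIG_JE = bytes.fromhex("0F8431010000")
SITES = {
    "screenshot_msg": (0x00413EC3, ORIG_JE, jmp_near(0x00413EC3, 0x00413FFA) + ORIG_JE[5:]),
    "unfreeze":       (0x0042DD2D, bytes.fromhex("EB30389E28040000"), b"\x90" * 8),
    "launcher":       (0x0043C5FD, bytes.fromhex("7529"), jmp_short(0x0043C5FD, 0x0043C628)),
    "multiclient":    (0x0043D66B, bytes.fromhex("741E"), jmp_short(0x0043D66B, 0x0043D68B)),
}

def classify(image, base_va):
    """Per site: 'original' (stock bytes), 'patched' (the post's patch) or 'unknown'.
    Assumes a flat image where VA - base_va is the byte offset (a real PE needs section mapping)."""
    result = {}
    for name, (va, original, patched) in SITES.items():
        window = image[va - base_va:va - base_va + len(original)]
        result[name] = "original" if window == original else "patched" if window == patched else "unknown"
    return result

def apply_patches(image, base_va, names):
    """Return a patched copy; refuse to write a site whose bytes are not the stock ones."""
    buf = bytearray(image)
    for name in names:
        va, original, patched = SITES[name]
        off = va - base_va
        if bytes(buf[off:off + len(original)]) != original:
            raise ValueError(f"{name}: bytes at {va:#010x} are not the expected original")
        buf[off:off + len(patched)] = patched
    return bytes(buf)

def build_sample_image(base_va=0x00410000, size=0x30000):
    """Constructed stand-in for elementclient.exe: filler with only the four sites populated."""
    buf = bytearray(b"\xCC" * size)
    for va, original, _ in SITES.values():
        buf[va - base_va:va - base_va + len(original)] = original
    return bytes(buf)
```

Running classify over a real client image before and after patching is a quick way to confirm that only the intended sites changed.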
Soon, material on client modification will be posted here: launching without the updater, bypassing the client version check, multi-windowing, unfreezing video, etc.
For those who don't want to read or wait, attached is a small patcher for the Russian PW client.
P.S. The patcher was written a long time ago, but, if I'm not mistaken, the client's main executable modules have not changed since then.