ExJam

In a bid to compete with xadet’s blog I have realised I must post something useful on here, so I have come up with the idea of this tutorial which is rather patronisingly title ‘My First Inject DLL’, how whimsical of me. Also this allows me to continue the TRose.exe name colour tutorial properly, which expect to come very soon (I can’t be bothered to wait for Ruff to come back up, I am just going to do it without running ROSE )

In this tutorial we will make an EXE to inject our DLL into ROSE Online, or any other program, but of course this tutorial will focus on ROSE, we will also learn how to do hook code and how to call functions in the ROSE online exe, how exciting does that sound? Very.

So go ahead and create a new solution and add a win32 console application project, tick Empty Project so visual studio does not create worthless code that we do not want! Note that this first project will be for the EXE so name it something applicable, such as ‘My First Injector’!

Obviously the first thing to do with our new project is add a main.cpp file and put in the default code:

int main(int argc, char** argv){
	return 0;
}

Brilliant start I would say, now we have to add #include as pretty much every function we use will be from the windows API! Before we can attempt to inject any dll we must start the application so we shall use CreateProcess for that.

So here is a snippet showing you how to use it:

char* exename = "TRose.exe @TRIGGER_SOFT@ _server 127.0.0.1"

STARTUPINFOA si = { sizeof( si ) };
PROCESS_INFORMATION pi;

if(!CreateProcessA(NULL, exename, NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi)){
	printf("Failed to CreateProcess for trose.exe!\n");
	return 0;
}

Once we have called CreateProcessA, if it succeeds, it will return the new process handle in ‘PROCESS_INFORMATION pi;’ struct, we can now use this handle for injecting our dll, I went ahead and put the actual injection code in a separate function, ill paste the code below and then explain it to you:

bool InjectDLL(HANDLE hProcess, const char* dll){
	DWORD dwWritten;
	LPVOID pStringInRemoteProcess;

	if(!hProcess) return false;
	pStringInRemoteProcess = VirtualAllocEx(hProcess, 0, strlen(dll)+1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

	if(pStringInRemoteProcess == NULL) return false;

	WriteProcessMemory(hProcess, pStringInRemoteProcess, dll, strlen(dll)+1, &dwWritten);
	if(dwWritten != strlen(dll)+1) return false;

	CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA"), pStringInRemoteProcess, 0, 0);
	return true;
}

So yes this looks complicated, but it is all required! Basically, we use VirtualAllocEx so we can allocate memory in the remote process (TRose.exe) with which to write the dll name, as obviously we cannot call a function across processes with its parameters coming from our process! WriteProcessMemory then writes this dll name to the previously allocated memory. Now the main code, CreateRemoteThread, this does as named, it creates a new thread in the remote process of TRose.exe! This code automatically runs the function LoadLibraryA which is imported from kernel32.dll, and passes it the argument of the pointer to the previously allocated memory which contains our dll’s name!

That was complicated and it is not important that you understand it as the windows API is funtastic, the main point of this tutorial is to teach you about the actual inject dll, not the exe which injects it!

So my final code for the main procedure is:

int main(int argc, char** argv){
	const char* dllname = "myfirstinject.dll";
	char* exename = "TRose.exe @TRIGGER_SOFT@ _server 127.0.0.1";

	STARTUPINFOA si = { sizeof( si ) };
	PROCESS_INFORMATION pi;

	if(!CreateProcessA(NULL, exename, NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi)){
		printf("Failed to CreateProcess for trose.exe!\n");
		return 0;
	}

	if(!InjectDLL(pi.hProcess, dllname)){
		printf("Failed to inject the dll!\n");
		return 0;
	}

	printf("Successfully injected the dll to TRose.exe!\n");

	return 0;
}

You should customise that code to include your dll’s name and the IP of the server you will be connecting to!

Now we shall add a new project to the solution for the dll, set it as a win32 console application but then in the wizard that comes up select DLL for the application type and tick the empty project again .

Once again add a main.cpp or whatever you like to call it and add the entry point code, it is slightly different for a dll:

#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved){
	UNREFERENCED_PARAMETER(hModule);
	UNREFERENCED_PARAMETER(lpReserved);

	switch(ul_reason_for_call){
		case DLL_PROCESS_ATTACH:
			break;
		case DLL_PROCESS_DETACH:
			break;
	};

	return TRUE;
}

So now is where the magic happens, the main point in this tutorials existence and it only took 730 words to get here! Yay!

I am sure you can decipher the code above, UNREFERENCED_PARAMETER is a macro used to prevent the compiler giving me warnings about unreferenced formal parameters, from the switch cases I believe it is simple that the code we will be writing will be in the ATTACH section but I have included the detach case if you wanted to do any clean up or dumping .

The first thing we are going to do is rival xadet’s recent post on sending chat messages to ROSE but hopefully our end result will be prettier because we are using C++ and not that .NET managed rubbish.

We are going to hide the code in a header file so it can be reused in your other applications, so go ahead and create a file called ‘RoseAPI.hpp’ or whatever you want, but that is what I am calling mine .

Because the function which adds text messages to the chatbox is actually a class function we need to create a fake class, following the naming convention from xadet’s tutorial I shall call it CIT_MGR, it will be defined simply by adding a small declaration to the header, I have also added a function which returns the IT_MGR class from the TRose memory by casting 0×697AD0 (which is the location of this class in TRose.exe) to a CIT_MGR* pointer.

class CIT_MGR {};

static inline CIT_MGR* IT_MGR(){
	return reinterpret_cast<CIT_MGR*>(0x697AD0);
}

That was simple, now it gets a bit more complicated, we must define the function declaration which is:

typedef void (__thiscall IT_MGR::*PTR_AddChatText)(const char* message, int type, unsigned int customColour);

As you can see it uses the __thiscall mechanism which states it is a call to a class function, this looks like a typical function pointer, you can read more about them here.

The next part requires some trickery due to how class function pointers work, due to the nature of class pointers we cannot directly convert an address to a class pointer which is why I have found this rediculous method:

const int addr_TR_AddChatText = 0x48D890;
static const PTR_AddChatText TR_AddChatText = *((PTR_AddChatText*)&addr_TR_AddChatText);

#define AddChatText (IT_MGR()->*TR_AddChatText)

This may look silly but oh well, the advantage we have over xadet’s methods is the pure usability of my code, no ASM required, just pure C++ trickery going on here. The first variable has the address to the function, this is then followed by the function pointer, as you can see I have crazy pointer casting going on as this is the only way to prevent any compiler errors about converting an int to a class function pointer. The define I have added is for usability, it allows the code to be easily called, thus allowing me the functionality of:

AddChatText("I am a chat message", ChatType::ALL, 0);

How handy and neat and tidy and stuff is that final code, the method to get it may have been messy due to the use of class function pointers but I am sure you will let me off with that as it is hidden away in a header file anyway!

There is only one problem with this, we have no way of really using this AddChatText as we can’t add the text when the DLL is attached as the game is only just starting! We need some sort of trigger… Some sort of ‘hook’…

How about when the client uses a / command?! Genius plan.

To do this we need to place a hook where our code will be executed whenever the client attempts to send a chat message beginning with a ‘/’, to do this we are going to hook the send packet location! Hurray.

First off I am going to provide you with a generic function used to hook code:

void ApplyJmpHook(unsigned char* code, unsigned char* location, int nops = 0){
	DWORD oldProtect;
	VirtualProtect(code, 5 + nops, PAGE_EXECUTE_READWRITE, &oldProtect);
	code[0] = 0xE9;
	*(int*)(code+1) = (int)location - ((int)code + 5);
	if(nops > 0) memset(code + 5, 0x90, nops);
	VirtualProtect(code, 5 + nops, oldProtect, &oldProtect);
}

ApplyJmpHook takes 3 parameters, the code to place the hook and where this hook will redirect to, it also allows a specified amount of NOP commands to be added after the JMP. In this function you can see VirtualProtect being used, this is because the executable memory in an exe is usually protected against writing, VirtualProtect allows us to write over the code memory. The rest of the code is merely writing the code to memory, 0xE9 is the prefix for the JMP command, then I write the address for the JMP, then 0×90 is a NOP command.

Beautiful. Now this function can be used in such a way like ApplyJmpHook(roseCode, &MyFunction, 1); In order to apply this hook we need to know where the SendPacket code is, I am not going to show you how to find it as that would be another long tutorial, instead I am kind and provide you with this address to use: 0×00402D5E and I shall also inform you that this hook needs 0 NOPs . (NOP is used to allow OllyDBG to read the code properly after we have modified it, if our code overwrites only half of a command we need to NOP the other half of it!)

There is just one more problem with this, we can’t make it JMP directly to a C++ function as it will not have the correct arguments and will lead to errors! So first we must make a little wrapper function like the one below:

static const char* TROSE_PacketEncryption = reinterpret_cast<const char*>(0x00405020);
static _declspec(naked) void ASMOnSendPacket(){
	_asm{
		PUSH ECX
		PUSH ESI
		CALL CppOnSendPacket
		POP ECX
		CALL TROSE_PacketEncryption
		POP ESI
		RETN 0x04
	}
}

Hurray, now we can declare a function CppOnSendPacket and hook the ROSE code using:
(Note that we must apply the hook in the DLL_ATTACH code!)

bool CppOnSendPacket(char* packet);
ApplyJmpHook((unsigned char*)0x00402D5E, (unsigned char*)&ASMOnSendPacket, 0);

Now it is just a matter of reading the packet, detecting if it is a chat packet and reading the chat message to look for our / commands!

bool __stdcall CppOnSendPacket(char* packet){
	unsigned short size = *(unsigned short*)packet;
	unsigned short command = *(unsigned short*)(packet + 2);

	if(command == 0x783 && size > 7){
		char* message = packet+6;
		if(_strcmpi(message, "/hello") == 0){
			AddChatText("Hello Mr. ROSE Man", ChatType::SYSTEM, 0);
		}
	}

	return true;
}

WOOOT! So now when a player types /hello in game they should be presented with a friendly message saying “Hello Mr. ROSE Man”, how lucky are they!

That is the end of this absolutely massive tutorial! At this point it is currently 1820 words long and took a long time to write haha oh well. This tutorial was needed as it is a prerequisite for other tutorials such as the name colour tutorial part 3 (which I have already wrote 500 words of but realised I needed an inject dll to continue!) and the upcoming tutorial on creating 100% custom dialogs in ROSE!

As usual the source for this tutorial is available, download it here.

1909 words, nice.

admin C++, Open Source, Programming, ROSE Online, Reverse Engineering, Tutorials

I just figured out how to do this so I thought I would share it, any of you out there using C++ with ROSE dlls like TriggerVFS.dll will have before used messy code like:

TriggerVFSDLL = LoadLibrary(_T("TriggerVFS.dll"));
if(TriggerVFSDLL == NULL) return;
OpenVFS = (EXPORT_OpenVFS)GetProcAddress(TriggerVFSDLL, "_OpenVFS@8");
CloseVFS = (EXPORT_CloseVFS)GetProcAddress(TriggerVFSDLL, "_CloseVFS@4");

There is a much better way to do this, most of the time when using dlls you link them to the compiler with .LIB files, which most people assume can only be made when you have the source code. This is not true! There is an easy way to create a .LIB, in this example I will be using TriggerVFS.dll.

So lets make a new project in Visual Studio, create a new project with type of “Win32 Console Application” when the project creation wizard comes up set the Application Type to DLL (NOT static library!!) tick the Empty Project option or the wizard will generate a bunch of rubbish we don’t want! Yay blank project, add a new header file and we shall start some code .

First we must get a list of all the functions we want to import and their formats, luckily ages ago there was a release of a VFS class to use the dll (it is where that code above with the GetProcAddress stuff is from) so all the hard work reversing has been done for us, hurray .

Here is the code from the old original header file:

typedef INDEXHANDLE (__stdcall *EXPORT_OpenVFS)          (const char *idxfile, const char *mode);
typedef DWORD       (__stdcall *EXPORT_CloseVFS)         (INDEXHANDLE handle);

And cleaned up to show only the format:

INDEXHANDLE __stdcall OpenVFS(const char *idxfile, const char *mode);
DWORD __stdcall CloseVFS(INDEXHANDLE handle);

So now we know these two functions we can go ahead and add them to this header file like this:
(I changed DWORD to unsigned long as DWORD is a definition found in windows.h files, no need.)

#ifdef TRIGGERVFS_EXPORTS
#define TRIGGERVFS_API __declspec(dllexport)
#else
#define TRIGGERVFS_API __declspec(dllimport)
#endif

typedef unsigned long INDEXHANDLE;
typedef unsigned long FILEHANDLE;

extern "C" TRIGGERVFS_API INDEXHANDLE _stdcall OpenVFS(const char* idxfile, const char* mode);
extern "C" TRIGGERVFS_API unsigned long _stdcall CloseVFS(INDEXHANDLE handle);

You may be wondering what the #ifdef is all about, it is there so we can reuse this header file for both creating the library and using the library in your applications. As we are building this library we have to define TRIGGERVFS_EXPORTS, to do this, open project properties, go to C/C++ -> Preprocessor -> Preprocessor definitions and add the value TRIGGERVFS_EXPORTS to the list.

extern “C” is required or the compiler will decorate the functions in a c++ style which basically adds a bunch of letters and symbols to the name which describe what arguments the function takes.

_stdcall is the ‘calling convention’ used in TriggerVFS.dll

So that’s the header file complete (well missing the rest of the functions, but I am not going to post them ALL!)

Now add a .cpp file to the project, in this we will just provide dummy functions to make the compiler create the dll and lib.

#include "TriggerVFS.h" //If this is what you called the header from before!

extern "C" TRIGGERVFS_API INDEXHANDLE _stdcall OpenVFS(const char* idxfile, const char* mode){
    return 0;
}

extern "C" TRIGGERVFS_API unsigned long _stdcall CloseVFS (INDEXHANDLE handle){
    return 0;
}

This should be sufficient for everything to work nicely, open project properties and change C/C++ -> Optimization -> Whole Program Optimization to No or whenever you use the generated libraries you will get some annoying warnings .

Go ahead and hit compile, note that you only should use the .lib file, not the generated .dll as that will just have our dummy functions, instead go steal the TriggerVFS.dll from your ROSE directory .

Now feel free to include your new header and link your .lib in your program and the linker will automagic fixup the dll imports so we can use TriggerVFS.dll without nasty winapi calls .

Here is my final solution TriggerVFS .lib it also includes a class for working with VFS, very similar to the one already available.

admin C++, Open Source, Programming, ROSE Online, Tutorials

I was bored so I decided to figure out the China-ROSE Patch format, and I have nothing better to do so I shall release it here. Expect a ‘China-ROSE Patch Stealer’ program to come out soon .

http://update.iqicheng.com/
1. Vertions.zip {Use Password 1}
2. ServerList.zip {No Password}
3. Using ‘vertions’ patch versions, /_67555_patchlist.zip
4. /_67555_patchlist.zip {Use Password 1}
5. Patch Files: /_67555_patchlistPath/1_2019_2723778792.zip
- Where 67555 == 1 << 16 | 2019
- 2723778792 = ROSE hash of filename (same thing as quest hashes)

Password 1:
3asfqvf`~sdvo?uoyk;jqad85tuiuw*riha3lkpuj,ghfz10/sf9hg.,jfts1fsdf

Serverlist.lst Fileformat:
Text based format, open in text editor to seee Basically its “ServerName, ip, ip, unk” with mix of whitespace and tabs inbetween

Vertions.lst Fileformat:
This is just a list of file versions on each line (0×0D0A seperator..)

Patchlist Fileformat:
dword version
dword count {
byte unk
dword version
dword CRC-32
dword strlen
string filename
dword strlen
string vfsname
}
byte password length
string password for zips!

admin Open Source, ROSE Online, Reverse Engineering

I am sure everyone knows that the ROSE Online servers are rubbish at protecting against SQL Injections. There are vulnerable queries everywhere, making it rather annoying when it comes to patching them.

Even if you fix one injection someone will come along and exploit a different one. To prevent this why not patch every single SQL query in the server? Sounds good to me.

Finding and patching every query manually would be one giant pain in the ass though, so I decided to come up with a better solution.

So I asked myself the question: Where does every query end up going? Eventually they all have to go through one bit of code to be sent to the MSSQL Server.

So i opened the login server and made OllyDGB show me a list of all referenced text strings, looked down, found “{CALL UserAuthenticate(’%s’);}”, sounded good to me, put a breakpoint on it and went to login. Followed the breakpoint and ended up in a function in ODBC32.dll called SQLExecDirectA.

So that is the function that all ROSE servers use to send off their SQL queries, how exciting.

The first step was to hook this function! Easy enough, make a new dll, use LoadLibrary to get the ODBC32.dll handle, GetProcAddress to get the location of SQLExecDirectA. Using this dynamic method makes it work on any server that uses ODBC32.dll, much nicer than writing down all the addresses!

Blah blah blah, after the fun ASM stuff we end up with a query string, what do we do with that? We have to use some cleverness to scan it and decided whether or not it is safe or a meany! There are a few problems with this as queries can come in many different forms, first you need to filter out all the rubbish.

I started by making my code remove all strings (anything within ” and ‘) and all comments (anything in /**/). Then I decided to create a list of banned keywords, this includes things such as ‘–’ and ‘..’ both of which are handy in an attack (– to comment out the rest of code after attack and .. used to select databases) I had to be careful to make sure this would not block any existing queries in ROSE. Doing some research I found multiple methods of ‘evading’ these sorts of filtering methods and decided to also ban a few other keywords such as EXEC which can be used in a fashion like EXEC(”SEL” + “ECT * FROM ” + … etc) which splits up a keywords to evade detection.

Another filter method is to allow only one query per transaction, so if a query was like “SELECT * FROM UserInfo WHERE user=”; DELETE * IMMAHAXOR;–” it would be prevented. This stops pretty much every SQL injection attack as long as they are not hiding their query using methods such as EXEC, but due to the keyword banning that would be stopped aswell. I found only one case where this single transaction would be prevent a real ROSE query and that was with ”DELETE FROM tblWS_MEMO WHERE (intSN IN (SELECT TOP”, so I added an exception for this.

On contrary to what I posted on the Ruff-Rose forums I have decided I will not release the full source code but I will release a framework with an empty SQL scanning function (so basically you have to do the hard bit). I might consider a binary release at some point in the future after I have confirmed my fix is fully functioning.

Download the frameworkz: ODBC32 SQL Scanner Framework (you need to edit ScanSQLStatement.cpp)

admin C++, Programming, ROSE Online, Reverse Engineering, Tutorials

Do you know what sucks? When you want to write the next part of a tutorial but your server is not online! How rude is that?

In the mean time I have been occupying myself by doing nothing, what a great use of my time!

Although I could have easily finished that oh so nice looking .CHR editor which I think I shall put effort in to do now, but it is mega effort .

However, I recently reformatted my computer due to the aforementioned virus and can no longer get a good colour scheme going in Visual Studio! I hate it, very annoying!

On an unrelated note, exams suck, although only 2 days of school left ever ever (then I am off to university), but yes exams until the 18th June, not fun at all. Oh well it has to be done!

This was a rather uninteresting and pointless blog post, so I don’t know why I even bothered, other than to tell you I will probably work more on my CHR editor. That could have been a much quicker post if I just used that sentance but then you would not have got latest information on pointless things.

Oh yeah I have been working more on the new Ruff-Guru, it now has a beautiful banner and a lovely drop down menu thingy, here is a beautiful picture for you:

 

admin Ruff-Guru, Uncategorized

Today I found an iframe exploit on the website, every index.php page had code added to the bottom creating an iframe pointing to a (most likely) malicious website.

I have not visited the website but it is highly likely that the page is designed to infect your computers through browser based exploits.

I highly suggest you scan your computer with a program such as Spybot S&D.

Sorry for this, I had a virus on my computer and I believe it stole my FTP login details, password changed and now this should not happen again!

admin Uncategorized

Soo I have finally started part 2, thanks to Ruff being brought back online gogo deebee powarr.

The first step its to return to where we were last time, so open ROSE Online, find a player that is gonna be sitting around for a while, attach OllyDBG and go to the code we found last time (address: 0×00487F92, Ctrl+G for goto!)

Now we should establish where exactly the colour to draw the player name is coming from. The first thing is to identify which argument the colour is which is passed to the function, below I have a lovely picture showing you some info . As you can see from the screenshot I placed a breakpoint on the player name draw function, and observed the values in the stack (the stack is shown in the bottom right window.) It is unsure how many arguments there are in the stack but you can guess that it will be atleast 6 as that is how many there are until the player name!

Looking at the values there is one which is 0xFFFFFFFF, that looks very interesting, remember that a colour can have up to 4 components: red, green, blue and alpha, all of which can have a value between 0 and 255. A value of 0xFFFFFFFF indicates 4 colours all of which have the value 255, that means it is the colour white with 100% alpha (solid, no transparency.)

See how I said in the first tutorial reverse engineering is more about the thinking than the technical skill! Now that we have realised it is ‘argument 4′ we can count backwards from the function call all the PUSH commands until we get to number 4 this shows us where the argument is added. The PUSH command ‘pushes’ a value onto the top of the stack; knowing that the stack is used for arguments and such things we know that these are the values that get passed to the function!

So now we have that argument 4 we see that it is added by a command ‘PUSH ECX’, so lets be clever and see what sets that value of ECX. Look up a few lines and BAM there it is at 0×00487F61: MOV ECX,DWORD PTR SS:[ESP+14]. Right this is interesting, it gets the value from the stack, now you must know the stack is not used purely for function calls but also sometimes used for local variables inside a function. One problem with this is that the stack moves around quite a bit, although it does have a base, at the moment it uses ESP+0×14, but it could be something else. Oh well, lets look upwards in the code and try and find anything which could be of some use! Nothing too obvious on there, so I suggest at this point we go to the first line of the function (0×00487D00 SUB ESP,78) and place a breakpoint.

Once the code hits this breakpoint it is simply stepping through till we see anything setting a value of 0xFFFFFFFF, note that a ’step over’ (F8) will be sufficient for this as the value is set in a local variable so we will not need to go into any called functions!

Wow that was very quick and easy, it gets set in the very next line!! I bet you were not expecting it to be that easy! Note how it is only setting the register EAX, which means it is very temporary at the moment! We must find where it uses this EAX now, so this really is as simple as looking down to see where EAX is used!

Right, we can see that the value in EAX is now being copied to the location ESP+0×10, note how that is very similar to the ESP+0×14 we found earlier, I told you how the stack can move around! .

Now we have pretty much all information we will need to manipulate name colours, the next (and final) part of this mini-tutorial series will show you how to set this value and will involve actually writing some assembly instead of reading it! YAYYY!

(Sorry if you were expecting to do that in this part 2 thingy, I just felt as this section began getting big it would be good to seperate the tutorial here as the next part will also be rather large! Oh and i also apologise for that very large block of text at the beginning, pictures are indeed prettier.)

admin ROSE Online, Reverse Engineering, Tutorials

Long time no post!

I will finish the tutorial when Ruff-Rose comes back online which should be very soon as deebee has been very hard at work with his mega database skills recovering all the data that was lost to those meany hackers! I have hopefully fixed the flaw which allowed their hack so it should not happen again (hopefully ).

Obviously I cannot actually carry on with the tutorial till I can connect to a server again, otherwise I would have done it by now, so that is something for all you to look forward to, yayyy .

Oh also I updated that Other Projects page which had nothing on for a long time!

Lately I have been working on a new version of Ruff-Guru as Dae has decided that he doesn’t have the time to maintain it; that prompted a complete overhaul of the backend of ruff-guru and hopefully a very prettier, easier to use frontend for anyone of you who happen to use it.

Don’t really have that much to show you from it as I have spent a very long time working purely on the backend of it, which is a massive job, reading in all that STB data, prosesessing it to get rid of the crap and then spitting out a lovely MySQL database for the web server to use .

Here is a picture of a lovely unfinished table which I stole the style from ruff-rose.com for:

(Why did i post a picture? Because it makes my website look prettier.)

admin Uncategorized

So I am bored and don’t really have anything to do so I have decided to write a tutorial to help people better understand reverse engineering, and hopefully show them it is not as hard as it looks! Ability to read ASM is necessary but reverse engineering is more about using your brain, you have to think, hmmm if I want to track down this particular function how could I go about it.

Assembly language is very basic, no where near as complicated as it looks, I am not going to teach you it but you can learn alot about it from here:
http://webster.cs.ucr.edu/AoA/DOS/index.html

And there is also a great instruction list here to lookup unknown instructions:
http://courses.ece.illinois.edu/ece390/books/labmanual/inst-ref-general.html

You will need OllyDBG and some basic assembly knowledge!

So to start with, run ROSE and connect to whatever server you play on!

Now open up OllyDBG and go File->Attach, try and find TRose.exe in the list, I look for ‘C:\Program Files\Triggersoft\RuffRose\TRose.exe’ in the Path column, but that obviously will not be the same path for everyone! So hit the attach button and leave it for a second whilst ollydbg attaches itself.

The first thing it will do is ‘pause’ trose.exe so go Debug->Run (or F9) this will enable ROSE to run normally, get ingame so you are running around enjoying yourself, this is where the fun starts.

So the aim of this tutorial is to add name colours for players who reach a certain level such as in Ruff-Rose where peoples names become orange at level 210.

In order to do this we need to find where in TRose.exe this name drawing goes on, the first thing is to show the code for TRose.exe as by default the code for ntdll is usually shown. To do this hit the blue button in the toolbar with E on or View->Executable Modules (Alt+E). This should bring up a list of dlls and exes, hit the column header saying path to order them alphabetically and look for  ’C:\Program Files\Triggersoft\RuffRose\TRose.exe’ or whatever your TRose.exe path is, double click on it (sometimes you have to do this twice for the code of trose.exe to come up, the picture below shows how it should look now)

Right, so now we need to find where it actually draws the other characters names! In order to do this we need to go ingame and actually position ourselves at a point where someone’s name is visible on screen. Now we need to use our brain a little, I am sure most of you know that the znzin.dll is what handles the rendering for ROSE Online, so we can start by looking at this.

In the executable modules list right click on znzin.dll and click View Names (Ctrl+N), this will show all the Exports and Imports from znzin, hit the ‘Name’ column header to order it alphabetically. So using our brain we are trying to look for something that draws text, hmmm maybe if we scroll down and look for functions with names like ‘drawXXXXXXX’.

We do not know which one is used by ROSE to draw player names so we should place a breakpoint on one at a time, this will pause the execution of ROSE and allow us to view what is happening when the code gets to those functions. To place a breakpoint click on each drawFontXXX, select it and press F2 (or Right Click->Toggle Breakpoint, F2 is much quicker though!) Once you have placed your first breakpoint it should look like this:

So now we have our breakpoint click on the ROSE Window to make it attempt to render (ROSE does not waste resources by rendering when the window is not active) ollydbg should come up and ROSE should be ‘frozen’ it should look something like below, note in the Stack View in the bottom right it shows us pretty much what text this call is drawing, in the first break it always is the current player’s name, mine shows RuffRoseDevs (my clan name). Obviously this is not the correct drawFont as it shows my clan name, we are looking for the player’s name that is on screen (the one you found sitting around doing nothing earlier.)

Just to make sure we are going to hit F9 a few times (Run/Resume) to see if this particular drawFont is used for more than just clan names (they might be using the same drawFont for both clan names and player names) if you do this a few times ROSE should stop hitting breakpoints as all the rendering should be finished and if we did not see the other player’s name then this is not the correct function! Go back to the names window in znzin and remove the breakpoint of the first drawFont function and apply it to the second function.

Do the exact same procedure as before and look for the player’s name, wow it does not appear on this function, amazing… Lets try the next one…

SUCCESS!

Right now we have which function it is, go to the stack window and at the very top of it there is a line saying RETURN to TRose.00487F98, when a function is called it puts the return address at the top of the stack so it knows where to return to once the fuction is finished, this is that address. Right click on it and select Follow in Disassembler (or hit Enter..), this will take you to a line saying ADD ESP, 0×1C, if you scroll up one line you will have the function call (the return address is of course going to be after the call or we will have an infinite loop!) We should remember this address, a handy way is to just add a comment (right click on the call and hit Comment or press ‘;’ on the keyboard) type something like “Draws other player’s name”. Now if you ever lose this address (0×00487F92) then you can right click anywhere in trose.exe and go ‘Search For->User Defined Comment’.

That is it for the first part of this tutorial thingy, so far we have managed to find where the player’s name is being drawn, this is first vital step.

In the next part I will teach you about the colouring stuff, how exciting!

admin ROSE Online, Reverse Engineering, Tutorials

I feel like I should keep you informed as it my blog stats tell me that people do actually come here on a daily basis!
So here is a preview of the CHR Editor so far, I have updated the rendering to include effects as well as just the animation render, to provide you with an example we have a lovely glowy-handed ’stony1′, as it is named in the .CHR file!

You can click on any monster in the list and it renders it using the first animation available, click on a different animation in the animation list and it renders it, here you can see I have Attack selected and the render does indeed show an attack!

admin C++, Open Source, Programming, ROSE Online