Author Topic: I can read dll  (Read 22310 times)

Joshex

  • [citation needed]
  • Elite Boss
  • *****
  • Posts: 1,027
    • my talk page
I can read dll
« on: May 21, 2013, 11:35:39 PM »
Strangely, the qt codec files are made by Nokia, and they are in regards to different character sets: Latin and extended English, etc.

meh, I'm just going through the files in the CoH distribution and making out any code I can

I have uncovered 2 things;

1: I know how to write a mission file now, because it just so happened that CoH accidentally saved one mission code as .txt. It's a very simple set-up.
2: geom.pigg contains the information about how to read the .geom files

also I couldn't help but go through the screenshots folder; in the last weeks of CoH I went around looking for interesting billboards:

hmm

call geobin/maps/; it has a list of arena maps (mapsMisc.pigg)
and other maps, ooooo... I think this is what I will need to set up a link to for a door that enters, for example, city hall

Code: [Select]
geobin/maps/Architect/Architect.bin
geobin/maps/Architect/Architect_Backup.bin
geobin/maps/Arena/Arena_AbOffice_01/Arena_AbOffice_01.bin
geobin/maps/Arena/Arena_Atlas_01/Arena_Atlas_01.bin
geobin/maps/Arena/Arena_CargoShip_01/Arena_CargoShip_01.bin
geobin/maps/Arena/Arena_Eden_01/Arena_Eden_01.bin
geobin/maps/Arena/Arena_Graveyard_01/Arena_Graveyard_01.bin
geobin/maps/Arena/Arena_Industrial_01/Arena_Industrial_01.bin
geobin/maps/Arena/Arena_Industrial_01/WALLTEST_Arena_Industrial_01.bin
geobin/maps/Arena/Arena_OutbreakRuin_01/Arena_OutbreakRuin_01.bin
geobin/maps/Arena/Arena_Perez_01/Arena_Perez_01.bin
geobin/maps/Arena/Arena_PocketD_01/Arena_PocketD_01.bin
geobin/maps/Arena/Arena_Skyway_01/Arena_Skyway_01.bin
geobin/maps/Arena/Arena_SmoothCaves_01/Arena_SmoothCaves_01.bin
geobin/maps/Arena/Arena_SmoothCaves_01/Arena_SmoothCaves_01_audio.bin
geobin/maps/Arena/Arena_steel_01/Arena_steel_01.bin
geobin/maps/Arena/Arena_Striga_01/Arena_Striga_01.bin
geobin/maps/Arena/Arena_Tech_01/Arena_Tech_01.bin
geobin/maps/Arena/E3_BaseRaid/Audio/E3_BaseRaid_audio.bin
geobin/maps/Arena/E3_BaseRaid/E3_BaseRaid.bin
geobin/maps/City_Zones/City_00_01/City_00_01.bin
geobin/maps/City_Zones/City_01_03/city_01_03.bin
geobin/maps/City_Zones/City_01_04/city_01_04.bin
geobin/maps/City_Zones/City_02_03/City_02_03.bin
geobin/maps/City_Zones/City_02_04/City_02_04.bin
geobin/maps/City_Zones/City_02_05/City_02_05.bin
geobin/maps/City_Zones/City_03_03/City_03_03.bin
geobin/maps/City_Zones/City_03_04/City_03_04.bin
geobin/maps/City_Zones/City_03_04/City_03_04_missionMapStats.bin
geobin/maps/City_Zones/City_05_01/City_05_01.bin
geobin/maps/City_Zones/City_06_01/City_06_01.bin
geobin/maps/City_Zones/City_06_02/City_06_02.bin
geobin/maps/City_Zones/Coop_02_01/Coop_02_01.bin
geobin/maps/City_Zones/Coop_06_01/Coop_06_01.bin
geobin/maps/City_Zones/Events/SE2012_Colosseum/SE2012_Colosseum.bin
geobin/maps/City_Zones/Events/Winter_09_Layout_01/Winter_09_Layout_01.bin
geobin/maps/City_Zones/Events/Winter_09_Layout_02/Winter_09_Layout_02.bin
geobin/maps/City_Zones/Events/Winter_09_Layout_03/Winter_09_Layout_03.bin
geobin/maps/City_Zones/Events/Winter_09_Layout_04/Winter_09_Layout_04.bin
geobin/maps/City_Zones/Events/Winter_09_Layout_05/Winter_09_Layout_05.bin
geobin/maps/City_Zones/Events_HeroCon/Events_HeroCon.bin
geobin/maps/City_Zones/Event_06_01/Event_06_01.bin
geobin/maps/City_Zones/P_City_00_01/# Nova Praetoria in this folder.bin
geobin/maps/City_Zones/P_City_00_01/F_City_00_01.bin
geobin/maps/City_Zones/P_City_00_01/P_City_00_01.bin
geobin/maps/City_Zones/P_City_00_02/# Imperial City in this folder.bin
geobin/maps/City_Zones/P_City_00_02/F_City_00_02.bin
geobin/maps/City_Zones/P_City_00_02/P_City_00_02.bin
geobin/maps/City_Zones/P_City_00_03/# Neutropolis in this folder.bin
geobin/maps/City_Zones/P_City_00_03/F_City_00_03.bin
geobin/maps/City_Zones/P_City_00_03/P_City_00_03.bin
geobin/maps/City_Zones/P_City_00_04/P_City_00_04.bin
geobin/maps/City_Zones/P_City_00_05/# People's Park in this folder.bin
geobin/maps/City_Zones/P_City_00_05/P_City_00_05.bin
geobin/maps/City_Zones/P_City_00_06/# The Underground Nova in this folder.bin
geobin/maps/City_Zones/P_City_00_06/F_City_00_06.bin
geobin/maps/City_Zones/P_City_00_06/P_City_00_06.bin
geobin/maps/City_Zones/P_City_00_07/# The Underground Imperial in this folder.bin
geobin/maps/City_Zones/P_City_00_07/F_City_00_07.bin
geobin/maps/City_Zones/P_City_00_07/P_City_00_07.bin
geobin/maps/City_Zones/P_City_00_08/# The Underground Neutropolis in this folder.bin
geobin/maps/City_Zones/P_City_00_08/F_City_00_08.bin
geobin/maps/City_Zones/P_City_00_08/P_City_00_08.bin
geobin/maps/City_Zones/P_City_00_09/P_City_00_09.bin
geobin/maps/City_Zones/VetReward_06_01/VetReward_06_01.bin
geobin/maps/City_Zones/V_City_00_01/V_City_00_01.bin
geobin/maps/City_Zones/V_City_01_01/PierRamWall_V_City_01_01.bin
geobin/maps/City_Zones/V_City_01_02/V_city_01_02.bin
geobin/maps/City_Zones/V_City_02_01/Runway.bin
geobin/maps/City_Zones/V_City_02_01/V_city_02_01.bin
geobin/maps/City_Zones/V_City_03_01/Pier3_V_City_03_01.bin
geobin/maps/City_Zones/V_City_03_01/V_City_03_01.bin
geobin/maps/City_Zones/V_City_03_02/AudioBackup/Audioback2.bin
geobin/maps/City_Zones/V_City_03_02/CanopyTreeClump01.bin
geobin/maps/City_Zones/V_City_03_02/V_City_03_02.bin
geobin/maps/City_Zones/V_City_04_01/V_City_04_01.bin
geobin/maps/City_Zones/V_City_05_01/V_City_05_01.bin
geobin/maps/City_Zones/V_City_06_01/V_City_06_01.bin
geobin/maps/City_Zones/V_City_06_02/V_City_06_02.bin
geobin/maps/City_Zones/V_PvP_02_01/V_PvP_02_01.bin
geobin/maps/City_Zones/V_PvP_03_01/V_PvP_03_01.bin
geobin/maps/City_Zones/V_PvP_04_01/V_PvP_04_01.bin
geobin/maps/City_Zones/V_PvP_05_01/V_PvP_05_01.bin
geobin/maps/City_Zones/V_PvP_06_01/V_PvP_06_01.bin
geobin/maps/City_Zones/V_Trial_04_02/V_Trial_04_02.bin
geobin/maps/City_Zones/V_Trial_04_03/V_Trial_04_03.bin
geobin/maps/City_Zones/War_05_01/overhead_light_surg.bin
geobin/maps/City_Zones/War_05_01/War_05_01.bin
geobin/maps/maps_TESTING/maps_TESTING.bin
geobin/maps/maps_TESTING/maps_TESTING1.bin
geobin/maps/maps_TESTING/maps_TESTING2.bin
geobin/maps/maps_TESTING/maps_TESTING3.bin
enjoy;



more info: physxloader.dll seems to contain a checksum library along with error lists and a list of Get functions. It's made by Nvidia
« Last Edit: May 22, 2013, 01:31:25 PM by Joshex »
There is always another way. But it might not work exactly like you may desire.

A wise old rabbit once told me "Never give-up!, Trust your instincts!" granted the advice at the time led me on a tripped-out voyage out of an asteroid belt, but hey it was more impressive than a bunch of rocks and space monkies.

Phaetan

  • Elite Boss
  • *****
  • Posts: 250
Re: I can read dll
« Reply #1 on: May 22, 2013, 02:09:54 AM »
You have my attention...

 ;)

The Fifth Horseman

  • Elite Boss
  • *****
  • Posts: 961
  • Outside known realities.
Re: I can read dll
« Reply #2 on: May 22, 2013, 01:02:52 PM »
The .geo files used for environment objects and character models are similar but not identical.
The .bin files in /geobin/object_library appear to be associated with FX and sound FX. I was able to make some sense of the overall structure, although some details aren't as clear as I'd like them to be.

We were heroes. We were villains. At the end of the world we all fought as one. It's what we did that defines us.
The end occurred pretty much as we predicted: all servers redlining until midnight... and then no servers to go around.

Somewhere beyond time and space, if you look hard you might find a flash of silver trailing crimson: a lone lost Spartan on his way home.

Codewalker

  • Hero of the City
  • Titan Network Admin
  • Elite Boss
  • *****
  • Posts: 2,740
  • Moar Dots!
Re: I can read dll
« Reply #3 on: May 22, 2013, 01:23:09 PM »
The Geobin format has been known for a while among quite a few people. The same format is used for the zone maps under maps/ and the library pieces under object_library/. I used to get badge coordinates and other things from them.

The ones under object_library are a combination of multi-part objects (like a helipad that uses several smaller parts put together, or a skyscraper that re-uses the same window a bunch of times), as well as references to the geometry itself, which come from the .geo files.

Here's a description of the file format in Guy's XML format:
https://www.dropbox.com/s/it8wrqs96k2fyup/geobin.xml

The 'root' node starts at offset 0x70 in that screenshot you posted, right after the standard .bin file headers.

Joshex

  • [citation needed]
  • Elite Boss
  • *****
  • Posts: 1,027
    • my talk page
Re: I can read dll
« Reply #4 on: May 22, 2013, 01:53:18 PM »
wonderful information, I would have done more research last night but my eyes got cloudy, heh..

I believe physxcore.dll should contain the actual physics engine, but I haven't checked yet. Physxloader.dll makes a reference to it.

how I read dll: I open it in wordpad or notepad, I scroll down through it and look for any text I can make out, I then assess what the text is and which part of the gobbledygook (encrypted text) it relates to; even though it's encrypted that really doesn't matter so long as I know what operation I need to redirect the game to.

well, I'll review a bit more today. hopefully I can find the map of Atlas city hall; from what I see already I'm tempted to try linking the following to a door: geobin/maps/City_Zones/City_00_01/City_00_01.bin, geobin/maps/City_Zones/City_01_03/city_01_03.bin, geobin/maps/City_Zones/City_01_04/city_01_04.bin, and see what happens.

have yet to find the door model, as soon as I do I'll script it with a location.
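Scrolling through a DLL in WordPad and picking out readable text is a manual version of what a `strings` tool does: it keeps runs of printable bytes and skips everything else. The block below is an added example, not code from this thread or from the game, that does the same thing in C over a small constructed byte blob. The blob, the function names and the size limits are all made up for illustration; the unreadable bytes placed between the two strings are ordinary x86 machine code, which, as GuyPerfect's disassembly later in the thread shows, is what the unreadable stretches of a real executable are.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STRINGS 32   /* capacity of the result table (illustrative limits) */
#define MAX_STRLEN  64

/* Result table: each extracted run, NUL-terminated. */
static char   found[MAX_STRINGS][MAX_STRLEN];
static size_t found_count;

static int is_printable(uint8_t b) { return b >= 0x20 && b <= 0x7E; }

/* Store one run if it is long enough and there is room in the table. */
static void flush_run(const uint8_t *start, size_t run_len, size_t min_len) {
    if (run_len < min_len || found_count >= MAX_STRINGS) return;
    if (run_len >= MAX_STRLEN) run_len = MAX_STRLEN - 1;   /* truncate over-long runs */
    memcpy(found[found_count], start, run_len);
    found[found_count][run_len] = '\0';
    found_count++;
}

/* Scan `len` bytes of `data` for runs of at least `min_len` printable ASCII
   bytes (0x20..0x7E), the same rule the classic `strings` utility applies.
   Returns the number of runs stored; found_string(i) retrieves them. */
size_t extract_strings(const uint8_t *data, size_t len, size_t min_len) {
    size_t run_start = 0, run_len = 0;
    found_count = 0;
    for (size_t i = 0; i < len; i++) {
        if (is_printable(data[i])) {
            if (run_len == 0) run_start = i;
            run_len++;
        } else {
            flush_run(data + run_start, run_len, min_len);
            run_len = 0;
        }
    }
    flush_run(data + run_start, run_len, min_len);   /* a run that reaches end of data */
    return found_count;
}

const char *found_string(size_t i) { return i < found_count ? found[i] : ""; }

/* Constructed sample: a few bytes of x86 code around two embedded C strings.
   Not taken from any real DLL. */
static const uint8_t SAMPLE_BLOB[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08,          /* push ebp / mov ebp,esp / sub esp,8 */
    'p','h','y','s','x','c','o','r','e','.','d','l','l', 0x00,
    0xE8, 0x00, 0x00, 0x00, 0x00, 0xC3,          /* call rel32 / ret */
    'O','K', 0x00,                               /* a real string, but shorter than min_len */
    'G','e','t','V','e','r','s','i','o','n', 0x00,
    0xFF, 0x15, 0x10, 0x20, 0x30, 0x40           /* call [imm32]: the operand bytes " 0@" happen
                                                    to be printable, which is why a minimum
                                                    run length is needed at all */
};

/* Worked run over the sample with the usual minimum of 4 characters. */
size_t demo_extract(void) {
    return extract_strings(SAMPLE_BLOB, sizeof SAMPLE_BLOB, 4);
}

int main(void) {
    size_t n = demo_extract();
    for (size_t i = 0; i < n; i++) printf("%s\n", found_string(i));
    return 0;
}
```

With the minimum set to 4 the sample yields exactly `physxcore.dll` and `GetVersion`; lowering it to 2 also admits `OK` and the accidental `" 0@"` from the call instruction's operand, which is the noise a reader sees when eyeballing a binary in a text editor.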

Codewalker

  • Hero of the City
  • Titan Network Admin
  • Elite Boss
  • *****
  • Posts: 2,740
  • Moar Dots!
Re: I can read dll
« Reply #5 on: May 22, 2013, 02:10:07 PM »
physxcore.dll is this. It's used for particles like bullet casings and leaves, as well as client-side simulated objects like the junk from Propel.

Pretty much all the DLLs are third-party libraries and not directly related to game operations; that's why they're DLLs and not just statically linked in to the main program.

Joshex

  • [citation needed]
  • Elite Boss
  • *****
  • Posts: 1,027
    • my talk page
Re: I can read dll
« Reply #6 on: May 23, 2013, 03:15:20 AM »
physxcore.dll is this. It's used for particles like bullet casings and leaves, as well as client-side simulated objects like the junk from Propel.

Pretty much all the DLLs are third-party libraries and not directly related to game operations; that's why they're DLLs and not just statically linked in to the main program.

indeed, so it is a particle and fluid engine. However, I did find out that physxcooking.dll (aka baking) supplied collision-based interactions for softbodies, cloth, and convex hull (and triangle mesh, yadda yadda). This is a good candidate for battle physics: using the player's armature/bones as the softbody object during successful attacks would create that nice flopping-on-the-ground instance.

though it may have just been used for capes and such.

Edit, also it's used for spawning and despawning object instances.

edit2; physxcooking also contains a decryption key at the bottom.

W00Tango!

stage1a.pigg contains the links to the individual animations, or at least a good deal of them. player_library/animations/(male or fem or huge)/animname.anim (hmm /turrets/Quadoff.anim)

lol "huge/quickbarf.anim"
« Last Edit: May 23, 2013, 03:53:14 AM by Joshex »

Mister Bison

  • Elite Boss
  • *****
  • Posts: 686
  • *psychotic grin*
Re: I can read dll
« Reply #7 on: May 23, 2013, 06:53:42 AM »
So, I got a stupid idea.

How legal is it to reverse engineer the executable(s) now that the EULA is down, since there is no service/distribution anymore? We could just begin some sort of crowd-sourced disassembly of the main game executable. With enough time, we may even obtain all the data structures and protocols.

The Titan team is a very skilled team, but don't underestimate a thousand eyes.

P.S.: after wikipedia-diving (IANAL), it seems we could, if we wanted to interface our server (that we have, yes? *cough* or invoke Wibbly Wobbly Timey Wimey... Stuff), reverse-engineer the executable to make it inter-operable with our City of Heroes server. And we all lawfully obtained the executable when it was still available by direct linking, but not on the shop page, right...?
Yeeessss....

General Idiot

  • Elite Boss
  • *****
  • Posts: 648
Re: I can read dll
« Reply #8 on: May 23, 2013, 10:35:22 AM »
And we all lawfully obtained the executable when it was still available by direct linking, but not on the shop page, right... ?

I don't know about you, but personally my existing copy of CoH for both the live and beta servers was downloaded through NCSoft's own launcher, where it was at the time freely available. That they've since discontinued that service doesn't make my copy of the game any less legally obtained.

GuyPerfect

  • Mary Poppins
  • Titan Staff
  • Elite Boss
  • ****
  • Posts: 1,740
Re: I can read dll
« Reply #9 on: May 23, 2013, 02:01:15 PM »
How legal is it to reverse engineer the executable(s) now that the EULA is down, since there is no service/distribution anymore?

It was never illegal to begin with, because the City of Heroes terms of service were not a EULA. They served as a code of conduct, outlining NCsoft's expectations for use of the service.

I'm the only one in the universe who doesn't refer to it as a EULA, and I think that's because I'm the only one in the universe who has ever read it. (-:

With enough time, we may even obtain all the data structures and protocols.

The Titan team is a very skilled team, but don't underestimate a thousand eyes.

Yeah, future tense. Good thinking! (And just what do I mean by that? It could be anything!)

Kyriani

  • Elite Boss
  • *****
  • Posts: 299
Re: I can read dll
« Reply #10 on: May 23, 2013, 02:25:24 PM »
All you smarter than me people keep doing what you're doing! I want my coh back =\

The Fifth Horseman

  • Elite Boss
  • *****
  • Posts: 961
  • Outside known realities.
Re: I can read dll
« Reply #11 on: May 23, 2013, 04:16:38 PM »
We could just begin some sort of crowd-sourced disassembly of the main game executable. With enough time, we may even obtain all the data structures and protocols.
Rule One of League of Disassembling Heroes: Don't talk about the League of Disassembling Heroes.
Rule Two of League of Disassembling Heroes: You don't call them, they call you.

Also, I don't think reverse engineering and crowd-sourcing really mix. How many non-programmers heard of assembly, let alone can figure out what a given sequence of commands does?

GuyPerfect

  • Mary Poppins
  • Titan Staff
  • Elite Boss
  • ****
  • Posts: 1,740
Re: I can read dll
« Reply #12 on: May 23, 2013, 06:32:16 PM »
How many non-programmers heard of assembly, let alone can figure out what a given sequence of commands does?

Code: [Select]
XOR r6, r6
NOT r6, r6
ORI 0, r6, r8
SAR r9, r8
JAL PrintR8     /* OMG, r9 wasn't initialized so what is the value of r8???? */

Joshex

  • [citation needed]
  • Elite Boss
  • *****
  • Posts: 1,027
    • my talk page
Re: I can read dll
« Reply #13 on: May 23, 2013, 06:51:17 PM »
I've been cooking up a method for us to legally run CoH, the most legal way without changing the game is to have everything on client side (as it currently is but plus a server calculator)

the moment we run a City of Heroes server without authorization is the moment we open ourselves up for a world of hurt. So, I have come up with a system for P2P gaming. It will however demand more resources from people's computers, but the amount of internet bandwidth needed should stay about the same. One distinct problem I have not been able to think my way around yet is hacking. I suppose with P2P any suspicious statistical changes or suspicious calculative outcomes of such could be cross-checked by a team mate's/opposing player's computer automatically; that way if any change originating from a certain player's client looks odd it gets recalculated from another perspective, and if there is a fault then D/C the offending player and make them repatch certain files in regards to the calculation before they can log in. Trying to make the anti-hacking system as automated as possible.

so how will P2P CoH run? Simple: your computer does your battle calcs and sends any necessary information to the other players in your game area.

for downloading and patching we would need a server; for a shop or billing we would need a server; WW and BM would require a server; log-ins and save files would require a server. Everything else could be done P2P, thus removing the actual game from the server and making us legal.
« Last Edit: May 23, 2013, 08:22:18 PM by Joshex »

CraZboy

  • Minion
  • **
  • Posts: 42
Re: I can read dll
« Reply #14 on: May 23, 2013, 07:56:03 PM »
How legal is it to reverse engineer the executable(s) now that the EULA is down, since there is no service/distribution anymore? We could just begin some sort of crowd-sourced disassembly of the main game executable. With enough time, we may even obtain all the data structures and protocols.

It's a grey area; however, when we reverse engineered Earth and Beyond, we never heard from EA.

http://en.wikipedia.org/wiki/Abandonware


FatherXmas

  • Elite Boss
  • *****
  • Posts: 1,646
  • You think the holidays are bad for you ...
Re: I can read dll
« Reply #15 on: May 23, 2013, 08:21:00 PM »
Code: [Select]
XOR r6, r6
NOT r6, r6
ORI 0, r6, r8
SAR r9, r8
JAL PrintR8     /* OMG, r9 wasn't initialized so what is the value of r8???? */

Well, it's been a while. Not quite sure of the order of destination and target registers.

The first instruction sets r6 to 0 since XORing anything with itself zeros it out.  The NOT then sets r6 to all ones. The next instruction is an OR and ORing anything with all 1s yields all 1s so r8 is now all ones. 

This last instruction, a shift right, I'm not too sure about the order of the operatives. Your question implies that r8 is shifted by the value in r9. But if the instruction actually shifts r9 by the value in r8, then r8 is unchanged, all ones (not sure of the data width here or even the CPU this assembler is for).

If it's the other way around, r8 is shifted by the value in r9, then the result is still all ones, as the high order bit, a one, remains as well as being shifted right, making the value in r9 immaterial.
« Last Edit: May 23, 2013, 08:30:09 PM by FatherXmas »
Tempus unum hominem manet

Twitter - AtomicSamuraiRobot@NukeSamuraiBot

The Fifth Horseman

  • Elite Boss
  • *****
  • Posts: 961
  • Outside known realities.
Re: I can read dll
« Reply #16 on: May 23, 2013, 10:01:00 PM »
Code: [Select]
XOR r6, r6
NOT r6, r6
ORI 0, r6, r8
SAR r9, r8
JAL PrintR8     /* OMG, r9 wasn't initialized so what is the value of r8???? */
*chuckle* Nicely played. Actually had to look up ORI and SAR to confirm I'm not getting them wrong.
First line, r6=0
Second line, r6=(2^n)-1 where n is the size of r6 in bits (since I have no idea of the actual register size)
Third line r8=(2^n)-1, indicates the order is source register then destination register (since 0 is the immediate value).
Fourth line, arithmetic shift right. This one does not alter the most significant bit, so r8=(2^n)-1 .

GuyPerfect

  • Mary Poppins
  • Titan Staff
  • Elite Boss
  • ****
  • Posts: 1,740
Re: I can read dll
« Reply #17 on: May 23, 2013, 10:44:06 PM »
I would also have accepted -1 as the answer. (-:
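The two walkthroughs above, and the "-1" answer, can be checked by running the five instructions on a simulated register file. The block below is an added example and not part of the thread. It assumes 32-bit registers and the source-then-destination operand order that The Fifth Horseman settled on (so SAR r9, r8 shifts r8 by the count in r9); the puzzle itself states neither. The mnemonics are the puzzle's own, not a real instruction set, and a logical shift is included alongside for contrast, which the puzzle does not ask about.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Arithmetic shift right on a 32-bit register, written out explicitly so the
   result does not depend on how the C compiler shifts negative signed values.
   The shift count is taken modulo 32, as most ISAs do (an assumption here). */
uint32_t sar32(uint32_t value, uint32_t count) {
    count &= 31;
    uint32_t result = value >> count;
    if ((value & 0x80000000u) && count != 0)
        result |= ~(0xFFFFFFFFu >> count);   /* replicate the sign bit into the vacated positions */
    return result;
}

/* Logical shift right, for contrast: vacated positions are filled with zeros. */
uint32_t shr32(uint32_t value, uint32_t count) {
    return value >> (count & 31);
}

/* Runs the puzzle and returns the final value of r8. The puzzle never writes
   r9, so its starting value is a parameter: whatever the caller left there.
   `arithmetic` selects the puzzle's SAR (1) or a hypothetical SHR (0). */
uint32_t run_puzzle(uint32_t r9_initial, int arithmetic) {
    uint32_t r6 = 0x12345678u;   /* arbitrary leftover value; XOR clears it regardless */
    uint32_t r8;
    uint32_t r9 = r9_initial;

    r6 = r6 ^ r6;                            /* XOR r6, r6    : r6 = 0 */
    r6 = ~r6;                                /* NOT r6, r6    : r6 = 0xFFFFFFFF */
    r8 = 0u | r6;                            /* ORI 0, r6, r8 : r8 = 0xFFFFFFFF */
    r8 = arithmetic ? sar32(r8, r9)          /* SAR r9, r8    : sign bit replicated, still all ones */
                    : shr32(r8, r9);         /* SHR would depend on r9 */
    return r8;
}

int main(void) {
    uint32_t counts[] = {0u, 1u, 7u, 31u, 0xDEADBEEFu};
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("r9=0x%08X  SAR -> 0x%08X (%d as signed)   SHR -> 0x%08X\n",
               (unsigned)counts[i],
               (unsigned)run_puzzle(counts[i], 1),
               (int)(int32_t)run_puzzle(counts[i], 1),
               (unsigned)run_puzzle(counts[i], 0));
    return 0;
}
```

Whatever garbage sits in r9, the arithmetic shift leaves r8 at 0xFFFFFFFF, which read as a two's-complement signed value is -1; only the logical variant would make the uninitialised register matter.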

Joshex

  • [citation needed]
  • Elite Boss
  • *****
  • Posts: 1,027
    • my talk page
Re: I can read dll
« Reply #18 on: May 24, 2013, 03:31:12 AM »
texmaps.pigg, as its name implies, contains all the mission map textures. They can be called at texture_library/MAPS/(type of mission map)/mission map.texture AND .dds

some contain prefix numbering for ease of hotlinking. such as 01.texture 5 or = or ;

it takes forever for this file to fully load, and especially forever for wordpad to go over the document with all the parsers and libraries that you have installed to decode it (I have a crap ton of stuff installed for game dev, so it unencrypts most of the document and usually gives further encryption keys at the bottom). Obviously it will not unencrypt things like image code or raw scripts for physics engines :P

Heheh HAHAHAHHAH I have the door object location mercy I thought it would be in one of the other larger piggs glad I checked geomV1.pigg first

now if I can find a texture to match it I can complete the call string and give it a location. actually I wonder, if I gave it the door model might it automatically link to the texture in the door object's code? (a UV map)

Wait just a tiny minute! heh, they give the .bounds files too, WONDERFUL, I won't even have to specify a location.

you know what, I'm just gonna make a call to the entire file; it contains routers at the top to direct the client to what it needs.

OK, clarifying: V1 contains .bounds only; this includes ALL spawn locations for EVERYTHING: enemies, event items, ETC.

V2 contains the .bin files which in turn contain the model data and rigging as well as texture coordinates (UV maps) and direct links to the corresponding texture file.

we have everything, I knew all this stuff wasn't hosted on the server, lol all this stuff is hosted on our computers, the server must answer a question and say "yes" or "no" or true or false.

from what I'm seeing here the server is being asked "is server connected? true or false." if true loadfile geomV1.pigg and GeomV2.pigg Else end function.

however this creates a problem and puts us back at square 1, now we need to decrypt the client enough to see what it's asking the server.

bin.pigg is the holy grail reference file that tells the client where to look for any of the various aspects that make up the game, along with redirect scripts. I'd consider this CoH's kernel

herobrowser.dll is nearly entirely decrypted

question, is cityofheroes.exe the client? or does it merely redirect you to another client file? ok, answered my own question: cityofheroes.exe contains the entire CoH interface and all the calculations for menu related things (at least that's what I'm reading here). there is possibly more, I didn't read the entire document, my eyes are clouding over. sleep.... ok ok a few more lines of text, this stuff is good readin'... from what it shows here the physics engine is present in cityofheroes.exe, as is all of the geometry interpreter.

ok, that sounds like the file to target, though I still don't know what it's asking the server (8000kb is a lot to read)


Codewalker, Guy, 5thhorseman anything any of you need from inside cityofheroes.exe? I have nearly the entire file decrypted.
« Last Edit: May 24, 2013, 04:59:25 AM by Joshex »

Rejuvenatrix

  • Underling
  • *
  • Posts: 12
Re: I can read dll
« Reply #19 on: May 24, 2013, 04:34:50 AM »
I don't know what the heck you coders are talking about...it's too much tech for me :)  I don't care if it's illegal or not.  I truly truly don't.  And I'm an upstanding citizen! But I just want to play again. I don't care if there's new content, ever.  I want to fly, and I want my fireball back :)  Even if we could just run the game privately, like a LAN group, I'd be good with that.  I have a group of SG friends, who would really be happy if we could just play CoH together again. So when one of you geniuses cracks the coding to get this thing running, you will make tons of people happy. Keep plugging at it!  We love you!!!

dwturducken

  • Elite Boss
  • *****
  • Posts: 2,152
  • Now available in stereo
Re: I can read dll
« Reply #20 on: May 24, 2013, 05:20:26 AM »
I can follow it, barely, but I can't possibly hope to contribute to it. I feel a little like one of Lee Iacocca's original Mustang design team listening to a current engineering team talk about how they designed the new Mustang. The words make sense, but the discussion is at a level I can't possibly grasp. (ATM :) )
I wouldn't use the word "replace," but there's no word for "take over for you and make everything better almost immediately," so we just say "replace."

Triplash

  • Elite Boss
  • *****
  • Posts: 1,248
Re: I can read dll
« Reply #21 on: May 24, 2013, 10:58:33 AM »
I don't know what the heck you coders are talking about...

I'm convinced they see life in that squoogly green Matrix code.

And you should hear them talking to each other IRL. They have a secret language that sounds like the squeal from a dialup modem. :o

Kyriani

  • Elite Boss
  • *****
  • Posts: 299
Re: I can read dll
« Reply #22 on: May 24, 2013, 12:04:48 PM »
I may not get the entirety of what I read... but I think Joshex is saying the client pretty much has most if not all of the stuff we need, and if they can figure out what/how the client asks the server, they can make the game playable again...

>_>   or maybe that's just me being desperate and grasping at straws because I really don't know wtf all that code stuff means...

Joshex

  • [citation needed]
  • Elite Boss
  • *****
  • Posts: 1,027
    • my talk page
Re: I can read dll
« Reply #23 on: May 24, 2013, 03:03:56 PM »
you wouldn't believe how much of the code they have defined to their own custom terms. there's a lot of listings for the location of C files which contain more specific code for certain interactions.

I wonder if they were on the server. probably not though, they have local addresses.

GuyPerfect

  • Mary Poppins
  • Titan Staff
  • Elite Boss
  • ****
  • Posts: 1,740
Re: I can read dll
« Reply #24 on: May 24, 2013, 03:22:21 PM »
Codewalker, Guy, 5thhorseman anything any of you need from inside cityofheroes.exe? I have nearly the entire file decrypted.

You do? How about the bytes at 0x459040 in the beta EXE? Here's what it looks like in a hex editor:



Garbled junk? Encrypted text? Actually, that's program code:

Code: [Select]
00859040  8D41 07           LEA     EAX, DWORD PTR [ECX+7]
00859043  99                CDQ
00859044  83E2 07           AND     EDX, 7
00859047  03C2              ADD     EAX, EDX
00859049  57                PUSH    EDI
0085904A  8BF8              MOV     EDI, EAX
0085904C  C1FF 03           SAR     EDI, 3
0085904F  837E 08 00        CMP     DWORD PTR [ESI+8], 0
00859053  74 0B             JE      00859060
00859055  8346 04 01        ADD     DWORD PTR [ESI+4], 1
00859059  C746 08 00000000  MOV     DWORD PTR [ESI+8], 0
00859060  8B46 04           MOV     EAX, DWORD PTR [ESI+4]
00859063  8B56 08           MOV     EDX, DWORD PTR [ESI+8]
00859066  8D14C2            LEA     EDX, DWORD PTR [EDX+EAX*8]
00859069  03D1              ADD     EDX, ECX
0085906B  3B56 18           CMP     EDX, DWORD PTR [ESI+18]
0085906E  76 0B             JBE     0085907B
00859070  C746 28 02000000  MOV     DWORD PTR [ESI+28], 2
00859077  33C0              XOR     EAX, EAX
00859079  5F                POP     EDI
0085907A  C3                RETN
0085907B  8B4E 0C           MOV     ECX, DWORD PTR [ESI+C]
0085907E  8B5424 08         MOV     EDX, DWORD PTR [ESP+8]
00859082  57                PUSH    EDI
00859083  03C8              ADD     ECX, EAX
00859085  51                PUSH    ECX
00859086  52                PUSH    EDX
00859087  E8 C4631800       CALL    009DF450                    ; memcpy
0085908C  017E 04           ADD     DWORD PTR [ESI+4], EDI
0085908F  83C4 0C           ADD     ESP, C
00859092  B8 01000000       MOV     EAX, 1
00859097  5F                POP     EDI
00859098  C3                RETN

And it's part of the communications protocol (for the curious, it copies a number of bits from a buffer into another buffer). Which addresses your earlier concern:

now we need to decrypt the client enough to see what it's asking the server.

This is just one function of many. The EXE contains nearly 23,000 of them. You sure you got those all figured out over the span of a few hours? 'Cause we have information on what they all do, and it took us more than just overnight to get the job done.

Did you know that the EXE contains nicely formatted schemas describing the serialization format of all the .bin files? No joke, you can see the definition of powers.bin for yourself at 0x7BC380. In fact, the EXE contains information on the formats of all of the client files (go figure), either as data or in program code. There's literally nothing there that we don't know by now (or at least have the information we need to know more).

Knowing about the EXE is what enabled me to make Sentinel. Knowing about the EXE is what enabled Codewalker to make Icon. Knowing about the data files is what has enabled Titan Network to maintain resources such as Mids and City of Data over the years.

It's not my intention to be forward or disrespectful, but my concern is that you're in over your head here. Your investigation has been honorable, but your methods are somewhat less than optimal, and I get the impression that you don't wield the expertise necessary to dig very far below the surface. I don't mean to discourage you from continuing your work: by all means, learn as much as you can, because it's wonderful experience. But I do want you and everyone else to be aware that the work you're doing has already been taken care of in spades.
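A C rendering of the routine GuyPerfect disassembled above makes the bounds check easier to see than the listing does. This is an added example, not GuyPerfect's code and not the game's source. The struct layout follows the offsets the listing reads through ESI (+4, +8, +0xC, +0x18, +0x28), but the field names, the meaning given to each field, and the reading of +0x18 as the packet length in bits are inferred from how the listing uses them; the calling convention (bit count in ECX, reader in ESI, destination as the single stack argument) is read straight off the listing. The sample packet and the helper functions are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Reader state, laid out to match the offsets the disassembly touches through
   ESI on the 32-bit client. Field names and meanings are assumptions; only the
   offsets and how each is used come from the listing. */
typedef struct {
    uint32_t unused_00;      /* +0x00  not referenced by this routine */
    uint32_t byte_pos;       /* +0x04  current byte offset into buf */
    uint32_t bit_pos;        /* +0x08  bits already consumed from buf[byte_pos] */
    uint8_t *buf;            /* +0x0C  packet data */
    uint32_t unused_10[2];   /* +0x10, +0x14 */
    uint32_t size_bits;      /* +0x18  packet length in bits (inferred from the compare) */
    uint32_t unused_1c[3];   /* +0x1C .. +0x24 */
    uint32_t error;          /* +0x28  set to 2 when a read would overrun */
} packet_t;

/* Equivalent of the listed routine. Copies `bits` bits, rounded up to whole
   bytes and starting at the next byte boundary, from the packet into dst.
   Returns 1 on success; on an overrun sets error = 2, copies nothing, returns 0. */
int packet_get_bits_array(packet_t *pkt, int32_t bits, void *dst) {
    /* LEA EAX,[ECX+7] / CDQ / AND EDX,7 / ADD EAX,EDX / SAR EDI,3 is the compiler's
       idiom for a signed (bits + 7) / 8: round the bit count up to whole bytes. */
    int32_t nbytes = (bits + 7) / 8;

    /* CMP [ESI+8],0 / JE: part-way through a byte, so skip the rest of it. */
    if (pkt->bit_pos != 0) {
        pkt->byte_pos += 1;
        pkt->bit_pos = 0;
    }

    /* LEA EDX,[EDX+EAX*8] / ADD EDX,ECX / CMP EDX,[ESI+18] / JBE: would the read
       end past the packet? Unsigned compare, as JBE implies. */
    uint32_t end_bit = pkt->bit_pos + pkt->byte_pos * 8u + (uint32_t)bits;
    if (end_bit > pkt->size_bits) {
        pkt->error = 2;          /* MOV [ESI+28], 2 */
        return 0;                /* XOR EAX,EAX / RETN */
    }

    /* PUSH EDI / PUSH ECX / PUSH EDX / CALL memcpy: memcpy(dst, buf + byte_pos, nbytes) */
    memcpy(dst, pkt->buf + pkt->byte_pos, (size_t)nbytes);
    pkt->byte_pos += (uint32_t)nbytes;   /* ADD [ESI+4], EDI */
    return 1;                            /* MOV EAX, 1 */
}

/* Constructed 4-byte (32-bit) sample packet. */
static const uint8_t SAMPLE[4] = {0xDE, 0xAD, 0xBE, 0xEF};

/* Helper: a fresh reader over a copy of SAMPLE, positioned at bit `start_bit`. */
static int run_sample(uint32_t start_bit, int32_t bits, uint8_t out[4], packet_t *pkt) {
    static uint8_t buf[4];
    memcpy(buf, SAMPLE, sizeof buf);
    memset(pkt, 0, sizeof *pkt);
    pkt->buf = buf;
    pkt->size_bits = 32;
    pkt->byte_pos = start_bit / 8;
    pkt->bit_pos = start_bit % 8;
    memset(out, 0, 4);
    return packet_get_bits_array(pkt, bits, out);
}

/* First byte delivered by a read, or -1 if the bounds check refused it. */
int sample_read_byte(uint32_t start_bit, int32_t bits) {
    uint8_t out[4]; packet_t pkt;
    return run_sample(start_bit, bits, out, &pkt) ? out[0] : -1;
}

/* Error code left in the reader after the read (0 = none, 2 = overrun). */
uint32_t sample_read_error(uint32_t start_bit, int32_t bits) {
    uint8_t out[4]; packet_t pkt;
    run_sample(start_bit, bits, out, &pkt);
    return pkt.error;
}

int main(void) {
    printf("16 bits from bit 0  -> 0x%02X\n", sample_read_byte(0, 16));
    printf("8 bits from bit 3   -> 0x%02X (realigned to byte 1 first)\n", sample_read_byte(3, 8));
    printf("8 bits from bit 24  -> 0x%02X (exactly fills the packet)\n", sample_read_byte(24, 8));
    printf("16 bits from bit 24 -> %d, error=%u (refused)\n",
           sample_read_byte(24, 16), (unsigned)sample_read_error(24, 16));
    return 0;
}
```

The thing to take from it, reading as a defender: the compare against the packet length happens before the memcpy and is the only thing standing between a short packet and an out-of-bounds read, which is the first check a review of any protocol parser looks for. Two details the listing also shows are worth keeping in mind when reading code like this: the bit count is signed (that is why the CDQ is there) while the end-of-packet compare is unsigned, so the range of counts the callers can pass is part of the picture, and a read that starts mid-byte silently discards the rest of that byte before copying.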


Joshex

  • [citation needed]
  • Elite Boss
  • *****
  • Posts: 1,027
    • my talk page
Re: I can read dll
« Reply #25 on: May 24, 2013, 04:03:51 PM »
You do? How about the bytes at 0x459040 in the beta EXE? Here's what it looks like in a hex editor:



Garbled junk? Encrypted text? Actually, that's program code:

Code:
00859040  8D41 07           LEA     EAX, DWORD PTR [ECX+7]
00859043  99                CDQ
00859044  83E2 07           AND     EDX, 7
00859047  03C2              ADD     EAX, EDX
00859049  57                PUSH    EDI
0085904A  8BF8              MOV     EDI, EAX
0085904C  C1FF 03           SAR     EDI, 3
0085904F  837E 08 00        CMP     DWORD PTR [ESI+8], 0
00859053  74 0B             JE      00859060
00859055  8346 04 01        ADD     DWORD PTR [ESI+4], 1
00859059  C746 08 00000000  MOV     DWORD PTR [ESI+8], 0
00859060  8B46 04           MOV     EAX, DWORD PTR [ESI+4]
00859063  8B56 08           MOV     EDX, DWORD PTR [ESI+8]
00859066  8D14C2            LEA     EDX, DWORD PTR [EDX+EAX*8]
00859069  03D1              ADD     EDX, ECX
0085906B  3B56 18           CMP     EDX, DWORD PTR [ESI+18]
0085906E  76 0B             JBE     0085907B
00859070  C746 28 02000000  MOV     DWORD PTR [ESI+28], 2
00859077  33C0              XOR     EAX, EAX
00859079  5F                POP     EDI
0085907A  C3                RETN
0085907B  8B4E 0C           MOV     ECX, DWORD PTR [ESI+C]
0085907E  8B5424 08         MOV     EDX, DWORD PTR [ESP+8]
00859082  57                PUSH    EDI
00859083  03C8              ADD     ECX, EAX
00859085  51                PUSH    ECX
00859086  52                PUSH    EDX
00859087  E8 C4631800       CALL    009DF450                    ; memcpy
0085908C  017E 04           ADD     DWORD PTR [ESI+4], EDI
0085908F  83C4 0C           ADD     ESP, C
00859092  B8 01000000       MOV     EAX, 1
00859097  5F                POP     EDI
00859098  C3                RETN

And it's part of the communications protocol (for the curious, it copies a number of bits from a buffer into another buffer). Which addresses your earlier concern:

This is just one function of many. The EXE contains nearly 23,000 of them. You sure you got those all figured out over the span of a few hours? 'Cause we have information on what they all do, and it took us more than just overnight to get the job done.

Did you know that the EXE contains nicely formatted schemas describing the serialization format of all the .bin files? No joke, you can see the definition of powers.bin for yourself at 0x7BC380. In fact, the EXE contains information on the formats of all of the client files (go figure), either as data or in program code. There's literally nothing there that we don't know by now (or at least have the information we need to know more).

Knowing about the EXE is what enabled me to make Sentinel. Knowing about the EXE is what enabled Codewalker to make Icon. Knowing about the data files is what has enabled Titan Network to maintain resources such as Mids and City of Data over the years.

It's not my intention to be forward or disrespectful, but my concern is that you're in over your head here. Your investigation has been honorable, but your methods are somewhat less than optimal, and I get the impression that you don't wield the expertise necessary to dig very far below the surface. I don't mean to discourage you from continuing your work: by all means, learn as much as you can, because it's wonderful experience. But I do want you and everyone else to be aware that the work you're doing has already been taken care of in spades.



lol, I know the encrypted portions are program code; even a .jpg's encrypted text is program code that tells it the pixel location on x and y and the RGB data in hex.

Trust me, I'm just browsing to figure out what needs to be done to get the server code atm; that can be figured out in about an hour or 2. You say you already know 23,000 of them. And yeah, I know it contains schematics of all the file formats; I read through a few of them, and it was fun to see how they chose to code it.

My next trick will be to completely decompile this file to see definitively what it's asking the server in order to be told it's OK to spawn doors and NPCs. I mean, the entire code for the NPC locations and models is on the client side, same with the doors and zone-switching triggers.

It's just a matter of making an outside file that tells the client "yeah, that's OK, go ahead", in layman's terms.

I know you guys have a lot of stuff figured out, but the above 2 things (probably more than 2 in the actual server code) seem to be something that no one has accomplished yet, hence what I'm trying to figure out.
There is always another way. But it might not work exactly like you may desire.

A wise old rabbit once told me "Never give up! Trust your instincts!" Granted, the advice at the time led me on a tripped-out voyage out of an asteroid belt, but hey, it was more impressive than a bunch of rocks and space monkeys.

srmalloy

  • Elite Boss
  • *****
  • Posts: 450
Re: I can read dll
« Reply #26 on: May 24, 2013, 04:24:09 PM »
lol, I know the encrypted portions are program code; even a .jpg's encrypted text is program code that tells it the pixel location on x and y and the RGB data in hex.

Not exactly; JPG, PNG, and all the other compressed formats store what is essentially pseudo-code and data, not program code; they indicate which operations to perform on the data in the file, but don't contain the code that actually performs the operation. But that description is a useful first approximation -- you can look at it from the perspective of the file format containing the 'program' that the image viewer 'executes' to decompress the data in the file to recreate the image.

Taceus Jiwede

  • Time Traveler
  • Elite Boss
  • *****
  • Posts: 978
Re: I can read dll
« Reply #27 on: May 24, 2013, 04:59:02 PM »
Eeeeeeee!!! I love hearing (or seeing, in this case) people talk about the things they enjoy/love doing!

Joshex, any news on that sure proof way of getting CoH's IP back from NCSoft?  NCSoft's gates could use a good stormin'.
« Last Edit: May 26, 2013, 05:29:30 AM by Taceus Jiwede »

Codewalker

  • Hero of the City
  • Titan Network Admin
  • Elite Boss
  • *****
  • Posts: 2,740
  • Moar Dots!
Re: I can read dll
« Reply #28 on: May 24, 2013, 05:44:23 PM »
lol, I know the encrypted portions are program code; even a .jpg's encrypted text is program code that tells it the pixel location on x and y and the RGB data in hex.

Part of the problem is that you're confusing basic terminology, which makes the rest of your claims seem doubtful. "Encryption" has a very specific meaning, and other than the network protocol in-flight and one very tiny section, there's nothing in the COH client that is encrypted.

"Encrypted text" is even more dubious, because the majority of what you're looking at isn't text at all; it's binary code that is either directly executed by the hardware, or is interpreted as data by a program. It may contain fragments of text that it uses, but without the context those fragments are marginally useful at best.

You probably mean "encoded", but even then, most of it is still not text, nor a "script" of any kind.

Quote
and yeah I know it contains schematics of all the file formats, I read through a few of them, it was fun to see how they chose to code it.

Would you mind posting one of them and your interpretation of it? I have a feeling I know what you're seeing, and that it's probably not what you think it is.

Quote
to see what it's asking the server in definite in order to be told it's ok to spawn doors and NPCs, I mean the entire code for the NPC locations and models is on the client side

The client doesn't ask for that. The client sits and waits, the server sends messages like "Spawn this NPC at these coordinates doing this animation with these 50 different properties" and "You did 19.72 damage to this NPC".

Quote
zone switching triggers.

Those do exist in the client map files (sort of, it doesn't contain ones you can choose like train destinations, but it does have the spawn points), but the client doesn't actually use them.

This is readily apparent with Icon -- walk into one of the tunnels that normally teleports you to another zone and see that there is no freeze in control like there is when clicking a door. The client has no idea that you're standing in a teleport volume -- normally the server would just send an unsolicited "You're now in Steel Canyon, here's the map file to load" message.

Quote
it's just a matter of making an outside file that tells the client "yeah thats ok go ahead" in lame-mans terms.

What method are you planning to use to deliver this file to the client and get it to read it?

JetFlash

  • Boss
  • ****
  • Posts: 100
Re: I can read dll
« Reply #29 on: May 24, 2013, 05:50:13 PM »
Wow, does that bring back memories.  Haven't coded in Assembler in over 20 years now.  I'm sure I could pick it up again if I had to, but I'm happier doing IT instead of being a code monkey.   ;D

Kyriani

  • Elite Boss
  • *****
  • Posts: 299
Re: I can read dll
« Reply #30 on: May 24, 2013, 05:55:27 PM »
Honestly, all this technical code stuff just turns my brain inside out. I will just sit quietly and let you smart people do whatever it is you do and pray that you succeed in bringing back my beloved COH. If there is any part of the work that needs doing that is simple data entry or some other menial, time-consuming task that someone who has no clue how to code can do, then feel free to hit me up, 'cause time is the one resource I have in ABUNDANCE.

The Fifth Horseman

  • Elite Boss
  • *****
  • Posts: 961
  • Outside known realities.
Re: I can read dll
« Reply #31 on: May 24, 2013, 06:07:44 PM »
I would also have accepted -1 as the answer. (-:
If and only if Printr8That relies on an assumption r8 is treated as a signed integer. :-)
Anyway, neither what I said nor the way I said it was very civil. What I meant is that reverse engineering requires a degree of competence in a fairly niche skill set. I believe that the risks of taking in a well-meaning but clueless person would outweigh the benefits in this scenario - which is why I doubt such a project would be taking in every unknown quantity that comes around.
We were heroes. We were villains. At the end of the world we all fought as one. It's what we did that defines us.
The end occurred pretty much as we predicted: all servers redlining until midnight... and then no servers to go around.

Somewhere beyond time and space, if you look hard you might find a flash of silver trailing crimson: a lone lost Spartan on his way home.

GuyPerfect

  • Mary Poppins
  • Titan Staff
  • Elite Boss
  • ****
  • Posts: 1,740
Re: I can read dll
« Reply #32 on: May 24, 2013, 07:02:23 PM »
If there is any part of the work that needs doing that is simple data entry or some other menial, time-consuming task that someone who has no clue how to code can do, then feel free to hit me up, 'cause time is the one resource I have in ABUNDANCE.

We write programs to do that for us. (-:

Mister Bison

  • Elite Boss
  • *****
  • Posts: 686
  • *psychotic grin*
Re: I can read dll
« Reply #33 on: May 24, 2013, 08:21:13 PM »
*grabs popcorn*

However this discussion finishes, it'll be fun.

By the way, I know that crowdsourcing and reverse engineering seem to be alien terminology. That was a neologism of sorts. All I wanted to convey/suggest was that all the work that has been done by the Titan coders (mapping the executable) could have been done, maybe faster, maybe better (don't underestimate stochastic approaches), made public (while somewhat protected from vandalism) and enjoyed by more people.

And by the way, there are sophisticated disassemblers now that can extract all the assembly into pseudo C-code. Of course all the functions look "f201038"-y at first (that means, meaningless) but that's how you disassemble what you get from real executables, with no debug information. It's just that it's easier to look at (with braces, loops, parameters), and you can name variables/functions in a more humane way. But that, you already knew I guess.

(666th post, I hope nobody is superstitious.)

Edit: rephrased, a bit tired.
« Last Edit: May 24, 2013, 09:26:25 PM by Mister Bison »
Yeeessss....

Lucretia MacEvil

  • Guest
Re: I can read dll
« Reply #34 on: May 24, 2013, 08:35:58 PM »
Honestly, all this technical code stuff just turns my brain inside out. I will just sit quietly and let you smart people do whatever it is you do and pray that you succeed in bringing back my beloved COH.

This goes for me as well, although I may be prone to some mild fidgeting from time to time.

Joshex

  • [citation needed]
  • Elite Boss
  • *****
  • Posts: 1,027
    • my talk page
Re: I can read dll
« Reply #35 on: May 24, 2013, 10:06:54 PM »
Part of the problem is that you're confusing basic terminology, which makes the rest of your claims seem doubtful. "Encryption" has a very specific meaning, and other than the network protocol in-flight and one very tiny section, there's nothing in the COH client that is encrypted.

"Encrypted text" is even more dubious, because the majority of what you're looking at isn't text at all; it's binary code that is either directly executed by the hardware, or is interpreted as data by a program. It may contain fragments of text that it uses, but without the context those fragments are marginally useful at best.

You probably mean "encoded", but even then, most of it is still not text, nor a "script" of any kind.

Would you mind posting one of them and your interpretation of it? I have a feeling I know what you're seeing, and that it's probably not what you think it is.

The client doesn't ask for that. The client sits and waits, the server sends messages like "Spawn this NPC at these coordinates doing this animation with these 50 different properties" and "You did 19.72 damage to this NPC".

Those do exist in the client map files (sort of, it doesn't contain ones you can choose like train destinations, but it does have the spawn points), but the client doesn't actually use them.

This is readily apparent with Icon -- walk into one of the tunnels that normally teleports you to another zone and see that there is no freeze in control like there is when clicking a door. The client has no idea that you're standing in a teleport volume -- normally the server would just send an unsolicited "You're now in Steel Canyon, here's the map file to load" message.

What method are you planning to use to deliver this file to the client and get it to read it?

By encrypted I mean it's no longer 0's and 1's, is it? Therefore some form of encryption has been used to change the characters so a random person can't read it. Also, when it comes down to it, all the programming languages we know are binary, lol, except for specific stuff like colors or sound coordinates. Everything else is a bunch of 0's and 1's; we just define certain sets of 01010 as = functionname.

I'll post something and my interpretation of it later today; right now I just want to reply to some of the things in your post so you don't think I'm witless or overly hopeful.

Did you ever wonder why everything, including the scene change triggers, is on the client side and yet they don't work? As a game developer it became obvious to me the moment I saw the .bound files listed. It would make bad sense to have the server constantly checking every character to see where they are (it would be like a worm), not to mention it would take a ton of bandwidth (I've played CoH on dial-up at 4.4kb/s, so that is obviously not the case).

The thing that actually takes up the time on your computer for loading a new map is clearing the memory of the old map and loading the new map, plus server wait response time. In fact, you'll notice that the loading bar loads relatively quickly, then hangs up near the end. This is: the quick part: is building blah present in memory? Check! Is NPC Blah loaded in memory? Check! Etc. The wait near the end: "Hey server, all objects loaded in memory, I'm ready." Server: "Um, can you wait a sec, I'm serving other people atm; first loaded = first served."

The client side does all the collision calcs, including the scene trigger collisions. By process of simplistic function and elimination of anything else, they are and must be set up as follows to work:

On collision with an object that contains property "player", send message to server: collision = true, and wait for response. This is the question the client asks, or very close to it.

Now then, the actual scene switch (have you ever monitored your connection?) is merely a ping to see if you are still connected, with a few odd KB in data to say a simple short message that the client uses to determine what to do next. What is too long? load map C:\blah\blah\ETC\blah\steelcanyon.map and spawn blahblahblah and blah

(Plus it seems a bit redundant to have all the spawn info on the client side if the server is gonna tell it all of it all over again every time we interact with those locations.)

OK, so the actual scene switch will be using a keyword that is already predefined on the client side. This presents a realistic loading situation versus being stuck there for minutes (high-speed connection) waiting for the server to be free to send you all that data (and burning itself out fast in the process; some viruses called worms will do similar operations, like: load blah.txt 3 billion trillion times).

From what I have seen we already have a long list of predefined terms in the client; I'm willing to bet that the trigger is waiting for a response of one of those terms.

Connectivity: I have several hypotheses of how to do it. 1: tell the client where to connect by changing its target to include the desired file (where you could normally put in an IP address); 2: have the file itself be set to contact the client with the information; 3: both 1 and 2.

From what I can see the server sends very small amounts of simple data. The server says things like: steelcanyon = true, NPCMSliberty = true, Adamastor = true and Adamastor = G2 (spawn point) or Loc00.00.00 and Rot90.00.00, HP =###### End=###### Despawn at Time().

Timing is determined by the server. Battle calcs could be done on either side, though I'm sure they are done on the server for anti-hacking purposes. Still, that would mean there is a defined term on the client side with open/empty brackets. A simple statement by a would-be server file would just need to set, for example, @Joshex PlayerHP(1200) as an answer to a calc. I figure @name would work because the game is set up to recognise any character we play as our @.

I do remember seeing such statements in the readable portion of the client regarding various stats.

Predefined terms are mandatory in most modern quality games; the games will understand them if they are sent such.

I will post more later.

Eeeeeeee!!! I love hearing (or seeing, in this case) people talk about the things they enjoy/love doing!

Joshex, any news on that sure proof way of getting CoH's IP back from NCSoft?  NCSoft's gates could use a good stormin'.

I will put that in motion the moment we hear anything negative from Google.
« Last Edit: May 24, 2013, 11:52:33 PM by Joshex »

The Fifth Horseman

  • Elite Boss
  • *****
  • Posts: 961
  • Outside known realities.
Re: I can read dll
« Reply #36 on: May 25, 2013, 01:00:55 AM »
By encrypted I mean it's no longer 0's and 1's, is it? Therefore some form of encryption has been used to change the characters so a random person can't read it,
Hexadecimal representation is just a way of representing binary values, not any form of encryption. Four bits per digit, two digits per byte. 0xDEAD5432 = 1101 1110 1010 1101 0101 0100 0011 0010 b
Quote
also when it comes down to it, all the programming languages we know are binary, lol, except for specific stuff like colors or sound coordinates. Everything else is a bunch of 0's and 1's
Special cases? Since when? Your CPU can't operate on anything but binary. Your RAM and HDD can't store anything but binary.

FatherXmas

  • Elite Boss
  • *****
  • Posts: 1,646
  • You think the holidays are bad for you ...
Re: I can read dll
« Reply #37 on: May 25, 2013, 01:16:41 AM »
In the end, it's all ones and zeros.
Tempus unum hominem manet

Twitter - AtomicSamuraiRobot@NukeSamuraiBot

Joshex

  • [citation needed]
  • Elite Boss
  • *****
  • Posts: 1,027
    • my talk page
Re: I can read dll
« Reply #38 on: May 25, 2013, 02:27:24 AM »
Hexadecimal representation is just a way of representing binary values, not any form of encryption. Four bits per digit, two digits per byte. 0xDEAD5432 = 1101 1110 1010 1101 0101 0100 0011 0010 b

Special cases? Since when? Your CPU can't operate on anything but binary. Your RAM and HDD can't store anything but binary.

True, I was just setting myself up, making sure to let people know that I know that typically sounds are represented in hexadecimal numbers. Yeah, even that can be converted to its binary ancestor, but I just wanted to make sure no one would call me an idiot for forgetting to mention hexadecimal.
« Last Edit: May 25, 2013, 02:44:37 AM by Joshex »

Mister Bison

  • Elite Boss
  • *****
  • Posts: 686
  • *psychotic grin*
Re: I can read dll
« Reply #39 on: May 25, 2013, 09:40:18 AM »
True, I was just setting myself up, making sure to let people know that I know that typically sounds are represented in hexadecimal numbers. Yeah, even that can be converted to its binary ancestor, but I just wanted to make sure no one would call me an idiot for forgetting to mention hexadecimal.
Again, you mix terminology. Hexadecimal to binary and backward are not really conversions. It's merely a more compact way of writing it. Like 1 000 000 000 000 and 1.0E12, or "One 1 and 12 zeros". If you really insist, you convert notations, that's all. That's nothing really constructive.

It's the same with assembly. You don't "convert" from 06 07 03 to PUSH POP ADD. It's just another way of representing it that allows a human to directly understand what the processor will do.

And it's not encrypted either.

And if you ever get or have source code, give it all up, don't look at the executable. But you won't find any source in the executable, that's the point. An executable is but a very optimized, computer-understandable conversion (yes, that is a conversion, called "compilation") from source code.

FatherXmas

  • Elite Boss
  • *****
  • Posts: 1,646
  • You think the holidays are bad for you ...
Re: I can read dll
« Reply #40 on: May 25, 2013, 03:58:49 PM »
It strikes me that Joshex may be someone brought up on scripting languages that aren't compiled at all and therefore always readable or ones that are partially compiled into p-code (Java) with final JIT native compilation done at runtime but the p-code can be used to get back to the original source.

It can be a very different PoV than those of us brought up on languages that are compiled, and if not for a map file, the source code and a proper debugger, "unblending the frog" wouldn't be possible.

Joshex

  • [citation needed]
  • Elite Boss
  • *****
  • Posts: 1,027
    • my talk page
Re: I can read dll
« Reply #41 on: May 25, 2013, 06:21:29 PM »
It strikes me that Joshex may be someone brought up on scripting languages that aren't compiled at all and therefore always readable or ones that are partially compiled into p-code (Java) with final JIT native compilation done at runtime but the p-code can be used to get back to the original source.

It can be a very different PoV than those of us brought up on languages that are compiled, and if not for a map file, the source code and a proper debugger, "unblending the frog" wouldn't be possible.

Precisely. My father taught me binary and hex, but the first ever programming I did was with QBasic; I did little more than draw a picture on the screen pixel by pixel using "PRINT".

Now I focus on Python object-oriented code; it is heavily simplistic, much like ActionScript. Yeah, from time to time I do use xor and or etc., but it is indeed a simplistic programming language.

And I'll say this: most game developers nowadays use something similar. Even in CoH's time, from what I'm seeing in the client file, they relied heavily on defining their own programming terms, because it's just quicker to write scripts that way.

Hexadecimal versus binary: I say 'convert' because I used to make game enhancement codes for Game Genie (SNES). They required you to learn that hexadecimal is actually just another number system, and it's true; just instead of 11 it's B. Technically, in order to read hexadecimal as binary you would have to "convert" it to the proper number system. I suppose it's more of a translation than a conversion though,
« Last Edit: May 25, 2013, 06:42:14 PM by Joshex »

FatherXmas

  • Elite Boss
  • *****
  • Posts: 1,646
  • You think the holidays are bad for you ...
Re: I can read dll
« Reply #42 on: May 25, 2013, 07:34:50 PM »
Except that Cryptic, Paragon, ArenaNet, Carbine and just about every console or PC/Mac game developer are looking for C and C++ (Objective-C for Mac) programmers and not Java, Ruby or Python programmers. While it's true that mission creation and the like are scripted, the underlying code that runs that script is still compiled beforehand from a proper high-level language.

I'm not talking browser based MMOs since they tend to be written in Java or Javascript/WebGL.

ROBOKiTTY

  • Boss
  • ****
  • Posts: 183
  • KiTTYRiffic
    • KiTTYLand
Re: I can read dll
« Reply #43 on: May 25, 2013, 07:58:52 PM »
CoH was written in C, so you can't meaningfully decompile that. On the plus side, disassembly gets you close enough to the original thing... not that it's any help without a lot of time and experience with asm.
Have you played with a KiTTY today?

Codewalker

  • Hero of the City
  • Titan Network Admin
  • Elite Boss
  • *****
  • Posts: 2,740
  • Moar Dots!
Re: I can read dll
« Reply #44 on: May 25, 2013, 08:08:52 PM »
COH was definitely written in C -- Microsoft Visual C 2005 to be exact (its compiler fingerprints are all over the place). That does make the disassembly a little easier to deal with.

Part of the authentication protocol uses a small but important portion written in C++ (it turns out that it's a third-party library linked in). That was a bit of a pain to untangle due to its excessive use of templates and virtual functions. Not impossible, just really annoying.

The frog in a blender is a good example -- you can't get the source code back from a compiled program like you can with obfuscated scripts. The best you can do is generate something that compiles to the same machine code, but you'll be missing important things like what the variables and functions are named, and complex constructs will often be broken down into something simpler.

The ability for entire games to be written in something like JavaScript and run in a canned engine like Unity or Blender's game engine is a very recent phenomenon. It's only due to PCs being so incredibly fast and powerful now that the extra bloat from using an interpreted language isn't as detrimental to performance.

srmalloy

  • Elite Boss
  • *****
  • Posts: 450
Re: I can read dll
« Reply #45 on: May 25, 2013, 11:39:36 PM »
Anyway, neither what I said nor the way I said it was very civil. What I meant is that reverse engineering requires a degree of competence in a fairly niche skill set.

If this had been dropped in my lap within the first, oh, decade after I left college, I'd be much better set up to work with it; as it is, I've spent way too much time doing datamining and other database work -- the last sixteen years working with an extremely niche programming language and database architecture -- that my to-the-metal programming and reverse-engineering skills have deteriorated. I can look at a specification for how something has to work, or see it in operation, and be able to see the logic for (at least one way) the code can be constructed, and what database structures it would need to interact with, but working backwards from binary to source that can be redeveloped isn't part of my skillset any more.

Zombie Man

  • Elite Boss
  • *****
  • Posts: 296
Re: I can read dll
« Reply #46 on: May 26, 2013, 12:52:48 AM »
Any sign of the LUA that the Devs were drooling over, that was implemented in the last Beta and about to go live, that was going to let content designers do scripted stuff much more easily?

TonyV

  • Titan Staff
  • Elite Boss
  • ****
  • Posts: 2,175
    • Paragon Wiki
Re: I can read dll
« Reply #47 on: May 26, 2013, 06:15:16 AM »
This is just one function of many. The EXE contains nearly 23,000 of them. You sure you got those all figured out over the span of a few hours? 'Cause we have information on what they all do, and it took us more than just overnight to get the job done.

I've hinted at this several times, but didn't know exactly how public you guys wanted this knowledge to be.  But yeah, at this point, I don't think that disassembling the file formats, protocols or client source code is an issue.  At this point, it's a matter of reconstructing a server that obeys those protocols and responds with answers that the client accepts and understands.  Not a trivial challenge to be certain, but it's probably worth noting that a lot of the really tedious, time-consuming work has been completed.  (And not just in the six months since the game has shut down, either.  A lot of this work has been ongoing for literally years; as stated, it was the basis of applications like Sentinel and pulling source data for City of Data and Mids.)

This is one of the reasons I've been so optimistic and insistent that we will have City of Heroes in some form back at some point.

The Fifth Horseman

  • Elite Boss
  • *****
  • Posts: 961
  • Outside known realities.
Re: I can read dll
« Reply #48 on: May 26, 2013, 09:19:11 AM »
Any sign of the LUA that the Devs were drooling over, that was implemented in the last Beta and about to go live, that was going to let content designers do scripted stuff much more easily?
Correct me if I'm wrong, but wasn't that supposed to be used for controlling things server-side rather than client-side?

Kyriani

  • Elite Boss
  • *****
  • Posts: 299
Re: I can read dll
« Reply #49 on: May 26, 2013, 12:11:22 PM »
This is one of the reasons I've been so optimistic and insistent that we will have City of Heroes in some form back at some point.

Can I just say your confidence here fills me with hope that it won't be too long before I am flying through Paragon once more!

Joshex

  • [citation needed]
  • Elite Boss
  • *****
  • Posts: 1,027
    • my talk page
Re: I can read dll
« Reply #50 on: May 26, 2013, 12:45:02 PM »
COH was definitely written in C -- Microsoft Visual C 2005 to be exact (its compiler fingerprints are all over the place). That does make the disassembly a little easier to deal with.

Part of the authentication protocol uses a small but important portion written in C++ (it turns out that it's a third-party library linked in). That was a bit of a pain to untangle due to its excessive use of templates and virtual functions. Not impossible, just really annoying.

The frog in a blender is a good example -- you can't get the source code back from a compiled program like you can with obfuscated scripts. The best you can do is generate something that compiles to the same machine code, but you'll be missing important things like what the variables and functions are named, and complex constructs will often be broken down into something simpler.

The ability for entire games to be written in something like JavaScript and run in a canned engine like Unity or Blender's game engine is a very recent phenomenon. It's only due to PCs being so incredibly fast and powerful now that the extra bloat from using an interpreted language isn't as detrimental on performance.

I really need to learn to type better, I thought I did reference that I noticed there were tons of .c scripts in the client?

Fact is they are just scripts, no different than me adding a .py into a game; they contain a function that cannot be completed with simple preconstructed programming terms like, for example, GetDamage or such. I do know that C++ is actually very similar to Python, I've had people tell me that, then I've had other people tell me it's similar to Flash ActionScript. I suppose Python contains BOTH manners of programming, both simple and complex.
There is always another way. But it might not work exactly like you may desire.

A wise old rabbit once told me "Never give-up!, Trust your instincts!" granted the advice at the time led me on a tripped-out voyage out of an asteroid belt, but hey it was more impressive than a bunch of rocks and space monkies.

ROBOKiTTY

  • Boss
  • ****
  • Posts: 183
  • KiTTYRiffic
    • KiTTYLand
Re: I can read dll
« Reply #51 on: May 26, 2013, 02:01:24 PM »
If C++ is similar to Python/ActionScript, it's because Python/ActionScript are heavily influenced by C++. But both abstract away the needless complexities of C++.

C/C++ code is compiled to object code, which is nothing like the intermediate bytecode that Python and ActionScript are compiled to. It's simple enough to decompile bytecode to a form structurally identical with the original, but reconstructing source code from object code is something else entirely.
Have you played with a KiTTY today?

GuyPerfect

  • Mary Poppins
  • Titan Staff
  • Elite Boss
  • ****
  • Posts: 1,740
Re: I can read dll
« Reply #52 on: May 26, 2013, 02:49:27 PM »
I've hinted at this several times, but didn't know exactly how public you guys wanted this knowledge to be.  But yeah, at this point, I don't think that disassembling the file formats, protocols or client source code is an issue.

I don't mind people knowing we've hacked the EXE. By now, I figured it was obvious. It's just good, clean fun! The things that shouldn't be public knowledge are the ones that really don't need to be public...

You know the ones I mean.



[...] I noticed there was tons of .c scripts in the client?

fact is they are just scripts, not different than me adding a .py into a game [...]

Everywhere I look...

It's simple enough to decompile bytecode to a form structurally identical with the original, but reconstructing source code from object code is something else entirely.

That's not a given. In its most rudimentary form, bytecode is simply instructions that generally do not represent the actual machine code of a CPU architecture.

The reason Java and .NET bytecode can be pulled apart so easily is because they're designed to be useful for debugging: when a program bombs, you get a nice detailed report of the problem, including the line numbers where things went awry. That debugging information is what's useful for figuring out what the original probably looked like.

The Fifth Horseman

  • Elite Boss
  • *****
  • Posts: 961
  • Outside known realities.
Re: I can read dll
« Reply #53 on: May 26, 2013, 07:29:25 PM »
Everywhere I look...
At least he's trying. I've seen people with BSc in CS who can't write a for loop to save their lives (and I'd love to say that's an exaggeration... except one of them admitted as much lately).
We were heroes. We were villains. At the end of the world we all fought as one. It's what we did that defines us.
The end occurred pretty much as we predicted: all servers redlining until midnight... and then no servers to go around.

Somewhere beyond time and space, if you look hard you might find a flash of silver trailing crimson: a lone lost Spartan on his way home.

Whiteseeker

  • Underling
  • *
  • Posts: 9
Re: I can read dll
« Reply #54 on: May 26, 2013, 08:45:21 PM »
All you smarter than me people keep doing what you're doing! I want my coh back =\

MAN!!!! This this this.

As you can see in my profile, I've been on "this site" since I believe 2008, and only 6 posts so far. Amazing, huh... I like to just read, but am getting very antsy lately from months of CoX withdrawal. Please tell me if you guys have it so it can be played at least on just my compy! I won't tell, I swear!
I had ICON running a bit ago and my wife ran in and started to cry because she thought for a moment that CoX was back up and running. Man did I feel bad.
« Last Edit: May 26, 2013, 09:04:35 PM by Whiteseeker »
CoH player since beginning.

Joshex

  • [citation needed]
  • Elite Boss
  • *****
  • Posts: 1,027
    • my talk page
Re: I can read dll
« Reply #55 on: May 26, 2013, 09:22:26 PM »
« Last Edit: May 27, 2013, 02:03:33 AM by Joshex »
There is always another way. But it might not work exactly like you may desire.

A wise old rabbit once told me "Never give-up!, Trust your instincts!" granted the advice at the time led me on a tripped-out voyage out of an asteroid belt, but hey it was more impressive than a bunch of rocks and space monkies.

Codewalker

  • Hero of the City
  • Titan Network Admin
  • Elite Boss
  • *****
  • Posts: 2,740
  • Moar Dots!
Re: I can read dll
« Reply #56 on: May 27, 2013, 05:20:57 PM »
I suppose my whole point with this thread at this point in the conversation is to say that I know enough about game design to notice things when I read through these documents: styles, the way their code is set up and how it arbitrarily links to .c scripts and .bounds files.

You're seeing references to .c source files only because a programmer put them there on purpose. They're part of the string table, so you have to find where they're referenced from. In a C program, the compiler will lump all of the strings (text) used by the program together, often eliminate duplicates, and then the actual compiled code will reference those strings.

Here's an example from a relatively simple function that is called when you click a choice in a reward table popup:

Code: [Select]
CPU Disasm
Address   Hex dump          Command                                  Comments
005E2970  /$  51            PUSH ECX
005E2971  |.  A1 E05D6801   MOV EAX,DWORD PTR DS:[1685DE0]
005E2976  |.  56            PUSH ESI
005E2977  |.  8B35 DC3BB900 MOV ESI,DWORD PTR DS:[0B93BDC]
005E297D  |.  57            PUSH EDI
005E297E  |.  6A 5F         PUSH 5F                                  ; arg2 = 95
005E2980  |.  6A 01         PUSH 1                                   ; arg1 = 1
005E2982  |.  68 3F0A0000   PUSH 0A3F                                ; line=2623
005E2987  |.  68 200AAB00   PUSH OFFSET 00AB0A20                     ; ASCII "C:\buildfarm\slave\full_release\release\2400\code\coh\Game\UI\uiNet.c"
005E298C  |.  8BF8          MOV EDI,EAX
005E298E  |.  E8 BD992700   CALL 0085C350                            ; send_pack_bits_debug
005E2993  |.  56            PUSH ESI                                 ; arg2 = [0B93BDC]
005E2994  |.  6A 03         PUSH 3                                   ; arg1 = 3
005E2996  |.  68 400A0000   PUSH 0A40                                ; line = 2624
005E299B  |.  68 200AAB00   PUSH OFFSET 00AB0A20                     ; ASCII "C:\buildfarm\slave\full_release\release\2400\code\coh\Game\UI\uiNet.c"
005E29A0  |.  8BC7          MOV EAX,EDI
005E29A2  |.  E8 A9992700   CALL 0085C350                            ; send_pack_bits_debug
005E29A7  |.  83C4 20       ADD ESP,20
005E29AA  |.  5F            POP EDI
005E29AB  |.  5E            POP ESI
005E29AC  |.  59            POP ECX
005E29AD  \.  C3            RETN

The parts after the semicolons are comments added by me to clarify what some of the lines do for reference. The function name "send_pack_bits_debug" doesn't actually exist in the EXE, it's just something I made up after figuring out what the function at that address does.

As you can see, the machine code is using that string to add a file and line number parameter to certain functions for debugging purposes. The only reason it's there is so that the program can, at run-time, report which source file a particular call came from if there's a problem. Not all calls have this (if they did it would be much easier to reconstruct what everything does), but a few do. Probably ones where the debug code never got removed before release.

Quote
I know you've opened the file in a hex editor as I can clearly see, however in a hex editor the entire document will be squigglies (special characters) which are used to represent something else, whether it's short terms such as AND and XOR or long terms and mathematical calculations such as get.player.info.object.location() +90.87.23 and movement.speed = 3.4 (just an example, it's not actually in the document)

The "squigglies" are x86 machine code; the lowest level of program instructions that are directly executed by the CPU. Get a disassembler and it will turn it into assembly language like I posted above, which is a bit more readable.

Also, .bounds files are just bounding boxes for various bits of geometry. Not too exciting by themselves, though somewhat useful if you were building a map editor or something.

Quote
but the fact of the matter is, Wordpad (based on the codecs and programming libraries you have installed) will actually automatically convert some of this text into a legible format not comprised of special characters.

The only thing wordpad might do for you is decode UTF-8, but the COH client doesn't have any of that embedded in the exe, and the French and German message files are long gone. If you just want to look at string tables, you'd be better off grabbing a copy of the strings utility (link goes to a Windows port, pretty much all UNIX systems come with it already). It'll find and show just the ASCII, or Unicode text if you specify, filtering out all the binary portions.

Opening a pigg directly won't get you really anything except a list of filenames from the directory table. The files contained within are compressed -- you need a tool like PiggViewer to extract them.

Quote
As I said, I'm willing to bet that the server responds to the client with one of those predefined expressions; some of them even have brackets, the brackets are either empty or labeled as Int (integer) or Bool (true or false switching operation)

The client/server protocol is binary. I'm using the colloquial form of binary to mean "not plain text", not literally using 1s and 0s to represent it. Most often binary data is viewed in hex for convenience.

Quote
Code: [Select]
@@CryptoPP@@V?$RSAPrivateKeyTemplate@V?$DecryptorTemplate@V?$OAEP@VSHA@CryptoPP@@V

Here's what Codewalker was talking about in another thread: every time the client connects to the server, the server tells the client "here's how I'm gonna encrypt the packets I send to you". Well, OK then, the server is using the CryptoPP method. The multiple listings of CryptoPP tell me that this is some type of externally developed encryption syntax. Getting hold of a copy of CryptoPP would allow us to make our server have the same encryption of its packets as CoH did, and also decrypt any packets that the client sends ;)

Except you're jumping to conclusions based on seeing some text in a string table instead of actually analyzing where it's used. CryptoPP is the C++ code I was talking about tracing through earlier. However, it's used only during initial login, to talk to the authentication server. The game protocol is encrypted using a different library -- a modified version of the original C reference implementation of Blowfish.
« Last Edit: May 27, 2013, 05:39:44 PM by Codewalker »
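Codewalker's point about having to find where a string-table entry is referenced from can be done mechanically: take the string's virtual address and search the code for instructions that embed that address as a 32-bit immediate, which is exactly what the `PUSH OFFSET 00AB0A20` in the listing above is. The Python below is an added example, not code from the thread or from Codewalker's tools. It runs on a constructed flat image (offset equals RVA, assumed image base 0x00400000) containing a made-up stub modelled on the uiNet.c listing; on a real PE you would first map each section's raw data to its VirtualAddress, which this block does not do.

```python
"""Find an ASCII string in a flat x86 image and the instructions that reference its address.

Added example, not code from the thread or from Codewalker's tools. Assumes a
flat image whose file offset equals its RVA (a real PE needs its sections mapped
first) and looks only for the three 5-byte encodings that carry a 32-bit
address inline: PUSH imm32 (68), MOV r32,imm32 (B8+r) and MOV EAX,[moffs32] (A1).
"""
import re
import struct

IMAGE_BASE = 0x00400000  # assumed base for the constructed sample image
# Constructed copy of the debug source path seen in the listing above.
SAMPLE_PATH = b"C:\\buildfarm\\slave\\full_release\\release\\2400\\code\\coh\\Game\\UI\\uiNet.c\0"
REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")


def find_ascii_strings(blob: bytes, min_len: int = 4):
    """Yield (offset, text) for each run of printable ASCII at least min_len long,
    which is what the `strings` utility does."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")


def find_address_refs(blob: bytes, target_va: int, image_base: int = IMAGE_BASE):
    """Return [(instruction_va, mnemonic)] for code that embeds target_va as a little-endian imm32."""
    imm = struct.pack("<I", target_va)
    refs = []
    pos = blob.find(imm)
    while pos != -1:
        opcode = blob[pos - 1] if pos > 0 else None  # the byte just before the immediate
        if opcode == 0x68:
            refs.append((image_base + pos - 1, "push imm32"))
        elif opcode is not None and 0xB8 <= opcode <= 0xBF:
            refs.append((image_base + pos - 1, f"mov {REG32[opcode - 0xB8]}, imm32"))
        elif opcode == 0xA1:
            refs.append((image_base + pos - 1, "mov eax, [moffs32]"))
        pos = blob.find(imm, pos + 1)
    return refs


def xrefs_for_string(blob: bytes, needle: bytes, image_base: int = IMAGE_BASE):
    """Locate the start of needle, turn its offset into a VA, and return (va, referencing instructions)."""
    off = blob.find(needle)
    if off == -1:
        raise ValueError("string not present in image")
    va = image_base + off
    return va, find_address_refs(blob, va, image_base)


def build_sample_image() -> bytes:
    """Constructed image: a stub at RVA 0x1000 that pushes and loads the address of
    SAMPLE_PATH stored at RVA 0x2000. The bytes are made up for this example."""
    img = bytearray(0x3000)
    img[0x2000:0x2000 + len(SAMPLE_PATH)] = SAMPLE_PATH
    str_va = struct.pack("<I", IMAGE_BASE + 0x2000)
    code = (
        b"\x51"                     # push ecx
        + b"\x68" + str_va          # push offset <path>       ; file-name argument, as in the listing
        + b"\xE8\x00\x00\x00\x00"   # call <placeholder>
        + b"\xB8" + str_va          # mov eax, offset <path>   ; address passed in a register
        + b"\xA1" + str_va          # mov eax, [<path>]        ; a read of the string's first bytes
        + b"\x59\xC3"               # pop ecx ; ret
    )
    img[0x1000:0x1000 + len(code)] = code
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for off, text in find_ascii_strings(image):
        print(f"{off:08X}  {text}")
    va, refs = xrefs_for_string(image, SAMPLE_PATH)
    for ref_va, mnemonic in refs:
        print(f"{ref_va:08X}  {mnemonic} -> {va:08X}")
```

Hits are byte-pattern matches, so a data word or the tail of a longer instruction that happens to contain the address will show up as well; confirm that each reported VA lands on an instruction boundary in a disassembler before trusting it.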

Codewalker

  • Hero of the City
  • Titan Network Admin
  • Elite Boss
  • *****
  • Posts: 2,740
  • Moar Dots!
Re: I can read dll
« Reply #57 on: May 27, 2013, 05:38:19 PM »
more stuff,
Code: [Select]
PromptTeamTeleport

It is obvious what would happen if a server file sent this to the client.

Except that the server never actually sends that to a client. The server sends a numerically coded message. The string "PromptTeamTeleport" exists in the client because it's a key that is used to look up a localized message from clientmessages-en.bin to show in the options menu:

Code: [Select]
$ pstring bin/clientmessages-en.bin PromptTeamTeleport
PromptTeamTeleport: Prompt Team Teleport

Quote
Code: [Select]
HideSearch
HideSG
HideFriends
HideGFriends
HideGChannels
HideTells
HideInvites
Messages sent to the server from the client and saved to the character file (and from the server to the client when loading saved settings). Obviously these deal with the hide menu in chat.

These are also all strings that are displayed in the options menu. They have nothing to do with client/server comms.

Actually pretty much everything you've posted comes from the UI system, and are references to messages that are displayed on-screen to the user.

Quote
Code: [Select]
----------------------------------------------------------------------
------- BEGIN PHYSICS STEPS ------------------------------------------
----------------------------------------------------------------------


------ %3d -----------------------------------------------------------------
    ** FLYING **
    ** NO ENT COLL **
ControlsInputIgnored, Jumping,
%4d. [%d/%dx]: id=%5d, cur_time=%dms, runTime=%dms (%dms)
        keys:      %s
        pos:       (%1.8f, %1.8f, %1.8f)
      + vel:       (%1.8f, %1.8f, %1.8f)
      + inpvel:    (%1.8f, %1.8f, %1.8f) @ %f
      + pyr:       (%1.8f, %1.8f, %1.8f)
      + misc:      grav=%1.3f, %s%s
      + move_time: %1.3f
      = newpos:    (%1.8f, %1.8f, %1.8f)
        newvel:    (%1.8f, %1.8f, %1.8f)
%s%s
----------------------------------------------------------------------
-------- END PHYSICS STEPS -------------------------------------------
----------------------------------------------------------------------

You've found some more strings used by debug code. The COH client has a lot of debugging stuff left over in it. The above chunk is filled with values and spit out on the console (run the client with -console on the command line to see it) every time you move if you use the /controldebug slash command, which normally requires client access level 9. There are ways around that, and nemerle has been using the output from it to figure out how some of the client-side physics works in order to implement something similar in SEGS. I don't know if his posts on the subject survived their forum crash.

Quote
how to tell the client to load steel canyon:

Code: [Select]
sceneLoad, SteelCanyon

you might also need

Code: [Select]
finishLoadMap or loadMap

Nope, the map loading code is buried in the guts of the network receive path. Fortunately there's a copy of a subset of it in the demo playback code. How Icon loads Steel Canyon:

CALL 0053AAD0            ; clears out old map
MOV EAX, OFFSET "maps/City_Zones/City_02_01/City_02_01.txt"
CALL 00534160            ; loads the map (fastcall using EAX)
« Last Edit: May 27, 2013, 11:13:30 PM by Codewalker »

Kyriani

  • Elite Boss
  • *****
  • Posts: 299
Re: I can read dll
« Reply #58 on: May 28, 2013, 03:15:49 AM »
Way to crush my hopes and dreams Codewalker =\

Here I was hoping someone found some way to automagically bring back my beloved COH ;_;

I demand that you use your coding powers to bring it back as recompense for destroying my hopes and dreams!

(this was all tongue in cheek but please do something if you can!)

Taceus Jiwede

  • Time Traveler
  • Elite Boss
  • *****
  • Posts: 978
Re: I can read dll
« Reply #59 on: May 28, 2013, 07:37:03 AM »
Codewalker that was really interesting and I feel like I learned something.  But now my head hurts.

Joshex

  • [citation needed]
  • Elite Boss
  • *****
  • Posts: 1,027
    • my talk page
Re: I can read dll
« Reply #60 on: May 28, 2013, 10:57:14 PM »
Codewalker I have the method you need.

Seeing as the server is not active there should be no confirmable anti-hacking software, so when the client asks for encryption we can fix that by using a hook to return a simple statement, encryption=true.

Doing that will let the client think it's been told how to encrypt the packets even though it's basically been shrugged off.

http://easyhook.codeplex.com/

by the way, I got help on this idea I can't claim all of it.
There is always another way. But it might not work exactly like you may desire.

A wise old rabbit once told me "Never give-up!, Trust your instincts!" granted the advice at the time led me on a tripped-out voyage out of an asteroid belt, but hey it was more impressive than a bunch of rocks and space monkies.

Dragonsire

  • Underling
  • *
  • Posts: 4
    • DragonSire Mods
Re: I can read dll
« Reply #61 on: October 05, 2013, 03:18:54 AM »
Okay I'm poking around in the exe, probably wasting my time looking at things long since figured out...but hey everyone needs a hobby right?

But tracing back some subs I'm confused by... well, a bunch of stuff, but at the moment looking at a couple of WSASocketA requests asking for IPv4 SOCK_STREAM, with provider-specified protocol etc. etc., they all are requesting 127.0.0.1... but to be honest I haven't been looking long... way too much to drink and not nearly enough sleep... but before I look at this and just speculate that it's some local internet check, or merely opening a local port, or other should-be-obvious but at the moment is not... I wanted to be sure that the SAVE COH files used for ICON haven't been altered... and if so to what extent... and if they have and that is well pointed out somewhere, I would point out again... way too tired probably to be even looking at this mess of code.
"Reality is Boring"

Arachnion

  • Elite Boss
  • *****
  • Posts: 642
  • Professional Cynic
Re: I can read dll
« Reply #62 on: October 05, 2013, 02:56:54 PM »
Okay I'm poking around in the exe, probably wasting my time looking at things long since figured out...but hey everyone needs a hobby right?

But tracing back some subs I'm confused by... well, a bunch of stuff, but at the moment looking at a couple of WSASocketA requests asking for IPv4 SOCK_STREAM, with provider-specified protocol etc. etc., they all are requesting 127.0.0.1... but to be honest I haven't been looking long... way too much to drink and not nearly enough sleep... but before I look at this and just speculate that it's some local internet check, or merely opening a local port, or other should-be-obvious but at the moment is not... I wanted to be sure that the SAVE COH files used for ICON haven't been altered... and if so to what extent... and if they have and that is well pointed out somewhere, I would point out again... way too tired probably to be even looking at this mess of code.

127.0.0.1 is localhost, i.e., you.

Icon is not doing anything malicious or connecting to servers without your notice/approval, rest assured.

8)
I'm all dressed up with nowhere to go
Walkin' with a dead man over my shoulder

Waiting for an invitation to arrive
Goin' to a party where no one's still alive

Dragonsire

  • Underling
  • *
  • Posts: 4
    • DragonSire Mods
Re: I can read dll
« Reply #63 on: October 05, 2013, 03:11:28 PM »
127.0.0.1 is localhost, i.e., you.

Icon is not doing anything malicious or connecting to servers without your notice/approval, rest assured.

8)

lol never considered that actually... was more wondering if the file (cityofheroes.exe) had been altered to not communicate to NCsoft etc., and forced local (127.0.0.1... yes I understand what it is). But I have since had some rest... grabbed an older copy of the exe and confirmed it was not altered (at least the section I was looking at). Just didn't want to waste time pulling the exe apart only to find some things had been changed in the exe. Assembly isn't fun to read lol
« Last Edit: October 05, 2013, 03:22:42 PM by Dragonsire »
"Reality is Boring"
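Dragonsire's check, confirming that an exe matches an older copy "at least the section I was looking at", is easy to make systematic: parse the PE section table, hash each section's raw data in both builds and compare, then look for 127.0.0.1 in both of the forms it can take inside a binary (the dotted-quad text and the four bytes of an in_addr). This is an added example, not code from the thread or from Icon. The two PE images it compares are constructed inside the block (a minimal PE32 layout with a zeroed optional header), not the City of Heroes client, and their section names, sizes and contents are made up.

```python
"""Compare two builds of a PE executable section by section and flag 127.0.0.1 constants.

Added example for the check described above; not code from the thread or from
Icon/SEGS. Parses only the MZ/PE headers and the section table, and assumes the
two files share a section layout (same names). The sample PE images built at the
bottom are constructed test data, not the City of Heroes client.
"""
import hashlib
import struct
import sys

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def parse_sections(pe: bytes) -> dict:
    """Return {section_name: raw_bytes} by walking MZ -> e_lfanew -> 'PE\\0\\0' -> COFF -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]     # IMAGE_FILE_HEADER.NumberOfSections
    opt_hdr_size = struct.unpack_from("<H", pe, coff + 16)[0]    # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_hdr_size
    sections = {}
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections[name] = pe[raw_ptr:raw_ptr + raw_size]
    return sections


def section_digests(pe: bytes) -> dict:
    """SHA-256 of each section's raw data, so two builds can be compared without a byte-level diff."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in parse_sections(pe).items()}


def compare_sections(pe_a: bytes, pe_b: bytes) -> dict:
    """Per-section verdict: 'same', 'differs', 'missing in a' or 'missing in b'."""
    a, b = section_digests(pe_a), section_digests(pe_b)
    verdict = {}
    for name in sorted(set(a) | set(b)):
        if name not in a:
            verdict[name] = "missing in a"
        elif name not in b:
            verdict[name] = "missing in b"
        else:
            verdict[name] = "same" if a[name] == b[name] else "differs"
    return verdict


# 127.0.0.1 appears either as text or as an in_addr. In network byte order that is
# 7F 00 00 01, which is also how the little-endian immediate 0x0100007F (the value
# inet_addr("127.0.0.1") returns) is laid out inside x86 code.
LOCALHOST_PATTERNS = {
    b"127.0.0.1": "ascii dotted quad",
    b"\x7f\x00\x00\x01": "in_addr / dword 0x0100007F",
}


def find_localhost_constants(pe: bytes) -> list:
    """Return [(section, offset_in_section, kind)] for every byte-level match."""
    hits = []
    for name, data in parse_sections(pe).items():
        for needle, kind in LOCALHOST_PATTERNS.items():
            pos = data.find(needle)
            while pos != -1:
                hits.append((name, pos, kind))
                pos = data.find(needle, pos + 1)
    return hits


def build_pe(sections) -> bytes:
    """Constructed minimal PE32 image (MZ stub, COFF header, zeroed optional header, sections) for testing."""
    e_lfanew, opt_hdr_size, file_align = 0x40, 0xE0, 0x200
    table = e_lfanew + 4 + COFF_HEADER_SIZE + opt_hdr_size
    first_raw = (table + len(sections) * SECTION_HEADER_SIZE + file_align - 1) & ~(file_align - 1)
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew) + b"PE\0\0")
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_hdr_size, 0x0102)  # i386, executable
    hdr += b"\0" * opt_hdr_size
    body, rva = bytearray(), 0x1000
    for name, data in sections:
        raw_size = (len(data) + file_align - 1) & ~(file_align - 1)
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), rva, raw_size,
                           first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        rva += (raw_size + 0xFFF) & ~0xFFF
    return bytes(hdr.ljust(first_raw, b"\0") + body)


# Constructed sample builds: identical .text, .data differs only in B (which adds both 127.0.0.1 forms).
SAMPLE_TEXT = bytes.fromhex("51 68 00 20 40 00 e8 00 00 00 00 59 c3")
SAMPLE_DATA_A = b"C:\\buildfarm\\slave\\full_release\\release\\2400\\code\\coh\\Game\\UI\\uiNet.c\0"
SAMPLE_DATA_B = SAMPLE_DATA_A + b"127.0.0.1\0" + b"\x7f\x00\x00\x01"
SAMPLE_PE_A = build_pe([(".text", SAMPLE_TEXT), (".data", SAMPLE_DATA_A)])
SAMPLE_PE_B = build_pe([(".text", SAMPLE_TEXT), (".data", SAMPLE_DATA_B)])

if __name__ == "__main__":
    if len(sys.argv) == 3:
        a, b = (open(p, "rb").read() for p in sys.argv[1:3])
    else:
        a, b = SAMPLE_PE_A, SAMPLE_PE_B
    for name, result in compare_sections(a, b).items():
        print(f"{name:<8} {result}")
    for section, off, kind in find_localhost_constants(b):
        print(f"127.0.0.1 candidate in {section} at +0x{off:X} ({kind})")
```

Run it with two file paths to compare real builds, or with no arguments for the constructed sample. A differing section tells you where to look, not what changed, and the 7F 00 00 01 pattern in particular can occur by chance in code or data, so treat both kinds of hit as leads to confirm in a disassembler rather than as proof of a hard-coded localhost connection.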

Dragonsire

  • Underling
  • *
  • Posts: 4
    • DragonSire Mods
Re: I can read dll
« Reply #64 on: October 05, 2013, 04:35:41 PM »
I've only been poking around for a couple of days, but it doesn't seem an overly complicated layout. Some of it has me scratching my head at first glance, but really so far all I have had time to do was a quick and dirty ASM > C > .NET conversion just to make reading a little easier, since it's been ages since I looked at assembly. I'm sure all the difficult stuff has been worked out for the most part, but I reactivated (from over a year ago) and have been playing SWTOR... and it just... well, sucks. The more I play the less I like it lol. So it made me dig around and see what progress has been made on City.

I've heard about Plan Z...wish them the best, but I was really hoping any true successor would be open source...built by the community for the community type thing. Because if it does prove viable, and it closes we are back to square one lol. But again, all the best with it.

So I figured I will poke around some, and if a server gets released before i can find anything viable, all the better.
"Reality is Boring"