I can read dll

[dwturducken]

I can follow it, barely, but I can't possibly hope to contribute to it. I feel a little like one of Lee Iacocca's original Mustang design team listening to a current engineering team talk about how they designed the new Mustang. The words make sense, but the discussion is at a level I can't possibly grasp. (ATM )

[Triplash]

I don't know what the heck you coders are talking about...

I'm convinced they see life in that squoogly green Matrix code.

And you should hear them talking to each other IRL. They have a secret language that sounds like the squeal from a dialup modem.

[Kyriani]

I may not get the entirety of what I read... but I think Joshex saying the client pretty much as most if not all of the stuff we need and if they can figure out what/how the client asks the server, they can make the game playable again...

>_>   or maybe that's just me being desperate and grasping at straws because I really dont know wtf all that code stuff means...

[Joshex]

you wouldn't believe how much of the code they have defined to thier own custom terms. theres alot of listings for the location of C files which contain more specific code for certain interactions.

I wonder if they were on the server. probably not though, they have local addresses.

[GuyPerfect]

Codewalker, Guy, 5thhorseman anything any of you need from inside cityofheroes.exe? I have nearly the entire file decrypted.

You do? How about the bytes at 0x459040 in the beta EXE? Here's what it looks like in a hex editor:



Garbled junk? Encrypted text? Actually, that's program code:

Code: [Select]

00859040  8D41 07           LEA     EAX, DWORD PTR [ECX+7]
00859043  99                CDQ
00859044  83E2 07           AND     EDX, 7
00859047  03C2              ADD     EAX, EDX
00859049  57                PUSH    EDI
0085904A  8BF8              MOV     EDI, EAX
0085904C  C1FF 03           SAR     EDI, 3
0085904F  837E 08 00        CMP     DWORD PTR [ESI+8], 0
00859053  74 0B             JE      00859060
00859055  8346 04 01        ADD     DWORD PTR [ESI+4], 1
00859059  C746 08 00000000  MOV     DWORD PTR [ESI+8], 0
00859060  8B46 04           MOV     EAX, DWORD PTR [ESI+4]
00859063  8B56 08           MOV     EDX, DWORD PTR [ESI+8]
00859066  8D14C2            LEA     EDX, DWORD PTR [EDX+EAX*8]
00859069  03D1              ADD     EDX, ECX
0085906B  3B56 18           CMP     EDX, DWORD PTR [ESI+18]
0085906E  76 0B             JBE     0085907B
00859070  C746 28 02000000  MOV     DWORD PTR [ESI+28], 2
00859077  33C0              XOR     EAX, EAX
00859079  5F                POP     EDI
0085907A  C3                RETN
0085907B  8B4E 0C           MOV     ECX, DWORD PTR [ESI+C]
0085907E  8B5424 08         MOV     EDX, DWORD PTR [ESP+8]
00859082  57                PUSH    EDI
00859083  03C8              ADD     ECX, EAX
00859085  51                PUSH    ECX
00859086  52                PUSH    EDX
00859087  E8 C4631800       CALL    009DF450                    ; memcpy
0085908C  017E 04           ADD     DWORD PTR [ESI+4], EDI
0085908F  83C4 0C           ADD     ESP, C
00859092  B8 01000000       MOV     EAX, 1
00859097  5F                POP     EDI
00859098  C3                RETN
And it's part of the communications protocol (for the curious, it copies a number of bits from a buffer into another buffer). Which addresses your earlier concern:

now we need to decrypt the client enough to see what it's asking the server.

This is just one function of many. The EXE contains nearly 23,000 of them. You sure you got those all figured out over the span of a few hours? 'Cause we have information on what they all do, and it took us more than just overnight to get the job done.

Did you know that the EXE contains nicely formatted schemas describing the serialization format of all the .bin files? No joke, you can see the definition of powers.bin for yourself at 0x7BC380. In fact, the EXE contains information on the formats of all of the client files (go figure), either as data or in program code. There's literally nothing there that we don't know by now (or at least have the information we need to know more).

Knowing about the EXE is what enabled me to make Sentinel. Knowing about the EXE is what enabled Codewalker to make Icon. Knowing about the data files is what has enabled Titan Network to maintain resources such as Mids and City of Data over the years.

It's not my intention to be forward or disrespectful, but my concern is that you're in over your head here. Your investigation has been honorable, but your methods are somewhat less than optimal, and I get the impression that you don't wield the expertise necessary to dig very far below the surface. I don't mean to discourage you from continuing your work: by all means, learn as much as you can, because it's wonderful experience. But I do want you and everyone else to be aware that the work you're doing has already been taken care of in spades.

[Joshex]

You do? How about the bytes at 0x459040 in the beta EXE? Here's what it looks like in a hex editor:



Garbled junk? Encrypted text? Actually, that's program code:

Code: [Select]

00859040  8D41 07           LEA     EAX, DWORD PTR [ECX+7]
00859043  99                CDQ
00859044  83E2 07           AND     EDX, 7
00859047  03C2              ADD     EAX, EDX
00859049  57                PUSH    EDI
0085904A  8BF8              MOV     EDI, EAX
0085904C  C1FF 03           SAR     EDI, 3
0085904F  837E 08 00        CMP     DWORD PTR [ESI+8], 0
00859053  74 0B             JE      00859060
00859055  8346 04 01        ADD     DWORD PTR [ESI+4], 1
00859059  C746 08 00000000  MOV     DWORD PTR [ESI+8], 0
00859060  8B46 04           MOV     EAX, DWORD PTR [ESI+4]
00859063  8B56 08           MOV     EDX, DWORD PTR [ESI+8]
00859066  8D14C2            LEA     EDX, DWORD PTR [EDX+EAX*8]
00859069  03D1              ADD     EDX, ECX
0085906B  3B56 18           CMP     EDX, DWORD PTR [ESI+18]
0085906E  76 0B             JBE     0085907B
00859070  C746 28 02000000  MOV     DWORD PTR [ESI+28], 2
00859077  33C0              XOR     EAX, EAX
00859079  5F                POP     EDI
0085907A  C3                RETN
0085907B  8B4E 0C           MOV     ECX, DWORD PTR [ESI+C]
0085907E  8B5424 08         MOV     EDX, DWORD PTR [ESP+8]
00859082  57                PUSH    EDI
00859083  03C8              ADD     ECX, EAX
00859085  51                PUSH    ECX
00859086  52                PUSH    EDX
00859087  E8 C4631800       CALL    009DF450                    ; memcpy
0085908C  017E 04           ADD     DWORD PTR [ESI+4], EDI
0085908F  83C4 0C           ADD     ESP, C
00859092  B8 01000000       MOV     EAX, 1
00859097  5F                POP     EDI
00859098  C3                RETN
And it's part of the communications protocol (for the curious, it copies a number of bits from a buffer into another buffer). Which addresses your earlier concern:

This is just one function of many. The EXE contains nearly 23,000 of them. You sure you got those all figured out over the span of a few hours? 'Cause we have information on what they all do, and it took us more than just overnight to get the job done.

Did you know that the EXE contains nicely formatted schemas describing the serialization format of all the .bin files? No joke, you can see the definition of powers.bin for yourself at 0x7BC380. In fact, the EXE contains information on the formats of all of the client files (go figure), either as data or in program code. There's literally nothing there that we don't know by now (or at least have the information we need to know more).

Knowing about the EXE is what enabled me to make Sentinel. Knowing about the EXE is what enabled Codewalker to make Icon. Knowing about the data files is what has enabled Titan Network to maintain resources such as Mids and City of Data over the years.

It's not my intention to be forward or disrespectful, but my concern is that you're in over your head here. Your investigation has been honorable, but your methods are somewhat less than optimal, and I get the impression that you don't wield the expertise necessary to dig very far below the surface. I don't mean to discourage you from continuing your work: by all means, learn as much as you can, because it's wonderful experience. But I do want you and everyone else to be aware that the work you're doing has already been taken care of in spades.

lol, I know the encrypted portions are program code even a .jpg's encrypted text is program code that tells it the pixel location on x and y and the rgb data in hex.

trust me I'm just browsing to figure out what needs to be done to get the server code atm, that can be figured in about an hour or 2, you say you already know 23000 of them. and yeah I know it contains schematics of all the file formats, I read through a few of them, it was fun to see how they chose to code it.

my next trick will be to completely decompile this file to see what it's asking the server in definite in order to be told it's ok to spawn doors and NPCs, I mean the entire code for the NPC locations and models is on the client side, same with the doors and zone switching triggers.

it's just a matter of making an outside file that tells the client "yeah thats ok go ahead" in lame-mans terms.

I know you guys have alot of stuff figured out, but the above 2 things (probably more than 2 in the actual server code) seem to be something that no one has accomplished yet, hence what I'm trying to figure out.

[srmalloy]

lol, I know the encrypted portions are program code even a .jpg's encrypted text is program code that tells it the pixel location on x and y and the rgb data in hex.

Not exactly; JPG, PNG, and all the other compressed formats store what is essentially pseudo-code and data, not program code; they indicate which operations to perform on the data in the file, but don't contain the code that actually performs the operation. But that description is a useful first approximation -- you can look at it from the perspective of the file format containing the 'program' that the image viewer 'executes' to decompress the data in the file to recreate the image.

[Taceus Jiwede]

Eeeeeeee!!! I love hearing(or seeing in this case) people talk about the things they enjoy/love doing!

Joshex, any news on that sure proof way of getting CoH's IP back from NCSoft?  NCSoft's gates could use a good stormin'.

[Codewalker]

lol, I know the encrypted portions are program code even a .jpg's encrypted text is program code that tells it the pixel location on x and y and the rgb data in hex.

Part of the problem is that you're confusing basic terminology, which makes the rest of your claims seem doubtful. "Encryption" has a very specific meaning, and other than the network protocol in-flight and one very tiny section, there's nothing in the COH client that is encrypted.

"Encrypted text" is even more dubious, because the majority of what you're looking at isn't text at all; it's binary code that is either directly executed by the hardware, or is interpreted as data by a program. It may contain fragments of text that it uses, but without the context those fragments are marginally useful at best.

You probably mean "encoded", but even then, most of it is still not text, nor a "script" of any kind.

and yeah I know it contains schematics of all the file formats, I read through a few of them, it was fun to see how they chose to code it.

Would you mind posting one of them and your interpretation of it? I have a feeling I know what you're seeing, and that it's probably not what you think it is.

to see what it's asking the server in definite in order to be told it's ok to spawn doors and NPCs, I mean the entire code for the NPC locations and models is on the client side

The client doesn't ask for that. The client sits and waits, the server sends messages like "Spawn this NPC at these coordinates doing this animation with these 50 different properties" and "You did 19.72 damage to this NPC".

zone switching triggers.

Those do exist in the client map files (sort of, it doesn't contain ones you can choose like train destinations, but it does have the spawn points), but the client doesn't actually use them.

This is readily apparent with Icon -- walk into one of the tunnels that normally teleports you to another zone and see that there is no freeze in control like there is when clicking a door. The client has no idea that you're standing in a teleport volume -- normally the server would just send an unsolicited "You're now in Steel Canyon, here's the map file to load" message.

it's just a matter of making an outside file that tells the client "yeah thats ok go ahead" in lame-mans terms.

What method are you planning to use to deliver this file to the client and get it to read it?

[JetFlash]

Wow, does that bring back memories.  Haven't coded in Assembler in over 20 years now.  I'm sure I could pick it up again if I had to, but I'm happier doing IT instead of being a code monkey.   

[Kyriani]

Honestly all this technical code stuff just turns my brain inside out. I will just sit quietly and let you smart people do whatever it is you do and pray that you succeed in bringing back my beloved COH. If there is any part of the work that needs doing that is simple data entry or some other menial time consuming task that someone who has no clue how to code can do, then feel free to hit me up cause time is the one resource I have in ABUNDANCE.

[The Fifth Horseman]

I would also have accepted -1 as the answer. (-:

If and only if Printr8That relies on an assumption r8 is treated as a signed integer. :-)
Anyway, neither what I said nor the way I said it was very civil. What I meant is that reverse engineering requires a degree of competence in a fairly niche skill set. I believe that the risks of taking in a well-meaning but clueless person would outweigh the benefits in this scenario - which is why I doubt such a project would be taking in every unknown quantity that comes around.

[GuyPerfect]

If there is any part of the work that needs doing that is simple data entry or some other menial time consuming task that someone who has no clue how to code can do, then feel free to hit me up cause time is the one resource I have in ABUNDANCE.

We write programs to do that for us. (-:

[Mister Bison]

*grabs popcorn*

However this discussion finishes, it'll be fun.

By the way, I know that crowdsourcing and reverse engineering seem to be alien teminology. That was neologism of sorts. All I wanted to convey/suggest was that all the work that has been done by the Titan coders (mapping the executable) could have been done, maybe faster, maybe better (don't underestimate stochastic approaches), made public (while somewhat protected from vandalism) and enjoyed by more people.

And by the way, there are sophisticated disassemblers now that can extract all the assembly into pseudo C-code. Of course all the functions look "f201038"-y at first (that means, meaningless) but that's how you disassemble what you get from real executables, with no debug information. It's just that it's easier to look at (with braces, loops, parameters), and you can name variables/functions in a more humane way. But that, you already knew I guess.

(666th post, I hope nobody is superstitious.)

Edit: rephrased, a bit tired.

[Lucretia MacEvil]

Honestly all this technical code stuff just turns my brain inside out. I will just sit quietly and let you smart people do whatever it is you do and pray that you succeed in bringing back my beloved COH.

This goes for me as well, although I may be prone to some mild fidgeting from time to time.

[Joshex]

Part of the problem is that you're confusing basic terminology, which makes the rest of your claims seem doubtful. "Encryption" has a very specific meaning, and other than the network protocol in-flight and one very tiny section, there's nothing in the COH client that is encrypted.

"Encrypted text" is even more dubious, because the majority of what you're looking at isn't text at all; it's binary code that is either directly executed by the hardware, or is interpreted as data by a program. It may contain fragments of text that it uses, but without the context those fragments are marginally useful at best.

You probably mean "encoded", but even then, most of it is still not text, nor a "script" of any kind.

Would you mind posting one of them and your interpretation of it? I have a feeling I know what you're seeing, and that it's probably not what you think it is.

The client doesn't ask for that. The client sits and waits, the server sends messages like "Spawn this NPC at these coordinates doing this animation with these 50 different properties" and "You did 19.72 damage to this NPC".

Those do exist in the client map files (sort of, it doesn't contain ones you can choose like train destinations, but it does have the spawn points), but the client doesn't actually use them.

This is readily apparent with Icon -- walk into one of the tunnels that normally teleports you to another zone and see that there is no freeze in control like there is when clicking a door. The client has no idea that you're standing in a teleport volume -- normally the server would just send an unsolicited "You're now in Steel Canyon, here's the map file to load" message.

What method are you planning to use to deliver this file to the client and get it to read it?

By encrypted I mean, it's no longer 0's and 1's is it? therefore some form of encryption has been used to change the characters so a random person can't read it, also when it comes down to it, all the programming language we know is binary lol except for specific stuff like colors or sound coordinates. everything else is a bunch of 0's and 1's we just define certain sets of 01010 as = functionname.

I'll post something and my interpretation of it later today, right now I just want to reply to some of the things in your post so you don;t think I'm witless or overly hopeful.

did you ever wonder why everything including the scene change triggers are on the client side and yet they don't work? as a game developer it became obvious to me the moment I saw the .bound files listed. it would make bad sense to have the server constantly checking every character to see where they are (it would be like a worm), not to mention it would take a ton of bandwidth (I've played CoH on dial-up 4.4kb/s so that is obviously not the case.

the thing that actually takes up the time on your computer for loading a new map is clearing the memory of the old map and loading the new map plus server wait response time. infact you'll notice that the loading bar loads relatively quickly then hangs up near the end, this is:  the quick part: is building blah present in memory? Check!, is NPC Blah loaded in memory? Check! ETC., the wait near the end: "hey server, All objects loaded in memory I'm ready. server; um can you wait a sec I'm serving other people atm, first loaded = first served"

the client side does all the collision calcs including the scene trigger collisions. By process of simplistic function and elimination of anything else; they are and must be set-up as follows to work:

On collision with object that contains property "player" send message to server; collision = true and Wait for response - this is the question the client asks or very close to it.

now then, the actual scene switch  (have you ever monitored your connection?) it's merely a ping to see if you are still connected with a few odd KB in data to say a simple short message that the client uses to determine what to do next. what is too long? load map C:\blah\blah\ETC\blah\steelcanyon.map and spawn blahblahblah and blah

(plus it seems a bit redundant to have all the spawn info on the cleint side if the server is gonna tell it all of it all over again every time we interact with those locations).

ok so the actual scene switch will be using a keyword that is already predefined on the client side, this presents a realistic loading situation versus being stuck there for minutes (high speed connection) waiting for the server to be free to send you all that data (and burning itself out fast in the process, some viruses called worms will do similar operations like : load blah.txt 3 billion trillion times)

from what I have seen we already have a long list of predefined terms in the client, I'm willing to bet that the trigger is waiting for a response of one of those terms.

Connectivity, I have several hypotheses of how to do it. 1; tell the cleint where to connect by changing it's target to include the desired file (where you could normally put in an IP address) 2; have the file itself be set to contact the client with the information, 3; both 1 and 2.

from what I can see the server sends very small amounts of simple data. the server says things like; steelcanyon = true, NPCMSliberty = true, Adamstor = true and Adamastor = G2  (spawn point) or Loc00.00.00 and Rot90.00.00, HP =###### End=###### Despawn at Time().

Timing is determined by the server,    Battle cals Could be done on either side though I'm sure they are done on the server for anti- hacking purposes. still that would mean there is a Defined term on the client side with Open/empty brackets. a simple statement by a wouldbe server file would just need to set for example @Joshex PlayerHP(1200) as an answer to a calc. I figure @name would work because the game is set-up to recognise any character we play as our @.

I do remember seeing such statements in the readable portion of the client that are regarding various stats.

pre defined terms are mandatory in most modern quality games, the games WIll understand them if they are sent such.

I will post more later.

Eeeeeeee!!! I love hearing(or seeing in this case) people take about the things they enjoy/love doing!

Joshex, any news on that sure proof way of getting CoH's IP back from NCSoft?  NCSoft's gates could use a good stormin'.

I will put that in motion the moment we hear anything negative from google.

[The Fifth Horseman]

By encrypted I mean, it's no longer 0's and 1's is it? therefore some form of encryption has been used to change the characters so a random person can't read it,

Hexadecimal representation is just a way of representing binary values, not any form of encryption. Four bits per digit, two digits per byte. 0xDEAD5432 = 1101 1110 1010 1101 0101 0100 0011 0010 b

also when it comes down to it, all the programming language we know is binary lol except for specific stuff like colors or sound coordinates. everything else is a bunch of 0's and 1's

Special cases? Since when? Your CPU can't operate on anything but binary. Your RAM and HDD can't store anything but binary.

[FatherXmas]

In the end, it's all ones and zeros.

[Joshex]

Hexadecimal representation is just a way of representing binary values, not any form of encryption. Four bits per digit, two digits per byte. 0xDEAD5432 = 1101 1110 1010 1101 0101 0100 0011 0010 bSpecial cases? Since when? Your CPU can't operate on anything but binary. Your RAM and HDD can't store anything but binary.

true, i was just setting myself up making sure to let people know that I know that typically sounds are represented in hexidecimal numbers yeah even that can be converted to it's binary ancestor, but I just wanted to make sure no one would call me an idiot for forgetting to mention hexidecimal.

[Mister Bison]

true, i was just setting myself up making sure to let people know that I know that typically sounds are represented in hexidecimal numbers yeah even that can be converted to it's binary ancestor, but I just wanted to make sure no one would call me an idiot for forgetting to mention hexidecimal.

Again, you mix terminology. Hexadecimal to binary and backward are not really conversions. It's merely a more compact way of writing it. Like 1 000 000 000 000 and 1.0E12, or "One 1 and 12 zeros". If you really insist, you convert notations, that's all. That's nothing really constructive.

It's the same with assembly. You don't "convert" from 06 07 03 to PUSH POP ADD. It's just another way of reprensenting it that allows a human to directly understand what the processor will do.

And it's not encrypted either.

And if you ever get or have source code, give it all up, don't look at the executable. But you won't find any source in the executable, that's the point. Executable is but a very optimized, computer-understandable conversion (yes, that is a conversion, called "compilation") from source code.