FIXING PRSPY >64p

General discussion of the Project Reality: BF2 modification.
UTurista
PR:BF2 Developer
Posts: 985
Joined: 2011-06-14 14:13

FIXING PRSPY >64p

Post by UTurista »

You may know, or not, but when you see the player list in-game or in PRSPY (web or android app) you'll get a limited view of the first 64 players.

In these last days I've been trying to find a solution and I think I found it. By changing only 2 key values in the assembly code, the servers start to reply with the full list of players.

Unfortunately I've only tested this on a local server with (96) bots, and knowing DICE this could mean that it doesn't work on dedicated servers. Meaning that I need some server administrators to volunteer to upload the changes and test it.

The FIX
BF2.exe - Tested in Local
  • 66C51F
  • 66BA56
BF2_w32.exe - Server crashes after the 66th player (bot or human) tries to join. Does successfully report the 65 players, however.
  • 6156F6
  • 616185
Linux 32
  • ------
  • ------
Linux 64
  • ------
  • ------
The values need to be changed from #40 to #64.



With that said is there any server willing to test this out?

EDIT: 27/12
The Linux offsets are yet to be found, so I'm currently trying to find a solution via Python, link.
Last edited by piepieonline on 2015-10-18 01:14, edited 5 times in total.
Dont question the wikipedia! Just because it reports different things on different languages does not make it unreliable source!
Wicca
Posts: 7336
Joined: 2008-01-05 14:53

Re: FIXED PRSPY >64p

Post by Wicca »

PRTA is super duper interested!
Xact Wicca is The Joker. That is all.
Wicca
Posts: 7336
Joined: 2008-01-05 14:53

Re: FIXED PRSPY >64p

Post by Wicca »

We need to organize an event for it though. Is that allright with you? I will send a PM to Epoch for permission if you wish to choose PRTA as the testing platform. The server needs to be locked for this.
UTurista
PR:BF2 Developer
Posts: 985
Joined: 2011-06-14 14:13

Re: FIXED PRSPY >64p

Post by UTurista »

Once you get the answer from Epoch, tell me if you need help in doing the executable alterations and/or the date of the event so I can test if it's working.
UTurista
PR:BF2 Developer
Posts: 985
Joined: 2011-06-14 14:13

Re: FIXED PRSPY >64p

Post by UTurista »

Bumping...

Also is there any way I can get the PR Server files so I can test this further?
Mineral
Retired PR Developer
Posts: 8534
Joined: 2012-01-02 12:37
Location: Belgium

Re: FIXED PRSPY >64p

Post by Mineral »

You should really PM AM with this.
PricelineNegotiator
Posts: 1382
Joined: 2009-08-30 04:32

Re: FIXED PRSPY >64p

Post by PricelineNegotiator »

Wow, this would be really cool to see. Good work Turista!
Wicca
Posts: 7336
Joined: 2008-01-05 14:53

Re: FIXED PRSPY >64p

Post by Wicca »

O_turista_portugues wrote:Once you get the answer from Epoch, tell me if you need help in doing the executable alterations and/or the date of the event so I can test if it's working.
Sorry, didn't see this, sending AM and Epoch a PM now.
UTurista
PR:BF2 Developer
Posts: 985
Joined: 2011-06-14 14:13

Re: FIXED PRSPY >64p

Post by UTurista »

Unfortunately, after talking to AncientMan I realized that I'd forgotten about the Linux servers; if this works, it's for Windows only.

I'll try to fix this but my hate for this OS could be an issue.
MikeDude
Posts: 941
Joined: 2007-10-25 12:07

Re: FIXED PRSPY >64p

Post by MikeDude »

Come on, almighty Turista! We believe in you!
[3dAC] MikeDude
Loving PR since 0.2.
Mats391
PR:BF2 Lead Developer
Posts: 7643
Joined: 2010-08-06 18:06

Re: FIXED PRSPY >64p

Post by Mats391 »

O_turista_portugues wrote:Unfortunately, after talking to AncientMan I realized that I'd forgotten about the Linux servers; if this works, it's for Windows only.

I'll try to fix this but my hate for this OS could be an issue.
I have some assembly hacking stuff already set up for linux servers. I can help if you want.
UTurista
PR:BF2 Developer
Posts: 985
Joined: 2011-06-14 14:13

Re: FIXED PRSPY >64p

Post by UTurista »

[R-CON]Mats391 wrote:I have some assembly hacking stuff already set up for linux servers. I can help if you want.
Would really appreciate it, but is it possible to say the commands you need to look for?

In windows the first function is this:

Code:

0066BA40       PUSH EBP
0066BA41       MOV EBP,ESP
0066BA43       MOV EDX,DWORD PTR SS:[EBP+C]
0066BA46       TEST EDX,EDX
0066BA48       JL SHORT BF2.0066BA86
0066BA4A       CMP EDX,8
0066BA4D       JGE SHORT BF2.0066BA86
0066BA4F       MOV EAX,DWORD PTR SS:[EBP+8]
0066BA52       TEST EAX,EAX
0066BA54       JL SHORT BF2.0066BA86
0066BA56       CMP EAX,40                          ; <- highlighted in the original post
0066BA59       JGE SHORT BF2.0066BA86
0066BA5B       LEA EAX,DWORD PTR DS:[EDX+EAX*8]
0066BA5E       LEA EDX,DWORD PTR DS:[EAX*8]
0066BA65       SUB EDX,EAX
0066BA67       CMP DWORD PTR DS:[ECX+EDX*4+50C],10
0066BA6F       LEA EAX,DWORD PTR DS:[ECX+EDX*4+4F4]
0066BA76       JB SHORT BF2.0066BA7F
0066BA78       MOV EAX,DWORD PTR DS:[EAX+4]
0066BA7B       POP EBP
0066BA7C       RETN 8
0066BA7F       ADD EAX,4
0066BA82       POP EBP
0066BA83       RETN 8
0066BA86       XOR EAX,EAX
0066BA88       POP EBP
0066BA89       RETN 8

And the second change is in a mix of very long loops.

Code:

0066C508       MOV EDX,DWORD PTR SS:[EBP-24]
0066C50B       MOV EAX,DWORD PTR DS:[EDX]
0066C50D       MOV ESI,DWORD PTR SS:[EBP-44]
0066C510       MOV DWORD PTR SS:[EBP-24],EAX
0066C513       MOV EAX,DWORD PTR SS:[EBP-28]
0066C516       ADD EAX,1
0066C519       ADD EBX,0E0
0066C51F       CMP EAX,40                          ; <- highlighted in the original post
0066C522       MOV DWORD PTR SS:[EBP-28],EAX
0066C525       JL BF2.0066C379
0066C52B       MOV ECX,DWORD PTR SS:[EBP-28]
0066C52E       MOV DWORD PTR DS:[EDI+4F0],ECX
0066C534       MOV EAX,DWORD PTR DS:[ESI]
0066C536       CMP EAX,ESI
0066C538       MOV DWORD PTR DS:[ESI],ESI
0066C53A       MOV DWORD PTR DS:[ESI+4],ESI
0066C53D       JE SHORT BF2.0066C551
0066C53F       NOP

If you could find this in Linux it would be awesome.
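As an added illustration of the fix described in the first post and of the two "CMP EAX,40" sites shown in the listings above (this is editor-supplied example code, not from the thread or the PR team): a small scanner that finds every Intel encoding of cmp eax,0x40 in a raw binary, and a patcher that only rewrites the immediate after verifying the original bytes and writing a backup. It assumes the encodings 83 F8 40 and 3D 40 00 00 00, works on a constructed byte string rather than a real executable, and operates on file offsets; the addresses in the post are OllyDbg in-memory addresses, which have to be mapped to file offsets through the executable's section table before they can be used this way.

```python
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Two Intel encodings of the comparison the thread talks about ("CMP EAX,40"):
#   83 F8 40        cmp eax, 0x40   (sign-extended 8-bit immediate; what OllyDbg shows)
#   3D 40 00 00 00  cmp eax, 0x40   (32-bit immediate form, so the scan is not blind to it)
OLD_CAP, NEW_CAP = 0x40, 0x64          # 64 players -> 100 players, as the post describes
PATTERNS = {
    "cmp eax,imm8":  (re.compile(rb"\x83\xF8\x40"), 2),          # immediate is byte 2
    "cmp eax,imm32": (re.compile(rb"\x3D\x40\x00\x00\x00"), 1),  # immediate starts at byte 1
}

def find_candidates(data: bytes) -> List[Tuple[int, str]]:
    """List (file offset, form) of every cmp eax,0x40 in data: the same kind of
    search Mats391 describes later, which is why it yields many unrelated hits."""
    hits: List[Tuple[int, str]] = []
    for form, (pat, _) in PATTERNS.items():
        hits.extend((m.start(), form) for m in pat.finditer(data))
    return sorted(hits)

def patch_at(data: bytes, offset: int, form: str) -> bytes:
    """Return a copy with the immediate at offset changed to NEW_CAP. Refuses to
    write unless the original bytes are exactly what the fix expects."""
    pat, imm_off = PATTERNS[form]
    if not pat.match(data, offset):
        raise ValueError(f"no '{form}' with 0x{OLD_CAP:02X} at 0x{offset:X}: wrong offset or binary")
    buf = bytearray(data)
    buf[offset + imm_off] = NEW_CAP
    return bytes(buf)

def patch_file(path: Path, sites: Iterable[Tuple[int, str]]) -> Path:
    """Back up the binary next to itself, then apply every (offset, form) site."""
    data = path.read_bytes()
    backup = path.with_name(path.name + ".bak")
    backup.write_bytes(data)
    for off, form in sites:
        data = patch_at(data, off, form)
    path.write_bytes(data)
    return backup

# Constructed sample (not a real BF2 binary): one imm8 comparison like the one at
# 0066BA56, filler, and an imm32 decoy to show that a pattern hit alone is not proof.
SAMPLE = (b"\x55\x8B\xEC\x85\xC0"        # push ebp; mov ebp,esp; test eax,eax
          + b"\x83\xF8\x40\x7D\x2B"       # cmp eax,40 ; jge ...
          + b"\x90" * 4                   # nop padding
          + b"\x3D\x40\x00\x00\x00")      # cmp eax,40 (imm32 form)

if __name__ == "__main__":
    for off, form in find_candidates(SAMPLE):
        print(f"candidate {form} at file offset 0x{off:X}")
```

Only a candidate confirmed by the debugger trace the author describes (breakpoint on the query response, step to the comparison) should be passed to patch_file; the scan alone cannot tell the player cap apart from any other comparison against 0x40.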
Mats391
PR:BF2 Lead Developer
Posts: 7643
Joined: 2010-08-06 18:06

Re: FIXED PRSPY >64p

Post by Mats391 »

Will check it.

Edit: NVM
Last edited by Mats391 on 2014-10-14 18:52, edited 1 time in total.
User avatar
Mats391
PR:BF2 Lead Developer
Posts: 7643
Joined: 2010-08-06 18:06

Re: FIXED PRSPY >64p

Post by Mats391 »

Just searched for this and found no clear candidates. The issue is that I do not know whether it is using EAX as well or another register. How did you find those addresses in the first place? Might be able to do the same on Linux.
UTurista
PR:BF2 Developer
Posts: 985
Joined: 2011-06-14 14:13

Re: FIXED PRSPY >64p

Post by UTurista »

With "Cheat Engine" I found a name that would appear in the query response, then (with OllyDbg) I added a memory breakpoint at that memory position; after a while I narrowed it down to one call that only happens when we QUERY the server, then I followed it step by step several times until figuring out the offset that I wanted.

Unfortunately there were two comparisons, one with a hard-coded value and the other with a stack value (array.size()), so I set memory breakpoints again, but this time for calls that would write the array size; after a while I'd found the second offset.

In terms of order, the 2nd offset I found is the 1st to be called.
Strepto
Posts: 55
Joined: 2011-03-13 21:49

Re: FIXED PRSPY >64p

Post by Strepto »

Good job on finding that! That was the primary reason I scrapped my android app project. I won't release a competitor to your nice app though! :D
UTurista
PR:BF2 Developer
Posts: 985
Joined: 2011-06-14 14:13

Re: FIXED PRSPY >64p

Post by UTurista »

Mats391 wrote:Just searched for this and found no clear candidates. The issue is that I do not know whether it is using EAX as well or another register. How did you find those addresses in the first place? Might be able to do the same on Linux.

Could a regex search with only the instructions work? Also, could you send me a file with the assembly code? And if possible, try to narrow it to the BF2 executable module.

Strepto wrote:Good job on finding that! That was the primary reason I scrapped my android app project. I won't release a competitor to your nice app though! :D
Competition never hurt anyone :D
Mats391
PR:BF2 Lead Developer
Posts: 7643
Joined: 2010-08-06 18:06

Re: FIXED PRSPY >64p

Post by Mats391 »

O_turista_portugues wrote:Could a regex search with only the instructions work? Also, could you send me a file with the assembly code? And if possible, try to narrow it to the BF2 executable module.
I did a regex search, and a comparison between 0x40 and eax already has 35 hits :(

Here are the files I worked with. I created them with gcc, so the notation is different from yours. The main difference seems to be that the parameters for the commands in gcc are source,destination and yours seem to be destination,source.
I also suggest starting with the IA32 one, as the AMD64 one is a bit more complicated (at least for me).

Download
The Iron Dreamer
Posts: 444
Joined: 2009-01-16 22:23

Re: FIXED PRSPY >64p

Post by The Iron Dreamer »

Bump?
7char.
UTurista
PR:BF2 Developer
Posts: 985
Joined: 2011-06-14 14:13

Post by UTurista »

The idea worked for Windows, but Linux is another story.
I'm now trying to find a solution via Python, but apparently AM already tried this route and it would cause server instability...
Nevertheless, I'll give it a look.

Edit:
This doesn't mean it's impossible to find the offsets for the Linux binaries; it's just that the tools available aren't easy (good), at least in my opinion.