FIXING PRSPY >64p
Posted: 2014-10-11 00:03
by UTurista
You may know this or not, but when you see the player list in-game or in PRSPY (web or Android app) you'll get a limited view of the first 64 players.
In the last few days I've been trying to find a solution and I think I found it. By changing only 2 key values in the assembly code, the servers start to reply with the full list of players.
Unfortunately I've only tested this on a local server with (96) bots, and knowing DICE this could mean that it doesn't work on dedicated servers. Meaning that I need some server administrators to volunteer to upload the changes and test it.
The FIX
BF2.exe - Tested locally
BF2_w32.exe - Server crashes after the 66th player (bot or human) tries to join. Does successfully report the 65 players however.
Linux 32
Linux 64
The values need to be changed from #40 to #64.
With that said, is there any server willing to test this out?
EDIT: 27/12
The Linux offsets are yet to be found, so I'm currently trying to find a solution via Python, link.
Re: FIXED PRSPY >64p
Posted: 2014-10-11 00:26
by Wicca
PRTA is super duper interested!
Re: FIXED PRSPY >64p
Posted: 2014-10-11 00:32
by Wicca
We need to organize an event for it though. Is that all right with you? I will send a PM to Epoch for permission if you wish to choose PRTA as the testing platform. The server needs to be locked for this.
Re: FIXED PRSPY >64p
Posted: 2014-10-11 11:40
by UTurista
Once you get the answer from Epoch, tell me if you need help in doing the executable alterations and/or the date of the event so I can test if it's working.
Re: FIXED PRSPY >64p
Posted: 2014-10-13 19:24
by UTurista
Bumping...
Also is there any way I can get the PR Server files so I can test this further?
Re: FIXED PRSPY >64p
Posted: 2014-10-13 20:20
by Mineral
You should really PM AM with this.
Re: FIXED PRSPY >64p
Posted: 2014-10-13 23:37
by PricelineNegotiator
Wow, this would be really cool to see. Good work Turista!
Re: FIXED PRSPY >64p
Posted: 2014-10-14 13:27
by Wicca
O_turista_portugues wrote:Once you get the answer from Epoch, tell me if you need help in doing the executable alterations and/or the date of the event so I can test if it's working.
Sorry, didn't see this, sending AM and Epoch a PM now.
Re: FIXED PRSPY >64p
Posted: 2014-10-14 16:24
by UTurista
Unfortunately after talking to AncientMan I realized that I'd forgotten about the Linux servers; if this works, it's for Windows only.
I'll try to fix this but my hate for this OS could be an issue.
Re: FIXED PRSPY >64p
Posted: 2014-10-14 17:53
by MikeDude
Come on, almighty Turista! We believe in you!
Re: FIXED PRSPY >64p
Posted: 2014-10-14 18:19
by Mats391
O_turista_portugues wrote:Unfortunately after talking to AncientMan I realized that I'd forgotten about the Linux servers; if this works, it's for Windows only.
I'll try to fix this but my hate for this OS could be an issue.
I have some assembly hacking stuff already set up for linux servers. I can help if you want.
Re: FIXED PRSPY >64p
Posted: 2014-10-14 18:36
by UTurista
[R-CON]Mats391 wrote:I have some assembly hacking stuff already set up for linux servers. I can help if you want.
Would really appreciate it, but is it possible to say which commands you need to look for?
In Windows the first function is this:
0066BA40 PUSH EBP
0066BA41 MOV EBP,ESP
0066BA43 MOV EDX,DWORD PTR SS:[EBP+C]
0066BA46 TEST EDX,EDX
0066BA48 JL SHORT BF2.0066BA86
0066BA4A CMP EDX,8
0066BA4D JGE SHORT BF2.0066BA86
0066BA4F MOV EAX,DWORD PTR SS:[EBP+8]
0066BA52 TEST EAX,EAX
0066BA54 JL SHORT BF2.0066BA86
0066BA56 CMP EAX,40          ; <-- highlighted in the original post: the value to change
0066BA59 JGE SHORT BF2.0066BA86
0066BA5B LEA EAX,DWORD PTR DS:[EDX+EAX*8]
0066BA5E LEA EDX,DWORD PTR DS:[EAX*8]
0066BA65 SUB EDX,EAX
0066BA67 CMP DWORD PTR DS:[ECX+EDX*4+50C],10
0066BA6F LEA EAX,DWORD PTR DS:[ECX+EDX*4+4F4]
0066BA76 JB SHORT BF2.0066BA7F
0066BA78 MOV EAX,DWORD PTR DS:[EAX+4]
0066BA7B POP EBP
0066BA7C RETN 8
0066BA7F ADD EAX,4
0066BA82 POP EBP
0066BA83 RETN 8
0066BA86 XOR EAX,EAX
0066BA88 POP EBP
0066BA89 RETN 8
And the second change is in a mix of very long loops.
0066C508 MOV EDX,DWORD PTR SS:[EBP-24]
0066C50B MOV EAX,DWORD PTR DS:[EDX]
0066C50D MOV ESI,DWORD PTR SS:[EBP-44]
0066C510 MOV DWORD PTR SS:[EBP-24],EAX
0066C513 MOV EAX,DWORD PTR SS:[EBP-28]
0066C516 ADD EAX,1
0066C519 ADD EBX,0E0
0066C51F CMP EAX,40          ; <-- highlighted in the original post: the value to change
0066C522 MOV DWORD PTR SS:[EBP-28],EAX
0066C525 JL BF2.0066C379
0066C52B MOV ECX,DWORD PTR SS:[EBP-28]
0066C52E MOV DWORD PTR DS:[EDI+4F0],ECX
0066C534 MOV EAX,DWORD PTR DS:[ESI]
0066C536 CMP EAX,ESI
0066C538 MOV DWORD PTR DS:[ESI],ESI
0066C53A MOV DWORD PTR DS:[ESI+4],ESI
0066C53D JE SHORT BF2.0066C551
0066C53F NOP
If you could find this in Linux it would be awesome.
Re: FIXED PRSPY >64p
Posted: 2014-10-14 18:42
by Mats391
Will check it.
Edit: NVM
Re: FIXED PRSPY >64p
Posted: 2014-10-14 19:53
by Mats391
Just searched for this and found no clear candidates. The issue is that I do not know whether it is using EAX as well or another register. How did you find those addresses in the first place? Might be able to do the same on Linux.
Re: FIXED PRSPY >64p
Posted: 2014-10-14 21:41
by UTurista
With "Cheat Engine" I found a name that would appear in the query response, then (with OllyDbg) I added a memory breakpoint at that memory position; after a while I narrowed it down to one call that only happens when we QUERY the server, then I followed it step by step several times until figuring out the offset that I wanted.
Unfortunately there were two comparisons, one with a hard-coded value and the other with a stack value (array.size()), so I set memory breakpoints again, but this time for calls that would write the array size; after a while I found the second offset.
In terms of order, the 2nd offset I found is the 1st to be called.
Re: FIXED PRSPY >64p
Posted: 2014-10-14 21:50
by Strepto
Good job on finding that! That was the primary reason I scrapped my android app project. I won't release a competitor to your nice app though!

Re: FIXED PRSPY >64p
Posted: 2014-10-14 22:23
by UTurista
[R-CON]Mats391 wrote:Just searched for this and found no clear candidates. The issue is that I do not know whether it is using EAX as well or another register. How did you find those addresses in the first place? Might be able to do the same on Linux.
Could a regex search with only the instructions work? Also, could you send me a file with the assembly code? And if possible try to narrow it to the BF2 executable module.
Strepto wrote:Good job on finding that! That was the primary reason I scrapped my android app project. I won't release a competitor to your nice app though!
Competition never hurt anyone

Re: FIXED PRSPY >64p
Posted: 2014-10-15 13:17
by Mats391
O_turista_portugues wrote:Could a regex search with only the instructions work? Also, could you send me a file with the assembly code? And if possible try to narrow it to the BF2 executable module.
I did a regex search, and a comparison between 0x40 and eax already has 35 hits.
Here are the files I worked with. I created them with gcc, so the notation is different from yours. The main difference seems to be that the operands for the instructions in gcc are source,destination and yours seem to be destination,source.
I also suggest starting with the IA32 one as the AMD64 one is a bit more complicated (at least for me).
Download
Re: FIXED PRSPY >64p
Posted: 2014-11-10 17:12
by The Iron Dreamer
Bump?
7char.
Posted: 2014-11-11 12:24
by UTurista
The idea worked for Windows, but Linux is another story.
I'm now trying to find a solution via Python, but apparently AM already tried this route and it would cause server instability...
Nevertheless I'll give it a look.
Edit:
This doesn't mean it's impossible to find the offsets for the Linux binaries; it's just that the tools available aren't easy (good), at least in my opinion.