
force_sheltom_fix_description_after_celesto

If you are using a fork of client 1873, you have probably noticed that the force sheltoms after Celesto have a broken display, both in the inventory and when they are used.

01.jpg 02.jpg

The first symptom is caused by a loop whose bound is too small, so the description is never shown for the last forces.
The second one is caused by a pointer table of sheltom names that is too short, so lookups for the later forces run past its end.
Both are easy to fix.

1. Inventory description:

The original loop stops at 9, which makes it end at the Celesto force.

OllyDbg - Client side

0048FE60  |> /3B049D E8696C /CMP EAX,DWORD PTR DS:[EBX*4+6C69E8]
0048FE67  |. |74 0B         |JE SHORT 0048FE74
0048FE69  |. |43            |INC EBX
0048FE6A  |. |83FB 09       |CMP EBX,9
0048FE6D  |.^\7C F1         \JL SHORT 0048FE60


Here you can see the comparison with 9 (CMP EBX, 9). We just need to increase that value: C (hex, i.e. 12) will display up to the Enigma force.

OllyDbg - Client side

0048FE67  |. /74 0B         JE SHORT 0048FE74
0048FE69  |. |43            INC EBX
0048FE6A     |83FB 0C       CMP EBX,0C
0048FE6D  |.^|7C F1         JL SHORT 0048FE60


03.jpg

That was an easy one :)

2. Active description:

This one requires a little more work. The instruction below indexes a pointer table,
and that table contains pointers to the force names.

OllyDbg - Client side

004A7323  |.  8B148D 840068 MOV EDX,DWORD PTR DS:[ECX*4+680084]      ; PTR to ASCII "Numb:"


At the address 680084 we have this table:

OllyDbg - Client side



Unfortunately this table contains only 8 pointers and there is no free space after it to add more, so we will have to relocate it somewhere else.
Also, if your client has a KPTTrans section, it contains a list of sheltom names that the new entries can point at.

It's located here:

OllyDbg - Client side



Let's relocate the pointer table somewhere inside the KPTTrans section. I've chosen the address 0440F200.

OllyDbg - Client side



And let's not forget to change the pointer to the table!

OllyDbg - Client side

004A7323      8B148D 00F240 MOV EDX,DWORD PTR DS:[ECX*4+440F200]


04.jpg

Tadaaa :)

If, after making these modifications, you get a weird display like this one:

05.jpg

then the problem is located here:

OllyDbg - Client side

0048FD41  |> /3B049D E8696C /CMP EAX,DWORD PTR DS:[EBX*4+6C69E8]
0048FD48  |. |74 08         |JE SHORT 0048FD52
0048FD4A  |. |43            |INC EBX
0048FD4B  |. |83FB 09       |CMP EBX,9
0048FD4E  |.^\7C F1         \JL SHORT 0048FD41
0048FD50  |.  EB 3D         JMP SHORT 0048FD8F


You need to increase the constant 9 to the same value we set in step 1 (C in my case).

OllyDbg - Client side

0048FD41  |> /3B049D E8696C CMP EAX,DWORD PTR DS:[EBX*4+6C69E8]
0048FD48  |. |74 08         JE SHORT 0048FD52
0048FD4A  |. |43            INC EBX
0048FD4B     |83FB 0C       CMP EBX,0C
0048FD4E  |.^\7C F1         JL SHORT 0048FD41
0048FD50  |.  EB 3D         JMP SHORT 0048FD8F
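Both fixes above, as an added example that is not part of the original page: a small Python patcher that rewrites the two CMP EBX,9 bounds to C and relocates the eight-entry pointer table to 0440F200, refusing to write unless the original bytes are exactly where they are expected. The Image class and its flat VA addressing are assumptions standing in for a real PE file-offset mapping; the name pointers placed in the table and anything passed as extra are constructed placeholders, not the client's real addresses.

```python
import struct

class Image:
    # Sparse stand-in for the mapped client: small regions keyed by VA. A real
    # patcher maps each VA to a file offset via the PE section table (assumed away).
    def __init__(self):
        self.regions = {}
    def add(self, va, data):
        self.regions[va] = bytearray(data)
    def _locate(self, va, n):
        for base, buf in self.regions.items():
            if base <= va and va + n <= base + len(buf):
                return buf, va - base
        raise ValueError(f"no region covers {va:#010x}")
    def read(self, va, n):
        buf, off = self._locate(va, n)
        return bytes(buf[off:off + n])
    def write(self, va, data):
        buf, off = self._locate(va, len(data))
        buf[off:off + len(data)] = data

def patch_loop_bound(img, va, old_bound, new_bound):
    # Rewrite 'CMP EBX, imm8' (83 FB imm8). Refuse unless the expected compare
    # and the loop's JL (7C) are really there, so a wrong address never patches.
    found = img.read(va, 4)
    if found != bytes([0x83, 0xFB, old_bound, 0x7C]):
        raise ValueError(f"unexpected bytes at {va:#010x}: {found.hex()}")
    img.write(va + 2, bytes([new_bound]))

def relocate_pointer_table(img, mov_va, old_table, count, new_table, extra=()):
    # Copy `count` dword pointers to new_table, append any extra ones, and
    # retarget 'MOV EDX, [ECX*4+disp32]' (8B 14 8D disp32) at mov_va.
    if img.read(mov_va, 7) != b"\x8b\x14\x8d" + struct.pack("<I", old_table):
        raise ValueError("MOV at mov_va does not index old_table")
    img.write(new_table, img.read(old_table, 4 * count))
    img.write(new_table + 4 * count, b"".join(struct.pack("<I", p) for p in extra))
    img.write(mov_va + 3, struct.pack("<I", new_table))

def demo():
    # Constructed image holding just the bytes the page shows, then both fixes applied.
    img = Image()
    img.add(0x0048FE6A, bytes.fromhex("83FB097CF1"))      # CMP EBX,9 / JL (inventory)
    img.add(0x0048FD4B, bytes.fromhex("83FB097CF1"))      # CMP EBX,9 / JL (active)
    img.add(0x004A7323, bytes.fromhex("8B148D84006800"))  # MOV EDX,[ECX*4+680084]
    img.add(0x00680084, b"".join(struct.pack("<I", 0x11110000 + 0x20 * i) for i in range(8)))  # placeholder name pointers
    img.add(0x0440F200, bytes(4 * 12))                    # free space chosen inside KPTTrans
    patch_loop_bound(img, 0x0048FE6A, 9, 0x0C)
    patch_loop_bound(img, 0x0048FD4B, 9, 0x0C)
    relocate_pointer_table(img, 0x004A7323, 0x00680084, 8, 0x0440F200)
    return img
```

The relocated table leaves entries 8 to 11 empty; once you have the KPTTrans name addresses, pass them as extra so the forces after Celesto resolve to real strings instead of null pointers.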