
teleport_core_add

Research starting point offered by Moons.

When you open the teleport core list, some magic happens around here in the client:

OllyDbg - Client side

00470044  |.  66:833D 5EA00 CMP WORD PTR DS:[306A05E],2
0047004C  |.  0F95C0        SETNE AL
0047004F  |.  48            DEC EAX
00470050  |.  83E0 FF       AND EAX,FFFFFFFF
00470053  |.  83C0 0A       ADD EAX,0A


First it checks which page of the list you are on, then it computes the number of elements for that page.

There's also some magic happening at this location:

OllyDbg - Client side

0046C150  |.  66:3D 0200    CMP AX,2
0046C154  |.  7D 05         JGE SHORT 0046C15B
0046C156  |.  40            INC EAX
0046C157  |.  66:8946 16    MOV WORD PTR DS:[ESI+16],AX
0046C15B  |>  0FBF46 16     MOVSX EAX,WORD PTR DS:[ESI+16]
0046C15F  |.  8B0C85 38165F MOV ECX,DWORD PTR DS:[EAX*4+5F1638]      ; ASCII "Df\"


First it checks which page you are on, and on the last line it loads the appropriate .sin file.
If you follow the pointer, you'll find a pointer table.

OllyDbg - Client side

005F1638  44 66 5C 00|18 66 5C 00|EC 65 5C 00|             Df\..f\.e\.


This table leads to the .sin filenames.

OllyDbg - Client side

005C65E4                          69 6D 61 67|65 5C 53 69|         image\Si
005C65F4  6E 69 6D 61|67 65 5C 68|65 6C 70 5C|68 61 54 65| nimage\help\haTe
005C6604  6C 65 70 6F|72 74 5F 46|69 65 6C 64|5B 33 5D 2E| leport_Field[3].
005C6614  73 69 6E 00|69 6D 61 67|65 5C 53 69|6E 69 6D 61| sin.image\Sinima
005C6624  67 65 5C 68|65 6C 70 5C|68 61 54 65|6C 65 70 6F| ge\help\haTelepo
005C6634  72 74 5F 46|69 65 6C 64|5B 32 5D 2E|73 69 6E 00| rt_Field[2].sin.
005C6644  69 6D 61 67|65 5C 53 69|6E 69 6D 61|67 65 5C 68| image\Sinimage\h
005C6654  65 6C 70 5C|68 61 54 65|6C 65 70 6F|72 74 5F 46| elp\haTeleport_F
005C6664  69 65 6C 64|5B 31 5D 2E|73 69 6E                 ield[1].sin


Each .sin file can only contain 10 entries (well, it can contain more, but if you point at the 11th, it'll highlight the 1st one too).
At some point, we'll need a new .sin file. Unfortunately there's no space near the pointer table to add a new pointer.
And the filenames are surrounded by other code. Let's move all of this.

My pointer table will start at the address 0440F1F0, the filenames will follow.

OllyDbg - Client side



Once you've moved everything and added a new pointer and a new filename, don't forget to update the reference to the pointer table so that it uses the new address.


OllyDbg - Client side

0046C15F  |.  8B0C85 F0F140 MOV ECX,DWORD PTR DS:[EAX*4+440F1F0]                        ; PTR to ASCII "image\Sinimage\help\haTeleport_Field[1].sin"
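
The relocation described above, as an added example that is not part of the original page: it resolves the original pointer table from the dumps and lays out a four-entry table at 0440F1F0. The fourth filename and the exact placement of the strings (directly after the table, in page order) are assumptions.

```python
import struct

# Bytes copied from the dumps on this page.
OLD_TABLE = bytes.fromhex("44665C00 18665C00 EC655C00")  # table at 005F1638
STRINGS_VA = 0x005C65EC
# Strings rebuilt from the dump; the final NUL is assumed (the dump stops before it).
STRINGS = b"".join(
    b"image\\Sinimage\\help\\haTeleport_Field[%d].sin\x00" % n for n in (3, 2, 1))
NEW_BASE = 0x0440F1F0
# Hypothetical name for the added fourth page; not taken from the page.
NEW_NAME = "image\\Sinimage\\help\\haTeleport_Field[4].sin"


def resolve(table, strings, strings_va):
    """Follow each little-endian DWORD pointer to its NUL-terminated string."""
    names = []
    for (ptr,) in struct.iter_unpack("<I", table):
        off = ptr - strings_va
        if not 0 <= off < len(strings):
            raise ValueError(f"pointer {ptr:08X} is outside the string block")
        names.append(strings[off:strings.index(b"\x00", off)].decode("ascii"))
    return names


def relocate(names, base_va):
    """Return (bytes, pointers): the table at base_va, filenames right after it."""
    strings_va = base_va + 4 * len(names)
    ptrs, blob = [], b""
    for name in names:
        ptrs.append(strings_va + len(blob))
        blob += name.encode("ascii") + b"\x00"
    return struct.pack(f"<{len(names)}I", *ptrs) + blob, ptrs


def build():
    """Resolve the old table, append the new page, relocate, and round-trip check."""
    names = resolve(OLD_TABLE, STRINGS, STRINGS_VA) + [NEW_NAME]
    image, ptrs = relocate(names, NEW_BASE)
    split = 4 * len(names)
    assert resolve(image[:split], image[split:], NEW_BASE + split) == names
    return names, image, ptrs


if __name__ == "__main__":
    names, image, ptrs = build()
    for page, (ptr, name) in enumerate(zip(ptrs, names)):
        print(f"page {page}: [{NEW_BASE + 4 * page:08X}] -> {ptr:08X} {name}")
    print(f"last page index: {len(names) - 1}, bytes to write: {len(image)}")
```

Page index 0 resolves to Teleport_Field[1].sin, which matches the comment OllyDbg shows on the patched instruction.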


Now that we have relocated the tables, we need to tell the magic parts to use them.
First, the part computing the number of elements per page. I discovered that if you always set the value, it works exactly the same, so let's simplify it.
Select the 3 instructions DEC, AND and ADD and replace them with MOV EAX,0A (with the space bar).

OllyDbg - Client side

0047004F  |.  B8 0A000000   MOV EAX,0A
00470054  |.  90            NOP
00470055  |.  90            NOP


Next, you need to increase the page number in the check of the second magic part. The first one doesn't need to be touched since we set the value to 0A all the time.
Actually I recommend not touching it: if you increase the value, it'll read memory it isn't supposed to.
The count starts at 0. We have 4 pages here, so the value will be 3.

OllyDbg - Client side

0046C150  |.  66:3D 0300    CMP AX,3


After that, you just need to add new values to the map table. You can find how to do that here.
Also don't forget to increase the ending address of the table if you want your new values to be read.

There are still 2 values we missed. Go back to the original pointer table, select it and look up references to it (Ctrl + R).
You should find the 2 missing values.

Edit

OllyDbg - Client side

0046CFCA      8B0495 38165F MOV EAX,DWORD PTR DS:[EDX*4+5F1638]                               ; ASCII "Df\"


to

OllyDbg - Client side

0046CFCA      8B0495 F0F140 MOV EAX,DWORD PTR DS:[EDX*4+440F1F0]                              ; PTR to ASCII "image\Sinimage\help\haTeleport_Field[1].sin"


And

OllyDbg - Client side

0046C1AE      8B0C85 38165F MOV ECX,DWORD PTR DS:[EAX*4+5F1638]      ; ASCII "Df\"


to

OllyDbg - Client side

0046C1AE      8B0C85 F0F140 MOV ECX,DWORD PTR DS:[EAX*4+440F1F0]     ; PTR to ASCII "image\Sinimage\help\haTeleport_Field[1].sin"