Transmogrify message

[Kraj]

Has anyone found the offset to remove the transmogrify display message for 1.10 by any chance?

[MindChild]

find

Code: Select all

6FAE2092   E8 5B8F0800      CALL <JMP.&D2Common.#10825>
6FAE2097   85C0             TEST EAX,EAX
6FAE2099   0F85 821B0000    JNZ D2CLIENT.6FAE3C21
6FAE209F   83FF 05          CMP EDI,5
6FAE20A2   0F85 0D0B0000    JNZ D2CLIENT.6FAE2BB5

in dll:

00042091   50               PUSH EAX
00042092   E8 5B8F0800      CALL 000CAFF2
00042097   85C0             TEST EAX,EAX
00042099   0F85 821B0000    JNZ 00043C21
0004209F   83FF 05          CMP EDI,5

change it to

Code: Select all

6FAE2092   E8 5B8F0800      CALL <JMP.&D2Common.#10825>
6FAE2097   85C0             TEST EAX,EAX
6FAE2099   90               NOP
6FAE209A   90               NOP
6FAE209B   90               NOP
6FAE209C   90               NOP
6FAE209D   90               NOP
6FAE209E   90               NOP
6FAE209F   83FF 05          CMP EDI,5
6FAE20A2   0F85 0D0B0000    JNZ D2CLIENT.6FAE2BB5

in dll

00042091   50               PUSH EAX
00042092   E8 5B8F0800      CALL 000CAFF2
00042097   85C0             TEST EAX,EAX
00042099   90               NOP
0004209A   90               NOP
0004209B   90               NOP
0004209C   90               NOP
0004209D   90               NOP
0004209E   90               NOP
0004209F   83FF 05          CMP EDI,5

i believe this will work...


also, to change the message you can add the customdll code + my addition and add

Code: Select all

indexed[5387]="convertsto";

to it and add convertsto into the custom table
'convertsto' is in string.tbl but is accessed via index strangely enough, so if you dont add it to your custom dll it will just use the one in string.tbl

[Kraj]

Yikes! Isn't there an offset that can be switched off like in 1.09?

[MindChild]

yeah, you just nop out the jump, (just a small bit of code, i just showed where in the dll or memory it needed to be changed and what it used to be).

[Kraj]

Well I still can't make heads nor tails of this. I'm using XVI32... you don't specify which dll it is so I tried several. I've searched for strings and addresses in every way I know how with the program with no results.

[kingpin]

You should work with OllyDbg instead, since the code in here are posted as assembler code and not HEX.

[MindChild]

its in d2client.dll, cause of course, that deals with the clientside things (such as calls to d2win etc)

[Kraj]

I have no interest in working with Ollydb and the game code. Nevertheless, I figured it wouldn't hurt to give it a try. So I did. And I wasted my time. Ollydbg can't even open up a dll directly, so how am I supposed to make changes in the dll? And in no attempt in any dll or exe with any program have I been able to find anything that remotely looks like the code that was posted.

I would have been less frustrated if simply told, "To answer your question is, no - there is no dll offset change that can turn off the transmogrify message like there was in 1.09. This change requires more code editing."

[kingpin]

In OllyDbg you need to file/open or file/attach (is used when debugging in game) the game.exe first. When you have done this you can use View/File to open up the actual .dll.

I would have been less frustrated if simply told, "To answer your question is, no - there is no dll offset change that can turn off the transmogrify message like there was in 1.09. This change requires more code editing."

The princip should be the same with removing the transmogrify message as in 1.09x since it would surprise me a lot if that code has changed anything.

[MindChild]

ok, no more arguments, the offset for the DLL in D2CLIENT.DLL is:

0x42099

0F85821B0000

change it to

0x42099

909090909090

the code above showed this as well, but apparently you looked right past it because it also had the equivelent Assembly code along the right of that...

[Myhrginoc]

[quote=kingpin";p="142619"]In OllyDbg you need to file/open or file/attach (is used when debugging in game) the game.exe first. When you have done this you can use View/File to open up the actual .dll.[/quote]

Actually View | File is similar to a hex editor, you don't attach to a running program to use it. The command when attached is View | Executables, which gives you a list of every module visible within the process allocated to the game.

Never File | Open on Diablo II. Game.exe has some anti-debugging code that crashes you out if Ollydbg is attached at the very start. Always File | Attach after the first D2 window is drawn (even before it finishes the fill).

[kingpin]

Actually View | File is similar to a hex editor, you don't attach to a running program to use it. The command when attached is View | Executables, which gives you a list of every module visible within the process allocated to the game.

Oh, i have always opened up game.exe before editing the file locally, then i learned somethings new

[Myhrginoc]

You have to be careful when using View | File. If you open a DLL up this way, you will see raw hex. You can right-click | Disassemble, and you will get a view similar to the code we copy here. But this doesn't mean you have disassembled the file in a meaningful way. The first problem is relative addressing. Disassembling from File | Attach gets you absolute addressing from the memory image. Disassembling from View | File gets you relative addressing from the file offset. But some addresses need to be absolute references, as this sample from D2Client.dll shows:

Code: Select all

0000E9D9    57              PUSH EDI
0000E9DA    6A 35           PUSH 35
0000E9DC    BA 4C60B76F     MOV EDX,[color=tan]6FB7604C[/color]
0000E9E1    B9 4C1F0000     MOV ECX,1F4C
0000E9E6    E8 E9BC0B00     CALL 000CA6D4

Note the numbers on the far left are now file offsets, they range from 00 to the end of file. But code in D2 modules starts at file offset 1000, and there are several non-code sections between the end of code and the end of the file. But disassembly from View | File makes no distinction between code and non-code sections!

It is far better to use View | File for hex editing mode and File | Attach for disassembly. Also the latter mode is the only way to use Ollydbg's analysis tools and breakpoints.