Server Help

General Questions - Exported plaintext content from subgame2.exe and fix.dll

L.C. - Fri Nov 13, 2009 8:42 pm
Post subject: Exported plaintext content from subgame2.exe and fix.dll
Might be interesting to skim these -- nothing new really.
http://www.hlrse.net/Qwerty/hxd_subgame2EXE.txt
http://www.hlrse.net/Qwerty/hxd_fixDLL.txt

However I did find some things that caught my attention that I did not see in the past (well, SOME I did see -- like the idblock.txt file).

subgame2.exe
Quote:
All
Shark
Lancaster
Terrier
Weasel
Leviathan
Spider
Javelin
Warbird

Quote:
pulled.dat
/nb.server.ini
/SPAWN
idblock.txt
ipallow.txt
ipblock.txt

Quote:
scrty
S
Z
subspace.exe
Update2.exe
Update1.exe
Update.exe
version%d\
version0

Quote:
Spawned TRACERT
SUBGAME2 /SPAWN tracert %s > spawn.log
SPAWN STARTED
SUBGAME2 /SPAWN %s > spawn.log

Quote:
(SPAWN)
(FIND)
(CHAT)
(ENEMYTEAM:%d)
(TEAM:%d)
(TO:----)
(TO:%s).%s> %s




Fix.dll
Quote:
$login
$pvt
$pub


Fix.dll -- server.ini stuff
Quote:
SyncJitter
AllVips
TrackFlood
CheckPrizeDistribution


Fix.dll - commands
Quote:
*locate
*rstat
*tmode
*bandwidth
?recycle
?set
?get


Quote:
noshutdown
*shutdown

Quote:
Undetermined
SOCKS5 proxy
Using proxy at localhost
ServerIP is not set in server.ini
Not using proxy
Using NAT
Using custom proxy

Quote:
(staff)
(local)

Quote:
-------------------: Extended version %s

Samapico - Fri Nov 13, 2009 8:57 pm
Post subject:
pulled.dat?
L.C. - Fri Nov 13, 2009 9:24 pm
Post subject:
pulled.dat is an interesting one. No clue about it.

/SPAWN is an actual startup command. With this command, you startup Subgame2.exe AND the specified cmd/bat/exe/com file. I am thinking that Trench Wars might be using this kind of startup to either (1) execute itself to run itself twice simultaneously or (2) something else.

/nb.server.ini seems to be another startup command too, although I am not quite sure what this actually does.

Does anyone happen to know what the command line parameter is to automatically boot Subgame2 into offline mode?
cycad - Sat Nov 21, 2009 12:27 pm
Post subject:
Check http://forums.minegoboom.com/viewtopic.php?t=8599.

Hit shift+12. Hit alt+t. Type in 'pulled.dat'. Double click the highlighted row. Offset 0x42b810 is highlighted (this is where pulled.dat is defined.) Highlight its identifier (aPulled_dat) then press 'x' to see all references to that text string. Double click the single reference that pops up. Offset 0x40b9d8 comes up in the disassembly. Notice that in the status bar at the bottom we are in the function PlayerHandleGamePacket. Looking below the current location, we see intrinsic strlen and strcpy (the repne scasb and rep movsd). Let's find where this string goes.

Presumably the call at offset 0x40ba0c operates on that string, because that's the only other call made before the function we are in exits (the epilogue is at 0x40ba18).

Double click on 'sub_41D440'. We see a bunch of mov operations. We don't care what this does right now, let's just get a high level picture from flow control. The only flow control we see is the call at 0x41d4b6, to sub_41CE60. Double click it, let's see what it does.

Ahh. GetTickCount() call, followed by WriteToNetwork(). This string is getting sent to someone.

Hit escape twice to go back to where we started. We are now at 0x40ba0c. Let's scroll up. Maybe we can see where this string is from and who it's going to.

Scrolling up to 0x40b8c7, which is marked as 'pkt_game_handle_0x16', we know we are in the handler for the game packet 0x16. What is this packet? No clue yet.

At offset 0x40b8d2 we see a reference that retrieves a player pointer from the global array of all players, followed by a check to see if they are sysop at 0x40b8e5. So the source or target must be a sysop.

Let's look at the prototype for the current function. Hit 'y'. The first argument is a PLAYER structure (it's actually the 'this' pointer, which we know from the __thiscall I marked earlier, which I knew to mark because ecx was used before being set at the beginning of the function, which means the calling function set it).

Let's see what goes on before the jump to the packet handler. Highlight 'pkt_game_handle_0x16' and hit 'x' to see references to this location. Double click the first item that pops up, a jump to it. We are now at 0x408eb6. Scrolling up, we are at the entrance to the function (0x408e90). The ECX reference @ 0x408e9f contains the 'this' pointer, which is a PLAYER class pointer. That gets moved into the EBP register. Note that this function has an ESP-based frame, and EBP does not point to the stack -- it points to the current player's class.

Hit escape to go back to the pkt_game_handle_0x16 definition. We know that EBP has the current player's PLAYER pointer, so the mov eax, [ebp+58h] instruction at 0x40b8c7 is pulling information from the current player's structure. What is this information? Let's see.

That EAX value is used as an index into the PlayerArray (global array of all players in subgame). So we could right now go to the structure window and define offset 0x58 in the PLAYER struct to be 'some_index_into_PlayerArray'. But let's not do that right now. :)

So it looks like PLAYER offset 0x58 contains the index into PlayerArray which is some other player's PLAYER pointer. I assume it's the destination player.

Looking at the string reference at 0x40b8d2, one 'thing' is getting forwarded from one sysop to another (the sysop check is at 0x40b8e5).

So how does PLAYER offset 0x58 get set? And what is the data being sent? Why is it sysop-only? Why is it named pulled.dat? It looks like we have more questions than answers (oh how common this is...).

At this point we would have to trace references to PLAYER pointer offsets 0x58 and see what sets it. I would probably do this dynamically with a debugger and breakpoints.

But I hope this gives enough information to get started. Always keep it interesting...
L.C. - Sun Nov 22, 2009 7:59 pm
Post subject:
Quote:
To disable *shutdown create noshutdown directory to server directory.

Quote:
----------------------------- version 1.34.12a --------------------------------
Added proxy detection to /*einfo. Proxy is detected for Continuum 0.37 and
later clients. You need to set server IP address in server.ini [Misc] ServerIP
for it to work.
* Undetermined - SS 1.3x or Continuum 0.36 clients
* SOCKS5 proxy - User is using Continuum's built in SOCKS5 proxy
* Using proxy at localhost - player is using proxy ran in same machine as
Continuum client. There is no other reason to do so than monitoring or
tampering with packet stream
* Using custom proxy - player is using custom proxy. Suspect cheating.
* Using NAT - player is using router or firewall doing NAT translation
* Not using proxy - no proxy was detected between client and server

Quote:
----------------------------- version 1.34.12pr3 ------------------------------
Added support for team sounds. Regular users can play sounds %150 - %255 in
team chat, zone sysops can upload these sounds in lvz file

Quote:
New command: *relkills <0 or 1> - toggles sending kills reliably on and off.
Normally server sends kill messages as non-reliable messages if killed player's
bounty is less than 200 (teamkills are always non-reliable). Setting
*relkills 1 will make server send kill messages reliably,

New command: /*bandwidth <bandwidth> - allow to set cutback watermark per
player, overriding arena's Latency:CutbackWatermark setting

JoWie - Sun Nov 22, 2009 8:08 pm
Post subject:
C2S 0x16 is upload file packet, this may explain the sysop only
L.C. - Wed Nov 25, 2009 7:48 pm
Post subject:
Quote:
/nb.server.ini
/nb starts Subgame2 in offline mode. The initials stand for "no billing/er".
L.C. - Wed Mar 17, 2010 5:25 am
Post subject:
Quote:
All
Shark
Lancaster
Terrier
Weasel
Leviathan
Spider
Javelin
Warbird
I think this partly makes a reference to templates.sss. For the settings regarding ship settings, "all" is used.
Samapico - Wed Mar 17, 2010 6:55 am
Post subject:
L.C. wrote:
Quote:
All
Shark
Lancaster
Terrier
Weasel
Leviathan
Spider
Javelin
Warbird
I think this partly makes a reference to templates.sss. For the settings regarding ship settings, "all" is used.

Note the order is also the reverse order of how the settings will appear in Esc-C editor... The Terrier being after the Weasel, for some reason (most likely a mistake)
The fact that it is in reverse order is probably just some technical thing about how that part is implemented.
L.C. - Wed Mar 17, 2010 6:01 pm
Post subject:
I wonder if swapping the two in Subgame2's HEX would fix that. After all, Subgame2 isn't "secured" like Continuum.exe and fix.dll.
Dr Brain - Wed Mar 17, 2010 6:23 pm
Post subject:
It might fix that problem, but it'd introduce a whole new problem with all the settings being swapped between the two ships.
L.C. - Wed Mar 17, 2010 6:28 pm
Post subject:
How might it introduce new problems? I can't imagine how it would, seeing as how *.cfg stores everything for Terrier under [Terrier]. Swapping orders won't change the *.cfg. :X
Dr Brain - Wed Mar 17, 2010 7:03 pm
Post subject:
No, but you'd make it so everything under [Terrier] goes to ship 6, aka the Weasel.
L.C. - Wed Mar 17, 2010 7:52 pm
Post subject:
Dr Brain wrote:
No, but you'd make it so everything under [Terrier] goes to ship 6, aka the Weasel.
*testing*

EDIT: You are correct.

It doesn't appear as if there is any easy way to "fix" it either (from my standpoint anyway).
Samapico - Wed Mar 17, 2010 8:34 pm
Post subject:
Dr Brain wrote:
No, but you'd make it so everything under [Terrier] goes to ship 6, aka the Weasel.
Uh? I would have thought it would do something like:
-[4 other ships]
-Read 'Weasel'
-Read the .cfg value for [Weasel]
-Send that
-Read 'Terrier'
- ...

In which case there would be no problem... So you're saying it does something like this? :
-[4 other ships]
-Read 'Weasel'
-Read the .cfg value for ship 6, even if it's the 5th ship we check, but just because I know we put it in a stupid 1,2,3,4,6,5,7,8 order
-Send that setting with the Weasel tag
-Read 'Terrier'
- ...

I really don't see how it could be that way
L.C. - Wed Mar 17, 2010 9:24 pm
Post subject:
Samapico wrote:
Uh? I would have thought it would do something like:
-[4 other ships]
-Read 'Weasel'
-Read the .cfg value for [Weasel]
-Send that
-Read 'Terrier'
- ...
That's what I was thinking too. Because "all" was there, I was led to think that if "Weasel" is in there, it should search for [Weasel], and not have a fixed order (stupid, no?). It was to my assumption that that section may primarily be in regards to template.sss, but I suppose this isn't fully correct (after testing of course).

I need to put an entry for Warbird in template.sss and see if it overwrites [All].

Samapico wrote:
In which case there would be no problem... So you're saying it does something like this? :
-[4 other ships]
-Read 'Weasel'
-Read the .cfg value for ship 6, even if it's the 5th ship we check, but just because I know we put it in a stupid 1,2,3,4,6,5,7,8 order
-Send that setting with the Weasel tag
-Read 'Terrier'
- ...

I really don't see how it could be that way
So yes, Subgame2 was coded in a stupid way as far as this goes. It uses a fixed order rather than grab "Name" and locate [Name]. If you change Weasel to Terrier, it will still look for [Weasel] and not [Terrier].
Dr Brain - Wed Mar 17, 2010 9:26 pm
Post subject:
Samapico, why it works like that really isn't the issue. The important fact is that there is only one string in the binary. If you rename "Terrier" to "Weasel" the internal index of the string and ship haven't been altered.

No string manipulation in the binary will decouple the indexes. Any successful change would have to work at a lower level.
Samapico - Wed Mar 17, 2010 11:04 pm
Post subject:
But if it grabbed the setting from the corresponding [Section] in the cfg, it wouldn't use the index at all
Dr Brain - Thu Mar 18, 2010 6:19 am
Post subject:
Where does it get that section string from? As I said, there seems to be only one copy of the ship string in the binary.
L.C. - Thu Mar 18, 2010 5:05 pm
Post subject:
Dr Brain wrote:
Where does it get that section string from? As I said, there seems to be only one copy of the ship string in the binary.
I think you are missing the point Samapico is trying to point out. It is possible for a program to be programmed that if String exists, search for [String]. x will always equal x.

In other words, before I actually swapped the two ship names in Subgame2.exe, it is unknown by you (unless you already tested, which you failed to mention), me, or Samapico whether it worked by fixed index (which is what you are saying, and how it actually is after testing) or by the above paragraph. Our (Samapico and I) initial thoughts were the first paragraph of this post, unlike yours -- which was fixed index.
Dr Brain - Fri Mar 19, 2010 1:54 am
Post subject:
I have no idea what you mean by that.

Short of generating the string through mathematical means, the string must exist in the binary. If there's only one copy, as you indicated, then it has to work the way I said. No, I haven't done any testing. It's just obvious how it must work given your statements about the strings in the binary.
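The two lookup models argued over above (a fixed ship index whose table slot only names the cfg section, versus a name-keyed section lookup), as an added illustration that is not Subgame2's code. The ship table, the arena.cfg fragment and the InitialEnergy values are constructed; the point it shows is that swapping two strings in a fixed-index table moves [Terrier] onto ship 6, while a name-keyed lookup would need a second name-to-number mapping that Dr Brain notes the binary does not appear to contain.

```python
# Constructed model of the two strategies debated in the thread; not Subgame2's code.
import configparser

# Constructed ship table in ship-number order (index 0 is ship 1).
SHIP_TABLE = ["Warbird", "Javelin", "Spider", "Leviathan",
              "Terrier", "Weasel", "Lancaster", "Shark"]
# The name-keyed model needs this second mapping; the fixed-index model does not.
SHIP_NUMBERS = {name: i for i, name in enumerate(SHIP_TABLE, start=1)}

# Constructed arena.cfg fragment with one distinguishing value per ship.
SAMPLE_CFG = """
[Terrier]
InitialEnergy=1300
[Weasel]
InitialEnergy=900
"""


def load_cfg(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def settings_by_fixed_index(cfg, table):
    """Fixed-index model: the ship number is the table position; the string in
    that slot is only used to find the cfg section. Returns {ship_number: value}."""
    out = {}
    for number, name in enumerate(table, start=1):
        if cfg.has_section(name):
            out[number] = cfg.getint(name, "InitialEnergy")
    return out


def settings_by_name(cfg, table, ship_numbers):
    """Name-keyed model: the section is found by name and tagged with a ship
    number looked up separately, so table order does not matter."""
    out = {}
    for name in table:
        if cfg.has_section(name):
            out[ship_numbers[name]] = cfg.getint(name, "InitialEnergy")
    return out


def swap_strings(table, a, b):
    """Simulate hex-editing the binary so the two strings change places."""
    t = list(table)
    i, j = t.index(a), t.index(b)
    t[i], t[j] = t[j], t[i]
    return t
```

With the original table both models give ship 5 the [Terrier] value; after swapping the two strings only the fixed-index model hands [Terrier] to ship 6.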