Games


PAX Wrap Up

Sadly, PAX is over, fellow gamers are packing up, and exhibitors are leaving before the cleaning crew shows up. There was a lot of swag, a lot of people, and a lot of games. I mentioned a few booths in my first post, so this time I am going to try to cover some notable booths I did not mention or did not get a picture of the first time around. I am trying to cover some of the major features here, but this is by no means a complete feature list.



PAX Day 1

Day one of the PAX expo is officially over and I have some pictures and information about the exhibitions to talk about. The day started harmlessly enough: we queued in the queue room to wait for the exhibition hall to open. While we waited, the Enforcers made sure we were not bored by entertaining us with internet memes and blow-up beach balls.


Unique character names in MMOs have long been a pet peeve of mine. I am sure most of you have experienced the frustration when your favorite character name ends up taken by someone else, and if you are like me it might take as many as 20 tries to get an available name. Well, here is a question for all you MMO programmers: why the hell are you still using character names as a unique identifier? There are so many better options to identify players in the world; not every name needs to be unique. In fact I frequently find that running across players entitled ‘FancyPants12’ or ‘Moooo4me’ does more damage to game play than a simple change would. When I am in the process of being absorbed into an MMO through very nicely executed immersion techniques, stumbling onto these players breaks the flow, disrupts my concentration, and I find it harder to follow the story line (or even care about it).


I bring this up because this last weekend I started playing Aion. It is a very nice game that I have high hopes for, and it is probably the first MMO where I am actually interested in a bit of the lore; I even went so far as to read some of the important quest text. Shocking, yes, but they really did do a good job making the player feel like more than just a drop of water in an ocean, which is worthy of recognition in itself. Unfortunately, Aion suffers from the unique name dilemma, so while I am trying to rescue the damsel from a horde of black-winged bandits I am constantly running into ‘XXSlayerXX’ or ‘RoGeGardian’, and that is just terrible from an immersion perspective.

But what can be done about it? After all, a lot depends on character names: PMs, brokers, mail, friend lists, etc. Obviously a new system has to enhance game play, not restrict it. I propose a system where each character is assigned a unique number, not a name, which can be used for all these means of communication with just a little extra effort on the programmer's side.
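As an added example (my own sketch, not code from the post or from any game), here is what that system looks like in C++: the numeric ID is the only unique key, display names live in a separate index that allows duplicates, and anything that refers to a character (friend lists, mail) stores the ID, so a rename breaks nothing. The one check a practitioner wants is in resolveUnique: a name shared by two characters must not silently resolve to whichever was created first, or mail and invites end up at the wrong player. The Registry API and all names are hypothetical.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical character registry: the character ID is the only unique key;
// display names may repeat and may change without breaking anything that
// refers to the character by ID (friend lists, mail, broker listings).
using CharId = std::uint64_t;

struct Character {
    CharId id;
    std::string name;
    std::set<CharId> friends;   // stored by ID, never by name
};

class Registry {
public:
    // Create a character; the name is accepted even if it is already in use.
    CharId create(const std::string& name) {
        CharId id = nextId_++;
        chars_[id] = Character{id, name, {}};
        byName_.emplace(name, id);
        return id;
    }

    // Everyone currently using this display name, in creation order.
    std::vector<CharId> findByName(const std::string& name) const {
        std::vector<CharId> out;
        auto range = byName_.equal_range(name);
        for (auto it = range.first; it != range.second; ++it) out.push_back(it->second);
        return out;
    }

    // Resolve a name the way a mail or friend command would: exactly one
    // match is required, otherwise the caller must disambiguate by ID.
    CharId resolveUnique(const std::string& name) const {
        std::vector<CharId> ids = findByName(name);
        if (ids.size() != 1)
            throw std::runtime_error(ids.empty() ? "no such character"
                                                 : "ambiguous name, specify an ID");
        return ids.front();
    }

    void addFriend(CharId who, CharId whom) { chars_.at(who).friends.insert(whom); }
    bool isFriend(CharId who, CharId whom) const { return chars_.at(who).friends.count(whom) != 0; }

    // Renaming touches only the name index; IDs stored elsewhere stay valid.
    void rename(CharId id, const std::string& newName) {
        Character& c = chars_.at(id);
        auto range = byName_.equal_range(c.name);
        for (auto it = range.first; it != range.second; ++it)
            if (it->second == id) { byName_.erase(it); break; }
        c.name = newName;
        byName_.emplace(newName, id);
    }

    const std::string& nameOf(CharId id) const { return chars_.at(id).name; }

private:
    CharId nextId_ = 1;
    std::map<CharId, Character> chars_;
    std::multimap<std::string, CharId> byName_;
};

// Walk through the situation from the post with constructed characters: two
// players pick the same name, a third befriends one of them, and a later
// rename does not break the friend list.
bool demo() {
    Registry r;
    CharId a = r.create("Aion");
    CharId b = r.create("Aion");          // same display name, different ID
    CharId c = r.create("FancyPants12");
    r.addFriend(c, a);
    r.rename(a, "Daeva");                 // c's friend entry still points at a
    return a != b && r.findByName("Aion").size() == 1
        && r.isFriend(c, a) && r.nameOf(a) == "Daeva";
}
```

The cost the post mentions, "a little extra effort on the programmer's side", is exactly the ambiguity branch in resolveUnique: every place that used to take a name now needs a way to fall back to an ID when the name is not unique.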



Pax 2009

So a few things happened and it appears that I will be attending PAX West 2009. Being someone who did not know the convention existed until about a week ago, I like to consider my position at PAX as ‘complete noob.’

Anyway, why am I posting this? Well, I have nothing to say about PAX in particular; like I said, I have never been there and my general understanding is that it is like E3, only good and open to the public. I was roped into taking this trip by a friend and we plan to spend a week along the west coast. PAX started out as only a minor side attraction for us, as we had already planned on traveling out there. It was not until I started reading about community events and the enthusiasm that a lot of people seem to have that I started to seriously look forward to attending the conference.



Audiosurf

Ever want to get more out of your music? Feel like your relationship is entirely one-sided? Then you probably have not played Audiosurf yet. In a nutshell, this program turns your music into a game that you play for points, and against other people if you so wish. There are quite a number of cool features in Audiosurf, but they are easily discovered while playing or researching the game. Instead I wish to make this post about a problem Audiosurf has, which is that tracks can be inconsistent across operating systems.

If you have ever seriously tried to play Audiosurf with someone, or maybe a group of people, you might discover that another person’s track is different than yours, in both congestion and block positioning. It so happens that my friends and I have set up a mini competition where we get scored for points and positions in several weekly songs. For full details: http://surfoff.blogspot.com/

Back to the main purpose of this article: yes, tracks do differ between operating systems, most commonly between Windows XP and Windows Vista. The problem seems to be with the MP3 decoders, or so they say.

Here is how to fix this problem: simply use an open source audio editor like Audacity and export the MP3 as a WAV file. Then distribute and surf the WAV file. You might want to use a good compressor, like WinRAR, for the file, however, as it will be big.

Why does this work?

Audiosurf must first decode an MP3 before it can process it for block positions and colors. This decoding step can differ between operating systems, as previously discussed. So what we do here is decode the MP3 once on one machine and distribute the song uncompressed. This way Audiosurf does not need to run an MP3 decoder at all, which in turn means the track is no longer operating-system sensitive. If you want to be sure everyone is surfing the same bytes, compare a checksum of the WAV file before the competition; a lossless archiver like WinRAR reproduces the file exactly, so the hash should match on every machine.

Happy surfing


Last semester I was unceremoniously captured and tormented by the game we all know as World of Warcraft. During my adventures as a mage in this game I progressed as far as the first boss in Black Temple before quitting. As I am sure many fellow gamers can understand, one day the game finally clicked for me and I did not sign on for weeks, only for my install to be destroyed when I reformatted last week.

But enough about that. I learned quite a few things from this game, and I would like to share some of the more practical lessons. I have compiled a mage ‘guide’ that I believe might just be the most comprehensive on the internet, concerning addons, macros, and gear tips anyway. You will still have to read Elitist Jerks to learn how to play your class.

I was the mage officer for my guild and so I had a big thread that detailed what I expected each mage to do, and various tips and tricks I had picked up. So without further delay, here is quite possibly the longest post I will ever make in one sitting.

Raiding

In order to raid you must first have the appropriate gear and stats. As a general rule of thumb, mages should have around 8k HP unbuffed. Usually that number is 8.5k; however, mages do have a lot of survivability, so I lowered it a bit. If you want to raid, please get the appropriate gear either through badge loot or a few lucky heroic/Kara/Gruul runs. When picking who I will take to a raid, I go by this list:

  • Have the time
  • Know your class
  • Know the fight
  • Have the gear

I consider all these when choosing who to bring to a raid, please be aware of how you score and how you can improve.

Mage Sweet Information Thread
http://elitistjerks.com/f31/t18441-mage_sweet_informational_thread/

Consumables

Flasks
[Flask of Pure Death] +43 dps
[Flask of Blinding Light] +43 dps
[Flask of Supreme Power] +38 dps
[Flask of Distilled Wisdom] Acceptable for arcane mage use, 1125 mana, 1% to crit
[Shattrath Flask of Supreme Power] +38 dps

[Unstable Flask of the Sorcerer] Only for Gruul's

Elixirs
[Adept's Elixir] BATTLE ~+20 dps
[Elixir of Major Firepower] BATTLE +30 dps
[Elixir of Major Frost Power] BATTLE +30 dps
[Greater Arcane Elixir] BATTLE straight up damage, no crit

[Elixir of Draenic Wisdom] GUARDIAN
[Elixir of Major Mageblood] GUARDIAN +16 mp5
[Elixir of Major Fortitude] GUARDIAN If you need a little extra hp

Oils
[Superior Wizard Oil] Cheapest and easiest
[Superior Mana Oil] If you need the mp5
[Brilliant Wizard Oil] Damage and crit

Food
[Blackened Basilisk]
[Crunchy Serpent]
[Poached Bluefish]

[Skullfish Soup]

Potions
[Super Rejuvenation Potion]
[Major Dreamless Sleep Potion]

[Destruction Potion]
[Flame Cap]

Spec

Mages have 3 possible specs

2/48/11
http://www.wowhead.com/?talent=obZxgRzfcIoeRtVhM0o
40/0/21
http://www.wowhead.com/?talent=oi0ic0czxIziZZVA0coc0o
10/0/51
http://www.wowhead.com/?talent=obhVZZVAGcofLoiqt

Macros
There are a lot of things that help a mage get max DPS, and macros are one of the top ones. Here are some handy macros I use; consider integrating them into your UI if you have not already.

Firstly, the most important,

/cast [COOLDOWN]
/stopcasting

Make a macro for all cooldowns you pop, including trinkets and gems. You might notice that when you use a cooldown you get a global cooldown. This is not supposed to happen and can severely cut your DPS. When you use /stopcasting it will cancel the global cooldown. For example, as 40/0/21 I keep this macro:

/cast Icy Veins
/stopcasting
/cast Cold Snap
/stopcasting

This pops both cooldowns at the same time, and I can immediately follow up with a spell and save myself 3 seconds of global cooldown.

Second most important, focus targeting

Every mage should use these macros for CC. The command is simple: it is just /focus, which sets a target as your focus. For those unfamiliar with focus targeting, think of the focus as a second target. You have your main target (the skull) and your CC target (star) both targeted at the same time. In this way you can easily see the timer on your sheep AND you can easily resheep without changing targets. Obviously this is a big deal, so use it. Here are the macros:

/focus mouseover

then

/cast [target=focus] Polymorph

I bind the mouseover focus to mouse 3, or the middle button. When I click that on a mob I set my focus target. When it comes to cc I have polymorph target set to F and polymorph focus set to ctrl+F. I highly recommend the use of the modifier key, that way you can have one ‘sheep’ button, but it can do 2 different things.
If you have any questions about this please talk to me in game.

This handy little macro will delete any Mana Emeralds you have in your inventory and conjure a new one. Good if you want to replace the one that only has 1 or 2 charges left.

/run for x=0,4 do for y=1,GetContainerNumSlots(x) do l=GetContainerItemLink(x,y) if l then if GetItemInfo(l)=="Mana Emerald" then PickupContainerItem(x,y) DeleteCursorItem() return end end end end
/cast Conjure Mana Emerald

Addons

http://files.wowace.com/scorchio/scorchio.zip
Lets you know how long the scorch debuff has left, regardless of who owns the stack

Aloft
- Better overhead enemy health bars. There is also an option to include a sheep timer and cast bar

Banzai Alert
- This addon will tell you the second you pull agro or are targeted by an unfriendly mob/player

BigBrother
- This addon will tell you who breaks your sheeps, and has an optional announcement feature for parties and raids

Bongos
- Very customizable action bars, and easy to use key bind system.

Distance2
- Addon that scans your talents and displays an approximation of how far you are away from a mob

DrDamage
- Calculates your expected and effective dps given your talents, gear, etc. Displays damage for spells on your action bars, and much more

ElkBuffBars
- Very nice and clean buff bars

ErrorMonster
- If you are tired of all the ‘You Cannot Use That Item’ blah blah error messages, use this addon to filter them out.

FreeRefills
- Auto buy stacks of reagents

Grid + Click2Cast
- I use Grid for my raid frames and love it. You can also combine Grid with an addon called Click2Cast and effectively make Decursive, removing an extra addon you don't really need. You will need some prowess in order to set it up, but it is worth the trouble.

ag_UnitFrames + MobHealth
- ag_unitframes will replace Blizzard’s default UI with a much cleaner and nicer one. I combine it with MobHealth so that I can get really good approximations of how much health the boss really has.

OmniCC
- Will place a countdown on your action bar for your cooldowns.

SCT + SCTD
- Scrolling combat text and more importantly, scrolling combat damage. Can be easily configured to show you when you are taking damage and such.

Talented
- Allows you to store templates for other specs and even will respec for you. Combine this addon with Talented_DrDamage, and DrDamage will tell you expected dps with whichever spec you have open in talented

WitchHunt
- Will display a message when an enemy within range casts something, anything.

You might notice that a lot of these addons are Ace addons. I did this on purpose: if you download the Ace Updater you can easily update the majority of your addons in one click. It's just my preference though. Happy tweaking.

Gear (Mainly badges)

[Scryer's Blade of Focus] : 150 Badges

[Chronicle of Dark Secrets] : Rage Winterchill

[Wand of the Forgotten Star] : High Astromancer Solarian

[Cowl of Tirisfal] : Lady Vashj
- [Chaotic Skyfire Diamond]
- [Runed Crimson Spinel]

[Adornment of Stolen Souls] : Prince Malchezaar
[Loop of Cursed Bones] : Zul’jin

[Mantle of Tirisfal] : Void Reaver
- [Potent Noble Topaz]
- [Infused Amethyst]

[Brute Cloak of the Ogre-Magi] : Maulgar

[Tormented Demonsoul Robes] : 100 Badges
- [Brilliant Dawnstone]

[Cuffs of Devastation] : Rage Winterchill
- [Runed Living Ruby]

[Enslaved Doomguard Soulgrips] : 75 Badges
- [Brilliant Dawnstone]

[Belt of Blasting] : Crafted
- [Glowing Nightseye]
- [Veiled Noble Topaz]

[Corrupted Soulcloth Pantaloons] : 100 Badges
- [Runed Living Ruby]
- [Runed Living Ruby]

[Boots of Incantations] : 75 Badges
- [Potent Noble Topaz]

[Band of the Eternal Sage] : Exalted: The Scale of the Sands

[Fused Nethergon Band] : 60 Badges

[Hex Shrunken Head] : Hex Lord Malacrass

[Serpent-Coil Braid] : Morogrim Tidewalker
[Sextant of Unstable Currents] : Fathom Lord Karathress

When all is said and done, according to this nice DPS calculator you should end up with about 1920.64 DPS fully buffed.
Obviously this gear is geared more towards an arcane mage, so get to know and love the arcane mage rotation. I suggest occasionally spec'ing 40/0/21 and doing 5-mans to get the hang of it.

Stats in this gear (unbuffed)
7933 hp / 10691 mana
30% crit / 10% hit (3% off cap [buffs increase this])
1249 Spell Damage

Stats (buffed)
8603 hp / 13226 mana
40.51% crit / 13% hit
1481 Spell Damage

Buffed stats assume a shaman and moonkin in the group

Total Badge Count: 560

Gear (PVE [aka lazy])

[The Maelstrom's Fury] : High Warlord Naj’entus

[Chronicle of Dark Secrets] : Rage Winterchill

[Wand of the Forgotten Star] : High Astromancer Solarian

[Cowl of Tirisfal] : Lady Vashj
- [Chaotic Skyfire Diamond]
- [Runed Crimson Spinel]

[Adornment of Stolen Souls] : Prince Malchezaar
[Loop of Cursed Bones] : Zul’jin

[Mantle of Tirisfal] : Void Reaver
- [Potent Noble Topaz]
- [Infused Amethyst]

[Brute Cloak of the Ogre-Magi] : Maulgar

[Tormented Demonsoul Robes] : 100 Badges
- [Brilliant Dawnstone]

[Cuffs of Devastation] : Rage Winterchill
- [Runed Living Ruby]

[Enslaved Doomguard Soulgrips] : 75 Badges
- [Brilliant Dawnstone]

[Belt of Blasting] : Crafted
- [Glowing Nightseye]
- [Veiled Noble Topaz]

[Leggings of Channeled Elements] : Kaz’rogal
- [Runed Living Ruby]
- [Runed Living Ruby]
- [Runed Living Ruby]

[Slippers of the Seacaller] : High Warlord Naj’entus
- [Runed Living Ruby]
- [Runed Living Ruby]

[Band of the Eternal Sage] : Exalted: The Scale of the Sands

[Ring of Captured Storms] : High Warlord Naj’entus

[Hex Shrunken Head] : Hex Lord Malacrass

[Serpent-Coil Braid] : Morogrim Tidewalker
[Sextant of Unstable Currents] : Fathom Lord Karathress

When all is said and done, according to this nice DPS calculator you should end up with about 1810.60 DPS fully buffed.
Obviously this gear is geared more towards an arcane mage, so get to know and love the arcane mage rotation. I suggest occasionally spec'ing 40/0/21 and doing 5-mans to get the hang of it.

Stats in this gear (unbuffed)
7173 hp / 9791 mana
32.5% crit / 11% hit
1289 Spell Damage

Stats (buffed)
7763 hp / 12251 mana
43.69% crit / 14% hit
1566 Spell Damage

Buffed stats assume a shaman and moonkin in the group

Total Badge Count: 175

Tools and Resources

There are quite a lot of tools and such mages can use to figure out how they can be better. Here are some of the programs and web sites I use to keep tabs on everyone.

Rawr
http://www.codeplex.com/Rawr/Release/ProjectReleases.aspx?ReleaseId=12354
Gear comparison, dps calculator, spec inspection, this is by far the BEST mage program

Loot Rank
http://www.lootrank.com/wow/rank.asp
Does almost the same thing as Rawr but provides a bit more info and is easier to use in a certain respect. The thing with Loot Rank is you have to assign numbers to stats for it to choose the best gear for you. These numbers can be tweaked a bit depending on how you feel, but here are some example builds.

High priority on stam and haste, not the best for all of us atm.

This weighting is more suited for our mages at the current moment. Check it out.

I might make some tweaks based on layout here or there but this guide is not going to change much so consider it current to today’s post date.


A little while ago, Valve had been quoted as saying that critical hits in Team Fortress 2 are skill dependent. That the chance to get a critical hit increases the better you do. A couple of weeks ago I made up an experiment to test these statements out in game.

First off, I should explain that I wrote a plugin for Team Fortress 2 called TFTrue. This plugin maintains critical chance and damage for server owners wishing to change the default settings. To make the plugin I had to study the take-damage function in the game to figure out where the percentages were coming from (which, if you are curious, default to a 5% chance to crit with weapons and 15% with melee). I thought this statement was weird because after all my searching I never came up with any ‘skill’ variable that increased or decreased the crit chance. I set up my test to work out all the unknown variables in the game code and find out whether or not score has an impact on your crit chance. I will summarize my data here; if you want to refer to the hard data, see the end of this article.

I set up a private server with TFTrue installed and crit chance set to 50%. I made a test map with 1 spawn point and set the respawn time to 0. This made my bots all spawn in the same place with little death delay. I expended 80 rounds of rocket ammo at a wall and observed my critical count. For my control test I ended up with exactly 50% critical chance, so far so good. Next I stepped it up, introducing 7 bots on the opposing team to test the idea that being outnumbered helps. After firing all 80 rounds, my crit chance still remained 50%.

Next test involved killing the bots enough to achieve the ‘domination’ status with all of them. With my high score and high skill (according to the game), I fired 80 more rounds at the wall. Still 50% crit chance. What does this mean? It means being consistently better than the other players will not increase your crit chance.

The final test I did was tacked on as a side note when I noticed something interesting while killing the bots. It appeared that I was getting all crits when constantly killing the bots as they spawned right in front of me. So on a hunch I started firing constantly into the crowd of bots and, lo and behold, 100% crits for all 80 rounds. Upon further investigation I found that killing 2 players in quick succession increased your crit chance about 4 times over, meaning the default crit chance would become 20%. This effect lasted a variable amount of time depending on the weapon type. I timed the demoman’s sticky grenades to last for about 20 seconds; however, the rockets only lasted about 5. To figure out what specifically influences this behavior we must look back at our code.

Before the Nov. 7th patch, Valve had kept private critical chance variables in the game, namely tf_crit_chance, tf_rapid_crit_chance and tf_melee_crit_chance. The first and last are pretty much self explanatory; however, what, I wondered, is rapid crit chance? Back then I decided that it was the chance to crit while firing rapidly. However, after reviewing my test results I now believe that maybe this rapid chance is what determines critical chance when killing players rapidly. This is all theory and I have not tested it, but I do think that while playing, if you kill a player the game rolls a number to compare to the rapid chance and turns crits on for you if you are lucky. After the Nov. 7 patch the TFTrue plugin treats both those numbers the same; they are both controlled by tftrue_crit_chance. And after further reviewing the code, it supports this idea. So if we do work with this theory, let's walk through a typical game.

Player spawns
Player shoots gun at wall (5% chance to crit)
Player runs to enemy territory
Player kills enemy player (5% chance to start a “crit chain”; if the player is lucky he will now shoot crits for X seconds)
Player kills another enemy (5% chance to start a “crit chain,” regardless of whether he is in one or not)
Player shoots (5% crit chance, unless in a crit chain, then it is 20%)
Player dies.

I think if you are a hardcore TF2 player you can easily identify with this result; just remember that this scenario is purely hypothetical. I have not done any tests modifying rapid crit chance. Like I said earlier, however, the code supports this situation.

Now we must turn back to our original hypothesis. Does the critical hit chance get bigger the better you do? In one word, no. However, I think we can easily see how Valve would mix up this system with a skill reward. In this system you can be a complete noob and get 1 kill to put you in a crit chain. Your skill as a player has no bearing on the crit chance. How you get more crits in TF2 is to kill more people. The more people you kill, the more shots you have at hitting that 5% chance on the nose.

Test Data (each test's 80 rounds recorded as two series of 40):

Test 1: 15 / 40 crits | 24 / 40 crits
Test 2: 18 / 40 crits | 20 / 40 crits
Test 3: 22 / 40 crits | 18 / 40 crits
Test 4: 39 / 40 crits | 40 / 40 crits
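Added check, not part of the post: with only 40 shots per series the counts above carry a lot of noise, so before reading "15 of 40" as "not 50%" it is worth asking what a fair 50% roll actually produces. The C++ below computes the exact binomial p-value of each series against the configured 50%; at n = 40 anything from 14 to 26 crits is inside the usual 95% band, so the first three tests are indistinguishable from the setting, while 39/40 and 40/40 are not. The data table is copied from the post; the function names are mine.

```cpp
#include <algorithm>
#include <cmath>
#include <vector>

// Probability mass of Bin(n, p) for every k, built iteratively so no large
// factorials are needed. Requires 0 < p < 1.
std::vector<double> binomialPmf(int n, double p) {
    std::vector<double> pmf(n + 1);
    pmf[0] = std::pow(1.0 - p, n);
    for (int k = 0; k < n; ++k)
        pmf[k + 1] = pmf[k] * (n - k) / (k + 1) * p / (1.0 - p);
    return pmf;
}

// Two-sided exact binomial p-value for observing k crits in n shots when the
// configured crit chance is p (smaller tail doubled, capped at 1).
double binomialTwoSidedP(int n, int k, double p) {
    std::vector<double> pmf = binomialPmf(n, p);
    double lower = 0.0, upper = 0.0;
    for (int i = 0; i <= k; ++i) lower += pmf[i];   // P(X <= k)
    for (int i = k; i <= n; ++i) upper += pmf[i];   // P(X >= k)
    return std::min(1.0, 2.0 * std::min(lower, upper));
}

// Is the observed count consistent with crit chance p at significance alpha?
bool consistentWith(int n, int k, double p, double alpha = 0.05) {
    return binomialTwoSidedP(n, k, p) >= alpha;
}

struct Series { const char* label; int n; int crits; };

// The four tests from the post, each recorded as two 40-shot series.
const Series kPageData[] = {
    {"Test 1 (control)",    40, 15}, {"Test 1 (control)",    40, 24},
    {"Test 2 (7 bots)",     40, 18}, {"Test 2 (7 bots)",     40, 20},
    {"Test 3 (dominating)", 40, 22}, {"Test 3 (dominating)", 40, 18},
    {"Test 4 (crit chain)", 40, 39}, {"Test 4 (crit chain)", 40, 40},
};

// How many of the page's series cannot be explained by the configured chance.
int inconsistentSeries(double p = 0.5) {
    int bad = 0;
    for (const Series& s : kPageData)
        if (!consistentWith(s.n, s.crits, p)) ++bad;
    return bad;
}
```

Only the two crit-chain series fail the check, which is the same conclusion the post reaches, but now with a number attached: 39 or 40 crits out of 40 at a 50% setting has a p-value around 1e-10, whereas 15/40 has one of roughly 0.15 and is simply what a 50% roll looks like on a small sample.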


The true cornerstone of a project such as this will be dynamic and human-like actions. I have spent the last two weeks thinking of a system that would allow the development and evolution of dynamic actions, searching the internet, writing down ideas, and have finally come up with a design I feel confident enough to post about. I am writing this down for my benefit as well as for anyone who is curious, so the train of thought is going to be random and probably hard to understand. For that I apologize; I will have more solid implementation details ready when I have a working system written.

I started by defining what I would be given and what I would need to produce, and I decided to start with nothing but basic preprogrammed controllers attached to the actors to control everything about them: rotation, position, scale, etc. An NPC, for example, would have controllers on all of its bone joints. These controllers will have a predefined range of accepted values and know how to move around those ranges. What I wanted to end up with was a high level action, something that will ultimately be composed of hundreds of controller movements over time. And I needed a nice system to wrap up all this data into a structure the NPC can store and build off of.

To start off, picture a flat plain of controllers. Each controller knows what it can do, but there are no existing actions yet, so this NPC is as dumb as a brick. During training, actions will start simple; something along the lines of ‘bend index finger’ works. The NPC would look at its action graph and see only the flat plain of controllers, so it asks each controller if it can accomplish the task of moving the finger's x position by 1. The controller(s) that respond will have already been defined as able to do this, so the NPC builds a new action that connects directly with the controllers found previously. Now if the game asks to bend a finger, this action will say ‘I can do that’ and use the correct controller to change the finger's position. It is worth noting how the action knows it can do this, so I will explain that a bit. Each action has a function that reads the actor's current state and determines if it has actions or controllers in its collection to handle that state in any way. If it does, it says yes.

So as the NPC adds more and more actions it builds its web of linked actions; the process looks a lot like building a neural network. Each action has many actions linked to it, and links to many actions in turn. I cannot go much further without showing you the action class definition, so here you go:

#include <set>

class Actor;   // the thing being animated; its controllers live on it

class Action
{
public:
Action();
Action( Action* next );

bool validStart( Actor* );   // can this action start from the actor's current state?
bool validEnd( Actor* );     // can this action end in the requested state?

void AddNext( Action* );
void RemoveNext( Action* );

private:

std::set<Action*> actionList;  // Each entry in this action set represents a start state.
// What about actions that have many independent start actions?
};

When designing this class I thought it was going to be some monster from hell, but after I thought about it, added some recursion, and trimmed it down, I think it ended up rather nice. It is simple and works well. Each action will hold links to one or more actions. Each action link represents a valid start state, so when validStart is called the class should call validStart on each of its linked start states and return the OR of their results. This design is very recursive: a next link could be another action or, at the very bottom, a controller. Therefore chains of actions will form in neural network fashion with proper training. When the NPC wants to change his state (execute an action) he simply needs to figure out what state he wants to be in, call validEnd( endState ) on each of his higher level actions that match his start state, and if one matches, execute the action.

The only problem here is the tremendous overhead of using the brain. Take an example actor with just three levels of actions: when the game asks to do an action on the third level, that action asks for a valid start on all level 2 actions linked to it; in turn those level 2 actions call validStart for all level 1 actions linked to them, which in turn call validStart for all controllers linked to them. Each level multiplies the number of calls by its fan-out, so we could be looking at thousands of function calls with a simple 4 or 5 level NPC, and the growth is exponential in the depth. For now we will just have to deal with it, since I believe this to be the best way to describe dynamic actions; however, in the future tremendous effort will be required to optimize this code.
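Added example, my own interpretation of the design rather than code from the project: a minimal version of the action web in C++ with the recursive OR described above, plus the one optimization that attacks the overhead directly, a per-query cache so that each node is evaluated once no matter how many actions link to it. The layered web, the Actor, Controller and Query types, and the joint ranges are all assumptions made for the demonstration. On a 3-wide, 3-deep web the naive query does 121 evaluations and the cached one 13; the cache also stops a query from recursing forever if training ever links actions into a cycle.

```cpp
#include <cstddef>
#include <memory>
#include <unordered_map>
#include <vector>

// Hypothetical actor state: one value per joint, indexed by controller.
struct Actor { std::vector<double> joints; };

struct Node;

// Per-query scratch space. cache == false reproduces the design as posted
// (every link is followed every time); cache == true evaluates each node at
// most once per query, and a node that is still being evaluated answers "no"
// when reached again, which keeps a cycle in the web from recursing forever.
struct Query {
    bool cache;
    std::unordered_map<const Node*, bool> seen;
    std::size_t evaluations = 0;
    explicit Query(bool c) : cache(c) {}
};

struct Node {
    virtual ~Node() = default;
    virtual bool evaluate(const Actor& a, Query& q) const = 0;
};

// Ask a node whether the actor's current state is a valid start for it.
bool validStart(const Node* n, const Actor& a, Query& q) {
    if (q.cache) {
        auto it = q.seen.find(n);
        if (it != q.seen.end()) return it->second;
        q.seen[n] = false;                 // in progress: a revisit answers "no"
    }
    ++q.evaluations;
    bool ok = n->evaluate(a, q);
    if (q.cache) q.seen[n] = ok;
    return ok;
}

// Leaf: a controller accepts a range of values for its joint.
struct Controller : Node {
    std::size_t joint; double lo, hi;
    Controller(std::size_t j, double l, double h) : joint(j), lo(l), hi(h) {}
    bool evaluate(const Actor& a, Query&) const override {
        return joint < a.joints.size() && a.joints[joint] >= lo && a.joints[joint] <= hi;
    }
};

// Interior node: valid if any linked node (action or controller) is valid,
// which is the OR from the post.
struct Action : Node {
    std::vector<const Node*> next;
    void AddNext(const Node* n) { next.push_back(n); }
    bool evaluate(const Actor& a, Query& q) const override {
        for (const Node* n : next)
            if (validStart(n, a, q)) return true;
        return false;
    }
};

// Owns a web of nodes; `top` is the action the game would ask about.
struct Web {
    std::vector<std::unique_ptr<Node>> nodes;
    const Node* top = nullptr;
};

// Layered web for measuring the blow-up: `width` controllers, then `depth`
// layers of `width` actions each linked to every node in the layer below,
// and a single top action linked to the whole last layer.
Web buildLayeredWeb(std::size_t width, std::size_t depth) {
    Web w;
    std::vector<const Node*> below;
    for (std::size_t i = 0; i < width; ++i) {
        w.nodes.push_back(std::make_unique<Controller>(i, 0.0, 1.0));  // joint i in [0, 1]
        below.push_back(w.nodes.back().get());
    }
    for (std::size_t d = 0; d < depth; ++d) {
        std::vector<const Node*> layer;
        for (std::size_t i = 0; i < width; ++i) {
            auto act = std::make_unique<Action>();
            for (const Node* n : below) act->AddNext(n);
            layer.push_back(act.get());
            w.nodes.push_back(std::move(act));
        }
        below = layer;
    }
    auto top = std::make_unique<Action>();
    for (const Node* n : below) top->AddNext(n);
    w.top = top.get();
    w.nodes.push_back(std::move(top));
    return w;
}

// How many nodes actually did work for one validStart on the top action.
std::size_t evaluationsFor(const Web& w, const Actor& a, bool cache) {
    Query q(cache);
    validStart(w.top, a, q);
    return q.evaluations;
}

bool canStart(const Web& w, const Actor& a) {
    Query q(true);
    return validStart(w.top, a, q);
}
```

The cache is per query rather than per node because the answer depends on the actor's state at that instant; it is thrown away when the query ends, so nothing has to be invalidated when a controller moves.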

I will be working on integrating this design into my demo project so if my explanation is way off I will have sample code sometime soon.


Continuing from part 4, I will be explaining the detour I use in the cof plugin for Day of Defeat: Source. Basically, a detour is just what you would expect. When the actual game code reaches a certain part in the program, it will jump into one of your own newly coded functions to execute some code, then jump back to the original program. When we return control to the original program we can either return at the same place we jumped from, or we can return somewhere later in the program.

In the cof plugin, I set up a detour to replace the original bullet spread code with my own. I did this by setting a jump instruction right before the original jump code, and I returned just after the original shot code. I will illustrate this with a picture.

Basically what we are doing here is substituting our own code for the original. If you look at the cof plugin source from part 3, the code that adds this detour is found in the addCof function. I will explain the parts of it now.

First off we set the starting offset in the binary. This was mostly for optimization: instead of having the scanner search the entire binary image, I have it start at a specific offset. This offset is far enough into the image to save some time while not going past the area where the cone of fire code is likely to reside. Unless you know for a fact that the location will always be beyond this point, I do not suggest this for many projects. You will also notice I set two different values for Win32 and Linux. In Linux I simply use a function to give me the address of a symbol in the file, so that becomes my offset. After some experimentation I noticed that Linux ELF files did not take as kindly to the hard-coded offset as Windows did.

The next bit of code simply scans the binary for the shot code. After some error checking I offset the address a bit according to OS to run over the mov instruction right before the push -1 instruction (see cof plugin: part 4).

I then make a copy of the memory in that address space to allow for a simple ‘undo’ of the detour, should the server want to turn it off or an error occurs.

Immediately after that I proceed to write my detour. In this case I write it at the exact same point as the push -1 instruction from the last post.

What I ended up doing is moving the address I was going to jump to into a register and then jumping through that register. Something similar to:

mov eax, 0x11223344
jmp eax

My memory is a little fuzzy but that is basically what I did. You might be wondering why I did it this way and not just a ‘jmp 0x11223344,’ which is a very good question. A plain jmp does not take an absolute address: the short form only reaches 127 bytes in either direction, and the near form (E9) carries a 32-bit displacement relative to the end of the jmp itself, so you have to compute that displacement for every target instead of just writing the address down. A far jmp can carry an absolute address, but assembling that on the fly is a pain in the butt. Loading the address into a register and jumping through the register sidesteps the displacement math, at the cost of two extra bytes and a clobbered eax at the hook point. I found an example of this kind of jump on the Game Deception forums. It allows me to jump where I need to go.

So after we write the jump into memory, the legitimate bullet shot code will be sent directly to the address the myCOF() symbol points to. Two versions of this function exist, one for Windows and another for Linux.
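Added example, not the plugin's code: the two jump encodings side by side, written into a constructed byte buffer rather than live memory, with the save-and-restore bookkeeping that makes the ‘undo’ described above possible. The addresses and the sample code bytes are made up for the demonstration; patching a real process additionally needs the page made writable (VirtualProtect on Windows, mprotect on Linux), which is left out here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Byte-level view of the two ways to jump into a detour on 32-bit x86.
// Everything here operates on a plain buffer; nothing touches live memory.

// mov eax, imm32 ; jmp eax   (B8 imm32 / FF E0): 7 bytes, no displacement
// arithmetic, but eax is clobbered at the hook point.
void encodeAbsJmpViaEax(std::uint32_t target, std::uint8_t out[7]) {
    out[0] = 0xB8;
    std::memcpy(out + 1, &target, 4);   // little-endian immediate
    out[5] = 0xFF;
    out[6] = 0xE0;
}

// jmp rel32 (E9 disp32): 5 bytes; the displacement is measured from the end
// of the instruction, i.e. from hookAddr + 5. Unsigned wrap-around gives the
// right two's-complement bytes for backward jumps.
void encodeRelJmp(std::uint32_t hookAddr, std::uint32_t target, std::uint8_t out[5]) {
    std::uint32_t disp = target - (hookAddr + 5);
    out[0] = 0xE9;
    std::memcpy(out + 1, &disp, 4);
}

// A detour record: where the patch went, the bytes it overwrote, and the
// bytes written. Keeping the original bytes is what makes "undo" possible.
struct Detour {
    std::size_t offset = 0;
    std::vector<std::uint8_t> original;
    std::vector<std::uint8_t> patch;
};

// Write a patch into a code buffer, saving what it replaces. Returns false
// if the patch would run past the end of the region.
bool applyDetour(std::vector<std::uint8_t>& code, std::size_t offset,
                 const std::uint8_t* patch, std::size_t len, Detour& d) {
    if (offset + len > code.size()) return false;
    d.offset = offset;
    d.original.assign(code.begin() + offset, code.begin() + offset + len);
    d.patch.assign(patch, patch + len);
    std::memcpy(code.data() + offset, patch, len);
    return true;
}

// Restore the saved bytes; afterwards the region equals what it was before.
void removeDetour(std::vector<std::uint8_t>& code, const Detour& d) {
    std::memcpy(code.data() + d.offset, d.original.data(), d.original.size());
}

// Round trip on a constructed code region shaped like the sig from the next
// post: patch the register jump in at the "push -1" position, undo it, and
// check the bytes are back.
bool roundTrip() {
    std::vector<std::uint8_t> code = {
        0x68, 0x00, 0x00, 0x80, 0x3F,   // push 1.0f
        0x68, 0x00, 0x00, 0x80, 0xBF,   // push -1.0f   <- hook goes here (offset 5)
        0xFF, 0x50, 0x04,               // call [eax+4]
        0xD9, 0x5C, 0x24, 0x10          // fstp dword [esp+0x10]
    };
    std::vector<std::uint8_t> before = code;
    std::uint8_t jmp[7];
    encodeAbsJmpViaEax(0x11223344u, jmp);
    Detour d;
    if (!applyDetour(code, 5, jmp, sizeof jmp, d)) return false;
    bool patched = code[5] == 0xB8 && code[10] == 0xFF && code[11] == 0xE0;
    removeDetour(code, d);
    return patched && code == before;
}
```

Two things to watch when writing the real patch: the 7-byte register form overwrites the 5-byte push and the first two bytes of the call that follows, so the return jump has to land on an instruction boundary after everything that was clobbered (returning just after the shot code, as the post does, satisfies that), and since eax is overwritten, the detour function must not rely on whatever the original code had in it.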

Unfortunately this is where I have to end today so next time I will explain the assembly code, the stamp code, and how to setup the return jump.


So hopefully by now you have a working Source plugin that will make your server's cone of fire a straight line. Today I am going to explain a bit about sigs, and show you the signature needed to find the correct location of the shot code.

A signature, in this case, is a string of bytes that (hopefully) occurs only once in a program. These bytes should be very close to, if not on top of, the location you are trying to edit. For example, the signature I used in my cof plugin to find the correct location is this:

8B0D207454228B01680000803F68000080BFFF5004D95C24108B0D
207454228B11680000803F68000080BFFF5204D9542414D84C2414

If I remember correctly, this string will point my program at the exact location where the code prepares to call the random function from COF Plugin Part 1. Now if you are reading the source code you will see that I actually set many different sigs: one for the shot code, one for the return address, and 2 more for Linux. In Linux the code looks a bit different, so I needed 2 different sigs.

Now a sig like this, by itself, is no safer than using direct address manipulation, because it embeds absolute addresses (the 20745422 right after 8B0D is the operand of a mov ecx, [...] instruction). Let's say that 2 months from now a program update comes out and the layout changes to accommodate the new code. Let's say 1000 more bytes of code were added in front of this location; now all of a sudden an address that pointed to the right location in the old version is different, and so are the operand bytes baked into our sig.

There would be no (easy) way for our simple program to detect this, and the sig scan would pass over the correct location without even knowing it.

By the way, sig scanning is what you use this sig for. What you basically do is start at the beginning of a binary in memory and scan through all the code looking for bytes that match your sig completely. I will post code to do this later.

So, how we improve our simple sig is to add a mask to it. A mask is a wonderful thing: it tells the scanner to ignore certain parts of the sig, but still verify that it is the correct order of instructions. If you are looking at my source code, you see I set up masks for each of the sigs; in fact, I made the mask and sig one and the same data structure to avoid confusion. I will not bother posting the mask, but here is the sig with the mask overlay to show what the scanning is actually searching for.

8B0D????????????680000803F68000080BF???????????????????????
???????680000803F68000080BFFF????D9??????D8??????

And this, translated into pseudo-assembly, is

mov ???????????
???????
push 1
push -1
????????
????????
????????
????????
????????
push 1
push -1
call ???
fst ????
fmul ????

The question marks represent the bytes the scanner will not look at. (The two push immediates, 0x3F800000 and 0xBF800000, are 1.0 and -1.0 as 32-bit floats, which is why they appear as push 1 and push -1 above.) In this way, the scanner only searches for this specific sequence of instructions, without depending on any operand that can be changed by a recompile.

Technically speaking, the order of instructions can also change with each recompile, especially if they make changes to the specific cpp file that holds FX_FireBullets. That would force the compiler to recompile the file and possibly alter the order of these commands. However, I never said this was a fool-proof way to scan; it is just one of the simplest and best ways. The chances of the instructions moving are very low, and if you plan to support this project in any way, shape or form during its lifetime it is an easy fix to change the sig a bit. In fact, if you have to change it often it is a good thing: you will learn how to make good sigs. So far I have not had to edit this sig, since Day of Defeat: Source has not had an update since I made the plugin, but it is always a possibility. Just remember, if you ever have to reconfigure a sig, make sure to keep it working for the older version as well; that way you can learn what you need to scan for and what you can skip.

So now that you know all about sigs, here is the sig scanner:

#include <cstring>

#ifndef _WIN32
typedef unsigned char BYTE;     // Windows types; defined here so this compiles elsewhere too
typedef unsigned long DWORD;
#endif

// Compare the bytes at pData against bMask, checking only the positions
// where szMask has an 'x'; any other mask character is a wildcard.
bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
for(;*szMask;++szMask,++pData,++bMask)
if(*szMask=='x' && *pData!=*bMask )
return false;
return (*szMask) == '\0';
}

// Scan dwLen bytes starting at dwAddress for the first place the sig matches.
DWORD dwFindPattern( DWORD dwAddress, DWORD dwLen, BYTE* bMask, char* szMask)
{
DWORD dwMaskLen = (DWORD)strlen(szMask);
// Stop early enough that the comparer never reads past the end of the region.
for(DWORD i=0; i + dwMaskLen <= dwLen; i++)
{
if( bDataCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )
return (DWORD)(dwAddress+i);
}

return 0;
}

Fairly simple really, which is why sig scanning is the best cheap form of address retrieval. At each address we run the sig through the data comparer to see if this address matches the sig; if not, we move on to the next address. Not too efficient, but the scans are only done once as the program starts.

After the sig scanning we (hopefully) have the right addresses. If the sig was not found, then we print an error; if the sig was found in another location and we write there, then we break the program and the server crashes. Hopefully neither happens, but once we have the address it is just a simple matter of writing our detour, which I will explain next time.
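Added example, not the plugin's own scanner: the same masked comparison as above, with two additions a practitioner wants. First, the pattern is parsed from the usual ‘8B 0D ?? ?? ?? ??’ text so the mask and the bytes cannot drift apart. Second, the scanner reports every match rather than the first, and findUnique refuses to hand back an address unless there is exactly one, which is the cheap guard against the ‘found in another location, wrote there, crashed the server’ case described above. The sample image is constructed for the demonstration; it repeats the push 1.0f / push -1.0f / call shape from the post's sig twice with different register and operand bytes.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// A parsed signature: one byte plus one "must match" flag per position.
struct Sig {
    std::vector<std::uint8_t> bytes;
    std::vector<bool> fixed;      // false where the pattern had ??
};

// Parse an IDA-style pattern such as "68 00 00 80 3F 68 ?? ?? ?? ?? FF 50 04".
// Throws on a malformed token rather than silently producing a bad mask.
Sig parseSig(const std::string& pattern) {
    Sig s;
    std::istringstream in(pattern);
    std::string tok;
    while (in >> tok) {
        if (tok == "??" || tok == "?") { s.bytes.push_back(0); s.fixed.push_back(false); continue; }
        if (tok.size() != 2 || !std::isxdigit((unsigned char)tok[0]) || !std::isxdigit((unsigned char)tok[1]))
            throw std::invalid_argument("bad signature token: " + tok);
        s.bytes.push_back((std::uint8_t)std::strtoul(tok.c_str(), nullptr, 16));
        s.fixed.push_back(true);
    }
    return s;
}

// Masked compare at one offset; the caller guarantees the sig fits.
bool matchesAt(const std::vector<std::uint8_t>& image, std::size_t off, const Sig& s) {
    for (std::size_t i = 0; i < s.bytes.size(); ++i)
        if (s.fixed[i] && image[off + i] != s.bytes[i]) return false;
    return true;
}

// Every offset where the signature matches; the loop bound keeps the
// comparison inside the image.
std::vector<std::size_t> findAll(const std::vector<std::uint8_t>& image, const Sig& s) {
    std::vector<std::size_t> hits;
    if (s.bytes.empty() || s.bytes.size() > image.size()) return hits;
    for (std::size_t off = 0; off + s.bytes.size() <= image.size(); ++off)
        if (matchesAt(image, off, s)) hits.push_back(off);
    return hits;
}

// Refuse to hand back an address unless the sig is unique:
// -1 means not found, -2 means ambiguous.
long findUnique(const std::vector<std::uint8_t>& image, const Sig& s) {
    std::vector<std::size_t> hits = findAll(image, s);
    if (hits.empty()) return -1;
    if (hits.size() > 1) return -2;
    return (long)hits.front();
}

// Constructed image: the same instruction shape appears twice, differing
// only in the address operand and the register used, with NOP filler.
std::vector<std::uint8_t> sampleImage() {
    return {
        0x90, 0x90, 0x90,
        0x8B, 0x0D, 0x20, 0x74, 0x54, 0x22, 0x8B, 0x01,               // mov ecx,[0x22547420] ; mov eax,[ecx]
        0x68, 0x00, 0x00, 0x80, 0x3F, 0x68, 0x00, 0x00, 0x80, 0xBF,   // push 1.0f ; push -1.0f
        0xFF, 0x50, 0x04, 0xD9, 0x5C, 0x24, 0x10,                     // call [eax+4] ; fstp dword [esp+0x10]
        0x90, 0x90,
        0x8B, 0x0D, 0x28, 0x74, 0x54, 0x22, 0x8B, 0x11,               // mov ecx,[0x22547428] ; mov edx,[ecx]
        0x68, 0x00, 0x00, 0x80, 0x3F, 0x68, 0x00, 0x00, 0x80, 0xBF,   // push 1.0f ; push -1.0f
        0xFF, 0x52, 0x04, 0xD9, 0x54, 0x24, 0x14,                     // call [edx+4] ; fst dword [esp+0x14]
        0x90,
    };
}
```

A sig that wildcards too much (the push pair plus a masked call) hits both copies and findUnique reports it as ambiguous; extending it across the distinguishing mov bytes on either side brings it back to exactly one hit, which is the same trade-off the post describes between masking out operands and keeping enough fixed bytes to stay unique.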


