Although I'm far from an experienced asm programmer, I'm trying to make an attempt at making an anti-kick for this game called Midnight Club 2. That is, if I'm able to find the "actual" kick bytes in the game and NOP them. I've done some debugging on my own and maybe some of you can advise me on how to go from here:
Highlighted in red is the boot message in assembly (found in the first picture).
You'll see several user comments which I use to help me with my debugging.
You'll also notice points where I've marked "start" and "end" or "beginning function" and "end function"; those are different functions which have calls or jumps linked back to the original function where the boot message debug string is found. I found the functions by setting hardware breakpoints and checking if they were triggered when the boot message would pop up every time a user gets kicked from a game.
So a problem right away that I can already see is that I'm not sure if the kick command is going to be found in a call, jump, or a mov dword, eax ptr ... instruction, so how I'm trying to debug the kick command is:
1. Reverse all the jumps.
2. NOP each call one by one; if the game hangs or crashes when I get kicked and the call is NOPed, I may go further into the call.
3. Then I'll go through and NOP the instructions more prone to crashing, like mov dword, eax or add 5, eax.
Also, just by looking at where the boot message is, it seems as though the actual kick command is not inside that same function. As you can see, I've NOPed most of it, and unless the kick command is inlined into the function I don't see how it can be there. The kick message looks to be part of a huge switch statement which is just for error-handling messages, not the actual "kick" function itself.
However, if I do "find references" to the beginning of the function, it has two calls to it, so I think that the kick function may be somewhere in there.
One of the calls is quite odd, considering that if I set bp's on either side of the call command the game freezes. So for some reason it looks like the call is just thrown in the middle of the code for no apparent reason.
For the other call, however, I was able to find an actual beginning and end point.
Here's the entire switch block in which the boot message is in:
Below is the full code to the entire switch block, but keep in mind that only 00423000 to 00423048 concerns the boot message. (I set bp's to confirm this.)
PS: if you notice, there is a call right underneath the boot message, but to my understanding wouldn't the kick function need to happen before the boot message shows up? Hence the kick bytes should come before the message, so I don't think that call is the correct one, even though it's inside the function in which the boot message is.
Now here are the two calls to this function that I mentioned earlier, in which I think the kick bytes might be (they get called before this function even takes place):
Call 1 to the function which holds the boot string (00423000):
You'll see user comments beside the second call, so you can't miss it, and it's a weird one as well. I don't know why either side of the call makes the game hang when bp'd, so I don't think anything around the call has to do with the boot function.
There are more calls that branch from each of these ones as well, but I won't post them until someone can confirm that the functions that I've already gone through and debugged don't have the kick bytes in them.
Sorry that the post is so long, but I couldn't find a way to shorten it, considering that I know 80% of people don't even play this game.
Please try to look past any grammatical errors; it's extremely late here and I need to head off to sleep.
If anyone is interested in helping me keenly and deeply, I'm willing to pay you via PayPal. Otherwise, any help here is appreciated. If you are interested in helping me finish this to the end (outside of the boards, on MSN or Skype), we can negotiate a fair price.
The game has no anti-cheat and memory patching is a breeze, although the game is not open source, nor is there any information about the game engine or API available on the net.