Hah! New method found, new patch has been uploaded. For those who are interested I will post the technical details of my find below.
This is the signature checking function from WoW.exe v2.1.3
Code:
.text:0040207B loc_40207B: ; CODE XREF: sub_402030+30j
.text:0040207B mov edx, [ebp+var_70]
.text:0040207E mov eax, [ebp+var_6C]
.text:00402081 push 4
.text:00402083 push offset unk_79E7F8
.text:00402088 push 100h
.text:0040208D push offset unk_80F000
.text:00402092 push edx
.text:00402093 push eax
.text:00402094 call sub_612A90
.text:00402099 add esp, 18h
.text:0040209C test eax, eax
.text:0040209E jnz short loc_4020D4
.text:004020A0 push offset aSignaturefile ; "signaturefile"
.text:004020A5 push offset aCouldNotAuthen ; "Could not authenticate the %s file."
.text:004020AA lea ecx, [ebp+var_68]
.text:004020AD push 64h
.text:004020AF push ecx
.text:004020B0 call sub_608F80
.text:004020B5 add esp, 10h
.text:004020B8 push 1 ; uExitCode
.text:004020BA push 0 ; int
.text:004020BC lea edx, [ebp+var_68]
.text:004020BF push edx ; int
.text:004020C0 push 8AAh ; int
.text:004020C5 push offset a_Client_cpp ; ".\Client.cpp"
.text:004020CA push 4DCh ; int
.text:004020CF call sub_613860
This is the same function in WoW.exe v0.2.2
Code:
.text:004020CB loc_4020CB: ; CODE XREF: sub_402080+30j
.text:004020CB mov edx, [ebp+var_70]
.text:004020CE mov eax, [ebp+var_6C]
.text:004020D1 push 4
.text:004020D3 push offset unk_8358E8
.text:004020D8 push 100h
.text:004020DD push offset unk_8B0008
.text:004020E2 push edx
.text:004020E3 push eax
.text:004020E4 call sub_627170
.text:004020E9 add esp, 18h
.text:004020EC test eax, eax
.text:004020EE jnz short loc_40212B
.text:004020F0 push offset aSignaturefile ; "signaturefile"
.text:004020F5 push offset aCouldNotAuthen ; "Could not authenticate the %s file."
.text:004020FA lea ecx, [ebp+var_68]
.text:004020FD push 64h
.text:004020FF push ecx
.text:00402100 call sub_61BC00
.text:00402105 add esp, 10h
.text:00402108 push 0
.text:0040210A call sub_625F60
.text:0040210F push 1 ; uExitCode
.text:00402111 push 0 ; int
.text:00402113 lea edx, [ebp+var_68]
.text:00402116 push edx ; int
.text:00402117 push 944h ; int
.text:0040211C push offset a_Client_cpp ; ".\Client.cpp"
.text:00402121 push 4DCh ; int
.text:00402126 call sub_626220
Notice the extra lines present in the new version.
Code:
.text:00402108 push 0
.text:0040210A call sub_625F60
By following that call we get this.
Code:
.text:00625F60 ; =============== S U B R O U T I N E =======================================
.text:00625F60
.text:00625F60 ; Attributes: bp-based frame
.text:00625F60
.text:00625F60 sub_625F60 proc near ; CODE XREF: sub_402080+8Ap
.text:00625F60 ; sub_622100+18p ...
.text:00625F60
.text:00625F60 arg_0 = dword ptr 8
.text:00625F60
.text:00625F60 push ebp
.text:00625F61 mov ebp, esp
.text:00625F63 mov eax, [ebp+arg_0]
.text:00625F66 mov dword_CC1A44, eax
.text:00625F6B pop ebp
.text:00625F6C retn 4
.text:00625F6C sub_625F60 endp
.text:00625F6C
.text:00625F6C ; ---------------------------------------------------------------------------
As you can (or maybe not) see, it is taking the '0' pushed at the start, loading it into a register, then putting the contents of that register (now '0') into the model editing variable. By doing this they are effectively resetting the variable every time before a file is loaded.
So how do we fix this? Simple! Just overwrite the '0' with our own number; in this case I will choose '1'. So the new code becomes:
Code:
.text:00402108 push 1
.text:0040210A call sub_625F60
There is one problem with this code, though: it will not pass WoW's validation check on login because we are editing the text segment rather than the data segment. To get around this we simply enable and disable the fix at appropriate intervals; the times we should do this are explained upon running my new fix.
Thank you for your time and support.
P.S. A message to Blizzard:
Blizzard, there will always be hackers out there who will reverse your code, and they will always be able to disable your protections no matter how hard you try to stop us. There's no way to get rid of us, so just learn to deal with us; all you're doing is making extra work for yourself by "fixing" model editing.
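
An added example (not part of the original post), from the defender's side of the login-time validation described above: a code-region hash checked only at login sees nothing when bytes differ only between two logins, while re-hashing during the session does. The byte values, event names and the FNV-1a hash are constructed assumptions, not taken from the client.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* FNV-1a stands in for whatever digest a real client uses (assumption). */
static uint32_t region_hash(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Timeline events, constructed for this demo. */
enum ev { EV_LOGIN, EV_TICK, EV_PATCH_ON, EV_PATCH_OFF };

/* Replays a session over a copy of the code bytes and returns how many
 * checks saw a mismatch. Login always checks; ticks only if `periodic`. */
static int replay(const enum ev *evs, size_t n_evs, int periodic) {
    /* Constructed stand-in for a code region: push imm8 / call rel32. */
    uint8_t code[] = { 0x6A, 0x00, 0xE8, 0x10, 0x20, 0x30, 0x00 };
    const uint32_t baseline = region_hash(code, sizeof code);
    int mismatches = 0;
    for (size_t i = 0; i < n_evs; i++) {
        switch (evs[i]) {
        case EV_PATCH_ON:  code[1] = 0x01; break;  /* operand byte changed */
        case EV_PATCH_OFF: code[1] = 0x00; break;  /* original restored */
        case EV_TICK:
            if (!periodic) break;
            /* fall through */
        case EV_LOGIN:
            if (region_hash(code, sizeof code) != baseline) mismatches++;
            break;
        }
    }
    return mismatches;
}

/* The modification is live only between two login-time checks. */
static const enum ev SESSION[] = {
    EV_LOGIN, EV_PATCH_ON, EV_TICK, EV_TICK, EV_TICK, EV_PATCH_OFF, EV_LOGIN
};
#define SESSION_LEN (sizeof SESSION / sizeof SESSION[0])

int login_only_hits(void) { return replay(SESSION, SESSION_LEN, 0); }
int periodic_hits(void)   { return replay(SESSION, SESSION_LEN, 1); }

int main(void) {
    printf("login-only: %d, periodic: %d\n", login_only_hits(), periodic_hits());
    return 0;
}
```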