Rise of the Witch King

The auto defeat fix to end all auto defeat fixes ...

# 1 withmorten Mar 10 2018, 00:07 AM
Hi, new here but not new to BFME.

I sat down with a friend today and finally figured out how to *really* bypass the Auto defeat of doom after 3:30 minutes if the game2.dat or the ergc code in the registry is wrong.

What happens is the following:

1. The BFME1/2/ROTWK installer encrypts a GUID with your ergc Key using Blowfish and writes the contents into the lotrbfme.dat or game2.dat. This GUID is hardcoded in the binary for BFME1, and the G4 entry in the gi.dat for BFME2 and ROTWK.

2. On startup, the launcher (lotrbfme.exe, lotrbfme2.exe or lotrbfme2ep1.exe) decrypts the contents of the license file using your ergc registry entry and passes that decrypted string to the game.dat via MapViewOfFileEx and PostThreadMessageA. If this decrypted GUID does not match the unencrypted hardcoded or gi.dat entry, it will auto defeat you after 3:30 minutes.

After we finally figured this out, it was relatively trivial to patch the launcher for ROTWK to always pass the unencrypted GUID from the gi.dat ("D9151691-DF43-448c-87C2-742C1FC0FAEB" in ROTWK) to the game.dat, no matter what.

Since the launcher already had a function for retrieving the G4 string from the gi.dat, we simply used that and overwrote the buffer created by MapViewOfFileEx with strcpy(game2datMappedFileBuffer, GUID4).

Here is pseudocode illustrating that: https://i.imgur.com/WYp7RCS.png

And since I'm probably not supposed to just upload the patched launcher on here without asking anyone, here's a binary diff so you know what we actually did (and can apply the patch yourself):

https://i.imgur.com/yHgdrVy.png

Above is the patched version, below untouched.

The same principle of patching can be applied to the BFME2 and BFME1 launchers; I only just found out about it, though, and haven't gotten around to testing that yet.

Maybe some mod can respond and a patched launcher can be integrated into one of the tutorials on here? I'm sure this will avoid a lot of headaches in the future since you don't need to reinstall the game (or install it at all) anymore.


Attached file: launchers.zip (size: 530.12k, number of downloads: 12960)


This post has been edited by brabox: Sep 10 2018, 12:28 PM

# 2 TheRingisHot Mar 10 2018, 10:41 AM
cool, thank you so much!

# 3 brabox Mar 10 2018, 13:28 PM
Good work!

Can you post your modified version of the lotrbfme2ep1.exe (upload inside a zip file please) and your binary diff in text format?

Furthermore, a reverse engineer already removed the safedisc thing from game.dat (the actual engine) but that only works if you run that executable directly.


Are you guys reverse engineers? There's a ton of interesting projects in 2.02 that involve binary editing such as:
- Changing the mechanic of the Armor bonus
- Changing how the HERO kindof works
- Unlocking War of the Ring for more than 2 humans (could prove tricky)
- Reducing delay in multiplayer mode (this will definitely be tricky)

If you're ever interested in any of them, please let me know. We can even discuss payment.

# 4 withmorten Mar 11 2018, 01:51 AM
Thanks!

Attached to this post are the fixed launchers for BFME1, BFME2 and ROTWK, including an IDA dif file for automated patching and a .diff file containing instructions for manual patching.

The BFME2 launcher patch is the same as for the ROTWK one, just some different offsets.

The BFME1 launcher was a bit different because the GUID is hardcoded into the game but not present in the launcher, so I had to add the GUID string somewhere - I decided to overwrite the Blowfish initialization key with it - and then call memcpy instead of strcpy as it was not present in the binary either.

Your latest ROTWK patch is using an unsafedisced game.dat that doesn't generate a random version number every time, right?

The function that uses WinVerifyTrust to check if the game.dat is still packed/unmodified always returns true, and thus the version memory area doesn't get set to a number generated with rand().

I made a very similar patch to the game.dat, too, and then noticed that your team had already patched that. I also patched the unsafedisced version of BFME2, if you're interested in that. They're both on gamecopyworld, they're based on the scene cracks that were available for the latest EA patches, which both include unsafedisced binaries.

We both just occasionally dabble in reverse engineering, my friend is a lot better at it than me, but we're nowhere near professional RE'ing. My friend also doesn't really play BFME, he just helped me because I asked him to and he actually wanted to figure out how the damn thing worked, too. So while I can have a look at the problems you listed, I probably won't be able to help much (and neither can my friend since he's busy modding other games, such as GTAIII, VC and SA, he's the one who made skygfx for those games).

Increasing the player number in WOTR does sound really cool though. Seems entirely possible too, considering that the mode already supports 6 players, just not 6 human players. So the structs/classes *already* support 6 players and you don't need to rewrite every single one of them, hopefully.

I did however potentially fix another problem in ROTWK. Sometimes when you play for a long time against AI enemies (or even just human players, who knows, never tested that), either in Skirmish or LAN (which is how my brother and I mostly play), the game will crash when you defeat an enemy. I was able to track down the exception address and modified the function in which the game crashed to never reach that part of the code, and it doesn't seem to have any side effects apart from actually not crashing at all anymore when defeating enemies now, but it's hard to know ...

The function is at 0x9B62F6, and the ExceptionAddress is 0x9B6318. It's right at the location a JNZ points to, so I just nopped that out, effectively neutering the function but the game still seems to work fine.

I also figured out how to start the game.dat directly without the launcher, but if it doesn't get the license GUID from the launcher it still defeats you after 3:30 minutes. That'd be another thing to look at, how the game actually uses that GUID4 and whatever other info it gets from being started by the launcher. We briefly looked at it, but the game.dat is just incredibly complicated, with virtualized functions and everything else you could ever hate about reverse engineering a huge C++ program.

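An added example, not code from the post or from the 2.02 project, of the patching workflow withmorten describes above (the IDA "dif" file for automated patching): a small Python tool that parses an IDA Pro .dif file and applies it to a binary, refusing to write anything unless every original byte matches, so a dif produced against one launcher build cannot silently corrupt another build or be applied twice. The file name, offsets and bytes in the embedded sample are constructed for the demo and are not those of any real launcher.

```python
"""Apply (or undo) an IDA Pro .dif file against a binary, verifying first.

Added example, not code from the post or the 2.02 project. IDA writes a dif
as a header line, a blank line, the target file name, then one line per byte:
    <hex file offset>: <original byte> <patched byte>
The sample dif and sample binary below are constructed for this demo.
"""
import re
from pathlib import Path

# One patch line, e.g. "00001234: 75 90"
DIF_LINE = re.compile(r"^([0-9A-Fa-f]+):\s*([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})$")

# Constructed sample: a 16-byte "binary" and a dif that turns the two bytes at
# offsets 4 and 5 (standing in for a two-byte conditional jump) into NOPs (0x90).
SAMPLE_BINARY = bytes(range(16))
SAMPLE_DIF = """This difference file has been created by IDA Pro

launcher_demo.exe
00000004: 04 90
00000005: 05 90
"""


def parse_dif(text):
    """Return [(offset, old_byte, new_byte), ...]; non-patch lines are ignored."""
    patches = []
    for line in text.splitlines():
        m = DIF_LINE.match(line.strip())
        if m:
            patches.append((int(m.group(1), 16), int(m.group(2), 16), int(m.group(3), 16)))
    return patches


def apply_dif(data, patches, reverse=False):
    """Return a patched copy of `data`.

    Every byte is checked against the dif's "old" value before anything is
    written, so a dif for another build (or a file that is already patched)
    is rejected as a whole instead of being half-applied. reverse=True swaps
    old and new, which restores the pristine file from a patched one.
    """
    if reverse:
        patches = [(off, new, old) for off, old, new in patches]
    buf = bytearray(data)
    for off, old, _ in patches:  # verify everything first
        if off >= len(buf):
            raise ValueError(f"offset {off:#010x} is beyond end of file ({len(buf)} bytes)")
        if buf[off] != old:
            raise ValueError(
                f"byte at {off:#010x} is {buf[off]:#04x}, expected {old:#04x}: "
                "wrong build or already patched"
            )
    for off, _, new in patches:  # only now write
        buf[off] = new
    return bytes(buf)


def patch_file(path, dif_text, reverse=False):
    """Patch the file at `path` in place, keeping a .bak copy of what was there."""
    p = Path(path)
    original = p.read_bytes()
    patched = apply_dif(original, parse_dif(dif_text), reverse)
    p.with_suffix(p.suffix + ".bak").write_bytes(original)
    p.write_bytes(patched)
    return patched


if __name__ == "__main__":
    patches = parse_dif(SAMPLE_DIF)
    patched = apply_dif(SAMPLE_BINARY, patches)
    print("patched bytes:", patched.hex(" "))
    print("restored ok:", apply_dif(patched, patches, reverse=True) == SAMPLE_BINARY)
```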
# 5 withmorten Mar 11 2018, 05:19 AM
Okay I actually had a very quick look at the WOTR stuff and managed to do *something* ... you can now select "Open" for all 6 players in LAN WOTR, even though I have no idea if it will actually work. I might be able to test it with some laptops soon, but not sure, and I certainly don't have 6. The default AI players also remain which is a bit weird. You can join as player 3-6 now, though, if the host opens the slots manually.

Anyway, I patched some bytes in what I think is the game.dat that was packaged with 202_v7, in more detail, I nopped 0xF bytes at file offset 0x441835. The game now ignores a value that seemed to be 1 for player 0 and 1, and the return value of some function that I have no idea what it does (also seemed to be 1 for player 0 and 1), and thus adds the GUI:Open option for all players except player 0 (the host) in WOTR mode now. Does the same in SP though. So really, very buggy.

The modified game.dat is attached in a zip below, feel free to test it out.


Attached file: game.zip (size: 4.83mb, number of downloads: 1580)

# 6 brabox Mar 11 2018, 10:18 AM
> withmorten @ Mar 11 2018, 02:51 AM wrote:
> Attached to this post are the fixed launchers for BFME1, BFME2 and ROTWK, including an IDA dif file for automated patching and a .diff file containing instructions for manual patching.

Thanks very much. I'm making a "portable" 2.02 installer containing both bfme2 and rotwk 2.02 in 1 download that does not rely on EA's installers. Your auto-defeat fix seems better than renaming our v7 game.dat to lotrbfme2ep1.exe and running it directly.

> withmorten @ Mar 11 2018, 02:51 AM wrote:
> Your latest ROTWK patch is using an unsafedisced game.dat that doesn't generate a random version number every time, right?

I'm not exactly sure, but I can confirm a reverse engineer having done some work on the safedisc thing. I think he also modified the launcher but I think we forgot to ship it with v7.


> withmorten @ Mar 11 2018, 02:51 AM wrote:
> We both just occasionally dabble in reverse engineering, my friend is a lot better at it than me, but we're nowhere near professional RE'ing. My friend also doesn't really play BFME, he just helped me because I asked him to and he actually wanted to figure out how the damn thing worked, too. So while I can have a look at the problems you listed, I probably won't be able to help much (and neither can my friend since he's busy modding other games, such as GTAIII, VC and SA, he's the one who made skygfx for those games).

Sounds cool!



> withmorten @ Mar 11 2018, 02:51 AM wrote:
> Increasing the player number in WOTR does sound really cool though. Seems entirely possible too, considering that the mode already supports 6 players, just not 6 human players. So the structs/classes *already* support 6 players and you don't need to rewrite every single one of them, hopefully.

Correct.
I think it even has a mechanism for determining whether you can play RTS. It simply is: as long as all human players have an army on the disputed territory, RTS is possible.

The reason being that EA didn't make an observer mode for WotR (I think).


> withmorten @ Mar 11 2018, 02:51 AM wrote:
> I did however potentially fix another problem in ROTWK. Sometimes when you play for a long time against AI enemies (or even just human players, who knows, never tested that), either in Skirmish or LAN (which is how my brother and I mostly play), the game will crash when you defeat an enemy. I was able to track down the exception address and modified the function in which the game crashed to never reach that part of the code, and it doesn't seem to have any side effects apart from actually not crashing at all anymore when defeating enemies now, but it's hard to know ...
>
> The function is at 0x9B62F6, and the ExceptionAddress is 0x9B6318. It's right at the location a JNZ points to, so I just nopped that out, effectively neutering the function but the game still seems to work fine.


> withmorten @ Mar 11 2018, 02:51 AM wrote:
> I also figured out how to start the game.dat directly without the launcher, but if it doesn't get the license GUID from the launcher it still defeats you after 3:30 minutes.

Our current game.dat already supports this.

It also improves the Random faction generation.


> withmorten @ Mar 11 2018, 02:51 AM wrote:
> We briefly looked at it, but the game.dat is just incredibly complicated, with virtualized functions and everything else you could ever hate about reverse engineering a huge C++ program.

Yeah I don't doubt it's nasty work. Especially the offhost delay issue seems to be incredibly complex.


> withmorten @ Mar 11 2018, 06:19 AM wrote:
> Okay I actually had a very quick look at the WOTR stuff and managed to do *something* ... you can now select "Open" for all 6 players in LAN WOTR, even though I have no idea if it will actually work. I might be able to test it with some laptops soon, but not sure, and I certainly don't have 6. The default AI players also remain which is a bit weird. You can join as player 3-6 now, though, if the host opens the slots manually.
>
> Anyway, I patched some bytes in what I think is the game.dat that was packaged with 202_v7, in more detail, I nopped 0xF bytes at file offset 0x441835. The game now ignores a value that seemed to be 1 for player 0 and 1, and the return value of some function that I have no idea what it does (also seemed to be 1 for player 0 and 1), and thus adds the GUI:Open option for all players except player 0 (the host) in WOTR mode now. Does the same in SP though. So really, very buggy.
>
> The modified game.dat is attached in a zip below, feel free to test it out.

Wow nice! I'll try it out with 3 players.

V7 ships 2 game.dat files, one for older versions (game.other by default) and one for newer versions (game.dat by default). The new game.dat is smaller in file size.

# 7 Ab3r` Mar 11 2018, 12:22 PM
Amazing to think how many talented people play this game offline, we could use more people like this in the community!

# 8 FotosKaroullas Mar 11 2018, 13:44 PM
Wow, you are amazing!

I am willing to pay money if you remove the offhost lag or lag in general!
It will feel like it's a new game!

# 9 Mako Mar 11 2018, 14:35 PM
Ha Fotos you are Dodger!

Well withmorten if you can do anything to help us it will be amazing!

# 10 withmorten Mar 11 2018, 15:38 PM
I can 100% say that I am not good enough to fix an issue as complicated as that ... I'd gladly help, as the issue is really annoying to me as well, I can't believe how bad this game runs even in a physical LAN.

It would be nice if somebody did the same thing for the game as the userpatch guys did for Age of Empires 2 (where the game now runs almost without delay in LAN mode, practically the same as singleplayer), but I think it's just way, way more complicated.

@brabox:

So what exactly is all fixed in your unsafedisced game.dat?

Random faction generation, no random version number, but surely not the weird crash fix? And you can launch it directly as game.exe AND it doesn't auto defeat you even though it doesn't get started by the launcher?

I think I might have actually used the 6.0.0 version by accident, so be sure to start it via the launcher. Edit: Nevermind, it's the fully patched version (startable without launcher and no autodefeat).

Who did the reverse engineering for your version? It would be nice to get in touch with him somehow. I'll have a look at the binary shipped with v7 and compare it to the v6. Do you also have the original untouched unsafedisced version you used? I think I found a similar file in a super old torrent once but it was long dead.

Edit: And I compared the two binaries (my one and your one), and it turns out we actually found the function that causes the game to go into auto defeat mode too, I just thought it didn't get used whatsoever because there were no xrefs to it and breakpoints revealed it didn't ever get used either, but it turns out that just making it return 1 every time actually fixes everything. Your reverse engineer made it so that it will return 1 if the game2dat isn't mapped, but you can just make it return 1 every time it gets called and the whole launcher stuff is unnecessary, even if you start it *with* a launcher.

The potential crashfix isn't present, that was probably just weird quoting by you.

This post has been edited by withmorten: Mar 11 2018, 16:49 PM

# 11 brabox Mar 12 2018, 11:39 AM
> withmorten @ Mar 11 2018, 16:38 PM wrote:
> I can 100% say that I am not good enough to fix an issue as complicated as that ... I'd gladly help, as the issue is really annoying to me as well, I can't believe how bad this game runs even in a physical LAN.

Yeah it's terrible. Even on a wired LAN you get like 1 second of command delay...

The problem is the offhost player simply sees the game 1 second (5 "logic frames") in the past. It's like if you're playing a game with a 1 second delay from the console to the TV.

In other words, the game sends offhost commands immediately, no significant delay there.

Using our TV analogy: if you press <jump> on your keypad, the console registers it immediately (=no command delay), but you'll only see it happen 1 second later because of the delay in the TV connection.


> withmorten @ Mar 11 2018, 16:38 PM wrote:
> It would be nice if somebody did the same thing for the game as the userpatch guys did for Age of Empires 2 (where the game now runs almost without delay in LAN mode, practically the same as singleplayer), but I think it's just way, way more complicated.

Would be nice, but I dunno what the deal would be.


> withmorten @ Mar 11 2018, 16:38 PM wrote:
> @brabox:
>
> So what exactly is all fixed in your unsafedisced game.dat?
>
> Random faction generation, no random version number, but surely not the weird crash fix? And you can launch it directly as game.exe AND it doesn't auto defeat you even though it doesn't get started by the launcher?

The weird crash fix is not there, no.

> withmorten @ Mar 11 2018, 16:38 PM wrote:
> I think I might have actually used the 6.0.0 version by accident, so be sure to start it via the launcher. Edit: Nevermind, it's the fully patched version (startable without launcher and no autodefeat).

Version 6.0.0 and 7.0.0 use the same game.dat.

> withmorten @ Mar 11 2018, 16:38 PM wrote:
> Who did the reverse engineering for your version? It would be nice to get in touch with him somehow. I'll have a look at the binary shipped with v7 and compare it to the v6. Do you also have the original untouched unsafedisced version you used? I think I found a similar file in a super old torrent once but it was long dead.

I'd have to ask him first, he prefers to remain anonymous. I'll PM you if I have a response.


> withmorten @ Mar 11 2018, 16:38 PM wrote:
> Edit: And I compared the two binaries (my one and your one), and it turns out we actually found the function that causes the game to go into auto defeat mode too, I just thought it didn't get used whatsoever because there were no xrefs to it and breakpoints revealed it didn't ever get used either, but it turns out that just making it return 1 every time actually fixes everything. Your reverse engineer made it so that it will return 1 if the game2dat isn't mapped, but you can just make it return 1 every time it gets called and the whole launcher stuff is unnecessary, even if you start it *with* a launcher.

OK nice, I dunno which fix I prefer. Doing it inside lotrbfme2ep1 nicely separates the fix from the game.dat and its version. That means you can play online without getting a mismatch.


> withmorten @ Mar 11 2018, 16:38 PM wrote:
> The potential crashfix isn't present, that was probably just weird quoting by you.

I'm not sure what you mean here.

# 12 FotosKaroullas Mar 12 2018, 15:43 PM
> Mako @ Mar 11 2018, 17:35 PM wrote:
> Ha Fotos you are Dodger!

Yeah, I thought everyone knew that!

# 13 withmorten Mar 15 2018, 23:08 PM
Sorry, forgot to reply here:

Re: last quote/question, nevermind, the quoting in your previous reply just made it seem like the potential crashfix (well, not really potential, I know for a fact that the game doesn't crash in this specific scenario anymore) was also present in your fixed game.dat.

> Quote:
> Yeah it's terrible. Even on a wired LAN you get like 1 second of command delay...
>
> The problem is the offhost player simply sees the game 1 second (5 "logic frames") in the past. It's like if you're playing a game with a 1 second delay from the console to the TV.
>
> In other words, the game sends offhost commands immediately, no significant delay there.
>
> Using our TV analogy: if you press <jump> on your keypad, the console registers it immediately (=no command delay), but you'll only see it happen 1 second later because of the delay in the TV connection.


Yeah that's how it always felt to me too. You have to time your special powers very, very awkwardly ... but oh well, what else to expect from an engine that binds its timescale to the FPS ...

Let me know if you get a reply from your RE.

Some additional info about the WOTR stuff, the game doesn't see the hacked players 3-6 as fully human. I've found out *some* of how the game populates the player list, but I haven't yet found the place where it actually inits the 4 players as non-human. There is a value that gets checked rather often, and by a specific function, it seems to be playerClass->playerType or something, it's the first (i.e. offset 4) dword in the struct, and it needs to be 6 for the player to be considered human, or human or AI, or something like that. But I have no idea where it gets initialised as that, only where it gets checked, and I'm not sure that making the function that checks that value always return 1 is a good idea.

The issue with the not-fully-human players, as tested with 4 players, is that some bonuses are weird for the AI, and the "decide who gets the region" isn't there if players 2 and 3 for example have to decide who gets the region after conquering it from an AI, the region remains in possession of the enemy until one player leaves it ...

Edit: Oh yeah, another thing I forgot to mention: I'm not sure how widespread collector's edition users are here, but that also gets handled by the game2.dat (for both versions, BFME2 and ROTWK). I believe the only difference is the first letter in the GUID, it's M instead of whatever else (so the first 8 bytes of the game2.dat are different, because Blowfish encrypts in 8 byte blocks), but I haven't 100% tested it yet. By always sending the standard GUID4 to the game.dat with the launcher, everybody using that launcher will not get the Upgrade_AllFactionUpgrade necessary for displaying the CE graphics.

This post has been edited by withmorten: Mar 16 2018, 02:13 AM

# 14 brabox Mar 16 2018, 12:58 PM
> withmorten @ Mar 16 2018, 00:08 AM wrote:
> Some additional info about the WOTR stuff, the game doesn't see the hacked players 3-6 as fully human. I've found out *some* of how the game populates the player list, but I haven't yet found the place where it actually inits the 4 players as non-human. There is a value that gets checked rather often, and by a specific function, it seems to be playerClass->playerType or something, it's the first (i.e. offset 4) dword in the struct, and it needs to be 6 for the player to be considered human, or human or AI, or something like that. But I have no idea where it gets initialised as that, only where it gets checked, and I'm not sure that making the function that checks that value always return 1 is a good idea.
>
> The issue with the not-fully-human players, as tested with 4 players, is that some bonuses are weird for the AI, and the "decide who gets the region" isn't there if players 2 and 3 for example have to decide who gets the region after conquering it from an AI, the region remains in possession of the enemy until one player leaves it ...

Right, makes sense. There were bound to be rough edges around how EA set it up, causing them to lock slots 3 through 6.

I don't really understand the bonuses issues though. If slot 2 gets the bonuses correctly, I don't see how slots 3-6 should be different.

About "Decide who gets the region": you could probably fix that by making sure player 1 and player 2 are on opposing teams.
I mean, with an unpatched game.dat, you could play like this:
P1 Human + P3 AI + P4 AI
vs
P2 Human + P5 AI + P6 AI

And then if P5 and P6 attack 1 territory together, I would assume P2 would get to decide who gets it, yes?

So maybe you should lock P1 to team 1 and P2 to team 2. It's a little ugly of course, but hey.


> withmorten @ Mar 16 2018, 00:08 AM wrote:
> Edit: Oh yeah, another thing I forgot to mention: I'm not sure how widespread collector's edition users are here, but that also gets handled by the game2.dat (for both versions, BFME2 and ROTWK). I believe the only difference is the first letter in the GUID, it's M instead of whatever else (so the first 8 bytes of the game2.dat are different, because Blowfish encrypts in 8 byte blocks), but I haven't 100% tested it yet. By always sending the standard GUID4 to the game.dat with the launcher, everybody using that launcher will not get the Upgrade_AllFactionUpgrade necessary for displaying the CE graphics.

CE graphics can be fully controlled within the ini files of the game. 2.02 installations no longer respond to the actual CE token.

# 15 withmorten Mar 18 2018, 01:45 AM
What I meant by bonuses weird for the AI is that it seems the AI doesn't fully profit from some bonuses (such as buildings at half price), they only get like -xx4 cost or something. At least all my building costs ended with 6 for some reason. I was P3 in team 1 with P1 and P2 also human.

> brabox wrote:
> I don't really understand the bonuses issues though. If slot 2 gets the bonuses correctly, I don't see how slots 3-6 should be different.


Yeah I mean I wouldn't have thought that either. I was thrilled everything was working so flawlessly ... and then we noticed that. No idea what's wrong there honestly. I'd have to test it again to be 100% sure.

What just really sucks about this whole thing is that it would have been *trivial* for the actual devs to extend this gamemode past 2 human players max.

I'll have another look at the whole WOTR thing some time in the future, I think the breakthrough would be to find where the game inits players 3-6 as non-human, and tracking how the one *other* variable determining if the player spot can be "Open" gets used and filled initially.

> brabox wrote:
> CE graphics can be fully controlled within the ini files of the game. 2.02 installations no longer respond to the actual CE token.


Yeah I'm aware, but the game2.dat makes the game give players with the CE the upgrade to trigger them in the vanilla BFME2 and ROTWK. Good thing it doesn't matter for new installations. Guess "pirates" (not really since you can't even buy the game anymore) won't actually have the CE or care for the graphics, heh.

The only good CE graphics are the banner carriers and the lightning thingies in the tornado anyway, the rest looks rather crap in my opinion.

# 16 Warner Bros Dec 28 2019, 19:30 PM
Hi, I'm having trouble with this text after installing the update v8. Now it's showing me this....
Attached file: LOTR.docx (size: 1.51mb, number of downloads: 110)


Please ignore the text from the above image, Thank You.
