  #34  
Old 12-24-2008, 10:03 PM
trevius
Developer
 
Join Date: Aug 2006
Location: USA
Posts: 5,946

I figured out where it is currently breaking when it is trying to log in. It seems that the opcode OP_SendExpZonein=0x3703 is where the problem is. This is the last opcode that the client receives before it stops responding. I also verified that by removing this opcode from Titanium it will fail at the exact same point according to the EQ Debug Logs.

Code:
DoMainLoop: just before first while(!EverQuest.ReceievedWorldObjects).

Actually, in Titanium, the log entry is slightly different, but it is the same thing just renamed:

Code:
DoMainLoop: just before first while(!ReadyEnterWorld).

My guess is that this opcode now needs to be encoded like many of the other important ones. And since it isn't being encoded, it isn't recognizing it, so it is failing. I am 99% sure that I have the correct opcode set for it.

Looking at the place where it is failing, here is the Assembly code for it:

Code:
.text:004DCC8F                 push    offset aDomainloopJu_1 ; "DoMainLoop: just before first while(!Ev"...
.text:004DCC94                 mov     dword_907F60, esi
.text:004DCC9A                 call    sub_645680      ; Call Procedure
.text:004DCC9F                 mov     al, byte_9262EC
.text:004DCCA4                 add     esp, 18h        ; Add
.text:004DCCA7                 cmp     al, bl          ; Compare Two Operands
.text:004DCCA9                 jnz     short loc_4DCCF8 ; Jump if Not Zero (ZF=0)
.text:004DCCAB                 jmp     short loc_4DCCB0 ; Jump
.text:004DCCAB ; ---------------------------------------------------------------------------
.text:004DCCAD                 align 10h
.text:004DCCB0
.text:004DCCB0 loc_4DCCB0:                             ; CODE XREF: sub_4DC610+69Bj
.text:004DCCB0                                         ; sub_4DC610+6E6j
.text:004DCCB0                 mov     eax, dword_761C6C
.text:004DCCB5                 cmp     eax, ebx        ; Compare Two Operands
.text:004DCCB7                 jz      short loc_4DCCCA ; Jump if Zero (ZF=1)
.text:004DCCB9                 mov     ecx, [eax+4Ch]
.text:004DCCBC                 cmp     ecx, ebx        ; Compare Two Operands
.text:004DCCBE                 jz      short loc_4DCCCA ; Jump if Zero (ZF=1)
.text:004DCCC0                 push    1F4h
.text:004DCCC5                 call    sub_60DAD0      ; Call Procedure
.text:004DCCCA
.text:004DCCCA loc_4DCCCA:                             ; CODE XREF: sub_4DC610+6A7j
.text:004DCCCA                                         ; sub_4DC610+6AEj
.text:004DCCCA                 mov     ecx, edi
.text:004DCCCC                 call    sub_4D9FF0      ; Call Procedure
.text:004DCCD1                 push    1
.text:004DCCD3                 push    4841h
.text:004DCCD8                 push    offset aCP4Everquest_0 ; "C:\\p4\\EverQuest\\live\\EverQuest\\EverQues"...
.text:004DCCDD                 mov     ecx, edi
.text:004DCCDF                 call    sub_4C1EA0      ; Call Procedure
.text:004DCCE4                 test    al, al          ; Logical Compare
.text:004DCCE6                 jnz     loc_4DE160      ; Jump if Not Zero (ZF=0)
.text:004DCCEC                 push    1
.text:004DCCEE                 call    ebp             ; Indirect Call Near Procedure
.text:004DCCF0                 cmp     byte_9262EC, bl ; Compare Two Operands
.text:004DCCF6                 jz      short loc_4DCCB0 ; Jump if Zero (ZF=1)
.text:004DCCF8
.text:004DCCF8 loc_4DCCF8:                             ; CODE XREF: sub_4DC610+699j
.text:004DCCF8                 push    offset aDomainloopComp ; "DoMainLoop: complete after first while("...
.text:004DCCFD                 call    sub_645680      ; Call Procedure
.text:004DCD02                 add     esp, 4          ; Add
.text:004DCD05                 mov     ecx, edi
.text:004DCD07                 call    sub_4E3B70      ; Call Procedure
.text:004DCD0C                 push    1
.text:004DCD0E                 mov     ecx, edi
.text:004DCD10                 mov     dword_926EAC, ebx
.text:004DCD16                 mov     dword_926EA8, ebx
.text:004DCD1C                 call    sub_4C2850      ; Call Procedure
.text:004DCD21                 mov     dword ptr [edi+38E94h], 1
.text:004DCD2B                 cmp     byte_98452C, bl ; Compare Two Operands
.text:004DCD31                 jz      loc_4DCDE6      ; Jump if Zero (ZF=1)
.text:004DCD37                 mov     ecx, dword_907F0C
.text:004DCD3D                 push    ebx
.text:004DCD3E                 push    3043h
.text:004DCD43                 mov     byte_98452C, bl
.text:004DCD49                 call    sub_6138B0      ; Call Procedure
.text:004DCD4E                 push    1               ; char
.text:004DCD50                 push    111h            ; int
.text:004DCD55                 push    eax             ; char *
.text:004DCD56                 mov     ecx, edi
.text:004DCD58                 call    sub_4C5160      ; Call Procedure
.text:004DCD5D                 mov     eax, dword_907F54
.text:004DCD62                 mov     edx, [eax+8]
.text:004DCD65                 mov     ecx, [edx+4]
.text:004DCD68                 lea     eax, [ecx+eax+8] ; Load Effective Address
.text:004DCD6C                 lea     ecx, [eax+4]    ; Load Effective Address
.text:004DCD6F                 call    sub_61DF20      ; Call Procedure
.text:004DCD74                 cmp     dword ptr [eax+1304h], 0Ah ; Compare Two Operands
.text:004DCD7B                 jg      short loc_4DCD96 ; Jump if Greater (ZF=0 & SF=OF)
.text:004DCD7D                 mov     ecx, dword_907F0C
.text:004DCD83                 push    ebx
.text:004DCD84                 push    213Ah
.text:004DCD89                 call    sub_6138B0      ; Call Procedure
.text:004DCD8E                 push    eax             ; char *
.text:004DCD8F                 mov     ecx, edi
.text:004DCD91                 call    sub_4C5310      ; Call Procedure
.text:004DCD96
.text:004DCD96 loc_4DCD96:                             ; CODE XREF: sub_4DC610+76Bj
.text:004DCD96                 mov     ecx, dword_907F54
.text:004DCD9C                 add     ecx, 0EEF8h     ; Add
.text:004DCDA2                 xor     esi, esi        ; Logical Exclusive OR
.text:004DCDA4                 call    sub_41C4D0      ; Call Procedure
.text:004DCDA9                 test    al, al          ; Logical Compare
.text:004DCDAB                 jbe     short loc_4DCDE6 ; Jump if Below or Equal (CF=1 | ZF=1)
.text:004DCDAD                 db 8Dh,49h,0 ; <BAD>lea     ecx, [ecx+0] ; Load Effective Address
.text:004DCDB0
.text:004DCDB0 loc_4DCDB0:                             ; CODE XREF: sub_4DC610+7D4j
.text:004DCDB0                 mov     ecx, dword_907F54
.text:004DCDB6                 push    esi
.text:004DCDB7                 add     ecx, 0EEF8h     ; Add
.text:004DCDBD                 call    sub_41DA40      ; Call Procedure
.text:004DCDC2                 cmp     [eax], bl       ; Compare Two Operands
.text:004DCDC4                 jz      short loc_4DCDCD ; Jump if Zero (ZF=1)
.text:004DCDC6                 mov     byte_925E8C, 1
.text:004DCDCD
.text:004DCDCD loc_4DCDCD:                             ; CODE XREF: sub_4DC610+7B4j
.text:004DCDCD                 mov     ecx, dword_907F54
.text:004DCDD3                 add     ecx, 0EEF8h     ; Add
.text:004DCDD9                 inc     esi             ; Increment by 1
.text:004DCDDA                 call    sub_41C4D0      ; Call Procedure
.text:004DCDDF                 movzx   edx, al         ; Move with Zero-Extend
.text:004DCDE2                 cmp     esi, edx        ; Compare Two Operands
.text:004DCDE4                 jl      short loc_4DCDB0 ; Jump if Less (SF!=OF)
.text:004DCDE6
.text:004DCDE6 loc_4DCDE6:                             ; CODE XREF: sub_4DC610+721j
.text:004DCDE6                                         ; sub_4DC610+79Bj
.text:004DCDE6                 push    ebx             ; int
.text:004DCDE7                 push    ebx             ; int
.text:004DCDE8                 push    ebx             ; int
.text:004DCDE9                 push    ebx             ; int
.text:004DCDEA                 push    ebx             ; int
.text:004DCDEB                 push    ebx             ; int
.text:004DCDEC                 push    ebx             ; int
.text:004DCDED                 push    ebx             ; int
.text:004DCDEE                 push    offset byte_925F9C ; int
.text:004DCDF3                 lea     eax, [esp+104h] ; Load Effective Address
.text:004DCDFA                 push    3045h           ; int
.text:004DCDFF                 push    eax             ; char *
.text:004DCE00                 call    sub_4A3080      ; Call Procedure
.text:004DCE05                 add     esp, 2Ch        ; Add
.text:004DCE08                 push    1               ; char
.text:004DCE0A                 push    111h            ; int
.text:004DCE0F                 lea     ecx, [esp+0E8h] ; Load Effective Address
.text:004DCE16                 push    ecx             ; char *
.text:004DCE17                 mov     ecx, edi
.text:004DCE19                 call    sub_4C5160      ; Call Procedure
.text:004DCE1E                 call    sub_4EA590      ; Call Procedure
.text:004DCE23                 mov     ecx, eax
.text:004DCE25                 call    sub_4EA5C0      ; Call Procedure
.text:004DCE2A                 cmp     dword_926328, 4 ; Compare Two Operands
.text:004DCE31                 jnz     short loc_4DCE92 ; Jump if Not Zero (ZF=0)
.text:004DCE33                 mov     eax, dword_907F54
.text:004DCE38                 mov     edx, [eax+8]
.text:004DCE3B                 mov     ecx, [edx+4]
.text:004DCE3E                 lea     eax, [ecx+eax+8] ; Load Effective Address
.text:004DCE42                 lea     ecx, [eax+4]    ; Load Effective Address
.text:004DCE45                 call    sub_61DF20      ; Call Procedure
.text:004DCE4A                 cmp     dword ptr [eax+1304h], 6 ; Compare Two Operands
.text:004DCE51                 jge     short loc_4DCE92 ; Jump if Greater or Equal (SF=OF)
.text:004DCE53                 mov     eax, dword_907F54
.text:004DCE58                 mov     edx, [eax+8]
.text:004DCE5B                 mov     ecx, [edx+4]
.text:004DCE5E                 mov     eax, [ecx+eax+108h]
.text:004DCE65                 mov     ecx, dword_907F34
.text:004DCE6B                 push    eax
.text:004DCE6C                 call    sub_62A060      ; Call Procedure
.text:004DCE71                 test    al, al          ; Logical Compare
.text:004DCE73                 jnz     short loc_4DCE92 ; Jump if Not Zero (ZF=0)
.text:004DCE75                 mov     ecx, dword_907F0C
.text:004DCE7B                 push    1               ; char
.text:004DCE7D                 push    0Dh             ; int
.text:004DCE7F                 push    ebx
.text:004DCE80                 push    3046h
.text:004DCE85                 call    sub_6138B0      ; Call Procedure
.text:004DCE8A                 push    eax             ; char *
.text:004DCE8B                 mov     ecx, edi
.text:004DCE8D                 call    sub_4C5160      ; Call Procedure
.text:004DCE92
.text:004DCE92 loc_4DCE92:                             ; CODE XREF: sub_4DC610+821j
.text:004DCE92                                         ; sub_4DC610+841j ...
.text:004DCE92                 mov     al, byte ptr word_92636C
.text:004DCE97                 cmp     al, 7Eh         ; Compare Two Operands
.text:004DCE99                 jz      short loc_4DCED4 ; Jump if Zero (ZF=1)
.text:004DCE9B                 cmp     al, bl          ; Compare Two Operands
.text:004DCE9D                 jz      short loc_4DCED4 ; Jump if Zero (ZF=1)
.text:004DCE9F                 push    ebx             ; int
.text:004DCEA0                 push    ebx             ; int
.text:004DCEA1                 push    ebx             ; int
.text:004DCEA2                 push    ebx             ; int
.text:004DCEA3                 push    ebx             ; int
.text:004DCEA4                 push    ebx             ; int
.text:004DCEA5                 push    ebx             ; int
.text:004DCEA6                 push    ebx             ; int
.text:004DCEA7                 push    offset word_92636C ; int
.text:004DCEAC                 lea     edx, [esp+104h] ; Load Effective Address
.text:004DCEB3                 push    3047h           ; int
.text:004DCEB8                 push    edx             ; char *
.text:004DCEB9                 call    sub_4A3080      ; Call Procedure
.text:004DCEBE                 add     esp, 2Ch        ; Add
.text:004DCEC1                 push    1               ; char
.text:004DCEC3                 push    0Fh             ; int
.text:004DCEC5                 lea     eax, [esp+0E8h] ; Load Effective Address
.text:004DCECC                 push    eax             ; char *
.text:004DCECD                 mov     ecx, edi
.text:004DCECF                 call    sub_4C5160      ; Call Procedure
.text:004DCED4
.text:004DCED4 loc_4DCED4:                             ; CODE XREF: sub_4DC610+889j
.text:004DCED4                                         ; sub_4DC610+88Dj
.text:004DCED4                 mov     ecx, offset unk_761D50
.text:004DCED9                 mov     byte ptr word_92636C, 7Eh
.text:004DCEE0                 call    sub_453C10      ; Call Procedure
.text:004DCEE5                 mov     ecx, dword_996AB4
.text:004DCEEB                 cmp     ecx, ebx        ; Compare Two Operands
.text:004DCEED                 jz      short loc_4DCEF4 ; Jump if Zero (ZF=1)
.text:004DCEEF                 call    sub_5E8870      ; Call Procedure
.text:004DCEF4
.text:004DCEF4 loc_4DCEF4:                             ; CODE XREF: sub_4DC610+8DDj
.text:004DCEF4                 push    offset aDomainloopJu_2 ; "DoMainLoop: just before second while(!R"...
.text:004DCEF9                 call    sub_645680      ; Call Procedure
.text:004DCEFE                 add     esp, 4          ; Add
.text:004DCF01                 call    sub_4EC1F0      ; Call Procedure
.text:004DCF06                 mov     esi, eax
.text:004DCF08                 cmp     [esi+20h], bl   ; Compare Two Operands
.text:004DCF0B                 jnz     short loc_4DCF14 ; Jump if Not Zero (ZF=0)
.text:004DCF0D                 mov     ecx, esi
.text:004DCF0F                 call    sub_4EBE60      ; Call Procedure
.text:004DCF14
.text:004DCF14 loc_4DCF14:                             ; CODE XREF: sub_4DC610+8FBj
.text:004DCF14                 mov     byte ptr [esi+20h], 1
.text:004DCF18                 mov     ecx, dword_9A1CB4
.text:004DCF1E                 push    1
.text:004DCF20                 dec     ecx             ; Decrement by 1
.text:004DCF21                 push    ebx
.text:004DCF22                 mov     dword_9A1CB4, ecx
.text:004DCF28                 mov     ecx, dword_761C68
.text:004DCF2E                 push    3703h
.text:004DCF33                 call    sub_637360      ; Call Procedure
.text:004DCF38                 push    eax
.text:004DCF39                 push    offset dword_907EF0
.text:004DCF3E                 push    ebx
.text:004DCF3F                 push    ebx             ; char
.text:004DCF40                 call    sub_4BB750      ; Call Procedure
.text:004DCF45                 dec     dword_907F60    ; Decrement by 1
.text:004DCF4B                 call    sub_4A2CF0      ; Call Procedure
.text:004DCF50                 push    offset aZoneConnectSen ; "Zone Connect -- Sending out a MSG_READY"...
.text:004DCF55                 call    sub_645680      ; Call Procedure
.text:004DCF5A                 mov     eax, dword_925C80
.text:004DCF5F                 add     esp, 18h        ; Add
.text:004DCF62                 cmp     eax, ebx        ; Compare Two Operands
.text:004DCF64                 jnz     short loc_4DCFAA ; Jump if Not Zero (ZF=0)

And, from client_packet.cpp, here is the code that handles that opcode:

Code:
void Client::Handle_Connect_OP_SendExpZonein(const EQApplicationPacket *app)
{
	//////////////////////////////////////////////////////
	// Spawn Appearance Packet
	EQApplicationPacket* outapp = new EQApplicationPacket(OP_SpawnAppearance, sizeof(SpawnAppearance_Struct));
	SpawnAppearance_Struct* sa = (SpawnAppearance_Struct*)outapp->pBuffer;
	sa->type = AT_SpawnID;			// Is 0x10 used to set the player id?
	sa->parameter = GetID();	// Four bytes for this parameter...
	outapp->priority = 6;
	QueuePacket(outapp);
	safe_delete(outapp);

	// Inform the world about the client
	outapp = new EQApplicationPacket();

	CreateSpawnPacket(outapp);
	outapp->priority = 6;
	if (!GetHideMe()) entity_list.QueueClients(this, outapp, true);
	safe_delete(outapp);
	if(GetPVP())	//force a PVP update until we fix the spawn struct
		SendAppearancePacket(AT_PVP, GetPVP(), true, false);

	//Send AA Exp packet:
	if(GetLevel() >= 51)
		SendAAStats();

	// Send exp packets
	outapp = new EQApplicationPacket(OP_ExpUpdate, sizeof(ExpUpdate_Struct));
	ExpUpdate_Struct* eu = (ExpUpdate_Struct*)outapp->pBuffer;
	int32 tmpxp1 = GetEXPForLevel(GetLevel()+1);
	int32 tmpxp2 = GetEXPForLevel(GetLevel());

	// Quag: crash bug fix... Divide by zero when tmpxp1 and 2 equalled each other, most likely the error case from GetEXPForLevel() (invalid class, etc)
	if (tmpxp1 != tmpxp2 && tmpxp1 != 0xFFFFFFFF && tmpxp2 != 0xFFFFFFFF) {
		float tmpxp = (float) ( (float) m_pp.exp-tmpxp2 ) / ( (float) tmpxp1-tmpxp2 );
		eu->exp = (uint32)(330.0f * tmpxp);
		outapp->priority = 6;
		QueuePacket(outapp);
	}
	safe_delete(outapp);

	if(GetLevel() >= 51)
		SendAATimers();

	outapp = new EQApplicationPacket(OP_SendExpZonein, 0);
	QueuePacket(outapp);
	safe_delete(outapp);

	outapp = new EQApplicationPacket(OP_RaidUpdate, sizeof(ZoneInSendName_Struct));
	ZoneInSendName_Struct* zonesendname=(ZoneInSendName_Struct*)outapp->pBuffer;
	strcpy(zonesendname->name,m_pp.name);
	strcpy(zonesendname->name2,m_pp.name);
	zonesendname->unknown0=0x0A;
	QueuePacket(outapp);
	safe_delete(outapp);

	/* this is actually the guild MOTD
	outapp = new EQApplicationPacket(OP_ZoneInSendName2, sizeof(ZoneInSendName_Struct2));
	ZoneInSendName_Struct2* zonesendname2=(ZoneInSendName_Struct2*)outapp->pBuffer;
	strcpy(zonesendname2->name,m_pp.name);
	QueuePacket(outapp);
	safe_delete(outapp);*/

	if(IsInAGuild()) {
		SendGuildMembers();
	}

	//No idea why live sends this even if we're not in a guild
	SendGuildMOTD();

	return;
}

So, either the opcode needs to be encoded, or this handling code needs to be changed. I am guessing the opcode needs to be encoded, because the jump is looking for anything that isn't 0, so I would think that it is just making sure it got something for it. And, if it isn't encoded and is supposed to be, maybe it shows up as 0. But, if it doesn't need to be encoded, I don't know why it would be 0.

I will mess with it and see if I can figure out how to get that opcode encoded, but I don't really know how that will work, since the only opcodes I see currently getting encoded already have structures tied to them, but I don't see one for SendExpZonein. Unless maybe it is named differently.

At least I know where it is failing now, so I should be able to come up with something to move it to the next step. It should be getting pretty close now. I was able to find and verify more of the required opcodes for logging in over the past couple of days as well. Making some progress at least.
__________________
Trevazar/Trevius Owner of: Storm Haven
Everquest Emulator FAQ (Frequently Asked Questions) - Read It!
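The hypothesis in the post is that a server-side opcode with no entry in the client's encoding table goes out on the wire as 0, and the client's check (the jnz on a non-zero value) then drops the whole zone-in sequence at OP_SendExpZonein. The following is an added example, not trevius's code and not EQEmu's opcode manager: a minimal C++ model of an opcode-translation table, the wire packet it produces, the client-side acceptance check, and an audit helper that lists every opcode the handler emits which the table cannot translate. The EmuOpcode enum values, the placeholder wire values 0x0001-0x0003, and all function names are assumptions made up for this example; 0x3703 for OP_SendExpZonein is the value from the post.

```cpp
// Added example (not EQEmu code): model of an opcode-translation table and the
// failure mode where an unmapped opcode is sent as 0 and the client ignores it.
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// Internal (emulator-side) opcode identifiers. Constructed for this example;
// they are not the real EQEmu enum values.
enum EmuOpcode : uint16_t {
    OP_Unknown = 0,
    OP_SpawnAppearance,
    OP_ExpUpdate,
    OP_SendExpZonein,
    OP_RaidUpdate,
};

// Maps internal opcodes to the 16-bit values one client build expects.
struct OpcodeTable {
    std::map<EmuOpcode, uint16_t> emu_to_wire;

    void Add(EmuOpcode op, uint16_t wire) { emu_to_wire[op] = wire; }

    // An opcode with no mapping translates to 0 (the "shows up as 0" case).
    uint16_t ToWire(EmuOpcode op) const {
        auto it = emu_to_wire.find(op);
        return it == emu_to_wire.end() ? 0 : it->second;
    }

    // True if this table recognizes the given wire value.
    bool Knows(uint16_t wire) const {
        for (const auto& kv : emu_to_wire)
            if (kv.second == wire) return true;
        return false;
    }
};

// A packet as it appears on the wire: 16-bit opcode, then payload bytes.
struct WirePacket {
    uint16_t opcode;
    std::vector<uint8_t> payload;
};

// Encode a payload (possibly empty, like OP_SendExpZonein) under a table.
WirePacket Encode(const OpcodeTable& t, EmuOpcode op, const std::vector<uint8_t>& payload) {
    return WirePacket{t.ToWire(op), payload};
}

// Models the client's check: the opcode must be non-zero and one the client's
// own table knows; anything else is silently dropped.
bool ClientAccepts(const OpcodeTable& client_table, const WirePacket& p) {
    return p.opcode != 0 && client_table.Knows(p.opcode);
}

// Audit helper: every emitted opcode the table cannot translate.
std::vector<EmuOpcode> FindUnmapped(const OpcodeTable& t, const std::vector<EmuOpcode>& emitted) {
    std::vector<EmuOpcode> missing;
    for (EmuOpcode op : emitted)
        if (t.ToWire(op) == 0) missing.push_back(op);
    return missing;
}

// Opcodes Handle_Connect_OP_SendExpZonein queues, in order, per the post.
const std::vector<EmuOpcode> kZoneinSequence = {
    OP_SpawnAppearance, OP_ExpUpdate, OP_SendExpZonein, OP_RaidUpdate};

// Server-side table that is missing the OP_SendExpZonein entry.
// Wire values other than 0x3703 are placeholders.
OpcodeTable ServerTableMissingZonein() {
    OpcodeTable t;
    t.Add(OP_SpawnAppearance, 0x0001);  // placeholder
    t.Add(OP_ExpUpdate, 0x0002);        // placeholder
    t.Add(OP_RaidUpdate, 0x0003);       // placeholder
    return t;
}

// What the client actually understands: the same entries plus 0x3703.
OpcodeTable FullClientTable() {
    OpcodeTable t = ServerTableMissingZonein();
    t.Add(OP_SendExpZonein, 0x3703);
    return t;
}

// First opcode in the zone-in sequence the client refuses, or OP_Unknown if all pass.
EmuOpcode FirstRejected(const OpcodeTable& server_table, const OpcodeTable& client_table) {
    for (EmuOpcode op : kZoneinSequence) {
        WirePacket p = Encode(server_table, op, {});
        if (!ClientAccepts(client_table, p)) return op;
    }
    return OP_Unknown;
}

int main() {
    OpcodeTable client = FullClientTable();
    std::printf("broken table: first rejected opcode = %u\n",
                (unsigned)FirstRejected(ServerTableMissingZonein(), client));
    std::printf("fixed table:  first rejected opcode = %u\n",
                (unsigned)FirstRejected(client, client));
    std::printf("unmapped entries in broken table: %zu\n",
                FindUnmapped(ServerTableMissingZonein(), kZoneinSequence).size());
    return 0;
}
```

Running FindUnmapped over the list of opcodes a handler emits, against the table for the client build being targeted, is the quick check that turns "the client stops responding somewhere" into a named opcode before reaching for the debugger.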