# Feather.exe
###### tags: `Feather Cracking`
Path: I:/Others/Feather_Newest/feather.exe
Edition: Latest (@ 2017)
Version: 1.3.0.10.14
`6A4EF4` -> set to 0 to support CHT IME
# sf.ini Setting
| Name | Addr | Value | Type (Opt.) | Found At (Opt.) |
|:---|:---|:---|:---|:---|
| Logging (Packet to File) | 008C8C4C<br>006A7D1C<br>008C8F78<br> | 1<br>1<br>0 | bool
| IsRecordWrite | 008C8C4C | | bool | * @ \_WinMain@16<br>setting: LOGIN->IsRecordWrite
| Enable Recording | 006A7D1C | [Record=1] | bool | 4BB3E1 @ sub_4BB3D0<br>4B740A @ \_WinMain@16<br>setting: LOGIN->Record
| Do Show FPS<br> FPS counter | 008C8C48<br>008C8FD8 | T/F<br>* | bool<br>Byte | 4B5DE3 @ sub_4B5030
| Write To Log.txt | 006A7D38 | | bool | 4B506E @ sub_4B5030
| Cht WordSet | 008C94FC | | bool | 4B766F @ \_WinMain@16<br>setting: LOGIN->NewQiangZhe
| Read DB using CHS / CHT | \<?> | | bool | setting: LOGIN->Read_Datebase_Language_Type
| |
# Static Variables
| Name | Addr | Value | Type (Opt.) | Found At (Opt.) |
|:---|:---|:---|:---|:---|
| Do Show FPS<br> FPS counter | 008C8C48<br>008C8FD8 | T/F<br>* | bool<br>Byte | 4B5DE3 @ sub_4B5030
| Write To Log.txt | 006A7D38 | | bool | 4B506E @ sub_4B5030
| Break Flag (Recv) | 006B04E0 | | bool | 5EF5BA @ sub_5EF560
| isConnectionAvailable | 0091078C | | bool | 5EEB3E @ sub_5EEB10
| szTotalRecvSinceGameStart | 00910794 | | int | 5EFB59 @ sub_5EF560 (Listener)
| Input Text (Chat) Static | \<?> | | char[256] | @ sub_43D0A0 (Chat Input Handler)
| isPrintWalkMessage | 008C8EF8 | | bool | 46DC1B @ sub_46D7B0
| unk | 008C4214 | | TextPtr | @ 4018E7
| unk | 008C4218 | | TextPtr | @ 401907
| unk | 008C41F8 | | TextPtr | @ ?
| unk | 008C4208 | | TextPtr | @ 40134A
| unk | 008C516C | | Int | Format String ID @ 40166F
# Special Things
## Fake-Teleport Command Setting
```shell=
# core func for GM: sub_43DBD0
008C8C48 = 1 # fpsToggle (maybe is "im a gm yo"?)
```
# Function
## WinSocket / Login / Connection Related Function
| Name | Func | Desc |
|:---- |:---- | :--- |
| Raise Sock Error | int __cdecl sub_5F04E0(int mainObj, signed int errorCode) | Crash after call
| Release Socket | void __thiscall sub_5EEB10(int *mainObj) | mainObj[0xFE9E] = real socket ptr
| ? | genRSAkey_sub_641FE0
| Create Threads | int __thiscall sub_5EFE20(int *mainObj_1, const char *a2) | Create Sender & Listener Threads
| Chat Input Handler | char __cdecl sub_43D0A0(char *Source) | Called when Enter is pressed
## Mixed Function
| Name | Func | Desc |
|:---- |:---- | :--- |
| GM Command Handler | char __stdcall sub_43DBD0(char *inp) |
# Pointers
## Main GUI Obj \- 008C8F1C
| Name | Ptr | Desc |
|:---- |:--- | :--- |
| |
| Base | 008C8F1C | |
| ... | |
## Unk \- 008C8F20
| Name | Ptr | Desc |
|:---- |:--- | :--- |
| Base | 008C8F20 |
| +  | => |
## MainObj Static \- 008C8F28
| Name | Ptr | Desc |
|:---- |:--- | :--- |
| Base | 008C8F28 |
| + SocketPtr | =>3FA78 |
| + RSA struct ptr | =>3FA80 |
|  + Callee Addr | =>3FA80\:8:10 | The func that will be called. (in hex addr, RSA method)
| + ? | =>3FA88 |
| + ? | =>3FC88 |
| + Crypto Key Ptr | =>3FE88 | encryptAndSend_sub_5F0070@5F015D
| |
| + ? | =>400A0 | Bool, Unk Bool
| + ? | =>400A2 | 1 Byte,
| + Next Step | =>400A4 | 1 Byte, next step on switch case @ ListenerSub
| |
| + ? | =>400AC | Must be equal to =>400B4 before send
| + ? | =>400B4 | Must be equal to =>400AC before send
| |
| + Star Ptr | =>B4E698 |
|  + Btn | =>? |
|   + Btn Func | =>FC | ```*(guiObj_2[0x16] + 0xFC)```
| + BackPack Ptr | =>B4E850 |
## Unk \- 008C8F2C
| Name | Ptr | Desc |
|:---- |:--- | :--- |
| Base | 008C8F2C |
| +  | => |
## Player Static \- 008C8F30
| Name | Ptr | Desc |
|:---- |:--- | :--- |
| Base | 008C8F30 |
| + Timer | =>B4E4C8
| + Inp Static | =>B4E654 |
|  + Inp Text | =>24 | Input (RealTime)
| + Chat Static | =>B4E658 | @ 43DD32
| + ?? | =>B4E680 |
| + VIP Status | =>B4E754 | _**TBC**_
| + Text Color Static | =>B51EE0 | VIP Chat Text Color, DataType: Char[1]
| + Walk Rnd | =>B51FC4 | 4BE1A4@sub_4BE120 (Time Diff Maybe?)
## Unk \- 008C8F34
| Name | Ptr | Desc |
|:---- |:--- | :--- |
| Base | 008C8F34 |
| +  | => |
## GUI Static \- 008C8F38
| Name | Ptr | Desc |
|:---- |:--- | :--- |
| Base | 008C8F38 |
| +  | =>E | @ 4A8B24
## RSA Method Pointer
| Name | Ptr | Desc |
|:---- |:--- | :--- |
| Base | 00910BA4 | @ 64081D
| | |
# Command Lists (GM cmd included)
| Pre-Write | Cmd | Desc | Func Addr |
|:---|:---|:---|:---|
| 008C8F60 = 1 | open \<mapName> | Teleport yourself to this map (?)<br>!! Skill Bar will be unavailable until pre-write is 0 !! | @43DF44
| | debug_framecount |
| | setframecount= \<num>
| | trans \<...> | 5 six use =w=
| | go \<x>,\<y> |
| | savefile | write your chat to the file "test.txt" |
# Reverse Engineering
//src: https://blog.csdn.net/weixin_30856965/article/details/98707605
IDA: "eh vector constructor/destructor iterator" -> array of a self-defined class with constructor & destructor
Caused by:
```cpp
T* tt = new T[100];
delete[] tt;
```
When an array is created in C++, the first 4 bytes store the array size, followed by the actual array data.
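
The array-size prefix described above can be observed directly. This is an added example, not code from the binary or the linked post; `Tracked`, `WithDtor`, `Plain` and `probe` are constructed names. The prefix is `sizeof(size_t)` wide on the compiler that builds it, which corresponds to the 4 bytes noted above on a 32-bit target, and it only appears when the element type has a non-trivial destructor.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Constructed demo types (not from the binary). Both route array allocation
// through Tracked so the raw block returned by the allocator can be observed.
static void*  g_raw = nullptr;   // pointer handed out by operator new[]
static size_t g_req = 0;         // byte count the compiler asked for

struct Tracked {
    static void* operator new[](size_t n) { g_req = n; return g_raw = std::malloc(n); }
    static void  operator delete[](void* p) { std::free(p); }
};
struct WithDtor : Tracked { int v = 0; ~WithDtor() { v = -1; } };  // non-trivial dtor
struct Plain    : Tracked { int v; };                              // trivial dtor

struct CookieInfo { size_t offset; size_t stored_count; size_t requested; };

// Allocate n elements and report how far the array pointer sits past the raw
// block, plus the element count the compiler stored just before element 0.
template <class T>
CookieInfo probe(size_t n) {
    T* arr = new T[n];
    CookieInfo info{};
    info.offset = static_cast<size_t>(reinterpret_cast<char*>(arr) - static_cast<char*>(g_raw));
    info.requested = g_req;
    if (info.offset >= sizeof(size_t))   // prefix present: count precedes element 0
        std::memcpy(&info.stored_count, reinterpret_cast<char*>(arr) - sizeof(size_t), sizeof(size_t));
    delete[] arr;   // delete[] reads the stored count to know how many dtors to run
    return info;
}

int main() {
    CookieInfo a = probe<WithDtor>(100), b = probe<Plain>(100);
    std::printf("WithDtor: offset=%zu count=%zu requested=%zu\n", a.offset, a.stored_count, a.requested);
    std::printf("Plain:    offset=%zu count=%zu requested=%zu\n", b.offset, b.stored_count, b.requested);
}
```

In a decompiler this shows up as an allocation of `n * sizeof(T)` plus a few bytes, a store of `n` at the start of the block, and the array pointer being taken just past that store.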

| n | o | |
|:---|:---|:---|
| sub_4F1680 | sub_5E7C00 | farm pet |