Generally speaking, games that support Live call the XnInit routine once the game is running. If you have enabled EvoX's DebugTSR=Debug feature, running XnInit may cause the game to crash or make DebugTSR stop working. So by tweaking the code of the XnInit routine a little, you can keep all of DebugTSR's functions while running these Live games (meaning playing offline, not connecting to Xbox Live).
Although IDA can resolve the names of most XDK routines, quite a few XDK routines still cannot be resolved by IDA (such as XnInit). However, we can locate the code of XnInit through two other routine names, because both of those routines always call XnInit.
Those two routines are:
WSAStartup
XNetStartup
Use IDA's Functions search to search directly for WSAStartup or XNetStartup and list the code (taking WSAStartup as an example):
XNET:0045C025 ; __stdcall WSAStartup(x,x)
XNET:0045C025 _WSAStartup@8 proc near ; CODE XREF: XOnlineStartup(x)+37_p
XNET:0045C025
XNET:0045C025 arg_0 = dword ptr 4
XNET:0045C025 arg_4 = dword ptr 8
XNET:0045C025
XNET:0045C025 FF 74 24 08 push [esp+arg_4]
XNET:0045C029 FF 74 24 08 push [esp+4+arg_0]
XNET:0045C02D 6A 01 push 1
XNET:0045C02F 6A 00 push 0
XNET:0045C031 6A 00 push 0
XNET:0045C033 68 A8 BB 54 00 push offset dword_54BBA8
XNET:0045C038 E8 E2 FD FF FF call sub_45BE1F ; Call Procedure <- This calls XnInit
XNET:0045C03D C2 08 00 retn 8
XNET:0045C03D _WSAStartup@8 endp
Please note the part in red: the sub_45BE1F in the line Call sub_45BE1F is the starting address of the XnInit routine. Jump directly to sub_45BE1F and you will see the following code:
XNET:0045BE1F 55 push ebp ; <- this will be patched
XNET:0045BE20 8B EC mov ebp, esp ; <- this will be patched
XNET:0045BE22 81 EC 18 02 00 00 sub esp, 218h
XNET:0045BE28 56 push esi
We only need to change the code at address 0045BE1F from 55 8B EC to C2 18 00. (The code is retn 18h.)
The modification above can be done either by editing default.xbe directly or by making it into a trainer (cheat). After this operation you can use DebugTSR to do memory searches on Live-enabled games.
TRICK: debugging network enabled games
Rewrote this post to make things more clear.
When to use this trick:
----------------------
If games HANG/FREEZE when Debug TSR is on, using this trick WILL NOT SOLVE that problem.
You should apply this trick if a game works like it should, but you can't telnet to it.
How does it work:
----------------
This trick patches the network code of the game so that it won't screw up the network stack/code of Debug TSR.
The specific network code to patch is called XnInit.
What do you need:
----------------
IDA
Xbox Flirt (.sig file)
An Evox trainer maker
If you don't already have the xbox flirt it can be found here: http://www.yates2k.net/ida.html
Put the .sig file in IDA's /sig/ dir.
After or during the disassembling process, go to File, Load, Flirt Signature file -> XBOX Flirt
Finding the correct networkcode:
-------------------------------
Because of the XBOX flirt, IDA will recognise most functions.
A little problem is that XnInit doesn't always get recognised.
But it is easy to find anyway.
There are 2 functions that ALWAYS call XnInit.
These are:
WSAStartup
XNetStartup
In IDA, search in the Names window for WSAStartup; when it finds it, double click and you'll see something like the following code:
(if WSAStartup doesn't exist, search for XNetStartup instead)
XNET:0045C025 ; __stdcall WSAStartup(x,x)
XNET:0045C025 _WSAStartup@8 proc near ; CODE XREF: XOnlineStartup(x)+37_p
XNET:0045C025
XNET:0045C025 arg_0 = dword ptr 4
XNET:0045C025 arg_4 = dword ptr 8
XNET:0045C025
XNET:0045C025 FF 74 24 08 push [esp+arg_4]
XNET:0045C029 FF 74 24 08 push [esp+4+arg_0]
XNET:0045C02D 6A 01 push 1
XNET:0045C02F 6A 00 push 0
XNET:0045C031 6A 00 push 0
XNET:0045C033 68 A8 BB 54 00 push offset dword_54BBA8
XNET:0045C038 E8 E2 FD FF FF call sub_45BE1F ; Call Procedure <- This calls XnInit
XNET:0045C03D C2 08 00 retn 8
XNET:0045C03D _WSAStartup@8 endp
So jump to sub_45BE1F and you'll be at XnInit.
It will look something like this:
XNET:0045BE1F 55 push ebp ; <- this will be patched
XNET:0045BE20 8B EC mov ebp, esp ; <- this will be patched
XNET:0045BE22 81 EC 18 02 00 00 sub esp, 218h
XNET:0045BE28 56 push esi
etc etc
Patching the code:
-----------------
You are going to replace these hex values:
XNET:0045BE1F 55
XNET:0045BE20 8B
XNET:0045BE21 EC
You want to replace that code with "retn 18h", which is C2 18 00 in hex.
That tells the function to do return (and do nothing).
Turns out you can just make an Evox trainer out of this. I use a program like easy trainer maker.
Make an item called "Enable Debug TSR" or something like that, and tell it what it should patch.
In this case:
XNET:0045BE1F C2
XNET:0045BE20 18
XNET:0045BE21 00
Generate the trainer, enable it, startup the game and Debug TSR will be working.
Notes:
-----
This trick would not be needed if Evox Debug TSR had a private network stack of its own like XDK has.
No idea how XDK does it, but m
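As an added example (not code from either post above), here is a Python script that carries out the locating and patching steps both posts describe on the bytes from the WSAStartup listing: it counts the pushed arguments, decodes the E8 rel32 call to recover XnInit's address (0045BE1F), checks the push ebp / mov ebp,esp prologue, and builds the retn patch, which also shows why the operand is 18h (six dword arguments, 24 bytes). The listing bytes are copied from the page; mapping a virtual address to a raw offset inside default.xbe is not handled, so you still locate the bytes in the file yourself.

```python
import struct

# Bytes copied from the WSAStartup listing above (XNET:0045C025 onwards).
WSASTARTUP_VA = 0x45C025
WSASTARTUP_BYTES = bytes.fromhex(
    "FF742408"    # push [esp+arg_4]
    "FF742408"    # push [esp+4+arg_0]
    "6A01"        # push 1
    "6A00"        # push 0
    "6A00"        # push 0
    "68A8BB5400"  # push offset dword_54BBA8
    "E8E2FDFFFF"  # call sub_45BE1F  (this is XnInit)
    "C20800"      # retn 8
)
XNINIT_PROLOGUE = bytes.fromhex("558BEC")  # push ebp / mov ebp, esp


def find_xninit(code: bytes, base_va: int) -> tuple:
    """Walk the WSAStartup body, counting pushes until the E8 call.
    Returns (call target virtual address, number of dword args pushed)."""
    i = 0
    pushes = 0
    while i < len(code):
        op = code[i]
        if op == 0xFF and code[i + 1] == 0x74:   # push [esp+disp8]
            i += 4
            pushes += 1
        elif op == 0x6A:                         # push imm8
            i += 2
            pushes += 1
        elif op == 0x68:                         # push imm32
            i += 5
            pushes += 1
        elif op == 0xE8:                         # call rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]
            return base_va + i + 5 + rel, pushes  # target = next insn + rel
        else:
            raise ValueError(f"unexpected opcode {op:02X} at {base_va + i:08X}")
    raise ValueError("no call found in listing")


def make_patch(code_at_target: bytes, n_args: int) -> bytes:
    """Build 'retn n' that pops the stdcall arguments of XnInit.
    Refuses to patch if the prologue is not the one shown in the listing."""
    if code_at_target[:3] != XNINIT_PROLOGUE:
        raise ValueError("prologue is not push ebp / mov ebp,esp; do not patch blindly")
    return bytes([0xC2]) + struct.pack("<H", n_args * 4)  # C2 18 00 for 6 args
```

Running find_xninit on the listing bytes yields 0x45BE1F and 6 pushes, and make_patch on the bytes at that address yields C2 18 00, matching the values in the posts.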