This is a read only copy without any forum functionality of the old Modcraft forum.
If there is anything that you would like to have removed, message me on Discord via Kaev#5208.
Big thanks to Alastor for making this copy!


Author Topic: [Project] Removing the Failsafe in 3.3.5  (Read 5129 times)

Gurluas

  • Contributors
  • Creator of Worlds
  • *****
  • Posts: 344
    • View Profile
[Project] Removing the Failsafe in 3.3.5
« on: April 25, 2013, 01:01:47 pm »
I have been researching a very annoying phenomenon regarding 3.3.5 which causes it to filter any unnatural skin, face, hair color etc. to value 00.
Say, you make a Blood elf with deathknight eyes, in this case face 10, anyone else will see a Blood elf with face 00.
This was not the case in earlier versions such as 1.12.1.

In my server, I wish to give access to skins such as Mag'har, or High elves to all players.
Since the client has been edited before, for instance, to enable new races, would it be possible to edit it to remove the failsafe?

I would gladly cooperate with anyone to make this possible.

PS. This has NOTHING to do with model editing. This isn't about replacing a current skin with an NPC skin, it's about letting players use the NPC skin directly, which is possible but the client filters it away.

I hope anyone with experience can help.

Oh and here is a screenshot to demonstrate how it works in 1.12.1:
http://oi35.tinypic.com/2vta4wl.jpg


This was originally posted on Ownedcore, but I am sure some of you can find a way to help.
http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/411516-help-removing-failsafe-3-3-5-a.html#post2732302
« Last Edit: October 01, 2019, 12:10:41 pm by Gurluas »

Ascathos

  • Moderators
  • Creator of Worlds
  • *****
  • Posts: 1129
    • View Profile
Re: [Project] Removing the Failsafe in 3.3.5
« Reply #1 on: April 25, 2013, 06:26:43 pm »
Right off the bat, is that a client limitation?

Gurluas

Re: [Project] Removing the Failsafe in 3.3.5
« Reply #2 on: April 25, 2013, 06:39:26 pm »
Quote from: "Ascathos"
Right off the bat, is that a client limitation?

The Trinity core devs say it is, and 3.3.5 has it, 1.12.1 doesn't, so yeah I am pretty sure it is a client filter.

Somewhere along the line it filters away anything non-normal, such as Deathknight skins on other classes or npc skins.

Ascathos

Re: [Project] Removing the Failsafe in 3.3.5
« Reply #3 on: April 25, 2013, 07:35:55 pm »
This is a personal opinion, but, I think removing that is not possible. I assume that it is sort of a client-side information, transmitted from server to client with the core information, e.g. skin data, where it validates, before moving it serverside-wise to the clients for another check. I do not believe this to be client-wise. I could imagine, though, that the charsections flags 0x2 which is not further used is somehow related to this. We'd need to see what previous data these "core" files contain (CharSections, etc.)

Gurluas

Re: [Project] Removing the Failsafe in 3.3.5
« Reply #4 on: April 25, 2013, 08:57:17 pm »
Hm it is possible, but from a quick glance they seem identical. (Sans all the non-implemented stuff ofc)


I tried removing the NPC flag from those skins, yet the block serverside remained, even when the changed DBC was used. This led me to believe it was either a server core thing or a client-side thing.

Whether we disable it, or add all skins to the "allowed" list, both work fine for me.

stoneharry

  • Contributors
  • Creator of Worlds
  • *****
  • Posts: 617
    • View Profile
Re: [Project] Removing the Failsafe in 3.3.5
« Reply #5 on: April 25, 2013, 10:44:39 pm »
You will need to find the relevant functions in the binary by reverse engineering it.

Noteworthy:
Code:
CharacterCreate_UpdateFacialHairCustomization();
CharacterCreate_UpdateHairCustomization();
CharacterChangeFixup();
And:
Code:
function CharacterCustomization_Left(id)
    PlaySound("gsCharacterCreationLook");
    CycleCharCustomization(id, -1);
end

function CharacterCustomization_Right(id)
    PlaySound("gsCharacterCreationLook");
    CycleCharCustomization(id, 1);
end

function CharacterCreate_Randomize()
    PlaySound("gsCharacterCreationLook");
    RandomizeCharCustomization();
end

I looked at the GlueXML inside patch-enGB.mpq (build ~8000) and these functions are identical, so I do not know how you could, or if you could, even allow these skins etc. to be used in the char creation menu.

Gurluas

Re: [Project] Removing the Failsafe in 3.3.5
« Reply #6 on: April 25, 2013, 10:57:37 pm »
You can't, you use WPE Pro to hack the packet. Say if you have a character with a four-letter name you force it to send 0A instead of 00 (Obviously you select skin 00 in the character creation) in slot 15, then you have a character with skin 10, which is typically an npc skin. (High elf in the case of Blood elves to make a point)

The problem is... the filtering makes everyone else see a different skin, i.e. skin 00.
So say... as a Human Female, no matter what special skin you pick, Deathknight, Cultist, Whitemane etc.
Any other player will see you as a normal human with the palest skin, namely, skin 00.

This was not the case with the Burning Crusade or with Vanilla.

stoneharry

Re: [Project] Removing the Failsafe in 3.3.5
« Reply #7 on: April 25, 2013, 11:01:51 pm »
Which packet are you manipulating in specific? As far as I am aware, the server loads your character information, then sends these byte values to you and any other players who need the data.

This means that if you are intercepting this packet and changing the byte values, of course it will be client side only.

But this also implies that you could simply just send the relevant skin index byte from the server rather than the one sent from the client when creating the char.

I am confused. :P

Gurluas

Re: [Project] Removing the Failsafe in 3.3.5
« Reply #8 on: April 25, 2013, 11:05:57 pm »
What I am doing is intercepting the packet during character creation that tells the server what skin the character will have, and giving it a value you cannot select ingame, such as 0A which is skin 10.
The result is that the character, serverside HAS skin 0A, and if your server has a model viewer plugin in the website showing your character you can see said skin there too.


The problem is, that the filtering I call the failsafe, filters that skin for anyone else who sees it to skin 00.
This is NOT the case with Vanilla or Burning Crusade. If I get the Earthen skin there, others can see it, this filter isn't there.

stoneharry

Re: [Project] Removing the Failsafe in 3.3.5
« Reply #9 on: April 25, 2013, 11:09:40 pm »
That makes a lot more sense. In future, just edit the byte fields in the database rather than going to the hassle of having to manipulate the packets in real time. :P

Then I guess it is just a client side range check which defaults to 0 if that range is exceeded. Finding this in the assembly will not be trivial.

Gurluas

Re: [Project] Removing the Failsafe in 3.3.5
« Reply #10 on: April 25, 2013, 11:17:06 pm »
Indeed, it won't, this is why I asked for help from the best.
I really hope you can figure it out.

Gurluas

Re: [Project] Removing the Failsafe in 3.3.5
« Reply #11 on: April 30, 2013, 01:45:38 am »
Any luck anyone?

This can have fantastic results if dealt with.

EDIT: I got this tip:
"Look where the texture is stored, attach a read-hook, look for the function assigning the values and go backwards until you find the validation."

It's completely foreign to me but maybe one of you has an idea.
Imagine all the possibilities once it is gone, especially for roleplay servers.

Gurluas

Re: [Project] Removing the Failsafe in 3.3.5
« Reply #12 on: November 07, 2013, 07:15:52 pm »
Here is more data regarding this problem:

1. The failsafe is NOT present in 2.4.3
2. It appears that the failsafe does not isolate numbers 0-9, instead, it isolates anything in the DBC flagged NPC, or Deathknight for non-Deathknights.

More specifically, flag 0x4 for Deathknights, and 0x8 for NPCs.
The filtering is different. Characters with the Deathknight class do not get filtered, while other characters do.
For instance, a Hunter with a Deathknight skin will have Skin 00.

With NPC skins, such as the High elf skin, everything gets filtered.
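
The flag rule described in Reply #12, written as a server-side check on the skin byte received at character creation, so a value such as 0A is classified before it is stored. This is an added example, not code from the thread or from any emulator core: the row layout, function names and sample rows are assumptions, and only the flag values 0x4 and 0x8 come from the posts.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Flag values as reported in Reply #12; everything else here is assumed.
constexpr uint32_t FLAG_DEATH_KNIGHT = 0x4;
constexpr uint32_t FLAG_NPC = 0x8;

// Hypothetical, simplified stand-in for one skin row of CharSections.
struct SkinRow {
    uint8_t race;
    uint8_t gender;
    uint8_t skin;    // variation index, the byte the client sends
    uint32_t flags;
};

enum class Verdict { Allowed, UnknownIndex, NpcOnly, DeathKnightOnly };

// Classify a client-supplied skin byte against the table.
Verdict checkSkin(const std::vector<SkinRow>& table, uint8_t race,
                  uint8_t gender, uint8_t skin, bool isDeathKnight) {
    for (const SkinRow& row : table) {
        if (row.race != race || row.gender != gender || row.skin != skin)
            continue;
        if (row.flags & FLAG_NPC)
            return Verdict::NpcOnly;          // rejected for every class
        if ((row.flags & FLAG_DEATH_KNIGHT) && !isDeathKnight)
            return Verdict::DeathKnightOnly;  // rejected for other classes
        return Verdict::Allowed;
    }
    return Verdict::UnknownIndex;             // no row for this index
}

// Value to store: the requested skin if allowed, otherwise skin 0.
uint8_t effectiveSkin(const std::vector<SkinRow>& table, uint8_t race,
                      uint8_t gender, uint8_t skin, bool isDeathKnight) {
    return checkSkin(table, race, gender, skin, isDeathKnight) ==
                   Verdict::Allowed ? skin : 0;
}

// Constructed sample rows (race 10, gender 0); not real DBC contents.
std::vector<SkinRow> sampleTable() {
    return {{10, 0, 0, 0}, {10, 0, 1, 0},
            {10, 0, 9, FLAG_DEATH_KNIGHT}, {10, 0, 10, FLAG_NPC}};
}

int main() {
    const auto table = sampleTable();
    for (unsigned skin : {0x00u, 0x09u, 0x0Au, 0x40u})
        std::printf("skin %02X -> stored %02X\n", skin,
                    (unsigned)effectiveSkin(table, 10, 0, (uint8_t)skin, false));
    return 0;
}
```

Returning a verdict rather than silently substituting 0 lets the server log or reject a create request whose skin byte could not have come from the unmodified character creation screen.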