Circumventing the checksum for Halo



Craig
September 18th, 2009, 07:56 AM
I have been able to edit the Halo Dedicated Servers (both normal + CE) without a problem; now with the client I'm having a bit of trouble.
I can get around the "Halo Is Corrupted" message without any difficulties, though the checksum that checks whether it has been edited or changed in any way is what I'm having problems with.

Does anyone have any pointers, or at least a starting point for where the checksum resides? It would be a great help :neckbeard:

Limited
September 18th, 2009, 07:59 AM
Why exactly are you editing the Halo client? Also, they are a LOT different from the dedicated server exes. I have never edited the actual client exe, so I don't know if it's possible.

Craig
September 18th, 2009, 08:08 AM
Actually they aren't that different; most of the network + server instructions seem to be the same or very similar. I wasn't comparing them, I was giving it as an example.

And yes it is possible.

If you look at my introduction thread, my hobby is reveng, so that's why I wish to edit the client.

Limited
September 18th, 2009, 08:35 AM
It depends what you are editing; could you not do it via memory editing? Or is it because you want it permanent?

Skarma
September 18th, 2009, 04:10 PM
E: Didn't realize you said you already got around the message box. So... please explain in more detail?

The checksum for PE executable files is located in the IMAGE_OPTIONAL_HEADER structure in the PE header, however editing an executable shouldn't throw you any errors and should still make the program run. Well, that is as long as you edit it correctly. So... what exactly is happening? Halo doesn't run right? You probably changed assembly instructions wrong that must be vital. You haven't provided any information other than there is a problem and you think it's something to do with the checksum, which it's most likely not.


I guess I can try to help, assuming you know how to read some assembly. What exactly did you edit to make it say corrupt executable? I've edited the Halo binary before without that error popping up...

I found this, which I'm assuming is what's popping up. (All addresses and disassembly here are from Halo PC 1.08) (NOT dedi and NOT CE!)

00541F5E PUSH EBX ; Style
00541F5F PUSH halo.00671130 ; Title = "Halo"
00541F64 PUSH halo.00671028 ; Text = "Corrupted Halo.exe"
00541F69 PUSH EBX ; hOwner
00541F6A CALL NEAR DWORD PTR DS:[<&USER32.MessageBoxA>] ; MessageBoxA
00541F70 PUSH 1 ; ExitCode = 1
00541F72 CALL NEAR DWORD PTR DS:[<&KERNEL32.ExitProcess>] ; ExitProcess

If you trace back a step, you get to the function which jumps here which is Halo's main entry point function. Below is the part where it's throwing you this message.

00541D12 PUSH halo.0067103C ; ASCII "-testcrash"
00541D17 XOR EDI,EDI
00541D19 CALL halo.00542D30
00541D1E ADD ESP,4
00541D21 TEST AL,AL
00541D23 JE halo.00541F5E

You could just change the JE instruction to a NOP instruction and see what happens. It should stop the message box from popping up and stop Halo from closing. See the CALL? It's the __CDECL calling convention: a) the callee is responsible for balancing the stack pointer (ADD ESP,4); b) the way the parameters are pushed (last param is pushed first). All calls' return values are stored in the 32-bit EAX register (int, dword, long). AL is the 16-bit version of EAX (word, short). TEST AL,AL sets a flag (zero flag?) that is tested by the JE instruction, which is your fate here lol. We know that whatever that call returns is what makes the error pop up or not. If you look around this area in Olly or IDA, whatever you are using, you'll notice this same CALL is made for what looks like every possible command line parameter, maybe checking to see if it was entered at program start. Maybe you enabled "-testcrash"? Again, I'm not sure what this function does exactly, I haven't even looked at it, but this should help you along. Please follow up!! :downs:
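The IMAGE_OPTIONAL_HEADER checksum that Skarma mentions can be verified offline. The following is an added example, not code from anyone in this thread: it recomputes the field with the standard PE checksum algorithm and reports whether the stored value matches, which is the quick integrity check a defender runs to tell whether a binary has been edited since it was linked. The minimal PE header it tests against is constructed inline, and `build_sample_pe` / `verify_pe_checksum` are names chosen here.

```python
import struct


def _checksum_field_offset(data: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 ("PE\\0\\0") + 20 (file header) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64  # same offset for PE32 and PE32+


def compute_pe_checksum(data: bytes) -> int:
    """Ones'-complement style dword sum used by the Windows loader, skipping the CheckSum field itself."""
    skip = _checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)   # pad a trailing partial dword with zeros
    total = 0
    for i, (dword,) in enumerate(struct.iter_unpack("<I", padded)):
        if i == skip:
            continue
        total += dword
        if total >= 1 << 32:                     # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)     # fold 32 bits down to 16
    total += total >> 16
    return (total & 0xFFFF) + len(data)          # original file length, not the padded one


def verify_pe_checksum(data: bytes) -> dict:
    """Compare the stored CheckSum field with the recomputed value."""
    off = _checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = compute_pe_checksum(data)
    return {"stored": stored, "computed": computed, "matches": stored == computed}


def build_sample_pe(checksum: int = 0, machine: int = 0x014C) -> bytes:
    """Constructed 184-byte PE32 header image (not loadable) so the check can run offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 96, 0)  # IMAGE_FILE_HEADER
    opt = bytearray(96)                                           # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)                     # CheckSum field
    return dos + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    image = build_sample_pe()
    print(verify_pe_checksum(image))
    print(verify_pe_checksum(build_sample_pe(checksum=compute_pe_checksum(image))))
```

Windows only enforces this field for drivers and boot-time system DLLs, so for a user-mode game executable a mismatch is a tamper indicator for an analyst rather than something the loader acts on.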