Releases: NosCoreIO/NosCore.DeveloperTools

ci-20260423-1611-55c17fa

23 Apr 16:13

Scan target heap for live NosMall URL and auto-fill in MainForm

Hook DLL walks its own committed private pages via VirtualQuery +
ReadProcessMemory, regex-matches the fully-formatted shop URL (digit
required after sid=/server_index= so the unfilled %s template is
skipped). A 2 s background poller publishes the first hit to the UI
over the pipe as NOSMALLURL <url>, and the MainForm NosMall tab
auto-fills it into a read-only Live URL box.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ci-20260423-0556-4204f4e

23 Apr 05:56

Rename to NosCore.DeveloperTools + Auth tab + Client Creator patches

The repo grew beyond just a packet logger (client binary patcher + GF
auth / JSON-RPC pipe launcher), so it's now NosCore.DeveloperTools.
Folders, csprojs, solution, AssemblyName / RootNamespace, runtime paths
(pipe name, %LOCALAPPDATA% settings/diag, embedded hook DLL resource
name), CI yml, README and docs/finding-hooks.md are all renamed.

New tabs / features:

Auth tab
- NosCore auth flow: POST /api/v1/auth/thin/sessions + POST
  /api/v1/auth/thin/codes (logged as JSON req/resp in the HTTP pane).
- GameforgeClientJSONRPC pipe server answering all ten methods the
  current gameforge_client_api.dll (v3.9.x) expects — the classic four
  (isClientRunning, initSession, queryAuthorizationCode,
  queryGameAccountName) plus queryGameAccountId, queryGameBranch,
  queryGameRegion, queryGameLocale, queryGameDisplayLocale,
  queryClientLocale. The four-method subset was the real cause of the
  "gf init failed" dialog.
- Single "Sign in && launch" button that walks auth → pipe start →
  client spawn → "Stop pipe" in one flow.
- gfLang is a RegionType-enum dropdown; the enum ordinal is the
  numeric `gf <N>` arg the client parses (not the code, which goes to
  NosCore's JSON gfLang field).
- "Skip client launch (for manual debug)" prints env vars + command
  line so x32dbg can drive the child process with the right _TNT_*
  env inherited from the spawning shell.
- Split HTTP / Pipe log panels; form fields persisted to settings.

Client Creator
- IP patch auto-detects the Delphi AnsiString slot by shape (FF FF FF
  FF refcount + IP-looking payload with exactly 3 dots), overwrites
  the payload and rewrites the length prefix — no text-based IP
  search, works on already-patched binaries.
- Allow-no-arg: NOP the 6-byte `JL rel32` that aborts double-click
  launches (argc check after ParamCount/dec eax).
- Default-to-Entwell: NOP the final `JNZ` of the arg dispatcher's
  `"EntwellNostaleClient"` compare so any non-gf/non-gftest launch
  falls into the Entwell standalone body. gf / gftest branches are
  untouched — a real Gameforge launcher still drives GF mode.
- Output filename field auto-filled to <name>_patched.<ext>; all
  inputs persisted.
- Dropped the earlier Pumba98-style `JL->JMP-to-Entwell-body` patch —
  its landing was past the arg dispatcher, which broke gf handling.

Packet Logger
- Login recv hook finalised as a mid-function detour at 0x4EB5CC. The
  trampoline pushes EBP; the managed hook dereferences [EBP-0x08] to
  grab the full cleartext NsTeST packet before the dispatcher's inline
  tokenizer consumes it.
- HookArg enum on Detour.Install (Edx / Ebp / EaxThenEdx) so the same
  trampoline mechanism handles register-based packet sources, caller-
  frame locals, and the two-arg send path (EAX self + EDX packet).
- Detour.Install gains a `prologueSize` override for targets whose
  byte-6 boundary would split a multi-byte instruction (needed for the
  login dispatcher's `mov ecx, 6`).
- Pipe protocol carries direction AND connection char: "PACKET
  <S|R> <W|L> <payload>", rendered as "[HH:mm:ss.fff] [World] [Send] …".
- Capture-side direction toggles + add/remove blacklist-or-whitelist
  filters applied at intake (filtered packets never reach the log).
- Ctrl+A / Ctrl+C / right-click Copy + Copy-with-tags; Clear button.
- Custom packet inject (send/recv) via a Delphi-register-convention
  invoker thunk + hand-rolled AnsiString.
- Clickable github link in About.
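
The two pipe line types named in these release notes (`PACKET <S|R> <W|L> <payload>` and `NOSMALLURL <url>`), parsed, filtered at intake and rendered in the quoted log format. This is an added Python example, not code from the NosCore.DeveloperTools repository. It assumes `L` is the login connection and that filters match on the payload's first token, it adds control-character scrubbing that the notes do not mention, and the sample lines are constructed.

```python
from datetime import datetime

DIRECTIONS = {"S": "Send", "R": "Recv"}
CONNECTIONS = {"W": "World", "L": "Login"}  # assumption: L = login connection

def parse_line(line):
    """Parse one pipe line into a dict; raise ValueError on anything malformed."""
    verb, _, rest = line.rstrip("\r\n").partition(" ")
    if verb == "NOSMALLURL" and rest:
        return {"kind": "url", "url": rest}
    if verb == "PACKET":
        parts = rest.split(" ", 2)  # payload keeps its own spaces
        if len(parts) == 3 and parts[0] in DIRECTIONS and parts[1] in CONNECTIONS and parts[2]:
            return {"kind": "packet", "direction": DIRECTIONS[parts[0]],
                    "connection": CONNECTIONS[parts[1]], "payload": parts[2]}
    raise ValueError(f"malformed pipe line: {line!r}")

def accept(msg, mode, headers, capture=("Send", "Recv")):
    """Intake filter: direction toggle first, then blacklist/whitelist."""
    if msg["direction"] not in capture:
        return False
    header = msg["payload"].split(" ", 1)[0]  # assumption: filters key on first token
    return (header in headers) == (mode == "whitelist")

def render(msg, ts):
    """Format as "[HH:mm:ss.fff] [World] [Send] payload"."""
    # The payload comes from the hooked process: scrub control characters before display.
    safe = "".join(c if c.isprintable() else "?" for c in msg["payload"])
    stamp = f"{ts:%H:%M:%S}.{ts.microsecond // 1000:03d}"
    return f"[{stamp}] [{msg['connection']}] [{msg['direction']}] {safe}"

def ingest(lines, mode="blacklist", headers=(), capture=("Send", "Recv"), now=datetime.now):
    log, live_url = [], None
    for line in lines:
        try:
            msg = parse_line(line)
        except ValueError:
            continue  # malformed lines are dropped, never logged
        if msg["kind"] == "url":
            live_url = live_url or msg["url"]  # first hit wins
        elif accept(msg, mode, headers, capture):
            log.append(render(msg, now()))
    return log, live_url

# Constructed sample input; the URL is a placeholder, not a real shop address.
SAMPLE = [
    "PACKET S W walk 10 20 1 11", "PACKET R W mv 1 42 10 20 11",
    "PACKET R L NsTeST 0 demo", "PACKET X W bad", "PACKET R W say hi\x07there",
    "NOSMALLURL https://shop.example.invalid/?sid=1&server_index=2",
]
```

Filtered and malformed lines never reach the returned log, matching the "applied at intake" behaviour described above.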

ci-20260422-1923-4550eee

22 Apr 19:24

Initial commit — NosCore.DeveloperTools

NosTale developer tooling collection:

- **Packet Logger**: NativeAOT hook DLL injected via CreateRemoteThread
  + LoadLibraryW, inline detours on world send/recv and mid-function
  on login recv, bidirectional named pipe for capture + inject, WinForms
  UI with filters/capture toggles/copy menu/custom-packet inject.
- **Client Creator**: byte-pattern patcher for NosCore.exe — rewrites
  the embedded Delphi AnsiString login address (auto-detected by header
  shape, no text search) and flips the multi-instance JL check into an
  unconditional JMP.
- Docs: docs/finding-hooks.md walks through the x32dbg+MCP recipe used
  to derive the hook signatures.

Repo renamed from NosCore.PacketLogger to NosCore.DeveloperTools.
History squashed.