[C#] 1.0.8.16603 Enigma.D3

[enigma32]

Been reversing D3 with IDA for a while now and thought it was time for sharing. I do this primarily to learn and as a challenge so I don't really have any useful programs based on this framework. Don't be surprised if something is not quite working out or not making sense.

Please spare me the PMs asking to do this and that for payment, I'm not interested!

Credits:
KillerJohn for beeing a great sparring partner and for providing puzzles to solve.
DarthTon for the public framework which helped when getting started with all of this.
boredevil for a few posts that got me interested in assembly and IDA.

D3\Engine.cs contains the static offsets and is probably a good place to start exploring.
Properties using Field<T> are just that, fields inside the structure. Any 2nd argument specifies an array length.
Properties using Dereference<T> however are pointers. Any 2nd argument specifies an array length.
Names starting with _ means I've seen no usage in IDA (doesn't mean it's not used).
Names ending with _ means I'm not sure if the name I've given is an accurate representation.

I will not work more on this version as I've started on the PTR instead. As I don't have any programs depending on this framework I don't really know where to start applying fixes or how to confirm if structures and fields are the same. If someone find this useful, please state what information is useful and for what, then maybe I'll be able to keep those parts updated!

Note that D3 has the /LARGEADDRESSAWARE option, meaning it can access up to 3GB memory! My memory classes in this version will not appreciate addresses over 2GB.

[Ferroks]

hi, can you do a little video tutorial, looking as offsets, etc.?
I also interested in this topic - assembly and IDA, but I'm a lot more then there do not understand.
just make a video of the process of your work over the PTR version?

[enigma32]

hi, can you do a little video tutorial, looking as offsets, etc.?
I also interested in this topic - assembly and IDA, but I'm a lot more then there do not understand.
just make a video of the process of your work over the PTR version?

No, would require a huge effort to make something usable.

If you want to get started with IDA then I suggest you just start playing around. You absolutely need Hex-Rays Decompiler or you have to be a master at assembler. This will give you pseudo-C code where you can start renaming variables and set correct types (after qualified guesses).

I started using IDA ~8 months ago, knowing nothing about it and only having very basic knowledge of assembler. C# is my tool of trade so this low level was really new to me. Now I'd say I'm pretty decent at it so it just takes some tenacity. I'm probably not using it properly (never using the debugger) but who cares, whatever gives results

Some hints on how to get started from scratch:

• Start by finding the memory allocation method. Search for strings like "sReportOutOfMemory\n" and "Unable to allocate %d bytes". It's at [.text:01280C70] in current PTR.
• Look for references to above method to figure out where structures are allocated and how large they are. You can define structures in Local Types (Shift+F1) using C syntax. I use Excel to generate fields like _x00, _x04, _x08 and so on. I remove _ if I find the field being used and I append a name if I think I know what it's for (and postfix with _ if I'm unsure). If I find an allocation and I don't feel like defining a structure, I'll name it something like x00_Ptr128Bytes. Then if it happens to be used someplace interesting I can define structure then.
• Finding ObjectManager can be done by searching for "RActors". This will be passed as argument to a method creating a container. It will return pointer to the container and this will be set inside ObjectManager, voila, there's your address. Then you can look at the references for that address and see where it's written, then it shouldn't take long to figure out how large it is and what's initially initialized on it. There are 2 static pointers to it in current PTR, one address is only used during initialization and finalization.
• Now it's all about figuring out how stuff is used and this is the hard part. Luckily there are plenty of debug strings to assist you.
• Use a debugger, CheatEngine or your own tool to view the memory of a structure live in order to identify fields. Do things in the game and see how it affects things.

That's pretty much what I can be arsed writing. Good luck!

[Ferroks]

please write down the video when you're watching and PTR.
describe and explain nothing.
you can just write here found such and such a thing. but it is generally not know what kind of thing.

[KillerJohn]

please write down the video when you're watching and PTR.
describe and explain nothing.
you can just write here found such and such a thing. but it is generally not know what kind of thing.

your post makes no sense

[Ferroks]

KillerJohn I also did not understand yours)
sorry for the English

he somehow figuring editing memory)

I wish that "enigma32" made ​​the video as he searches for offsets with minimal description of the process.

[enigma32]

KillerJohn I also did not understand yours)
sorry for the English

he somehow figuring editing memory)

I wish that "enigma32" made ​​the video as he searches for offsets with minimal description of the process.

I will not make a video! If you want to learn then just start playing around with IDA! If the program is too confusing, try read a book! If that is too hard for you then you will have no chance figuring out how to reverse something with IDA.

[Ferroks]

enigma32 good) will be trying to understand myself)

[R3peat]

kinda wierd stuff is going on here xD

[RedXXXKnight]

enigma32 good) will be trying to understand myself)

Good thinking - everybody should start from themselves

[g4b51l]

Hi Enigma, thanks for sharing your work! Very nice stuff...
Just one question...I am comparing Johns offsets and your structures but I am struggling on the entry point (other things are working fine).
Usually we have (in most of the codings) objmgr sitting at 0x18CE394 and offset to storage 0x7CC. But checking in your classes I get 0x7B0 to be the storage offset.
The same it true for the storage itself e.g. data sitting at 0x0C4 rather than 0x0A8...
Maybe I am just missing the obvious? THX

[enigma32]

Hi Enigma, thanks for sharing your work! Very nice stuff...
Just one question...I am comparing Johns offsets and your structures but I am struggling on the entry point (other things are working fine).
Usually we have (in most of the codings) objmgr sitting at 0x18CE394 and offset to storage 0x7CC. But checking in your classes I get 0x7B0 to be the storage offset.
The same it true for the storage itself e.g. data sitting at 0x0C4 rather than 0x0A8...
Maybe I am just missing the obvious? THX

Hi CrazyName

The thing with Storage is that it is allocated inside ObjectManager, a struct within a struct. If a field is added or removed from either in a patch, someone that is only reading memory (like KJ) will not know if the change was to Storage or ObjectManager and most likely try to adjust the offset for Storage to make it fit. Since I'm looking at the actual program and not the memory I know exactly what offset Storage has. If you compare the values you stated you can see there is a difference of 0x1C between them:

0x7CC - 0x7B0 = +0x1C
0x0A8 - 0x0C4 = -0x1C

0x7CC + 0x0A8 = 0x874
0x7B0 + 0x0C4 = 0x874

[g4b51l]

The obvious...it's a struct inside the struct not a pointer...thx

[nexus84]

Hello,

Thanks for the release. But I guess all offsets are outdated with the current patch version?
I'm a professional C# programmer, and I wish to contribute. I haven't found any good up to date API in C#, so maybe we could work on creating one.
My first goal is to make something pretty simple : a follower bot.
Enigma seems pretty complete, but I guess it was retrieved using reflector ? For example, member names of class Storage are meaningless.

See you.

[enigma32]

I guess all offsets are outdated with the current patch version?

Changes in major version tends to stir things up a bit

I haven't found any good up to date API in C#, so maybe we could work on creating one.

Thanks but I'm not interested in supporting bots and all the retard questions that comes with the territory (no offense). I might release my up to date version when RoS hits, not sure yet... not sure what good it would do if any.

Enigma seems pretty complete, but I guess it was retrieved using reflector ? For example, member names of class Storage are meaningless.

Reflector? Please show me a reflector that works for C++ programs :P Names I get by debug messages or by simply figuring out how things work and why.