-
Can anyone help me? How to unlock Hell? I don't need other saves, I want it on mine
so I need to edit my save
already figured out how to unlock Nightmare with a HEX editor
but not Hell
Tony and Friends - Professional Powerleveling Services with stream. Many games. Discord - tonyandfriends, Discord ID - 543350455757963265, Discord Server - ask in PM or on the forum
-
Member
Originally Posted by
QuadroTony
Can anyone help me? How to unlock Hell? I don't need other saves, I want it on mine
so I need to edit my save
already figured out how to unlock Nightmare with a HEX editor
but not Hell
d2s - Example
Load your save. Click 'Unlock Hell'. Click 'Save D2R'.
-
Originally Posted by
ejt
Did some work on UI stuff today, got the panel manager offset and some structures to go with it.
PanelManager = 0x234AF30
There is also a copy on 0x234AF40 but haven't looked into what that is used for yet.
InitializePanelManager = 0x5A3C50
InitializeGameWidgets = 0x5B30B0 lot of initialization going on in there
Code:
#include <cstdint>

class Widget;
class WidgetList;
class PanelManager;

// Actually a list of like 33 items but not sure exactly
// about the size yet so just added some items for testing
class WidgetList
{
public:
    Widget *N000036F1; //0x0000
    Widget *N00004084; //0x0008
    Widget *N00004085; //0x0010
    Widget *N00004086; //0x0018
    Widget *N00004087; //0x0020
    Widget *N00004088; //0x0028
    Widget *N00004089; //0x0030
    Widget *N0000408A; //0x0038
    Widget *N0000408B; //0x0040
    Widget *N0000408C; //0x0048
    Widget *N0000408D; //0x0050
    Widget *N0000408E; //0x0058
}; //Size: 0x0060

class Widget
{
public:
    // the vtable pointer for the virtual functions below sits at 0x0000
    char *pName; //0x0008
    char pad_0010[32]; //0x0010
    Widget *Parent; //0x0030
    char pad_0038[24]; //0x0038
    uint64_t Flags; //0x0050 flags & 0x10 = visible
    WidgetList *Children; //0x0058
    uint64_t numElements; //0x0060
    char pad_0068[32]; //0x0068

    virtual void Function0();
    virtual void Function1();
    virtual void Function2();
    virtual void Function3();
    virtual void Function4();
    virtual void Function5();
    virtual void Function6();
    virtual void Function7();
    virtual void Function8();
    virtual void Function9();
}; //Size: 0x0088

class PanelManager : public Widget
{
public:
    WidgetList *pWidgetList; //0x0088
    uint64_t numElements; //0x0090
    char pad_0098[8]; //0x0098
    WidgetList *pWidgetList2; //0x00A0
    uint64_t numElements2; //0x00A8
    char pad_00B0[8]; //0x00B0
    uint32_t N0000432E; //0x00B8
    uint32_t ScreenWidth; //0x00BC
    uint32_t ScreenHeight; //0x00C0
    char pad_00C4[4]; //0x00C4
    Widget *ActiveModal; //0x00C8
    Widget *GlobalData; //0x00D0
    Widget *FocusManager; //0x00D8
    char pad_00E0[16]; //0x00E0
}; //Size: 0x00F0
Do you think it will be possible to turn ON gamepad UI and other gamepad features, but play with keyboard and mouse?
-
Originally Posted by
Crazyloon
Ah, ok... never mind I figured it out.
adding
0x1EE3201:90
to patches.txt will make item levels show
I'm still testing the rest
0x1EE3200:90: ~ allowLadderRunewords
0x1EE3201:90: ~ displayItemLevel
0x1EE31FF:90: ~ allowCowPortalWhenCowKingWasKilled
0x1EE3203:90 ~ enableUberQuest
0x1EE3202:90: ~ allowStatUnassignment
0x1EE3204:90: ~ allowSkillUnassignment (doesn't seem to be working)
0x1EE320D:90: ~ enableWorldEventOffline (Assume Uber Diablo - haven't tested)
0x1EE320E:90: ~ enableMultipleHirelings
//0x1EE3211:90: ~ worldEventMonsterClass (probably needs correct ID for Uber Diablo)
//0x1EE3215:90: ~ worldEventGlobalMessage (probably needs correct ID for the string to reference)
//0x1EE3315:90: ~ worldEventGlobalSound (probably needs correct ID for audio file to reference)
Not working for me
at least I can't see item levels
didn't test other things, what am I doing wrong? Tried 01 instead of 90 as suggested a few posts above = same issue


-
Member
Originally Posted by
Crazyloon
I find this very interesting. I wonder if we can figure out how to turn the console on and see if there is any interesting information in there.
Attachment 77216
How do you find a memory offset for something like this in Cheat Engine? I understand, in Cheat Engine, we can manually add an address if we know the offset.
So how did you go from something like this in IDA:
.rdata:0000000141A1B528 aAllowladderrun db 'allowLadderRunewords',0
to something like this in Cheat Engine:
game.exe+0x1EE3200
I can't claim to be great at this either. But I'd search for references to the string in code. That narrowed me down to
Untitled.png
You can see they call a func which we can presume checks for s_show_console being set. You can see the result of the call being stored in Game.exe+0x22E1CB8. However, neither patching that address nor patching the instructions to just `MOV RAX,0x1` resulted in any kind of difference in game for me.
Last edited by dschu012; 04-19-2021 at 11:01 AM.
-
Contributor
Originally Posted by
QuadroTony
Not working for me
at least I can't see item levels
didn't test other things, what am I doing wrong? Tried 01 instead of 90 as suggested a few posts above = same issue

The way you're changing the value is at startup when you're using the patches.txt method of doing things. This is why you should load up something like Cheat Engine and modify the value yourself. What probably happens is that when you enter a game or somewhere along the way the game overwrites your modified value and makes the patch useless.
-
Originally Posted by
ejt
The way you're changing the value is at startup when you're using the patches.txt method of doing things. This is why you should load up something like Cheat Engine and modify the value yourself. What probably happens is that when you enter a game or somewhere along the way the game overwrites your modified value and makes the patch useless.
All other things inside patches.txt work fine, so it looks like just that item level parameter/address is incorrect
-
Contributor
Originally Posted by
QuadroTony
All other things inside patches.txt work fine, so it looks like just that item level parameter/address is incorrect
You're wrong
-
Member
Originally Posted by
QuadroTony
All other things inside patches.txt work fine, so it looks like just that item level parameter/address is incorrect
Everything worked fine for me, but like ejt said, the program modifies values and it's not always working as it should
-
Member
Originally Posted by
QuadroTony
All other things inside patches.txt work fine, so it looks like just that item level parameter/address is incorrect
I recommend opening the game with Cheat Engine and modifying the values that way. There's a race condition when using patches.txt that can sometimes cause some of the values to be overwritten.
-
Contributor
<removed, you go figure it out>
Last edited by ejt; 10-05-2021 at 02:57 PM.
Reason: removed
-
Anyone know how to be able to open cow level after killing cow king?
Do I need to edit the save file, or the game exe itself? i.e. Cheat Engine
-
Member
Originally Posted by
QuadroTony
Anyone know how to be able to open cow level after killing cow king?
Do I need to edit the save file, or the game exe itself? i.e. Cheat Engine
Did you check the first page at all? It's posted there ^^
"game.exe+1EE31FF" set it to true
-
Member
Originally Posted by
ejt
Here's some offsets that will be needed for maphack later.
Code:
// tested globals
PanelManager = 0x234AF30,
AutomapLayer = 0x22E46E8,
// tested functions
GetControlUnitId = 0x14C510,
GetControlUnitPtr = 0x157300,
GetLayer = 0x296ED0,
GetLevel = 0x292740,
InitAutomapLayer = 0x176550,
InitLevel = 0x292D70,
LoadAct = 0x278BD0,
LoadAct_1 = 0x172750, // void LoadAct_1(Room1* room)
LoadAct_3 = 0x172890,
UnloadAct = 0x278A10,
RevealAutomapRoom = 0x177900, // contains retcheck
As you may have noticed, RevealAutomapRoom has a retcheck, quite an aggressive one at that. From what I could figure out, it looks something like this:
Code:
v31 = retaddr[0];
if ( retaddr[0] < s_ImageBase || retaddr[0] >= s_ImageBase + 0x1A14584 )
    goto LABEL_44;
v20 = *(retaddr[0] - 5);
if ( v20 != -24 )
{
    if ( *(retaddr[0] - 7) != -1 || (v21 = *(retaddr[0] - 6), ((v21 & 0x38) - 16) & 0xF7) )
    {
        v21 = *(retaddr[0] - 6);
        v22 = 0;
    }
    else
    {
        v22 = 1;
    }
    v23 = v21 != -1 || ((v20 & 0x38) - 16) & 0xF7 ? 0 : 1;
    v24 = v22 | v23;
    if ( *(retaddr[0] - 4) != -1 || (v25 = *(retaddr[0] - 3), ((v25 & 0x38) - 16) & 0xF7) )
        v25 = *(retaddr[0] - 3);
    else
        v24 = 1;
    if ( v25 != -1 || (v26 = *(retaddr[0] - 2), ((v26 & 0x38) - 16) & 0xF7) )
    {
        v26 = *(retaddr[0] - 2);
        v27 = 0;
    }
    else
    {
        v27 = 1;
    }
    v28 = v27 | v24;
    if ( (v26 != -1 || ((*(retaddr[0] - 1) & 0x38) - 16) & 0xF7) && !v28 )
    {
LABEL_44:
        while ( 1 )
        {
            *v31 = v31 / 0;
            memset(&v32, 0, 0x1000ui64);
        }
    }
}
v29 = (qword_BAB30 + *(qword_BAB30 + ((LODWORD(retaddr[0]) - _ImageBase) >> 14)));
v30 = *v29;
if ( !*v29 )
{
    while ( 1 )
    {
LABEL_40:
        *retaddr[0] = retaddr[0] / 0ui64;
        memset(&retaddr[1], 0, 0x1000ui64);
    }
}
while ( v30 - (LODWORD(retaddr[0]) - _ImageBase) > 0x40 )
{
    v30 = v29[1];
    ++v29;
    if ( !v30 )
        goto LABEL_40;
}
It was heavily obfuscated so the pseudocode is unreliable but sort of gives you an understanding of what it does. It checks the return address against a global variable; if it's too low or high it eventually goes into an endless loop that will divide by zero and zero out some memory. Still trying to get past this but haven't looked into defeating the anti-debugging yet so it's going slow, sharing in case anyone else is looking to get a maphack working.
EDIT:
Here's a patch that will jump over the retcheck in RevealAutomapRoom. Still want to find a solution for doing this dynamically but it will work for testing purposes.
Code:
0x177A91:E99C050000: ~ retcheck in RevealAutomapRoom
Still need the functions AddRoomData and RemoveRoomData to complete the maphack.
How did you adapt so well from x86 assembly to x64 to find the functions? Without being able to debug / breakpoint I'm still having a hard time understanding how everyone is finding so much useful stuff. Do you all really sit there for hours on end looking at the C code to find the similarities? Thanks for your contributions and findings.
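The first half of the retcheck quoted above reads as a call-site validation, shown here as an added C example (not code from the thread or from the game): the return address must lie inside the image and be preceded by `E8` (the `-24` byte) or by `FF` with a ModRM reg field of 2 or 3. The function names, the offset-based interface and the sample bytes are assumptions made for illustration, and this is one reading of decompiler output that the poster calls unreliable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ModRM reg field (bits 5..3) of 2 or 3 selects CALL in the 0xFF opcode
   group; same arithmetic as the posted ((x & 0x38) - 16) & 0xF7 test. */
static int is_call_modrm(uint8_t modrm)
{
    return (((modrm & 0x38) - 16) & 0xF7) == 0;
}

/* 1 if ret_off is inside the image and the bytes before it decode as a
   CALL whose encoding ends exactly at ret_off, else 0 (hypothetical API). */
int ret_site_is_call(const uint8_t *image, size_t image_size, size_t ret_off)
{
    /* FF /2 and FF /3 lengths: ModRM only, +SIB or disp8, +SIB+disp8,
       +disp32, +SIB+disp32. These are the -2,-3,-4,-6,-7 probes. */
    static const size_t indirect_len[] = { 2, 3, 4, 6, 7 };
    if (ret_off >= image_size)                          /* outside image */
        return 0;
    if (ret_off >= 5 && image[ret_off - 5] == 0xE8)     /* call rel32 */
        return 1;
    for (size_t i = 0; i < sizeof indirect_len / sizeof indirect_len[0]; i++) {
        size_t len = indirect_len[i];
        if (ret_off >= len && image[ret_off - len] == 0xFF &&
            is_call_modrm(image[ret_off - len + 1]))
            return 1;
    }
    return 0;
}

/* Constructed sample bytes, not taken from any real binary. */
const uint8_t sample_image[] = {
    0xE8, 0x10, 0x00, 0x00, 0x00,        /* 0:  call rel32   (returns to 5)  */
    0x90,                                /* 5:  nop                          */
    0xFF, 0xD0,                          /* 6:  call rax     (returns to 8)  */
    0x90,                                /* 8:  nop                          */
    0xFF, 0x15, 0x00, 0x00, 0x00, 0x00,  /* 9:  call [rip+0] (returns to 15) */
    0x90,                                /* 15: nop                          */
    0xFF, 0xE0,                          /* 16: jmp rax, FF /4, not a call   */
    0x90, 0x90                           /* 18: nop; nop                     */
};

int main(void)
{
    for (size_t off = 0; off <= sizeof sample_image; off++)
        printf("%2zu -> %d\n", off,
               ret_site_is_call(sample_image, sizeof sample_image, off));
    return 0;
}
```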
-
Contributor
Originally Posted by
rm10
How did you adapt so well from x86 assembly to x64 to find the functions? Without being able to debug / breakpoint I'm still having a hard time understanding how everyone is finding so much useful stuff. Do you all really sit there for hours on end looking at the C code to find the similarities? Thanks for your contributions and findings.
Most of my experience comes from reversing World of Warcraft, which is also x64. Other than that, there is not that much difference between x86 and x64, so it's not a hard swap to do.
And yes, I do sit for hours on end looking for stuff.