Help with UsePower?

[DennyPow]

Hi -

I've a problem with UsePower function (0x97AC70)


I don't know how I've to use this function (injected code)

Yeah I've read all this threads about UsePower but at first i don't know what works currently and how I've to use the usercall wrapper => cdcel


Would be nice if someone could explain this stuff

Thanks

[Aftiagouras]

This func gets one argumet from eax wich is the register used for returning values so mb you could do something like that:

int SetFirstArg(int a1) { return a1; }

and call UsePower like that:

SetFirstArg(a1);
Usepower(a2, a3, a4);

Then again your compiler could mess this up so you might have to call it manualy with asm code.

[DennyPow]

This func gets one argumet from eax wich is the register used for returning values so mb you could do something like that:

int SetFirstArg(int a1) { return a1; }

and call UsePower like that:

SetFirstArg(a1);
Usepower(a2, a3, a4);

Then again your compiler could mess this up so you might have to call it manualy with asm code.

Could you say me what's the params are?

eax stores a stuture pointer which contains GUID to target....

[boredevil]

just scroll a bit to the top. the function just above yours is the "real" usepower. all its arguments are well explained in this forum.

[DennyPow]

just scroll a bit to the top. the function just above yours is the "real" usepower. all its arguments are well explained in this forum.

I think you mean 0x97AA30?
I don't find something useful here all is confused, there is no thread who is only discuss this problem, which is up-to-date.


EAX contains ActorPtr
ECX contains ActorGUID

ESI ?
...
...

[boredevil]

So just tell me how to call it.
...

Sorry dude. No spoons in stock atm.

[DennyPow]

No one knows? :confused:

[xzidez]

No one knows? :confused:

Create e delegate (I choosed stdcall so .net handles the stack for me)...

Code:

[UnmanagedFunctionPointer(CallingConvention.StdCall)]
private delegate int UserPowerWrapperDelegate(uint cmdPacket,uint ptrHero, uint one, uint zero, uint address);
private static UserPowerWrapperDelegate UsePowerInternal;
private static IntPtr UsePowerWrapper = IntPtr.Zero;

Create your wrapper.

Code:

                Byte[] asm = new Byte[]
                {
                    0x55,                       //Push EBP
                    0x8B, 0xEC,                 //Mov EBP, ESP
                    0x8B, 0x5D, 0x18,           //mov ebx, [ebp+18]
                    0x8B, 0x45, 0x14,           //mov eax, [ebp+14]
                    0x50,                       //Push EAX
                    0x8B, 0x45, 0x10,           //mov eax, [ebp+10] 
                    0x50,                       //Push EAX
                    0x8B, 0x45, 0x0C,           //mov eax, [ebp+0C] //Hero
                    0x50,                       //Push EAX
                    0x8B, 0x45, 0x08,           //mov eax, [ebp+08] //Cmdpacket
                    0xFF, 0xD3,                 //Call ebx
                    0x8B, 0XE5,                 //Mov ESP, EBP
                    0x5D,                       //Pop ebp   
                    0xC3                        //Return
                };

Allocate some memory, copy our asm there and register our delegate.

Code:

UsePowerWrapper = Marshal.AllocCoTaskMem(asm.Length);
Marshal.Copy(asm, 0, UsePowerWrapper, asm.Length);
UsePowerInternal = Marshal.GetDelegateForFunctionPointer(ptr, typeof(UserPowerWrapperDelegate))

And now we can call it with our UsePowerInternal.

Edit: This is the "outer" usepower, you can only use this on actors.. Not on vectors.. for that you will have to reverse a bit
good luck

[DennyPow]

Thanks but I'am not able to implement this in C don't know what's my mistake :confused:

PHP Code:

void _declspec(naked) UsePowerToActor_Wrapper()
{
    _asm
    {
        push ebp
        mov EBP, ESP
        mov ebx, [ebp+0x18]
        mov eax, [ebp+0x14]
        push EAX
        mov eax, [ebp+0x10]
        push EAX
        mov eax, [ebp+0x0C]
        mov eax, [ebp+0x08]
        push EAX
        call ebx
        mov ESP, EBP
        pop ebp 
        ret
    }
}

void __stdcall UsePowerToActorFunc(int cmdPacket, int ptrHero, int one, int zero, int address)
{
    UsePowerToActor_Wrapper();
} 


Then I calling

cmdPacket = SNOId?
ptrHero = MyActorPtr
one = 1?
zero = 0?
address = UsePowerToActorAddr (0x97C770)

UsePowerToActorFunc(.........);

What's wrong?

[xzidez]

I havent updated my framework to latest patch so I cant comment on the address... last patch it was 0x97AC70.
And cmdPacket is not SNO its a struct with the target and the power you want to use. Im sorry to say this but I think you should go a few steps back and work on your reversing skills a bit. Even if I would give you a complete samplecode with everything you need you wont be able to use it and you will be stuck on the next thing you want to do.

People here dont mind helping.. but just handing you the exact code will just get you stuck on your next problem. you gotta learn how to do stuffs yourself

[RamirezX]

My quick&dirty wrapper to UsePowerToActor used as MoveTo ...

Code:

#define f_UsePower	0x97C790

typedef struct {

		DWORD power_1;
		DWORD power_2;
		DWORD cmd;
		DWORD acd_id;
		float x, y, z;
		DWORD world_id;
		DWORD end;

} INTERACT_PACKET;


__declspec(naked) DWORD PlayerMoveTo(DWORD dwPlayerActorAddress, float x, float y, float z)	{

	__asm { //prolog

		push ebp
		mov ebp, esp
		sub esp, 0x80

	}

	DWORD PlayerActorAddress, *pPlayerActorAddress;
	pPlayerActorAddress = &PlayerActorAddress;
	PlayerActorAddress = dwPlayerActorAddress;

	INTERACT_PACKET iPacket, *piPacket;
	piPacket = &iPacket;

	piPacket->power_1 = 0x0000777C;
	piPacket->power_2 = 0x0000777C;
	piPacket->cmd = 2;
	piPacket->acd_id = 0xFFFFFFFF;
	piPacket->x = x;
	piPacket->y = y;
	piPacket->z = z;
	piPacket->world_id = 0x772E0000;
	piPacket->end = 0xFFFFFFFF;

	__asm {
	
		push pPlayerActorAddress
		push 1
		push 0
		mov esi, piPacket
		mov eax, PlayerActorAddress
			
		mov ecx, f_UsePower
		call ecx

		mov esp, ebp //epilog
		pop ebp
		ret
	}

}

[KOS0937]

My quick&dirty wrapper to UsePowerToActor used as MoveTo ...

You are missing the 10th field in the callStruct. It will be fine usually (as you want that last value to be 0), but you never know...

proof:

Code:

.text:0097C7FD                 cmp     dword ptr [esi+24h], 0

[ValvePro]

My quick&dirty wrapper to UsePowerToActor used as MoveTo ...

Code:

#define f_UsePower	0x97C790

typedef struct {

		DWORD power_1;
		DWORD power_2;
		DWORD cmd;
		DWORD acd_id;
		float x, y, z;
		DWORD world_id;
		DWORD end;

} INTERACT_PACKET;


__declspec(naked) DWORD PlayerMoveTo(DWORD dwPlayerActorAddress, float x, float y, float z)	{

	__asm { //prolog

		push ebp
		mov ebp, esp
		sub esp, 0x80

	}

	DWORD PlayerActorAddress, *pPlayerActorAddress;
	pPlayerActorAddress = &PlayerActorAddress;
	PlayerActorAddress = dwPlayerActorAddress;

	INTERACT_PACKET iPacket, *piPacket;
	piPacket = &iPacket;

	piPacket->power_1 = 0x0000777C;
	piPacket->power_2 = 0x0000777C;
	piPacket->cmd = 2;
	piPacket->acd_id = 0xFFFFFFFF;
	piPacket->x = x;
	piPacket->y = y;
	piPacket->z = z;
	piPacket->world_id = 0x772E0000;
	piPacket->end = 0xFFFFFFFF;

	__asm {
	
		push pPlayerActorAddress
		push 1
		push 0
		mov esi, piPacket
		mov eax, PlayerActorAddress
			
		mov ecx, f_UsePower
		call ecx

		mov esp, ebp //epilog
		pop ebp
		ret
	}

}

Nice - but is there any way to get the current World_ID?

[RamirezX]

You are missing the 10th field in the callStruct. It will be fine usually (as you want that last value to be 0), but you never know...

proof:

Code:

.text:0097C7FD                 cmp     dword ptr [esi+24h], 0

thx for a hint ;-)

[RamirezX]

Nice - but is there any way to get the current World_ID?

Of course .. take it from PlayerActor ...
I wrote _quick&dirty_