Thanks for the answer; I have some questions. Sorry if my post is too long...
1) I have some knowledge of programming in various languages, some methods of injecting into a process, and I also know how to use OllyDbg, IDA, ReClass and others. But I have almost no experience reversing software bigger and better than a CrackMe (basic level).
At first, before writing the program, I am trying to understand the mechanism and the internal interactions of the components/classes of Diablo3.
To start, I tried to find the value of an attribute in memory and look at which structures it affects.
I have read many forum pages from blizzhackers, ownedcore and others; there it was advised to start with a simple attribute: life.
I tried and found with ArtMoney 3 addresses (at first I tried integer values, but then spotted some source code showing that the value can be a floating-point :P )
Code:
Value 1 18D76C08 338.0000 4 byte floating point
Value 2 18D76C80 338.0000 4 byte floating point
Value 3 1CC587F0 338.0000 4 byte floating point
I set a breakpoint on the memory address of Value 2 (18D76C80) in OllyDbg to check which code executes and got
Code:
CPU Disasm
Address Hex dump Command
00871491 |. 5E POP ESI
00871492 |. 85C9 TEST ECX,ECX
00871494 |. 74 0B JZ SHORT 008714A1
00871496 |> 3941 04 /CMP DWORD PTR DS:[ECX+4],EAX
00871499 |. 74 1C |JE SHORT 008714B7
0087149B |. 8B09 |MOV ECX,DWORD PTR DS:[ECX]
0087149D |. 85C9 |TEST ECX,ECX
0087149F |.^ 75 F5 \JNZ SHORT 00871496
008714A1 |> 25 FF0F0000 AND EAX,00000FFF
008714A6 |. 8D0480 LEA EAX,[EAX*4+EAX]
008714A9 |. 8B0CC5 1C0552 MOV ECX,DWORD PTR DS:[EAX*8+152051C]
008714B0 |. 8B45 08 MOV EAX,DWORD PTR SS:[ARG.1]
008714B3 |. 8908 MOV DWORD PTR DS:[EAX],ECX
008714B5 |. 5D POP EBP
008714B6 |. C3 RETN
008714B7 |> 8B51 08 MOV EDX,DWORD PTR DS:[ECX+8]
008714BA |. 8B45 08 MOV EAX,DWORD PTR SS:[ARG.1]
008714BD |. 8910 MOV DWORD PTR DS:[EAX],EDX
008714BF |. 5D POP EBP
008714C0 \. C3 RETN
At first I was trying to understand where the offset points and what kind of structure it is (MOV EDX,DWORD PTR DS:[ECX+8]), but then when I tried to trace it my attention was caught by
Code:
MOV ECX,DWORD PTR DS:[ECX]
which iterates a linked list in a loop.
At first I thought it was one big structure for a particular object, until I met the code that iterates a linked list.
I couldn't understand what kind of structure is in the linked list until I looked inside the D3Adventure source, where I found a function similar to the one I found (no idea what version supremenerd88-d3adventure-1-5bc5887 is, but it is the most complete that I found). The structure turned out to be the one from "Blizzhackers - Diablo III Offsets, Globals, Funcs, Structs, Classes, etc."
Code:
struct tAttribLink
{
tAttribLink* Next; // 0x000
LONG AttribIndex; // 0x004
LONG Value; // 0x008
};
Honestly, without D3Adventure and the forum it would have taken me a very, very long time to come to at least some understanding of the structure.
Of course I can use the structures which were already found and reverse backwards to find the offsets, but that does not give me a full understanding of the mechanics and the opportunity to use the knowledge in implementing the program and further researching Diablo3.
Questions: So, to move on with studying Diablo3, please tell me, how can such great people as you understand which specific structure is at any address? In addition you also find classes and functions, which also have some specific values. I think this is very hard!
Did you build up complex logical chains, try passing values into various functions and almost randomly try to link their values to the available structures?
Perhaps you used some tricks or debug information left in the beta version?
Yes, perhaps this was done by people who reverse other Blizzard projects, but there are not enough people to help who work only with Diablo3 (I think).
Since the information is scattered across forum posts with no single description, I'm trying to understand the mechanism and the work of the game based on research, pieces of structures and their addresses in forum posts, and on the projects D3Adventure, Demonbuddy, HellBuddy and some bots from neighboring threads.
Can you advise your algorithms or tricks for identifying links and game objects?
2) Please check my understanding of the basic classes (simplistically):
ObjectManager = Contains all information and pointers of all visible, logical and support objects in the game and their attributes/params.
ObjectManager -> Actor = Contains all information and pointers of all game objects in the created game.
ObjectManager -> Actor -> Attribute = Contains all information and pointers of one attribute in the attribute list of some actor.
ObjectManager -> Scene = Contains all information and pointers of all objects and their params/info in the current part of the game, such as actors, terrain, interface and other.
ObjectManager -> Scene -> NavMesh = Collection which represents the grid on which actors interact with any action (walk, touch and other).
ObjectManager -> Scene -> NavMesh -> NavSquare = Represents one cell of the NavMesh grid.
Questions:
* Is my representation of the objects correct?
* If an actor represents all game objects (Actors - Diablo 3 Lexicon), then are objects like the wall (Waller skill) or the row of fire behind the monsters (a monster skill too) actors too? I think it will be a projectile, but I did not find it.
* Are the GUI interface, hp/affix bars of hero/monsters, labels, chat, speech bubbles of characters also actors? Yes, I saw this post "Blizzhackers - Diablo III Offsets, Globals, Funcs, Structs, Classes, etc." but I cannot understand how the interface is connected to game objects.
* If one Scene contains information on all current objects in the location, why is there more than one scene (judging by the scene Ids we get, there may be a lot)? For performance, are scenes initially generated for all locations?
* If a NavSquare represents a cell of the grid and may have actors or anything, then should it change status when the state of destructible objects changes?
3) Some areas in Diablo3 are generated differently each time, and I think the best way is to read the NavMesh/NavSquare from memory, because the SNO in the MPQ stores only static objects. Is this true?
Getting the Vec3 position and direction of the character in the world is quite simple using the examples. How do I get the NavMesh/NavSquare out of memory and use them to define the boundaries?
I'm trying to understand the hierarchy of structures:
I found the "Blizzhackers - Diablo III Offsets, Globals, Funcs, Structs, Classes, etc." post with the offsets of the structures
Code:
[[pObjectMgr+0x8F4]0x108] => SceneCount
[[pObjectMgr+0x8F4]0x148] => SceneFirstScene
SceneSize => 0x2A8
which point to ObMan->Storage->Scenes as SceneCount and ObMan->Storage->Local as SceneFirstScene (if using the structures from "Blizzhackers - Diablo III Offsets, Globals, Funcs, Structs, Classes, etc."), but I cannot understand how these structures are associated with the structures described here "Blizzhackers - Diablo III Offsets, Globals, Funcs, Structs, Classes, etc."?
And after all, how do I get from NavZone/NavSquare the coordinates of the position and size of the area, and the state of the current cell (blocked, free, destructible, etc.)?
Perhaps my post is very large and covers different parts of the mechanism, but I try to make every effort to understand the structure of all objects/classes, to tie them into one project in the future.
I would really appreciate it if you try to understand me and share some experience, knowledge and skills with me.
Thanks again to anyone who helps!
P.S. Sorry if you find some mistakes, my native language is Russian.
P.P.S. I changed some links to posts from blizzhackers into "Blizzhackers - Diablo III Offsets, Globals, Funcs, Structs, Classes, etc." because this forum has a limited count of links per post.
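Added example (mine, not code from the post, from D3Adventure or from the linked Blizzhackers post): a C reconstruction of what the OllyDbg listing in the post does, so the linked-list walk and the fallback default-table read can be compared line by line with the assembly. The names LookupAttrib/tAttribDefault, the default table's location and layout beyond its first DWORD, and all sample data are assumptions.

```c
/* Added reconstruction of the lookup routine in the OllyDbg listing (not code
 * from the post or D3Adventure): walk the tAttribLink list for a matching
 * AttribIndex and return its Value; otherwise read a default table indexed by
 * (index & 0xFFF) in 40-byte entries. Names, table layout and data are assumed. */
#include <stddef.h>
#include <stdint.h>
typedef int32_t LONG;

struct tAttribLink {
    struct tAttribLink *Next; /* 0x000 */
    LONG AttribIndex;         /* 0x004 */
    LONG Value;               /* 0x008 */
};

/* EAX = (idx & 0xFFF) * 5, then [EAX*8 + base] = base + idx * 40: 40-byte
 * entries of which only the first DWORD is read. Rest of the entry unknown. */
struct tAttribDefault {
    LONG Value;       /* 0x000 */
    uint8_t Pad[36];  /* 0x004..0x027 */
};

/* ECX = list head, EAX = index, ARG.1 = out pointer. Returns 1 on a list hit,
 * 0 when the default table supplied the value. */
int LookupAttrib(const struct tAttribLink *head, LONG index,
                 const struct tAttribDefault *defaults, LONG *out)
{
    for (const struct tAttribLink *n = head; n != NULL; n = n->Next) {
        if (n->AttribIndex == index) { /* CMP DWORD PTR [ECX+4],EAX / JE */
            *out = n->Value;           /* MOV EDX,DWORD PTR [ECX+8] */
            return 1;
        }
    }
    *out = defaults[index & 0xFFF].Value; /* AND EAX,0FFF; LEA; MOV ECX,[..] */
    return 0;
}
/* Constructed sample data: three-node list, one default entry at index 0x99. */
static struct tAttribDefault g_defaults[0x1000] = { [0x99] = { .Value = -1 } };
static struct tAttribLink g_nodes[3] = {
    { &g_nodes[1], 0x12, 100 },
    { &g_nodes[2], 0x34, 338 },
    { NULL,        0x56,   7 },
};
static int g_found; /* set by DemoValue: 1 = served from the list, 0 = table */
LONG DemoValue(LONG index)  /* what the routine would write to *ARG.1 */
{
    LONG v = 0;
    g_found = LookupAttrib(&g_nodes[0], index, g_defaults, &v);
    return v;
}
```

Note that an index with bits above 0xFFF set (e.g. 0x1099) misses the list and still reads the 0x99 default entry, which is exactly what the AND EAX,00000FFF does.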