I know there are a lot of obvious debug strings left in that help find functions which interact with various aspects of the game; however, I am new to IDA and am missing the crucial step to get info such as the agent array.
So, for example, searching for client context there are a few subroutines that reference the ChCliContext debug string from the data section. This is the first one found when searching:
So obviously the section with the string is the error handling that is run when the "TEST ESI, ESI" AND logic fails to produce a 1. My question (although this might be because I am not that familiar with IDA yet) is: how are you abstracting the class formats/pointers from these functions in IDA?
Code:
.text:00AFEC90 sub_AFEC90 proc near ; CODE XREF: sub_B0D800+4Ap
.text:00AFEC90 ; sub_B15490+A3p ...
.text:00AFEC90
.text:00AFEC90 arg_0 = dword ptr 8
.text:00AFEC90
.text:00AFEC90 push ebp
.text:00AFEC91 mov ebp, esp
.text:00AFEC93 push esi
.text:00AFEC94 mov esi, [ebp+arg_0]
.text:00AFEC97 test esi, esi
.text:00AFEC99 jnz short loc_AFECAF
.text:00AFEC9B push 9Dh
.text:00AFECA0 mov edx, offset a______GameChar ; "..\\..\\..\\Game\\Char\\Cli\\ChCliContext.cpp"...
.text:00AFECA5 mov ecx, offset aAgent ; "agent"
.text:00AFECAA call sub_64E3C0
.text:00AFECAF
.text:00AFECAF loc_AFECAF: ; CODE XREF: sub_AFEC90+9j
.text:00AFECAF mov eax, [esi]
.text:00AFECB1 mov edx, [eax+9Ch]
.text:00AFECB7 mov ecx, esi
.text:00AFECB9 call edx
.text:00AFECBB test eax, eax
.text:00AFECBD jnz short loc_AFECD7
.text:00AFECBF mov eax, [esi]
.text:00AFECC1 mov edx, [eax+84h]
.text:00AFECC7 mov ecx, esi
.text:00AFECC9 call edx
.text:00AFECCB test eax, eax
.text:00AFECCD jz short loc_AFECD7
.text:00AFECCF add eax, 0FFFFFFE8h
.text:00AFECD2 pop esi
.text:00AFECD3 pop ebp
.text:00AFECD4 retn 4
.text:00AFECD7 ; ---------------------------------------------------------------------------
.text:00AFECD7
.text:00AFECD7 loc_AFECD7: ; CODE XREF: sub_AFEC90+2Dj
.text:00AFECD7 ; sub_AFEC90+3Dj
.text:00AFECD7 xor eax, eax
.text:00AFECD9 pop esi
.text:00AFECDA pop ebp
.text:00AFECDB retn 4
.text:00AFECDB sub_AFEC90 endp
I would really appreciate it if someone could do a walkthrough in IDA of how to obtain the agent base array and how to traverse the agent list.
Thanks
Edit: Fixed as per http://www.ownedcore.com/forums/mmo/...ml#post2527654 (Some Classes and Functions from 2012.09.09)
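As an added example (not the poster's code), here is a Python model of sub_AFEC90 from the listing above, run over a constructed memory image so the control flow can be stepped through offline: the null check, the two __thiscall virtual calls through the vtable at +0x9C and +0x84, and the final "add eax, -0x18" adjustment. The Image class, the fake code addresses and the sample object layout are assumptions.

```python
# Added example (not from the thread): a Python model of sub_AFEC90 as listed above,
# run against a constructed memory image so the control flow can be checked offline.
# "Image", the fake code addresses and the sample object layout are constructed assumptions.

class Image:
    """Tiny 32-bit memory image: dwords by address, plus fake code addresses -> callables."""
    def __init__(self):
        self.mem = {}     # address -> 32-bit value
        self.funcs = {}   # code address -> python callable(this_ptr) -> eax

    def read32(self, addr):
        return self.mem.get(addr & 0xFFFFFFFF, 0)

    def call(self, code_addr, this_ptr):
        return self.funcs[code_addr](this_ptr) & 0xFFFFFFFF


def sub_AFEC90(img, agent):
    # mov esi,[ebp+arg_0]; test esi,esi; jnz loc_AFECAF -> null check on the single argument
    if agent == 0:
        # push 9Dh / "ChCliContext.cpp" / "agent" / call sub_64E3C0: an assert-style report
        # for source line 0x9D (157). The listing then falls through; modelled here as raising.
        raise AssertionError('ChCliContext.cpp line 157: "agent" is NULL')
    vtable = img.read32(agent)                       # mov eax,[esi]
    # mov edx,[eax+9Ch]; mov ecx,esi; call edx -> __thiscall virtual slot 0x9C/4 = 39
    if img.call(img.read32(vtable + 0x9C), agent) != 0:
        return 0                                     # jnz loc_AFECD7 -> xor eax,eax
    # mov edx,[eax+84h]; mov ecx,esi; call edx -> virtual slot 0x84/4 = 33
    inner = img.call(img.read32(vtable + 0x84), agent)
    if inner == 0:
        return 0                                     # jz loc_AFECD7 -> xor eax,eax
    # add eax,0FFFFFFE8h: eax -= 0x18, i.e. step back 24 bytes from the returned pointer
    return (inner - 0x18) & 0xFFFFFFFF


def build_sample():
    """Constructed agent object at 0x1000 with a vtable at 0x2000 (sample data only)."""
    img = Image()
    img.mem[0x1000] = 0x2000                 # agent->vtable
    img.mem[0x2000 + 0x9C] = 0x3000          # slot 39 -> fake code at 0x3000
    img.mem[0x2000 + 0x84] = 0x3004          # slot 33 -> fake code at 0x3004
    img.funcs[0x3000] = lambda this: 0       # slot 39 returns 0, so the function proceeds
    img.funcs[0x3004] = lambda this: 0x5018  # slot 33 returns a pointer; result is 0x5018-0x18
    return img
```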
2 patches in a row, great. Managed to grab a few things before deciding it's time to go to bed. Hope I can find a few more tomorrow, but this is what I had lying around already from a few days ago.
Credits to everyone who posted in this section, and extra ones to Juju, Kamikaaze & QKdefus as they helped a ton.
-- 4 bytes for all, build 15,623 --
CliContext
CliCharacter Code: Gw2.exe + 011BB464
CliCoreStats Code: [Gw2.exe + 011BB464 + 38]
CliEndurance Code: [[Gw2.exe + 011BB464 + 38] 128]
Level [[[Gw2.exe + 011BB464 + 38] 128] 7C]
EffectiveLevel [[[Gw2.exe + 011BB464 + 38] 128] A0]
Power [[[Gw2.exe + 011BB464 + 38] 128] 84]
Precision [[[Gw2.exe + 011BB464 + 38] 128] 88]
Toughness [[[Gw2.exe + 011BB464 + 38] 128] 8C]
Vitality [[[Gw2.exe + 011BB464 + 38] 128] 90]
CliPlayer Code: [[Gw2.exe + 011BB464 + 38] 14C]
Endurance [[[Gw2.exe + 011BB464 + 38] 14C] 4]
EnduranceMax [[[Gw2.exe + 011BB464 + 38] 14C] 8]
PS: Code: [[Gw2.exe + 011BB464 + 38] 38]
Id [[[Gw2.exe + 011BB464 + 38] 38] 38]
Somehow I missed playername in CliPlayer, thanks again. Trying to get them all myself, so feel free to add missing ones from the TS.
CT-file:
http://www.mediafire.com/?t8b1tcc69t92xyp
Last edited by z0m; 10-02-2012 at 10:18 AM.
z0m,
Thanks so much for posting! Just curious, do you have patterns defined for these offsets?
Thanks!
-Shadow
Sort of, yes, to match the TS:
Code:
.text:0045ACF2 call sub_AD2F30
.text:0045ACF7 mov edx, [eax]
.text:0045ACF9 mov ecx, eax
.text:0045ACFB mov eax, [edx+58h]
.text:0045ACFE push ebx
.text:0045ACFF call eax
.text:0045AD01 mov dword ptr [esi+60h], 1
.text:0045AD08 cmp dword ptr [edi+18h], 2
.text:0045AD0C jnz short loc_45AD4E
.text:0045AD0E call sub_B03FE0
.text:0045AD13 mov edx, [eax]
.text:0045AD15 mov ecx, eax
.text:0045AD17 mov eax, [edx+18h]
.text:0045AD1A call eax
.text:0045AD1C mov [ebp+var_4], eax
.text:0045AD1F test eax, eax
.text:0045AD21 jnz short loc_45AD37
.text:0045AD23 push 14Ah
.text:0045AD28 mov edx, offset a______GameU_10 ; "..\\..\\..\\Game\\Ui\\Scenes\\Gameplay\\GpMous"...
.text:0045AD2D mov ecx, offset aPlayer ; "player"
.text:0045AD32 call sub_64FE90
I could be wrong here, but I noticed something which made the pointers not work.
The majority of the time [Gw2.exe + 011BB464] points to itself and everything is fine, but occasionally it points elsewhere (only seen it on necromancer), and when this happens all of the pointers get messed up. I changed all of the [[Gw2.exe + 011BB464] 38] to be [Gw2.exe + 011BB464 + 38] and everything worked fine for necromancer, so maybe not use [[Gw2.exe + 011BB464] 38] as base for player but use [Gw2.exe + 011BB464 + 38]??
Damn necros necroing pointers? Thanks, and sorry, just never noticed it due to the class I play I guess. I'll edit my post, it makes sense though so thanks again (+).
Last edited by z0m; 10-02-2012 at 10:14 AM.
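An added example (not code from z0m or anyone in the thread) that evaluates the CE-style pointer notation used in the offset lists above over a constructed memory image, and rebuilds the situation just described: "[[Gw2.exe + 011BB464] 38]" and "[Gw2.exe + 011BB464 + 38]" agree only while the static holds its own address. The module base, the memory contents and the demo() layout are assumptions.

```python
# Added example (not from the thread): evaluate CE-style pointer expressions such as
# "[[Gw2.exe + 011BB464 + 38] 128]" over a constructed memory image.
# Module base, memory contents and the demo() layout are constructed assumptions.

MODULES = {"gw2.exe": 0x00400000}   # constructed load address, keyed lower-case

def read32(addr, mem):
    return mem.get(addr & 0xFFFFFFFF, 0)

def evaluate(expr, mem, modules=MODULES):
    """"[X] off" means: read the dword at X, then add hex offset off (0x prefix optional).
    A bare "module + off + off" is address arithmetic only, with no read."""
    expr = expr.strip()
    if not expr.startswith("["):
        parts = [p.strip() for p in expr.split("+")]
        addr = modules[parts[0].lower()]
        for off in parts[1:]:
            addr += int(off, 16)
        return addr & 0xFFFFFFFF
    depth = 0
    for i, ch in enumerate(expr):          # find the bracket that closes the leading "["
        depth += (ch == "[") - (ch == "]")
        if depth == 0:
            break
    if depth != 0:
        raise ValueError("unbalanced brackets: " + expr)
    inner = evaluate(expr[1:i], mem, modules)
    tail = expr[i + 1:].strip().lstrip("+").strip()
    return (read32(inner, mem) + (int(tail, 16) if tail else 0)) & 0xFFFFFFFF

def demo(static_points_to_self):
    """Rebuild the case from the thread: the static at Gw2.exe+011BB464 usually holds
    its own address, but sometimes holds some other pointer (constructed layout)."""
    static = MODULES["gw2.exe"] + 0x011BB464
    mem = {
        static: static if static_points_to_self else 0x7000,
        static + 0x38: 0x8000,      # object pointer stored 0x38 into the static block
        0x7000 + 0x38: 0x9000,      # what "[[static] 38]" reads when the static points elsewhere
        0x8000 + 0x128: 0xA000,     # CliCoreStats-style pointer (constructed)
        0xA000 + 0x7C: 80,          # Level (constructed value)
    }
    via_deref = evaluate("[[Gw2.exe + 011BB464] 38]", mem)
    via_add = evaluate("[Gw2.exe + 011BB464 + 38]", mem)
    level = evaluate("[[[Gw2.exe + 011BB464 + 38] 128] 7C]", mem)
    return via_deref, via_add, level
```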
Thanks, yeah, I am still trying to get my head around most of this; I usually just do CE scans for info and then pointer scans of the results and use those. For example, I have player name at 0x15B6628, which is a static. I am trying to get the classes worked out because the next thing I want to do is get object info from memory, so basically a table of everything around you.
From what I understand the class system is where I will find my answer.
My guess is it's just an idle state? It seems to be connected to the GUI animation, but I'm probably wrong :)
Build 15,674
asContext
GW2.exe + 0x1295130
chCliContext
GW2.exe + 0x12951FC + 0x30
Some random ones that I use in a mini bot:
MoveForwards
GW2.exe + 0x1296A20
MoveBackwards
GW2.exe + 0x1296A24
StrafeLeft
GW2.exe + 0x1296A28
StrafeRight
GW2.exe + 0x1296A2C
TurnLeft
GW2.exe + 0x1296A30
TurnRight
GW2.exe + 0x1296A34
Name
GW2.exe + 0x11C0C28
Loading
[[[[[GW2.exe + 0x11C20D0] 0xC8] 0x4] 0x0] 0x3BC]
As far as heading goes, there are 2 pairs of static addresses that match the ones you get from your agent instance, but they seem to update at different speeds:
GW2.exe + 0x124F1DC
GW2.exe + 0x124F1E0
&
GW2.exe + 0x1296A98
GW2.exe + 0x1296A9C
Last edited by z0m; 10-07-2012 at 09:14 PM.
--edit
Anyone have some information on cooldowns for castbar?
Last edited by dook123; 10-08-2012 at 03:44 PM.
------------------------------
If not me than who?
Go deeper to class SkillBar.
I can tell you the actual text that you see for the time until you can use the skill again is in memory as Unicode text.
So if there are 18 seconds to go, it will be "18" as Unicode text. This isn't the total cooldown for the skill but the actual time left until the skill is off cooldown. When it gets to below 5 seconds it goes into decimal values and is kind of messy.
So what I do is check the value at that address, and if it is 300000H then the skill can be used; if it isn't 300000H then it is on cooldown.
Hope it helps =)