Some Classes and Functions from 2012.09.09

[robhunter]

Code:

        public enum SkillBar : uint
        {
            Slot_1 = 5, // Skill1
            Slot_2 = 6, // Skill2
            Slot_3 = 7, // Skill3
            Slot_4 = 8, // Skill4
            Slot_5 = 9, // Skill5

            Slot_6 = 0, // Healing Skill1
            Slot_7 = 1, // Utility Skill1
            Slot_8 = 2, // Utility Skill2
            Slot_9 = 3, // Utility Skill3
            Slot_10 = 4, // Elite Skill1

            Slot_11 = 10, // ??
            Slot_12 = 11, // ??
            Slot_13 = 12, // F1
            Slot_14 = 13, // F2 
            Slot_15 = 14, // F3
            Slot_16 = 15, // F4
            Slot_17 = 16, // Mining ?
        }

on my ranger 10-15 does nothing, not sure why : )

Hi... I know it sounds so newbie but.. How did you find this? I think with IDA PRO but I'm a bit lost on that tool... -_-"

[KingOfCats]

I know there are a lot of obvious debug strings left in to find functions that interact with various aspects of the game, however I am new to IDA and missing that crucial step to get the info such as agent array.

So for example searching for client context there are a few subroutines that reference the ChCliContext debug string from the data section. This is the first one found when searching:

Code:

.text:00AFEC90 sub_AFEC90      proc near               ; CODE XREF: sub_B0D800+4Ap
.text:00AFEC90                                         ; sub_B15490+A3p ...
.text:00AFEC90
.text:00AFEC90 arg_0           = dword ptr  8
.text:00AFEC90
.text:00AFEC90                 push    ebp
.text:00AFEC91                 mov     ebp, esp
.text:00AFEC93                 push    esi
.text:00AFEC94                 mov     esi, [ebp+arg_0]
.text:00AFEC97                 test    esi, esi
.text:00AFEC99                 jnz     short loc_AFECAF
.text:00AFEC9B                 push    9Dh
.text:00AFECA0                 mov     edx, offset a______GameChar ; "..\\..\\..\\Game\\Char\\Cli\\ChCliContext.cpp"...
.text:00AFECA5                 mov     ecx, offset aAgent ; "agent"
.text:00AFECAA                 call    sub_64E3C0
.text:00AFECAF
.text:00AFECAF loc_AFECAF:                             ; CODE XREF: sub_AFEC90+9j
.text:00AFECAF                 mov     eax, [esi]
.text:00AFECB1                 mov     edx, [eax+9Ch]
.text:00AFECB7                 mov     ecx, esi
.text:00AFECB9                 call    edx
.text:00AFECBB                 test    eax, eax
.text:00AFECBD                 jnz     short loc_AFECD7
.text:00AFECBF                 mov     eax, [esi]
.text:00AFECC1                 mov     edx, [eax+84h]
.text:00AFECC7                 mov     ecx, esi
.text:00AFECC9                 call    edx
.text:00AFECCB                 test    eax, eax
.text:00AFECCD                 jz      short loc_AFECD7
.text:00AFECCF                 add     eax, 0FFFFFFE8h
.text:00AFECD2                 pop     esi
.text:00AFECD3                 pop     ebp
.text:00AFECD4                 retn    4
.text:00AFECD7 ; ---------------------------------------------------------------------------
.text:00AFECD7
.text:00AFECD7 loc_AFECD7:                             ; CODE XREF: sub_AFEC90+2Dj
.text:00AFECD7                                         ; sub_AFEC90+3Dj
.text:00AFECD7                 xor     eax, eax
.text:00AFECD9                 pop     esi
.text:00AFECDA                 pop     ebp
.text:00AFECDB                 retn    4
.text:00AFECDB sub_AFEC90      endp

So obviously the section with the string is the error handling that is ran when the "TEST ESI, ESI" AND LOGIC fails to produce a 1. My question is although this might be because I am not that familiar with IDA yet is how are you abstracting the class formats/pointers from these functions in IDA?

I would really appreciate if someone could do a walk through with IDA how to obtain the agent base array and how to traverse the agent list.

Thanks

[z0m]

Edit: Fixed as per http://www.ownedcore.com/forums/mmo/...ml#post2527654 (Some Classes and Functions from 2012.09.09)

2 patches in a row, great. Managed to grab a few things before deciding it's time to go to bed. Hope I can find a few more tomorrow, but this is what I had lying around already from a few days ago.
Credits to everyone who posted in this section, and extra ones to Juju, Kamikaaze & QKdefus as they helped a ton.

-- 4 bytes for all, build 15,623 --

CliContext

Code:

Gw2.exe + 011BB464

CliCharacter

Code:

[Gw2.exe + 011BB464 + 38]

CliCoreStats

Code:

[[Gw2.exe + 011BB464 + 38] 128]

Level
[[Gw2.exe + 011BB464 + 38] 128] 7C]

EffectiveLevel
[[[Gw2.exe + 011BB464 + 38] 128] A0]

Power
[[[Gw2.exe + 011BB464 + 38] 128] 84]

Precision
[[[Gw2.exe + 011BB464 + 38] 128] 88]

Thoughness
[[[Gw2.exe + 011BB464 + 38] 128] 8C]

Vitality
[[[Gw2.exe + 011BB464 + 38] 128] 90]

CliEndurance

Code:

[[Gw2.exe + 011BB464 + 38] 14C]

Endurance
[[[Gw2.exe + 011BB464 + 38] 14C] 4]

EnduranceMax
[[[Gw2.exe + 011BB464 + 38] 14C] 8]

CliPlayer

Code:

[[Gw2.exe + 011BB464 + 38] 38] 

Id
[[[Gw2.exe + 011BB464 + 38] 38] 38]

PS:
Somehow I missed playername in CliPlayer, thanks, again. Trying to get them all myself, so feel free to add missing ones from the TS .

CT-file:
http://www.mediafire.com/?t8b1tcc69t92xyp

[Shadowhunter12]

z0m,

Thank so much for posting! Just curious, do you have patterns defined for these offsets?

Thanks!

-Shadow

[z0m]

Thank so much for posting! Just curious, do you have patterns defined for these offsets?

Sort of yes, to match the TS:

Code:

.text:0045ACF2                 call    sub_AD2F30
.text:0045ACF7                 mov     edx, [eax]
.text:0045ACF9                 mov     ecx, eax
.text:0045ACFB                 mov     eax, [edx+58h]
.text:0045ACFE                 push    ebx
.text:0045ACFF                 call    eax
.text:0045AD01                 mov     dword ptr [esi+60h], 1
.text:0045AD08                 cmp     dword ptr [edi+18h], 2
.text:0045AD0C                 jnz     short loc_45AD4E
.text:0045AD0E                 call    sub_B03FE0
.text:0045AD13                 mov     edx, [eax]
.text:0045AD15                 mov     ecx, eax
.text:0045AD17                 mov     eax, [edx+18h]
.text:0045AD1A                 call    eax
.text:0045AD1C                 mov     [ebp+var_4], eax
.text:0045AD1F                 test    eax, eax
.text:0045AD21                 jnz     short loc_45AD37
.text:0045AD23                 push    14Ah
.text:0045AD28                 mov     edx, offset a______GameU_10 ; "..\\..\\..\\Game\\Ui\\Scenes\\Gameplay\\GpMous"...
.text:0045AD2D                 mov     ecx, offset aPlayer ; "player"
.text:0045AD32                 call    sub_64FE90

[SSlisa]

2 patches in a row, great. Managed to grab a few things before deciding it's time to go to bed. Hope I can find a few more tomorrow, but this is what I had lying around already from a few days ago.
Credits to everyone who posted in this section, and extra ones to Juju, Kamikaaze & QKdefus as they helped a ton.

PS:
Somehow I missed playername in CliPlayer, thanks, again. Trying to get them all myself, so feel free to add missing ones from the TS .

CT-file:
GW2 15623 MiniDump.CT

I could be wrong here but I noticed something which made the pointers not work.

Majority of the time [Gw2.exe + 011BB464] points to itself and everything is fine but occasionally it points elsewhere (only seen it on necromancer) and when this happens all of the pointers get messed up. I changed all of the [[Gw2.exe + 011BB464] 38] to be [Gw2.exe + 011BB464 + 38] and everything worked fine for necromancer, so maybe not use the [[Gw2.exe + 011BB464] 38]as base for player but use [Gw2.exe + 011BB464 + 38] ??

[z0m]

Damn necros necroing pointers? Thanks, and sorry, just never noticed it due to the class I play I guess. I'll edit my post, it makes sense though so thanks again (+).

[SSlisa]

Damn necros necroing pointers? Thanks, and sorry, just never noticed it due to the class I play I guess. I'll edit my post, it makes sense though so thanks again (+).

Thanks, yeah I am still trying to get my head around most of this, I usually just do CE scans for info and then pointer scans of the results and use those. Like for example I have player name at 0x15B6628 which is a static. I am trying to get the classes worked out because the next thing I want to do is get object info from memory, so basically a table of everything around you.
From what I understand the class system is where I will find my answer.

[z0m]

public enum SkillBar : uint

Does the 17 (no input on InputPressedSkillbarSlot) refer to anything at all? Or just a placeholder as it's the first one outside the skillbar consts.
Hope someone understands my terribly formed question.

[QKdefus]

my guess its just a idle state ? it seems to be connected to the gui animation, but im probably wrong : )

[z0m]

Build 15,674
asContext
GW2.exe + 0x1295130
chCliContext
GW2.exe + 0x12951FC + 0x30

Some random ones that I use in a mini bot:

MoveForwards
GW2.exe + 0x1296A20
MoveBackwards
GW2.exe + 0x1296A24
StrafeLeft
GW2.exe + 0x1296A28
StrafeRight
GW2.exe + 0x1296A2C
TurnLeft
GW2.exe + 0x1296A30
TurnRight
GW2.exe + 0x1296A34

Name
GW2.exe + 0x11C0C28
Loading
[[[[[GW2.exe + 0x11C20D0] 0xC8] 0x4] 0x0] 0x3BC]

As far as heading goes, there are 2 pairs of static addresses that match the ones you get from your agent instance, but they seem to update at different speeds,
GW2.exe + 0x124F1DC
GW2.exe + 0x124F1E0
&
GW2.exe + 0x1296A98
GW2.exe + 0x1296A9C

[dook123]

--edit
Anyone have some information on cooldowns for castbar?

[ValvePro]

Go deeper to class SkillBar.

[SSlisa]

--edit
Anyone have some information on cooldowns for castbar?

I can tell you the actual text that you see for the time until you can use skill again is in memory as Unicode Text.
So if 18 seconds to go then it will be 18 as text Unicode. This isn't the total cooldown for the skill but the actual time left until skill is off cooldown. When it gets to below 5 seconds it goes into decimal values and is kind of messy.
So what I do is check the value for that address and if it is 300000H then the skill can be used, if it isn't the 300000H then it is on cooldown.

Hope it helps =)

[Zynes]

--edit
Anyone have some information on cooldowns for castbar?

class Skillbar
{
public:
/* 0x03C */ virtual bool IsRecharchingSpell( uint32 slot ); //true = cooldown
};