Some Classes and Functions from 2012.09.09 menu

  1. #61
    Midi12 (Contributor)
    #define EncryptPacket 0x00A69B50
    #define NetworkClass 0x015D0754
    Last edited by Midi12; 10-24-2012 at 07:13 AM.

  2. #62
    Ankharlyn (Sergeant)
    So I wanted to give finding getClientContext a chance; I think I found it at

    getCliContext: 0x64E4C0

    for build 15,873

    Can anyone confirm that's right?
    Last edited by Ankharlyn; 10-27-2012 at 03:08 AM.

  3. #63
    JuJuBoSc (Banned for scamming, CoreCoins Purchaser)
    00B1C7B0 GetChCliContext - 15873

  4. #64
    Ankharlyn (Sergeant)
    Originally Posted by JuJuBoSc:
    00B1C7B0 GetChCliContext - 15873
    Why use this:

    Code:
    .text:00B1C7B0   ; =============== S U B R O U T I N E =======================================
    .text:00B1C7B0
    .text:00B1C7B0
    .text:00B1C7B0   sub_B1C7B0      proc near               ; CODE XREF: sub_40F700+15p
    .text:00B1C7B0                                                         ; sub_412B20:loc_412B79p ...
    .text:00B1C7B0                   call    getCliContext
    .text:00B1C7B5                   mov     eax, [eax+30h]
    .text:00B1C7B8                   retn
    .text:00B1C7B8   sub_B1C7B0      endp
    .text:00B1C7B8
    .text:00B1C7B8   ; ---------------------------------------------------------------------------
    vs this:

    Code:
    .text:0064E4C0   ; =============== S U B R O U T I N E =======================================
    .text:0064E4C0
    .text:0064E4C0
    .text:0064E4C0   getCliContext   proc near               ; CODE XREF: sub_43F480p
    .text:0064E4C0                                           ; sub_43F510+71p ...
    .text:0064E4C0                   mov     eax, TlsIndex
    .text:0064E4C5                   mov     ecx, large fs:2Ch
    .text:0064E4CC                   mov     edx, [ecx+eax*4]
    .text:0064E4CF                   mov     eax, [edx+4]
    .text:0064E4D5                   retn
    .text:0064E4D5   getCliContext   endp
    .text:0064E4D5
    .text:0064E4D5   ; ---------------------------------------------------------------------------
    ?

    Edit: At first I thought I was going crazy when you posted that JuJu, until I went and looked at the addy.

  5. #65
    JuJuBoSc (Banned for scamming, CoreCoins Purchaser)
    ChCliContext is stored in the Thread Local Storage at 0x30; 64E4C0 (which you named wrong) is to get the TLS, and B1C7B0 to get the ChCliContext.
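As an added example, not code from the thread: the pointer chain the two listings above walk, written in C over a constructed memory image so it runs without the client. On 32-bit Windows fs:[2Ch] is the TEB's ThreadLocalStoragePointer, the slot at TlsIndex is the module's per-thread block (what TlsGetValue returns), +4 of that block holds the client context, and +0x30 of the context holds ChCliContext. All addresses and the TlsIndex value are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed 32-bit address space for the example: a flat byte array. */
#define MEM_SIZE 0x1000
static uint8_t mem[MEM_SIZE];
/* Made-up addresses for this example; none of them are client offsets. */
#define TEB_BASE       0x0100  /* what fs:[0] points at on 32-bit Windows */
#define TLS_ARRAY      0x0200  /* TEB.ThreadLocalStoragePointer target   */
#define TLS_BLOCK      0x0300  /* this thread's TLS block for the module  */
#define CLI_CONTEXT    0x0400  /* what getCliContext (64E4C0) returns     */
#define CH_CLI_CONTEXT 0x0500  /* what GetChCliContext (B1C7B0) returns   */
#define TLS_INDEX      3       /* stands in for the global TlsIndex       */
/* Bounds-checked 32-bit read; an unmapped address reports failure. */
static int read32(uint32_t addr, uint32_t *out) {
    if (addr > MEM_SIZE - 4) return 0;
    memcpy(out, mem + addr, 4);
    return 1;
}
static void write32(uint32_t addr, uint32_t v) { memcpy(mem + addr, &v, 4); }
/* 64E4C0: mov eax,TlsIndex ; mov ecx,fs:[2Ch] ; mov edx,[ecx+eax*4] ; mov eax,[edx+4] */
uint32_t get_cli_context(uint32_t teb, uint32_t tls_index) {
    uint32_t tls_array, tls_block, ctx;
    if (!read32(teb + 0x2C, &tls_array)) return 0;                /* fs:[2Ch]    */
    if (!read32(tls_array + tls_index * 4, &tls_block)) return 0; /* TlsGetValue */
    if (!read32(tls_block + 4, &ctx)) return 0;                   /* [edx+4]     */
    return ctx;
}
/* B1C7B0: call getCliContext ; mov eax,[eax+30h] */
uint32_t get_chcli_context(uint32_t teb, uint32_t tls_index) {
    uint32_t ctx = get_cli_context(teb, tls_index), chcli;
    if (ctx == 0 || !read32(ctx + 0x30, &chcli)) return 0;
    return chcli;
}
/* Lay out the constructed image the way a live process would link it. */
void setup_fake_process(void) {
    memset(mem, 0, sizeof mem);
    write32(TEB_BASE + 0x2C, TLS_ARRAY);
    write32(TLS_ARRAY + TLS_INDEX * 4, TLS_BLOCK);
    write32(TLS_BLOCK + 4, CLI_CONTEXT);
    write32(CLI_CONTEXT + 0x30, CH_CLI_CONTEXT);
}
int main(void) {
    setup_fake_process();
    printf("getCliContext=0x%08X GetChCliContext=0x%08X\n",
           get_cli_context(TEB_BASE, TLS_INDEX), get_chcli_context(TEB_BASE, TLS_INDEX));
    return 0;
}
```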

  6. #66
    Ankharlyn (Sergeant)
    Thanks for the clarification JuJu. I guess I got mixed up due to the naming of the function by Kamikaaze on the first page (quoted below), causing me to think that it was getCliContext.

    Originally Posted by Kamikaaze:

    --snip--

    Functions:

    getClientContext():
    Code:
    .text:00636800 getCliContext   proc near               ; CODE XREF: sub_43E900p
    .text:00636800                                         ; sub_43E910+71p ...
    .text:00636800                 mov     eax, TlsIndex
    .text:00636805                 mov     ecx, large fs:2Ch
    .text:0063680C                 mov     edx, [ecx+eax*4]
    .text:0063680F                 mov     eax, [edx+4]
    .text:00636815                 retn
    .text:00636815 getCliContext   endp

  7. #67
    Cen01 (Banned)
    15873

    All names are guessed. Image base already added.

    Code:
    00A69E40 EnDecryptPacket
    004064A0 GetNetworkClassPtr
    00A67700 PutPacketQueue
    00A7A540 PutPacketQueueCallProxy
    00A7DF50 SendMoveStart
    00A7C790 SendMoveJump
    00A7E110 SendMoveTurn
    00B63C30 AddChatMessage
    00B62010 SendChatInput
    Last edited by Cen01; 10-27-2012 at 12:21 PM.

  8. #68
    KingOfCats (Private)
    Originally Posted by Ankharlyn:
    Why use this:

    Code:
    .text:00B1C7B0   ; =============== S U B R O U T I N E =======================================
    .text:00B1C7B0
    .text:00B1C7B0
    .text:00B1C7B0   sub_B1C7B0      proc near               ; CODE XREF: sub_40F700+15p
    .text:00B1C7B0                                                         ; sub_412B20:loc_412B79p ...
    .text:00B1C7B0                   call    getCliContext
    .text:00B1C7B5                   mov     eax, [eax+30h]
    .text:00B1C7B8                   retn
    .text:00B1C7B8   sub_B1C7B0      endp
    .text:00B1C7B8
    .text:00B1C7B8   ; ---------------------------------------------------------------------------
    So if I understand this correctly, the ChCliContext is in the EAX register after the call at 00B1C7B0. So from there I am assuming you guys are then setting a breakpoint in IDA and running GW2 to actually get the address?

  9. #69
    JuJuBoSc (Banned for scamming, CoreCoins Purchaser)
    Originally Posted by KingOfCats:
    So if I understand this correctly, the ChCliContext is in the EAX register after the call at 00B1C7B0. So from there I am assuming you guys are then setting a breakpoint in IDA and running GW2 to actually get the address?
    Or reverse it to read it, or call it with your program from the game engine.

  10. #70
    Ankharlyn (Sergeant)
    So I'm interested in updating the DatContext source that z0m posted earlier in the thread. Any tips/pointers on finding the addresses for these:

    Code:
            public static readonly int AsContext = 0x1295130;
            public static readonly int InGame = 0x11BB728;
            public static readonly int Loading = 0x12969AC;
            public static readonly int Target = 0x128A930;
    and these

    Code:
                public static readonly int HeadingX = 0x1296A98;
                public static readonly int HeadingY = 0x1296A9C;
                public static readonly int MoveForwards = 0x1296A20;
                public static readonly int MoveBackwards = 0x1296A24;
                public static readonly int TurnLeft = 0x1296A30;
                public static readonly int TurnRight = 0x1296A34;
    I'm not asking for the updated offsets themselves, but any relevant info/pointers in the right direction would be much appreciated!

  11. #71
    z0m (Banned, CoreCoins Purchaser)
    You can find the offset for AsContext really easily if you have getClientContext. You can find a function that is called very often in a thread and that has both of them in the topic start of this thread. If you can't find it --> 55 8B EC 83 EC 44 53 56 8B F1 57 8B 7D 08
    As for the others: finding them the first time using IDA will take you more time than finding them with CheatEngine, as they're all really easy to find by looking for MoveForwards (1 when auto-walk is on) and then just keep scanning 0/1 till you find a proper static address. The other ones are "right next to it". After that, make a pattern for them.

    Kinda got bored and moved on to BF3 hacking... do people even play GW2 still?

    Edit:
    Oh and another option is using patterns to find the UI base, Lisa does it that way. That also gives you target/heading/moving, but same deal there: if you find them yourself in CheatEngine, you won't need someone else's pattern.
    Last edited by z0m; 11-07-2012 at 10:21 AM.

  12. #72
    Ankharlyn (Sergeant)
    Thanks z0m, just what I needed. I figured as much about AsContext, and I've got getCliContext down in terms of updating the offset. The tips about the movement offsets are gold, I didn't even think about using Cheat Engine for some reason.

  13. #73
    Cen01 (Banned)
    I'm not doing much with GW2 atm; here's a small function diff, maybe it helps someone...

    15977

    Code:
    004065F0 GetNetworkClassPtr // used for the encrypt function
    00B1C2A0 GetCliContext
    00AEAE70 GetAsContext
    00B1CC90 GetControlledCharacter
    00B2AA90 Character::GetPlayer
    00B32150 Character::IsAlive
    00B32180 Character::IsDowned
    00B321E0 Character::IsInWater
    00B32240 Character::IsPlayer
    00BF0430 Character::GetAgent
    00B1C270 GetPlayerFromListById
    00A66D50 Msg::DispatchStream
    00A68420 Msg::GetPacketHandler
    00A69C20 DeEncryptPacket
    00A674E0 PutPacketQueue
    00A7A140 PutPacketQueueCallProxy
    00B61BD0 ProcessChatInput
    00B658C0 PH_ChatMessage // packethandler for 0x133
    00A7C390 SendMoveJump
    00A7DB50 SendMoveStart
    00A7DD10 SendMoveTurn
    We need moar function names

    The PutPacketQueue function requires the unpacked packet buffer.
    For example:

    Code:
      if (FMover.SetPosition(Position)) then
      begin
        p := TGW2Packet.Create(28);
        p.PutUInt16($0D);
        p.PutUInt32(dwTiming);
        p.PutUInt32(dwTiming);
        p.PutVec3(Position);
        p.PutUInt32(0);
        p.PutUInt16(0);
        p.Send();
        p.Free();
      end;
    
      // send call
    
      asm
        push pBuf
        mov eax, $00A67BF0
        call eax
        mov edx, $1C // unpacked size
        mov ecx, eax
        mov eax, $00A674E0
        call eax
      end;
    After you call it, GW packs, encrypts and sends the packet for you.
    Last edited by Cen01; 11-09-2012 at 08:23 AM.

  14. #74
    JuJuBoSc (Banned for scamming, CoreCoins Purchaser)
    Not sure if you noticed, but when using 00A674E0 to send a packet and a string is involved, you have to pass a string pointer, which is weird.

  15. #75
    Cen01 (Banned)
    Originally Posted by JuJuBoSc:
    Not sure if you noticed, but when using 00A674E0 to send a packet and a string is involved, you have to pass a string pointer, which is weird.
    Yeah, I noticed that while logging the unpacked packets. Will look into it later.
    Just trying some basic packet manipulation stuff at the moment. In WoW you could do incredible stuff with fake packets.

    The funny thing is that you just need to change 1 byte in your movement-packets to get an instant teleporter - with an auto sync.

    Just having issues with the AddChatMessage function (I looked at 0x00B638B0). If you receive a player message, some pointers with the name and the text are passed. Dunno how the game displays error messages etc. I couldn't trace it yet; they use the same function though.

    Edit: nvm, got it. Didn't look deep enough!
    Last edited by Cen01; 11-09-2012 at 08:48 PM.
