#define EncryptPacket 0x00A69B50
#define NetworkClass 0x015D0754
Last edited by Midi12; 10-24-2012 at 07:13 AM.
So I wanted to give finding the getClientContext a chance, I think I found it at
getCliContext: 0x64E4C0
for build 15,873
Can anyone confirm that's right?
Last edited by Ankharlyn; 10-27-2012 at 03:08 AM.
00B1C7B0 GetChCliContext - 15873
Why use this:
Code:
.text:00B1C7B0 ; =============== S U B R O U T I N E =======================================
.text:00B1C7B0
.text:00B1C7B0
.text:00B1C7B0 sub_B1C7B0 proc near ; CODE XREF: sub_40F700+15p
.text:00B1C7B0 ; sub_412B20:loc_412B79p ...
.text:00B1C7B0 call getCliContext
.text:00B1C7B5 mov eax, [eax+30h]
.text:00B1C7B8 retn
.text:00B1C7B8 sub_B1C7B0 endp
.text:00B1C7B8
.text:00B1C7B8 ; ---------------------------------------------------------------------------
vs this:
Code:
.text:0064E4C0 ; =============== S U B R O U T I N E =======================================
.text:0064E4C0
.text:0064E4C0
.text:0064E4C0 getCliContext proc near ; CODE XREF: sub_43F480p
.text:0064E4C0 ; sub_43F510+71p ...
.text:0064E4C0 mov eax, TlsIndex
.text:0064E4C5 mov ecx, large fs:2Ch
.text:0064E4CC mov edx, [ecx+eax*4]
.text:0064E4CF mov eax, [edx+4]
.text:0064E4D5 retn
.text:0064E4D5 getCliContext endp
.text:0064E4D5
.text:0064E4D5 ; ---------------------------------------------------------------------------
?
Edit: At first I thought I was going crazy when you posted that JuJu, until I went and looked at the addy.
ChCliContext is stored in the Thread Local Storage at 0x30, 64E4C0 (which you named wrong) is to get the TLS, and B1C7B0 to get the ChCliContext.
15873
All names are guessed. Image base already added.
Code:
00A69E40 EnDecryptPacket
004064A0 GetNetworkClassPtr
00A67700 PutPacketQueue
00A7A540 PutPacketQueueCallProxy
00A7DF50 SendMoveStart
00A7C790 SendMoveJump
00A7E110 SendMoveTurn
00B63C30 AddChatMessage
00B62010 SendChatInput
Last edited by Cen01; 10-27-2012 at 12:21 PM.
So I'm interested in updating the DatContext source that z0m posted earlier in the thread. Any tips/pointers on finding the addresses for these:
Code:
public static readonly int AsContext = 0x1295130;
public static readonly int InGame = 0x11BB728;
public static readonly int Loading = 0x12969AC;
public static readonly int Target = 0x128A930;
and these:
Code:
public static readonly int HeadingX = 0x1296A98;
public static readonly int HeadingY = 0x1296A9C;
public static readonly int MoveForwards = 0x1296A20;
public static readonly int MoveBackwards = 0x1296A24;
public static readonly int TurnLeft = 0x1296A30;
public static readonly int TurnRight = 0x1296A34;
I'm not asking for the updated offsets themselves, but any relevant info/pointers in the right direction would be much appreciated!
You can find the offset for AsContext really easily if you have getClientContext. You can find a function that is called very often in a thread and that has both of them in the topic start of this thread. If you can't find it --> 55 8B EC 83 EC 44 53 56 8B F1 57 8B 7D 08
As for the others: finding them the first time using IDA will take you more time than finding them with CheatEngine, as they're all really easy to find by looking for MoveForwards (1 when auto-walk is on) and then just keep scanning 0/1 till you find a proper static address. The other ones are "right next to it". After that make a pattern for them.
Kinda got bored and moved on to BF3 hacking... people even play GW2 still?
Edit:
Oh and another option is using patterns to find the UI base, Lisa does it that way. That also gives you target/heading/moving, but same deal there: if you find them yourself in CheatEngine, you won't need someone else's pattern.
Last edited by z0m; 11-07-2012 at 10:21 AM.
Thanks z0m, just what I needed. I figured as much about AsContext, and I've got getCliContext down in terms of updating the offset. The tips about the movement offsets are gold, I didn't even think about using Cheat Engine for some reason.
I'm not doing much with GW2 atm, here's a small function diff maybe it helps someone...
15977
We need moar function names
Code:
004065F0 GetNetworkClassPtr // used for the encrypt function
00B1C2A0 GetCliContext
00AEAE70 GetAsContext
00B1CC90 GetControlledCharacter
00B2AA90 Character::GetPlayer
00B32150 Character::IsAlive
00B32180 Character::IsDowned
00B321E0 Character::IsInWater
00B32240 Character::IsPlayer
00BF0430 Character::GetAgent
00B1C270 GetPlayerFromListById
00A66D50 Msg::DispatchStream
00A68420 Msg::GetPacketHandler
00A69C20 DeEncryptPacket
00A674E0 PutPacketQueue
00A7A140 PutPacketQueueCallProxy
00B61BD0 ProcessChatInput
00B658C0 PH_ChatMessage // packethandler for 0x133
00A7C390 SendMoveJump
00A7DB50 SendMoveStart
00A7DD10 SendMoveTurn
The PutPacketQueue function requires the unpacked packet buffer.
For example:
Code:
if (FMover.SetPosition(Position)) then
begin
  p := TGW2Packet.Create(28);
  p.PutUInt16($0D);
  p.PutUInt32(dwTiming);
  p.PutUInt32(dwTiming);
  p.PutVec3(Position);
  p.PutUInt32(0);
  p.PutUInt16(0);
  p.Send();
  p.Free();
end;

// send call
asm
  push pBuf
  mov eax, $00A67BF0
  call eax
  mov edx, $1C // unpacked size
  mov ecx, eax
  mov eax, $00A674E0
  call eax
end;
After you called it gw packs, encrypts and sends the packet for you.
Last edited by Cen01; 11-09-2012 at 08:23 AM.
Not sure if you noticed, but when using 00A674E0 for sending a packet, when a string is involved you have to pass a string pointer, which is weird.
Yeah I noticed that while logging the unpacked packets. Will look into it later.
Just trying some basic packet manipulation stuff at the moment. In WoW you could do incredible stuff with fake-packets.
The funny thing is that you just need to change 1 byte in your movement-packets to get an instant teleporter - with an auto sync.
Just have issues with the AddChatMessage function (I looked at 0x00B638B0). If you receive a player message, some pointers with the name and the text are passed. Dunno how the game displays error messages etc. I couldn't trace it yet, they use the same function though.
edit: nvm, got it. didn't look deep enough!
Last edited by Cen01; 11-09-2012 at 08:48 PM.