Some Classes and Functions from 2012.09.09

[JuJuBoSc]

Yeah I noticed that while logging the unpacked packets Will look into it later.
Just trying some basic packet manipulation stuff at the moment. In WoW you could do incredible stuff with fake-packets.

The funny thing is that you just need to change 1 byte in your movement-packets to get an instant teleporter - with an auto sync.

Just have issues with the AddChatMessage function (I looked at 0x00B638B0). If you receive a player message, some pointers with the name and the text are passed. Dunno how the game displays error messages etc. I couldn't trace it yet.

Ho crap you revealed my way

[Ankharlyn]

Hey guys, just wanted to give back a little bit after the excellent help you've all given me in this thread.


GW2 Build 16035:

MoveForwards-Auto: 0x016A5544
MoveForwards: 0x016A5548
MoveBackwards: 0x016A554C
TurnRight: 0x016A555C
TurnLeft: 0x016A5558

getTLS - 0x0064E7E0
getCliContext - 0x00B1C300
getAsContext - 0x00AEAED0

Hopefully those last are right, this is the first time I've looked into getting the new getAsContext.

[Ankharlyn]

Offsets for GW2 Build 16048:

getTLS - 0x0064E7E0 ------> Unchanged!

getCliContext - 0x00B1C2B0
getAsContext - 0x00AEAE80

The movement related offsets from build 16035 are confirmed unchanged as well. Enjoy!

[Ankharlyn]

For GW2 Build 16071:

MoveForwards-Auto: 0x016B4E94
MoveForwards: 0x016AB4E98
MoveBackwards: 0x016B4E9C
TurnRight: 0x016B4EAC
TurnLeft: 0x016AB4EA8

Edit:

getTLS - 0x00655800
getCliContext - 0x00B274A0
getAsContext - 0x00AF5F20

[piotr55]

ida isnt running correctly so i cant reverse getCliContext :/
could someone please tell me the adress for CliContext (16071)

regards piotr

[Ankharlyn]

ida isnt running correctly so i cant reverse getCliContext :/
could someone please tell me the adress for CliContext (16071)

regards piotr

Look at my post above yours :P

[piotr55]

its getCliContext only but how can i get CliContext without ida with it?
regards piotr

[Ankharlyn]

You could do the same thing with CheatEngine. Add the address manually and set a breakpoint, inspect the register.

[piotr55]

You could do the same thing with CheatEngine. Add the address manually and set a breakpoint, inspect the register.

thx, but the breakpoint is never reached :/
regards piotr

[piotr55]

thx, but the breakpoint is never reached :/
regards piotr

would be nice if someone Else could help me out, maybe with a pattern to scan it myself.
regards piotr

[Ankharlyn]

thx, but the breakpoint is never reached :/
regards piotr

Hey man, I just tried it in Cheat Engine, and it works fine for me. 0x06D9BB00 is what I got for CliContext after inspecting the register (with the +30 added).

In any case, the new getCliContext address for build 16084 is 0x00B27C40 now.

1) I went into CheatEngine, selected GW2, clicked the little "Add Address Manually" button on the right above the address table and added 0x00B27C40.

2) Right clicked the address, selected "Browse this memory region".
a) Right click the disassembly and click "Go to address", paste 0x00B27C40 in. The memory region area and the disassembly are *not* the same by the way and don't auto-sync it appears, so be careful you're looking at the right address in the disassembly portion at the top. (It will say GW2.exe+727C40).

3) Set a breakpoint on the call to getTLS which made CheatEngine pop up the dialog asking to attach to the process and start the debugger.

Result: The breakpoint is *immediately* hit, the line turns dark green. Press F8 two times. Look at the right at the list of registers.

I'm not sure how the breakpoint wouldn't be hit if you correctly attached, it's called all the time.


--------------------------
For GW2 Build 16084:

getTLS - 0x00655BC0
getCliContext - 0x00B27C40
getAsContext - 0x00AF65A0

Unchanged:

MoveForwards-Auto: 0x016B4E94
MoveForwards: 0x016AB4E98
MoveBackwards: 0x016B4E9C
TurnRight: 0x016B4EAC
TurnLeft: 0x016AB4EA8

[Ankharlyn]

Did you have any luck getting the breakpoint to work in Cheat Engine, Piotr?

[piotr55]

yes i thnik so, with the new patch 16.089
getCliContext seems to be at B27C25 -> after breakpointing i recieve 064B79C0 from EAX.
But the CliContext should be an adress like 169522C (some patches ago)

i need it to read out player stats like sslisa had done this before:

Code:

function playerstats(_arg1)
	lvl = memoryReadRepeat("intptr", proc, 0x169522C,{0x28,_arg1,0xC,0x128,0x7C})
	adjlvl = memoryReadRepeat("intptr", proc, 0x169522C,{0x28,_arg1,0xC,0x128,0xA0})
	power = memoryReadRepeat("intptr", proc, 0x169522C,{0x28,_arg1,0xC,0x128,0x84})
	precision = memoryReadRepeat("intptr", proc, 0x169522C,{0x28,_arg1,0xC,0x128,0x88})
	toughness = memoryReadRepeat("intptr", proc, 0x169522C,{0x28,_arg1,0xC,0x128,0x8c})
	vitality = memoryReadRepeat("intptr", proc, 0x169522C,{0x28,_arg1,0xC,0x128,0x90})
	X = memoryReadRepeat("floatptr", proc, 0x169522C,{0x28,_arg1,0xC,0x44,0x1C,0x5C,0xB4})
	Y = memoryReadRepeat("floatptr", proc, 0x169522C,{0x28,_arg1,0xC,0x44,0x1C,0x5C,0xB8})
	Z = memoryReadRepeat("floatptr", proc, 0x169522C,{0x28,_arg1,0xC,0x44,0x1C,0x5C,0xBC})
	return lvl, adjlvl, power, precision, toughness, vitality, X, Y, Z
end
function character()
	local proc = getProc()
	size = memoryReadRepeat("intptr", proc, 0x169522C, 0x30)
	print("The size of the array is "..size)
	for i = 1, size-1 do
		if memoryReadRepeat("intptr", proc, 0x169522C,{0x28,i*4}) ~= 0 then
			if memoryReadRepeat("intptr", proc, 0x169522C,{0x28,i*4,0xC}) ~= 0 then
				lvl, adjlvl, power, precision, toughness, vitality, X, Y, Z = playerstats(i*4)
			end
		end
	end
end

[Ankharlyn]

@Piotr, that is a good question and I don't know the answer to it. In that regard I spent some time today investigating it. I updated z0m's DatContext project to use the new offset (set TlsIndex in that project = value of EAX after call to getTLS (CliContext minus 30h)) and it appears to be *sorta* correct, but it looks like some of the values are invalid, so I presume the structures have changed in some way.

I'm not good enough to say how or whatnot but I guess that is the correct address, but the offsets are different as there's more/less data (probably more).

Perhaps JuJuBoSc or someone else can chime in and enlighten us.

[JuJuBoSc]

The ChCliCoreStats structure changed a bit :

Code:

        // Guild Wars 2 Build 16089
        internal enum ChCliCoreStats : uint
        {
            Sex = 0x29,
            RealLevel = 0x84,
            EffectiveLevel = 0xAC,
            Power = 0x8C,
            Precision = 0x90,
            Thoughness = 0x94,
            Vitality = 0x98,
            TotalExperience = 0xB0,
            Class = 0x1EC,
        }