Some Classes and Functions from 2012.09.09

[Ankharlyn]

The ChCliCoreStats structure changed a bit :

Code:

        // Guild Wars 2 Build 16089
        internal enum ChCliCoreStats : uint
        {
            Sex = 0x29,
            RealLevel = 0x84,
            EffectiveLevel = 0xAC,
            Power = 0x8C,
            Precision = 0x90,
            Thoughness = 0x94,
            Vitality = 0x98,
            TotalExperience = 0xB0,
            Class = 0x1EC,
        }

Thanks

I notice, however, that the CliContext CharacterArray (+ 0x14) seems to be zero for some reason, not sure if it's different now too. I tried locating it in mem but the results were confusing.

[piotr55]

@Piotr, that is a good question and I don't know the answer to it. In that regard I spent some time today investigating it. I updated z0m's DatContext project to use the new offset (set TlsIndex in that project = value of EAX after call to getTLS (CliContext minus 30h)) and it appears to be *sorta* correct, but it looks like some of the values are invalid, so I presume the structures have changed in some way...

thx for that. would be nice if you publish your new DatContext. so i can find my own way into it and the new struct. maybe jujubosc is willing to share a bit of his knowledge.
regards piotr

[z0m]

DatContext.zip

[Ankharlyn]

DatContext.zip

Thanks for that z0m.

Regarding what I mentioned with CharacterArray being zero, that was my own problem (I'd commented it for some reason). Also, this seems to have fixed some issues with the character name offsets, though it still cuts off the last two letters of my character's name. Also, I noticed that places that try to access ChCliPlayer are not working (throws exceptions for some members/doesn't have quite the right offsets it seems).

On another note, can I get you guys to confirm I'm updating TlsIndex and AsContext offsets correctly?

For TlsIndex I'm setting a breakpoint after the call to getTLS in getCliContext and grabbing the value of eax (before the +30h happens). For AsContext I'm doing the same thing but in getAsContext on the retn line.

I seem to get very different TlsIndex offsets than what I've seen here (0x06xxxxxx or 0x07xxxxxx instead of 0x16xxxxxx). That said, they seem to have sort of the right data anyhow.

The help is very much appreciated guys.

Oh I had another question, which is how to find the InGame offset and the Loading offset. I've tried just searching 0/1 when in character select/in game for the InGame offset but didn't turn anything up.

Anyway, I'm going to be posting some of my work on a Trading Post automater (C#) soon, hopefully you guys will find it interesting

[z0m]

for (int i = 0; i < 4*8; i += 2)

Increment it to the right length.

[Ankharlyn]

for (int i = 0; i < 4*8; i += 2)

Increment it to the right length.

Makes sense!

Regarding the problems with ChCliCharacter/Player (I forget which one, maybe both have members that are odd), I'll take a screenshot of debugger and illustrate what I'm talking about.

Thanks!

[z0m]

For AsContext I'm doing the same thing but in getAsContext on the retn line.

You can just open IDA and find it in seconds. Look for the function that was mentioned in the topic start, or search for text

Code:

"..\\..\\..\\Game\\Ui\\Scenes\\Gameplay\\GpMous"...

or bytes:

Code:

.text:0045AFDF 0F 84 84 00 00 00                                               jz      loc_45B069
.text:0045AFE5 E8 76 B5 69 00                                                  call    sub_AF6560
.text:0045AFEA 8B 10                                                           mov     edx, [eax]
.text:0045AFEC 8B C8                                                           mov     ecx, eax
.text:0045AFEE 8B 42 04                                                        mov     eax, [edx+4]
.text:0045AFF1 53                                                              push    ebx
.text:0045AFF2 FF D0                                                           call    eax
.text:0045AFF4 85 C0                                                           test    eax, eax
.text:0045AFF6 74 7F                                                           jz      short loc_45B077
.text:0045AFF8 E8 63 B5 69 00                                                  call    sub_AF6560
.text:0045AFFD 8B 10                                                           mov     edx, [eax]
.text:0045AFFF 8B C8                                                           mov     ecx, eax
.text:0045B001 8B 42 58                                                        mov     eax, [edx+58h]
.text:0045B004 53                                                              push    ebx
.text:0045B005 FF D0                                                           call    eax
.text:0045B007 C7 46 60 01 00 00 00                                            mov     dword ptr [esi+60h], 1
.text:0045B00E 83 7F 18 02                                                     cmp     dword ptr [edi+18h], 2
.text:0045B012 75 63                                                           jnz     short loc_45B077
.text:0045B014 E8 F7 CB 6C 00                                                  call    sub_B27C10
.text:0045B019 8B 10                                                           mov     edx, [eax]
.text:0045B01B 8B C8                                                           mov     ecx, eax
.text:0045B01D 8B 42 1C                                                        mov     eax, [edx+1Ch]
.text:0045B020 FF D0                                                           call    eax
.text:0045B022 8B F8                                                           mov     edi, eax
.text:0045B024 85 FF                                                           test    edi, edi
.text:0045B026 75 14                                                           jnz     short loc_45B03C
.text:0045B028 68 51 02 00 00                                                  push    251h
.text:0045B02D BA 20 6D 21 01                                                  mov     edx, offset a______GameUi_9 ; "..\\..\\..\\Game\\Ui\\Scenes\\Gameplay\\GpMous"...
.text:0045B032 B9 04 1B 21 01                                                  mov     ecx, offset aPlayer ; "player"
.text:0045B037 E8 C4 2C 21 00                                                  call    sub_66DD00

sub_AF6560 ==> GetAsContext
sub_B27C10 ==> GetCliContext

sub_AF6560:

Code:

.text:00AF6560
.text:00AF6560                                                 sub_AF6560      proc near               ; CODE XREF: sub_411440+41p
.text:00AF6560                                                                                         ; .text:00412BE3p ...
.text:00AF6560 B8 70 35 6B 01                                                  mov     eax, offset dword_16B3570
.text:00AF6565 C3                                                              retn
.text:00AF6565                                                 sub_AF6560      endp

dword_16B3570 is what you want, aka GW2.exe + 0x12B3570 at this point.

[Ankharlyn]

Well I have no problem finding them (been using that method after I realized what you were referring to in your earlier post about an easy way to find them all on the first post, as I hadn't noticed it was there at the time), I was just wondering if the TlsIndex is indeed in the eax register after the call to getTLS in the getCliContext sub.

Good to know about AsContext though, I was doing that wrong. Thanks

[z0m]

Never tried it tbh. I usually dumped the addresses with a very small C++ program.

[z0m]

Toyed around a bit to see what it's like to find it with your method.

In the Memory Viewer you go to the address of getCliContext:

Put your breakpoint at the return point:

Get the current value of the EAX register:

Perform a scan for it's value:

And the ChCliContext's address is shown as a static address:

[Ankharlyn]

Toyed around a bit to see what it's like to find it with your method.

In the Memory Viewer you go to the address of getCliContext:

Put your breakpoint at the return point:

Get the current value of the EAX register:

Perform a scan for it's value:

And the ChCliContext's address is shown as a static address:

Ahhh, okay. That makes so much more sense to me now. Thanks a million, man!

[Ankharlyn]

So testing it out now, it all appears to be correct


Any tips on locating InGame and Loading addresses?

[buffygr]

So testing it out now, it all appears to be correct


Any tips on locating InGame and Loading addresses?

search the boolean in CE.

[Ankharlyn]

search the boolean in CE.

I was hoping there was something better/faster. I tried doing it last night for InGame but going between the character screen and loading back in for each search takes forever.

[JuJuBoSc]

Use IDA and diff 2 binary