Some Classes and Functions from 2012.09.09 menu

  1. #121 Ankharlyn
    Originally Posted by thisflora:
    Code:
    #include <windows.h>
    #include <string.h>
    
    // Overwrite the first 5+NOPS bytes at 'location' with a jmp rel32 to 'newFunction'.
    // NOPS pads out whatever is left of the last overwritten instruction.
    void Detour(byte* location, byte* newFunction, int NOPS = 0)
    {
    	DWORD dwOldProtection;
    	VirtualProtect(location, 5+NOPS, PAGE_EXECUTE_READWRITE, &dwOldProtection);
    	if( NOPS > 0 )
    		memset((void*)location, 0x90, 5+NOPS);
    	location[0] = 0xE9;                                               // jmp rel32
    	*((DWORD*)(location + 1)) = (DWORD)(newFunction - location) - 5;  // displacement is relative to the end of the 5-byte jmp
    	VirtualProtect(location, 5+NOPS, dwOldProtection, &dwOldProtection);
    }
    That's the function I use when hooking something from a DLL. I guess you can translate that to C#.
    What you basically do is write a jmp (0xE9) to the first byte and the address of your code (gotta be naked) - yourfunc - 5 to the next 4 bytes.
    Since you need 5 bytes for that, you need to NOP x bytes if the overwritten instruction(s) had more than 5 bytes in total.
    You then execute your code + the overwritten one. After that all you gotta do is jump back to yourfunc+x (the number of bytes the overwritten instructions had).

    If you are executing anything that would modify the registers to something that's not planned in the program's schedule you need to save and restore the registers. You can do that by adding a 'pushad' at the start and a 'popad' at the end.

    Since you are doing it in C# you may have to use VirtualAllocEx to allocate memory in the target process and then write your naked code there.


    I'm thinking I'll use something like this

    Code:
                        memory.Asm.Clear();
                        memory.Asm.AddLine("pushad");
                        memory.Asm.AddLine("pushfd");
                        memory.Asm.AddLine("call {0}", 0x00655BB0);
                        memory.Asm.AddLine("mov [{0}], eax", tls_address);
                        memory.Asm.AddLine("popfd");
                        memory.Asm.AddLine("popad");
                        memory.Asm.AddLine("jmp {0}", hook_address + 5);
                        memory.Asm.Inject(codecave);
    
    
                        memory.Asm.Clear();
                        memory.Asm.AddLine("jmp {0}", codecave);
                        memory.Asm.Inject(hook_address);
    Now my question is do I need to preserve the instruction that my jmp is overwriting? Should I just put it in my function there (before pushad/fd)?

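    Added example, not code from either post above: the jmp-rel32 arithmetic that Detour() and the description of it rely on, worked on a plain byte buffer with made-up addresses (HOOK_ADDR, TRAMP_ADDR) so the emitted bytes can be checked without touching a process. The stolen bytes are two constructed instructions, `mov esi,[eax+0Ch]` and `mov eax,[esi]`, which total exactly 5 bytes; a longer stolen run gets NOP padding the same way. In a live hook these bytes would go through VirtualProtect/WriteProcessMemory, which this example deliberately leaves out.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not the thread's code): bytes of an x86-32 "jmp rel32"
 * detour and of the trampoline that re-runs the stolen instructions.
 * All addresses are constructed values, not anything from the game. */

#define JMP_LEN 5                      /* E9 + 4-byte displacement */

/* Store a 32-bit value little-endian, as the CPU reads the rel32. */
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Displacement for an E9 at 'at' that lands on 'target': the thread's
 * (newFunction - location) - 5, i.e. relative to the END of the jmp.
 * Unsigned wrap-around gives the right two's-complement bits for backward jumps. */
uint32_t jmp_rel32(uint32_t at, uint32_t target)
{
    return target - (at + JMP_LEN);
}

/* Overwrite 'stolen_len' bytes of 'code' (the image of the bytes at address
 * 'hook') with a jmp to 'target'; bytes 6..stolen_len become NOPs so no
 * half-instruction is left behind. stolen_len must cover whole instructions. */
int write_detour(uint8_t *code, uint32_t hook, size_t stolen_len, uint32_t target)
{
    if (stolen_len < JMP_LEN) return -1;
    memset(code, 0x90, stolen_len);
    code[0] = 0xE9;
    put_le32(code + 1, jmp_rel32(hook, target));
    return 0;
}

/* Trampoline = stolen instructions + jmp back to hook+stolen_len. The stolen
 * bytes must be position-independent (no rel8/rel32 jumps or calls); this
 * does not re-encode them. Returns the trampoline length or -1 on a small buffer. */
int build_trampoline(uint8_t *out, size_t out_cap, uint32_t tramp_addr,
                     const uint8_t *stolen, size_t stolen_len, uint32_t hook)
{
    if (out_cap < stolen_len + JMP_LEN) return -1;
    memcpy(out, stolen, stolen_len);
    out[stolen_len] = 0xE9;
    put_le32(out + stolen_len + 1,
             jmp_rel32(tramp_addr + (uint32_t)stolen_len, hook + (uint32_t)stolen_len));
    return (int)(stolen_len + JMP_LEN);
}

/* Worked case (constructed): 8B 70 0C = mov esi,[eax+0Ch]; 8B 06 = mov eax,[esi]. */
#define HOOK_ADDR  0x00401000u
#define TRAMP_ADDR 0x00600000u
static const uint8_t STOLEN[5] = { 0x8B, 0x70, 0x0C, 0x8B, 0x06 };

/* Returns 1 when the emitted bytes are what a disassembler should show. */
int detour_example_ok(void)
{
    uint8_t site[5], tramp[16];
    static const uint8_t want_site[5]   = { 0xE9, 0xFB, 0xEF, 0x1F, 0x00 };  /* jmp 0x00600000 */
    static const uint8_t want_tramp[10] = { 0x8B, 0x70, 0x0C, 0x8B, 0x06,
                                            0xE9, 0xFB, 0x0F, 0xE0, 0xFF };  /* jmp 0x00401005 */
    memcpy(site, STOLEN, sizeof site);
    if (write_detour(site, HOOK_ADDR, sizeof STOLEN, TRAMP_ADDR) != 0) return 0;
    if (build_trampoline(tramp, sizeof tramp, TRAMP_ADDR, STOLEN, sizeof STOLEN, HOOK_ADDR) != 10) return 0;
    return memcmp(site, want_site, 5) == 0 && memcmp(tramp, want_tramp, 10) == 0;
}

int main(void)
{
    printf("detour bytes %s\n", detour_example_ok() ? "match" : "MISMATCH");
    return 0;
}
```

    The check worth keeping from this: the backward jump from the trampoline produces 0xFFE00FFB, which is only right because the subtraction is done in uint32_t; doing it in a signed int and then casting, or mixing 64-bit pointers into the arithmetic, is how these patches end up jumping into the void.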
  2. #122 z0m
    Originally Posted by thisflora:
    Code:
    	DWORD pChar = Ptr.ReadDoubleWord(hProcess, 0x16B366C) + 0x38;
    	printf("0x%X\n", pChar);
    	DWORD pAgent = Ptr.ReadDoubleWord(hProcess, pChar + 0x44);
    	printf("0x%X\n", pAgent);
    	float posx = Ptr.ReadFloat(hProcess, pAgent+0x20);
    	printf("%f\n", posx);
    still doesn't work :/
    [screenshot attachment]

    [screenshot attachment]

    Attached file: Position.CT (Cheat Engine table)

  3. #123 thisflora
    Originally Posted by Ankharlyn:
    I'm thinking I'll use something like this

    Code:
                        memory.Asm.Clear();
                        memory.Asm.AddLine("pushad");
                        memory.Asm.AddLine("pushfd");
                        memory.Asm.AddLine("call {0}", 0x00655BB0);
                        memory.Asm.AddLine("mov [{0}], eax", tls_address);
                        memory.Asm.AddLine("popfd");
                        memory.Asm.AddLine("popad");
                        memory.Asm.AddLine("jmp {0}", hook_address + 5);
                        memory.Asm.Inject(codecave);
    
    
                        memory.Asm.Clear();
                        memory.Asm.AddLine("jmp {0}", codecave);
                        memory.Asm.Inject(hook_address);
    Now my question is do I need to preserve the instruction that my jmp is overwriting? Should I just put it in my function there (before pushad/fd)?
    yep, put it there. (ALL the instructions you overwrite with your jmp)

    edit:

    Thanks z0m, looking into it!

    edit2: got it to work, forgot the foundation offset
    Last edited by thisflora; 11-21-2012 at 01:25 PM.

  4. #124 JuJuBoSc
    Originally Posted by thisflora:
    Code:
    	DWORD pChar = Ptr.ReadDoubleWord(hProcess, 0x16B366C) + 0x38;
    	printf("0x%X\n", pChar);
    	DWORD pAgent = Ptr.ReadDoubleWord(hProcess, pChar + 0x44);
    	printf("0x%X\n", pAgent);
    	float posx = Ptr.ReadFloat(hProcess, pAgent+0x20);
    	printf("%f\n", posx);
    still doesn't work :/
    Re-read it when you add the 0x38, and learn how pointers work.

  5. #125 Ankharlyn
    Originally Posted by thisflora:
    yep, put it there. (ALL the instructions you overwrite with your jmp)
    Awesome! I'll be testing it hooking some function later tonight, should be neat.

    Also, glad you got it working, as I didn't have a chance to play with it last night (had to spend time with the gf).

  6. #126 thisflora
    Originally Posted by JuJuBoSc:
    re read it when you add the 0x38, and learn how pointer work..
    lol, thanks. Got it to work with the CE table. I do know how pointers work, but I simply didn't recognize them as pointers, rather than as simple offsets.
    Now that I know these are pointers, I can easily handle them.

  7. #127 Ankharlyn
    Just in case anyone finds this useful, here's what I ended up using for my hook/detour:

    Code:
                        // Snipped initializing BlackMagic (the memory variable) and allocating detour_address and tls_address and setting hook_address.
    
                        // Install our detour first.
                        memory.Asm.Clear();
                        memory.Asm.AddLine("mov esi, [eax+0x0C]"); // Add the code your jump overwrites here.
                        memory.Asm.AddLine("mov eax, [esi]"); // This is 5 bytes so no nops, but more/longer instructions may require them.
                        memory.Asm.AddLine("pushad");
                        memory.Asm.AddLine("pushfd");
                        memory.Asm.AddLine("call {0}", 0x00B27820); // Offset to getCliContext
                        /// This is the golden line here!
                        /// We copy EAX into the value pointed by the 
                        /// address to the 4 bytes of memory we
                        /// allocated for tls_address in the game thread.
                        memory.Asm.AddLine("mov [{0}], eax", tls_address);
                        memory.Asm.AddLine("popfd");
                        memory.Asm.AddLine("popad");
                        memory.Asm.AddLine("jmp {0}", hook_address + 5); // If the code resumes after >5 bytes, account for that.
                        memory.Asm.Inject(detour_address);
    
                        // Install the hook.
                        memory.Asm.Clear();
                        memory.Asm.AddLine("jmp {0}", detour_address);
                        memory.Asm.Inject(hook_address);
    
                        // Uninstall the hook.
                        memory.Asm.Clear();
                        memory.Asm.AddLine("mov esi, [eax+0x0C]");
                        memory.Asm.AddLine("mov eax, [esi]");
                        memory.Asm.Inject(hook_address);
    
                        // Get the TLS index
                        uint temp = memory.ReadUInt(tls_address);
                        byte[] address_bytes = BitConverter.GetBytes(temp);
    
                        uint tls_index = memory.FindPattern(address_bytes, "xxxx") - 0x30;
    For the getCliContext address, I am actually using this to grab it and pass it straight in where the offset (0x00B27820) appears in the above code.

    Code:
    uint get_cli_address = memory.FindPattern(new byte[] { 0xe8, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x30, 0xc3, 0xcc, 0xcc, 0xcc }, "x????xxxxxxx");
    To find the function to hook, I just stepped out of a call to getCliContext into a function that calls it all the time and found an instruction (two in this case) that comprised 5 bytes.

    Really awesome to see your code appear in the disassembly in CheatEngine too.

    Thanks to JuJu, z0m and thisflora for your help
    Last edited by Ankharlyn; 11-22-2012 at 11:57 AM.
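    Added example, not code from the post above: the masked pattern scan that `memory.FindPattern(..., "x????xxxxxxx")` performs, followed by resolution of the rel32 inside the E8 that the match starts with, so the inner call's absolute target falls out as well. The byte image SAMPLE and its load address SAMPLE_ADDR are constructed for this example and are not a dump of the game; the pattern and mask are the ones from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not the thread's BlackMagic code): masked pattern scan plus
 * E8 rel32 resolution. SAMPLE and SAMPLE_ADDR are made up for this example. */

#define NOT_FOUND ((size_t)-1)

/* First offset in buf where pat matches; mask 'x' = byte must match,
 * '?' = wildcard (the "x????xxxxxxx" convention from the post). */
size_t find_pattern(const uint8_t *buf, size_t len, const uint8_t *pat, const char *mask)
{
    size_t plen = strlen(mask);
    if (plen == 0 || plen > len) return NOT_FOUND;
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j = 0;
        while (j < plen && (mask[j] == '?' || buf[i + j] == pat[j])) j++;
        if (j == plen) return i;
    }
    return NOT_FOUND;
}

/* Turn the E8 rel32 at buf[off] into an absolute target: the displacement is
 * relative to the end of the 5-byte call. Returns -1 if it is not an E8. */
int resolve_call(const uint8_t *buf, size_t len, size_t off, uint32_t buf_addr, uint32_t *target)
{
    if (off + 5 > len || buf[off] != 0xE8) return -1;
    uint32_t rel = (uint32_t)buf[off + 1] | ((uint32_t)buf[off + 2] << 8)
                 | ((uint32_t)buf[off + 3] << 16) | ((uint32_t)buf[off + 4] << 24);
    *target = buf_addr + (uint32_t)off + 5 + rel;   /* unsigned wrap handles negative rel */
    return 0;
}

/* Constructed code image. Offset 0 is a decoy (similar tail, no E8, 0x31 not
 * 0x30); the real match sits at 0x10: call <rel>; mov eax,[eax+30h]; ret. */
#define SAMPLE_ADDR 0x00400000u
static const uint8_t SAMPLE[32] = {
    0x55, 0x8B, 0xEC, 0x8B, 0x40, 0x31, 0xC3, 0xCC,      /* 0x00 decoy */
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,      /* 0x08 padding */
    0xE8, 0x1F, 0x12, 0x00, 0x00,                        /* 0x10 call +0x121F */
    0x8B, 0x40, 0x30,                                    /* 0x15 mov eax,[eax+0x30] */
    0xC3, 0xCC, 0xCC, 0xCC,                              /* 0x18 ret; int3 padding */
    0x90, 0x90, 0x90, 0x90                               /* 0x1C */
};
static const uint8_t PAT[12] = { 0xE8, 0, 0, 0, 0, 0x8B, 0x40, 0x30, 0xC3, 0xCC, 0xCC, 0xCC };
static const char    MASK[]  = "x????xxxxxxx";

/* Finds the small wrapper function and the address its inner call reaches. */
static int locate(uint32_t *wrapper, uint32_t *callee)
{
    size_t off = find_pattern(SAMPLE, sizeof SAMPLE, PAT, MASK);
    if (off == NOT_FOUND) return -1;
    *wrapper = SAMPLE_ADDR + (uint32_t)off;
    return resolve_call(SAMPLE, sizeof SAMPLE, off, SAMPLE_ADDR, callee);
}

uint32_t wrapper_addr(void) { uint32_t w, c; return locate(&w, &c) == 0 ? w : 0; }
uint32_t callee_addr(void)  { uint32_t w, c; return locate(&w, &c) == 0 ? c : 0; }

int main(void)
{
    printf("wrapper at 0x%08X, inner call targets 0x%08X\n", wrapper_addr(), callee_addr());
    return 0;
}
```

    Two practical notes: a scan over real module memory should be limited to the executable section (the `.text` range from the PE headers), both for speed and so a match in data or in your own injected code is impossible; and the wildcard bytes are exactly the ones that change between builds, so resolving the rel32 at runtime, as above, is what keeps the pattern stable across patches.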

  8. #128 thisflora
    I'm currently trying to iterate through the CharacterArray, but apparently I'm too dumb.
    I have to say, when using getAgent() on the Character* I get from GetControlledCharacter(), it works flawlessly. So does the position stuff.
    I simply can't figure out why the agent pointer is always the same.

    My Code:
    Code:
    	Agent* Character::getAgent()
    	{
    		return new Agent( ((*(DWORD*)(m_Base))+0x44) );
    	}
    
    	int CharacterContext::GetCharacterArrayCount()
    	{
    		return ( *(int*)( (*(DWORD*)(m_Base)) + 0x1C ) );
    	}
    
    	DWORD CharacterContext::GetCharacterArray()
    	{
    		return ( *(DWORD*)((*(DWORD*)(m_Base))+0x14) );
    	}
    Code:
    	DWORD toRead;
    	Character* c;
    	DWORD address = pClient->GetCharacterArray();
    	int arrayCount = pClient->GetCharacterArrayCount();
    	for(int i = 0; i < arrayCount ; i++)
    	{
    		toRead = *(DWORD*)(address + (i*4));
    		if( toRead != NULL )
    		{
    			c = new Character(toRead);
    			printf("pCharBase: 0x%X\n", c->getBase());
    			printf("pAgentBase: 0x%X\n", c->getAgent()->getBase());
    			printf("pPosBase: 0x%X\n", c->getAgent()->getPosition()->getBase());
    			printf("posx: %.2f\n\n", c->getAgent()->getPosition()->X());
    		}
    	}
    getBase simply returns the pointer. example:
    Code:
    	Character(DWORD pBase)
    	{
    		m_Base = pBase;
    	}
    
    	DWORD getBase()
    	{
    		return m_Base;
    	}
    And a screenshot of the output: https://dl.dropbox.com/u/23323460/idunnowhy.png

    By the way, I was trying to rebuild this in C++:

    Code:
            {
                IntPtr address = CharacterArray;
                int arrayCount = CharacterArrayCount;
                var toReturn = new List<ChCliCharacter>();
                for (int i = 0; i < arrayCount; i++)
                {
                    IntPtr toRead = Memory.Reader.Read<IntPtr>(address + (i*4));
                    if (toRead != (IntPtr) 0)
                        toReturn.Add(new ChCliCharacter(toRead));
                }
                return toReturn;
            }
    I hope someone can help me.
    Thanks in advance, thisFlora.
    Last edited by thisflora; 11-23-2012 at 08:51 AM.

  9. #129 Ankharlyn
    @thisFlora, I've looked over your posted code half a dozen times and I honestly can't see why it'd be doing that. Can you step through the call to getAgent and getBase and make sure the m_Base is correct?

    Also, I'd suggest booting up the C# project and just stepping through and looking at the addresses coming out of getCharacterList or whatever (the one you're translating) and compare with your project.

  10. #130 z0m
    Try
    if( toRead != 0 )

    The value of unused pointers (not every position in the array is being used) is 0, which you want to filter out.

    Here is an example with ReClass: [two screenshots]

    CharacterArray: [screenshot]

    After some scrolling I found these: [screenshot]

    First one: [two screenshots]

    Second one: [two screenshots]

    Third one: [two screenshots]

    You can also clearly see the pointers to the vtables now (and by that how many parent classes ChCliCharacter has).



    edit,
    oh and for completeness, here is the agent + position of the first of the 3 characters...


    And also, try to do as Juju says. About 2 months ago I asked him a really retarded question regarding memory. After following his tips I started to really understand how it all works, rather than just understanding bits of it and a lot of copy pasta.

    And another tip, this is a snippet of a C++ version of the DatContext lib (the C# one):
    Code:
    std::vector<DatContext::ChCliCharacter> DatContext::ChCliContext::GetCharacters()
    {
    	DWORD base = CharacterArrayBase();
    	int arrayCount = CharacterArrayCount();
    	std::vector<DatContext::ChCliCharacter> toReturn;
    	for (int i = 0; i < arrayCount; i++)
    	{
    		DWORD address = m_reader.Read<DWORD>(base + (i * 4));
    		if (address != 0)
    			toReturn.push_back(DatContext::ChCliCharacter(address));
    	}
    	return toReturn;
    }
    compare that to:
    Code:
       public List<ChCliCharacter> GetChCliCharacters()
            {
                IntPtr address = CharacterArray;
                int arrayCount = CharacterArrayCount;
                var toReturn = new List<ChCliCharacter>();
                for (int i = 0; i < arrayCount; i++)
                {
                    IntPtr toRead = Memory.Reader.Read<IntPtr>(address + (i*4));
                    if (toRead != (IntPtr) 0)
                        toReturn.Add(new ChCliCharacter(toRead));
                }
                return toReturn;
            }


    Really try to rely a lot on tools to visualize it for yourself. Seeing it all in ReClass/CheatEngine for example makes it all appear so logical and it will all make sense. Obviously ReClass gives the extra benefit of saving yourself some typing in the future, i.e.:
    Code:
    class ChCliContext;
    class ChCliCharacter;
    class ChCliHealth;
    class CharacterArray;
    class Agent;
    class Position;
    
    class ChCliContext
    {
    public:
    char _0x0000[20];
    	DWORD CharacterArrayPTR; //0x0014 
    char _0x0018[4];
    	__int32 CharacterArrayCount; //0x001C 
    char _0x0020[24];
    	ChCliCharacter* LocalChCliCharacter; //0x0038 
    char _0x003C[88];
    
    };//Size=0x0094
    
    class ChCliCharacter
    {
    public:
    char _0x0000[68];
    	Agent* PointerToAgent; //0x0044 
    char _0x0048[264];
    	ChCliHealth* PointerToChCliHealth; //0x0150 
    char _0x0154[44];
    
    };//Size=0x0180
    
    class ChCliHealth
    {
    public:
    char _0x0000[8];
    	float Health; //0x0008 
    	float HealthMax; //0x000C 
    
    };//Size=0x0010
    
    class Agent
    {
    public:
    char _0x0000[28];
    	Position* PointerToPositionBase; //0x001C 
    char _0x0020[32];
    
    };//Size=0x0040
    
    class Position
    {
    public:
    char _0x0000[32];
    	float X; //0x0020 
    	float Y; //0x0024 
    	float Z; //0x0028 
    char _0x002C[20];
    
    };//Size=0x0040
    The above is the result of the 3 minutes of work I spent on this post.

    Another edit:
    Decided that I might as well use ReClass to dump a few members of some actual classes, just to show you how much easier it becomes when you have classes with the required padding (most of my GW2 stuff is fairly outdated so will have to do them over).

    Code:
    class ChCliContext;
    class ChCliCharacter;
    class ChCliHealth;
    class Agent;
    class ChCliCoreStats;
    class ChCliEndurance;
    class ChCliInventory;
    class ChCliKennel;
    class ChCliProfession;
    class ChCliSkillbar;
    class Position;
    class AsContext;
    class GdCliContext;
    
    class ChCliContext
    {
    public:
    	CHAR _0x0000[20];
    	DWORD m_characterArray; //0x0014 
    	CHAR _0x0018[4];
    	INT m_characterArraySize; //0x001C 
    	CHAR _0x0020[8];
    	DWORD m_playerArray; //0x0028 
    	CHAR _0x002C[4];
    	INT m_playerArraySize; //0x0030 
    	CHAR _0x0034[4];
    	ChCliCharacter* m_localCharacter; //0x0038 
    	CHAR _0x003C[4];
    
    	static ChCliContext* Singleton()
    	{
    		return *(ChCliContext**)0x16B366C;
    	}
    };//Size=0x0040
    
    class ChCliCharacter
    {
    public:
    	CHAR _0x0000[68];
    	Agent* m_agent; //0x0044 
    	INT m_type; //0x0048 
    	CHAR _0x004C[20];
    	INT m_attitudeToLocalCharacter; //0x0060 
    	CHAR _0x0064[4];
    	INT m_isInWater; //0x0068 
    	CHAR _0x006C[44];
    	BYTE m_flags; //0x0098 
    	CHAR _0x0099[7];
    	INT m_healthStatus; //0x00A0 
    	CHAR _0x00A4[132];
    	ChCliCoreStats* m_coreStats; //0x0128 
    	CHAR _0x012C[32];
    	ChCliEndurance* m_endurance; //0x014C 
    	ChCliHealth* m_health; //0x0150 
    	ChCliInventory* m_inventory; //0x0154 
    	ChCliKennel* m_kennel; //0x0158 
    	CHAR _0x015C[40];
    	ChCliProfession* m_profession; //0x0184 
    	ChCliSkillbar* m_skillbar; //0x0188 
    
    };//Size=0x018C
    
    class ChCliHealth
    {
    public:
    	CHAR _0x0000[8];
    	float m_health; //0x0008 
    	float m_healthMax; //0x000C 
    
    };//Size=0x0010
    
    class Agent
    {
    public:
    	CHAR _0x0000[16];
    	INT m_id; //0x0010 
    	CHAR _0x0014[8];
    	Position* m_position; //0x001C 
    
    };//Size=0x0020
    
    class ChCliCoreStats
    {
    public:
    	CHAR _0x0000[41];
    	INT8 m_sex; //0x0029 
    	CHAR _0x002A[90];
    	INT m_level; //0x0084 
    	CHAR _0x0088[4];
    	INT m_power; //0x008C 
    	INT m_precision; //0x0090 
    	INT m_thoughness; //0x0094 
    	INT m_vitality; //0x0098 
    	CHAR _0x009C[16];
    	INT m_effectiveLevel; //0x00AC 
    	INT m_totalExperience; //0x00B0 
    	CHAR _0x00B4[44];
    	INT m_class; //0x00E0 
    
    };//Size=0x00E4
    
    class ChCliEndurance
    {
    public:
    	CHAR _0x0000[4];
    	INT m_endurance; //0x0004 
    	INT m_enduranceMax; //0x0008 
    
    };//Size=0x000C
    
    class ChCliInventory
    {
    public:
    	CHAR _0x0000[80];
    	INT m_money; //0x0050 
    	CHAR _0x0054[24];
    	DWORD m_itemArray; //0x006C 
    	CHAR _0x0070[4];
    	INT m_itemArraySize; //0x0074 
    
    };//Size=0x0078
    
    class ChCliKennel
    {
    public:
    	CHAR _0x0000[20];
    	DWORD m_pet; //0x0014 
    
    };//Size=0x0018
    
    class ChCliProfession
    {
    public:
    	CHAR _0x0000[44];
    	float m_professionPower; //0x002C 
    	float m_professionPowerMax; //0x0030 
    
    };//Size=0x0034
    
    class ChCliSkillbar
    {
    public:
    	CHAR _0x0000[64];
    	INT m_pressedSkillSlot; //0x0040 
    
    };//Size=0x0044
    
    class Position
    {
    public:
    	CHAR _0x0000[32];
    	float m_x; //0x0020 
    	float m_y; //0x0024 
    	float m_z; //0x0028 
    	CHAR _0x002C[196];
    	float m_headingX; //0x00F0 
    	float m_headingY; //0x00F4 
    
    };//Size=0x00F8
    
    class AsContext
    {
    public:
    	CHAR _0x0000[48];
    	INT m_groundTargetCircleVisible; //0x0030 
    	CHAR _0x0034[60];
    	Agent* m_targetAgent1; //0x0070 
    	CHAR _0x0074[8];
    	Agent* m_mouseOverAgent; //0x007C 
    	CHAR _0x0080[4];
    	Agent* m_targetAgent2; //0x0084 
    	CHAR _0x0088[8];
    	Agent* m_targetAgent3; //0x0090 
    	CHAR _0x0094[4];
    	float m_mousePositionFromCenterX; //0x0098 
    	float m_mousePositionFromCenterY; //0x009C 
    	CHAR _0x00A0[8];
    	float UnknownX; //0x00A8 
    	float UnknownY; //0x00AC 
    	float UnknownZ; //0x00B0 
    	CHAR _0x00B4[4];
    	float m_mouseOverX; //0x00B8 
    	float m_mouseOverY; //0x00BC 
    	float m_mouseOverZ; //0x00C0 
    	CHAR _0x00C4[60];
    
    	static AsContext* Singleton()
    	{
    		return (AsContext*)0x16B3570;
    	}
    };//Size=0x0100

    Lulzy dump (C code calling LUA functions, ignore the quick dump code, sample yadi yadi yada):
    Code:
    	ChCliContext* chCliContext = ChCliContext::Singleton();
    	float fHealth = chCliContext->m_localCharacter->m_health->m_health;
    	float fHealthMax = chCliContext->m_localCharacter->m_health->m_healthMax;
    	float fPosX = chCliContext->m_localCharacter->m_agent->m_position->m_x;
    	float fPosY = chCliContext->m_localCharacter->m_agent->m_position->m_y;
    	float fPosZ = chCliContext->m_localCharacter->m_agent->m_position->m_z;
    	float fProfPower = chCliContext->m_localCharacter->m_profession->m_professionPower;
    	float fProfPowerMax = chCliContext->m_localCharacter->m_profession->m_professionPowerMax;
    	char cVal[64];  // 32 was tight: "Position [X]: " plus a wide %f can exceed it, so bound the write
    	snprintf(cVal, sizeof cVal, "Health: %f", fHealth);
    	Log(cVal);
    	snprintf(cVal, sizeof cVal, "HealthMax: %f", fHealthMax);
    	Log(cVal);
    	snprintf(cVal, sizeof cVal, "Prof Power: %f", fProfPower);
    	Log(cVal);
    	snprintf(cVal, sizeof cVal, "Prof Power Max: %f", fProfPowerMax);
    	Log(cVal);
    	snprintf(cVal, sizeof cVal, "Position [X]: %f", fPosX);
    	Log(cVal);
    	snprintf(cVal, sizeof cVal, "Position [Y]: %f", fPosY);
    	Log(cVal);
    	snprintf(cVal, sizeof cVal, "Position [Z]: %f", fPosZ);
    	Log(cVal);


    As you can see you can save yourself from a lot of drama regarding where objects are and all that. I didn't actually check if these pointers were valid, but the game wouldn't really work if my own character had invalid pointers... (you should normally for other players/mobs/gadgets etc). This is where C++ really shines, use it.
    [screenshot attachment: agent + position of the first character]
    Last edited by z0m; 11-24-2012 at 03:23 PM.
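    Added example, not code from thisflora's post (#128) or z0m's (#130): the same walk from the context through the character array down to a Position, using the offsets from the ReClass dump above (0x14/0x1C on ChCliContext, 0x44 on ChCliCharacter, 0x1C on Agent, 0x20 on Position) through a read routine that bounds-checks every access, the way an out-of-process reader like Ptr.ReadDoubleWord has to. The memory image, its base address IMAGE_BASE, the vtable value and the coordinates are all constructed for this example. It also computes both dereference orders side by side: `agent_deref_then_add` mirrors the expression `(*(DWORD*)(m_Base))+0x44` in the getAgent() posted above, while `agent_add_then_deref` reads the member at +0x44 as the dump lists it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not the thread's code). Offsets are from the ReClass dump
 * in this thread; the image, addresses and values are made up. */
#define CTX_CHAR_ARRAY  0x14   /* DWORD m_characterArray     */
#define CTX_CHAR_COUNT  0x1C   /* INT   m_characterArraySize */
#define CHAR_AGENT      0x44   /* Agent* m_agent             */
#define AGENT_POSITION  0x1C   /* Position* m_position       */
#define POS_X           0x20   /* float m_x                  */

#define IMAGE_BASE 0x0E000000u           /* assumed address of the fake image */
#define IMAGE_SIZE 0x1000u
#define CTX_SLOT   (IMAGE_BASE + 0x000)  /* stands in for the static pointer slot */
static uint8_t image[IMAGE_SIZE];
static int image_ready;

static void write_u32(uint32_t addr, uint32_t v)
{
    uint8_t *p = image + (addr - IMAGE_BASE);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t f2u(float f)    { uint32_t u; memcpy(&u, &f, 4); return u; }
static float    u2f(uint32_t u) { float f;    memcpy(&f, &u, 4); return f; }

/* Two characters, two unused (NULL) slots and one dangling slot, as a real array has. */
static void setup_image(void)
{
    const uint32_t B = IMAGE_BASE, VTABLE = 0x01453680u;   /* same fake vtable for both objects */
    memset(image, 0, sizeof image);
    write_u32(CTX_SLOT, B + 0x100);                        /* static slot -> ChCliContext */
    write_u32(B + 0x100 + CTX_CHAR_ARRAY, B + 0x200);      /* context -> array */
    write_u32(B + 0x100 + CTX_CHAR_COUNT, 5);
    write_u32(B + 0x200 + 0,  B + 0x300);                  /* array[0] character A */
    write_u32(B + 0x200 + 4,  0);                          /* array[1] unused */
    write_u32(B + 0x200 + 8,  B + 0x400);                  /* array[2] character B */
    write_u32(B + 0x200 + 12, 0xDEADBEEFu);                /* array[3] dangling, unmapped */
    write_u32(B + 0x200 + 16, 0);                          /* array[4] unused */
    write_u32(B + 0x300, VTABLE); write_u32(B + 0x300 + CHAR_AGENT, B + 0x500);
    write_u32(B + 0x400, VTABLE); write_u32(B + 0x400 + CHAR_AGENT, B + 0x600);
    write_u32(B + 0x500 + AGENT_POSITION, B + 0x700);
    write_u32(B + 0x600 + AGENT_POSITION, B + 0x800);
    write_u32(B + 0x700 + POS_X, f2u(12.5f));
    write_u32(B + 0x800 + POS_X, f2u(-3.25f));
}

/* Refuses anything outside the image instead of faulting: the check you want
 * before trusting a pointer pulled out of another player's or mob's object. */
int read_u32(uint32_t addr, uint32_t *out)
{
    if (!image_ready) { setup_image(); image_ready = 1; }
    if (addr < IMAGE_BASE || addr > IMAGE_BASE + IMAGE_SIZE - 4) return -1;
    const uint8_t *p = image + (addr - IMAGE_BASE);
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/* *(DWORD*)base + 0x44: reads the first DWORD (the vtable pointer) and adds
 * the offset, so every character yields the same number. */
uint32_t agent_deref_then_add(uint32_t char_base)
{ uint32_t v = 0; return read_u32(char_base, &v) == 0 ? v + CHAR_AGENT : 0; }
/* *(DWORD*)(base + 0x44): reads the member at +0x44, the Agent pointer. */
uint32_t agent_add_then_deref(uint32_t char_base)
{ uint32_t v = 0; return read_u32(char_base + CHAR_AGENT, &v) == 0 ? v : 0; }

/* Walks every slot, skipping NULL and unreadable entries; returns how many
 * positions were reached and stores their X for position_x(). */
static float found_x[8];
int walk_positions(void)
{
    uint32_t ctx, arr, count, ch, agent, pos, xbits;
    int n = 0;
    if (read_u32(CTX_SLOT, &ctx) || read_u32(ctx + CTX_CHAR_ARRAY, &arr)
        || read_u32(ctx + CTX_CHAR_COUNT, &count)) return -1;
    for (uint32_t i = 0; i < count && n < 8; i++) {
        if (read_u32(arr + i * 4, &ch) || ch == 0) continue;            /* unused slot */
        if (read_u32(ch + CHAR_AGENT, &agent) || agent == 0) continue;   /* dangling or NULL */
        if (read_u32(agent + AGENT_POSITION, &pos) || pos == 0) continue;
        if (read_u32(pos + POS_X, &xbits)) continue;
        found_x[n++] = u2f(xbits);
    }
    return n;
}
float position_x(int i) { return (i >= 0 && i < 8) ? found_x[i] : 0.0f; }

int main(void)
{
    int n = walk_positions();
    for (int i = 0; i < n; i++) printf("character %d: x = %.2f\n", i, position_x(i));
    return 0;
}
```

    The dangling slot is the reason every step goes through read_u32 rather than a raw cast: injected code that casts an array entry straight to ChCliCharacter* crashes the game the moment the array holds a stale pointer, while the out-of-process reader just reports a failed read and moves on.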

  11. #131 thisflora
    Sorry, I'm entirely brain****ed. I KNOW how memory works. I just don't get the following thing:

    address: ee4c990 | value: 01453680h
    address: ee49d20 | value: 01453680h

    Obviously, this explains why I always had the same result. But it does NOT explain why you get other results than me.
    We almost have the same code; the only thing that's different is the memory reading.
    I don't get why you wouldn't use the standard for reading memory when using C++.
    I have problems recoding that because I don't know what your reading functions do.

  12. #132 z0m
    I'll PM you a tiny project that should help you a bit. Mind you, you would have to be injected for this to work.

    Oh and Ankharlyn,
    you should for real make the language swap
    In C++ you would achieve the same with
    Code:
    typedef DWORD tGetTlsStructure (void);
    tGetTlsStructure* oGetTlsStructure = (tGetTlsStructure*)0x655C50;
    DWORD dTlsStructure = oGetTlsStructure();
    and for smaller projects you should be just fine like that.
    Last edited by z0m; 11-24-2012 at 05:13 PM.

  13. #133 Ankharlyn
    Originally Posted by z0m:
    I'll PM you a tiny project that should help you a bit. Mind you, you would have to be injected for this to work.

    Oh and Ankharlyn,
    you should for real make the language swap
    In C++ you would achieve the same with
    Code:
    typedef DWORD tGetTlsStructure (void);
    tGetTlsStructure* oGetTlsStructure = (tGetTlsStructure*)0x655C50;
    DWORD dTlsStructure = oGetTlsStructure();
    and for smaller projects you should be just fine like that.
    As tempting as that is (and amusingly enough, I'm a C++ programmer by trade and have done game development as a job for several years), I feel like I can use my limited time better in C#, as it's easier to build up functionality without dealing with the minutiae. Plus it gets me more experience with C# which is nice :P That said, it is tempting.

  14. #134 thisflora
    After I finally found some time to actually analyze the character array and UNDERSTAND it, I was able to fix my issues. Thanks to everyone who helped me!

  15. #135 Till034
    Originally Posted by z0m:
    I'll PM you a tiny project that should help you a bit. Mind you, you would have to be injected for this to work.

    Oh and Ankharlyn,
    you should for real make the language swap
    In C++ you would achieve the same with
    Code:
    typedef DWORD tGetTlsStructure (void);
    tGetTlsStructure* oGetTlsStructure = (tGetTlsStructure*)0x655C50;
    DWORD dTlsStructure = oGetTlsStructure();
    and for smaller projects you should be just fine like that.
    Hi

    Where do you call it from? I tried from a DLL I injected into gw2, but it doesn't work because, of course, the function called doesn't find the TlsIndex.
