Removing entitystructure "encryption" menu

  1. #1 netvortex, Member

    Removing entitystructure "encryption"

    Well, I personally wouldn't call it "encryption", but it seems with the latest patch they tried to obfuscate the entity structures of WAR a bit to make it harder for the average Joe to find data...

    Most of the functions now use XOR with a hard-coded value to read and store data...

    Currently that value is 0x348F4ACD; as it's hard-coded into the function, this value won't change (at least until the next patch). So simply XOR the value with it again and you've got the real value...

  2. #2 Timmytimmelson, Member
    From what I have written down, the important attributes that are XOR'd are x, y, z, HP %, and rotation. GUID, level, and type are not?
    Hopefully that helps people who are searching through the memory.

  3. #3 PharmerPhale, Member
    +Rep to both for the info.

    Is this contained within the Entity Structure, or have you discovered other locations that are "XOR'd"?

  4. #4 Timmytimmelson, Member
    HansW is a lot more knowledgeable on what Mythic has been changing around with the various structs, but I know at least that most (or all) of the player class attributes seem to be un-"protected".

  5. #5 HansW, Active Member
    Originally Posted by Timmytimmelson
    HansW is a lot more knowledgeable on what Mythic has been changing around with the various structs, but I know at least that most (or all) of the player class attributes seem to be un-"protected".
    To the best of my knowledge, that is correct. The Player was changed a bit, but has no XOR'ed values. Every Entity Type (Player, Monster, Static, Platform, ...) has its own structure. Most of them are based on the same base class, so the first 230-something bytes are the same. I've not seen anything else XOR'ed in the client so far. Why do you ask, PharmerPhale?

  6. #6 PharmerPhale, Member
    Oh, I was having some issues reading parts of the player structure, but it's sorted now and had nothing to do with XOR.

  7. #7 Timmytimmelson, Member
    Updates on entity-related topics as I stumble through them (not like it's anything new from last patch). It seems like all of the relevant entity data is contained in the lists pointed to by 0x00D3D2C8 and 0x00D3D2D4; however, I can't always find a mob while searching from 0x00D3D2C8-0x00D3D2D4, so there must be another list somewhere.
    Edit: and on further investigation, it seems like that range is the only group of entity list pointers... ???
    Last edited by Timmytimmelson; 04-23-2009 at 09:44 PM.

  8. #8 HansW, Active Member
    The main Entity List that contains ALL Entities can be found at 0x00D3D2C8. Every Entity that is created is added to that list. The other lists contain Entities sorted by type. So all you need to search through is the Main List.

    Using the List struct from my other post, you can loop through it like this (C/C++):

    Code:
    WarList* m_pMainEntityList;
    m_pMainEntityList = (WarList*)*((DWORD*)0x00D3D2C8);   // pointer to the main list lives at 0x00D3D2C8

    for (DWORD i = 0; i < m_pMainEntityList->m_Size; i++) {
        if (m_pMainEntityList->m_pList[i]) {               // slot i holds a list entry
            WarEntityBase* pEntity = ((WarListEntry*)m_pMainEntityList->m_pList[i])->m_pItem;
        }
    }
    This code must be run in process; if you access the process from the outside, you need to modify it so that it reads from the pointers instead of dereferencing them directly like it does in process.

  9. #9 Da_Teach, Active Member
    I am 99.9% sure that you will not get the full list of entities going through the list that way, HansW.

    I'm pretty sure that the WarListEntry contains a link to another WarListEntry, at offset 8. Assuming we add a WarListEntry * after m_pItem, and we call it m_pNextEntry, the loop would be as follows:

    Code:
    WarList* m_pMainEntityList;
    m_pMainEntityList = (WarList*)*((DWORD*)0x00D3D2C8);

    for (DWORD i = 0; i < m_pMainEntityList->m_Size; i++) {
        WarListEntry* pEntry = (WarListEntry*)m_pMainEntityList->m_pList[i];
        while (pEntry) {                              // walk the chain hanging off slot i
            WarEntityBase* pEntity = pEntry->m_pItem;
            pEntry = pEntry->m_pNextEntry;            // advance via the link at offset 8
        }
    }
    I, for the love of God, can't remember where I saw that piece of code though.

    But I did find it several patches ago, and it's the same for the list with names.

  10. #10 Timmytimmelson, Member
    Originally Posted by Da_Teach
    I, for the love of God, can't remember where I saw that piece of code though.

    But I did find it several patches ago, and it's the same for the list with names.
    I'd like to believe you and say my code isn't flawed... for some reason I always miss three or so entities I cannot find in the list, lol; however, Hans has proved to be a master of reverse-engineering WAR,
    but I'd love to know more about where to find this "list of names".

  11. #11 HansW, Active Member
    Originally Posted by Timmytimmelson
    I'd like to believe you and say my code isn't flawed... for some reason I always miss three or so entities I cannot find in the list, lol; however, Hans has proved to be a master of reverse-engineering WAR,
    but I'd love to know more about where to find this "list of names".
    Inject my DLL and target the mob you don't find in your list. Type /script sd(GetTargetEntity(0)) or sd(GetTargetEntity(1)) (hostile/friendly target). Check the GUID. I don't search the list myself; instead I call a function in the client. This function gets me the entity pointer, and it definitely searches the main entity list. What was added in the last patch was a mutex to lock the list for concurrent access. So the GetEntityPtr function I use locks this before accessing the list and unlocks it after it's done.

    I have a search function that goes through the entity list "by hand" (locking and unlocking the mutex also). It does not seem to miss any entities, but I've never cross-checked that by going through all entities around the player in the client.

    What types of Entities are not picked up? Players, NPCs, statics, ...?

  12. #12 HansW, Active Member
    Originally Posted by Da_Teach
    I am 99.9% sure that you will not get the full list of entities going through the list that way, HansW.

    I'm pretty sure that the WarListEntry contains a link to another WarListEntry, at offset 8. Assuming we add a WarListEntry * after m_pItem, and we call it m_pNextEntry, the loop would be as follows:

    Code:
    WarList* m_pMainEntityList;
    m_pMainEntityList = (WarList*)*((DWORD*)0x00D3D2C8);

    for (DWORD i = 0; i < m_pMainEntityList->m_Size; i++) {
        WarListEntry* pEntry = (WarListEntry*)m_pMainEntityList->m_pList[i];
        while (pEntry) {                              // walk the chain hanging off slot i
            WarEntityBase* pEntity = pEntry->m_pItem;
            pEntry = pEntry->m_pNextEntry;            // advance via the link at offset 8
        }
    }
    I, for the love of God, can't remember where I saw that piece of code though.

    But I did find it several patches ago, and it's the same for the list with names.
    There are plenty of linked lists in the client, but to my knowledge the Entity List is not one of them.

  13. #13 Da_Teach, Active Member
    Originally Posted by HansW
    There are plenty of linked lists in the client, but to my knowledge the Entity List is not one of them.
    Well, you don't have to take my word for it; just do a quick test. You'll find that in areas with a lot of entities, treating it as a linked list will result in more entities found.

    Just a quick test of my own resulted in 4 more entities found.

  14. #14 HansW, Active Member
    Originally Posted by Da_Teach
    Well, you don't have to take my word for it; just do a quick test. You'll find that in areas with a lot of entities, treating it as a linked list will result in more entities found.

    Just a quick test of my own resulted in 4 more entities found.
    OK, I will post the client code that accesses the list and we can discuss this further. Don't get me wrong, I'm glad someone else here is sharing his knowledge and helps me find problems.

    Update: I just checked, you are right, thank you. It looks like there is something new at offset 0x08 in the WarListEntry, and the search function in the client uses it. +Rep
    Last edited by HansW; 04-26-2009 at 03:30 AM.
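To make the disagreement between posts #8 and #9 concrete, here is an added C example (not code from the thread, from any of its authors, or from the client) that models the WarList/WarListEntry layout the posts describe with a constructed in-memory sample and shows why a head-only walk undercounts once entries are chained through the link at offset 0x08; it also undoes the fixed-key XOR from post #1 on a float field. The field names not in the thread (m_Unknown04, m_Guid), the 16-byte entity layout, the XOR being applied to the raw float bits, and the sample contents are assumptions.

```c
#include <stdint.h>
#include <string.h>
#define XOR_KEY 0x348F4ACDu  /* the hard-coded key named in post #1 */

/* Layouts follow the thread's description and are assumptions, not verified against
 * the client: the link to the next entry sits at offset 0x08 of a WarListEntry. */
typedef struct WarEntityBase { uint32_t m_Guid; uint32_t m_X, m_Y, m_Z; } WarEntityBase;
typedef struct WarListEntry {
    WarEntityBase *m_pItem;             /* 0x00 */
    uint32_t m_Unknown04;               /* 0x04, placeholder for the unknown field */
    struct WarListEntry *m_pNextEntry;  /* 0x08, chains entries within one slot */
} WarListEntry;
typedef struct WarList { WarListEntry **m_pList; uint32_t m_Size; } WarList;

/* XOR with a fixed key is an involution: one operation both encodes and decodes.
 * The float bits travel through a uint32_t via memcpy to avoid type-punning UB. */
uint32_t encode_xor_float(float f) { uint32_t r; memcpy(&r, &f, 4); return r ^ XOR_KEY; }
float decode_xor_float(uint32_t s) { uint32_t r = s ^ XOR_KEY; float f; memcpy(&f, &r, 4); return f; }

/* Head-only walk from post #8: counts one entry per slot. */
size_t count_heads_only(const WarList *l) {
    size_t n = 0;
    for (uint32_t i = 0; i < l->m_Size; i++)
        if (l->m_pList[i] && l->m_pList[i]->m_pItem) n++;
    return n;
}

/* Chained walk from post #9: follows m_pNextEntry inside each slot. */
size_t count_chained(const WarList *l) {
    size_t n = 0;
    for (uint32_t i = 0; i < l->m_Size; i++)
        for (const WarListEntry *e = l->m_pList[i]; e; e = e->m_pNextEntry)
            if (e->m_pItem) n++;
    return n;
}

/* Constructed sample, not client data: 3 slots holding 5 entities, two slots chained. */
const WarList *build_sample_list(void) {
    static WarEntityBase ent[5]; static WarListEntry entry[5];
    static WarListEntry *heads[3]; static WarList list = { heads, 3 };
    for (uint32_t i = 0; i < 5; i++) {
        ent[i].m_Guid = 1000 + i;                        /* GUID is stored in the clear */
        ent[i].m_X = encode_xor_float(10.0f * (i + 1));  /* position is XOR'd */
        entry[i].m_pItem = &ent[i]; entry[i].m_pNextEntry = NULL;
    }
    heads[0] = &entry[0]; entry[0].m_pNextEntry = &entry[1]; entry[1].m_pNextEntry = &entry[2];
    heads[1] = NULL;  /* an empty slot */
    heads[2] = &entry[3]; entry[3].m_pNextEntry = &entry[4];
    return &list;
}
```

On the sample, count_heads_only() returns 2 while count_chained() returns 5, which is the "missing entities" effect described in posts #7, #9 and #13.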

  15. #15 Timmytimmelson, Member
    Thanks for the info, guys, helped a bunch. +Rep
