Question - Anatomy of a maphack

[Tanaris4]

For those that know how to do this, I was just curious what people look for to create a maphack? Is it mainly around hooking packets to understand when the map data has been sent, or is a direct X function hooked + parameters changed so part of it is not hidden?

My end goal is to create this for OS X (openGL), but of course I always learn the windows way first

Thanks in advance!
~ Tanaris

[BitHacker]

Tanaris4,

Go to youtube and type in kartograph, this 3 part series will tell you the anatomy of a maphack. The map is actually in memory.

-Bit_Hacker

[Nesox]

The map is actually in memory.

No shit?
@Tanaris4
Take a look at 0x9BBAA0 seems to be related to the minimap,

Code:

signed int __fastcall sub_9BBAA0(int a1, int *a2, int a3, int a4, int a5, int a6, int a7, int a8)
{
  int v8; // edi@1
  int *v9; // esi@1
  int v10; // ebx@2
  int v11; // eax@5
  int v12; // eax@5
  int v13; // esi@5
  SNORecordTextures *v14; // eax@6
  int v15; // edi@6
  int v17; // [sp-10h] [bp-390h]@6
  SNORecordTextures *v18; // [sp+10h] [bp-370h]@6
  char Dst; // [sp+14h] [bp-36Ch]@5
  int v20; // [sp+20h] [bp-360h]@5
  int v21; // [sp+24h] [bp-35Ch]@5
  int v22; // [sp+28h] [bp-358h]@5
  int v23; // [sp+2Ch] [bp-354h]@5
  int v24; // [sp+30h] [bp-350h]@5
  int v25; // [sp+34h] [bp-34Ch]@5
  int v26; // [sp+38h] [bp-348h]@5
  int v27; // [sp+25Ch] [bp-124h]@5
  unsigned int v28; // [sp+37Ch] [bp-4h]@1
  int v29; // [sp+380h] [bp+0h]@1

  v28 = (unsigned int)&v29 ^ dword_1565F10;
  v8 = a1;
  v9 = a2;
  if ( !sub_9366A0(a1, a8) )
  {
    v10 = a8;
    v8 = sub_F1FA80(v8);
    if ( sub_9366A0(v8, a8) )
      goto LABEL_5;
    sub_EE8AF0(0, Class, 1682, 1);
    sub_EF5F40(1);
  }
  v10 = a8;
LABEL_5:
  *v9 = v8;
  MemSet(&Dst, 0x368u);
  v11 = *v9;
  v22 = a5;
  v23 = a6;
  v21 = v11;
  v27 = a7;
  v20 = 0;
  v26 = 0;
  v25 = 0;
  v24 = a4;
  v12 = sub_893A10((void *)DefTextures, (int)&Dst, 0, 0);
  v13 = v12;
  if ( v12 == -1 )
    return -1;
  v14 = (SNORecordTextures *)GetSNORecord(DefTextures, v12, 0);
  LOBYTE(v15) = a3;
  v18 = v14;
  v17 = *(_DWORD *)&v14->pad23F[9];
  if ( v24 == 1 )
  {
    if ( !GfxTextureCreate((int)&v14->pad23F[5], v14->dwHeight, v14->dwFaceCount, v14->dword18, 1, v17, v10, a3) )
    {
      if ( !a3 )
        v15 = (int)"texture name unknown";
      CDebug::OutputDebugString(2, 3, 0, "GfxTextureCreate() %s failed!", v15);
LABEL_15:
      PurgeSNORecord(DefTextures, (int *)&v18);
      sub_8925E0(v13, 0);
      return -1;
    }
  }
  else
  {
    if ( !GfxCubeMapCreate(&v14->pad23F[5], v14->dwHeight, v14->dwFaceCount, 1, v17, v10, a3) )
    {
      if ( !a3 )
        v15 = (int)"texture name unknown";
      CDebug::OutputDebugString(2, 3, 0, "GfxCubeMapCreate() %s failed!", v15);
      goto LABEL_15;
    }
  }
  if ( v10 & 1 )
    v18->dwWidth |= 1u;
  PurgeSNORecord(DefTextures, (int *)&v18);
  return v13;
}

Here's the SNORecordTextures type in case you need it, ( not sure if it's correct tho ) but should be to the most part.

Code:

#pragma pack(push, 1) struct SNORecordTextures
 {
   int Header[3];
   int dwWidth;
   int dwHeight;
   int dwFaceCount;
   int dword18;
   int dwMipMapLevelMax;
   int dword20[120];
   int dword200;
   int dword204;
   int serFrame[2];
   int dword210;
   int dword214;
   int dword218[2];
   int dword220;
   int dword224;
   int dword228[2];
   int dword230[2];
   int dword238;
   BYTE byte23C;
   BYTE byte23D;
   BYTE byte23E;
   BYTE pad23F[256];
   int dword33F;
   int serImageFileIDs[2];
   int dword34B;
   int dword34F;
   int dword353;
   int dword357;
 };
 #pragma pack(pop)

[Valtharak]

With D3 you can't do a full maphack like let say D2.

what i mean by that is that D3 stream scenes around you so you wont know some of the scene/subscene till you get close to them.
one good thing is the minimap marker for the dunjon exit for example are sent at the World zone in. so you can find out where the exit / entrance position by looking at the MapMarkers in memory.

do you want to create an out of process maphack or patch the ingame memory like d3advance does?

[Tanaris4]

I could do out of process or in memory, I don't mind either way. Currently looking into the function Nesox referenced (well trying to find it on OS X, thrilled there is a debug string in it)