Iterating RActors

[mozartmclaus]

Hi, cant get RActors array iteration correct:

I remember you mentioned RActors size 0x42C, is this the size of the struct after dereferencing (i.e. at 1F27D660);
I have determined array entry size as 416, and it seem to work for the first 5 array elements, but then i only get crap.
Currently im not having a clue how this list is organized. Cant find any sizes or offsets or prev/next pointers which can be used to find next object in the list.
Fixed offset also wont work.

ObjectManagerPointerAddress: 0156C8CC
ObjectManagerAddress: 07E83E00
RActorsAddress: 1F437040
RActorsName: RActors
RActorsArraySize: 114
RActorAddress (Offset:00000148 ) : 1F27D660 ActorCommonData
RActorAddress (Offset:000002E8 ) : 1F27D7C8 RainParticles
RActorAddress (Offset:00000488 ) : 1F27CC78 Particles
RActorAddress (Offset:00000628 ) : 1F27D3F8 Lights
RActorAddress (Offset:000007C8 ) : 1F27D860 FastAttribGroups
RActorAddress (Offset:00000968 ) : 1F27DC28 [cant get name string]
RActorAddress (Offset:00000B08 ) : 0000116E ...
RActorAddress (Offset:00000CA8 ) : 8F000000 ...
RActorAddress (Offset:00000E48 ) : D3290000 ...
...

This is screen of first actor occurance. Array (or is this List?) entry itself seem to begin directly
at 0x100 offset. And at 0x108 or 0x10C supposed to be ArraySize.



Is the RActors an Object with all that Arrays being its properties or is it Array/List itself?

[BitHacker]

mozartmclaus,

I can't recreate your RActorAddress with offsets. My values within reclass are way different.





Can You tell me if we are saying RActor is equal to public class Actor : FileFormat in mooege? Kinda confused here. Thanks.

-Bit_Hacker

[Nesox]

mozartmclaus,

Can You tell me if we are saying RActor is equal to public class Actor : FileFormat in mooege? Kinda confused here. Thanks.

-Bit_Hacker

It's not the same, the " class Actor : FileFormat" is the actor sno record

[BitHacker]

Nesox,

Can you explain the hierarchy a little so I can stop being an idiot and actually know something?
I see you guys talking about ObjectMananger, ObjectManagerPtr, RActor, and ACD Actor Common Data.
I'm just confused, can someone straighten me out. So, I can stop bothering everyone?
Seems as if I aggravated some people. Sorry.
I'm just trying to learn.

-Bit_Hacker

[mozartmclaus]

BitHacker
you start with fixed ObjectManagerPointerAddress: 0156C8CC
dereference pointer at that address and get address of ObjectManager

here are some offsets i got so far:
const uint ObjectManagerCutScenesPointerOffset = 0x8A8;
const uint ObjectManagerRActorsPointerOffset = 0x8B0;
const uint ObjectManagerScenesPointerOffset = 0x8F4;
const uint ObjectManagerCWorldsPointerOffset = 0x92C;

so add 0x8B0 to ObhectManager address and dereference -> you get address of object managing RActors.
Im not sure if it is an object or array/list.

at offset 0x108 or 0x1A0 you should get numer of elements in the actors array.
at offset 0x148 there should be the first entry (ActorCommonData)
adding 1A0 you get next element and so on, except that after 5 elements I only get crap.

I would also like to have more info, even if I get RActor object I dont know how to reverse it correctly.
Even with ReClass I see lots of pointers and values without knowing what they are.
Not sure where to get this info...
Mooego doesnt seem to have related strucs.
IDA and many hours of code reversing seem to be the only way.
You can set read/write barriers on any data value in D3 memory.
Trace which code accesses it and try to reverse how this code is using the data.

[Tanaris4]

FYI I don't think you should be adding 1A0, I believe it's 0x42C on windows (just explore the first entry w/cheat engine you get from reading offset 0x148 and see how far it is until the next one)

On OS X it's 0x428, I just found out how to iterate our of process

Now to find interesting things about these RActors heh. GL!

[ShoniShilent]

you guys are both close:

here is the relevant code

00B598A4 - A1 CCC85601 - mov eax,[0156C8CC] <--------
00B598A9 - 8B 90 B0080000 - mov edx,[eax+000008B0] <-----------
00B598AF - 85 D2 - test edx,edx
00B598B1 - 74 44 - je 00B598F7
00B598B3 - 0FB7 F7 - movzx esi,di
00B598B6 - 3B B2 00010000 - cmp esi,[edx+00000100]
00B598BC - 73 39 - jae 00B598F7
00B598BE - 8A 8A 8C010000 - mov cl,[edx+0000018C]
00B598C4 - 8B DE - mov ebx,esi
00B598C6 - D3 EB - shr ebx,cl
00B598C8 - 8B 8A 8C010000 - mov ecx,[edx+0000018C]
00B598CE - B8 01000000 - mov eax,00000001
00B598D3 - D3 E0 - shl eax,cl
00B598D5 - 8B 8A 48010000 - mov ecx,[edx+00000148] <------------
00B598DB - 48 - dec eax
00B598DC - 23 C6 - and eax,esi
00B598DE - 69 C0 28040000 - imul eax,eax,00000428 <-------------
00B598E4 - 03 04 99 - add eax,[ecx+ebx*4]

so it's [[[156c8cc]+8b0]+148]

and then every 0x428 is the next rActor

rActor 5th in line is usually your character (or [[[156c8cc]+8b0]+148]+10a0) or 'CharacterBase'

and your CharacterBase
+a0/a4/a8 is x/y/z

I am not sure if

[[156c8cc]+8b0]+108
or
[[156c8cc]+8b0]+10c

holds the Number of Actors to iterate. 108 stays more stable while 10c changes alot so I would have to experiment more or get feedback from others who are 'in the know'

[BitHacker]

ShoniShilent,

What function is 00B598A4 out of ?


Your call area:
0094E6F7 E8 F49E0B00 CALL Diablo_I.00A085F0
0094E6FC E8 3FFCFFFF CALL Diablo_I.0094E340
0094E701 E8 FA180D00 CALL Diablo_I.00A20000
0094E706 E8 855A0900 CALL Diablo_I.009E4190
0094E70B E8 C0B02000 CALL Diablo_I.00B597D0
0094E710 E8 ABA92000 CALL Diablo_I.00B590C0
0094E715 E8 36B32100 CALL Diablo_I.00B69A50
0094E71A E8 91840B00 CALL Diablo_I.00A06BB0
0094E71F E8 DC642000 CALL Diablo_I.00B54C00
0094E724 E8 E76B2100 CALL Diablo_I.00B65310



I want to know why you were looking at that call? What lead you to it? Why were you inside it?
0094E710 E8 ABA92000 CALL Diablo_I.00B590C0






When your walking around these values are constantly changing:
(Inside RActor)
0108
010C
0110
0114
011C

What are those?

-Bit_Hacker

[ShoniShilent]

that code snippet was chosen so that you could see the progression pointing to the rActor manager struct. i just did a breakpoint on the rActor so i could pull up code to show you. that progression is all through the diablo 3 in several places.

i am guessing 108 is the maximum num of rActors and 10c is the 'visible' or 'nearby' rActors or rActors of a type. the others i have no idea. as i said, i have just started tinkering with this. maybe some other peeps would like to chime in.

it's simple enough now to do a 'radar' and 'list' of what is around you with just that information above. however, there's alot more to do, as you have to identify what is 'monster' vs. ' items' vs. 'obstructions', etc.

[BitHacker]

ShoniShilent,

Well 108 decreases and increases as you walk around town.



Might have found Chat
[0156C8CC] + 08B0] + 0148] + 0018] + 0004 Achevements: 31B0FC00
[0156C8CC] + 08B0] + 0148] + 0018] + 0584 SimpleChat 083ED2D8
[0156C8CC] + 08B0] + 0148] + 0018] + 0594 SimpleChat:c_Tabs 013A6608


That 0584 has a lot of nice stuff
SimpleChat
SinglePlayer
SkillBar
SplasScreen
Stable
StartGame
Stash
ToolTip
Trade
WaypointDialog
a1dun_leor01
a2dun_Aqd_Beather1
a2dun_Spider_Caves_02
a2dun_Swr_Weather1
a2dun_Zolt_Random_Weather1
a2dun_Zolt_Weather1
a3Dun_Keep_A
CaOut_Boneyard_Weather
CaOUT_Mine_Abandoned_Cellar_Weather
CaOUT_OasisA_Weather
caOut_Weather_CanyonPass
caOut_Weather_SandStorm
caOut_Weather_SandStorm_Alcarnus
NoWeather
NoWeatherDun
Sewer_Level01
LeoricJournal1 - 15
PlayerIsBarbarian 25C8
PlayerIsMonk 2664
PlayerIsWitchDoctor 2700
PlayerIsWizard 279C

and a whole crap more it all has structure to it... Its pretty big....


-Bit_Hacker

[BitHacker]

Edited:
-Bit_Hacker

[mozartmclaus]

i probably misunderstood the structure of RActors.I was trying to access them via:
[[156c8cc]+8b0]+148+i*416
(416 is decimal here)
now i realize that this is not an array but an object.
and to address array you say it would be correct to do this:
[[[156c8cc]+8b0]+148]+i*416

[Nonal2]

i probably misunderstood the structure of RActors.I was trying to access them via:
[[156c8cc]+8b0]+148+i*416
(416 is decimal here)
now i realize that this is not an array but an object.
and to address array you say it would be correct to do this:
[[[156c8cc]+8b0]+148]+i*416

Sorry, I don't think you are there yet. Looking closely at assembly quoted in this thread: it is taking 16-bits low part of the GUID and does two things using a variable "bit size" (let's take 10 as an example):
1/ Takes top bits (10 to 15) to select a bucket of objects
2/ Masks low bits of the remaining address (9-0) to select the proper object in the bucket

In other words, you are looking at an array of buckets, ie implementation of a map (hashtable), which makes sense since D3 wants fast access based on GUID. I would suggest something like this if you want it iterate on it (accessing by GUID is obviously simpler):

Code:

RActorsAddress = getInt(ObjectManagerAddress+0x8b0);
RActorsMax = getInt(RActorsAddress+0x100);
RActorsBits = getInt(RActorsAddress+0x18C);
RActorsBase = getInt(RActorsAddress+0x148);
nbBuckets = RActorsMax/(1<<RActorsBits);

for(bucket=0; bucket<nbBuckets; ++bucket) {
	bucketAddr = getInt(RActorsBase+4*bucket);  
	if (bucketAddr==0x0) continue;
	for(pos=0; pos<(1<<RActorsBits); ++pos) {
		addr = bucketAddr+0x428*pos;
		GUID = getInt(addr);
		if (GUID==0xFFFFFFFF || GUID==0x0) continue;
	}
}

Posting with a new account as I could not manage to recover previous one.
New game, new account. Makes sense

[BitHacker]

you guys are both close:

here is the relevant code

00B598A4 - A1 CCC85601 - mov eax,[0156C8CC] <--------
00B598A9 - 8B 90 B0080000 - mov edx,[eax+000008B0] <-----------
00B598AF - 85 D2 - test edx,edx
00B598B1 - 74 44 - je 00B598F7
00B598B3 - 0FB7 F7 - movzx esi,di
00B598B6 - 3B B2 00010000 - cmp esi,[edx+00000100]
00B598BC - 73 39 - jae 00B598F7
00B598BE - 8A 8A 8C010000 - mov cl,[edx+0000018C]
00B598C4 - 8B DE - mov ebx,esi
00B598C6 - D3 EB - shr ebx,cl
00B598C8 - 8B 8A 8C010000 - mov ecx,[edx+0000018C]
00B598CE - B8 01000000 - mov eax,00000001
00B598D3 - D3 E0 - shl eax,cl
00B598D5 - 8B 8A 48010000 - mov ecx,[edx+00000148] <------------
00B598DB - 48 - dec eax
00B598DC - 23 C6 - and eax,esi
00B598DE - 69 C0 28040000 - imul eax,eax,00000428 <-------------
00B598E4 - 03 04 99 - add eax,[ecx+ebx*4]

so it's [[[156c8cc]+8b0]+148]

and then every 0x428 is the next rActor

rActor 5th in line is usually your character (or [[[156c8cc]+8b0]+148]+10a0) or 'CharacterBase'

and your CharacterBase
+a0/a4/a8 is x/y/z

I am not sure if

[[156c8cc]+8b0]+108
or
[[156c8cc]+8b0]+10c

holds the Number of Actors to iterate. 108 stays more stable while 10c changes alot so I would have to experiment more or get feedback from others who are 'in the know'

I'm no math wiz here but:

so it's [[[156c8cc]+8b0]+148]

and then every 0x428 is the next rActor

rActor 5th in line is usually your character (or [[[156c8cc]+8b0]+148]+10a0) or 'CharacterBase'

0x428 * 5 = 14C8

I don't know where your coming up with 10A0? Care to explain?


I see:
14C8 - 0x428 = 10A0...

But there is nothing there.. offset is NFG...

[biskow]

Hello,
Does anyone have actual working version of this?
I tried all the aproaches in this topic and im still quite confused.
Did anyone actually got this working