[AutoIt] Diablo 3 Click To Move, Interaction, Actor Indexing.

[UnknOwned]

I have deleted the old post and made this new one as it got a bit too botty.
Here is a UDF for controlling Diablo 3 via memory editing.
This was originally made to make Diablo 3 controllable with a PS3 or Xbox360 controller (which worked awesome btw!).

In short it contains a few usefull function such as:

• GetCurrentPos()
• MoveToPos($_x,$_y,$_z)
• InteractGUID($_guid,$_snoPower)
• IterateObjectList($_displayINFO)

I have included some basic sample code, that does the following:


http://pastebin.com/0pQcz0zs

(it requires NomadMemory.au3, get it yourself!)

enjoy.

[Valmere]

Neat stuff

[sdq928]

I have deleted the old post and made this new one as it got a bit too botty.
Here is a UDF for controlling Diablo 3 via memory editing.
This was originally made to make Diablo 3 controllable with a PS3 or Xbox360 controller (which worked awesome btw!).

In short it contains a few usefull function such as:

• GetCurrentPos()
• MoveToPos($_x,$_y,$_z)
• InteractGUID($_guid,$_snoPower)
  
• IterateObjectList($_displayINFO)

I have included some basic sample code, that does the following:


[AutoIt] Diablo 3 Movement and Interaction UDF - Pastebin.com

(it requires NomadMemory.au3, get it yourself!)

enjoy.

Very grateful to you*

[diesiel1]

Thanks.

Can this interact with ingame buttons (like start game, resume game, change quest, etc)

[caosmen]

ty for sharing this.

now i can see the first code how some one works with objects

i will look in your code deeper and study it.

ty

[evil2]

hmm.. so few replies?.. this is the best d3 source posted here so far

thanks UnknOwned

[tfp]

this is the best d3 source posted here so far

qft!
I try hard now for 2 days to iterate over the Object starting at ObjectMananger... and you just released it as part of a small example.
Thank you - that will improve my understanding of other ressources postet here by a great margin.

[hata1234]

Thanks.
It's useful.
But did it safe?
Will warden detect it?

[DrArgo]

UnknOwned, I really appreciate the sample code. It helped me get a better grip on where to start as far as memory reading goes. I'm pretty sure I have the requisite skills to be able to do this, I'm just missing pieces on how to put everything together.

If you don't mind answering some basic questions, I'd like to go through some code snippets, line-by-line to understand them better.

Code:

global $ofs_ObjectManager = 				0x01580A2C
global $ofs__ObjmanagerActorOffsetA = 		0x8b0
global $ofs__ObjmanagerActorCount = 		0x108
global $ofs__ObjmanagerActorOffsetB = 		0x148
global $ofs__ObjmanagerActorLinkToCTM = 	0x380
global $_ObjmanagerStrucSize = 	0x428

These constants mean the following (please correct me if I'm wrong):

* 0x01580A2C -> The base address of the object manager pointer
* 0x8b0 -> The offset within the object manager where the Actor list pointer is located (it seems like the start of a pointer chain)
* 0x108 -> The offset starting from where the Actor list pointer is located, which contains the number of actors
* 0x148 -> The offset to the next link in the actor list pointer chain
* 0x380 -> used for click to move, which I'm not trying to figure out right now
* 0x428 -> The size of an Actor struct

Code:

global $_itrObjectManagerA  = _MemoryRead($ofs_ObjectManager, $d3, 'ptr')		
global $_itrObjectManagerB  = _MemoryRead($_itrObjectManagerA+$ofs__ObjmanagerActorOffsetA, $d3, 'ptr')	
global $_itrObjectManagerCount  = $_itrObjectManagerB+$ofs__ObjmanagerActorCount
global $_itrObjectManagerC  = _MemoryRead($_itrObjectManagerB+$ofs__ObjmanagerActorOffsetB, $d3, 'ptr')	
global $_itrObjectManagerD  = _MemoryRead($_itrObjectManagerC, $d3, 'ptr')	
global $_itrObjectManagerE  = _MemoryRead($_itrObjectManagerD, $d3, 'ptr')

Here's how it works from my understanding:

*$_itrObjectManagerA Address of the Object Manager as pointed to by a static memory location
*$_itrObjectManagerB -> Address of a structure that holds what I will call an ActorList** pointer and also the number of actors
*$_itrObjectManagerC -> Address of an ActorList* pointer.
*$_itrObjectManagerD -> Address of the actual ActorList.
*$_itrObjectManagerE -> I'm not sure what this is for.

Where did you get the structure definitions from?

I've been trying to find resources (read all of this forum and blizzhackers), but I can't seem to find how you actually go about determining what the structs store. I'm particularly interested in the Scene structs.

Ideally, I'd like to make a maphack that only reads process memory (it won't hook into the process). I will do that by overlaying a graphic on the screen. I'll certainly share whatever I can make. Right now I just don't know were to get information.

[RamirezX]

* 0x01580A2C -> The base address of the object manager pointer correct
* 0x8b0 -> The offset within the object manager where the Actor list pointer is located (it seems like the start of a pointer chain) correct
* 0x108 -> The offset starting from where the Actor list pointer is located, which contains the number of actors it looks the same as 0x10C ... correct
* 0x148 -> The offset to the next link in the actor list pointer chain address of the FirstActor, you can iterate through Actors this way: FirstActor + i*0x428 ..
* 0x380 -> used for click to move, which I'm not trying to figure out right now I'm too lazy to count it, but it looks like CRActorMovement->IsMoving
* 0x428 -> The size of an Actor struct correct

My pointerchains:

DWORD pObjectManager = 0x01580A2C;

DWORD pRActors[] = {0x01580A2C, 0x8B0};
DWORD pFirstActor[] = {0x01580A2C, 0x8B0, 0x148,0};
DWORD pActorCount[] = {0x01580A2C, 0x8B0, 0x10C};
DWORD ActorSize = 0x428

DWORD pACDCount[] = {0x01580A2C, 0x850, 0, 0x11C};
DWORD pFirstACD[] = {0x01580A2C, 0x850, 0, 0x148, 0};
DWORD ACDSize = 0x2D0

Where did you get the structure definitions from?

reverse engineering

I've been trying to find resources (read all of this forum and blizzhackers), but I can't seem to find how you actually go about determining what the structs store. I'm particularly interested in the Scene structs.

Here in this section of forum is a lot of info .. just read all the older stuff and collect informations from the debris

Ideally, I'd like to make a maphack that only reads process memory (it won't hook into the process). I will do that by overlaying a graphic on the screen. I'll certainly share whatever I can make. Right now I just don't know were to get information.

how do you wanna do overlay without injecting?

[TheArkanaProject]

how do you wanna do overlay without injecting?

Windowed D3 the size of the desktop?

Just a thought =)

[DrakeFish]

Ideally, I'd like to make a maphack that only reads process memory (it won't hook into the process). I will do that by overlaying a graphic on the screen. I'll certainly share whatever I can make. Right now I just don't know were to get information.

how do you wanna do overlay without injecting?

It is very possible to create a transparent layered window on top of another window and achieve the same type of rendering as if you were injected (but with your own DirectX "device", of course). The layered window system even lets you select a color that will be used for transparency so it is possible to do this with pretty much anything. I personally use this with GDI+ to perform simple drawing without being injected. Obviously, this system would not work in fullscreen mode, but for that there's the possibility of using DirectDraw.

The best way to get information about the game would be to start with what is provided here and do your own searching and reversing. There are a few threads from the beta with information on UI, and such things (I personally posted the UI structures and a few functions a long time ago in one of the first reversing threads). I'm sure you could update some of the information from those threads and use them if you don't want to start from nothing.

[DrArgo]

Here is some example code of an overlay using GDI+ to draw without injection: [AutoIt] Overlay clock - Pastebin.com. It's modified from some other code I didn't write, so it might be a little messy, but it gets the concept across, I think.

I'm fairly paranoid about injection being able to be detected, so I would not like to add or change any of the process memory, if possible. Transparent windows allow me to add UI functionality without messing with the game's memory.

After more digging, I have a bit more understanding about the actual structures being used. I have a lot of experience with C++, assembly, and CE, but reverse engineering seems to take things to a whole new level. I've written bots for fun for years and I'm taking it as a challenge this time to write one that relies on memory reading.

[quickyneone]

I tried to update this script with the pointers from the new patch but GetCurrentPos() is always returning 100 for my X. Is anyone else experiencing this issue or can update this script?

http://www.ownedcore.com/forums/diab...mp-thread.html ([Diablo 3][[1.0.3.10057] Retail Patch - Info Dump Thread)

global $ofs_ObjectManager = 0x15A0BEC
...
global $ofs_Interact = 0x15A0BD4

[UserNamex32]

Yeah I've been having issues with the getCurrentPos so I just had it find my toon and use it's X,y,z values for it instead
also doesn't require the initial click