Finding OverlayContainer address in AH menu

  1. #1
    vixing

    Finding OverlayContainer address in AH

    Hi, I would need some help with finding the correct address of "selected item" in AH.
    I think it's called OverlayContainer. When I select item in 1st item slot, it contains "0" / slot 2 = "1" / slot 3 = "2" ... slot 11 = "10".
    Address changes every time when I login, and I need to find it every time when I leave.
    I use CheatEngine because I have no experience in C family languages etc.
    Is there any method to find that address fast?
    I'm pretty good at AutoIt and if there would exist a function which finds that address I can call it using DllCall().

    All I want is finding the correct address containing currently selected item's slot (-1).
    And that address always ends with AC.
    e.g.: 0x0B2F89AC, 0x0CCAA1AC, 0x0CC149AC, 0x07D4E5AC, 0x1FE3E9AC, 0x1FE3C5AC, 0x1FD0E1AC, 0x180765AC, 0x1FE3A1AC, 0x18DFC9AC, 0x1FD105AC, 0x174001AC, 0x292C41AC, 0x241961AC, 0x24193DAC

    Regards,
    VixinG

  2. #2
    SanjoX
    Maybe you can find a static pointer to your address (pointer to pointer to pointer ... to your address). It's described in the Cheat Engine tutorial program how you find such a pointer.

  3. #3
    defthack
    I believe the "OverlayContainer" you are looking for is actually
    Root.NormalLayer.BattleNetAuctionHouse_main.LayoutRoot.OverlayContainer.TabContentContainer.SearchTabContent.SearchListContent.SearchItemList.ItemListContainer.ItemListRadioButtonGroup = 0xA53AF1388A1C1CBA
    This is of course if you are talking about the selected item in the search results. For other indexes look into
    .AuctionTabContent.AuctionListContent.SellItemListContainer.ItemListContainer.ItemListRadioButtonGroup = 0xCE25A46A9A48FDCD
    and
    .AuctionTabContent.AuctionListContent.BidItemListContainer.ItemListContainer.ItemListRadioButtonGroup = 0xC97859A5BA6A9D1A

    You will need to know how to get the memory location of a UI element by its hash.
    From the Info Dump thread http://www.ownedcore.com/forums/diab...mp-thread.html ([Diablo 3][[1.0.3.10485] Retail Patch - Info Dump Thread)
    0093F470 D3::GetUIElementByHash

    Once you do that it becomes [GetUIElementByHash(0xA53AF1388A1C1CBA)+0x444] +0xB40+0x10+0xD5C+0x10+0x1DAC

    I don't believe there is a static pointer you can find for this address. The static pointer points to the hash table where the UI Element is stored.

  4. #4
    vixing
    That's great info, thanks... but how can I add it to my AutoIt script? I can only MemoryRead and MemoryWrite...

    Also, how about the address "How many items are currently displayed in AH tab" ? There are like 5 addresses like that but they are changing after 2-3 logins.

    edit: but focusing on that selection thingy, overlaycontainer. How can I add it to my script?
    Last edited by vixing; 07-26-2012 at 09:00 AM.

  5. #5
    defthack
    Reverse the function at 0x0093F470 (Diablo III.exe +0x13F470) and you can make an out of process implementation that only requires MemoryRead
    A few hints:
    You will need to know how a hash table works, and how linked lists work.
    Hash table - Wikipedia, the free encyclopedia
    Linked list - Wikipedia, the free encyclopedia

    The calling convention is stdcall. Pay attention to how the parameters are passed and how the result is returned
    x86 calling conventions - Wikipedia, the free encyclopedia
    The parameter for this function is a pointer to the 64bit hash of the element that you are trying to get the address for (posted above 0xA53AF1388A1C1CBA) and the value returned is the address of the UI Element

    Edit: After looking into it you can get "How many items are currently displayed in AH tab" with the same offset chain, but change the last offset from 0x1DAC to 0x1DA0
    Last edited by defthack; 07-26-2012 at 09:37 PM. Reason: adding additional information

  6. #6
    vixing
    Originally Posted by defthack
        Reverse the function at 0x0093F470 (Diablo III.exe +0x13F470) and you can make an out of process implementation that only requires MemoryRead
        A few hints:
        You will need to know how a hash table works, and how linked lists work.
        Hash table - Wikipedia, the free encyclopedia
        Linked list - Wikipedia, the free encyclopedia

        The calling convention is stdcall. Pay attention to how the parameters are passed and how the result is returned
        x86 calling conventions - Wikipedia, the free encyclopedia
        The parameter for this function is a pointer to the 64bit hash of the element that you are trying to get the address for (posted above 0xA53AF1388A1C1CBA) and the value returned is the address of the UI Element

    Thanks a lot! You are great. Thanks for the great help, I'm gonna read those. If you say that I can script that inside AutoIt and use only MemoryRead function, I will try.

  7. #7
    vixing
    I know that AutoIt's DllCallAddress() is based on stdcall.
    I tried to call this function by its address, but I don't know what to write as types and params..
    It should be GetUIElementByHash(0xA53AF1388A1C1CBA)
    Here's the function:

    DllCallAddress ( "return type", address [, type1, param1 [, type n, param n]] )

    I know I need to specify window handle somewhere too.

  8. #8
    _Mike
    You can only use DllCallAddress within your own address space, so unless you are hosting autoit within D3 you need to use DllCall to call CreateRemoteThread with a proxy function which calls GetUIElementByHash with the proper parameters.

  9. #9
    vixing
    Originally Posted by _Mike
        You can only use DllCallAddress within your own address space, so unless you are hosting autoit within D3 you need to use DllCall to call CreateRemoteThread with a proxy function which calls GetUIElementByHash with the proper parameters.

    And how to do that? I'd be grateful if you help me write it.
    Edit: I need to create C++/C# DLL with a function, then DllCall() it from AutoIt script.
    Edit2: I don't know C++ or C#. If you or someone else would like to help me, I will be grateful.
    Last edited by vixing; 07-28-2012 at 11:57 AM.

  10. #10
    defthack
    Since the GetUIElementByHash function doesn't use thread local storage you can call it from your own thread. You will need to allocate memory to store the hash that you are looking up since the parameter it takes is a pointer to the hash. Some functions that you might need
    VirtualAllocEx
    and
    CreateRemoteThread

    I don't use AutoIt, but here is a Cheat Engine Auto Assemble implementation. It is pretty straightforward: store the hash, push the pointer, call the function, then store the result and exit.

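    alloc(CodeCave, 1024)            // allocate a block of memory in the target process
    CREATETHREAD(CodeCave)           // run the code at CodeCave in a new thread
    CodeCave:
    mov [CodeCave+0x100], 0x8A1C1CBA // low dword of the 64-bit hash (little-endian)
    mov [CodeCave+0x104], 0xA53AF138 // high dword of the hash
    push CodeCave+0x100              // the single argument: pointer to the hash
    call 0x0093F470                  // D3::GetUIElementByHash
    mov [CodeCave+0x108],eax         // store the returned UI element address
    call ExitThread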

    This example will leak memory every time you use it so you will want to either dealloc after you have read the value or change it to global alloc so it reuses the same code cave.

  11. #11
    vixing
    Originally Posted by defthack
        Since the GetUIElementByHash function doesn't use thread local storage you can call it from your own thread. You will need to allocate memory to store the hash that you are looking up since the parameter it takes is a pointer to the hash. Some functions that you might need
        VirtualAllocEx
        and
        CreateRemoteThread

        I don't use AutoIt, but here is a Cheat Engine Auto Assemble implementation. It is pretty straightforward: store the hash, push the pointer, call the function, then store the result and exit.

        alloc(CodeCave, 1024)
        CREATETHREAD(CodeCave)
        CodeCave:
        mov [CodeCave+0x100], 0x8A1C1CBA
        mov [CodeCave+0x104], 0xA53AF138
        push CodeCave+0x100
        call 0x0093F470
        mov [CodeCave+0x108],eax
        call ExitThread

        This example will leak memory every time you use it so you will want to either dealloc after you have read the value or change it to global alloc so it reuses the same code cave.

    Here's the result:
    CodeCave=02D20000 - is it good?

    Thanks for everything.

    I also found some code on the web and I changed it a bit. I don't know how to modify it to do what I want to, but it looks like that:
    http://pastebin.com/raw.php?i=YbkwSyHD
    Last edited by vixing; 07-28-2012 at 10:19 PM.

  12. #12
    defthack
    I'm not very fluent with C++ but if there is one thing I have learned from reading this forum it is that calling create thread from dll main is a bad idea. It also looks like you are passing an int64 to GetUIElementByHash instead of a pointer to a 64bit hash, but I could be wrong about that.

    Depending on how you plan on injecting the dll if you are allocating memory and creating a thread anyways you can save some overhead and just call GetUIElementByHash from your code cave instead of calling loadlibrary.
