[Guide] Locating Silkroad’s Direct3D Objects

07/10/2009 10:09 epifriend#16
Hi there,

I am very interested in your knowledge ^^

I am currently working on a personal project which would need to list in-game objects. By object I mean complex objects, like mobs, NPCs, players, etc., not simple vertices or whatever.

Here is how I'm working:
I chose to make a DLL proxy. It seemed easier for me to proceed this way.
I tried different ways to make Silkroad load my own DLL instead of the system one:
patching the sro_client.exe: failed (I was sure the game at least checks this; I tried anyway, and it does)
patching the sro_client memory (launch, suspend, patch, resume): failed (I don't understand what happens, but it seems the game detects the patch and loads the real one instead anyway)
replacing the original d3d9.dll: I'm on Windows 7, so failed ^^
so finally I installed a VM with XP on it, so I could replace the original d3d9.dll easily: success (but slower of course)

So I made a DLL proxy for d3d9.dll, which is working fine. I clear a rect somewhere and I see it. Cool, huh?

Anyway,
I'm a complete beginner at DirectX. From what I found on the internet, I saw that EndScene will mostly be my friend for displaying additional info.
But now I need a way to detect the game's interesting objects, like "how can I detect that this is a Mangyang?"

Can you give me a hand with this? I believe it is possible, since I remember an ex-co-worker added turning bubbles around mobs (blue bubbles on mobs, and red ones when selected). But I have no contact with him any more.

In short: I'm lost now, can you provide me with something to start with?

Thanks!
07/10/2009 13:10 recking#17
Quote:
Originally Posted by epifriend
I am currently working on a personal project which would need to list in-game objects. By object I mean complex objects, like mobs, NPCs, players, etc., not simple vertices or whatever.
I'm not sure, but you will find them more easily by reading packets than by using DirectX.
07/10/2009 14:19 maxbot#18
Quote:
Originally Posted by epifriend
Hi there,

I am very interested in your knowledge ^^

I am currently working on a personal project which would need to list in-game objects. By object I mean complex objects, like mobs, NPCs, players, etc., not simple vertices or whatever.

Here is how I'm working:
I chose to make a DLL proxy. It seemed easier for me to proceed this way.
I tried different ways to make Silkroad load my own DLL instead of the system one:
patching the sro_client.exe: failed (I was sure the game at least checks this; I tried anyway, and it does)
patching the sro_client memory (launch, suspend, patch, resume): failed (I don't understand what happens, but it seems the game detects the patch and loads the real one instead anyway)
replacing the original d3d9.dll: I'm on Windows 7, so failed ^^
so finally I installed a VM with XP on it, so I could replace the original d3d9.dll easily: success (but slower of course)

So I made a DLL proxy for d3d9.dll, which is working fine. I clear a rect somewhere and I see it. Cool, huh?

Anyway,
I'm a complete beginner at DirectX. From what I found on the internet, I saw that EndScene will mostly be my friend for displaying additional info.
But now I need a way to detect the game's interesting objects, like "how can I detect that this is a Mangyang?"

Can you give me a hand with this? I believe it is possible, since I remember an ex-co-worker added turning bubbles around mobs (blue bubbles on mobs, and red ones when selected). But I have no contact with him any more.

In short: I'm lost now, can you provide me with something to start with?

Thanks!
Try looking for a "model recognition finder". You would have to get the numvertices for Mangyang and then check if the model being drawn matches the Mangyang. However, this will take an enormous amount of time, and you're better off parsing 0x30D7/0x3417 packets.
07/10/2009 14:30 epifriend#19
Quote:
Originally Posted by recking
I'm not sure, but you will find them more easily by reading packets than by using DirectX.
I'm sure it is simpler using packets. If I have no other choice, I might even do it this way.
But I would prefer not to rely on other tools (I'm talking about nuConnector, for instance). I mean, I prefer to be the owner of the whole chain. And I don't plan on developing myNuConnector :D

And another point: I intend to have some features like a colored glow (or equivalent) around mobs depending on the level difference between the char and the mob, this kind of stuff. So at one point I'll need to identify all those little people.
If I can't do it using DirectX only, how can I find the link between a network object and a list of vertices?

It's more a new challenge for me.

Thanks for your answer anyway; it'll be a solution if I can't do it in my DLL only ^^


Quote:
Originally Posted by maxbot
Try looking for a "model recognition finder". You would have to get the numvertices for Mangyang and then check if the model being drawn matches the Mangyang. However, this will take an enormous amount of time, and you're better off parsing 0x30D7/0x3417 packets.
Said like this, I guess so! But how could the guy I told you about add bubbles around mobs?
There is something I don't get ^^
Thanks
07/11/2009 11:06 maxbot#20
Quote:
Originally Posted by epifriend
I'm sure it is simpler using packets. If I have no other choice, I might even do it this way.
But I would prefer not to rely on other tools (I'm talking about nuConnector, for instance). I mean, I prefer to be the owner of the whole chain. And I don't plan on developing myNuConnector :D

And another point: I intend to have some features like a colored glow (or equivalent) around mobs depending on the level difference between the char and the mob, this kind of stuff. So at one point I'll need to identify all those little people.
If I can't do it using DirectX only, how can I find the link between a network object and a list of vertices?

It's more a new challenge for me.

Thanks for your answer anyway; it'll be a solution if I can't do it in my DLL only ^^

Said like this, I guess so! But how could the guy I told you about add bubbles around mobs?
There is something I don't get ^^
Thanks
Once you find the Mangyang or any other monster, you could use either world or screen coordinates to put up your own objects in the game. You can read my guide (Making a Silkroad ingame GUI) on how adding 2D objects is done, although it's not what you really want.
07/12/2009 21:49 epifriend#21
OK, thanks, I'll have a look into it. I'm not in a hurry; it's more of a challenge for me...
07/13/2009 02:50 pushedx#22
Quote:
Originally Posted by epifriend
I am currently working on a personal project which would need to list in-game objects. By object I mean complex objects, like mobs, NPCs, players, etc., not simple vertices or whatever.
As mentioned, trying to use the DirectX DLL only would be very impractical for such a task and would not get you anything useful. Instead, you must find the entity processing function in the client and hook it. Finding it is not too hard; just trace through the group spawn and individual spawn packet functions!

From there, you can store the ID of the entity. After you have a list of IDs, you then have to find the function that returns the object pointer based on the entity ID. This operation is more or less a std::map access. Once you have the object pointer, you can get all of the entity's data: type, position, and anything else useful that's needed in the game.

That is the method I am using right now to get all entities around the player as well as their real-time positions. It is very useful and works well. You also need to hook the entity remove function to know when to remove entity IDs as well! If you don't, you'll crash the client trying to get the object pointer of an entity that does not exist!
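The ID-keyed registry pushedx describes, written out as an added C++ example (not the client's code and not code anyone posted in the thread): the spawn hook inserts an entity under its ID, the despawn hook erases it, and every lookup goes through find(), so an entity that has already been removed yields a null pointer instead of the crash described above. The Entity fields, the hook method names and the spawn/despawn sequence are assumptions constructed for the example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical entity record: the data the post says becomes reachable once
// the object pointer is known (type, position, ...). Field names are assumed.
struct Entity {
    uint32_t    id;
    std::string type;     // "monster", "npc", "player" ... (assumed tags)
    float       x, y, z;  // world position
};

class EntityRegistry {
public:
    // Called from the (hypothetical) spawn hook: remember the entity by ID.
    void onSpawn(const Entity& e) { entities_[e.id] = std::make_unique<Entity>(e); }

    // Called from the (hypothetical) despawn hook; false if the ID was unknown.
    bool onDespawn(uint32_t id) { return entities_.erase(id) == 1; }

    // The failure mode the post warns about, in std::map terms: operator[]
    // silently creates an empty slot for an unknown ID, so the caller gets a
    // null pointer to dereference and the registry keeps a phantom entry.
    Entity* unsafeGet(uint32_t id) { return entities_[id].get(); }

    // Safe form: find() never inserts; a removed or unknown ID yields nullptr.
    const Entity* find(uint32_t id) const {
        auto it = entities_.find(id);
        return it == entities_.end() ? nullptr : it->second.get();
    }

    std::size_t size() const { return entities_.size(); }

    // Snapshot of the tracked IDs (what an overlay would iterate each frame).
    std::vector<uint32_t> ids() const {
        std::vector<uint32_t> out;
        for (const auto& kv : entities_) out.push_back(kv.first);
        return out;
    }

private:
    std::map<uint32_t, std::unique_ptr<Entity>> entities_;
};

// Distance from a player position to an entity, or -1 if the entity is gone.
double distanceTo(const EntityRegistry& reg, uint32_t id, float px, float py, float pz) {
    const Entity* e = reg.find(id);
    if (!e) return -1.0;
    float dx = e->x - px, dy = e->y - py, dz = e->z - pz;
    return std::sqrt(dx * dx + dy * dy + dz * dz);
}

// Replays a constructed spawn/despawn sequence; returns how many entities
// remain tracked afterwards.
std::size_t demoSequence(EntityRegistry& reg) {
    reg.onSpawn({1001, "monster", 3.0f, 4.0f, 0.0f});
    reg.onSpawn({1002, "npc",     0.0f, 0.0f, 0.0f});
    reg.onSpawn({1003, "player",  1.0f, 1.0f, 1.0f});
    reg.onDespawn(1002);            // the npc left the visible area
    return reg.size();              // 2
}

int main() {
    EntityRegistry reg;
    demoSequence(reg);
    for (uint32_t id : reg.ids()) {
        const Entity* e = reg.find(id);
        std::printf("%u %s at (%.1f, %.1f, %.1f)\n", id, e->type.c_str(), e->x, e->y, e->z);
    }
    std::printf("distance to 1001: %.1f\n", distanceTo(reg, 1001, 0, 0, 0));  // 5.0
    std::printf("distance to 1002: %.1f\n", distanceTo(reg, 1002, 0, 0, 0));  // -1.0, removed
    return 0;
}
```

The same discipline applies whatever container the client really uses: only the code path that observed the removal may drop the ID, and every consumer must treat a miss as a normal result rather than as an invariant violation.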
07/13/2009 15:53 maxbot#23
I wish I knew reversing as well as you do :|

I wouldn't have to bother with spawn packets, although I've almost got them parsed thanks to Bot90210.

I'm going to take a look at this entity processing function; I may actually find something :)

Totally OT, but it seems debugging can be enabled in SRO. If I just knew where the stuff is output.

Code:
006A6A28  |. /74 14         JE SHORT sro_clie.006A6A3E
006A6A2A  |. |68 E845C300   PUSH sro_clie.00C345E8                                  ;  UNICODE "DebugMsg On"
006A6A2F  |. |68 00010000   PUSH 100
006A6A34  |. |8D8C24 C40200>LEA ECX,DWORD PTR SS:[ESP+2C4]
006A6A3B  |. |51            PUSH ECX
006A6A3C  |. |EB 12         JMP SHORT sro_clie.006A6A50
006A6A3E  |> \68 CC45C300   PUSH sro_clie.00C345CC                                  ;  UNICODE "DebugMsg Off"
006A6A43  |.  68 00010000   PUSH 100
09/25/2009 17:53 Vegetta91#24
What other marker can I use instead of NOPs? I tried the max allowed commands by Olly, which is 8 consecutive NOPs, but it still finds over 100 matches. Could I use some JMPs? Thanks for the tutorials :D
09/25/2009 18:20 TheSpy#25
Quote:
Originally Posted by Vegetta91
What other marker can I use instead of NOPs? I tried the max allowed commands by Olly, which is 8 consecutive NOPs, but it still finds over 100 matches. Could I use some JMPs? Thanks for the tutorials :D
NOP = No OPeration. JMP = JuMP.
09/25/2009 20:07 Vegetta91#26
I know what they mean, I just don't know what they do... I'm a n00b at reverse engineering.
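Why eight NOPs turn up over a hundred matches, and what a usable marker looks like instead, shown with an added C++ signature scanner (not code from the thread): it runs over a constructed byte buffer built from the opcode bytes of the "DebugMsg On/Off" OllyDbg listing maxbot posted above, padded with NOP runs and a stub prologue. Runs of NOPs are alignment padding the compiler emits between functions, so they match all over the image, while a signature anchored on the instruction bytes, with wildcards for the address operands that shift between builds, pins down the one location meant. The buffer and the three markers are constructed for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <sstream>
#include <string>
#include <vector>

// Pattern element: a byte value 0..255, or -1 for a wildcard ("??").
using Pattern = std::vector<int>;

// Parses an Olly/IDA-style signature such as "74 14 68 ?? ?? ?? ?? 68 00 01 00 00".
Pattern parsePattern(const std::string& sig) {
    Pattern out;
    std::istringstream in(sig);
    std::string tok;
    while (in >> tok) {
        if (tok == "??" || tok == "?") out.push_back(-1);
        else out.push_back(static_cast<int>(std::stoul(tok, nullptr, 16) & 0xFF));
    }
    return out;
}

// Returns every offset at which the pattern matches the buffer (wildcards match any byte).
std::vector<std::size_t> findAll(const std::vector<uint8_t>& buf, const Pattern& pat) {
    std::vector<std::size_t> hits;
    if (pat.empty() || pat.size() > buf.size()) return hits;
    for (std::size_t i = 0; i + pat.size() <= buf.size(); ++i) {
        bool ok = true;
        for (std::size_t j = 0; j < pat.size() && ok; ++j)
            ok = pat[j] < 0 || buf[i + j] == static_cast<uint8_t>(pat[j]);
        if (ok) hits.push_back(i);
    }
    return hits;
}

// Constructed buffer (not a real dump): the opcode bytes from the thread's
// listing, surrounded by 8-byte NOP pads and a stub prologue.
const std::vector<uint8_t> kImage = {
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,   // pad                       (offset 0)
    0x55,0x8B,0xEC,                             // push ebp; mov ebp,esp
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,   // pad                       (offset 11)
    0x74,0x14,                                  // je short                  (offset 19)
    0x68,0xE8,0x45,0xC3,0x00,                   // push offset "DebugMsg On"
    0x68,0x00,0x01,0x00,0x00,                   // push 100h                 (offset 26)
    0x8D,0x8C,0x24,0xC4,0x02,0x00,0x00,         // lea ecx,[esp+2C4h]
    0x51,                                       // push ecx
    0xEB,0x12,                                  // jmp short
    0x68,0xCC,0x45,0xC3,0x00,                   // push offset "DebugMsg Off"
    0x68,0x00,0x01,0x00,0x00,                   // push 100h                 (offset 46)
    0xC3,                                       // ret
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,   // pad                       (offset 52)
};

// Three markers of increasing selectivity.
const char* kNopMarker   = "90 90 90 90 90 90 90 90";              // 8 consecutive NOPs
const char* kShortMarker = "68 00 01 00 00";                        // "push 100h" alone
const char* kSignature   = "74 14 68 ?? ?? ?? ?? 68 00 01 00 00";  // je, push <addr>, push 100h

int main() {
    for (const char* sig : {kNopMarker, kShortMarker, kSignature}) {
        std::vector<std::size_t> hits = findAll(kImage, parsePattern(sig));
        std::printf("%-36s -> %zu match(es)", sig, hits.size());
        for (std::size_t h : hits) std::printf(" @%zu", h);
        std::printf("\n");
    }
    return 0;
}
```

The wildcards sit exactly where the listing shows absolute addresses (the two string pointers), which is also the part of a signature that breaks first on a recompiled binary; opcode bytes and small immediates such as the 100h survive far more often. This is the same idea behind byte-pattern rules in malware scanners, where a rule built from padding or a single common instruction fires everywhere and a rule anchored on a distinctive instruction sequence does not.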
05/25/2010 17:04 jM3#27
It's generally easier to codecave or hook the Direct3DCreateX API. From there, you can either do vtbl hooking (they're COM objects, purely virtual; every function is, as in the documentation, in the vtable), or you can just use it to poison the game's D3D object pointers to your own class wrapper around the COM objects.

I find these methods more general and simpler. You don't have to 'find' anything; you just hook it anyway :).

Oh damn, schlurmann beat me to it :|.. by a lot :|..
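The wrapper approach jM3 describes, as an added C++ example (not jM3's code and not Direct3D): a pure-virtual interface standing in for a COM object, a wrapper class that implements the same interface and forwards every call to the real object, and an EndScene interception that runs an overlay callback before handing over. IDevice, RealDevice and their three methods are assumed stand-ins; the real IDirect3DDevice9 has far more methods, every one of which a wrapper must forward, and COM lifetime handling (Release deleting the object at refcount zero) is left out here so the example stays leak-free.

```cpp
#include <cstdio>
#include <functional>
#include <utility>

// Stand-in for a COM interface: pure virtual, so every method lives in the vtable.
struct IDevice {
    virtual ~IDevice() = default;
    virtual long Clear(unsigned long color) = 0;
    virtual long EndScene() = 0;
    virtual unsigned long Release() = 0;   // COM-style refcount decrement (no self-delete here)
};

// The "real" device, standing in for what the D3D factory would hand back.
class RealDevice : public IDevice {
public:
    long Clear(unsigned long color) override { lastColor_ = color; return 0; }
    long EndScene() override { ++frames_; return 0; }
    unsigned long Release() override { return --refs_; }
    int frames() const { return frames_; }
    unsigned long lastColor() const { return lastColor_; }
private:
    int frames_ = 0;
    unsigned long lastColor_ = 0;
    unsigned long refs_ = 1;
};

// Wrapper in jM3's sense: same interface, so a caller holding only an IDevice*
// cannot tell it apart. Every call is forwarded; EndScene runs a callback first.
class DeviceWrapper : public IDevice {
public:
    using Callback = std::function<void(IDevice&)>;
    DeviceWrapper(IDevice* inner, Callback onEndScene)
        : inner_(inner), onEndScene_(std::move(onEndScene)) {}
    long Clear(unsigned long color) override { return inner_->Clear(color); }
    long EndScene() override {
        ++intercepted_;
        if (onEndScene_) onEndScene_(*inner_);   // overlay drawing goes through the real device
        return inner_->EndScene();
    }
    unsigned long Release() override { return inner_->Release(); }
    int intercepted() const { return intercepted_; }
private:
    IDevice* inner_;
    Callback onEndScene_;
    int intercepted_ = 0;
};

// What each side observed after a run.
struct FrameStats {
    int realFrames;
    int intercepted;
    int overlayDraws;
    unsigned long lastColor;
};

// Pushes n frames through a wrapped device, the way a game would after a
// hooked factory returned the wrapper instead of the real object.
FrameStats runFrames(int n) {
    RealDevice real;
    int overlayDraws = 0;
    DeviceWrapper wrap(&real, [&](IDevice& d) {
        ++overlayDraws;
        d.Clear(0x00FF0000u);                  // constructed overlay action: a red clear
    });
    IDevice* dev = &wrap;                      // the only pointer the caller ever holds
    for (int i = 0; i < n; ++i) {
        dev->Clear(0);
        dev->EndScene();
    }
    return {real.frames(), wrap.intercepted(), overlayDraws, real.lastColor()};
}

int main() {
    FrameStats s = runFrames(3);
    std::printf("real frames=%d intercepted=%d overlay draws=%d last color=0x%06lX\n",
                s.realFrames, s.intercepted, s.overlayDraws, s.lastColor);
    return 0;
}
```

Because the game only ever sees an IDevice pointer, the wrapper is indistinguishable from the object it hides at the call site; the observable difference is that the object's vtable pointer no longer points into the module that implements the interface, which is exactly what an integrity check on a live device compares.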