GW2 Memory Thread

10/20/2012 20:56 Cencil#46
Quote:
Originally Posted by midi12
OK, this is fixed, I just check pThis is equal to EncryptCall to just log outgoing packets ^^
But packets are different from yours, e.g. for Heartbeat I got:
Code:
size : 4
packet : c 0 0 0
Thanks again for the help Cencil :)
Yeah with heartbeat I just meant the movement :)
Change the last flag from 0 to 1 to get an auto sync teleporter with packets :p

Heartbeat movement packet (packed!) under normal conditions:
uint16 packet code (0x0D)
uint16 time1
uint16 time2
float x
float y
float z
uint8 unk
uint16 flags, just set this shit to 0x1
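The packed movement layout listed above, decoded from a raw (pre-encryption) buffer. This is an added example, not code from the thread or from the game: the field offsets come straight from the post's listing (2+2+2+4+4+4+1+2 = 21 bytes, no padding), little-endian byte order is assumed because the byte dumps in the thread show the low byte first, and the sample buffer is constructed for the demonstration rather than captured. The decoder rejects anything that is not a 21-byte 0x0D packet, so a logger hooked before encryption can tell the short 0x0C packet midi12 saw apart from movement instead of misreading it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout of the packed movement packet as listed in the thread:
 * u16 opcode (0x0D), u16 time1, u16 time2, float x, y, z, u8 unk, u16 flags.
 * 2+2+2+4+4+4+1+2 = 21 bytes with no padding, hence the explicit offsets below. */
#define MOVE_OPCODE 0x0D
#define MOVE_LEN    21

typedef struct {
    uint16_t opcode, time1, time2;
    float    x, y, z;
    uint8_t  unk;
    uint16_t flags;
} move_packet_t;

/* Little-endian readers/writers (assumption: byte dumps in the thread such as
 * "c 0 0 0" show the low byte first). Decoding field by field avoids relying
 * on the host's struct packing or endianness. */
static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_u32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static float rd_f32(const uint8_t *p) { float f; uint32_t u = rd_u32(p); memcpy(&f, &u, 4); return f; }
static void wr_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr_u32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr_f32(uint8_t *p, float f) { uint32_t u; memcpy(&u, &f, 4); wr_u32(p, u); }

/* Decode one pre-encryption buffer. Returns 0 on success, -1 if it is not a
 * well-formed movement packet (wrong length or opcode), so a logger can skip it. */
int decode_move_packet(const uint8_t *buf, size_t len, move_packet_t *out)
{
    if (buf == NULL || out == NULL || len != MOVE_LEN) return -1;
    if (rd_u16(buf) != MOVE_OPCODE) return -1;
    out->opcode = rd_u16(buf + 0);
    out->time1  = rd_u16(buf + 2);
    out->time2  = rd_u16(buf + 4);
    out->x      = rd_f32(buf + 6);
    out->y      = rd_f32(buf + 10);
    out->z      = rd_f32(buf + 14);
    out->unk    = buf[18];
    out->flags  = rd_u16(buf + 19);
    return 0;
}

/* Constructed sample (not a real capture): a 0x0D packet at x=123.5, y=-7.25,
 * z=1024 with flags left at 0. Returns the number of bytes written. */
size_t build_sample_move_packet(uint8_t buf[MOVE_LEN])
{
    wr_u16(buf + 0, MOVE_OPCODE);
    wr_u16(buf + 2, 0x1234);
    wr_u16(buf + 4, 0x5678);
    wr_f32(buf + 6, 123.5f);
    wr_f32(buf + 10, -7.25f);
    wr_f32(buf + 14, 1024.0f);
    buf[18] = 0x07;
    wr_u16(buf + 19, 0x0000);
    return MOVE_LEN;
}

/* Decode the constructed sample; used by main() below and by the checks. */
int decode_sample(move_packet_t *out)
{
    uint8_t buf[MOVE_LEN];
    size_t n = build_sample_move_packet(buf);
    return decode_move_packet(buf, n, out);
}

int main(void)
{
    move_packet_t m;
    if (decode_sample(&m) != 0) { puts("not a movement packet"); return 1; }
    printf("op=0x%02X t1=%u t2=%u pos=(%.2f, %.2f, %.2f) unk=%u flags=0x%04X\n",
           m.opcode, m.time1, m.time2, m.x, m.y, m.z, m.unk, m.flags);
    return 0;
}
```

In a logging hook the buffer handed to the encrypt call would be passed to decode_move_packet as-is; because the length check runs before the opcode check, a truncated or differently sized buffer is never read past its end.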
10/20/2012 21:02 midi12#47
Quote:
Originally Posted by Cencil
Yeah with heartbeat I just meant the movement :)
Lol okay ^^ so yes I got D for opcode when I move! Thanks for confirmation!

New offsets:
#define EncryptPacket 0x00A69E40
#define NetworkClass 0x015D0754
10/23/2012 21:40 whitea2#48
Quote:
Originally Posted by Cencil
Yeah with heartbeat I just meant the movement :)
Change the last flag from 0 to 1 to get an auto sync teleporter with packets :p

Heartbeat movement packet under normal conditions:
uint16 packet code (0x0D)
uint16 time1
uint16 time2
float x
float y
float z
uint8 unk
uint16 flags, just set this shit to 0x1
If either of you care to help out a newb with this, I'd be appreciative. I'm able to log the packets using Wireshark which I assume are encrypted (none of the movement packets contain 0x0D or 0x0C). I've found the EncryptPacket function in CE as well. I have no idea what to do from here.

Sorry for the probably unintelligent reply, but I'm new to packet sniffing etc. I have decent knowledge of programming (including asm) but am completely stuck trying to write an autosync teleporter. The easiest approach seems to be packet manipulation, so I thought I'd give it a go. Thanks in advance for any information you may be able to provide.
10/23/2012 22:24 creepsi#49
modify the packet data before it gets encrypted
10/23/2012 22:24 Xereon#50
Quote:
Originally Posted by whitea2
If either of you care to help out a newb with this, I'd be appreciative. I'm able to log the packets using Wireshark which I assume are encrypted (none of the movement packets contain 0x0D or 0x0C). I've found the EncryptPacket function in CE as well. I have no idea what to do from here.

Sorry for the probably unintelligent reply, but I'm new to packet sniffing etc. I have decent knowledge of programming (including asm) but am completely stuck trying to write an autosync teleporter. The easiest approach seems to be packet manipulation, so I thought I'd give it a go. Thanks in advance for any information you may be able to provide.
Get away from CE; "reversing" with CE is kid stuff. Grab a debugger (either OllyDbg or IDA) and break at the EncryptPacket function. If it's really the right function you should be able to retrieve the buffer. Now walk up the call stack to find the SendPacket function.
10/23/2012 23:53 midi12#51
Can anyone share the new mouseover pointers & offsets? I'm not able to retrieve them :/

Quote:
Originally Posted by whitea2
I'm able to log the packets using Wireshark which I assume are encrypted
Wireshark sniffs all packets on your connection, so you will get all outgoing packets from your computer (e.g. web browser etc.); a better way to deal with GW2 packets is the WPE Pro tool, which hooks the Winsock functions (send/recv etc.) 1.1 and 2.0. So you'll get encrypted packets, as you assumed. The only way to deal with unencrypted packets is to detour/hook SendPacket or PacketEncrypt.
Here are some resources for doing this:

C++ :
Detours from Microsoft (the link is to 3.0, but I personally use 1.5, which is friendlier to use and doesn't need to be compiled; just use the .h and .lib)

Hand done detour :
Code:
#include <windows.h>

// Inline (5-byte JMP) detour: overwrites the first `len` bytes of `src` with a
// jump to `dst` and returns a trampoline that runs the displaced bytes and then
// jumps back to src + len. `len` must be >= 5 and cover whole instructions, and
// those instructions must not be position-dependent (no relative jmp/call),
// since they are copied verbatim to a different address.
void *detourFunction(BYTE *src, const BYTE *dst, const int len)
{
	// The trampoline is executed, so it needs executable memory; malloc'd heap
	// memory is not executable under DEP.
	BYTE *jmp = (BYTE*)VirtualAlloc(NULL, len + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	DWORD dwback;
	if (!jmp) return NULL;

	// Keep execute rights while patching (PAGE_READWRITE would drop them).
	VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &dwback);
	memcpy(jmp, src, len);                              // displaced original bytes
	jmp += len;
	jmp[0] = 0xE9;                                      // JMP rel32 back to src + len
	*(DWORD*)(jmp + 1) = (DWORD)(src + len - jmp) - 5;
	src[0] = 0xE9;                                      // JMP rel32 from src to dst
	*(DWORD*)(src + 1) = (DWORD)(dst - src) - 5;
	VirtualProtect(src, len, dwback, &dwback);
	FlushInstructionCache(GetCurrentProcess(), src, len); // don't run stale bytes

	return (jmp - len);                                 // call this to reach the original
}
(Beware: this is highly detectable (public), but you can take inspiration from this code to do it)

ASM:
Just save registers
copy the first bytes
replace them with a jmp to your own function
recopy the copied bytes
???
jmp to the last location

I'm not into ASM coding so this is probably wrong, but just an idea of how this can be done :/
10/24/2012 01:36 *M*#52
Hey Midi, I have an easy way to find mouseover

In Olly I do a byte search for this (3B C3 74 5D D9 45 BC 8B 4D C8), which lands you at the code in question.
Set a breakpoint on the value you want; I usually just find X since Y and Z are only 4/8 bytes away.
From there you can use CE to pointer scan, but anyway the current pointers are:

GW2.exe + 12A3C88 offset 0x80 -X
GW2.exe + 12A3C88 offset 0x84 -Y
GW2.exe + 12A3C88 offset 0x88 -Z
10/24/2012 12:57 midi12#53
Thanks for the explanation!

New offsets :
#define EncryptPacket 0x00A69B50
10/27/2012 19:36 _revo#54
mems updated
10/31/2012 09:38 jultjeboy#55
Hmm, I tried a lot of things but still can't figure out how to do this :S
Can someone send me a quick tutorial?
And is it true you can change your character's level?

Really appreciate it :D
10/31/2012 13:56 whitea2#56
Quote:
Originally Posted by jultjeboy
Hmm, I tried a lot of things but still can't figure out how to do this :S
Can someone send me a quick tutorial?

Really appreciate it :D
If you're referring to memory editing, you can always download Cheat Engine and go through its tutorial. That'll at least get you started.

Quote:
Originally Posted by jultjeboy
And is it true you can change your character's level?
Never heard that before. Seems highly unlikely as that information is stored on the server.
10/31/2012 16:40 creepsi#57
but displayed on the client
11/01/2012 01:49 whitea2#58
Anyone know the new NetClassPtr? I'd love to get back to trying the packet logger.
11/01/2012 14:23 Cencil#59
Quote:
Originally Posted by whitea2
Anyone know the new NetClassPtr? I'd love to get back to trying the packet logger.
Code:
  off_NetworkClass            = $015D0754; // [15898]
  off_EncryptCallAdd          = $1CC;      // [15898]
  off_EncryptPacket           = $00A69C60; // [15898]
11/02/2012 00:10 Rhubarb.Trader#60
Use a pattern or address to find the encrypt packet function in OllyDbg. Set a breakpoint at the start of the encrypt function. Let it hit the breakpoint, press Alt+K to go to the call window, and go to the first entry at the top. Set a new breakpoint there and check what is on the stack in the window.