GW2 Memory Thread

Page 5 of 10 « First 34 5 67 Last »
11/02/2012 22:41 Robban89#61
Is Endurance stored serverside?

"Gw2.exe"+011D3C28

Doesn't seem to be, I can only inject for a few minutes before game crashes.
Thoughts?
11/03/2012 01:04 *M*#62
Yeah It's checked sever side, if you bypass the check and try to dodge extra times it will disconnect back to the character select screen.
11/03/2012 02:16 Xereon#63
Anyone got expirience with map changes on the protocol layer?
11/03/2012 22:21 whitea2#64
Quote:
Originally Posted by Cencil View Post
Yeah with heartbeat I just meant the movement :)
Change the last flag from 0 to 1 to get an auto sync teleporter with packets :p

Heartbeat movement packet under normal conditions:
uint16 packet code (0x0D)
uint16 time1
uint16 time2
float x
float y
float z
uint8 unk
uint16 flags, just set this shit to 0x1
Hey Cencil and thanks for the great work in this thread. Thanks to you, I was able to get a C++ version of your packet logger working :) Care to elaborate on the auto-sync teleporter with packets? I tried modifying the x,y,z and different variations of the flags but had no luck. In my PacketEncrypt detour I simply set x,y,z to some value. Then I modified my physical/visual x,y,z in memory and tried to move. It kept putting me back to original location but was sending movement packets (0x0D) with the location I was trying to teleport to. Any help would be appreciated.
11/04/2012 14:34 Cencil#65
Quote:
Originally Posted by whitea2 View Post
Hey Cencil and thanks for the great work in this thread. Thanks to you, I was able to get a C++ version of your packet logger working :) Care to elaborate on the auto-sync teleporter with packets? I tried modifying the x,y,z and different variations of the flags but had no luck. In my PacketEncrypt detour I simply set x,y,z to some value. Then I modified my physical/visual x,y,z in memory and tried to move. It kept putting me back to original location but was sending movement packets (0x0D) with the location I was trying to teleport to. Any help would be appreciated.
Works fine for me, I just tested it in the packet detour without modifiying my position in the memory.
Code:
    if (wOpCode = $0D) and (packetSize = 21) then
    begin
      with pVec do
      begin
        x := 0;
        y := 0;
        z := 100;
      end;

      Move(pVec, buffer[6], SizeOf(pVec)); // 12 bytes
      wNewFlag := 1;
      Move(wNewFlag, buffer[19], SizeOf(wNewFlag)); // 2 bytes
      pBuffer := @buffer[0];
    end;
Mansual sending also works like a charm.
Code:
  p := TGW2Packet.Create();
  p.PutUInt16($0D);
  p.PutUInt16(1000); // timing 1 (incorrect value but the server doesn't care)
  p.PutUInt16(1000); // timing 2 (incorrect value but the server doesn't care)
  p.PutFloat(100);
  p.PutFloat(100);
  p.PutFloat(50);
  p.PutUInt8(0);
  p.PutUInt16(1); // sync position :)
  p.Send();
  p.Free()
Normally timing 1 and timing 2 are uint32 values. The packet above is packed and just works if you don't use the PutPacketQueue function! Make sure your packet has a size of 28 bytes.
11/04/2012 16:36 whitea2#66
Code:
void _fastcall my_PacketEncrypt(VOID* Unk, VOID* Unk1, int bufferSize, packet* pBuffer, int* pTargetBuffer)
{
	if(bufferSize == 21 && pBuffer->opcode == 0x0D) //movement packet
	{
		cout << "moving\n" << endl;
				
		pBuffer->x = 100;
		pBuffer->y = 100;
		pBuffer->z = 100;

		pBuffer->flags[2] = 1;

		cout << "opcode:" << pBuffer->opcode << "  x:" << pBuffer->x << "  y:" << pBuffer->y << "  z:" << pBuffer->z << endl;
	}

	orig_PacketEncrypt(Unk, Unk1, bufferSize, pBuffer, pTargetBuffer);
}
where packet is defined as a structure:
Code:
struct packet{
	UINT16 opcode;	//2 bytes
	UINT16 Time1;	//2 bytes
	UINT16 Time2;	//2 bytes
	FLOAT x;		//4 bytes
	FLOAT y;		//4 bytes
	FLOAT z;		//4 bytes
	CHAR flags[3];	//3 bytes
};
and orig_PacketEncrypt is defined as
Code:
typedef VOID (_fastcall *tPacketEncrypt)(VOID* Unk, VOID* Unk1, int bufferSize, packet* pBuffer, int* pTargetBuffer);
VOID _fastcall my_PacketEncrypt(VOID* Unk, VOID* Unk1, int bufferSize, packet* pBuffer, int* pTargetBuffer);
tPacketEncrypt orig_PacketEncrypt = (tPacketEncrypt)(0x00A69C60);
Got it working, thanks so much! The problem was my structure of pBuffer. Flags were not 'changed' the way I thought they would be. :)
11/05/2012 20:29 GeForce66#67
i know it is a lot work, but can somebody please upload a video which shows how to find the multilevel pointer for e.g. player x-y-z coordinates??
i did the multilevel pointer tutorial in CE but i can´t figure it out @ GW2.
Maybe some can explain (;
11/06/2012 16:36 derrod#68
Hi Leute,
bin neu in der Bot-Programmierung! Kann mir bitte irgendeiner die Begriffe der Memories erklären also z.b.:

Quote:
RotCos = 0x016A55C0
RotSin = 0x016A55C4
oder

Quote:
Base PreTargetPos = 0x015D359C
Offset1 = 0x8c
OffsetPosX = 0x78
OffsetPosY = 0x7C
OffsetPosZ = 0x80

Base Adrenaline = 0x016A5600
Offset1 = 0x184
Offset2 = 0x2C
Manche sachen (z.B Autowalk) sind ja selbsterklärend aber bei den oben genannten, bin ich selbst nach googlen nicht raufgekommen!

Danke für eure Hilfe!
Derrod
11/06/2012 19:40 i4mSoH34Vy#69
Quote:
Originally Posted by derrod View Post
Hi Leute,
bin neu in der Bot-Programmierung! Kann mir bitte irgendeiner die Begriffe der Memories erklären also z.b.:



oder



Manche sachen (z.B Autowalk) sind ja selbsterklärend aber bei den oben genannten, bin ich selbst nach googlen nicht raufgekommen!

Danke für eure Hilfe!
Derrod
RotCos wird wahrscheinlich der Cosinus der Kamera sein und
RotSin der Sinus
PreTargetPos damit kannst wahrscheinlich die Position des vorherigen Ziels auslesen (X,Y und Z)
Adrenalin kannst wahrscheinlich das Adrenalin auslesen
11/07/2012 12:39 _revo#70
Quote:
Originally Posted by derrod View Post
Manche sachen (z.B Autowalk) sind ja selbsterklärend aber bei den oben genannten, bin ich selbst nach googlen nicht raufgekommen!

Danke für eure Hilfe!
Derrod
Wenn man zu einem Agent schaut sieht man schon den Lebenspunktebalken, er wird also schon vorausgewählt, ist aber noch nicht im target.
Sobald er dann ausgewählt ist, ist PreTarget gleich target.
11/08/2012 14:14 Cencil#71
A small function update for 15977

Code:
004065F0 GetNetworkClassPtr
00B1C2A0 GetCliContext
00AEAE70 GetAsContext
00B1CC90 GetControlledCharacter
00B2AA90 Character::GetPlayer
00B32150 Character::IsAlive
00B32180 Character::IsDowned
00B321E0 Character::IsInWater
00B32240 Character::IsPlayer
00BF0430 Character::GetAgent
00B1C270 GetPlayerFromListById
00A66D50 Msg::DispatchStream
00A68420 Msg::GetPacketHandler
00A69C20 DeEncryptPacket
00A674E0 PutPacketQueue
00A7A140 PutPacketQueueCallProxy
00B61BD0 ProcessChatInput
00B658C0 PH_ChatMessage // packethandler for 0x133
00A7C390 SendMoveJump
00A7DB50 SendMoveStart
00A7DD10 SendMoveTurn
The PutPacketQueue function requires the unpacked packet buffer.
For example:
Code:
  if (FMover.SetPosition(Position)) then
  begin
    p := TGW2Packet.Create(28);
    p.PutUInt16($0D);
    p.PutUInt32(dwTiming);
    p.PutUInt32(dwTiming);
    p.PutVec3(Position);
    p.PutUInt32(0);
    p.PutUInt16(0);
    p.Send();
    p.Free();
  end;

  // send call

  asm
    push pBuf
    mov eax, $00A67BF0
    call eax
    mov edx, $1C // unpacked size
    mov ecx, eax
    mov eax, $00A674E0
    call eax
  end;
After you called it gw packs, encrypts and sends the packet for you.
11/08/2012 23:10 Rorouni#72
Quote:
Originally Posted by i4mSoH34Vy View Post
RotCos wird wahrscheinlich der Cosinus der Kamera sein und
RotSin der Sinus
PreTargetPos damit kannst wahrscheinlich die Position des vorherigen Ziels auslesen (X,Y und Z)
Adrenalin kannst wahrscheinlich das Adrenalin auslesen
RotCos is the cosinus player's facing not camera's. If you rotate your character you can see that those values change from -1 to 1 (4 peaks for north,west,south,east). You can calculate angle of facing using arc functions (atan2 in our case, which is included in pretty much every language).
11/09/2012 19:16 derrod#73
Thanks, but the problem is that I get values like 3212104670 or 1065259685!
11/09/2012 19:21 whitea2#74
Quote:
Originally Posted by Cencil View Post
A small function update for 15977
...
The PutPacketQueue function requires the unpacked packet buffer.
For example:
Code:
  if (FMover.SetPosition(Position)) then
  begin
    p := TGW2Packet.Create(28);
    p.PutUInt16($0D);
    p.PutUInt32(dwTiming);
    p.PutUInt32(dwTiming);
    p.PutVec3(Position);
    p.PutUInt32(0);
    p.PutUInt16(0);
    p.Send();
    p.Free();
  end;

  // send call

  asm
    push pBuf
    mov eax, $00A67BF0
    call eax
    mov edx, $1C // unpacked size
    mov ecx, eax
    mov eax, $00A674E0
    call eax
  end;
After you called it gw packs, encrypts and sends the packet for you.
Do you mind explaining the first 2 lines of the assembly? Is pBuf the pointer to your packet to send? Why is there a need to call $00A67BF0 (better yet, what function is that)?

Thanks so much for all the information you've put in this thread. I've learned so much and have gotten a ton of this working (main problem now is figuring out how to get a thread to execute code in the GW2 address space). Thanks again for all of the work you've freely shared!
11/09/2012 19:46 Cencil#75
Quote:
Originally Posted by whitea2 View Post
Do you mind explaining the first 2 lines of the assembly? Is pBuf the pointer to your packet to send? Why is there a need to call $00A67BF0 (better yet, what function is that)?

Thanks so much for all the information you've put in this thread. I've learned so much and have gotten a ton of this working (main problem now is figuring out how to get a thread to execute code in the GW2 address space). Thanks again for all of the work you've freely shared!
I didn't reversed what the function result from 0x00A67BF0 does in PutPacketQueue, but it seems to be fine for all movement packets.
PutPackQueue itself is a ms fastcall function. The third parameter is the buffer, as you already noticed.

To run my code in the correct threads I hook 0x00414450 (you can call it GameLoop or whatever you want) and ProcessChatInput.
Page 5 of 10 « First 34 5 67 Last »