Memory reading - How is target HP hidden?

11/29/2015 23:22 14422#1
I was going to make a DPS meter for the game but found out that I can't even find any proper presentation of the target HP value.

I tried searching all the value types and played with decreasing/increasing values, even in reverse order, but found nothing that followed the changes properly in the end.

So, does anyone happen to know how to read target HP value in Guild Wars 2?
12/05/2015 10:55 merphz#2
The targetAgent is located in AsContext. Find the ChCliCharacter this belongs to (there's probably a pointer in agchar to the character, or iterate through the character array) and get the health value from ChCliHealth. The health offset can be easily found by searching for the m_health assert.

A better way to calculate dps would be to use
Code:
AsCombatEventManager::DisplayDamage

// found using this assert: "type < AGENT_STATUS_COMBAT_EVENT_TYPE"
const static BYTE PATTERN[] = {
	0x83, 0xEC, 0x2C,       // sub esp, 0x2C (stack size)
	0x83, 0x7D, 0x08, 0x2F, // cmp [ebp+arg_0], 2Fh (AGENT_STATUS_COMBAT_EVENT_TYPES)
	0x53,                   // push ebx
	0x56,                   // push esi
	0x57,                   // push edi
	0x8B, 0xF1,             // mov esi, ecx
	0x7C, 0x14,             // jl 0x14 (offset)
	0x68, '?', 0x00, 0x00, 0x00 }; // push <line number> for the assertion function; '?' marks a wildcard byte the
	                               // matcher must skip (a plain byte compare would look for 0x3F), since line numbers change between builds
It shows damage numbers on the screen. This way you can calculate your own DPS and separate condition damage.
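The signature above only works if the matcher treats the `'?'` position as "any byte". As an added example (not merphz's code and not anything from the game client), the following C++ program parses a signature written in the usual textual form, so the wildcard cannot be confused with the literal byte 0x3F, and scans a byte buffer for it. The buffer is constructed here: NOP filler, the prologue bytes from the post with an arbitrary 0x1A standing in for the line number, and INT3 padding. The matching logic is the same one YARA-style detection rules use when they carry wildcard bytes; on a real module you would restrict the scan to executable sections and check that the signature matches exactly once.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

// A signature: concrete bytes plus a parallel mask of wildcard positions.
struct Signature {
    std::vector<uint8_t> bytes;
    std::vector<bool> wild;   // true where the byte is ignored during matching
};

static int hex_digit(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Parse "83 EC 2C ? 00" (or "??" for a wildcard) into a Signature.
// Returns nullopt for malformed text so a typo cannot silently become a byte.
std::optional<Signature> parse_signature(const std::string& text) {
    Signature sig;
    size_t i = 0;
    while (i < text.size()) {
        if (text[i] == ' ') { ++i; continue; }
        if (text[i] == '?') {
            sig.bytes.push_back(0);
            sig.wild.push_back(true);
            ++i;
            if (i < text.size() && text[i] == '?') ++i;
            continue;
        }
        if (i + 1 >= text.size()) return std::nullopt;       // lone trailing digit
        int hi = hex_digit(text[i]), lo = hex_digit(text[i + 1]);
        if (hi < 0 || lo < 0) return std::nullopt;            // not a hex pair
        sig.bytes.push_back(static_cast<uint8_t>(hi * 16 + lo));
        sig.wild.push_back(false);
        i += 2;
    }
    if (sig.bytes.empty()) return std::nullopt;
    return sig;
}

// Linear scan over `hay`; returns the offset of the first match, if any.
std::optional<size_t> find_signature(const std::vector<uint8_t>& hay, const Signature& sig) {
    const size_t n = sig.bytes.size();
    if (n == 0 || n > hay.size()) return std::nullopt;
    for (size_t off = 0; off + n <= hay.size(); ++off) {
        size_t k = 0;
        while (k < n && (sig.wild[k] || hay[off + k] == sig.bytes[k])) ++k;
        if (k == n) return off;
    }
    return std::nullopt;
}

// Constructed sample buffer (not real client memory): 32 bytes of NOP filler,
// the prologue from the post with 0x1A as a made-up line number, 32 bytes of INT3.
std::vector<uint8_t> sample_buffer() {
    std::vector<uint8_t> buf(32, 0x90);
    const uint8_t prologue[] = {
        0x83, 0xEC, 0x2C, 0x83, 0x7D, 0x08, 0x2F, 0x53, 0x56, 0x57,
        0x8B, 0xF1, 0x7C, 0x14, 0x68, 0x1A, 0x00, 0x00, 0x00 };
    buf.insert(buf.end(), std::begin(prologue), std::end(prologue));
    buf.resize(buf.size() + 32, 0xCC);
    return buf;
}

// The post's pattern in textual form; '?' is the line-number byte.
const char* const DISPLAY_DAMAGE_SIG =
    "83 EC 2C 83 7D 08 2F 53 56 57 8B F1 7C 14 68 ? 00 00 00";

int main() {
    auto sig = parse_signature(DISPLAY_DAMAGE_SIG);
    if (!sig) { std::puts("bad signature"); return 1; }
    auto off = find_signature(sample_buffer(), *sig);
    if (off) std::printf("match at offset %zu\n", *off);
    else     std::puts("no match");
    return 0;
}
```

The scanner returns the first hit only; for a real signature you would run it to completion and reject signatures that match more than once, because a non-unique pattern resolves to the wrong function after the next client build.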
12/08/2015 02:03 endgame003#3
thanks Good Work :] :D :D :D
12/08/2015 16:09 14422#4
Haven't done that level of memory reading yet, but I guess it's time to learn!
12/14/2015 01:04 14422#5
Apparently people start by reverse engineering the client with some compiler and then mixing in a hex editor and so on to find the "getCliContext" for the known offsets, but I was wondering whether this can be done somehow with Cheat Engine alone?

At least following HP changes of the target and then showing it in the disassembler leads me close to the AsContext stuff, but I do not know how to continue this, as none of the guides did this with Cheat Engine.

So, any knowledge of how the process goes with Cheat Engine?
12/14/2015 10:14 merphz#6
Quote:
Originally Posted by 14422 View Post
Apparently people start by reverse engineering the client with some compiler and then mixing in a hex editor and so on to find the "getCliContext" for the known offsets, but I was wondering whether this can be done somehow with Cheat Engine alone?

At least following HP changes of the target and then showing it in the disassembler leads me close to the AsContext stuff, but I do not know how to continue this, as none of the guides did this with Cheat Engine.

So, any knowledge of how the process goes with Cheat Engine?
I use IDA as disassembler.

You could do this using CE too. You could find it with the CE pointer scan by doing a pointer scan for an address that is located somewhere in cliContext (e.g. controlledPlayer). You can easily find out information about the object by looking at the vtable.

The vtable of the AsContext ends where the assert stuff begins. Usually the first entry of the vtable is referenced in the constructor. The constructor usually contains a lot of juicy stuff.

Why do you want to limit yourself by using only CE?
12/14/2015 14:48 Xereon#7
Any polymorphic object is always laid out as:

Code:
Base1_VftablePtr (only if Base1 is polymorphic)
Base1_member1
Base1_member2
...
Base2_VftablePtr (only if Base2 is polymorphic)
Base2_member1
...
Child_VftablePtr (only if Child is polymorphic)
Child_member1
...
Virtual calls usually look something like this:
Code:
mov eax, [ecx + offset]     // eax now holds the vftable pointer
mov eax, [eax + funcOffset] // funcOffset = n * 4 on 32-bit, n * 8 on 64-bit, where n is the index of the n-th declared virtual function
push ...
push ...
call eax
To find out about the layout of a class, it's usually sufficient to look at the actual virtual calls. If you need the actual vftable pointers, it's usually sufficient to simply break on any code part where an object of a class you are interested in is used and inspect the object at runtime.
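As an added illustration of the layout and the call sequence described above (it is not Xereon's code and has nothing to do with the game's real classes), the following C++ program builds a small hierarchy with two polymorphic bases, measures where the first member and the second base's vftable pointer land, and then performs the `mov eax,[ecx]; mov eax,[eax+n*sizeof(void*)]; call eax` sequence by hand: it reads the vptr out of the object with `memcpy`, picks slot n, and calls it with `this` as the first argument. The class names `HealthLike`, `NameLike` and `CharacterLike` are hypothetical stand-ins. The raw call relies on the platform ABI passing `this` like an ordinary first parameter (Itanium/SysV x86-64, also MSVC x64) and is not portable C++; it is here only to show what the disassembly is doing.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical stand-ins for the game's classes; the names are assumptions.
struct HealthLike {                                    // polymorphic: vptr at offset 0
    virtual int GetMax() const { return 1000; }        // vtable slot 0
    virtual int GetCurrent() const { return current; } // vtable slot 1
    int current = 640;                                 // first member follows the vptr
};

struct NameLike {                                      // second polymorphic base
    virtual int NameLength() const { return 5; }       // its own vtable, slot 0
    int id = 42;
};

struct CharacterLike : HealthLike, NameLike {          // Base1, Base2, then child members
    int level = 80;
};

// Offset of the first member after the vptr (sizeof(void*) on the common ABIs).
size_t offset_of_current() {
    HealthLike h;
    return static_cast<size_t>(reinterpret_cast<const char*>(&h.current) -
                               reinterpret_cast<const char*>(&h));
}

// Offset of the second base subobject (and thus of its vptr) inside the child.
// The derived-to-base conversion performs the pointer adjustment for us.
size_t offset_of_second_base() {
    CharacterLike c;
    const NameLike* second = &c;
    return static_cast<size_t>(reinterpret_cast<const char*>(second) -
                               reinterpret_cast<const char*>(&c));
}

// Read vtable entry `slot` of the polymorphic object at `obj`, i.e. the two
// loads "mov eax,[ecx]" and "mov eax,[eax + slot*sizeof(void*)]".
// memcpy keeps the reads well-defined with respect to aliasing rules.
uintptr_t read_vtable_slot(const void* obj, size_t slot) {
    uintptr_t vptr = 0;
    std::memcpy(&vptr, obj, sizeof vptr);
    uintptr_t entry = 0;
    std::memcpy(&entry, reinterpret_cast<const char*>(vptr) + slot * sizeof(void*), sizeof entry);
    return entry;
}

// The "call eax" step: invoke the slot as an int getter with `this` as first argument.
// ABI-dependent, shown only to mirror the disassembly.
int call_slot_as_int_getter(const void* obj, size_t slot) {
    using Getter = int (*)(const void*);
    Getter fn = reinterpret_cast<Getter>(read_vtable_slot(obj, slot));
    return fn(obj);
}

int current_via_vtable() {
    HealthLike h;
    h.current = 321;                       // change the member, then read it through slot 1
    return call_slot_as_int_getter(&h, 1);
}

int main() {
    std::printf("first member at +%zu, second base at +%zu (sizeof(HealthLike) = %zu)\n",
                offset_of_current(), offset_of_second_base(), sizeof(HealthLike));
    std::printf("slot 1 via raw vtable call: %d\n", current_via_vtable());
    return 0;
}
```

The second-base offset equals `sizeof(HealthLike)`, which is exactly the "Base1_VftablePtr, Base1 members, Base2_VftablePtr" order in the layout above; when you break on a live object in a debugger, the pointer-sized values at those offsets are what identify the class.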
12/17/2015 16:14 14422#8
Quote:
Originally Posted by merphz View Post
Why do you want to limit yourself by using only CE?
First, I'd like to thank you for the info!

About CE, I just thought it would be the easiest way for me, as I'm only trying to make a DPS meter here and nothing else. I don't have any experience with disassemblers.

Gotta try this stuff when I manage to get more time. Cheers o/
12/22/2015 02:36 14422#9
So yeah, no chance. This stuff can't just be figured out with IDA and CE.

Why are there no guides about using reverse engineering as part of memory reading? People seem like they are trying to hide it, unlike pointer scanning, which has so many guides, tutorials and so on available around the net. Of course there's stuff about learning assembly, but nothing past that. :confused:

Is GW2 some kind of special case where reverse engineering is needed for memory reading? Before this I've managed to do all the memory reading with just CE, without going into the assembly level.