Finding Base Addresses and Offsets on a Server: Challenges with GetTargetVID and Poin

07/26/2024 08:54 xpr01#1
Hello,

I am currently working on finding base addresses and offsets on a server. While I can find these without issues on unprotected servers, I am facing challenges with the server I am currently working on. So far, I've only managed to find certain values like playerX, MountX, Weapon-Type, but I am not sure about GetTargetVID; it returns unusually high values. For example, when I right-click on skill trainers, their values increment by +1 sequentially. I am trying to use these values to find the attack value, but the pointers I've found are not effective. Also, when I use the value from GetTargetVID and place it there, it doesn't work. Additionally, when searching pointers through Reference Strings, I encounter the following error: "CInstanceBase::PushTCPState You can't send move packets to yourself!"
07/27/2024 17:16 martinx1#2
I have heard of some servers doing encryption on VIDs somehow. What I usually recommend is to reconstruct the instance mapping by yourself. Hook the recv function and inspect each packet coming in; this is slightly more complicated, but I believe it produces a better result in the end.
This way you are 100% sure what the VIDs are, and as a bonus you get more information about the instance without any additional offsets.
07/27/2024 18:32 xpr01#3
Quote:
Originally Posted by martinx1
I have heard of some servers doing encryption on VIDs somehow. What I usually recommend is to reconstruct the instance mapping by yourself. Hook the recv function and inspect each packet coming in; this is slightly more complicated, but I believe it produces a better result in the end.
This way you are 100% sure what the VIDs are, and as a bonus you get more information about the instance without any additional offsets.
I haven't heard of or tried the method you're describing. Could you provide a bit more detail or help me understand how it's done?
07/29/2024 22:22 martinx1#4
There are multiple ways to accomplish this...
But before jumping into that, let's try to understand what a client is and how it works.
The client is nothing more than a bunch of logic that interprets the packets sent by the server, displays the graphics and resends data according to user input.

In theory, if we know what the client receives and sends, we don't even need it to inject our logic.
Obviously the game uses encryption to talk to the server, so you either have to reverse the entire encryption and do a man-in-the-middle while coding the entire game logic (this would be a clientless bot), which is not a trivial task, or you can go the easy way and inject shellcode or a DLL into the process and hook the recv/send functions after encryption/decryption.

Using a simple JMP hook on those functions, you can inspect the packets and do whatever you want with them. You just need the 2 function patterns (or only 1 if you only intend to receive data) and figure out the headers for each packet, which can be done using static analysis of the binary or just printing out every single packet into a terminal and going by trial and error. Also take into consideration that there are packets with variable size without a header; those are a bit more tricky to deal with.

If you don't want to have all this work of finding the headers of each packet, you can hook just the functions that receive the particular packet you want.
For example the functions "RemoveActor" and "__RecvCharacterAppendPacket", which handle the packets for deleting and adding a character, respectively.

To be honest, I'd rather use one of the techniques I mentioned instead of finding out the pointer/offset to the underlying map structure of the entities. With this approach you can code using an event-driven approach instead of needing to constantly loop through the entity list; this gives you more freedom to build your entity data structure according to your needs, and you also don't need to think about concurrency in case you are using a remote thread, which can be a big pain in the ass.