[Free Source] BDO Market Bot/Animation Speedhack

a882794 · 08/27/2018, 17:21

This no longer works

pachela · 08/27/2018, 21:32

Hey guys. How to find this?
#define ATA_LUA_GETTOP
I finding getTopValue only. Or it's same?

Ustonovic · 09/05/2018, 17:06

Quote:

Originally Posted by StaffiStaff

I've tried to do this but it seems im failing. Anyone one knows what im doing wrong?

" Severity Code Description Project File Line Suppression State
Error C4996 'localtime': This function or variable may be unsafe. Consider using localtime_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.

I mean, the solution to this error is literally the last sentence in the error message.

KaliMinion · 09/05/2018, 19:40

Quote:

Originally Posted by pachela

Hey guys. How to find this?
#define ATA_LUA_GETTOP
I finding getTopValue only. Or it's same?

LUA_GETTOP was a lil tricky, so I'll explain it a bit.

First, let's look at the Lua source code and let's find out which version of Lua Black Desert is using. After unpacking the BlackDesert64.exe, rebuilding any PE headers, and opening it up in IDA, do a search for "lua" and find a line similar to this:

Quote:

___:000000014294ADE0 0000008D C $Lua: Lua 5.1.5 Copyright (C) 1994-2012 Lua.org, PUC-Rio $\n$Authors: R. Ierusalimschy, L. H. de Figueiredo & W. Celes $\n$URL: $\n

We now know that BDO uses Lua 5.1.5.

So, if we go to the original source for 5.1.5, we find this page:

The file we're looking for is lbaselib.c (

).

Code:

/*
** If your system does not support `stdout', you can just remove this function.
** If you need, you can define your own `print' function, following this
** model but changing `fputs' to put the strings at a proper place
** (a console window or a log file, for instance).
*/
static int luaB_print (lua_State *L) {
  int n = lua_gettop(L);  /* number of arguments */
  int i;
  lua_getglobal(L, "tostring");
  for (i=1; i<=n; i++) {
    const char *s;
    lua_pushvalue(L, -1);  /* function to be called */
    lua_pushvalue(L, i);   /* value to print */
    lua_call(L, 1, 1);
    s = lua_tostring(L, -1);  /* get result */
    if (s == NULL)
      return luaL_error(L, LUA_QL("tostring") " must return a string to "
                           LUA_QL("print"));
    if (i>1) fputs("\t", stdout);
    fputs(s, stdout);
    lua_pop(L, 1);  /* pop result */
  }
  fputs("\n", stdout);
  return 0;

This is near the top of the file, the line we're interested in is line 32, " int n = lua_gettop(L); /* number of arguments */"

However, as you've already noticed, there is no "gettop" string relating to Lua, just a random gettopvalue which is not what we're looking for. So what do we do? Well, right below that is a lua_getglobal function calling for tostring, so let's look and see if IDA has that.

Quote:

___:000000014294BB68 00000009 C tostring

Success, let's follow up on this lead. Double click the string and xref aToString.

Code:

___:0000000141667640
___:0000000141667640 ; =============== S U B R O U T I N E =======================================
___:0000000141667640
___:0000000141667640
___:0000000141667640 sub_141667640   proc near
___:0000000141667640
___:0000000141667640 arg_0           = qword ptr  8
___:0000000141667640 arg_8           = qword ptr  10h
___:0000000141667640 arg_10          = qword ptr  18h
___:0000000141667640
___:0000000141667640                 mov     [rsp+arg_0], rbx
___:0000000141667645                 mov     [rsp+arg_8], rbp
___:000000014166764A                 mov     [rsp+arg_10], rsi
___:000000014166764F                 push    rdi
___:0000000141667650                 sub     rsp, 20h
___:0000000141667654                 mov     rdi, rcx
___:0000000141667657                 call    sub_14165A110
___:000000014166765C                 lea     r8, aTostring   ; "tostring"
___:0000000141667663                 mov     edx, 0FFFFD8EEh
___:0000000141667668                 mov     rcx, rdi
___:000000014166766B                 mov     ebp, eax
___:000000014166766D                 call    sub_14165A010
___:0000000141667672                 mov     ebx, 1
___:0000000141667677                 cmp     ebp, ebx
___:0000000141667679                 jl      loc_141667705
___:000000014166767F                 nop

If you use IDA Pro, you can then progress further examining the Psuedocode:

Code:

__int64 __fastcall sub_141667640(__int64 a1)
{
  __int64 v1; // rdi@1
  int v2; // ebp@1
  signed int i; // ebx@1
  const char *v4; // rax@2
  const char *v5; // rsi@2
  FILE *v6; // rax@4
  FILE *v7; // rax@5
  FILE *v8; // rax@6

  v1 = a1;
  v2 = sub_14165A110();
  sub_14165A010(v1, 4294957294i64, "tostring");
  for ( i = 1; i <= v2; ++i )
  {
    sub_14165A810(v1, 0xFFFFFFFFi64);
    sub_14165A810(v1, (unsigned int)i);
    sub_141659BA0(v1, 1i64, 1i64);
    LODWORD(v4) = sub_14165AF70(v1, 0xFFFFFFFFi64, 0i64);
    v5 = v4;
    if ( !v4 )
      sub_14165BA20(v1, "'tostring' must return a string to 'print'");
    if ( i > 1 )
    {
      LODWORD(v6) = j___acrt_iob_func(1i64);
      j_fputs("\t", v6);
    }
    LODWORD(v7) = j___acrt_iob_func(1i64);
    j_fputs(v5, v7);
    sub_14165AD90(v1, 4294967294i64);
  }
  LODWORD(v8) = j___acrt_iob_func(1i64);
  j_fputs("\n", v8);
  return 0i64;
}

We have two very similar lines here.
Lua Source:

Quote:

return luaL_error(L, LUA_QL("tostring") " must return a string to "
LUA_QL("print"));

IDA Psuedocode:

Quote:

sub_14165BA20(v1, "'tostring' must return a string to 'print'");

So we now have confirmed that this is the exact spot of the source clip above. Looking back at the Lua Source:

Code:

static int luaB_print (lua_State *L) {
  int n = lua_gettop(L);  /* number of arguments */
  int i;
  lua_getglobal(L, "tostring");

We can see that lua_gettop is called 2 lines above "tostring". Let's look at the Psuedocode again:

Code:

  v1 = a1;
  v2 = sub_14165A110();
  sub_14165A010(v1, 4294957294i64, "tostring");

There isn't a function called two lines above, however there is one called one line above. Let's investigate further:

Code:

__int64 __fastcall sub_14165A110(__int64 a1)
{
  return (*(_QWORD *)(a1 + 16) - *(_QWORD *)(a1 + 24)) >> 4;
}

In IDA, this is the Psuedocode used to represent LUA_GETTOP. So your address would be: 0x000000014165A110. I'd like to remind anyone reading this in the future that this address is only valid for build 290475 (NA).

Kmrdrow · 09/13/2018, 06:19

Willing to pay 20 bucks via paypal or 2k pearls in bdo for a working copy of this. PM me please.

Ustonovic · 09/13/2018, 16:28

Quote:

Originally Posted by KaliMinion

~

Nice guide. Tip: When you found the function, you can easily create a pattern for future updates. You can literally use the full function bytes as pattern.

whosdatdev · 09/19/2018, 02:12

Quote:

Originally Posted by KaliMinion

... After unpacking the BlackDesert64.exe, rebuilding any PE headers ...

May I ask how you unpacked it? Did you dump it with some tool? What did you use to rebuild PE headers?

ZERREZ · 09/19/2018, 15:09

Is this working? i have no experience at all bdo is my first MMO and 2nd computer game ive ever played if someone is willing to help me out id really appreciate it.

Hangook · 09/20/2018, 04:44

I am willing to pay for a marketplace bot. I dont need anything other hacks just marketplace bot

HyperZett · 09/23/2018, 09:03

Quote:

Originally Posted by KaliMinion

Did you ever manage to figure out how to do this ? Or does it require some digging... somewhere

Can't really see how 14,019 becomes 50,345,667 with +3

After some tinkering i think items are represented as 4 bytes, where the first byte is the enhancement information.

The +0 item would be 14019 as 4 byte hex

Code:

00 00 36 c3

The +3 item would be 50345667 as 4 byte hex

Code:

03 00 36 c3

Btw, thanks for all the information in this thread, really appreciated.

So far I'm at the point to get the warehouse money in the console, but as soon as an item appears in the market the game just freezes, propably got some of the bidding/price adresses wrong.

I'll keep on trying but I'd welcome any help!

R3p · 09/23/2018, 09:40

exactly

they call this the itemEnchantKeyRaw which is a combination of itemId and enchantlevel

C3 36 00 03

2 bytes itemId and the last byte enchantlevel

KaliMinion · 09/23/2018, 11:22

I would have never guessed that. Very interesting

00 00 36 C3 = 14019
01 00 36 C3 = 16791235
02 00 36 C3 = 33568451
03 00 36 C3 = 50345667

etc, thanks guys

Not even playing the game currently, but it's nice that I understand how that works now.

Farolly · 09/24/2018, 20:15

Impossibru!111

Fayker · 09/25/2018, 13:09

Its so fascinating you guys talking with numbers. I don't understand none of that.. but is awsome!

Btw ty for the "mini" guide, Im sure some people will aprecciate the share. But for me I think I still need alot of background to keep up and fully understand the mindset needed to R.E. One of my future "need to know" wishes ... when I retire.

MastaDan9 · 10/05/2018, 15:37

Quote:

Originally Posted by KaliMinion

I would have never guessed that. Very interesting

00 00 36 C3 = 14019
01 00 36 C3 = 16791235
02 00 36 C3 = 33568451
03 00 36 C3 = 50345667

etc, thanks guys

Not even playing the game currently, but it's nice that I understand how that works now.

Hello! Good man) Thank you very much for your lessons. They help me to understand all this. P. S. Do I understand correctly that would accelerate the speed of the animation I need the localplayer? Sorry about my English, translator.