GW2 Memory Thread

[Cencil]

Quote:

Originally Posted by midi12

Ok, this is fixed, i just check pThis is equal to EncryptCall to just log outgoing packet ^^"
But packets are differents than your, eg for Heartbeat i got:

Code:

size : 4
packet : c 0 0 0

Thanks again for help Cencil

Yeah with heartbeat I just meant the movement
Change the last flag from 0 to 1 to get an auto sync teleporter with packets

Heartbeat movement packet (packed!) under normal conditions:
uint16 packet code (0x0D)
uint16 time1
uint16 time2
float x
float y
float z
uint8 unk
uint16 flags, just set this **** to 0x1

[midi12]

Quote:

Originally Posted by Cencil

Yeah with heartbeat I just meant the movement

Lol okay ^^ so yes I got D for opcode when I move ! Thanks for confirmation !

new offsets :
#define EncryptPacket 0x00A69E40
#define NetworkClass 0x015D0754

[whitea2]

Quote:

Originally Posted by Cencil

Yeah with heartbeat I just meant the movement
Change the last flag from 0 to 1 to get an auto sync teleporter with packets

Heartbeat movement packet under normal conditions:
uint16 packet code (0x0D)
uint16 time1
uint16 time2
float x
float y
float z
uint8 unk
uint16 flags, just set this **** to 0x1

If either of you care to help out a newb with this, I'd be appreciative. I'm able to log the packets using Wireshark which I assume are encrypted (none of the movement packets contain 0x0D or 0x0C). I've found the EncryptPacket function in CE as well. I have no idea what to do from here.

Sorry for the probable unintelligent reply but I'm new to packet sniffing etc. I have decent knowledge with programming (including .asm) but am completely stuck in trying to write an autosync teleporter. The easiest approach seems to be by packet manipulation so I thought I'd give it a go. Thanks in advance for any information you may be able to provide.

[creepsi]

modify the packet data before it gets encrypted

[Xereon]

Quote:

Originally Posted by whitea2

If either of you care to help out a newb with this, I'd be appreciative. I'm able to log the packets using Wireshark which I assume are encrypted (none of the movement packets contain 0x0D or 0x0C). I've found the EncryptPacket function in CE as well. I have no idea what to do from here.

Sorry for the probable unintelligent reply but I'm new to packet sniffing etc. I have decent knowledge with programming (including .asm) but am completely stuck in trying to write an autosync teleporter. The easiest approach seems to be by packet manipulation so I thought I'd give it a go. Thanks in advance for any information you may be able to provide.

Get away from CE; "reversing" with CE is kid stuff; grab a debuger (either ollydbg or ida) and break at the EncryptPacket function. If its really the right function you should be able to retrieve the buffer. Now walk up the callstack to find the SendPacket function.

[midi12]

Anyone can share the new mouseovers' pointers & offsets ? I'm not able to retrieves them :/

Quote:

Originally Posted by whitea2

I'm able to log the packets using Wireshark which I assume are encrypted

Wireshark sniff all packets on your connection, so your will get all packets outgoing from your computer (eg : net browser ect..), a best way to deal with Gw2 packets is WPE Pro tool, who hook winsocks function (send/recv ect) 1.1 and 2.0. So you'll get encrypted packets as you assumed. The only way to deal with unencrypted packets is to detour/hook SendPacket or PacketEncrypt.
Here some ressource to doing this :

C++ :
Detours from Microsoft : (here is 3.0 but i personnaly use 1.5, which is most firendly to use and don't need to be compiled, just use the .h and .lib)

Hand done detour :

Code:

void *detourFunction(BYTE *src, const BYTE *dst, const int len)
{
	BYTE *jmp = (BYTE*)malloc(len + 5);
	DWORD dwback;

	VirtualProtect(src, len, PAGE_READWRITE, &dwback);
	memcpy(jmp, src, len);
	jmp += len;
	jmp[0] = 0xE9;
	*(DWORD*)(jmp + 1) = (DWORD)(src + len - jmp) - 5;
	src[0] = 0xE9;
	*(DWORD*)(src + 1) = (DWORD)(dst - src) - 5;
	VirtualProtect(src, len, dwback, &dwback);

	return (jmp - len);
}

(Beware this is highly detectable (public) but you can be inspired by this code to do it)

ASM:
Just save registers
copy firsts bytes
replace with a jmp to your own function
recopy copied bytes
???
jmp to last location



I'm not in ASM coding so this is probably wrong, but just a idea how this can be done :/

[*M*]

Hey Midi, I have an easy way to find mouse over

In olly I do a byte search for this (3B C3 74 5D D9 45 BC 8B 4D C8) which lands you at this code:

Set a breakpoint on the value you want, I usually just find X since y and z are only 4/8 bytes away
From there you can use CE to pointer scan but anyway the current pointers are:

GW2.exe + 12A3C88 offset 0x80 -X
GW2.exe + 12A3C88 offset 0x84 -Y
GW2.exe + 12A3C88 offset 0x88 -Z

[midi12]

Thanks for the explanation !

New offsets :
#define EncryptPacket 0x00A69B50

[_revo]

mems updated

[jultjeboy]

Hmm I tried alot of things but still cant figure it out how to do this :S
Can someone send me quick tutorial?
And is it true u can change ur characters level?

Really appreciate it

[whitea2]

Quote:

Originally Posted by jultjeboy

Hmm I tried alot of things but still cant figure it out how to do this :S
Can someone send me quick tutorial?

Really appreciate it

If you're referring to memory editing, you can always download Cheat Engine and go through its tutorial. That'll at least get you started.

Quote:

Originally Posted by jultjeboy

And is it true u can change ur characters level?

Never heard that before. Seems highly unlikely as that information is stored on the server.

[creepsi]

but displayed on the client

[whitea2]

Anyone know the new NetClassPtr? I'd love to get back to trying the packet logger.

[Cencil]

Quote:

Originally Posted by whitea2

Anyone know the new NetClassPtr? I'd love to get back to trying the packet logger.

Code:

  off_NetworkClass            = $015D0754; // [15898]
  off_EncryptCallAdd          = $1CC;      // [15898]
  off_EncryptPacket           = $00A69C60; // [15898]

[Rhubarb.Trader]

Use a pattern or address to find the encrypt packet function in ollydbg. Set a breakpoint at the start of the encrypt function. Let it hit the break point press Alt + K goto the call window first one at the top go there. Set a new breakpoint check what is on the stack in the window.