GW2 Memory Thread
Discussion on GW2 Memory Thread within the Guild Wars 2 forum part of the MMORPGs category.
11/02/2012, 22:41
|
#61
|
elite*gold: 0
Join Date: Oct 2012
Posts: 140
Received Thanks: 31
|
Is Endurance stored serverside?
"Gw2.exe"+011D3C28
Doesn't seem to be, I can only inject for a few minutes before game crashes.
Thoughts?
|
|
|
11/03/2012, 01:04
|
#62
|
elite*gold: 0
Join Date: Apr 2007
Posts: 950
Received Thanks: 2,410
|
Yeah, it's checked server side; if you bypass the check and try to dodge extra times it will disconnect back to the character select screen.
|
|
|
11/03/2012, 02:16
|
#63
|
elite*gold: 0
Join Date: Apr 2009
Posts: 793
Received Thanks: 366
|
Anyone got experience with map changes on the protocol layer?
|
|
|
11/03/2012, 22:21
|
#64
|
elite*gold: 0
Join Date: Apr 2012
Posts: 7
Received Thanks: 0
|
Quote:
Originally Posted by Cencil
Yeah with heartbeat I just meant the movement 
Change the last flag from 0 to 1 to get an auto sync teleporter with packets
Heartbeat movement packet under normal conditions:
uint16 packet code (0x0D)
uint16 time1
uint16 time2
float x
float y
float z
uint8 unk
uint16 flags, just set this **** to 0x1
|
Hey Cencil and thanks for the great work in this thread. Thanks to you, I was able to get a C++ version of your packet logger working. Care to elaborate on the auto-sync teleporter with packets? I tried modifying the x,y,z and different variations of the flags but had no luck. In my PacketEncrypt detour I simply set x,y,z to some value. Then I modified my physical/visual x,y,z in memory and tried to move. It kept putting me back to original location but was sending movement packets (0x0D) with the location I was trying to teleport to. Any help would be appreciated.
|
|
|
11/04/2012, 14:34
|
#65
|
elite*gold: 97
Join Date: Jun 2007
Posts: 2,246
Received Thanks: 4,850
|
Quote:
Originally Posted by whitea2
Hey Cencil and thanks for the great work in this thread. Thanks to you, I was able to get a C++ version of your packet logger working. Care to elaborate on the auto-sync teleporter with packets? I tried modifying the x,y,z and different variations of the flags but had no luck. In my PacketEncrypt detour I simply set x,y,z to some value. Then I modified my physical/visual x,y,z in memory and tried to move. It kept putting me back to original location but was sending movement packets (0x0D) with the location I was trying to teleport to. Any help would be appreciated.
|
Works fine for me, I just tested it in the packet detour without modifying my position in the memory.
Code:
if (wOpCode = $0D) and (packetSize = 21) then
begin
with pVec do
begin
x := 0;
y := 0;
z := 100;
end;
Move(pVec, buffer[6], SizeOf(pVec)); // 12 bytes
wNewFlag := 1;
Move(wNewFlag, buffer[19], SizeOf(wNewFlag)); // 2 bytes
pBuffer := @buffer[0];
end;
Manual sending also works like a charm.
Code:
p := TGW2Packet.Create();
p.PutUInt16($0D);
p.PutUInt16(1000); // timing 1 (incorrect value but the server doesn't care)
p.PutUInt16(1000); // timing 2 (incorrect value but the server doesn't care)
p.PutFloat(100);
p.PutFloat(100);
p.PutFloat(50);
p.PutUInt8(0);
p.PutUInt16(1); // sync position :)
p.Send();
p.Free()
Normally timing 1 and timing 2 are uint32 values. The packet above is packed and just works if you don't use the PutPacketQueue function! Make sure your packet has a size of 28 bytes.
|
|
|
11/04/2012, 16:36
|
#66
|
elite*gold: 0
Join Date: Apr 2012
Posts: 7
Received Thanks: 0
|
Code:
void _fastcall my_PacketEncrypt(VOID* Unk, VOID* Unk1, int bufferSize, packet* pBuffer, int* pTargetBuffer)
{
if(bufferSize == 21 && pBuffer->opcode == 0x0D) //movement packet
{
cout << "moving\n" << endl;
pBuffer->x = 100;
pBuffer->y = 100;
pBuffer->z = 100;
pBuffer->flags[2] = 1;
cout << "opcode:" << pBuffer->opcode << " x:" << pBuffer->x << " y:" << pBuffer->y << " z:" << pBuffer->z << endl;
}
orig_PacketEncrypt(Unk, Unk1, bufferSize, pBuffer, pTargetBuffer);
}
where packet is defined as a structure:
Code:
struct packet{
UINT16 opcode; //2 bytes
UINT16 Time1; //2 bytes
UINT16 Time2; //2 bytes
FLOAT x; //4 bytes
FLOAT y; //4 bytes
FLOAT z; //4 bytes
CHAR flags[3]; //3 bytes
};
and orig_PacketEncrypt is defined as
Code:
typedef VOID (_fastcall *tPacketEncrypt)(VOID* Unk, VOID* Unk1, int bufferSize, packet* pBuffer, int* pTargetBuffer);
VOID _fastcall my_PacketEncrypt(VOID* Unk, VOID* Unk1, int bufferSize, packet* pBuffer, int* pTargetBuffer);
tPacketEncrypt orig_PacketEncrypt = (tPacketEncrypt)(0x00A69C60);
Got it working, thanks so much! The problem was my structure of pBuffer. Flags were not 'changed' the way I thought they would be.
|
|
|
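A defender's view of the heartbeat packet discussed in the posts above, as an added example that is not part of the thread and not the game's actual server code: a server-side plausibility check that decodes the packed 21-byte layout quoted in the thread, takes time from the server clock, and ignores the client-set flag. The speed limit, slack factor, gap cap and all function and type names are assumptions chosen for illustration.

```cpp
#include <algorithm>
#include <array>
#include <cmath>
#include <cstdint>
#include <cstring>

struct Vec3 { float x, y, z; };
struct PlayerState { Vec3 pos; double lastSeen; };  // server-side truth
enum class Verdict { Accept, Malformed, TooFast };

constexpr double kMaxSpeed = 400.0;  // assumed top speed, units per second
constexpr double kSlack    = 1.25;   // assumed tolerance for network jitter
constexpr double kMaxGap   = 2.0;    // assumed cap on credited seconds

// Packed layout from the thread: opcode at 0, floats at 6/10/14, flags at 19.
// memcpy avoids relying on struct padding; a little-endian host is assumed.
bool parseHeartbeat(const uint8_t* buf, std::size_t len, Vec3& pos) {
    uint16_t opcode;
    if (len != 21) return false;
    std::memcpy(&opcode, buf, 2);
    std::memcpy(&pos.x, buf + 6, 4);
    std::memcpy(&pos.y, buf + 10, 4);
    std::memcpy(&pos.z, buf + 14, 4);
    return opcode == 0x0D && std::isfinite(pos.x) && std::isfinite(pos.y)
        && std::isfinite(pos.z);
}

// The flags field at offset 19 is never consulted: a client-set "sync" bit
// must not authorise a jump. Elapsed time comes from the server clock only.
Verdict validateMove(PlayerState& st, const uint8_t* buf, std::size_t len, double now) {
    Vec3 p;
    if (!parseHeartbeat(buf, len, p)) return Verdict::Malformed;
    double dt = std::min(std::max(now - st.lastSeen, 0.0), kMaxGap);
    double dx = p.x - st.pos.x, dy = p.y - st.pos.y, dz = p.z - st.pos.z;
    double dist = std::sqrt(dx * dx + dy * dy + dz * dz);
    if (dist > kMaxSpeed * kSlack * dt) return Verdict::TooFast;  // state unchanged
    st.pos = p; st.lastSeen = now;
    return Verdict::Accept;
}

// Constructed sample packet for exercising the check (not captured traffic).
std::array<uint8_t, 21> makeHeartbeat(Vec3 p, uint16_t flags) {
    std::array<uint8_t, 21> b{};
    b[0] = 0x0D;  // opcode, little-endian low byte
    std::memcpy(b.data() + 6, &p, 12);
    std::memcpy(b.data() + 19, &flags, 2);
    return b;
}
```

A rejected packet leaves the stored position untouched, so the server can resend its own coordinates to the client and log the event for review.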
11/05/2012, 20:29
|
#67
|
elite*gold: 0
Join Date: Jul 2009
Posts: 42
Received Thanks: 6
|
I know it is a lot of work, but can somebody please upload a video which shows how to find the multilevel pointer for e.g. player x-y-z coordinates?
I did the multilevel pointer tutorial in CE but I can't figure it out for GW2.
Maybe someone can explain (;
|
|
|
11/06/2012, 16:36
|
#68
|
elite*gold: 0
Join Date: Jun 2010
Posts: 65
Received Thanks: 0
|
Hi guys,
I'm new to bot programming! Could someone please explain the terms in the memory listings to me, e.g.:
Quote:
RotCos = 0x016A55C0
RotSin = 0x016A55C4
|
or
Quote:
Base PreTargetPos = 0x015D359C
Offset1 = 0x8c
OffsetPosX = 0x78
OffsetPosY = 0x7C
OffsetPosZ = 0x80
Base Adrenaline = 0x016A5600
Offset1 = 0x184
Offset2 = 0x2C
|
Some things (e.g. Autowalk) are self-explanatory, but for the ones listed above I couldn't figure it out even after googling!
Thanks for your help!
Derrod
|
|
|
11/06/2012, 19:40
|
#69
|
elite*gold: 0
Join Date: Jan 2008
Posts: 1,098
Received Thanks: 198
|
Quote:
Originally Posted by derrod
Hi guys,
I'm new to bot programming! Could someone please explain the terms in the memory listings to me, e.g.:
or
Some things (e.g. Autowalk) are self-explanatory, but for the ones listed above I couldn't figure it out even after googling!
Thanks for your help!
Derrod
|
RotCos is probably the cosine of the camera and
RotSin the sine
PreTargetPos: with this you can probably read the position of the previous target (X, Y and Z)
Adrenaline: you can probably read the adrenaline with it
|
|
|
11/07/2012, 12:39
|
#70
|
elite*gold: 57
Join Date: Jun 2007
Posts: 10,720
Received Thanks: 5,092
|
Quote:
Originally Posted by derrod
Some things (e.g. Autowalk) are self-explanatory, but for the ones listed above I couldn't figure it out even after googling!
Thanks for your help!
Derrod
|
When you look at an agent you already see its health bar, so it is already pre-selected but not yet in target.
As soon as it is then selected, PreTarget equals target.
|
|
|
11/08/2012, 14:14
|
#71
|
elite*gold: 97
Join Date: Jun 2007
Posts: 2,246
Received Thanks: 4,850
|
A small function update for 15977
Code:
004065F0 GetNetworkClassPtr
00B1C2A0 GetCliContext
00AEAE70 GetAsContext
00B1CC90 GetControlledCharacter
00B2AA90 Character::GetPlayer
00B32150 Character::IsAlive
00B32180 Character::IsDowned
00B321E0 Character::IsInWater
00B32240 Character::IsPlayer
00BF0430 Character::GetAgent
00B1C270 GetPlayerFromListById
00A66D50 Msg::DispatchStream
00A68420 Msg::GetPacketHandler
00A69C20 DeEncryptPacket
00A674E0 PutPacketQueue
00A7A140 PutPacketQueueCallProxy
00B61BD0 ProcessChatInput
00B658C0 PH_ChatMessage // packethandler for 0x133
00A7C390 SendMoveJump
00A7DB50 SendMoveStart
00A7DD10 SendMoveTurn
The PutPacketQueue function requires the unpacked packet buffer.
For example:
Code:
if (FMover.SetPosition(Position)) then
begin
p := TGW2Packet.Create(28);
p.PutUInt16($0D);
p.PutUInt32(dwTiming);
p.PutUInt32(dwTiming);
p.PutVec3(Position);
p.PutUInt32(0);
p.PutUInt16(0);
p.Send();
p.Free();
end;
// send call
asm
push pBuf
mov eax, $00A67BF0
call eax
mov edx, $1C // unpacked size
mov ecx, eax
mov eax, $00A674E0
call eax
end;
After you call it, GW packs, encrypts and sends the packet for you.
|
|
|
11/08/2012, 23:10
|
#72
|
elite*gold: 0
Join Date: Jul 2008
Posts: 104
Received Thanks: 2
|
Quote:
Originally Posted by i4mSoH34Vy
RotCos is probably the cosine of the camera and
RotSin the sine
PreTargetPos: with this you can probably read the position of the previous target (X, Y and Z)
Adrenaline: you can probably read the adrenaline with it
|
RotCos is the cosine of the player's facing, not the camera's. If you rotate your character you can see that those values change from -1 to 1 (4 peaks for north, west, south, east). You can calculate the angle of facing using arc functions (atan2 in our case, which is included in pretty much every language).
|
|
|
11/09/2012, 19:16
|
#73
|
elite*gold: 0
Join Date: Jun 2010
Posts: 65
Received Thanks: 0
|
Thanks, but the problem is that I get values like 3212104670 or 1065259685!
|
|
|
11/09/2012, 19:21
|
#74
|
elite*gold: 0
Join Date: Apr 2012
Posts: 7
Received Thanks: 0
|
Quote:
Originally Posted by Cencil
A small function update for 15977
...
The PutPacketQueue function requires the unpacked packet buffer.
For example:
Code:
if (FMover.SetPosition(Position)) then
begin
p := TGW2Packet.Create(28);
p.PutUInt16($0D);
p.PutUInt32(dwTiming);
p.PutUInt32(dwTiming);
p.PutVec3(Position);
p.PutUInt32(0);
p.PutUInt16(0);
p.Send();
p.Free();
end;
// send call
asm
push pBuf
mov eax, $00A67BF0
call eax
mov edx, $1C // unpacked size
mov ecx, eax
mov eax, $00A674E0
call eax
end;
After you call it, GW packs, encrypts and sends the packet for you.
|
Do you mind explaining the first 2 lines of the assembly? Is pBuf the pointer to your packet to send? Why is there a need to call $00A67BF0 (better yet, what function is that)?
Thanks so much for all the information you've put in this thread. I've learned so much and have gotten a ton of this working (main problem now is figuring out how to get a thread to execute code in the GW2 address space). Thanks again for all of the work you've freely shared!
|
|
|
11/09/2012, 19:46
|
#75
|
elite*gold: 97
Join Date: Jun 2007
Posts: 2,246
Received Thanks: 4,850
|
Quote:
Originally Posted by whitea2
Do you mind explaining the first 2 lines of the assembly? Is pBuf the pointer to your packet to send? Why is there a need to call $00A67BF0 (better yet, what function is that)?
Thanks so much for all the information you've put in this thread. I've learned so much and have gotten a ton of this working (main problem now is figuring out how to get a thread to execute code in the GW2 address space). Thanks again for all of the work you've freely shared!
|
I didn't reverse what the function result from 0x00A67BF0 does in PutPacketQueue, but it seems to be fine for all movement packets.
PutPacketQueue itself is an MS fastcall function. The third parameter is the buffer, as you already noticed.
To run my code in the correct threads I hook 0x00414450 (you can call it GameLoop or whatever you want) and ProcessChatInput.
|
|
|
 |
|