A question for reversers with experience with Guild Wars 2

Discussion thread in the Guild Wars 2 forum (MMORPGs category) on elitepvpers.

#1
Is there a specific packet, or something, to get a user id based on his AgentId?
For example, let's say there is a player whose Agent Object I don't have listed on my client,
but I managed to get his AgentId from an incoming packet. Could I use this Id to somehow identify him?
rakbob is offline  
#2, 06/06/2015, 19:50
Update:
Looks like gw2 uses the following command to get details about users:
Code:
/Presence/GetUserInfo STS/1.0
t:$aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
l:30
s:73;timeout=29990
I don't have much time to work on this, and progress is slow. If someone already has the details of how to get that id from the Agent or Character object and can tell me, it would be much appreciated.
rakbob is offline  
#3, 06/07/2015, 19:26
Quote:
Originally Posted by rakbob
Update:
Looks like gw2 uses the following command to get details about users:
Code:
/Presence/GetUserInfo STS/1.0
t:$aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
l:30
s:73;timeout=29990
I don't have much time to work on this, and progress is slow. If someone already has the details of how to get that id from the Agent or Character object and can tell me, it would be much appreciated.
Have been wondering about this too, for objects specifically (e.g. Rocks, Chests, Gather nodes etc.). I have a feature to scan objects in the surrounding area, but no way to accurately get their ID and assign them to a user defined name...
Zektor is offline  
#4, 06/12/2015, 15:35
Update: worked on it today, and I managed to do it.
The following snippet will get the PlayerId (I think it's constant over instances) from the AgentId (volatile):

Code:
// VIRTUAL_FUNCTION(obj, offset) and GetAgentById_Address are defined elsewhere
// (not shown in the post): the first reads the function pointer at the given
// vtable offset, the second is the address found by the signature below.
unsigned long GetAgentById(unsigned long ulAgentId);

unsigned long GetPlayerIdByAgentId(unsigned long ulAgentId)
{
    unsigned long pAgent = GetAgentById(ulAgentId);
    if (!pAgent)
        return NULL;

    // Agent -> Character: virtual call at vtable offset 0x84, then a fixed adjustment.
    // Because of the subtraction, the null check below only catches a return of exactly 0x18.
    unsigned long pCharacter = ((unsigned long (__thiscall *)(unsigned long))VIRTUAL_FUNCTION(pAgent, 0x84))(pAgent) - 0x18;
    if (!pCharacter)
        return NULL;

    // Character -> Player: virtual call at vtable offset 0xf4.
    unsigned long pPlayer = ((unsigned long (__thiscall *)(unsigned long))VIRTUAL_FUNCTION(pCharacter, 0xf4))(pCharacter);
    if (!pPlayer)
        return NULL;

    // Player -> PlayerId: virtual call at vtable offset 0x40.
    return ((unsigned long (__thiscall *)(unsigned long))VIRTUAL_FUNCTION(pPlayer, 0x40))(pPlayer);
}

unsigned long GetAgentById(unsigned long ulAgentId)
{
    return ((unsigned long (__fastcall *)(unsigned long))GetAgentById_Address)(ulAgentId);
}
GetAgentById_Address changes from build to build, so you would need to add this to your signature engine:
Code:
NEW_SIG_NORMAL(GetAgentById, "56578BF1E8????????8BF83B774473108B473C8B04B085C074068B4004")

After you get the PlayerId you can either use your own STS client,
or use the one built into gw2 to query for UserIds; perhaps next week I will work on that.

Update: one last thing I forgot to mention: GetAgentById will not work and will probably cause a crash without some preparation beforehand.
The reason is that GetAgentById calls PropGetContext, which uses TLS.
The way I made it "multi thread compatible" is like this:

(all my threads are managed by a class I made and are registered there)
Code:
// Globals declared elsewhere (not shown in the post):
//   std::vector<ThreadManager*> g_pThreadList;   // registered non-game threads
//   unsigned long g_ulContext;                   // context last returned to a game thread
MyDetour* GetContext_Detour;   // detour object (class defined elsewhere) wrapping the original GetContext

unsigned long __cdecl GetContext_Hook()
{
    unsigned long ulCallingThreadId = GetCurrentThreadId();

    // Threads registered with the thread manager wait for the context captured
    // from a game thread instead of calling the TLS-based original.
    for (std::vector<ThreadManager*>::iterator i = g_pThreadList.begin(); i != g_pThreadList.end(); i++)
    {
        if (ulCallingThreadId == (*i)->GetThreadId())
        {
            while (!g_ulContext)
                Sleep(10);

            return g_ulContext;
        }
    }

    // A game thread: call the original through the trampoline and cache the result.
    unsigned long ulContext = ((unsigned long (__cdecl *)())GetContext_Detour->GetTrampoline())();

    g_ulContext = ulContext;

    return ulContext;
}

Code:
NEW_SIG_NORMAL(GetContext, "8B0D????????64A12C0000008B04888B8004000000C3")
I know it's not thread safe, but with the current gw2 design there wasn't a need to make it so.
rakbob is offline  
#5, 06/16/2015, 12:29
Quote:
Originally Posted by rakbob
Update:
Looks like gw2 uses the following command to get details about users:
Code:
/Presence/GetUserInfo STS/1.0
t:$aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
l:30
s:73;timeout=29990
I don't have much time to work on this, and progress is slow. If someone already has the details of how to get that id from the Agent or Character object and can tell me, it would be much appreciated.
I think you have to start digging into the game network protocol. Not especially the STS one on cligate.101.ncplatform.net:6112.

Is there any documentation on it or..?
MrScale is offline  
#6, 06/16/2015, 18:58
I don't think it's worth digging into the STS protocol,
not when I can let the game client do all the work.
rakbob is offline  
#7, 06/16/2015, 20:16
That's what I said.

The client first initiates a connection with cligate.101.ncplatform.net:6112 and uses the STS protocol.

Then it connects to Auth2.101.ArenaNetworks.com:6112 and sends a first packet of 0x10 bytes.

You can see it with this call stack:

Code:
Call stack of thread 00000E3C
Address    Returns to    Procedure / arguments                 Called from                   Frame      Stack Dump
04B3F8B0   01759450      ? Gw2Fix.017578C0                     Gw2Fix.0175944B               04B3F8AC   00000005 0B7373F
04B3F8E4   0216EA60      Gw2Fix.01759390                       Gw2Fix.0216EA5B               04B3F8E0   05FF6324 0000001
04B3F8E8   05FF6324        Arg1 = 05FF6324
04B3F8EC   00000010        Arg2 = 00000010
04B3F8F0   0B6AB9F0        Arg3 = 0B6AB9F0
04B3F8F4   00000000        Arg4 = 00000000
04B3F8F8   04B3F9B4        Arg5 = 04B3F9B4
04B3F8FC   00000000        Arg6 = 00000000
04B3F900   00000000        Arg7 = 00000000
04B3F904   00000000        Arg8 = 00000000
04B3F908   00000000        Arg9 = 00000000
04B3F924   01FFD0AC      Gw2Fix.0216E9F0                       Gw2Fix.01FFD0A7               04B3F920   0B731880 0000001
04B3F928   0B731880        Arg1 = 0B731880
04B3F92C   00000010        Arg2 = 00000010
04B3F930   0B6AB9F0        Arg3 = 0B6AB9F0
04B3F934   04B3F9B4        Arg4 = 04B3F9B4
04B3F938   00000000        Arg5 = 00000000
04B3F93C   00000000        Arg6 = 00000000
04B3F940   00000000        Arg7 = 00000000
04B3F944   00000000        Arg8 = 00000000
04B3F950   01FFD11E      Gw2Fix.01FFD000                       Gw2Fix.01FFD119               04B3F94C   0B7373FC 0000001
04B3F954   0B7373FC        Arg1 = 0B7373FC
04B3F958   00000010        Arg2 = 00000010
04B3F95C   0B6AB9F0        Arg3 = 0B6AB9F0
04B3F960   04B3F9B4        Arg4 = 04B3F9B4
04B3F964   00000000        Arg5 = 00000000
04B3F968   00000000        Arg6 = 00000000
04B3F96C   00000000        Arg7 = 00000000
04B3F970   00000000        Arg8 = 00000000
04B3F980   019FA4A3      Gw2Fix.01FFD0C0                       Gw2Fix.019FA49E               04B3F97C   019FAC30 0B7373C
04B3F984   019FAC30        Arg1 = 019FAC30
04B3F988   0B7373C0        Arg2 = 0B7373C0
04B3F98C   0B6AB9F0        Arg3 = 0B6AB9F0
04B3F990   00000010        Arg4 = 00000010
04B3F994   00000000        Arg5 = 00000000
04B3F998   04B3F9B4        Arg6 = 04B3F9B4
04B3F99C   00000000        Arg7 = 00000000
04B3F9A0   00000000        Arg8 = 00000000
04B3F9A4   00000000        Arg9 = 00000000
04B3FA2C   019FA782      Gw2Fix.019FA2A0                       Gw2Fix.019FA77D               04B3FA28   00000006 0C24D73
04B3FA3C   01FFCEAB      Gw2Fix.019FA6F0                       Gw2Fix.01FFCEA9               04B3FA38   00000006 04B3FA6
04B3FA40   00000006        Arg1 = 00000006
04B3FA44   04B3FA60        Arg2 = 04B3FA60
04B3FA50   017558E3      Gw2Fix.01FFCE70                       Gw2Fix.017558E1               04B3FA4C   060116FC 0000000
04B3FA54   060116FC        Arg1 = 060116FC
04B3FA58   00000006        Arg2 = 00000006
04B3FA5C   04B3FA60        Arg3 = 04B3FA60
These two addresses:
Code:
04B3F92C   00000010        Arg2 = 00000010
04B3F930   0B6AB9F0        Arg3 = 0B6AB9F0
contain both the buffer size and the buffer content that will be sent over the network:

Code:
0B6AB9F0  00 04 0C 00 D6 C2 00 00 65 00 00 00 04 00 00 00
One will have to find out what it stands for.

See ya.

Edit: Oh, and I said it's worth digging into this protocol because I think it's thanks to it that you're able to recover someone's UserId. Not sure yet.

Oh, and I found where this buffer is set:

Code:
019FA2D0   . C745 B4 00040C>MOV DWORD PTR SS:[EBP-4C],0C0400
019FA2D7   . E8 74D6D4FF    CALL Gw2Fix.01747950
019FA2DC   . 8945 B8        MOV DWORD PTR SS:[EBP-48],EAX
019FA2DF   . E8 3CD6D4FF    CALL Gw2Fix.01747920
019FA2E4   . B9 03000000    MOV ECX,3
019FA2E9   . 8945 BC        MOV DWORD PTR SS:[EBP-44],EAX
019FA2EC   . C745 C0 040000>MOV DWORD PTR SS:[EBP-40],4
You can see that there are raw values that are set, like 0xC4000 and 0x04. Does anyone have a single clue about what it is?
MrScale is offline  
#8, 06/17/2015, 14:35
You should read my post with the GetPlayerIdByAgentId function; I know it's through the STS protocol.

What I meant is: why bother reversing the entire protocol, when I can let the game client do all the key exchange, set up everything, choose the right server for me, and just use its own functions to register my custom request.
rakbob is offline  
#9, 06/17/2015, 16:28
Quote:
Originally Posted by rakbob
You should read my post with the GetPlayerIdByAgentId function; I know it's through the STS protocol.
So what's the STS request to retrieve someone's Id given its Character Name?

And how can one use your code snippet, btw? Is there any proper documentation on this forum? I can't understand what you mean by "your own signature engine":

Quote:
Originally Posted by rakbob
GetAgentById_Address changes from build to build, so you would need to add this to your signature engine:
Is there any tool that searches for the relevant offset given a hex string plus random bytes, like the one you provided us with?
MrScale is offline  
#10, 06/18/2015, 01:37
You use his hex string to run a pattern match through the game's memory; once you find it, that's the address you're looking for.
Zektor is offline  
#11, 06/22/2015, 17:52
Does every hex editor recognize the "?" character as marking "whatever you want"?
MrScale is offline  
#12, 06/22/2015, 23:03
Quote:
Originally Posted by MrScale
Does every hex editor recognize the "?" character as marking "whatever you want"?
Question mark is used as wildcard in pattern scanning. It has nothing to do with hex editors.
merphz is offline  
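Added example (not code from anyone in this thread): a minimal signature scanner in C showing what Zektor and merphz describe. A hex pattern in the style of rakbob's `56578BF1E8????????8BF8...` is parsed into a byte array plus a wildcard mask (each `??` is "match any byte"), and the result is slid over a byte buffer. The buffers here are constructed samples, not game memory: the two "builds" share the same prologue and differ only in the four bytes under the wildcards (the relative displacement of the `E8` call), which is exactly why fixed-offset lookups break between builds and masked patterns do not. The same mechanism is what YARA-style byte patterns do over a memory image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Longest signature supported, in bytes. */
#define MAX_SIG 64

/* A parsed signature: concrete byte values plus a mask.
   mask[i] == 0 marks a wildcard position (written "??" in the hex string). */
typedef struct {
    uint8_t bytes[MAX_SIG];
    uint8_t mask[MAX_SIG];
    size_t  len;
} Signature;

static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a string such as "56578BF1E8????????8BF8" into a Signature.
   Returns 0 on success, -1 on odd length, bad hex digit, or overlength input. */
int parse_signature(const char *hex, Signature *sig) {
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > MAX_SIG) return -1;
    sig->len = 0;
    for (size_t i = 0; i < n; i += 2) {
        if (hex[i] == '?' && hex[i + 1] == '?') {
            sig->bytes[sig->len] = 0;
            sig->mask[sig->len] = 0;          /* wildcard: any byte matches */
        } else {
            int hi = hex_nibble(hex[i]), lo = hex_nibble(hex[i + 1]);
            if (hi < 0 || lo < 0) return -1;
            sig->bytes[sig->len] = (uint8_t)((hi << 4) | lo);
            sig->mask[sig->len] = 1;          /* concrete byte must match */
        }
        sig->len++;
    }
    return 0;
}

/* Scan buf[0..buflen) for the signature. Returns the offset of the first
   match, or -1 if there is none. Masked positions are skipped in the compare. */
long find_signature(const uint8_t *buf, size_t buflen, const Signature *sig) {
    if (sig->len == 0 || buflen < sig->len) return -1;
    for (size_t off = 0; off + sig->len <= buflen; off++) {
        size_t k;
        for (k = 0; k < sig->len; k++) {
            if (sig->mask[k] && buf[off + k] != sig->bytes[k]) break;
        }
        if (k == sig->len) return (long)off;
    }
    return -1;
}

/* Parse and scan in one call. Returns the match offset, -1 for no match,
   -2 if the pattern string itself is malformed. */
long scan_hex(const uint8_t *buf, size_t buflen, const char *hex) {
    Signature sig;
    if (parse_signature(hex, &sig) != 0) return -2;
    return find_signature(buf, buflen, &sig);
}

/* Constructed sample buffers (not real game memory). Both contain
   push esi; push edi; mov esi,ecx; call rel32; mov edi,eax, but the call's
   rel32 displacement and the surrounding padding differ between "builds". */
static const uint8_t sample_build_a[] = {
    0x90, 0x90, 0xCC,
    0x56, 0x57, 0x8B, 0xF1, 0xE8, 0x11, 0x22, 0x33, 0x44, 0x8B, 0xF8,
    0xC3
};
static const uint8_t sample_build_b[] = {
    0xCC,
    0x56, 0x57, 0x8B, 0xF1, 0xE8, 0xAA, 0xBB, 0xCC, 0xDD, 0x8B, 0xF8,
    0xC3
};

int main(void) {
    const char *sig = "56578BF1E8????????8BF8";
    printf("build a: offset %ld\n", scan_hex(sample_build_a, sizeof sample_build_a, sig));
    printf("build b: offset %ld\n", scan_hex(sample_build_b, sizeof sample_build_b, sig));
    return 0;
}
```

In a real engine the loop runs over each readable region of the target process (or each executable section of an on-disk module) rather than a fixed array, and a signature is only trustworthy if it matches exactly once; a pattern that hits several offsets is too short and should be extended with more concrete bytes.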
#13, 06/24/2015, 23:15
But is there any single tool that performs pattern scanning? Otherwise I guess this is pretty cumbersome to find the accurate offset.
MrScale is offline  
#14, 06/25/2015, 01:32
Quote:
Originally Posted by MrScale
But is there any single tool that performs pattern scanning? Otherwise I guess this is pretty cumbersome to find the accurate offset.
I'm using IDA with rizzo.
merphz is offline  
#15, 06/25/2015, 07:51
It makes sense. Thanks! ^^
MrScale is offline  