Pets move function

[Roxeez]

Hi, i'm making a small bot for a friend and i need to implement pet movement.
Looks like ptctl packet does not display pet movement on client screen. (Like walk packet does not display character movement)

That's why i'm looking if somebody can share with me pet walk function because i'm a total noob about RE and i can't find it by myself

Thanks

[Hatz~]

Code from cheat engine:

 Spoiler

Small test dll to make sure it works:

 Spoiler

Code:

#include "pch.h"
#include <Windows.h>
#include <iostream>

void petWalk(short x, short y)
{
    DWORD entryPoint = (DWORD)GetModuleHandle(NULL);

    DWORD petWalkFunc = entryPoint + 0x14EE14;
    DWORD petObject = *(DWORD*)(*(DWORD*)(entryPoint + 0x4997C4) + 0x3C);
    DWORD position = (y << 16) | x;

    _asm
    {
        push 1
        xor ecx, ecx
        mov edx, position
        mov eax, petObject
        call petWalkFunc;
    }
}

DWORD WINAPI Test(HMODULE hModule)
{
    short x = 28, y = 46;

    DWORD entryPoint = (DWORD)GetModuleHandle(NULL);

    DWORD petWalkFunc = entryPoint + 0x14EE14;
    DWORD petObject = *(DWORD*)(*(DWORD*)(entryPoint + 0x4997C4) + 0x3C);
    DWORD position = (y << 16) | x;
    

    AllocConsole();
    FILE* file = new FILE;
    freopen_s(&file, "CONOUT$", "w", stdout);

    std::cout << "We are injected!" << std::endl;

    while (!(GetAsyncKeyState(VK_END) & 1 ))
    {
        Sleep(10);
        if (GetAsyncKeyState(VK_INSERT) & 1)
        {
            std::cout << "Walking to X: " << std::dec << x << " Y: " << std::dec << y << std::endl;
            petWalk(x, y);
        }

        if (GetAsyncKeyState(0x39) & 1)
        {
            std::cout << "Position: " << std::hex << position << std::endl;
            std::cout << "WalkFunc: " << std::hex << petWalkFunc << std::endl;
            std::cout << "WalkObject: " << std::hex << petObject << std::endl;
        }
    }


    FreeConsole();
    fclose(file);
    FreeLibraryAndExitThread(hModule, 0);
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Test, hModule, 0, 0);
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

To find it i've just put a break point on the instruction that writes the destiny position of the pet/partner, once the breakpoint hit execute till return and if you scroll up a little bit you'll see it.

Signature and mask for walk func (generated with CE plugin):

 Spoiler

Code:

\x55\x8b\xec\x83\xc4\x00\x53\x56\x57\x8b\xf9\x89\x55\x00\x8b\xd8\xc6\x45 xxxxx?xxxxxxx?xxxx

[FI0w]

Quote:

Originally Posted by Hatz~

Code from cheat engine:

 Spoiler

Small test dll to make sure it works:

 Spoiler

Code:

#include "pch.h"
#include <Windows.h>
#include <iostream>

void petWalk(short x, short y)
{
    DWORD entryPoint = (DWORD)GetModuleHandle(NULL);

    DWORD petWalkFunc = entryPoint + 0x14EE14;
    DWORD petObject = *(DWORD*)(*(DWORD*)(entryPoint + 0x4997C4) + 0x3C);
    DWORD position = (y << 16) | x;

    _asm
    {
        push 1
        xor ecx, ecx
        mov edx, position
        mov eax, petObject
        call petWalkFunc;
    }
}

DWORD WINAPI Test(HMODULE hModule)
{
    short x = 28, y = 46;

    DWORD entryPoint = (DWORD)GetModuleHandle(NULL);

    DWORD petWalkFunc = entryPoint + 0x14EE14;
    DWORD petObject = *(DWORD*)(*(DWORD*)(entryPoint + 0x4997C4) + 0x3C);
    DWORD position = (y << 16) | x;
    

    AllocConsole();
    FILE* file = new FILE;
    freopen_s(&file, "CONOUT$", "w", stdout);

    std::cout << "We are injected!" << std::endl;

    while (!(GetAsyncKeyState(VK_END) & 1 ))
    {
        Sleep(10);
        if (GetAsyncKeyState(VK_INSERT) & 1)
        {
            std::cout << "Walking to X: " << std::dec << x << " Y: " << std::dec << y << std::endl;
            petWalk(x, y);
        }

        if (GetAsyncKeyState(0x39) & 1)
        {
            std::cout << "Position: " << std::hex << position << std::endl;
            std::cout << "WalkFunc: " << std::hex << petWalkFunc << std::endl;
            std::cout << "WalkObject: " << std::hex << petObject << std::endl;
        }
    }


    FreeConsole();
    fclose(file);
    FreeLibraryAndExitThread(hModule, 0);
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Test, hModule, 0, 0);
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

To find it i've just put a break point on the instruction that writes the destiny position of the pet/partner, once the breakpoint hit execute till return and if you scroll up a little bit you'll see it.

Signature and mask for walk func (generated with CE plugin):

 Spoiler

Code:

\x55\x8b\xec\x83\xc4\x00\x53\x56\x57\x8b\xf9\x89\x55\x00\x8b\xd8\xc6\x45 xxxxx?xxxxxxx?xxxx

Dont need it but great work

[Roxeez]

Quote:

Originally Posted by Hatz~

Code from cheat engine:

 Spoiler

Small test dll to make sure it works:

 Spoiler

Code:

#include "pch.h"
#include <Windows.h>
#include <iostream>

void petWalk(short x, short y)
{
    DWORD entryPoint = (DWORD)GetModuleHandle(NULL);

    DWORD petWalkFunc = entryPoint + 0x14EE14;
    DWORD petObject = *(DWORD*)(*(DWORD*)(entryPoint + 0x4997C4) + 0x3C);
    DWORD position = (y << 16) | x;

    _asm
    {
        push 1
        xor ecx, ecx
        mov edx, position
        mov eax, petObject
        call petWalkFunc;
    }
}

DWORD WINAPI Test(HMODULE hModule)
{
    short x = 28, y = 46;

    DWORD entryPoint = (DWORD)GetModuleHandle(NULL);

    DWORD petWalkFunc = entryPoint + 0x14EE14;
    DWORD petObject = *(DWORD*)(*(DWORD*)(entryPoint + 0x4997C4) + 0x3C);
    DWORD position = (y << 16) | x;
    

    AllocConsole();
    FILE* file = new FILE;
    freopen_s(&file, "CONOUT$", "w", stdout);

    std::cout << "We are injected!" << std::endl;

    while (!(GetAsyncKeyState(VK_END) & 1 ))
    {
        Sleep(10);
        if (GetAsyncKeyState(VK_INSERT) & 1)
        {
            std::cout << "Walking to X: " << std::dec << x << " Y: " << std::dec << y << std::endl;
            petWalk(x, y);
        }

        if (GetAsyncKeyState(0x39) & 1)
        {
            std::cout << "Position: " << std::hex << position << std::endl;
            std::cout << "WalkFunc: " << std::hex << petWalkFunc << std::endl;
            std::cout << "WalkObject: " << std::hex << petObject << std::endl;
        }
    }


    FreeConsole();
    fclose(file);
    FreeLibraryAndExitThread(hModule, 0);
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Test, hModule, 0, 0);
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

To find it i've just put a break point on the instruction that writes the destiny position of the pet/partner, once the breakpoint hit execute till return and if you scroll up a little bit you'll see it.

Signature and mask for walk func (generated with CE plugin):

 Spoiler

Code:

\x55\x8b\xec\x83\xc4\x00\x53\x56\x57\x8b\xf9\x89\x55\x00\x8b\xd8\xc6\x45 xxxxx?xxxxxxx?xxxx

Big thanks

[Roxeez]

Got some issue with pet object.
The value of static address + 0x3C is equals to 0 until you first move your cursor and also this value change if you put your cursor on any entity



Object = value in ESI needed by pet walk function

1 - In character selection screen, object value is 0 (nothing strange i guess)
2 - In game but haven't move cursor yet, object value is 0, so if i call pet walk it will crash
3 - Normal behavior object value is correct, if i call pet walk function it will work
4 - Cursor on an entity on your screen object value is incorrect, if i call pet walk function it will crash


Here is the code i'm using to test it.

Code:

if (GetAsyncKeyState(VK_INSERT) & 1)
{
    std::cout << "--------------- PATTERN ---------------" << std::endl;

    DWORD function = Module::GetInstance()->FindPattern<DWORD>("\x55\x8b\xEC\x83\xC4\x00\x53\x56\x57\x8B\xF9\x89\x55\x00\x8B\xD8\xC6\x45", "xxxxx?xxxxxxx?xxxx", 0);
    DWORD address = **Module::GetInstance()->FindPattern<DWORD**>("\x50\xA1\x00\x00\x00\x00\x8B\x00\x8B\x40\x20\x66\x8B\x4D\xF6", "xx????x?xxxxxxx", 2);
    DWORD obj = *(DWORD*)(*((DWORD*)address) + 0x3C);

    std::cout << "Function: " << function << " (NostaleClientX.exe + " << function - Module::GetInstance()->GetBaseAddress() << ")" << std::endl;
    std::cout << "Object static address: " << address << " (NostaleClientX.exe + " << address - Module::GetInstance()->GetBaseAddress() << ")" << std::endl;
    std::cout << "Object: " << obj << std::endl;
} 
else if (GetAsyncKeyState(VK_DELETE) & 1)
{
    std::cout << "--------------- HARDCODED ---------------" << std::endl;

    DWORD function = 0x53e318;
    DWORD address = 0x8997d8;
    DWORD obj = *(DWORD*)(*((DWORD*)address) + 0x3C);

    std::cout << "Function: " << function << " (NostaleClientX.exe + " << (function - 0x400000) << ")" << std::endl;
    std::cout << "Object static address: " << address << " (NostaleClientX.exe + " << (address - 0x400000) << ")" << std::endl;
    std::cout << "Object: " << obj << std::endl;
}
else if (GetAsyncKeyState(VK_END) & 1)
{
    std::cout << "--------------- TESTING ---------------" << std::endl;

    DWORD function = Module::GetInstance()->FindPattern<DWORD>("\x55\x8b\xEC\x83\xC4\x00\x53\x56\x57\x8B\xF9\x89\x55\x00\x8B\xD8\xC6\x45", "xxxxx?xxxxxxx?xxxx", 0);
    DWORD address = **Module::GetInstance()->FindPattern<DWORD**>("\x50\xA1\x00\x00\x00\x00\x8B\x00\x8B\x40\x20\x66\x8B\x4D\xF6", "xx????x?xxxxxxx", 2);
    DWORD obj = *(DWORD*)(*((DWORD*)address) + 0x3C);

    DWORD position = (28 << 16) | 28;

    std::cout << "Function: " << function << " (NostaleClientX.exe + " << function - Module::GetInstance()->GetBaseAddress() << ")" << std::endl;
    std::cout << "Object static address: " << address << " (NostaleClientX.exe + " << address - Module::GetInstance()->GetBaseAddress() << ")" << std::endl;
    std::cout << "Object: " << obj << std::endl;

    _asm
    {
        push 1
        xor ecx, ecx
        mov edx, position
        mov eax, obj
        call function;
    }
}

Any help appreciated

[Hatz~]

The function moves a ptr to TSvrCtlObjManager into eax, so i found a ptr to CtrlObjManagerList at 0x899924 adding + 0x4 to the adress of the CtrlObjManagerList leads you to the list of objects and at + 0x8 you have the number of objects in the list which is usually just your pets. It looks something like this:

 Spoiler

Code:

class CtrlObjManagerList
{
    uint32_t vtable;            // 0x0
    TSvrCtlObjManager** List;   // 0x4
    uint32_t nObjects;          // 0x8
};

[Roxeez]

Thanks for your help, works fine

Another problem
After calling 5-6 times pet walk function my app crash (when reaching ASM)

I checked and all addresses/pointers are ok, even when it crash

Code:

DWORD WINAPI Thread(HMODULE hModule)
{
    AllocConsole();
    FILE* file = new FILE;
    freopen_s(&file, "CONOUT$", "w", stdout);

    std::cout << std::hex;

    DWORD position = (28 << 16) | 28;
    DWORD function = Module::GetInstance()->FindPattern<DWORD>("\x55\x8b\xEC\x83\xC4\x00\x53\x56\x57\x8B\xF9\x89\x55\x00\x8B\xD8\xC6\x45", "xxxxx?xxxxxxx?xxxx", 0);
    DWORD base = **Module::GetInstance()->FindPattern<DWORD**>("\x8B\xF8\x8B\xD3\xA1\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x8B\xD0", "xxxxx????x????xx", 5);

    std::cout << "Function: " << function << std::endl;
    std::cout << "Base: " << base << std::endl;

    while (!(GetAsyncKeyState(VK_END) & 1))
    {
        Sleep(10);
        if (GetAsyncKeyState(VK_INSERT) & 1)
        {
            DWORD list = *(DWORD*)(base + 0x4);
            int size = *(DWORD*)(base + 0x8);

            std::cout << "Address: " << list << std::endl;
            std::cout << "Size: " << size << std::endl;

            if (size == 0)
            {
                continue;
            }

            DWORD address = size == 1 ? list + 0x0 : list + 0x4;
            DWORD object = *(DWORD*)address;

            std::cout << "Object: " << object << std::endl;

            __asm
            {
                push 1
                xor ecx, ecx
                mov edx, position
                mov eax, object
                call function
            }

            std::cout << "--------------------------" << std::endl;
        }
    }

    return 0x0;
}

[Roxeez]

I checked assembly in cheat engine and i saw 2 "push 1" at the beginning instead of 1 so i tried to add it into asm and it works, no more crash

From

Code:

__asm
{
    push 1
    xor ecx, ecx
    mov edx, position
    mov eax, object
    call function
}

to

Code:

__asm
{
    push 1
    push 1
    xor ecx, ecx
    mov edx, position
    mov eax, object
    call function
}

If somebody can explain me why i appreciate

[Apourtartt]

[romdrak]

Quote:

Originally Posted by Roxeez

If somebody can explain me why i appreciate

It's 4th and 5th argument, that are pushed onto stack. For more info check register calling convention=D