Inspirations from SRO_DevKit

[pushedx]

[Introduction]



No, this is not an out of season April fools joke! However, it's a very long and probably boring read, and since there's nothing ready to use yet, I'll save most people the time by mentioning that upfront, so feel to check back later once something is released.

I went on another SRO nostalgia trip the past month. I started looking back at a lot of my old released projects and dug up all my unreleased code. Literally 100s of projects for different things as I was on a quest to become a better reverse engineer. That quest still hasn't changed, only the game that I happen to be focusing on at the time, but here I am again.

I'm taking another short term look at SRO with new perspectives and knowledge now. Maybe I'll do some new stuff again or maybe I'll just get bored in a few months and move on, who knows. For now though, I've found a few things to have fun with and share with the community, so here's another TL;DR post from me because I've found something interesting again.

In this thread, I'm going to use florian's project as the base source of inspiration. It was actually his blog posts that gave me a few new ideas for things I wanted to do (will be covered in other posts later on), but all that information is contained in the SRO_DevKit anyways, so it's easier to just reference the devkit.

Since this is my first post in a while, I feel the need to also give special thanks to @, @, @, and @ for their community contributions as well. Those are the main names I continuously see when it comes to dev posts I've read, so thank you for your work! I don't mean to leave anyone else out who has also made contributions to the community either, it's just those seem to be the primary recurring names I see across the forums. I'm sorry ahead of time if I've missed anyone else, but you also have my thanks as well regardless.

Before I start, I'd like to also mention there's no usable code/project to share with the public yet in this post. I'm still putting things together and testing everything out. Basically, I'll only release something if I feel it's ready to be released and I'm happy with the quality of it. Anyone that wants to make their own version of what I'm about to describe certainly can though!

The main purpose of this thread is to share what I think is untapped potential with the SRO_DevKit project. I'll also be referring to this thread as the prerequisite for potential future projects, because their foundation will be built up using the stuff I will be talking about here. Basically, I've learned so much stuff over the past 10 years, there's no simple way to just share that knowledge, so I'm going to apply as much of it as I can in a practical manner.

[Initial Context]

As I mentioned earlier, I was revisiting SRO with the intent on seeing just how different things would look now with 10 more years of experience. I've learned a lot and have made even more projects/tools for Path of Exile during that time than I ever did with SRO, which is pretty crazy since I have so much SRO work done. I had started looking through community projects and some of the work that's been done ever since the VSRO files were released.

florian's blog post about memory based movement was what initially got me hooked. I still love bot development, and while I did have both packet and non-packet bot stuff for SRO back in the day, none of my old SRO stuff remotely compares to what I was able to accomplish with Path of Exile, so I've certainly raised the bar for myself moving forward.

Reading the blog posts greatly helped me make sense of things I encountered in the past, but didn't quite understand at the time. It saved me a lot of time from having to reverse them now, which isn't really a problem, rather it's just so time consuming and there's a lot to do.

Since VSRO 188 is a static version, I was able to catch up on SRO stuff and get back to doing things pretty quickly, despite the long time away. There's a lot of solid information provided between the blog posts and the SRO_DevKit project itself. As I started applying my new knowledge and perspective to this stuff, something dawned on me.

I don't think the community has realized yet just how much of a gold mine of information the SRO_DevKit actually is.

There's a bit of a nuanced topic here, so let me explain. The actual implementation of the SRO_DevKit is rigid due to binary compiler compatibility, hardcoded to VSRO 188, and really inefficient to work from when trying to reverse the game. It's a good modding platform though, but I feel there's other ways of doing things to achieve the same, which brings me to reference some of the new stuff I've learned over the years. In other words, it's the ideas behind SRO_DevKit and the way SRO works that makes it possible for there to still be unrealized potential when it comes to reversing the game.

[New reversing tools?]

I've come to see in my post-SRO days how important amazing reversing tools are. Being able to automate work each client update is important in saving you time and sanity. Furthermore, being able to apply your tools to different SRO versions allows you to understand the differences between them and potentially catch issue in your project because you have more targets to test across. As such, I've taught myself how to make some pretty crazy tools.

To illustrate my perspective as to why I feel SRO_DevKit isn't effective as a reversing tool right now, let's look at what it takes to understand how to iterate the entities in the game world. Doing some digging in the devkit, you'll piece together the following (obviously with some stuff snipped out for this post):

 Spoiler

Code:

// EntityManagerClient.h
class CEntityManagerClient : public CEntityManager
{
};

#define g_pGfxEttManager (*(CEntityManagerClient**)0x0110F7D8)

// EntityManager.h
class CEntityManager : public CObjChild
{
public:
	char _gap[4];
	std::map<int, CIObject*> entities;
};

// BSLib.h
class CObjChild : public CObj {
public:
    const virtual GFX_MSGMAP *GetMessageMap() const;
    static const struct GFX_MSGMAP_ENTRY *GetThisMessageEntries();
    static const GFX_MSGMAP messageMapCObjChild;
    virtual int Func_4(int a2);
    virtual void OnTimer(int timerId);
    virtual BOOL OnNetMsg(CMsgStreamBuffer *pMsg);
    CObjChild();
    int StartTimer(int timerId, int timeoutMs);

protected:
    int KillTimer(int timerId);

private:
    char pad_0004[16];
    std::n_list<CWhatever> m_list;
};

// BSLib.h
class CObj {
public:
    static const GlobalVar<CGfxRuntimeClass, 0x0110F8FC> classCObj;
    virtual CGfxRuntimeClass const *GetRuntimeClass() const;
    virtual CGfxRuntimeClass const *GetParentRuntimeClass() const;
    static CObj *__stdcall CreateObject();
    static void __cdecl DeleteObject(CObj *pObj);
    bool IsSame(const CGfxRuntimeClass &rtclass) const;
    bool IsKindOf(const CGfxRuntimeClass &rtclass) const;

public:
    virtual ~CObj();
};

Thinking aloud, g_pGfxEttManager tells me there's a global variable that holds the pointer to a CEntityManagerClient instance, so it's like a singleton. Great, makes life easy. Let's say I want to understand the entire CEntityManagerClient object, so I dereference that pointer in x32dbg. I'd see something roughly like this (I should note I'm using memory from TRSRO, since I don't have VSRO setup locally yet)



Now, referencing the code and using some already known low level MSVC/C++ knowledge:

• I know CObj should be 4 bytes because it has a vtable, and no other data members
• CObjChild states it has 16 bytes from offset 4 (based on the reclass name) followed by a list
• Doing some math, I know 0x4 + 0x10 means that list should be at 0x14
• 'vc80-stl.cpp' has a test case that verifies n_list should be 0xC bytes
• CEntityManager has 4 padding bytes followed by the map of entities
• I could probably compile the code in vs 2005 and use sizeof to verify the map size and offset of 'entities', to make sure I didn't miss anything or made a mistake, but I think I'll be able to make my point now

From a reversing point of view, this is inefficient, error prone, and just too much work for something this simple. Furthermore, due to how glorious C++ is, trying to write context aware memory dumps (basically make logs of the values of everything at any point in time) is super tedious and time consuming. I think I've seen some libraries that help, but that's just more complexity and work.

CEntityManagerClient is a tiny class, and there are substantially larger classes where this same process has to be perform on. SRO_DevKit does make use of the sizeof/offset of enforcement checks, which is great, but it's manual work, and not very helpful all the time, because the real CEntityManagerClient should be larger than what you can deduce by looking at the devkit source files (in VSRO it's 0x48 bytes, in TRSRO where the image is from, it's 0x3C bytes).

Having to manually go through and update layouts and fix offsets between different sro versions or game updates feels like an impossible task, and probably is to a degree right now. It's possible that I missed it, but I don't recall seeing any reclass tools for users to use to help advanced the object layouts, but even if there were, it would still be nice to have easily customizable tools to create your own efficient workflow. I myself have never used reclass; I always code my own tools for that stuff, so having to use that would hinder my reversing workflow.

So, what's the alternative? Jumping to the end result of my current project's output, it would be this (C# code if it's not obvious, also for TRSRO because I can't dump memory of a running VSRO yet, and I'm not giving ISRO $29/4 weeks just to be able to login)

 Spoiler

Code:

	[StructLayout(LayoutKind.Sequential, Pack = 1, Size = 0x3C)]
	public struct CEntityManagerClient
	{
		public CObj_Data Obj; // 0x0000 (0x4 bytes)
		public CObjChild_Data ObjChild; // 0x0004 (0x18 bytes)
		public CEntityManager_Data EntityManager; // 0x001C (0x20 bytes)
		//public CEntityManagerClient_Data EntityManagerClient; // 0x003C (0x0 bytes)
	}

	[StructLayout(LayoutKind.Sequential, Pack = 1)]
	public struct CObj_Data
	{
		public uint _0000; // 0x0000
	}

	[StructLayout(LayoutKind.Sequential, Pack = 1)]
	public struct CObjChild_Data
	{
		public uint _0000; // 0x0000
		public uint _0004; // 0x0004
		public uint _0008; // 0x0008
		public uint _000C; // 0x000C
		public uint _0010; // 0x0010
		public uint _0014; // 0x0014
	}

	[StructLayout(LayoutKind.Sequential, Pack = 1)]
	public struct CEntityManager_Data
	{
		public uint _0000; // 0x0000
		public NativeMap Entities; // 0x0004
		public NativeMap _000C; // 0x000C
		public uint _0014; // 0x0014
		public uint _0018; // 0x0018
		public uint _001C; // 0x001C
	}

	[StructLayout(LayoutKind.Sequential, Pack = 1)]
	public struct CEntityManagerClient_Data
	{
	}

The 'NativeMap' types were manually labeled, but everything else was code generated. By default, I simply split each structure along 4 byte alignment, since that's what MSVC does in 32-bit, so most fields will end up being 4 bytes, but can be ushorts/bytes, and perhaps even a double (8 bytes) so I'd have to manually split those up. In any case, most of the layout revering work is done simply by making everything 4 bytes, and then going through and adjusting things as needed.

The cherry on top from using a language supporting reflection like C#, is that the memory output from the image above (values might not exactly match, since memory changes) can easily be generated.

 Spoiler

Code:

[CEntityManagerClient] 0x272A53C4 [Static: 0x11A86C0] (0x3C bytes)
	[CObj_Data] Obj:
		[0x0][uint] _0000: 0xDEAFA0 [14593952]
	[CObjChild_Data] ObjChild:
		[0x4][uint] _0000: 0xBAADF00D [3131961357]
		[0x8][uint] _0004: 0xBAADF00D [3131961357]
		[0xC][uint] _0008: 0x0 [0]
		[0x10][uint] _000C: 0xBAADF00D [3131961357]
		[NativeMap] _0010:
			[0x14][uint] Head: 0x272A1AD8 [657070808]
			[0x18][uint] Size: 0x0 [0]
	[CEntityManager_Data] EntityManager:
		[0x1C][uint] _0000: 0x196 [406]
		[NativeMap] Entities:
			[0x20][uint] Head: 0x272C9CC8 [657235144]
			[0x24][uint] Size: 0x8 [8]
		[NativeMap] _000C:
			[0x28][uint] Head: 0x272C9CF8 [657235192]
			[0x2C][uint] Size: 0x0 [0]
		[0x30][uint] _0014: 0xBAAD0000 [3131899904]
		[0x34][uint] _0018: 0x2710 [10000]
		[0x38][uint] _001C: 0x272DFFD0 [657326032]

I've found being able to create memory logs like this greatly helps speed up reversing while giving you the ability to use diff/search tools to find recurring pointers or to match things across different classes. For example, let's say you dumped a bunch of memory and then search for '0x272A53C4'. If it appears in some log at some particular field, you know that field is a pointer to the current 'CEntityManagerClient' instance. Or, if you find a pointer in the client you don't know what it is, you can see if any of your dumped data contains it to investigate more.

[An important side note]

I'm running the client in a debugger, which is a must for reversing memory stuff, so I have debug heaps enabled. That means client performance tanks a lot, but you can see uninitialized memory (0xBAADF00D) rather than random memory values to get an idea of what's real data and what's not, as well as being able to see various C++ container types a lot more easily and various memory markers.

For example, in text listing above, I know CEntityManager_Data::_0014 is really either an u/short or two bytes followed by 2 bytes of what most likely is padding. Had I run the client without debug heaps, you'd get random values there and it might look like a pointer, or a float, or just random nonsense. The only way you'd know the real type would be to breakpoint on access the field and check the accessing assembly. That's impractical to do for every field, so having every bit of help really counts.

That is why debug heaps are so critical in reversing memory based stuff. It eliminates most of the guesswork when it comes to finding unused padding bytes, but it's not foolproof, since you don't know if something is simply uninitialized at that point in time, or is really just unused padding bytes. Checking CObjChild_Data in other types reveals the bytes are actually used.

Lastly, two more examples of just how important this stuff is. Consider the following image:



To most people, if you saw this memory layout, you'd start to think in terms of each part. First is a pointer, followed by 3 unset or padding uints, followed by 2 uints. However, this is a very obvious C++ container, either a std::string or std::wstring. By visiting the first pointer, you'd have seen it's a std::string because the text was not in wide character format.

In older SROs, yes, it's been posted that std::n_string is being used, which has 4 bytes prepended, but being able to understand containers and differences across Visual Studio versions is required regardless. PoE was similar back when I started with it, and over time as Visual Studio updated, so minor adjustments had to be made. It's a learn once, use forever type of skill though.

Consider the following C++ container, what is it?

 Spoiler

It's a hashmap/unordered_map

If you mistakenly reversed this as a float, list, vector, then two uints, you'd be missing a pretty important container, because the stuff contained in the list/vector might seem really weird. However, knowing it's the specific C++ container it is, you can use the right code to easily access the data inside.

Given enough experience reversing this stuff, you'll start to be able to instantly recognize such memory patterns, and things speed up a lot and you have a much clearer view of structures.

[Building up from C#]

Back to the output of the tool before the side note, what's great about this approach, is that you can then take snapshots of memory, perform some action, take a new snapshot and then use a text compare tool against the logs to figure out what's changing where to narrow down where you might need to focus your next efforts reversing/debugging.

Obviously, you'll have to write custom code to dump container contents, but that's just part of reversing so it's not a big deal. Since it's an external tool and C# is quick to recompile and run, you can easily make changes to the layouts as you reverse memory, rerun and then almost instantly see your results.

In essence, the tool is taking on the same role as something like ReClass, except it's providing a different workflow, one that I've used for years to reverse very large parts of games, so I know how efficient the process is. In addition, it's super easy for the community to use, just download the tool, specify the process, then take a snapshot. Edit struct layouts as you reverse them, upload the changed code, then everyone can easily stay up to date with minimal headaches.

The benefits don't stop there either. Using C# as your foundation, as a meta language in a sense, you can then use reflection to code generate C++ code. That's right, some of the best C++ code is actually just code generated from a different language, as you'll be able to easily make changes and rework things without having to do a bunch of tedious or error prone manual changes.

I actually wrote a C++ structure generating tool based on C# struct layouts for PoE, and it killed me just how long it took for me to understand why I should never have been writing so many manual structure layouts in C++ for years. It's far better to do it in something like C#, get your fast and easy productivity tools and memory dumps, then code generate whatever language you need from it.

[What are you doing and how does it work?]

What I'm doing is auto-magically generating the estimated structure layouts of the main objects of the game. Silkroad does not use an entity component system architecture, rather just your typical old school OOP design (which make sense because it was coded a long time ago).

For example, let's say I wanted to find the current player's HP/MP. Well, that information is stored somewhere in class that holds that type of information, which is CICharactor. However, the CICharactor object is then stored in another class for the type that the object actually is. For example, your character's object is CICPlayer. However, what about monsters? Their CICharactor data would be instead stored in a CICMonster object instead, and that memory layout would obviously be different.

By understanding SRO's OOP design, thanks in part to the dynamic RTTI information, it is possible to not only know the sizes of game structures, but also their exact ordering as it pertains to how each object is laid out in memory. I've not yet directly used the compile time rtti system florian blogged about (still on the todo list), but just knowing that existed and seeing some of the names helped me realize the other (?) system in place that can be leveraged to do neat things. Also, I'm just referring to it as rtti because it makes sense, I'm not sure what it actually is, if it's a typeid system or something.

Anyways, back to the example, rather than taking a CICMonster object as an entire singular object and applying some offset to find the hp, and then taking an entire CICPlayer object and applying a different offset to find the hp, you can instead just find the offset of the hp in a CICharactor object, and then magically know where it should be regardless if you have a CICMonster or CICPlayer object because you know the exact class layout from RTTI.

A practical example of this can actually be seen from :

 Spoiler

Quote:

Code:

class CICCos
{
public:
	char pad_0000[248]; //0x0000
	unsigned int UniqueID; //0x00F8
	char pad_00FC[20]; //0x00FC
	std::wstring cosname;//0x0110
	char pad_012C[12]; //0x012C
	unsigned int cosnamebackgroundcolor; //0x0138
	unsigned int cosnameforegroundcolor; //0x013C
	char pad_0140[784]; //0x0140
	unsigned int CurrentHP; //0x0450
	char pad_0454[4]; //0x0454
	unsigned int MaxHP; //0x0458

	void OnRender();
};

Using the new system I am talking about, CICCos would actually be (and this is the exact VSRO 188 layout, since I can generate it, I just can't dump memory yet)

 Spoiler

Code:

[StructLayout(LayoutKind.Sequential, Pack = 1, Size = 0x824)]
	public struct CICCos
	{
		public CObj_Data Obj; // 0x0000 (0x4 bytes)
		public CObjChild_Data ObjChild; // 0x0004 (0x1C bytes)
		public CIEntity_Data IEntity; // 0x0020 (0x34 bytes)
		public CIObject_Data IObject; // 0x0054 (0x88 bytes)
		public CIGIDObject_Data IGIDObject; // 0x00DC (0x178 bytes)
		public CICharactor_Data ICharactor; // 0x0254 (0x524 bytes)
		public CICNonuser_Data ICNonuser; // 0x0778 (0x10 bytes)
		public CICCos_Data ICCos; // 0x0788 (0x9C bytes)
	}

So "unsigned int MaxHP; //0x0458" would actually fall inside "CICharactor_Data", which is expected because as I mentioned a few sentences ago, hp/mp data is in CICharactor, but CICharactor might be at a different offset depending on the object type (in reality, most objects share a similar hierarchy, it's the differences between sro versions that matters more). Hopefully that all makes sense now. It's a pretty big deal, reversing wise to have this type of information available.

The really neat thing is, this system is used for a lot of things. florian has a blog post about the client's state machine based process system. If you go through CGame, you can get the current process, so when you're in the game world, CPSMission is the active process, you can then use this system to dump the object and work out additional information, besides the known time information. For example, I've found an instance to a GWeatherManager and
ACObjectMgr object, which I can then dump the same exact way to work out everything.

Going back to my initial example of getting entities, the following C# code:

 Spoiler

Code:

var EntityManagerClient = DumpGlobalInstance<CEntityManagerClient>(outputDir, process, g_pCEntityManagerClient);
{
	Console.WriteLine("[EntityManagerClient]");
	var entities = process.StdMap<uint, uint>(EntityManagerClient.EntityManager.Entities);
	foreach (var kvp in entities)
	{
		var rtti = GetRTTI(process, kvp.Value, address_to_rtti); // should never be null
		Console.WriteLine($"\t[{rtti.Name}] 0x{kvp.Key:X} - 0x{kvp.Value:X}");
		var instance = DumpObjectInstance(entityManagerClientOutputDir, process, rtti.Name, kvp.Key, kvp.Value);
		if (instance is CICMonster Monster)
		{
			var name = process.StdStringW(Monster.IGIDObject.Name);
			Console.WriteLine($"\t\t{name}");
		}
		else if (instance is CICNPC NPC)
		{
			var name = process.StdStringW(NPC.IGIDObject.Name);
			Console.WriteLine($"\t\t{name}");
		}
		else if (instance is CICUser User)
		{
			var name = process.StdStringW(User.IGIDObject.Name);
			Console.WriteLine($"\t\t{name}");
		}
		else if (instance is CICPlayer Player)
		{
			var name = process.StdStringW(Player.IGIDObject.Name);
			Console.WriteLine($"\t\t{name}");
		}
	}

	Console.WriteLine("");
}

produced this output in jangan where new characters spawn:

 Spoiler

Code:

[EntityManagerClient]
        [CICNPC] 0xC - 0x13860634
                Asker Hogang [Teleport]
        [CICUser] 0x1AF - 0x22B17D44
                sonhava
        [CICUser] 0x27B - 0x137B2EE4
                avatar1111
        [CICUser] 0x1B1 - 0x137ABB34
                p212
        [CICNPC] 0xE - 0x13860EDC
                General Sonhyeon
        [CIODecal] 0x3 - 0x23499B74
        [CICNPC] 0x6 - 0x19129644
                Asker Jowi
        [CICPlayer] 0x1 - 0x22074F24
                pushedx

The main attraction to this type of SDK generation, is that you then only have to match naming conventions across each SRO version, and your main code is going to pretty much work the same way as long as the SRO features you are coding for are the same.

For example, I have running code on TRSRO right now. When I get VSRO up and running, I just need to label the CEntityManager.:Entities and CIGIDObject::Name fields as well as use the larger old C++ native containers (behind the scenes) and the example code will work exactly the same.

That means developing across different SRO versions is way more accessible, so in theory, most VSRO work can be ported to other versions because there's not a massive difference in the entirety of the underlying game, so a lot of work is cut down. By diffing the rtti info across versions, vsro, csro-r, trsro/isro, you can get an idea of which classes/functionality is missing, and code accordingly.

The "fun" project I wanted to make, was a new autoselect feature for ISRO as it's been long removed. Now that I know how to iterate entities and find info such as type, hp, etc..., it's just a matter of finishing the project by either using packets or injected code to perform the selecting action.

Of course, this is only represents a small portion of what SRO_DevKit does, so it's not a replacement for it by any means or even a fair comparison. I'm only focused on the memory layout of objects right now, so coding support for virtual functions or binary compatibility with vs 2005 is just not a priority. However, you'd be able to generate better C++ structures to work from that were the correct size and ready to be understood in ways not currently possible with any tools I've seen in the community, so it'd help supplement it greatly I think.

In my opinion though, I'd rather look at rewriting the entire client as opposed to trying to reverse the entire thing to be able to fully mod it, but that's another topic for another day.

The last thing to talk about for this section is the "how does it work" part.

This is not compilable as-is (not hard to make it if you were really determined), but is the main program that shows exactly what I'm doing to generate the files

RTTI_Layout_Generator.cs

 Spoiler

Code:

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Text;
using Common;
using Common.JSON;
using Common.SharpDisasm;
using Shared;
using SharpDisasm;

namespace RTTI_Layout_Generator
{
    class Program
    {
        static void MainWrapper(string strPid)
        {
            // Almost all normal exes have a 0x1000 sized base region with the text section at
            // + 0x1000. Since we're targeting 32-bit SRO, which is known to be compiled in
            // Visual Studio, we're safe to expect this.
            const int ExpectedBaseRegionSize = 0x1000;
            const int ExpectedTextSectionOffset = 0x1000;

            Dictionary<ulong, string> x32dbg_labels = new();

            List<RTTI> rttis = new();
            Dictionary<string, RTTI> name_to_rtti = new();
            Dictionary<uint, RTTI> address_to_rtti = new();

            ulong RegisterRTTI = 0;

            using var process = Process.GetProcessById(int.Parse(strPid));

            var md5 = process.HashMD5(); // Do this here to make sure we have process access privileges

            var outputDir = Path.Combine("output", md5);

            var rttiOutputDir = Path.Combine(outputDir, "rtti");
            Directory.CreateDirectory(Path.Combine(rttiOutputDir, "data"));
            Directory.CreateDirectory(Path.Combine(rttiOutputDir, "composite"));

            var baseAddress = process.MainModule.BaseAddress.ToUIntPtr();
            var imageSize = process.MainModule.ModuleMemorySize;
            var image = new byte[imageSize];

            var info = new StringBuilder();
            info.AppendLine($"[{process.Id}] {process.MainModule.FileName}");
            info.AppendLine($"\tBaseAddress: 0x{baseAddress:X}");
            info.AppendLine($"\tImageSize: 0x{imageSize:X}");
            info.AppendLine($"\tMD5: {md5}");
            info.AppendLine();

            // Since we save the generated files by MD5, it becomes hard to track which folder is for who
            // so we'll save a log to easily figure it out. It's ideal to rename the clients per-version
            // so that info is saved as well!
            File.WriteAllText(Path.Combine(outputDir, "RTTI_Layout_Generator.log"), info.ToString());

            Console.WriteLine(info.ToString());

            // First, query the process's first region
            var szLength = (UIntPtr) Unsafe.SizeOf<Interop.MEMORY_BASIC_INFORMATION>();
            Interop.MEMORY_BASIC_INFORMATION baseMBI;
            var szResult = Interop.VirtualQueryEx(process.SafeHandle,
                baseAddress,
                out baseMBI,
                szLength);
            if (szResult != szLength)
                throw new Exception($"'VirtualQueryEx' failed with error [0x{Marshal.GetLastWin32Error()}]");

            // Certain packers will merge all regions into one, so we can detect some packed clients in memory this way.
            if (baseMBI.RegionSize.ToUInt32() != ExpectedBaseRegionSize)
                throw new Exception(
                    $"Client's base region size is 0x{baseMBI.RegionSize.ToUInt32():X} bytes. Is this a packed client?");

            // Second, query the process's second region, which should be the .text section for normal clients
            Interop.MEMORY_BASIC_INFORMATION textMBI;
            szResult = Interop.VirtualQueryEx(process.SafeHandle,
                baseMBI.BaseAddress + (int) baseMBI.RegionSize.ToUInt32(),
                out textMBI,
                szLength);
            if (szResult != szLength)
                throw new Exception($"'VirtualQueryEx' failed with error [0x{Marshal.GetLastWin32Error()}]");

            // The second region's offset should be 0x1000 under normal circumstances
            var textSectionOffset = textMBI.BaseAddress.ToUInt64() - baseMBI.AllocationBase.ToUInt64();
            if (textSectionOffset != ExpectedTextSectionOffset)
                throw new Exception(
                    $"Client's second section is at offset 0x{textSectionOffset:X}. Is this a packed client?");

            // Read the entire process image and make sure all bytes were read
            var szToRead = (UIntPtr) imageSize;
            if (!Interop.ReadProcessMemory(process.SafeHandle, baseAddress, image, szToRead, out var szRead))
                throw new Exception($"'ReadProcessMemory' failed with error [0x{Marshal.GetLastWin32Error()}]");

            if (szRead != szToRead)
                throw new Exception(
                    $"'ReadProcessMemory' read only [{szRead.ToUInt32()} / {szToRead.ToUInt32()}] bytes");

            // New C# features, woot woot!
            ReadOnlyMemory<byte> memory = image;
            var textSection = memory.Span.Slice(ExpectedTextSectionOffset, (int) textMBI.RegionSize.ToUInt32());

            // This pattern should work across all base versions of SRO really...
            // 6A 00        | push 0x0
            // 6A 04        | push 0x4
            // 6A 00        | push 0x0
            // 6A 00        | push 0x0
            // 6A 00        | push 0x0
            // 68 E4D9E200  | push 0xE2D9E4 | "CObj"
            // B9 EC881A01  | mov ecx, rtti_CObj
            // E8 B7306C00  | call <RegisterRTTI>
            // C3           | ret
            var pattern_RegisterRTTI_CObj =
                new Pattern("6A 00 6A 04 6A 00 6A 00 6A 00 68 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? C3");

            var results = pattern_RegisterRTTI_CObj.Find(textSection);
            if (results.Count != 1)
                throw new Exception($"Expected 1 result, but {results.Count} results were found.");

            var RegisterRTTI_CObj = baseAddress + ExpectedTextSectionOffset + results[0];
            Console.WriteLine($"RegisterRTTI_CObj: 0x{RegisterRTTI_CObj.ToUInt64():X}");

            // Now disassemble the function to get the address of the 'RegisterRTTI' function
            var disasmOffset = (ulong) (ExpectedTextSectionOffset + results[0]);
            using (var funcDisasm = new Disassembler(image, ArchitectureMode.x86_32, baseAddress.ToUInt64(), true,
                Vendor.Intel, disasmOffset))
            {
                foreach (var insn in funcDisasm.Disassemble())
                {
                    if (insn.Mnemonic == SharpDisasm.Udis86.ud_mnemonic_code.UD_Iret ||
                        insn.Mnemonic == SharpDisasm.Udis86.ud_mnemonic_code.UD_Iint3)
                        break;

                    if (insn.Mnemonic == SharpDisasm.Udis86.ud_mnemonic_code.UD_Icall)
                    {
                        RegisterRTTI = insn.ResolveAddress(0) + disasmOffset;
                        break;
                    }
                }

                // This will usually either happen from a pserver breaking it, or a user is running the client in a debugger,
                // and sets a breakpoint inside the function on a non-wildcard byte.
                if (RegisterRTTI == 0)
                    throw new Exception(
                        "Could not find a call to the 'RegisterRTTI' function. Has the client been modified?");

                Console.WriteLine($"RegisterRTTI: 0x{RegisterRTTI:X}");
                Console.WriteLine();

                x32dbg_labels.Add(RegisterRTTI, "RegisterRTTI");
            }

            // Now look for all calls to 'RegisterRTTI'
            using (var disasm = new Disassembler(image, ArchitectureMode.x86_32, baseAddress.ToUInt64(), true,
                Vendor.Intel, ExpectedTextSectionOffset))
            {
                List<Instruction> insns = new();

                int callCount = 0;
                foreach (var insn in disasm.Disassemble())
                {
                    // Sliding window buffer of insns so we can process the function easily
                    insns.Insert(0, insn);
                    if (insns.Count > 8)
                        insns.RemoveAt(insns.Count - 1);

                    if (insn.Mnemonic == SharpDisasm.Udis86.ud_mnemonic_code.UD_Icall)
                    {
                        var target = insn.ResolveAddress(0) + ExpectedTextSectionOffset;
                        if (target == RegisterRTTI)
                        {
                            var callee = (insn.PC - (uint) insn.Length) + ExpectedTextSectionOffset;
                            Console.WriteLine($"[{++callCount}] Call to 'RegisterRTTI' @ 0x{callee:X}");

                            RTTI instance = new();
                            instance.UnknownValue = insns[7].GetOperandValueU32(0);
                            instance.TotalSize = insns[6].GetOperandValueU32(0);
                            instance.ParentAddress = insns[5].GetOperandValueU32(0);
                            instance.UnknownFunction = insns[4].GetOperandValueU32(0);
                            instance.Allocate = insns[3].GetOperandValueU32(0);
                            var instanceNamePtr = insns[2].GetOperandValueU32(0);
                            instance.Name = process.ReadNullTerminatedStringA((UIntPtr) instanceNamePtr);
                            instance.Address = insns[1].GetOperandValueU32(1);

                            Console.WriteLine(
                                $"\t{instance.Name} (0x{instance.TotalSize:X} bytes) [0x{instance.Address:X}]");

                            rttis.Add(instance);
                            name_to_rtti.Add(instance.Name, instance);
                            address_to_rtti.Add(instance.Address, instance);

                            // The function insns are backwards because we're matching the call at the end of the function
                            var functionStart = (insns[7].PC - (uint) insns[7].Length) + ExpectedTextSectionOffset;
                            x32dbg_labels.Add(functionStart, $"RegisterRTTI_{instance.Name}");

                            x32dbg_labels.Add(instance.Address, $"rtti_{instance.Name}");

                            // CObj can't be allocated, so we can't label an invalid address
                            if (instance.Allocate != 0)
                                x32dbg_labels.Add(instance.Allocate, $"Allocate_{instance.Name}");
                        }
                    }
                }

                Console.WriteLine();
            }

            // Build class hierarchy layout
            foreach (var rtti in rttis)
            {
                // Figure out the real size of the object
                rtti.Size = rtti.TotalSize;
                if (address_to_rtti.TryGetValue(rtti.ParentAddress, out var parent))
                    rtti.Size -= parent.TotalSize;

                // Everything should be aligned to 4 bytes
                if (rtti.Size % 4 != 0)
                    throw new Exception($"RTTI size (0x{rtti.Size:X}) is not divisible by 4!");

                // Traverse the parent hierarchy to the root
                while (parent != null)
                {
                    rtti.Hierarchy.Add(parent.Name);
                    var addr = parent.ParentAddress;
                    if (!address_to_rtti.TryGetValue(addr, out parent))
                    {
                        if (addr != 0)
                            throw new Exception($"Could not find RTTI information for [0x{addr:X}]");
                    }
                }
            }

            // Calculate the max hierarchy depth
            var maxDepth = 0;
            foreach (var rtti in rttis)
            {
                var depth = rtti.Hierarchy.Count;
                if (depth > maxDepth)
                    maxDepth = depth;
            }

            // Debug hierarchy
            for (var depth = 0; depth <= maxDepth; ++depth)
            {
                Console.WriteLine($"[Depth: {depth}]");
                foreach (var rtti in rttis.Where(r => r.Hierarchy.Count == depth))
                {
                    Console.WriteLine($"\t{rtti.Name} (0x{rtti.Size:X} bytes | 0x{rtti.TotalSize:X} bytes total)");
                    Console.Write("\t\t");
                    for (var d = 0; d < rtti.Hierarchy.Count; ++d)
                    {
                        Console.Write($"{rtti.Hierarchy[d]}");
                        if ((d + 1) != rtti.Hierarchy.Count)
                            Console.Write(" -> ");
                    }

                    Console.WriteLine();
                }
            }

            // First: write out the raw data structs
            for (var depth = 0; depth <= maxDepth; ++depth)
            {
                foreach (var rtti in rttis.Where(r => r.Hierarchy.Count == depth))
                {
                    var sb = new StringBuilder();

                    sb.AppendLine("using System.Runtime.InteropServices;");
                    sb.AppendLine();

                    sb.AppendLine("namespace Native");
                    sb.AppendLine("{");

                    sb.AppendLine("\t[StructLayout(LayoutKind.Sequential, Pack = 1)]");
                    sb.AppendLine($"\tpublic struct {rtti.Name}_Data");
                    sb.AppendLine("\t{");

                    // C# doesn't support 0-sized fixed buffers
                    /*if (rtti.Size > 0)
                        sb.AppendLine($"\t\tpublic unsafe fixed byte _0000[0x{rtti.Size:X}];");*/

                    // Reversing is way easier/faster in 32-bits thanks to 4 byte alignment by just assuming
                    // everything is an uint, and then fixing everything else. If we use the fixed byte method
                    // above, it's impossibly hard to do anything efficiently with the automatic format dumps since
                    // all your time is spent manually making a bunch of uints anyways
                    for (var offset = 0; offset < rtti.Size; offset += 4)
                        sb.AppendLine($"\t\tpublic uint _{offset:X4}; // 0x{offset:X4}");

                    sb.AppendLine("\t}");
                    sb.AppendLine("}");

                    File.WriteAllText(Path.Combine(rttiOutputDir, "data", $"{rtti.Name}_Data.cs"), sb.ToString());
                }
            }

            // Second: write out the composite object structs
            for (var depth = 0; depth <= maxDepth; ++depth)
            {
                foreach (var rtti in rttis.Where(r => r.Hierarchy.Count == depth))
                {
                    var sb = new StringBuilder();

                    sb.AppendLine("using System.Runtime.InteropServices;");
                    sb.AppendLine();

                    sb.AppendLine("namespace Native");
                    sb.AppendLine("{");

                    // Saving the Allocation address breaks easy diffing between versions/updates,
                    // so it's disabled for now. We'll just use our x32dbg script to be able to jump to
                    // address easily once we learn the names instead.
                    //sb.AppendLine("\t/// <summary>");
                    //sb.AppendLine($"\t/// Allocate: 0x{rtti.Allocate:X}");
                    //sb.AppendLine("\t/// </summary>");

                    // NOTE: The naming convention is very important. Since composite objects just hold a bunch of data
                    // types (which devs will change the format of manually), it's important we don't break the composite
                    // structs if the data objects change size between game versions. This way, the main composite accessing
                    // code will be stable name wise, and since each data object is unique since its a rtti hierarchy, devs
                    // won't ever have to touch the files again

                    sb.AppendLine($"\t[StructLayout(LayoutKind.Sequential, Pack = 1, Size = 0x{rtti.TotalSize:X})]");
                    sb.AppendLine($"\tpublic struct {rtti.Name}");
                    sb.AppendLine("\t{");
                    uint offset = 0;
                    for (var idx = 0; idx < rtti.Hierarchy.Count; ++idx)
                    {
                        // Hierarchy is bottom up, so start from the top (back) to list it top down
                        var parentName = rtti.Hierarchy[rtti.Hierarchy.Count - idx - 1];
                        var parentRtti = name_to_rtti[parentName];
                        var parentSize = parentRtti.Size;

                        // C# doesn't handle 0 byte structs (adds 1 byte), so we have to comment out 0 sized types
                        sb.AppendLine(
                            $"\t\t{(parentSize == 0 ? "//" : "")}public {parentName}_Data {(parentSize != 0 ? "" : "Virtual_")}{parentName.Substring(1)}; // 0x{offset:X4} (0x{parentSize:X} bytes)");

                        offset += parentSize;
                    }

                    // C# doesn't handle 0 byte structs (adds 1 byte), so we have to comment out 0 sized types
                    sb.AppendLine(
                        $"\t\t{(rtti.Size == 0 ? "//" : "")}public {rtti.Name}_Data {rtti.Name.Substring(1)}; // 0x{offset:X4} (0x{rtti.Size:X} bytes)");

                    sb.AppendLine("\t}");
                    sb.AppendLine("}");

                    File.WriteAllText(Path.Combine(rttiOutputDir, "composite", $"{rtti.Name}.cs"), sb.ToString());
                }
            }

            // Write out the x32dbg label script
            if (x32dbg_labels.Any())
            {
                File.WriteAllText(Path.Combine(outputDir, "x32dbg-labelscript.txt"),
                    Utility.GenerateLabelScript_x32dbg(x32dbg_labels));
            }

            // Write out the rtti info as a json file for easy loading between projects
            File.WriteAllText(Path.Combine(outputDir, "rtti.json"), rttis.ToJson());
        }

        static int Main(string[] args)
        {
            try
            {
                foreach (var arg in args)
                {
                    MainWrapper(arg);
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
                return -1;
            }

            return 0;
        }
    }
}

As a VSRO 1.188 example, I'm basically finding and parsing information like this from the client:

 Spoiler

Code:

00D76350 | 6A 00                    | push 0x0                                           |
00D76352 | 6A 48                    | push 0x48                                          |
00D76354 | 68 78F91001              | push <[188]sro_client.rtti_CEntityManager>         |
00D76359 | 68 20409C00              | push <sub_9C4020>                                  |
00D7635E | 68 80449C00              | push <Allocate_CEntityManagerClient>               |
00D76363 | 68 AC1FDE00              | push [188]sro_client.DE1FAC                        | DE1FAC:"CEntityManagerClient"
00D76368 | B9 90F6EE00              | mov ecx, <[188]sro_client.rtti_CEntityManagerClien |
00D7636D | E8 4E66E2FF              | call <RegisterRTTI>                                |
00D76372 | C3                       | ret                                                |

Then, using a bit of creativity to make magic, I build the rtti hierarchy as a composite object, and then create separate data files for each object for people to update. Using reflection, I also have a function in my project to make sure no one breaks the size of anything by checking against the saved rtti data in the json file.

While it's technically "working", I've already had to make a few revisions to address issues where the structs I generated needed to use a different format to make diffing between game updates as easy as possible, and making sure this can become a community tool people can contribute to without having to jump through any hoops. This requires regenerating all files, which obviously overwrites any work, so I need the format to be finalized before starting up community work on it. That's also why I've generated an x32dbg labeling script for the client, as it certainly helps give more context to a lot of functions that use these types.

If you've made it this far or just happened to read this part, the following label script is for the original VSRO 188 client (MD5: DEDDDC44FD43914E2D4E2861C5ABA29C) so don't run it unless you know what you're doing, because you can mess up your existing x32dbg label database and lose a lot of work.

Instead, you can visit a few addresses first to make sure everything looks right, and then run it on a clean client (after backing up and moving your old x32dbg file database of course). ALT + S to open script, right click inside the program, Load Script -> Paste (obviously copy the code to clipboard first), then spacebar to run while the client is paused or at the main entry point.

 Spoiler

I had to use gists for the script, because this post would have otherwise broken the 100k thread character limit as the script itself is nearly 70k characters.

[Closing]

Phew, that was a lot of words. It seems the older I get, the more of them I tend to use

This stuff is exciting to me right now because I had wanted to start doing some new memory based things with the client, and now I can. It feels like there's a lot of new potential for stuff, so I'll just have to see where things end up as I familiarize myself with Silkroad again and start revisiting old projects.

On the todo list for this stuff is find more global pointers holding classes to dump information from (basically, trace into the Allocate_ functions, looking for 'this' to be stored in a static address), general testing to make sure I have as efficient and easy to use workflow as possible, and finally setting up a community project for people to start reversing or just generate structures for the SRO_DevKit to further advanced that awesome project.

I know this wasn't a super flashy thread, and is probably a confusing/hard to understand topic, but I think it'll start to make more sense and become more apparent how useful this stuff can be once the next set of projects rolls out. As I mentioned before, I'll be referring to this as the prerequisite thread, so I have to get it out of the way as I'm building upon this foundation for now.

[qoaway]

I just had time to read all this article, great work as always. Glad to see you back. Some leechers probably really hyped right now

[nemo08]

Glad to see you back again bro and I'm curious to see what will you achieve with SRO_Devkit ^^

[Judgelemental]

The legend is back.

[BurakYogun]

Great article thanks I'm looking forward to what you will do

[vietnguyen09]

I don't have enough words to say how I feel right now when read all the post. Wow

[SubZero**]

Glad to see you back

[#HB]

It's great to see you looking forward into making projects compatible with other SRO files versions, but lets be real here, no one is gonna use any other version but VSRO 1.88..

Everyone (server owner) wants to ensure his server is compatible with bots, bugless to milk some players.. None would never think of taking a risk for SRO sake. MeGaMaX was probably the only one taking the risk.

Glad to have you back though, am interested in your article. I'll probably lend a hand on my free time, when I finish my **** exams

[bares1993]

Quote:

Originally Posted by #HB

It's great to see you looking forward into making projects compatible with other SRO files versions, but lets be real here, no one is gonna use any other version but VSRO 1.88..

Everyone (server owner) wants to ensure his server is compatible with bots, bugless to milk some players.. None would never think of taking a risk for SRO sake. MeGaMaX was probably the only one taking the risk.

Glad to have you back though, am interested in your article. I'll probably lend a hand on my free time, when I finish my **** exams

you are wrong. There are quite a few csro projects under development. 2 of them are opened too

[notHype*]

Quote:

Originally Posted by bares1993

you are wrong. There are quite a few csro projects under development. 2 of them are opened too

And that fact that nobody knows which they are speaks VOLUMES.

[tarek1500]

You could host a project somewhere so people could contribute, would be a nice idea.
Well done btw, great effort.

[forbannet]

Nice to see you posting Drew!

I'm here just to say thanks, I've been away from the SRO Community [and epvpers] since 2011, I moved to other games.

You/0x33 were my inspiration for writing my own iSROBot Crack back in 2009 and advancing as a programmer and reverse engineer.

You sir, you are a living legend and I want to thank you. Always polite and releasing new content, you're a pillar of this community and the botting/reverse engineering community as a whole.

If it wasn't for Akaruz (an old friend, from RZ) and You, I don't think I would hold the degree I hold today, and do what I do.

Sadly Akaruz is no longer with us, but you are and I'm here to thank you .

From 2011 onwards I wrote a couple clientless bots, some driver cheats (Rust/CS:GO) and now I'm definitely aiming at the future so I can write more malicious code!