how to get the right address to hook
Discussion on how to get the right address to hook within the SRO Coding Corner forum part of the Silkroad Online category.
09/19/2021, 19:10
#1
elite*gold: 0
Join Date: Jul 2020
Posts: 163
Received Thanks: 15
how to get the right address to hook
Hello guys,
I'm new at C++. I checked the Florine dev kit util.cpp and found this:
Code:
    replaceOffset(0x00682AFC, addr_from_this(&CIFItemComparison::AppendAdvancedInfo)); // set
    replaceOffset(0x00682D6E, addr_from_this(&CIFItemComparison::AppendAdvancedInfo)); // accs
    replaceOffset(0x00682FBE, addr_from_this(&CIFItemComparison::AppendAdvancedInfo)); // wep
    replaceOffset(0x0068320E, addr_from_this(&CIFItemComparison::AppendAdvancedInfo)); // shield
I want the same thing for other items, like avatars.
How do I get an address like 0x00682AFC for avatars?
I tried to debug and tried to hook this address, 0x006825BB,
but the game crashes when I hover over an avatar. Thank you.
09/20/2021, 09:10
#2
elite*gold: 0
Join Date: Sep 2018
Posts: 419
Received Thanks: 943
I barely know ASM, but I was able to find the cause of it because, from my point of view, it was about the places where that popup window could be shown, not about the item type, so that was my curiosity about it.
Then I started tracking the calls to these functions.
I found out, after comparing some registers, that everything starts at 0x00686CC7; it is some sort of switch/case if you look into the assembly. I ended up placing hooks on these root cases, and it looked like this:
Util.cpp
PHP Code:
    // Hook bubble window on hover
    replaceOffset(0x00686CE8, addr_from_this(&CIFSlotWithHelp::OnEquipableHovered));
    replaceOffset(0x00686D14, addr_from_this(&CIFSlotWithHelp::OnEtcHovered));
    replaceOffset(0x00686D4D, addr_from_this(&CIFSlotWithHelp::OnCosHovered));
    replaceOffset(0x00686D71, addr_from_this(&CIFSlotWithHelp::OnUnknown01Hovered));
    replaceOffset(0x00686D95, addr_from_this(&CIFSlotWithHelp::OnUnknown02Hovered));
CIFSlotWithHelp.h
PHP Code:
    void OnEquipableHovered(CIFHelperBubbleWindow* window);
    void OnCosHovered(CIFHelperBubbleWindow* window);
    void OnEtcHovered(CIFHelperBubbleWindow* window);
    void OnUnknown01Hovered(CIFHelperBubbleWindow* window);
    void OnUnknown02Hovered(CIFHelperBubbleWindow* window);
CIFSlotWithHelp.cpp
PHP Code:
    // Each hook forwards to the original client handler at the given address
    void CIFSlotWithHelp::OnEquipableHovered(CIFHelperBubbleWindow* window)
    {
        reinterpret_cast<void(__thiscall*)(CIFSlotWithHelp*, CIFHelperBubbleWindow*)>(0x00685F20)(this, window);
    }
    void CIFSlotWithHelp::OnCosHovered(CIFHelperBubbleWindow* window)
    {
        reinterpret_cast<void(__thiscall*)(CIFSlotWithHelp*, CIFHelperBubbleWindow*)>(0x006860A0)(this, window);
    }
    void CIFSlotWithHelp::OnEtcHovered(CIFHelperBubbleWindow* window)
    {
        reinterpret_cast<void(__thiscall*)(CIFSlotWithHelp*, CIFHelperBubbleWindow*)>(0x00684740)(this, window);
    }
    void CIFSlotWithHelp::OnUnknown01Hovered(CIFHelperBubbleWindow* window)
    {
        reinterpret_cast<void(__thiscall*)(CIFSlotWithHelp*, CIFHelperBubbleWindow*)>(0x00685B80)(this, window);
    }
    void CIFSlotWithHelp::OnUnknown02Hovered(CIFHelperBubbleWindow* window)
    {
        reinterpret_cast<void(__thiscall*)(CIFSlotWithHelp*, CIFHelperBubbleWindow*)>(0x006860A0)(this, window);
    }
Having this setup, we're able to filter the item type and add text at the start or at the end of the popup window, or, even deeper, overwrite all of it to our preference.
Here is a quick example of how to filter item types through the item type ID.
CIFSlotWithHelp.cpp
PHP Code:
    void CIFSlotWithHelp::OnEquipableHovered(CIFHelperBubbleWindow* window)
    {
        // Let the client build the popup first
        reinterpret_cast<void(__thiscall*)(CIFSlotWithHelp*, CIFHelperBubbleWindow*)>(0x00685F20)(this, window);
        // Retrieve data from the hovered item and unpack the TID bit fields
        CSOItem* item = this->m_CSOItem;
        USHORT itemTID = item->GetObjectData()->TID;
        bool isCashItem = (itemTID & 1) == 1; // parenthesised: '==' binds tighter than '&'
        BYTE tID1 = (itemTID >> 2) & 7;
        BYTE tID2 = (itemTID >> 5) & 3;
        BYTE tID3 = (itemTID >> 7) & 0xF;
        BYTE tID4 = (itemTID >> 11) & 0xF;
        // Filter TypeID #1 - a "just in case" check to make sure we are filtering items only
        if (tID1 != 3)
            return;
        // Filter TypeID #2
        switch (tID2)
        {
        case 1: // Equipable
        {
            // Filter TypeID #3
            switch (tID3)
            {
            case 1: // Garment
            case 2: // Protector
            case 3: // Armor
            case 9: // Robe
            case 10: // Light Armor
            case 11: // Heavy Armor
            {
                // Filter TypeID #4
                switch (tID4)
                {
                case 1: // Head
                case 2: // Shoulders
                case 3: // Chest
                case 4: // Pants
                case 5: // Gloves
                case 6: // Boots
                {
                    // ...
                } break;
                }
            } break;
            case 4: // Shield
            {
                // ...
            } break;
            case 5: // Accessories CH
            case 12: // Accessories EU
            {
                // Filter TypeID #4
                switch (tID4)
                {
                case 1: // Earrings
                case 2: // Necklace
                case 3: // Rings
                {
                    // ...
                } break;
                }
            } break;
            case 6: // Weapon
            {
                // ...
            } break;
            case 7: // Job
            {
                // ...
            } break;
            case 13: // Avatar
            {
                // ...
            } break;
            case 14: // Devil Spirit
            {
                // ...
            } break;
            }
        } break;
        case 2: // COS
        {
            // ...
        } break;
        case 3: // ETC
        {
            // ...
        } break;
        }
    }
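The post above decodes the 16-bit item TID into four type fields and filters on them inside the hook. As an added example (not code from the post or from the DevKit), here is that decoding pulled out into a stand-alone, testable form, with an encoder so the filter can be checked against known field values before it is compiled into a hook. The bit widths follow the post exactly (cash flag in bit 0, TypeID1 in bits 2-4, TypeID2 in bits 5-6, TypeID3 in bits 7-10, TypeID4 in bits 11-14); the category names are the ones the post's switch uses, and `classifyItem`, `encodeTID` and `decodeTID` are names chosen here, not client symbols.

```cpp
#include <cstdint>
#include <string>

// Unpacked view of the item TID, using the layout from the post above.
struct ItemTypeId {
    bool    cashItem;  // bit 0
    uint8_t tid1;      // bits 2-4   (3 = item)
    uint8_t tid2;      // bits 5-6   (1 = equipable, 2 = COS, 3 = ETC)
    uint8_t tid3;      // bits 7-10  (sub type)
    uint8_t tid4;      // bits 11-14 (slot / piece)
};

ItemTypeId decodeTID(uint16_t tid) {
    ItemTypeId r;
    r.cashItem = (tid & 1) == 1;   // parenthesised: '==' binds tighter than '&'
    r.tid1 = (tid >> 2) & 7;
    r.tid2 = (tid >> 5) & 3;
    r.tid3 = (tid >> 7) & 0xF;
    r.tid4 = (tid >> 11) & 0xF;
    return r;
}

// Inverse of decodeTID, handy for building test values for the filter.
uint16_t encodeTID(bool cash, uint8_t t1, uint8_t t2, uint8_t t3, uint8_t t4) {
    return (uint16_t)((cash ? 1 : 0)
                    | ((t1 & 7)   << 2)
                    | ((t2 & 3)   << 5)
                    | ((t3 & 0xF) << 7)
                    | ((t4 & 0xF) << 11));
}

// Same decision tree as the post's OnEquipableHovered filter, returning a label
// instead of falling through to "// ..." blocks.
std::string classifyItem(uint16_t tid) {
    ItemTypeId t = decodeTID(tid);
    if (t.tid1 != 3) return "not-an-item";
    switch (t.tid2) {
    case 1: // Equipable
        switch (t.tid3) {
        case 1: case 2: case 3: case 9: case 10: case 11: { // Garment .. Heavy Armor
            static const char* parts[] = {"", "Head", "Shoulders", "Chest", "Pants", "Gloves", "Boots"};
            if (t.tid4 >= 1 && t.tid4 <= 6) return std::string("armor/") + parts[t.tid4];
            return "armor/unknown";
        }
        case 4:  return "shield";
        case 5: case 12: { // Accessories CH / EU
            static const char* acc[] = {"", "Earrings", "Necklace", "Rings"};
            if (t.tid4 >= 1 && t.tid4 <= 3) return std::string("accessory/") + acc[t.tid4];
            return "accessory/unknown";
        }
        case 6:  return "weapon";
        case 7:  return "job";
        case 13: return "avatar";
        case 14: return "devil-spirit";
        default: return "equipable/unknown";
        }
    case 2: return "cos";
    case 3: return "etc";
    default: return "unknown";
    }
}
```

Because `encodeTID` and `decodeTID` round-trip, you can assert what a given slot should classify as before wiring the switch into the client; a mismatch there points at a wrong mask or shift rather than at the hook address.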
09/20/2021, 10:38
#3
elite*gold: 260
Join Date: Aug 2008
Posts: 560
Received Thanks: 3,779
Quote:
Originally Posted by kotsh23
I want the same thing for other items, like avatars.
How do I get an address like 0x00682AFC for avatars?
I tried to debug and tried to hook this address, 0x006825BB,
but the game crashes when I hover over an avatar. Thank you.
Ok, your question in my thread makes sense now. I didn't see you had a thread asking about this.
Are you using this release:  ?
I can't find the code you posted in vanilla SRO_DevKit, but maybe I'm on the wrong branch. Anyways, I just checked into this real fast, and it looks like you're close, but just grabbed the wrong address.
First, if you look at the 4 addresses referenced:
Notice how the code looks. When you go to the address you posted, 0x006825BB, it does not look like those, so that's why it crashes (but you already know you have the wrong address).
To find the right address, first, you need to trace up one level to see what calls the 4 existing known functions. You have to scroll up quite a ways to find the start of the function, and then check what code references it. So for example, CTRL + G to 0x00682D6E (accessory). Scroll all the way to the top of the function (00682BA0). Then hit X on that line and choose the call reference that pops up.
In this case, it's pretty simple, it's a switch statement that calls a function based on the slot type.
Highlighted is where we land for the accessory, so if we check the logic (I have a few labels placed), you would then just breakpoint on the switch selector to figure out what value gets passed when you hover over an avatar slot, follow the function (which you did already), and then find the function that "visually" looks like the other 4 (this is the part you missed).
Scroll down more in the function you found to address 0x682735 and look at the code vs the other 4.
See how it visually looks the same? I'd venture a guess that'd be the address of the function you want to hook like the others, so give that a try. If it doesn't work, then you'll have to do some more digging, but just glancing at the code, I think this is the relevant address.
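The advice above is to make sure the spot you hand to replaceOffset "visually looks like" the four known call sites before patching it, because a wrong address corrupts whatever instruction happens to be there and the client crashes on the next hover. As an added example (not the DevKit's code and not from the post), here is that check written down, on the assumption that replaceOffset works by overwriting the 4-byte rel32 operand of a near `call` (opcode E8) so that it points at the hook. The code buffer, its base address and the target addresses below are constructed for the example; a real hook would write to the client's absolute addresses with VirtualProtect around the write.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed sample "code" at a pretend base address. Layout (offsets from base):
//   0: 8B 4D 08          mov ecx, [ebp+8]
//   3: E8 xx xx xx xx    call rel32        <- rel32 operand lives at offset 4
//   8: 85 C0             test eax, eax
//  10: 74 02             je +2
//  12: C3                ret
std::vector<uint8_t> makeSampleCode(int32_t initialRel) {
    std::vector<uint8_t> code = {0x8B, 0x4D, 0x08,
                                 0xE8, 0x00, 0x00, 0x00, 0x00,
                                 0x85, 0xC0,
                                 0x74, 0x02,
                                 0xC3};
    std::memcpy(&code[4], &initialRel, 4);
    return code;
}

// x86 near call: target = address of the operand + 4 + rel32
int32_t relFor(uint32_t operandAddr, uint32_t target) {
    return (int32_t)(target - (operandAddr + 4));
}

// Where does the call whose operand sits at operandAddr currently go?
uint32_t targetOf(const std::vector<uint8_t>& code, uint32_t base, uint32_t operandAddr) {
    int32_t rel;
    std::memcpy(&rel, &code[operandAddr - base], 4);
    return operandAddr + 4 + (uint32_t)rel;
}

// replaceOffset with the sanity check the post recommends: refuse to write unless the
// byte just before the operand is E8, i.e. the address really is a call operand.
// Patching 0x006825BB-style "wrong" addresses fails here instead of crashing the client.
bool replaceOffsetChecked(std::vector<uint8_t>& code, uint32_t base,
                          uint32_t operandAddr, uint32_t newTarget) {
    uint32_t idx = operandAddr - base;
    if (idx < 1 || idx + 4 > code.size()) return false;   // outside the buffer
    if (code[idx - 1] != 0xE8) return false;              // not a near call operand
    int32_t rel = relFor(operandAddr, newTarget);
    std::memcpy(&code[idx], &rel, 4);
    return true;
}
```

In a debugger the same check is "does the opcode before my address read E8?"; if the bytes instead decode as part of a `mov` or a `cmp`, you are inside an instruction, not at a call site, which is exactly the symptom described above.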
09/20/2021, 12:42
#4
elite*gold: 0
Join Date: Jul 2020
Posts: 163
Received Thanks: 15
Quote:
Originally Posted by JellyBitz
[post #2 above, quoted in full]
Thank you, boss.
I tried with CIFSlotWithHelp, but it didn't work for me;
but I used your code and your addresses with a new class and it worked fine.
Thank you again.
Quote:
Originally Posted by pushedx
[post #3 above, quoted in full]
Man, you are really great, thank you. Nobody wanted to tell me how to debug; they all said "I have no clue" or "no idea", like Mr. #Laag,
but you are really a good person. I hope you have a nice life and good health.