knowledge from beta weekend

http://www.guildwars2.com
lisa
Posts: 8332
Joined: Tue Nov 09, 2010 11:46 pm
Location: Australia

knowledge from beta weekend

#1 Post by lisa » Tue Jul 24, 2012 9:03 pm

Ok, so I took part in the beta weekend and learnt a few things; posting here what I know so far.

--=== addresses ===--
Static Addresses
Player X,Z,Y -- easy enough to find again
I found 2 indicators of direction, should be workable
2 indicators of camera direction, should be workable
if loot window is open, very important.
2 indicators of mouse position, X,Y axis. 1/1 very bottom left, max/max top right, I think it was 100/100 but can't remember for sure.

Non static addresses
player Hp, Max HP, 3 offsets --should be easy to find again
"F" interaction is available, couldn't get reliable address+offsets.


--=== game play ===--

Hot keys
"1" is autoattack, available lvl 1
2-5 varied attack skills, need to be earned via kill xp
"6" is always heal skill, available lvl 1
"7" is a buff, unlocked at lvl 5? need to buy skill and place in hotkey
"8" is a buff, unlocked at lvl 10? need to buy skill and place in hotkey
"9"
"0" elite skill, unlocked lvl 30?

--=== progression ===--
Because you get scaled down to area and the xp and loot gets scaled up to your lvl you can sit in start area and farm mobs forever and you will get loot and lvl, obviously better loot and xp in higher areas but start area will be easy kills.

Events are good sources of XP, gold, karma. Usually very easy to complete, not sure on timing for them.
I bought nice items with karma.

WvW is good for events and therefore xp,gold,karma but I believe important to make your skills available before hand, going in lvl 1 with just autoattack will just get you killed.


--=== auction house ===--
"O" was available to post items from anywhere in world, not sure if just for beta event. I could empty my bags into the auction house and keep grinding mobs. You can only pickup items or gold from the vendors though.


--=== Repairs ===--
There was a very small icon to the right of HP orb, it would show durability status of items. Seemed very important to me to repair items.
Remember no matter you do in life to always have a little fun while you are at it ;)

wiki here http://www.solarstrike.net/wiki/index.php?title=Manual

lisa

Re: knowledge from beta weekend

#2 Post by lisa » Tue Jul 24, 2012 9:20 pm

addresses at the end of beta weekend

addresses = {
playerhp_address = 0x16A13F8,
playerhp_offset = {0x134,0x3C,0x10},
playermaxhp_offset = {0x134,0x3C,0x14},
playerX = 	0x1729338,
playerZ = 	0x1729334,
playerY = 	0x172933C,

playerdir1 = 0x1729328,
playerdir2 = 0x172932C,

loot = 0x176E3DC,
}

overture2112
Posts: 4
Joined: Tue Jul 31, 2012 11:10 am

Re: knowledge from beta weekend

#3 Post by overture2112 » Tue Jul 31, 2012 11:45 pm

There was a pretty useful IDA database from a BWE build with quite a bit of commenting and vfunc renaming posted at ownedcore which shows some potentially very nice methods for handling movement better than sending key presses (presumably leveraging the same pathfinding the NPCs use).

Ex:

Agent::CCommandMoveDirection_vtable
Agent::CCommandMoveOnPath_vtable
Agent::CCommandMoveOnRail_vtable
Agent::CCommandMoveRotate_vtable
Agent::CCommandMoveRotateToFace_vtable
Agent::CCommandMoveTeleport_vtable
Agent::CCommandMoveToPoint_vtable
I don't suppose you got the chance to try any injection?

lisa

Re: knowledge from beta weekend

#4 Post by lisa » Wed Aug 01, 2012 3:39 am

overture2112 wrote:There was a pretty useful IDA database from a BWE build with quite a bit of commenting and vfunc renaming posted at ownedcore which shows some potentially very nice methods for handling movement better than sending key presses (presumably leveraging the same pathfinding the NPCs use).

Ex:

Agent::CCommandMoveDirection_vtable
Agent::CCommandMoveOnPath_vtable
Agent::CCommandMoveOnRail_vtable
Agent::CCommandMoveRotate_vtable
Agent::CCommandMoveRotateToFace_vtable
Agent::CCommandMoveTeleport_vtable
Agent::CCommandMoveToPoint_vtable
I don't suppose you got the chance to try any injection?
No I didn't play around with any injection, pretty sure Admin was going to look at that once game is released. I just focused on what info I could find addresses for easily and also get a feel for the game and how it plays.

lisa

Re: knowledge from beta weekend

#5 Post by lisa » Wed Aug 01, 2012 7:10 am

I got a new toy, IDA and thought I would have a play.
This is player details such as coords and direction as well as a loot address.
[attachment: playercoordsIDA.jpg]
[attachment: lootIDA.jpg]
Also came across this text, ATargetDistance. Obviously can't check in game if it is indeed the target distance.
[attachment: targetdistanceIDA.jpg]

overture2112

Re: knowledge from beta weekend

#6 Post by overture2112 » Wed Aug 01, 2012 11:28 pm

It seems there's a stress test tomorrow from noon-4pm PST that can be used for more testing. Any idea if there's any protections against attaching a debugger?

lisa

Re: knowledge from beta weekend

#7 Post by lisa » Thu Aug 02, 2012 12:37 am

That is about 5am to 9am my time, I may or may not get out of bed for it.

I had already patched the game though and the new player coords look like this.
[attachment: playercoordsIDA 2.jpg]

playerX = 	0x172FCF8,
playerZ = 	0x172FCF4,
playerY = 	0x172FCFC,

playerdir1 = 0x172FCE8,
playerdir2 = 0x172FCEC,

lisa

Re: knowledge from beta weekend

#8 Post by lisa » Thu Aug 02, 2012 6:05 pm

I was in game for about 15 mins before it ended.

Static addresses

 hastarget = 0x16A814C -- 0 or 1
 targetAddress = 0x1775CFC -- address of target pawn.
That will actually make it very easy to get info now we have the start addresses for objects around us. Should be able to back track to a table of objects.

overture2112

Re: knowledge from beta weekend

#9 Post by overture2112 » Thu Aug 02, 2012 7:18 pm

So 0x0172FCF8 is a static address that contains your x coordinate, but modifying it doesn't do anything (gets set back immediately), so I tried digging around to see why. Of course, only reading is fine if you just want to move by inputting key presses, but I'd ideally like to more directly control position since that way you can avoid getting stuck.

I assumed that address was for the UI or something that merely holds a copy of the x coords so I tried checking to see what wrote to it and sure enough it was being written to constantly (once per frame?) even when I was stationary, by only 1 region of code, and moving had zero effect.

Since I knew my exact x coordinate, I searched for other addresses storing it (narrowed to ~63 matches). Almost all of those (I only got to test ~30 in the few minutes I had after work) were similar to 0x0172FCF8 in that they were written by 1 thing constantly, presumably being updated by the definitive source of character position. There was one exception among the ones I tested (0x09E1E4DC at the time, didn't get a chance to trace it back to a static addr), which was only written to when I moved:

Gw2.exe+569EBE - 83 C2 06              - add edx,06
Gw2.exe+569EC1 - D9 04 06              - fld dword ptr [esi+eax]
Gw2.exe+569EC4 - 83 C0 18              - add eax,18
Gw2.exe+569EC7 - 83 FA 0C              - cmp edx,0C
Gw2.exe+569ECA - D9 58 E8              - fstp dword ptr [eax-18]    << writes to 0x09E1E4DC
Gw2.exe+569ECD - D9 44 07 E8           - fld dword ptr [edi+eax-18]
Gw2.exe+569ED1 - D9 58 EC              - fstp dword ptr [eax-14]
Gw2.exe+569ED4 - D9 44 01 E8           - fld dword ptr [ecx+eax-18]

lisa

Re: knowledge from beta weekend

#10 Post by lisa » Thu Aug 02, 2012 7:35 pm

yeah I found the same thing, can read them but writing doesn't work. I didn't look any further at the time as I had a short amount of time and wanted to look at other things as a priority; finding the coords at that time was enough for me ;)

lisa

Re: knowledge from beta weekend

#11 Post by lisa » Sun Aug 05, 2012 4:47 am

Every week I start up the launcher to see if there have been any updates to the game, today it has 10,000 files to update, that is half the game lol

Administrator
Site Admin
Posts: 5306
Joined: Sat Jan 05, 2008 4:21 pm

Re: knowledge from beta weekend

#12 Post by Administrator » Sun Aug 05, 2012 1:31 pm

Yeah. This patch just went up. I checked earlier and there was nothing; now there is a huge patch.

The game was expected to be about 25-30GB, with the beta only covering 12-15GB, so it makes sense. I'm glad they allow us to get the client fully up-to-date now rather than have everybody flooding their servers in the day before launch, causing terrible download rates for everyone (and possible outages).

lisa

Re: knowledge from beta weekend

#13 Post by lisa » Sun Aug 05, 2012 6:36 pm

yeah I really don't want to see another D3 release, took me an hour just to log onto the server.

overture2112

Re: knowledge from beta weekend

#14 Post by overture2112 » Tue Aug 07, 2012 1:41 am

I still have a client half running (kicked to login screen with error message as stress test went down but some useful data is lingering in memory) and have been trying to squeeze some information out, but I'm leaving in two days for vacation until >1wk after GW2 launches so I figured I'd jot down some things I learned so hopefully others can make progress while I'm unable to.

There's a base top level object ( fetched via what assertion messages refer to as GetContextSafe() ) located in thread local storage:

As of 2Aug2012 stress test:

baseObj = [[[ mainThreadTEB + 0x2c ] + 4*TlsIndex ] +offset]
TlsIndex = 0
offset = 4


But obviously we want something more future proof as TlsIndex and the offset at the end can change (eg, it's +8 in the 14234 build). So looking at the disassembly of GetContextSafe we can come up with a mask pattern we can apply to easily determine the location of TlsIndex (which we can then look up) and the offset for the baseObj from the thread's TLS slot:

.text:00632870 GetContextSafe proc near                ; CODE XREF: sub_43C710p
.text:00632870                                         ; sub_43C880+6Dp ...
.text:00632870 mov     eax, TlsIndex
.text:00632875 mov     ecx, large fs:2Ch
.text:0063287C mov     edx, [ecx+eax*4]
.text:0063287F mov     eax, [edx+4]
.text:00632885 retn
.text:00632885 GetContextSafe endp
The use of "mov ecx, large fs:2Ch" is reasonably unique, as on Windows the FS segment register is used just for thread local storage, and a quick cross reference of TlsIndex confirms that nothing else looks like it (the function that _sets_ the base object is the only thing close and it obviously won't match since its last op is moving to memory rather than from). So let's copy paste the bytes and check it matches up:

[rin@antec udis86-1.7]$ echo "A1 70 FD 72 01 64 8B 0D 2C 00 00 00 8B 14 81 8B 82 04 00 00 00 C3" | udcli -32 -x
0000000000000000 a170fd7201       mov eax, [0x172fd70]
0000000000000005 648b0d2c000000   mov ecx, [fs:0x2c]
000000000000000c 8b1481           mov edx, [ecx+eax*4]
000000000000000f 8b8204000000     mov eax, [edx+0x4]
0000000000000015 c3               ret
So the final pattern is:

pat = "A1 ?? ?? ?? ?? 64 8B 0D 2C 00 00 00 8B 14 81 8B 82 ?? 00 00 00 C3"
And a byte sequence search confirms it is unique.

Now this base object contains the CharClient Context (at [baseObj +52] for all clients I've checked, although the pattern "E8 ?? ?? ?? ?? 8B 40 ?? C3" should work). This has a lot of handy functions and structures attached to it, such as:

GetControlledPlayer :: CharClientContext -> Player (@ +24)
agent container (first elem @ +20, length @ +28)
character container (first elem @ +40, length @ +48)
Indexing looks like "agent = agentArray + agentId * 4", so we can infer that the containers are something like:

struct SmartArray {
    dword* array_data;
    dword unknown;
    int array_length;
    // maybe more fields but at most 0x20 bytes worth
};
Character objects have methods like (offsets from 14234 build but this is mostly useful for seeing what's available):

Character::
GetCoreStats() @ 4, m_coreStats field @ 268
GetHealth() @ 20, m_health @ 308
GetInventory() @ 32, m_inventory @ 312
GetKennel() (for ranger pets etc) @ 36, m_kennel @ 316
GetAgent() @ 104 (for converting to an agent object, agents have a similar method for transformation to Character obj)
GetSkillMgr() @ 168
IsAlive() @ 200
IsDowned() @ 212
IsInWater() @ 240

CoreStats::
EarnedLevel() @ 28
EffectiveLevel() @ 36
Experience() @ 40
Karma() @ 48
GetProfession() @ 60 (an int from 1-8)

lisa

Re: knowledge from beta weekend

#15 Post by lisa » Tue Aug 07, 2012 2:53 am

If I understand you correctly, to translate to "my language" for lack of a better word we are looking at this.

0x172fd70 --> someaddress + 0x4 --> someaddress + 0x268 --> corestatbase
corestatbase + 0x28 = actual level
corestatbase + 0x36 = effective level
corestatbase + 0x40 = experience
corestatbase + 0x48 = Karma
corestatbase + 0x60 = profession (int 1-8)
the "-->" obviously means it is a pointer.

If so that is awesome work =)

I set this as an updater, won't be able to test it until servers are up again though.

base = {
		pattern = string.char(
		0xA1, 0xFF, 0xFF, 0xFF, 0xFF, 0x64, 0x8B, 0x0D, 0x2C, 0x00,
		0x00, 0x00, 0x8B, 0x14, 0x81, 0x8B, 0x82, 0xFF, 0x00, 0x00, 0x00, 0xC3),
		mask = "x????xxxxxxxxxxxx?xxxx",
		offset = 1,
		startloc = 0x400000,
	},
Not sure on the startloc yet, will play with it when servers are up.
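The pattern-and-mask search that post #14 derives (the "A1 ?? ?? ?? ?? 64 8B 0D ..." signature) and that post #15 encodes as a Lua pattern/mask table, worked end to end below as an added example. This is not code from the thread or from the bot project; it is the same masked byte-signature scanning that YARA-style detection rules and AV engines use, applied to the thread's own bytes. The 22-byte sequence is exactly what udcli printed in post #14; the filler around it, the "setter" decoy (a store instead of a load at byte 15, the case post #14 says must not match) and the second-build variant (using the 0x166FF30 address from post #16 and the +8 field offset post #14 reports for the 14234 build) are constructed here to show why the wildcard positions are needed and what they cover.

```python
"""Masked byte-signature scanning over a constructed image.

Added example, not code from the thread or from any bot project. The 22-byte
sequence is the udcli listing from post #14; the filler, the setter decoy and
the second-build variant are constructed for this demonstration.
"""
import re
import struct
from typing import List, Tuple

# IDA-style signature from post #14. '??' marks the bytes that change between
# builds: the absolute address of TlsIndex and the final field offset.
PATTERN = "A1 ?? ?? ?? ?? 64 8B 0D 2C 00 00 00 8B 14 81 8B 82 ?? 00 00 00 C3"


def parse_signature(sig: str) -> Tuple[bytes, str]:
    """Split 'A1 ?? 64 ...' into (byte values, mask).

    The mask uses 'x' for a byte that must match and '?' for a wildcard,
    the same convention as the Lua 'mask' string in post #15."""
    values = bytearray()
    mask = []
    for tok in sig.split():
        if tok == "??":
            values.append(0x00)  # placeholder; ignored because the mask says '?'
            mask.append("?")
        else:
            values.append(int(tok, 16))
            mask.append("x")
    return bytes(values), "".join(mask)


def find_all(buf: bytes, values: bytes, mask: str) -> List[int]:
    """Return every offset in buf at which the masked signature matches.

    The signature is compiled to a bytes regex: fixed bytes are escaped so
    values such as 0x2E ('.') stay literal, wildcards become '.', and DOTALL
    lets '.' match 0x0A as well."""
    parts = [b"." if m == "?" else re.escape(bytes([b])) for b, m in zip(values, mask)]
    rx = re.compile(b"".join(parts), re.DOTALL)
    return [m.start() for m in rx.finditer(buf)]


def decode_operands(buf: bytes, off: int) -> Tuple[int, int]:
    """Read the two build-specific values the wildcards cover at a match.

    off+1 is the imm32 of 'mov eax, [imm32]' (the 'offset = 1' in the Lua
    table) and off+17 is the disp32 of 'mov eax, [edx+disp32]'."""
    tls_index_addr = struct.unpack_from("<I", buf, off + 1)[0]
    field_offset = struct.unpack_from("<I", buf, off + 17)[0]
    return tls_index_addr, field_offset


# Bytes exactly as udcli printed them in post #14 (TlsIndex at 0x172FD70, field +4).
STRESS_TEST_BYTES = bytes.fromhex(
    "A1 70 FD 72 01 64 8B 0D 2C 00 00 00 8B 14 81 8B 82 04 00 00 00 C3"
)
# Constructed variant for a later build: 0x166FF30 is the address post #16
# reports and +8 the offset post #14 gives for the 14234 build. Only the
# wildcard positions differ from STRESS_TEST_BYTES.
OTHER_BUILD_BYTES = bytes.fromhex(
    "A1 30 FF 66 01 64 8B 0D 2C 00 00 00 8B 14 81 8B 82 08 00 00 00 C3"
)
# Constructed decoy standing in for the setter post #14 mentions: identical
# except the last memory op stores eax (89 82 ...) instead of loading it
# (8B 82 ...), so byte 15 breaks the match.
SETTER_DECOY = bytes.fromhex(
    "A1 70 FD 72 01 64 8B 0D 2C 00 00 00 8B 14 81 89 82 04 00 00 00 C3"
)
# Constructed filler containing every byte value, so A1, 64, C3 and friends
# occur plenty of times in positions that must not produce a match.
FILLER = bytes(range(256)) * 2
IMAGE = FILLER + STRESS_TEST_BYTES + FILLER + SETTER_DECOY + FILLER + OTHER_BUILD_BYTES + FILLER


def scan_image(image: bytes = IMAGE) -> List[Tuple[int, int, int]]:
    """Scan an image; return (match offset, TlsIndex address, field offset) per hit."""
    values, mask = parse_signature(PATTERN)
    return [(off, *decode_operands(image, off)) for off in find_all(image, values, mask)]


if __name__ == "__main__":
    for off, tls_addr, field in scan_image():
        print(f"match at image offset {off:#x}: TlsIndex @ {tls_addr:#010x}, field offset +{field}")
```

Running it reports two hits, the original and the constructed later-build copy, and nothing for the decoy; the mask string it derives from the signature is the same "x????xxxxxxxxxxxx?xxxx" post #15 wrote by hand. The regex approach is a convenience for short buffers; for scanning a whole module image a linear masked compare is just as simple and avoids regex backtracking.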

lisa

Re: knowledge from beta weekend

#16 Post by lisa » Wed Aug 15, 2012 10:51 pm

Seems there was a stress test today, I should check the announcements more often lol

current address for previous post.
0x166FF30

the pattern is still holding true.

lisa

Re: knowledge from beta weekend

#17 Post by lisa » Tue Aug 21, 2012 5:58 am

Stress test in 9 hours, I'll try to get out of bed for it, see if I can find any interesting addresses.
We will be conducting a stress test tomorrow Tuesday, August 21 from 12:00 Noon PACIFIC Time to 4:00 PM PACIFIC Time
current patch address is, 0x1677EF0, pattern still holding true.

Administrator

Re: knowledge from beta weekend

#18 Post by Administrator » Tue Aug 21, 2012 5:43 pm

I got a quick chance to check the game's packets. Looks like they are encrypted and do use some dynamic variable to prevent you from sending copies of packets. Unfortunately, this means it would be a lot of work to figure out which packets do what. However, it may still be possible to hook the sending and receiving of packets before they are encrypted and passed on to Winsock.

lisa

Re: knowledge from beta weekend

#19 Post by lisa » Tue Aug 21, 2012 6:00 pm

Managed to kick myself out of bed to do some stuff in GW2, stress test still on atm

0x16BEDAC target address, killable.
0x16BEE04 target address, all

coords of spot mouse is pointing to, yay AOE skills
0x16BEE38 X
0x16BEE3C Z
0x16BEE40 Y


0x16bdf7c loot window, 0 or 1


"F" interaction
0x16BEDE0 = address of object to interact with or 0


--=== player ===--
HP
0x15ef558
0x150,0x3C,0x10

max HP
0x15ef558
0x150,0x3C,0x14



Even though I have the addresses for objects around me still looking for hp and such for those mobs

Found an address for "element, F1 F2 F3 F4" not static and didn't seem to be any other skill info nearby. Not high priority atm, might look at it again in a few weeks.

lisa

Re: knowledge from beta weekend

#20 Post by lisa » Wed Sep 19, 2012 12:29 am

I keep coming back to this topic hoping that it will suddenly all fall into place.

I am still struggling to get a table of objects/mobs/npc.

What I know
There is ALWAYS 2 places for object HP and ALWAYS 2 places for object Max HP, I assume the first of each is to do with the health bar you can see on screen as those 2 addresses are ALWAYS 4 bytes apart, i.e. 1047658, 104765C.
The second set of hp/maxhp are very random in their address location but usually within say 0x10000 of each other.
In my investigations I have come across several occurrences of the same object X,Z,Y, and face direction.
Today I found character actual level and adjusted level, always 2 of each for any character, seems like the data is repeated after itself, I can't get a link between that info and the target Address though.

Still plugging away at it, hopefully I get a table of objects soon.
