knowledge from beta weekend
OK, so I took part in the beta weekend and learnt a few things; posting here what I know so far.
--=== addresses ===--
Static Addresses
Player X,Z,Y -- easy enough to find again
I found 2 indicators of direction, should be workable
2 indicators of camera direction, should be workable
if loot window is open, very important.
2 indicators of mouse position, X,Y axis. 1/1 very bottom left, max/max top right, I think it was 100/100 but can't remember for sure.
Non static addresses
player HP, max HP, 3 offsets -- should be easy to find again
"F" interaction is available, couldn't get reliable address+offsets.
--=== game play ===--
Hot keys
"1" is autoattack, available lvl 1
2-5 varied attack skills, need to be earned via kill xp
"6" is always heal skill, available lvl 1
"7" is a buff, unlocked at lvl 5? need to buy skill and place in hotkey
"8" is a buff, unlocked at lvl 10? need to buy skill and place in hotkey
"9"
"0" elite skill, unlocked lvl 30?
--=== progression ===--
Because you get scaled down to the area and the XP and loot get scaled up to your level, you can sit in the start area and farm mobs forever and you will get loot and levels; obviously better loot and XP in higher areas, but the start area will be easy kills.
Events are good sources of XP, gold, karma. Usually very easy to complete, not sure on timing for them.
I bought nice items with karma.
WvW is good for events and therefore XP, gold, karma, but I believe it is important to make your skills available beforehand; going in at lvl 1 with just autoattack will just get you killed.
--=== auction house ===--
"O" was available to post items from anywhere in the world, not sure if just for the beta event. I could empty my bags into the auction house and keep grinding mobs. You can only pick up items or gold from the vendors though.
--=== Repairs ===--
There was a very small icon to the right of the HP orb, it would show durability status of items. Seemed very important to me to repair items.
Remember no matter you do in life to always have a little fun while you are at it
wiki here http://www.solarstrike.net/wiki/index.php?title=Manual
Re: knowledge from beta weekend
addresses at the end of beta weekend
Code: Select all
addresses = {
playerhp_address = 0x16A13F8,
playerhp_offset = {0x134,0x3C,0x10},
playermaxhp_offset = {0x134,0x3C,0x14},
playerX = 0x1729338,
playerZ = 0x1729334,
playerY = 0x172933C,
playerdir1 = 0x1729328,
playerdir2 = 0x172932C,
loot = 0x176E3DC,
}
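An added example (not code from the post or from MicroMacro) of following the HP / max HP pointer chains listed above. The base address and the three offsets are the posted ones; the address space below is a constructed dict of 32-bit cells, so every heap address in it is made up. The point it shows beyond the list itself is the failure mode: a chain that goes through a null or nonsensical pointer (loading screen, object not yet created) must come back as "no value", not as a read of address 0x134.

```python
"""Cheat Engine style pointer chain resolver over a constructed memory image."""

PLAYERHP_BASE = 0x16A13F8            # static address from the post
HP_CHAIN      = (0x134, 0x3C, 0x10)  # [[[base]+0x134]+0x3C]+0x10
MAXHP_CHAIN   = (0x134, 0x3C, 0x14)  # same chain, +0x14 for max HP


def looks_like_pointer(p):
    """Cheap sanity check for a 32-bit user-mode pointer: above the null page,
    below the 2 GB user/kernel split. Rejects 0 and stale garbage alike."""
    return 0x10000 <= p < 0x7FFF0000


def resolve_chain(mem, base, offsets):
    """Follow [base], then [ptr+off] for every offset but the last, then add the
    last offset to get the final address. mem is {address: u32} (constructed).
    Returns (final_address, value) or None if any hop is not a usable pointer."""
    ptr = mem.get(base, 0)
    for off in offsets[:-1]:
        if not looks_like_pointer(ptr):
            return None                      # null hop: object does not exist yet
        ptr = mem.get(ptr + off, 0)
    if not looks_like_pointer(ptr):
        return None
    final = ptr + offsets[-1]
    if final not in mem:
        return None                          # unmapped: treat like a failed read
    return final, mem[final]


def build_sample_memory(hp=1234, max_hp=5000):
    """Constructed heap layout that is consistent with the posted chain.
    The three object addresses are invented for the example."""
    player, stats, health = 0x0A000000, 0x0A100000, 0x0A200000
    return {
        PLAYERHP_BASE: player,       # static cell points at the player object
        player + 0x134: stats,       # first hop
        stats + 0x3C: health,        # second hop
        health + 0x10: hp,           # HP lives here
        health + 0x14: max_hp,       # max HP is the next dword
    }


def read_player_health(mem):
    """Return (hp, max_hp), or None when either chain is broken."""
    hp = resolve_chain(mem, PLAYERHP_BASE, HP_CHAIN)
    mx = resolve_chain(mem, PLAYERHP_BASE, MAXHP_CHAIN)
    if hp is None or mx is None:
        return None
    return hp[1], mx[1]


if __name__ == "__main__":
    mem = build_sample_memory()
    print(read_player_health(mem))           # (1234, 5000)
    mem[0x0A100000 + 0x3C] = 0               # simulate the health object being torn down
    print(read_player_health(mem))           # None
```

The two chains share every hop but the last, which is why the post lists one base address with two offset lists; a bot loop should treat a `None` from either as "not in game right now" rather than retrying the read.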
- Posts: 4
- Joined: Tue Jul 31, 2012 11:10 am
Re: knowledge from beta weekend
There was a pretty useful IDA database from a BWE build with quite a bit of commenting and vfunc renaming posted at ownedcore which shows some potentially very nice methods for handling movement better than sending key presses (presumably leveraging the same pathfinding the NPCs use).
Ex:
Code: Select all
Agent::CCommandMoveDirection_vtable
Agent::CCommandMoveOnPath_vtable
Agent::CCommandMoveOnRail_vtable
Agent::CCommandMoveRotate_vtable
Agent::CCommandMoveRotateToFace_vtable
Agent::CCommandMoveTeleport_vtable
Agent::CCommandMoveToPoint_vtable
I don't suppose you got the chance to try any injection?
Re: knowledge from beta weekend
overture2112 wrote:
There was a pretty useful IDA database from a BWE build with quite a bit of commenting and vfunc renaming posted at ownedcore which shows some potentially very nice methods for handling movement better than sending key presses (presumably leveraging the same pathfinding the NPCs use).
Ex:
Code: Select all
Agent::CCommandMoveDirection_vtable
Agent::CCommandMoveOnPath_vtable
Agent::CCommandMoveOnRail_vtable
Agent::CCommandMoveRotate_vtable
Agent::CCommandMoveRotateToFace_vtable
Agent::CCommandMoveTeleport_vtable
Agent::CCommandMoveToPoint_vtable
I don't suppose you got the chance to try any injection?
No I didn't play around with any injection, pretty sure Admin was going to look at that once the game is released. I just focused on what info I could find addresses for easily and also get a feel for the game and how it plays.
Re: knowledge from beta weekend
I got a new toy, IDA, and thought I would have a play.
This is player details such as coords and direction as well as a loot address. Also came across this text, ATargetDistance. Obviously can't check in game if it is indeed the target distance.
- Posts: 4
- Joined: Tue Jul 31, 2012 11:10 am
Re: knowledge from beta weekend
It seems there's a stress test tomorrow from noon-4pm PST that can be used for more testing. Any idea if there's any protections against attaching a debugger?
Re: knowledge from beta weekend
That is about 5am to 9am my time, I may or may not get out of bed for it.
I had already patched the game though and the new player coords look like this.
Code: Select all
playerX = 0x172FCF8,
playerZ = 0x172FCF4,
playerY = 0x172FCFC,
Code: Select all
playerdir1 = 0x172FCE8,
playerdir2 = 0x172FCEC,
Re: knowledge from beta weekend
I was in game for about 15 mins before it ended.
That will actually make it very easy to get info now that we have the start addresses for objects around us. Should be able to back track to a table of objects.
Static addresses
Code: Select all
hastarget = 0x16A814C -- 0 or 1
targetAddress = 0x1775CFC -- address of target pawn.
- Posts: 4
- Joined: Tue Jul 31, 2012 11:10 am
Re: knowledge from beta weekend
So 0x0172FCF8 is a static address that contains your x coordinate, but modifying it doesn't do anything (gets set back immediately), so I tried digging around to see why. Of course, only reading is fine if you just want to move by inputting key presses, but I'd ideally like to more directly control position since that way you can avoid getting stuck.
I assumed that address was for the UI or something that merely holds a copy of the x coords, so I tried checking to see what wrote to it and sure enough it was being written to constantly (once per frame?) even when I was stationary, by only 1 region of code, and moving had zero effect.
Since I knew my exact x coordinate, I searched for other addresses storing it (narrowed to ~63 matches). Almost all of those (I only got to test ~30 in the few minutes I had after work) were similar to 0x0172FCF8 in that they were written by 1 thing constantly, presumably being updated by the definitive source of character position. There was one exception among the ones I tested (0x09E1E4DC at the time, didn't get a chance to trace it back to a static addr), which was only written to when I moved:
Code: Select all
Gw2.exe+569EBE - 83 C2 06 - add edx,06
Gw2.exe+569EC1 - D9 04 06 - fld dword ptr [esi+eax]
Gw2.exe+569EC4 - 83 C0 18 - add eax,18
Gw2.exe+569EC7 - 83 FA 0C - cmp edx,0C
Gw2.exe+569ECA - D9 58 E8 - fstp dword ptr [eax-18] << writes to 0x09E1E4DC
Gw2.exe+569ECD - D9 44 07 E8 - fld dword ptr [edi+eax-18]
Gw2.exe+569ED1 - D9 58 EC - fstp dword ptr [eax-14]
Gw2.exe+569ED4 - D9 44 01 E8 - fld dword ptr [ecx+eax-18]
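The scan-and-narrow step described above ("searched for other addresses storing it, narrowed to ~63 matches") as an added example; this is not code from the post or from Cheat Engine. The memory images, offsets and coordinates below are constructed. It searches for a float32 with a tolerance (coordinates are floats, so an exact byte compare misses values that differ in the last bit), then keeps only the candidates that track the player across later snapshots. It also shows the limit the post ran into: every mirror copy survives narrowing, so picking the authoritative one still needs the "what writes to this address" trace.

```python
"""Float32 value scan plus snapshot narrowing over constructed memory images."""
import struct


def scan_f32(image, value, tol=1e-3, align=4):
    """Offsets of every aligned float32 in image within tol of value."""
    return [off for off in range(0, len(image) - 3, align)
            if abs(struct.unpack_from("<f", image, off)[0] - value) <= tol]


def narrow(image, candidates, value, tol=1e-3):
    """Keep the candidates that hold the new value in a later snapshot."""
    return [off for off in candidates
            if abs(struct.unpack_from("<f", image, off)[0] - value) <= tol]


def find_coordinate_copies(snapshots):
    """snapshots: list of (image, known_coordinate) taken after each move.
    First snapshot seeds the candidate set; every later one prunes it."""
    image, x = snapshots[0]
    cands = scan_f32(image, x)
    for image, x in snapshots[1:]:
        cands = narrow(image, cands, x)
    return cands


def make_image(size, cells):
    """Constructed memory image: zero-filled, float32 cells at the given offsets."""
    buf = bytearray(size)
    for off, v in cells.items():
        struct.pack_into("<f", buf, off, v)
    return bytes(buf)


def demo():
    # Three genuine copies of x (0x10, 0x40, 0x7C) and a decoy at 0xA0 that
    # merely equals x in the first snapshot. Values and offsets are invented.
    s0 = make_image(0x100, {0x10: 1200.5, 0x40: 1200.5, 0x7C: 1200.5, 0xA0: 1200.5})
    s1 = make_image(0x100, {0x10: 1203.25, 0x40: 1203.25, 0x7C: 1203.25, 0xA0: 1200.5})
    s2 = make_image(0x100, {0x10: 1203.25, 0x40: 1203.25, 0x7C: 1203.25, 0xA0: 17.0})
    return find_coordinate_copies([(s0, 1200.5), (s1, 1203.25), (s2, 1203.25)])


if __name__ == "__main__":
    print([hex(o) for o in demo()])   # the decoy drops out, all three mirrors remain
```

Narrowing removes coincidental matches but cannot separate the UI/physics mirrors from the source of truth, because all of them move when the player moves; that is exactly why the post switches to watching which instruction writes each candidate, and why writes to the static copy at 0x0172FCF8 are overwritten on the next frame.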
Re: knowledge from beta weekend
yeah I found the same thing, can read them but writing doesn't work, I didn't look any further at the time as I had a short amount of time and wanted to look at other things as a priority, finding the coords at that time was enough for me
Re: knowledge from beta weekend
Every week I start up the launcher to see if there have been any updates to the game, today it has 10,000 files to update, that is half the game lol
- Administrator
- Site Admin
- Posts: 5312
- Joined: Sat Jan 05, 2008 4:21 pm
Re: knowledge from beta weekend
Yeah. This patch just went up. I checked earlier and there was nothing; now there is a huge patch.
The game was expected to be about 25-30GB, with the beta only covering 12-15GB, so it makes sense. I'm glad they allow us to get the client fully up-to-date now rather than have everybody flooding their servers in the day before launch, causing terrible download rates for everyone (and possible outages).
Re: knowledge from beta weekend
yeah I really don't want to see another D3 release, took me an hour just to log onto the server.
- Posts: 4
- Joined: Tue Jul 31, 2012 11:10 am
Re: knowledge from beta weekend
I still have a client half running (kicked to login screen with error message as stress test went down but some useful data is lingering in memory) and have been trying to squeeze some information out, but I'm leaving in two days for vacation until >1wk after GW2 launches so I figured I'd jot down some things I learned so hopefully others can make progress while I'm unable to.
There's a base top level object ( fetched via what assertion messages refer to as GetContextSafe() ) located in thread local storage:
As of 2Aug2012 stress test:
Code: Select all
baseObj = [[[ mainThreadTEB + 0x2c ] + 4*TlsIndex ] +offset]
TlsIndex = 0
offset = 4
But obviously we want something more future proof as TlsIndex and the offset at the end can change (e.g., it's +8 in the 14234 build). So looking at the disassembly of GetContextSafe we can come up with a mask pattern we can apply to easily determine the location of TlsIndex (which we can then look up) and the offset for the baseObj from the thread's TLS slot:
Code: Select all
.text:00632870 GetContextSafe proc near ; CODE XREF: sub_43C710p
.text:00632870 ; sub_43C880+6Dp ...
.text:00632870 mov eax, TlsIndex
.text:00632875 mov ecx, large fs:2Ch
.text:0063287C mov edx, [ecx+eax*4]
.text:0063287F mov eax, [edx+4]
.text:00632885 retn
.text:00632885 GetContextSafe endp
The use of "mov ecx, large fs:2Ch" is reasonably unique as on Windows the FS register/segment is used just for thread local storage, and a quick cross reference of TlsIndex confirms that nothing else looks like it (the function that _sets_ the base object is the only thing close and it obviously won't match since its last op is moving to memory rather than from). So let's copy paste the bytes and check it matches up:
Code: Select all
[rin@antec udis86-1.7]$ echo "A1 70 FD 72 01 64 8B 0D 2C 00 00 00 8B 14 81 8B 82 04 00 00 00 C3" | udcli -32 -x
0000000000000000 a170fd7201 mov eax, [0x172fd70]
0000000000000005 648b0d2c000000 mov ecx, [fs:0x2c]
000000000000000c 8b1481 mov edx, [ecx+eax*4]
000000000000000f 8b8204000000 mov eax, [edx+0x4]
0000000000000015 c3 ret
So the final pattern is:
Code: Select all
pat = "A1 ?? ?? ?? ?? 64 8B 0D 2C 00 00 00 8B 14 81 8B 82 ?? 00 00 00 C3"
And a byte sequence search confirms it is unique.
Now this base object contains the CharClient Context ( at [baseObj +52] for all clients I've checked, although the pattern "E8 ?? ?? ?? ?? 8B 40 ?? C3" should work ). This holds a lot of handy functions and structures attached to it, such as:
Code: Select all
GetControlledPlayer :: CharClientContext -> Player (@ +24)
agent container (first elem @ +20, length @ +28)
character container (first elem @ +40, length @ +48)
Indexing looks like "agent = agentArray + agentId * 4", thus we can infer that the containers are something like:
Code: Select all
struct SmartArray {
dword* array_data;
dword unknown;
int array_length;
// maybe more fields but at most 0x20 bytes worth
}
Character objects have methods like (offsets from 14234 build but this is mostly useful for seeing what's available):
Code: Select all
Character::
GetCoreStats() @ 4, m_coreStats field @ 268
GetHealth() @ 20, m_health @ 308
GetInventory() @ 32, m_inventory @ 312
GetKennel() (for ranger pets etc) @ 36, m_kennel @ 316
GetAgent() @ 104 (for converting to an agent object, agents have a similar method for transformation to Character obj)
GetSkillMgr() @ 168
IsAlive() @ 200
IsDowned() @ 212
IsInWater() @ 240
CoreStats::
EarnedLevel() @ 28
EffectiveLevel() @ 36
Experience() @ 40
Karma() @ 48
GetProfession() @ 60 (an int from 1-8)
Re: knowledge from beta weekend
If I understand you correctly, to translate to "my language" for lack of a better word we are looking at this.
the "-->" obviously means it is a pointer.
If so that is awesome work =)
I set this as an updater, won't be able to test it until servers are up again though.
Not sure on the startloc yet, will play with it when servers are up.
Code: Select all
0x172fd70 --> someaddress + 0x4 --> someaddress + 0x268 --> corestatbase
corestatbase + 0x28 = actual level
corestatbase + 0x36 = effective level
corestatbase + 0x40 = experience
corestatbase + 0x48 = Karma
corestatbase + 0x60 = profession (int 1-8)
Code: Select all
base = {
pattern = string.char(
0xA1, 0xFF, 0xFF, 0xFF, 0xFF, 0x64, 0x8B, 0x0D, 0x2C, 0x00,
0x00, 0x00, 0x8B, 0x14, 0x81, 0x8B, 0x82, 0xFF, 0x00, 0x00, 0x00, 0xC3),
mask = "x????xxxxxxxxxxxx?xxxx",
offset = 1,
startloc = 0x400000,
},
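The masked pattern scan that overture2112's GetContextSafe post describes and that the Lua updater above encodes, carried through end to end as an added example; this is not code from either post or from MicroMacro. The 22 opcode bytes are the ones in the udcli dump, and the pattern and mask are the same ones as in the Lua block. Everything else is constructed: the module base (0x400000, matching the Lua startloc), a made-up TEB, TLS array and base object, and a decoy function that shares the prologue but ends in a store (the "setter" the post mentions), included to show that the last fixed bytes of the pattern are what reject it. The scan insists on exactly one hit, which is the uniqueness check the post does by hand, then decodes the two operands the wildcards cover and walks TEB -> TLS slot -> baseObj -> [baseObj+52].

```python
"""Masked byte-pattern scan for GetContextSafe, operand extraction, TLS walk."""
import struct

# Pattern/mask as in the Lua updater: 'x' = byte must match, '?' = wildcard.
PATTERN = bytes.fromhex("A1 FF FF FF FF 64 8B 0D 2C 00 00 00 8B 14 81 8B 82 FF 00 00 00 C3")
MASK = "x????xxxxxxxxxxxx?xxxx"

TEXT_BASE = 0x400000  # assumed image base (constructed)
# Bytes from the udcli dump: mov eax,[0x172fd70]; mov ecx,fs:[2C]; mov edx,[ecx+eax*4]; mov eax,[edx+4]; ret
GET_CONTEXT_SAFE = bytes.fromhex("A1 70 FD 72 01 64 8B 0D 2C 00 00 00 8B 14 81 8B 82 04 00 00 00 C3")
# Constructed look-alike of the setter: same prologue, ends in 'mov [edx+4],eax' (89 42 04). Must NOT match.
DECOY_SETTER = bytes.fromhex("A1 70 FD 72 01 64 8B 0D 2C 00 00 00 8B 14 81 89 42 04 C3")


class Memory:
    """Toy sparse 32-bit address space built from mapped bytearrays (constructed)."""
    def __init__(self):
        self.regions = {}

    def map(self, base, data):
        self.regions[base] = bytearray(data)

    def _locate(self, addr, size):
        for base, buf in self.regions.items():
            if base <= addr and addr + size <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped access at {addr:#x}")

    def read_u32(self, addr):
        buf, off = self._locate(addr, 4)
        return struct.unpack_from("<I", buf, off)[0]

    def write_u32(self, addr, value):
        buf, off = self._locate(addr, 4)
        struct.pack_into("<I", buf, off, value)


def find_pattern(image, pattern, mask):
    """Every offset in image where all 'x' bytes of pattern match."""
    assert len(pattern) == len(mask)
    fixed = [(i, pattern[i]) for i, m in enumerate(mask) if m == "x"]
    return [off for off in range(len(image) - len(pattern) + 1)
            if all(image[off + i] == b for i, b in fixed)]


def decode_get_context_safe(image, off):
    """Operands under the wildcards: imm32 after A1 is the address of the TlsIndex
    global, disp32 after 8B 82 is the offset of baseObj inside the TLS slot."""
    tls_index_addr = struct.unpack_from("<I", image, off + 1)[0]
    base_offset = struct.unpack_from("<I", image, off + 17)[0]
    return tls_index_addr, base_offset


def resolve_base_obj(mem, teb, tls_index, offset):
    """baseObj = [[[TEB+0x2C] + 4*TlsIndex] + offset]; fs:[2Ch] on 32-bit Windows
    is TEB.ThreadLocalStoragePointer, which is what 'mov ecx, fs:[2C]' reads."""
    tls_array = mem.read_u32(teb + 0x2C)
    slot = mem.read_u32(tls_array + 4 * tls_index)
    return mem.read_u32(slot + offset)


def locate_and_resolve(mem, teb):
    """Scan .text, require a unique hit, decode it, walk TLS, read [baseObj+52]."""
    text = bytes(mem.regions[TEXT_BASE])
    hits = find_pattern(text, PATTERN, MASK)
    if len(hits) != 1:
        raise RuntimeError(f"pattern not unique: {len(hits)} hits")
    tls_index_addr, offset = decode_get_context_safe(text, hits[0])
    tls_index = mem.read_u32(tls_index_addr)
    base_obj = resolve_base_obj(mem, teb, tls_index, offset)
    return {"get_context_safe": TEXT_BASE + hits[0], "tls_index_addr": tls_index_addr,
            "tls_index": tls_index, "offset": offset, "base_obj": base_obj,
            "char_client_ctx": mem.read_u32(base_obj + 52)}


def build_sample_process():
    """Constructed process: decoy + real function in .text, TlsIndex = 0, offset 4
    (the 2Aug2012 layout), and an invented TEB / TLS array / base object."""
    mem = Memory()
    mem.map(TEXT_BASE, b"\x90" * 16 + DECOY_SETTER + b"\xCC" * 8 + GET_CONTEXT_SAFE + b"\x90" * 16)
    mem.map(0x172FD00, bytes(0x100))        # data page holding the TlsIndex global
    mem.write_u32(0x172FD70, 0)             # TlsIndex = 0
    teb, tls_array, slot, base_obj = 0x7FFDE000, 0x00C00000, 0x00D00000, 0x00E00000
    for region in (teb, tls_array, slot, base_obj):
        mem.map(region, bytes(0x100))
    mem.write_u32(teb + 0x2C, tls_array)    # TEB.ThreadLocalStoragePointer
    mem.write_u32(tls_array + 4 * 0, slot)  # slot for TlsIndex 0
    mem.write_u32(slot + 4, base_obj)       # +offset -> baseObj
    mem.write_u32(base_obj + 52, 0x00F00000)  # CharClient context pointer
    return mem, teb


if __name__ == "__main__":
    mem, teb = build_sample_process()
    print({k: hex(v) for k, v in locate_and_resolve(mem, teb).items()})
```

In a real client the scan runs over the mapped .text of Gw2.exe and the TEB comes from the main thread, but the shape is the same: the updater's `offset = 1` in the Lua block is the same "imm32 after A1" read as in `decode_get_context_safe`, and the second wildcard is why the disp32 is decoded from the match rather than hard-coded to 4.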
Re: knowledge from beta weekend
Seems there was a stress test today, I should check the announcements more often lol
current address for previous post.
0x166FF30
the pattern is still holding true.
Re: knowledge from beta weekend
Quote:
We will be conducting a stress test tomorrow Tuesday, August 21 from 12:00 Noon PACIFIC Time to 4:00 PM PACIFIC Time
Stress test in 9 hours, I'll try to get out of bed for it, see if I can find any interesting addresses.
Current patch address is 0x1677EF0, pattern still holding true.
- Administrator
- Site Admin
- Posts: 5312
- Joined: Sat Jan 05, 2008 4:21 pm
Re: knowledge from beta weekend
I got a quick chance to check the game's packets. Looks like they are encrypted and do use some dynamic variable to prevent you from sending copies of packets. Unfortunately, this means it would be a lot of work to figure out which packets do what. However, it may still be possible to hook the sending and receiving of packets before they are encrypted and passed on to Winsock.
Re: knowledge from beta weekend
Managed to kick myself out of bed to do some stuff in GW2, stress test still on atm
0x16BEDAC target address, killable.
0x16BEE04 target address, all
coords of the spot the mouse is pointing to, yay AOE skills
0x16BEE38 X
0x16BEE3C Z
0x16BEE40 Y
0x16bdf7c loot window, 0 or 1
"F" interaction
0x16BEDE0 = address of object to interact with or 0
--=== player ===--
HP
0x15ef558
0x150,0x3C,0x10
max HP
0x15ef558
0x150,0x3C,0x14
Even though I have the addresses for objects around me, I'm still looking for HP and such for those mobs.
Found an address for "element, F1 F2 F3 F4" not static and didn't seem to be any other skill info nearby. Not high priority atm, might look at it again in a few weeks.
Re: knowledge from beta weekend
I keep coming back to this topic hoping that it will suddenly all fall into place.
I am still struggling to get a table of objects/mobs/npc.
What I know
There are ALWAYS 2 places for object HP and ALWAYS 2 places for object max HP. I assume the first of each is to do with the health bar you can see on screen, as those 2 addresses are ALWAYS 4 bytes apart, e.g. 1047658, 104765C.
The second set of hp/maxhp are very random in their address location but usually within say 0x10000 of each other.
In my investigations I have come across several occurrences of the same object X,Z,Y, and face direction.
Today I found character actual level and adjusted level, always 2 of each for any character, seems like the data is repeated after itself, I can't get a link between that info and the target Address though.
Still plugging away at it, hopefully I get a table of objects soon.