Offset notes

Issue #7 new
hairys created an issue

Let's throw notes about offsets here, that way everyone can contribute.

Comments (75)

  1. hairys reporter

    I'll start: these are notes I had at the bottom of gw2lib.h. They're assert strings that I plan to investigate further.

    // "CParser::Validate(sourceBuffer.Ptr(), sourceBuffer.Term(), true ) == sourceBuffer.Term()"
    // "squadContext"
    // "kennel->GetOwner() == CharClientContext()->GetControlledCharacter()"
    // "ConstWvwTeamIsPlayerTeam(wvwTeamId)" ebp-0x8 = pGadget, ebp+0x8 = team id
    
    // "mc->recvMsgPacked->defArray[0].defSize" = network packets
    // "rawDataBuffer"
    // "mc->mode == MSGCONN_MODE_ENCRYPTED"
    
    // "radiusCollision > 0" = (char)agent constructor
    // "m_characterArray.Count() <= agentId || !m_characterArray[agentId]" = add char to array
    // "!m_profession" = char constructor
    // "..\..\..\Game\Ui\Widgets\AgentStatus\AsName.cpp" = get agent name?
    // "TextValidateCoded(undecoratedCodedName)" = char name?
    // "guildTagLogoFrame" = char name?
    
    // agent vt+0x38 = get undecoratedName ?
    // char vt+0x14 = get char def?
    
    // "buffStatusKey->totalCount" - buff bar stuff
    // "!m_buffs.Find(buffId)"
    // "skillDef->GetBuff()"
    
    // "bytes < MAX_ALLOC" - memory allocator (__fastcall)
    // "Heap, bytes=%u"
    
    // collision (aka transform struct)
    // "..\..\..\Engine\Map\Collide\CoCharSimpleCli.cpp" - (AgChar)Transform constructor?
    
  2. David Yolle

    I wonder what undecoratedCodedName could be. Maybe WvW? How you get changed to 'server name Bronze Invader' or whatever.

  3. hairys reporter

    Has something to do with names in general, like npc names, gadget names, etc. They come from the dat file (modelDefs). They're coded in some special format (encrypted maybe?). Names that are dynamic, like player/pet names, come directly from the server and are stored in their respective structs.

  4. David Yolle

    ViewAdvanceWvw = 0x1c - where all the others are just +1, this one seems to be +0x1c from the results of the pattern scanner. Haven't been able to extract anything yet from there.

  5. David Yolle

    WvwCliContext has stuff related to objectives, things like hold events (capturing objectives).

    ViewAdvanceWorldMapModel is at the same offsets as the other stuff in the scanner, and 0xe8 and 0xb8 are some kind of arrays. I think they are arrays of map markers, gonna look more into it later.

  6. David Yolle

    There seems to be some compass thing at compass + vt0x44.

    The position of your character in the world is at 0x24 (x), 0x28 (y), and 0x2c (z); there are some other coords below these that are just x,y.

    The relative x,y position of your mouse within the mini map is at 0x74 and 0x78.

    Some other x,y that move when you drag the map are at 0xac and 0xb0.

    Compass focus is at 0x60; basically this goes from 0.0 to 1.0 as you hold your mouse over the mini map.

    There's a bunch of arrays at the original offset of 0x44, no idea what they do. Leading a lot to AgKeyframed and AgChar.

  7. Ryan

    Just speculation about the arrays at the original offset of 0x44 - perhaps they are used for drawing the markers on the mini-map for player/agent locations?

  8. David Yolle

    sigh, ViewAdvanceWorldMapModel (WmmContext) has arrays at

    0xa8 - 1532

    0xbc - 721

    0x10c - 407

    0x148 - 189

    All of these arrays change in size when you enter WvW or, for example, Heart of the Mists. These arrays contain all map markers on the world map. The second array (0xbc) adds and removes items in real time as objectives in WvW get swords and orange swords appear, yaks spawning/dying, etc. Each map marker within these arrays has a member (dunno the offset yet) that has the x/y/z coordinates of where it is at in game.

    there are things as well like m_marker and markerDef - each marker has a type:

    model->GetModelType() == WORLD_MAP_MODEL_TYPE_CAMERA

    model->GetModelType() == WORLD_MAP_MODEL_TYPE_MARKER

    model->GetModelType() == WORLD_MAP_MODEL_TYPE_TRACKED_PLAYER

    model->GetModelType() == WORLD_MAP_MODEL_TYPE_RES_SHRINE

    model->GetModelType() == WORLD_MAP_MODEL_TYPE_RESOURCE_NODE

    model->GetModelType() == WORLD_MAP_MODEL_TYPE_WVW_OBJECTIVE

    model->GetModelType() == WORLD_MAP_MODEL_TYPE_AGENT

    model->GetModelType() == WORLD_MAP_MODEL_TYPE_PING

    Though I haven't found where this is at within the marker object yet. MODEL_TYPE_PING is when you hold control and click on the map to get the red icon thing. TRACKED_PLAYER is a squad, guild, or party member. The standard MARKER is a generic map marker or anything that can't be categorized into the other groups, i.e. waypoints, vistas, WvW keep icons and so on.

  9. hairys reporter

    32-bit struct sizes:

    (Keyframed)Agent struct size = 128 (0x80) bytes

    (Char)Agent struct size = 264 (0x108) bytes
    Char struct size = 928 (0x3a0) bytes

    (AgChar)Collide struct size = 272 (0x110) bytes

  10. hairys reporter

    I'm sure there's a lot more. Try injecting on the launcher screen, before the game even starts.

  11. David Yolle

    added more from char select/create

    32-bit inventory stuff

    inventory items = 0x6c;

    item

    |__stacksize = 0x64;

    |__itemLocation = 0x24; (inventory,bank,etc. see that gw2ca page for enums)

    |__ itemSlot = 0x10; (where the item is in your inventory. not sure what it's relative to)

    |__ m_itemDef = 0x2c;

    |____ isLootable = 0x40;

    |____ isBindOnUse = 0x44;

    |____ itemType = 0x24;

    Trying to get currency but no luck so far. I found a struct that has type and then amount for each currency type but can't find where it's at from inventory.

  12. hairys reporter

    I managed to find currencies off player struct. It's 2 VT calls. One to get the currencies list, the other to get the actual number (eg. coppers) given a currency type (pass it 0x1 for coppers, 0x2 for karma, etc).

  13. hairys reporter

    If you're curious:

    player struct VT call 0xc4 for the list, then VT call 0x0 off it. Pass a single parameter (int, like 0x1, the currency type).

  14. David Yolle

    nvm, I figured it out. I guess going to the character pointer and doing +0x114 doesn't actually get me the right player struct.

  15. hairys reporter

    More buff bar notes (32-bit), it's a bit unorganized:

    (Dictionary struct)
    buff bar + 0x8 = buffs array capacity
    buff bar + 0xC = buffs array count
    buff bar + 0x10 = buffs array
    each buff array entry = 0xC bytes

    entry struct:
    buffId
    buff ptr
    hash

    buff struct:
    effect type = 0x4
    effect def = 0x8
    buff id = 0xC
    ptr back to buff bar = 0x10
    src agent = 0x14

    effect type matches this list http://gw2ca.recodesystems.com/namespace_g_w2.html#a14b9fe26d0bd8b3269b74cb779e53526
    One thing I can't seem to find is stack count or the time remaining for a buff, although it gets removed from the array if it's not active. Also, there seem to be extra buffs that I can't identify. Like, my own buffs array currently has 61 permanent entries o.o
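
A reader for the 32-bit buff-bar dictionary layout above, as an added example (not gw2lib code): it walks a constructed memory image and cross-checks each entry against the buff struct it points to, so stale offsets show up as inconsistent entries rather than garbage. Addresses are offsets into the image; the buff ids, effect types and hashes are made up.

```c
/* Reader for the 32-bit buff-bar dictionary layout posted above. Example
 * code, not gw2lib: image, ids, effect types and hashes are constructed. */
#include <stdint.h>
#include <string.h>

/* Offsets from the thread (32-bit client); an entry is buffId, buff ptr, hash. */
enum { BAR_CAPACITY = 0x08, BAR_COUNT = 0x0C, BAR_ARRAY = 0x10, ENTRY_SIZE = 0x0C,
       BUFF_EFFECT = 0x04, BUFF_ID = 0x0C, BUFF_OWNER = 0x10 };

#define IMAGE_SIZE 0x4000u
static uint8_t image[IMAGE_SIZE];  /* fake 32-bit address space; addresses are offsets into it */

static uint32_t rd32(uint32_t addr) {  /* out-of-image reads yield 0 instead of faulting */
    uint32_t v = 0;
    if (addr <= IMAGE_SIZE - 4) memcpy(&v, image + addr, 4);  /* little-endian host assumed */
    return v;
}
static void wr32(uint32_t addr, uint32_t v) { memcpy(image + addr, &v, 4); }

/* Fill the image with a buff bar at 0x1000 holding three constructed buffs. */
void build_sample(void) {
    const uint32_t bar = 0x1000, arr = 0x2000;
    const uint32_t ids[3] = {101, 102, 103}, types[3] = {3, 3, 2};  /* constructed */
    memset(image, 0, sizeof image);
    wr32(bar + BAR_CAPACITY, 8);
    wr32(bar + BAR_COUNT, 3);
    wr32(bar + BAR_ARRAY, arr);
    for (uint32_t i = 0; i < 3; i++) {
        uint32_t entry = arr + i * ENTRY_SIZE, buff = 0x3000 + i * 0x20;
        wr32(entry + 0, ids[i]);
        wr32(entry + 4, buff);
        wr32(entry + 8, 0xDEAD0000u + ids[i]);  /* hash slot, constructed value */
        wr32(buff + BUFF_EFFECT, types[i]);
        wr32(buff + BUFF_ID, ids[i]);
        wr32(buff + BUFF_OWNER, bar);
    }
}

/* Walk the dictionary. Returns -1 if the header is implausible, otherwise the number
 * of entries whose buff struct agrees with the entry (same id, owner points back to
 * the bar); *matching counts those with the given effect type. Disagreeing entries
 * are the usual sign that one of the offsets went stale after a patch. */
int count_consistent_buffs(uint32_t bar, uint32_t effect_type, int *matching) {
    uint32_t cap = rd32(bar + BAR_CAPACITY), n = rd32(bar + BAR_COUNT);
    uint32_t arr = rd32(bar + BAR_ARRAY);
    int ok = 0; *matching = 0;
    if (arr == 0 || cap > 4096 || n > cap) return -1;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t entry = arr + i * ENTRY_SIZE;
        uint32_t id = rd32(entry), buff = rd32(entry + 4);
        if (buff == 0 || rd32(buff + BUFF_ID) != id || rd32(buff + BUFF_OWNER) != bar) continue;
        ok++;
        if (rd32(buff + BUFF_EFFECT) == effect_type) (*matching)++;
    }
    return ok;
}
```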

  16. hairys reporter

    Boon/condi count array = buff bar +0x4C
    each entry = 0x10 bytes

    entry struct:
    unknown (id?)
    stack count
    unknown (always zero)
    hash

  17. David Yolle

    What exactly is the difference between the boon and condi bar and the buff bar you posted earlier? Would the buff bar include things like signet effects and attunements?

    And what is that 4c offset from, character?

  18. David Yolle

    What I don't get about the buff array is why so many of the entries change when I apply a boon to myself - you'd think only one would get added or modified..

  19. hairys reporter

    I'm pretty sure it's more of an "effects" array. It just so happens to have the boon/condi effects we're looking for (based on this list). Effects can range widely, like casting effects (portal, temporal curtain), etc.
    Also, the array can have duplicate effects, based on stacking.

  20. David Yolle

    siege weapon offset from gadget pointer + 0x1a0

    Map

    ID  Name
    18025   Oil 1
    18031   Trebuchet
    18034   Cannon
    18043   Ballista
    18047   AC
    28471   Oil 2
    435323146   Super Cata
    532862282   Super treb
    557809930   Super AC
    997687566   Mortar
    
  21. David Yolle

    hey @hairys do you think you could check out Compass and follow the pointer at 0x44?

    compass.png

    I think this could be useful - but I figured I would let you handle the implementation since you have things set up how you want them?

  22. David Yolle

    GetCompass().m_ptr->pComp

    This is what I came up with... seems to work, but I'm hesitant about the first 2 hl::ForeignClass bits

    hl::ForeignClass compPos = comp.get<void*>(0x44);

    if (compPos) {
        hl::ForeignClass cpd = compPos.get<void*>(0x0);

        if (cpd) {
            float scrollX = cpd.get<float>(0xac);
            float scrollY = cpd.get<float>(0xb0);

            float lockedX = cpd.get<float>(0xb4);
            float lockedY = cpd.get<float>(0xb8);

            pCompData->scrollX = scrollX;
            pCompData->scrollY = scrollY;

            pCompData->lockedX = lockedX;
            pCompData->lockedY = lockedY;
        }
    }
    

    compscroll.png

    And as you can see.. the CScroll values are the center coordinates of where I've dragged the map to, and CLocked is pretty much where my character marker is on the map.

  23. hairys reporter

    ohhh, you also follow the pointer at 0x0
    I was looking at the data at 0x44 thinking "nothing's moving...", heh
    I'll take a look at it here after I install vs2015.

  24. David Yolle

    @hairys

    wvwAbilityMgr: player + 0x174
    
    wvwRank (int): wvwAbilityMgr + 0x28
    

    WvW rank is also at 0x20 but is only for the controlled character. The one at 0x28 works for all players. I really get on the 64-bit client lol

  25. hairys reporter

    It's still there, it just got moved to a sub-class. It's the call dword ptr [eax+04] above it.

  26. nodooooka

    Added some code for GW2 (China) to display the correct player name:

        #include <windows.h>
        #include <string>
        #include <vector>

        // Convert the UTF-16 name read from the client into the local ANSI code page
        // (CP_ACP) so CJK names display correctly. Returns "" if the conversion fails.
        static std::string WideToLocal(const wchar_t *wide) {
            if (!wide) return "";
            // With cchWideChar == -1 the returned size includes the terminating null.
            int num = WideCharToMultiByte(CP_ACP, 0, wide, -1, NULL, 0, NULL, NULL);
            if (num <= 0) return "";
            std::vector<char> buf(num, '\0');
            WideCharToMultiByte(CP_ACP, 0, wide, -1, buf.data(), num, NULL, NULL);
            return std::string(buf.data());
        }

        // The name fields hold wide strings, so read them as wchar_t* instead of casting.
        pCharData->name = WideToLocal(character.get<wchar_t*>(m_pubmems.charName));

        pPlayerData->name = WideToLocal(player.get<wchar_t*>(m_pubmems.playerName));
    

    QQ截图20161107153744.png

  27. hairys reporter

    I haven't looked for any 64-bit offset patterns, yet. I'm working my way through all the 32-bit patterns first. I had to change some code in main.cpp to accommodate the patterns and I didn't update the 64-bit version, yet. I'll eventually get to them, unless someone else wants to tackle it :)
    Take a look at what changed in main.cpp (look at the last few commits) to get an idea of what to look for in the 64-bit version.

    EDIT: I should also point out that the hard-coded offsets will still function. Any patterns you put in OffsetScan will overwrite them, so you can just look for updated offsets and put them in offsets.h if you don't want to look for patterns.

  28. Former user Account Deleted

    huh? The sample project changes the camera zoom. I was under the impression that changing things like that resulted in being flagged?

    Anywho, I tested the sample project and made the ESP display just stats and coins, but they all return 0 on anyone but myself. Are these variables client side now? I don't think it's the offsets, because if that were the case, it wouldn't be showing me my stats.

    Also, what is the best point to load the library into GW2? Upon launch? At the character screen?

    I know these are all dumb questions but I'm relatively new to reversing (and brand new to breaking Guild Wars) and I'm learning through this project so deal with it

  29. hairys reporter

    The sampleapp is meant to show many parts of the library. If any patterns/offsets are broken, it will be obvious here so we can fix them.

    The server doesn't supply stats or coin values for any other player except yourself. That's why they're all 0. Any pets you control will show stats, tho.
    You'll want to inject the dll on the char select screen or anytime after that. Don't do it on the launcher.

  30. David Yolle

    I only use a few things from this and I only use 32-bit, but afaik only these changed -

    charSkillbar = 0x2c0

    charCoreStats = 0x1b0

    charEndurance = 0x1d4

    charHealth = 0x200

    charInventory = 0x204

    charVtControlled = 0x18c

    charVtPlayer = 0x220

  31. David Yolle

    4/20

    charVtGetPlayer = 0x140

    charVtDowned = 0x1d8

    charVtPlayer = 0x224

    charCoreStats = 0x1d8

    charEndurance = 0x1fc

    charHealth = 0x228

    charInventory = 0x22c

  32. David Yolle

    haven't been playing lately, here's the new offsets

    charName = 0x10c

    charCoreStats = 0x1b8

    charHealth = 0x208

    charEndurance = 0x1d8

    charInventory = 0x20c

  33. David Yolle

    A couple of the logger hooks broke - I don't use them so I just commented them out. logger, logger2, and the allocator hooks seem to be fucked.

    ismonsterclone has been removed and isn't in the game anymore.

    Some offsets have changed:

    inventory -> 0x208, endurance -> 0x1f8, charHealth -> 0x204, charSkillbar -> 0x2c4, charProfession -> 0x2bc, charvtinwater -> 0x1a8, charvtdowned -> 0x1dc

  34. Ryan

    WindowProc is a callback function that receives any messages to a particular window -- typical messages include user mouse or keyboard input, and things like minimization, loss of focus, or resizing.

    Commenting it out means that any interactive ui overlay that uses a WndProc hook to enable user input will likely stop working.

  35. Josom

    Patch today is causing [RefreshDataPlayer] access violation spam in output log. Player names not always appearing. Class floaters are now only showing base game classes regardless of spec.

  36. David Yolle

    Here's what changed for the patch:

    uintptr_t specMgrSpecsArr = 0x2c;
    uintptr_t specMgrTraitsArr = 0x3c;
    uintptr_t playerVtGetTrainMgr = 0x170; 
    uintptr_t playerVtGetAchMgr = 0x9c; 
    uintptr_t playerVtGetSpecMgr = 0x158;
    
  37. Josom

    Have these changed recently? Tried the updates provided by David (thanks), but the nearby players list is now empty & class floaters just show base game symbols, no specializations.

  38. Josom

    A bump for any fix for class floaters only showing base classes. Any updates would be greatly appreciated.

  39. Croissant

    This week's update only seems to have broken the offset for skillDefInfo as far as I can tell. This is the new value I could find for x64 "33 F6 44 89 ?? 24 48 41 8D ?? 01 3C FF 75". I'm not certain if it is correct. I've looked in memory and the buff count was very close to the address from that offset.

  40. Former user Account Deleted

    Has anyone found the offsets for equipment upgrades like runes and infusions? I've been bashing my head over it all weekend and can't figure it out.

  41. Joe Hagens

    August 27 Patch caused the following issue:
    [GW2LIB::DataScan] Could not find pattern: "agent->GetCategory() == AGENT_CATEGORY_CHAR"

  42. Joe Hagens

    1st Oct patch. Inject failure due to :
    ERROR: [GW2LIB::DataScan] Verifying pattern failed (offset: 0x0000000140A64832, value: 0x7B830674, pattern: "targetAgent && targetAgent->GetAgentId()")

    Thanks

  43. hairys reporter

    It seems anet changed quite a lot this time. I’m honestly shocked people still use this library haha

  44. Former user Account Deleted

    idk what I'm doing but I managed to find a few things, maybe someone will find them useful (but probably not, lol)

    (equip->pItemDef )+ 0x74 - item level

    (equip->pItemDef) + 0x88 - item sell value

    (equip + 0xA0) - pointer to item stats definition for armor pieces only

    (equip + 0xA8) - pointer to item stats definition for weapons only, probably same structure

    ( (equip + 0xA0 or 0xA8) + 0x28) - item stat id (example: 161 for berserker’s)

    ( (equip + 0xA0 or 0xA8) + 0x2c) - item stat hash id

    That's all I got. I pieced this together with ReClass64, but idk where it is in the code. I'm not advanced enough to find it and subsequently make a signature, but perhaps someone might find this useful still lol

    I've typed this same post up 3 times, this better submit this time....

  45. Joe Hagens

    Been getting an error since the May 26 patch. Does anyone have a fix?

    [GW2LIB::DataScan] Verifying pattern failed (offset: 0x00007FF72EE10965, value: 0x5050FF41, pattern: "m_ownerCharacter->GetPlayer() == CharClientContext()->GetControlledPlayer()")

    Thanks

  46. Joe Hagens

    28 July patch caused the player list to no longer work and there was no error log output identifying what the issue was.

    Thanks

  47. Joe Hagens

    World space class symbol floaters and player list seem to not be working with this patch.

    Thanks

  48. Joe Hagens

    Does anyone have the fix for m.charVtGetAgent and m.charVtGetAgentId in DataScan?

    Thanks as always

  49. Adam Schauer

    Are you sure that the hook on MsgSend is placed properly?

    When calculating the resulting address that’s being hooked it seems to be wrong (unless it’s an inline hook which I doubt)

  50. hairys reporter

    It’s correct. The count starts from E34A02, where the string pattern was found (mid-opcode). It will place the hook at E34A44.

  51. Adam Schauer

    So it's a mid-function hook after all; I guess you're using VEH breakpoints to get the current context for registers etc. Thank you for the answer and for supporting this little project, it gave me plenty of useful info to get started with an ESP.
