And simply modify the "damage modifier" to 0.0f by pushing FLDZ on the stack
instead of what would normally be a "multiplier" for the fall damage..
Code:
Original:
005F5CC3 D945 FC FLD DWORD PTR SS:[EBP-4]
To:
005F5CC3 D9EE 90 FLDZ
....
BYTE patch[2] {0xee,0x90};
This has the net effect of doing 0*damage on fall - try it!
Strangely enough you can actually apply this principle to a lot of the games client side checks for damage, because they all use a simple modifier to check the damage done.
Or for the more advanced reverser, lets look at how we can Resurrect on our own corpse when we die with FULL health, mana, stamina (incoming nerf after I post this)
The game itself uses some components to handle your "character actions" which, to cut a long story short can be mapped using C/C++ hook.
The object is shown below which i've 'conveniently' reversed for you
If you wan't to understand how the code below works I suggest you learn some assembly language and how object code can be mapped to a 'higher level' language such as C/C++.
It all stems from the engine handler @ 0x005C8850 as you will see from my code at the bottom which I slowly studied to build up the virtual table for one of it's "interfaces"
The final result call (see below of how this constructed to make the final call from your hook):
Code:
//The overall engine which powers many of AOC components
_N3Engine* pN3 = GetN3Engine();
//This will respawn you on top of your corpse
//because we have not provided an Graveyard Id location
//the game is forced to resurrect you at your corpse!
//virtual void RespawnMe(DWORD GyInstanceId);
pN3->GetCharAgent(0,0)->RespawnMe(0);
Code:
class _N3Engine
{
public:
_N3CharAgent* GetCharAgent(int,int);
//Cheap way of quickly doing the lookup - use inheritance if you are anal about it :)
_N3CharIHandler* GetCharIHandler()
{
_N3CharIHandler* p = (_N3CharIHandler*)((DWORD)((pLookup->lookup2+4)+(DWORD)(this)));
return p;
}
_N3EngineLookup* pLookup;
virtual void vf00();
......
};
Code:
//The engine uses a lookup table for various actions to perform
//We will look up the "Interface" for all the client actions...
class _N3EngineLookup
{
public:
DWORD unk;
DWORD lookup1;
DWORD lookup2; //Interface"CharAgent"
};
Code:
//Generate the correct virtual table offset distances
//If you are lazy you could simply write a macro to do this
//See very bottom of an example of a virtual call emulation macro
class _N3CharAgent
{
public:
virtual void vf00();
virtual void vf04();
virtual void vf08();
virtual void vf0c();
virtual void vf10();
virtual void vf14();
virtual void vf18();
virtual void vf1c();
virtual void vf20();
virtual void vf24();
virtual void vf28();
virtual void vf2c();
virtual void vf30();
virtual void vf34();
virtual void vf38();
virtual void vf3c();
virtual void vf40();
virtual void vf44();
virtual void vf48();
virtual void vf4c();
virtual void vf50();
virtual void vf54();
virtual void vf58();
virtual void vf5c();
virtual void vf60();
virtual void vf64();
virtual void vf68();
virtual void vf6c();
virtual void vf70();
virtual void vf74();
virtual void RespawnMe(DWORD);
...
};
Code:
//Macro to emulate the games function call
#ifndef FUNCTION_AT_ADDRESS
#define FUNCTION_AT_ADDRESS(function,offset) __declspec(naked) function
{
__asm{mov eax,offset};
__asm{jmp eax};
}
#endif
Code:
//As of aoc 13/09/08
FUNCTION_AT_ADDRESS(_N3Engine* __cdecl GetN3Engine(void), 0x005C8850);
Code:
//A less intuitive approach to looking up your virtual table
#ifndef FUNCTION_AT_VIRTUAL_ADDRESS
#define FUNCTION_AT_VIRTUAL_ADDRESS(function,virtualoffset) __declspec(naked) function
{
__asm{mov eax, [ecx]};
__asm{lea eax, [eax+virtualoffset]};
__asm{mov eax, [eax]};
__asm{jmp eax};
}
#endif
If you were using my ISXAOC extension, you could ignore all this and simply do:
Hack:SuperRez heh [Only registered and activated users can see links. ]
This should make sense to some seasoned coders with some knowledge of asm...
Next Guide, how to locate all the entities in the game ...
More guides to come.. enjoy!
-----
[Only registered and activated users can see links. ] (isxaoc bot) [Only registered and activated users can see links. ]
Site n00b.. (A leecher if I've been here for more than a month and can't earn 5 rep)
Rep Power: 1
Reputation: 1
Posts: 42
Join Date: Jul 2008
09-13-2008
Nice work. Looking forward to seeing the next guide of yours. More interested in making my own programs than using other peoples. So far all I've managed is a radar for players/ncps around me and basic stuff like that.
Currently I'm looking at where exactly that ranger flag is for showing players on the ingame map and how to perform actions ingame like pressing buttons, sending chat etc without using sendkey() something.
(+rep btw )
Site n00b.. (A leecher if I've been here for more than a month and can't earn 5 rep)
Rep Power: 1
Reputation: 1
Posts: 42
Join Date: Jul 2008
09-13-2008
Quote:
Originally Posted by Pickled
Very good, of course - he dosen't actually provide any source.
My goal is to give some insight as to "how".
The learning part is what I'm after. I'm not interested in the actually doing of stuff... Just how it's done. I'm playing AoC a lot atm so I might as well code some stuff to go with it.
Site n00b.. (A leecher if I've been here for more than a month and can't earn 5 rep)
Rep Power: 1
Reputation: 1
Posts: 42
Join Date: Jul 2008
10-03-2008
Are you going to post any more tutorials about anything Pickled? Like finding the entities of the game. I am fine building the game objects up once I have the mem locations but it's getting them in the first place I struggle. Can find the last pointer but not the ones that point to it so any help is appreciated
Let's consider the "logic" of the last offset I posted you can find the entire entity list from that alone
TargetByGUID(...)
Assuming you know assembly which is the first hurdle before even bothering to "find" stuff, you can trace inside this function to find out how to get the list of entities.
--Stop here if you are not clued up on assembly. AOC is HIGHLY Object orientated you will NOT find basic structures in here from simply looking at data.
You need to follow code logic to visualise the objects, some good books to read: Reversing: Secrets of Reversing, Hacker Dissasembling (Kaspersky) and many others... --
Why?
If we are targetting by GUID, then how does the target function "find the entity by GUID"? Think about it, it's not all magic that happens in there, it's simplistic logic.
Well... it will take the GUID and presumably uses a function to iterate through all the entities to find a "matching GUID", yes?
What happens if we study the games logic to look up all entities?
Yes thats right, we can map out the code/data to do the same thing!
Tracing is the secret, having "offsets" is no use if you want to "learn".
[start Dynel::TargetByGUID]
[..Do things.. verifiy we already have this target? (remember that Dynel::TargetByGUID is an object method relative to Player]
[cmp eax, this->TargetGUID.Id]
[no target? then continue else end]
[Dynel = GetDynelGUID(fromTargetGUID params)] ?? Getting hotter?
[SetTheLovelyTargettingRingGFX, SetYourUITargetDetails based on this Dynel]
[end]
For your information Funcom specifically relate to Dynels as "Dynamic Elements".
I highly recommend understanding "calling conventions" so can identify objects in asm (although this is very complex for AOC as it uses optimizations which obscure the standards.. )
Some hacks brought to you by ISXAOC
Some hacks brought to you by ISXAOC -
09-13-2008
.gif "(6)")
3x for this... Rezzing yourself = awesome 
