ME3 Logging Utility

Re: ME3 Logging Utility

Post by WarrantyVoider » 22 Oct 2014, 19:18

here in action^^

greetz WV
always backup your files!
mess with the best or die like the rest!
"I tried everything!" - "mkay, please list that..." ; please dont pm me for help, we have a help section

Re: ME3 Logging Utility

Post by FemShep » 23 Oct 2014, 17:08

Almost all the cheatmanager functions are defined in BIOMP_COMMON.pcc. Those commands seem to be able to be directly executed from the console if you're looking for functions that do that.

I wonder if we can use this (function monitor) to learn how to spawn enemies. That'd be useful.
ME3Tweaks has modding guides, tools, forums for mods, a modding wiki, and ModMaker, an online mod creation tool.
ME3 Mod Manager, the civilized way of installing and managing ME3 mods.
ME3Tweaks Facebook Page

Re: ME3 Logging Utility

Post by WarrantyVoider » 26 Oct 2014, 12:45

well I think I found the CallFunction

in PseudoCode: http://pastebin.com/mQrHQbkW
in Assembler: http://pastebin.com/5tnZuwTz
in Hex: http://pastebin.com/J9Cs3RUN

greetz WV

Re: ME3 Logging Utility

Post by Erik JS » 28 Oct 2014, 00:17

Erik JS wrote: I also set up one of those "find what access this address" through Cheat Engine, and I located the instruction which reads ClientMessage's pointer, but I didn't save anything to show here.


This is what I mentioned earlier, now I have a screen to show what it is.

Image

I think I saw something like eax+168 somewhere else... http://www.unknowncheats.me/forum/750042-post10.html
wwwc aka WarrantyVoider wrote:
.text:0081844C loc_81844C:                             ; CODE XREF: sub_8182E0+C5j
.text:0081844C mov edx, [ebx]
.text:0081844E push 0
.text:00818450 push 0
.text:00818452 push eax
.text:00818453 mov eax, [edx+118h] <---Offset Process Events, Idx= 70!
.text:00818459 mov ecx, ebx
.text:0081845B call eax


So if 70 is 118h divided by 4 (size of an int32 pointer)... then we have: 168h / 4 = 90.
Maybe we can do something with this "90"?
ME3 Private Server Emulator: @ ME3Tweaks | @ SourceForge | @ GitHub | @ Dropbox

Re: ME3 Logging Utility

Post by WarrantyVoider » 28 Oct 2014, 12:04

your math isn't wrong (maybe), but the callfunction is found, we only need to find out how to detour it (having right parameters/return values) you can go through the vmt and look which entry redirects to the callfunction address (faster finding) but we can find it by pattern anyway, so no need for this yet. btw 90 would be the # of your vmt entry, but vmt is only 0x70 entries long

greetz WV

Re: ME3 Logging Utility

Post by FemShep » 28 Oct 2014, 16:27

Sometimes I wonder if you guys are space wizards when you post things like this ;)

Re: ME3 Logging Utility

Post by WarrantyVoider » 28 Oct 2014, 16:51

because of this easy stuff? I don't think so... :P

greetz WV

Re: ME3 Logging Utility

Post by Erik JS » 22 May 2015, 03:03

YES! :D :D :D

Finally, I found a way to track down and expose whatever the hell is passed to ClientMessage!

Spoiler:
Image


So it just occurred to me that, in order to call a function which uses parameters, the parameters themselves need to be resolved first. This whole thing I did here sort of hooks the parameter of ClientMessage rather than the function itself...

ClientMessage (S, Type, MsgLifeTime)

Using the 'dump all' command from ME3OTH, I had a list of locations like this (example):
...
7744 : 0x0FA63520 Function Engine.PlayerController.ClientMessage
7745 : 0x0FA63480 FloatProperty PlayerController.ClientMessage.MsgLifeTime
7746 : 0x0FA633E0 NameProperty PlayerController.ClientMessage.Type
7747 : 0x0FA63340 StrProperty PlayerController.ClientMessage.S
...



I set up a "what access this address" through Cheat Engine at the location in the list shown for ClientMessage function (in this example: 0x0FA63520). With that, I found the address 0x43C94A, which contains "mov eax,[ecx]" - where ecx is the location of CM function. I set up a breakpoint there, with a condition (ecx == 0x0FA63520), and then, after using a console command which uses CM... fly - gives the message "You feel much lighter", I looked for that in the memory while the game was frozen.

What I found out is that the string parameter is "built" as unicode, but I was unable to work out its location based on the values of the registers when the game accesses CM's location. The next thing I did pretty much solved everything: do what I did before, but this time using the location of S (in this example: 0x0FA63340). I found 0x452B01 -> mov eax,[esi], where esi is the location of S. Setting up a proper breakpoint and analyzing the registers, I was able to work out the location of the string by using the value of esp. Long story short, when esi is S, esp points to a location where [esp] is a pointer to a unicode string, and [esp+4] is the size of the string, including its null char terminator.

Everything after that was coding something capable of intercepting when the game code is supposed to handle the S parameter from ClientMessage...

main.cpp
Spoiler:
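#include "Header.h"

// Start of the 8 bytes overwritten by the hook (mov eax,[esi] / mov edx,[eax+1A0h])
// and the address of the first instruction after them. Valid for the original exe.
#define LOC_START 0x452B01
#define LOC_EXIT 0x452B09

void * pointer;     // esi at the hook: the property being accessed
int stringHeader;   // esp at the hook: address of the {str, size} pair
int var1;           // location of ClientMessage.S returned by GetLocation

// What esp points to when esi is S.
struct MsgStruct
{
    wchar_t * str;  // [esp]   pointer to the unicode string
    int size;       // [esp+4] size of the string, including its null terminator
} *message;

// Reads the location of StrProperty PlayerController.ClientMessage.S
// (entry 7747 in the 'dump all' list).
bool GetLocation(int * p)
{
    int intLoc = *(int*)0x01AB5634;
    intLoc = *(int*)(intLoc + 7747 * 4);
    //printf("intLoc: %p\n", (void*)intLoc);
    *p = intLoc;
    return true;
}

// Hook body. Naked, so the compiler adds no prologue/epilogue and the
// registers are seen exactly as the game left them.
__declspec(naked) void ExposeMessageFunc()
{
    __asm
    {
        mov pointer,esi
        mov stringHeader,esp
        pushad                      // save all registers before running C code
    }

    // Only print when the property being accessed is ClientMessage.S.
    if(GetLocation(&var1) && pointer == (void*)var1)
    {
        //printf("pointer: %p ; var1: %p\n", pointer, (void*)var1);
        message = (MsgStruct*)stringHeader;
        printf("%d> %ls\n", message->size, message->str);
    }

    __asm
    {
        popad
        // Replay the two overwritten instructions, then return to the game code.
        mov eax,[esi]
        mov edx,[eax+0x000001A0]
        // eax is reused for the jump target, so it no longer holds [esi] at LOC_EXIT.
        mov eax, LOC_EXIT
        jmp eax
    }
}

void PatchGameMemory()
{
    DWORD hold = 0;

    // Make the 8 bytes writable, write "jmp rel32" plus three nops, restore protection.
    VirtualProtect((void*)LOC_START, 8, PAGE_EXECUTE_READWRITE, &hold);
    *(BYTE*)(LOC_START) = 0xE9;
    *(DWORD*)(LOC_START+1) = (unsigned long)&ExposeMessageFunc - (LOC_START + 5);
    *(BYTE*)(LOC_START+5) = 0x90;
    *(BYTE*)(LOC_START+6) = 0x90;
    *(BYTE*)(LOC_START+7) = 0x90;
    // VirtualProtect fails when its last argument is NULL, so pass a valid pointer.
    VirtualProtect((void*)LOC_START, 8, hold, &hold);

    AllocConsole();
    AttachConsole(GetCurrentProcessId());
    freopen( "CON", "w", stdout ) ;
    printf("ME3 ClientMessage Exposer by Erik JS\n------------------------------------\n");
}

BOOL WINAPI DllMain(HINSTANCE instance, DWORD reason, LPVOID lpReserved){
    if(reason == DLL_PROCESS_ATTACH){
        PatchGameMemory();
        return TRUE;
    }
    else
        return FALSE;
}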


Header.h
Spoiler:
#pragma once
#ifdef _MSC_VER
#define _CRT_SECURE_NO_WARNINGS
#define _CRT_NON_CONFORMING_SWPRINTFS
#endif

#define WIN32_LEAN_AND_MEAN

#include <SDKDDKVer.h>
#include <windows.h>
#include <stdio.h>


Some observations:
1) Values for LOC_START and LOC_EXIT are valid for original exe, I didn't try these with a cracked exe, just came here as soon as possible so I wouldn't forget anything before telling you guys...
2) GetLocation... see this: http://www.mediafire.com/view/0p9n3nwp7l699q3/getlocation.png - so you know what I did there. I used Cheat Engine's pointer scanner in order to determine some reliable chain of pointers which points to the location of S (unlike LOC_START/LOC_EXIT, this was tested with crack).
3) 'ShowLocation' shown in the first image is a valid console command. It makes the current player location visible all the time in the middle of the screen. It can be turned off with 'HideLocation'. By the way, does anybody have any idea of how I found the getlocation command in the first place?

Binary download: http://www.mediafire.com/download/4vdh3d8m7vk79rm/ME3ClientMessageExposer.rar - use with DLL injector (recommended: Winject and RemoteDll32)

EDIT1: link updated with new binary and source. The size is not shown anymore (it's not even needed, since printf renders the string until it hits a null char, on its own). Also, some funny stuff BioWare left in the code:
Spoiler:
Image

Only works for the host.

EDIT2: another update. Last base pointer+offset combo stopped working on the first MP screen... new improved GetLocation with new base pointer (and new offset array):
Spoiler:
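// Follows a pointer chain from a base pointer to the location of S.
bool GetLocation(int * p)
{
    int intLoc = *(int*)0x01968624;         // base pointer
    int offset[] = {0x470, 0x790, 0};
    int sizeOffset = (sizeof(offset)/sizeof(int));

    for(int i = 0; i < sizeOffset; i++)
    {
        // The last offset is only added; every other step is dereferenced.
        if( i == sizeOffset-1 )
            intLoc = intLoc + offset[i];
        else
            intLoc = *(int*)(intLoc + offset[i]);

        // Give up if the chain leads below 0x400000.
        if(intLoc < 0x400000){
            return false;
        }
    }

    *p = intLoc;
    //printf("intLoc: %p\n", (void*)intLoc);
    return true;
}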


EDIT3: the final version of GetLocation - editing the code in the spoiler now, there's no need for a base pointer and offset array...
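Added example, not part of the thread or of the posted source: the 8-byte patch that PatchGameMemory writes (E9 rel32 followed by three 0x90 bytes) as seen from an integrity check, which decodes the jump and flags a destination outside the executable image. The function and struct names are hypothetical, and the image range 0x400000-0x1C00000 and hook address 0x10001000 are constructed values, not taken from the game.

```cpp
#include <cstdint>
#include <cstddef>

// Result of inspecting the bytes found at a code address.
struct HookInfo {
    bool     is_jmp_rel32;    // first byte is E9
    uint32_t target;          // absolute destination of the jump
    int      nop_padding;     // 0x90 bytes directly after the 5-byte jump
    bool     leaves_image;    // destination outside [image_base, image_end)
};

// Decode `len` bytes read from 32-bit address `addr`. A rel32 jump is relative
// to the end of the 5-byte instruction, so target = addr + 5 + rel32, the
// inverse of the "hook - (LOC_START + 5)" computed by PatchGameMemory.
HookInfo inspect_patch(const uint8_t *bytes, size_t len, uint32_t addr,
                       uint32_t image_base, uint32_t image_end)
{
    HookInfo info = { false, 0, 0, false };
    if (len < 5 || bytes[0] != 0xE9)
        return info;                      // too short, or not a near jump
    uint32_t rel = (uint32_t)bytes[1]       | (uint32_t)bytes[2] << 8 |
                   (uint32_t)bytes[3] << 16 | (uint32_t)bytes[4] << 24;
    info.is_jmp_rel32 = true;
    info.target = addr + 5u + rel;        // unsigned wrap-around is intended
    for (size_t i = 5; i < len && bytes[i] == 0x90; ++i)
        ++info.nop_padding;
    info.leaves_image = info.target < image_base || info.target >= image_end;
    return info;
}

// Constructed sample data, not captured from the game.
// Original bytes implied by the thread: mov eax,[esi] ; mov edx,[eax+1A0h]
static const uint8_t kOriginal[8] = { 0x8B, 0x06, 0x8B, 0x90, 0xA0, 0x01, 0x00, 0x00 };
// Same location after a patch that jumps to an assumed hook at 0x10001000.
static const uint8_t kPatched[8]  = { 0xE9, 0xFA, 0xE4, 0xBA, 0x0F, 0x90, 0x90, 0x90 };

// Image bounds below are assumed for the sample.
HookInfo check_original() { return inspect_patch(kOriginal, 8, 0x452B01, 0x400000, 0x1C00000); }
HookInfo check_patched()  { return inspect_patch(kPatched,  8, 0x452B01, 0x400000, 0x1C00000); }
```

Comparing the in-memory bytes against the same offset in the file on disk is what turns a decoded jump into a confirmed modification.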

Re: ME3 Logging Utility

Post by WarrantyVoider » 22 May 2015, 14:28

hey, you do know that stuff like location of player is already accessible by me3oth (on the hook), there you have an entire unreal sdk at disposal. also I suggest to use msdetours for 32bit stuff, it's easier to use IMO. anyway, good work as always^^

greetz WV

Re: ME3 Logging Utility

Post by Erik JS » 22 May 2015, 16:48

Yeah, I know... I was trying to use only the necessary here. Now:
Spoiler:
bool GetLocation(int * p)
{
    int intLoc = *(int*)0x01AB5634;
    intLoc = *(int*)(intLoc + 7747 * 4);
    //printf("intLoc: %p\n", (void*)intLoc);
    *p = intLoc;
    return true;
}

I took another look at oth and now I found out why it wasn't working... update already online, same link.

EDIT: so I just did this:
Spoiler:
Image
Yay for colored console! :D

While not demonstrated above, it's possible to change the text before it appears on the screen (not sure if others would see it, but I don't think so).
Well, I think this confirms that any string parameter from any UScript function can be tracked down in some way.