[Development] CharObject Struct Of Client (Source)

[-=DarkSim=-]

Hello all)

Today i release emulation of ObjectStruct for client (it like OBJECTSTRUCT of GS, but for main.exe), with it very simply "decompile" some main moments and create hard customs.

Spoiler:

Code:

#pragma pack(push, 1)
struct ObjectItem	//-> Complete (size: 107)
{
/*+0*/		short	ItemID;
/*+2*/		int		Level;
/*+6*/		char	Unknown6;
/*+7*/		char	Unknown7;
/*+8*/		char	Unknown8;
/*+9*/		short	DamageMin;
/*+11*/		short	DamageMax;
/*+13*/		char	Unknown13;
/*+14*/		short	Unknown14;
/*+16*/		short	Unknown16;
/*+18*/		char	Unknown18;
/*+19*/		char	Unknown19;
/*+20*/		short	Unknown20;
/*+22*/		char	Durability;
/*+23*/		char	ExcellentOption;
/*+24*/		char	AncientOption;
/*+25*/		short	ReqStrenght;
/*+27*/		short	ReqDextirity;
/*+29*/		short	ReqEnergy;
/*+31*/		short	ReqVitality;
/*+33*/		short	ReqCommand;
/*+35*/		short	ReqLevel;
/*+37*/		char    SpecialCount;
/*+38*/		WORD	SpecialType[8];
/*+54*/		BYTE	SpecialValue[8];
/*+62*/		int		UniqueID;
/*+66*/		char	Unknown66;
/*+67*/		char 	PosX;
/*+68*/		char 	PosY;
/*+69*/		WORD 	HarmonyType;
/*+71*/		short	HarmonyValue;
/*+73*/		char 	Is380Item;
/*+74*/		char	SocketOption[5];
/*+79*/		char	Unknown79;
/*+80*/		char	SocketSeedIndex[5];
/*+85*/		char	SocketSphereLevel[5];
/*+90*/		char	SocketSet;
BYTE gap01[5];
/*+96*/		char	DurabilityState;
/*+97*/		char 	PeriodItem;
/*+98*/		char 	ExpiredItem;
/*+99*/		int		ExpireDateConvert;
/*+103*/	int		Unknown103;
};
#pragma pack(pop)
// ----------------------------------------------------------------------------------------------

#pragma pack(push, 1)
struct UnknownStruct0
{
	/*+0*/	WORD	Unknown0;//?
	/*+2*/	WORD	Unknown2;//?
	/*+4*/	WORD	Unknown4;//?
	/*+6*/	WORD	Unknown6;
	/*+8*/	WORD	Unknown8;
	/*+10*/	WORD	Unknown10;
	/*+12*/	WORD	Unknown12;//?
	/*+14*/	WORD	Unknown14;
	/*+16*/	WORD	Unknown16;
};
#pragma pack(pop)
// ----------------------------------------------------------------------------------------------

#pragma pack(push, 1)
struct ObjectCharacter	//-> ~InDev (size: 6012) [8128AC4 | 8128AC8]
{
/*+0*/		char	Name[11];
/*+11*/		BYTE	Class;
/*+12*/		BYTE	Unknown12;
/*+13*/		BYTE	Unknown13;
/*+14*/		short	Level;
/*+16*/		DWORD	Experience;
/*+20*/		DWORD	NextExperience;
/*+24*/		short	Strength;
/*+26*/		short	Dexterity;
/*+28*/		short	Vitality;
/*+30*/		short	Energy;
/*+32*/		short	Leadership;
/*+34*/		WORD	Life;
/*+36*/		WORD	Mana;
/*+38*/		WORD	MaxLife;
/*+40*/		WORD	MaxMana;
/*+42*/		WORD	Shield;
/*+44*/		WORD	MaxShield;
/*+46*/		WORD	AttackRate;
/*+48*/		WORD	DefenseRate;
/*+50*/		short	AddStrength;
/*+52*/		short	AddDexterity;
/*+54*/		short	AddVitality;
/*+56*/		short	AddEnergy;
BYTE gap01[4];
/*+62*/		WORD	AddLeadership;	//GS use unsigned value...
/*+64*/		WORD	Stamina;
/*+66*/		WORD	MaxStamina;
/*+68*/		BYTE	ItemSpecialUseFlag;		//Bit decomposit (1, 2, 8)
BYTE UnknownGap;
/*+70*/		WORD	ItemSpecialUseTime[3];	//[ ]
/*+76*/		WORD	AddPoint;	//FruitStat start
/*+78*/		WORD	MaxAddPoint;
/*+80*/		WORD	MinusPoint;
/*+82*/		WORD	MaxMinusPoint;	//FruitStat end
/*+84*/		WORD	AttackSpeed;
/*+86*/		WORD	DamageRate;
/*+88*/		WORD	DamageMin;
/*+90*/		WORD	DamageMax;
/*+92*/		WORD	Unknown92;
/*+94*/		WORD	Unknown94;
/*+96*/		WORD	Unknown96;
BYTE gap02[10];
/*+108*/	WORD	Unknown108;
/*+110*/	WORD	Unknown110;
BYTE gap03[4];
/*+116*/	WORD	LevelPoint;
/*+118*/	BYTE	MagicCount;
/*+119*/	BYTE	Unknown119;
/*+120*/	WORD	pMagicList[650];	//maybe 150?
/*1420*/
BYTE gap04[3252];
/*+4672*/	ObjectItem pEquipment[12];
/*+5956*/	DWORD	MoneyInventory;	//(C4)
/*+5960*/	DWORD	MoneyWarehouse;	//(C4)
BYTE gap05[8];
/*+5972*/	UnknownStruct0 Unknown5972;
BYTE gap06[2];
/*+5992*/	WORD	Unknown5992;
/*+5994*/	WORD	Unknown5994;
BYTE gap07[2];
/*+5998*/	WORD	Unknown5998;
/*+6000*/	WORD	Unknown6000;
/*+6002*/	WORD	Unknown6002;
/*+6004*/	WORD	Unknown6004;
/*+6006*/	WORD	Unknown6006;
/*+6008*/	BYTE	Unknown6008;
/*+6009*/	BYTE	Unknown6009;
/*+6010*/	BYTE	Unknown6010;
/*+6011*/	BYTE	Unknown6011;
};
#pragma pack(pop)
// ----------------------------------------------------------------------------------------------

And again some moments with "Unknown" names and gaps, but it work)

Geting structure adress from OllyDbg

Spoiler:

- (Inter commands)

- (Go to result)

-

- (Down list)

8128AC4 -> Structure adress

How call to structure from DLL

Spoiler:

Code:

ObjectCharacter * pPlayer = &*(ObjectCharacter*)*(DWORD*)0x8128AC4;

How add structure to IDA (HexRoys)

Spoiler:

1. Shift + F1
2. Press Insert
3. Paste all code from thread head
4. Go to any function with structure adress

5. Set to he type ObjectCharacter*


6. View in result


Examples:
(everfall.com :: paste,
everfall.com :: paste)

P.S.:
- Same need set it type to +4 from main structure (0x8128AC8)
- Same u can add type to ItemObject vars:

Credits: Me (DarkSim)

Version: Season 6 Episode 3 GMO (maybe 1.04d+)
On other versions need make research and check all struct positions.

Bad english and etc

Good luck to all with it)

[MentaL]

[boncha]

great job !!!
DarkSim keep suprizing :D

[zasmqniq]

wowow thanks you darksim!

[laudaicat]

Here is completely MUItemInfo struct.

PHP Code:

#pragma pack(push, 1)
struct MUItemInfo
{
  __int16 m_wItemType;
  int m_level;
  char gap_6[2];
  char field_8;
  __int16 m_DamageMin;
  __int16 m_DamageMax;
  char field_D;
  __int16 field_E;
  __int16 field_10;
  char gap_12[1];
  char field_13;
  __int16 field_14;
  char m_nDur;
  char m_exl;
  char m_hion;
  __int16 m_reqStr;
  __int16 m_reqAgi;
  __int16 m_reqEne;
  __int16 m_reqVit;
  __int16 m_reqLead;
  __int16 m_reqLevel;
  char m_SpeciaCount;
  WORD m_SpecialType[8];
  BYTE m_SpecialValue[8];
  int m_nUniqueID;
  char m_nCurrentActiveSlotInfex;
  char m_nPosX;
  char m_nPosY;
  WORD m_JOHType;
  __int16 m_JOHValue;
  char m_isItem380Opt;
  char m_SocketOption[5];
  char field_4F;
  char m_SocketSeedIndex[5];
  char m_SocketSphereLevel[5];
  char m_SocketBound;
  DWORD field_5B;
  char gap_5F[1];
  char m_DurabilityState;
  char m_PeriodItem;
  char m_ExpiredItem;
  int m_ExpireDateConvert;
  int m_nMaybeRefCount;
};
#pragma pack(pop) 


[-=DarkSim=-]

laudaicat
- u understand where signed and where unsigned value in manual search of movs in this value?

[laudaicat]

laudaicat
- u understand where signed and where unsigned value in manual search of movs in this value?

I Don't really care about it, it automatic fill. I care 1 bye, 2 bye, 4 byte or custom struct.

[-=DarkSim=-]

laudaicat
- automatic?...

[boncha]

laudaicat
- automatic?...

darksim : one of the popoler main is 1.03K JPN (mabe "the popluer" main ever).
can you make full Object Struct for this main ?

thanks

[-=DarkSim=-]

boncha
- Maybe, if have time.

[boncha]

boncha
- Maybe, if have time.

if you can add makecharset decompile source that fit to 1.03K JPN .
thanks mate :D

[podreca]

Good job.
I wonder if you could post the struct of the MuHelper (or MuBot). I would like to add new features to it.

[-=DarkSim=-]

podreca
- 1.04.04 GMO:

Code:

#pragma pack(push, 1)
typedef struct
{
BYTE gap01[172];
/*+172*/	DWORD	HuntingRange;
/*+176*/	bool	RecoveryPotionOn;
/*+177*/	BYTE	RecoveryPotionPercent;
/*+178*/	bool	RecoveryHealOn;			//-> CLASS_ELF
/*+179*/	BYTE	RecoveryHealPercent;	//-> CLASS_ELF
/*+180*/	bool	RecoveryDrainOn;		//-> CLASS_SUMMONER
/*+181*/	BYTE	RecoveryDrainPercent;	//-> CLASS_SUMMONER
/*+182*/	bool	DistanceLongOn;
/*+183*/	bool	DistanceReturnOn;
/*+184*/	DWORD	DistanceMin;
/*+188*/	DWORD	SkillBasicID;
/*+192*/	DWORD	SkillSecond1ID;
/*+196*/	BOOL	SkillSecond1DelayOn;
/*+200*/	DWORD	SkillSecond1DelayTime;
/*+204*/	BOOL	SkillSecond1CounterOn;
/*+208*/	int		SkillSecond1CounterPre;
/*+212*/	int		SkillSecond1CounterSub;
/*+216*/	DWORD	SkillSecond2ID;
/*+220*/	BOOL	SkillSecond2DelayOn;
/*+224*/	DWORD	SkillSecond2DelayTime;
/*+228*/	BOOL	SkillSecond2CounterOn;
/*+232*/	int		SkillSecond2CounterPre;
/*+236*/	int		SkillSecond2CounterSub;
/*+240*/	bool	ComboOn;				//-> CLASS_KNIGHT
/*+241*/	bool	PartyModeOn;
/*+242*/	bool	PartyModeHealOn;		//-> CLASS_ELF
/*+243*/	BYTE	PartyModeHealPercent;	//-> CLASS_ELF
/*+244*/	BOOL	PartyModeBuffOn;
/*+248*/	DWORD	PartyModeBuffInterval;
/*+252*/	BOOL	DarkSpiritOn;			//-> CLASS_DARKLORD
/*+256*/	DWORD	DarkSpiritMode;			//-> CLASS_DARKLORD
/*+260*/	BOOL	BuffOn;
/*+264*/	DWORD	BuffSkill[3];
/*+276*/	DWORD	BuffExtra[3];
/*+288*/	DWORD	ObtainRange;
/*+292*/	bool	ObtainRepairOn;
/*+293*/	bool	ObtainPickNear;
/*+294*/	bool	ObtainPickSelected;
/*+295*/	bool	ObtainPickJewels;
/*+296*/	bool	ObtainPickAncient;
/*+297*/	bool	ObtainPickMoney;
/*+298*/	bool	ObtainPickExcellent;
/*+299*/	bool	ObtainPickExtra;
/*+300*/	BYTE	ObtainPickItemList[28][12];
/*+636*/	BYTE	Unknown636;
/*+637*/	BYTE	Unknown637;
/*+638*/	BYTE	Unknown638;
} MUHelper, * lpMUHelper;
#pragma pack(pop)

Class address:

Code:

#define pMUHelperClass			*(int*)0xE8CB7C

Example of use:

Code:

lpMUHelper MUHelper = &*(lpMUHelper)pMUHelperClass;
// ----
MUHelper->ObtainRange			= 1;
MUHelper->ObtainRepairOn			= false;
MUHelper->ObtainPickNear			= false;
MUHelper->ObtainPickSelected		= false;

P.S.: a little late maybe...

[mauka]

vot tebe ne lenj xD

Eng: Thank you :D

[mirraseq]

Here is my IDA database of 1.03.25 JPN season 5 main with partially decoded ObjectStruct. There are some interesting values like object scale, rotation, current animation, skill effect counters, etc. Hoever this db is not perfect, it's little messy.

Zippyshare.com - _main.zip
https://www.virustotal.com/pl/file/a...is/1383557429/

[-=DarkSim=-]

mirraseq
- recheck db

---
UP, fixed)
Thanks, OBJ_STRUCT have wrong form, in true model information have own struct, like:

Code:

#pragma pack(push, 1)
struct ObjectModel_424
{
	float Unknown0;
	float Unknown4;
	float Unknown8;
	float Unknown12;
	float Unknown16;
	float Unknown20;
	float Unknown24;
	float Unknown28;
	float Unknown32;
	float Unknown36;
	float Unknown40;
	float Unknown44;
};
#pragma pack(pop)

#pragma pack(push, 1)
struct ObjectModel	//648?
{
BYTE gap00[4];
/*+4*/		BYTE	Unknown4;
BYTE gap01[4];
/*+9*/		BYTE	Unknown9;
BYTE gap02[5];
/*+15*/		BYTE	Unknown15;
BYTE gap03[2];
/*+18*/		WORD	AnimationID;
/*+20*/		WORD	Unknown20;
/*+22*/		BYTE	Unknown22;
/*+23*/		BYTE	Unknown23;
/*+24*/		BYTE	ObjectType;
BYTE gap04[13];
/*+38*/		WORD	Unknown38;
BYTE gap05[8];
/*+48*/		DWORD	Unknown48;
BYTE gap06[44];
/*+96*/		float	Scale;
BYTE gap07[16];
/*+116*/	float	Unknown116;
BYTE gap08[20];
/*+140*/	float	Unknown140;
/*+144*/	float	Unknown144;
BYTE gap09[56];
/*+204*/	VAngle	Unknown204;
/*+216*/	VAngle	Unknown216;
BYTE gap10[24];
/*+252*/	float	VecPosX;
/*+256*/	float	VecPosY;
/*+260*/	float	VecPosZ;
/*+264*/	float	Unknown264;
/*+268*/	float	Unknown268;
/*+272*/	float	Unknown272;
BYTE gap11[148];
/*+424*/	ObjectModel_424 Unknown424;
BYTE gap12[176];
/*+484*/
};
#pragma pack(pop)

in objectstruct of 1.04.04 GMO main:
/*+776*/ ObjectModel m_Model;

its auto-maked structs in ur db?