Here's the deal. I'm a Lotus Domino developer (VBS, Java, and JavaScript). I've been meaning to pick up C++ and add it to my skill set. I play a lot of the games supported by XU, so I figure plugin development would be a good place to learn C++ as well as apply it in a real-world scenario.
As a learning experience, my first goal is to build a simple plugin for Lineage 2. Specifically, I want to log all calls to a function inside a DLL from the game, as well as log the parameters and return value. I would like to know if I'm barking up the wrong tree, though.
Knowns:
1) The in-game hotkey for NextTarget eventually fires off UNetHandler::GetNextEnemy() from Network.dll.
2) virtual struct User * __thiscall UNetHandler::GetNextEnemy(float,int) is the exported function.
3) struct User & __thiscall User::operator=(struct User const &) is the struct from Engine.dll.
Disassembly of the struct:
DEBUG :: public: struct User & __thiscall User::operator=(struct User const &)
=========
??4User@@QAEAAU0@ABU0@@Z
=========
:10301172 E9B9770400 jmp 10348930
:10301177 E974DB1F00 jmp 104FECF0
---------
:10348930 56 push esi
:10348931 8B742408 mov esi, dword[esp+08]
:10348935 57 push edi
:10348936 8BC1 mov eax, ecx
:10348938 B97C000000 mov ecx, 0000007C
:1034893D 8BF8 mov edi, eax
:1034893F F3A5 rep movsd
:10348941 5F pop edi
:10348942 5E pop esi
:10348943 C20400 ret 0004
:10348946 90 90 90 90 90 90 90 90 90 90 CC CC CC CC CC CC ................
:10348956 CC CC CC CC CC CC CC CC CC CC ..........
---------
:104FECF0 56 push esi
:104FECF1 8B742408 mov esi, dword[esp+08]
:104FECF5 57 push edi
:104FECF6 8B7C2410 mov edi, dword[esp+10]
:104FECFA 6A04 push 004
:104FECFC 57 push edi
:104FECFD 8BCE mov ecx, esi
:104FECFF FF15A8F51614 call dword[1416F5A8 ->03E718D6 ?ByteOrderSerialize@FArchive@@QAEAAV1@PAXH@Z]
:104FED05 6A04 push 004
:104FED07 83C704 add edi, 004
:104FED0A 57 push edi
:104FED0B 8BCE mov ecx, esi
:104FED0D FF15A8F51614 call dword[1416F5A8 ->03E718D6 ?ByteOrderSerialize@FArchive@@QAEAAV1@PAXH@Z]
:104FED13 5F pop edi
:104FED14 8BC6 mov eax, esi
:104FED16 5E pop esi
:104FED17 C3 ret
:104FED18 90 90 90 90 90 90 90 90 CC CC CC CC CC CC CC CC ................
:104FED28 CC CC CC CC CC CC CC CC ........
So let's look at:
:10348938 B97C000000 mov ecx, 0000007C //Move 7C into ECX (124 in decimal)
:1034893D 8BF8 mov edi, eax
:1034893F F3A5 rep movsd //4-byte copy to EDI for 124 DWORDs = 992 bytes?
So is the User struct 992 bytes? Or am I wayyyy off?
OK, so back to GetNextEnemy. Can I hook that DLL (CreateProcessThread) and use code injection to dump the return value and the int/float args to a log?
The end goal of this is to find the array of users to determine the closest enemy instead of the next one, and return that instead. Of course, I'm assuming that the User object for you and all the mobs contains X/Y/Z coords.
If I'm going the wrong way, please redirect me in the correct direction.
Thanks,
-Dreadnok
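The struct-size question turns on the operand size of `rep movsd`: each iteration moves one DWORD (4 bytes) and ECX holds the iteration count, so the routine at 10348930 copies 0x7C DWORDs. As an added example that is not code from the post, the copy routine is written out below as the C++ it decompiles to; the User layout is hypothetical and only its total size is taken from the dump.

```cpp
// Added example, not code from the post: the copy at 10348930 as C++.
// The dump reads, under __thiscall (this in ECX, one stack arg, ret 4):
//   mov esi, [esp+8]   ; source User* (the operator= argument)
//   mov eax, ecx       ; eax = this, which is also the return value
//   mov ecx, 0x7C      ; number of DWORDs for the string copy
//   mov edi, eax       ; destination = this
//   rep movsd          ; copy ECX DWORDs (4 bytes each) from [esi] to [edi]
//   ret 4              ; callee pops the single 4-byte stack argument
#include <cstddef>
#include <cstdint>
#include <cstring>

constexpr uint32_t kRepMovsdCount = 0x7C;  // ECX immediately before rep movsd
constexpr size_t kDwordBytes = 4;          // movsd moves one DWORD per iteration

// Bytes moved by "rep movsd" with ECX = ecx: one DWORD per iteration.
constexpr size_t rep_movsd_bytes(uint32_t ecx) { return ecx * kDwordBytes; }

// Hypothetical User layout: field names are placeholders; only sizeof is
// known from the dump, so the whole body is modelled as raw DWORDs.
struct User {
    uint32_t dwords[kRepMovsdCount];
};
static_assert(sizeof(User) == rep_movsd_bytes(kRepMovsdCount),
              "struct size must equal the rep movsd count times 4");

// Source-level equivalent of the dumped routine: a flat memberwise copy
// that returns *this (eax still holds the original ecx on return).
User& user_assign(User& self, const User& other) {
    std::memcpy(&self, &other, sizeof(User));  // what rep movsd performs
    return self;
}

// Size of User implied by the dump, in bytes.
size_t user_struct_size() { return rep_movsd_bytes(kRepMovsdCount); }

// Sanity check of the model: a constructed User is copied end to end, so
// the first and last DWORDs must both arrive and the reference returned
// must be the destination object itself.
bool assign_copies_whole_struct() {
    User src{}, dst{};
    src.dwords[0] = 0x11111111u;                    // constructed marker
    src.dwords[kRepMovsdCount - 1] = 0x22222222u;   // constructed sentinel
    User& ret = user_assign(dst, src);
    return &ret == &dst && dst.dwords[0] == 0x11111111u &&
           dst.dwords[kRepMovsdCount - 1] == 0x22222222u;
}
```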