Source Code ArmA 3 reversals

[c5]

Just started working on ArmA 3, this is what I have so far.. Still lacking object types and player id's.

class CLIENTPTR;
class World;
class EntityPool;
class Entity;
struct WorldSpace;
struct EntityClass;

class ArmaString;

class CLIENTPTR
{
public:

	World* worldPtr; //0x0000 
	
};//Size=0x0004

class World
{
public:
	char unk[2416];				// 0x000
	float fMyHeading1; 			// 0x970
	char unk0[12];				// 0x974
	float fMyHeading1Neg;		// 0x980
	char unk1[4];				// 0x984
	float fMyHeading2;			// 0x988
	float fLocalX;				// 0x98C
	float fLocalZ;				// 0x990
	float fLocalY;				// 0x994
	char unk2[460];				// 0x998
	EntityPool* firstEntities;	// 0xB64	very close to you
	int nFirstPoolSize;			// 0xB68
	int nFirstPoolMaxSize;		// 0xB6C
	char unk3[156];				// 0xB70
	EntityPool* secondEntities;	// 0xC0C	close to you
	int nSecondPoolSize;		// 0xC10
	int nSecondPoolMaxSize;		// 0xC14
	char unk4[156];				// 0xC18
	EntityPool* thirdEntities;	// 0xCB4	average distance
	int nThirdPoolSize;			// 0xCB8
	int nThirdPoolMaxSize;		// 0xCBC
	char unk5[156];				// 0xCC0 
	EntityPool* forthEntities;	// 0xD5C 	further away from you
	int nForthPoolSize;			// 0xD60
	int nForthPoolMaxSize;		// 0xD64
	
	char padding[3016];			// 0xC18 padding is off, useless anyhow
	BYTE bScopedIn; 			// 0x17E0 
	
};//Size=0x17E1

class EntityPool
{
public:
	Entity* entities[256];		// 256 is just a wild random, iterate according to pool size, and prolly better of to increase the size
};

class Entity
{
public:
	char unk0[0x130];			// 0x000
	EntityClass entityClass;	// 0x130
	char unk1[44];				// 0x134			
	WorldSpace* worldSpace;		// 0x160
};

struct WorldSpace
{
	char unk0[4];
	float fHeading1
	char unk1[4];
	float fHeading2;
	char unk2[4];
	float fHeading21;
	char unk3[4];
	float fHeading22;
	char unk4[8];
	float fXcoord;
	float fZcoord;
	float fYcoord;
};

struct EntityClass {
	char unk0[0x2C];
	ArmaString* className;		// 0x2C
	char unk1[4];				// 0x30
	ArmaString* classSkinPath;	// 0x34;
};


class ArmaString 
{
public:
	char unk0[4];
	int len;
	char string[128];
};

CLIENTPTR is 0x1652C10

 

[c5]

Object type is in the same EntityClass structure I posted above at 0xCC, it's an arma string aswell.

And a few patterns:

== arma 3 == CLIENT PTR (PATTERN)

0041900A   8939             MOV DWORD PTR DS:[ECX],EDI
0041900C   6A 00            PUSH 0x0
0041900E   8BC8             MOV ECX,EAX
00419010   E8 8B4F3A00      CALL arma3.007BDFA0
00419015   8BF0             MOV ESI,EAX
00419017   EB 02            JMP SHORT arma3.0041901B
00419019   33F6             XOR ESI,ESI
0041901B   8B16             MOV EDX,DWORD PTR DS:[ESI]
0041901D   8D43 18          LEA EAX,DWORD PTR DS:[EBX+0x18]
00419020   50               PUSH EAX
00419021   8B82 80000000    MOV EAX,DWORD PTR DS:[EDX+0x80]
00419027   8BCE             MOV ECX,ESI
00419029   FFD0             CALL EAX
0041902B   8B0D 102C6501    MOV ECX,DWORD PTR DS:[0x1652C10]   // client ptr
00419031   56               PUSH ESI
00419032   81C1 000E0000    ADD ECX,0xE00
00419038   E8 739F5C00      CALL arma3.009E2FB0
0041903D   8B7424 34        MOV ESI,DWORD PTR SS:[ESP+0x34]
00419041   8BCF             MOV ECX,EDI
00419043   83CA FF          OR EDX,0xFFFFFFFF
00419046   F0:0FC111        LOCK XADD DWORD PTR DS:[ECX],EDX         ; LOCK prefix

=== arma 3 === TRANSFORMATION PTR (PATTERN)

00419125   F3:0F1080 C40100>MOVSS XMM0,DWORD PTR DS:[EAX+0x1C4]
0041912D   51               PUSH ECX
0041912E   8B4D 08          MOV ECX,DWORD PTR SS:[EBP+0x8]
00419131   F3:0F110424      MOVSS DWORD PTR SS:[ESP],XMM0
00419136   57               PUSH EDI
00419137   51               PUSH ECX
00419138   56               PUSH ESI
00419139   E8 823A0000      CALL arma3.0041CBC0
0041913E   8B15 84956C01    MOV EDX,DWORD PTR DS:[0x16C9584]	// transformation
00419144   8B82 DC000000    MOV EAX,DWORD PTR DS:[EDX+0xDC]        // offset
0041914A   F3:0F1050 2C     MOVSS XMM2,DWORD PTR DS:[EAX+0x2C]
0041914F   F3:0F1040 28     MOVSS XMM0,DWORD PTR DS:[EAX+0x28]
00419154   F3:0F5C43 18     SUBSS XMM0,DWORD PTR DS:[EBX+0x18]
00419159   F3:0F1048 30     MOVSS XMM1,DWORD PTR DS:[EAX+0x30]
0041915E   F3:0F105B 20     MOVSS XMM3,DWORD PTR DS:[EBX+0x20]

 

[c5]

Yeah that's the way I hooked present from swapchain. Offset seems different though, interesting.

 

[c5]

I know man, directx11 is just horrible from our point of view. I haven't tried anything with textures yet and don't know if I will (too complicated lol), need to make my primitives draw perfectly first. And that already is a pain itself lol..

 

[c5]

2 from the top of my head, if I remember correctly.

I was using fontwrapper aswell, I noticed it had some functionality of drawing vertices aswell, gonna take a look at that I guess. Tried s0beits method before but the effects11.lib fucked it up for me big time duh, don't know why..

 

[c5]

Yeah, sorry, I've got it the same way. Device, context and swapchain.

 

[c5]

Little bit of stuff missing, yeah?

 

[c5]

Yeah, I'm trying to grab the matrixes that way (view, proj, word), are they in the same struct as your local position?

I think camera was there indeed, and world, but I get them from another structure.

 

[c5]

I wonder how 'easy' it is to do wireframe, more than 8 lines I'm used to I guess.

 

[c5]

Okay boys and girls, since the game is now officially released, heres a little present for ya'll.

class CLIENTPTR;
class World;
class Entity;
class EntityPool;
class WorldSpace;
class EntityClass;

class ArmaString;

class CLIENTPTR
{
public:

	World* worldPtr; //0x0000 
	
};//Size=0x0004

class World
{
public:
	char unk[2420];				// 0x000 <-- same from here
	float fMyHeading1; 			// 0x970
	char unk0[12];				// 0x974
	float fMyHeading1Neg;		// 0x980
	char unk1[4];				// 0x984
	float fMyHeading2;			// 0x988
	float fLocalX;				// 0x98C
	float fLocalZ;				// 0x990
	float fLocalY;				// 0x994
	char unk2[232];				// 0x998
	float fSimulationSpeed;		// 0xA84           
	char unkpad0[224];
	EntityPool* firstEntities;	// 0xB64	very close to you  <-- same 0xB68 
	int nFirstPoolSize;			// 0xB68
	int nFirstPoolMaxSize;		// 0xB6C
	char unk3[156];				// 0xB70
	EntityPool* secondEntities;	// 0xC0C	close to you
	int nSecondPoolSize;		// 0xC10
	int nSecondPoolMaxSize;		// 0xC14
	char unk4[156];				// 0xC18
	EntityPool* thirdEntities;	// 0xCB4	average distance
	int nThirdPoolSize;			// 0xCB8
	int nThirdPoolMaxSize;		// 0xCBC
	char unk5[156];				// 0xCC0 
	EntityPool* forthEntities;	// 0xD5C 	further away from you
	int nForthPoolSize;			// 0xD60
	int nForthPoolMaxSize;		// 0xD64
	char unk6[2988];
	float fTerrainGrid;			// 0x18E4
	
	//char padding[3016];			// 0xC18 padding is off, useless anyhow
	//BYTE bScopedIn; 			// 0x17E0 

	// simulationspeed (float)	    0xA84
	// setTerrainGrid (50 no grass) 0x18E4 float
	
};//Size=0x17E1

class Entity
{
public:
	/*char unk0[0x114];
	int pad0;//int nOnlineMatchRank;		// 0x114
	char unk1[4];
	int pad1;//nID;					// 0x11C
	char unk2[0x10];*/			
	char unk0[0xD0];
	// 0x90 on ka worldspace
	EntityClass* entityClass;	// 0x130 <-- is the same
	char unk3[44];				// 0x134			
	WorldSpace* worldSpace;		// 0x160    <-- worldspace is different i believe now
	char unk4[100];				// 0x164
	class Health* health;				// 0x1C8 // wrong...
	//char unk5[4];
	char unk5[400];				// 0x1CC
	bool bIsDead;				// 0x35C <-- is the same?
	char pad[1820];				// 0x360
};

class EntityPool
{
public:
	Entity* entities[256];		// 256 is just a wild random, iterate according to pool size, and prolly better of to increase the size
};

class WorldSpace
{
public:
	char unk0[4];
	float fHeading1;
	char unk1[4];
	float fHeading2;
	char unk2[4];
	float fHeading21;
	char unk3[4];
	float fHeading22;
	char unk4[8];
	float fXcoord; // 0x28
	float fZcoord;
	float fYcoord;
	char unk5[224]; 
	float fHeadXcoord; // 0x114
	float fHeadZcoord;
	float fHeadYcoord;
	/*
	float fUnkXcoord;
	float fUnkZcoord;
	float fUnkYcoord;*/
};

class EntityClass 
{
public:
	char unk0[0x30];
	ArmaString* className;		// 0x30
	char unk1[4];				// 0x34
	ArmaString* classSkinPath;	// 0x38
	char unk2[0x94];			// 0x38
	ArmaString* objectType;		// 0xCC
};

class ArmaString
{
public:
	char unk0[4];
	int length;
	char string[128];
};

PS: Don't mind the comments, they are off lol

Here's a preview of what you can do with it

 

[Tarolion]

Hey Dude, I thought I'd post up my offsets so far.. some might be inaccurate, but I'm having issues with finding the transformation matrix for world to screen stuff. If you could help I'd really appreciate it, if not no worries:

    struct Offsets
    {
        public static Int64 OFFSET_WORLDPOINTER     = 0x1685AF4;        // NOTE: Read World before reading Tables, or other offsets in this list.
        public static Int64 OFFSET_TRANSFORMATION   = 0x1675508;        // Transformation base, contains the World 2 Screen Matrix.
        public static Int64 OFFSET_GAMESTATE        = 0x1A93C48;        // Not sure what this is, but a friend said they used it. So there's that one.
    }
    #region [ World Offsets... ]
    //
    struct WorldOffsets
    {
        /*
        To read from these tables, first read world then read the table. I.e:
        base + world] + Mastertable + 0x4 + slaveTable] + i*0x4] 
        will return the object in the table at element i.
        */
        public static Int64[] OFFSET_MASTERTABLES = { 
                                                          0xB90,                            // Entity Table
                                                          0xE38,                            // Effects Table
                                                          0x10DC                            // Another master table, Not sure whats in here.
                                                          };
        public static Int64[] OFFSET_SLAVETABLES = { 0x4, 0xAC, 0x154, 0x1FC };      // Slave Tables.
        /*
        Slave tables can more accurately be described as LOD tables. 
        each table is based on distance from the camera. 0x4 is closest and 0x1FC is farthest.
        To receive the size of the table +0x4 to the offset.	
        */

        public static Int64 OFFSET_CAMERAON = 0x1718;                           // CameraOn - Need to deference then read + 0x4 for the Local Player.
        public static Int64 OFFSET_PLAYERON = 0x1710;                           // PlayerOn
        public static Int64 OFFSET_REALPLAYER = 0x171C;                           // Real Player  
    }

    struct CameraOnOffsets
    {
        public static Int64 OFFSET_ENTITYLINK = 0x4;                              // Reads the Entity linked to the Camera, If in a vehicle it returns the vehicle entity.
    }

    struct VisualStateOffsets
    {
        /*
        I'm pretty sure that 0x4 - 0x24 is some kind of 3x3 Rotation Matrix, but I'm not
        sure how to extract Heading or pitch from this.
        */
        public static Int64 NFacing = 0x4;             // Using these to calculate Heading..
        public static Int64 EFacing = 0x1C;            // Using these to calculate Heading..
        public static Int64 SFacing = 0x24;            // Using these to calculate Heading..
        public static Int64 WFacing = 0xC;             // Using these to calculate Heading..
        // Using these to calculate Heading..
        public static Int64 UpFacing = 0x178;           // Using these to calculate Heading..
        public static Int64 DownFacing = 0x170;           // Using these to calculate Heading..

        public static Int64 HeadPosition = 0x114;
        public static Int64 FeetPosition = 0x28;
    }

    struct EntityOffsets
    {
        // these Vectors are only updated in vehicles
        public static Int64 VehicleUnkVec = 0x38;		// **** Vector
        public static Int64 VehicleUpXZY = 0x44;		// **** Vector
        public static Int64 VehicleDirection = 0x50;		// **** Vector
        public static Int64 VehiclePosition = 0x5C;		// Vector   

        public static Int64 VisualState = 0x68;		// VisualState
        public static Int64 ScriptStuff = 0xD0;		// **** ScriptStuff

        public static Int64 SideIDOffset = 0x210;    // Integer - Entity Team ID, 0 = Opfor, 1 = Blufor, 2 = Independent, 3 = Civilian
        public static Int64 IsDeadOffset = 0x32C;    // Byte    - To turn it into a bool use, Convert.ToBoolean( value ) where value is the byte read from this offset.

        public static Int64 TopBodyPitch = 0xB58;    // Float - Pitch angle of the top portion of the body.
    }

    struct CameraOffsets
    {

    }
    //
    #endregion

    struct TransformationOffsets
    {
        public static Int64 WorldToScreenMatrix     = 0xE4;    // Matrix - World to Screen Matrix
    }

 

[c5]

If I remember correctly, it had a ref to it somewhere in the beginning of the world class as well but I am not sure.

Here are some of my notes from the old days, if you sig scan something out of it.

51 8B 4D ?? ?? ?? ?? ?? ?? 57 51 56

00419125   F3:0F1080 C40100>MOVSS XMM0,DWORD PTR DS:[EAX+0x1C4]
0041912D   51               PUSH ECX
0041912E   8B4D 08          MOV ECX,DWORD PTR SS:[EBP+0x8]
00419131   F3:0F110424      MOVSS DWORD PTR SS:[ESP],XMM0
00419136   57               PUSH EDI
00419137   51               PUSH ECX
00419138   56               PUSH ESI
00419139   E8 823A0000      CALL arma3.0041CBC0
0041913E   8B15 84956C01    MOV EDX,DWORD PTR DS:[0x16C9584]	// transformation
00419144   8B82 DC000000    MOV EAX,DWORD PTR DS:[EDX+0xDC]	// padding to transdata ptr
0041914A   F3:0F1050 2C     MOVSS XMM2,DWORD PTR DS:[EAX+0x2C]
0041914F   F3:0F1040 28     MOVSS XMM0,DWORD PTR DS:[EAX+0x28]
00419154   F3:0F5C43 18     SUBSS XMM0,DWORD PTR DS:[EBX+0x18]
00419159   F3:0F1048 30     MOVSS XMM1,DWORD PTR DS:[EAX+0x30]
0041915E   F3:0F105B 20     MOVSS XMM3,DWORD PTR DS:[EBX+0x20]

Other than that you can find it by CE with zoom in/out and looking for projection, or go between 3rd/1st person and look camera change.

There are also references to it through the game scripting shit engine so you can look for strings, or even go through shaders, easy as well.

 

[Luciz]

#define OFF_FN_SETVELOCITY 0xB50850
#define OFF_O_ISLOCAL 0x21A
class Object
{
public:
	bool IsLocal()
	{
		return *(BYTE*)((DWORD)this + OFF_O_ISLOCAL) == 1;
	}

	void SetLocal(BYTE local)
	{
		*(BYTE*)((DWORD)this + OFF_O_ISLOCAL) = local;
	}

	void SetVelocity(FVector vel)
	{
		typedef int(__thiscall *tSetVelocity)(Object* obj, FVector vel);
		static tSetVelocity setVelocity = (tSetVelocity)GetDynamicAddress(OFF_FN_SETVELOCITY);

		if (IsLocal())
			setVelocity(this, vel);
		else
		{
			SetLocal(1);
			setVelocity(this, vel);
			//SetLocal(0);
		}
	}
}

I reversed this yesterday, gotta be the easiest function to reverse.
Sadly the setVelocity isn't networked and only works on vehicles .
But, people in vehicles still die, lol.