Disabling balance changes

Mass Effect 3 Private Server Emulator is a replacement for the Origin/Blaze backend that handles the online component of Mass Effect 3.

Moderator: PSE Developer

Mgamerz
Site Admin
Posts: 571
Joined: Wed Jan 06, 2016 1:13 am

Re: Disabling balance changes

Post by Mgamerz »

Yeah. I was using PSE earlier as MITM and it's... not optimal. I could barely seem to hold a connection. I think my ping is too high for EA at like 168 and it times out because of my big friends list.

I've been looking a lot into ME3OTH and WarrantyVoider's examples. I was able to make his consoleutil one (you've modified it before) into an asi that logs function calls. (Had to make it delay hooking.) I was never aware that this had real native memory access... This tool could be very powerful. I wanted to test using the 'spawn' command but I can't seem to figure out how to hook a keypress so it isn't just randomized. I found the getBINI functions and stuff in the SDK feckless made in sfxonlinefoundation. Unfortunately I couldn't seem to see anything useful.

Do you have any tips on using cheatengine/ollydbg as a debugger? I can't seem to use it beyond finding values but you're able to find what's accessing a memory address. I don't know x86 assembly but I've been looking into it and am getting a bit of the hang of it (I know some MIPS).
Erik JS
Posts: 110
Joined: Sun Jan 10, 2016 8:03 pm
Location: Brazil

Re: Disabling balance changes

Post by Erik JS »

Erik JS wrote: I think it would better if I hook the function which does that string concatenation then, so the game will keep receiving the version from the server.
This is how "ME3_BINI_PC_COMPRESSED" is formed:

http://www.mediafire.com/view/kvk6wjsbk ... nipc_1.png
http://www.mediafire.com/view/iregn6mc5 ... nipc_2.png

I thought this shit was going to be harder. :lol:

It seems "ME3_%s" is only used in that part of the code. I was afraid of trying to edit that because there are other request strings which start with "ME3_".

EDIT: it worked. Game receives BINI version, while still not getting the actual thing at all.
Mgamerz wrote: Do you have any tips on using cheatengine/ollydbg as a debugger? I can't seem to use it beyond finding values but you're able to find what's accessing a memory address. I don't know x86 assembly but I've been looking into it and am getting a bit of the hang of it (I know some mips)
There's a command with that exact name... have you tried Cheat Engine Tutorial?
Mgamerz
Site Admin
Posts: 571
Joined: Wed Jan 06, 2016 1:13 am

Re: Disabling balance changes

Post by Mgamerz »

I've looked on their site. It seems so outdated and tons of images are dead. I'll take another look. Do you still get suicide at the end? To make the game behave normally it will still require some modifications (like rpctimeout going to 20000 over 15000).

I am looking at the SDK feckless made, but curiously it does not have anything for sfxgamempcontent, only sfxgamecontent. I'm not very versed in C++ but a cursory search for unreal variables (e.g. maxenemies, not native) does not show up at all.
Erik JS
Posts: 110
Joined: Sun Jan 10, 2016 8:03 pm
Location: Brazil

Re: Disabling balance changes

Post by Erik JS »

http://forum.cheatengine.org/viewtopic.php?t=542093

Suicide thing still happens here.

And about the SDK, from what I understood it pulled variables and names from the game's memory, but it seems it was made while not under a MP session, and that's why it lacks some MP variables and functions.
Mgamerz
Site Admin
Posts: 571
Joined: Wed Jan 06, 2016 1:13 am

Re: Disabling balance changes

Post by Mgamerz »

I didn't even know cheatengine came with a tutorial program (I got portable mode so I guess it didn't really present itself...) It looks quite handy, I'll follow it when I get some time tonight.

The SDK WV has/used is rev50 and the latest is rev51. IDK what the differences are (BACS class, I assume a game?) and have no idea the difficulty of regenerating it, but it looks like somehow we'll need to generate a new one. I know we need the global objects and names offsets from what I have read. Not sure if they were included by feckless/WV but I know in one of me3exp's threads there was some info, maybe I can dig it up. I see feckless has a video tutorial, haven't watched it yet. Hopefully it's helpful.

Edit: Feckless used a different exe (SDK probably still works) but WV used a different one. He may have regenerated the SDK. WV has the global offset and the name one does not look too hard to find according to their forum.

Edit2: from the video it is likely once the game loaded he injected dll and took what was there. Idk if MP content loads until MP option is chosen. Since it is not an active logger I am not sure if we can generate a full sdk for both MP and SP since they load exclusive/or (right?)

Edit: ME3 binary is encrypted, so it's not as easy as they seemed to have shown...

Edit: not sure if we have to do all of the work reconstructing the core code since he did that already. That would be quite a bit of work if we did.

Edit: Good news, bad news. Since feckless did most of the work he seems to have built in support for SDK generation with ME3 out of the box as long as you modify one of the header files to use the right includes. It has a pattern to find the right data to use with any version so that's good. For the bad news, it crashes anytime there is a level change. I don't know if this is part of the documentation. e.g. I can't load MP and not crash, I can't load a level and not crash... we may just need multiple SDKs or multiple headers or something. But it's good that most of it is done. It generated files I could read, but nowhere near the amount that he released.

Edit: Played it in MP. Nothing MP seemed to show up. I wonder if it only works while it is loading the content rather than during (I injected at start of match)

Edit: Must compile as release, debug will not work. Still misses SFXGameMPContent. Now I am getting about the same output as feckless did.
Erik JS
Posts: 110
Joined: Sun Jan 10, 2016 8:03 pm
Location: Brazil

Re: Disabling balance changes

Post by Erik JS »

Mgamerz wrote: Edit: ME3 binary is encrypted, so it's not as easy as they seemed to have shown...
Cracked EXE isn't. The value for GObjects which is used in ClientMessage Exposer is valid for original and cracked EXEs. In RAM, both are pretty much the same except that cracked EXE has the DLC check and Origin links patched out (btw I already tracked down the latter, I will talk about this later).
Mgamerz wrote: Edit: Played it in MP. Nothing MP seemed to show up. I wonder if it only works while it is loading the content rather than during (I injected at start of match)
There should be "MP content" available when you enter the initial MP screen (which AFAIK is referred to as "MPLobby", and serves as the main MP screen and the lobby).
But you said you found nothing in a match, which obviously has to have all the stuff from MPLobby already loaded.

I'll take a look at that video (should've done this ages ago) and see what I can come up with.
Mgamerz
Site Admin
Posts: 571
Joined: Wed Jan 06, 2016 1:13 am

Re: Disabling balance changes

Post by Mgamerz »

It seems to use a pattern to find the offset at runtime. I saw no hardcoded addresses. He seems to have the base class (core) already done so most of the video is done it seems.

I saw no sfxgamempcontent, and searching through the files made no new mentions of MP objects. I couldn't find some of the exec functions either like setgravity which are SP too (I used it while generating).

I have wv console util as an asi. I will see if that (logs all functions) even sees MP stuff.
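
The runtime signature scan described in the post above, sketched as an added example (not part of the thread and not the SDK generator's own code): a masked byte pattern locates an instruction that references a global, and the pointer is read from that instruction's operand, so the same signature works on builds where the address differs. The signature bytes, mask, addresses and both "builds" are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed signature (NOT the generator's real one):
//   mov ecx,[imm32] ; mov eax,[ecx+esi*4] ; test eax,eax
const uint8_t SIG[] = {0x8B,0x0D,0,0,0,0, 0x8B,0x04,0xB1, 0x85,0xC0};
const char MASK[] = "xx????xxxxx";   // 'x' = must match, '?' = wildcard
const size_t OPERAND_OFF = 2;        // imm32 follows the 2-byte opcode

// Offset of the first masked match in buf, or -1 if there is none.
long find_pattern(const uint8_t* buf, size_t len, const uint8_t* sig, const char* mask) {
    size_t n = std::strlen(mask);
    if (n == 0 || len < n) return -1;
    for (size_t i = 0; i + n <= len; ++i) {
        size_t j = 0;
        while (j < n && (mask[j] == '?' || buf[i + j] == sig[j])) ++j;
        if (j == n) return static_cast<long>(i);
    }
    return -1;
}

// Address stored in the matched instruction's operand, or 0 if not found.
uint32_t resolve_global(const std::vector<uint8_t>& image) {
    long m = find_pattern(image.data(), image.size(), SIG, MASK);
    if (m < 0) return 0;
    const uint8_t* p = image.data() + m + OPERAND_OFF;  // still inside the match
    return p[0] | (p[1] << 8) | (p[2] << 16) | (uint32_t(p[3]) << 24);
}

// Two constructed "builds": same code, shifted position, different global.
std::vector<uint8_t> build_a() {
    return {0x55,0x8B,0xEC, 0x8B,0x0D,0x34,0x56,0xAB,0x01, 0x8B,0x04,0xB1, 0x85,0xC0, 0xC3};
}
std::vector<uint8_t> build_b() {
    return {0x90,0x90,0x55,0x8B,0xEC,0x51, 0x8B,0x0D,0x10,0x8A,0xAC,0x01,
            0x8B,0x04,0xB1, 0x85,0xC0, 0xC3};
}

int main() {
    std::printf("build A: 0x%08X\n", (unsigned)resolve_global(build_a()));
    std::printf("build B: 0x%08X\n", (unsigned)resolve_global(build_b()));
    return 0;
}
```

A hardcoded offset, by contrast, is only valid for the one build it was taken from.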
Erik JS
Posts: 110
Joined: Sun Jan 10, 2016 8:03 pm
Location: Brazil

Re: Disabling balance changes

Post by Erik JS »

https://github.com/Erik-JS/Misc-Stuff/b ... eDumper.cs

This little thing I made pulls names from all GObjects in the GObject pointer collection. It's similar to "dump all" from ME3OTH, assuming I got WV's logic right. You'll see the list is bigger when pulled from an MP screen compared to the main menu.
Mgamerz
Site Admin
Posts: 571
Joined: Wed Jan 06, 2016 1:13 am

Re: Disabling balance changes

Post by Mgamerz »

So is something wrong with feckless's SDK generator? I injected (his sdk generator) both before and after MP (different sessions). It didn't see any MP stuff. Perhaps this is why WV was asking how to get the name table/object after the SDK was released.

Haven't had time yet to see your object pointer tool.
Mgamerz
Site Admin
Posts: 571
Joined: Wed Jan 06, 2016 1:13 am

Re: Disabling balance changes

Post by Mgamerz »

GREAT SUCCESS!

I took your gobjects offset and went into TFL_SdkGen.cpp of the sdk generator and overwrote their offset by signature detector with it. I can now see MP content. However... lots of stuff is commented out. I don't know if I am supposed to uncomment it, or if it was commented out for a reason. I haven't looked through many files yet though, maybe it's cause I'm just in classes instead of functions or something. I'll definitely be trying to hook into something like onWaveEnd() tonight <3

Here's the solution (VS 2015 community... sorry if that's too new)
https://drive.google.com/file/d/0B9bwvh ... sp=sharing

Here's the SDK I got. I played 3 waves on silver, dunno if that made a difference in terms of how much was loaded.
https://drive.google.com/file/d/0B9bwvh ... sp=sharing