{"id":1442,"date":"2021-04-04T17:26:33","date_gmt":"2021-04-04T22:26:33","guid":{"rendered":"https:\/\/badecho.com\/?p=1442"},"modified":"2021-06-06T21:37:34","modified_gmt":"2021-06-07T02:37:34","slug":"hacking-witcher-part-1","status":"publish","type":"post","link":"https:\/\/badecho.com\/index.php\/2021\/04\/04\/hacking-witcher-part-1\/","title":{"rendered":"Hacking The Witcher 3 &#8211; Part 1 (Data Structure Analysis)"},"content":{"rendered":"\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"366\" height=\"181\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/WitcherLogo-e1617575127960.png\" alt=\"\" class=\"wp-image-1444\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/WitcherLogo-e1617575127960.png 366w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/WitcherLogo-e1617575127960-300x148.png 300w\" sizes=\"(max-width: 366px) 100vw, 366px\" \/><\/figure><\/div>\n\n\n\n<p>Today, we start the <a href=\"https:\/\/badecho.com\/index.php\/what-is-omnified\/\" target=\"_blank\" rel=\"noreferrer noopener\">Omnification<\/a> of <em>The Witcher 3<\/em>! This has been one of my favorite games to have come out in the last few years, and one I&#8217;ve been waiting to Omnify since I started the whole Omnifying shebang. The Witcher is definitely a game rich with story and interesting characters; all it is missing is an adequate level of hellish gameplay difficulty.<\/p>\n\n\n\n<p>By the time we&#8217;re done here, it certainly won&#8217;t be wanting in that department any longer. 
We&#8217;ll begin our hacking by charting out some of the most important data structures as they pertain to our player and other creatures.<\/p>\n\n\n\n<h2><span class=\"ez-toc-section\" id=\"The_Matter_of_Geralt%E2%80%99s_Health\"><\/span>The Matter of Geralt&#8217;s Health<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>As is tradition, we typically start by locating the player&#8217;s health. It is a requirement of a number of our game-neutral systems, and it gives us a good head start in finding (if we&#8217;re lucky) a <em>root structure<\/em> for the player. More often than not the exact numeric value for the player&#8217;s health is hidden from us in the user interface. Fortunately, in <em>The Witcher 3<\/em>, the health is displayed to us, plain as day.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"136\" height=\"193\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/PlayerHealth.png\" alt=\"Behold! The player vitality is displayed unabashedly!\" class=\"wp-image-1445\"\/><figcaption>Behold! The health!<\/figcaption><\/figure><\/div>\n\n\n\n<p>So it&#8217;s a simple matter of just plugging this into our friendly Cheat Engine and searching for changes being made to the value. The only question we have is what particular data type it might be. It would appear to be an integer-based value; however, a little birdy has just whispered into my ear that it might indeed actually be a <em>float<\/em> (translation: I tried searching for integers earlier and failed). 
Let&#8217;s see if I am correct.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"687\" height=\"818\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/HealthSearch.png\" alt=\"Behold! 189 results and counting! Soon we shall narrow it down!\" class=\"wp-image-1446\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/HealthSearch.png 687w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/HealthSearch-252x300.png 252w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/HealthSearch-480x572.png 480w\" sizes=\"(max-width: 687px) 100vw, 687px\" \/><figcaption>Only 189 floats set to 3500 in memory&#8230;this&#8217;ll be like shootin&#8217; fish in a barrel.<\/figcaption><\/figure><\/div>\n\n\n\n<p>We quickly narrow it down to just four results after searching for a single value change (from 3500 to 3271). From there we just change each of the four remaining addresses&#8217; values until we find the one that is directly responsible for updating the player&#8217;s health in the game.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"723\" height=\"757\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/FoundPlayerHealthWow.png\" alt=\"Behold! I have found the player's health!\" class=\"wp-image-1447\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/FoundPlayerHealthWow.png 723w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/FoundPlayerHealthWow-287x300.png 287w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/FoundPlayerHealthWow-480x503.png 480w\" sizes=\"(max-width: 723px) 100vw, 723px\" \/><figcaption>Behold! 
I have found the player&#8217;s health!<\/figcaption><\/figure><\/div>\n\n\n\n<h3><span class=\"ez-toc-section\" id=\"Finding_a_Proper_Place_to_Hook_the_Player_Health\"><\/span>Finding a Proper Place to Hook the Player Health<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Now that we have found the source of truth for the player&#8217;s health, time to learn a little more about the data structure housing our player&#8217;s health value. While we do that, we can start to find a suitable piece of code to hook into in order to reliably create a pointer to our player&#8217;s health between game sessions. <\/p>\n\n\n\n<p>We give our new field in our address list a little right click and choose <strong>Find out what accesses this address<\/strong>, and soon enough we&#8217;re greeted with some jovial looking instructions.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"811\" height=\"540\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/InstructionsAccessingPlayerHealth.png\" alt=\"Four instructions are accessing the player's health. Which one will be of most use to us?\" class=\"wp-image-1448\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/InstructionsAccessingPlayerHealth.png 811w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/InstructionsAccessingPlayerHealth-300x200.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/InstructionsAccessingPlayerHealth-768x511.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/InstructionsAccessingPlayerHealth-480x320.png 480w\" sizes=\"(max-width: 811px) 100vw, 811px\" \/><figcaption>A reasonably small number of functions are reading our health.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Hopefully from these four instructions we can find one ideally only accessing our player&#8217;s health. 
What we&#8217;re likely to see is a number of these accessing health values belonging to multiple NPCs, as many of these kinds of functions tend to be map or area-wide HP pollers for the entities that lie within their borders. <\/p>\n\n\n\n<p>Unfortunately, most of them appear to be accessing too many addresses to be of any real use to us.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"508\" height=\"440\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/EvenWorseEvenMoreAccessesOfHealth.png\" alt=\"Shows too many addresses being accessed for the instruction to be of use to us.\" class=\"wp-image-1449\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/EvenWorseEvenMoreAccessesOfHealth.png 508w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/EvenWorseEvenMoreAccessesOfHealth-300x260.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/EvenWorseEvenMoreAccessesOfHealth-480x416.png 480w\" sizes=\"(max-width: 508px) 100vw, 508px\" \/><figcaption>We&#8217;re looking for a function accessing a single address, not a bunch.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Upon reaching the very end of the list however, we find a very interesting instruction that, while accessing more than one address in memory, appears to be accessing three <em>very<\/em> different kinds of values. 
<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"605\" height=\"410\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/AddressesAccessByBetterHealthAccess.png\" alt=\"Shows what the most promising of the health instructions is accessing.\" class=\"wp-image-1450\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/AddressesAccessByBetterHealthAccess.png 605w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/AddressesAccessByBetterHealthAccess-300x203.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/AddressesAccessByBetterHealthAccess-480x325.png 480w\" sizes=\"(max-width: 605px) 100vw, 605px\" \/><figcaption>Three addresses &#8212; perhaps related to various player stats?<\/figcaption><\/figure><\/div>\n\n\n\n<p>Initially the second address listed above was at <strong>100.0<\/strong>. Suspicious, I made my character run around a bit, and noticed it drop down. Clearly, this second address is pointing towards the player&#8217;s stamina. <em>Plot twist<\/em>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"257\" height=\"261\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/StaminaSameAsBetterHealthAccess.png\" alt=\"Shows the stamina bar having the same value as the second address in the previous image.\" class=\"wp-image-1451\"\/><figcaption>Ah hah! It is the stamina!<\/figcaption><\/figure><\/div>\n\n\n\n<p>The addresses being accessed are all statistics related to, and only to, the player. My guess is that these are functions used to poll for various stat values for the purpose of displaying them on the screen. 
The first value is clearly the health, the second is the stamina, and the third could be either toxicity or even adrenaline, I suppose.<\/p>\n\n\n\n<h3><span class=\"ez-toc-section\" id=\"Looking_at_Vitals_Access_Code_and_Data_Structure\"><\/span>Looking at Vitals Access Code and Data Structure<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>So, if we want to use this code, how can we tell whether it is our player&#8217;s health or our stamina that is being accessed? Does it matter?<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"946\" height=\"533\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RAXIsCharStatsRDXIsIndexer3IsStam.png\" alt=\"Shows the instruction polling the player stats.\" class=\"wp-image-1452\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RAXIsCharStatsRDXIsIndexer3IsStam.png 946w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RAXIsCharStatsRDXIsIndexer3IsStam-300x169.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RAXIsCharStatsRDXIsIndexer3IsStam-768x433.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RAXIsCharStatsRDXIsIndexer3IsStam-480x270.png 480w\" sizes=\"(max-width: 946px) 100vw, 946px\" \/><figcaption>The rax register is the base address for the player vitals structure, with rdx serving as an indexer.<\/figcaption><\/figure><\/div>\n\n\n\n<p>I noticed from how the code behaved during execution that the base address for this vitals structure seemed to be stored in <code>rax<\/code>, with an indexer stored in <code>rdx<\/code> being applied to this base address in order to yield the desired stat. 
Here are the stats returned for each possible value of <code>rdx<\/code>:<\/p>\n\n\n\n<ul><li><strong>rdx = 0<\/strong>: Health<\/li><li><strong>rdx = 3<\/strong>: Stamina<\/li><li><strong>rdx = 6<\/strong>: Toxicity<\/li><\/ul>\n\n\n\n<p>The whole index-based access thing doesn&#8217;t matter much here; the address of interest for us seems to always be found in the <code>rax<\/code> register. Let&#8217;s have a gander at this vitals data structure next then.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"915\" height=\"525\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/VitalsStruct.png\" alt=\"Shows the contents of our mapped Vitals structure for the player.\" class=\"wp-image-1454\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/VitalsStruct.png 915w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/VitalsStruct-300x172.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/VitalsStruct-768x441.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/VitalsStruct-480x275.png 480w\" sizes=\"(max-width: 915px) 100vw, 915px\" \/><figcaption>I&#8217;ve filled in the stats I was able to identify: Health, Stamina, and Toxicity (both currents and maximums).<\/figcaption><\/figure><\/div>\n\n\n\n<p>So we&#8217;ve got the player&#8217;s most basic stats available right in this vitals structure. There appear to be additional game stats as well, although I haven&#8217;t been able to identify them yet. These are actually live values, so updating the maximum for health, for example, actually changes my maximum health amount. 
It&#8217;s nice to have them all stored in this single data structure as opposed to some of the values being stored in a separate, more &#8220;character-defining&#8221; data structure (which I&#8217;ve seen in games).<\/p>\n\n\n\n<p>At this point in time, it doesn&#8217;t appear as if this game has any <a href=\"https:\/\/en.wikipedia.org\/wiki\/Run-time_type_information\" target=\"_blank\" rel=\"noreferrer noopener\">RTTI<\/a> (I named the <strong>Vitals<\/strong> structure myself). We can&#8217;t be sure of this 100% yet, but I&#8217;ve grown accustomed to not having it present anyway. We&#8217;ll just cross our fingers and hope for the best&#8230;<\/p>\n\n\n\n<p>With all of this in hand, I think it&#8217;s fair to say that we should now be able to create our first hook into the game that will secure our player&#8217;s vitals structure.<\/p>\n\n\n\n<h3><span class=\"ez-toc-section\" id=\"Player_Vitals_Structure_Pointer_Creation_via_Injection\"><\/span>Player Vitals Structure Pointer Creation via Injection<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>For our first bit of code, we&#8217;ll create a simple hook that&#8217;ll grab the vitals structure stored in <code>rax<\/code> and set our pointer to&#8230;point to it!<\/p>\n\n\n\n<h4><span class=\"ez-toc-section\" id=\"Player_Vitals_Structure_Hook\"><\/span>Player Vitals Structure Hook<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n<pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\n\/\/ Gets the player's vitals.\ndefine(omniPlayerVitalsHook, &quot;witcher3.exe&quot; + E3BEB1)\n\nassert(omniPlayerVitalsHook, 8B 0C 90 89 0E)\nalloc(getPlayerVitals,$1000, omniPlayerVitalsHook)\nalloc(playerVitals,8)\n\nregistersymbol(omniPlayerVitalsHook)\nregistersymbol(playerVitals)\n\ngetPlayerVitals:\n  pushf\n  push rbx\n  mov rbx,playerVitals\n  mov [rbx],rax\n  pop rbx\ngetPlayerVitalsOriginalCode:\n  popf\n  mov ecx,[rax+rdx*4]\n  mov [rsi],ecx\n  jmp getPlayerVitalsReturn\n\n\nomniPlayerVitalsHook:\n  jmp getPlayerVitals\n  \ngetPlayerVitalsReturn:\n<\/pre>\n\n\n
<p>Pretty simple stuff: we&#8217;re just grabbing what&#8217;s in <code>rax<\/code> and storing it in <code>playerVitals<\/code>. <\/p>\n\n\n\n<p>Knowing our health is a requirement for a number of our Omnified systems. It would be great to figure out where our root structure for the player is kept, but we don&#8217;t have enough information yet.<\/p>\n\n\n\n<h2><span class=\"ez-toc-section\" id=\"The_Matter_of_Geralt%E2%80%99s_Location\"><\/span>The Matter of Geralt&#8217;s Location<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>After finding our player&#8217;s vitals, the next most important bits of information most certainly have to be those which pertain to the character&#8217;s locational coordinates. By tradition, we look for the player&#8217;s coordinates after we find the health, and I mean to keep to that tradition!<\/p>\n\n\n\n<p>Since we haven&#8217;t found a root structure yet, we&#8217;re going to need to perform another &#8220;change in values&#8221; search in order to find the coordinates. We typically make use of the vertical plane of movement, as that&#8217;s the easiest to isolate from the other axes. 
So, we&#8217;ll begin with an <strong>Unknown initial value<\/strong> search for <strong>Float<\/strong> (almost always the value type used for coordinates) value types.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"350\" height=\"463\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/SearchingForUnknownCoordinates.png\" alt=\"Shows over a billion floats to sift through in order to find the coordinates.\" class=\"wp-image-1455\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/SearchingForUnknownCoordinates.png 350w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/SearchingForUnknownCoordinates-227x300.png 227w\" sizes=\"(max-width: 350px) 100vw, 350px\" \/><figcaption>Whelp, only about 1.4 billion values to look through. Not the worst I&#8217;ve seen.<\/figcaption><\/figure><\/div>\n\n\n\n<p>We then proceed to move the character up and down an incline, narrowing down our search results by looking for both <strong>Increased values<\/strong> and <strong>Decreased values<\/strong> as appropriate. 
After dealing with a few crashes and much hair pulling, I was finally able to isolate a particular value in memory which seemed to control the character&#8217;s vertical position.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"802\" height=\"846\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/FloatingAboveEarth.png\" alt=\"Shows the character floating far above the ground after changing the immediate Z value.\" class=\"wp-image-1456\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/FloatingAboveEarth.png 802w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/FloatingAboveEarth-284x300.png 284w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/FloatingAboveEarth-768x810.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/FloatingAboveEarth-480x506.png 480w\" sizes=\"(max-width: 802px) 100vw, 802px\" \/><figcaption>Increasing this value boosts our character high into the sky.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Note that I said it <em>seemed<\/em> to control our vertical position. After increasing the value, I would observe the character hanging out high in the sky. The character remains there until we make some sort of movement. After initiating said movement, instead of our character falling to their death, our character would immediately return to their original location and carry out the movement.<\/p>\n\n\n\n<p>Furthermore, freezing the value (preventing updates) does nothing to actually prevent the player from changing position along the vertical axis. What this all means, then, is that the value we found was not actually the source-of-truth vertical coordinate. What it reminded me of immediately was a similarly acting value that was present in <em>Dark Souls II<\/em>. 
Not being what we were looking for, I tabled it and began a new search.<\/p>\n\n\n\n<p>After an hour or so (broadcasting live, might I say) of searching, I simply could not find the character&#8217;s actual source-of-truth vertical coordinate in memory. Desperate to maintain my &#8220;aura of coolness&#8221; in front of the viewers, I started to panic internally. So, looking for some clues, I decided to venture into some code that was responsible for updating the previously found &#8220;immediate vertical position&#8221; value we were just discussing.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"946\" height=\"533\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/CodeWritingToImmediateZ.png\" alt=\"Shows some code that goes off before our &quot;immediate vertical position&quot; value is written to.\" class=\"wp-image-1457\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/CodeWritingToImmediateZ.png 946w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/CodeWritingToImmediateZ-300x169.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/CodeWritingToImmediateZ-768x433.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/CodeWritingToImmediateZ-480x270.png 480w\" sizes=\"(max-width: 946px) 100vw, 946px\" \/><figcaption>The &#8220;immediate vertical position&#8221; value seems to be sourcing values that were originally DOUBLES.<\/figcaption><\/figure><\/div>\n\n\n\n<p>The place from which the &#8220;immediate vertical position&#8221; was getting its value might have nothing to do with the actual vertical position, but there was a chance it might. 
Looking at the code writing to the immediate value, I quickly saw the use of a <code>cvtpd2ps<\/code> instruction, meaning that the reason we were unable to find the actual positional values might&#8217;ve been that these values were not floats, but <strong><em>DOUBLES<\/em><\/strong>.<\/p>\n\n\n\n<p>I was in shock at the implications. Of all the games I&#8217;ve hacked, the only time <em>ever<\/em> that I&#8217;ve seen anything other than float used for a coordinate&#8217;s value type was while hacking <em>Subnautica<\/em>. Even then, it was <em>only<\/em> the character&#8217;s coordinates <em>while they were on land<\/em>. In water, it reverted to using normal floats.<\/p>\n\n\n\n<p>That&#8217;s why I had thus far been unable to find the location coordinates! With renewed vigor, I redid all the previous steps, this time looking for doubles instead of floats. Not long after, I managed to find them!<\/p>\n\n\n\n<h3><span class=\"ez-toc-section\" id=\"Finding_a_Proper_Place_to_Hook_the_Player_Coordinates\"><\/span>Finding a Proper Place to Hook the Player Coordinates<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Now that I have found the coordinates, we of course want to be able to reliably find them again in the future. Therefore, it&#8217;s time to find a reliable bit of code accessing them that we can hook into. 
Looking at what was accessing the coordinates, I found the following instructions:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"865\" height=\"471\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/LocationPollingFunctions.png\" alt=\"Shows the instructions reading from our location coordinates.\" class=\"wp-image-1458\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/LocationPollingFunctions.png 865w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/LocationPollingFunctions-300x163.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/LocationPollingFunctions-768x418.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/LocationPollingFunctions-480x261.png 480w\" sizes=\"(max-width: 865px) 100vw, 865px\" \/><figcaption>A respectable number of instructions are reading our location coordinates.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Out of all of these instructions, the only one that was running constantly was the first one, highlighted above. All of the other instructions only seemed to be executing when the player was moving. For our purposes, we need to be able to detect the player&#8217;s location in memory at any given point in time, not just when we&#8217;re moving. This is mainly due to us having to filter out the player from being affected by the Predator system (otherwise the player will ZOOOOOM), etc.<\/p>\n\n\n\n<p>So, the only viable instruction to hook into from above is the first one. Unfortunately, the address being used to access the location in that instruction is aligned to be directly on top of the X coordinate. This is most likely not how the location structure is aligned in other parts of the program, in particular the code responsible for making creatures move. 
<\/p>\n\n\n\n<p>We&#8217;ll need to be able to do a straight compare between what&#8217;s moving and our player&#8217;s own coordinates in order to filter them out, so we&#8217;ll want to realign the structure prior to creating a pointer pointing to it.<\/p>\n\n\n\n<h3><span class=\"ez-toc-section\" id=\"Player_Location_Structure_Pointer_Creation_via_Injection\"><\/span>Player Location Structure Pointer Creation via Injection<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>This will be another simple hook, for the most part, and it will simply create a pointer that is pointing to what&#8217;s in <code>rax<\/code> after its address has been adjusted for proper alignment.<\/p>\n\n\n\n<h4><span class=\"ez-toc-section\" id=\"Player_Location_Structure_Hook\"><\/span>Player Location Structure Hook<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n<pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\n\/\/ Gets the player's location.\ndefine(omniPlayerLocationHook, &quot;witcher3.exe&quot; + 31A26D)\n\nassert(omniPlayerLocationHook, F2 0F 10 00 F3 0F 11 74 24 74)\nalloc(getPlayerLocation,$1000, omniPlayerLocationHook)\nalloc(playerLocation,8)\n\nregistersymbol(omniPlayerLocationHook)\nregistersymbol(playerLocation)\n\ngetPlayerLocation:\n  pushf\n  push rax\n  push rbx\n  mov rbx,playerLocation\n  sub rax,0x1B8\n  mov [rbx],rax\n  pop rbx\n  pop rax\ngetPlayerLocationOriginalCode:\n  popf\n  movsd xmm0,[rax]\n  movss [rsp+74],xmm6\n  jmp getPlayerLocationReturn\n\n\nomniPlayerLocationHook:\n  jmp getPlayerLocation\n  nop 5\ngetPlayerLocationReturn:\n<\/pre>\n\n\n<p>Again, a fairly simple hook. 
We adjust the location structure pointed to by <code>rax<\/code> by an amount of <code>0x1B8<\/code>, which I confirmed is the offset used in the movement code to access the coordinates.<\/p>\n\n\n\n<h3><span class=\"ez-toc-section\" id=\"On_the_Relationship_Between_Immediate_and_Actual_Position\"><\/span>On the Relationship Between Immediate and Actual Position<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Just because we found the actual position in memory for the character does not mean that the &#8220;immediate&#8221; value we were exploring earlier is useless to us. In fact, it is very much required. The immediate value, while confusingly not representing the <em>actual<\/em> value, is interpreted by the game to be the location in which the player last occupied for purposes of fall damage and movement, etc.<\/p>\n\n\n\n<p>That means if I boost the character up into the sky with the actual vertical position, and neglect to update the immediate &#8220;apparent&#8221; position, the character will fall to the ground and not suffer any wounds. The camera also doesn&#8217;t move correctly to track the character. This is because the game thinks that the character is actually still on the ground as their last position. We need to update both to achieve a true and total locational change.<\/p>\n\n\n\n<p>So, knowing this, we must create a hook for these particular &#8220;immediate&#8221; coordinate positions as well. While examining its data structure, I was delighted to see that it had an assigned name, meaning that RTTI was indeed present in the binary. Fabulous! Since the given name was <code>CPhysicsCharacterWrapper<\/code>, we shall call this new data structure the player&#8217;s &#8220;physics structure&#8221;. 
<\/p>\n\n\n\n<h4><span class=\"ez-toc-section\" id=\"Player_Physics_Structure_Hook\"><\/span>Player Physics Structure Hook<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n<pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\n\/\/ Gets the player's physics wrapper.\ndefine(omniPlayerPhysicsHook, &quot;witcher3.exe&quot; + 30FCA9)\n\nassert(omniPlayerPhysicsHook, 0F 2F 83 98 01 00 00)\nalloc(getPlayerPhysics,$1000, omniPlayerPhysicsHook)\nalloc(playerPhysics,8)\n\nregistersymbol(omniPlayerPhysicsHook)\nregistersymbol(playerPhysics)\n\ngetPlayerPhysics:\n  pushf\n  push rax\n  mov rax,playerPhysics\n  mov [rax],rbx\n  pop rax\ngetPlayerPhysicsOriginal:\n  popf\n  comiss xmm0,[rbx+00000198]\n  jmp getPlayerPhysicsReturn\n\nomniPlayerPhysicsHook:\n  jmp getPlayerPhysics\n  nop 2\ngetPlayerPhysicsReturn:\n<\/pre>\n\n\n<p>Excellent. I confirmed that I was able to send the player hurtling to their death by increasing both the source of truth vertical position and the immediate vertical position. <\/p>\n\n\n\n<p>Now that we have all these basic data types in hand, it&#8217;s time to see if we can&#8217;t find the root structure for the player.<\/p>\n\n\n\n<h2><span class=\"ez-toc-section\" id=\"On_the_Matter_of_the_Root_Structure\"><\/span>On the Matter of the Root Structure<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Up until now, the holy grail of data structures (the root structure for character entities) has eluded us. From all the data structures we&#8217;ve examined, it became painfully evident that these (most likely) child data structures had no knowledge of their parents (the structures containing them). There is nothing offensive or surprising about this; in fact I&#8217;ve always been surprised to not see more games following such a model. 
Nevertheless, it makes things a lot less convenient for us.<\/p>\n\n\n\n<p>When there are no direct links to a parent structure in a given data structure, the way to find said parent structure is to look at the code accessing the child data structure and see where and how that code is sourcing the child data structure&#8217;s address. Clearly, it must be sourcing it from a parent of some type, no?<\/p>\n\n\n\n<p>So with the vitals structure, for example, we take a look at the code accessing that, and soon see it&#8217;s being accessed via the <code>0x60<\/code> offset of some other structure:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"1024\" height=\"698\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure1-1024x698.png\" alt=\"Shows where the player vitals structure comes from.\" class=\"wp-image-1461\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure1-1024x698.png 1024w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure1-300x205.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure1-768x524.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure1-480x327.png 480w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure1.png 1031w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>The player vitals structure is living comfortably inside another one, being accessed by the highlighted instruction.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Taking a look at the parent data structure pointed to by <code>rsi<\/code>, we&#8217;re greeted with a new data structure, the <strong>W3AbilityManager<\/strong>:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"946\" height=\"674\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure2.png\" alt=\"Shows the 
W3AbilityManager structure, with the Vitals structure highlighted.\" class=\"wp-image-1462\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure2.png 946w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure2-300x214.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure2-768x547.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure2-480x342.png 480w\" sizes=\"(max-width: 946px) 100vw, 946px\" \/><figcaption>The W3AbilityManager, with our Vitals structure highlighted.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Is this the root structure for our player? Well, it could be, although the name is a bit strange for such a structure. Typically root structures will be named something with &#8220;Player&#8221; or &#8220;Entity&#8221; in the name or some such. The only way to find out is to see where this ability manager structure comes from.<\/p>\n\n\n\n<p>Long story short, I had issues finding the origin of this particular data structure and didn&#8217;t actually stumble onto the root structure until looking at how damage is handled in the game. It was actually rather random; I just took a random address stored in one of the registers, plopped it into the <em>Structure dissect<\/em> window, and saw that we found a new type: <strong>CR4Player<\/strong>. 
Definitely the root structure for a player.<\/p>\n\n\n\n<h3><span class=\"ez-toc-section\" id=\"Analyzing_the_Root_Player_Structure\"><\/span>Analyzing the Root Player Structure<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"942\" height=\"675\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure3.png\" alt=\"Shows the contents of the root player structure.\" class=\"wp-image-1463\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure3.png 942w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure3-300x215.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure3-768x550.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure3-480x344.png 480w\" sizes=\"(max-width: 942px) 100vw, 942px\" \/><figcaption>The contents of the root player structure.<\/figcaption><\/figure><\/div>\n\n\n\n<p>When I first started Omnifying games, I usually had trouble finding creature root structures. Since I started being able to find them, they&#8217;ve all been structured more or less as expected in each game I found them in. These data structures act as a <em>table of contents<\/em> of sorts for entities, containing static links that point to <em>topics of interests<\/em>, or in our case, other structures containing player-related data.<\/p>\n\n\n\n<p>So, after finding the root structure, I assumed I would be able to crawl down through it and find all other previously discovered structures, etc. However, this turned out to not be the case. I was first alerted to something amiss when trying to find the vitals structure from the root. 
<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"942\" height=\"675\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure4.png\" alt=\"Shows the &quot;character stats&quot; structure within our root structure.\" class=\"wp-image-1464\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure4.png 942w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure4-300x215.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure4-768x550.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure4-480x344.png 480w\" sizes=\"(max-width: 942px) 100vw, 942px\" \/><figcaption>At 0x1C0 inside the root structure, we see a CCharacterStats structure.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Nestled within our root structure, at offset <code>0x1C0<\/code>, we stumble upon a structure seemingly responsible for containing various player stats. Fantastic. If we go a bit deeper into this structure, we eventually stumble upon our much desired ability manager class.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"942\" height=\"751\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure5.png\" alt=\"Shows the incorrect ability manager structure found in the previous character stat\" class=\"wp-image-1465\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure5.png 942w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure5-300x239.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure5-768x612.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure5-480x383.png 480w\" sizes=\"(max-width: 942px) 100vw, 942px\" \/><figcaption>Here&#8217;s our ability manager, pointed to by the root structure. 
The various values for the vitals, however, are bad.<\/figcaption><\/figure><\/div>\n\n\n\n<p>As you might be able to tell from looking at the values in the Vitals structure, this is not actually our ability manager structure for our player. This is not good. How does the game figure out where in memory the ability manager is for a given creature then?<\/p>\n\n\n\n<p>Infuriated, I decided I had to reexamine how the code was getting our <strong>W3AbilityManager<\/strong> instance; something which I previously gave up on fully figuring out, due to code that was utterly confounding in how difficult it was to debug.<\/p>\n\n\n\n<h3><span class=\"ez-toc-section\" id=\"Tracking_Our_W3AbilityManager_Resolution\"><\/span>Tracking Our W3AbilityManager Resolution<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>How did the game acquire our ability manager? Typically, you would find it on a root structure. Not in the case of <em>The Witcher 3<\/em>. When I tried to see how it was coming up with the ability manager&#8217;s address before, I was led to a section of code that was very difficult to debug.<\/p>\n\n\n\n<p>It was difficult to debug because its purpose was very <em>generic<\/em> in that it was being used to resolve a plethora of data types. Not only that, but it was highly recursive, something I haven&#8217;t had to deal with much when reverse engineering. That means to actually figure out how something was getting resolved required basically guessing on the meaning behind particular register states and trying to break execution on the correct value or values of said registers.<\/p>\n\n\n\n<p>So, to start off, we looked at all the code accessing our ability manager&#8217;s address directly. 
This led us to this particular instruction:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"1024\" height=\"698\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure6-1024x698.png\" alt=\"Shows code directly accessing our ability manager.\" class=\"wp-image-1466\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure6-1024x698.png 1024w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure6-300x205.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure6-768x524.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure6-480x327.png 480w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure6.png 1031w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>This code is reading our ability manager from rcx, so where does rcx&#8217;s value come from?<\/figcaption><\/figure><\/div>\n\n\n\n<p>Figuring out where <code>rcx<\/code> comes from here is very difficult. If you look at the stack, you&#8217;ll see we&#8217;re in the middle of a recursive call chain, with who knows how many various jumps and other function calls between each of them. 
Going up a single level on the stack leads us to an <em>oh-so-lovely<\/em> dynamically addressed function call, which makes things even more difficult.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"1024\" height=\"698\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure7-1024x698.png\" alt=\"Shows code at the top of this recursive property lookup scheme.\" class=\"wp-image-1467\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure7-1024x698.png 1024w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure7-300x205.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure7-768x524.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure7-480x327.png 480w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure7.png 1031w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>A dynamically addressed function is called here at the start of the lookup. What are the register states to filter on?<\/figcaption><\/figure><\/div>\n\n\n\n<p>This function here is actually called at the very start of this long chain of recursive function calls, and it is executed for <em>a ton of things<\/em>. We had to <em>hope<\/em> that some kind of register state existed that we could break on. One thing I did notice while debugging this is that the <code>r12<\/code> register appeared to be our root structure (not in the above photo, that is just a random breakpoint hit)! So, we could at least filter on data requests for our own character.<\/p>\n\n\n\n<p>So what I did then is add a breakpoint with a condition just for our root structure, and then I hit the <strong>Run<\/strong> button until the ability manager access occurred. 
This is a rather&#8230;primitive way to do things, and it requires a near-perfect photographic memory, but luckily I managed to notice that the <code>rax<\/code> register was <code>0x1C<\/code> before the ability manager was accessed.<\/p>\n\n\n\n<p>Ah hah! It would appear, then, that <code>rax<\/code> is used as a data discriminator value, provided to this &#8220;lookup function&#8221; in order to tell it what type of data to retrieve. And, it seems <code>0x1C<\/code> is the code for ability manager lookups.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"1024\" height=\"698\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure8.Actual-1024x698.png\" alt=\"Shows execution stopped at lookup start with proper data discriminator for ability manager.\" class=\"wp-image-1472\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure8.Actual-1024x698.png 1024w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure8.Actual-300x205.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure8.Actual-768x524.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure8.Actual-480x327.png 480w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure8.Actual.png 1031w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>It appears that rax is used as a data discriminator, and 0x1C indicates the ability manager.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Each time this breakpoint hit, execution would immediately shift to the ability manager access. Perfect! We found the perfect place to do a big ol&#8217; execution trace. So that&#8217;s what I did. 
I ran a trace of 10,000 instructions, conditioned to fire only when <code>rax<\/code> was <code>0x1C<\/code> and <code>r12<\/code> was my root structure address, then delved deep into it and discovered the magic sauce.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"945\" height=\"650\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure9.png\" alt=\"Shows a gigantic execution trace from the lookup start, and the magic sauce therein.\" class=\"wp-image-1469\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure9.png 945w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure9-300x206.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure9-768x528.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure9-480x330.png 480w\" sizes=\"(max-width: 945px) 100vw, 945px\" \/><figcaption>Here&#8217;s the magic sauce baby. Thousands of instructions from the start.<\/figcaption><\/figure><\/div>\n\n\n\n<p>It was buried deep in the trace, but I actually managed to figure out how the hell the game was looking up creature data! If you&#8217;ll look at the above picture, you&#8217;ll see that <code>rcx<\/code> has our root structure for the player, and that we&#8217;re adding the value stored in <code>r8<\/code> to the value stored at <code>0x20<\/code> in that root structure. <\/p>\n\n\n\n<p>The value in <code>r8<\/code> comes from another structure, and specifically from offset <code>0x20<\/code> in it. 
That structure, it turns out, is a property definition structure named <strong>CProperty<\/strong>:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"928\" height=\"711\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure9.5.png\" alt=\"Shows the property definition class for our ability manager property.\" class=\"wp-image-1471\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure9.5.png 928w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure9.5-300x230.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure9.5-768x588.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure9.5-480x368.png 480w\" sizes=\"(max-width: 928px) 100vw, 928px\" \/><figcaption>This is a property definition for our ability manager property.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Very interesting! It appears that the value being read from this structure is an offset to add on to a base property address stored in our root player structure, so I named the field shown above at <code>0x20<\/code> as the <strong>Property Offset<\/strong>. If you scroll up to the original root player structure image I provided, you&#8217;ll see that I named the field at <code>0x20<\/code> as the <strong>Property Base<\/strong>.<\/p>\n\n\n\n<p>After adding the offset to the base property address we get <code>0x16D66D943F8<\/code>. So what the hell is this? 
It is an unnamed structure, but it contains the goods.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"946\" height=\"847\" src=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure10.png\" alt=\"Shows the contents of the resolved data structure for our ability manager.\" class=\"wp-image-1470\" srcset=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure10.png 946w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure10-300x269.png 300w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure10-768x688.png 768w, https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/RootStructure10-480x430.png 480w\" sizes=\"(max-width: 946px) 100vw, 946px\" \/><figcaption>Here it is folks. The actual data manager, resolved by applying the defined property offset to our root structure&#8217;s property base address.<\/figcaption><\/figure><\/div>\n\n\n\n<p>And there it is! This is how the game resolves properties dynamically. Not going to lie, I&#8217;m a bit proud of myself for figuring it out!<\/p>\n\n\n\n<h3><span class=\"ez-toc-section\" id=\"Player_Root_Structure_Pointer_Creation_via_Injection\"><\/span>Player Root Structure Pointer Creation via Injection<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>While analyzing the <strong>CR4Player<\/strong> struct I came across a few (actually quite a few) instructions accessing it. After going through a number of them I found one that was dedicated to only accessing our own struct. By the by, the name for the struct when it belongs to an NPC appears to be <strong>CNewNPC<\/strong>. 
We&#8217;ll verify that later&#8230;<\/p>\n\n\n\n<h4><span class=\"ez-toc-section\" id=\"Player_Root_Structure_Hook\"><\/span>Player Root Structure Hook<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n<pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\n\/\/ Gets the player's root structure.\ndefine(omniPlayerHook,&quot;witcher3.exe&quot;+AB139)\n\nassert(omniPlayerHook,48 8B 01 48 8D 54 24 60)\nalloc(getPlayer,$1000,omniPlayerHook)\nalloc(player,8)\n\nregistersymbol(omniPlayerHook)\nregistersymbol(player)\n\ngetPlayer:\n  pushf\n  push rax\n  mov rax,player\n  mov [rax],rcx\n  pop rax\ngetPlayerOriginalCode:\n  popf\n  mov rax,[rcx]\n  lea rdx,[rsp+60]\n  jmp getPlayerReturn\n\nomniPlayerHook:\n  jmp getPlayer\n  nop 3\ngetPlayerReturn:\n<\/pre>\n\n\n<p>Given the number of steps required to calculate addresses of other data types from the root structure, we will keep the other hooks we defined earlier in the article for purposes of convenience.<\/p>\n\n\n\n<h2><span class=\"ez-toc-section\" id=\"A_Fantastic_Initial_Look_Into_Witcher_3\"><\/span>A Fantastic Initial Look Into Witcher 3<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>This article was written live on my <a href=\"https:\/\/twitch.tv\/omni\" target=\"_blank\" rel=\"noreferrer noopener\">stream<\/a>. Thanks to everyone who kept me company during the start of the new journey!<\/p>\n\n\n\n<p>I am also extremely pleased to announce that I have completely changed the &#8220;tooling&#8221; behind my hacks &#8212; all work on the hacks is now done through a single editor: VS Code. I have reorganized the hacks so that the assembly code is completely separated from the Cheat Engine tables &#8212; we now have a &#8220;boilerplate&#8221; Cheat Engine table file that I just copy and paste between games. 
The Omnified framework code is also now in a common location that all games will be referencing.<\/p>\n\n\n\n<p>This means my live hacking workspace is ready to be able to be checked into <a href=\"https:\/\/github.com\/BadEcho\/core\" target=\"_blank\" rel=\"noreferrer noopener\">source control<\/a>! I&#8217;ll post an announcement on that soon. <\/p>\n\n\n\n<p>Next up for <em>The Witcher 3<\/em> is the implementation of my <a href=\"https:\/\/badecho.com\/index.php\/2020\/10\/19\/apocalypse-system\/\" target=\"_blank\" rel=\"noreferrer noopener\">Apocalypse system<\/a>! I cannot wait. This <a href=\"https:\/\/badecho.com\/index.php\/what-is-omnified\/\" target=\"_blank\" rel=\"noreferrer noopener\">Omnified<\/a> game is truly going to be something else. Pay attention to the latest <a href=\"https:\/\/badecho.com\/index.php\/tag\/schedule\/\" target=\"_blank\" rel=\"noreferrer noopener\">scheduling updates<\/a> to know when you&#8217;ll be able to catch me online, or simply join my <a href=\"https:\/\/discord.gg\/omni\" target=\"_blank\" rel=\"noreferrer noopener\">Discord server<\/a> to get real time go-live notifications.<\/p>\n\n\n\n<p>Until next time, take care!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, we start the the Omnification of The Witcher 3! This has been one of my favorite games to have [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[9,60],"tags":[24,22],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v14.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\r\n<title>Hacking The Witcher 3 - Part 1 (Data Structure Analysis) - omni&#039;s hackpad<\/title>\r\n<meta name=\"description\" content=\"Time to Omnify one of my favorite recent games: The Witcher 3. 
We&#039;ll start by looking at basic data structures and doing some simple hacks.\" \/>\r\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\r\n<link rel=\"canonical\" href=\"https:\/\/badecho.com\/index.php\/2021\/04\/04\/hacking-witcher-part-1\/\" \/>\r\n<meta property=\"og:locale\" content=\"en_US\" \/>\r\n<meta property=\"og:type\" content=\"article\" \/>\r\n<meta property=\"og:title\" content=\"Hacking The Witcher 3 - Part 1 (Data Structure Analysis) - omni&#039;s hackpad\" \/>\r\n<meta property=\"og:description\" content=\"Time to Omnify one of my favorite recent games: The Witcher 3. We&#039;ll start by looking at basic data structures and doing some simple hacks.\" \/>\r\n<meta property=\"og:url\" content=\"https:\/\/badecho.com\/index.php\/2021\/04\/04\/hacking-witcher-part-1\/\" \/>\r\n<meta property=\"og:site_name\" content=\"omni&#039;s hackpad\" \/>\r\n<meta property=\"article:published_time\" content=\"2021-04-04T22:26:33+00:00\" \/>\r\n<meta property=\"article:modified_time\" content=\"2021-06-07T02:37:34+00:00\" \/>\r\n<meta property=\"og:image\" content=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/WitcherLogo-e1617575127960.png\" \/>\r\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\r\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/badecho.com\/#website\",\"url\":\"https:\/\/badecho.com\/\",\"name\":\"omni&#039;s hackpad\",\"description\":\"Game Code Disassembly. Omnified Modification. 
Madness.\",\"publisher\":{\"@id\":\"https:\/\/badecho.com\/#\/schema\/person\/3de67496328be7ae6e1f52faf582e9d2\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/badecho.com\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/badecho.com\/index.php\/2021\/04\/04\/hacking-witcher-part-1\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/04\/WitcherLogo-e1617575127960.png\",\"width\":366,\"height\":181},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/badecho.com\/index.php\/2021\/04\/04\/hacking-witcher-part-1\/#webpage\",\"url\":\"https:\/\/badecho.com\/index.php\/2021\/04\/04\/hacking-witcher-part-1\/\",\"name\":\"Hacking The Witcher 3 - Part 1 (Data Structure Analysis) - omni&#039;s hackpad\",\"isPartOf\":{\"@id\":\"https:\/\/badecho.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/badecho.com\/index.php\/2021\/04\/04\/hacking-witcher-part-1\/#primaryimage\"},\"datePublished\":\"2021-04-04T22:26:33+00:00\",\"dateModified\":\"2021-06-07T02:37:34+00:00\",\"description\":\"Time to Omnify one of my favorite recent games: The Witcher 3. 
We'll start by looking at basic data structures and doing some simple hacks.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/badecho.com\/index.php\/2021\/04\/04\/hacking-witcher-part-1\/\"]}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/badecho.com\/index.php\/2021\/04\/04\/hacking-witcher-part-1\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/badecho.com\/index.php\/2021\/04\/04\/hacking-witcher-part-1\/#webpage\"},\"author\":{\"@id\":\"https:\/\/badecho.com\/#\/schema\/person\/3de67496328be7ae6e1f52faf582e9d2\"},\"headline\":\"Hacking The Witcher 3 &#8211; Part 1 (Data Structure Analysis)\",\"datePublished\":\"2021-04-04T22:26:33+00:00\",\"dateModified\":\"2021-06-07T02:37:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/badecho.com\/index.php\/2021\/04\/04\/hacking-witcher-part-1\/#webpage\"},\"publisher\":{\"@id\":\"https:\/\/badecho.com\/#\/schema\/person\/3de67496328be7ae6e1f52faf582e9d2\"},\"image\":{\"@id\":\"https:\/\/badecho.com\/index.php\/2021\/04\/04\/hacking-witcher-part-1\/#primaryimage\"},\"keywords\":\"Hacking,Omnifying\",\"articleSection\":\"Games,Witcher 3\",\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/badecho.com\/#\/schema\/person\/3de67496328be7ae6e1f52faf582e9d2\",\"name\":\"Matt Weber\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/badecho.com\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/7e345ac2708b3a41c7bd70a4a0440d41?s=96&d=mm&r=g\",\"caption\":\"Matt Weber\"},\"logo\":{\"@id\":\"https:\/\/badecho.com\/#personlogo\"}}]}<\/script>\r\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/posts\/1442"}],"collection":[{"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/comments?post=1442"}],"version-history":[{"count":7,"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/posts\/1442\/revisions"}],"predecessor-version":[{"id":1476,"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/posts\/1442\/revisions\/1476"}],"wp:attachment":[{"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/media?parent=1442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/categories?post=1442"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/tags?post=1442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}