[Help] How do I send orders to units without a desync?

[Mr Nukealizer]

Ok, so I'm working on a bot for micromanaging units. And I was wondering how to have it give orders without using the mouse or keyboard or going out of sync. I don't care what it looks like in a replay, as long as it doesn't cause a desync or get detected by Warden. I'm currently trying to make it work as an external program, but I don't mind if I have to inject some code to make this work. My idea of what needs happen is to have it call some function in the game that is normally triggered by user input, or change some memory location that stores the current order. But if I'm wrong, please tell me.

[longx]

Yes best way is via function calling

First you need to find the function you want to use, then figure out function types and parameters, then write the codes to call them, then compile the DLL, and lastly inject the DLL into the sc2 process to use it

oh and since it's internal you need to make sure you are safe from Warden, although if you do not modify any offsets and don't make any hooks and keep it private then you should be safe.

[Mr Nukealizer]

Yes best way is via function calling

First you need to find the function you want to use, then figure out function types and parameters, then write the codes to call them, then compile the DLL, and lastly inject the DLL into the sc2 process to use it

oh and since it's internal you need to make sure you are safe from Warden, although if you do not modify any offsets and don't make any hooks and keep it private then you should be safe.

Ok, thanks for confirming my thoughts. Now I still need to figure out what function... Which would have been much easier if not for the update right when I was getting close

[longx]

someone once taught me to make use of sc2's own galaxy documentations, for example like this file:

[C] Starcraft 2 natives.galaxy [patch 1.4] - Pastebin.com

(you can use MPQ editor to retrieve the latest version yourself)

in the above file you can see there is:

Code:

// Unit orders
const int c_orderQueueReplace       = 0;
const int c_orderQueueAddToEnd      = 1;
const int c_orderQueueAddToFront    = 2;
native order    UnitOrder (unit inUnit, int inIndex);
native int      UnitOrderCount (unit inUnit);
native bool     UnitOrderHasAbil (unit inUnit, string abilLink);
native bool     UnitOrderIsValid (unit inUnit, order inOrder);
native bool     UnitIsHarvesting (unit inUnit, int inResource);
 native bool     UnitIssueOrder (unit inUnit, order inOrder, int inQueueType);

looks like those are galaxy functions deals with issuing orders, now you can go into game code and r/e (reverse engineering) those functions and figure out how it is done

and here is a GREAT resource on how to dump the galaxy functions, made by crash_man and rolle3k, it gives you the address of each galaxy function that you want to work on:
http://www.blizzhackers.cc/viewtopic...540e70c8834503

from there you see:

Code:

0x00B89A20->UnitIssueOrder

so now just go into sc2.exe and study the function at 0xB89A20, see how it's done, and write code to do it yourself

--this is just one of the many methods to do this, it takes some effort and time and of course also r/e skills, there are few people here are very knowledgeable on this area, if they want to help

[Mr Nukealizer]

Thanks for the info about the documentation! What MPQ is that in? I was already working on UnitIssueOrder(), but it seems that for the same order, it gets different data for inOrder every time within the same game. However if I start a new game, it gets the same values in the same order. But even if I give it the same data in the same order, the function returns true, but it does nothing. And looking at Order() it appears the input is not a string and int like the trigger editor shows ( Order("stop",0) ), but is actually the output from the last time the function was run.

EDIT: Also, you have the 1.4.1 offsets. UnitIssueOrder is now 0x00B24420.
EDIT 2: LOL I think I see the problem now that I look at the documentation......
EDIT 3: Yes, I see why my approach didn't work. Now the problem seems to be creating a new string in SC2's variable list and possibly keeping it around long enough to get the ability data, then possibly keeping the ability data long enough to use it.

[ValiantChaos]

When searching for something try to use things that you think will be related and close to what your trying to find, my explanation is bad I know, probably don't make sense. Anyways, what longx provided with the galaxy function for UnitIssueOrder is a start, however I probably wouldn't work with that.

You know when issuing a unit command you get error messages, if you have already found this function or perhaps you should then you can backtrace from there until your out of the error handling stuff and can start checking the functions under the call and where the code would skip and jump over if a unit error message was to appear.

If you have no luck there maybe search for something else first that you think will help you locate what you need, obviously there is some global command send function for selections, groups, commands, camera movement etc which this SendUnitCommand( ) would also call. So perhaps find one of them other functions first, for select units function start with something like your selection count, search for that with a memory editor tool and set some breakpoints on your results. One of them results is likely to be accessed when you select a unit, so the breakpoint should put you in the select units function and from there do some backtracing until you have the start of function. Once you have that you can start from top and nop a bunch of calls until you narrow it down to the one that has the effect you want, in this case selecting any unit and trying to command it will not work. Now set a breakpoint inside this call at start of function and try to command a unit, it will most likely trigger your debug breakpoint and the calling function will be what your looking for or you may need to step out a few more times.

^ That's what I mean by the first part of this post, search for something else first and use that if you think it can help you in locating what you need.

I can say the function you want is a fastcall and takes a struct for the first arg with all the unit command information which is like 38bytes in length.

[longx]

haha mass NOP FTW


I should remind you thou, do all the analysis offline (at login screen, select "Play as guest"),
chances are you will be working at sensitive functions/offsets, and you could well get flagged by warden during r/e

PS: just by setting up break point you actually make modifications to the memory, e.g. if you put bp at a detected offset you will get banned

[ValiantChaos]

Suppose you can avoid NOP'ing some calls if the function doesn't appear to be capable of doing what your searching for, and follow the conditional jumps to speed things up. Also don't forgot to adjust the stack if your NOP'ing functions that pushed args onto the stack, probably already knew that but in case you didn't.

[Mr Nukealizer]

Ok, thanks for all the help! When clicking to make a unit move, I have traced from the pointer to a unit's current order all the way up to the main loop. Now I'm planning on doing the same when a trigger makes it move and see what they have in common, then work from there. My main problem is that I'm a bit of a noob to assembly. I'm learning but current I rely quite a bit on the Hex-Rays decompiler in IDA, and it seems to have some issues with function signatures; several functions have been called as void** __stdcall(DWORD,DWORD), yet when I decompile those functions they're int __thiscall(void* this,int a1,int a2) and many other times the return value is not used in the decompiled view, but they obviously use EAX later in the function.
So what should I do? Should I just try to make sense of it in pure assembly, or is there a way to fix the issues with the decompiler?

[longx]

r/e is a heavily personalized task, since it is not exactly a "textbook" topic so many people just do it with their own methods and tricks, and pick up different things on the road

i know some people like to use hex-rays to study decompiled function, and some use purely olly, i dont think one is better then another, all have its up and downs

the guy who showed me how he uses hex-rays, you could double click on variable name (for example, a1, a2) and rename them, and all a1/a2 will be renamed altogether in the code, so your goal is to decode function calls from " __thiscall(void* this,int a1,int a2)" to " __thiscall(void* this,int unit_number,int order_type)", after you figure out what the function parameters are, and then look at how the functions are used, then things will be clear

curious how VC does his r/e work