After much work, I have a preview version ready for testing.
Warning: Buggy, unoptimized and still missing features :tongue:

Watch the video or you may miss a few features like how to reorder the classes.

I'm looking for feedback on what features you would like added, how to make things work smoother, bugs etc...

After all features are stable, it may be another 4 years before the next version :redface:

PS:
You can import the old reclass.rdc files

Known Issues:
Array/Instance will shift offsets...have to manually fix for now.
Memory Leaks
Missing Features (debug/search)


BETA1/2/3/4/5/6: - REMOVED
BETA7: - Current

Download Latest Version:
http://gameanarchy.co/files/ReClass2011_beta74.rar
http://gameanarchy.co/files/ReClass2011_beta73.rar
http://gameanarchy.co/files/ReClass2011_beta72.rar

*Video if wanted
http://gameanarchy.co/files/Video.rar


*i'll upload the final to the forums since this is just a preview

(Jun 10, 2012) EDIT:
I never really finished or cleaned up the code...Since I don't plan to update, here is the source code:
http://gameanarchy.co/files/ReClass2011_SourceCode.rar


Coded Using:
MFC, tinyXML, SQLite, BeaEngine, Scintilla

The beta looks pretty goddamn awesome, can't wait for the final release.

thank you, i love that tool!

Awesome!

I've stickied the topic, so feel free to use this thread to post updates.

Hum I just tried it out, and I can't get to open a process... The button isn't bringing up the list of processes.

Yes I'm running it in admin.

PS:: Running Windows 7 x86

Hum I just tried it out, and I can't get to open a process... The button isn't bringing up the list of processes.

Yes I'm running it in admin.

PS:: Running Windows 7 x86

i'm testing on Win7 64bit...most likely a bug in my 32bit process detection.
also found i'm using a function not available on XP (QueryFullProcessImageName)

Next beta i'll test on XP 32bit, Win7 32/64 before release. (fuck vista :) )

Edit:
confirmed not working on Win7 32bit, next beta...you can still play around, just not with a "live" process

Fixed Check for 32bit?...



typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
LPFN_ISWOW64PROCESS fnIsWow64Process;
BOOL is32Bit(HANDLE hProcess)
{
fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandle(TEXT("kernel32")),"IsWow64Process");
if (!fnIsWow64Process) return TRUE;//WTF update, assume 32bit noob

BOOL bIs64BitOS = FALSE;
fnIsWow64Process(GetCurrentProcess(),&bIs64BitOS);//are we running as a 32bit in a 64bit OS (assume we compiled as a 32bit process)
if (bIs64BitOS)
{
BOOL bIs32Bit;
fnIsWow64Process(hProcess,&bIs32Bit);//is this 32bit process in a 64bit OS?
return bIs32Bit;
}
else
return TRUE;// 32bit OS, so it's a 32bit process
}

now using GetModuleFileNameEx so it works on XP...

*original post updated with new link

tested now on XP, Win 7 32/64


*Also added manifest so it will ask to run as admin

http://screensnapr.com/v/e4jibo.png

This is a problem...

It works well on Windows 7 x86 now. One behavior I would rather see is inserting AFTER the position of your line. Right now, the new insertions are done before the selected line. The problem with that is that if you're selected on the last lane, there's no way of adding a new line after unless you use the small arrow icon.

Outstanding, I'll try to use it as much as possible and report bugs if I find any.

mattdog, i'll check that out


updated some:
Better Editor
-Color Coded
-Added File open/save
Hover Tips
-Multi Select info
-Disassemble Function pointers
other small fixes

Download Beta 3:
http://gameanarchy.co/files/ReClass2011_beta3.rar

*Video if wanted
http://gameanarchy.co/files/Video.rar

this is madness (http://i56.tinypic.com/14mbf2a.jpg) :P i think old dlg is better than this 'menu'

Fixed Check for 32bit?...



typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
LPFN_ISWOW64PROCESS fnIsWow64Process;
BOOL is32Bit(HANDLE hProcess)
{
fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandle(TEXT("kernel32")),"IsWow64Process");
if (!fnIsWow64Process) return TRUE;//WTF update, assume 32bit noob

BOOL bIs64BitOS = FALSE;
fnIsWow64Process(GetCurrentProcess(),&bIs64BitOS);//are we running as a 32bit in a 64bit OS (assume we compiled as a 32bit process)
if (bIs64BitOS)
{
BOOL bIs32Bit;
fnIsWow64Process(hProcess,&bIs32Bit);//is this 32bit process in a 64bit OS?
return bIs32Bit;
}
else
return TRUE;// 32bit OS, so it's a 32bit process
}

now using GetModuleFileNameEx so it works on XP...

*original post updated with new link

tested now on XP, Win 7 32/64


*Also added manifest so it will ask to run as admin

If you want to check whether the user is running a 32-bit or 64-bit OS please use GetNativeSystemInfo. IsWoW64Process is useful for detecting whether a 32-bit process is running under WoW64, however it is not suitable for OS architecture detection.

This would be awesome:

The user is able to write down a table with names and values he already knows like:

sName | "blarandom"
iHealth | 100
iAmmo | 27
fPos_x | 200.77

...

Reclass begins to search this values in the current class. If it finds a value, it gives the value the correct name+size.
This would be usefull for games where you already know many information.

Updated to beta 4:

Added missing icons
Added Hover over hex types
Added Function Pointer Assembly Snapshot
*useful for comparing if functions match after a patch
Added display for matrix

Great release bro, I wondered if/when this would ever be released, Alot of great new features and love the new design, Great Job DC.

good job, very nice designer
tnx

Looks pretty nice, good job!

Good to see your still active :-)

Suggestion:
Not being familiar with the previous version, I found it hard to edit the structure (e.g. rename members, remove members) and set addresses.
I think what would have helped me would be a context menu for right-clicking that could do things like change type, etc.

This is a welcome update!

keep up good work ;)

Fixed - All settings now saved
Fixed - Taskbar Preview in Vista/Win7
Added - Topmost
Added - Resize Left/Right
Added - Assembly Snapshot for functions
*Very useful for checking vtable functions match after game patches
Other fixes and tweaks

*First Post updated with links

WishList:

1. Have an option to make EVERYTHING in 'hexidecimal'
2. Provide offsets on each line for where you are in the class
3. Have the 'unknown' areas refer to these offsets.

Here's an example of a VERY old thing I did with Aion back when I thought I might want to play it...


// Size: 0x458 (1.0.5.8)
class IEntity
{
public:

#pragma region VirtualFunctions
virtual char* GetLUAClassName();
virtual void vFunction04();
virtual void vFunction08();
virtual void vFunction0c();
virtual char* GetName();
virtual void vFunction14();
virtual void vFunction18();
virtual void vFunction1c();
virtual void vFunction20();
virtual void vFunction24();
virtual void DrawEntity(DWORD Unknown0);
virtual void vFunction2c();
virtual void vFunction30();
virtual void vFunction34();
virtual void vFunction38();
virtual void vFunction3c();
virtual void vFunction40();
virtual void vFunction44();
virtual void vFunction48();
virtual void vFunction4c();
virtual void vFunction50();
virtual void vFunction54();
virtual void vFunction58();
virtual void vFunction5c();
virtual void vFunction60();
virtual void vFunction64();
virtual void vFunction68();
virtual void vFunction6c();
virtual void vFunction70();
virtual void vFunction74();
virtual void vFunction78();
virtual void vFunction7c();
virtual void vFunction80();
virtual void vFunction84();
virtual void vFunction88();
virtual void vFunction8c();
virtual void vFunction90();
virtual void vFunction94();
virtual void vFunction98();
virtual void vFunction9c();
virtual void vFunctiona0();
virtual void vFunctiona4();
virtual void vFunctiona8();
virtual void vFunctionac();
virtual void vFunctionb0();
virtual void vFunctionb4();
virtual void vFunctionb8();
virtual void vFunctionbc();
virtual void vFunctionc0();
virtual void vFunctionc4();
virtual void vFunctionc8();
virtual void vFunctioncc();
virtual void vFunctiond0();
virtual void vFunctiond4();
virtual void vFunctiond8();
virtual void vFunctiondc();
virtual void vFunctione0();
virtual void vFunctione4();
virtual void vFunctione8();
virtual void vFunctionec();
virtual void vFunctionf0();
virtual void vFunctionf4();
virtual void vFunctionf8();
virtual void vFunctionfc();
virtual void vFunction100();
virtual void vFunction104();
virtual void vFunction108();
virtual void vFunction10c();
virtual void vFunction110();
virtual void vFunction114();
virtual void vFunction118();
virtual void vFunction11c();
virtual void vFunction120();
virtual void vFunction124();
virtual void vFunction128();
virtual void vFunction12c();
virtual short GetEntityID();
virtual void vFunction134();
virtual void vFunction138();
virtual void Update(DWORD &updateContext); //virtual void Update( SEntityUpdateContext &updateContext )
virtual void Reset();
virtual bool GetNetPresence();
virtual void SetNetPresence(bool bPresent);
virtual void SetName(char *Name);
virtual void SetLUAClassName(char *Name);
virtual void GetEntityDesc(CEntityDesc &desc);
virtual void GetHelperPosition(const char *helper, Vec3 &pos, bool objectspace = false);
virtual unsigned short GetClassId();
virtual void SetClassId(unsigned short ID);
virtual void Shutdown();
virtual bool IsGarbage();
virtual int GetObjectFlags(int nSubObj);
virtual void SetFlags(unsigned int flags);
virtual void ClearFlags(unsigned int flags);
virtual unsigned int GetFlags();
virtual IEntityCamera* GetCamera();
virtual void SetCamera(IEntityCamera *cam);
virtual void vFunction184();
virtual void vFunction188();
virtual void vFunction18c();
virtual void SendScriptEvent(int EventID, void *IScriptObjectParameter, bool *pRet=NULL); // virtual void SendScriptEvent(enum EScriptEventId Event, IScriptObject *pParamters, bool *pRet=NULL)
virtual void SendScriptEvent(int EventID, const char *str, bool *pRet=NULL); // virtual void SendScriptEvent(enum EScriptEventId Event, const char *str, bool *pRet=NULL )
virtual void SendScriptEvent(int EventID, int nParam,bool *pRet=NULL); // virtual void SendScriptEvent(enum EScriptEventId Event, int nParam, bool *pRet=NULL )
virtual void vFunction19c();
virtual void vFunction1a0();
virtual void vFunction1a4();
virtual void vFunction1a8();
virtual void vFunction1ac();
virtual void vFunction1b0();
virtual void vFunction1b4();
virtual void vFunction1b8();
virtual void vFunction1bc();
virtual bool LoadVehicle(const char *objfile, void *pparts, void *params, bool nDestroy = false); // virtual bool LoadVehicle(const char *objfile, pe_cargeomparams *pparts, pe_params_car *params,bool bDestroy=false)
virtual bool LoadBoat(const char *objfile, float mass, int SurfaceID);
virtual void vFunction1c8();
virtual bool LoadObject(unsigned int slot, const char *filename, float scale, const char *geoName=NULL);
virtual bool GetObjectPos(unsigned int slot, Vec3 &pos);
virtual bool SetObjectPos(unsigned int slot, Vec3 &pos);
virtual bool GetObjectAngles(unsigned int slot, Vec3 &ang);
virtual bool SetObjectAngles(unsigned int slot, Vec3 &ang);
virtual void LoadBreakableObject(const char *fileName);
virtual bool SetEntityObject(unsigned int slot, const CEntityObject &object);
virtual bool GetEntityObject(unsigned int slot, CEntityObject &object);
virtual int GetNumObjects();
virtual DWORD GetIStatObj(unsigned int pos); // struct IStatObj *GetIStatObj(unsigned int pos)
virtual DWORD GetIStatObj2(unsigned int pos);
virtual void PlaySound(void *pSound, float fSoundScale, Vec3 &offset); // void PlaySound(ISound *pSound, float fSoundScale, Vec3 &Offset)
virtual void DrawObject(unsigned int pos, int mode);
virtual void DrawObject(int mode);
virtual void DrawCharacter(int pos, int mode);
virtual void NeedsUpdateCharacter(int pos, bool updt);
virtual void SetBBox(Vec3 &mins, Vec3 &maxs);
virtual void GetBBox(Vec3 &mins, Vec3 &maxs);
virtual void InvalidateBBox();
virtual void TrackColliders(bool Enable);
virtual bool CreateParticleEntity(float size, float mass, Vec3 heading, float acc_thrust=0, float k_air_resistance=0, float acc_lift=0, float gravity=9.8, int surface_idx=0, bool bSingleContact=true);
virtual void SetPos(const Vec3 &pos, bool bWorldOnly);
virtual void vFunction224();
virtual void SetAngles(const Vec3 &pos, bool bNotifyContainer=true,bool bUpdatePhysics=true, bool forceInWorld=false);
virtual void SetScale(float Scale);
virtual void SetRadius(float r);
virtual float GetRadius();
virtual void vFunction238();
virtual void vFunction23c();
virtual void Sleep(bool bSleep);
virtual void SetNeedUpdate(bool needUpdate);
virtual bool NeedUpdate();
virtual void vFunction24c();
virtual void SetUpdateRadius(float fUpdateRadius);
virtual float GetUpdateRadius();
virtual void ForceRegisterInSectors();
virtual bool IsMoving();
virtual bool IsBound();
virtual void Bind(short id, unsigned char cBind=0, const bool bClientOnly=false, const bool bSetPos=false);
virtual void UnBind(short id, unsigned char cBind, const bool bClientOnly=false);
virtual void ForceBindCalculation(bool bEnable);
virtual void SetParentLocale(DWORD &matParent); // void SetParentLocale(const Matrix44 &matParent)
virtual void CalculateInWorld();
virtual void AttachToBone(short id, const char* boneName);
virtual unsigned long AttachObjectToBone(int slot, const char* boneName, bool bMultipleAttachments=false, bool bUseZOffset=false);
virtual void DetachObjectToBone(const char* boneName, unsigned long objectBindHandle=-1);
virtual void SetScriptObject(void* pObject); // void SetScriptObject(IScriptObject *pObject)
virtual void* GetScriptObject(); // IScriptObject* GetScriptObject();
virtual bool Write(DWORD CStream, void* EntityCloneState=NULL); // bool Write(CStream&,EntityCloneState *cs=NULL)
virtual bool Read(DWORD CStream, bool bNoUpdate=false); // bool Read(CStream&,bool bNoUpdate=false)
virtual bool PostLoad();
virtual bool Save(DWORD CStream, void* IScriptObject=NULL); // Save(CStream &stm,IScriptObject *pStream=NULL) = 0;
virtual bool Load(DWORD CStream, void* IScriptObject=NULL); // Load(CStream &stm,IScriptObject *pStream=NULL) = 0;
virtual bool LoadRELEASE(DWORD CStream, void* IScriptObject=NULL); // LoadRELEASE(CStream &stm,IScriptObject *pStream=NULL) = 0;
virtual bool LoadPATCH1(DWORD CStream, void* IScriptObject=NULL); // LoadPATCH1(CStream &stm,IScriptObject *pStream=NULL) = 0;
virtual void SetContainer(CEntityContainer *pContainer);
virtual IEntityCharacter* GetCharInterface();
virtual bool StartAnimation(int pos, const char *animname, int iLayerID=0, float fBlendTime=1.5f, bool bStartWithLayer0Phase=false);
virtual void SetAnimationSpeed(float scale=1.0f);
virtual int GetCurrentAnimation(int pos, int iLayerID);
virtual void vFunction2bc();
virtual void vFunction2c0();
virtual void vFunction2c4();
virtual void vFunction2c8();
virtual void vFunction2cc();
virtual void vFunction2d0();
virtual bool IsAnimationPresent(int pos, const char *animation);
virtual void ResetAnimations(int pos);
virtual void ResetAnimations2(int pos);
virtual void vFunction2e0();
virtual void vFunction2e4();
virtual void vFunction2e8();
virtual void vFunction2ec();
virtual void vFunction2f0();
virtual bool GotoState(std::string State);
virtual bool GotoState(int nState);
virtual bool IsInState(const char *State);
virtual char *GetState();
virtual int GetStateIdx();
virtual void RegisterState(const char *State);
virtual bool IsStateClientside();
virtual void SetStateClientside(const bool bEnable);
virtual void OnTimer(int TimerID);
virtual void OnDamage(void *IScriptObject); // void OnDamage( IScriptObject *pObj )
virtual void OnEnterArea(IEntity *pEntity, const int areaID);
virtual void vFunction320();
virtual void vFunction324();
virtual void vFunction328();
virtual void vFunction32c();
virtual void vFunction330();
virtual void vFunction334();
virtual void vFunction338();
virtual void SetTimer(int msec);
virtual void KillTimer();
virtual void SetScriptUpdateRate(float fUpdateEveryNSeconds);
virtual void ApplyForceToEnvironment(const float radius, const float force);
virtual int GetSide(const Vec3 &direction);
virtual void Hide(bool b);
virtual bool IsHidden();
virtual void SetDestroyable(bool b);
virtual bool IsDestroyable();
virtual void SetGarbageFlag(bool bGarbage);
#pragma endregion
// TO DO (finish this long ass list...)

#pragma region InlineFunctions
////////
// All entities have an EntityID; most have a true "ID" (if they have a container). This function returns the proper response for each entity
inline unsigned int GetID()
{
if (pEntityContainer)
{
if (pEntityContainer->ID > 0)
return pEntityContainer->ID;
else
return GetEntityID();
}
else
return GetEntityID();

// NOTE: GetEntityID() does return a SIGNED short integer...but, it really doesn't matter for anything for which I'd be using this.
}
inline Vec3 GetLocation()
{
if (Location.x != -1000.0f)
return Location;
else
return Location2;
}

inline float GetHeading()
{
if (Heading != -1000.0f)
return Heading;
else
return Heading2;
}

inline IEntity* GetTarget()
{
if (!pEntityContainer)
return NULL;

switch (GetClassId())
{
case 1:
case 2:
case 3:
{
if (pEntityContainer->GetCharacterObject()->TargetID == 0)
return NULL;

return GetEntityByID(pEntityContainer->GetCharacterObject()->TargetID);
}
default: break;
}

return NULL;
}
#pragma endregion

/*0x004*/ unsigned char Unknown4[0x20-0x04];
/*0x020*/ void *Unknown20; // class related to logging errors (vfunction of this class at 0x50 called with arguments)
/*0x024*/ unsigned int Unknown24;
/*0x028*/ Vec3 AvatarLocation;
/*0x034*/ Vec3 AvatarLocation2;
/*0x040*/ unsigned char Unknown40[0x88-0x40];
/*0x088*/ IEntityCharacter* CharInterface; // IEntity__GetCharInterface
/*0x08c*/ unsigned int Flags2; // See IEntity__IsGarbage, etc...
/*0x090*/ float Unknown90; // related to particles? [ 10042540 (7.27.2009) ]
/*0x094*/ DWORD Unknown94; // IMPORTANT
/*0x098*/ DWORD Unknown98; // returned by [ 10029260 (7.27.2009) ]
/*0x09c*/ unsigned char Unknown9c[0xac-0x9c];
/*0x0ac*/ short ID; // IEntity__GetID (similar to GhostID from eq2?)
/*0x0ae*/ unsigned short ClassId; // IEntity__GetClassId
/*0x0b0*/ std::string Name; // IEntity__GetName
/*0x0cc*/ std::string LUAClassName; // IEntity__LUAClassName
/*0x0e8*/ unsigned int Flags; // IEntity__GetFlags
/*0x0ec*/ unsigned char Unkonwnec[0x124-0xec];
/*0x124*/ std::string State; // IEntity__GetState
/*0x140*/ unsigned char Unknown140[0x15c-0x140];
/*0x15c*/ IEntityCamera* Camera;
/*0x160*/ unsigned char Unknown160[0x16c-0x160];
/*0x16c*/ IScriptObject* ScriptObject; // IEntity__GetScriptObject
/*0x170*/ unsigned char Unknown170[0x1b4-0x170];
/*0x1b4*/ CEntitySystem* ParentEntitySystem;
/*0x1b8*/ unsigned char Unknown1b8[0x1c4-0x1b8];
/*0x1c4*/ CEntityContainer *pEntityContainer; // IEntity__GetContainer
/*0x1c8*/ unsigned char Unknown1c8[0x350-0x1c8];
/*0x1cc entity's sub objects (see IEntity__GetObjectsFlags) */
/*0x350*/ Vec3 Location;
/*0x35c*/ Vec3 Location2;
/*0x368*/ float UnknownLocationRelated1a;
/*0x36c*/ float UnknownLocationRelated2a;
/*0x370*/ float Heading; // "West" is zero...
/*0x374*/ Vec3 Location3;
/*0x380*/ float Unknown380;
/*0x384*/ float UnknownLocationRelated1b;
/*0x388*/ float UnknownLocationRelated2b;
/*0x38c*/ float Heading2;
/*0x390*/ Vec3 Location4;
/*0x39c*/ unsigned char Unknown39c[0x3fc-0x39c];
/*0x3fc*/ float Radius; // IEntity__GetRadius
/*0x400*/ float UpdateRadius; // IEntity__GetUpdateRadius
/*0x404*/ float ScriptUpdateRate; // in seconds
/*0x408*/ DWORD Unknown408;
/*0x40c*/ float UnknownLocationRelated3a; // Scale?
/*0x410*/ float UnknownLocationRelated3b; // Scale?

/*0x458*/
};

oh yea, and a "#pragma region" option (similar to my example above) would be hot.

Maybe I don't understand what your asking, but it already does what you are talking about. example..your "pragma" regions, just put it in the code for that class.

Your wish list
1. Not sure?
2. it does? adds them to the comment
3. it does? the varname is _offset[length]

sample of your class in reclass:


class IEntity;
class IEntityCharacter;

class IEntity
{
public:
virtual char* GetLUAClassName(); //
virtual void Function1(); //
virtual void Function2(); //
virtual void Function3(); //
virtual char* GetName(); //
virtual void Function5(); //
virtual void Function6(); //
virtual void Function7(); //
virtual void Function8(); //
virtual void Function9(); //
virtual void DrawEntity(DWORD Unknown0); //

char _0x0004[36];
D3DXVECTOR3 AvatarLocation; //0x0028
char _0x0034[84];
IEntityCharacter* CharInterface; //0x0088 IEntity__GetCharInterface

#pragma endregion
// TO DO (finish this long ass list...)
#pragma region InlineFunctions
////////
// All entities have an EntityID; most have a true "ID" (if they have a container). This function returns the proper response for each entity
inline unsigned int GetID()
{
if (pEntityContainer)
{
if (pEntityContainer->ID > 0)
return pEntityContainer->ID;
else
return GetEntityID();
}
else
return GetEntityID();

// NOTE: GetEntityID() does return a SIGNED short integer...but, it really doesn't matter for anything for which I'd be using this.
}

};//Size=0x008C

class IEntityCharacter
{
public:
char _0x0000[64];

};//Size=0x0040

Here's an example of what I'm suggesting -- from your example that comes with ReClass:



};//Size=0x103C

class CObject
{
public:

char _0x0000[36];
CObject* object_root; //0x0024
char _0x0028[4];
CTemplate* pTemplate; //0x002C
char _0x0030[24];
CGeometry* object_mesh; //0x0048
CArmor* pArmor; //0x004C
CCollisionMesh* object_collision; //0x0050
CPhysicsNode* pPhysics; //0x0054
char _0x0058[96];
D3DXMATRIX Matrix; //0x00B8


};//Size=0x00F8


I would like to suggest something more like this:


//Size=0x103C
class CObject
{
public:

/*0x0000*/ char _0x0000[0x0024-0x0000];
/*0x0024*/ CObject* object_root;
/*x00028*/ char _0x0028[0x0002c-0x0028];
/*0x002c*/ CTemplate* pTemplate;
/*0x0030*/ char _0x0030[0x0048-0x0030];
/*0x0048*/ CGeometry* object_mesh;
/*0x004c*/ CArmor* pArmor;
/*0x0050*/ CCollisionMesh* object_collision;
/*0x0054*/ CPhysicsNode* pPhysics;
/*0x0058*/ char _0x0058[0x00b8-0x0058];
/*0x00b8*/ D3DXMATRIX Matrix;
/*0x00bc*/ char _0x00bc[0x103c-0x00bc];
/*0x103c*/
};


Don't get me wrong, I don't want to come across as being critical or anything ...this application is GREAT! (And I wish I would have had it years ago.) I'm just providing a suggestion based upon years of maintaining classes for various games. I developed this format a few years ago and it seems to make everything so much easier to maintain.

So, yea, just a suggestion.


(p.s. The reason I like using hexidecimal for everything is because disassembly tends to use it. It's easier for me to use just ONE type of number rather than going back and forth. ....one of the few things I HATE about the hexrays decomplier plugin.)

nice tool

I'm just providing a suggestion based upon years of maintaining classes for various games. I developed this format a few years ago and it seems to make everything so much easier to maintain.

So, yea, just a suggestion.


I understand now, and would be very ez to change the output...however, I don't see how it would be useful. Let me explain....the output isn't made to be hand edited and "maintained", that's defeats the purpose of the tool. With the header/footer and code options you should be able to create a final .h file that doesn't need to be touched.
*I will consider adding more output options

anyway, found a problem importing old files (old reclass that had inherited class)
updated first post with a fix.

Thanks for the great tool, much appreciate it.

Let me explain....the output isn't made to be hand edited and "maintained", that's defeats the purpose of the tool.

It could be a purpose of the tool though. I have to maintain classes and I need to be able to see them in a format that is easy to read and understand. Your tool could help with that :)

Oh well, please post if you ever are willing to release the source, then I could just do it myself.

Or, perhaps you could add a 'template' option where a person could edit a template as to how their output would look -- then everyone could have it the way they wanted! :)

Fixed Check for 32bit?...



typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
LPFN_ISWOW64PROCESS fnIsWow64Process;
BOOL is32Bit(HANDLE hProcess)
{
fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandle(TEXT("kernel32")),"IsWow64Process");
if (!fnIsWow64Process) return TRUE;//WTF update, assume 32bit noob

BOOL bIs64BitOS = FALSE;
fnIsWow64Process(GetCurrentProcess(),&bIs64BitOS);//are we running as a 32bit in a 64bit OS (assume we compiled as a 32bit process)
if (bIs64BitOS)
{
BOOL bIs32Bit;
fnIsWow64Process(hProcess,&bIs32Bit);//is this 32bit process in a 64bit OS?
return bIs32Bit;
}
else
return TRUE;// 32bit OS, so it's a 32bit process
}

now using GetModuleFileNameEx so it works on XP...

*original post updated with new link

tested now on XP, Win 7 32/64


*Also added manifest so it will ask to run as admin


If you want to check whether the user is running a 32-bit or 64-bit OS please use GetNativeSystemInfo. IsWoW64Process is useful for detecting whether a 32-bit process is running under WoW64, however it is not suitable for OS architecture detection.

saw this
http://www.kernelmode.info/forum/viewtopic.php?f=13&t=755
then this
http://int0h.wordpress.com/2011/02/22/anti-anti-debugging-via-wow64/
then this
http://int0h.wordpress.com/2009/12/24/the-power-of-wow64/
then



// inb4 useless code
enum os_type
{
// CS register changes,
// depending on Windows architecture:
native32 = 0x1B,// 32 bits (native) = 0x1B
wow64_32 = 0x23,// 32 bits (wow64 ) = 0x23
native64 = 0x33,// 64 bits (native) = 0x33
unknown = -1 // no tits (GTFO!!) = -1
};

bool _whatos( os_type& inf )
{
__int16 csreg = 0;
__asm mov csreg , cs;

bool _rv;

os_type _wois = ((os_type)csreg);
switch ( _wois )
{
case os_type::native64:
case os_type::wow64_32:
case os_type::native32:
_rv = true;
inf = _wois;
break;
case os_type::unknown :
_rv = false;
inf = os_type::unknown;
break;
default:
__assume(-1);
break;
}
return _rv;
}

bool _wow64_32_2_64_jump( pbyte _64_bit_code_to_exec )
{
if ( !_wow_emu() )
{
speak("only possible from a 32 bit program executed witthin wow64");
return false;
}
#ifdef _X86_
unsigned __int64 jmpaddr = 0;

if ( _64_bit_code_to_exec != NULL )
{
__asm
{
lea eax, jmpaddr;
mov dword ptr[eax], offset payload_AMD64_MODE;
mov dword ptr[eax + 4], 0x33; // 33 = x64 , 23 = x86
jmp qword ptr[eax]; // jmp to 64 bit
};
}
else
{
__asm
{
lea eax, jmpaddr;
mov dword ptr[eax], offset no_payload_AMD64_MODE;
mov dword ptr[eax + 4], 0x33; // 33 = x64 , 23 = x86
jmp qword ptr[eax]; // jmp to 64 bit
};
}

// eax automatically
// fixed up to rax at exec,
// but for reading purpose.
#define _rax eax

__asm
{
no_payload_AMD64_MODE:
jmp return_to_IA32_MODE;

payload_AMD64_MODE:
// whatever, no args please...
call qword ptr [_64_bit_code_to_exec];

return_to_IA32_MODE:
mov dword ptr[_rax], offset _IA32_MODE;
mov dword ptr[_rax + 4], 0x23; // 33 = x64 , 23 = x86
jmp qword ptr[_rax]; // jmp to 32 bit

_IA32_MODE:
};
#endif _X86_

return true;
}

BOOL _wow_emu(void)
{
BOOL retval = FALSE;

os_type inf;
if ( _whatos( inf ) )
{
switch ( inf )
{
case os_type::native64: retval = FALSE; break;
case os_type::native32: retval = FALSE; break;
case os_type::wow64_32: retval = TRUE ; break;
}
}
else
{
// incase previous thing failed.
static dword magic = -616;
static BOOL is_64 = magic; // check only once k (slow shit)
if ( is_64 == magic )
{
if ( _IsWow64Process(NtCurrentProcess(),&is_64) == FALSE )
{
return FALSE;
}
}
retval = is_64;
}
return retval;
}

BOOL _wine_emu(void)
{
// bored...
struct {
pchar a;
handle b;
BOOL c;
} linux = {
"__WINE_FONT_MUTEX__",
_OpenMutexA(MAXIMUM_ALLOWED,0,linux.a),
( linux.b == NULL || linux.b == INVALID_HANDLE_VALUE ) ? FALSE : TRUE
};
return linux.c;
}

void test()
{

// os infos, exploit wow64?
os_type inf;
if ( _whatos(inf) )
{
switch ( inf )
{
default:
{
if ( _wine_emu() )
{
tools::speak("lulz this thing runs in wine ...");
}
else
{
tools::speak("fuck you!!!");
}
break;
}
case os_type::wow64_32:
{
// lets play some tetris motherfucker!
tools::speak("64 bit windows / 32 bit exe ...");

// just jump in and out
if ( !_wow64_32_2_64_jump() )
tools::speak("<9000");
else
tools::speak(">9000");

// our payload / shellcode
byte _64bitpl[] =
{
////////
// it's an example, what you expect?
////////
0xC3, // ret
0xCC // int 3
};

// jump in, exec payload, jump out
if ( !_wow64_32_2_64_jump(_64bitpl) )
tools::speak("<9000");
else
tools::speak(">9000");

break;
}
case os_type::native32:
{
tools::speak("32 bit windows / 32 bit exe ...");
break;
}
case os_type::native64:
{
tools::speak("64 bit windows / 64 bit exe ...");
break;
}
}
}
else
{
tools::speak("unknown system, die.");
}
}


:confused2:

saw this
http://www.kernelmode.info/forum/viewtopic.php?f=13&t=755
then this
http://int0h.wordpress.com/2011/02/22/anti-anti-debugging-via-wow64/
then this
http://int0h.wordpress.com/2009/12/24/the-power-of-wow64/
then



// inb4 useless code
enum os_type
{
// CS register changes,
// depending on Windows architecture:
native32 = 0x1B,// 32 bits (native) = 0x1B
wow64_32 = 0x23,// 32 bits (wow64 ) = 0x23
native64 = 0x33,// 64 bits (native) = 0x33
unknown = -1 // no tits (GTFO!!) = -1
};

bool _whatos( os_type& inf )
{
__int16 csreg = 0;
__asm mov csreg , cs;

bool _rv;

os_type _wois = ((os_type)csreg);
switch ( _wois )
{
case os_type::native64:
case os_type::wow64_32:
case os_type::native32:
_rv = true;
inf = _wois;
break;
case os_type::unknown :
_rv = false;
inf = os_type::unknown;
break;
default:
__assume(-1);
break;
}
return _rv;
}

bool _wow64_32_2_64_jump( pbyte _64_bit_code_to_exec )
{
if ( !_wow_emu() )
{
speak("only possible from a 32 bit program executed witthin wow64");
return false;
}
#ifdef _X86_
unsigned __int64 jmpaddr = 0;

if ( _64_bit_code_to_exec != NULL )
{
__asm
{
lea eax, jmpaddr;
mov dword ptr[eax], offset payload_AMD64_MODE;
mov dword ptr[eax + 4], 0x33; // 33 = x64 , 23 = x86
jmp qword ptr[eax]; // jmp to 64 bit
};
}
else
{
__asm
{
lea eax, jmpaddr;
mov dword ptr[eax], offset no_payload_AMD64_MODE;
mov dword ptr[eax + 4], 0x33; // 33 = x64 , 23 = x86
jmp qword ptr[eax]; // jmp to 64 bit
};
}

// eax automatically
// fixed up to rax at exec,
// but for reading purpose.
#define _rax eax

__asm
{
no_payload_AMD64_MODE:
jmp return_to_IA32_MODE;

payload_AMD64_MODE:
// whatever, no args please...
call qword ptr [_64_bit_code_to_exec];

return_to_IA32_MODE:
mov dword ptr[_rax], offset _IA32_MODE;
mov dword ptr[_rax + 4], 0x23; // 33 = x64 , 23 = x86
jmp qword ptr[_rax]; // jmp to 32 bit

_IA32_MODE:
};
#endif _X86_

return true;
}

BOOL _wow_emu(void)
{
BOOL retval = FALSE;

os_type inf;
if ( _whatos( inf ) )
{
switch ( inf )
{
case os_type::native64: retval = FALSE; break;
case os_type::native32: retval = FALSE; break;
case os_type::wow64_32: retval = TRUE ; break;
}
}
else
{
// incase previous thing failed.
static dword magic = -616;
static BOOL is_64 = magic; // check only once k (slow shit)
if ( is_64 == magic )
{
if ( _IsWow64Process(NtCurrentProcess(),&is_64) == FALSE )
{
return FALSE;
}
}
retval = is_64;
}
return retval;
}

BOOL _wine_emu(void)
{
// bored...
struct {
pchar a;
handle b;
BOOL c;
} linux = {
"__WINE_FONT_MUTEX__",
_OpenMutexA(MAXIMUM_ALLOWED,0,linux.a),
( linux.b == NULL || linux.b == INVALID_HANDLE_VALUE ) ? FALSE : TRUE
};
return linux.c;
}

void test()
{

// os infos, exploit wow64?
os_type inf;
if ( _whatos(inf) )
{
switch ( inf )
{
default:
{
if ( _wine_emu() )
{
tools::speak("lulz this thing runs in wine ...");
}
else
{
tools::speak("fuck you!!!");
}
break;
}
case os_type::wow64_32:
{
// lets play some tetris motherfucker!
tools::speak("64 bit windows / 32 bit exe ...");

// just jump in and out
if ( !_wow64_32_2_64_jump() )
tools::speak("<9000");
else
tools::speak(">9000");

// our payload / shellcode
byte _64bitpl[] =
{
////////
// it's an example, what you expect?
////////
0xC3, // ret
0xCC // int 3
};

// jump in, exec payload, jump out
if ( !_wow64_32_2_64_jump(_64bitpl) )
tools::speak("<9000");
else
tools::speak(">9000");

break;
}
case os_type::native32:
{
tools::speak("32 bit windows / 32 bit exe ...");
break;
}
case os_type::native64:
{
tools::speak("64 bit windows / 64 bit exe ...");
break;
}
}
}
else
{
tools::speak("unknown system, die.");
}
}


:confused2:

Sorry but I think I'm missing your point. What are you getting at?

I was simply pointing out that his OS architecture detection code was technically 'incorrect', and proposing a solution (as per Microsoft's guidelines).

You've just linked a bunch of articles/snippets about WoW64 internals and (ab)using them for anti-debug purposes... That has nothing to do with my original point.

Sorry but I think I'm missing your point. What are you getting at?

I was simply pointing out that his OS architecture detection code was technically 'incorrect', and proposing a solution (as per Microsoft's guidelines).

You've just linked a bunch of articles/snippets about WoW64 internals and (ab)using them for anti-debug purposes... That has nothing to do with my original point.

it does not apply only to wow64(for the os detect part not the antidebug trick)
just it achieve the same thing w/o calling any api(just if fails)

host 2008 r2 x64, guest win8 x32

it does not apply only to wow64(for the os detect part not the antidebug trick)
just it achieve the same thing w/o calling any api(just if fails)

host 2008 r2 x64, guest win8 x32

Errr, what's wrong with just calling the API? Why rely on undocumented behavior unnecessarily?

The stuff that you linked has its place, but that is not here. ReClass is a piece of legitimate software, not a piece of malware. It has no need to avoid calling APIs or do undocumented things to mask its behaviour...

Errr, what's wrong with just calling the API? Why rely on undocumented behavior unnecessarily?

The stuff that you linked has its place, but that is not here. ReClass is a piece of legitimate software, not a piece of malware. It has no need to avoid calling APIs or do undocumented things to mask its behaviour...

yep you are right,
i not saw it this way,
nothing has to be hidden therefore calling the api has no need to be avoided.

I would suggest/ask politely not speaking so openly about this type of thing (wow64 interception..), as drawing too much attention to it ... would not be helpful.

=)

not to mention, link for reclass is not work... can someone upload or attach inline?

I would suggest/ask politely not speaking so openly about this type of thing (wow64 interception..), as drawing too much attention to it ... would not be helpful.

=)

not to mention, link for reclass is not work... can someone upload or attach inline?

Link works here, but whatever...

3914

I would suggest/ask politely not speaking so openly about this type of thing (wow64 interception..), as drawing too much attention to it ... would not be helpful.

=)

not to mention, link for reclass is not work... can someone upload or attach inline?

Not helpful for who? Imo the opposite is true. This forum is designed for the discussion of exactly such things.

Not helpful for who? Imo the opposite is true. This forum is designed for the discussion of exactly such things.

Yes, forum is designed for this. At same time, this method is what allows for successful OllyDbg use on packed exe/dll on Windows 7 X64... this OS which I do my unpacking, so longer certain vendors not check for this type of thing, the better... (IMHO). Discuss of subject away from public eyes, I have no problems with.

Yes, forum is designed for this. At same time, this method is what allows for successful OllyDbg use on packed exe/dll on Windows 7 X64... this OS which I do my unpacking, so longer certain vendors not check for this type of thing, the better... (IMHO). Discuss of subject away from public eyes, I have no problems with.
understood your point but;
saw this here firstly then int0 posts
so i guess it was public already and whoever wanting infos could have them (if they were using the search button or google).

https://www.gamedeception.net/threads/17473-KiFastSystemCall-Wrapper?
https://www.gamedeception.net/threads/19922-NTCalls-Manually-call-them-is-that-possible?
https://www.gamedeception.net/threads/20063-WOW64-ntdll-hooking-nonsense?highlight=ssdt+wow64

i have 1 question while using reclass...when i put the address of the base of my class i see this commeneted next to certain bytes

*->BF2.exe[00720001]
*->[0030065]

what is the difference between the above 2?
what would be the equivalent C/C++ code for it?

int0 is only bringing to light method which is known, just not widely discussed.

public? someone with enough of a clue can use available information to produce project, or detect method, sure... 99% of all others, will have nfc... but i suppose this applies to most things...

-fyyre



understood your point but;
saw this here firstly then int0 posts
so i guess it was public already and whoever wanting infos could have them (if they were using the search button or google).

I kinda got burned out after a few weeks of coding this, but I do plan to continue.
Remember this was just a preview :)

On a side note, what are your thoughts on the Ribbon interface....The more I use it, the more I hate it. I find myself putting all the commands I use in a toolbar and hiding the ribbon.

Make it stable, then I'm happy: D

I kinda got burned out after a few weeks of coding this, but I do plan to continue.
Remember this was just a preview :)

On a side note, what are your thoughts on the Ribbon interface....The more I use it, the more I hate it. I find myself putting all the commands I use in a toolbar and hiding the ribbon.

As much as I kinda disliked it at first, I think I prefer the ribbon interface now. It definitely takes some getting used to, and it does use up more valuable screen real estate, but it seems like a more 'natural' way to interface with the software.

Also, Windows seems to be moving to a more ribbon-oriented interface experience, especially with Windows 8 (Explorer has received a WIP ribbon interface in the leaked builds), and consistency is important in UI design.

Though, at the end of the day it's what your users prefer... Perhaps support both for the time being? Just add a switch to swap between a ribbon and a normal menu.

tbh i prefer context menu's over a ribbon interface :)

I hate all ribbon interfaces, especially M$ Office...

i'm really missing the option to do: &module.dll + 0x0FFSET,

and reclass is always on top, hiding it's own messageboxes.

and reclass is always on top, hiding it's own messageboxes.

settings->topmost, that annoyed me too.

It would be nice to have an option to auto-create new class with a pointer from another class when ReClass detects it. Right now every time I suspect a given field to be a pointer to another class, I have to create new class, then remember the pointer and put it into new class (of course I go back to prev class few times to make sure I type address right etc. etc.).

Pleame make it so you can inspect memory dumps (or any kind of file) and not only current memory, I think it will be useful (at least for me it would :))

BugFix update, nothing new added yet.
Random crashes caused by a string formatting error...doh
*ie...last version would crash if say %s was in memory of the struct

http://gameanarchy.co/files/ReClass2011_beta72.rar

Looks good :D

I'll try this version of Re-Clas now. I always used the old ReClass :)

omg this tool is really fantastic, thanks for the hard work :)now I have to play a lot with it :Pbye

Added - Displays Float and Int for every line after comment
*small change I added for myself...can't turn it off yet so if you don't like it use last version.
Fixed - Vars having the same name when converted

http://gameanarchy.co/files/ReClass2011_beta73.rar

Nice, thanks! :)

sweet :)

Pleame make it so you can inspect memory dumps (or any kind of file) and not only current memory, I think it will be useful (at least for me it would :))

Seconded, I've got some memory from linux to look at! I would also also like to see an Undo feature, would come especially in handy with this. Even with just 1 or 2 history. Oh, more datatypes, 64 bit ints, wide characters. All I can think of now, great app. :)

is there any way to use the double float ( 64 bit float/long float ) data-type? Other than that, this tool is amazing. thank you very much

is there any way to use the double float ( 64 bit float/long float ) data-type? Other than that, this tool is amazing. thank you very much

You can use custom data types for anything and just set the size and name.

Yes, but you won't have binary data (hex) converted to number, like you have it for float, int, etc. and this is very useful during research and examining fields types.

it would be usefull to have support for char*
wchar_t[n] and wchar_t*

Can't seem to delete multiple nodes in a single go. ? /british

Logically, you should be able to select multiple items, hit the "del" key, and be done with it. (Right click options would be nice too, and as suggested, char* support, etc,.)

Anyways, looks useful, I'll keep an eye on it, I'm going to be needing a tool like this very soon, I just started expanding my RE skills, and classes are next on my list. (It looks painful, tools would be nice.)

If I'm right you can do this. Select one field, hold Shift, and click lower field to select range of fields. Then press X (Delete) button etc. It should work.

About char* support, it could be partially done if combined with my question about auto-opening new tabs for fields that are detected as potential pointers.

You can assign keyboard shortcuts to any command...I just tested adding the delete key to the toolbar delete and it worked fine

char* is a valid option, I'll see about adding it in a future release.

Finally learnt how to use this bad boy. It's awesome! Thanks

Small Update...

Added - String Detection for pointers, Displayed in comments
Added - Settings for Comments (Float/Int/String/Pointer)
Added - Old style address for classes *

Old Style:
|offset| + |offset| + etc...
*Use & for address of .dll
*Use * to deference pointer

********************
* How to enter addresses
********************
Addresses are added from left to right, and
you can use the & to get the address of a
exe/dll base, and use * to deference to a
pointer.

Some examples

-Use a simple hex offset
0400000

-Offset into a module
&dllname+0500

-offset into a module as a pointer
&dllname+*0500

-offset into a module as a pointer, then offset
&dllname+*0500+25

-offset into a module as a pointer, then offset to a pointer
&dllname+*0500+*25
etc...

*remember to use the full name...ie it must include ".dll"

http://gameanarchy.co/files/ReClass2011_beta74.rar


*As for adding Char* ....meh, I should have designed "pointers" better...just use the custom type

an 'open in new tab' right click function would be nice, for pointers and such :) or just a way to copy the addr from the table

How about reading the EAT of modules so when you get what seems to be a pointer you can compare it with the EAT of the module it resides in and maybe give us a name for it? :D

Looks great

I'm trying to get this thing to work on my notebook, Windows 7 64 bit.
And this is what i get : http://i40.tinypic.com/1f53s.png

Works fine on my PC, though.

This also happens on beta74 aswell as beta73.

Pm me if you need more info on it.

set your DPI to 100% Benj__

http://i.imgur.com/TOkiV.jpg

I'll have to make my own at this rate :D

http://i.imgur.com/TOkiV.jpg

I'll have to make my own at this rate :D

you may want to get started then, it did take me 4 years to update from the last version.

In CE's structure builder you can add multiple addresses and see where the structs differ.

This is especially helpful if you want to find stuff like a units team. It doesn't change but it differs from unit to unit.
Is there a feature like this already implemented?
I case you don't understand just look at this:
4244

This is from CE's memory dissect, attached to "Command and Conquer generals"
the first and second address are two of my own units, the third address is an enemy worker.
I assigned Group0 to my own units and put the third address (the enemy) into Group1.

I can see that offset 0x1C might be the team id this units belongs to. The different colors for different values are a great help too.

thanks for this great tool drunkencheetah. the only room for improvement that I can see is support for 64bit datatypes (int64 double etc) but other than that your tool is pretty much perfect. thanks again

The latest version has no GUI, the window shows up, and I can see where the tool bar should be, but, it's all blank, clicking anywhere does nothing, ie, the buttons aren't invisible, they aren't there, at all.

Does this require some sort of lib to be installed? (I do lot's of development, for many things, so, I could have a conflicting version of something installed.)

Any help would be nice, I'm reversing some classes(Finally figured it out.), and I want something I can overlay with the real data, this seems to be the tool for that job.

---

Win7 x64 Ultimate SP1 (Should be fully updated.)
HD 4250 (Integrated) Catalyst 12.2
Monitor: HDMI => HDTV

Not sure what other info would be relevant.

Edit: Just tried downloading 74 again, and different beta's, same problem, it's likely UI lib related, I had another application do this recently too. (GTA IV Universal Shader Patch. Probably used the same UI lib.)

Are there any updates on this? like ReClass 2012 lol

This one won't be updated anymore....

Here is the source code....
Warning: It's messy, and so much just "hacked" into it so it would just work..

http://gameanarchy.co/files/ReClass2011_SourceCode.rar

thx very usefull it for me :)