[Tut] Full Recovery trigger

iktov2 · 06/03/2011, 16:59

Code:

void FullRecover()
		{
			UINT_PTR adr = 0x004A5570; //Old address
			__asm
			{
				CALL adr    
			}
		}

This is the function that I used to trigger the Full Recovery option in the game with my bot.

The function I used to tell the bot when to use the function is pretty much the way you would make an Autopiller, but instead of calling a function to use pills you just call the FullRecovery function:

Code:

bool rec;
float HPPercent;
float MPPercent; 

void FullRecovery()
{
    
	float RestoreMP  = MyChar->MaxMP * MPPercent; 
	float RestoreHP  = MyChar->MaxHP * HPPercent;
    if(rec)
	{
		if(MyChar->Exists == 1)
		{
			if(MyChar->CurMP <= RestoreMP)
			{
				 FullRecover(); 
			}
			if(MyChar->CurHP <= RestoreHP)
			{
				 FullRecover();
			}
		}
	}
}

Now for updating the address of the full recovery function you would just need to search a sequence of bytes in Ollydebug:

Code:

004A2291   |.  50                      PUSH EAX                             ; /Arg2
004A2292   |.  8B4D 8C                 MOV ECX,DWORD PTR SS:[EBP-74]        ; |
004A2295   |.  51                      PUSH ECX                             ; |Arg1
004A2296   |.  B9 A0AA5900             MOV ECX,TwelveSk.0059AAA0            ; |
004A229B   |.  E8 00FBF7FF             CALL TwelveSk.00421DA0               ; \TwelveSk.00421DA0
004A22A0   |.  5F                      POP EDI                              ;  0012FD30

Just load the game into Olly, use "Search for sequence of bytes" and just search the first few lines of the function above:

Code:

PUSH EAX                             
MOV ECX,DWORD PTR SS:[EBP-74]        
PUSH ECX

You need to just keep searching until you find a function that looks exactly like the function I posted above(obviously the address will differ however, this is the whole point of the search to find the new address).

The address you will be interested in here will obviously be the call:

Code:

 CALL TwelveSk.00421DA0

If this were from the new game client, then 0x00421DA0 would be the new address. Just plug the new address into the __asm function I posted on the top of this thread and now you have a fully working FullRecovery option for your botting pleasure.

The way this function got started: I believe it was Seth_day that contacted me one day telling me of an option he had found that was located on a hidden menu in the game that had some "Full Recovery" option to reload HP/Chi. He asked me if I could find a way to use the function manually from anywhere within a bot. After about 10minutes of searching I came up with the function above.

Enjoy, hopefully some generous people will figure this out and release a public copy for everyone to enjoy. If not, I have found my old source so I may eventually release an update, but its just not my main concern right now.

Credits:

as always: Megabyte for a major support in getting me started with my bot ideas(the ollydebug config that allowed to actually use BP's was the headstart I needed"
Seth_day for tipping me off about the FullRecovery function existing in the game client.
Wazzapoo helped me on a good deal of C++ functions in my bot for a few things such as putting my AutoLooting/Loot Filter functions to work in the bot.

Sidenote: You can just plug this code into any .dll source and get it working. Just make a base .dll project with the .dll entry point. Begin a thread from the .dll main and call the code from within the thread. Use MSDN if you cannot figure out how to do that. There are also a couple of simple .dll projects posted by Megabyte and I believe I posted a small source as well. Use Microsoft visual studio to compile it and your good to go.

Also you obviously need to clean up my code a bit. Example: where I use MyChar->MaxHP, just replace this with whatever pointer you assign your characters maxhp address to or use ReadProcessMemory to read your chars maxhp from the games memory. My->MaxHP refers to the character struct I had in my bot to read characters information from the game client easily.

Mega Byte · 06/04/2011, 01:55

Nicely done

and yes very many thanks to Seth_day for letting us know about Full Recovery, ide seen it but never clicked it haha

iktov2 · 06/04/2011, 02:00

I did make one small mistake in my tut there. Not sure if anybody caught it or not. However you don't search for a "Sequence of bytes" but rather a "Sequence of commands". Sorry I mixed that up when typing out the "tut".

If anyone uses this please give proper credits.

Enjoy.

d4v1dru5se · 06/04/2011, 10:37

misteriös

____________

strikeraid · 06/05/2011, 23:06

Thanks for the contribution iktov (:

I still find it weird that they have this in their client. Confuses me so much. hahaha.

You guys ever find the autoloot function in the client? Not sure how your autolooting/filter functions work, but the client has a built in autoloot function as well. :/ Just thought it'd be a fun project for you guys to work on. Hahaha. Thanks again for this iktov. If I still played TS2, this would be the most fun tweak out there.

Mega Byte · 06/06/2011, 00:32

Built in auto loot? I know it has the tild key ~ and pressing an emote to pick up but an auto loot that lets you set rareness and stuff? Well either way just find the games PickupItem_FromGround function and pass it the item id and your player struct details like X Z Y i think. Providing your at the items X Z Y server side and you can pick it up it should work.

You can find that function from breakpointing send unbreaking everything not to do with items eg run around for a bit. Then pick up an item it will break remove breakpoint Press Ctrl+F9 then F7 to step out scroll up slightly observe whats around there if not go up again and so on. If you go up enough and your clicking on the item you can find the CheckItemPickup( MouseX,MouseY ) function.

iktov2 · 06/07/2011, 22:27

Curious is anybody has gotten it working yet? If I can tear myself away from Rift for a while I will post a working .dll for this soon.

Also I may be inclined to post my Auto-Loot function function here too if anyone is interested?

strikeraid · 06/07/2011, 23:35

i gave up. LOL! i crash when i call the address.

iktov2 · 06/07/2011, 23:46

Quote:

Originally Posted by strikeraid

i gave up. LOL! i crash when i call the address.

PM me with what you have done so far and I'll see if I can help you out.

andrewfam · 07/17/2011, 03:44

hi iktov2,

i'm try to do the full recovery function using your provided codes with this post. i kept it as original, the only thing i changed was i replaced in the new address for this function call. it's 0x04422CC0. i injected it fine, but as soon as i hit keypad number 1 the game crashed. do you have any idea?

thanks
andrew

Mega Byte · 07/17/2011, 04:29

use ollydbg and check your registers and stack when calling the function and after compare them to using it from the game. If they do not match yourve done something wrong similarly check your addresses

muro6807 · 07/17/2011, 09:26

The Karahan Turkish version of the game do not cheat, I cheat If you want to do the trick karahan

Mega Byte · 07/18/2011, 01:37

what is with this language barrier....

muro6807 · 07/18/2011, 12:25

turkish version: karahan online
I am from you
karahan online cheat I would like to

iktov2 · 07/18/2011, 19:14

Quote:

Originally Posted by muro6807

turkish version: karahan online
I am from you
karahan online cheat I would like to

Trolling?