PWI Eclipse changes

[Stark77]

i love u - the pathing is working - thanks again

the address finder sadly isnt working for me:
Base Address = 0x00D22C74
SendPacket Address = 0x415E0BF420000000
AutoPath Address = 0x4151565020000000

[denzjh]

Can u upload the elementclient.exe and link it here? I will try and check whats wrong with it...

[Stark77]

sure. i put it in the attachment. thanks for your effort.

below is my autohotkey version of your autopathing in case some uses this. code AND comments sponsored by Interest in WQ pot :P

 Spoiler

global realBaseAddress := 0xD22C74
global AutoPathAddress := 0x455940

autopath(X,Y,Z=0)
{
if X < 1000
X := floattohex((X*10)-4000)
if Y < 1000
Y := floattohex((Y*10)-5500)
revHex(revX, X)
revHex(revY, Y)
revHex(revZ, Z)
revHex(revBaseAddress, realbaseAddress)
revHex(revAutoPathAddress, AutoPathAddress)

winget, pid, PID, ahk_pid %processID%
ProcessHandle := DllCall("OpenProcess", "int", 2035711, "char", 1, "UInt", PID, "UInt")
functionSize := 0x7F
functionAddress := DllCall("VirtualAllocEx", "Uint", ProcessHandle, "Uint", 0, "Uint", functionSize, "Uint", 0x1000, "Uint", 0x40)
func =
func = %func%60
func = %func%B9%revY%
func = %func%BA%revZ%
func = %func%B8%revX%
func = %func%6a00
func = %func%51
func = %func%52
func = %func%50
func = %func%6a03
func = %func%6a00
func = %func%6a00
func = %func%684A010000
func = %func%b9%revBaseAddress%
func = %func%8B09
func = %func%83C11C
func = %func%8B09
func = %func%BB%revAutoPathAddress%
func = %func%FFD3
func = %func%B9%revZ%
func = %func%6A00
func = %func%6A00
func = %func%6A00
func = %func%51
func = %func%6A01
func = %func%6A00
func = %func%6A00
func = %func%684A010000
func = %func%B9%revBaseAddress%
func = %func%8B09
func = %func%83C11C
func = %func%8B09
func = %func%BB%revAutoPathAddress%
func = %func%FFD3
func = %func%61
func = %func%C3

MCode(autopathFunction, func)
DllCall("WriteProcessMemory", "UInt", ProcessHandle, "UInt", functionAddress, "Uint", &autopathFunction, "Uint", functionSize, "Uint *", 0)
SetFormat, IntegerFast, d
hThrd := DllCall("CreateRemoteThread", "Uint", ProcessHandle, "Uint", 0, "Uint", 0, "Uint", functionAddress, "Uint", 0, "Uint", 0, "Uint", 0)
loop
{
result := DllCall( "WaitForSingleObject", UInt,hThrd, UInt,50 )
if(result <> 258)
{
break
}
sleep 50
if(A_Index > 100)
{
break
}
}
DllCall( "CloseHandle", UInt,hThrd )
DllCall("VirtualFreeEx", "Uint", ProcessHandle, "Uint", functionAddress, "Uint", 0, "Uint", 0x8000)
DllCall( "CloseHandle", UInt,ProcessHandle )
}

MCode(ByRef code, hex) { ; allocate memory and write Machine Code there
VarSetCapacity(code,StrLen(hex)//2)
Loop % StrLen(hex)//2
NumPut("0x" . SubStr(hex,2*A_Index-1,2), code, A_Index-1, "Char")
}

[denzjh]

Quote:

Originally Posted by Stark77

sure. i put it in the attachment. thanks for your effort.

below is my autohotkey version of your autopathing in case some uses this. code AND comments sponsored by Interest in WQ pot :P

 Spoiler

global realBaseAddress := 0xD22C74
global AutoPathAddress := 0x455940

autopath(X,Y,Z=0)
{
if X < 1000
X := floattohex((X*10)-4000)
if Y < 1000
Y := floattohex((Y*10)-5500)
revHex(revX, X)
revHex(revY, Y)
revHex(revZ, Z)
revHex(revBaseAddress, realbaseAddress)
revHex(revAutoPathAddress, AutoPathAddress)

winget, pid, PID, ahk_pid %processID%
ProcessHandle := DllCall("OpenProcess", "int", 2035711, "char", 1, "UInt", PID, "UInt")
functionSize := 0x7F
functionAddress := DllCall("VirtualAllocEx", "Uint", ProcessHandle, "Uint", 0, "Uint", functionSize, "Uint", 0x1000, "Uint", 0x40)
func =
func = %func%60
func = %func%B9%revY%
func = %func%BA%revZ%
func = %func%B8%revX%
func = %func%6a00
func = %func%51
func = %func%52
func = %func%50
func = %func%6a03
func = %func%6a00
func = %func%6a00
func = %func%684A010000
func = %func%b9%revBaseAddress%
func = %func%8B09
func = %func%83C11C
func = %func%8B09
func = %func%BB%revAutoPathAddress%
func = %func%FFD3
func = %func%B9%revZ%
func = %func%6A00
func = %func%6A00
func = %func%6A00
func = %func%51
func = %func%6A01
func = %func%6A00
func = %func%6A00
func = %func%684A010000
func = %func%B9%revBaseAddress%
func = %func%8B09
func = %func%83C11C
func = %func%8B09
func = %func%BB%revAutoPathAddress%
func = %func%FFD3
func = %func%61
func = %func%C3

MCode(autopathFunction, func)
DllCall("WriteProcessMemory", "UInt", ProcessHandle, "UInt", functionAddress, "Uint", &autopathFunction, "Uint", functionSize, "Uint *", 0)
SetFormat, IntegerFast, d
hThrd := DllCall("CreateRemoteThread", "Uint", ProcessHandle, "Uint", 0, "Uint", 0, "Uint", functionAddress, "Uint", 0, "Uint", 0, "Uint", 0)
loop
{
result := DllCall( "WaitForSingleObject", UInt,hThrd, UInt,50 )
if(result <> 258)
{
break
}
sleep 50
if(A_Index > 100)
{
break
}
}
DllCall( "CloseHandle", UInt,hThrd )
DllCall("VirtualFreeEx", "Uint", ProcessHandle, "Uint", functionAddress, "Uint", 0, "Uint", 0x8000)
DllCall( "CloseHandle", UInt,ProcessHandle )
}

MCode(ByRef code, hex) { ; allocate memory and write Machine Code there
VarSetCapacity(code,StrLen(hex)//2)
Loop % StrLen(hex)//2
NumPut("0x" . SubStr(hex,2*A_Index-1,2), code, A_Index-1, "Char")
}

Are you using the script (the one for searching for Base/SendPacket/AutoPath Address) in AutoIt or are you converting them to AutoHotKey?

I attached a zip file with some compiled exe's and the script for the said address retriever.

And here is the code for the said address retriever (PWI client v829 aka PWI Eclipse client):

 Spoiler

Code:

Opt("GUICloseOnESC", 0)
Opt("GUIOnEventMode", 1)
Opt("TrayAutoPause", 0)
Opt("TrayMenuMode", 1)

GUICreate("PWI Essential Addresses", 400, 140)
GUISetOnEvent($GUI_EVENT_CLOSE, "_Exit")
GUICtrlCreateLabel("Base: ", 5, 10)
$OUTPUT_BASE = GUICtrlCreateInput("0x00000000", 100, 10, 80, 18)
GUICtrlCreateLabel("Send Packet: ", 5, 30)
$OUTPUT_PACKET = GUICtrlCreateInput("0x00000000", 100, 30, 80, 18)
GUICtrlCreateLabel("Auto Path: ", 5, 50)
$OUTPUT_AUTOPATH = GUICtrlCreateInput("0x00000000", 100, 50, 80, 18)

GUICtrlCreateLabel("Game Client: ", 5, 80)
$DEFAULT_FOLDER = @ProgramFilesDir & "\Arc\PWI_En\element\"
$DEFAULT_CLIENT = "elementclient.exe"
$INPUT_GAME = GUICtrlCreateInput($DEFAULT_FOLDER & $DEFAULT_CLIENT, 100, 80, 290, 18)
GUICtrlCreateButton("Browse", 100, 100, 50, 25)
GUICtrlSetOnEvent(-1, "GetClientExe")
GUICtrlCreateButton("Retrieve", 160, 100, 50, 25)
GUICtrlSetOnEvent(-1, "RetrieveAddress")
GUISetState()
While 1
	Sleep(100)
WEnd

Func GetClientExe()
	$EXE = FileOpenDialog("Perfect World Client", $DEFAULT_FOLDER, "Executable (*.exe)", 1, $DEFAULT_CLIENT)
	GUICtrlSetData($INPUT_GAME, $EXE)
EndFunc

Func RetrieveAddress()
	GUICtrlSetData($OUTPUT_BASE, "0x00000000")
	GUICtrlSetData($OUTPUT_PACKET, "0x00000000")
	GUICtrlSetData($OUTPUT_AUTOPATH, "0x00000000")
	$EXE = GUICtrlRead($INPUT_GAME)
	If @error Then Return
	$FILE = FileOpen($EXE, 16)
	$DATA = FileRead($FILE, FileGetSize($EXE))
	FileClose($FILE)
	$OPCODEBASE = 'A1(.{8})5332DB8B48.{2}'
	$BASE = StringRegExp($DATA, $OPCODEBASE, 1)
	$OPCODEPACKET = '6AFF68.{8}64A100000000506489250000000083EC185356578BF96A07'
	$PACKET = StringRegExp($DATA, $OPCODEPACKET, 1)
	$OPCODEAUTOPATH = '6AFF68.{8}64A100000000506489250000000083EC2053568BF18D4C2408E8.{8}8B4C243C8B542440'
	$AUTOPATH = StringRegExp($DATA, $OPCODEAUTOPATH, 1)
	If @error Then
		MsgBox(0, "Issues Attaching For Offsets", "There may be another bot attached to this process. Please close that bot and try again")
		Return
	EndIf
	$REALBASEADDRESS = '0x' & Rev($BASE[0])
	$SENDPACKETADDRESS = '0x' & Hex(StringInStr($DATA, $PACKET[0])/2 + 0x400000 - 1)
	$AUTOPATHADDRESS = '0x' & Hex(StringInStr($DATA, $AUTOPATH[0])/2 + 0x400000 - 1)

	GUICtrlSetData($OUTPUT_BASE, $REALBASEADDRESS)
	GUICtrlSetData($OUTPUT_PACKET, $SENDPACKETADDRESS)
	GUICtrlSetData($OUTPUT_AUTOPATH, $AUTOPATHADDRESS)
EndFunc

Func Rev($string)
	Local $all
	For $i = StringLen($string) + 1 To 1 Step -2
		$all = $all & StringMid($string, $i, 2)
	Next
	Return $all
EndFunc

Func _Exit()
	Exit
EndFunc

[Stark77]

thank you alot =)

i am still not sure why this happens but the .exe gives me the correct results. if i run the script in autoit (SciTE editor) its not working. maybe autohotkey and autoit have a conflict. if i compile the au3-file to an exe, this is also not working. ill try to investigate this abit and reinstall autoit. but its working. great job

[jollyjoker0305]

Sorry, i didn't get it clear. PW now have 2 type of Auto Move, i don't know what it's named but this is what they do:
- One can avoid object and only work when you are running or riding your mount
- One go direct to target, and if you are flying, you can adjust Z or stop flying when reach target

What is denzjh's function for?

If you need, i will give you the function i'm using. It is "very old way" move and can fly up/down vertically. But beware, it not use packet to move because i'm too lazy to write a "distance traveled calculator"

[Stark77]

the function in this thread is the autopathing (alt+clickL ingame).

it moves to x,y and avoids obstacles like trees. while flying, it can only adjust the height in 45 degree. so it can not fly vertical up and down. u can also choose to drop down if u are at the destination after flying.

so if u can provide a method to fly vertically without packets or key sending, iam sure it would be useful for the community here.

[Smurfin]

Any news on the other movement method yet ? The one for moving vertically.

[Remmm]

injeckt moveToXYZ

Code:

 Walk1 = $49FF80;
  Walk2 = $4A6320;
  Walk3 = $4A0590;
  ActArr = $13EC;
 injcode.s ="60"                   ;60             PUSHAD
 injcode=injcode+"b800000000"      ;B8 00000000    MOV EAX,#Baseadr
 injcode=injcode+"8b00"            ;8B00           MOV EAX,DWORD PTR DS:[EAX]
 injcode=injcode+"8b401c"          ;8B40 1C        MOV EAX,DWORD PTR DS:[EAX+1C]
 injcode=injcode+"8b7028"          ;8B70 28        MOV ESI,DWORD PTR DS:[EAX+28]
 injcode=injcode+"8B8E00000000"    ;8B8E 11111111  MOV ECX,DWORD PTR DS:[ESI+ActArr]
 injcode=injcode+"6a01"            ;6A 01          PUSH 1
 injcode=injcode+"BA00000000"      ;BA 00000000    MOV EDX,Walk1
 injcode=injcode+"FFD2"            ;FFD2           CALL EDX
 injcode=injcode+"8bf8"            ;8BF8           MOV EDI,EAX
 injcode=injcode+"8d442418"        ;8D4424 18      LEA EAX,DWORD PTR SS:[ESP+18]
 injcode=injcode+"50"              ;50             PUSH EAX
 injcode=injcode+"ba00000000"      ;BA 00000000    MOV EDX, fly mode
 injcode=injcode+"52"              ;52             PUSH EDX
 injcode=injcode+"8bcf"            ;8BCF           MOV ECX,EDI
 injcode=injcode+"BA00000000"      ;BA 00000000    MOV EDX,Walk2
 injcode=injcode+"ffd2"            ;FFD2           CALL EDX
 injcode=injcode+"8b8e00000000"    ;8B8E 22222222  MOV ECX,DWORD PTR DS:[ESI+ActArr]
 injcode=injcode+"b800000000"      ;B8 00000000    MOV EAX,x
 injcode=injcode+"8bd7"            ;8BD7           MOV EDX,EDI
 injcode=injcode+"83c220"          ;83C2 20        ADD EDX,20
 injcode=injcode+"8902"            ;8902           MOV DWORD PTR DS:[EDX],EAX
 injcode=injcode+"b800000000"      ;B8 00000000    MOV EAX,z
 injcode=injcode+"8bd7"            ;8BD7           MOV EDX,EDI
 injcode=injcode+"83c224"          ;83C2 24        ADD EDX,24
 injcode=injcode+"8902"            ;8902           MOV DWORD PTR DS:[EDX],EAX
 injcode=injcode+"b800000000"      ;B8 00000000    MOV EAX,y
 injcode=injcode+"8bd7"            ;8BD7           MOV EDX,EDI
 injcode=injcode+"83c228"          ;83C2 28        ADD EDX,28
 injcode=injcode+"8902"            ;8902           MOV DWORD PTR DS:[EDX],EAX
 injcode=injcode+"6A00"            ;6A 00          PUSH 0
 injcode=injcode+"6A01"            ;6A 01          PUSH 1
 injcode=injcode+"57"              ;57             PUSH EDI
 injcode=injcode+"6A01"            ;6A 01          PUSH 1
 injcode=injcode+"BA00000000"      ;BA 00000000    MOV EDX,Walk3
 injcode=injcode+"ffd2"            ;FFD2           CALL EDX
 injcode=injcode+"61"              ;61             POPAD
 injcode=injcode+"c3"              ;C3             RETN

[denzjh]

Well here is the AutoIt version of the said script. ^_^
Attached is the Address Retriever which includes the 3 new Addresses of the Called Built-in Functions for this new MoveTo Function

It can move vertically so Rejoice!
^___^

 Spoiler

Code:

$ADDRESS_BASE = 0xD22C74
$ADDRESS_ACTION1 = 0x49FF80
$ADDRESS_ACTION2 = 0x4A6320
$ADDRESS_ACTION3 = 0x4A0590
$OFFSET_ACTIONBASE = 0x13EC

Func MoveXYZ($GAME_X, $GAME_Y, $GAME_Z, $MOVEVERT=0)
	$DEST_X = $GAME_X*10-4000
	$DEST_Y = $GAME_Y*10-5500	
	$DEST_Z = $GAME_Z*10
	MoveTo($DEST_X, $DEST_Y, $DEST_Z, $MOVEVERT)
EndFunc

Func MoveTo($DEST_X, $DEST_Y, $DEST_Z, $FLYMODE=0)
	;Declare local variables

	;Open process for given processId
	$processHandle = $GAME_PROCESS[1]

	;Allocate memory for the OpCode and retrieve address for this
	$functionAddress = DllCall('kernel32.dll', 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', 100, 'int', 0x1000, 'int', 0x40)

	;Construct the OpCode for calling the 'MoveXYZ' function
	$OPcode = "60"                   			;60             PUSHAD
	$OPcode &= "B8" & _Hex($ADDRESS_BASE)     	;B8 00000000    MOV EAX,#Baseadr
	$OPcode &= "8B00"            				;8B00           MOV EAX,DWORD PTR DS:[EAX]
	$OPcode &= "8B401C"          				;8B40 1C        MOV EAX,DWORD PTR DS:[EAX+1C]
	$OPcode &= "8B7028"          				;8B70 28        MOV ESI,DWORD PTR DS:[EAX+28]
	$OPcode &= "8B8E" & _Hex($OFFSET_ACTIONBASE);8B8E 11111111  MOV ECX,DWORD PTR DS:[ESI+ActArr]
	$OPcode &= "6A01"            				;6A 01          PUSH 1
	$OPcode &= "BA" & _Hex($ADDRESS_ACTION1)    ;BA 00000000    MOV EDX,Walk1
	$OPcode &= "FFD2"            				;FFD2           CALL EDX
	$OPcode &= "8BF8"            				;8BF8           MOV EDI,EAX
	$OPcode &= "8D442418"        				;8D4424 18      LEA EAX,DWORD PTR SS:[ESP+18]
	$OPcode &= "50"              				;50             PUSH EAX
	$OPcode &= "BA" & _Hex($FLYMODE)      		;BA 00000000    MOV EDX, fly mode
	$OPcode &= "52"              				;52             PUSH EDX
	$OPcode &= "8BCF"            				;8BCF           MOV ECX,EDI
	$OPcode &= "BA" & _Hex($ADDRESS_ACTION2)    ;BA 00000000    MOV EDX,Walk2
	$OPcode &= "FFD2"            				;FFD2           CALL EDX
	$OPcode &= "8B8E" & _Hex($OFFSET_ACTIONBASE);8B8E 22222222  MOV ECX,DWORD PTR DS:[ESI+ActArr]
	$OPcode &= "B8" & _Hex($DEST_X, 8, 'float') ;B8 00000000    MOV EAX,x
	$OPcode &= "8BD7"            				;8BD7           MOV EDX,EDI
	$OPcode &= "83C220"          				;83C2 20        ADD EDX,20
	$OPcode &= "8902"            				;8902           MOV DWORD PTR DS:[EDX],EAX
	$OPcode &= "B8" & _Hex($DEST_Z, 8, 'float') ;B8 00000000    MOV EAX,z
	$OPcode &= "8BD7"            				;8BD7           MOV EDX,EDI
	$OPcode &= "83C224"          				;83C2 24        ADD EDX,24
	$OPcode &= "8902"            				;8902           MOV DWORD PTR DS:[EDX],EAX
	$OPcode &= "B8" & _Hex($DEST_Y, 8, 'float') ;B8 00000000    MOV EAX,y
	$OPcode &= "8BD7"            				;8BD7           MOV EDX,EDI
	$OPcode &= "83C228"          				;83C2 28        ADD EDX,28
	$OPcode &= "8902"            				;8902           MOV DWORD PTR DS:[EDX],EAX
	$OPcode &= "6A00"            				;6A 00          PUSH 0
	$OPcode &= "6A01"            				;6A 01          PUSH 1
	$OPcode &= "57"              				;57             PUSH EDI
	$OPcode &= "6A01"            				;6A 01          PUSH 1
	$OPcode &= "BA" & _Hex($ADDRESS_ACTION3)    ;BA 00000000    MOV EDX,Walk3
	$OPcode &= "FFD2"            				;FFD2           CALL EDX
	$OPcode &= "61"              				;61             POPAD
	$OPcode &= "C3"              				;C3             RETN

	;Put the OpCode into a struct for later memory writing
	$vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
	For $loop = 1 To DllStructGetSize($vBuffer)
		DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
	Next

	;Write the OpCode to previously allocated memory
	DllCall('kernel32.dll', 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)


	;Create a remote thread in order to run the OpCode
	$hRemoteThread = DllCall('kernel32.dll', 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress[0], 'ptr', 0, 'int', 0, 'int', 0)

	;Wait for the remote thread to finish
	Do
		$result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
	Until $result[0] <> 258

	;Close the handle to the previously created remote thread
	DllCall('kernel32.dll', 'int', 'CloseHandle', 'int', $hRemoteThread[0])

	;Free the previously allocated memory
	DllCall('kernel32.dll', 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $functionAddress[0], 'int', 0, 'int', 0x8000)

	Return True
EndFunc

Func _Hex($Value, $size=8, $type="int")
	Local $tmp1, $tmp2, $i
	If($type = "int") Then
        $tmp1 = StringRight("000000000" & Hex($Value), $size)
    ElseIf($type = "float") Then
        $tmp1 = StringRight("000000000" & _FloatToHex($Value), $size)
    EndIf
    For $i = 0 To StringLen($tmp1) / 2 - 1
        $tmp2 = $tmp2 & StringMid($tmp1, StringLen($tmp1) - 1 - 2 * $i, 2)
    Next
    Return $tmp2
EndFunc

[Stark77]

You guys are the best

i'd love to know how to find such OPcodes but thanks alot for sharing this.

Also thanks for the exe version of the address finder. I still havent figured out why the au3 isnt working for me so this is very helpful.

here copy pasted to AHK:

 Spoiler

Code:

normalMoveTo(X,Y,Z=0,flyflag=0)
{
	if (X < 1000)
	{
		X := floattohex((X*10)-4000) 
		Y := floattohex((Y*10)-5500) 
		Z := floattohex(Z*10)
	}
		
	revHex(revX, X)
	revHex(revY, Y)
	revHex(revZ, Z)
	revHex(revBaseAddress, realbaseAddress)
	revHex(ADDRESS_ACTION1, 0x49FF80)
	revHex(ADDRESS_ACTION2, 0x4A6320)
	revHex(ADDRESS_ACTION3, 0x4A0590)
	revHex(OFFSET_ACTIONBASE, 0x13EC)
	revHex(FLYMODE, flyflag)
	
	winget, pid, PID, ahk_pid %processID%
	ProcessHandle 	:= 	DllCall("OpenProcess", "int", 2035711, "char", 1, "UInt", PID, "UInt")
	functionSize 	:=  0x6D
	functionAddress :=  DllCall("VirtualAllocEx", "Uint", ProcessHandle, "Uint", 0, "Uint", functionSize, "Uint", 0x1000, "Uint", 0x40)
	
	func =					
	func = %func%60
	func = %func%B8%revBaseAddress%
	func = %func%8B00
	func = %func%8B401C
	func = %func%8B7028
	func = %func%8B8E%OFFSET_ACTIONBASE%
	func = %func%6A01
	func = %func%BA%ADDRESS_ACTION1%
	func = %func%FFD2
	func = %func%8BF8
	func = %func%8D442418
	func = %func%50
	func = %func%BA%FLYMODE%
	func = %func%52
	func = %func%8BCF
	func = %func%BA%ADDRESS_ACTION2%
	func = %func%FFD2
	func = %func%8B8E%OFFSET_ACTIONBASE%
	func = %func%B8%revX%
	func = %func%8BD7
	func = %func%83C220
	func = %func%8902
	func = %func%B8%revZ%
	func = %func%8BD7
	func = %func%83C224
	func = %func%8902
	func = %func%B8%revY%
	func = %func%8BD7
	func = %func%83C228
	func = %func%8902
	func = %func%6A00
	func = %func%6A01
	func = %func%57
	func = %func%6A01
	func = %func%BA%ADDRESS_ACTION3%
	func = %func%FFD2
	func = %func%61
	func = %func%C3

	MCode(normalWalkFunction, func)
	DllCall("WriteProcessMemory", "UInt", ProcessHandle, "UInt", functionAddress, "Uint", &normalWalkFunction, "Uint", functionSize, "Uint *", 0)
	SetFormat, IntegerFast, d
	hThrd := DllCall("CreateRemoteThread", "Uint", ProcessHandle, "Uint", 0, "Uint", 0, "Uint", functionAddress, "Uint", 0, "Uint", 0, "Uint", 0)
	loop
	{
		result := DllCall( "WaitForSingleObject", UInt,hThrd, UInt,50 ) 
		if(result <> 258)
		{
			break
		}
		sleep 50
		if(A_Index > 100)
		{
			break
		}
	}
	DllCall( "CloseHandle", UInt,hThrd )
	DllCall("VirtualFreeEx", "Uint", ProcessHandle, "Uint", functionAddress, "Uint", 0, "Uint", 0x8000)
	DllCall( "CloseHandle", UInt,ProcessHandle ) 
}

-.-.-.-.-.-.--.-.-.-.-.-.--.-.-.-.-.-.--.-.-.-.-.-.--.-.-.-.-.-.--.-.-.-.-.-.--.-.-.-.-.-.-

Does anyone has a snipet how to use skills now since the action structs dont work? I am doing it with packets, but those dont move to the object so i use for skill a normal attack till the skill is in cooldown. see here:

 Spoiler

Code:

UseSkill(skillId,selfbuff=0,fast=0,range=0)
{
	;~ InteractWith(gettarget(), 3, skillId,1) - this was the old action struct
	packet := ""
	revHex(revSkillId, skillId)
	if (selfbuff = 1)
		revHex(target, PlayerID)
	else
		revHex(target, gettarget())
	if (fast = 1)
		packet = %packet%5000%revSkillId%0101%target%
	else
		packet = %packet%2900%revSkillId%0101%target%
	packetSize := 0xC
	packetSizeStr := "0C"

	if (range=1)
	{
		while ((GetSkillCooldown(skillId) = 0) AND (gettargethp() > 0))
		{
			normalattack()
			sleep, 300
			sendPacket(packet, packetSizeStr, packetsize, processID)
			sleep, 500
		}
	}else	
		sendPacket(packet, packetSizeStr, packetsize, processID)
}

to talk to a npc i move near it (must be lower than 5 meter) this way:

 Spoiler

Code:

r := checkRange()  ~; 10*sqrt(dx^2+dy^2+dz^2)
if (r > 5)
{
  x := getx() + ((r-4.8)/r)*(gettargetx()-getx())
  y := gety() + ((r-4.8)/r)*(gettargety()-gety())
  walkto(x,y)	
}

[Smurfin]

Ah finally a working vertical movement script, and it's already in AutoIt. Thanks a ton !

[denzjh]

Quote:

Originally Posted by Stark77

Does anyone has a snipet how to use skills now since the action structs dont work? I am doing it with packets, but those dont move to the object so i use for skill a normal attack till the skill is in cooldown. see here:

For Interact-To-Dig

 Spoiler

Code:

00495D6F  |. 8B8F EC130000  MOV ECX,DWORD PTR DS:[EDI+13EC]
00495D75  |. 6A 02          PUSH 2
00495D77  |. E8 04A20000    CALL PWI.0049FF80
00495D7C  |. 8B5424 14      MOV EDX,DWORD PTR SS:[ESP+14]  <-- ITEM ID/POINTER
00495D80  |. 8BF0           MOV ESI,EAX
00495D82  |. F6DB           NEG BL
00495D84  |. 1BDB           SBB EBX,EBX
00495D86  |. 52             PUSH EDX
00495D87  |. 83E3 03        AND EBX,3
00495D8A  |. 6A 00          PUSH 0
00495D8C  |. 43             INC EBX
00495D8D  |. 8BCE           MOV ECX,ESI
00495D8F  |. 53             PUSH EBX
00495D90  |. 55             PUSH EBP
00495D91  |. E8 2A5A0100    CALL PWI.004AB7C0
00495D96  |. 50             PUSH EAX                                 ; |Arg1
00495D97  |. 8BCE           MOV ECX,ESI                              ; |
00495D99  |. E8 62580100    CALL PWI.004AB600                        ; \PWI.004AB600
00495D9E  |. 8B8F EC130000  MOV ECX,DWORD PTR DS:[EDI+13EC]
00495DA4  |. 6A 00          PUSH 0
00495DA6  |. 56             PUSH ESI
00495DA7  |. 6A 01          PUSH 1
00495DA9  |. E8 E2A70000    CALL PWI.004A0590

To Interact-To-TalktoNPC

 Spoiler

Code:

00490A12  |. 8B8F EC130000  MOV ECX,DWORD PTR DS:[EDI+13EC]
00490A18  |. 6A 02          PUSH 2
00490A1A  |. E8 61F50000    CALL PWI.0049FF80
00490A1F  |. 8B5424 18      MOV EDX,DWORD PTR SS:[ESP+18]
00490A23  |. 6A 00          PUSH 0
00490A25  |. 8BF0           MOV ESI,EAX
00490A27  |. 52             PUSH EDX
00490A28  |. 55             PUSH EBP
00490A29  |. 53             PUSH EBX
00490A2A  |. 8BCE           MOV ECX,ESI
00490A2C  |. E8 8FAD0100    CALL PWI.004AB7C0
00490A31  |. 50             PUSH EAX                                 ; |Arg1
00490A32  |. 8BCE           MOV ECX,ESI                              ; |
00490A34  |. E8 C7AB0100    CALL PWI.004AB600                        ; \PWI.004AB600
00490A39  |. 8B8F EC130000  MOV ECX,DWORD PTR DS:[EDI+13EC]
00490A3F  |. 6A 00          PUSH 0
00490A41  |. 56             PUSH ESI
00490A42  |. 6A 01          PUSH 1
00490A44  |. E8 47FB0000    CALL PWI.004A0590

For Interact-To-Normal Attack (Left Click the NPC when its already selected or double left click when not selected)

 Spoiler

Code:

00495BD9  |> 8B8F EC130000  MOV ECX,DWORD PTR DS:[EDI+13EC]
00495BDF  |. 6A 02          PUSH 2
00495BE1  |. E8 9AA30000    CALL PWI.0049FF80
00495BE6  |. 8BF0           MOV ESI,EAX
00495BE8  |. B3 01          MOV BL,1
00495BEA  |> 85F6           TEST ESI,ESI
00495BEC  |. 74 46          JE SHORT PWI.00495C34
00495BEE  |. 8B4424 14      MOV EAX,DWORD PTR SS:[ESP+14]
00495BF2  |. 8B4C24 18      MOV ECX,DWORD PTR SS:[ESP+18]
00495BF6  |. 50             PUSH EAX
00495BF7  |. 51             PUSH ECX
00495BF8  |. 6A 00          PUSH 0
00495BFA  |. 55             PUSH EBP
00495BFB  |. 8BCE           MOV ECX,ESI
00495BFD  |. E8 BE5B0100    CALL PWI.004AB7C0
00495C02  |. 50             PUSH EAX                                 ; |Arg1
00495C03  |. 8BCE           MOV ECX,ESI                              ; |
00495C05  |. E8 F6590100    CALL PWI.004AB600                        ; \PWI.004AB600
00495C0A  |. 8B5424 1C      MOV EDX,DWORD PTR SS:[ESP+1C]
00495C0E  |. 8B4E 40        MOV ECX,DWORD PTR DS:[ESI+40]
00495C11  |. 52             PUSH EDX
00495C12  |. E8 299D4E00    CALL PWI.0097F940
00495C17  |. 84DB           TEST BL,BL
00495C19  |. 74 10          JE SHORT PWI.00495C2B
00495C1B  |. 8B8F EC130000  MOV ECX,DWORD PTR DS:[EDI+13EC]
00495C21  |. 6A 00          PUSH 0
00495C23  |. 56             PUSH ESI
00495C24  |. 6A 01          PUSH 1
00495C26  |. E8 65A90000    CALL PWI.004A0590

For Interact-To-Cast-Spell

 Spoiler

Code:

0048E559  |. 8B8E EC130000  MOV ECX,DWORD PTR DS:[ESI+13EC]
0048E55F  |. 6A 02          PUSH 2
0048E561  |. E8 1A1A0100    CALL PWI.0049FF80
0048E566  |. 8B4C24 1C      MOV ECX,DWORD PTR SS:[ESP+1C]
0048E56A  |. 8B5424 14      MOV EDX,DWORD PTR SS:[ESP+14]
0048E56E  |. 51             PUSH ECX
0048E56F  |. 8BF8           MOV EDI,EAX
0048E571  |. 52             PUSH EDX
0048E572  |. 6A 03          PUSH 3
0048E574  |. 53             PUSH EBX
0048E575  |. 8BCF           MOV ECX,EDI
0048E577  |. E8 44D20100    CALL PWI.004AB7C0
0048E57C  |. 50             PUSH EAX                                 ; |Arg1
0048E57D  |. 8BCF           MOV ECX,EDI                              ; |
0048E57F  |. E8 7CD00100    CALL PWI.004AB600                        ; \PWI.004AB600
0048E584  |. 6A 00          PUSH 0
0048E586  |. 896F 34        MOV DWORD PTR DS:[EDI+34],EBP
0048E589  |. 8B8E EC130000  MOV ECX,DWORD PTR DS:[ESI+13EC]
0048E58F  |. 57             PUSH EDI
0048E590  |. 6A 01          PUSH 1
0048E592  |. E8 F91F0100    CALL PWI.004A0590

For Cast Spell

 Spoiler

Code:

00482BF9  |> 8B8E EC130000  MOV ECX,DWORD PTR DS:[ESI+13EC]
00482BFF  |. 6A 04          PUSH 4
00482C01  |. E8 7AD30100    CALL PWI.0049FF80
00482C06  |. 8B8E C4070000  MOV ECX,DWORD PTR DS:[ESI+7C4]
00482C0C  |. 8B57 04        MOV EDX,DWORD PTR DS:[EDI+4]
00482C0F  |. 8BD8           MOV EBX,EAX
00482C11  |. 55             PUSH EBP
00482C12  |. 51             PUSH ECX
00482C13  |. 52             PUSH EDX
00482C14  |. 8BCB           MOV ECX,EBX
00482C16  |. E8 D56C0200    CALL PWI.004A98F0
00482C1B  |. 8B8E EC130000  MOV ECX,DWORD PTR DS:[ESI+13EC]
00482C21  |. 6A 00          PUSH 0
00482C23  |. 53             PUSH EBX
00482C24  |. 6A 01          PUSH 1
00482C26  |. E8 65D90100    CALL PWI.004A0590

As you will notice that there are 2 functions called similar to the MoveXYZ function by Remmm. These are "PWI.0049FF80" and "PWI.004A0590". And there are functions called in between them. Thus, we can name them as PerformAction and FinishAction respectively, Right?.

Unfortunately, I do not know ASM language and I can not translate them as Injectable Function...

Hopefully someone like Remmm can

[Remmm]

Code:

Procedure PicWalcLyt(wid,type)
  calladr=$495C40
  GameAdr=$00D23414
  injcode.s ="60"                   ;60             PUSHAD 
  injcode=injcode+"B900000000"      ;B9 00000000    MOV ECX, GameAdr
  injcode=injcode+"8B09"            ;8B09           MOV ECX,DWORD PTR DS:[ECX]
  injcode=injcode+"8B4928"          ;8B49 28        MOV ECX,DWORD PTR DS:[ECX+28] ; pers_str
  injcode=injcode+"6800000000"      ;68 00000000    PUSH 0-lyt , 1- mine
  injcode=injcode+"6800000000"      ;68 00000000    PUSH wid
  injcode=injcode+"BB00000000"      ;BB 00000000    MOV EBX,caladr
  injcode=injcode+"FFD3"            ;FFD3           CALL EBX
  injcode=injcode+"61"              ;61             POPAD
  injcode=injcode+"c3"              ;C3             RETN

[Underavelvetmoon]

So if im correct after reading those snippets, in order to make a function (That doesnt come from Packets or Memory Read/Write) you pretty much copy the opcode from IDA/Olly, find where the function parameters are, attach them to (in my case) autoit declarations e.g Func Move($X, $Y, $Z) then a bunch of opcode where x y z are put into use?

That seems incredibly simple - albeit ive never attempted that - but does make a lot of sense. Would make it incredibly easy to make an API or something if thats the case.

Its a shame that theres no generalized API for PWI, like gwa2 for Guild Wars. Would make coding much more easy, but I guess this way you learn a lot. I would never start experimenting with opcode xD