PWI Eclipse changes
Discussion on PWI Eclipse changes within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.
01/14/2015, 20:03
#16
i love u - the pathing is working - thanks again
the address finder sadly isn't working for me:
Base Address = 0x00D22C74
SendPacket Address = 0x415E0BF420000000
AutoPath Address = 0x4151565020000000
01/14/2015, 20:47
#17
Can u upload the elementclient.exe and link it here? I will try and check what's wrong with it...
01/14/2015, 21:03
#18
sure. i put it in the attachment. thanks for your effort.
below is my autohotkey version of your autopathing in case someone uses this. code AND comments sponsored by Interest in WQ pot :P
; Client-build-specific addresses used by autopath(). They are the values the
; address retriever later in this thread reports, and they change between
; client builds, so they have to be refreshed after a client patch.
global realBaseAddress := 0xD22C74
global AutoPathAddress := 0x455940
; Invoke the client's own auto-path routine for a destination: a small x86 stub
; is assembled as hex text, written into the game process and executed on a
; remote thread, then the memory is released again.
; X, Y: destination. Values below 1000 are treated as map coordinates: they are
;       scaled/offset and converted by floattohex(); anything else is passed
;       through unchanged.
; Z:    optional third component, used as given.
; Uses names defined elsewhere in the script: floattohex, revHex, processID,
; MCode. Returns nothing; failures of the Win32 calls are not reported.
autopath(X,Y,Z=0)
{
if X < 1000
X := floattohex((X*10)-4000)
if Y < 1000
Y := floattohex((Y*10)-5500)
; revHex() (not on this page) fills its first argument; presumably the
; byte-reversed hex text the stub needs for its little-endian immediates —
; TODO confirm its output width (see the size note before WriteProcessMemory).
revHex(revX, X)
revHex(revY, Y)
revHex(revZ, Z)
revHex(revBaseAddress, realbaseAddress)
revHex(revAutoPathAddress, AutoPathAddress)
winget, pid, PID, ahk_pid %processID%
; 2035711 = 0x1F0FFF, the classic PROCESS_ALL_ACCESS mask.
; NOTE(review): neither the OpenProcess nor the VirtualAllocEx result is
; checked; a 0 handle or address silently flows into every call below.
ProcessHandle := DllCall("OpenProcess", "int", 2035711, "char", 1, "UInt", PID, "UInt")
; Fixed size used for both the allocation and the later write; it is not
; derived from the stub that is actually assembled below.
functionSize := 0x7F
; 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE
functionAddress := DllCall("VirtualAllocEx", "Uint", ProcessHandle, "Uint", 0, "Uint", functionSize, "Uint", 0x1000, "Uint", 0x40)
; The stub, two hex characters per byte: pushad; load Y/Z/X and the argument
; constants; load ecx from [[realBaseAddress]+0x1C] (presumably a this
; pointer) and call AutoPathAddress through ebx; repeat the call with only Z;
; popad; ret. The mnemonic-annotated listings later in the thread use the
; same layout.
func =
func = %func%60
func = %func%B9%revY%
func = %func%BA%revZ%
func = %func%B8%revX%
func = %func%6a00
func = %func%51
func = %func%52
func = %func%50
func = %func%6a03
func = %func%6a00
func = %func%6a00
func = %func%684A010000
func = %func%b9%revBaseAddress%
func = %func%8B09
func = %func%83C11C
func = %func%8B09
func = %func%BB%revAutoPathAddress%
func = %func%FFD3
func = %func%B9%revZ%
func = %func%6A00
func = %func%6A00
func = %func%6A00
func = %func%51
func = %func%6A01
func = %func%6A00
func = %func%6A00
func = %func%684A010000
func = %func%B9%revBaseAddress%
func = %func%8B09
func = %func%83C11C
func = %func%8B09
func = %func%BB%revAutoPathAddress%
func = %func%FFD3
func = %func%61
func = %func%C3
MCode(autopathFunction, func)
; NOTE(review): the write length is functionSize (127 bytes) while MCode sized
; autopathFunction from the hex string. With 8-digit rev* values the stub is
; 95 bytes, so 32 bytes past the end of the buffer are copied as well — confirm
; revHex's output width, or derive the length from StrLen(func)//2.
DllCall("WriteProcessMemory", "UInt", ProcessHandle, "UInt", functionAddress, "Uint", &autopathFunction, "Uint", functionSize, "Uint *", 0)
; presumably restores decimal integer formatting changed by a helper above — TODO confirm
SetFormat, IntegerFast, d
hThrd := DllCall("CreateRemoteThread", "Uint", ProcessHandle, "Uint", 0, "Uint", 0, "Uint", functionAddress, "Uint", 0, "Uint", 0, "Uint", 0)
; Poll the remote thread; 258 is WAIT_TIMEOUT. The loop also gives up after
; 100 rounds (about 10 s), after which the handle is closed and the stub
; memory released below even if the thread has not finished.
loop
{
result := DllCall( "WaitForSingleObject", UInt,hThrd, UInt,50 )
if(result <> 258)
{
break
}
sleep 50
if(A_Index > 100)
{
break
}
}
DllCall( "CloseHandle", UInt,hThrd )
; 0x8000 = MEM_RELEASE
DllCall("VirtualFreeEx", "Uint", ProcessHandle, "Uint", functionAddress, "Uint", 0, "Uint", 0x8000)
DllCall( "CloseHandle", UInt,ProcessHandle )
}
MCode(ByRef code, hex) { ; decode a hex string into a raw byte buffer held in 'code'
; One byte per pair of hex characters; a trailing odd character is ignored.
; The buffer is sized exactly to the decoded length and is not zero-filled.
byteCount := StrLen(hex)//2
VarSetCapacity(code, byteCount)
pos := 1
while (pos < StrLen(hex))
{
NumPut("0x" . SubStr(hex, pos, 2), code, (pos-1)//2, "Char")
pos += 2
}
}
Attached Files
elementclient.zip
(3.96 MB, 54 views)
01/15/2015, 06:50
#19
Quote:
Originally Posted by
Stark77
sure. i put it in the attachment. thanks for your effort.
below is my autohotkey version of your autopathing in case some uses this. code AND comments sponsored by Interest in WQ pot :P
global realBaseAddress := 0xD22C74
global AutoPathAddress := 0x455940
autopath(X,Y,Z=0)
{
if X < 1000
X := floattohex((X*10)-4000)
if Y < 1000
Y := floattohex((Y*10)-5500)
revHex(revX, X)
revHex(revY, Y)
revHex(revZ, Z)
revHex(revBaseAddress, realbaseAddress)
revHex(revAutoPathAddress, AutoPathAddress)
winget, pid, PID, ahk_pid %processID%
ProcessHandle := DllCall("OpenProcess", "int", 2035711, "char", 1, "UInt", PID, "UInt")
functionSize := 0x7F
functionAddress := DllCall("VirtualAllocEx", "Uint", ProcessHandle, "Uint", 0, "Uint", functionSize, "Uint", 0x1000, "Uint", 0x40)
func =
func = %func%60
func = %func%B9%revY%
func = %func%BA%revZ%
func = %func%B8%revX%
func = %func%6a00
func = %func%51
func = %func%52
func = %func%50
func = %func%6a03
func = %func%6a00
func = %func%6a00
func = %func%684A010000
func = %func%b9%revBaseAddress%
func = %func%8B09
func = %func%83C11C
func = %func%8B09
func = %func%BB%revAutoPathAddress%
func = %func%FFD3
func = %func%B9%revZ%
func = %func%6A00
func = %func%6A00
func = %func%6A00
func = %func%51
func = %func%6A01
func = %func%6A00
func = %func%6A00
func = %func%684A010000
func = %func%B9%revBaseAddress%
func = %func%8B09
func = %func%83C11C
func = %func%8B09
func = %func%BB%revAutoPathAddress%
func = %func%FFD3
func = %func%61
func = %func%C3
MCode(autopathFunction, func)
DllCall("WriteProcessMemory", "UInt", ProcessHandle, "UInt", functionAddress, "Uint", &autopathFunction, "Uint", functionSize, "Uint *", 0)
SetFormat, IntegerFast, d
hThrd := DllCall("CreateRemoteThread", "Uint", ProcessHandle, "Uint", 0, "Uint", 0, "Uint", functionAddress, "Uint", 0, "Uint", 0, "Uint", 0)
loop
{
result := DllCall( "WaitForSingleObject", UInt,hThrd, UInt,50 )
if(result <> 258)
{
break
}
sleep 50
if(A_Index > 100)
{
break
}
}
DllCall( "CloseHandle", UInt,hThrd )
DllCall("VirtualFreeEx", "Uint", ProcessHandle, "Uint", functionAddress, "Uint", 0, "Uint", 0x8000)
DllCall( "CloseHandle", UInt,ProcessHandle )
}
MCode(ByRef code, hex) { ; allocate memory and write Machine Code there
VarSetCapacity(code,StrLen(hex)//2)
Loop % StrLen(hex)//2
NumPut("0x" . SubStr(hex,2*A_Index-1,2), code, A_Index-1, "Char")
}
Are you using the script (the one for searching for Base/SendPacket/AutoPath Address) in AutoIt or are you converting them to AutoHotKey?
I attached a zip file with some compiled exe's and the script for the said address retriever.
And here is the code for the said address retriever (PWI client v829 aka PWI Eclipse client):
Code:
; Address retriever GUI: a window with three output fields (Base, Send Packet,
; Auto Path), a path field for the client executable, and Browse / Retrieve
; buttons. The handlers are GetClientExe() and RetrieveAddress() below; the
; scan works on the executable file, not on a running process.
Opt("GUICloseOnESC", 0)
; Event mode: control and window events run the functions bound below.
Opt("GUIOnEventMode", 1)
Opt("TrayAutoPause", 0)
Opt("TrayMenuMode", 1)
GUICreate("PWI Essential Addresses", 400, 140)
GUISetOnEvent($GUI_EVENT_CLOSE, "_Exit")
GUICtrlCreateLabel("Base: ", 5, 10)
$OUTPUT_BASE = GUICtrlCreateInput("0x00000000", 100, 10, 80, 18)
GUICtrlCreateLabel("Send Packet: ", 5, 30)
$OUTPUT_PACKET = GUICtrlCreateInput("0x00000000", 100, 30, 80, 18)
GUICtrlCreateLabel("Auto Path: ", 5, 50)
$OUTPUT_AUTOPATH = GUICtrlCreateInput("0x00000000", 100, 50, 80, 18)
GUICtrlCreateLabel("Game Client: ", 5, 80)
; Default install location; the Browse button lets the user pick another file.
$DEFAULT_FOLDER = @ProgramFilesDir & "\Arc\PWI_En\element\"
$DEFAULT_CLIENT = "elementclient.exe"
$INPUT_GAME = GUICtrlCreateInput($DEFAULT_FOLDER & $DEFAULT_CLIENT, 100, 80, 290, 18)
GUICtrlCreateButton("Browse", 100, 100, 50, 25)
GUICtrlSetOnEvent(-1, "GetClientExe")
GUICtrlCreateButton("Retrieve", 160, 100, 50, 25)
GUICtrlSetOnEvent(-1, "RetrieveAddress")
GUISetState()
; Idle loop; all work happens in the event handlers.
While 1
Sleep(100)
WEnd
Func GetClientExe()
; Browse handler: let the user pick the client executable and show the chosen
; path in the path field (an empty string if the dialog was cancelled).
Local $sChosen = FileOpenDialog("Perfect World Client", $DEFAULT_FOLDER, "Executable (*.exe)", 1, $DEFAULT_CLIENT)
GUICtrlSetData($INPUT_GAME, $sChosen)
EndFunc
Func RetrieveAddress()
; Retrieve handler: read the selected client executable from disk, look for
; three byte patterns in its hex rendering, and display the addresses derived
; from the matches. Nothing is read from a running process.
GUICtrlSetData($OUTPUT_BASE, "0x00000000")
GUICtrlSetData($OUTPUT_PACKET, "0x00000000")
GUICtrlSetData($OUTPUT_AUTOPATH, "0x00000000")
$EXE = GUICtrlRead($INPUT_GAME)
If @error Then Return
; NOTE(review): FileOpen's result is not checked; for a bad path it is -1 and
; the FileRead below fails, leaving $DATA empty. 16 = binary mode.
$FILE = FileOpen($EXE, 16)
$DATA = FileRead($FILE, FileGetSize($EXE))
FileClose($FILE)
; The patterns are hex text, so $DATA is evidently matched as the hex
; rendering of the file bytes. The first pattern captures the 8 hex digits
; (4 bytes) following A1; the other two are only located, not captured.
$OPCODEBASE = 'A1(.{8})5332DB8B48.{2}'
$BASE = StringRegExp($DATA, $OPCODEBASE, 1)
$OPCODEPACKET = '6AFF68.{8}64A100000000506489250000000083EC185356578BF96A07'
$PACKET = StringRegExp($DATA, $OPCODEPACKET, 1)
$OPCODEAUTOPATH = '6AFF68.{8}64A100000000506489250000000083EC2053568BF18D4C2408E8.{8}8B4C243C8B542440'
$AUTOPATH = StringRegExp($DATA, $OPCODEAUTOPATH, 1)
; NOTE(review): @error reflects only the last StringRegExp. If either of the
; first two patterns did not match, $BASE[0] / $PACKET[0] below subscript a
; non-array. The message text also talks about an attached process, while
; this routine only reads a file.
If @error Then
MsgBox(0, "Issues Attaching For Offsets", "There may be another bot attached to this process. Please close that bot and try again")
Return
EndIf
; Base: the captured little-endian immediate, byte-reversed into a readable address.
$REALBASEADDRESS = '0x' & Rev($BASE[0])
; Packet / AutoPath: position of the match in the hex text, halved to a byte
; offset, plus 0x400000. This treats the file offset as the loaded address,
; which only holds while the section's raw and virtual offsets coincide —
; TODO confirm for this client.
$SENDPACKETADDRESS = '0x' & Hex(StringInStr($DATA, $PACKET[0])/2 + 0x400000 - 1)
$AUTOPATHADDRESS = '0x' & Hex(StringInStr($DATA, $AUTOPATH[0])/2 + 0x400000 - 1)
GUICtrlSetData($OUTPUT_BASE, $REALBASEADDRESS)
GUICtrlSetData($OUTPUT_PACKET, $SENDPACKETADDRESS)
GUICtrlSetData($OUTPUT_AUTOPATH, $AUTOPATHADDRESS)
EndFunc
Func Rev($string)
; Return $string with its two-character groups in reverse order, i.e. the
; byte-swap of a hex string ("74C2D200" -> "00D2C274"). The walk starts one
; past the end, so an odd-length input loses its first character, exactly as
; the position arithmetic dictates.
Local $sOut = ""
Local $iPos = StringLen($string) + 1
While $iPos >= 1
$sOut &= StringMid($string, $iPos, 2)
$iPos -= 2
WEnd
Return $sOut
EndFunc
Func _Exit()
; Window-close handler (bound via GUISetOnEvent above): terminate the script.
Exit
EndFunc
Attached Files
AddressRetriever.zip
(705.1 KB, 85 views)
01/15/2015, 14:30
#20
thank you alot =)
i am still not sure why this happens, but the .exe gives me the correct results. if i run the script in autoit (SciTE editor) it's not working. maybe autohotkey and autoit have a conflict. if i compile the au3 file to an exe, this is also not working. i'll try to investigate this a bit and reinstall autoit. but it's working. great job
01/15/2015, 18:35
#21
Sorry, i didn't get it clearly. PW now has 2 types of Auto Move; i don't know what they're named, but this is what they do:
- One can avoid objects and only works when you are running or riding your mount
- One goes directly to the target, and if you are flying, you can adjust Z or stop flying when you reach the target
What is denzjh's function for?
If you need it, i will give you the function i'm using. It is the "very old way" to move and can fly up/down vertically. But beware, it does not use packets to move because i'm too lazy to write a "distance traveled calculator"
01/15/2015, 20:14
#22
the function in this thread is the autopathing (alt+clickL ingame).
it moves to x,y and avoids obstacles like trees. while flying, it can only adjust the height at a 45 degree angle, so it cannot fly vertically up and down. u can also choose to drop down if u are at the destination after flying.
so if u can provide a method to fly vertically without packets or key sending, i'm sure it would be useful for the community here.
01/22/2015, 17:05
#23
Any news on the other movement method yet ? The one for moving vertically.
01/25/2015, 13:43
#24
inject moveToXYZ
Code:
; MoveToXYZ stub written as a PureBasic hex string, one instruction per line
; with its mnemonic. Walk1..Walk3 are the three client routines the stub
; calls and ActArr the field offset it reads through ESI.
; NOTE(review): every immediate in the string is left as 00000000; the four
; constants above and the x/y/z values are never spliced into injcode in this
; listing, so the bytes as written still need their immediates filled in.
; The AutoIt MoveTo() later in the thread shows the same stub with the
; values inserted.
Walk1 = $49FF80;
Walk2 = $4A6320;
Walk3 = $4A0590;
ActArr = $13EC;
injcode.s ="60" ;60 PUSHAD
injcode=injcode+"b800000000" ;B8 00000000 MOV EAX,#Baseadr
injcode=injcode+"8b00" ;8B00 MOV EAX,DWORD PTR DS:[EAX]
injcode=injcode+"8b401c" ;8B40 1C MOV EAX,DWORD PTR DS:[EAX+1C]
injcode=injcode+"8b7028" ;8B70 28 MOV ESI,DWORD PTR DS:[EAX+28]
injcode=injcode+"8B8E00000000" ;8B8E 11111111 MOV ECX,DWORD PTR DS:[ESI+ActArr]
injcode=injcode+"6a01" ;6A 01 PUSH 1
injcode=injcode+"BA00000000" ;BA 00000000 MOV EDX,Walk1
injcode=injcode+"FFD2" ;FFD2 CALL EDX
injcode=injcode+"8bf8" ;8BF8 MOV EDI,EAX
injcode=injcode+"8d442418" ;8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
injcode=injcode+"50" ;50 PUSH EAX
injcode=injcode+"ba00000000" ;BA 00000000 MOV EDX, fly mode
injcode=injcode+"52" ;52 PUSH EDX
injcode=injcode+"8bcf" ;8BCF MOV ECX,EDI
injcode=injcode+"BA00000000" ;BA 00000000 MOV EDX,Walk2
injcode=injcode+"ffd2" ;FFD2 CALL EDX
injcode=injcode+"8b8e00000000" ;8B8E 22222222 MOV ECX,DWORD PTR DS:[ESI+ActArr]
; The three coordinates are stored into the object returned by Walk1 (EDI)
; at +20, +24 and +28, in the order x, z, y.
injcode=injcode+"b800000000" ;B8 00000000 MOV EAX,x
injcode=injcode+"8bd7" ;8BD7 MOV EDX,EDI
injcode=injcode+"83c220" ;83C2 20 ADD EDX,20
injcode=injcode+"8902" ;8902 MOV DWORD PTR DS:[EDX],EAX
injcode=injcode+"b800000000" ;B8 00000000 MOV EAX,z
injcode=injcode+"8bd7" ;8BD7 MOV EDX,EDI
injcode=injcode+"83c224" ;83C2 24 ADD EDX,24
injcode=injcode+"8902" ;8902 MOV DWORD PTR DS:[EDX],EAX
injcode=injcode+"b800000000" ;B8 00000000 MOV EAX,y
injcode=injcode+"8bd7" ;8BD7 MOV EDX,EDI
injcode=injcode+"83c228" ;83C2 28 ADD EDX,28
injcode=injcode+"8902" ;8902 MOV DWORD PTR DS:[EDX],EAX
injcode=injcode+"6A00" ;6A 00 PUSH 0
injcode=injcode+"6A01" ;6A 01 PUSH 1
injcode=injcode+"57" ;57 PUSH EDI
injcode=injcode+"6A01" ;6A 01 PUSH 1
injcode=injcode+"BA00000000" ;BA 00000000 MOV EDX,Walk3
injcode=injcode+"ffd2" ;FFD2 CALL EDX
injcode=injcode+"61" ;61 POPAD
injcode=injcode+"c3" ;C3 RETN
01/25/2015, 20:16
#25
Well here is the AutoIt version of the said script. ^_^
Attached is the Address Retriever which includes the 3 new Addresses of the Called Built-in Functions for this new MoveTo Function
It can move vertically so Rejoice!
^___^
Code:
; Client-build-specific values for the MoveTo() stub: the base pointer, the
; three client routines the stub calls (Walk1..Walk3 in the PureBasic post
; above) and the field offset read through ESI. The attached Address
; Retriever reports them for the build under discussion; they change with
; client patches.
$ADDRESS_BASE = 0xD22C74
$ADDRESS_ACTION1 = 0x49FF80
$ADDRESS_ACTION2 = 0x4A6320
$ADDRESS_ACTION3 = 0x4A0590
$OFFSET_ACTIONBASE = 0x13EC
Func MoveXYZ($GAME_X, $GAME_Y, $GAME_Z, $MOVEVERT=0)
; Convert map coordinates to the client's internal units (the same scale and
; offsets the autopath scripts earlier in the thread use) and hand the result
; to MoveTo(). $MOVEVERT is passed through as MoveTo's fly-mode flag.
Local $iDestX = $GAME_X*10-4000
Local $iDestY = $GAME_Y*10-5500
Local $iDestZ = $GAME_Z*10
MoveTo($iDestX, $iDestY, $iDestZ, $MOVEVERT)
EndFunc
Func MoveTo($DEST_X, $DEST_Y, $DEST_Z, $FLYMODE=0)
; Run the client's move routine for an internal-unit destination by writing a
; small x86 stub into the game process and executing it on a remote thread.
; $DEST_X/$DEST_Y/$DEST_Z are encoded as floats, $FLYMODE as an int.
; Uses $GAME_PROCESS (opened elsewhere; not closed here) and _Hex() below.
; Always returns True; failures of the Win32 calls are not reported.
;Declare local variables
; NOTE(review): despite the comment above, nothing is declared Local here, so
; $processHandle, $functionAddress, $OPcode, $vBuffer etc. follow AutoIt's
; default scoping.
;Open process for given processId
$processHandle = $GAME_PROCESS[1]
;Allocate memory for the OpCode and retrieve address for this
; 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE. DllCall returns an array
; on success; on failure it returns a non-array and $functionAddress[0] below
; raises a runtime error. NOTE(review): 100 bytes are requested, but _Hex()
; defaults to 8 digits (4 bytes) per immediate, which makes the stub below 107
; bytes; the write only fits because the commit is page-granular — the request
; should cover the stub size.
$functionAddress = DllCall('kernel32.dll', 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', 100, 'int', 0x1000, 'int', 0x40)
;Construct the OpCode for calling the 'MoveXYZ' function
$OPcode = "60" ;60 PUSHAD
$OPcode &= "B8" & _Hex($ADDRESS_BASE) ;B8 00000000 MOV EAX,#Baseadr
$OPcode &= "8B00" ;8B00 MOV EAX,DWORD PTR DS:[EAX]
$OPcode &= "8B401C" ;8B40 1C MOV EAX,DWORD PTR DS:[EAX+1C]
$OPcode &= "8B7028" ;8B70 28 MOV ESI,DWORD PTR DS:[EAX+28]
$OPcode &= "8B8E" & _Hex($OFFSET_ACTIONBASE);8B8E 11111111 MOV ECX,DWORD PTR DS:[ESI+ActArr]
$OPcode &= "6A01" ;6A 01 PUSH 1
$OPcode &= "BA" & _Hex($ADDRESS_ACTION1) ;BA 00000000 MOV EDX,Walk1
$OPcode &= "FFD2" ;FFD2 CALL EDX
$OPcode &= "8BF8" ;8BF8 MOV EDI,EAX
$OPcode &= "8D442418" ;8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
$OPcode &= "50" ;50 PUSH EAX
$OPcode &= "BA" & _Hex($FLYMODE) ;BA 00000000 MOV EDX, fly mode
$OPcode &= "52" ;52 PUSH EDX
$OPcode &= "8BCF" ;8BCF MOV ECX,EDI
$OPcode &= "BA" & _Hex($ADDRESS_ACTION2) ;BA 00000000 MOV EDX,Walk2
$OPcode &= "FFD2" ;FFD2 CALL EDX
$OPcode &= "8B8E" & _Hex($OFFSET_ACTIONBASE);8B8E 22222222 MOV ECX,DWORD PTR DS:[ESI+ActArr]
; Coordinates are stored into the object returned by the first call (EDI) at
; +20, +24, +28 in the order x, z, y.
$OPcode &= "B8" & _Hex($DEST_X, 8, 'float') ;B8 00000000 MOV EAX,x
$OPcode &= "8BD7" ;8BD7 MOV EDX,EDI
$OPcode &= "83C220" ;83C2 20 ADD EDX,20
$OPcode &= "8902" ;8902 MOV DWORD PTR DS:[EDX],EAX
$OPcode &= "B8" & _Hex($DEST_Z, 8, 'float') ;B8 00000000 MOV EAX,z
$OPcode &= "8BD7" ;8BD7 MOV EDX,EDI
$OPcode &= "83C224" ;83C2 24 ADD EDX,24
$OPcode &= "8902" ;8902 MOV DWORD PTR DS:[EDX],EAX
$OPcode &= "B8" & _Hex($DEST_Y, 8, 'float') ;B8 00000000 MOV EAX,y
$OPcode &= "8BD7" ;8BD7 MOV EDX,EDI
$OPcode &= "83C228" ;83C2 28 ADD EDX,28
$OPcode &= "8902" ;8902 MOV DWORD PTR DS:[EDX],EAX
$OPcode &= "6A00" ;6A 00 PUSH 0
$OPcode &= "6A01" ;6A 01 PUSH 1
$OPcode &= "57" ;57 PUSH EDI
$OPcode &= "6A01" ;6A 01 PUSH 1
$OPcode &= "BA" & _Hex($ADDRESS_ACTION3) ;BA 00000000 MOV EDX,Walk3
$OPcode &= "FFD2" ;FFD2 CALL EDX
$OPcode &= "61" ;61 POPAD
$OPcode &= "C3" ;C3 RETN
;Put the OpCode into a struct for later memory writing
; Byte count is taken from the hex text, so the write length below always
; matches what was assembled.
$vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
For $loop = 1 To DllStructGetSize($vBuffer)
DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
Next
;Write the OpCode to previously allocated memory
; Handles and pointers are passed as 'int' throughout: adequate for the 32-bit
; client, but would truncate under a 64-bit interpreter.
DllCall('kernel32.dll', 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)
;Create a remote thread in order to run the OpCode
$hRemoteThread = DllCall('kernel32.dll', 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress[0], 'ptr', 0, 'int', 0, 'int', 0)
;Wait for the remote thread to finish
; 258 = WAIT_TIMEOUT. NOTE(review): unlike the AutoHotkey variant earlier in
; the thread there is no iteration cap, so a thread that never finishes blocks
; the caller indefinitely; a failed DllCall makes $result[0] a runtime error.
Do
$result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
Until $result[0] <> 258
;Close the handle to the previously created remote thread
DllCall('kernel32.dll', 'int', 'CloseHandle', 'int', $hRemoteThread[0])
;Free the previously allocated memory
; 0x8000 = MEM_RELEASE
DllCall('kernel32.dll', 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $functionAddress[0], 'int', 0, 'int', 0x8000)
Return True
EndFunc
Func _Hex($Value, $size=8, $type="int")
; Render $Value as $size hex digits and return them in byte-reversed
; (little-endian) order, e.g. _Hex(0x49FF80) -> "80FF4900".
; $type "int" formats the integer with Hex(); "float" goes through
; _FloatToHex() (defined elsewhere). Any other $type yields "".
Local $sDigits = "", $sReversed = "", $iPos
If($type = "int") Then
$sDigits = StringRight("000000000" & Hex($Value), $size)
ElseIf($type = "float") Then
$sDigits = StringRight("000000000" & _FloatToHex($Value), $size)
EndIf
; walk the digit pairs from the right-hand end towards the left
$iPos = StringLen($sDigits) - 1
While $iPos >= 1
$sReversed &= StringMid($sDigits, $iPos, 2)
$iPos -= 2
WEnd
Return $sReversed
EndFunc
Attached Files
AddressRetriever.zip
(706.2 KB, 83 views)
01/25/2015, 21:01
#26
You guys are the best
i'd love to know how to find such opcodes, but thanks a lot for sharing this.
Also thanks for the exe version of the address finder. I still haven't figured out why the au3 isn't working for me, so this is very helpful.
here copy pasted to AHK:
Code:
; AutoHotkey port of the AutoIt MoveTo() stub earlier in this thread: assemble
; the x86 stub as hex text, write it into the game process, run it on a remote
; thread and release the memory again.
; X, Y, Z: destination. Only when X is below 1000 are all three treated as map
;          coordinates and converted via floattohex(); otherwise all three are
;          passed through as given — note Y and Z are not checked on their own.
; flyflag: fly-mode value placed in the stub as an immediate.
; Uses names defined elsewhere in the script: floattohex, revHex,
; realbaseAddress, processID, MCode. Returns nothing; Win32 failures are not
; reported.
normalMoveTo(X,Y,Z=0,flyflag=0)
{
if (X < 1000)
{
X := floattohex((X*10)-4000)
Y := floattohex((Y*10)-5500)
Z := floattohex(Z*10)
}
; revHex() (not on this page) fills its first argument; presumably the
; byte-reversed hex text used for the stub's little-endian immediates — TODO
; confirm its output width (see the size note before WriteProcessMemory).
revHex(revX, X)
revHex(revY, Y)
revHex(revZ, Z)
revHex(revBaseAddress, realbaseAddress)
revHex(ADDRESS_ACTION1, 0x49FF80)
revHex(ADDRESS_ACTION2, 0x4A6320)
revHex(ADDRESS_ACTION3, 0x4A0590)
revHex(OFFSET_ACTIONBASE, 0x13EC)
revHex(FLYMODE, flyflag)
winget, pid, PID, ahk_pid %processID%
; 2035711 = 0x1F0FFF, the classic PROCESS_ALL_ACCESS mask.
; NOTE(review): neither the OpenProcess nor the VirtualAllocEx result is
; checked; a 0 handle or address silently flows into every call below.
ProcessHandle := DllCall("OpenProcess", "int", 2035711, "char", 1, "UInt", PID, "UInt")
; Fixed size used for both the allocation and the later write; it is not
; derived from the stub assembled below.
functionSize := 0x6D
; 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE
functionAddress := DllCall("VirtualAllocEx", "Uint", ProcessHandle, "Uint", 0, "Uint", functionSize, "Uint", 0x1000, "Uint", 0x40)
; Stub bytes, two hex characters each; same sequence as the mnemonic-annotated
; AutoIt MoveTo() listing above (pushad, resolve the object, three calls with
; the coordinates stored at +20/+24/+28 in between, popad, ret).
func =
func = %func%60
func = %func%B8%revBaseAddress%
func = %func%8B00
func = %func%8B401C
func = %func%8B7028
func = %func%8B8E%OFFSET_ACTIONBASE%
func = %func%6A01
func = %func%BA%ADDRESS_ACTION1%
func = %func%FFD2
func = %func%8BF8
func = %func%8D442418
func = %func%50
func = %func%BA%FLYMODE%
func = %func%52
func = %func%8BCF
func = %func%BA%ADDRESS_ACTION2%
func = %func%FFD2
func = %func%8B8E%OFFSET_ACTIONBASE%
func = %func%B8%revX%
func = %func%8BD7
func = %func%83C220
func = %func%8902
func = %func%B8%revZ%
func = %func%8BD7
func = %func%83C224
func = %func%8902
func = %func%B8%revY%
func = %func%8BD7
func = %func%83C228
func = %func%8902
func = %func%6A00
func = %func%6A01
func = %func%57
func = %func%6A01
func = %func%BA%ADDRESS_ACTION3%
func = %func%FFD2
func = %func%61
func = %func%C3
MCode(normalWalkFunction, func)
; NOTE(review): the write length is functionSize (109 bytes) while MCode sized
; normalWalkFunction from the hex string. With 8-digit rev* values the stub is
; 107 bytes, so 2 bytes past the end of the buffer are copied too — confirm
; revHex's output width, or derive the length from StrLen(func)//2.
DllCall("WriteProcessMemory", "UInt", ProcessHandle, "UInt", functionAddress, "Uint", &normalWalkFunction, "Uint", functionSize, "Uint *", 0)
; presumably restores decimal integer formatting changed by a helper above — TODO confirm
SetFormat, IntegerFast, d
hThrd := DllCall("CreateRemoteThread", "Uint", ProcessHandle, "Uint", 0, "Uint", 0, "Uint", functionAddress, "Uint", 0, "Uint", 0, "Uint", 0)
; Poll the remote thread; 258 is WAIT_TIMEOUT. The loop also gives up after
; 100 rounds (about 10 s), after which the handle is closed and the stub
; memory released below even if the thread has not finished.
loop
{
result := DllCall( "WaitForSingleObject", UInt,hThrd, UInt,50 )
if(result <> 258)
{
break
}
sleep 50
if(A_Index > 100)
{
break
}
}
DllCall( "CloseHandle", UInt,hThrd )
; 0x8000 = MEM_RELEASE
DllCall("VirtualFreeEx", "Uint", ProcessHandle, "Uint", functionAddress, "Uint", 0, "Uint", 0x8000)
DllCall( "CloseHandle", UInt,ProcessHandle )
}
-.-.-.-.-.-.--.-.-.-.-.-.--.-.-.-.-.-.--.-.-.-.-.-.--.-.-.-.-.-.--.-.-.-.-.-.--.-.-.-.-.-.-
Does anyone have a snippet for using skills now that the action structs don't work? I am doing it with packets, but those don't move to the target, so for a skill i use a normal attack until the skill is on cooldown. see here:
Code:
; Send the skill-use packet for skillId to the current target (or to the
; player itself when selfbuff=1). fast=1 selects the "5000" packet variant,
; otherwise "2900". With range=1 the routine keeps normal-attacking and
; re-sending the packet until GetSkillCooldown() reports the skill on cooldown
; or the target's HP reaches 0; otherwise the packet is sent once.
; Uses names defined elsewhere in the script: revHex, PlayerID, gettarget,
; GetSkillCooldown, gettargethp, normalattack, sendPacket, processID.
UseSkill(skillId,selfbuff=0,fast=0,range=0)
{
;~ InteractWith(gettarget(), 3, skillId,1) - this was the old action struct
packet := ""
revHex(revSkillId, skillId)
if (selfbuff = 1)
revHex(target, PlayerID)
else
revHex(target, gettarget())
; Payload as hex text: opcode word, skill id, 0101, target id. The meaning of
; the fixed fields is not shown on this page — TODO confirm against sendPacket.
if (fast = 1)
packet = %packet%5000%revSkillId%0101%target%
else
packet = %packet%2900%revSkillId%0101%target%
; Length given both numerically and as hex text; 0xC (12) matches the payload
; only if revSkillId and target are 4 bytes each — TODO confirm revHex's width.
packetSize := 0xC
packetSizeStr := "0C"
if (range=1)
{
; NOTE(review): loops while the cooldown is 0 and the target is alive; if the
; packet never takes effect this keeps going until the target dies or is lost.
while ((GetSkillCooldown(skillId) = 0) AND (gettargethp() > 0))
{
normalattack()
sleep, 300
sendPacket(packet, packetSizeStr, packetsize, processID)
sleep, 500
}
}else
sendPacket(packet, packetSizeStr, packetsize, processID)
}
to talk to an npc i move near it (must be closer than 5 meters) this way:
Code:
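; Close in on the current target when checkRange() reports it more than 5
; away: step along the player->target line so that 4.8 remain, then walk
; there. checkRange(), getx()/gety(), gettargetx()/gettargety() and walkto()
; are defined elsewhere in the script.
; The trailing comment needs a space before the ';' in AutoHotkey v1; the
; original "~;" left it inside the expression.
r := checkRange() ; 10*sqrt(dx^2+dy^2+dz^2)
if (r > 5)
{
; (r-4.8)/r is the fraction of the vector to cover so that 4.8 remains
x := getx() + ((r-4.8)/r)*(gettargetx()-getx())
y := gety() + ((r-4.8)/r)*(gettargety()-gety())
walkto(x,y)
}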
01/25/2015, 21:22
#27
Ah finally a working vertical movement script, and it's already in AutoIt. Thanks a ton !
01/27/2015, 11:46
#28
Quote:
Originally Posted by
Stark77
Does anyone has a snipet how to use skills now since the action structs dont work? I am doing it with packets, but those dont move to the object so i use for skill a normal attack till the skill is in cooldown. see here:
For Interact-To-Dig
Code:
00495D6F |. 8B8F EC130000 MOV ECX,DWORD PTR DS:[EDI+13EC]
00495D75 |. 6A 02 PUSH 2
00495D77 |. E8 04A20000 CALL PWI.0049FF80
00495D7C |. 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14] <-- ITEM ID/POINTER
00495D80 |. 8BF0 MOV ESI,EAX
00495D82 |. F6DB NEG BL
00495D84 |. 1BDB SBB EBX,EBX
00495D86 |. 52 PUSH EDX
00495D87 |. 83E3 03 AND EBX,3
00495D8A |. 6A 00 PUSH 0
00495D8C |. 43 INC EBX
00495D8D |. 8BCE MOV ECX,ESI
00495D8F |. 53 PUSH EBX
00495D90 |. 55 PUSH EBP
00495D91 |. E8 2A5A0100 CALL PWI.004AB7C0
00495D96 |. 50 PUSH EAX ; |Arg1
00495D97 |. 8BCE MOV ECX,ESI ; |
00495D99 |. E8 62580100 CALL PWI.004AB600 ; \PWI.004AB600
00495D9E |. 8B8F EC130000 MOV ECX,DWORD PTR DS:[EDI+13EC]
00495DA4 |. 6A 00 PUSH 0
00495DA6 |. 56 PUSH ESI
00495DA7 |. 6A 01 PUSH 1
00495DA9 |. E8 E2A70000 CALL PWI.004A0590
To Interact-To-TalktoNPC
Code:
00490A12 |. 8B8F EC130000 MOV ECX,DWORD PTR DS:[EDI+13EC]
00490A18 |. 6A 02 PUSH 2
00490A1A |. E8 61F50000 CALL PWI.0049FF80
00490A1F |. 8B5424 18 MOV EDX,DWORD PTR SS:[ESP+18]
00490A23 |. 6A 00 PUSH 0
00490A25 |. 8BF0 MOV ESI,EAX
00490A27 |. 52 PUSH EDX
00490A28 |. 55 PUSH EBP
00490A29 |. 53 PUSH EBX
00490A2A |. 8BCE MOV ECX,ESI
00490A2C |. E8 8FAD0100 CALL PWI.004AB7C0
00490A31 |. 50 PUSH EAX ; |Arg1
00490A32 |. 8BCE MOV ECX,ESI ; |
00490A34 |. E8 C7AB0100 CALL PWI.004AB600 ; \PWI.004AB600
00490A39 |. 8B8F EC130000 MOV ECX,DWORD PTR DS:[EDI+13EC]
00490A3F |. 6A 00 PUSH 0
00490A41 |. 56 PUSH ESI
00490A42 |. 6A 01 PUSH 1
00490A44 |. E8 47FB0000 CALL PWI.004A0590
For Interact-To-Normal Attack (Left Click the NPC when its already selected or double left click when not selected)
Code:
00495BD9 |> 8B8F EC130000 MOV ECX,DWORD PTR DS:[EDI+13EC]
00495BDF |. 6A 02 PUSH 2
00495BE1 |. E8 9AA30000 CALL PWI.0049FF80
00495BE6 |. 8BF0 MOV ESI,EAX
00495BE8 |. B3 01 MOV BL,1
00495BEA |> 85F6 TEST ESI,ESI
00495BEC |. 74 46 JE SHORT PWI.00495C34
00495BEE |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
00495BF2 |. 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
00495BF6 |. 50 PUSH EAX
00495BF7 |. 51 PUSH ECX
00495BF8 |. 6A 00 PUSH 0
00495BFA |. 55 PUSH EBP
00495BFB |. 8BCE MOV ECX,ESI
00495BFD |. E8 BE5B0100 CALL PWI.004AB7C0
00495C02 |. 50 PUSH EAX ; |Arg1
00495C03 |. 8BCE MOV ECX,ESI ; |
00495C05 |. E8 F6590100 CALL PWI.004AB600 ; \PWI.004AB600
00495C0A |. 8B5424 1C MOV EDX,DWORD PTR SS:[ESP+1C]
00495C0E |. 8B4E 40 MOV ECX,DWORD PTR DS:[ESI+40]
00495C11 |. 52 PUSH EDX
00495C12 |. E8 299D4E00 CALL PWI.0097F940
00495C17 |. 84DB TEST BL,BL
00495C19 |. 74 10 JE SHORT PWI.00495C2B
00495C1B |. 8B8F EC130000 MOV ECX,DWORD PTR DS:[EDI+13EC]
00495C21 |. 6A 00 PUSH 0
00495C23 |. 56 PUSH ESI
00495C24 |. 6A 01 PUSH 1
00495C26 |. E8 65A90000 CALL PWI.004A0590
For Interact-To-Cast-Spell
Code:
0048E559 |. 8B8E EC130000 MOV ECX,DWORD PTR DS:[ESI+13EC]
0048E55F |. 6A 02 PUSH 2
0048E561 |. E8 1A1A0100 CALL PWI.0049FF80
0048E566 |. 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
0048E56A |. 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]
0048E56E |. 51 PUSH ECX
0048E56F |. 8BF8 MOV EDI,EAX
0048E571 |. 52 PUSH EDX
0048E572 |. 6A 03 PUSH 3
0048E574 |. 53 PUSH EBX
0048E575 |. 8BCF MOV ECX,EDI
0048E577 |. E8 44D20100 CALL PWI.004AB7C0
0048E57C |. 50 PUSH EAX ; |Arg1
0048E57D |. 8BCF MOV ECX,EDI ; |
0048E57F |. E8 7CD00100 CALL PWI.004AB600 ; \PWI.004AB600
0048E584 |. 6A 00 PUSH 0
0048E586 |. 896F 34 MOV DWORD PTR DS:[EDI+34],EBP
0048E589 |. 8B8E EC130000 MOV ECX,DWORD PTR DS:[ESI+13EC]
0048E58F |. 57 PUSH EDI
0048E590 |. 6A 01 PUSH 1
0048E592 |. E8 F91F0100 CALL PWI.004A0590
For Cast Spell
Code:
00482BF9 |> 8B8E EC130000 MOV ECX,DWORD PTR DS:[ESI+13EC]
00482BFF |. 6A 04 PUSH 4
00482C01 |. E8 7AD30100 CALL PWI.0049FF80
00482C06 |. 8B8E C4070000 MOV ECX,DWORD PTR DS:[ESI+7C4]
00482C0C |. 8B57 04 MOV EDX,DWORD PTR DS:[EDI+4]
00482C0F |. 8BD8 MOV EBX,EAX
00482C11 |. 55 PUSH EBP
00482C12 |. 51 PUSH ECX
00482C13 |. 52 PUSH EDX
00482C14 |. 8BCB MOV ECX,EBX
00482C16 |. E8 D56C0200 CALL PWI.004A98F0
00482C1B |. 8B8E EC130000 MOV ECX,DWORD PTR DS:[ESI+13EC]
00482C21 |. 6A 00 PUSH 0
00482C23 |. 53 PUSH EBX
00482C24 |. 6A 01 PUSH 1
00482C26 |. E8 65D90100 CALL PWI.004A0590
As you will notice, there are 2 functions called in a way similar to the MoveXYZ function by Remmm. These are "PWI.0049FF80" and "PWI.004A0590", and there are other functions called in between them. Thus, we can name them PerformAction and FinishAction respectively, right?
Unfortunately, I do not know assembly and I cannot translate them into an injectable function...
Hopefully someone like Remmm can
01/27/2015, 20:25
#29
Code:
; Stub that calls one client routine (calladr) with two pushed arguments: a
; mode (0 or 1 per the inline comment) and wid, with ECX loaded from
; [[GameAdr]+28]. As in the earlier PureBasic listing the immediates are
; written as zeros and calladr / GameAdr / wid / type are never spliced into
; injcode here; the Procedure also has no EndProcedure in this post, so it is
; a sketch rather than runnable code.
Procedure PicWalcLyt(wid,type)
calladr=$495C40
GameAdr=$00D23414
injcode.s ="60" ;60 PUSHAD
injcode=injcode+"B900000000" ;B9 00000000 MOV ECX, GameAdr
injcode=injcode+"8B09" ;8B09 MOV ECX,DWORD PTR DS:[ECX]
injcode=injcode+"8B4928" ;8B49 28 MOV ECX,DWORD PTR DS:[ECX+28] ; pers_str
injcode=injcode+"6800000000" ;68 00000000 PUSH 0-lyt , 1- mine
injcode=injcode+"6800000000" ;68 00000000 PUSH wid
injcode=injcode+"BB00000000" ;BB 00000000 MOV EBX,caladr
injcode=injcode+"FFD3" ;FFD3 CALL EBX
injcode=injcode+"61" ;61 POPAD
injcode=injcode+"c3" ;C3 RETN
01/28/2015, 14:07
#30
So if i'm correct after reading those snippets, in order to make a function (that doesn't come from packets or memory read/write) you pretty much copy the opcode from IDA/Olly, find where the function parameters are, attach them to (in my case) autoit declarations, e.g. Func Move($X, $Y, $Z), then a bunch of opcode where x, y, z are put into use?
That seems incredibly simple - albeit i've never attempted that - but it does make a lot of sense. It would make it incredibly easy to make an API or something if that's the case.
It's a shame that there's no generalized API for PWI, like gwa2 for Guild Wars. It would make coding much easier, but I guess this way you learn a lot. I would never start experimenting with opcode xD