PWI Eclipse changes
Discussion on PWI Eclipse changes within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.
01/03/2015, 01:03 | #1
elite*gold: 0 | Join Date: Sep 2013 | Posts: 146 | Received Thanks: 84
PWI Eclipse changes
A few weeks before Xmas PWI changed to the Eclipse version (829).
0) Offsets:
Here you can find most of the new offsets.
1) Interact:
I used the following code to interact (open NPC, use skills), but I cannot get it to work again. The source for this was Interest's post. Swoosh already said that action structs don't work anymore for movements; I was wondering if those kinds of interactions are still possible without big changes. Does anyone know if it is possible to fix the red offsets, or if it's not possible anymore?
InteractWith(objectId, interactionType, skillId=0)
{
    actionStruct := ReadMemoryUint(playerPointer + playerActionStructOffset, processID)
    actionList := ReadMemoryUint(actionStruct+0x30,processID)
    WalkToAction := ReadMemoryUint(actionList+0x8,processID)
    writeMemory(0, WalkToAction+0x8, processID) ;Action finished = 0
    writeMemory(1, WalkToAction+0x14, processID) ;Action Start = 1
    writeMemory(0, WalkToAction+0x24, processID) ;Action Not Start = 0
    writeMemory(objectId, WalkToAction+0x20, processID) ;Set objectId to interact with
    writeMemory(interactionType, WalkToAction+0x38, processID) ;Set type of action to perform (0 = regAtk, 1 = pick item, 2 = talk to NPC, 3 = useSkill, 4 = gatherResources)
    writeMemory(0, WalkToAction+0x34, processID) ;Set error = 0
    skillPointer := 0
    if !(skillId = 0)
    {
        ;Walk the skill list until the entry with the requested skillId is found
        i := -0x4
        loop %nActiveSkills%
        {
            i := i + 0x4
            skillPointer := ReadMemoryUint(skillListPointer+i, processID)
            thisSkillId := ReadMemoryUint(skillPointer + 0x8, processID)
            if(skillId = thisSkillId)
                break
        }
    }
    writeMemory(skillPointer, WalkToAction+0x50, processID)
    writeMemory(WalkToAction, actionStruct+0xC, processID) ;Set new action type WalkTo in action struct position action1
    writeMemory(1, actionStruct+0x18, processID) ;Set next action position to 1
    writeMemory(WalkToAction, actionStruct+0x14, processID) ;Set new action type WalkTo in action struct as next action
}
2) GuiClose:
I used a snippet from DumbFck to close an NPC dialog window; code below. Since the update it's not working anymore, and I struggle to check the offset or call. It would be very cool if someone knows how to fix this or has another idea how to at least disable the dialogs.
; Offset chain to find guiCommand() function call
Global $guiCommandCallOffsets[7] = [0, 0x1C, 0x18, 0x8, 0, 0x14, 0]
Global $guiCommandCall = _MemoryPointerRead($baseCall, $ph, $guiCommandCallOffsets)
$guiCommandCall = $guiCommandCall[0]
; Offsets chain to find currently focused dialogue object
Global $focusedDialogueOffsets[5] = [0, 0x1C, 0x18, 0x8, 0x74]
Global $focusedDialogue = _MemoryPointerRead($baseCall, $ph, $focusedDialogueOffsets)
$focusedDialogue = $focusedDialogue[0]
...
; Construct the OpCode for calling the 'guiCommand' function
$OPcode &= '60' ; PUSHAD
$OPcode &= 'A1' & _hex($guiObjPtr) ; MOV EAX, guiObjPtr
$OPcode &= '50' ; PUSH EAX
$OPcode &= '68' & _hex($stringAddress[0]) ; PUSH commandString
$OPcode &= 'B8' & _hex($guiCommandCall) ; MOV EAX, guiCommandCall
$OPcode &= 'FFD0' ; CALL EAX
$OPcode &= '61' ; POPAD
$OPcode &= 'C3' ; RETN
3) Movement:
It seems to be no longer possible to move with action structs the way many bots did before, but there is a way to use the in-game autopathing. pGrind and vanillaBot have this already, and jollyjoker0305 started a thread with first thoughts about it. Any hints would be great for tools that follow main chars or healing tools.
01/03/2015, 07:28 | #2
elite*gold: 0 | Join Date: Dec 2011 | Posts: 15 | Received Thanks: 26
- autopath
01/04/2015, 00:27 | #3
elite*gold: 0 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
Found something for replacing the action struct yet? The autopath is in assembler; is it gonna be like that, or can it be translated into memory write codes?
Is using autopath as good as moving using the old movement struct? Like for moving precisely to x, y and/or z on the dot. Does it work for flying vertically up and down as well?
Btw, why did they change the action/movement thingy? Is it for fighting bots, or just part of the 'new engine', or so they say?
01/04/2015, 01:17 | #4
elite*gold: 0 | Join Date: Sep 2013 | Posts: 146 | Received Thanks: 84
Well, the autopathing of pGrind works pretty good, but so far it's not able to fly up.
A big advantage of this is collision detection.
I am not sure why they changed the action structs... but it seems not many pro ppl are active in this forum to talk about it^^. And I am just a helpless person learning from this forum a bit.
I was trying to translate the asm code from the Russian forum to AHK, but without success.... Function size, call address changed in version 1.52, or anything else could be the reason... but I don't know how to deal with it.
autopath(X,Y,Z=0)
{
    ;Convert in-game coordinates to the client's internal float representation
    if X < 1000
        thisX := floattohex((X*10)-4000)
    if Y < 1000
        thisY := floattohex((Y*10)-5500)
    if Z < 1000
        thisZ := floattohex(Z*10)
    winget, pid, PID, ahk_pid %processID%
    ProcessHandle := DllCall("OpenProcess", "int", 2035711, "char", 1, "UInt", PID, "UInt")
    functionSize := 100
    returnAddress := DllCall("VirtualAllocEx", "Uint", ProcessHandle, "Uint", 0, "Uint", 0x4, "Uint", 0x1000, "Uint", 0x40)
    functionAddress := DllCall("VirtualAllocEx", "Uint", ProcessHandle, "Uint", 0, "Uint", functionSize, "Uint", 0x1000, "Uint", 0x40)
    revHex(revBaseAddress, BaseAddress)
    revHex(revCallAddress,0x455940)
    ;Assemble the code as a hex string (see the commented listing in post #5 for the mnemonics)
    func =
    func = %func%60
    func = %func%B9%thisX%
    func = %func%BA%thisZ%
    func = %func%B8%thisY%
    func = %func%6a00
    func = %func%51
    func = %func%52
    func = %func%50
    func = %func%6a03
    func = %func%6a00
    func = %func%6a00
    func = %func%684A010000
    func = %func%b9%revBaseAddress%
    func = %func%8B09
    func = %func%83C11C
    func = %func%8B09
    func = %func%BB%revCallAddress%
    func = %func%FFD3
    func = %func%61
    func = %func%c3
    MCode(autopathFunction, func)
    DllCall("WriteProcessMemory", "UInt", ProcessHandle, "UInt", functionAddress, "Uint", &autopathFunction, "Uint", functionSize, "Uint *", 0)
    SetFormat, IntegerFast, d
    hThrd := DllCall("CreateRemoteThread", "Uint", ProcessHandle, "Uint", 0, "Uint", 0, "Uint", functionAddress, "Uint", 0, "Uint", 0, "Uint", 0)
    ;Wait for the thread to finish (258 = WAIT_TIMEOUT), giving up after ~5 seconds
    loop
    {
        result := DllCall( "WaitForSingleObject", UInt,hThrd, UInt,50 )
        if(result <> 258)
        {
            break
        }
        sleep 50
        if(A_Index > 100)
        {
            break
        }
    }
    DllCall( "CloseHandle", UInt,hThrd )
    DllCall("VirtualFreeEx", "Uint", ProcessHandle, "Uint", functionAddress, "Uint", 0, "Uint", 0x8000)
    DllCall( "CloseHandle", UInt,ProcessHandle )
}
01/04/2015, 23:18 | #5
elite*gold: 0 | Join Date: Dec 2011 | Posts: 15 | Received Thanks: 26
To respond to the Z, you need to add:
Code:
opcode.s ="60" ;60 PUSHAD
opcode=opcode+"b900000000" ;B9 00000000 MOV ECX,z
opcode=opcode+"6A00" ;6A 00 PUSH 0
opcode=opcode+"6A00" ;6A 00 PUSH 0
opcode=opcode+"6A00" ;6A 00 PUSH 0 (1 = land at the target)
opcode=opcode+"51" ;51 PUSH ECX
opcode=opcode+"6A01" ;6A 01 PUSH 1
opcode=opcode+"6A00" ;6A 00 PUSH 0
opcode=opcode+"6A00" ;6A 00 PUSH 0
opcode=opcode+"684A010000" ;68 4A010000 PUSH 14A
opcode=opcode+"b900000000" ;B9 00000000 MOV ECX,BA
opcode=opcode+"8B09" ;8B09 MOV ECX,DWORD PTR DS:[ECX]
opcode=opcode+"83C11C" ;83C1 1C ADD ECX,1C
opcode=opcode+"8B09" ;8B09 MOV ECX,DWORD PTR DS:[ECX]
opcode=opcode+"BB00000000" ;BB 00000000 MOV EBX,calladr
opcode=opcode+"FFD3" ;FFD3 CALL EBX
opcode=opcode+"61" ;61 POPAD
opcode=opcode+"c3" ;C3 RETN
Then it changes the height.
01/11/2015, 19:55 | #6
elite*gold: 0 | Join Date: Sep 2013 | Posts: 146 | Received Thanks: 84
2) Disable GUI: there is an easy way to disable a dialog window of an NPC by simply changing a flag. This will disable the dialog, but it's still visible. There is also a flag to hide it, but I wasn't able to find out the offset chain.
DisableNPCdialog()
{
    baseAddress := ReadMemoryUint(realBaseAddress, processID)
    structurePointer := ReadMemoryUint(baseAddress + baseOffset, processID)
    playerPointer := ReadMemoryUint(structurePointer + playerOffset, processID)
    writeMemory(0, playerPointer + 0xD9E, processID) ;clear the dialog flag
    sleep, 1000
}
return
1) Interactions: I am still lost at performing actions like talk to NPC or attack without packets. I can easily find out if there is an action performed, but not fix the offsets (like in the first post). Maybe the old concept isn't working anymore. Does anyone know how to fix it?
;~ check if action is performed
actionStruct := ReadMemoryUint(playerPointer + playerActionStructOffset, processID) ;~ 0x13EC
ActionState := ReadMemoryUint(actionstruct+0x38,processID) ;~ 0=idle, 1=action (walk,attack...)
01/11/2015, 20:43 | #7
elite*gold: 0 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
Interest07's startNpcDialogue packet also doesn't work now?
Have you got the movement working? Please post the new working solution if you don't mind.
01/11/2015, 20:49 | #8
elite*gold: 0 | Join Date: Sep 2013 | Posts: 146 | Received Thanks: 84
The startDialog is working just fine with packets, but I didn't know before how to close it again^^. And no, sorry, the auto pathing is still not working for me. The OP codes from the Russian version or my callAddress seem to be wrong.
It's not very nice, but moving on even ground or flying up with the move packets like Interest explained is quite easy. I added the offsets and direction calculation. But since it's not possible to know the height of where you wanna go (steps between), this is kinda useless as a general movement function.
PHP Code:
Move2(X, Y, Z=0)
{
    if (Z=0)
        Z := getz()
    ;Heading from the current position to the target, in degrees, then scaled to 0..255
    direction := atan((Y-gety())/(X-getx()))*180/3.141
    if ((getx() > X) AND (gety() > Y))
        direction := direction + 180
    else if ((getx() < X) AND (gety() > Y))
        direction := 360 + direction
    else if ((getx() < X) AND (gety() < Y))
        direction := direction
    else if ((getx() > X) AND (gety() < Y))
        direction := 180 + direction
    direction := direction*(255/360)
    revhex(direction,round(direction),2)
    t := 0.5
    t_total := 2
    ;Send one intermediate position every 500 ms until less than one step remains
    while (t_total > 1)
    {
        t_total := getMoveRange(X,Y,Z)/MoveSpeed()
        x_0 := getx()
        s_x := x_0 + (X - x_0)/t_total*t
        s_x := floattohex((s_x*10)-4000)
        revHex(s_rev_x,s_x)
        y_0 := gety()
        s_y := y_0 + (Y - y_0)/t_total*t
        s_y := floattohex((s_y*10)-5500)
        revHex(s_rev_y,s_y)
        z_0 := getz()
        s_z := z_0 + (Z - z_0)/t_total*t
        s_z := floattohex(s_z*10)
        s_z2 := floattohex((z_0 + (Z - z_0)/t_total*t+0.1)*10)
        revHex(s_rev_z,s_z)
        movepacket := "0000" . s_rev_x . s_rev_z . s_rev_y . s_rev_x . s_rev_z . s_rev_y . "F401" . getmoveSpeed() . GetmoveMode() . getrevHex(getmoveCounter(),4)
        SendPacketFast(movepacket)
        PlayerPositionPointer := ReadMemoryUint(PlayerPointer + 0x3C0, processID) ; position
        writeMemory(s_x,PlayerPositionPointer + XposOffset, processID)
        writeMemory(s_y,PlayerPositionPointer + YposOffset, processID)
        writeMemory(s_z,PlayerPositionPointer + ZposOffset, processID)
        PlayerPositionPointer := ReadMemoryUint(PlayerPointer + 0xA58, processID) ; camera
        writeMemory(s_x,PlayerPositionPointer + XposOffset, processID)
        writeMemory(s_y,PlayerPositionPointer + YposOffset, processID)
        writeMemory(s_z,PlayerPositionPointer + ZposOffset, processID)
        writeMemory(s_x,PlayerPointer + 0x734, processID) ; name and guild
        writeMemory(s_y,PlayerPointer + 0x73C, processID)
        writeMemory(s_z2,PlayerPointer + 0x738, processID)
        counter := dec2hex(getmoveCounter()+1)
        writeMemory(counter,PlayerPointer + 0xAB0, processID,2)
        sleep, 500
    }
    ;Final stop packet at the exact target position
    if (gethp() > 0)
    {
        s_x := floattohex((X*10)-4000)
        revHex(s_rev_x,s_x)
        s_y := floattohex((Y*10)-5500)
        revHex(s_rev_y,s_y)
        s_z := floattohex(Z*10)
        s_z2 := floattohex((Z+0.1)*10)
        revHex(s_rev_z,s_z)
        stoppacket := "0700" . s_rev_x . s_rev_z . s_rev_y . getmoveSpeed() . direction . GetmoveMode() . getrevHex(getmoveCounter(),4) . "F401"
        SendPacketFast(stoppacket)
        PlayerPositionPointer := ReadMemoryUint(PlayerPointer + 0x3C0, processID) ; position
        writeMemory(s_x,PlayerPositionPointer + XposOffset, processID)
        writeMemory(s_y,PlayerPositionPointer + YposOffset, processID)
        writeMemory(s_z,PlayerPositionPointer + ZposOffset, processID)
        PlayerPositionPointer := ReadMemoryUint(PlayerPointer + 0xA58, processID) ; camera
        writeMemory(s_x,PlayerPositionPointer + XposOffset, processID)
        writeMemory(s_y,PlayerPositionPointer + YposOffset, processID)
        writeMemory(s_z,PlayerPositionPointer + ZposOffset, processID)
        writeMemory(s_x,PlayerPointer + 0x734, processID) ; name and guild
        writeMemory(s_y,PlayerPointer + 0x73C, processID)
        writeMemory(s_z2,PlayerPointer + 0x738, processID)
        counter := dec2hex(getmoveCounter()+1)
        writeMemory(counter,PlayerPointer + 0xAB0, processID,2)
        sleep, 500
    }
}

getMoveCounter()
{
    moveCounter := ReadMemoryUint(PlayerPointer + 0xAB0, processID)
    return moveCounter
}

getMoveMode()
{
    ;Move mode is a one-byte hex string appended to the packet, so all three values are quoted
    ;(the unquoted A1 in the original read the empty variable A1 instead of the literal)
    TransportMode := ReadMemoryUint(PlayerPointer + 0x6E8, processID)
    if (TransportMode = 0)
        moveMode := "21"
    else if (TransportMode = 2)
        moveMode := "61"
    else
        moveMode := "A1"
    return moveMode
}

MoveSpeed()
{
    TransportMode := ReadMemoryUint(PlayerPointer + 0x6E8, processID)
    if (TransportMode = 0)
        speedOffset := 0x52C
    else if (TransportMode = 2)
        speedOffset := 0x534
    else
        speedOffset := 0x528
    SetFormat, IntegerFast, hex
    moveSpeedInfo := hextofloat(ReadMemoryUint(PlayerPointer + speedOffset, processID) + 0) + 0
    SetFormat, IntegerFast, d
    return moveSpeedInfo
}

getMoveSpeed()
{
    TransportMode := ReadMemoryUint(PlayerPointer + 0x6E8, processID)
    if (TransportMode = 0)
        speedOffset := 0x52C
    else if (TransportMode = 2)
        speedOffset := 0x534
    else
        speedOffset := 0x528
    SetFormat, IntegerFast, hex
    moveSpeedInfo := hextofloat(ReadMemoryUint(PlayerPointer + speedOffset, processID) + 0) + 0
    SetFormat, IntegerFast, d
    ;Speed is sent as a 16-bit fixed-point value (speed * 256), little-endian
    revHex(moveSpeed,floor((moveSpeedInfo*256) + 0.5),4)
    return moveSpeed
}

getMoveRange(x,y,z)
{
    thisRange := 10*sqrt((x-getX())**2+(y-gety())**2+(z-getz())**2)
    return thisRange
}
So if anyone knows the callAddress and OPcodes for auto pathing, this would be more than welcome =)
01/12/2015, 14:39 | #9
elite*gold: 0 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
I usually close the startNpcDialogue by sending the 'esc' keypress 3 times, but that'd need the clients to be unfrozen.
It'd look like this for mine. I always send esc after doing anything with the NPC, so I can put taking a quest and handing in a quest in one function and not bother about the error.
Code:
Func takeQuestMuHoffenEnergy()
    getTargetID("Smurfin")
    $npcId = $targetID
    for $i = 1 to $wintitles[0]
        if winexists($wintitles[$i]) Then
            $pid = wingetprocess($wintitles[$i])
            $npcId = $targetID
            startNpcDialogue($npcId, $pid)
            sleep(300)
            controlsend($wintitles[$i], "", "", "{ESC}")
            controlsend($wintitles[$i], "", "", "{ESC}")
            controlsend($wintitles[$i], "", "", "{ESC}")
            $questId = 30673
            acceptQuest($questId, $pid)
            controlsend($wintitles[$i], "", "", "{ESC}")
            controlsend($wintitles[$i], "", "", "{ESC}")
            controlsend($wintitles[$i], "", "", "{ESC}")
            handInQuest($questId, 1, $pid)
            controlsend($wintitles[$i], "", "", "{ESC}")
            controlsend($wintitles[$i], "", "", "{ESC}")
            controlsend($wintitles[$i], "", "", "{ESC}")
            sleep(300)
            consolewrite($wintitles[$i] & @cr)
        EndIf
    Next
endfunc ;==>takeQuestMuHoffenEnergy
01/12/2015, 16:41 | #10
elite*gold: 20 | Join Date: May 2009 | Posts: 1,290 | Received Thanks: 325
Stark, why would you want to do any interaction without packets? Without packets, you are just calling wrapper functions which send packets somewhere further down the line. The advantage of packets is that you only need to maintain one address in order to do many things.
Also, the Russians are doing it in a weird way. The injection I use only needs a register populated with a ptr to the character struct, a parameter on the stack pointing to the destination data, a call, and off it goes.
01/12/2015, 17:51 | #11
elite*gold: 0 | Join Date: Sep 2013 | Posts: 146 | Received Thanks: 84
Well, it was way more comfortable to use those action structs for interactions like talking to an NPC, because those also moved to it... same for casting a skill. If I use a packet to cast the skill and the character is out of range, nothing happens, so I have to check the max range for every skill and stuff. But ya, it's not the biggest issue atm. If I figure out how to move again, everything is fine^^
Thanks for your hints, I'll try out if I can use that and get it to work.
_-_-__-_-__-_-__-_-__-_-__-_-__-_-__-_-__-_-__-_-__-_-__-_-__-_-__-_
Btw, this is the updated accept invite. LeaderID is the playerID of the party leader that sent the invite. PlayerPID is the process ID of the client that wants to accept the invite.
acceptPartyInvite(LeaderId,PlayerPID=0)
{
    packet := ""
    revHex(revLeaderId, LeaderId)
    InvitePointer := ReadMemoryUint(0xD2D3A0, PlayerPID)
    InviteCounter := ReadMemoryUint(InvitePointer + 0x14, PlayerPID)
    revHex(revInviteCounter, InviteCounter)
    packet = %packet%1C00%revLeaderId%%revInviteCounter%
    packetSize := 0xA
    packetSizeStr := "0A"
    sendPacket(packet, packetSizeStr, packetSize, PlayerPID)
}
01/14/2015, 18:21 | #12
elite*gold: 0 | Join Date: Sep 2011 | Posts: 46 | Received Thanks: 144
This is the AutoPath function in AutoIt script...
Unfortunately, it can't fly up vertically Y_Y
Code:
Global $GAME_TITLE = "Perfect World"
Global $GAME_PID = WinGetProcess($GAME_TITLE)
Global $GAME_PROCESS = _MemoryOpen($GAME_PID)
Global $ADDRESS_CALLAUTOPATH = 0x455940
Global $ADDRESS_BASE = 0xD22C74

Func AutoPath($DEST_X, $DEST_Y, $ALT=0)
    $processHandle = $GAME_PROCESS[1]
    $functionAddress = DllCall('kernel32.dll', 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', 100, 'int', 0x1000, 'int', 0x40)
    ; First call: path to the destination
    $OPcode = '60'
    $OPcode &= 'B9' & _Hex($DEST_Y, 8, 'float')
    $OPcode &= 'BA' & _Hex($ALT)
    $OPcode &= 'B8' & _Hex($DEST_X, 8, 'float')
    $OPcode &= '6A00'
    $OPcode &= '51'
    $OPcode &= '52'
    $OPcode &= '50'
    $OPcode &= '6A03'
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '684A010000'
    $OPcode &= 'B9'&_Hex($ADDRESS_BASE)
    $OPcode &= '8B09'
    $OPcode &= '83C11C'
    $OPcode &= '8B09'
    $OPcode &= 'BB'&_Hex($ADDRESS_CALLAUTOPATH)
    $OPcode &= 'FFD3'
    ; Second call: altitude (see post #5)
    $OPcode &= 'B9' & _Hex($ALT)
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '51'
    $OPcode &= '6A01'
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '684A010000'
    $OPcode &= 'B9'&_Hex($ADDRESS_BASE)
    $OPcode &= '8B09'
    $OPcode &= '83C11C'
    $OPcode &= '8B09'
    $OPcode &= 'BB'&_Hex($ADDRESS_CALLAUTOPATH)
    $OPcode &= 'FFD3'
    $OPcode &= '61'
    $OPcode &= 'C3'
    ; Convert the hex string into a byte buffer
    $vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
    For $loop = 1 To DllStructGetSize($vBuffer)
        DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
    Next
    DllCall('kernel32.dll', 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)
    $hRemoteThread = DllCall('kernel32.dll', 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress[0], 'ptr', 0, 'int', 0, 'int', 0)
    Do
        $result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
    Until $result[0] <> 258
    DllCall('kernel32.dll', 'int', 'CloseHandle', 'int', $hRemoteThread[0])
    DllCall('kernel32.dll', 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $functionAddress[0], 'int', 0, 'int', 0x8000)
    Return True
EndFunc

; Little-endian hex string of a 32-bit int or float
Func _Hex($Value, $size=8, $type="int")
    Local $tmp1, $tmp2, $i
    if($type = "int") Then
        $tmp1 = StringRight("000000000" & Hex($Value), $size)
    ElseIf($type = "float") Then
        $tmp1 = StringRight("000000000" & _FloatToHex($Value), $size)
    EndIf
    For $i = 0 To StringLen($tmp1) / 2 - 1
        $tmp2 = $tmp2 & StringMid($tmp1, StringLen($tmp1) - 1 - 2 * $i, 2)
    Next
    Return $tmp2
EndFunc

; Reinterpret the bits of a float as an integer
Func _FloatToHex($floatval)
    $sF = DllStructCreate("float")
    $sB = DllStructCreate("ptr", DllStructGetPtr($sF))
    If $floatval = "" Then Exit
    DllStructSetData($sF, 1, $floatval)
    $return=DllStructGetData($sB, 1)
    Return $return
EndFunc
Yep, it's from the Russian site; I don't claim a thing from this script...
I just translated it into AutoIt so others who hate the said scripting language will get eye spasms!!!
And most of all, I just want to share... enjoy ^^
Note: If you want your input to be in INT (in-game coordinates), then:
Code:
Global $GAME_TITLE = "Perfect World"
Global $GAME_PID = WinGetProcess($GAME_TITLE)
Global $GAME_PROCESS = _MemoryOpen($GAME_PID)
Global $ADDRESS_CALLAUTOPATH = 0x455940
Global $ADDRESS_BASE = 0xD22C74

; $DEST_Z is the altitude slider value, passed through unscaled (the original declared $ALT but used $DEST_Z)
Func AutoPath($DEST_X, $DEST_Y, $DEST_Z=0)
    $processHandle = $GAME_PROCESS[1]
    $functionAddress = DllCall('kernel32.dll', 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', 100, 'int', 0x1000, 'int', 0x40)
    ; In-game coordinates are scaled to the client's internal floats here
    $OPcode = '60'
    $OPcode &= 'B9' & _Hex($DEST_Y*10-5500, 8, 'float')
    $OPcode &= 'BA' & _Hex($DEST_Z)
    $OPcode &= 'B8' & _Hex($DEST_X*10-4000, 8, 'float')
    $OPcode &= '6A00'
    $OPcode &= '51'
    $OPcode &= '52'
    $OPcode &= '50'
    $OPcode &= '6A03'
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '684A010000'
    $OPcode &= 'B9'&_Hex($ADDRESS_BASE)
    $OPcode &= '8B09'
    $OPcode &= '83C11C'
    $OPcode &= '8B09'
    $OPcode &= 'BB'&_Hex($ADDRESS_CALLAUTOPATH)
    $OPcode &= 'FFD3'
    $OPcode &= 'B9' & _Hex($DEST_Z)
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '51'
    $OPcode &= '6A01'
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '684A010000'
    $OPcode &= 'B9'&_Hex($ADDRESS_BASE)
    $OPcode &= '8B09'
    $OPcode &= '83C11C'
    $OPcode &= '8B09'
    $OPcode &= 'BB'&_Hex($ADDRESS_CALLAUTOPATH)
    $OPcode &= 'FFD3'
    $OPcode &= '61'
    $OPcode &= 'C3'
    $vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
    For $loop = 1 To DllStructGetSize($vBuffer)
        DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
    Next
    DllCall('kernel32.dll', 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)
    $hRemoteThread = DllCall('kernel32.dll', 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress[0], 'ptr', 0, 'int', 0, 'int', 0)
    Do
        $result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
    Until $result[0] <> 258
    DllCall('kernel32.dll', 'int', 'CloseHandle', 'int', $hRemoteThread[0])
    DllCall('kernel32.dll', 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $functionAddress[0], 'int', 0, 'int', 0x8000)
    Return True
EndFunc

Func _Hex($Value, $size=8, $type="int")
    Local $tmp1, $tmp2, $i
    if($type = "int") Then
        $tmp1 = StringRight("000000000" & Hex($Value), $size)
    ElseIf($type = "float") Then
        $tmp1 = StringRight("000000000" & _FloatToHex($Value), $size)
    EndIf
    For $i = 0 To StringLen($tmp1) / 2 - 1
        $tmp2 = $tmp2 & StringMid($tmp1, StringLen($tmp1) - 1 - 2 * $i, 2)
    Next
    Return $tmp2
EndFunc

Func _FloatToHex($floatval)
    $sF = DllStructCreate("float")
    $sB = DllStructCreate("ptr", DllStructGetPtr($sF))
    If $floatval = "" Then Exit
    DllStructSetData($sF, 1, $floatval)
    $return=DllStructGetData($sB, 1)
    Return $return
EndFunc
01/14/2015, 18:39 | #13
elite*gold: 0 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
Thanks for the script, it will be useful a few months later when Eclipse hits PW Indo.
If you don't mind, please post the tutorial on how to find the Autopath call address as well. Or with regexp.
01/14/2015, 18:46 | #14
elite*gold: 0 | Join Date: Sep 2013 | Posts: 146 | Received Thanks: 84
Thanks a lot for sharing this.
The call address is the same as in the Russian forum. I would also love to know how to find it^^
Btw: in the 2nd script you don't multiply the z coord with 10. Is that intended?
01/14/2015, 18:49 | #15
elite*gold: 0 | Join Date: Sep 2011 | Posts: 46 | Received Thanks: 144
Nope, the $DEST_Z in the script is the value of the sliding bar (altitude) when the autopath function is ongoing in-game.
As per Smurfin's request ^^
Code:
$EXE = FileOpenDialog("Perfect World Client", @DesktopCommonDir, "Executable (*.exe)", 1, "elementclient.exe")
If @error Then Exit
$FILE = FileOpen($EXE, 16)
$DATA = FileRead($FILE, FileGetSize($EXE))
FileClose($FILE)
; Byte-pattern signatures matched against the hex dump of the executable
$OPCODEBASE = 'A1(.{8})5332DB8B48.{2}'
$BASE = StringRegExp($DATA, $OPCODEBASE, 1)
$OPCODEPACKET = '6AFF68.{8}64A100000000506489250000000083EC185356578BF96A07'
$PACKET = StringRegExp($DATA, $OPCODEPACKET, 1)
$OPCODEAUTOPATH = '6AFF68.{8}64A100000000506489250000000083EC2053568BF18D4C2408E8.{8}8B4C243C8B542440'
$AUTOPATH = StringRegExp($DATA, $OPCODEAUTOPATH, 1)
If @error Then
    MsgBox(0, "Issues Attaching For Offsets", "There may be another bot attached to this process. Please close that bot and try again")
    Exit
EndIf
; File offset + image base (0x400000) gives the virtual address
$REALBASEADDRESS = '0x' & Rev($BASE[0])
$SENDPACKETADDRESS = '0x' & Hex(StringInStr($DATA, $PACKET[0])/2 + 0x400000 - 1)
$AUTOPATHADDRESS = '0x' & Hex(StringInStr($DATA, $AUTOPATH[0])/2 + 0x400000 - 1)
ConsoleWrite("Base Address = " & $REALBASEADDRESS & @CRLF _
    & "SendPacket Address = " & $SENDPACKETADDRESS & @CRLF _
    & "AutoPath Address = " & $AUTOPATHADDRESS & @CRLF)

; Reverse the byte order of a hex string (little-endian immediate to address)
Func Rev($string)
    Local $all
    For $i = StringLen($string) + 1 To 1 Step -2
        $all = $all & StringMid($string, $i, 2)
    Next
    Return $all
EndFunc