PWI Eclipse changes

Stark77 · 01/03/2015, 01:03

A few weeks before xmas PWI changed to Eclipse Version (829).

0) Offsets:
Here you can find most of the new offsets (

)

1) Interact:
i used the following code to interact (open npc, use skills) but i cannot get it to work again. source for this was Interest's post

. Swoosh already said, that actionstructs dont work anymore for movements, i was wondering if those kind of interactions are still possible without big changes. Does anyone know if it possible to fix the red offsets or if its not possible anymore?

Spoiler

2) GuiClose:
i used a snipet from DumbFck to close a NPC dialog window. code below. since update its not working anymore and i struggle to check the offset or call. Would be very cool if someone knows how to fix this or might have another idea how to atleast disable the dialog's.

Spoiler

3) Movement:
Its seems to be not possible to move with actionstructs the way many bots did before but there is a way to use the ingame autopathing. pgrind and vanillaBot have this already and jollyjoker0305 started a thread with first thoughts about it

. Any hints would be great for tools that follow main chars or healing tools.

---------------------------------------------------------------------------------------

Remmm · 01/03/2015, 07:28

- autopath

Smurfin · 01/04/2015, 00:27

Found something for replacing the action struct yet ? The autopath is in assembler, Is it gonna be like that or can it be translated into memory write codes ?

Is using autopath as good as moving using the old movement struct ? like for moving precisely to x,y and or z on the dot. Does it work for flying vertically up and down as well ?

Btw why did they change the action/movement thingy, is it for fighting bots or just part of the 'new engine' or so they say.

Stark77 · 01/04/2015, 01:17

well the autopathing of pGrind works prety good but so far its not able to fly up.
a big advantage of this is collision detection.
i am not sure why they changed the action structs... but seems not many pro ppl are active in this forum to talk about it^^. and i am just a helpless person learning from this forum abit.

was trying to translate the asm code from the russian forum to AHK but without success.... functionsize, call address changed in version 1.52 or anything else could be the reason... but i dont know how to deal with it.

Spoiler

Remmm · 01/04/2015, 23:18

to respond to the Z need to add

Code:

    opcode.s ="60"                  ;60  PUSHAD
    opcode=opcode+"b900000000"      ;B9 00000000    MOV ECX,z
    opcode=opcode+"6A00"            ;6A 00          PUSH 0
    opcode=opcode+"6A00"            ;6A 00          PUSH 0
    opcode=opcode+"6A00"            ;6A 00          PUSH 0 1-преземлится у цели
    opcode=opcode+"51"              ;51             PUSH ECX
    opcode=opcode+"6A01"            ;6A 01          PUSH 1
    opcode=opcode+"6A00"            ;6A 00          PUSH 0
    opcode=opcode+"6A00"            ;6A 00          PUSH 0
    opcode=opcode+"684A010000"      ;68 4A010000    PUSH 14A
    opcode=opcode+"b900000000"      ;B9 00000000    MOV ECX,BA
    opcode=opcode+"8B09"            ;8B09           MOV ECX,DWORD PTR DS:[ECX]
    opcode=opcode+"83C11C"          ;83C1 1C        ADD ECX,1C
    opcode=opcode+"8B09"            ;8B09           MOV ECX,DWORD PTR DS:[ECX]
    opcode=opcode+"BB00000000"      ;BB 00000000    MOV EBX,calladr
    opcode=opcode+"FFD3"            ;FFD3           CALL EBX
    opcode=opcode+"61"              ;61             POPAD
    opcode=opcode+"c3"              ;C3

then changes the height

Stark77 · 01/11/2015, 19:55

2) disable Gui: there is an easy way to disable a dialog window of NPC by simply changing a flag. this will disable the dialog but its still visible. there is also a flag to hide it, but i wasnt able to find out the offset chain.

Spoiler

1) interactions: i am still lost at performing actions like talk to NPC or attack without packets. i can easily find out if there is an action performed but not fix the offsets (like in first post). maybe the old concept isnt working anymore. Does anyone know how to fix it?

Spoiler

Smurfin · 01/11/2015, 20:43

Interest07's startNpcDialogue packet also doesn't work now ?

Have you got the movement working ? please post the new working solution if you don't mind.

Stark77 · 01/11/2015, 20:49

the startDialog is working just fine with packets but i didnt know before how to close it again^^. And no sorry the auto pathing is still not working for me. the OP codes from russian version or my callAddress seem to be wrong.

its not very nice but moving on even ground or flyup with the move packets like Interest explained is quite easy. i added the offsets and direction calculation. but since its not possible to know the height of where u wanna go (steps between), this is kinda useless as general movement function.

Spoiler

PHP Code:



Move2(X, Y, Z=0)
{
    if (Z=0)
        Z := getz()
    direction := atan((Y-gety())/(X-getx()))*180/3.141
    if ((getx() > X) AND (gety() > Y))
      direction := direction + 180
    else if ((getx() < X) AND (gety() > Y))
      direction := 360 + direction
    else if ((getx() < X) AND (gety() < Y))
      direction := direction
    else if ((getx() > X) AND (gety() < Y))
      direction := 180 + direction
    direction := direction*(255/360)
    revhex(direction,round(direction),2)
    t := 0.5
    t_total := 2
   
    while (t_total > 1)
    {
        t_total := getMoveRange(X,Y,Z)/MoveSpeed()
        x_0 := getx()
        s_x := x_0 + (X - x_0)/t_total*t
        s_x := floattohex((s_x*10)-4000) 
        revHex(s_rev_x,s_x)
        y_0 := gety()
        s_y := y_0 + (Y - y_0)/t_total*t
        s_y := floattohex((s_y*10)-5500) 
        revHex(s_rev_y,s_y)
        z_0 := getz()
        s_z := z_0 + (Z - z_0)/t_total*t
        s_z := floattohex(s_z*10) 
        s_z2 := floattohex((z_0 + (Z - z_0)/t_total*t+0.1)*10) 
        revHex(s_rev_z,s_z)
        movepacket := "0000" . s_rev_x . s_rev_z . s_rev_y . s_rev_x . s_rev_z . s_rev_y . "F401" . getmoveSpeed() . GetmoveMode() . getrevHex(getmoveCounter(),4)
        SendPacketFast(movepacket)
        PlayerPositionPointer := ReadMemoryUint(PlayerPointer + 0x3C0, processID) ; position
        writeMemory(s_x,PlayerPositionPointer + XposOffset, processID)
        writeMemory(s_y,PlayerPositionPointer + YposOffset, processID)
        writeMemory(s_z,PlayerPositionPointer + ZposOffset, processID)
        PlayerPositionPointer := ReadMemoryUint(PlayerPointer + 0xA58, processID) ; camera
        writeMemory(s_x,PlayerPositionPointer + XposOffset, processID)
        writeMemory(s_y,PlayerPositionPointer + YposOffset, processID)
        writeMemory(s_z,PlayerPositionPointer + ZposOffset, processID)
        writeMemory(s_x,PlayerPointer + 0x734, processID) ; name and guild
        writeMemory(s_y,PlayerPointer + 0x73C, processID)
        writeMemory(s_z2,PlayerPointer + 0x738, processID)
        counter := dec2hex(getmoveCounter()+1)
        writeMemory(counter,PlayerPointer + 0xAB0, processID,2)
        sleep, 500
    }

    if (gethp() > 0)
    {
        s_x := floattohex((X*10)-4000) 
        revHex(s_rev_x,s_x)
        s_y := floattohex((Y*10)-5500) 
        revHex(s_rev_y,s_y)
        s_z := floattohex(Z*10) 
        s_z2 := floattohex((Z+0.1)*10) 
        revHex(s_rev_z,s_z)
        stoppacket := "0700" . s_rev_x . s_rev_z . s_rev_y . getmoveSpeed() . direction . GetmoveMode() . getrevHex(getmoveCounter(),4) . "F401"
        SendPacketFast(stoppacket)
        PlayerPositionPointer := ReadMemoryUint(PlayerPointer + 0x3C0, processID) ; position
        writeMemory(s_x,PlayerPositionPointer + XposOffset, processID)
        writeMemory(s_y,PlayerPositionPointer + YposOffset, processID)
        writeMemory(s_z,PlayerPositionPointer + ZposOffset, processID)
        PlayerPositionPointer := ReadMemoryUint(PlayerPointer + 0xA58, processID) ; camera
        writeMemory(s_x,PlayerPositionPointer + XposOffset, processID)
        writeMemory(s_y,PlayerPositionPointer + YposOffset, processID)
        writeMemory(s_z,PlayerPositionPointer + ZposOffset, processID)
        writeMemory(s_x,PlayerPointer + 0x734, processID) ; name and guild
        writeMemory(s_y,PlayerPointer + 0x73C, processID)
        writeMemory(s_z2,PlayerPointer + 0x738, processID)
        counter := dec2hex(getmoveCounter()+1)
        writeMemory(counter,PlayerPointer + 0xAB0, processID,2)
        sleep, 500
    }
}

getMoveCounter()
{
    moveCounter := ReadMemoryUint(PlayerPointer + 0xAB0, processID)
    return moveCounter
}

getMoveMode()
{
    TransportMode := ReadMemoryUint(PlayerPointer + 0x6E8, processID)
    if (TransportMode = 0)
        moveMode := 21
    else if (TransportMode = 2)
        moveMode := 61
    else
        moveMode := A1
    return moveMode
}

MoveSpeed()
{
    TransportMode := ReadMemoryUint(PlayerPointer + 0x6E8, processID)
    if (TransportMode = 0)
        speedOffset := 0x52C
    else if (TransportMode = 2)
        speedOffset := 0x534
    else
        speedOffset := 0x528
    SetFormat, IntegerFast, hex
    moveSpeedInfo := hextofloat(ReadMemoryUint(PlayerPointer + speedOffset, processID) + 0) + 0
    SetFormat, IntegerFast, d
    return moveSpeedInfo
}

getMoveSpeed()
{
    TransportMode := ReadMemoryUint(PlayerPointer + 0x6E8, processID)
    if (TransportMode = 0)
        speedOffset := 0x52C
    else if (TransportMode = 2)
        speedOffset := 0x534
    else
        speedOffset := 0x528
    SetFormat, IntegerFast, hex
    moveSpeedInfo := hextofloat(ReadMemoryUint(PlayerPointer + speedOffset, processID) + 0) + 0
    SetFormat, IntegerFast, d
    revHex(moveSpeed,floor((moveSpeedInfo*256) + 0.5),4)
    return moveSpeed
}

getMoveRange(x,y,z)
{
   thisRange := 10*sqrt((x-getX())**2+(y-gety())**2+(z-getz())**2)
   return thisRange
}

So if anyone knows the callAddress and OPcodes for auto pathing, this would be more than welcome =)

Smurfin · 01/12/2015, 14:39

I usually close the startNpcDialogue by sending 'esc' keypress 3 times, but that'd need the clients to be unfreezed.

It'd look like this for mine, I always send esc after doing anything with the npc so I can put taking quest and handing in quest in one function and don't bother about the error.

Spoiler

Sᴡoosh · 01/12/2015, 16:41

Stark, why would you want to do any interaction without packets? Without packets, you are just calling wrapper functions which send packets somewhere further down the line. The advantage of packets is that you only need to maintain one address in order to do many things.

Also, the russians are doing it in a weird way. The injection I use only needs a register populated with a ptr to character struct, a parameter on stack pointing to destination data, a call, and off it goes.

Stark77 · 01/12/2015, 17:51

well it was way more comfortable to use those action structs for interactions like talking to NPC because those also moved to it... same for casting skill. if i use a packet to cast the skill and the character is out of range, nothing happens so i have to check the max range for every skill and stuff. but ya its not the biggest issue atm. if i figure out how to move again, everything is fine^^

thanks for your hints

ill try out if i can use that and get it to work.

_-_-__-_-__-_-__-_-__-_-__-_-__-_-__-_-__-_-__-_-__-_-__-_-__-_-__-_

btw this is the updated accept invite. LeaderID is the playerID of the party leader that sent the invite. PlayerPID is the process ID of the client that want to accept the invite.

Spoiler

~~denzjh~~ · 01/14/2015, 18:21

This is the AutoPath Function in AutoIt Script...
Unfortunately, can't fly up vertically Y_Y

Spoiler

Code:

Global $GAME_TITLE = "Perfect World"
Global $GAME_PID = WinGetProcess($GAME_TITLE)
Global $GAME_PROCESS = _MemoryOpen($GAME_PID)
Global $ADDRESS_CALLAUTOPATH = 0x455940
Global $ADDRESS_BASE = 0xD22C74

Func AutoPath($DEST_X, $DEST_Y, $ALT=0)
    $processHandle = $GAME_PROCESS[1]
    $functionAddress = DllCall('kernel32.dll', 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', 100, 'int', 0x1000, 'int', 0x40)

    $OPcode = '60'
    $OPcode &= 'B9' & _Hex($DEST_Y, 8, 'float')
    $OPcode &= 'BA' & _Hex($ALT)
    $OPcode &= 'B8' & _Hex($DEST_X, 8, 'float')
    $OPcode &= '6A00'
    $OPcode &= '51'
    $OPcode &= '52'
    $OPcode &= '50'
    $OPcode &= '6A03'
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '684A010000'
    $OPcode &= 'B9'&_Hex($ADDRESS_BASE)
    $OPcode &= '8B09'
    $OPcode &= '83C11C'
    $OPcode &= '8B09'
    $OPcode &= 'BB'&_Hex($ADDRESS_CALLAUTOPATH)
    $OPcode &= 'FFD3'
    $OPcode &= 'B9' & _Hex($ALT)
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '51'
    $OPcode &= '6A01'
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '684A010000'
    $OPcode &= 'B9'&_Hex($ADDRESS_BASE)
    $OPcode &= '8B09'
    $OPcode &= '83C11C'
    $OPcode &= '8B09'
    $OPcode &= 'BB'&_Hex($ADDRESS_CALLAUTOPATH)
    $OPcode &= 'FFD3'
    $OPcode &= '61'
    $OPcode &= 'C3'

    $vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
    For $loop = 1 To DllStructGetSize($vBuffer)
        DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
    Next

    DllCall('kernel32.dll', 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)

    $hRemoteThread = DllCall('kernel32.dll', 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress[0], 'ptr', 0, 'int', 0, 'int', 0)

    Do
        $result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
    Until $result[0] <> 258

    DllCall('kernel32.dll', 'int', 'CloseHandle', 'int', $hRemoteThread[0])
    DllCall('kernel32.dll', 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $functionAddress[0], 'int', 0, 'int', 0x8000)

    Return True
EndFunc

Func _Hex($Value, $size=8, $type="int")
    Local $tmp1, $tmp2, $i
    if($type = "int") Then
        $tmp1 = StringRight("000000000" & Hex($Value), $size)
    ElseIf($type = "float") Then
        $tmp1 = StringRight("000000000" & _FloatToHex($Value), $size)
    EndIf
    For $i = 0 To StringLen($tmp1) / 2 - 1
        $tmp2 = $tmp2 & StringMid($tmp1, StringLen($tmp1) - 1 - 2 * $i, 2)
    Next
    Return $tmp2
EndFunc

Func _FloatToHex($floatval)
    $sF = DllStructCreate("float")
    $sB = DllStructCreate("ptr", DllStructGetPtr($sF))
    If $floatval = "" Then Exit
    DllStructSetData($sF, 1, $floatval)
    $return=DllStructGetData($sB, 1)
    Return $return
EndFunc

Yep, it's from the russian site

I don't claim a thing from this script...
I just translate it into AutoIt so others who hate the said scripting language will get Eye Spasms!!!

And most of all, I just want to share... enjoy ^^

Note: If you want your input to be in INT (In-game coordinates) then

Spoiler

Code:

Global $GAME_TITLE = "Perfect World"
Global $GAME_PID = WinGetProcess($GAME_TITLE)
Global $GAME_PROCESS = _MemoryOpen($GAME_PID)
Global $ADDRESS_CALLAUTOPATH = 0x455940
Global $ADDRESS_BASE = 0xD22C74

Func AutoPath($DEST_X, $DEST_Y, $ALT=0)
    $processHandle = $GAME_PROCESS[1]
    $functionAddress = DllCall('kernel32.dll', 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', 100, 'int', 0x1000, 'int', 0x40)

    $OPcode = '60'
    $OPcode &= 'B9' & _Hex($DEST_Y*10-5500, 8, 'float')
    $OPcode &= 'BA' & _Hex($DEST_Z)
    $OPcode &= 'B8' & _Hex($DEST_X*10-4000, 8, 'float')
    $OPcode &= '6A00'
    $OPcode &= '51'
    $OPcode &= '52'
    $OPcode &= '50'
    $OPcode &= '6A03'
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '684A010000'
    $OPcode &= 'B9'&_Hex($ADDRESS_BASE)
    $OPcode &= '8B09'
    $OPcode &= '83C11C'
    $OPcode &= '8B09'
    $OPcode &= 'BB'&_Hex($ADDRESS_CALLAUTOPATH)
    $OPcode &= 'FFD3'
    $OPcode &= 'B9' & _Hex($ALT)
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '51'
    $OPcode &= '6A01'
    $OPcode &= '6A00'
    $OPcode &= '6A00'
    $OPcode &= '684A010000'
    $OPcode &= 'B9'&_Hex($ADDRESS_BASE)
    $OPcode &= '8B09'
    $OPcode &= '83C11C'
    $OPcode &= '8B09'
    $OPcode &= 'BB'&_Hex($ADDRESS_CALLAUTOPATH)
    $OPcode &= 'FFD3'
    $OPcode &= '61'
    $OPcode &= 'C3'

    $vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
    For $loop = 1 To DllStructGetSize($vBuffer)
        DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
    Next

    DllCall('kernel32.dll', 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)

    $hRemoteThread = DllCall('kernel32.dll', 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress[0], 'ptr', 0, 'int', 0, 'int', 0)

    Do
        $result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
    Until $result[0] <> 258

    DllCall('kernel32.dll', 'int', 'CloseHandle', 'int', $hRemoteThread[0])
    DllCall('kernel32.dll', 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $functionAddress[0], 'int', 0, 'int', 0x8000)

    Return True
EndFunc

Func _Hex($Value, $size=8, $type="int")
    Local $tmp1, $tmp2, $i
    if($type = "int") Then
        $tmp1 = StringRight("000000000" & Hex($Value), $size)
    ElseIf($type = "float") Then
        $tmp1 = StringRight("000000000" & _FloatToHex($Value), $size)
    EndIf
    For $i = 0 To StringLen($tmp1) / 2 - 1
        $tmp2 = $tmp2 & StringMid($tmp1, StringLen($tmp1) - 1 - 2 * $i, 2)
    Next
    Return $tmp2
EndFunc

Func _FloatToHex($floatval)
    $sF = DllStructCreate("float")
    $sB = DllStructCreate("ptr", DllStructGetPtr($sF))
    If $floatval = "" Then Exit
    DllStructSetData($sF, 1, $floatval)
    $return=DllStructGetData($sB, 1)
    Return $return
EndFunc

Smurfin · 01/14/2015, 18:39

Thanks for the script, will be useful a few months later when Eclipse hits PW Indo

If you don't mind please post the tutorial on how to find the Autopath call address as well. Or with regexp.

Stark77 · 01/14/2015, 18:46

thanks alot for sharing this

the call address is the same as in the russian forum. i would also love to know how to find it^^

btw: in the 2nd script you dont multiply the z coord with 10. is that intended?

~~denzjh~~ · 01/14/2015, 18:49

Nope, the $DEST_Z in the script is the value of sliding bar(altitude) when the autopath function is on-going in-game.

As per Smurfin Request ^^

Spoiler