Sending Packets

06/19/2011 01:15 roflmfaoo#211
Quote:
Originally Posted by Interest07 View Post
Check the post in this thread where I explained how to send packets with C#. The moveAddress is just an address with enough memory allocated in the client to store your packet. You don't need to find this address as it is returned by the MemFunctions.AllocateMemory function.
Thanks for clarifying this :).
06/21/2011 13:39 unfaceguy#212
Hi mister Interest07, how do you find this?

Code:
//Harvest resource
private int harvestResourceAddress;
private byte[] harvestResourceAddressRev;

private byte[] harvestResourcePkt = new byte[]
{
    0x36, 0x00,                 //Header
    0x00, 0x00, 0x00, 0x00,     //uniqueId
    0x00, 0x00, 0x1E, 0x00,
    0x01, 0x0C, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00
};

public void harvestResource(int uniqueId)
{
    //Get size of the packet
    int packetSize = harvestResourcePkt.Length;

    if (harvestResourceAddress == 0)
    {
        //load packet in memory
        loadPacket(harvestResourcePkt, ref harvestResourceAddress, ref harvestResourceAddressRev);
    }

    byte[] uniqueIdRev = BitConverter.GetBytes(uniqueId);
    uniqueIdRev.Reverse(); //LINQ Reverse() returns a new sequence; the array itself stays little-endian
    MemFunctions.MemWriteBytes(pr_processHandle, harvestResourceAddress + 2, uniqueIdRev);

    sendPacket(harvestResourceAddressRev, packetSize);
}
06/21/2011 17:51 Interest07#213
Attach a debugger to the client, then set a breakpoint on the sendPacket function. When the breakpoint is triggered there will be several values on the stack:
[ESP + 0] = Address where the function has to jump back to after it is done. You can use this to figure out what function sent this particular packet.
[ESP + 4] = Packet size: the number of bytes contained in the packet
[ESP + 8] = Pointer to the packet. You can use this to find out what the packet is as follows (in semi code):

Code:
size = [ESP + 4]
pPacket = [ESP + 8]
for(int i = 0; i < size; i++)
{
    bValue(i) = [pPacket + i * 1]
}
Use this to figure out what packets are sent whenever you perform an action.

Quote:
Originally Posted by unfaceguy View Post
Hi mister Interest07, how do you find this?

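A concrete version of the semi code above, added here as an example (it is not Interest07's MHS script or any code from the thread): it reads the three stack slots from a little-endian stack snapshot, pulls the packet out of a simulated memory map using the size and pointer it found, and then splits the harvest-resource packet from unfaceguy's post into header and uniqueId. The addresses, the stack snapshot and the uniqueId value are constructed placeholders, not values from the client.

```python
import struct

# Constructed sample: a little-endian x86 stack snapshot plus a memory map, standing in
# for what the debugger shows at the sendPacket breakpoint. Addresses are made up.
RETURN_ADDR = 0x00401234      # constructed [ESP + 0]: where sendPacket returns to
PACKET_PTR = 0x00500000       # constructed [ESP + 8]: where the packet bytes live
ESP = 0x0019FF00              # constructed stack pointer at the breakpoint

# Harvest-resource packet from the thread, with a constructed uniqueId (500) at offset 2.
HARVEST_PKT = bytes([
    0x36, 0x00,               # header
    0xF4, 0x01, 0x00, 0x00,   # uniqueId, little-endian int32
    0x00, 0x00, 0x1E, 0x00,
    0x01, 0x0C, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
])

# The three dwords a cdecl caller leaves on the stack: return address, size, pointer.
STACK = struct.pack("<III", RETURN_ADDR, len(HARVEST_PKT), PACKET_PTR)

MEMORY = {ESP: STACK, PACKET_PTR: HARVEST_PKT}  # base address -> bytes mapped there


def read_bytes(memory, addr, n):
    """Bounds-checked read of n bytes at addr from the simulated memory map."""
    for base, blob in memory.items():
        if base <= addr and addr + n <= base + len(blob):
            off = addr - base
            return blob[off:off + n]
    raise ValueError(f"unmapped read: {addr:#010x}+{n}")


def read_u32(memory, addr):
    """[addr] as a little-endian 32-bit value, the way the debugger displays a stack slot."""
    return struct.unpack("<I", read_bytes(memory, addr, 4))[0]


def sendpacket_args(memory, esp):
    """[ESP+0] return address, [ESP+4] size, [ESP+8] packet pointer -> (ret, size, packet bytes)."""
    ret = read_u32(memory, esp)
    size = read_u32(memory, esp + 4)
    ptr = read_u32(memory, esp + 8)
    if size > 0xFFFF:
        # A huge size means the breakpoint is not where we think it is; refuse to dump.
        raise ValueError(f"implausible packet size {size}")
    return ret, size, read_bytes(memory, ptr, size)


def decode_harvest(packet):
    """Split the harvest packet into header word and uniqueId (layout from the thread)."""
    header, unique_id = struct.unpack_from("<HI", packet, 0)
    return {"header": header, "uniqueId": unique_id, "rest": packet[6:].hex()}


if __name__ == "__main__":
    ret, size, pkt = sendpacket_args(MEMORY, ESP)
    print(f"called from {ret:#010x}, {size} bytes: {pkt.hex()}")
    print(decode_harvest(pkt))
```

The return address is the part worth keeping in any dump: grouped by caller it tells you which client function emitted each packet, which is far more useful for understanding the protocol than the raw bytes alone.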
06/22/2011 03:28 msxgames#214
I see the code example you provided and understand how to read the values using a debugger. However I would like to read the values from my program. Is there a way to read (and show) the contents of the stack in my bot (btw it's autoit, but I can still translate as I get the idea). I have seen it, but don't have a clue how to do it.

Quote:
Originally Posted by Interest07 View Post
You can use this to find out what the packet is as follows (in semi code):

Code:
size = [ESP + 4]
pPacket = [ESP + 8]
for(int i = 0; i < size; i++)
{
    bValue(i) = [pPacket + i * 1]
}
Use this to figure out what packets are sent whenever you perform an action.
06/22/2011 08:40 Interest07#215
Why would you want to read those values during botting? You only need to know what a packet looks like once and then hardcode that. I use MHS to execute a script that reads out the stack values every time the breakpoint is hit instead of pausing the game. It works nicely for figuring out the parameters for other functions as well.

I wouldn't know how to do something like that from scratch though, I'm afraid, although I did see some tool that looks up what packets are sent somewhere. You might wanna try to track the creator of that down :)
06/22/2011 22:20 ayongz#216
Hi Interest07,
Is there a packet for sending mail?

Thanks for the code :)
06/29/2011 10:25 Aduhn32#217
Hello Interest07,
I have a problem with the function sendpacket.
What is wrong in my code?

Code:
Public Function SendPacket(ByVal Packet As String, ByVal Size As Integer, ByVal hProcess As Integer)
    Dim vBuffer As Byte() = Nothing, result = Nothing, OPcode As String = Nothing
    Dim functionAddress As IntPtr = VirtualAllocEx(hProcess, Nothing, &H46, &H1000, &H40)
    Dim packetAddress As IntPtr = VirtualAllocEx(hProcess, Nothing, Size, &H1000, &H40)
    Dim hRemoteThread As IntPtr = Nothing
    OPcode &= "60"                                'PUSHAD
    OPcode &= "B8" & _Hex(sendPacketFunction)     'MOV     EAX, sendPacketAddress
    OPcode &= "8B0D" & _Hex(realBaseAddress)      'MOV     ECX, DWORD PTR [revBaseAddress]
    OPcode &= "8B4920"                            'MOV     ECX, DWORD PTR [ECX+20]
    OPcode &= "BF" & _Hex(packetAddress)          'MOV     EDI, packetAddress    (src pointer)
    OPcode &= "6A" & _Hex(Size, 2)                'PUSH    packetSize            (size)
    OPcode &= "57"                                'PUSH    EDI
    OPcode &= "FFD0"                              'CALL    EAX
    OPcode &= "61"                                'POPAD
    OPcode &= "C3"                                'RET

    ReDim vBuffer((OPcode.Length / 2) - 1)
    Dim a As Integer = 0
    For i = 1 To UBound(vBuffer) Step 2
        vBuffer(a) = Int("&H" & Mid(OPcode, i, 2))
        a += 1
    Next

    WriteProcessMemory(hProcess, functionAddress, vBuffer, UBound(vBuffer), Nothing)
    hRemoteThread = CreateRemoteThread(hProcess, Nothing, Nothing, functionAddress, Nothing, Nothing, Nothing)
    Do
        result = WaitForSingleObject(hRemoteThread, 50)
    Loop Until (result <> 258)

    CloseHandle(hRemoteThread)
    VirtualFreeEx(hProcess, functionAddress, Nothing, &H8000)
    VirtualFreeEx(hProcess, packetAddress, Nothing, &H8000)

    Return True
End Function
there is a problem here:
Code:
hRemoteThread = CreateRemoteThread(hProcess, Nothing, Nothing, functionAddress, Nothing, Nothing, Nothing)
WinAPI

Code:
Public Declare Function CreateRemoteThread Lib "Kernel32.dll" (
  ByVal hProcess As IntPtr,
  ByVal lpThreadAttributes As IntPtr,
  ByVal dwStackSize As Integer,
  ByVal lpStartAddress As IntPtr,
  ByVal lpParameter As IntPtr,
  ByVal dwCreationFlags As Integer,
  ByRef lpThreadId As IntPtr
) As IntPtr
Please help me with how to use sendpacket in VB Express :):)
06/29/2011 14:22 Interest07#218
Did you check if it properly wrote the function to that address?

On first sight things seem to be alright.
06/30/2011 06:43 Aduhn32#219
I get the function address using 'findWQbotOffsets.exe'
(copy 'elementclient.exe' to the 'findWQbotOffsets.exe' directory, then run 'findWQbotOffsets.exe').
This is the result (pwindo):
Code:
[main]
logActivities=0
[offsets]
realBaseAddress=0xA5B90C
SendPacketAddress=0x0060E310
playerCounterOffset=0x000008E4
playerIntervalOffset=0x00000898
questFunctionOffset=0xFFC
questFunctionAddress=0x006C98E0
playerNameOffset=0x618
playerTransportModeOffset=0x62C
playerFlySpdOffset=0x4D0
playerFlyMountOffset=0x00000570
playerXposOffset=0x3C
playerYposOffset=0x40
playerZposOffset=0x44
playerActionStructOffset=0xFF4
baseOffset=0x1C
playerOffSet=0x20
nameLengthOffset=0xFFFFFFF8
playerTargetIdOffset=0xB0C
npcIdOffset=0x11C
sortedNpcListOffset=0x50
baseListsOffset=0x8
npcListOffset=0x24
06/30/2011 09:31 Interest07#220
I mean, did you check whether it wrote the opcode to memory correctly?
07/01/2011 09:42 Aduhn32#221
I have been able to use sendpacket in VB.
Wow, that really helped me. Thanks Interest07 :):)

Btw, do you have a function to move x, y, z?
07/24/2011 14:47 Sturolv#222
Hi all!

I have tried with sending packages to make my character to fly up or down, but have failed.

I've tried to follow Interest07's guides:
[link] and [link]

The result so far is that the camera moves in steps of the flight speed every time interval (i.e. not smooth) and ends up where it should be, but the character stays where it was from the start.

I paste some code (autoit) and hope you guys can help me out:

Code:
Dim $oposx = 0x3c, $oposy = 0x44, $oposz = 0x40
Dim $oposx2 = 0x7c, $oposy2 = 0x84, $oposz2 = 0x80
Dim $oposx3 = 0x7e8, $oposy3 = 0x7f0, $oposz3 = 0x7ec
Dim $oposx4 = 0x828, $oposy4 = 0x830, $oposz4 = 0x82c

Fly(20) ;fly 20 units up

Func Fly($zfly)
    Local $packetAddress, $packetSize, $speed, $dX, $dY, $dZ, $destZ, $curX, $curY, $curZ
    Local $pchar, $c, $timeinterval, $timeneeded
    GetCharInfo($pid)
    $speed = $charinfo[$IFlyspeed]
    $curX = $charinfo[$IX]
    $curY = $charinfo[$IY]
    $curZ = $charinfo[$IZ]
    $pchar = _MemoryRead(_MemoryRead($base, $pid) + 0x34, $pid)
    $c = _MemoryRead($pchar + 0x928, $pid, 'word') ;movement counter
    $destZ = $curZ + $zfly
    $timeinterval = 1000
    $timeneeded = DistanceFromMe($curX, $curY, $curZ + $zfly) / $speed
    $dZ = (($destZ - $curZ) / $timeneeded) * $timeinterval / 1000

    If $speed > 0 Then
        While $timeneeded > ($timeinterval / 1000)
            $curZ += $dZ
            ;move packet: 0x21 bytes
            $packetAddress = DllCall($pid[0], 'int', 'VirtualAllocEx', 'int', $pid[1], 'ptr', 0, 'int', 0x21, 'int', 0x1000, 'int', 0x40)

            _MemoryWrite($packetAddress[0], $pid, 0, 'word')
            _MemoryWrite($packetAddress[0] + 2, $pid, $curX, 'float')
            _MemoryWrite($packetAddress[0] + 6, $pid, $curY, 'float')
            _MemoryWrite($packetAddress[0] + 10, $pid, $curZ, 'float')
            _MemoryWrite($packetAddress[0] + 14, $pid, $curX, 'float')
            _MemoryWrite($packetAddress[0] + 18, $pid, $curY, 'float')
            _MemoryWrite($packetAddress[0] + 22, $pid, $curZ, 'float')
            _MemoryWrite($packetAddress[0] + 26, $pid, $timeinterval, 'word')
            _MemoryWrite($packetAddress[0] + 28, $pid, Round($speed * 256 + 0.5), 'word')
            _MemoryWrite($packetAddress[0] + 30, $pid, 0x61, 'byte')
            _MemoryWrite($packetAddress[0] + 31, $pid, $c, 'word')

            sendPacket2($packetAddress, 0x21, $pid)
            DllCall($pid[0], 'ptr', 'VirtualFreeEx', 'hwnd', $pid[1], 'int', $packetAddress[0], 'int', 0, 'int', 0x8000)

            _MemoryWrite($pchar + $oposx, $pid, $curX, 'float')
            _MemoryWrite($pchar + $oposy, $pid, $curY, 'float')
            _MemoryWrite($pchar + $oposz, $pid, $curZ, 'float')
            _MemoryWrite($pchar + $oposx2, $pid, $curX, 'float')
            _MemoryWrite($pchar + $oposy2, $pid, $curY, 'float')
            _MemoryWrite($pchar + $oposz2, $pid, $curZ, 'float')
            _MemoryWrite($pchar + $oposx3, $pid, $curX, 'float')
            _MemoryWrite($pchar + $oposy3, $pid, $curY, 'float')
            _MemoryWrite($pchar + $oposz3, $pid, $curZ, 'float')
            _MemoryWrite($pchar + $oposx4, $pid, $curX, 'float')
            _MemoryWrite($pchar + $oposy4, $pid, $curY, 'float')
            _MemoryWrite($pchar + $oposz4, $pid, $curZ, 'float')
            $c += 1
            _MemoryWrite($pchar + 0x928, $pid, $c, 'word') ;Update counter

            $timeneeded -= $timeinterval / 1000
            Sleep($timeinterval)
        WEnd
    EndIf

    If ($timeneeded > 0) Then
        $curZ += $dZ * $timeneeded

        ;stop packet: 0x16 bytes
        $packetAddress = DllCall($pid[0], 'int', 'VirtualAllocEx', 'int', $pid[1], 'ptr', 0, 'int', 0x16, 'int', 0x1000, 'int', 0x40)
        _MemoryWrite($packetAddress[0], $pid, 7, 'word')
        _MemoryWrite($packetAddress[0] + 2, $pid, $curX, 'float')
        _MemoryWrite($packetAddress[0] + 6, $pid, $curY, 'float')
        _MemoryWrite($packetAddress[0] + 10, $pid, $curZ, 'float')
        _MemoryWrite($packetAddress[0] + 14, $pid, Round($speed * 256 + 0.5), 'word')
        _MemoryWrite($packetAddress[0] + 16, $pid, 0, 'byte')
        _MemoryWrite($packetAddress[0] + 17, $pid, 0x61, 'byte')
        _MemoryWrite($packetAddress[0] + 18, $pid, $c, 'word')
        _MemoryWrite($packetAddress[0] + 20, $pid, $timeneeded * 1000, 'word')
        sendPacket2($packetAddress, 0x21, $pid)
        DllCall($pid[0], 'ptr', 'VirtualFreeEx', 'hwnd', $pid[1], 'int', $packetAddress[0], 'int', 0, 'int', 0x8000)

        _MemoryWrite($pchar + $oposx, $pid, $curX, 'float')
        _MemoryWrite($pchar + $oposy, $pid, $curY, 'float')
        _MemoryWrite($pchar + $oposz, $pid, $curZ, 'float')
        _MemoryWrite($pchar + $oposx2, $pid, $curX, 'float')
        _MemoryWrite($pchar + $oposy2, $pid, $curY, 'float')
        _MemoryWrite($pchar + $oposz2, $pid, $curZ, 'float')
        _MemoryWrite($pchar + $oposx3, $pid, $curX, 'float')
        _MemoryWrite($pchar + $oposy3, $pid, $curY, 'float')
        _MemoryWrite($pchar + $oposz3, $pid, $curZ, 'float')
        _MemoryWrite($pchar + $oposx4, $pid, $curX, 'float')
        _MemoryWrite($pchar + $oposy4, $pid, $curY, 'float')
        _MemoryWrite($pchar + $oposz4, $pid, $curZ, 'float')
        $c += 1
        _MemoryWrite($pchar + 0x928, $pid, $c, 'word') ;Update counter
    EndIf
EndFunc
Code:
Func sendPacket2($packetAddress, $packetSize, $pid)
    Local $hRemoteThread, $vBuffer, $loop, $result, $OPcode, $processHandle, $functionAddress
    $processHandle = $pid[1]

    ;//Allocate memory for the OpCode and retrieve address for this
    $functionAddress = DllCall($pid[0], 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', 0x46, 'int', 0x1000, 'int', 0x40)

    ;//Construct the OpCode for calling the 'SendPacket' function
    $OPcode &= '60'                                ;//PUSHAD
    $OPcode &= 'B8' & _hex($sendPacketFunction)    ;//MOV     EAX, sendPacketAddress
    $OPcode &= '8B0D' & _hex($realBaseAddress)     ;//MOV     ECX, DWORD PTR [revBaseAddress]
    $OPcode &= '8B4920'                            ;//MOV     ECX, DWORD PTR [ECX+20]
    $OPcode &= 'BF' & _hex($packetAddress[0])      ;//MOV     EDI, packetAddress    //src pointer
    $OPcode &= '6A' & _hex($packetSize, 2)         ;//PUSH    packetSize            //size
    $OPcode &= '57'                                ;//PUSH    EDI
    $OPcode &= 'FFD0'                              ;//CALL    EAX
    $OPcode &= '61'                                ;//POPAD
    $OPcode &= 'C3'                                ;//RET

    ;//Put the OpCode into a struct for later memory writing
    $vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
    For $loop = 1 To DllStructGetSize($vBuffer)
        DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
    Next

    ;//Write the OpCode to previously allocated memory
    DllCall($pid[0], 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)

    ;//Create a remote thread in order to run the OpCode
    $hRemoteThread = DllCall($pid[0], 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress[0], 'ptr', 0, 'int', 0, 'int', 0)

    ;//Wait for the remote thread to finish
    Do
        $result = DllCall($pid[0], 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
    Until $result[0] <> 258

    ;//Close the handle to the previously created remote thread
    DllCall($pid[0], 'int', 'CloseHandle', 'int', $hRemoteThread[0])

    ;//Free the previously allocated memory
    DllCall($pid[0], 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $functionAddress[0], 'int', 0, 'int', 0x8000)

    Return True
EndFunc
The offsets for coords 2, 3 and 4 are something I'm not sure are correct.

Targeting an npc by its id is something I've gotten to work with the help of the send packets guide: [link]

Have fun all! /Sturolv
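Added example, not code from Sturolv's post or from any of the linked guides: a Python decoder for the two movement packets laid out by the _MemoryWrite calls in Fly() (the 33-byte move packet and the 22-byte stop packet). The field names are my own labels, and the build_* functions exist only to produce sample bytes with the same layout. The check a debugger-side dump should make is the one in decode(): it derives the expected length from the layout, so a 22-byte stop packet handed over with a size of 0x21 is flagged rather than silently accepted.

```python
import struct

# Layouts reconstructed from the _MemoryWrite offsets in the Fly() function above.
# The field names are labels I chose; they are not names used by the client or the thread.
MOVE_FMT = "<H3f3fHHBH"  # type=0, pos x/y/z, dest x/y/z, interval_ms, speed_q8, 0x61, counter
STOP_FMT = "<H3fHBBHH"   # type=7, pos x/y/z, speed_q8, 0, 0x61, counter, remaining_ms
MOVE_SIZE = struct.calcsize(MOVE_FMT)  # 33 == 0x21, what the loop allocates and sends
STOP_SIZE = struct.calcsize(STOP_FMT)  # 22 == 0x16, what the final block allocates
MARKER = 0x61

MOVE_FIELDS = ("type", "x", "y", "z", "dx", "dy", "dz",
               "interval_ms", "speed_q8", "marker", "counter")
STOP_FIELDS = ("type", "x", "y", "z", "speed_q8", "pad", "marker",
               "counter", "remaining_ms")


def q8(speed):
    """Speed travels as a 16-bit value in 1/256 units (the thread's speed*256, here rounded half up)."""
    value = int(speed * 256 + 0.5)
    if not 0 <= value <= 0xFFFF:
        raise ValueError("speed does not fit the 16-bit field")
    return value


def build_move(pos, dest, interval_ms, speed, counter):
    """Sample move packet with the same byte layout as the loop body of Fly()."""
    return struct.pack(MOVE_FMT, 0, *pos, *dest, interval_ms, q8(speed), MARKER, counter)


def build_stop(pos, speed, counter, remaining_ms):
    """Sample stop packet with the same byte layout as the final block of Fly()."""
    return struct.pack(STOP_FMT, 7, *pos, q8(speed), 0, MARKER, counter, remaining_ms)


def decode(pkt):
    """Select the layout from the type word, then insist the length matches it exactly."""
    if len(pkt) < 2:
        raise ValueError("truncated packet")
    ptype = struct.unpack_from("<H", pkt)[0]
    if ptype == 0:
        fmt, names = MOVE_FMT, MOVE_FIELDS
    elif ptype == 7:
        fmt, names = STOP_FMT, STOP_FIELDS
    else:
        raise ValueError(f"unknown movement packet type {ptype}")
    expected = struct.calcsize(fmt)
    if len(pkt) != expected:
        # A 22-byte stop packet handed to sendPacket with size 0x21 lands here:
        # the trailing 11 bytes are whatever sits after the written buffer.
        raise ValueError(f"type {ptype} packet should be {expected} bytes, got {len(pkt)}")
    fields = dict(zip(names, struct.unpack(fmt, pkt)))
    if fields["marker"] != MARKER:
        raise ValueError("marker byte is not 0x61")
    fields["speed"] = fields["speed_q8"] / 256  # back to units per second
    return fields


def is_well_formed(pkt):
    """True when decode() accepts the packet; False for any layout or length violation."""
    try:
        decode(pkt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    move = build_move((100.0, 20.0, 5.0), (100.0, 20.0, 7.5), 1000, 8.0, 1)
    stop = build_stop((100.0, 20.0, 7.5), 8.0, 2, 250)
    print(decode(move))
    print(decode(stop))
    print(is_well_formed(stop + bytes(0x21 - 0x16)))  # the over-long send is rejected
```

Running decode() over the bytes captured at the sendPacket breakpoint (the [ESP + 8] dump from earlier in the thread) is a quick way to confirm that what the client actually emits matches the layout you assumed, before guessing at offsets like the second set of coordinates.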
07/24/2011 16:12 Interest07#223
Quote:
The offsets for coords 2, 3 and 4 are something I'm not sure are correct.
Those don't really matter, they're more for yourself to see what's happening (and whether you have the correct coords being sent), and also to make it a bit smoother to change from packet movement to regular movement. They won't influence the actual result though.

On first sight your function appears to work correctly. Which server do you play on? You might want to verify it's the correct packet structure if you're not playing on PWI, as some packets are known to differ slightly from PWI server on for example the Russian server.
07/24/2011 19:33 Sturolv#224
Hi!

I'm on pwi.

I could read the complete message into a hex string and paste it here if you wanna have a peek at them. I think it's about 4 or 5 messages including the stop-message.

Btw, I forgot to mention what my purpose with this is:

To make a program that automates a cleric to follow me around, healing and buffing when needed, and eventually also assisting. I started with this more than a year ago but put everything on ice; now I'm back again.

I do think it's so fun to make this and I don't know if I really want to play the game when it's done :)
07/24/2011 21:19 Interest07#225
Quote:
Originally Posted by Sturolv View Post
I could read the complete message into a hex string and paste it here if you wanna have a peek at them. I think it's about 4 or 5 messages including the stop-message.

To make a program that automates a cleric to follow me around, healing and buffing when needed, and eventually also assisting.
Yeah, sure, post the hex stuff :) That should help.

Ahh yes, a cleric assistant is great ;)