Let's talk about the recent patch and changes

05/21/2009 22:12 IAmHawtness#16
Quote:
Originally Posted by high6 View Post
No, the moblist is at like 0x64XXXX. It is around "ClientInfo".

There are 2 easy ways to find it.

1 You use a multiclient. You have a second character move around while you search the coords. Then you trace back from there.

2 You breakpoint the receive mob packet and go from there.
Why would you need a multi-client when you only need two characters for option number 1? Lol :p.

Ps. anyone got any updates on what the connection between Target/MobBaseAddress and Target/MobNameAddress is? :)
05/22/2009 00:17 high6#17
You guys are lazy :P.

All I am going to say is that the name has a start ptr followed by an end ptr in the Role structure.
05/22/2009 01:24 ookamocka#18
Quote:
Originally Posted by high6 View Post
No, the moblist is at like 0x64XXXX. It is around "ClientInfo".

There are 2 easy ways to find it.

1 You use a multiclient. You have a second character move around while you search the coords. Then you trace back from there.

2 You breakpoint the receive mob packet and go from there.
kk thx ^_^ I'll use the first method and see if I get any success :)

Quote:
Originally Posted by high6 View Post
You guys are lazy :P.

All I am going to say is that the name has a start ptr followed by an end ptr in the Role structure.
Being lazy and just simply not knowing are 2 diff things XD... like I didn't know how to find the mob structure... didn't mean I didn't want to do it :-P
05/22/2009 01:42 high6#19
Quote:
Originally Posted by ookamocka View Post
kk thx ^_^ I'll use the first method and see if I get any success :)

Being lazy and just simply not knowing are 2 diff things XD... like I didn't know how to find the mob structure... didn't mean I didn't want to do it :-P
You think I knew how to find it at first?
05/22/2009 04:08 SwiftWeapon#20
I have a question I find that this thread seems to be appropriate...

I am new to finding values in memory in regards to games, but I have been a C# programmer for a few years now, so please bear with me as I am learning a lot of things...

I have spent the last 3 hours getting new memory addresses and I have gotten to a challenge trying to find the Char Name address... So far I have been able to find it for any character besides my ninja, which leads me to believe that it is not a dynamic address, so could anyone enlighten me as to what I am doing wrong here? PLEASE!! Do NOT give me that fricken address lol, I want to learn how to get it myself!

I have tried looking up my ninja char's name through text, a byte array, and even snooping around the other values thinking I might find it... major fail.

Btw, I am using CheatEngine and I have found Char name at address 0x013A8468, but it seems to work only for non-ninja chars...

Any clues or help is greatly appreciated and if anyone wants other addresses please let me know and i'll be glad to share.
05/22/2009 04:13 Evan Lim#21
SwiftWeapon@
player's character name has changed to dynamic
it used to be around 0x64xxxx (any result that is above 0xffffff is not static; it changes every time you open another client)
but now, at that spot, it is blank
all the XY coordinates have also changed to dynamic except the real map coordinate
05/22/2009 04:28 SwiftWeapon#22
Quote:
Originally Posted by Evan Lim View Post
SwiftWeapon@
player's character name has changed to dramatic
it used to be around 0x64xxxx (any result that is above 0xffffff is not static; it changes every time you open another client)
but now, at that spot, it is blank
all the XY coordinates have also changed to dramatic except the real map coordinate
I have opened 10 clients and in each one I can find the character name for my water tao.. same address every time, and when I change it, it also changes on CO for my character... it cannot be dynamic.

However, when I try that same thing for my Ninja.. it is blank.. are you saying that the Ninja class has a dynamic Character name ? lol

Also, you have your addresses wrong I think... they used to be at 005D**** and now they are around 013A****
05/22/2009 04:30 32991304#23
Quote:
I have a question I find that this thread seems to be appropriate...

I am new to finding values in memory in regards to games, but I have been a C# programmer for a few years now, so please bear with me as I am learning a lot of things...

I have spent the last 3 hours getting new memory addresses and I have gotten to a challenge trying to find the Char Name address... So far I have been able to find it for any character besides my ninja, which leads me to believe that it is not a dynamic address, so could anyone enlighten me as to what I am doing wrong here? PLEASE!! Do NOT give me that fricken address lol, I want to learn how to get it myself!

I have tried looking up my ninja char's name through text, a byte array, and even snooping around the other values thinking I might find it... major fail.

Btw, I am using CheatEngine and I have found Char name at address 0x013A8468, but it seems to work only for non-ninja chars...

Any clues or help is greatly appreciated and if anyone wants other addresses please let me know and i'll be glad to share.
I was trying that too, but each client gets a different address >.<, I dunno what is happening
05/22/2009 04:36 Evan Lim#24
SwiftWeapon@
0x5dxxxx, I think that was previous
anyhow, 0x64xxxx is what the current location is, just that it shows blank now
but the stats, coordinates are still there under the blank
05/22/2009 04:40 SwiftWeapon#25
Quote:
Originally Posted by Evan Lim View Post
SwiftWeapon@
0x5dxxxx, I think that was previous
anyhow, 0x64xxxx is what the current location is, just that it shows blank now
but the stats, coordinates are still there under the blank
I just checked again and you are correct; character names are dynamic... However, ALL addresses above 0xffffff are not dynamic...

Character HP is at 0x013A9920

Also, server time is in the 013A*** range and also not dynamic.. but most other values in there are now dynamic... hmmm... now I must learn how to get values from pointers in memory :) shouldn't be too hard...
05/22/2009 05:18 high6#26
If the address is not inside a module (i.e. Conquer.exe in the process is 0x400000-0x678000) it is dynamic.

Anyways... Just searching for the name won't get you very far.
05/22/2009 05:28 SwiftWeapon#27
Quote:
Originally Posted by high6 View Post
If the address is not inside a module (i.e. Conquer.exe in the process is 0x400000-0x678000) it is dynamic.

Anyways... Just searching for the name won't get you very far.
Do you have any insight to what I should be searching for then? Thank you for the info about where the dynamics are, it should help me in my quest. :)
05/22/2009 06:31 clintonselke#28
I haven't found the dequeEx yet... about to try a new method of finding it... gonna write a function for scanning the Conquer memory for all 32-byte consecutive values... then apply that to the formula for the number of mobs in the DequeEx and see if it returns the correct value. If it does, then that's the most probable location of the Deque.

From high6 the scan should be from 640000 to 64FFFF, that's only 64K values to search through.

Anyway, I believe I know the real beginning of the mob structs (using the attack function)

char* mobName = mobBaseAddr + 0xE4
int mobXCoord = mobBaseAddr + 0x0298
int mobYCoord = mobBaseAddr + 0x029C

I know it's different from the top of the thread, but this works every time for me (when using the first param of the attack function as a pointer to the mob structure)

Edit: Notice the mob name is no longer a static string, but a pointer to a string. That must be why we don't see the name of the mob in the mob structure.
05/22/2009 07:12 high6#29
Quote:
Originally Posted by clintonselke View Post
Edit: Notice the mob name is no longer a static string, but a pointer to a string. That must be why we don't see the name of the mob in the mob structure.
This has been said :P.

+E8 is the ptr to the end of the string.

Also I think it is either a CString or a std::string in the structure. Will check it out more later.
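The following is an added example, not code posted by anyone in this thread, that puts together three things said above: high6's rule that an address outside the Conquer.exe image (0x400000-0x678000) is dynamic (#26), clintonselke's Role offsets +0xE4 name, +0x298 X, +0x29C Y (#28), and the begin pointer at +0xE4 followed by the end pointer at +0xE8 (#17, #29). It runs against a constructed byte array that stands in for the client's memory, because the point is the two-step dereference and the sanity checks a scanner needs, not a live ReadProcessMemory call. The fake base address 0x00A00000, the name "TestMob" and the coordinates are invented for the demo; whether the pointer pair is really a std::string, a CString or something else is left open, as the thread leaves it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a 32-bit target's address space. This buffer
 * plays the role of what ReadProcessMemory would return; its base and
 * contents are invented, only the structure offsets come from the thread. */
#define FAKE_BASE 0x00A00000u
#define FAKE_SIZE 0x400u
static uint8_t fake_mem[FAKE_SIZE];

/* Module image range quoted in the thread for Conquer.exe. */
#define MODULE_LO 0x400000u
#define MODULE_HI 0x678000u

/* Role/mob structure offsets from the thread. */
#define OFF_NAME_BEGIN 0xE4   /* pointer to first byte of the name */
#define OFF_NAME_END   0xE8   /* pointer one past the last byte */
#define OFF_X          0x298
#define OFF_Y          0x29C

/* Inside the module image: static across runs. Anything else (heap, stack)
 * moves between clients and has to be reached through a pointer chain. */
int is_static_address(uint32_t addr) {
    return addr >= MODULE_LO && addr < MODULE_HI;
}

/* Emulates ReadProcessMemory: copy len bytes at target address addr into
 * out; returns 0 if any byte lies outside the readable region. */
int read_mem(uint32_t addr, void *out, uint32_t len) {
    if (addr < FAKE_BASE || len > FAKE_SIZE || addr - FAKE_BASE > FAKE_SIZE - len)
        return 0;
    memcpy(out, fake_mem + (addr - FAKE_BASE), len);
    return 1;
}

/* Read a little-endian 32-bit value, as laid out by the x86 client. */
int read_u32(uint32_t addr, uint32_t *out) {
    uint8_t b[4];
    if (!read_mem(addr, b, 4)) return 0;
    *out = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 1;
}

/* Write a little-endian 32-bit value into the fake memory (setup only). */
void put_u32(uint32_t addr, uint32_t v) {
    uint8_t b[4] = { (uint8_t)v, (uint8_t)(v >> 8), (uint8_t)(v >> 16), (uint8_t)(v >> 24) };
    memcpy(fake_mem + (addr - FAKE_BASE), b, 4);
}

/* Resolve the mob name: the struct holds begin/end pointers, so the text is
 * end - begin bytes living elsewhere. Reject inverted or oversized ranges so
 * a wrong candidate address cannot make us copy garbage past our buffer. */
int read_mob_name(uint32_t mob, char *out, size_t cap) {
    uint32_t begin, end;
    if (!read_u32(mob + OFF_NAME_BEGIN, &begin) || !read_u32(mob + OFF_NAME_END, &end))
        return -1;
    if (end < begin) return -1;            /* not a begin/end pair */
    uint32_t len = end - begin;
    if (len >= cap) return -1;             /* would not fit plus terminator */
    if (!read_mem(begin, out, len)) return -1;
    out[len] = '\0';
    return (int)len;
}

int read_mob_coords(uint32_t mob, uint32_t *x, uint32_t *y) {
    return read_u32(mob + OFF_X, x) && read_u32(mob + OFF_Y, y);
}

/* Build the constructed image: one mob struct at FAKE_BASE, with its name
 * stored separately at FAKE_BASE + 0x300 the way a heap string would be. */
uint32_t setup_fake_mob(void) {
    const char *name = "TestMob";          /* constructed, not a real mob */
    uint32_t mob = FAKE_BASE, str = FAKE_BASE + 0x300;
    memset(fake_mem, 0, sizeof fake_mem);
    memcpy(fake_mem + (str - FAKE_BASE), name, strlen(name));
    put_u32(mob + OFF_NAME_BEGIN, str);
    put_u32(mob + OFF_NAME_END, str + (uint32_t)strlen(name));
    put_u32(mob + OFF_X, 430);
    put_u32(mob + OFF_Y, 380);
    return mob;
}

int main(void) {
    uint32_t mob = setup_fake_mob(), x = 0, y = 0;
    char name[64];
    int n = read_mob_name(mob, name, sizeof name);
    read_mob_coords(mob, &x, &y);
    printf("mob %#x static=%d name=\"%s\" (%d bytes) at (%u,%u)\n",
           mob, is_static_address(mob), name, n, x, y);
    return 0;
}
```

Swap read_mem for a ReadProcessMemory wrapper and the rest carries over unchanged; the end < begin and len >= cap checks are what stop a scanner from crashing when it applies the offsets to an address that is not actually a mob.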
05/22/2009 07:27 clintonselke#30
Alright, I whipped up a program to search from 640000 to 64FFFF to find the mob deque... no luck yet.

Has the formula for the size of the DequeEx changed?

PHP Code:
#include <windows.h>
#include <Tlhelp32.h>
#include <stdint.h>
#include <cstring>
#include <iostream>
#include <iomanip>
#include <string>
#include <conio.h>

// Build as a multi-byte (non-UNICODE) project so szExeFile is a char array.

using namespace std;

uint32_t const START_ADDR = 0x640000;
uint32_t const END_ADDR = 0x64FFFF;

// From the genius that is high6 ^_^
// unsafe public int GetSize()
// {
//      byte[] data = ReadBytes(Handle, Address, 0x20);
//
//      fixed (byte* b = data)
//      {
//           return (((*(int*)(b + 0x1C) - *(int*)(b + 0xC) >> 2) << 5) +
//                    (*(int*)(b + 0x10) - *(int*)(b + 0x14) >> 2)) +
//                    (*(int*)(b + 0x8) - *(int*)(b + 0x0) >> 2) - 0x20;
//      }
// }
// Same computation over the 0x20 header bytes read from the target.
static uint32_t dequeSize(const char* b)
{
    return (((*(int*)(b + 0x1C) - *(int*)(b + 0xC) >> 2) << 5) +
            (*(int*)(b + 0x10) - *(int*)(b + 0x14) >> 2)) +
           (*(int*)(b + 0x8) - *(int*)(b + 0x0) >> 2) - 0x20;
}

int main()
{
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);

    // Walk the process list until Conquer.exe turns up.
    HANDLE hTool32 = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
    if (!Process32First(hTool32, &pe32)) {
        cerr << "ERROR: Failed to retrieve first running process info." << endl;
        return 1;
    }
    bool conquerFound = false;
    do {
        if (strcmp(pe32.szExeFile, "Conquer.exe") == 0) {
            conquerFound = true;
            break;
        }
    } while (Process32Next(hTool32, &pe32));
    CloseHandle(hTool32);
    if (!conquerFound) {
        cerr << "ERROR: Could not find running process of Conquer.exe." << endl;
        return 1;
    }

    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
    if (!hProcess) {
        cerr << "ERROR: OpenProcess failed (" << GetLastError() << ")." << endl;
        return 1;
    }

    bool foundDequeEx = false;
    uint32_t addr;
    char b[0x20];
    for (addr = START_ADDR; addr < END_ADDR; ++addr) {
        // Read 0x20 bytes at every candidate address and apply the formula.
        if (!ReadProcessMemory(hProcess, (LPCVOID)(uintptr_t)addr, b, 0x20, NULL)) {
            continue;
        }
        uint32_t size = dequeSize(b);

        //if (size < 100) {
        if (size == 20) { // number of mobs currently on screen while scanning
            foundDequeEx = true;
            cout << "DequeEx might be located at " << uppercase << hex << addr << "." << endl;
            getch();
            // Just test it first.
            cout << "TESTING" << endl;
            while (!kbhit()) {
                ReadProcessMemory(hProcess, (LPCVOID)(uintptr_t)addr, b, 0x20, NULL);
                cout << "Number of mobs on screen is " << dec << dequeSize(b) << "." << endl;
                Sleep(1000);
            }
            if (getch() == 'n') {
                // Not it; keep scanning from the next address.
                foundDequeEx = false;
                continue;
            } else {
                break;
            }
        }
    }
    if (!foundDequeEx) {
        cerr << "ERROR: Could not find DequeEx." << endl;
        CloseHandle(hProcess);
        return 1;
    }

    // Test it until keypress.
    cout << "DequeEx might be located at " << uppercase << hex << addr << "." << endl;
    cout << "Final test run." << endl;
    while (!kbhit()) {
        ReadProcessMemory(hProcess, (LPCVOID)(uintptr_t)addr, b, 0x20, NULL);
        cout << "Number of mobs on screen is " << dec << dequeSize(b) << "." << endl;
        Sleep(1000);
    }
    getch();

    CloseHandle(hProcess);
    return 0;
}
EDIT: WOOT FOUND IT!!! xD @ 6502D4.... I swear that works for me :D
EDIT: Hang on, that's reporting twice as many mobs (exactly x 2)... I know I'm close at least. xD