thanks chakjii :handsdown:, it's working nicely with the added filter and distance :)
Mob and Item Listings
08/30/2010 05:28
Smurfin#16
09/08/2010 12:54
lolkop#17
well since i've got the russian client now its kinda easy to convert all of their functions to pwi...
for example the jump function:
and you can easily make autoit get the needed offsets and calls for you.
here's the updated get_adresses.au3 with added jumpstuff:
the asm stuff can be used like i did it in the older functions.
now all of these functuions:
[Only registered and activated users can see links. Click Here To Register...]
can be converted easily to work with all other clients =)
for example the jump function:
Code:
pushad mov ecx, dword ptr [$base] mov ecx, dword ptr [ecx+0x1C] mov ecx, dword ptr [ecx+0x20] mov eax, 0x41200000 mov dword ptr[ecx+$jump_offset1], eax mov dword ptr[ecx+$jump_offset2], 1 mov dword ptr[ecx+$jump_offset3], eax mov dword ptr[ecx+$jump_offset4], 0 mov dword ptr[ecx+$jump_offset5], 0 mov dword ptr[ecx+$jump_offset6], 0 mov dword ptr[ecx+$jump_offset7], 0 push 0 push 0xC8 push 1 push 0x3F800000 push 4 call $jump_call popad
here's the updated get_adresses.au3 with added jumpstuff:
Code:
$path = "elementclient.exe"
$file = FileOpen($path, 16)
$data = FileRead($file, FileGetSize($path))
FileClose($file)
$select = StringRegExp($data, '(A1(.{8})578B482081C1EC000000E8(.{8}))', 1)
$call_pos = StringInStr($data, $select[0])/2 + 0x40000E
ConsoleWrite('$base = '&rev($select[1])&@CRLF)
ConsoleWrite('$select_call = 0x'&Hex(rev($select[2]) + $call_pos + 5)&@CRLF)
$pick = StringRegExp($data, '(8B15(.{8})50518B4A2081C1EC000000E8(.{8}))', 1)
$call_pos = StringInStr($data, $pick[0])/2 + 0x400010
ConsoleWrite('$pick_call = 0x'&Hex(rev($pick[2]) + $call_pos + 5)&@CRLF)
$jump = StringRegExp($data, '(75.{2}6A0068C80000006A00680000803F6A058BCEE8(.{8})5F5E5D5B83C418C20400)', 1)
$call_pos = StringInStr($data, $jump[0])/2 + 0x400013
ConsoleWrite('$jump_call = 0x'&Hex(rev($jump[1]) + $call_pos + 5)&@CRLF)
$jump_offsets = StringRegExp($data, '0F85.{8}8B8E.{8}8B442408418986(.{8})898E(.{8})8BC8898E(.{8})89BE(.{8})89BE(.{8})89BE(.{8})89BE(.{8})8B86.{8}83F8010F85.{8}', 1)
For $i=0 To 6
ConsoleWrite('$jump_offset'&$i+1&' = '&rev($jump_offsets[$i])&@CRLF)
Next
Func rev($string)
Local $all
For $i = StringLen($string) + 1 To 1 Step -2
$all = $all & StringMid($string, $i, 2)
Next
While StringLeft($all, 1) = '0'
$all = StringTrimLeft($all, 1)
WEnd
Return '0x'&$all
EndFunc
now all of these functuions:
[Only registered and activated users can see links. Click Here To Register...]
can be converted easily to work with all other clients =)
09/11/2010 15:13
Volldagora#18
Quote:
well since there have been many questsions about this before, i'll give some example codes, of how to list mobs and select them, and how to list items and pick them up.
these functions are a great start for a bot =)
we'll start with the listing functions:
both functions will return arrays with informations about the listed stuff. these informations should be enough to build up a good item/mob filter.Code:Func GetNpcList() Local $array[1][8], $pointer, $npc_base, $counter $pointer = memread(memread(memread(memread(memread($base) + 0x1C) + 0x8) + 0x24) + 0x18) For $x=0 To 768 $npc_base = memread(memread($pointer + $x*0x4) + 0x4) If $npc_base<>0 Then ReDim $array[$counter+1][8] $array[$counter][0] = memread($npc_base, 'byte') ;NPC Type (NPC/MOB/PET) $array[$counter][1] = memread($npc_base + 0x11C) ;NPC ID $array[$counter][2] = memread(memread($npc_base + 0x254), 'wchar[30]') ;NPC Name $array[$counter][3] = memread($npc_base + 0x124) ;NPC Level $array[$counter][4] = memread($npc_base + 0x248) ;Special Info $array[$counter][5] = (memread($npc_base + 0x3C, 'float')+4000)/10 ;NPC x-position $array[$counter][6] = (memread($npc_base + 0x44, 'float')+5500)/10 ;NPC y-position $array[$counter][7] = memread($npc_base + 0x40, 'float')/10 ;NPC z-position $counter += 1 EndIf Next Return $array EndFunc Func GetItemList() Local $array[1][6], $pointer, $item_base, $counter $pointer = memread(memread(memread(memread(memread($base) + 0x1C) + 0x8) + 0x28) + 0x18) For $i=0 To 768 $item_base = memread(memread($pointer + $i*4) + 0x4) If $item_base<>0 Then ReDim $array[$counter+1][6] $array[$counter][0] = memread($item_base + 0x110) ;Item-SN $array[$counter][1] = memread($item_base + 0x10C) ;Item-ID $array[$counter][2] = memread(memread($item_base + 0x164), 'wchar[30]') ;Item-Name $array[$counter][3] = (memread($item_base + 0x3C, 'float')+4000)/10 ;Item x-position $array[$counter][4] = (memread($item_base + 0x44, 'float')+5500)/10 ;Item y-position $array[$counter][5] = memread($item_base + 0x40, 'float')/10 ;Item z-position $counter += 1 EndIf Next Return $array EndFunc Func GetPlayerList() Local $array[1][5], $pointer, $player_base, $counter $pointer = memread(memread(memread(memread(memread($base) + 0x1C) + 0x8) + 0x20) + 0x18) For $x=0 To 768 $player_base = memread(memread($pointer + $x*0x4) + 0x4) If $player_base<>0 Then ReDim $array[$counter+1][5] $array[$counter][0] = memread(memread($player_base + 0x610), 'wchar[30]') ;Name $array[$counter][1] = $class_info[memread($player_base + 0x618)] ;class $array[$counter][2] = (memread($player_base + 0x3C, 'float')+4000)/10 ;x $array[$counter][3] = (memread($player_base + 0x44, 'float')+5500)/10 ;y $array[$counter][4] = memread($player_base + 0x40, 'float')/10 ;z $counter += 1 EndIf Next Return $array EndFunc
now we have to use the select and pick function from the client, to select/pick the specified ids.
well i've written my own memory functions, and a function to turn integers into reversed hexstrings, usable for the cpu (needed in asm functions)Code:Func SelectMob($id) Local $pRemoteThread, $vBuffer, $loop, $result, $OPcode ; --- save the position of the allocated memory --- $pRemoteMem = DllCall($kernel32, 'int', 'VirtualAllocEx', 'int', $mid, 'ptr', 0, 'int', 0x46, 'int', 0x1000, 'int', 0x40) ; --- build up the asm code --- ; 0046061D A1 6C3E9F00 MOV EAX,DWORD PTR DS:[9F3E6C] ; 00460622 57 PUSH EDI <---- EDI Contains Mob-ID ; 00460623 8B48 20 MOV ECX,DWORD PTR DS:[EAX+20] ; 00460626 81C1 EC000000 ADD ECX,0EC ; 0046062C E8 8F961800 CALL elementc.005E9CC0 $OPcode &= '60' ; pushad $OPcode &= 'A1'&_hex($base) ; mov eax, [base] $OPcode &= '68'&_hex($id) ; push mob-id $OPcode &= '8B4820' ; mov ecx, [eax+0x20] $OPcode &= '81C1'&_hex(0xEC) ; add ecx, 0xEC $OPcode &= 'E8'&_hex($select_call-$pRemoteMem[0]-5-StringLen($OPcode)/2) ; call select_call $OPcode &= '61' ; popad $OPcode &= 'C3' ; retn ; --- enter the asm code to to a dllstruct, which can be used with WriteProcessMemory --- $vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']') For $loop = 1 To DllStructGetSize($vBuffer) DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop) Next ; --- now letz write the code from our dllstruct --- DllCall($kernel32, 'int', 'WriteProcessMemory', 'int', $mid, 'int', $pRemoteMem[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0) ; --- now we run the asm code we've just written --- $hRemoteThread = DllCall($kernel32, 'int', 'CreateRemoteThread', 'int', $mid, 'int', 0, 'int', 0, 'int', $pRemoteMem[0], 'ptr', 0, 'int', 0, 'int', 0) ; --- wait till the thread did his job --- Do $result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50) Until $result[0] <> 258 ; --- close everything we've opened --- DllCall($kernel32, 'int', 'CloseHandle', 'int', $hRemoteThread[0]) DllCall($kernel32, 'ptr', 'VirtualFreeEx', 'hwnd', $mid, 'int', $pRemoteMem[0], 'int', 0, 'int', 0x8000) Return True EndFunc Func PickItem($sn, $id) Local $pRemoteThread, $vBuffer, $loop, $result, $OPcode ; --- save the position of the allocated memory --- $pRemoteMem = DllCall($kernel32, 'int', 'VirtualAllocEx', 'int', $mid, 'ptr', 0, 'int', 0x46, 'int', 0x1000, 'int', 0x40) ; --- build up the asm code --- ;~ 004707F8 |. 8B15 6C3E9F00 MOV EDX,DWORD PTR DS:[9F3E6C] ; edx <- [base] ;~ 004707FE |. 50 PUSH EAX ; /Item-SN ;~ 004707FF |. 51 PUSH ECX ; |Item- ID ;~ 00470800 |. 8B4A 20 MOV ECX,DWORD PTR DS:[EDX+20] ; | ;~ 00470803 |. 81C1 EC000000 ADD ECX,0EC ; | ;~ 00470809 |. E8 42941700 CALL elementc.005E9C50 ; \elementc.005E9C50 $OPcode &= '60' ; pushad $OPcode &= '8B15'&_hex($base) ; mov edx, [base] $OPcode &= '68'&_hex($sn) ; push item-sn $OPcode &= '68'&_hex($id) ; push item-id $OPcode &= '8B4A20' ; mov ecx, [edx+0x20] $OPcode &= '81C1'&_hex(0xEC) ; add ecx, 0xEC $OPcode &= 'E8'&_hex($pick_call-$pRemoteMem[0]-5-StringLen($OPcode)/2) ; call pick_call $OPcode &= '61' ; popad $OPcode &= 'C3' ; retn ; --- enter the asm code to to a dllstruct, which can be used with WriteProcessMemory --- $vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']') For $loop = 1 To DllStructGetSize($vBuffer) DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop) Next ; --- now letz write the code from our dllstruct --- DllCall($kernel32, 'int', 'WriteProcessMemory', 'int', $mid, 'int', $pRemoteMem[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0) ; --- now we run the asm code we've just written --- $hRemoteThread = DllCall($kernel32, 'int', 'CreateRemoteThread', 'int', $mid, 'int', 0, 'int', 0, 'int', $pRemoteMem[0], 'ptr', 0, 'int', 0, 'int', 0) ; --- wait till the thread did his job --- Do $result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50) Until $result[0] <> 258 ; --- close everything we've opened --- DllCall($kernel32, 'int', 'CloseHandle', 'int', $hRemoteThread[0]) DllCall($kernel32, 'ptr', 'VirtualFreeEx', 'hwnd', $mid, 'int', $pRemoteMem[0], 'int', 0, 'int', 0x8000) Return True EndFunc
there's just one more thing to say. the item listing lists all normal items, plus the harvest stuff. the pickup function is only made to pickup normal items. there's another function in the client for harvest stuff, but i'm not realy able to use it yet :sCode:Func memopen($pid) Local $mid = DllCall($kernel32, 'int', 'OpenProcess', 'int', 0x1F0FFF, 'int', 1, 'int', $pid) Return $mid[0] EndFunc Func memread($adress, $type = 'dword') Local $struct = DllStructCreate($type) DllCall($kernel32, 'int', 'ReadProcessMemory', 'int', $mid, 'int', $adress, 'ptr', DllStructGetPtr($struct), 'int', DllStructGetSize($struct), 'int', '') Return DllStructGetData($struct, 1) EndFunc Func memclose($mid) DllCall($kernel32, 'int', 'CloseHandle', 'int', $mid) EndFunc Func _hex($Value) Local $tmp1, $tmp2, $i $tmp1 = StringRight("0000000" & Hex($Value), 8) For $i = 0 To StringLen($tmp1) / 2 - 1 $tmp2 = $tmp2 & StringMid($tmp1, StringLen($tmp1) - 1 - 2 * $i, 2) Next Return $tmp2 EndFunc
as soon as i'm able to use it, i'll post it here.
well for those of you who need an example of usage for my functions:
as you can see $kernel32, $pid, $mid, $base, $select_call and $pick_call ain't defined in my functions, so you have to do that or pre-define them as global constants, which is more efficient :PCode:#include <array.au3> Global $kernel32 = DllOpen('kernel32.dll') Global Const $base = 0x9F3E6C, $select_call = 0x5E9CC0, $pick_call = 0x5E9C50 Global $class_info[8] = ['Blademaster', 'Wizzard', 'Psychic', 'Venomancer', 'Barbarian', 'Assassin', 'Archer', 'Cleric'] Global $special_info[10] = ['None', 'Increased Movement', 'Unknown Special', 'Increased Defence', 'Increased Mag Resistance', 'Increased Attack', 'Increased Magical Attack', 'Sacrificial Assault', 'Increased Life', 'Weak'] Global $pid = ProcessExists('elementclient.exe') Global $mid = memopen($pid) $npcs = GetNpcList() _ArrayDisplay($npcs) $items = GetItemList() _ArrayDisplay($items) $players = GetPlayerList() _ArrayDisplay($players) memclose($mid) DllClose($kernel32)
I don't understand what u wrote about finding ID's......
12/17/2010 19:02
cort-exx#19
I tested the script, there is a problem in the list of players: the name and the class does not appear ...... you know why?