Pointer collection

04/19/2009 08:30 Shareen#286
Quote:
Originally Posted by 0o0
why is the Target HP not there? Any way to fix? Need to get that normal attack first.
When list of players and NPCs around you is created/modified, some values (ie. coordinates) get real values, while others (ie. hp, mp) are set to default value (in case of hp that default is 0). To put it simply, only data your client needs to properly display those entities is provided, rest of fields in struct contain default values.
This is most likely done for optimization purposes, for you hardly need all information on all entities at any given time.

Lots of people writing bots have bypassed this by setting TargetID field to that of monster they wish to attack. But all that does it seems, is activate client UI to display target vitals, it does NOT however request additional info from server for that particular target.
Reason this works for them while using skills as first attack is in my opinion a bug. Since target UI is active client believes it has target lock and sends a command to server to attack that target. Here is the bug: server does not check if client sent lock target command (like it checks for normal attacks) and thus damage is done to target. Since target was hit, server now sends command to client that target has agroed you and as a result your client displays proper target lock.
In a way, those bots don't really lock target, but rather force server to lock it for them.

At least that's how I figured it out :)

Now to your question on how to solve it.
Option 1:
Use screen coordinates of target to click on target like human would.

Option 2:
vuduy was talking about triggers for different actions. If he still has them and is willing to share, that might work as well. I however have no offsets for these triggers and parameters you need to set before triggering them, since my interests do not lie in bot making and thus I have no need for them.

Option 3 (theoretical):
This one is based on theory that it's not server that prevents you from attacking a target with 0 hp, but rather your client because it thinks target you wish to attack is already dead.
To test this theory, set hp and max hp of target to some value other than 0, say 500. Then set that same target id to target offset (like most bots do). Client target UI that activates should show full hp of that target. Now attempt a normal attack.
It will either work or ... tough luck, it's server that is checking.
Considering message delay (as well as stuff mentioned above), I think it's server that does the checking but I guess it won't hurt you to try and be sure.


Quote:
Originally Posted by vuduy
I haven't played PW for almost 2 years so I don't have the learned skills offset to share. However, I do have one for Zhu Xian if you are interested. The avatar's structure is different in ZX than PW; so this offset is guaranteed not to be the same as PW.

ZX learned-skill-list offset: base, avatar offset (in this case it's 0x28), 0x1064
Count is +4 from the list as usual.
This list contains some struct or just ID's one after another?

BTW, if you aren't playing PW anymore, why the interest in skills list? Or any other list for that matter?
04/19/2009 17:06 0o0#287
That's what i was thinking that if i can get MAX HP of any monster of the same type then i can just input that as the MAXHP value and maybe that way, when the monster is attacked, the HP will get new value from server.

Thanks Shareen i'm going to try it.
04/19/2009 17:24 Smurfin#288
please share if anyone managed to find a way for proper mob targeting so we can use normal attack, my bs and archer got stuck with some skills not leveled up to conserve mp. Maybe then zevorc can implement it to his zpw bot
04/19/2009 18:04 0o0#289
Nope, no luck...
I just tried setting the monster HP to some X value and even its exact value and also for MAX HP, the bot still doesn't attack with normal. :( any other options?

edit : when i gave fake hp value it did show as "red bar" also so i'm guessing there is something more.. to this.

edit : using the X, Y coords, it still sucks if the monster isn't in the screen but behind you and in close proximity to be a target.. :/
and the X Y offset for PW INT X = 2DC , Y = 2E0, i believe they are 4 byte ints. :D

edit: I guess botting has to be done with BIGGG ZOOM OUT, but no good.. if there is air monster in the middle.
btw vuduy you ever figured out way to send WSAD keys to game? through memory?
04/19/2009 23:02 Megamorph#290
hey,

i also figured out some stuff, which is maybe useful:

1) walk to a mop/attack the mop:
[[Base Adress]+0x20]+0xA54
- insert mop-id here and do normal attack
- calculate the distance with help of the 3D vectors of char and mop to trigger spells and melee attacks in the right distance

2) walk to and forage mines/resources/herbs:
[[[[[[Base Adress]+0x20]+0xBFC]0x30]+0x8]+0x20] (kind of "move to" id offset)
- freeze that to ur ressource ID (can be found here: [[[[[[[Base Adress]+0x8]+0x28]0x18]+i*0x4]0x4]0x10C])
- insert random (but valid) mop-id here [[Base Adress]+0x20]+0xA54
- do normal attack
--> char will go to mine/herb and forage it automatically

3) walk to item and pickup:
[[[[[[Base Adress]+0x20]+0xBFC]0x30]+0x8]+0x20] (kind of "move to" id offset)
- freeze that to ur item ID (can be found here: [[[[[[Base Adress]+0x8]+0x24]0x50]+i*0x4]+0x11C])
- insert random (but valid) mop-id here [[Base Adress]+0x20]+0xA54
- do normal attack
--> char will go to item (keep checking distance)
- do pick up
--> char will pick up the item

4) how to do "do normal attack" and "do pick up":
- put the actions to the skill bars (1-6,F1-F8)
- use PostMessage/SendMessage to activate it
example:
PostMessage(hWindow, WM_KEYDOWN, VK_F5, 1);
PostMessage(hWindow, WM_KEYDOWN, Ord('5'), 1);
notice:
don't use other functions unless u want to lose the possibility to minimize the game

5) set 0x0 to the so called "move to" id offset to let the char stop

6) with the same method u can walk to every object (NPC,Player,Resource,Item,Mop)
just check the distance and stop early enough (to not attack a player for example)
maybe "do default attack" also works for start talking with npc's, but haven't tested that until now

For me it would be very interesting to know how u can insert such an "unfreeze" feature like the Revo Bot coder did. I researched on it but found no suitable way. A possibility would be to inject a dll into the game, hook the WinAPI call which gives pw the information (not) being in focus and return wrong values (always in focus). But i don't want to use that method, cuz i want to stay fully extern. Revo Bot just uses DLL injection to get the D3D shit work (especially the menu).

thx in advance
Megamorph
04/20/2009 06:31 vuduy#291
Quote:
Originally Posted by Shareen
Reason this works for them while using skills as first attack is in my opinion a bug. Since target UI is active client believes it has target lock and sends a command to server to attack that target. Here is the bug: server does not check if client sent lock target command (like it checks for normal attacks) and thus damage is done to target. Since target was hit, server now sends command to client that target has agroed you and as a result your client displays proper target lock.
In a way, those bots don't really lock target, but rather force server to lock it for them.
Actually, it is not a bug; the game allows using skills on specific target id without locking onto target first (eg. healing skills); so it's just a bonus that you can execute attack skills on a target id without lock.

Quote:
vuduy was talking about triggers for different actions. If he still has them and is willing to share, that might work as well. I however have no offsets for these triggers and parameters you need to set before triggering them, since my interests do not lie in bot making and thus I have no need for them.
Some of them were posted by Megamorph; there are at least 4 actions offsets that you can manipulate; using skills, moving, following, looting. If you play with these, you no longer have to send keypresses/mouse clicks to the game.

Quote:
Option 3 (theoretical):
This one is based on theory that it's not server that prevents you from attacking a target with 0 hp, but rather your client because it thinks target you wish to attack is already dead.
To test this theory, set hp and max hp of target to some value other than 0, say 500. Then set that same target id to target offset (like most bots do). Client target UI that activates should show full hp of that target. Now attempt a normal attack.
It will either work or ... tough luck, it's server that is checking.
Considering message delay (as well as stuff mentioned above), I think it's server that does the checking but I guess it won't hurt you to try and be sure.
This won't work; to do normal attack, the target must be locked first. One way is to send an attack skill to the target id; the other is to send a "lock target" command to the server.

Quote:
This list contains some struct or just ID's one after another?

BTW, if you aren't playing PW anymore, why the interest in skills list? Or any other list for that matter?
It contains a sequential list of skills that are learned.
I am not playing PW anymore but I'm actively playing Zhu Xian; the same game engine with same offset structures. I was able to transform my PW bot to ZX bot with minimal work.

You can check out my SIN Bot for Zhu Xian at [Only registered and activated users can see links. Click Here To Register...]

Features:
=======
- multi clients (as many clients as your system can run)
- any resolution windowed or fullscreen
- minimize game to tray (ie: hide the game window)
- loot filter both by item id and/or partial name
- mob filter
- full HP target mode
- smart auto pot (trigger at certain % for each type of pot)
- AI skill (skills executed by artificial intelligence triggers)
- no keys or mouse buttons sent... able to chat normally
- auto respawn
- zoom slider/unlimited zoom using mouse wheels
- lag meter
- chat monitor
- text to speech for all kind of chats
- auto quest (keepsake)
- auto vendor (buy/sell)
- auto follow
- reduce game's memory usage
- uses about 2-5% CPU per game client
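The server-side behaviour discussed in the posts above (a normal attack needs a lock the server has recorded, while skills are accepted on a bare target id), as an added example that is not part of any post and is not the game's code. Class names, messages and damage values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Mob:
    mob_id: int
    hp: int       # authoritative HP lives on the server only
    max_hp: int

@dataclass
class Session:
    locked_target: Optional[int] = None  # set only by server-side handlers

class World:
    def __init__(self, mobs):
        self.mobs = {m.mob_id: m for m in mobs}

    def _live_mob(self, mob_id):
        mob = self.mobs.get(mob_id)
        return mob if mob is not None and mob.hp > 0 else None

    def lock_target(self, s, mob_id):
        if self._live_mob(mob_id) is None:
            return "reject: no such live target"
        s.locked_target = mob_id
        return "ok: locked"

    def normal_attack(self, s, mob_id):
        # Needs a lock recorded by the server; a target id or HP value
        # written into client memory never changes s.locked_target.
        if s.locked_target != mob_id:
            return "reject: target not locked"
        return self._hit(s, mob_id, 10)   # damage values are constructed

    def use_skill(self, s, mob_id):
        # Skills are accepted on a bare target id (as with healing skills).
        return self._hit(s, mob_id, 25)

    def _hit(self, s, mob_id, dmg):
        mob = self._live_mob(mob_id)
        if mob is None:
            return "reject: no such live target"
        mob.hp = max(0, mob.hp - dmg)
        # After a hit the server holds the lock and reports real vitals.
        s.locked_target = mob_id if mob.hp > 0 else None
        return f"ok: hp {mob.hp}/{mob.max_hp}"
```

Because every decision reads server-held state, values edited on the client affect only what that client draws.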
04/20/2009 18:55 xindobnix#292
:handsdown: :handsdown: :handsdown:
04/20/2009 20:40 0o0#293
so vuduy i'm guessing there is no other way to get target lock?
04/21/2009 03:24 vuduy#294
Maybe there is who knows... for my ZX bot, I'm using code injection to send "lock target" command to the server. If you are good with debugger and asm, you can easily find point of entry and the calling stubs for the function in PW as well.
04/21/2009 07:00 Megamorph#295
Sry that im asking again: How to do such an unfreeze feature?
04/21/2009 07:42 vuduy#296
What is unfreeze feature?
04/21/2009 14:32 Megamorph#297
PW stops rendering when it's not in focus (top window).
I want to avoid that for testing purpose.
04/21/2009 17:26 BuBucekTop#298
Megamorph, as mentioned in neighbour thread ([Only registered and activated users can see links. Click Here To Register...]) :

Video Hack:

--------------*
Open OllyDBG
--------------*
File -> Open -> Choose your elementclient.exe
Right click -> Search for -> All referenced text strings(#pic1)

In the Text strings window
*Scroll to top & left click any line(#pic2)
Right click -> Search for Text
key in "CECGame::Run(), break because CECGameRun::Tick return false " -> OK
Double click the line


In the CPU window :
jmp 0042bfac
cmp [esi+00000418],bl
je XXXXXXXX <---- Nop BELOW cmp(fill with nops)
04/21/2009 17:29 BuBucekTop#299
Quote:
Originally Posted by vuduy
...for my ZX bot, I'm using code injection to send "lock target" command to the server....
I'm familiar with dll injection and already made some attempts, but...
Please can you explain some things or give hints how to :
1. find point of entry and the calling stubs for the function in PW
2. remote call these funcs from injected dll

PM is also welcome.
04/21/2009 18:31 asgborges#300
Quote:
Originally Posted by vuduy
Maybe there is who knows... for my ZX bot, I'm using code injection to send "lock target" command to the server. If you are good with debugger and asm, you can easily find point of entry and the calling stubs for the function in PW as well.
yah.. i know.. this is the only way to get the correct HP bar (in my opinion)...
and some ppl like me tried this already...

but in my case i always get stuck in debugging..
i'm almost close to getting the right pointers but i'm stuck in some offsets that show like 4000+ results (that sucks to check :mad:)...

fill the correct registers (eax,esi...) with correct address (0x??????) and JMP or CALL to a specific address (simulation mouse-over/point/click).. it will work well... but i'm thinking now -> i'm not good enough with debugging...

so.. i'm asking you now...
can you help us to answer the "epic" question in this forum: HOW THE FUCK CAN I GET THE CORRECT HP BAR??? :p

(dont need do all job, just give us a little example, not from the dll, but stubs/stacks/address/triggers or whatever)
:)