Sending Packets

04/27/2012 17:48 ntldr32#316
Code:
Func cek_rep($PROCESS_ID)
    ;Declare local variables
    Local $hRemoteThread, $vBuffer, $loop, $result, $OPcode, $processHandle, $packetAddress, $functionAddress
    Local $functionSize, $QuestFunctionAddress, $PlayerOffSet, $QuestFunctionOffset, $QuestId, $returnValue
    $functionSize = '100'
    $QuestFunctionAddress = '0x0073D780'
    $QuestFunctionOffset = '0x1058'
    $PlayerOffSet = '0x34'
    $QuestId = '53762'
    ;Open process for given processId
    $processHandle = $PROCESS_INFORMATION[1]
    ;Allocate memory for the OpCode and retrieve address for this (DllCall returns an array, [0] is the return value)
    $functionAddress = DllCall($KERNEL32, 'int', 'VirtualAllocEx', 'int', $processHandle, 'int', 0, 'int', 0x4, 'int', 0x1000, 'int', 0x40)
    ;Allocate memory for the packet to be sent and retrieve the address for this (not used further in this function)
    $packetAddress = DllCall($KERNEL32, 'int', 'VirtualAllocEx', 'int', $processHandle, 'int', 0, 'int', $functionSize, 'int', 0x1000, 'int', 0x40)
    $OPcode &= '60'                                  ;PUSHAD
    $OPcode &= 'B8' & _hex($QuestFunctionAddress)    ;MOV     EAX, questFunction
    $OPcode &= '8B0D' & _hex($APP_BASE_ADDRESS)      ;MOV     ECX, DWORD PTR [baseAddress]
    $OPcode &= '8B491C'                              ;MOV     ECX, DWORD PTR [ECX+1C]
    $OPcode &= '8B49' & _hex($PlayerOffSet)          ;MOV     ECX, DWORD PTR [ECX+playerOffSet]
    $OPcode &= '8B89' & _hex($QuestFunctionOffset)   ;MOV     ECX, DWORD PTR [ECX+questFuncOffset]
    $OPcode &= '68' & _hex($QuestId)                 ;PUSH    questId
    $OPcode &= 'FFD0'                                ;CALL    NEAR EAX
    $OPcode &= 'A3' & _hex($functionAddress[0])      ;MOV     DWORD PTR [returnAddress], EAX
    $OPcode &= '61'                                  ;POPAD
    $OPcode &= 'C3'                                  ;RET
    ;Put the OpCode into a struct for later memory writing (two hex characters per byte)
    $vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
    For $loop = 1 To DllStructGetSize($vBuffer)
        DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
    Next
    ;Write the OpCode to previously allocated memory (only as many bytes as the struct holds)
    DllCall($KERNEL32, 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int *', 0)
    ;Create a remote thread in order to run the OpCode
    $hRemoteThread = DllCall($KERNEL32, 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress[0], 'int', 0, 'int', 0, 'int', 0)
    ;Wait for the remote thread to finish (258 = WAIT_TIMEOUT, poll every 50 ms)
    Do
        $result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
    Until $result[0] <> 258
    ;Close the handle to the previously created remote thread
    DllCall($KERNEL32, 'int', 'CloseHandle', 'int', $hRemoteThread[0])
    ;Read the stored EAX value back before the buffer is released
    $returnValue = _MemoryRead($functionAddress[0], $PROCESS_ID)
    ;Free the previously allocated memory (0x8000 = MEM_RELEASE)
    DllCall($KERNEL32, 'ptr', 'VirtualFreeEx', 'int', $processHandle, 'int', $functionAddress[0], 'int', 0, 'int', 0x8000)
    Return $returnValue
EndFunc
_________
These functions use procedures adopted from the checkQuestPresent function of WQBOT. I tried to check whether the quest with id 53762 is active or not. But when I try to run the function, what happens is that elementclient crashes.
Did I forget something?
Btw, that quest id only exists on private servers (ko2w-Ultimate and h2w-Revo) :rolleyes:.
04/27/2012 19:06 Interest07#317
Quote:
Originally Posted by ntldr32
You appear to be passing strings instead of numbers here:
Code:
	$functionSize = '100'
	$QuestFunctionAddress = '0x0073D780'
	$QuestFunctionOffset = '0x1058'
	$PlayerOffSet = '0x34'
	$QuestId = '53762'
Not sure if those are the correct values either.
04/27/2012 23:36 ntldr32#318
Quote:
Originally Posted by Interest07
Its value is correct; the function to handle the NPC and take the quest works well. I took it directly from the offsets of wqbot "FlyWQ 2.7", which works well on the private servers ("ko2w-Ultimate" and "h2w-Revo"). The bottom line is that I want to take a few functions to create a bot that takes a quest that has a certain time limit; while waiting for the timeout, the bot will do the hunting. Initially I used a timer, but it became a problem because I often start the bot while the deadline is already running. That is why I am trying to use functionality so that the bot will only take a new quest if the quest has run the full length of its deadline. :confused::confused:
05/28/2012 09:49 jollyjoker0305#319
Hi Interest07,
I need your help.
I have a problem with the buyitem function. It can't buy anything from the NPC.
I read on page 7 that the buyitem function has something wrong? Can you check this func again?
This is the function, copied from your #1 post
If it still works for you, then maybe my PW version is different from yours -> our packets are different?

I tried to find the packet before encryption like you said there.
This is the result for buying a sword with $itemTypeId=41, $shopIndex = 0, $amount=1
I'm not familiar with MHS, I can't see what the packet looks like in this stack :(
Please help me, thank you!

Sorry for my poor English :(
05/28/2012 14:26 Sᴡoosh#320
Would help knowing "your" version...

The PWI version is 12 bytes longer than the older 1.4.4 ones.

I posted the buy packet before, so if you search, you will find it; it was even posted in the Treasure map post...

Seriously.
05/28/2012 15:01 jollyjoker0305#321
Thanks for your reply,

I'm from PW Vietnam and I think we use a different version number; my version is 191.
That doesn't mean much, so I think this will help us:
Quote:
global $realBaseAddress = 0xB28AC4
global $sendPacketFunction = 0x6734C0

I searched for the buy packet, but the 2 methods I use, Google and Ctrl + F in a lot of pages, don't seem to be working. Will try again with your name, Sᴡoosh.

Thanks again!
05/28/2012 15:10 Sᴡoosh#322
That's your game-specific version number. I am talking about the Client/Server version, which is constant across all servers/franchises.

PWI runs 1.4.6 (or 1.4.5 still? did they change version with the latest expansion?), Indo/Malaysia 1.4.4, Brazil 1.4.5, and most private servers are now 1.4.4, with the exception of the rich ones which can afford 1.4.5.

The 1.4.5 server version's buy packet is 12 bytes longer than the older ones. I hate this packet; it seems they change it for fun with every new version. The 12 new bytes are 00 .... so I think the Chinese are laughing at bot creators.
05/28/2012 15:25 jollyjoker0305#323
My client is 1.4.4.
I use your buy packet (with packet size = 50) and it's still not working.

Edit: I found it. Interest07's buy packet is 30 bytes, Sᴡoosh's is 50 bytes, and according to your words: "12 bytes longer". I guessed that there is a packet with 38 bytes. And yes, it's working :D

Thanks a lot with your help!!!
05/28/2012 15:42 Sᴡoosh#324
Yeah, that was what I was talking about - 12 bytes difference. This was the difference 1.4.4 -> 1.4.5.

Cool that you got it working.

Cheers
05/28/2012 15:47 jollyjoker0305#325
Quote:
The 1.4.5 server version's buy packet is 12 bytes longer than the older ones. I hate this packet; it seems they change it for fun with every new version. The 12 new bytes are 00 .... so I think the Chinese are laughing at bot creators.
I just found out what those extra bytes mean.
They are used to store Merit points for the Guild (bytes 30-38), and the 3 merit point values of the 3 Orders (bytes 38-50) when you buy an item that needs merit points.

I hope this helps the buy packet get away from your "hate", Swoosh!

Again, thanks you a lot for your help :)
05/28/2012 18:16 Sᴡoosh#326
Ahh, thanks for that info. It's nothing I use though, so I guess I'll leave it at 0 :)

I dislike the Buy packet only because it changes often, and I need to maintain stuff across several versions.
05/29/2012 10:33 Interest07#327
It kind of worries me that they require the client to send how much merit you're spending... Perhaps you can leave it at 0 even then swoosh ;)
05/29/2012 11:25 Sᴡoosh#328
Hmm, none of PWI users had problems with buying, so I think that it doesn't really matter if I send them with 0 :D
08/01/2012 23:30 dumbfck#329
Hi all,
I'm not back, just popping in briefly :P
Anyone know if they've fixed the charm-dropping glitch? Just updated my dropper tool and now it comes up with "unable to discard item". It would make sense that they have, but just wondering lol.
Cheers.

Edit: Nevermind, just found it in the cabbage patch notes lol.
"Fixed an exploit to drop bound-equipment/items"
08/02/2012 00:13 Sᴡoosh#330
Yes. Fixed :(