Current Base Address Discovery Methods

03/09/2014 06:55 goder2910#31
Quote:
Originally Posted by R3D23R0
That's pretty much what the auto cultivation bot does, and it's already all there to use, except for the auto pot. You can use a simple script that reads the char hp from the client, the offsets are posted around here somewhere, but if you know how to program in C you probably already know how to find offsets with CE. Otherwise there's the auto recovery stone in the boutique that does that for you, you can make up the cost of it within a fraction of the amount of time it lasts for you.
Thanks for your answer, the auto cultivation bot is interesting.

But I really want to make a bot myself.

After researching for a few hours, I found some ways to make a simple auto bot. But I got stuck finding the base address and offset.

I read PWReclass from msxgames; there are a lot of offsets that relate to the character's stats => this is amazing.

I read your tutorial, too, but I got stuck finding the char's hp offset.

I really want to know how to find these offsets. Can you make a simple tutorial (with pictures) that shows me the way to get the Target ID's HP? (mob's hp)

Thanks in advance :)
03/09/2014 07:17 martmor#32
Quote:
Originally Posted by goder2910
I really want to know how to find these offsets. Can you make a simple tutorial (with pictures) that shows me the way to get the Target ID's HP? (mob's hp)

Thanks in advance :)
I have not tried it until now, but I would say that you select a mob, search in Cheat Engine for the target's HP; if you find more results, select another mob with different hp and search for the new HP in CE. You do this till you have just one result.
03/09/2014 08:59 goder2910#33
Quote:
Originally Posted by martmor
I have not tried it until now, but I would say that you select a mob, search in Cheat Engine for the target's HP; if you find more results, select another mob with different hp and search for the new HP in CE. You do this till you have just one result.
Thanks for your answer.

I followed your tut.

Below are my steps:

- Do a new scan with value 226
- Fight mob to decrease its HP to 151
- Do a next scan with value 151
- After getting only one record -> add to list -> choose "Find out what accesses this address"
=> I got these:

Instruction box - Record 1
Code:
006017E3 - 8B 8D 30010000  - mov ecx,[ebp+00000130]
Code:
006017DA - FF 50 38  - call dword ptr [eax+38]
006017DD - 8B 85 7C010000  - mov eax,[ebp+0000017C]
006017E3 - 8B 8D 30010000  - mov ecx,[ebp+00000130] <<
006017E9 - 83 F8 01 - cmp eax,01
006017EC - 89 4C 24 24  - mov [esp+24],ecx

EAX=000000E2
EBX=2164AD70
ECX=000000A3
EDX=1036F028
ESI=02E75040
EDI=02E74E18
ESP=21F8FB7C
EBP=0FF4D770
EIP=006017E9
Instruction box - Record 2
Code:
006FA42D - 89 90 30010000  - mov [eax+00000130],edx
Code:
006FA428 - 74 12 - je elementclient.exe+2FA43C
006FA42A - 8B 56 04  - mov edx,[esi+04]
006FA42D - 89 90 30010000  - mov [eax+00000130],edx <<
006FA433 - 8B 4E 08  - mov ecx,[esi+08]
006FA436 - 89 88 7C010000  - mov [eax+0000017C],ecx

EAX=0FF4D770
EBX=030E9BA8
ECX=26D1A3A0
EDX=000000A4
ESI=010E243A
EDI=21F8FE80
ESP=21F8FE10
EBP=00000000
EIP=006FA433
I think the target's cur HP is 130 or 17C. I am not sure.

I use the code below in AutoIt, but the result is wrong.

Code:
$BaseAdress = 0xC7662C
$BaseOffset = 0x1C
$PlayerStruct_Offset = 0x2C

$Name_Offset = 0x6B0
$LVL_Offset = 0x4A0
$HP_OffSet = 0x4A8
$MaxHP_OffSet = 0x4F4
$MP_OffSet = 0x4AC
$MaxMP_OffSet = 0x4F8
$MinEnemyHP_Offset = 0x17C

$PW_Client = _MemoryOpen(ProcessExists("elementclient.exe"))

$PlayerBase = _MemoryRead(_MemoryRead($BaseAdress, $PW_Client, "dword") + $BaseOffset, $PW_Client, "dword") + $PlayerStruct_Offset

$String7 = _MemoryRead(_MemoryRead($PlayerBase, $PW_Client, "dword") + $MinEnemyHP_Offset, $PW_Client, "dword")
The problem is that 17C or 130 is not a sub-offset of the Player Structure. So how can I find the base address of the target's cur HP?
03/09/2014 10:10 Interest07#34
I'm pretty sure the way it works is that you have the targetId in your player struct, but in order to get more info about your target you need to get it from the NPClist using the uniqueId (the targetId). It's been a while since I wrote any bots, but I doubt you'll be finding an offset for mob HP in your player struct... :)
03/09/2014 11:03 denzjh#35
Quote:
Originally Posted by goder2910
I think the target's cur HP is 130 or 17C. I am not sure.

I use the code below in AutoIt, but the result is wrong.

Code:
$BaseAdress = 0xC7662C
$BaseOffset = 0x1C
$PlayerStruct_Offset = 0x2C

$Name_Offset = 0x6B0
$LVL_Offset = 0x4A0
$HP_OffSet = 0x4A8
$MaxHP_OffSet = 0x4F4
$MP_OffSet = 0x4AC
$MaxMP_OffSet = 0x4F8
$MinEnemyHP_Offset = 0x17C

$PW_Client = _MemoryOpen(ProcessExists("elementclient.exe"))

$PlayerBase = _MemoryRead(_MemoryRead($BaseAdress, $PW_Client, "dword") + $BaseOffset, $PW_Client, "dword") + $PlayerStruct_Offset

$String7 = _MemoryRead(_MemoryRead($PlayerBase, $PW_Client, "dword") + $MinEnemyHP_Offset, $PW_Client, "dword")
The problem is that 17C or 130 is not a sub-offset of the Player Structure. So how can I find the base address of the target's cur HP?
Here are my working offsets regarding NPC's HP :)
Code:
$NPCHP_Offset = 0x130
$NPCMaxHP_Offset = 0x17C
:)

Currently working on ItemSortList but since I'm busy at work, maybe I will post those results on Thursday...
03/09/2014 13:38 goder2910#36
@Interest07: Thanks for your suggestion. I will research more.

@denzjh: Can you share your 'getting NPC's HP' code?

I used the code above and always get a long number, not the NPC's HP.

Example: HP is 152 but the script displays 2152023xx..

Maybe the problem is the conversion between variable types.

Thanks in advance.
03/09/2014 20:22 denzjh#37
Use the pointer I commented on in post #26, and use the NPC offsets I used in post #35. @msgames has already shown the table...
The code for the HP of the target is very long... you need to identify whether your target is a player or an NPC... then get its unique ID. Now you need to make a function that enlists/populates the players/NPCs around your character. You can search that list using the unique ID of your target and return the corresponding HP or other data that you want to have.
I have problems displaying players' HP since I need to be in the same squad with them or something like an eye of observation/jungle belt and cast them. Also, your character's stat offsets are the same as the stat offsets of other players.
To summarize what I have learned so far:
Code:
basepointer = [baseaddress + "base_offset"]
char_pointer = [basepointer + "charbase_offset"]

surroundings_pointer = [baseaddress + "surroundingsbase_offset"]
otherplayers_pointer = [surroundings_pointer + "otherplayersbase_offset"]
otherplayers_count = [otherplayers_pointer + "otherplayerscount_offset"] <--- will return number of players around your character
nonplayers_pointer = [surroundings_pointer + "nonplayersbase_offset"]
nonplayers_count = [nonplayers_pointer + "nonplayerscount_offset"] <--- will return number of non-players around your character
items_pointer = [surroundings_pointer + "itemsbase_offset"]
items_count = [items_pointer + "itemscount_offset"] <--- will return number of loots around your character

for the pointers of lists:
otherplayerlist_pointer = [otherplayers_pointer + "otherplayerslist_offset"]
nonplayerlist_pointer = [nonplayers_pointer + "nonplayerlist_offset"]
itemlist_pointer = [items_pointer + "itemlist_offset"]

for the data you want to obtain (unique_id, database_id, name, level, hp, max_hp):
data = [pointer + "data_offset"]
If anyone knows the itemlist offset, it would save me time :D
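The lookup described in posts #34 and #37, as an added example that is not from any poster in this thread: a Python simulation over a constructed memory image, showing why an NPC offset applied to the player struct returns an unrelated dword while resolving the target ID through the NPC list returns the HP. Only 0x130 and 0x17C come from the thread; every address, ID and other offset here is hypothetical.

```python
import struct

# Constructed 32-bit memory image. Only 0x130 / 0x17C (NPC HP / max HP,
# post #35) come from the thread; all other offsets, addresses and IDs
# below are hypothetical sample values.
NPC_HP, NPC_MAXHP = 0x130, 0x17C
NPC_ID, PLAYER_TARGET_ID = 0x11C, 0xB30   # hypothetical offsets
LIST_COUNT, LIST_ARRAY = 0x14, 0x18       # hypothetical offsets

class FakeMemory:
    """Sparse memory that returns little-endian dwords, like a remote read."""
    def __init__(self):
        self.cells = {}

    def write(self, addr, value):
        self.cells[addr] = struct.pack("<I", value & 0xFFFFFFFF)

    def read(self, addr):
        # Unwritten addresses return filler, standing in for unrelated fields.
        return struct.unpack("<I", self.cells.get(addr, b"\xd4\xc3\x44\x80"))[0]

def build_sample():
    mem = FakeMemory()
    player, npc_list, array = 0x1000_0000, 0x2000_0000, 0x2100_0000
    mem.write(player + PLAYER_TARGET_ID, 0x8010_0002)  # selected target's ID
    mem.write(npc_list + LIST_COUNT, 2)
    mem.write(npc_list + LIST_ARRAY, array)
    for slot, (npc, uid, hp, max_hp) in enumerate(
            [(0x3000_0000, 0x8010_0001, 40, 90), (0x3100_0000, 0x8010_0002, 152, 226)]):
        mem.write(array + 4 * slot, npc)   # list holds pointers to NPC structs
        mem.write(npc + NPC_ID, uid)
        mem.write(npc + NPC_HP, hp)
        mem.write(npc + NPC_MAXHP, max_hp)
    return mem, player, npc_list

def target_hp(mem, player, npc_list):
    """Resolve the target ID to its own NPC struct, then read HP from it."""
    wanted = mem.read(player + PLAYER_TARGET_ID)
    array = mem.read(npc_list + LIST_ARRAY)
    for slot in range(mem.read(npc_list + LIST_COUNT)):
        npc = mem.read(array + 4 * slot)
        if npc and mem.read(npc + NPC_ID) == wanted:
            return mem.read(npc + NPC_HP), mem.read(npc + NPC_MAXHP)
    return None  # target is not in the NPC list (for example, a player)

def wrong_read(mem, player):
    """The post #33 mistake: an NPC offset applied to the player struct."""
    return mem.read(player + NPC_MAXHP)
```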
03/31/2014 22:33 Underavelvetmoon#38
Hey guys! I'm having a little trouble reversing some of the packets, and seeing as this is a very active, intelligent thread, I thought I'd ask here for some help xD

So after much trial and error, and what has pretty much been my whole day, I've managed to locate the SendPacketAddress: 0x722840. The only problem I'm having is that compared to dumbfck's tutorial on gathering packet information, the packets are structured differently, and give no obvious information to follow. I'm about 95% sure this is the correct address, so I'm really stuck trying to figure this out. I'd appreciate any help!

There isn't any clear definition or address to follow. Like, the Meditate packet on Interest's "Sending Packets" comes up as 2E 00. On mine I can only trace it down to 66 8B or something like that. Very frustrating after all this work, and I'm so sure the SendPacket is right haha
04/03/2014 14:35 denzjh#39
nope, your other 5% doubt is correct. SendPacket_Address is 0x725700. :D
04/03/2014 22:21 Underavelvetmoon#40
Quote:
Originally Posted by denzjh
nope, your other 5% doubt is correct. SendPacket_Address is 0x725700. :D
Really?! Damn! The address I posted was breaking whenever I sent a packet so I was convinced it was that! I tried many addresses too which didn't break! How did you find it, may I ask? I wasn't off by far but I must have taken a wrong step.

I back traced from the "send" function in ws2_32. I tried WSASend and WSASendTo also but they weren't producing breaks for me. At least I'm getting better at this xD
10/22/2014 02:00 bogsik#41
I retired from this game 5 years ago, but recently my wife started playing again because she's pregnant and stays at home. She asked me to do some bot config for her, but apparently the MHS bot I've used for many years isn't working anymore.

Been working on R3D23R0's guide about getting the base address and spent 6 hours, but damn, I can't find the one which unfreezes the client.

By the way, the server is pw-ph. Anyone know if it's a hack shield like any other server?
10/22/2014 10:17 Sᴡoosh#42
As far as I know, no pw server employs hackshield.

MHS will not work anymore, since it uses a method of targeting which has been fixed for around 3 years.
10/22/2014 21:30 denzjh#43
Quote:
Originally Posted by bogsik
I retired from this game 5 years ago, but recently my wife started playing again because she's pregnant and stays at home. She asked me to do some bot config for her, but apparently the MHS bot I've used for many years isn't working anymore.

Been working on R3D23R0's guide about getting the base address and spent 6 hours, but damn, I can't find the one which unfreezes the client.

By the way, the server is pw-ph. Anyone know if it's a hack shield like any other server?
Do you mind uploading an elementclient.exe of the said server ^_^ I want to try to look for its base address. Thanks in advance.
11/03/2014 10:24 tempus fugitus#44
Can someone post working offsets for PWI international?
Please
11/03/2014 14:01 Stark77#45