[RELEASE] Jawq (WQ bot for PWI)

Page 4 of 17

07/02/2013 21:58 Murmuring#46

hm i used for such a case the sendkey ESC :o
but remember reading about a winaction you can inject in the russian board.

like this one:

Quote:

Func NPCTALKCLOSE()
$OPCODE = ""
PUSHAD()
MOV_EAX(0x950C18) ; // DlgCancelPush
PUSH_EAX()
MOV_EDX($APP_BASE_ADDRESS)
MOV_EDX_DWORD_PTR_EDX()
MOV_EDX_DWORD_PTR_EDX_ADD(Dec("18"))
MOV_EDX_DWORD_PTR_EDX_ADD(Dec("8"))
MOV_EDX_DWORD_PTR_EDX_ADD(Dec("74"))
MOV_ECX_EDX()
MOV_EDX(Dec("0077D3E0")) ;// DialogOpAddr
CALL_EDX()
POPAD()
RET()
INJECTCODE($PROCESS_ID)
Sleep(1000)
EndFunc ;==>NPCTALKCLOSE

link here: [Only registered and activated users can see links. Click Here To Register...]
also here: [Only registered and activated users can see links. Click Here To Register...]

and heres a tutorial how to get that adress: [Only registered and activated users can see links. Click Here To Register...]

07/03/2013 02:12 dumbfck#47

Yeah I was thinking of using that function (I'm guessing that one - haven't checked that code), but I think the requirement will be to have a maintainence free way of getting any function / offset addresses... Which I think I know how to do. Damn update finally finished after 3 hours so I'm taking a look now (well... in between watching Breaking Bad lol).

***EDIT***

Ok, this is pretty much what I've got for this.
I don't know AHK but I suppose AutoShit might be fairly similar and I know the latter a little bit, so I'll try to make sure it's clear what's going on so you can port it to AHK ;)
It should be entirely maintenance free in as much as the only two offset chains required have not changed in as many updates as I can remember.

Basically, we want to call the guiCommand() function which looks something like this:

Code:

guiCommand(DWORD* commandString, DWORD dialogueObject)

Where commandString is a literal string, in this case, "Btn_Close". There are a bunch of other commands you can send to any dialogue, but that's outside the scope of what I am documenting here.
dialogueObject is the base of the dialogue object, e.g., the window we want to close, which we will assume is the currently focused dialogue (if it is necessary for it to not necessarily be the focused dialogue, some additional clevers will be needed but it's not so bad).

Now, if anyone's done any work with GUI stuff or read any of my previous posts, you will probably know that the currently focused dialogue base address can be found at:

Code:

baseCall->structs->guiBase0->guiBase1->focusedDialogue

which is: (and has been since like... forever)

Code:

[[[[[baseCall]+0x1C]+0x18]+0x8]+0x74]

The only other offset we need is the function call and that's also easy to find as it's an integral part of the GUI class.
Currently (v731) this call is at 0x675C40, but more importantly it can be found in the guiBase1 vTable as follows:

Code:

*baseCall->structs->guiBase0->guiBase1->vTable->guiCommand()

Which is:

Code:

[[[[[[baseCall]+0x1C]+0x18]+0x8]+0]+0x14+0]

That offset also hasn't changed for as long as I can remember.

Now, there is a string "Btn_Close" present in the constant string tables within the game, but that has moved a few times. It's findable using an algorithm but frankly isn't worth the aggravation, so it's simpler to just write it into client memory during the function call and access it from there.

Here's my test program if you want to have a play with it. It will basically close whichever dialogue is currently focused (assuming it's a closeable window type dialogue)

Please excuse the mix of _MemoryOpen() and memOpen() kinda stuff, but AutoIt is annoying and I couldn't be bothered to merge them as one lol.

Spoiler

Code:

#include <NomadMemory.au3>

Global $kernel32 = DllOpen('kernel32.dll')
Global $pid = ProcessExists('elementclient.exe')
Global $ph = _MemoryOpen($pid)
Global $baseCall = 0xC0C68C;        ; v731

; Offset chain to find guiCommand() function call
Global $guiCommandCallOffsets[7] = [0, 0x1C, 0x18, 0x8, 0, 0x14, 0]
Global $guiCommandCall = _MemoryPointerRead($baseCall, $ph, $guiCommandCallOffsets)
$guiCommandCall = $guiCommandCall[0]

; Offsets chain to find currently focused dialogue object
Global $focusedDialogueOffsets[5] = [0, 0x1C, 0x18, 0x8, 0x74]
Global $focusedDialogue = _MemoryPointerRead($baseCall, $ph, $focusedDialogueOffsets)
$focusedDialogue = $focusedDialogue[0]

; For debugging purposes
ConsoleWrite(Hex($guiCommandCall) & @CRLF)
ConsoleWrite(Hex($focusedDialogue) & @CRLF)


; Close that window!
guiCommand("Btn_Close", $focusedDialogue)



Func guiCommand($command, $guiObjPtr)
    ; Declare local variables
    Local $pRemoteThread, $vBuffer, $loop, $result, $OPcode, $processHandle, $stringAddress, $stringSize

    $processHandle = memOpen($pid)

    ; First let's write the command string to somewhere in the client memory
    $stringSize = StringLen($command)
    ; Allocate memory for the string to be sent and retrieve the address for this
    $stringAddress = DllCall($kernel32, 'int', 'VirtualAllocEx', 'int',  $processHandle, 'ptr', 0, 'int', $stringSize, 'int', 0x1000, 'int',  0x40)
    
    ConsoleWrite("String Address: " & Hex($stringAddress[0]) & @CRLF)

    ; Put the string into a struct for later memory writing
    $vBuffer = DllStructCreate('byte[' & StringLen($command) & ']')
    For $loop = 1 To DllStructGetSize($vBuffer)
        DllStructSetData($vBuffer, 1, $command)
    Next

    ; Write the string to previously allocated memory
    DllCall($kernel32, 'int', 'WriteProcessMemory', 'int',  $processHandle, 'int', $stringAddress[0], 'int',  DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)



    ; Allocate memory for the OpCode and retrieve address for this
    $functionAddress = DllCall($kernel32, 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', 0x46, 'int', 0x1000, 'int', 0x40)

    ; Construct the OpCode for calling the 'guiCommand' function
    $OPcode &= '60'                                ; PUSHAD
    $OPcode &= 'A1' & _hex($guiObjPtr)            ; MOV EAX, guiObjPtr
    $OPcode &= '50'                                ; PUSH EAX
    $OPcode &= '68' & _hex($stringAddress[0])    ; PUSH commandString
    $OPcode &= 'B8' & _hex($guiCommandCall)     ; MOV EAX, guiCommandCall
    $OPcode &= 'FFD0'                             ; CALL EAX
    $OPcode &= '61'                             ; POPAD
    $OPcode &= 'C3'                             ; RETN


    ; Put the OpCode into a struct for later memory writing
    $vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
    For $loop = 1 To DllStructGetSize($vBuffer)
        DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
    Next

    ; Write the OpCode to previously allocated memory
    DllCall($kernel32, 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)

    ;//Create a remote thread in order to run the OpCode
    $hRemoteThread = DllCall($kernel32, 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress[0], 'ptr', 0, 'int', 0, 'int', 0)

    ; Wait for the remote thread to finish
    Do
        $result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
    Until $result[0] <> 258

    ; Close the handle to the previously created remote thread
    DllCall($kernel32, 'int', 'CloseHandle', 'int', $hRemoteThread[0])

    ; Free the previously allocated memory
    DllCall($kernel32, 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $functionAddress[0], 'int', 0, 'int', 0x8000)
    DllCall($kernel32, 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $stringAddress[0], 'int', 0, 'int', 0x8000)

    memClose($processHandle)
    
    Return True

EndFunc   ;==>guiCommand



Func _hex($value, $size = 8)
    Local $tmp1, $tmp2, $i
    $tmp1 = StringRight("000000000" & Hex($value), $size)
    For $i = 0 To StringLen($tmp1) / 2 - 1
        $tmp2 = $tmp2 & StringMid($tmp1, StringLen($tmp1) - 1 - 2 * $i, 2)
    Next
    Return $tmp2
EndFunc   ;==>_hex


Func memopen($pid)
    Local $mid = DllCall($kernel32, 'int', 'OpenProcess', 'int', 0x1F0FFF, 'int', 1, 'int', $pid)
    Return $mid[0]
EndFunc   ;==>memopen

Func memclose($mid)
    DllCall($kernel32, 'int', 'CloseHandle', 'int', $mid)
EndFunc   ;==>memclose

Hope it helps!

Cheers

07/03/2013 08:22 Hayden1988#48

Quote:

Originally Posted by Shareen

Error code 2 is timeout, but I higly doubt that it's a result of a dialog window.

How often do you experience this?

Its pretty random and i couldn't exactly see any particular pattern. But then the recent PWI have some problems with coordinates, i keep getting my preset targets (as in those markers in the map) shifting.

Anyway, I have enabled logging and will see if i can identify a certain pattern after a few days.

BTW, the writeline function in logging doesn't seem to give a newline for each event in the log. So I have slightly amended it so that it gives me a properly lined log.

Code:

	write(logString, useTimestamp := true) {
		if (this._mode = LM_BASIC) {
			if (logString = "") {
				this._fileHandle.WriteLine()
			}
			else {
				if (useTimestamp) {
					FormatTime, currDateTime,,dd.MM.yyyy HH:mm:ss
					[COLOR="Magenta"]this._fileHandle.WriteLine("[" . currDateTime . "] > " . logString . "`n`r")[/COLOR]
				}
				else {
					[COLOR="Magenta"]this._fileHandle.WriteLine(logString . "`n`r")[/COLOR]
				}
			}
		}
	}

Thanks for advising on the code to close the NPC dialog. I was trying to incorporate into the existing code but found that most of the PWI interactions are encapsulated in PWInterface.dll. A quick and dirty way will be to just add the code snippet somewhere in the autoit source, but to be in consistent with the overall design of this solution, i would rather incorporate it into the pwinterface.dll.

Could the source of pwinterface.dll be released?

07/05/2013 14:48 Shareen#49

Thank you dumbfck.

I'll look into it when I get a little free time, swamped by work at the moment.

07/10/2013 22:22 dumbfck#50

Quote:

Originally Posted by martmor

Shareen you are the best, do you have an guide? I found some but at the others I had to much problems. (no clue how to find them)

Which ones do you need help with?

07/16/2013 11:52 SilverStream0#51

I`m sorry for being a noob but I cannot open the file :( Error message comes up
Help would be very much appreciated :)

07/16/2013 15:57 Shareen#52

First make sure the file is inside /lib folder.
I know it sounds silly, but I don't know where you downloaded it from or what you used to unrar it. Perhaps something went wrong during that process. I admit it's clutching at straws a bit :)

Secondly, check AHK version, it needs to be version 1.1.09.00 or higher.
Very low AHK versions tend to skip first part of script and jump straight to include parts ... and sometimes failing there.
Older versions also had problems with locking files when reading them which could potentially lead to such errors.

Third, file permissions?
I don't know what windows system you use or under what privilege you are running the script, but it needs to have read permissions to all folders within Jawq folder.

These are what I can think of.
I cannot replicate the problem on my end and thus, cannot test other methods of solving it.

07/16/2013 20:59 Hayden1988#53

Quote:

Originally Posted by SilverStream0

I`m sorry for being a noob but I cannot open the file :( Error message comes up
Help would be very much appreciated :)

Please unpack the file into folder first before executing the program. Apparently you are trying to execute the script directly from the archive and thats why those dependent files can't be found.

07/17/2013 16:34 Shareen#54

Didn't even know that was allowed, thanks. :)

Never tried it, seemed somewhat silly.

07/27/2013 01:41 Mc_D#55

can anyone upload WQ bot?

07/28/2013 21:08 martmor#56

Quote:

Originally Posted by Mc_D

can anyone upload WQ bot?

Read here careful please:

[Only registered and activated users can see links. Click Here To Register...]

and you will find all informations that you need to download the bot

08/23/2013 22:11 money1994x#57

Anyone got latest offsents for WQ bot (FLYWQ) please?

Anyone got Offsets for FlyWQ bot? (PWI)

08/24/2013 12:00 martmor#58

The most offsets are the same as at this Bot here. The some other offsets you can search manualy. A description how to find the offsets is at the first page of the FlyWQ Bot. Or you take this Bot. Here provided Shareen the current offsets. Thanks!

09/25/2013 15:18 martmor#59

Hi

attached are some Offsets

Transportmethodoffset / Transportmode Offset 0x69C

FlyGearOffset / playerFlyMountOffset / PlayerFlyMountId 0x78C

Name Offset 0x688

Target ID Offset 0xC88

Base Address: 0xC38B6C

sendpacket = 0x6F55E0

To all who asked me via PM about the offsets and did not clicked to any Bot programmer the Thank you button: Sorry, before you ask me something please click the thank you button to the bot programmer entry. Thank you.

Sorry, I did not found more offsets for this bot

09/26/2013 03:08 bigbear72#60

Tried to make these work, not sure what to do. if you have it working correctly can you copy & paste the entire .ini file please?

Quote:

Originally Posted by martmor

Hi

attached are some Offsets

Transportmethodoffset / Transportmode Offset 0x69C

FlyGearOffset / playerFlyMountOffset / PlayerFlyMountId 0x78C

Name Offset 0x688

Target ID Offset 0xC88

Base Address: 0xC38B6C

To all who asked me via PM about the offsets and did not clicked to any Bot programmer the Thank you button: Sorry, before you ask me something please click the thank you button to the bot programmer entry. Thank you.

Sorry, I did not found more offsets for this bot

Page 4 of 17

« First

Last »