PWI GUI Mapper

Page 1 of 4

09/16/2011 02:16 dumbfck#1

Hi folks,

Here's another tool that might prove useful for people who are just interested in disecting the game... If you just want to download bots and run them, you may as well leave now.

I'm currently working on a system to build custom in-game interfaces using the client's own mechanisms, so it was useful to me to investigate how the whole GUI system hangs together. Sometimes it's quicker to build a tool to investigate things for you than to spend weeks finding offsets, hence this little tool :P

In a nutshell, this tool will search the GUI base

Code:

[[[[baseCall]+0x1C]+0x18]+0x8]

for window objects, retrieving their offsets along with some information about them, plus information about their child objects, e.g., buttons, lists, labels, etc.

[Only registered and activated users can see links. Click Here To Register...]

Run PWI, then launch this tool and it will list on the left all available GUI wndows in the client. Click on one of them and it will give you more information about the window. You can even open and close windows using the checkboxes next to the list of window objects hehe.
Be warned, trying to open some of them will crash the client... I'm not really too fussed about fixing that as it's only very few of them and they're windows that are not of interest to me.

That's about all there is to it - I won't go into details about how it works because it's fairly straightforward and you can just inspect the code if you're interested.
It's built with C# so you'll need Visual C# or Visual Studio to use it (Download [Only registered and activated users can see links. Click Here To Register...] or visual Studio 2010 Express - They're free and they kick AutoShit's arse ;))

I intend to build on it so that you can actually activate any control on any window via the tool's interface... Just not today lol.

Chances are the project might piss off your antivirus - I have crappy Avira on my Win7 box I tested this on and it kept telling me I had an infection even though I made the bloody thing - Hence I'm uploading the full source and not some dodgy .exe so you can inspect it. I was a little surprised as it only uses some process memory writes and doesn't even inject anything. I'm really not interested in stealing your precious facecock passwords and stuff, so if you don't trust it, don't download it. -(modified Swoosh quote... Thanks :P)

Oh... In another thread I kind of mentioned that it could open the console window. Well that was an inadvertant lie because I had accessed this during the building of this thing, but it's a slightly different approach to do that. As I'm generally a nice chap, I'll explain how to do that anyway lol.

If you want to play with the console stuff, you'll need [Only registered and activated users can see links. Click Here To Register...]
A utility to "send to command prompt" is quite useful too - I use [Only registered and activated users can see links. Click Here To Register...] for this (Crappy Avira even alerted this as an infection - It's safe)
So, download sPCK to a folder somewhere, then copy interfaces.pck from your perfect world element folder into the sPCK folder.

***IMPORTANT*** Make a backup of interfaces.pck in case you screw something up.

Right click sPCK.exe -> Send to command prompt.
Now, to extract the .pck file...

Code:

sPCK.exe -x interfaces.pck

This will generate a folder called interfaces.pck.files
Open interface.pck.files\interfaces\ingame-v1.dcf and find the line:

Code:

Version01\console.xml        0        0        0

and change it to

Code:

Version01\console.xml        0        0        1

Save the file and close it, then delete your interfaces.pck file (the one in your sPCK folder!!!) and run sPCK again

Code:

sPCK.exe -c interfaces.pck.files

This will repack the files into a .pck
Once that's completed, copy the interfaces.pck file back to your element folder and launch the client. Woohoo! You now have a console that you can play around with.

It will stay open and you can't unfocus it, so if you want to remove it, you need to reinstate your original interfaces.pck file. If I can be arsed, I might find the GUI offset to close it lol.... But I can't be arsed today.

The commands for the console are available in the configs.pck file (extract with sPCK again, look for console_cmd.txt) but for your pleasure, here is the list of commands: (don't include the quotes)

Code:

"d_cameramode"
"d_boundbox"
"d_rtdebug"
"d_npcid"
"d_runspeed"
"d_goto"
"d_fly"
"d_c2scmd"
"d_viewradius"
"d_relogin"
"d_skill"
"d_render_water"
"d_render_grass"
"d_render_forest"
"d_render_shadow"
"d_render_outline"
"d_turnaround"
"d_testdist"
"d_gfx"
"d_showpos"
"d_trnlayer"
"d_a3dstat"
"d_gamestat"
"d_treelod"
"d_fps"
"d_playerradius"
"d_showid"
"d_skipframe"
"d_modelupdate"
"d_minidump"
"d_settimeofday"
"d_getservertime"
"d_task"
"d_mipmapbias"
"d_trncull"
"d_gscmd"
"d_delcmd"
"d_title"
"d_namepos"
"d_createtime"
"d_lastlogintime"
"d_money"
"d_go"
"d_query"
"d_querynpc"
"d_theme"
"d_queryservice"
"d_uidebug"

// ========== GM commands ==========

"gm_kickout_role"
"gm_kickout_user"
"gm_list_user"
"gm_online_num"
"gm_restart_sev"
"gm_shutup_role"
"gm_shutup_user"
"gm_moveto_player"
"gm_callin_player"
"gm_broadcast"
"gm_showid"
"gm_forbid_role"
"gm_trigger_chat"
"gm_generate"

Obviously the GM ones wont work so don't bother trying them.
It's not particularly useful as such, but it's quite fun to play around with (d_boundbox looks quite cool ^^)
Well... I say it's not useful, but some of the commands there will display NPC / Player IDs above their heads - So that's very useful if you're looking for offsets etc.

Anyway - I hope someone finds it useful :)

Cheers.

09/16/2011 09:01 Interest07#2

Awesome, you 'finished' this project then :D

I'm quite curious about the adding your own windows to the gui thing. I'm not gonna continue with the d3d8 stuff for now if that proves possible, because it would be a much cleaner solution :)

09/16/2011 09:48 dumbfck#3

Quote:

Originally Posted by Interest07

Awesome, you 'finished' this project then :D

I'm quite curious about the adding your own windows to the gui thing. I'm not gonna continue with the d3d8 stuff for now if that proves possible, because it would be a much cleaner solution :)

Well... Don't give up on yours just yet lol - So far, I can add my own window into the client just by copy / pasta / editing one of the existing xml files in interfaces\version1. Once it's added, I have to search for it in memory in order to show it. As for actually displaying useful information in it and making buttons work, etc - Well I really have no idea yet how well that's gonna work out because it will require injecting some probably quite substantial code into the client, including code to add it to the guiBase1 windows table.
I wouldn't particularly fancy writing all of the handler code in asm, so I'm gonna need to find a way to somehow compile some other language into usable code that can be injected... I'm very open to suggestions here xD.
Considering this might not be a particularly easy task, I'm not sure how practical this will be in an environment where you typically have to tweak code -> compile it -> inject it -> test it -> rinse and repeat.
Your D3D8 hooking might still be a much more suitable solution ^^

09/16/2011 11:34 Interest07#4

Quote:

Originally Posted by dumbfck

Well... Don't give up on yours just yet lol - So far, I can add my own window into the client just by copy / pasta / editing one of the existing xml files in interfaces\version1. Once it's added, I have to search for it in memory in order to show it. As for actually displaying useful information in it and making buttons work, etc - Well I really have no idea yet how well that's gonna work out because it will require injecting some probably quite substantial code into the client, including code to add it to the guiBase1 windows table.
I wouldn't particularly fancy writing all of the handler code in asm, so I'm gonna need to find a way to somehow compile some other language into usable code that can be injected... I'm very open to suggestions here xD.
Considering this might not be a particularly easy task, I'm not sure how practical this will be in an environment where you typically have to tweak code -> compile it -> inject it -> test it -> rinse and repeat.
Your D3D8 hooking might still be a much more suitable solution ^^

Instead of compiling some code to obtain the asm to inject, why not just inject a dll with the code you need? Should at least save you the horror of asm :p

09/16/2011 11:53 dumbfck#5

Good thinking... No idea how to do that, but hey - Something new to learn xD

09/17/2011 14:17 xoraxax#6

Looks cool. Trying to figure out how it works. Thank you.
I have an autoIt dll injector somewhere. I could try to find it if you wish.

09/17/2011 14:33 amineurin#7

Nice, but ower my understandings :(
At this time, im willed to learn.

i program in the moment a tool to seek for items in catshops, thx to Interest07 Info and posting over it.
not really finish yet, but i had a lucky day testing it.
found in a catshop a primeval stone for 100k, sold him minutes later for 33m *lol*

maybe one day i can use ur info to make some "plugins" for the game, like autopot or autoasisst :)

09/17/2011 18:39 dumbfck#8

Quote:

Originally Posted by xoraxax

Looks cool. Trying to figure out how it works. Thank you.
I have an autoIt dll injector somewhere. I could try to find it if you wish.

Thanks, but I try to avoid using AutoIt wherever possible hehe.
I might ask Interest07 how he did it for his AutoPot thing, as that didn't even seem to trigger my AV - which is a particularly fussy AV lol. I'm assuming he codecaved it maybe?

Quote:

Originally Posted by amineurin

not really finish yet, but i had a lucky day testing it.
found in a catshop a primeval stone for 100k, sold him minutes later for 33m *lol*

Niiiiice! Wish I was lucky like that xD

09/17/2011 21:16 Interest07#9

The code for the dll injector, taken from [Only registered and activated users can see links. Click Here To Register...]. This is all you need to compile it (C++ code). After compiling you would need to put the injector together with a PWdll.dll in your ../element folder. The dll will need to contain a function called "Initialize", as the injector will call this function from the dll after loading it inside the elementclient.exe (via a codecave indeed).

Spoiler

Code:

#include <windows.h>
#include <stdio.h>

/***************************************************************************************************/
//	Function: 
//		Inject
//	
//	Parameters:
//		HANDLE hProcess - The handle to the process to inject the DLL into.
//
//		const char* dllname - The name of the DLL to inject into the process.
//		
//		const char* funcname - The name of the function to call once the DLL has been injected.
//
//	Description:
//		This function will inject a DLL into a process and execute an exported function
//		from the DLL to "initialize" it. The function should be in the format shown below,
//		not parameters and no return type. Do not forget to prefix extern "C" if you are in C++
//
//			__declspec(dllexport) void FunctionName(void)
//
//		The function that is called in the injected DLL
//		-MUST- return, the loader waits for the thread to terminate before removing the 
//		allocated space and returning control to the Loader. This method of DLL injection
//		also adds error handling, so the end user knows if something went wrong.
/***************************************************************************************************/

void Inject(HANDLE hProcess, const char* dllname, const char* funcname)
{
//------------------------------------------//
// Function variables.						//
//------------------------------------------//

	// Main DLL we will need to load
	HMODULE kernel32	= NULL;

	// Main functions we will need to import
	FARPROC loadlibrary		= NULL;
	FARPROC getprocaddress	= NULL;
	FARPROC exitprocess		= NULL;
	FARPROC exitthread		= NULL;
	FARPROC freelibraryandexitthread = NULL;

	// The workspace we will build the codecave on locally
	LPBYTE workspace		= NULL;
	DWORD workspaceIndex	= 0;

	// The memory in the process we write to
	LPVOID codecaveAddress	= NULL;
	DWORD dwCodecaveAddress = 0;

	// Strings we have to write into the process
	char injectDllName[MAX_PATH + 1]	= {0};
	char injectFuncName[MAX_PATH + 1]	= {0};
	char injectError0[MAX_PATH + 1]		= {0};
	char injectError1[MAX_PATH + 1]		= {0};
	char injectError2[MAX_PATH + 1]		= {0};
	char user32Name[MAX_PATH + 1]		= {0};
	char msgboxName[MAX_PATH + 1]		= {0};

	// Placeholder addresses to use the strings
	DWORD user32NameAddr	= 0;
	DWORD user32Addr		= 0;
	DWORD msgboxNameAddr	= 0;
	DWORD msgboxAddr		= 0;
	DWORD dllAddr			= 0;
	DWORD dllNameAddr		= 0;
	DWORD funcNameAddr		= 0;
	DWORD error0Addr		= 0;
	DWORD error1Addr		= 0;
	DWORD error2Addr		= 0;

	// Where the codecave execution should begin at
	DWORD codecaveExecAddr = 0;

	// Handle to the thread we create in the process
	HANDLE hThread = NULL;

	// Temp variables
	DWORD dwTmpSize = 0;

	// Old protection on page we are writing to in the process and the bytes written
	DWORD oldProtect	= 0;	
	DWORD bytesRet		= 0;

//------------------------------------------//
// Variable initialization.					//
//------------------------------------------//

	// Get the address of the main DLL
	kernel32	= LoadLibrary("kernel32.dll");

	// Get our functions
	loadlibrary		= GetProcAddress(kernel32,	"LoadLibraryA");
	getprocaddress	= GetProcAddress(kernel32,	"GetProcAddress");
	exitprocess		= GetProcAddress(kernel32,	"ExitProcess");
	exitthread		= GetProcAddress(kernel32,	"ExitThread");
	freelibraryandexitthread = GetProcAddress(kernel32,	"FreeLibraryAndExitThread");

// This section will cause compiler warnings on VS8, 
// you can upgrade the functions or ignore them

	// Build names
	_snprintf(injectDllName, MAX_PATH, "%s", dllname);
	_snprintf(injectFuncName, MAX_PATH, "%s", funcname);
	_snprintf(user32Name, MAX_PATH, "user32.dll");
	_snprintf(msgboxName, MAX_PATH, "MessageBoxA");

	// Build error messages
	_snprintf(injectError0, MAX_PATH, "Error");
	_snprintf(injectError1, MAX_PATH, "Could not load the dll: %s", injectDllName);
	_snprintf(injectError2, MAX_PATH, "Could not load the function: %s", injectFuncName);

	// Create the workspace
	workspace = (LPBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024);

	// Allocate space for the codecave in the process
	codecaveAddress = VirtualAllocEx(hProcess, 0, 1024, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	dwCodecaveAddress = PtrToUlong(codecaveAddress);

// Note there is no error checking done above for any functions that return a pointer/handle.
// I could have added them, but it'd just add more messiness to the code and not provide any real
// benefit. It's up to you though in your final code if you want it there or not.

//------------------------------------------//
// Data and string writing.					//
//------------------------------------------//

	// Write out the address for the user32 dll address
	user32Addr = workspaceIndex + dwCodecaveAddress;
	dwTmpSize = 0;
	memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
	workspaceIndex += 4;

	// Write out the address for the MessageBoxA address
	msgboxAddr = workspaceIndex + dwCodecaveAddress;
	dwTmpSize = 0;
	memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
	workspaceIndex += 4;

	// Write out the address for the injected DLL's module
	dllAddr = workspaceIndex + dwCodecaveAddress;
	dwTmpSize = 0;
	memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
	workspaceIndex += 4;

	// User32 Dll Name
	user32NameAddr = workspaceIndex + dwCodecaveAddress;
	dwTmpSize = (DWORD)strlen(user32Name) + 1;
	memcpy(workspace + workspaceIndex, user32Name, dwTmpSize);
	workspaceIndex += dwTmpSize;

	// MessageBoxA name
	msgboxNameAddr = workspaceIndex + dwCodecaveAddress;
	dwTmpSize = (DWORD)strlen(msgboxName) + 1;
	memcpy(workspace + workspaceIndex, msgboxName, dwTmpSize);
	workspaceIndex += dwTmpSize;

	// Dll Name
	dllNameAddr = workspaceIndex + dwCodecaveAddress;
	dwTmpSize = (DWORD)strlen(injectDllName) + 1;
	memcpy(workspace + workspaceIndex, injectDllName, dwTmpSize);
	workspaceIndex += dwTmpSize;

	// Function Name
	funcNameAddr = workspaceIndex + dwCodecaveAddress;
	dwTmpSize = (DWORD)strlen(injectFuncName) + 1;
	memcpy(workspace + workspaceIndex, injectFuncName, dwTmpSize);
	workspaceIndex += dwTmpSize;

	// Error Message 1
	error0Addr = workspaceIndex + dwCodecaveAddress;
	dwTmpSize = (DWORD)strlen(injectError0) + 1;
	memcpy(workspace + workspaceIndex, injectError0, dwTmpSize);
	workspaceIndex += dwTmpSize;

	// Error Message 2
	error1Addr = workspaceIndex + dwCodecaveAddress;
	dwTmpSize = (DWORD)strlen(injectError1) + 1;
	memcpy(workspace + workspaceIndex, injectError1, dwTmpSize);
	workspaceIndex += dwTmpSize;

	// Error Message 3
	error2Addr = workspaceIndex + dwCodecaveAddress;
	dwTmpSize = (DWORD)strlen(injectError2) + 1;
	memcpy(workspace + workspaceIndex, injectError2, dwTmpSize);
	workspaceIndex += dwTmpSize;

	// Pad a few INT3s after string data is written for seperation
	workspace[workspaceIndex++] = 0xCC;
	workspace[workspaceIndex++] = 0xCC;
	workspace[workspaceIndex++] = 0xCC;

	// Store where the codecave execution should begin
	codecaveExecAddr = workspaceIndex + dwCodecaveAddress;

// For debugging - infinite loop, attach onto process and step over
	//workspace[workspaceIndex++] = 0xEB;
	//workspace[workspaceIndex++] = 0xFE;

//------------------------------------------//
// User32.dll loading.						//
//------------------------------------------//

// User32 DLL Loading
	// PUSH 0x00000000 - Push the address of the DLL name to use in LoadLibraryA
	workspace[workspaceIndex++] = 0x68;
	memcpy(workspace + workspaceIndex, &user32NameAddr, 4);
	workspaceIndex += 4;

	// MOV EAX, ADDRESS - Move the address of LoadLibraryA into EAX
	workspace[workspaceIndex++] = 0xB8;
	memcpy(workspace + workspaceIndex, &loadlibrary, 4);
	workspaceIndex += 4;

	// CALL EAX - Call LoadLibraryA
	workspace[workspaceIndex++] = 0xFF;
	workspace[workspaceIndex++] = 0xD0;

// MessageBoxA Loading
	// PUSH 0x000000 - Push the address of the function name to load
	workspace[workspaceIndex++] = 0x68;
	memcpy(workspace + workspaceIndex, &msgboxNameAddr, 4);
	workspaceIndex += 4;

	// Push EAX, module to use in GetProcAddress
	workspace[workspaceIndex++] = 0x50;

	// MOV EAX, ADDRESS - Move the address of GetProcAddress into EAX
	workspace[workspaceIndex++] = 0xB8;
	memcpy(workspace + workspaceIndex, &getprocaddress, 4);
	workspaceIndex += 4;

	// CALL EAX - Call GetProcAddress
	workspace[workspaceIndex++] = 0xFF;
	workspace[workspaceIndex++] = 0xD0;

	// MOV [ADDRESS], EAX - Save the address to our variable
	workspace[workspaceIndex++] = 0xA3;
	memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
	workspaceIndex += 4;

//------------------------------------------//
// Injected dll loading.					//
//------------------------------------------//

/*
	// This is the way the following assembly code would look like in C/C++

	// Load the injected DLL into this process
	HMODULE h = LoadLibrary("mydll.dll");
	if(!h)
	{
		MessageBox(0, "Could not load the dll: mydll.dll", "Error", MB_ICONERROR);
		ExitProcess(0);
	}

	// Get the address of the export function
	FARPROC p = GetProcAddress(h, "Initialize");
	if(!p)
	{
		MessageBox(0, "Could not load the function: Initialize", "Error", MB_ICONERROR);
		ExitProcess(0);
	}

	// So we do not need a function pointer interface
	__asm call p

	// Exit the thread so the loader continues
	ExitThread(0);
*/

// DLL Loading
	// PUSH 0x00000000 - Push the address of the DLL name to use in LoadLibraryA
	workspace[workspaceIndex++] = 0x68;
	memcpy(workspace + workspaceIndex, &dllNameAddr, 4);
	workspaceIndex += 4;

	// MOV EAX, ADDRESS - Move the address of LoadLibraryA into EAX
	workspace[workspaceIndex++] = 0xB8;
	memcpy(workspace + workspaceIndex, &loadlibrary, 4);
	workspaceIndex += 4;

	// CALL EAX - Call LoadLibraryA
	workspace[workspaceIndex++] = 0xFF;
	workspace[workspaceIndex++] = 0xD0;

// Error Checking
	// CMP EAX, 0
	workspace[workspaceIndex++] = 0x83;
	workspace[workspaceIndex++] = 0xF8;
	workspace[workspaceIndex++] = 0x00;

// JNZ EIP + 0x1E to skip over eror code
	workspace[workspaceIndex++] = 0x75;
	workspace[workspaceIndex++] = 0x1E;

// Error Code 1
	// MessageBox
		// PUSH 0x10 (MB_ICONHAND)
		workspace[workspaceIndex++] = 0x6A;
		workspace[workspaceIndex++] = 0x10;

		// PUSH 0x000000 - Push the address of the MessageBox title
		workspace[workspaceIndex++] = 0x68;
		memcpy(workspace + workspaceIndex, &error0Addr, 4);
		workspaceIndex += 4;

		// PUSH 0x000000 - Push the address of the MessageBox message
		workspace[workspaceIndex++] = 0x68;
		memcpy(workspace + workspaceIndex, &error1Addr, 4);
		workspaceIndex += 4;

		// Push 0
		workspace[workspaceIndex++] = 0x6A;
		workspace[workspaceIndex++] = 0x00;

		// MOV EAX, [ADDRESS] - Move the address of MessageBoxA into EAX
		workspace[workspaceIndex++] = 0xA1;
		memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
		workspaceIndex += 4;

		// CALL EAX - Call MessageBoxA
		workspace[workspaceIndex++] = 0xFF;
		workspace[workspaceIndex++] = 0xD0;

	// ExitProcess
		// Push 0
		workspace[workspaceIndex++] = 0x6A;
		workspace[workspaceIndex++] = 0x00;

		// MOV EAX, ADDRESS - Move the address of ExitProcess into EAX
		workspace[workspaceIndex++] = 0xB8;
		memcpy(workspace + workspaceIndex, &exitprocess, 4);
		workspaceIndex += 4;

		// CALL EAX - Call MessageBoxA
		workspace[workspaceIndex++] = 0xFF;
		workspace[workspaceIndex++] = 0xD0;

//	Now we have the address of the injected DLL, so save the handle

	// MOV [ADDRESS], EAX - Save the address to our variable
	workspace[workspaceIndex++] = 0xA3;
	memcpy(workspace + workspaceIndex, &dllAddr, 4);
	workspaceIndex += 4;

// Load the initilize function from it

	// PUSH 0x000000 - Push the address of the function name to load
	workspace[workspaceIndex++] = 0x68;
	memcpy(workspace + workspaceIndex, &funcNameAddr, 4);
	workspaceIndex += 4;

	// Push EAX, module to use in GetProcAddress
	workspace[workspaceIndex++] = 0x50;

	// MOV EAX, ADDRESS - Move the address of GetProcAddress into EAX
	workspace[workspaceIndex++] = 0xB8;
	memcpy(workspace + workspaceIndex, &getprocaddress, 4);
	workspaceIndex += 4;

	// CALL EAX - Call GetProcAddress
	workspace[workspaceIndex++] = 0xFF;
	workspace[workspaceIndex++] = 0xD0;

// Error Checking
	// CMP EAX, 0
	workspace[workspaceIndex++] = 0x83;
	workspace[workspaceIndex++] = 0xF8;
	workspace[workspaceIndex++] = 0x00;

// JNZ EIP + 0x1C to skip eror code
	workspace[workspaceIndex++] = 0x75;
	workspace[workspaceIndex++] = 0x1C;

// Error Code 2
	// MessageBox
		// PUSH 0x10 (MB_ICONHAND)
		workspace[workspaceIndex++] = 0x6A;
		workspace[workspaceIndex++] = 0x10;

		// PUSH 0x000000 - Push the address of the MessageBox title
		workspace[workspaceIndex++] = 0x68;
		memcpy(workspace + workspaceIndex, &error0Addr, 4);
		workspaceIndex += 4;

		// PUSH 0x000000 - Push the address of the MessageBox message
		workspace[workspaceIndex++] = 0x68;
		memcpy(workspace + workspaceIndex, &error2Addr, 4);
		workspaceIndex += 4;

		// Push 0
		workspace[workspaceIndex++] = 0x6A;
		workspace[workspaceIndex++] = 0x00;

		// MOV EAX, ADDRESS - Move the address of MessageBoxA into EAX
		workspace[workspaceIndex++] = 0xA1;
		memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
		workspaceIndex += 4;

		// CALL EAX - Call MessageBoxA
		workspace[workspaceIndex++] = 0xFF;
		workspace[workspaceIndex++] = 0xD0;

	// ExitProcess
		// Push 0
		workspace[workspaceIndex++] = 0x6A;
		workspace[workspaceIndex++] = 0x00;

		// MOV EAX, ADDRESS - Move the address of ExitProcess into EAX
		workspace[workspaceIndex++] = 0xB8;
		memcpy(workspace + workspaceIndex, &exitprocess, 4);
		workspaceIndex += 4;

//	Now that we have the address of the function, we cam call it, 
// if there was an error, the messagebox would be called as well.

	// CALL EAX - Call ExitProcess -or- the Initialize function
	workspace[workspaceIndex++] = 0xFF;
	workspace[workspaceIndex++] = 0xD0;

	// If we get here, the Initialize function has been called, 
	// so it's time to close this thread and optionally unload the DLL.

//------------------------------------------//
// Exiting from the injected dll.			//
//------------------------------------------//

// Call ExitThread to leave the DLL loaded
#if 1
	// Push 0 (exit code)
	workspace[workspaceIndex++] = 0x6A;
	workspace[workspaceIndex++] = 0x00;

	// MOV EAX, ADDRESS - Move the address of ExitThread into EAX
	workspace[workspaceIndex++] = 0xB8;
	memcpy(workspace + workspaceIndex, &exitthread, 4);
	workspaceIndex += 4;

	// CALL EAX - Call ExitThread
	workspace[workspaceIndex++] = 0xFF;
	workspace[workspaceIndex++] = 0xD0;
#endif

// Call FreeLibraryAndExitThread to unload DLL
#if 0
	// Push 0 (exit code)
	workspace[workspaceIndex++] = 0x6A;
	workspace[workspaceIndex++] = 0x00;

	// PUSH [0x000000] - Push the address of the DLL module to unload
	workspace[workspaceIndex++] = 0xFF;
	workspace[workspaceIndex++] = 0x35;
	memcpy(workspace + workspaceIndex, &dllAddr, 4);
	workspaceIndex += 4;

	// MOV EAX, ADDRESS - Move the address of FreeLibraryAndExitThread into EAX
	workspace[workspaceIndex++] = 0xB8;
	memcpy(workspace + workspaceIndex, &freelibraryandexitthread, 4);
	workspaceIndex += 4;

	// CALL EAX - Call FreeLibraryAndExitThread
	workspace[workspaceIndex++] = 0xFF;
	workspace[workspaceIndex++] = 0xD0;
#endif

//------------------------------------------//
// Code injection and cleanup.				//
//------------------------------------------//

	// Change page protection so we can write executable code
	VirtualProtectEx(hProcess, codecaveAddress, workspaceIndex, PAGE_EXECUTE_READWRITE, &oldProtect);

	// Write out the patch
	WriteProcessMemory(hProcess, codecaveAddress, workspace, workspaceIndex, &bytesRet);

	// Restore page protection
	VirtualProtectEx(hProcess, codecaveAddress, workspaceIndex, oldProtect, &oldProtect);

	// Make sure our changes are written right away
	FlushInstructionCache(hProcess, codecaveAddress, workspaceIndex);

	// Free the workspace memory
	HeapFree(GetProcessHeap(), 0, workspace);

	// Execute the thread now and wait for it to exit, note we execute where the code starts, and not the codecave start
	// (since we wrote strings at the start of the codecave) -- NOTE: void* used for VC6 compatibility instead of UlongToPtr
	hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)((void*)codecaveExecAddr), 0, 0, NULL);
	WaitForSingleObject(hThread, INFINITE); 

	// Free the memory in the process that we allocated
	VirtualFreeEx(hProcess, codecaveAddress, 0, MEM_RELEASE);
}

// Program entry point
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nCmdShow)
{
	// Structures for creating the process
	STARTUPINFO si = {0};
	PROCESS_INFORMATION pi = {0};
	BOOL result = FALSE;

	// Hardcoded just for a demo, you will need to use a game/program of your own to test
	// It is not a good idea to use stuff in system32 due to the DEP enabled on those apps.
	char* exeString = "elementclient.exe";

	// Holds where the DLL should be
	char dllPath[MAX_PATH + 1] = {0};

	// Set the static path of where the Inject DLL is, hardcoded just for a demo
	_snprintf(dllPath, MAX_PATH, "PWdll.dll");

	// Need to set this for the structure
	si.cb = sizeof(STARTUPINFO);

	// Try to load our process
	result = CreateProcess(NULL, exeString, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
	if(!result)
	{
		MessageBox(0, "Process could not be loaded!", "Error", MB_ICONERROR);
		return -1;
	}

	// Inject the DLL, the export function is named 'Initialize'
	Inject(pi.hProcess, dllPath, "Initialize");

	// Resume process execution
	ResumeThread(pi.hThread);

	// Standard return
	return 0;
}

09/18/2011 13:18 xoraxax#10

[Only registered and activated users can see links. Click Here To Register...]

Working AutoIt injector. The thing i like with dll injection is that you do not have to use readProcessMemory or so on to get some data and you don't have to do any weird stuff to call some function

09/18/2011 16:12 dumbfck#11

Cool, thanks guys :D

09/18/2011 21:38 Interest07#12

here's the source for the dll

09/20/2011 23:54 amineurin#13

*erm* i really dont want do disturb you booth, since you are so silent im shure you work hard on the gui stuff [Only registered and activated users can see links. Click Here To Register...]
but would you be so nice to give me the number to send with the packet for refreshing the gold price ?

i dont get it with the mhs script to break the game from Interest07 :(
try to set a break at the auction hall base adress, press the refresh button, but no popup goes up.
like in the description from Interest07.

ur foolish padawan [Only registered and activated users can see links. Click Here To Register...]

09/26/2011 14:47 dumbfck#14

Sorry, I forgot to answer this post last time I saw it >.>
I never actually got the packet for refreshing gold listings - I assume Interest did though as (I believe) he did some stuff with graphing the gold trends etc.

On another note, I found a better base offset for searching the window offsets in the GUI mapper. It can now find all the dialogue boxes, consoles, etc too.
Just replace Form1.cs from the package in the first post with this:

Spoiler

Code:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.IO;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text.RegularExpressions;


namespace guiMapper
{
    public partial class Form1 : Form
    {
        static Process[] processes = System.Diagnostics.Process.GetProcessesByName("elementclient");
        //static int pid = System.Diagnostics.Process.GetProcessesByName("elementclient")[0].Id;
        static int pid;
        //open process
        public static IntPtr pr_processHandle = MemFunctions.OpenProcess(pid);
        elements elements = new elements();

        uint structOffsetGuiBase1;

        Dictionary<uint, windowObj> windows = new Dictionary<uint, windowObj>();
        List<Panel> panels = new List<Panel>();
        List<CheckBox> chkBoxes = new List<CheckBox>();

        string debugText = "";

        bool formLoaded = false;


        public Form1()
        {
            InitializeComponent();
        }

        private unsafe void Form1_Load(object sender, EventArgs e)
        {
            if (processes.Length == 0)
            {
                MessageBox.Show("No elementclients were found");
                Application.Exit();
            }
            else
            {
                // @TODO Change this later for multiclient support.
                pid = processes[0].Id;
                //open process
                pr_processHandle = MemFunctions.OpenProcess(pid);
            }         
            
            
            
           // Construct base structures
            GUIBASE1 guiBase1 = new GUIBASE1();                 // Instantiate objDbBase0 structure
            byte* lpGuiBase1 = &guiBase1.bytes[0];                // Structure base byte pointer
            int sizeGuiBase1 = sizeof(GUIBASE1);                // To pass to mem functions
            structOffsetGuiBase1 = MemFunctions.resolveNestedPointer(pr_processHandle, elements.baseCall, 0x1C, 0x18, 0x08, 0xC4, 0);
            MemFunctions.MemReadBytesToStruct(pr_processHandle, structOffsetGuiBase1, lpGuiBase1, sizeGuiBase1);

            byte[] dialogueListBytes = new byte[0x4000] ;
            dialogueListBytes = MemFunctions.MemReadBytes(pr_processHandle, (int)structOffsetGuiBase1, 0x1000);
            uint[] dialogueListInts = new uint[0x4000 / 4];
            for (int i = 0; i < (0x4000 / 4)-1; i+=4)
            {
                dialogueListInts[i / 4] = BitConverter.ToUInt32(dialogueListBytes, i);
            }

            for (uint i = 0; i < dialogueListInts.Length - 1; i++)
            {
                if (dialogueListInts[i] < 0x600000)
                    break;
                getWindowData(i * 4, dialogueListInts[i]);
            }

            rtfOutput.Text = debugText;

            int xPos = 10;
            int yPos = 10;

            foreach (KeyValuePair<uint, windowObj> w in windows)
            {
                panels.Add(new Panel());
                panels.Last().BorderStyle = BorderStyle.FixedSingle;
                panels.Last().Size = new Size(180, 22);
                panels.Last().Location = new Point(xPos, yPos);
                panels.Last().Name = "p_" + w.Key.ToString();
                
                panels.Last().Click += new EventHandler(this.panelClick);

                Label l = new Label();
                l.Text = w.Value.name;
                l.Top = 3;
                l.Width = panels.Last().Width;
                l.Click += new EventHandler(this.panelClick);
                l.Name = "l_" + w.Key.ToString();
                panels.Last().Controls.Add(l);
                this.Controls.Add(panels.Last());

                chkBoxes.Add(new CheckBox());
                chkBoxes.Last().CheckState = CheckState.Unchecked;
                chkBoxes.Last().Location = new Point(196, yPos);
                chkBoxes.Last().Name = "chk_" + w.Key.ToString();

                chkBoxes.Last().CheckStateChanged += new EventHandler(this.chkBoxChanged);

                this.Controls.Add(chkBoxes.Last());

                yPos += 24;
            }

            formLoaded = true;
            timer1.Start();
        }

        private void getWindowData(uint ndx, uint baseOffset)
        {
            uint temp = MemFunctions.resolveNestedPointer(pr_processHandle, baseOffset + 0x4C, 0);
            if (temp > 0 && temp < 0x3FFFFFFF)
            {
                string dirtyString = MemFunctions.ByteArrayToString(MemFunctions.MemReadBytes(pr_processHandle, (int)temp, 50), MemFunctions.EncodingType.ASCII);
                string cleanString = Regex.Replace(dirtyString, "[^a-zA-Z0-9_.\\*]+", "", RegexOptions.Compiled);
                debugText += ndx.ToString("X8") + " -> " + baseOffset.ToString("X8") + ": " + cleanString + "\n";
                if (!windows.ContainsKey(ndx))
                    windows.Add(ndx, new windowObj(cleanString, ndx, baseOffset));
                else
                {
                    windows[ndx] = new windowObj(cleanString, ndx, baseOffset);
                }
            }
            else
            {
                debugText += ndx.ToString("X8") + " -> " + temp.ToString("X8") + "\n";
            }
        }

        private void timer1_Tick(object sender, EventArgs e)
        {
            checkWindowStates();
        }
        
        private void checkWindowStates()
        {
            // First check if focused window has changed (at offset [[guiBase1]+0x74])

            uint currentFocused = MemFunctions.MemReadUInt(pr_processHandle, structOffsetGuiBase1 + windows.First().Value.guiBase1Offset);
            if (windows.First().Value.baseAddress != currentFocused)
            {
                getWindowData(windows.First().Key, currentFocused);
                panels.First().Controls[0].Text = windows.First().Value.name;
            }


            foreach (KeyValuePair<uint, windowObj> w in windows)
            {
                byte isVisible = MemFunctions.MemReadBytes(pr_processHandle, (int)w.Value.baseAddress + 0x90, 1)[0];
                CheckBox c = (CheckBox)this.Controls.Find("chk_" + w.Key.ToString(), true)[0];
                c.CheckState = isVisible == 0 ? CheckState.Unchecked : CheckState.Checked;
            }
        }

        private void chkBoxChanged(Object sender, EventArgs e)
        {
            if (formLoaded)
            {
                CheckBox c = (CheckBox)sender;
                uint winOffset = UInt32.Parse(c.Name.Substring(4));
                uint winBase = windows[winOffset].baseAddress;
                bool open = c.CheckState == CheckState.Checked ? true : false;
                alterWindowState(winBase, open);
            }
        }

        private void alterWindowState(uint baseAddress, bool open)
        {
            MemFunctions.MemWriteByte(pr_processHandle, (int)baseAddress + 0x90, open ? (byte)1 : (byte)0);
        }

        private void panelClick(Object sender, EventArgs e)
        {
            Panel p = null;
            Label l = null;

            try
            {
               p = (Panel)sender;
            }
            catch
            {
                l = (Label)sender;
            }

            string outString = "";
            uint offset = UInt32.Parse(Regex.Match(p == null ? l.Name : p.Name, ".+_([0-9]+)").Groups[1].Value);
            outString += "0x" + offset.ToString("X3") + " -> " + windows[offset].name + "\n";
            outString += "Window base address:  " + windows[offset].baseAddress.ToString("X8") + "\n";
            outString += "Child objects:\n";
            foreach (controlObj c in windows[offset].children)
            {
                outString += "\n";
                outString += "Control ID:                   0x" + c.id.ToString("X8") + "\n";
                outString += "      Control base address:   0x" + c.baseAddress.ToString("X8") + "\n";
                outString += "      Control handler func:   0x" + c.handlerFunc.ToString("X8") + "\n";
                outString += "      Name:                   " + c.name + "\n";
                outString += "      Text:                   " + c.text + "\n";
                outString += "      Command:                " + c.command + "\n";
            }


            rtbWindowInfo.Text = outString;
        }

    }
}

Enjoy :)
I'll hopefully be releasing the custom in-game GUI development kit soon ;)
It's going rather nicely hehe.

04/21/2012 23:49 amineurin#15

erm is it possible to use own functions in this kind of menu ?
if yes, how would this work ?
build a dll and load it with the game or any other idea ?

its just a idea i have and im trying to get more info, before i start trying to realising.

im thinking of another hotkey bar in the game, like the two ones allready there.

the idea i have is:
make such a bar in game style
read icons from a ini file and use maybe png images
also read functions from ini file

like:
1 slot = health icon
1 function: send chat message to user xyz "heal me"
2 slot = another heal icon
2 function: send chat message to user xyz "heal selected $playername"
3 slot = buff icon
3 function: send chat message to user xyz "buff me"
and so on...

so u can command maybe a heal bot with chat commands and by using a ingame menu.

its just a idea and maybe here are ppl willed to discuss this :)

Page 1 of 4

Last »