[Help] Jump instead of walk using Path-Finding

04/24/2009 13:09 Alexios#1
Hello everybody!

Firstly I want to know, is it possible to jump instead of walk using Path-Finding?
If yes, could someone direct me where/what I should look at and which programming language I should use?

Thanks!
04/24/2009 15:01 clintonselke#2
I think _fobos_ knows, if he wants to share :D

I've seen him hook functions of other programs using C/C++.

He gives an example he made for minesweeper.

In his example he hooks the pause and resume function on the timer for minesweeper, allowing you to pause time while playing, and thus achieving really good game times :D

And I know he knows the address of the jump function in Conquer.exe i've seen him talk about it in one of his posts:

I know he knows, but i do not know if he would like to share it :p

I know i would really love to know what he knows too :D

so here's a couple of hints... hooks, CO jump function (will need the memory address for it, maybe from OllyDbg)

Good Luck!!

Update: OK, I saw this in a tutorial link given in "Simulating clicks?"

When you jump in a location you can not jump, you get an error message "You can't stop here!"

Now look that up in StrRes.ini, you find the following:

100023=You can't stop here!

OK. 100023 is 186B7 in hexadecimal. So load up Conquer.exe in OllyDbg and

search for "push 186B7"

it should be found at 004C6500

that 004C6500 is the location the function that produces the error message is called, and this function happens to be called inside the jump function. So that location is inside the jump() function.

now, each function returns with a "RETF", so the return of the previous function b4 the jump function will have the command "RETF 8" in our case, then the address below it is the start of our jump() function.

So the jump() function in Conquer.exe is located at 004C6303

Now that is only a part of it, i haven't figured out how it is called yet. Need to find a function that calls this jump() function to get how to use it.

Sorry if its off-topic, but i hope it helps ya.

Update 2: lol, I'm so dumb... just search now for "CALL 004C6303", that will get the code that calls the jump() function and show us how to use it.

00486585 > FF75 EC PUSH DWORD PTR SS:[EBP-14] ; /Arg2
00486588 . 8BCE MOV ECX,ESI ; |
0048658A . FF75 E8 PUSH DWORD PTR SS:[EBP-18] ; |Arg1
0048658D . E8 71FD0300 CALL Conquer.004C6303 ; \Conquer.004C6303

Good, it takes two arguments; unfortunately I'm just a noob and still don't understand what it means fully. But it looks like it just puts the x and y coordinates on the stack b4 calling the jump function. Not sure yet :p

Edit: Sorry, this one: the same function call but from a different location. I attached a breakpoint on this one, and it caused Conquer to stop when I click w/ the mouse.

00486919 . FF75 EC PUSH DWORD PTR SS:[EBP-14] ; /Arg2
0048691C . 8BCE MOV ECX,ESI ; |
0048691E . FF75 E8 PUSH DWORD PTR SS:[EBP-18] ; |Arg1
00486921 . E8 DDF90300 CALL Conquer.004C6303 ; \Conquer.004C6303
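The id-to-immediate search that post describes (100023, 186B7 in hex, then search for "push 186B7"), as an added example that is not clintonselke's code: it encodes the push imm32 byte pattern OllyDbg is searched for and scans a constructed byte buffer (not bytes from Conquer.exe) for it. The image base and .text RVA are assumptions.

```c
/* Added example: find the "push imm32" that loads a StrRes.ini message id.
   The bytes are a constructed sample, not Conquer.exe; base/RVA are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_BASE 0x00400000u  /* assumed: default PE image base */
#define TEXT_RVA   0x00001000u  /* assumed: RVA where these .text bytes start */

/* Encode "push imm32": opcode 0x68 followed by the little-endian dword. */
void encode_push_imm32(uint32_t imm, uint8_t out[5])
{
    out[0] = 0x68;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(imm >> (8 * i));
}

/* Decode the immediate of a "push imm32" at p, or 0 if p is not one. */
uint32_t decode_push_imm32(const uint8_t *p)
{
    if (p[0] != 0x68) return 0;
    return (uint32_t)p[1] | (uint32_t)p[2] << 8 | (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
}

/* Scan a .text buffer for "push imm"; return the VA of the first hit, 0 if none. */
uint32_t find_push_imm32(const uint8_t *text, size_t len, uint32_t imm)
{
    uint8_t pat[5];
    encode_push_imm32(imm, pat);
    for (size_t i = 0; i + 5 <= len; i++)
        if (memcmp(text + i, pat, 5) == 0)
            return IMAGE_BASE + TEXT_RVA + (uint32_t)i;
    return 0;
}

/* Constructed sample: prologue, the message-id push, a call, callee-cleanup return. */
static const uint8_t sample_text[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,   /* push ebp; mov ebp,esp; sub esp,10h */
    0x68, 0xB7, 0x86, 0x01, 0x00,         /* push 186B7h  (= 100023 decimal)   */
    0xE8, 0x00, 0x00, 0x00, 0x00,         /* call rel32 (target irrelevant)     */
    0xC2, 0x08, 0x00                      /* retn 8                              */
};

uint32_t locate_message_push(void)
{
    return find_push_imm32(sample_text, sizeof sample_text, 100023u);
}

int main(void) { printf("push 186B7h found at VA %08X\n", (unsigned)locate_message_push()); return 0; }
```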
04/24/2009 17:56 Alexios#3
If I wasn't so noob, I would search to find how it works and how I would call the function while I am in-game... but unfortunately I have no idea about these... I know a little C and I have followed a guide to see how I can edit CO with Olly in order to make a multiclient, but I do not even know what "PUSH" or "MOV" does...

Btw, nothing of these is off-topic. The only thing that maybe is off-topic is me :D

EDIT:
clintonselke@ Did you see my post at House Permit Bot? I hope it helped and sorry if it was something (I do not know how to characterize it). (I was a little angry at that moment, not with you of course!)
04/24/2009 18:41 clintonselke#4
Quote: Originally Posted by Alexios
clintonselke@ Did you see my post at House Permit Bot? I hope it helped and sorry if it was something (I do not know how to characterize it). (I was a little angry at that moment, not with you of course!)
Nah man... i love ur post, every reply i get helps me a lot. I just had to take a shower, because i was starting to smell bad :o . Then taking a break from the bot for a while. There is one thing that bugs me a lot: when so many noobs are in the way of the waypoints, my bot tries and tries to click around them and gets stuck. Your post here has led me to find the jump() function in conquer.exe, which i can make a DLL program with and use inside my autoit script. So it's all in the right direction. Just would be so nice to jump on a spot where a noob is already standing. :D

I have a start on it anyway in mingw C/C++. I do not use the Microsoft one... I haven't got it lol... Just free compilers for me :D

AT&T assembly instead of Intel assembly... looks yuck lol.
PHP Code:
// globals so the inline asm can reference the arguments by symbol
static int ConquerJump_x, ConquerJump_y;

void ConquerJump(int x, int y)
{
    ConquerJump_x = x;
    ConquerJump_y = y;
    // ECX = object pointer (the MOV ECX,ESI before the CALL in OllyDbg),
    // then an indirect call to the jump() address found above
    asm("pushl _ConquerJump_x;\n"
        "pushl _ConquerJump_y;\n"
        "movl $0x005DABC0, %ecx;\n"
        "movl $0x004C6303, %eax;\n"
        "call *%eax;\n"
    );
}

that sucker above is gonna go inside my .DLL, and i will make the DLL host on 127.0.0.1:1234 or something like that... then i will connect to myself lol, and make another program to send it something like "jump (320, 211)" over the socket and then the DLL will call ConquerJump(320,211) for me :D

Doing it this way, any program at all can use the DLL, so others can make programs to call conquer commands like the jump() one.

PS: Sorry for not yet replying on my other thread, just this thread is so interesting atm :p

Edit: I re-read ur first post, you want the Path Finder tool to use jumping instead of walking... I'm so bad, kinda hijacked ur thread :(.. sorry man.

Maybe there is a simple hack though... first find the jump() function (already done), then find the call to the walk() function used for Pathfinding and overwrite its CALL with a CALL to the jump() function.

I really really don't know how to find the walk function :p , bcuz i don't know an error message u get from walking wrong to help find it... but i'll have a go. Should be able to do it w/ OllyDbg.

Edit: Sorry, the addresses were wrong... here's the new ones

Code:
0048672D   > F645 08 08     TEST BYTE PTR SS:[EBP+8],8
00486731   . 74 0F          JE SHORT Conquer.00486742
00486733   . FF75 EC        PUSH DWORD PTR SS:[EBP-14]               ; /Arg2
00486736   . 8BCE           MOV ECX,ESI                              ; |
00486738   . FF75 E8        PUSH DWORD PTR SS:[EBP-18]               ; |Arg1
0048673B   . E8 59F80300    CALL Conquer.004C5F99                    ; \Conquer.004C5F99
and the code for calling jump should now be the following

PHP Code:
#include <iostream>
using namespace std;

// globals so the inline asm can reference the arguments by symbol
static int ConquerJump_x, ConquerJump_y;

void ConquerJump(int x, int y)
{
    cout << "ConquerJump(" << x << "," << y << ")" << endl;
    ConquerJump_x = x;
    ConquerJump_y = y;
    // push order now matches the disassembly: Arg2 (y) first, then Arg1 (x);
    // ECX = object pointer (MOV ECX,ESI), then an indirect call to jump()
    asm("pushl _ConquerJump_y;\n"
        "pushl _ConquerJump_x;\n"
        "movl $0x005DABB8, %ecx;\n"
        "movl $0x004C5F99, %eax;\n"
        "call *%eax;\n"
    );
}

ignore the older ConquerJump() above, I found the addresses are different when ya check it with OllyDbg by attaching it to the process after it's running, instead of loading the executable into OllyDbg.