Current Base Address Discovery Methods

01/30/2014 06:54 R3D23R0#1
All the tutorials across this forum don't seem to apply to the current version of PWI. For instance, searching for unfreeze addresses and then using the 'what accesses/writes to this address' no longer provides the base address.

Update: I've been tinkering around with some more stuff on the forums and this method seems to work:

Search for Unfreeze Address
(add it to list in CE)
Find out what accesses this address
(more info)
mine says ebp+000004D0, and ebp is 00c76db0
Search for 00c76db0 in hex and the green address seems to be the base address: 00C7662C


Now, I've got a project where I'm trying to display the hp, and I can do it easily by grabbing the hp address using CE and plugging it into my ini file and reading that using PID.

Edit: Updated working testing code below, if you want to toy around with it.

Update: I'm going to keep posting tips and tricks in this thread; if the info in the thread isn't on the first page, I'm going to link to it here:
01/31/2014 10:04 R3D23R0#2
*epic double facepalm facedesk* I forgot to add player struct... derp derp

Code:
#include <NomadMemory.au3>
#include <GUIConstants.au3>
#include <GUIListBox.au3>
#include <Misc.au3>
#include <Array.au3>

#RequireAdmin

; Pointer chain walked below: [[[base] + 28] + 44] + 1192 -> current HP
$vBaseAdress = 13067820   ; 0x00C7662C, the green address found with CE
$vBaseOffset = 28         ; 0x1C
$vplayeroffset = 44       ; 0x2C, player struct offset
$vCurHP = 1192            ; 0x4A8, HP offset inside the player struct

$vOpen = _MemoryOpen(ProcessExists("elementclient.exe"))

While 1 ;loop until ESC is pressed
	Sleep(3000)

	; one dereference, then one offset, per step
	$vReadBase = _MemoryRead($vBaseAdress, $vOpen, "dword") + $vBaseOffset
	$vReadBaseplayer = _MemoryRead($vReadBase, $vOpen, "dword") + $vplayeroffset
	$vReadPtr = _MemoryRead($vReadBaseplayer, $vOpen, "dword") + $vCurHP
	$vReadCurHP = _MemoryRead($vReadPtr, $vOpen, "dword")

	ToolTip("base offset: " & $vBaseOffset & @CRLF & "hp: " & $vReadCurHP & @CRLF & $vReadBase & @CRLF & $vReadPtr)
	;$vBaseOffset = $vBaseOffset + 1

	If _IsPressed("1B") Then ExitLoop ; ESC, so _MemoryClose below is actually reached
WEnd

_MemoryClose($vOpen)
01/31/2014 17:19 cerbere63#3
Hello,
I like what you've done.
I tried to find the current PWI offsets but it didn't really work. I can't manage to find the real base address, etc.
Good luck with this project. I will try to work on it too.
01/31/2014 19:40 R3D23R0#4
Quote:
Originally Posted by cerbere63
Hello,
I like what you've done.
I tried to find the current PWI offsets but it didn't really work. I can't manage to find the real base address, etc.
Good luck with this project. I will try to work on it too.
I stumbled around for a long time before I finally sifted through the rubble here to find something that still worked. Here's how you can do it:

Find unfreeze address
----
1. Open PWI client, log in, get on a character, then go to Cheat Engine(CE)
2. Search for 0, exact value, 4 bytes
3. After scan finishes, go to PWI client
4. Freeze PWI with a hotkey (don't use F12 if auto culti is set to F12, you'll crash the PWI client)
5. Go back to CE, search 1 instead of 0 with "Next scan", and wait for scan to finish.
6. Go back to PWI client, unfreeze with hotkey, go back to CE, search 0 in "Next Scan"
7. After scan finishes, go to PWI client
8. Repeat steps 4 to 7 until you're left with a handful of addresses. When I get down to 10 I'll just add them all to my list below, and one by one I'll click the box on the left that forces change, change the value to 1, and see if the PWI client is unfrozen. If it isn't the one, uncheck it and try the next one. Once you get the one that unfreezes the client, you're ready to find the base address.

Find base address:
----
1. Add that unfreeze address to your list in CE (well, we already did, didn't we?)
2. Right click on that address, and choose 'find out what accesses this address'.
3. Go back to the PWI client, and attack some mobs, lose some hp, whatever, for about 10 seconds. I'm not sure how long it takes, but it doesn't take long.
4. Go back to CE. It's got a box with 'opcodes'.
5. Look in that box, there should be 3 or 4 addresses. They'll say something like 'xxx, [aaa + 00000zzz]'. That zzz in hex is your unfreeze address offset.
6. We're not done yet. Copy that zzz to notepad or write it down. Where it said 'aaa', copy that too, or write it down.
7. Stop that 'opcodes' process and close that box.
8. In CE, search for 'aaa', and make sure to tick the 'hex' box.
9. On the left in the results, you should see a green address. That's your base address.
10. Do a victory dance because you just got the base address in probably less than a minute. If, on the other hand, it didn't work, ...well, try it again? I'm not sure where you need to go from there.

Finding the base and char struct offsets
----
Now these I'm not 100% sure about, and this is where it gets tricky and complicated. Anyone who uses CE should know how to get HP values: basically it's just searching for your HP, going back into the client, losing or gaining HP, and then checking with 'next scan' again.

Anyway, you get the HP address, and then add it to your list in CE, and find out 'what accesses this address'. Go back into PWI and goof around and lose some hp, then come back to CE. You should have a few addresses in the 'opcodes' box. They should all have the same suffix, (i.e. this time it's 000004A8). 4A8/1192 is your HP offset.

Find base and player offset
----
While you're there on the 'opcodes' box, check out all four lines. You might see something like this:

------------first line
Code:
00480113 - 8B 8E F4040000  - mov ecx,[esi+000004F4]
00480119 - 88 44 24 28  - mov [esp+28],al
0048011D - 8B 86 A8040000  - mov eax,[esi+000004A8] <<
00480123 - 89 4C 24 30  - mov [esp+30],ecx
00480127 - 8B 8E 140F0000  - mov ecx,[esi+00000F14]
---------------fourth line
Code:
005846AE - 8B D8  - mov ebx,eax
005846B0 - 89 5C 24 28  - mov [esp+28],ebx
005846B4 - 8B 83 A8040000  - mov eax,[ebx+000004A8] <<
005846BA - 8B BB A0040000  - mov edi,[ebx+000004A0]
005846C0 - 89 44 24 34  - mov [esp+34],eax
Don't worry, yes, it's confusing at first, but do you see the similarities? esp+28 is in both addresses, before the HP offset is named. I think I can safely say with a reasonable amount of confidence that that number is your base offset. I just know it works this time (28), it may not work next time.

------------ third line
Code:
0046910D - 89 86 B4040000  - mov [esi+000004B4],eax
00469113 - 8B 4F 04  - mov ecx,[edi+04]
00469116 - 89 8E A8040000  - mov [esi+000004A8],ecx <<
0046911C - 8B 57 0C  - mov edx,[edi+0C]
0046911F - 89 96 AC040000  - mov [esi+000004AC],edx
I'm guessing on this one too, but do you see the numbers around 4A8? 04 + 0C in hex = 16, and 16 + 28 = 44, and that's the current player offset (44).

Another way that you might be able to find the player offset is to take that address up above, [esi+000004A8], and find out what ESI stands for down below. When you find that out, (for example, esi = 18864850), take that address and search for it in HEX with CE.

Pick the first result, I'm not sure if it matters or not, and add it below to your list. Double click it in your list, tick the 'pointer' box, and below, put in 18864850, and in the smaller 'offset' box above, put your HP offset (4A8, currently). Hit OK, and you'll see the address in your list changed. Now 'find out what accesses this address' on that new address, and it will say 'pointer?', so you say, 'of course, CE, I know it's a pointer, I just put it in there!' :p

My first result says:


Code:
00444ED1 - 0F84 E8000000 - je elementclient.exe+44FBF
00444ED7 - 8B 7C 24 2C  - mov edi,[esp+2C]
00444EDB - 8B 11  - mov edx,[ecx] <<
00444EDD - 57 - push edi
00444EDE - B3 01 - mov bl,01
2c in hex is 44, and that is the player offset, no?

Anyways, I hope this helps someone.
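The freeze/unfreeze search in steps 1 to 8 above is a differential scan: an exact-value first scan, then repeated 'next scan' filters that keep only the addresses whose value tracked each state change. The Python below is an added illustration, not code from the thread or from Cheat Engine; it runs that filter over a constructed 64-byte buffer standing in for a process region, so the round-by-round shrinkage can be seen without a client. The buffer contents, the flag position (dword 5) and the 'noise' word (dword 9) are invented for the example; the noise word shows why several rounds are needed before a survivor can be trusted.

```python
import struct

WORD = 4  # CE's "4 bytes" scan type


def make_snapshot(dwords):
    """Pack a list of dwords into a little-endian buffer (stands in for a memory region)."""
    return b"".join(struct.pack("<I", d) for d in dwords)


def first_scan(snapshot, value):
    """Every 4-byte-aligned offset whose dword equals value (CE 'First Scan', exact value)."""
    target = struct.pack("<I", value)
    return {off for off in range(0, len(snapshot) - WORD + 1, WORD)
            if snapshot[off:off + WORD] == target}


def next_scan(candidates, snapshot, value):
    """Keep only the candidates that now hold value (CE 'Next Scan')."""
    target = struct.pack("<I", value)
    return {off for off in candidates if snapshot[off:off + WORD] == target}


def narrow(observations):
    """observations: [(snapshot, expected_value), ...] in the order they were taken.
    Returns the candidate set after every round; the last set is the final answer."""
    (snap, val), *rest = observations
    cands = first_scan(snap, val)
    rounds = [cands]
    for snap, val in rest:
        cands = next_scan(cands, snap, val)
        rounds.append(cands)
    return rounds


# Constructed region of 16 dwords. Dword 5 is the flag being hunted (0 running, 1 paused);
# dword 9 is noise that follows the flag for the first three observations only;
# dwords 0 and 3 are constants that never match the first scan for 0.
BACKGROUND = [7, 0, 0, 1] + [0] * 12


def region(flag, noise):
    d = list(BACKGROUND)
    d[5], d[9] = flag, noise
    return make_snapshot(d)


OBSERVATIONS = [
    (region(0, 0), 0),  # client running  -> first scan for 0
    (region(1, 1), 1),  # client paused   -> next scan for 1
    (region(0, 0), 0),  # resumed         -> next scan for 0
    (region(1, 0), 1),  # paused again    -> noise word stays 0 and drops out
]


if __name__ == "__main__":
    rounds = narrow(OBSERVATIONS)
    print("survivors per round:", [len(r) for r in rounds])
    print("final candidate byte offsets:", sorted(rounds[-1]))
```

Run as a script it prints `[14, 2, 2, 1]` and `[20]`: 14 zero dwords survive the first scan, the flag and the noise word survive two more rounds, and only byte offset 20 (dword 5) survives the fourth. That round-by-round count is the signal to stop scanning and start verifying candidates individually.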
02/01/2014 08:58 cerbere63#5
Thank you for this.
I have a little question. Do you know how to find the real base address used in Prophet bot?
02/01/2014 08:59 Hype#6
Thank you dude :)
02/02/2014 05:55 R3D23R0#7
Quote:
Originally Posted by cerbere63
Thank you for this.
I have a little question. Do you know how to find the real base address used in Prophet bot?
Quote:
Originally Posted by No0oB

no ^^... 0xA5BFCC is not the real base it's 0xA5BFB0 (0xA5BFCC-0x1C) and the memory of elementclient.exe has a range from 0x00400000 to XXX sry idk the end address ^^
and pointers can point to any address in the memory ^^ (lower and higher as the baseaddress)
So if current base address is 00c7662c / 13067820, and 0x1c = 28, that's a real base address of 13067792, right? Why do people call it the 'real base'? We already had a base address years ago. Can we come up with a better name? Second base? :D
02/02/2014 18:09 Interest07#8
Quote:
Originally Posted by R3D23R0
So if current base address is 00c7662c / 13067820, and 0x1c = 28, that's a real base address of 13067792, right? Why do people call it the 'real base'? We already had a base address years ago. Can we come up with a better name? Second base? :D
It's called 'real base address' because someone used base address for the result of [realBaseAddress] + 0x1C and that was already prevalent in so many places that some sort of distinction needed to be made.
02/17/2014 21:48 lars911#9
Quote:
4. Freeze PWI with hotkey(don't use f12 if auto culti is set to f12, you'll crash PWI client)
Sorry, but I don't quite understand this step. What do you mean by "freeze PWI with hotkey"? Do you mean setting a hotkey in Cheat Engine for "Pause the selected process"?
02/17/2014 22:08 R3D23R0#10
Quote:
Originally Posted by lars911
Sorry, but I don't quite understand this step. What do you mean by "freeze PWI with hotkey"? Do you mean setting a hotkey in Cheat Engine for "Pause the selected process"?
Yes
02/24/2014 20:12 wawtal#11
Won't work for me :( PWE
02/25/2014 07:42 martmor#12
Quote:
Originally Posted by wawtal
Won't work for me :( PWE
The private server PWE has a hackshield (it had a hackshield some years ago).
02/25/2014 20:46 R3D23R0#13
Here's some more info that may help some of you. I searched for offsets to find the current weapon durability, but they're not where they used to be, and it was taking too long to find them. Yes, I could use a timer, but I want something more precise. I realized when equipment is close to breaking it throws a flag that says 'please take care of your equipment'.

If you have your weapon handy, auto cultivate or bot with your character until you get that flag thrown, and the yellow icon shows up in the top right corner of your client saying 'take care of your equipment'. Open up CE and search 4 byte, exact match, for the value "1". After it's done, go back to the client, and swap that weapon with one that doesn't need to be repaired and doesn't throw the yellow icon. Go back to CE and search for "0". Then go back to the client when it's done searching and swap back to the nearly broken weapon again. Repeat those steps until you only have a handful of addresses left. Keep the CE window near the edge of the PWI client, play around swapping weapons back and forth, and eliminate any that don't immediately swap from 0 to 1 and vice versa. When you've only got about 4 or 5 left (you should only have 4 left, really), go to the BS and repair the weapon. One of the '1's should have switched to 0 when you repaired it. That's your current durability flag, as far as I know. Now, that changes every time you relaunch the client, and I'm currently hunting down the offset for it...

The old offset was here:

currentDur = [[[[[[[realBaseAddress] + 0x1C] + 0x34] + 0xCB0] + 0xC] + 0x0] + 0x68]
maxDur = [[[[[[[realBaseAddress] + 0x1C] + 0x34] + 0xCB0] + 0xC] + 0x0] + 0x6C]

So far I've gotten to here:

Code:
; $realbaseaddress and $vOpen are set earlier, as in post #2
Global $baseaddress = _MemoryRead($realbaseaddress, $vOpen) + 0x1c

Global $vReadBaseplayer = _MemoryRead($baseaddress, $vOpen, "dword") + 0x2c

; [player + 0xF18] -> inventory struct
Global $dur1 = _MemoryRead(_MemoryRead($vReadBaseplayer, $vOpen) + 0xf18, $vOpen)
0xF18 being the inventory struct, but I can't pull up the durability flag on anything past that.
02/25/2014 22:16 msxgames#14
0xF10 is the let's say "normal" inventory structure, 0xF18 is the "quest" inventory structure and 0xF14 is the "gear" inventory structure. Under 0xF14 you can find the gear listed under 0xC. 0x0 is the weapon, 0x4 is the hat, 0x8 is the necklace, 0xC is the robe and so on......

currentDur = [[[[[[[realBaseAddress] + 0x1C] + 0x2C] + 0xF14] + 0xC] + 0x0] + 0x74]
maxDur = [[[[[[[realBaseAddress] + 0x1C] + 0x2C] + 0xF14] + 0xC] + 0x0] + 0x78]

The durability is calculated using CEIL(currentDur/100) and CEIL(maxDur/100).
02/26/2014 10:03 wawtal#15
Quote:
Originally Posted by martmor
The private server PWE has a hackshield (it had a hackshield some years ago).

Well, that's too bad :( I was hoping for a bot in PWE :(, because I can see some players using bots, but they won't tell me what to use :(