WQ bot for PWI

Page 1 of 33

09/08/2010 23:28 Interest07#1

I no longer support this bot, adjust the source code / offsets in order to get it to work for your version. Check for the latest version here: [Only registered and activated users can see links. Click Here To Register...]

latest version of bot as of 24/3/13:
[Only registered and activated users can see links. Click Here To Register...]

This bot should work for every (official) version of PW

Latest version for PWI can be found here, thanks to msxgames for continuing the bot :)
[Only registered and activated users can see links. Click Here To Register...]
Next version, thanks again :P
[Only registered and activated users can see links. Click Here To Register...]

Setting up the bot
Download the latest FlyWQ .rar
Unpack it
Update your WQing.ini file
There are two ways of going about this:

1) Copy the elementclient.exe from your Perfect World folder to where you unpacked the FlyWQ. Run the "findWQbotOffsets.exe". This should update the offsets in your WQing.ini

2) Copy or Move the "findWQbotOffsets.exe" to your Perfect World folder containing the elementclient.exe file. Run the offset finder. It should create a WQing.ini file. Move this file to your FlyWQ folder and overwrite the existing WQing.ini with the one you just created.

You will most likely need to update the WQing.ini after every patch.

Run the bot

It should automatically detect the chars you have logged in. You select the ones you want to do WQ on in the left list and press the >> button to have it start working on the WQ. It works without any clicks or keypresses and I believe it even works when minimized to tray icon.

Updates
edit: Now added an offset finder. Place it in the same folder as your elementclient.exe and it should get the offsets you need. Shouldn't need to add NPCids anymore.

edit 2.2: Added support for oddly named characters
edit 2.4: Added support for '|' character in names

(I'm keeping older versions just in case something gets messed up in a later one, but please always download the latest version)

09/09/2010 06:47 kulas2k2#2

hi, how to get questfunctionddress/offsets? im playing at pw-ph. it would be cool if it works on other pw servers.. thank you..

09/09/2010 12:58 Interest07#3

Open up your elementclient.exe in IDA pro

1)
search for text:

Code:

offset aCheckprerequis

2)
You should get only one result. Double click it, this should take you to this function:
[Only registered and activated users can see links. Click Here To Register...]

3)
Go to the top and check the Xrefs, it should be the second Xref shown
[Only registered and activated users can see links. Click Here To Register...]

4)
Go to the top of that function and check the address, this is the address for the questFunction
[Only registered and activated users can see links. Click Here To Register...]

5)
Check the Xrefs again, it should be the third xref shown, follow it. We are now looking for the offset from your character_database to the thisValue. As you can see, it is contained in edi in this example:
[Only registered and activated users can see links. Click Here To Register...]

6)
Now look where edi gets its value from. It'll be one of the parameters of the function we are currently in, in this case the first parameter.
[Only registered and activated users can see links. Click Here To Register...]

7)
Now we'll see where it gets its value. Luckily there is only one Xref here to follow.

[Only registered and activated users can see links. Click Here To Register...]
There we go, it is 0xDDC in this example.

finding the sendPacketFunction is much easier:

1)
search for:

Code:

(void *Src, size_t Size)

2)
You'll get 7 results (most likely), pick the third one:
[Only registered and activated users can see links. Click Here To Register...]

3)
It'll look like this (lots of Xrefs)
[Only registered and activated users can see links. Click Here To Register...]

and there you go, the address of this function.

1)

To find the counter and interval offsets (they're used in sending movement packets) you go up from the send packet function we just found. Follow the second Xref from the large list (this is the function responsible for sending a movement packet), verify by looking for the "push 21h" opcode, as this is the size of a regular move packet. In this example cx will contain the counter value.

[Only registered and activated users can see links. Click Here To Register...]

2)

Go to the top of the function, it will be the last argument when this function is called:

[Only registered and activated users can see links. Click Here To Register...]

3)

Folly the Xref to the preceding function
As we can see, the counter value comes from [esi+0x64]:

[Only registered and activated users can see links. Click Here To Register...]

4)

If we follow the function up to the top, we can see that as usual esi takes on the value of ecx

[Only registered and activated users can see links. Click Here To Register...]

5)

Take the first Xref you see again, and see what the offset to ecx is.

[Only registered and activated users can see links. Click Here To Register...]

6)

There we go, in this example the offset to playercounter is 0x858 + 0x64 = 0x8BC
Usign the 0x858 value we just found, we also know that the offset to interval is 0x858 + 0x18 = 0x870
(So for your version always add 0x64 and 0x18 to whatever value you find in this last step)

FlyspeedOffset:

1) attach CheatEngine to your client window, have a character logged in that can fly and has a standard free airmount. Now search for a float with value 5.5 (your flyspeed).

[Only registered and activated users can see links. Click Here To Register...]

2)

This should result in quite a lot of addresses:

[Only registered and activated users can see links. Click Here To Register...]

3)

Press the increase fly speed button, this should enhance your flyspeed to 7.5, so search next for this value, it should be reduced to one result:

[Only registered and activated users can see links. Click Here To Register...]

4)

Select find out what accesses this address and go ingame and fly a little bit. You should have results like this:

[Only registered and activated users can see links. Click Here To Register...]

5)

Congratulations, your flyspeedoffset is 0x4b0

Transportmode offset:
the values here will be 2 for flying and 0 for on the ground.

1)

Let's start off flying and search for value 2:

[Only registered and activated users can see links. Click Here To Register...]

2)

Pheww, that's a lot of results:

[Only registered and activated users can see links. Click Here To Register...]

3)

now lets drop down and search next for 0:

[Only registered and activated users can see links. Click Here To Register...]

4)

Still quite a few, so we best repeat this step a few times till we only have a couple left. Then it'll be easy to see which address keeps changing to the right value if we fly and stop flying. Take this value and see what accesses this address:

[Only registered and activated users can see links. Click Here To Register...]

5) There we go, offset is 0x608

FlyGearOffset:

Lets take a werefox or werebeast, their standard free flymount Id is 12791.

1)

Search for this value:

[Only registered and activated users can see links. Click Here To Register...]

2)

Now unequip it and search for 0:

[Only registered and activated users can see links. Click Here To Register...]

3)

You'll have one or two values left most likely, just requip the flymount and see which changes. You now have the address value for your flyMount. When looking for what accesses this address, you won't find the offsets as easily, so lets use a different method. We use the transportmode offset we found earlier and display it in CheatEngine:

[Only registered and activated users can see links. Click Here To Register...]

4)

FlyGear: 0x069144B0
TransportMode: 0x06914568

We know the offset for transportmode is 0x608, so to get the offset for FlyGear we simply to the following calculation:

offset = FlyGearAddress - TransportModeAddress + 0x608 =
0x069144B0 - 0x06914568 + 0x608 = 0x550

TargetOffset:

First of all lets select a good friend of all World Questers, Armerigo (the guy you start and end your WQ at). His NPCid is 0x8010449D (This will NOT be his id for all versions of PW), if you do not know his uniqueId for your version, just look at any value, and swap between different NPCs and deselecting and searching for 0.

1)

Search for this value once you have selected him, you'll get a couple of values:

[Only registered and activated users can see links. Click Here To Register...]

2)

Deselect him (don't have anything selected), now search for next value 0:

[Only registered and activated users can see links. Click Here To Register...]

3)

check what accesses this address:

[Only registered and activated users can see links. Click Here To Register...]

tadaa your offset is 0xAD4

Actionstruct offset:

When you are performing an action, [actionstruct + 0x18] will be 1, if you are idle, it will be 0. We will be using this to find out actionstructOffset:

1)

We once again take our trusty flyer and click far away in the distance so we know it will be moving for a while. We then search in cheatEngine for the value 1.

[Only registered and activated users can see links. Click Here To Register...]

2)

These are quite a few... now lets stop moving and search for the value 0:

[Only registered and activated users can see links. Click Here To Register...]

3)

Ah, that's a bit better. Repeat this a few times, once you have whittled it down to a few, usually falling from the sky will show which address is the one you need (it will turn 1, while the last few you have left wont change). Now we will see what accesses this address:

[Only registered and activated users can see links. Click Here To Register...]

4)

double click it and see what the value for the pointer is according to CheatEngine:

[Only registered and activated users can see links. Click Here To Register...]

5)

Search for this value:

[Only registered and activated users can see links. Click Here To Register...]

6)

One by one, try out each of the resulting address:

[Only registered and activated users can see links. Click Here To Register...]

7)

and see what accesses the resulting pointers, if something like this shows up, you've got the actionstruct offset:

[Only registered and activated users can see links. Click Here To Register...]

0xDD4 it is :)

NameOffset:

Well, we know what the name of our character is, it is stored as unicode so:

1)

Search for Text Value, don't forget to check UniCode:

[Only registered and activated users can see links. Click Here To Register...]

2)

now for each of these check what accesses the address until you get something as follows:

[Only registered and activated users can see links. Click Here To Register...]

3)

Double click and take note of the address:

[Only registered and activated users can see links. Click Here To Register...]

4)

Search for this value:

[Only registered and activated users can see links. Click Here To Register...]

5)

Make a pointer to that address with offset 0:

[Only registered and activated users can see links. Click Here To Register...]

6)

find out what accesses this pointer:

[Only registered and activated users can see links. Click Here To Register...]

And there we have our offset.

I believe the other few are so common they'll be around somewhere :P

09/09/2010 17:34 Interest07#4

Added quite some detailed instructions on how to obtain the offsets, I wasn't quite sure which ones can be gotten by using noobs offset retriever, so just threw on most of them.

And the source code... be gentle, I hacked this thing together and it looks like crap, with some redundant bits of code in there too. I only made it cos I wanted to see if I could, but figured might as well have someone benefitting from it:

Spoiler

Code:

#Include C:\Documents and Settings\Administrator\My Documents\AutoHotkey\Lib\PWlib.ahk
#Persistent
#SingleInstance
DetectHiddenWindows, On
SetKeyDelay,,50

;Offsets & Addresses


IniRead, realBaseAddress		, WQing.ini, offsets,realBaseAddress						
IniRead, baseOffset			, WQing.ini, offsets,baseOffset						
IniRead, playerOffSet			, WQing.ini, offsets,playerOffSet						
IniRead, playerNameOffset		, WQing.ini, offsets,playerNameOffset					
IniRead, nameLengthOffset		, WQing.ini, offsets,nameLengthOffset					
IniRead, playerTargetIdOffset		, WQing.ini, offsets,playerTargetIdOffset					
IniRead, playerActionStructOffset	, WQing.ini, offsets,playerActionStructOffset				
IniRead, playerCounterOffset		, WQing.ini, offsets,playerCounterOffset					
IniRead, playerIntervalOffset		, WQing.ini, offsets,playerIntervalOffset					
IniRead, playerFlyMountOffset		, WQing.ini, offsets,playerFlyMountOffset					
IniRead, playerFlySpdOffset		, WQing.ini, offsets,playerFlySpdOffset					
IniRead, playerTransportModeOffset	, WQing.ini, offsets,playerTransportModeOffset				
IniRead, playerXposOffset		, WQing.ini, offsets,playerXposOffset					
IniRead, playerYposOffset		, WQing.ini, offsets,playerYposOffset					
IniRead, playerZposOffset		, WQing.ini, offsets,playerZposOffset					
IniRead, SendPacketAddress		, WQing.ini, offsets,SendPacketAddress					
IniRead, questFunctionAddress		, WQing.ini, offsets,questFunctionAddress					
IniRead, questFunctionOffset		, WQing.ini, offsets,questFunctionOffset					




npcId8348	:=	2148549543
npcId8349	:=	2148550935
npcId8350	:=	2148534247
npcId8351	:=	2148554076
npcId8352	:=	2148551836
npcId8353	:=	2148553067
npcId8354	:=	2148552508
npcId8355	:=	2148549629
npcId8356	:=	2148545508
npcId8357	:=	2148539187
npcId8358	:=	2148535618
npcId8359	:=	2148543511
npcId8360	:=	2148542384
npcId8361	:=	2148536961
npcId8362	:=	2148550184
npcId8363	:=	2148547070
npcId8364	:=	2148550666
npcId8365	:=	2148555818
npcId8366	:=	2148559593
npcId8367	:=	2148560356
npcId8368	:=	2148560368
npcId8369	:=	2148559655
npcId8370	:=	2148559654
npcId8371	:=	2148556102
npcId8372	:=	2148557068
npcId8373	:=	2148553095
npcId8374	:=	2148553080
npcId8375	:=	2148549823
npcId8376	:=	2148549821
npcId8377	:=	2148535683
npcId8378	:=	2148549789
npcId8379	:=	2148549789
npcId8380	:=	2148549789
npcId8381	:=	2148549789
npcId8382	:=	2148549789
npcId8383	:=	2148549789
npcId8384	:=	2148549789
npcId8385	:=	2148549789
npcId8386	:=	2148549789
npcId8387	:=	2148549789
npcId8388	:=	2148549789
npcId8389	:=	2148549789
npcId8390	:=	2148549789
npcId8391	:=	2148549789
npcId8392	:=	2148549789
npcId8393	:=	2148549789
npcId8394	:=	2148549789
npcId8395	:=	2148549789
npcId8396	:=	2148549241
npcId8397	:=	2148549789
npcId8398	:=	2148549685

xCoord8348	:=	1150922672
xCoord8349	:=	3302385319
xCoord8350	:=	1148557837
xCoord8351	:=	3303292969
xCoord8352	:=	1142127397
xCoord8353	:=	1156113401
xCoord8354	:=	1156110694
xCoord8355	:=	1155705131
xCoord8356	:=	1158297134
xCoord8357	:=	1159710894
xCoord8358	:=	1160108504
xCoord8359	:=	1134178481
xCoord8360	:=	3285809922
xCoord8361	:=	3290771596
xCoord8362	:=	3308040683
xCoord8363	:=	3307254531
xCoord8364	:=	3297816607
xCoord8365	:=	1135247292
xCoord8366	:=	1143076818
xCoord8367	:=	1160136679
xCoord8368	:=	1160190578
xCoord8369	:=	1152945684
xCoord8370	:=	1153034387
xCoord8371	:=	1152265176
xCoord8372	:=	1159054997
xCoord8373	:=	1159086744
xCoord8374	:=	1159662514
xCoord8375	:=	1160067557
xCoord8376	:=	1159191720
xCoord8377	:=	3305664239
xCoord8378	:=	1151616945
xCoord8379	:=	1151616945
xCoord8380	:=	1151616945
xCoord8381	:=	1151616945
xCoord8382	:=	1151616945
xCoord8383	:=	1151616945
xCoord8384	:=	1151616945
xCoord8385	:=	1151616945
xCoord8386	:=	1151616945
xCoord8387	:=	1151616945
xCoord8388	:=	1151616945
xCoord8389	:=	1151616945
xCoord8390	:=	1151616945
xCoord8391	:=	1151616945
xCoord8392	:=	1151616945
xCoord8393	:=	1151616945
xCoord8394	:=	1151616945
xCoord8395	:=	1151616945
xCoord8396	:=	1154882031
xCoord8397	:=	1151616945
xCoord8398	:=	1151749044

yCoord8348	:=	1130077739
yCoord8349	:=	1130079036
yCoord8350	:=	1130021976
yCoord8351	:=	1141044657
yCoord8352	:=	1130042464
yCoord8353	:=	1131590663
yCoord8354	:=	1131336105
yCoord8355	:=	1130076569
yCoord8356	:=	1130234513
yCoord8357	:=	1130031613
yCoord8358	:=	1132208056
yCoord8359	:=	1130168939
yCoord8360	:=	1134634916
yCoord8361	:=	1130096160
yCoord8362	:=	1141030586
yCoord8363	:=	1140993714
yCoord8364	:=	1141067583
yCoord8365	:=	1130090536
yCoord8366	:=	1132295168
yCoord8367	:=	1130628796
yCoord8368	:=	1130627738
yCoord8369	:=	1130689735
yCoord8370	:=	1130518019
yCoord8371	:=	1130027594
yCoord8372	:=	1130154748
yCoord8373	:=	1130073206
yCoord8374	:=	1130614368
yCoord8375	:=	1130092715
yCoord8376	:=	1130117314
yCoord8377	:=	1130496656
yCoord8378	:=	1130077739
yCoord8379	:=	1130077739
yCoord8380	:=	1130077739
yCoord8381	:=	1130077739
yCoord8382	:=	1130077739
yCoord8383	:=	1130077739
yCoord8384	:=	1130077739
yCoord8385	:=	1130077739
yCoord8386	:=	1130077739
yCoord8387	:=	1130077739
yCoord8388	:=	1130077739
yCoord8389	:=	1130077739
yCoord8390	:=	1130077739
yCoord8391	:=	1130077739
yCoord8392	:=	1130077739
yCoord8393	:=	1130077739
yCoord8394	:=	1130077739
yCoord8395	:=	1130077739
yCoord8396	:=	1130136969
yCoord8397	:=	1130077739
yCoord8398	:=	1130077739

zCoord8348	:=	1148590119
zCoord8349	:=	1115520494
zCoord8350	:=	1166235043
zCoord8351	:=	3298807030
zCoord8352	:=	1138268421
zCoord8353	:=	1125415571
zCoord8354	:=	1126821456
zCoord8355	:=	1151963447
zCoord8356	:=	1155092500
zCoord8357	:=	1161783713
zCoord8358	:=	1166197254
zCoord8359	:=	1156163994
zCoord8360	:=	1158984367
zCoord8361	:=	1160585847
zCoord8362	:=	1137289047
zCoord8363	:=	1147499808
zCoord8364	:=	1126624420
zCoord8365	:=	3294985570
zCoord8366	:=	3305352074
zCoord8367	:=	3303123588
zCoord8368	:=	3302758014
zCoord8369	:=	3302842554
zCoord8370	:=	3302573762
zCoord8371	:=	3299372414
zCoord8372	:=	3292082340
zCoord8373	:=	1125247490
zCoord8374	:=	1058505046
zCoord8375	:=	1142385946
zCoord8376	:=	1143040737
zCoord8377	:=	1162223519
zCoord8378	:=	1147533066
zCoord8379	:=	1147533066
zCoord8380	:=	1147533066
zCoord8381	:=	1147533066
zCoord8382	:=	1147533066
zCoord8383	:=	1147533066
zCoord8384	:=	1147533066
zCoord8385	:=	1147533066
zCoord8386	:=	1147533066
zCoord8387	:=	1147533066
zCoord8388	:=	1147533066
zCoord8389	:=	1147533066
zCoord8390	:=	1147533066
zCoord8391	:=	1147533066
zCoord8392	:=	1147533066
zCoord8393	:=	1147533066
zCoord8394	:=	1147533066
zCoord8395	:=	1147533066
zCoord8396	:=	1148540945
zCoord8397	:=	1147533066
zCoord8398	:=	1148064643

;List Variables

ActiveList =
InActiveList =
ActiveNitems := 0
InActiveNitems := 0

createGui()
SetTimer, mainloop, 500
return


GuiClose:
ExitApp

showStats:
Gui Submit, nohide
selectedPlayer := Active
StringSplit, statusParam, PWstatus%selectedPlayer%, `,
questInfo := getQuestInfo(nextQuest%selectedPlayer%)
currentStatus := statusParam1 . " [" . questInfo . "]"
GuiControl,, StatusText, %currentStatus%
return

Button>>:
gui submit, nohide
item = %InActive%
if(item <> "")
{
	removeItem("inactive", item)
	addItem("active", item)
	PWstatus%item% := "Idle"
}
return

Button<<:
gui submit, nohide
item = %Active%
if(item <> "")
{
	removeItem("active", item)
	addItem("inactive", item)
	PWstatus%item% := "Idle"
}
return

addItem(listBox, item)
{
	%listBox%List := %listBox%List . "|" . item
	Sort, %listBox%List, U D|
	if errorlevel = 0
		%listBox%Nitems := %listBox%Nitems + 1
	theList := %listBox%List
	GuiControl,, %listBox%, %theList%
	
}

removeItem(listBox, item)
{
	StringReplace, theList, %listBox%List, |%item%
	%listBox%List := theList
	GuiControl,, %listBox%, %theList%
	%listBox%Nitems := %listBox%Nitems - 1
	if(%listBox%Nitems < 1)
	{
		createGui()

	}
}

createGui()
{
	global

	Gui, Destroy
	Gui, Add, ListBox, vInActive x16 y44 w100 h147 %ActiveList%
	Gui, Add, Button, x126 y84 w50 h30 , >>
	Gui, Add, Button, x126 y124 w50 h30 , <<
	Gui, Add, ListBox, vActive gShowStats x186 y44 w110 h147 %InActiveList%
	Gui, Add, Text, x16 y14 w100 h20 , Inactive
	Gui, Add, Text, x186 y14 w110 h20 , Doing WQ
	Gui, Add, Text, vStatusText x316 y44 w130 h150 , Stats
	Gui, Show, x131 y91 h215 w464, Auto WQ
}


mainLoop:

;Get all clients with a char logged in


WinGet, winList ,List
PWlist =
nPWs = 0
loop %winList%
{

	windId := winList%A_Index%

	WinGet, processName ,processName , ahk_id %windId%
	if(processName = "elementclient.exe")
	{
		Winget, pId, PID, ahk_id %windId%
		
		theId = ahk_pid %pid%
		playerName := getPlayerName(theId)
		if(playerName <> "")
		{
			nPWs := nPWs + 1
			PWlist%nPWs% = %playerName%
			PWidList%playerName% = %theId%
		}
	}
}



;Add any newly logged chars to the InActive list

addNewPlayers()

removeNonPresentPlayers()

StringSplit, activeArray, ActiveList, |

loop %activeArray0%
{
	if(A_index > 1)
	{
		index := A_index
		playerName := activeArray%index%
		updateStatus(playerName)
		Gui Submit, nohide
		selectedPlayer := Active
		StringSplit, statusParam, PWstatus%selectedPlayer%, `,

		questInfo := getQuestInfo(nextQuest%selectedPlayer%)
		currentStatus := statusParam1 . " [" . questInfo . "]"
		GuiControl,, StatusText, %currentStatus%
	}
}


return

getQuestInfo(questId)
{

	returnValue := ""
	if(questId = 8348)
	{
	returnValue = Volume 1
	}
	else if(questId = 8349)
	{
	returnValue = Volume 2	
	}
	else if(questId = 8350)
	{
	returnValue = Volume 3	
	}
	else if(questId = 8351)
	{
	returnValue = Volume 4	
	}
	else if(questId = 8352)
	{
	returnValue = Volume 5	
	}
	else if(questId = 8353)
	{
	returnValue = Volume 6	
	}
	else if(questId = 8354)
	{
	returnValue = Volume 7	
	}
	else if(questId = 8355)
	{
	returnValue = Volume 8	
	}
	else if(questId = 8356)
	{
	returnValue = Volume 9	
	}
	else if(questId = 8357)
	{
	returnValue = Volume 10	
	}
	else if(questId = 8358)
	{
	returnValue = Volume 11	
	}
	else if(questId = 8359)
	{
	returnValue = Volume 12	
	}
	else if(questId = 8360)
	{
	returnValue = Volume 13	
	}
	else if(questId = 8361)
	{
	returnValue = Volume 14	
	}
	else if(questId = 8362)
	{
	returnValue = Volume 15	
	}
	else if(questId = 8363)
	{
	returnValue = Volume 16	
	}
	else if(questId = 8364)
	{
	returnValue = Volume 17	
	}
	else if(questId = 8365)
	{
	returnValue = Volume 18	
	}
	else if(questId = 8366)
	{
	returnValue = Volume 19	
	}
	else if(questId = 8367)
	{
	returnValue = Volume 20	
	}
	else if(questId = 8368)
	{
	returnValue = Volume 21	
	}
	else if(questId = 8369)
	{
	returnValue = Volume 22	
	}
	else if(questId = 8370)
	{
	returnValue = Volume 23	
	}
	else if(questId = 8371)
	{
	returnValue = Volume 24	
	}
	else if(questId = 8372)
	{
	returnValue = Volume 25	
	}
	else if(questId = 8373)
	{
	returnValue = Volume 26	
	}
	else if(questId = 8374)
	{
	returnValue = Volume 27	
	}
	else if(questId = 8375)
	{
	returnValue = Volume 28	
	}
	else if(questId = 8376)
	{
	returnValue = Volume 29	
	}
	else if(questId = 8377)
	{
	returnValue = Volume 30	
	}
	else if(questId = 8378)
	{
	returnValue = No Bonus	
	}
	else if(questId = 8379)
	{
	returnValue = Exp Bonus	
	}
	else if(questId = 8380)
	{
	returnValue = SP Bonus	
	}
	else if(questId = 8381)
	{
	returnValue = Reputation	
	}
	else if(questId = 8382)
	{
	returnValue = Gold Bonus	
	}
	else if(questId = 8383)
	{
	returnValue = Mirage	
	}
	else if(questId = 8384)
	{
	returnValue = No Bonus	
	}
	else if(questId = 8385)
	{
	returnValue = Exp Bonus	
	}
	else if(questId = 8386)
	{
	returnValue = SP Bonus	
	}
	else if(questId = 8387)
	{
	returnValue = Reputation	
	}
	else if(questId = 8388)
	{
	returnValue = Gold Bonus	
	}
	else if(questId = 8389)
	{
	returnValue = Mirage	
	}
	else if(questId = 8390)
	{
	returnValue = No Bonus	
	}
	else if(questId = 8391)
	{
	returnValue = Exp Bonus	
	}
	else if(questId = 8392)
	{
	returnValue = SP Bonus	
	}
	else if(questId = 8393)
	{
	returnValue = Reputation	
	}
	else if(questId = 8394)
	{
	returnValue = Gold Bonus	
	}
	else if(questId = 8395)
	{
	returnValue = Mirage	
	}
	else if(questId = 8396)
	{
	returnValue = Elder
	}
	else if(questId = 8397)
	{
	returnValue = Armerigo
	}
	else if(questId = 8398)
	{
	returnValue = Penney
	}
	return returnValue
}
	


getPlayerName(theId)
{
	global
	
	local baseAddress := ReadMemory(realBaseAddress, theId)
	local structurePointer := ReadMemory(baseAddress + baseOffset, theId)
	local playerPointer := ReadMemory(structurePointer + playerOffset, theId)
	local playerNamePointer := ReadMemory(playerPointer + playerNameOffset, theId)
	
	local playerNameLength := ReadMemory(playerNamePointer + nameLengthOffset, theId)
	
	local playerName := ""
	local tempOffset := 0xFFFFFFFD

	loop %playerNameLength%
	{
		tempOffset := tempOffset + 0x2
		local character := ReadMemory(playerNamePointer + tempOffset,theId, 2)

		SetFormat, IntegerFast, hex
		character += 0  
		character .= ""  
		SetFormat, IntegerFast, d

		playerName := playerName Hex2txt(character)
	}
	
	return playerName
}

getNextQuest(theId)
{
	global
	
	returnValue := 0
	questId := 8348
	loop 51
	{	
		value := checkQuestPresent(questId, theId)	
		if(value = 0)
		{
			returnValue := questId
			break
		}
		questId := questId + 1
	}
	return returnValue
}

npcIsClose(questId, theId)
{

	global
	
	local baseAddress := ReadMemory(realBaseAddress, theId)
	local structurePointer := ReadMemory(baseAddress + baseOffset, theId)
	local playerPointer := ReadMemory(structurePointer + playerOffset, theId)
	
	SetFormat, IntegerFast, hex
	
	local xCoord := ReadMemory(playerPointer + playerXposOffset, theId)
	local yCoord := ReadMemory(playerPointer + playerYposOffset, theId)
	local zCoord := ReadMemory(playerPointer + playerZposOffset, theId)
	
	local npcX := xCoord%questId%
	local npcY := yCoord%questId%
	local npcZ := zCoord%questId%

	SetFormat, IntegerFast, d
	
	local dX := hextofloat(xcoord) - hextofloat(npcx)
	local dY := hextofloat(ycoord) - hextofloat(npcy)
	local dZ := hextofloat(zcoord) - hextofloat(npcz)
	
	distance := sqrt(dX * dX + dY * dY + dZ * dZ)
	
	if(distance < 5)
	{
		return 1
	}
	else
	{
		return 0
	}

}

handleNpc(questId, theId)
{
	global
	
	SetFormat, IntegerFast, hex
	
	;select NPC
	
	npcId := npcId%questId%
	revHex(revNpcId, npcId)
	packet := ""
	packet = %packet%0200%revNpcId%
	packetSize := 0x6
	packetSizeStr := "06"
	sendPacket(packet, packetSizeStr, packetsize, theId)

	local baseAddress := ReadMemory(realBaseAddress, theId)
	local structurePointer := ReadMemory(baseAddress + baseOffset, theId)
	local playerPointer := ReadMemory(structurePointer + playerOffset, theId)

	
	loop
	{
		local targetId := ReadMemory(playerPointer + playerTargetIdOffset, theId)
		if(targetId = npcId)
		{
			break
		}
		sleep 100
	}
	
	;start interaction
	
	packet := ""
	packet = %packet%2300%revNpcId%
	packetSize := 0x6
	packetSizeStr := "06"
	sendPacket(packet, packetSizeStr, packetsize, theId)
	
	sleep 100
	
	;hand in quest
	
	revHex(revQuestId, questId)
	packet := ""
	packet = %packet%25000700000004000000%revQuestId%
	packetSize := 0xE
	packetSizeStr := "0E"
	sendPacket(packet, packetSizeStr, packetsize, theId)
	
	sleep 3000
	
}

getMoveMethod(questId, theId)
{
	global
	
	local x := xCoord%questId%
	local y := yCoord%questId%
	local z := zCoord%questId%
	local baseAddress := ReadMemory(realBaseAddress, theId)
	local structurePointer := ReadMemory(baseAddress + baseOffset, theId)
	local playerPointer := ReadMemory(structurePointer + playerOffset, theId)
	
	SetFormat, IntegerFast, hex
	
	local xCoord := ReadMemory(playerPointer + playerXposOffset, theId)
	local yCoord := ReadMemory(playerPointer + playerYposOffset, theId)
	local zCoord := ReadMemory(playerPointer + playerZposOffset, theId)
	

	SetFormat, IntegerFast, d
	
	local dX := hextofloat(xcoord) - hextofloat(x)
	local dY := hextofloat(ycoord) - hextofloat(y)
	local dZ := hextofloat(zcoord) - hextofloat(z)
	
	distance := sqrt(dX * dX + dZ * dZ)
	
	if(distance < 5)
	{
		returnValue = Falling
	}
	else
	{
		local height := 77.0

		local nTimesUp := 20

		returnValue = FlyUp@%nTimesUp%@SetFlyTo@%x%@%y%@%z%@%height%@Flying@Falling
	}	
	
	return returnValue

	


}


flymodeActive(theId)
{
	global

	local baseAddress := ReadMemory(realBaseAddress, theId)
	local structurePointer := ReadMemory(baseAddress + baseOffset, theId)
	local playerPointer := ReadMemory(structurePointer + playerOffset, theId)
	local transportMode := ReadMemory(playerPointer + playerTransportModeOffset, theId)
	
	if(transportMode = 2)
	{
		return 1
	}
	else
	{
		return 0
	}
}


toggleFlying(theId)
{
	global
	local baseAddress := ReadMemory(realBaseAddress, theId)
	local structurePointer := ReadMemory(baseAddress + baseOffset, theId)
	local playerPointer := ReadMemory(structurePointer + playerOffset, theId)
	local flyMountId := ReadMemory(playerPointer + playerFlyMountOffset, theId)
	
	revHex(revFlyMountId, flyMountId)
	packet := ""
	packet = 280001010C00%revFlyMountId%
	packetSize := 0xA
	packetSizeStr := "0A"
	sendPacket(packet, packetSizeStr, packetsize, theId)
	sleep 2000
}





setFlyTo(theId, xCoord, yCoord, zCoord, height)
{
	global
	local baseAddress := ReadMemory(realBaseAddress, theId)
	local structurePointer := ReadMemory(baseAddress + baseOffset, theId)
	local playerPointer := ReadMemory(structurePointer + playerOffset, theId)
	local actionStruct := ReadMemory(playerPointer + playerActionStructOffset, theId)

	MoveTo(Xcoord, Ycoord, Zcoord, 0, theId, actionStruct, height)
}


getCurrentCoords(theId)
{
	global
	local baseAddress := ReadMemory(realBaseAddress, theId)
	local structurePointer := ReadMemory(baseAddress + baseOffset, theId)
	local playerPointer := ReadMemory(structurePointer + playerOffset, theId)
		
	local xCoord := ReadMemory(playerPointer + playerXposOffset, theId)
	local yCoord := ReadMemory(playerPointer + playerYposOffset, theId)
	local zCoord := ReadMemory(playerPointer + playerZposOffset, theId)

	returnValue = %xCoord%@%yCoord%@%zCoord%
	
	return returnValue

}

isIdle(theId)
{
	global
	local baseAddress := ReadMemory(realBaseAddress, theId)
	local structurePointer := ReadMemory(baseAddress + baseOffset, theId)
	local playerPointer := ReadMemory(structurePointer + playerOffset, theId)
	local actionStruct := ReadMemory(playerPointer + playerActionStructOffset, theId)
	local moving := ReadMemory(actionstruct+0x18,theId)

	if(moving = 0)
	{
		return 1
	}
	else
	{
		return 0
	}
	



}



updateStatus(name)
{
	global
	nextQuest := nextQuest%Name%
	clientId := PWidList%Name%
	StringSplit, statusParam, PWstatus%Name%, `,
	currentStatus := statusParam1
	if(currentStatus = "Idle")
	{
		nextQuest := getNextQuest(clientId)
		nextQuest%Name% := nextQuest
		if(nextQuest = 0)
		{
			;Stay Idle
		}
		else ;There is a new quest
		{
			if(NpcIsClose(questId, clientId) = 1)
			{
				handleNpc(questId, clientId)
				;Idle again
			}
			else	;You have to move to the Npc
			{
				moveMethod := getMoveMethod(questId, clientId)
				PWstatus%Name% = Moving,%moveMethod%
			}
		}
	}
	else if(currentStatus = "Moving")
	{
		
		moveMethod := statusParam2
		stringsplit, moving, moveMethod, @
		if(moving1 = "FlyUp")
		{
			if(flyModeActive(clientId) = 1)
			{
				flyUp(clientId, moving2)
				
				;remove this parameter
				nParams := moving0 - 2
				newMoveMethod := ""
				loop %nParams%
				{
					paramIndex := A_Index + 2
					newMoveMethod := newMoveMethod . moving%paramIndex%
					if(A_Index < nParams)
					{
						newMoveMethod := newMoveMethod . "@"
					}
				}
				PWstatus%Name% = Moving,%newMoveMethod%
			}
			else
			{
				toggleFlying(clientId)
			}
		}
		else if(moving1 = "SetFlyTo")
		{
			setFlyTo(clientId, moving2, moving3, moving4, moving5)
			currentCoords := getCurrentCoords(clientId)
			
			;remove this parameter
			nParams := moving0 - 5
			newMoveMethod := ""
			loop %nParams%
			{
				paramIndex := A_Index + 5
				newMoveMethod := newMoveMethod . moving%paramIndex%
				if(A_Index < nParams)
				{
					newMoveMethod := newMoveMethod . "@"
				}
			}
			PWstatus%Name% = Moving,%newMoveMethod%,%currentCoords%
		}
		else if(moving1 = "Flying")
		{
			currentCoords := getCurrentCoords(clientId)

			if (isIdle(clientId) = 1)
			{	

				;Done Flying
				
				;remove this parameter
				nParams := moving0 - 1
				newMoveMethod := ""
				loop %nParams%
				{
					paramIndex := A_Index + 1
					newMoveMethod := newMoveMethod . moving%paramIndex%
					if(A_Index < nParams)
					{
						newMoveMethod := newMoveMethod . "@"
					}
				}
				MoveMethod := newMoveMethod

			}

			PWstatus%Name% = Moving,%MoveMethod%,%currentCoords%

		}
		else if(moving1 = "Falling")
		{
			
			if(flymodeActive(clientId) = 1)
			{
				toggleFlying(clientId)
			}
			else
			{
			
				currentCoords := getCurrentCoords(clientId)
				if (isIdle(clientId) = 1)
				{
					;Stopped Falling

					;remove this parameter
					nParams := moving0 - 1
					newMoveMethod := ""
					loop %nParams%
					{
						paramIndex := A_Index + 1
						newMoveMethod := newMoveMethod . moving%paramIndex%
						if(A_Index < nParams)
						{
							newMoveMethod := newMoveMethod . "@"
						}
					}
					PWstatus%Name% = Idle
				}
				else
				{
					if(flymodeActive(clientId) = 1)
					{
						toggleFlying(clientId)
					}
					PWstatus%Name% = Moving,%MoveMethod%,%currentCoords%
				}
			}
		}				
		
	}
}


addNewPlayers()
{
	global
	
	loop %nPWs%
	{
		playerName := PWlist%A_Index%
		if(playerNameInLists(playerName) = 0)
		{
			addItem("inactive", playerName)
			PWstatus%playerName% := "Idle"
		}
	}
}

removeNonPresentPlayers()
{
	global
	
	StringSplit, activeArray, ActiveList, |
	
	loop %ActiveNitems%
	{
		index := A_Index + 1
		playerInList := activeArray%index%
		playerPresent := 0
		loop %nPWs%
		{
			playerName := PWlist%A_Index%
			if(playerInList = playerName)
			{
				playerPresent = 1
				break
			}
		}
		if (playerPresent = 0)
		{
			removeItem("active", playerInList)
		}
	}
	StringSplit, inactiveArray, inActiveList, |
	
	loop %InActiveNitems%
	{
		index := A_Index + 1
		playerInList := inactiveArray%index%
		playerPresent := 0
		loop %nPWs%
		{
			playerName := PWlist%A_Index%
			if(playerInList = playerName)
			{
				playerPresent = 1
				break
			}
		}
		if (playerPresent = 0)
		{
			removeItem("inactive", playerInList)
		}
	}
	

}


playerNameInLists(playerName)
{

	global

	StringSplit, activeArray, ActiveList, |
	playerPresent := 0
	loop %ActiveNitems%
	{
		index := A_Index + 1
		playerInList := activeArray%index%
		if(playerInList = playerName)
		{
			playerPresent := 1
			break
		}
	}
	if(playerPresent = 0)
	{
		StringSplit, inactiveArray, inActiveList, |

		loop %InActiveNitems%
		{
			index := A_Index + 1
			playerInList := inactiveArray%index%

			if(playerInList = playerName)
			{
				playerPresent := 1
				break
			}
		}
	}

	return playerPresent
}


checkQuestPresent(questId, client)
{
	global

	;Get the process Id from the given client title
	winget, pid, PID, %client%

	;Get the process handle from the given client title
	ProcessHandle 	:= 	DllCall("OpenProcess", "int", 2035711, "char", 1, "UInt", PID, "UInt")
	
	functionSize := 100
	
	;Allocate memory to store the packet to be sent, and the method to call the send packet function
	returnAddress 	:=   	DllCall("VirtualAllocEx", "Uint", ProcessHandle, "Uint", 0, "Uint", 0x4, "Uint", 0x1000, "Uint", 0x40)
	functionAddress :=   	DllCall("VirtualAllocEx", "Uint", ProcessHandle, "Uint", 0, "Uint", functionSize, "Uint", 0x1000, "Uint", 0x40)


	revHex(revReturnAddress, returnAddress)	
	revHex(revQuestId, questId)
	revHex(revQuestFunctionAddress, questFunctionAddress)
	revHex(revBaseAddress, realBaseAddress)
	revHex(revQuestFunctionOffset, questFunctionOffset)
	
	;60 			PUSHAD
	;B8 80 45 66 00 	MOV     EAX, 00664580
	;8B 0D 7C 65 98 00 	MOV     ECX, DWORD PTR [98657C]
	;8B 49 1C 		MOV     ECX, DWORD PTR [ECX+1C]
	;8B 49 20 		MOV     ECX, DWORD PTR [ECX+20]
	;8B 89 DC 0D 		MOV     ECX, DWORD PTR [ECX+DDC]
	;68 DD 06 		PUSH    6DD
	;FF D0 			CALL    NEAR EAX
	;A3 32 54 76 98 	MOV     DWORD PTR [98765432], EAX
	;61 			POPAD
	;C3			RET



	func =					
	func = %func%60					;PUSHAD
	func = %func%B8%revQuestFunctionAddress%	;MOV     EAX, questFunction
	func = %func%8B0D%revBaseAddress%		;MOV     ECX, DWORD PTR [baseAddress]
	func = %func%8B491C				;MOV     ECX, DWORD PTR [ECX+1C]
	func = %func%8B4920				;MOV     ECX, DWORD PTR [ECX+20]
	func = %func%8B89%revQuestFunctionOffset%	;MOV     ECX, DWORD PTR [ECX+questFuncOffset]
	func = %func%68%revQuestId%			;PUSH    questId
	func = %func%FFD0				;CALL    NEAR EAX
	func = %func%A3%revReturnAddress%		;MOV     DWORD PTR [returnAddress], EAX
	func = %func%61					;POPAD
	func = %func%C3					;RET


	MCode(checkQuestFunction, func)
	
	
	DllCall("WriteProcessMemory", "UInt", ProcessHandle, "UInt", functionAddress, "Uint", &checkQuestFunction, "Uint", functionSize, "Uint *", 0)
	
	
	
	
	SetFormat, IntegerFast, d
	
	hThrd := DllCall("CreateRemoteThread", "Uint", ProcessHandle, "Uint", 0, "Uint", 0, "Uint", functionAddress, "Uint", 0, "Uint", 0, "Uint", 0)
	loop
	{
		result := DllCall( "WaitForSingleObject", UInt,hThrd, UInt,50 ) 
		if(result <> 258)
		{
			break
		}
		sleep 50
		if(A_Index > 100)
		{
			break
		}
	}
	
	
	DllCall( "CloseHandle", UInt,hThrd )
	
	DllCall("VirtualFreeEx", "Uint", ProcessHandle, "Uint", functionAddress, "Uint", 0, "Uint", 0x8000)
	
	DllCall( "CloseHandle", UInt,ProcessHandle ) 
	
	returnValue := readMemory(returnAddress, client)
	
	return returnValue
	
}


sendPacket(packet, packetSizeStr, packetsize, client)
{
	global

	MCode(processedPacket, packet)
	
	;Get the process Id from the given client title
	winget, pid, PID, %client%

	;Get the process handle from the given client title
	ProcessHandle 	:= 	DllCall("OpenProcess", "int", 2035711, "char", 1, "UInt", PID, "UInt")
	
	;Allocate memory to store the packet to be sent, and the method to call the send packet function
	packetAddress 	:=   	DllCall("VirtualAllocEx", "Uint", ProcessHandle, "Uint", 0, "Uint", packetSize, "Uint", 0x1000, "Uint", 0x40)
	functionAddress :=   	DllCall("VirtualAllocEx", "Uint", ProcessHandle, "Uint", 0, "Uint", 0x1B, "Uint", 0x1000, "Uint", 0x40)
	
	revHex(packetAddressRev, packetAddress)
	revHex(revSendPacketAddress, SendPacketAddress)
	revHex(revBaseAddress, realBaseAddress)


	func =
	func = %func%60				;PUSHAD
	func = %func%B8%revSendPacketAddress%	;MOV	 EAX, sendPacketAddress
	func = %func%8B0D%revBaseAddress%	;MOV     ECX, DWORD PTR [revBaseAddress]
	func = %func%8B4920			;MOV     ECX, DWORD PTR [ECX+20]
	func = %func%BF%packetAddressRev%	;MOV     EDI, packetAddress	//src pointer
	func = %func%6A%packetSizeStr%		;PUSH    packetSize		//size
	func = %func%57				;PUSH    EDI
	func = %func%FFD0			;CALL    EAX
	func = %func%61				;POPAD
	func = %func%C3				;RET	
	MCode(sendFunction, func)

	
	DllCall("WriteProcessMemory", "UInt", ProcessHandle, "UInt", packetAddress, "Uint", &processedPacket, "Uint", packetSize, "Uint *", 0)
	DllCall("WriteProcessMemory", "UInt", ProcessHandle, "UInt", functionAddress, "Uint", &sendFunction, "Uint", 0x1B, "Uint *", 0)

	hThrd := DllCall("CreateRemoteThread", "Uint", ProcessHandle, "Uint", 0, "Uint", 0, "Uint", functionAddress, "Uint", 0, "Uint", 0, "Uint", 0)
	loop
	{
		result := DllCall( "WaitForSingleObject", UInt,hThrd, UInt,50 ) 
		if(result <> 258)
		{
			break
		}
		sleep 50
		if(A_Index > 100)
		{
			break
		}
	}
	
	DllCall( "CloseHandle", UInt,hThrd )
	
	DllCall("VirtualFreeEx", "Uint", ProcessHandle, "Uint", packetAddress, "Uint", 0, "Uint", 0x8000)
	DllCall("VirtualFreeEx", "Uint", ProcessHandle, "Uint", functionAddress, "Uint", 0, "Uint", 0x8000)
	
	DllCall( "CloseHandle", UInt,ProcessHandle ) 
}


MCode(ByRef code, hex) { ; allocate memory and write Machine Code there
   VarSetCapacity(code,StrLen(hex)//2)
   Loop % StrLen(hex)//2
      NumPut("0x" . SubStr(hex,2*A_Index-1,2), code, A_Index-1, "Char")
}

revHex(byref CodeRev, Code, requestedLength=8)
{
	;Return a reverse hex string of Code
	
	SetFormat, IntegerFast, hex
	Code += 0  
	Code .= ""  
	SetFormat, IntegerFast, d
	CodeRev =
	temp2 := substr(Code, 3)
	temp2 := "00000000" . temp2

	temp := strlen(temp2)-requestedLength + 1
	temp2 := substr(temp2, temp)

	i := requestedLength - 1
	looplength := requestedLength // 2
	loop %loopLength%
	{

		CodeRev := CodeRev . substr(temp2, i, 2)
		i := i - 2
	}
}



MoveTo(X, Y, Z, moveType, client, actionStruct, height=-1.0)
{
	actionList := ReadMemory(actionStruct+0x30,client)
	MoveAction := ReadMemory(actionList+0x4,client)

	writeMemory(0, MoveAction+0x8, client)				;Action finished = 0
	writeMemory(1, MoveAction+0x14, client)				;Action Start = 1	
	writeMemory(X, MoveAction + 0x20, client)
	writeMemory(Y, MoveAction + 0x24, client)
	writeMemory(Z, MoveAction + 0x28, client)
	writeMemory(FloatToHex(height), MoveAction + 0x68, client)
	if(height >= 0.0)
	{
		writeMemory(26625, MoveAction + 0x64, client)
		writeMemory(256, MoveAction + 0x6C, client) 
	}
	else 
	{
		writeMemory(26624, MoveAction + 0x64, client)
		writeMemory(65536, MoveAction + 0x6C, client) 
	}
	writeMemory(moveType, MoveAction + 0x2C, client)		;Not supported yet
	writeMemory(MoveAction, actionstruct+0xC, client)
	writeMemory(1, actionstruct+0x18, client)
	writeMemory(moveAction, actionstruct+0x14, client)
}



flyUp(client, times)
{

	global

	local loopn := times - 1
	local time := 0.5 ;s
	local baseAddress := ReadMemory(realBaseAddress,client) ;00986c00
	local pointer1 := ReadMemory(baseAddress+baseOffset,client) ;04c88408
	local player := ReadMemory(pointer1+playerOffset,client)
	
	SetFormat, IntegerFast, hex	
	
	local yCoord := readmemory(player+playerYposOffset, client, 4)
	local yCoordFloat := hextofloat(yCoord)

	if(yCoordFloat < 700)
	{

		loop %times%
		{
			sleep 500
			local packet := "0700"
			local counter := readmemory(player+playerCounterOffset, client, 2)
			local interval := readmemory(player+playerIntervalOffset, client, 2) ;0x01F4
			local xCoord := readmemory(player+playerXposOffset, client, 4)
			local zCoord := readmemory(player+playerZposOffset, client, 4)
			local speed := readmemory(player+playerFlySpdOffset, client, 4)
			local moveType := 0x61

			local speedFloat := hextofloat(speed)

			local yCoordFloat := yCoordFloat + speedFloat * time
			local sendSpeedFloat := speedFloat * 256 + 0.5
			local sendSpeedHex := floor(sendSpeedFloat)
			local sendYcoordHex := floattohex(yCoordFloat)
			revHex(value, xCoord)
			packet := packet . value
			revHex(value, sendYcoordHex)
			packet := packet . value
			revHex(value, zCoord)
			packet := packet . value
			revHex(value, sendSpeedHex, 4)
			packet := packet . value
			packet := packet . "00"		;direction
			revHex(value, moveType, 2)
			packet := packet . value
			revHex(value, counter, 4)
			packet := packet . value
			packet := packet . "F401"	;unknown value

			writeMemory(counter + 1,player+playerCounterOffset, client, 2)
			writeMemory(sendYcoordHex,player+playerYposOffset, client)
			sendPacket(packet, "16", 0x16, client)	

		}
		;Send an invalid packet so the server updates your location properly :P:P
		
		local packet := "0700"
		local counter := readmemory(player+playerCounterOffset, client, 2)
		local speedFloat := hextofloat(speed)

		local yCoordFloat := yCoordFloat + speedFloat * time
		local sendSpeedFloat := speedFloat * 256 + 0.5
		local sendSpeedHex := floor(sendSpeedFloat)
		local sendYcoordHex := floattohex(yCoordFloat)
		revHex(value, xCoord)
		packet := packet . value
		revHex(value, sendYcoordHex)
		packet := packet . value
		revHex(value, zCoord)
		packet := packet . value
		revHex(value, sendSpeedHex, 4)
		packet := packet . value
		packet := packet . "00"		;direction
		revHex(value, moveType, 2)
		packet := packet . value
		revHex(value, counter, 4)
		packet := packet . value
		packet := packet . "0000"	;unknown value

		writeMemory(counter + 1,player+playerCounterOffset, client, 2)
		writeMemory(sendYcoordHex,player+playerYposOffset, client)
		sendPacket(packet, "16", 0x16, client)	
		SetFormat, IntegerFast, d	

		sleep 2000
	}
}

09/09/2010 20:41 PW-Prophets#5

This looks amazeing!
Thank you!

09/10/2010 08:30 Interest07#6

TWo easy ways to determine where your function was called from (if you can't use the Xrefs, for example with dynamic functions), is setting a breakpoint at the very start of the function. [ESP] will then contain the address of the instruction the function will go to after it has finished, thus leading you to where the function was called from in the first place. Another way is to set the breakpoint and go step by step until you move out of the function, you will then end up in the same place as [ESP] contained.

I prefer the first method as it is a little less work, and if a function is called often from different locations you don't need to perform the step by step stuff a million times. Furthermore, with the first method you can print out [ESP + 4], [ESP + 8], etc for the parameters of the function while you're at it.

09/10/2010 18:00 AEBus#7

What the file "C:\Documents and Settings\Administrator\My Documents\AutoHotkey\Lib\PWlib.ahk"?
And... You source code... this is autohotkey script?

09/10/2010 22:02 AEBus#8

Dear Interest07, I tried to find the offset by IDA, but ....

Quote:

3)
Go to the top and check the Xrefs, it should be the first Xref shown

How check the Xrefs? I could not find a similar code...

Quote:
1)
search for:
Code:
(void *Src, size_t Size)
2)
You'll get 7 results (most likely), pick the third one:

[Only registered and activated users can see links. Click Here To Register...]
still go to the third value?

etc....

i'm noob for a IDA...

Could you find offsets that are using IDA Pro in my client? Offset, which are using CE, I found myself.
[Only registered and activated users can see links. Click Here To Register...] - this is PW Rus client, 1.4.2 build 2305

[Only registered and activated users can see links. Click Here To Register...]

09/11/2010 00:07 Interest07#9

Yeah, my source code is autohotkey script. The PWlib just contains some functions like memory read and possibly converting hex to floats etcetera:

Code:

ReadMemory(MADDRESS=0,PROGRAM="", size=4, retType="UInt*")
{
   Static OLDPROC, ProcessHandle
   VarSetCapacity(MVALUE,size,0)							;Make a variable MVALUE with a capacity of 4 bytes
   If PROGRAM != %OLDPROC%							;If the program is not previously opened
   {
      WinGet, pid, pid, % OLDPROC := PROGRAM					;Get the program's process id
      ProcessHandle := ( ProcessHandle ? 0*(closed:=DllCall("CloseHandle"	;
      ,"UInt",ProcessHandle)) : 0 )+(pid ? DllCall("OpenProcess"		;Make sure the program is open
      ,"Int",16,"Int",0,"UInt",pid) : 0)					;
   }
   If (ProcessHandle) && DllCall("ReadProcessMemory","UInt",ProcessHandle,"UInt",MADDRESS,retType,MVALUE,"UInt",size,"UInt *",0)
   	return MVALUE ;return *(&MVALUE+3)<<24 | *(&MVALUE+2)<<16 | *(&MVALUE+1)<<8 | *(&MVALUE)
   return !ProcessHandle ? "Handle Closed: " closed : "Fail"
}

WriteMemory(WVALUE,MADDRESS,PROGRAM, size=4)
{
	winget, pid, PID, %PROGRAM%

	ProcessHandle := DllCall("OpenProcess", "int", 2035711, "char", 0, "UInt", PID, "UInt")
	DllCall("WriteProcessMemory", "UInt", ProcessHandle, "UInt", MADDRESS, "Uint*", WVALUE, "Uint", size, "Uint *", 0)

	DllCall("CloseHandle", "int", ProcessHandle)
	return
}

HexToFloat(d) {
      Return (1-2*(d>>31)) * (2**((d>>23 & 255)-127)) * (1+(d & 8388607)/8388608) ; 2**23
}

FloatToHex(f) {
   form := A_FormatInteger
   SetFormat Integer, HEX
   v := DllCall("MulDiv", Float,f, Int,1, Int,1, UInt)
   SetFormat Integer, %form%
   Return v
}

In Ida you can name the functions you find (which I did), in your case they'll still all be called their default names, so yes pick the third one :)

For xrefs, go to ida options:

[Only registered and activated users can see links. Click Here To Register...]

change the number of xrefs displayed to 100 or 200 or so. When you're digging around the code a lot, it helps a lot to rename any variables and functions you figure out and add comments. I suppose I shouldve removed them for the screenies. I'll just look into your exe.

09/11/2010 00:37 Interest07#10

sendPacket function:
0x005D7C30

the offset to playercounter is 0x86C + 0x64 = 0x8D0
the offset to interval is 0x86C + 0x18 = 0x884

questFunction:
0x00687CF0

offset:
0xFE8

these are the values for the exe you provided. Also noticed two tiny mistakes in my xplanation on how to find these values :p edited them now, instead of first and second Xref, it should say 2nd and 3rd.

09/11/2010 17:15 AEBus#11

How to find
realBaseAddress
baseOffset
playerOffSet
nameLengthOffset
playerFlyMountOffset
playerXposOffset
playerYposOffset
playerZposOffset
?

09/11/2010 17:37 Interest07#12

nameLengthOffset is always the same
playerFlyMountOffset has been included in the explanation as FlyGearOffset

Assuming you're playing the russian version according to [Only registered and activated users can see links. Click Here To Register...] these are the values you are missing:

realBaseAddress = 0x009C0E6C
baseOffset = 0x1C
playerOffset = 0x20
playerXposOffset = 0x3C
playerYposOffset = 0x40
playerZposOffset = 0x44
playerFlyMountOffset = 0x560

If you think I should add how to find them I will though. Besides the baseAddress (and the flymount offset) they have never changed though

09/12/2010 17:18 AEBus#13

You wq bot don't work in a russian client :( I ordered all offset but the bot does not show any information about the player, nor available quests ... may be the fact that the client's name we do not Element Client a Perfect World?
[Only registered and activated users can see links. Click Here To Register...]

09/12/2010 17:53 Interest07#14

Hmmm, it does not find any character? or did you white out the name?

Where it says stats it will only write the current action (idle, moving[volume 1-30]) not the actual stats of your character. Can you give me a link to where I can download the entire russian pw?

Hmm I can't seem to register an account tehre for some reason

Ah I managed and downloading the client now.

I'll see what I can do to fix it tonight

could you post the offsets you are using here?

09/12/2010 18:37 AEBus#15

[Only registered and activated users can see links. Click Here To Register...]
[Only registered and activated users can see links. Click Here To Register...]
[Only registered and activated users can see links. Click Here To Register...]
[Only registered and activated users can see links. Click Here To Register...]
[Only registered and activated users can see links. Click Here To Register...]

or torrent

[Only registered and activated users can see links. Click Here To Register...]

I registered an account for you, all the data entered in a PM

Page 1 of 33

Last »