[CODE]Ingame Functions( POST YOUR FINDINGS HERE )

Discussion on [CODE]Ingame Functions( POST YOUR FINDINGS HERE ) within the Aura Kingdom forum part of the MMORPGs category.

Old 02/19/2014, 08:36   #61
AlainProvist
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 560
@ntKid : sent you a pm (in case you didn't notice it)

@TheStupidDog : offsets not/no more valid. Don't know if this is caused by the latest patch that occurred yesterday or the fact that I'm running the french client. Anyway I dug a little and as Oriya9 said there are a lot of things using the xyz coordinates. Was looking for something that could have been a matrix 4x4 or a vector 4 + quaternion but only found vector 3 or 4. It seems that they are rounding float values for coordinate display, instead of truncating them. I'll give it another try tonight.
Old 02/19/2014, 12:01   #62
TheStupidDog
elite*gold: 0
Join Date: Sep 2009
Posts: 78
Received Thanks: 54
Quote: Originally Posted by AlainProvist
@ntKid : sent you a pm (in case you didn't notice it)

@TheStupidDog : offsets not/no more valid. Don't know if this is caused by the latest patch that occurred yesterday or the fact that I'm running the french client. Anyway I dug a little and as Oriya9 said there are a lot of things using the xyz coordinates. Was looking for something that could have been a matrix 4x4 or a vector 4 + quaternion but only found vector 3 or 4. It seems that they are rounding float values for coordinate display, instead of truncating them. I'll give it another try tonight.
Yeah, I had a feeling the offsets would change (after a patch), but I can track them down really fast now. There were several coords that looked like they moved your character but didn't, but I eliminated them one by one and I'm almost certain they were the correct ones. But I found a totally new problem. It seems that certain zones you enter will use different pointers, so while those pointers work in most zones, they won't work in all of them lol. I've been kind of busy in the last few days so haven't been able to do much about it, but it's on my list of things to do (will also be trying to track down the movement speed).
Old 02/19/2014, 14:22   #63
AlainProvist
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 560
It makes sense if there is something called a World structure instantiating the current map and containing pointers to entities like your own character. When you change to another map, you destroy the old one and allocate a new one that will reference your character again, but the old reference will be erased by something else.

There is a high probability that the dynamic address of your coordinates doesn't change, since your character's data should not be destroyed when you change the map. So maybe if you store the address of your character at the beginning of the game (when spawning the first time) with your current method and then only use this address instead of recalculating it each time, then you'll keep it correct through map changes. But it's only a guess from me... the only thing to do to make sure of this is to verify it with CE.
Old 02/20/2014, 09:16   #64
FlyCraft.TobiLap
elite*gold: 59
Join Date: Oct 2012
Posts: 716
Received Thanks: 465
Quote: Originally Posted by ntKid
-
Could you please change this to the following link? Source release

Old 02/20/2014, 09:29   #65
Shane¸
elite*gold: 100
Join Date: May 2010
Posts: 1,948
Received Thanks: 1,635
To be always up-to-date with the offsets, gather the array of bytes and search in it.
Old 02/21/2014, 00:55   #66
shelepet09
elite*gold: 0
Join Date: Aug 2010
Posts: 5
Received Thanks: 0
Where/how to use these codes anyway?
The bot works for me, thanks for that!
I am using the default macro.lua, but I want to try something with your new codes.
"where to paste the code?"
"where to save the file?"
"is there any file to delete before you paste the new code?"
Old 02/23/2014, 17:56   #67
AlainProvist
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 560
Some maybe-useful things about the TargetInfo structure:

Lost my entire day to reach this address and opcode and realized at the end that this code was commented with such an explicit name TT...
game.bin+28D3E6 - 68 A8B5E300 - push game.bin+A3B5A8 [TargetInfoWnd]

About the target ID:
- NPC/mobs and resources seem to have an id like 0xFFFFxxxx or 0xFFFExxxx
- Players have a full id 0xXXXXXXXX with the high part < 0xFFFE

ps: forgot to mention in my screenshot that the 3 float values after 0xFFFFFF00 (after the current target id) seem to be related to the camera position or orientation.
Old 02/24/2014, 12:03   #68
biloon
elite*gold: 0
Join Date: Jan 2008
Posts: 1
Received Thanks: 0
Hi! I am new to all this reverse engineering business, so I am still learning. For some reason, I found out that the login part uses the wininet library to send packets via HTTPS. If I remember correctly, you can actually create an account using your facebook login. A socket sniffer told me that when the client logs in (via _Launcher), the process established about 4-5 connections to multiple login servers including facebook, the main server, etc. If this login packet is sent and read by the facebook server, then the raw data should be kept unobfuscated.... UNLESS you can implement your custom encrypt/decrypt on the facebook server (including the other 3-4 servers). So, I am not sure if the packet data before HTTPS or SSL is encrypted or not.

On the other hand, I am now looking into the client's packet sending. It uses WS2 WSASend to send out packets. I once saw an ingame login interface before, so I believe the login launcher and the game client are developed separately. Therefore, it is not a surprise that both processes may have different packet encryption/send policies. My current goal is to backtrace that call and find the packet encryption algorithm.
Old 02/25/2014, 10:10   #69
AlainProvist
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 560
@ntKid : Is there a chance you could give (here or privately) some explanations about this?
Code:
#include <windows.h>

// Calls the game's own "select nearest target" routine on the object whose
// pointer sits at lpBase (thiscall: object in ecx, one argument pushed).
// The default values are the addresses from ntKid's post for that client build.
VOID mySelectNearestTarget( ULONG lpBase = 0x00F38224, ULONG lpFunction = 0x0068DB50 )
{
	__asm
	{
		mov esi, lpBase;    // address of the static pointer slot
		mov esi, [ esi ];   // dereference it: esi = object pointer
		push 0x00000001;    // single argument of the game function
		mov ecx, esi;       // 'this' pointer
		call lpFunction;    // indirect call through the local variable
	}
}

//most basic multiclient bot example.
mySelectNearestTarget( );
mySendSkillID( myGetSkillIdFromSlotBar( 1 ) );
What did you search for to get the lpBase and what does it represent? How did you find the lpFunction address?

Your explanations would really unstick me and allow me to understand how to go further than heap memory reading stuff. I've made lots of searches on the web to find tutorials about similar stuff but people never explain how they found addresses...

Edit: (damned auto merge ^^)

Finally got it !!! ^^
Code:
0068DC12  push        1    
0068DC14  mov         ecx,esi 
0068DC16  call        0068D870
I was actually 2 calls after this one in the callstack, in the part that applies the target id to the targetInfo structure. Was missing the code gathering the id from the nearest mob.

@ntKid : Thanks a lot for your pm. (Talking of this, are you receiving my pm or is your inbox full? Maybe I'm paranoid but I always fear those limited message boxes -_-)
Old 02/28/2014, 09:33   #70
AlainProvist
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 560
Ok I successfully implemented my functions and now have a minimal bot working (target selection + skill use). The problem I have now is a random deadlock of the game. Did you encounter similar issues ntKid? I first thought it was due to my use of a rand() call in my main loop (debugger stopped at this line in my thread), but after removing it I'm now crashing in the sleep() call, which means that the game is crashing by itself... I'm injecting my code dll and the Antimutex dll, but I still have no idea what this last dll is for.
Old 02/28/2014, 09:41   #71
Shane¸
elite*gold: 100
Join Date: May 2010
Posts: 1,948
Received Thanks: 1,635
Quote: Originally Posted by AlainProvist
Ok I successfully implemented my functions and now have a minimal bot working (target selection + skill use). The problem I have now is a random deadlock of the game. Did you encounter similar issues ntKid? I first thought it was due to my use of a rand() call in my main loop (debugger stopped at this line in my thread), but after removing it I'm now crashing in the sleep() call, which means that the game is crashing by itself... I'm injecting my code dll and the Antimutex dll, but I still have no idea what this last dll is for.
The mutex is used for 1 connection between server and client, so it just won't allow you to run multiple clients.
Old 02/28/2014, 10:22   #72
AlainProvist
elite*gold: 0
Join Date: Aug 2012
Posts: 381
Received Thanks: 560
OK, I was fearing it was magically removing any mutex of the game lol. So I suppose my deadlock problem comes from something wrong I do in my code (memory corruption?)...

edit: Tried to debug the multiple crashes I got and still no clue what happens... my latest crash is just crazy: I crashed in a read-only call function of mine:
Code:
// disassembly view 
__asm
	{
		mov eax, lpBase;
5F6815B5  mov         eax,dword ptr [lpBase] 
		mov eax, [ eax ];
5F6815B8  mov         eax,dword ptr [eax] 
		mov eax, [ eax + 0x000000E0 ];
5F6815BA  mov         eax,dword ptr [eax+0E0h] 
		mov eax, [ eax + 0x00000010 ];
5F6815C0  mov         eax,dword ptr [eax+10h] 
		mov eax, [ eax + 0x0000000C ];
5F6815C3  mov         eax,dword ptr [eax+0Ch] ---> crashed here because eax is out of memory
		mov dwRes, eax;
5F6815C6  mov         dword ptr [dwRes],eax 
	}
Since my debugger was attached: I stepped backward to the 1st instruction and executed the lines step by step, finally reaching the correct address... How the hell is it possible to have got an out-of-memory pointer on this? Where does this out-of-memory pointer come from?
Old 03/01/2014, 20:53   #73
ntKid
elite*gold: 0
Join Date: Nov 2008
Posts: 181
Received Thanks: 463
Quote: Originally Posted by AlainProvist
OK, I was fearing it was magically removing any mutex of the game lol. So I suppose my deadlock problem comes from something wrong I do in my code (memory corruption?)...

edit: Tried to debug the multiple crashes I got and still no clue what happens... my latest crash is just crazy: I crashed in a read-only call function of mine:
Code:
// disassembly view 
__asm
	{
		mov eax, lpBase;
5F6815B5  mov         eax,dword ptr [lpBase] 
		mov eax, [ eax ];
5F6815B8  mov         eax,dword ptr [eax] 
		mov eax, [ eax + 0x000000E0 ];
5F6815BA  mov         eax,dword ptr [eax+0E0h] 
		mov eax, [ eax + 0x00000010 ];
5F6815C0  mov         eax,dword ptr [eax+10h] 
		mov eax, [ eax + 0x0000000C ];
5F6815C3  mov         eax,dword ptr [eax+0Ch] ---> crashed here because eax is out of memory
		mov dwRes, eax;
5F6815C6  mov         dword ptr [dwRes],eax 
	}
Since my debugger was attached: I stepped backward to the 1st instruction and executed the lines step by step, finally reaching the correct address... How the hell is it possible to have got an out-of-memory pointer on this? Where does this out-of-memory pointer come from?
Check if eax is valid to read before reading it; you may be trying to read something that is still not created or is being deleted. "IsBadReadPtr" eax before assuming it is a valid pointer. Imagine if eax = 0 and you do mov eax, [ eax ]: it will try to read an invalid memory region.
If you are concerned about multithreading you can detour the functions that you are going to call and add a critical section:
Code:
#include <windows.h>

// One critical section shared by every detoured game call; initialise it once
// with InitializeCriticalSection before the first hook is installed.
static CRITICAL_SECTION cs;

INT ( WINAPI *pDetoured )( );    // original function, filled in by the detour
INT WINAPI myDetoured( )
{
	INT dwRes = 0;
	EnterCriticalSection( &cs ); // serialise with any other thread using the hook
	dwRes = pDetoured( );
	LeaveCriticalSection( &cs );
	return dwRes;
}

cheers.
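An added illustration of the advice in this reply (not code from the thread): the same hop-by-hop walk as the crashing __asm block, with every address validated before it is dereferenced, run against constructed objects so it works outside the game. The readable() table, the object layout and the leaf value 0x1234 are assumptions standing in for IsBadReadPtr/VirtualQuery and the real structures; tearing down the "world" object reproduces the map-change case, where the third hop now fails cleanly instead of faulting.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed objects wired like the chain in the post: base_slot -> root -> [+0xE0] world -> [+0x10] ent -> [+0x0C] value. */
static uint8_t root[0x100], world[0x20], ent[0x20];
static uintptr_t base_slot;                     /* stand-in for the static lpBase slot */
static const uintptr_t chain[] = { 0, 0xE0, 0x10, 0x0C };
static struct { uintptr_t lo, hi; } live[4];    /* readable ranges, standing in for IsBadReadPtr/VirtualQuery */

static bool readable(uintptr_t addr, size_t len)
{
    for (int i = 0; i < 4; i++)
        if (addr >= live[i].lo && addr + len <= live[i].hi) return true;
    return false;
}

/* Same walk as the __asm block, but each hop is validated before it is read, so a
   null, freed or unmapped intermediate pointer fails the call instead of faulting. */
bool read_chain(uintptr_t base, const uintptr_t *off, size_t n, uintptr_t *out)
{
    uintptr_t cur = base;
    for (size_t i = 0; i < n; i++) {
        uintptr_t addr = cur + off[i];
        if (!readable(addr, sizeof cur)) return false;
        memcpy(&cur, (const void *)addr, sizeof cur);
    }
    *out = cur;
    return true;
}

static void build_objects(void)
{
    uintptr_t w = (uintptr_t)world, e = (uintptr_t)ent, v = 0x1234;   /* made-up leaf value */
    const void *obj[4] = { &base_slot, root, world, ent };
    size_t len[4] = { sizeof base_slot, sizeof root, sizeof world, sizeof ent };
    base_slot = (uintptr_t)root;
    memcpy(root + 0xE0, &w, sizeof w);
    memcpy(world + 0x10, &e, sizeof e);
    memcpy(ent + 0x0C, &v, sizeof v);
    for (int i = 0; i < 4; i++) live[i].lo = (uintptr_t)obj[i], live[i].hi = live[i].lo + len[i];
}
/* Leaf value while all objects are alive; 0 once the world object is torn down (map change). */
uintptr_t read_leaf(bool tear_down_world)
{
    uintptr_t v = 0;
    build_objects();
    if (tear_down_world) live[2].lo = live[2].hi = 0;   /* world range no longer mapped */
    return read_chain((uintptr_t)&base_slot, chain, 4, &v) ? v : 0;
}
```

Validation alone does not close the race with the game thread that frees the object between two hops; the critical-section detour in the reply is what serialises the two.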
Old 03/02/2014, 02:15   #74
pureleech
elite*gold: 0
Join Date: Sep 2013
Posts: 216
Received Thanks: 6
How to make this work on a private server? I wanna test it.
Old 03/02/2014, 13:10   #75
ntKid
elite*gold: 0
Join Date: Nov 2008
Posts: 181
Received Thanks: 463
[UPDATE]( 1 ) ( CHECK FIRST POST )
-Added SelectNearestTarget function using game engine( without sending tab key ) to my research
-Linked AlainProvist research on post #19 to first post.

[UPDATE]( 2 ) ( CHECK FIRST POST )
-Added basic editable LUA multiclient bot example using AFKLoader and the published functions.

[UPDATE]( 3 ) ( CHECK FIRST POST )
-Added Camera ViewDistance variable
-Added Source Code of CLua

[UPDATE]( 4 ) ( CHECK FIRST POST )
-Added Thr!ce research on GetInventoryBase.
-Added my research on Thr!ce function to perform a linked list.
-Added LetsPlayPixelz research on target information.

[UPDATE]( 5 ) ( CHECK FIRST POST )
-Added Move to Position.
-Added Warp to Position.

Move to position will provide a fix for melee class to return back to spot when botting or whatever you want to use it for.

Warp to Position will allow you to skip little mobs in dungeon and go directly to the bosses by pressing the boss name on your quest list.

--
AlainProvist nice to know you changed to process context dll injection, will make your life easier except for the GUI part.

Thank you all for testing, debugging, sharing and being this friendly.
Keep it coming =)