[5777+] Memory offsets/pointers

phize · 09/06/2013, 13:42

Memory-fun!

You can do some pretty cool stuff with this, like enumerating nearby players/monsters/items, casting magic, attacking, un-/equipping etc.

In fact, this should cover most of the things needed for basic botting functionality.

Code:

class Pointers
{
    public enum CGamePlayerSet : uint
    {
        // Functions
        GetPlayerByIndex = 0x0070632A,

        // Offsets
        Deque = 0x14,
        Count = 0x30,
    }

    public enum CGameMap : uint
    {
        // Functions
        GetItemByIndex = 0x00629174,

        // Offsets
        CMapItemManager__InstancePtr = 0x7C,
    }

    public enum CGameMsg : uint
    {
        // Functions
        AddMsg = 0x005DBD20,
    }

    public enum CHero : uint
    {
        // Functions
        GetItemByIndex = 0x006F3B0B,
        GetStandByEquipment = 0x006F58B2,
        UnequipItem = 0x006F636B,
        EquipItem = 0x006F5927,
        UseItem = 0x006F507A,
        DropItem = 0x006F4C60,
        PickUpItem = 0x006F35D3,
        Emotion = 0x0065D667,
        MagicAttack = 0x007146BD,
        MagicAttack_0 = 0x00715889,
        Jump = 0x0065CAF5,
        Attack = 0x0066574F,

        // Offsets
        ID = 0xD8,
        Name = 0x150,
        X = 0x250,
        Y = 0x254,
        Stamina = 0x928,
    }

    public enum CItem : uint
    {
        // Offsets
        ID = 0xC,
        TypeID = 0x1C,
        Name = 0x24,
    }

    public enum Misc : uint
    {
        CGameMsg__InstancePtr = 0x009D3FC8,
        CGameMap__InstancePtr = 0x009D3FC4,
        CHero__InstancePtr = 0x009D3FD0,
        CGamePlayerSet__InstancePtr = 0x009D8410,
    }
}

Here's an example on how to retrieve ground items:

Code:

public static MapItemInfo GetItemByIndex(int index)
{
    uint vectorPtr = Manager.Conquer.ReadUInt((uint)Client.Pointers.Misc.CGameMap__InstancePtr) + (uint)Client.Pointers.CGameMap.CMapItemManager__InstancePtr + 4 + 0x0C;
    uint itemInfoArray = Manager.Conquer.ReadUInt(vectorPtr);
    uint curObj = Manager.Conquer.ReadUInt(itemInfoArray + ((uint)index * 4));
    return (MapItemInfo)Manager.Conquer.ReadObject(curObj, typeof(MapItemInfo));
}

Also, just to show a little example of what you can do with no hooking and no touching packets:

darkhc · 09/12/2013, 12:37

men you can post the source of the hack? is cool xD

~~nicolastyler~~ · 09/13/2013, 08:36

Good Job, i like the way how you never gave any info away but still got peoples attention with the code. :P I guess you would save someone the effort of finding the pointers.

phize · 09/13/2013, 10:44

Quote:

Originally Posted by nicolastyler

Good Job, i like the way how you never gave any info away but still got peoples attention with the code. :P I guess you would save someone the effort of finding the pointers.

Well, finding them is the "hard" part. It's not that hard to look them up from here and see how they can be used.

Seems like there's not much interest for stuff like this these days though.

~~nicolastyler~~ · 09/13/2013, 10:50

I actually liked your post kinda useful. I might end up using it. Could you help me find the current and maximum HP of the hero? I want to make an app that can display the players health.

lina111 · 09/13/2013, 12:32

how i can use this code !! i don't know how to put this code can any one helpe or give mé this programme

i don't how to put this code in vs there is more euror with mé can any one helpe mé or give link of this programme

accpete my thxxx brother's

~~nicolastyler~~ · 09/13/2013, 13:03

You have to read the conquer process memory at the addresses he provided above, with the offset. But im not an expert.

phize · 09/13/2013, 19:12

Quote:

Originally Posted by nicolastyler

I actually liked your post kinda useful. I might end up using it. Could you help me find the current and maximum HP of the hero? I want to make an app that can display the players health.

Code:

uint ptr1 = Manager.Conquer.ReadUInt(Client.RoleManager.Local.BaseAddress + 0xAD0);
uint ptr2 = Manager.Conquer.ReadUInt(ptr1 + 0xC);
uint currentHp = Manager.Conquer.ReadUInt(ptr2);

Tested this on a a class with no MP, so you'll have to find that yourself, but just search for the value with CE and trace back from there to your CHero base address (what CHero__InstancePtr points to).

CE table attached so you can try it out for yourself.

~~nicolastyler~~ · 09/14/2013, 12:45

Quote:
Originally Posted by phize
Code:
uint ptr1 = Manager.Conquer.ReadUInt(Client.RoleManager.Local.BaseAddress + 0xAD0);
uint ptr2 = Manager.Conquer.ReadUInt(ptr1 + 0xC);
uint currentHp = Manager.Conquer.ReadUInt(ptr2);
Tested this on a a class with no MP, so you'll have to find that yourself, but just search for the value with CE and trace back from there to your CHero base address (what CHero__InstancePtr points to).

CE table attached so you can try it out for yourself.

Thanks, i never had cheat engine installed on my laptop so i made my own memory scanner, but it wasn't the best. Have to download it!

EDIT: Got it working like this, thanks a bunch!

Code:

int ptr1 = MemoryManager.ReadInt(0x009D3FD0); // CHero__InstancePtr
int ptr2 = MemoryManager.ReadInt(ptr1 + 0xAD0);
int ptr3 = MemoryManager.ReadInt(ptr2 + 0xC);
int currentHp = MemoryManager.ReadInt(ptr3);

I struggle to find the pointers, you must be pro at this to find all of those.

darkhc · 09/24/2013, 14:12

men post the source of your hack please

~~nicolastyler~~ · 09/24/2013, 15:37

i basically told you the source...

I used C#, some pinvoke methods to open/read the conquer process and i read an integer (4 bytes)

EDIT:
I found some offsets you could add it to your post

Code:

    public enum CHero : uint
    {
        // Offsets
        MaxHp = 0x60C,
        CurrentHp1 = 0xAD0,
        CurrentHp2 = 0xC,
        XpSkillTimer = 0x608, //the yellow bar around your hp
        BattlePower = 0xa30,
        Gold = 0xC,
        WarehouseGold = 0x16AC, //can only be seen when the warehouse is open
        XP = 0x958,
        Ping = 0x3734,
    }

Could you explain how you would use the functions?
Like send a message, I understand you have to use the 009D3FC8(message base) and 5dbd20(message function), but what do i do with it to make the message on the client?

phize · 10/06/2013, 22:37

Quote:
Originally Posted by nicolastyler
i basically told you the source...

I used C#, some pinvoke methods to open/read the conquer process and i read an integer (4 bytes)

EDIT:
I found some offsets you could add it to your post
Code:
    public enum CHero : uint
    {
        // Offsets
        MaxHp = 0x60C,
        CurrentHp1 = 0xAD0,
        CurrentHp2 = 0xC,
        XpSkillTimer = 0x608, //the yellow bar around your hp
        BattlePower = 0xa30,
        Gold = 0xC,
        WarehouseGold = 0x16AC, //can only be seen when the warehouse is open
        XP = 0x958,
        Ping = 0x3734,
    }
Could you explain how you would use the functions?
Like send a message, I understand you have to use the 009D3FC8(message base) and 5dbd20(message function), but what do i do with it to make the message on the client?

You can call them by injecting code into the process and then creating a thread on the beginning of that stub/function (with CreateRemoteThread), or just use DLL injection and call via a function pointer or inline asm. Use Olly to see how they're used by the client.

How I do it from an external process:

Code:

public static unsafe void AddMsg(string message, MessageChannel channel, System.Drawing.Color color)
{
    uint stringAddr = ProcessMemory.Allocate((uint)message.Length + 1);
    if (stringAddr != 0)
    {
        ProcessMemory.WriteString(stringAddr, message);

        var asm = new byte[]
        {
            0x6A, 0x00,
            0x6A, 0x00
            0x68, 0x00, 0x00, 0x00, 0x00,
            0x68, 0x00, 0x00, 0x00, 0x00,
            0x68, 0x00, 0x00, 0x00, 0x00,
            0xB9, 0x00, 0x00, 0x00, 0x00,
            0x8B, 0x09,
            0xB8, 0x00, 0x00, 0x00, 0x00,
            0xFF, 0xD0,
            0xC3
        };

        fixed (byte* ptr = asm)
        {
            *(uint*)(ptr + 4 + 1) = (uint)color.ToArgb();
            *(uint*)(ptr + 9 + 1) = (uint)channel;
            *(uint*)(ptr + 14 + 1) = (uint)stringAddr;
            *(uint*)(ptr + 19 + 1) = (uint)Pointers.Misc.CGameMsg__InstancePtr;
            *(uint*)(ptr + 26 + 1) = (uint)Pointers.CGameMsg.AddMsg;
        }

        ProcessMemory.Execute(asm);
        ProcessMemory.Free(stringAddr, (uint)message.Length + 1);
    }
}

There are .NET libraries that make this easier for you, just google them.

BTW, both your Gold and CurrentHp2 have the offset 0xC

~~nicolastyler~~ · 10/07/2013, 09:31

Thanks,

I assume that:

ProcessMemory.Allocate is VirtualAllocEx
ProcessMemory.WriteString is WriteProcessMemory
ProcessMemory.Execute is CreateRemoteThread
ProcessMemory.Free is CloseHandle/VirtualFreeEx

and i think MessageChannel is

Gold is just a 0xC offset
"0x009D3FD0 -> 0xC = gold"

CurrentHp has 2 offsets CurrentHp1 and CurrentHp2.
"0x009D3FD0 -> 0xAD0 -> 0xC = CurrentHP"

More offsets:

Code:

    public enum CHero : uint
    {
        // Offsets
        Cps = 0x10,
        BoundCps = 0x14,
    }

neosammy · 10/07/2013, 15:52

phize could you upload your bot? ^_^

abdoumatrix · 11/09/2013, 16:00

could i have some refrences to learn from.? and know about this ?