ok... its not a super simple thing, so bear with me... (very possible to make a bot like SV with this)
so you see a person lets call him joe, on your CO screen right?
you search for this memory addresses for "joe" in CE... lets say "01171EFC" (we'll call this the base address) shows up right?
so we will use this address as a template...
please note that when a person jumps off the screen the memory address "01171EFC" changes to ?? or 0 (because the person is no longer on screen)
so when conquer loads joe to 01171EFC address certain info is stored relative to this address these are the ones ive found:
1171FA8 (+AC) = jump address (x) <<< prob could be used for cruddy aimbot
1171FAC (+B0) = jump address (y) <<< prob could be used for cruddy aimbot
1171F34 (+38) = pixels on screen (x) <<< prob what SV uses (could be used with control click)
1171F38 (+3C) = pixels on screen (y) <<< prob what SV uses
1171F4C (+50) = character animation (100 norm, 330 fall death, 340 launched death) <<<theres lots of them
ALSO
lets say Suzy is also on your screen (Assuming theres only 3 people on your screen, including you) then her name would be at the address...
1172CF4 (+DF8) = 2nd person loaded on screen
lets say theres a 4th person (including you) his address would be:
1173AEC (+ 2 * DF8) = 3rd person loaded on screen
see the pattern? i hope so >.>
this would make it very simple to make a bot if the base addresses didn't change, but they do... the address that currently writes to the "character load" address is "0048a246" and this is were im stuck, i dont have the programing knowledge to monitor what this address writes to
though it is possible that there is a limited number of base addresses since quite oftenly they load up to the same base address
Side note: the base address changes usualy when you load new maps (going through portals/market/tg)
also its changes about 30 seconds after you log in then after about 4 or 5 minutes it changes, then it stays the same (unless you change maps)
since u cant get in underground, and i dont think i should hide something like this to u
i will copy and paste one of the thread i have in there:
(u might have a better use of this)
mine is super long and not simple too, so bare with me:
Quote:
the following thread is long as hell, let me give a short introduction here.
the below things are my analysis on coordinates of another character or monster
if u went in the wrong thread, u can press BACK now.
else, lets begin
if u dont mind, let me start off with a screenshot, then explain
(i didnt hide anything, the following is all that i understand)
in the above image, i did the following steps to find it
1. Cheatengine hook to Main account, search text for second account "WalkWalk" (results should be quite a few)
2. open the address that is within 0x4***** (there is only one address that within 0x400000 to 0x4FFFFF
3. memory view
according to my observation, if the WalkWalk address is 0x400000, then the coordinate address will always be +30, which is 0x400030. another example, if WalkWalk address is 0x400A90, then +30 = 0x400B20
now if u please, look at the image
after countless of time, i notice that first 2 column (C0,4A) is representing the Xcoordinate*. and column 5,6 is representing (11,21) is representing the Ycoordinate*.
attention* the XY coordinate i mention above is different from the XYcoordinate system in CO display. the coordinate system in here using is really the vertical and horizontals system that we normally use in math class...
if main account walks, WalkWalk coordinate address value wont change a bit
if WalkWalk move 1 step, WalkWalk value will change value by +/-20
which means there is a completely different coordinate system that generate what point u are standing on the map
example, WalkWalk move 1 step directly down, (11,21) will change to (31,21)
if continue moving down, it will be (51,21) > (71,21) > (91,21) > (B2,21) if more than FF, it will +1 in the 21. so just by pure guessing, there are FF*FF=99*99=9801points, since each step is 20, then 9801/20=490. so that means in each map, the max step u can walk is 490....
now, something wrong...there are coordinates more than 700, how can it be max FF FF?
right now i am guessing maybe XY coorindate each store in 3or4 columns
(sidenote* must be constantly within main account screen, or else all address will be reseted to another one)
what i am trying to do is make a program that does the following:
1.loop read a "NAME" every few seconds
2.+30 of the output address
3.read column 1,2,5,6
4.analysis and calculate the corresponding clicking position by comparing with ur main character's XY
5.after comparing, if close to main character, then Click
5b. else, read for another "Name" and goes back to step2
i believe if one can solve this, it can be used for aimbot (read certain character XY) or read monsters location for bots
however since it is totally using a different coordinate system that it displays, it wont be easy to find the right equation
before i start forming the equation, i would like to ask few things first:
1. One address has both XY coordinate information, how can i read each separately. in this case, read column 1,2,5,6 in address 0x4C01F34
2. Even if i can output X,Y coordinate info separately, AHK dllcall address loop read is too slow to read 130000 items. it will use tons of resources for that if constantly looping. (different story with searching only 1 character name, since the only time it will reset the address is go out of screen) who would like to take this challenge to develop in a faster language?
personally even if this program turns out to be right, i wont use it because i dont play CO anymore.
i am only interested in challenging the god position of SV
Quote:
i think i will give up on this research
just doesnt worth wasting countless of hours developing in a game that i dont play and keep debugging this program til the day it dies out
and i couldnt figure out how to read a 1 memory value in separate columns
and i couldnt figure out how to detect the HP in order to heal/DC when low health
i will release more information that i found though
example: Main character
column1 display=AA
column2 display=11
column5 display=BB
column6 display=22 Target character
column1 display=33
column2 display=11
column5 display=55
column6 display=22
so we have the following equations Main character
Px0=Col2Col1=11AA
Py0=Col6Col5=22BB Target character
Px1=Col2Col1=1133
Py1=Col6Col5=2255
doesnt matter where u are in the map, and its not needed for u to know what XY represent in real display coordinate. because all we want to know is how far the character away from main character and click that point
so we have our 2nd equation, which is:
(Px0 - Px1, Py0 - Py1)
*notice, it needs to be converted from HEX to DEC in order to display correct negative results, so we have:
HEX(11AA - 1133, 22BB - 2255) = DEC(4522 - 4403, 8891 - 8789) = DEC(119, 102)
which means on the main character screen, the target character is at x119,y102 to u.
(which requires u to set the (0,0) at the main character shadow, i remember its around 512,350)
according to my notice, the difference is exactly in PIXEL units, which mean if the difference is 119, that means the target is 119 pixels away. no need to convert.
Quote:
Project finished
concept correct, searching speed horrible (read from 0x4B00000 to 0x4E00000 takes few mins)
is able to generate the actual XY coordinate system, however unless the speed is less than few seconds, everytime out of range then come back search again takes way too much time
ya, was thinking that something like this was probably on underground, but...
since the character model is loaded on the screen @ (the example)
1171F34 (+38) = pixels on screen (x)
1171F38 (+3C) = pixels on screen (y)
it eliminates the need for algorithm to find the point of which to click... you can basicaly slap those values straight into a control click function (please note it changes to like 4294967300 if its offscreen, but you can get it back to understandable (x,y) by "$x = $value - 4294967300" $x being the new x coord)
the only problem that ive come across is monitoring what 0048a246 writes to
btw, nice post, and thanks for sharing... i guess ill look more into it tomorrow, got some hw i need to finish (spring break soon )
the problem is searching speed
if it can solve, other parts are easy for me to developed
btw, all my bots right now is using the XY coordinate system that suggested in the above method
well, since my main pc is broke (ill look into that tommorrow) i wont be able to do anything atm, but tomorrow ill look into if there is a limited amount of addresses written to, but all "base addresses" end in "1EFC"
which could possible reduce searching times (not sure though)
In my opinion this thread is worth staying bumped, it gives alot information to people who are doing research just like this.
P.S Couple things to add to your posts :
*note : using hex with numbers*
Baseaddress ends infact with '1ECC' not '1EFC' like you said. This is because the asm code that 'generates' the playername has instructions : mov[esi+30],bl
wich clearly shows that playername isn't the base but +30 bits from it.
That one works! :P outputs all chars within range. Now only thing to do is to find the static address wich contains the "baseaddress" what I have in above code, ofcourse if I was lazy I could just make my program to read from ouput the First loaded char address because everything else uses it as their base.
Has anyone got the current X, Y offsets? instead of jumpx,jumpy ?
After a while, I found a way to check the baseaddress, only thing you have to input is the charname you think is the first one on the screen. (Not a noob friendly)
Used C#
Code:
BaseAddress = 0;
for (uint i = 0x1000EFC; i < 0xFFFFEFC; i += 0x1000)
{
if (Memory.ReadString(i).Equals(textBox1.Text))
{
BaseAddress = i;
MessageBox.Show("Found it!");
this.Text = "0x" + BaseAddress.ToString("X2");
break;
}
}
if (BaseAddress == 0)
MessageBox.Show(textBox1.Text + " wasn't the first person on screen");
That takes MAX 10 seconds to loop through, it'll tell if the person wasn't first on the screen. (It'll take alot less if it is the first person)
NOTE* this has worked everytime so far, long as you get the right persons name.
nice, glad to see someone make use of this...
about finding a static address that points to the base address, well obviously i haven't found it either
i no longer play CO but i guess i'll have some fun and see what else i can find about this
Finding the static address is hard, so I gave up with even trying to find it. Instead I made that loop to check the 'baseaddress' with given name. (I was actually suprised by the speed of that, it has to loop 61439 times + Read 16 bits from the Memory.
This thread is really helpful, coule be used (need to put some time in this) to make a 'replicate' of ScriptVessel. Free ofcourse for e*pvp members.
Conquer.. They're analyzing the code by asm and trying to design a bot like SV.
its unlikely we'll ever get that far as to achieve an sv status, and by what it looks like it prob be like tanelipe method of just searching in bulk and narrowing it down but just a faster method
[AUFRUF] An alle, die von "[Aimee]", "Blck-Sellerx" & ".Ava" betrogen worden sind! 03/23/2010 - Last Chaos - 34 Replies Hallo libe ehrlichen Member von e*PvPers!
Im LastChaos und Metin Bereich im TBM Forum soll ".Ava" mehrere Leute abgezogen haben. Nun kommen aber plötzlich Gegenstimmen in der iTrader Bewertung die positiv ausfallen von "Black-SellerX" und "" bei genauerem Hinsehen bemerkt man, dass diese 3 Forenuser sich gegenseitig immer wieder positiv bewerten, dennnoch werden diese von vielen Usern negativ bewertet. Von "" wurde ich selber betrogen, daher mein Interesse.
Deshalb vermute ich, dass hinter...
)
