offset for using more than 3 smileys
Discussion on offset for using more than 3 smileys within the Perfect World forum part of the MMORPGs category.
08/03/2010, 20:24
#16
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
I've added the launcher check, multi-client check, jump limit check, and client freeze @ inactive client to the loader.
Now it should work for all clients =)
Code:
; loading the file into the memory
$path = "elementclient.exe"
$file = FileOpen($path, 16)
$read = FileRead($file, FileGetSize($path))
FileClose($file)
; search and remove the launcher check
$read = StringRegExpReplace($read, '(558BEC6AFF68.{8}68.{8}64A100000000506489250000000081EC.{8}5356578965.{2}68.{8}8B5D.{2}53FF15.{8}83C4.{2}85C0)75(.{2}6A.{2}68.{8}68.{8}50FF15)', '${1}EB${2}')
; search and remove multiclient check
$read = StringRegExpReplace($read, '(8B4424.{2}83EC.{2}A3.{8}8A4424.{2}53558B2D.{8}56578B3D.{8}84C0BE.{8}75.{2}BE.{8}33DB84C074.{2}BB.{8}68.{8}68.{8}FF15.{8}85C0)74(.{2}6A.{2}68.{8}68.{8}6A00FF15)', '${1}EB${2}')
; search and remove the zoomlimit
$read = StringRegExpReplace($read, '(885E.{2}D985.{8}D846.{2}D956.{2}D81D.{8}.*?)75(.{2}894E.{2}8B073BC3)', '${1}EB${2}')
; search and remove the smile limit
$read = StringRegExpReplace($read, '(8B84B8.{8}8B4C24.{2}3B48.{2}7D.{2}83BB.{10})7D.{2}(518D4424.{2}5750E8.{8}83C4.{2}8B00)', '${1}9090${2}')
; search and remove the jump limit (only works clientsided)
$read = StringRegExpReplace($read, '(8A86.{8}84C00F85.{8}8B86.{8}E9.{8}8B86.{8}8BD0C1EA.{2}84D30F85.{8}8B96.{8}B9.{8}3BD1)0F8D.{8}(8A96.{8}84D20F85.{8}398E.{8}0F84.{8})', '${1}909090909090${2}')
; search and remove the freeze on inactive window
$read = StringRegExpReplace($read, '(68.{8}6A01E8.{8}BA.{8}83C4.{2}85D2EB.{2}389E.{8})0F84.{8}(8B4E.{2}6A01E8.{8}84C075.{2}68)', '${1}909090909090${2}')
; starting the patched file =)
RunFileFromMemory($read, $path)

Func RunFileFromMemory($bBinaryImage, $path)
    ; copy the image into a DllStruct so we get a pointer to it
    Local $tInput = DllStructCreate("byte[" & BinaryLen($bBinaryImage) & "]"), $pPointer
    DllStructSetData($tInput, 1, $bBinaryImage)
    $pPointer = DllStructGetPtr($tInput)
    ; create the process from $path in suspended state (dwCreationFlags = 4)
    Local $tSTARTUPINFO = DllStructCreate("dword cbSize;ptr Reserved;ptr Desktop;ptr Title;dword X;dword Y;dword XSize;dword YSize;dword XCountChars;dword YCountChars;dword FillAttribute;dword Flags;ushort ShowWindow;ushort Reserved2;ptr Reserved2;ptr hStdInput;ptr hStdOutput;ptr hStdError")
    Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;ptr Thread;dword ProcessId;dword ThreadId")
    $aCall = DllCall("kernel32.dll", "int", "CreateProcessW", "wstr", $path, "ptr", 0, "ptr", 0, "ptr", 0, "int", 0, "dword", 4, "ptr", 0, "ptr", 0, "ptr", DllStructGetPtr($tSTARTUPINFO), "ptr", DllStructGetPtr($tPROCESS_INFORMATION))
    Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process")
    Local $hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread")
    ; read the main thread's registers: in a suspended process EBX holds the PEB address, EAX the entry point
    Local $tCONTEXT = DllStructCreate("dword ContextFlags;dword Dr0;dword Dr1;dword Dr2;dword Dr3;dword Dr6;dword Dr7;dword ControlWord;dword StatusWord;dword TagWord;dword ErrorOffset;dword ErrorSelector;dword DataOffset;dword DataSelector;byte RegisterArea[80];dword Cr0NpxState;dword SegGs;dword SegFs;dword SegEs;dword SegDs;dword Edi;dword Esi;dword Ebx;dword Edx;dword Ecx;dword Eax;dword Ebp;dword Eip;dword SegCs;dword EFlags;dword Esp;dword SegS")
    DllStructSetData($tCONTEXT, "ContextFlags", 0x10002)
    $aCall = DllCall("kernel32.dll", "int", "GetThreadContext", "ptr", $hThread, "ptr", DllStructGetPtr($tCONTEXT))
    ; walk the PE headers of the image in memory: DOS header -> NT signature -> file header -> optional header
    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];ushort BytesOnLastPage;ushort Pages;ushort Relocations;ushort SizeofHeader;ushort MinimumExtra;ushort MaximumExtra;ushort SS;ushort SP;ushort Checksum;ushort IP;ushort CS;ushort Relocation;ushort Overlay;char Reserved[8];ushort OEMIdentifier;ushort OEMInformation;char Reserved2[20];dword AddressOfNewExeHeader", $pPointer)
    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader")
    Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic")
    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)
    $pPointer += 4
    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;ushort NumberOfSections;dword TimeDateStamp;dword PointerToSymbolTable;dword NumberOfSymbols;ushort SizeOfOptionalHeader;ushort Characteristics", $pPointer)
    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")
    $pPointer += 20
    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;ubyte MajorLinkerVersion;ubyte MinorLinkerVersion;dword SizeOfCode;dword SizeOfInitializedData;dword SizeOfUninitializedData;dword AddressOfEntryPoint;dword BaseOfCode;dword BaseOfData;dword ImageBase;dword SectionAlignment;dword FileAlignment;ushort MajorOperatingSystemVersion;ushort MinorOperatingSystemVersion;ushort MajorImageVersion;ushort MinorImageVersion;ushort MajorSubsystemVersion;ushort MinorSubsystemVersion;dword Win32VersionValue;dword SizeOfImage;dword SizeOfHeaders;dword CheckSum;ushort Subsystem;ushort DllCharacteristics;dword SizeOfStackReserve;dword SizeOfStackCommit;dword SizeOfHeapReserve;dword SizeOfHeapCommit;dword LoaderFlags;dword NumberOfRvaAndSizes", $pPointer)
    $pPointer += 96
    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")
    Local $iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint")
    ; skip the 16 data directories (16 * 8 bytes) to reach the section table
    $pPointer += 128
    Local $pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase")
    Local $iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage")
    ; read the PEB of the new process to get its current image base, then point PEB->ImageBaseAddress at the new one
    Local $tPEB = DllStructCreate("byte InheritedAddressSpace;byte ReadImageFileExecOptions;byte BeingDebugged;byte Spare;ptr Mutant;ptr ImageBaseAddress;ptr LoaderData;ptr ProcessParameters;ptr SubSystemData;ptr ProcessHeap;ptr FastPebLock;ptr FastPebLockRoutine;ptr FastPebUnlockRoutine;dword EnvironmentUpdateCount;ptr KernelCallbackTable;ptr EventLogSection;ptr EventLog;ptr FreeList;dword TlsExpansionCounter;ptr TlsBitmap;dword TlsBitmapBits[2];ptr ReadOnlySharedMemoryBase;ptr ReadOnlySharedMemoryHeap;ptr ReadOnlyStaticServerData;ptr AnsiCodePageData;ptr OemCodePageData;ptr UnicodeCaseTableData;dword NumberOfProcessors;dword NtGlobalFlag;ubyte Spare2[4];int64 CriticalSectionTimeout;dword HeapSegmentReserve;dword HeapSegmentCommit;dword HeapDeCommitTotalFreeThreshold;dword HeapDeCommitFreeBlockThreshold;dword NumberOfHeaps;dword MaximumNumberOfHeaps;ptr ProcessHeaps;ptr GdiSharedHandleTable;ptr ProcessStarterHelper;ptr GdiDCAttributeList;ptr LoaderLock;dword OSMajorVersion;dword OSMinorVersion;dword OSBuildNumber;dword OSPlatformId;dword ImageSubSystem;dword ImageSubSystemMajorVersion;dword ImageSubSystemMinorVersion;dword GdiHandleBuffer[34];dword PostProcessInitRoutine;dword TlsExpansionBitmap;ubyte TlsExpansionBitmapBits[128];dword SessionId")
    $aCall = DllCall("kernel32.dll", "int", "ReadProcessMemory", "ptr", $hProcess, "ptr", DllStructGetData($tCONTEXT, "Ebx"), "ptr", DllStructGetPtr($tPEB),"dword", DllStructGetSize($tPEB), "dword*", 0)
    Local $hBaseAddress = DllStructGetData($tPEB, "ImageBaseAddress")
    $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProcess, "ptr", DllStructGetData($tCONTEXT, "Ebx") + 8, "ptr*", $pOptionalHeaderImageBaseNEW, "dword", 4, "dword*", 0)
    ; unmap the original image and allocate room for the patched one at its image base
    $aCall = DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", "ptr", $hProcess, "ptr", $hBaseAddress)
    $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "ptr", $hProcess, "ptr", $pOptionalHeaderImageBaseNEW, "dword", $iOptionalHeaderSizeOfImageNEW, "dword", 12288, "dword", 64)
    Local $pRemoteCode = $aCall[0]
    ; write the headers, then every section at its virtual address
    Local $pHEADERS_NEW = DllStructGetPtr($tIMAGE_DOS_HEADER)
    Local $iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")
    $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProcess, "ptr", $pRemoteCode, "ptr", $pHEADERS_NEW, "dword", $iOptionalHeaderSizeOfHeadersNEW, "dword*", 0)
    Local $tIMAGE_SECTION_HEADER, $iSizeOfRawData, $pPointerToRawData, $iVirtualAddress
    For $i = 1 To $iNumberOfSections
        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];dword UnionOfVirtualSizeAndPhysicalAddress;dword VirtualAddress;dword SizeOfRawData;dword PointerToRawData;dword PointerToRelocations;dword PointerToLinenumbers;ushort NumberOfRelocations;ushort NumberOfLinenumbers;dword Characteristics", $pPointer)
        $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
        $pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")
        $iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")
        If $iSizeOfRawData Then
            $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProcess, "ptr", $pRemoteCode + $iVirtualAddress, "ptr", $pPointerToRawData, "dword", $iSizeOfRawData, "dword*", 0)
        EndIf
        $pPointer += 40 ; sizeof(IMAGE_SECTION_HEADER)
    Next
    ; point EAX at the new entry point and let the main thread run
    DllStructSetData($tCONTEXT, "Eax", $pRemoteCode + $iEntryPointNEW)
    $aCall = DllCall("kernel32.dll", "int", "SetThreadContext", "ptr", $hThread, "ptr", DllStructGetPtr($tCONTEXT))
    $aCall = DllCall("kernel32.dll", "int", "ResumeThread", "ptr", $hThread)
    Return DllStructGetData($tPROCESS_INFORMATION, "ProcessId")
EndFunc
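The patch step above only ever touches the copy of elementclient.exe that the loader holds in memory, so a hash of the file on disk stays unchanged; anyone auditing such a client has to compare the loaded code against the original. The following is an added example, not code from this thread or from the game: given an original and a patched code buffer it lists every run of changed bytes and names the three patch shapes the regexes above produce (a conditional jump turned into jmp, a short Jcc NOP'ed out, a near Jcc NOP'ed out). The byte fragments are constructed for the example and are not real client bytes; the opcode tables are the standard x86 short and near conditional-jump encodings.

```python
import hashlib

# Standard x86 conditional-jump opcodes: short form (rel8) and near form (0F xx rel32).
SHORT_JCC = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}
NEAR_JCC = {0x84: "je", 0x85: "jne", 0x8C: "jl", 0x8D: "jge", 0x8E: "jle", 0x8F: "jg"}
JMP_SHORT, NOP = 0xEB, 0x90


def diff_runs(original, patched):
    """Yield (offset, length) for each maximal run of bytes that differ."""
    if len(original) != len(patched):
        raise ValueError("in-place patching must not change the image size")
    i, n = 0, len(original)
    while i < n:
        if original[i] == patched[i]:
            i += 1
            continue
        start = i
        while i < n and original[i] != patched[i]:
            i += 1
        yield start, i - start


def classify(original, patched, offset, length):
    """Name the patch shape at offset, or 'unclassified' if it is none of the known ones."""
    old, new = original[offset:offset + length], patched[offset:offset + length]
    # Jcc rel8 -> jmp rel8: only the opcode byte changes, the displacement is reused.
    if length == 1 and old[0] in SHORT_JCC and new[0] == JMP_SHORT:
        return f"{SHORT_JCC[old[0]]} -> jmp"
    if new[0] == NOP:
        # Re-extend over the whole NOP run in the patched image: a displacement
        # byte that already was 0x90 would otherwise shorten the differing run.
        end = offset
        while end < len(patched) and patched[end] == NOP:
            end += 1
        old = original[offset:end]
        if len(old) == 2 and old[0] in SHORT_JCC:
            return f"{SHORT_JCC[old[0]]} rel8 -> nop x2"
        if len(old) == 6 and old[0] == 0x0F and old[1] in NEAR_JCC:
            return f"{NEAR_JCC[old[1]]} rel32 -> nop x6"
        return f"nop x{len(old)}"
    return "unclassified"


def report(original, patched):
    """Return ([(offset, old_hex, new_hex, description), ...], sha256_original, sha256_patched)."""
    findings = [(off, original[off:off + ln].hex(), patched[off:off + ln].hex(),
                 classify(original, patched, off, ln))
                for off, ln in diff_runs(original, patched)]
    return findings, hashlib.sha256(original).hexdigest(), hashlib.sha256(patched).hexdigest()


# Constructed sample (not real elementclient.exe bytes): three code fragments
# carrying the same shapes the regexes above look for, before and after patching.
ORIGINAL = bytes.fromhex(
    "85c0" "750a" "6a00"                 # test eax,eax / jne +0x0a / push 0
    "83bb1000000000" "7d90" "51"         # cmp dword [ebx+0x10],0 / jge rel8 (disp 0x90) / push ecx
    "3bd1" "0f8d12000000" "c3"           # cmp edx,ecx / jge rel32 / ret
)
PATCHED = bytes.fromhex(
    "85c0" "eb0a" "6a00"                 # jne -> jmp
    "83bb1000000000" "9090" "51"         # jge rel8 -> nop nop
    "3bd1" "909090909090" "c3"           # jge rel32 -> 6 x nop
)

if __name__ == "__main__":
    findings, sha_orig, sha_patched = report(ORIGINAL, PATCHED)
    for off, old, new, what in findings:
        print(f"offset 0x{off:04x}: {old} -> {new}  ({what})")
    print("on-disk sha256", sha_orig[:16], "vs loaded", sha_patched[:16])
```

The second fragment is the edge case: the displacement byte of the NOP'ed jump is already 0x90, so only one byte actually differs; classify() therefore re-extends over the NOP run in the patched image rather than trusting the raw differing run.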
08/03/2010, 20:46
#17
elite*gold: 0
Join Date: Oct 2008
Posts: 1,243
Received Thanks: 670
I just ran it but the client went mad and swore in alien language lol, here is what it said:
With the loader running, will it enable all the hacks for multiple clients I run from the same location as elementclient.exe, even after I rename the wintitles?
08/03/2010, 21:08
#18
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
A loader is called a loader cuz it's loading other files.
If u're not using the loader as a loader it won't load other files. That means it can't work as a loader..
Asking if you have to load a file with the loader is kinda stupid.
It will only work for clients loaded with the loader.
Well, to ur problem: I can't test it or analyze the game client, since I haven't got the game installed.
Btw you have to set the path to 'elementclient.exe'. The loader uses the path to create the process name.
It's not running the client, but creates a virtual client to run.
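The "virtual client" described above is a process whose mapped image was built by the loader from the patched bytes, laid out by RVA, while elementclient.exe on disk is untouched. What follows is an added example, not code from this thread or from the game: a PE32 header parser that walks the same DOS header, PE signature, file header, optional header and section table the loader walks, a helper that maps a constructed image by RVA the way the loader's WriteProcessMemory loop does, and an integrity check that compares each executable section on disk against the mapped image. The sample image, its section names and the "limit=3" string are constructed for the example; the header offsets and flag values are those of the PE format.

```python
import struct

FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def align(value, boundary):
    return (value + boundary - 1) & ~(boundary - 1)


def parse_pe(data):
    """Walk DOS header -> PE signature -> file header -> optional header ->
    section table (the path the loader takes) and return what it relies on."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                  # IMAGE_FILE_HEADER, 20 bytes
    nsections = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    oh = fh + 20                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, oh)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    entry = struct.unpack_from("<I", data, oh + 16)[0]
    image_base = struct.unpack_from("<I", data, oh + 28)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", data, oh + 56)
    sections, sh = [], oh + opt_size                   # 40-byte IMAGE_SECTION_HEADERs
    for _ in range(nsections):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sh)
        chars = struct.unpack_from("<I", data, sh + 36)[0]
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, raw_size, raw_ptr, chars))
        sh += 40
    return {"entry_point": entry, "image_base": image_base, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}


def build_pe(entry_point, image_base, sections):
    """Construct a minimal PE32 file for the demo; sections = [(name, rva, data, chars)]."""
    size_of_headers = align(0x40 + 4 + 20 + 96 + 40 * len(sections), FILE_ALIGN)
    size_of_image = max(align(rva + len(data), SECTION_ALIGN) for _, rva, data, _ in sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96, 0x102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_point, 0, 0,
                      image_base, SECTION_ALIGN, FILE_ALIGN)
    opt += struct.pack("<HHHHHHI", 0, 0, 0, 0, 0, 0, 0)            # version fields
    opt += struct.pack("<IIIHH", size_of_image, size_of_headers, 0, 2, 0)
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 0)
    sec_hdrs, blobs, raw_ptr = b"", b"", size_of_headers
    for name, rva, data, chars in sections:
        raw_size = align(len(data), FILE_ALIGN)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), rva, raw_size, raw_ptr,
                                0, 0, 0, 0, chars)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = (dos + b"PE\0\0" + file_hdr + opt + sec_hdrs).ljust(size_of_headers, b"\0")
    return headers + blobs


def map_image(data):
    """Lay a PE file out by RVA, which is what the loader's WriteProcessMemory loop does."""
    pe = parse_pe(data)
    image = bytearray(pe["size_of_image"])
    image[:pe["size_of_headers"]] = data[:pe["size_of_headers"]]
    for _, rva, _, raw_size, raw_ptr, _ in pe["sections"]:
        if raw_size:
            image[rva:rva + raw_size] = data[raw_ptr:raw_ptr + raw_size]
    return bytes(image)


def code_integrity(disk_file, memory_image):
    """Compare each executable section on disk with the mapped image; returns
    [(section, first_mismatch_rva, changed_byte_count)], empty when clean.
    Writable sections are skipped because they change legitimately at run time."""
    findings = []
    for name, rva, vsize, raw_size, raw_ptr, chars in parse_pe(disk_file)["sections"]:
        if not chars & IMAGE_SCN_MEM_EXECUTE:
            continue
        length = min(raw_size, vsize) if vsize else raw_size
        diffs = [i for i in range(length) if disk_file[raw_ptr + i] != memory_image[rva + i]]
        if diffs:
            findings.append((name, rva + diffs[0], len(diffs)))
    return findings


def build_sample():
    """Constructed on-disk image (not real client data): one code, one data section."""
    code = bytes.fromhex("85c0" "750a" "6a00" "c3")                # test / jne / push / ret
    return build_pe(0x1000, 0x400000, [(b".text", 0x1000, code, 0x60000020),
                                        (b".data", 0x2000, b"limit=3\0", 0xC0000040)])


def simulate_patched_run(disk_file):
    """What a patch-and-hollow loader leaves in memory: jne (75) flipped to jmp (EB)
    in .text, mapped by RVA, plus a harmless run-time change in .data."""
    text_raw = next(s[4] for s in parse_pe(disk_file)["sections"] if s[0] == ".text")
    patched = bytearray(disk_file)
    patched[text_raw + 2] = 0xEB
    image = bytearray(map_image(bytes(patched)))
    image[0x2006] = ord("9")                                       # "limit=3" -> "limit=9"
    return bytes(image)


if __name__ == "__main__":
    disk = build_sample()
    print("clean run:", code_integrity(disk, map_image(disk)))
    print("patched run:", code_integrity(disk, simulate_patched_run(disk)))
```

In practice the memory side comes from reading the target's image base (the loader itself reads it out of the PEB) with ReadProcessMemory, and the disk side from the file the process claims to be running; restricting the comparison to IMAGE_SCN_MEM_EXECUTE sections keeps writable data, which changes legitimately, out of the diff. For classic hollowing, where a different PE is substituted outright, parse_pe() on the first page of the mapped image yields entry point and image base that can be compared against the file's headers as a cheaper first check.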
08/03/2010, 21:33
#19
elite*gold: 0
Join Date: Oct 2008
Posts: 1,243
Received Thanks: 670
Ohh I see, I get it now. I'll just run the game with this loader, rename the wintitle, and run another using the loader.
And btw it's working now, I compiled it to exe and moved the loader to elementclient.exe's directory. Running as many clients using the loader after renaming it also works.
Thanks for this lolkop
08/04/2010, 00:14
#20
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
This was just an example of what you can do if u're able to handle regexp functions and odbg =)
The loader will always work with all versions of PW, without needing to be updated. And it's able to do that with extremely efficient functions.
The cracking time takes like 900ms!
That's only possible if you know how to handle the regexp functions! Can't stop repeating that, but those functions are the most efficient functions AutoIt has got =)
08/04/2010, 05:50
#21
elite*gold: 0
Join Date: Oct 2008
Posts: 1,243
Received Thanks: 670
I just knew AutoIt is quite powerful, I thought it was all about macros.
Do you notice, as of the latest patch, flying is kinda buggy, or is it something they did to prevent flyhack? Sometimes it's like being teleported back a bit and it seems laggy. It's annoying because when PK'ing using an archer or other ranged char while flying, if being attacked by a melee char and getting stunned, releasing fly to quickly drop to avoid their next attack leaves our char hanging and static; you have to reuse the fly button once or twice to make it normal, and most of the time this causes my char to end up dead. If only this annoying bug could be NOP'ed, this would make ranged chars almost untouchable when PK'ing in the air.
08/04/2010, 09:36
#22
elite*gold: 0
Join Date: Oct 2008
Posts: 1,243
Received Thanks: 670
Btw while you're here, pls give me a hint about the select mob function you posted in the other thread.
I tried to use your SelectMob() function and put in my char ID, but it gave me an error like below. What did I miss?
Code:
>"C:\Program Files\AutoIt3\SciTE\..\autoit3.exe" /ErrorStdOut "G:\AutoIT\lolkop\selectmob tes.au3"
G:\AutoIT\lolkop\selectmob tes.au3 (12) : ==> Unknown function name.:
$OPcode &= 'A1'&_hex($base)
$OPcode &= 'A1'&^ ERROR
>Exit code: 1 Time: 0.209
Here is the full code I ran. I just want to simply try the SelectMob function to select a given char ID, hoping that my char will then properly target that specified NPC ID. It basically only contains your SelectMob and memopen functions, and runs SelectMob to make my char target another char with this ID -> 0x18AE50. I have also adjusted the values for $base, $select_call and $pick_call to the correct values for my client version.
Code:
Func SelectMob($id)
    Local $pRemoteMem, $hRemoteThread, $vBuffer, $loop, $result, $OPcode
    ; --- save the position of the allocated memory ---
    $pRemoteMem = DllCall($kernel32, 'int', 'VirtualAllocEx', 'int', $mid, 'ptr', 0, 'int', 0x46, 'int', 0x1000, 'int', 0x40)
    ; --- build up the asm code ---
    ; 0046061D A1 6C3E9F00 MOV EAX,DWORD PTR DS:[9F3E6C]
    ; 00460622 57 PUSH EDI <---- EDI Contains Mob-ID
    ; 00460623 8B48 20 MOV ECX,DWORD PTR DS:[EAX+20]
    ; 00460626 81C1 EC000000 ADD ECX,0EC
    ; 0046062C E8 8F961800 CALL elementc.005E9CC0
    $OPcode &= '60' ; pushad
    $OPcode &= 'A1'&_hex($base) ; mov eax, [base]
    $OPcode &= '68'&_hex($id) ; push mob-id
    $OPcode &= '8B4820' ; mov ecx, [eax+0x20]
    $OPcode &= '81C1'&_hex(0xEC) ; add ecx, 0xEC
    $OPcode &= 'E8'&_hex($select_call-$pRemoteMem[0]-5-StringLen($OPcode)/2) ; call select_call
    $OPcode &= '61' ; popad
    $OPcode &= 'C3' ; retn
    ; --- enter the asm code into a dllstruct, which can be used with WriteProcessMemory ---
    $vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
    For $loop = 1 To DllStructGetSize($vBuffer)
        DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
    Next
    ; --- now letz write the code from our dllstruct ---
    DllCall($kernel32, 'int', 'WriteProcessMemory', 'int', $mid, 'int', $pRemoteMem[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)
    ; --- now we run the asm code we've just written ---
    $hRemoteThread = DllCall($kernel32, 'int', 'CreateRemoteThread', 'int', $mid, 'int', 0, 'int', 0, 'int', $pRemoteMem[0], 'ptr', 0, 'int', 0, 'int', 0)
    ; --- wait till the thread did its job ---
    Do
        $result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
    Until $result[0] <> 258
    ; --- close everything we've opened ---
    DllCall($kernel32, 'int', 'CloseHandle', 'int', $hRemoteThread[0])
    DllCall($kernel32, 'ptr', 'VirtualFreeEx', 'hwnd', $mid, 'int', $pRemoteMem[0], 'int', 0, 'int', 0x8000)
    Return True
EndFunc

Func memopen($pid)
    Local $mid = DllCall($kernel32, 'int', 'OpenProcess', 'int', 0x1F0FFF, 'int', 1, 'int', $pid)
    Return $mid[0]
EndFunc

#include <array.au3>
Global $kernel32 = DllOpen('kernel32.dll')
Global Const $base = 0x98ADDC, $select_call = 0x5B7B70, $pick_call = 0x5B7B00
Global $pid = ProcessExists('elementclient.exe')
Global $mid = memopen($pid)
$id = 0x18AE50
SelectMob($id)
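The SelectMob routine above is the textbook remote-code chain: OpenProcess with full access, VirtualAllocEx with PAGE_EXECUTE_READWRITE (0x40), WriteProcessMemory, CreateRemoteThread at the written address, WaitForSingleObject, VirtualFreeEx. That same sequence is what an endpoint monitor keys on. The following is an added example, not code from this thread: a detector that replays a process's API calls and alerts when executable memory is allocated (or later re-protected as executable) in another process, written to, and then used as a remote thread's start address. The trace lines and their "pid API(args) -> ret" format are constructed for this example and are not the output of any real tool; the API names and protection constants are the Win32 ones.

```python
import re

PAGE_EXECUTE = {0x10, 0x20, 0x40, 0x80}      # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
CALL_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)\s*->\s*(?P<ret>\S+)$")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+|\d+)")


def parse_call(line):
    """Parse one trace line into (pid, api, {arg: int}, return value); None if malformed."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = {name: int(value, 0) for name, value in ARG_RE.findall(m["args"])}
    return int(m["pid"]), m["api"], args, int(m["ret"], 0)


def detect_remote_code_injection(lines):
    """Alert when one process allocates (or re-protects) executable memory in
    another, writes into it, and then starts a remote thread inside that region."""
    regions = {}                              # (pid, hProcess) -> [base, size, executable, written]
    alerts = []
    for line in lines:
        parsed = parse_call(line)
        if parsed is None:
            continue
        pid, api, a, ret = parsed
        key = (pid, a.get("hProcess"))
        if api == "VirtualAllocEx" and ret:
            regions.setdefault(key, []).append(
                [ret, a["dwSize"], a.get("flProtect") in PAGE_EXECUTE, False])
        elif api == "VirtualProtectEx":       # RW allocation made executable afterwards
            for r in regions.get(key, []):
                if r[0] <= a["lpAddress"] < r[0] + r[1] and a.get("flNewProtect") in PAGE_EXECUTE:
                    r[2] = True
        elif api == "WriteProcessMemory":
            for r in regions.get(key, []):
                if r[0] <= a["lpBaseAddress"] < r[0] + r[1]:
                    r[3] = True
        elif api == "CreateRemoteThread":
            start = a["lpStartAddress"]
            for base, size, executable, written in regions.get(key, []):
                if executable and written and base <= start < base + size:
                    alerts.append({"pid": pid, "hProcess": a["hProcess"], "start": start})
    return alerts


# Constructed traces (made-up format and values). The first mirrors SelectMob's
# calls; the second allocates RW and re-protects; the third is a benign reader.
INJECTION_TRACE = """\
1234 OpenProcess(dwDesiredAccess=0x1F0FFF, bInheritHandle=1, dwProcessId=4321) -> 0x2a8
1234 VirtualAllocEx(hProcess=0x2a8, lpAddress=0x0, dwSize=0x46, flAllocationType=0x1000, flProtect=0x40) -> 0x3f0000
1234 WriteProcessMemory(hProcess=0x2a8, lpBaseAddress=0x3f0000, nSize=0x1c) -> 1
1234 CreateRemoteThread(hProcess=0x2a8, lpStartAddress=0x3f0000, lpParameter=0x0) -> 0x2b4
1234 WaitForSingleObject(hHandle=0x2b4, dwMilliseconds=50) -> 0
1234 VirtualFreeEx(hProcess=0x2a8, lpAddress=0x3f0000, dwSize=0x0, dwFreeType=0x8000) -> 1
""".splitlines()

RW_THEN_RX_TRACE = """\
9012 VirtualAllocEx(hProcess=0x300, lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x04) -> 0x6b0000
9012 WriteProcessMemory(hProcess=0x300, lpBaseAddress=0x6b0000, nSize=0x40) -> 1
9012 VirtualProtectEx(hProcess=0x300, lpAddress=0x6b0000, dwSize=0x1000, flNewProtect=0x20) -> 1
9012 CreateRemoteThread(hProcess=0x300, lpStartAddress=0x6b0010, lpParameter=0x0) -> 0x310
""".splitlines()

BENIGN_TRACE = """\
5678 OpenProcess(dwDesiredAccess=0x1F0FFF, bInheritHandle=0, dwProcessId=4321) -> 0x1c4
5678 VirtualAllocEx(hProcess=0x1c4, lpAddress=0x0, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x04) -> 0x5a0000
5678 WriteProcessMemory(hProcess=0x1c4, lpBaseAddress=0x5a0000, nSize=0x10) -> 1
5678 ReadProcessMemory(hProcess=0x1c4, lpBaseAddress=0x400000, nSize=0x1000) -> 1
""".splitlines()

if __name__ == "__main__":
    for name, trace in [("injection", INJECTION_TRACE), ("rw-then-rx", RW_THEN_RX_TRACE),
                        ("benign", BENIGN_TRACE)]:
        print(name, detect_remote_code_injection(trace))
```

Correlating on the (pid, hProcess) pair is what keeps the benign trace quiet: writing into another process is common for debuggers and some installers, and it is only the executable region plus the remote thread starting inside it that makes the chain suspicious. On a real host the last link is also visible as Sysmon event ID 8 (CreateRemoteThread), which carries the source and target images for allow-listing.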
08/04/2010, 12:13
#23
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
First of all, you have to use memclose and DllClose at the end of ur script!
And about the _hex function: you can use my _hex function posted or write your own function.
08/04/2010, 13:26
#24
elite*gold: 0
Join Date: Oct 2008
Posts: 1,243
Received Thanks: 670
OMG it works! Now I can fix my bot, yay.
Can I use the SelectMob function to pick up drops by using the drop's npcID? Or is it a different function?
08/04/2010, 13:36
#25
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
Check my post again -.- I've posted a pickup function.
08/04/2010, 13:41
#26
elite*gold: 0
Join Date: Oct 2008
Posts: 1,243
Received Thanks: 670
Oh ok lol, I'll get it later once I've finished fixing my bot ^^)
Tks a lot for all the help.
-edit-
I just tested your SelectMob function and tried to cast a heal skill but it didn't allow me to cast the skill. It still looks like the old targeting method of just passing the NPC ID to the target offset: it doesn't allow skill casting and always says 'invalid target'. It can show the correct HP bar though, unlike just passing the NPC ID to the target offset.
08/04/2010, 14:10
#27
elite*gold: 0
Join Date: Jun 2010
Posts: 16
Received Thanks: 4
I tested it with PW INT and PW MS and the mob select function works fine.
(But where do you find the offset for the moblist - mob name and special infos? I can't get it to work in PW MS.)
08/04/2010, 14:14
#28
elite*gold: 0
Join Date: Oct 2008
Posts: 1,243
Received Thanks: 670
Yea the mob select function works fine until you try to cast a skill, then it'll still say 'invalid target'.
Have you tried casting a skill on your target after selecting it using lolkop's SelectMob function? How is it in PW INT/MS?
08/04/2010, 14:19
#29
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
Finding names is kinda easy. Select a mob and build a script which loops from 0 to 0x1000 and does memread(memread(x), 'wchar[30]'). If it is the mob name, that's the offset =)
Finding the special info is kinda tricky. I did it this way: I've built a function which saves the memory range of 0x4096 around the mob_base in a separate file.
I did that for lots of different mobs and compared the newly created files. That way I've found all the differences between the mobs in the mob_base range =)
edit:
Selecting and attacking mobs works just fine in PWI. Why would I publish functions if they were useless?
08/04/2010, 14:24
#30
elite*gold: 0
Join Date: Oct 2008
Posts: 1,243
Received Thanks: 670
Sorry, looks like I compiled the wrong file lol, it's working just fine.