[ASK] about memory address

Smurfin · 08/28/2010, 13:17

Quote:

Originally Posted by No0oB

for me it works idk why it didn't show the table to you maybe you don't have runned it in your ..\element\ folder of your pw
the script needs to be in the same dir with 'elementclient.exe' file ^^

It still won't work for me, could you please check how it's written in my autoit editor, and see if there is anything wrong with the formatting after being copy pasted.

I already put it in my element folder, also tried putting the script file seperately and put a copy of elementclient.exe instead but still the same.

I only paste an exact copy of what lolkop posted above and add a consolwrite in there to check what value would $offsets[i] have, but it also doesn't show anything.

Spoiler

lolkop · 08/28/2010, 13:59

Quote:

Originally Posted by Smurfin

It still won't work for me, could you please check how it's written in my autoit editor, and see if there is anything wrong with the formatting after being copy pasted.

I already put it in my element folder, also tried putting the script file seperately and put a copy of elementclient.exe instead but still the same.

I only paste an exact copy of what lolkop posted above and add a consolwrite in there to check what value would $offsets[i] have, but it also doesn't show anything.

Spoiler

run no0obs offsetfinder:

and remove the offsets that can't be found from the function....

Smurfin · 08/28/2010, 14:02

thanks for the news, going there now

unnang · 08/28/2010, 14:37

yes... it's work lol.. thanks ..

@Lolkop

$offsets = StringRegExp($read, '.*?895D0089BE(.{8})'& _ ;PhyDefSearch
'.*?89AE(.{8})'& _ ;EvasioSearch
'.*?8B0D(.{8})898D40F1FFFF6A01'& _ ;BaseAddress
'.*?33C98986(.{8})8A4F03'& _ ;LevelSearch
'.*?898E(.{8})'& _ ;CultiSearch
'.*?8B57148996(.{8})8B4718'& _ ;ExpSearch
'.*?8B4F04898E(.{8})8B570C'& _ ;HpSearch
'.*?8996(.{8})'& _ ;MpSearch
'.*?8B471C8986(.{8})8B4F08'& _ ;ChiSearch
'.*?898E(.{8})'& _ ;MaxHpSearch
'.*?8B57108996(.{8})8B4720'& _ ;MaxMpSearch
'.*?8986(.{8})8A4702'& _ ;MaxChiSearch
'.*?8BC28991(.{8})8B0D'& _ ;TargetSearch
'.*?8B108996(.{8})8B4004'& _ ;GoldSearch
'.*?898E(.{8})8BC8898E'& _ ;JumpSearch
'.*?6A0A8986(.{8})'& _ ;StateSearch
'.*?8986(.{8})8B40048BC8'& _ ;CastingIDSearch
'.*?A1(.{8})578B482081C1EC'& _ ;BaseCall
'.*?8B8E(.{8})3BCB740655'& _ ;PetSearch
'.*?8B8E(.{8})8B47503BC8'& _ ;StrSearch
'.*?8B96(.{8})8B47543BD0'& _ ;DexSearch
'.*?8B86(.{8})8B4F5C3BC1'& _ ;VitSearch
'.*?8B8E(.{8})8B47603BC8'& _ ;MagSearch
'.*?8B96(.{8})8B47643BD0'& _ ;ReputationSearch
'.*?EB5D8B8E(.{8})B801'& _ ;CharClassSearch
'.*?8B83(.{8})8D4C243C', 1) ;NameSearch

how can i obtain all that searching pattern? where should i look ?
can i search for skill and action offset or input key offset?
wow.. nice coding.. thanks a lots lol

Smurfin · 08/29/2010, 18:34

@Interest07 :
I want to test digging resources on ground using your function you posted earlier, the one I quote below. Here is how I write each pointer in autoit, could you please check if I write each one correctly ? just for these ones, because it's kinda confusing which one I should use memread or don't memread, but I made it exactly like what you posted below.

$AppBaseAddress=memread($base)+0x1c
$CharacterDatabase = memread(memread($AppBaseAddress) + 0x20) ; I use ProphetBot's $CHAR_DATA_BASE
$ActionStruct=$CharacterDatabase+0xFF4 ; check with the darkred colored below
$ActionList=memread($ActionStruct+0x30) ; check with the red colored below
$WalkToAction=memread($ActionList+0x8) ; check with the dimgray colored below

$CharacterDatabase makes me confused because it uses memread twice, also in $ActionStruct there is no memread used.

Quote:
Originally Posted by Interest07
This isn't quite AutoIt code, but it should be clear how it works. actionStruct is [CHARACTER_DATABASE + 0xFF4] in PWI. This function is for starting conversation with NPC, performing regular attack on a mob, using skill on a mob or yourself, mining resources, or picking up an item from floor, depending on the interactionType you pass along.

WalkToAction is a wrong name for the variable, but it was due to some copy pasting, should see that more as "InteractWith"
Code:
InteractWith(objectId, interactionType, client, actionStruct, skillPointer=0)
{
	[COLOR="Red"]actionList := ReadMemory(actionStruct+0x30,client)[/COLOR]
	[COLOR="DimGray"]WalkToAction := ReadMemory(actionList+0x8,client)[/COLOR]

	writeMemory(0, WalkToAction+0x8, client)		;Action finished = 0
	writeMemory(1, WalkToAction+0x14, client)		;Action Start = 1
	writeMemory(0, WalkToAction+0x24, client)		;Action Not Start = 0
	writeMemory(objectId, WalkToAction+0x20, client)	;Set objectId to interact with
	writeMemory(interactionType, WalkToAction+0x38, client)	;Set type of action to perform (0 = regAtk, 1 = pick item, 2 = talk to NPC,3 = useSkill, 4 = gatherResources)
	writeMemory(0, WalkToAction+0x34, client)		;Set error = 0
	writeMemory(skillPointer, WalkToAction+0x50, client)
	writeMemory(WalkToAction, actionstruct+0xC, client)	;Set new action type WalkTo in action struct position action1
	writeMemory(1, actionstruct+0x18, client)		;Set next action position to 1
	writeMemory(WalkToAction, actionstruct+0x14, client)	;Set new action type WalkTo in action struct as next action	
}

Smurfin · 08/29/2010, 21:31

I just finished rewriting it using nomadmemory, comparing your autohotkey's follow function and this picker function then changing my autoit autofollow script slowly to match your autohotkey picker function, not quite understand what I really typed, more like translating, but surprisingly it works, weird

Interest07 · 08/29/2010, 22:36

AHhh I see you managed without me

Glad it's working for you

Good thing too, cos I'm not too great with autoIt

Smurfin · 08/29/2010, 22:47

I'm still curious about it though, when to use memread(memread , or just memread ($x + 0x1c) for example, it's too confusing for me lol because I learn pattern in dealing with memory addresses , not really understanding how it works

but hey, it works, got 5 ref.stl already, wonder how many will I have tomorrow when I wake up

hehe, tks again for the function, can use it to gain more gold, have to make a better script to deal with the mobs if want to put several mats id

oh, btw, Interest07, can that function be used to fly up ? or go to x,y,z coordinate, or maybe x,y are enough and no need a z

Interest07 · 08/30/2010, 12:58

the difference between memread(memread($x)+0x1C) and memread($x + 0x1C) is as follows:

Code:

address		value
00000000	00000000
00000004	00000010
00000008	00000000
0000000C	00000000
00000010	00000028
00000014	00000000
00000018	00000000
0000001C	00000000
00000020	AAAAAAAA
00000024	00000000
00000028	BBBBBBBB
0000002C	CCCCCCCC

say $x = 00000004
with the first method it would work out as follows:
memread($x) gives 00000010
memread(00000010 + 1c) = memread(0000002C) gives CCCCCCCC

second method works as follows:
memread(00000004 + 1C) = memread(00000020) gives AAAAAAAA

You'd use the first method if $x is the address where the address of a structure is stored (say your player data) and 1C is the offset from the start of the structure to the value you desire.

The second method would be used if $x contained the address to the start of a structure (say your player data) and 1C is again the offset from the start of the structure to the value you want.

THe particular function you use for gathering mats is only for interacting with other objects (with their own objectId). In order to move you use a different function, mine would look as follows:

Code:

MoveTo(X, Y, Z, moveType, client, actionStruct, height=-1.0)
{
	actionList := ReadMemory(actionStruct+0x30,client)
	MoveAction := ReadMemory(actionList+0x4,client)

	writeMemory(0, MoveAction+0x8, client)				;Action finished = 0
	writeMemory(1, MoveAction+0x14, client)				;Action Start = 1	
	writeMemory(FloatToHex(X), MoveAction + 0x20, client)
	writeMemory(FloatToHex(Y), MoveAction + 0x24, client)
	writeMemory(FloatToHex(Z), MoveAction + 0x28, client)
	writeMemory(FloatToHex(height), MoveAction + 0x68, client)
	if(height >= 0.0)
	{
		writeMemory(26625, MoveAction + 0x64, client)
		writeMemory(256, MoveAction + 0x6C, client) 
	}
	else 
	{
		writeMemory(26624, MoveAction + 0x64, client)
		writeMemory(65536, MoveAction + 0x6C, client) 
	}
	writeMemory(moveType, MoveAction + 0x2C, client)		;Not supported yet
	writeMemory(MoveAction, actionstruct+0xC, client)
	writeMemory(1, actionstruct+0x18, client)
	writeMemory(moveAction, actionstruct+0x14, client)
}

For movement Type use 0. [3 would be for using WASD (and space when flying) and 4 would be jumping, but I haven't looked into getting them to work yet.] If you don't specify a height, the character will just move towards the specified X, Y coordinates. If you do specify a height, it will act like it does when you click on the radar or map to move and will slowly increase (or decrease) altitude as normal towards the value indicated in height. In order to fly straight up, you'd need to either look for a way to use moveType 3, or use the sending packets method i posted somewhere in the prophets thread.

Smurfin · 08/30/2010, 13:31

thanks for the illustration and moveto function

I'll try to make an autoit function based on that as well

turns out the char need to be moved a bit closer because sometimes even though some ground resources are nearby, the function won't pick them, but it's not the function's fault because items detection function also won't list in in arraydisplay even though it's really not too far, it's just the game's behaviour.

about the example, assuming $x=$base=00000004, for $AppBaseAddress=memread($base)+0x1c, then the result would be :
00000010 + 0x1C = 2C , right ?

and for $CharacterDatabase = memread(memread($AppBaseAddress) + 0x20)
the result would be memread(2C+20) = memread(0000004C), and the result would be taken from value column.

hehe tks again for the example, I hope I got it right

Interest07 · 08/30/2010, 15:02

Quote:

Originally Posted by Smurfin

thanks for the illustration and moveto function I'll try to make an autoit function based on that as well turns out the char need to be moved a bit closer because sometimes even though some ground resources are nearby, the function won't pick them, but it's not the function's fault because items detection function also won't list in in arraydisplay even though it's really not too far, it's just the game's behaviour.

about the example, assuming $x=$base=00000004, for $AppBaseAddress=memread($base)+0x1c, then the result would be :
00000010 + 0x1C = 2C , right ?

and for $CharacterDatabase = memread(memread($AppBaseAddress) + 0x20)
the result would be memread(2C+20) = memread(0000004C), and the result would be taken from value column.

hehe tks again for the example, I hope I got it right

Almost, you got $appBaseAddress = 2C, so then $characterDatabase = memread(memread(2C) + 0x20) = memread(CCCCCCCC + x20) = memread(CCCCCCEC)

example for reading say, your HP:

memread(memread(memread(memread($baseAddress)+0x1C )+0x20)+$hpOffset) would be the HP value of your character for example. SO you'd get to this value by doing it as follows, say $HPOffset = 0x464:

Code:

address		value
00000000	00000000
00000004	00000010
00000008	00000000
0000000C	00000000
00000010	00000028
00000014	00000000
00000018	00000000
0000001C	00000000
00000020	AAAAAAAA
00000024	00000000
00000028	BBBBBBBB
0000002C	CCCCCCCC
------------------------
CCCCCCEC	87654320
------------------------
57463524	76463768	
57463528	00000003	
5746352C	00000001	
57463530	87654320	

------------------------
876546C0	57463524	;

8765477C	0000005B	;91
87654780	00000030	;
87654784	000013EC	;5100
87654788	00000546	;1350
8765478C	0023CACE	;2345678
87654790	0009FBF1	;654321
87654794	00000000	;0
87654798	0000012B	;299




$val1 = memread($baseAddress)                        ;00000010        (no offsets used here)
$val2 = memread($val1 + 0x1C)                         ;memread(0000002C) = CCCCCCCC
$character_database = memread($val2 + 0x20)    ;memread(CCCCCEC) = 87654320
$HP = memread($character_database +0x464)     ;memread(87654784) = 5100

As you can see, 4 bytes below in memory the MP would be located (offset 0x468), 8 bytes above it would be your lvl, etcetera. All the values contained in the addresses between 0x87654320 and 0x8765477C would also contain values that are inherent to your character, either actual values, such as your level, or your chi, or addresses to the start of other structures/strings/lists that should be part of your character, such as lists of your equipment, your character name, or your genie. These things have an address instead of a value, because they usually envelop more than 4 bytes and are stored elsewhere in memory.

Take for example your genie, it's an object and thus too big to be stored in just 4 bytes. Instead you will get an address of the start of this object in memory. This address will be stored somewhere in your character_database, say at offset 0x3A0. So in order to get values belonging to your genie, you'd do:
$genie = memread($character_database + 0x3A0) = 0x57463524
now if you'd want the genie type for example you'd do
$geneType = memread($genie + 0x8) = memread(0x5746352C ) = 1
or if you'd want to see the owner of the genie you'd do
$owner = memread($genie + 0xC) = 87654320, which is the address of our character_database again

Smurfin · 08/30/2010, 19:20

I think I get it now, the value of a pointer+offset can still contain another pointer and need another offset until we get to the pointer/address in which the real value of what we're looking for is stored.

That's why we need to know the starting point first and follow a custom offset-pointer rule in between before then we can get to the real value. Kinda similar to what Shareen explained earlier. Can't really find a fixed/static address even for the easiest to find like HP in PW, I was so wrong lol

thanks Interest07, and everyone for the explanations

I hope it can be easier the next time I'm in the middle of this kind of thing when dealing with memory address.

Interest07 · 08/30/2010, 21:00

Yeah, you will almost always be looking for a value you can only get by using pointers when viewing memory in games or any other program really. Takes some getting used to, but I find it quite interesting to see how programs work at this low level.

unnang · 08/31/2010, 00:38

hello..
after read your post here, i turn my attention back in memory address reading.

according to Interest07 (thanks before), i made a func to do a normal attack. here is the code

;writeMemory(0, WalkToAction+0x34, client) ;Set error = 0
_MEMORYPOINTERWRITE($APP_BASE_ADDRESS, $PROCESS_INFORMATION, $SETERR, 0)
;writeMemory(objectId, WalkToAction+0x20, client) ;Set objectId to interact with
$OBJECTID = MEMREAD(MEMREAD(MEMREAD($APP_BASE_ADDRESS) + 0X20) + 0XAF8)
_MEMORYPOINTERWRITE($APP_BASE_ADDRESS, $PROCESS_INFORMATION, $OFF_OBJECTID, $OBJECTID)
;writeMemory(interactionType, WalkToAction+0x38, client) ;Set INTERACT type of action to perform (0 = regAtk, 1 = pick item, 2 = talk to NPC,3 = useSkill, 4 = gatherResources)
_MEMORYPOINTERWRITE($APP_BASE_ADDRESS, $PROCESS_INFORMATION, $ACTTYPE, 0)

;writeMemory(WalkToAction, actionstruct+0xC, client) ;Set new action type walkTo in action struct position action1
$NORMALATTACK = MEMREAD(MEMREAD(MEMREAD(MEMREAD(MEMREAD($APP_BASE_ ADDRESS) + 0X20) + 0XFE0) + 0X30) + 0X8)
_MEMORYPOINTERWRITE($APP_BASE_ADDRESS, $PROCESS_INFORMATION, $NEWACTIONTYPEINACT, $NORMALATTACK)
;writeMemory(1, actionstruct+0x18, client) ;Set next action position to 1
_MEMORYPOINTERWRITE($APP_BASE_ADDRESS, $PROCESS_INFORMATION, $NEXTACTPOS, 1)
;writeMemory(WalkToAction, actionstruct+0x14, client) ;Set new action type WalkTo in action struct as next action
_MEMORYPOINTERWRITE($APP_BASE_ADDRESS, $PROCESS_INFORMATION, $NEXTACT, $NORMALATTACK)

but, the function only can kill 1 mobs, after that, my char just standing there. no movement. sometime, my char run to target, but nothing happen, even mobs did do anything to my char? just like being disconnected, so.. please check my code n what i'm miss here? thanks lol..

Interest07 · 08/31/2010, 09:22

For this function to work, you have to have the mob you are attacking selected, or it will only run up to the mob but not attack. Furthermore, this function is only designed to attack a single mob. You'd need to search around the mob list for a next target to kill after the previous one is dead.