need help finding adresses

[Mystery Joe]

hello everyone,
i wrote a script lately based on imagesearch and moveclick/move commands with autoit. when i got to know about the memory stuff i decided to rewrite it with those functions. unfortunatly i have some problems finding the adresses for certain things. hope you guys might help me with those.
the most important adress i need is the one to move. i tried finding that adress by searching for 1 when running and 0 when standing. the adress i got was just toggling on and off the animation for running.
what i also need help with is how to find out out the adresses that are relevant to navigate in a npc window, selling a certain item and checking what stats an item has.i was using ce before to find out adresses so if it is possible please explain it with ce since im familiar with it. also i wasnt sure if you can do all those things with just editing the values of the adresses if you dont just tell me.
thx in advanced Joe

[Interest07]

For moving and certain other actions I'd suggest the link in my sig about 'sending packets'. For moving, follow the link in that thread about actionstructs, for other actions, the packets might help you.

Item lists can be found in the player struct:

Code:

       0xC50		inventoryItemList;
       0xC54		equipmentItemList;
       0xC58		questItemList;
       0xC6C	 	shopItemList1;
       0xC70	      	shopItemList2;
       0xC74	      	shopItemList3;
       0xC78	      	shopItemList4;
       0xC7C	      	shopItemList5;
       0xC80	      	shopItemList6;
       0xC84	      	shopItemList7;
       0xC88	      	shopItemList8;
       0xC8C	      	bankItemList;
       0xC90	      	matBankItemList;
       0xC94	      	fashionBankItemList;
       0xCA4	      	catShopSellingItemList;
       0xCA8	      	catShopBuyingItemList;
       0xCAC	      	viewPlayerInfoItemList;

so to look at the description of item i in your inv for example you'd look at
[[[[player + 0xC50] + 0xC] + i * 0x4] + 0x40]
or for the item type id
[[[[player + 0xC50] + 0xC] + i * 0x4] + 0x8]

I'd recommended checking out other offsets to find the remaining values you are interested in. Keep in mind that durability is stored as a value 100 * what you see in game (the game only shows a decrease in durability every 100 hits). Also attack speed is stored in intervals of 0.05 seconds. So to get your ingame attack speed you'd have do 20 / what you find in memory.

Item mods / addons / whatever you might want to call it like +hp are stored in a separate list with a special id indicating what type of mod they are. I don't believe there is currently an online database for those available.

edit: oops I was assuming you play PWI, these offsets are for PWI at least, for other versions they are likely to be around the same bit in your player struct though.

[Mystery Joe]

ok thx for your response. well i just started studying this memory coding stuff. thats why i didnt get the main idea about structs and sending packet(thought i might avoid that topic). so pls dont mind if i ask you some questions that might be noobish.
1. what is the difference between the base adress and the real base adress?
2. what are structs and how do you find them?
there is another post of you where you wrote this

Code:

baseAddress = [0xA5B90C]
structureAddress = [baseAddress + 0x1C]
playerAddress = [structureAddress + 0x20]
actionStructAddress = [playerAddress + 0xFF4]

to explain how to find the actionstruct. i looked at it to try understanding it. however i still have some questions about what the single offsets stand for.
i read somewhere that baseAdress + 0x1c is the real base adress but still 0x20 and 0xff4 are unclear.
3. let me post another example from your sending packets thread.

Code:

#include <GUIButton.au3>
#include <GUIToolbar.au3>
#include <GUIConstantsEx.au3>
#include <ProgressConstants.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
#include <EditConstants.au3>
#include <NomadMemory.au3>
#include <Array.au3>

Global $kernel32 = DllOpen('kernel32.dll')
Global $pid = ProcessExists('elementclient.exe')
global $realBaseAddress = 0x0098657C
global $sendPacketFunction = 0x005BD7B0

Func swapItemInBank($bankIndex1, $bankIndex2, $pid)
    ;//swaps the location of two stacks in bank. bankIndex runs
    ;//from 0, topleft,  to 15, bottomright, in a standard non 
    ;//upgraded bank.
    local $packet, $packetSize

    $packet = '3800'
    $packet &= '03'
    $packet &= _hex($bankIndex1, 2)
    $packet &= _hex($bankIndex2, 2)
    
    $packetSize = 5
    
    sendPacket($packet, $packetSize, $pid)
EndFunc

ok lets start^^
how do you find the sendpacketfunction adress?(without your retriever because it tells me some error and it might not work on the privat server anyway)
what does that 3800 and 03 stand for? i guess it has soemthing to do with the opcode correct me if im wrong.

hmm ok thats all for first and sry if that questions are dumb. if there is a something i should study first before asking let me know^^ oh and ye its not pwi but a privat server i want to make that bot work on

[Interest07]

Quote:

Originally Posted by Mystery Joe

ok thx for your response. well i just started studying this memory coding stuff. thats why i didnt get the main idea about structs and sending packet(thought i might avoid that topic). so pls dont mind if i ask you some questions that might be noobish.
1. what is the difference between the base adress and the real base adress?

This is more a bit of a difference of opinion. Originally people used a certain baseAddress as base address. Let's call this address X. Other people however, discovered you got to address X by looking at a value [Y + 0x1C]. Since people were already calling X baseAddress and this value was called as such in ini files etcetera, I took to calling address Y 'realBaseAddress' as when you look in the game code, X will generally be derived from Y, so Y would be the real base address, instead of what was before mistakingly thought as base address.

Quote:

2. what are structs and how do you find them?

structures are what you store data in in programming, kinda like arrays, has an explanation on itm structures more or less.
or check out this thread for information on how memory is structured:

Quote:

there is another post of you where you wrote this

Code:

baseAddress = [0xA5B90C]
structureAddress = [baseAddress + 0x1C]
playerAddress = [structureAddress + 0x20]
actionStructAddress = [playerAddress + 0xFF4]

to explain how to find the actionstruct. i looked at it to try understanding it. however i still have some questions about what the single offsets stand for.
i read somewhere that baseAdress + 0x1c is the real base adress but still 0x20 and 0xff4 are unclear.

After reading the previous examples these offsets will make more sense I hope, 0x20 basically leads to your player structure which contains values such as hp, mp, exp, your stats, but also things like your action structures.The 0xFF4 points to your action structures in PWI. For your private server it will undoubtedly be different.

Quote:

3. let me post another example from your sending packets thread.

Code:

#include <GUIButton.au3>
#include <GUIToolbar.au3>
#include <GUIConstantsEx.au3>
#include <ProgressConstants.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
#include <EditConstants.au3>
#include <NomadMemory.au3>
#include <Array.au3>

Global $kernel32 = DllOpen('kernel32.dll')
Global $pid = ProcessExists('elementclient.exe')
global $realBaseAddress = 0x0098657C
global $sendPacketFunction = 0x005BD7B0

Func swapItemInBank($bankIndex1, $bankIndex2, $pid)
    ;//swaps the location of two stacks in bank. bankIndex runs
    ;//from 0, topleft,  to 15, bottomright, in a standard non 
    ;//upgraded bank.
    local $packet, $packetSize

    $packet = '3800'
    $packet &= '03'
    $packet &= _hex($bankIndex1, 2)
    $packet &= _hex($bankIndex2, 2)
    
    $packetSize = 5
    
    sendPacket($packet, $packetSize, $pid)
EndFunc

ok lets start^^
how do you find the sendpacketfunction adress?(without your retriever because it tells me some error and it might not work on the privat server anyway)

The retriever might work, you have to have it in the same folder as your elementclient.exe before running it, that might be the issue? Otherwise the client is too different. I did post a guide on how to find the address though with IDA pro in that same thread(the WQ bot thread).

Quote:

what does that 3800 and 03 stand for? i guess it has soemthing to do with the opcode correct me if im wrong.

yup, that';s just basically for the server to know what type of packet it is, they make no specific sense, as in there's no meaning behind those specific numbers. They're were arbitrarily chosen by the makers of the game.

Quote:

hmm ok thats all for first and sry if that questions are dumb. if there is a something i should study first before asking let me know^^ oh and ye its not pwi but a privat server i want to make that bot work on

no such thing as a dumb question, well, there is, but these weren't dumb questions

[Interest07]

Quote:

Originally Posted by Mystery Joe

ok thx for your response. well i just started studying this memory coding stuff. thats why i didnt get the main idea about structs and sending packet(thought i might avoid that topic). so pls dont mind if i ask you some questions that might be noobish.
1. what is the difference between the base adress and the real base adress?

This is more a bit of a difference of opinion. Originally people used a certain baseAddress as base address. Let's call this address X. Other people however, discovered you got to address X by looking at a value [Y + 0x1C]. Since people were already calling X baseAddress and this value was called as such in ini files etcetera, I took to calling address Y 'realBaseAddress' as when you look in the game code, X will generally be derived from Y, so Y would be the real base address, instead of what was before mistakingly thought as base address.

Quote:

2. what are structs and how do you find them?

edit: pastebin seems to be down, I wrote what that links to about a month ago, so I'm not entirely sure what is in it exactly, but it did explain something about structures for items I'm pretty sure

structures are what you store data in in programming, kinda like arrays, has an explanation on itm structures more or less.
or check out this thread for information on how memory is structured:

Quote:

there is another post of you where you wrote this

Code:

baseAddress = [0xA5B90C]
structureAddress = [baseAddress + 0x1C]
playerAddress = [structureAddress + 0x20]
actionStructAddress = [playerAddress + 0xFF4]

to explain how to find the actionstruct. i looked at it to try understanding it. however i still have some questions about what the single offsets stand for.
i read somewhere that baseAdress + 0x1c is the real base adress but still 0x20 and 0xff4 are unclear.

After reading the previous examples these offsets will make more sense I hope, 0x20 basically leads to your player structure which contains values such as hp, mp, exp, your stats, but also things like your action structures.The 0xFF4 points to your action structures in PWI. For your private server it will undoubtedly be different.

Quote:

3. let me post another example from your sending packets thread.

Code:

#include <GUIButton.au3>
#include <GUIToolbar.au3>
#include <GUIConstantsEx.au3>
#include <ProgressConstants.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
#include <EditConstants.au3>
#include <NomadMemory.au3>
#include <Array.au3>

Global $kernel32 = DllOpen('kernel32.dll')
Global $pid = ProcessExists('elementclient.exe')
global $realBaseAddress = 0x0098657C
global $sendPacketFunction = 0x005BD7B0

Func swapItemInBank($bankIndex1, $bankIndex2, $pid)
    ;//swaps the location of two stacks in bank. bankIndex runs
    ;//from 0, topleft,  to 15, bottomright, in a standard non 
    ;//upgraded bank.
    local $packet, $packetSize

    $packet = '3800'
    $packet &= '03'
    $packet &= _hex($bankIndex1, 2)
    $packet &= _hex($bankIndex2, 2)
    
    $packetSize = 5
    
    sendPacket($packet, $packetSize, $pid)
EndFunc

ok lets start^^
how do you find the sendpacketfunction adress?(without your retriever because it tells me some error and it might not work on the privat server anyway)

The retriever might work, you have to have it in the same folder as your elementclient.exe before running it, that might be the issue? Otherwise the client is too different. I did post a guide on how to find the address though with IDA pro in that same thread(the WQ bot thread).

Quote:

what does that 3800 and 03 stand for? i guess it has soemthing to do with the opcode correct me if im wrong.

yup, that';s just basically for the server to know what type of packet it is, they make no specific sense, as in there's no meaning behind those specific numbers. They're were arbitrarily chosen by the makers of the game.

Quote:

hmm ok thats all for first and sry if that questions are dumb. if there is a something i should study first before asking let me know^^ oh and ye its not pwi but a privat server i want to make that bot work on

no such thing as a dumb question, well, there is, but these weren't dumb questions

[Mystery Joe]

Hello,
thx for your post it was really enlightening xD. I think i understood most now. So let me make something sure.
[[[[player + 0xC50] + 0xC] + i * 0x4] + 0x40]
as you posted this is the adress for the description in the item list for pwi.

Player – adress of the playerstruct
0x40 – the offset that points to the describtion
0xc50 – the offset that points to the inventory
0xc - the offset of the real base adress
i - the inventory slot
0x4 - idk (maybe the bytes?^^ however should be 0x4 always anyway right?)

so in my case the actionstruct adress would be 0x0092764c + 20
the 'i' and the '0x4' should be clear also but how do i search for the adress for the inventory list and the one for the describtion?
And about the sending packets thing: can i just edit the baseadress and sendpacketfuncadress and put the rest to the include folder to use those funcs it in my scripts? That just sounds too simple^^
yes ofc i put the elementclient.exe in the same folder as the offset finder but it shows me the following error: 'subscript used with non-array variable' in line 13
tried nooob's offset retriever also but it gets the wrong adresses.
Joe

[Interest07]

Quote:

Originally Posted by Mystery Joe

Hello,
thx for your post it was really enlightening xD. I think i understood most now. So let me make something sure.
[[[[player + 0xC50] + 0xC] + i * 0x4] + 0x40]
as you posted this is the adress for the description in the item list for pwi.

Player – adress of the playerstruct
0x40 – the offset that points to the describtion
0xc50 – the offset that points to the inventory
0xc - the offset of the real base adress
i - the inventory slot
0x4 - idk (maybe the bytes?^^ however should be 0x4 always anyway right?)

Well, it's actually:

player = [[[realBaseAddress] + 0x1C] + 0x20]
itemDescription[i] = [[[[player + 0xC50] + 0xC] + i * 0x4] + 0x40] + 0x0
0x1C - Structures
0x20 - Player
0xC50 - Inventory
0xC - List (0x10 instead of 0xC would point to max amount of slots)
This results in a list of pointers (so 4 byte values) to each of the items in inventory, sorted based on inventory slot so:
i * 0x4 - pointer to item i, i.e. item 0 is at 0, item 1 is at 0x4, item 2 at 0x8, etc
0x40 - item description pointer (is only updated after you've hovered over the item, its just an example to check if you found the right pointer for item)
0x0 - as with all strings, the actual characters will be found at the string pointer

Quote:

so in my case the actionstruct adress would be 0x0092764c + 20
the 'i' and the '0x4' should be clear also but how do i search for the adress for the inventory list and the one for the describtion?

First of all, actionstructs are not your player struct. They can be found inside the playerstruct. (In PWI they'd be found at [player + 0xFF4]). What you are looking at is the player struct (I Hope ) Try and use the 'realBaseAddress' though when getting to your player struct, as this will prevent confusion when calling certain ingame functions.

The best way to find the inventory offset would be to look up the itemId of an item you place in slot 0 (top left) of your inventory. Search for it in CE. Then move the item out of the top left inv slot (don't replace with another item) and search for 0. Repeat this process till you have one address left, then start working your way back. The first offset you'll meet will be 0x8 if all things are correct. This offset is very unlikely to be different on your version. Then 0x0 and same for the 0xC. The offset after that will probably be quite a bit lower than 0xC50, as your version is older, and less variables have been squeezed in between.

Another way to find it (providing you have the correct address for your player struct), is to simply look at
itemId of item in top left slot = [[[[player + X] + 0xC] +0] + 0x8]
starting with X = 0xC50, then decreasing X by 0x4 until you find the correct itemId.

Quote:

And about the sending packets thing: can i just edit the baseadress and sendpacketfuncadress and put the rest to the include folder to use those funcs it in my scripts? That just sounds too simple^^

Providing the packets are the same format for your version of PW, then yes, all you need is the proper base address and sendpacket address. It is likely that most of the packets will be the same, with perhaps one or two exceptions. This very much depends on how much your private server has been modified (which is usually not the case, as the people running private servers tend to leave it as is, for easier updates when new pirated content becomes available)

Quote:

yes ofc i put the elementclient.exe in the same folder as the offset finder but it shows me the following error: 'subscript used with non-array variable' in line 13
tried nooob's offset retriever also but it gets the wrong adresses.
Joe

Hmmm yeah, your private version uses a modified or really old version of PW then. Sorry, had to ask, a certain someone who I will not name failed to do this

[Sᴡoosh]

Quote:

Originally Posted by Interest07

Sorry, had to ask, a certain someone who I will not name failed to do this

<-----

Dun allways remind me you evil man!
Cheers^^

[Mystery Joe]

Quote:

The first offset you'll meet will be 0x8 if all things are correct. This offset is very unlikely to be different on your version. Then 0x0 and same for the 0xC. The offset after that will probably be quite a bit lower than 0xC50, as your version is older, and less variables have been squeezed in between.

did that and i found the offsets as you said. howveer i think that is the adress for the unique itemID so i still dont know how to find the description adress.

[/QUOTE]First of all, actionstructs are not your player struct.[/QUOTE]
yes sry actually i wanted to write player struct.

[/QUOTE] Providing the packets are the same format for your version of PW, then yes, all you need is the proper base address and sendpacket address.
[/QUOTE]
awesome^^ but since i cant use your retriever, is there a way to find the sendfuncadress without having to use ida pro? i dont like that at all. furthermore what is the sendfunctionadress?

and my last question: can you do every action ingame( like running/crafting/selling) without having to send packets just by editing the values stored in the memory? i tried several things like setting the adress for running on 1 but the char doesnt move.i looked at the adresses that are used for crafting a certain item to edit it but it wont craft the item. so is there anything i do wrong or cant you influence the gamne that way?

E: sry for failing at quoting-.-

[Interest07]

For some actions you can use the actionstructs that can be found in my packet thread (these work just by editing memory, no sending packets required here). For most other actions you'll need to inject functions. You can choose to either inject for packet function, or for each separate function that you need. Advantages to using packets for everything is that you only need to change one address after a patch. Benefits of using separate functions is that you perform actions as the game intends it, which in some cases can make things appear a bit more smooth.

The description offset will almost definitely be 0x40, so as long as you know how to get to the item, you'll be able to find the description.

sendFunctionAddress is the memory address of the function that sends packets in game. I suppose you might be able to find it using ollydbg, but I personally prefer ida. I doubt it will be easy to find with cheatEngine though.

[Mystery Joe]

well i really would like to use your functions but unfortunately i cant get this sendfunction adress. now that yours and other retriever do not work i tried it the way you wrote in the wq bot thread but im already stuck at the first step when im supposed to look for the text (void *Src, size_t size) it just doesnt find the text. so do you have any suggestion to figure it out another way?

i doubt the offset for the desprition is 0x40 because when i use that offset like this: ((((([0x0092764c+0x20]+0xB4C)+0xC)+0x0)+0x40)+0x0)
i dont get the description.

however do you know a tutorial about injection function except for the only written by toxic6666? cuz its kinda hard for me getting into that.

[Interest07]

Where can i get your version of PW?

[Mystery Joe]

check your private messages for which server and where to download it if you havent done it yet^^