Here's another tool that might prove useful for people who are just interested in disecting the game... If you just want to download bots and run them, you may as well leave now.
I'm currently working on a system to build custom in-game interfaces using the client's own mechanisms, so it was useful to me to investigate how the whole GUI system hangs together. Sometimes it's quicker to build a tool to investigate things for you than to spend weeks finding offsets, hence this little tool :P
In a nutshell, this tool will search the GUI base
Code:
[[[[baseCall]+0x1C]+0x18]+0x8]
for window objects, retrieving their offsets along with some information about them, plus information about their child objects, e.g., buttons, lists, labels, etc.
Run PWI, then launch this tool and it will list on the left all available GUI wndows in the client. Click on one of them and it will give you more information about the window. You can even open and close windows using the checkboxes next to the list of window objects hehe.
Be warned, trying to open some of them will crash the client... I'm not really too fussed about fixing that as it's only very few of them and they're windows that are not of interest to me.
That's about all there is to it - I won't go into details about how it works because it's fairly straightforward and you can just inspect the code if you're interested.
It's built with C# so you'll need Visual C# or Visual Studio to use it (Download or visual Studio 2010 Express - They're free and they kick AutoShit's arse )
I intend to build on it so that you can actually activate any control on any window via the tool's interface... Just not today lol.
Chances are the project might piss off your antivirus - I have crappy Avira on my Win7 box I tested this on and it kept telling me I had an infection even though I made the bloody thing - Hence I'm uploading the full source and not some dodgy .exe so you can inspect it. I was a little surprised as it only uses some process memory writes and doesn't even inject anything. I'm really not interested in stealing your precious facecock passwords and stuff, so if you don't trust it, don't download it. -(modified Swoosh quote... Thanks :P)
Oh... In another thread I kind of mentioned that it could open the console window. Well that was an inadvertant lie because I had accessed this during the building of this thing, but it's a slightly different approach to do that. As I'm generally a nice chap, I'll explain how to do that anyway lol.
If you want to play with the console stuff, you'll need A utility to "send to command prompt" is quite useful too - I use for this (Crappy Avira even alerted this as an infection - It's safe)
So, download sPCK to a folder somewhere, then copy interfaces.pck from your perfect world element folder into the sPCK folder.
***IMPORTANT*** Make a backup of interfaces.pck in case you screw something up.
Right click sPCK.exe -> Send to command prompt.
Now, to extract the .pck file...
Code:
sPCK.exe -x interfaces.pck
This will generate a folder called interfaces.pck.files
Open interface.pck.files\interfaces\ingame-v1.dcf and find the line:
Code:
Version01\console.xml 0 0 0
and change it to
Code:
Version01\console.xml 0 0 1
Save the file and close it, then delete your interfaces.pck file (the one in your sPCK folder!!!) and run sPCK again
Code:
sPCK.exe -c interfaces.pck.files
This will repack the files into a .pck
Once that's completed, copy the interfaces.pck file back to your element folder and launch the client. Woohoo! You now have a console that you can play around with.
It will stay open and you can't unfocus it, so if you want to remove it, you need to reinstate your original interfaces.pck file. If I can be arsed, I might find the GUI offset to close it lol.... But I can't be arsed today.
The commands for the console are available in the configs.pck file (extract with sPCK again, look for console_cmd.txt) but for your pleasure, here is the list of commands: (don't include the quotes)
Obviously the GM ones wont work so don't bother trying them.
It's not particularly useful as such, but it's quite fun to play around with (d_boundbox looks quite cool ^^)
Well... I say it's not useful, but some of the commands there will display NPC / Player IDs above their heads - So that's very useful if you're looking for offsets etc.
I'm quite curious about the adding your own windows to the gui thing. I'm not gonna continue with the d3d8 stuff for now if that proves possible, because it would be a much cleaner solution
I'm quite curious about the adding your own windows to the gui thing. I'm not gonna continue with the d3d8 stuff for now if that proves possible, because it would be a much cleaner solution
Well... Don't give up on yours just yet lol - So far, I can add my own window into the client just by copy / pasta / editing one of the existing xml files in interfaces\version1. Once it's added, I have to search for it in memory in order to show it. As for actually displaying useful information in it and making buttons work, etc - Well I really have no idea yet how well that's gonna work out because it will require injecting some probably quite substantial code into the client, including code to add it to the guiBase1 windows table.
I wouldn't particularly fancy writing all of the handler code in asm, so I'm gonna need to find a way to somehow compile some other language into usable code that can be injected... I'm very open to suggestions here xD.
Considering this might not be a particularly easy task, I'm not sure how practical this will be in an environment where you typically have to tweak code -> compile it -> inject it -> test it -> rinse and repeat.
Your D3D8 hooking might still be a much more suitable solution ^^
Well... Don't give up on yours just yet lol - So far, I can add my own window into the client just by copy / pasta / editing one of the existing xml files in interfaces\version1. Once it's added, I have to search for it in memory in order to show it. As for actually displaying useful information in it and making buttons work, etc - Well I really have no idea yet how well that's gonna work out because it will require injecting some probably quite substantial code into the client, including code to add it to the guiBase1 windows table.
I wouldn't particularly fancy writing all of the handler code in asm, so I'm gonna need to find a way to somehow compile some other language into usable code that can be injected... I'm very open to suggestions here xD.
Considering this might not be a particularly easy task, I'm not sure how practical this will be in an environment where you typically have to tweak code -> compile it -> inject it -> test it -> rinse and repeat.
Your D3D8 hooking might still be a much more suitable solution ^^
Instead of compiling some code to obtain the asm to inject, why not just inject a dll with the code you need? Should at least save you the horror of asm
Nice, but ower my understandings
At this time, im willed to learn.
i program in the moment a tool to seek for items in catshops, thx to Interest07 Info and posting over it.
not really finish yet, but i had a lucky day testing it.
found in a catshop a primeval stone for 100k, sold him minutes later for 33m *lol*
maybe one day i can use ur info to make some "plugins" for the game, like autopot or autoasisst
Looks cool. Trying to figure out how it works. Thank you.
I have an autoIt dll injector somewhere. I could try to find it if you wish.
Thanks, but I try to avoid using AutoIt wherever possible hehe.
I might ask Interest07 how he did it for his AutoPot thing, as that didn't even seem to trigger my AV - which is a particularly fussy AV lol. I'm assuming he codecaved it maybe?
Quote:
Originally Posted by amineurin
not really finish yet, but i had a lucky day testing it.
found in a catshop a primeval stone for 100k, sold him minutes later for 33m *lol*
The code for the dll injector, taken from . This is all you need to compile it (C++ code). After compiling you would need to put the injector together with a PWdll.dll in your ../element folder. The dll will need to contain a function called "Initialize", as the injector will call this function from the dll after loading it inside the elementclient.exe (via a codecave indeed).
#include <windows.h>
#include <stdio.h>
/***************************************************************************************************/
// Function:
// Inject
//
// Parameters:
// HANDLE hProcess - The handle to the process to inject the DLL into.
//
// const char* dllname - The name of the DLL to inject into the process.
//
// const char* funcname - The name of the function to call once the DLL has been injected.
//
// Description:
// This function will inject a DLL into a process and execute an exported function
// from the DLL to "initialize" it. The function should be in the format shown below,
// not parameters and no return type. Do not forget to prefix extern "C" if you are in C++
//
// __declspec(dllexport) void FunctionName(void)
//
// The function that is called in the injected DLL
// -MUST- return, the loader waits for the thread to terminate before removing the
// allocated space and returning control to the Loader. This method of DLL injection
// also adds error handling, so the end user knows if something went wrong.
/***************************************************************************************************/
void Inject(HANDLE hProcess, const char* dllname, const char* funcname)
{
//------------------------------------------//
// Function variables. //
//------------------------------------------//
// Main DLL we will need to load
HMODULE kernel32 = NULL;
// Main functions we will need to import
FARPROC loadlibrary = NULL;
FARPROC getprocaddress = NULL;
FARPROC exitprocess = NULL;
FARPROC exitthread = NULL;
FARPROC freelibraryandexitthread = NULL;
// The workspace we will build the codecave on locally
LPBYTE workspace = NULL;
DWORD workspaceIndex = 0;
// The memory in the process we write to
LPVOID codecaveAddress = NULL;
DWORD dwCodecaveAddress = 0;
// Strings we have to write into the process
char injectDllName[MAX_PATH + 1] = {0};
char injectFuncName[MAX_PATH + 1] = {0};
char injectError0[MAX_PATH + 1] = {0};
char injectError1[MAX_PATH + 1] = {0};
char injectError2[MAX_PATH + 1] = {0};
char user32Name[MAX_PATH + 1] = {0};
char msgboxName[MAX_PATH + 1] = {0};
// Placeholder addresses to use the strings
DWORD user32NameAddr = 0;
DWORD user32Addr = 0;
DWORD msgboxNameAddr = 0;
DWORD msgboxAddr = 0;
DWORD dllAddr = 0;
DWORD dllNameAddr = 0;
DWORD funcNameAddr = 0;
DWORD error0Addr = 0;
DWORD error1Addr = 0;
DWORD error2Addr = 0;
// Where the codecave execution should begin at
DWORD codecaveExecAddr = 0;
// Handle to the thread we create in the process
HANDLE hThread = NULL;
// Temp variables
DWORD dwTmpSize = 0;
// Old protection on page we are writing to in the process and the bytes written
DWORD oldProtect = 0;
DWORD bytesRet = 0;
//------------------------------------------//
// Variable initialization. //
//------------------------------------------//
// Get the address of the main DLL
kernel32 = LoadLibrary("kernel32.dll");
// Get our functions
loadlibrary = GetProcAddress(kernel32, "LoadLibraryA");
getprocaddress = GetProcAddress(kernel32, "GetProcAddress");
exitprocess = GetProcAddress(kernel32, "ExitProcess");
exitthread = GetProcAddress(kernel32, "ExitThread");
freelibraryandexitthread = GetProcAddress(kernel32, "FreeLibraryAndExitThread");
// This section will cause compiler warnings on VS8,
// you can upgrade the functions or ignore them
// Build names
_snprintf(injectDllName, MAX_PATH, "%s", dllname);
_snprintf(injectFuncName, MAX_PATH, "%s", funcname);
_snprintf(user32Name, MAX_PATH, "user32.dll");
_snprintf(msgboxName, MAX_PATH, "MessageBoxA");
// Build error messages
_snprintf(injectError0, MAX_PATH, "Error");
_snprintf(injectError1, MAX_PATH, "Could not load the dll: %s", injectDllName);
_snprintf(injectError2, MAX_PATH, "Could not load the function: %s", injectFuncName);
// Create the workspace
workspace = (LPBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024);
// Allocate space for the codecave in the process
codecaveAddress = VirtualAllocEx(hProcess, 0, 1024, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
dwCodecaveAddress = PtrToUlong(codecaveAddress);
// Note there is no error checking done above for any functions that return a pointer/handle.
// I could have added them, but it'd just add more messiness to the code and not provide any real
// benefit. It's up to you though in your final code if you want it there or not.
//------------------------------------------//
// Data and string writing. //
//------------------------------------------//
// Write out the address for the user32 dll address
user32Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = 0;
memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
workspaceIndex += 4;
// Write out the address for the MessageBoxA address
msgboxAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = 0;
memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
workspaceIndex += 4;
// Write out the address for the injected DLL's module
dllAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = 0;
memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
workspaceIndex += 4;
// User32 Dll Name
user32NameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(user32Name) + 1;
memcpy(workspace + workspaceIndex, user32Name, dwTmpSize);
workspaceIndex += dwTmpSize;
// MessageBoxA name
msgboxNameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(msgboxName) + 1;
memcpy(workspace + workspaceIndex, msgboxName, dwTmpSize);
workspaceIndex += dwTmpSize;
// Dll Name
dllNameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectDllName) + 1;
memcpy(workspace + workspaceIndex, injectDllName, dwTmpSize);
workspaceIndex += dwTmpSize;
// Function Name
funcNameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectFuncName) + 1;
memcpy(workspace + workspaceIndex, injectFuncName, dwTmpSize);
workspaceIndex += dwTmpSize;
// Error Message 1
error0Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectError0) + 1;
memcpy(workspace + workspaceIndex, injectError0, dwTmpSize);
workspaceIndex += dwTmpSize;
// Error Message 2
error1Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectError1) + 1;
memcpy(workspace + workspaceIndex, injectError1, dwTmpSize);
workspaceIndex += dwTmpSize;
// Error Message 3
error2Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectError2) + 1;
memcpy(workspace + workspaceIndex, injectError2, dwTmpSize);
workspaceIndex += dwTmpSize;
// Pad a few INT3s after string data is written for seperation
workspace[workspaceIndex++] = 0xCC;
workspace[workspaceIndex++] = 0xCC;
workspace[workspaceIndex++] = 0xCC;
// Store where the codecave execution should begin
codecaveExecAddr = workspaceIndex + dwCodecaveAddress;
// For debugging - infinite loop, attach onto process and step over
//workspace[workspaceIndex++] = 0xEB;
//workspace[workspaceIndex++] = 0xFE;
//------------------------------------------//
// User32.dll loading. //
//------------------------------------------//
// User32 DLL Loading
// PUSH 0x00000000 - Push the address of the DLL name to use in LoadLibraryA
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &user32NameAddr, 4);
workspaceIndex += 4;
// MOV EAX, ADDRESS - Move the address of LoadLibraryA into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &loadlibrary, 4);
workspaceIndex += 4;
// CALL EAX - Call LoadLibraryA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// MessageBoxA Loading
// PUSH 0x000000 - Push the address of the function name to load
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &msgboxNameAddr, 4);
workspaceIndex += 4;
// Push EAX, module to use in GetProcAddress
workspace[workspaceIndex++] = 0x50;
// MOV EAX, ADDRESS - Move the address of GetProcAddress into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &getprocaddress, 4);
workspaceIndex += 4;
// CALL EAX - Call GetProcAddress
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// MOV [ADDRESS], EAX - Save the address to our variable
workspace[workspaceIndex++] = 0xA3;
memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
workspaceIndex += 4;
//------------------------------------------//
// Injected dll loading. //
//------------------------------------------//
/*
// This is the way the following assembly code would look like in C/C++
// Load the injected DLL into this process
HMODULE h = LoadLibrary("mydll.dll");
if(!h)
{
MessageBox(0, "Could not load the dll: mydll.dll", "Error", MB_ICONERROR);
ExitProcess(0);
}
// Get the address of the export function
FARPROC p = GetProcAddress(h, "Initialize");
if(!p)
{
MessageBox(0, "Could not load the function: Initialize", "Error", MB_ICONERROR);
ExitProcess(0);
}
// So we do not need a function pointer interface
__asm call p
// Exit the thread so the loader continues
ExitThread(0);
*/
// DLL Loading
// PUSH 0x00000000 - Push the address of the DLL name to use in LoadLibraryA
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &dllNameAddr, 4);
workspaceIndex += 4;
// MOV EAX, ADDRESS - Move the address of LoadLibraryA into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &loadlibrary, 4);
workspaceIndex += 4;
// CALL EAX - Call LoadLibraryA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// Error Checking
// CMP EAX, 0
workspace[workspaceIndex++] = 0x83;
workspace[workspaceIndex++] = 0xF8;
workspace[workspaceIndex++] = 0x00;
// JNZ EIP + 0x1E to skip over eror code
workspace[workspaceIndex++] = 0x75;
workspace[workspaceIndex++] = 0x1E;
// Error Code 1
// MessageBox
// PUSH 0x10 (MB_ICONHAND)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x10;
// PUSH 0x000000 - Push the address of the MessageBox title
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error0Addr, 4);
workspaceIndex += 4;
// PUSH 0x000000 - Push the address of the MessageBox message
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error1Addr, 4);
workspaceIndex += 4;
// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, [ADDRESS] - Move the address of MessageBoxA into EAX
workspace[workspaceIndex++] = 0xA1;
memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
workspaceIndex += 4;
// CALL EAX - Call MessageBoxA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// ExitProcess
// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, ADDRESS - Move the address of ExitProcess into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &exitprocess, 4);
workspaceIndex += 4;
// CALL EAX - Call MessageBoxA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// Now we have the address of the injected DLL, so save the handle
// MOV [ADDRESS], EAX - Save the address to our variable
workspace[workspaceIndex++] = 0xA3;
memcpy(workspace + workspaceIndex, &dllAddr, 4);
workspaceIndex += 4;
// Load the initilize function from it
// PUSH 0x000000 - Push the address of the function name to load
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &funcNameAddr, 4);
workspaceIndex += 4;
// Push EAX, module to use in GetProcAddress
workspace[workspaceIndex++] = 0x50;
// MOV EAX, ADDRESS - Move the address of GetProcAddress into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &getprocaddress, 4);
workspaceIndex += 4;
// CALL EAX - Call GetProcAddress
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// Error Checking
// CMP EAX, 0
workspace[workspaceIndex++] = 0x83;
workspace[workspaceIndex++] = 0xF8;
workspace[workspaceIndex++] = 0x00;
// JNZ EIP + 0x1C to skip eror code
workspace[workspaceIndex++] = 0x75;
workspace[workspaceIndex++] = 0x1C;
// Error Code 2
// MessageBox
// PUSH 0x10 (MB_ICONHAND)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x10;
// PUSH 0x000000 - Push the address of the MessageBox title
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error0Addr, 4);
workspaceIndex += 4;
// PUSH 0x000000 - Push the address of the MessageBox message
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error2Addr, 4);
workspaceIndex += 4;
// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, ADDRESS - Move the address of MessageBoxA into EAX
workspace[workspaceIndex++] = 0xA1;
memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
workspaceIndex += 4;
// CALL EAX - Call MessageBoxA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// ExitProcess
// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, ADDRESS - Move the address of ExitProcess into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &exitprocess, 4);
workspaceIndex += 4;
// Now that we have the address of the function, we cam call it,
// if there was an error, the messagebox would be called as well.
// CALL EAX - Call ExitProcess -or- the Initialize function
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// If we get here, the Initialize function has been called,
// so it's time to close this thread and optionally unload the DLL.
//------------------------------------------//
// Exiting from the injected dll. //
//------------------------------------------//
// Call ExitThread to leave the DLL loaded
#if 1
// Push 0 (exit code)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, ADDRESS - Move the address of ExitThread into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &exitthread, 4);
workspaceIndex += 4;
// CALL EAX - Call ExitThread
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
#endif
// Call FreeLibraryAndExitThread to unload DLL
#if 0
// Push 0 (exit code)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// PUSH [0x000000] - Push the address of the DLL module to unload
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0x35;
memcpy(workspace + workspaceIndex, &dllAddr, 4);
workspaceIndex += 4;
// MOV EAX, ADDRESS - Move the address of FreeLibraryAndExitThread into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &freelibraryandexitthread, 4);
workspaceIndex += 4;
// CALL EAX - Call FreeLibraryAndExitThread
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
#endif
//------------------------------------------//
// Code injection and cleanup. //
//------------------------------------------//
// Change page protection so we can write executable code
VirtualProtectEx(hProcess, codecaveAddress, workspaceIndex, PAGE_EXECUTE_READWRITE, &oldProtect);
// Write out the patch
WriteProcessMemory(hProcess, codecaveAddress, workspace, workspaceIndex, &bytesRet);
// Restore page protection
VirtualProtectEx(hProcess, codecaveAddress, workspaceIndex, oldProtect, &oldProtect);
// Make sure our changes are written right away
FlushInstructionCache(hProcess, codecaveAddress, workspaceIndex);
// Free the workspace memory
HeapFree(GetProcessHeap(), 0, workspace);
// Execute the thread now and wait for it to exit, note we execute where the code starts, and not the codecave start
// (since we wrote strings at the start of the codecave) -- NOTE: void* used for VC6 compatibility instead of UlongToPtr
hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)((void*)codecaveExecAddr), 0, 0, NULL);
WaitForSingleObject(hThread, INFINITE);
// Free the memory in the process that we allocated
VirtualFreeEx(hProcess, codecaveAddress, 0, MEM_RELEASE);
}
// Program entry point
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nCmdShow)
{
// Structures for creating the process
STARTUPINFO si = {0};
PROCESS_INFORMATION pi = {0};
BOOL result = FALSE;
// Hardcoded just for a demo, you will need to use a game/program of your own to test
// It is not a good idea to use stuff in system32 due to the DEP enabled on those apps.
char* exeString = "elementclient.exe";
// Holds where the DLL should be
char dllPath[MAX_PATH + 1] = {0};
// Set the static path of where the Inject DLL is, hardcoded just for a demo
_snprintf(dllPath, MAX_PATH, "PWdll.dll");
// Need to set this for the structure
si.cb = sizeof(STARTUPINFO);
// Try to load our process
result = CreateProcess(NULL, exeString, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
if(!result)
{
MessageBox(0, "Process could not be loaded!", "Error", MB_ICONERROR);
return -1;
}
// Inject the DLL, the export function is named 'Initialize'
Inject(pi.hProcess, dllPath, "Initialize");
// Resume process execution
ResumeThread(pi.hThread);
// Standard return
return 0;
}
Working AutoIt injector. The thing i like with dll injection is that you do not have to use readProcessMemory or so on to get some data and you don't have to do any weird stuff to call some function
*erm* i really dont want do disturb you booth, since you are so silent im shure you work hard on the gui stuff
but would you be so nice to give me the number to send with the packet for refreshing the gold price ?
i dont get it with the mhs script to break the game from Interest07
try to set a break at the auction hall base adress, press the refresh button, but no popup goes up.
like in the description from Interest07.
Sorry, I forgot to answer this post last time I saw it >.>
I never actually got the packet for refreshing gold listings - I assume Interest did though as (I believe) he did some stuff with graphing the gold trends etc.
On another note, I found a better base offset for searching the window offsets in the GUI mapper. It can now find all the dialogue boxes, consoles, etc too.
Just replace Form1.cs from the package in the first post with this:
erm is it possible to use own functions in this kind of menu ?
if yes, how would this work ?
build a dll and load it with the game or any other idea ?
its just a idea i have and im trying to get more info, before i start trying to realising.
im thinking of another hotkey bar in the game, like the two ones allready there.
the idea i have is:
make such a bar in game style
read icons from a ini file and use maybe png images
also read functions from ini file
like:
1 slot = health icon
1 function: send chat message to user xyz "heal me"
2 slot = another heal icon
2 function: send chat message to user xyz "heal selected $playername"
3 slot = buff icon
3 function: send chat message to user xyz "buff me"
and so on...
so u can command maybe a heal bot with chat commands and by using a ingame menu.
its just a idea and maybe here are ppl willed to discuss this
[B]30 e*q [S]Wc 3 Mapper 08/18/2011 - elite*gold Trading - 0 Replies Hey Elitepvper'
Ich hätte ne Idee für ne Warcraft 3 Melee Map, aber kann sie nicht umsetzen, weil ich zu blöd für den World Editor bin.
Es soll eine Lan Map werden, 2 oder 4 Spieler.
Jeder Startpunkt ist eingegrenzt durch Kluften oder sonstigem, Hauptsache man kommt von der Seite nicht rein.
Der einzige Weg führt durch die Mitte, bis zu diesem Weg sind immer stärker werdende Mobs, sodass man seinen Hero gut leveln kann und sich gleichzeitig auf den Weg zum Gegner macht.
In der Mitte ist...
[Suche] Mapper TuT 09/09/2010 - Flyff - 1 Replies hi leute wollte mal fragen ob jemand zufällig ein ausfürliches tutorial zum mappen lernen kennt oder eins machen kann wollte nähmlich gerne das mappen lernen
Mfg Malacha
Mapper. 03/27/2010 - Silkroad Online - 3 Replies I was looking for a program so i can view the ISRO overworld map. I found a program called mapper_2_0_1. However i cannot find where i downloaded if from. I'm pretty sure It was from somewhere in these forums. I'm looking for a new version if in the case that it has been updated with the Alexandria portion of the map.
Does anyone know of it? Or where it is? thx!
WoW-Mapper 12/28/2005 - World of Warcraft - 7 Replies hiho leute ich hab da ne seite gefunden um der es sich um nen WOW-Mapper dreht... kan mir eienr sagen ob man hir die maps der PServer verändern kann ?
hir ist die seite (hab sie über google gefunden als ich unter bilder WoW eingegeben habe) :D
Klickt hir um auf die Seite zu kommen
or visual Studio 2010 Express - They're free and they kick AutoShit's arse 
)
