Pointer collection

Discussion on Pointer collection within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.

 
Old 03/23/2009, 06:03   #241
 
elite*gold: 0
Join Date: Oct 2008
Posts: 19
Received Thanks: 0
Quote:
Originally Posted by 0o0
So I've been working for a while on the char name offset and I've come across this.

You need the char's name length in order to read it all.
So I searched for the name and got that it's at 0x54CC890, type UText[length of the char name].
So, knowing that Unicode is 2 bytes, you start reading what each 2-byte letter is.
Assuming the name is TEST:
0x54CC890 = T
0x54CC892 = E
0x54CC894 = S
0x54CC896 = T

BTW, this is PW International.
I figured out the memory address by recording it after changing characters a few times, and that's the only one that always showed the name of the char.
However, if I log in to Player 1 and read the name, I have 7 finds for the name.
If I log in to Player 2 and read the Player 2 name, of the 7 finds only 1 changes.
Log in to Player 3, read the name, and it points me to the same place as the other 2.

So I concluded that the address (0x54CC890) stores the names for chars all the time.
However, if you log in to Player 1 and do a fresh search for the name, then log in to Player 2 and do a fresh search for the name, you will get 6 different memory addresses every time; 1 stays the same for all.

So I decided to see what accesses that address and what writes to it. I find:
edi = 0x54CC890
ecx = 0x3
eax = 00610066
mov [edi + ecx*4 - 0c], eax

And there is a pattern: the 0c is reduced by 4 each time.
The next line doesn't really involve edi.
Next time:
mov [edi + ecx*4 - 08] // notice the 4 subtracted

Anyway, that's for accesses.
Then for writes to this address,
same thing as above, I got the same lines.

I entered the address of the name as a value into CE and came across
0x964CF8 // in green
I'm on PW Int and the base address here is 0x9652E4,
so I guess the offset is NEGATIVE 5EC lol.
I just took my base address and subtracted the address I got in green:
0x9652E4 - 0x964CF8 = 5EC
To get the char name:
base address minus 5EC,
then read as many chars as you have in the name, as Unicode. :\

TO SUM IT UP!

Read memory at base address - 5EC; whatever value you get,

read memory at that address, 2 bytes for each of the X letters in the char name. Kind of sucks, but
for PW Int:
9652E4 - 5EC = 964CF8
964CF8 = someADD
Change the last digit in someADD and keep adding 2 to it until you get the full name.

My 2 cents. I just wanted to share it because I spent too much time on it lol.


Edit: Method tested and verified in C++.
Hmm... do they have another address that stores the size of the name? Or do they end it with a \0 null terminator?
reallythatscool is offline  
Old 03/23/2009, 17:02   #242
 
elite*gold: 0
Join Date: Apr 2007
Posts: 39
Received Thanks: 0
It doesn't end with a null terminator, because when I logged in with two different chars without resetting the string, the char name wasn't changed at all.

For example:
the first name was "TESTT",
the 2nd name was "LOL".

When I read the string, the name will be "LOLTT". This proves there has to be a pointer for the name size. It would be weird to find it; you will have to try a few chars.
0o0 is offline  
Old 03/23/2009, 20:15   #243
 
elite*gold: 0
Join Date: Mar 2008
Posts: 109
Received Thanks: 64
All wchar_t types in PW games must be null terminated. You guys have no idea what you're doing.
vuduy is offline  
Old 03/24/2009, 00:42   #244
 
elite*gold: 0
Join Date: Oct 2008
Posts: 19
Received Thanks: 0
Quote:
Originally Posted by vuduy
All wchar_t types in PW games must be null terminated. You guys have no idea what you're doing.
I figured it should have a null terminator; that's why I asked. I haven't had time to test it, because I would expect the game to use something similar to an LEA instruction and like a Trap 22 instruction, and it would end with a null terminator, or else it wouldn't make any sense. I just wanted to verify it, and yes, I do know what I am doing; not sure about him.
reallythatscool is offline  
Old 03/24/2009, 02:35   #245
 
elite*gold: 0
Join Date: Aug 2008
Posts: 61
Received Thanks: 31
Quote:
Originally Posted by reallythatscool
Also, the numbers included.

What program is in the screenshot?
How did you find the playerlist pointer and the items?
Sorry in advance (I can't speak English).
I wrote the program "NeoH2K" in Delphi 7. For the playerlist, the pointer is the same as our own character's pointer, but for exp, gold and skills it isn't the same; the result is just 0.
The playerlist shows Lvl, HP and MP info after another player is clicked with the mouse.

Code:
// vPID holds the process handle returned by OpenProcess (the name is misleading:
// ReadProcessMemory needs a handle, not a process ID).
// vOPlayABase is the address of an array of 4-byte pointers, one per other player;
// vOPlayMCount is the number of entries in that array.
for vInt := 0 to vOPlayMCount - 1 do
begin
  // entry vInt of the pointer array
  ReadProcessMemory(vPID, Pointer(vOPlayABase + (4 * vInt)), @vOPlayDestPoint, 4, vNum);
  if vOPlayDestPoint > 0 then
  begin
    // one more level of indirection: +$04 inside that struct holds the player object
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $0004), @vOPlayDestPoint, 4, vNum);
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $043C), @vOPlayID, 4, vNum);   // player ID
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $05E0), @vOPlayTp, 4, vNum);   // Tp: type (inferred from the variable name)
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $0448), @vOPlayLvl, 4, vNum);  // level
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $0450), @vOPlayHP, 4, vNum);   // current HP
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $0454), @vOPlayMP, 4, vNum);   // current MP
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $0480), @vOPlayHPM, 4, vNum);  // max HP
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $0484), @vOPlayMPM, 4, vNum);  // max MP
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $0504), @vOPlayXp, 4, vNum);   // exp
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $05E4), @vOPlaySex, 4, vNum);  // sex
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $003C), @vOPlayX, 4, vNum);    // position X
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $0044), @vOPlayY, 4, vNum);    // position Y
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $0040), @vOPlayZ, 4, vNum);    // position Z
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $070C), @vOPlayD, 4, vNum);    // D and DH: meaning not stated in the post
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $0710), @vOPlayDH, 4, vNum);
    // +$05D8 is a pointer to the name text; the name is read as 52 raw bytes
    // (26 UTF-16 characters), so the buffer vOPlayNm must be at least that large.
    ReadProcessMemory(vPID, Pointer(vOPlayDestPoint + $05D8), @vTmpA, 4, vNum);
    ReadProcessMemory(vPID, Pointer(vTmpA + $0000), @vOPlayNm, 52, vNum);
  end;
end;

Sorry, this program is only an experiment..
xindobnix is offline  
Thanks
1 User
Old 03/24/2009, 09:37   #246
 
elite*gold: 0
Join Date: Oct 2008
Posts: 19
Received Thanks: 0
Quote:
Originally Posted by xindobnix
Sorry in advance (I can't speak English).
I wrote the program "NeoH2K" in Delphi 7. For the playerlist, the pointer is the same as our own character's pointer, but for exp, gold and skills it isn't the same; the result is just 0.
[...]
Do you have MSN? Or e-mail? I want to contact you so you can help me; I like your program a lot.

Also, how did you do the item list?
reallythatscool is offline  
Old 03/25/2009, 19:28   #247
 
elite*gold: 0
Join Date: Mar 2009
Posts: 112
Received Thanks: 123
Where strings aren't null terminated, one would expect the string length to be in front of the actual text in memory.
Given the example string "Test", the memory view would be:
Code:
04 00 00 00 54 65 73 74 - memory (hex)
LENGTH (4)  T  e   s  t
That is the standard for Delphi strings, for example. A variable defined as a string (i.e. MyVar: String) is a pointer that points to the first letter of the text, in the example above T. So the string length would be at address MyVar - $04, the value at that address cast as a 4-byte unsigned integer, Cardinal in Delphi.

PW bends this "rule" a bit however, by having the string length offset by -$08 instead of -$04 bytes. Using the above example of Test, in PW the memory view would be:
Code:
04 00 00 00 3F 00 00 00 54 00 65 00 73 00 74 00
LENGTH (4)  UNKNOWN     T     e     s     t
Bright ones among you will also notice that Test is written in Unicode, just as PW does it. For this reason LENGTH indicates the string length, not the number of bytes, but as expected string length * 2 = number of bytes.
This format is similar (though not identical) to how Unicode strings are stored in memory. I do not know what the 3F 00 00 00 before the string is; some observations I made seem to indicate text formatting, but that has yet to be confirmed.

The logged-in character name can be obtained from the following (base pointer + 3 offsets):
$0095BAA4 + $20 + $5F0 + $0

The base address and offsets are valid for the current official version of PW International (European, hosted by Games-Masters), but the same rule applies to other versions, in that the name is always a 3-level pointer. The first offset should be $20 on all versions, as well as the third one being $0; the base address and the second offset will differ, however.

The same logic applies to other texts in PW: player names, NPC names, item names, etc.
Shareen is offline  
Thanks
2 Users
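The layout Shareen describes above (length in characters at text-8, a dword of unknown meaning at text-4, UTF-16LE text at the address the 3-level chain resolves to) and the "LOLTT" effect 0o0 reported in #242 can both be exercised offline. The following is an added example written for this page, not code from the thread or from any of the posters. It builds a constructed memory image with a made-up pointer chain (IMAGE_BASE, BASE_PTR, LEVEL1, LEVEL2 and NAME_HDR are assumptions; only the offsets $20/$5F0/$0 come from the post), resolves the chain the way Cheat Engine lists it, and then decodes the name by its length prefix versus by scanning for a NUL terminator after a shorter name has been written over a longer one.

```python
import struct

# Assumed addresses for the constructed image. None of them is a real static
# address from the thread; the real ones ($0095BAA4 etc.) differ per client build.
IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x2000
BASE_PTR = IMAGE_BASE + 0x0100   # stand-in for the static base pointer
LEVEL1 = IMAGE_BASE + 0x0400     # object reached through [BASE_PTR]
LEVEL2 = IMAGE_BASE + 0x0A00     # object reached through [LEVEL1 + 0x20]
NAME_HDR = IMAGE_BASE + 0x1000   # u32 length, u32 unknown, then the text
NAME_TEXT = NAME_HDR + 8         # first UTF-16 code unit of the name
NAME_CHAIN = [0x20, 0x5F0, 0x0]  # offsets from the post: base + $20 + $5F0 + $0


class MemoryImage:
    """Flat byte image standing in for a process address space.

    read() plays the role of ReadProcessMemory; on a live target replace it
    with a ctypes call and keep everything else. Every access is bounds
    checked so a bad pointer raises instead of returning garbage.
    """

    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def _offset(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.buf):
            raise ValueError(f"{size} bytes at {addr:#010x} lie outside the image")
        return off

    def read(self, addr, size):
        off = self._offset(addr, size)
        return bytes(self.buf[off:off + size])

    def write(self, addr, data):
        off = self._offset(addr, len(data))
        self.buf[off:off + len(data)] = data

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]


def resolve_chain(mem, base, offsets):
    """Cheat Engine style pointer path [[[base] + o0] + o1] + o2: the base and
    every offset but the last are dereferenced, the last is only added."""
    addr = mem.read_u32(base)
    for off in offsets[:-1]:
        addr = mem.read_u32(addr + off)
    return addr + offsets[-1]


def read_pw_string(mem, text_addr, max_chars=64):
    """Decode a PW string: u32 length in characters at text-8, u32 unknown at
    text-4, UTF-16LE text at text_addr. No terminator is needed."""
    length = mem.read_u32(text_addr - 8)
    if length > max_chars:  # a huge length means the chain resolved to the wrong place
        raise ValueError(f"implausible string length {length}")
    return mem.read(text_addr, 2 * length).decode("utf-16-le")


def read_nul_terminated(mem, text_addr, max_chars=64):
    """What a reader that assumes wchar_t NUL termination sees at the same address."""
    units = []
    for i in range(max_chars):
        unit = mem.read(text_addr + 2 * i, 2)
        if unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le")


def write_pw_string(mem, hdr_addr, text):
    """Store a string as the thread observed the client doing it: update the
    length prefix and the characters, leave trailing bytes of a longer
    previous value in place. 0x3F mirrors the unknown dword in the posted dump."""
    mem.write(hdr_addr, struct.pack("<II", len(text), 0x3F))
    mem.write(hdr_addr + 8, text.encode("utf-16-le"))


def build_image():
    """Constructed sample: a three-level chain ending at the name buffer."""
    mem = MemoryImage(IMAGE_BASE, IMAGE_SIZE)
    mem.write(BASE_PTR, struct.pack("<I", LEVEL1))
    mem.write(LEVEL1 + 0x20, struct.pack("<I", LEVEL2))
    mem.write(LEVEL2 + 0x5F0, struct.pack("<I", NAME_TEXT))
    write_pw_string(mem, NAME_HDR, "TESTT")  # first character logged in
    return mem


def demo():
    """Log in as TESTT, then as LOL, and read the name both ways."""
    mem = build_image()
    name_addr = resolve_chain(mem, BASE_PTR, NAME_CHAIN)
    first = read_pw_string(mem, name_addr)               # TESTT
    write_pw_string(mem, NAME_HDR, "LOL")                # second login, 3 chars over 5
    by_length = read_pw_string(mem, name_addr)           # LOL
    by_terminator = read_nul_terminated(mem, name_addr)  # LOLTT, stale TT survives
    return first, by_length, by_terminator


if __name__ == "__main__":
    print(demo())
```

MemoryImage.read is the only piece that touches "memory"; swapping it for kernel32.ReadProcessMemory through ctypes (with a handle from OpenProcess) turns the same functions into a reader for a live 32-bit process. The max_chars guard is deliberate: when a chain resolves to the wrong place the "length" dword is typically some unrelated value, and refusing to read megabytes of text is the cheap way to notice that.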
Old 03/28/2009, 00:18   #248
 
elite*gold: 0
Join Date: Apr 2007
Posts: 39
Received Thanks: 0
I see that the length is there before the name; however, I'm having trouble reaching the offset. I'm on PW International using the bypass client.
0o0 is offline  
Old 03/28/2009, 01:35   #249
 
elite*gold: 0
Join Date: Aug 2008
Posts: 61
Received Thanks: 31
Who has any offset for the mouse?
xindobnix is offline  
Old 03/28/2009, 01:54   #250
 
elite*gold: 0
Join Date: Mar 2009
Posts: 2
Received Thanks: 0
Where to paste this thing...
I'm a newbie to this game...
Please
reply...
rahulsk8erboi is offline  
Old 03/28/2009, 05:43   #252
 
elite*gold: 0
Join Date: Mar 2009
Posts: 112
Received Thanks: 123
Quote:
Originally Posted by 0o0
I see that the length is there before the name; however, I'm having trouble reaching the offset. I'm on PW International using the bypass client.
Not all values are as easily found as HP, for instance, but with a little detective work and patience, not to mention logic, it is doable.
Starting off with the correct value is in most cases the only way to go (and always the proper way to go).
As with cat skinning, there is more than one way to find values. The method described below is not what I used, but it is one I tested before posting this, and hopefully it should work for you. Remember that it's written specifically for finding the nickname in Perfect World and is not to be used as a general rule for finding texts (though it may work in some other cases).
While it assumes using Cheat Engine as the memory scanning tool, others will work as well, as long as you adapt the operations to the software of your choice.

Right, let's clear up the basics in case you or anyone else aren't familiar with CE:
- start the game (a good approach is to start with a fresh "run": less memory to scan and fewer false positives)
- start Cheat Engine
- attach Cheat Engine to the game process.

Set the scanning options to:
- value type: text
- check the checkbox Case sensitive (you know what case your name is)
- check the checkbox Unicode (we covered that already)

Click First Scan.

So far so good; we get loads of matches, some are OK, others are just in the way. Obviously, some filtering is required.

I realize this isn't school, but it won't kill anyone to learn something. Hopefully.

Strings, especially ones that change length often, are a tricky business. They can be constantly copied around memory, according to the new length they are set to. For example, if we assign a value of "Test" to a variable of type string (or whatever it might be called in the language of your choice), a pointer is created. This pointer points to the first letter (char) in the memory location that was selected to hold this particular value. 8 bytes are reserved for it, 4 for the length and 4 for our value. Unicode will take a bit more, 4 for the length and 8 for the value, since every Unicode character takes 2 bytes.
Because the space after the 12 bytes we occupy is assigned to other things already, and the space before it was occupied even before the string was assigned, our value is now neatly boxed in. Since values aren't prone to claustrophobia, this isn't a problem; however, if "Test" should decide to grow a bit and become "Test I am"... the dog house will not be enough anymore.
It doesn't take a rocket scientist (though he may be helpful if you've got one handy) to figure out that 22 bytes (the new length of Unicode "Test I am" + the length itself) will not fit into a 12-byte "box". We can't very well push the stuff around us out of the way to make room, since that would make all other variables point to wrong memory addresses. The solution is to find a new home in memory that has at least the amount of space we need, copy the existing string value there and add " I am".
Note that I said copy, not move. The old value is still there; it may not be used by anything and it's marked as unused, but it's still there. Those values are false positives. Remnants of things past, for the dramatic. Luckily for us, since they are marked as unused, they can freely be overwritten, and some will be, which is exactly what we want.

So, lesson over, back to work.
Loads of matches, all pointing at the same value. Let's allow dynamic memory to work in our favour and make the game overwrite some of our false positives. How? Easy: force it to load more things into memory. Run around, go into crowded places, take a quest, kill a mob... be inventive.

Soon, some of the matches will lose your nickname and get assigned a different value. As that happens, keep clicking Next Scan to remove the unwanted ones. Don't bother doing this for longer than 2-3 minutes, however; whatever is left is what you'll have to work with.
Not all will go away this easily; some simply didn't get overwritten, while others are still in use.

Let's move the remaining matches to the bottom window (I don't really know what it's called) by selecting them and clicking on the red arrow button.

We started off with a fresh run of the game, thus the following assumption can be made: low-lying addresses were assigned before high-lying ones, i.e. the value at address 0x04C6FFF0 was most likely assigned before the value at address 0x0B446424.

Armed with this knowledge (and a little of the game itself) we should probably start from the bottom up, in this case from higher addresses towards lower ones.
Right-click the bottom-most entry and from the dropdown select "What accesses this address". Alt-tab the game into focus for a second, then back to CE. If the little window that opened is still empty, close it and remove the offending entry (right-click and Delete this address). It's not the one we are looking for. Rinse and repeat, eliminating all that don't yield any results and keeping those that do.
Please note we aren't looking for the first offset yet, only trying to eliminate false matches.

When I tried that, I was left with 2 entries, and to give you a little hint: the lower one (the one with the higher address) was the correct one. If you are unsure which one is good, attempt finding the base pointer on both. You know the right one will only have 3 levels, and it's very likely that the incorrect one will lead you past 3 levels, at which point you can eliminate it.

The value searched for is now found, and you can begin finding offsets till they lead you to the base pointer.
To throw some more hints your way, although mentioned in my previous post:
- the first offset will be 0
- the third (and last) offset will be 0x20
- the second offset will be something like (but not exactly; I made them up to provide an example) 0x4EC or 0x604, and not 0x4C, 0x1C, etc.

It occurred to me while writing this novel that you may very well know all these things already, but I figured someone else may not, so I kept going.

I can't really provide you with specifics on how to find offsets, apart from: be patient and diligent. I guess a step-by-step "guide" would help you find it, but wouldn't teach you much in the end.

Unless of course offsets are all you are after, in which case just send me the cracked .exe and save me the time of writing 2-page-long forum posts.

Quote:
Originally Posted by rahulsk8erboi
Where to paste this thing...
I'm a newbie to this game...
Please
reply...
After 25 pages in this thread of people posting all sorts of "things", you might want to narrow your definition of "thing" just a bit if you in fact expect a constructive reply.
I also have a sneaking suspicion that you (in general) often opt for the Post option where Search would be a far better alternative.
Shareen is offline  
Thanks
2 Users
Old 03/28/2009, 07:55   #253
 
elite*gold: 0
Join Date: Dec 2008
Posts: 29
Received Thanks: 54
Quote:
Originally Posted by xindobnix
Sorry in advance (I can't speak English).
I wrote the program "NeoH2K" in Delphi 7. For the playerlist, the pointer is the same as our own character's pointer, but for exp, gold and skills it isn't the same; the result is just 0.
[...]
Which PW version/language is it working with?
asgborges is offline  
Old 03/28/2009, 08:36   #254
 
elite*gold: 0
Join Date: Oct 2008
Posts: 19
Received Thanks: 0
Quote:
Originally Posted by asgborges View Post
Which PW version/language is it working with?
This is the code he used for PW Indo.
reallythatscool is offline  
Old 03/28/2009, 08:38   #255
 
elite*gold: 0
Join Date: Oct 2008
Posts: 19
Received Thanks: 0
Quote:
Originally Posted by xindobnix View Post
Who has any offset for the mouse?
Can you get me the Delphi 7 code for NeoH2K?
reallythatscool is offline  