Pointer collection
Discussion on Pointer collection within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.
04/21/2009, 20:48
#301
elite*gold: 0
Join Date: Mar 2008
Posts: 109
Received Thanks: 64
I don't use a DLL; I inject code directly into the game. To find the point of entry, look through the asm and find all the loops... there are many loops in the game; you can use one of them to gain entry.
For the calling function, you gotta set up lots of breakpoints. The best way to start is to break on the HP bar... find out what fills it... then break before it, and before that, until you find the stub that sends the "lock target" command to the server.
Once you get that, inject that code in the entry loop and voila.
04/22/2009, 12:18
#302
elite*gold: 0
Join Date: Jul 2008
Posts: 8
Received Thanks: 1
This is a "full target" injected in-game from PW VN. Perhaps it can be a reference for somebody to find out the InjectCode in your version. Normal ATK is not a problem anymore.
AutoIt language.
Quote:
; The helpers below append raw x86 machine code, as a hex string, to $OPCODE.
; It must be declared before the functions are used.
Global $OPCODE = ""

Func INT2HEX($VALUE, $N)
    ; Return $VALUE as $N hex digits in little-endian byte order, the order
    ; x86 stores immediates and displacements in memory.
    Dim $TMP1, $TMP2, $I
    $TMP1 = StringRight("0000000" & Hex($VALUE), $N)
    For $I = 0 To StringLen($TMP1) / 2 - 1
        $TMP2 = $TMP2 & StringMid($TMP1, StringLen($TMP1) - 1 - 2 * $I, 2)
    Next
    Return $TMP2
EndFunc

Func PUSHAD()
    $OPCODE = $OPCODE & "60"                         ; pushad
EndFunc

Func MOV_EAX_DWORD_PTR($I)
    $OPCODE = $OPCODE & "A1" & INT2HEX($I, 8)        ; mov eax, [imm32]
EndFunc

; The "mov r32, [r32+disp]" helpers pick the 1-byte displacement form when
; possible. That form is sign-extended by the CPU, so it is only correct for
; -128..127 (the original test "<= 255" mis-encoded 128..255).
Func MOV_EDX_DWORD_PTR_ECX_ADD($I)
    If $I >= -128 And $I <= 127 Then
        $OPCODE = $OPCODE & "8B51" & INT2HEX($I, 2)  ; mov edx, [ecx+disp8]
    Else
        $OPCODE = $OPCODE & "8B91" & INT2HEX($I, 8)  ; mov edx, [ecx+disp32]
    EndIf
EndFunc

Func MOV_ECX_DWORD_PTR_ESI_ADD($I)
    If $I >= -128 And $I <= 127 Then
        $OPCODE = $OPCODE & "8B4E" & INT2HEX($I, 2)  ; mov ecx, [esi+disp8]
    Else
        $OPCODE = $OPCODE & "8B8E" & INT2HEX($I, 8)  ; mov ecx, [esi+disp32]
    EndIf
EndFunc

Func MOV_EAX_DWORD_PTR_ESI_ADD($I)
    If $I >= -128 And $I <= 127 Then
        $OPCODE = $OPCODE & "8B46" & INT2HEX($I, 2)  ; mov eax, [esi+disp8]
    Else
        $OPCODE = $OPCODE & "8B86" & INT2HEX($I, 8)  ; mov eax, [esi+disp32]
    EndIf
EndFunc

Func MOV_ECX_DWORD_PTR_EAX_ADD($I)
    If $I >= -128 And $I <= 127 Then
        $OPCODE = $OPCODE & "8B48" & INT2HEX($I, 2)  ; mov ecx, [eax+disp8]
    Else
        $OPCODE = $OPCODE & "8B88" & INT2HEX($I, 8)  ; mov ecx, [eax+disp32]
    EndIf
EndFunc

Func PUSH($I)
    $OPCODE = $OPCODE & "68" & INT2HEX($I, 8)        ; push imm32
EndFunc

Func MOV_EDX($I)
    $OPCODE = $OPCODE & "BA" & INT2HEX($I, 8)        ; mov edx, imm32
EndFunc

Func MOV_EDI_EAX()
    $OPCODE = $OPCODE & "8BF8"                       ; mov edi, eax
EndFunc

Func MOV_ECX_EDI()
    $OPCODE = $OPCODE & "8BCF"                       ; mov ecx, edi
EndFunc

Func CALL_EDX()
    $OPCODE = $OPCODE & "FFD2"                       ; call edx
EndFunc

Func POPAD()
    $OPCODE = $OPCODE & "61"                         ; popad
EndFunc

Func PUSH_EDI()
    $OPCODE = $OPCODE & "57"                         ; push edi
EndFunc

Func RET()
    $OPCODE = $OPCODE & "C3"                         ; ret
EndFunc

Func MOV_ECX_DWORD_PTR_EDX()
    $OPCODE = $OPCODE & "8B0A"                       ; mov ecx, [edx]
EndFunc
And
Func INJECTCODE($PID)
    ; Copy the accumulated $OPCODE bytes into the target process and run them
    ; on a new thread: OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
    ; CreateRemoteThread -> wait for it -> free the buffer.
    If $PID <> 0 And $OPCODE <> "" Then
        ; Turn the hex string into a raw byte buffer.
        Local $DATA = DllStructCreate("byte[" & StringLen($OPCODE) / 2 & "]")
        For $I = 1 To DllStructGetSize($DATA)
            DllStructSetData($DATA, 1, Dec(StringMid($OPCODE, ($I - 1) * 2 + 1, 2)), $I)
        Next
        Local $RESULT, $PROCESS, $ADD, $THREAD
        ; 2035711 = 0x1F0FFF = PROCESS_ALL_ACCESS
        $RESULT = DllCall("Kernel32.dll", "int", "OpenProcess", "int", 2035711, "int", 0, "int", $PID)
        $PROCESS = $RESULT[0]
        ; 4096 = MEM_COMMIT, 64 = PAGE_EXECUTE_READWRITE
        $RESULT = DllCall("Kernel32.dll", "ptr", "VirtualAllocEx", "int", $PROCESS, "ptr", 0, "int", DllStructGetSize($DATA), "int", 4096, "int", 64)
        $ADD = $RESULT[0]
        $RESULT = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $PROCESS, "ptr", $ADD, "ptr", DllStructGetPtr($DATA), "int", DllStructGetSize($DATA), "int", 0)
        $RESULT = DllCall("kernel32.dll", "int", "CreateRemoteThread", "int", $PROCESS, "ptr", 0, "int", 0, "int", $ADD, "ptr", 0, "int", 0, "int", 0)
        $THREAD = $RESULT[0]
        ; Poll until the thread has finished (258 = WAIT_TIMEOUT).
        Do
            $RESULT = DllCall("kernel32.dll", "int", "WaitForSingleObject", "int", $THREAD, "int", 50)
        Until $RESULT[0] <> 258
        DllCall("Kernel32.dll", "int", "CloseHandle", "int", $THREAD)
        ; Free the remote buffer ($ADD), not the local struct's pointer.
        ; 32768 = MEM_RELEASE, which requires the size argument to be 0.
        $RESULT = DllCall("Kernel32.dll", "int", "VirtualFreeEx", "int", $PROCESS, "ptr", $ADD, "int", 0, "int", 32768)
        DllCall("Kernel32.dll", "int", "CloseHandle", "int", $PROCESS)
        $OPCODE = ""
        $DATA = 0
    EndIf
EndFunc
Right now, I'm really interested in miner and plant bots. Let's share our information.
04/22/2009, 23:10
#303
elite*gold: 0
Join Date: Aug 2008
Posts: 61
Received Thanks: 31
04/23/2009, 02:06
#304
elite*gold: 0
Join Date: Apr 2007
Posts: 40
Received Thanks: 0
Quote:
Originally Posted by Megamorph
hey,
I also figured out some stuff, which may be useful:
1) walk to a mop/attack the mop:
[[Base Address]+0x20]+0xA54
- insert the mop-id here and do normal attack
- calculate the distance with the help of the 3D vectors of char and mop to trigger spells and melee attacks at the right distance
2) walk to and forage mines/resources/herbs:
[[[[[[Base Address]+0x20]+0xBFC]0x30]+0x8]+0x20] (kind of a "move to" id offset)
- freeze that to your resource ID (can be found here: [[[[[[[Base Address]+0x8]+0x28]0x18]+i*0x4]0x4]0x10C])
- insert a random (but valid) mop-id here: [[Base Address]+0x20]+0xA54
- do normal attack
--> char will go to the mine/herb and forage it automatically
3) walk to item and pick up:
[[[[[[Base Address]+0x20]+0xBFC]0x30]+0x8]+0x20] (kind of a "move to" id offset)
- freeze that to your item ID (can be found here: [[[[[[Base Address]+0x8]+0x24]0x50]+i*0x4]+0x11C])
- insert a random (but valid) mop-id here: [[Base Address]+0x20]+0xA54
- do normal attack
--> char will go to the item (keep checking distance)
- do pick up
--> char will pick up the item
4) how to do "do normal attack" and "do pick up":
- put the actions on the skill bars (1-6, F1-F8)
- use PostMessage/SendMessage to activate it
example:
PostMessage(hWindow, WM_KEYDOWN, VK_F5, 1);
PostMessage(hWindow, WM_KEYDOWN, Ord('5'), 1);
notice:
don't use other functions unless you want to lose the possibility to minimize the game
5) set 0x0 to the so-called "move to" id offset to let the char stop
6) with the same method you can walk to every object (NPC, Player, Resource, Item, Mop)
just check the distance and stop early enough (to not attack a player, for example)
maybe "do default attack" also works for starting to talk with NPCs, but I haven't tested that yet
For me it would be very interesting to know how you can insert such an "unfreeze" feature like the Revo Bot coder did. I researched it but found no suitable way. A possibility would be to inject a DLL into the game, hook the WinAPI call which gives PW the information of (not) being in focus and return wrong values (always in focus). But I don't want to use that method, because I want to stay fully external. RevoBot just uses DLL injection to get the D3D shit to work (especially the menu).
thx in advance
Megamorph
From what Megamorph said, mining just got really easy!
with the offset
[[[[[[Base Address]+0x20]+0xBFC]0x30]+0x8]+0x20]
btw this is for PW INT
all you have to do is get a valid mob id and a valid resource id
set the mob id as target.. send in normal attack.. and quickly change the above offset value to the resource id. In this case the player will move to the resource and gather it instead of moving towards the monster and attacking it.
this has to be done after setting up the target and sending normal attack, while the char is moving towards the monster
i tried it and i was amazed it works!
just need to make sure you don't get killed by the monster or something like that
best way to do it is to be in "fly" mode. escape out of there if player health is going down etc etc
04/23/2009, 10:48
#305
elite*gold: 0
Join Date: Apr 2008
Posts: 108
Received Thanks: 77
Quote:
Originally Posted by 0o0
From what Megamorph said, mining just got really easy!
with the offset
[[[[[[Base Address]+0x20]+0xBFC]0x30]+0x8]+0x20]
btw this is for PW INT
all you have to do is get a valid mob id and a valid resource id
set the mob id as target.. send in normal attack.. and quickly change the above offset value to the resource id. In this case the player will move to the resource and gather it instead of moving towards the monster and attacking it.
this has to be done after setting up the target and sending normal attack, while the char is moving towards the monster
i tried it and i was amazed it works!
just need to make sure you don't get killed by the monster or something like that
best way to do it is to be in "fly" mode. escape out of there if player health is going down etc etc
Do you know how to get the offset for this in PW Malaysia? Or PH?
Thanks.
04/23/2009, 11:14
#306
elite*gold: 0
Join Date: Feb 2009
Posts: 46
Received Thanks: 30
It's easy:
1) select something (player, mop, npc, item, resource/mine)
2) get its ID (from the SelectedID offset)
3) go away some steps (so that you have enough time to search)
4) go there (doubleclick), quickly tab to Cheat Engine and search the ID (click "First Scan")
then select another one, copy/paste its ID, go there (doubleclick), quickly tab to CE and click "Next Scan"
You now should have from 2 to 8 addresses. Add them all. Now move the windows in a way that you can see the updating addresses in CE and the game at the same time.
Now click the next target; some addresses are changing now, you can delete them.
Now doubleclick the target (you should go there) and in exactly this moment one of the addresses changes to the target's ID. That is what you're searching for.
To get the whole pointer path starting from the base pointer, just do the common reversing thing with "What accesses this address", look at the offset, calculate the new address, search for it and so on. Sometimes there is more than one address, but you can easily sort them out by going to something ingame (doubleclick) and looking if there is something in the access window.
Good Luck!
Is there somebody who figured out a more suitable way how to walk?
edit: added "(doubleclick)" to avoid misunderstandings
04/24/2009, 13:55
#307
elite*gold: 0
Join Date: Jul 2008
Posts: 8
Received Thanks: 1
Yeah! Sorry for the lack of information.
By "full target" I mean catching the mob's target with its full HP bar, which allows you guys to carry out a normal attack.
In order to do that, you need to find out the "opcode" for targeting a monster; you guys can search for it from the engine.
With the above opcode library (from the VN version), each target is always "full".
We can even create a tool for something like "auto target player" with hotkeys and his/her address.
Quote:
Func SETCURENTMOBID($ID)
    ; $MOB_ID_ADD, $MEMID and $PID are set elsewhere in the script
    ; (_MEMORYWRITE is the NomadMemory helper).
    _MEMORYWRITE($MOB_ID_ADD, $MEMID, $ID)
    If $ID <> 0 Then
        ; Build the stub from the opcode helpers above, then inject it.
        $OPCODE = ""
        PUSHAD()                             ; save all registers
        MOV_EAX_DWORD_PTR(9810948)           ; mov eax, [base pointer]
        PUSH($ID)                            ; argument: the target id
        MOV_ECX_DWORD_PTR_EAX_ADD(32)        ; mov ecx, [eax+0x20]
        $OPCODE &= "81c1ec000000"            ; add ecx, 0xEC (hand-coded: 0xEC needs the 32-bit form)
        MOV_EDX(5891280)                     ; mov edx, address of the client's target routine
        CALL_EDX()                           ; call edx
        POPAD()                              ; restore registers
        RET()                                ; end the remote thread
        INJECTCODE($PID)
    EndIf
EndFunc
You guys must know what the above means with the available opcodes.
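An added example (not from the thread, and not the VN library's code) that re-implements, in Python, the byte encoding the AutoIt opcode library in #302 and SETCURENTMOBID in #307 rely on: it shows the little-endian byte order INT2HEX produces, and why the 1-byte "disp8" ModRM form is only valid for displacements in -128..127 (the CPU sign-extends it, which is why 0xEC had to be hand-coded above). All addresses passed in are constructed placeholders.

```python
import struct

# Register numbers as used in ModRM fields (esp=4 and ebp=5 need other forms).
EAX, ECX, EDX, ESI, EDI = 0, 1, 2, 6, 7

def imm32(value: int) -> bytes:
    """32-bit immediate/displacement in little-endian byte order (negatives wrap)."""
    return struct.pack("<I", value & 0xFFFFFFFF)

def mov_reg_mem(reg: int, base: int, disp: int) -> bytes:
    """mov r32, [base + disp]: opcode 8B plus ModRM with disp8 or disp32.
    disp8 is sign-extended by the CPU, so it is only correct for -128..127;
    the AutoIt library's '<= 255' test mis-encodes 128..255."""
    if base in (4, 5):
        raise ValueError("esp/ebp bases need SIB / different mod encodings")
    if -128 <= disp <= 127:
        return bytes([0x8B, (1 << 6) | (reg << 3) | base]) + struct.pack("<b", disp)
    return bytes([0x8B, (2 << 6) | (reg << 3) | base]) + imm32(disp)

def pushad() -> bytes: return b"\x60"
def popad() -> bytes: return b"\x61"
def ret() -> bytes: return b"\xC3"
def call_edx() -> bytes: return b"\xFF\xD2"
def push_imm(v: int) -> bytes: return b"\x68" + imm32(v)          # push imm32
def mov_eax_mem(addr: int) -> bytes: return b"\xA1" + imm32(addr)  # mov eax,[addr]
def mov_edx_imm(v: int) -> bytes: return b"\xBA" + imm32(v)        # mov edx,imm32
def add_ecx_imm32(v: int) -> bytes: return b"\x81\xC1" + imm32(v)  # add ecx,imm32

def build_stub(base_ptr: int, obj_off: int, add_off: int, fn: int, arg: int) -> bytes:
    """Assemble the same sequence SETCURENTMOBID concatenates as hex:
    pushad; mov eax,[base_ptr]; push arg; mov ecx,[eax+obj_off];
    add ecx,add_off; mov edx,fn; call edx; popad; ret."""
    return (pushad() + mov_eax_mem(base_ptr) + push_imm(arg)
            + mov_reg_mem(ECX, EAX, obj_off) + add_ecx_imm32(add_off)
            + mov_edx_imm(fn) + call_edx() + popad() + ret())

if __name__ == "__main__":
    # Constructed placeholder values, not addresses from the thread.
    print(build_stub(0x00A00000, 0x20, 0xEC, 0x00500000, 0x1234).hex())
```

Feeding the result to any x86 disassembler is the quickest way to confirm that the disp8 path really decodes as the intended displacement, which is the check the string-concatenation approach never makes.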
04/24/2009, 17:17
#308
elite*gold: 0
Join Date: Feb 2009
Posts: 46
Received Thanks: 30
Nice, is there also code injection for walking? Or has anybody figured out a way how to walk/move with APIs?
I tried the following, and Spy++ showed that it's the same as when I really press the key (w,a,s,d), but it didn't work for moving (chatting and skills etc. are working).
procedure TPeWoBotMem.SimulateKeyStroke(key: Integer);
begin
  PostMessage(hWindow, WM_KEYDOWN, key, 1);
  PostMessage(hWindow, WM_CHAR, key, 1);
  PostMessage(hWindow, WM_KEYUP, key, $C0000001);
end;
04/24/2009, 18:50
#309
elite*gold: 0
Join Date: Aug 2008
Posts: 61
Received Thanks: 31
Quote:
Originally Posted by Megamorph
Nice, is there also code injection for walking? Or has anybody figured out a way how to walk/move with APIs?
I tried the following, and Spy++ showed that it's the same as when I really press the key (w,a,s,d), but it didn't work for moving (chatting and skills etc. are working).
procedure TPeWoBotMem.SimulateKeyStroke(key: Integer);
begin
  PostMessage(hWindow, WM_KEYDOWN, key, 1);
  PostMessage(hWindow, WM_CHAR, key, 1);
  PostMessage(hWindow, WM_KEYUP, key, $C0000001);
end;
try using SendMessage
procedure TPeWoBotMem.SimulateKeyStroke(key: Integer);
begin
  SendMessage(hWindow, WM_KEYDOWN, key, 1);
  SendMessage(hWindow, WM_CHAR, key, 1);
  SendMessage(hWindow, WM_KEYUP, key, $C0000001);
end;
this is my code for chat:
procedure TForm1.Button1Click(Sender: TObject);
var
  vHwnd: DWORD;
  vInt: Integer;
begin
  vHwnd := FindWindow(nil, 'Element Client');
  if vHwnd <> 0 then
  begin
    // Open the chat line, type the text of Edit1, and send it
    SendMessage(vHwnd, WM_KEYDOWN, VK_RETURN, 0);
    for vInt := 1 to Length(Edit1.Text) do
    begin
      SendMessage(vHwnd, WM_CHAR, Word(Edit1.Text[vInt]), 0);
    end;
    SendMessage(vHwnd, WM_KEYDOWN, VK_RETURN, 0);
    SendMessage(vHwnd, WM_KEYDOWN, VK_RETURN, 0);
    // This is for clearing the chat text...
    for vInt := 1 to Length(Edit1.Text) do
    begin
      SendMessage(vHwnd, WM_CHAR, VK_BACK, 0);
    end;
    SendMessage(vHwnd, WM_KEYDOWN, VK_ESCAPE, 0);
  end;
end;
Maybe it can help...
04/24/2009, 20:16
#310
elite*gold: 0
Join Date: Mar 2008
Posts: 109
Received Thanks: 64
You can't use Post/SendMessage with WASD and some other keys like jumping etc... The game uses GetKeyState and GetKeyboardState for those keys.
If you want to send these keys, you must use AttachThreadInput and SetFocus; after that, Send/PostMessage will work.
04/24/2009, 21:05
#311
elite*gold: 0
Join Date: Aug 2008
Posts: 61
Received Thanks: 31
Do you have any suggestion for this? Maybe you have some script?
04/24/2009, 23:50
#312
elite*gold: 0
Join Date: Nov 2007
Posts: 160
Received Thanks: 28
This is part of my code from RFHelper.
Code:
procedure press_key(key: Integer; double: Boolean);
var
  hActiveWin: HWND;
  ActiveThreadID: Cardinal;
  aDwordvar: DWORD;
begin
  if (RFWindowHandle <> 0) and ClientFound then
  begin
    // Look for the active window
    hActiveWin := GetForegroundWindow();
    if hActiveWin = RFWindowHandle then hActiveWin := Application.Handle;
    ActiveThreadID := GetWindowThreadProcessID(hActiveWin, @aDwordvar);
    // Activate the RFO window
    SendMessage(RFWindowHandle, WM_ACTIVATEAPP, 1, ActiveThreadID);
    // Send the keypress
    PostMessage(RFWindowHandle, WM_KEYDOWN, key, 0);
    PostMessage(RFWindowHandle, WM_KEYUP, key, 0);
    // Double it if needed
    if double then
    begin
      PostMessage(RFWindowHandle, WM_KEYDOWN, key, 0);
      PostMessage(RFWindowHandle, WM_KEYUP, key, 0);
    end;
  end;
end;
Earlier in the code you have to define RFWindowHandle (try FindWindow =) ):
Enjoy...
04/25/2009, 00:33
#313
elite*gold: 0
Join Date: Feb 2009
Posts: 46
Received Thanks: 30
vuduy
Quote:
Can't use Post/SendMessage with WASD and some other keys like jumping etc... The game uses GetKeyState and GetKeyboardState for those keys.
Right. So we need to hook these functions and manipulate the return values, or use code injection to change the engine state for moving.
The other way, described by BuBucekTop, requires PW to be the active window.
But for me it should also work when in the background or minimized.
04/25/2009, 08:20
#314
elite*gold: 0
Join Date: Nov 2007
Posts: 160
Received Thanks: 28
Quote:
Originally Posted by Megamorph
The other way, described by BuBucekTop, requires PW to be the active window.
No. It works perfectly in an inactive, minimized or even hidden window.
04/25/2009, 08:56
#315
elite*gold: 0
Join Date: Feb 2009
Posts: 46
Received Thanks: 30
It works for Skills/Jumping/Chatting, but not for flying down (Z), flying up (Space), walk/move (W,A,S,D). And for that we are searching for a solution.