Pointer collection

vuduy · 07/15/2009, 22:31

Quote:

Originally Posted by Smurfin

i've tried it several times and the results gave me around 1000+ addresses all the time.

1. I put 9941820 [pw id's base address], then tick [v] fast scan, change scan type to [bigger than...] , 4 bytes. then I click [First Scan]
2. execute teleport portal
3. while still executing teleport portal, i search for changed value.
4. cancel skill, search changed value.
5. run around a bit, stand in a spot, then search unchanged value
6. i repeat 2-5 many times and still got 1000+ results.

around how many addresses should i expect ?

Then move around then stand in 1 spot (stand, not sit, not meditate), and search for "Unchanged Value"

Do this a lot to remove the excess.

Basically, when you are standing in one spot, I call that Idle state - this is one action pointer.

The other action pointer you want to search for is casting skills. For this, there are two. One is queuing skill action pointer; the 2nd is current skill action pointer.

By using CE, you can find the current skill action pointer because you are searching for it while the skill is STILL casting.

Anyway, keep trying to get the offsets, once you get one, you can get all the other action pointers easily.

A list of action pointers:
- moving
- looting
- queuing skill
- current skill
- following
- idling

and many others...

Smurfin · 07/16/2009, 04:29

that's great, i've been wanting a [following] pointer for so long, should be able to make my chars always follow my main without using mouseclick macro, it'll also be useful for pk using multi chars lol.

ok, instead of redoing from the start, i kept trying to reduce the excess and managed to reduce it to 361, but then it won't change no matter what i do, i even teleported to many areas and the results won't go down further. I also used other long casting skill like revive pet, heal hp, heal mp for variation, but it's still the same.

btw why should the first search's value begin from value bigger than base address ? aren't we usually using unknown initial value to start a search, while base address is already an address and its value is weird to use as a starting value.

vuduy · 07/16/2009, 08:00

Because the pointer will always be greater than the base address. If you search for all, then you will even get more results.

Try to use the "Same as original value" search to reduce it further.

Original value should be the "Idle state".

Smurfin · 07/16/2009, 08:11

i'm confused, it's the pointer that's always greater than the base address, but why we use base address for comparing value to find another pointer/memory address.

isn't in ce we search memory address based on a value, not pointer ? for example the pointer for HP will always greater than base address, but we input the ingame value to search for it, not the base address.

or maybe i don't follow the steps correctly and should set pointer search, but i don't see the option.

vuduy · 07/16/2009, 09:34

Because the base address is static, while all other addresses are dynamic.

My instructions are so clear already; if you can't do this then you might as well give up on it.

Smurfin · 07/16/2009, 10:26

i get it now, if we use [hex] search in ce, it'll search pointer, while i used base add in decimal previously

ok then i'll try it on my own atm, i'll post result if i found something

-edit-

ok, i got 8 addresses now, now need to do step. 7
7. Once you get the address, do a complete trace back to get all the "offsets" until you hit the base address.
how to do a complete trace back to get all offsets.

what i found look like this, am i in the right direction ?

xavierk · 07/16/2009, 14:13

anyone knows how to search the target name with CE ... i get allways a deadend...

incyberz · 07/20/2009, 09:56

Quote:

Originally Posted by ericjohn

you need 2 pointers 20 is the first offset written on the lowest part of after the base adress

can u give me some screenshoot

Megamorph · 07/22/2009, 15:38

I found this one:

[[[Base Adress]+0x20]+0xC70]+0x14

It seems it cointains the pointer to an action?

vuduy · 07/23/2009, 17:38

That means the pointer [[[base] + 0x20] + 0xc70] is the action structure.

From here, it becomes easy.
0x8 = current active mode flag (1 = on, 0 = off)
0xc = current active mode copy (used by the game to indicate start/stop of an action)
0x14 = current active mode (found by Megamorph)
0x18 = current active mode flag (1 is for on, 0 is for off)
0x30 = action mode types (all the action pointers are under here)
Here's a list of them:
[0x30] + 0x0 = idle mode (when doing nothing)
[0x30] + 0x4 = normal movement mode
[0x30] + 0x8 = queue skill mode
[0x30] + 0xc = normal attack mode (you still need to lock target first before using this)
[0x30] + 0x10 = current executing skill mode
[0x30] + 0x1c = follow mode

Note each action mode pointer is an actual structure to the action. Play around with the offsets to find the parameters of those action modes. An example for queue skill mode is:

0x8 = done flag
0x20 = target id
0x38 = type (usually the same number but might be different for a specific skill)
0x4c = skill error (must set this to 0)
0x50 = skill address (you must find the skill list and use the address of each skill in here)

Another example for normal movement mode:
0x8 = done flag (bool)
0x20 = X (float)
0x24 = Z (float)
0x28 = Y (float)
0x2c = type (int) (movement by mouse click = one type, movement by WASD is another type)

So let's say you want to move your character to coordinate (1,2,3) then you would do:

1. Write int 0 to done flag: [[[[[base] + 0x20] + 0xc70] + 0x30] + 0x4] + 0x8
2. Write float value 1 to X: [[[[[base] + 0x20] + 0xc70] + 0x30] + 0x4] + 0x20
3. Write float value 2 to Y: [[[[[base] + 0x20] + 0xc70] + 0x30] + 0x4] + 0x28
4. Write float value 3 to Z: [[[[[base] + 0x20] + 0xc70] + 0x30] + 0x4] + 0x24
5. Write int 0 to type: [[[[[base] + 0x20] + 0xc70] + 0x30] + 0x4] + 0x2c
6. Write int 1 to current action mode flag: [[[base] + 0x20] + 0xc70] + 0x8
7. Read normal movement mode pointer to: value = [[[[base] + 0x20] + 0xc70] + 0x30] + 0x4
8. Write value above to current action mode: [[[base] + 0x20] + 0xc70] + 0x14
9. Write same value to current action mode copy: [[[base] + 0x20] + 0xc70] + 0x8

And watch it moves.

Smurfin · 07/23/2009, 19:45

sounds complicated, i guess it's not for a noob, it's enough just to look at how it works at the moment.

btw about follow mode, does it work like this :
01. select target (passing char id value to target offset)
02. write value to [[[[[base] + 0x20] + 0xc70] + 0x30] + 0x1c] (should check what's the value on this one when using ingame's follow button first)

i'd like to make use of it to make a script for pk using several chars, so my chars will always follow my main chars and if i click a target they will attack the same target i click (i already have the script for auto aim my main char's target and attack, still using keypress macro) but after one kill i have to use mouseclick macro to make them follow me which takes time. If somehow I can utilize your method to make autofollow for my other chars it'll be perfect!

I'll be able to just focus on controlling one main char.

i'll just give it up if the steps above won't work, because that's all i can think with what i already know.

vuduy · 07/23/2009, 20:10

No, you have to write the parameters to the follow action structure.

Start at 0x4 to 0x30, you should have all the parameters for follow mode.

Smurfin · 07/23/2009, 20:26

ahh ok then, i'll just observe the discussion further, maybe it'll bring some light later.

Megamorph · 07/23/2009, 20:28

wow big thx for the share vuduy!

btw: did u already figured out something about patching the lag-back after increasing the swim/walk/run/fly speed through memory?

vuduy · 07/23/2009, 21:11

You can't patch that; that's server sided resync. You cannot speed-hack in this game. If anyone claims they can, slap them in the face.