PWI Imperial Fury Offsets

martmor · 05/23/2012, 10:40

Hello

Here are the first offsets from PW Imperial Fury

In_Decimal

Unfreeze_Address=11779444
Base_Address=11778308
BaseCall_Address=11776588

Jump_Offset=3280
CastID_Offset=1832
State_Offset=1740
Class_Offset=1652
Reputation_Offset=1504
Gold_Offset=1376
MaxCHI_Offset=1372
CHI_Offset=1340
MaxMP_OffSet=1248
MaxHP_Offset=1244
DEX_Offset=1240
STR_Offset=1236
MAG_Offset=1232
VIT_Offset=1228
Spirit_Offset=1184
EXP_Offset=1180
MP_Offset=1176
HP_Offset=1172
Culti_Offset=1168
LVL_Offset=1164
CharID_Offset=1152

Base_AddressEXP=11781160

From amineurin

ChatBase_Offset=11796888
LastChatBase_Offset=11796900

SendPacketAdress=6824784

PlayerName_Offset=1644

ActionstructBase=4284

CatshopName=1896

TargetID_Offset=3028

from Swoosh @ surrosoft

RealBase_Address=11764288
NPCBase_Offset=80
NPCPAI_Offset=748
NPCCount_Offset=20
NPCID_Offset=288
NPCName_Offset=608
NPCLVL_Offset=296
NPCHP_Offset=304
NPCMAXHP_Offset=376
NPCSpecial_Offset=596
TARSTARGET_OffSet=748
PetBase_OffSet=4308

INVENTORYSTRUCT1_OffSet=3352

(I hope all the offsets are from his software and I hope that I did not forgot now any)

So as summary about the current Bot status with these offstes and changed send packet address:

Working:

Getting Herbs and Mats (running killrail)
Add Mobs to Target List
Select Mobs and kill them
Self Buffing
taking Pots if low HP / MP

Not Working:

Bot under water

Other things are not tested.

Here is the offset file:

[Perfect_World_Base_Address_In_Decimal]
Application_Title=Perfect World International
Base_Address=11778308
Base_AddressFZ=11779444
Base_AddressEXP=11781160
ChatBase_Address=11796888
LastChat_Address=11796900

[Custom_32_Offsets_In_Decimal]
CHARSTRUCT1_OffSet=52
Casting_Offset=1824
Name_offset=1644
LVL_Offset=1164
Class_offset=1652
HP_OffSet=1172
MaxHP_OffSet=1244
EXP_OffSet=1180
MP_OffSet=1176
CHARID_Offset=1152
MaxMP_OffSet=1248
STR_offset=1236
DEX_offset=1240
VIT_offset=1228
MAG_offset=1232
Spirit_offset=1184
Gold_offset=1376
FlySpeed_Offset=1272
FlyCounter_Offset=2408
MoveMode_OffSet=1656
CHI_Offset=1340
MAXCHI_Offset=1372
Jump_Offset=3280
CastID_Offset=1832
CharState_Offset=1740
Reputation_Offset=1504
Culti_Offset=1168
X_Offset=60
Y_Offset=68
Z_Offset=64

Target_OffSet=3028
PetBase_Offset=4308
PetHP_OffSet=56
PetHunger_OffSet=8

ACTIONSTRCT1_Offset=52
ACTIONSTRCT2_Offset=4284
ACTIONSTRCT3_Offset=48
ACTIONSTRCT4A_Offset=4
ACTIONSTRCT4B_Offset=8

ActionFlag_Offset=24
ActionRead_Offset=4
ActionRead2_Offset=8
ActionRead3_Offset=28
ActionWrite_Offset=12
ActionWrite2_Offset=20
ActionSkill_Offset=80
ActionMoveX_Offset=32
ActionMoveY_Offset=40
ActionMoveZ_Offset=36
ActionHeight_OffSet=104
ActionHeightFlag_OffSet=100
ActionHeightFlag2_OffSet=108
ActionDoneFlag_Offset=8
ActionValue_Offset=44
ActionValue2_Offset=64
ActionSetError_Offset=76
ActionFinished_Offset=8
ActionStart_Offset=20
ActionNotStart_Offset=36
ActionObject_Offset=32
ObjectAction_Offset=56

PLAYERSTRUCT1_OffSet=28
PLAYERSTRUCT2_OffSet=32

PlayerBase_Offset=136
PlayerCount_Offset=20
PlayerID_Offset=1152
PlayerLVL_Offset=1160
PlayerName_Offset=1644
PlayerHP_Offset=1140
PlayerMAXHP_Offset=1232
PlayerClass_Offset=1596

NPCSTRUCT1_OffSet=28
NPCSTRUCT1_OffSet=36

NPCBase_Offset=80
NPCPAI_Offset=748
NPCCount_Offset=20
NPCID_Offset=288
NPCName_Offset=608
NPCLVL_Offset=296
NPCHP_Offset=304
NPCMAXHP_Offset=376
NPCSpecial_Offset=596
TARSTARGET_OffSet=748

ITEMSTRUCT1_OffSet=28
ITEMSTRUCT2_OffSet=40

ItemBase_Offset=24
ItemID_Offset=272
ItemSN_Offset=273
ItemName_Offset=360

INVENTORYSTRUCT1_OffSet=3352

InventoryBase_Offset=12
InventoryID_Offset=8
InventoryStackAmount_Offset=16
InventoryMAXStackAmount_Offset=20
InventorySellPrice_Offset=24
InventoryBuyPrice_Offset=28
InventoryDescription_Offset=64

EQUIPPEDINVENTORSTRUCT1_OffSet=3324

Interest07 · 05/23/2012, 11:05

So soon lol, I'm still busy patching

Sᴡoosh · 05/23/2012, 12:16

Ugh. NPC struct ID is +120h now.

Posting more here while I find.

Edit : Anybody noticed gather function pushing two additional registers now?

Spoiler

Code:

0046F760   /$  53                PUSH EBX //This is new...
0046F761   |.  55                PUSH EBP //This is new also...
0046F762   |.  57                PUSH EDI
0046F763   |.  8BF9              MOV EDI,ECX
0046F765   |.  8B87 CC060000     MOV EAX,DWORD PTR DS:[EDI+6CC]
0046F76B   |.  C1E8 07           SHR EAX,7
0046F76E   |.  A8 01             TEST AL,1
0046F770   |.  0F85 D7000000     JNZ elementc.0046F84D
0046F776   |.  E8 45CBFFFF       CALL elementc.0046C2C0
0046F77B   |.  84C0              TEST AL,AL
0046F77D   |.  0F85 CA000000     JNZ elementc.0046F84D
0046F783   |.  8B6C24 10         MOV EBP,DWORD PTR SS:[ESP+10]
0046F787   |.  85ED              TEST EBP,EBP
0046F789   |.  0F84 BE000000     JE elementc.0046F84D
0046F78F   |.  8BCD              MOV ECX,EBP
0046F791   |.  81E1 000000C0     AND ECX,C0000000
0046F797   |.  81F9 000000C0     CMP ECX,C0000000
0046F79D   |.  0F85 AA000000     JNZ elementc.0046F84D
0046F7A3   |.  8B15 4CB2B300     MOV EDX,DWORD PTR DS:[B3B24C]              ;  elementc.00B3B8E8
0046F7A9   |.  6A 00             PUSH 0
0046F7AB   |.  55                PUSH EBP
0046F7AC   |.  8B42 1C           MOV EAX,DWORD PTR DS:[EDX+1C]
0046F7AF   |.  8B48 1C           MOV ECX,DWORD PTR DS:[EAX+1C]
0046F7B2   |.  8B49 28           MOV ECX,DWORD PTR DS:[ECX+28]
0046F7B5   |.  E8 36851E00       CALL elementc.00657CF0
0046F7BA   |.  85C0              TEST EAX,EAX
0046F7BC   |.  0F84 8B000000     JE elementc.0046F84D
0046F7C2   |.  8A90 50010000     MOV DL,BYTE PTR DS:[EAX+150]
0046F7C8   |.  8A5C24 14         MOV BL,BYTE PTR SS:[ESP+14]
0046F7CC   |.  80FA 02           CMP DL,2
0046F7CF   |.  0F94C2            SETE DL
0046F7D2   |.  3ADA              CMP BL,DL
0046F7D4   |.  75 77             JNZ SHORT elementc.0046F84D
0046F7D6   |.  84DB              TEST BL,BL
0046F7D8   |.  74 0C             JE SHORT elementc.0046F7E6
0046F7DA   |.  50                PUSH EAX
0046F7DB   |.  8BCF              MOV ECX,EDI
0046F7DD   |.  E8 7E000000       CALL elementc.0046F860
0046F7E2   |.  84C0              TEST AL,AL
0046F7E4   |.  74 67             JE SHORT elementc.0046F84D
0046F7E6   |>  8B87 BC100000     MOV EAX,DWORD PTR DS:[EDI+10BC]
0046F7EC   |.  8B48 0C           MOV ECX,DWORD PTR DS:[EAX+C]
0046F7EF   |.  85C9              TEST ECX,ECX
0046F7F1   |.  74 26             JE SHORT elementc.0046F819
0046F7F3   |.  8379 04 02        CMP DWORD PTR DS:[ECX+4],2
0046F7F7   |.  75 15             JNZ SHORT elementc.0046F80E
0046F7F9   |.  F6DB              NEG BL
0046F7FB   |.  1BDB              SBB EBX,EBX
0046F7FD   |.  83E3 03           AND EBX,3
0046F800   |.  43                INC EBX
0046F801   |.  53                PUSH EBX                                   ; /Arg2 = 2B81E4E8
0046F802   |.  55                PUSH EBP                                   ; |Arg1 = 0870B9D8
0046F803   |.  E8 18E50000       CALL elementc.0047DD20                     ; \elementc.0047DD20
0046F808   |.  5F                POP EDI
0046F809   |.  5D                POP EBP
0046F80A   |.  5B                POP EBX
0046F80B   |.  C2 0800           RETN 8
0046F80E   |>  8B11              MOV EDX,DWORD PTR DS:[ECX]
0046F810   |.  6A 04             PUSH 4
0046F812   |.  FF52 10           CALL DWORD PTR DS:[EDX+10]
0046F815   |.  84C0              TEST AL,AL
0046F817   |.  74 34             JE SHORT elementc.0046F84D
0046F819   |>  8B8F BC100000     MOV ECX,DWORD PTR DS:[EDI+10BC]
0046F81F   |.  56                PUSH ESI
0046F820   |.  6A 02             PUSH 2
0046F822   |.  E8 59680000       CALL elementc.00476080
0046F827   |.  F6DB              NEG BL
0046F829   |.  1BDB              SBB EBX,EBX
0046F82B   |.  8BF0              MOV ESI,EAX
0046F82D   |.  83E3 03           AND EBX,3
0046F830   |.  8BCE              MOV ECX,ESI
0046F832   |.  43                INC EBX
0046F833   |.  53                PUSH EBX                                   ; /Arg2 = 2B81E4E8
0046F834   |.  55                PUSH EBP                                   ; |Arg1 = 0870B9D8
0046F835   |.  E8 E6E40000       CALL elementc.0047DD20                     ; \elementc.0047DD20
0046F83A   |.  8B8F BC100000     MOV ECX,DWORD PTR DS:[EDI+10BC]
0046F840   |.  6A 00             PUSH 0
0046F842   |.  6A 01             PUSH 1
0046F844   |.  56                PUSH ESI
0046F845   |.  6A 01             PUSH 1
0046F847   |.  E8 A46C0000       CALL elementc.004764F0
0046F84C   |.  5E                POP ESI
0046F84D   |>  5F                POP EDI
0046F84E   |.  5D                POP EBP
0046F84F   |.  5B                POP EBX
0046F850   \.  C2 0800           RETN 8

boredsauce · 05/23/2012, 14:36

So wtf... PWI went from d3d9 back to d3d8 again? ...

Code:

.rdata:00AC9D36                 db 'Direct3DCreate8',0
.rdata:00AC9D46 aD3d8_dll       db 'd3d8.dll',0         ; DATA XREF: .rdata:00AC8134o

was

Code:

.rdata:00A21E20                 db 'Direct3DCreate9',0
.rdata:00A21E30 aD3d9_dll       db 'd3d9.dll',0         ; DATA XREF: .rdata:00A20B34o

Sᴡoosh · 05/23/2012, 17:33

Quote:

Originally Posted by boredsauce

So wtf... PWI went from d3d9 back to d3d8 again? ...

Code:

.rdata:00AC9D36                 db 'Direct3DCreate8',0
.rdata:00AC9D46 aD3d8_dll       db 'd3d8.dll',0         ; DATA XREF: .rdata:00AC8134o

was

Code:

.rdata:00A21E20                 db 'Direct3DCreate9',0
.rdata:00A21E30 aD3d9_dll       db 'd3d9.dll',0         ; DATA XREF: .rdata:00A20B34o

Yepp.

Code:

Executable modules, item 8
 Base=58DF0000
 Size=00105000 (1069056.)
 Entry=58E2B626 d3d8.<ModuleEntryPoint>
 Name=d3d8
 File version=6.1.7600.16385 (win7_rtm.090713
 Path=C:\Windows\SysWOW64\d3d8.dll

Why would they do that?

~~amineurin~~ · 05/23/2012, 21:15

and here are some i found meanwhile

Quote:

Decimal:
ChatBase_Offset=11796888
LastChatBase_Offset=11796900

SendPacketAdress=6824784

PlayerName_Offset=1644

ActionstructBase=4284

CatshopName=1896

TargetID_Offset=3028

to be continued...

Hope Merkada shows up here soon, Interest07 seams still busy

Sᴡoosh · 05/23/2012, 21:36

Here's some more offsets/addresses.

Just open the pgo file with attached viewer.

altivex · 05/23/2012, 23:50

The correct base is Base_Address=11778308
Prophet bot scans hp and mp of my char, also spirit count , and money count is correct.
But bot stuns at phase - [[[Searching For Character]]]
What offsets are currently answer for this action?
CHARSTRUCT1_OffSet=52 is correct - it`s already cheeked.
CHARID_Offset=1152- searching depends on this one?

~~dumbfck~~ · 05/24/2012, 00:46

What the ****.... another big patch already? Not sure I can be arsed anymore lol.

~~amineurin~~ · 05/24/2012, 00:51

@dumbfck:
yes new one, most added +8

shock: after update token price raise to 20-50k each one o.O

@altivex:
there much more offsets the bot used then we all had actual posted.
u need action struc and target offsets to.
and some more if i remember right.

KarmielKid · 05/24/2012, 06:27

Quote:

Originally Posted by Sᴡoosh

Here's some more offsets/addresses.

Just open the pgo file with attached viewer.

Requires vista or better have anything for XP?

altivex · 05/24/2012, 08:12

Quote:

shock: after update token price raise to 20-50k each one o.O

I gess it`s a weekly madness. Or let`s hope so.
It`s all about of

quest....

martmor · 05/24/2012, 09:02

With the offsets here written, should work prophetbot a little bit. Thank you very much for all the offsets.

I only tried until now running the farm rail (collecting herbs and mats) in flymode.

Can work better, but it work. Sometimes he change from flymode to running mode.

Maybe one of these offsets isn't correct?
Anybody know these offsets?

FlySpeed_Offset=1272
FlyCounter_Offset=2408
MoveMode_OffSet=1656

And these 2 I think are wrong too

PetHP_OffSet=56
PetHunger_OffSet=8

But I did not tried until now to use the bot for fight or with an Veno.

@KarmielKid

Swoosh attached a picture with the offsets.

@Swoosh

Your offset finder work at Win7 64 Bit fine. Nice Work. Thank you very much.

KarmielKid · 05/24/2012, 09:39

Quote:

Originally Posted by martmor

With the offsets here written, should work prophetbot a little bit. Thank you very much for all the offsets. I only tried until now running the farm rail (collecting herbs and mats) in flymode.

Can work better, but it work. Sometimes he change from flymode to running mode.

So what offsets do we have altogether now?

~~amineurin~~ · 05/24/2012, 09:58

Quote:

Originally Posted by KarmielKid

So what offsets do we have altogether now?

maybe all u can read in this thread

click here:

@martmor:
whats all missing for u, maybe i can take a look ?
u can try ad +4 on the offset, if its not working ad again +4...and so on.
im interest to help and not busy