PW Offset Finder

[Interest07]

Quote:

Originally Posted by somatando

thanks man
is there a way to set the target with addresses?
Or just with sendpacket function?

a packet needs to be sent

[somatando]

Interest, i read about sendpacket and i tried to make a sendpacket class in vb net
can you tell me what is wrong with my code?

Code:

    Public pr_processHandle As IntPtr
    Private sendPacketOpcodeAddress, packetAddressLocation, packetSizeAddress As Integer

    Private sendPacketOpcode As Byte() =
        {&H60,
         &HB8, &H0, &H0, &H0, &H0,
         &H8B, &HD, &H0, &H0, &H0, &H0,
         &H8B, &H49, &H20,
         &HBF, &H0, &H0, &H0, &H0,
         &H6A, &H0,
         &H57,
         &HFF, &HD0,
         &H61,
         &HC3
        }

    Private Sub LoadSendPacketOpcode()

        sendPacketOpcodeAddress = MemFunctions.AllocateMemory(pr_processHandle, sendPacketOpcode.Length)
        MemFunctions.MemWriteBytes(pr_processHandle, sendPacketOpcodeAddress, sendPacketOpcode)
        Dim functionAddress As Byte() = {&H0, &H68, &HD6, &H40}
        Array.Reverse(functionAddress)
        Dim realBaseAddress As Byte() = {&H0, &HB4, &HEF, &H34}
        Array.Reverse(realBaseAddress)
        MemFunctions.MemWriteBytes(pr_processHandle, sendPacketOpcodeAddress + 2, functionAddress)
        MemFunctions.MemWriteBytes(pr_processHandle, sendPacketOpcodeAddress + 8, realBaseAddress)
        packetAddressLocation = sendPacketOpcodeAddress + 16
        packetSizeAddress = sendPacketOpcodeAddress + 21

    End Sub

    Public Sub sendPacket(ByVal packetLocation As Byte(), ByVal packetSize As Integer)
        If sendPacketOpcodeAddress = 0 Then
            LoadSendPacketOpcode()
        End If
        MemFunctions.MemWriteBytes(pr_processHandle, packetAddressLocation, packetLocation)
        MemFunctions.MemWriteByte(pr_processHandle, packetSizeAddress, CByte(packetSize))

        Dim threadHandle As IntPtr = MemFunctions.CreateRemoteThread(pr_processHandle, sendPacketOpcodeAddress)

        MemFunctions.WaitForSingleObject(threadHandle)
        MemFunctions.CloseProcess(threadHandle)
    End Sub

the crash in pw occurs when i call function createremotethread ...
can you help me? thanks in advance

[Interest07]

Quote:

Originally Posted by somatando

Interest, i read about sendpacket and i tried to make a sendpacket class in vb net
can you tell me what is wrong with my code?

Code:

    Public pr_processHandle As IntPtr
    Private sendPacketOpcodeAddress, packetAddressLocation, packetSizeAddress As Integer

    Private sendPacketOpcode As Byte() =
        {&H60,
         &HB8, &H0, &H0, &H0, &H0,
         &H8B, &HD, &H0, &H0, &H0, &H0,
         &H8B, &H49, &H20,
         &HBF, &H0, &H0, &H0, &H0,
         &H6A, &H0,
         &H57,
         &HFF, &HD0,
         &H61,
         &HC3
        }

    Private Sub LoadSendPacketOpcode()

        sendPacketOpcodeAddress = MemFunctions.AllocateMemory(pr_processHandle, sendPacketOpcode.Length)
        MemFunctions.MemWriteBytes(pr_processHandle, sendPacketOpcodeAddress, sendPacketOpcode)
        Dim functionAddress As Byte() = {&H0, &H68, &HD6, &H40}
        Array.Reverse(functionAddress)
        Dim realBaseAddress As Byte() = {&H0, &HB4, &HEF, &H34}
        Array.Reverse(realBaseAddress)
        MemFunctions.MemWriteBytes(pr_processHandle, sendPacketOpcodeAddress + 2, functionAddress)
        MemFunctions.MemWriteBytes(pr_processHandle, sendPacketOpcodeAddress + 8, realBaseAddress)
        packetAddressLocation = sendPacketOpcodeAddress + 16
        packetSizeAddress = sendPacketOpcodeAddress + 21

    End Sub

    Public Sub sendPacket(ByVal packetLocation As Byte(), ByVal packetSize As Integer)
        If sendPacketOpcodeAddress = 0 Then
            LoadSendPacketOpcode()
        End If
        MemFunctions.MemWriteBytes(pr_processHandle, packetAddressLocation, packetLocation)
        MemFunctions.MemWriteByte(pr_processHandle, packetSizeAddress, CByte(packetSize))

        Dim threadHandle As IntPtr = MemFunctions.CreateRemoteThread(pr_processHandle, sendPacketOpcodeAddress)

        MemFunctions.WaitForSingleObject(threadHandle)
        MemFunctions.CloseProcess(threadHandle)
    End Sub

the crash in pw occurs when i call function createremotethread ...
can you help me? thanks in advance

Have you checked if all the bytes get written correctly?

[louco89]

I'm trying to make a bot and with the updates, I always have to look for the new sendpacket address, anyone can help me to make one regexp for sendpacket.
I suck with regexp =/

[Sᴡoosh]

Why does everybody use regex? It's kind of slow searching whole client address space for matching patterns.

Matching byte patterns is a LOT faster from when I tested it. This can even be done on startup, only takes a few hundred ms on 32 matches - wheras regex takes 2-3 seconds. For one match.

[Coinseller]

@louco89
take a look in Interest07 wq bot offset finder, theres a regex for sendpacket:

Quote:

$SEARCH=STRINGREGEXP($DATA,"6A21"&"E8.{8}"&"8BF0"& "83C404"&"85F6"&"74.{2}"&"8A442418"&"668B4C2410"&" 66C7060000"&"88461E"&"8B442408"&"66894E1A"&"D94424 14"&"8B10"&"895602"&"8B4804"&"D80D.{8}"&"894E06"&" 8B5008"&"8B44240C"&"89560A"&"D805.{8}"&"8B08"&"894 E0E"&"8B5004"&"895612"&"8B4008"&"894616"&"E8.{8}"& "668B4C241C"&"6689461C"&"66894E1F"&"8B15(.{8})"&"6 A21"&"56"&"8B4A20"&"E8(.{8})"&"56"&"E8.{8}"&"83C40 4"&"5E"&"C3",2)

@Sᴡoosh
helpfull answer, why dont you show us nubs how to work with byte patterns and write a excellent tutorial ?

[Sᴡoosh]

Quote:

Originally Posted by Coinseller

@louco89
take a look in Interest07 wq bot offset finder, theres a regex for sendpacket:


@Sᴡoosh
helpfull answer, why dont you show us nubs how to work with byte patterns and write a excellent tutorial ?

I don't have time to write any tutorial - but I can show you how I do it for forsaken world :

Some structs...

PHP Code:

type
  TOffsets = record
    BaseAddress: Cardinal;
    SendPacket: Cardinal;
    AttackCall: Cardinal;
    CharStruct: Cardinal;
    Target: Cardinal;
    ActionStruct : Cardinal;
    SkillStruct : cardinal;
    InventoryStruct : Cardinal;
    HP: Cardinal;
    HPMax: Cardinal;
    MP: Cardinal;
    MPMax: Cardinal;
    name: Cardinal;
    NPCDialog : Cardinal;
    WalkStateAddress : Cardinal;
    AutoRouteAddress : Cardinal;
  end;

type
  TSigData = record
    Data: array of byte;
    Signature: array of byte;
    Wildcard: byte;
  end;

type
  TSigQuerryResult = record
    Position: cardinal;
    Value: Cardinal;
  end; 


The actual searching function :

PHP Code:


function TFWOffsetman.GetAddress(Sigdata: TSigData; Readlength: integer): TSigQuerryResult;
var
  i, s, Value: Cardinal;
begin
  result.Position := 0;
  for i := 0 to length(Sigdata.Data) -1 do
  begin
    s := 0;
    for s := 0 to length(Sigdata.Signature) - 1 do
    begin
      if (Sigdata.Data[i + s] <> Sigdata.Signature[s]) and (Sigdata.Signature[s] <> Sigdata.Wildcard) then
        break;
    end;
    if s = length(Sigdata.Signature) then
    begin
      result.Position := i;

      Copymemory(@Result.Value, @SigData.Data[i + length(Sigdata.Signature)], Readlength);

      exit;
    end;
  end;
end; 


Now, one of my patterns looks like this :

PHP Code:

Baseaddr: array[0..16] of byte = ($B0, $01, $5E, $C3, $90, $90, $90, $90, $90, $90, $90, $90, $90, $90, $90, $51, $A1); 


$EE is my wildcard byte due to it's rareness in x86 assembler.

Please note that $ is hex representation in delphi.

And this is how the code is used :

PHP Code:

    setlength(Siggy.Signature, length(ActionStruct));
    Copymemory(@Siggy.Signature[0], @ActionStruct, length(ActionStruct));
    self.LoadedOffsets.ActionStruct := GetAddress(Siggy, 4).value;
    Progress := 10; 


Or, when dealing with RVA :

PHP Code:

    setlength(Siggy.Signature, length(AutoRouteAddress));
    Copymemory(@Siggy.Signature[0], @AutoRouteAddress[0], length(AutoRouteAddress));
    Qresult := GetAddress(Siggy, 4);
    self.LoadedOffsets.AutoRouteAddress :=
      Qresult.position //Physical position of matching pattern starting from 00
      + length(AutoRouteAddress) //length of the pattern
      + $400000 + //Image base, almost always this
      Qresult.value // value of 4 bytes following signature
      + 4; // add the 4 bytes we left out for signature 


Here you go

[Coinseller]

thanks, that will maybe help some users here.
i dont program so i dont understand this

but its interesting to read here, bad luck that i didnt found the page wen i play pwi.
im playing raiderz now

[ptdk]

Hey!

Im trying to find offsets for a private server. This program finds something, but not even half of the adresses(as i understand i would need a different regex file for it).

Could anyone link me a guide, with which i can find the offsets? Preferably something simple, i was looking myself, but they seem quite complicated. So i wouldnt try unless i know they gonna work.

Cheers

[martmor]

Did you took already a look to this page?



Here are Links to all informations like how to search, find and change them.

[ptdk]

Quote:

Originally Posted by martmor

Did you took already a look to this page?



Here are Links to all informations like how to search, find and change them.

Yes.

I got a few offsets with different offset retrievers(never base adress, just HP/MP/unfreeze, etc),and tried to find whole sets by that. None of them worked.

I tried to find the offsets myself, and while i could find 1 or two, i have no idea what exactly it is, how do i find the rest etc, its too complex(i dont even know if i did find what i wanted, as i was following a guide not knowing what im doing).

Guess i can live without it, was just wondering if there is another way.

[martmor]

The most privat servers have the Version 1.4.4

If you have some offsets it should be easy to find the other ones by a search engine.

[mjc88]

(had a stupid question with some research i found my own answer)

[saykses]

does not want to collect the loot .. help please

[martmor]

Quote:

Originally Posted by saykses

does not want to collect the loot .. help please

I do not know which Bot you have. But if you have pgrind or prophetbot you can change the settings so that he do not collect the loot