How To Find Skill Offset with CE

ntldr32 · 07/25/2013, 23:00

Use this guide, if you download

, to update the SkillBase offset
__________________
1. Make new character lvl1, and do nothing
2. Open CE and attach it with your character client
3. Search this value 11394732 (used on PWInter Server, not sure if all server have same number XD)

All address you got is the base for every skill index(if u scan with high lvl character it will include the genie and weapon skill). if u add 8 to that address, you got the id of skill relative to that address.
4. Pick one of that address, and do new Scan, search for that address dont forget to tick "Hex"

You will got some result, but not much, maybe only 4 to 5 address, add all address to Address List

5. Investigate / (Find out what access this addres) all that address one by one,

Do that until u got reslut like this

You see that "eax+edi*4". eax is the pointer and edi is the index, clic More Info to see the value
The ESI in this section, is the character base
You see the "esi+00001298", its mean 0x00001298 (dec 4760) (PWInter, maybe differ with other server) is the offset for charracter current skills

__________________________________________________ __________
INVENTORYSTRUCT1_OffSet, CHARSTRUCT1_OffSet and Base_Address

__________________________________________________ __________

why the images not apear 0o?

~~dumbfck~~ · 07/26/2013, 00:42

If you post the images in IMG tags, they should show, e.g.

Code:

[IM G]http://i.epvpimg.com/fnPwg.jpg[/IM G]

(but remove the spaces in IM G)

ntldr32 · 07/26/2013, 01:44

Quote:
Originally Posted by dumbfck
If you post the images in IMG tags, they should show, e.g.
Code:
[IM G]http://i.epvpimg.com/fnPwg.jpg[/IM G]
(but remove the spaces in IM G)

i did that, but not show the image, only show on preview only, lol,
at least ppl can browse that images manualy XD
_________________
do u think 11394732 is a relevant number that contains in every skillBase(i)?, i not test it on other server ijs :/. bcos if not, this thread is useless at all XD

Murmuring · 07/26/2013, 10:38

you need 30 or 50 postings first, then you can post images here.

thanks for the work you did

~~dumbfck~~ · 07/26/2013, 11:14

Oh, I didn't realise there was a minimum post count for linking images lol. That must not have been in place when I joined :P
And yes, that value does look like a legitimate constant address, however, it will differ on different servers and will change every time elementclient is updated.

shadowfang1 · 07/26/2013, 22:32

Thanks for this, do you mind also explaining how to find the INVENTORYSTRUCT1_OffSet and CHARSTRUCT1_OffSet? Haven't been able to figure those two out.

Murmuring · 07/27/2013, 00:02

Quote:

Originally Posted by shadowfang1

Thanks for this, do you mind also explaining how to find the INVENTORYSTRUCT1_OffSet and CHARSTRUCT1_OffSet? Haven't been able to figure those two out.

take a look here:

simple way is:
make a short function accessing the 1 item in inv. with old offset in a loop.
add every loop +1 to the old offset and check the results in an array.
lets say your loop goes up to 1000 trys...a minute later you should have the new offset.

thats how i find most of the offsets in a couple of minutes without using cheat engine or olly.
not really pro...but worked fine since 2 years

shadowfang1 · 07/27/2013, 02:09

Quote:

Originally Posted by Murmuring

take a look here:

simple way is:
make a short function accessing the 1 item in inv. with old offset in a loop.
add every loop +1 to the old offset and check the results in an array.
lets say your loop goes up to 1000 trys...a minute later you should have the new offset.

thats how i find most of the offsets in a couple of minutes without using cheat engine or olly.
not really pro...but worked fine since 2 years

Thanks for the reply, not sure what you mean by accessing 1 item in the inventory while scanning though. Went ahead and tried something similar, but got no results. (Tried to find the correct offset by verifying the inventorysize result).

Code:

Global $player = _MemoryRead(_MemoryRead($base, $pi) + 0x1C, $pi)
For $i = 0 to 10000
	$inventorysize = _MemoryRead(_MemoryRead($player + "0x" & _DecimalToHex($i), $pi) + 0x10, $pi)
	If $inventorysize == 64 Then
		ConsoleWrite("0x" & _DecimalToHex($i) & '  ')
	EndIf
Next

Murmuring · 07/27/2013, 10:15

by using the old offset i mean:

Quote:

$oldOFFSET= 3624 ; < the inv. struct on pw-int
$EndSearch=$oldOFFSET+1000
For $i = $oldOFFSET to $EndSearch

you start searching on offset $i = 0, then 1, 2, 3, 4...up to 10.000
also you dont need "0x" & _DecimalToHex.

with 1 item in inventory i mean use only...
$pointer = _MemoryRead(_MemoryRead($CHAR_DATA_BASE + $i, $PROCESS_INFORMATION) + 0xC, $PROCESS_INFORMATION)
$inventory_base = _MemoryRead($pointer + 0 * 0x4, $PROCESS_INFORMATION); 0 = first item
now you can read out the sell price or itemID and write the result, if found, to console or an array.

ntldr32 · 07/27/2013, 23:26

Quote:

Originally Posted by shadowfang1

Thanks for this, do you mind also explaining how to find the INVENTORYSTRUCT1_OffSet and CHARSTRUCT1_OffSet? Haven't been able to figure those two out.

__________________________________________________ _____________
make you bag empty, and put a pot in the 1st index of your bag.
search this number(4byte) 11385488
now you got the itembase(0) for the 1st index (on me its 0x029D6C18)
now serach the itembase(0), u will got more than one result, but not much, maybe only 3 to 4 addresses
one by one , "find out what access this address", click more info until u got some result like this

PHP Code:


			
    004B0C72 - 8B 0E  - mov ecx,[esi]

    004B0D1C - 83 39 00 - cmp dword ptr [ecx],00

    004D1E09 - 8B 01  - mov eax,[ecx]

    004B0C3D - 8B 0A  - mov ecx,[edx]

if u see something like that, its mean the address is the pointer for inventory items. currently on me its 0x1A266A78.
now search that pointer, you will got more than 1 result, again one by one "find out what access this address", until u got something like this

PHP Code:


			
    004B0C6A - 8B 71 0C  - mov esi,[ecx+0C]

if u see something like that, its mean that address is the pointer_address. on me its 0x1BF09E04.
now click more info on "004B0C6A - 8B 71 0C - mov esi,[ecx+0C]".
see the value of ECX, on me it was 0x1BF09DF8
now search that ECX
pick the first address u got and find out what access this address.
if u see something like this

PHP Code:


			
    007CB803 - 8B 88 280E0000  - mov ecx,[eax+00000E28]

then the 0x00000E28 is the INVENTORYSTRUCT1_OffSet in hex, or 3624 in dec
____________________________________
u still need the CHARSTRUCT1_OffSet?

PHP Code:


			
    eax+00000E28

that EAX is the CHAR_DATA_BASE in prophet bot that stored in address
search that eax, you will got more than 1 address.
one by one find out what access to those addresses, until u got something like this

PHP Code:


			
    00440E2D - 8B 4F 34  - mov ecx,[edi+34]

that your CHARSTRUCT1_OffSet its 34 or 52 in decimal(since i start play this is always 52 XD).
______________________________
you got bonus XD, Base_Address
the EDI is the value inside Base_Address, its mean u can also trace the Base_Address
if u search the EDI, you will got more than one result, and one of them that have collor red(or green, im collor blind) is Base_Address.

for other offset that you need to find, u can see the code on prophet bot, and see how he read the value on that offset, and reverse that step in CE XD. some magic number will help

yuhanz · 11/03/2013, 18:29

Quote:

Search this value 11394732 (used on PWInter Server, not sure if all server have same number XD)

Apparently, this yields no results in my server
so yeah....