Current Base Address Discovery Methods

goder2910 · 03/09/2014, 06:55

Quote:

Originally Posted by R3D23R0

That's pretty much what the auto cultivation bot does, and it's already all there to use, except for the auto pot. You can use a simple script that read the char hp from the client, the offsets are posted around here somewhere, but if you know how to program in C you probably already know how to find offsets with CE. Otherwise there's the auto recovery stone in the boutique that does that for you, you can make up the cost of it within a fraction of the amount of time it lasts for you.

Thank for your answer, the auto cultivation bot is interesting.

But i really want to make a myself bot.

After researching few hours, i found some ways to make an simple auto bot. But i got stuck in finding base address and offset.

I read PWReclass from msxgames, there are a lot of offset that relates to character 's stat => this is amazing.

I read your tutorial, too, but i got stuck in finding char 's hp offset.

I really want to know how to find these offsets. Can you make a simple tutorial (with picture) that show me the way to get Target ID 's HP ? (mob 's hp)

Thank in advanced

martmor · 03/09/2014, 07:17

Quote:

Originally Posted by goder2910

I really want to know how to find these offsets. Can you make a simple tutorial (with picture) that show me the way to get Target ID 's HP ? (mob 's hp)

Thank in advanced

i did not tried it until now but I would say that you select a mob, search in cheat engine for targets HP, if you finde more results, select an other mob with different hp and search for the new HP in ce. you make this till you have just one result.

goder2910 · 03/09/2014, 08:59

Quote:

Originally Posted by martmor

i did not tried it until now but I would say that you select a mob, search in cheat engine for targets HP, if you finde more results, select an other mob with different hp and search for the new HP in ce. you make this till you have just one result.

Thank for your answer.

I followed your tut.

Below is my steps:

- Find new scan with value is 226
- Fight mob to decrease its HP to 151
- Find next scan with value is 151
- After getting only one record -> add to list -> choose "Find out what accesses this address"
=> I got these:

Instruction box - Record 1

Code:

006017E3 - 8B 8D 30010000  - mov ecx,[ebp+00000130]

Code:

006017DA - FF 50 38  - call dword ptr [eax+38]
006017DD - 8B 85 7C010000  - mov eax,[ebp+0000017C]
006017E3 - 8B 8D 30010000  - mov ecx,[ebp+00000130] <<
006017E9 - 83 F8 01 - cmp eax,01
006017EC - 89 4C 24 24  - mov [esp+24],ecx

EAX=000000E2
EBX=2164AD70
ECX=000000A3
EDX=1036F028
ESI=02E75040
EDI=02E74E18
ESP=21F8FB7C
EBP=0FF4D770
EIP=006017E9

Instruction box - Record 2

Code:

006FA42D - 89 90 30010000  - mov [eax+00000130],edx

Code:

006FA428 - 74 12 - je elementclient.exe+2FA43C
006FA42A - 8B 56 04  - mov edx,[esi+04]
006FA42D - 89 90 30010000  - mov [eax+00000130],edx <<
006FA433 - 8B 4E 08  - mov ecx,[esi+08]
006FA436 - 89 88 7C010000  - mov [eax+0000017C],ecx

EAX=0FF4D770
EBX=030E9BA8
ECX=26D1A3A0
EDX=000000A4
ESI=010E243A
EDI=21F8FE80
ESP=21F8FE10
EBP=00000000
EIP=006FA433

I think the Target 's cur HP is 130 or 17C. Iam not sure.

I use below codes in autoIt but the result is wrong.

Code:

$BaseAdress = 0xC7662C
$BaseOffset = 0x1C
$PlayerStruct_Offset = 0x2C

$Name_Offset = 0x6B0
$LVL_Offset = 0x4A0
$HP_OffSet = 0x4A8
$MaxHP_OffSet = 0x4F4
$MP_OffSet = 0x4AC
$MaxMP_OffSet = 0x4F8
$MinEnemyHP_Offset = 0x17C

$PW_Client = _MemoryOpen(ProcessExists("elementclient.exe"))

$PlayerBase = _MemoryRead(_MemoryRead($BaseAdress, $PW_Client, "dword") + $BaseOffset, $PW_Client, "dword") + $PlayerStruct_Offset

$String7 = _MemoryRead(_MemoryRead($PlayerBase, $PW_Client, "dword") + $MinEnemyHP_Offset, $PW_Client, "dword")

The problem is 17C or 130 is not sub offset of Player Structure. So how can find base address of Target 's cur HP ?

Interest07 · 03/09/2014, 10:10

I'm pretty sure the way it works is that you have the targetId in your player struct, but in order to get more info about your target you need to get it from the NPClist using the uniqueId (the targetId). It's been a while since I wrote any bots, but I doubt you'll be finding an offset for mob HP in your player struct...

~~denzjh~~ · 03/09/2014, 11:03

Quote:
Originally Posted by goder2910
I think the Target 's cur HP is 130 or 17C. Iam not sure.

I use below codes in autoIt but the result is wrong.
Code:
$BaseAdress = 0xC7662C
$BaseOffset = 0x1C
$PlayerStruct_Offset = 0x2C

$Name_Offset = 0x6B0
$LVL_Offset = 0x4A0
$HP_OffSet = 0x4A8
$MaxHP_OffSet = 0x4F4
$MP_OffSet = 0x4AC
$MaxMP_OffSet = 0x4F8
$MinEnemyHP_Offset = 0x17C

$PW_Client = _MemoryOpen(ProcessExists("elementclient.exe"))

$PlayerBase = _MemoryRead(_MemoryRead($BaseAdress, $PW_Client, "dword") + $BaseOffset, $PW_Client, "dword") + $PlayerStruct_Offset

$String7 = _MemoryRead(_MemoryRead($PlayerBase, $PW_Client, "dword") + $MinEnemyHP_Offset, $PW_Client, "dword")
The problem is 17C or 130 is not sub offset of Player Structure. So how can find base address of Target 's cur HP ?

Here is my working Offsets regarding NPC's HP

Code:

$NPCHP_Offset = 0x130
$NPCMaxHP_Offset = 0x17C

Currently working on ItemSortList but since I'm busy at work, maybe I will post those results on Thursday...

goder2910 · 03/09/2014, 13:38

@Interest07 : Thank for your suggestion. I will research more.

@dezjh : Can you share your 'getting NPC 's HP' code ?

I used above codes and always getting long number, not the NPC ' HP

Example : HP is 152 but the script displays 2152023xx..

Maybe problem is the conversion between variable 's type.

Thank in advanced.

~~denzjh~~ · 03/09/2014, 20:22

use the pointer i commented on post #26. and use the npc offsets I used in post #35. @msgames already shown the table...
the code for the hp of target is very long... you need to identify your target if it is a player or an NPC... then get the unqiue id of it. now you need to make a function that enlists/populate the players/npc around your character. You can search on that list using the unique id of your target and return the corresponding HP or other data that you want to have.
I have problems on displaying players HP since i need to be on same squad with them or something like an eye of observation/jungle belt and cast them. Also, your character's stat offsets are the same as the stat offsets of other players.
to summarize what i have learned so far:

Code:

basepointer = [baseaddress + "base_offset"]
char_pointer = [basepointer + "charbase_offset"]

surroundings_pointer = [baseaddress + "surroundingsbase_offset"]
otherplayers_pointer = [surroundings_pointer + "otherplayersbase_offset"]
otherplayers_count = [otherplayers_pointer + "otherplayerscount_offset"] <--- will return number of players around your character
nonplayers_pointer = [surroundings_pointer + "nonplayersbase_offset"]
nonplayers_count = [nonplayers_pointer + "nonplayerscount_offset"] <--- will return number of non-players around your character
items_pointer = [surroundings_pointer + "itemsbase_offset"]
items_count = [items_pointer + "itemscount_offset"] <--- will return number of loots around your character

for the pointers of lists:
otherplayerlist_pointer = [otherplayers_pointer + "otherplayerslist_offset"]
nonplayerlist_pointer = [nonplayers_pointer + "nonplayerlist_offset"]
itemlist_pointer = [items_pointer + "itemlist_offset"]

for the data you want to obtain (unique_id, database_id, name, level, hp, max_hp):
data = [pointer + "data_offset"]

If anyone knows itemlist offset, would save me time

Underavelvetmoon · 03/31/2014, 22:33

Hey guys! Im having a little trouble reversing some of the packets, and seeing as this is a very active, intelligent thread, I thought id ask here for some help xD

So after much trial and error, and what has pretty much been my whole day, Ive managed to locate the the SendPacketAddress: 0x722840. The only problem im having is that compared to dumbfck's tutorial on gathering packet information, the packets are structured differently, and give no obvious information to follow. Im about 95% sure this is the correct address, so im really stuck trying to figure this out. I'd appreciate any help!

There isnt any clear definition or address to follow. Like, the Meditate packet on Interests "Sending Packets" comes up as 2E 00. On mine I can only trace it down to 66 8B or something like that. Very frustrating after all this work, and im so sure the SendPacket is right haha

~~denzjh~~ · 04/03/2014, 14:35

nope, your other 5% doubt is correct. SendPacket_Address is 0x725700.

Underavelvetmoon · 04/03/2014, 22:21

Quote:

Originally Posted by denzjh

nope, your other 5% doubt is correct. SendPacket_Address is 0x725700.

Really?! ****! The address I posted was breaking whenever I sent a packet so I was convinced it was that! I tried many address's too which didnt break! How did you find it may I ask? I wasnt off by far but I must of took a wrong step.

I back traced from the "send" function in ws2_32. I tried WSASend and WSASendTo also but they wernt producing breaks for me. At least im getting better at this xD

bogsik · 10/22/2014, 02:00

I've retired from this game since 5 years ago but recently my wife started playing again because she's pregnant and stays at home. She asked me to do some bot config for her but apparently the MHS bot I've used for many years aren't working already.

Been working on R3D23R0 guide about getting the base address and spent 6 hours but **** I can't find the one which unfreezes the client.

By the way, the server is pw-ph. Anyone knows if it's a hack shield like any other server?

Sᴡoosh · 10/22/2014, 10:17

As far as I know, no pw server employs hackshield.

MHS will not work anymore, since it uses a method of targeting which is fixed since around 3 years.

~~denzjh~~ · 10/22/2014, 21:30

Quote:

Originally Posted by bogsik

I've retired from this game since 5 years ago but recently my wife started playing again because she's pregnant and stays at home. She asked me to do some bot config for her but apparently the MHS bot I've used for many years aren't working already.

Been working on R3D23R0 guide about getting the base address and spent 6 hours but **** I can't find the one which unfreezes the client.

By the way, the server is pw-ph. Anyone knows if it's a hack shield like any other server?

DO u mind upload an elementclient.exe of the said server ^_^ i want to try to look for its base address. thanks in advance

tempus fugitus · 11/03/2014, 10:24

can somone post working offsets for PWI international?
please

Stark77 · 11/03/2014, 14:01