Perfect World New Horizon 1.5.1 Build 2309
Discussion on Perfect World New Horizon 1.5.1 Build 2309 within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.
07/16/2014, 06:32 | #1 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
Since there are no more posts or information regarding offsets since Horizon, or very little about it, I'd like to start a new thread for it. I know by forum rules this sub forum is supposed to be for releases, but I guess the PW section has been so quiet and not moderated regularly for such a long time that it became common for offsets discussion and not just releases, while the parent sub forum for PW is mostly used for selling accounts and other stuff. Now that PW Indo is on the same page as PWI, which is v1.5.1 build 2309 (cmiiw), I hope we can figure out a working set of offsets.
I've done some digging and came across a long list of offsets. I tried some of them and I'm sure this is the right set of offsets for New Horizon 1.5.1 build 2309; I just need to figure out which one is which.
For now in this form, without spoilers, not verified. I just gathered it all in one place.
New Horizons, Reincarnation
BaseAddress = 00C9DFAC
GameAddress = 00C9E74C
HostPlayer Struct
BA+0x1C+0x30+
+003C LocX, float
+0040 LocZ, float
+0044 LocY, float
+0494 WID, dword /character's world ID/
+04A0 PlayerLvL, dword /character level/
+04A4 PlayerStatus, dword /character status/
+04A8 HP, dword /hit points/
+04AC MP, dword /magic energy (mana)/
+04B0 Experience, dword /current experience/
+04B4 Spirit, dword /current spirit/
+04B8 SkillPoints, dword /points available to distribute/
+04BC ChiPoints, dword /Chi (Fury) units/
+04C0 Attack /attack/
+04C4 Def /defense/
+04C8 Crit /crit chance/
+04D0 Stealth /stealth/
+04D4 Detect /detection/
+04D8 /damage to monsters/
+04DC /defense against monsters/
+04E0 /fighting spirit (morale)/
+04E4 Vitality, dword /vitality (stamina)/
+04E8 Intellect, dword /intelligence/
+04EC Strength, dword /strength/
+04F0 Dexterity, dword /dexterity/
+04F4 MaxHP, dword /maximum hit points/
+04F8 MaxMP, dword /maximum magic energy/
+0514 Hit, dword /accuracy/
+0518 MinPhyzAtk, dword /physical attack, min/
+051C MaxPhyzAtk, dword /physical attack, max/
+0550 MinMagAtk, dword /magic attack, minimum/
+0554 MaxMagAtk, dword /magic attack, maximum/
+0558 DefMetal, dword /defense, Metal/
+055C DefWood, dword /defense, Wood/
+0560 DefWater, dword /defense, Water/
+0564 DefFire, dword /defense, Fire/
+0568 DefEarth, dword /defense, Earth/
+056C DefPhyz, dword /physical defense/
+0570 Flee, dword /evasion/
+0574 MaxFury, dword /fury, maximum/
+0578 Money, dword /money/
+057C MaxMoney, dword /money, maximum possible/
+0580 EquipWeapon, word /weapon/
+0584 EquipHelmet, word /helmet/
+0588 EquipNecklace, word /jewelry, top (necklace)/
+058C EquipManteau, word /cape/
+0590 EquipShirt, word /body armor/
+0594 EquipWaistAdorn, word /jewelry, bottom (belt)/
+0598 EquipFootwear, word /pants/
+059C EquipBoots, word /footwear/
+05A0 EquipWristBracer, word /bracers/
+05A4 EquipRing1, word /ring 1/
+05A8 EquipRing2, word /ring 2/
+05AC EquipProjectile, word
+05B0 EquipFly, word /flyer ID/
+05B4 EquipBodyFashion, word /fashion top/
+05B8 EquipLegwearFashion, word /fashion pants/
+05BC EquipSpecialFootwears, word /fashion shoes/
+05C0 EquipArmFashion, word /fashion gloves/
+05C4 /attack tokens/, word
+05C8 /book/, word
+05CC EquipSmiley, word /smileys/
+05D0 EquipGuardianCharm, word /HP charm/
+05D4 EquipSpiritCharm, word /MP charm/
+05D8 EquipBox, word
+05DC EquipGenie, word /WID of the equipped genie/
+05E0 /trade stall/, word
+05E4 /fashion hairstyle/, word
+05F4 /fashion weapon/, word
+0600 /card: Destruction/, dword
+0604 /card: Annihilation/, dword
+0608 /card: Longevity/, dword
+060C /card: Health/, dword
+0610 /card: Mystery/, dword
+0614 /card: Riddle/, dword
+0620 Reputation, dword
+062C FlagPeaceZone, byte
+065C ClanID, dword
+0660 ClanPost /rank in clan/
+06B0 +0 PlayerName, wchar*8 (UText / Unicode String)
+06B8 ClassID, byte
+06BC Gender, byte
+06C4 WalkMode, byte
+06C8 RunMode, byte
+0740 Meditation, byte /state/
+0784 PartyMember, array /party member structures/
+0B24 WaitPotHMP, dword
+0B64 WaitPotHP, dword
+0B6C WaitPotMP, dword
+0B84 /teleport rune cooldown/
+0B94 WaitPlayerInfo
+0D3C Target, dword
+0F48 Inventory
+0F48 + 0x10 - Inventory count /number of inventory slots/
+0F48 + 0x0C + [0x04 * I] (I = 0 .. Inv_count) - item structure
+ 0x08 - item type (clothing, weapon, potion, etc.)
+ 0x0C - item ID
+ 0x14 - quantity in the slot
+ 0x4C + 0x0 - item name (unicode)
+ 0x18 - maximum quantity per slot
+ 0x1C - price (at a vendor)
+ 0x64 - required level
+13A8 ActionArray
+13B0 QuestArray
+ 13B0 + 0x08 + 0x0 Quest count
+ 13B0 + 0x08 + (0x8+I*0x20) Quest ID (I = 0 .. Quest count)
+13C0 PetArray
+ 0x0C - Pet count / number of pets
+ 0x08 - Pet number / number of the summoned pet
+ 0x3C - Pet WID / WID of the summoned pet
+ [0x10 + I * 0x04] (I = 0 .. Pet count) - pet array
++ 0x04 - loyalty
++ 0x2C - exp / current experience
++ 0x24 - level / pet level
++ 0x38 - HP
++ 0x34 + 0x0 - Pet Name
+13D4 + [0x04 * I] (I=0 .. Skills_count) / skill array
+13D8 - SkillCount
+ 0x08 - Skill_ID
+ 0x0C - Skill_level
+ 0x10 - Cooldown / current cooldown (in milliseconds)
+ 0x14 - Max Cooldown / maximum cooldown of the skill
Character (player) structure
BA + 0x1C + 0x1C + 0x1C + 0x14 Count, dword /count/
BA + 0x1C + 0x1C + 0x1C + 0x18 + [i*0x4] /i = 0 - 0x300/
Mob, NPC, pet structure
BA + 0x1C + 0x1C + 0x20 + 0x14 Count, dword /count/
BA + 0x1C + 0x1C + 0x20 + 0x18 + [i*0x4] /i = 0 - 0x300/
BA + 0x1C + 0x1C + 0x20 + 0x58 + [i*0x4] /i = 0 - 0x300/ ?
+0x278 +0 Name, wchar (UText / Unicode String)
+0x29C Distance, float
Loot structure
BA + 0x1C + 0x1C + 0x24 + 0x14 Count, dword /count/
BA + 0x1C + 0x1C + 0x24 + 0x18 + [i*0x4] /i = 0 - 0x300/
PackCall=0073BB80
target flag BA+1C+30+1458+3C
4D0 UnfreezeOffset
00C9EC00 Unfreeze
Unfreeze 0043BF46 (84 C0 > B0 01 > B0 00)
Unfreeze 0043BF48 (88...75 > C6...01)
ZoomHack=004081D0
Walk1=0048DF20
Walk2=004922D0
Walk3=0048E3D0
Fly=00471CB0
FullTarget=00730FD0
UseSkill=0047CBF0
UseSkillGenie=004F5400
Assist=007704B0
Mining=0076EFE0
Pick=00730F60
PickWalk=00484440
NPCSelect=0076E5C0
TalkToNPC=00731400
Buy=007711A0
Sell=00771240
UseItem=00730D80
ButtonPress=0090F810
IdCancel=00C291E4
GUI=00914A70
The source is a Russian discussion board called zhyk, posted by Sumikot. If anyone finds any useful offsets in the list above, any thanks given on this post are considered to be for him as well.
So far, I've tried base address, real base address, hp, mp, maxhp, maxmp and the target offset, and they fit v1.5.1 build 2309. I'm still trying to figure out how to list surrounding players, mats and items, but I'm stuck at surrounding players. I use AutoIt for that and I need some help fixing the AutoIt function, if anyone familiar with offsets is still around and reads this.
This is the function I want to fix, originally posted by lolkop and modified to work through a lot of PW patches with the help of Interest07.
Code:
    ; memread() and $base are the script's own memory-read wrapper and base
    ; address global (not shown in the post).
    Func GetPlayerList()
        ; Follows the pointer chain base -> +0x1C -> +0x1C -> +0x1C and walks the
        ; surrounding-player list, returning one row of 10 fields per entry.
        Local $array[1][10], $pointer, $player_base, $playerCount
        Local $counter = 0
        $pointer = memread(memread(memread(memread(memread($base) + 0x1C) + 0x1c) + 0x1c) + 0x14)
        $playerCount = memread(memread(memread(memread(memread($base) + 0x1C) + 0x1c) + 0x1c) + 0x18)
        For $x = 0 To ($playerCount - 1)
            $player_base = memread($pointer + $x * 0x4) ; pointer to one player struct
            If $player_base <> 0 Then
                ReDim $array[$counter + 1][10]
                $array[$counter][0] = memread(memread($player_base + 0x6b0), 'wchar[30]') ; Name
                $array[$counter][1] = (memread($player_base + 0x3C, 'float') + 4000) / 10 ; x
                $array[$counter][2] = (memread($player_base + 0x44, 'float') + 5500) / 10 ; y
                $array[$counter][3] = memread($player_base + 0x40, 'float') / 10 ; z
                $array[$counter][4] = Hex(memread($player_base + 1172)) ; id
                $array[$counter][5] = memread($player_base + 1192) ; hp
                $array[$counter][6] = memread($player_base + 1196) ; mp
                $array[$counter][7] = memread($player_base + 1184) ; lvl
                $array[$counter][8] = memread($player_base + 1200) ; exp?
                $array[$counter][9] = Hex(memread($pointer))
                $counter += 1
            EndIf
        Next
        Return $array
    EndFunc
-edit-
Forgot to add the word 'offsets' to the thread title >_<'
07/16/2014, 06:54 | #2 | Join Date: Mar 2010 | Posts: 862 | Received Thanks: 576
I'm pretty sure there should be an ordered player list instead of the one you're looking for (with 0x14 you get the hash list / dictionary, which is harder to traverse). I admit to no longer having PW installed, but that probably won't change.
Is the player count working? That should be the easiest to find.
07/16/2014, 08:18 | #3 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
The player count is working; I tried several locations, and it showed the correct number of people around.
But when I ran GetPlayerList, it won't list anyone.
The offsets list I posted above should fit PW Indo Horizon (or Reincarnation, as it is called here): base address, hp, unfreeze, mp, target offset, and now the player count too, so the NAME offset should also work. Btw, the name offset is +06B0 +0; how should I write that in my function?
memread(memread($player_base + 0x6b0), 'wchar[30]')
or
memread(memread(memread($player_base + 0x6b0) +0), 'wchar[30]')
or something else (neither is working, though). I'll figure out the others such as hp, mp etc. later, but I need it to be able to list names first; figuring out the rest should be easy.
Also, coordinates never change, so even if it can't list names, it should at least show coordinates. I wonder where the mistake in the function is.
07/16/2014, 12:26 | #4 | Join Date: Jul 2014 | Posts: 16 | Received Thanks: 0
Smurf, are you selling a bot for PW Indo?
07/16/2014, 16:01 | #5 | Join Date: Jan 2011 | Posts: 38 | Received Thanks: 17
Smurfit, with the offsets all can: name, Lvl, but could not target mobs, kill mobs, what's wrong huh?
And what offset of:
TARSTARGET_OffSet=
PlayerBase_Offset=
07/16/2014, 17:24 | #6 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
Quote: Originally Posted by xjoss001
Smurf, are you selling a bot for PW Indo?
No, I don't.
Quote: Originally Posted by sirius21
Smurfit, with the offsets all can: name, Lvl, but could not target mobs, kill mobs, what's wrong huh?
And what offset of:
TARSTARGET_OffSet=
PlayerBase_Offset=
Target Offset is 3388.
PlayerBase_Offset, I guess it's the same as the HostPlayer Struct BA+0x1C+0x30+.
07/16/2014, 19:23 | #7 | Join Date: Jan 2011 | Posts: 38 | Received Thanks: 17
Thx smurfit, now target works, but PlayerBase_Offset,
I mean, in ProphetBot: custom_offset
PlayerBase_Offset = 136 <- This is what I mean,
PlayerCount_Offset = 20
PlayerID_Offset = 1152
PlayerLVL_Offset = 1164
PlayerName_Offset = 1636
PlayerHP_Offset = 1140
07/16/2014, 21:18 | #8 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
Quote: Originally Posted by sirius21
Thx smurfit, now target works, but PlayerBase_Offset,
I mean, in ProphetBot: custom_offset
PlayerBase_Offset = 136 <- This is what I mean,
PlayerCount_Offset = 20
PlayerID_Offset = 1152
PlayerLVL_Offset = 1164
PlayerName_Offset = 1636
PlayerHP_Offset = 1140
What you posted above are offsets for the nation war patch (cmiiw).
Got it working now; the PlayerBase_Offset should be 0x94 or 148.
==================================================
But I'm still curious about
Character (player) structure
BA + 0x1C + 0x1C + 0x1C + 0x14 Count, dword /count/ <= this works for playercount
BA + 0x1C + 0x1C + 0x1C + 0x18 + [i*0x4] /i = 0 - 0x300/ <= what is this one?
I use:
$pointer = memread(memread(memread(memread(memread($base) + 0x1C) + 0x1c) + 0x1c) + 0x94)
$playerCount = memread(memread(memread(memread(memread($base) + 0x1C) + 0x1c) + 0x1c) + 0x14)
and it's working.
07/17/2014, 03:52 | #9 | Join Date: Jan 2011 | Posts: 38 | Received Thanks: 17
Yes, it's working, thx smurfit.
I do not know what you mean; ppl which are in the circle in the picture?
If yes, I use the player base 148 and all can appear
(sorry, my post count is not enough, can not post the picture :p).
But when I start the bot, the client element errors and closes.
Have the action structure and sendingpacket changed?
07/17/2014, 06:55 | #10 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
You probably used a wrong sendingpacket call address; 73BB80 is the correct one. There was probably a typo on the Russian forum, as I posted, or should I say copy-pasted, yesterday, and it was written as 73BBB0.
Use +13A8 ActionArray or 5032 for ACTIONSTRCT2_Offset, and ACTIONSTRCT1_Offset=52 is probably 0x30 or 48 in decimal by now, as you can see from the listed offset HostPlayer Struct BA+0x1C+0x30+. There might still be a lot to figure out before you can get all features working, because ProphetBot utilizes a lot of offsets.
Too bad Interest07 no longer has PW installed.
By the way, I have a loader posted by lolkop which enabled a lot of things, but it's long gone; it hasn't worked since nation war, I guess. I only used it for enabling more than 3 smileys.
I'll post it anyway; maybe someone will share a working RegEx or whatever it's called.
Code:
    ; Loader posted by lolkop. It reads elementclient.exe into memory, rewrites a
    ; few byte patterns with regular expressions, then maps the patched image into
    ; a suspended copy of the process. The call sequence (CreateProcess with
    ; CREATE_SUSPENDED -> NtUnmapViewOfSection -> WriteProcessMemory ->
    ; SetThreadContext -> ResumeThread) is the classic RunPE / process-hollowing
    ; pattern that anti-cheat and EDR products specifically look for.
    ; loading the file into the memory
    $path = "elementclient.exe"
    $file = FileOpen($path, 16) ; 16 = binary mode; FileRead then returns a "0x..." hex string
    $read = FileRead($file, FileGetSize($path))
    FileClose($file)
    ; The patterns below therefore match hex bytes: 75 (JNZ) / 74 (JZ) become EB (JMP),
    ; conditional jumps become 90 (NOP) runs of the same length.
    ; search and remove the launcher check
    $read = StringRegExpReplace($read, '(558BEC6AFF68.{8}68.{8}64A100000000506489250000000081EC.{8}5356578965.{2}68.{8}8B5D.{2}53FF15.{8}83C4.{2}85C0)75(.{2}6A.{2}68.{8}68.{8}50FF15)', '${1}EB${2}')
    ; search and remove multiclient check
    $read = StringRegExpReplace($read, '(8B4424.{2}83EC.{2}A3.{8}8A4424.{2}53558B2D.{8}56578B3D.{8}84C0BE.{8}75.{2}BE.{8}33DB84C074.{2}BB.{8}68.{8}68.{8}FF15.{8}85C0)74(.{2}6A.{2}68.{8}68.{8}6A00FF15)', '${1}EB${2}')
    ; search and remove the zoomlimit
    $read = StringRegExpReplace($read, '(885E.{2}D985.{8}D846.{2}D956.{2}D81D.{8}.*?)75(.{2}894E.{2}8B073BC3)', '${1}EB${2}')
    ; search and remove the smile limit
    $read = StringRegExpReplace($read, '(8B84B8.{8}8B4C24.{2}3B48.{2}7D.{2}83BB.{10})7D.{2}(518D4424.{2}5750E8.{8}83C4.{2}8B00)', '${1}9090${2}')
    ; search and remove the jump limit (only works clientsided)
    $read = StringRegExpReplace($read, '(8A86.{8}84C00F85.{8}8B86.{8}E9.{8}8B86.{8}8BD0C1EA.{2}84D30F85.{8}8B96.{8}B9.{8}3BD1)0F8D.{8}(8A96.{8}84D20F85.{8}398E.{8}0F84.{8})', '${1}909090909090${2}')
    ; search and remove the freeze on inactive window
    ;$read = StringRegExpReplace($read, '(68.{8}6A01E8.{8}BA.{8}83C4.{2}85D2EB.{2}389E.{8})0F84.{8}(8B4E.{2}6A01E8.{8}84C075.{2}68)', '${1}909090909090${2}')
    ;starting the patched file =)
    RunFileFromMemory($read, $path)

    Func RunFileFromMemory($bBinaryImage, $path)
        ; Copy the image into a DllStruct so we have a stable pointer to its bytes.
        Local $tInput = DllStructCreate("byte[" & BinaryLen($bBinaryImage) & "]"), $pPointer
        DllStructSetData($tInput, 1, $bBinaryImage)
        $pPointer = DllStructGetPtr($tInput)
        ; STARTUPINFOW / PROCESS_INFORMATION for CreateProcessW
        Local $tSTARTUPINFO = DllStructCreate("dword cbSize;ptr Reserved;ptr Desktop;ptr Title;dword X;dword Y;dword XSize;dword YSize;dword XCountChars;dword YCountChars;dword FillAttribute;dword Flags;ushort ShowWindow;ushort cbReserved2;ptr lpReserved2;ptr hStdInput;ptr hStdOutput;ptr hStdError")
        DllStructSetData($tSTARTUPINFO, "cbSize", DllStructGetSize($tSTARTUPINFO))
        Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;ptr Thread;dword ProcessId;dword ThreadId")
        ; creation flags 4 = CREATE_SUSPENDED: the on-disk image is loaded but never runs
        Local $aCall = DllCall("kernel32.dll", "int", "CreateProcessW", "wstr", $path, "ptr", 0, "ptr", 0, "ptr", 0, "int", 0, "dword", 4, "ptr", 0, "ptr", 0, "ptr", DllStructGetPtr($tSTARTUPINFO), "ptr", DllStructGetPtr($tPROCESS_INFORMATION))
        Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process")
        Local $hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread")
        ; x86 CONTEXT; ContextFlags 0x10002 = CONTEXT_INTEGER (we need Ebx and Eax)
        Local $tCONTEXT = DllStructCreate("dword ContextFlags;dword Dr0;dword Dr1;dword Dr2;dword Dr3;dword Dr6;dword Dr7;dword ControlWord;dword StatusWord;dword TagWord;dword ErrorOffset;dword ErrorSelector;dword DataOffset;dword DataSelector;byte RegisterArea[80];dword Cr0NpxState;dword SegGs;dword SegFs;dword SegEs;dword SegDs;dword Edi;dword Esi;dword Ebx;dword Edx;dword Ecx;dword Eax;dword Ebp;dword Eip;dword SegCs;dword EFlags;dword Esp;dword SegSs")
        DllStructSetData($tCONTEXT, "ContextFlags", 0x10002)
        $aCall = DllCall("kernel32.dll", "int", "GetThreadContext", "ptr", $hThread, "ptr", DllStructGetPtr($tCONTEXT))
        ; Walk the PE headers of the in-memory image: DOS header -> NT signature ->
        ; file header -> optional header -> section table.
        Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];ushort BytesOnLastPage;ushort Pages;ushort Relocations;ushort SizeofHeader;ushort MinimumExtra;ushort MaximumExtra;ushort SS;ushort SP;ushort Checksum;ushort IP;ushort CS;ushort Relocation;ushort Overlay;char Reserved[8];ushort OEMIdentifier;ushort OEMInformation;char Reserved2[20];dword AddressOfNewExeHeader", $pPointer)
        $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader")
        Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic") ; "MZ" (not checked here)
        Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer) ; "PE\0\0"
        $pPointer += 4
        Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;ushort NumberOfSections;dword TimeDateStamp;dword PointerToSymbolTable;dword NumberOfSymbols;ushort SizeOfOptionalHeader;ushort Characteristics", $pPointer)
        Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")
        $pPointer += 20 ; sizeof(IMAGE_FILE_HEADER)
        Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;ubyte MajorLinkerVersion;ubyte MinorLinkerVersion;dword SizeOfCode;dword SizeOfInitializedData;dword SizeOfUninitializedData;dword AddressOfEntryPoint;dword BaseOfCode;dword BaseOfData;dword ImageBase;dword SectionAlignment;dword FileAlignment;ushort MajorOperatingSystemVersion;ushort MinorOperatingSystemVersion;ushort MajorImageVersion;ushort MinorImageVersion;ushort MajorSubsystemVersion;ushort MinorSubsystemVersion;dword Win32VersionValue;dword SizeOfImage;dword SizeOfHeaders;dword CheckSum;ushort Subsystem;ushort DllCharacteristics;dword SizeOfStackReserve;dword SizeOfStackCommit;dword SizeOfHeapReserve;dword SizeOfHeapCommit;dword LoaderFlags;dword NumberOfRvaAndSizes", $pPointer)
        $pPointer += 96 ; fixed part of IMAGE_OPTIONAL_HEADER32
        Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic") ; 0x10B for PE32 (not checked here)
        Local $iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint")
        $pPointer += 128 ; 16 data directories of 8 bytes; $pPointer now at the section table
        Local $pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase")
        Local $iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage")
        ; Read the new process's PEB (Ebx points at it in a freshly created thread)
        ; to learn where the original image was mapped.
        Local $tPEB = DllStructCreate("byte InheritedAddressSpace;byte ReadImageFileExecOptions;byte BeingDebugged;byte Spare;ptr Mutant;ptr ImageBaseAddress;ptr LoaderData;ptr ProcessParameters;ptr SubSystemData;ptr ProcessHeap;ptr FastPebLock;ptr FastPebLockRoutine;ptr FastPebUnlockRoutine;dword EnvironmentUpdateCount;ptr KernelCallbackTable;ptr EventLogSection;ptr EventLog;ptr FreeList;dword TlsExpansionCounter;ptr TlsBitmap;dword TlsBitmapBits[2];ptr ReadOnlySharedMemoryBase;ptr ReadOnlySharedMemoryHeap;ptr ReadOnlyStaticServerData;ptr AnsiCodePageData;ptr OemCodePageData;ptr UnicodeCaseTableData;dword NumberOfProcessors;dword NtGlobalFlag;ubyte Spare2[4];int64 CriticalSectionTimeout;dword HeapSegmentReserve;dword HeapSegmentCommit;dword HeapDeCommitTotalFreeThreshold;dword HeapDeCommitFreeBlockThreshold;dword NumberOfHeaps;dword MaximumNumberOfHeaps;ptr ProcessHeaps;ptr GdiSharedHandleTable;ptr ProcessStarterHelper;ptr GdiDCAttributeList;ptr LoaderLock;dword OSMajorVersion;dword OSMinorVersion;dword OSBuildNumber;dword OSPlatformId;dword ImageSubSystem;dword ImageSubSystemMajorVersion;dword ImageSubSystemMinorVersion;dword GdiHandleBuffer[34];dword PostProcessInitRoutine;dword TlsExpansionBitmap;ubyte TlsExpansionBitmapBits[128];dword SessionId")
        $aCall = DllCall("kernel32.dll", "int", "ReadProcessMemory", "ptr", $hProcess, "ptr", DllStructGetData($tCONTEXT, "Ebx"), "ptr", DllStructGetPtr($tPEB), "dword", DllStructGetSize($tPEB), "dword*", 0)
        Local $hBaseAddress = DllStructGetData($tPEB, "ImageBaseAddress")
        ; PEB+8 is ImageBaseAddress: point it at the new image base
        $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProcess, "ptr", DllStructGetData($tCONTEXT, "Ebx") + 8, "ptr*", $pOptionalHeaderImageBaseNEW, "dword", 4, "dword*", 0)
        ; Unmap the original image and reserve+commit (12288 = MEM_COMMIT|MEM_RESERVE)
        ; SizeOfImage bytes at the new base with PAGE_EXECUTE_READWRITE (64).
        $aCall = DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", "ptr", $hProcess, "ptr", $hBaseAddress)
        $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "ptr", $hProcess, "ptr", $pOptionalHeaderImageBaseNEW, "dword", $iOptionalHeaderSizeOfImageNEW, "dword", 12288, "dword", 64)
        Local $pRemoteCode = $aCall[0]
        ; Copy the headers, then each section's raw data to its virtual address.
        ; Note that nothing validates the header values before they are trusted.
        Local $pHEADERS_NEW = DllStructGetPtr($tIMAGE_DOS_HEADER)
        Local $iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")
        $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProcess, "ptr", $pRemoteCode, "ptr", $pHEADERS_NEW, "dword", $iOptionalHeaderSizeOfHeadersNEW, "dword*", 0)
        Local $tIMAGE_SECTION_HEADER, $iSizeOfRawData, $pPointerToRawData, $iVirtualAddress
        For $i = 1 To $iNumberOfSections
            $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];dword UnionOfVirtualSizeAndPhysicalAddress;dword VirtualAddress;dword SizeOfRawData;dword PointerToRawData;dword PointerToRelocations;dword PointerToLinenumbers;ushort NumberOfRelocations;ushort NumberOfLinenumbers;dword Characteristics", $pPointer)
            $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
            $pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")
            $iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")
            If $iSizeOfRawData Then
                $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProcess, "ptr", $pRemoteCode + $iVirtualAddress, "ptr", $pPointerToRawData, "dword", $iSizeOfRawData, "dword*", 0)
            EndIf
            $pPointer += 40 ; sizeof(IMAGE_SECTION_HEADER)
        Next
        ; A suspended main thread starts with Eax = entry point; redirect it and resume.
        DllStructSetData($tCONTEXT, "Eax", $pRemoteCode + $iEntryPointNEW)
        $aCall = DllCall("kernel32.dll", "int", "SetThreadContext", "ptr", $hThread, "ptr", DllStructGetPtr($tCONTEXT))
        $aCall = DllCall("kernel32.dll", "int", "ResumeThread", "ptr", $hThread)
        Return DllStructGetData($tPROCESS_INFORMATION, "ProcessId")
    EndFunc
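The loader above walks the PE headers by hand (IMAGE_DOS_HEADER, then the NT signature, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER and the section table) and copies whatever those headers say without checking that the numbers are sane. The Python below is an added example, not code from the thread or from lolkop's loader: a read-only PE32 header walker over the same layout (20-byte file header, 0xE0-byte optional header with 16 data directories, 40-byte section headers) that collects the consistency checks a mapper should make before trusting an image (section raw data inside the file, sections inside SizeOfImage) and maps an RVA back to its file offset. The sample image built by `build_sample_image()` is constructed here and is not a real executable; the function names are the example's own.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B            # 32-bit optional header, the only layout the loader above handles
FILE_HEADER_SIZE = 20
OPTIONAL_HEADER_SIZE = 0xE0   # 96 fixed bytes + 16 data directories of 8 bytes
SECTION_HEADER_SIZE = 40


def parse_pe(data: bytes) -> dict:
    """Walk the PE32 headers of a file image held in memory.

    Raises ValueError when a header is missing or lies outside the buffer.
    Section-table inconsistencies are collected in result["problems"] so a
    mapper can refuse the image before copying anything.
    """
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # IMAGE_DOS_HEADER.e_lfanew
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data) or data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing or out-of-bounds PE signature")

    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fh = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)

    opt = fh + FILE_HEADER_SIZE
    if opt + 64 > len(data):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError(f"unsupported optional header magic 0x{magic:X}")
    (entry_point,) = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    (image_base,) = struct.unpack_from("<I", data, opt + 28)       # ImageBase
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)    # SizeOfImage
    (size_of_headers,) = struct.unpack_from("<I", data, opt + 60)  # SizeOfHeaders

    problems = []
    if size_of_headers > len(data):
        problems.append("SizeOfHeaders exceeds the file size")

    sections = []
    table = opt + opt_size        # the section table follows the optional header
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table truncated")
        raw_name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sec = {"name": raw_name.rstrip(b"\0").decode("ascii", "replace"),
               "virtual_size": vsize, "virtual_address": va,
               "raw_size": raw_size, "raw_pointer": raw_ptr}
        # The checks the loader skips: a crafted header would make it read past the
        # buffer or write outside the SizeOfImage allocation it just made.
        if raw_size and raw_ptr + raw_size > len(data):
            problems.append(f"{sec['name']}: raw data runs past the end of the file")
        if va + max(vsize, raw_size) > size_of_image:
            problems.append(f"{sec['name']}: extends beyond SizeOfImage")
        sections.append(sec)

    return {"machine": machine, "number_of_sections": nsections,
            "entry_point": entry_point, "image_base": image_base,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections, "problems": problems}


def rva_to_file_offset(pe: dict, rva: int):
    """File offset holding the bytes for an image-relative address, or None when
    no section's raw data covers it (e.g. uninitialised data)."""
    for sec in pe["sections"]:
        start = sec["virtual_address"]
        if start <= rva < start + sec["raw_size"]:
            return sec["raw_pointer"] + (rva - start)
    return None


def build_sample_image() -> bytes:
    """Constructed one-section PE32 image for this example; not a real executable."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine 0x14C = i386, one section, 0xE0-byte optional header, EXECUTABLE|32BIT
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x102)
    opt = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)     # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)    # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)     # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    # .text: RVA 0x1000, 0x200 raw bytes at file offset 0x200, CODE|EXECUTE|READ
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x10, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + IMAGE_NT_SIGNATURE + file_header + bytes(opt) + section).ljust(0x200, b"\0")
    text = bytes([0xC3]).ljust(0x200, b"\0")   # a lone RET at the entry point
    return headers + text


if __name__ == "__main__":
    image = build_sample_image()
    pe = parse_pe(image)
    print(f"entry RVA 0x{pe['entry_point']:X} -> file offset 0x{rva_to_file_offset(pe, pe['entry_point']):X}")
    print("problems in intact image:", pe["problems"])
    print("problems in truncated image:", parse_pe(image[:0x300])["problems"])
```

Feeding the parser a copy of the image cut off at 0x300 bytes leaves every header intact but reports that the `.text` raw data runs past the end of the file; the loader above would have passed that length straight to WriteProcessMemory and read beyond its buffer.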
07/17/2014, 07:10 | #11 | Join Date: Jan 2011 | Posts: 38 | Received Thanks: 17
Yeahh, it works, the bot can hit mobs, thx smurfit.
Offsets, which ones have you not found?
Ehh..
AutoPot not working @_@, what is wrong?
07/17/2014, 07:27 | #12 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
Like I said earlier, HostPlayer Struct BA+0x1C+0x30+.
It also means CHARSTRUCT1_OffSet should be changed to 0x30 or 48, and the hp, maxhp, mp, maxmp offsets changed accordingly.
07/17/2014, 11:20 | #13 | Join Date: Jan 2011 | Posts: 38 | Received Thanks: 17
Maybe there is something wrong in the offset?
The item SN (Serial Number) is not the same as in pwdatabase,
because maybe the offset ItemSN_Offset = 276 changed?
This is the change:
addr = game.addr +1C +24 +1C +[i*4,0,300] +4
But why is the item name correct,
but the SN wrong?
Has its ItemSN offset changed? @_@
07/19/2014, 10:26 | #14 | Join Date: Oct 2008 | Posts: 1,243 | Received Thanks: 670
Any info for players/items/NPCs etc. shares the same pointer structures, but each has its own last offset: Name, Coordinate (this one hardly or never changes), Serial Number, etc. So if it doesn't show the correct SN, it must have changed.
If you're familiar with AutoIt or whatever you use, you can make an offset scanner for any missing piece you want from that pointer structure.
This is just an example of the function I usually use for searching for the flygear offset, not a complete working script, only partial, but you should get the idea.
37557 is the item ID for Deus Omega Wings, but the offset is still unknown, so the function reads memory pointer + offsets ranging from 2000 to 2500 and shows me the offset where the value at that memory address is 37557, which 99.9999% must be the offset for flygear.
Code:
    ; $flygearos[1] is the first pointer offset (48 = 0x30, the HostPlayer struct),
    ; $flygearos[2] is the candidate final offset that the loop sweeps.
    ; $APP_BASE_ADDRESS, $MID and _MEMORYPOINTERREAD come from the rest of the
    ; script (NomadMemory-style helpers) and are not shown here.
    Global $flygearos[3]
    $flygearos[1] = 48
    $flygearos[2] = 0
    Func scanflygear()
        For $i = 2000 To 2500 Step 4 ; dword-aligned candidates only
            $flygearos[2] = $i
            $check = _MEMORYPOINTERREAD($APP_BASE_ADDRESS, $MID, $flygearos)
            ; report the offset whose value equals the known item ID (37557 = Deus Omega Wings)
            If $check[1] = 37557 Then ConsoleWrite($i & " " & $check[1] & @CR)
        Next
    EndFunc
It's another trick I learned from Interest07, btw.
07/19/2014, 18:17 | #15 | Join Date: Jan 2011 | Posts: 38 | Received Thanks: 17
Such as finding the missing numbers :D, I understand.
All functions work correctly except SN; SN is wrong, and I think that makes the bot not work. I can only AutoIt, and it was also learned from the edited source of the Prophet.
I am very grateful to the Prophet, because of the bot source I can understand the workings of AutoIt :D, and it is fun to learn AutoIt.
I did not quite understand _MemoryPointerRead;
after trial and error, finally using _MemoryRead XD,
and was able to see the correct offset.
Code:
    ; $Scan, $CHAR_DATA_BASE, $PROCESS_INFORMATION, _MemoryRead and addhistory
    ; are defined elsewhere in the bot script and are not shown here.
    Func ScanGold()
        ; Sweep candidate offsets downwards from 1500 to 1390 and report the one
        ; whose value equals the known gold amount (4436 at the time of the scan).
        For $i = 1500 To 1390 Step -1
            $Scan[2] = $i
            $check = _MemoryRead($CHAR_DATA_BASE + $Scan[2], $PROCESS_INFORMATION)
            addhistory("n=" & $i & " Check =" & $check)
            If $check = 4436 Then
                MsgBox(0, "", "offset =" & $i)
            EndIf
        Next
    EndFunc
I tried to find the new gold offset, and succeeded.
SN is finally the correct number,
but autopot still does not work, T_T.
What's so wrong...