I did some digging and found this function at address 0x469AD0:
CPU Disasm
Address Hex dump Command Comments
; Function 00469AD0 (elementclient), as listed by the debugger.
; Calling convention, read from the code: the object pointer arrives in ECX and is kept in ESI;
; one dword stack argument (ARG.1) is removed by the callee with RETN 4. This matches __thiscall.
; Frame: 0x18 bytes of locals plus four saved registers, so ARG.1 is [ESP+2C],
; LOCAL.5/.4/.3 are [ESP+10]/[ESP+14]/[ESP+18] and LOCAL.2..LOCAL.0 are [ESP+1C]..[ESP+24].
; ARG.1 is used as a pointer (EDI); the dword at [EDI+0C] selects one of four branches (0, 1, 2, 3),
; any other value goes straight to the epilogue at 00469D6F.
; EBX holds the constant 1 from 00469B07 onward.
; NOTE(review): EDI is dereferenced at 00469B32 with no NULL check visible in this function.
00469AD0 /$ 83EC 18 SUB ESP,18 ; elementclient.00469AD0(guessed Arg1)
00469AD3 |. 53 PUSH EBX ; save EBX, EBP, ESI, EDI (restored before every RETN)
00469AD4 |. 55 PUSH EBP
00469AD5 |. 56 PUSH ESI
00469AD6 |. 8BF1 MOV ESI,ECX ; ESI = object pointer received in ECX
00469AD8 |. 57 PUSH EDI
00469AD9 |. 8B86 A8130000 MOV EAX,DWORD PTR DS:[ESI+13A8] ; EAX = pointer stored at [ESI+13A8]
00469ADF |. 8B40 14 MOV EAX,DWORD PTR DS:[EAX+14] ; EAX = pointer stored at offset 14 of that object
00469AE2 |. 85C0 TEST EAX,EAX
00469AE4 |. 74 21 JE SHORT 00469B07 ; NULL -> continue at 00469B07
00469AE6 |. 8378 04 0A CMP DWORD PTR DS:[EAX+4],0A
00469AEA |. 75 1B JNE SHORT 00469B07 ; dword at [EAX+4] is not 0x0A -> continue at 00469B07
00469AEC |. E8 8F533000 CALL 0076EE80 ; no stack arguments; callee not shown
00469AF1 |. 6A 00 PUSH 0 ; /Arg2 = 0
00469AF3 |. 6A 00 PUSH 0 ; |Arg1 = 0
00469AF5 |. E8 96F54100 CALL 00889090 ; \elementclient.00889090
00469AFA |. 83C4 08 ADD ESP,8 ; caller removes the two arguments
00469AFD |. 5F POP EDI ; early exit: restore registers and return
00469AFE |. 5E POP ESI
00469AFF |. 5D POP EBP
00469B00 |. 5B POP EBX
00469B01 |. 83C4 18 ADD ESP,18
00469B04 |. C2 0400 RETN 4 ; return and drop ARG.1
; --- 00469B07: gate on the byte result of 00484A50(1) called on this object ---
00469B07 |> BB 01000000 MOV EBX,1 ; EBX = 1, reused as a constant below
00469B0C |. 8BCE MOV ECX,ESI ; ECX = object pointer for the call
00469B0E |. 53 PUSH EBX ; /Arg1 => 1
00469B0F |. E8 3CAF0100 CALL 00484A50 ; \elementclient.00484A50
00469B14 |. 84C0 TEST AL,AL
00469B16 |. 75 16 JNE SHORT 00469B2E ; AL != 0 -> go on to the dispatch at 00469B2E
; --- 00469B18: shared exit that calls 00889090(0, 0) and returns; also reached from 00469BA1 and 00469BE9 ---
00469B18 |> 6A 00 PUSH 0 ; /Arg2 = 0
00469B1A |. 6A 00 PUSH 0 ; |Arg1 = 0
00469B1C |. E8 6FF54100 CALL 00889090 ; \elementclient.00889090
00469B21 |. 83C4 08 ADD ESP,8 ; caller removes the two arguments
00469B24 |. 5F POP EDI
00469B25 |. 5E POP ESI
00469B26 |. 5D POP EBP
00469B27 |. 5B POP EBX
00469B28 |. 83C4 18 ADD ESP,18
00469B2B |. C2 0400 RETN 4
; --- 00469B2E: load the argument pointer and dispatch on the dword at [EDI+0C] ---
00469B2E |> 8B7C24 2C MOV EDI,DWORD PTR SS:[ARG.1] ; EDI = ARG.1, used as a pointer from here on
00469B32 |. 8B47 0C MOV EAX,DWORD PTR DS:[EDI+0C] ; EAX = selector value
00469B35 |. 85C0 TEST EAX,EAX
00469B37 |. 0F85 D8000000 JNE 00469C15 ; selector != 0 -> compare against 1, 2, 3 at 00469C15
; --- selector == 0: [EDI+10] and [EDI+14] are read as integers (FILD) and stored as floats ---
; After this run LOCAL.5, LOCAL.4, LOCAL.3 hold float([EDI+10]), 0, float([EDI+14]).
00469B3D |. DB47 10 FILD DWORD PTR DS:[EDI+10]
00469B40 |. 8B86 A8130000 MOV EAX,DWORD PTR DS:[ESI+13A8]
00469B46 |. 8B4F 18 MOV ECX,DWORD PTR DS:[EDI+18]
00469B49 |. 85C9 TEST ECX,ECX ; flags consumed by SETNE at 00469B5D
00469B4B |. 8B68 0C MOV EBP,DWORD PTR DS:[EAX+0C] ; EBP = pointer stored at offset 0C of the [ESI+13A8] object
00469B4E |. C74424 14 000 MOV DWORD PTR SS:[LOCAL.4],0
00469B56 |. D95C24 10 FSTP DWORD PTR SS:[LOCAL.5]
00469B5A |. DB47 14 FILD DWORD PTR DS:[EDI+14]
00469B5D |. 0F95C1 SETNE CL ; CL = ([EDI+18] != 0); MOV and x87 load/store leave EFLAGS untouched
00469B60 |. 85ED TEST EBP,EBP
00469B62 |. D95C24 18 FSTP DWORD PTR SS:[LOCAL.3]
00469B66 |. 884C24 2C MOV BYTE PTR SS:[ARG.1],CL ; low byte of the argument slot now holds that flag
00469B6A |. 74 3B JE SHORT 00469BA7 ; EBP == NULL -> distance check at 00469BA7
00469B6C |. 395D 04 CMP DWORD PTR SS:[EBP+4],EBX
00469B6F |. 75 24 JNE SHORT 00469B95 ; dword at [EBP+4] is not 1 -> virtual call at 00469B95
00469B71 |. 8D5424 10 LEA EDX,[LOCAL.5]
00469B75 |. 8BCD MOV ECX,EBP ; call on the existing EBP object
00469B77 |. 52 PUSH EDX ; /Arg2 => OFFSET LOCAL.5
00469B78 |. 6A 00 PUSH 0 ; |Arg1 = 0
00469B7A |. E8 51870200 CALL 004922D0 ; \elementclient.004922D0
00469B7F |. 8B4424 2C MOV EAX,DWORD PTR SS:[ARG.1] ; dword read of the slot written at 00469B66; only its low byte was replaced
00469B83 |. 8BCD MOV ECX,EBP
00469B85 |. 50 PUSH EAX ; /Arg1 => [ARG.1]
00469B86 |. E8 C5B60200 CALL 00495250 ; \elementclient.00495250
00469B8B |. 5F POP EDI
00469B8C |. 5E POP ESI
00469B8D |. 5D POP EBP
00469B8E |. 5B POP EBX
00469B8F |. 83C4 18 ADD ESP,18
00469B92 |. C2 0400 RETN 4
; --- 00469B95: virtual call through the table at [EBP], slot at offset 10, argument 2 ---
00469B95 |> 8B55 00 MOV EDX,DWORD PTR SS:[EBP] ; EDX = first dword of the EBP object (used as a function table)
00469B98 |. 6A 02 PUSH 2
00469B9A |. 8BCD MOV ECX,EBP
00469B9C |. FF52 10 CALL DWORD PTR DS:[EDX+10]
00469B9F |. 84C0 TEST AL,AL
00469BA1 |.^ 0F84 71FFFFFF JE 00469B18 ; AL == 0 -> shared exit at 00469B18
; --- 00469BA7: compare the target in LOCAL.5/LOCAL.3 with the values at [ESI+3C]/[ESI+44] ---
; 00407B50 is called with ECX = &LOCAL.2 and the three dwords at [ESI+3C], [ESI+40], [ESI+44];
; presumably it fills LOCAL.2..LOCAL.0 with them, since those slots are read right after - confirm.
00469BA7 |> 8B46 44 MOV EAX,DWORD PTR DS:[ESI+44]
00469BAA |. 8B4E 40 MOV ECX,DWORD PTR DS:[ESI+40]
00469BAD |. 8B56 3C MOV EDX,DWORD PTR DS:[ESI+3C]
00469BB0 |. 50 PUSH EAX ; /Arg3
00469BB1 |. 51 PUSH ECX ; |Arg2
00469BB2 |. 52 PUSH EDX ; |Arg1
00469BB3 |. 8D4C24 28 LEA ECX,[LOCAL.2] ; |
00469BB7 |. E8 94DFF9FF CALL 00407B50 ; \elementclient.00407B50
00469BBC |. D94424 10 FLD DWORD PTR SS:[LOCAL.5]
00469BC0 |. D86424 1C FSUB DWORD PTR SS:[LOCAL.2] ; ST0 = LOCAL.5 - LOCAL.2 (first component difference)
00469BC4 |. D94424 18 FLD DWORD PTR SS:[LOCAL.3]
00469BC8 |. D86424 24 FSUB DWORD PTR SS:[LOCAL.0] ; ST0 = LOCAL.3 - LOCAL.0 (third component difference)
00469BCC |. D9C1 FLD ST(1) ; next five instructions: sum of the two squared differences
00469BCE |. DECA FMULP ST(2),ST
00469BD0 |. D9C0 FLD ST
00469BD2 |. D8C9 FMUL ST,ST(1)
00469BD4 |. DEC2 FADDP ST(2),ST
00469BD6 |. D9C9 FXCH ST(1)
00469BD8 |. D9FA FSQRT ; square root of the sum; the middle component (LOCAL.4) is not used
00469BDA |. D9C9 FXCH ST(1)
00469BDC |. DDD8 FSTP ST ; discard the leftover difference, ST0 = the square root
00469BDE |. D81D F81BB500 FCOMP DWORD PTR DS:[0B51BF8] ; FLOAT 0.5000000
00469BE4 |. DFE0 FSTSW AX
00469BE6 |. F6C4 41 TEST AH,41 ; C0|C3 of the FPU status word: set when value <= 0.5 or unordered
00469BE9 |.^ 0F85 29FFFFFF JNE 00469B18 ; not greater than 0.5 -> shared exit at 00469B18
00469BEF |. 8B8E A8130000 MOV ECX,DWORD PTR DS:[ESI+13A8]
00469BF5 |. 53 PUSH EBX ; /Arg1
00469BF6 |. E8 25430200 CALL 0048DF20 ; \elementclient.0048DF20
00469BFB |. 8BF8 MOV EDI,EAX ; EDI = value returned by 0048DF20, used as the object for the next calls
00469BFD |. 8D4424 10 LEA EAX,[LOCAL.5]
00469C01 |. 50 PUSH EAX ; /Arg2
00469C02 |. 6A 00 PUSH 0 ; |Arg1 = 0
00469C04 |. 8BCF MOV ECX,EDI ; |
00469C06 |. E8 C5860200 CALL 004922D0 ; \elementclient.004922D0
00469C0B |. 8B4C24 2C MOV ECX,DWORD PTR SS:[ARG.1] ; slot whose low byte was set at 00469B66
00469C0F |. 51 PUSH ECX ; argument for the call at 00469D5A
00469C10 |. E9 43010000 JMP 00469D58 ; join the shared tail
; --- 00469C15: selector == 1 ---
; __RTDynamicCast(inptr = pointer at offset 0C of the [ESI+13A8] object, VfDelta = 0,
; SrcType = 00C27B00, TargetType = 00C27B18, isReference = 0). The two OFFSET operands are
; type descriptors, so the debugger's "ASCII" rendering of them is not meaningful text.
00469C15 |> 3BC3 CMP EAX,EBX
00469C17 |. 75 4A JNE SHORT 00469C63
00469C19 |. 8B96 A8130000 MOV EDX,DWORD PTR DS:[ESI+13A8]
00469C1F |. 6A 00 PUSH 0
00469C21 |. 68 187BC200 PUSH OFFSET 00C27B18 ; PTR to ASCII "eu�"
00469C26 |. 68 007BC200 PUSH OFFSET 00C27B00 ; PTR to ASCII "eu�"
00469C2B |. 8B42 0C MOV EAX,DWORD PTR DS:[EDX+0C]
00469C2E |. 6A 00 PUSH 0
00469C30 |. 50 PUSH EAX
00469C31 |. E8 80DB6700 CALL <JMP.&MSVCRT.__RTDynamicCast>
00469C36 |. 83C4 14 ADD ESP,14 ; caller removes the five arguments
00469C39 |. 85C0 TEST EAX,EAX
00469C3B |. 0F84 2E010000 JE 00469D6F ; cast returned NULL -> epilogue
00469C41 |. DB47 10 FILD DWORD PTR DS:[EDI+10]
00469C44 |. 8858 6D MOV BYTE PTR DS:[EAX+6D],BL ; byte at offset 6D of the cast object = 1
00469C47 |. C640 6E 00 MOV BYTE PTR DS:[EAX+6E],0
00469C4B |. D958 68 FSTP DWORD PTR DS:[EAX+68] ; float at offset 68 = float([EDI+10])
00469C4E |. 8B4F 14 MOV ECX,DWORD PTR DS:[EDI+14]
00469C51 |. 5F POP EDI ; epilogue pops are interleaved with the last stores; POP leaves EFLAGS untouched
00469C52 |. 3BCB CMP ECX,EBX
00469C54 |. 5E POP ESI
00469C55 |. 0F94C1 SETE CL ; CL = ([EDI+14] == 1)
00469C58 |. 5D POP EBP
00469C59 |. 8848 6C MOV BYTE PTR DS:[EAX+6C],CL
00469C5C |. 5B POP EBX
00469C5D |. 83C4 18 ADD ESP,18
00469C60 |. C2 0400 RETN 4
; --- 00469C63: selector == 2; same __RTDynamicCast call as in the selector == 1 branch ---
00469C63 |> 83F8 02 CMP EAX,2
00469C66 |. 75 40 JNE SHORT 00469CA8
00469C68 |. 8B96 A8130000 MOV EDX,DWORD PTR DS:[ESI+13A8]
00469C6E |. 6A 00 PUSH 0
00469C70 |. 68 187BC200 PUSH OFFSET 00C27B18 ; PTR to ASCII "eu�"
00469C75 |. 68 007BC200 PUSH OFFSET 00C27B00 ; PTR to ASCII "eu�"
00469C7A |. 8B42 0C MOV EAX,DWORD PTR DS:[EDX+0C]
00469C7D |. 6A 00 PUSH 0
00469C7F |. 50 PUSH EAX
00469C80 |. E8 31DB6700 CALL <JMP.&MSVCRT.__RTDynamicCast>
00469C85 |. 8BF0 MOV ESI,EAX ; ESI now holds the cast result; the saved ESI is restored by POP ESI below
00469C87 |. 83C4 14 ADD ESP,14
00469C8A |. 85F6 TEST ESI,ESI
00469C8C |. 0F84 DD000000 JE 00469D6F ; cast returned NULL -> epilogue
00469C92 |. 6A 00 PUSH 0 ; /Arg1 = 0
00469C94 |. 8BCE MOV ECX,ESI ; |
00469C96 |. E8 B5B50200 CALL 00495250 ; \elementclient.00495250
00469C9B |. 885E 40 MOV BYTE PTR DS:[ESI+40],BL ; byte at offset 40 of the cast object = 1
00469C9E |. 5F POP EDI
00469C9F |. 5E POP ESI
00469CA0 |. 5D POP EBP
00469CA1 |. 5B POP EBX
00469CA2 |. 83C4 18 ADD ESP,18
00469CA5 |. C2 0400 RETN 4
; --- 00469CA8: selector == 3; [EDI+10], [EDI+14], [EDI+18] are read as floats (FLD, not FILD) ---
; They are copied unchanged into LOCAL.5, LOCAL.4, LOCAL.3.
00469CA8 |> 83F8 03 CMP EAX,3
00469CAB |. 0F85 BE000000 JNE 00469D6F ; any other selector value -> epilogue, nothing done
00469CB1 |. 8B86 A8130000 MOV EAX,DWORD PTR DS:[ESI+13A8]
00469CB7 |. D947 10 FLD DWORD PTR DS:[EDI+10]
00469CBA |. 8B68 0C MOV EBP,DWORD PTR DS:[EAX+0C] ; EBP = pointer stored at offset 0C of the [ESI+13A8] object
00469CBD |. D95C24 10 FSTP DWORD PTR SS:[LOCAL.5]
00469CC1 |. D947 14 FLD DWORD PTR DS:[EDI+14]
00469CC4 |. D95C24 14 FSTP DWORD PTR SS:[LOCAL.4]
00469CC8 |. D947 18 FLD DWORD PTR DS:[EDI+18]
00469CCB |. D95C24 18 FSTP DWORD PTR SS:[LOCAL.3]
00469CCF |. 85ED TEST EBP,EBP
00469CD1 |. 74 34 JE SHORT 00469D07 ; EBP == NULL -> distance check at 00469D07
00469CD3 |. 395D 04 CMP DWORD PTR SS:[EBP+4],EBX
00469CD6 |. 75 21 JNE SHORT 00469CF9 ; dword at [EBP+4] is not 1 -> virtual call at 00469CF9
00469CD8 |. 8D4C24 10 LEA ECX,[LOCAL.5]
00469CDC |. 51 PUSH ECX ; /Arg2 => OFFSET LOCAL.5
00469CDD |. 6A 05 PUSH 5 ; |Arg1 = 5
00469CDF |. 8BCD MOV ECX,EBP ; |
00469CE1 |. E8 EA850200 CALL 004922D0 ; \elementclient.004922D0
00469CE6 |. 6A 00 PUSH 0 ; /Arg1 = 0
00469CE8 |. 8BCD MOV ECX,EBP ; |
00469CEA |. E8 61B50200 CALL 00495250 ; \elementclient.00495250
00469CEF |. 5F POP EDI
00469CF0 |. 5E POP ESI
00469CF1 |. 5D POP EBP
00469CF2 |. 5B POP EBX
00469CF3 |. 83C4 18 ADD ESP,18
00469CF6 |. C2 0400 RETN 4
; --- 00469CF9: virtual call through the table at [EBP], slot at offset 10, argument 2 ---
00469CF9 |> 8B55 00 MOV EDX,DWORD PTR SS:[EBP]
00469CFC |. 6A 02 PUSH 2
00469CFE |. 8BCD MOV ECX,EBP
00469D00 |. FF52 10 CALL DWORD PTR DS:[EDX+10]
00469D03 |. 84C0 TEST AL,AL
00469D05 |. 74 68 JE SHORT 00469D6F ; AL == 0 -> epilogue
; --- 00469D07: same distance test as at 00469BA7, reading [ESI+3C] and [ESI+44] directly ---
; [ESP+10], [ESP+18], [ESP+24] are the slots shown elsewhere as LOCAL.5, LOCAL.3, LOCAL.0.
00469D07 |> D946 3C FLD DWORD PTR DS:[ESI+3C]
00469D0A |. D946 44 FLD DWORD PTR DS:[ESI+44]
00469D0D |. D95C24 24 FSTP DWORD PTR SS:[ESP+24] ; keep [ESI+44] in a local for the subtraction below
00469D11 |. D86C24 10 FSUBR DWORD PTR SS:[ESP+10] ; ST0 = [ESP+10] - [ESI+3C] (first component difference)
00469D15 |. D94424 18 FLD DWORD PTR SS:[ESP+18]
00469D19 |. D86424 24 FSUB DWORD PTR SS:[ESP+24] ; ST0 = [ESP+18] - [ESI+44] (third component difference)
00469D1D |. D9C0 FLD ST ; next five instructions: sum of the two squared differences
00469D1F |. D8C9 FMUL ST,ST(1)
00469D21 |. D9C2 FLD ST(2)
00469D23 |. D8CB FMUL ST,ST(3)
00469D25 |. DEC1 FADDP ST(1),ST
00469D27 |. D9FA FSQRT ; square root of the sum; the middle component ([ESP+14]) is not used
00469D29 |. DDDA FSTP ST(2) ; move the result down and drop the two leftover differences
00469D2B |. DDD8 FSTP ST
00469D2D |. D81D F81BB500 FCOMP DWORD PTR DS:[0B51BF8] ; FLOAT 0.5000000
00469D33 |. DFE0 FSTSW AX
00469D35 |. F6C4 41 TEST AH,41 ; C0|C3 of the FPU status word: set when value <= 0.5 or unordered
00469D38 |. 75 35 JNE SHORT 00469D6F ; not greater than 0.5 -> epilogue
00469D3A |. 8B8E A8130000 MOV ECX,DWORD PTR DS:[ESI+13A8]
00469D40 |. 53 PUSH EBX ; /Arg1
00469D41 |. E8 DA410200 CALL 0048DF20 ; \elementclient.0048DF20
00469D46 |. 8BF8 MOV EDI,EAX ; EDI = value returned by 0048DF20, used as the object for the next calls
00469D48 |. 8D4424 10 LEA EAX,[ESP+10]
00469D4C |. 50 PUSH EAX ; /Arg2
00469D4D |. 6A 05 PUSH 5 ; |Arg1 = 5
00469D4F |. 8BCF MOV ECX,EDI ; |
00469D51 |. E8 7A850200 CALL 004922D0 ; \elementclient.004922D0
00469D56 |. 6A 00 PUSH 0 ; argument for the call at 00469D5A on this path
; --- 00469D58: shared tail, also entered by the JMP at 00469C10 with its own argument already pushed ---
00469D58 |> 8BCF MOV ECX,EDI
00469D5A |. E8 F1B40200 CALL 00495250 ; \elementclient.00495250
00469D5F |. 8B8E A8130000 MOV ECX,DWORD PTR DS:[ESI+13A8]
00469D65 |. 6A 00 PUSH 0 ; /Arg4 = 0
00469D67 |. 53 PUSH EBX ; |Arg3
00469D68 |. 57 PUSH EDI ; |Arg2
00469D69 |. 53 PUSH EBX ; |Arg1
00469D6A |. E8 61460200 CALL 0048E3D0 ; \elementclient.0048E3D0
; --- 00469D6F: common epilogue ---
00469D6F |> 5F POP EDI
00469D70 |. 5E POP ESI
00469D71 |. 5D POP EBP
00469D72 |. 5B POP EBX
00469D73 |. 83C4 18 ADD ESP,18
00469D76 \. C2 0400 RETN 4 ; return and drop ARG.1
Address Hex dump Command Comments
; Function 00469AD0 (elementclient), as listed by the debugger.
; Calling convention, read from the code: the object pointer arrives in ECX and is kept in ESI;
; one dword stack argument (ARG.1) is removed by the callee with RETN 4. This matches __thiscall.
; Frame: 0x18 bytes of locals plus four saved registers, so ARG.1 is [ESP+2C],
; LOCAL.5/.4/.3 are [ESP+10]/[ESP+14]/[ESP+18] and LOCAL.2..LOCAL.0 are [ESP+1C]..[ESP+24].
; ARG.1 is used as a pointer (EDI); the dword at [EDI+0C] selects one of four branches (0, 1, 2, 3),
; any other value goes straight to the epilogue at 00469D6F.
; EBX holds the constant 1 from 00469B07 onward.
; NOTE(review): EDI is dereferenced at 00469B32 with no NULL check visible in this function.
00469AD0 /$ 83EC 18 SUB ESP,18 ; elementclient.00469AD0(guessed Arg1)
00469AD3 |. 53 PUSH EBX ; save EBX, EBP, ESI, EDI (restored before every RETN)
00469AD4 |. 55 PUSH EBP
00469AD5 |. 56 PUSH ESI
00469AD6 |. 8BF1 MOV ESI,ECX ; ESI = object pointer received in ECX
00469AD8 |. 57 PUSH EDI
00469AD9 |. 8B86 A8130000 MOV EAX,DWORD PTR DS:[ESI+13A8] ; EAX = pointer stored at [ESI+13A8]
00469ADF |. 8B40 14 MOV EAX,DWORD PTR DS:[EAX+14] ; EAX = pointer stored at offset 14 of that object
00469AE2 |. 85C0 TEST EAX,EAX
00469AE4 |. 74 21 JE SHORT 00469B07 ; NULL -> continue at 00469B07
00469AE6 |. 8378 04 0A CMP DWORD PTR DS:[EAX+4],0A
00469AEA |. 75 1B JNE SHORT 00469B07 ; dword at [EAX+4] is not 0x0A -> continue at 00469B07
00469AEC |. E8 8F533000 CALL 0076EE80 ; no stack arguments; callee not shown
00469AF1 |. 6A 00 PUSH 0 ; /Arg2 = 0
00469AF3 |. 6A 00 PUSH 0 ; |Arg1 = 0
00469AF5 |. E8 96F54100 CALL 00889090 ; \elementclient.00889090
00469AFA |. 83C4 08 ADD ESP,8 ; caller removes the two arguments
00469AFD |. 5F POP EDI ; early exit: restore registers and return
00469AFE |. 5E POP ESI
00469AFF |. 5D POP EBP
00469B00 |. 5B POP EBX
00469B01 |. 83C4 18 ADD ESP,18
00469B04 |. C2 0400 RETN 4 ; return and drop ARG.1
; --- 00469B07: gate on the byte result of 00484A50(1) called on this object ---
00469B07 |> BB 01000000 MOV EBX,1 ; EBX = 1, reused as a constant below
00469B0C |. 8BCE MOV ECX,ESI ; ECX = object pointer for the call
00469B0E |. 53 PUSH EBX ; /Arg1 => 1
00469B0F |. E8 3CAF0100 CALL 00484A50 ; \elementclient.00484A50
00469B14 |. 84C0 TEST AL,AL
00469B16 |. 75 16 JNE SHORT 00469B2E ; AL != 0 -> go on to the dispatch at 00469B2E
; --- 00469B18: shared exit that calls 00889090(0, 0) and returns; also reached from 00469BA1 and 00469BE9 ---
00469B18 |> 6A 00 PUSH 0 ; /Arg2 = 0
00469B1A |. 6A 00 PUSH 0 ; |Arg1 = 0
00469B1C |. E8 6FF54100 CALL 00889090 ; \elementclient.00889090
00469B21 |. 83C4 08 ADD ESP,8 ; caller removes the two arguments
00469B24 |. 5F POP EDI
00469B25 |. 5E POP ESI
00469B26 |. 5D POP EBP
00469B27 |. 5B POP EBX
00469B28 |. 83C4 18 ADD ESP,18
00469B2B |. C2 0400 RETN 4
; --- 00469B2E: load the argument pointer and dispatch on the dword at [EDI+0C] ---
00469B2E |> 8B7C24 2C MOV EDI,DWORD PTR SS:[ARG.1] ; EDI = ARG.1, used as a pointer from here on
00469B32 |. 8B47 0C MOV EAX,DWORD PTR DS:[EDI+0C] ; EAX = selector value
00469B35 |. 85C0 TEST EAX,EAX
00469B37 |. 0F85 D8000000 JNE 00469C15 ; selector != 0 -> compare against 1, 2, 3 at 00469C15
; --- selector == 0: [EDI+10] and [EDI+14] are read as integers (FILD) and stored as floats ---
; After this run LOCAL.5, LOCAL.4, LOCAL.3 hold float([EDI+10]), 0, float([EDI+14]).
00469B3D |. DB47 10 FILD DWORD PTR DS:[EDI+10]
00469B40 |. 8B86 A8130000 MOV EAX,DWORD PTR DS:[ESI+13A8]
00469B46 |. 8B4F 18 MOV ECX,DWORD PTR DS:[EDI+18]
00469B49 |. 85C9 TEST ECX,ECX ; flags consumed by SETNE at 00469B5D
00469B4B |. 8B68 0C MOV EBP,DWORD PTR DS:[EAX+0C] ; EBP = pointer stored at offset 0C of the [ESI+13A8] object
00469B4E |. C74424 14 000 MOV DWORD PTR SS:[LOCAL.4],0
00469B56 |. D95C24 10 FSTP DWORD PTR SS:[LOCAL.5]
00469B5A |. DB47 14 FILD DWORD PTR DS:[EDI+14]
00469B5D |. 0F95C1 SETNE CL ; CL = ([EDI+18] != 0); MOV and x87 load/store leave EFLAGS untouched
00469B60 |. 85ED TEST EBP,EBP
00469B62 |. D95C24 18 FSTP DWORD PTR SS:[LOCAL.3]
00469B66 |. 884C24 2C MOV BYTE PTR SS:[ARG.1],CL ; low byte of the argument slot now holds that flag
00469B6A |. 74 3B JE SHORT 00469BA7 ; EBP == NULL -> distance check at 00469BA7
00469B6C |. 395D 04 CMP DWORD PTR SS:[EBP+4],EBX
00469B6F |. 75 24 JNE SHORT 00469B95 ; dword at [EBP+4] is not 1 -> virtual call at 00469B95
00469B71 |. 8D5424 10 LEA EDX,[LOCAL.5]
00469B75 |. 8BCD MOV ECX,EBP ; call on the existing EBP object
00469B77 |. 52 PUSH EDX ; /Arg2 => OFFSET LOCAL.5
00469B78 |. 6A 00 PUSH 0 ; |Arg1 = 0
00469B7A |. E8 51870200 CALL 004922D0 ; \elementclient.004922D0
00469B7F |. 8B4424 2C MOV EAX,DWORD PTR SS:[ARG.1] ; dword read of the slot written at 00469B66; only its low byte was replaced
00469B83 |. 8BCD MOV ECX,EBP
00469B85 |. 50 PUSH EAX ; /Arg1 => [ARG.1]
00469B86 |. E8 C5B60200 CALL 00495250 ; \elementclient.00495250
00469B8B |. 5F POP EDI
00469B8C |. 5E POP ESI
00469B8D |. 5D POP EBP
00469B8E |. 5B POP EBX
00469B8F |. 83C4 18 ADD ESP,18
00469B92 |. C2 0400 RETN 4
; --- 00469B95: virtual call through the table at [EBP], slot at offset 10, argument 2 ---
00469B95 |> 8B55 00 MOV EDX,DWORD PTR SS:[EBP] ; EDX = first dword of the EBP object (used as a function table)
00469B98 |. 6A 02 PUSH 2
00469B9A |. 8BCD MOV ECX,EBP
00469B9C |. FF52 10 CALL DWORD PTR DS:[EDX+10]
00469B9F |. 84C0 TEST AL,AL
00469BA1 |.^ 0F84 71FFFFFF JE 00469B18 ; AL == 0 -> shared exit at 00469B18
; --- 00469BA7: compare the target in LOCAL.5/LOCAL.3 with the values at [ESI+3C]/[ESI+44] ---
; 00407B50 is called with ECX = &LOCAL.2 and the three dwords at [ESI+3C], [ESI+40], [ESI+44];
; presumably it fills LOCAL.2..LOCAL.0 with them, since those slots are read right after - confirm.
00469BA7 |> 8B46 44 MOV EAX,DWORD PTR DS:[ESI+44]
00469BAA |. 8B4E 40 MOV ECX,DWORD PTR DS:[ESI+40]
00469BAD |. 8B56 3C MOV EDX,DWORD PTR DS:[ESI+3C]
00469BB0 |. 50 PUSH EAX ; /Arg3
00469BB1 |. 51 PUSH ECX ; |Arg2
00469BB2 |. 52 PUSH EDX ; |Arg1
00469BB3 |. 8D4C24 28 LEA ECX,[LOCAL.2] ; |
00469BB7 |. E8 94DFF9FF CALL 00407B50 ; \elementclient.00407B50
00469BBC |. D94424 10 FLD DWORD PTR SS:[LOCAL.5]
00469BC0 |. D86424 1C FSUB DWORD PTR SS:[LOCAL.2] ; ST0 = LOCAL.5 - LOCAL.2 (first component difference)
00469BC4 |. D94424 18 FLD DWORD PTR SS:[LOCAL.3]
00469BC8 |. D86424 24 FSUB DWORD PTR SS:[LOCAL.0] ; ST0 = LOCAL.3 - LOCAL.0 (third component difference)
00469BCC |. D9C1 FLD ST(1) ; next five instructions: sum of the two squared differences
00469BCE |. DECA FMULP ST(2),ST
00469BD0 |. D9C0 FLD ST
00469BD2 |. D8C9 FMUL ST,ST(1)
00469BD4 |. DEC2 FADDP ST(2),ST
00469BD6 |. D9C9 FXCH ST(1)
00469BD8 |. D9FA FSQRT ; square root of the sum; the middle component (LOCAL.4) is not used
00469BDA |. D9C9 FXCH ST(1)
00469BDC |. DDD8 FSTP ST ; discard the leftover difference, ST0 = the square root
00469BDE |. D81D F81BB500 FCOMP DWORD PTR DS:[0B51BF8] ; FLOAT 0.5000000
00469BE4 |. DFE0 FSTSW AX
00469BE6 |. F6C4 41 TEST AH,41 ; C0|C3 of the FPU status word: set when value <= 0.5 or unordered
00469BE9 |.^ 0F85 29FFFFFF JNE 00469B18 ; not greater than 0.5 -> shared exit at 00469B18
00469BEF |. 8B8E A8130000 MOV ECX,DWORD PTR DS:[ESI+13A8]
00469BF5 |. 53 PUSH EBX ; /Arg1
00469BF6 |. E8 25430200 CALL 0048DF20 ; \elementclient.0048DF20
00469BFB |. 8BF8 MOV EDI,EAX ; EDI = value returned by 0048DF20, used as the object for the next calls
00469BFD |. 8D4424 10 LEA EAX,[LOCAL.5]
00469C01 |. 50 PUSH EAX ; /Arg2
00469C02 |. 6A 00 PUSH 0 ; |Arg1 = 0
00469C04 |. 8BCF MOV ECX,EDI ; |
00469C06 |. E8 C5860200 CALL 004922D0 ; \elementclient.004922D0
00469C0B |. 8B4C24 2C MOV ECX,DWORD PTR SS:[ARG.1] ; slot whose low byte was set at 00469B66
00469C0F |. 51 PUSH ECX ; argument for the call at 00469D5A
00469C10 |. E9 43010000 JMP 00469D58 ; join the shared tail
; --- 00469C15: selector == 1 ---
; __RTDynamicCast(inptr = pointer at offset 0C of the [ESI+13A8] object, VfDelta = 0,
; SrcType = 00C27B00, TargetType = 00C27B18, isReference = 0). The two OFFSET operands are
; type descriptors, so the debugger's "ASCII" rendering of them is not meaningful text.
00469C15 |> 3BC3 CMP EAX,EBX
00469C17 |. 75 4A JNE SHORT 00469C63
00469C19 |. 8B96 A8130000 MOV EDX,DWORD PTR DS:[ESI+13A8]
00469C1F |. 6A 00 PUSH 0
00469C21 |. 68 187BC200 PUSH OFFSET 00C27B18 ; PTR to ASCII "eu�"
00469C26 |. 68 007BC200 PUSH OFFSET 00C27B00 ; PTR to ASCII "eu�"
00469C2B |. 8B42 0C MOV EAX,DWORD PTR DS:[EDX+0C]
00469C2E |. 6A 00 PUSH 0
00469C30 |. 50 PUSH EAX
00469C31 |. E8 80DB6700 CALL <JMP.&MSVCRT.__RTDynamicCast>
00469C36 |. 83C4 14 ADD ESP,14 ; caller removes the five arguments
00469C39 |. 85C0 TEST EAX,EAX
00469C3B |. 0F84 2E010000 JE 00469D6F ; cast returned NULL -> epilogue
00469C41 |. DB47 10 FILD DWORD PTR DS:[EDI+10]
00469C44 |. 8858 6D MOV BYTE PTR DS:[EAX+6D],BL ; byte at offset 6D of the cast object = 1
00469C47 |. C640 6E 00 MOV BYTE PTR DS:[EAX+6E],0
00469C4B |. D958 68 FSTP DWORD PTR DS:[EAX+68] ; float at offset 68 = float([EDI+10])
00469C4E |. 8B4F 14 MOV ECX,DWORD PTR DS:[EDI+14]
00469C51 |. 5F POP EDI ; epilogue pops are interleaved with the last stores; POP leaves EFLAGS untouched
00469C52 |. 3BCB CMP ECX,EBX
00469C54 |. 5E POP ESI
00469C55 |. 0F94C1 SETE CL ; CL = ([EDI+14] == 1)
00469C58 |. 5D POP EBP
00469C59 |. 8848 6C MOV BYTE PTR DS:[EAX+6C],CL
00469C5C |. 5B POP EBX
00469C5D |. 83C4 18 ADD ESP,18
00469C60 |. C2 0400 RETN 4
; --- 00469C63: selector == 2; same __RTDynamicCast call as in the selector == 1 branch ---
00469C63 |> 83F8 02 CMP EAX,2
00469C66 |. 75 40 JNE SHORT 00469CA8
00469C68 |. 8B96 A8130000 MOV EDX,DWORD PTR DS:[ESI+13A8]
00469C6E |. 6A 00 PUSH 0
00469C70 |. 68 187BC200 PUSH OFFSET 00C27B18 ; PTR to ASCII "eu�"
00469C75 |. 68 007BC200 PUSH OFFSET 00C27B00 ; PTR to ASCII "eu�"
00469C7A |. 8B42 0C MOV EAX,DWORD PTR DS:[EDX+0C]
00469C7D |. 6A 00 PUSH 0
00469C7F |. 50 PUSH EAX
00469C80 |. E8 31DB6700 CALL <JMP.&MSVCRT.__RTDynamicCast>
00469C85 |. 8BF0 MOV ESI,EAX ; ESI now holds the cast result; the saved ESI is restored by POP ESI below
00469C87 |. 83C4 14 ADD ESP,14
00469C8A |. 85F6 TEST ESI,ESI
00469C8C |. 0F84 DD000000 JE 00469D6F ; cast returned NULL -> epilogue
00469C92 |. 6A 00 PUSH 0 ; /Arg1 = 0
00469C94 |. 8BCE MOV ECX,ESI ; |
00469C96 |. E8 B5B50200 CALL 00495250 ; \elementclient.00495250
00469C9B |. 885E 40 MOV BYTE PTR DS:[ESI+40],BL ; byte at offset 40 of the cast object = 1
00469C9E |. 5F POP EDI
00469C9F |. 5E POP ESI
00469CA0 |. 5D POP EBP
00469CA1 |. 5B POP EBX
00469CA2 |. 83C4 18 ADD ESP,18
00469CA5 |. C2 0400 RETN 4
; --- 00469CA8: selector == 3; [EDI+10], [EDI+14], [EDI+18] are read as floats (FLD, not FILD) ---
; They are copied unchanged into LOCAL.5, LOCAL.4, LOCAL.3.
00469CA8 |> 83F8 03 CMP EAX,3
00469CAB |. 0F85 BE000000 JNE 00469D6F ; any other selector value -> epilogue, nothing done
00469CB1 |. 8B86 A8130000 MOV EAX,DWORD PTR DS:[ESI+13A8]
00469CB7 |. D947 10 FLD DWORD PTR DS:[EDI+10]
00469CBA |. 8B68 0C MOV EBP,DWORD PTR DS:[EAX+0C] ; EBP = pointer stored at offset 0C of the [ESI+13A8] object
00469CBD |. D95C24 10 FSTP DWORD PTR SS:[LOCAL.5]
00469CC1 |. D947 14 FLD DWORD PTR DS:[EDI+14]
00469CC4 |. D95C24 14 FSTP DWORD PTR SS:[LOCAL.4]
00469CC8 |. D947 18 FLD DWORD PTR DS:[EDI+18]
00469CCB |. D95C24 18 FSTP DWORD PTR SS:[LOCAL.3]
00469CCF |. 85ED TEST EBP,EBP
00469CD1 |. 74 34 JE SHORT 00469D07 ; EBP == NULL -> distance check at 00469D07
00469CD3 |. 395D 04 CMP DWORD PTR SS:[EBP+4],EBX
00469CD6 |. 75 21 JNE SHORT 00469CF9 ; dword at [EBP+4] is not 1 -> virtual call at 00469CF9
00469CD8 |. 8D4C24 10 LEA ECX,[LOCAL.5]
00469CDC |. 51 PUSH ECX ; /Arg2 => OFFSET LOCAL.5
00469CDD |. 6A 05 PUSH 5 ; |Arg1 = 5
00469CDF |. 8BCD MOV ECX,EBP ; |
00469CE1 |. E8 EA850200 CALL 004922D0 ; \elementclient.004922D0
00469CE6 |. 6A 00 PUSH 0 ; /Arg1 = 0
00469CE8 |. 8BCD MOV ECX,EBP ; |
00469CEA |. E8 61B50200 CALL 00495250 ; \elementclient.00495250
00469CEF |. 5F POP EDI
00469CF0 |. 5E POP ESI
00469CF1 |. 5D POP EBP
00469CF2 |. 5B POP EBX
00469CF3 |. 83C4 18 ADD ESP,18
00469CF6 |. C2 0400 RETN 4
; --- 00469CF9: virtual call through the table at [EBP], slot at offset 10, argument 2 ---
00469CF9 |> 8B55 00 MOV EDX,DWORD PTR SS:[EBP]
00469CFC |. 6A 02 PUSH 2
00469CFE |. 8BCD MOV ECX,EBP
00469D00 |. FF52 10 CALL DWORD PTR DS:[EDX+10]
00469D03 |. 84C0 TEST AL,AL
00469D05 |. 74 68 JE SHORT 00469D6F ; AL == 0 -> epilogue
; --- 00469D07: same distance test as at 00469BA7, reading [ESI+3C] and [ESI+44] directly ---
; [ESP+10], [ESP+18], [ESP+24] are the slots shown elsewhere as LOCAL.5, LOCAL.3, LOCAL.0.
00469D07 |> D946 3C FLD DWORD PTR DS:[ESI+3C]
00469D0A |. D946 44 FLD DWORD PTR DS:[ESI+44]
00469D0D |. D95C24 24 FSTP DWORD PTR SS:[ESP+24] ; keep [ESI+44] in a local for the subtraction below
00469D11 |. D86C24 10 FSUBR DWORD PTR SS:[ESP+10] ; ST0 = [ESP+10] - [ESI+3C] (first component difference)
00469D15 |. D94424 18 FLD DWORD PTR SS:[ESP+18]
00469D19 |. D86424 24 FSUB DWORD PTR SS:[ESP+24] ; ST0 = [ESP+18] - [ESI+44] (third component difference)
00469D1D |. D9C0 FLD ST ; next five instructions: sum of the two squared differences
00469D1F |. D8C9 FMUL ST,ST(1)
00469D21 |. D9C2 FLD ST(2)
00469D23 |. D8CB FMUL ST,ST(3)
00469D25 |. DEC1 FADDP ST(1),ST
00469D27 |. D9FA FSQRT ; square root of the sum; the middle component ([ESP+14]) is not used
00469D29 |. DDDA FSTP ST(2) ; move the result down and drop the two leftover differences
00469D2B |. DDD8 FSTP ST
00469D2D |. D81D F81BB500 FCOMP DWORD PTR DS:[0B51BF8] ; FLOAT 0.5000000
00469D33 |. DFE0 FSTSW AX
00469D35 |. F6C4 41 TEST AH,41 ; C0|C3 of the FPU status word: set when value <= 0.5 or unordered
00469D38 |. 75 35 JNE SHORT 00469D6F ; not greater than 0.5 -> epilogue
00469D3A |. 8B8E A8130000 MOV ECX,DWORD PTR DS:[ESI+13A8]
00469D40 |. 53 PUSH EBX ; /Arg1
00469D41 |. E8 DA410200 CALL 0048DF20 ; \elementclient.0048DF20
00469D46 |. 8BF8 MOV EDI,EAX ; EDI = value returned by 0048DF20, used as the object for the next calls
00469D48 |. 8D4424 10 LEA EAX,[ESP+10]
00469D4C |. 50 PUSH EAX ; /Arg2
00469D4D |. 6A 05 PUSH 5 ; |Arg1 = 5
00469D4F |. 8BCF MOV ECX,EDI ; |
00469D51 |. E8 7A850200 CALL 004922D0 ; \elementclient.004922D0
00469D56 |. 6A 00 PUSH 0 ; argument for the call at 00469D5A on this path
; --- 00469D58: shared tail, also entered by the JMP at 00469C10 with its own argument already pushed ---
00469D58 |> 8BCF MOV ECX,EDI
00469D5A |. E8 F1B40200 CALL 00495250 ; \elementclient.00495250
00469D5F |. 8B8E A8130000 MOV ECX,DWORD PTR DS:[ESI+13A8]
00469D65 |. 6A 00 PUSH 0 ; /Arg4 = 0
00469D67 |. 53 PUSH EBX ; |Arg3
00469D68 |. 57 PUSH EDI ; |Arg2
00469D69 |. 53 PUSH EBX ; |Arg1
00469D6A |. E8 61460200 CALL 0048E3D0 ; \elementclient.0048E3D0
; --- 00469D6F: common epilogue ---
00469D6F |> 5F POP EDI
00469D70 |. 5E POP ESI
00469D71 |. 5D POP EBP
00469D72 |. 5B POP EBX
00469D73 |. 83C4 18 ADD ESP,18
00469D76 \. C2 0400 RETN 4 ; return and drop ARG.1
If we can call it with the right parameter, we can use AutoFindWay, a much better way to move the character than the one we are using now.
But I am stuck here: I have no idea how to find the parameter for it. "Follow in dump" gave me something in which I could not see any connection with X, Y, Z.
Has anyone looked into this, or does anyone have an idea about it?






