PWI Eclipse changes

[DurianMontong]

3 hour testing startNpcDialogue($NPCFilteredUID, $pid) still error need more help

 Spoiler

#include <NomadMemory.au3>
#include <Array.au3>

Global $kernel32 = DllOpen('kernel32.dll')

Global $ADDRESS_BASE=0xE5B2A4
Global $realBaseAddress=0xE5B2A4
Global $sendPacketFunction=0x81F130
Global $PlayerOffSet=0x34
Global $PlayerIdOffset=0x4B8
Global $PARTYINV_ADDRESS=0xE67C80

Global $NpcListOffset=0x20
Global $NpcCounterOffset=0x18
Global $sortedNpcListOffset=0x5C
Global $NpcUIDOffset=0x114
Global $NpcX=0x3C
Global $NpcY=0x44
Global $NpcZ=0x40
Global $NpcNameOffset=0x25C
Global $NpcHPOffset=0x128
Global $NpcHPmaxOffset=0x17C
Global $NpcIDOffset=0x118
Global $SORTEDLISTOffset=0x14
global $NpcStatusOffset=0x210

HotKeySet("{Home}", "Go1")

While 1

sleep(100)

WEnd

Func Go1()

$GAME_TITLE = "1"
$pid = WinGetProcess($GAME_TITLE)
$Filter = 4187 ; - Teleport Master Shan
$array = NPCArrayFilter($Filter, $pid)
$NPCFilteredUID = $array[0][0]

startNpcDialogue($NPCFilteredUID, $pid)

EndFunc

Func startNpcDialogue($NPCFilteredUID, $pid)

local $packet, $packetSize

$packet = '2300'
$packet &= _hex($NPCFilteredUID)
$packetSize = 6

sendPacket($packet, $packetSize, $pid)

EndFunc

Func NPCArrayFilter($Filter, $pid)

$GAME_PROCESS = _MemoryOpen($pid)

$POINTER_BASE = _MemoryRead(_MemoryRead($ADDRESS_BASE, $GAME_PROCESS) + 0x1C, $GAME_PROCESS)
$SORTEDLIST = _MemoryRead($POINTER_BASE + $SORTEDLISTOffset, $GAME_PROCESS)
$NPCBASE = _MemoryRead($SORTEDLIST + $NpcListOffset, $GAME_PROCESS)
$NPCCOUNT = _MemoryRead($NPCBASE + $NpcCounterOffset, $GAME_PROCESS)
$NPCLIST = _MemoryRead($NPCBASE + $sortedNpcListOffset, $GAME_PROCESS)
If $NPCCOUNT = 0 Then Return

Dim $array[$NPCCOUNT][9]
For $i = 0 To $NPCCOUNT - 1
$NPC = _MemoryRead($NPCLIST + $i * 4, $GAME_PROCESS)

If ($NPC <> 0 And _MemoryRead($NPC + $NpcUIDOffset, $GAME_PROCESS)) Then
$array[$i][0] = _MemoryRead($NPC + $NpcUIDOffset, $GAME_PROCESS) ; unique ID
$array[$i][1] = _MemoryRead($NPC + $NpcIDOffset, $GAME_PROCESS) ; ID0
$array[$i][2] = _MemoryRead(_MemoryRead($NPC + $NpcNameOffset, $GAME_PROCESS), $GAME_PROCESS, 'wchar[100]')
$array[$i][4] = _MemoryRead($NPC + $NpcX, $GAME_PROCESS, 'float') ;X Coord in Map
$array[$i][5] = _MemoryRead($NPC + $NpcY, $GAME_PROCESS, 'float') ;y Coord in Map
$array[$i][6] = _MemoryRead($NPC + $NpcZ, $GAME_PROCESS, 'float') ;Z Coord or Vertical Altitude
$array[$i][7] = _MemoryRead($NPC + $NpcHPOffset, $GAME_PROCESS) ; HP
$array[$i][8] = _MemoryRead($NPC + $NpcHPmaxOffset, $GAME_PROCESS) ; Max HP
EndIf
Next

For $i = ($NPCCOUNT - 1) To 0 Step -1
If StringInStr($array[$i][2], $Filter) = 0 Then
_ArrayDelete($array, $i)

EndIf
Next

Return $array

EndFunc ;==>NPCArrayFilter

Func _Hex($VALUE, $SIZE = 8, $TYPE = "int")

Local $tmp1, $tmp2, $i
If ($TYPE = "int") Then
$tmp1 = StringRight("000000000" & Hex($VALUE), $SIZE)
ElseIf ($TYPE = "float") Then
$tmp1 = StringRight("000000000" & _FloatToHex($VALUE), $SIZE)
EndIf
For $i = 0 To StringLen($tmp1) / 2 - 1
$tmp2 = $tmp2 & StringMid($tmp1, StringLen($tmp1) - 1 - 2 * $i, 2)
Next
Return $tmp2
EndFunc ;==>_Hex

Func _RevHex($VALUE, $SIZE = 8, $TYPE = "int")
Local $TEMP1, $TEMP2
If ($TYPE = "int") Then
$TEMP1 = StringRight("000000000" & Hex($VALUE), $SIZE)
ElseIf ($TYPE = "float") Then
$TEMP1 = StringRight("000000000" & _FloatToHex($VALUE), $SIZE)
EndIf
For $i = 0 To StringLen($TEMP1) / 2 - 1
$TEMP2 &= StringMid($TEMP1, StringLen($TEMP1) - 1 - 2 * $i, 2)
Next
Return $TEMP2
EndFunc ;==>_RevHex

Func _FloatToHex($floatval)
$sF = DllStructCreate("float")
$sB = DllStructCreate("ptr", DllStructGetPtr($sF))
If $floatval = "" Then Exit
DllStructSetData($sF, 1, $floatval)
$return = DllStructGetData($sB, 1)
Return $return
EndFunc ;==>_FloatToHex

Func sendPacket($packet, $packetSize, $pid)
;//Declare local variables
Local $pRemoteThread, $vBuffer, $loop, $result, $OPcode, $processHandle, $packetAddress

;//Open process for given processId
$processHandle = memopen($pid)

;//Allocate memory for the OpCode and retrieve address for this
$functionAddress = DllCall($kernel32, 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', 0x46, 'int', 0x1000, 'int', 0x40)

;//Allocate memory for the packet to be sent and retrieve the address for this
$packetAddress = DllCall($kernel32, 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', $packetSize, 'int', 0x1000, 'int', 0x40)

;//Construct the OpCode for calling the 'SendPacket' function
$OPcode &= '60' ;//PUSHAD
$OPcode &= 'B8'&_hex($sendPacketFunction) ;//MOV EAX, sendPacketAddress
$OPcode &= '8B0D'&_hex($realBaseAddress) ;//MOV ECX, DWORD PTR [revBaseAddress]
$OPcode &= '8B4920' ;//MOV ECX, DWORD PTR [ECX+20]
$OPcode &= 'BF'&_hex($packetAddress[0]) ;//MOV EDI, packetAddress //src pointer
$OPcode &= '6A'&_hex($packetSize,2) ;//PUSH packetSize //size
$OPcode &= '57' ;//PUSH EDI
$OPcode &= 'FFD0' ;//CALL EAX
$OPcode &= '61' ;//POPAD
$OPcode &= 'C3' ;//RET

;//Put the OpCode into a struct for later memory writing
$vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
For $loop = 1 To DllStructGetSize($vBuffer)
DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
Next

;//Write the OpCode to previously allocated memory
DllCall($kernel32, 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)

;//Put the packet into a struct for later memory writing
$vBuffer = DllStructCreate('byte[' & StringLen($packet) / 2 & ']')
For $loop = 1 To DllStructGetSize($vBuffer)
DllStructSetData($vBuffer, 1, Dec(StringMid($packet, ($loop - 1) * 2 + 1, 2)), $loop)
Next

;//Write the packet to previously allocated memory
DllCall($kernel32, 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $packetAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)

;//Create a remote thread in order to run the OpCode
$hRemoteThread = DllCall($kernel32, 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress[0], 'ptr', 0, 'int', 0, 'int', 0)

;//Wait for the remote thread to finish
Do
$result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
Until $result[0] <> 258

;//Close the handle to the previously created remote thread
DllCall($kernel32, 'int', 'CloseHandle', 'int', $hRemoteThread[0])

;//Free the previously allocated memory
DllCall($kernel32, 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $functionAddress[0], 'int', 0, 'int', 0x8000)
DllCall($kernel32, 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $packetAddress[0], 'int', 0, 'int', 0x8000)

;//Close the Process
memclose($processHandle)

Return True
EndFunc

Func memopen($pid)
Local $mid = DllCall($kernel32, 'int', 'OpenProcess', 'int', 0x1F0FFF, 'int', 1, 'int', $pid)
Return $mid[0]
EndFunc

Func memclose($mid)
DllCall($kernel32, 'int', 'CloseHandle', 'int', $mid)
EndFunc

AutoIT error message

 Spoiler

>"C:\Program Files (x86)\AutoIt3\SciTE\..\autoit3.exe" /ErrorStdOut "D:\AutoIT\0001\dialogauto.au3"
"D:\AutoIT\0001\dialogauto.au3" (41) : ==> Subscript used on non-accessible variable.:
$NPCFilteredUID = $array[0][0]
$NPCFilteredUID = $array^ ERROR
>Exit code: 1 Time: 1.203

[sasukezero]

I cannot test it myself atm, but you set as a filter 4187 which is idk the id or number no clue but it has to be the name so like this(sorry if i wasn't clear before):

$Filter = "Teleport Master Shan"
You can also use this: $Filter = "Tele"
That should do the trick.

Just aside in the script it does:

If StringInStr($array[$i][2], $Filter) = 0 Then

which means check If the string "Tele" exists in array[Row$i][In column number 2] which is when you check the array, how its build → $array[$i][2] = _MemoryRead(_MemoryRead($NPC + $NpcNameOffset, $GAME_PROCESS), $GAME_PROCESS, 'wchar[100]')
Which is a NpcName, there you go

[DurianMontong]

Quote:

Originally Posted by sasukezero

I cannot test it myself atm, but you set as a filter 4187 which is idk the id or number no clue but it has to be the name so like this(sorry if i wasn't clear before):

$Filter = "Teleport Master Shan"
You can also use this: $Filter = "Tele"
That should do the trick.

Just aside in the script it does:

If StringInStr($array[$i][2], $Filter) = 0 Then

which means check If the string "Tele" exists in array[Row$i][In column number 2] which is when you check the array, how its build → $array[$i][2] = _MemoryRead(_MemoryRead($NPC + $NpcNameOffset, $GAME_PROCESS), $GAME_PROCESS, 'wchar[100]')
Which is a NpcName, there you go

i try but still error

Func Go1()

$GAME_TITLE = "PW1"
$pid = WinGetProcess($GAME_TITLE)

$Filter = "Tele" ; >>>>>>>>>>>>> - Teleport Master Shan
$array = NPCArrayFilter($Filter, $pid)
$NPCFilteredUID = $array[0][0] ; <<< should i change this, is still error in here

startNpcDialogue($NPCFilteredUID, $pid)

EndFunc

 Spoiler

>"C:\Program Files (x86)\AutoIt3\SciTE\..\autoit3.exe" /ErrorStdOut "D:\AutoIT\0001\dialogauto2.au3"
"D:\AutoIT\0001\dialogauto2.au3" (42) : ==> Subscript used on non-accessible variable.:
$NPCFilteredUID = $array[0][0]
$NPCFilteredUID = $array^ ERROR
>Exit code: 1 Time: 1.51

[jasty]

$SORTEDLISTOffset should be 0x1C

You could have debugged this by checking the return result from NPCArrayFilter to see that it was null and then you'd see it wasn't able to read the count at the beginning.

[sasukezero]

My mistake here, as i just copied quickly together what you'd need i forgot the check i have build in. Its easy, like this:

If UBound($array) <> 0 Then
$NPCFilteredUID = $array[0][0]
startNpcDialogue($NPCFilteredUID, $pid)
Endif

And like jasty said, you've made a typo ^^

[DurianMontong]

Quote:

Originally Posted by jasty

$SORTEDLISTOffset should be 0x1C

You could have debugged this by checking the return result from NPCArrayFilter to see that it was null and then you'd see it wasn't able to read the count at the beginning.

oh that is i looking to fix error

big thank to sasukezero , jasty to answer my question learn

acceptPartyInvite, and auto get uniqueID NPCArrayFilter

and jasty maybe can give me link to learn "debugged this by checking the return result from NPCArrayFilter to see that it was null"

[sasukezero]

You already see it at this → $NPCFilteredUID = $array^ ERROR
You try to access "$array[0][0]" which throws an error, which means there is nothing to read most likely. To debug you can usually do things like "Msgbox("","",$Somevalue)"
or _ArrayDisplay($array) to see what values are inside the array

That's how i do it tho as autoit doesn't have a nice debugger....

Time to go to bed now, so laters ^^

[DurianMontong]

after testing new function filter npc uid i see auto it is freezing when look npc uid if use more than 4 client can any one give solution,

i use very very basic way lol

 Spoiler

Func NPCArrayFilter($Filter, $pid)

$GAME_PROCESS = _MemoryOpen($pid)

$POINTER_BASE = _MemoryRead(_MemoryRead($ADDRESS_BASE, $GAME_PROCESS) + 0x1C, $GAME_PROCESS)
$SORTEDLIST = _MemoryRead($POINTER_BASE + 0x14, $GAME_PROCESS)
$NPCBASE = _MemoryRead($SORTEDLIST + $NpcListOffset, $GAME_PROCESS)
$NPCCOUNT = _MemoryRead($NPCBASE + $NpcCounterOffset, $GAME_PROCESS)
If $NPCCOUNT = 0 Then Return
$NPCLIST = _MemoryRead($NPCBASE + $sortedNpcListOffset, $GAME_PROCESS)

Dim $ARRAY[$NPCCOUNT][2]
For $i = 0 To $NPCCOUNT - 1
$NPC = _MemoryRead($NPCLIST + $i*4, $GAME_PROCESS)

If ($NPC <> 0 And _MemoryRead($NPC + $NpcUIDOffset, $GAME_PROCESS)) Then
$ARRAY[$i][0] = _MemoryRead($NPC + $NpcUIDOffset, $GAME_PROCESS) ; unique ID
$ARRAY[$i][1] = _MemoryRead($NPC + $NpcIDOffset, $GAME_PROCESS) ; ID
;$ARRAY[$i][2] = _MemoryRead(_MemoryRead($NPC + $NpcNameOffset, $GAME_PROCESS), $GAME_PROCESS, 'wchar[100]')
;$ARRAY[$i][3] =
;$ARRAY[$i][4] = _MemoryRead($NPC + $NpcX, $GAME_PROCESS, 'float') ;X Coord in Map
;$ARRAY[$i][5] = _MemoryRead($NPC + $NpcY, $GAME_PROCESS, 'float') ;y Coord in Map
;$ARRAY[$i][6] = _MemoryRead($NPC + $NpcZ, $GAME_PROCESS, 'float') ;Z Coord or Vertical Altitude
;$ARRAY[$i][7] = _MemoryRead($NPC + $NpcHPOffset, $GAME_PROCESS) ; HP
;$ARRAY[$i][8] = _MemoryRead($NPC + $NpcHPmaxOffset, $GAME_PROCESS) ; Max HP
EndIf
Next
For $i = ($NPCCOUNT - 1) To 0 Step -1
If StringInStr($array[$i][1], $Filter) = 0 Then
_ArrayDelete($array, $i)
EndIf
Next
Return $ARRAY
EndFunc

Func startNpcDialogueUID1($Filter)
$GAME_TITLE = "1"
$pid = WinGetProcess($GAME_TITLE)
$array = NPCArrayFilter($Filter, $pid)
$NPCFilteredUID = $array[0][0]
startNpcDialogueUID($NPCFilteredUID, $pid)
EndFunc
Func startNpcDialogueUID2($Filter)
$GAME_TITLE = "2"
$pid = WinGetProcess($GAME_TITLE)
$array = NPCArrayFilter($Filter, $pid)
$NPCFilteredUID = $array[0][0]
startNpcDialogueUID($NPCFilteredUID, $pid)
EndFunc
Func startNpcDialogueUID3($Filter)
$GAME_TITLE = "3"
$pid = WinGetProcess($GAME_TITLE)
$array = NPCArrayFilter($Filter, $pid)
$NPCFilteredUID = $array[0][0]
startNpcDialogueUID($NPCFilteredUID, $pid)
EndFunc
Func startNpcDialogueUID4($Filter)
$GAME_TITLE = "4"
$pid = WinGetProcess($GAME_TITLE)
$array = NPCArrayFilter($Filter, $pid)
$NPCFilteredUID = $array[0][0]
startNpcDialogueUID($NPCFilteredUID, $pid)
EndFunc
Func startNpcDialogueUID5($Filter)
$GAME_TITLE = "5"
$pid = WinGetProcess($GAME_TITLE)
$array = NPCArrayFilter($Filter, $pid)
$NPCFilteredUID = $array[0][0]
startNpcDialogueUID($NPCFilteredUID, $pid)
EndFunc
Func startNpcDialogueUID6($Filter)
$GAME_TITLE = "6"
$pid = WinGetProcess($GAME_TITLE)
$array = NPCArrayFilter($Filter, $pid)
$NPCFilteredUID = $array[0][0]
startNpcDialogueUID($NPCFilteredUID, $pid)
EndFunc
Func startNpcDialogueUID7($Filter)
$GAME_TITLE = "7"
$pid = WinGetProcess($GAME_TITLE)
$array = NPCArrayFilter($Filter, $pid)
$NPCFilteredUID = $array[0][0]
startNpcDialogueUID($NPCFilteredUID, $pid)
EndFunc
Func startNpcDialogueUID8($Filter)
$GAME_TITLE = "8"
$pid = WinGetProcess($GAME_TITLE)
$array = NPCArrayFilter($Filter, $pid)
$NPCFilteredUID = $array[0][0]
startNpcDialogueUID($NPCFilteredUID, $pid)
EndFunc
Func startNpcDialogueUID9($Filter)
$GAME_TITLE = "9"
$pid = WinGetProcess($GAME_TITLE)
$array = NPCArrayFilter($Filter, $pid)
$NPCFilteredUID = $array[0][0]
startNpcDialogueUID($NPCFilteredUID, $pid)
EndFunc
Func startNpcDialogueUID0($Filter)
$GAME_TITLE = "0"
$pid = WinGetProcess($GAME_TITLE)
$array = NPCArrayFilter($Filter, $pid)
$NPCFilteredUID = $array[0][0]
startNpcDialogueUID($NPCFilteredUID, $pid)
EndFunc

Func startNpcDialogueUID10X($Filter) ;<<< Hotkey / Run from here

$Filter=$Filter
startNpcDialogueUID1($Filter)
startNpcDialogueUID2($Filter)
startNpcDialogueUID3($Filter)
startNpcDialogueUID4($Filter)
startNpcDialogueUID5($Filter)
startNpcDialogueUID6($Filter)
startNpcDialogueUID7($Filter)
startNpcDialogueUID8($Filter)
startNpcDialogueUID9($Filter)
startNpcDialogueUID0($Filter)

EndFunc

[sasukezero]

Here are the changed offsets for the last patch(v955) which i've found yet:

 Spoiler

ADDRESS_BASE=0xE77C24
ADDRESS_SENDPACKET=0x832170
ADDRESS_AUTOPATH=0x459520
ADDRESS_ACTION1=0x004C9290
ADDRESS_ACTION2=0x004CF790
ADDRESS_ACTION3=0x004C9880
ADDRESS_GATHER=0x4BE8D0
ADDRESS_CASTSKILL=0x4B6950
PARTYINV_ADDRESS=0xE84760
ADDRESS_INSTANCE_BASE=0xE783CC
OFFSET_ACTIONBASE=0x1514
PlayerParty_Offset=0x7D0
PlayerNameOffset=0x700
NpcNameOffset=0x260
PlayerNpcWindow=0xEB6
$QuestList_Offset = 0x151C
$PlayerTransportMode_Offset = 70C ; But its now divided into 70C which is for movements and fall etc
and into 710 which is for fly = 2 and not fly = 0 (that's how it seems as i checked in reclass)

InventoryListOffset=0x10B4
PlayerClass_Offset=0x704
PlayerSkill_Offset=0x1540

[Stark77]

i can add those two but not sure if more are missing

InventoryListOffset := 0x10B4
InventorySizeOffset := 0x10

[sasukezero]

Added just before ^^
I couldn't find any more than these yet, but whenever i find something ill add it or add something when you guys find some more changes.

Does anyone know or jasty himself how to create a sig-pattern for offsets that are not just of one state?
Like of jasty's python pattern seach here:

Quote:

Originally Posted by jasty

Here's all of the addresses and offsets I use... its not super well organized and most of the names don't match other stuff though.

 Spoiler

#include-once

Global $ADDRESS_BASE = 0xd56b8c
Global $ADDRESS_SENDPACKET = 0x79d330
Global $ADDRESS_AUTOPATH = 0x457030
Global $ADDRESS_ACTION1 = 0x4a25b0
Global $ADDRESS_ACTION2 = 0x4a8970
Global $ADDRESS_ACTION3 = 0x4a2bc0
Global $ADDRESS_GATHER = 0x497d30
Global $ADDRESS_CASTSKILL = 0x490120
Global $ADDRESS_REGATTACK = 0x497bf0
Global $PARTYINV_ADDRESS = 0xd616c8
Global $ADDRESS_INSTANCE_BASE = 0xd5732c
Global $MACRO_ADDRESS_BASE = 0xd57c4e
Global $OFFSET_ACTIONBASE = 0x1400



global $Player_Offset = 0x28
global $playerIDOffset = 0x4B8
global $PlayerClass_Offset = 0x6EC ;+10
global $PlayerName_Offset = 0x6E8 ;+10
global $PlayerParty_Offset = 0x7B8
global $PlayerCurrentSkill_Offset = 0x7D4
global $playerEquipOffset = 0x5b0 ;+8
global $PlayerAvatarBag_Offset = 0xfec ;+10
global $InventoryListOffset = 0xFA0 ;+20
global $EquippedListOffset = 0xFA4 ;+20
global $QuestInvListOffset = 0xFA8
global $PlayerNpcWindow = 0xDB2 ;+10
global $PhysPosOffset = 0x718-0x40

Global $QuestList_Offset = 0x1408 ;+10
global $PlayerEarningTime_Offset = 0x161C ;+18

global $PlayerMoveCounter_Offset = 0xac8
global $PlayerTransportMode_Offset = 0x6F4
global $PlayerSwimSpeed_Offset = 0x530
global $PlayerWalkSpeed_Offset = 0x530+0x4
global $PlayerFlySpeed_Offset = 0x530+0xC


global $PlayerCamX_Offset = 0x974
global $PlayerCharmActive_Offset = 0x1624
global $PlayerCharmActive_MagBit = 0x10000
global $PlayerCharmActive_PhysBit = 0x100
global $PlayerCharmCooldown_Offset = 0xC04 ;+10


global $PartyCount_Offset = 0x18


;~ #-------- NPC ----------------#
global $NpcListOffset = 0x20
global $sortedNpcListOffset = 0x5c
global $NpcCounterOffset = 0x18
global $NpcUIDOffset = 0x114
global $NpcIDOffset = 0x118
global $NpcNameOffset = 0x25C
global $NpcLVLOffset = 0x120
global $NpcHPOffset = 0x128
global $NpcHPmaxOffset = 0x17C
global $NpcStatusOffset = 0x210
global $NpcSpecialOffset = 0x24C
global $NpcX = 0x3C
global $NpcY = 0x44
global $NpcZ = 0x40

;global $NpcBuffCountOffset = 0x32C

global $NpcStatusBitDead = 0x80
global $NpcStatusBitIncSpeed = 0x100
global $NpcStatusBitIncDef = 0x300
global $NpcStatusBitIncAtt = 0x500
global $NpcStatusBitSacAss = 0x700
global $NpcStatusBitIncLife = 0x800
global $NpcStatusBitWeak = 0x900
global $NpcStatusBitIsPet = 0x1000

global $NpcStatusBitIsNpc = 0x4000
global $NpcStatusBitIsFly = 0x10000
global $NpcStatusBitIsWater = 0x20000



global $bufflist = 0x390
global $buffcount = 0x398 ;check

global $PlayerTarget_Offset = 0x5A4
global $PlayerFactionId_Offset = 0x694 ;+10
global $PlayerChiOffset = 0x4E0

global $sortedInventoryListOffset = 0xC
global $InventorySizeOffset = 0x14
global $InvName_Offset = 0x4C
global $InvID_Offset = 0xC
global $InvDurability_Offset = 0x74
global $InvStackAmount_Offset = 0x14
global $gearAddonList_Offset = 0xb0

global $itemTypeX = 0x8
global $itemIDX = 0xC
global $itemCountX = 0x14


global $HP_OffSet = 0x4cc
global $MaxHP_OffSet = 0x520
global $MP_OffSet = 0x4d0
global $MaxMP_OffSet = 0x524
global $HPCooldown_Offset = 0xBA4
global $MPCooldown_Offset = 0xBAC

global $PlayerSkill_Offset = 0x142c
global $PlayerPassiveSkill_Offset = 0x1444
global $GenieSkill_Offset = 0x145c ;from player, skill count is this +0x4


global $SkillID_Offset=8
global $SkillLVL_Offset=12
global $SkillCurCD_Offset=16
global $SkillCD_Offset=20

global $PlayerGenie_Offset = 0x408
global $GenieEnergy_Offset = 0xAC

;Global $ADDRESS_QUESTAVAILABLE = 0x89E040
;Global $QUEST_LIST_POINTER = 0xD23624

Here is my python script for finding all the function addresses at the top. I havent tried making one for doing all the offsets I use.

 Spoiler

Code:

import re
import binascii
addresses = [
		("ADDRESS_BASE", 'A1(.{8})5332DB8B48.{2}'),
		("ADDRESS_SENDPACKET", '6AFF68.{8}64A100000000506489250000000083EC185356578BF96A07'),
		("ADDRESS_AUTOPATH", '6AFF68.{8}64A100000000506489250000000083EC2053568BF18D4C2408E8.{8}8B4C243C8B542440'),
		("ADDRESS_ACTION1", '64A1.{8}6AFF68.{8}508B442410648925.{8}5683F8138BF1'),
		("ADDRESS_ACTION2", '83EC2453558B6C243056578B7C243C8BF133DB896E2C8B07894620'),
		("ADDRESS_ACTION3", '5355568B74241485F6578BD975095F5E5D32C05BC20C00'),
		("ADDRESS_GATHER", '5355578BF98B87.{8}C1E807A8010F85.{8}E8.{8}84C00F85.{8}8B6C2410'),
		("ADDRESS_CASTSKILL", '535556578BF16A04E8.{8}8B8E.{8}83C40485C974076A02'),
		("ADDRESS_REGATTACK", '53558B6C240C56578BF985ED0F84.{8}3BAF.{8}0F84.{8}A1.{8}'),
		("PARTYINV_ADDRESS", '9068.{8}68.{8}6A066A1068(.{8})E8.{8}C390', 0x20),
		("ADDRESS_INSTANCE_BASE", '5F5E5B8BE55DC21000E8....FFFF8B0D(.{8})898D....FFFFE8....FFFF84C07525'),
		("MACRO_ADDRESS_BASE ", '81C4.{8}C21000A0(.{8})8BB424.{8}8B3D.{8}84C074056A0656FFD76A0056FFD781C5', 0x1E),
		("OFFSET_ACTIONBASE ", '8B40..8B0D.{8}3BC1740B837E..027C05C64424..018B8F(.{8})6A006A016A02C64424..00E8.{8}85C0'),
		("GameRun", "5f5e5b8be55dc21000e8....ffff8b0d(.{8})898d....ffffe8....ffff84c075")
		]
		
		
		
def retrieveAddresses(file, addresses):
	for address in addresses:
		pattern = address[1]
		match = re.search(pattern.lower(), ascii)
		if match:
			value = hex(match.start()/2 + 0x400000)
			if len(match.groups()) > 0:
				#print match.groups(0)[0]
				value = revHex(match.groups(0)[0])
				offset = address[2] if len(address) > 2 else 0
				value = hex(int(value, 16)+offset)
			
			print "Global $"+address[0],"=", value
		else:
			print "; Not found: $"+address[0] 



def revHex(string):
	return ''.join([str(string[x:x+2]) for x in range(len(string)-2, -2, -2)])

f = open("C:\Games\PWI_en\element\elementclient.exe", 'rb')
data = f.read()
ascii = binascii.hexlify(data)


retrieveAddresses(ascii, addresses)

Currently i am comparing exe files via pattern search for patterns that i cant find anymore. However, I'm using currently reclass to find more advanced offsets, but would like to know how i could find or create a pattern for them :/
Like jasty has done it with the actionbase_offset. Does anyone know?

[jasty]

If it's a function pointer than I can go to the start of the function and copy the bytecode putting in wildcards for jump offsets that are likely to change. Compare the regex for sendpacket with the actual send packet function.



The way that script is set up if you don't capture any sub pattern in the regex it will use the offset of the whole regex as the result.

For pointers that are not function pointers I have to find where they occur in the code and capture that in the regex. As an offset in the code they will be encoded in bigendian so you also have to reverse the hex after you capture it.

To make the regex I would do a regex search for the known value that I already know from cheat engine and work my way back from there.

If address base is 0xe77c24 then my search for it would look like

match = re.search("247ce700", ascii) #big endian
offset = hex(match.start()/2 + 0x400000)

Then I open that offset in a disassembler to see what I am working with.



Sometimes I can't actually find the pointer I want which is likely because it is member data inside some global struct somewhere and so I try to find the start of the struct by decrementing the value I want to find by a few bytes and try searching again. My script lets me specify an offset from a captured address.

I don't really use regex for the smaller offsets in the player struct because if those ever change it's almost always they just get bigger by a few bytes so I can find it in cheat engine in a few seconds. I probably should make patterns for them but with testing and translating the assembly into regex it would probably take quite a few patches for that effort to pay off.

For those I would first find the memory in CE, then do "find what accesses this memory", do actions ingame that would update the memory, then check the assembly of what shows up.

[Remmm]

 Spoiler

BaseAdress = 00E77C24
GameAdress = 00E783CC
ExpArr = 00E79260 +[(Lvl)*4]
UnfreezeOffset = 04EC
Unfreeze = 00E77C24 + $04EC
Unfreeze = 0044C530 (84 C0 > B0 01 > B0 00)
Unfreeze = 0044C532 (88...75 > C6...01)
FreezeFlag = 00E47C5C
ZoomHack = 004090D0 (75 03 > EB 03)
FaceHack = 0072BEAC
InGameFlag = 00E77FE8
ChatStart = 00E7E060
ChatEnd = 00E7E060 + 4
ChatMax = 00E7E060 + 8
ChatNumber = 00E7E06C
Message = [[ChatStart]+((0 to ChatNumber)*0x1C+0x08)]+0]
PackCall = 00832170
FullTarget = 00825C20
Action_1 = 004C9290
Action_2 = 004CF790
Action_3 = 004C9880
UseSkill = 004B6950
UseSkillGenie = 00554E50
Attack = 0086ADA0
ToVillage = 0086B490
MeditRest = 0086B680
MeditCancel = 0086B6C0
Assist = 0086CD90
Mining = 0086B820
Pick = 00825BB0
PickWalk = 004BE8D0
PetAction = 007A7B80
PetAttack = 00E0BE00
PetStop = 00E02014
PetFollow = 00E0BDF8
PetOffensive = 00E0BDEC
PetDefensive = 00E0BDE0
PetCombat = 00E0BDD8
PetCancel = 00DF345C
PetSkillUse = 006A7980
PetSetMode1 = 0073CF50
PetSetMode2 = 00826040
PetEvocative = 0086D140
NPCSelect = 0086AD60
TalkToNPC = 008260A0
Buy = 0086DA80
Sell = 0086DB20
RepairAll = 0086DB20
UseItem = 008259D0
IdCancel = 00DF345C
GUI = 00A7F710
ButtonPress = 00A7A520
AutoPath = 00459520
ZoomHack = 004090D0
HostPlayer Struct = BA + 1C + 34
WID = 04B8
PlayerLvL = 04C4
PlayerStatus = 04F0
HP = 04CC
MP = 04D0
Experience = 04D4
Spirit = 04D8
ChiPoints = 04E0
MaxHP = 0520
MaxMP = 0524
MaxChi = 05A0
ClanID = 0694
Name = 0700
ClassID = 0704
Meditation = 078C
WaitSkill = 07EC
Target = 05A4
ActionArray = 1514
PetAddr = 152C
SkillArray = 1540
ActiveSkillCnt = 1544
PassiveSkillArray = 1558
PassiveSkillCnt = 155C
GenieArray = 1570
GenieCnt = 1574

found by using the OpcodeScan_10 author diagnost "http://zhyk.ru/forum/showthread.php?t=1075310"

[sasukezero]

I guess i have to learn russian lol...In that forum are some pretty skilled people as i've checked it before a few times. Pretty cool, thanks for sharing

To jasty: thx for sharing your way, it seems like you do everything with cheat engine, right?
I didn't use it this heavy yet, as i do a lot of things via reclass and IDA lately.
Good to know what is possible with it! And by scripts you mean some written in lua right?
I once took a look at it, but never went further.

[diagnost]

Quote:

Originally Posted by sasukezero

I guess i have to learn russian lol...In that forum are some pretty skilled people as i've checked it before a few times. Pretty cool, thanks for sharing

To jasty: thx for sharing your way, it seems like you do everything with cheat engine, right?
I didn't use it this heavy yet, as i do a lot of things via reclass and IDA lately.
Good to know what is possible with it! And by scripts you mean some written in lua right?
I once took a look at it, but never went further.

Вот sourese не жалко