PWI Eclipse changes
Discussion on PWI Eclipse changes within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.
02/07/2015, 09:46
#46
Action Functions for PWI: Eclipse client v829
I don't use FollowPlayer Function since mine's a herbs-farmer bot but here it is anyways...
Code:
#include <NomadMemory.au3>

Global $GAME_CLIENT = "elementclient.exe"
Global $GAME_PID = ProcessExists($GAME_CLIENT)
Global $GAME_PROCESS = _MemoryOpen($GAME_PID)   ; [0] = kernel32 DllOpen handle, [1] = process handle
Global $ADDRESS_BASE = 0xD22C74                 ; static pointer; [[[ADDRESS_BASE]+0x1C]+0x28] is the character object
Global $OFFSET_ACTIONBASE = 0x13EC              ; character + 0x13EC = action base ('this' for the action functions)

; 32-bit value -> 8 hex chars in little-endian byte order, as x86 imm32/disp32 operands need.
; (The post calls _Hex without showing it; this is the assumed implementation.)
Func _Hex($iValue)
    Local $s = Hex($iValue, 8)                  ; big-endian text, e.g. 00D22C74
    Return StringMid($s, 7, 2) & StringMid($s, 5, 2) & StringMid($s, 3, 2) & StringMid($s, 1, 2)
EndFunc

Func FollowPlayer($TARGET)                      ; $TARGET = ID of the player to follow
    Local $ADDRESS_ACTION1 = 0x49FF80           ; Start Action
    Local $ADDRESS_FOLLOW = 0x6820C0            ; Perform Action (Follow)
    Local $ADDRESS_ACTION3 = 0x4A0590           ; Finish Action
    ;Construct the OpCode for calling the 'FollowPlayer' function
    Local $OPcode = "60"                                ;60            PUSHAD
    $OPcode &= "B9" & _Hex($ADDRESS_BASE)               ;B9 xxxxxxxx   MOV ECX, $ADDRESS_BASE
    $OPcode &= "8B09"                                   ;8B09          MOV ECX,DWORD PTR DS:[ECX]
    $OPcode &= "8B491C"                                 ;8B49 1C       MOV ECX,DWORD PTR DS:[ECX+1C]
    $OPcode &= "8B7128"                                 ;8B71 28       MOV ESI,DWORD PTR DS:[ECX+28]
    $OPcode &= "8B8E" & _Hex($OFFSET_ACTIONBASE)        ;8B8E EC130000 MOV ECX,DWORD PTR DS:[ESI+13EC]
    $OPcode &= "57"                                     ;57            PUSH EDI (EDI=0x26)
    $OPcode &= "6A07"                                   ;6A 07         PUSH 7 (action type 7 = FOLLOW, see the table below)
    $OPcode &= "BA" & _Hex($ADDRESS_ACTION1)            ;BA xxxxxxxx   MOV EDX, $ADDRESS_ACTION1
    $OPcode &= "FFD2"                                   ;FFD2          CALL EDX
    $OPcode &= "8BF8"                                   ;8BF8          MOV EDI,EAX (the new action object)
    $OPcode &= "BB" & _Hex($TARGET)                     ;BB xxxxxxxx   MOV EBX, Target ID
    $OPcode &= "53"                                     ;53            PUSH EBX (PLAYER ID)
    $OPcode &= "8BCF"                                   ;8BCF          MOV ECX,EDI
    $OPcode &= "BA" & _Hex($ADDRESS_FOLLOW)             ;BA xxxxxxxx   MOV EDX, $ADDRESS_FOLLOW
    $OPcode &= "FFD2"                                   ;FFD2          CALL EDX
    $OPcode &= "B9" & _Hex($ADDRESS_BASE)               ;B9 xxxxxxxx   MOV ECX, $ADDRESS_BASE
    $OPcode &= "8B09"                                   ;8B09          MOV ECX,DWORD PTR DS:[ECX]
    $OPcode &= "8B491C"                                 ;8B49 1C       MOV ECX,DWORD PTR DS:[ECX+1C]
    $OPcode &= "8B7128"                                 ;8B71 28       MOV ESI,DWORD PTR DS:[ECX+28]
    $OPcode &= "8B8E" & _Hex($OFFSET_ACTIONBASE)        ;8B8E EC130000 MOV ECX,DWORD PTR DS:[ESI+13EC]
    $OPcode &= "6A00"                                   ;6A 00         PUSH 0
    $OPcode &= "57"                                     ;57            PUSH EDI
    $OPcode &= "6A01"                                   ;6A 01         PUSH 1
    $OPcode &= "BA" & _Hex($ADDRESS_ACTION3)            ;BA xxxxxxxx   MOV EDX, $ADDRESS_ACTION3
    $OPcode &= "FFD2"                                   ;FFD2          CALL EDX
    $OPcode &= "61"                                     ;61            POPAD
    $OPcode &= "C3"                                     ;C3            RETN
    InjectCode($OPcode)
EndFunc

; Writes the hex-encoded OpCode into the client as executable memory, runs it on a remote thread and cleans up.
Func InjectCode($OPcode)
    Local $processHandle = $GAME_PROCESS[1]
    Local $iSize = StringLen($OPcode) / 2
    ;Allocate memory for the OpCode: MEM_COMMIT (0x1000), PAGE_EXECUTE_READWRITE (0x40), sized from the OpCode
    Local $functionAddress = DllCall('kernel32.dll', 'ptr', 'VirtualAllocEx', 'handle', $processHandle, 'ptr', 0, 'ulong_ptr', $iSize, 'dword', 0x1000, 'dword', 0x40)
    ;Put the OpCode bytes into a struct for memory writing (two hex chars per byte)
    Local $vBuffer = DllStructCreate('byte[' & $iSize & ']')
    For $loop = 1 To $iSize
        DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
    Next
    ;Write the OpCode to the allocated memory
    DllCall('kernel32.dll', 'bool', 'WriteProcessMemory', 'handle', $processHandle, 'ptr', $functionAddress[0], 'ptr', DllStructGetPtr($vBuffer), 'ulong_ptr', $iSize, 'ptr', 0)
    ;Create a remote thread whose start address is the OpCode
    Local $hRemoteThread = DllCall('kernel32.dll', 'handle', 'CreateRemoteThread', 'handle', $processHandle, 'ptr', 0, 'ulong_ptr', 0, 'ptr', $functionAddress[0], 'ptr', 0, 'dword', 0, 'ptr', 0)
    ;Wait for the remote thread to finish (258 = WAIT_TIMEOUT, keep polling)
    Local $result
    Do
        $result = DllCall('kernel32.dll', 'dword', 'WaitForSingleObject', 'handle', $hRemoteThread[0], 'dword', 50)
    Until $result[0] <> 258
    ;Close the thread handle and free the memory (MEM_RELEASE = 0x8000)
    DllCall('kernel32.dll', 'bool', 'CloseHandle', 'handle', $hRemoteThread[0])
    DllCall('kernel32.dll', 'bool', 'VirtualFreeEx', 'handle', $processHandle, 'ptr', $functionAddress[0], 'ulong_ptr', 0, 'dword', 0x8000)
    Return True
EndFunc
Already posted earlier about these Action Function Addresses in
Address Action 1 = Start Action Function (At the moment this is 0x49FF80)
Address Action 2 = Perform Action Function (Varies. Depends on the action)
Address Action 3 = Finish Action Function (At the moment this is 0x4A0590)
To trace [Address Action 2], I check all the addresses that call [Address Action 1] and set a breakpoint on each. I perform some actions in the game client and wait for a breakpoint to hit. At the breakpoint, [Address Action 2] is called a few lines after [Address Action 1].
For CastSkill and RegAttack functions, I did some further tracing (before and after the [Address Action 1]) to get some addresses for functions that will simplify the OpCodes.
These are the current addresses that call [Address Action 1]:
Code:
ADDRESS   PUSH (hex)  REMARKS
47A3C0    1
47A580    1
47A707    1           KEYBOARD MOVE
47E21E    3
481E3C    C
48292B    A           MEDITATE
482976    0           CANCEL MEDITATE
482A17    8           FLYON
482A96    9           FREE FALL
482C01    4           CASTING SPELL
483191    E
48343A    4
483918    10
4839BA    5
483A20    B           GATHER
483ADB    B           PICK
484688    5           USE ITEM CHANNEL
485772    11
48A112    Unknown
48A13D    6
48A160    A
48E561    2           INTERACT TO SKILL
4907AA    1           MOUSE CLICK MOVE
49091C    1
490A1A    2           INTERACT TO TALK TO NPC
490C9D    D
490D64    7           FOLLOW
495BE1    2           INTERACT TO REG ATK
495D77    2           INTERACT TO GATHER
4978A1    6
4986F6    F
49CEC6    12
4A04A6    2
4A0BE7    0
4A5136    13
4A5D5C    2
4A9A64    Unknown
4A9EAD    9
The PUSH column determines the type of action. You will find it just before [Address Action 1] is called.
Also, if you trace down the MoveTo function through KEYBOARD MOVE, you will notice the 'switch' in the code, which gives you this list of case indices and corresponding directions:
Code:
0 = Forward (W)
1 = Forward + Left (W+A)
2 = Left (A)
3 = Backward + Left (S+A)
4 = Backward (S)
5 = Backward + Right (S+D)
6 = Right (D)
7 = Forward + Right (W+D)
8 = Up (SPACE)
9 = Down (Z)
This is how I repeatedly crash the PW Client.
So far I am getting results so I think my theory is somewhat correct
And yes ollydbg is a cool debugging tool!
02/10/2015, 18:39
#47
This thread is ridiculously useful! I'm finally getting around to automating all these **** dailies.
So far I'm able to accept quests, move around, dig items, and kill mobs. Does anyone have some code that is able to examine the quest list? I want to be able to check to see which quests / subquests are still active and how many additional mobs / items are required to complete the quest. I want to be able to check my current quest directly rather than trying to track quest completion on my own due to how many things can go wrong with that (like it's not guaranteed you're going to be credited with a kill). It would be nice to add some error handling should quests not be completed as expected.
The only reference I've been able to find on examining quests is the offset
PlayerQuestList=0x13F4
Also what's the clean way to close NPC dialogs?
02/11/2015, 08:21
#48
Quote:
Originally Posted by jasty
Also what's the clean way to close NPC dialogs?

I don't know about clean ways to close them, but there's a way to start NPC talks without dialogs.
Before using this function:
Code:
; Starts the talk with an NPC by sending the packet directly, so no dialog window is opened.
; sendPacket($packet, $packetSize, $pid) and the $pid global are the poster's own helpers from earlier in the thread.
Func startNpcDialogue($npcId)
    Local $packet, $packetSize
    $packet = '2300'            ; 2-byte packet header, as posted
    $packet &= _hex($npcId)     ; NPC ID as 4 bytes (same _hex helper as the OpCode builders)
    $packetSize = 6             ; 2 + 4 bytes
    sendPacket($packet, $packetSize, $pid)
EndFunc
Make sure that the slope distance between your bot and the NPC has a floor value of 5. I mean a distance value like 5.1 to 5.9 units.
That's what I did in my auto world quest bot.
02/11/2015, 16:55
#49
close NPC dialog
Code:
; Walks the client's two GUI window lists and returns the window struct whose name equals WinName.
; #GA (static GUI base pointer), Fid() and #ComboBox_NamePers belong to the poster's own program.
Procedure WinStruct(WinName.s)
  Protected hProcess.i, NoB.i, ibuf.l, Gui.l, WinDown.l, NextWin.l, WinStr.l, WinNameadr.l
  Protected Name.s{20}
  hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, #False, Fid(GetGadgetText(#ComboBox_NamePers)))
  ReadProcessMemory_(hProcess, #GA, @ibuf, SizeOf(ibuf), @NoB)
  ReadProcessMemory_(hProcess, ibuf + $10, @ibuf, SizeOf(ibuf), @NoB)
  ReadProcessMemory_(hProcess, ibuf + $08, @Gui, SizeOf(Gui), @NoB)
  ; first linked list, headed at Gui+$AC
  ReadProcessMemory_(hProcess, Gui + $AC, @WinDown, SizeOf(WinDown), @NoB)
  While WinDown <> 0
    ReadProcessMemory_(hProcess, WinDown, @NextWin, SizeOf(NextWin), @NoB)             ; next list node
    ReadProcessMemory_(hProcess, WinDown + $8, @WinStr, SizeOf(WinStr), @NoB)          ; window struct
    ReadProcessMemory_(hProcess, WinStr + $4C, @WinNameadr, SizeOf(WinNameadr), @NoB)  ; pointer to the name
    ReadProcessMemory_(hProcess, WinNameadr, @Name, 20, @NoB)
    If Name = WinName
      CloseHandle_(hProcess)
      ProcedureReturn WinStr
    EndIf
    WinDown = NextWin
  Wend
  ; second linked list, headed at Gui+$8C
  ReadProcessMemory_(hProcess, Gui + $8C, @WinDown, SizeOf(WinDown), @NoB)
  While WinDown <> 0
    ReadProcessMemory_(hProcess, WinDown, @NextWin, SizeOf(NextWin), @NoB)
    ReadProcessMemory_(hProcess, WinDown + $8, @WinStr, SizeOf(WinStr), @NoB)
    ReadProcessMemory_(hProcess, WinStr + $4C, @WinNameadr, SizeOf(WinNameadr), @NoB)
    ReadProcessMemory_(hProcess, WinNameadr, @Name, 20, @NoB)
    If Name = WinName
      CloseHandle_(hProcess)
      ProcedureReturn WinStr
    EndIf
    WinDown = NextWin
  Wend
  CloseHandle_(hProcess)
  ProcedureReturn #False
EndProcedure
Code:
; Calls the client's GUI close function on the named window with the same PUSHAD / CALL EDX / POPAD stub style as above.
; Reverse() (little-endian hex) and Inject() are the poster's own helpers.
Procedure CloseWin(winname.s)
  Protected GUIFunkt.l, Param1.l, Param2.l, opcode.s
  GUIFunkt = $97A3C0
  Param1 = WinStruct(winname)     ; ECX = window struct ('this')
  Param2 = $CB115C                ; pushed argument, as posted
  If Param1 <> #False
    ; PUSHAD; MOV ECX,Param1; PUSH Param2; MOV EDX,GUIFunkt; CALL EDX; POPAD; RETN
    opcode = "60" + "B9" + Reverse(Param1) + "68" + Reverse(Param2) + "BA" + Reverse(GUIFunkt) + "FFD2" + "61" + "C3"
    Inject(opcode)
  EndIf
EndProcedure
Code:
CloseWin("Win_NPC")
02/12/2015, 18:02
#50
I'm trying to figure out the buff list. I found the buff counter at 0x398. According to  and  , I believe the buff list is at 0x3A0 but I'm not making any sense of it. I did try both 2 bytes and 4 bytes.
Is the buff list like the worlditemlist? I know the worlditemlist is not sorted and have to go through all 768 entries.
Also, I did find the buff ids in config.pck and tried to do search for id with CE but I get nothing.
I'm at a loss here. Any help please?
02/12/2015, 19:19
#51
Quote:
Originally Posted by WhoMoi
I'm trying to figure out the buff list. I found the buff counter at 0x398. According to  and  , I believe the buff list is at 0x3A0 but I'm not making any sense of it. I did try both 2 bytes and 4 bytes.
Is the buff list like the worlditemlist? I know the worlditemlist is not sorted and have to go through all 768 entries.
Also, I did find the buff ids in config.pck and tried to do search for id with CE but I get nothing.
I'm at a loss here. Any help please?
Try this:
Code:
; Returns an N x 2 array of [buff ID, description] for the character's active buffs.
; Pointer chain [[[ADDRESS_BASE]+0x1C]+0x28] -> character object; buff list pointer at +0x390, buff count at +0x398.
Func Array_Buffs_Char()
    Local $GAME_PROCESS = _MemoryOpen(ProcessExists("elementclient.exe"))
    Local $BASE_CHARACTER = _MemoryRead(_MemoryRead(_MemoryRead($ADDRESS_BASE, $GAME_PROCESS) + 0x1C, $GAME_PROCESS) + 0x28, $GAME_PROCESS)
    Local $LIST = _MemoryRead($BASE_CHARACTER + 0x390, $GAME_PROCESS)
    Local $COUNT = _MemoryRead($BASE_CHARACTER + 0x398, $GAME_PROCESS)
    If $COUNT = 0 Then
        _MemoryClose($GAME_PROCESS)
        Return
    EndIf
    Local $ARRAY[$COUNT][2], $ID, $i
    For $i = 0 To $COUNT - 1
        $ID = _MemoryRead($LIST + $i * 18, $GAME_PROCESS, 'word')   ; 18 = bytes per list entry used here; the ID is a 16-bit word
        $ARRAY[$i][0] = $ID
        $ARRAY[$i][1] = IniRead("buffs_str.ini", "Buffs", "BUFFS_DESC_" & $ID, "Unknown")
    Next
    _MemoryClose($GAME_PROCESS)
    ;~ _ArrayDisplay($ARRAY)
    Return $ARRAY
EndFunc
buffs_str.ini
Code:
[Buffs]
BUFFS_DESC_1=Stun
BUFFS_DESC_2=Sleep
BUFFS_DESC_3=Slow
BUFFS_DESC_4=Physical Reflect
BUFFS_DESC_5=Plume Shield
BUFFS_DESC_6=Flame Shield
BUFFS_DESC_7=Ice Shield
BUFFS_DESC_8=Frozen
BUFFS_DESC_9=Total Intervention
BUFFS_DESC_10=SEDUCE targeted monster alter to passive attack mode
BUFFS_DESC_12=Thunder
BUFFS_DESC_13=Poison
BUFFS_DESC_14=Burn
BUFFS_DESC_15=Sandstorm
BUFFS_DESC_16=Manaleak
BUFFS_DESC_17=Bleed
BUFFS_DESC_18=Weaken
BUFFS_DESC_19=Distract
BUFFS_DESC_20=Fright
BUFFS_DESC_21=Curse
BUFFS_DESC_22=Slow
BUFFS_DESC_23=Stupefy
BUFFS_DESC_24=Blind
BUFFS_DESC_27=Increased MP recovery
BUFFS_DESC_28=Maximum HP increased
BUFFS_DESC_29=Maximum MP increased
BUFFS_DESC_30=Fortified Armor
BUFFS_DESC_31=Concentrate
BUFFS_DESC_32=Sharpen
BUFFS_DESC_33=Quicken
BUFFS_DESC_34=Dodge
BUFFS_DESC_35=Bless
BUFFS_DESC_36=Nimble
BUFFS_DESC_37=Focus
BUFFS_DESC_38=Water damage added to attack
BUFFS_DESC_39=Fire damage added to attack
BUFFS_DESC_40=Wood damage added to attack
BUFFS_DESC_41=Recovering HP
BUFFS_DESC_42=Recovering MP
BUFFS_DESC_43=Muddle
BUFFS_DESC_44=Increased movement speed
BUFFS_DESC_45=Maximum HP decreased
BUFFS_DESC_46=Intuition
BUFFS_DESC_47=Untamed Transform
BUFFS_DESC_48=Metal resistance increased
BUFFS_DESC_49=Wood resistance increased
BUFFS_DESC_50=Water resistance increased
BUFFS_DESC_51=Fire resistance increased
BUFFS_DESC_52=Earth resistance increased
BUFFS_DESC_53=Metal resistance decreased
BUFFS_DESC_54=Wood resistance decreased
BUFFS_DESC_55=Water resistance decreased
BUFFS_DESC_56=Fire resistance decreased
BUFFS_DESC_57=Earth resistance decreased
BUFFS_DESC_58=Merbreath
BUFFS_DESC_59=Essential Sutra
BUFFS_DESC_60=Spark Eruption
BUFFS_DESC_61=Alter Marrow Physical
BUFFS_DESC_62=Alter Marrow Magical
BUFFS_DESC_63=Bestial Rage
BUFFS_DESC_64=Fortified Armor
BUFFS_DESC_65=Aura of the Golden Bell
BUFFS_DESC_66=Strength of the Titans
BUFFS_DESC_67=Blood Bath
BUFFS_DESC_68=Intuition
BUFFS_DESC_69=Winged Shell
BUFFS_DESC_70=Blazing Arrow
BUFFS_DESC_71=Stormrage Eagleon
BUFFS_DESC_72=Immune to movement debuffs
BUFFS_DESC_73=Taking Water damage over time
BUFFS_DESC_74=Increased Critical Hit rate
BUFFS_DESC_75=Venomancer Transform
BUFFS_DESC_76=Invincible
BUFFS_DESC_77=Bramble Hood
BUFFS_DESC_78=Soul Degeneration
BUFFS_DESC_79=Amplify Damage
BUFFS_DESC_80=Crush Vigor
BUFFS_DESC_81=Summer Sprint
BUFFS_DESC_82=Riding speed increased
BUFFS_DESC_83=Physical attack increased
BUFFS_DESC_84=Concentration
BUFFS_DESC_85=Stimulation
BUFFS_DESC_86=Freedom
BUFFS_DESC_87=Fortitude
BUFFS_DESC_88=Holiness
BUFFS_DESC_89=Petrifaction
BUFFS_DESC_90=Immune to Fire
BUFFS_DESC_91=Immune to Water
BUFFS_DESC_92=Immune to Metal
BUFFS_DESC_93=Immune to Wood
BUFFS_DESC_94=Immune to Earth
BUFFS_DESC_95=Immune to Elements
BUFFS_DESC_96=Rampage
BUFFS_DESC_97=Subaqueous Deceleration
BUFFS_DESC_98=Subaqueous Acceleration
BUFFS_DESC_99=Aerial Deceleration
BUFFS_DESC_100=Aerial Acceleration
BUFFS_DESC_101=Land Deceleration
BUFFS_DESC_102=Explosion
BUFFS_DESC_103=Exhaust
BUFFS_DESC_104=Power of Fairy
BUFFS_DESC_105=Dexterity of Fairy
BUFFS_DESC_106=Air Blade
BUFFS_DESC_107=Element Weakness
BUFFS_DESC_108=Deep Poison
BUFFS_DESC_109=Rooting
BUFFS_DESC_110=Guardians of Earth
BUFFS_DESC_111=Frenzy
BUFFS_DESC_112=Blinding Sand
BUFFS_DESC_113=Longing for Home
BUFFS_DESC_114=Oblivion
BUFFS_DESC_115=Luck
BUFFS_DESC_116=Impact
BUFFS_DESC_117=Flame
BUFFS_DESC_118=Anger in Heart
BUFFS_DESC_119=Kindling
BUFFS_DESC_120=Burning Feet
BUFFS_DESC_121=Hard Wall
BUFFS_DESC_122=Cutting Edge
BUFFS_DESC_123=Dancing Leaf
BUFFS_DESC_124=Scorch
BUFFS_DESC_125=Vacuum
BUFFS_DESC_126=Hardened Veins
BUFFS_DESC_127=Force Field
BUFFS_DESC_128=Magic Shell
BUFFS_DESC_129=Eye for an Eye
BUFFS_DESC_130=Wind Shield
BUFFS_DESC_131=Air Lock
BUFFS_DESC_132=Enclosure
BUFFS_DESC_133=Martial Trance
BUFFS_DESC_134=Freeze
BUFFS_DESC_135=Attack Level increased
BUFFS_DESC_136=Attack Level decreased
BUFFS_DESC_137=Defense Level increased
BUFFS_DESC_138=Defense Level decreased
BUFFS_DESC_139=Recieves a Earth damage constantly.
BUFFS_DESC_140=Total Intervention
BUFFS_DESC_141=Frozen
BUFFS_DESC_142=Bless
BUFFS_DESC_143=Curse
BUFFS_DESC_144=Maximum HP increased
BUFFS_DESC_145=Sharpen
BUFFS_DESC_146=Intuition
BUFFS_DESC_147=Focus
BUFFS_DESC_148=Increased movement speed
BUFFS_DESC_149=Stealth
BUFFS_DESC_150=Super Sight
BUFFS_DESC_151=Bloodpaint
BUFFS_DESC_152=Wolf Emblem
BUFFS_DESC_153=Has a chance to evade the damage of all attacking skills.
BUFFS_DESC_154=Has a chance to evade the status of all attacking skills.
BUFFS_DESC_155=Blocks one attack that would deal lethal damage, and recovers some HP.
BUFFS_DESC_156=Soul of Vengeance
BUFFS_DESC_157=Soul of Silence
BUFFS_DESC_158=Soul of Retaliation
BUFFS_DESC_159=Soul of Stunning
BUFFS_DESC_160=Increases the healing potency from spells and potions, and reduces the cooldown of healing charms.
BUFFS_DESC_161=Decreases the healing potency from spells and potions, and increases the cooldown of healing charms.
BUFFS_DESC_162=Receives damage while attacking or spellcasting
BUFFS_DESC_163=Interrupt
BUFFS_DESC_164=Tide Form
BUFFS_DESC_165=Chill of the Deep
BUFFS_DESC_166=Voodoo
BUFFS_DESC_167=Heart Shatter
BUFFS_DESC_168=Mind Shatter
BUFFS_DESC_169=Soul Shatter
BUFFS_DESC_170=Northern Sky Waltz
BUFFS_DESC_171=Parchedblade Dance
BUFFS_DESC_172=Soulsever Minuet
BUFFS_DESC_173=Eye of the Northern Sky
BUFFS_DESC_174=Bloodletting
BUFFS_DESC_175=Spirit Bore
BUFFS_DESC_176=Edged Blur
BUFFS_DESC_177=Mist's Grasp
BUFFS_DESC_178=Falling Petals
BUFFS_DESC_179=Verdant Shell
BUFFS_DESC_180=Slows the target
BUFFS_DESC_181=Energy of Beasts
BUFFS_DESC_182=Energy of Light
BUFFS_DESC_183=Transference
BUFFS_DESC_184=Shield of Flowers
BUFFS_DESC_185=Twin Flowers
BUFFS_DESC_186=Rapid Growth
BUFFS_DESC_187=Bloody Sun
BUFFS_DESC_188=Sacrifice
BUFFS_DESC_189=Resurrect
BUFFS_DESC_190=Take x2 damage from Absorb Soul attack
BUFFS_DESC_191=Enhanced Critical Strike
BUFFS_DESC_192=Duelist's Glee
BUFFS_DESC_193=Disarmed
BUFFS_DESC_194=Weapon Disabled
BUFFS_DESC_195=Hatred Increased
BUFFS_DESC_196=Divine Bless
BUFFS_DESC_197=Awareness
BUFFS_DESC_198=Improves the MP recovery speed greatly
BUFFS_DESC_199=Will be teleported to you previous location after a short time
BUFFS_DESC_200=HP will revert to it's previous value after a short time
BUFFS_DESC_201=Unable to fly
BUFFS_DESC_202=Targets are selected at random
BUFFS_DESC_203=Aurora Blast
BUFFS_DESC_204=Arcane Defense
BUFFS_DESC_205=Reduces the chance of receiving critical hits
BUFFS_DESC_206=Increases the chance of receiving critical hits
BUFFS_DESC_207=Psionic Link
BUFFS_DESC_208=A portion of healing received will be redirected to the caster.
BUFFS_DESC_209=Death Link
BUFFS_DESC_210=HP will revert to it's previous value after a short time
BUFFS_DESC_211=Cannot be selected
BUFFS_DESC_212=Invigorate
BUFFS_DESC_213=An earth-based attack that charges up and deals damage later
BUFFS_DESC_214=Ice Prison
BUFFS_DESC_215=Spirit Fire
BUFFS_DESC_216=When attacked, may have a chance of stunning the attacker
BUFFS_DESC_218=Taking damage increases your Attack
BUFFS_DESC_219=Taking damage from enemies increase your Attack for a short time
BUFFS_DESC_220=Cornered Beast
BUFFS_DESC_221=A portion of a healing effect will be transferred to another player
BUFFS_DESC_222=Spoils of War
BUFFS_DESC_223=Attack Range Increased
BUFFS_DESC_224=Spirit Phalanx
BUFFS_DESC_225=Violet Dance
BUFFS_DESC_226=Sword Cyclone
BUFFS_DESC_227=Natural Synergy
BUFFS_DESC_229=Triggers when receiving melee damage.
BUFFS_DESC_230=Attributes Increased
BUFFS_DESC_231=Increases HP and MP recovery speed when out of battle
BUFFS_DESC_232=Increases HP and MP recovery
BUFFS_DESC_233=All damage taken is increased. This effect can stack.
BUFFS_DESC_234=You will not gain infany from engaging in PvP in this mode.
BUFFS_DESC_235=Increases Magic Resistance
BUFFS_DESC_236=Carrying the Flag
BUFFS_DESC_237=Defense Level reduced.
BUFFS_DESC_238=Increasing character's Health and Mana.
BUFFS_DESC_239=Critical Hit Rate increased.
BUFFS_DESC_240=Defense Level and Slaying Level increased.
BUFFS_DESC_241=Increases Health, Attack, and Defense Level
BUFFS_DESC_242=Increases Attack Level and Defense Level by 3
BUFFS_DESC_243=Increases character's Attack Level and Defense Level
BUFFS_DESC_244=Damage from players is reduced
BUFFS_DESC_245=Has a chance to cast a buff on yourself when attacking
BUFFS_DESC_246=Has a chance to cast a debuff on yourself when attacking
BUFFS_DESC_247=Immune to Physical damage
BUFFS_DESC_248=Immune to Metal damage
BUFFS_DESC_249=Immune to Wood damage
BUFFS_DESC_250=Immune to Water damage
BUFFS_DESC_251=Immune to Fire damage
BUFFS_DESC_252=Immune to Earth damage
BUFFS_DESC_253=Physical Reflect
BUFFS_DESC_254=Combat capability is improved.
BUFFS_DESC_255=Paralyzed
BUFFS_DESC_256=Skill damage taken is increased.
BUFFS_DESC_257=Skill Critstrike Rate taken is increased.
BUFFS_DESC_258=Specific skill''s Channelling Time is reduced.
BUFFS_DESC_259=Specific skill's damage is increased.
BUFFS_DESC_260=Glacial Embrace
BUFFS_DESC_261=Pyroshell
BUFFS_DESC_262=Absorbs most damage and constantly regenerates Health.
BUFFS_DESC_263=Increase the speed of flying
BUFFS_DESC_264=Spirit increased
BUFFS_DESC_265=Increase your Spirit, and reduce Critical Strike damage dealt to you.
BUFFS_DESC_266=Lose health upon movement
BUFFS_DESC_267=Dealt damage if distance moved is lower than the default value.
BUFFS_DESC_268=Gain special abilities if distance moved is lower than the default value.
BUFFS_DESC_269=Become invulnerable to interrupt skills while Shield is in effect.
BUFFS_DESC_270=Suffer from a periodic paralysis effect
BUFFS_DESC_271=Internal Injury
BUFFS_DESC_272=Protection of Coldness
BUFFS_DESC_273=Finishes the cooldown of Relentless Drift upon target's death
BUFFS_DESC_274=The specific skill has increased effect
BUFFS_DESC_275=Normal attacks cause additional damage
BUFFS_DESC_276=The specific skill has no cooldown
BUFFS_DESC_277=Destiny Hunter
BUFFS_DESC_278=Shadow Awakening
BUFFS_DESC_279=Luna Awakening
BUFFS_DESC_280=Dealt metal & water damage over time, stacks up to 5 times.
BUFFS_DESC_281=Lunar Physique
BUFFS_DESC_282=Increase direct damage inflicted on foes, can be used with Divine Bless.
BUFFS_DESC_283=Reduces damage taken from critical attacks
BUFFS_DESC_284=Increases physical damage dealt
BUFFS_DESC_285=Increases spell damage dealt
BUFFS_DESC_286=Increases damage taken from skills
buffs_str.ini is updated.
And please press the thanks button if this helped you. I would appreciate it.
02/12/2015, 20:12
#52
The 0x390 got me closer. Only difference is the counter (or $i) is in multiples of 12. Thanks.
Also, here is my buff list. I noticed both yours and mine are missing 217 and 228.
1=Stun
2=Sleep
3=Slow
4=Physical Reflect
5=Plume Shield
6=Flame Shield
7=Ice Shield
8=Frozen
9=Total Intervention
10=SEDUCE targeted monster alter to passive attack mode
11=Rock Shield
12=Thunder
13=Poison
14=Burn
15=Sandstorm
16=Manaleak
17=Bleed
18=Weaken
19=Distract
20=Fright
21=Curse
22=Slow
23=Stupefy
24=Blind
25=Daze
26=Increased HP recovery
27=Increased MP recovery
28=Maximum HP increased
29=Maximum MP increased
30=Fortified Armor
31=Concentrate
32=Sharpen
33=Quicken
34=Dodge
35=Bless
36=Nimble
37=Focus
38=Water damage added to attack
39=Fire damage added to attack
40=Wood damage added to attack
41=Recovering HP
42=Recovering MP
43=Muddle
44=Increased movement speed
45=Maximum HP decreased
46=Intuition
47=Untamed Transform
48=Metal resistance increased
49=Wood resistance increased
50=Water resistance increased
51=Fire resistance increased
52=Earth resistance increased
53=Metal resistance decreased
54=Wood resistance decreased
55=Water resistance decreased
56=Fire resistance decreased
57=Earth resistance decreased
58=Merbreath
59=Essential Sutra
60=Spark Eruption
61=Alter Marrow Physical
62=Alter Marrow Magical
63=Bestial Rage
64=Fortified Armor
65=Aura of the Golden Bell
66=Strength of the Titans
67=Blood Bath
68=Intuition
69=Winged Shell
70=Blazing Arrow
71=Stormrage Eagleon
72=Immune to movement debuffs
73=Taking Water damage over time
74=Increased Critical Hit rate
75=Venomancer Transform
76=Invincible
77=Bramble Hood
78=Soul Degeneration
79=Amplify Damage
80=Crush Vigor
81=Summer Sprint
82=Riding speed increased
83=Physical attack increased
84=Concentration
85=Stimulation
86=Freedom
87=Fortitude
88=Holiness
89=Petrifaction
90=Immune to Fire
91=Immune to Water
92=Immune to Metal
93=Immune to Wood
94=Immune to Earth
95=Immune to Elements
96=Rampage
97=Subaqueous Deceleration
98=Subaqueous Acceleration
99=Aerial Deceleration
100=Aerial Acceleration
101=Land Deceleration
102=Explosion
103=Exhaust
104=Power of Fairy
105=Dexterity of Fairy
106=Air Blade
107=Element Weakness
108=Deep Poison
109=Rooting
110=Guardians of Earth
111=Frenzy
112=Blinding Sand
113=Longing for Home
114=Oblivion
115=Luck
116=Impact
117=Flame
118=Anger in Heart
119=Kindling
120=Burning Feet
121=Hard Wall
122=Cutting Edge
123=Dancing Leaf
124=Scorch
125=Vacuum
126=Hardened Veins
127=Force Field
128=Magic Shell
129=Eye for an Eye
130=Wind Shield
131=Air Lock
132=Enclosure
133=Martial Trance
134=Freeze
135=Attack Level increased
136=Attack Level decreased
137=Defense Level increased
138=Defense Level decreased
139=Recieves a Earth damage constantly
140=Total Intervention
141=Frozen
142=Bless
143=Curse
144=Maximum HP increased
145=Sharpen
146=Intuition
147=Focus
148=Increased movement speed
149=Stealth
150=Super Sight
151=Bloodpaint
152=Wolf Emblem
153=Has a chance to evade the damage of all attacking skills
154=Has a chance to evade the status of all attacking skills
155=Blocks one attack that would deal lethal damage, and recovers some HP
156=Soul of Vengeance
157=Soul of Silence
158=Soul of Retaliation
159=Soul of Stunning
160=Increases the healing potency from spells and potions, and reduces the cooldown of healing charms
161=Decreases the healing potency from spells and potions, and increases the cooldown of healing charms
162=Receives damage while attacking or spellcasting
163=Interrupt
164=Tide Form
165=Chill of the Deep
166=Voodoo
167=Heart Shatter
168=Mind Shatter
169=Soul Shatter
170=Northern Sky Waltz
171=Parchedblade Dance
172=Soulsever Minuet
173=Eye of the Northern Sky
174=Bloodletting
175=Spirit Bore
176=Edged Blur
177=Mist's Grasp
178=Falling Petals
179=Verdant Shell
180=Slows the target
181=Energy of Beasts
182=Energy of Light
183=Transference
184=Shield of Flowers
185=Twin Flowers
186=Rapid Growth
187=Bloody Sun
188=Sacrifice
189=Resurrect
190=Take x2 damage from Absorb Soul attack
191=Enhanced Critical Strike
192=Duelist's Glee
193=Disarmed
194=Weapon Disabled
195=Hatred Increased
196=Divine Bless
197=Awareness
198=Improves the MP recovery speed greatly
199=Will be teleported to you previous location after a short time
200=HP will revert to it's previous value after a short time
201=Unable to fly
202=Targets are selected at random
203=Aurora Blast
204=Arcane Defense
205=Reduces the chance of receiving critical hits
206=Increases the chance of receiving critical hits
207=Psionic Link
208=A portion of healing received will be redirected to the caster
209=Death Link
210=HP will revert to it's previous value after a short time
211=Cannot be selected
212=Invigorate
213=An earth-based attack that charges up and deals damage later
214=Ice Prison
215=Spirit Fire
216=When attacked, may have a chance of stunning the attacker
218=Taking damage increases your Attack
219=Taking damage from enemies increase your Attack for a short time
220=Cornered Beast
221=A portion of a healing effect will be transferred to another player
222=Spoils of War
223=Attack Range Increased
224=Spirit Phalanx
225=Violet Dance
226=Sword Cyclone
227=Natural Synergy
229=Triggers when receiving melee damage
230=Attributes Increased
231=Increases HP and MP recovery speed when out of battle
232=Increases HP and MP recovery
233=All damage taken is increased This effect can stack
234=You will not gain infany from engaging in PvP in this mode
235=Increases Magic Resistance
236=Carrying the Flag
237=Defense Level reduced
238=Increasing character's Health and Mana
239=Critical Hit Rate increased
240=Defense Level and Slaying Level increased
241=Increases Health, Attack, and Defense Level
242=Increases Attack Level and Defense Level by 3
243=Increases character's Attack Level and Defense Level
244=Damage from players is reduced
245=Has a chance to cast a buff on yourself when attacking
246=Has a chance to cast a debuff on yourself when attacking
247=Immune to Physical damage
248=Immune to Metal damage
249=Immune to Wood damage
250=Immune to Water damage
251=Immune to Fire damage
252=Immune to Earth damage
253=Physical Reflect
254=Combat capability is improved
255=Paralyzed
256=Skill damage taken is increased
257=Skill Critstrike Rate taken is increased
258=Specific skill''s Channelling Time is reduced
259=Specific skill's damage is increased
260=Glacial Embrace
261=Pyroshell
262=Absorbs most damage and constantly regenerates Health
263=Increase the speed of flying
264=Spirit increased
265=Increase your Spirit, and reduce Critical Strike damage dealt to you
266=Lose health upon movement
267=Dealt damage if distance moved is lower than the default value
268=Gain special abilities if distance moved is lower than the default value
269=Become invulnerable to interrupt skills while Shield is in effect
270=Suffer from a periodic paralysis effect
271=Internal Injury
272=Protection of Coldness
273=Finishes the cooldown of Relentless Drift upon target's death
274=The specific skill has increased effect
275=Normal attacks cause additional damage
276=The specific skill has no cooldown
277=Destiny Hunter
278=Shadow Awakening
279=Luna Awakening
280=Dealt metal & water damage over time, stacks up to 5 times
281=Lunar Physique
282=Increase direct damage inflicted on foes, can be used with Divine Bless
283=Reduces damage taken from critical attacks
284=Increases physical damage dealt
285=Increases spell damage dealt
286=Increases damage taken from skills
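An added example, in Python, that is not code from either of the two posts above: it follows the same pointer chain the AutoIt snippet uses ([[[ADDRESS_BASE]+0x1C]+0x28] to the character object) and then walks the buff list at +0x390 with the count at +0x398, but against a constructed memory image instead of a live elementclient.exe. The bytes-per-entry stride is a parameter because the post reads entries 18 bytes apart while the reply reports 12. The image, the three buff IDs placed in it and the three-line INI are made up for the demo; the offsets are the thread's. It also shows the two checks a live reader wants: a NULL link in the middle of the chain and a read outside the mapped region both raise instead of yielding a bogus address.

```python
import struct
import configparser

# Offsets taken from the thread: static pointer, chain to the character object,
# and the buff list pointer / count inside it.
ADDRESS_BASE = 0xD22C74
CHAR_CHAIN = (0x1C, 0x28)        # [[[ADDRESS_BASE] + 0x1C] + 0x28] -> character object
CHAR_BUFF_LIST = 0x390           # pointer to the first buff entry
CHAR_BUFF_COUNT = 0x398          # number of active buffs

# A few entries copied from buffs_str.ini above; enough for the demo.
BUFF_INI = """[Buffs]
BUFFS_DESC_1=Stun
BUFFS_DESC_35=Bless
BUFFS_DESC_76=Invincible
"""


class MemoryImage:
    """Flat byte image standing in for ReadProcessMemory; every read is bounds-checked,
    so a bad pointer raises instead of silently returning zeros."""

    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def _off(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.buf):
            raise ValueError(f"{n}-byte read at {addr:#x} is outside the image")
        return off

    def read_u32(self, addr):
        return struct.unpack_from("<I", self.buf, self._off(addr, 4))[0]

    def read_u16(self, addr):
        return struct.unpack_from("<H", self.buf, self._off(addr, 2))[0]

    def write_u32(self, addr, value):
        struct.pack_into("<I", self.buf, self._off(addr, 4), value)

    def write_u16(self, addr, value):
        struct.pack_into("<H", self.buf, self._off(addr, 2), value)


def follow_chain(mem, static_addr, offsets):
    """Dereference static_addr, then for each offset read [ptr + offset].
    A NULL link (e.g. character not loaded yet) is reported rather than followed."""
    ptr = mem.read_u32(static_addr)
    for off in offsets:
        if ptr == 0:
            raise ValueError("NULL pointer in chain before offset %#x" % off)
        ptr = mem.read_u32(ptr + off)
    return ptr


def read_buff_ids(mem, char_base, stride):
    """Buff IDs are 16-bit words at the start of each entry; stride is bytes per entry."""
    list_ptr = mem.read_u32(char_base + CHAR_BUFF_LIST)
    count = mem.read_u32(char_base + CHAR_BUFF_COUNT)
    if list_ptr == 0 or count == 0:
        return []
    return [mem.read_u16(list_ptr + i * stride) for i in range(count)]


def load_buff_names(ini_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    # keys come back lower-cased as buffs_desc_<id>; the trailing number is the buff ID
    return {int(key.rsplit("_", 1)[1]): desc for key, desc in cp["Buffs"].items()}


def build_sample_image(stride, ids=(35, 76, 1)):
    """Constructed layout for the demo (not a dump of a real client)."""
    mem = MemoryImage(0xD00000, 0x40000)
    obj, sub, char, lst = 0xD30000, 0xD31000, 0xD32000, 0xD33000
    mem.write_u32(ADDRESS_BASE, obj)
    mem.write_u32(obj + 0x1C, sub)
    mem.write_u32(sub + 0x28, char)
    mem.write_u32(char + CHAR_BUFF_LIST, lst)
    mem.write_u32(char + CHAR_BUFF_COUNT, len(ids))
    for i, buff_id in enumerate(ids):
        mem.write_u16(lst + i * stride, buff_id)
    return mem


def active_buffs(mem, stride):
    """[(id, description)] for the character's active buffs."""
    char = follow_chain(mem, ADDRESS_BASE, CHAR_CHAIN)
    names = load_buff_names(BUFF_INI)
    return [(b, names.get(b, "Unknown")) for b in read_buff_ids(mem, char, stride)]


if __name__ == "__main__":
    for stride in (18, 12):      # the post reads entries 18 bytes apart; a reply reports 12
        print(stride, active_buffs(build_sample_image(stride), stride))
```

Against a live process, swap the two read methods of MemoryImage for ReadProcessMemory calls and keep the rest. Reading with the wrong stride (an 18-byte stride over a 12-byte layout, say) shows up as zero IDs that map to Unknown, which is the symptom to look for when a client patch changes the layout.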
02/13/2015, 00:00
#53
Quote:
Originally Posted by Stark77
I do it exactly like this:
Follow has no packet... it will just create a sequence of move packets, so don't even try. The easy way is to make a loop that reads your main's (x,y) and use the autopath to it every 1 (or 2) seconds.

wow another method for sniffing packets, dumbfck is really a lot of things, despite the name
Btw, I already did that, the 'autofollow' by scripting. It's very useful, and even more useful with the vertical movement using the flytoZ function you gave earlier. I use a hotkey to toggle it on or off and other hotkeys for manual 'go here' operations, but still, the in-game autofollow is useful in its own way. Like when I solo FSP and at the slopes going to Toad Boss, autofollow by scripting sometimes reads my main's x,y exactly at the pit coordinate between the slopes as my main passes by and causes one or two of the other chars to die falling into the pit.
Quote:
Originally Posted by Remmm
sniff packets - "PW PacketListener"
Thanks, I'll put this into my notes as well for backup.
Quote:
Originally Posted by denzjh
I don't use FollowPlayer Function since mine's a herbs-farmer bot but here it is anyways...
...snip...
This is how I repeatedly crash the PW Client.
So far I am getting results so I think my theory is somewhat correct
And yes ollydbg is a cool debugging tool!
Thanks another ton for it, and someone who shares everything is as cool as the debugging tool he's using
====
I won't be able to try all of these until a few more months when we have the Eclipse patch, but thanks in advance for any discovery for fixing whatever we once had before eclipse
02/13/2015, 01:52
#54
I tried OllyDbg since I'd like to learn how to find what to send and such. But the client keeps saying the username and password are incorrect every single time I try to log in with OllyDbg attached. How do y'all get past that?
02/14/2015, 05:50
#55
Here is CastSkill in C# if anybody wants.
//CastSkill
private int CastSkillAddress;
private byte[] CastSkillAddressRev;
private byte[] CastSkillPkt = new byte[]
{
    0x60,                           // PUSHAD
    0xB8, 0x00, 0x00, 0x00, 0x00,   // MOV EAX, ADDRESS_BASE      (imm32 patched at +2)
    0x8B, 0x00,                     // MOV EAX, [EAX]
    0x8B, 0x40, 0x1C,               // MOV EAX, [EAX+1C]
    0x8B, 0x70, 0x28,               // MOV ESI, [EAX+28]
    0xB8, 0x00, 0x00, 0x00, 0x00,   // MOV EAX, $SKILL_POINTER    (imm32 patched at +15)
    0x6A, 0xFF,                     // PUSH -1
    0x6A, 0x00,                     // PUSH 0
    0x6A, 0x00,                     // PUSH 0
    0xB9, 0x00, 0x00, 0x00, 0x00,   // MOV ECX, $SKILL_ID         (imm32 patched at +26)
    0x51,                           // PUSH ECX
    0x8B, 0xCE,                     // MOV ECX, ESI
    0xBA, 0x00, 0x00, 0x00, 0x00,   // MOV EDX, ADDRESS_CASTSKILL (imm32 patched at +34)
    0xFF, 0xD2,                     // CALL EDX
    0x61,                           // POPAD
    0xC3                            // RET
};
public void CastSkill(int SkillPointer, int SkillID)
{
    if (CastSkillAddress == 0)
    {
        //load packet in memory (allocated once, reused on every call)
        loadPacket(CastSkillPkt, ref CastSkillAddress, ref CastSkillAddressRev);
    }
    //BitConverter.GetBytes already yields the little-endian byte order an x86 imm32
    //operand needs, so the four values are written into their slots as-is.
    MemFunctions.MemWriteBytes(pr_processHandle, CastSkillAddress + 2, BitConverter.GetBytes(REAL_BASE_ADDRESS));
    MemFunctions.MemWriteBytes(pr_processHandle, CastSkillAddress + 15, BitConverter.GetBytes(SkillPointer));
    MemFunctions.MemWriteBytes(pr_processHandle, CastSkillAddress + 26, BitConverter.GetBytes(SkillID));
    MemFunctions.MemWriteBytes(pr_processHandle, CastSkillAddress + 34, BitConverter.GetBytes(0x48DF40));
    //Run the opcode
    IntPtr threadHandle = MemFunctions.CreateRemoteThread(pr_processHandle, CastSkillAddress);
    //Wait for opcode to be done
    MemFunctions.WaitForSingleObject(threadHandle);
    //Close the thread
    MemFunctions.CloseProcess(threadHandle);
}
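Everything posted so far shares one mechanic: allocate a page inside the client, write a PUSHAD ... CALL reg ... POPAD; RET stub into it, run it with CreateRemoteThread and, as the CastSkill code above does, leave the page resident for reuse. That footprint is exactly what endpoint tooling looks for. The Python below is an added example, not code from the post: it walks a list of memory-region records of the kind a VirtualQueryEx loop returns and flags both private executable pages and the stub byte pattern. The region records (bases 0x00401000, 0x00C50000, 0x02C40000 and their contents) are constructed; on a live Windows host the same two functions would be fed the real output of VirtualQueryEx and ReadProcessMemory.

```python
"""Flag process memory regions that look like the remote-thread injection
pattern used throughout this thread: private (VirtualAllocEx'd) executable
pages holding a PUSHAD ... CALL reg ... POPAD; RET stub. Added example; the
region records are constructed to resemble a VirtualQueryEx walk, not read
from a real process."""
import re
from dataclasses import dataclass

# Win32 MEMORY_BASIC_INFORMATION values
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # the four PAGE_EXECUTE* protections

# 60 PUSHAD, some setup, FF D0 / FF D2 (CALL EAX / CALL EDX), then 61 C3 (POPAD; RET)
STUB_RE = re.compile(rb"\x60.{4,64}?\xff[\xd0\xd2].{0,16}?\x61\xc3", re.DOTALL)


@dataclass
class Region:
    base: int
    size: int
    state: int
    type_: int
    protect: int
    data: bytes      # contents as ReadProcessMemory would return them


def find_stubs(data):
    """Offsets of every PUSHAD/CALL/POPAD stub in a byte buffer."""
    return [m.start() for m in STUB_RE.finditer(data)]


def is_private_executable(region):
    """Committed, neither image- nor file-backed, and executable: the footprint
    VirtualAllocEx(..., PAGE_EXECUTE_READWRITE) leaves behind."""
    return (region.state == MEM_COMMIT and region.type_ == MEM_PRIVATE
            and bool(region.protect & EXECUTABLE_MASK))


def suspicious_regions(regions):
    """Return [(base, [reasons])] for every region matching either heuristic."""
    hits = []
    for r in regions:
        reasons = []
        if is_private_executable(r):
            reasons.append("private executable memory, protect 0x%02X" % r.protect)
        for off in find_stubs(r.data):
            reasons.append("PUSHAD/CALL/POPAD stub at +0x%X" % off)
        if reasons:
            hits.append((r.base, reasons))
    return hits


# The CastSkill byte sequence from the post, with its four imm32 slots still zero.
CASTSKILL_STUB = bytes.fromhex(
    "60 B800000000 8B00 8B401C 8B7028 B800000000 6AFF 6A00 6A00 "
    "B900000000 51 8BCE BA00000000 FFD2 61 C3")

SAMPLE_REGIONS = [  # constructed records, not from a real process
    Region(0x00401000, 0x1000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ,
           bytes.fromhex("558BEC83EC10") + b"\x90" * 32),          # a module's .text
    Region(0x00C50000, 0x1000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE,
           b"\x00" * 64),                                             # ordinary heap
    Region(0x02C40000, 0x1000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE,
           CASTSKILL_STUB.ljust(0x1000, b"\x00")),                    # injected code cave
]

if __name__ == "__main__":
    for base, reasons in suspicious_regions(SAMPLE_REGIONS):
        print("0x%08X: %s" % (base, "; ".join(reasons)))
```

The two heuristics are kept separate on purpose: private RWX pages on their own also show up under JIT runtimes and some packers, and a stub can just as well be written into an existing module's slack space, where the protection check stays silent, so a region that trips both is the strong signal. The regex is tied to the CALL-through-register shape every stub in this thread uses; a stub built differently needs its own pattern.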
02/15/2015, 16:49
#56
elite*gold: 0
Join Date: Jul 2011
Posts: 145
Received Thanks: 97
So I'm trying to port this checkQuestPresent function from the WQ bot to AutoIt.
Code:
checkQuestPresent(questId, client)
{
    global
    ;Get the process Id from the given client title
    winget, pid, PID, %client%
    ;Get the process handle from the given client title
    If ProcessHandle%PID% =
    {
        ProcessHandle%PID% := DllCall("OpenProcess", "int", 2035711, "char", 1, "UInt", PID, "UInt")
        logThis("ProcessHandle: " . ProcessHandle%PID%, "main")
    }
    functionSize := 100
    ;Allocate memory to store the packet to be sent, and the method to call the send packet function
    If returnAddress%PID% =
    {
        returnAddress%PID% := DllCall("VirtualAllocEx", "Uint", ProcessHandle%PID%, "Uint", 0, "Uint", 0x4, "Uint", 0x1000, "Uint", 0x40)
        logThis("returnAddress: " . returnAddress%PID%, "main")
    }
    If functionAddress%PID% =
    {
        functionAddress%PID% := DllCall("VirtualAllocEx", "Uint", ProcessHandle%PID%, "Uint", 0, "Uint", functionSize, "Uint", 0x1000, "Uint", 0x40)
        logThis("functionAddress: " . functionAddress%PID%, "main")
    }
    revHex(revReturnAddress, returnAddress%PID%)
    revHex(revQuestId, questId)
    revHex(revQuestFunctionAddress, questFunctionAddress)
    revHex(revBaseAddress, realBaseAddress)
    revHex(revQuestFunctionOffset, questFunctionOffset)
    revHex(revPlayerOffSet, playerOffSet, 2)
    ;60                PUSHAD
    ;B8 80 45 66 00    MOV EAX, 00664580
    ;8B 0D 7C 65 98 00 MOV ECX, DWORD PTR [98657C]
    ;8B 49 1C          MOV ECX, DWORD PTR [ECX+1C]
    ;8B 49 30          MOV ECX, DWORD PTR [ECX+34]
    ;8B 89 DC 0D       MOV ECX, DWORD PTR [ECX+DDC]
    ;68 DD 06          PUSH 6DD
    ;FF D0             CALL NEAR EAX
    ;A3 32 54 76 98    MOV DWORD PTR [98765432], EAX
    ;61                POPAD
    ;C3                RET
    func =
    func = %func%60                          ;PUSHAD
    func = %func%B8%revQuestFunctionAddress% ;MOV EAX, questFunction
    func = %func%8B0D%revBaseAddress%        ;MOV ECX, DWORD PTR [baseAddress]
    func = %func%8B491C                      ;MOV ECX, DWORD PTR [ECX+1C]
    func = %func%8B49%revPlayerOffSet%       ;MOV ECX, DWORD PTR [ECX+playerOffSet]
    func = %func%8B89%revQuestFunctionOffset% ;MOV ECX, DWORD PTR [ECX+questFuncOffset]
    func = %func%68%revQuestId%              ;PUSH questId
    func = %func%FFD0                        ;CALL NEAR EAX
    func = %func%A3%revReturnAddress%        ;MOV DWORD PTR [returnAddress], EAX
    func = %func%61                          ;POPAD
    func = %func%C3                          ;RET
    MCode(checkQuestFunction, func)
    DllCall("WriteProcessMemory", "UInt", ProcessHandle%PID%, "UInt", functionAddress%PID%, "Uint", &checkQuestFunction, "Uint", functionSize, "Uint *", 0)
    SetFormat, IntegerFast, d
    hThrd := DllCall("CreateRemoteThread", "Uint", ProcessHandle%PID%, "Uint", 0, "Uint", 0, "Uint", functionAddress%PID%, "Uint", 0, "Uint", 0, "Uint", 0)
    loop
    {
        result := DllCall( "WaitForSingleObject", UInt,hThrd, UInt,50 )
        if(result <> 258)
        {
            break
        }
        sleep 50
        if(A_Index > 100)
        {
            break
        }
    }
    local returnValue := readMemory(returnAddress%PID%, client)
    DllCall( "CloseHandle", UInt,hThrd )
    ;DllCall("VirtualFreeEx", "Uint", ProcessHandle, "Uint", functionAddress, "Uint", 0, "Uint", 0x8000)
    ;DllCall("VirtualFreeEx", "Uint", ProcessHandle, "Uint", returnAddress, "Uint", 0, "Uint", 0x8000)
    ;DllCall( "CloseHandle", UInt,ProcessHandle )
    return returnValue
}
Here's what I have:
Code:
Global $ADDRESS_BASE = 0xD22C74
Global $ADDRESS_QUESTAVAILABLE = 0x89E040
Global $QuestList_Offset = 0x13F4
Global $Player_Offset = 0x28

Func IsQuestAvailable($questId)
    $processHandle = $GAME_PROCESS[1]
    ;Allocate memory for the return address
    $returnAddress = DllCall('kernel32.dll', 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', 0x4, 'int', 0x1000, 'int', 0x40)
    $OPcode = "60"                                      ;60 PUSHAD
    $OPcode &= "B8" & _Hex($ADDRESS_QUESTAVAILABLE)     ;MOV EAX, questFunction
    $OPcode &= "8B0D" & _Hex($ADDRESS_BASE)             ;MOV ECX, DWORD PTR [baseAddress]
    $OPcode &= "8B491C"                                 ;MOV ECX, DWORD PTR [ECX+1C]
    $OPcode &= "8B49" & _Hex($Player_Offset, 2)         ;MOV ECX, DWORD PTR [ECX+playerOffSet]
    $OPcode &= "8B89" & _Hex($QuestList_Offset, 4)      ;MOV ECX, DWORD PTR [ECX+questFuncOffset]
    $OPcode &= "68" & _Hex($questId, 4)                 ;PUSH questId
    $OPcode &= "FFD0"                                   ;CALL NEAR EAX
    $OPcode &= "A3" & _Hex($returnAddress[0])           ;MOV DWORD PTR [returnAddress], EAX
    $OPcode &= "61"                                     ;POPAD
    $OPcode &= "C3"                                     ;RET
    InjectCode($OPcode)
    $retVal = _MemoryRead($returnAddress[0], $GAME_PROCESS)
    ;Free the previously allocated memory
    DllCall('kernel32.dll', 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $returnAddress[0], 'int', 0, 'int', 0x8000)
    Return $retVal
EndFunc
All it does is crash.
This is the OPcode it generates...
60B840E089008B0D742CD2008B491C8B49288B89F41368DD67FFD0A30000C90861C3
and while I'm no ASM expert it looks pretty similar to the sample provided in the source
60B8804566008B0D7C6598008B491C8B49308B89DC0D68DD06FFD0A33254769861C3
Can anyone see where I am screwing up? I've been stuck on this for a while. Also, if anyone has any quest-related knowledge to drop here I'd be grateful. I'm trying to make a bot to take care of Morai / Primal / Faction Base dailies. While I can talk to NPCs fine, I don't know how to examine quests yet.
EDIT:
OK, I rewrote the ASM and can now get back a value, but all it seems to do is give me a pointer to the quest struct. I guess that's kind of useful, but it doesn't have any progress or availability info in it. Maybe this can be of use to someone smarter than me.
Code:
Global $ADDRESS_BASE = 0xD22C74
Global $ADDRESS_QUESTAVAILABLE = 0x89E040
Global $QUEST_LIST_POINTER = 0xD23624
Global $Player_Offset = 0x28

Func IsQuestAvailable($questId)
    $processHandle = $GAME_PROCESS[1]
    ;Allocate memory for the return address
    $returnAddress = DllCall('kernel32.dll', 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', 0x4, 'int', 0x1000, 'int', 0x40)
    $questList = _MemoryRead($QUEST_LIST_POINTER, $GAME_PROCESS)
    $OPcode = "60"                                      ;60 PUSHAD
    $OPcode &= "B9" & _Hex($questList)                  ;MOV ECX, questList
    $OPcode &= "68" & _Hex($questId)                    ;PUSH questId
    $OPcode &= "B8" & _Hex($ADDRESS_QUESTAVAILABLE)     ;MOV EAX, questFunction
    $OPcode &= "FFD0"                                   ;CALL NEAR EAX
    $OPcode &= "A3" & _Hex($returnAddress[0])           ;MOV DWORD PTR [returnAddress], EAX
    $OPcode &= "61"                                     ;POPAD
    $OPcode &= "C3"                                     ;RET
    InjectCode($OPcode)
    $retVal = _MemoryRead($returnAddress[0], $GAME_PROCESS)
    ;Free the previously allocated memory
    DllCall('kernel32.dll', 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $returnAddress[0], 'int', 0, 'int', 0x8000)
    Return $retVal
EndFunc
Maybe this is the wrong function. I got the 0x89E040 offset from the Jawq thread.
Again, if anyone has questing knowledge feel free to point me somewhere. Thanks.
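The two hex strings in this post can be compared instruction by instruction instead of by eye. The Python below is an added example, not code from the post or from the WQ bot: a decoder for just the x86-32 encodings these PUSHAD/POPAD stubs use, the kind of throwaway tool an analyst writes when triaging a hand-assembled code cave pulled out of a process dump. It takes the two strings quoted in the post plus a third, constructed stub shaped like the rewritten version in the EDIT, whose addresses (0x12345678, 0x00401000, 0x00100000) are placeholders and an assumption.

```python
"""Decoder for the handful of x86-32 encodings that the PUSHAD/POPAD stubs in
this thread use. Added example: not code from the post or from the WQ bot."""
import struct

REGS = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

# The two strings quoted in the post.
STUB_FROM_POST = "60B840E089008B0D742CD2008B491C8B49288B89F41368DD67FFD0A30000C90861C3"
SAMPLE_FROM_WQ = "60B8804566008B0D7C6598008B491C8B49308B89DC0D68DD06FFD0A33254769861C3"
# Constructed stub with placeholder addresses, in the shape of the EDIT version:
# MOV ECX,list; PUSH id; MOV EAX,fn; CALL EAX; MOV [ret],EAX; POPAD; RET.
CONSTRUCTED_STUB = "60 B978563412 68DD060000 B800104000 FFD0 A300001000 61 C3"


def _modrm(buf, pos):
    """Decode the ModRM byte at buf[pos] (no SIB). Returns (reg, operand text, size)."""
    modrm = buf[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        return reg, REGS[rm], 1
    if rm == 4:
        raise ValueError("SIB addressing not supported")
    if mod == 0 and rm == 5:   # absolute disp32, no base register
        return reg, "DWORD PTR [%08X]" % struct.unpack_from("<I", buf, pos + 1)[0], 5
    if mod == 0:
        return reg, "DWORD PTR [%s]" % REGS[rm], 1
    if mod == 1:               # base + signed disp8
        disp = struct.unpack_from("<b", buf, pos + 1)[0]
        sign, mag = ("+", disp) if disp >= 0 else ("-", -disp)
        return reg, "DWORD PTR [%s%s%02X]" % (REGS[rm], sign, mag), 2
    # mod == 2: base + disp32, always four displacement bytes
    return reg, "DWORD PTR [%s+%08X]" % (REGS[rm], struct.unpack_from("<I", buf, pos + 1)[0]), 5


def decode_stub(hex_string):
    """Return (instructions, well_formed). instructions is a list of
    (offset, hex bytes, text). Decoding stops at the first byte outside the
    subset; well_formed is True only if everything decodes and the stub ends in
    POPAD; RET, i.e. it would hand control back to the remote thread cleanly."""
    buf = bytes.fromhex("".join(hex_string.split()))
    out, pos = [], 0
    try:
        while pos < len(buf):
            op = buf[pos]
            if op == 0x60:
                text, size = "PUSHAD", 1
            elif op == 0x61:
                text, size = "POPAD", 1
            elif op == 0xC3:
                text, size = "RET", 1
            elif 0x50 <= op <= 0x57:
                text, size = "PUSH " + REGS[op - 0x50], 1
            elif op == 0x6A:
                text, size = "PUSH %02X" % buf[pos + 1], 2
            elif op == 0x68:
                text, size = "PUSH %08X" % struct.unpack_from("<I", buf, pos + 1)[0], 5
            elif 0xB8 <= op <= 0xBF:
                imm = struct.unpack_from("<I", buf, pos + 1)[0]
                text, size = "MOV %s, %08X" % (REGS[op - 0xB8], imm), 5
            elif op == 0xA3:
                text, size = "MOV DWORD PTR [%08X], EAX" % struct.unpack_from("<I", buf, pos + 1)[0], 5
            elif op == 0x8B:
                reg, operand, size = _modrm(buf, pos + 1)
                text, size = "MOV %s, %s" % (REGS[reg], operand), size + 1
            elif op == 0xFF and (buf[pos + 1] >> 3) & 7 == 2:   # FF /2 = CALL r/m32
                reg, operand, size = _modrm(buf, pos + 1)
                text, size = "CALL " + operand, size + 1
            else:
                out.append((pos, "%02X" % op, "?? not in the stub subset"))
                return out, False
            out.append((pos, buf[pos:pos + size].hex().upper(), text))
            pos += size
    except (struct.error, IndexError, ValueError):
        out.append((pos, "", "?? truncated or unsupported operand"))
        return out, False
    ok = len(out) >= 2 and out[-2][2] == "POPAD" and out[-1][2] == "RET"
    return out, ok


if __name__ == "__main__":
    for name, s in [("post", STUB_FROM_POST), ("WQ sample", SAMPLE_FROM_WQ),
                    ("constructed", CONSTRUCTED_STUB)]:
        insns, ok = decode_stub(s)
        print(name, "well-formed" if ok else "malformed")
        for off, raw, text in insns:
            print("  %02X  %-14s %s" % (off, raw, text))
```

Run as a script it shows both quoted strings decoding identically up to offset 24: `8B 89` takes a four-byte displacement and `68` a four-byte immediate, and each string carries only two bytes for them, so the CPU reads `F4 13 68 DD` as one displacement and then lands on `67` (or `06` in the sample) where the PUSH was meant to start. A stub whose decode does not end in POPAD; RET will not return control to the injected thread cleanly, which matches the crash described above; the constructed stub shows what a clean decode looks like.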
02/20/2015, 21:56
#57
elite*gold: 0
Join Date: Apr 2012
Posts: 7
Received Thanks: 1
My client keeps crashing with CastSkill. Sometimes after a few minutes, sometimes after a few hours.
I'm wondering if I'm using the correct thing for SkillPointer. I used 0x1418, which points to my skill structure. Then I tried 0x1418+skillindex.
I'm surprised they both worked, but both will eventually crash the client.
Help?
I keep getting this when I debug it:
__decode_pointer:
75CDC174 8B FF mov edi,edi
75CDC176 55 push ebp
75CDC177 8B EC mov ebp,esp
75CDC179 FF 75 08 push dword ptr [ebp+8]
75CDC17C FF 15 B4 12 CD 75 call dword ptr ds:[75CD12B4h]
75CDC182 5D pop ebp
75CDC183 C3 ret
75CDC184 8B C7 mov eax,edi
75CDC186 BA 03 00 00 00 mov edx,3
75CDC18B 83 E9 04 sub ecx,4
75CDC18E 73 07 jae _memmove+233Dh (75CDC197h)
75CDC190 FF 24 8D F8 9E CD 75 jmp dword ptr [ecx*4+75CD9EF8h]
75CDC197 83 E0 03 and eax,3
75CDC19A 03 C8 add ecx,eax
75CDC19C FF 24 85 B4 9E CD 75 jmp dword ptr [eax*4+75CD9EB4h]
75CDC1A3 23 D1 and edx,ecx
75CDC1A5 8A 06 mov al,byte ptr [esi]
75CDC1A7 88 07 mov byte ptr [edi],al
75CDC1A9 8A 46 01 mov al,byte ptr [esi+1]
75CDC1AC C1 E9 02 shr ecx,2
75CDC1AF 88 47 01 mov byte ptr [edi+1],al
75CDC1B2 83 C6 02 add esi,2
75CDC1B5 83 C7 02 add edi,2
75CDC1B8 83 F9 08 cmp ecx,8
75CDC1BB 0F 82 E0 DC FF FF jb _memmove+47h (75CD9EA1h)
75CDC1C1 F3 A5 rep movs dword ptr es:[edi],dword ptr [esi]
75CDC1C3 FF 24 95 E8 9E CD 75 jmp dword ptr [edx*4+75CD9EE8h]
75CDC1CA 8A 06 mov al,byte ptr [esi]
75CDC1CC 88 07 mov byte ptr [edi],al
75CDC1CE 8B 45 08 mov eax,dword ptr [ebp+8]
75CDC1D1 5E pop esi
75CDC1D2 5F pop edi
75CDC1D3 C9 leave
75CDC1D4 C3 ret
75CDC1D5 8A 06 mov al,byte ptr [esi] *********** Arrow points to here *************
75CDC1D7 88 07 mov byte ptr [edi],al
75CDC1D9 8A 46 01 mov al,byte ptr [esi+1]
75CDC1DC 88 47 01 mov byte ptr [edi+1],al
75CDC1DF 8A 46 02 mov al,byte ptr [esi+2]
75CDC1E2 88 47 02 mov byte ptr [edi+2],al
75CDC1E5 8B 45 08 mov eax,dword ptr [ebp+8]
75CDC1E8 5E pop esi
75CDC1E9 5F pop edi
75CDC1EA C9 leave
75CDC1EB C3 ret
75CDC1EC 8B C7 mov eax,edi
75CDC1EE BA 03 00 00 00 mov edx,3
75CDC1F3 83 F9 04 cmp ecx,4
75CDC1F6 0F 82 CF 9D 01 00 jb _memmove+1C171h (75CF5FCBh)
75CDC1FC 83 E0 03 and eax,3
75CDC1FF 2B C8 sub ecx,eax
75CDC201 FF 24 85 F4 9E CD 75 jmp dword ptr [eax*4+75CD9EF4h]
75CDC208 8A 46 03 mov al,byte ptr [esi+3]
75CDC20B 23 D1 and edx,ecx
75CDC20D 88 47 03 mov byte ptr [edi+3],al
75CDC210 8A 46 02 mov al,byte ptr [esi+2]
75CDC213 C1 E9 02 shr ecx,2
75CDC216 88 47 02 mov byte ptr [edi+2],al
75CDC219 83 EE 02 sub esi,2
75CDC21C 83 EF 02 sub edi,2
75CDC21F 83 F9 08 cmp ecx,8
75CDC222 0F 82 EC 00 00 00 jb _memmove+24BAh (75CDC314h)
75CDC228 FD std
75CDC229 F3 A5 rep movs dword ptr es:[edi],dword ptr [esi]
75CDC22B FC cld
75CDC22C FF 24 95 30 9F CD 75 jmp dword ptr [edx*4+75CD9F30h]
75CDC233 8A 46 03 mov al,byte ptr [esi+3]
75CDC236 88 47 03 mov byte ptr [edi+3],al
75CDC239 8A 46 02 mov al,byte ptr [esi+2]
75CDC23C 88 47 02 mov byte ptr [edi+2],al
75CDC23F 8B 45 08 mov eax,dword ptr [ebp+8]
75CDC242 5E pop esi
75CDC243 5F pop edi
75CDC244 C9 leave
75CDC245 C3 ret
75CDC246 90 nop
75CDC247 90 nop
75CDC248 90 nop
75CDC249 90 nop
75CDC24A 90 nop
02/21/2015, 03:31
#58
elite*gold: 0
Join Date: Jul 2011
Posts: 145
Received Thanks: 97
Here's my cast skill function that also checks the cooldown before calling the version that takes a pointer. I've had no problems with it.
Code:
global $PlayerGenieSkill_Offset = 0x1448 ;from player, skill count is this +0x4
global $PlayerSkill_Offset = 0x1418
global $SkillID_Offset = 8
global $SkillLVL_Offset = 12
global $SkillCurCooldown_Offset = 16
global $SkillCD_Offset = 20

; $ADDRESS_BASE, $Player_Offset, $GAME_PROCESS and CastSkillWithPointer() come from the earlier posts in this thread
Func CastSkill($SKILL_ID, $type = 0)
    $Player = _MemoryRead(_MemoryRead(_MemoryRead($ADDRESS_BASE, $GAME_PROCESS) + 0x1C, $GAME_PROCESS) + $Player_Offset, $GAME_PROCESS)
    $skillOffset = $PlayerSkill_Offset
    $SkillBase = _MemoryRead($Player + $skillOffset, $GAME_PROCESS)
    $skillCount = _MemoryRead($Player + $skillOffset + 0x4, $GAME_PROCESS)
    $found = False
    For $i = 0 To $skillCount - 1
        $skill = _MemoryRead($SkillBase + 4 * $i, $GAME_PROCESS)
        $id = _MemoryRead($skill + $SkillID_Offset, $GAME_PROCESS)
        If $id = $SKILL_ID Then
            $found = True
            ExitLoop
        EndIf
    Next
    ; Without this guard an unknown $SKILL_ID falls through with $skill still pointing at the last list entry
    If Not $found Then Return 0
    $cooldown = _MemoryRead($skill + $SkillCurCooldown_Offset, $GAME_PROCESS)
    If $cooldown > 0 Then Return 0
    CastSkillWithPointer($skill, $id)
    Return 1
EndFunc
Does anyone have the opcode to inject for jump? Some instances require a little jumping in spots to get through.
02/27/2015, 22:01
#59
elite*gold: 0
Join Date: Apr 2012
Posts: 7
Received Thanks: 0
Hi guys. Can anyone tell me offsets for friend list structure? Thanks
02/27/2015, 22:27
#60
elite*gold: 0
Join Date: Jul 2011
Posts: 145
Received Thanks: 97
I finally figured out how to read quests!
QuestList = [[[[BA+0x1C]+0x28]+0x13F4]+0x8]
Quest Count = QuestList+0x0 (1 Byte) includes invisible quests
Visible Quest Count = QuestList+0x4 (1 Byte)
QuestID = QuestList + 0x8 + 0x20*i (2 bytes, i = 0 to Count)
Monster Kill Count = QuestList + 0x8 + 0x20*i + 0x15
I'm sure there are more fields inside the 32 byte quest struct but I really needed Mob kill count for my daily bot.