PWI Eclipse changes
Discussion on PWI Eclipse changes within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.
06/03/2015, 18:21 - #121
elite*gold: 0, Join Date: Jul 2011, Posts: 145, Received Thanks: 97
This last PWI update (6/3) has no changes in the player structure / action / inventory / NPC / quests / items that I noticed. The only thing that changed is the base addresses.
Here are the ones I use.
Code:
Global $ADDRESS_BASE = 0xd3a8ec
Global $ADDRESS_SENDPACKET = 0x78f760
Global $ADDRESS_AUTOPATH = 0x456c80
Global $ADDRESS_ACTION1 = 0x4a22f0
Global $ADDRESS_ACTION2 = 0x4a8660
Global $ADDRESS_ACTION3 = 0x4a28e0
Global $ADDRESS_GATHER = 0x497af0
Global $ADDRESS_CASTSKILL = 0x48fed0
Global $ADDRESS_REGATTACK = 0x4979b0
Global $ADDRESS_INSTANCE_BASE = 0xd3b08c
Global $ADDRESS_MACRO_BASE = 0xD3B9AE
Global $ADDRESS_PARTYINV = 0xD45190
06/03/2015, 20:53 - #122
elite*gold: 20, Join Date: May 2009, Posts: 1,290, Received Thanks: 326
In addition to what jasty posted, here's Unfreeze: 0x00D3B55C
Also, jasty, skillcast is 0x004789F0. I'm surprised your address works for you. Did you find a cooler function or did you typo?
Cheers
06/03/2015, 21:40 - #123
elite*gold: 0, Join Date: Jul 2011, Posts: 145, Received Thanks: 97
Quote: Originally Posted by Sᴡoosh
In addition to what jasty posted, here's Unfreeze: 0x00D3B55C
Also, jasty, skillcast is 0x004789F0. I'm surprised your address works for you. Did you find a cooler function or did you typo?
Cheers
It's what I use in this function. It works fine for normal skills, for genie skills I still just send packets (which is alright since those don't make you walk to range first).
Code:
Func CastSkillWithPointer($SKILL_POINTER, $SKILL_ID)
$OPcode = "60" ;60 PUSHAD
$OPcode &= "B8" & _Hex($ADDRESS_BASE) ;B8 00000000 MOV EAX,#Baseadr
$OPcode &= "8B00" ;8B00 MOV EAX,DWORD PTR DS:[EAX]
$OPcode &= "8B401C" ;8B40 1C MOV EAX,DWORD PTR DS:[EAX+1C]
$OPcode &= "8B70" & _Hex($Player_Offset, 2) ;8B70 28 MOV ESI,DWORD PTR DS:[EAX+28]
$OPcode &= "B8" & _Hex($SKILL_POINTER) ;B8 00000000 MOV EAX, $SKILL POINTER
$OPcode &= "6AFF" ;6A FF PUSH -1
$OPcode &= "6A00" ;6A 00 PUSH 0
$OPcode &= "6A00" ;6A 00 PUSH 0
$OPcode &= "B9" & _Hex($SKILL_ID) ;B9 00000000 MOV ECX, $SKILL ID
$OPcode &= "51" ;51 PUSH ECX
$OPcode &= "8BCE" ;8BCE MOV ECX,ESI
$OPcode &= "BA" & _Hex($ADDRESS_CASTSKILL) ;BA 00000000 MOV EDX, $ADDRESS_CASTSKILL
$OPcode &= "FFD2" ;FFD2 CALL EDX
$OPcode &= "61" ;61 POPAD
$OPcode &= "C3" ;C3 RETN
InjectCode($OPcode)
EndFunc
06/03/2015, 22:51 - #124
elite*gold: 0, Join Date: Sep 2013, Posts: 146, Received Thanks: 84
UnfreezOffset = 0x4EC
partyInviteOffset = 0xD45190
chatBase_offset = 0xD405E0
Hmm, my partyinvite offset seems to be different, but it's working for me.
BTW, what's your instance offset used for?
06/03/2015, 23:11 - #125
elite*gold: 0, Join Date: Jul 2011, Posts: 145, Received Thanks: 97
Quote: Originally Posted by Stark77
UnfreezOffset = 0x4EC
partyInviteOffset = 0xD45190
chatBase_offset = 0xD405E0
Hmm, my partyinvite offset seems to be different, but it's working for me.
BTW, what's your instance offset used for?
Ahh, ya, forgot to check partyinv. Yours is right.
I use the instance address to tell me the current instance ID. It's useful for scripting things where you go in and out of instances.
Code:
Func getInstanceId()
Return _MemoryRead(_MemoryRead(_MemoryRead($ADDRESS_INSTANCE_BASE, $GAME_PROCESS) + 0x14, $GAME_PROCESS) + 0x90, $GAME_PROCESS)
EndFunc
06/30/2015, 15:22 - #126
elite*gold: 0, Join Date: Dec 2009, Posts: 70, Received Thanks: 15
Does anyone actually know how to trash quests?
It's annoying how many quests pop up that are not needed, and I wanted an automated way to delete them. I already tried the way of sending packets but wasn't successful. Right now I'm using image search to trash quests, but that's just inefficient.
Maybe someone of you guys knows a way to achieve that. Would be awesome.
07/01/2015, 00:49 - #127
elite*gold: 0, Join Date: Sep 2013, Posts: 146, Received Thanks: 84
Code:
Func trashQuest($QuestId, $pid)
local $packet, $packetSize
$packet = '31000300000002'
$packet &= _hex($QuestId, 4)
$packetSize = 9
sendPacket($packet, $packetSize, $pid)
EndFunc
Example:
QuestID = 26830
=> packet = 31000300000002CE68
Hope this helps. If not, feel free to ask again.
07/01/2015, 01:53 - #128
elite*gold: 0, Join Date: Dec 2009, Posts: 70, Received Thanks: 15
Quote: Originally Posted by jasty
I finally figured out how to read quests!
QuestList = [[[[BA+0x1C]+0x28]+0x13F4]+0x8]
Quest Count = QuestList+0x0 (1 Byte) includes invisible quests
Visible Quest Count = QuestList+0x4 (1 Byte)
QuestID = QuestList + 0x8 + 0x20*i (2 bytes, i = 0 to Count)
Monster Kill Count = QuestList + 0x8 + 0x20*i + 0x15
I'm sure there are more fields inside the 32 byte quest struct but I really needed Mob kill count for my daily bot.
I have another question on this, actually. I was trying the chains out and got to read out the Quest List. The offset 0x13F4 is now 0x13F8, which is the only difference.
Now the problem that I have is that I cannot find the QuestID. To the quest list I add 0x8 and search... then another 0x20 and it should show me the first QuestID, but I always find 0...
Does anyone know what I'm doing wrong?
I'm searching like this:
$POINTER_BASE = _MemoryRead(_MemoryRead($ADDRESS_BASE, $GAME_PROCESS) + 0x1C, $GAME_PROCESS)
$POINTER_CHARACTER = _MemoryRead($POINTER_BASE + 0x28, $GAME_PROCESS)
$QuestOffset = _MemoryRead($POINTER_CHARACTER + 0x13F8,$GAME_PROCESS)
$QuestList = _MemoryRead($QuestOffset + 0x8,$GAME_PROCESS)
$QuestlistCount = _MemoryRead($QuestList + 0x4, $GAME_PROCESS)
$QuestOffset2= _MemoryRead($QuestList + 0x8,$GAME_PROCESS)
$QuestID = _MemoryRead($QuestOffset2 + 0x20,$GAME_PROCESS)
Quote: Originally Posted by Stark77
Code:
Func trashQuest($QuestId, $pid)
local $packet, $packetSize
$packet = '31000300000002'
$packet &= _hex($QuestId, 4)
$packetSize = 9
sendPacket($packet, $packetSize, $pid)
EndFunc
Example:
QuestID = 26830
=> packet = 31000300000002CE68
Hope this helps. If not, feel free to ask again.
It works! Thank you very much.
Edit 2:
I just found it out.
Silly me lol. I had to read directly and not make an extra step.
So it has to be like this:
$POINTER_BASE = _MemoryRead(_MemoryRead($ADDRESS_BASE, $GAME_PROCESS) + 0x1C, $GAME_PROCESS)
$POINTER_CHARACTER = _MemoryRead($POINTER_BASE + 0x28, $GAME_PROCESS)
$QuestOffset = _MemoryRead($POINTER_CHARACTER + 0x13F8, $GAME_PROCESS)
$QuestList = _MemoryRead($QuestOffset + 0x8, $GAME_PROCESS)
$QuestlistCount = _MemoryRead($QuestList + 0x4, $GAME_PROCESS)
$QuestOffset2 = _MemoryRead($QuestList + 0x8 + 0x20*1, $GAME_PROCESS)
Only thing is, yeah, it shows every quest I have lol. But it works.
07/01/2015, 02:56 - #129
elite*gold: 0, Join Date: Dec 2009, Posts: 70, Received Thanks: 15
Edit 3:
To actually make use of the found value, it needs to be converted like this:
$QuestOffset2 = _MemoryRead($QuestList + 0x8 + 0x20*i, $GAME_PROCESS)
$QuestCutHex = Hex($QuestOffset2, 4)
$QuestConverDec = Dec($QuestCutHex)
QuestConverDec is then the ID of the quest.
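As an added simulation, not code from the thread or from the game, here is the quest-list walk from the posts above run over a constructed fake memory image in Python: the image base, the object addresses and the quest entries are all made-up assumptions, and only the pointer offsets and the field layout come from the posts. It shows why the DWORD read has to be masked to 16 bits before it is the quest ID.

```python
import struct

# Constructed 32-bit little-endian memory image standing in for the game client.
# Every address and value here is made up; only the offsets (+0x1C, +0x28, +0x13F8,
# +0x8, entry size 0x20, counts at +0x0/+0x4, kills at +0x15) follow the thread.
IMAGE_BASE = 0xD3A000
ADDRESS_BASE = 0xD3A8EC   # static pointer from the thread's address list

def read_u32(img, addr):
    """Equivalent of _MemoryRead(addr): one little-endian DWORD."""
    return struct.unpack_from("<I", img, addr - IMAGE_BASE)[0]
def read_u8(img, addr):
    return img[addr - IMAGE_BASE]

def build_image(quests):  # quests: list of (quest_id, kill_count)
    img = bytearray(0x20000)
    def put32(addr, val):
        struct.pack_into("<I", img, addr - IMAGE_BASE, val)
    obj, world, char, container, qlist = 0xD40000, 0xD41000, 0xD42000, 0xD43000, 0xD45000
    put32(ADDRESS_BASE, obj)          # [BA]
    put32(obj + 0x1C, world)          # [[BA]+0x1C]
    put32(world + 0x28, char)         # [...+0x28] -> character
    put32(char + 0x13F8, container)   # [...+0x13F8]
    put32(container + 0x8, qlist)     # [...+0x8] -> QuestList
    img[qlist - IMAGE_BASE] = len(quests)        # total count (1 byte)
    img[qlist + 0x4 - IMAGE_BASE] = len(quests)  # visible count (1 byte)
    for i, (qid, kills) in enumerate(quests):
        entry = qlist + 0x8 + 0x20 * i
        # The ID is only 2 bytes; fill the upper half of the DWORD with junk
        # so the 16-bit mask in read_quests is visibly needed.
        put32(entry, (0xBEEF << 16) | qid)
        img[entry + 0x15 - IMAGE_BASE] = kills
    return img

def quest_list_address(img):
    """Walk QuestList = [[[[BA+0x1C]+0x28]+0x13F8]+0x8] with no extra dereference."""
    p = read_u32(img, ADDRESS_BASE)
    p = read_u32(img, p + 0x1C)
    p = read_u32(img, p + 0x28)
    p = read_u32(img, p + 0x13F8)
    return read_u32(img, p + 0x8)

def read_quests(img):
    """[(quest_id, kill_count), ...]; ID masked to 16 bits = Dec(Hex(value, 4))."""
    qlist = quest_list_address(img)
    out = []
    for i in range(read_u8(img, qlist)):
        entry = qlist + 0x8 + 0x20 * i
        out.append((read_u32(img, entry) & 0xFFFF, read_u8(img, entry + 0x15)))
    return out
```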
07/01/2015, 03:52 - #130
elite*gold: 0, Join Date: Oct 2008, Posts: 1,243, Received Thanks: 670
Does anyone know how to find $ADDRESS_FOLLOW like in denzjh's followplayer() function, PW Indo is currently v.1.5.2 build 2439 or the same as PWI 841.
Code:
#include <NomadMemory.au3>
Global $GAME_CLIENT = "elementclient.exe"
Global $GAME_PID = ProcessExists($GAME_CLIENT)
Global $GAME_PROCESS = _MemoryOpen($GAME_PID)
Global $ADDRESS_BASE = 0xD22C74
Global $OFFSET_ACTIONBASE = 0x13EC
Func FollowPlayer($TARGET) ;$TARGET = ID of the player to follow (used below, so it must be a parameter)
$ADDRESS_ACTION1 = 0x49FF80
$ADDRESS_FOLLOW = 0x6820C0
$ADDRESS_ACTION3 = 0x4A0590
;Construct the OpCode for calling the 'FollowPlayer' function
$OPcode = "60" ;60 PUSHAD
$OPcode &= "B9" & _Hex($ADDRESS_BASE) ;B9 00000000 MOV ECX, $ADDRESS_BASE
$OPcode &= "8B09" ;8B09 MOV ECX,DWORD PTR DS:[ECX]
$OPcode &= "8B491C" ;8B49 1C MOV ECX,DWORD PTR DS:[ECX+1C]
$OPcode &= "8B7128" ;8B71 28 MOV ESI,DWORD PTR DS:[ECX+28]
$OPcode &= "8B8E" & _Hex($OFFSET_ACTIONBASE) ;8B8E EC130000 MOV ECX,DWORD PTR DS:[ESI+13EC]
$OPcode &= "57" ;57 PUSH EDI (EDI=0x26)
$OPcode &= "6A07" ;6A 07 PUSH 7
$OPcode &= "BA" & _Hex($ADDRESS_ACTION1) ;BA 00000000 MOV EDX, $ADDRESS_ACTION1
$OPcode &= "FFD2" ;FFD2 CALL EDX
$OPcode &= "8BF8" ;8BF8 MOV EDI,EAX
$OPcode &= "BB" & _Hex($TARGET) ;BB 00000000 MOV EBX, Target ID
$OPcode &= "53" ;53 PUSH EBX (PLAYER ID)
$OPcode &= "8BCF" ;8BCF MOV ECX,EDI
$OPcode &= "BA" & _Hex($ADDRESS_FOLLOW) ;BA 00000000 MOV EDX, $ADDRESS_FOLLOW
$OPcode &= "FFD2" ;FFD2 CALL EDX
$OPcode &= "B9" & _Hex($ADDRESS_BASE) ;B9 00000000 MOV ECX, $ADDRESS_BASE
$OPcode &= "8B09" ;8B09 MOV ECX,DWORD PTR DS:[ECX]
$OPcode &= "8B491C" ;8B49 1C MOV ECX,DWORD PTR DS:[ECX+1C]
$OPcode &= "8B7128" ;8B71 28 MOV ESI,DWORD PTR DS:[ECX+28]
$OPcode &= "8B8E" & _Hex($OFFSET_ACTIONBASE) ;8B8E EC130000 MOV ECX,DWORD PTR DS:[ESI+13EC]
$OPcode &= "6A00" ;6A 00 PUSH 0
$OPcode &= "57" ;57 PUSH EDI
$OPcode &= "6A01" ;6A 01 PUSH 1
$OPcode &= "BA" & _Hex($ADDRESS_ACTION3) ;BA 00000000 MOV EDX, $ADDRESS_ACTION3
$OPcode &= "FFD2" ;FFD2 CALL EDX
$OPcode &= "61" ;61 POPAD
$OPcode &= "C3" ;C3 RETN
InjectCode($OPcode)
EndFunc
Func InjectCode($OPcode)
;Process handle from the NomadMemory handle array
$processHandle = $GAME_PROCESS[1]
;Allocate memory for the OpCode and retrieve the address of the allocation
$functionAddress = DllCall('kernel32.dll', 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', 100, 'int', 0x1000, 'int', 0x40)
;Put the OpCode bytes into a struct for later memory writing
$vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
For $loop = 1 To DllStructGetSize($vBuffer)
DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
Next
;Write the OpCode to the previously allocated memory
DllCall('kernel32.dll', 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)
;Create a remote thread in order to run the OpCode
$hRemoteThread = DllCall('kernel32.dll', 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress[0], 'ptr', 0, 'int', 0, 'int', 0)
;Wait for the remote thread to finish (258 = WAIT_TIMEOUT)
Do
$result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
Until $result[0] <> 258
;Close the handle to the previously created remote thread
DllCall('kernel32.dll', 'int', 'CloseHandle', 'int', $hRemoteThread[0])
;Free the previously allocated memory
DllCall('kernel32.dll', 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $functionAddress[0], 'int', 0, 'int', 0x8000)
Return True
EndFunc
07/01/2015, 04:20 - #131
elite*gold: 0, Join Date: Dec 2009, Posts: 70, Received Thanks: 15
I'm just going to bed, but did you try to just follow different persons and search via Cheat Engine for the changed value?
Like, follow one and search for unknown first. Then follow another and search for changed... for not changed... then change again and so on.
The Follow is a cool thing. Maybe I'll find it tomorrow if I have time.
But for now gn8
07/01/2015, 11:38 - #132
elite*gold: 0, Join Date: Oct 2008, Posts: 1,243, Received Thanks: 670
I did, but I'm not quite familiar with how that works.
After I searched using that method, it gave me an address, then I used 'find what writes to this address', I got ESI + 0F4, then I should start a new search using the ESI value with hex checked, right? The result would then be a multilevel pointer, but this is one address/pointer from denzjh's example -> $ADDRESS_FOLLOW = 0x6820C0; I have no idea how to relate to that.
07/01/2015, 14:40 - #133
elite*gold: 0, Join Date: Sep 2013, Posts: 146, Received Thanks: 84
I could imagine people find those addresses and opcodes via breakpoints with Olly.
But sadly nobody ever wanted to explain how that works.
I would be very interested in this as well, just to know how it works^^
Nothing new, but of course the follow you could also do by reading the position and simply moving there, and repeating this every second.
Edit: well, actually denzjh tried to give some hints on that in this post. But I can't really manage to do it correctly.
07/01/2015, 19:54 - #134
elite*gold: 0, Join Date: Dec 2009, Posts: 70, Received Thanks: 15
Didn't see yesterday that it's only one address without offsets. If you have the opcode, then you can usually search with Olly and the Sigs plugin for the address; I tried it myself for the send packet function.
denzjh is using this method in his address retriever. He searches for the opcodes via regex to retrieve the address.
Something else that comes to my mind is that you set a breakpoint in Olly at action1 and then trace to the follow. Like, when you take a look at the opcode, then you see how the call of the function is performed.
But yeah, opcode regex search would be the easiest.
I don't have the time right now to try this myself, because of finals and a side project, but maybe you can use Autopath like Stark said. The function works (also in dungeons). Just read and auto path every few seconds.
07/02/2015, 18:55 - #135
elite*gold: 0, Join Date: Jul 2011, Posts: 145, Received Thanks: 97
Here's how I would find the follow function offset. The current ACTION3 offset is 0x4a28e0, which seems to be called after most game actions.
I use Cheat Engine -> Browse memory region -> right click in the instruction list on top -> go to address -> 0x4a28e0.
This puts me at the beginning of the function and I toggle a breakpoint there.
Then back in game I follow someone to trip the breakpoint.
In the bottom window I right click and choose "Show full stack trace".
The address at the top of the list is the return address from ACTION3.
Double click that and you jump to the code that called Action3.
Scroll up a little bit from that call and you see a call to 0x4A5B50.
That is probably the follow command.
To save you the trouble of doing this again you can build a regex to find this automatically. Go to 0x4A5B50 and make a regex to auto find it by copying the first 40 or so bytes but inserting wild cards in any of the bytes that look like offsets.
You can also build a regex from the bytes around the call to the function by capturing the offset and adding 0x400000.