PWI Elysium Changes

[Kruger2001]

yes i only miss instance base, macro adress and gamerun, are not as important to me. btw the forcelog offset not up to date anymore, had no time to find it again, it takes always too much time.
how actually does the macro address, only read?

[jasty]

Macro address points to a struct that contains like 8 arrays of 18ish bytes each where each 2 bytes is a skill ID of skills in the corresponding in game macro. It's easy to tell whats going on by viewing the memory.

I use it to customize the behavior of the bot across different classes. Like I put the aoe skills I want the bot to use in macro 7 and buff skills in macro 6 and attack skills in macro 8. Stuff like that. It means I dont have to hard code the skill ids and its easy to change the behavior while the bot is running. I don't actually directly run the macros due to how easy macros break for no reason. I just cast the skills.

I'm not really sure if this address is of general importance but my stuff uses it.

Gamerun was used by some packet logger tool I found and I don't know what it does or if it does anything. I use my own now and it doesn't use it.

Instance Address I also stopped using... there are other ways to tell what instance you are in like examining nearby NPCs and quests that I found more reliable.

It might also be broken by now... I have to generate some of the RegExes I use by searching the code for the nearest referenced address and adding back an offset from there. If the struct that holds the address changes then this way can break.

I really should clean up the unused ****... did I mention how messy my code is? I really don't like AutoIt at all due to how ugly a language it is so I'm unmotivated to clean up.

[msxgames]

I have a question about the buttonID structure. At offset 0xAF4280 there is kind of check function for buttons. In the case it's for the Auctionhall window. It's using a reference to (ButtonID-0xC). Can someone explain this buttonstructure? I am especially interesed at the value on 0x03D417E0

I found that:
0x03D417D8 = 00 01 04 00 ????
0x03D417DC = 00 00 00 00 ????
0x03D417E0 = ???? what is this ????
0x03D417E4 = Size of ButtonID
0x03D417E8 = Max Size of ButtonID ????
0x03D417EC = ButtonID (=IDCANCEL)

Code:

CPU Dump
Address   Hex dump                                         ASCII
03D417CC  00 00 00 00|00 00 00 00|00 00 00 00|00 01 04 00| .............
.
03D417DC  00 00 00 00|01 00 00 00|08 00 00 00|3F 00 00 00| ....
......?...
03D417EC  49 44 43 41|4E 43 45 4C|00 00 00 00|00 00 00 00| IDCANCEL........
03D417FC  00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
03D4180C  00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
03D4181C  00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
03D4182C  00 00 00 00|00 01 04 00|00 00 00 00|01 00 00 00| .....
.....
...
03D4183C  0E 00 00 00|3F 00 00 00|61 75 63 74|69 6F 6E 62| ...?...auctionb
03D4184C  75 79 6C 69|73 74 00 00|00 00 00 00|00 00 00 00| uylist..........
03D4185C  00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
03D4186C  00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
03D4187C  00 00 00 00|00 00 00 00|00 00 00 00|00 01 04 00| .............
.
03D4188C  00 00 00 00|01 00 00 00|0B 00 00 00|3F 00 00 00| ....
......?...
03D4189C  61 75 63 74|69 6F 6E 6C|69 73 74 00|00 00 00 00| auctionlist.....

[haikiri]

Guys, make a video of how you guys are finding those offsets, I tried more than once go through the tutorials here but either I can't make sense of some parts or the screen shots got deleted etc.
I believe once we had a good way to learn how to do that, you guys could end up benefiting too by seeing the new offsets posted here by new people like me, making it easy for you too.
Like, right now I wish I could use the RefineCenter Start77 shared last year but I don't have nor can list the offsets for last expansion.

edit: I gave another try yesterday on those tutorials and what really surprised me is that newer CE has a self tutorial in which you actually have to do the steps in order to the "next" button appear, this way I finnally understood how to get some of the offsets. The easy ones with numbers are in the pocket now, maxhp, currenthp, maxmana, etc... anything that you can see the number and change it either removing a piece of gear or selecting a target.
The problem now is those other offsets that I have no clue how you find them, like itemid, playerid, playername, inventorylist, etc...
Maybe someone could explain in a different way this

[Stark77]

well finding those lists isnt as easy as finding values like hp. the basic idea i used is to always search for the length of a list and then use a loop to find the list offsets.

step 0:
so for the itemID u can teleport to an instance without any drops on the ground (e.g. HH). u drop 2 items... search for 2... u drop another search for 3 (next scan button) till u find this value (dont use only coins, use also items like potions or whatever). this value would be the ItemCounter:



step 1:
the next step would be to get the pointer and the offset to this ItemCounter (see picture below):
ItemCounter := ReadMemoryUint(ItemBase_Pointer + ItemCounterOffset, processID)



red = e.g. the EDI value in hex, green the ItemCounterOffset (ItemCounter = EDI + green)

step 2:
to get the other offsets search for the ItemBase_Pointer (make sure the use hexa) and u get:
ItemBase_Pointer := ReadMemoryUint(SortedList_Pointer + ItemListOffset, processID)



step 3:
search for the SortedList_Pointer and u get:
SortedList_Pointer := ReadMemoryUint(structurePointer + ListOffset, processID)



step 4:
search for the structurePointer and so on till u reach the base (or skip this if u know the offsets already)

step 5:
now u already know the ItemBase_Pointer ... for the next two offsets (green) i simply search with a double loop. ofc u can name those offsets and pointer however u want^^

ItemList_Pointer := ReadMemoryUint(ItemBase_Pointer + sortedItemListOffset, processID)
ItemBase := ReadMemoryUint(ReadMemoryUint(ItemList_Pointer + (A_Index-1)*0x4, processID) + 0x4, processID)

ItemID := ReadMemoryUint(ItemBase + ItemIDOffset, processID)

script could look like this - drop an item with known itemID (search in database) and use the loop to find the offsets - 3044 is a coin:

 Spoiler

Code:

   BaseAddress := ReadMemoryUint(realBaseAddress, processID) ; 0xE5B2A4 version 938
   structurePointer := ReadMemoryUint(BaseAddress + baseOffset, processID) ; + 0x1C
   SortedList_Pointer := ReadMemoryUint(structurePointer + ListOffset, processID) ; + 0x1C
   ItemBase_Pointer := ReadMemoryUint(SortedList_Pointer + ItemListOffset, processID) ; + 0x24
   ItemCounter := ReadMemoryUint(ItemBase_Pointer + ItemCounterOffset, processID) ; + 0x14
   
   ;~ search unknown offsets: sortedItemListOffset for the ItemList_Pointer (to get the ItemBase) and ItemIDOffset for the itemID
   
   SetFormat, IntegerFast, hex
   sortedItemListOffset := 0
   
   Loop, 300
   {
      ItemIDOffset := 0
      sortedItemListOffset := sortedItemListOffset + 0x2
      ItemList_Pointer := ReadMemoryUint(ItemBase_Pointer + sortedItemListOffset, processID)
      
      ;~ loop to 1000 till ItemBase > 0 because it doesnt start at A_index = 1
      Loop, 1000
      {
         ItemBase := ReadMemoryUint(ReadMemoryUint(ItemList_Pointer + (A_index-1)*0x4, processID) + 0x4, processID)
         if !(ItemBase = 0)
            break
      }
      
      Loop, 500
      {
         ItemIDOffset := ItemIDOffset + 0x2
         ItemID := ReadMemoryUint(ItemBase + ItemIDOffset, processID)
         if (ItemID = 3044)
            MsgBox % "sortedItemListOffset: " . sortedItemListOffset . " , ItemIDOffset: " . ItemIDOffset
      }
   }
   MsgBox , end of script
   return

u would get for v.938:
sortedItemListOffset = 0x1C
ItemIDOffset = 0x114

not sure if this helps... but u can find prety much every list this way... and to save time for upcoming updates try to make a script to search them for u via RegExp -> i myself never understood how Jasty made this awesome offset retriever but there is a way to get thos opcodes (if anyone knows how to get e.g. the opcode A1(.{8})5332DB8B48.{2} to search for the base, i would love to learn about it :P)

also once u have the ItemBase its nice to use ReClass and search for this address... near it u can find other offsets like the UID or Name and stuff like this very easy

[haikiri]

First I read it all even tho I couldn't register in my mind words that I'm not used to yet, so far I noticed many things I've seen around and makes me feel like given some effort I can digest this one.
Yesterday I decided to check the easy offsets and compare with the list you posted and easy ones were matching results so I got the idea of comparing with the old offsets.ini from the refinecenter and I realized the last list you posted were all declared global.
So obviously the list was probably all updated and I just had to remove the global and save as offsets.ini and voilá, its alive! refined 2 pieces of gear.
But that ain't the main objective here, now that I feel like I'm closer than ever in learning all about offsets I gotta chew on this tutorial.
and again, thank you so much Stark77

[jasty]

Is there a way to find offsets for objects allocated on the heap? I'm trying to get access to the terrain data in the homestead so that I can back up and restore the heightmap but I think the data might be on the heap. I can tell that the data is broken up into 16 squares of 64x64 floating points each with a bit of extra data per row. There are also a lot of copies of this data which I assume are undo states.

It would be nice to be able to use normal heightmap editors like this one: since I can't stand the ingame tools.

[haikiri]

YES! I understood something! \o/
I see now when you guys say things like
"ItemList_Pointer := ReadMemoryUint(ItemBase_Pointer + sortedItemListOffset, processID)"
that means in other words, the "ItemList_Pointer" equals "A" memory in which the content is filled obeying the rule (ItemBase_Pointer "plus" SortedItemOffset) So! if you look into that "A" memory, you will see that whatever is adding to "ItemBase_Pointer" must be the "SortedItemOffset".
I zipped it as, drop/pick items reveals "Item_Counter"
Look into "Item_Counter" and you find "ItemBase_Pointer" and "ItemCounterOffset" of it.
Look into "ItemBase_Pointer" and you get "SortedList_Pointer" and "ItemBaseOffset" of it
Look into "SortedList_Pointer" and you get "Structure_Pointer" and "SortedListOffset"
Look into "Structure_Pointer" and you get "x" and "x"
If you keep doing every step you end in "the base".
oright
by now you can see that I don't quite know what all means, specially because the only thing I could know for sure was the item_counter because I could see the counting happening. Anyway, its a chewing for anther day.
Since I'm still not used to program language, whenever I see something different like "ItemBase := ReadMemoryUint(ReadMemoryUint(ItemList_Pointer + (A_Index-1)*0x4, processID) + 0x4, processID)"
I wonder, how did you end-up knowing that itembase is a result of more rules than the other ones we been seeing right now...Anyway, my concentration spam ended and I gotta continue later...
For now I can't go after regex because that would also required learning more about language and hours of head steaming.
My preliminary conclusion is that I can at least continue that sequence of pointers and write it down to know the entire list of pointers according to the current set of names used here, this way even tho I can't see me making a script to search them, at least if I need to update by my self I have the map for those specific offsets.
Maybe later I find the road to the writing of a script.

[msxgames]

By the way it's easy to calculate the offset of a Player or NPC in those sortedLists. Here are 3 of those lists:

PlayerSortedList
[[[[[BaseAddress]+0x1C]+0x1C]+0x1C]+0x20]

NPCSortedList
[[[[[BaseAddress]+0x1C]+0x1C]+0x20]+0x20]

ItemSortedList
[[[[[BaseAddress]+0x1C]+0x1C]+0x24]+0x1C]

Let's take the PlayerList as an example. So 0x20 contains the offset of the sorted playerlist, 0x1C contains the size of sorted list 0x301 equals 769 DWORDS.

The formula for calculating the offset of a specific player is to divide the playerID by the size of the sortedPlayerList and multiply the remainder by the size of a DWORD:
(PlayerID mod 769) * 4

For example a player with a PlayerID of 23759600, when selected ingame the PlayerID is the TargetID:



23759600 mod 769 = 576. So the offset within the list is 576 DWORDS = 2304 decimal = 0x900 hex.

When looking at position 0x900 in the PlayerSortedList you will find that player. The PlayerID is at offset 0x8.

[DurianMontong]

hi, i realy newbie but i real want to learn, i have some basic auto it but not to good, i read and read again but you guys just talk about something, but i just want to know and if you please can tell me, is the offset in front page is just to modified into propethbot or you gust write code difrent from propeth bot thank before

[msxgames]

I learned from . Just read and try to understand.

[DurianMontong]

Quote:

Originally Posted by msxgames

I learned from . Just read and try to understand.

yes, but i am late the sample picture is already dead link

[sasukezero]

Has anyone gotten the Moveto function to work?
My client crashes the whole time. Autopath works tho.

Quote:

Originally Posted by Stark77

i am facing another problem aswell:
after starting the game i cannot press ESC to close the server list.
i need to activate the list with a mouse click first... so the offset chain to choose the server is also not helping cos this is sadly not activating it.

i hate updates

I fixed the problem via a simulated click to the wanted hwnd.
Like this:

 Spoiler

$pid = ProcessExists("elementclient.exe")


$RightHWND = _GetHwndFromPID($pid)


$SIZE = WinGetPos($RightHWND, "")

Local $y = (@DesktopHeight / 2) - ($SIZE[0] / 2)
Local $x = (@DesktopWidth / 2) - ($SIZE[1] / 2)
ControlClick($RightHWND,"","","",1,$x,$y)

Here the "_GetHwndFromPID" function:

 Spoiler

Func _GetHwndFromPID($iPID)
$hWnd = 0
$pwiname = "Perfect World International: Elysium"
Do
$winlist2 = WinList($pwiname)

For $i = 1 To $winlist2[0][0]
If $winlist2[$i][0] <> "" Then
If WinGetProcess($winlist2[$i][0]) = $iPID Then

$hWnd = $winlist2[$i][1]
ExitLoop



EndIf
EndIf
Next
Sleep(100)
Until $hWnd <> 0
Return $hWnd
EndFunc ;==>_GetHwndFromPID

[Stark77]

totally forgot to check this controlclick lol - thanks for this hint

[jasty]

Quote:

Originally Posted by sasukezero

Has anyone gotten the Moveto function to work?
My client crashes the whole time. Autopath works tho.

You need to replace a "28" in there with _Hex($Player_Offset, 2), the 28 was hard coded when it should not have been.