PWI Elysium Changes

[louco89]

DurianMontong, I think that is only way to do so, is using game movements, and not the auto follow, because auto follow is only make the others follow the leader and not make a formation, what you can do is read leader position and use movement function to make the other to "run along". Now I curios why you want to do this?

[jasty]

autoit is really bad for squad level control due to a lack of multi threading. I have to cycle through each client process and issue commands individually (usually have to move on to next client before the command has finished executing). If its something complicated I have to write totally separate bot for each character.

[DurianMontong]

Quote:

Originally Posted by louco89

DurianMontong, I think that is only way to do so, is using game movements, and not the auto follow, because auto follow is only make the others follow the leader and not make a formation, what you can do is read leader position and use movement function to make the other to "run along". Now I curios why you want to do this?

its for fun formation , did you know Smurfin already use that formation
i hope he read this post n share the autoit code

i not luck use movexyz it always force close in windows 10, but auto path work

hi need help Func that check $GAME_TITLE = "2" / $GAME_TITLE = "3" if nof not avaliable skip the Roll2() n Roll3() in Roll3X() because autoit force close if $GAME_TITLE = "2" / $GAME_TITLE = "3" not login

Func Roll3X()
Roll1()
Roll2()
Roll3()
EndFunc

Func Roll1()
$GAME_TITLE = "1"
$pid = WinGetProcess($GAME_TITLE)
Rool($pid)
EndFunc

Func Roll2()
$GAME_TITLE = "2"
$pid = WinGetProcess($GAME_TITLE)
Roll($pid)
EndFunc

Func Roll3()
$GAME_TITLE = "3"
$pid = WinGetProcess($GAME_TITLE)
Roll($pid)
EndFunc

Func Roll($pid)
local $packet, $packetSize
$packet = '9C00'
$packetSize = 2
sendPacket($packet, $packetSize, $pid)
EndFunc

[louco89]

DurianMontong, I don't use autoit(i use delphi ), but I think is like others languages and I search a little and found this:

PHP Code:

If WinExists($hWnd) Then.... 
or
; Test if the window was found and display the results.
If IsHWnd($hWnd) Then... 


Hope someone can help if this is not the correct way

And game do not support movexyz with write memory only, because the game change that a time ago, now just autopatch.

[sasukezero]

I use infiniteCore to solve the issue of multi threading. It works perfectly fine and i don't have any issues with it. Just has its own rules and you gotta have to look into it. Keep in mind to not use any global variables if you use it. I read all offsets etc in over a File or send values to the processes.

Here is a link:

[sasukezero]

So that i don't have to change 2 posts

Quote:

Originally Posted by sasukezero

Here are the changed offsets for the last patch(v955) which i've found yet:

 Spoiler

ADDRESS_BASE=0xE77C24
ADDRESS_SENDPACKET=0x832170
ADDRESS_AUTOPATH=0x459520
ADDRESS_ACTION1=0x004C9290
ADDRESS_ACTION2=0x004CF790
ADDRESS_ACTION3=0x004C9880
ADDRESS_GATHER=0x4BE8D0
ADDRESS_CASTSKILL=0x4B6950
PARTYINV_ADDRESS=0xE84760
ADDRESS_INSTANCE_BASE=0xE783CC
OFFSET_ACTIONBASE=0x1514
PlayerParty_Offset=0x7D0
PlayerNameOffset=0x700
NpcNameOffset=0x260
PlayerNpcWindow=0xEB6
$QuestList_Offset = 0x151C

For those who used krueger's Charchoose offset chain, to check for $var > 10 so that you know
when the char is logged into the game doesn't work anymore. Now in 955 it will simply switch to 0, which is no change to when first char is selected others you'll see.

Quote:

Originally Posted by Kruger2001

Charchoose = E5B2E4 + 0x1c|0x18|0x8|0xc4|0x124|0x34|0xA44 ;@LoginScreen = 4294967295

As i leave my char most of the time in a city etc. i scan simply for npc's around me. If Ubound($npcarray) <> 0 then....that way you know. That's how i do it tho

Edit1: If you use as last offset 0xA54 then you can check for 4294967295 as a login trigger. It will have this variable whenever you're ingame. You'll get the number of chars you have while in char select

[sasukezero]

I have checked out the package listener which jasty has shared here:

Quote:

Originally Posted by jasty

For packet stuff I use this decent packet listener tool. It's in Russian but it's not hard to figure out what does what. You can also edit packets and resend them to test things quickly.

However, I would be more interested in incoming packages and read them myself. Like work with the stream of information that pwi is providing. Has anyone yet taken a look at that?

[Sᴡoosh]

Quote:

Originally Posted by sasukezero

I have checked out the package listener which jasty has shared here:



However, I would be more interested in incoming packages and read them myself. Like work with the stream of information that pwi is providing. Has anyone yet taken a look at that?

I have, a long time ago :



Patched executable in memory, detoured call, read packet, jumped back. The address finding probably doesn't work anymore, but this was the function :

Quote:

00779F70 . 8B5424 04 MOV EDX, DWORD PTR SS:[ESP+4] ; mswsock.703E17CD
00779F74 . 56 PUSH ESI
00779F75 . 8BF1 MOV ESI, ECX
00779F77 . 52 PUSH EDX
00779F78 . 8B46 08 MOV EAX, DWORD PTR DS:[ESI+8]
00779F7B . 8D4E 08 LEA ECX, DWORD PTR DS:[ESI+8]
00779F7E . FF50 0C CALL DWORD PTR DS:[EAX+C]
00779F81 . 50 PUSH EAX ; /Arg1 = 00000000
00779F82 . 8D8E 14010000 LEA ECX, DWORD PTR DS:[ESI+114] ; |
00779F88 . E8 13000000 CALL ELEMENTC.00779FA0 ; \ELEMENTC.00779FA0
00779F8D . 5E POP ESI ; ntdll_18.7764F8D1
00779F8E . C2 0400 RETN 4

This hook captured every packet recieved that is encrypted - so it does not include initial handshake before RC4 key negotiation, since the function I hooked is part of the decryption process.

Some screenshots of what's possible :

[sasukezero]

That looks really good! Thank you for sharing!

I was worried about the encrypted packages as you cannot just sniff them. I'm not familiar with delphi. However, I stumbled upon the missing xorMembridge.pas.
Seems to be a library or a source that I cannot find. Have you created it yourself?

I found the function itself, which is at 0x821EB0 now. So, I guess it should still be working as it's still the same:

Quote:

.text:00821EB0 mov edx, [esp+arg_0]
.text:00821EB4 push esi
.text:00821EB5 mov esi, ecx
.text:00821EB7 push edx
.text:00821EB8 mov eax, [esi+8]
.text:00821EBB lea ecx, [esi+8]
.text:00821EBE call dword ptr [eax+0Ch]
.text:00821EC1 push eax
.text:00821EC2 lea ecx, [esi+114h]
.text:00821EC8 call sub_821EE0
.text:00821ECD pop esi
.text:00821ECE retn 4

[Sᴡoosh]

Yeah, I wrote that. Not needed for basic idea.

Just rip out what you need and compile yourself, if you found the address it should work same way. What I did was create a shared memoory section, and have bot read that. Shared memory was implemented in a ringbuffer fashion.

[sasukezero]

Ahhh ok, that's what it was for. Could have known that by the name Membridge, but was confused by the xor as that is also used for decryption/encryption.

I'll dig into it and see what I can make out of it. Like you wrote before, it gives you all the advantages of a clientless bot. Overall really interesting.

Thank you very much again for sharing! Now I have some work in front of me

[DurianMontong]

need help why some time i got reverse hex

_RevHex not working is same as _Hex the value

$packet &= _Hex($factionid)

DD CC BB AA

after revhex still

$packet &= _RevHex($factionid)

DD CC BB AA

[jasty]

Quote:

Originally Posted by DurianMontong

need help why some time i got reverse hex

_RevHex not working is same as _Hex the value

$packet &= _Hex($factionid)

DD CC BB AA

after revhex still

$packet &= _RevHex($factionid)

DD CC BB AA

Hex() is forward (default function) and _Hex() is reverse byte order.

[DurianMontong]

hi can someone give me sample func for read position realtime in GUI, like when i move

i use this but it not real time i must change one to another position x y z

Func PlayerPos1()

$GAME_TITLE = "1"
$GAME_PID = WinGetProcess($GAME_TITLE)
$GAME_PROCESS = _MemoryOpen($GAME_PID)
$Player = _MemoryRead(_MemoryRead(_MemoryRead($ADDRESS_BASE, $GAME_PROCESS) + 0x1C, $GAME_PROCESS) + $Player_Offset, $GAME_PROCESS)
Dim $pos[3]
$pos[0] = _MemoryRead($Player + 0x3C, $GAME_PROCESS, 'float')
$pos[1] = _MemoryRead($Player + 0x44, $GAME_PROCESS, 'float')
$pos[2] = _MemoryRead($Player + 0x40, $GAME_PROCESS, 'float')

_MemoryClose($GAME_PID)

MsgBox("", "", $pos[0])

EndFunc

[denzjh]

Quote:

Originally Posted by DurianMontong

hi can someone give me sample func for read position realtime in GUI, like when i move

i use this but it not real time i must change one to another position x y z

Func PlayerPos1()

$GAME_TITLE = "1"
$GAME_PID = WinGetProcess($GAME_TITLE)
$GAME_PROCESS = _MemoryOpen($GAME_PID)
$Player = _MemoryRead(_MemoryRead(_MemoryRead($ADDRESS_BASE, $GAME_PROCESS) + 0x1C, $GAME_PROCESS) + $Player_Offset, $GAME_PROCESS)
Dim $pos[3]
$pos[0] = _MemoryRead($Player + 0x3C, $GAME_PROCESS, 'float')
$pos[1] = _MemoryRead($Player + 0x44, $GAME_PROCESS, 'float')
$pos[2] = _MemoryRead($Player + 0x40, $GAME_PROCESS, 'float')

_MemoryClose($GAME_PID)

MsgBox("", "", $pos[0])

EndFunc

Try the code below or see the Test2.au3 inside the attached file. NomadMemory.au3 is included in the zip file. If you want the function to be called outside the main loop, you can also use AdlibRegister.
I hope this is what you are looking for.

 Spoiler

Code:

#include <NomadMemory.au3>
#include <GuiConstantsEx.au3>

Opt("GUICloseOnESC", 0)
Opt("GUIOnEventMode", 1)

$CLIENT = "Perfect World International: Elysium"
$ADDRESS_BASE = 0x00E78F64
$OFFSET_BASE = 0x1C
$OFFSET_CHAR_BASE = 0x34
$OFFSET_X = 0x3C
$OFFSET_Y = 0x44
$OFFSET_Z = 0x40

$GUI = GUICreate("Test", 250, 200, 0, 0)
GUICtrlCreateLabel("Float:", 15, 15)
$FLOAT_LABEL = GUICtrlCreateLabel("0.0/0.0/0.0", 70, 15, 100, 20)
GUICtrlCreateLabel("In-Game:", 15, 45)
$INGAME_LABEL = GUICtrlCreateLabel("0.0/0.0/0.0", 70, 45, 100, 20)
GUISetOnEvent($GUI_EVENT_CLOSE, "_Exit")
GUISetState()

While 1
	Update_Coords()
	Sleep(250)
WEnd

Func _Exit()
	Exit
EndFunc

Func Update_Coords()
	$GAME_PID = WinGetProcess($CLIENT)
	If $GAME_PID <> -1 Then
		$GAME_PROCESS = _MemoryOpen($GAME_PID)
		$POINTER_BASE = _MemoryRead(_MemoryRead($ADDRESS_BASE, $GAME_PROCESS) + $OFFSET_BASE, $GAME_PROCESS)
		$POINTER_CHAR = _MemoryRead($POINTER_BASE + $OFFSET_CHAR_BASE, $GAME_PROCESS)
		$CHAR_FLOAT_X = _MemoryRead($POINTER_CHAR + $OFFSET_X, $GAME_PROCESS, 'float')
		$CHAR_FLOAT_Y = _MemoryRead($POINTER_CHAR + $OFFSET_Y, $GAME_PROCESS, 'float')
		$CHAR_FLOAT_Z = _MemoryRead($POINTER_CHAR + $OFFSET_Z, $GAME_PROCESS, 'float')
		_MemoryClose($GAME_PROCESS)
		$CHAR_INGAME_X = $CHAR_FLOAT_X / 10 + 400
		$CHAR_INGAME_Y = $CHAR_FLOAT_Y / 10 + 550
		$CHAR_INGAME_Z = $CHAR_FLOAT_Z / 10
		GUICtrlSetData($FLOAT_LABEL, Round($CHAR_FLOAT_X, 1) & "/" & Round($CHAR_FLOAT_Y, 1) & "/" &  Round($CHAR_FLOAT_Z, 1))
		GUICtrlSetData($INGAME_LABEL, Round($CHAR_INGAME_X, 1) & "/" & Round($CHAR_INGAME_Y, 1) & "/" &  Round($CHAR_INGAME_Z, 1))
	EndIf
EndFunc