guide: debug pwi, find function addresses and offsets, write a bot(c++ code included)
Discussion on guide: debug pwi, find function addresses and offsets, write a bot(c++ code included) within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.
@AlexGD:
Ya, I know that this function doesn't work on regular button clicks. If you want to trace what you wanna do, you could check sub_7387f0. This is (part of) the "dialog proc". It handles "messages" when something happens in a dialog (e.g. move the mouse, click something, etc.). Everything you need will probably be found inside this func.
@FunkU:
It's hard to tell how to call a func if I don't know what PW you're using and how to resolve your objects. But the way you call the "back to town" func is pretty strange. The object must be stored inside ecx. If the address of the pointer to the object that your func is using was really 0x98addc and the address of the function really was 0x5da8f0, then you would do something like this:
@Toxic
Yeap, I found this proc, but I must make one more step and try to learn asm. For now the principles of injecting (calling) these funcs elude my understanding...
The question is, does your "teleport to town" function work or not? If it does work, then either your client is compiled with a compiler that uses strange calling conventions that I don't know of, or this function uses some strange custom calling convention.
@Alexhomp:
What exactly is the problem you have? If I understood right, all you need to know is how to find the object (ecx) this function is using? If so, is your problem that you don't have any code xrefs, but only a data xref for this function? That's because this function is a virtual function, so the address of this function is retrieved by looking it up inside the vtable for the corresponding object (the data xref is the address (inside the vtable) of the pointer to this function).
If you don't know about virtual functions, here is a quick tut:
The vtable itself is a sequential array of pointers to virtual functions. The address of the vtable for each object is stored in the first 4 bytes of the object itself.
Let's say ecx was a pointer to the object and the function was the 5th function in the vtable; then the function call in your disassembly would probably look somewhat like this:
mov edx, [ecx]             ; edx = pointer to vtable
call dword ptr [edx+0x10]  ; call the 5th virtual function ((5-1)*4 = 0x10)
If you want to trace the object (ecx), you will have to trace it via debugging or mem search for pointers. So the "real" way would be to set a bp on this function, trace over it to the caller and find out how to get ecx. But since this function seems to be some kind of GUI function, it is very likely that the object will be found inside p_base0->p_base1->p_guibase0->p_guibase1. So you could also try this: bp on this function, write down ecx. Enter the ecx value into the CE search field. The address range should start at p_guibase1. Search it. If you find it, just subtract p_guibase1 from the found address and you have the offset into p_guibase1.
Please try this out yourself first. If it doesn't help, I need to know what exactly this function does and when it is being called. What exactly do I have to do ingame so that this function is being called? It has something to do with the auction house? If so, where can I find the auction house? Seriously, I never used the auction house ;x
btw:
Is wallhacking on the current PWI version supposed to still (fully) work without any pushbacks? I managed to create a wallhack that works on some objects (without any pushbacks), but on big stuff it doesn't work (I always get pushbacks). I'm asking because I need to know if it would be worth the effort to look deeper and try to make it work for all objects, if possible at all.
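To make the quick tut above concrete, here is an added example (not code from this thread or from the game) that builds a small class with five virtual functions, reads the vtable pointer out of the first pointer-sized bytes of the object, and calls the 5th slot by hand, the same "mov edx,[ecx] / call [edx+0x10]" sequence, just written in C++ so the offset arithmetic can be checked. The Widget class is constructed for the demo; calling a slot through a plain function pointer with the object as first argument is an ABI assumption that holds for GCC/Clang on x86/x86-64 (a 32-bit MSVC client passes `this` in ecx, as the post says, so there the pointer type would need __thiscall).

```cpp
#include <cstddef>
#include <cstring>

// Constructed class for the demo: five virtual functions, so Fifth() is the
// "5th function" in the vtable (slot index 4). The virtual destructor is
// declared last so it does not shift the slot numbering.
struct Widget {
    virtual int First()  { return 1; }
    virtual int Second() { return 2; }
    virtual int Third()  { return 3; }
    virtual int Fourth() { return 4; }
    virtual int Fifth()  { return 5; }
    virtual ~Widget() {}
};

// Raw shape of a virtual method that takes only the hidden `this` argument.
// Calling a slot through this type is an ABI assumption (GCC/Clang x86/x86-64).
using ThisCallFn = int (*)(Widget*);

// The vtable pointer is the first pointer-sized field of the object
// (4 bytes in the 32-bit client from the thread, sizeof(void*) here).
static void** VtableOf(Widget* obj) {
    void** vtable;
    std::memcpy(&vtable, obj, sizeof(vtable));
    return vtable;
}

// Byte offset of 1-based slot n: (n-1)*sizeof(void*), i.e. 0x10 for the 5th
// slot on 32-bit (the post's [edx+0x10]) and 0x20 on 64-bit.
static std::size_t SlotOffset(unsigned n) { return (n - 1) * sizeof(void*); }

// Equivalent of "mov edx,[ecx] / call [edx+offset]": load the vtable, fetch
// the slot, and call it with the object pointer as `this`.
static int CallVirtualSlot(Widget* obj, unsigned n) {
    void** vtable = VtableOf(obj);
    ThisCallFn fn = reinterpret_cast<ThisCallFn>(vtable[n - 1]);
    return fn(obj);
}

// Cross-check: manual dispatch must agree with the compiler's own calls.
static bool ManualDispatchMatchesCompiler() {
    Widget w;
    const int direct[5] = {w.First(), w.Second(), w.Third(), w.Fourth(), w.Fifth()};
    for (unsigned n = 1; n <= 5; ++n)
        if (CallVirtualSlot(&w, n) != direct[n - 1]) return false;
    return true;
}
```

Running it on a 32-bit build gives SlotOffset(5) == 0x10, which is the constant the disassembly shows; on 64-bit the same slot sits at 0x20.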
Both your and my "teleport to town" functions work fine in my client. I made my teleport function from the full target function, maybe that's why it looks strange? But it works. ) So I don't think the Russian client is strangely compiled... Can you share a "pet attack" function that works on PWI? )
I never called the pet attack func directly, I just sent the "attack" command to the petbar GUI object via "GuiCommand" as described at the end of my first post. This would be something like this on the current PWI version:
char *p = "attack"; // needs to be in the target process; if you use code injection, you need to find this string inside the target process, which isn't very hard
I don't understand this. What is the "target process"? And how must "p" look? It can't be just the word "attack"? Or is it some kind of pointer to something?
Btw, I've found my GuiCommand function; its address is 0057fa20. My PetBar offset is BA + $4 + $8 + $298 and the base address is 0098b47c.
Here's what OllyDbg showed when I breakpointed this function:
Do you understand that 129C70DC and 139EC3C4 are different each time, because these values are memory addresses? And each time it is different. So you need to write not exactly these values, but pointer values.
This is exactly what toxic is trying to say:
this pointer
Quote:
needs to be in target process, if you use code injection, you need to find this string inside the target process, which isnt very hard
So I've found this: 0093e6c0. Though it doesn't look like 129C70DC or 139EC3C4 and it's static. But it works! Is this what toxic6666 had in mind? Anyway, thank you both, Alex and Toxic. )
Although you already managed to do it yourself, just to clarify this real quick:
The first param to GuiCommand is a pointer to a command string. This pointer must point to a string inside the elementclient process. So if you're using your code from within an injected DLL (which will be inside the elementclient process), you could just declare the string yourself like char *p = "attack" and pass a pointer to it. But if you're using code injection, this wouldn't work, because you would be passing a pointer to a string which is inside your program's process space. This pointer would point to some random stuff inside the elementclient process and - might - crash it. So when using code injection, you would either have to find a static address for the "attack" string inside the elementclient process (which you did) or manually write the string into the elementclient process via WriteProcessMemory and pass a pointer to this string. But the second method would make this unnecessarily more complicated for an actually pretty simple task. You can find a static address for the "attack" string (and all other similar strings related to GuiCommand) via your disassembler. Just open the string ref window and look for the string and you will find a static address in the data section of elementclient.exe.
Oh, and btw, maybe you will try to summon pets via GuiCommand in the near future. The command string would be "summonx" where x is the pet index + 1 of the pet to summon. So, if you want to summon the pet with pet index 0 (your first pet), the command would be "summon1". In this case, you will not be able to find a static address for the string inside elementclient. PW creates the string somewhat like this:
and then passes sz_cmd to GuiCommand. So if you wanted to use GuiCommand for this via code injection, you would have to create the string yourself like above inside your own program's process space and then write it to the elementclient's process space, either via VirtualAllocEx + WriteProcessMemory and pass a pointer to this string (this would require runtime patching your injected code to pass the correct pointer), or you could find a static cave and write it into the cave via WriteProcessMemory; in this case the pointer could be static, which again wouldn't require runtime patching your injected code. Or you could as well define this string inside the code that you're injecting, but this would also require either your injected code to be shellcode (position independent code) or runtime patching your injected code.
Now I need direct injection code for selling items to an NPC and activating the trade window (selecting the option in the dialogue window)... Can you give me some advice on that? I'll try to search for it myself soon, using the knowledge I got in this thread.