guide: debug pwi, find function addresses and offsets, write a bot(c++ code included)

Discussion on guide: debug pwi, find function addresses and offsets, write a bot(c++ code included) within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.

 
Old 01/17/2012, 06:24   #106
 
elite*gold: 0
Join Date: Jan 2012
Posts: 3
Received Thanks: 0
Hello, I have a question about customizing Prophet bot offsets for our server. Can I get all the offsets just by using CE, or do I need to use other programs as well? I'm a noob in programming but am willing to learn.

Below are the offsets of Prophet bot for PWI, but I'd like to change the offsets for our server.

[Perfect_World_Base_Address_In_Decimal]
Application_Title=Perfect World International
Base_Address=11498596
Base_AddressFZ=11499732
Base_AddressEXP=11501520

[Custom_32_Offsets_In_Decimal]
Casting_Offset=1780
Name_offset=1592
LVL_Offset=1160
Class_offset=1600
HP_OffSet=1168
MaxHP_OffSet=1232
EXP_OffSet=1176
MP_OffSet=1172
CHARID_Offset=1132
MaxMP_OffSet=1236
STR_offset=1224
DEX_offset=1228
VIT_offset=1216
MAG_offset=1220
Spirit_offset=1180
Gold_offset=1364
FlySpeed_Offset=1260
FlyCounter_Offset=2344
MoveMode_OffSet=1612
CHI_Offset=1188
MAXCHI_Offset=1360
Jump_Offset=3164
CastID_Offset=1780
CharState_Offset=1688
Reputation_Offset=1480
Culti_Offset=1164
X_Offset=60
Y_Offset=68
Z_Offset=64

Target_OffSet=2912
PetBase_Offset=4192
PetHP_OffSet=56
PetHunger_OffSet=8

ActionFlag_Offset=24
ActionRead_Offset=4
ActionRead2_Offset=8
ActionRead3_Offset=28
ActionWrite_Offset=12
ActionWrite2_Offset=20
ActionSkill_Offset=80
ActionMoveX_Offset=32
ActionMoveY_Offset=40
ActionMoveZ_Offset=36
ActionHeight_OffSet=104
ActionHeightFlag_OffSet=100
ActionHeightFlag2_OffSet=108
ActionDoneFlag_Offset=8
ActionValue_Offset=44
ActionValue2_Offset=64
ActionSetError_Offset=76
ActionFinished_Offset=8
ActionStart_Offset=20
ActionNotStart_Offset=36
ActionObject_Offset=32
ObjectAction_Offset=56

PlayerBase_Offset=136
PlayerCount_Offset=20
PlayerID_Offset=1120
PlayerLVL_Offset=1132
PlayerName_Offset=1560
PlayerHP_Offset=1140
PlayerMAXHP_Offset=1204
PlayerClass_Offset=1568

NPCBase_Offset=80
NPCPAI_Offset=732
NPCCount_Offset=20
NPCID_Offset=284
NPCName_Offset=596
NPCLVL_Offset=292
NPCHP_Offset=300
NPCMAXHP_Offset=364
NPCSpecial_Offset=584

ItemBase_Offset=24
ItemID_Offset=268
ItemSN_Offset=272
ItemName_Offset=356

InventoryBase_Offset=12
InventoryID_Offset=8
InventoryStackAmount_Offset=16
InventoryMAXStackAmount_Offset=20
InventorySellPrice_Offset=24
InventoryBuyPrice_Offset=28
InventoryDescription_Offset=64
monotone23 is offline  
Old 01/18/2012, 03:58   #107
 
elite*gold: 10
Join Date: Sep 2010
Posts: 400
Received Thanks: 234
I'm afraid that if you want to get those offsets, it's not really straightforward to find them all. If you're really willing to learn though, there is ample information on these forums to find pretty much all of them. The first step of learning is learning how to search for stuff.
I don't mean to sound like a ****, but it's kinda gone quiet around here since the majority of new posts are like




Please and thank you go a long way too.
dumbfck is offline  
Old 01/21/2012, 05:07   #108
 
elite*gold: 0
Join Date: Jan 2012
Posts: 3
Received Thanks: 0
No worries and thank you for the reply. I did find the base address of our server and got the other addresses as well. The bot is now working.
monotone23 is offline  
Old 04/13/2012, 22:54   #109
 
elite*gold: 0
Join Date: Jan 2009
Posts: 23
Received Thanks: 3
Hi all! I hope there are still some people around. This great thread has helped me to find some functions. I have a little problem with the DoAction function. It no longer takes a pointer to the local character, as far as I can figure out, but another pointer which I can't figure out what it is for. But it points somewhere (in the case of meditation) to some struct that at offset 8 contains a pointer to some other place, which at +0x34 contains a pointer to the local character.

The DoAction param struct from the first page:

typedef struct __tagDOACTIONPARAM // param passed to DoAction
{
    DWORD uk0;      // 0x00
    DWORD uk1;      // 0x04
    DWORD uk2;      // 0x08
    void *p_data;   // 0x0c might be a pointer to some data
    DWORD dwAction; // 0x10 check DA_ constants
} DOACTIONPARAM, *LPDOACTIONPARAM;

The first word must be set, and in the case of meditation it's 0x171. This first word is used to calculate where to jump through a jumptable.
The *p_data must point to something also (at least regarding meditation), but I do think I can just let it point to my own character's ID. Later on, if I want to use actions that involve another player, like trade, I must look more into how this pointer and ID are used.
The action dword should still be 0x6f.

My main concern is this pointer that is passed through ecx. Since this thread is quite old, the version of the game back then used a pointer to the local character, but now it's another pointer that is used to find the local player address, as far as I can see.

The address for DoAction is now at 62A7C0 in PWI.

I'm hoping someone can please enlighten me.

/Sturolv
Sturolv is offline  
Old 04/14/2012, 12:06   #110
 
 
elite*gold: 20
Join Date: May 2009
Posts: 1,290
Received Thanks: 326
Quote:
Originally Posted by Sturolv (post #109 above)
I have personally never used this function. Are you talking about the one which uses that huge switch statement in the client with meditate/jump/roll calls? Or are you talking about injecting the action struct? Or the one which allows pressing of buttons in dialogs?

If it's the second, then you actually don't need to make life so hard; you can write directly into it and change parameters and flags to your liking.

Code directly from my bot :

Code:
type
  TStates = record
    Resting : Boolean;
    Gathering : Boolean;
    RunToMatState : Boolean;
    RunState : Boolean;
    PickUp : Boolean;
    SkillCast : Boolean;
    FlyState : Cardinal;
  end;

// Reads the character's current action state out of the client process.
// Every ReadProcessMemory call is one hop of a pointer chain; the results
// are not checked, so this must only be called while a character is loaded
// (otherwise a NULL hop turns into a read from 0 + offset).
Function THostChar.States : TStates;
var
  eax, written, Base, StateBase : Cardinal;
  CurrentState, RestState, PickUpState, SkillState, RunState, RunToMatState : Cardinal;
begin
  // char struct = [[[BaseAddress] + $1C] + CharStruct]
  ReadProcessMemory(Self.Handle, ptr(Self.Offsets.BaseAddress), @eax, 4, written);
  ReadProcessMemory(Self.Handle, ptr(eax + $1C), @eax, 4, written);
  ReadProcessMemory(Self.Handle, ptr(eax + Self.Offsets.CharStruct), @eax, 4, written);

  ReadProcessMemory(Self.Handle, ptr(eax + Self.Offsets.Flystate), @Result.FlyState, 4, written);

  // the character's action object; its current state id sits at +$14
  ReadProcessMemory(Self.Handle, ptr(eax + Self.Offsets.Action), @Base, 4, written);

  // +$30 points to a table holding the id of each known state
  ReadProcessMemory(Self.Handle, ptr(Base + $30), @StateBase, 4, written);

  ReadProcessMemory(Self.Handle, ptr(StateBase + $28), @RestState, 4, written);
  ReadProcessMemory(Self.Handle, ptr(StateBase + $2C), @PickUpState, 4, written);
  ReadProcessMemory(Self.Handle, ptr(StateBase + $10), @SkillState, 4, written);
  ReadProcessMemory(Self.Handle, ptr(StateBase + $4), @RunState, 4, written);
  ReadProcessMemory(Self.Handle, ptr(StateBase + $8), @RunToMatState, 4, written);

  // compare the current state id against the known ones
  ReadProcessMemory(Self.Handle, ptr(Base + $14), @CurrentState, 4, written);

  Result.Resting := (CurrentState = RestState);
  Result.Gathering := (CurrentState = PickUpState);
  Result.PickUp := Result.Gathering; // both key off the pick-up state id
  Result.RunToMatState := (CurrentState = RunToMatState);
  Result.SkillCast := (CurrentState = SkillState);
  Result.RunState := (CurrentState = RunState);
end;
In case it's the first, that you want to access that huge switch statement, you can call that directly :

Code:
procedure JumpCallfunc(aParams: PParams); stdcall;
var
  CA: dword;
  BA: dword;
  CST: dword;
begin
  CA := aParams^.JumpCall;
  BA := aParams^.BaseAddress;
  CST := aParams^.Charstruct;
  asm
    pushad
    mov ecx, [BA]
    mov ecx, dword ptr [ecx]
    mov edx, [CST]
    mov ecx, dword ptr [ecx+edx]
    push 0 {interesting : You can push whatever you want, but you must push something to stack...}
    mov eax,[CA]
    call eax
    popad
  end;
end;
If you want to press buttons: sending packets is the much better alternative to that, mate, no need to do that. The only thing where it would come in handy is closing the merchant dialog after you did stuff there.

Hope this helped
Sᴡoosh is offline  
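The pointer walk that Swoosh's THostChar.States performs, combined with the decimal field offsets from the Prophet bot INI in post #106, as an added example in C++ that is not code from the thread or from either bot. Every hop is checked, because an unchecked ReadProcessMemory chain will happily compute 0x00000000 + offset during a loading screen and hand back garbage. The process memory is a constructed fake so the code runs without the client; the +0x1C hop and the +0x30/+0x14 state layout are taken from Swoosh's code, the char struct offset 0x34 from posts #109 and #112, and the Action offset (0x700) is an assumed placeholder because the thread never gives its value.

```cpp
#include <cstdint>
#include <cstring>
#include <map>
#include <optional>
#include <vector>

// Abstract reader for a 32-bit target. On Windows the real implementation
// wraps ReadProcessMemory(hProc, (LPCVOID)(uintptr_t)addr, out, n, &got)
// and returns got == n. Here it is backed by a constructed fake process.
struct MemoryReader {
    virtual ~MemoryReader() = default;
    virtual bool read(uint32_t addr, void* out, size_t n) const = 0;
    std::optional<uint32_t> read_u32(uint32_t addr) const {
        uint32_t v = 0;
        if (!read(addr, &v, sizeof v)) return std::nullopt;
        return v;
    }
};

// Constructed fake process: a sparse map of 4-byte cells. An address that
// is not in the map behaves like an unmapped page, i.e. the read fails.
struct FakeProcess : MemoryReader {
    std::map<uint32_t, uint32_t> cells;
    bool read(uint32_t addr, void* out, size_t n) const override {
        if (n != sizeof(uint32_t)) return false;
        auto it = cells.find(addr);
        if (it == cells.end()) return false;
        std::memcpy(out, &it->second, n);
        return true;
    }
};

// Cheat Engine style chain: [base] + off0 -> [..] + off1 -> ... The last
// offset is added but not dereferenced, so the result is a field address.
// A failed read or a NULL pointer anywhere in the chain aborts the walk.
std::optional<uint32_t> resolve_chain(const MemoryReader& mem, uint32_t base,
                                      const std::vector<uint32_t>& offsets) {
    uint32_t addr = base;
    for (uint32_t off : offsets) {
        auto p = mem.read_u32(addr);
        if (!p || *p == 0) return std::nullopt;
        addr = *p + off;
    }
    return addr;
}

static bool load(const MemoryReader& mem, uint32_t addr, uint32_t& out) {
    auto v = mem.read_u32(addr);
    if (!v) return false;
    out = *v;
    return true;
}

struct Offsets {
    uint32_t base_address = 0x00AF7264; // Base_Address=11498596 in post #106 (decimal)
    uint32_t char_struct  = 0x34;       // the +0x34 hop from posts #109 and #112
    uint32_t action       = 0x700;      // ASSUMED placeholder for Offsets.Action
    uint32_t hp           = 1168;       // HP_OffSet from post #106
    uint32_t max_hp       = 1232;       // MaxHP_OffSet from post #106
};

struct States {
    uint32_t hp = 0, max_hp = 0;
    bool resting = false, gathering = false, run_to_mat = false,
         running = false, skill_cast = false;
};

// Mirrors THostChar.States: char = [[[base] + 0x1C] + CharStruct]; the
// current state id at [action + 0x14] is compared with the ids stored in
// the table at [action + 0x30].
std::optional<States> read_states(const MemoryReader& mem, const Offsets& o) {
    auto hp_field = resolve_chain(mem, o.base_address, {0x1Cu, o.char_struct, o.hp});
    auto mh_field = resolve_chain(mem, o.base_address, {0x1Cu, o.char_struct, o.max_hp});
    auto act      = resolve_chain(mem, o.base_address, {0x1Cu, o.char_struct, o.action, 0u});
    if (!hp_field || !mh_field || !act) return std::nullopt;
    States s;
    uint32_t tab = 0, cur = 0, rest = 0, pick = 0, skill = 0, run = 0, mat = 0;
    if (!load(mem, *hp_field, s.hp) || !load(mem, *mh_field, s.max_hp) ||
        !load(mem, *act + 0x30, tab) || tab == 0 || !load(mem, *act + 0x14, cur) ||
        !load(mem, tab + 0x28, rest) || !load(mem, tab + 0x2C, pick) ||
        !load(mem, tab + 0x10, skill) || !load(mem, tab + 0x04, run) ||
        !load(mem, tab + 0x08, mat))
        return std::nullopt;
    s.resting = cur == rest;  s.gathering = cur == pick;  s.skill_cast = cur == skill;
    s.running = cur == run;   s.run_to_mat = cur == mat;
    return s;
}

// Constructed memory image. With character_loaded == false the +CharStruct
// slot holds NULL, as it does on the character select screen.
FakeProcess make_fake(bool character_loaded) {
    const uint32_t lvl1 = 0x0B000000, lvl2 = 0x0B100000, ch = 0x0C000000,
                   act = 0x0D000000, tab = 0x0D100000;
    Offsets o;
    FakeProcess p;
    p.cells[o.base_address]       = lvl1;
    p.cells[lvl1 + 0x1C]          = lvl2;
    p.cells[lvl2 + o.char_struct] = character_loaded ? ch : 0u;
    p.cells[ch + o.hp]            = 1234;
    p.cells[ch + o.max_hp]        = 5000;
    p.cells[ch + o.action]        = act;
    p.cells[act + 0x30]           = tab;
    p.cells[act + 0x14]           = 7;   // current state id == the rest id below
    p.cells[tab + 0x04] = 3; p.cells[tab + 0x08] = 4; p.cells[tab + 0x10] = 5;
    p.cells[tab + 0x28] = 7; p.cells[tab + 0x2C] = 9;
    return p;
}
```

On Windows the MemoryReader interface is implemented once over ReadProcessMemory with a handle from OpenProcess(PROCESS_VM_READ, ...), and the decimal values from the INI go into the Offsets struct unchanged; nothing in the chain walk itself depends on the target being real or fake.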
Old 04/14/2012, 18:53   #111
 
elite*gold: 0
Join Date: Jan 2009
Posts: 23
Received Thanks: 3
Swoosh: Thanks for your answer! My first goal was to be able to do meditate and stop meditate, and later to be able to trigger other actions. I thought I found the DoAction function that Toxic mentions in his tutorial, but I might have found something else. I have looked into so many functions now I just feel dizzy.

The function I've found starts with finding the charstruct address from a pointer that is passed in ecx. Then it gets the pointer to the doactionparam-struct from the stack and through a jumptable it switches between 57 cases.

I try to avoid sending packets, but why, I don't really know.

I'm trying to figure out the JumpCall function you're showing, but I don't quite understand the parameters. Is it the base address or the real base address? The [ecx+edx], I'm not sure what that is supposed to point at. Is the jump function its own function for just jumping, or is it a switch kind of multi-function like the DoAction?

Sorry for all these questions. Looking around in this game in IDA/OllyDbg is quite hard for me. I'm not so used to assembler on PC; I mostly coded 68000-family processors, and that was many years ago. Sigh, those were the good old days.
Sturolv is offline  
Old 04/14/2012, 22:21   #112
 
 
elite*gold: 20
Join Date: May 2009
Posts: 1,290
Received Thanks: 326
Well, for meditate/stop, packets are the best solution in my opinion. I have never tried doing that via the action struct (is it possible? I would guess so if you write the right flags?). Yeah, that huge switch statement you're talking about is what I meant. It is part of the function jumptable; one of those cases is the jump function. For my code:

Code:
procedure JumpCallfunc(aParams: PParams); stdcall;
var
  CA: dword;
  BA: dword;
  CST: dword;
begin
  // This reads pointers to addresses from the injected parameter struct
  CA := aParams^.JumpCall;       // address of the jump-table function
  BA := aParams^.BaseAddress;    // static base address (not the real one)
  CST := aParams^.Charstruct;    // char struct offset (+0x34)
  asm
    pushad                       // save all general registers; the game code clobbers them
    mov ecx, [BA]                // read base address (not real one) into ecx
    mov ecx, dword ptr [ecx]     // first level: the pointer stored at the base address
    mov edx, [CST]               // read char struct offset (+0x34) into edx
    mov ecx, dword ptr [ecx+edx] // [first level + char struct offset] = charstruct, the "this" pointer
    push 0                       // one stack argument; any value works, but it MUST be pushed.
                                 // The callee is expected to pop it itself; if it did not,
                                 // esp would be off by 4 and popad below would restore garbage
    mov eax,[CA]                 // get call address, move to eax
    call eax                     // call it with the char struct pointer in ecx (thiscall style)
    popad                        // restore the saved registers
  end;
end;
Basically I resolve the pointer to the char struct from the injected params data, write it into ecx, push 0 onto the stack and call the function address (which I also read from the injected parameters).

But seriously: packets are the way to go for static things like meditation. It saves you from needing the function address after each update for every little function. Just find sendpacket; the opcode very rarely changes, and if so, only in more complex and bigger packets (sell/buy).

Cheers
Sᴡoosh is offline  
Old 04/15/2012, 10:01   #113
 
elite*gold: 0
Join Date: Jan 2009
Posts: 23
Received Thanks: 3
Thanks Swoosh! I will try the jump function out and go for sending packets regarding meditate and similar.

Do you or anyone else have a hint about how I could get information about obstacles like trees, rocks, etc.? That information must be somewhere; maybe it's in some data file and could be parsed out with coordinates and perhaps a radius? It would be sweet to make some logic for moving to avoid getting stuck on obstacles.
Sturolv is offline  
Old 04/15/2012, 14:15   #114
 
 
elite*gold: 20
Join Date: May 2009
Posts: 1,290
Received Thanks: 326
Obstacles are in ecwld if I remember correctly. A friend of mine did very good research regarding this; I'll leave it to him if he wants to answer, he lurks these forums actively.
Sᴡoosh is offline  
Old 04/15/2012, 16:41   #115
 
elite*gold: 0
Join Date: Jan 2009
Posts: 23
Received Thanks: 3
Cool, I hope he lurks by here and feels like giving a hint or two.
Sturolv is offline  
Old 04/15/2012, 17:08   #116
 
elite*gold: 0
Join Date: Mar 2009
Posts: 112
Received Thanks: 123
Quote:
Originally Posted by Sturolv View Post
Cool, I hope he lurks by here and feels like giving a hint or two.
He does, but normally doesn't make it a habit of referring to himself in the third person.

** Obstacles in general **
Obstacles like buildings, rocks, walls, paved roads, etc. are located inside the litmodels.pck file (but not trees, see below).

Once unpacked, you are looking for .bmd files, which contain the definitions of the obstacle items noted above.
Files are structured in folders, firstly on a map type level ("world" for your basic map, axx for various dungeons, etc.).
The next folder defines a block on a map (aka quadrant). Maps are divided into several of these blocks (the number of blocks varies depending on the map); the world map, for example, is divided into 88 blocks for use with obstacle files.

Blocks are arranged into rows and columns. Archosaur, for example, is located in block 38.

Each block folder contains .bmd files that describe the models of obstacles in that block. Each .bmd file can contain data on one or more models.

Among the data you'll find model vertices, polygons, colours and textures that are used to render the model in game. Additionally, each model contains data that is used to transform the model with, for example, a transformation matrix: stuff like location (or translation, as used in matrix terms), scale and rotation.

Combine all of these, throw in your own coordinates and you'll know exactly where the object is in relation to you.

** Trees **
Trees are located in the <mapName>.ecwld file, which can be found in /element/maps/.
As before, the first folder is the map name, for example "world"; inside you'll find <mapName>.ecwld, for example "world.ecwld".

This file contains the locations of trees for sure and probably other data associated with them. I didn't delve into the other data, since I was only after the locations of trees; most are similarly sized, so taking an average should work with avoidance algorithms.


Go through this, experiment, and if you need anything else, ask a more directed question. Also note that it has been a while since I played with this, so some info may be off; take it with a grain of salt. I did, after all, write it all off the top of my head.
Shareen is offline  
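What "combine all of these, throw in your own coordinates" comes down to in code, as an added C++ example that is not from the thread, from the game's files, or from any of the bots discussed. The .bmd and .ecwld layouts are not parsed here, since the thread does not document them; the example takes a model's vertices plus the translation/scale/rotation placement Shareen describes, puts the vertices into world space, collapses the model to a bounding sphere, and tests a planned move against it, which is the avoidance check Sturolv was after. Trees get the same treatment from a position and an average radius. The rotation being a single yaw about the vertical Y axis, the sample cube, and the 2.0-unit tree radius are assumptions, not facts from the thread.

```cpp
#include <algorithm>
#include <cmath>
#include <vector>

struct Vec3 { float x, y, z; };

static Vec3 add(Vec3 a, Vec3 b) { return {a.x + b.x, a.y + b.y, a.z + b.z}; }
static Vec3 sub(Vec3 a, Vec3 b) { return {a.x - b.x, a.y - b.y, a.z - b.z}; }
static Vec3 mul(Vec3 a, float s) { return {a.x * s, a.y * s, a.z * s}; }
static float dot(Vec3 a, Vec3 b) { return a.x * b.x + a.y * b.y + a.z * b.z; }
static float len(Vec3 a) { return std::sqrt(dot(a, a)); }

// Per-model placement of the kind Shareen lists (translation, scale,
// rotation). Rotation is ASSUMED to be one yaw about the vertical Y axis;
// the real .bmd transform is not specified in the thread.
struct Transform { Vec3 scale; float yaw_deg; Vec3 translate; };

// Model space -> world space: scale, then rotate, then translate (T*R*S).
Vec3 to_world(const Transform& t, Vec3 v) {
    Vec3 s{v.x * t.scale.x, v.y * t.scale.y, v.z * t.scale.z};
    float a = t.yaw_deg * 3.14159265f / 180.0f, c = std::cos(a), sn = std::sin(a);
    Vec3 r{c * s.x + sn * s.z, s.y, -sn * s.x + c * s.z};
    return add(r, t.translate);
}

std::vector<Vec3> model_to_world(const Transform& t, const std::vector<Vec3>& model) {
    std::vector<Vec3> out;
    out.reserve(model.size());
    for (Vec3 v : model) out.push_back(to_world(t, v));
    return out;
}

struct Sphere { Vec3 center; float radius; };

// Centroid plus the farthest vertex. Coarse, but one sphere per rock or
// wall is what an avoidance loop can afford to test against every tick.
Sphere bounding_sphere(const std::vector<Vec3>& world_verts) {
    if (world_verts.empty()) return {{0, 0, 0}, 0};
    Vec3 c{0, 0, 0};
    for (Vec3 v : world_verts) c = add(c, v);
    c = mul(c, 1.0f / static_cast<float>(world_verts.size()));
    float r = 0;
    for (Vec3 v : world_verts) r = std::max(r, len(sub(v, c)));
    return {c, r};
}

// Trees: only a position comes out of <map>.ecwld; the radius is an average
// the bot author picks (ASSUMED 2.0 units here, the thread gives no number).
Sphere tree_sphere(Vec3 pos, float avg_radius = 2.0f) { return {pos, avg_radius}; }

// Does a straight run from a to b come within `margin` of the obstacle?
// Closest point on the segment to the sphere centre, compared with
// radius + margin. margin is the character's own collision width.
bool path_blocked(Vec3 a, Vec3 b, const Sphere& s, float margin) {
    Vec3 ab = sub(b, a);
    float ab2 = dot(ab, ab);
    float t = ab2 > 0 ? dot(sub(s.center, a), ab) / ab2 : 0.0f;
    t = std::clamp(t, 0.0f, 1.0f);
    Vec3 closest = add(a, mul(ab, t));
    return len(sub(s.center, closest)) < s.radius + margin;
}

// Constructed sample model: a unit cube standing in for a rock, scaled by 3,
// turned 90 degrees and placed at (100, 0, 50).
Sphere sample_rock() {
    std::vector<Vec3> cube = {{-1, -1, -1}, {1, -1, -1}, {1, 1, -1}, {-1, 1, -1},
                              {-1, -1, 1},  {1, -1, 1},  {1, 1, 1},  {-1, 1, 1}};
    Transform t{{3, 3, 3}, 90.0f, {100, 0, 50}};
    return bounding_sphere(model_to_world(t, cube));
}
```

The sphere test is deliberately conservative: a model's real footprint is its polygons, so a wall that is long and thin gets a sphere much larger than itself, which makes the bot route wide around it rather than clip it. If that costs too much path length, the next step is one sphere per polygon cluster rather than per model, using the same path_blocked test.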
Old 04/15/2012, 18:30   #117
 
elite*gold: 0
Join Date: Jan 2009
Posts: 23
Received Thanks: 3
Wow, thanks very much! I will dig into this very soon. I think I should make a tool to extract the information I need and put into a sqlite db.
Sturolv is offline  
Old 06/30/2013, 07:43   #118
 
elite*gold: 0
Join Date: Jan 2013
Posts: 25
Received Thanks: 1
Can I have a video tut? xD
crackingz is offline  
Old 06/30/2013, 08:27   #119
 
 
elite*gold: 0
Join Date: Mar 2010
Posts: 862
Received Thanks: 576
Quote:
Originally Posted by crackingz View Post
can i have a video tut xD
Text is much clearer than a video.
Interest07 is offline  
Old 10/19/2014, 08:12   #120
 
elite*gold: 0
Join Date: Apr 2011
Posts: 3
Received Thanks: 0
Is this still valid? I had some trouble trying with all images off, and how does he get the first string to search for on the first page?
latsgamer81 is offline  