guide: debug pwi, find function addresses and offsets, write a bot(c++ code included)
Discussion on guide: debug pwi, find function addresses and offsets, write a bot(c++ code included) within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.
Hello, I have a question about customizing Prophet bot offsets for our server. Can I get all the offsets just by using CE, or do I need to use other programs as well? I'm a noob in programming but am willing to learn.
Below are the offsets of Prophet bot for PWI, but I'd like to change the offsets for our server.
[Perfect_World_Base_Address_In_Decimal]
Application_Title=Perfect World International
Base_Address=11498596
Base_AddressFZ=11499732
Base_AddressEXP=11501520
I'm afraid if you want to get those offsets it's not really straightforward to find them all. If you're really willing to learn though, there is ample information on these forums to find pretty much all of them. First step of learning is learning how to search for stuff
I don't mean to sound like a ****, but it's kinda gone quiet around here since the majority of new posts are like
Hi all! I hope there are still some people around. This great thread has helped me to find some functions. I have a little problem with the DoAction function. It no longer takes a pointer to the local character as far as I can figure out, but another pointer which I can't figure out the purpose of. But it points (in the case of meditation) to some struct that at offset 8 contains a pointer to some other place, which at +0x34 contains a pointer to the local character.
The DoAction param struct from the first page:
Code:
typedef struct __tagDOACTIONPARAM // param passed to DoAction
{
    DWORD uk0;       // 0x00
    DWORD uk1;       // 0x04
    DWORD uk2;       // 0x08
    void *p_data;    // 0x0c might be a pointer to some data
    DWORD dwAction;  // 0x10 check DA_ constants
} DOACTIONPARAM, *LPDOACTIONPARAM;
The first word must be set, and in the case of meditation it's 0x171. This first word is used to calculate where to jump through a jumptable.
The *p_data must point to something as well (at least regarding meditation), but I think I can just let it point to my own character's id. Later on, if I want to use actions that involve another player, like trade, I must look more into how this pointer and id are used.
The action dword should still be 0x6f.
My main concern is the pointer that is passed through ecx. Since this thread is quite old, the version of the game back then used a pointer to the local character, but now it's another pointer that is used to find the local player address, as far as I can see.
The address for DoAction is now at 62A7C0 in PWI.
I'm hoping someone can please enlighten me.
/Sturolv
I have personally never used this function. Are you talking about the one which uses that huge switch statement in the client with meditate/jump/roll calls? Or are you talking about injecting the action struct? Or the one which allows pressing buttons in dialogs?
If it's the second, then you actually don't need to make life so hard; you can write directly into it and change parameters and flags to your liking.
In case it's the first, that you want to access that huge switch statement, you can call that directly:
Code:
procedure JumpCallfunc(aParams: PParams); stdcall;
var
  CA: dword;
  BA: dword;
  CST: dword;
begin
  CA := aParams^.JumpCall;
  BA := aParams^.BaseAddress;
  CST := aParams^.Charstruct;
  asm
    pushad
    mov ecx, [BA]
    mov ecx, dword ptr [ecx]
    mov edx, [CST]
    mov ecx, dword ptr [ecx+edx]
    push 0 {interesting : You can push whatever you want, but you must push something to stack...}
    mov eax, [CA]
    call eax
    popad
  end;
end;
If you want to press buttons: sending packets is the much better alternative to that, mate, no need to do that. The only thing where it would come in handy is closing the merchant dialog after you did stuff there.
Swoosh: Thanks for your answer! My first goal was to be able to meditate and stop meditating, and later to be able to trigger other actions. I thought I had found the DoAction function that Toxic mentions in his tutorial, but I might have found something else. I have looked into so many functions now that I just feel dizzy.
The function I've found starts by finding the charstruct address from a pointer that is passed in ecx. Then it gets the pointer to the DOACTIONPARAM struct from the stack and, through a jumptable, switches between 57 cases.
I try to avoid sending packets, though I don't really know why.
I'm trying to figure out the JumpCall function you're showing, but I don't quite understand the parameters. Is it baseaddress or realbaseaddress? The [ecx+edx], I'm not sure what that is supposed to point at. Is the jump function its own function for just jumping, or is it a switch kind of multi-function like DoAction?
Sorry for all these questions. Looking around in this game in IDA/OllyDbg is quite hard for me. I'm not that used to assembler on PC; I mostly coded for the 68000 family of processors, and that was many years ago. Sigh, those were the good old days.
Well, for meditate/stop, packets are the best solution in my opinion. I have never tried doing that via the action struct (is it possible? I would guess so if you write the right flags?). Yeah, that huge switch statement you're talking about is what I meant. It is part of the function jumptable; one of those cases is the jump function. For my code:
Code:
procedure JumpCallfunc(aParams: PParams); stdcall;
var
  CA: dword;
  BA: dword;
  CST: dword;
begin
  // This reads pointers to addresses from the injected parameter struct
  CA := aParams^.JumpCall;
  BA := aParams^.BaseAddress;
  CST := aParams^.Charstruct;
  asm
    pushad                        // save all general-purpose registers
    mov ecx, [BA]                 // read baseaddress (not the real one) into ecx
    mov ecx, dword ptr [ecx]      // read first level (data of baseaddress pointer)
    mov edx, [CST]                // read char struct offset (+0x34) into edx
    mov ecx, dword ptr [ecx+edx]  // baseaddr + char struct offset = charstruct
    push 0                        // push any int; the value doesn't matter but you MUST push one
    mov eax, [CA]                 // get call address, move to eax
    call eax                      // call the function with the char struct pointer in ecx
    popad                         // restore the saved registers
  end;
end;
Basically I resolve the pointer to the char struct from the injected params data, write it into ecx, push 0 onto the stack and call the function address (which I read from the injected parameters too).
But seriously: packets are the way to go for static things like meditation. It saves you from needing the function address after each update for every little function. Just find sendpacket; the opcode very rarely changes, and if so, only in more complex and bigger packets (sell/buy).
Thanks Swoosh! I will try the jump function out and go for sending packets regarding meditate and similar.
Do you or anyone else have a hint about how I could get information about obstacles like trees, rocks etc.? That information must be somewhere; maybe it's in some data file and could be parsed out with coordinates and perhaps a radius? It would be sweet to make some logic for moving to avoid getting stuck on obstacles.
Obstacles are in ecwld if I remember correctly. A friend of mine did very good research regarding this; I'll leave it to him if he wants to answer, he lurks these forums actively.
Cool, I hope he lurks by here and feels like giving a hint or two.
He does, but normally doesn't make a habit of referring to himself in the third person.
** Obstacles in general **
Obstacles like buildings, rocks, walls, paved roads, etc. are located inside the litmodels.pck file (but not trees, see below).
Once unpacked, you are looking for .bmd files, which contain definitions of the obstacle items noted above.
Files are structured in folders, firstly on a map type level ("world" for your basic map, axx for various dungeons, etc.).
Next folder defines a block on a map (aka quadrant). Maps are divided into several of these blocks (number of block varies depending on a map), world map for example is divided into 88 blocks, for use with obstacle files.
Blocks are arranged into rows and columns. Archosaur, for example, is located in block 38.
Each block folder contains .bmd files that describe models of obstacles in that block. Each .bmd file can contain data on one or more models.
Among the data you'll find model vertices, polygons, colours and textures that are used to render the model in game. Additionally, each model contains data that is used to transform the model, for example a transformation matrix: stuff like location (or translation, in matrix terms), scale and rotation.
Combine all of these, throw in your own coordinates and you'll know exactly where the object is in relation to you.
** Trees **
Trees are located in the <mapName>.ecwld file, which can be found in /element/maps/.
As before, the first folder is the map name, for example "world"; inside you'll find <mapName>.ecwld, for example "world.ecwld".
This file contains the location of trees for sure, and probably other data associated with them. I didn't delve into the other data, since I was only after the locations of trees; most are similarly sized, so taking an average should work with avoidance algorithms.
Go through this, experiment, and if you need anything else, ask a more directed question. Also note that it has been a while since I played with this, so some info may be off; take it with a grain of salt. I did, after all, write it all off the top of my head.
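As an added example (not code from this thread or from the game), here is the model-to-world step the post above describes, in C++: it assumes a .bmd model supplies local vertices plus a translation, a uniform scale and a rotation about the vertical axis, applied in the order scale, rotate, translate (the real file layout is not given in the thread), and takes the player position from the bot's own coordinates.

```cpp
// Added example, not the thread's code. Assumed per-model transform data:
// translation, uniform scale and a yaw rotation about the vertical (y) axis.
#include <algorithm>
#include <cmath>
#include <vector>

struct Vec3 { double x, y, z; };

struct ObstacleModel {
    std::vector<Vec3> vertices;   // vertices in model space (from the .bmd)
    Vec3   translation;           // world position of the model origin
    double scale;                 // uniform scale factor
    double yawRadians;            // rotation about the vertical axis
};

// Transform one model-space vertex into world space: scale, then rotate
// about y, then translate (the order is an assumption about the format).
Vec3 toWorld(const ObstacleModel& m, const Vec3& v) {
    double sx = v.x * m.scale, sy = v.y * m.scale, sz = v.z * m.scale;
    double c = std::cos(m.yawRadians), s = std::sin(m.yawRadians);
    return { sx * c + sz * s + m.translation.x,
             sy + m.translation.y,
            -sx * s + sz * c + m.translation.z };
}

// Horizontal (x/z) distance from the player to the nearest transformed
// vertex; height is ignored because avoidance only steers in the plane.
double nearestHorizontalDistance(const ObstacleModel& m, const Vec3& player) {
    double best = INFINITY;
    for (const Vec3& v : m.vertices) {
        Vec3 w = toWorld(m, v);
        double dx = w.x - player.x, dz = w.z - player.z;
        best = std::min(best, std::sqrt(dx * dx + dz * dz));
    }
    return best;
}

// Constructed sample: a 2x2 square footprint scaled by 2, rotated 90 degrees
// and placed at (100, 0, 50); its world corners are (98|102, 0, 48|52).
ObstacleModel sampleRock() {
    const double quarterTurn = std::acos(-1.0) / 2.0;
    return { { {-1, 0, -1}, {1, 0, -1}, {1, 0, 1}, {-1, 0, 1} },
             {100, 0, 50}, 2.0, quarterTurn };
}
```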