guide: debug pwi, find function addresses and offsets, write a bot(c++ code included)

Discussion on guide: debug pwi, find function addresses and offsets, write a bot(c++ code included) within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.

Old 01/24/2010, 18:31   #16
 
elite*gold: 0
Join Date: Mar 2007
Posts: 26
Received Thanks: 38
@AlexGD:
ya, i know that this function doesn't work on regular button clicks. if you want to trace what you wanna do, you could check sub_7387f0. this is (part of) the "dialog proc". it handles "messages" when something happens in a dialog (e.g. move the mouse, click something, etc.). everything you need will probably be found inside this func.

@FunkU:
it's hard to tell how to call a func if i don't know what pw you're using and how to resolve your objects. but the way you call the "back to town" func is pretty strange. the object must be stored inside ecx. if the address of the pointer to the object that your func is using was really 0x98addc and the address of the function really was 0x5da8f0, then you would do something like this:


mov ecx, dword ptr [0x98addc];
mov eax, 0x5da8f0;
call eax;
toxic6666 is offline  
Old 01/24/2010, 20:52   #17
 
elite*gold: 0
Join Date: Jan 2009
Posts: 137
Received Thanks: 19
@Toxic
Yeap, I found this proc, but I must make one more step and try to learn asm. For now the principles of injecting (calling) these funcs elude my understanding...
AlexGD is offline  
Old 01/25/2010, 00:56   #18
 
elite*gold: 0
Join Date: Jan 2009
Posts: 69
Received Thanks: 13
Maybe it's strange because I'm using AutoIt? Btw I play on the Russian official server. Our client says that its version is 1.4.1 build 2273.
FunkU is offline  
Old 01/25/2010, 14:58   #19
 
elite*gold: 0
Join Date: Nov 2009
Posts: 8
Received Thanks: 0
Hi, all

Some time ago I wanted to get offers of gold -> ingame money on the auction. By disassembling ElementClient.exe in IDA I found this function:

Code:
.text:004EB1E0 ; =============== S U B R O U T I N E =======================================
.text:004EB1E0
.text:004EB1E0
.text:004EB1E0 sub_4EB1E0      proc near               ; DATA XREF: .rdata:008BAF48o
.text:004EB1E0                 push    esi
.text:004EB1E1                 mov     esi, ecx
.text:004EB1E3                 push    offset aLst_sell ; "Lst_Sell"
.text:004EB1E8                 call    sub_714690
.text:004EB1ED                 push    offset aLst_buy ; "Lst_Buy"
.text:004EB1F2                 mov     ecx, esi
.text:004EB1F4                 mov     [esi+174h], eax
.text:004EB1FA                 call    sub_714690
.text:004EB1FF                 push    offset aTxt_num ; "Txt_Num"
.text:004EB204                 mov     ecx, esi
.text:004EB206                 mov     [esi+178h], eax
.text:004EB20C                 call    sub_714690
.text:004EB211                 push    1
.text:004EB213                 mov     ecx, eax
.text:004EB215                 mov     [esi+17Ch], eax
.text:004EB21B                 call    sub_721D10
.text:004EB220                 push    offset aTxt_gold ; "Txt_Gold"
.text:004EB225                 mov     ecx, esi
.text:004EB227                 call    sub_714690
.text:004EB22C                 push    offset aTxt_gold1 ; "Txt_Gold1"
.text:004EB231                 mov     ecx, esi
.text:004EB233                 mov     [esi+180h], eax
.text:004EB239                 call    sub_714690
.text:004EB23E                 push    offset aTxt_money1 ; "Txt_Money1"
.text:004EB243                 mov     ecx, esi
.text:004EB245                 mov     [esi+184h], eax
.text:004EB24B                 call    sub_714690
.text:004EB250                 push    offset aTxt_money2 ; "Txt_Money2"
.text:004EB255                 mov     ecx, esi
.text:004EB257                 mov     [esi+188h], eax
.text:004EB25D                 call    sub_714690
.text:004EB262                 push    offset aTxt_money4 ; "Txt_Money4"
.text:004EB267                 mov     ecx, esi
.text:004EB269                 mov     [esi+18Ch], eax
.text:004EB26F                 call    sub_714690
.text:004EB274                 push    offset aTxt_money5 ; "Txt_Money5"
.text:004EB279                 mov     ecx, esi
.text:004EB27B                 mov     [esi+190h], eax
.text:004EB281                 call    sub_714690
.text:004EB286                 push    offset aTxt_poundage ; "Txt_Poundage"
.text:004EB28B                 mov     ecx, esi
.text:004EB28D                 mov     [esi+194h], eax
.text:004EB293                 call    sub_714690
.text:004EB298                 mov     [esi+198h], eax
.text:004EB29E                 mov     al, 1
.text:004EB2A0                 pop     esi
.text:004EB2A1                 retn
.text:004EB2A1 sub_4EB1E0      endp
.text:004EB2A1
.text:004EB2A1 ; ---------------------------------------------------------------------------
But I didn't find the offsets and BA (((
Thanks in advance for any help.

P.S. Sorry for my English
Alexhomp is offline  
Old 01/25/2010, 16:39   #20
 
elite*gold: 0
Join Date: Mar 2007
Posts: 26
Received Thanks: 38
@FunkU:

the question is, does your "teleport to town" function work or not? if it does work, then either your client is compiled with a compiler that uses strange calling conventions that i don't know of or this function uses some strange custom calling convention.


@Alexhomp:

what exactly is the problem you have? if i understood right, all you need to know is how to find the object (ecx) this function is using? if so, is your problem that you don't have any code xrefs, but only a data xref for this function? that's because this function is a virtual function, so the address of this function is retrieved by looking it up inside the vtable for the corresponding object (the data xref is the address (inside the vtable) of the pointer to this function).

if you dont know about virtual functions, here is a quick tut:
the vtable itself is a sequential array of pointers to virtual functions. the address of the vtable for each object is stored in the first 4 bytes of the object itself.
let's say ecx was a pointer to the object, and the function was the 5th function in the vtable; then the function call in your disassembly would probably look somewhat like this:

mov edx, [ecx]; // edx = pointer to vtable
call dword ptr [edx+0x10]; // call the 5th virtual function ((5-1)*4 = 0x10)

if you want to trace the object (ecx), you will have to trace it via debugging or mem search for pointers. so the "real" way would be to set a bp on this function, trace over it to the caller and find out how to get ecx. but since this function seems to be some kind of a gui function, it is very likely, that the object will be found inside p_base0->p_base1->p_guibase0->p_guibase1. so you could also try this: bp on this function, write down ecx. enter the ecx value into ce search field. the address range should start at p_guibase1. search it. if you find it, just subtract p_guibase1 from the found address and you have the offset into p_guibase1.

please try this out yourself first. if it doesn't help, i need to know what exactly this function does and when it is being called. what exactly do i have to do ingame that this function is being called. it has something to do with the auction house? if so, where can i find the auction house? seriously, i never used the auction house ;x



btw:
is wallhacking on the current pwi version supposed to still (fully) work without any pushbacks? i managed to create a wallhack that works on some objects (without any pushbacks) but on big stuff it doesn't work (i always get pushbacks). i'm asking because i need to know if it would be worth the effort to look deeper and try to make it work for all objects, if possible at all.
toxic6666 is offline  
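The vtable walk described in the two posts above (the object pointer in ecx, `mov edx, [ecx]`, then `call [edx+0x10]` for the 5th slot), as an added C example that is not code from this thread or from the game client. It models a single-inheritance C++ object by hand: the vtable pointer is the first field, the vtable is an array of function pointers in declaration order, and `resolve_virtual` does the same two loads as the disassembly using byte arithmetic rather than array indexing, so the `(5-1)*4 = 0x10` constant is visible. The object layout, the five functions and the `call_slot_on_value` helper are constructed here for illustration; `vtable_slot_offset` takes the pointer size as a parameter so the same sum can be redone for a 64-bit build, where the fifth slot sits at 0x20.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a C++ object with virtual functions (simple
 * single-inheritance case): the first pointer-sized field is the vtable
 * pointer, and the vtable is an array of function pointers in declaration
 * order.  The object pointer that the 32-bit client passes in ecx
 * (thiscall) is the explicit `self` argument in this C model. */
typedef struct Object Object;
typedef int (*VirtFn)(Object *self);

struct Object {
    const VirtFn *vtable;   /* offset 0: pointer to the vtable */
    int value;              /* an ordinary data member */
};

/* Five virtual functions; slot k adds 10*(k-1) so the result reveals
 * which slot was actually called. */
static int vf1(Object *o) { return o->value;      }
static int vf2(Object *o) { return o->value + 10; }
static int vf3(Object *o) { return o->value + 20; }
static int vf4(Object *o) { return o->value + 30; }
static int vf5(Object *o) { return o->value + 40; }

static const VirtFn object_vtable[] = { vf1, vf2, vf3, vf4, vf5 };

/* Byte offset of the n-th (1-based) slot inside the vtable: the constant
 * in "call dword ptr [edx+0x10]" is (5-1)*4 = 0x10 with 4-byte pointers. */
size_t vtable_slot_offset(unsigned n, size_t pointer_size) {
    return (size_t)(n - 1) * pointer_size;
}

/* Resolve the n-th virtual function exactly as the disassembly does:
 *   mov edx, [ecx]            ; vtable pointer is the first field
 *   call dword ptr [edx+off]  ; slot n of the vtable */
VirtFn resolve_virtual(const Object *obj, unsigned n) {
    const VirtFn *vt = obj->vtable;
    const unsigned char *slot =
        (const unsigned char *)vt + vtable_slot_offset(n, sizeof(void *));
    return *(const VirtFn *)slot;
}

/* Call slot n on obj: load the object pointer, then call through the slot. */
int call_virtual(Object *obj, unsigned n) {
    return resolve_virtual(obj, n)(obj);
}

/* Helper for checking: build an object holding `value` and call slot n. */
int call_slot_on_value(int value, unsigned n) {
    Object o = { object_vtable, value };
    return call_virtual(&o, n);
}

int main(void) {
    printf("5th slot offset, 32-bit: 0x%zx\n", vtable_slot_offset(5, 4));
    printf("5th slot offset, 64-bit: 0x%zx\n", vtable_slot_offset(5, 8));
    printf("slot 5 on value 7 returns %d\n", call_slot_on_value(7, 5));
    return 0;
}
```

The data xref mentioned above is the address of one of the `object_vtable` entries: IDA sees the function's address stored in a table in `.rdata`, not a `call` instruction, which is why a virtual function shows no code xrefs.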
Old 01/26/2010, 00:10   #21
 
elite*gold: 0
Join Date: Jan 2009
Posts: 69
Received Thanks: 13
Both your and mine "teleport to town" function work fine in my client. I made my teleport function from the full target function, maybe that's why it looks strange? But it works. ) So I don't think the Russian client is strangely compiled... Can you share a "pet attack" function that works on PWI? )
FunkU is offline  
Old 01/26/2010, 16:07   #22
 
elite*gold: 0
Join Date: Mar 2007
Posts: 26
Received Thanks: 38
i never called the pet attack func directly, i just sent the "attack" command to the petbar gui object via "GuiCommand" as described at the end of my first post. this would be something like this on the current pwi version:


char *p = "attack"; // needs to be in target process, if you use code injection, you need to find this string inside the target process, which isn't very hard


mov eax, dword ptr [0x9baad4];
mov eax, dword ptr [eax+0x04];
mov eax, dword ptr [eax+0x08];
mov eax, dword ptr [eax+0x2b8];
push eax; // p_petbar
push p; // p_cmd
mov eax, 0x592710; // addr of GuiCommand
call eax;
toxic6666 is offline  
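What the `mov eax, dword ptr [0x9baad4]; mov eax, [eax+0x04]; ...` sequence above does, as an added C example that is not code from this thread or from the game: it is a pointer chain, one load per hop, and the walker below performs it through a memory-reader callback so every hop is validated before it is dereferenced. That matters because an intermediate object such as the petbar GUI may not exist yet, and following a NULL or stale pointer is what turns a pointer-path mistake into a client crash. The offsets 0x04/0x08/0x2b8 are the ones quoted in the post; the byte-buffer "image", its layout, the bounds-checked reader and the `resolve_petbar_offset` helper are constructed here for illustration, nothing is read from a real process.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the client's address space.  Pointers are
 * written into it by hand at the offsets quoted in the post. */
#define IMAGE_SIZE 0x800
static unsigned char image[IMAGE_SIZE];

/* The reader is the only code that touches addresses, so the walker below
 * is independent of where the bytes come from (in-process here; a debugger
 * or remote-read backend would plug in the same way).  This reader refuses
 * anything outside the constructed image instead of faulting on it. */
typedef bool (*ReadPtrFn)(uintptr_t addr, uintptr_t *out);

static bool read_ptr_image(uintptr_t addr, uintptr_t *out) {
    uintptr_t lo = (uintptr_t)image;
    uintptr_t hi = lo + IMAGE_SIZE - sizeof(uintptr_t);
    if (addr < lo || addr > hi) return false;
    memcpy(out, (const void *)addr, sizeof *out);  /* memcpy: no alignment assumption */
    return true;
}

static void write_ptr_image(size_t off, uintptr_t value) {
    memcpy(image + off, &value, sizeof value);
}

/* Follow base -> [base] -> [..+off0] -> [..+off1] -> ... , the same walk as
 * "mov eax,[base]; mov eax,[eax+off0]; mov eax,[eax+off1]; ...".
 * Returns false instead of dereferencing a NULL or out-of-range pointer. */
bool follow_pointer_chain(ReadPtrFn read_ptr, uintptr_t base,
                          const uintptr_t *offsets, size_t n_offsets,
                          uintptr_t *result)
{
    uintptr_t cur;
    if (!read_ptr(base, &cur)) return false;          /* mov eax, [base] */
    for (size_t i = 0; i < n_offsets; i++) {
        if (cur == 0) return false;                   /* NULL mid-chain */
        if (!read_ptr(cur + offsets[i], &cur)) return false; /* mov eax, [eax+off] */
    }
    *result = cur;
    return true;
}

/* The offsets quoted in the post (32-bit client layout). */
static const uintptr_t petbar_chain[] = { 0x04, 0x08, 0x2b8 };

/* Constructed layout: base slot @0x000 -> root @0x100; root+0x04 -> gui1
 * @0x200; gui1+0x08 -> gui2 @0x300; gui2+0x2b8 -> petbar @0x700.  With
 * break_chain set, gui1's pointer is left NULL to mimic a GUI object that
 * has not been created yet.  Returns the address of the base slot. */
static uintptr_t build_image(bool break_chain) {
    memset(image, 0, sizeof image);
    uintptr_t b = (uintptr_t)image;
    write_ptr_image(0x000,         b + 0x100);
    write_ptr_image(0x100 + 0x04,  b + 0x200);
    write_ptr_image(0x200 + 0x08,  break_chain ? 0 : b + 0x300);
    write_ptr_image(0x300 + 0x2b8, b + 0x700);
    return b;
}

/* Offset of the resolved petbar object inside the image, or -1 if the
 * chain could not be walked safely. */
long resolve_petbar_offset(bool break_chain) {
    uintptr_t base = build_image(break_chain), petbar;
    if (!follow_pointer_chain(read_ptr_image, base, petbar_chain,
                              sizeof petbar_chain / sizeof petbar_chain[0],
                              &petbar))
        return -1;
    return (long)(petbar - (uintptr_t)image);
}

int main(void) {
    printf("intact chain  -> petbar at image+0x%lx\n", resolve_petbar_offset(false));
    printf("broken chain  -> %ld (refused, not dereferenced)\n", resolve_petbar_offset(true));
    return 0;
}
```

The asm in the post has no such checks: if any hop yields 0, the next `mov eax, [eax+off]` reads from a near-null address and the client faults. Separating the reader from the walker is also what lets the same chain be verified from a debugger before any code is run against it.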
Old 01/26/2010, 17:18   #23
 
elite*gold: 0
Join Date: Nov 2009
Posts: 12
Received Thanks: 1
Quote:
Originally Posted by toxic6666
i never called the pet attack func directly, i just sent the "attack" command to the petbar gui object via "GuiCommand" as described at the end of my first post. this would be something like this on the current pwi version:


char *p = "attack"; // needs to be in target process, if you use code injection, you need to find this string inside the target process, which isn't very hard


mov eax, dword ptr [0x9baad4];
mov eax, dword ptr [eax+0x04];
mov eax, dword ptr [eax+0x08];
mov eax, dword ptr [eax+0x2b8];
push eax; // p_petbar
push p; // p_cmd
mov eax, 0x592710; // addr of GuiCommand
call eax;
I'm using just about the same stuff. Works perfectly for me.
muchenberg is offline  
Old 01/27/2010, 04:07   #24
 
elite*gold: 0
Join Date: Jan 2009
Posts: 69
Received Thanks: 13
Quote:
Originally Posted by toxic6666
char *p = "attack"; // needs to be in target process, if you use code injection, you need to find this string inside the target process, which isn't very hard
I don't understand this. What is "target process"? And how must "p" look? It can't be just the word "attack"? Or is it some kind of pointer to something?

Btw, I've found my GuiCommand function, its address is 0057fa20. My PetBar offset is BA + $4 + $8 + $298 and the base address is 0098b47c.

Here's what ollydbg showed when I set a breakpoint on this function:

First time:

EAX 00000000
ECX 052CF720
EDX 008BFB20 elementc.008BFB20
EBX 139EC3C4 ASCII "attack"
ESP 0012ECB8
EBP 139EC3C4 ASCII "attack"
ESI 05324B08
EDI 00000001
EIP 0057FA2A elementc.0057FA2A

And second:

EAX 00000000
ECX 0A5B99C0
EDX 008BFB20 elementc.008BFB20
EBX 129C70DC ASCII "attack"
ESP 0012ECB8
EBP 129C70DC ASCII "attack"
ESI 0533E918
EDI 00000001
EIP 0057FA2A elementc.0057FA2A

EBX isn't the same. I tried to send 129C70DC and 139EC3C4 but nothing happened. However the game didn't crash. )


GuiCommand Function:

.text:0057FA20 ; int __stdcall sub_57FA20(char *Str1, int)
.text:0057FA20 sub_57FA20 proc near
.text:0057FA20
.text:0057FA20 Str1= dword ptr 4
.text:0057FA20 arg_4= dword ptr 8
.text:0057FA20
.text:0057FA20 push ebx
.text:0057FA21 mov ebx, [esp+4+Str1]
.text:0057FA25 push esi
.text:0057FA26 mov esi, [esp+8+arg_4]
.text:0057FA2A push edi
.text:0057FA2B push esi
.text:0057FA2C push ebx
.text:0057FA2D call sub_7184E0
.text:0057FA32 test al, al
.text:0057FA34 jz short loc_
FunkU is offline  
Old 01/27/2010, 05:11   #25
 
elite*gold: 0
Join Date: Jan 2009
Posts: 137
Received Thanks: 19
@FunkU

Do you understand that 129C70DC and 139EC3C4 are different each time, because these values are memory addresses? And each time it is different. So you need to write not exactly these values, but pointer values.

Exactly this is what toxic tried to say:
this pointer
Quote:
needs to be in target process, if you use code injection, you need to find this string inside the target process, which isnt very hard
AlexGD is offline  
Old 01/27/2010, 12:13   #26
 
elite*gold: 0
Join Date: Jan 2009
Posts: 69
Received Thanks: 13
So I've found this: 0093e6c0. Though it doesn't look like 129C70DC or 139EC3C4 and it's static. But it works! Is this what toxic6666 had in mind? Anyway thank you both, Alex and Toxic. )

My PetAttack function looks like this now:

mov eax, dword ptr [0x98b47c];
mov eax, dword ptr [eax+0x04];
mov eax, dword ptr [eax+0x08];
mov eax, dword ptr [eax+0x298];
push eax;
push 0x93e6c0;
mov eax, 0x57fa20;
call eax;
FunkU is offline  
Old 01/27/2010, 12:35   #27
 
elite*gold: 0
Join Date: Mar 2007
Posts: 26
Received Thanks: 38
@FunkU:

although you already managed to do it yourself, just to clarify this real quick:
the first param to GuiCommand is a pointer to a command string. this pointer must point to a string inside the elementclient process. so if your using your code from within an injected dll (which will be inside the elementclient process), you could just declare the string yourself like char *p = "attack" and pass a pointer to it. but if your using code injection, this wouldnt work because you would be passing a pointer to a string which is inside your programs process space. this pointer would point to some random stuff inside the elementclient process, and - might - crash it. so when using code injection, you would either have to find a static address for the "attack" string inside the elementclient process (which you did) or manually write the string into the elementclient process via WriteProcessMemory and pass a pointer to this string. but the second method would make this unneccessarily more complicated for an actually pretty simple task. you can find a static address for the "attack" string (and all other similar strings related to gui command) via your disassembler. just open the string ref window and look for the string and you will find a static address in the data section of elementclient.exe

oh and btw. maybe you will try to summon pets via GuiCommand in the near future. the command string would be "summonx" whereas x is the pet index + 1 of your pet to summon. so, if you want to summon the pet with the pet index 0 (your first pet), the command would be "summon1". in this case, you will not be able to find a static address for the string inside elementclient. pw creates the string somewhat like this:

wsprintf(sz_cmd, "%s%d", "summon", dwPetIndex + 1);

and then passes sz_cmd to GuiCommand. so if you wanted to use GuiCommand for this via code injection, you would have to create the string yourself like above inside your own program's process space and then write it to the elementclient's process space either via VirtualAllocEx + WriteProcessMemory and pass a pointer to this string (this would require runtime patching your injected code to pass the correct pointer) or you could find a static cave and write it into the cave via WriteProcessMemory, in this case, the pointer could be static, which again, wouldn't require runtime patching your injected code. or you could as well define this string inside the code that you're injecting, but this would also either require your injected code to be shellcode (position independent code) or runtime patching your injected code.
toxic6666 is offline  
Old 01/27/2010, 21:37   #28
 
elite*gold: 0
Join Date: Jan 2009
Posts: 69
Received Thanks: 13
Well, thanks. I'll keep in mind that in future. )

Now I need direct injection codes for selling items to NPC and activating trade window (select the point in dialogue window)... Can you give me some advice in that? I'll try to search it myself soon, using the knowledge I got in this thread.
FunkU is offline  
Old 01/28/2010, 16:09   #29
 
elite*gold: 0
Join Date: Mar 2007
Posts: 26
Received Thanks: 38
@FunkU:

no sry, i haven't looked into this myself yet. but AlexGD said that he knows how to do it
toxic6666 is offline  
Old 01/28/2010, 16:24   #30
 
elite*gold: 0
Join Date: Jan 2009
Posts: 137
Received Thanks: 19
Sorry, Toxic. Probably you don't understand... I only found the function, but I can't create an inject. I'm really weak in asm...
AlexGD is offline  