guide: debug pwi, find function addresses and offsets, write a bot(c++ code included)
Discussion on guide: debug pwi, find function addresses and offsets, write a bot(c++ code included) within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.
01/30/2010, 12:04
#46
@diablokoaiua
What do you mean? Finding offsets with a program? I do it.
@toxic
Yeah, you understood my way right.
Quote:
what kind of exception occurs when your client crashes
|
Can't determine. Maybe I simply don't know how to determine it.
So, you think that the crash is due to me doing it during a pos update. Looks logical... I will try to check it...
01/30/2010, 12:17
#47
@Vuduy
Your way is very interesting, but I simply don't know how I can find the function "prepare packet to send"...
01/30/2010, 12:22
#48
Quote:
Originally Posted by AlexGD
@diablokoaiua
What do you mean? Finding offsets with a program? I do it.
@toxic
Yeah, you understood my way right.
Can't determine. Maybe I simply don't know how to determine it.
So, you think that the crash is due to me doing it during a pos update. Looks logical... I will try to check it...
|
There is a program that can find offsets in a second
01/30/2010, 13:19
#49
@AlexGD:
try this, this should work on any version:
if you have ida pro, open up your imports window. search for __imp_send (ws2_32.dll). double click it. now make sure that you display more than the std amount of xrefs. you should see an xref from send|r. double click it. you should now see 3 xrefs. check the xrefs. one of them should be something like
mov ecx, s
push 0 <----
push 1
push offset buf
push ecx
call send
it should be the second xref. double click it. jump up to the func start. there should be 2 xrefs. one of the xrefs should be inside a func with 2 params, the other one should be a func with 1 param. take the xref which is inside the func with 2 params (for me it's the first one). jump to the func start to get the func address. set a bp on this address. now move somewhere, your bp should hit after about 1 sec. trace to the caller. write down the addr. open this addr in ida pro. jump up to the func start. this is the func that queues a decrypted packet into the decrypted send buffer (it should have 2 params: void *p_data, DWORD dwSize).
01/30/2010, 18:06
#50
Quote:
Originally Posted by diablokoaiua
There is a program that can find offsets in a second
|
Is there a program to make money in seconds too?
Another tip with the "send" function. Once you get it, use MHS (from L. Spiro - a lot more powerful than CE). Set a break point and use a script to print out the raw unencrypted data before sending to the server.
Now you will be able to see every single server opcode in the game. Then when you need to do something, make your own opcodes and call them through the "send" function.
02/05/2010, 02:22
#51
toxic or anyone, can you help me find EXP_ARRAY?
02/05/2010, 02:24
#52
Quote:
Originally Posted by diablokoaiua
There is a program that can find offsets in a second
|
lol, there is. but it's just some basic offsets for the MHS bot. beyond that, no one would make it public.
02/05/2010, 20:24
#53
awesome guide! and thanks a mil for sharing this! i think this will be able to answer most of my questions
i tried doing your steps and i just stumbled on a thought...
how did you come up with "^^C8FF64" in DrawStatusText?
02/06/2010, 13:50
#54
@wildwinter:
what's the EXP_ARRAY supposed to be? seriously, i don't know what you mean here :X
@neverasunset:
thanks, you're welcome man. this is a good question. as you might already think, this is not the way i found this function the first time. when i found this function the first time, i checked the whole function for something else to find it more easily and quicker, and this string ref is what i came up with. this string is only referenced inside this function and hasn't changed over a thousand updates. finding this func the "real" way is harder than finding any other func i explained in the tut and since this tut started out with this func, i didn't wanna go the "hard" way on this func. if you wanna know how to find this func the real way for the very first time, i'll try to explain real quick here:
restart your client and log on to the game (this will make the search for the "real" string easier). choose an error msg you desire (e.g. action still on cooldown). search for the string via ce. tab unicode and case sensitive. you might find more than 1 address. now for every address you found, do the following: add 2 to the address and add it to the addr list (this might reduce the results in the following steps). now find out what accesses this address. now make the error msg appear in game by executing the corresponding actions in game. if ce pops up some instructions that accessed your address, you probably found the right string. the instruction should be inside some scanf function.
now open your debugger. if you want to, you can just set a bp on the address you found. your bp will hit even if you don't generate the error msg. that's because scanf is used by many other functions as well. so we will have to make a conditional bp. (you could probably as well use a memory bp on the string, but it might break on something else we don't want). so make a conditional bp on this address, which accesses the "real" string you found. generate the error msg again. your bp should hit.
now you have to trace (use trace over) through all these scanf (sub)functions until you're back inside elementclient.exe. once you're back inside elementclient.exe, write down the addr you're at right now. open this addr in ida pro. scroll up to the func start. that's your DrawStatusText func.
02/08/2010, 06:26
#55
as far as i know, exp_array is an array storing the addresses of current exp and exp max (of that lvl)
p/s: thank you for all your hard work on finding functions on the first page. IT IS REALLY HELPFUL.
02/08/2010, 20:28
#56
@wild
It seems strange, but AFAIK the client does not store EXP as an array - you can only get current EXP. The EXP needed for the next level you can calculate yourself.
02/09/2010, 06:56
#57
Quote:
Originally Posted by AlexGD
@wild
It seems strange, but AFAIK the client does not store EXP as an array - you can only get current EXP. The EXP needed for the next level you can calculate yourself.
|
thank you.
this is a function I have
Quote:
Func GETEXPM()
Return _MEMORYREAD($EXP_ARRAY + ($LEVELNOW * 4), $MEMID)
EndFunc
|
GETEXPM is expmax I think.
02/15/2010, 11:54
#58
Toxic, can you help me some more?
I've found the sell item function, its address is 005DC430, and here's the function itself:
005DC430 sub_5DC430 proc near ; CODE XREF: sub_5C7FF0+33p
005DC430
005DC430 arg_0= dword ptr 4
005DC430 arg_4= dword ptr 8
005DC430
005DC430 push ebx
005DC431 push ebp
005DC432 push esi
005DC433 mov esi, [esp+0Ch+arg_0]
005DC437 test esi, esi
005DC439 push edi
005DC43A jz short loc_5DC4A4
005DC43C mov eax, [esp+10h+arg_4]
005DC440 test eax, eax
005DC442 jz short loc_5DC4A4
005DC444 lea edi, [esi+esi*2]
005DC447 shl edi, 2
005DC44A lea ebp, [edi+0Eh]
005DC44D push ebp
005DC44E call sub_743810
005DC453 mov ebx, eax
005DC455 add esp, 4
005DC458 test ebx, ebx
005DC45A jz short loc_5DC4A4
005DC45C lea eax, [ebx+2]
005DC45F lea ecx, [edi+4]
005DC462 mov word ptr [ebx], 25h
005DC467 push ebp ; Size
005DC468 mov dword ptr [eax], 2
005DC46E mov [eax+4], ecx
005DC471 add eax, 8
005DC474 mov ecx, edi
005DC476 mov edx, ecx
005DC478 push ebx ; Src
005DC479 mov [eax], esi
005DC47B mov esi, [esp+18h+arg_4]
005DC47F lea edi, [eax+4]
005DC482 shr ecx, 2
005DC485 rep movsd
005DC487 mov ecx, edx
005DC489 and ecx, 3
005DC48C rep movsb
005DC48E mov eax, dword_98ADDC
005DC493 mov ecx, [eax+20h]
005DC496 call sub_5BD9A0
005DC49B push ebx
005DC49C call sub_743820
005DC4A1 add esp, 4
005DC4A4
005DC4A4 loc_5DC4A4: ; CODE XREF: sub_5DC430+Aj
005DC4A4 ; sub_5DC430+12j ...
005DC4A4 pop edi
005DC4A5 pop esi
005DC4A6 pop ebp
005DC4A7 pop ebx
005DC4A8 retn
005DC4A8 sub_5DC430 endp
Can you help me find the correct direct injection code? I really need it. But I can't figure out how to make it work. (
I've also found injection code for it, but it doesn't work for me:
(translated from Chinese)
// Trading CALL. Kind of the base address can be replaced
pushad
sub esp, $c
mov eax, p1 // item ID (refer to the type or system ID)
mov dword ptr [esp], eax
mov eax, p2 // where the number of grid
mov dword ptr [esp+4], eax
mov eax, p3 // the number of transactions
mov dword ptr [esp+8], eax
push esp // Push data structure
push 1
call Address
add esp, 8
add esp, $c
popad
06/06/2010, 05:35
#59
Hi Toxic,
Are you still following this thread? I got almost all the points in your tutorial, but when I go to the code with assembly, I can't make it run.
The Perfect World window crashes every time I try to inject the function! Maybe because my inject function is not correct!
Here is that code:
DWORD CallAddress = 0x5D19A0;
DWORD MonsterID = (DWORD)lpParam;
__try
{
_asm
{
mov edx, 009C0E6Ch;
push MonsterID;
mov ecx, DWORD PTR [edx+0x20];
add ecx, 0xEC;
mov edx, CallAddress;
call edx;
}
}
__except(1)
{
}
return 0;
06/13/2010, 09:32
#60
thx a lot, i'm gonna read thru this now. ;o