guide: debug pwi, find function addresses and offsets, write a bot(c++ code included)

Discussion on guide: debug pwi, find function addresses and offsets, write a bot(c++ code included) within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.

 
Old 01/30/2010, 12:04   #46
 
elite*gold: 0
Join Date: Jan 2009
Posts: 137
Received Thanks: 19
@diablokoaiua
What do you mean? Finding offsets with a program? I do that.

@toxic
Yeah, you understood my way right.
Quote:
what kind of exception occurs when your client crashes
Can't determine. Maybe I simply don't know how to determine it.

So, you think that the crash is due to me doing it during a pos update. Looks logical... I will try to check it...
AlexGD is offline  
Old 01/30/2010, 12:17   #47
 
elite*gold: 0
Join Date: Jan 2009
Posts: 137
Received Thanks: 19
@Vuduy
Your way is very interesting, but I simply don't know how I can find the function "prepare packet to send"...
AlexGD is offline  
Old 01/30/2010, 12:22   #48
 
elite*gold: 0
Join Date: Apr 2008
Posts: 31
Received Thanks: 3
Quote:
Originally Posted by AlexGD View Post
@diablokoaiua
What do you mean? Finding offsets with a program? I do that.

@toxic
Yeah, you understood my way right.

Can't determine. Maybe I simply don't know how to determine it.

So, you think that the crash is due to me doing it during a pos update. Looks logical... I will try to check it...

There is a program that can find offsets within a second
diablokoaiua is offline  
Old 01/30/2010, 13:19   #49
 
elite*gold: 0
Join Date: Mar 2007
Posts: 26
Received Thanks: 38
@AlexGD:

try this, this should work on any version:

if you have ida pro, open up your imports window. search for __imp_send (ws2_32.dll). double click it. now make sure that you display more than the std amount of xrefs. you should see an xref from send|r. double click it. you should now see 3 xrefs. check the xrefs. one of them should be something like

mov ecx, s
push 0 <----
push 1
push offset buf
push ecx
call send

it should be the second xref. double click it. jump up to the func start. there should be 2 xrefs. one of the xrefs should be inside a func with 2 params, the other one should be a func with 1 param. take the xref which is inside the func with 2 params (for me it's the first one). jump up to the func start to get the func address. set a bp on this address. now move somewhere, your bp should hit after about 1 sec. trace to the caller. write down the addr. open this addr in ida pro. jump up to the func start. this is the func that queues a decrypted packet into the decrypted send buffer (it should have 2 params: void *p_data, DWORD dwSize).
toxic6666 is offline  
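An added example (not toxic6666's code and not anything from the PW client) that automates the static half of the xref walk in the post above as an IDAPython script: it resolves `__imp_send`, follows it to the `send` thunk, and keeps only the thunk's callers whose preceding instructions match the quoted push 0 / push 1 / push offset buf / push ecx / call pattern. The IDA calls are standard IDAPython APIs and are imported only inside the functions that need them, so the pattern matcher itself runs outside IDA; the breakpoint-and-trace steps that follow in the post stay manual.

```python
def matches_send_pattern(insns):
    """insns: list of (mnemonic, first operand) tuples, oldest first,
    ending with the call. True for the flags=0 send() call site
    quoted in the post: push 0 / push 1 / push offset buf /
    push ecx / call send."""
    if len(insns) != 5:
        return False
    (m0, o0), (m1, o1), (m2, o2), (m3, o3), (m4, _) = insns
    return (m0 == "push" and o0 == "0"                    # flags = 0
            and m1 == "push" and o1 == "1"                # len = 1
            and m2 == "push" and o2.startswith("offset")  # buf
            and m3 == "push" and o3 == "ecx"              # socket
            and m4 == "call")

def disasm_window(ea, n=5):
    """The n instructions ending at ea, as (mnemonic, operand0)."""
    import idc  # IDAPython; only available inside IDA
    out = []
    for _ in range(n):
        out.append((idc.print_insn_mnem(ea), idc.print_operand(ea, 0)))
        ea = idc.prev_head(ea)
    return list(reversed(out))

def find_send_callsites(import_name="__imp_send"):
    """__imp_send -> its 'send' thunk -> the thunk's callers, keeping
    only call sites that match the pattern. Returns a list of
    (call site ea, enclosing function start ea) pairs."""
    import idaapi, idautils, idc
    imp = idc.get_name_ea_simple(import_name)
    if imp == idaapi.BADADDR:
        return []
    hits = []
    for x in idautils.XrefsTo(imp):             # e.g. jmp ds:__imp_send in the thunk
        thunk = idaapi.get_func(x.frm)
        if thunk is None:
            continue
        for call in idautils.XrefsTo(thunk.start_ea):  # the "3 xrefs" from the post
            if matches_send_pattern(disasm_window(call.frm)):
                fn = idaapi.get_func(call.frm)
                hits.append((call.frm, fn.start_ea if fn else None))
    return hits

if __name__ == "__main__":
    # Run from IDA's script menu with the client loaded.
    for site, start in find_send_callsites():
        print("send(flags=0) call at 0x%08X, function starts at %s"
              % (site, "0x%08X" % start if start is not None else "?"))
```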
Old 01/30/2010, 18:06   #50
 
elite*gold: 0
Join Date: Mar 2008
Posts: 109
Received Thanks: 64
Quote:
Originally Posted by diablokoaiua View Post
There is a program that can find offsets within a second
Is there a program to make money in seconds too?

Another tip with the "send" function. Once you get it, use MHS (from L. Spiro - a lot more powerful than CE). Set a break point and use a script to print out the raw unencrypted data before sending to the server.

Now you will be able to see every single server opcode in the game. Then when you need to do something, make your own opcodes, and call it through the "send" function.
vuduy is offline  
Old 02/05/2010, 02:22   #51
 
elite*gold: 0
Join Date: Sep 2008
Posts: 84
Received Thanks: 15
toxic or anyone, can you help me find EXP_ARRAY?
wildwinter is offline  
Old 02/05/2010, 02:24   #52
 
elite*gold: 0
Join Date: Sep 2008
Posts: 84
Received Thanks: 15
Quote:
Originally Posted by diablokoaiua View Post
There is a program that can find offsets within a second
lol, there is. but it's just some basic offsets for the MHS bot. beyond that no one would make it public.
wildwinter is offline  
Old 02/05/2010, 20:24   #53
 
elite*gold: 0
Join Date: Sep 2008
Posts: 5
Received Thanks: 0
awesome guide! and thanks a mil for sharing this! i think this will be able to answer most of my questions

i tried doing your steps and i just stumbled on a thought...

how did you come up with "^^C8FF64" in DrawStatusText?
neverasunset is offline  
Old 02/06/2010, 13:50   #54
 
elite*gold: 0
Join Date: Mar 2007
Posts: 26
Received Thanks: 38
@wildwinter:

what's the EXP_ARRAY supposed to be? seriously, i don't know what u mean here :X


@neverasunset:

thanks, you're welcome man. this is a good question. as you might already think, this is not the way i found this function the first time. when i found this function the first time, i checked the whole function for something else to find it more easily and quicker, and this string ref is what i came up with. this string is only referenced inside this function and hasn't changed over a thousand updates. finding this func the "real" way is harder than finding any other func i explained in the tut and since this tut started out with this func, i didn't wanna go the "hard" way on this func. if you wanna know how to find this func the real way for the very first time, i'll try to explain real quick here:

restart your client and log on to the game (this will make the search for the "real" string easier). choose an error msg you desire (e.g. action still on cooldown). search for the string via ce. tab unicode and case sensitive. you might find more than 1 address. now for every address you found, do the following: add 2 to the address and add it to the addr list (this might reduce the results in the following steps). now find out what accesses this address. now make the error msg appear in game by executing the corresponding actions in game. if ce pops up some instructions that accessed your address, you probably found the right string. the instruction should be inside some scanf function.

now open your debugger. if you want to, you can just set a bp on the address you found. your bp will hit even if you don't generate the error msg. that's because scanf is used by many other functions as well. so we will have to make a conditional bp. (you could probably as well use a memory bp on the string, but it might break on something else we don't want). so make a conditional bp on this address, which accesses the "real" string you found. generate the error msg again. your bp should hit.

now you have to trace (use trace over) through all these scanf (sub)functions until you're back inside elementclient.exe. once you're back inside elementclient.exe, write down the addr you're at right now. open this addr in ida pro. scroll up to the func start. that's your DrawStatusText func.
toxic6666 is offline  
Thanks
2 Users
Old 02/08/2010, 06:26   #55
 
elite*gold: 0
Join Date: Sep 2008
Posts: 84
Received Thanks: 15
as far as i know exp_array is an array storing the address of current exp and exp max (of that lvl)

p/s: thank you for all your hard work about finding function in the first page. IT IS REALLY HELPFUL.
wildwinter is offline  
Old 02/08/2010, 20:28   #56
 
elite*gold: 0
Join Date: Jan 2009
Posts: 137
Received Thanks: 19
@wild
It seems strange, but AFAIK the client does not store EXP as an array - you can get only current EXP. EXP needed for the next level you can calculate yourself.
AlexGD is offline  
Thanks
1 User
Old 02/09/2010, 06:56   #57
 
elite*gold: 0
Join Date: Sep 2008
Posts: 84
Received Thanks: 15
Quote:
Originally Posted by AlexGD View Post
@wild
It seems strange, but AFAIK the client does not store EXP as an array - you can get only current EXP. EXP needed for the next level you can calculate yourself.
thank you.

this is a function I have
Quote:
Func GETEXPM()
Return _MEMORYREAD($EXP_ARRAY + ($LEVELNOW * 4), $MEMID)
EndFunc
GETEXPM is expmax I think.
wildwinter is offline  
Old 02/15/2010, 11:54   #58
 
elite*gold: 0
Join Date: Jan 2009
Posts: 69
Received Thanks: 13
Toxic, can you help me some more?
I've found the sell item function, its address is 005DC430, and here's the function itself:


Can you help me find correct direct injection code? I really need it. But I can't figure out how to make it work. (

I've also found injection code for it, but it doesn't work for me:

(translated from Chinese)
// Trading CALL. Kind of the base address can be replaced
pushad
sub esp, $c
mov eax, p1 // item ID (refer to the type or system ID)
mov dword ptr [esp], eax
mov eax, p2 // where the number of grid
mov dword ptr [esp+4], eax
mov eax, p3 // the number of transactions
mov dword ptr [esp+8], eax
push esp // Push data structure
push 1
call Address
add esp, 8
add esp, $c
popad
FunkU is offline  
Old 06/06/2010, 05:35   #59
 
elite*gold: 0
Join Date: Sep 2008
Posts: 35
Received Thanks: 0
Hi Toxic,
Are you still following this thread? I got almost all the points in your tutorial but when I go to the code with assembly, I can't make it run.
The Perfect World window crashes every time I try to inject the function! Maybe because my inject function is not correct!

Here is that code :

#include <windows.h>

// Thread procedure wrapper assumed from lpParam / return 0 (the original post shows only the body)
DWORD WINAPI InjectThread(LPVOID lpParam)
{
    DWORD CallAddress = 0x5D19A0;
    DWORD MonsterID = (DWORD)lpParam;
    __try
    {
        _asm
        {
            mov edx, 009C0E6Ch;               ; client global at this address
            push MonsterID;                   ; stack argument
            mov ecx, DWORD PTR [edx+0x20];    ; ecx = *(edx+0x20) ...
            add ecx, 0xEC;                    ; ... + 0xEC, used as the this pointer (thiscall)
            mov edx, CallAddress;
            call edx;
        }
    }
    __except(1)                               // 1 == EXCEPTION_EXECUTE_HANDLER: swallow the crash
    {
    }
    return 0;
}
SunB is offline  
Old 06/13/2010, 09:32   #60
 
elite*gold: 0
Join Date: Feb 2008
Posts: 188
Received Thanks: 17
thx a lot, i'm gonna read thru this now. ;o
dudio is offline  