PWI Neverfall changes

Stark77 · 04/14/2017, 02:38

Below you can find my updated offset list.
I tested the (dark) green highlighted offsets while for those without a color I was to lazy so far.

However, I struggle a lot to get the red marked offsets be course the awesome

by denzjh
is not working anymore for me

Does anyone know why it is not working anymore? Maybe it is also just a mistake on my side.

---------------

global realBaseAddress := 0xE4BAB0
global SendPacketAddress := 0x875D70
global AutoPathAddress := 0x4596D0
global ADDRESS_ACTION1 := 0x4CF440
global ADDRESS_ACTION2 := 0x4D59C0
global ADDRESS_ACTION3 := 0x4CFA50
global ADDRESS_GATHER := 0x4C4CA0
global CastAddress := 0x4BC950
global ADDRESS_FOLLOW := 0x0070BD00
global partyInviteOffset := 0xF06C60
global UnfreezOffset := 0x4F0
global chatBase_offset := 0xDAA3D8
global baseOffset:= 0x1C
global ListOffset := 0x1C
global XposOffset := 0x3C
global YposOffset := 0x44
global ZposOffset := 0x40
;~ #--------- Player ------------#
global PlayerListOffset := 0x1C
global sortedPlayerListOffset := 0x98
global PlayerCounterOffset := 0x18
global playerOffSet := 0x34
global playerNameOffset := 0x750
global playerIDOffset := 0x4B8
global PlayerHPOffset := 0x4CC
global PlayerHPmaxOffset := 0x520
global PlayerMPOffset := 0x4D0
global PlayerMPmaxOffset := 0x524
global playerLvlOffset := 0x4F8
global PlayerChiOffset := 0x4E0
global PlayerCoins_Offset := 0x5A8
global PlayerClass_Offset := 0x754
global PlayerTarget_Offset := 0x5A4
global PlayerEarningTime_Offset := 0x1730
global PlayerParty_Offset := 0x7D0
global PlayerEventGold := 0x1608
global PlayerNpcWindow := 0xF62
;~ #-------- NPC ----------------#
global NpcListOffset := 0x20
global sortedNpcListOffset := 0x5c
global NpcCounterOffset := 0x18
global NpcUIDOffset := 0x114
global NpcIDOffset := 0x118
global NpcNameOffset := 0x260
global NpcLVLOffset := 0x120
global NpcHPOffset := 0x128
global NpcHPmaxOffset := 0x17C
global NpcSpecialOffset := 0x24C
;~ #-------- Item ---------------#
global ItemListOffset := 0x24
global sortedItemListOffset := 0x1C
global ItemCounterOffset := 0x14
global ItemNameOffset := 0x168
global ItemUIDOffset := 0x110
global ItemIDOffset := 0x114
;~ #----- Inventory -------------#
global InventoryListOffset := 0x1160
global sortedInventoryListOffset := 0xC
global InventorySizeOffset := 0x10
global InvName_Offset := 0x4C
global InvID_Offset := 0xC
global InvStackAmount_Offset := 0x14
global InvMAXStackAmount_Offset := 0x18
global InvDurability_Offset := 0x74
global InvMaxDurability_Offset := 0x78
global refineLevelOffset := 0x90
global InvSellPrice_Offset := 0x1C
global FlyerID_Offset := 0x5F8
;~ #---------- actions ----------#
global MoveMode_Offset := 0x760
global playerActionStructOffset := 0x15C4
global SkillsBase_Offset := 0x15F0
global SkillsCount_Offset := 0x15F4

Since many of us use different names, here the old list for comparison:

Spoiler

jasty · 04/14/2017, 03:00

Thanks for this. My python Address Retriever script also stopped working. Every single **** regex broke. It still works fine on the PWCN client of this expansion. They must have changed compilers I guess?

So the red addresses are broken right? I don't know how to breakpoint that so I'm lost without a decent regex for the basic things. Anyone got a clue?

Actually I think sendpacket is pretty easy to get if you put a breakpoint in WS_32.dll>send or something. The others I dunno.

EDIT: OK I think I have a debug strategy for the action stuff. You should be able to breakpoint on any update to the action flag which is actually in the player struct. From there you can examine up the call stack until you see parameters that resemble what happens in our inject code. From there you can examine the calling function to see the other function addresses. Will try this later.

Kruger2001 · 04/14/2017, 09:39

so far:

CharChoose:
"elementclient.exe"+00A514CC + 34 + a4c
Forcelog
"elementclient.exe"+00A87784 + 4 + 1c0 + 268

global SendPacketAddress := 0x7EDB30

Spoiler

jasty · 04/14/2017, 21:15

Global $ADDRESS_BASE = 0xE4BAB0
Global $ADDRESS_SENDPACKET = 0x7edb30
Global $ADDRESS_CASTSKILL = 0x4E07A0
Global $OFFSET_ACTIONBASE = 0x15c4
Global $ADDRESS_GATHER = 0x4D19B0
Global $ADDRESS_REGATTACK = 0x4CCE80

I'm struggling hard with figuring out the walk / autopath stuff they might have changed it up I think.

I can set a breakpoint fine by setting a breakpoint condition on when it writes a 1 to the action flag in the player struct. Then I examine the full stack trace to find the call (the return address on the stack points to the instruction after the call) but I think maybe the parameters are different?

Global $ADDRESS_AUTOPATH = ???
Global $ADDRESS_ACTION1 = ???
Global $ADDRESS_ACTION2 = ???
Global $ADDRESS_ACTION3 = ???

Like this is me trying to do autopath:

Maybe there are are more parameters now?

Kruger2001 · 04/15/2017, 08:39

global AutoPathAddress := 0x40A6D0

Code:

0040A6D0  /$ 6A FF          PUSH -1
0040A6D2  |. 68 F872B900    PUSH elementc.00B972F8
0040A6D7  |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0040A6DD  |. 50             PUSH EAX
0040A6DE  |. 83EC 20        SUB ESP,20
0040A6E1  |. 53             PUSH EBX
0040A6E2  |. 56             PUSH ESI
0040A6E3  |. A1 4864E400    MOV EAX,DWORD PTR DS:[E46448]
0040A6E8  |. 33C4           XOR EAX,ESP
0040A6EA  |. 50             PUSH EAX
0040A6EB  |. 8D4424 2C      LEA EAX,DWORD PTR SS:[ESP+2C]
0040A6EF  |. 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
0040A6F5  |. 8BF1           MOV ESI,ECX
0040A6F7  |. 8D4C24 0C      LEA ECX,DWORD PTR SS:[ESP+C]
0040A6FB  |. E8 709A0000    CALL elementc.00414170
0040A700  |. 8B4C24 40      MOV ECX,DWORD PTR SS:[ESP+40]
0040A704  |. 8B5424 44      MOV EDX,DWORD PTR SS:[ESP+44]
0040A708  |. 8B4424 3C      MOV EAX,DWORD PTR SS:[ESP+3C]
0040A70C  |. 894C24 10      MOV DWORD PTR SS:[ESP+10],ECX
0040A710  |. 8B4C24 4C      MOV ECX,DWORD PTR SS:[ESP+4C]
0040A714  |. 895424 14      MOV DWORD PTR SS:[ESP+14],EDX
0040A718  |. 8B5424 50      MOV EDX,DWORD PTR SS:[ESP+50]
0040A71C  |. 894424 0C      MOV DWORD PTR SS:[ESP+C],EAX
0040A720  |. 8B4424 48      MOV EAX,DWORD PTR SS:[ESP+48]
0040A724  |. 894C24 1C      MOV DWORD PTR SS:[ESP+1C],ECX
0040A728  |. 8B4C24 58      MOV ECX,DWORD PTR SS:[ESP+58]
0040A72C  |. 895424 20      MOV DWORD PTR SS:[ESP+20],EDX
0040A730  |. 894424 18      MOV DWORD PTR SS:[ESP+18],EAX
0040A734  |. 8B4424 54      MOV EAX,DWORD PTR SS:[ESP+54]
0040A738  |. 8D5424 0C      LEA EDX,DWORD PTR SS:[ESP+C]
0040A73C  |. 894C24 28      MOV DWORD PTR SS:[ESP+28],ECX
0040A740  |. 52             PUSH EDX
0040A741  |. 8BCE           MOV ECX,ESI
0040A743  |. C74424 38 0000>MOV DWORD PTR SS:[ESP+38],0
0040A74B  |. 894424 28      MOV DWORD PTR SS:[ESP+28],EAX
0040A74F  |. E8 ECD9FFFF    CALL elementc.00408140
0040A754  |. 8D4C24 0C      LEA ECX,DWORD PTR SS:[ESP+C]
0040A758  |. 8AD8           MOV BL,AL
0040A75A  |. C74424 34 FFFF>MOV DWORD PTR SS:[ESP+34],-1
0040A762  |. E8 199A0000    CALL elementc.00414180
0040A767  |. 8AC3           MOV AL,BL
0040A769  |. 8B4C24 2C      MOV ECX,DWORD PTR SS:[ESP+2C]
0040A76D  |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
0040A774  |. 59             POP ECX
0040A775  |. 5E             POP ESI
0040A776  |. 5B             POP EBX
0040A777  |. 83C4 2C        ADD ESP,2C
0040A77A  \. C2 2000        RETN 20

jasty · 04/15/2017, 10:25

I wonder why I couldnt find it... How about Move? The current version we are using is broken into ACTION1-ACTION3 but it seems silly that Autopath has a simple function to call directly but move doesn't. If it was one address it would be easier to maintain.

Kruger2001 · 04/15/2017, 12:14

Action address so far:

snippets from our moveto command:
normalMoveTo(p,X,Y,Z=0,flyflag=0)
func = %func%8B8F%OFFSET_ACTIONBASE% ;MOV ECX,DWORD PTR DS:[EDI+playerActionStructOffset]
func = %func%8B401C ;MOV EAX,DWORD PTR DS:[EAX+1C]
func = %func%8D4C241C ;LEA ECX,[ESP+1C]

So I searched in olly for the line OFFSET_ACTIONBASE (8B8F C4150000) MOV ECX,DWORD PTR DS:[EDI+15C4]
Sort the functions in which also [EXA+1C] and [ESP+1C] are contained.

One of the following addresses would probably have the main moveto function:

004C1AF0 /$ 6A FF PUSH -1

004CCE80 /$ 55 PUSH EBP

004D19B0 /$ 55 PUSH EBP

004D6CB0 /$ 81EC F0010000 SUB ESP,1F0

004E02C0 /$ 57 PUSH EDI

006AC480 /$ 81EC A4000000 SUB ESP,0A4

00930A90 /$ 6A 08 PUSH 8

Actually only breakpoint and look if they are triggered if one clicks in the client, if you can take the action addresses from it.

I'm almost sure that action 3 0xA41E00 is and action 1 maybe 0xAB28F0, Action 2 could be anywhere at 0xA4DEA0.

I have unfortunately not so much time and can only later search.

bmurji · 04/16/2017, 10:44

Anyone managed to update the offset files for Primal quests?

jasty · 04/16/2017, 22:14

Quote:

Originally Posted by Kruger2001

Action address so far:

snippets from our moveto command:
normalMoveTo(p,X,Y,Z=0,flyflag=0)
func = %func%8B8F%OFFSET_ACTIONBASE% ;MOV ECX,DWORD PTR DS:[EDI+playerActionStructOffset]
func = %func%8B401C ;MOV EAX,DWORD PTR DS:[EAX+1C]
func = %func%8D4C241C ;LEA ECX,[ESP+1C]

So I searched in olly for the line OFFSET_ACTIONBASE (8B8F C4150000) MOV ECX,DWORD PTR DS:[EDI+15C4]
Sort the functions in which also [EXA+1C] and [ESP+1C] are contained.

One of the following addresses would probably have the main moveto function:

004C1AF0 /$ 6A FF PUSH -1

004CCE80 /$ 55 PUSH EBP

004D19B0 /$ 55 PUSH EBP

004D6CB0 /$ 81EC F0010000 SUB ESP,1F0

004E02C0 /$ 57 PUSH EDI

006AC480 /$ 81EC A4000000 SUB ESP,0A4

00930A90 /$ 6A 08 PUSH 8

Actually only breakpoint and look if they are triggered if one clicks in the client, if you can take the action addresses from it.

I'm almost sure that action 3 0xA41E00 is and action 1 maybe 0xAB28F0, Action 2 could be anywhere at 0xA4DEA0.

I have unfortunately not so much time and can only later search.

I tried all of those but none triggered specifically on click (though one was triggered constantly on idle).

This is what I think the candidates might be but I'm not really proficient enough in this area to make progress.

These are the candidates:
4E3070
4E3120
4E24D0
4ECCA0
4ECB60
4E35F0

I've got a good feeling 4E35F0 is ACTION3 because that push 0,edi,1 pattern is familiar but I'm not too sure about ACTION1 and ACTION2. 4E3070 might be ACTION1 since I see it near the beginning of a few functions that use the action struct offset. That leaves a lot of other calls in the middle for ACTION2...

Anyone have any guidance from here?

Kruger2001 · 04/17/2017, 13:29

Finally

global ADDRESS_ACTION1 := 0x4E24D0
global ADDRESS_ACTION2 := 0x4E7C90
global ADDRESS_ACTION3 := 0x4E35F0

Main moveto:

Spoiler

How to find with olly:

Attach and make sure that you are on module elementc.

Search for - Sequence of commands, enter the two assembly instructions:
PUSH 3
MOV ECX,EDI

At every hit compare the bottom section of the mainmoveto, after a few unusable hits comes the searched function.

Stark77 · 04/18/2017, 01:37

That's so awesome. Thank you a lot for your effort and help!

bmurji · 04/23/2017, 16:34

Is the first post the correct list with the updates people have provided?

breakupp · 04/25/2017, 18:29

i believed they provided a working offset.. now you just need to find a way to convert it so denzjh program can read it.. i do not know how.. but good luck

bmurji · 04/26/2017, 13:01

Quote:

Originally Posted by breakupp

i believed they provided a working offset.. now you just need to find a way to convert it so denzjh program can read it.. i do not know how.. but good luck

I figured that xD; But can anyone help me do so?

Stark77 · 04/26/2017, 23:17

My first post does not include the missing offsets (red highlighted) but you can find these in the posts of jasty and kruger.

To get this other bot to work simply compare the old offsets (check the end of my first post) with those of that other bot and replace them with the new offsets.