PWI Hack Sourcecodes Blog

Discussion on PWI Hack Sourcecodes Blog within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.

Old 07/29/2010, 10:16   #16
 
Posted by lolkop
That one was outdated.
I've rewritten the function to use the original client function.

Code:
Func SelectMob($id)
	; $kernel32, $mid (handle of the client process), $base, $select_call and _hex() are globals defined elsewhere in the tool
	Local $pRemoteMem, $hRemoteThread, $vBuffer, $loop, $result, $OPcode = ''
	; --- allocate 0x46 bytes of executable memory (MEM_COMMIT, PAGE_EXECUTE_READWRITE) and save its position ---
	$pRemoteMem = DllCall($kernel32, 'int', 'VirtualAllocEx', 'int', $mid, 'ptr', 0, 'int', 0x46, 'int', 0x1000, 'int', 0x40)
	; --- build up the asm code; this is what the client itself does ---
	; 0046061D  A1 6C3E9F00       MOV EAX,DWORD PTR DS:[9F3E6C]
	; 00460622  57                PUSH EDI                        <---- EDI contains the mob ID
	; 00460623  8B48 20           MOV ECX,DWORD PTR DS:[EAX+20]
	; 00460626  81C1 EC000000     ADD ECX,0EC
	; 0046062C  E8 8F961800       CALL elementc.005E9CC0
	$OPcode &= '60'                                                           ; pushad (save registers)
	$OPcode &= 'A1'&_hex($base)                                               ; mov eax, [base]
	$OPcode &= '68'&_hex($id)                                                 ; push mob-id
	$OPcode &= '8B4820'                                                       ; mov ecx, [eax+0x20]
	$OPcode &= '81C1'&_hex(0xEC)                                              ; add ecx, 0xEC
	$OPcode &= 'E8'&_hex($select_call-$pRemoteMem[0]-5-StringLen($OPcode)/2)  ; call select_call (rel32 = target - address of the E8 - 5)
	$OPcode &= '61'                                                           ; popad (restore the saved registers)
	$OPcode &= 'C3'                                                           ; retn (back to the main tool)
	; --- copy the asm code into a DllStruct, which can be used with WriteProcessMemory ---
	$vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
	For $loop = 1 To DllStructGetSize($vBuffer)
		DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
	Next
	; --- now write the code from our DllStruct into the client ---
	DllCall($kernel32, 'int', 'WriteProcessMemory', 'int', $mid, 'int', $pRemoteMem[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)
	; --- now we run the asm code we've just written ---
	$hRemoteThread = DllCall($kernel32, 'int', 'CreateRemoteThread', 'int', $mid, 'int', 0, 'int', 0, 'int', $pRemoteMem[0], 'ptr', 0, 'int', 0, 'int', 0)
	; --- wait until the thread has done its job (258 = WAIT_TIMEOUT, so keep polling) ---
	Do
		$result = DllCall($kernel32, 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
	Until $result[0] <> 258
	; --- close everything we've opened (0x8000 = MEM_RELEASE) ---
	DllCall($kernel32, 'int', 'CloseHandle', 'int', $hRemoteThread[0])
	DllCall($kernel32, 'ptr', 'VirtualFreeEx', 'int', $mid, 'int', $pRemoteMem[0], 'int', 0, 'int', 0x8000)
	Return True
EndFunc
lolkop is offline  
Old 07/29/2010, 15:29   #17
 
Posted by No0oB
Ah thx ^^ I need the asm code because I want to make a DLL for some stuff like mob selecting, item pickup and so on.
No0oB is offline  
Old 07/29/2010, 16:07   #18
 
Posted by lolkop
Building DLL files is useless for such easy tasks... that can be done in every single language, since it's based on WinAPIs only.
lolkop is offline  
Old 07/31/2010, 19:39   #19
 
Posted by Brows
Hi, I found the function with OllyDbg, but now I have a few questions about your code:

A1 6C3E9F00 MOV EAX,DWORD PTR DS:[9F3E6C]
-> 'A1'&_hex($base) Is $base = 6C3E9F00 ?

; 0046062C E8 8F961800 CALL elementc.005E9CC0
-> $OPcode &= 'E8'&_hex($select_call-$pRemoteMem[0]-5-StringLen($OPcode)/2) ; call select_call

Couldn't you write: $OPcode &= 'E88F961800' ?
Brows is offline  
Old 07/31/2010, 20:33   #20
 
Posted by lolkop
Quote:
Originally Posted by Brows
Hi, I found the function with OllyDbg, but now I have a few questions about your code:

A1 6C3E9F00 MOV EAX,DWORD PTR DS:[9F3E6C]
-> 'A1'&_hex($base) Is $base = 6C3E9F00 ?

; 0046062C E8 8F961800 CALL elementc.005E9CC0
-> $OPcode &= 'E8'&_hex($select_call-$pRemoteMem[0]-5-StringLen($OPcode)/2) ; call select_call

Couldn't you write: $OPcode &= 'E88F961800' ?
_hex automatically turns 0x9F3E6C into the reversed 6C3E9F00, which can be used by the CPU.

So $base = 0x9F3E6C.

Now to get to the call. Calls ain't that easy to realize. To explain it, check the string in OllyDbg.

Code:
0046062C  E8 8F961800       CALL elementc.005E9CC0
As you can see, the address that gets called is 0x5E9CC0.
The call string is 8F 96 18 00. Reversed we get the real hex value: 0x0018968F.
And the call command is placed @ 0x0046062C.

We know we want to call 0x5E9CC0, but how can we get the hex string to call that address? All we have is the inline position and the call address:
0x46062C and 0x5E9CC0, and we need to get 0x18968F as result.

If we subtract 0x46062C from 0x5E9CC0, we get 0x189694 as result. As you can see, it's still too high. We need to subtract 5 from that to get the real string we're looking for: 0x18968F.

So we've found the formula for how to get the call string we need:
Code:
$call_string = $call_adress - $position - 5
So what's the $position in our code?
We know the allocated memory is placed @ $pRemoteMem[0]. That's where we place all of our asm code.
But that's still not where we place our call.
First we add '60' (1 byte), then 'A1'&_hex($base) (5 bytes), then '68'&_hex($id) (5 bytes), then '8B4820' (3 bytes), and now we're writing our call.
So the position is $pRemoteMem[0] + 1 + 5 + 5 + 3 (that's equal to $pRemoteMem[0] + 14 or $pRemoteMem[0]+StringLen($OPcode)/2).

So now we've got our $position = $pRemoteMem[0]+StringLen($OPcode)/2.
The $call_adress is 0x5E9CC0.
So our formula is:
Code:
$call_adress = 0x5E9CC0
$position = $pRemoteMem[0]+StringLen($OPcode)/2
$call_string = $call_adress - $position - 5
And that's exactly what I've written right there =)
For example, if the allocated memory is placed @ 0xB1000000, $pRemoteMem[0] would be 0xB1000000. The call would be placed @ 0xB1000000 + 14 and the call string would be 0x4F5E9CAD.
Now the _hex function is used to reverse those hex patterns and we get the call string: AD9C5E4F. So we can use the call with "E8 AD9C5E4F".

As you can see, that's totally different from E88F961800. Using the original string would call a totally different address, and your client would crash.
lolkop is offline  
Old 07/31/2010, 23:57   #21
 
Posted by Brows
Hmm, thanks for your explanation.
But the program always gives this stupid error message :/

Here is some debug data:

pRemoteMem = 0x1bc60000
MobID = 0x8010722d
baseadress = 0x009f3e6c
calladress = 0x005e9cc0

position=0x1bc60014
Lenght/2 = 14

callstring = 0xe4989ca7

OPCode:
"60A16C3E9F00682D7210808B482081C1EC000000E8E4989CA761C3"

"60A1 6C3E9F00 68 2D721080 8B482081C1EC000000E8 E4989CA7 61C3"

Could that be the right string?
(Attached image: em.jpg)
Brows is offline  
Old 08/01/2010, 00:27   #22
 
Posted by lolkop
You didn't use the _hex function on that call.

Code:
	$OPcode &= '60'                                                           ; pushad
	$OPcode &= 'A1'&_hex($base)                                               ; mov eax, [base]
	$OPcode &= '68'&_hex($id)                                                 ; push mob-id
	$OPcode &= '8B4820'                                                       ; mov ecx, [eax+0x20]
	$OPcode &= '81C1'&_hex(0xEC)                                              ; add ecx, 0xEC
	$OPcode &= 'E8'&_hex($select_call-$pRemoteMem[0]-5-StringLen($OPcode)/2)  ; call select_call
	$OPcode &= '61'                                                           ; popad
	$OPcode &= 'C3'                                                           ; retn
Your call string is wrong.
Quote:
pRemoteMem = 0x1bc60000
MobID = 0x8010722d
baseadress = 0x009f3e6c
calladress = 0x005e9cc0

position=0x1bc60014
Lenght/2 = 14
callstring = 0xe4989ca7
The string is correctly calculated, but it needs to be reversed. The CPU always reads the data reversed.

The correct string would be A79C98E4 in this case.

So your opcode would look like this:
Code:
60 A1 6C3E9F00 68 2D721080 8B48 20 81C1 EC000000 E8 A79C98E4 61 C3
Edit:
BTW, here's my _hex function:
Code:
Func _hex($Value)
	Local $tmp1, $tmp2 = '', $i
	; zero-pad to 8 hex digits (one 32-bit dword) ...
	$tmp1 = StringRight("0000000" & Hex($Value), 8)
	; ... then emit the bytes in reverse order, e.g. 0x9F3E6C -> 6C3E9F00
	For $i = 0 To StringLen($tmp1) / 2 - 1
		$tmp2 = $tmp2 & StringMid($tmp1, StringLen($tmp1) - 1 - 2 * $i, 2)
	Next
	Return $tmp2
EndFunc
It will turn all numbers into the correct form for codecaves =)
lolkop is offline  
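The call-displacement arithmetic from post #20 and the byte reversal that _hex() does in post #22, as an added Python example (editor's code, not from the thread or the tool): rel32() and le_hex() redo those two steps, and resolve_call() decodes the E8 inside a posted code-cave dump to show where it really lands, which is how the wrong-order bytes in post #21 can be spotted by inspecting the bytes rather than by running them. Function names are mine; the addresses are the ones quoted in the thread.

```python
import struct

MASK32 = 0xFFFFFFFF
# Byte offset of the E8 inside the stub the thread builds: pushad (1) + mov eax (5)
# + push id (5) + mov ecx (3) + add ecx (6); matches Brows's "position = alloc + 0x14".
STUB_CALL_OFFSET = 1 + 5 + 5 + 3 + 6


def rel32(call_site: int, target: int) -> int:
    """Displacement of a 5-byte E8 CALL at call_site that should land on target.
    The CPU adds rel32 to the address of the next instruction (call_site + 5),
    so rel32 = target - (call_site + 5), reduced modulo 2**32 when negative."""
    return (target - call_site - 5) & MASK32


def le_hex(value: int) -> str:
    """8-digit hex string in memory (little-endian) byte order; the same job as
    the AutoIt _hex() in the thread: 0x9F3E6C -> '6C3E9F00'."""
    return struct.pack("<I", value & MASK32).hex().upper()


def resolve_call(stub_hex: str, stub_base: int, call_offset: int = STUB_CALL_OFFSET) -> dict:
    """Decode the CALL in a hex dump of a code cave written at stub_base and
    report where it really lands, so the bytes can be checked before they run."""
    code = bytes.fromhex(stub_hex.replace(" ", ""))
    if code[call_offset] != 0xE8:
        raise ValueError("no E8 CALL at offset %d" % call_offset)
    disp = struct.unpack_from("<I", code, call_offset + 1)[0]
    site = stub_base + call_offset
    return {"call_site": site, "rel32": disp, "target": (site + 5 + disp) & MASK32}


if __name__ == "__main__":
    # Constructed checks using the numbers quoted in the thread.
    # lolkop's OllyDbg line: CALL at 0046062C reaching 005E9CC0 is E8 8F961800.
    assert rel32(0x0046062C, 0x005E9CC0) == 0x0018968F
    assert le_hex(0x0018968F) == "8F961800"
    # Brows's debug data: cave at 0x1BC60000, E8 at +0x14, target 0x005E9CC0.
    disp = rel32(0x1BC60014, 0x005E9CC0)
    print("rel32 = 0x%08X, bytes after E8 = %s" % (disp, le_hex(disp)))
    # The dump Brows posted has those four bytes in the wrong order ...
    wrong = resolve_call("60A16C3E9F00682D7210808B482081C1EC000000E8E4989CA761C3", 0x1BC60000)
    print("posted bytes land on 0x%08X" % wrong["target"])
    # ... the corrected dump from lolkop's reply lands on the client function.
    right = resolve_call("60 A1 6C3E9F00 68 2D721080 8B48 20 81C1 EC000000 E8 A79C98E4 61 C3", 0x1BC60000)
    print("corrected bytes land on 0x%08X" % right["target"])
```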
Old 08/01/2010, 00:36   #23
 
Posted by Brows
I found that error one second ago.

My function:
public String _ResHex(int hexValue)
{
    String mHexValue = hexValue.ToString("X8");
    String mResHex = "";

    for (int i = 0; i < mHexValue.Length / 2; i++)
    {
        mResHex += mHexValue.Substring(mHexValue.Length - (i * 2 + 2), 2);
    }

    return mResHex;
}

But the error message is still there.

New data:
pRemoteMem_int: 0x1b680000
position:0x1b680014
call_string: 0xe4f69ca7

60 A1 6C3E9F00 68 3C721080 8B48 20 81C1 EC000000 E8 A79CF6E4 61 C3
Brows is offline  
Old 08/01/2010, 13:28   #24
 
Posted by lolkop
Did you check the process of injection?

The asm code looks good so far.
You should make the tool pause after writing the asm data and check the written data with a hex editor ingame.

If something is wrong with that process, your memwrite doesn't work correctly.
lolkop is offline  
Old 08/01/2010, 14:21   #25
 
Posted by Smurfin
@chakjii: hi, nice blog you're having there. I just visited and noticed there is a $vCharBase to read the char name; how do you find a base address for the char? Usually it's a global base address and then you use offsets to point to other memory locations to read some values like hp, mp, maxhp etc.

I tried to subtract your PW version's $vCharBase from $vBase, the result is 1516, then add it to PW Indo's $vBase which is 10007676 and still can't read the char name.
Smurfin is offline  
Old 08/01/2010, 14:38   #26
 
Posted by chakjii
Quote:
Originally Posted by Smurfin
@chakjii: hi, nice blog you're having there. I just visited and noticed there is a $vCharBase to read the char name; how do you find a base address for the char? Usually it's a global base address and then you use offsets to point to other memory locations to read some values like hp, mp, maxhp etc.

I tried to subtract your PW version's $vCharBase from $vBase, the result is 1516, then add it to PW Indo's $vBase which is 10007676 and still can't read the char name.
Well, charnames and some other names are often static in games, but I don't know why.

You need to read the name with wchar, not with dword.
chakjii is offline  
Old 08/01/2010, 14:58   #27
 
Posted by Smurfin
I copy-pasted your whole code and tried your default $vCharBase; it still didn't display the correct char name. The char coordinate tool works though.
Smurfin is offline  
Old 08/01/2010, 15:12   #28
 
Posted by lolkop
Quote:
Originally Posted by Smurfin
I copy-pasted your whole code and tried your default $vCharBase; it still didn't display the correct char name. The char coordinate tool works though.
charname is clientbase + 0x1C + 0x610 + 0
lolkop is offline  
Old 08/01/2010, 15:48   #29
 
Posted by Brows
Quote:
Originally Posted by lolkop
Did you check the process of injection?

The asm code looks good so far.
You should make the tool pause after writing the asm data and check the written data with a hex editor ingame.

If something is wrong with that process, your memwrite doesn't work correctly.
Ahh, thank you.
That is the problem :/

I use
WriteProcessMemory(handle, pRemoteMem, out var1, new UIntPtr((uint)var1.Length), out rw);

[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, out byte[] lpBuffer, UIntPtr nSize, out IntPtr lpNumberOfBytesWritten);

but it writes a 0 into the address :/
If I edit it myself with the OPcode, the program selects the Mob/Npc.

Yeah, all right:
[DllImport("kernel32.dll")]
private static unsafe extern Boolean WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, IntPtr lpNumberOfBytesWritten);

Thank you for your help
Brows is offline  
Old 08/05/2010, 00:30   #30
 
Posted by ntKid
Quote:
Originally Posted by Smurfin
@chakjii: hi, nice blog you're having there. I just visited and noticed there is a $vCharBase to read the char name; how do you find a base address for the char? Usually it's a global base address and then you use offsets to point to other memory locations to read some values like hp, mp, maxhp etc.

I tried to subtract your PW version's $vCharBase from $vBase, the result is 1516, then add it to PW Indo's $vBase which is 10007676 and still can't read the char name.
Hey Smurf, the name strings are unicode; you probably need to convert them to the ANSI charset according to the printing APIs you're using. Use the WideCharToMultiByte API for this conversion. Cheers
ntKid is offline  