|
You last visited: Today at 06:41
Advertisement
PWI Hack Sourcecodes Blog
Discussion on PWI Hack Sourcecodes Blog within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.
07/17/2010, 01:29
|
#1
|
elite*gold: 0
Join Date: Apr 2007
Posts: 68
Received Thanks: 59
|
PWI Hack Sourcecodes Blog
Hey guys!
I opened a new blog at wordpress, because i think PW is such a great game and got such a small coding community.
I release tools, offsets, memory stuff, loader and lots of stuff there, but ONLY AutoIT sourcecodes.
If you like .exe files you can take my sourcecodes and create one on your own with AutoIT.
Feel free and take a look, if you like PW and AutoIT. I will update as often i can!
I'll keep new Memory Adresses and Offsets for PWI up2date as good as i can.
Hope to see you in comments, or feel free to discuss the stuff in this thread.
|
|
|
07/17/2010, 02:21
|
#2
|
elite*gold: 0
Join Date: Jan 2009
Posts: 175
Received Thanks: 162
|
:P lol
|
|
|
07/18/2010, 01:43
|
#3
|
elite*gold: 0
Join Date: Apr 2007
Posts: 68
Received Thanks: 59
|
Added adresses and offsets for Venomancer pets with AutoIT example script!
Coming next: Target names and positions.
Stay tuned!
|
|
|
07/18/2010, 04:16
|
#4
|
elite*gold: 0
Join Date: Aug 2008
Posts: 7
Received Thanks: 1
|
book marked
|
|
|
07/20/2010, 04:14
|
#5
|
elite*gold: 0
Join Date: Apr 2007
Posts: 68
Received Thanks: 59
|
Added a Perfect World map supporting multiclient. (you can see where your characters are, while being on desktop)
|
|
|
07/21/2010, 11:26
|
#6
|
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
|
well those are just the very basics.
the more interesting stuff would be how to use autoit to do higher level stuff =)
for example gettin the list of all mobs close to you and save them with some info in an array:
Code:
Func GetMobList($pid)
Local $array[769][3], $mid, $base, $pointer1, $pointer2, $pointer3, $pointer4, $mob_base, $mob_id, $mob_name, $mob_lvl
$mid = memopen($pid)
$base = memread($mid, 0x9F450C)
$pointer1 = memread($mid, $base + 0x8)
$pointer2 = memread($mid, $pointer1 + 0x24)
$pointer3 = memread($mid, $pointer2 + 0x18)
For $i=0 To 768
$pointer4 = memread($mid, $pointer3 + $i*0x4)
$mob_base = memread($mid, $pointer4 + 0x4)
$array[$i][0] = memread($mid, $mob_base + 0x11C) ;Mob ID
$array[$i][1] = memread($mid, memread($mid, $mob_base + 0x254), 'wchar[30]') ;Mob Name
$array[$i][2] = memread($mid, $mob_base + 0x124) ; Mob Level
Next
memclose($mid)
Return $array
EndFunc
Func memopen($pid)
Local $mid = DllCall('kernel32.dll', 'int', 'OpenProcess', 'int', 0x1F0FFF, 'int', 1, 'int', $pid)
Return $mid[0]
EndFunc ;==>memopen
Func memread($mid, $adress, $type = 'dword')
Local $struct = DllStructCreate($type)
DllCall('kernel32.dll', 'int', 'ReadProcessMemory', 'int', $mid, 'int', $adress, 'ptr', DllStructGetPtr($struct), 'int', DllStructGetSize($struct), 'int', '')
Return DllStructGetData($struct, 1)
EndFunc ;==>memread
Func memclose($mid)
DllCall('kernel32.dll', 'int', 'CloseHandle', 'int', $mid)
EndFunc ;==>memclose
and a function to select the mobs we've just collected, using the id:
Code:
Func Int2Hex($Value)
Local $tmp1, $tmp2, $i
$tmp1 = StringRight("0000000" & Hex($Value), 8)
For $i = 0 To StringLen($tmp1) / 2 - 1
$tmp2 = $tmp2 & StringMid($tmp1, StringLen($tmp1) - 1 - 2 * $i, 2)
Next
Return $tmp2
EndFunc
Func SelectMob($pid, $mob_id)
Local $kernel32, $pRemoteThread, $vBuffer, $loop, $result, $OPcode
$kernel32 = DllOpen("kernel32.dll")
; --- open the process ---
$mid = DllCall("kernel32.dll", 'int', 'OpenProcess', 'int', 0x1F0FFF, 'int', 1, 'int', $pid)
; --- save the position of the allocated memory ---
$pRemoteMem = DllCall($kernel32, "ptr", "VirtualAllocEx", "int", $mid[0], "ptr", 0, "int", 0x46, "int", 0x1000, "int", 0x40)
$pRemoteMem = $pRemoteMem[0]
; --- build up the asm code ---
$OPcode = "608B156C3E9F0068"&Int2Hex($mob_id)&"8B4A2081C1EC000000BAC09C5E00FFD261C3"
; --- enter the asm code to to a dllstruct, which can be used with WriteProcessMemory ---
$vBuffer = DllStructCreate("byte[" & StringLen($OPcode) / 2 & "]")
For $loop = 1 To DllStructGetSize($vBuffer)
DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
Next
; --- now letz write the code from our dllstruct ---
DllCall($kernel32, "int", "WriteProcessMemory", "int", $mid[0], "ptr", $pRemoteMem, "ptr", DllStructGetPtr($vBuffer), "int", DllStructGetSize($vBuffer), "int", 0)
; --- now we run the asm code we've just written ---
$hRemoteThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $mid[0], "ptr", 0, "int", 0, "int", $pRemoteMem, "ptr", 0, "int", 0, "int", 0)
; --- wait till the thread did his job ---
Do
$result = DllCall("kernel32.dll", "int", "WaitForSingleObject", "int", $hRemoteThread[0], "int", 50)
Until $result[0] <> 258
; --- close everything we've opened ---
DllCall($kernel32, "int", "CloseHandle", "int", $hRemoteThread[0])
DllCall($kernel32, "ptr", "VirtualFreeEx", "hwnd", $mid[0], "ptr", $pRemoteMem, "int", 0, "int", 0x8000)
DllCall("kernel32.dll", 'int', 'CloseHandle', 'int', $mid[0])
DllClose($kernel32)
Return True
EndFunc
Well those Functions are made to work for PWI they had to be edited to work for other clients too =) (could easily be automated, using the stringregexp functions)
same could be done with items on the ground, to pick them up.
guess explaining of the codecave i've used for selecting mobs is not needed. there's allready a stickied thread about it.
|
|
|
07/22/2010, 13:41
|
#7
|
elite*gold: 0
Join Date: Oct 2008
Posts: 32
Received Thanks: 13
|
Quote:
Originally Posted by chakjii
Added a Perfect World map supporting multiclient. (you can see where your characters are, while being on desktop)
|
The only use for now what I can see for that map is if you attach Herb/Monster/NPC/Resource locations to it (like ) and make it so clicking in the external map autopaths your character ingame there.
|
|
|
07/22/2010, 14:01
|
#8
|
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
|
or just display the positions of all your chars while the client is minimized...
if u're using bots that can be exremely helpful.
|
|
|
07/27/2010, 17:07
|
#9
|
elite*gold: 0
Join Date: Jun 2010
Posts: 16
Received Thanks: 4
|
Hey lolkop thanks for your post, I edit the code for c# - I will try to use your Mob Select Function too, the Moblist is ready thanks
|
|
|
07/28/2010, 03:31
|
#10
|
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
|
well the functions are simple winapis. the hard stuff is not to use this, but to find the functions in the client...
if you know how to find those functions you can easily use them... that way you're able to do what ever you like in the client, without needing to send any keys or clicks...
for example you could even produce mouseclicks ingame...
this is an example function for mouseclicks ingame, without using real mouse commands.
Code:
; $mid (memory handle returned by openprocess) must be predefined as global (used this way cuz its more efficient)
Func Click($x, $y)
Local $pRemoteThread, $vBuffer, $loop, $result, $OPcode
; --- save the position of the allocated memory ---
$pRemoteMem = DllCall($kernel32, 'int', 'VirtualAllocEx', 'int', $mid, 'ptr', 0, 'int', 0x46, 'int', 0x1000, 'int', 0x40)
; --- build up the asm code ---
;~ 00404856 |. 6A 00 PUSH 0 ; /Arg7 = 00000000
;~ 00404858 |. 52 PUSH EDX ; |Arg6 = 00000000
;~ 00404859 |. 51 PUSH ECX ; |Arg5 = y
;~ 0040485A |. 50 PUSH EAX ; |Arg4 = x
;~ 0040485B |. A1 6C3E9F00 MOV EAX,DWORD PTR DS:[9F3E6C] ; |
;~ 00404860 |. 6A 00 PUSH 0 ; |Arg3 = 00000000
;~ 00404862 |. 6A 00 PUSH 0 ; |Arg2 = 00000000
;~ 00404864 |. 8B48 1C MOV ECX,DWORD PTR DS:[EAX+1C] ; |
;~ 00404867 |. 68 E0000000 PUSH 0E0 ; |Arg1 = 000000E0
;~ 0040486C |. E8 8F5A0300 CALL elementc.0043A300 ; \elementc.0043A300
$OPcode &= '60' ; pushad
$OPcode &= '6A00' ; push 0
$OPcode &= '6A00' ; push Z (allways 0 :P)
$OPcode &= '68'&_hex($y) ; push y
$OPcode &= '68'&_hex($x) ; push x
$OPcode &= 'A1'&_hex($base) ; mov eax, [base]
$OPcode &= '6A00' ; push 0
$OPcode &= '6A00' ; push 0
$OPcode &= '8B481C' ; mov ecx, [eax+0x1C]
$OPcode &= '68'&_hex(0xE0) ; push 0xE0
$OPcode &= 'E8'&_hex($move_call-$pRemoteMem[0]-5-StringLen($OPcode)/2) ; call move_call
$OPcode &= '61' ; popad
$OPcode &= 'C3' ; retn
; --- enter the asm code to to a dllstruct, which can be used with WriteProcessMemory ---
$vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
For $loop = 1 To DllStructGetSize($vBuffer)
DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
Next
; --- now letz write the code from our dllstruct ---
DllCall($kernel32, 'int', 'WriteProcessMemory', 'int', $mid, 'int', $pRemoteMem[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)
; --- now we run the asm code we've just written ---
$hRemoteThread = DllCall($kernel32, 'int', 'CreateRemoteThread', 'int', $mid, 'int', 0, 'int', 0, 'int', $pRemoteMem[0], 'ptr', 0, 'int', 0, 'int', 0)
; --- wait till the thread did his job ---
Do
$result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
Until $result[0] <> 258
; --- close everything we've opened ---
DllCall($kernel32, 'int', 'CloseHandle', 'int', $hRemoteThread[0])
DllCall($kernel32, 'ptr', 'VirtualFreeEx', 'hwnd', $mid, 'int', $pRemoteMem[0], 'int', 0, 'int', 0x8000)
Return True
EndFunc
as you can see i realy used the original function from the client.
so if you ask yourself, why would i do this if i could also use postmessage or sendmessage, here's the answer....
you can even chat while using this... it doesn't simulate anything. it just directly accesses the function the client uses, if you click somewhere.
another reason would be that you can work control-based ingame. the function i have posted will directly click @ the gameworld. it it won't access anything else, like the chatwindow or the minimap. its working behind those controls =)
|
|
|
07/28/2010, 12:17
|
#11
|
elite*gold: 0
Join Date: Jun 2010
Posts: 16
Received Thanks: 4
|
Quote:
Originally Posted by lolkop
but to find the functions in the client...
|
Do you know a Tutorial, how to find them?^^
Which programs do I need to get them?
I rly dont want always to use the TAB key to select Mobs :P
|
|
|
07/28/2010, 13:03
|
#12
|
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
|
i'm using tsearch and odbg as debuggers.
odbg is awesome if u're looking for functions. functions are allways getting called by the main programm.
so you could set breakpoints on each single call using parameters (olly shows you the arguements the calls use), and u'll see where the client breaks on actions.
so if you do something and the client breaks @ the breakpoint, u've found the function.
|
|
|
07/28/2010, 13:39
|
#13
|
elite*gold: 0
Join Date: Jun 2010
Posts: 16
Received Thanks: 4
|
Okay I'll try to find some functions when I'm home.
But one question to your 1. code:
You Wrote a Struct with WriteProcessMemory in the mem, but why do you need a struct for that?
I tried to get the code in c#, but the client crashs always (or It gives some stupid error messages).
Now I wrote the byte[] array directly with WriteProcessMemory, but than the Client always give me the Message::
Server Error. Please log off and try again.
|
|
|
07/28/2010, 14:17
|
#14
|
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
|
well autoit isn't able to handle pointers, with external dll calls.
writeprocessmemory needs a pointer to the code, that gets written. since i'm not able to create pointers in autoit, i have to use the dllstruct command
|
|
|
07/29/2010, 00:55
|
#15
|
elite*gold: 0
Join Date: Jan 2009
Posts: 175
Received Thanks: 162
|
hey lolkop ^^
i failed to translate "608B156C3E9F0068(mob_id)8B4A2081C1EC000000BAC09C5 E00FFD261C3"
to clear asm text -.- can you pls post it... ^^"
...
or is this right ?
pushad
mov edx,[0x009F3E6C]
push (mob_id)
mov ecx,[edx+0x20]
add ecx,0x000000ec
mov edx,[0x005E9CC0]
call edx
popad
ret
|
|
|
|
|
Similar Threads
|
[Stolen]Sourcecodes
03/10/2010 - CrossFire - 4 Replies
hi habe ein paar Sourcecodes für die coder vllt hilft euch das ja.
Credits gehen an:dodo4876(****.net)
{
public:
float fMoveMentWalkRate; //0000
float fMovementDuckRate; //0004
float fMovementSideRate; //0008
float fMoveMentAcceleration; //000C
float fMoveMentFriction; //0010
|
SourceCodes: SmurfIT, AutoPotv1.95 and ZcPWBotv1.2
10/23/2009 - Perfect World - 45 Replies
I am in open source feeling, so im spreading the sources of this Bots. Partwise its crappy code, but nevertheless enjoy it!
SmurfIT:
cl1p.net
AutoPotv1.95:
cl1p.net
ZcPWBotv1.2:
cl1p.net
|
Suche SourceCodes
10/06/2009 - Flyff Private Server - 4 Replies
Hi
ich suche ein paar source von verschiedenen Flyff hacks. Habe auch schon via google gesucht, aber noch nichts gefunden. Soweit ich weiß kann mann aus diesen SourceCodes einen Neuen UNDETECTEN hack basteln oder?
Alle hilfreichen posts werden mit einem dicken DaumenHoch und einem Thanks bedankt ;)
|
Suche SourceCodes von Hacks
04/12/2008 - General Coding - 0 Replies
Moin ich mal wieder...
bin auf der suche nach sourcecodes von hacks favorisiert aber css... ist egal ob detectet oder nicht oder wieviele funktionen er hat. bin einfach nur interessiert wie genau den sowas funktioniert und wie man das mit dem d3d ingame menu anstellt
wäre für ein paar links hier oder per pm sehr dankbar
|
All times are GMT +2. The time now is 06:41.
|
|