PWI Hack Sourcecodes Blog

Discussion on PWI Hack Sourcecodes Blog within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.

Old   #1
 
elite*gold: 0
Join Date: Apr 2007
Posts: 68
Received Thanks: 59
PWI Hack Sourcecodes Blog

Hey guys!

I opened a new blog at WordPress, because I think PW is such a great game and has such a small coding community.

I release tools, offsets, memory stuff, loader and lots of stuff there, but ONLY AutoIT sourcecodes.
If you like .exe files you can take my sourcecodes and create one on your own with AutoIT.

Feel free to take a look if you like PW and AutoIT. I will update as often as I can!
I'll keep new memory addresses and offsets for PWI up to date as well as I can.

Hope to see you in comments, or feel free to discuss the stuff in this thread.

chakjii is offline  
Old 07/17/2010, 02:21   #2
 
 
elite*gold: 0
Join Date: Jan 2009
Posts: 175
Received Thanks: 162
:P lol
No0oB is offline  
Old 07/18/2010, 01:43   #3
 
elite*gold: 0
Join Date: Apr 2007
Posts: 68
Received Thanks: 59
Added addresses and offsets for Venomancer pets with AutoIT example script!
Coming next: Target names and positions.

Stay tuned!
chakjii is offline  
Old 07/18/2010, 04:16   #4
 
elite*gold: 0
Join Date: Aug 2008
Posts: 7
Received Thanks: 1
book marked
elitepvpiscool is offline  
Thanks
1 User
Old 07/20/2010, 04:14   #5
 
elite*gold: 0
Join Date: Apr 2007
Posts: 68
Received Thanks: 59
Added a Perfect World map supporting multiclient. (you can see where your characters are, while being on desktop)
chakjii is offline  
Old 07/21/2010, 11:26   #6
 
 
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
well those are just the very basics.
the more interesting stuff would be how to use autoit to do higher level stuff =)

for example, getting the list of all mobs close to you and saving them with some info in an array:
Code:
Func GetMobList($pid)
	Local $array[769][3], $mid, $base, $pointer1, $pointer2, $pointer3, $pointer4, $mob_base, $mob_id, $mob_name, $mob_lvl
	$mid = memopen($pid)
	$base = memread($mid, 0x9F450C)
	$pointer1 = memread($mid, $base + 0x8)
	$pointer2 = memread($mid, $pointer1 + 0x24)
	$pointer3 = memread($mid, $pointer2 + 0x18)
	For $i=0 To 768
		$pointer4 = memread($mid, $pointer3 + $i*0x4)
		$mob_base = memread($mid, $pointer4 + 0x4)
		$array[$i][0] = memread($mid, $mob_base + 0x11C) ;Mob ID
		$array[$i][1] = memread($mid, memread($mid, $mob_base + 0x254), 'wchar[30]') ;Mob Name
		$array[$i][2] = memread($mid, $mob_base + 0x124) ; Mob Level
	Next
	memclose($mid)
	Return $array
EndFunc

Func memopen($pid)
	Local $mid = DllCall('kernel32.dll', 'int', 'OpenProcess', 'int', 0x1F0FFF, 'int', 1, 'int', $pid)
	Return $mid[0]
EndFunc   ;==>memopen

Func memread($mid, $adress, $type = 'dword')
	Local $struct = DllStructCreate($type)
	DllCall('kernel32.dll', 'int', 'ReadProcessMemory', 'int', $mid, 'int', $adress, 'ptr', DllStructGetPtr($struct), 'int', DllStructGetSize($struct), 'int', '')
	Return DllStructGetData($struct, 1)
EndFunc   ;==>memread

Func memclose($mid)
	DllCall('kernel32.dll', 'int', 'CloseHandle', 'int', $mid)
EndFunc   ;==>memclose
and a function to select the mobs we've just collected, using the id:
Code:
Func Int2Hex($Value)
	Local $tmp1, $tmp2, $i 
	$tmp1 = StringRight("0000000" & Hex($Value), 8) 
	For $i = 0 To StringLen($tmp1) / 2 - 1 
		$tmp2 = $tmp2 & StringMid($tmp1, StringLen($tmp1) - 1 - 2 * $i, 2)
	Next
	Return $tmp2
EndFunc

Func SelectMob($pid, $mob_id)
	Local $kernel32, $pRemoteThread, $vBuffer, $loop, $result, $OPcode
	$kernel32 = DllOpen("kernel32.dll")
	; --- open the process ---
	$mid = DllCall("kernel32.dll", 'int', 'OpenProcess', 'int', 0x1F0FFF, 'int', 1, 'int', $pid)
	; --- save the position of the allocated memory ---
	$pRemoteMem = DllCall($kernel32, "ptr", "VirtualAllocEx", "int", $mid[0], "ptr", 0, "int", 0x46, "int", 0x1000, "int", 0x40)
	$pRemoteMem = $pRemoteMem[0]
	; --- build up the asm code ---
	$OPcode = "608B156C3E9F0068"&Int2Hex($mob_id)&"8B4A2081C1EC000000BAC09C5E00FFD261C3"
	; --- put the asm code into a dllstruct, which can be used with WriteProcessMemory ---
	$vBuffer = DllStructCreate("byte[" & StringLen($OPcode) / 2 & "]")
	For $loop = 1 To DllStructGetSize($vBuffer)
		DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
	Next
	; --- now let's write the code from our dllstruct ---
	DllCall($kernel32, "int", "WriteProcessMemory", "int", $mid[0], "ptr", $pRemoteMem, "ptr", DllStructGetPtr($vBuffer), "int", DllStructGetSize($vBuffer), "int", 0)
	; --- now we run the asm code we've just written ---
	$hRemoteThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $mid[0], "ptr", 0, "int", 0, "int", $pRemoteMem, "ptr", 0, "int", 0, "int", 0)
	; --- wait till the thread did his job ---
	Do
		$result = DllCall("kernel32.dll", "int", "WaitForSingleObject", "int", $hRemoteThread[0], "int", 50)
	Until $result[0] <> 258
	; --- close everything we've opened ---
	DllCall($kernel32, "int", "CloseHandle", "int", $hRemoteThread[0])
	DllCall($kernel32, "ptr", "VirtualFreeEx", "hwnd", $mid[0], "ptr", $pRemoteMem, "int", 0, "int", 0x8000)
	DllCall("kernel32.dll", 'int', 'CloseHandle', 'int', $mid[0])
	DllClose($kernel32)
	Return True
EndFunc
Well, those functions are made to work for PWI; they had to be edited to work for other clients too =) (could easily be automated, using the stringregexp functions)

same could be done with items on the ground, to pick them up.
guess explaining the codecave i've used for selecting mobs is not needed. there's already a stickied thread about it.
lolkop is offline  
Thanks
3 Users
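Added example (not part of lolkop's post or the blog's code): the functions above follow the OpenProcess (0x1F0FFF), VirtualAllocEx (protection 0x40), WriteProcessMemory, CreateRemoteThread sequence, which is the pattern anti-cheat and endpoint monitoring correlate on. This Python detector runs that correlation over a constructed API trace; the key=value trace format, the PIDs, handles and addresses are all assumptions made up for the example.

```python
import re

# Win32 access rights the chain needs; 0x1F0FFF (PROCESS_ALL_ACCESS) contains all three.
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0020  # CREATE_THREAD | VM_OPERATION | VM_WRITE
EXEC_WRITE = {0x40, 0x80}  # PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY

# Constructed sample trace; the line format and every value in it are hypothetical.
SAMPLE_TRACE = """\
pid=4120 api=OpenProcess access=0x1F0FFF target_pid=3388 ret=0x1A4
pid=5000 api=OpenProcess access=0x1000 target_pid=3388 ret=0x90
pid=4120 api=VirtualAllocEx handle=0x1A4 size=0x46 protect=0x40 ret=0x2A50000
pid=6100 api=OpenProcess access=0x1F0FFF target_pid=3388 ret=0x2C
pid=6100 api=VirtualAllocEx handle=0x2C size=0x100 protect=0x04 ret=0x3B00000
pid=4120 api=WriteProcessMemory handle=0x1A4 addr=0x2A50000 size=0x1E
pid=6100 api=WriteProcessMemory handle=0x2C addr=0x3B00000 size=0x10
pid=4120 api=CreateRemoteThread handle=0x1A4 start=0x2A50000
"""

def parse(line):
    """Turn 'k=v k=v ...' into a dict; every value except 'api' becomes an int."""
    ev = dict(re.findall(r"(\w+)=(\S+)", line))
    return {k: (v if k == "api" else int(v, 0)) for k, v in ev.items()}

def find_injections(trace):
    """Return one alert per remote thread started inside a written RWX allocation."""
    handles = {}  # (pid, handle) -> target pid, only for handles with inject rights
    regions = {}  # (pid, handle) -> [[base, size, written], ...] executable+writable
    alerts = []
    for line in trace.splitlines():
        ev = parse(line)
        if not ev:
            continue
        api, key = ev["api"], (ev["pid"], ev.get("handle"))
        if api == "OpenProcess":
            if ev["access"] & INJECT_RIGHTS == INJECT_RIGHTS:
                handles[(ev["pid"], ev["ret"])] = ev["target_pid"]
        elif key not in handles:
            continue  # handle was not opened with the rights needed to inject
        elif api == "VirtualAllocEx" and ev["protect"] in EXEC_WRITE:
            regions.setdefault(key, []).append([ev["ret"], ev["size"], False])
        elif api == "WriteProcessMemory":
            for region in regions.get(key, []):
                if region[0] <= ev["addr"] < region[0] + region[1]:
                    region[2] = True
        elif api == "CreateRemoteThread":
            for base, size, written in regions.get(key, []):
                if written and base <= ev["start"] < base + size:
                    alerts.append({"source_pid": ev["pid"],
                                   "target_pid": handles[key], "start": ev["start"]})
    return alerts
```

On Windows hosts, Sysmon Event ID 10 (ProcessAccess, with GrantedAccess 0x1F0FFF) and Event ID 8 (CreateRemoteThread) record the first and last steps of this chain.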
Old 07/22/2010, 13:41   #7
 
elite*gold: 0
Join Date: Oct 2008
Posts: 32
Received Thanks: 13
Quote:
Originally Posted by chakjii View Post
Added a Perfect World map supporting multiclient. (you can see where your characters are, while being on desktop)
The only use I can see for that map for now is if you attach Herb/Monster/NPC/Resource locations to it (like ) and make it so clicking in the external map autopaths your character ingame there.
zeroreport is offline  
Old 07/22/2010, 14:01   #8
 
 
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
or just display the positions of all your chars while the client is minimized...
if you're using bots that can be extremely helpful.
lolkop is offline  
Old 07/27/2010, 17:07   #9
 
elite*gold: 0
Join Date: Jun 2010
Posts: 16
Received Thanks: 4
Hey lolkop, thanks for your post. I edited the code for C# - I will try to use your mob select function too; the moblist is ready, thanks
Brows is offline  
Old 07/28/2010, 03:31   #10
 
 
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
well the functions are simple winapis. the hard stuff is not to use this, but to find the functions in the client...

if you know how to find those functions you can easily use them... that way you're able to do whatever you like in the client, without needing to send any keys or clicks...

for example you could even produce mouseclicks ingame...

this is an example function for mouseclicks ingame, without using real mouse commands.
Code:
; $mid (memory handle returned by openprocess) must be predefined as global (used this way cuz its more efficient)
Func Click($x, $y)
	Local $pRemoteThread, $vBuffer, $loop, $result, $OPcode
	; --- save the position of the allocated memory ---
	$pRemoteMem = DllCall($kernel32, 'int', 'VirtualAllocEx', 'int', $mid, 'ptr', 0, 'int', 0x46, 'int', 0x1000, 'int', 0x40)
	; --- build up the asm code ---
	;~ 00404856  |. 6A 00          PUSH 0                                   ; /Arg7 = 00000000
	;~ 00404858  |. 52             PUSH EDX                                 ; |Arg6 = 00000000
	;~ 00404859  |. 51             PUSH ECX                                 ; |Arg5 = y
	;~ 0040485A  |. 50             PUSH EAX                                 ; |Arg4 = x
	;~ 0040485B  |. A1 6C3E9F00    MOV EAX,DWORD PTR DS:[9F3E6C]            ; |
	;~ 00404860  |. 6A 00          PUSH 0                                   ; |Arg3 = 00000000
	;~ 00404862  |. 6A 00          PUSH 0                                   ; |Arg2 = 00000000
	;~ 00404864  |. 8B48 1C        MOV ECX,DWORD PTR DS:[EAX+1C]            ; |
	;~ 00404867  |. 68 E0000000    PUSH 0E0                                 ; |Arg1 = 000000E0
	;~ 0040486C  |. E8 8F5A0300    CALL elementc.0043A300                   ; \elementc.0043A300
	$OPcode &= '60'                                                         ; pushad
	$OPcode &= '6A00'                                                       ; push 0
	$OPcode &= '6A00'                                                       ; push Z (always 0 :P)
	$OPcode &= '68'&_hex($y)                                                ; push y
	$OPcode &= '68'&_hex($x)                                                ; push x
	$OPcode &= 'A1'&_hex($base)                                             ; mov eax, [base]
	$OPcode &= '6A00'                                                       ; push 0
	$OPcode &= '6A00'                                                       ; push 0
	$OPcode &= '8B481C'                                                     ; mov ecx, [eax+0x1C]
	$OPcode &= '68'&_hex(0xE0)                                              ; push 0xE0
	$OPcode &= 'E8'&_hex($move_call-$pRemoteMem[0]-5-StringLen($OPcode)/2)  ; call move_call
	$OPcode &= '61'                                                         ; popad
	$OPcode &= 'C3'                                                         ; retn
	; --- put the asm code into a dllstruct, which can be used with WriteProcessMemory ---
	$vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
	For $loop = 1 To DllStructGetSize($vBuffer)
		DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
	Next
	; --- now let's write the code from our dllstruct ---
	DllCall($kernel32, 'int', 'WriteProcessMemory', 'int', $mid, 'int', $pRemoteMem[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)
	; --- now we run the asm code we've just written ---
	$hRemoteThread = DllCall($kernel32, 'int', 'CreateRemoteThread', 'int', $mid, 'int', 0, 'int', 0, 'int', $pRemoteMem[0], 'ptr', 0, 'int', 0, 'int', 0)
	; --- wait till the thread did his job ---
	Do
		$result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
	Until $result[0] <> 258
	; --- close everything we've opened ---
	DllCall($kernel32, 'int', 'CloseHandle', 'int', $hRemoteThread[0])
	DllCall($kernel32, 'ptr', 'VirtualFreeEx', 'hwnd', $mid, 'int', $pRemoteMem[0], 'int', 0, 'int', 0x8000)
	Return True
EndFunc
as you can see i really used the original function from the client.

so if you ask yourself, why would i do this if i could also use postmessage or sendmessage, here's the answer....
you can even chat while using this... it doesn't simulate anything. it just directly accesses the function the client uses, if you click somewhere.

another reason would be that you can work control-based ingame. the function i have posted will directly click @ the gameworld. it won't access anything else, like the chatwindow or the minimap. it's working behind those controls =)
lolkop is offline  
Old 07/28/2010, 12:17   #11
 
elite*gold: 0
Join Date: Jun 2010
Posts: 16
Received Thanks: 4
Quote:
Originally Posted by lolkop View Post
but to find the functions in the client...
Do you know a tutorial on how to find them?^^
Which programs do I need to get them?

I really don't want to always use the TAB key to select mobs :P
Brows is offline  
Old 07/28/2010, 13:03   #12
 
 
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
i'm using tsearch and odbg as debuggers.

odbg is awesome if you're looking for functions. functions are always getting called by the main program.

so you could set breakpoints on each single call using parameters (olly shows you the arguments the calls use), and you'll see where the client breaks on actions.

so if you do something and the client breaks @ the breakpoint, you've found the function.
lolkop is offline  
Old 07/28/2010, 13:39   #13
 
elite*gold: 0
Join Date: Jun 2010
Posts: 16
Received Thanks: 4
Okay, I'll try to find some functions when I'm home.
But one question about your first code:
You wrote a struct with WriteProcessMemory into the memory, but why do you need a struct for that?

I tried to get the code into C#, but the client always crashes (or it gives some stupid error messages).
Now I wrote the byte[] array directly with WriteProcessMemory, but then the client always gives me the message:
Server Error. Please log off and try again.
Brows is offline  
Old 07/28/2010, 14:17   #14
 
 
elite*gold: 280
Join Date: May 2007
Posts: 2,818
Received Thanks: 3,483
well autoit isn't able to handle pointers, with external dll calls.

writeprocessmemory needs a pointer to the code, that gets written. since i'm not able to create pointers in autoit, i have to use the dllstruct command
lolkop is offline  
Old 07/29/2010, 00:55   #15
 
 
elite*gold: 0
Join Date: Jan 2009
Posts: 175
Received Thanks: 162
hey lolkop ^^
i failed to translate "608B156C3E9F0068(mob_id)8B4A2081C1EC000000BAC09C5E00FFD261C3"
to clear asm text -.- can you pls post it... ^^"
...
or is this right ?
pushad
mov edx,[0x009F3E6C]
push (mob_id)
mov ecx,[edx+0x20]
add ecx,0x000000ec
mov edx,[0x005E9CC0]
call edx
popad
ret
No0oB is offline  