Perfect World Bot PWI-Prophet Bot Recoded

soryel · 08/20/2010, 16:38

new offset for pw ph pls

PW-Prophets · 08/20/2010, 17:29

The download has been taken down due to some minor issues. We will fix this and reupload it later today. Thank you for your understanding in this matter.
Prophet 2

Interest07 · 08/20/2010, 19:24

Quote:
Originally Posted by Smurfin
what is 'Player' ? is it Playername base address ?

let me borrow these lines from prophet bot :
Code:
$CHAR_DATA_BASE = memread(memread($APP_BASE_ADDRESS) + 0x20), 
$NAME = memread(memread($CHAR_DATA_BASE + $OFFSET_NAME), 'wchar[30]')
so if you gave me 0x5C0 from playername, then it would be :
Code:
$Guild=memread(memread($NAME + 0x5C0), 'wchar[30]')
is that it ?

sorry I'm still having a hard time understanding pointer/baseadd/offset, although I know a bit on how to use them in autoit. Calculating Base address and an offset of something will get me a Pointer, right ? and that pointer can be used as a starting base address if there is other memory location that's read from there so we can call it like $Charname_Base ?

$CHAR_DATA_BASE = memread(memread($APP_BASE_ADDRESS) + 0x20),
$NAME = memread(memread($CHAR_DATA_BASE + 0x5F4, 'wchar[30]')
$Guild=memread($CHAR_DATA_BASE + 0x5C0)
$GuildRank=memread($CHAR_DATA_BASE + 0x5C4)

I just meant that for PW MS the name offset is 0x5F4, so if the one for your version is almost the same, then your guild offset should be around the same place as mine.

PLease note that the offset for guild i gave is the guild Id, not the guild name. THe first guild created on your server would be 1, second guild 2, and so on. Didn't find how to get the actual guildname. The easiest way to find offsets is to simply loop through a bunch of offsets and throw them out in a tooltip so you can just browse through the different values in the "character data base". I have never used AutoIt before but I imagine it would look something like this:

Code:

Hotkeyset("{numpadAdd}", "increaseOffset")
Hotkeyset("{numpadSub}", "decreaseOffset")

$baseOffset = 0x0
$offset = 0x0
while 1
	$outPut = ""
	For $i = 1 to 40 Step 1
		$offset = $offset + 0x4
		$outPut = $OutPut + "`n" + memread($CHAR_DATA_BASE + $Offset)
	next
	tooltip($OutPut)
Wend


func increaseOffset()

	baseOffset = baseOffset + 0xA0


endfunc

func increaseOffset()

	baseOffset = baseOffset - 0xA0


endfunc

edit: sorry to prophets for throwing this into your thread. Keep up the good work on the bot, seems to be working for people

Smurfin · 08/20/2010, 19:31

oh ok, thanks for the info and the script, should be useful ^^) , I'll try again later.
There should be many many guilds created since day one.

Tralalelo · 08/20/2010, 21:28

Hello, since the last update i noticed that after some times, it stops... i'll explain better: the bot says it is finding target but if i look into pw, i don't see targets switching.. so it just stops grind... why?
And another thing, really cool the new function "ress on die"

)

PW-Prophets · 08/21/2010, 02:31

Quote:
Originally Posted by Interest07
$CHAR_DATA_BASE = memread(memread($APP_BASE_ADDRESS) + 0x20),
$NAME = memread(memread($CHAR_DATA_BASE + 0x5F4, 'wchar[30]')
$Guild=memread($CHAR_DATA_BASE + 0x5C0)
$GuildRank=memread($CHAR_DATA_BASE + 0x5C4)

I just meant that for PW MS the name offset is 0x5F4, so if the one for your version is almost the same, then your guild offset should be around the same place as mine.

PLease note that the offset for guild i gave is the guild Id, not the guild name. THe first guild created on your server would be 1, second guild 2, and so on. Didn't find how to get the actual guildname. The easiest way to find offsets is to simply loop through a bunch of offsets and throw them out in a tooltip so you can just browse through the different values in the "character data base". I have never used AutoIt before but I imagine it would look something like this:
Code:
Hotkeyset("{numpadAdd}", "increaseOffset")
Hotkeyset("{numpadSub}", "decreaseOffset")

$baseOffset = 0x0
$offset = 0x0
while 1
	$outPut = ""
	For $i = 1 to 40 Step 1
		$offset = $offset + 0x4
		$outPut = $OutPut + "`n" + memread($CHAR_DATA_BASE + $Offset)
	next
	tooltip($OutPut)
Wend


func increaseOffset()

	baseOffset = baseOffset + 0xA0


endfunc

func increaseOffset()

	baseOffset = baseOffset - 0xA0


endfunc
edit: sorry to prophets for throwing this into your thread. Keep up the good work on the bot, seems to be working for people

Dont be sorry man helps us ALOT THX!!!!

chakjii · 08/21/2010, 03:16

i did something to see if the guildname adress might be hiding there like the charname but it isnt

this is the script i used

Code:

For $i = 0 To 4000 Step 4
	For $i2 = 0 To 4000 Step 4
		$result = memread(memread(memread(memread(0xA5BFCC) + 0x20) + $i) + $i2, 'wchar[30]')
		If $result = "GUILDNAME" Then MsgBox(0,"",$i & @CRLF & $i2)
	Next
Next

u can test if it works if you just put in your charname instead of "GUILDNAME" ;-)

i traced the guildname though in tsearch but i couldnt find any static pointer yet >.> well i guess i go on searching that the next days =)

Interest07 · 08/21/2010, 09:35

Quote:
Originally Posted by chakjii
i did something to see if the guildname adress might be hiding there like the charname but it isnt

this is the script i used
Code:
For $i = 0 To 4000 Step 4
	For $i2 = 0 To 4000 Step 4
		$result = memread(memread(memread(memread(0xA5BFCC) + 0x20) + $i) + $i2, 'wchar[30]')
		If $result = "GUILDNAME" Then MsgBox(0,"",$i & @CRLF & $i2)
	Next
Next
u can test if it works if you just put in your charname instead of "GUILDNAME" ;-)

i traced the guildname though in tsearch but i couldnt find any static pointer yet >.> well i guess i go on searching that the next days =)

Yeah I tried something similar, just looking for any strings hiding somewhere near your character pointer. Did find the name of the cat shop though

(bloody useless :P).

Prophets, did you find the function for sending packets yet for pwi? if not I'll have a go at it.

edit:
Ah there we go: function address for sending packets (like move, talk to NPC, sell items, etc) is:
0x0060E310

use it as follows:

Code:

PUSHAD
MOV     EAX, 0060E310
MOV     ECX, DWORD PTR [BaseAddress]
MOV     ECX, DWORD PTR [ECX+20]
MOV     EDI, packetAddress	
PUSH    packetSize		
PUSH    EDI
CALL    EAX
POPAD
RET

You'd first have to use VirtualAllocEx dllcall to make some space for your own packet, then store the packet you want to send there, and pass the address to EDI as in the code above.

Interest07 · 08/21/2010, 10:44

some stuff on packets:

Example for moving would be:

packets will look like this when sending:
0000<X><Y><Z><X><Y><Z><interval><speed><moveType>< counter>
500 ms later
0000<X><Y><Z><X><Y><Z><interval><speed><moveType>< counter>
500 ms later
0000<X><Y><Z><X><Y><Z><interval><speed><moveType>< counter>
500 ms later
0700<X><Y><Z><speed><direction><moveType><counter> <interval>

id = 0000 this is the id for a moving packet
destX = X coord where you wanna go (in reverse byte order, so if the X coord you want to go = 00F323A5, this would become A523F300)
destY = Y coord where you wanna go (in reverse byte order, so if the Y coord you want to go = 00F323A5, this would become A523F300)
destZ = Z coord where you wanna go (in reverse byte order, so if the Z coord you want to go = 00F323A5, this would become A523F300)
interval = This has something to do with time between movement packets, since you send a packet every 500 ms, best to set this to F401 (reverse bytes of 01F4)
speed = your movement speed, but, as the packet wants to cram it into 2 bytes, you have to make some adjustments:
read your movement speed from your 'character database' (pick the right one, i.e. flyspeed, runspeed, swimspeed)
this will give you a float with your speed, multiply this by 256.0, then add 0.5. Convert this to a long. Then take the last two bytes and they will
form your speed (in reverse byte order again)
moveType = the type of movement (running, falling, flying, jumping etc) (this value is only 1 byte)
counter = this is a counter which says how manyth movement packet this is. (2 bytes long, reverse order as usual)

id = 0700 this is the id for a stop moving packet
destX, destY, destZ as usual
speed as usual
direction = This is the direction you are facing after the movement, simply set this to 00 for simplicity
movetype as above
counter as above (this is the same counter)
interval

packets will look like this when sending:
0000<X><Y><Z><X><Y><Z><interval><speed><moveType>< counter>
500 ms later
0000<X><Y><Z><X><Y><Z><interval><speed><moveType>< counter>
500 ms later
0000<X><Y><Z><X><Y><Z><interval><speed><moveType>< counter>
500 ms later
0700<X><Y><Z><speed><direction><moveType><counter> <interval>

in between you update the counter and the coords you want to move to.

So now how do you use this to move?

If you wanted to fly up for 2 seconds for example:
-get your current X, Y, Z coords
-get your speed
You only want to fly up, so X and Z will stay the same during this whole thing.
you will add speed * 0.5 to your Y coord every 500 ms. (as this is how far you can fly in the amount of time, yes this is checked by the server :P)
your speed is 5.5 for example for flying, so you'd add 2.75 to Y every packet you send.
then do 5.5* 256 + 0.5 = 1408.5
truncate it to 1408 (its a long now)
convert to hex = 00000580
cut off the first two bytes and reverse the remaining bytes = 8005

the interval value is set to F401

the moveType for flying = 61

the counter (2 bytes) you can find on pwi at "PLAYER_DATABASE" + 0x8E4

so if this value = 0145, youd send in the packet 4501.

so youd be sending packets as follows:

0000<oldX><oldY + 2.75><oldZ><oldX><oldY + 2.75><oldZ>F4018005614501
increase counter value at [PLAYER_DATABASE + 0x8E4] by 1
sleep 500 ms
0000<oldX><oldY + 5.5><oldZ><oldX><oldY + 5.5><oldZ>F4018005614601
increase counter value at [PLAYER_DATABASE + 0x8E4] by 1
sleep 500 ms
0000<oldX><oldY + 8.25><oldZ><oldX><oldY + 8.25><oldZ>F4018005614701
increase counter value at [PLAYER_DATABASE + 0x8E4] by 1
sleep 500 ms
0700<oldX><oldY + 11.0><oldZ>800500614801F401
increase counter value at [PLAYER_DATABASE + 0x8E4] by 1

packetsize for moving is 0x21
packetsize for stop moving is 0x16

THese are by far the most annoying packets to send. Usually you'll prefer using the action struct for moving. It can however be good to know it's possible in certain situations.

easier packets would be these, usually just add the ids etc, but you can figure those out easily most likely.:
packet id function
02 00 Select Target (target id in reverse bytes)
06 00 Pick up
0E 00 Drop item
29 00 use skill on targetId
2A 00 Stop attacking/using skill/talking with npc
08 00 Deselect
11 00 Equip/UnEquip
15 00 refresh char screen
14 00 Drop gold
55 00 Switch fashion/regular appearance

28 00 Use item (also for flying)
65 00 Unsummon Pet
64 00 Start Summon Pet
67 00 Pet settings
01 00 Log out

50 00 Use SKill No Cast Time, FoxForm/Petals/etc
74 00 Use genie skill
23 00 Open NPC dialogue
24 00 Open cat shop
25 00 Interact With NPC (bank/mail/sell/buy/quest)
0C 00 move Item in inv
38 00 move item in bank
39 00 SPlit stack in bank

Example:
Selecting a player/mob/npc:
0200<id>
so selecting a mob with id 80105292 would mean sending a packet as follows:
020092521080

Using a skill on a mob:
2900<skill id>0001<target id>
so using for example envenom parasite (skill Id 0000012B) on the previously selected target:
Packet: 29002B010000000192521080

or using Ironrock parasite (skill Id 0000012C) on that target:
packet: 29002C010000000192521080

Using a skill such as bramble (skill Id 00000132) on ourself (our Id is 00051F70)
Packet: 2900320100000001701F0500

Use Skill with no cast time (the faster run skill for wf, skill Id 000002FA
Packet: 50 00 FA 02 00 00 00 01 70 1F 05 00

Best way to find out how the packets are constructed is by setting a breakpoint at the function call and displaying the values on the stack (they'll have been pushed onto the stack just before calling the function) at ESP + 8 (packetsize) and ESP+4 (pointer to the packet)

Elucas · 08/21/2010, 12:07

As I said i will keep informing for this.
well....

1. Look at line 61 :
-Global $APP_TITLE = IniRead($SOFTWARE_OFFSET_CONFIG, $CFG_BASEADDRESS_ROOT_KEY, $CFG_BASEADDRESS_APP_KEY, "Element Client"), $PROCESS_ID = WinGetProcess($APP_TITLE), $PROCESS_INFORMATION = _MemoryOpen($PROCESS_ID), $HANDLE = ControlGetHandle($APP_TITLE, "", "")

And i add a same line as above to line 62 but add 2 at end of Element Client :

Global $APP_TITLE = IniRead($SOFTWARE_OFFSET_CONFIG, $CFG_BASEADDRESS_ROOT_KEY, $CFG_BASEADDRESS_APP_KEY, "Element Client2]"), $PROCESS_ID = WinGetProcess($APP_TITLE), $PROCESS_INFORMATION = _MemoryOpen($PROCESS_ID), $HANDLE = ControlGetHandle($APP_TITLE, "", "")
*Add as much as you need for this case*

2. We need add this to Global $pid at line 70++(line 74 in my case)

Code : Global $PID = ProcessExists("elementclient.exe")
$list = ProcessList("elementclient.exe")
For $i = 1 to $list[0][0]
if $APP_TITLE = "Element Client" Then
$pid = $list[1][1]
ElseIf $APP_TITLE = "Element Client2" Then <<<Add more line like this if you need (!same as above.)the third process may $list[3][1],etc
$pid = $list[2][1]
EndIf
Next

and then we need to edit the Application_Title at Custom Offsets.ini to Element Client2 (rever to what we edit above).
Take a look at mine.
i edited some ^^.
############

############
the file above is just for Indonesian PW. cause i edited the movement thing but i forgot where it's.
but if you want to try it out, then change this line to PWI's :

I changed some and it's work better for me here, so
the line would be not correct anymore, find it yourself*

On Line 110 we had to add 8 to the old $OFFSET_MOVEX[2] = 4072.
This is how your new $OFFSET_MOVEX[2] should look after you have changed it $OFFSET_MOVEX[2] = 4080
On Line 115 we had to add 8 to the old $OFFSET_MOVEY[2] = 4072.
This is how your new $OFFSET_MOVEY[2] should look after you have changed it $OFFSET_MOVEY[2] = 4080
On Line 120 we had to add 8 to the old $OFFSET_MOVEZ[2] = 4072.
This is how your new $OFFSET_MOVEZ[2] should look after you have changed it $OFFSET_MOVEZ[2] = 4080

*Note : I am NOT A PROGRAMMER AND MY TEACHER IS The F1(Help)

asaky · 08/21/2010, 12:09

[QUOTE=Elucas;6495107]

As I said i will keep informing for this.
well....

1. Look at line 61 :
-Global $APP_TITLE = IniRead($SOFTWARE_OFFSET_CONFIG, $CFG_BASEADDRESS_ROOT_KEY, $CFG_BASEADDRESS_APP_KEY, "Element Client"), $PROCESS_ID = WinGetProcess($APP_TITLE), $PROCESS_INFORMATION = _MemoryOpen($PROCESS_ID), $HANDLE = ControlGetHandle($APP_TITLE, "", "")

And i add a same line as above to line 62 but add 2 at end of Element Client :
QUOTE]

And what is this edited bot ment to do exactly?

Elucas · 08/21/2010, 13:34

[quote=asaky;6495145]

Quote:

Originally Posted by Elucas

As I said i will keep informing for this.
well....

1. Look at line 61 :
-Global $APP_TITLE = IniRead($SOFTWARE_OFFSET_CONFIG, $CFG_BASEADDRESS_ROOT_KEY, $CFG_BASEADDRESS_APP_KEY, "Element Client"), $PROCESS_ID = WinGetProcess($APP_TITLE), $PROCESS_INFORMATION = _MemoryOpen($PROCESS_ID), $HANDLE = ControlGetHandle($APP_TITLE, "", "")

And i add a same line as above to line 62 but add 2 at end of Element Client :
QUOTE]

And what is this edited bot ment to do exactly?

look,
ElseIf $APP_TITLE = "Element Client2" Then
$pid = $list[2][1]

So the bot will pick up the $pid from the second same process name.
this is my way to divide the memread process
As i said i will Keep Informing, it's not done yet.
I am show that for someone can help me out with the memwrite process.???

asaky · 08/21/2010, 13:46

*nods and pretends he can understand* yes, yes I seeee....

Interest07 · 08/21/2010, 15:21

Elucas, wouldn't it be easier to simply have a second copy of the bot in a separate folder, do a search and replace for "Element Client" -> "Element Client2" and run that bot for your second window? Or am I missing something here

It is going to be quite a task to transform a semi-regularly updated program into one that handles two clients. Unless of course Prophets decide to support multi clienting, but I believe that isn't the case thusfar.

asaky · 08/21/2010, 15:23

Quote:

Originally Posted by Interest07

Elucas, wouldn't it be easier to simply have a second copy of the bot in a separate folder, do a search and replace for "Element Client" -> "Element Client2" and run that bot for your second window? Or am I missing something here

It is going to be quite a task to transform a semi-regularly updated program into one that handles two clients. Unless of course Prophets decide to support multi clienting, but I believe that isn't the case thusfar.

Tried it but no. It still does not work that way.