Sending Packets
Discussion on Sending Packets within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.
06/19/2011, 01:15
#211
elite*gold: 0
Join Date: Jan 2010
Posts: 26
Received Thanks: 2
Quote:
Originally Posted by Interest07
Check the post in this thread where I explained how to send packets with C#. The moveAddress is just an address with enough memory allocated in the client to store your packet. You don't need to find this address as it is returned by the MemFunctions.AllocateMemory function.
Thanks for clarifying this.
06/21/2011, 13:39
#212
elite*gold: 0
Join Date: Oct 2007
Posts: 10
Received Thanks: 1
Hi mister interest07, how do you find this?
Code:
//Harvest resource
private int harvestResourceAddress;
private byte[] harvestResourceAddressRev;
private byte[] harvestResourcePkt = new byte[]
{
    0x36, 0x00, //Header
    0x00, 0x00, 0x00, 0x00, //uniqueId
    0x00, 0x00, 0x1E, 0x00,
    0x01, 0x0C, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00
};
public void harvestResource(int uniqueId)
{
    //Get size of the packet
    int packetSize = harvestResourcePkt.Length;
    if (harvestResourceAddress == 0)
    {
        //load packet in memory
        loadPacket(harvestResourcePkt, ref harvestResourceAddress, ref harvestResourceAddressRev);
    }
    byte[] uniqueIdRev = BitConverter.GetBytes(uniqueId);
    uniqueIdRev.Reverse();
    MemFunctions.MemWriteBytes(pr_processHandle, harvestResourceAddress + 2, uniqueIdRev);
    sendPacket(harvestResourceAddressRev, packetSize);
}
06/21/2011, 17:51
#213
elite*gold: 0
Join Date: Mar 2010
Posts: 862
Received Thanks: 576
Attach a debugger to the client, then set a breakpoint on the sendPacket function. When the breakpoint is triggered there will be several values on the stack:
[ESP + 0] = Address where the function has to jump back to after it is done. You can use this to figure out what function sent this particular packet.
[ESP + 4] = Packetsize, number of bytes contained in the packet
[ESP + 8] = Pointer to the packet. You can use this to find out what the packet is as follows (in semi code):
Code:
size = [ESP + 4]
pPacket = [ESP + 8]
for(int i = 0; i < size; i++)
{
bValue(i) = [pPacket + i * 1]
}
Use this to figure out what packets are sent whenever you perform an action.
Quote:
Originally Posted by unfaceguy
Hi mister interest07, how do you find this?
Code:
//Harvest resource
private int harvestResourceAddress;
private byte[] harvestResourceAddressRev;
private byte[] harvestResourcePkt = new byte[]
{
    0x36, 0x00, //Header
    0x00, 0x00, 0x00, 0x00, //uniqueId
    0x00, 0x00, 0x1E, 0x00,
    0x01, 0x0C, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00
};
public void harvestResource(int uniqueId)
{
    //Get size of the packet
    int packetSize = harvestResourcePkt.Length;
    if (harvestResourceAddress == 0)
    {
        //load packet in memory
        loadPacket(harvestResourcePkt, ref harvestResourceAddress, ref harvestResourceAddressRev);
    }
    byte[] uniqueIdRev = BitConverter.GetBytes(uniqueId);
    uniqueIdRev.Reverse();
    MemFunctions.MemWriteBytes(pr_processHandle, harvestResourceAddress + 2, uniqueIdRev);
    sendPacket(harvestResourceAddressRev, packetSize);
}
06/22/2011, 03:28
#214
elite*gold: 0
Join Date: Apr 2010
Posts: 99
Received Thanks: 136
I see the code example you provided and understand how to read the values using a debugger. However I would like to read the values from my program. Is there a way to read (and show) the contents of the stack in my bot (btw it's autoit, but I can still translate as I get the idea). I have seen it, but don't have a clue how to do it.
Quote:
Originally Posted by Interest07
You can use this to find out what the packet is as follows (in semi code):
Code:
size = [ESP + 4]
pPacket = [ESP + 8]
for(int i = 0; i < size; i++)
{
bValue(i) = [pPacket + i * 1]
}
Use this to figure out what packets are sent whenever you perform an action.
06/22/2011, 08:40
#215
elite*gold: 0
Join Date: Mar 2010
Posts: 862
Received Thanks: 576
Why would you want to read those values during botting? You only need to know what a packet looks like once and then hardcode that. I use MHS to execute a script that reads out the stack values every time the breakpoint is hit instead of pausing the game. It works nicely for figuring out the parameters for other functions as well.
I wouldn't know how to do something like that from scratch though, I'm afraid, although I did see some tool that looks up what packets are sent somewhere. You might wanna try to track the creator of that down.
06/22/2011, 22:20
#216
elite*gold: 0
Join Date: Apr 2009
Posts: 3
Received Thanks: 1
Hi interest07,
Is there a packet for sending mail?
Thanks for the code.
06/29/2011, 10:25
#217
elite*gold: 0
Join Date: Mar 2011
Posts: 33
Received Thanks: 16
Hello interest07,
I have a problem with the function sendpacket.
What is wrong in my code?
Code:
Public Function SendPacket(ByVal Packet As String, ByVal Size As Integer, ByVal hProcess As Integer)
    Dim vBuffer As Byte() = Nothing, result = Nothing, OPcode As String = Nothing
    Dim functionAddress As IntPtr = VirtualAllocEx(hProcess, Nothing, &H46, &H1000, &H40)
    Dim packetAddress As IntPtr = VirtualAllocEx(hProcess, Nothing, Size, &H1000, &H40)
    Dim hRemoteThread As IntPtr = Nothing
    OPcode &= "60" ';//PUSHAD
    OPcode &= "B8" & _Hex(sendPacketFunction) ';//MOV EAX, sendPacketAddress
    OPcode &= "8B0D" & _Hex(realBaseAddress) ';//MOV ECX, DWORD PTR [revBaseAddress]
    OPcode &= "8B4920" ';//MOV ECX, DWORD PTR [ECX+20]
    OPcode &= "BF" & _Hex(packetAddress) ';//MOV EDI, packetAddress //src pointer
    OPcode &= "6A" & _Hex(Size, 2) ';//PUSH packetSize //size
    OPcode &= "57" ';//PUSH EDI
    OPcode &= "FFD0" ';//CALL EAX
    OPcode &= "61" ';//POPAD
    OPcode &= "C3" ';//RET
    ReDim vBuffer((OPcode.Length / 2) - 1)
    Dim a As Integer = 0
    For i = 1 To UBound(vBuffer) Step 2
        vBuffer(a) = Int("&H" & Mid(OPcode, i, 2))
        a += 1
    Next
    WriteProcessMemory(hProcess, functionAddress, vBuffer, UBound(vBuffer), Nothing)
    hRemoteThread = CreateRemoteThread(hProcess, Nothing, Nothing, functionAddress, Nothing, Nothing, Nothing)
    Do
        result = WaitForSingleObject(hRemoteThread, 50)
    Loop Until (result <> 258)
    CloseHandle(hRemoteThread)
    VirtualFreeEx(hProcess, functionAddress, Nothing, &H8000)
    VirtualFreeEx(hProcess, packetAddress, Nothing, &H8000)
    Return True
End Function
there is a problem here:
Code:
hRemoteThread = CreateRemoteThread(hProcess, Nothing, Nothing, functionAddress, Nothing, Nothing, Nothing)
WinAPI
Code:
Public Declare Function CreateRemoteThread Lib "Kernel32.dll" (
    ByVal hProcess As IntPtr,
    ByVal lpThreadAttributes As IntPtr,
    ByVal dwStackSize As Integer,
    ByVal lpStartAddress As IntPtr,
    ByVal lpParameter As IntPtr,
    ByVal dwCreationFlags As Integer,
    ByRef lpThreadId As IntPtr
) As IntPtr
Please help me with how to use sendpacket in VB Express.
06/29/2011, 14:22
#218
elite*gold: 0
Join Date: Mar 2010
Posts: 862
Received Thanks: 576
Did you check if it properly wrote the function to that address?
On first sight things seem to be alright.
06/30/2011, 06:43
#219
elite*gold: 0
Join Date: Mar 2011
Posts: 33
Received Thanks: 16
I get the function address using 'findWQbotOffsets.exe'
(copy 'elementclient.exe' to the 'findWQbotOffsets.exe' directory > run 'findWQbotOffsets.exe').
This is the result (pwindo):
Code:
[main]
logActivities=0
[offsets]
realBaseAddress=0xA5B90C
SendPacketAddress=0x0060E310
playerCounterOffset=0x000008E4
playerIntervalOffset=0x00000898
questFunctionOffset=0xFFC
questFunctionAddress=0x006C98E0
playerNameOffset=0x618
playerTransportModeOffset=0x62C
playerFlySpdOffset=0x4D0
playerFlyMountOffset=0x00000570
playerXposOffset=0x3C
playerYposOffset=0x40
playerZposOffset=0x44
playerActionStructOffset=0xFF4
baseOffset=0x1C
playerOffSet=0x20
nameLengthOffset=0xFFFFFFF8
playerTargetIdOffset=0xB0C
npcIdOffset=0x11C
sortedNpcListOffset=0x50
baseListsOffset=0x8
npcListOffset=0x24
06/30/2011, 09:31
#220
elite*gold: 0
Join Date: Mar 2010
Posts: 862
Received Thanks: 576
I mean, did you check whether it wrote the opcode to memory correctly?
07/01/2011, 09:42
#221
elite*gold: 0
Join Date: Mar 2011
Posts: 33
Received Thanks: 16
I have been able to use sendpacket in VB.
Wow, that really helped me. Thanks Interest07.
Btw, do you have a function to move x, y, z?
07/24/2011, 14:47
#222
elite*gold: 0
Join Date: Jan 2009
Posts: 23
Received Thanks: 3
Moving with packets problem
Hi all!
I have tried with sending packages to make my character to fly up or down, but have failed.
I've tried to follow Interest07's guides:
 and
The result so far is that the camera moves in steps of the flight speed every time interval (i.e. not smooth) and ends up where it should be, but the character stays where it was from the start.
I paste some code (autoit) and hope you guys can help me out:
Code:
Dim $oposx = 0x3c, $oposy = 0x44, $oposz = 0x40
Dim $oposx2 = 0x7c, $oposy2 = 0x84, $oposz2 = 0x80
Dim $oposx3 = 0x7e8, $oposy3 = 0x7f0, $oposz3 = 0x7ec
Dim $oposx4 = 0x828, $oposy4 = 0x830, $oposz4 = 0x82c
Fly(20) ;fly 20 units up
Func Fly($zfly)
    local $packedaddress, $packetSize, $speed, $dX, $dY, $dZ, $destZ, $curX, $curY, $curZ
    GetCharInfo($pid)
    $speed = $charinfo[$IFlyspeed]
    $curX = $charinfo[$IX]
    $curY = $charinfo[$IY]
    $curZ = $charinfo[$IZ]
    $pchar = _MemoryRead(_MemoryRead($base, $pid) + 0x34, $pid)
    $c = _MemoryRead($pchar + 0x928, $pid, 'word')
    $destZ = $curZ + $zfly
    $timeinterval = 1000
    $timeneeded = DistanceFromMe($curX, $curY, $curZ + $zfly) / $speed
    $dZ = (($destZ - $curZ) / $timeneeded) * $timeinterval / 1000
    If $speed > 0 Then
        While $timeneeded > ($timeinterval / 1000)
            $curZ += $dZ
            $packetAddress = DllCall($pid[0], 'int', 'VirtualAllocEx', 'int', $pid[1], 'ptr', 0, 'int', 0x21, 'int', 0x1000, 'int', 0x40)
            _MemoryWrite($packetAddress[0], $pid, 0, 'word')
            _MemoryWrite($packetAddress[0] + 2, $pid, $curX, 'float')
            _MemoryWrite($packetAddress[0] + 6, $pid, $curY, 'float')
            _MemoryWrite($packetAddress[0] + 10, $pid, $curZ, 'float')
            _MemoryWrite($packetAddress[0] + 14, $pid, $curX, 'float')
            _MemoryWrite($packetAddress[0] + 18, $pid, $curY, 'float')
            _MemoryWrite($packetAddress[0] + 22, $pid, $curZ, 'float')
            _MemoryWrite($packetAddress[0] + 26, $pid, $timeinterval, 'word')
            _MemoryWrite($packetAddress[0] + 28, $pid, Round($speed * 256 + 0.5), 'word')
            _MemoryWrite($packetAddress[0] + 30, $pid, 0x61, 'byte')
            _MemoryWrite($packetAddress[0] + 31, $pid, $c, 'word')
            sendPacket2($packetAddress, 0x21, $pid)
            DllCall($pid[0], 'ptr', 'VirtualFreeEx', 'hwnd', $pid[1], 'int', $packetAddress[0], 'int', 0, 'int', 0x8000)
            _MemoryWrite($pchar + $oposx, $pid, $curX, 'float')
            _MemoryWrite($pchar + $oposy, $pid, $curY, 'float')
            _MemoryWrite($pchar + $oposz, $pid, $curZ, 'float')
            _MemoryWrite($pchar + $oposx2, $pid, $curX, 'float')
            _MemoryWrite($pchar + $oposy2, $pid, $curY, 'float')
            _MemoryWrite($pchar + $oposz2, $pid, $curZ, 'float')
            _MemoryWrite($pchar + $oposx3, $pid, $curX, 'float')
            _MemoryWrite($pchar + $oposy3, $pid, $curY, 'float')
            _MemoryWrite($pchar + $oposz3, $pid, $curZ, 'float')
            _MemoryWrite($pchar + $oposx4, $pid, $curX, 'float')
            _MemoryWrite($pchar + $oposy4, $pid, $curY, 'float')
            _MemoryWrite($pchar + $oposz4, $pid, $curZ, 'float')
            $c += 1
            _MemoryWrite($pchar + 0x928, $pid, $c, 'word') ;Update counter
            $timeneeded -= $timeinterval / 1000
            Sleep($timeinterval)
        WEnd
    EndIf
    If ($timeneeded > 0) Then
        $curZ += $dZ * $timeneeded
        $packetAddress = DllCall($pid[0], 'int', 'VirtualAllocEx', 'int', $pid[1], 'ptr', 0, 'int', 0x16, 'int', 0x1000, 'int', 0x40)
        _MemoryWrite($packetAddress[0], $pid, 7, 'word')
        _MemoryWrite($packetAddress[0] + 2, $pid, $curX, 'float')
        _MemoryWrite($packetAddress[0] + 6, $pid, $curY, 'float')
        _MemoryWrite($packetAddress[0] + 10, $pid, $curZ, 'float')
        _MemoryWrite($packetAddress[0] + 14, $pid, Round($speed * 256 + 0.5), 'word')
        _MemoryWrite($packetAddress[0] + 16, $pid, 0, 'byte')
        _MemoryWrite($packetAddress[0] + 17, $pid, 0x61, 'byte')
        _MemoryWrite($packetAddress[0] + 18, $pid, $c, 'word')
        _MemoryWrite($packetAddress[0] + 20, $pid, $timeneeded * 1000, 'word')
        sendPacket2($packetAddress, 0x21, $pid)
        DllCall($pid[0], 'ptr', 'VirtualFreeEx', 'hwnd', $pid[1], 'int', $packetAddress[0], 'int', 0, 'int', 0x8000)
        _MemoryWrite($pchar + $oposx, $pid, $curX, 'float')
        _MemoryWrite($pchar + $oposy, $pid, $curY, 'float')
        _MemoryWrite($pchar + $oposz, $pid, $curZ, 'float')
        _MemoryWrite($pchar + $oposx2, $pid, $curX, 'float')
        _MemoryWrite($pchar + $oposy2, $pid, $curY, 'float')
        _MemoryWrite($pchar + $oposz2, $pid, $curZ, 'float')
        _MemoryWrite($pchar + $oposx3, $pid, $curX, 'float')
        _MemoryWrite($pchar + $oposy3, $pid, $curY, 'float')
        _MemoryWrite($pchar + $oposz3, $pid, $curZ, 'float')
        _MemoryWrite($pchar + $oposx4, $pid, $curX, 'float')
        _MemoryWrite($pchar + $oposy4, $pid, $curY, 'float')
        _MemoryWrite($pchar + $oposz4, $pid, $curZ, 'float')
        $c += 1
        _MemoryWrite($pchar + 0x928, $pid, $c, 'word') ;Update counter
    EndIf
EndFunc
Code:
Func sendPacket2($packetAddress, $packetSize, $pid)
    Local $pRemoteThread, $vBuffer, $loop, $result, $OPcode, $processHandle, $functionAddress
    $processHandle = $pid[1]
    ;//Allocate memory for the OpCode and retrieve address for this
    $functionAddress = DllCall($pid[0], 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', 0x46, 'int', 0x1000, 'int', 0x40)
    ;//Construct the OpCode for calling the 'SendPacket' function
    $OPcode &= '60' ;//PUSHAD
    $OPcode &= 'B8'&_hex($sendPacketFunction) ;//MOV EAX, sendPacketAddress
    $OPcode &= '8B0D'&_hex($realBaseAddress) ;//MOV ECX, DWORD PTR [revBaseAddress]
    $OPcode &= '8B4920' ;//MOV ECX, DWORD PTR [ECX+20]
    $OPcode &= 'BF'&_hex($packetAddress[0]) ;//MOV EDI, packetAddress //src pointer
    $OPcode &= '6A'&_hex($packetSize,2) ;//PUSH packetSize //size
    $OPcode &= '57' ;//PUSH EDI
    $OPcode &= 'FFD0' ;//CALL EAX
    $OPcode &= '61' ;//POPAD
    $OPcode &= 'C3' ;//RET
    ;//Put the OpCode into a struct for later memory writing
    $vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
    For $loop = 1 To DllStructGetSize($vBuffer)
        DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
    Next
    ;//Write the OpCode to previously allocated memory
    DllCall($pid[0], 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)
    ;//Create a remote thread in order to run the OpCode
    $hRemoteThread = DllCall($pid[0], 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress[0], 'ptr', 0, 'int', 0, 'int', 0)
    ;//Wait for the remote thread to finish
    Do
        $result = DllCall($pid[0], 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
    Until $result[0] <> 258
    ;//Close the handle to the previously created remote thread
    DllCall($pid[0], 'int', 'CloseHandle', 'int', $hRemoteThread[0])
    ;//Free the previously allocated memory
    DllCall($pid[0], 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $functionAddress[0], 'int', 0, 'int', 0x8000)
    Return True
EndFunc
The offsets for coords 2, 3 and 4 are something I'm not sure are correct.
To target an npc with its id is something I've gotten to work with help of the send packets guide:
Have fun all! /Sturolv
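Both the VB function in post #217 and the AutoIt sendPacket2 above drive the client through the same VirtualAllocEx(PAGE_EXECUTE_READWRITE) / WriteProcessMemory / CreateRemoteThread sequence, and that sequence is exactly what anti-cheat and EDR telemetry is built to notice: a thread appears in the target whose start address is not inside any loaded module. The Python below is an added example, not code from this thread; it triages constructed records shaped like Sysmon Event ID 8 (CreateRemoteThread, whose StartModule field is empty for unbacked memory) and matches the posted stub's opcode skeleton with its address and size operands wildcarded. The image paths, addresses and operand bytes are made up.

```python
# Opcode skeleton of the call stub both posts build; None marks a wildcard byte
# (the address and size operands, which differ per call and per client build).
STUB_SIGNATURE = [
    0x60,                                # PUSHAD
    0xB8, None, None, None, None,        # MOV EAX, imm32   (sendPacket address)
    0x8B, 0x0D, None, None, None, None,  # MOV ECX, [imm32] (client base pointer)
    0x8B, 0x49, 0x20,                    # MOV ECX, [ECX+0x20]
    0xBF, None, None, None, None,        # MOV EDI, imm32   (packet buffer)
    0x6A, None,                          # PUSH imm8        (packet size)
    0x57,                                # PUSH EDI
    0xFF, 0xD0,                          # CALL EAX
    0x61,                                # POPAD
    0xC3,                                # RET
]

def find_stub(blob: bytes) -> list:
    """Offsets in blob where the skeleton matches, wildcards allowed."""
    return [off for off in range(len(blob) - len(STUB_SIGNATURE) + 1)
            if all(s is None or s == blob[off + i] for i, s in enumerate(STUB_SIGNATURE))]

def triage_remote_thread(event: dict, memory_at_start: bytes = b""):
    """Score one Sysmon Event ID 8 (CreateRemoteThread) record; None means not flagged.
    memory_at_start: bytes read at StartAddress when the sensor can supply them."""
    if event.get("EventID") != 8:
        return None
    if event["SourceImage"].lower() == event["TargetImage"].lower():
        return None  # thread created in the caller's own process; out of scope here
    reasons = []
    if not event.get("StartModule"):  # Sysmon leaves this empty for unbacked memory
        reasons.append("thread start address not backed by a loaded module")
    if find_stub(memory_at_start):
        reasons.append("PUSHAD/CALL EAX/POPAD/RET call stub at start address")
    if not reasons:
        return None
    return {"source": event["SourceImage"], "target": event["TargetImage"],
            "start": event["StartAddress"], "reasons": reasons,
            "severity": "high" if len(reasons) == 2 else "medium"}

# Constructed stub instance: 0x11..0x44 operand bytes are placeholders, size 0x21.
SAMPLE_STUB = bytes([0x60, 0xB8, 0x11, 0x22, 0x33, 0x44, 0x8B, 0x0D, 0x11, 0x22, 0x33, 0x44,
                     0x8B, 0x49, 0x20, 0xBF, 0x11, 0x22, 0x33, 0x44, 0x6A, 0x21, 0x57,
                     0xFF, 0xD0, 0x61, 0xC3])

# Constructed Sysmon-shaped records; image paths and addresses are made up.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\demo\bot.exe",
     "TargetImage": r"C:\Games\PW\elementclient.exe",
     "StartAddress": "0x02A50000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Games\PW\elementclient.exe", "StartAddress": "0x77A12345",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]

def run_samples() -> list:
    """Triage the constructed events; memory is only readable for the first one."""
    memory = {"0x02A50000": b"\x90" * 16 + SAMPLE_STUB + b"\x00" * 8}
    hits = (triage_remote_thread(e, memory.get(e["StartAddress"], b"")) for e in SAMPLE_EVENTS)
    return [h for h in hits if h]
```

The second record is left unflagged only because its start address is module-backed; a real pipeline would still correlate it with process ancestry and the earlier VirtualAllocEx/WriteProcessMemory calls, which Sysmon does not log.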
07/24/2011, 16:12
#223
elite*gold: 0
Join Date: Mar 2010
Posts: 862
Received Thanks: 576
Quote:
The offsets for coords 2, 3 and 4 are something I'm not sure are correct.
Those don't really matter, they're more for yourself to see what's happening (and whether you have the correct coords being sent), and also to make it a bit smoother to change from packet movement to regular movement. They won't influence the actual result though.
On first sight your function appears to work correctly. Which server do you play on? You might want to verify it's the correct packet structure if you're not playing on PWI, as some packets are known to differ slightly from PWI server on for example the Russian server.
07/24/2011, 19:33
#224
elite*gold: 0
Join Date: Jan 2009
Posts: 23
Received Thanks: 3
Hi!
I'm on pwi.
I could read the complete message into a hex string and paste it here if you wanna have a peek at them. I think it's about 4 or 5 messages including the stop-message.
Btw. I forgot to mention what my purpose with this is:
To make a program that automates a cleric to follow me around healing and buffing when needed, eventually also assisting. I started with this more than a year ago but put everything on ice; now I'm back again.
I do think it's so fun to make this and I don't know if I really want to play the game when it's done
07/24/2011, 21:19
#225
elite*gold: 0
Join Date: Mar 2010
Posts: 862
Received Thanks: 576
Quote:
Originally Posted by Sturolv
Hi!
I'm on pwi.
I could read the complete message into a hex string and paste it here if you wanna have a peek at them. I think it's about 4 or 5 messages including the stop-message.
Btw. I forgot to mention what my purpose with this is:
To make a program that automates a cleric to follow me around healing and buffing when needed, eventually also assisting. I started with this more than a year ago but put everything on ice; now I'm back again.
I do think it's so fun to make this and I don't know if I really want to play the game when it's done.
Yeah, sure, post the hex stuff. That should help.
Ahh yes, a cleric assistant is great.