Sending Packets
Discussion on Sending Packets within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.
04/27/2012, 17:48, #316
elite*gold: 0, Join Date: Feb 2011, Posts: 75, Received Thanks: 34
PHP Code:
Func cek_rep($PROCESS_ID)
;Declare local variables
Local $pRemoteThread, $vBuffer, $loop, $result, $OPcode, $processHandle, $packetAddress, $functionSize, $QuestFunctionAddress, $PlayerOffSet, $QuestFunctionOffset, $QuestId, $returnValue
$functionSize = '100'
$QuestFunctionAddress = '0x0073D780'
$QuestFunctionOffset = '0x1058'
$PlayerOffSet = '0x34'
$QuestId = '53762'
;Open process for given processId
$processHandle = $PROCESS_INFORMATION[1]
;Allocate memory for the OpCode and retrieve address for this
$functionAddress = DllCall($KERNEL32, 'int', 'VirtualAllocEx', 'int', $processHandle, 'int', 0, 'int', 0x4, 'int', 0x1000, 'int', 0x40)
;Allocate memory for the packet to be sent and retrieve the address for this
$packetAddress = DllCall($KERNEL32, 'VirtualAllocEx', 'int', $processHandle, 'int', 0, 'int', $functionSize, 'int', 0x1000, 'int', 0x40)
$OPcode &= '60' ;PUSHAD
$OPcode &= 'B8'&_hex($QuestFunctionAddress) ;MOV EAX, questFunction
$OPcode &= '8B0D'&_hex($APP_BASE_ADDRESS) ;MOV ECX, DWORD PTR [baseAddress]
$OPcode &= '8B491C' ;MOV ECX, DWORD PTR [ECX+1C]
$OPcode &= '8B49'&_hex($PlayerOffSet) ;MOV ECX, DWORD PTR [ECX+playerOffSet]
$OPcode &= '8B89'&_hex($QuestFunctionOffset) ;MOV ECX, DWORD PTR [ECX+questFuncOffset]
$OPcode &= '68'&_hex($QuestId) ;PUSH questId
$OPcode &= 'FFD0' ;CALL NEAR EAX
$OPcode &= 'A3'&_hex($functionAddress) ;MOV DWORD PTR [returnAddress], EAX
$OPcode &= '61' ;POPAD
$OPcode &= 'C3' ;RET
;Put the OpCode into a struct for later memory writing
$vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
For $loop = 1 To DllStructGetSize($vBuffer)
DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
Next
;Write the OpCode to previously allocated memory
DllCall($KERNEL32, 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', $functionSize, 'int *', 0)
;Create a remote thread in order to run the OpCode
$hRemoteThread = DllCall($KERNEL32, 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress, 'int', 0, 'int', 0, 'int', 0)
;Wait for the remote thread to finish
Do
$result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
;"WaitForSingleObject", int,hThrd, int,50
Until $result[0] <> 258
;Close the handle to the previously created remote thread
DllCall($KERNEL32, 'int', 'CloseHandle', 'int', $hRemoteThread[0])
;Free the previously allocated memory
DllCall($KERNEL32, 'ptr', "VirtualFreeEx", "int", $processHandle, "int", $functionAddress, "int", 0, "int", 0x8000)
$returnValue = _MemoryRead($functionAddress, $PROCESS_ID)
Return $returnValue
EndFunc
_________
This function uses procedures adopted from the checkQuestPresentWQBOT function. I tried to check whether the quest with id 53762 is active or not. But when I try to run the function, what happens is that elementclient crashes.
Did I forget something?
Btw, that quest id exists only on private servers (ko2w-Ultimate and h2w-Revo).
04/27/2012, 19:06, #317
elite*gold: 0, Join Date: Mar 2010, Posts: 862, Received Thanks: 576
Quote:
Originally Posted by ntldr32
PHP Code:
Func cek_rep($PROCESS_ID)
;Declare local variables
Local $pRemoteThread, $vBuffer, $loop, $result, $OPcode, $processHandle, $packetAddress, $functionSize, $QuestFunctionAddress, $PlayerOffSet, $QuestFunctionOffset, $QuestId, $returnValue
$functionSize = '100'
$QuestFunctionAddress = '0x0073D780'
$QuestFunctionOffset = '0x1058'
$PlayerOffSet = '0x34'
$QuestId = '53762'
;Open process for given processId
$processHandle = $PROCESS_INFORMATION[1]
;Allocate memory for the OpCode and retrieve address for this
$functionAddress = DllCall($KERNEL32, 'int', 'VirtualAllocEx', 'int', $processHandle, 'int', 0, 'int', 0x4, 'int', 0x1000, 'int', 0x40)
;Allocate memory for the packet to be sent and retrieve the address for this
$packetAddress = DllCall($KERNEL32, 'VirtualAllocEx', 'int', $processHandle, 'int', 0, 'int', $functionSize, 'int', 0x1000, 'int', 0x40)
$OPcode &= '60' ;PUSHAD
$OPcode &= 'B8'&_hex($QuestFunctionAddress) ;MOV EAX, questFunction
$OPcode &= '8B0D'&_hex($APP_BASE_ADDRESS) ;MOV ECX, DWORD PTR [baseAddress]
$OPcode &= '8B491C' ;MOV ECX, DWORD PTR [ECX+1C]
$OPcode &= '8B49'&_hex($PlayerOffSet) ;MOV ECX, DWORD PTR [ECX+playerOffSet]
$OPcode &= '8B89'&_hex($QuestFunctionOffset) ;MOV ECX, DWORD PTR [ECX+questFuncOffset]
$OPcode &= '68'&_hex($QuestId) ;PUSH questId
$OPcode &= 'FFD0' ;CALL NEAR EAX
$OPcode &= 'A3'&_hex($functionAddress) ;MOV DWORD PTR [returnAddress], EAX
$OPcode &= '61' ;POPAD
$OPcode &= 'C3' ;RET
;Put the OpCode into a struct for later memory writing
$vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
For $loop = 1 To DllStructGetSize($vBuffer)
DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
Next
;Write the OpCode to previously allocated memory
DllCall($KERNEL32, 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', $functionSize, 'int *', 0)
;Create a remote thread in order to run the OpCode
$hRemoteThread = DllCall($KERNEL32, 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress, 'int', 0, 'int', 0, 'int', 0)
;Wait for the remote thread to finish
Do
$result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
;"WaitForSingleObject", int,hThrd, int,50
Until $result[0] <> 258
;Close the handle to the previously created remote thread
DllCall($KERNEL32, 'int', 'CloseHandle', 'int', $hRemoteThread[0])
;Free the previously allocated memory
DllCall($KERNEL32, 'ptr', "VirtualFreeEx", "int", $processHandle, "int", $functionAddress, "int", 0, "int", 0x8000)
$returnValue = _MemoryRead($functionAddress, $PROCESS_ID)
Return $returnValue
EndFunc
_________
This function uses procedures adopted from the checkQuestPresentWQBOT function. I tried to check whether the quest with id 53762 is active or not. But when I try to run the function, what happens is that elementclient crashes.
Did I forget something?
Btw, that quest id exists only on private servers (ko2w-Ultimate and h2w-Revo).
You appear to be passing strings instead of numbers here:
Code:
$functionSize = '100'
$QuestFunctionAddress = '0x0073D780'
$QuestFunctionOffset = '0x1058'
$PlayerOffSet = '0x34'
$QuestId = '53762'
Not sure if those are the correct values either.
04/27/2012, 23:36, #318
elite*gold: 0, Join Date: Feb 2011, Posts: 75, Received Thanks: 34
Quote:
Originally Posted by Interest07
You appear to be passing strings instead of numbers here:
Code:
$functionSize = '100'
$QuestFunctionAddress = '0x0073D780'
$QuestFunctionOffset = '0x1058'
$PlayerOffSet = '0x34'
$QuestId = '53762'
Not sure if those are the correct values either.
Its value is correct; the function that handles the NPC and takes the quest works well. I took it directly from the offsets of the wqbot "FlyWQ 2.7", which works well on the private servers ("ko2w-utimate" and "h2w-Revo"). The bottom line is that I want to take a few functions to create a bot that takes a quest that has a certain time limit; while waiting for the timeout, the bot will do the hunting. Initially I used a timer, but it becomes a problem because I often start the bot while the deadline is already running. That is why I try to use this functionality, so that the bot will only take a new quest if the quest is complete, i.e. the deadline has run its full length.
05/28/2012, 09:49, #319
elite*gold: 0, Join Date: Jan 2010, Posts: 21, Received Thanks: 10
Hi Interest07,
I need your help.
I have a problem with the buyItem function. It can't buy anything from the NPC.
I read on page 7 that the buyItem function has something wrong? Can you check this func again?
This is the function, copied from your #1 post:
PHP Code:
Func buyItem($itemTypeId, $shopIndex, $amount, $pid)
    ;//Buy $amount of items of type itemTypeId, located at shopIndex
    ;//shopIndex is calculated as follows:
    ;//Each tab in the shop has 32 available spaces, index of each space
    ;//starts at 0, index of each tab starts at 0. $shopIndex would then be
    ;//shopIndex = tabIndex * 32 + spaceIndex
    ;//This function could be expanded to include buying multiple items
    ;//simultaneously. This would require setting nBytes equal to
    ;//8 + 12 * nDifferent items. Add the extra items on the same way
    ;//as the first item.
    local $packet, $packetSize
    $packet = '2500'
    $packet &= '01000000'
    $packet &= '14000000' ;//nBytes following
    $packet &= '00000000'
    $packet &= '01000000' ;//nDifferent items being bought
    $packet &= _hex($itemTypeId)
    $packet &= _hex($shopIndex)
    $packet &= _hex($amount)
    $packetSize = 30
    sendPacket($packet, $packetSize, $pid)
EndFunc
If it still works for you, then maybe my PW version is different from yours -> our packets are different?
I tried to find the packet before encryption, like you said there.
Quote:
Originally Posted by Interest07
The packets are encrypted before being sent to the server as far as I know, so WPE Pro won't help. I view the packets by setting a breakpoint at the sendPacket function (so before encryption) using MHS and displaying what's in the stack. You can automatically edit the packets here if you wish, but the above methods shouldn't be possible though, as you send a packet to the server saying "Please refine this and that item" instead of "I refined this item, update it please".
This is the result for buying a sword with $itemTypeId=41, $shopIndex = 0, $amount=1.
I'm not familiar with MHS; I can't see what the packet looks like in this stack.
Please help me, thank you!
Sorry for my poor English.
05/28/2012, 14:26, #320
elite*gold: 20, Join Date: May 2009, Posts: 1,290, Received Thanks: 326
It would help to know "your" version...
The PWI version is 12 bytes longer than the older 1.4.4 ones.
I posted the buy packet before, so if you search, you will find it; it was even posted in the Treasure map post...
Seriously.
05/28/2012, 15:01, #321
elite*gold: 0, Join Date: Jan 2010, Posts: 21, Received Thanks: 10
Thanks for your reply,
I'm from PW Vietnam and I think we use a different version number; my version is 191.
That doesn't mean much, so I think this will help us:
Quote:
global $realBaseAddress = 0xB28AC4
global $sendPacketFunction = 0x6734C0
I searched for the buy packet, but the 2 methods I use, Google and Ctrl + F in a lot of pages, don't seem to be working. I will try again with your name, Sᴡoosh.
Thanks again!
05/28/2012, 15:10, #322
elite*gold: 20, Join Date: May 2009, Posts: 1,290, Received Thanks: 326
That's your game-specific version number. I am talking about the Client/Server version, which is constant across all servers/franchises.
PWI runs 1.4.6 (or 1.4.5 still? did they change version with the latest expansion?), Indo/Malaysia 1.4.4, Brazil 1.4.5, and most private servers are now 1.4.4, with the exception of the rich ones which can afford 1.4.5.
The 1.4.5 server version's buy packet is 12 bytes longer than the older ones. I hate this packet; it seems they change it for fun with every new version. The 12 new bytes are 00 .... so I think the Chinese are laughing at bot creators.
05/28/2012, 15:25, #323
elite*gold: 0, Join Date: Jan 2010, Posts: 21, Received Thanks: 10
My client is 1.4.4.
I use your buy packet (with packet size = 50) and it is still not working.
PHP Code:
Func buyItem($itemTypeId, $shopIndex, $amount, $pid)
    local $packet, $packetSize
    $packet = '2500' ;1
    $packet &= '01000000' ;5
    $packet &= '28000000' ;9 ;//nBytes following
    $packet &= '00000000' ;13
    $packet &= '00000000' ;17
    $packet &= '00000000' ;21
    $packet &= '00000000' ;25
    $packet &= '00000000' ;29
    $packet &= '00000000' ;33
    $packet &= '01000000' ;//nDifferent items being bought
    $packet &= _hex($itemTypeId)
    $packet &= _hex($shopIndex)
    $packet &= _hex($amount)
    $packetSize = 50
    ClipPut($packet)
    sendPacket($packet, $packetSize, $pid)
EndFunc
The number after each row is my count, for comparison with your code:
PHP Code:
lPacket.len := 50; lPacket.buf[0] := $25; lPacket.buf[1] := $00;
lPacket.buf[2] := $01; lPacket.buf[3] := $00; lPacket.buf[4] := $00; lPacket.buf[5] := $00;
lPacket.buf[6] := $28; lPacket.buf[7] := $00; lPacket.buf[8] := $00; lPacket.buf[9] := $00;
Fillmemory(@lPacket.buf[10], 24, $00);
lPacket.buf[34] := $01; lPacket.buf[35] := $00; lPacket.buf[36] := $00; lPacket.buf[37] := $00;
copymemory(@lPacket.buf[38], @ID, sizeof(Cardinal)); copymemory(@lPacket.buf[42], @Shopindex, sizeof(Cardinal)); copymemory(@lPacket.buf[46], @Number, sizeof(Cardinal));
Edit: I found it. Interest07's buy packet is 30 bytes, Sᴡoosh's is 50 bytes, and according to your words: "12 bytes longer". I guessed that there is a packet with 38 bytes. And yes, it's working.
Thanks a lot for your help!!!
05/28/2012, 15:42, #324
elite*gold: 20, Join Date: May 2009, Posts: 1,290, Received Thanks: 326
Yeah, that was what I was talking about - 12 bytes difference. This was the difference 1.4.4 -> 1.4.5.
Cool that you got it working.
Cheers
05/28/2012, 15:47, #325
elite*gold: 0, Join Date: Jan 2010, Posts: 21, Received Thanks: 10
Quote:
The 1.4.5 server version's buy packet is 12 bytes longer than the older ones. I hate this packet; it seems they change it for fun with every new version. The 12 new bytes are 00 .... so I think the Chinese are laughing at bot creators.
I just know what those longer bytes mean.
They are used to store Merit points for the Guild (bytes 30-38), and the 3 merit points of the 3 Orders (bytes 38-50), for when you buy an item that needs merit points.
I hope this helps the buy packet get away from your "hate", Swoosh!
Again, thank you a lot for your help.
05/28/2012, 18:16, #326
elite*gold: 20, Join Date: May 2009, Posts: 1,290, Received Thanks: 326
Ahh, thanks for that info. It's nothing I use though, so I guess I'll leave it at 0.
I dislike the Buy packet only because it changes often, and I need to maintain stuff across several versions.
05/29/2012, 10:33, #327
elite*gold: 0, Join Date: Mar 2010, Posts: 862, Received Thanks: 576
It kind of worries me that they require the client to send how much merit you're spending... Perhaps you can leave it at 0 even then swoosh
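To check the three buy-packet layouts described in this thread against actual bytes, here is an added Python decoder (written for this edit; it is not code from the thread or from any of the bots named here). It assumes the 38-byte 1.4.4 layout is the 50-byte one with 12 fewer zero bytes, as post #323 inferred, and that the dword after the opcode is always 01000000; it validates nBytes against the packet length and flags non-zero bytes in the version block, which on 1.4.5 are the client-supplied merit amounts Interest07 worries about in post #327.

```python
import struct
from dataclasses import dataclass, field

OPCODE_BUY = 0x25   # first byte of every buy packet quoted in the thread
HEADER_LEN = 10     # opcode (2) + constant 01000000 (4) + nBytes (4); nBytes counts what follows
ITEM_LEN = 12       # itemTypeId, shopIndex, amount as little-endian u32
# Zero block between the header and the item count, per layout seen in the thread: 4 bytes in
# Interest07's 30-byte packet, 24 in Swoosh's 50-byte 1.4.5 packet, and (assumed: 12 bytes
# shorter than the 50-byte one, as post #323 inferred) 12 in the 38-byte 1.4.4 packet.
PADDING_BY_VARIANT = {"30-byte": 4, "38-byte (1.4.4)": 12, "50-byte (1.4.5)": 24}

@dataclass
class BuyPacket:
    variant: str
    items: list                 # (itemTypeId, shopIndex, amount) tuples
    padding: bytes              # the version-dependent block (merit fields on 1.4.5)
    warnings: list = field(default_factory=list)

def parse_buy_packet(data: bytes) -> BuyPacket:
    """Decode a buy packet in any of the three layouts; raise ValueError if it is malformed."""
    if len(data) < HEADER_LEN or data[0] != OPCODE_BUY or data[1] != 0:
        raise ValueError("not a buy packet")
    const, n_bytes = struct.unpack_from("<II", data, 2)
    if const != 1 or n_bytes != len(data) - HEADER_LEN:
        raise ValueError("header const %d / nBytes %d do not fit a %d-byte packet" % (const, n_bytes, len(data)))
    for variant, pad in PADDING_BY_VARIANT.items():   # first layout whose item count agrees wins
        item_bytes = n_bytes - pad - 4
        if item_bytes < ITEM_LEN or item_bytes % ITEM_LEN:
            continue
        (n_items,) = struct.unpack_from("<I", data, HEADER_LEN + pad)
        if n_items != item_bytes // ITEM_LEN:
            continue
        base = HEADER_LEN + pad + 4
        items = [struct.unpack_from("<III", data, base + i * ITEM_LEN) for i in range(n_items)]
        pkt = BuyPacket(variant, items, data[HEADER_LEN:HEADER_LEN + pad])
        if any(pkt.padding):
            # On 1.4.5 this block carries client-supplied merit amounts; a server must price the
            # purchase itself instead of trusting these bytes (the concern raised in post #327).
            pkt.warnings.append("non-zero padding/merit bytes: " + pkt.padding.hex())
        pkt.warnings += ["zero amount for itemTypeId %d" % t for t, _, a in items if a == 0]
        return pkt
    raise ValueError("no known buy-packet layout fits %d bytes" % len(data))

# Constructed samples (not captured traffic): buy one item 41 from shop slot 0, as in post #319.
SAMPLE_30 = bytes.fromhex("2500 01000000 14000000 00000000 01000000 29000000 00000000 01000000")
SAMPLE_38 = bytes.fromhex("2500 01000000 1c000000" + "00" * 12 + "01000000 29000000 00000000 01000000")
SAMPLE_50 = bytes.fromhex("2500 01000000 28000000" + "00" * 24 + "01000000 29000000 00000000 01000000")
```

Running parse_buy_packet over each sample yields the item tuple (41, 0, 1) with the matching variant name; a packet whose nBytes disagrees with its length is rejected before any field is read.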
05/29/2012, 11:25, #328
elite*gold: 20, Join Date: May 2009, Posts: 1,290, Received Thanks: 326
Hmm, none of PWI users had problems with buying, so I think that it doesn't really matter if I send them with 0
08/01/2012, 23:30, #329
elite*gold: 10, Join Date: Sep 2010, Posts: 400, Received Thanks: 234
Hi all,
I'm not back, just popping in briefly :P
Anyone know if they've fixed the charm dropping glitch? Just updated my dropper tool and now it comes up "unable to discard item". It would make sense that they have, but just wondering lol.
Cheers.
Edit: Never mind, just found it in the cabbage patch notes lol.
"Fixed an exploit to drop bound-equipment/items"
08/02/2012, 00:13, #330
elite*gold: 20, Join Date: May 2009, Posts: 1,290, Received Thanks: 326
Yes. Fixed