DefaultO / Warspear-Online-Follow-Bot

Be your own Team!
MIT License

hello how to you run the file? #1

Open srhn16 opened 3 years ago

srhn16 commented 3 years ago

do u mind telling me pls how to use it

DefaultO commented 3 years ago

The released code was never meant to be ready to use and looks ugly if I am honest with you. I just released it as some sort of PoC.

To compile this project you will need the Visual Studio IDE with the C#/.NET Add-on (which you can select in the installer). Then you can open the Project Solution File (.sln) inside the 'src' folder. Now comes the hard part: understanding the Code and updating everything to work with the latest version of the game client.

You need to update the Pointers which you probably can't on your own: https://github.com/DefaultO/Warspear-Online-Follow-Bot/blob/92a636e7cf945e6278b63fa2627e2aa77f796219/src/Warspear-Online-Follow-Bot-Test/Program.cs#L687 Then use the other code parts of the Program.cs Class to build on top of, or just start building your own small logic.

What I had already is interesting though if I look back at it. I might start working on this project again with scripting support, so someone can actually create scripts for quests and farming if he wants to. Thanks for opening this issue. I won't be able to spoonfeed you as I have other projects to work on right now. But if you got questions, just ask them.

davidfox15 commented 3 years ago

how do you identify enemies ?

srhn16 commented 3 years ago

There's a red mark on their name

On Thu, 10 Jun 2021 at 4:40 AM, davidfox15 @.***> wrote:

> how do you identify enemies ?


DefaultO commented 3 years ago

When I made some small Bot on top of that base, I used the Cursor Icon ID. Then moved the cursor through memory over the whole map (or rather around the player), and when the Sword Icon appeared, sent an Enter. And started some loop that checks for my stats (health, MP, cooldown, ...) to effectively attack the enemy and run when you are out of mana and/or health.

To find the cursor ID, I suggest you attach Cheat Engine to the Game and check for some changed value whenever you move your cursor (so it shows another icon). You can use interaction, blocked areas, interchange sections, pickup, attacking and stuff like that for it. Pointer scan for that. Repeat steps until you are left with a few pointers. They should work until the next big update.

Then I'd suggest you look for player data, health, position, etc. Pointer scan for it. Repeat as you have done with the Cursor Icon ID. You should see that the pointer for cursor icon ID and player stuff related things might have the same offsets at the beginning.

When the offsets change, pick the offset before it, right click the address next to it and copy the address. Then go to memory view > tools > dissect data/structures and paste the address into the text box you should see now. Change the structure size to something big, add a few 0's. You should be able to find a lot of useful stuff in the list you see now, which all corresponds to the pointer you got.

If you need further help with it, don't hesitate to ask me.

davidfox15 commented 3 years ago

I find my hero's x y mana hp and cursor position, but I can't find the flag. (attack, loot, cross) What is the value in this cell. How to find a cheat engine ? Sorry for my english.

DefaultO commented 3 years ago

@davidfox15 I added an updated Cheat Engine Table to the Repository. Uploading a Video right now that is me recording, how I found them. If you watch it precisely, you probably will figure it out. I will update this Issue once it's uploaded and finished encoding. Also will recode this project to be easier to understand. Maybe even add some simple bot logic to it.

The video is rushed, hope you won't mind it. It's 35 minutes long but shows everything you have to do to find all the things used in this project. That way it probably is also easier to understand how to patch the memory of the game so your cursor doesn't move back when you change its position using memory. When I have time today, I will add time points to the video description, so you can skip to the parts that are interesting to you.

I found some time for this project after finishing and updating my Growtopia Bot.

DefaultO commented 3 years ago

https://github.com/DefaultO/Warspear-Online-Follow-Bot/blob/main/Warspear-Online-9.3.3.CT

davidfox15 commented 3 years ago

Ok I watch, thank you. Can you tell me about yourself ? (I begin learn programming 3 years ago in university)

DefaultO commented 3 years ago

> Ok I watch, thank you. Can you tell me about yourself ? (I begin learn programming 3 years ago in university)

Me? Turning 20 this year, September. Been coding since I was 11. I am currently in my 3 years which I get my certificates afterward for being an IT Specialist if I pass the test then. Done this to have an easy job entry in case I want to ever work for someone else 5 days a week, 8 hours a day.

DefaultO commented 3 years ago

Makes sense @glxftw. Never heard of this sort of tree. Probably one of the reasons, I haven't figured it out yet. What I thought it is, is a nested list, that self-referencing was a sign for that (after the 3rd or 4th index). Because I had to work with such in Growtopia already I was sure I could manage to find the right offsets. But based on the black-red tree structure, what I did till now is just following one branch towards the right side till it didn't read any interesting values anymore.

But because of the logic to keep the tree size as short as possible and the "self-balancing", I only get like 10% of the whole tree (considering I got 3 entities out of 1 room that potentially holds 30 entities) using the current method I use.

Looks exactly what it outputs me right now (filtering out all the reads that have an empty name -> invalid path)

DefaultO commented 3 years ago

Yea I figured, I hardcode it for now, as the weather today is terribly warm and I can't think straight. Seems to work now. Thanks for pointing it out. Once I feel less sick/tired I will try to code a function that follows the tree till the end, and switches between the Offsets (HEX)4 and (HEX)8. Again, reading through it all, but once the Unicode string located at the offset (HEX)58 is empty, I skip it.

For everyone else who doesn't have it: You can find the entity List at warspear.exe+5F0330 10 38 0. The structure is as follows: Here, important, that every entry splits into 2, thus having those 2 offsets (HEX)4 & (HEX)8. And when you are in a "node" adding the offset (HEX)14 will get you into the entity info/player info structure.

Player/Entity List Offsets:
    (hex)4      next entity
    (hex)8      next entity
    (hex)14     entity data
---------------------------------------------
Player/Entity Structure Offsets:
    (hex)54     entity name length
    (hex)58     entity name
    (hex)F4     health
    (hex)F8     max health
    (hex)FC     mana
    (hex)100    max mana
    (hex)108    pos x
    (hex)10A    pos y
    (hex)10C    des x
    (hex)10E    des y

Will look more into that structure pretty soon as I'd love to know if the Entity is a player. For that I suppose, there can be a flag somewhere, most likely a bool (0 or 1). Edit: Now that I think that I have to divide it into at least 3 factions, NPC, players, and monsters (there must be one for objects too, dummies, etc.), I don't think anymore that it must be a bool, as it can't represent 4+ values.


davidfox15 commented 3 years ago

I coded this, but I can't find the address by "warspear.exe". I don't know why, not all addresses read correctly (cursorX does not work). Can you help me? Sometimes cursorX works, when cursorY=13.

DefaultO commented 3 years ago

"warspear.exe" is not a static address @davidfox15. The library I use loops through all modules and gets the base address of it. "warspear.exe" in this case would be the base address of the game itself. Since I don't code in C++ and therefore obviously never coded some rpm/wpm in it, you are on your own. This might help you though: https://stackoverflow.com/questions/26572459/c-get-module-base-address-for-64bit-application

DefaultO commented 3 years ago

Since it reads "something" I assume the way you read it out of memory is not how it's stored in memory. World Position is stored in 2 Bytes as they don't have to display any value above 28, because the map size is 28x28. You are probably reading out 4 Bytes right now because of that int you got there. If you change the type in the Cheat Engine Table for cursor x to 4 bytes, you should get the same value. So try to read 2 bytes out of memory and cast it into an int, I guess like so: int number = buf[0] | buf[1] << 8; Source: https://stackoverflow.com/questions/17071458/convert-2-bytes-into-an-integer

In C# it's as easy as using BitConverter.
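The width mismatch described in the comment above, shown on a small buffer. This is an added example, not code from the thread or from the project. The sample bytes are constructed, the field offsets are taken relative to 0x108 from the offset table posted earlier, and the helper names `read_le` and `naive_signed` are hypothetical. It also shows a second pitfall of the quoted one-liner when the buffer type is signed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Field offsets relative to structure offset 0x108, following the offset
   table posted in this thread (pos x 0x108, pos y 0x10A, des x 0x10C,
   des y 0x10E). */
enum { POS_X = 0, POS_Y = 2, DES_X = 4, DES_Y = 6 };

/* Constructed sample bytes (not captured data): pos x = 13, pos y = 7,
   des x = 14, des y = 7, each stored as a 16-bit little-endian value. */
static const uint8_t sample[8] = { 0x0D, 0x00, 0x07, 0x00,
                                   0x0E, 0x00, 0x07, 0x00 };

/* Constructed 16-bit value 400 (bytes 0x90 0x01) in a signed char buffer. */
static const signed char raw400[2] = { -112, 1 };

/* Hypothetical helper: decode a little-endian field of `width` bytes
   (2 or 4) at `off`. Returns the value, or -1 if the width is unsupported
   or the read would run past the end of the buffer. Works the same on
   little- and big-endian hosts because it assembles the bytes itself. */
static int64_t read_le(const uint8_t *buf, size_t len, size_t off, size_t width)
{
    uint64_t v = 0;
    if (width != 2 && width != 4) return -1;
    if (off > len || len - off < width) return -1;
    for (size_t i = 0; i < width; i++)
        v |= (uint64_t)buf[off + i] << (8 * i);
    return (int64_t)v;
}

/* The one-liner from the comment applied to a signed buffer: a byte
   >= 0x80 is sign-extended before the OR and corrupts the result. */
static int naive_signed(const signed char *buf)
{
    return buf[0] | buf[1] << 8;
}

int main(void)
{
    /* Correct width: each coordinate decodes on its own. */
    printf("pos x (2 bytes) = %lld\n",
           (long long)read_le(sample, sizeof sample, POS_X, 2));
    printf("pos y (2 bytes) = %lld\n",
           (long long)read_le(sample, sizeof sample, POS_Y, 2));

    /* Wrong width: a 4-byte read at pos x also swallows pos y, giving
       x | (y << 16). It only equals x while y happens to be 0. */
    printf("pos x (4 bytes) = %lld\n",
           (long long)read_le(sample, sizeof sample, POS_X, 4));

    /* A 4-byte read at the last 2-byte field would leave the buffer. */
    printf("des y (4 bytes) = %lld\n",
           (long long)read_le(sample, sizeof sample, DES_Y, 4));

    /* Signed buffer pitfall versus the unsigned decode of the same bytes. */
    printf("naive signed    = %d\n", naive_signed(raw400));
    printf("unsigned decode = %lld\n",
           (long long)read_le((const uint8_t *)raw400, 2, 0, 2));
    return 0;
}
```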

DefaultO commented 3 years ago

When your problem got solved. Remove your Screenshot please, as people can see your name in it. If it's some newly created alt account, no problem, keep it up there if you want. If it's your main, you should remove it to not get punished one day when you don't even expect it.

davidfox15 commented 3 years ago

Ooo, I solved the problem with cursorX. Interesting, if I point 4 bytes in cursorY the value does not change (I think it's not working right), but in CursorX 4 bytes changes the value to another big number. I take short int (short int size is 2 bytes) and it works correctly. I know "warspear.exe" is not static, I change it manually.

DefaultO commented 3 years ago

You shouldn't hardcode a dynamic address @davidfox15. Get the base address from the modules. Hope you're making progress. o/

davidfox15 commented 1 year ago

Hello, can you help me again ?

rippedya commented 1 year ago

Bruh

On Thu, Dec 22, 2022, 8:19 p.m. Duardo Kazelfin @.***> wrote:

> Worry for the question but, what are is (using Memory;)


davidfox15 commented 1 year ago

How to find struct of map, with enemies ? How you find this pointer warspear.exe+5F0330 10 38 0 ? How can i do this in new version ?

rippedya commented 1 year ago

Hey I appreciate the message. Unfortunately I have no idea how to do any of that shit

On Fri, Dec 23, 2022, 6:15 a.m. David @.***> wrote:

> How to find struct of map, with enemies ? How you find this pointer warspear.exe+5F0330 10 38 0 ? How can i do this in new version ?


DefaultO commented 1 year ago

> How to find struct of map, with enemies ? How you find this pointer warspear.exe+5F0330 10 38 0 ? How can i do this in new version ?

Figure out your own position first. Then once you know your own X and Y coordinate. Combine them by using the 4 bytes type (coords are stored in 2 bytes). Hope this makes sense. Why do we do this? To find fewer results because you provide more information you are looking for (exact coords of the enemy). Not only can multiple entities be on the same axis, but you will find a lot more garbage with low numbers than with huge more unique ones.

Get into a rather empty room with moving entities. Preferably some that don't attack you.


Note down somewhere the coordinates of each tile you know the monster will move on. Once it is on one of the tiles, scan for the coordinate. You will still get a couple of thousand results. But when the enemy moves again, rescan for changed value. Profit. Now you got a handful of addresses. One or a few of them are for the current position of the entity, and a few of the other ones are for the destination position (but this is common sense).

Pick any address of those two variants. They should be addressed pretty close to each other. Right-click one of them and pick the browse this memory region feature. The text you see on the right side of the hexadecimal bytes located at those address entries should include the entity names. Now you got two options. You do this step for every entity in this room. So you have got all addresses in the address list so that you can sort them from lowest to highest. The lowest one is the first entry of the entity list in this case. Or you do it the smart way and scroll up to the first entity you can find in the memory viewer. You should be able to spot them because you will see their actual names and values changing.

Once you have found the first Entity you can pointer scan for it.

DefaultO commented 1 year ago

You can also look for the entity name. This actually is faster I have to assume. Make sure you have ticked UTF-16 or else it won't find any results. Once you have found your entity name, make sure you pick the one right after the huge address jump. The previous stuff is uninteresting.

Notice the 1239CA18 followed by 1402BFC0 in the image below - that's a huge gap in between. That's at least how I was able to tell that the information above it is not interesting after only checking one address.

image

davidfox15 commented 1 year ago

I can find my position and position of enemy, and enemy struct address. How i can find list or struct tree with all enemies ?

davidfox15 commented 1 year ago

> Yea I figured, I hardcode it for now, as the weather today is terribly warm and I can't think straight. Seems to work now. Thanks for pointing it out. Once I feel less sick/tired I will try to code a function that follows the tree till the end, and switches between the Offsets (HEX)4 and (HEX)8. Again, reading through it all, but once the Unicode string located at the offset (HEX)58 is empty, I skip it.
>
> For everyone else who doesn't have it: You can find the entity List at warspear.exe+5F0330 10 38 0. The structure is as follows: Here, important, that every entry splits into 2, thus having those 2 offsets (HEX)4 & (HEX)8. And when you are in a "node" adding the offset (HEX)14 will get you into the entity info/player info structure.
>
> Player/Entity List Offsets:
>     (hex)4      next entity
>     (hex)8      next entity
>     (hex)14     entity data
> ---------------------------------------------
> Player/Entity Structure Offsets:
>     (hex)54     entity name length
>     (hex)58     entity name
>     (hex)F4     health
>     (hex)F8     max health
>     (hex)FC     mana
>     (hex)100    max mana
>     (hex)108    pos x
>     (hex)10A    pos y
>     (hex)10C    des x
>     (hex)10E    des y
>
> Will look more into that structure pretty soon as I'd love to know if the Entity is a player. For that I suppose, there can be a flag somewhere, most likely a bool (0 or 1). Edit: Now that I think that I have to divide it into at least 3 factions, NPC, players, and monsters (there must be one for objects too, dummies, etc.), I don't think anymore that it must be a bool, as it can't represent 4+ values.

How can I find the beginning of this Entity list (Tree)? I think I will use the BFS algorithm to go through every enemy in this struct. By pointer (hex)14 we can drop into the enemy struct from a tree node, but how can we go back to the tree node from the enemy struct with Cheat Engine?

davidfox15 commented 1 year ago

> Now I have an idea to improve. Use the Python program to obtain the information from the NPCs, mapping the area and assigning it some coordinates which would move the cursor with the C# program. The advantages would be that the C# code is simplified in theory, avoiding dumping the memory in search of the Monsters (NPC). It would free up the keyboard and mouse as this can be injected into program memory. Thus being able to use several accounts, opening multiple tabs.
>
> I'm sorry, there's a lot of your code that I don't understand. I think it's because I learned a little bit of C# to understand your code but it's hard for me, let's say I know what each thing does, but I don't know why or what path it uses to achieve it. I'm talking about theory. Here are some videos on how to find pointers, etc. https://www.youtube.com/watch?v=VJx7MzlTr28&t=10s
>
> No speak good english xd

Maybe it's a good idea. I tried to use Python cv, but it is very slow and works badly (not stable), maybe it's because I'm bad at Python cv.

DefaultO commented 1 year ago

> I can find my position and position of enemy, and enemy struct address. How i can find list or struct tree with all enemies ?

Already included that in my reply @davidfox15. Nothing comes from not even trying. If you are too lazy to use Cheat Engine I will ignore further questions for offsets. I don't get paid to do this after all. I do this out of concern that I forgot how to find it myself. Here are the steps again (oversimplified):

Get into an empty room. Mountain Clans usually is good for that. I went with this room. Because you can attack all mobs in it.

image

Then find the values for every mob in the room. Feel free to go with HP. Add the address to your table. CTRL+B the health (for example) that you have found for every mob. Scroll up a little bit and find the name of the mob (for easier recognition). Add it to the list as well. Group the health to the name. Your list should look something like this by now:

image

Sort the table by address. Do a pointer scan for the lowest one. Profit. When I look at the old offset table I posted here months ago I can tell that I will want to pick a pointer that ends with 0x58 out of my pointer scan (because I pointer scanned for the entity name). But I can only pick a pointer once I have repeated the same process repeatedly. Most if not all pointers in that list are bad ones and will die the moment I restart the game.

Animation

DefaultO commented 1 year ago

> look this, i make little script with python, and opencv. sorry don't speak or write good english xd https://youtu.be/dylha4ApKzQ
>
> Open cv works like my eyes, I can see the npc and select them and using python's auto click function and keypress simulation, I can make a basic Bot to kill and pick up certain monsters.
>
> but it is not infallible, it is a bot based on the graphic, this causes a problem if the monster moves too much or if I end up at a point where my eyes (Open cv) are not familiar with the code, it can be corrected, but that would consume a lot of memory since I am making constant screenshots to verify if the monster has already died or not, if it can be picked up or to return to a specific point on the map. In addition to using your keyboard and mouse, disabling the machine and cutting off the possibility of using more accounts.

Cool stuff @Cif3r. But it wouldn't be an improvement to move to optical recognition instead of memory reading. Memory reading is faster. It also can be used to avoid enemy players entering the room or attacking them. Optical recognition also needs more work (screenshotting every new NPC you want to farm). The only benefit your optical recognition brings is that everyone can do it. And it doesn't break each game update. For memory reading, you have to be able to find the pointer to the entity list for each update. Which sounds harder than it really is. You guys just never hacked a game before.

I wanted to make a good project out of this one but lost motivation somewhere in the last months.

davidfox15 commented 1 year ago

Sorry, I did not do it before) I don't understand many things well, but I have motivation; after a 1 year pause I got more knowledge in programming and grew in this. I'm not playing Warspear now, I played it when I was in school, but now I work in frontend) Now I'll try to do this, thank you for your help bro)

davidfox15 commented 1 year ago

> > I can find my position and position of enemy, and enemy struct address. How i can find list or struct tree with all enemies ?
>
> Already included that in my reply @davidfox15. Nothing comes from not even trying. If you are too lazy to use Cheat Engine I will ignore further questions for offsets. I don't get paid to do this after all. I do this out of concern that I forgot how to find it myself. Here are the steps again (oversimplified):
>
> Get into an empty room. Mountain Clans usually is good for that. I went with this room. Because you can attack all mobs in it.
>
> image
>
> Then find the values for every mob in the room. Feel free to go with HP. Add the address to your table. CTRL+B the health (for example) that you have found for every mob. Scroll up a little bit and find the name of the mob (for easier recognition). Add it to the list as well. Group the health to the name. Your list should look something like this by now:
>
> image
>
> Sort the table by address. Do a pointer scan for the lowest one. Profit. When I look at the old offset table I posted here months ago I can tell that I will want to pick a pointer that ends with 0x58 out of my pointer scan (because I pointer scanned for the entity name). But I can only pick a pointer once I have repeated the same process repeatedly. Most if not all pointers in that list are bad ones and will die the moment I restart the game.
>
> Animation

Aaah, I tried, but it doesn't work. I use Pointer scan on the lowest enemy HP address (with last offsets F4 and 14), save, then restart the game and do this again. When I try to compare the results I find zero matches.

davidfox15 commented 1 year ago

> image
>
> Ok, I have made progress using my static pointer and the list of offsets that Default provided.
>
> image

Oh, yes, I got it. It's hard but I can. I found all entities on the map. Try to use the BFS algorithm to go down the tree struct and get all entities. I got all of them when I print 100 entities, but 80 are empty and the others walk on the map.

davidfox15 commented 1 year ago

@Cif3r I told you, find the beginning of the struct and use BFS to go down the tree struct.

Cif3r commented 4 months ago

@DefaultO Bro

I'm trying to use it in Warspear but the Mutant is persistent, generating a reopening as soon as the previous one is closed. Now I'm not sure if the multiclient lock is on this same Mutant.

Multimedia1

DefaultO commented 4 months ago

> @DefaultO Bro
>
> I'm trying to use it in Warspear but the Mutant is persistent, generating a reopening as soon as the previous one is closed. Now I'm not sure if the multiclient lock is on this same Mutant.
>
> Multimedia1

This is new. They are now doing extra stuff at the start of the program. They must have figured out that it's easy to run multiple game clients at the same time.

Feel free to have a look at it yourself using IDA Free. It's inside the WinMain function (the start of the program, can be found in the exports, but IDA should put you in there on its own when it is done analyzing). Specifically the line in it with the function that uses the hInstance. It takes too much time to patch this in the morning at 5:30. Not calling the function at all won't create the Window.

image

So you have to get around the 2 "jz" checking for the error codes 183 (ERROR_ALREADY_EXISTS) and 5 (ERROR_ACCESS_DENIED). And then there are even more death traps lying around if you get into the "else" branch.

image

It probably is easier to get rid of the CreateMutex calls as a whole.

For that, you can AoB scan in Cheat Engine for this: A3 B8 AD BC 00. And I think the one that creates the Mutex again after you close it is sitting at warspear.exe+6378DA or warspear.exe+638081. I forgot already. This game isn't interesting to me anymore. Sorry. This probably will be all I can help you with. I will let you know if I have a look at this again. But I am busy with my life atm. And I found new games to hack and I like to make music.

DefaultO commented 4 months ago

If you need help. Open a thread here: https://www.unknowncheats.me/forum/general-programming-and-reversing/

Keep in mind that if your thread is bad quality, people will ignore you and won't help you. So try to do something yourself first. And document what you have done, and how you think the game works after having a look at it using something like IDA.

I wouldn't recommend it. But you can give the assembly or pseudo code to ChatGPT, and it can explain it to you to some extent.