
Thread: World of Warcraft "reversing" / bot programming

  1. #1
    n00bster
    Guest

    World of Warcraft "reversing" / bot programming

    Hello all,


    I'm looking for a bit of information on how I would go about writing an automated "bot" for the online game, World of Warcraft.

    My idea first:

    I'm planning to just use ReadProcessMemory and search for "monsters" (not sure how I will identify them in memory yet) and when found, I'll use the MouseEvent() API to send the appropriate mouse clicks to do the attacking, etc. It'll be very cheesy, but it's just a start, I guess.

    My problem is, I don't know where to start reading in memory inside of the WoW.exe process. How can I find out approximately where "monster" data is kept, or where my "health" is kept? I thought I could just search for my health to give me a start, but should I start at address 0 in the program's memory when using ReadProcessMemory? I'm guessing no..

    Anyways, if anyone can shed some light for me, it'd be much appreciated.

    I apologize in advance if this is too off-topic, I figured since it consisted of the use of debugging apis/messing with another process it couldn't be that far off-topic, plz delete if it is.

    thanks

  2. #2
    Extrarius
    Guest
    I expect that you'll be quickly banned if you start randomly poking and prodding the WoW process, but the functions you want are:
    GetModuleHandle
    VirtualQueryEx
    CreateToolhelp32Snapshot
    Process32First / Process32Next
    Heap32ListFirst / Heap32ListNext
    Heap32First / Heap32Next
    Toolhelp32ReadProcessMemory
    Last edited by Extrarius; April 8th, 2006 at 07:43.

  3. #3
    This sounds like quite a challenge. Locating monster objects in memory and extracting their positions isn't inconceivable, but forging input events to bring your character to the location, face the right direction and attack a moving target sounds pretty tricky.

    In order to find the sensitive spots in memory, you'll have to take a few guesses as to how the game was written (I'll assume it's C++) and how the data are stored in memory. It's likely that each actor in the game is represented by some class or other. The monster and player classes are probably the same or similar (perhaps derived from the same base), and all characters (including yourself) are likely to be instances of the same class.
    Considering that the world is so dynamic, the characters and monsters are probably stored in a resizable array.
    More specifically, I'd guess that you're dealing with a std::vector of some class CPlayer, with your own character at index 0. Of course, this is just a guess, but the facts shouldn't be too different.

    A good way to try to locate where you are stored in memory would be to note down your vitals (try to make them as 'unique' as you can - if you have a high level character this will be easier) and perform a binary search over the process heap for your character's name (almost certainly ASCII). You are likely to find it in several places but with enough probing and a bit of luck, you may find it sitting next to some other recognisable figures (health, magic etc.). Note that the integral variables (e.g. health) should be long/short ints, whereas your position is probably stored with floats. If you get this far, working out the struct definition is a matter of trial-and-error. Once you've worked out how player data are managed, advancing to monsters will be a little easier.

    Bear in mind that this is the best-case scenario. You're likely to find a lot of red herrings and encounter problems that didn't occur to you. Be prepared to deal with the situation where names are stored as std::string (and so you won't have an ASCII string in the struct but a pointer). If you have a good debugger, using a tool to decode STL structures can save you a lot of effort.

    You should probably try to get this sussed before even thinking about your feedback system. Let us know how you get on.

    Regards
    Admiral
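
The approach the last two replies sketch (don't start at address 0; walk the target's regions with VirtualQueryEx, read each with ReadProcessMemory, look for the character name and check that a known value such as current health sits beside it), as an added worked example that is not code from this thread or from any poster. Everything about the record is an assumption made for illustration: the layout `name\0 | int32 health | float x | float y`, the name "Thrall" and the health value 12345 are constructed and are not WoW's real data; the sample region is a constructed byte buffer standing in for one region read from the target. The Windows part compiles only under `_WIN32`; the scanning logic is plain C99 and runs anywhere on a little-endian host.

```c
/* Added example (not from the thread): find a player record in another
 * process by scanning committed regions for the character's name and
 * requiring the expected health value right after it.
 * ASSUMED layout, for illustration only (not WoW's real layout):
 *   char name[] (NUL-terminated) | int32 health | float x | float y
 * Little-endian host assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define MAX_HITS 16

typedef struct {
    size_t  offset;  /* where the name starts (region-relative or absolute) */
    int32_t health;  /* assumed 32-bit int right after the terminator */
    float   x, y;    /* assumed floats right after health */
} candidate_t;

/* Scan one region's bytes. A bare string match yields red herrings (chat
 * buffers, UI text), so a hit must also carry the expected health in the
 * assumed slot. Returns the number of candidates written to out. */
size_t scan_region(const uint8_t *buf, size_t len, const char *name,
                   int32_t expected_health, candidate_t *out, size_t max_out)
{
    size_t n = 0, nlen = strlen(name) + 1;              /* include the NUL */
    size_t rec = nlen + sizeof(int32_t) + 2 * sizeof(float);
    for (size_t i = 0; i + rec <= len && n < max_out; i++) {
        candidate_t c;
        if (memcmp(buf + i, name, nlen) != 0) continue;
        c.offset = i;
        memcpy(&c.health, buf + i + nlen, sizeof c.health);
        memcpy(&c.x, buf + i + nlen + 4, sizeof c.x);
        memcpy(&c.y, buf + i + nlen + 8, sizeof c.y);
        if (c.health != expected_health) continue;       /* red herring */
        out[n++] = c;
    }
    return n;
}

#ifdef _WIN32
/* Walk the target's address space with VirtualQueryEx (never from address 0
 * blindly), read only committed, accessible regions, scan each, and turn
 * region-relative offsets into absolute addresses. Read-only: nothing is
 * written to the target. */
size_t scan_process(DWORD pid, const char *name, int32_t health,
                    candidate_t *out, size_t max_out)
{
    HANDLE h = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION,
                           FALSE, pid);
    MEMORY_BASIC_INFORMATION mbi;
    uint8_t *addr = NULL;
    size_t total = 0;
    if (!h) return 0;
    while (total < max_out &&
           VirtualQueryEx(h, addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (mbi.State == MEM_COMMIT &&
            !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD))) {
            uint8_t *buf = malloc(mbi.RegionSize);
            SIZE_T got = 0;
            if (buf && ReadProcessMemory(h, mbi.BaseAddress, buf,
                                         mbi.RegionSize, &got)) {
                size_t n = scan_region(buf, got, name, health,
                                       out + total, max_out - total);
                for (size_t i = 0; i < n; i++)
                    out[total + i].offset += (size_t)mbi.BaseAddress;
                total += n;
            }
            free(buf);
        }
        addr = (uint8_t *)mbi.BaseAddress + mbi.RegionSize;
    }
    CloseHandle(h);
    return total;
}
#endif

/* Constructed sample region standing in for bytes read from the target:
 * noise, a decoy copy of the name followed by garbage, then the record. */
static const uint8_t sample_region[] = {
    0xde, 0xad, 0xbe, 0xef,
    'T','h','r','a','l','l',0, 0x01,0x02,0x03,0x04, 0,0,0,0, 0,0,0,0, /* decoy */
    0x00, 0x00,
    'T','h','r','a','l','l',0,                    /* real record at offset 25 */
    0x39,0x30,0x00,0x00,                          /* health = 12345 */
    0x00,0x00,0x80,0x3f,                          /* x = 1.0f */
    0x00,0x00,0x00,0xc0,                          /* y = -2.0f */
    0xff
};
static candidate_t demo_hits[MAX_HITS];

size_t demo_scan(void)
{
    return scan_region(sample_region, sizeof sample_region, "Thrall", 12345,
                       demo_hits, MAX_HITS);
}
const candidate_t *demo_hit(size_t i) { return &demo_hits[i]; }

int main(void)
{
    size_t n = demo_scan();
    for (size_t i = 0; i < n; i++)
        printf("hit at +%zu: health=%d x=%g y=%g\n", demo_hits[i].offset,
               demo_hits[i].health, demo_hits[i].x, demo_hits[i].y);
    return 0;
}
```

Against the constructed region the decoy copy of the name is rejected because the bytes after it do not decode to the expected health, and only the real record at offset 25 survives. On a live target you would call `scan_process` with the game's PID, repeat after the health changes, and keep only addresses that match both times; the same double-check is what weeds out strings that merely mention the name.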

  4. #4

    As Above

    1. Go to Google.

    2. Search for "Cheat Engine v5"

    3. IMPORTANT: Go through the Cheat engine tutorials after installation.

    4. WARNING: This is not a simple memory reader. It is a VERY complicated piece of software, which I sometimes use to break heavily time/number protected software.

    5. Rest all should be OK

    Have Phun

    PS: Hope the WOW servers do not check the WOW process in memory for anything like their data etc.
    Blame Microsoft, get l337 !!

  5. #5
    Using ReadProcessMemory may be ok, but it seems anything that alters memory used by WoW.exe is certainly out of bounds. I was a little interested in the checks, and changed a single byte (part of what seemed like a name). Tried it twice, and got disconnected from the server between 1 - 3 minutes afterwards each time.

    Now this could be a coincidence, but considering the number of times a disconnection happens normally (very rarely), I think not...

    I'd imagine therefore that after this happens X amount of times in Y amount of time, you'll get banned. So be warned!

  6. #6
    Quote Originally Posted by squidge
    I'd imagine therefore that after this happens X amount of times in Y amount of time, you'll get banned. So be warned!
    Many games have such protections... watch out for hooked system calls and constantly-checked memory. No doubt some more reversing can disable those checks

  7. #7
    The problem with hacking online games is that the developers are wise to all the tricks. That doesn't mean they are competent to prevent them, but it does generally mean that data is validated at the server as well as by the client game software. You're always better off with "local" hacks (eg: wallhack in Halflife) than "global" hacks (eg: give your character $1000 in some MMORPG, where the stats of each player are stored on the server).
    Still here...

  8. #8
    disavowed
    You shouldn't need anything more than ReadProcessMemory since you can send fake input to the game (in the case of a bot) and you can draw on top of the screen with DirectX (in the case of a trainer). No need to overwrite the process's memory anywhere.

  9. #9
    Note that drawing on the screen with DX is a good solution but it has some risks. Example, some of the Valve cheater-protection admin software takes screenshots of clients as they play the game, and sends those screenshots to the server. The server admin can then see exactly what you're seeing making any visual cheats very obvious. So don't just inject some DX drawing code, make sure you check out any suspicious code that might snapshot your screen or similar.

  10. #10
    This article may be a bit helpful for avoiding WoW self-checks
    http://rootkit.com/blog.php?newsid=358
    Vulnerant omnes, ultima necat.

  11. #11
    disavowed
    Quote Originally Posted by Silver
    some of the Valve cheater-protection admin software takes screenshots of clients as they play the game, and sends those screenshots to the server. The server admin can then see exactly what you're seeing making any visual cheats very obvious.
    That's awesome!

    Assuming that's true, you could create a networked trainer and have it display its information on another computer's screen.

  12. #12
    I prefer this one myself:

    h**p://w*w.wowsharp.net/forums/viewtopic.php?t=7024

    Much more informative.

  13. #13
    Quote Originally Posted by disavowed
    That's awesome!

    Assuming that's true, you could create a networked trainer and have it display its information on another computer's screen.
    Nice, huh! The anticheat system is called PunkBuster, here's some info:

    http://users.pandora.be/z/suggested/screen.html

    My mistake, it's not by Valve it's by Even Balance Software but it was made for Valve products etc.

    The networked trainer idea is nice actually, it wouldn't be hard to hook DX Present calls, grab the backbuffer and send it elsewhere.

  14. #14
    I didn't think the anti-cheat in WoW was as bad as PunkBuster? As in, PunkBuster requires administrative privileges before it'll run, for example.

  15. #15
    Quote Originally Posted by Silver
    it wouldn't be hard to hook DX Present calls, grab the backbuffer and send it elsewhere.
    True, but then it would be all too easy to sidestep this method by drawing directly to the front-buffer. Nevertheless, the principle stands - it's just as easy to capture the contents of the screen buffer.
