Great stuff! -
06-23-2008
I've been lurking these forums for quite some time now, without posting anything, but this deserves a reply!
I've been tinkering with the same things you are for some time now, and I must say, this is ace :) You are really contributing a lot of great stuff, in an easy-to-understand way and with a sound and humble approach.
Oh, and that sounded like a great weekend ^_^
Keep up the great work, I hope to see a lot of posts in the future. I would love to be able to comment on the blog itself, but it seems as if I have to log in to do so?
Yeah, I disabled anonymous comments because I cannot stand getting spammed by random people. Anyone with anything important to say will register to say it.
Kynox, bobbysing, anyone else: How detectable would the above method be by Warden? I've heard Warden executes every ~15 seconds, does it iterate through all memory blocks and scan them and, if so, what does it scan them for? Relative calls to the client memory space? Would one be better off to leave the code injected and just disguise it until it needs to be called, then suspend all threads, patch the correct code back in, call it, and patch it out? I'm really in the dark as to what Warden will and won't detect. I'm operating on the assumption that it has blacklist hashes that it compares memory to, but I'm not sure and not willing to bet my account on it =p
06-27-2008
Quote:
Originally Posted by blizzo
* Credit kynox for this info *
At ObjectBase + 0014h there is a DWORD of the type of object that you are looking at:
Code:
enum ObjectType { ITEM = 1, CONTAINER, UNIT, PLAYER, GAMEOBJ, DYNOBJ, CORPSE };
Some objects, items, etc. won't have a real world location.
I'm wondering why Corpse, DynObj, and GameObjs don't have an x, y and z position.
Corpse is the corpse of a player, right? But they must have coordinates... I think they just have other offsets. Would you agree? =)
Quote:
Originally Posted by Shynd
Kynox, bobbysing, anyone else: How detectable would the above method be by Warden? I've heard Warden executes every ~15 seconds, does it iterate through all memory blocks and scan them and, if so, what does it scan them for? Relative calls to the client memory space? Would one be better off to leave the code injected and just disguise it until it needs to be called, then suspend all threads, patch the correct code back in, call it, and patch it out? I'm really in the dark as to what Warden will and won't detect. I'm operating on the assumption that it has blacklist hashes that it compares memory to, but I'm not sure and not willing to bet my account on it =p
Warden's main plan of attack is hashing bytes at relative offsets to modules and each page, and comparing them to "bad" hashes.
Seeing as VirtualAllocEx is giving you a different address each time, I would say your detection levels are quite low.
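To make Kynox's description concrete, here is an added example (mine, not code from the thread or from Warden) of the two scan styles he names: hashing a short run of bytes at a module-relative offset against a blacklist hash, and hashing each page of the module against a clean baseline. It then places the same patch bytes in a separate region, standing in for memory from VirtualAllocEx, and adds a third sweep that walks that region the way Shynd worried Warden might. The module contents, the patch bytes, the offsets and the use of FNV-1a as the hash are all constructed assumptions for the demo; nothing here claims to be Warden's real scan list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE    0x1000
#define MODULE_PAGES 4

/* Constructed stand-ins: four pages of "client module" and one page that
 * plays the role of a region handed back by VirtualAllocEx (outside it). */
static uint8_t g_module[MODULE_PAGES * PAGE_SIZE];
static uint8_t g_injected[PAGE_SIZE];

/* FNV-1a 32-bit: an assumed stand-in for whatever hash Warden really uses. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Constructed "hack patch": mov eax,1 ; ret (x86), the kind of stub a hook
 * might leave in place of a client function's prologue. */
static const uint8_t PATCH[] = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };

/* Strategy 1 (blacklist): hash `len` bytes at a module-relative offset and
 * compare with the hash a known patch leaves there. */
typedef struct { uint32_t rel_off; uint32_t len; uint32_t bad_hash; } scan_entry;

static int blacklist_hits(const uint8_t *module, size_t size,
                          const scan_entry *list, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (list[i].rel_off > size || list[i].len > size - list[i].rel_off) continue;
        if (fnv1a(module + list[i].rel_off, list[i].len) == list[i].bad_hash) hits++;
    }
    return hits;
}

/* Strategy 2 (per-page baseline): hash every page and compare with the
 * hashes recorded while the module was clean; any edit inside a page shows. */
static void hash_pages(const uint8_t *module, uint32_t out[MODULE_PAGES]) {
    for (size_t i = 0; i < MODULE_PAGES; i++)
        out[i] = fnv1a(module + i * PAGE_SIZE, PAGE_SIZE);
}
static int modified_pages(const uint8_t *module, const uint32_t baseline[MODULE_PAGES]) {
    uint32_t now[MODULE_PAGES];
    hash_pages(module, now);
    int n = 0;
    for (size_t i = 0; i < MODULE_PAGES; i++) if (now[i] != baseline[i]) n++;
    return n;
}

/* Strategy 3 (region sweep): slide a window over an arbitrary region and
 * look for the blacklisted hash at any alignment. This is what a scanner
 * would need to do to find code that sits outside every module. */
static bool region_contains(const uint8_t *region, size_t size, uint32_t len, uint32_t bad_hash) {
    for (size_t off = 0; off + len <= size; off++)
        if (fnv1a(region + off, len) == bad_hash) return true;
    return false;
}

/* Fill the module with deterministic pseudo-code bytes and take a baseline. */
static void setup_clean_module(uint32_t baseline[MODULE_PAGES]) {
    uint32_t s = 12345;
    for (size_t i = 0; i < sizeof g_module; i++) {
        s = s * 1103515245u + 12345u;
        g_module[i] = (uint8_t)(s >> 16);
    }
    memset(g_injected, 0, sizeof g_injected);
    hash_pages(g_module, baseline);
}

typedef struct {
    int in_module_blacklist;  /* patch written into the module: blacklist scan */
    int in_module_pages;      /* same placement: per-page baseline scan */
    int injected_blacklist;   /* patch only in the separate region: blacklist scan */
    int injected_pages;       /* same placement: per-page baseline scan */
    int injected_sweep;       /* same placement: sweep of that region itself */
} scan_results;

/* Run every scan against both placements of the same bytes. */
static scan_results run_scenarios(void) {
    uint32_t baseline[MODULE_PAGES];
    scan_results r;
    const uint32_t patch_rel = 0x1234;  /* assumed module-relative hook site */
    scan_entry list[] = { { patch_rel, sizeof PATCH, fnv1a(PATCH, sizeof PATCH) } };

    /* Scenario A: the patch overwrites bytes inside the module. */
    setup_clean_module(baseline);
    memcpy(g_module + patch_rel, PATCH, sizeof PATCH);
    r.in_module_blacklist = blacklist_hits(g_module, sizeof g_module, list, 1);
    r.in_module_pages     = modified_pages(g_module, baseline);

    /* Scenario B: module untouched; the same bytes live in the separate region. */
    setup_clean_module(baseline);
    memcpy(g_injected + 0x40, PATCH, sizeof PATCH);
    r.injected_blacklist = blacklist_hits(g_module, sizeof g_module, list, 1);
    r.injected_pages     = modified_pages(g_module, baseline);
    r.injected_sweep     = region_contains(g_injected, sizeof g_injected,
                                           sizeof PATCH, list[0].bad_hash) ? 1 : 0;
    return r;
}

int main(void) {
    scan_results r = run_scenarios();
    printf("patch in module: blacklist=%d pages=%d\n", r.in_module_blacklist, r.in_module_pages);
    printf("patch injected:  blacklist=%d pages=%d sweep=%d\n",
           r.injected_blacklist, r.injected_pages, r.injected_sweep);
    return 0;
}
```

The module-relative and per-page scans both flag scenario A and both miss scenario B, which is the reasoning behind "your detection levels are quite low": a list keyed on module offsets never looks at a freshly allocated region. The sweep in strategy 3 does find it, so the real question for a practitioner is whether the scanner enumerates committed regions at all, which is exactly the part the thread says nobody is sure about.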
Quote:
I'm wondering why Corpse, DynObj, and GameObjs don't have an x, y and z position.
Corpse is the corpse of a player, right? But they must have coordinates... I think they just have other offsets. Would you agree? =)
Sorry for my bad English =)
Corpse, DynObj, and GameObjs have coordinates, yes. They're held within the object_flags struct.
For a Corpse, you read [[baseaddress + 0x120] + 0x0C] for coordinates. A GameObject is [[baseaddress + 0x120] + 0x24]. A DynamicObject is [[baseaddress + 0x120] + 0x14]. Hope it helps.
Quote:
Originally Posted by Kynox
Warden's main plan of attack is hashing bytes at relative offsets to modules and each page, and comparing them to "bad" hashes.
Seeing as VirtualAllocEx is giving you a different address each time, I would say your detection levels are quite low.
That's kinda what I figured. Soon as I get it polished a little bit more, I'll give it a go on retail and see what happens.
By the way, tomorrow I'll teach you all how to call the class method Object.Interact(). Whereas Select(..) allowed you to simulate a left-click on an object, Object.Interact() allows you to simulate a right-click on an object, allowing for attacking, looting, node mining, herb gathering, etc. I don't know much about virtual tables, but I figured out how to do it using CreateRemoteThread anyway. Tomorrow
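An added example (mine, not code from the thread) that puts the two offset posts above together: the type DWORD at ObjectBase + 0x14 from the enum, and Shynd's [[base + 0x120] + off] chain for the position of a Corpse, GameObject or DynamicObject. It runs against a constructed byte image standing in for the client's address space, so every read is bounds-checked and a null object_flags pointer is reported rather than dereferenced. The image base, the sample objects and their positions are invented for the demo; the offsets are the ones quoted in the thread. A real reader would swap the memcpy in read_bytes for ReadProcessMemory on the game process.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Object type DWORD at ObjectBase + 0x14, as posted in the thread. */
enum ObjectType { ITEM = 1, CONTAINER, UNIT, PLAYER, GAMEOBJ, DYNOBJ, CORPSE };

/* Offsets quoted in the thread. */
#define OBJ_TYPE_OFF     0x14
#define OBJ_FLAGS_OFF    0x120  /* pointer to the object_flags struct */
#define CORPSE_POS_OFF   0x0C
#define DYNOBJ_POS_OFF   0x14
#define GAMEOBJ_POS_OFF  0x24

/* Constructed stand-in for the client's address space: a flat byte image
 * that pretends to be mapped at IMAGE_BASE (assumed value). */
#define IMAGE_BASE 0x10000000u
#define IMAGE_SIZE 0x1000u
static uint8_t g_image[IMAGE_SIZE];

/* Bounds-checked read; anything outside the image counts as unreadable. */
static bool read_bytes(uint32_t addr, void *out, size_t n) {
    if (addr < IMAGE_BASE || n > IMAGE_SIZE || addr - IMAGE_BASE > IMAGE_SIZE - n)
        return false;
    memcpy(out, g_image + (addr - IMAGE_BASE), n);
    return true;
}
static bool read_u32(uint32_t addr, uint32_t *out) { return read_bytes(addr, out, 4); }
static bool read_f32(uint32_t addr, float *out)    { return read_bytes(addr, out, 4); }

/* Writers used only to lay out the sample objects below. */
static void poke_u32(uint32_t addr, uint32_t v) { memcpy(g_image + (addr - IMAGE_BASE), &v, 4); }
static void poke_f32(uint32_t addr, float v)    { memcpy(g_image + (addr - IMAGE_BASE), &v, 4); }

typedef struct { float x, y, z; } vec3;

/* Position offset inside object_flags for the types the thread covers;
 * -1 for the rest (items, containers, units, players). */
static int pos_offset_for(uint32_t type) {
    switch (type) {
    case CORPSE:  return CORPSE_POS_OFF;
    case DYNOBJ:  return DYNOBJ_POS_OFF;
    case GAMEOBJ: return GAMEOBJ_POS_OFF;
    default:      return -1;
    }
}

/* Resolve [[base + 0x120] + off] into x, y, z. Every dereference is checked,
 * so a null or unmapped object_flags pointer yields false instead of garbage. */
static bool object_position(uint32_t base, vec3 *out) {
    uint32_t type, flags;
    if (!read_u32(base + OBJ_TYPE_OFF, &type)) return false;
    int off = pos_offset_for(type);
    if (off < 0) return false;
    if (!read_u32(base + OBJ_FLAGS_OFF, &flags) || flags == 0) return false;
    return read_f32(flags + off,     &out->x)
        && read_f32(flags + off + 4, &out->y)
        && read_f32(flags + off + 8, &out->z);
}

/* Lay out one constructed object of `type` at `base` with its object_flags
 * struct at `flags` and the position stored at that type's offset. */
static void build_object(uint32_t base, uint32_t type, uint32_t flags,
                         float x, float y, float z) {
    poke_u32(base + OBJ_TYPE_OFF, type);
    poke_u32(base + OBJ_FLAGS_OFF, flags);
    int off = pos_offset_for(type);
    if (off >= 0 && flags != 0) {
        poke_f32(flags + off,     x);
        poke_f32(flags + off + 4, y);
        poke_f32(flags + off + 8, z);
    }
}

/* Constructed samples: a corpse, a game object, and a corpse whose
 * object_flags pointer is null (the dangling case a walker must survive). */
#define SAMPLE_CORPSE   (IMAGE_BASE + 0x000)
#define SAMPLE_GAMEOBJ  (IMAGE_BASE + 0x200)
#define SAMPLE_DANGLING (IMAGE_BASE + 0x400)
static void build_samples(void) {
    memset(g_image, 0, sizeof g_image);
    build_object(SAMPLE_CORPSE,   CORPSE,  IMAGE_BASE + 0x800,  1.5f,  -2.0f, 3.25f);
    build_object(SAMPLE_GAMEOBJ,  GAMEOBJ, IMAGE_BASE + 0x900, -10.0f, 20.5f, 0.75f);
    build_object(SAMPLE_DANGLING, CORPSE,  0,                    0.0f,   0.0f, 0.0f);
}

int main(void) {
    build_samples();
    uint32_t objs[] = { SAMPLE_CORPSE, SAMPLE_GAMEOBJ, SAMPLE_DANGLING };
    for (size_t i = 0; i < 3; i++) {
        vec3 p;
        if (object_position(objs[i], &p))
            printf("%08x -> (%.2f, %.2f, %.2f)\n", objs[i], p.x, p.y, p.z);
        else
            printf("%08x -> no readable position\n", objs[i]);
    }
    return 0;
}
```

The type check comes first on purpose: reading a position offset that belongs to a GameObject out of a Corpse gives plausible-looking floats from the wrong field, which is much harder to notice than a refused read.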
06-28-2008
Quote:
Originally Posted by Shynd
Corpse, DynObj, and GameObjs have coordinates, yes. They're held within the object_flags struct.
For a Corpse, you read [[baseaddress + 0x120] + 0x0C] for coordinates. A GameObject is [[baseaddress + 0x120] + 0x24]. A DynamicObject is [[baseaddress + 0x120] + 0x14]. Hope it helps.
Cool. However, the SelectUnit function uses TLS, so you have to update that address in the new thread you have created; otherwise, when you run it you'll get a useful popup from Wow.exe.
Quote:
Cool. However, the SelectUnit function uses TLS, so you have to update that address in the new thread you have created; otherwise, when you run it you'll get a useful popup from Wow.exe.
Seemed to work fine for me, though you're right, it does seem to update the CurMgr right at the start of the subroutine. Don't know what to tell you, I never had a problem.
Object.Interact() definitely does, however, so I'll definitely get into that today.
Last edited by Shynd; 06-28-2008 at 11:41 AM.
Reason: clarified
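The TLS point above is easy to get wrong, so here is an added example (mine, not code from the thread or from the client) of why a function called on a CreateRemoteThread-style thread fails while the same call works on the client's own thread. A thread-local pointer stands in for the CurMgr slot, a small function that uses it without checking stands in for SelectUnit, and the thread entry stub either seeds the slot first or does not. The names, the object manager struct and the use of pthreads plus __thread in place of Win32 threads and TLS slots are all assumptions for a portable demo; the only thing taken from the thread is the behaviour being shown.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the client's object manager and for the
 * thread-local slot (the thread's "CurMgr") that points at it. A thread
 * created from outside starts with that slot empty. */
struct obj_manager { uint64_t selected_guid; };
static struct obj_manager g_mgr;
static __thread struct obj_manager *tls_cur_mgr = NULL;

/* Stand-in for SelectUnit: trusts the TLS pointer the way a function
 * written for the client's own threads would. A NULL slot is reported as
 * -1 here instead of the crash dialog the real client would show. */
static int select_unit(uint64_t guid) {
    if (tls_cur_mgr == NULL) return -1;
    tls_cur_mgr->selected_guid = guid;
    return 0;
}

struct job { struct obj_manager *mgr; uint64_t guid; int fix_tls; int result; };

/* Entry point of the new thread; models the stub a remote thread starts in.
 * With fix_tls set, the stub seeds the slot before calling into the client. */
static void *thread_entry(void *arg) {
    struct job *j = arg;
    if (j->fix_tls) tls_cur_mgr = j->mgr;
    j->result = select_unit(j->guid);
    return NULL;
}

/* Run select_unit on a fresh thread and hand back its result
 * (-2 if the thread could not be created at all). */
static int run_on_new_thread(struct obj_manager *mgr, uint64_t guid, int fix_tls) {
    struct job j = { mgr, guid, fix_tls, -2 };
    pthread_t t;
    if (pthread_create(&t, NULL, thread_entry, &j) != 0) return -2;
    pthread_join(t, NULL);
    return j.result;
}

int main(void) {
    /* The client's own thread already has its slot set up. */
    tls_cur_mgr = &g_mgr;
    printf("own thread:        %d\n", select_unit(0x1111));
    /* A new thread does not inherit it... */
    printf("new thread, raw:   %d\n", run_on_new_thread(&g_mgr, 0x2222, 0));
    /* ...until the stub sets it before the call. */
    printf("new thread, fixed: %d (selected guid %llx)\n",
           run_on_new_thread(&g_mgr, 0x3333, 1),
           (unsigned long long)g_mgr.selected_guid);
    return 0;
}
```

The practical consequence is that the value to copy into the new thread's slot has to be read from a thread that already has it (the client's main thread), so the injected stub needs that pointer handed to it as an argument rather than hoping the slot is populated.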
@Shynd: oh well, hehe
There are plenty of useful, interesting functions that can be run using this method, and it is something I have been looking into a little bit. As you have suggested, this might be a better method than moving the mouse to target/attack/loot, if for no other reason than it's easier, hehe. I dunno if you downloaded or looked at my tool for injecting code, assembled on the fly using NASM, into Wow, but it is quite useful for testing these functions. Easier than opcodes in a byte array, anyway.
Yeah, I had that thought earlier today and have decided to figure out how to use it maybe later today, maybe tomorrow, for whenever I find anything else I want to use.
06-28-2008
Great post Shynd.. I've been looking up this stuff for the past few days, trying to get my head around some of it (it's been a number of years since I've used C++ and had to deal with anything more complex than relational databases) - I was in the process of attempting to translate Kynox's library to C# when I stumbled across this thread, glad to see someone had done the work for me!
Just wanted to make a post in here and let you all know that I'm leeching for the time being, but I appreciate your work and I hope to be able to contribute in the future - By the way, I don't see a very comprehensive list of offsets and locations anywhere on here. I see threads with bits and pieces of stuff here and there (a lot of it out of date), or am I missing something?
Perhaps I'll make a post with offsets here in the near future. You're definitely right, that kind of thing isn't really made terribly clear at the moment.
As promised: [link], and with only 5 minutes left in the day, EST! After promising to post about it today, I sure did cut it close.