WoW Memory Editing
WoW Memory Editing for learning purposes only.
07-23-2009
[3.1.3] AUTOIT - Teleport Mining/Herbalism BOT
I was searching this forum like crazy for two days and this is the outcome.
Shows how to use DoString and GetLocalizedText from autoit.
Code:
; (x) Z0MBiE '09
; WOW TELEPORT MINING/HERBALISM BOT
#include <Asm.au3>
#include <Misc.au3>
#include <Array.au3>
#include <Memory.au3>
#include <_Distorm.au3>
#include <NomadMemory.au3>
#requireadmin
;
; WOW 3.1.3 MEMORY OFFSET CONSTANTS
;
Global Const $PLAYER_BASE = 0x010BD5F4
Global Const $PLAYER_BPTR1 = 0x34
Global Const $PLAYER_BPTR2 = 0x24
Global Const $PLAYER_MAPID = 0x00A1E77C
Global Const $Lua_Dostring = 0x0049AAB0
Global Const $GetLocalizedText = 0x005A82F0
Global Const $pX = 0x798
Global Const $pY = 0x79C
Global Const $pZ = 0x7A0
Global Const $pR = 0x7A8
; Setting privilege
SetPrivilege( "SeDebugPrivilege", 1 )
; Open wow process to hook endscene
$wow = _MemoryOpen(WinGetProcess("World of Warcraft"))
; Makes sure WoW is open
If @error == 1 then
MsgBox( 0x1010, "Error", "World of Warcraft Process not found!")
Exit
EndIf
; Gets player base address
$base = _MemoryRead("0x" & hex($PLAYER_BASE), $wow, "dword")
$base_2 = _MemoryRead("0x" & hex($base + $PLAYER_BPTR1), $wow, "dword")
$base_3 = _MemoryRead("0x" & hex($base_2 + $PLAYER_BPTR2), $wow, "dword")
if $base_3 = 0 Then
MsgBox( 0x1010, "Error", "Login to your World of Warcraft account first!")
Exit
endif
; get address of EndScene
$pDevice = _MemoryRead("0x" & hex(0x0113C290), $wow, "dword")
$pEnd = _MemoryRead("0x" & hex($pDevice + 0x38A8), $wow, "dword")
$pScene = _MemoryRead("0x" & hex($pEnd), $wow, "dword")
$pEndScene = _MemoryRead("0x" & hex($pScene + 0xA8), $wow, "dword")
; allocate memory to store injected code
Global $injected_code = _MemVirtualAllocEx( $wow[1], 0, 2048, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE )
; Generate the STUB to be injected
$Asm = AsmInit()
AsmReset($Asm)
; save regs
AsmAdd($Asm, "pushad")
AsmAdd($Asm, "pushfd")
; check if theres something to be run
AsmAdd($Asm, "mov esi, " & hex( $injected_code + 256 ) & "h")
AsmAdd($Asm, "cmp dword [esi], 0" )
AsmAdd($Asm, "jz $+73" ) ; label exit:
; UpdateCurMgr
AsmAdd($Asm, "mov edx, [" & hex(0x01139f80) & "h]")
AsmAdd($Asm, "mov edx, [ edx + " & hex( 0x2C34 ) & "h]")
AsmAdd($Asm, "mov eax, fs:[2Ch]")
AsmAdd($Asm, "mov eax, [eax]")
AsmAdd($Asm, "add eax, 0x10")
AsmAdd($Asm, "mov [eax], edx")
; DoString
AsmAdd($Asm, "mov esi, " & hex( $injected_code + 1024 ) & "h")
AsmAdd($Asm, "push 0" )
AsmAdd($Asm, "push esi" )
AsmAdd($Asm, "push esi" )
AsmAdd($Asm, "mov eax, " & hex( $Lua_Dostring ) & "h" )
AsmAdd($Asm, "call eax" )
AsmAdd($Asm, "add esp, 0Ch" )
; check if theres something to be returned on
AsmAdd($Asm, "mov esi, " & hex( $injected_code + 512 ) & "h")
AsmAdd($Asm, "cmp dword [esi], 0" )
AsmAdd($Asm, "jz $+2D" ) ; label exit:
; GetLocalizedText
AsmAdd($Asm, "mov ecx, " & hex( $base_3 ) & "h") ; must be made dynamic
AsmAdd($Asm, "push -1")
AsmAdd($Asm, "push esi")
AsmAdd($Asm, "mov eax, " & hex( $GetLocalizedText ) & "h" )
AsmAdd($Asm, "call eax")
AsmAdd($Asm, "cmp eax, 0" )
AsmAdd($Asm, "jz $+11" ) ; label exit:
; copy return string
AsmAdd($Asm, "mov esi, eax")
AsmAdd($Asm, "mov edi, " & hex( $injected_code + 768 ) & "h")
AsmAdd($Asm, "copy:")
AsmAdd($Asm, "lodsb")
AsmAdd($Asm, "stosb")
AsmAdd($Asm, "cmp al, 0")
AsmAdd($Asm, "jnz @copy")
; clean state busy flag
AsmAdd($Asm, "exit:")
AsmAdd($Asm, "xor eax, eax")
AsmAdd($Asm, "mov edi, " & hex( $injected_code + 256 ) & "h")
AsmAdd($Asm, "stosd")
AsmAdd($Asm, "mov edi, " & hex( $injected_code + 512 ) & "h")
AsmAdd($Asm, "stosd")
; restore regs
AsmAdd($Asm, "popfd")
AsmAdd($Asm, "popad")
; copy injected code
_MemoryWrite( "0x" & hex( $injected_code ), $wow, AsmGetBinary($Asm), "byte[" & $Asm[2] & "]" )
; create hook jump
$jmpto = AsmInit()
AsmReset( $jmpto )
AsmAdd( $jmpto, "push " & hex( $injected_code ) & "h" )
AsmAdd( $jmpto, "ret")
AsmAdd( $jmpto, "nop")
; save original instructions
$orig = _MemoryRead( "0x" & hex($pEndScene), $wow, "byte[64]" )
_MemoryWrite( "0x" & hex($injected_code + $Asm[2]), $wow, $orig, "byte[64]" )
; autoit is garbage
$orig_ptr = DllStructCreate("byte[64]")
DllStructSetData( $orig_ptr, 1, $orig )
; disasm original bytes
$DecodeArray = DllStructCreate("byte[" & $sizeofDecodedInst * 64 & "]")
$ret = distorm_decode(0, DllStructGetPtr($orig_ptr), 64, $Decode32Bits, DllStructGetPtr($DecodeArray), 64)
; parse until we can jump back
$sumsize = 0
If $ret[0] == $DECRES_SUCCESS Then
For $i = 0 To $ret[1] ; number of decoded instructions
; get size of 1 instruction
$instr = DllStructCreate($tagDecodedInst, DllStructGetPtr($DecodeArray) + ($i * $sizeofDecodedInst))
$sumsize += DllStructGetData($instr, "size")
; check if we copied enough instructions
if $sumsize >= $jmpto[2] Then
; create jump back stub
$jmpback = AsmInit()
AsmReset( $jmpback )
AsmAdd( $jmpback, "push " & hex($pEndScene + $sumsize) & "h" )
AsmAdd( $jmpback, "ret")
AsmAdd( $jmpback, "nop")
; write jump back
_MemoryWrite( "0x" & hex($injected_code + $Asm[2] + $sumsize), $wow, AsmGetBinary($jmpback), "byte[" & $jmpback[2] & "]" )
ExitLoop
Endif
Next
Endif
; write jump hook
_MemoryWrite( "0x" & hex($pEndScene), $wow, AsmGetBinary($jmpto), "byte[" & $jmpto[2] & "]" )
; close memory wow
_MemoryClose( $wow )
; set use hotkeys
HotKeySet("{MEDIA_PLAY_PAUSE}", "SaveWay")
HotKeySet("{VOLUME_MUTE}", "WalkWay")
HotKeySet("{MEDIA_STOP}", "ExitWay")
; cuz once there was man and for a time it was good.
Sleep( 666 * 60 * 1000 )
Exit
;
; Execute Lua code in WOW main thread
;
Func WowLuaDoString( $wow, $desc, $cmd )
_MemoryWrite( "0x" & hex($injected_code + 512), $wow, $desc, "char[" & StringLen( $desc )+1 & "]" )
_MemoryWrite( "0x" & hex($injected_code + 1024), $wow, $cmd, "char[" & StringLen( $cmd )+1 & "]" )
; change status
$stat = 1
_MemoryWrite( "0x" & hex($injected_code + 256), $wow, $stat, "dword" )
; wait execution
do
Sleep( 5 )
$stat = _MemoryRead( "0x" & hex($injected_code + 256), $wow, "dword" )
Until $stat = 0
; read answer
$ret = _MemoryRead( "0x" & hex($injected_code + 768), $wow, "char[256]" )
Return $ret
EndFunc
Func ExitWay()
Exit
EndFunc
Func WalkWay()
; check if wow is foreground
If not WinActive("World of Warcraft") Then
MsgBox( 0x1010, "Error", "World of Warcraft window is not foreground!" )
Return
Endif
; Opens WoW process for memory reading/editing.
$wow = _memoryopen(WinGetProcess("World of Warcraft"))
; Makes sure WoW is open - if not, you get an error message.
If @error == 1 then
MsgBox( 0x1010, "Error", "World of Warcraft Process not found!")
Return
EndIf
; Gets base addresses.
$base = _MemoryRead("0x" & hex($PLAYER_BASE), $wow, "uint")
$base_2 = _MemoryRead("0x" & hex($base + $PLAYER_BPTR1), $wow, "uint")
$base_3 = _MemoryRead("0x" & hex($base_2 + $PLAYER_BPTR2), $wow, "uint")
; read map id
$curMapId = _MemoryRead("0x" & hex($PLAYER_MAPID), $wow, "dword")
; build ini path
$IniFile = @SCRIPTDIR & '\TeleHack.ini'
; read count of entries in ini file
$count = IniRead($IniFile, 'General', 'Count', '0')
; tele the list
For $i = 0 to $count
; check if bot is on the same map of the waypoint
$bot_mapid = IniRead ( $IniFile, 'Location' & $i, 'p_mapid', '0' )
if $bot_mapid <> $curMapId Then
ContinueLoop
endif
; get x, y, z, mouse_x, mouse_y and rotation
$bot_x = IniRead($IniFile, 'Location' & $i, 'p_x', "0")
$bot_y = IniRead($IniFile, 'Location' & $i, 'p_y', "0")
$bot_z = IniRead($IniFile, 'Location' & $i, 'p_z', "0")
$bot_r = IniRead($IniFile, 'Location' & $i, 'p_r', "0")
$bot_mx = IniRead($IniFile, 'Location' & $i, 'm_x', "0")
$bot_my = IniRead($IniFile, 'Location' & $i, 'm_y', "0")
; if couldnt read
if $bot_x = 0 or $bot_y = 0 or $bot_z = 0 then
ContinueLoop
endif
; wait if user suspended
while not WinActive("World of Warcraft")
Sleep( 5000 );
Wend
; use the sharingan
_MemoryWrite("0x" & hex($base_3 + $pX), $wow, $bot_x, 'float')
_MemoryWrite("0x" & hex($base_3 + $pY), $wow, $bot_y, 'float')
_MemoryWrite("0x" & hex($base_3 + $pZ), $wow, $bot_z, 'float') ; -2.0
_MemoryWrite("0x" & hex($base_3 + $pR), $wow, $bot_r, 'float')
; reappear
Send( 'w' )
Sleep( 250 )
Send( 's' )
; set mouse base loot point
MouseMove( $bot_mx, $bot_my )
Sleep( 2000 )
; check if mouse is pointing at something
$n_name = WowLuaDoString( $wow, "ptext", "ptext = getglobal(""GameTooltipTextLeft1""):GetText();" )
; clockwise spiral search
$found = false
if StringLen($n_name) = 0 Then
For $k = 1 To 10 step 0.1
$X = $bot_mx + Cos( $k * 2 * 3.14 * 0.95 ) * ( 95 ^ ($k/10) )
$Y = $bot_my + Sin( $k * 2 * 3.14 * 0.95 ) * ( 95 ^ ($k/10) )
MouseMove( $X, $Y )
Sleep( 5 )
$n_name = WowLuaDoString( $wow, "ptext", "ptext = getglobal(""GameTooltipTextLeft1""):GetText();" )
if StringLen($n_name) <> 0 then
$bot_mx = $X
$bot_my = $Y
$found = true
ExitLoop
endif
Next
Else
$found = true
Endif
;
; loot and optimize bags
;
if $found = true then
; update location so its gonna be easier to find Next
IniWrite( $IniFile, 'Location' & $i, 'm_x', $bot_mx )
IniWrite( $IniFile, 'Location' & $i, 'm_y', $bot_my )
; send shift+click to mine
Send('{SHIFTDOWN}')
MouseClick( 'right', $bot_mx, $bot_my, 1 )
Send('{SHIFTUP}')
; warn user
WowLuaDoString( $wow, "", "DEFAULT_CHAT_FRAME:AddMessage(""NODE: " & $i & """, 1, 0, 0);")
; stack all Crystallized
Dim $stack_names[5] = [ "Crystallized Shadow", "Crystallized Earth", "Crystallized Water", "Crystallized Fire", "Crystallized Air" ]
For $k = 0 to Ubound( $stack_names ) - 1
WowLuaDoString( $wow, "", "for bag = 0,4 do for slot = 1,GetContainerNumSlots(bag) do local item = GetContainerItemLink(bag,slot); if item and item:find(""" & $stack_names[ $k ] & """) then UseContainerItem(bag,slot); end; end; end;" )
Next
; wait loot
Sleep( 7000 )
Else
; log how many times we couldnt find
$nfc = IniRead($IniFile, 'Location' & $i, 'nfc', '0')
IniWrite($IniFile, 'Location' & $i, 'nfc', $nfc + 1 )
EndIf
Next
; close wow process
_MemoryClose( $wow )
; wait 1 minute
Sleep( 1 * 60 * 1000 )
; and repeat
WalkWay()
EndFunc
;
; SAVES A WAYPOINT FOR LATER TELEPORT
;
Func SaveWay()
; check if wow is foreground
If not WinActive("World of Warcraft") Then
MsgBox( 0x1010, "Error", "World of Warcraft window is not foreground!" )
Return
Endif
; opens WoW process for memory reading/editing.
$wow = _memoryopen(WinGetProcess("World of Warcraft"))
; Makes sure WoW is open - if not, you get an error message.
If @error = 1 then
MsgBox( 0x1010, "Error", "World of Warcraft process is not found!" )
Return
EndIf
; check if the user is really pointing at something
$n_name = WowLuaDoString( $wow, "ptext", "ptext = getglobal(""GameTooltipTextLeft1""):GetText();" )
If StringLen($n_name) = 0 then
WowLuaDoString( $wow, "", "DEFAULT_CHAT_FRAME:AddMessage(""ERROR: You must point at something !!!"", 1, 0, 0);")
_MemoryClose( $wow )
Return
EndIf
; Gets base addresses.
$base = _MemoryRead("0x" & hex($PLAYER_BASE), $wow, "uint")
$base_2 = _MemoryRead("0x" & hex($base + $PLAYER_BPTR1), $wow, "uint")
$base_3 = _MemoryRead("0x" & hex($base_2 + $PLAYER_BPTR2), $wow, "uint")
; Get mapid, x, y, z and rotation
$curMapId = _MemoryRead("0x" & hex($PLAYER_MAPID), $wow, "dword")
$curX = _MemoryRead("0x" & hex($base_3 + $pX), $wow, "float")
$curY = _MemoryRead("0x" & hex($base_3 + $pY), $wow, "float")
$curZ = _MemoryRead("0x" & hex($base_3 + $pZ), $wow, "float")
$curR = _MemoryRead("0x" & hex($base_3 + $pR), $wow, "float")
; Get mouse position
$mpos = MouseGetPos()
; Build path to Inifile
$IniFile = @SCRIPTDIR & '\TeleHack.ini'
; Get current number of entries in file
$count = IniRead($IniFile, 'General', 'Count', '-1') + 1
; and add another
IniWrite( $IniFile, 'General', 'Count', $count )
; save new entries
IniWrite( $IniFile, 'Location' & $count, 'p_x', $curX )
IniWrite( $IniFile, 'Location' & $count, 'p_y', $curY )
IniWrite( $IniFile, 'Location' & $count, 'p_z', $curZ )
IniWrite( $IniFile, 'Location' & $count, 'p_r', $curR )
IniWrite( $IniFile, 'Location' & $count, 'p_mapid', $curMapId )
IniWrite( $IniFile, 'Location' & $count, 'm_x', $mpos[0] )
IniWrite( $IniFile, 'Location' & $count, 'm_y', $mpos[1] )
IniWrite( $IniFile, 'Location' & $count, 'n_name', $n_name )
; alert the user
WowLuaDoString( $wow, "", "DEFAULT_CHAT_FRAME:AddMessage(""SUCCESS: Added Waypoint !!!"", 0, 0, 1);" )
; Loot something - shift+click
Send('{SHIFTDOWN}')
MouseClick( 'right', $mpos[0], $mpos[1], 1 )
Send('{SHIFTUP}')
; close process
_MemoryClose( $wow )
EndFunc
byez,
z
Last edited by satia; 07-23-2009 at 01:51 AM.
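From the defender's side, the hook installed by the script above (the `$jmpto` stub: `push <address>`, `ret`, `nop`, written over the start of EndScene) shows up as a changed function prologue. The following is an added example, not part of the original post: it compares the live entry bytes with a reference copy and decodes the redirect. All addresses and byte strings are constructed, and the function names are hypothetical.

```python
import struct

def decode_entry_redirect(code: bytes, va: int):
    """Return (kind, target) if `code` begins with a control transfer
    typical of an inline hook, otherwise None."""
    # push imm32 ; ret  ->  68 <imm32> C3  (the form of the posted $jmpto stub)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return ("push-ret", struct.unpack_from("<I", code, 1)[0])
    # jmp rel32  ->  E9 <rel32>, relative to the next instruction
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp-rel32", (va + 5 + rel) & 0xFFFFFFFF)
    return None

def check_function_entry(live: bytes, reference: bytes, va: int,
                         mod_base: int, mod_size: int):
    """Compare live entry bytes with a known-good copy (for example the
    same bytes taken from the module file on disk) and report findings."""
    findings = []
    n = min(len(live), len(reference))
    diff = [i for i in range(n) if live[i] != reference[i]]
    if diff:
        findings.append(f"entry bytes modified at offsets {diff[0]}..{diff[-1]}")
    redirect = decode_entry_redirect(live, va)
    if redirect:
        kind, target = redirect
        # A redirect that leaves the owning module is the interesting case.
        if not (mod_base <= target < mod_base + mod_size):
            findings.append(f"{kind} redirect to 0x{target:08X} outside owning module")
    return findings

# Constructed sample data (assumptions, not values from the post).
FUNC_VA = 0x6F9C1000            # hypothetical address of the hooked function
MOD_BASE, MOD_SIZE = 0x6F990000, 0x001C0000
REFERENCE = bytes.fromhex("8bff558bec6aff6810203040")   # constructed clean prologue
# push 0x0B5A0000 ; ret ; nop, followed by the untouched remainder
LIVE = bytes.fromhex("6800005a0bc390") + REFERENCE[7:]

if __name__ == "__main__":
    for line in check_function_entry(LIVE, REFERENCE, FUNC_VA, MOD_BASE, MOD_SIZE):
        print(line)
```

Legitimate overlay software also patches this entry, so a redirect outside the module is a lead to resolve against the list of loaded modules rather than a verdict on its own.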
07-23-2009
Just to make this clear,
this thread's title is just about the scariest thing evar.
07-23-2009
lol, this bot is only for priv servers
Use this on retail if you want insta BAN.
07-23-2009
Wow, who knew a leecher (soon to be not) can be so contributive? +REP x2.
07-23-2009
Can anyone confirm this actually working on retail?
07-23-2009
Quote:
Originally Posted by Gili
Can anyone confirm this actually working on retail?

AGAIN, DON'T USE THIS ON RETAIL !
Teleport on retail = disconnect
This code is here for learning purposes only.
Last edited by satia; 07-23-2009 at 04:01 AM.
07-23-2009
Doesn't this belong somewhere else?
07-23-2009
Wasn't there a private server programs section? I think it should be moved to there :>
07-23-2009
Yep, this is great
A good way to use protected LUA commands; for any people wanting to develop an AutoIt bot this should be used at all costs!
07-23-2009
Awesome. Wrong section though. Never mind. It's still good.
07-23-2009
@ashleyww
i couldn't answer your pvt msg because my number of posted messages is below 10
but i can help you finding the nodes
did u already write something?
dealing with the object manager and doing radar stuff to find the nodes is easy.
are u using autoit?
why don't u simply set a file that will store the node locations and go walking to them? are u able to do smooth movement?
07-24-2009
Quote:
Originally Posted by satia
@ashleyww
i couldn't answer your pvt msg because my number of posted messages is below 10
but i can help you finding the nodes
did u already write something?
dealing with the object manager and doing radar stuff to find the nodes is easy.
are u using autoit?
why don't u simply set a file that will store the node locations and go walking to them? are u able to do smooth movement?

Don't bother helping ashleyww, he/she has no idea what they're doing. We're constantly inundated with incredibly beginner questions from him/her.
07-24-2009
Quote:
Originally Posted by Apoc
Don't bother helping ashleyww, he/she has no idea what they're doing. We're constantly inundated with incredibly beginner questions from him/her.

I lol'd :P
07-24-2009
Hi there) I'm writing a func to gather mine\herb. What flags tell us that an object is a mine or herb (mem reading)?
Code:
If $CurrentObjectType=5 Then
    $ptrF = _MemoryRead($CurrentObject+0x8,$handle,'ptr')
    $flag = _MemoryRead($ptrF + $GAMEOBJECT_FLAGS*4,$handle,'int')
    If $flag = "" Then ;mining
        $Gather=$CurrentObject
        Return 1
    EndIf
EndIf
GAMEOBJECT_FLAGS=0x9 gives 0 =\
07-24-2009
I would check the display id, since you'll probably want to do that later anyway. Each object type has a different offset for displayid, look it up in descriptors. The display id is the same one you see on wowhead after the wowhead.com/?object=XXXX. XXXX is the id in decimal.