[AH Bot] HappyAuction

[Dixi5Price]

One of the more badass AH bots around, if I only knew how to script the damn thing!

[Sehae]

We don't know anything for sure, regarding Chinese methods.

Cheers

[Exclide]

One of the more badass AH bots around, if I only knew how to script the damn thing!

Is this guy "stealth-spamming" us with a sniffer?

P.S. You guys should probably disable "show images" in your settings.
P.P.S. Btw, what do you think about the gold prices going up? What would be the cause?

[ChuiChu]

ChuiChu, please don't listen to these dissatisfied people, because HA is enough fast to snipe the best items.

I don't know what worth of item is good for you. If I can sell an item for 50-200EUR what I bought <100 million gold, I think it's a good deal. I don't know what are you doing or searching but I'm very happy with this bot.

If your computer or ISP is crap, please don't cry here.

My only problem is the bug with HA V52 because it buys items with wrong stats while V51 worked perfectly in this side.

Thank you ChuiChu, this bot is great and your work is simply wonderfull.

need details... also see new readme section :P

[code]BUG SUBMISSIONS
------------------------------------------------------------------------------
- If you find a bug PM me a small script AND/OR detailed steps+conditions that
reproduce the problem within a short time (under 10minutes).
- I cannot do anything with vague reports like 'hey chui HA crash wtfff?!!1'
- if you have xSetMouseLock(false) or VSYNC OFF don't bug me![/co

[quadfan75]

Hello,

how can I search for Example that Item?
haFilterUnique("Slorak's Madness")

Because I get a Lua Error in this Line because the ---> ' <--- is in the Name Slorak's Madness

[BlizzPaysMyBills]

Hello,

how can I search for Example that Item?
haFilterUnique("Slorak's Madness")

Because I get a Lua Error in this Line because the ---> ' <--- is in the Name Slorak's Madness

learn how to use special characters in lua script , google will help you for sure

[Orendy]

Can any1 share a script or just a basic script so i can make my own one?
Pm me here or post it here or contact me on skype: kanatixl
would greatly apprecaite that

[ChuiChu]

update to the cheatengine bnet sniffer for ingress(recv). few notes:

- the receive is not perfect for large messages. seems to cap off at 512 bytes and not sure where the rest is. but it gets the first 3 items of a search result.
- when you do a search d3 does the following:
1. client send request+filters to bnet
2. bnet reply basic search list result
3. client ask for details about search list
4. bnet reply with details (for each item i guess)
- if you want to make a fast snipe bot... intercept the OUT in #3 and replace with a buyout request... unless you need whatever is in #4.

anyway i'll let you guys take over from here




D3 Bnet Unencrypted Packet Sniffer v2


TUTORIAL
1. Have D3 running at the main lobby
2. Open CheatEngine ( Cheat Engine )
- 2.1. <File/Open Process/Diablo III.exe>
- 2.2. Hit [Memory View] button
- 2.3. <Tools/Lua Engine>
- 2.4. Pasted the code below into the lower section and hit [Execute]
- 2.5. uncheck: <view/show on print>
3. In D3 open chat window and say something.
- 3.1. You will see that packet in the CheatEngine LUA window.
- 3.2. Now explore the AH!

NOTES
- Bnet packets are split into multiple messages. These are seperated out by this sniffer
- Each message is displayed in character then byte format. Paste into a fixed width editor like notepad to see it aligned.
- Each message is in the format
id: 1 bytes
length: 1 or 2 bytes
content: <length> bytes
- If you guys find this useful I'll find the recv version next
- WARNING: Warden may detect this!


SNIFFER (CheatEngine LUA)

Code:

local _in_address = getAddress('battle.net.dll') + 0x158c02
local _out_address = getAddress('battle.net.dll') + 0x158c72

function _PrintPacket(packet)
    print('SIZE:' .. #packet .. '\n')

    local offset = 0

    while offset < (#packet - 2) do
        local length
        local p1, p2 = packet[offset + 2], packet[offset + 3]
        if p1 >= 0x80 then
             length = (p1 % 0x80) + (p2 * 0x80) + 3
        else
             length = p1 + 2
        end

        local bytes  = ''
        local chars = ''
        for i=1, length do
            local value = packet[offset+i] or 0 -- if this is nil the message length was read wrong
            bytes = bytes .. string.format('%0.2X ', value)
            if value >= 0x20 and value <= 0x7e then
                chars = chars .. string.format('%c  ', value)
            else
                chars = chars .. '.  '
            end
        end
        print(chars)
        print(bytes)

        offset = offset + length
    end

    print('')
end

function debugger_onBreakpoint()
	if EIP == _in_address then
		print('__ IN __')
		_PrintPacket(readBytes(EAX, readInteger(ESP-4), true))
		debug_continueFromBreakpoint(co_run)
		return 1
	end
	if EIP == _out_address then
		print('__ OUT __')
        _PrintPacket(readBytes(EBX, EDI, true))
        debug_continueFromBreakpoint(co_run)
        return 1
	end
end

debug_setBreakpoint(_in_address)
debug_setBreakpoint(_out_address)

DISCOVERY NOTES
- these are the steps I took to discover IN.
- sorry I didnt write it down for OUT but its fairly similar
- i have attached at the end the assembly + bytes surrounding both the IN and OUT address. the actually assembly should not change between patches, however the actual location will. you can use this to memsearch the new location between patches in a few seconds without having to rediscover everything frpm scratch

Code:

wireshark (to assist)
1. start capture
2. send some chat in d3/lobby/chat
3. note the "bnetgame" in captured info. use the source ip to add a source filter. example: ip.src == 1.2.3.4

cheat engine
1. memory view -> assembly view (top panel) -> right click -> goto address:WS2_32.WSARecv
2. f5 to set breakpoint
3. send some chat in d3/lobby/chat to trigger
4. step out (shift+f8). set another breakpoint 1 line above. this should be the actual call to ws2_32.WSARecv by battle.net.dll.
5. remove old breakpoint (view/breakpoint list/right click/remove).
6. repeat #3 to trigger new breakpoint
7. in data view (bottom panel) rclick/goto address/[ecx+4]. this is param2 of WSARecv at WSABUF.buf. (see http://msdn.microsoft.com/en-us/library/windows/desktop/ms741688(v=vs.85).aspx ).
	NOTE: [ecx+4] is buggy for me with latest cheat engine. instead i goto:ecx+4 then goto the value (display type/4byte hex) you see
8. step over your break point (allow wsarecv to complete/return) and you should see the data change to match that of the same packet recieved in wireshark. this is encrypted data.
9. in data view right click first byte/data breakpoint/break on access
10. run (f9) until data breakpoint hit.
11. step repeatedly (hold f8) and you will see the encrypted data being decrypted. step out (shift+f8) and it will be all decrypted.
12. this is the address you want. EAX points to the data. [ESP-4] contains the length.

OUT: battle.net.dll+158c72

Code:

battle.net.dll+158C62 - 74 44                 - je battle.net.dll+158CA8
battle.net.dll+158C64 - 8B 7D 08              - mov edi,[ebp+08]
battle.net.dll+158C67 - 8B 5D 0C              - mov ebx,[ebp+0C]
battle.net.dll+158C6A - 8B 8E CC010000        - mov ecx,[esi+000001CC]
battle.net.dll+158C70 - 57                    - push edi
battle.net.dll+158C71 - 53                    - push ebx
>>>> battle.net.dll+158C72 - E8 29D82200      - call battle.net.dll+3864A0
battle.net.dll+158C77 - 83 7E 60 00           - cmp dword ptr [esi+60],00
battle.net.dll+158C7B - 75 18                 - jne battle.net.dll+158C95
battle.net.dll+158C7D - 68 A6000000           - push 000000A6
battle.net.dll+158C82 - 68 80B83659           - push battle.net.dll+55B880
battle.net.dll+158C87 - 68 F0AA3659           - push battle.net.dll+55AAF0
battle.net.dll+158C8C - FF 15 48463659        - call dword ptr [battle.net.dll+554648]
battle.net.dll+158C92 - 83 C4 0C              - add esp,0C

IN: battle.net.dll+158c02

Code:

battle.net.dll+158BF6 - 74 0A                 - je battle.net.dll+158C02
battle.net.dll+158BF8 - 8B 57 08              - mov edx,[edi+08]
battle.net.dll+158BFB - 52                    - push edx
battle.net.dll+158BFC - 53                    - push ebx
battle.net.dll+158BFD - E8 9ED82200           - call battle.net.dll+3864A0
>>>> battle.net.dll+158C02 - 8B C7            - mov eax,edi
battle.net.dll+158C04 - 5F                    - pop edi
battle.net.dll+158C05 - 5E                    - pop esi
battle.net.dll+158C06 - 5B                    - pop ebx
battle.net.dll+158C07 - 5D                    - pop ebp
battle.net.dll+158C08 - C2 1000               - ret 0010

[RodeoRaider]

Thanks for the work Chuichu! This is absolutely FANTASTIC!

[BlizzPaysMyBills]

so if someone has 3x lower ping than someone else he is still unbeatable even with this , cool ... so no way to be outsniped by chinese, it is from the same side of the world

[Orendy]

LF tutor for gold making

[Sehae]

Anyone using just HA having a major reduction in success rate these last 1-2 weeks? Because it is indeed severe, as if there is a new public bot...?

[Zoort]

Im encountering a wierd problem. my Scripts run fine however xBuyout() always fails even the sample included does not work for me.
Same thing happens on xBid on every sample script i tested. Vsync is turned on 800x600 windowed everything else reseted to default.

not sure whats going on. Alright managed to get the samples to work. However the following seems to be messed up:

function Test()

buyout = 100000
if buyout <= 0 then
xMessage('Set some filters and a low buyout')
else
while true do
-- update buyout with randomize
xSetBuyout(buyout, true)

-- search and buyout first item
if xSearch() then
-- do buyout
xBuyout(1)
end
end
end
end


function Money()
xConsole()
while true do
if xGetAccount () == 'xxx' then
--Skorn()
--ImmortalKingsIrons()
Test()
end

hmpf it used to be possible to call functions within the mainloop and have them buyout sucessfully. i guess something is messed up there. do i really have to work soley with the main function? would take away alot of flexibility...

Geez no that cant be it either. Just tested with a sample and no problems there.. i have absolutely no clue where the problem is

function ImmortalKingsEternalReignT()
local buyOut = 5000000
if xSetUnique('Immortal King\'s Eternal Reign',2) and xSetStat(1,'Strength',177) and xSetStat(2,'Vitality',90) and xSetBuyout(buyOut,true) then
if xSearch() then
if not test then
if xBuyout(1) then
print('buyout successful') else
print('something went wrong')
end
else
xMessage('test')
end
end
end
end

xBuyout in that function on the other hand always returns zero

[Exclide]

Anyone using just HA having a major reduction in success rate these last 1-2 weeks? Because it is indeed severe, as if there is a new public bot...?

By success rate do you mean the lack of failed transactions or just the amount of items bought? I've been botting just for a week so I can't tell if there was a reduction, but I think it could be explained with many people leaving due to the addon announcement thus devaluation of the farming and the items. Also, it seems that recently a lot of chinese farming bots got banned, so this should count too.

[BlizzPaysMyBills]

some bots banned = not so many items ... because the only one stupid enough to post underpriced items on AH in large amounts and still playing are the chinese botters imo

but it is always better when they resurerct their farms after a few days