[Help] Movement

Results 1 to 15 of 19
  1. #1
    cenron's Avatar Member

    [Help] Movement

    Ok I got all the pieces I need to be able to follow something but I don't know the math behind doing it.


    I was reading Movement « Shynd’s WoW Modification Journal and he has some nice tips in there, but my problem is that, for whatever reason, it's not very accurate, and if the WoW window has focus my program stops doing the corrections. Sometimes it will run past the person; other times it will spin around in a circle around him until I give my program focus.

    I am using PostMessage() to send the commands.

    Here is the code I got so far. I am just learning how to interact with WoW right now, so the code might be a little messy...

    Code:
    while(true){
        Sleep(60);

        dwObjMgr = GetObjManager(dwPid);

        if(!dwObjMgr) { printf("Waiting to attach..."); continue; }

        ReadProcessMemory( hProcess, (LPVOID)(dwObjMgr + 0xC0), (LPVOID)&PlayerGUID, 8, &dwReadBytes );
        dwPlayerObj = GetObjectByGUID(hProcess,dwObjMgr,PlayerGUID);

        ReadProcessMemory(hProcess,(LPVOID)(dwPlayerObj + 0x120), (LPVOID)&temp,4,&dwReadBytes);
        ReadProcessMemory(hProcess,(LPVOID)(temp + 0x28), (LPVOID)&TargetGUID,8,&dwReadBytes);
        dwTargetObj = GetObjectByGUID(hProcess,dwObjMgr,TargetGUID);

        ReadProcessMemory( hProcess, (LPVOID)(dwObjMgr + 0xAC), (LPVOID)&dwCurObj, 4, &dwReadBytes );

        dwNextObj = dwCurObj;

        memset(&pPS,0,sizeof(Unit_Info));
        memset(&tTarget,0,sizeof(Mob_Info));
        ReadProcessMemory( hProcess, (LPVOID)(dwPlayerObj), (LPVOID)&pPS, sizeof(Unit_Info), &dwReadBytes );
        ReadProcessMemory( hProcess, (LPVOID)(dwTargetObj), (LPVOID)&tTarget, sizeof(Mob_Info), &dwReadBytes );

        //if we've found our target id, walk to it!
        if (dwTargetObj)
        {
            float dist = (float)GetDistance(pPS.x,pPS.y,tTarget.x,tTarget.y);
            float rotate = (float)atan2((tTarget.y - pPS.y),(tTarget.x - pPS.x));

            if(rotate < 0)
                rotate +=(float)(PI * 2);

            //printf("Distance: %f\nFacing: %f\n",dis,rotate);

            if(pPS.h < ( rotate + turnaccuracy) && pPS.h > ( rotate - turnaccuracy )) {

                if (isTurning)
                {
                    isTurning = false;
                    ArrowKeyUp(hWoW, turnkey);
                }

                //if we're close to the target
                if (dist < walkaccuracy)
                {
                    //if we're walking, stop walking
                    if (isWalking)
                    {
                        ArrowKeyUp(hWoW, UP);
                        isWalking = false;
                    }
                }

                //we're not close, so we're walking
                isWalking = true;
                //hold down the up button
                ArrowKeyDown(hWoW, UP);

            } else {

                //if we're already turning, no need to turn again
                //if (isTurning)        //no need to have this enabled
                //    break;            //while debugging

                //we're turning
                isTurning = true;

                //variable definition
                double r, l;

                //if our current facing angle, in radians, is greater than
                //the angle which we desire to face
                if (pPS.h > rotate)
                {
                    //we'd have to turn past North if we're turning left
                    l = ((2 * PI) - pPS.h) + rotate;
                    //we don't have to turn past North if we're turning right
                    r = pPS.h - rotate;
                }
                else
                {
                    //we don't have to turn past North if we're turning left
                    l = rotate - pPS.h;
                    //we have to turn past North if we're turning right
                    r = pPS.h + ((2 * PI) - rotate);
                }

                //let's please turn in the direction where we have to spend
                //the least amount of time turning
                if (l < r)
                    turnkey = LEFT;
                else
                    turnkey = RIGHT;

                //hold down the arrow key in the direction we've determined
                //we should be turning
                ArrowKeyDown(hWoW, turnkey);
            }
        }

        //printf("Player Obj: 0x%X\n",dwPlayerObj);
        //printf("Target Obj: 0x%X\n",dwTargetObj);
        //printf("Target GUID: 0x%X\n\n",TargetGUID);
        //printf("Player Info:\nX: %f, Y: %f, Z: %f - Facing: %f\nHealth: %d of %d\nRage: %d of %d\n\n",pPS.x,pPS.y,pPS.z,pPS.h,pPS.HP,pPS.max_health,pPS.rage,pPS.max_rage);
        //printf("TargetInfo:\nX: %f, Y: %f, Z: %f - Facing: %f\nHealth: %d of %d\n\n\n",tTarget.x,tTarget.y,tTarget.z,tTarget.h,tTarget.HP,tTarget.max_health);
        //Sleep(1000);
        //system("cls");
    }
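
The facing test in the loop above compares raw angles in [0, 2π), so it misses headings that lie just across the point where the value wraps from 2π back to 0. The C code below is an added example, not part of the original post: it does the same comparison on the signed shortest rotation instead. The function names, the `decide` policy and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define PI     3.14159265358979323846
#define TWO_PI (2.0 * PI)

enum action { ACT_STOP, ACT_FORWARD, ACT_TURN_LEFT, ACT_TURN_RIGHT };

/* Signed shortest rotation from `facing` to `desired`, both in radians.
 * The result lies in (-PI, PI]; positive means the facing value must
 * increase, which is the direction the post's code maps to LEFT. */
double turn_delta(double facing, double desired)
{
    double d = desired - facing;
    while (d > PI)   d -= TWO_PI;
    while (d <= -PI) d += TWO_PI;
    return d;
}

/* Wrap-safe "am I facing it?" test. */
bool facing_within(double facing, double desired, double tol)
{
    double d = turn_delta(facing, desired);
    return (d < 0 ? -d : d) < tol;
}

/* The window test as written in the post, kept for comparison. It misses
 * headings on the far side of the 0 / 2*PI seam. */
bool naive_within(double facing, double desired, double tol)
{
    return facing < desired + tol && facing > desired - tol;
}

/* One decision per poll: stop when close, walk when aligned, else turn
 * in the shorter direction. */
enum action decide(double facing, double desired, double dist,
                   double turn_tol, double stop_dist)
{
    if (dist < stop_dist)
        return ACT_STOP;
    if (facing_within(facing, desired, turn_tol))
        return ACT_FORWARD;
    return turn_delta(facing, desired) > 0 ? ACT_TURN_LEFT : ACT_TURN_RIGHT;
}

int main(void)
{
    /* Constructed sample: bearing just below 2*PI, facing just above 0. */
    double facing = 0.05, desired = 6.25, tol = 0.2;
    printf("delta=%.4f naive=%d wrapped=%d action=%d\n",
           turn_delta(facing, desired),
           naive_within(facing, desired, tol),
           facing_within(facing, desired, tol),
           decide(facing, desired, 10.0, tol, 3.0));
    return 0;
}
```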

  2. #2
    Nesox's Avatar ★ Elder ★
    Actually you can overwrite the Facing value and your char will turn 100% accurately and instantly, although you have to be standing still for it to work. Otherwise you can use WoW's CInputControl to make your char move, although I don't really know how to call it.
    BTW, I released my fishbot if you want to try it.

  3. #3
    Cypher's Avatar Kynox's Sister's Pimp
    Christ that's ugly. I'd use CInputControl if I were you. I posted a thread with information on it.

  4. #4
    cenron's Avatar Member
    Originally Posted by Cypher View Post
    Christ that's ugly. I'd use CInputControl if I were you. I posted a thread with information on it.
    I KNOW! I am so embarrassed lol. I have been coding forever and this is a totally new concept to me, so I'll try to tighten up my code more as I understand the concept more.

    That's a cool idea on the CInputControl, but correct me if I am wrong, aren't you overwriting memory in WoW? Would that be EZ to detect? I really don't want my bot to be that aggressive. The other part of it is, I have no idea how to implement that into an out-of-process program; I'm relatively new to this whole memory modification thing.

    Is there a way to do this without having to overwrite the memory addresses?

    EDIT: I tried moving the char 0.136f and I kept getting dc'ed; even at 0.1f I got kicked.
    Last edited by cenron; 10-07-2008 at 01:03 AM.

  5. #5
    Nesox's Avatar ★ Elder ★
    Try making a wrapper for ReadProcessMemory/WriteProcessMemory with different return types etc. and your code would be a lot "cleaner". Maybe some other classes for getting pointers to the ObjectManager, etc...

    Good luck

  6. #6
    Cypher's Avatar Kynox's Sister's Pimp
    No you're not overwriting memory, you're just "hijacking" a class and calling its functions.

    Either way, as long as you don't overwrite any of the offsets on the page I linked below you'll be fine.
    Warden - WoW.Dev Wiki

    Warden doesn't do a stack trace so you're safe to call functions.

    To implement into an out-of-process program, you want to inject code to call the functions then create a thread for it.

    PS. You're not using it for nudge hacks like my thread is explaining, you want to use it to move. Check the SetFlags or w/e it's called function and pass it the forward/back values instead.

  7. #7
    cenron's Avatar Member
    Originally Posted by Cypher View Post
    No you're not overwriting memory, you're just "hijacking" a class and calling its functions.

    Either way, as long as you don't overwrite any of the offsets on the page I linked below you'll be fine.
    Warden - WoW.Dev Wiki

    Warden doesn't do a stack trace so you're safe to call functions.

    To implement into an out-of-process program, you want to inject code to call the functions then create a thread for it.

    PS. You're not using it for nudge hacks like my thread is explaining, you want to use it to move. Check the SetFlags or w/e it's called function and pass it the forward/back values instead.
    When you say inject code and make a thread are you talking about

    Code:
    VirtualAllocEx(blah...);
    Then write the info to the allocated area then

    Code:
    CreateRemoteThread();
    Is that what you mean? I used to do that all the time back in the day. Is that really still not detected? I read somewhere that WoW hooks CreateRemoteThread();

  8. #8
    Shynd's Avatar Contributor
    I read that a long time ago, too, but it isn't true. Besides, if you want to avoid using CreateRemoteThread, you can OpenThread, SuspendThread, GetThreadContext, change ctx.Eip, SetThreadContext, and ResumeThread... though that's an awful lot of trouble to get around something that isn't detected or even checked in the first place.
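
Seen from the monitoring side, the two approaches named in the posts above are ordered API sequences that one process issues against another: allocate, write, CreateRemoteThread; or SuspendThread, GetThreadContext, SetThreadContext, ResumeThread. The C code below is an added example, not code from the thread: it matches those sequences per caller/target pair. The telemetry record format, the pids and the sample log are constructed, and it assumes the monitor has already resolved each thread handle to its owning process.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical telemetry record: one cross-process API call seen by a monitor. */
enum api {
    VIRTUAL_ALLOC_EX, WRITE_PROCESS_MEMORY, CREATE_REMOTE_THREAD,
    OPEN_THREAD, SUSPEND_THREAD, GET_THREAD_CONTEXT, SET_THREAD_CONTEXT,
    RESUME_THREAD, READ_PROCESS_MEMORY
};
struct call { int caller_pid; int target_pid; enum api api; };

enum finding { F_NONE = 0, F_REMOTE_THREAD = 1, F_CONTEXT_HIJACK = 2 };

/* The two sequences named in the thread, in the order they must occur. */
static const enum api SEQ_REMOTE[] = {
    VIRTUAL_ALLOC_EX, WRITE_PROCESS_MEMORY, CREATE_REMOTE_THREAD };
static const enum api SEQ_HIJACK[] = {
    SUSPEND_THREAD, GET_THREAD_CONTEXT, SET_THREAD_CONTEXT, RESUME_THREAD };

/* Constructed sample log; callers are interleaved as they would be live. */
static const struct call SAMPLE[] = {
    {4100, 7300, READ_PROCESS_MEMORY},
    {4100, 7300, VIRTUAL_ALLOC_EX},
    {4200, 7300, OPEN_THREAD},
    {4100, 7300, WRITE_PROCESS_MEMORY},
    {4200, 7300, SUSPEND_THREAD},
    {5000, 7300, SUSPEND_THREAD},       /* pause/resume only, no context write */
    {4200, 7300, GET_THREAD_CONTEXT},
    {4100, 7300, CREATE_REMOTE_THREAD},
    {5000, 7300, RESUME_THREAD},
    {4200, 7300, SET_THREAD_CONTEXT},
    {4200, 7300, RESUME_THREAD},
    {6000, 7300, CREATE_REMOTE_THREAD}, /* no prior alloc/write by this caller */
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* 1 if `seq` occurs, in order, among the calls caller made against target. */
static int has_sequence(const struct call *log, size_t n, int caller,
                        int target, const enum api *seq, size_t seq_len)
{
    size_t want = 0;
    for (size_t i = 0; i < n && want < seq_len; i++) {
        if (log[i].caller_pid != caller || log[i].target_pid != target)
            continue;
        if (log[i].api == seq[want])
            want++;
    }
    return want == seq_len;
}

/* Bitmask of findings for one caller/target pair; self-targeting is ignored. */
int classify_pair(const struct call *log, size_t n, int caller, int target)
{
    int f = F_NONE;
    if (caller == target)
        return f;
    if (has_sequence(log, n, caller, target, SEQ_REMOTE, 3))
        f |= F_REMOTE_THREAD;
    if (has_sequence(log, n, caller, target, SEQ_HIJACK, 4))
        f |= F_CONTEXT_HIJACK;
    return f;
}

int main(void)
{
    int callers[] = {4100, 4200, 5000, 6000};
    for (size_t i = 0; i < 4; i++)
        printf("pid %d -> 7300: finding=%d\n", callers[i],
               classify_pair(SAMPLE, SAMPLE_LEN, callers[i], 7300));
    return 0;
}
```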

  9. #9
    Nesox's Avatar ★ Elder ★
    Originally Posted by Shynd View Post
    I read that a long time ago, too, but it isn't true. Besides, if you want to avoid using CreateRemoteThread, you can OpenThread, SuspendThread, GetThreadContext, change ctx.Eip, SetThreadContext, and ResumeThread... though that's an awful lot of trouble to get around something that isn't detected or even checked in the first place.
    Hi, got a question about CreateRemoteThread. I've tried just spawning one into WoW; first wrote 3 push, 0 to a codecave, but it just crashes WoW. The thread is really bad: it continues even after the 3 pushes and therefore crashes WoW :weepy:

    Code:
    //allocate memory for codecave
    uint cc = Memory.AllocateMemory(hProcess, 0x1000);
    
    //Opcodes in raw hex to inject
    byte[] bInject = {0x6A, 0x00,  //push 0
                      0x6A, 0x00,  //push 0
                      0x6A, 0x00   //push 0
                     };
    
    //Write the opcodes to the codeCave
    Memory.WriteMemory(hProcess, cc, bInject);
    
    //create the thread
    IntPtr hThread = Memory.CreateRemoteThread(hProcess, cc, 0);
    
    Memory.WaitForSingleObject(hThread);
    
    //close handle
    Memory.CloseHandle(hThread);

  10. #10
    Cypher's Avatar Kynox's Sister's Pimp
    It's not being checked, you won't get banned, go nuts.

  11. #11
    cenron's Avatar Member
    Originally Posted by Nesox View Post
    Hi, got a question about CreateRemoteThread. I've tried just spawning one into WoW; first wrote 3 push, 0 to a codecave, but it just crashes WoW. The thread is really bad: it continues even after the 3 pushes and therefore crashes WoW :weepy:

    Code:
    //allocate memory for codecave
    uint cc = Memory.AllocateMemory(hProcess, 0x1000);
    
    //Opcodes in raw hex to inject
    byte[] bInject = {0x6A, 0x00,  //push 0
                      0x6A, 0x00,  //push 0
                      0x6A, 0x00   //push 0
                     };
    
    //Write the opcodes to the codeCave
    Memory.WriteMemory(hProcess, cc, bInject);
    
    //create the thread
    IntPtr hThread = Memory.CreateRemoteThread(hProcess, cc, 0);
    
    Memory.WaitForSingleObject(hThread);
    
    //close handle
    Memory.CloseHandle(hThread);
    I think what you have to do is find the main thread for WoW then

    Code:
    OpenThread();
    Then
    Code:
    CreateRemoteThread()
    Into that. I could be wrong but it's worth a try.

  12. #12
    Shynd's Avatar Contributor
    No, that's not it. The reason it crashes is that you need to append a RETN (0xC3) after your two pushes. Maybe even SUB ESP, 8 \ RETN. Threads that you create need to return after execution is finished (or be terminated, of course).

  13. #13
    cenron's Avatar Member
    Ok so here is another question. How do you get the return value of a function, like GetObjectByGUID, once you have done this type of injection?

  14. #14
    Shynd's Avatar Contributor
    There's a few different ways. You can either go all-out and write and inject a DLL that sends information back and forth between processes--sockets, named pipes, shared memory, Windows messages--or, if you're only going to be needing the return value every so often, as with GetNumLootItems or something, you can put what you want to be returned into the EAX register, RETN, and then call kernel32.GetExitCodeThread(hThread);.

    For instance, say you inject code that does something like:
    Code:
    CALL wow.GetNumLootItems ;return value will be in EAX
    RETN
    and execute it using CreateRemoteThread. Your code might look like:
    Code:
    //do whatever injection up here somewhere
    HANDLE hThread = CreateRemoteThread(..whatever);
    WaitForSingleObject(hThread, INFINITE);
    DWORD dwNumLootItems = 0;
    GetExitCodeThread(hThread, &dwNumLootItems); //exit code is written through the pointer
    CloseHandle(hThread);
    Now dwNumLootItems holds the exit code, or value of EAX upon RETN, of your injected thread. Make sense?

  15. #15
    Nesox's Avatar ★ Elder ★
    Originally Posted by Shynd View Post
    There's a few different ways. You can either go all-out and write and inject a DLL that sends information back and forth between processes--sockets, named pipes, shared memory, Windows messages--or, if you're only going to be needing the return value every so often, as with GetNumLootItems or something, you can put what you want to be returned into the EAX register, RETN, and then call kernel32.GetExitCodeThread(hThread);.

    For instance, say you inject code that does something like:
    Code:
    CALL wow.GetNumLootItems ;return value will be in EAX
    RETN
    and execute it using CreateRemoteThread. Your code might look like:
    Code:
    //do whatever injection up here somewhere
    HANDLE hThread = CreateRemoteThread(..whatever);
    WaitForSingleObject(hThread, INFINITE);
    DWORD dwNumLootItems = 0;
    GetExitCodeThread(hThread, &dwNumLootItems); //exit code is written through the pointer
    CloseHandle(hThread);
    Now dwNumLootItems holds the exit code, or value of EAX upon RETN, of your injected thread. Make sense?
    Yeah, I get it now. I'll fool around with it some and try to get some stuff working, thx.
