[GUIDE] How to set up a simple jump and speed hack using CE *moved*

[Sychotix]

He made the point he was trying to make, and there was nothing factually inaccurate in his remarks. There you go again with calling people stupid or retarded. Let's not be so quick to judge.

I agree with Chazwazza. If you view it as an int, you are viewing it completely wrong (although it does work). You should view it how it was defined in the code so you get a more accurate measure of it and how you can increase it. For example, if the value was 5 as float but 324324324 as an integer, which one is easier to tell how to double it? I am sure that if you double 324324324, you would instantly hit the roof of the game while if you changed the 5 to a 10, you would jump twice as high.

The only thing I agree with the other guy is that if it works, it works. However inaccurate and noobish it may be.

The fact that he is not reading it as a float value means that he probably got it from another source other than scanning the memory manually as he should have.

EDIT: oh yeah and kynox, isnt the value stored in another location in the memory as well? Couldn't you edit the value on there instead of where Warden scans or is it just scanning to see if the value changes or not?

[kynox]

EDIT: oh yeah and kynox, isnt the value stored in another location in the memory as well? Couldn't you edit the value on there instead of where Warden scans or is it just scanning to see if the value changes or not?

If thats the case, then yes. I'm not sure if it is stored anywhere else though.

One thing i can say, is that i havn't seen warden reading any code which reads from the address, so you could hijack each read from it and replace it with your own address.

Or, you could use the better method, and put a onread memory breakpoint on it, and send back bogus results. Both methods would be warden proof, the latter being the long term solution.

[Sychotix]

yeah, I'm sure warden runs via CRC which people use the "find what reads from" method to figure out where its at. OR, I could use the header that I downloaded from "someone's" site =P I might have lost that though durring my reformatting but idc.... i dont even have WoW atm. I'm thinking about waiting till after OB.NET comes out and botting up a few chars before WOTLK comes out.

EDIT: nope still got it.

[kynox]

*blank* Uh, what?

I don't understand a word you just said

[Sychotix]

A cyclic redundancy check (CRC) is a type of function that takes as input a data stream of any length, and produces as output a value of a certain space, commonly a 32-bit integer. The term CRC is often used to denote either the function or the function's output. A CRC can be used as a checksum to detect alteration of data during transmission or storage.

GameGuard uses this as well (if the buyer of the program activates it). People use the method of putting a breakpoint (Find what reads from) on the function and sees what reads from it. Once they find out that, they go to another address which they know is under the CRC and they do the same thing. They then normally compare the two and see if anything is similar and if there is, they have found where the CRC function is. Now they just need to disable it/trick it to think it always returns true. =P

[Cypher]

I agree with Chazwazza. If you view it as an int, you are viewing it completely wrong (although it does work). You should view it how it was defined in the code so you get a more accurate measure of it and how you can increase it. For example, if the value was 5 as float but 324324324 as an integer, which one is easier to tell how to double it? I am sure that if you double 324324324, you would instantly hit the roof of the game while if you changed the 5 to a 10, you would jump twice as high.

The only thing I agree with the other guy is that if it works, it works. However inaccurate and noobish it may be.

The fact that he is not reading it as a float value means that he probably got it from another source other than scanning the memory manually as he should have.

EDIT: oh yeah and kynox, isnt the value stored in another location in the memory as well? Couldn't you edit the value on there instead of where Warden scans or is it just scanning to see if the value changes or not?

The value isn't stored anywhere else, only references to it in the text segment. Like kynox said you can just hijack all reads to it and point the code to a new value in memory somewhere (tested and working as warden-proof), or hook the value itself in the data seg and send back the value you want (untested but will work).

Also, kynox know's what a CRC is, trust me, I think he was just confused by the general rambling in the post as opposed to the terminology.

[Sychotix]

The value isn't stored anywhere else, only references to it in the text segment. Like kynox said you can just hijack all reads to it and point the code to a new value in memory somewhere (tested and working as warden-proof), or hook the value itself in the data seg and send back the value you want (untested but will work).

Also, kynox know's what a CRC is, trust me, I think he was just confused by the general rambling in the post as opposed to the terminology.

aww but i never got into code caving =P. Instead of doing all that, why not simply bypass Warden's CRC where it will not be reading anything? or even if it does, it always returns that the function hasnt changed?

[kynox]

aww but i never got into code caving =P. Instead of doing all that, why not simply bypass Warden's CRC where it will not be reading anything? or even if it does, it always returns that the function hasnt changed?

It's not CRCing, the WoW server sends a request to read from certain addresses, warden complies by sending back the resulting bytes to the server.

Server checks if they're abnormal, if so - ban.

[Sychotix]

ahh... well either it is sending "yes its abnormal" or it is sending the value back. If it is sending the value back, you cant really mess with the function itself but if it is jusaying "no its not abnormal", there is probably a conditional jump that can simply be changed to make it always say that.

[kynox]

No, it sends back the raw bytes read. You need to hook the internal function which is called to scan memory and add it to the output buffer.

[Sychotix]

hm... so does the server send the value that it wants it to be to the function? if so, its probably stored in one of the registers and can be completely bypassed by doing (for example)
mov edi,eax //eax being the value it wants and edi being the value it sends back
jmp 8675309 //the jump leading to where the end of the function is where it actually sends the data back (or somewhere close... depending on how the function is)

I will have to poke at it some when this damn AoC raid stops -.- havnt had a chance to even finish patching WoW.

EDIT: alright. I poked at it some. I have NOP'ed quite a few addresses and tried to get warden to detect me yet nothing. Are you sure warden reads from the jump address (and some other addresses I have been provided with). If it does (which i think it does since i found a common section which reads them and the area is dynamic so ima have to do a pointer search to try and find it tomorrow)...

it cant be an instant ban though unless warden only reads from them like every hour or so -.-

[kynox]

I've found that warden won't ban me on my trial account, the only time i've had one banned is when my Warden Emulator was returning bad results and packet hashes.

[Cypher]

hm... so does the server send the value that it wants it to be to the function? if so, its probably stored in one of the registers and can be completely bypassed by doing (for example)
mov edi,eax //eax being the value it wants and edi being the value it sends back
jmp 8675309 //the jump leading to where the end of the function is where it actually sends the data back (or somewhere close... depending on how the function is)

I will have to poke at it some when this damn AoC raid stops -.- havnt had a chance to even finish patching WoW.

EDIT: alright. I poked at it some. I have NOP'ed quite a few addresses and tried to get warden to detect me yet nothing. Are you sure warden reads from the jump address (and some other addresses I have been provided with). If it does (which i think it does since i found a common section which reads them and the area is dynamic so ima have to do a pointer search to try and find it tomorrow)...

it cant be an instant ban though unless warden only reads from them like every hour or so -.-

You can't NOP random crap in the hope you get banned, Warden is quite specific. Also, warden scans occur every 15-20 seconds or something along those lines.

If you want to get banned just change your jump height or climb angle, that SHOULD work, unsure if it will work on trials. If you want to find warden you can probably put an on-read breakpoint on the address and find the function that warden is scanning the value with (untested).

[Sychotix]

You can't NOP random crap in the hope you get banned, Warden is quite specific. Also, warden scans occur every 15-20 seconds or something along those lines.

If you want to get banned just change your jump height or climb angle, that SHOULD work, unsure if it will work on trials. If you want to find warden you can probably put an on-read breakpoint on the address and find the function that warden is scanning the value with (untested).

Yeah i have already done that. I changed my jump height to -30 and was jumping around to hell hoping to get a ban. And also, I have a list of things that Warden scans thanks to a little someone. I put a breakpoint on it last night and i came to a function in the 0F494B48 region. I am going to do some scanning to see if i can find a pointer for it.

EDIT: is it because i changed the value via debugger and not a memory editor? lol

[kynox]

I put a breakpoint on it last night and i came to a function in the 0F494B48 region.

The function thats reading from it is inside of Warden.

It reads offsets (yes, you could hook this , but it also reads other data)..
Though Warden is dynamically allocated, so that address is quite useless once its unloaded .