WoW Modification Journal

[haavis]

I've been lurking these forums for quite some time now, without posting anything, but this deserves a reply!

I've been tinkering with the same things you are now for some time now, and I must say, this is ace : ) You are really contributing with a lot of great stuff, in an easy to understand and with a sound and humble approach.

Oh, and that sounded like a great weekend ^_^

Keep up the great work, I hope to see a lot of posts in the future. I would love to be able to comment on the blog itself, but it seems as if I have to log in to do so?

Anyway, all praise

[Shynd]

Yeah, I disabled anonymous comments because I cannot stand getting spammed by random people. Anyone with anything important to say will register to say it.

And I thank you for your appreciation.

[Shynd]

Journal updated: SelectUnit « Shynd’s WoW Modification Journal


Kynox, bobbysing, anyone else: How detectable would the above method be by Warden? I've heard Warden executes every ~15 seconds, does it iterate through all memory blocks and scan them and, if so, what does it scan them for? Relative calls to the client memory space? Would one be better off to leave the code injected and just disguise it until it needs to be called, then suspend all threads, patch the correct code back in, call it, and patch it out? I'm really in the dark as to what Warden will and won't detect. I'm operating on the assumption that it has blacklist hashes that it compares memory to, but I'm not sure and not willing to bet my account on it =p

[Thybhalt]

* Credit kynox for this info *

At ObjectBase + 0014h there is a DWORD of the type of object that you are looking at:

Code:

enum ObjectType { ITEM = 1, CONTAINER, UNIT, PLAYER, GAMEOBJ, DYNOBJ, CORPSE };

Some objects, items, etc. won't have a real world location.

I'm wonderd that Corpse, DynObj, and GameObjs don't have a x, y and z position,
Corpse is the Corpse of a player, right ? But they must have coordinates... I think they have only other Offsets. Could you agree me ? =)

Sorry for my Bad English =)

[kynox]

Journal updated: SelectUnit « Shynd’s WoW Modification Journal


Kynox, bobbysing, anyone else: How detectable would the above method be by Warden? I've heard Warden executes every ~15 seconds, does it iterate through all memory blocks and scan them and, if so, what does it scan them for? Relative calls to the client memory space? Would one be better off to leave the code injected and just disguise it until it needs to be called, then suspend all threads, patch the correct code back in, call it, and patch it out? I'm really in the dark as to what Warden will and won't detect. I'm operating on the assumption that it has blacklist hashes that it compares memory to, but I'm not sure and not willing to bet my account on it =p

Warden's main plan of attack is hashing bytes at relative offsets to modules and each page, and comparing them to "bad" hashes.

Seeing as VirtualAllocEx is giving you a different address each time, i would say your detection levels are quite low.

[Shynd]

I'm wonderd that Corpse, DynObj, and GameObjs don't have a x, y and z position,
Corpse is the Corpse of a player, right ? But they must have coordinates... I think they have only other Offsets. Could you agree me ? =)

Sorry for my Bad English =)

Corpse, DynObj, and GameObjs have coordinates, yes. They're held within the object_flags struct.

For a Corpse, you read [baseaddress + 0x120] + 0x0C] for coordinates. A GameObject is [[baseaddress + 0x120] + 0x24]. A DynamicObject is [[baseaddress + 0x120] + 0x14]. Hope it helps.

Warden's main plan of attack is hashing bytes at relative offsets to modules and each page, and comparing them to "bad" hashes.

Seeing as VirtualAllocEx is giving you a different address each time, i would say your detection levels are quite low.

That's kinda what I figured. Soon as I get it polished a little bit more, I'll give it a go on retail and see what happens.



By the way, tomorrow I'll teach you all how to call the class method Object.Interact(). Whereas Select(..) allowed you to simulate a left-click on an object, Object.Interact() allows you to simulate a right-click on an object, allowing for attacking, looting, node mining, herb gathering, etc. I don't know much about virtual tables, but I figured out how to do it using CreateRemoteThread anyway. Tomorrow

[Thybhalt]

Corpse, DynObj, and GameObjs have coordinates, yes. They're held within the object_flags struct.

For a Corpse, you read [baseaddress + 0x120] + 0x0C] for coordinates. A GameObject is [[baseaddress + 0x120] + 0x24]. A DynamicObject is [[baseaddress + 0x120] + 0x14]. Hope it helps.

Oh yes =) Your blog is awesome =)

[blizzo]

Journal updated: SelectUnit « Shynd’s WoW Modification Journal

Cool. However, the SelectUnit function uses TLS so you have to update that address in the new thread you have created otherwise when you run it you'll get a useful popup from Wow.exe

Code:

push dword [fs:2Ch]
mov [fs:2Ch], dword TLSAddress
push dword GUID-MSByte
push dword GUID-LSByte
mov ebx, dword 0x006D8760
call ebx
add esp, 8
pop dword [fs:2Ch]
ret

That worked for me

[Shynd]

Cool. However, the SelectUnit function uses TLS so you have to update that address in the new thread you have created otherwise when you run it you'll get a useful popup from Wow.exe

Code:

push dword [fs:2Ch]
mov [fs:2Ch], dword TLSAddress
push dword GUID-MSByte
push dword GUID-LSByte
mov ebx, dword 0x006D8760
call ebx
add esp, 8
pop dword [fs:2Ch]
ret

That worked for me

Seemed to work fine for me, though you're right, it does seem to update the CurMgr right at the start of the subroutine. Don't know what to tell you, I never had a problem.

Object.Interact() definitely does, however, so I'll definitely get into that today.

[sweeper18]

Excellent journal you have started here, I like it a lot

[blizzo]

@Shynd: oh well, hehe
There are plenty of useful, interesting functions that can be run using this method. And it is something I have been looking to a little bit As you have suggested, this might be a better method than moving the mouse to target/attack/loot - if not for any other reason than it's easier hehe. I dunno if you downloaded or looked at my tool for injecting code, assembled on the fly using NASM, in to Wow - but it is quite useful for testing these functions. Easier than op-codes in a byte array, anyway

[Shynd]

Yeah, I had that thought earlier today and have decided to figure out how to use it maybe later today, maybe tomorrow, for whenever I find anything else I want to use.

[Bobnovak]

Great post Shynd.. I've been looking up this stuff for the past few days, trying to get my head around some of it (it's been a number of years since I've used C++ and had to deal with anything more complex than relational databases) - I was in the process of attempting to translate Kynox's library to C# when I stumbled across this thread, glad to see someone had done the work for me!

Just wanted to make a post in here and let you all know that I'm leeching for the time being, but I appreciate your work and I hope to be able to contribute in the future - By the way, I don't see a very comprehensive list of offsets and locations anywhere on here. I see threads with bits and pieces of stuff here and there (a lot of it out of date), or am I missing something?

Thanks again guys.

[Shynd]

Perhaps I'll make a post with offsets here in the near future. You're definitely right, that kind of thing isn't really made terribly clear at the moment.

[Shynd]

As promised: Object.Interact() « Shynd’s WoW Modification Journal and with only 5 minutes left in the day, EST! After promising to post about it today, I sure did cut it close.

Enjoy.