The 'better' way of doing 'nudge hacks' menu

Page 1 of 2 (results 1 to 15 of 22)
  1. #1
    Cypher

    The 'better' way of doing 'nudge hacks'

    I noticed that all of the current 'nudge hacks' (awwes etc) are out of process and use sendkeys to turn the character after nudging them.

    Using CInputControl you can turn without sending keystrokes etc. The advantage being that the turning is practically instant and you don't even notice your character move at all.

    Here's some sample code:
    CInputControl.h
    Code:
    #pragma once
    
    #include <windows.h>
    
    // Thin wrapper over the client's own CInputControl object. The class has no
    // members of its own; it is only ever used through a pointer to the game's
    // instance, so everything works on raw offsets from 'this'.
    class CInputControl
    {
    public:
        // Press (Enable = 1) or release (Enable = 0) one movement flag, the same
        // way the client's Lua movement handlers do it.
        void SetMovementFlag( int iFlag, int Enable, DWORD dwTime = 0 );
        DWORD GetMovementFlag();
    };
    CInputControl.cpp
    Code:
    #include "CInputControl.h"
    
    // Addresses are for the client build this was written against (July 2008)
    // and have to be re-found for any other build.
    void CInputControl::SetMovementFlag( int iFlag, int Enable, DWORD dwTime )
    {
        DWORD SetFlags      = 0x005343A0; // CInputControl::SetFlags, __thiscall
        DWORD pTickCountVal = 0x00BE10FC; // global that holds the client's tick count
        _asm
        {
            mov eax, pTickCountVal
            mov eax, [eax]          // push the tick value, not its address: the client's own call site loads the global
            mov ecx, this           // __thiscall: 'this' goes in ecx
            push dwTime
            push eax
            push Enable
            push iFlag
            call SetFlags
        }
    }
    
    DWORD CInputControl::GetMovementFlag()
    {
        // The current flag word sits at this+4. Go through a byte pointer so the
        // offset is 4 bytes regardless of sizeof(CInputControl).
        return *reinterpret_cast<DWORD*>( reinterpret_cast<BYTE*>( this ) + 4 );
    }
    Quick hacked-together example.
    Code:
    #include <windows.h>
    #include "CInputControl.h"   // plus the eMovementFlag enum below
    
    // The client's CInputControl instance, read through the static pointer at 0x00CF31E4.
    CInputControl * gpInputControl = reinterpret_cast<CInputControl*>( *reinterpret_cast<DWORD*>(0x00CF31E4) );
    
    // Thread entry point: move the X coordinate a little, then tap turn-left
    // (press and release) so the client sends a fresh movement update.
    int __cdecl NudgeXPos(void * )
    {
        // 0x00E29D28 holds the object pointer; +0xBF0 is the X coordinate nudged here.
        float * Ptr2 = reinterpret_cast<float*>( *reinterpret_cast<unsigned long*>(0x00E29D28) + 0xBF0 );
        *Ptr2 = *Ptr2 + 0.1f;
        gpInputControl->SetMovementFlag(MOVEMENT_FLAG_TURN_LEFT,1,0);
        gpInputControl->SetMovementFlag(MOVEMENT_FLAG_TURN_LEFT,0,0);
        return 0;
    }
    EDIT:

    Whoops, you'll need this too
    Code:
    // Bit flags passed as iFlag to SetMovementFlag; each one is a held key.
    enum eMovementFlag
    {
        MOVEMENT_FLAG_MOVE_FORWARD = 0x10,
        MOVEMENT_FLAG_MOVE_BACKWARD = 0x20,
        MOVEMENT_FLAG_STRAFE_LEFT = 0x40,
        MOVEMENT_FLAG_STRAFE_RIGHT = 0x80,
        MOVEMENT_FLAG_TURN_LEFT = 0x100,
        MOVEMENT_FLAG_TURN_RIGHT = 0x200,
        MOVEMENT_FLAG_PITCH_UP = 0x400,
        MOVEMENT_FLAG_PITCH_DOWN = 0x800,
        MOVEMENT_FLAG_AUTO_RUN = 0x1000,
    
        MOVEMENT_FLAG_ALL = 0x1FF0   // every flag above OR'd together
    };
    Last edited by Cypher; 07-23-2008 at 05:54 AM.

  2. #2
    hfs
    I was under the impression that fiddling with the coords/rotation via any of the memory techniques would kick you... is that what you mean by 'nudge'?

  3. #3
    Cypher
    Yes, it's possible to change your coords by a tiny bit then turn, and repeat that. Effectively 'nudging' your character across, through objects/walls/etc.

  4. #4
    hfs
    Great, cheers!

    Care to elaborate on that a bit though?

    I read somewhere that you can move something like 0.0012 units without the game kicking up a fuss?

    And, err.. one last question (bearing in mind I've not cracked WoW open yet)... why have you crammed eax in the middle there?

    Now the direct call makes a whole lot more sense anyway, cheers again! =)

  5. #5
    Cypher
    Originally Posted by hfs
    Great, cheers!

    Care to elaborate on that a bit though?

    I read somewhere that you can move something like 0.0012 units without the game kicking up a fuss?

    And, err.. one last question (bearing in mind I've not cracked WoW open yet)... why have you crammed eax in the middle there?

    Now the direct call makes a whole lot more sense anyway, cheers again! =)

    You can move about 0.1-0.5 units, I forget the exact amount. Just start at 0.1 and get bigger and bigger until you get dced. Also, what do you mean? GetTickCount is moved into EAX and then pushed, so obviously that's what's in the register, I don't get your question. If you're asking why it's moved into EAX and then pushed instead of pushed directly, it's because that's how all the code inside WoW that calls the function does it, so I basically copied the function call method directly from inside a Lua API.

  6. #6
    hfs
    Cool cheers again =)


    One more rep for being super helpful when the board lets me again!

  7. #7
    Sychotix (Moderator)
    .136 is the most you can change your coords.

  8. #8
    hfs
    thanks! .

  9. #9
    Cypher
    Originally Posted by Sychotix
    .136 is the most you can change your coords.

    Yeah, just checked that and it works well. Thanks.
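
    A worked version of the nudge loop described in posts #3 through #9, added here as an example and not code from the thread: it splits a target displacement into hops that each stay under the 0.136-unit limit Sychotix quoted, and shows the check a server would be running on the other side. The 0.136 figure is the thread's; the 2-D handling, the server-side check and every name in the block are assumptions made for the illustration.

```cpp
#include <cmath>
#include <vector>

// Added example modelling the nudge loop from the thread. The per-hop cap is
// the 0.136-unit figure from post #7; the 2-D handling and the server-side
// check are assumptions for illustration, not the client's or server's code.
constexpr float kMaxNudge = 0.136f;

struct Vec2 { float x, y; };

static float Length(Vec2 v) { return std::sqrt(v.x * v.x + v.y * v.y); }

// Client side: split the move from 'from' to 'to' into n equal hops, with n
// chosen so each hop's straight-line length is <= maxStep. Equal hops avoid a
// tiny remainder at the end, and measuring the Euclidean length (not per-axis
// deltas) matters: a hop of 0.136 on both x and y is 0.192 units long.
std::vector<Vec2> PlanNudges(Vec2 from, Vec2 to, float maxStep = kMaxNudge)
{
    std::vector<Vec2> hops;
    Vec2 d{to.x - from.x, to.y - from.y};
    float dist = Length(d);
    if (dist == 0.0f) return hops;
    int n = static_cast<int>(std::ceil(dist / maxStep));
    for (int i = 0; i < n; ++i)
        hops.push_back({d.x / n, d.y / n});
    return hops;
}

// Apply the hops in order. In the real loop each hop is followed by the
// turn-left press/release from NudgeXPos so the client sends an update.
Vec2 ApplyNudges(Vec2 pos, const std::vector<Vec2>& hops)
{
    for (const Vec2& h : hops) { pos.x += h.x; pos.y += h.y; }
    return pos;
}

bool AllWithinLimit(const std::vector<Vec2>& hops, float maxStep = kMaxNudge)
{
    for (const Vec2& h : hops)
        if (Length(h) > maxStep) return false;
    return true;
}

// Server side (assumed): the check each movement update has to survive.
// Anything farther than maxStep from the last accepted position is refused.
bool WouldBeRejected(Vec2 lastAccepted, Vec2 proposed, float maxStep = kMaxNudge)
{
    return Length({proposed.x - lastAccepted.x, proposed.y - lastAccepted.y}) > maxStep;
}
```

    Moving one unit along X needs eight hops of 0.125; the diagonal case is where a naive "clamp each axis to 0.136" loop gets rejected, since that hop is 0.192 units long.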

  10. #10
    UnknOwned
    I took a little look at the WoW API's command table, and surprisingly found that the functions for movement are not deprecated, just "deactivated", so I guess there must be a "switch" somewhere to enable them again.
    Not that it would help this particular approach, but funny anyway... could be used to make a Lua-based bot or something.

  11. #11
    Cypher
    Originally Posted by UnknOwned
    I took a little look at the WoW API's command table, and surprisingly found that the functions for movement are not deprecated, just "deactivated", so I guess there must be a "switch" somewhere to enable them again.
    Not that it would help this particular approach, but funny anyway... could be used to make a Lua-based bot or something.

    Already knew that.

    Yeah, that's how I found CInputControl to begin with.

    Code:
    .text:005345F0 sub_5345F0      proc near               ; DATA XREF: .data:00B9E95Co
    .text:005345F0                 push    esi
    .text:005345F1                 call    sub_5330B0
    .text:005345F6                 push    0
    .text:005345F8                 mov     esi, eax
    .text:005345FA                 call    ProtectedLuaCheck
    .text:005345FF                 add     esp, 4
    .text:00534602                 test    eax, eax
    .text:00534604                 jz      short loc_534619
    .text:00534606                 mov     eax, GetTickCountVal
    .text:0053460B                 push    0
    .text:0053460D                 push    eax
    .text:0053460E                 push    1
    .text:00534610                 push    10h
    .text:00534612                 mov     ecx, esi
    .text:00534614                 call    CInputControl__SetFlags
    .text:00534619
    .text:00534619 loc_534619:                             ; CODE XREF: sub_5345F0+14j
    .text:00534619                 xor     eax, eax
    .text:0053461B                 pop     esi
    .text:0053461C                 retn
    .text:0053461C sub_5345F0      endp
    .text:0053461C


    Just patch ProtectedLuaCheck.

    Code:
    .text:0049DBA0 ProtectedLuaCheck proc near             ; CODE XREF: Lua_SendChatMessage+1Fp
    .text:0049DBA0                                         ; sub_49E900+2p ...
    .text:0049DBA0
    .text:0049DBA0 arg_0           = dword ptr  8
    .text:0049DBA0
    .text:0049DBA0                 push    ebp
    .text:0049DBA1                 mov     ebp, esp
    .text:0049DBA3                 cmp     dword_E1F640, 0
    .text:0049DBAA                 mov     ecx, [ebp+arg_0]
    .text:0049DBAD                 mov     eax, dword_C6E820
    .text:0049DBB2
    .text:0049DBB2 Lua_Protection_Patch:                   ; default
    .text:0049DBB2                 jz      short loc_49DC19 ; jumptable 0049DBC0 case 10
    .text:0049DBB4                 cmp     ecx, 12h        ; switch 19 cases
    .text:0049DBB7                 ja      short loc_49DC19 ; default
    .text:0049DBB7                                         ; jumptable 0049DBC0 case 10
    .text:0049DBB9                 movzx   edx, byte ptr ds:unk_49DC40[ecx]
    .text:0049DBC0                 jmp     ds:off_49DC30[edx*4] ; switch jump
    .text:0049DBC7
    .text:0049DBC7 loc_49DBC7:                             ; DATA XREF: .text:off_49DC30o
    .text:0049DBC7                 xor     eax, eax        ; jumptable 0049DBC0 cases 0-5,16,17
    .text:0049DBC9                 push    eax
    .text:0049DBCA                 push    eax
    .text:0049DBCB                 call    sub_498100      ; <"%s%s">
    .text:0049DBD0                 add     esp, 8
    .text:0049DBD3                 xor     eax, eax
    .text:0049DBD5                 pop     ebp
    .text:0049DBD6                 retn
    .text:0049DBD7 ; ---------------------------------------------------------------------------
    .text:0049DBD7
    .text:0049DBD7 loc_49DBD7:                             ; CODE XREF: ProtectedLuaCheck+20j
    .text:0049DBD7                                         ; DATA XREF: .text:off_49DC30o
    .text:0049DBD7                 test    eax, eax        ; jumptable 0049DBC0 cases 11-14
    .text:0049DBD9                 jz      short loc_49DC27
    .text:0049DBDB                 cmp     dword ptr [eax+114Ch], 0
    .text:0049DBE2                 jnz     short loc_49DC19 ; default
    .text:0049DBE2                                         ; jumptable 0049DBC0 case 10
    .text:0049DBE4                 mov     eax, 2
    .text:0049DBE9                 push    eax
    .text:0049DBEA                 push    0
    .text:0049DBEC                 call    sub_498100      ; <"%s%s">
    .text:0049DBF1                 add     esp, 8
    .text:0049DBF4                 xor     eax, eax
    .text:0049DBF6                 pop     ebp
    .text:0049DBF7                 retn
    .text:0049DBF8 ; ---------------------------------------------------------------------------
    .text:0049DBF8
    .text:0049DBF8 loc_49DBF8:                             ; CODE XREF: ProtectedLuaCheck+20j
    .text:0049DBF8                                         ; DATA XREF: .text:off_49DC30o
    .text:0049DBF8                 test    eax, eax        ; jumptable 0049DBC0 cases 6-9,15,18
    .text:0049DBFA                 jz      short loc_49DC27
    .text:0049DBFC                 cmp     dword ptr [eax+1150h], 0
    .text:0049DC03                 jnz     short loc_49DC19 ; default
    .text:0049DC03                                         ; jumptable 0049DBC0 case 10
    .text:0049DC05                 mov     eax, 1
    .text:0049DC0A                 push    eax
    .text:0049DC0B                 push    0
    .text:0049DC0D                 call    sub_498100      ; <"%s%s">
    .text:0049DC12                 add     esp, 8
    .text:0049DC15                 xor     eax, eax
    .text:0049DC17                 pop     ebp
    .text:0049DC18                 retn
    .text:0049DC19 ; ---------------------------------------------------------------------------
    .text:0049DC19
    .text:0049DC19 loc_49DC19:                             ; CODE XREF: ProtectedLuaCheck:Lua_Protection_Patchj
    .text:0049DC19                                         ; ProtectedLuaCheck+17j ...
    .text:0049DC19                 test    eax, eax        ; default
    .text:0049DC19                                         ; jumptable 0049DBC0 case 10
    .text:0049DC1B                 jz      short loc_49DC27
    .text:0049DC1D                 test    ecx, ecx
    .text:0049DC1F                 jnz     short loc_49DC27
    .text:0049DC21                 mov     [eax+1150h], ecx
    .text:0049DC27
    .text:0049DC27 loc_49DC27:                             ; CODE XREF: ProtectedLuaCheck+39j
    .text:0049DC27                                         ; ProtectedLuaCheck+5Aj ...
    .text:0049DC27                 mov     eax, 1
    .text:0049DC2C                 pop     ebp
    .text:0049DC2D                 retn
    .text:0049DC2D ProtectedLuaCheck endp
    Patch the section I've annotated as Lua_Protection_Patch to enable running of all Blizz-only functions.

    IMPORTANT: Warden hashes parts of that function, so you need to be careful what you change. I personally use a Warden patch to stop Warden picking up any client mods, but if you feel that's too much work you can probably mod the function near the top (away from the jmp/cmp) to get the same effect.

  12. #12
    Sychotix (Moderator)
    yeah... one thing about Warden that is stupid... it only scans certain offsets. For example... if it scans the "jne" of a function in order to make sure you don't change it to do a hack... how about you simply codecave above it and make sure the "jne" always does what you want?

    pwnt much? =P

    ex.

    1 pop edi
    2 cmp eax,1337 /* start scanning
    3 je 6
    4 call 8675309 //limit your jump
    5 jmp 007734101 */end scanning
    6 retn

    would be changed to

    1 call 911
    2 cmp eax,1337 /* start scanning
    3 je 6
    4 call 8675309 //limit your jump
    5 jmp 007734101 */end scanning
    6 retn

    911 pop edi //maybe needed so you might as well include it =P
    912 mov eax,1337 //make sure it jumps
    914 retn //return back to the original function
    Last edited by Sychotix; 07-30-2008 at 01:19 PM.

  13. #13
    Cypher
    Originally Posted by Sychotix
    yeah... one thing about Warden that is stupid... it only scans certain offsets. For example... if it scans the "jne" of a function in order to make sure you don't change it to do a hack... how about you simply codecave above it and make sure the "jne" always does what you want?

    pwnt much? =P

    ex.

    1 pop edi
    2 cmp eax,1337 /* start scanning
    3 je 6
    4 call 8675309 //limit your jump
    5 jmp 007734101 */end scanning
    6 retn

    would be changed to

    1 call 911
    2 cmp eax,1337 /* start scanning
    3 je 6
    4 call 8675309 //limit your jump
    5 jmp 007734101 */end scanning
    6 retn

    911 pop edi //maybe needed so you might as well include it =P
    912 mov eax,1337 //make sure it jumps
    914 retn //return back to the original function

    Err, that's exactly what I said in my post.

    Also, you don't need a code cave, you can bypass the scan with just a couple of bytes of patching.
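
    The point made in posts #11 to #13 (a scanner that hashes only part of a function can be sidestepped by changing bytes it never reads), as an added example that is not code from the thread and is not Warden's real scan format, digest or offsets: a toy integrity scanner takes a reference hash over a window of a fake function's bytes, and a patch inside the window is compared with a patch in the unscanned prefix, following the layout of Sychotix's sketch. All byte values are placeholders rather than real x86 encodings, and every name here is made up for the example. PatchFits covers the caveat the sketch itself raises: the replacement instruction has to fit entirely within the unscanned bytes, since a 5-byte call written over a 1-byte instruction would spill into the window.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example: toy model of a partial code-integrity scan. Not Warden's scan
// format, digest or offsets; byte values are placeholders, not x86 encodings.
// Layout follows Sychotix's sketch: an unscanned prefix, then a scanned window
// holding the compare/branch, then the rest of the function.
using Bytes = std::vector<uint8_t>;

constexpr size_t kPrefixLen = 5;   // bytes before the window (the "pop edi" slot)
constexpr size_t kScanStart = 5;   // window [5, 13) covers cmp + je + start of call
constexpr size_t kScanEnd   = 13;

// FNV-1a over [start, end): a stand-in for whatever digest the scanner uses.
uint32_t Fnv1a(const Bytes& b, size_t start, size_t end)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = start; i < end && i < b.size(); ++i) {
        h ^= b[i];
        h *= 0x01000193u;
    }
    return h;
}

struct Scan { size_t start, end; uint32_t expected; };

// The scanner's reference hash, taken from the pristine function.
Scan Baseline(const Bytes& code, size_t start, size_t end)
{
    return {start, end, Fnv1a(code, start, end)};
}

// Periodic check: true when the window no longer matches the reference.
bool Detected(const Scan& s, const Bytes& code)
{
    return Fnv1a(code, s.start, s.end) != s.expected;
}

// Constructed 14-byte "function". Placeholder values only.
Bytes SampleFunction()
{
    return { 0x01, 0x02, 0x03, 0x04, 0x05,   // [0..5)   prefix before the check
             0x10, 0x11, 0x12, 0x13, 0x14,   // [5..10)  cmp eax, imm32
             0x20, 0x21,                     // [10..12) je
             0x30,                           // [12]     first byte of the call
             0x40 };                         // [13]     retn (outside the window)
}

Scan PartialScan() { Bytes c = SampleFunction(); return Baseline(c, kScanStart, kScanEnd); }
Scan FullScan()    { Bytes c = SampleFunction(); return Baseline(c, 0, c.size()); }

// Patch A: flip the conditional branch inside the window. The scanner sees it.
Bytes PatchInsideScan(Bytes code)
{
    code[10] = 0xEE;
    return code;
}

// Patch B (the codecave idea): replace the prefix with a detour that fixes eax
// before the compare runs, so the untouched je takes the branch we want. Only
// unscanned bytes change, so the window hashes identically.
Bytes PatchOutsideScan(Bytes code)
{
    const uint8_t detour[kPrefixLen] = {0xAA, 0xAB, 0xAC, 0xAD, 0xAE};
    for (size_t i = 0; i < kPrefixLen; ++i) code[i] = detour[i];
    return code;
}

// The caveat: a patch only stays invisible if it lies wholly outside [kScanStart, kScanEnd).
bool PatchFits(size_t patchStart, size_t patchLen)
{
    size_t patchEnd = patchStart + patchLen;
    return patchEnd <= kScanStart || patchStart >= kScanEnd;
}
```

    The defender's side of the same model is FullScan: once the reference hash covers the whole function, the prefix patch is caught just like the branch flip, which is why scanning "certain offsets" rather than whole functions is the weakness the thread is pointing at.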

  14. #14
    dffrntdnl
    man I wish I knew this kind of stuff... where can I learn things like this?


    <cowers, knowing how close the flames could be....>

  15. #15
    kynox
    By reverse engineering WoW.
