Making a WoW Bot [Mac]

[Cypher]

Well instead of just laughing at me could you help me understand whats going on here?

If I sat down and explained in full everything you were getting wrong I'd be here for weeks. Then you'd still come back 5 minutes after the explanation and have more questions.

We're not here to tutor you, we'll answer questions sure, but you have to do most of the work yourself. If you don't know ASM, your platforms low-level specifics, have a decent grasp on C/C++ and how it translates to ASM, etc then why the hell are you trying to reverse WoW? Thats just stupid. You're going to get nowhere trying to reverse stuff from scratch if you don't understand what you're doing.

[enteleky]

Alright I understand what you are saying. But I am starting to get what is going on, and also everything looks different on the Mac so I can't use preexisting knowledge to help me understand. I found that GetObjectFromGUID and I know that that offset is related to the object manager because if I set a breaking point later in the function...

This is later in the same function and on load it gets called and at line 000a7bc2 eax is the beginning of my player object. So I know I am close.

000A7BB9 lea eax, [ebx+ebx*2]
000A7BBC mov edx, [ebp+var_30]
000A7BBF mov ecx, [edx+0Ch]
000A7BC2 mov eax, [ecx+eax*4+8]

A question I have is what does this actually mean:

when there is a line like this mov eax, ds:[121D5ACh] and I read that the ds register isn't really used anymore and it is just statically set to 0x1f so I was wondering what exactly does that line move into eax?

[Shynd]

Your question is proof that you really, really, really need to learn assembly and disassembly.

[Cypher]

Alright I understand what you are saying. But I am starting to get what is going on, and also everything looks different on the Mac so I can't use preexisting knowledge to help me understand. I found that GetObjectFromGUID and I know that that offset is related to the object manager because if I set a breaking point later in the function...

This is later in the same function and on load it gets called and at line 000a7bc2 eax is the beginning of my player object. So I know I am close.

000A7BB9 lea eax, [ebx+ebx*2]
000A7BBC mov edx, [ebp+var_30]
000A7BBF mov ecx, [edx+0Ch]
000A7BC2 mov eax, [ecx+eax*4+8]

A question I have is what does this actually mean:

when there is a line like this mov eax, ds:[121D5ACh] and I read that the ds register isn't really used anymore and it is just statically set to 0x1f so I was wondering what exactly does that line move into eax?

/facepalm

The point is, you don't have any prexisting knowledge (bar the stuff you copy-pasted from kynox/shynd/myself/etc).

You really are totally ****ing clueless, either learn ASM/RCE/etc or don't bother coming here with your questions.

Your question is proof that you really, really, really need to learn assembly and disassembly.

QFT.

I got 5 bucks that says his next question is "is disassembly another language I have to learn like assembly".

[ReppzYouTube]

Alright I will take a look at that in a second... While looking around during a debugging session I found these lines in pthread_getspecific which is getting the TLS storage...

0x93616da4 <pthread_getspecific+0>: mov 0x4(%esp),%eax
0x93616da8 <pthread_getspecific+4>: mov %gs:0x48(,%eax,4),%eax

Scratch that... I have a feeling that that code above I could call from within the program and potentially get the address every time even if WoW is patched because its the TLS?


Thanks for holding my hand Shynd that should help a lot.

Shynd: I found this...

mov [esp+68h+var_5C], offset aG_clientconnec ; "g_clientConnection != __null"
mov [esp+68h+var_60], 6A4h

and

mov [esp+28h+var_1C], offset aS_curmgr ; "s_curMgr"
mov [esp+28h+var_20], 7DAh

but I have a feeling that not what I am looking for... And also that looks like it leads no where.

Also trying to find ObjectMgrClient give me this with no places its referenced in code...

__cstring:00832394 db './ObjectMgrClient/ObjectMgrClient.cpp',0
__cstring:008323FB align 4

Update: Screw all that above... Using a debugger I was able to grab the pointer to what I think is the TLS store...
(gdb) x/x 0x68bc9e
0x68bc9e: 0x202404c7 and if I understand correctly 0x202404c7 is the pointer to the CurrentConnection object

So if I am correct through all this so far you can grab that static pointer(0x68bc9e) from this function which comes right after a thread asks for pthread_getspecific...

0x0068bc2b: mov %eax,%esi
0x0068bc2d: test %eax,%eax
-0x0068bc2f: je 0x68bc9e
0x0068bc31: lea 0x8(%eax),%edi
0x0068bc34: mov 0x8(%ebp),%eax
0x0068bc37: cmp %eax,0x8(%edi)
-0x0068bc3a: jbe 0x68bc14
0x0068bc3c: mov 0x8(%edi),%ebx
0x0068bc3f: cmp %ebx,%eax
-0x0068bc41: jae 0x68bc4e
0x0068bc43: mov 0xc(%edi),%eax
0x0068bc46: mov 0x8(%ebp),%edx
0x0068bc49: mov (%eax,%edx,4),%eax

There are three lines that I have put dashes by and I was guessing that one of those is the CurrentConnection object....

I just realized that those are other functions and not the actual pointers to the currentconnection object... Blah

I am just lost again...

I got no idea if this will work but if you use a windows computer and open emuhacker maybe you could use emuhacker to get the addresses for you and then change them on your mac? or just try to change wowemuhacker into applescript? This is just a suggestion. goodluck btw!

[Cypher]

I got no idea if this will work but if you use a windows computer and open emuhacker maybe you could use emuhacker to get the addresses for you and then change them on your mac? or just try to change wowemuhacker into applescript? This is just a suggestion. goodluck btw!

.....

Please never post here again.. EVER!

[Gamer]

I got no idea if this will work but if you use a windows computer and open emuhacker maybe you could use emuhacker to get the addresses for you and then change them on your mac? or just try to change wowemuhacker into applescript? This is just a suggestion. goodluck btw!

Address in memory != Offset.

The address changes every time you zone, values won't have the same address on another instance of Wow on the same computer, let alone on a different CPU architecture.

[argh44z]

Ok I think I have found the objMgr... This snippet of ASM code comes from the GetObjectFromGUID()


│__text:000A7B4D mov ebp, esp
│__text:000A7B4F push edi
│__text:000A7B50 push esi
│__text:000A7B51 push ebx
│__text:000A7B52 sub esp, 4Ch
│__text:000A7B55 mov esi, [ebp+arg_0]
│__text:000A7B58 mov edi, [ebp+arg_4]
│__text:000A7B5B mov eax, ds:dword_121D5AC
│__text:000A7B60 mov [ebp+var_38], eax
│__text:000A7B63 test eax, eax
│__text:000A7B65 jz loc_A7C33
│__text:000A7B6B mov ecx, [eax+0C4h]
│__text:000A7B71 mov ebx, [eax+0C8h]
│__text:000A7B77 mov eax, ebx <---- I think this is the line in which the objMgr offset is put into eax.
│__text:000A7B79 or eax, ecx
│__text:000A7B7B jnz loc_A7C45
│__text:000A7B81 mov ebx, edi
│__text:000A7B83 or ebx, esi
│__text:000A7B85 jz loc_A7C33

Is the object manager at 0x0121d5ac+c8h?

The problem is when ever I set IDAs debugger to break on this line WoW spinlocks and IDA doesn't show its broken yet... Could anyone help me?

Only had a old mac client to use as reference (I don't have 3.0.3), but it looks like in that above snippet that dword_121D5AC is probably a pointer to the object manager.

Comparing equivalent code from the Mac client and a Windows PTR client from around the same time (checking to see if s_curMgr->m_movement is NULL or not):

Code:

mov     ecx, ds:dword_121944C
mov     [ebp+var_94], ecx
mov     eax, [ecx+0E0h]
test    eax, eax
jz      short loc_B0164
mov     [esp+0C8h+var_B4], 1
mov     [esp+0C8h+var_B8], 0
mov     [esp+0C8h+var_BC], offset aS_curmgrM_move ; "s_curMgr->m_movement == __null"
mov     [esp+0C8h+var_C0], 6B4h
mov     [esp+0C8h+var_C4], offset aVolumesF2Us_83 ; "/Volumes/F2/usrbuild/xb/build/WoW_9056p"...
mov     [esp+0C8h+var_C8], 85100000h
call    wow_assert_fail

Code:

mov     eax, TlsIndex
mov     ecx, large fs:2Ch
push    esi
mov     esi, [ecx+eax*4]
cmp     dword ptr [esi+8], 0
jz      short loc_47C036
call    sub_47B070
mov     edx, [esi+8]
cmp     dword ptr [edx+0E4h], 0
jz      short loc_47C00A
push    1               ; uExitCode
push    0               ; int
push    offset aS_curmgrM_move ; "s_curMgr->m_movement == 0"
push    6B4h            ; ExitCode
push    offset a_Objectmgrclie ; ".\\ObjectMgrClient.cpp"
push    85100000h       ; dwMessageId
call    wow_assert_fail

The windows client gets it from the TLS, the mac client gets it from a global variable (uninitialized global variables are stored in the bss section by gcc). The mac client is checking for 0xE0, and the windows client is checking for 0xE4; might be some sort of padding that's being added.

I would poke around the structure and find the pointer to the first object (my bet is that it is 4 off from the windows client).

[dethknightslave]

i am astonished this is the first time i have ever heard someone talking about how they are making a bot. i envy you becouse this is the first time somone has talked about this subject.