Making a WoW Bot [Mac]

#1 enteleky (Member):

    Hello everyone. I know this has been asked about 4000 times and no one has ever gotten anywhere, but I hope to change that.

    Essentially I saw Pocket Gnome, which is a World of Warcraft Bot for Mac, and I think I can make a better bot. I just need a little help getting started down the trail.

    Currently, I have just some simple source for reading and writing memory, along with injecting code, for Mac OS X. I am in the process of learning how the code injection works, but I can read and write memory without a problem. Right now I am trying to figure out how WoW's memory is laid out and how to detect where the Player Object is, etc...

    In just a couple of minutes I found what I believe to be the player object, at least for this instance of WoW...

    Memory Locations:
    Health, 2D1BC6F0
    Level, 2D1BC768
    Armor, 2D1BC820
    Exp, 2D1BD65C

    What I was wondering is: what is the base address for the player object? Is it 0x2D1BC or is it 0x2D1BD? I sort of figured it was the latter because the Exp was outside the C range, but I was thinking that experience might be kept outside the player object. If someone could just give me a hand I would greatly appreciate it. Thanks.

#2 Wilkey (Contributor):

    I don't really have experience with programming bots, but I have a Mac and I could probably help you out. But sorry, I doubt you can make a better bot than Pocket Gnome if you don't really know what to do. That might just be me being skeptical, though.

    msn me at [email protected]

#3 enteleky (Member):

    Well, I have about 9 years of programming experience (Java, web (XHTML, CSS, JavaScript), C, C++) and the drive to learn, which is why I posted here: I want to learn so I can reach my goal. I added you on MSN by the way.

#4 Wilkey (Contributor):

    I knew basic Java, but forgot it all. But yeah, I have an extremely good working knowledge of the Mac system and can probably help you out. Just gotta get MSN fixed!

#5 argh44z (Member):

    IDA Pro will handle disassembling the Mac binary fine. I suggest using it to find g_clientConnection and s_objMgr, and enumerating the object list for the player.

    The OSX and Windows binaries are very similar, and I'd imagine that they share a common codebase, with the platform specific parts in discrete source files. The main differences in the two binaries at an assembly level stem from the fact that they're built with different compilers, different calling conventions etc.

    On the plus side, the last time I looked, the Mac OS X binary still had all the assert stuff in the binary (like a Windows PTR build), which makes it easier to find things.
    Last edited by argh44z; 12-06-2008 at 05:50 AM.

#6 suicidity (Contributor):

    The player base is not static, it's dynamic. Read more on the forums and get familiar with what you're getting yourself into.


#7 enteleky (Member):

    At the current time I am trying to debug with GDB and I need a symbol file, which I don't think I can just go ask for... And I can't get the PTR client right now because I haven't been able to find it and Blizzard took it down.

    Suicidity: Yeah, I know... I have found the locations inside the struct. Now I just have to figure out how to find it on load efficiently. But I think that's what the currentConnection and ObjectManager will help me do.

    Also a question... To find the CurrentConnection and ObjectManager, do I need to be in a debugging session?

    Also, I am guessing that another good way to detect both those objects would be to inject code, ask for the thread local storage address and search there?
    Last edited by enteleky; 12-06-2008 at 04:18 AM.

#8 Cypher:

    1. You have no idea what you're talking about in terms of memory addresses and allocation. I suggest you acquaint yourself with pointers and the structure of memory on your target architecture.
    2. Neither release nor PTR builds have a PDB available; there's no ****ing way Blizzard would just hand those out with every release. PTRs and Betas have assertions enabled, but that's it.
    3. Start with object enumeration. If you can't get that working, your bot is a lost cause anyway.


#9 enteleky (Member):

    Originally Posted by Cypher:
        1. You have no idea what you're talking about in terms of memory addresses and allocation. I suggest you acquaint yourself with pointers and the structure of memory on your target architecture.
        2. Neither release nor PTR builds have a PDB available; there's no ****ing way Blizzard would just hand those out with every release. PTRs and Betas have assertions enabled, but that's it.
        3. Start with object enumeration. If you can't get that working, your bot is a lost cause anyway.

    1. Alright, well if you say so. Could you point me in the direction of things I need to know?

    2. Alright. I mean, another dude said I could get the symbols from the PTR build.

    3. I was asking what the best way to do object enumeration is. For finding the ObjManager, should I inject code and ask for the TLS and then find the object manager after that? Or is there an easier way?

#10 Xarg0 (Member):

    Originally Posted by enteleky:
        1. Alright, well if you say so. Could you point me in the direction of things I need to know?

        2. Alright. I mean, another dude said I could get the symbols from the PTR build.

        3. I was asking what the best way to do object enumeration is. For finding the ObjManager, should I inject code and ask for the TLS and then find the object manager after that? Or is there an easier way?

    1. You should know about memory management from C++ coding.
    2. Cypher already answered this ^^
    3. Take a look at all xrefs of the tls_index with a debugger of your choice. You should find the gclient_connection stuff very fast if you've got an idea of what it's going to look like.

#11 enteleky (Member):

    Xarg0: Do you mind explaining number 3 to me a little bit? I understand you want me to look for the tls_index and then get all the external references, but I can't figure out how to do that with gdb. Do you have any advice?

#12 argh44z (Member):

    Originally Posted by enteleky:
        2. Alright. I mean, another dude said I could get the symbols from the PTR build.

    Assertion info != debugging symbols. And I said that the Mac client has the same info as the Windows PTR builds, so I'm not sure where you got the idea of getting a PTR client. The last time I checked, they didn't turn assertions off in the Mac non-PTR builds.

    And as Cypher noted, they'd be stupid to leave full debugging symbols in anything.

    Originally Posted by enteleky:
        3. I was asking what the best way to do object enumeration is. For finding the ObjManager, should I inject code and ask for the TLS and then find the object manager after that? Or is there an easier way?

    No, it's easy enough to find through static disassembly.

#13 enteleky (Member):

    Originally Posted by argh44z:
        No, it's easy enough to find through static disassembly.

    Could you point me on the path of this easy find through static disassembly... I have IDA Pro, which disassembled the whole file, and of course I can't find objMgr or anything like it. What I am asking is: what should I be looking for?

#14 Shynd (Contributor):

    You're looking for something that looks vaguely like this: http://img80.imageshack.us/img80/7945/objmgrox9.jpg

    Note: "ObjectMgrClient.cpp" is a string that you can search for. Look for all of the places that reference it until you see one that looks exactly like the above. You're interested in two lines:
    Code:
    mov ecx, dword ptr ds:[11C8248]
    mov dword ptr ds:[ecx+2854], eax
    The first value, 11C8248, is a pointer to g_ClientConnection. The second value, 2854, is the offset of s_CurMgr inside g_ClientConnection. Your hand has now been held.

#15 enteleky (Member):

    Alright, I will take a look at that in a second... While looking around during a debugging session I found these lines in pthread_getspecific, which is getting the TLS storage...

    0x93616da4 <pthread_getspecific+0>: mov 0x4(%esp),%eax
    0x93616da8 <pthread_getspecific+4>: mov %gs:0x48(,%eax,4),%eax

    Scratch that... I have a feeling that I could call the code above from within the program and potentially get the address every time, even if WoW is patched, because it's the TLS?

    Thanks for holding my hand, Shynd, that should help a lot.

    Shynd: I found this...

    mov [esp+68h+var_5C], offset aG_clientconnec ; "g_clientConnection != __null"
    mov [esp+68h+var_60], 6A4h

    and

    mov [esp+28h+var_1C], offset aS_curmgr ; "s_curMgr"
    mov [esp+28h+var_20], 7DAh

    but I have a feeling that's not what I am looking for... And also that looks like it leads nowhere.

    Also, trying to find ObjectMgrClient gives me this, with no places it's referenced in code...

    __cstring:00832394 db './ObjectMgrClient/ObjectMgrClient.cpp',0
    __cstring:008323FB align 4

    Update: Scrap all that above... Using a debugger I was able to grab the pointer to what I think is the TLS store...

    (gdb) x/x 0x68bc9e
    0x68bc9e: 0x202404c7

    and if I understand correctly, 0x202404c7 is the pointer to the CurrentConnection object.

    So if I am correct through all this so far, you can grab that static pointer (0x68bc9e) from this function, which comes right after a thread asks for pthread_getspecific...

    0x0068bc2b: mov %eax,%esi
    0x0068bc2d: test %eax,%eax
    -0x0068bc2f: je 0x68bc9e
    0x0068bc31: lea 0x8(%eax),%edi
    0x0068bc34: mov 0x8(%ebp),%eax
    0x0068bc37: cmp %eax,0x8(%edi)
    -0x0068bc3a: jbe 0x68bc14
    0x0068bc3c: mov 0x8(%edi),%ebx
    0x0068bc3f: cmp %ebx,%eax
    -0x0068bc41: jae 0x68bc4e
    0x0068bc43: mov 0xc(%edi),%eax
    0x0068bc46: mov 0x8(%ebp),%edx
    0x0068bc49: mov (%eax,%edx,4),%eax

    There are three lines that I have put dashes by, and I was guessing that one of those is the CurrentConnection object...

    I just realized that those are other functions and not the actual pointers to the CurrentConnection object... Blah.

    I am just lost again...
    Last edited by enteleky; 12-06-2008 at 06:00 PM.
