Hello & Need somewhere to start.

  1. #1
    bhpushnslide (Member)

    Hello & Need somewhere to start.

    Hey all,

    First of all.. Hello! :wave:

    Sorry to make a first post all about ME but I as of yet haven't got anything to contribute.

    Basically I am new to programming (well, apart from very simple VBA for work... but that's it).. Well, by new I mean I installed Microsoft Visual C# (Express edition) a week ago.

    In that week I've managed (through trial and error) to make myself a working fishing bot. But it doesn't read anything from memory. It basically works through screenshots and getting pixel colours. But to be fair to me.. A week with no real prior programming knowledge.. And it works pretty damn well... left it running all day and it missed about 30 fish. (it auto lures and other stuff too)

    Ok let's start with that... The way it's programmed is I can use it remotely (i.e. use UltraVNC or whatever) so there is no direct link between the program and WoW. But I have been using it directly. So my first real question is.. Can Warden detect Keys.Send() or the following API calls: Mouse_events or SetForegroundWindow sent to its window?

    Next thing was..... Really, the kind of person I am, I can't just sit and read through loads of articles and then sit at a workstation and code... I've noticed I really need to do a little bit, then test it, then do a little bit more, then test it etc etc.. I know this cos I'm new but with most things I do I really need to get stuck into it to understand what I'm doing.

    So what I've decided to do is try and write a basic radar system. That shows mobs, mine nodes etc etc etc. So really what I'm looking for is just a place to start.

    I've been reading the forum most of the day so I'm starting to get to grips with how things work in memory but until I really get to play about with some data I'm not going to fully understand.

    I have a million questions to ask.. But maybe I should save them for when I come up to really needing to know them...

    I'm sure a lot of people are going to say go learn to program some more.. But this is what I've chosen to teach me.. I needed something where I would feel like I achieved something.. I.e. like with the fishing bot. I felt like it was useful and therefore worth spending the time on and the learning was a bonus.

    arg.... So much text there... Sorry!

    Ok to shorten..... Where should I go as a noob to getting the information out of memory? (Also.. I know Warden picks up things like Cheat Engine.. But is that cos it's a known program or because it can tell when something is reading its memory? Just trying to keep accounts safe.. Not looking at editing any memory or doing any DLL injections.. Just looking to view the information)

    Thanks very much to anyone who can help with anything... I would love to contribute to this area as the people here seem really helpful. But to do that I need to know what I'm doing!

  2. #2
    jjaa (Contributor)

  3. #3
    RiseAndShine (Member)
    Warden could detect lots of stuff, but I think currently it just looks for blacklisted apps, so I wouldn't worry that much.

    The first thing you wanna do is read the ObjectManager. Go to Shynd's blog, Shynd's WoW Modification Journal, and read his entries. That should give you enough info to get you started. After that you can check this forum to do some other cool stuff, like reading mob/player names or implementing waypoints and some movement math.

  4. #4
    arigity (Banned)
    warden scans for blacklisted modules in wow, not running applications. CE is detected because of the dll it injects for various features.

  5. #5
    kynox (Member)
    Originally Posted by arigity View Post
    warden scans for blacklisted modules in wow, not running applications. CE is detected because of the dll it injects for various features.
    Additionally, it scans for modifications to specific regions of the .text/.rdata sections, one .data offset.
    Last edited by kynox; 02-25-2009 at 04:54 AM.

  6. #6
    bhpushnslide (Member)
    Hey, thanks for the replies! +Rep


    Originally Posted by kynox View Post
    Additionally, it scans for modifications to specific regions of the .text section, one .rdata offset.
    By modifications to .text, .rdata (which I have no idea what they are) do you mean editing the memory (speed hacks etc etc)? Not just "looking" at the data?

    Thanks again all, will have a few more questions I'm sure after I have read all the info I've been linked :-)

  7. #7
    Cypher (Kynox's Sister's Pimp)
    Originally Posted by kynox View Post
    Additionally, it scans for modifications to specific regions of the .text section, one .rdata offset.
    Obviously a typo but just to be clear. Warden scans the .text and .rdata sections for multiple offsets, and the .data for one offset.

    To the person above who didn't know what this is referring to, they're sections of PE files.

    .text = code
    .rdata = read-only data
    .data = data

    (Heavily over-simplified of course but a simple explanation will do for this)

    Examples of crap scanned in rdata is physics related stuff like gravity/velocity/angles/etc.

    EDIT: Sif ninja-edit you jew. Leave a message.
    Last edited by Cypher; 02-25-2009 at 04:56 AM.

  8. #8
    bhpushnslide (Member)
    Originally Posted by Cypher View Post
    Obviously a typo but just to be clear. Warden scans the .text and .rdata sections for multiple offsets, and the .data for one offset.

    To the person above who didn't know what this is referring to, they're sections of PE files.

    .text = code
    .rdata = read-only data
    .data = data

    (Heavily over-simplified of course but a simple explanation will do for this)

    Examples of crap scanned in rdata is physics related stuff like gravity/velocity/angles/etc.

    EDIT: Sif ninja-edit you jew. Leave a message.
    Ok just read up on all that.. Got a bit of a better understanding.. Just one thing that I'm still getting confused on and I appreciate that it makes me sound like a tard... BUT better to ask a stupid question than to make a stupid mistake.....

    Do you have to use any form of code injection for reading i.e. player location? Or is code injection for accessing / using built-in functions in the WoW client?

    What I mean is in my original post I stated that I wanted to start by building a simple radar type app. Does this need to inject any code or can it all be done by reading memory?

    Still a bit confused as to whether Warden can detect that you're reading WoW info from memory.. Does this

    Originally Posted by Cypher View Post
    "Warden scans the .text and .rdata sections for multiple offsets"
    mean that Warden is just looking for extra data injected into the WoW client.. So say an extra pointer pointing towards your injected code...

    Man, I sound like a dick.. But gotta learn!!!

  9. #9
    Cypher (Kynox's Sister's Pimp)
    No, you do not need code injection to read data from a process. That functionality is provided by the Windows API in the form of ReadProcessMemory.

    Code injection is useful when calling engine functions, hooking functions, etc. An example would be for 'advanced' functionality such as drawing an ingame UI for your bot/hack (which is a combination of calling and hooking functions -- though at the D3D layer, not at the engine layer).

    If your radar app renders in its own window there is no need to inject code. If you want to overlay your radar directly onto the game then you WILL need to inject code. It's obviously not necessary to do that but it's quite a nice touch (and warden won't ban you if all you're doing is hooking D3D and reading memory, Fraps for example hooks D3D, and reading memory from an injected dll is invisible to the target process).

    No, warden can't detect memory reading, it doesn't reside at a high enough level. To do that it would need to run from the kernel.

    As far as pointers to injected code, no. The .text segment holds all of WoW's compiled code, and the .rdata segment most of WoW's hardcoded constants that can't be inlined into the code.

    Code injection is not bannable under WoW if you resist the urge to call engine functions (which could technically be detectable, but the chances of that happening are relatively small), which for your radar project is quite reasonable.

    At any rate. Just because you have to learn doesn't mean we should spoonfeed you every step of the way.

    Before returning please do some research on the topics you're curious about.
    As far as injection goes, the book "Windows via C/C++" has an excellent chapter solely devoted to DLL injection.
    As for the layout of a PE file and what all the sections are for you'll probably find the best resources online, just do a google search.
    You'll also want to research ways for interacting with another process. Again, the book "Windows via C/C++" is excellent for that.

    Obviously the lack of knowledge stems from a much deeper lack of research overall, but if you want to pinpoint the specifics currently in your way those are the things you need to look at.

    Be forewarned though, I can guarantee you a lot of the content will confuse you unless you go back and start at the beginning.

  10. #10
    bhpushnslide (Member)
    Originally Posted by Cypher View Post
    No, you do not need code injection to read data from a process. That functionality is provided by the Windows API in the form of ReadProcessMemory.

    Code injection is useful when calling engine functions, hooking functions, etc. An example would be for 'advanced' functionality such as drawing an ingame UI for your bot/hack (which is a combination of calling and hooking functions -- though at the D3D layer, not at the engine layer).

    If your radar app renders in its own window there is no need to inject code. If you want to overlay your radar directly onto the game then you WILL need to inject code. It's obviously not necessary to do that but it's quite a nice touch (and warden won't ban you if all you're doing is hooking D3D and reading memory, Fraps for example hooks D3D, and reading memory from an injected dll is invisible to the target process).

    No, warden can't detect memory reading, it doesn't reside at a high enough level. To do that it would need to run from the kernel.

    As far as pointers to injected code, no. The .text segment holds all of WoW's compiled code, and the .rdata segment most of WoW's hardcoded constants that can't be inlined into the code.

    Code injection is not bannable under WoW if you resist the urge to call engine functions (which could technically be detectable, but the chances of that happening are relatively small), which for your radar project is quite reasonable.

    At any rate. Just because you have to learn doesn't mean we should spoonfeed you every step of the way.

    Before returning please do some research on the topics you're curious about.
    As far as injection goes, the book "Windows via C/C++" has an excellent chapter solely devoted to DLL injection.
    As for the layout of a PE file and what all the sections are for you'll probably find the best resources online, just do a google search.
    You'll also want to research ways for interacting with another process. Again, the book "Windows via C/C++" is excellent for that.

    Obviously the lack of knowledge stems from a much deeper lack of research overall, but if you want to pinpoint the specifics currently in your way those are the things you need to look at.

    Be forewarned though, I can guarantee you a lot of the content will confuse you unless you go back and start at the beginning.
    Thanks very much.. this answered a lot of questions.. Just for the record, the code injection side of things is what I'm trying to avoid until I've read and understood all the material I've collected on ASM, hooking, PE files and reverse engineering.

    I did have one last thing....

    If I was going to start from scratch, where should my first point of focus be? Bearing in mind I'm interested in the reading of memory for external applications and will move on to more advanced stuff like code injection later on.

    I guess really my first port of call should be learning how memory is stored... As TBH I don't even know how memory addresses are always the same each time you start a program.... << Would learning the basics of how ASM works help me with this?

    I think maybe a few weeks of research is needed before I come here asking for help again! I just got overly excited about the idea of it before I really looked into starting at the bottom and working my way up.


    Thanks for all the help everyone!

  11. #11
    Nesox (★ Elder ★)
    So if you wanna overwrite a value in the .rdata section you need to change the Access type or change the pointer in the function?
    ie. for 'jump velocity' 0x009a9a80 & 0x009a9a7c, instead of changing the value in the .rdata section you write the value u want to a codecave and then change the pointer in the function that would normally point to w/e it takes from the .rdata section?

  12. #12
    Robske (Contributor)
    Out of curiosity... Which values does Warden monitor? Both the pointer and the value in the .rdata section? (talking about the interesting constants here... velocities, angles...)

  13. #13
    kynox (Member)
    Originally Posted by Robske007a View Post
    Out of curiosity... Which values does Warden monitor? Both the pointer and the value in the .rdata section? (talking about the interesting constants here... velocities, angles...)
    Read my wiki page. The offsets are outdated, but the descriptions are still intact.

  14. #14
    divmaster (Member)
    Hi,

    I am also new here and interested in the stuff discussed here.

    I tried some things with Visual Studio yesterday and I can say that reading and writing to another process's memory is really easy... you can find everything you need in Microsoft's MSDN library.

    It took me about 5 hours to write a patch/hack, I don't know what to call it, but it reads the minesweeper process id. Binds on that, reads the game timer and then sets it to zero for unlimited time. Hmmm is it a cheat? :confused:

    But in conclusion I can say.... the guys above me are right. Read the books posted here and learn from scratch. When you have the knowledge, reading with IDA Pro in the wow.exe like you do in your diary, you can easily pick up some code for reading in the memory and do what you want. For example writing a radar system.....

    And when you have finished rendering your own radar ingame by using D3D functions... let me know.

  15. #15
    Cypher (Kynox's Sister's Pimp)
    Originally Posted by Nesox View Post
    So if you wanna overwrite a value in the .rdata section you need to change the Access type or change the pointer in the function?
    ie. for 'jump velocity' 0x009a9a80 & 0x009a9a7c, instead of changing the value in the .rdata section you write the value u want to a codecave and then change the pointer in the function that would normally point to w/e it takes from the .rdata section?
    Either way you're going to have to change the page protections. Both .text and .rdata are generally marked as readexecute/readonly. Even if they aren't they both should be so you should be making sure you have write access before attempting to write to them.
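
The PE sections and page protections discussed in posts #7 and #15, and the idea of scanning them for modifications from post #5, as an added illustration (not part of any post in this thread, and not Warden's actual implementation). This stdlib-only Python sketch parses a PE section table, reports each section's R/W/X flags, and hashes the non-writable sections so a later change is detected; the image is a constructed minimal header with made-up contents, and all function names are hypothetical.

```python
import hashlib
import struct

MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000

def build_sample_image():
    """Constructed minimal PE-style image (headers + 3 sections), not a real binary."""
    sections = [  # name, typical characteristics, constructed contents
        (b".text", 0x60000020, b"\x55\x8b\xec\xc3" * 4),
        (b".rdata", 0x40000040, struct.pack("<2f", 7.0, 9.8)),
        (b".data", 0xC0000040, b"\x00" * 16),
    ]
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = 0x40 + 4 + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for name, flags, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000,
                             len(data), raw_ptr + len(body), 0, 0, 0, 0, flags)
        body += data
    return dos + b"PE\x00\x00" + coff + table + body

def parse_sections(image):
    """Return {name: (raw_offset, raw_size, characteristics)} from the section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    out = {}
    for i in range(count):
        name, _, _, size, ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        out[name.rstrip(b"\x00").decode()] = (ptr, size, flags)
    return out

def protection(flags):
    """Render the IMAGE_SCN_MEM_* bits as an R/W/X string."""
    return "".join(c if flags & bit else "-" for c, bit in
                   (("R", MEM_READ), ("W", MEM_WRITE), ("X", MEM_EXECUTE)))

def baseline(image):
    """Hash every non-writable section; its bytes should never change."""
    return {name: hashlib.sha256(image[ptr:ptr + size]).hexdigest()
            for name, (ptr, size, flags) in parse_sections(image).items()
            if not flags & MEM_WRITE}

def modified_sections(image, known_good):
    """Names of baselined sections whose current hash differs."""
    current = baseline(image)
    return sorted(n for n, digest in known_good.items() if current.get(n) != digest)

if __name__ == "__main__":
    image = build_sample_image()
    for name, (_, _, flags) in parse_sections(image).items():
        print(name, protection(flags))
```

The writable .data section is left out of the baseline because its contents change during normal execution, so a whole-section hash there would always differ.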
