[C#][Source][Copy/Pasta] Getting started with out of process botting

[Apoc]

Understood.



People are crazy and insist on re-inventing the wheel. Re-invent to understand, re-invent because you will do a better job. Re-invent just because? That's (mostly) crazy talk.



And that I can understand too. When it screws up, it screws up royally! The simple cases, such as three floats, is usually pretty safe though.

Browsing your code did cause me to go back and re-examine the assumptions about my own object enumeration though. We do it almost the same way.

The main difference is that I don't pulse my objects. I keep a TimeSpan and enumerate again if the last time the object list was enumerated is greater than the desired TimeSpan, in this case 30 millseconds.

My Enumerate went from about 50 lines to the code below. I was over-complicating my tests in the dictionary for valid objects. Making sure the object type was valid, the memory address had not changed, etc.

Code:

        private void EnumerateVisibleObjects()
        {
            Dictionary<GameGUID, WowObject> newObjectCache = new Dictionary<GameGUID, WowObject>();
            ObjectMemoryAddresses objectMemory = new ObjectMemoryAddresses(m_gameClient);
            foreach (uint memoryAddress in objectMemory)
            {
                GameGUID clientGUID = GetGUID(memoryAddress);
                Descriptor.WoWObjectType clientObjectType = GetType(memoryAddress);
                WowObject obj = null;
                try
                {
                    obj = m_objectCache[clientGUID];
                    obj.BaseAddress = memoryAddress;
                }

                catch
                {
                    obj = GetGameObject(memoryAddress);
                }

                if (obj != null)
                {
                    newObjectCache.Add(clientGUID, obj);
                }


            }

            m_objectCache = newObjectCache;
            m_lastEnumerationTime = DateTime.Now;
        }

If you check the code in Pulsator.cs, I did pretty much the same thing. (I have a thread that 'sleeps' for 33ms, same idea really)

Ideally, you want to update your object list every frame. Since you're OOP, and can't really determine the actual framerate, you have to make certain assumptions (hence the 33ms sleep [or roughly 30FPS]) to accomplish the same thing.

[amadmonk]

I have a sort of compromise between the two. My in-process bot pulses the "real" object list every frame. My out-of-process group AI pulls the object list every 100ms.

Since the group AI doesn't need to be as rapidly reactive as the in-process bot, this is working fairly well.

[skiiippp]

I'm starting a new toy project and want to use your code, so first of all thanks for sharing! I intend to first make a simple monitoring app that shows some info about the player and mob he's targetting and take it from there.

However, when I run the WoWStarterTester program (after I've started WoW and logged in) no output is shown. I figured that may be because ObjectManager.ObjectList.ToArray() is called before the Pulsater can fetch the data from memory, and thus this list is empty. So I added a Thread.Sleep(1000) after the creation of the pulsator, and now something is happening...

Code:

System.AccessViolationException was unhandled
  Message="Attempted to read or write protected memory. This is often an indication that other memory is corrupt."
  Source="mscorlib"
  StackTrace:
       at System.Runtime.InteropServices.Marshal.ReadInt64(IntPtr ptr, Int32 ofs)
       at System.Runtime.InteropServices.Marshal.ReadIntPtr(IntPtr ptr)
       at WoWStarter.Memory.ReadInternal[T](IntPtr address) in C:\temp\WoWStarter\WoWStarter\WoWStarter\Memory.cs:line 18
       at WoWStarter.Memory.Read[T](IntPtr[] addresses) in C:\temp\WoWStarter\WoWStarter\WoWStarter\Memory.cs:line 107
       at WoWStarter.ObjectManager.ReadObjectList() in C:\temp\WoWStarter\WoWStarter\WoWStarter\ObjectManager.cs:line 71
       at WoWStarter.ObjectManager.Pulse() in C:\temp\WoWStarter\WoWStarter\WoWStarter\ObjectManager.cs:line 43
       at WoWStarter.Pulsator.Pulse() in C:\temp\WoWStarter\WoWStarter\WoWStarter\Pulsator.cs:line 55
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Threading.ThreadHelper.ThreadStart()
  InnerException:

It seems the reading of wow data from memory is failing somehow. Unfortunately my background as a programmer is mainly in Java, so I am not very familiar with the memory reading stuff (I'm here to learn though). Could anyone give me some clue, what's wrong?

[!@^^@!]

did you remeber to update the offsets?

[skiiippp]

Think I did update those xD
got the new codes from this awesome topic.

I replaced all stuff in Descriptors.cs and changed the ClientConnection to 0x00C93410.

[SinnerG]

Same issue here.

I changed it to this:

public static readonly IntPtr ClientConnection = new IntPtr(0x00C93410);
public static readonly IntPtr ObjectManager = new IntPtr(0x2E04);

It throws the error on:

ObjectManagerAddress = Memory.Read<IntPtr>(Addresses.ClientConnection, Addresses.ObjectManager);

skiiippp, what OS do you use?

edit: lol need to refresh more often ^^

[skiiippp]

I'm at windows7 64bit

[SinnerG]

Yeah, me too, maybe it is related to that :/ (the 64bit part)

[amadmonk]

WoW client is 32 bit. OS bit width doesn't matter. That ain't it

[skiiippp]

Thanks for looking into it mate, I was just about to fire up a winxp 32bit install. Do you have any other suggestions (fishy bits in the code, or perhaps a link to another code example) on what we should check? Because we are, somehow, not doing the "read stuff from wow process memory" right and all I have learned so far was from apoc's topics and code.


Edit: just made a test project and ran this really basic console application to check out those ReadIntPtr calls.
I try to mimic the function that failed us from the test project, "ObjectManagerAddress = Memory.Read<IntPtr>(Addresses.ClientConnection, Addresses.ObjectManager);", based on the Memory.read/readinternal functions from the sample project;

Code:

    class Program
    {
        public static readonly IntPtr ClientConnection = new IntPtr(0x00C93410); //old=0xC923C0 //new=0x00C93410
        public static readonly IntPtr ObjectManager = new IntPtr(0x2E04);

        static void Main(string[] args)
        {
            IntPtr p1 = Marshal.ReadIntPtr(ClientConnection);
            Console.WriteLine(p1); //always prints: 0

            IntPtr pTEMP = (IntPtr)(p1.ToInt64() + ObjectManager.ToInt64());
            Console.WriteLine(pTEMP);
            IntPtr p2 = Marshal.ReadIntPtr(pTEMP); //wtf?
            Console.WriteLine(p2);

            Console.ReadLine();
        }
    }

and it crashes on "IntPtr p2 = ..." from this snippet, just like it does in its equivalent in the sample project.

I'm still puzzled about the pointer magic that's taking place, or should be taking place, here. From what I can tell, we should first find the clientconnection pointer in memory and then we should get the pointer at that address plus some offset. Would anyone care to explain what (pointers) we are exactly adding here and why? That may give me some insight on what's going wrong.

[SinnerG]

Yeah, I tried couple of things but failing as well :/

I also tried the babbot (or how is it called?) and found a 'hole' for the lua callback. Everything hooks right, but it just doesn't do anything after that :P

[SinnerG]

I might have found the cause! Stand by while I test further

skiiipp: I can make your example work by adding:

[SecurityPermission(SecurityAction.Demand, ControlPrincipal = true)]

Yet trying to figure out how to make this work on wowstarter

If you find the solution, be so kind to share it, I will as well if I find it

edit: gaah now it won't work anymore pfff (I do get 2 non-0 results though)

edit 2 : Switching to other methods of reading memory. I can get 3 values BUT how can I confirm that I get something valid? :P

[amadmonk]

Well clearly the problem lies in:

Code:

            IntPtr p1 = Marshal.ReadIntPtr(ClientConnection);
            Console.WriteLine(p1); //always prints: 0

If you're offsetting one pointer from another, and the base is always 0, that's the error you should be troubleshooting.

Does the app behave differently if you RunAs Administrator? That would let you rule out security issues.

Also, almost all of the Marshal.ReadXXX functions have a Read(IntPtr base, int offset) version so that you don't have to do your own pointer math. Don't do pointer math, if you can avoid it

Edit: of course, I hope you've verified your offsets. If your offsets are wrong, this ain't gonna work, ever. I run in-process, so I never touch these offsets, but the info thread should allow you to verify them easily.

Edit2: wait. You're out of process? And you're using Marshal.ReadXXX? This will *never* work.

[SinnerG]

Yes, that I found out already :P

But then I ask this : can ANYONE run this app? (the one attached to the 1st post)

I'm using ReadProcessMemory now - is this valid for this kind of usage?

edit: Sure worked for IsInGame (byte '0' if not, byte '1' if so)

[amadmonk]

Yes, for out of process memory reading, you *must* use ReadProcessMemory and (optionally) WriteProcessMemory. If you use Marshal.ReadXXX/Marshal.WriteXXX all you're doing is reading/writing your OWN (not WoW's) process memory.