Fly/NoClip Hack + Water Disconnects

[weber7655]

I've searched around and tried to figure this out myself for quite some time, but haven't been successful. My fly/noclip hack is working perfectly when just flying around underground, but it disconnects me every time when I fly underneath water (only when under the world though). Since it works correctly when I'm swimming with the hacks on, but above the game world (in a place that players can typically go), I assume that I'm being disconnected because of some kind of server-side check.

From what I assume, the server sees that I'm swimming, but in an area that I shouldn't be able to be, and disconnects me as protection against swimfly hacks.

How can I avoid this?

[Sychotix]

Either that, or its because you have a change in playerstate which causes you to disconnect.

[weber7655]

There is no problem if I fly into water while in the gameworld where regular players can swim - only if I'm underneath the gameworld, below the ground am I disconnected.

I've been looking at the CMovement__OnStartSwim() function and may patch it to simply return without calling any of the functions - which, I assume, change the player state to swimming. I'm thinking that this will render my toon unable to swim and thus will just fly through water. I'm relatively new at reversing though, so what I just said may be completely retarded, I'm trying though .

Any ideas on a solution to this disconnect issue?

[jjaa]

Check the movement flags that are being sent to the server when you disconnect. They are most likely the issue.

[-Ryuk-]

Look at the swimming movement flag,

There is a JMP you can change, and then you can walk in water. This will stop your DC

[weber7655]

I've been looking through IDA around the movement flag areas, and also searched through every occurrence of 2000000h (The swimming movement flag) that is being pushed or moved, have tried several things such as nopping the mov/push functions on all swim movement flags, and nopped several functions around CMovement_OnStartSwim but nothing has worked. At least 15 hours of work has gone into this and it still doesn't work. I've spent a ton of time reading and attempting things, but I'm new and inexperienced at reversing. What part of WoW do you suggest I look at, or how should I go about doing this?

[jjaa]

0x2000000 is not the swimming flag. Its the air swimming flag (why WoW has it? i have nfi). Also the flags are rarely referenced individually like that. Use regular expressions to do a search.
Out of arcemu

Code:

// MovementFlags Contribution by Tenshi
enum MovementFlags
{
    // Byte 1 (Resets on Movement Key Press)
    MOVEFLAG_MOVE_STOP                  = 0x00,            //verified
    MOVEFLAG_MOVE_FORWARD                = 0x01,            //verified
    MOVEFLAG_MOVE_BACKWARD                = 0x02,            //verified
    MOVEFLAG_STRAFE_LEFT                = 0x04,            //verified
    MOVEFLAG_STRAFE_RIGHT                = 0x08,            //verified
    MOVEFLAG_TURN_LEFT                    = 0x10,            //verified
    MOVEFLAG_TURN_RIGHT                    = 0x20,            //verified
    MOVEFLAG_PITCH_DOWN                    = 0x40,            //Unconfirmed
    MOVEFLAG_PITCH_UP                    = 0x80,            //Unconfirmed

    // Byte 2 (Resets on Situation Change)
    MOVEFLAG_WALK                        = 0x100,        //verified
    MOVEFLAG_TAXI                        = 0x200,        
    MOVEFLAG_NO_COLLISION                = 0x400,
    MOVEFLAG_FLYING                        = 0x800,        //verified
    MOVEFLAG_JUMPING                    = 0x1000,        //Unconfirmed
    MOVEFLAG_FALLING                    = 0x2000,       //verified
    MOVEFLAG_FALLING_FAR                = 0x4000,        //verified
    MOVEFLAG_FREE_FALLING                = 0x8000,        //half verified

    // Byte 3 (Set by server. TB = Third Byte. Completely unconfirmed.)
    MOVEFLAG_TB_PENDING_STOP            = 0x10000,        // (MOVEFLAG_PENDING_STOP)
    MOVEFLAG_TB_PENDING_UNSTRAFE        = 0x20000,        // (MOVEFLAG_PENDING_UNSTRAFE)
    MOVEFLAG_TB_PENDING_FALL            = 0x40000,        // (MOVEFLAG_PENDING_FALL)
    MOVEFLAG_TB_PENDING_FORWARD            = 0x80000,        // (MOVEFLAG_PENDING_FORWARD)
    MOVEFLAG_TB_PENDING_BACKWARD        = 0x100000,        // (MOVEFLAG_PENDING_BACKWARD)
    MOVEFLAG_SWIMMING                      = 0x200000,        //  verified
    MOVEFLAG_FLYING_PITCH_UP            = 0x400000,        // (half confirmed)(MOVEFLAG_PENDING_STR_RGHT)
    MOVEFLAG_CAN_FLY                    = 0x800000,        // (half confirmed) gets called when landing (MOVEFLAG_MOVED)

    // Byte 4 (Script Based Flags. Never reset, only turned on or off.)
    MOVEFLAG_AIR_SUSPENSION                    = 0x1000000,    // confirmed allow body air suspension(good name? lol).
    MOVEFLAG_AIR_SWIMMING                = 0x2000000,    // confirmed while flying.
    MOVEFLAG_SPLINE_MOVER                = 0x4000000,    // Unconfirmed
    MOVEFLAG_IMMOBILIZED                = 0x8000000,
    MOVEFLAG_WATER_WALK                    = 0x10000000,
    MOVEFLAG_FEATHER_FALL                = 0x20000000,    // Does not negate fall damage.
    MOVEFLAG_LEVITATE                    = 0x40000000,
    MOVEFLAG_LOCAL                        = 0x80000000,    // This flag defaults to on. (Assumption)

    // Masks
    MOVEFLAG_MOVING_MASK                = 0x03,
    MOVEFLAG_STRAFING_MASK                = 0x0C,
    MOVEFLAG_TURNING_MASK                = 0x30,
    MOVEFLAG_FALLING_MASK                = 0x6000,
    MOVEFLAG_MOTION_MASK                = 0xE00F,        // Forwards, Backwards, Strafing, Falling
    MOVEFLAG_PENDING_MASK                = 0x7F0000,
    MOVEFLAG_PENDING_STRAFE_MASK        = 0x600000,
    MOVEFLAG_PENDING_MOVE_MASK            = 0x180000,
    MOVEFLAG_FULL_FALLING_MASK            = 0xE000,
};

[weber7655]

Ah, you're right that the swimming flag is actually 0x200000 - Apoc's Constant data sticky misled me on that one. I spent the majority of the day today again trying to disable the 0x200000 flag, but had no luck. I found a function that pushes 0x200000, then calls GetActive, ToggleControlBit, and then GetActive again. I had read that CInputControl_ToggleControlBit had something to do with movement flags, so attempted to NOP its calls such as SetControlBit and UnsetControlBit, only to learn that those handle user input rather than in-game movement flags - so it simply rendered me unable to move or interact with WoW. I've literally spent two days going through IDA for this and haven't yet figured it out - I even tried NOPing all references to 0x200000 which involve a push or mov with no luck (even though jjaa advised against it, I thought it was worth a shot). At this point I'm at a loss as to how I can disable the swimming movement flag.

To be sure that the method works, I set up a simple program that spamwrites the walking movement flag any time that it reads I'm in water - and it didn't disconnect me when I was entering/exiting water. So this will work once I can figure out how to disable the swimming movement flag. What function should I be looking at? (The only function names I have are those in the IDC file in the current infodump thread).

[namreeb]

Have you tried doing a conditional on-write breakpoint in the location of the movement flags which will trigger when the flag you're looking for is set?

[weber7655]

Have you tried doing a conditional on-write breakpoint in the location of the movement flags which will trigger when the flag you're looking for is set?

I'm not actually sure how to go about doing that, since the location of the movement flags varies based on BaseAddress (BaseAddress + (0x888 + 0x44)).

[namreeb]

Right so obviously each time you run WoW its in a different position. However, if you dump the address before moving over the water or whatever, insert the break point, then go ahead and move over the water.. that should work right?

[JuJuBoSc]

I did what namreed said and that lead me to this function : 0x001C70E0, you can simply disable swimming by modifying this function

[weber7655]

I've been looking at this function and trying to modify it correctly, but everything I've tried thus far (such as changing JMPs, nopping a few things, etc) has resulted in either a WoW crash or no effect on swimming, which part of the function should I be looking at?

[namreeb]

We're getting to the point of you should be able to figure this out yourself, but assuming that is the correct function you should modify it to skip the actual setting of the flag. Note that this may also stop other flags from being set so you may want to look at which function is calling it in the specific case of setting the flag you're trying to avoid and prevent this function from being called altogether.

[weber7655]

I've been setting a breakpoint while standing and following the control flow as it goes through the function in a standing state. I've then been trying to edit jumps (such as editing a JNZ to JMP, if while standing that JNZ was taken) to force the same control flow when my toon is in water. It's not working so far, but shouldn't it?