Hi! My name is Devon and I’m an alcoholic.
Actually I have about 10 days off work and my choices of entertainment was drinking my life away or writing an guide for complete newbs on how to make a bot. So I decided to do both.
Moving on…
--Pre Introduction:--
I have spent a long time hopelessly searching the internet to learn everything I needed to know to make a bot. Well I failed miserably. But to my rescue came a kind person and helped me in my adventure to the stars (or at least the addresses of world of warcraft). He not only spent his time helping me by showing me stuff in the code I knew best but he also gave me great direction in where/what to search on the forums . Because of him I have this knowledge. Thank you ^_^
(I do not know if he wants to be named or not.)
--Introduction:--
Okay so many of you newbies (such as myself) are probably wondering “How the **** do I make a bot”. Well let me start out by saying, you need to know at least some sort of computer language, whether it be C++, C#, Java, or the shit language I use Autoit (yeah, yeah …Scripting blah, blah, blah… Its shitty blah, blah, blah…Learn a real language blah, blah, blah. All in due time). If you do not know a language then you will not understand this at all. So please go learn a language.
On top of needing to know a language, you need to have a function that can read memory addresses. Whether you make it yourself or not is up to you.
One last thing, I personally do not know everything as I have just started out. For example, I do not know very much about dlls, therefore I copy the memory function (from nomadmemory.au3) and a “getwowbase” function provided by my dear ol’ champ I spoke about in the Pre Introduction.
Also, I will be using Autoit seeing as it is the code I am currently most skilled in and it is a fairly simple language so it should be simple enough to translate into your preferred code, but I will explain what is happening when necessary.
So let’s get down to it.
--Analogy (sounds like a good time to me)/Terms:--
So …*Deep Breath*… We can compare how we get info from World of Warcraft to our real world. Just like in real life, where there are many objects and creatures, there are many objects and creatures in Wow. We call these (because programmers aren’t creative) “WowObjects”.
So we say to ourselves we want something from this world and we want to know a characteristic of this “something”. I would first need to know what kind of thing this something is. For example, is it a person or is it a table? Is it human or is it a dog or a cat? Similar concept applies to Wow. We call this an “ObjectType”. There are 7 types of objects in Wow, listed below:
Code:
1 - Items
2 - Contains
3 - NPC's
4 - Players
5 - GameObjects (Nodes etc)
6 - DynamicObjects (Spells and stuff)
7 - Corpses
From: http://www.mmowned.com/forums/world-...e-objects.html (Excellent guide. After you’re done, go check it out)
After we find out our type of world object (say for example a human) how would we know which human it is seeing as there are billions in the world. Well, as I’m sure you already know, this is the reason people have names. So this means if we know a person’s name we can find even more details about that person. Names in Wow memory are called “GUIDs” (Globally Unique Id) which is in sense a tag to identify an object.
After this we have “Descriptors” which Describe (man these programmers are so clever) a WowObject. They kind of act like adjectives in the real world. For example in the real world if you asked someone how they’re health was they would say “good” or “bad”. Well in the programming world we don’t use adjectives, we use numbers. So if we had a Descriptor offset for our health it would tell us “health = 100%” or “health = 0% (you dead!)”
So for good measure and a little over kill I bring you another example analogy.
WorldObject - Rick is describing an “object” that he says is a part of this world.
ObjectType - He says it’s a dog.
Guid - The dog’s name is Alfred
Descriptor – Alfred is happy
(I will go into further detail about these things later)
So now that you get the idea behind it let’s see how they actually work in programming.
--Memory:--
Now to be thorough, I’m going to explain a little bit about how memory works. Memory or RAM (Random Access Memory) or the little stick you shove into your motherboard to make your computer run, acts as a way to store information from running programs. Think of it as like little cubby holes that stores 1byte of information (generally an regular int is 4 bytes) that your program might need later.
Well, each little cubby hole has an address so that the program can find that information. This address is called a hexadecimal (or hex for short) and it looks something like this “ 0x000000”. This address uses 16 symbols for each digit (0-9 and A-F), so if we increment 0x000009 by 1 it would be 0x00000A.
Memory Cubby Hole picture:
ImageShack® - Online Photo and Video Hosting
Example math:
1. 0xF + 0xF = 0x1E
2. 0x5 * 0x5 = 0x19
3. 0xBEAD – 0x4321 = 0x7B8C
4. 0xBEAD + 0x4321 = 0x101CE
5. 0x10000 – 0x1 = 0xFFFF
--Offsets:--
Offsets in Wow memory reading are used to take an address, change it, and get a new address with (possibly) more information. For example, say I found my player at a dynamic address (the address changes each time the game loads) and I had a function called “GetPlayersAddress()” that returned the dynamic address to me. I could then use a static offset (always stays the same) to get an address that contains the value of, say, my health.
For Example, say my dynamic address (remember this changes) was 0x000001 and my offset was 0x5. My new address would be 0x000006.
Now the nice thing about this forum is they have a little area called the dump thread which we will be using since I will not be going into how to actually get these offsets for yourself by reverse engineering Wow. It’s a little too complicate for me at this time.
--GettingWowBase:—
Now for any bot reading the memory that Wow uses, you will need to know the base address. This is done (from what I’ve seen) by calling a function that uses a couple of dlls to check the memory for wow.exe. I do understand how this works, I just don’t know enough about dlls to be able to code it myself. ^_^
So my recommendation would be to search google for a function to get base address of wow in your language of choice.
This is the code in Autoit:
(created by IceFire32 (unless refuted XD))
Code:
Func GETWOWBASEADDRESS($PID)
$HSNAP = DllCall("Kernel32.dll", "HANDLE", "CreateToolhelp32Snapshot", "DWORD", 8, "DWORD", $PID)
$STMODULE = DllStructCreate("DWORD dwSize;DWORD th32ModuleID;DWORD th32ProcessID;" & "DWORD GlblcntUsage;DWORD ProccntUsage;ptr modBaseAddr;" & "DWORD modBaseSize;HANDLE hModule;WCHAR szModule[256];" & "WCHAR szExePath[260]")
DllStructSetData($STMODULE, "dwSize", DllStructGetSize($STMODULE))
$RET = DllCall("Kernel32.dll", "BOOLEAN", "Module32FirstW", "HANDLE", $HSNAP[0], "ptr", DllStructGetPtr($STMODULE))
IF ($RET[0] = False) Then
DllCall("Kernel32.dll", "BOOLEAN", "CloseHandle", "HANDLE", $HSNAP[0])
Return 0
Else
$RET[0] = True
Do
If DllStructGetData($STMODULE, "szModule") = "Wow.exe" Then
DllCall("Kernel32.dll", "BOOLEAN", "CloseHandle", "HANDLE", $HSNAP[0])
Return DllStructGetData($STMODULE, "modBaseAddr")
EndIf
$RET = DllCall("Kernel32.dll", "BOOLEAN", "Module32NextW", "HANDLE", $HSNAP[0], "ptr", DllStructGetPtr($STMODULE))
Until $RET[0] = False
EndIf
EndFunc ;==>GETWOWBASEADDRESS
--ObjectManager:—
This is where we get into the juicy stuff. With an object manager, it will search through the memory to find a player memory location. And using some offsets, we can find most things we want to know about our player or any other object for that matter.
So first thing we need to do is get a couple of addresses and offsets from the latest patch dump thread that the mmowned community was nice enough to share with us.
http://www.mmowned.com/forums/world-...mp-thread.html
Code:
; We make them Global so that every function can access them and Constant so they cannot be changed by the program
;The first 2 are you create you manager from the baseaddress wow
Global Const $ClientConnection = 0x8BF1A8
Global Const $CurMgrOffset = 0x462C
;The next one is to get the address of your first object ONLY
Global Const $FirstObjectOffset = 0xB4
;To cycle through the object you need this offset
Global Const $NextObjectOffset = 0x3C
Global Const $PlayerGUID = 0xB8
;This next one is to find the objects type : 1 to 7
Global Const $GameObjTypeOffset = 0x14
;And this one is to find the objects GUID
Global Const $GameObjGUIDOffset = 0x30
With these and the WowBase we can create our GetObject Function.
- We start by getting the Process ID (or PID) from Wow.
- And then getting the BaseAddress from wow.exe using the PID
(dots are there to show that there is code above it)
Code:
…
$PID = WinGetProcess("World of Warcraft")
Global $WowBase = GetWoWBaseAddress($PID)
Next we will get a handle from a function in nomadmemory.au3
(Which allows us to use the _MemoryRead function):
Code:
…
$hWow = _MemoryOpen($PID)
Now that that is done, we can start adding our offsets and addresses together to create our Object Function using the memoryread function provided by Nomad.
But first we need to add the offsets to our base and add an offset to that to get the manager. After that, to get the PlayerGUID (which we will need to find our LocalPlayer) we add the PlayerGUID offset to the current manager:
Code:
Global Const $ClientConnection = 0x8BF1A8
Global Const $CurMgrOffset = 0x462C
Global Const $FirstObjectOffset = 0xB4
Global Const $NextObjectOffset = 0x3C
;even though this says $playerGUID it is actually the offset to get the player GUID (offsetting the manager and not the object)
Global Const $PlayerGUID = 0xB8
Global Const $GameObjTypeOffset = 0x14
Global Const $GameObjGUIDOffset = 0x30
$PID = WinGetProcess("World of Warcraft")
Global $WowBase = GetWoWBaseAddress($PID)
$hWow = _MemoryOpen($PID)
; Starting Here
; Params for our memoryread func is: _MemoryRead(Address,Handle,Type)
$currMgr_pre = _MemoryRead("0x" & Hex($WowBase + $ClientConnection), $hWow , "dword")
$currMgr = _MemoryRead("0x" & Hex($currMgr_pre + $CurMgrOffset), $hWow , "dword")
$pGUID = _MemoryRead("0x" & Hex($currMgr + $PlayerGUID), $hWow , "UINT64")
; The reason we use hex is to because the _memoryread function needs that value to be in hex format.
; To be honest I don’t think we need to use it but I do it anyways XD
For the type param; these are the many different types in programming:’
(From Autoit help)
Code:
Type Details
none no value (only valid for return type - equivalent to void in C)
BYTE an unsigned 8 bit integer
BOOLEAN an unsigned 8 bit integer
short a 16 bit integer
USHORT an unsigned 16 bit integer
WORD an unsigned 16 bit integer
int a 32 bit integer
long a 32 bit integer
BOOL a 32 bit integer
UINT an unsigned 32 bit integer
ULONG an unsigned 32 bit integer
DWORD an unsigned 32 bit integer
INT64 a 64 bit integer
UINT64 an unsigned 64 bit integer
ptr a general pointer (void *)
HWND a window handle (pointer)
HANDLE an handle (pointer)
float a single precision floating point number
double a double precision floating point number
INT_PTR, LONG_PTR, LRESULT, LPARAM an integer big enough to hold a pointer when running on x86 or x64 versions of AutoIt.
UINT_PTR, ULONG_PTR, DWORD_PTR, WPARAM an unsigned integer big enough to hold a pointer when running on x86 or x64 versions of AutoIt.
str an ANSI string (a minimum of 65536 chars is allocated).
wstr a UNICODE wide character string (a minimum of 65536 chars is allocated).
* Add * to the end of another type to pass it by reference. For example "int*" passes a pointer to an "int" type.
Finally we can get to our Object Function. Now the Idea behind this is to start at our first address and check it to see if what is in that address = the GUID given. (in this example, the LocalPlayer’s GUID)
Thanks unnamed user that, after posting this, I’ll ask if it’s alright to mention him.
Code:
Func GetMemLocByGUID($guid)
;Read the first wow object by adding our current manager address and our first object offset together
$NextObject = _MemoryRead("0x" & Hex($currMgr + $FirstObjectOffset), $hWow , "dword")
;next get the object type buy adding our first object and our Objtype offset together and reading that
$ObjType = _MemoryRead("0x" & Hex($NextObject + $GameObjTypeOffset), $hWow , "dword")
;If the return of object type is less than or equal to 7 (which it should always be) and more than 0 in the case that we do have an object in the list than do a while loop.
while (($ObjType <= 7) And ($ObjType > 0))
;NOTE: if there is an object in the list, objType will have to be = 1 to 7
; If our object plus the GUIDoffset = the GUID we are looking for (example our localplayer GUID) …
IF (_MemoryRead("0x" & Hex($NextObject + $GameObjGUIDOffset), $hWow , "UINT64") = $guid) Then ; …then return our object
Return $NextObject ;found what we wanted.
EndIf
;if no return happens (stays in the function) then cycle through the objects using our next object offset on our next object (might also be called current object)
$NextObject = _MemoryRead("0x" & Hex($NextObject + $NextObjectOffset), $hWow , "dword")
;We will also need to see the type
$ObjType = _MemoryRead("0x" & Hex($NextObject + $GameObjTypeOffset), $hWow , "dword")
Wend
;if we find nothing Return 0 (address are probably wrong or you messed up code)
Return 0;
EndFunc
Excitingly enough, we can actually get the XYZ cords and rotation (in rad) of our player just from the return of this function and a few offsets. Back in the dump thread we can see that:
Code:
Under :
internal enum WowObject
X = 0x898,
Y = X + 0x4,
Z = X + 0x8,
RotationOffset = X + 0x10
(Posted by Arutha532)
So…
Code:
…
Global Const $UnitPosXOffset = 0x898
Global Const $UnitPosYOffset = 0x898 + 0x4
Global Const $UnitPosZOffset = 0x898 + 0x8
Global Const $UnitRotationOffset = 0x8A8
…
$pObjectMemLoc = GetMemLocByGUID($pGUID)
; if we add
$pXPos = _MemoryRead("0x" & Hex($pObjectMemLoc + $UnitPosXOffset), $hWow , "float")
$pYPos = _MemoryRead("0x" & Hex($pObjectMemLoc + $UnitPosYOffset), $hWow , "float")
$pZPos = _MemoryRead("0x" & Hex($pObjectMemLoc + $UnitPosZOffset), $hWow , "float")
$pRotation = _MemoryRead("0x" & Hex($pObjectMemLoc + $UnitRotationOffset), $hWow , "float")
…
But I’ll go further into details about the XYZ and Rotation later.
--Descriptors:—
Now it is time for our descriptors (as you could probably tell). Remember our descriptors explain to us our object. This would mean that, assuming we have the offsets, it could tell us the health of the object, mana, rage, energy, stats, who it’s targeting (if unit), if it’s being attacked and so much more (check out the dump.) So let us look at a few of the simpler ones such as health.
Let us, for now, get rid of the XYZR of our object and bring back to focus our Memloc function and its addresses.
Code:
Global Const $ClientConnection = 0x8BF1A8
Global Const $CurMgrOffset = 0x462C
Global Const $FirstObjectOffset = 0xB4
Global Const $NextObjectOffset = 0x3C
Global Const $PlayerGUID = 0xB8
$PID = WinGetProcess("World of Warcraft")
Global $WowBase = GetWoWBaseAddress($PID)
$hWow = _MemoryOpen($PID)
; Params for our memoryread func is: _MemoryRead(Address,Handle,Type)
$currMgr_pre = _MemoryRead("0x" & Hex($WowBase + $ClientConnection), $hWow , "dword")
$currMgr = _MemoryRead("0x" & Hex($currMgr_pre + $CurMgrOffset), $hWow , "dword")
$pGUID = _MemoryRead("0x" & Hex($currMgr + $PlayerGUID), $hWow , "UINT64")
$pObjectMemLoc = GetMemLocByGUID($pGUID)
…
Okay now that we have our code a little cleaned up, let’s look at the descriptor offset. The descriptor offset is essentially telling the memory that we want to look at its descriptors now, so adding the descriptor offsets to this address will return us an address (if I am correct) and then we will be able to add our offsets to that address.
This address right now is: 0x8
And the address for our health (from the dump thread)is :
So now we can add this to our code :
Code:
…
Global Const $PlayerHealthOffset = 0x68
Global Const $DescriptorOffset = 0x8
…
$pDescriptor = _MemoryRead("0x" & Hex($pObjectMemLoc + $DescriptorOffset), $hWow , "dword")
$pHealth = _MemoryRead("0x" & Hex($pDescriptor + $PlayerHealthOffset), $hWow ,"dword")
…
That should be enough for descriptors.
Now there is only one last thing I would like to show to all the little newbs that might be reading this.
And this is…..
--XYZR Manipulation:—
Back to this:
Code:
…
Global Const $UnitPosXOffset = 0x898
Global Const $UnitPosYOffset = 0x898 + 0x4
Global Const $UnitPosZOffset = 0x898 + 0x8
Global Const $UnitRotationOffset = 0x8A8
…
$pObjectMemLoc = GetMemLocByGUID($pGUID)
; if we add
$pXPos = _MemoryRead("0x" & Hex($pObjectMemLoc + $UnitPosXOffset), $hWow , "float")
$pYPos = _MemoryRead("0x" & Hex($pObjectMemLoc + $UnitPosYOffset), $hWow , "float")
$pZPos = _MemoryRead("0x" & Hex($pObjectMemLoc + $UnitPosZOffset), $hWow , "float")
$pRotation = _MemoryRead("0x" & Hex($pObjectMemLoc + $UnitRotationOffset), $hWow , "float")
…
This is mostly for people who do not know trigonometry. I’m not going to go into math because your programming language should have a function like this or at least the function to create this function.
This is of course, the ATan2 function. (of course…XD). In order to create this function we will at the very least need the ATan (Arc Tangent) function. But I do not feel like going into math so im going to keep it like this. If your language doesn’t have an ATan func (or ATan2) then go search up the math on google (for the ATan func) and then come meet me back here.
In Autoit, we have an ATan function not an ATan2 function. With this ATan2 function we will be able to calculate the angle from one point to the other. After that if we use our player rotation and compare it to the angle from ATan2 we will then be able to rotate our player and run to our target point.
This is done by doing:_ATan2($targetY - $pYPos, $targetX - $pXPos)
I present to you ATan2:
Code:
Func _ATAN2(Const $NY, Const $NX)
Const $NPI = 3.14159265358979 ;Pi
Local $NRESULT
If IsNumber($NY) = 0 Then ; Makes sure Y value is a number
SetError(1)
Return 0
ElseIf IsNumber($NX) = 0 Then ; Makes sure X value is a number
SetError(1)
Return 0
EndIf
If $NX = 0 Then ; we would only need to turn 180 degrees or ½ pi (rad)
If $NY > 0 Then
$NRESULT = $NPI / 2
ElseIf $NY < 0 Then
$NRESULT = 3 * $NPI / 2
Else ;if both x and y = 0 it would mean we were standing on our target spot
SetError(2)
Return 0
EndIf
ElseIf $NX < 0 Then
$NRESULT = ATan($NY / $NX) + $NPI
Else
$NRESULT = ATan($NY / $NX)
EndIf
While $NRESULT < 0 ;we don’t like negative angles
$NRESULT += 2 * $NPI
WEnd
Return $NRESULT
EndFunc ;==>_ATAN2
(From(because I was too lazy to make it myself): Atan2 Player Rotation - WoW Development 3.0.9)
After this you could the use a temp variable to store the difference between the player rotation and the angle returned and use it like so:
Code:
If $tempangle < $pi then
(Turn Left)
Else
(Turn right)
endif
The last little function I would like to share with you (it is very simple) is a function used to make sure your program is not comparing variables to closely. For example, the player x coord is a super long float so you would have to be too accurate to be dead on the target x position. This is a simple solution to that.
Code:
Func Around($sVal, $eVal, $bNum)
If $sVal - $eVal < $bNum And $sVal - $eVal > (-$bNum) Then
Return True
Else
Return False
EndIf
EndFunc ;==>Around
So when comparing Player x and y to Target x and y, you would go:
Code:
If Not Around($pXPos, $targetXY[0], 0.8) Or Not Around($pYPos, $targetXY[1], 0.8) Then
(blah blah bah)
endif
--Names (NEW!):—
Getting names from the World of Warcraft memory is relatively simple depending on what type of object you are trying to get it from. For example, getting the names from NPCs and object is pretty simple where as getting it from a player is complicated. In this portion i am not going to go into detail on how to get a players name but i will post code (to be honest i just copied and pasted code and changed things depending on what google and the forum said...porting from one language to another)
So lets start with NPCS.
First id like to say that the dump unitname is not a descriptor address. I have made this mistake =D. Also id like you to note that instead of 1 offset, there are 2. This is different from all the other offsets we have seen so far but it is not anymore complicated than what we have previously seen.
Now, you will start by adding your first offset (unitname1) to your objects memory location (returned by ur memloc function). Memory read this to get back an address (preferably store it in a variable maybe called $name1) and then add your 2nd offset to the memory address returned. This will also return an address. If you memory read that 1 more time (read it as a char) then you should get the name of that wow object (NPC)
Code:
;Declaring our Global Const variables
Global Const $UnitName1 = 0xA24
Global Const $UnitName2 = 0x60
Func _GetUnitName($fGUID)
; adding first name offset to memloc returned by memloc function
$Name1 = _Memoryread(_GetObjectMemLocByGUID($fGUID) + $UnitName1, $wow, "dword")
;We get an address from this
;Next we add our second offset to our returned address
$Name2 = _Memoryread($Name1 + $UnitName2, $wow, "dword")
;This again returns us an address
;Memory read that again and set the type as char [and an amount of characters]
Return _MemoryRead($Name2, $wow, "char[20]")
EndFunc ;==>_GetUnitName
;And you get the npcs name
For objects, it is pretty much the same code with different addresses.
Code:
Global Const $ObjName1 = 0x1CC
Global Const $ObjName2 = 0xB4
Func _GetObjectName($fGUID)
$Name1 = _Memoryread(_GetObjectMemLocByGUID($fGUID) + $ObjName1, $wow, "dword")
$Name2 = _Memoryread($Name1 + $ObjName2, $wow, "dword")
Return _MemoryRead($Name2, $wow, "char[20]")
EndFunc ;==>_GetObjectName
And lastly to get a players name, here is some copy-pasta:
Code:
;So you know what the hell the offsets are...
;BASE_STATIC_POINTER = 0x89ACC0 + 0x8;
; MASK_OFFSET = 0x024;
;BASE_OFFSET = 0x01c;
;STRING_OFFSET = 0x020
;...below
Func _GetPlayerName($fGUID = $pGUID)
$mask = _MemoryRead($WowBase + 0x89ACC0 + 0x8 + 0x024, $wow)
$base = _MemoryRead($WowBase + 0x89ACC0 + 0x8 + 0x01c, $wow)
$shortGUID = BitAND($fGUID, 0xffffffff)
if ($mask = 0xffffffff) Then
Return ""
EndIf
$offset = 12 * BitAND($mask, $shortGUID)
$current = _MemoryRead($base + $offset + 8, $wow)
$offset = _MemoryRead($base + $offset, $wow)
if (BitAND($current, 0x1) = 0x1) Then
Return ""
EndIf
$testGUID = _MemoryRead($current, $wow)
while ($testGUID <> $shortGUID)
$current = _MemoryRead($current + $offset + 4, $wow)
if (BitAND($current, 0x1) = 0x1) Then
Return ""
EndIf
$testGUID = _MemoryRead($current, $wow)
WEnd
Return _MemoryRead($current + 0x020, $wow, "char[20]")
EndFunc ;==>_GetPlayerName
--Conclusion:—
I hope this has helped at least a few people in their journey to making bots. This took me a few days to make (switching between watching awesome movies/ tv shows to working on this). If you actually took the time to read all this, you are amazing and should have a pretty good idea of whats going on … unless I suck at making guides.
Um… Remember to do some searching on your own and to play around with this stuff. Practice makes perfect and I’m sure we would all like some awesome bots to play this game for us because we are too damn lazy to do it ourselves. Thanks for reading and goodluck! ^_^
If there is anything wrong with any of the information, you have something to add or you need something better explained please let me know and I will correct.
And if I'm totally wrong, laugh and ridicule me until i cry myself to sleep because i could use a good nights rest.
One last thing!... The mystery man that helped me figure all this out is Megamike55. Thanks again man i really appreciate it! Purple just for you!