[Help] My concept of botting and reverse engineering menu

  1. #1 reliasn (Legendary)

    I'll go straight to the point.

    A couple of months ago I decided to learn more about memory editing, focused mainly on developing bots for WoW. After reading many tutorials, not only on Ownedcore but on other websites as well, I managed to develop my first WoW fishing bot in C++. The more I learned, the more complex stuff I wanted to develop. So I created a "Profile Maker" that just records a file with a bunch of coordinates (x, y, z). Then I made a function to run the "profile" by using CTM. Everything worked great and I even managed to get a 3-day ban using my own bot!

    As I've been developing more complex stuff, my interest in learning all these things is just growing. I've been really reluctant to ask anything here on the forums, mainly because I'm afraid of asking something that has been asked tons of times before, or even something that would be completely trivial for most of you guys. Anyway, in this post I would just like to share the concept of botting that I currently have and the problems that I'm facing. Probably this question was asked somewhere deep in the Ownedcore forums or on some other website, but, damn, all I've read so far wasn't clear enough for me to understand. So here we go...

    I was quite proud when I made my first WoW bot. Damn, putting all those offsets in there, reading and editing the memory, automating WoW, etc... Everything felt great (and still does, otherwise I wouldn't be making this post)! But then I reached a point where I started to ask myself "What's up with these offsets?", "What will I do if another patch is released and Ownedcore is taken down? Where will I get my offsets?" and, more importantly, "How do these people know that reading value X at address Y, then reading value W at address X+Z (where Z is an offset), will actually give me the famous ObjectManager that contains all the objects my character can interact with?". With these questions coming up, my concept of botting started to change. So, now, this is what I have in mind if you plan to start from scratch (real scratch):

    1 - First of all, you need to debug WoW. You need to learn how the executable works, where certain functions are called and what their structures are. In a few words, you need to "disassemble" WoW. IDA is indeed a powerful tool at this point and quite complex at the start for those not familiar with it, especially if you have no idea about assembly (I don't, by the way).
    2 - You need to know where the information you want is. These are the offsets. You need to discover which address will contain the variable you are looking for. This, from what I understood, is done with IDA, by looking at certain functions and seeing where variables are created or values returned from functions. But you could also write a simple program that scans the memory for something you want, in other words, do just what Cheat Engine does, which in my opinion is the best for this kind of scan. Many times when I didn't understand how to use the offsets posted in the dump thread, I just scanned for them in WoW and gg, there they were, for example, finding the Model ID of an object and its CreatedBy field.
    3 - Knowing how WoW works and having your offsets in your hands, it's time to code! This is the time when you choose your preferred language and apply all the algorithms needed.

    The problem here is that, when I decided to make my WoW bot, I started with number 3, the last part, which is what most people do nowadays on these forums. You just go to that dump thread, grab the offsets you need and voilà, go straight to coding. But behind that, you basically depended on other "smart guys" who put all those cute offsets there for you to use. So now we enter the part where I'm struggling to learn numbers 2 and 1.

    Finding offsets... You have this, this one and the post by this guy who said that in 15 minutes he got all 15 offsets he needed, while I'm here dying to learn how to find the ones I use. Well, here you have a list of the offsets I'm currently using:

    Code:
    #define CurMgrPointer  0x9BE7E0
    #define CurrMgrOffset  0x463C
    #define FirstObjectOffset  0xC0
    #define NextObjectOffset  0x3C
    #define localPlayerGUIDOffset  0xC8
    #define GameObjGUIDOffset  0x30
    #define GameObjTypeOffset  0x14
    #define DescriptorOffset  0x8   //not using
    #define UnitPosXOffset  0x790
    #define UnitPosYOffset  (UnitPosXOffset + 0x4)
    #define UnitPosZOffset  (UnitPosXOffset + 0x8)
    #define UnitRotationOffset  (UnitPosXOffset + 0x10)
    #define PlayerNameOffset 0x9BE820
    #define UnitName1 0x91C     //not using
    #define UnitName2 0x64      //not using
    #define ObjectName1 0x1CC    //not using
    #define ObjectName2 0xB4     //not using
    #define CGGameObject_Animation 0xD4
    #define OBJECT_END 0x8   //not using
    #define PlayerHealthOffset (OBJECT_END + 0x12)   //not using
    #define PHealthOffset 0x11CC //it's the PlayerHealthOffset but oh well... since I couldn't use the above
    #define ObjCreatedBy 0x358
    #define ObjDisplayID 0x360
    #define UNIT_FIELD_CREATEDBY (OBJECT_END + 0xA)    //not using
    #define UNIT_FIELD_MAXHEALTH_offset 0x11CC  //not using
    #define FishModelID 668
    #define CTM_Base 0x9D61B8
    #define CTM_Push 0x1C
    #define CTM_X 0x8C
    #define CTM_Y (CTM_X + 0x4)
    #define CTM_Z (CTM_X + 0x8)
    #define CurTarGUID 0xAD7448
    #define MouseOverGUID 0xAD7438

    So on my "journey" to find where these values are and how to get them, this is what I've accomplished so far.

    CurMgrPointer - In IDA, I take a look at the function ClntObjMgrInitializeStd, or, in case you don't use TOM_RUS's binaries and disassemble it yourself, I just search for the string "ObjectMgrClient.cpp" and try to find a function that contains the correct "structure", which I compare with previous versions. See the image below? DBE7E0. That's the address, but with IDA's "base". So, just subtract 0x400000 and voilà, 9BE7E0.

    [Attachment 7823: IDA screenshot]

    CurrMgrOffset - Look at the image above... found the 0x463C value?

    CurTarGUID and MouseOverGUID - I will be honest. I find these with Cheat Engine. I use /script UnitGUID on 2 NPCs and search for their GUIDs in memory. For example, I target one and search for its GUID. Then I target another, put the new value into Cheat Engine and search again.

    ObjCreatedBy and ObjDisplayID - I sadly didn't understand how to use the offsets in the dump thread that refer to these fields. So, to find them, I made a simple loop to scan the memory. In this fishing bot case, I found the bobber object, then searched the memory for a GUID similar to my player's GUID. When I found the GUID, that corresponded to the CreatedBy field address! Same thing for DisplayID: I just searched for the Model ID of the Fishing Bobber once I had found the Fishing Bobber object.

    All right, so these are a couple of "techniques" that I use to find what I want. But as you guys can see, the idea behind locating these offsets, especially in IDA, is not very clear to me. The offsets I described above are "fine", but my list is larger and for most of the offsets I use I just have no idea how I could find them, leaving me completely dependent on the offsets released by the Ownedcore experts, who indeed have a lot of experience with this. Therefore, for this "number 2", I'd appreciate it if anyone could help me out. And by help, I mean for example, "Sir, this offset, look at the function ClntDoSomeShit in IDA" or "Find the assembly code that contains XXX" or "Debug WoW with OllyDbg and put a breakpoint on XXX" and other stuff like that. Also, if you have other techniques to find these offsets besides the ones I mentioned, I'd appreciate it if you could share them with me. Other than that, this is what I'm looking forward to learning nowadays... And after this point is cleared, I will move on to "number 1"...

    In my opinion, debugging WoW and understanding how certain functions work, where they are called and what values are stored at each address is the hardest thing. IDA does something crazy by disassembling the entire WoW executable, which helps a lot. But this part is quite complex... I disassembled a simple program I made and couldn't understand most of the generated code. Fine, I saw where the loops were, where certain functions were being called, but damn, what a crazy way to view it. But well, what could you expect from reverse engineering? Anyway, the idea I have for this "number 1" is even less clear. You disassemble, fine, you see all the functions. Then what? Ah, ok, you have the Strings window with a bunch of functions from the WoW API. Hey, that helps! But... there is tons of other undocumented stuff that is not in the WoW API, and still, these crazy dudes here in the Ownedcore community manage to debug and discover it. So anyway, if I asked for any help at this part it would be the same as asking "Hey, how do I make a bot?", which you guys love, so I prefer to just shut up and try it by myself, experimenting with reverse engineering on other, simpler stuff. But again, if you guys have any tips that could ease my learning, I'd appreciate it! Also, if you could just answer me how someone discovered that WoW stores a list of all the objects that your character can interact with, I'd be more than happy.

    Anyway guys, I apologize for the long post, and if a "learning post" like this is not allowed on these forums, or if I should just shut up and keep on googling what I need, please just report this post to make sure a mod deletes it. And well, I'm pretty sure most of you learned a bunch of the things I posted by yourselves and that "sharing for free" your knowledge is against your principles (which I kind of agree with), but if any of you are able to give me a hand on any of the topics I cited, I'd be more than thankful. Actually, if you are reading this post up to this point, thank you a lot for your time and patience.

    And finally, I would like to reiterate that all of these things I'm asking about are for learning purposes only. And to "merge" all the knowledge I've gathered so far, I'm currently making a "WoW Toolbox" that will contain some cool stuff. So far:
    1 - Fishing bot
    2 - Record and run a profile - The character runs along the coordinates with Click To Move, kills and loots mobs. Also works for finding rare mobs
    3 - A "click spammer" - I basically play with 200ms+ latency and that affects my performance, in Rated Battlegrounds especially. As a Protection Warrior, if I lag at any point, a druid can easily cap a flag from me. However, if I'm able to reduce my "reaction time" to like 100 clicks per second, then my chances of being affected by latency will be reduced. It is also great for doing certain flag swaps. I just press F3 and it starts spamming. Press F4, it stops spamming.

    But for now, since I still need to test some stuff, I haven't released this "toolbox" yet for the community. But it is almost ready =)

    Once again, thank you if you read up to this point!

    Regards

    PS: I'm really afraid of posting this long thing...
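    As an added illustration (this is not code from the original post, and nothing here touches a live process): the chain that the offset list above encodes, CurMgrPointer -> CurrMgrOffset -> FirstObjectOffset -> NextObjectOffset, walked over a constructed byte buffer that stands in for one mapped region of a 32-bit process. The region layout, the GUID values and the null next pointer that ends the list are assumptions for the demo; the offsets and the 0x400000 load base are the post's own. The point it adds to the post is what has to wrap every dereference: a bounds check and a hop limit, so that a stale offset after a patch produces an empty result instead of a read of unrelated memory or a crash.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Offsets copied from the post's list; used here only to show how an offset
// chain is consumed. Nothing in this file reads a real process.
constexpr uint32_t kImageBase         = 0x400000;  // load base the post assumes ("subtract 0x400000")
constexpr uint32_t kCurMgrPointer     = 0x9BE7E0;  // RVA of the pointer to the current manager
constexpr uint32_t kCurrMgrOffset     = 0x463C;    // manager -> object manager
constexpr uint32_t kFirstObjectOffset = 0xC0;      // object manager -> first object
constexpr uint32_t kNextObjectOffset  = 0x3C;      // object -> next object in the list
constexpr uint32_t kGameObjGUIDOffset = 0x30;      // object -> 64-bit GUID

// Constructed stand-in for one mapped region of a 32-bit process: a flat byte
// buffer where virtual address = base + index. Every read is bounds-checked,
// because a stale offset after a patch must yield "no value", not garbage.
struct FakeRegion {
    uint32_t base = 0;
    std::vector<uint8_t> bytes;

    bool contains(uint32_t va, size_t len) const {
        return va >= base && (va - base) + len <= bytes.size();
    }
    bool read32(uint32_t va, uint32_t& out) const {
        if (!contains(va, 4)) return false;
        std::memcpy(&out, &bytes[va - base], 4);
        return true;
    }
    bool read64(uint32_t va, uint64_t& out) const {
        if (!contains(va, 8)) return false;
        std::memcpy(&out, &bytes[va - base], 8);
        return true;
    }
    void write32(uint32_t va, uint32_t v) { if (contains(va, 4)) std::memcpy(&bytes[va - base], &v, 4); }
    void write64(uint32_t va, uint64_t v) { if (contains(va, 8)) std::memcpy(&bytes[va - base], &v, 8); }
};

// Walk the chain and collect each object's GUID. A null next pointer ends the
// list (an assumption for this constructed image); an out-of-region read or an
// excessive hop count (a cycle, or a wrong offset landing in a non-list) stops
// the walk. curMgrRva / mgrOffset are parameters so a "patched" layout can be
// simulated by passing different values.
std::vector<uint64_t> walkObjectGuids(const FakeRegion& mem,
                                      uint32_t curMgrRva = kCurMgrPointer,
                                      uint32_t mgrOffset = kCurrMgrOffset) {
    std::vector<uint64_t> guids;
    uint32_t curMgr = 0, objMgr = 0, obj = 0;
    if (!mem.read32(kImageBase + curMgrRva, curMgr) || curMgr == 0) return guids;
    if (!mem.read32(curMgr + mgrOffset, objMgr) || objMgr == 0) return guids;
    if (!mem.read32(objMgr + kFirstObjectOffset, obj)) return guids;
    for (int hops = 0; obj != 0 && hops < 4096; ++hops) {
        uint64_t guid = 0;
        if (!mem.read64(obj + kGameObjGUIDOffset, guid)) break;  // header not mapped: stop
        guids.push_back(guid);
        if (!mem.read32(obj + kNextObjectOffset, obj)) break;
    }
    return guids;
}

// Build a small region laid out the way the offsets expect, with three objects.
// All addresses and GUIDs below are constructed for the demo.
FakeRegion buildSampleRegion() {
    FakeRegion r;
    r.base = 0xDBE000;                    // covers kImageBase + kCurMgrPointer = 0xDBE7E0
    r.bytes.assign(0x8000, 0);
    const uint32_t mgr = 0xDC0000, objMgr = 0xDC1000;
    const uint32_t objs[3] = {0xDC5000, 0xDC5400, 0xDC5800};
    const uint64_t guids[3] = {0xF130000000000011ULL, 0xF130000000000022ULL, 0xF130000000000033ULL};
    r.write32(kImageBase + kCurMgrPointer, mgr);
    r.write32(mgr + kCurrMgrOffset, objMgr);
    r.write32(objMgr + kFirstObjectOffset, objs[0]);
    for (int i = 0; i < 3; ++i) {
        r.write64(objs[i] + kGameObjGUIDOffset, guids[i]);
        r.write32(objs[i] + kNextObjectOffset, i < 2 ? objs[i + 1] : 0);  // last -> null
    }
    return r;
}

int main() {
    FakeRegion region = buildSampleRegion();
    for (uint64_t g : walkObjectGuids(region)) std::printf("object GUID 0x%016llX\n", (unsigned long long)g);
    // Simulate a patch that moved the manager offset: no crash, just no objects.
    std::printf("after 'patch': %zu objects\n", walkObjectGuids(region, kCurMgrPointer, 0x4640).size());
    return 0;
}
```

    The same shape (bounds check, null/sentinel test, hop limit) is what keeps a reader like this from faulting when an offset list is one patch out of date, which is the failure the post is worried about.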

  2. #2 Jens (Contributor)
    I quite enjoyed reading this post.

    As for how I usually do stuff: I just start somewhere simple. Finding your character's health, energy and such is trivial; once you find those, it is very useful to fire up a debugger and see where things go from there. Just stare at the surrounding memory regions and see what kind of structure they have. For WoW, finding the character structure also allows you to see where and in which context it is used, thereby discovering all the other constructs (objects); one thing really leads to another.

    The number 1 thing though: learn assembly
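    An added example, not from either post above: the first-scan / next-scan narrowing that the original post describes for CurTarGUID (target NPC A, scan for its GUID; target NPC B, rescan the candidates for B's GUID), which is also the "find something simple first" step Jens recommends. It runs over two constructed snapshots of one region rather than a process; the slot addresses reuse the post's CurTarGUID and MouseOverGUID values, while the GUIDs, the stale copy and the region size are made up for the demo. It shows why the first scan alone is not enough: several slots hold the same value, and only the slot that follows the second change survives.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed snapshot of one process region (virtual address = base + index).
// Two snapshots of the same region stand in for "before" and "after" retargeting.
struct Snapshot {
    uint32_t base = 0;
    std::vector<uint8_t> bytes;
    bool has(uint32_t va, size_t len) const { return va >= base && (va - base) + len <= bytes.size(); }
    void put64(uint32_t va, uint64_t v) { if (has(va, 8)) std::memcpy(&bytes[va - base], &v, 8); }
    uint64_t get64(uint32_t va) const {
        uint64_t v = 0;
        if (has(va, 8)) std::memcpy(&v, &bytes[va - base], 8);
        return v;
    }
};

// First scan: every 4-byte-aligned slot whose 8 bytes equal `value`.
std::vector<uint32_t> scanFirst(const Snapshot& s, uint64_t value) {
    std::vector<uint32_t> hits;
    for (size_t i = 0; i + 8 <= s.bytes.size(); i += 4) {
        uint64_t v;
        std::memcpy(&v, &s.bytes[i], 8);
        if (v == value) hits.push_back(s.base + static_cast<uint32_t>(i));
    }
    return hits;
}

// Next scan: keep only the previous candidates that now hold `value`.
std::vector<uint32_t> scanNext(const Snapshot& s, const std::vector<uint32_t>& cands, uint64_t value) {
    std::vector<uint32_t> kept;
    for (uint32_t va : cands)
        if (s.has(va, 8) && s.get64(va) == value) kept.push_back(va);
    return kept;
}

// Constructed layout: the target slot and mouse-over slot use the post's
// CurTarGUID / MouseOverGUID addresses; the stale copy and GUIDs are invented.
constexpr uint32_t kRegionBase    = 0xAD7000;
constexpr uint32_t kTargetSlot    = 0xAD7448;
constexpr uint32_t kMouseOverSlot = 0xAD7438;
constexpr uint32_t kStaleCopy     = 0xAD7100;   // e.g. a cached copy from an earlier frame
constexpr uint64_t kGuidNpcA = 0xF13000050000AAAAULL;
constexpr uint64_t kGuidNpcB = 0xF13000050000BBBBULL;

Snapshot snapshotTargetingA() {
    Snapshot s;
    s.base = kRegionBase;
    s.bytes.assign(0x1000, 0);
    s.put64(kTargetSlot, kGuidNpcA);
    s.put64(kMouseOverSlot, kGuidNpcA);  // cursor still hovering NPC A
    s.put64(kStaleCopy, kGuidNpcA);
    return s;
}

Snapshot snapshotTargetingB() {
    Snapshot s = snapshotTargetingA();
    s.put64(kTargetSlot, kGuidNpcB);     // only the real target slot follows the new target
    return s;
}

struct ScanResult {
    size_t firstHits;                    // candidates after the first scan
    std::vector<uint32_t> survivors;     // candidates left after the rescan
};

// The procedure from the post: scan for A's GUID, retarget, rescan for B's GUID.
ScanResult narrowTargetSlot() {
    Snapshot a = snapshotTargetingA();
    std::vector<uint32_t> cands = scanFirst(a, kGuidNpcA);
    Snapshot b = snapshotTargetingB();
    std::vector<uint32_t> left = scanNext(b, cands, kGuidNpcB);
    return {cands.size(), left};
}
```

    With more decoys (a nameplate cache, a chat-log entry, a copy inside another object's descriptors) the candidate count after the first scan grows, but each retarget halves the survivors at worst and usually leaves one; that is the same iterative narrowing Cheat Engine does, stated in about thirty lines.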

  3. #3 Frosttall (Active Member)
    Originally Posted by Jens:
        The number 1 thing though: learn assembly
    Well, the basics of ASM are learned pretty fast, but to reverse whole functions I recommend Hex-Rays (even if it messes some offsets up :P). You should have a look at that plug-in for IDA.

    P.S. A really helpful tutorial was http://www.ownedcore.com/forums/worl...ple-stuff.html ([Tutorial] How to find simple stuff)

  4. #4 Bananenbrot (Contributor)
    What you describe with finding your object manager offset is exactly what is needed in this section. But ffs, use static const DWORD/DWORD_PTR/uint_ptr_t/w/e instead of macros.
    If, for example, you would compile code like Memory.Read<DWORD>(CurMgrPointer);
    with your definitions like above, you get a compilation error because of your comment. Now I know, you most probably added them for us, but you would look for that error a long time if you decided to add that comment in your #define.
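    An added example to go with the macro-versus-constant point above (my code, not Bananenbrot's or reliasn's): the post's UnitPosXOffset / UnitPosYOffset values written once as an unparenthesised expression macro and once as the typed static const the reply recommends, plus a minimal Read<T> in the shape of the reply's Memory.Read<DWORD>(address) over a constructed buffer. The macro names, the Memory struct and the planted coordinate are assumptions for the demo. What it adds is the concrete hazard of an expression macro: it is substituted as text, so any operator that binds tighter than '+' silently changes the value, while the typed constant behaves like a number.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Expression macro in the style of the post's list (hypothetical names, the
// post's UnitPosXOffset / UnitPosYOffset values), left unparenthesised on purpose.
#define POSX_OFFSET_MACRO  0x790
#define POSY_OFFSET_MACRO  POSX_OFFSET_MACRO + 0x4

// The typed-constant form the reply recommends (DWORD written as uint32_t).
static const uint32_t kPosXOffset = 0x790;
static const uint32_t kPosYOffset = kPosXOffset + 0x4;

// Both forms agree as long as the offset is only ever added to a base...
uint32_t posYAddrMacro(uint32_t objBase) { return objBase + POSY_OFFSET_MACRO; }
uint32_t posYAddrConst(uint32_t objBase) { return objBase + kPosYOffset; }

// ...but the macro is substituted as text, so n * POSY_OFFSET_MACRO becomes
// n * 0x790 + 0x4 rather than n * 0x794. Stride computations over an array of
// such structs are exactly where this bites.
uint32_t scaledMacro(uint32_t n) { return n * POSY_OFFSET_MACRO; }
uint32_t scaledConst(uint32_t n) { return n * kPosYOffset; }

// A typed reader in the shape of the reply's Memory.Read<DWORD>(address), over a
// constructed buffer instead of a process. The address is a uint32_t the
// compiler can type-check; with a macro it is whatever text happens to expand.
struct Memory {
    uint32_t base = 0;
    std::vector<uint8_t> bytes;
    template <typename T> bool Read(uint32_t va, T& out) const {
        if (va < base || (va - base) + sizeof(T) > bytes.size()) return false;
        std::memcpy(&out, &bytes[va - base], sizeof(T));
        return true;
    }
};

// Plant a constructed Y coordinate at objBase + kPosYOffset and read it back
// through the typed constant; returns -1.0f if the read is out of bounds.
float readPlantedPosY(uint32_t objBase) {
    Memory mem;
    mem.base = objBase;
    mem.bytes.assign(0x800, 0);
    const float planted = 1234.5f;                 // constructed value
    std::memcpy(&mem.bytes[kPosYOffset], &planted, sizeof planted);
    float y = 0.0f;
    return mem.Read<float>(posYAddrConst(objBase), y) ? y : -1.0f;
}
```

    Parenthesising the macro body fixes the precedence case, but the typed constant also gets a type, a scope and a symbol the debugger can see, which is why the reply prefers it.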
