3.3.5a offset patterns

[nerdtopia]

New problem.

[11:37:30 AM] ReadUInt failed. - From: BlackMagic.

I have done research on this error and it seems that it's caused by not adding the base address. I'm pretty darn sure I am adding the base address.

Code:

static void Main(string[] args)
        {
            int pid = SProcess.GetProcessFromWindowTitle("World of Warcraft");
            BlackMagic wow = new BlackMagic();
            Console.WriteLine(wow.OpenProcessAndThread(pid));

            uint WowBaseAddress = (uint)wow.MainModule.BaseAddress;
            uint CurrentManager = wow.ReadUInt(wow.ReadUInt(WowBaseAddress + 0x00C79CE0) + 0x2ED0);
        }

[DarkLinux]

I dont think you understand at all...

http://www.ownedcore.com/forums/worl...5-offsets.html

+

http://www.ownedcore.com/forums/worl...ase-ptr-2.html

+

IDA

+

http://www.ownedcore.com/forums/worl...-patterns.html

= Profit?



And a example...
http://www.ownedcore.com/forums/worl...earch-ida.html

Srry no handouts, must do it all your self... You will have more luck in the emu part of the forums I think...

[nerdtopia]

I've already tried taking two old WoW binaries and comparing them for patterns.

As it turns out, BlackMagic isn't working properly because the call to ReadProcessMemory is failing. I originally thought that it was failing because I gave bad offsets but I've figured out this is not the case. I'm a Java guru, I don't know to much about C# so any assistance will be greatly appreciated.

Invocation:

Code:

if (!Imports.ReadProcessMemory(hProcess, dwAddress, lpBuffer, nSize, out lpBytesRead))
	throw new Exception("ReadProcessMemory failed");

Declaration:

Code:

[DllImport("kernel32", EntryPoint = "ReadProcessMemory")]
public static extern bool ReadProcessMemory(
	IntPtr hProcess,
	uint dwAddress,
	IntPtr lpBuffer,
	int nSize,
	out int lpBytesRead);

Stack trace:

Code:

Unhandled Exception: System.Exception: ReadProcessMemory failed
   at Magic.SMemory.ReadBytes(IntPtr hProcess, UInt32 dwAddress, Int32 nSize) in c:\Users\Admin\Desktop\BlackMagic\Source\BlackMagic\Static Classes\SMemory.cs:line 78
   at Magic.SMemory.ReadUInt(IntPtr hProcess, UInt32 dwAddress, Boolean bReverse) in c:\Users\Admin\Desktop\BlackMagic\Source\BlackMagic\Static Classes\SMemory.cs:line 226
   at Magic.BlackMagic.ReadUInt(UInt32 dwAddress, Boolean bReverse) in c:\Users\Admin\Desktop\BlackMagic\Source\BlackMagic\BMMemory.cs:line 309
   at Magic.BlackMagic.ReadUInt(UInt32 dwAddress) in c:\Users\Admin\Desktop\BlackMagic\Source\BlackMagic\BMMemory.cs:line 293

Exact same problem as this person ((Tutorial) Starting WoW-Memory Reading/Writing). Except mine hasn't randomly gone away yet.

[Frosttall]

It makes no sense to create patterns for 3.3.5a since the client will never chang

Patterns are used to find things again if the binary changes, but 3.3.5a stays always the same and you only have to reverse the functions - nothing else!

I'll leave you alone with http://www.ownedcore.com/forums/worl...ple-stuff.html ([Tutorial] How to find simple stuff)

[Empted]

@nerdtopia, wow, seems like your problems are not in the function but in parameters that you pass to it. You can't just read any memory address you like, set breakpoint and see what's wrong. Also DarkLinux gave you already just anything you need. Those threads contain even code snippets that work for sure.

[nerdtopia]

I've set breakpoints. That's how I determined that ReadProcessMemory isn't working for whatever reason. I've read up on "ReadUInt failed" but it appears it's because the base address wasn't factored in. Here is the code:

Code:

static void Main(string[] args)
        {
            int pid = SProcess.GetProcessFromWindowTitle("World of Warcraft");
            BlackMagic wow = new BlackMagic();
            Console.WriteLine(wow.OpenProcessAndThread(pid)); //prints True

            uint WowBaseAddress = (uint)wow.MainModule.BaseAddress; //Could this be wrong? It's the way BlackRain gets the base address...
            uint CurrentManager = wow.ReadUInt(wow.ReadUInt(WowBaseAddress + 0x00C79CE0) + 0x2ED0); //Offsets found here: http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/300463-wow-3-3-5-12340-info-dump-thread.html#post1917706
        }

I got the offsets here: http://www.ownedcore.com/forums/worl...ml#post1917706 ([WoW][3.3.5.12340] Info Dump Thread)

Code:

public enum ObjectManager
{
                CurMgrPointer = 0x00C79CE0,                 // 3.3.5a 12340
                CurMgrOffset = 0x2ED0,                      // 3.3.5a 12340
                NextObject = 0x3C,                          // 3.3.5a 12340
                FirstObject = 0xAC,                         // 3.3.5a 12340
                LocalGUID = 0xC0                            // 3.3.5a 12340
}

[TOM_RUS]

Check last win32 error code (+SetLastError), it will tell you why ReadProcessMemory fails.

[nerdtopia]

Check last win32 error code (+SetLastError), it will tell you why ReadProcessMemory fails.

[Empted]

As almighty Google says you have to run you app (or visual studio) as admin!
P.S. never understood why they say "UNIX is cool for it's safety", while crying "disable UAC, it sucks".

[Bananenbrot]

FYI: Using Win32Exception Class (System.ComponentModel) would be the way to go.

[DarkLinux]

Just use C++ like a real man or woman... XD But really... code something your self even if its in C#... Try not to use libs at the start, it helps to know what is going on in the background.. thats why I like C++

[nerdtopia]

As almighty Google says you have to run you app (or visual studio) as admin!
P.S. never understood why they say "UNIX is cool for it's safety", while crying "disable UAC, it sucks".

I ran Visual Studio AND WoW as admin. -_-

Just use C++ like a real man or woman... XD But really... code something your self even if its in C#... Try not to use libs at the start, it helps to know what is going on in the background.. thats why I like C++

I know how memory works. I'm an experienced Java programmer. I know the CS, I just don't know C# syntax and API. I plan to use JNI and use Java for the logic of the bot anyways. :P

[Bananenbrot]

Since C# is mostly a superset of Java nowadays, I would stick to C# if platform independency isn't an issue (in which case you could even use Mono). And come on, if you are an experienced developer then why are you scared off by C#s syntax? Regarding your errors it's mostly a matter of doing interop with win32 correctly, which has nothing to do with C# as a language. Don't expect JNI to be any better than PInvoke by some magic jvm-coffee-bean trick.
Also, you are using the offsets the wrong way. If you ever find offsets in the info dump, they are most probably relative to 0x400000, which means you have to subtract that value when adding it to the baseaddress (simple math). Now of course that may seem like a pitfall for noobs, but then again this is an error in every third thread. Look into ASLR if you haven't already.

[Empted]

I know how memory works. I'm an experienced Java programmer. I know the CS, I just don't know C# syntax and API. I plan to use JNI and use Java for the logic of the bot anyways. :P

No offense, but an experienced programmer should know all the thing you've been told here.

[nerdtopia]

And come on, if you are an experienced developer then why are you scared off by C#s syntax?

I'm not scared off by C# syntax. It's actually very similar to Java. Yes, it has it's differences which I will learn. I don't know the API though, that's the biggest problem. For example: you mentioned

Win32Exception Class (System.ComponentModel)

I did not know about that. Does that mean I don't know how to program? That's like saying you don't know how to program because you don't know that the class you obtained an instance of a java.lang.reflect.Method object can be used as the first parameter of this method after calling newInstance. java.lang.reflect.Methodl#invoke(java.lang.Object, java.lang.Object...)

For example:

Code:

final Class<?> c = classLoader.loadClass(min.owner);
final Object o = c.newInstance();
System.out.println("\t" + c.getDeclaredMethod(min.name, String.class).invoke(o, ldc.cst));

Also, you are using the offsets the wrong way. If you ever find offsets in the info dump, they are most probably relative to 0x400000, which means you have to subtract that value when adding it to the baseaddress (simple math). Now of course that may seem like a pitfall for noobs, but then again this is an error in every third thread. Look into ASLR if you haven't already.

So I should either disable ASLR and rebase the pointers found in the info dump threads to 0x0 or subtract 0x400000 from the pointers (CurMgrPointer)? How is a newcomer even supposed to know the tradition behind the info dump threads? I didn't know that they were all rebased to 0x400000.

No offense, but an experienced programmer should know all the thing you've been told here.

Are you saying that you're not an experienced programmer because you didn't know what I said above to Bananenbrot?? Let's thoroughly examine what I've been told here.

It makes no sense to create patterns for 3.3.5a since the client will never chang

Patterns are used to find things again if the binary changes, but 3.3.5a stays always the same and you only have to reverse the functions - nothing else!

I definitely did not know this because the client I'm using is a download provided by Molten-WoW.com. It stated

Pre-installed and includes all patches.

so I figured that they would be using a slightly modified version. Was that really so wrong of me?

Check last win32 error code (+SetLastError), it will tell you why ReadProcessMemory fails.

So what you're saying, Empted, is that every experienced programmer knows this? Does that mean that you, assuming you're an experienced programmer, know how to catch and print the stack trace of both checked AND unchecked exceptions in Java? Interesting...

FYI: Using Win32Exception Class (System.ComponentModel) would be the way to go.

Same thing applies.

I hope this cleared up some confusion we were having.