Flyhack + ClickToMove?

  1. #1
    jarjar1

    Flyhack + ClickToMove?

    How can one get flyhack to work with click-to-move? By that I mean to climb and lower on the Z axis without having to patch the camera angle + angle the camera up and down.

    Is there a certain byte you need to patch to have the game treat you as if you are flying / swimming, thus allowing click-to-move with flyhack to climb/drop on the Z axis?

  2. #2
    DarkLinux
    Read current location, then read the CTM location and do the math. Then set the pitch. Really easy; Google it b/c I know that someone has coded a simple function to do this.

  3. #3
    jarjar1
    Bah, is there a way to patch JMPs into your coding using GreyMagic in C#? Like Warden is scanning like crazy around these offsets. But all GreyMagic seems to offer is detouring the entire func. All I want is to have wow.exe jump into my code like 10-20 bytes after the func's entry, then modify 1 register and jump back to the function executing.

    I am assuming it would be GreyMagic.MemoryIn.CreatePatch(xxx, new byte[] {Jump to my func} ?? How would you get the correct JMP address, I guess?

  4. #4
    _Mike
    You could use one of
    Code:
    EB cb	 JMP rel8	 Jump short, relative, displacement relative to next instruction
    E9 cd	 JMP rel32	 Jump near, relative, displacement relative to next instruction
    Where displacement is (target_address - (source_address + source_length))

    For example, to jump 20 bytes forward relative to the address of the jmp
    0xEB 0x12 (18 bytes because the opcode itself is 2 bytes long)
    Last edited by _Mike; 11-13-2012 at 01:09 PM.
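
Added example, not code from the thread or from any project named in it: the displacement formula above run in reverse, the way an integrity check would use it, to decode where a JMP found in a modified function body leads and whether that destination is outside the module. The 32-byte function, the addresses and the module range are constructed sample values, and 32-bit x86 is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One modified run: where it starts, JMP length (0 = not a JMP), decoded target. */
typedef struct { size_t offset; int jmp_len; uint32_t target; int external; } finding;

/* Inverse of the post's formula: target = source + length + displacement. */
int decode_jmp(const uint8_t *p, size_t avail, uint32_t src, uint32_t *target)
{
    uint32_t disp; int len;
    if (avail >= 2 && p[0] == 0xEB)      { len = 2; disp = (uint32_t)(int32_t)(int8_t)p[1]; }
    else if (avail >= 5 && p[0] == 0xE9) { len = 5; disp = p[1] | p[2] << 8 | p[3] << 16 | (uint32_t)p[4] << 24; }
    else return 0;
    *target = src + (uint32_t)len + disp;   /* wraps mod 2^32, as on x86-32 */
    return len;
}

/* Diff the whole body against known-good bytes, not only the first few bytes. */
size_t scan_function(const uint8_t *live, const uint8_t *good, size_t len, uint32_t va,
                     uint32_t base, uint32_t size, finding *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_out; i++) {
        if (live[i] == good[i]) continue;
        finding f = { i, 0, 0, 0 };
        f.jmp_len = decode_jmp(live + i, len - i, va + (uint32_t)i, &f.target);
        f.external = f.jmp_len && (f.target - base) >= size;   /* outside the image */
        out[n++] = f;
        while (i + 1 < len && live[i + 1] != good[i + 1]) i++;   /* skip rest of run */
    }
    return n;
}

size_t demo(finding *out)
{
    uint8_t good[32], live[32];
    memset(good, 0x90, sizeof good);                 /* constructed baseline bytes */
    memcpy(live, good, sizeof live);
    memcpy(live + 12, "\xE9\xEF\xEF\xBF\x0F", 5);    /* constructed patch: JMP rel32 to 0x10000000 */
    return scan_function(live, good, sizeof live, 0x00401000u, 0x00400000u, 0x00100000u, out, 4);
}

int main(void)
{
    finding f[4];
    for (size_t i = 0, n = demo(f); i < n; i++)
        printf("+%zu jmp_len=%d target=0x%08X external=%d\n", f[i].offset, f[i].jmp_len, (unsigned)f[i].target, f[i].external);
    return 0;
}
```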

  5. #5
    JuJuBoSc
    What _Mike said is the best way. I don't think you can use GreyMagic to do that. I don't know how it works, but if it's like WhiteMagic I think it uses the push and retn method to detour. I don't think it will work inside the function; it will probably crash when CallOriginal is called.

  6. #6
    jarjar1
    How can you make it JMP to public static void JMPtoMyFunc() ?

    Originally Posted by _Mike View Post
    You could use one of
    Code:
    EB cb	 JMP rel8	 Jump short, relative, displacement relative to next instruction
    E9 cd	 JMP rel32	 Jump near, relative, displacement relative to next instruction
    Where displacement is (target_address - (source_address + source_length))

    For example, to jump 20 bytes forward relative to the address of the jmp
    0xEB 0x12 (18 bytes because the opcode itself is 2 bytes long)

    Maybe I can use the WhiteMagic / GreyMagic Detour and set the return to void and no params? with inline ASM jmping back to origin func under the hook? Or would that mess up the stack/registers using the Detours in White/Grey?



    I googled around quite a bit, especially site:WoW Memory Editing

    Could not find anything on point, some vaguely related stuff tho. A link would be greatly appreciated. So far looking at some older open-source projects, but they involve JMP patching into injected code + changing registers that seem difficult to replicate in C#.

    Originally Posted by DarkLinux View Post
    Read current location, then read the ctm location and do the math.. Then set the pitch.. Really easy Google it b/c I know that someone has coded a simple function to do this.

    This is from OHack for 4.x.x WoW. But I am not quite sure how to hook this way 10 bytes down from entry (as warden is scanning the first 10 bytes of this func now) using C# and White/Grey magic. It seems you need to set the Movement flags as flying then call CalcDirection then reset the movement flags back to normal.

    Code:
    __declspec(naked) void __fastcall CalcDirectionHook ()
    {
        static unsigned int This = 0;
        __asm
        {
            mov This, ecx
        }

        get<unsigned int>(get<unsigned int>(WoW::GetPlayer() + CMovement) + 0x38) |= MovementFlags::Flying;
        reinterpret_cast<void (__thiscall*)(unsigned int)>(WoWBase + CMovement__CalcDirection)(This);
        get<unsigned int>(get<unsigned int>(WoW::GetPlayer() + CMovement) + 0x38) &= ~MovementFlags::Flying;

        __asm
        {
            retn
        }
    }
    Last edited by jarjar1; 11-13-2012 at 02:48 PM.

  7. #7
    DarkLinux
    Take a look at my crap function called hook in the helper.cpp file,

    http://www.ownedcore.com/forums/worl...n-scanner.html (EverScan - An Open Source Warden Scanner)

    You send it the address you want to hook and the address of your cave.

    If you want to call your own function and then call the original, use Microsoft Detours. I use it b/c it's simple and it works... Well, more b/c I'm lazy..

    I don't know if you can do detours in C# unless they are fully in asm. I don't think you can inject a C# dll and detour it to your function.. Just use C++ if you're going to be in-process

  8. #8
    jarjar1
    Bummer. Now looking at it in retrospect I think the best solution is to C++ injected DLL /w injected / side by side C# calling the funcs. C++ is not so 'quick to develop' for multiple tcp/ip connections + pipes + server and DB queries + proxy + bot logic + integration with http etc (using C# you can have everything working together and smoothly in under a week, if that). But it would definitely be better at being the core vs having a core in C#. Too late now to redo everything.

    Hum.. only project I know that does that 'was' D3A. Loading C# assemblies at run-time. Did Rolle just use C# script, or more to it than that?

    Originally Posted by DarkLinux View Post
    I don't know if you can do detours in C# unless they are fully in asm. I don't think you can inject a C# dll and detour it to your function.. Just use C++ if you're going to be in-process
    Last edited by jarjar1; 11-13-2012 at 04:31 PM.
