White Paper : Memory reading
  1. #1 tttommeke

    White Paper : Memory reading

    --
    Memory Reading in World of Warcraft

    This white paper covers some subjects on reading the memory of World of Warcraft.
    Everything here was done on live EU servers.

    tttommeke
    --

    Introduction

    1.0 Memory Reading ?
    1.1 Why would you do it ?
    1.2 Warden and Ban ?
    1.3 Used programs
    1.4 Terms
    1.5 Value types
    1.6 WoW servers and client
    2.0 How to find a certain address
    2.1 How to find a certain offset
    3.0 AutoIT programming
    3.1 Why finding Player address ?
    3.2 Finding Player address method 1
    3.3 Finding Player address method 2
    5.0 Author

    -- 1.0 Memory Reading ? --

    Memory reading? What's that? Memory reading is looking into the memory of a specific program. The use of it?
    Finding out things that aren't displayed, and sometimes things that you aren't even allowed to see. In some programs you can find out how the keygen
    has been put together and then fake it. You can find out things that can lead you to a specific point. In Warcraft 3, for example, you could
    use a sort of fog hack by setting the value where there was fog to true (1) so it would become visible. The memory of a program can also be viewed
    as a sort of RAM of the program: a lot of dynamic code is stored and changing in there.

    -- 1.1 Why would you do it ? --

    Memory reading in WoW can be seen as a sort of hacking WoW. Not just changing stuff, but also seeing where everything is. Let's take an example:
    a rogue is in stealth. Even with model editing you wouldn't see him, but with memory reading you would, because the player still exists in an area around you,
    so when you have his main address you can also find his X, Y and Z and from that work out exactly where he is. You can also teleport things
    in-game from one place to another with memory editing. Doodads etc. have a specific address because they are also loaded by the game.
    When you have found the offsets to their X, Y and Z you can change these; the doodad will be ported away and you can walk through it, because the
    game doesn't see anything there and it isn't solid anymore. So there are really many reasons why you would read/edit memory.

    -- 1.2 Warden and Ban ? --

    Warden is Blizzard's anti-cheat. Nobody knows 100% for sure what Warden does, but the best hypothesis is that Warden scans your process list
    and looks for any programs that aren't allowed. Warden would also look into the memory of WoW and do a sort of check-up when something changes. When
    this change doesn't look valid, it will DC or ban you. Programs like Cheat Engine and TSearch are on their not-allowed list, so be careful with them.

    -- 1.3 Used programs --

    The only program I use is Cheat Engine 5.3. No, it won't ban you, you just need to set it up correctly. Here are my settings, and until today I
    wasn't banned. So I think it is safe, but you can never know 100% sure.
    Settings: 1. Click on Settings and go to the tab Code Finder. In this tab you will find an option: [ ] Prevent the detection of your debugger. Check this
    so it becomes [*] Prevent the detection of your debugger. Then go to the tab Extra; there are again 2 options, [ ] Stealth Mode (User mode)
    and [ ] Stealth Mode (Kernel mode). Check these 2 as well. This will set up a rootkit. On some PCs the rootkit causes bluescreens, so
    think twice before checking it. Why do I use Cheat Engine? Because it contains enough. It scans fast and for most types, plus you can easily do a memory view.

    -- 1.4 Terms --

    Of course there are some terms in memory reading/editing. These are the best known and most used.
    Dynamic addresses => These addresses change every time you reload your program, like on a restart or, in WoW, when changing worlds, logging in or logging out.
    Static addresses => These addresses are static for that version. It doesn't matter if you restart the program, the address stays the same.
    Pointers => Pointers are addresses whose value points to another address that always contains a certain subject.
    (Like a static pointer that always points to a dynamic address.)
    Offsets => Offsets are numbers (mostly written in hex) that always have a value when they are subtracted from or added to an address. Like when you
    have the player address, there is always the same offset to the player's HP.
    CE => Cheat Engine
    Signature => A signature is a sort of pointer, just named differently. Like the mob signature is the address that points to the first mob in memory.

    -- 1.5 Value Types --

    Some addresses are best read in a different value type. This can be:
    Binary => Maybe you have already seen it somewhere, but a binary value only contains 1s and 0s. Most of the time WoW isn't using this value.
    A binary number consists of bits.
    Byte => On the computers of this age a byte always contains 8 bits. But just like binary, WoW isn't really using it.
    2 Byte => Yeah, double a byte... WoW doesn't use this a lot.
    4 Byte => 4 times a byte, and WoW uses this a lot. This is also the standard type in this white paper.
    8 Byte => 8 times a byte. WoW only uses this to identify a chunk/mob/player/...
    Float => A float is a decimal number like 5465.454 or -10.598. It is used for X, Y, Z and some other stuff.
    Double => A double is like a float, except it is a double precision floating point number rather than a single precision one. (Chazwazza)
    Text => Text is a search value for something like a player name.
    Array of Byte => Not really using it, but it seems you can see an array of values with this.

    -- 1.6 WoW servers and client --

    Now you would say that when you have found your HP address you could freeze it so you cannot die. But think again: would Blizzard not even think about
    this? Of course they do. Some things just aren't editable in the client because they do a sort of check-up. So let's take an example:

    Client data -----> WoW servers -----> WoW check -----> Return of data to client.
    So when you are changing your HP it will be like:
    Client data --HP--> WoW servers --Possible?--> WoW check --Mob is attacking him and did damage but his HP didn't go down--SEND DC--> Client receives a DC code.
    This is a sort of hypothesis and can be different from how it is explained here.
    So I will name some values you cannot change: PlayerHP/PlayerMana/PlayerAgi,str,.../MobHp/Mobagi,str,...,location,../GMStatus/Spellsdmg/...
    But that doesn't mean you can't do anything. You can teleport, move doodads, move chunks, edit chunks, edit doodads,...

    -- 2.0 How to find a certain address --

    Addresses contain values, so when you want to know a certain address that will always point to a specific value you will need to scan for it!
    Let's say you want to know the map number the player is currently in, for your AFK bot or leveling bot or so. Before we can scan we need to
    do some research: which locations are which numbers. You would think only Blizzard would know, but too bad for Blizzard, they have also stored it in
    their MPQ files (the DBC files with AreaZone or MapZone, I think it was). But when searching on the internet I didn't really see any updated list.
    The last list was from 1.9.3 so... I quickly started up some model editing tools and remembered it was stored in engb-local.MPQ.
    I extracted a list:
    0,Azeroth
    1,Kalimdor
    13,test
    25,ScottTest
    29,Test
    30,PVPZone01
    33,Shadowfang
    34,StormwindJail
    35,StormwindPrison
    36,DeadminesInstance
    37,PVPZone02
    42,Collin
    43,WailingCaverns
    44,Monastery
    47,RazorfenKraulInstance
    48,Blackfathom
    70,Uldaman
    90,GnomeragonInstance
    109,SunkenTemple
    129,RazorfenDowns
    169,EmeraldDream
    189,MonasteryInstances
    209,TanarisInstance
    229,BlackRockSpire
    230,BlackrockDepths
    249,OnyxiaLairInstance
    269,CavernsOfTime
    289,SchoolofNecromancy
    309,Zul'gurub
    329,Stratholme
    349,Mauradon
    369,DeeprunTram
    389,OrgrimmarInstance
    409,MoltenCore
    429,DireMaul
    449,AlliancePVPBarracks
    450,HordePVPBarracks
    451,development
    469,BlackwingLair
    489,PVPZone03
    509,AhnQiraj
    529,PVPZone04
    530,Expansion01
    531,AhnQirajTemple
    532,Karazahn
    533,Stratholme Raid
    534,HyjalPast
    540,HellfireMilitary
    542,HellfireDemon
    543,HellfireRampart
    544,HellfireRaid
    545,CoilfangPumping
    546,CoilfangMarsh
    547,CoilfangDraenei
    548,CoilfangRaid
    550,TempestKeepRaid
    552,TempestKeepArcane
    553,TempestKeepAtrium
    554,TempestKeepFactory
    555,AuchindounShadow
    556,AuchindounDemon
    557,AuchindounEthereal
    558,AuchindounDraenei
    559,PVPZone05
    560,HillsbradPast
    562,bladesedgearena
    564,BlackTemple
    565,GruulsLair
    566,NetherstormBG
    568,ZulAman

    Ok, now that we know the map numbers we can easily find the address. You could of course choose Kalimdor - Eastern Kingdoms, but these are 1 - 0 and
    really a lot of numbers constantly change from 1 to 0 and 0 to 1, so we'd better choose an instance id. I used OrgrimmarInstance because I was really close to
    it. First I scanned for 389, ran back to Kalimdor, scanned for 1, then back into OrgrimmarInstance, etc. until I had found about +- 10 addresses.
    You have a 99% chance that the map address will be one of these. Now, which one is static? Easy, CE has a function where a static address
    turns green in the list. But what if you have no CE and just a fast scanner without a static function? Scan for the addresses you suspect, and the
    address that gives zero results back (so no other address points to it) is a static address. Most addresses are found this way.

    -- 2.1 How to find an offset --

    Offsets are a totally different matter from addresses. Most of the time they only occur with dynamic addresses.
    So let's think: we have found the dynamic player address at 0x0A568008 and we want to know the offset to his HP. First of all, when you find
    a player address through the player signature you need to subtract 0x8. So the 'basic' address will be 0x0A568000. Now we search for our HP, but
    there is no static address for a player address. So let's say we have found that the HP is stored at 0x0A56824D. To find the offset we do
    the HP address - the basic address. In my example the end result is 0x24D, and that is then the offset for player HP.

    -- 3.0 AutoIT programming --

    As some of you may already know, I program in AutoIT. No, AutoIT isn't a new scripting language but one based on another one.
    I use version AutoIT v3.2.10, which already has a lot of features. The AutoIT homepage is AutoIt Script Home Page and for the latest
    version you will need to go to: AutoIt v3 - Automate and Script Windows Tasks - For Free!

    -- 3.1 Why finding Player address ? --

    For a good memory bot you will need to know some things like the player's HP and mana. These are like the 2 most crucial things in WoW, because
    when you are going to attack a same-level mob with only 5% HP and 5% mana, you can come talk to me back soon ;-) From that you can also
    find his movement state and 'abuse' it for sort-of float hacks, swimming in the air,...

    -- 3.2 Finding Player address method 1 --

    This method is the one most used by the scripters and it is actually very easy. Up to now all WoW versions have had a static address for the current player's
    location. But there was also still an offset for the dynamic player address. So to find the player address you need to do this:
    you know the static address and its value. This is the same value as the one the offset from the player address contains. So when you scan for the
    value of the static Z you will surely find the dynamic address of the player. Here you have a little code:

    Code:
    #Include <NomadMemory.au3>                      ; Includes the features of NomadMemory
    SetPrivilege("SeDebugPrivilege", 1)             ; Allows the program to look into another program's memory

    Const $StaticPlayerZ = 0xDBBCDC                 ; The static Z address for WoW 2.3
    Const $ZOffset = 0xBF0                          ; The offset from the player address to Z in 2.3
    Dim $Playerstart = 0x07000BF0                   ; Start at base 0x07000000 + 0xBF0, so every address we read is a candidate base + the Z offset
    Const $Plus = 0x2000                            ; Normally this is called $Offset, but to make it easier to understand I name it $Plus.
                                                    ; We add $Plus every time the value isn't equal to the static Z. I use 0x2000 instead of 0x1000
                                                    ; because a player address always ends in 0x...8000 or 0x...0000.
    Const $Limit = 0x7FFFF000                       ; Stop here instead of looping forever when nothing matches
    Const $Handle = _MemoryOpen(WinGetProcess("World of Warcraft"))   ; Opens the process and enables access to its memory

    ; Both sides are read as 'dword', so the float at candidate + 0xBF0 must be bit-for-bit equal to the static Z
    While _MemoryRead($Playerstart, $Handle, 'dword') <> _MemoryRead($StaticPlayerZ, $Handle, 'dword')   ; <> means different from each other
        $Playerstart += $Plus                       ; They were different, so look at the next candidate
        If $Playerstart >= $Limit Then
            _MemoryClose($Handle)
            MsgBox(16, "Not found", "No candidate matched the static Z")
            Exit
        EndIf
    WEnd                                            ; End of the while
    _MemoryClose($Handle)
    MsgBox(0, "Player address found at :", Hex($Playerstart - $ZOffset))   ; End result with the -0xBF0, so we get the basic address and not the dynamic Z address

    So this is one way to find it.

    -- 3.3 Finding Player address method 2 --

    This is not really a popular method, but it also works. As we know, all players have one signature (patch 2.3: 0x8A22B0). This signature always shows up
    at the basic address + 0x8. So when you think twice, you will get a result not only for you but also for the other players. But here is my personal code:

    Code:
    #Include <NomadMemory.au3>                      ; Includes the features of NomadMemory
    SetPrivilege("SeDebugPrivilege", 1)             ; Allows the program to look into another program's memory
    Const $StaticPlayerZ = 0xDBBCDC                 ; The static Z address for WoW 2.3 (for the check-up)
    Const $Handle = _MemoryOpen(WinGetProcess("World of Warcraft"))   ; Opens the process and enables access to its memory
    Const $PlayerSignature = 0x8A22B0               ; Defining $PlayerSignature
    Const $Plus = 0x2000                            ; Same as method 1
    Const $Limit = 0x7FFFF000                       ; Same idea as method 1: don't loop forever
    Dim $Playerstart = 0x07000008                   ; Same as method 1, +-: every address we read is a candidate base + 0x8

    While _MemoryRead($Playerstart, $Handle, 'dword') <> $PlayerSignature   ; Starting the while loop
        $Playerstart += $Plus                       ; Next address
        If $Playerstart >= $Limit Then
            _MemoryClose($Handle)
            MsgBox(16, "Not found", "No candidate held the player signature")
            Exit
        EndIf
    WEnd
    ; The signature matched, but it could be another player's object, so check the Z against the static Z
    If _MemoryRead(($Playerstart - 0x8) + 0xBF0, $Handle, 'float') <> _MemoryRead($StaticPlayerZ, $Handle, 'float') Then $Playerstart += 0x8000
    _MemoryClose($Handle)
    MsgBox(0, "Player address found at :", Hex($Playerstart - 0x8))

    Why did I do that If...Then after the WEnd? And why with 0x8000? Because these days the current player address always ends with 000 or 8000 and never with 4000 or so. So this is just for faster pleasure.


    -- 5.0 Author --

    The whole white paper has been written by tttommeke; if you want to use it, give credit to him.
    This was my first and not my last white paper! You can always check Frostmourne.be for the latest news etc.

    For the .txt version go to http://www.frostmourne.be

    (Mod or Admin, could you remove the White Paper in Bots and Programs?)

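    The scan-and-narrow procedure from section 2.0 of the white paper (first scan for 389 in OrgrimmarInstance, next scan for 1 in Kalimdor, next scan for 389 again, keep only what matched every time), as an added example that is not part of the original post. It runs against three constructed memory images instead of the WoW process; the image base, the slot positions and the "decoy" values are invented for the demo, and a real scanner would fill the images from ReadProcessMemory. The counter slot is planted so that it coincides with the map id in the first two snapshots, which is why a third scan is needed.

```python
"""Narrowing a value scan across snapshots (added example, not from the post)."""
import random
import struct

IMAGE_BASE = 0x00C00000          # assumed load address of the simulated image
IMAGE_SIZE = 0x4000

# Constructed slots inside the image (invented layout):
TRUE_MAP_SLOT = IMAGE_BASE + 0x1F30   # really holds the current map id
CONST_SLOT = IMAGE_BASE + 0x0A00      # a constant that happens to be 389
COUNTER_SLOT = IMAGE_BASE + 0x2C80    # a counter that changes every snapshot


def make_snapshot(map_id, counter):
    """Build one constructed memory image for a given map id and counter value.

    Filler bytes are >= 0x80, so no filler dword can equal a small map id and
    only the planted slots can match. A real process gives no such guarantee,
    which is exactly why several scans in different zones are needed.
    """
    rng = random.Random(0xC0FFEE)        # same filler in every snapshot, like static code/data
    buf = bytearray(rng.randrange(0x80, 0x100) for _ in range(IMAGE_SIZE))
    for addr, value in ((TRUE_MAP_SLOT, map_id), (CONST_SLOT, 389), (COUNTER_SLOT, counter)):
        struct.pack_into("<I", buf, addr - IMAGE_BASE, value)
    return bytes(buf)


def dword_at(image, addr):
    """4-byte little-endian read at an absolute address of the image."""
    return struct.unpack_from("<I", image, addr - IMAGE_BASE)[0]


def first_scan(image, value, fmt="<I"):
    """Cheat Engine's first scan: every 4-byte-aligned address holding `value`."""
    packed = struct.pack(fmt, value)
    hits, pos = [], image.find(packed)
    while pos != -1:
        if pos % 4 == 0:
            hits.append(IMAGE_BASE + pos)
        pos = image.find(packed, pos + 1)
    return hits


def next_scan(image, candidates, value):
    """Cheat Engine's next scan: keep only candidates that now hold `value`."""
    return [a for a in candidates if dword_at(image, a) == value]


def find_address(snapshots):
    """snapshots: list of (image, value the wanted address must hold in it).
    Returns the addresses that matched in every snapshot, ascending."""
    image, value = snapshots[0]
    cands = first_scan(image, value)
    for image, value in snapshots[1:]:
        cands = next_scan(image, cands, value)
    return sorted(cands)


def example_snapshots():
    """The post's route: OrgrimmarInstance (389), Kalimdor (1), OrgrimmarInstance (389).
    The counter is chosen to coincide with the map id twice, so two scans are not enough."""
    return [
        (make_snapshot(389, counter=389), 389),
        (make_snapshot(1, counter=1), 1),
        (make_snapshot(389, counter=7), 389),
    ]


if __name__ == "__main__":
    snaps = example_snapshots()
    for n in range(1, len(snaps) + 1):
        print(f"after {n} scan(s): {[hex(a) for a in find_address(snaps[:n])]}")
```

    The constant slot drops out on the second scan (it never becomes 1), the counter drops out on the third; only the true map-id slot survives all three. Whether that survivor is static or dynamic is a separate question, answered the way the post describes (CE colours it green, or a pointer scan finds nothing pointing at it).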
  2. #2 Remahlól

    Re: White Paper : Memory reading

    Thanks. +7
    19/5/2013

  3. #3 suicidity

    Re: White Paper : Memory reading

    Good post. +2


  4. #4 saltysalami52

    Re: White Paper : Memory reading

    Nice, +Rep.


  5. #5 Froogle

    Re: White Paper : Memory reading

    Did any of you actually read the entire White Paper? We need more memory editors....


  6. #6 suicidity

    Re: White Paper : Memory reading

    I do memory editing.


  7. #7 Ping

    Re: White Paper : Memory reading

    me too ;D
    by the way, your tracking-features are stored as BYTE, just in case anybody wants to build a tracker (it's easy, trust me!)

  8. #8 sleepybilly

    Re: White Paper : Memory reading

    I would if someone made a good step-by-step guide... then I could go on from there, like I was doing with model editing... till it got patched.

  9. #9 Ermok

    Re: White Paper : Memory reading

    Amazing work from God, =O
    +rep - for being amazingly good at what you do :P
    ------------
    I must spread rep before I give to you, remind me.

  10. #10 Matis02

    Re: White Paper : Memory reading

    Thanks again. I knew most of it, you just cleared up some bits.

    +1, sorry I suck with rep.

    Should you really have this public?
    Last edited by Matis02; 12-03-2007 at 04:35 AM.


  11. #11 Froogle

    Re: White Paper : Memory reading

    Why not have it public? Memory editing is something we want more of....


  12. #12 Demonshade

    Re: White Paper : Memory reading

    I started sort of memory editing. I finally did something more than changing my Z coordinate. Yesterday I changed my character's animation state and changed a couple of my items, thanks to tttommeke.

  13. #13 Satchmo

    Re: White Paper : Memory reading

    I need to read this whole thing. I will rep you as soon as I can, almost elite.
    Last edited by Satchmo; 12-03-2007 at 07:20 PM.

  14. #14 localhostage

    tttommeke: how long does the scan normally take? I've been working on some C# code, but I don't think I'm scanning correctly, as each time I try to scan it never finds it. Or is it normal for it to take a while?

  15. #15 localhostage

    ttt: here is a piece of my C# code that I cobbled together from your sample script. As you can see I have my z, start, and offset (plus). I have verified that the z address pulls a proper float number back (it works).

    Just like your while loop, I scan while the result byte[] (array) doesn't equal (!=) the known z byte[]. Can you see anything I'm doing wrong? This loop runs for like a minute and I stop it (never found); I don't think it's supposed to take that long.

    If anyone else has some insights or some code help, that would be great!

    Thanks!

    Code:
                int z = 0xDBBCDC;            // static Z address for WoW 2.3 (from the white paper)
                int start = 0x07000BF0;      // first candidate: base 0x07000000 + the 0xBF0 Z offset
                int offset = 0x2000;         // step between candidate bases
                int limit = 0x7FFF0000;      // stop here instead of running forever when nothing matches

                ProcessMemoryReader procMemReader = new ProcessMemoryReader();
                procMemReader.ReadProcess = GetProcess();   // own helper returning the WoW Process object
                procMemReader.OpenProcess();

                int bytesRead = 0;
                byte[] staticZbuff = procMemReader.ReadProcessMemory((IntPtr) z, 4, out bytesRead);
                float knownZ = BitConverter.ToSingle(staticZbuff, 0);

                bool found = false;
                while (start < limit)
                {
                    // read the 4 bytes at candidate base + 0xBF0; a failed read leaves bytesRead at 0
                    byte[] playerStart = procMemReader.ReadProcessMemory((IntPtr) start, 4, out bytesRead);
                    if (bytesRead == 4 && BitConverter.ToSingle(playerStart, 0) == knownZ)
                    {
                        found = true;
                        break;   // compare before incrementing, otherwise start ends one step past the match
                    }
                    start += offset;
                }

                procMemReader.CloseHandle();

                if (found)
                    Console.WriteLine("found player address @ 0x{0:X}", start - 0xBF0);
                else
                    Console.WriteLine("no candidate matched the static Z");
                Console.ReadKey();
    Last edited by localhostage; 12-07-2007 at 01:13 AM.
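    Both player-address walks from sections 3.2 and 3.3 of the white paper (method 1: compare the dword at candidate+0xBF0 with the static Z; method 2: find the player signature at candidate+0x8, then confirm the Z because other players' objects carry the same signature), as an added example that is not the post's code and not NomadMemory. It also shows the two checks a practitioner wants in the kind of loop discussed in this thread: an upper bound so the walk terminates, and a read that reports failure for unmapped pages instead of returning zeroes. Everything runs against a constructed process image; a real run would replace FakeProcess.read with ReadProcessMemory (or _MemoryRead). The 2.3 addresses from the post are reused only as labels; the region map, object positions and Z values are invented. Method 2 generalises the post's single "+0x8000 retry" into "keep walking until the Z agrees".

```python
"""Walking aligned candidates for the player base (added example, not the post's code)."""
import struct

STATIC_PLAYER_Z = 0x00DBBCDC      # label from the post (WoW 2.3 static Z)
PLAYER_SIGNATURE = 0x008A22B0     # label from the post (WoW 2.3 player signature)
Z_OFFSET = 0xBF0                  # base + 0xBF0 -> Z (from the post)
SIG_OFFSET = 0x8                  # base + 0x8 -> signature (from the post)
SCAN_START = 0x07000000           # first candidate base (from the post)
SCAN_STEP = 0x2000                # the post's $Plus
SCAN_LIMIT = 0x7FFF0000           # assumed: give up instead of looping forever


class FakeProcess:
    """Stand-in for a process: a few mapped regions, everything else unreadable."""

    def __init__(self):
        self.regions = {}         # region base -> bytearray

    def map_region(self, base, size):
        self.regions[base] = bytearray(size)

    def _locate(self, addr, n):
        for base, buf in self.regions.items():
            if base <= addr and addr + n <= base + len(buf):
                return buf, addr - base
        return None, None

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        if buf is None:
            raise ValueError(f"write outside mapped regions: {addr:#x}")
        buf[off:off + len(data)] = data

    def read(self, addr, n):
        """Returns None where ReadProcessMemory would fail (unmapped page)."""
        buf, off = self._locate(addr, n)
        return None if buf is None else bytes(buf[off:off + n])


def read_dword(proc, addr):
    raw = proc.read(addr, 4)
    return None if raw is None else struct.unpack("<I", raw)[0]


def find_player_by_static_z(proc, static_z=STATIC_PLAYER_Z, start=SCAN_START,
                            step=SCAN_STEP, limit=SCAN_LIMIT):
    """Method 1: first candidate base whose Z bits equal the static Z bits."""
    target = read_dword(proc, static_z)
    if target is None:
        raise RuntimeError("static Z address is not readable")
    base = start
    while base < limit:
        if read_dword(proc, base + Z_OFFSET) == target:   # None (unreadable) never matches
            return base
        base += step
    return None


def find_player_by_signature(proc, signature=PLAYER_SIGNATURE, static_z=STATIC_PLAYER_Z,
                             start=SCAN_START, step=SCAN_STEP, limit=SCAN_LIMIT):
    """Method 2: signature at base+0x8, then confirm Z so another player's object is skipped."""
    target = read_dword(proc, static_z)
    if target is None:
        raise RuntimeError("static Z address is not readable")
    base = start
    while base < limit:
        if read_dword(proc, base + SIG_OFFSET) == signature:
            if read_dword(proc, base + Z_OFFSET) == target:
                return base
            # signature hit with a different Z: someone else's player object, keep walking
        base += step
    return None


def build_fake_process():
    """Constructed image: a static data page and an object region with two player objects."""
    proc = FakeProcess()
    proc.map_region(0x00DB0000, 0x10000)    # holds the static Z
    proc.map_region(0x07000000, 0x40000)    # object region; reads past it fail
    my_z = struct.pack("<f", 1234.5)
    proc.write(STATIC_PLAYER_Z, my_z)
    other_player = 0x07008000               # another player: same signature, different Z
    me = 0x07018000                         # our own object
    for base, z in ((other_player, struct.pack("<f", -77.25)), (me, my_z)):
        proc.write(base + SIG_OFFSET, struct.pack("<I", PLAYER_SIGNATURE))
        proc.write(base + Z_OFFSET, z)
    return proc, me, other_player


if __name__ == "__main__":
    proc, me, other = build_fake_process()
    print(f"method 1 -> {find_player_by_static_z(proc):#x} (expected {me:#x})")
    print(f"method 2 -> {find_player_by_signature(proc):#x} (skips {other:#x})")
```

    Method 1 compares raw dwords rather than converted floats, which is what the AutoIt version does with 'dword' on both sides: a bit-for-bit match, with no float rounding involved. Method 2 hits the other player's object first, sees its Z differs from the static Z, and continues to the right one; a walk that starts past the last object runs to the limit and returns None instead of spinning.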
