World Of Warcraft Development

[FrozenLight]

Memoryreading is 100% safe.

I think its some kind of old myth that memory reading is the same as memory writing.

If you are paranoid use process guard, but imo i would be more or less waste of CPU etc.

Just keep away from apps that does alter the memory locations, inject code into mainapp, or inject code into dll's used by the mainapp.

Thanks, and whats about the Packet Sniffing?

And i need an advise on which program to use for memory reading! TSearch, Cheatengine...? I used to use tsearch but im not sure if it changes the memory in any way.

[JRSmile]

I have created the forum for further development, please register with your autoit username or send me an autoit forum pm with your new username, so we can validate each person.

BeHEAD.de

Edited May 30, 2007 by JRSmile

[Periklis]

World Of Warcraft Memory Scanner

This program finds the NonStatic Changeable value of X, Y, Z and Rotation of your char.

This scanner is ALOT faster then the previous versions, and as said above also finds the rotation of the player.

This is 100% harmless since it only scans for the values (it is not detectable)

As you can see there is a timer in this version.

If you guys would be so kind as to try the sciprt and see what your "time" is, and post your "time" here or send a pm to me.

Mine is between 4.5 - 6.7

Made the program in C#. Time to retrieve values is .... Drumroll ........ between 4.2 and 5.5 million nanoseconds

Just to understand ... 1 nanosecond is 1/1000000000 second so it something between 0,0042 and 0,0055 seconds.

Much faster imho.

BR

/P

.

Edited May 30, 2007 by Periklis

[Snarg]

Periklis - If you wish to be the program group manager (I couldn't think of a better term) and would like to provide me a list of people working on the project, I would be happy to give you a forum on http://www.edgeofnowhere.cc. It could be a public or private forum, your choice. Please let me know...

Edited May 30, 2007 by Snarg

[malu05]

I have created the forum for further development, please register with your autoit username or send me an autoit forum pm with your new username, so we can validate each person.

BeHEAD.de

Cool...

Im registred, just waiting for a confirmation mail.

Made the program in C#. Time to retrieve values is .... Drumroll ........ between 4.2 and 5.5 million nanoseconds

Just to understand ... 1 nanosecond is 1/1000000000 second so it something between 0,0042 and 0,0055 seconds.

Much faster imho.

BR

/P

.

Uhh! Najs!

Btw, a new Youtube movie is comming up as we speak.... ^^ some fun stuff...

Edited May 30, 2007 by malu05

[malu05]

http://www.youtube.com/watch?v=c6b-VZDDbc4

Muhahaha

[JRSmile]

already validated and assigned to the correct group

http://www.youtube.com/watch?v=c6b-VZDDbc4

Muhahaha

WUHOOOOOOOOOOOOO NAICE i love u you are my hero REALY GREAT...

Edited May 30, 2007 by JRSmile

[Periklis]

http://www.youtube.com/watch?v=c6b-VZDDbc4

Muhahaha

I knew you're an Evil, evil man

I almost peed on me ... woke upp the kids in the process because of my ROFL.

BR

/P

.

[Periklis]

$valueSS = _MemoryRead($StartMemory , $DllInformation, 'float')
while hex($EndMemory) <> $valueSS
$StartMemory = $StartMemory+$value
$valueSS = hex(_MemoryRead( $StartMemory+0x8, $DllInformation, 'int'))
;if $StartMemory > 0x18700000 then ConsoleWrite(" " & hex($StartMemory+0x8) & " " & $valueSS)
WEndoÝ÷ ØÞu©§yØj,¶Øk{  ²r©¢{a{¥«­¢+ØÀÌØíÙ±ÕMLô}5µ½ÉåI ÀÌØíMÑÉÑ5µ½Éä°ÀÌØí±±%¹½ÉµÑ¥½¸°Ìäí±½ÐÌäì¤oÝ÷ Ú·­º¹ìiùhjØ^­è­Á«¢jZ­çpØZ)íz«jëh×6while hex($EndMemory) <> $valueSSoÝ÷ Ù»­¬¶)ݶzØZ¶)íì!W¥¢r¢èZ½ëaz¸ ×Zµ«r¥ëºÚ"µÍÌÍÝ[YTÔÈH^
ÓY[[ÜTXY
    ÌÍÔÝY[[ÜJÌ    ÌÍÑ[ÜX][Û  ÌÎNÚ[    ÌÎNÊJ

But still ... what if the first try is the correct one what will happen then ?

BR

/P

.

[Periklis]

And while im at it ... thinking of dumping the memory area into a file to read binary if i wanna work offline (while at work) ...

Will post links to the C# code for the ppl that are hungry for knowledge

BR

/P

.

[Skrip]

Can we get the code for the object manager?

[testbot]

@malu05..

there is another set of player info/data struct inside the wow memory, that contains more/easily read information on spawns..

the game has it's own tracking built in (for hunters and miners and those professions)... if you read the memory from those data blocks,

you can easily.. populate it with names.. race.. and if you REALLY wanted to go further into development.. just look at the wow emu sources..

all the packet structures and spawn struct is written and documented there.. client stores the data the same way.. just look at the wow!map stuff

where it would draw spawns (in range that server sends) and draws it real time onto maps..

and as far as warden goes.. warden can be updated anytime to read/detect anything.. including reading/scanning of wow.exe process.. if you read

the actual papers on warden.. you would know it attaches itself globally into your kernal.. and has access to read/scan anything on your pc.. including

running apps.. or anything.. hence there EULA is so.. long and well worded.. they have open access to scan anything they want as long as you

clicked that agree button..

malu05.. if you want more info on the tracking stuff, send me a pm..

[Periklis]

I hate living in the dark, so i'd like to ask a few things.

Its all about Memory Addresses.

Seeing the adresses used by malu05 im getting a little bit confused ... not on the actual addreses but most on where they come from. I believe i have a pretty good idea on what is happening.

Variables declared by malu05

dim $knownX = 0x00CD6760
dim $startsearchX = 0x00400B88

Global $offset = 0x1000
oÝ÷ Ù°¨uëh~)ݶ¦zj+ɧ]­ë,¶­ríj)춦"¶*'¡ûazZÉêÿm«­¢+Ø(ÀÌØí
ÕÉɹÑ1½`ô}5µ½ÉåI ÀÌØí­¹½Ý¹`°ÀÌØí±±%¹½ÉµÑ¥½¸°Ìäí±½ÐÌäì¤(ìM½µ½Ñ¡È½¹Ñ¡¸¸¸¸(ÀÌØíÙ±ÕMLô}5µ½ÉåI ÀÌØíÍÑÉÑÍÉ¡`°ÀÌØí±±%¹½ÉµÑ¥½¸°Ìäí±½ÐÌäì¤)Ý¡¥±ÀÌØí
ÕÉɹÑ1½`±ÐìÐìÀÌØíÙ±ÕML(ÀÌØíÍÑÉÑÍÉ¡`ôÀÌØíÍÑÉÑÍÉ¡`¬ÀÌØí½ÍÐ(ÀÌØíÙ±ÕMLô}5µ½ÉåI ÀÌØíÍÑÉÑÍÉ¡`°ÀÌØí±±%¹½ÉµÑ¥½¸°Ìäí±½ÐÌäì¤)]¹

I can understand that because of DMA this procedure must be executed since the memory addresses change with every relog.

What i don't get is $knownX, $startsearchX and $offset.

Why is the X position in the memory address of $knownX?

Why are we start searching for $startSearchX with an initial value of 0x00400B88?

Why is our offset jump 0x1000 (4096 in decimal)?

That's the first bunch of questions.

Imagine this is the memory and we found $startSearchX.

1   Position X
2   (Position X)
3   (Position X)
4   (Position X)    
5   Position Y
6
7
8
9   Position Z
10
11
12
13  Rotation
14

So far so good. IIRC from a post made by malu05 the addresses in between contain the value for the same attribute (in parenthesis).

Checking the Mob Scanner code one Wow Object is 0x1788 (6024 Decimal) long. So does that mean that it spans over 6024 consecutive addresses in memory ? For example from address 0 to 6023.

malu05 claims it is 1788 bytes long. Am i missing something here ? 0x1788 is not 1788.

Next question must sound stupid to some of you.

Is every address containing 1 Byte ? And how many Words long is this Byte ?

Are all Objects identical in how they are stored in memory ?

Explaination.

Base Memory address = X position.

Add 0x4 = Y Position

Add 0x8 = Z Position

Add 0xC = Rotation

And so on.

If an attribute in the Object structure is not applicable like speed for a Chest, what value does the memory address contain? 0?

Why i ask all this is because id like to create a library for offset handling.

Would anyone mind clarifying a procedure for looking for offsets ? And what were look for as inittial memory address?

BR

/P

.

[Periklis]

I have used the same variable names that malu05 is using in his code so you will recognise things.

First Create a class file in C# and insert the following code. Name the file MemoryReader.cs

expandcollapse popup

//------------------------------------------------------------------------------
//  <copyright from='2004' to='2005' company='WoWSharp.NET'>
//  Copyright (c) WoWSharp.NET. All Rights Reserved.
//
//  Please look in the accompanying license.htm file for the license that 
//  applies to this source code. (a copy can also be found at: 
//  http://www.wowsharp.net/license.htm)
//  </copyright>
//-------------------------------------------------------------------------------
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.IO;
using System.Collections;
using System.Text;

// Changed namespace name.
namespace Hermes
{
    /// <summary>
    /// Summary description for MemoryReader.
    /// </summary>
    public class MemoryReader
    {
        /// <summary>
        /// Constants information can be found in [winnt.h]
        /// </summary>
        private const uint PROCESS_TERMINATE = 0x0001;
        private const uint PROCESS_CREATE_THREAD = 0x0002;
        private const uint PROCESS_SET_SESSIONID = 0x0004;
        private const uint PROCESS_VM_OPERATION = 0x0008;
        private const uint PROCESS_VM_READ = 0x0010;
        private const uint PROCESS_VM_WRITE = 0x0020;
        private const uint PROCESS_DUP_HANDLE = 0x0040;
        private const uint PROCESS_CREATE_PROCESS = 0x0080;
        private const uint PROCESS_SET_QUOTA = 0x0100;
        private const uint PROCESS_SET_INFORMATION = 0x0200;
        private const uint PROCESS_QUERY_INFORMATION = 0x0400;

        private const uint TH32CS_SNAPHEAPLIST = 0x00000001;
        private const uint TH32CS_SNAPPROCESS = 0x00000002;
        private const uint TH32CS_SNAPTHREAD = 0x00000004;
        private const uint TH32CS_SNAPMODULE = 0x00000008;
        private const uint TH32CS_SNAPMODULE32 = 0x00000010;
        private const uint TH32CS_SNAPALL = (TH32CS_SNAPHEAPLIST | TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD | TH32CS_SNAPMODULE);
        private const uint TH32CS_INHERIT = 0x80000000;

        private const int SE_PRIVILEGE_ENABLED = 0x00000002;
        private const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
        private const int TOKEN_QUERY = 0x00000008;

        [StructLayout(LayoutKind.Sequential)]
        private struct PROCESSENTRY32
        {
            public uint dwSize;
            public uint cntUsage;
            public uint th32ProcessID;        // this process
            public IntPtr th32DefaultHeapID;
            public uint th32ModuleID;          // associated exe
            public uint cntThreads;
            public uint th32ParentProcessID;    // this process's parent process
            public uint pcPriClassBase;     // Base priority of process's threads
            public uint dwFlags;

            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
            public string szExeFile;   // Path
        }

        /// <summary>
        /// Open a process
        /// </summary>
        /// <param name="dwDesiredAccess">Access flag</param>
        /// <param name="bInheritHandle">Handle inheritance options</param>
        /// <param name="dwProcessId">Process identifier</param>
        /// <returns>Success</returns>
        [DllImport("kernel32.dll")]
        private static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, UInt32 dwProcessId);

        /// <summary>
        /// Terminate a (open) process
        /// </summary>
        /// <param name="dwProcessId">Handle</param>
        /// <param name="dwExitCode">Exit code</param>
        /// <returns>Success</returns>
        [DllImport("kernel32.dll")]
        private static extern Int32 TerminateProcess(UInt32 dwProcessId, UInt32 dwExitCode);

        /// <summary>
        /// Close a handle
        /// </summary>
        /// <param name="hObject">Handle to object</param>
        /// <returns>Success</returns>
        [DllImport("kernel32.dll")]
        private static extern Int32 CloseHandle(IntPtr hObject);

        /// <summary>
        /// Read from the memory of a process 
        /// </summary>
        /// <param name="hProcess">Handle to the process</param>
        /// <param name="lpBaseAddress">Base of memory area</param>
        /// <param name="buffer">Data buffer</param>
        /// <param name="size">Number of bytes to read</param>
        /// <param name="lpNumberOfBytesRead">Number of bytes read</param>
        /// <returns>Success</returns>
        [DllImport("kernel32.dll")]
        private static extern Int32 ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr buffer, int size, ref IntPtr lpNumberOfBytesRead);

        /// <summary>
        /// Write to the memory of a process
        /// </summary>
        /// <param name="hProcess">Handle to the process</param>
        /// <param name="lpBaseAddress">Base of memory area</param>
        /// <param name="buffer">Data buffer</param>
        /// <param name="size">Number of bytes to read</param>
        /// <param name="lpNumberOfBytesWritten">Number of bytes read</param>
        /// <returns>Success</returns>
        [DllImport("kernel32.dll")]
        private static extern Int32 WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr buffer, int size, ref IntPtr lpNumberOfBytesWritten);

        [DllImport("kernel32.dll")]
        private static extern IntPtr CreateToolhelp32Snapshot(uint dwFlags, uint th32ProcessID);

        [DllImport("kernel32.dll")]
        private static extern Int32 Process32First(IntPtr hSnapshot, ref PROCESSENTRY32 lppe);

        [DllImport("kernel32.dll")]
        private static extern Int32 Process32Next(IntPtr hSnapshot, ref PROCESSENTRY32 lppe);

        [StructLayout(LayoutKind.Sequential, Pack = 1)]
        private struct TOKEN_PRIVILEGES
        {
            public int PrivilegeCount;
            public long Luid;
            public int Attributes;
        }

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern int OpenProcessToken(int ProcessHandle, int DesiredAccess, ref int tokenhandle);

        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        private static extern int GetCurrentProcess();

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern int LookupPrivilegeValue(string lpsystemname, string lpname, ref long lpLuid);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern int AdjustTokenPrivileges(int tokenhandle, int disableprivs, ref TOKEN_PRIVILEGES Newstate, int bufferlength, int PreivousState, int Returnlength);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern int GetSecurityInfo(int HANDLE, int SE_OBJECT_TYPE, int SECURITY_INFORMATION, int psidOwner, int psidGroup, out IntPtr pDACL, IntPtr pSACL, out IntPtr pSecurityDescriptor);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern int SetSecurityInfo(int HANDLE, int SE_OBJECT_TYPE, int SECURITY_INFORMATION, int psidOwner, int psidGroup, IntPtr pDACL, IntPtr pSACL);

        private bool isOpen = false;
        private IntPtr eightBytes = IntPtr.Zero;
        private IntPtr hProcess = IntPtr.Zero;
        private Process readProcess = null;
        private EventHandler ExitedEvent = null;
        private Hashtable _parentids = new Hashtable();

        /// <summary>
        /// Returns the process handle of the open process
        /// </summary>
        public IntPtr Handle
        {
            get
            {
                return hProcess;
            }
        }

        /// <summary>
        /// A hashtable containing the process id's as key and the parent process id's as value
        /// </summary>
        public Hashtable ParentIds
        {
            get
            {
                return _parentids;
            }
        }

        /// <summary>
        /// Gets a list of processes by executable name
        /// </summary>
        /// <param name="ExeName">ExeName</param>
        /// <returns>List of processes</returns>
        public Process[] GetProcessesByExe(string ExeName)
        {
            ArrayList procs = new ArrayList();

            IntPtr hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
            if (hSnapshot == IntPtr.Zero)
                return null;

            PROCESSENTRY32 pe = new PROCESSENTRY32();
            pe.dwSize = 296;// sizeof( pe);

            // Clear the parent id's
            _parentids.Clear();

            int retval = Process32First(hSnapshot, ref pe);
            while (retval != 0)
            {
                if (pe.szExeFile.ToLower() == ExeName.ToLower())
                {
                    try
                    {
                        Process proc = Process.GetProcessById((int)pe.th32ProcessID);
                        procs.Add(proc);
                    }
                    catch
                    {
                    }
                }

                _parentids.Add(pe.th32ProcessID, pe.th32ParentProcessID);
                retval = Process32Next(hSnapshot, ref pe);
            }

            CloseHandle(hSnapshot);

            return (Process[])procs.ToArray(typeof(Process));
        }

        /// <summary>
        /// This closes a process using TerminateProcess (this is immediate!)
        /// </summary>
        public void CloseProcess()
        {
            TerminateProcess((uint)hProcess, 0);
            Close();
        }

        /// <summary>   
        /// Process from which to read      
        /// </summary>
        public Process ReadProcess
        {
            get
            {
                return readProcess;
            }
        }

        /// <summary>
        /// Is the current process opened
        /// </summary>
        public bool IsOpen
        {
            get
            {
                return isOpen;
            }
        }

        internal void EnableDebuggerPrivileges()
        {
            int token = 0;
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.PrivilegeCount = 1;
            tp.Luid = 0;
            tp.Attributes = SE_PRIVILEGE_ENABLED;

            // We just assume this works
            if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref token) == 0)
                throw (new Exception("OpenProcessToken failed"));

            if (LookupPrivilegeValue(null, "SeDebugPrivilege", ref tp.Luid) == 0)
                throw (new Exception("LookupPrivilegeValue failed"));

            if (AdjustTokenPrivileges(token, 0, ref tp, Marshal.SizeOf(tp), 0, 0) == 0)
                throw (new Exception("AdjustTokenPrivileges failed"));
        }

        /// <summary>
        /// Open a process
        /// </summary>
        /// <remarks>
        /// Only use this for special occasions, normally use 'Start' from the WoW object
        /// </remarks>
        public void Open(Process process)
        {
            if (isOpen)
                throw (new Exception("Process already opened"));

            readProcess = process;

            hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_TERMINATE, 0, (uint)readProcess.Id);
            if (hProcess == IntPtr.Zero)
            {
                IntPtr pDACL, pSecDesc;

                GetSecurityInfo((int)Process.GetCurrentProcess().Handle, /*SE_KERNEL_OBJECT*/ 6, /*DACL_SECURITY_INFORMATION*/ 4, 0, 0, out pDACL, IntPtr.Zero, out pSecDesc);
                hProcess = OpenProcess(0x40000, 0, (uint)process.Id);
                SetSecurityInfo((int)hProcess, /*SE_KERNEL_OBJECT*/ 6, /*DACL_SECURITY_INFORMATION*/ 4 | /*UNPROTECTED_DACL_SECURITY_INFORMATION*/ 0x20000000, 0, 0, pDACL, IntPtr.Zero);
                CloseHandle(hProcess);

                hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_TERMINATE, 0, (uint)readProcess.Id);
            }

            isOpen = (hProcess != IntPtr.Zero);
            if (isOpen) readProcess.Exited += (ExitedEvent = new EventHandler(ProcessExited));
        }

        /// <summary>
        /// Close the process
        /// </summary>
        /// <remarks>
        /// Only use this for special occasions, normally use 'Stop' from the WoW object
        /// </remarks>
        public void Close()
        {
            if (hProcess == IntPtr.Zero)
                throw (new Exception("Process already closed"));

            int iRetValue;
            iRetValue = CloseHandle(hProcess);
            if (iRetValue == 0)
                throw new Exception("CloseHandle failed");

            hProcess = IntPtr.Zero;
            isOpen = false;

            readProcess.Exited -= ExitedEvent;
        }

        /// <summary>
        /// Initialize the memory reader class
        /// </summary>
        internal MemoryReader()
        {
            eightBytes = Marshal.AllocHGlobal(8);
        }

        /// <summary>
        /// Free the memory reader class
        /// </summary>
        ~MemoryReader()
        {
            if (isOpen)
                Close();

            Marshal.FreeHGlobal(eightBytes);
        }

        /// <summary>
        /// Read an integer from the currently opened process
        /// </summary>
        /// <param name="Address">Address to read from</param>
        /// <returns>Integer read</returns>
        public int ReadInteger(int Address)
        {
            IntPtr readedBytes = IntPtr.Zero;
            ReadProcessMemory(hProcess, new IntPtr(Address), eightBytes, 4, ref readedBytes);

            return Marshal.ReadInt32(eightBytes);
        }

        /// <summary>
        /// Read a long from the currently opened process
        /// </summary>
        /// <param name="Address">Address to read from</param>
        /// <returns>Long read</returns>
        public long ReadLong(int Address)
        {
            IntPtr readedBytes = IntPtr.Zero;
            ReadProcessMemory(hProcess, new IntPtr(Address), eightBytes, 8, ref readedBytes);

            return Marshal.ReadInt64(eightBytes);
        }

        /// <summary>
        /// Read a float from the currently opened process
        /// </summary>
        /// <param name="Address">Address to read from</param>
        /// <returns>Float read</returns>
        public float ReadFloat(int Address)
        {
            IntPtr readedBytes = IntPtr.Zero;
            ReadProcessMemory(hProcess, new IntPtr(Address), eightBytes, 4, ref readedBytes);
            byte[] buffer = new byte[4];
            Marshal.Copy(eightBytes, buffer, 0, 4);

            return BitConverter.ToSingle(buffer, 0);
        }

        /// <summary>
        /// Read a buffer from the currently opened process
        /// </summary>
        /// <param name="Address">Address to read from</param>
        /// <param name="bytes">Number of bytes to read</param>
        /// <returns>Buffer read</returns>
        public byte[] ReadBuffer(int Address, int bytes)
        {
            IntPtr ptr = Marshal.AllocHGlobal(bytes);
            IntPtr readedBytes = IntPtr.Zero;
            ReadProcessMemory(hProcess, new IntPtr(Address), ptr, bytes, ref readedBytes);
            byte[] ret = new byte[bytes];
            Marshal.Copy(ptr, ret, 0, bytes);
            Marshal.FreeHGlobal(ptr);

            return ret;
        }

        /// <summary>
        /// Read a [null-terminated] string from the currently opened process
        /// </summary>
        /// <param name="Address">Address to read from</param>
        /// <param name="bytes">Maximum size</param>
        /// <returns>String read</returns>
        public string ReadString(int Address, int bytes)
        {
            IntPtr ptr = Marshal.AllocHGlobal(bytes);
            IntPtr readedBytes = IntPtr.Zero;
            ReadProcessMemory(hProcess, new IntPtr(Address), ptr, bytes, ref readedBytes);
            byte[] buffer = new byte[bytes];
            Marshal.Copy(ptr, buffer, 0, bytes);
            Marshal.FreeHGlobal(ptr);

            UTF8Encoding utf8 = new UTF8Encoding();
            string result = utf8.GetString(buffer);
            int nullpos = result.IndexOf("");
            if (nullpos != -1)
                result = result.Remove(nullpos, result.Length - nullpos);
            return result;
        }

        /// <summary>
        /// Write an float to the currently opened process
        /// </summary>
        /// <param name="Address">Address to write to</param>
        /// <param name="value">Value to write</param>
        public void WriteFloat(int Address, float value)
        {
            byte[] buffer = BitConverter.GetBytes(value);
            IntPtr writtenBytes = IntPtr.Zero;
            Marshal.Copy(buffer, 0, eightBytes, 4);
            WriteProcessMemory(hProcess, new IntPtr(Address), eightBytes, 4, ref writtenBytes);
        }

        /// <summary>
        /// Write an integer to the currently opened process
        /// </summary>
        /// <param name="Address">Address to write to</param>
        /// <param name="value">Value to write</param>
        public void WriteInteger(int Address, int value)
        {
            byte[] buffer = BitConverter.GetBytes(value);
            IntPtr writtenBytes = IntPtr.Zero;
            Marshal.Copy(buffer, 0, eightBytes, 4);
            WriteProcessMemory(hProcess, new IntPtr(Address), eightBytes, 4, ref writtenBytes);
        }

        /// <summary>
        /// Write a long to the currently opened process
        /// </summary>
        /// <param name="Address">Address to write to</param>
        /// <param name="value">Value to write</param>
        public void WriteLong(int Address, long value)
        {
            byte[] buffer = BitConverter.GetBytes(value);
            IntPtr writtenBytes = IntPtr.Zero;
            Marshal.Copy(buffer, 0, eightBytes, 8);
            WriteProcessMemory(hProcess, new IntPtr(Address), eightBytes, 8, ref writtenBytes);
        }

        /// <summary>
        /// Write a string to the currently opened process
        /// </summary>
        /// <param name="Address">Address to write to</param>
        /// <param name="value">Value to write</param>
        public void WriteString(int Address, string value)
        {
            byte[] buffer = System.Text.ASCIIEncoding.Default.GetBytes(value + '');
            IntPtr writtenBytes = IntPtr.Zero;
            IntPtr mBuffer = Marshal.AllocHGlobal(buffer.Length);
            Marshal.Copy(buffer, 0, mBuffer, buffer.Length);
            WriteProcessMemory(hProcess, new IntPtr(Address), mBuffer, buffer.Length, ref writtenBytes);
            Marshal.FreeHGlobal(mBuffer);
        }

        private void ProcessExited(object sender, EventArgs e)
        {
            if (sender == ReadProcess)
                isOpen = false;
        }
    }
}

Create a another class in C# and insert the code below. Name it whatever you want.

expandcollapse popup

using System;
using System.Diagnostics;


namespace Hermes
{
    public class MundusBellatorius
    {
        private MemoryReader m_Memory;
        private Process[] m_Process;
        private int m_Interval = 125;
        private bool m_IsStarted = false;

        public int Interval
        {
            get { return m_Interval; }
            set { m_Interval = value; }
        }

        public MemoryReader MBMemory
        {
            get { return m_Memory; }
        }

        public MundusBellatorius()
        {
            m_Memory = new MemoryReader();
        }

        ~MundusBellatorius()
        {
            if (m_IsStarted)
                Stop();
        }

        public bool IsStarted
        {
            get { return m_IsStarted; }
        }
        public bool Start()
        {
            if (m_IsStarted)
                Stop();

            try
            {
                m_Process = m_Memory.GetProcessesByExe("wow.exe");
                if (m_Process.Length == 0)
                    throw new Exception("Unable to locate Mundus Bellatorius.");
            }
            catch (Exception E)
            {
                throw E;
            }
            try
            {
                if (m_Memory.IsOpen)
                    m_Memory.Close();
                m_Memory.Open(m_Process[0]);
                if ((int)m_Memory.Handle == 0)
                    throw new Exception("Unknown");
            }
            catch (Exception E)
            {
                throw E;
            }

            m_IsStarted = true;
            return true;
        }

        public void Stop()
        {
            if (!m_IsStarted)
                return;
            if (m_Memory.IsOpen)
                m_Memory.Close();
            m_IsStarted = false;
        }
    }
}

In a form within the same namespace add .

MundusBellatorius MB = new MundusBellatorius();

For player position create a button in a form and add the following code in the On_Clik event.

DateTime timer = DateTime.Now;
            
            int startsearchX = 0x00400B88;
            int startsearchY, startsearchZ, startsearchRot; // NOT USED
            int offset = 0x1000;

            int knownX = 0x00CD6760;

            if (!MB.IsStarted)
                MB.Start();


            float CurrentLocationX = MB.MBMemory.ReadFloat(knownX);
            float valueSS = MB.MBMemory.ReadFloat(startsearchX);
            while (CurrentLocationX != valueSS)
            {
                startsearchX = startsearchX + offset;
                valueSS = MB.MBMemory.ReadFloat(startsearchX);
            }

            startsearchY = startsearchX + 0x4;
            startsearchZ = startsearchX + 0x8;
            startsearchRot = startsearchX + 0xC;
            int type = MB.MBMemory.ReadInteger(startsearchX + 0x10);

            float x = MB.MBMemory.ReadFloat(startsearchX);
            float y = MB.MBMemory.ReadFloat(startsearchY);
            float z = MB.MBMemory.ReadFloat(startsearchZ);
            float rot = (MB.MBMemory.ReadFloat(startsearchRot) / (float)(Math.PI / 180));
            DateTime end = DateTime.Now;
            long diff = end.Ticks - timer.Ticks;
            
            MessageBox.Show("Player X,Y,Z,Rot found in " + diff.ToString() + " nanoseconds !!!!!!");
            if (MB.IsStarted)
                MB.Stop();

For the mob search

Add a datagridview control to your Form and another button.

In the new button On_Click event method add the following code.

System.Windows.Forms.Timer UT = new System.Windows.Forms.Timer();

            if (!MB.IsStarted)
                MB.Start();
            int valueSS = MB.MBMemory.ReadInteger(StartMemory);
            while (EndMemory != valueSS)
            {
                StartMemory = StartMemory + value;
                valueSS = MB.MBMemory.ReadInteger(StartMemory + 0x8);
            }

            UT.Interval = MB.Interval;
            UT.Tick += new EventHandler(UT_Tick);
            UT.Start();

In the event UT_Tick add the following code.

dataGridView1.Rows.Clear();
            mobcount = -1;
            searchAddress = StartMemory + 0x8;
            Extcho = MB.MBMemory.ReadInteger(searchAddress);
            while (Extcho != 0x00)
            {
                mobcount++;
                searchAddress += 0x001788;
                Extcho = MB.MBMemory.ReadInteger(searchAddress);
            }

            KnownX = StartMemory + 0xB88;
            for (int i = 0; i <= mobcount; i++)
            {
                dataGridView1.Rows.Add(Math.Floor(MB.MBMemory.ReadFloat(KnownX)), Math.Floor(MB.MBMemory.ReadFloat(KnownX + 0x4)), Math.Floor(MB.MBMemory.ReadFloat(KnownX + 0x8)), Math.Floor(MB.MBMemory.ReadFloat(KnownX + 0xC) / (float)(Math.PI / 180)));
                KnownX = KnownX + 0x1788;
            }

Ofc dont forget to have variables declared

int startsearchX = 0x00400B88;
        int startsearchY, startsearchZ, startsearchRot;
        int offset = 0x1000;
        int knownX = 0x00CD6760;
        int searchAddress = 0;
        int Extcho = 0;
        int KnownX = 0;
        int mobcount = -1;
        int StartMemory = 0x00400000;
        int EndMemory = 0x007CF4A8;
        int value = 0x010000;

[JRSmile]

I have used the same variable names that malu05 is using in his code so you will recognise things.

would you be so kind and zip the Project and upload it this would make much faster process possible.

[Periklis]

would you be so kind and zip the Project and upload it this would make much faster process possible.

Ofc i could.

BR

/P

.

[JRSmile]

Ofc i could.

BR

/P

.

thank you very much

[malu05]

I hate living in the dark, so i'd like to ask a few things.

Its all about Memory Addresses.

Seeing the adresses used by malu05 im getting a little bit confused ... not on the actual addreses but most on where they come from. I believe i have a pretty good idea on what is happening.

What i don't get is $knownX, $startsearchX and $offset.

Why is the X position in the memory address of $knownX?

Why are we start searching for $startSearchX with an initial value of 0x00400B88?

Why is our offset jump 0x1000 (4096 in decimal)?

Checking the Mob Scanner code one Wow Object is 0x1788 (6024 Decimal) long. So does that mean that it spans over 6024 consecutive addresses in memory ? For example from address 0 to 6023.

malu05 claims it is 1788 bytes long. Am i missing something here ? 0x1788 is not 1788.

Next question must sound stupid to some of you.

Is every address containing 1 Byte ? And how many Words long is this Byte ?

Are all Objects identical in how they are stored in memory ?

Hehe.. i thought noone really would understand how my scanner works.

Let me make things clear.

How does the Mob Scanner Works?

What i need to declare is;

dim $value = 0x010000 ; This value is the offset used in the scanner (so i dont have to scan each byte, i scan every 10000 (HEX) bytes
dim $StartMemory = 0x00400000 ; There is nothing below 0x00400000 in the memory so we can exclude that from the start. Some locations are stored in +0x10000000 so i can always change this value up to make the scanner faster.
$EndMemory = 0x007CF4A8 ; This is the thing we are scanning for. This is the same on every mob and npc so when and is located +0x8 (hex) bytes after the mainoffset.

while hex($EndMemory) <> $valueSS ; While 0x007CF4A8 is bigger or smaller then the adress scanned, the scanner will continue scanning. If found the scanner will stop.
$StartMemory = $StartMemory+$value ; 0x010000 is added to the seach adress 0x00400000 to define the next area to scan.
$valueSS = hex(_MemoryRead( $StartMemory+0x8, $DllInformation, 'int')) ; The new area is scanned so it can be compared in the WhileStart
WEnd

The same goes for the adress scanner, however note that this scanner is not for finding some readable pointers since there are a few static ones in the adress and i really think you should use them enstead of putting the adress scanner into the app making it take quite some time to find the values on start. (i can send the values to you if you want

I am sory about the "0x1788 is not 1788" thing. What i ment was HexBytes and not Bytes.

And No... the objects are not all indentical when you have the Rotation in there.

All objects use the same X/Y combination. All 3D objects use the same X/Y/Z combination. And some objects have the rotation just after the Z position. And some the scale just after that.

I got the wow!sharp source but i don't understand C code.

One thing i did understand tho is the http://trac.dasm.org/trac/WoWSharp/browser/offsets?rev=102 i found yesterday.

It does give some hints on the memory structure.

[malu05]

@malu05..

there is another set of player info/data struct inside the wow memory, that contains more/easily read information on spawns..

the game has it's own tracking built in (for hunters and miners and those professions)... if you read the memory from those data blocks,

you can easily.. populate it with names.. race.. and if you REALLY wanted to go further into development.. just look at the wow emu sources..

all the packet structures and spawn struct is written and documented there.. client stores the data the same way.. just look at the wow!map stuff

where it would draw spawns (in range that server sends) and draws it real time onto maps..

I initially tried that but failed due to my poor knowledge to C C# and C++

I have not found any amy srouce with documentation, can you send me one (link)? If the structure is the same it should be easy to find.

and as far as warden goes.. warden can be updated anytime to read/detect anything.. including reading/scanning of wow.exe process.. if you read

the actual papers on warden.. you would know it attaches itself globally into your kernal.. and has access to read/scan anything on your pc.. including

running apps.. or anything.. hence there EULA is so.. long and well worded.. they have open access to scan anything they want as long as you

clicked that agree button..

malu05.. if you want more info on the tracking stuff, send me a pm..

I know it can be updated any time, but i dont know any way that i process can figure if another unknown process is reading the process memory and not just slipping like antiVirus does. So aslong as you keep it close warden is no threath i guess.

Edited May 31, 2007 by malu05

[JRSmile]

Like already stated in the main post of this topic the discussion has moved to BeHEAD.de, feel free to join the community its free and more structured then this post.

so long, JRSmile.

Edited May 31, 2007 by JRSmile