We write a bot for MMORPG with assembler and draenei. Part 4.5

Hi% username%! We will make a small stop to dot the “and”, understand what's what and how it works. Recently, I received a lot of questions related to offset for various versions of World of Warcraft, many suggestions on how to implement the injection of third-party instructions in the gameplay and now it's time to discuss it all. If you have any questions or suggestions, welcome under the cat!

Disclaimer: The author is not responsible for your use of the knowledge gained in this article or damage as a result of their use. All information here is for educational purposes only. Especially for companies developing MMORPG, that would help them to fight with the bot. And, of course, the author of the article is not a botmaster, not a cheater, and never was.

---

Content

1. Part 0 - Search for a code injection point
2. Part 1 - Implementing and executing third-party code
3. Part 2 - Hide the code from prying eyes
4. Part 3 - Under the gun World of Warcraft 5.4.x (Structures)
5. Part 4 - Under the gun World of Warcraft 5.4.x (Moving)
6. Part 5 - Under the gun World of Warcraft 5.4.x (Casting Fireball)

1. Questions and Answers
The most frequently asked question is “why assembler?”. It seems that people with a word assembler starts a panic attack, lays their ears and turns off the brain. No need to be afraid of him so much, he is not so scary. After all, what could be simpler than asking the program itself to perform its own function and result put at the index that you know? No need to reinvent the wheel, I use what I have. See how easy it is to call the internal function DoAnythingFunction with the pointer DoAnythingFunctionPointer on it in assembler

"call " + GetAnyGameObjectFunctionPointer, "push " + argument3Pointer, "push " + argument2Pointer, "push " + argument1Pointer, "push " + argument0Pointer, "mov ecx, eax", "call " + DoAnythingFunctionPointer, "retn" 

GetAnyGameObjectFunctionPointer - returns us any object, a pointer to it will be placed in eax
argument [N] Pointer - a pointer to the Nth argument for DoAnythingFunction .

Then comes the question of DLL injection. On a battle.net server, this is a potentially dangerous method, since Your DLL may go to the security department. After all, this is the most common approach both in cheating and in bot breeding to implement its DLL. And remember, the popularity of the approach is directly proportional to the probability of being caught.
')
The next question is “why not c ++?”. This is a matter of taste. If you can do better and faster in c ++ - do it, but at the moment, I have not seen anything other than unconstructive criticism of the approach. Not a single implementation example in c ++. After all, it is strange when everyone can and no one does.

Another interesting question is “why not x64?”. If you raise 4 virtuals from win7 x86 and run the bot on each one, they will consume less resources from the host machine than win7 x64. Well, in general, I indifferent on what platform the bot runs, and he too. This question will be relevant when writing cheats, when you play.

For all other questions, the answer will be: "Over the past 4 years on the battle.net server, I have never received a ban or warning"

Concerning errors in the code and posts. Yes, I have typos and errors, like all of you, and if you notice them, you should not wave them like a flag on the red square in the parade, just send me a personal message and I will definitely correct it. This will demonstrate not only your attentiveness and knowledge, but also politeness and good manners. It’s as if, during a meal, a man’s beard has a sauce or the food itself. Do you think it is right at the table to discuss how conceptually it hung?

2. Offset search
To search for offsets, I prefer to search by mask. Naturally, the best way to find a pointer to a function is debugging and only it will give a 100% guarantee that you have found exactly what you need. But this process can be very tedious and time consuming, and how for newbies in 5 articles to explain about debugging, breakpoint and disassembler, when almost nothing is clear, as I noticed. Therefore, I use the search mask in the article. Let's look at everything with an example. To start, download 2 different Wow.exe files, one major version (I took 5.4.7 17898 and the WowCircle-32.exe client 5.4.7 18019). Our task is to find the offsets for Morpher with the offsets for 17898 known to us:

 CGUnit_C__UpdateDisplayInfo = 0x42E3A8, CGUnit_C__OnMountDisplayChanged = 0x42E193, CGUnit_C__UpdateScale = 0x424AE3, 

Open in IDA Wow.17898.exe, wait until it loads, scroll to the very top, look at Imagebase = 400000 and remember this value.

Then press G and go to the address CGUnit_C__UpdateDisplayInfo + Imagebase = 0x82E3A8

Open it in Hex-View by pressing Alt + 3, copy the first 15 bytes - these are the first 8 instructions in the function that will not change when compiled, i.e. avoid commands like jxx xxxx, push offset xxxx, call xxxx, xxx dword_xxxx, etc.

After all, launch the new IDA instance already for the file being examined, press Alt + B, enter the copied byte sequence and look for Ctrl + B, if anything is found, then you need to compare it with the original.

As you can see, these functions are identical, except for pointers to them. For accuracy, press Ctrl + B again and if nothing is issued, then an offset is found. Everything can be much more complicated when the first 15-20 bytes in the function changed during compilation. In this case, you can search in it a static piece that does not contain labels and transitions, or you will have to replace some bytes with questions in the search pattern. Here is an excerpt from the IDA Search Help:

CD 21 - bytes 0xCD, 0x21
21CD - bytes 0xCD, 0x21 (the order depends on the endiannes)
"Hello", 0 - the null terminated string "Hello"
L “Hello” - 'H', 0, 'e', ​​0, 'l', 0, 'l', 0, 'o', 0
B8 ???? 90 - byte 0xB8,4 bytes with any value, byte 0x90

For example, to search for CGUnit_C__UpdateScale, I will take not the first 15 bytes, but from the 21st to the 35th, since there are no unwanted instructions. You can also use the IDA plugin MakeSig for these purposes.

PS If someone has the strength and desire to write an article about how to look for debugging function addresses, I would be grateful
PPS Errors and typos in a private message