Freitag, 26. Juni 2015

[C# / 1.12.1 WoW] Sending packets

We are writing a program for WoW 1.12.1 which should simply kill and loot NPCs. To accomplish that we need to take care that our tool can interact with the WoW client to do everything from targeting a unit to casting attacks.

There are many ways to achieve that

  1. Read the memory and simulate clicks / keypresses 
  2. Write bytes representing ASM instructions to the WoW address space either to modify already existing instructions (ex: Jump from an existing function like EndScene to your own Code) or inject new code to unused memory. This method is used by the old bot I previously released.
  3. Execute your tool as a part of WoW: Jump from a WoW functions to code written in your desired language which is part of your program. Wonder whats the difference to method 2? Read More Updates from this post.

Method 2 & 3 are offering once again different approaches to make something happen inside the game
  1. The easiest: Use DoString to execute Lua functions provided by the WoW api. Most tasks like buff checking can be done with more or less complex scripts.
  2. The time intensive (atleast in my opinion): Find the function which triggers the action you want. This can be very annoying aswell complicated. Just imagine what your bot need to be able to do for a moment: Target units, Interact with units, cast spells, check cooldowns to name only 4. For every functionality you need to find a function inside the WoW address space, reverse it (is it thread-safe? Which calling convention is used? Which parameters are passed? How are the parameters used inside the function?) and implement it.
  3. The most awesome: Find the function responsible for sending packets to the server. Reverse the packet structure and send your own ones.

You asking why I write this post? After being a bit unmotivated lately a discussion started by R4zyel inside the OwnedCore Memory Editing section gave me new ideas. Thanks to namreeb by the way for this epic response (+REP!!!!).

First of all let me tell you why I think that sending packets is the best of the 3 previously mentioned: The client has checks for all kind of stuff to decide if an action is valid before it happens. Incase of sending packets you "ignore" every check and just send your bytes to the server. 
Two little example:
  • Calling a cast function the packet which tells the server that we are casting is only send when all conditions are met: The spell isnt on cooldown. We arent casting anything else right now. We have enough mana and so on. Sending a packet all previous checks are ignored. That doesnt mean that we can cast thousand spells at once by spaming packets: The emulator / server will also validate packets and check if the requested action is possible.
  • Talking about serverside check I have another example: On well known project you could learn more than 2 professions by sending the responsible packets.

So can we also find exploits like this? Indeed! Every packet has a number which tells the server what kind of packet it is. Depending on this number the data attached to the packet is processed by a handler function.
As we send our own packets we dont have to stick to "rules". We can send whatever we want and in conclusion also trigger actions unwanted by the server administration. If only one information inside the packet isnt validated and checked for integrity we may have found a working exploit (example for the profession exploit: The server didnt check if we already had two professions)

## slightly offtopic ##

Now this may be a bit offtopic and not interesting for people who dont care about 1.12.1 WoW projects but above paragraph describes exactly why I chose Kronos over Nostalrius.
The log posted here shows the packets being send in the process of logging into an account to entering the world:
I dont believe that a single project double checked every single packet for possible exploits and even if they did none could guarantee that every possible weakness is found. Having "the ultimate anticheat" and detection of every kind of movement hack is impossible and shouldnt be promised. For example even Nostalrius stil got atleast one teleport exploit which I know of (keep in mind I am also very new to packet related stuff).
It is nice to see how easy people believe everything and dont care to look for an opinion from an experienced person (are people to easy to manipulate?)

## slightly offtopic ##

How do we build our packet? Basically we have a DataStore struct which holds a pointer to a buffer at byte 4 and some other information which we care about later.
The buffer starts with a integer holding the opcode of the packet followed by information depending on the type of packet. A pointer to the struct is then passed to netclient::send which will process it further.

Waiting for code?

Before I go deeper and start to post code I will wait for feedback and correct possible mistakes. I hope everything is clear so far.

Freitag, 12. Juni 2015

Another bot for 1.12.1

When I started this blog I thought I would be one of those bloggers writing a post every second day. Well .... atleast the blog is stil living :)

Since the summer finally arrived at germany I rather spend time working on freerunning instead of programming:

Speaking about programming I have made a few decisions:
The current 1.12.1 bot I work on is getting better everytime I find a minute to work on it and even tho I enjoy playing around with the WoW client this will probably be my last project for WoW since I feel like its time for something new.
The code for the bot will go public but at the moment I am not completely sure how and when. Maybe I will release a closed source version first of all (can be expected within a month).

The custom class used in the video:
Since the video is very short it doesnt show the full potential and all features of the bot but as a first teaser this should be enough.

Also I am open for people who want to help extending the bot. Currently I struggle a lot with path generation between two points with a distance about half of elwynn forest and bigger: