WoW Pointer finden...

#1
I read the other thread about pointers and WoW, but nothing useful came out of it in the end, namely the pointer the thread starter wanted....

As the program, Cheat Engine 5.4. What I'm after is getting the pointer for a character's HP. Of course I'm using a test account to experiment... I found the dynamic address in which the HP is stored relatively quickly.. from then on I was at my wits' end.

Unfortunately I'm having trouble entering the offset. In his example it was a plain number, 00000110; in my case the offset is edx * 4, and since it only accepts numbers I simply did 16 times 4 = 58 (calculated in hex), but my pointer still doesn't show my WoW character's HP...

It would be nice if someone helped me... I want to find a pointer at least once.... after that I'll have plenty to do anyway, mana etc. etc.



Bullz is offline  
#2
erm, your WoW isn't running? Oo


4C1D^ is offline  
#3
Can someone translate the original post into English please?
linkinsg is offline  
#4
Yes, I know the screenshot gives a bad impression; I was about to shut the machine down and had closed WoW. Believe me, even when WoW was still running it couldn't find the HP... it would be really nice if someone who plays WoW and has some idea of pointer searching could help me; once I find one myself, I'll search for the rest as well and post them here...

Quote:
Can someone translate the original post into English please?
I will tell you if something interesting comes up; at this time I'm not able to find a pointer in WoW... I hope it will change soon.


Bullz is offline  
#5
Since this is a multi-level pointer, it's not enough to look at just one instruction; you also have to take the instructions above it into account:

Code:
00617AB0  /$ 55             PUSH EBP
00617AB1  |. 8BEC           MOV EBP,ESP
00617AB3  |. 8B41 08        MOV EAX,DWORD PTR DS:[ECX+8]       ; EAX = [ECX+8]; ECX is the pointer passed in by the caller
00617AB6  |. 8B4D 0C        MOV ECX,[ARG.2]                    ; ECX = second argument (the value to be stored)
00617AB9  |. 8B55 08        MOV EDX,[ARG.1]                    ; EDX = first argument (the index)
00617ABC  |. 890C90         MOV DWORD PTR DS:[EAX+EDX*4],ECX   ; store at EAX + EDX*4
00617ABF  |. B8 01000000    MOV EAX,1
00617AC4  |. 5D             POP EBP
00617AC5  \. C2 0800        RETN 8
If you work all of that backwards you get the second-to-last pointer; the last one is in ECX, which you still have to trace back to a static address. Done.
rEdoX is offline  
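An added example to go with the post above (my own code, not rEdoX's and not from the thread): it replays the three relevant instructions over a constructed, word-addressed memory image to show what the pointer chain [ [ECX]+8 ] + EDX*4 looks like and why the last "offset" depends on the index sitting in EDX when the instruction fires. The static address, the object and array addresses, the stored values and the EDX index are all assumptions made up for the example.

```python
# Added example (not from the thread): resolving the multi-level pointer that
# the listing implies, over a constructed word-addressed memory image.
#
#   MOV EAX,DWORD PTR [ECX+8]       ; EAX = [ECX + 8]        (ECX = object pointer)
#   MOV ECX,[ARG.2]                 ; ECX = value to store
#   MOV EDX,[ARG.1]                 ; EDX = index from the caller
#   MOV DWORD PTR [EAX+EDX*4],ECX   ; store to  [ [ECX]+8 ] + EDX*4
#
# The chain is: static -> object (ECX) -> [object+8] (array) -> + EDX*4.
# EDX is whatever the register held when the write happened; read it from the
# debugger in hex. Only EDX = 0x16 gives the offset 0x58; decimal 16 gives 0x40.
# Every address, value and the EDX index below is made up.

STATIC_PTR = 0x00C0FFEE   # assumed: static address holding the object pointer (ECX)
OBJECT     = 0x0A568000   # assumed: dynamic object address (value of ECX)
ARRAY      = 0x0A570000   # assumed: dword array, value of [OBJECT + 8] (EAX)
EDX        = 0x16         # assumed: index observed in EDX when the MOV fired

# Constructed memory: dword address -> dword value (only these dwords are mapped)
MEMORY = {
    STATIC_PTR:       OBJECT,
    OBJECT + 0x8:     ARRAY,
    ARRAY + EDX * 4:  1234,     # the field the instruction writes, e.g. HP
    ARRAY + 0x40:     9999,     # what you land on if you compute decimal 16*4
}

def read_u32(mem, addr):
    """Read one dword; an unmapped read fails loudly like ReadProcessMemory would."""
    try:
        return mem[addr]
    except KeyError:
        raise ValueError(f"unmapped address 0x{addr:08X}") from None

def resolve(mem, base, offsets):
    """Cheat Engine style chain: [[[base] + o1] + o2] ... + o_last (last not dereferenced)."""
    addr = read_u32(mem, base)
    for off in offsets[:-1]:
        addr = read_u32(mem, addr + off)
    return addr + offsets[-1]

def index_offset(edx, scale=4):
    """Offset contributed by an [EAX+EDX*scale] operand for the observed EDX."""
    return edx * scale

def target_from_listing(mem, static_ptr, edx):
    """Replay the listing register by register and return the effective write address."""
    ecx = read_u32(mem, static_ptr)     # object pointer, traced back to a static
    eax = read_u32(mem, ecx + 0x8)      # MOV EAX,[ECX+8]
    return eax + edx * 4                # MOV [EAX+EDX*4],ECX

if __name__ == "__main__":
    chain = resolve(MEMORY, STATIC_PTR, [0x8, index_offset(EDX)])
    print(f"[[0x{STATIC_PTR:08X}]+0x8]+0x{index_offset(EDX):X} = 0x{chain:08X}"
          f" -> value {read_u32(MEMORY, chain)}")
```

In Cheat Engine terms the chain entered as a pointer would be base 0x00C0FFEE, first offset 0x8, last offset EDX*4; the last offset is only a constant for as long as the same index is used, so note the EDX value at the moment the access is caught.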
#6
Ehm, damn, I don't understand a word of it... that's because I really know only a little assembler... can you already tell me the static pointer now? Or can't you, because ECX isn't determined exactly yet?

If you have a result, please post it; with a result in hand you always reach the goal faster when learning...
Bullz is offline  
#7
Just a question...

What does finding the pointer to the HP in YOUR memory get you?

All the damage calculation and HP / MP etc. are stored server-side, and the memory region in your heap only serves to display all of it correctly in your client.

So you can't change anything there anyway. It would only show you something wrong, but you would still die.
Sordi is offline  
#8
Quote:
Originally Posted by Sordi
Just a question...

What does finding the pointer to the HP in YOUR memory get you?

All the damage calculation and HP / MP etc. are stored server-side, and the memory region in your heap only serves to display all of it correctly in your client.

So you can't change anything there anyway. It would only show you something wrong, but you would still die.
As I said, I'm building a bot that is supposed to read the HP; at the moment I do that with pixel colours (if the bar is green it means it's full, not green means e.g. eat) and I finally want to poke around in memory properly...

It would be really nice if someone could help me; I'm sitting in front of WoW trying things out but not finding anything useful.
Bullz is offline  
#9
Alright, but why don't you look in the source of another tool to see where the HP is located?

There are enough of them, aren't there? No need to reinvent the wheel.
Sordi is offline  
#10
Hello,
Here you'll find the source code of a current WoW bot.

It's written in VB.net.

Here is also a VERY interesting post by tttommeke from the Mmo-wned forum.

Introduction

1.0 Memory Reading ?
1.1 Why would you do it ?
1.2 Warden and Ban ?
1.3 Used programs
1.4 Terms
1.5 Value types
1.6 WoW servers and client
2.0 How to find a certain address
2.1 How to find a certain offset
3.0 AutoIT programming
3.1 Why finding Player address ?
3.2 Finding Player address method 1
3.3 Finding Player address method 2
5.0 Author

-- 1.0 Memory Reading ? --

Memory reading? What's that? Memory reading is looking into the memory of a specific program. The use of it?
Finding out stuff that isn't displayed and sometimes isn't even allowed to be seen. In some programs you can find out how the keygen
has been put together and fake it. You can find out stuff that can lead you to a specific point. Like in Warcraft 3 you could
use a sort of fog hack by setting the value where there was fog to true (1) so it would become visible. Also, the memory of a program can be viewed
as a sort of RAM of the program; a lot of dynamic data is stored and changing in there.

-- 1.1 Why would you do it ? --

Memory reading in WoW can sort of be seen as hacking WoW. Not just changing stuff etc. but also seeing where everything is. Let's take an example:
a rogue is in stealth; even with model editing you wouldn't see him, but with memory reading you would, because the player still exists in an area around you,
so when you have his main address you would also find his X Y Z and can find out from that where his location exactly is. Also you can teleport stuff
in-game from one place to another place with memory editing. Doodads etc. have a specific address because they are also loaded by the game.
When you have found out their offsets to their X Y Z you can change these and the doodad will be ported away, and you can walk through it because the
game doesn't see anything there and it isn't solid anymore. So there are really many reasons why you would memory read/edit.

-- 1.2 Warden and Ban ? --

Warden is Blizzard's anti-cheat. Nobody knows 100% for sure what Warden does. But the best hypothesis is that Warden scans your process list
and looks for any programs that aren't allowed. Warden would also look into the memory of WoW and do a sort of check when something changes. When
this change doesn't look valid it will DC or ban you. Programs like Cheat Engine and Tsearch are on their not-allowed list, so be careful with them.

-- 1.3 Used programs --

The only program I use is Cheat Engine 5.3. No, it wouldn't ban you, you just need to set it up correctly. Here are my settings, and until today I
wasn't banned. So I think it is safe. But you can never know 100% for sure.
Settings: 1. Click on Settings and go to the tab Code Finder. In this tab you will find an option: [] Prevent the detection of your debugger. Check this
so it becomes [*] Prevent the detection of your debugger. Then go to the tab Extra; again there are 2 options, [] Stealth Mode (User mode)
and [] Stealth Mode (Kernel mode). Also check these 2 functions. This will set up a rootkit. On some PCs the rootkit causes dead screens (bluescreens), so
think twice before checking it. Why do I use Cheat Engine? Because it contains enough. It scans fast and for most types, plus you can easily do a memory view.

-- 1.4 Terms --

Of course there are some terms in memory reading/editing. These are the best known and most used.
Dynamic addresses => These addresses will change every time you reload your program, like on a restart of it or, in WoW, when changing worlds, login, logout.
Static addresses => These addresses are static for that version. It doesn't matter if you restart the program, the address will stay the same.
Pointers => Pointers are addresses whose value points to another address that always contains a certain subject.
(Like a static pointer that always points to a dynamic address.)
Offsets => Offsets are numbers (mostly written in hex) that always give the same thing when they are subtracted from or added to an address. Like when you
have the player address there is always the same offset to the player's HP.
CE => Cheat Engine
Signature => A signature is a sort of pointer, just called differently. Like the mob signature is the address that points to the first mob in memory.

-- 1.5 Value Types --

Some addresses are best read as a different value type. This can be:
Binary => Maybe you've already seen it somewhere, but a binary value only contains 1 and 0; most of the time WoW isn't using this value.
A binary number contains bits.
Byte => On the computers of this age a byte always contains 8 bits. But just like binary, WoW isn't really using it.
2 Byte => Yeah, double a byte... WoW doesn't use this a lot.
4 Byte => 4 times a byte, and WoW is using this a lot. This is also the standard type in this white paper.
8 Byte => 8 times a byte; WoW is only using this to identify a chunk/mob/player/...
Float => A float is a decimal number like 5465,454 or -10,598. It is used for X Y Z and some other stuff.
Double => A double is like a float, except it is a double precision floating point number rather than a single precision one. (Chazwazza)
Text => Text is a search value for things like the player name.
Array of Byte => Not really using it, but it seems you can see an array of values with this.

-- 1.6 WoW servers and client --

Now you would say that when you have found your HP address you could freeze it so you cannot die. But think again: wouldn't Blizzard think about
this? Of course they do. Some stuff just isn't editable in the client because they do a sort of check. So let's take an example:

Client data -----> WoW servers -----> WoW check -----> Return of data to client.
So when you are changing your HP it will be like:
Client data --HP--> WoW servers --Possible?--> WoW check --Mob is attacking him and did damage but his HP didn't go down--SEND DC--> Client receives a DC code.
This is a sort of hypothesis and can differ from how I explained it here.
So I will name some values you cannot change: PlayerHP/PlayerMana/PlayerAgi,str,.../MobHp/Mobagi,str,...,location,../GMStatus/Spellsdmg/...
But that doesn't mean you can't do anything. You can teleport, move doodads, move chunks, edit chunks, edit doodads,...

-- 2.0 How to find a certain address --

Addresses contain values, so when you want to know a certain address that will always point to a specific value you will need to scan for it!
Let's say you want to know the map number the player is currently in, for your AFK bot or leveling bot or so. Before we can scan we need to
do some research: which locations are which numbers. You would think only Blizzard would know, but too bad for Blizzard, they have also stored it in
their MPQ files (the DBC files with AreaZone or MapZone, I think it was). But when searching on the internet I didn't really see any updated list.
The last list was from 1.9.3, so... I quickly started up some model editing tools and remembered it was stored in engb-local.MPQ.
I extracted a list:
0,Azeroth
1,Kalimdor
13,test
25,ScottTest
29,Test
30,PVPZone01
33,Shadowfang
34,StormwindJail
35,StormwindPrison
36,DeadminesInstance
37,PVPZone02
42,Collin
43,WailingCaverns
44,Monastery
47,RazorfenKraulInstance
48,Blackfathom
70,Uldaman
90,GnomeragonInstance
109,SunkenTemple
129,RazorfenDowns
169,EmeraldDream
189,MonasteryInstances
209,TanarisInstance
229,BlackRockSpire
230,BlackrockDepths
249,OnyxiaLairInstance
269,CavernsOfTime
289,SchoolofNecromancy
309,Zul'gurub
329,Stratholme
349,Mauradon
369,DeeprunTram
389,OrgrimmarInstance
409,MoltenCore
429,DireMaul
449,AlliancePVPBarracks
450,HordePVPBarracks
451,development
469,BlackwingLair
489,PVPZone03
509,AhnQiraj
529,PVPZone04
530,Expansion01
531,AhnQirajTemple
532,Karazahn
533,Stratholme Raid
534,HyjalPast
540,HellfireMilitary
542,HellfireDemon
543,HellfireRampart
544,HellfireRaid
545,CoilfangPumping
546,CoilfangMarsh
547,CoilfangDraenei
548,CoilfangRaid
550,TempestKeepRaid
552,TempestKeepArcane
553,TempestKeepAtrium
554,TempestKeepFactory
555,AuchindounShadow
556,AuchindounDemon
557,AuchindounEthereal
558,AuchindounDraenei
559,PVPZone05
560,HillsbradPast
562,bladesedgearena
564,BlackTemple
565,GruulsLair
566,NetherstormBG
568,ZulAman

Ok, now that we know the map numbers we can easily find what the address is. You could of course choose Kalimdor - Eastern Kingdoms, but these are 1 - 0 and
really a lot of numbers change constantly from 1 to 0 and 0 to 1, so we'd better choose an instance id. I used OrgrimmarInstance because I was really close to
it. First I scanned for 389, ran back to Kalimdor, scanned for 1, then back into OrgrimmarInstance etc. until I had found about +- 10 addresses.
You've got a 99% chance that the map address will be one of these. Now, which one is static? Easy, CE has a function by which a static address
will turn green in the list. But what if you have no CE and just a fast scanner without a static function? Scan for the addresses you suspect, and the
address that gives zero results back (so no other address points to it) is a static address. Most addresses are found this way.

-- 2.1 How to find an offset --

Offsets are a totally different matter than addresses. Most of the time they only occur with dynamic addresses.
So let's think: we have found the dynamic player address at 0x0A568008 and we want to know the offset to his HP. First of all, when you find
out a player address through the player signature you need to subtract 0x8. So the 'basic' address will be 0x0A568000. Now we search for our HP, but
there is no static address for a player address. So let's say we have found out that the HP is stored at 0x0A56824D. So to find the offset we do
the HP address - the basic address. In my example it will be 0x24D as the end result, and that will then be the offset for player HP.

-- 3.0 AutoIT programming --

As some of you may already know, I program in AutoIT. No, AutoIT isn't a new scripting language but one based on another one.
I use the version AutoIT v3.2.10, which already has a lot of features. The AutoIT homepage is AutoIt Script Home Page and for the latest
version you will need to go to: AutoIt v3 - Automate and Script Windows Tasks - For Free!

-- 3.1 Why finding Player address ? --

For a good memory bot you will need to know some stuff like the player's HP and mana. These are like the 2 most crucial things in WoW, because
when you are going to attack a same-level mob with only 5% HP and 5% mana, then you can talk to me again soon ;-). Also from that you can
find his movement state and 'abuse' this for sorta float hacks or swimming in the air,...

-- 3.2 Finding Player address method 1 --

This method is most used by the scripters and it's actually very easy. To this day all WoW versions had a static address for the current player's
location. But there was also still an offset for the dynamic player address. So to find out the player address you would need to do this:
you know the static address and its value. This is the same value as the one at the offset from the player address. So when you are scanning for the
value of the static Z you will surely find the dynamic address of the player. Here you've got a little code:

Code:
#Include <nomadmemory.au3>                       ;Includes the features of Nomadmemory
SetPrivilege("SeDebugPrivilege", 1)              ;Allows the program to look into other programs' memory
; The $-prefixed variable names were lost when this post was copied; the names below are reconstructed.
Const $StaticZ = 0xDBBCDC                        ;The static Z address for WoW 2.3
Dim $Address = 0x07000BF0                        ;Because the offset for Z in 2.3 is 0xBF0 we make it easier this way.
Const $Step = 0x2000                             ;Normally this is called something else, but to make it easier to understand I name it $Step.
                                                 ;We always do $Address += $Step when the values don't match the static Z. I do 0x2000 instead of 0x1000
                                                 ;because a player's address is always 0xxxx8000 or 0xxxx0000.
Const $WoW = _MemoryOpen(WinGetProcess("World of Warcraft"))   ;Opens the memory and enables access to it.
; Upper bound added so the loop ends instead of running off the end of user space when nothing matches.
While _MemoryRead($Address, $WoW, 'dword') <> _MemoryRead($StaticZ, $WoW, 'dword') And $Address < 0x7FFF0000   ;Start the while loop; <> means different from each other
    $Address += $Step                            ;They were different so we need to look at the next one
WEnd                                             ;End of the while
MsgBox(0, "Player address found at :", Hex($Address - 0xBF0))   ;End result with the -0xBF0, so we get the basic address and not the dynamic Z address.
_MemoryClose($WoW)                               ;Release the process handle

So this is one way to find it.

-- 3.3 Finding Player address method 2 --

This is not really a popular method but it also works. As we know, all players have one signature (Patch 2.3: 0x8A22B0). This signature always shows up
at the basic address + 0x8. So when we think twice, you will get a result not only from you but also from the other players. But here is my personal code:

Code:
#Include <nomadmemory.au3>                       ;Includes the features of Nomadmemory
SetPrivilege("SeDebugPrivilege", 1)              ;Allows the program to look into other programs' memory
; Variable names reconstructed as in method 1; only "Playersstart" survived in the copied post.
Const $StaticZ = 0xDBBCDC                        ;The static Z address for WoW 2.3 (for the check)
Const $WoW = _MemoryOpen(WinGetProcess("World of Warcraft"))   ;Opens the memory and enables access to it.
Const $Signature = 0x8A22B0                      ;Defining the player signature
Const $Step = 0x2000                             ;Same as method 1
Dim $Playersstart = 0x07000008                   ;Same as method 1, more or less

While _MemoryRead($Playersstart, $WoW, 'dword') <> $Signature And $Playersstart < 0x7FFF0000   ;Starting the while loop (bounded so it cannot run forever)
    $Playersstart += $Step                       ;Next address
WEnd
If _MemoryRead(($Playersstart - 0x8) + 0xBF0, $WoW, 'float') <> _MemoryRead($StaticZ, $WoW, 'float') Then $Playersstart += 0x8000
MsgBox(0, "Player address found at :", Hex($Playersstart - 0x8))
_MemoryClose($WoW)                               ;Release the process handle
Why did I do that If...Then after the WEnd? And why with 0x8000? Because these days the current player address always ends with 000 or 8000 and never with 4000 or so. So this is just for faster pleasure.


-- 5.0 Author --

The whole white paper has been written by tttommeke, and if you want to use it give credit to him.
This was my first and not my last white paper! You can always check Frostmourne.be for the latest news etc.


BlackFog is offline  
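An added example to go with the white paper quoted above (my own code, not tttommeke's and not from the thread): it runs the two procedures the paper describes, the scan/change state/rescan narrowing from section 2.0 and the player-object search from sections 3.2 and 3.3, over a constructed byte-level memory image instead of the WoW process. Every address, offset, signature and coordinate is an assumption made up for the example (the paper's 2.3 values appear only in comments), and the image deliberately contains a non-player object sitting at the same Z as the player, so you can see what each method returns on that input; on a real target the Memory.read calls would be replaced by ReadProcessMemory and the constants by what CE shows.

```python
# Added example (not tttommeke's code, not from the thread): the searches the
# white paper describes in 2.0 (scan, change state, rescan) and 3.2/3.3 (walk
# object slots and match the static Z or the signature), over a constructed
# byte-level memory image. Every address, offset, signature and coordinate is
# made up; the paper's 2.3 values are quoted only in comments.
import struct

MAP_ID_ADDR = 0x00ABC000   # assumed: static address holding the map id (what 2.0 searches for)
DECOY_ADDR  = 0x00ABC010   # assumed: dword that happens to hold 389 but never tracks the map
STATIC_Z    = 0x00DBBCDC   # assumed: static copy of the player's Z (paper: 0xDBBCDC in 2.3)
Z_OFFSET    = 0xBF0        # assumed: Z offset inside an object (paper: 0xBF0 in 2.3)
SIGNATURE   = 0x008A22B0   # assumed: player signature stored at object+8 (paper: 0x8A22B0)
STEP        = 0x2000       # slot stride the paper uses (objects sit at xxxx0000 / xxxx8000)
OBJ_DECOY, OBJ_OTHER, OBJ_PLAYER = 0x07002000, 0x07008000, 0x07010000   # assumed slots

class Memory:
    """32-bit little-endian image: dict of address -> byte; unmapped reads return None."""
    def __init__(self):
        self.b = {}
    def write(self, addr, fmt, value):
        for i, byte in enumerate(struct.pack('<' + fmt, value)):
            self.b[addr + i] = byte
    def read(self, addr, fmt):
        n = struct.calcsize(fmt)
        if any(addr + i not in self.b for i in range(n)):
            return None                       # like a failed ReadProcessMemory
        return struct.unpack('<' + fmt, bytes(self.b[addr + i] for i in range(n)))[0]
    def mapped_dwords(self):
        return sorted(a for a in self.b if a % 4 == 0 and a + 3 in self.b)

def build_image():
    """Constructed image: a map-id dword plus decoys, and three object slots."""
    mem = Memory()
    mem.write(MAP_ID_ADDR, 'I', 0)
    mem.write(DECOY_ADDR, 'I', 389)                 # survives scan 1, dies on the rescan for 1
    mem.write(0x00ABC020, 'I', 1)                   # constant 1: never matches 389
    mem.write(STATIC_Z, 'f', 123.5)
    mem.write(OBJ_DECOY + Z_OFFSET, 'f', 123.5)     # non-player object at the same Z, no signature
    mem.write(OBJ_OTHER + 8, 'I', SIGNATURE)        # another player: signature, different Z
    mem.write(OBJ_OTHER + Z_OFFSET, 'f', -40.25)
    mem.write(OBJ_PLAYER + 8, 'I', SIGNATURE)       # our player: signature and matching Z
    mem.write(OBJ_PLAYER + Z_OFFSET, 'f', 123.5)
    return mem

# ---- 2.0: find the map-id address by scanning, changing state and rescanning ----
def scan(mem, value, candidates=None):
    """First scan covers every mapped dword; a rescan keeps only surviving candidates."""
    addrs = mem.mapped_dwords() if candidates is None else candidates
    return [a for a in addrs if mem.read(a, 'I') == value]

def narrow_by_rescan(mem, observations):
    """observations: (change-state callable, value the scanner should now find) pairs."""
    survivors = None
    for change_state, expected in observations:
        change_state(mem)
        survivors = scan(mem, expected, survivors)
    return survivors

OBSERVATIONS = [                                    # the paper's walk: OrgrimmarInstance <-> Kalimdor
    (lambda m: m.write(MAP_ID_ADDR, 'I', 389), 389),
    (lambda m: m.write(MAP_ID_ADDR, 'I', 1), 1),
    (lambda m: m.write(MAP_ID_ADDR, 'I', 389), 389),
]

# ---- 3.2 / 3.3: locate the player object ----
def find_player_method1(mem, start=0x07000000, limit=0x07100000):
    """Paper's method 1: first slot whose float at +Z_OFFSET equals the static Z."""
    z = mem.read(STATIC_Z, 'f')
    for cand in range(start, limit, STEP):
        if mem.read(cand + Z_OFFSET, 'f') == z:
            return cand
    return None

def find_player_method2(mem, start=0x07000000, limit=0x07100000):
    """Paper's method 2 with its Z check folded into the loop: signature at +8 AND Z match."""
    z = mem.read(STATIC_Z, 'f')
    for cand in range(start, limit, STEP):
        if mem.read(cand + 8, 'I') == SIGNATURE and mem.read(cand + Z_OFFSET, 'f') == z:
            return cand
    return None

if __name__ == "__main__":
    mem = build_image()
    print("map id candidates:", [hex(a) for a in narrow_by_rescan(mem, OBSERVATIONS)])
    print("method 1:", hex(find_player_method1(mem)), " method 2:", hex(find_player_method2(mem)))
```

On this image the rescan leaves exactly one candidate for the map id, method 1 returns the first slot whose Z matches (here the non-player object at 0x07002000), and method 2 returns 0x07010000 because it demands the signature as well; checking both conditions in the same loop is the cheap way to avoid the +0x8000 guess at the end of the paper's second script.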