[Guide] How to make a Wow bot for complete newbs!



Hi! My name is Devon and I’m an alcoholic.
Actually I have about 10 days off work and my choices of entertainment were drinking my life away or writing a guide for complete newbs on how to make a bot. So I decided to do both. 

Moving on… 
--Pre Introduction:--

I have spent a long time hopelessly searching the internet to learn everything I needed to know to make a bot. Well, I failed miserably. But to my rescue came a kind person who helped me in my adventure to the stars (or at least the addresses of World of Warcraft). He not only spent his time helping me by showing me stuff in the code I knew best, but he also gave me great direction on where/what to search for on the forums. Because of him I have this knowledge. Thank you ^_^ 

(I do not know if he wants to be named or not.)
Okay so many of you newbies (such as myself) are probably wondering “How the **** do I make a bot”. Well let me start out by saying, you need to know at least some sort of computer language, whether it be C++, C#, Java, or the shit language I use, AutoIt (yeah, yeah… scripting blah, blah, blah… it's shitty blah, blah, blah… learn a real language blah, blah, blah. All in due time). If you do not know a language then you will not understand this at all. So please go learn a language. 



On top of needing to know a language, you need to have a function that can read memory addresses. Whether you make it yourself or not is up to you.



One last thing: I personally do not know everything, as I have just started out. For example, I do not know very much about DLLs, therefore I copy the memory function (from NomadMemory.au3) and a “getwowbase” function provided by my dear ol’ champ I spoke about in the Pre Introduction.
Also, I will be using AutoIt, seeing as it is the language I am currently most skilled in, and it is a fairly simple language so it should be easy enough to translate into your preferred language; I will explain what is happening when necessary.
So let’s get down to it.

--Analogy (sounds like a good time to me)/Terms:--

So …*Deep Breath*… We can compare how we get info from World of Warcraft to our real world. Just like in real life, where there are many objects and creatures, there are many objects and creatures in Wow. We call these (because programmers aren’t creative) “WowObjects”. 

So we say to ourselves we want something from this world and we want to know a characteristic of this “something”. I would first need to know what kind of thing this something is. For example, is it a person or is it a table? Is it a human or is it a dog or a cat? A similar concept applies to Wow. We call this an “ObjectType”. There are 7 types of objects in Wow, listed below:


1 - Items

2 - Containers

3 - NPC's

4 - Players

5 - GameObjects (Nodes etc)

6 - DynamicObjects (Spells and stuff)

7 - Corpses

From: http://www.mmowned.com/forums/world-...e-objects.html (Excellent guide. After you’re done, go check it out)


After we find out our type of world object (say, for example, a human), how would we know which human it is, seeing as there are billions in the world? Well, as I’m sure you already know, this is the reason people have names. So this means if we know a person’s name we can find even more details about that person. Names in Wow memory are called “GUIDs” (Globally Unique IDs), which are in a sense a tag to identify an object. 

After this we have “Descriptors”, which describe (man these programmers are so clever) a WowObject. They kind of act like adjectives in the real world. For example, in the real world if you asked someone how their health was they would say “good” or “bad”. Well in the programming world we don’t use adjectives, we use numbers. So if we had a Descriptor offset for our health it would tell us “health = 100%” or “health = 0% (you dead!)”.



So for good measure and a little overkill I bring you another example analogy.


WorldObject - Rick is describing an “object” that he says is a part of this world. 
ObjectType - He says it’s a dog.
Guid - The dog’s name is Alfred.
Descriptor - Alfred is happy.


(I will go into further detail about these things later)


So now that you get the idea behind it let’s see how they actually work in programming. 



Now to be thorough, I’m going to explain a little bit about how memory works. Memory, or RAM (Random Access Memory), or the little stick you shove into your motherboard to make your computer run, acts as a way to store information from running programs. Think of it as a row of little cubby holes, each of which stores 1 byte of information (a regular int generally takes 4 of them) that your program might need later. 



Well, each little cubby hole has an address so that the program can find that information. The address is written in hexadecimal (or hex for short) and looks something like this: “0x000000”. Hex uses 16 symbols for each digit (0-9 and A-F), so if we increment 0x000009 by 1 we get 0x00000A. 



Memory Cubby Hole picture:

[Image: memorycubbyholes.jpg]

Example math: 


1. 0xF + 0xF = 0x1E

2. 0x5 * 0x5 = 0x19

3. 0xBEAD - 0x4321 = 0x7B8C

4. 0xBEAD + 0x4321 = 0x101CE

5. 0x10000 - 0x1 = 0xFFFF


Offsets in Wow memory reading are used to take an address, change it, and get a new address with (possibly) more information. For example, say I found my player at a dynamic address (the address changes each time the game loads) and I had a function called “GetPlayersAddress()” that returned the dynamic address to me. I could then use a static offset (always stays the same) to get an address that contains the value of, say, my health. 



For Example, say my dynamic address (remember this changes) was 0x000001 and my offset was 0x5. My new address would be 0x000006.

Now the nice thing about this forum is they have a little area called the dump thread, which we will be using, since I will not be going into how to actually get these offsets yourself by reverse engineering Wow. It’s a little too complicated for me at this time.

Now for any bot reading the memory that Wow uses, you will need to know the base address. This is done (from what I’ve seen) by calling a function that uses a couple of DLL calls to walk the modules loaded in the process and find wow.exe. I do understand how this works, I just don’t know enough about DLLs to be able to code it myself. ^_^


So my recommendation would be to search google for a function to get base address of wow in your language of choice.


This is the code in Autoit:

(created by IceFire32 (unless refuted XD))





; GetWowBase: walk the modules loaded in process $PID (Toolhelp32 snapshot) and
; return the base address of Wow.exe, or 0 if it is not found. The Func wrapper,
; the Local declarations, the missing Do/EndIf/EndFunc and the final CloseHandle
; were added so the snippet runs as posted; the API calls are unchanged.
Func GetWowBase($PID)
    ; TH32CS_SNAPMODULE = 8: snapshot of the modules (exe + DLLs) in the target process
    Local $HSNAP = DllCall("Kernel32.dll", "HANDLE", "CreateToolhelp32Snapshot", "DWORD", 8, "DWORD", $PID)

    ; MODULEENTRY32W layout; dwSize must be filled in before the first call
    Local $STMODULE = DllStructCreate("DWORD dwSize;DWORD th32ModuleID;DWORD th32ProcessID;" & "DWORD GlblcntUsage;DWORD ProccntUsage;ptr modBaseAddr;" & "DWORD modBaseSize;HANDLE hModule;WCHAR szModule[256];" & "WCHAR szExePath[260]")
    DllStructSetData($STMODULE, "dwSize", DllStructGetSize($STMODULE))

    ; First module in the snapshot (for a process this is normally the exe itself)
    Local $RET = DllCall("Kernel32.dll", "BOOLEAN", "Module32FirstW", "HANDLE", $HSNAP[0], "ptr", DllStructGetPtr($STMODULE))
    If $RET[0] = False Then
        DllCall("Kernel32.dll", "BOOLEAN", "CloseHandle", "HANDLE", $HSNAP[0])
        Return 0
    EndIf

    ; Walk the module list until we hit Wow.exe or run out of modules
    Do
        If DllStructGetData($STMODULE, "szModule") = "Wow.exe" Then
            DllCall("Kernel32.dll", "BOOLEAN", "CloseHandle", "HANDLE", $HSNAP[0])
            Return DllStructGetData($STMODULE, "modBaseAddr")
        EndIf
        $RET = DllCall("Kernel32.dll", "BOOLEAN", "Module32NextW", "HANDLE", $HSNAP[0], "ptr", DllStructGetPtr($STMODULE))
    Until $RET[0] = False

    ; Not found: always release the snapshot handle
    DllCall("Kernel32.dll", "BOOLEAN", "CloseHandle", "HANDLE", $HSNAP[0])
    Return 0
EndFunc




This is where we get into the juicy stuff. The object manager is what we walk through memory to find our player's memory location, and using some offsets we can then find most things we want to know about our player, or any other object for that matter.


So first thing we need to do is get a couple of addresses and offsets from the latest patch dump thread that the mmowned community was nice enough to share with us.



; We make them Global so that every function can access them and Constant so they cannot be changed by the program



;The first two are used to create your manager from Wow's base address


Global Const $ClientConnection = 0x8BF1A8

Global Const $CurMgrOffset = 0x462C

;The next one is to get the address of your first object ONLY


Global Const $FirstObjectOffset = 0xB4
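To show how the pieces above fit together (base address, pointer chain, object type, GUID, descriptor read at an offset), here is an added Python example. It is not part of the original post and is not the game's code or any bot's code. It builds a small constructed memory image with a made-up layout: the constants CLIENT_CONNECTION, CUR_MGR_OFFSET, FIRST_OBJECT_OFFSET, the per-object field offsets and the descriptor offsets are assumptions chosen for this toy (not the real offsets from the dump thread), and the GUIDs and health values are constructed sample data. Every read is bounds-checked and the list walk is capped, because a stale offset after a patch or a corrupted next pointer is exactly where code like this first goes wrong.

```python
"""Toy walk of an object-manager style linked list inside a constructed
memory image.  Added example: the layout and every offset below are made up
for illustration and are NOT the game's real memory layout or offsets."""
import struct

IMAGE_BASE = 0x1000           # address the constructed image starts at (assumed)
IMAGE_SIZE = 0x400

# Hypothetical pointer chain, in the spirit of ClientConnection -> CurMgr -> first object
CLIENT_CONNECTION = 0x10      # base + this -> pointer to the connection struct
CUR_MGR_OFFSET = 0x20         # connection + this -> pointer to the object manager
FIRST_OBJECT_OFFSET = 0x10    # manager + this -> pointer to the first object

# Per-object field offsets (constructed for the toy)
OBJ_TYPE = 0x00               # u32 object type (1..7 as in the list above)
OBJ_NEXT = 0x04               # u32 pointer to the next object, 0 terminates the list
OBJ_GUID = 0x08               # u64 GUID
OBJ_DESCRIPTORS = 0x10        # u32 pointer to the descriptor block
DESC_HEALTH = 0x00            # descriptor block offsets (constructed)
DESC_MAX_HEALTH = 0x04

TYPE_NAMES = {1: "Item", 2: "Container", 3: "NPC", 4: "Player",
              5: "GameObject", 6: "DynamicObject", 7: "Corpse"}


def read_u32(mem, addr):
    """Read a little-endian u32 at an absolute address; a wild pointer fails loudly."""
    off = addr - IMAGE_BASE
    if not 0 <= off <= len(mem) - 4:
        raise ValueError(f"address {addr:#x} is outside the image")
    return struct.unpack_from("<I", mem, off)[0]


def read_u64(mem, addr):
    """Same bounds-checked read for a 64-bit GUID."""
    off = addr - IMAGE_BASE
    if not 0 <= off <= len(mem) - 8:
        raise ValueError(f"address {addr:#x} is outside the image")
    return struct.unpack_from("<Q", mem, off)[0]


def build_image():
    """Construct a fake process image: base -> connection -> manager -> 3 objects."""
    mem = bytearray(IMAGE_SIZE)
    conn, mgr = IMAGE_BASE + 0x100, IMAGE_BASE + 0x140
    objs = [IMAGE_BASE + 0x200 + i * 0x40 for i in range(3)]
    descs = [IMAGE_BASE + 0x300 + i * 0x20 for i in range(3)]
    struct.pack_into("<I", mem, CLIENT_CONNECTION, conn)
    struct.pack_into("<I", mem, conn - IMAGE_BASE + CUR_MGR_OFFSET, mgr)
    struct.pack_into("<I", mem, mgr - IMAGE_BASE + FIRST_OBJECT_OFFSET, objs[0])
    # Constructed sample objects: (type, guid, health, max_health)
    sample = [(3, 0xF130_0000_0000_0001, 37, 120),
              (4, 0x0000_0000_0000_0042, 100, 100),
              (5, 0xF110_0000_0000_0007, 0, 0)]
    for i, (otype, guid, hp, max_hp) in enumerate(sample):
        o = objs[i] - IMAGE_BASE
        struct.pack_into("<I", mem, o + OBJ_TYPE, otype)
        struct.pack_into("<I", mem, o + OBJ_NEXT, objs[i + 1] if i + 1 < len(objs) else 0)
        struct.pack_into("<Q", mem, o + OBJ_GUID, guid)
        struct.pack_into("<I", mem, o + OBJ_DESCRIPTORS, descs[i])
        d = descs[i] - IMAGE_BASE
        struct.pack_into("<I", mem, d + DESC_HEALTH, hp)
        struct.pack_into("<I", mem, d + DESC_MAX_HEALTH, max_hp)
    return mem


def first_object(mem):
    """Follow the chain base -> ClientConnection -> CurMgr -> first object."""
    conn = read_u32(mem, IMAGE_BASE + CLIENT_CONNECTION)
    mgr = read_u32(mem, conn + CUR_MGR_OFFSET)
    return read_u32(mem, mgr + FIRST_OBJECT_OFFSET)


def walk_objects(mem, limit=1000):
    """Yield (address, type, guid) for each object; the cap stops a cyclic
    or corrupted next pointer from looping forever."""
    addr, seen = first_object(mem), 0
    while addr != 0 and seen < limit:
        yield addr, read_u32(mem, addr + OBJ_TYPE), read_u64(mem, addr + OBJ_GUID)
        addr = read_u32(mem, addr + OBJ_NEXT)
        seen += 1


def find_by_guid(mem, guid):
    """The GUID is the object's 'name': return its address or None."""
    for addr, _, g in walk_objects(mem):
        if g == guid:
            return addr
    return None


def read_descriptor(mem, obj_addr, field):
    """A descriptor is the 'adjective': the value lives at descriptor_block + field."""
    return read_u32(mem, read_u32(mem, obj_addr + OBJ_DESCRIPTORS) + field)


if __name__ == "__main__":
    image = build_image()
    for addr, otype, guid in walk_objects(image):
        print(f"{addr:#08x} {TYPE_NAMES.get(otype, '?'):<13} guid={guid:#018x}")
    player = find_by_guid(image, 0x42)
    print(f"player at {player:#x}: health {read_descriptor(image, player, DESC_HEALTH)}")
```

Running it lists the three constructed objects with their type names and GUIDs and then prints the player's health read through the descriptor pointer. The same discipline, bounds-checked reads at struct_base + offset and a capped list walk, is what you want whenever structures are carved out of a memory dump, whether for a game object list or for a forensic image.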

