Now, see, these guys were bugging me last night at the conference. We were having this party over a purer, and they said I had to tape a 40-oz to my hand. Duct tape it. But see, I didn't get home until about 6 in the morning, and I went to bed, and I woke up at 10, and I was still drunk. So what I decided to do is I slammed a couple of Bloody Marys before I got here, and I'm feeling kind of jiggy. So I don't think I want to tempt fate by having a 40-oz taped to my hand. So for all you guys that knew that was the deal, I'm sorry, I'm not going to do it.

Alright, so now that we got that out of the way, welcome to my talk, Exploiting Online Games for Cash. I've been doing some World of Warcraft hacking, so we're going to pick on Blizzard software, but these techniques could be used for all kinds of different things. I have 125 slides, there's no way in hell I'm going to get through them all, so I'm going to go really fucking fast. So I hope you don't mind. I have one video of a PvP bot that I will show you towards the end. So let's get started.

Why am I hacking games? Well, because it's really fun, that's why. People are way more interested in games than they are in firewalls, as I found out when my book completely sold out in pre-orders into September, and that was the first printing. So I was realizing, wow, this gaming is really cool. They're really complex. World of Warcraft, for example, is probably one of the most complex targets I've ever had to reverse engineer in my life. There's a healthy community of game hackers that are not the same community as the security community, but they're equally as skilled in reverse engineering, probably more so in some ways. And the real reason we're having this talk today is because computer gaming is a big business. There's some kind of tracking by Moore's Law almost going on with MMOs at this time. Microsoft reports that gaming is the third most common activity on the platform, right behind web and e-mail.
That's a pretty big deal. It's measured in billions.

Why do we cheat? Why do I cheat? I cheat because I suck at games. That's why I cheat. I like having an unfair advantage over people, and I especially like doing that with a six-pack of beer. Cheating makes it more fun for me to play the game, and with games like World of Warcraft, there's a lot of grinding involved, a lot of repetitious things. And what I discovered is I can't compete with 15-year-old kids when their moms make them dinner and bring it in to them. I have a real job, and I can't have my level 70 guy leveled up in 15 days like they can, so hey, I want to do something to kind of give me a little bit of an edge. There's another reason you might be considering doing this: so you can actually make money. So this is sort of like a miniature business plan. What I'm going to show you is how to farm gold in World of Warcraft and make $350,000 a year. I'm going to show you the numbers.

We already know what MMOs are. I don't need to talk about that. MMOs and money, most of you probably know this, but there's actually an exchange rate between in-game currency, play money, and real money. Right now, that's about three cents per hundred gold in a wholesale market if you're going through an affiliate program. If you're on a retail site like IGE.com, that's about ten cents a gold. They're charging you. You can actually go retail if you want to, but then you've got to deal with all the marketing of your site and stuff. So it's actually just easier to wholesale your gold through a reseller or affiliate program. The secondary market in virtual items is probably close to a billion dollars. It was 600 million in 2005, so I assume it's only getting larger. That's an aftermarket traded in virtual items that don't exist anywhere except in a SQL database. Here's a screenshot, and I have a link here for a YouTube video that you can watch talking about Chinese farming.
It's just a little documentary showing the sweatshops in China and the Philippines and how they basically slave all day long, but you take this as a bad job. No, these guys like doing this. They'd rather have this job than work in the Nike factory down the road. They make about six dollars a day doing this job.

Now, if you make a bot, these are current standards. I'm familiar with several bots that are currently being used commercially. These are not bots that Blizzard is aware of. Otherwise, Warden would have already banned them. These bots are private, and they're sold commercially to Chinese farmers. They farm about 400 gold per character in every eight-hour shift. They run two shifts a day. Each admin, that's the guy making six bucks an hour, can manage about 15 of these bots. The better the bot, the more you can manage. It scales your operation. Two shifts a day, two bots per computer, usually running Windows 2000, because Windows 2000 runs better than Windows XP. It doesn't take up as much memory, and they can use these cheap old computers and get two WoW accounts running at a time. At any given time, some of the largest farmers in China have 1,000 simultaneous WoW accounts logged in at that moment in time, to give you an idea of the scale of the operation.

Four admins, 30 computers, 60 bots, that's 1,600 gold per day per computer. That means that your farming operation on 30 computers is generating 48,000 WoW gold per day output. That is a standard, and that's normal. Wholesale that for $3 for every 100 gold. That's approximately $1,400 a day in gross income. You pay your expenses. You can see I have a little breakout there, rent, bandwidth, et cetera. Assume basically you got $1,000 a day in profit. Times that by 365, and now you know how you're making $365,000 a year farming gold in WoW. Now I haven't counted something in here that's really important. There is an attrition rate due to banning.
If your bot is undetected, which it needs to be to even do this business, then hopefully that attrition rate's not too much of a problem, but it does happen, and I actually don't know what the figures are on the attrition rate.

Now let's talk about the current design of the farming bots. Everything is waypoint driven. You put it in record mode, and you run your character through what's called a patrol path. Then you connect that patrol path to the vendors through a vendor path, and you also go to the graveyard and you record one path that goes from the graveyard out to your patrol path. So if you die, your ghost will run back, find the body, and resurrect. The bot will actually run all the way back into town, and it will automatically repair all the items when they need to be repaired. It'll dump off all the loot. It has a loot filter. Gray items, for example, won't be picked up unless you want them to be. Green or above goes to a mule account. Those get muled in the mailbox. This is all occurring completely and totally automatically. The mule account picks up the green items, and the admin goes and dumps those on the auction house. Total output, 400 gold per day.

Now, most of these farming bots are private variants of systems like WoWSharp. Has anybody ever seen or heard of WoWSharp before? Okay, you know the guy that wrote this open sourced it and released it. So a bunch of guys went out and made private versions of this thing, compiled differently so that Warden couldn't detect them, and they're still in operation. That's one of the ways that the Chinese farmers work. Here's some different features. I already talked about this. Oh, auto detection. This is kind of cool. It can detect if somebody's following your character. So this is one of the admin's jobs.
He has to watch not only whether the bot's fouling, getting stuck on something, but also make sure that it's not alerting him that there's a GM present in the chat channel or there's a particular NPC that's been following him for a given amount of time. So these features are built in to help keep you from being called out and detected.

It takes a lot of money to make a level 70 character in World of Warcraft. It's over $100 in investment per level 70. So it costs a lot to lose them. Plus it takes about 15 days of leveling with the bot to reach level 70 in the first place. So the nice thing about that is you can buy the game and use the free first month that comes with the game to level up to 70. The next thing you do is you drop that level 70 character on something like eBay and try to sell it for $500, and then you use it as a farming account until you sell it. That's the basic idea. Oops, I went up and stood it down.

All right, here's some things not to do. Don't use ISXWoW. A whole bunch of people in the botting industry over the last three months have been banned, banned and banned again. We're talking like really hardcore hits. Their business is probably going to go down. Bans are so bad. All of them based on ISXWoW. Don't believe anything you read on their websites about how it's stealthy. It's not, because I'm seeing it. They're getting banned over and over again. That is not a private bot. Don't use WoW Glider. How many people here have had a WoW Glider account? How many people have been banned? How many people have been banned at least once? Come on, two. That's it? I've lost over $400 in banned WoW accounts at this point in time. Don't use WoWSharp, even though I just mentioned it is being used. It's being used with a lot of changes. So unless you're prepared to make those changes yourself, you'll probably get caught. Don't transfer 1,000 gold of your own to some level one IGE mule account. Guaranteed banning next day.
And don't do what I did and accidentally forget that you're not supposed to be in Old Ironforge, and ask in chat, how do I get out of here? GM comes online and bans you.

So I'm basically making the point that public botting is dead. Even hardcore ring-zero tricks like I was presenting last year in my Hacking World of Warcraft talk at Black Hat, that's a lot of money, basically money and time that you can invest. If you release that as a public tool, even if Warden isn't going into ring zero, there's probably something we missed and they'll figure out a way to detect you. God knows how, but then boom, all your investment's lost. The other thing is Blizzard doesn't always use Warden to detect people. It uses accounting forensics to detect people, too. Those are very simple SQL queries taking place in their database, and they just go through there and they can find all kinds of interesting things, things that are very unnatural about a normal player. So every public bot so far has been detected. History has shown this. Mass bannings have occurred. Learn and don't do it.

So what is forensic accounting? Just ask Darius Kazemi and give him a copy of GraphViz and he'll tell you how it works. He will go in there and tell you who transacts with who. If there's an IGE account, level one, he knows it's a mule, and if you talk to that account or move some gold to it, he knows that. Same quest completed 150 times in four days. Okay, that's probably a problem. Large numbers of accounts all to the same credit card. Bad idea. And everything's really about gold. You transfer a large amount of gold between accounts, that's going to stick out. If you have a large amount of gold above the median average for that character class and level that you're at, that's going to stick out. You might be a guild leader and you get by because you're supposed to be the accountant and you have all the gold. That's fine.
But if you hold on to gold for a very short time, you move it between accounts, those are the things that are going to stick out. And those things you can't hide from with Warden tricks; those are things that are just going to be in their database no matter what. You can pull off some interesting tricks. You can try to move things through the auction house, sell a really dumb item like a piece of linen for 10,000 gold and try to move it across the auction house. But that stuff's all tracked, too. Gold acquisition records mark where every piece of gold comes from and where it goes, and those are stored. They do not throw it out.

Now, why doesn't Blizzard actually ban people? They say they ban people. That's like a public image. They actually like botting. If they banned people, they would lose 6 million of their 10 million accounts, because their 10 million players is kind of a big lie. Something like 6 million of those are in China. In China, the game is played by the hour. You pay for every hour you're logged in. It's unlike the way they do it here in the West. So they want to keep people logged in as much as possible. There are only about 2 million people here in the U.S. that play WoW, according to the records that I have. There's a link to the article in case you want to check it out.

Now, what is a ban all about? A ban isn't done because they want to get rid of players. A ban is done because they want to make more money in the next couple of weeks for their balance sheet. When they ban people, everyone they ban goes out and buys new accounts. There's a direct, measurable influx of cash immediately after every ban. If you don't believe me, ask yourself, how come they don't ban by IP address range? I've been banned so many times, and they've never used my credit card as a banning tool. Every time I make a new account, I use the same credit card. Why don't they just immediately ban me? Oh, there's Greg again. Kill him. No, they want my money.
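The accounting-forensics checks the talk describes (gold moved into a level-one mule account, the same quest turned in 150 times in four days, many accounts bought on one credit card, gold far above the median for a class and level, and gold held only briefly before being moved on) are all simple queries over economy records. The Python below is an added example written for this page, not the speaker's code and not anything from Blizzard; the account, transfer and quest-completion records are constructed sample data, and every threshold is an assumption chosen to make the sample trip each check.

```python
"""Constructed demo of 'accounting forensics' over in-game economy records.
All accounts, transfers and quest records below are made up for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

T0 = datetime(2007, 8, 1, 9, 0)  # constructed base timestamp

# account id -> attributes (constructed sample data)
ACCOUNTS = {
    "acct_a": {"level": 70, "cls": "warrior", "card": "card-1", "gold": 9000},
    "acct_b": {"level": 70, "cls": "warrior", "card": "card-2", "gold": 400},
    "acct_c": {"level": 70, "cls": "warrior", "card": "card-3", "gold": 350},
    "acct_d": {"level": 68, "cls": "warrior", "card": "card-3", "gold": 500},
    "mule_1": {"level": 1, "cls": "rogue", "card": "card-1", "gold": 12000},
    "acct_e": {"level": 70, "cls": "warrior", "card": "card-1", "gold": 300},
    "acct_f": {"level": 70, "cls": "warrior", "card": "card-1", "gold": 280},
    "acct_g": {"level": 70, "cls": "warrior", "card": "card-1", "gold": 320},
}

# (timestamp, sender, receiver, gold) - constructed gold-transfer records
TRANSFERS = [
    (T0, "acct_a", "mule_1", 1000),                                  # into a level-1 mule
    (T0 + timedelta(hours=1), "acct_c", "acct_b", 800),              # acct_b receives...
    (T0 + timedelta(hours=1, minutes=10), "acct_b", "acct_d", 800),  # ...and forwards it
    (T0 + timedelta(hours=2), "acct_e", "mule_1", 50),               # small, below threshold
]

# (timestamp, account, quest) - constructed quest-completion records:
# acct_a turns in the same repeatable quest every 30 minutes for about 75 hours,
# acct_b does the same quest once a day, which is normal play
QUESTS = [(T0 + timedelta(minutes=30 * i), "acct_a", "q_eggs") for i in range(150)]
QUESTS += [(T0 + timedelta(days=i), "acct_b", "q_eggs") for i in range(4)]


def accounts_per_card(accounts, max_per_card=3):
    """Flag payment cards that back more accounts than a normal player would buy."""
    by_card = defaultdict(list)
    for acct, attrs in accounts.items():
        by_card[attrs["card"]].append(acct)
    return {card: sorted(accts) for card, accts in by_card.items() if len(accts) > max_per_card}


def transfers_to_mules(accounts, transfers, mule_level=5, min_gold=100):
    """Flag sizeable gold transfers into throwaway low-level accounts."""
    return [(ts, src, dst, gold) for ts, src, dst, gold in transfers
            if accounts[dst]["level"] <= mule_level and gold >= min_gold]


def pass_through_accounts(transfers, max_hold=timedelta(hours=1), min_gold=500):
    """Flag accounts that forward a large incoming sum within max_hold of receiving it."""
    flagged = set()
    incoming = [(ts, dst, gold) for ts, _, dst, gold in transfers if gold >= min_gold]
    outgoing = [(ts, src, gold) for ts, src, _, gold in transfers if gold >= min_gold]
    for t_in, acct, gold_in in incoming:
        for t_out, src, gold_out in outgoing:
            if src == acct and t_in < t_out <= t_in + max_hold and gold_out >= gold_in:
                flagged.add(acct)
    return sorted(flagged)


def repeated_quests(completions, window=timedelta(days=4), limit=50):
    """Max completions of one quest by one account inside any sliding time window."""
    by_key = defaultdict(list)
    for ts, acct, quest in completions:
        by_key[(acct, quest)].append(ts)
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):          # two-pointer sliding window
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best > limit:
            hits[key] = best
    return hits


def gold_outliers(accounts, factor=5, min_group=3):
    """Accounts holding far more gold than the median for their class and level."""
    groups = defaultdict(list)
    for acct, attrs in accounts.items():
        groups[(attrs["cls"], attrs["level"])].append(acct)
    flagged = []
    for members in groups.values():
        if len(members) < min_group:          # too few peers for a meaningful median
            continue
        med = median(accounts[a]["gold"] for a in members)
        flagged += [a for a in members if accounts[a]["gold"] > factor * med]
    return sorted(flagged)


def run_forensics(accounts=ACCOUNTS, transfers=TRANSFERS, completions=QUESTS):
    """Run every check and return the findings keyed by check name."""
    return {
        "shared_cards": accounts_per_card(accounts),
        "mule_transfers": transfers_to_mules(accounts, transfers),
        "pass_through": pass_through_accounts(transfers),
        "repeated_quests": repeated_quests(completions),
        "gold_outliers": gold_outliers(accounts),
    }


if __name__ == "__main__":
    for name, finding in run_forensics().items():
        print(name, finding)
```

On the constructed data, card-1 is flagged for backing five accounts, the 1,000-gold transfer into mule_1 is flagged while the 50-gold one is not, acct_b shows up as a pass-through, acct_a trips both the repeated-quest and gold-outlier checks, and the once-a-day quester does not. None of this depends on anything running on the player's machine, which is the speaker's point about what Warden tricks cannot hide.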
Here's what a ban does. Approximately 50% of the banned accounts are repurchased shortly afterwards. You can measure that at about a half million to two million dollars in income. When they need the money on the balance sheet, time to do a ban. Boom. Now think about that. Public image and what really happens in the boardroom behind the scenes. Alright, so that's that. There's a little influx there about how the gaming thing came to be.

Let's talk about some DMCA stuff. Hey, when is my talk over, by the way? Ten of. Ten of? Okay, I'm going to go pretty fast here. Now, I don't like the DMCA. Most of you probably don't like it either. Let's talk about this because it has legal ramifications for our business plan. You know that Blizzard likes to sue people. Alright, they go on, they threaten people all the time. So that would probably happen if you had a public bot and they were aware of it. If you do this kind of business, you will be violating the end user license agreement and terms of service. You need to avoid getting hit with the DMCA bat. Even though botting has nothing to do with copyright violations, Sonnenschein Nath & Rosenthal, or whatever the hell their name is, is going to try to figure out how to make the DMCA apply to your bot because they do it. That's their job. They're doing it right now to Michael Donnelly and they'll do it to you.

EULAs are not laws. So breaking a EULA does not mean you're breaking the law. It might be a misconception that you have. A EULA is only a contract. The best they can do is take you to court and try to sue you for violation of that contract. Now, Sonnenschein, they've become experts at trying to make copyrights apply to pretty much everything. Their latest trick I'm aware of is they're trying to make the launching of the wow.exe executable a violation of the DMCA, because launching WoW is the same to them as making a copy of the CD, because it's the same bits. So launching the program is a violation of the DMCA.
And that's what they pulled on Michael Donnelly. You're going to have to actually do some reverse engineering in order to make a bot. For example, you'll have to locate the XYZ coordinates in memory, maximum hit points, what spell is currently active, the structure of the player character, class, et cetera, yada, yada, yada. All right, so you are going to break the EULA when you do that. But nothing about XYZ coordinates has anything to do with making an illegal copy of WoW. But they're going to try to make that stick somehow. It's really ridiculous. So with the WoW Glider case and Michael Donnelly, they're trying to protect RAM as if it were actually a copy of the CD. And there's a link to the rootkit.com article that talks more about that. And we just talked about that too. Oh, but there's an interesting side note. How does Microsoft not violate the DMCA when Explorer.exe launches WoW when you double click it on the desktop, then? They call this the copyrighted WoW gaming environment. You can read that in the documentation, and they have that.

Here's some common stuff that EULAs will throw out to you. Don't criticize this product in public. Don't reverse engineer, obviously. If you use this product, you will be remotely monitored, hence Warden. Don't use this product with other vendors' products. By signing this contract, you also agree to every future version of it. That's my personal favorite. They're going to send new versions of the EULA that you're not even aware of yet and you've already agreed to it just because you agreed to the first one. And of course, they're never responsible if anything bad happens to your computer. So here's Blizzard's EULA. Your computer's RAM is monitored and will communicate information back to Blizzard. Here's Gator Corporation's EULA. Gator is a piece of spyware, by the way, and they have a 63-page EULA in their spyware. And it says that it is illegal for you to uninstall it. This is also in their Gator EULA.
It's also illegal for you to sniff the traffic going back to its server. In other words, it's illegal for you to run Ethereal to determine what it's stealing from you. Microsoft FrontPage has a funny one. You can use FrontPage, but you can't use FrontPage to build a website that talks bad about Microsoft. This one's funny because this is a virus, and the virus came with a EULA that would actually pop up, and you know how typically a user doesn't pay attention, they just click through. If you said yes, it would actually go through your email contacts and mail a copy of itself to all your friends. And the EULA specifically allowed that if you had hit OK, so they didn't break the law. And this is my personal favorite, iTunes. At any time we may modify this agreement and it will be effective immediately and incorporated into this agreement, and your continued use of iTunes will be deemed your agreement and acceptance of the new EULA that you didn't yet agree to. Yeah, I really don't like Apple.

So here's some ideas. First of all, obviously, don't release your public bot. Don't make a public bot and put yourself downstream of a DMCA lawsuit. And then here's some other crazy ideas. Make sure that you add to your bot some sort of strange packing system that does a challenge response with an authentication of some kind, so that in order to unpack the software you have to have an authenticated account with some server that you control. So if Blizzard's engineers grab it and reverse engineer it, they're not going to have an account, and they're going to have to bypass an authentication scheme, therefore directly violating the DMCA in order to reverse engineer your bot, and put them downstream of your own lawsuit. This one's kind of an obvious one probably, but if someone in China's got this bot and they're working for six dollars a day, don't you think Blizzard would pay them a thousand bucks to get a copy of the bot so they could just go and ban everybody?
I don't know if these guys have figured out they can walk out the front door and probably sell this thing on the black market. So you want to probably try to protect your bot in some way in your farming organization so that your employees don't basically do some insider threat on you.

All right, let's change subjects here and talk about some technology. How are bots built? There's different ways we build bots. There's kind of schools of thought here, and I'm going to go through the various ones. There's first and foremost the GUI-based macroing system. This is the most popular because it's the easiest for people to do. You sample pixels at defined XY coordinates. For example, when you're at maximum health you know there's going to be red right here on the screen. When you're not and you're at half health, it won't be red here, but it will be red there. You can do sampling like that where you are. Works really well and it's really easy. I could build a bot like this in a couple of hours because it's just so easy to interact with it. And there's a couple of programs out there for you that will do it, make it very easy. I've used something called AC Tool before that works pretty well. It's essentially a QA tool designed to interact with the GUI.

Another way to do it is DLL injection. That is convenient because when you grab a structure in memory you can directly dereference the pointers, because you are in the memory space of the game. You're not outside of it, so you don't have to do any translations, making it very convenient and therefore the most popular form of botting technology. Another one is debugger based. You connect as a debugger and you can use ReadProcessMemory and WriteProcessMemory and breakpoints. It's just a different way to do it. It's slightly more of a pain in the ass, though, because you have to actually translate all the memory to the remote process space address coordinates.
You can't just get a copy of something and then follow the pointer, because in your local bot that's not going to point to anything. And then finally, client replacement. That's an interesting one where you actually don't even use wow.exe. You make your own gaming client from scratch that interacts with the target. That one's slightly hard, though, because when Warden comes down to do a check it's going to fail all over the place. So you have to proxy the Warden calls out to an actual running copy of WoW just for Warden, so that it finds the right hashes in memory at the right locations.

Here's a screenshot of a GUI-based macroing bot. This is my character Zaneer shortly before he got banned. I'll show you how this is working. He's actually backed up into a tent. He doesn't move. The tent protects him from someone coming in from behind, which, as you know from playing WoW, you can't attack somebody who's behind you. So that's why he stands this way. He can't be killed from behind. And these guys, these Defias messengers or whatever the hell they are, they run up there and they're within the aggro radius of where he stands, and he just swings over and over and over again and the bodies just pile up. And I also added a feature where it would click on the screen within a matrix and it would auto-loot everything that was down there in front of him. This could run for hours, no problem. So this took almost no time to build. This shows you the kinds of things you can do for botting that don't require a lot of reverse engineering skill or programming skill. They just take a little bit of your time and testing, you know, you got to get the kinks worked out and you got to also find a good spot to do it. Like here, I got this nice tent. Not everywhere is going to work well. You got to find a spot in the world where this type of bot would work really well. Here's some snippets of code to show you how this works if you wanted to write your own macro system.
Here's how to get a color or pixel on the screen. All this, by the way, is in my book. I'm just throwing these on the slides just so I have some source code to show. So you can get the color of the pixel and determine if it's like red or blue. I have mana. I have energy, whatever. Here's how to post a left mouse click to the screen. Now, it's worth noting that this is a normal mouse click that would go as if you had done it right off the mouse, and you could do this for keystrokes. If you're using DirectInput, some games might, you can just do a Google search for DIK_LEFT and DIK_RIGHT, and you'll find the same equivalent code but for DirectInput as opposed to the way I'm showing here. It's all the same stuff. You can also use SendMessage and post a Windows message right into the target. That works really well with, like, Lord of the Rings Online, which I just made a bot for, by the way. And so you can actually minimize the window in that case and not even have it up on the screen, which is kind of nice.

Here's an old, old hacking program, which you wouldn't use anymore, but back in the day, this is actually an injected DLL that had its own Lua script associated with it. So it had a UI component called Bubba's Warcraft Hack. And these are all the locations that I have hotkeyed in there. This was a telehack. I could actually go directly to any of these locations just by clicking it and it would just change my XYZ coordinates, and I was instantly there. It worked really well. There's a real good exploit in Gadgetzan, and there's a guy, a goblin, who will give you this quest for going and collecting hippogriff eggs. And I had all the XYZ coordinates for all the nests already in there, and I would go to them. It's a repeatable quest. Go to the eggs, pick it up, go back. I was making 1,500 experience every 30 seconds. My guild had me as a level 40. Three days later, I was level 55. I'm sitting here like this.
You know, it's like, you know, over and over again. But, you know, here I am, level 55, and they're like, how did you do that? So it was really easy, just going around all the egg baskets, essentially.

I've got a snippet of source code from this thing. This is kind of cool. It's template-based scanning. What the guy did is he wrote this. He actually, instead of reverse engineering a particular location in WoW, he found a location in WoW and then made the opcodes for it and then masked out some of them, so whenever they patch, he would actually scan the binary and find the new location. So with every patch, even though the stuff was moving around, he didn't need to release a new version of the bot. It works pretty well.

Here's a complete client replacement. This is a standalone program that logs directly into the WoW server and plays. It's got a number of interesting features. Complete reverse engineering of everything around you. These are the data structures being shown. I've redacted some of the data here. And here's a map. It's two-dimensional overhead. The black square represents you. And then characters are shown in the other colors. And so this is directly communicating with the server, and so it's its own standalone client.

This is another type of approach. This is actually called WoW Sniffer that you're seeing a screenshot of. It actually proxies or sniffs the packet stream going in and out. In my book, I've had to redact all the decryption routines. But if you just go out and look for WoW Sniffer on the net, you get a nice, clean copy of source code that will show all the decryption routines for WoW. And you can build your own sniffer of this type. And that could be used as a proxy system, perhaps, to control your character in the network stream. Here's another type of bot. I'm just putting this in because it is a common trick. It's not used with World of Warcraft type of botting, but it is used for aim botting.
You have a Direct3D library, OpenGL. You stand in front of that and you hook it, and you can do all kinds of interesting things with the stream as it goes out to the video card. Some of you may have played Counter-Strike and used aim bots in the past. This is a similar technique used there. You may recognize this screenshot. This is called a wall hack. And what's happening is the information being streamed to the video card is being modified on the fly. So the video card renders it differently. Very simple to do, out at the video card layer. And now you can see through the walls, and actually see here there's a guy who's bisected by a wall. It makes it very easy to aim at the blue part and shoot him where it'll hit him.

Here's the proxy system in a little more detail. The game client runs normally, but you pass it through the proxy that's doing the encrypted and decrypted packets. And only when you need to grab data, such as the positions of characters around your character, you grab it out of the network stream. And you can also forge or inject messages into the network stream when you need to in order to automate the movement of your character to interact with the environment. This is very superior to the other ones because the proxy can't be detected by the Warden client, because it's not even running on the same machine as WoW. So this is actually a superior system. I don't have a working one, but this is a nice idea. And I think this is... I hope somebody actually works on this and comes up with something. Even though I've told you not to release it to the public, if you do come up with one, can you give me a copy? This is the case for the proxy. It allows the client to handle all the state. So you don't have to reorganize and reimplement any of the state management, which is very expensive. It lessens your chance of detection because we're not coexisting on the same machine as the Warden client. There's less chance of change.
Now, this is an interesting one. Because the network stream requires changes, anything in that protocol requires changes in both the client and the server, it's much less likely that Blizzard will perform a patch on that protocol. It's much more likely that the class structures within the game itself will change. So the amount of overhead you have to reverse engineer patches should go down if you're using a proxy system.

All right, let's talk about the ultimate farming bot and what my ideal design would be. First of all, you probably don't have contacts in China and you can't afford to go over there and find somebody in Shanghai to work for $6 an hour. So what you'd like to do is go and put this in your garage. Now, to do it in your garage, you're going to need to scale the operation a bit better. Your farming bot is going to have to be able to handle at least 100 simultaneous running accounts without fouling up. You have to also be able to handle the auction house, preferably automatically, because you just don't have the time to manage all those green items up there on the auction house. It'll swamp you. You also have to be able to quest. The reason you have to be able to quest is because you also need to use this bot to auto-level all your characters. Grinding isn't enough. In order to get from level 1 to 70 in such a short time, you have to quest. And you have to prescript the entire system so you don't have any setup required. With the current botting technology, there's a lot of time where the admin is just dinking around trying to get everything running. You want to eliminate all that overhead as well. So that's the ideal.

The screen that manages it will have a series of postage stamps. These things are actually using a VNC-style protocol to give you a remote desktop view of each of the running WoW instances. This is a mock-up, by the way. This is not real. I just made this for the slide. The games run on slave machines within VMware.
You have a bunch of those running in your garage on the farm. And then you have all these little postage stamps on your monitoring app, and you can click on any one of those and bring up a UI where you can configure and control the bot itself, like which script it's running, etc., what account it's using. And you could also interact directly with the particular WoW if you want to at that time.

How the system works is pre-recorded waypaths again. We're not doing anything weird, like trying to figure out the 3D world and do A-star pathfinding and none of that. What we do is we simply record waypaths, so you're going to spend a lot of time in the 3D world. It's a skeleton and branch approach, and you're going to need several things on your skeleton and branch waypaths. Here's how it looks. We'll have a waypath between every major town center. That's the black line. Notice these are labeled. Now, every single spawning location for your corpse and the graveyard will have to be connected from the graveyard down to the main black waypath. Now, once you're connected to the black waypath, then you traverse that, and then traverse one of the branches that comes off that to get back to your body. Now, you also have a patrol path. That's the little gray one on the bottom. That's where you're going to go hunt for different things. And then, finally, you have a link to every NPC that matters, and all these paths are stored in your small database. Proximity hunting is how you kill things. You're on the waypath. In your proximity, you detect a target that you can kill, but all the bots work that way now, so this is not a problem. Now, here's something that bots don't do that they should. They need to record everything they do when they come off the waypath, because otherwise, when they run into something like a cave chasing after things, they're not going to be able to get back, and they stick on walls.
So if you record every step you take as you leave the primary waypath, you just retrace your steps, and you can get back to the main waypath. With the mocked-up screenshot here, the toon goes back through the red dots to the main waypath.

Now, questing. What you need to do is go pick up these two guides. I shall say they are available on P2P networks if you are a scrooge and don't want to pay the $30, but these things are excellent. I've looked at, not Joana's, but I've looked at the other one, and it works really well. So what you want to do is build scripts to do the questing. You can completely solo. So throw out all the stuff you can't solo. But what they do is they say: pick up this drop quest, pick up this kill quest, run to this area, and it optimizes the positions that you're in in the game so you don't spend a lot of time running back and forth. Works pretty well. So you can pre-script all your leveling, and some of the things that you can do, for example, are a collection, drop, or kill quest. You would pick it up from the NPC, pre-recorded path, and you go out on the main, do the patrol, come back, and finish that quest. Delivery quest, similar deal. We just go from one NPC to another. Everything's connected, so that's not a problem.

The bot, a farming bot, runs as a state machine. Here we see a small state diagram. So essentially, at any given time, your bot will be in one of these states, and the transitions are marked by edges here. So for example, if I have a target mob, I move to a new state where I'm attacking. If I'm low on health, I move to a state where I'm healing.

So, level 70 in about 20 days, and you get gold while you're leveling. As soon as the account hits level 70, you put it up for auction at $500 an account, and until it's sold, you use it as a farming account.

All right, let's talk about some technical stuff. Player position. Everything in the world has an XYZ coordinate. If it's instantiated, that's part of its data structure.
You can find that in memory, go to the proper offsets, and you have the XYZ floats for its location. You have that for yourself. You have that for the target. You take the XYZ, do the keystrokes, and move to the target. Until recently, you could also telehack, so you just put yourself anywhere you wanted to be. That doesn't work in WoW anymore. They made a change recently. It's a client-side integrity check. I have yet to crack that one, so I haven't been able to telehack for a while. But once you've reverse engineered one of these data structures, all the other ones are derivations of that type, and so it becomes very easy to figure out the rest of the structures.

Player movement can be injected via Windows messages, or player movement that you can just call directly from the main thread if you've hijacked the main thread. You can also use keybd_event, etc., in order to inject mouse or keyboard input. The world database can be captured directly from the video card, if you want to do it that way; you could actually catch the structures as they're put out to the card for rendering. You could also look on... what is that called? WowMapView, I think. There's a project on SourceForge, which is for path mining if you were so inclined. The database of all the things in the world is collected at runtime in my bots, and I just simply put them in a hash table, and I can reference them from the hash table.

Detecting mobs and NPCs. We go through the world... Okay, so here I'll explain this. There's something they changed recently. They use thread local storage, the TLS value, to store an object pointer. That object is called the object manager. From the object manager is a linked list. There's a series of hash buckets. I'll show the source code for how that works in just a moment here. Once you have all that, you have the position of every single object that's relative to your character in the visible world around you.
Behind you, behind walls, doesn't make any difference. All the data comes down from the server. Here's the code. On the top, we actually have the hash bucket, and on the bottom, we have the object manager. The object manager has a pointer at 1C to the hash bucket array. You go to that... First of all, you get the object manager out of the TLS value. From that, you go down to the hash bucket, and you parse through the hash bucket, and you follow each of those hash buckets through an array of linked lists... I'm sorry, a linked list, and here's the linked list. That's not the linked list, hold on. TLS index, D8, 7F38, that's actually the last patch of WoW. You probably don't need this TLS index. In my experience, it's always been zero, so you can just hard-code it to zero. Here's the assembly language to grab the list, so you move that up, and you can see it, into EBX. We call off the FS register, offset 2C. Offset 2C is the object manager. We have that now, and we can begin parsing through the hash buckets and the linked lists. Here are some more screenshots of code. Here we have the object manager. We get the array base, the size of the bucket array, and we go through them one at a time as a linked list. There's actually this funny little line on purpose. They'll actually make an odd address on the last object in the linked list. I think it's actually like an end sentinel. It actually is there to indicate the end of the list. That's what I've witnessed in the assembly language when I reverse engineered this thing in IDA Pro, so I just go ahead and put it here. If you don't, you walk right off the end of the list. That's how they do it, that's how I do it. There's probably some kind of macro in their source code they use for that. Every object that we grab has a 64-bit GUID that identifies it uniquely in the world. It has a type. It has a position. What I'm doing here is I'm just putting all of the objects into a GUID-to-unit hash table in my local bot.
What is this a screenshot of? We're going through all the linked lists here. The linked list, going through each one, one at a time. I'm using assembly language to do that. It's essentially a list-entry pointer. We go through that and then go next. It's like from one to the next to the next to the next until we hit the zero one. Again, you can see that at the bottom in the while loop. When we get the one on the end, we know we hit the end sentinel.

Here's the structure for a WoW object. The 30 and 34 hex offsets are the GUID. We also have a type. The type is actually very important, because the type tells us what it is: container, item, unit, game object, corpse. This is how we can detect if we're looking at an enemy that we can kill. Here's also a nice picture of how it works. The next pointer points to the beginning of the next object. Oddly enough, the previous pointer doesn't point to the beginning of the previous object. The previous pointer points to the last list-entry record in the previous object. You can see how the arrow actually points into the middle there. That was a little thing that got me at first. Once I figured that out, it made sense.

Here are the coordinates. These are the current offsets that are working as of the last patch. There you have XYZ and heading. That's enough to do all your vectoring in the game: point towards the target, run towards the target, kill the target, measure your distance from the target, etc. I'm going to go a little faster; I'm running behind. We parse the database of the nearby objects. We get the player position. We find a suitable target. We set the PC's target GUID. There's actually a target field. You set it to the GUID of the thing you want to kill. Immediately on the screen in WoW, boom, you have that target. Then if you hit 1 or something, you're going to attack that target. You find a suitable target and you set that GUID.
Then you have the target position, and you use some geometry to vector towards the target. You know your range. Once you're within 30 yards, you start slamming on your DoTs or whatever you're doing, sic your pet on the target, and you're going. One of the things that's really cool is the facing value. You can actually set that directly. You don't have to use arrow keys to face the target, so that helps out a lot.

You can use a macro-based system with ReadProcessMemory and WriteProcessMemory. Like I said before, we could read screen pixels and then post stuff into the target. We could use an injected DLL. We talked about that; that's one of the schools, and we can directly post keystrokes or use the SendMessage function, actually post Windows messages in there, to drive the character. We can inject a DLL and use thread hijacking off of the RenderWorld call so that we can actually make internal game function calls, for safety issues. That's actually a really cool trick. Here's a screenshot of how that works. The main thread of the application is running. We hit RenderWorld. There's a detour patch there. It jumps into our injected DLL. Once we're in the injected DLL, we can make calls directly into WoW. CastSpellById, for example, is a call we can make and just instantly cast a spell. When we're done, we're back at RenderWorld, and we continually loop around. RenderWorld gets called hundreds of times a second. And I did make a kernel-mode version of that, and it has the benefit of not having any of the problems which expose it to Warden. I'll show you how that works. We're going to use a trick called shadow branching. Let me see if I have a good screenshot of that. The main thread runs.
We hit a breakpoint, and then the supervisor code, which is running in the kernel, uncloaks a page of memory into the user-mode space and jumps to it directly by hijacking the main payload, or the main thread, using the context structure for that thread. It changes the EIP right in the context structure in the kernel, so when it comes back into user mode, it's hyperspaced right into our code. It executes that code. Once the code is complete, it freezes the thread again, recloaks the memory, removes it out of the user-mode process space, and changes the EIP back to what it was, hyperspacing it directly back to RenderWorld. And because Warden executes in the main thread, it will never be exposed to a Warden query. We actually do release some of this source code, by the way, in our rootkit training class. So here's kind of a different picture of that. We allocate memory in the supervisor. We then have that over in user mode. We inject code into that. We branch to it. When it's done, we cloak it; by cloaking, we fill the original memory with capital A characters and move what was there up into kernel mode, into a non-paged pool area. And then when we want it back again, when the hook fires, we uncloak, we branch to it again, and this process just repeats over and over and over again. So yes, this is code right here in OllyDbg. In OllyDbg, if you drag the window fast enough, for a split second sometimes you can actually see the code appear before the A's have come back. This is the injected code right here. It's actually much like shellcode for a buffer overflow payload. It's position independent. It jumps to itself to find its location in memory. It does a fixup on a little data it has. It makes function calls into kernel32. It's very, very similar to shellcode, except in this case it's a little miniature virtual machine executing in the WoW environment. Now, how do we set hardware breakpoints? We're not going to detour RenderWorld directly; rather, we're going to use hardware breakpoints. Doing that
from the kernel is a real pain in the ass, I found out. You can't just set context on the thread. I had to hunt down some structures, but here's how we're going to do it. We set a DR breakpoint on RenderWorld. If Warden tries to detect that the DR breakpoint is set, we will hijack that and give it a false answer, so we can actually control that from the kernel. So it has very little visibility to Warden in this case, and then we pull off the trick I just described, where we jump to the injected code page whenever we hit the RenderWorld call. Now, NtSetContextThread does not work with the CONTEXT_DEBUG_REGISTERS enumerated type. That is a blue screen. We don't want to go there, so I had to figure out a new way. Let me show you how that works. We go to the kernel trap frame for the thread. So here's the structure in the kernel. FS:[0] points to the KPCR structure. You go to that, follow the PRCB down to the current thread. That points to an ETHREAD. Once you're in the ETHREAD, you follow the initial stack pointer to the top of the kernel stack. You go down to the bottom and subtract off the size of the KTRAP_FRAME. Within that KTRAP_FRAME structure are the DR breakpoint register values. You set them directly, and as soon as that thread goes back into user mode, the DR breakpoints are set. Everybody get that?
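As an added example (editor's code, not from the talk or the speaker's rootkit), this C block shows the two register-level pieces of what was just described: encoding the DR7 value that arms an execute breakpoint on a code address, and producing the scrubbed copy you would hand back to anything that asks whether debug registers are set. The walk from the KPCR to the KTRAP_FRAME is not reproduced because its offsets are build-specific; the bit layout used here is the documented DR7/DR6 layout, the DebugRegs struct and the 0x00401000 placeholder address are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* R/Wn and LENn encodings from the DR7 layout (Intel SDM vol. 3, "Debug Registers"). */
enum DrCond { DR_EXEC = 0, DR_WRITE = 1, DR_IO = 2, DR_READWRITE = 3 };
enum DrLen  { DR_LEN1 = 0, DR_LEN2 = 1, DR_LEN8 = 2, DR_LEN4 = 3 };

/* Return 'dr7' with slot 0..3 enabled for the given condition/length, or 0 on bad
 * arguments (0 is never a valid "something is enabled" result). Execute breakpoints
 * must use LEN = 1, which is enforced. Ln is the per-thread enable a context carries;
 * Gn survives task switches. */
uint32_t dr7_with_slot(uint32_t dr7, int slot, enum DrCond cond, enum DrLen len, int global) {
    if (slot < 0 || slot > 3) return 0;
    if (cond == DR_EXEC && len != DR_LEN1) return 0;
    dr7 &= ~(3u << (slot * 2));                 /* clear Ln and Gn */
    dr7 &= ~(0xFu << (16 + slot * 4));          /* clear R/Wn and LENn */
    dr7 |= 1u << (slot * 2 + (global ? 1 : 0));
    dr7 |= (uint32_t)cond << (16 + slot * 4);
    dr7 |= (uint32_t)len  << (18 + slot * 4);
    return dr7;
}

/* The opposite direction: what a scrubbed DR7 looks like with our slot removed. */
uint32_t dr7_hide_slot(uint32_t dr7, int slot) {
    if (slot < 0 || slot > 3) return dr7;
    dr7 &= ~(3u << (slot * 2));
    dr7 &= ~(0xFu << (16 + slot * 4));
    return dr7;
}

int dr7_slot_enabled(uint32_t dr7, int slot) { return ((dr7 >> (slot * 2)) & 3u) ? 1 : 0; }
int dr7_slot_cond(uint32_t dr7, int slot)    { return (int)((dr7 >> (16 + slot * 4)) & 3u); }

/* After a #DB, DR6 bits B0..B3 say which slot fired. */
int dr6_hit(uint32_t dr6, int slot) { return (int)((dr6 >> slot) & 1u); }

/* Snapshot of the six registers the way a thread context or trap frame carries them
 * (constructed struct, not the kernel's). */
typedef struct { uint32_t dr[4]; uint32_t dr6, dr7; } DebugRegs;

/* Arm an execute breakpoint on 'addr' in 'slot' (local enable, as a per-thread frame would). */
void arm_exec_breakpoint(DebugRegs *r, int slot, uint32_t addr) {
    r->dr[slot] = addr;
    r->dr7 = dr7_with_slot(r->dr7, slot, DR_EXEC, DR_LEN1, 0);
}

/* Copy handed to anyone who asks, with the 'hidden' slot scrubbed out of DR0-3, DR6 and DR7. */
DebugRegs scrub_for_query(const DebugRegs *real, int hidden) {
    DebugRegs shown = *real;
    shown.dr[hidden] = 0;
    shown.dr7 = dr7_hide_slot(shown.dr7, hidden);
    shown.dr6 &= ~(1u << hidden);
    return shown;
}

/* Constructed check: arm slot 0 on a placeholder address standing in for RenderWorld,
 * then confirm the real frame is armed while the scrubbed copy reports nothing. */
int demo_hidden_dr_is_clean(void) {
    DebugRegs real = {{0, 0, 0, 0}, 0, 0};
    arm_exec_breakpoint(&real, 0, 0x00401000u);
    DebugRegs shown = scrub_for_query(&real, 0);
    return dr7_slot_enabled(real.dr7, 0) && !dr7_slot_enabled(shown.dr7, 0) && shown.dr[0] == 0;
}

int main(void) {
    printf("exec bp in slot 0: DR7=0x%08x\n", dr7_with_slot(0, 0, DR_EXEC, DR_LEN1, 0));
    printf("hidden copy clean: %d\n", demo_hidden_dr_is_clean());
    return 0;
}
```

An execute breakpoint in slot 0 with only the local enable is just DR7 = 0x1, which is why a quick "is DR7 non-zero?" check is enough for a detector and why the scrubbed copy has to clear the enable bits and zero DR0 together.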
All right. Okay, so we control the DRs from there. In order to do that, we have to schedule a kernel-mode APC, so this will run in the context of the target thread, but in kernel mode. There are different kinds of APCs, so just suffice it to say this is a documented method. You schedule a kernel-mode APC for the target, and then once you're in the target thread, you perform the following: you go through that little diagram that I just showed. Now, if you want to know those data structures, go up on the net and look for ReactOS. Google for ReactOS. The guy that wrote ReactOS clearly stole the source code to Windows, so now you can read the source code to Windows without reading the source code to Windows by using ReactOS, and he'll have all those structures up there. It's a very valuable resource.

Multiprocessor-safe interrupt hooking is another problem we have to solve. Dual-core systems, anything like that, we'll have to deal with that. So how many interrupt tables are on a dual-CPU system? Come on, guys. Oh, come on, someone knows how many interrupt tables are on a two-CPU system? Two, thank you. One for every processor. So we have to schedule a deferred procedure call for each processor. The deferred procedure calls allow us to specify which processor the code should run on, so by doing that, a callback will be fired on the processor in question. We disable interrupts, patch the interrupt table, and then re-enable interrupts. We do that once for each processor, and we now have multi-CPU-safe interrupt hooking. There's code for that on rootkit.com, by the way.

Now, I only have a couple minutes left, and I want to cover PvP botting. It doesn't have anything to do with the farming stuff I was just talking about, but it is a new area I've been exploring. Who here likes to play PvP? Who here has an Undead Warlock that melts people's faces?
Yeah. Let's talk about the idea. Every single thing you can do in PvP can be countered by a logical phrase or sequence of attacks or DoTs or buffs or debuffs. It's set up that way; WoW is meant to be played that way. And if you're a really good player, you already have muscle memory figured out for a lot of your targets. But every single target is different. They may be wearing a different kind of armor set, for example, that you have to counter, or they may be carrying certain buffs. You can't think of all the things, but you can build a bot that knows everything to do. You pre-script every possible scenario into the bot, and it knows what to cast on yourself and your target to maximize your DPS and kill your target as quickly as possible. That's the idea of PvP in a WoW-type universe.

Now, unlike the farming bot, this is not... I actually struggled with this. I tried to make a PvP bot that was based on a state machine. It doesn't work. The state machine takes too much time to pick up and carry the events. So I made this event-based: any kind of event, you immediately respond to it. So the PvP script I'm going to show you is pseudocode designed for a level 60-plus Undead Warlock in WoW. There's an on-event handler. There are many different types of events. One of the types, for example, is a hostile event. That would be if someone tried to come up and punk you, or some rogue came up and sapped you or something like that, so you immediately get a hostile-type event. There's also a timer event. The timer event, I had to throw in a state-based approach that we can get, but it's not actually state-based. In the timer event, we just check for things like mana and health: eat food, drink water, all that stuff. If we have a target, we'll then call into the combat handler. And hostile events, I'll give you an example: if we just got charmed or feared, we immediately call the break-fear-etcetera subroutine. Just to give you an example of one thing we would be responding to: our fear breaker simply casts Will of the Forsaken, and if
that doesn't work, it uses the Insignia of the Horde trinket. Pretty simple. So now the guy that just tried to fear me or sheep me or whatever, I've now countered immediately, and I'm ready to attack. Then the combat script runs. It sics my pet on the target. I'll cast Death Coil in order to prevent myself from being interrupted on my next Fear spell. The Fear will then fire, so your target is now feared and running away. If I have the Voidwalker, I'll immediately sacrifice him, giving myself a nice bubble, and then I'll call Fel Domination, which reduces the casting time for my Felguard to almost nil, and I basically get an instant Felguard. So the guy that just came up to try to sap me just got me, I countered his sap instantly, got a bubble, and now there's a Felguard chasing around and beating on him. And by the way, I'm slapping a couple of DoTs on him as well. ManageDots gets called, so we call our friend Curse of Agony. We're checking our mana percentage, so we're doing some amount of management here. One thing to notice about this, though: we actually pause in this script at this point in time until the casting is complete. We don't queue them and run them. My first version was queuing, but it turns out I had a lot of multithreading, kind of overlapping issues occurring. So what we do is we actually halt there until Curse of Agony is finished, then Corruption is finished, and then finally, if we can pull one off, we'll cast Immolate as well. We have to stop moving temporarily while we cast Immolate. That's what the code is doing at the bottom. Yeah. So here's just a summary of how it works. Timer events don't queue. If you're already in the timer taking your time and another timer event fires, it just gets thrown in the trash bucket, because you don't want to get a cascade of those happening all the time. Any kind of status update or hostile event all queues up, because you want to process all of those no matter what, because they change the state of your script. Multiple callbacks do not occur at
the same time. They queue up. This is a single-threaded system.

Now I want to show you backsticking. This is one trick that I've been working on. You know that if you're facing your target, you can hit them, but a lot of times if you're not facing your target, you can't hit the target. So my trick is to move my character behind the target at all times, so no matter which way he turns, he can't face me. That would be really good for a backstabbing rogue. And now, telehacking would be the best way to do that, but since they patched telehacking, until I get that working again, I actually have to use keystrokes. I'm going to show you a short movie of a PvP bot using backsticking. Here's a diagram of how it works. My target is in red. Blue runs up, the blue guy runs up, faces the same direction as the red guy, and then backs up a couple of steps. Red guy tries to move, I do it again, and there's sort of this humping action going on. So let me go ahead and show the movie for that, because we're out of time.

Here's the star of our show. Now I'm clicking on targets. You can see she immediately faces NPCs, players, and pets. Notice the immediate heading changes; that's just illustrating the heading control. Let me show that on an NPC. This dude here walking, you can see she's auto-correcting her heading. I'll click on her now; it instantly fixes on her as she walks by. Now let's pick on a target that actually moves, and we'll turn on the movement. This guy is walking around, and now we have the humping action, although it doesn't actually show up too well here. Because he's actually moving, you can see it a lot more clearly. So he's turning a corner, and you can see she's tracking right behind him, so the tracking works quite well. Okay, here's a player. He's going to try to turn around in a minute, because I'm really annoying him. Notice she keeps running up and backing up. Now he's going to try to turn and face me. Sorry, the movie's a little choppy. Now, there he goes. He tried to turn, and now I immediately corrected. He's going to
turn again, and he still can't face me. And he's going to turn again, and again I auto-corrected. There he goes again. I know you want to look at me, but you can't look at me. So this shows you how the backsticking kind of works. Now, this guy, I picked on him for a while. He actually kind of gets a little pissed off and runs away, but he can't get away. That's the problem. So he actually is going to run into a building here shortly. There he goes; he's going to go into the weapon vendor. Now, I actually cut the film here to save time. She's running and just backing up. Now this, actually, I cut the film here. This goes on for about... I've got to finish this video, two more minutes. He's actually talking to me down there, and he's getting really mad, so he's going to run out of the building and try to get away, and again I'm still following him. And right here he finally has it. Look at how that works. Here's another guy I'm following around. He's running around inside of one of the buildings, and you can see the tracking is working very well: up the stairs, around the stairs, and there's no problem. She follows him all the way around. He's going to stand here for a moment. This movie is only about one minute more, so it's almost done. She's doing this backup thing again, and he's not really paying attention to me at the time, but now I've been following him for like 20 minutes, okay, and he's about had it. The tracking shows off really well here. He's going to run around the tree, and she'll follow him very nicely around the tree. He's going to run and try to jump over the fence, and we're going to follow him. There he goes. He's going to run around a pillar again. He's not able to get away, no matter all these obstacles and things. So the trick works pretty well. I think I have one more example, very short, in here. He's going to run away. Let me see... action here. I actually let him get away. Oh yeah, this is the end of the movie. Just wanted to show you, you can also click on animals, and so she's going to eat horse butt. Thank you.
There's some Q&A. You can come talk to me more about this stuff.