Sunday, 21 September 2014

[WoW v1.12.1 / C#] The first memory manipulation

If you haven't read my last tutorial, I would advise you to read it:

Today we want to write a simple anti-AFK tool for WoW version 1.12.1. As in the previous post, the whole source is attached at the end of the post.

What is required?

  • Basic C#
  • WoW v1.12.1
  • Cheat Engine

What should we know?

  • Every state and change in the game is also a change in memory.
  • Environment.TickCount holds the number of milliseconds the PC has been running since its last start.
  • Every time we press a key or do something with our mouse, "LastHardwareAction" is set to our current TickCount.
  • When the TickCount stored in "LastHardwareAction" is older than 5 minutes, we are flagged as AFK.

How do we find the address for "LastHardwareAction"?
First of all we launch WoW and attach Cheat Engine to it.
Since we know that an int / uint has a size of 4 bytes, we will scan for 4-byte values.
Every time we move our mouse within the boundaries of the WoW window, the TickCount in LastHardwareAction is also updated.
The solution is scanning for changed / unchanged / increased values.

Let's go then

  1. We get our current TickCount with the help of Environment.TickCount.
  2. After obtaining it, we make the LastHardwareAction in WoW update by moving our mouse inside the window boundaries.
  3. Since the TickCount in LastHardwareAction is now bigger than the TickCount we previously copied, we do a First Scan with the Scan Type "Bigger than ..." and the value of our copied TickCount.
  4. After the first scan we will still have a lot of addresses.
  5. To reduce those we do the following: do a Next Scan with the Scan Type "Unchanged value" if you haven't changed the LastHardwareAction in the meantime (no key press or mouse move inside the WoW window boundaries).
  6. If you have changed the LastHardwareAction, do a Next Scan with the Scan Type "Increased value".

After reducing the found addresses to a good minimum, we will find many values storing the TickCount of the player's last hardware action; however, we will stick to this one: 0x00CF0BC8

Since we found the address, we need a way to update its value from another process. Usually one would use WriteProcessMemory and ReadProcessMemory; however, I will stick to a library called BlackMagic.
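The narrowing procedure above, simulated on constructed memory snapshots (an added example, not the author's code; the addresses, values and function names are made up for illustration). It shows why alternating "Unchanged value" and "Increased value" scans separates a last-input timestamp from free-running clocks and constants:

```python
from typing import Dict, List, Set

Snapshot = Dict[int, int]  # address -> 4-byte unsigned value

def first_scan(snap: Snapshot, reference_tick: int) -> Set[int]:
    """'Bigger than ...' scan: keep addresses whose value exceeds the copied tick."""
    return {addr for addr, val in snap.items() if val > reference_tick}

def next_scan(cands: Set[int], prev: Snapshot, cur: Snapshot, had_input: bool) -> Set[int]:
    """'Increased value' if there was input since the last scan, else 'Unchanged value'."""
    if had_input:
        return {a for a in cands if cur[a] > prev[a]}
    return {a for a in cands if cur[a] == prev[a]}

def narrow(reference_tick: int, snaps: List[Snapshot], input_between: List[bool]) -> Set[int]:
    """snaps[0] is taken right after the first mouse move; input_between[i]
    says whether there was input between snaps[i] and snaps[i + 1]."""
    cands = first_scan(snaps[0], reference_tick)
    for prev, cur, had_input in zip(snaps, snaps[1:], input_between):
        cands = next_scan(cands, prev, cur, had_input)
    return cands

# Constructed sample data (hypothetical addresses, not real game offsets).
REFERENCE_TICK = 5_000_000          # tick count copied before touching the window
SNAPSHOTS: List[Snapshot] = [
    {   # right after moving the mouse inside the window
        0x1000: 5_000_250,          # last-input timestamp (what we are looking for)
        0x1004: 5_000_260,          # free-running clock, changes on every scan
        0x1008: 4_294_967_295,      # large constant
        0x100C: 42,                 # small counter, below the reference tick
        0x1010: 9_000_000,          # unrelated large value that never changes
    },
    {   # a few seconds later, no input in between
        0x1000: 5_000_250, 0x1004: 5_003_260, 0x1008: 4_294_967_295,
        0x100C: 43, 0x1010: 9_000_000,
    },
    {   # after another mouse move
        0x1000: 5_006_500, 0x1004: 5_006_510, 0x1008: 4_294_967_295,
        0x100C: 44, 0x1010: 9_000_000,
    },
]
INPUT_BETWEEN = [False, True]       # idle between scans 1-2, input between scans 2-3

if __name__ == "__main__":
    print([hex(a) for a in sorted(narrow(REFERENCE_TICK, SNAPSHOTS, INPUT_BETWEEN))])
```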

In my sample project I do the following:
  1. Get all processes with the name "WoW"
  2. Iterate over the process list
  3. Check if the current WoW process is version 1.12.1
  4. If it is, write our current TickCount (obtained using Environment.TickCount) into LastHardwareAction

The procedure is repeated every 10 seconds. Every open WoW 1.12.1 is now prevented from flagging us as AFK.

The full source code can be viewed here: (a pre-compiled binary is also included)

If you have problems, questions or suggestions for further posts I would be glad to have a chat over Skype (cmwts9) or IRC (#FeenixED on QuakeNet).

When I am at home again I will prolly extend this a bit and also upload the source of BlackMagic (credits to Shynd obviously)
