tehmarto

  1. Hi, very nice thread. I've done wall climb cheat detection, but I am wondering how offi detects if the movement speed value has been edited. I looked at the parsed sniffs that tom_rus posted and it looks like it scans only offsets that start with 0x0 or 0x00. From this I see that it scans only static offsets - the movement speed offset is not static; when I scan with a memory scanner, speed is always located at a different place. So to find what address speed is located at through warden so I can scan that offset, I need to do the following:
       • Send a packet that scans the static offset - player base (0x00CD87A8 at 3.3.5a)
       • Handle the response packet and send another offset check that is the "playerBase" offset response + 0x34
       • Handle the response packet again and send the value from the response + 0x24
       • Handle the packet again and send the response value + the movement speed offset
     And now I have the movement speed offset and can check the movement speed value. From what I see offi has a faster way to scan for speed hacks. Can anyone give me a hint how they do it? Thanks again.
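The four-step chain described in this post, as an added example (not code from the post or from any emulator): a server-side state machine that shows why the scan costs four round trips and how it stops on a null link. The class, the simulated memory and the speed-field offset are hypothetical placeholders; only 0x00CD87A8, 0x34 and 0x24 come from the post.

```cpp
#include <cstdint>
#include <map>

// From the post: static player base (3.3.5a) and the two link offsets.
const uint32_t PLAYER_BASE = 0x00CD87A8;
const uint32_t LINK_OFFSETS[2] = {0x34, 0x24};
// Placeholder: the post does not give the movement speed field offset.
const uint32_t SPEED_OFFSET_PLACEHOLDER = 0x100;

// Server-side state for one scan. Each link costs a full request/response
// round trip because the next address is only known from the previous reply.
class ChainScan {
public:
    enum State { PENDING, DONE, FAILED };
    ChainScan() : state_(PENDING), step_(0), trips_(0), addr_(PLAYER_BASE), value_(0) {}
    State GetState() const { return state_; }
    uint32_t NextAddress() const { return addr_; }  // address for the next check
    int RoundTrips() const { return trips_; }
    uint32_t Value() const { return value_; }       // raw 4 bytes of the speed field
    void OnResponse(uint32_t reply) {
        if (state_ != PENDING) return;
        ++trips_;
        if (step_ == 3) { value_ = reply; state_ = DONE; return; }
        if (reply == 0) { state_ = FAILED; return; }  // null link: chain cannot be followed
        addr_ = reply + (step_ < 2 ? LINK_OFFSETS[step_] : SPEED_OFFSET_PLACEHOLDER);
        ++step_;
    }
private:
    State state_; int step_; int trips_; uint32_t addr_; uint32_t value_;
};

// Constructed stand-in for client memory: address -> 4-byte value.
std::map<uint32_t, uint32_t> SampleMemory() {
    std::map<uint32_t, uint32_t> m;
    m[PLAYER_BASE] = 0x10000000;
    m[0x10000000 + 0x34] = 0x20000000;
    m[0x20000000 + 0x24] = 0x30000000;
    m[0x30000000 + SPEED_OFFSET_PLACEHOLDER] = 0x40E00000;  // constructed value
    return m;
}

// Drives the scan against simulated memory; unmapped addresses read as 0.
ChainScan RunScan(const std::map<uint32_t, uint32_t>& mem) {
    ChainScan scan;
    while (scan.GetState() == ChainScan::PENDING) {
        std::map<uint32_t, uint32_t>::const_iterator it = mem.find(scan.NextAddress());
        scan.OnResponse(it == mem.end() ? 0 : it->second);
    }
    return scan;
}
```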
  2. But how does it load maiev.mod? I put breakpoints on every loadlibrary and I didn't see it loading maiev.mod.
  3. Seem to have got it right after all, except when I send the cheat checks this way:

         buffer_add_int8(buf, CHEAT_CHECKS);
         buffer_add_int8(buf, 0);
         buffer_add_int8(buf, warden_str->MEM_CHECK ^ warden_str->out_key[0]);
         buffer_add_int8(buf, 0);
         buffer_add_int32(buf, 0x00ADA378);
         buffer_add_int8(buf, 4);
         buffer_add_int8(buf, warden_str->out_key[0]);

     It responds with the same value no matter what offset I send, and after that it stops responding to my memory cheat checks.
  4. That is a very good idea about getting the rc4 keys from memory, but that way I would have to use only one module with sending the same seed in 0x05. Definitely gonna try that. Anyway, I found the maiev.mod string in battle.net.dll, but wow runs and responds to warden packets without battle.net.dll, and I deleted the cache too. Can anyone tell me how to get maiev.mod? Thanks. I looked in wow.exe by searching for the string maiev.mod and also put breakpoints on every loadlibrary function and didn't see it loading maiev.mod or battle.net.dll.
  5. I don't seem to find any maiev.mod. Is it removed on 3.3.5? Perhaps it's replaced with scan.dll in the wow folder; scan.dll does some cheat scanning too from what I see. Edit: Well, now I see that scan.dll is not related to warden.
  6. Hi, I'm back at this interesting code with more knowledge about this thing than I had last time. I am stuck at the 0x05 opcode and its response. Can someone please help me? How does the client generate the hash? What is this module-specific hash? How can I get it? I'm completely stuck at this 0x05 and 0x04 opcode. Thanks.
  7. Did it print the error? In fact I looked at the code using AddSpellAuraHolder and didn't see anything anywhere adding an aura to m_modAuras.
  8. Here are some crash dumps related to this:
       • http://pastebin.com/D5UUZb33
       • http://pastebin.com/bmrfmiYW
       • http://pastebin.com/dJR1b4r6
       • http://pastebin.com/p3iZN4ts
       • http://pastebin.com/B4kZnhXk
     This type of crash has repeated many times. I don't think these crashes can be caused by something other than an invalid pointer in m_modAuras.
  9. 
         for (int i = 0; i < MAX_EFFECT_INDEX; ++i)
         {
             Aura* aura = holder->m_auras[i];
             if (!aura)
                 continue;

             // m_modAuras is indexed by aura type; look for an entry that still points at this aura
             AuraList& auras = m_modAuras[aura->GetModifier()->m_auraname];
             for (AuraList::iterator itr = auras.begin(); itr != auras.end();)
             {
                 if (*itr == aura)
                 {
                     sLog.outError("deleting aura which otherwise would stay in auralist and cause crash later");
                     itr = auras.erase(itr);   // erase returns the next valid iterator
                 }
                 else
                     ++itr;
             }
         }

     This can be placed before delete holder; everywhere in the code where there is a delete holder; to test whether the pointer is in the auralist when the pointer is deleted.
  10. Recently I have seen many crashes where auras are fetched by GetAurasByType(type) and looping over them afterwards causes segmentation fault (access violation) crashes. I think the reason for that is that, when the holder is deleted, it deletes its auras too, but the invalid pointers to the auras are still stored in m_modAuras[]. For example here:

          bool Unit::AddSpellAuraHolder(SpellAuraHolder *holder)
          {
              SpellEntry const* aurSpellInfo = holder->GetSpellProto();

              // ghost spell check, allow apply any auras at player loading in ghost mode (will be cleanup after load)
              if( !isAlive() && !IsDeathPersistentSpell(aurSpellInfo) && !IsDeathOnlySpell(aurSpellInfo) &&
                  (GetTypeId()!=TYPEID_PLAYER || !((Player*)this)->GetSession()->PlayerLoading()) )
              {
                  delete holder;
                  return false;
              }
              // ...
          }

      Before delete holder, there should be:

          // drop every aura of this holder from the per-type list before the holder frees it
          for(int i=0; i < MAX_EFFECT_INDEX; ++i)
              if(holder->m_auras[i])
                  m_modAuras[holder->m_auras[i]->GetModifier()->m_auraname].remove(holder->m_auras[i]);

      And the same should happen everywhere we delete holder. I don't actually know how to reproduce the crash so I can test it with and without this thing, and that's the reason why I post it here, and I'm not sure if it actually fixes something - that needs to be tested by putting it on a server with many people where it crashes more often and seeing if the crashes with GetAurasByType loops stop. I have no place to test that now. Thanks.
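One way to make the invariant from this post hold at every delete holder site, as an added example rather than MaNGOS code: the holder's destructor unregisters its auras from the owner's per-type index before freeing them. The types are simplified, hypothetical stand-ins that reuse the names from the post.

```cpp
#include <cstddef>
#include <list>
#include <map>

// Hypothetical, simplified stand-ins for the types named in the post.
const int MAX_EFFECT_INDEX = 3;
struct Aura { int auraName; };
typedef std::list<Aura*> AuraList;

struct Unit {
    std::map<int, AuraList> m_modAuras;  // per-type index of raw, non-owning pointers
    std::size_t CountIndexed() const {
        std::size_t n = 0;
        for (const auto& entry : m_modAuras) n += entry.second.size();
        return n;
    }
};

struct SpellAuraHolder {
    Unit* owner;
    Aura* m_auras[MAX_EFFECT_INDEX];
    explicit SpellAuraHolder(Unit* u) : owner(u), m_auras() {}
    SpellAuraHolder(const SpellAuraHolder&) = delete;  // exactly one owner per Aura
    SpellAuraHolder& operator=(const SpellAuraHolder&) = delete;
    void AddAura(int idx, int auraName) {
        m_auras[idx] = new Aura{auraName};
        owner->m_modAuras[auraName].push_back(m_auras[idx]);
    }
    // Unregister every aura from the owner's index before freeing it, so no
    // "delete holder" call site can leave a dangling pointer behind.
    ~SpellAuraHolder() {
        for (int i = 0; i < MAX_EFFECT_INDEX; ++i) {
            if (!m_auras[i]) continue;
            owner->m_modAuras[m_auras[i]->auraName].remove(m_auras[i]);
            delete m_auras[i];
        }
    }
};

// Constructed scenario: one holder is rejected and deleted early (the
// "delete holder; return false;" path) while another stays alive.
std::size_t IndexedAfterEarlyDelete() {
    Unit u;
    SpellAuraHolder kept(&u);
    kept.AddAura(0, 4);
    SpellAuraHolder* rejected = new SpellAuraHolder(&u);
    rejected->AddAura(0, 4);
    rejected->AddAura(1, 7);
    delete rejected;
    return u.CountIndexed();  // only kept's aura is still indexed
}
```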
  11. in SpellMgr.cpp What bug does the patch fix? What features does the patch add? It fixes mistaken J with I. For which repository revision was the patch created? Should work with any. Who has been writing this patch? Please include either forum user names or email addresses. Me. @@ -298,11 +298,11 @@ bool IsNoStackAuraDueToAura(uint32 spellId_1, uint32 spellId_2) if(!spellInfo_1 || !spellInfo_2) return false; if(spellInfo_1->Id == spellId_2) return false; for (int32 i = 0; i < MAX_EFFECT_INDEX; ++i) { - for (int32 j = 0; i < MAX_EFFECT_INDEX; ++j) + for (int32 j = 0; j < MAX_EFFECT_INDEX; ++j) { if (spellInfo_1->Effect[i] == spellInfo_2->Effect[j] && spellInfo_1->EffectApplyAuraName[i] == spellInfo_2->EffectApplyAuraName[j] && spellInfo_1->EffectMiscValue[i] == spellInfo_2->EffectMiscValue[j] && spellInfo_1->EffectItemType[i] == spellInfo_2->EffectItemType[j])
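Review bot: In the inner loop of IsNoStackAuraDueToAura the description should state what the wrong bound did, not only that J was mistaken for I. With i < MAX_EFFECT_INDEX as the condition the loop never tested j, so j could keep incrementing past MAX_EFFECT_INDEX while indexing spellInfo_2->Effect[j], EffectApplyAuraName[j], EffectMiscValue[j] and EffectItemType[j], which is an out-of-bounds read. The one-line change is right; please record that impact in the commit message.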
  12. What up, Well for now the best thing I come up against it is this diff --git a/src/game/Player.cpp b/src/game/Player.cpp index 8456e39..825a304 100644 --- a/src/game/Player.cpp +++ b/src/game/Player.cpp @@ -464,10 +469,12 @@ Player::Player (WorldSession *session): Unit(), m_achievementMgr(this), m_reputa // group is initialized in the reference constructor SetGroupInvite(NULL); m_groupUpdateMask = 0; m_auraUpdateMask = 0; + + GlobalCDEnd = 0; duel = NULL; m_GuildIdInvited = 0; m_ArenaTeamIdInvited = 0; @@ -18785,10 +18856,13 @@ void Player::AddSpellAndCategoryCooldowns(SpellEntry const* spellInfo, uint32 it cat = spellInfo->Category; rec = spellInfo->RecoveryTime; catrec = spellInfo->CategoryRecoveryTime; } + if(spellInfo->StartRecoveryTime) + SetGlobalCD(clock()+spellInfo->StartRecoveryTime); + time_t curTime = time(NULL); time_t catrecTime; time_t recTime; diff --git a/src/game/Player.h b/src/game/Player.h index 8456e39..825a304 100644 --- a/src/game/Player.h +++ b/src/game/Player.h @@ -1662,10 +1666,12 @@ class MANGOS_DLL_SPEC Player : public Unit PlayerSpellMap const& GetSpellMap() const { return m_spells; } PlayerSpellMap & GetSpellMap() { return m_spells; } SpellCooldowns const& GetSpellCooldownMap() const { return m_spellCooldowns; } + void SetGlobalCD(clock_t newCD) {GlobalCDEnd = newCD;} + bool HasGlobalCD() {return GlobalCDEnd > clock();} PlayerTalent const* GetKnownTalentById(int32 talentId) const; SpellEntry const* GetKnownTalentRankById(int32 talentId) const; void AddSpellMod(SpellModifier* mod, bool apply); @@ -2485,10 +2504,11 @@ class MANGOS_DLL_SPEC Player : public Unit PlayerMails m_mail; PlayerSpellMap m_spells; PlayerTalentMap m_talents[MAX_TALENT_SPEC_COUNT]; SpellCooldowns m_spellCooldowns; + clock_t GlobalCDEnd; uint32 m_lastPotionId; // last used health/mana potion in combat, that block next potion use uint8 m_activeSpec; uint8 m_specsCount; diff --git a/src/game/Spell.cpp b/src/game/Spell.cpp index c1723f7..1cf75b4 100644 
--- a/src/game/Spell.cpp +++ b/src/game/Spell.cpp @@ -4221,10 +4277,14 @@ SpellCastResult Spell::CheckCast(bool strict) } else if(m_caster->HasAura(m_spellInfo->excludeCasterAuraSpell)) return SPELL_FAILED_CASTER_AURASTATE; } + if( m_caster->GetTypeId()==TYPEID_PLAYER && !m_triggeredByAuraSpell && m_spellInfo->StartRecoveryTime && + ((Player*)m_caster)->HasGlobalCD()) + return SPELL_FAILED_NOT_READY; + // cancel autorepeat spells if cast start when moving // (not wand currently autorepeat cast delayed to moving stop anyway in spell update code) if( m_caster->GetTypeId() == TYPEID_PLAYER && ((Player*)m_caster)->isMoving() ) { // skip stuck spell to allow use it in falling case and apply spell limitations at movement
      But some spells have a global cd and some don't; some spells are affected by the global cd and some are not. The global cd is on the client side only right now and that allows cheating. What I am wondering about is how the client decides which spells are affected by the global cd and which are not; for example, Gift of the Naaru doesn't put a global cd but is affected by the global cd, and it has 0 on StartRecoveryTime. I didn't find an attribute that defines the spell to not be affected by the global cd. So has anyone got an idea how the client checks if it should put a global cd on a spell or not, so we can make the same check on client-side to prevent cheating? Thanks.
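Review bot: In the AddSpellAndCategoryCooldowns hunk of Player.cpp, SetGlobalCD(clock()+spellInfo->StartRecoveryTime) adds the spell's recovery time straight to clock(), but clock() returns processor time used by the process in CLOCKS_PER_SEC ticks, not wall-clock time. The sum is only meaningful where the tick unit matches the unit of StartRecoveryTime and CPU time advances with real time, which is not the case where CLOCKS_PER_SEC is 1000000 or while the server process is idle. Use a wall-clock or monotonic millisecond source with an explicit conversion; the same applies to the clock() comparison in HasGlobalCD().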
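Review bot: In the Player.h hunks the new member is named GlobalCDEnd while the neighbouring fields all use the m_ prefix (m_spellCooldowns, m_lastPotionId, m_activeSpec), and HasGlobalCD() does not modify state but is not declared const. Rename the member to match, for example m_globalCDEnd, and make the getter const like the GetSpellMap() and GetSpellCooldownMap() accessors above it.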
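Review bot: In the CheckCast hunk of Spell.cpp the check uses m_spellInfo->StartRecoveryTime both as "this spell starts a global cooldown" and as "this spell is blocked by one", so a spell with 0 in that field is never rejected while a global cooldown is running. Either add a separate criterion for spells that are blocked without starting a cooldown or document the limitation in a comment above the condition. HasGlobalCD() also compares without any tolerance, so a cast arriving slightly early because of network timing gets SPELL_FAILED_NOT_READY; a small grace period would avoid that.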
  13. diff --git a/src/game/SpellAuras.cpp b/src/game/SpellAuras.cpp index e71b630..b0d9908 100644 --- a/src/game/SpellAuras.cpp +++ b/src/game/SpellAuras.cpp @@ -4022,11 +4080,11 @@ void Aura::HandleModStealth(bool apply, bool Real) m_target->CastCustomSpell(m_target,31665,&bp,NULL,NULL,true); } // Overkill else if ((*i)->GetId() == 58426 && GetSpellProto()->SpellFamilyFlags & UI64LIT(0x0000000000400000)) { - m_target->RemoveAurasDueToSpell(58428); + (*i)->m_isPeriodic = false; m_target->CastSpell(m_target, 58427, true); } } } } @@ -4061,11 +4119,14 @@ void Aura::HandleModStealth(bool apply, bool Real) // Master of Subtlety if ((*i)->GetSpellProto()->SpellIconID == 2114) m_target->CastSpell(m_target, 31666, true); // Overkill else if ((*i)->GetId() == 58426 && GetSpellProto()->SpellFamilyFlags & UI64LIT(0x0000000000400000)) - m_target->CastSpell(m_target, 58428, true); + { + (*i)->m_periodicTimer = 20000; + (*i)->m_isPeriodic = true; + } } } } } @@ -7848,10 +8013,14 @@ void Aura::PeriodicDummyTick() case 0: m_target->CastSpell(m_target, 55731, true); break; case 1: m_target->CastSpell(m_target, 55738, true); break; case 2: m_target->CastSpell(m_target, 55739, true); break; } return; + case 58426: + m_target->RemoveAurasDueToSpell(58427); + m_isPeriodic = false; + return; // Exist more after, need add later default: break; } // Prey on the Weak
      Best way I can think of, but still I think it's hacky. Btw it does not proc from vanish, I think due to GetSpellProto()->SpellFamilyFlags & UI64LIT(0x0000000000400000). Is this needed and should it proc from vanish?
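Review bot: In the second HandleModStealth hunk, (*i)->m_periodicTimer = 20000 hard-codes the delay as a bare number and writes another aura's timer fields directly from outside that aura. Give the value a named constant or take it from the spell data, add a comment saying what the 20000 stands for, and set m_periodicTimer and m_isPeriodic through one helper so they cannot get out of step with the reset done in the first hunk.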
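Review bot: In the PeriodicDummyTick hunk, case 58426 has no comment naming the spell, unlike the // Overkill comments used for the same id in HandleModStealth, and it removes aura 58427 by a second bare id. Add the spell names as comments. The patch also stops using 58428 altogether (both its cast and its removal are deleted) and removes 58427 from the tick instead, so the description should explain that change.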
  14. What bug does the patch fix? What features does the patch add?
      When I debugged I saw spells to have SPELL_DIRECT_DAMAGE but not DIRECT_DAMAGE. So when I changed it, spell deflection started working.
      For which repository revision was the patch created?
      Works with 9842.
      Is there a thread in the bug report section or at lighthouse? If yes, please add a link to the thread.
      Don't find.
      Who has been writing this patch? Please include either forum user names or email addresses.
      Me.
      diff --git a/src/game/Unit.cpp b/src/game/Unit.cpp index f510fc0..6cced83 100644 --- a/src/game/Unit.cpp +++ b/src/game/Unit.cpp @@ -1931,11 +1934,11 @@ void Unit::CalculateAbsorbAndResist(Unit *pCaster, SpellSchoolMask schoolMask, D } // Spell Deflection if (spellProto->SpellIconID == 3006) { // You have a chance equal to your Parry chance - if (damagetype == DIRECT_DAMAGE && // Only for direct damage + if (damagetype == SPELL_DIRECT_DAMAGE && // Only for direct damage roll_chance_f(GetUnitParryChance())) // Roll chance RemainingDamage -= RemainingDamage * currentAbsorb / 100; continue; } // Reflective Shield (Lady Malande boss)
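Review bot: On the changed condition in CalculateAbsorbAndResist, the trailing comment still reads "Only for direct damage" although the test is now damagetype == SPELL_DIRECT_DAMAGE, so DIRECT_DAMAGE no longer passes. Update the comment to say direct spell damage, and state in the description whether excluding DIRECT_DAMAGE is intended or whether both damage types should be accepted.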