
Cypherjb

Everything posted by Cypherjb

  1. "Its basically windows XP with the interface features of Vista and some of the security features." Your ignorance astounds me... On another note, I currently have the x64 Beta installed in VMWare and am relatively impressed with it, though I will likely be using Windows Server 2008 R2 when it comes out (which should be at the same time as W7). If you're interested in a dedicated Windows box for Mangos I highly recommend the Windows Server family of OSes; I'm using Server 2008 on my desktop, laptop, and server and am highly impressed with it. I wouldn't suggest installing Windows 7 as a primary OS currently though. Dual booting is fine, but the beta build is way too unstable to be considered usable as a primary OS. The x64 build is worse than the x86 one in terms of stability (for the beta, that is; in general I've found x64 to be much more stable than x86 on my 3 PCs).
  2. You're totally clueless, please do some research before throwing around information you pulled from your ass. I cite 'Sega v. Accolade': "Where disassembly is the only way to gain access to the ideas and functional elements embodied in a copyrighted computer program and where there is a legitimate reason for seeking such access, disassembly is a fair use of the copyrighted work, as a matter of law" Reverse engineering for the purposes of interoperability is considered lawful in most (if not all) US states/regions/etc. Because none of the Mangos project infringes on patent/copyright/trademark laws there is no issue with the legality of the project. Distributing map/dbc/etc files would be illegal; the legality of distributing SQL dumps with quest/npc/etc spawns is highly questionable. The legality of the mangos project itself though is perfectly clear: no rights of Blizzard are being infringed upon, and reverse engineering the World of Warcraft client is a perfectly legal process because it is being done to discover information about proprietary file formats or network protocols. As a side note, here are some quotes from the Chilling Effects FAQ on Reverse Engineering (site seems to be down currently): Disclaimer: I am NOT a lawyer and none of the above constitutes legal advice. I am a student and casual freelance software developer. One thing to note is that although I am NOT a lawyer by trade I have consulted a lawyer for multiple projects that required reverse engineering; if you are doubtful about the legality of your specific project I suggest you do the same.
  3. Thanks. This one isn't just a sniffer though, I have the ability to craft my own packets and send them to the server too. Dunno how useful that kind of functionality is to server devs. Also, I'm currently adding XML support so I can describe packets and dump them out in a nicer format. EDIT: Forgot to add, this runs inside WoW.exe because I like being able to use a D3D UI when testing stuff.
  4. Do you listen? The client doesn't read the DBC files from the server, it uses local ones that CANNOT BE OVERRIDDEN FROM THE SERVER, there are client side restrictions, so doing what you want is impossible.
  5. I believe faction info is stored in DBC files, so you'd require an MPQ edit to modify stuff like that. You can add custom reputations and spoof stuff like that on the client side with DBC edits. With a "modified client" (DBC files) you could add modified reputation functionality, but otherwise you will be limited by the static data in the DBCs.
  6. Hey, I just finished my packet logger (HUUUGE thanks to you guys for your work, I snagged your Opcode enum) and was wondering if the logs are useful at all to the devs? Or any opcodes in particular for that matter. Sample output:

     [20:15:20]: CNetClient::SendMessage: (Opcode - 0x0391 CMSG_TIME_SYNC_RESP) (Size - 12).
     [20:15:20]: CNetClient::SendMessage: (Data - Hex) 91 03 00 00 08 00 00 00 FB BF
     [20:15:20]: CNetClient::SendMessage: (Data - Hex) D8 06
     [20:15:20]: CNetClient::SendMessage: (Data - ASCII) ..........
     [20:15:20]: CNetClient::SendMessage: (Data - ASCII) ..
     [20:15:23]: CNetClient::GetNetStats: (BandwidthIn - 1.24015) (BandwidthOut - 0.0193766) (Latency - 909).
     [20:15:25]: CNetClient::ProcessMessage: (Timestamp - 114873202) (Opcode - 0x00DD SMSG_MONSTER_MOVE) (Size - 58).
     [20:15:25]: CNetClient::ProcessMessage: (Data - Hex) DD 00 DB B6 6F F7 76 30 F1 BB
     [20:15:25]: CNetClient::ProcessMessage: (Data - Hex) C2 E1 45 11 06 28 C5 79 38 3B
     [20:15:25]: CNetClient::ProcessMessage: (Data - Hex) 44 31 FF 17 07 00 00 01 00 00
     [20:15:25]: CNetClient::ProcessMessage: (Data - Hex) 08 06 00 00 03 00 00 00 90 A5
     [20:15:25]: CNetClient::ProcessMessage: (Data - Hex) E1 45 8A E5 26 C5 79 A0 3B 44
     [20:15:25]: CNetClient::ProcessMessage: (Data - Hex) FE 27 80 FF 02 80 FF FE
     [20:15:25]: CNetClient::ProcessMessage: (Data - ASCII) ....o.v0..
     [20:15:25]: CNetClient::ProcessMessage: (Data - ASCII) ..E..(.y8;
     [20:15:25]: CNetClient::ProcessMessage: (Data - ASCII) D1........
     [20:15:25]: CNetClient::ProcessMessage: (Data - ASCII) ..........
     [20:15:25]: CNetClient::ProcessMessage: (Data - ASCII) .E..&.y.;D
     [20:15:25]: CNetClient::ProcessMessage: (Data - ASCII) .'......
     [20:15:26]: CNetClient::ProcessMessage: (Timestamp - 114873565) (Opcode - 0x0496 SMSG_AURA_UPDATE) (Size - 17).
     [20:15:26]: CNetClient::ProcessMessage: (Data - Hex) 96 04 DB 4D 44 AF 75 30 F1 00
     [20:15:26]: CNetClient::ProcessMessage: (Data - Hex) C0 DD 00 00 19 50 00
     [20:15:26]: CNetClient::ProcessMessage: (Data - ASCII) ...MD.u0..
     [20:15:26]: CNetClient::ProcessMessage: (Data - ASCII) .....P.

     Obviously I could change the formatting or filter to just specific opcodes if needed. I get both incoming and outgoing data so that's not a problem either. Just curious if there is any use for any of the data. If not, no worries, I wrote it for one of my own projects anyway. P.S. I realize the team is probably already using packet loggers; what I'm saying is that I can provide quite a lot of data from real-world play on 'retail' servers. I play WoW (retail) a lot so I get craploads of data.
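The log format shown in that post is regular enough to parse back into packets; the following is an added example (not the poster's logger code) that reassembles the split hex lines and checks each message against its own header. The sample lines are two of the messages quoted above; the cross-check that the first little-endian word of the payload equals the opcode is an assumption about the dump layout that holds for the quoted data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Sample lines copied from the post above (two of the three logged messages).
SAMPLE_LOG = """\
[20:15:20]: CNetClient::SendMessage: (Opcode - 0x0391 CMSG_TIME_SYNC_RESP) (Size - 12).
[20:15:20]: CNetClient::SendMessage: (Data - Hex) 91 03 00 00 08 00 00 00 FB BF
[20:15:20]: CNetClient::SendMessage: (Data - Hex) D8 06
[20:15:20]: CNetClient::SendMessage: (Data - ASCII) ..........
[20:15:20]: CNetClient::SendMessage: (Data - ASCII) ..
[20:15:23]: CNetClient::GetNetStats: (BandwidthIn - 1.24015) (BandwidthOut - 0.0193766) (Latency - 909).
[20:15:26]: CNetClient::ProcessMessage: (Timestamp - 114873565) (Opcode - 0x0496 SMSG_AURA_UPDATE) (Size - 17).
[20:15:26]: CNetClient::ProcessMessage: (Data - Hex) 96 04 DB 4D 44 AF 75 30 F1 00
[20:15:26]: CNetClient::ProcessMessage: (Data - Hex) C0 DD 00 00 19 50 00
[20:15:26]: CNetClient::ProcessMessage: (Data - ASCII) ...MD.u0..
[20:15:26]: CNetClient::ProcessMessage: (Data - ASCII) .....P.
"""

HEADER = re.compile(r"^\[(?P<ts>[\d:]+)\]: CNetClient::(?P<dir>SendMessage|ProcessMessage): "
                    r".*\(Opcode - 0x(?P<op>[0-9A-Fa-f]{4}) (?P<name>\w+)\) \(Size - (?P<size>\d+)\)")
HEXLINE = re.compile(r"^\[[\d:]+\]: CNetClient::(?:SendMessage|ProcessMessage): "
                     r"\(Data - Hex\) (?P<hex>[0-9A-Fa-f ]+)$")

@dataclass
class Packet:
    direction: str        # SendMessage = client->server, ProcessMessage = server->client
    opcode: int
    name: str
    declared_size: int
    data: bytearray = field(default_factory=bytearray)

    def consistent(self) -> bool:
        """Captured bytes match the declared size and start with the opcode word."""
        return (len(self.data) == self.declared_size
                and int.from_bytes(self.data[:2], "little") == self.opcode)

def parse_log(text: str) -> list[Packet]:
    packets: list[Packet] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:   # a header line opens a new packet
            packets.append(Packet(m["dir"], int(m["op"], 16), m["name"], int(m["size"])))
            continue
        h = HEXLINE.match(line)
        if h and packets:   # hex chunks belong to the most recent header; ASCII/NetStats lines are skipped
            packets[-1].data += bytes.fromhex(h["hex"])
    return packets
```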
  7. Mind detailing the client restrictions? You've got me curious.
  8. What you're referring to is a format specifier for C-style strings. It's used in the standard C library I/O functions such as printf/sprintf/etc. The C++ way to add an int/float/whatever to a 'string' (a C++ style string) would be using stringstreams.
  9. Some pointers for you:

     [14:45:20]: 0x011CA274 -> CNetClient__ClassPtr
     [14:45:20]: 0x011779A4 -> CInputControl__ClassPtr
     [14:45:20]: 0x012DAD10 -> CGameTime__TimePtr
     [14:45:20]: 0x012EA520 -> TextSegStartPtr
     [14:45:20]: 0x012EA524 -> TextSegEndPtr

     /me is an asshole
     /me waits patiently to see first of all if anyone 'gets it', second of all if anyone can link a certain comic that depicts this exact situation
     PS. Bonus: Those pointers are real and valid. (WoW.exe v3.0.3 Retail)
  10. Well, despite this being an open source project I highly doubt server admins would protest to having WardenClient.dll supplied without source. Just make it a separate project, an optional component that is closed source and supplied with a core patch to enable support for it. That's not difficult at all; it would only really conflict with the "spirit" or "essence" of the project, although in my opinion security should sometimes trump those things if obscurity is the only option. The actual work lies in reversing what I would call one of the most 'complex' parts of WoW. PS. A friend of mine (Kynox) DID work hard for a long time and reverse pretty much all of Warden's code. He can connect to live servers and emulate a full dummy session including Warden requests and responses. After seeing most of the code for that and full dumps of what Warden is doing I can tell you there is a LOT of work involved, far far far more than your average packet reversing session.
  11. I'm gonna go ahead and assume you don't understand the magnitude of work that would entail. That's far from the only problem.
  12. Isn't it actually an old stat that has been reintroduced? I swear there used to be a stat called "spell power" aaages ago.
  13. Quick bump. Probably gonna be working on a private server hack soon so I'll probably post my findings in the process if anyone is interested? I'll try and find suggested fixes too.
  14. Showing existence? Sure. Here's a pic of me testing some stuff (3.0.2 - Retail Servers): [EDIT: DO NOT POST INGAME SCREENSHOTS] You said the maximum angle in the client is 57 degrees which is incorrect, I was just pointing that out. What's calculated on the server is a different story. And here's some proof for you (from 3.0.2):

     .rdata:0096F640 CGlobals__MaxPlayerClimbAngle dd 6.4278764e-1 ; DATA XREF: sub_68F350r
     .rdata:0096F640 ; sub_68F380:loc_68F3A0r ...
     .rdata:0096F668 CGlobals__MaxNpcClimbAngle dd 1.7364818e-1 ; DATA XREF: sub_68F380+Fr
     .rdata:0096F668 ; sub_68F5B0+31r ...

     Take the inverse cosine of those floats to get the angle.
  15. 1-2. Your speed/tele anti-hacks could be bypassed with packet spoofing. 3. Your flying anti-hack could be bypassed by toggling off the flying flag in the movement packets. You should check for PITCHes. 4. You have the angles wrong. Maximum angle for players is 50 deg and maximum for npcs is 80. They're stored in the .rdata section as the cosine of the angle. 5. Ok. 6. Could be bypassed by hacking the client to not think it's falling, at which point you would need to do more serverside checks and can't rely on packets from the client. 7. Yup
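Posts 14 and 15 together give the stored cosines and the angles they encode; the following added example (mine, not code from Mangos or the client) recovers the angles from those floats and shows how a server-side slope check can compare a terrain normal against the same cosine thresholds directly, without ever computing an angle. The (x, y, z) surface-normal representation is an assumption for the example.

```python
import math

# Cosines as stored in the client's .rdata section (values quoted in post 14)
MAX_PLAYER_CLIMB_COS = 0.64278764   # CGlobals__MaxPlayerClimbAngle
MAX_NPC_CLIMB_COS = 0.17364818      # CGlobals__MaxNpcClimbAngle

def climb_angle_degrees(stored_cos: float) -> float:
    """Recover the enforced angle from the stored cosine (post 14: take the inverse cosine)."""
    return math.degrees(math.acos(stored_cos))

def slope_walkable(normal, actor: str) -> bool:
    """Server-side slope check. The dot product of the unit surface normal with 'up'
    is the cosine of the slope angle, so it compares against the stored threshold as-is.
    normal is an assumed (x, y, z) tuple with z up; actor is 'player' or 'npc'."""
    nx, ny, nz = normal
    length = math.sqrt(nx * nx + ny * ny + nz * nz)
    if length == 0.0:
        raise ValueError("degenerate surface normal")
    cos_slope = nz / length
    threshold = MAX_PLAYER_CLIMB_COS if actor == "player" else MAX_NPC_CLIMB_COS
    # Steeper slope => smaller cosine; reject once it drops below the actor's limit.
    return cos_slope >= threshold
```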
  16. You spelled "intelligence" wrong. For multi-process (which I assume is what is the decision currently) pretty much all parts of the app will need modifications. I think the main idea is to improve stability, speed, and scalability. Also, the Visual Studio debugger would be better for the Windows platform due to its focus as a 'development' debugger rather than a 'reversing' debugger (i.e. it's much easier to use symbols and source files in VS than it is in OllyDbg). I know it was just a metaphor but I thought it was worth pointing out.
  17. I'm talking more about client-side hacks here rather than server-side bugs but nevertheless it's interesting. Regarding stat stacking, how exactly does that work? Could you provide me with an example of how it's done so I could dig into the related code? I don't see how a bug that allows stat changing couldn't be just 'fixed' without the need for redundant checks.
  18. Lots of interesting replies posted since my last one. First off. Someone brought up an advantage I neglected to mention. On x86 a single process cannot address more than its pointer size (ignoring AWE which I assume requires modifications to the software); by splitting mangos into several processes you can work around this limitation. Whether or not this issue can be addressed by improving high-memory features is another issue entirely. Secondly. To Wyk3d, if it's not an 'if' but a 'when' why not address it now? By doing multi-threading only to have to rewrite it a second time to implement multi-processes you're doing a lot of double handling. I say implement multi-processes now and then it's not an issue. Third. Derex, unfortunately I am quite busy at the moment, I just finished high school and am starting Uni in 4 months, doing freelance software development at the moment to get some cash (WoW related stuff, writing bots, hacks, etc for private buyers). I may possibly have time in the future but I wouldn't put my eggs into that basket.
  19. How about this. For the first movement packet a server receives that indicates the client is swimming the server 'starts the clock'; whenever the client exits the water the server 'winds back the clock' the right amount, then forward again when the client is swimming again, etc, and disposes of the timer when it's at full. The 'flying' flag is actually a different flag to the 'swimming' flag, they just act in the same way. Because of this you could still kick users with the flying flag enabled without interfering with the swimming stuff; they are two separate things as far as I am aware (although I would have to double check, I will do so when I get some spare time). Even if the swimming flag CAN be used to fly you could still just use VMAPs to detect the flying crap (which would also take care of the non-flag based flying hacks). And oh, by the way, generally the flag can be toggled off in the packets client side, so you're not looking for the flag, you're looking for PITCH_UP and PITCH_DOWN movements that aren't supposed to be there.
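The server-side scheme sketched in that post, written out as an added example (my code, not anything from Mangos): a per-client swim clock that runs forward while the client reports swimming, winds back while it does not, and is dropped once fully wound back, plus the pitch-without-swimming check the post ends on. The flag bit values, the packet shape and the limit on how long the swimming flag can legitimately stay set are all assumptions made for the example.

```python
from dataclasses import dataclass

# Flag bits are constructed for this example; they are not the client's real movement-flag layout.
FLAG_SWIMMING = 0x1
FLAG_FLYING = 0x2
FLAG_PITCH_UP = 0x4
FLAG_PITCH_DOWN = 0x8

@dataclass
class MovementPacket:
    time_ms: int   # movement timestamp reported by the client
    flags: int     # movement flags reported by the client

class SwimClock:
    """Swim clock from the post: starts on the first swimming packet, runs while the client
    says it is swimming, winds back while it does not, and is dropped once fully wound back.
    max_swim_ms (assumed) is the longest the swimming flag can plausibly stay set."""

    def __init__(self, max_swim_ms: int):
        self.max_swim_ms = max_swim_ms
        self.elapsed_ms = 0
        self.last_time_ms = None   # None means no clock is running

    def feed(self, pkt: MovementPacket) -> list:
        alerts = []
        swimming = bool(pkt.flags & FLAG_SWIMMING)
        if pkt.flags & FLAG_FLYING:
            alerts.append("flying flag set")
        # The swim flag can be cleared client side, but pitch still has to be sent to change height.
        if pkt.flags & (FLAG_PITCH_UP | FLAG_PITCH_DOWN) and not swimming:
            alerts.append("pitch movement without swimming flag")
        if self.last_time_ms is None:
            if swimming:                     # first swimming packet starts the clock
                self.last_time_ms = pkt.time_ms
            return alerts
        delta = pkt.time_ms - self.last_time_ms
        self.last_time_ms = pkt.time_ms
        if swimming:
            self.elapsed_ms += delta
            if self.elapsed_ms > self.max_swim_ms:
                alerts.append("swimming flag held longer than allowed")
        else:
            self.elapsed_ms = max(0, self.elapsed_ms - delta)
            if self.elapsed_ms == 0:         # fully wound back: dispose of the timer
                self.last_time_ms = None
        return alerts

def scan(packets, max_swim_ms=5000):
    clock = SwimClock(max_swim_ms)   # one clock per client session
    return [(p.time_ms, a) for p in packets for a in clock.feed(p)]
```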
  20. Just because you gain clustering doesn't mean you lose concurrency.. What do you see as the advantage of multithreading over multiple-processes? No-one is forcing you to use multiple servers, my understanding is that using a single server will be fine if you choose to. My mistake. You also have to keep in mind, not everyone is running a dedicated server just for mangos. Mangos (afaik) is designed to be an 'educational' project, so you need to think about the rest of your userbase. Some people (such as myself) are just enthusiasts who use mangos to "sandbox" WoW and test things or aid in reverse engineering. EDIT: And just to point out, even though Mangos has the flag enabled the flag still has to be enabled in the bootloader or it will do nothing.
  21. Errr. Either you don't understand how threads work or you don't understand what I was trying to say. Either way I will address your concern. My point was not to say that multi-threading is not needed, on the contrary in fact; my point was that people are saying "if you have more than one thread you can tell x thread to run on CPU core y" or w/e. The point I was trying to make is the thread scheduler already does this and handles context switches and affinity masks a lot better than a human would, so it's best left alone. i.e. I'm saying that yes threads are good, but you shouldn't fiddle with thread scheduling settings because you'll most likely decrease performance (compared to a non-modified multi-threaded setup). Naturally you can set thread priorities but most of the other stuff should be left alone, that was the point I was trying to make. Don't you mean PAE? (For the 4GB on x32) This introduces problems of its own though and is not really an elegant solution. The only true solution if you want more than 3GB of addressable RAM in a reliable fashion on Windows is x64. The kernel has to go somewhere; all that PAE does is allow an individual process to address more RAM, it doesn't actually increase the amount available to the user-space as a whole. There is a setting to enable LARGEADDRESSSSUPPORT or w/e, but the kernel is generally given 2GB for a good reason so unless you're running a very heavy SQL server or something that needs access to GBs of data it's probably best left alone.
  22. Thanks, I didn't have access to my subversion server at the time of that post. I've dug up all the code I was missing now.
  23. I know a guy who is using a navmesh for his bot platform and it's highly accurate. So it is very possible to get accurate navmesh generation. Also, resource usage wouldn't be overly high as long as the algorithm is implemented correctly and you're not constantly calculating huuuge paths.