Posts posted by Cypherjb

  1. Well, Windows is coming out with a new Windows release in 2012, and they have already released a beta of it. I just installed it but was wondering if anyone else has tried it out and seen how mangos runs on it. You can DL it for free from Microsoft (64 or 32 bit editions). It's basically Windows XP with the interface features of Vista and some of the security features.

    EDIT: I'll be testing this myself shortly, I just need to reinstall the .net framework and whatnot. yay for free 64 bit windows OS xD

    "It's basically Windows XP with the interface features of Vista and some of the security features."

    Your ignorance astounds me...

    On another note, I currently have the x64 Beta installed in VMWare and am relatively impressed with it though I will likely be using Windows Server 2008 R2 when it comes out (which should be at the same time as W7). If you're interested in a dedicated Windows box for Mangos I highly recommend the Windows Server family of OS's, I'm using Server 2008 on my desktop, laptop, and server and am highly impressed with it.

    I wouldn't suggest installing Windows 7 as a primary OS currently though. Dual booting is fine, but the beta build is way too unstable to be considered usable as a primary OS. The x64 build is worse than the x86 one in terms of stability (for the beta that is.. in general I've found x64 to be much more stable than x86 on my 3 PCs).

  2. OK Dave, you win. I have read and I do have an interest in the development of software such as this.

    But if it's just to learn, I think I would rather pay to play, like most people, and be part of a larger community.

    Oh, and I'm sure Blizzard has a few things to say about how legal reverse engineering their software is in the first place, and using ad.exe to extract maps from their software too.

    So what was just a question about a better/different way to do things is now just about a mod sitting on his high horse. I hope you feel good about that. Dave

    You're totally clueless, please do some research before throwing around information you pulled from your ass.

    I cite 'Sega v. Accolade':

    "Where disassembly is the only way to gain access to the ideas and functional elements embodied in a copyrighted computer program and where there is a legitimate reason for seeking such access, disassembly is a fair use of the copyrighted work, as a matter of law"

    Reverse engineering for the purposes of interoperability is considered lawful in most (if not all) US states/regions/etc. Because none of the Mangos project infringes on patent/copyright/trademark laws there is no issue with the legality of the project.

    Distributing map/dbc/etc files would be illegal, the legality of distributing SQL dumps with quest/npc/etc spawns is highly questionable. The legality of the mangos project itself though is perfectly clear, no rights of Blizzard are being infringed upon, and reverse engineering the World of Warcraft client is a perfectly legal process because it is being done to discover information about proprietary file formats or network protocols.

    As a side note, here are some quotes from the Chilling Effects FAQ on Reverse Engineering (site seems to be down currently):

    Question: Is reverse engineering legal?

    Answer: Reverse engineering has long been held a legitimate form of discovery in both legislation and court opinions. The Supreme Court has confronted the issue of reverse engineering in mechanical technologies several times, upholding it under the principles that it is an important method of the dissemination of ideas and that it encourages innovation in the marketplace. The Supreme Court addressed the first principle in Kewanee Oil v. Bicron, a case involving trade secret protection over synthetic crystals manufacturing by defining reverse engineering as "a fair and honest means of starting with the known product and working backwards to divine the process which aided in its development or manufacture." [416 U.S. 470, 476 (1974)] The principle that reverse engineering encourages innovation was articulated in Bonito Boats. v. Thunder Craft, a case involving laws forbidding the reverse engineering of the molding process of boat hulls, when the Supreme Court said that "the competitive reality of reverse engineering may act as a spur to the inventor, creating an incentive to develop inventions that meet the rigorous requirements of patentability." [489 U.S. 141 160 (1989)]

    Congress has also passed legislation in a number of different technological areas specifically permitting reverse engineering. The Semiconductor Chip Protection Act (SCPA) explicitly includes a reverse engineering privilege allowing semiconductor chip designers to study the layout of circuits and incorporate that knowledge into the design of new chips. The Competition of Contracting Act of 1984 allows the defense industry to inspect and analyze the spare parts it purchases in order to facilitate competition in government contracts.

    The law regarding reverse engineering in the computer software and hardware context is less clear, but has been described by many courts as an important part of software development. The reverse engineering of software faces considerable legal challenges due to the enforcement of anti reverse engineering licensing provisions and the prohibition on the circumvention of technologies embedded within protection measures. By enforcing these legal mechanisms, courts are not required to examine the reverse engineering restrictions under federal intellectual property law. In circumstances involving anti reverse engineering licensing provisions, courts must first determine whether the enforcement of these provisions within contracts are preempted by federal intellectual property law considerations. Under DMCA claims involving the circumvention of technological protection systems, courts analyze whether or not the reverse engineering in question qualifies under any of the exemptions contained within the law.

    Question: Are licensing provisions prohibiting reverse engineering enforceable?

    Answer: While the validity of licensing prohibitions of reverse engineering has not yet been decided by courts, the conflict between state laws that would enforce these provisions and federal intellectual property law has been addressed. When considering cases where breach of contract or trade secret misappropriation is claimed (both state law claims), courts must first determine whether or not intellectual property law preempts those contracts enforced by the individual state. Preemption occurs when courts determine that federal intellectual property law must be considered in order to address the issues involved in the particular provisions.

    Section 301 of the Copyright Act provides that a state law claim is preempted if:

    (1) the work to be protected comes within the subject matter of copyright; and

    (2) the state-created right forming the basis of the state law claim is equivalent to any of the exclusive rights within the general scope of copyright."

    In order for the claim to be preempted it must first pass this equivalency test, which determines whether the state-created rights in upholding the contract are merely alternative articulations of the exclusive rights of copyright law. If the court determines that the contract provisions contain an "extra element" that require analysis of the contract to be preempted by copyright law, the courts generally proceed to an analysis of the possible infringement or exemption under fair use of the activities of the reverse engineer.

    Disclaimer: I am NOT a lawyer and none of the above constitutes legal advice. I am a student and casual freelance software developer. One thing to note is that although I am NOT a lawyer by trade I have consulted a lawyer for multiple projects that required reverse engineering, if you are doubtful about the legality of your specific project I suggest you do the same.

  3. Just a small idea - you can change the packet display to something more readable ..

    For example a piece of tcpdump - http://paste2.org/p/124235

    .. and I know about .. 5 opcode sniffers, so perhaps devs already have some, but it's always good to have a new one. :)

    edit: err, forgot to add - you can search for that formatting mechanism in tcpdump sources (from where some other projects took it), or perhaps dsniff, I remember such code there as well.

    Thanks.

    This one isn't just a sniffer though, I have the ability to craft my own packets and send them to the server too. Dunno how useful that kind of functionality is to server devs.

    Also, I'm currently adding XML support so I can describe packets and dump them out in a nicer format.

    EDIT: Forgot to add, this runs inside WoW.exe because I like being able to use a D3D UI when testing stuff.

  4. Did anyone except Arrai , read my posting ? :D

    There's a function in player.cpp that sets the Team (alli, horde) for the chosen Race (over the dbc-files of course).

    And no, it doesn't work to simply give a Night Elf 6000 rep in Orgrimmar .. it won't get attacked .. yes, but can't trade nor do anything else.

    Greets

    Daniel

    PS: Please read my posting ....

    Do you listen? The client doesn't read the DBC files from the server, it uses local ones that CANNOT BE OVERRIDDEN FROM THE SERVER, there are client side restrictions, so doing what you want is impossible.

  5. Partly. The main Horde/Alliance factions are hard-coded (or so it seems from a cursory visit to the source code), while some sub-groups do seem to be allowed to be made friendly or at least less warlike. I've managed to get Friendly rep with the Stormwolf Clan, f'instance- much to the consternation of the local Dwarves.

    If the faction comes up 'Neutral' when you first see it, you can toggle the 'At War' setting in the reputation panel of the client and go from there. However, this doesn't work for the main Alliance/Horde factions. The Defilers, Timbermaw Hold and others can also have their 'At War' setting turned off in the rep panel, but the others seem to be permanently set, hardcoded by the game code and keying on races.

    I believe faction info is stored in DBC files, so you'd require an MPQ edit to modify stuff like that. You can add custom reputations and spoof stuff like that on the client side with DBC edits. With a "modified client" (DBC files) you could add modified reputation functionality, but otherwise you will be limited by the static data in the DBCs.

  6. Hey, I just finished my packet logger (HUUUGE thanks to you guys for your work, I snagged your Opcode enum :P) and was wondering if the logs are useful at all to the devs? Or any opcodes in particular for that matter.

    Sample output:

    [20:15:20]: CNetClient::SendMessage: (Opcode - 0x0391 CMSG_TIME_SYNC_RESP) (Size - 12).
    [20:15:20]: CNetClient::SendMessage: (Data - Hex) 91 03 00 00 08 00 00 00 FB BF 
    [20:15:20]: CNetClient::SendMessage: (Data - Hex) D8 06 
    [20:15:20]: CNetClient::SendMessage: (Data - ASCII) ..........
    [20:15:20]: CNetClient::SendMessage: (Data - ASCII) ..
    [20:15:23]: CNetClient::GetNetStats: (BandwidthIn - 1.24015) (BandwidthOut - 0.0193766) (Latency - 909).
    [20:15:25]: CNetClient::ProcessMessage: (Timestamp - 114873202) (Opcode - 0x00DD SMSG_MONSTER_MOVE) (Size - 58).
    [20:15:25]: CNetClient::ProcessMessage: (Data - Hex) DD 00 DB B6 6F F7 76 30 F1 BB 
    [20:15:25]: CNetClient::ProcessMessage: (Data - Hex) C2 E1 45 11 06 28 C5 79 38 3B 
    [20:15:25]: CNetClient::ProcessMessage: (Data - Hex) 44 31 FF 17 07 00 00 01 00 00 
    [20:15:25]: CNetClient::ProcessMessage: (Data - Hex) 08 06 00 00 03 00 00 00 90 A5 
    [20:15:25]: CNetClient::ProcessMessage: (Data - Hex) E1 45 8A E5 26 C5 79 A0 3B 44 
    [20:15:25]: CNetClient::ProcessMessage: (Data - Hex) FE 27 80 FF 02 80 FF FE 
    [20:15:25]: CNetClient::ProcessMessage: (Data - ASCII) ....o.v0..
    [20:15:25]: CNetClient::ProcessMessage: (Data - ASCII) ..E..(.y8;
    [20:15:25]: CNetClient::ProcessMessage: (Data - ASCII) D1........
    [20:15:25]: CNetClient::ProcessMessage: (Data - ASCII) ..........
    [20:15:25]: CNetClient::ProcessMessage: (Data - ASCII) .E..&.y.;D
    [20:15:25]: CNetClient::ProcessMessage: (Data - ASCII) .'......
    [20:15:26]: CNetClient::ProcessMessage: (Timestamp - 114873565) (Opcode - 0x0496 SMSG_AURA_UPDATE) (Size - 17).
    [20:15:26]: CNetClient::ProcessMessage: (Data - Hex) 96 04 DB 4D 44 AF 75 30 F1 00 
    [20:15:26]: CNetClient::ProcessMessage: (Data - Hex) C0 DD 00 00 19 50 00 
    [20:15:26]: CNetClient::ProcessMessage: (Data - ASCII) ...MD.u0..
    [20:15:26]: CNetClient::ProcessMessage: (Data - ASCII) .....P.
    

    Obviously I could change the formatting or filter to just specific opcodes if needed. I get both incoming and outgoing data so that's not a problem either. Just curious if there is any use for any of the data. If not, no worries, I wrote it for one of my own projects anyway.

    P.S. I realize the team is probably already using packet loggers, what I'm saying is that I can provide quite a lot of data from real-world play on 'retail' servers. I play WoW (retail) a lot so I get craploads of data.
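Anyone consuming logs in the format shown in that post wants a parser that reassembles the hex dump lines into one payload per record and sanity-checks each record before trusting it. The following is an added example, not code from the post's logger or from MaNGOS; the sample lines are copied from the post above (ASCII lines for the last two packets trimmed), and the observation that every dump starts with the opcode as a little-endian 16-bit value is taken from that sample, not from any documented format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the post above; the "(Data - ASCII)" lines of the
# last two packets are trimmed because they carry nothing the hex dump lacks.
SAMPLE_LOG = """\
[20:15:20]: CNetClient::SendMessage: (Opcode - 0x0391 CMSG_TIME_SYNC_RESP) (Size - 12).
[20:15:20]: CNetClient::SendMessage: (Data - Hex) 91 03 00 00 08 00 00 00 FB BF
[20:15:20]: CNetClient::SendMessage: (Data - Hex) D8 06
[20:15:20]: CNetClient::SendMessage: (Data - ASCII) ..........
[20:15:20]: CNetClient::SendMessage: (Data - ASCII) ..
[20:15:23]: CNetClient::GetNetStats: (BandwidthIn - 1.24015) (BandwidthOut - 0.0193766) (Latency - 909).
[20:15:25]: CNetClient::ProcessMessage: (Timestamp - 114873202) (Opcode - 0x00DD SMSG_MONSTER_MOVE) (Size - 58).
[20:15:25]: CNetClient::ProcessMessage: (Data - Hex) DD 00 DB B6 6F F7 76 30 F1 BB
[20:15:25]: CNetClient::ProcessMessage: (Data - Hex) C2 E1 45 11 06 28 C5 79 38 3B
[20:15:25]: CNetClient::ProcessMessage: (Data - Hex) 44 31 FF 17 07 00 00 01 00 00
[20:15:25]: CNetClient::ProcessMessage: (Data - Hex) 08 06 00 00 03 00 00 00 90 A5
[20:15:25]: CNetClient::ProcessMessage: (Data - Hex) E1 45 8A E5 26 C5 79 A0 3B 44
[20:15:25]: CNetClient::ProcessMessage: (Data - Hex) FE 27 80 FF 02 80 FF FE
[20:15:26]: CNetClient::ProcessMessage: (Timestamp - 114873565) (Opcode - 0x0496 SMSG_AURA_UPDATE) (Size - 17).
[20:15:26]: CNetClient::ProcessMessage: (Data - Hex) 96 04 DB 4D 44 AF 75 30 F1 00
[20:15:26]: CNetClient::ProcessMessage: (Data - Hex) C0 DD 00 00 19 50 00
"""

HEADER_RE = re.compile(
    r"^\[(?P<time>\d\d:\d\d:\d\d)\]: CNetClient::(?P<method>SendMessage|ProcessMessage): "
    r"(?:\(Timestamp - (?P<ts>\d+)\) )?"
    r"\(Opcode - 0x(?P<opcode>[0-9A-Fa-f]{4}) (?P<name>\w+)\) \(Size - (?P<size>\d+)\)\.$"
)
HEX_RE = re.compile(
    r"^\[\d\d:\d\d:\d\d\]: CNetClient::(?:SendMessage|ProcessMessage): "
    r"\(Data - Hex\) (?P<bytes>[0-9A-Fa-f ]+)$"
)


@dataclass
class Packet:
    time: str
    direction: str            # "C->S" for SendMessage, "S->C" for ProcessMessage
    opcode: int
    name: str
    declared_size: int
    timestamp: Optional[int]  # only present on ProcessMessage header lines
    payload: bytes = b""


def parse_log(text: str) -> List[Packet]:
    """Group each header line with the hex dump lines that follow it."""
    packets: List[Packet] = []
    current: Optional[Packet] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            current = Packet(
                time=m["time"],
                direction="C->S" if m["method"] == "SendMessage" else "S->C",
                opcode=int(m["opcode"], 16),
                name=m["name"],
                declared_size=int(m["size"]),
                timestamp=int(m["ts"]) if m["ts"] else None,
            )
            packets.append(current)
            continue
        m = HEX_RE.match(line)
        if m and current is not None:
            current.payload += bytes.fromhex(m["bytes"].replace(" ", ""))
        # "(Data - ASCII)" and GetNetStats lines are skipped: nothing to reassemble
    return packets


def check_packet(p: Packet) -> List[str]:
    """Consistency checks to run before feeding a record into any further analysis."""
    problems = []
    if len(p.payload) != p.declared_size:
        problems.append(f"{p.name}: declared size {p.declared_size}, dumped {len(p.payload)} bytes")
    # In the sample every dump starts with the opcode as a little-endian uint16.
    if len(p.payload) >= 2 and int.from_bytes(p.payload[:2], "little") != p.opcode:
        problems.append(f"{p.name}: leading bytes do not match opcode 0x{p.opcode:04X}")
    return problems


def opcode_histogram(packets: List[Packet]) -> Dict[Tuple[str, str], int]:
    """How often each (direction, opcode name) pair occurs; handy for triaging big logs."""
    counts: Dict[Tuple[str, str], int] = {}
    for p in packets:
        counts[(p.direction, p.name)] = counts.get((p.direction, p.name), 0) + 1
    return counts


if __name__ == "__main__":
    for p in parse_log(SAMPLE_LOG):
        print(p.time, p.direction, f"0x{p.opcode:04X}", p.name, len(p.payload), check_packet(p) or "ok")
```

A truncated dump (a hex line lost when copying) shows up immediately as a size mismatch rather than silently producing a short payload, which matters once the records are used to drive a packet-structure description such as the XML one mentioned in the thread.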

  7. What you're referring to is a format specifier for C-style strings. It's used in the standard C library I/O functions such as printf/sprintf/etc.

    The C++ way to add an int/float/whatever to a 'string' (a C++ style string) would be using stringstreams.

  8. Some pointers for you:

    [14:45:20]: 0x011CA274 -> CNetClient__ClassPtr
    [14:45:20]: 0x011779A4 -> CInputControl__ClassPtr
    [14:45:20]: 0x012DAD10 -> CGameTime__TimePtr
    [14:45:20]: 0x012EA520 -> TextSegStartPtr
    [14:45:20]: 0x012EA524 -> TextSegEndPtr

    /me is an asshole :D

    /me waits patiently to see first of all if anyone 'gets it', second of all if anyone can link a certain comic that depicts this exact situation

    PS. Bonus: Those pointers are real and valid. :P (WoW.exe v3.0.3 Retail)

  9. I agree, but depending on how you look at it, it's the biggest problem, a showstopper if you will. Even if you work hard for many months and manage to reverse engineer 100% of the warden code, it will still be useless in an open source project. If the people writing the cheat programs would know how warden detects them, and more importantly, would know when detection support for their cheat is being added to it (on official they only know this after someone has been banned), they would easily be able to keep themselves undetected and it would be much harder to catch people using these tools.

    Well, despite this being an open source project I highly doubt server admins would protest to having WardenClient.dll supplied without source. Just make it a separate project, an optional component that is closed source and supplied with a core patch to enable support for it. That's not difficult at all, it would only really conflict with the "spirit" or "essence" of the project, although in my opinion security should sometimes trump those things if obscurity is the only option.

    The actual work lies in reversing what I would call one of the most 'complex' parts of WoW.

    PS. A friend of mine (Kynox) DID work hard for a long time and reverse pretty much all of Warden's code. He can connect to live servers and emulate a full dummy session including Warden requests and responses. After seeing most of the code for that and full dumps of what warden is doing I can tell you there is a LOT of work involved, far far far more than your average packet reversing session.

  10. How about instead of creating thousands of checks, let's create support for "Warden". As far as I know the client comes with something like this implemented.

    I'm gonna go ahead and assume you don't understand the magnitude of work that would entail.

    Warden relies purely on obfuscation. As soon as MaNGOS, as an open source project, would implement it, all security is lost. For that reason it is not planned to implement it.

    That's far from the only problem.

  11. 1-2-3 and 6 - OK, you write a cheat that does all that you describe (or show its existence) ;) I'll look at it and modify the anticheat for the new reality. ^_^

    57 degrees is an experimental maximum value that contains some additional tolerance. In reality the calculated angle on the server side may be more than 50 deg.

    Showing existence? Sure. Here's a pic of me testing some stuff (3.0.2 - Retail Servers):

    [EDIT: DO NOT POST INGAME SCREENSHOTS]

    You said the maximum angle in the client is 57 degrees which is incorrect, I was just pointing that out. What's calculated on the server is a different story.

    And here's some proof for you (from 3.0.2):

    .rdata:0096F640 CGlobals__MaxPlayerClimbAngle dd 6.4278764e-1 ; DATA XREF: sub_68F350r
    .rdata:0096F640 ; sub_68F380:loc_68F3A0r ...
    .rdata:0096F668 CGlobals__MaxNpcClimbAngle dd 1.7364818e-1 ; DATA XREF: sub_68F380+Fr
    .rdata:0096F668 ; sub_68F5B0+31r ...

    Take the inverse cosine of those floats to get the angle.

  12. 1-2. Your speed/tele anti-hacks could be bypassed with packet spoofing.

    3. Your flying anti-hack could be bypassed by toggling off the flying flag in the movement packets. You should check for PITCHes.

    4. You have the angles wrong. Maximum angle for players is 50 deg and maximum for npcs is 80. They're stored in the .rdata section as the cosine of the angle.

    5. Ok.

    6. Could be bypassed by hacking the client to not think it's falling, at which point you would need to do more serverside checks and can't rely on packets from the client.

    7. Yup
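The two posts above make one point twice: the client stores the cosine of its maximum climb angle, so a server-side slope check should work in the same representation rather than in degrees. The following is an added example, not code from the thread or from MaNGOS: the two constants are the values quoted from the .rdata listing above, while the idea of deriving the slope from consecutive reported positions and the optional server-side tolerance (the "experimental" extra slack the other poster mentions) are assumptions made for the example.

```python
import math
from typing import List, Sequence, Tuple

# Values quoted from the .rdata listing in the post above (WoW.exe 3.0.2).
# The client stores cos(max angle), not the angle itself.
COS_MAX_PLAYER_CLIMB = 0.64278764   # CGlobals__MaxPlayerClimbAngle
COS_MAX_NPC_CLIMB = 0.17364818      # CGlobals__MaxNpcClimbAngle


def climb_limit_degrees(cos_value: float) -> float:
    """Recover the angle from the stored cosine (inverse cosine, as the post says)."""
    return math.degrees(math.acos(cos_value))


def slope_cosine(dx: float, dy: float, dz: float) -> float:
    """Cosine of the angle between a movement step and the horizontal plane.

    cos(slope) = horizontal distance / total distance, so a step can be compared
    against the stored constant directly, without an acos per packet.
    """
    horizontal = math.hypot(dx, dy)
    total = math.sqrt(dx * dx + dy * dy + dz * dz)
    if total == 0.0:
        return 1.0   # no movement at all: treat as flat ground
    return horizontal / total


def exceeds_climb_limit(dx: float, dy: float, dz: float,
                        is_npc: bool = False, tolerance_deg: float = 0.0) -> bool:
    """True when a step is steeper than the client's own limit.

    tolerance_deg is a hypothetical server-side allowance; the thread notes the
    server-computed angle may legitimately come out a few degrees above 50.
    """
    stored = COS_MAX_NPC_CLIMB if is_npc else COS_MAX_PLAYER_CLIMB
    # Widen the limit by the tolerance, then compare cosines: a steeper slope
    # has a smaller cosine.
    threshold = math.cos(math.acos(stored) + math.radians(tolerance_deg))
    return slope_cosine(dx, dy, dz) < threshold


def flag_steps(positions: Sequence[Tuple[float, float, float]],
               is_npc: bool = False, tolerance_deg: float = 0.0) -> List[int]:
    """Indices i for which the step positions[i-1] -> positions[i] is too steep.

    positions are assumed to be consecutive server-side samples of one mover's
    reported location (constructed input; no real packet format is implied).
    """
    flagged = []
    for i in range(1, len(positions)):
        (x0, y0, z0), (x1, y1, z1) = positions[i - 1], positions[i]
        if exceeds_climb_limit(x1 - x0, y1 - y0, z1 - z0, is_npc, tolerance_deg):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    print("player limit: %.3f deg" % climb_limit_degrees(COS_MAX_PLAYER_CLIMB))
    print("npc limit:    %.3f deg" % climb_limit_degrees(COS_MAX_NPC_CLIMB))
    path = [(0, 0, 0), (1, 0, 1), (2, 0, 3), (3, 0, 13)]   # constructed positions
    print("steps too steep for a player:", flag_steps(path))
```

Comparing cosines keeps the check cheap and exact with respect to the client's constant; the tolerance parameter is where the server's own slack belongs, rather than baking a second, rounded angle into the code.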

  13. That was a pretty hard hit to intellegance levels right there. First I would like to personally put out there that when you were talking about multithreading vs multiprocessing, you never stated what you planned on implementing.

    Are you going to rewrite the entire core on how processes are going to be transceived, handled and/or moved around internally? Are you working on making the process for outputs or input reading faster? Do you plan on rewriting the entire server? Are you working on character synchronization with maps/vmaps, collision or anything else relating to where the x/y/z axis input controllers are? Are you working on making SQL queries non-redundant, making them seamlessly integrate internally, making fewer commands and less repetition?

    What I am trying to get at is, what is your plan of attack? It's easy to say, which is better? Which do you prefer working on? You cannot judge someone's intellegance or capability of knowledge by asking them which one they think would be better to integrate.

    Are you planning on adding multicore support while you're at it, making it HT or ST capable if applicable? Are you going to add quad core support, maybe multilevel processing with buffer support using a pipeline, or streamline data instead of a solid query every strike to the database? What is your plan?

    You don't have one. I cannot comment and give you anything that would tell you.. x person knows what he's talking about if you don't give an A solution to your B answer.

    I don't mean to come off rude, but honestly if I ask you which is better.. the Pri console debugger or OllyDebug, people are going to have their preferences, suggestions and ideas of implementation. Now if I said, which one is better for Mangos, since we are working on making this a gaming framework, obviously the choice would be OllyDebug, since Pri is for single streamed data chunks, whereas OllyDebug can use data chunks. But then again, I can say your programming knowledge isn't good enough, or you're not up to where I am because you have never used Pri. *Mainly because Pri is a program only used internally in game design*.

    So, whats your plan?

    What are you planning on improving?

    What is your philosophy?

    Why would changing x to y improve z?

    Ask and answer/propose what you want to do, and why you want to do it. Maybe then you might get what you're looking for.

    -Mynt

    You spelled "intelligence" wrong. :P

    For multi-process (which I assume is what is the decision currently) pretty much all parts of the app will need modifications. I think the main idea is to improve stability, speed, and scalability.

    Also, the Visual Studio debugger would be better for the Windows platform due to its focus as a 'development' debugger rather than a 'reversing' debugger (i.e. it's much easier to use symbols and source files in VS than it is in OllyDbg). I know it was just a metaphor but I thought it was worth pointing out. ;)

  14. One of the most common bugs among servers is the ability to stat stack. I don't honestly know any way around this except doing a random redundant check on items. In Leaf we just randomly select a connection and compare item variables to the database. One problem with it though. It takes a lot of memory from redundancies.

    -Mynt

    I'm talking more about client-side hacks here rather than server-side bugs but nevertheless it's interesting.

    Regarding stat stacking, how exactly does that work? Could you provide me with an example of how it's done so I could dig into the related code. I don't see how a bug that allows stat changing couldn't be just 'fixed' without the need for redundant checks.

  15. Lots of interesting replies posted since my last one.

    First off.

    Someone brought up an advantage I neglected to mention. On x86 a single process cannot address more than its pointer size (ignoring AWE which I assume requires modifications to the software), by splitting mangos into several processes you can work around this limitation.

    Whether or not this issue can be addressed by improving high-memory features is another issue entirely.

    Secondly.

    To Wyk3d, if it's not an 'if' but a 'when' why not address it now? By doing multi-threading only to have to rewrite it a second time to implement multi-processes you're doing a lot of double handling. I say implement multi-processes now and then it's not an issue.

    Third.

    Derex, unfortunately I am quite busy at the moment, I just finished high school and am starting Uni in 4 months, doing freelance software development at the moment to get some cash (WoW related stuff, writing bots, hacks, etc for private buyers). I may possibly have time in the future but I wouldn't put my eggs into that basket.

  16. This.

    The problem is that water detection on server is not really that great and still fails a lot of times.

    It also pretty much disallows checking for swim movetype to disallow flying cheats :-/ ...

    How about this.

    For the first movement packet a server receives that indicates the client is swimming the server 'starts the clock', whenever the client exits the water the server 'winds back the clock' the right amount, then forward again when the client is swimming again, etc, and disposing of the timer when it's at full.

    The 'flying' flag is actually a different flag to the 'swimming' flag they just act in the same way.

    Because of this you could still kick users with the flying flag enabled without interfering with the swimming stuff, they are two separate things as far as I am aware (although I would have to double check, I will do so when I get some spare time).

    Even if the swimming flag CAN be used to fly you could still just use VMAPs to detect the flying crap (which would also take care of the non-flag based flying hacks).

    And oh, by the way, generally the flag can be toggled off in the packets client side, so you're not looking for the flag, you're looking for PITCH_UP and PITCH_DOWN movements that aren't supposed to be there.
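The breath-clock idea in the post above is a small state machine: start a timer on the first swimming packet, run it down while the client reports swimming, wind it back while it does not, and drop it once it is full again. Here it is worked through as an added example, not code from MaNGOS or from the post; the 60-second capacity, the 2x refill rate and the three state names are constructed values for the demonstration, and the example follows the post in keying on a single "swimming" indication per movement packet rather than on any real packet field.

```python
from typing import List, Optional, Sequence, Tuple


class BreathTracker:
    """Server-side breath clock driven only by the client's movement packets.

    max_ms and refill_factor are example values chosen for this demonstration,
    not MaNGOS constants. remaining_ms is None whenever no timer is active.
    """

    def __init__(self, max_ms: int = 60_000, refill_factor: float = 2.0):
        self.max_ms = max_ms
        self.refill_factor = refill_factor
        self.remaining_ms: Optional[float] = None
        self.last_ts: Optional[int] = None
        self.last_swimming = False

    def update(self, ts_ms: int, swimming: bool) -> str:
        """Feed one movement packet (server receive time in ms, swimming flag).

        Returns "no_timer", "breathing" or "out_of_breath" for the client's
        state after this packet.
        """
        if self.remaining_ms is not None:
            elapsed = ts_ms - self.last_ts
            if elapsed < 0:
                raise ValueError("movement packets must be processed in timestamp order")
            if self.last_swimming:
                # Client was in the water since the last packet: clock runs down.
                self.remaining_ms -= elapsed
            else:
                # Client was out of the water: wind the clock back, capped at full.
                self.remaining_ms = min(self.max_ms,
                                        self.remaining_ms + elapsed * self.refill_factor)
            if self.remaining_ms >= self.max_ms:
                self.remaining_ms = None        # full again: dispose of the timer
        if self.remaining_ms is None and swimming:
            self.remaining_ms = float(self.max_ms)   # first swimming packet: start the clock
        self.last_ts = ts_ms
        self.last_swimming = swimming
        if self.remaining_ms is None:
            return "no_timer"
        return "out_of_breath" if self.remaining_ms <= 0 else "breathing"


def replay(events: Sequence[Tuple[int, bool]]) -> List[str]:
    """Run a constructed packet sequence through a fresh tracker, one state per packet."""
    tracker = BreathTracker()
    return [tracker.update(ts, swimming) for ts, swimming in events]


if __name__ == "__main__":
    # Constructed sequence: dive, surface briefly, dive again and stay under too long.
    sample = [(0, True), (30_000, True), (40_000, False), (45_000, True),
              (80_000, True), (85_000, False), (120_000, False)]
    for (ts, swimming), state in zip(sample, replay(sample)):
        print(f"t={ts:>6} ms swimming={swimming!s:5} -> {state}")
```

Because the clock only advances between packets the server actually received, a client that stops sending movement updates while under water does not run the timer down; a real implementation would also tick the clock on the server's own schedule, which is the "more serverside checks" direction the thread keeps coming back to.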

  17. No one here suggested that you tell the system which thread to run on which core/CPU. My point is that multithreading things like maps is FAR more valuable than providing cluster support. While I do have a ton of DL360 G2s available, I don't /really/ need a cluster. I'd prefer to have better multithreading support.

    Just because you gain clustering doesn't mean you lose concurrency.. What do you see as the advantage of multithreading over multiple-processes? No-one is forcing you to use multiple servers, my understanding is that using a single server will be fine if you choose to.

    No, AWE. AWE allows PPros or higher to address up to 64GB PAS when using the NT kernel.

    My mistake.

    Not for Mangos, which currently has the largeaddressaware flag enabled. You have a point for Term Servs, but again, not for Mangos which is what this thread is about.

    Also, remember that OSes, like OS X/Darwin, provide a 4/4 split. It causes TLB thrashing more-so than a system with a 2/2 or 3/2 split, but it does exist.

    You also have to keep in mind, not everyone is running a dedicated server just for mangos. Mangos (afaik) is designed to be an 'educational' project, so you need to think about the rest of your userbase. Some people (such as myself) are just enthusiasts who use mangos to "sandbox" WoW and test things or aid in reverse engineering.

    EDIT:

    And just to point out, even though Mangos has the flag enabled the flag still has to be enabled in the bootloader or it will do nothing.

  18. While this is true, you do not get as good of a performance improvement out of it as you would if the devs put work into optimizing the threading. And, of course, various components (e.g. maps) run on a single thread that could be split out into multiple threads.

    Errr. Either you don't understand how threads work or you don't understand what I was trying to say. Either way I will address your concern.

    My point was not to say that multi-threading is not needed, on the contrary in fact, my point was that people are saying "if you have more than one thread you can tell x thread to run on CPU core y" or w/e. The point I was trying to make is the thread scheduler already does this and handles context switches and affinity masks a lot better than a human would so it's best left alone. ie I'm saying that yes threads are good, but you shouldn't fiddle with thread scheduling settings because you'll most likely decrease performance (compared to a non-modified multi-threaded setup). Naturally you can set thread priorities but most of the other stuff should be left alone, that was the point I was trying to make.

    That is what AWE is for (and applications don't address RAM, they address virtual address space), and on some platforms they can use all 4GB VAS.

    Don't you mean PAE? (For the 4GB on x32) This introduces problems of its own though and is not really an elegant solution. The only true solution if you want more than 3GB of addressable RAM in a reliable fashion on Windows is x64. The kernel has to go somewhere, all that PAE does is allow an individual process to address more RAM, it doesn't actually increase the amount available to the user-space as a whole. There is a setting to enable LARGEADDRESSSSUPPORT or w/e, but the kernel is generally given 2GB for a good reason so unless you're running a very heavy SQL server or something that needs access to GBs of data it's probably best left alone.

  19. Nice work! :D

    While reading this post, I get some new ideas for my anticheat. Thanks for that. :)

    The water breathing was done by sending packets with more than the normal size, so mangos becomes confused.

    This is already fixed, as far as I know.

    Greetings

    FH

    Thanks, I didn't have access to my subversion server at the time of that post. I've dug up all the code I was missing now. ;)

  20. A* on the fly ... which means very slow and a lot of memory usage.

    But implementing an accurate navmesh for all this surface may be very complicated and may not be that accurate.

    I know a guy who is using a navmesh for his bot platform and it's highly accurate. So it is very possible to get accurate navmesh generation. Also, resource usage wouldn't be overly high as long as the algorithm is implemented correctly and you're not constantly calculating huuuge paths.
