1. SRL Junior Member
Join Date
Jul 2009
Posts
164
Mentioned
5 Post(s)
Quoted
69 Post(s)

I have always wanted to read values directly from the RS client, so I started to build a plugin for Simba to do that. After a month of trying to understand programming concepts and stealing code snippets from the internet, it's ready! Thanks to everyone on the forums who helped.

To use it:
1) You need the RS3 NXT client.
2) Simba 64-bit build. Old: https://github.com/MerlijnWajer/Simb.../autobuild-421.
3) Plugin in the plugins folder. https://github.com/pp9999/MemReading/releases/tag/0.1

4) Install mouse interception. Run the .bat file as admin. It should report success in the console window: command.7z
It should take a couple of minutes to display the debug window once a script is run.
Check Simba's console for progress.
Move the mouse manually to start mouse and keyboard interception.
The RS client and Simba must be at the same scaling level.
How to do it:

Try System or Application, whichever works for you.
There is also a small tutorial here: https://villavu.com/forum/showthread.php?t=177695

SRL Resource Library Discord, ask stupid questions there.
Uploaded the code onto GitHub as private.
Want to fix it? Ask for an invite from
discord: test8888#6298

How to use the script:
Simba Code:
program Test;
{$loadlib MemoryError}   // loads the plugin from Simba's plugins folder

begin
  wait(199);
  // debug window on, player name blank, PID -1 = pick from a list, mouse method 0 = Interception driver
  SetupRSReading(True, " ", -1, 0);
  repeat
    wait(100 + random(1099));
    Writeln('Coordinates: ', GetPCoords());
    Writeln('Floor: ', GetPFloorLv());
  until (false);
end.

Some descriptions of the functions
Code:
SetupRSReading(True, " ", -1, 0);
Starts the plugin. Parameters: the first enables the graphical debug window. The second is the player name; it uses an AOB scan to find it after all. The third is the PID:
if it is 0, it goes by the first client found.
If it is a number, it tries to find the client with that PID.
If it is -1, it opens up a list.
The 4th option is the mouse control method to be used:
0 is the Interception driver.
1 is standard Windows mouse commands; they should be fine to use over remote desktop: https://villavu.com/forum/showthread.php?t=118173
2 doesn't bother with mouse emulation at all; it sends commands directly to the client. Should be fine for throwaway accounts.

Code:
GetPCoords();
Returns the RS local player coordinates as a TPoint.

Code:
GetPFloorLv();
Returns the RS local player ground-plane level: ground 0, first floor 1 and so on.

In the source:
Code:
BOOLEAN FindNPCs1(int* id, int size, int dist, int accuracy, int lifepoint, WPOINT tilespot, int dist2, int action, SimbaString sidetext)
Code:
FindNPCs1([41], 1, 10, 0, 0, [0,0], 0, 0, 'Attack');
For attacking/clicking NPCs.
[41] = NPC ids go there.
1 = number of NPC ids in the [] box.
10 = how far to look for NPCs, in tiles. Range, sort of.
0 = random inaccuracy to generate, in pixels. For maximum accuracy leave at 0.
0 = NPC lifepoints. Can be left at 0.
[0,0] = anchor of sorts. Can be 0.
0 = distance in tiles that the function should look from the anchor. This is to stop the player clicking too far from the anchor and getting lured away.
0 = clicking method. 0 left click, 1 right click, 2 move to NPC, 3 do nothing.
'Attack' = RS3 side-text thing, works surprisingly well. Don't leave it empty!

More functions: use
Code:
if (not CheckPAnim(120)) then begin { code } end;
to check if the player is animating. The number is how many times to check, at 25 milliseconds per check. Some animations have huge gaps between them.

Use
Code:
if (InveFull()) then begin { code } end;
to check if the inventory is full or not.

Use
Code:
if (InveItemcount(item1) < 3) then begin { code } end;
to count items in the inventory; item1 is the ID.

Use
Code:
if (InveFreecount() < 9) then begin { code } end;
to check how many spots are free.

Use
Code:
ClickInv(item1, 0);
to click an item in the inventory. Warning: there is no check that the inventory is actually open, so some fail-safes should be added.

To click a decor object, the same stuff as for NPCs goes in:
Code:
FindDobj([99], 1, 16, [0,0], [0,0], False, 0, 'Deposit');
There are also special cases where the object does not disappear but changes; I made some functions to check certain booleans.
Code:
FindDobjA1([99], 1, 16, [0,0], [0,0], False, 0, 'Excavate');
Code:
FindDobjA2([99], 1, 16, [0,0], [0,0], False, 0, 'Excavate');
Mainly using them for archaeology resource caches.

To click active objects (portables and such):
Code:
FindAobj([99], 1, 16, [0,0], [0,0], False, 0, 'Excavate');
Checks if the inventory is open, returns a bool:
Code:
CheckInvOpen();
Checks if the loot window is open:
Code:
CheckLootW();
Tries to open the inventory:
Code:
OpenInv();
Picks text from the right-click menu:
Code:
SelectChooseOption('Trade');
'player' is the name of the player we want to know about.
Returns true if the player is interacting with another player or NPC. Works for local or other players.
Code:
PlayersInterActing('player');
Gets the animation id, either local or other.
Code:
GetPlayersAnimation('player');
Loops the animation check 100 times. If it hits any kind of animation before 100 it returns true. Either local or other players.
Code:
IsPlayersAnimating('player', 100);

There is more; check Simba's list on the side to see them all.

2. Very interesting.. nice to see some progress with getting data from the NXT client

3. Could you provide the source for it so I can give you a few pointers (pun intended) on what you can improve? Source should be provided anyhoo in an open source community.

4. Very nice. Interested in seeing the source as well. Is this plugin Windows-only, or would it be possible to build it for Mac/Linux targets as well? I know the method for reading memory differs across systems.

5. SRL Junior Member
There isn't much to share, only a few lines of code. I discovered that it is almost impossible to find any pointers. The inventory is deleted when logged out and recreated in a different spot. Obviously that command comes from somewhere and the ASM debugger in Cheat Engine shows something, but that ASM thing is over my head.

Hey guys, can you make it so that SRL compiles on the 64-bit build also?

6. SRL Junior Member
Messed around with it:

Low res for ancient computers:

Object locations are not quite correct.
The portal ID thing seems to be in almost the right spot, and those vats 80, 83, 84 are off; the rest is a total mess.

Basically we know the player position and object position in tiles. I tried to guess how much 1 tile is in pixels, seems like around 30 pixels. So player location - object location = x (from the game screen centre), and x*30 almost got the right object location in pixels.

Now with the RS curvature. Plz help.

7. Post the source already...
Also you will probably need to scan for things such as camera angle, rotation, zoom etc. Essentially recreating the W2S calculations the Reflection library uses, unless RS3 has any drastic changes.

8. SRL Junior Member
Hi. Had a look at this w2s calculation.

X := X - Reflect.Compass.CameraX;
Y := Y - Reflect.Compass.CameraY;
Z := Z - Reflect.Compass.CameraZ;
CurveX := Reflect.Compass.GetYaw;
CurveY := Reflect.Compass.GetPitch;

GetYaw is degrees 0 to 360? So I'll put it to 0, max north.
GetPitch is an angle; RSBot shows its max is 85. So 85.

X := X - Reflect.Compass.CameraX;
Y := Y - Reflect.Compass.CameraY;
Z := Z - Reflect.Compass.CameraZ;
CurveX := 0;
CurveY := 85;

But what are those Compass x, y? Are they in pixels? Are they the camera centre point? z?
Edit2: It looks like the current player position? Maybe?
Edit3: Decided to have a look myself.

Code:
OurTile := Reflect.Tiles.GetGlobalTile;
writeln('Point(' + IntToStr(OurTile.x) + ',' + IntToStr(OurTile.y) + ')');
writeln(Reflect.Compass.CameraX);
writeln(Reflect.Compass.CameraY);
writeln(Reflect.Compass.CameraZ);
writeln(Reflect.Compass.GetYaw);
writeln(Reflect.Compass.GetPitch);
Output was on tut island:
Point(3096,3107)
7018
5965
-3023
1942
383
Dunno, those numbers are crazy. Why is the compass 1942, maxes at 2000? Why is the pitch 383 instead of powerbot's 83? What are those numbers x and y? They seem to change with camera turning and with player location.

Edit4: NPCs.

Once the NPC array is found it takes milliseconds to read all NPCs.

Coords might be slightly off.
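The world-to-screen calculation the post above is trying to reverse, as an added example in Python. It is not Reflect's code, not the MemReading plugin's code, and not something anyone in the thread posted. Every convention in it is an assumption chosen so the math is self-contained and runnable offline: world axes x east, y north, z up; camera angles in 2048 units per full turn (which would make the 1942 and 383 readings in the post a yaw just short of north and a pitch of about 67 degrees, but the page does not confirm that unit); yaw clockwise from north; pitch as the camera's downward tilt; FOCAL as a stand-in for the client's zoom; UNITS_PER_TILE as a hypothetical tile size. The point it makes beyond the "tiles times 30 pixels" guess is that the pixel offset depends on depth, and a point behind the camera has no pixel at all.

```python
"""World-to-screen ("w2s") projection for a yaw/pitch camera.

Added example for the calculation discussed in the thread; it is not Reflect's
code, the MemReading plugin's code, or anything posted there. All conventions
below are assumptions (see the lead-in); replace them with the client's real
ones once you have read those from memory.
"""
import math
from typing import Optional, Tuple

ANGLE_UNITS = 2048     # assumed: camera angle units per full turn
FOCAL = 512.0          # assumed: pixels per unit of sideways/up offset at unit depth
UNITS_PER_TILE = 512   # assumed: world units per game tile (hypothetical value)


def angle_to_radians(units: int) -> float:
    """Map the client's integer angle onto [0, 2*pi)."""
    return (units % ANGLE_UNITS) * 2.0 * math.pi / ANGLE_UNITS


def world_to_screen(px: float, py: float, pz: float,
                    cam_x: float, cam_y: float, cam_z: float,
                    yaw_units: int, pitch_units: int,
                    screen_w: int, screen_h: int) -> Optional[Tuple[int, int]]:
    """Pixel position of world point (px, py, pz), or None if the point is
    behind the camera. A flat 'tiles * 30 px' estimate cannot express that case."""
    # 1. translate so the camera is the origin (the X := X - CameraX step)
    dx, dy, dz = px - cam_x, py - cam_y, pz - cam_z

    # 2. rotate about the vertical axis by yaw: fwd runs along the view heading,
    #    right is 90 degrees clockwise of it
    yaw = angle_to_radians(yaw_units)
    sin_y, cos_y = math.sin(yaw), math.cos(yaw)
    right = dx * cos_y - dy * sin_y
    fwd = dx * sin_y + dy * cos_y

    # 3. tilt by pitch: the view axis dips below the horizon by that angle
    pitch = angle_to_radians(pitch_units)
    sin_p, cos_p = math.sin(pitch), math.cos(pitch)
    depth = fwd * cos_p - dz * sin_p    # distance along the view axis
    up = fwd * sin_p + dz * cos_p       # offset along the camera's up vector

    if depth <= 1e-9:
        return None                     # behind or exactly beside the camera

    # 4. perspective divide; pixel y grows downwards
    sx = screen_w / 2.0 + FOCAL * right / depth
    sy = screen_h / 2.0 - FOCAL * up / depth
    return round(sx), round(sy)


def tile_to_screen(player_tile: Tuple[int, int], obj_tile: Tuple[int, int],
                   cam_offset: Tuple[float, float, float],
                   yaw_units: int, pitch_units: int,
                   screen_w: int, screen_h: int) -> Optional[Tuple[int, int]]:
    """What the post is after: player and object positions known in tiles, the
    camera given relative to the player as (east, north, up), and the object
    assumed to sit on the ground plane at the centre of its tile."""
    ox = (obj_tile[0] - player_tile[0]) * UNITS_PER_TILE
    oy = (obj_tile[1] - player_tile[1]) * UNITS_PER_TILE
    cx, cy, cz = cam_offset
    return world_to_screen(ox, oy, 0.0, cx, cy, cz,
                           yaw_units, pitch_units, screen_w, screen_h)


if __name__ == "__main__":
    # camera 1000 units south of and 1000 above the player, looking north, tilted 45 degrees down
    print(tile_to_screen((3096, 3107), (3096, 3109), (0.0, -1000.0, 1000.0), 0, 256, 800, 600))
```

With the camera placed on the view axis of a point (1000 units ahead, 1000 units below, 45 degrees of pitch) that point lands exactly on screen centre, which is the sanity check to run first against whatever yaw and pitch units the client actually turns out to use.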

9. SRL Junior Member
Got bored and the sauce is secret.

Mining guild.

Burth.

10. Originally Posted by alar82
-snip-
This is great, but why post in an open source community if you don't want to share the code? I'd love to expand on it.

11. SRL Member
That looks amazeballs... how detectable is your method of injection? Using the official NXT client?

12. @klamor; it literally says in the title that it is memory reading, thus it is not injection.

Also alar82, don't expect help if you don't provide source in an open source community, but it does look amazeballs.

13. Originally Posted by Joopi
@klamor; it literally says in the title that it is memory reading, thus it is not injection.

Also alar82, don't expect help if you don't provide source in an open source community, but it does look amazeballs.
? Maybe he's assuming DLL injection. Java injection isn't the only type of injection.

14. I have a memory of some threads that this guy made where I tried to explain everything to him, how you memory read with Simba and how pointers work etc.
But sure, that isn't given in this thread, so it was wrong of me to berate him.

Besides, who mentioned anything about Java?
I don't understand why anyone would go through the trouble of memory reading if they have already modified the client.
Last edited by Joopi; 09-23-2017 at 12:47 PM.

15. Originally Posted by Joopi
I have a memory of some threads that this guy made where I tried to explain everything to him, how you memory read with Simba and how pointers work etc.
But sure, that isn't given in this thread, so it was wrong of me to berate him.

Besides, who mentioned anything about Java?
I don't understand why anyone would go through the trouble of memory reading if they have already modified the client.
You said memory reading, thus it is not injection (I assumed you were thinking about Java because you said this). You can have memory reading with injection. Also, mention or quote so I can reply faster.

Also, it's pretty impossible to raw memory-read a JVM. (I'm assuming that's what you mean by modified client.)
Last edited by Kasi; 09-23-2017 at 02:02 PM.

16. SRL Junior Member
It uses an AOB scan to locate resources, then just reads them. It shouldn't be any more detectable than screen color readers, as nothing is modified or injected into the NXT client. No write rights to the application are ever requested/changed. Detectability is zero, as I botted a lot during Double XP. The only way for Jagex to catch it is by looking through running processes and tagging suspicious ones, like WoW's Warden anticheat or PunkBuster. Jagex doesn't have anything like that :I

17. This is frikkin NXT, there's no JVM @Kasi;
And by modified client I mean the client is modified, has injected code in it (and since it's NXT, it is at least currently fairly easy to rely solely on memory reading). Still nothing to do with Java since this is NXT.
Last edited by Joopi; 09-23-2017 at 03:03 PM.

18. Originally Posted by alar82
doesn't have anything like that :I
Not yet at least. Soon they'll start whisking around the memory locations just like the JVM on Java-based clients does, and then it'll be hectic. And sure, they can start detecting it with a VAC-like approach where they hook all the VirtualQueryEx stuff (yes, I don't know the specifics) and just record every process that requests stuff from it.

19. SRL Member
Originally Posted by Joopi
@klamor; it literally says in the title that it is memory reading, thus it is not injection.

Also alar82, don't expect help if you don't provide source in an open source community, but it does look amazeballs.
Sorry, I'm a noob. I thought memory reading was injection... still learning :P

20. Originally Posted by alar82
It uses an AOB scan to locate resources, then just reads them. It shouldn't be any more detectable than screen color readers, as nothing is modified or injected into the NXT client. No write rights to the application are ever requested/changed. Detectability is zero, as I botted a lot during Double XP. The only way for Jagex to catch it is by looking through running processes and tagging suspicious ones, like WoW's Warden anticheat or PunkBuster. Jagex doesn't have anything like that :I

Just so ppl understand, AOB scan = Array of Bytes scan, and he is using ReadProcessMemory or ptrace for that.
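The scan-then-read technique the OP describes in post 16 (and that post 20 spells out as an AOB scan over bytes obtained with ReadProcessMemory or ptrace), as an added example in Python. It is not the MemReading plugin's code and not anything posted in the thread. It runs on a constructed byte buffer that stands in for one memory region already copied out of the target, so it needs no live process; REGION_BASE, the signature and every byte in the region are invented for illustration. It also shows the step behind the OP's remark in post 5 that the inventory is recreated in a different spot after logout: instead of hunting for the object itself, sign the instruction that references it, resolve that instruction's RIP-relative operand to the static pointer slot, and follow the slot each time.

```python
"""Wildcard AOB (array-of-bytes) scan plus x86-64 RIP-relative operand resolution.

Added example; it is not the MemReading plugin's code and not anything posted in
the thread. It runs on a constructed byte buffer that stands in for one memory
region already copied out of the target with ReadProcessMemory (Windows) or
ptrace / /proc/<pid>/mem (Linux), so it needs no live process. REGION_BASE, the
signature and every byte in the region are invented for illustration.
"""
from typing import List, Optional, Tuple

Pattern = List[Optional[int]]      # None = wildcard byte

# Hypothetical base address of the region as it sat in the client.
REGION_BASE = 0x7FF6_4000_0000

# Hypothetical Cheat Engine style signature: mov rax,[rip+disp32] ; test rax,rax.
# The four displacement bytes are wildcarded because they shift with every build.
PATTERN_TEXT = "48 8B 05 ?? ?? ?? ?? 48 85 C0"


def parse_pattern(text: str) -> Pattern:
    """'48 8B 05 ?? ..' -> [0x48, 0x8B, 0x05, None, ..]"""
    return [None if tok in ("??", "?") else int(tok, 16) for tok in text.split()]


def aob_scan(buf: bytes, pattern: Pattern) -> List[int]:
    """Every offset in buf where the pattern matches. Plain O(n*m) search, fine
    for the few MB of a module's .text; the expensive part in practice is
    re-reading every region of the process, so cache hits per client PID."""
    m = len(pattern)
    hits: List[int] = []
    for i in range(len(buf) - m + 1):
        if all(want is None or buf[i + j] == want for j, want in enumerate(pattern)):
            hits.append(i)
    return hits


def resolve_rip_relative(buf: bytes, base: int, instr_off: int,
                         disp_off: int, instr_len: int) -> int:
    """x86-64 RIP-relative operand: target = address of the NEXT instruction + disp32.
    disp_off is where the signed 32-bit displacement sits inside the instruction."""
    lo = instr_off + disp_off
    disp = int.from_bytes(buf[lo:lo + 4], "little", signed=True)
    return base + instr_off + instr_len + disp


def find_static_slot(buf: bytes, base: int, pattern_text: str) -> int:
    """Scan for the signature and return the absolute address the matched mov
    reads from. A signature that matches more than once is not a signature."""
    hits = aob_scan(buf, parse_pattern(pattern_text))
    if len(hits) != 1:
        raise LookupError(f"signature matched {len(hits)} times, expected exactly 1")
    # 48 8B 05 <disp32>: displacement at byte 3, instruction 7 bytes long
    return resolve_rip_relative(buf, base, hits[0], disp_off=3, instr_len=7)


def read_qword(buf: bytes, base: int, addr: int) -> int:
    """Little-endian 64-bit read at absolute address addr, bounds-checked."""
    off = addr - base
    if not 0 <= off <= len(buf) - 8:
        raise ValueError(f"address {addr:#x} is outside the region")
    return int.from_bytes(buf[off:off + 8], "little")


def build_sample_region() -> Tuple[int, bytes]:
    """Constructed region: the signature at 0x40, a decoy 'mov rcx,[rip+0]' at
    0x80 that must not match, the static pointer slot at 0x2000, and at 0x3000
    the object it currently points to (the part that moves on every login)."""
    region = bytearray(0x3100)
    slot_addr = REGION_BASE + 0x2000
    obj_addr = REGION_BASE + 0x3000
    instr_off, instr_len = 0x40, 7
    disp = slot_addr - (REGION_BASE + instr_off + instr_len)
    region[instr_off:instr_off + 10] = (bytes.fromhex("488B05")
                                        + disp.to_bytes(4, "little", signed=True)
                                        + bytes.fromhex("4885C0"))
    region[0x80:0x8A] = bytes.fromhex("488B0D") + b"\x00" * 4 + bytes.fromhex("4885C0")
    region[0x2000:0x2008] = obj_addr.to_bytes(8, "little")
    region[0x3000:0x3004] = (28).to_bytes(4, "little")   # made-up 32-bit field, e.g. an item count
    return REGION_BASE, bytes(region)


def demo() -> Tuple[int, int, int]:
    """signature -> static slot -> live object -> field: the order you repeat
    after every relaunch instead of hard-coding an address."""
    base, buf = build_sample_region()
    slot = find_static_slot(buf, base, PATTERN_TEXT)
    obj = read_qword(buf, base, slot)
    field = int.from_bytes(buf[obj - base:obj - base + 4], "little")
    return slot, obj, field


if __name__ == "__main__":
    s, o, f = demo()
    print(f"static slot {s:#x} -> object {o:#x} -> field value {f}")
```

The only thing that changes between runs is the object address stored in the slot, which is why the scan targets code (the mov) rather than data: the bytes of the instruction survive a relaunch, the heap address of the inventory does not. Refusing a signature that matches more than once is the check that saves you from quietly reading the wrong slot after a client update.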

21. Originally Posted by Joopi
This is frikkin NXT there's no JVM @Kasi;
I know, but why did you say this though...

Originally Posted by Joopi
@klamor; it literally says in the title that it is Memory reading, thus it is not injection.
You can use injection and memory reading together though. You said it as if using one means it's not using the other. I assumed you meant Java because of this. Sorry if I judged you by your scrubby SRL Jr Mem status.

Originally Posted by Joopi
I dont understand why anyone would go through the troubles of memory reading if they have already modified the client
A lot of people do this. They inject and memory-map DLLs and manually construct the headers/imports so that it doesn't show up in the PEB (also look into reflective DLL injection). Way easier to hide a DLL than to hide a process. Some games don't even allow you to run some programs like Cheat Engine whilst you're playing them (VAC).

Originally Posted by Joopi
Not yet at least. Soon they'll start whisking around the memory locations just like the JVM on Java based clients does, and then it'll be hectic. And sure they can start detecting it with a VAC-like approach where they hook all the virtualQueryEx stuff (yes i dont know the specifics) and just record every process that request stuff from it.
Huh, how do they hook VirtualQueryEx when he's operating in a different address space (not injecting)? Without injecting and hooking VirtualQueryEx in every single process, it's impossible. VirtualQueryEx exists in kernel32 and is loaded by every process. Each process has its own VirtualQueryEx. Hooking your own VirtualQueryEx has 0 effect on code executing in a different process / memory space since they don't call the one you hooked.

Also do you normally casually double-post?
Last edited by Kasi; 09-23-2017 at 10:16 PM.

22. Originally Posted by Kasi
I know, but why did you say this though...
Originally Posted by Kasi
Also, it's pretty impossible to raw memory-read a JVM. (I'm assuming that's what you mean by modified client)

But that's irrelevant so anyhoo.

Originally Posted by Kasi
Sorry if i judged you by your scrubby SRL Jr Mem status.
Just like you judged me based off my forum status, I judged Klamor based on his word choice, "How detectable...": either it is, or it is not detectable, not really any middle ground. So what it really came down to is Klamor being lazy or simply not understanding how OP was doing this, and asking a typical question (How detectable is X) which just triggers many folks. You, in your white-knight endeavours, start getting technical and making fairly ambiguous statements, not even knowing what game this is about, when all it really is about is OP's unambiguous concept and putting it to the test.

So before you go all "don't unfold in a thread that you don't even remotely know the technical details about", what it really is about is 2 foreign concepts that could be intertwined, but in this case aren't, because this is pleb stuff, attracting pleb people, asking plebby questions.

Originally Posted by Kasi
Huh, how do they hook VirtualQueryEx...
As I said, I don't know the specifics, but what I meant was that OP shouldn't be naive enough to think that this will work for the rest of his days. Again, no point in splitting semantic hairs when the original question was as simple and uninformed as the next person's.

Originally Posted by Kasi
Also do you normally casually double-post?
Only sometimes
Last edited by Joopi; 09-24-2017 at 09:25 AM.

23. @Joopi;

Not sure what you mean by "contradicts". Don't understand the context you used it in.

You said that it is not injection because it is memory scanning, which is straight up incorrect; you CAN use them both together. My thought process was what other type of injection you could possibly be thinking of (this is the reason I brought up Java injection: a pretty valid assumption regardless of the game, and especially valid since you seem to think injection and memory scanning shouldn't go hand in hand). If you read the brackets, I even said "(I'm assuming that's what you mean by modified client)". Try reading posts in chronological order. In future: memory scanning and injection can go hand in hand, and generally DO go hand in hand, but as OP said, he has no need to ATM.

Wasn't really a judgement on your forum status, just a joke that you clearly overshot and misunderstood. What I am actually doing is pointing out some invalid information on a public forum; fair play if you wanna call it white knighting, I won't stop you, just one more incorrect thing you do.

I very much doubt this is "plebby". Personally, I prefer people asking questions that they don't know the answer to over people answering questions that they don't know the answer to.

Sure, the poster of the original question was misinformed. But so are you, so don't answer questions you don't know the answer to or aren't informed well enough in.

tldr; I made an incorrect assumption in order to understand what the fuck you were talking about. You were straight up wrong and spent a couple of posts deflecting.

Anyhow, this will be my last post on this matter. I think it's been stretched far enough for "it is Memory reading, thus it is not injection.". Feel free to post some more incorrect shit that I might/might not post on.
Last edited by Kasi; 09-24-2017 at 11:15 AM.

24. @Kasi;
Again. The question was pretty simple and straightforward; he was misinformed and I pointed him in the right direction. Despite the answer being misinformative, just like a lot of things you said, it got the point across and corrected him. Everything else is a cope and semantic hair splitting. I understand now that people use different approaches for cheating and combine them, but given the circumstances this was not the case, which I was aware of.

But just to make it clear, the problem wasn't with the person asking the question, it was that he didn't even know what the topic was to begin with.

Originally Posted by Kasi
especially valid assumption since you seem to think injection and memory scanning shouldn't go hand in hand)
If we'd talk about Java-based bots, where injection and reflection (compare memory scanning) are used, I would not think this. But since it is NXT I do think that they shouldn't go hand in hand. So a lot of the stuff that you say is based on a false assumption that you further motivate by that false assumption itself.
Last edited by Joopi; 09-24-2017 at 12:12 PM.

25. @Joopi; Solid deflecting. Not really sure how to get through to you. I know I said I wouldn't reply but you came up with some more stupid shit; I was just gonna PM but meh:

Firstly, he didn't know what the topic was to begin with, true. But you didn't help by telling him some incorrect info. He probably thinks that memory scanning and injection shouldn't be used together now. Nice one. Whatever, I'll drop that now...

Mainly, why do you think injection shouldn't be coupled with memory scanning? I know it's not needed but it adds a lot of benefits whilst reading memory, i.e. not having to call ReadProcessMemory. Any rookie knows the overheads but I'll explain some just to appease you. You have to copy massive arrays/data unnecessarily. You can't do pointer math efficiently because of the overhead of ReadProcessMemory/VirtualQuery. Finally, the biggest point: all this shit is done cross-process so it's slow as fuck.

You wanna access a single model? That's probably 6 different arrays (3 vert, 3 ind). You pass a pointer and a size to ReadProcessMemory, and it'll copy the entire array back into your address space, taking up 2x the data: a copy remotely, and one locally. You do this 6 times. Guess what? Works the same for every other struct. You have to make a copy of the entire block of data. You can do whatever math you want AFTER you've copied the entire data structure/array. Not to mention all this is paged. Let's just say you're stupid enough to still think injection is worthless with NXT. Please tell me why it is worthless? NXT doesn't detect injection AFAIK so go ahead, entertain me.