
Thread: Memory reading.

  1. #1 (Join Date: Jul 2009, Posts: 166)

    Memory reading.

    I have always wanted to read values directly from the RS client, so I started to build a plugin for Simba to do that. After a month of trying to understand concepts of programming and stealing code snippets from the internet, it's ready! Thanks to everyone on the forums who helped.

    Join our discord: https://discord.gg/ywSDHbXmF5

    To use it:
    1) You need the RS3 NXT client.
    2) Simba 64-bit build. Old: https://github.com/MerlijnWajer/Simb.../autobuild-421.
    3) Plugin in the plugins folder. https://github.com/pp9999/MemReading/releases/tag/0.1

    4) Install mouse interception. Run the .bat file as admin. It should report success in the console window: command.7z
    It should take a couple of minutes to display the debug window if a script is run.
    Check Simba's console for progress.
    Move the mouse manually to start mouse and keyboard interception.
    RS client and Simba must be at the same scaling level.
    How to do it:

    Try system or application, whichever works for you.
    There is also a small tutorial here: https://villavu.com/forum/showthread.php?t=177695

    SRL Resource Library discord, ask stupid questions there.
    Uploaded code onto GitHub as private.
    Want to fix it? Ask for an invite on
    discord: test8888#6298

    How to use the script:
    Simba Code:
    program Test;
    {$loadlib MemoryError}

    begin
      wait(199);
      // graphical debug on, name found by AOB scan, -1 = pick the client from a list, 0 = Interception driver
      SetupRSReading(True, " ", -1, 0);

      repeat
        wait(100 + random(1099));
        Writeln('Coordinates: ', GetPCoords());
        Writeln('Floor: ', GetPFloorLv());
      until (false);
    end.

    Some description of the functions
    Code:
    SetupRSReading(True," ",-1,0);
    Starts the plugin. Parameters: the first is for starting the graphical debug. The second is the player name; it uses AOB to find it after all. The third is the PID:
    if it is 0, it goes by the first found.
    If it is a number, it tries to find the client with this PID.
    If it is -1, it opens up a list.
    The 4th option is the mouse control method to be used:
    0 is the Interception driver.
    1 is standard Windows mouse commands; they should be fine to use on remote desktop: https://villavu.com/forum/showthread.php?t=118173
    2 doesn't bother with mouse emulation at all; it sends commands directly to the client. Should be fine for throwaway accounts.

    Code:
    GetPCoords();
    Returns the RS local player coordinates as a TPoint.

    Code:
    GetPFloorLv();
    Returns the RS local player's ground-plane level: ground 0, first floor 1 and so on.

    In source:
    Code:
    BOOLEAN FindNPCs1(int* id, int size, int dist, int accuracy, int lifepoint, WPOINT tilespot, int dist2, int action, SimbaString sidetext)
    Code:
    FindNPCs1([41],1,10,0,0,[0,0],0,0,'Attack');
    For attacking/clicking NPCs.
    [41] = NPC IDs go there.
    1 = amount of NPC IDs in the box of [].
    10 = how far to look for NPCs in tiles. A range, sort of.
    0 = generate random inaccuracy in pixels. For maximum accuracy leave at 0.
    0 = NPC lifepoints. Can be left at 0.
    [0,0] = an anchor of sorts. Can be 0.
    0 = distance in tiles for how far the function should look from the anchor. This part is to stop the player clicking too far from the anchor and getting lured away.
    0 = clicking method. 0 left click, 1 right click, 2 move to NPC, 3 do nothing.
    'Attack' = the RS3 sidetext thing; works surprisingly well. Don't leave it empty!

    More functions: Use
    Code:
    if (not CheckPAnim(120)) then begin /code/ end;
    to check if the player is animating. The number there is how many times to check, at 25 milliseconds each. Some animations have huge gaps between them.

    Use
    Code:
    if (InveFull()) then begin /code/ end;
    to check if the inventory is full or not.

    Use
    Code:
    if (InveItemcount(item1)<3) then begin /code/ end;
    to count items in the inventory; item1 is the ID.

    Use
    Code:
    if (InveFreecount()<9) then begin /code/ end;
    to check how many spots are free.

    Use
    Code:
    ClickInv(item1,0);
    to click an item in the inventory. Warning: there is no check that the inventory is actually open, so some fail-safes should be added.

    To click a decor object, the same stuff as for NPCs goes in:
    Code:
    FindDobj([99],1,16,[0,0],[0,0],False,0,'Deposit');
    There are also special cases where the object does not disappear but changes; made some functions to check certain booleans.
    Code:
    FindDobjA1([99],1,16,[0,0],[0,0],False,0,'Excavate');
    Code:
    FindDobjA2([99],1,16,[0,0],[0,0],False,0,'Excavate');
    Mainly using them for archaeology resource caches.

    To click active objects (portables and such):
    Code:
    FindAobj([99],1,16,[0,0],[0,0],False,0,'Excavate');
    Checks if the inventory is open; returns a bool:
    Code:
    CheckInvOpen();
    Checks if the loot window is open:
    Code:
    CheckLootW();
    Tries to open the inventory:
    Code:
    OpenInv()
    Picks text from the right-click menu:
    Code:
    SelectChooseOption('Trade');
    'player' is the name of the player we want to know about.
    Returns true if the player is interacting with another player or NPC. Works for local or other players.
    Code:
    PlayersInterActing('player');
    Gets the animation ID, either local or other.
    Code:
    GetPlayersAnimation('player');
    Loops the animation check 100 times. If it hits any kind of animation before 100, returns true. Either local or other players.
    Code:
    IsPlayersAnimating('player',100);

    There is more; check Simba's list on the side to see them all.
    Last edited by alar82; 09-25-2021 at 11:59 PM. Reason: Added disc

  2. #2 (Join Date: Mar 2007, Posts: 5,125)

    Very interesting.. nice to see some progress with getting data from the NXT client


  3. #3 (Join Date: Sep 2014, Location: C:\Simba\, Posts: 565)

    Could you provide the source for it so I can give you a few pointers (pun intended) on what you can improve? The source should be provided anyhoo, also since this is an open source community.
    Feel free to ask me any questions, I will do my best to answer them!

    Previously known as YouPee.

  4. #4 (Join Date: Dec 2011, Location: East Coast, USA, Posts: 4,231)

    Very nice. Interested in seeing the source as well -- is this plugin Windows-only, or would it be possible to build for Mac/Linux targets as well? I know the method for reading memory differs across systems.

  5. #5 (Join Date: Jul 2009, Posts: 166)

    There isn't much to share, only a few lines of code. I discovered that it is almost impossible to find any pointers. The inventory is deleted when logged out and recreated in a different spot. Obviously that command comes from somewhere, and the asm debugger in Cheat Engine shows something. But that asm thing is over my head.

    Hey guys, can you make it so that SRL compiles on the 64-bit build also?

  6. #6 (Join Date: Jul 2009, Posts: 166)

    Messed around with it:

    Low res for ancient computers:

    Object locations are not quite correct.
    The portal ID thing seems to be in almost the right spot; also those vats 80, 83, 84 are off, the rest is a total mess.

    Basically we know the player position and object position in tiles. I tried to guess how much 1 tile is in pixels; seems like around 30 pixels. So player location - object location = x (from the game screen centre), and x*30 almost got the right object location in pixels.

    Now with RS curvature. Plz help.

  7. #7 (Join Date: Sep 2014, Location: C:\Simba\, Posts: 565)

    Post source already...
    Also you will probably need to scan for things such as camera angle, rotation, zoom etc etc. Essentially recreating the W2S calculations the Reflection library uses, unless RS3 has any drastic changes.

  8. #8 (Join Date: Jul 2009, Posts: 166)

    Hi. Had a look at this w2s calculation.

    X := X - Reflect.Compass.CameraX;
    Y := Y - Reflect.Compass.CameraY;
    Z := Z - Reflect.Compass.CameraZ;
    CurveX := Reflect.Compass.GetYaw;
    CurveY := Reflect.Compass.GetPitch;

    GetYaw is degrees 0 to 360? So I'll put it to 0, max north.
    GetPitch is an angle; RSBot shows its max is 85. So 85.

    X := X - Reflect.Compass.CameraX;
    Y := Y - Reflect.Compass.CameraY;
    Z := Z - Reflect.Compass.CameraZ;
    CurveX := 0;
    CurveY := 85;

    But what are those Compass x,y? Are they in pixels? Are they the camera centre point? z?
    Edit2: It looks like the current player position? Maybe?
    Edit3: Decided to have a look myself.

    Code:
    OurTile := Reflect.Tiles.GetGlobalTile;
    writeln('Point(' + IntToStr(OurTile.x) + ',' + IntToStr(OurTile.y) + ')');
    writeln(Reflect.Compass.CameraX);
    writeln(Reflect.Compass.CameraY);
    writeln(Reflect.Compass.CameraZ);
    writeln(Reflect.Compass.GetYaw);
    writeln(Reflect.Compass.GetPitch);
    Output was on tut island:
    Point(3096,3107)
    7018
    5965
    -3023
    1942
    383
    Dunno, those numbers are crazy. Why is the compass 1942 when it maxes at 2000? Why is the pitch 383 instead of Powerbot's 83? What are those numbers x and y? They seem to change with camera turning and with player location.

    Edit4: NPCs.

    Once the NPCs array is found it takes milliseconds to read all NPCs.

    Coords might be slightly off.

  9. #9 (Join Date: Jul 2009, Posts: 166)

    Got bored and sauce is secret.

    Mining guild.

    Burth.

  10. #10 (Join Date: Jan 2012, Location: East Coast, Posts: 733)

    Quote Originally Posted by alar82 View Post
    -snip-
    This is great, but why post in an open source community if you don't want to share the code? I'd love to expand on it.

  11. #11 (Join Date: Oct 2007, Posts: 187)

    that looks amazeballs... how detectable is your method of injection? using official nxt client?

  12. #12 (Join Date: Sep 2014, Location: C:\Simba\, Posts: 565)

    @klamor; it literally says in the title that it is Memory reading, thus it is not injection.

    Also alar82 don't expect help if you don't provide source in an open source community, but it does look amazeballs.

  13. #13 (Join Date: Dec 2007, Posts: 2,112)

    Quote Originally Posted by Joopi View Post
    @klamor; it literally says in the title that it is Memory reading, thus it is not injection.

    Also alar82 don't expect help if you don't provide source in an open source community, but it does look amazeballs.
    ? maybe he's assuming dll injection. Java injection isn't the only type of injection.

  14. #14 (Join Date: Sep 2014, Location: C:\Simba\, Posts: 565)

    I have a memory of some threads that this guy made where I tried to explain everything to him about how you memory read with Simba and how pointers work etc etc.
    But sure, that isn't given in this thread, so it was wrong of me to berate him.

    Besides, who mentioned anything about Java?
    I don't understand why anyone would go through the trouble of memory reading if they have already modified the client.
    Last edited by Joopi; 09-23-2017 at 12:47 PM.

  15. #15 (Join Date: Dec 2007, Posts: 2,112)

    Quote Originally Posted by Joopi View Post
    I have a memory of some threads that this guy made where I tried to explain everything to him about how you memory read with Simba and how pointers work etc etc.
    But sure, that isn't given in this thread, so it was wrong of me to berate him.

    Besides, who mentioned anything about Java?
    I don't understand why anyone would go through the trouble of memory reading if they have already modified the client.
    You said memory reading, thus it is not injection (I assumed you were thinking about Java because you said this). You can have memory reading with injection. Also, mention or quote, so I can reply faster.

    Also, it's pretty impossible to raw memory-read a JVM. (I'm assuming that's what you mean by modified client)
    Last edited by Kasi; 09-23-2017 at 02:02 PM.

  16. #16 (Join Date: Jul 2009, Posts: 166)

    It uses an AOB scan to locate resources, then just reads them. It shouldn't be any more detectable than screen colour readers, as nothing is modified or injected into the NXT client. No write rights to the application are ever requested/changed. Detectability is zero, as I botted a lot during double XP. The only way for Jagex to catch it is by looking through running processes and tagging suspicious ones, like WoW's Warden anticheat or PunkBuster. Jagex doesn't have anything like that :I

  17. #17 (Join Date: Sep 2014, Location: C:\Simba\, Posts: 565)

    This is frikkin NXT, there's no JVM @Kasi;
    And by modified client I mean the client is modified, has injected code in it (and since it's NXT, it is at least currently fairly easy to rely solely on memory reading). Still nothing to do with Java since this is NXT.
    Last edited by Joopi; 09-23-2017 at 03:03 PM.

  18. #18 (Join Date: Sep 2014, Location: C:\Simba\, Posts: 565)

    Quote Originally Posted by alar82 View Post
    doesn't have anything like that :I
    Not yet at least. Soon they'll start whisking around the memory locations just like the JVM on Java-based clients does, and then it'll be hectic. And sure, they can start detecting it with a VAC-like approach where they hook all the VirtualQueryEx stuff (yes, I don't know the specifics) and just record every process that requests stuff from it.

  19. #19 (Join Date: Oct 2007, Posts: 187)

    Quote Originally Posted by Joopi View Post
    @klamor; it literally says in the title that it is Memory reading, thus it is not injection.

    Also alar82 don't expect help if you don't provide source in an open source community, but it does look amazeballs.
    Sorry, I'm a noob. I thought memory reading was injection... still learning :P

  20. #20 (Join Date: Feb 2011, Location: The Future., Posts: 5,600)

    Quote Originally Posted by alar82 View Post
    It uses an AOB scan to locate resources, then just reads them. It shouldn't be any more detectable than screen colour readers, as nothing is modified or injected into the NXT client. No write rights to the application are ever requested/changed. Detectability is zero, as I botted a lot during double XP. The only way for Jagex to catch it is by looking through running processes and tagging suspicious ones, like WoW's Warden anticheat or PunkBuster. Jagex doesn't have anything like that :I

    Just so ppl understand, AOB Scan = Array of Bytes scan, and he is using ReadProcessMemory or ptrace for that.

  21. #21 (Join Date: Dec 2007, Posts: 2,112)

    Quote Originally Posted by Joopi View Post
    This is frikkin NXT there's no JVM @Kasi;
    I know, but why did you say this though...

    Quote Originally Posted by Joopi View Post
    @klamor; it literally says in the title that it is Memory reading, thus it is not injection.
    You can use injection and memory reading together though. You said it as if using one means it's not using the other. I assumed you meant Java because of this. Sorry if I judged you by your scrubby SRL Jr Mem status.

    Quote Originally Posted by Joopi View Post
    I dont understand why anyone would go through the troubles of memory reading if they have already modified the client
    A LOT of people do this. They inject and memory-map DLLs and manually construct the headers/imports so that it doesn't show up in the PEB (also look into reflective DLL injection). Way easier to hide a DLL than to hide a process. Some games don't even allow you to run some programs like Cheat Engine whilst you're playing them (VAC).

    Quote Originally Posted by Joopi View Post
    Not yet at least. Soon they'll start whisking around the memory locations just like the JVM on Java-based clients does, and then it'll be hectic. And sure, they can start detecting it with a VAC-like approach where they hook all the VirtualQueryEx stuff (yes, I don't know the specifics) and just record every process that requests stuff from it.
    Huh, how do they hook VirtualQueryEx when he's operating in a different address space (not injecting)? Without injecting and hooking VirtualQueryEx in every single process, it's impossible. VirtualQueryEx exists in kernel32 and is loaded by every process. Each process has its own VirtualQueryEx. Hooking your own VirtualQueryEx has 0 effect on code executing in a different process / memory space, since they don't call the one you hooked.

    Also do you normally casually double-post?
    Last edited by Kasi; 09-23-2017 at 10:16 PM.

  22. #22 (Join Date: Sep 2014, Location: C:\Simba\, Posts: 565)

    Quote Originally Posted by Kasi View Post
    I know, but why did you say this though...
    Contradicts
    Quote Originally Posted by Kasi View Post
    Also, it's pretty impossible to raw memory-read a JVM. (I'm assuming that's what you mean by modified client)

    But that's irrelevant so anyhoo.

    Quote Originally Posted by Kasi View Post
    Sorry if i judged you by your scrubby SRL Jr Mem status.
    Just like you judged me based off my forum status, I judged Klamor based on his word choice, "How detectable...": either it is, or it is not detectable, not really any middle ground. So what it really came down to is Klamor being lazy or simply not understanding how OP was doing this, and asking a typical question (How detectable is X) which just triggers many folks. You, in your white-knight endeavours, start getting technical and making fairly ambiguous statements without even knowing what game this is about, when all it really is about is OP's unambiguous concept and putting it to the test.

    So before you go all "don't unfold in a thread that you don't even remotely know the technical details about", what it really is about is 2 foreign concepts that could be intertwined, but in this case aren't because this is pleb stuff, attracting pleb people, asking plebby questions.

    Quote Originally Posted by Kasi View Post
    Huh, how do they hook VirtualQueryEx...
    As I said I don't know the specifics, but what I meant was that OP shouldn't be naive to think that this will work for the rest of his days. Again, no point in splitting semantic hairs when the original question was as simple and uninformed as the next person.

    Quote Originally Posted by Kasi View Post
    Also do you normally casually double-post?
    Only sometimes
    Last edited by Joopi; 09-24-2017 at 09:25 AM.

  23. #23 (Join Date: Dec 2007, Posts: 2,112)

    @Joopi;

    Not sure what you mean by "Contradicts". Don't understand the context you used it in.

    You said that it is not injection because it is memory scanning, which is straight up incorrect: you CAN use them both together. My thought process was, what other type of injection could you possibly be thinking of (this is the reason I brought up Java injection; a pretty valid assumption regardless of the game, and an especially valid assumption since you seem to think injection and memory scanning shouldn't go hand in hand). If you read the brackets, I even said (I'm assuming that's what you mean by modified client). Try reading posts in chronological order. In future: memory scanning and injection can go hand in hand, and generally DO go hand in hand, but as OP said, he has no need to ATM.

    Wasn't really a judgement on your forum status, just a joke that you clearly overshot and misunderstood. What I am actually doing is pointing out some invalid information on a public forum; fair play if you wanna call it white knighting, I won't stop you, just one more incorrect thing you do.

    I very much doubt this is "plebby". Personally, I prefer people asking questions that they don't know the answer to, over people answering questions to which they don't know the answer.

    Sure, the poster of the original question was misinformed. But so are you, so don't answer questions you don't know the answer to or aren't informed well enough in.

    tl;dr: I made an incorrect assumption in order to understand what the fuck you were talking about. You were straight up wrong and spent a couple of posts deflecting.

    Anyhow, this will be my last post on this matter. I think it's been stretched far enough for "it is Memory reading, thus it is not injection.". Feel free to post some more incorrect shit that I might/might not post on.
    Last edited by Kasi; 09-24-2017 at 11:15 AM.

  24. #24 (Join Date: Sep 2014, Location: C:\Simba\, Posts: 565)

    @Kasi;
    Again, the question was pretty simple and straightforward; he was misinformed and I pointed him in the right direction. Despite the answer being misinformative, just like a lot of things you said, it got the point across and corrected him. Everything else is cope and semantic hair splitting. I understand now that people use different approaches for cheating and combine them, but given the circumstances this was not the case, which I was aware of.

    But just to make it clear, the problem wasn't with the person asking the question; it was that he didn't even know what the topic was to begin with.

    Quote Originally Posted by Kasi View Post
    especially valid assumption since you seem to think injection and memory scanning shouldn't go hand in hand)
    If we'd talk about Java-based bots, where injection and reflection (compare memory scanning) are used, I would not think this. But since it is NXT, I do think that they shouldn't go hand in hand. So a lot of the stuff that you say is based on a false assumption that you further motivate by that false assumption itself.
    Last edited by Joopi; 09-24-2017 at 12:12 PM.

  25. #25 (Join Date: Dec 2007, Posts: 2,112)

    @Joopi; Solid deflecting. Not really sure how to get through to you. I know I said I wouldn't reply but you came up with some more stupid shit; I was just gonna PM but meh:

    Firstly, he didn't know what the topic was to begin with, true. But you didn't help by telling him some incorrect info. He probably thinks that memory scanning and injection shouldn't be used together now. Nice one. Whatever, I'll drop that now...

    Mainly, why do you think injection shouldn't be coupled with memory scanning? I know it's not needed but it adds a lot of benefits whilst reading memory, i.e. not having to call ReadProcessMemory. Any rookie knows the overheads but I'll explain some just to appease you. You have to copy massive arrays/data unnecessarily; you can't do pointer math efficiently because of the overhead of ReadProcessMemory/VirtualQuery. Finally, the biggest point: all this shit is done cross-process so it's slow as fuck.

    You wanna access a single model? That's probably 6 different arrays (3 vert, 3 ind). You pass a pointer and a size to ReadProcessMemory; it'll copy the entire array back into your address space, taking up 2x the data: a copy remotely, and one locally. You do this 6 times. Guess what? Works the same for every other struct. You have to make a copy of the entire block of data. You can do whatever math you want AFTER you've copied the entire data structure/array. Not to mention all this is paged. Let's just say you're stupid enough to still think injection is worthless with NXT. Please tell me why it is worthless? NXT doesn't detect injection AFAIK, so go ahead, entertain me.
