Thread: Reversing Oldschool With C++ to Create Bot

  1. #1

    Reversing Oldschool With C++ to Create Bot

    I've been playing with the idea of creating a RuneScape bot from scratch using C++.
    I know Java would be more efficient, but I'm thinking that, given the fact that there are no C++ bots, maybe it would be less detectable if kept private.

    I'm posting this here because I figured someone here may be interested, or can offer input.

    The method:
    Because it is almost impossible to rely on pointers when reversing Java, I've resorted to creating byte signatures to find locations in memory. After reading the values needed, I would react accordingly by sending input to the game.

    So far I've created a reliable way of finding the player's inventory items.
    I created a DirectX overlay to show item IDs for a debug or introduction to this project.

    With that said, has anyone had any experience trying to do this kind of thing?
    Anything I should watch out for, or better methods for finding memory locations?

    *Update*
    I've now retrieved player position. This one was a bit harder.
    The tile position is stored for a few milliseconds in the same address as some other garbage.
    I had to check if a relative value is a specific number to know if the address currently had the actual tile, or the trash.

    The video below has a demonstration of inventory and position data on a DirectX overlay.
    The position data doesn't update very fast, but it will work for now.
    Last edited by Aspect; 12-06-2019 at 09:04 AM.

  2. #2


    It's been a while since I did anything memory scanning related, but this looks super interesting! Can you find the base for these pointers, or whatever contains that in turn? I mean, can you essentially reconstruct the structure by backtracking with the addresses you've found, or do you need to separately scan for every different "object"?
    Feel free to ask me any questions, I will do my best to answer them!

    Previously known as YouPee.

  3. #3


    There are fully fledged private C++ bots and have been for years. Mine might be public soon.

    https://i.imgur.com/ENC8pqJ.gifv
    Last edited by Kasi; 12-05-2019 at 03:17 AM.

  4. #4


    I haven't done a whole lot of backtracking, because the memory itself is always changing so quickly that I usually only have time to build a signature. It would be a lot easier to do this, but so far I've just been finding every piece individually. My program is also external, so that limits how much internal stuff I can do. If I could keep the memory stable long enough, I could reverse some of the objects and rebuild them by creating sigs to the object pointers themselves, but so far I haven't been able to achieve this.

  5. #5


    Interesting. Thanks for sharing :-).

    Have you measured how long it takes to find the memory location for the inventory items?

    As long as it isn't much more than 50-100ms, I can see this being a viable way of botting.

    Also, do you know if the location for an inventory item is fixed? Say you load the client and find the location of the first inventory item. Does that location stay the same throughout the session, or will it change? How about other fields?

  6. #6


    It's around 500 ms for me to find the location of the inventory, but once you have the address it seems to stay valid until a logout.

    I've got player position now.

    I've gotten the inventory by finding a string of bytes that is static and always a fixed relative offset away from the inventory.

    If you open Cheat Engine and log in, for example, you can search for
    00 00 00 00 ?? 00 00 00 48 07 ?? ?? 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? 00 00 00 48 07 ?? ?? 14 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    as an array of bytes.

    You should find one address, which is always "0x90" ahead of the first inventory slot. So I scan for this in C++, subtract the offset and loop through the inventory on a separate thread to fill the values.

    I have one for player position, now I just need to find world objects, and write a function that converts world location to screen location.
    After that, I have everything I need for a basic bot, and can add on from there.
    The cool thing about this method is that it should last through most updates, because it's based on sigs instead of pointers.

    I will add that I've been doing all of this on the 32-bit version of RuneLite.
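The wildcard "array of bytes" scan described above (a Cheat Engine style pattern with `??` wildcards, then a fixed offset subtracted from the hit), as an added C++ example that is not the poster's code: it runs over a constructed in-memory buffer rather than a process, and the anchor bytes and the 0x10 offset are constructed stand-ins for the real ones. The same matcher is what memory-forensics and anti-cheat tools use to locate a known byte sequence in a dump.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iterator>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// One pattern byte: a concrete value, or a wildcard written as "??" / "?".
struct PatternByte { uint8_t value; bool wildcard; };

// Parse a Cheat Engine style "array of bytes" string, e.g. "48 07 ?? ?? 14".
std::vector<PatternByte> parsePattern(const std::string& text) {
    std::vector<PatternByte> out;
    std::istringstream in(text);
    std::string tok;
    while (in >> tok) {
        if (tok == "??" || tok == "?") out.push_back({0, true});
        else out.push_back({static_cast<uint8_t>(std::stoul(tok, nullptr, 16)), false});
    }
    return out;
}

// Offset of the first match of `pat` in `buf`; wildcards match any byte.
std::optional<size_t> findPattern(const std::vector<uint8_t>& buf,
                                  const std::vector<PatternByte>& pat) {
    if (pat.empty() || pat.size() > buf.size()) return std::nullopt;
    for (size_t i = 0; i + pat.size() <= buf.size(); ++i) {
        size_t j = 0;
        while (j < pat.size() && (pat[j].wildcard || buf[i + j] == pat[j].value)) ++j;
        if (j == pat.size()) return i;
    }
    return std::nullopt;
}

// Constructed sample (not a memory dump): zeros, with the anchor bytes at 40.
// As in the post, the data of interest sits a fixed distance BEFORE the hit,
// so the offset is subtracted. 0x10 is a stand-in for the post's 0x90.
// Returns the resolved offset, or -1 when the anchor is absent or too early.
long resolveExample() {
    std::vector<uint8_t> buf(64, 0x00);
    const uint8_t anchor[] = {0x48, 0x07, 0xAB, 0xCD, 0x14};
    std::copy(std::begin(anchor), std::end(anchor), buf.begin() + 40);
    const size_t kOffset = 0x10;
    auto hit = findPattern(buf, parsePattern("48 07 ?? ?? 14 00 00 00"));
    if (!hit || *hit < kOffset) return -1;     // guard against wrapping below 0
    return static_cast<long>(*hit - kOffset);   // 40 - 16 = 24
}
```

A short pattern in a large region will hit by accident, which is why the surrounding `00` padding in the post's signature is part of the match and not noise.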

  7. #7


    Even with just player position, I can now find the compass angle and use that information to throw into a function that uses that data to translate coords into the minimap. I can then in turn use that data to have a reliable way of navigating the game world to different tiles, assuming I have a path to my next location.

  8. #8


    Very cool. It would be interesting if you further tested whether the location of the player changes if you log in and out, or if it changes when you close and open the client. Either way, it would be OK to spend a few hundred ms to find the initial location, and then query that location afterwards very fast (how many ms are we talking about here?). What do you mean by "I had to check if a relative value is a specific number to know if the address currently had the actual tile, or the trash."? But if I understand correctly, then you demonstrate that you don't actually have to worry about the multipliers etc., as at some point the client must calculate the actual value you get by multiplying the "obfuscated" value with the multiplier, and that is the number that you find occasionally in the location.

  9. #9


    The current signature I'm using only needs to be scanned for once and persists on logout. I don't have to worry about multipliers because I have found a section in memory where the position is either in the process of getting obfuscated or deobfuscated. This is why the entire section is so volatile. Before finding other values, I'm going to look into reversing the obfuscation itself using the function I've found here. I'm having a hard time setting breakpoints without a crash, so it's difficult to debug and reverse it.
    Last edited by Aspect; 12-06-2019 at 06:48 PM.
