Forsaken World - Working on Bot

MiesterMan
Posts: 543
Joined: Tue Jul 06, 2010 9:15 pm
Location: Between the Second and Third Circles of Hell

Forsaken World - Working on Bot

#1 Post by MiesterMan » Mon Aug 08, 2011 2:03 am

So I started playing FW and I rather like the ease, but it could be easier! As it is a free-to-play MMO, in order to get spendable money (for the item shop) I need to farm desired goods and sell them to players who have acquired the in-game cash.

Thus the need for a bot. As micromacro has all the tools I need and then some to get started I'm sticking with it.

Forsaken World has many issues that need to be worked around. I'm trying to get something together to make a proper solution, but for now I'll just give what I manage to work out piece by piece.

Firstly, Forsaken World comes with a rather annoying anti-attach-debugger feature. In order to do write or access scans with a debugger, or to even use Olly, you need to get around this feature, and I found a way, although crude, by scouring the internet. This is from a post on nez-lab by KPNC (I have no idea who this is, but he gave me the instructions I needed to figure out why it wasn't working for me):
02/14/2009 07:37 pm by kpnc

the problem of anti-anti-attaching came up in conversation on the legendary wasm.ru site. Clerk (a very clever guy carrying a heavy plasma gun, loaded with rounds of brilliant ideas) as always offered a very elegant, yet bizarre solution (ru). I wonder what kind of Rasta stuff makes him so creative! well, enough expatiating, back to business.

previous posts demonstrate numerous anti-attach tricks, and most of them are based on the system thread created by the OS during attaching. here they are (the tricks): BaseThreadStartThunk => NO_ACCESS, NtRequestWaitReplyPort, DbgBreakPoint

the question is: how to ask the OS not to create the system thread? to do it we should know OS internals. IDA-Pro/Soft-Ice shows us that KERNEL32!DebugActiveProcess comes to NTDLL!DbgUiDebugActiveProcess, which calls NTDLL!ZwDebugActiveProcess / NTDLL!DbgUiIssueRemoteBreakin | NTDLL!DbgUiStopDebugging (just disassemble NTDLL!DbgUiDebugActiveProcess to see it with your own eyes).

the point is: NTDLL!ZwDebugActiveProcess does all the job of attaching a debugger to the process. as soon as NTDLL!ZwDebugActiveProcess returns status ok, the process has been attached and can be debugged. but! the operating system calls NTDLL!DbgUiIssueRemoteBreakin just to notify the debugger by generating a breakpoint exception; however, we don't need it!!!

so, what are we going to do? I prefer to use old soft-ice with global breakpoints support. just set a HW or software breakpoint on NTDLL!DbgUiDebugActiveProcess or NTDLL!ZwDebugActiveProcess and skip the rest of the function. it's easy, but soft-ice does not work with the newest operating systems.

Clerk found a way to do this with Olly. the idea is: load Olly into Olly. yeah! right!

1) load Olly into Olly /* to avoid a mess lets call the first Olly (I) and the loaded copy - Olly (II) */;
2) Olly (I): Set breakpoint on NTDLL!DbgUiDebugActiveProcess: View\Executable Modules\NTDLL.DLL, CTRL-N, “DbgUiDebugActiveProcess”, F2, ENTER;
3) Olly (I): run Olly (II): press F9 several times until "paused" in the right corner is replaced by "running", meaning that Olly (II) is still under debugging but it's running now;
4) ALT-TAB to switch to Olly (II);
5) Olly (II): File\Attach\name_of_the_trickily_process to attach (for example: to_attach_36.exe);
6) Olly (I) pops up, the breakpoint has been triggered;
7) to_attach_36.exe is still running;
8) Olly (I): press F8 several times until NTDLL!ZwDebugActiveProcess is executed;
9) to_attach_36.exe has been stopped, Olly (II) has been attached to it, Olly (II) is stopped as well;
10) Olly (I): move the cursor to the next command after NTDLL!DbgUiStopDebugging, right click for the context menu and "new origin here", or simply press CTRL+Gray * ("gray" means the small numeric keypad);
11) Olly (I): press F9 to run Olly(II);
12) ALT-TAB to switch to Olly (II);
13) Olly (II) shows naked screen w/o any info, to_attach_36.exe is running;
14) Olly (II): View\Threads. do you see only one thread? the main thread of the app?! wow!
15) Olly (II): press “pause” to stop to_attach_36.exe;
16) Olly (II) updates the CPU window and from that moment we can trace to_attach_36.exe as usual;

Now that sums up most of the process, but there are some quirks you need to be aware of. First, you need both versions of Olly (at least I did) to make this workaround work: Olly 110 and Olly 200. For some reason certain features of Olly 110 were not properly added to Olly 200 (got that from the exetools forum), and so you are unable to properly see the names in ntdll.dll. So, you need to run Olly 110 as administrator, open Olly 200 from inside Olly 110, go to View\Executable Modules, click NTDLL.DLL at the bottom of the list, press CTRL+N, choose "DbgUiDebugActiveProcess" from the list of names, and press F2 to set the proper breakpoint.

Now that's just one part of it. You'll also need to download the MS tool (or your preference) that allows you to "suspend" processes.
NOTE: This program, called "Process Explorer", can be downloaded from the Microsoft website. If the game crashes for any reason while suspended and doesn't load back up the next time you run it, kill the process in the list in Process Explorer to get it working on the next load. (Another quirk)

So that's as far as I got. I'll reply to this thread if I get any more of this working.

THERE IS NO MACRO OR MOD SYSTEM IN FORSAKEN WORLD SO THIS WILL NOT BE AS EASY AS RoM. It will be slow and grueling but I feel like it is doable and maybe even worth it (I can't see the cashshop in FW turning into something as awful as what frogster has done in RoM).


Re: Forsaken World - Working on Bot

#2 Post by MiesterMan » Mon Aug 08, 2011 2:09 am

MiesterMan wrote:Now that's just one part of it. You'll also need to download the MS tool (or your preference) that allows you to "suspend" processes.
NOTE: This program, called "Process Explorer", can be downloaded from the Microsoft website. If the game crashes for any reason while suspended and doesn't load back up the next time you run it, kill the process in the list in Process Explorer to get it working on the next load. (Another quirk)
Ok so lol. I just found there's a "threads" view in OllyDbg that will let you suspend and resume processes.

Edit: I tried this without suspending and it seems to have worked up to the point I failed last time. Now I have to get past this point...


Re: Forsaken World - Working on Bot

#3 Post by MiesterMan » Mon Aug 08, 2011 2:30 am

And for the record this is where I'm stuck:
[Attachment: next step.jpg]

Administrator
Site Admin
Posts: 5307
Joined: Sat Jan 05, 2008 4:21 pm

Re: Forsaken World - Working on Bot

#4 Post by Administrator » Mon Aug 08, 2011 9:30 am

So the idea here is to use breakpoints to skip over a function? This seems like more work than it needs to be. Why not just SHORT JMP to the end of the function? Why not just write an injectable DLL to hook that function and return without calling the original? It would probably be less of a hassle and more stable.


Re: Forsaken World - Working on Bot

#5 Post by MiesterMan » Mon Aug 08, 2011 7:29 pm

Administrator wrote:So the idea here is to use breakpoints to skip over a function? This seems like more work than it needs to be. Why not just SHORT JMP to the end of the function? Why not just write an injectable DLL to hook that function and return without calling the original? It would probably be less of a hassle and more stable.
Right, I think that's what they did in the original thread I was reading on programmer city. But they kind of skipped so many how-to's I didn't know what was really going on. This is my way of catching up to a point I can understand what's happening.

Also, something I left out: you can easily do memory searches with Cheat Engine; however, I haven't had any luck attaching the debugger in CE. I assume it's the same issue. If I can get a client running with this function bypassed (replacing that section of code with a jump to the end), I should be able to find pointers using the traditional method.

Also, it's impossible to find patterns to match without Olly (for me anyway), not to mention the fact that I still don't really know how to read assembly.


Re: Forsaken World - Working on Bot

#6 Post by MiesterMan » Mon Oct 31, 2011 3:15 pm

Update: I can now read all of that information on the right and even most of that stuff on the left. The problem is that it's still dizzying and I don't know enough about Windows functions or DLL injection to change what needs to be changed. On top of this, additional measures have been implemented by PWI.

Looking into this still. Sorry for the ridiculously long wait.

adavis686
Posts: 6
Joined: Mon May 21, 2012 8:57 am

Re: Forsaken World - Working on Bot

#7 Post by adavis686 » Tue May 22, 2012 4:06 pm

nice job! you're working on all kinds of stuff! keep up the good work!
