Sampling Pixels
So you know how to post mouse and keyboard events. How do we also get feedback from the game? For example, what if we want to know the health of a character or of a target opponent? You can learn many things by reading pixel colors from the screen. For example, health bars are typically red and located at a specific place on the screen. If you sample pixel colors from this area, you should be able to tell what value is present on the on-screen health indicator. You can use pixel sampling for a plethora of things, of course; this is just one example.
The following code snippet illustrates how to determine the color of a pixel:
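    #include <windows.h>

    // Returns the color of the pixel at (x, y) in the foreground window.
    COLORREF GetColorOfPixel(DWORD x, DWORD y)
    {
        HWND hWnd = GetForegroundWindow();   // window that currently has focus
        HDC hDC = GetDC(hWnd);               // device context for its client area
        COLORREF cr = GetPixel(hDC, x, y);   // CLR_INVALID if (x, y) is outside the clipping region
        ReleaseDC(hWnd, hDC);                // release every DC obtained with GetDC
        return cr;
    }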
The code first gets the topmost window—which will be the game’s client window since it must be topmost (and in focus) in order to interact with your keystroke and mouse messages. This works if the game is in windowed mode as opposed to full-screen mode. Most games support windowed mode. The COLORREF will have values for red, blue, and green, and these can be used to deduce any color.
Figure 6–11 shows an example technique for checking the health, mana, or other information displayed in bars on the WoW interface.
Figure 6–11 - By sampling pixel color at the locations on the bar marked with an X, you can keep track of health, mana, and other information displayed as bars on the WoW interface.
A botting or combat assist program can sample the colors at the locations indicated on the screen. Given a few samples, the botting program can determine whether the character is at full, medium, or low health.
Countermeasures against Macro Bots
Macro-botting programs have one advantage over other types of botting programs—they are easy to understand and build. That’s why they are particularly popular. They also have the advantage that they don’t manipulate the game’s program memory at all, so the game won’t be able to detect that it’s being hacked.
In fact, a macro program such as this is hardly a hack at all—it’s merely simulating a real player by pressing keys and clicking the mouse. Game programs that hope to catch players using macro programs like this must resort to scanning the processes and window names on the system. This might seem like a violation of privacy (and we believe it is), but it’s the only way games can hope to detect macro programs at this level.
Macro programs like this aren’t used just for games like WoW. They are also used for online poker, and in poker games there is often a lot of money at stake. Programs can automatically play cards just as easily as they can drive a Paladin in a fantasy world. In the case of the popular online poker site PartyPoker.com, rumor has it that the game producers resort to taking full screenshots of your computer monitor, including everything visible at the time the shot is taken, and sending those shots home for analysis. Talk about an invasion of privacy!
Hiding from Process Lists
Some games read your PC’s process list in hopes of finding a known macro program, such as the AC Tool or something similar. This doesn’t work very well because it is trivial to rename your process to something else. Simply rename the .exe file before launching it.
Sometimes scanning a process list is used for more than just determining process names—it is also used to find processes for subsequent memory scans. In this case, renaming the .exe isn’t going to work. You need to hide the process entirely. This can be accomplished by using a rootkit.4 Hiding a program is simple—simply download the easy-to-use and popular FU rootkit from . Running FU will allow you to hide a process.
Changing Window Names
Another method games use to scan for botting software is to read the text of all open windows. If you suspect your target game is doing something like this, you may want to download the tool called the Governor (which we introduce in Chapter 2) from the book’s Web site or at . This tool will inform you if the game is attempting to read memory of processes and/or window texts.
To defeat window texts, simply randomize the names of your windows so they can’t be trivially fingerprinted.
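The limits of the two client-side checks described above (process-name scanning and window-text scanning), shown as detection logic run over a constructed process snapshot. This is an added example, not code from the book; the signature lists, image names, and window titles are assumptions made up for illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* One row of a constructed process snapshot (sample data, not real scan output). */
struct proc_entry { const char *image_name; const char *window_title; };

/* Case-insensitive substring test (portable stand-in for strcasestr). */
static int contains_ci(const char *hay, const char *needle)
{
    for (; *hay; hay++) {
        size_t i = 0;
        while (needle[i] && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (!needle[i]) return 1;
    }
    return needle[0] == '\0';
}

/* Hypothetical signatures; "AC Tool" is the macro program the text names. */
static const char *NAME_SIGS[]  = { "actool" };
static const char *TITLE_SIGS[] = { "AC Tool" };
enum { HIT_NAME = 1, HIT_TITLE = 2 };

/* Returns a bitmask saying which check, if any, flagged the entry. */
int scan_entry(const struct proc_entry *p)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof NAME_SIGS / sizeof *NAME_SIGS; i++)
        if (contains_ci(p->image_name, NAME_SIGS[i])) hits |= HIT_NAME;
    for (size_t i = 0; i < sizeof TITLE_SIGS / sizeof *TITLE_SIGS; i++)
        if (contains_ci(p->window_title, TITLE_SIGS[i])) hits |= HIT_TITLE;
    return hits;
}

/* Constructed rows: original names, different image name, different name and title, the game. */
const struct proc_entry SNAPSHOT[] = {
    { "ACTool.exe",   "AC Tool - macro1" },
    { "notepad2.exe", "AC Tool - macro1" },
    { "notepad2.exe", "k3Jq9xT" },
    { "game.exe",     "Game Client" },
};

int main(void)
{
    for (size_t i = 0; i < sizeof SNAPSHOT / sizeof *SNAPSHOT; i++)
        printf("%-13s %-17s -> %d\n", SNAPSHOT[i].image_name, SNAPSHOT[i].window_title, scan_entry(&SNAPSHOT[i]));
    return 0;
}
```

The return values show which signal survives each row: the name check is lost once the image name no longer matches a signature, and the title check once the window text no longer matches.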
Wielding Rootkits for Stealth
The most powerful form of botting stealth can be obtained by using rootkits. Rootkits are programs designed to hide other programs and data on a computer. Rootkits are not intrinsically bad; they are just tools and, like any tool, they can be used by bad guys or good guys. For game hacking, rootkits are particularly useful. More information on how rootkits can be used to hide botting programs is given later.
Generating Windows Messages
Of course, games always have messages specific to the game. If you can generate these messages and get them to the game client, you can in some sense manipulate the game client right through the front door.