Reversing question here:
Can someone (namreeb?) describe the 0x006E1A00 function — what it does and what its params are, please?
Signature: void __fastcall SomeSpellChecks(int spellRec, int someEnumArg, int FFFFFFFF, int FFFFFFFF, int zero)
Thanks!
Reversing question here:
Can someone (namreeb?) describe the 0x006E1A00 function — what it does and what its params are, please?
Signature: void __fastcall SomeSpellChecks(int spellRec, int someEnumArg, int FFFFFFFF, int FFFFFFFF, int zero)
Thanks!
That function is this:
I'm not sure what the purpose of the last two parameters is, but they're almost always -1 from what I see.Code:void __fastcall Spell_C_SpellFailed(int spellId, SpellCastResult spellResult, int unk1, int unk2)
SpellCastResult comes from cmangos, but just for reference, here it is:
Code:enum SpellCastResult : __int8 { SPELL_FAILED_AFFECTING_COMBAT = 0x0, SPELL_FAILED_ALREADY_AT_FULL_HEALTH = 0x1, SPELL_FAILED_ALREADY_AT_FULL_MANA = 0x2, SPELL_FAILED_ALREADY_BEING_TAMED = 0x3, SPELL_FAILED_ALREADY_HAVE_CHARM = 0x4, SPELL_FAILED_ALREADY_HAVE_SUMMON = 0x5, SPELL_FAILED_ALREADY_OPEN = 0x6, SPELL_FAILED_MORE_POWERFUL_SPELL_ACTIVE = 0x7, SPELL_FAILED_BAD_IMPLICIT_TARGETS = 0x9, SPELL_FAILED_BAD_TARGETS = 0xA, SPELL_FAILED_CANT_BE_CHARMED = 0xB, SPELL_FAILED_CANT_BE_DISENCHANTED = 0xC, SPELL_FAILED_CANT_BE_PROSPECTED = 0xD, SPELL_FAILED_CANT_CAST_ON_TAPPED = 0xE, SPELL_FAILED_CANT_DUEL_WHILE_INVISIBLE = 0xF, SPELL_FAILED_CANT_DUEL_WHILE_STEALTHED = 0x10, SPELL_FAILED_CANT_TOO_CLOSE_TO_ENEMY = 0x11, SPELL_FAILED_CANT_DO_THAT_YET = 0x12, SPELL_FAILED_CASTER_DEAD = 0x13, SPELL_FAILED_CHARMED = 0x14, SPELL_FAILED_CHEST_IN_USE = 0x15, SPELL_FAILED_CONFUSED = 0x16, SPELL_FAILED_DONT_REPORT = 0x17, SPELL_FAILED_EQUIPPED_ITEM = 0x18, SPELL_FAILED_EQUIPPED_ITEM_CLASS = 0x19, SPELL_FAILED_EQUIPPED_ITEM_CLASS_MAINHAND = 0x1A, SPELL_FAILED_EQUIPPED_ITEM_CLASS_OFFHAND = 0x1B, SPELL_FAILED_ERROR = 0x1C, SPELL_FAILED_FIZZLE = 0x1D, SPELL_FAILED_FLEEING = 0x1E, SPELL_FAILED_FOOD_LOWLEVEL = 0x1F, SPELL_FAILED_HIGHLEVEL = 0x20, SPELL_FAILED_IMMUNE = 0x22, SPELL_FAILED_INTERRUPTED = 0x23, SPELL_FAILED_INTERRUPTED_COMBAT = 0x24, SPELL_FAILED_ITEM_ALREADY_ENCHANTED = 0x25, SPELL_FAILED_ITEM_GONE = 0x26, SPELL_FAILED_ENCHANT_NOT_EXISTING_ITEM = 0x27, SPELL_FAILED_ITEM_NOT_READY = 0x28, SPELL_FAILED_LEVEL_REQUIREMENT = 0x29, SPELL_FAILED_LINE_OF_SIGHT = 0x2A, SPELL_FAILED_LOWLEVEL = 0x2B, SPELL_FAILED_SKILL_NOT_HIGH_ENOUGH = 0x2C, SPELL_FAILED_MAINHAND_EMPTY = 0x2D, SPELL_FAILED_MOVING = 0x2E, SPELL_FAILED_NEED_AMMO = 0x2F, SPELL_FAILED_NEED_REQUIRES_SOMETHING = 0x30, SPELL_FAILED_NEED_EXOTIC_AMMO = 0x31, SPELL_FAILED_NOPATH = 0x32, SPELL_FAILED_NOT_BEHIND = 0x33, SPELL_FAILED_NOT_FISHABLE = 0x34, SPELL_FAILED_NOT_HERE = 0x35, SPELL_FAILED_NOT_INFRONT = 0x36, 
SPELL_FAILED_NOT_IN_CONTROL = 0x37, SPELL_FAILED_NOT_KNOWN = 0x38, SPELL_FAILED_NOT_MOUNTED = 0x39, SPELL_FAILED_NOT_ON_TAXI = 0x3A, SPELL_FAILED_NOT_ON_TRANSPORT = 0x3B, SPELL_FAILED_NOT_READY = 0x3C, SPELL_FAILED_NOT_SHAPESHIFT = 0x3D, SPELL_FAILED_NOT_STANDING = 0x3E, SPELL_FAILED_NOT_TRADEABLE = 0x3F, SPELL_FAILED_NOT_TRADING = 0x40, SPELL_FAILED_NOT_UNSHEATHED = 0x41, SPELL_FAILED_NOT_WHILE_GHOST = 0x42, SPELL_FAILED_NO_AMMO = 0x43, SPELL_FAILED_NO_CHARGES_REMAIN = 0x44, SPELL_FAILED_NO_CHAMPION = 0x45, SPELL_FAILED_NO_COMBO_POINTS = 0x46, SPELL_FAILED_NO_DUELING = 0x47, SPELL_FAILED_NO_ENDURANCE = 0x48, SPELL_FAILED_NO_FISH = 0x49, SPELL_FAILED_NO_ITEMS_WHILE_SHAPESHIFTED = 0x4A, SPELL_FAILED_NO_MOUNTS_ALLOWED = 0x4B, SPELL_FAILED_NO_PET = 0x4C, SPELL_FAILED_NO_POWER = 0x4D, SPELL_FAILED_NOTHING_TO_DISPEL = 0x4E, SPELL_FAILED_NOTHING_TO_STEAL = 0x4F, SPELL_FAILED_ONLY_ABOVEWATER = 0x50, SPELL_FAILED_ONLY_DAYTIME = 0x51, SPELL_FAILED_ONLY_INDOORS = 0x52, SPELL_FAILED_ONLY_MOUNTED = 0x53, SPELL_FAILED_ONLY_NIGHTTIME = 0x54, SPELL_FAILED_ONLY_OUTDOORS = 0x55, SPELL_FAILED_ONLY_SHAPESHIFT = 0x56, SPELL_FAILED_ONLY_STEALTHED = 0x57, SPELL_FAILED_ONLY_UNDERWATER = 0x58, SPELL_FAILED_OUT_OF_RANGE = 0x59, SPELL_FAILED_PACIFIED = 0x5A, SPELL_FAILED_POSSESSED = 0x5B, SPELL_FAILED_REQUIRES_AREA = 0x5D, SPELL_FAILED_REQUIRES_SPELL_FOCUS = 0x5E, SPELL_FAILED_ROOTED = 0x5F, SPELL_FAILED_SILENCED = 0x60, SPELL_FAILED_SPELL_IN_PROGRESS = 0x61, SPELL_FAILED_SPELL_LEARNED = 0x62, SPELL_FAILED_SPELL_UNAVAILABLE = 0x63, SPELL_FAILED_STUNNED = 0x64, SPELL_FAILED_TARGETS_DEAD = 0x65, SPELL_FAILED_TARGET_AFFECTING_COMBAT = 0x66, SPELL_FAILED_TARGET_AURASTATE = 0x67, SPELL_FAILED_TARGET_DUELING = 0x68, SPELL_FAILED_TARGET_ENEMY = 0x69, SPELL_FAILED_TARGET_ENRAGED = 0x6A, SPELL_FAILED_TARGET_FRIENDLY = 0x6B, SPELL_FAILED_TARGET_IN_COMBAT = 0x6C, SPELL_FAILED_TARGET_IS_PLAYER = 0x6D, SPELL_FAILED_TARGET_NOT_DEAD = 0x6E, SPELL_FAILED_TARGET_NOT_IN_PARTY = 0x6F, 
SPELL_FAILED_TARGET_NOT_LOOTED = 0x70, SPELL_FAILED_TARGET_NOT_PLAYER = 0x71, SPELL_FAILED_TARGET_NO_POCKETS = 0x72, SPELL_FAILED_TARGET_NO_WEAPONS = 0x73, SPELL_FAILED_TARGET_UNSKINNABLE = 0x74, SPELL_FAILED_THIRST_SATIATED = 0x75, SPELL_FAILED_TOO_CLOSE = 0x76, SPELL_FAILED_TOO_MANY_OF_ITEM = 0x77, SPELL_FAILED_TRAINING_POINTS = 0x79, SPELL_FAILED_TRY_AGAIN = 0x7A, SPELL_FAILED_UNIT_NOT_BEHIND = 0x7B, SPELL_FAILED_UNIT_NOT_INFRONT = 0x7C, SPELL_FAILED_WRONG_PET_FOOD = 0x7D, SPELL_FAILED_NOT_WHILE_FATIGUED = 0x7E, SPELL_FAILED_TARGET_NOT_IN_INSTANCE = 0x7F, SPELL_FAILED_NOT_WHILE_TRADING = 0x80, SPELL_FAILED_TARGET_NOT_IN_RAID = 0x81, SPELL_FAILED_DISENCHANT_WHILE_LOOTING = 0x82, SPELL_FAILED_PROSPECT_WHILE_LOOTING = 0x83, SPELL_FAILED_TARGET_FREEFORALL = 0x85, SPELL_FAILED_NO_EDIBLE_CORPSES = 0x86, SPELL_FAILED_ONLY_BATTLEGROUNDS = 0x87, SPELL_FAILED_TARGET_NOT_GHOST = 0x88, SPELL_FAILED_TOO_MANY_SKILLS = 0x89, SPELL_FAILED_CANT_USE_NEW_ITEM = 0x8A, SPELL_FAILED_WRONG_WEATHER = 0x8B, SPELL_FAILED_DAMAGE_IMMUNE = 0x8C, SPELL_FAILED_PREVENTED_BY_MECHANIC = 0x8D, SPELL_FAILED_PLAY_TIME = 0x8E, SPELL_FAILED_REPUTATION = 0x8F, SPELL_FAILED_MIN_SKILL = 0x90, SPELL_FAILED_UNKNOWN = 0x91, SPELL_CAST_OK = 0xFF, };
At first I thought you were wrong; I was so convinced that this function was a kind of "black magic". So, thanks!
A pointer question: what are these for?
Addr + 0x110 - update: pointer to the descriptors + ObjectFields.OBJECT_END (0x18)
0x00CECAC0
0x00CEAC58
Also, I'm looking for an IDA script for automated importing of enums.
For example, I need to import the Opcodes (https://github.com/mangoszero/server...rver/Opcodes.h) into IDA.
Update:
Importing types in IDA is easily doable via the Local Types subview (Shift-F1).
Thanks!
Hello, sorry for this newbish question; I just started playing with this stuff a couple of days ago. I've seen others posting questions in this thread, so I hope I'm not breaking any rules by doing the same.
I've been working on porting an old Glider-like memory-reading bot from WotLK to vanilla, and I am almost (or possibly already) done.
The last thing I've been looking for is the aura/buff ID location. This thread has been a great help for a lot of the offsets, but I couldn't find it here nor anywhere else, so I went digging for it.
I've found an array which looks like a uint[48] at wowobj+0xB58; this one contains the IDs, but from reading a post about a similar issue for some 3.x client there should be a second one. Looking at what was accessing the address in Cheat Engine, I identified a function which I tried studying in IDA (sub_5FF350). It's rather large though, and I couldn't follow all of it, but it doesn't look like it's accessing some other array — only checking that the index is within the bounds of the one I've found. So I've started thinking that things might have worked differently in vanilla and that there was a buff cap. I'd rather not continue searching for a needle which doesn't exist, so I'm asking here before continuing.
I also found someone linking CGBuffBar::GetBuffByIndex (sub_4E4430), which to my eyes seems to confirm this idea. Also, is there some plugin to get IDA to find and name those functions? I'm not finding many of the named ones from this thread.
TLDR:
1. Is there an additional array with aura/buff ids in vanilla or is the one at wowobj+0xB58 it?
2. Is it possible to get IDA to identify functions like CGBuffBar::GetBuffByIndex by name?
Thanks for your time.
To get all unit aura id's - you have to read at
iterating auraPos from 0x2F to 0x5E (those are all 48 aura IDs — 0..0x1F buffs and 0x20..0x2F debuffs? — on the given unit).Code:int id = *(int*)(*(uint*)(addr + 8) + auraPos * 4) //the inner *(uint*) is a pointer to the descriptors
That's the way I'm reading them, but your way is even cooler:Code:id = *(int*)(unit.Addr + 0xB58 + i * 4) // for i = 0..47
http://www.ownedcore.com/forums/worl...names-ida.html (WoW script names in IDA) - the first one posted renames the Lua functions just fine.
One more question bothers me:
What are the server side checks for coord mods - either instant teleport or teleporting one step at a time and modifying the time-stamp to simulate a moving progress?
I suppose there is a Warden (or Warden-like module) that kicks me out when I do an instant teleport (ref. Valkyrie server).
Is it Warden, or is it a custom server-side check?
Can I have an example of that kind of verification, and a link to code, please?
Thanks.
Those are server-side checks that have nothing to do with Warden.
The only way you can see the code for them is by looking at the server code, which isn't available on most servers.
If you want to bypass server side checks, you just have to try and guess what the server is checking for.
It seems like I am the only one who gets confused by the code examples.
Someone posted this code:
But i don't find any information over "Executor.Execute(asm);" - I searched now for ~2 hrs on google and can't find any libary, example or similar.Code:public static byte[] LuaDoString(string Command) { // Return Value byte[] tempBytes = new byte[0]; try { //Allocate Memory For Command var DoStringArg_Codecave = Memory.Memory.Allocate(Encoding.UTF8.GetBytes(Command).Length + 1); //Execute Address IntPtr FrameScript_Execute = new IntPtr(0x00704CD0); //Write Command In Allocated Memory Memory.WriteString(DoStringArg_Codecave.BaseAddress, Command, false); var asm = new[] { "mov ecx, " + DoStringArg_Codecave.BaseAddress, "mov edx, " + DoStringArg_Codecave.BaseAddress, "call " + FrameScript_Execute, "retn", }; //Inject and Execute tempBytes = Executor.Execute(asm); //Free Memory Allocated For Command Memory.Memory.Deallocate(DoStringArg_Codecave); } catch { } return tempBytes; }
I just want to execute Lua code from my bot and get the results.
Btw: I want to get quest information from the player's quests (I already have it working so that I can read all quests with their ID, all target info, all player info, etc.), but I am not able to convert the quest ID into any useful information.
Like the objectives, how many objectives I already have, etc.
And: is there a way to get the guild name? I get the guild ID, but again I can't find any offset or pointer to a name. The only thing I find is the Lua function "GetGuildInfo(guildid)", so once I get Lua execution to work, would that solve my problem?
Any help would be really great! (I'm trying to learn all this stuff, but it's very hard.)
API GetGuildInfo - Vanilla WoW Wiki - Wikia. And if you search for "quest" there, you will find all the info you asked for.
The library in question is ManagedFasm (fasmdll_managed.dll).
And for DoString, if I remember correctly, the best way was to call it from EndScene.
You probably didn't understand me correctly; sorry, I'm German.
I know the Lua functions, and I know that DoString needs to be executed in EndScene. I think I have all the pointers for that, but the problem is that I can't find the information on how to execute them.
Everything I find is too new, and everything for 1.12.1 uses functions that I can't find (like "Executor.Execute(asm);").
I need a function to inject and execute the Lua function and to get the return value. I'm currently working on something, but so far it just crashes the client or doesn't work at all.
My English is bad too.
https://github.com/acidburn974/Blackmagic
Now get ready for some nasty code.
That is working from the outside approach, witch i don't recommend you.Code:public static readonly object inject_Lock = new object(); public static int InjectAsm(string[] asm, uint Addr) { lock (inject_Lock) { memory.Asm.Clear(); foreach (string str in asm) { memory.Asm.AddLine(str); } memory.Asm.Inject(Addr); return memory.Asm.Assemble().Length; } } public static uint ExecuteEnd(uint ingameEnableCodeCave = 1, bool dontReadValue = false) { lock (inject_Lock) { memory.WriteUInt(EnableCodeCavePtr, 1); memory.WriteUInt(IngameEnableCodeCavePtr, ingameEnableCodeCave); while (memory.ReadUInt(EnableCodeCavePtr) != 0) { } } if (dontReadValue) return EndData; return memory.ReadUInt(EndData); } public static uint InjectAndExecuteEnd(string[] asm, uint ingameEnableCodeCave = 1, bool dontReadValue = false) { InjectAsm(asm, EndCodeCave); return ExecuteEnd(ingameEnableCodeCave, dontReadValue); } //Get Text single argument public static string GetText(string command, string argument, int returnLength = 15) { string str = ""; DoString(command); memory.WriteASCIIString(GetTextArgumentsBuffer, argument + "\0"); string[] asm = new string[] { "push 0", "or edx, 0FFFFFFFFh", "mov ecx, " + GetTextArgumentsBuffer, "call " + (uint)Offsets.functions.GetText, "retn", }; uint argumentValue = InjectAndExecuteEnd(asm, 0); if (argumentValue != 0) { str = memory.ReadASCIIString(argumentValue, returnLength); } return str; } public static void HookEndScene(uint ptr) { memory.WriteUInt(EnableCodeCavePtr, 0); string[] asm = new string[] { "mov edi, edi", "push ebp", "mov ebp, esp", "pushfd", "pushad", //Test for waiting code "mov eax, [" + EnableCodeCavePtr + "]", "test eax, eax", "jz @out", "mov eax, [" + DostringReadyPtr + "]", "test eax, eax", "jz @out", "mov eax, [" + IngameEnableCodeCavePtr + "]", "test eax, eax", "jz @skipIngameCheck", "cmp dword [0x00B4B424], 1", //isInGame ? 
"jne @out", //"cmp dword [0x00BEBA40], 1", //WorldLoaded = 0x00BEBA40; //"jne @out", "mov ecx, [0x00C7BCD4]", "mov ecx, [ecx + 0x88]", "mov ecx, [ecx + 0x28]", "test ecx, ecx", //playerPtr == 0 ? "jz @out", "@skipIngameCheck:", "mov dword [" + EndData + "], 0", "call " + EndCodeCave, "mov [" + EndData + "], eax", "mov dword [" + EnableCodeCavePtr + "], 0", "@out:", "popad", "popfd", "jmp " + (ptr + 5), }; InjectAsm(asm, EndSceneCave); // create hook jump asm = new string[] { "jmp " + EndSceneCave }; InjectAsm(asm, ptr); EndSceneHooked = true; }
That way you will have a ~10 ms delay after every injected function call, and in the end the response time of your bot can grow to a few seconds (besides the ugly code).
The best way is to inject ALL your code inside the WoW process and call WoW functions with delegates.
Credits to Corthezz.
I don't really care about delay, as I only want this for learning. So what do you mean by "inject code and call functions"?
I was thinking that the DoLua stuff is already code injection.
Edit: How would you do these lookups — getting the guild name, quest info, starting an attack, casting spells, etc.? I was thinking Lua injection would be the best way.
1. I meant injecting the whole bot (.NET assembly) into the WoW process instead of injecting small pieces of machine code one at a time.
2. The Corthezz bot is a good example for learning the latter way of injection.
Yep, I am already trying to use the Corthezz bot, but sadly that is not working either. It either doesn't attach to EndScene, or (when I find the right bytes) it crashes.
I am really stuck on this execution of Lua code... That's the only problem I have.