[WoW] 1.12.1.5875 Info Dump Thread

[tutrakan]

Reversing question here:
Can someone(namreeb?) describe the 0x006E1A00 function, what it does and params please?
Signature: void __fastcall SomeSpellChecks(int spellRec, int someEnumArg, int FFFFFFFF, int FFFFFFFF, int zero)
Thanks!

[namreeb]

That function is this:

Code:

void __fastcall Spell_C_SpellFailed(int spellId, SpellCastResult spellResult, int unk1, int unk2)

I'm not sure what the purpose of the last two parameters are, but they're almost always -1 from what I see.

SpellCastResult comes from cmangos, but just for reference, here it is:

Code:

enum SpellCastResult : __int8
{
  SPELL_FAILED_AFFECTING_COMBAT = 0x0,
  SPELL_FAILED_ALREADY_AT_FULL_HEALTH = 0x1,
  SPELL_FAILED_ALREADY_AT_FULL_MANA = 0x2,
  SPELL_FAILED_ALREADY_BEING_TAMED = 0x3,
  SPELL_FAILED_ALREADY_HAVE_CHARM = 0x4,
  SPELL_FAILED_ALREADY_HAVE_SUMMON = 0x5,
  SPELL_FAILED_ALREADY_OPEN = 0x6,
  SPELL_FAILED_MORE_POWERFUL_SPELL_ACTIVE = 0x7,
  SPELL_FAILED_BAD_IMPLICIT_TARGETS = 0x9,
  SPELL_FAILED_BAD_TARGETS = 0xA,
  SPELL_FAILED_CANT_BE_CHARMED = 0xB,
  SPELL_FAILED_CANT_BE_DISENCHANTED = 0xC,
  SPELL_FAILED_CANT_BE_PROSPECTED = 0xD,
  SPELL_FAILED_CANT_CAST_ON_TAPPED = 0xE,
  SPELL_FAILED_CANT_DUEL_WHILE_INVISIBLE = 0xF,
  SPELL_FAILED_CANT_DUEL_WHILE_STEALTHED = 0x10,
  SPELL_FAILED_CANT_TOO_CLOSE_TO_ENEMY = 0x11,
  SPELL_FAILED_CANT_DO_THAT_YET = 0x12,
  SPELL_FAILED_CASTER_DEAD = 0x13,
  SPELL_FAILED_CHARMED = 0x14,
  SPELL_FAILED_CHEST_IN_USE = 0x15,
  SPELL_FAILED_CONFUSED = 0x16,
  SPELL_FAILED_DONT_REPORT = 0x17,
  SPELL_FAILED_EQUIPPED_ITEM = 0x18,
  SPELL_FAILED_EQUIPPED_ITEM_CLASS = 0x19,
  SPELL_FAILED_EQUIPPED_ITEM_CLASS_MAINHAND = 0x1A,
  SPELL_FAILED_EQUIPPED_ITEM_CLASS_OFFHAND = 0x1B,
  SPELL_FAILED_ERROR = 0x1C,
  SPELL_FAILED_FIZZLE = 0x1D,
  SPELL_FAILED_FLEEING = 0x1E,
  SPELL_FAILED_FOOD_LOWLEVEL = 0x1F,
  SPELL_FAILED_HIGHLEVEL = 0x20,
  SPELL_FAILED_IMMUNE = 0x22,
  SPELL_FAILED_INTERRUPTED = 0x23,
  SPELL_FAILED_INTERRUPTED_COMBAT = 0x24,
  SPELL_FAILED_ITEM_ALREADY_ENCHANTED = 0x25,
  SPELL_FAILED_ITEM_GONE = 0x26,
  SPELL_FAILED_ENCHANT_NOT_EXISTING_ITEM = 0x27,
  SPELL_FAILED_ITEM_NOT_READY = 0x28,
  SPELL_FAILED_LEVEL_REQUIREMENT = 0x29,
  SPELL_FAILED_LINE_OF_SIGHT = 0x2A,
  SPELL_FAILED_LOWLEVEL = 0x2B,
  SPELL_FAILED_SKILL_NOT_HIGH_ENOUGH = 0x2C,
  SPELL_FAILED_MAINHAND_EMPTY = 0x2D,
  SPELL_FAILED_MOVING = 0x2E,
  SPELL_FAILED_NEED_AMMO = 0x2F,
  SPELL_FAILED_NEED_REQUIRES_SOMETHING = 0x30,
  SPELL_FAILED_NEED_EXOTIC_AMMO = 0x31,
  SPELL_FAILED_NOPATH = 0x32,
  SPELL_FAILED_NOT_BEHIND = 0x33,
  SPELL_FAILED_NOT_FISHABLE = 0x34,
  SPELL_FAILED_NOT_HERE = 0x35,
  SPELL_FAILED_NOT_INFRONT = 0x36,
  SPELL_FAILED_NOT_IN_CONTROL = 0x37,
  SPELL_FAILED_NOT_KNOWN = 0x38,
  SPELL_FAILED_NOT_MOUNTED = 0x39,
  SPELL_FAILED_NOT_ON_TAXI = 0x3A,
  SPELL_FAILED_NOT_ON_TRANSPORT = 0x3B,
  SPELL_FAILED_NOT_READY = 0x3C,
  SPELL_FAILED_NOT_SHAPESHIFT = 0x3D,
  SPELL_FAILED_NOT_STANDING = 0x3E,
  SPELL_FAILED_NOT_TRADEABLE = 0x3F,
  SPELL_FAILED_NOT_TRADING = 0x40,
  SPELL_FAILED_NOT_UNSHEATHED = 0x41,
  SPELL_FAILED_NOT_WHILE_GHOST = 0x42,
  SPELL_FAILED_NO_AMMO = 0x43,
  SPELL_FAILED_NO_CHARGES_REMAIN = 0x44,
  SPELL_FAILED_NO_CHAMPION = 0x45,
  SPELL_FAILED_NO_COMBO_POINTS = 0x46,
  SPELL_FAILED_NO_DUELING = 0x47,
  SPELL_FAILED_NO_ENDURANCE = 0x48,
  SPELL_FAILED_NO_FISH = 0x49,
  SPELL_FAILED_NO_ITEMS_WHILE_SHAPESHIFTED = 0x4A,
  SPELL_FAILED_NO_MOUNTS_ALLOWED = 0x4B,
  SPELL_FAILED_NO_PET = 0x4C,
  SPELL_FAILED_NO_POWER = 0x4D,
  SPELL_FAILED_NOTHING_TO_DISPEL = 0x4E,
  SPELL_FAILED_NOTHING_TO_STEAL = 0x4F,
  SPELL_FAILED_ONLY_ABOVEWATER = 0x50,
  SPELL_FAILED_ONLY_DAYTIME = 0x51,
  SPELL_FAILED_ONLY_INDOORS = 0x52,
  SPELL_FAILED_ONLY_MOUNTED = 0x53,
  SPELL_FAILED_ONLY_NIGHTTIME = 0x54,
  SPELL_FAILED_ONLY_OUTDOORS = 0x55,
  SPELL_FAILED_ONLY_SHAPESHIFT = 0x56,
  SPELL_FAILED_ONLY_STEALTHED = 0x57,
  SPELL_FAILED_ONLY_UNDERWATER = 0x58,
  SPELL_FAILED_OUT_OF_RANGE = 0x59,
  SPELL_FAILED_PACIFIED = 0x5A,
  SPELL_FAILED_POSSESSED = 0x5B,
  SPELL_FAILED_REQUIRES_AREA = 0x5D,
  SPELL_FAILED_REQUIRES_SPELL_FOCUS = 0x5E,
  SPELL_FAILED_ROOTED = 0x5F,
  SPELL_FAILED_SILENCED = 0x60,
  SPELL_FAILED_SPELL_IN_PROGRESS = 0x61,
  SPELL_FAILED_SPELL_LEARNED = 0x62,
  SPELL_FAILED_SPELL_UNAVAILABLE = 0x63,
  SPELL_FAILED_STUNNED = 0x64,
  SPELL_FAILED_TARGETS_DEAD = 0x65,
  SPELL_FAILED_TARGET_AFFECTING_COMBAT = 0x66,
  SPELL_FAILED_TARGET_AURASTATE = 0x67,
  SPELL_FAILED_TARGET_DUELING = 0x68,
  SPELL_FAILED_TARGET_ENEMY = 0x69,
  SPELL_FAILED_TARGET_ENRAGED = 0x6A,
  SPELL_FAILED_TARGET_FRIENDLY = 0x6B,
  SPELL_FAILED_TARGET_IN_COMBAT = 0x6C,
  SPELL_FAILED_TARGET_IS_PLAYER = 0x6D,
  SPELL_FAILED_TARGET_NOT_DEAD = 0x6E,
  SPELL_FAILED_TARGET_NOT_IN_PARTY = 0x6F,
  SPELL_FAILED_TARGET_NOT_LOOTED = 0x70,
  SPELL_FAILED_TARGET_NOT_PLAYER = 0x71,
  SPELL_FAILED_TARGET_NO_POCKETS = 0x72,
  SPELL_FAILED_TARGET_NO_WEAPONS = 0x73,
  SPELL_FAILED_TARGET_UNSKINNABLE = 0x74,
  SPELL_FAILED_THIRST_SATIATED = 0x75,
  SPELL_FAILED_TOO_CLOSE = 0x76,
  SPELL_FAILED_TOO_MANY_OF_ITEM = 0x77,
  SPELL_FAILED_TRAINING_POINTS = 0x79,
  SPELL_FAILED_TRY_AGAIN = 0x7A,
  SPELL_FAILED_UNIT_NOT_BEHIND = 0x7B,
  SPELL_FAILED_UNIT_NOT_INFRONT = 0x7C,
  SPELL_FAILED_WRONG_PET_FOOD = 0x7D,
  SPELL_FAILED_NOT_WHILE_FATIGUED = 0x7E,
  SPELL_FAILED_TARGET_NOT_IN_INSTANCE = 0x7F,
  SPELL_FAILED_NOT_WHILE_TRADING = 0x80,
  SPELL_FAILED_TARGET_NOT_IN_RAID = 0x81,
  SPELL_FAILED_DISENCHANT_WHILE_LOOTING = 0x82,
  SPELL_FAILED_PROSPECT_WHILE_LOOTING = 0x83,
  SPELL_FAILED_TARGET_FREEFORALL = 0x85,
  SPELL_FAILED_NO_EDIBLE_CORPSES = 0x86,
  SPELL_FAILED_ONLY_BATTLEGROUNDS = 0x87,
  SPELL_FAILED_TARGET_NOT_GHOST = 0x88,
  SPELL_FAILED_TOO_MANY_SKILLS = 0x89,
  SPELL_FAILED_CANT_USE_NEW_ITEM = 0x8A,
  SPELL_FAILED_WRONG_WEATHER = 0x8B,
  SPELL_FAILED_DAMAGE_IMMUNE = 0x8C,
  SPELL_FAILED_PREVENTED_BY_MECHANIC = 0x8D,
  SPELL_FAILED_PLAY_TIME = 0x8E,
  SPELL_FAILED_REPUTATION = 0x8F,
  SPELL_FAILED_MIN_SKILL = 0x90,
  SPELL_FAILED_UNKNOWN = 0x91,
  SPELL_CAST_OK = 0xFF,
};

[tutrakan]

At first, i thought you were wrong, i was so convicted that this func. was a kind of a "Black Magic". So, thanks!

A pointer question: what these ones are for?

Addr + 0x110 - update: pointer to the the descriptors + ObjectFields.OBJECT_END (0x18)
0x00CECAC0
0x00CEAC58

Also, I'm looking for an IDA script for automated importing of enums.
For example i need to import the Opcodes https://github.com/mangoszero/server...rver/Opcodes.h in IDA.

Update:
Importing types in IDA is easy doable by local types subview (Shift-F1).

Thanks!

[squiggy]

Hello, sorry for this newbish question I just started playing with this stuff a couple of days ago. Ive seen others posting questions in this thread so I hope im not breaking any rules in doing the same.

Ive been working on porting an old glider like memory reading bot for wtlk to vanilla and I am almost (or possibly am) done.
Last thing ive been looking for is the aura/buff id location, this thread has been a great help for a lot of the offsets but i couldnt find it here nor anywhere else so i went digging for it.

Ive found an array which looks like its a uint[48] at wowobj+0xB58, this one contains the ids but reading a post about a similar issue for some 3.x client there should be a second one. Looking at what was accessing the address in cheat engine I identified a function which i tried studying in IDA(sub_5FF350). Its rather large though and I couldnt follow all but it doesnt look like its accessing some other array but only checking if the index is within bounds of the one Ive found. So ive started thinking that things might have worked differently in vanilla and that there was a buff cap. Id rather not continue searching for a needle which doesnt exist so Im asking here before continuing.

I also found someone linking CGBuffBar::GetBuffByIndex (sub_4E4430) which to my eyes seem to confirm this idea. Also is there some plugin to get ida to find and name those functions? im not finding many of the named ones in this thread.

TLDR:

1. Is there an additional array with aura/buff ids in vanilla or is the one at wowobj+0xB58 it?
2. Is it possible to get IDA to identify functions like CGBuffBar::GetBuffByIndex by name?

Thanks for your time.

[tutrakan]

To get all unit aura id's - you have to read at

Code:

int id = *(int*)(*(uint*)(addr + 8) + auraPos * 4)   //the inner *(uint*) is a pointer to the descriptors

iterating auraPos from 0x2F to 0x5E (there are all the 48 aura Id's /0..0x1F buffs and 0x20..0x2F debuffs?/ on the given unit).

That's the way i'm reading them, but your way is even cooler:

Code:

id = *(int*)(unit.Addr + 0xB58 + i * 4)   // for i = 0..47

.

http://www.ownedcore.com/forums/worl...names-ida.html (WOW script names in IDA) - 1-st one posted renames the lua functions just fine.

[tutrakan]

1 more question bothers me,

What are the server side checks for coord mods - either instant teleport or teleporting one step at a time and modifying the time-stamp to simulate a moving progress?
I suppose there is a warden (warden-like module) that kicks me out when i do instant teleport (ref Vlakyrie server).
It is the Warden or it is a custom server side check?
Can i have an example of that kind of verification. And a link to code pls.

Thanks.

[Saridormi]

1 more question bothers me,

What are the server side checks for coord mods - either instant teleport or teleporting one step at a time and modifying the time-stamp to simulate a moving progress?
I suppose there is a warden (warden-like module) that kicks me out when i do instant teleport (ref Vlakyrie server).
It is the Warden or it is a custom server side check?
Can i have an example of that kind of verification. And a link to code pls.

Thanks.

Those are server side checks that have nothing to do with Warden.

The only way you can see the code for them is by looking at the server code, which isn't available on most servers.

If you want to bypass server side checks, you just have to try and guess what the server is checking for.

[SatyPardus]

It seems like i am the only one, who gets confused by the code examples.
Someone postet this Code:

Code:

public static byte[] LuaDoString(string Command)
{
	// Return Value
	byte[] tempBytes = new byte[0];

	try
	{
		//Allocate Memory For Command
		var DoStringArg_Codecave = Memory.Memory.Allocate(Encoding.UTF8.GetBytes(Command).Length + 1);

		//Execute Address
		IntPtr FrameScript_Execute = new IntPtr(0x00704CD0);

		//Write Command In Allocated Memory
		Memory.WriteString(DoStringArg_Codecave.BaseAddress, Command, false);

		var asm = new[] 
		{
			"mov ecx, " + DoStringArg_Codecave.BaseAddress,
			"mov edx, " + DoStringArg_Codecave.BaseAddress,
			"call " + FrameScript_Execute,
			"retn",    
		};

		//Inject and Execute
		tempBytes = Executor.Execute(asm);

		//Free Memory Allocated For Command
		Memory.Memory.Deallocate(DoStringArg_Codecave);
	}
	catch { }

	return tempBytes;
}

But i don't find any information over "Executor.Execute(asm);" - I searched now for ~2 hrs on google and can't find any libary, example or similar.
I just want to execute Lua code from my bot and get results.

Btw: I want to get quest informations from player quests (I already have it working, that i can read all quests with their id, all target info, all player info etc) but i am not able to convert the questid to any usefull information.
Like objectives, how many objectives i already have etc.
And: Is there a way to get the guildname? I get the guildid but again cant find any offset or pointer to a name. The only thing i find is the lua function "GetGuildInfo(guildid)", so when i get lua execution to work, would that solve my problem?

Any help would be really great! (I'm trying to learn all this stuff, but it's very hard)

[tutrakan]

API GetGuildInfo - Vanilla WoW Wiki - Wikia And if you do a search for "quest" you will have all the info that you asked.

The library in question is ManagedFasm (fasmdll_managed.dll).

And for DoString, if i remember well, the best way was to be called from the EndScene.

[tutrakan]

The only way you can see the code for them is by looking at the server code, which isn't available on most servers.

Can i have an example of that kind of verification. And a link to that server code please?

"All I can say is wow!"

[SatyPardus]

API GetGuildInfo - Vanilla WoW Wiki - Wikia And if you do a search for "quest" you will have all the info that you asked.

The library in question is ManagedFasm (fasmdll_managed.dll).

And for DoString, if i remember well, the best way was to be called from the EndScene.

You probably don't understand me correctly, sorry, i'm german

I know the lua functions and i know that dostring needs to be executed in endscene. I think i have all pointers for that, but the problem is, that i dont find the information to execute them.
Everything i find is to new, and everything for 1.12.1 has functions in it, that i cant find (Like the "Executor.Execute(asm);")

I need an function to Inject and execute the lua function and to get return value. I'm working currently on something, but till now it just crashes the client or doesnt work at all

[tutrakan]

I suck bad in english too

https://github.com/acidburn974/Blackmagic

Now get ready for some nasty code:

Code:

public static readonly object inject_Lock = new object();
        public static int InjectAsm(string[] asm, uint Addr)
        {
            lock (inject_Lock)
            {
                memory.Asm.Clear();
                foreach (string str in asm)
                {
                    memory.Asm.AddLine(str);
                }
                memory.Asm.Inject(Addr);

                return memory.Asm.Assemble().Length;
            }
        }
public static uint ExecuteEnd(uint ingameEnableCodeCave = 1, bool dontReadValue = false)
        {
            lock (inject_Lock)
            {
                memory.WriteUInt(EnableCodeCavePtr, 1);
                memory.WriteUInt(IngameEnableCodeCavePtr, ingameEnableCodeCave);

                while (memory.ReadUInt(EnableCodeCavePtr) != 0) { }
            }

            if (dontReadValue) return EndData;

            return memory.ReadUInt(EndData);
        }

        public static uint InjectAndExecuteEnd(string[] asm, uint ingameEnableCodeCave = 1, bool dontReadValue = false)
        {
            InjectAsm(asm, EndCodeCave);

            return ExecuteEnd(ingameEnableCodeCave, dontReadValue);
        }

//Get Text single argument        
        public static string GetText(string command, string argument, int returnLength = 15)
        {
            string str = "";

            DoString(command);

            memory.WriteASCIIString(GetTextArgumentsBuffer, argument + "\0");

            string[] asm = new string[]
                {
                    "push 0",
                    "or edx, 0FFFFFFFFh",
                    "mov ecx, " + GetTextArgumentsBuffer,
                    "call " + (uint)Offsets.functions.GetText,
                    "retn",    
                };

            uint argumentValue = InjectAndExecuteEnd(asm, 0);
            if (argumentValue != 0)
            {
                str = memory.ReadASCIIString(argumentValue, returnLength);
            }
            return str;
        }


public static void HookEndScene(uint ptr)
        {
            memory.WriteUInt(EnableCodeCavePtr, 0);

            string[] asm = new string[]
                {
                    "mov edi, edi",
                    "push ebp",
                    "mov ebp, esp",

                    "pushfd",
                    "pushad",                            
                            
                    //Test for waiting code
                    "mov eax, [" + EnableCodeCavePtr + "]",
                    "test eax, eax",
                    "jz @out",                    

                    "mov eax, [" + DostringReadyPtr + "]",
                    "test eax, eax",
                    "jz @out",

                    "mov eax, [" + IngameEnableCodeCavePtr + "]",
                    "test eax, eax",
                    "jz @skipIngameCheck",

                    "cmp dword [0x00B4B424], 1",        //isInGame ?
                    "jne @out",
                    //"cmp dword [0x00BEBA40], 1",        //WorldLoaded = 0x00BEBA40;
                    //"jne @out",
                    "mov ecx, [0x00C7BCD4]",
                    "mov ecx, [ecx + 0x88]",
                    "mov ecx, [ecx + 0x28]",
                    "test ecx, ecx",                    //playerPtr == 0 ?
                    "jz @out",
                      
                 "@skipIngameCheck:",                      
                    "mov dword [" + EndData + "], 0",
                    "call " + EndCodeCave,
                          
                    "mov [" + EndData + "], eax",

                    "mov dword [" + EnableCodeCavePtr + "], 0",
                           
                 "@out:",
                    "popad",
                    "popfd",
                    "jmp " + (ptr + 5),
                };

            InjectAsm(asm, EndSceneCave);

            // create hook jump  
            asm = new string[]
                {
                    "jmp " + EndSceneCave
                };

            InjectAsm(asm, ptr);

            EndSceneHooked = true;
        }

That is working from the outside approach, witch i don't recommend you.
That way you will have ~10ms delay after every injected function call and at the end, the response time of your bot can take up to a few seconds (beside the ugly code).

The best way is to inject ALL your code inside the wow process and call wow functions with delegates.

Credits to Corthezz.

[SatyPardus]

I don't really care about delay As i only want this for for learning. So what do you mean with inject code and call functions?
I was thinking that the DoLua stuff is already code injection

Edit: How would you do these lookups? Getting the Guildname, Questinfo. Start attacking, casting spells etc. I was thinking lua injection would be the best way.

[tutrakan]

1. I meant to inject the whole bot ( .Net assembly) in the wow process instead of injecting small pieces of machine code one at a time.

2. The Corthezz bot is a good example for learning the latter way of injection.

[SatyPardus]

Yep, i am already trying to use the Corthezz bot, but sadly that is not working aswell. It will doesnt attach to the endscene or (when i find the right bytes) it will crash.
I am really stuck on this execution of lua code... That's the only problem i have