  1. #391
    Legendary CoreCoins User DarkLinux's Avatar
    Thanks for the help, did a little more reversing

    Code:
    	// Reversed in-memory layout of one spell-range record; the trailing comments are the
    	// field offsets. The layout is specific to one client build.
    	class CSpellRange
    	{
    	public:
    		// 1-byte index; the next field sits at 0x0004, so 3 bytes of alignment padding follow it.
    		char		m_RangeIndex;					//0x0000 
    		float		m_MinRange;					//0x0004 
    		float		m_MaxRange;					//0x0008 
    		// Unknown bytes: 0x000C + 76 == 0x0058, i.e. padding out to the record size below.
    		char		m_0x000C[76];
    	};//Size=0x0058
    
    	// Reversed in-memory layout of one casting-time record (size 0x0010); offsets are the
    	// trailing comments. Build-specific.
    	class CSpellCastingTime
    	{
    	public:
    		__int32		m_CastingTimeIndex;				//0x0000 
    		__int32		m_CastTime;					//0x0004 
    		char		m_0x0008[4];					//0x0008 unknown 4 bytes
    		__int32		m_CastTime2;					//0x000C meaning not established here
    
    	};//Size=0x0010
    	
    	// Reversed in-memory layout of one duration record (size 0x0010); offsets are the
    	// trailing comments. Note the index here is a 1-byte field, whereas CSpellRecord stores
    	// its m_DurationIndex as a 32-bit value.
    	class CDuration
    	{
    	public:
    		char		m_DurationIndex;				//0x0000 
    		__int32		m_Duration;					//0x0004 
    		char		m_0x0008[4];					//0x0008
    		__int32		m_Duration2;					//0x000C 
    
    		// Divides m_Duration by 1000 and then by 60 using integer division, i.e. a
    		// millisecond value becomes whole minutes (assumes m_Duration is in ms — not
    		// established here). Truncates toward zero: 59999 -> 0, 120000 -> 2.
    		__int32 GetDuration()
    		{
    			return ((m_Duration / 1000) / 60);
    		}
    	};//Size=0x0010
    
    	// Reversed in-memory layout of one spell-icon record (size 0x0008).
    	class CIcon
    	{
    	public:
    		__int32		m_SpellIconID;					//0x0000 
    		// Pointer into client memory; presumably a NUL-terminated icon path — not established here.
    		char*		m_Icon;						//0x0004 
    
    	};//Size=0x0008
    
    	// Power types as stored in CSpellRecord::m_powerType. HEALTH is a negative sentinel (-2);
    	// the remaining values are sequential from MANA = 0 (RAGE = 1, FOCUS = 2, ENERGY = 3,
    	// HAPPINESS = 4). These are compared against m_powerType in CSpellRecord::GetCost.
    	enum PowerType_e	//m_powerType
    	{
    		HEALTH = -2,
    		MANA = 0,
    		RAGE,
    		FOCUS,
    		ENERGY,
    		HAPPINESS,
    	};
    
    	// Bit flags for CSpellRecord::m_AttributesEx; names and values taken from the MaNGOS source.
    	// These are independent bits, so test them with `&`, not `==` (a record usually has several set).
    	// CSpellRecord::UsesComboPoints masks 0x500000 == REQ_COMBO_POINTS1 | REQ_COMBO_POINTS2.
    	enum SpellAttributesEx_s //m_AttributesEx (source mangos)
    	{
    		SPELL_ATTR_EX_DRAIN_ALL_POWER = 0x2,			//use all power (Only paladin Lay of Hands and Bunyanize)
    		SPELL_ATTR_EX_CHANNELED_1 = 0x4,			//channeled 1
    		SPELL_ATTR_EX_NOT_BREAK_STEALTH = 0x20,			//Not break stealth
    		SPELL_ATTR_EX_CHANNELED_2 = 0x40,			//channeled 2
    		SPELL_ATTR_EX_NEGATIVE = 0x80,				//negative spell?
    		SPELL_ATTR_EX_NOT_IN_COMBAT_TARGET = 0x100,		//Spell req target not to be in combat state
    		SPELL_ATTR_EX_NOT_PASSIVE = 0x400,			//not passive?
    		SPELL_ATTR_EX_DISPEL_AURAS_ON_IMMUNITY = 0x8000,	//remove auras on immunity
    		SPELL_ATTR_EX_UNAFFECTED_BY_SCHOOL_IMMUNE = 0x10000,	//unaffected by school immunity
    		SPELL_ATTR_EX_REQ_COMBO_POINTS1 = 0x100000,		//Req combo points on target
    		SPELL_ATTR_EX_REQ_COMBO_POINTS2 = 0x400000,		//Req combo points on target
    	};
    
    	// Bit flags for CSpellRecord::m_AttributesEx2; names and values taken from the MaNGOS source.
    	// Independent bits — test with `&`. Only the four flags the author needed are listed here.
    	enum SpellAttributesEx2_s //m_AttributesEx2 (source mangos)
    	{
    		SPELL_ATTR_EX2_AUTO_SHOOT = 0x20,			//Auto Shoot?
    		SPELL_ATTR_EX2_HEALTH_FUNNEL = 0x800,			//Health funnel pets?
    		SPELL_ATTR_EX2_NOT_NEED_SHAPESHIFT = 0x80000,		//does not necessarly need shapeshift
    		SPELL_ATTR_EX2_CANT_CRIT = 0x20000000,			//Spell can't crit
    	};
    
    	// Reversed in-memory layout of one client spell record (size 0x02B4 on this 32-bit build);
    	// the trailing comments are the field offsets. Each char* string pointer is followed by a
    	// block of seven dwords the author labels "Trash" plus a flags dword — what those slots hold
    	// is not established here. m_SpellFamilyFlags at 0x0284 is the only 64-bit field.
    	// The accessor methods below resolve index fields through client tables located at fixed
    	// absolute addresses, so they are tied to this specific build. `UnitField` and its
    	// UNIT_FIELD_* members are declared elsewhere.
    	class CSpellRecord
    	{
    	public:
    		__int32		m_SpellID;					//0x0000 
    		__int32		m_School;					//0x0004 
    		__int32		m_Category;					//0x0008 
    		__int32		m_CastUI;					//0x000C 
    		__int32		m_Dispel;					//0x0010 (list 00C0D83C)
    		__int32		m_Mechanic;					//0x0014 
    		__int32		m_Attributes;					//0x0018 
    		__int32		m_AttributesEx;					//0x001C bits: SpellAttributesEx_s
    		__int32		m_AttributesEx2;				//0x0020 bits: SpellAttributesEx2_s
    		__int32		m_AttributesEx3;				//0x0024 
    		__int32		m_AttributesEx4;				//0x0028 
    		__int32		m_Stances;					//0x002C 
    		__int32		m_StancesNot;					//0x0030 
    		__int32		m_Targets;					//0x0034 
    		__int32		m_TargetCreatureType;				//0x0038 
    		__int32		m_RequiresSpellFocus;				//0x003C 
    		__int32		m_CasterAuraState;				//0x0040 0 == none; see NeedsAura/HasAura
    		__int32		m_TargetAuraState;				//0x0044 
    		__int32		m_CastingTimeIndex;				//0x0048 index into the casting-time table
    		__int32		m_CategoryRecoveryTime;				//0x004C (author is unsure this slot is CategoryRecoveryTime)
    		__int32		m_RecoveryTime;					//0x0050 
    		__int32		m_InterruptFlags;				//0x0054 
    		__int32		m_AuraInterruptFlags;				//0x0058 
    		__int32		m_ChannelInterruptFlags;			//0x005C 
    		__int32		m_procFlags; 					//0x0060 
    		__int32		m_procChance; 					//0x0064 
    		__int32		m_procCharges; 					//0x0068 
    		__int32		m_maxLevel; 					//0x006C 
    		__int32		m_baseLevel; 					//0x0070 
    		__int32		m_spellLevel; 					//0x0074 
    		__int32		m_DurationIndex; 				//0x0078 index into the duration table
    		__int32		m_powerType; 					//0x007C values: PowerType_e
    		__int32		m_Cost; 					//0x0080 
    		__int32		m_CostPerlevel;					//0x0084 
    		__int32		m_PerSecond;					//0x0088 
    		__int32		m_PerSecondPerLevel;				//0x008C 
    		__int32		m_rangeIndex;					//0x0090 index into the range table
    		float		m_speed;					//0x0094 
    		__int32		m_modalNextSpell;				//0x0098 
    		__int32		m_StackAmount;					//0x009C 
    		__int32		m_Totem[2];					//0x00A0 
    		__int32		m_Reagent[8];					//0x00A8 
    		__int32		m_ReagentCount[8];				//0x00C8 
    		__int32		m_EquippedItemClass;				//0x00E8 
    		__int32		m_EquippedItemSubClassMask;			//0x00EC 
    		__int32		m_EquippedItemInventoryTypeMask;		//0x00F0 
    		__int32		m_Effect[3];					//0x00F4 
    		__int32		m_EffectDieSides[3];				//0x0100 
    		__int32		m_EffectBaceDice[3];				//0x010C 
    		float		m_EffectDicePerLevel[3];			//0x0118 
    		float		m_EffectRealPointsPerLevel[3];			//0x0124 
    		__int32		m_EffectBasePoints[3];				//0x0130 
    		__int32		m_EffectMechanic[3];				//0x013C 
    		__int32		m_EffectImplicitTargetA[3];			//0x0148 
    		__int32		m_EffectImplicitTargetB[3];			//0x0154 
    		__int32		m_EffectRadiusIndex[3];				//0x0160 
    		__int32		m_EffectApplyAuraName[3];			//0x016C 
    		__int32		m_EffectAmplitude[3];				//0x0178 
    		float		m_EffectMultipleValue[3];			//0x0184 
    		__int32		m_EffectChainTarget[3];				//0x0190 
    		__int32		m_EffectItemType[3];				//0x019C 
    		__int32		m_EffectMiscValue[3];				//0x01A8 
    		__int32		m_EffectTriggerSpell[3];			//0x01B4 
    		float		m_EffectPointsPerComboPoint[3]; 		//0x01C0 
    		__int32		m_SpellVisual;					//0x01CC 
    		__int32		m_SpellVisual2;					//0x01D0 
    		__int32		m_SpellIconID;					//0x01D4 index into the icon table
    		__int32		m_activeIconID;					//0x01D8 
    		__int32		m_spellPriority;				//0x01DC 
    		char*		m_SpellName;					//0x01E0 
    		__int32		m_SpellNameTrash[7];				//0x01E4 
    		__int32		m_SpellNameFlag;				//0x0200 
    		char*		m_Rank;						//0x0204 
    		__int32		m_RankTrash[7];					//0x0208 
    		__int32		RankFlags;					//0x0224 (no m_ prefix; kept as written)
    		char*		m_Description;					//0x0228 
    		__int32		m_DescriptionTrash[7];				//0x022C 
    		__int32		m_DescriptionFlags;				//0x0248 
    		char*		m_ToolTip;					//0x024C 
    		__int32		m_ToolTipTrash[7];				//0x0250 
    		__int32		m_ToolTipFlags;					//0x026C 
    		__int32		m_CostPercentage;				//0x0270 
    		__int32		m_StartRecoveryCategory;			//0x0274 
    		__int32		m_StartRecoveryTime; 				//0x0278 
    		__int32		m_MaxTargetLevel; 				//0x027C 
    		__int32		m_SpellFamilyName; 				//0x0280 
    		__int64		m_SpellFamilyFlags; 				//0x0284 64-bit
    		__int32		m_MaxAffectedTargets; 				//0x028C 
    		__int32		m_DmgClass; 					//0x0290 
    		__int32		m_PreventionType; 				//0x0294 
    		__int32		m_StanceBarOrder; 				//0x0298 
    		float		m_DmgMultiplier[3]; 				//0x029C 
    		__int32		m_MinFactionId; 				//0x02A8 
    		__int32		m_MinReputation; 				//0x02AC 
    		__int32		m_RequiredAuraVision;				//0x02B0 
    
    		// True when either combo-point requirement flag is set in m_AttributesEx:
    		// 0x500000 == SPELL_ATTR_EX_REQ_COMBO_POINTS1 | SPELL_ATTR_EX_REQ_COMBO_POINTS2.
    		// The masked int converts to bool implicitly.
    		bool UsesComboPoints()
    		{
    			return (0x500000 & m_AttributesEx);
    		}
    
    		// Computes this spell's resource cost.
    		// unit: optional caster descriptor (may be NULL); the percentage and drain-all paths
    		//       are skipped when it is NULL.
    		// Precedence as written: m_Cost, replaced by a percentage of base health/mana,
    		// replaced by m_PerSecond if non-zero, replaced by the caster's maximum pool for a
    		// drain-all spell; finally a RAGE cost is divided by 10.
    		// NOTE(review): `m_AttributesEx == SPELL_ATTR_EX_DRAIN_ALL_POWER` is an equality test,
    		// so the drain-all branch only fires when no other EX flag is set; a bit test (`&`)
    		// is probably what was intended.
    		int GetCost(UnitField* unit = NULL)
    		{
    			int cost = m_Cost;
    			if (m_CostPercentage && unit)
    			{
    				// Percentage of the base pool; the float product is truncated toward zero by the (int) cast.
    				if (m_powerType == HEALTH)
    				{
    					cost = (int)((float)unit->UNIT_FIELD_BASE_HEALTH * ((float)m_CostPercentage / (float)100.f));
    				}
    				else
    				{
    					cost = (int)((float)unit->UNIT_FIELD_BASE_MANA * ((float)m_CostPercentage / (float)100.f));
    				}
    			}
    			
    			// A per-second (channel) cost overrides whatever was computed above.
    			if (m_PerSecond)
    			{
    				cost = m_PerSecond;
    			}
    
    			if (m_AttributesEx == SPELL_ATTR_EX_DRAIN_ALL_POWER && unit)
    			{
    				// NOTE(review): the HEALTH test is a separate `if`, not part of the else-if chain
    				// below. Harmless because HEALTH (-2) and MANA (0) never both match, but it reads
    				// as a slip.
    				if (m_powerType == HEALTH)
    				{
    					cost = unit->UNIT_FIELD_MAXHEALTH;
    				}
    				if (m_powerType == MANA)
    				{
    					cost = unit->UNIT_FIELD_MAXPOWER1;
    				}
    				else if (m_powerType == RAGE)
    				{
    					cost = unit->UNIT_FIELD_MAXPOWER2;
    				}
    				else if (m_powerType == FOCUS)
    				{
    					cost = unit->UNIT_FIELD_MAXPOWER3;
    				}
    				else if (m_powerType == ENERGY)
    				{
    					cost = unit->UNIT_FIELD_MAXPOWER4;
    				}
    			}
    
    			// Rage is stored scaled by 10; integer division drops the fraction.
    			if (m_powerType == RAGE)
    			{
    				return cost / 10;
    			}
    
    			return cost;
    		}
    
    		// True when the spell requires a caster aura state (m_CasterAuraState != 0).
    		bool NeedsAura()
    		{
    			return (m_CasterAuraState);
    		}
    
    		// Tests bit (m_CasterAuraState - 1) of the unit's aura-state mask.
    		// NOTE(review): unit is dereferenced without a NULL check (unlike GetCost), and when
    		// m_CasterAuraState is 0 the shift count is -1, which is undefined behaviour — callers
    		// are expected to check NeedsAura() first.
    		bool HasAura(UnitField* unit)
    		{
    			return (unit->UNIT_FIELD_AURASTATE & (1 << (m_CasterAuraState - 1)));
    		}
    
    		// Resolves m_rangeIndex through the client's range table: the table base is read from
    		// a fixed absolute address, then the entry at base + index * 4 (32-bit pointers).
    		// Returns NULL when either the table pointer or the entry is zero.
    		// m_rangeIndex is not bounds-checked against the table size, which is not known here.
    		CSpellRange* GetRangeObject()
    		{
    			DWORD RangeList = *(DWORD*)(0x00C0D79C);
    			if (RangeList)
    			{
    				DWORD RangeObject = *(DWORD*)(RangeList + (m_rangeIndex * 4));
    				if (RangeObject)
    				{
    					return (CSpellRange*)RangeObject;
    				}
    			}
    			return NULL;
    		}
    
    		// Same two-step lookup as GetRangeObject, keyed by m_CastingTimeIndex through the
    		// casting-time table. Returns NULL if either pointer is zero. The local is still named
    		// RangeObject (copy-paste leftover); no bounds check on the index.
    		CSpellCastingTime* GetCastingTimeObject()
    		{
    			DWORD CastingTimeList = *(DWORD*)(0x00C0D878);
    			if (CastingTimeList)
    			{
    				DWORD RangeObject = *(DWORD*)(CastingTimeList + (m_CastingTimeIndex * 4));
    				if (RangeObject)
    				{
    					return (CSpellCastingTime*)RangeObject;
    				}
    			}
    			return NULL;
    		}
    
    		// Same two-step lookup, keyed by m_DurationIndex through the duration table.
    		// Returns NULL if either pointer is zero; no bounds check on the index.
    		CDuration* GetDurationObject()
    		{
    			DWORD DurationList = *(DWORD*)(0x00C0D828);
    			if (DurationList)
    			{
    				DWORD DurationObject = *(DWORD*)(DurationList + (m_DurationIndex * 4));
    				if (DurationObject)
    				{
    					return (CDuration*)DurationObject;
    				}
    			}
    			return NULL;
    		}
    
    		// Same two-step lookup, keyed by m_SpellIconID through the icon table.
    		// Returns NULL if either pointer is zero; no bounds check on the index.
    		CIcon* GetIconObject()
    		{
    			DWORD IconList = *(DWORD*)(0x00C0D7EC);
    			if (IconList)
    			{
    				DWORD IconObject = *(DWORD*)(IconList + (m_SpellIconID * 4));
    				if (IconObject)
    				{
    					return (CIcon*)IconObject;
    				}
    			}
    			return NULL;
    		}
    	};//Size=0x02B4
    
    	// Looks up the spell record for spellbook slot `index` (pet spellbook when isPet).
    	// Two indirections through fixed absolute addresses: a spell-ID table gives the spell ID,
    	// then the record table at 0x00C0D788 is indexed by that ID. Returns NULL if any step
    	// yields zero. Both addresses are specific to this client build; `index` and the spell ID
    	// are not bounds-checked against either table.
    	// NOTE(review): `isPet ? 0x0B6F098 : 0x00B700F0 + (index * 4)` parses as
    	// `isPet ? 0x0B6F098 : (0x00B700F0 + index * 4)`, so the pet branch ignores `index` and
    	// always reads the same dword. Parenthesise the conditional if the offset is meant to
    	// apply to both tables.
    	static CSpellRecord* GetSpellObjectByIndex(int index, bool isPet = false)
    	{
    		DWORD spellID = *(DWORD*)(isPet ? 0x0B6F098 : 0x00B700F0 + (index * 4));
    		if (spellID)
    		{
    			DWORD SpellList = *(DWORD*)(0x00C0D788);
    			if (SpellList)
    			{
    				DWORD SpellObject = *(DWORD*)(SpellList + (spellID * 4));
    				if (SpellObject)
    				{
    					return (CSpellRecord*)SpellObject;
    				}
    			}
    		}
    		return NULL;
    	}
    --edit

    I swapped m_RecoveryTime and m_CategoryRecoveryTime; I don't know whether that one is really m_CategoryRecoveryTime.
    Last edited by DarkLinux; 12-12-2016 at 03:32 AM.

  2. #392
    Legendary CoreCoins User DarkLinux's Avatar
    Was thinking I found something new... But I guess not
    Code:
    	// Calls the client's spell-cooldown routine (fixed address 0x006E13E0, build-specific)
    	// with the spell-history object in ecx and SpellID plus four zero arguments on the stack;
    	// the three `int*` out-parameters are passed as NULL because only the boolean result is wanted.
    	// NOTE(review): there is no C++ `return` statement — the result relies on the callee leaving
    	// its value in eax, which MSVC tolerates for __asm bodies but is not guaranteed by the
    	// language. Whether the callee or the caller removes the five pushed dwords is not visible
    	// here — TODO confirm the calling convention.
    	static bool IsSpellOnCooldown(int SpellID)
    	{
    		DWORD GetSpellCooldown = 0x006E13E0;
    		__asm
    		{
    			mov ecx, 0xCECAEC	//Spell History
    			push 0 			//int* ready
    			push 0 			//int* start
    			push 0 			//int* duration
    			push 0			//false
    			push SpellID
    			call GetSpellCooldown
    		}
    	}
    Edit: removed a `push 0`; there was one too many.

    Quote Originally Posted by Corthezz View Post
    GetSpellCooldown at 0x006E13E0
    Not seeing the global cool down in the Spell History

    Code:
    0x00 lastSpell
    0x08 spellID
    0x10 start time
    0x1C start time
    0x28 spellID
    0x2C castTime
    Last edited by DarkLinux; 12-07-2016 at 02:17 AM.

  4. #393
    Legendary CoreCoins User DarkLinux's Avatar
    Slowly moving away from lua calls. No need for such overhead.
    Code:
    	// Calls the client routine at fixed address 0x00605570 (build-specific) with `creature`
    	// in ecx and no stack arguments; the result is whatever that routine produces.
    	// NOTE(review): no C++ `return` — relies on the callee's value being left in eax, which
    	// MSVC tolerates for __asm bodies but the language does not guarantee. `creature` is not
    	// NULL-checked before the call.
    	static int GetCreatureTypeIndex(PVOID creature)
    	{
    		DWORD _GetCreatureTypeIndex = 0x00605570;
    		__asm
    		{
    			mov ecx, creature
    			call _GetCreatureTypeIndex
    		}
    	}
    	
    	// Reversed in-memory layout of one creature-type record (size 0x0008).
    	class CCreatureType
    	{
    	public:
    		__int32		m_CreatureTypeIndex;			//0x0000 
    		// Pointer into client memory; compared with strcmp in IsCritter, so assumed NUL-terminated.
    		char*		m_CreatureType;				//0x0004 
    	};//Size=0x0008
    
    	// Returns the creature-type name for `creature`, or "" when the type table or its entry
    	// is missing. The index comes from GetCreatureTypeIndex and is used to index the table at
    	// the fixed (build-specific) address 0x00C0DE2C without a range check.
    	// NOTE(review): `return "";` converts a string literal to `char*`, which C++11 and later
    	// reject (compilers accept it only as an extension); the return type should be
    	// `const char*`. Callers must never write through the result.
    	static char* GetCreatureType(PVOID creature)
    	{
    		int typeIndex = GetCreatureTypeIndex(creature);
    
    		DWORD CreatureTypeList = *(DWORD*)(0x00C0DE2C);
    		if (CreatureTypeList)
    		{
    			DWORD CreatureTypeObject = *(DWORD*)(CreatureTypeList + (typeIndex * 4));
    			if (CreatureTypeObject)
    			{
    				return ((CCreatureType*)CreatureTypeObject)->m_CreatureType;
    			}
    		}
    		return "";
    	}
    
    	// True when the creature's type name, as returned by GetCreatureType, is exactly "Critter".
    	// GetCreatureType never returns NULL (it falls back to ""), so the comparison is safe.
    	static bool IsCritter(PVOID creature)
    	{
    		const char* typeName = GetCreatureType(creature);
    		return 0 == std::strcmp(typeName, "Critter");
    	}
    
    	// Calls the client routine at fixed address 0x00606980 (build-specific) with `unit` in ecx
    	// and `otherUnit` pushed as the single stack argument.
    	// NOTE(review): no C++ `return` — relies on the callee leaving its result in eax, which
    	// MSVC tolerates for __asm bodies but the language does not guarantee. Whether the callee
    	// pops the pushed argument is not visible here — TODO confirm the calling convention.
    	// Neither pointer is NULL-checked before the call.
    	static bool UnitCanAttack(PVOID unit, PVOID otherUnit)
    	{
    		DWORD _UnitCanAttack = 0x00606980;
    		__asm
    		{
    			push    otherUnit
    			mov     ecx, unit
    			call	_UnitCanAttack
    		}
    	}
    
    	// Values returned by UnitClassification(); sequential from Normal = 0
    	// (Elite = 1, RareElite = 2, WorldBoss = 3, Rare = 4).
    	enum UnitClassification_e
    	{
    		Normal = 0,
    		Elite,
    		RareElite,
    		WorldBoss,
    		Rare,
    	};
    	// Calls the client routine at fixed address 0x00605620 (build-specific) with `unit` in ecx
    	// and no stack arguments; the result is expected to be one of UnitClassification_e.
    	// NOTE(review): no C++ `return` — relies on the callee leaving its value in eax, which
    	// MSVC tolerates for __asm bodies but the language does not guarantee. `unit` is not
    	// NULL-checked before the call.
    	static int UnitClassification(PVOID unit)
    	{
    		DWORD _UnitClassification = 0x00605620;
    		__asm
    		{
    			mov     ecx, unit
    			call	_UnitClassification
    		}
    	}
    Last edited by DarkLinux; 12-07-2016 at 12:09 AM.

  6. #394
    Active Member tutrakan's Avatar
    Yes, UnitCanAttack is right and very useful.

    I'm really curious how you manage to reveal class structures like these. Do you use some tool, or do you have a specific technique for it?
    Last edited by tutrakan; 12-07-2016 at 12:59 AM.

  7. #395
    Legendary CoreCoins User DarkLinux's Avatar
    I use CE to debug / view structures, and then when coding I use a program called ReClass. Coded by DrUnKeN ChEeTaH but its open source so many people are updating it (GitHub - dude719/Reclass-2016: ReClass 2016)

    Unless you are talking about the args being sent when calling — that's just debugging with CE.
    Last edited by DarkLinux; 12-07-2016 at 01:07 AM.

  9. #396
    Contributor CoreCoins User danwins's Avatar
    Referencing the Warden scans on Kronos, I figured I would share:

    Code:
    warden_dump ( Kronos )
    Addr	  Size  Desc
    0x40362B  0x03  Warden::sub_403620
    0x49F6F2  0x03  Script_SendChatMessage
    0x538610  0x04  some jump table warden related?
    0x5E642C  0x05  func referencing some dword player_c / spell related
    0x680B81  0x05  unknown
    0x6CEE4E  0x05  unknown
    0x60BFA0  0x02  CGUnit_C::OnRightClick -> loot while mounted
    0x482ED8  0x06  CGWorldFrame::OnWorldUpdate modify unit -> desc -> UNIT_FIELD_FLAGS
    0x5ED2E3  0x06  CGPlayer_C::CanTrackObject
    0x6334F0  0x01  unknown some float @ 80DFFC
    0x636598  0x01  unknown some float @ 80DFFC 0.6427876353f
    0x494A50  0x07  CGGameUI::CanPerformAction
    0x7C63A8  0x04  Movement Related
    0x518062  0x01  Script_UnitLevel UnitReaction related?
    0x4711E0  0x02  CCharCreateInfo::CreateCharacter
    0x67063E  0x01  unknown
    0x6AB494  0x01  unknown
    0x60BFBF  0x02  CGUnit_C::OnRightClick loot related
    0x60FC30  0x04  sub_60FB60 auto follow related
    0x7C4955  0x03  CMovementData::GetPosition
    0x60FF65  0x02  CGUnit_C::sub_60FED0 tracking/follow related
    0x6AB1BF  0x03  unknown
    0x6CEE5B  0x06  unknown
    0x7C625E  0x02  Infinite Jump
    0x6341E3  0x02  unknown ( movement related? )
    0x636ED4  0x01  unknown some float @ 80DFFC
    0x7C705C  0x06  unknown
    0x7C6206  0x0B  unknown player move flags related
    0x5ED28D  0x06  CGPlayer_C::CanTrackUnit
    0x7C69A0  0x03  unknown
    0x5EC720  0x08  CGPlayer_C::GetLanguageSkill
    0x615BA7  0x04  unknown
    0x4711EA  0x01  CCharCreateInfo::CreateCharacter
    0x49F5DD  0x01  Script_SendChatMessage
    0x63379C  0x01  unknown some float @ 80DFFC
    0x60F7C9  0x06  unknown
    0x635C3A  0x01  unknown some float @ 80DFFC
    0x60FF71  0x01  CGUnit_C::sub_60FED0 tracking/follow related
    0x60BFB1  0x02  CGUnit_C::OnRightClick
    0x6163DB  0x03  Anti Root
    0x7C33DA  0x03  unknown
    0x7C63DD  0x03  movement related
    0x618919  0x04  unknown
    0x87D894  0x04  some float .data default value 60.148003f
    0x7C6E83  0x07  Swimming related
    0x618917  0x06  unknown
    0x80DFFC  0x04  some float .data default value 0.64278764f
    0x7C6269  0x04  Jump related
    0x7C6272  0x04  Jump Gravity
    0x615CF5  0x01  movement related jump table?
    0x7C625F  0x01  Jump related
    0x7C63DA  0x03  movement related?
    0x6341BC  0x02  unknown
    0x7C63D9  0x01  movement related?
    0x7C63BD  0x03  movement related?
    0x618918  0x04  movement related?
    0x5ABD50  0x06  ClientServices_CharacterValidateName
    0x7C620D  0x02  movement related?
    0x5FE54F  0x01  CGUnit_C::UpdateBaseAnimation
    0x616749  0x02  CMovement::MoveUnit
    0x60F650  0x06  unknown
    0x482BE3  0x01  CGWorldFrame::sub_482AD0
    0x6163DE  0x0A  Anti Root
    0x6ABF13  0x01  unknown
    0x6A467B  0x01  unknown
    0x6CA1B5  0x01  WardenClient_Process
    0x6D2743  0x06  unknown
    0x636198  0x01  unknown
    Does anyone know what function is at 0x7C6340? It looks movement related, and makes calls to CMovementData::GetPosition and CMovementData::GetFacing.

    And also the float at 0x80DFFC: it's usually 0.6427876353f.

  11. #397
    Elite User CoreCoins User Authenticator enabled namreeb's Avatar
    Quote Originally Posted by danwins View Post
    Does anyone know what function is at 0x7C6340 it looks movement related, and makes calles to CMovementData::GetPosition and CMovementData::GetFacing
    It is InitMovementStatus() and initializes the local client's movement status structure.

  13. #398
    Active Member greenthing's Avatar
    Quote Originally Posted by DarkLinux View Post
    I use CE to debug / view structures, and then when coding I use a program called ReClass. Coded by DrUnKeN ChEeTaH but its open source so many people are updating it (GitHub - dude719/Reclass-2016: ReClass 2016)

    Unless you are talking about args being sent when calling, thats just debugging with CE.
    GitHub - KN4CK3R/ReClass.NET: A ReClass port to the .NET platform.
    FYI.

  14. #399
    Legendary CoreCoins User DarkLinux's Avatar
    Looked over some of the Elysium Warden scans and was a little lost on some of them:

    Code:
    LocalPlayer + 0 	//VTable Scan?
    LocalPlayer + A20 	//fallStartTime (edit danwins)
    LocalPlayer + A2C 	//Move Speed
    LocalPlayer + A34 	//Forward speed? (value = 7.f)
    LocalPlayer + A60 	//collision box Z (edit NotJuJuBoSc)
    LocalPlayer + 9E8  	//MovementFlags (Movement Struct)
    
    localPayerDescriptor + 0x58 //Health
    Why would they be scanning things like health? Why would they scan the vtable pointer, and then not scan any of the entries? I know someone could spoof the full table, but it's odd they don't check any other pointers. They scan some flags / states; can't the client be desynced and normal players get flagged?

    They are also scanning a pointer to the LocalPlayer, must be for a clientless client check.
    Last edited by DarkLinux; 12-20-2016 at 02:57 AM.

  15. #400
    Private NotJuJuBoSc's Avatar
    Quote Originally Posted by DarkLinux View Post
    Looked over some of the elysium warden scan and was a little lost on some of them,

    Code:
    LocalPlayer + 0 	//VTable Scan?
    LocalPlayer + A20 	//Move state 
    LocalPlayer + A2C 	//Move Speed
    LocalPlayer + A34 	//Forward speed? (value = 7.f)
    LocalPlayer + A60 	//No idea (value = 1.f)
    LocalPlayer + 9E8  	//MovementFlags (Movement Struct)
    
    localPayerDescriptor + 0x58 //Health
    Why would they be scanning things like health? Why would they scan the vtable pointer, and then not scan any of the entries? I know someone could spoof the full table, but odd they dont check any other pointers.They scan some flags / states, cant the client be desynced and normal players get flagged?

    They are also scanning a pointer to the LocalPlayer, must be for a clientless client check.
    Their Warden is actually really interesting: they use the memory-scan Warden function as a "server-side" memory reader.

    They start by reading 4 bytes at 00C7BCD4 (CWorldScene__camTargEntity) in the first Warden scan packet; when the client answers with those 4 bytes (which are actually a pointer), they add 0x88 to get another pointer, and so on, so they can read player object info and compare it server side.

    Really clever against clientless bots (not hard once you get it, but still annoying to handle); great job @ Elysium.

  17. #401
    Contributor culino2's Avatar
    Quote Originally Posted by DarkLinux View Post
    Why would they be scanning things like health?
    On MangosZero there was an exploit to gather herbs and open chests while dead by setting the health > 0.

  19. #402
    Legendary CoreCoins User DarkLinux's Avatar
    @culino2
    Oh thats why, good to know

    @NotJuJuBoSc
    That is so cool; they really did think outside the box. I guess they could scan anything with that method. Hmm, they could even upload modules or pages. I'd better add some type of check for a linear scan. Warden does not have a way to write to memory, I hope?
    Last edited by DarkLinux; 12-19-2016 at 02:41 PM.

  20. #403
    Elite User CoreCoins User Authenticator enabled namreeb's Avatar
    With the currently available Warden modules from pre-cata, to my knowledge there is no way to write memory with it.

  22. #404
    Contributor CoreCoins User danwins's Avatar
    Warden module as a DLL (since the one posted in the other thread has messed-up imports):

    79c0768d657977d697e10bad956cced1.zip

  24. #405
    Contributor culino2's Avatar
    For the above Warden module:

    Code:
    0x4F90 Warden_AddTwoNumbers
    0x1180 Warden_Return0
    0x6230 Warden_Return1
    0x1940 Warden_GetProcAddress
    0x3520 Warden_GetModuleHandle
    0x7988 Warden_TlsSetValue
    0x1834 Warden_SHA1Init
    0x2AA4 Warden_SHA1Update
    0x5379 Warden_SHA1Final
    0x5906 Warden_SHA1Hash
    0x7494 Warden_SHA1Transform
    0x63B8 Warden_Process (called from the client in WardenClient::Process at WoW client offset 0x006CA190)
    0x2A7F Warden_CopyMem
    0x1780 Warden_CallCopyMem (scanned by Nostalrius with PageCheck)
    0x4099 Warden_OnPacket
    0x4EB0 Warden_PacketFinialize (adds 4 byte checksum and 2 byte size iirc)
    0x3DF4 Warden_RC4CryptPacket
    0x2CCF Warden_WoWClientSendWardenData
    0x7850 Warden_PacketPutInt8
    0x7890 Warden_PacketPutInt32
    0x1C80 Warden_PacketPutBytes
    0x78D0 Warden_PacketGetInt8
    0x7910 Warden_PacketGetInt32
    0x3ED2 Warden_PacketGetString
    0x62F0 Warden_PacketGetBytes
    0x5BD0 Warden_StorePageScanInfo (first parameter is 1 if warden should also check pages with PE headers, second is hash, third seed, fourth offset, last size)
    0x1000 Warden_PageCheckHashAndCompare
    0x79A0 Warden_ComparePageCheckHash (compare calculated memory hash with server hash)
    0x1190 Warden_CallProcCheckHashAndCompare (only gets called if both dll + exported function have been found (Warden_GetModuleHandle/Warden_GetProcAddress)
    0x1E00 Warden_ProcCheckHashAndCompare (same as above...)
    0x2713 Warden_CheckMPQFile (called in Warden_ScanCase) Nostalrius is using it, if you want to test this.
    0x2CFD Warden_ScanCase (calls all checks)
    
    Scan functions:
    
    0x11E4 Warden_PageCheckA_B (check 0xB2, 0xBF)
    0x3700 Warden_CopyRelativeAddress (check 0xF3, name stolen from Jadd)
    0x14D0 Warden_ModuleCheck (check 0xD9)
    
    vftable calls:
    0x2D77 leads to Warden_PageCheckA_B
    0x332C leads to Warden_CopyRelativeAddress
    0x33C9 leads to Warden_ModuleScan
    0x3021 leads to Warden_GetModuleHandle
    0x3062 leads to Warden_GetProcAddress
    0x308E leads to Warden_CallProcCheckHashAndCompare
    Last edited by culino2; 12-24-2016 at 07:43 PM. Reason: more
