-
"01000200A0772400F08724006084240030872400040000F03B30000001010010C0020001"
They use that string when initializing the warden module. The addresses come out to be 0x2C010+wow.exe OsGetAsyncTimeMs (thx @danwins), 0x303BF0+wow.exe, 0x248730+wow.exe and 0x2487F0+wow.exe.
But when setting a bp the return address is never anything inside warden.
I also have a bp on 0x006CA227 (aka Warden_Init) so I can set a bp on 0x31AC+warden. But it also never hits that bp.
Any ideas?
--edit
@namreeb thx, all offsets are named (mangos_warden/WardenWin.cpp at master * tomrus88/mangos_warden * GitHub)
--edit
Looks like the module gets loaded in the character screen but does not call the init function until ingame...
Last edited by DarkLinux; 03-01-2017 at 03:29 AM.
-
That string is just the hexadecimal form of the packet that is sent. You can compare it to something like this, for example: mangos_warden/WardenWin.cpp at master * tomrus88/mangos_warden * GitHub
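To make the comparison concrete, here is an added decoder (not from the thread or from mangos_warden) that unpacks the hex string DarkLinux posted into its fields; it assumes the field order of the three module-initialize blocks in the mangos_warden WardenInitModuleRequest, minus the per-block command/size/checksum headers, which the quoted string does not contain. The six function RVAs it recovers include the four DarkLinux lists (0x2C010, 0x303BF0, 0x248730, 0x2487F0).

```python
import struct

# The hex string exactly as DarkLinux posted it (36 bytes once decoded).
INIT_PAYLOAD_HEX = ("01000200A0772400F08724006084240030872400"
                    "040000F03B30000001010010C0020001")

# Assumed layout: the three WARDEN_SMSG_MODULE_INITIALIZE blocks of
# mangos_warden's WardenInitModuleRequest, without the per-block
# command/size/checksum headers (the posted string does not carry them).
#   block 1: unk1, unk2, type, string_library, 4 x u32 function RVAs
#   block 2: unk3, unk4, string_library, u32 function RVA, set flag
#   block 3: unk5, unk6, string_library, u32 function RVA, set flag
_LAYOUT = struct.Struct("<4B4I3BIB3BIB")   # little-endian, unpadded

WOW_BASE = 0x00400000   # default image base of a non-relocated wow.exe


def decode_init_request(hex_payload):
    """Split the payload into its three blocks; RVAs stay image-relative."""
    raw = bytes.fromhex(hex_payload)
    if len(raw) != _LAYOUT.size:
        raise ValueError(f"expected {_LAYOUT.size} bytes, got {len(raw)}")
    f = _LAYOUT.unpack(raw)
    return {
        "block1": {"unk1": f[0], "unk2": f[1], "type": f[2],
                   "string_library": f[3], "functions": list(f[4:8])},
        "block2": {"unk3": f[8], "unk4": f[9], "string_library": f[10],
                   "function": f[11], "set": f[12]},
        "block3": {"unk5": f[13], "unk6": f[14], "string_library": f[15],
                   "function": f[16], "set": f[17]},
    }


def all_rvas(decoded):
    """Every function RVA the server hands the module, in packet order."""
    b1, b2, b3 = decoded["block1"], decoded["block2"], decoded["block3"]
    return b1["functions"] + [b2["function"], b3["function"]]


if __name__ == "__main__":
    decoded = decode_init_request(INIT_PAYLOAD_HEX)
    for rva in all_rvas(decoded):
        # Rebased value is what a breakpoint needs if wow.exe loads at 0x400000.
        print(f"wow.exe+0x{rva:06X}  (0x{WOW_BASE + rva:08X} at default base)")
```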
-
Contributor
Didn't see a jump posted anywhere that was working for me; found it at 0x60DEA0 if anyone was interested.
Code:
int Jump()
{
    // CGUnit_C::Jump at 0x60DEA0 (stored in wowAddr->Jump), __thiscall on the player object
    typedef int(__thiscall *fnJump)(WoWObject* Player, int a2);
    fnJump JumpThePlayer = (fnJump)wowAddr->Jump;
    JumpThePlayer(Player, 0);
    return 0;
}
-
Post Thanks / Like - 1 Thanks
Krack3n (1 members gave Thanks to Icesythe7 for this useful post)
-
Member
Is there any way to read the spells that are placed on the hotbar slots 0-12?
-
Contributor
Originally Posted by
mskc33
Is there any way to read the spells that are placed on the hotbar slots 0-12?
CGActionBar::m_slotActions @ 0x00BC6980.
Last edited by tutrakan; 03-05-2017 at 09:52 AM.
-
Post Thanks / Like - 1 Thanks
Natrist (1 members gave Thanks to tutrakan for this useful post)
-
Contributor
So I was messing around with loot with the usual method of interacting with the object (0x60BEA0) and then calling autoloot, when after xrefing back a bit I noticed that the interact function itself calls InteractObj at 0x60BFE4, which in turn calls AutoLoot. So I followed the disasm and it turns out arg 2 is set from LocalPlayer + 0x1D30, which when autolooting is 1, so if you just call 0x60BEA0 with a 1 instead of a 0 it interacts and autoloots instantly instead of having to call autoloot and check if the window is open etc. XD Code example:
P.S. works for skinning also
Code:
int InteractUnit(void *obj, int a1 = 0)
{
    // a1 = 1 takes the same path the client uses when autolooting
    typedef int(__thiscall *fnInteractUnit)(void *obj, int a1);
    fnInteractUnit InteractTheUnit = (fnInteractUnit)wowAddr->RightClickUnit; //0x60BEA0
    InteractTheUnit(obj, a1);
    return 0;
}
Some crappy test code that works great:
Code:
for (WoWObject* obj : GetObjects())
{
    if (obj->type == Type::Unit)
    {
        // dead unit that still has loot on it
        if (obj->WoWObjectData->health == 0 && obj->WoWObjectData->hasLoot)
        {
            if (GetDistance(obj, Player) < 4 && !IsMoving())
            {
                isLooting = true;
                if (Player->WoWObjectData->comLoot != 0x408)
                {
                    cout << endl << "Looting...";
                    InteractUnit(obj, 1);
                    cout << endl << "Looted!";
                    Sleep(500);
                    isLooting = false;
                }
            }
        }
    }
}
example gif
https://i.gyazo.com/414935c83fb2dfa1...e8d19bcf42.mp4
Last edited by Icesythe7; 03-06-2017 at 09:15 AM.
-
Post Thanks / Like - 2 Thanks
DarkLinux,
bone91 (2 members gave Thanks to Icesythe7 for this useful post)
-
Banned
Originally Posted by
namreeb
Yes I noticed that the fmod .text segment is writeable. But even that doesn't help you because even fmod's own stack and heap would be in another page. You'd have to find a way to write to, and call, an arbitrary address. You could probably use the Warden memory reading function to find the base address of the fmod .text segment, though.
Edit: For general information, I think the way you'd have the highest chance of success to find something like this would be to look at the opcode handlers which write values to global variables offset by some parameter of the server's packet. For example MSG_RAID_TARGET_UPDATE, pseudo-code here:
Code:
int __stdcall Handler_MSG_RAID_TARGET_UPDATE(int _58, CDataStore *a2)
{
    CDataStore *v2; // ebx@1
    unsigned int v3; // esi@2
    int v4; // ecx@3
    CGObject_C *v5; // eax@4
    unsigned __int64 v6; // ST04_8@9
    CGObject_C *v7; // eax@9
    int v8; // ecx@9
    CGObject_C *v9; // eax@11
    int a1; // [sp+4h] [bp-4Ch]@2
    int a4[15]; // [sp+8h] [bp-48h]@3
    unsigned __int64 a3; // [sp+44h] [bp-Ch]@8
    char v14; // [sp+4Fh] [bp-1h]@1

    v2 = a2;
    CDataStore::Get8(a2, &v14);
    if ( v14 )
    {
        qmemcpy(&a1, &dword_B71368, 0x40u);
        memset(&dword_B71368, 0, 0x40u);
        v3 = 0;
        do
        {
            v4 = a4[2 * v3];
            if ( v4 | *(&a1 + 2 * v3) )
            {
                v5 = ClntObjMgrObjectPtr(
                         8u,
                         "E:\\build\\buildWoW\\WoW\\Source\\Ui\\RaidInfo.cpp",
                         __PAIR__(v4, *(&a1 + 2 * v3)));
                if ( v5 )
                    sub_608A90(v5);
            }
            ++v3;
        }
        while ( v3 < 8 );
    }
    while ( !v2->VMT->IsRead(v2) )
    {
        CDataStore::Get8(v2, (_BYTE *)&a2 + 3);
        CDataStore::Get64(v2, &a3);
        if ( BYTE3(a2) < 8u )
        {
            HIDWORD(v6) = *(&dword_B7136C + 2 * BYTE3(a2));
            LODWORD(v6) = *((_DWORD *)&dword_B71368 + 2 * BYTE3(a2));
            v7 = ClntObjMgrObjectPtr(8u, "E:\\build\\buildWoW\\WoW\\Source\\Ui\\RaidInfo.cpp", v6);
            v8 = BYTE3(a2);
            *((_DWORD *)&dword_B71368 + 2 * v8) = a3;
            *(&dword_B7136C + 2 * v8) = HIDWORD(a3);
            if ( v7 )
                sub_608A90(v7);
            v9 = ClntObjMgrObjectPtr(8u, "E:\\build\\buildWoW\\WoW\\Source\\Ui\\RaidInfo.cpp", a3);
            if ( v9 )
                sub_608A90(v9);
        }
    }
    FrameScript_SignalEvent(0x219u);
    return 1;
}
Now if that 8 bit parameter were a 32 bit parameter, you could write 8 bytes at a time to any address larger than 0xB7136C, which would solve half the problem.
the real Hackerman.
-
Member
Sorry for asking, but how do I retrieve a player's speed?
I've never used the object manager pls hlp
-
Contributor
Player movement data cheat engine table:
Code:
<?xml version="1.0" encoding="utf-8"?>
<CheatTable CheatEngineTableVersion="18">
<CheatEntries>
<CheatEntry>
<ID>0</ID>
<Description>"ActivePlayer -> MovementData"</Description>
<LastState Value="00000000" Activated="0" RealAddress="0EAF09B0"/>
<ShowAsHex>1</ShowAsHex>
<Color>80000008</Color>
<VariableType>4 Bytes</VariableType>
<Address>00C7BCD4</Address>
<Offsets>
<Offset>0</Offset>
<Offset>118</Offset>
<Offset>28</Offset>
<Offset>88</Offset>
</Offsets>
<CheatEntries>
<CheatEntry>
<ID>7</ID>
<Description>"m_position.x"</Description>
<LastState Value="-8948.804688" Activated="0" RealAddress="0EAF09C0"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+10</Address>
</CheatEntry>
<CheatEntry>
<ID>1</ID>
<Description>"m_position.y"</Description>
<LastState Value="-123.137001" Activated="0" RealAddress="0EAF09C4"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+14</Address>
</CheatEntry>
<CheatEntry>
<ID>2</ID>
<Description>"m_position.z"</Description>
<LastState Value="83.25884247" Activated="0" RealAddress="0EAF09C8"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+18</Address>
</CheatEntry>
<CheatEntry>
<ID>3</ID>
<Description>"m_facing"</Description>
<LastState Value="3.064624786" Activated="0" RealAddress="0EAF09CC"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+1C</Address>
</CheatEntry>
<CheatEntry>
<ID>33</ID>
<Description>"m_pitch"</Description>
<LastState Value="-0.3159046471" Activated="0" RealAddress="0EAF09D0"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+20</Address>
</CheatEntry>
<CheatEntry>
<ID>5</ID>
<Description>"m_transportGUID"</Description>
<LastState Value="0000000000000000" Activated="0" RealAddress="0EAF09E8"/>
<ShowAsHex>1</ShowAsHex>
<Color>80000008</Color>
<VariableType>8 Bytes</VariableType>
<Address>+38</Address>
</CheatEntry>
<CheatEntry>
<ID>6</ID>
<Description>"m_moveFlags"</Description>
<LastState Value="00000000" Activated="0" RealAddress="0EAF09F0"/>
<ShowAsHex>1</ShowAsHex>
<Color>80000008</Color>
<VariableType>4 Bytes</VariableType>
<Address>+40</Address>
</CheatEntry>
<CheatEntry>
<ID>8</ID>
<Description>"m_anchorPosition.x"</Description>
<LastState Value="-8948.804688" Activated="0" RealAddress="0EAF09F4"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+44</Address>
</CheatEntry>
<CheatEntry>
<ID>9</ID>
<Description>"m_anchorPosition.y"</Description>
<LastState Value="-123.137001" Activated="0" RealAddress="0EAF09F8"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+48</Address>
</CheatEntry>
<CheatEntry>
<ID>10</ID>
<Description>"m_anchorPosition.z"</Description>
<LastState Value="83.25884247" Activated="0" RealAddress="0EAF09FC"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+4C</Address>
</CheatEntry>
<CheatEntry>
<ID>11</ID>
<Description>"m_anchorFacing"</Description>
<LastState Value="3.064624786" Activated="0" RealAddress="0EAF0A00"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+50</Address>
</CheatEntry>
<CheatEntry>
<ID>12</ID>
<Description>"m_anchorPitch"</Description>
<LastState Value="-0.3159046471" Activated="0" RealAddress="0EAF0A04"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+54</Address>
</CheatEntry>
<CheatEntry>
<ID>13</ID>
<Description>"m_moveStartTime"</Description>
<LastState Value="00000000" Activated="0" RealAddress="0EAF0A08"/>
<ShowAsHex>1</ShowAsHex>
<Color>80000008</Color>
<VariableType>4 Bytes</VariableType>
<Address>+58</Address>
</CheatEntry>
<CheatEntry>
<ID>14</ID>
<Description>"m_direction.x"</Description>
<LastState Value="-0.9970394373" Activated="0" RealAddress="0EAF0A0C"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+5C</Address>
</CheatEntry>
<CheatEntry>
<ID>15</ID>
<Description>"m_direction.y"</Description>
<LastState Value="0.07689189911" Activated="0" RealAddress="0EAF0A10"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+60</Address>
</CheatEntry>
<CheatEntry>
<ID>16</ID>
<Description>"m_direction.z"</Description>
<LastState Value="0" Activated="0" RealAddress="0EAF0A14"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+64</Address>
</CheatEntry>
<CheatEntry>
<ID>17</ID>
<Description>"m_direction2d.x"</Description>
<LastState Value="-0.9970394373" Activated="0" RealAddress="0EAF0A18"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+68</Address>
</CheatEntry>
<CheatEntry>
<ID>18</ID>
<Description>"m_direction2d.y"</Description>
<LastState Value="0.07689189911" Activated="0" RealAddress="0EAF0A1C"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+6C</Address>
</CheatEntry>
<CheatEntry>
<ID>19</ID>
<Description>"m_cosAnchorPitch"</Description>
<LastState Value="1" Activated="0" RealAddress="0EAF0A20"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+70</Address>
</CheatEntry>
<CheatEntry>
<ID>20</ID>
<Description>"m_sinAnchorPitch"</Description>
<LastState Value="0" Activated="0" RealAddress="0EAF0A24"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+74</Address>
</CheatEntry>
<CheatEntry>
<ID>21</ID>
<Description>"m_fallStartTime"</Description>
<LastState Value="00000000" Activated="0" RealAddress="0EAF0A28"/>
<ShowAsHex>1</ShowAsHex>
<Color>80000008</Color>
<VariableType>4 Bytes</VariableType>
<Address>+78</Address>
</CheatEntry>
<CheatEntry>
<ID>22</ID>
<Description>"m_fallStartElevation"</Description>
<LastState Value="83.53119659" Activated="0" RealAddress="0EAF0A2C"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+7C</Address>
</CheatEntry>
<CheatEntry>
<ID>23</ID>
<Description>"unk"</Description>
<LastState Value="00000000" Activated="0" RealAddress="0EAF0A30"/>
<ShowAsHex>1</ShowAsHex>
<Color>80000008</Color>
<VariableType>4 Bytes</VariableType>
<Address>+80</Address>
</CheatEntry>
<CheatEntry>
<ID>24</ID>
<Description>"m_currentSpeed"</Description>
<LastState Value="0" Activated="0" RealAddress="0EAF0A34"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+84</Address>
</CheatEntry>
<CheatEntry>
<ID>25</ID>
<Description>"m_walkSpeed"</Description>
<LastState Value="2.5" Activated="0" RealAddress="0EAF0A38"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+88</Address>
</CheatEntry>
<CheatEntry>
<ID>26</ID>
<Description>"m_runSpeed"</Description>
<LastState Value="7" Activated="0" RealAddress="0EAF0A3C"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+8C</Address>
</CheatEntry>
<CheatEntry>
<ID>27</ID>
<Description>"m_unkSpeed1"</Description>
<LastState Value="4.5" Activated="0" RealAddress="0EAF0A40"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+90</Address>
</CheatEntry>
<CheatEntry>
<ID>28</ID>
<Description>"m_swimSpeed"</Description>
<LastState Value="4.722221851" Activated="0" RealAddress="0EAF0A44"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+94</Address>
</CheatEntry>
<CheatEntry>
<ID>29</ID>
<Description>"m_unkSpeed2"</Description>
<LastState Value="2.5" Activated="0" RealAddress="0EAF0A48"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+98</Address>
</CheatEntry>
<CheatEntry>
<ID>30</ID>
<Description>"m_turnRate"</Description>
<LastState Value="3.141593933" Activated="0" RealAddress="0EAF0A4C"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+9C</Address>
</CheatEntry>
<CheatEntry>
<ID>31</ID>
<Description>"m_jumpsomething"</Description>
<LastState Value="0" Activated="0" RealAddress="0EAF0A50"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+A0</Address>
</CheatEntry>
<CheatEntry>
<ID>32</ID>
<Description>"unk"</Description>
<LastState Value="0" Activated="0" RealAddress="0EAF0A54"/>
<Color>80000008</Color>
<VariableType>Float</VariableType>
<Address>+A4</Address>
</CheatEntry>
<CheatEntry>
<ID>34</ID>
<Description>"some_timestamp"</Description>
<LastState Value="0D9C6C41" Activated="0" RealAddress="0EAF0A58"/>
<ShowAsHex>1</ShowAsHex>
<Color>80000008</Color>
<VariableType>4 Bytes</VariableType>
<Address>+A8</Address>
</CheatEntry>
</CheatEntries>
</CheatEntry>
</CheatEntries>
<UserdefinedSymbols/>
</CheatTable>
-
Post Thanks / Like - 2 Thanks
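Since the next reply mentions turning this table into a C++ structure, here is an added script (not from the thread) that parses the Cheat Engine XML above, turns each child's "+XX" address and VariableType into a struct member, and emits explicit padding for the unmapped byte ranges so gaps are visible rather than guessed. A constructed three-entry excerpt of the posted table is embedded so it runs offline; the full table works the same way.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the posted table: same shape, three of the child entries.
CE_TABLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<CheatTable CheatEngineTableVersion="18"><CheatEntries><CheatEntry>
<ID>0</ID><Description>"ActivePlayer -> MovementData"</Description>
<VariableType>4 Bytes</VariableType><Address>00C7BCD4</Address>
<Offsets><Offset>0</Offset><Offset>118</Offset><Offset>28</Offset><Offset>88</Offset></Offsets>
<CheatEntries>
<CheatEntry><ID>7</ID><Description>"m_position.x"</Description><VariableType>Float</VariableType><Address>+10</Address></CheatEntry>
<CheatEntry><ID>5</ID><Description>"m_transportGUID"</Description><VariableType>8 Bytes</VariableType><Address>+38</Address></CheatEntry>
<CheatEntry><ID>25</ID><Description>"m_walkSpeed"</Description><VariableType>Float</VariableType><Address>+88</Address></CheatEntry>
</CheatEntries></CheatEntry></CheatEntries></CheatTable>"""

# Cheat Engine VariableType -> (C type, size in bytes)
_CTYPES = {"Float": ("float", 4), "Double": ("double", 8),
           "4 Bytes": ("uint32_t", 4), "8 Bytes": ("uint64_t", 8)}


def field_layout(table_xml):
    """'+XX' children of the first top-level entry as (offset, c_type, name, size), sorted."""
    root = ET.fromstring(table_xml.encode("utf-8"))
    parent = root.find("CheatEntries/CheatEntry")
    fields = []
    for entry in parent.findall("CheatEntries/CheatEntry"):
        addr = entry.findtext("Address", "")
        if not addr.startswith("+"):     # absolute address: not a member of this struct
            continue
        name = entry.findtext("Description").strip('"').replace(".", "_")
        ctype, size = _CTYPES[entry.findtext("VariableType")]
        fields.append((int(addr[1:], 16), ctype, name, size))
    return sorted(fields)


def render_struct(fields, name="MovementData"):
    """Emit a C struct; unmapped ranges become explicit padding, overlaps are rejected."""
    lines, cursor, pad_n = [f"struct {name} {{"], 0, 0
    for off, ctype, fname, size in fields:
        if off < cursor:
            raise ValueError(f"{fname} at 0x{off:X} overlaps the previous field")
        if off > cursor:
            lines.append(f"    uint8_t _pad{pad_n}[0x{off - cursor:X}];  // 0x{cursor:02X}")
            pad_n += 1
        lines.append(f"    {ctype} {fname};  // 0x{off:02X}")
        cursor = off + size
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_struct(field_layout(CE_TABLE_XML)))
```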
-
Member
Thanks a lot. I'll post my C++ functions and the structure for the data if anyone wants the easy way
-
Contributor
I hope you are aware that most of this is useless if you're planning on doing speed hacks.
Most servers are capable of detecting changes to these values; nost/elysium scans the offsets directly, kronos doesn't scan them but still detects speed changes server side.
Last edited by danwins; 03-15-2017 at 05:55 PM.
-
Member
Yes, I know. I'm just registering my own script functions for an AddOn I'm writing and I wanted to get the current speed of my character.
-
Member
How can I append something to name plates on the client side? Is there a function to do so, or a structure/offset I can modify?
-
Originally Posted by
hates_sundays
How can I append something to name plates on the client side? Is there a function to do so, or a structure/offset I can modify?
By 'something' I assume you mean some text appended to the end of the unit name? If I were going to do this, I would probably find the call to CGObject_C::GetName() which is made for purposes of the name plates, and replace that call with a call to my function. This function would in turn call CGObject_C::GetName(), and then do whatever post-processing (i.e. appending) is desired.
-
Member
Guys, tell me please, how to check whether the player is in combat? Many thanks in advance!