[WoW] 1.12.1.5875 Info Dump Thread

[namreeb]

Well what you do is hook the function. When click to teleport is enabled you skip calling the original function. So, for example:

Code:

void ClickToMove_Hook(float x, float y, float z)
{
  if (ClickToTeleportEnabled)
    Teleport(x, y, z);
  else
    ClickToMove_Original(x, y, z)
}

[culino2]

Hooking CGWorldFrame::PerformDefaultAction is a good way to realize click2port. Reverse it and you'll know how to grab x/y/z.

0x00481F60

[notsentient]

Here's some offsets/pointers.

I got these by manually cross referencing the old WoWSharp pointers from 1.9 to 1.12 so they may not be all accurate.

Code:

"AutoStoreAllLootItems", 0x4C1FA0
"CGBuffBar__m_buffs", 0xBC6040
"CGBuffBar__m_durations", 0xBC5F68
"CGChat__AddChatMessage", 0x49A870
"CGGameUI__ClearTarget", 0x493910
"CGGameUI__LeftClick", 0x4925D0
"CGGameUI__RightClick", 0x492820
"CGGameUI__m_lockedTarget", 0xB4E2D8
"CGGameUI__m_player", 0xB41E30
"CGGameUI__s_lastErrorString", 0xB4DA40
"CGInputControl__GetActive", 0x5143E0
"CGInputControl__SetControlBit", 0x5EE7F0
"CGLootInfo__LootSlot", 0x4C2790
"CGLootInfo__m_coins", 0xB71BA0
"CGLootInfo__m_loot", 0xB71968
"CGLootInfo__m_object", 0xB71B48
"CGPartyInfo__m_leader", 0xBC75F8
"CGPartyInfo__m_members", 0xBC6F48
"CGSpellBook__m_knownSpells", 0xB700F0
"CGSpellBook__m_petSpells", 0xB6F098
"CGWorldFrame__RenderWorld", 0x482D70
"CGWorldMap__m_currentContinent", 0x84506C
"OsGetAsyncTimeMs", 0x42C010
"Spell_C_CastSpell", 0x6E5AD0
"Spell_C_CastSpellByID", 0x6E5A90
"WOW_LOCALE_CURRENT_LANGUAGE", 0xC0E080
"clientDB", 0xC0D53C
"g_HardwareEvent", 0xCF4DA0
"g_SpellDB", 0xC0D788
"g_SpellDBTotalRows", 0xC0D78C
"g_charClasses", 0xC0DEF4
"g_charClassesCount", 0xC0DEF8
"g_charRaces", 0xC0DEE0
"g_charRacesCount", 0xC0DEE4
"g_factionDB", 0xC0DD50
"g_factionGroupDB", 0xC0DD3C
"g_gameObjectDisplayInfoDB", 0xC0DCE4
"g_itemDBCache", 0xC0E2A0
"g_nameDBCache", 0xC0E228
"g_slotNames", 0xC0DA00
"g_slotNamesCount", 0xC0DA04
"g_spellItemEnchantment", 0xC0D7D0
"luaState", 0xCEEF74
"lua_gettop", 0x6F3070
"lua_tostring", 0x6F3690
"s_containerDescriptors", 0xB431D8
"s_corpseDescriptors", 0xB42B70
"s_corpsePosition", 0xB4E284
"s_curMgr", 0xB41414
"s_currentWorldFrame", 0xAF3220
"s_dynamicObjectDescriptors", 0xB42E80
"s_gameObjectDescriptors", 0xB42FD0
"s_itemDescriptors", 0xB4AE50
"s_objDescriptors", 0xB4B230
"s_playerDescriptors", 0xB43B68
"s_unitDescriptors", 0xB49F90

[abystus]

I've started creation of a bot, and things seem to be going well outside my ability to distinguish between normal mobs, critters, and npcs. I've tried the faction flag along with some others, but have not found a real solution. Right now I am limiting targetted mobs by health, though as you can probably guess it doesn't work flawlessly. Does anyone have an idea on how to distinguish between them (the structure offset to use, or if it is located somewhere else)? This is what I have working so far, though it's still very very early:





Among other things, I'd like to implement some sort of buffing mechanism, along with a way to actually target things (I've tried dll injection, but have only partially succeeded in actually targeting something as the function calls in this client are very limited). The looting action from hijacking click to move (which is the basis of my movement atm) requires a target or else you will just run in circles while trying to loot. Any help is appreciated in getting some of this stuff resolved.

[miceiken]

At least in the later versions of WoW, there is a GetCreatureType function to WoW's Unit class. Wouldn't surprise me if it's was there in vanilla too

[Sacred]

Code:

        private uint CreatureCache
        {
            get { return Memory.Magic.Read<uint>(BaseAddress + 0xB30); }
        }
		
        public Enums.WoWCreatureType CreatureType
        {
            get { return (Enums.WoWCreatureType)Memory.Magic.Read<int>(CreatureCache + 0x18); }
        }

        public Enums.WoWClassification Classification
        {
            get { return (Enums.WoWClassification)Memory.Magic.Read<int>(CreatureCache + 0x20); }
        }

Offsets are correct for 1.12.1.

[abystus]

Thanks for the help on finding creature types. I'd assume that is CreatureCache = ReadInt(ObjectBase +0xB30), then ReadInt(CreatureCache +0x18) and ReadInt(CreatureCache +0x20) respectively correct? Just saw "BaseAddress" so figured I would ask (would have to be ObjectBase to display per object returned).

I appreciate the help both of you provided, and threw a little rep for your time. By the way, is there any easy way to target mobs/npcs in this client? I tried to use TargetUnit along with dll injection, and modified the entry to where I could pass it GUID, but it seems that it is not designed to be force fed a GUID, and eventually will crash the client (though it works until that point). I have resorted to tab targeting until the GUID of my target matches the next target on my bot, and well while that works there has to be a better method. Thanks again!

[Sacred]

Thanks for the help on finding creature types. I'd assume that is CreatureCache = ReadInt(ObjectBase +0xB30), then ReadInt(CreatureCache +0x1 and ReadInt(CreatureCache +0x20) respectively correct?

Yes, it's correct.

Code:

        public static void TargetUnit(ulong guid)
        {
            uint num = Memory.Magic.AllocateMemory(8);
            Memory.Magic.Write<ulong>(num, guid);
            string[] asm =
                {
                    "mov ecx, " + num,
                    "call " + 0x489A40,
                    "retn"
                };
            Memory.Magic.Executor.Execute(asm);
            Memory.Magic.FreeMemory(num);
        }

[abystus]

Yes, it's correct.

Code:

        public static void TargetUnit(ulong guid)
        {
            uint num = Memory.Magic.AllocateMemory(8);
            Memory.Magic.Write<ulong>(num, guid);
            string[] asm =
                {
                    "mov ecx, " + num,
                    "call " + 0x489A40,
                    "retn"
                };
            Memory.Magic.Executor.Execute(asm);
            Memory.Magic.FreeMemory(num);
        }

Thank you for the quick response.

Looks like:

Code:

    public enum CreatureType
    {
        Unknown = 0,
        Beast,
        Dragon,
        Demon,
        Elemental,
        Giant,
        Undead,
        Humanoid,
        Critter,
        Mechanical,
        NotSpecified,
        Totem,
        NonCombatPet,
        GasCloud
    }

Though it appears that WowClaffication is always returning 0. Not exactly sure why. What exactly does the classification tell me?

I'll get to working testing some of this stuff out, and see how it goes tomorrow evening. I think you are temping me to use that magic library after all since it appears to be an all in one type thing (did not know it could allocate memory and execute asm). BTW, which library are you using (White, Black, Grey, etc...) in your example? Again, thanks for all the helpful examples, and the use of your time.

[abystus]

A port of RivaLfr's example ([Sample Code] EndScene Hook with ASM and blackmagic) to MemorySharp syntax. The address and asm have been updated for version 1.12.1.

Example Calls:

Code:

LuaDoString("CastSpellByName(\"Stealth\")");
LuaDoString("DoEmote(\"cry\")");

FastCall LuaDoString (Using MemorySharp):

Code:

public static byte[] LuaDoString(string Command)
{
	// Return Value
	byte[] tempBytes = new byte[0];

	try
	{
		//Allocate Memory For Command
		var DoStringArg_Codecave = Memory.Memory.Allocate(Encoding.UTF8.GetBytes(Command).Length + 1);

		//Execute Address
		IntPtr FrameScript_Execute = new IntPtr(0x00704CD0);

		//Write Command In Allocated Memory
		Memory.WriteString(DoStringArg_Codecave.BaseAddress, Command, false);

		var asm = new[] 
		{
			"mov ecx, " + DoStringArg_Codecave.BaseAddress,
			"mov edx, " + DoStringArg_Codecave.BaseAddress,
			"call " + FrameScript_Execute,
			"retn",    
		};

		//Inject and Execute
		tempBytes = Executor.Execute(asm);

		//Free Memory Allocated For Command
		Memory.Memory.Deallocate(DoStringArg_Codecave);
	}
	catch { }

	return tempBytes;
}

[Corthezz]

FrameScript_Execute is fastcall.
Does anyone got the function SetFacing?

[abystus]

FrameScript_Execute is fastcall.
Does anyone got the function SetFacing?

Appreciate the response. Looks like SetFacing = 0x76DCE0. Hope that helps.

[Achilees]

Have been looking for SpellBook and related offsets, with no luck, offset or any pointer is much appreciated.

[namreeb]

In general, a good way to find things is to look for the handlers for the lua functions which access the data you're interested in. In this case, there are quite a few spell book related lua functions that you could look at (if memory serves).

[namreeb]

Someone asked me in a private message for the location of FrameScript::GetLocalizedText. I am responding here so that more than one person may benefit from the answer.

To my knowledge, FrameScript::GetLocalizedText did not exist in the 1.12.1 binary. Instead, there is merely FrameScript::GetText, which I believe is located at 0x703BF0.

If you compare CGGameUI:isplayError in a recent version of the game to the 1.12.1 version, you will see the lack of FrameScript::GetLocalizedText in 1.12.1. For example...

This is from 4.3.3.15354 (and TOM_RUS's IDB published here ([WoW][4.3.3.15354] Info Dump Thread):

Code:

void CGGameUI::DisplayError(UIErrors errorCode, ...)
{
  char v1; // si@0
  UIErrors v2; // eax@1
  int v3; // eax@4
  int v4; // ecx@4
  int v5; // eax@4
  char *v6; // esi@8
  __int64 v7; // qax@10
  int v8; // eax@11
  int v9; // eax@13
  signed int v10; // esi@13
  char v11; // cl@14
  char v12; // [sp-4h] [bp-C98h]@8
  char Str; // [sp+0h] [bp-C94h]@13
  int v14; // [sp+BB8h] [bp-DCh]@7
  int v15; // [sp+BC4h] [bp-D0h]@7
  int v16; // [sp+C7Ch] [bp-18h]@7
  int v17; // [sp+C80h] [bp-14h]@7
  int v18; // [sp+C84h] [bp-10h]@7
  va_list va; // [sp+CA0h] [bp+Ch]@1

  va_start(va, errorCode);
  v2 = errorCode;
  if ( errorCode < ERR_COUNT )
  {
    if ( errorCode == ERR_BAG_FULL )
    {
      CGTutorial::TriggerTutorial(57);
      v2 = ERR_BAG_FULL;
    }
    v3 = 10 * v2;
    v4 = dword_D0A43C[2 * v3 / 4u];
    v5 = 2 * v3;
    if ( v4 == 0x44 )
    {
      if ( strcasecmp((&off_D0A438)[v5], "NONE") )
      {
        v16 = 0;
        v17 = 0;
        v18 = 0;
        v15 = -1;
        SE3SoundKitProperties::ResetToDefaults(&v14);
        SE3::PlaySoundKit2(
          (&off_D0A438)[20 * errorCode],
          0,
          (int)&v14,
          0,
          (int)".\\GameUI.cpp",
          15559,
          (int)"CGGameUI::DisplayError");
      }
    }
    else
    {
      sub_B33950(v4);
    }
    v12 = v1;
    v6 = (&off_D0A430)[20 * errorCode];
    if ( v6 )
    {
      if ( *v6 )
      {
        v7 = ClntObjMgrGetActivePlayer();
        if ( ClntObjMgrObjectPtr(v7, TYPEMASK_PLAYER) )
          v8 = FrameScript::GetLocalizedText(v6, -1);
        else
          v8 = FrameScript_GetText(v6, -1, 0);
        SStrVPrintf(&Str, 3000, v8, va);
        v9 = (int)byte_ED4A38;
        v10 = 2999;
        while ( 1 )
        {
          v11 = *(_BYTE *)(&Str - byte_ED4A38 + v9);
          *(_BYTE *)v9++ = v11;
          if ( !v11 )
            break;
          --v10;
          if ( !v10 )
            goto LABEL_18;
        }
        if ( v10 )
          goto LABEL_19;
LABEL_18:
        *(_BYTE *)v9 = 0;
LABEL_19:
        switch ( dword_D0A434[5 * errorCode] )
        {
          case 0:
            ChatFrame::AddMessage(&Str, dword_D0A440[5 * errorCode], 0);
            break;
          case 1:
            if ( Str )
              FrameScript_SignalEvent(EVENT_UI_INFO_MESSAGE, "%s", &Str);
            break;
          case 2:
            if ( Str )
              FrameScript_SignalEvent(EVENT_UI_ERROR_MESSAGE, "%s", &Str);
            break;
          case 3:
            ConsoleWriteA(&Str, 3, v12);
            break;
          default:
            return;
        }
      }
    }
  }
}

And now the same function in its 1.12.1 version:

Code:

void CGGameUI::DisplayError(int arg0, ...)
{
  int v1; // esi@0
  __int64 v2; // qax@3
  int v3; // eax@3
  int v4; // eax@4
  char *v5; // ecx@7
  int v6; // eax@9
  int Format; // [sp+0h] [bp-800h]@9
  va_list va; // [sp+80Ch] [bp+Ch]@1

  va_start(va, arg0);
  if ( arg0 < 465 )
  {
    if ( g_errorMessages[arg0].Unknown2 == 68 )
    {
      if ( SStrCmpI(g_errorMessages[arg0].Extra, "NONE", 0x7FFFFFFFu) )
        SndInterfacePlayInterfaceSound(g_errorMessages[arg0].Extra);
    }
    else
    {
      v2 = ClntObjMgrGetActivePlayer();
      v3 = ClntObjMgrObjectPtr(0x10u, "..\\Object/ObjectClient/Player_C.h", v2);
      if ( v3 )
      {
        v4 = sub_5ED5B0(v3, arg0);
        SndInterfacePlayVocalUISound(v4, g_errorMessages[arg0].Unknown2);
      }
    }
    v5 = g_errorMessages[arg0].Message;
    if ( v5 && *v5 )
    {
      v6 = FrameScript::GetText(-1, v5, v1, 0);
      SStrVPrintf((int)&Format, 2048, (char *)v6, va);
      SStrCopy(&unk_B4DA40, &Format, 2048);
      switch ( g_errorMessages[arg0].Unknown1 )
      {
        case 0:
          CGChat::AddChatMessage((int)&Format, g_errorMessages[arg0].Unknown3, 0, 0, 0, 0, 0, 0i64, 0, 0i64);
          break;
        case 1:
          CGGameUI::AddErrorMessage(&Format, 0);
          break;
        case 2:
          CGGameUI::AddErrorMessage(&Format, 1);
          break;
        case 3:
          ConsoleWriteA((char *)&Format, 3, Format);
          break;
        default:
          return;
      }
    }
  }
}