  #1 namreeb

    [WoW] 1.12.1.5875 Info Dump Thread

    Just curious if anyone is still actively working on reversing the 1.12.1 client? I've been tinkering with it a bit when I found a large but vulnerable private server which runs it.

    Edit: Adding some useful stuff.

    Code:
            public static readonly IntPtr CGGameUI__EnterWorld = new IntPtr(0x4908C0);
            public static readonly IntPtr CGLootInfo__HasLoot = new IntPtr(0x4C2A70);
            public static readonly IntPtr CGPlayer_C__CanTrackObject = new IntPtr(0x5ED2B0);
            public static readonly IntPtr CGPlayer_C__CanTrackUnit = new IntPtr(0x5ED210);
            public static readonly IntPtr CGPlayer_C__ClickToMove = new IntPtr(0x00611130);
            public static readonly IntPtr ClientConnection__SendPacket = new IntPtr(0x005379A0);
            public static readonly IntPtr ClientServices__SetMessageHandler = new IntPtr(0x005AB650);
            public static readonly IntPtr ClntObjMgrEnumVisibleObjects = new IntPtr(0x00468380);
            public static readonly IntPtr ClntObjMgrGetActivePlayer = new IntPtr(0x00468550);
            public static readonly IntPtr ClntObjMgrGetMapId = new IntPtr(0x00468580);
            public static readonly IntPtr ClntObjMgrObjectPtr = new IntPtr(0x00468460);
            public static readonly IntPtr ClntObjMgrSetMapId = new IntPtr(0x004685A0);
            public static readonly IntPtr CMovement__MoveUnit = new IntPtr(0x00616620);
            public static readonly IntPtr FrameScript__Execute = new IntPtr(0x00704CD0);
            public static readonly IntPtr FrameScript__Register = new IntPtr(0x00704120);
            public static readonly IntPtr FixSwimming = new IntPtr(0x007C6E88);
            public static readonly IntPtr GetContainerGuid = new IntPtr(0x4F93E0);
            public static readonly IntPtr NetClient__ProcessMessage = new IntPtr(0x537AA0);
    Last edited by namreeb; 08-10-2011 at 04:44 PM.

  #2 Robske
    Some of my friends tried out a private server a while back, I joined in to see how the client worked back then. The actual playing experience was so horrible compared to live that I just lost interest. I only got the basics (object iteration, some framescript) and a (heartbeat-based) packet teleporter working.


    ClientConnection__SendPacket 0x005379A0
    Framescript__Execute 0x00704CD0
    PerformanceCounter 0x42C010

    GetPosition 5
    GetFacing 6
    GetName 28

    ObjectManager 0x00B41414
    FirstObject 0xAC
    NextObject 0x3C
    ActivePlayerGuid 0xC0

    I wasn't able to correctly invoke EnumVisibleObjects from C#, hence the 'manual' iteration of the linked list.

  #3 sitnspinlock
    If you are interested, I wrote my own crappy sandbox server for 1.12.1 that I still use with some of my friends once in a while. By crappy I mean it tends to shit bricks with more than 10 clients, and uses a text based database :P

  #4 namreeb
    That's interesting, Robske. I suppose it depends when you start playing the game and what you're used to. I basically stopped playing retail when TBC came out and haven't looked back much since. If they gave a paid option for vanilla, I would definitely go with that over a private server. As for the R/E stuff, we're at about the same place. Got fly hack working last night. Looking for lua_register presently to hook into the client a bit better.

    Thank you, everdox, but I'm already on vanillagaming.org's server.

    Edit:

    FrameScript::Register: 0x704120
    FrameScript::GetContext: 0x7040D0

    Woot!

    Edit 2: Scratch that. In 1.12.1 these functions are __fastcall and I'm not starting over in C++. **** it!
    Last edited by namreeb; 06-27-2011 at 08:52 PM.

  #5 sitnspinlock
    Being on an emulator you could probably call OnSwimStart() and start swimming anywhere, considering most emulators don't properly handle the packet checksums. I know at least mangos never handled this properly.

  #6 TOM_RUS
    Quote Originally Posted by everdox:
        Being on an emulator you could probably call OnSwimStart() and start swimming anywhere, considering most emulators don't properly handle the packet checksums. I know at least mangos never handled this properly.
    FYI: there's no packet checksums (except for warden packets).

  #7 sitnspinlock
    I guess what I meant to say was checking the movement type, if you sent something like swim forward on live you would get booted. Most emulators (like mine) don't handle this properly and just allow anything, no matter your coordinates.

    Edit: actually I think groups like mangos added a 'vmaps' system, but I don't know if it's used entirely for that, because it would of course have many uses.
    Last edited by sitnspinlock; 06-27-2011 at 09:30 PM.

  #8 namreeb
    I already have the fly hack working. Hooking my travelling salesman code up to wowhead atm, then finding noclip, then win.

  #9 namreeb
    Robske,

    I don't know what your problem iterating was, but I had one of my own which I just solved. For some reason, in this version of the binary, they take the filter parameter to ClntObjMgrObjectPtr via the ecx register. So you have to prototype as follows:

    Code:
            using System;
            using System.Runtime.InteropServices;

            // In this build the filter argument travels in ecx, so the delegate is
            // declared ThisCall: first argument in ecx, the remaining ones on the stack.
            [UnmanagedFunctionPointer(CallingConvention.ThisCall)]
            private delegate IntPtr ClntObjMgrGetObjectPtrDelegate(uint filter, ulong guid);
    
            public static Object GetObjectByGuid(ulong guid)
            {
                var func =
                    (ClntObjMgrGetObjectPtrDelegate)
                    Marshal.GetDelegateForFunctionPointer(Locator.ClntObjMgrObjectPtr,
                                                          typeof(ClntObjMgrGetObjectPtrDelegate));
                // 0xFFFFFFFF = no type filter: match any object with this GUID
                var loc = func(0xFFFFFFFF, guid);
    
                if (loc == IntPtr.Zero)
                    throw new NullReferenceException("Cannot find object with GUID: 0x" + guid.ToString("X16"));
    
                return new Object(loc);
            }

  #10 Robske
    Correct,

    .text:0048991E push edx
    .text:0048991F push eax
    .text:00489920 mov edx, offset a__ObjectObject ; "..\\Object/ObjectClient/Player_C.h"
    .text:00489925 mov ecx, 10h
    .text:0048992A call sub_468460

    This wasn't my problem (yet?) though. If I remember correctly, EnumVisibleObjects was fastcall, which would've been tricky to invoke from C#.

  #11 namreeb
    Well when I saw that I thought they were using __fastcall to track the code and line number or something.

  #12 namreeb
    Ahh, damn. EnumVisibleObjects is indeed __fastcall. Alternatively I suppose one could write a small wrapper function to set the registers appropriately and just inject the machine code.

  #13 mute
    Here are some offsets for teleport/speedhack

    Player_Base +
    Player_Y 09B8
    Player_X 09BC
    Player_Z 09C0
    Player_Facing 09C4
    Player_Speed 0A2C
    Player_SpeedModifierRun 0A34

    @namreeb
    How did you get your flyhack to work? Any hints?

  #14 lanman92
    Hook SendMovementPacket so that it never sends a swimming flag. Simple as that. You can then write to your movement state so that you can swim client side, and appear to be walking up through the air to everyone else.

  #15 namreeb
    All I had to do to avoid detection on the realm I am playing on was to enable swimming locally. This by implication forces the client to build corresponding movement packets. Note that in addition to updating the movement flag there is a NOP to be written in a function which resets the flag. Just put a BP on write in Olly and you'll find it. If you can't, let me know.
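    The gap sitnspinlock describes in #7 (emulators accepting any movement type regardless of where the player is) and the swim-flag and walk-up-through-the-air behaviour in #14 and #15 are exactly what a server-side movement sanity check exists to catch. The block below is an added example, not code from the thread or from any emulator; its movement records, water table, flag names and speed cap are all constructed for illustration.

```python
# Added example (not from the thread or any emulator): a server-side movement
# sanity check of the kind the posts say most 1.12.1 emulators lacked.
# Records, water levels, flag names and the speed cap are constructed here.
import math

WATER_LEVEL = {"lake": 42.0}   # constructed: water surface z per area
MAX_RUN_SPEED = 7.0            # constructed: allowed run speed, units/second
AIR_MOVE_FLAGS = {"SWIMMING", "FALLING", "FLYING"}  # flags that permit a z change

def in_water(area, z):
    """True when z is at or below the surface of the named water area."""
    level = WATER_LEVEL.get(area)
    return level is not None and z <= level

def check_move(prev, cur):
    """Return a list of anomaly labels for the transition prev -> cur."""
    issues = []
    dt = (cur["t"] - prev["t"]) / 1000.0          # timestamps in ms
    if dt <= 0:
        return ["non-monotonic timestamp"]
    dx, dy, dz = (cur[k] - prev[k] for k in ("x", "y", "z"))
    speed = math.hypot(dx, dy) / dt
    if speed > MAX_RUN_SPEED * 1.1:                # 10% slack for latency jitter
        issues.append("speed %.1f exceeds cap" % speed)
    if "SWIMMING" in cur["flags"] and not in_water(cur["area"], cur["z"]):
        issues.append("swimming flag outside water")
    if dz > 0.5 and not (cur["flags"] & AIR_MOVE_FLAGS):
        issues.append("vertical movement without swim/fall/fly flag")
    return issues

def scan(moves):
    """Run check_move over consecutive records; return (index, issues) pairs."""
    return [(i, r) for i in range(1, len(moves))
            if (r := check_move(moves[i - 1], moves[i]))]

# Constructed sample stream: a normal step, a 'swimming' step well above the
# water surface, a speed burst, then a climb with no flag that allows it.
SAMPLE = [
    {"t": 1000, "x": 0.0,  "y": 0.0, "z": 50.0, "area": "lake", "flags": {"FORWARD"}},
    {"t": 1500, "x": 3.0,  "y": 0.0, "z": 50.0, "area": "lake", "flags": {"FORWARD"}},
    {"t": 2000, "x": 3.0,  "y": 0.0, "z": 58.0, "area": "lake", "flags": {"FORWARD", "SWIMMING"}},
    {"t": 2500, "x": 40.0, "y": 0.0, "z": 58.0, "area": "lake", "flags": {"FORWARD"}},
    {"t": 3000, "x": 40.0, "y": 0.0, "z": 70.0, "area": "lake", "flags": {"FORWARD"}},
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE):
        print(idx, found)
```

    A real server would take the water level from its terrain data (the 'vmaps' system mentioned in #7) rather than a table, and would rate-limit rather than kick on a single anomaly, since latency spikes produce occasional false positives.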

 

 