[WoW] [7.3.0.24920] menu

  1. #1
    air999's Avatar Contributor

    [WoW] [7.3.0.24920]

    WoW [Release x86] [Build 24920 (7.3.0) (Aug 28 2017 11:07:03)

    Code:
                ["GameWorld"] = new OffsetCollection(new List<IOffset>()
                {
                    new Offset("InWorld",               (IntPtr)0x0119274C),
                    new Offset("ReloadingUI",           (IntPtr)0x0119274D),
                    new Offset("AuroraState",           (IntPtr)0x00FE6884),
                    new Offset("HasRealmList",          (IntPtr)0x01216D04),
                    new Offset("ConnectedToWoW",        (IntPtr)0x00FE6871),
                    new Offset("WaitingForRealmList",   (IntPtr)0x00FE688C),
                    new Offset("CurrentConnection",     (IntPtr)0x01216D58),
                    new Offset("CharacterName",         (IntPtr)0x01217978),
                    new Offset("LatencyTime1",          (IntPtr)0x00000108),
                    new Offset("LatencyTime2",          (IntPtr)0x0000010C),
                }),
    
                ["ObjectManager"] = new OffsetCollection(new List<IOffset>()
                {
                    new Offset("CurMgr",                (IntPtr)0x00FFF244),
                    new Offset("CurMgrFirst",           (IntPtr)0x0000000C),
                    new Offset("CurMgrNext",            (IntPtr)0x00000044),
                    new Offset("NameDBCache",           (IntPtr)0x00FC8268),
                    new Offset("NameDBCacheFirst",      (IntPtr)0x0000000C),
                    new Offset("NameDBCacheGUID",       (IntPtr)0x00000010),
                    new Offset("NameDBCacheString",     (IntPtr)0x00000021),
                }),
    
                ["EventManager"] = new OffsetCollection(new List<IOffset>()
                {
                    new Offset("SignalEvent",           (IntPtr)0x0019EDE4),
                    new Offset("NetClientHandleData",   (IntPtr)0x0041B9B3),
                    new Offset("NetClientSend",         (IntPtr)0x0041C12E),
                }),
    
                ["BindingManager"] = new OffsetCollection(new List<IOffset>()
                {
                    new Offset("Bindings",              (IntPtr)0x011DB4DC),
                    new Offset("BindingsFirst",         (IntPtr)0x00000018),
                    new Offset("BindingsCommand",       (IntPtr)0x00000018),
                    new Offset("BindingsIndex",         (IntPtr)0x0000001C),
                    new Offset("BindingsKeyType",       (IntPtr)0x00000024),
                    new Offset("BindingsSize",          (IntPtr)0x00000010),
                    new Offset("BindingsCommandOffset", (IntPtr)0x000000C8),
                    new Offset("BindingsCommandNext",   (IntPtr)0x000000C0),
                    new Offset("BindingsCommandAdd",    (IntPtr)0x0000002C),
                    new Offset("BindingsCommandKey",    (IntPtr)0x00000018),
                    new Offset("BindingsCommandSize",   (IntPtr)0x00000018),
                }),
    
                ["ActionBarManager"] = new OffsetCollection(new List<IOffset>()
                {
                    new Offset("SlotActions",           (IntPtr)0x011A68F8),
                }),
    
                ["SpellbookManager"] = new OffsetCollection(new List<IOffset>()
                {
                    new Offset("Spells",                (IntPtr)0x0119374C),
                }),
    
                ["SpellManager"] = new OffsetCollection(new List<IOffset>()
                {
                    new Offset("SpellHistory",          (IntPtr)0x00FEBF28),
                    new Offset("SpellHistoryCharges",   (IntPtr)0x00000020),
                    new Offset("KnownSpellBits",        (IntPtr)0x0119373C),
                    new Offset("KnownSpellArray",       (IntPtr)0x01193744),
                    new Offset("SpellListPtr",          (IntPtr)0x01193834),
                    new Offset("SpellListCount",        (IntPtr)0x00000024),
                    new Offset("SpellListHash",         (IntPtr)0x00000014),
                    new Offset("SpellListNext",         (IntPtr)0x00000018),
                    new Offset("SpellListOriginal",     (IntPtr)0x00000028),
                    new Offset("SpellListId",           (IntPtr)0x00000030),
                }),
    
                ["WoWObject"] = new OffsetCollection(new List<IOffset>()
                {
                    new Offset("Guid",                  (IntPtr)0x00000000, true),
                    new Offset("GlobalId",              (IntPtr)0x00000000, true),
                    new Offset("Descriptors",           (IntPtr)0x00000008, true),
                    new Offset("Type",                  (IntPtr)0x00000010, true),
                    new Offset("Entry",                 (IntPtr)0x00000024, true),
                    new Offset("DynFlags",              (IntPtr)0x00000028, true),
                    new Offset("CreatureInfoEntry",     (IntPtr)0x00000C78, true),
                    new Offset("CreatureName",          (IntPtr)0x00000080, true),
                    new Offset("UnitLocation",          (IntPtr)0x00000AE8, true),
                    new Offset("UnitRotation",          (IntPtr)0x00000AF8, true),
                    new Offset("GameObjectLocation",    (IntPtr)0x00000138, true),
                    new Offset("GameObjectRotation",    (IntPtr)0x00000148, true),
                    new Offset("FactionInfo",           (IntPtr)0x0000011C, true),
                    new Offset("FactionId",             (IntPtr)0x000000A4, true),
                }),
    
                ["WoWGameObject"] = new OffsetCollection(new List<IOffset>()
                {
                    new Offset("Location",              (IntPtr)0x00000138, true),
                    new Offset("Rotation",              (IntPtr)0x00000148, true),
                }),
    
                ["WoWUnit"] = new OffsetCollection(new List<IOffset>()
                {
                    new Offset("MouseoverGuid",         (IntPtr)0x01192750),
                    new Offset("CastingSpellId",        (IntPtr)0x0000104C, true),
                    new Offset("ChannelingSpellId",     (IntPtr)0x00001088, true),
                    new Offset("ChannelingSpellEndTime",(IntPtr)0x0000108C, true),
                    new Offset("Location",              (IntPtr)0x00000AE8, true),
                    new Offset("Rotation",              (IntPtr)0x00000AF8, true),
                    new Offset("Info",                  (IntPtr)0x0000011C, true),
                    new Offset("InfoClass",             (IntPtr)0x000000A5, true),
                    new Offset("InfoRace",              (IntPtr)0x000000A4, true),
                    new Offset("InfoInCombat",          (IntPtr)0x000000A4, true),
                    new Offset("SkinInfo",              (IntPtr)0x00000C78, true),
                    new Offset("SkinFlags",             (IntPtr)0x00000060, true),
                    new Offset("AuraCount",             (IntPtr)0x00001B28, true),
                    new Offset("AuraTable",             (IntPtr)0x000011A8, true),
                    new Offset("CreatureCacheEntry",    (IntPtr)0x00000C78, true),
                    new Offset("PowerMultiplicator",    (IntPtr)0x00000012, true),
                    new Offset("PowerIndexArray",       (IntPtr)0x010BB874),
                }),
    
    
                ["LocalPlayer"] = new OffsetCollection(new List<IOffset>()
                {
                    new Offset("Name",                  (IntPtr)0x01217978),
                    new Offset("InputControl",          (IntPtr)0x010EE934),
                    new Offset("SimpleMapId",           (IntPtr)0x00E5B1B8),
                    new Offset("Groups",                (IntPtr)0x01195F50),
                })

    [WoW] [7.3.0.24920]
  3. #2
    evil2's Avatar Active Member
    not fully tested x86

    changed aura struct: size 0x98, spellid at 0x68
    changed spellcast struct: target at 0x18
    spellcd ptr 0xFEBF28 + 0x8
    spellcharge ptr 0xFEBF28 + 0x20
    spellbook ptr 0x1193750
    runes ptr 0x11A8568
    Last edited by evil2; 08-30-2017 at 09:08 AM.

  4. #3
    noctural's Avatar Active Member Captain Copypasta CoreCoins Purchaser Authenticator enabled
    Has anyone been able to unpack the x86 binary and rebuild the IAT successfully? If so, can you post the unpacked exe?

  5. #4
    DarkLinux's Avatar Former Staff
    Originally Posted by noctural View Post
    Has anyone been able to unpack the x86 binary and rebuild the IAT successfully? If so, can you post the unpacked exe?
    Just dump it from memory, you will find everything you need.

  6. #5
    St1me's Avatar Member
    Has anyone managed to get Local Player pointer offset? (was looking for x64)

  7. #6
    aeo's Avatar Contributor
    Originally Posted by St1me View Post
    Has anyone managed to get Local Player pointer offset? (was looking for x64)

    It's easier to use another function or way of getting it now. You can use getunitfromname and pass "player". There is also a call inside getobjectbyguid you can use to get it from guid. If you use the original getobjectbyguid it will crash as obfuscated functions will throw exceptions

  8. #7
    CatsNimo's Avatar Active Member
    Edit: Nevermind.
    Last edited by CatsNimo; 08-31-2017 at 04:33 AM. Reason: I was wrong.

  9. #8
    itemm's Avatar Member
    Help CTMx,y,z guid? x86

  10. #9
    DarkLinux's Avatar Former Staff
    Happy fun time function call

    x64
    Code:
    E8 ? ? ? ? 48 85 C0 0F 84 ? ? ? ? 48 8B 10 48 8B C8 FF 92 ? ? ? ? 84 C0 0F 85 ? ? ? ? 48 8D 0D ? ? ? ?
    Full of junk code and disassembler fuck up code. Should be fun

    Paste2.org - Viewing Paste BAICtp96
    Last edited by DarkLinux; 08-31-2017 at 03:37 AM.

  11. #10
    WiNiFiX's Avatar Banned
    Originally Posted by itemm View Post
    Help CTMx,y,z guid? x86
    Location was posted by air999, and if you can't find the offsets yourself I highly recommend you don't try to use any memory writing like CTM with the 7.3 protections and obfuscations.
    I myself gave up on memory reading / writing bots as of 7.3 for good, until some kind soul tells us how to "safely" bypass the protections.

  12. #11
    Light-Boost's Avatar Member CoreCoins Purchaser
    Position is encrypted, the following function decrypts it (x86)
    Code:
    55 8B EC 56 8B 75 08 51 F3 0F 10 06 F3 0F 59 05 ?? ?? ?? ?? F3 0F

  13. #12
    danwins's Avatar Contributor
    Originally Posted by WiNiFiX View Post
    Location was posted by air999, and if you can't find the offsets yourself I highly recommend you don't try to use any memory writing like CTM with the 7.3 protections and obfuscations.
    I myself gave up on memory reading / writing bots as of 7.3 for good, until some kind soul tells us how to "safely" bypass the protections.
    I don't think the issue is writing to the CTM struct so much as finding where to write; I had a quick look earlier and it looks like s_trackingTarget and s_trackingPos aren't even inside the struct anymore, while the other fields seem to still be untouched (s_trackingType/s_trackingFlags etc.)

    confirmed(rebased):
    Code:
    7D5FC4  s_trackingFlags
    10D0824  s_trackingType
    unconfirmed(rebased):
    Code:
    10D07A8  s_trackingTarget
    It looks like the s_trackingTarget and s_trackingPos values might be XORed or something:

    taken from(rebased):
    Code:
    472168  CGUnit_C::HandleTracking
    before(old patch):
    Code:
    .text:0072127E 68 F0 5F 2E 01                          push    offset s_trackingPos
    .text:00721283 8D 45 94                                lea     eax, [ebp+var_6C]
    .text:00721286 50                                      push    eax
    .text:00721287 8D 8B C0 0A 00 00                       lea     ecx, [ebx+0AC0h]
    .text:0072128D E8 02 E0 FC FF                          call    CPassenger__GetPosition
    after(image base at 0xB10000):
    Code:
    pd_rec0:00F823AD A1 E1 EB A7 01                          mov     eax, ds:dword_1A7EBE1
    pd_rec0:00F823B2 8D 8B D0 0A 00 00                       lea     ecx, [ebx+0AD0h]
    pd_rec0:00F823B8 35 FB 48 38 5D                          xor     eax, 5D3848FBh
    pd_rec0:00F823BD 33 05 BC 07 BE 01                       xor     eax, ds:dword_1BE07BC
    pd_rec0:00F823C3 89 45 B4                                mov     [ebp-4Ch], eax
    pd_rec0:00F823C6 A1 69 EA A7 01                          mov     eax, ds:dword_1A7EA69
    pd_rec0:00F823CB 35 E4 72 83 61                          xor     eax, 618372E4h
    pd_rec0:00F823D0 33 05 C0 07 BE 01                       xor     eax, ds:dword_1BE07C0
    pd_rec0:00F823D6 89 45 B8                                mov     [ebp-48h], eax
    pd_rec0:00F823D9 8D 45 B0                                lea     eax, [ebp-50h]
    pd_rec0:00F823DC 50                                      push    eax
    pd_rec0:00F823DD 8D 85 64 FF FF FF                       lea     eax, [ebp-9Ch]
    pd_rec0:00F823E3 50                                      push    eax
    pd_rec0:00F823E4 E8 F3 DC FB FF                          call    CPassenger__GetPosition
    I'm not sure whether these XOR values are static or generated at run-time. I'll look into it more tomorrow.

    Edit: I should mention that the offsets in this post were for build 24931.
    Last edited by danwins; 08-31-2017 at 05:26 AM.

  14. #13
    danwins's Avatar Contributor
    Originally Posted by Light-Boost View Post
    Position is encrypted, the following function decrypts it (x86)
    Code:
    55 8B EC 56 8B 75 08 51 F3 0F 10 06 F3 0F 59 05 ?? ?? ?? ?? F3 0F
    I'm not sure what you are implying, but this function existed in old builds as well:

    old(24461)
    Code:
    .text:00458048                         sub_458048      proc near               ; CODE XREF: sub_44FC9D+DEp
    .text:00458048                                                                 ; Script_ClosestUnitPosition_0+8Bp ...
    .text:00458048
    .text:00458048                         var_8           = dword ptr -8
    .text:00458048                         arg_0           = dword ptr  8
    .text:00458048
    .text:00458048 55                                      push    ebp
    .text:00458049 8B EC                                   mov     ebp, esp
    .text:0045804B 56                                      push    esi
    .text:0045804C 8B 75 08                                mov     esi, [ebp+arg_0]
    .text:0045804F 51                                      push    ecx
    .text:00458050 F3 0F 10 06                             movss   xmm0, dword ptr [esi]
    .text:00458054 F3 0F 59 05 9C BB E8 00                 mulss   xmm0, ds:dword_E8BB9C
    .text:0045805C F3 0F 11 04 24                          movss   [esp+8+var_8], xmm0
    .text:00458061 E8 5B 5D 0C 00                          call    sub_51DDC1
    .text:00458066 66 0F 6E C0                             movd    xmm0, eax
    .text:0045806A 0F 5B C0                                cvtdq2ps xmm0, xmm0
    .text:0045806D F3 0F 59 05 04 41 E8 00                 mulss   xmm0, ds:dword_E84104
    .text:00458075 F3 0F 11 06                             movss   dword ptr [esi], xmm0
    .text:00458079 F3 0F 10 46 04                          movss   xmm0, dword ptr [esi+4]
    .text:0045807E F3 0F 59 05 9C BB E8 00                 mulss   xmm0, ds:dword_E8BB9C
    .text:00458086 F3 0F 11 04 24                          movss   [esp+8+var_8], xmm0
    .text:0045808B E8 31 5D 0C 00                          call    sub_51DDC1
    .text:00458090 83 66 08 00                             and     dword ptr [esi+8], 0
    .text:00458094 59                                      pop     ecx
    .text:00458095 66 0F 6E C0                             movd    xmm0, eax
    .text:00458099 0F 5B C0                                cvtdq2ps xmm0, xmm0
    .text:0045809C F3 0F 59 05 04 41 E8 00                 mulss   xmm0, ds:dword_E84104
    .text:004580A4 F3 0F 11 46 04                          movss   dword ptr [esi+4], xmm0
    .text:004580A9 5E                                      pop     esi
    .text:004580AA 5D                                      pop     ebp
    .text:004580AB C3                                      retn
    .text:004580AB                         sub_458048      endp
    current:
    Code:
    pd_rec0:011508B3                         sub_11508B3     proc near               ; CODE XREF: pd_rec0:010D8F38p
    pd_rec0:011508B3                                                                 ; pd_rec0:010D90FFp ...
    pd_rec0:011508B3
    pd_rec0:011508B3                         var_8           = dword ptr -8
    pd_rec0:011508B3                         arg_0           = dword ptr  8
    pd_rec0:011508B3
    pd_rec0:011508B3 55                                      push    ebp
    pd_rec0:011508B4 8B EC                                   mov     ebp, esp
    pd_rec0:011508B6 56                                      push    esi
    pd_rec0:011508B7 8B 75 08                                mov     esi, [ebp+arg_0]
    pd_rec0:011508BA 51                                      push    ecx
    pd_rec0:011508BB F3 0F 10 06                             movss   xmm0, dword ptr [esi]
    pd_rec0:011508BF F3 0F 59 05 8C 2D 77 01                 mulss   xmm0, dword_1772D8C
    pd_rec0:011508C7 F3 0F 11 04 24                          movss   [esp+8+var_8], xmm0
    pd_rec0:011508CC E8 7B C8 BC FF                          call    sub_D1D14C
    pd_rec0:011508D1 66 0F 6E C0                             movd    xmm0, eax
    pd_rec0:011508D5 0F 5B C0                                cvtdq2ps xmm0, xmm0
    pd_rec0:011508D8 F3 0F 59 05 84 B8 76 01                 mulss   xmm0, dword_176B884
    pd_rec0:011508E0 F3 0F 11 06                             movss   dword ptr [esi], xmm0
    pd_rec0:011508E4 F3 0F 10 46 04                          movss   xmm0, dword ptr [esi+4]
    pd_rec0:011508E9 F3 0F 59 05 8C 2D 77 01                 mulss   xmm0, dword_1772D8C
    pd_rec0:011508F1 F3 0F 11 04 24                          movss   [esp+8+var_8], xmm0
    pd_rec0:011508F6 E8 51 C8 BC FF                          call    sub_D1D14C
    pd_rec0:011508FB 83 66 08 00                             and     dword ptr [esi+8], 0
    pd_rec0:011508FF 59                                      pop     ecx
    pd_rec0:01150900 66 0F 6E C0                             movd    xmm0, eax
    pd_rec0:01150904 0F 5B C0                                cvtdq2ps xmm0, xmm0
    pd_rec0:01150907 F3 0F 59 05 84 B8 76 01                 mulss   xmm0, dword_176B884
    pd_rec0:0115090F F3 0F 11 46 04                          movss   dword ptr [esi+4], xmm0
    pd_rec0:01150914 5E                                      pop     esi
    pd_rec0:01150915 5D                                      pop     ebp
    pd_rec0:01150916 C3                                      retn
    pd_rec0:01150916                         sub_11508B3     endp
