Am I looking in the right place for these descriptors?

[taladork]

I did a string search in Ida for "CGObjectData", "CGItemData", etc and in the comments all of the parts that I might need are listed like below:


Is this what I'm looking for to use with a descriptor dumper?

[aeo]

Yes, there is a function that loads them all in x86 there is a push offset for each descriptor category(object,item,unit,player fields). You can jump them a few ways. In WowMoPObjMgrTest/DescriptorsDumper.cs at master * tomrus88/WowMoPObjMgrTest * GitHub those are the offsets that need updating. However JADD has also posted an IDA script that i believe looks at the strings and instruction patterns to dump them. I always used the TOMRUS way but it misses a few fields in x64 i believe( nativeSex and a few others)

[taladork]

Yes, there is a function that loads them all in x86 there is a push offset for each descriptor category(object,item,unit,player fields). You can jump them a few ways. In WowMoPObjMgrTest/DescriptorsDumper.cs at master * tomrus88/WowMoPObjMgrTest * GitHub those are the offsets that need updating. However JADD has also posted an IDA script that i believe looks at the strings and instruction patterns to dump them. I always used the TOMRUS way but it misses a few fields in x64 i believe( nativeSex and a few others)

I will keep playing around and see if I can find this function you mention... I tried JADD's script, but I think I need to update the search pattern or something because it can't find the Framescript function.

[WiNiFiX]

I always used this method to find FrameScript_Execute its not the best way im sure, but works for me
How to get PQR offsets - 2 / 3 - YouTube

[taladork]

I always used this method to find FrameScript_Execute its not the best way im sure, but works for me
How to get PQR offsets - 2 / 3 - YouTube

That is funny this is the video that inspired me to work on this last night. I am confused though, I'm not showing most of the xrefs I need. I changed the cross reference depth, but still nothing shows (below):

[WiNiFiX]

That is funny this is the video that inspired me to work on this last night. I am confused though, I'm not showing most of the xrefs I need. I changed the cross reference depth, but still nothing shows (below):

You looking at .rdata, he is looking at .text make sure you on the same screen as him.

[taladork]

You looking at .rdata, he is looking at .text make sure you on the same screen as him.

Yes but just before he is at the .text screen he double clicks the reference from the .rdata screen. I followed by jumping by name, searched "aCompat_lua", double clicked and I'm at the same place as him with no xref

[WiNiFiX]

Which wow version are you trying to get this for ? if its for 7.3 dont forget its obfuscated and you need to run IDA on a dumped exe from memory.

[taladork]

Which wow version are you trying to get this for ? if its for 7.3 dont forget its obfuscated and you need to run IDA on a dumped exe from memory.

7.3

Oh interesting I should have known better Gunna try that thanks.

Update: I managed to dump the exe from memory, and now I can see the xref nice!

[danwins]

7.3.0 25021 untested

functions(rebased):

Code:

4177A4 MirrorInitializeStaticDescriptors
417DB4 CGObject__InitializeBaseDataDescriptors
41949C CGItem__InitializeBaseDataDescriptors
41973D CGContainer__InitializeBaseDataDescriptors
4183DE CGUnit__InitializeBaseDataDescriptors
419CE5 CGPlayer__InitializeBaseDataDescriptors
419A49 CGGameObject__InitializeBaseDataDescriptors
4198AF CGDynamicObject__InitializeBaseDataDescriptors
41978F CGCorpse__InitializeBaseDataDescriptors
418F73 CGAreaTrigger__InitializeBaseDataDescriptors
41A973 CGSceneObject__InitializeBaseDataDescriptors
41A9EA CGConversation__InitializeBaseDataDescriptors

offsets(rebased):

Code:

107FFC8 g_baseObjDescriptors
1080058 g_baseItemDescriptors
10803F8 g_baseContainerDescriptors
1080AC8 g_baseUnitDescriptors
1081440 g_basePlayerDescriptors
108E1F8 g_baseGameObjectDescriptors
108E300 g_baseDynamicObjectDescriptors
108E370 g_baseCorpseDescriptors
108E698 g_baseSceneObjectDescriptors
108E5B0 g_baseAreaTriggerDescriptors
10803EC g_baseConversationDescriptors

my guess is that your dumping method is producing bad results that ida isnt having a good time with.

if ida isnt automatically creating xrefs for those strings, get the base address of it and Search -> Sequence of Bytes -> <address> and it should lead you to the above functions.

[taladork]

7.3.0 25021 untested

functions(rebased):

Code:

4177A4 MirrorInitializeStaticDescriptors
417DB4 CGObject__InitializeBaseDataDescriptors
41949C CGItem__InitializeBaseDataDescriptors
41973D CGContainer__InitializeBaseDataDescriptors
4183DE CGUnit__InitializeBaseDataDescriptors
419CE5 CGPlayer__InitializeBaseDataDescriptors
419A49 CGGameObject__InitializeBaseDataDescriptors
4198AF CGDynamicObject__InitializeBaseDataDescriptors
41978F CGCorpse__InitializeBaseDataDescriptors
418F73 CGAreaTrigger__InitializeBaseDataDescriptors
41A973 CGSceneObject__InitializeBaseDataDescriptors
41A9EA CGConversation__InitializeBaseDataDescriptors

offsets(rebased):

Code:

107FFC8 g_baseObjDescriptors
1080058 g_baseItemDescriptors
10803F8 g_baseContainerDescriptors
1080AC8 g_baseUnitDescriptors
1081440 g_basePlayerDescriptors
108E1F8 g_baseGameObjectDescriptors
108E300 g_baseDynamicObjectDescriptors
108E370 g_baseCorpseDescriptors
108E698 g_baseSceneObjectDescriptors
108E5B0 g_baseAreaTriggerDescriptors
10803EC g_baseConversationDescriptors

my guess is that your dumping method is producing bad results that ida isnt having a good time with.

if ida isnt automatically creating xrefs for those strings, get the base address of it and Search -> Sequence of Bytes -> <address> and it should lead you to the above functions.

I think you are right I'm going to try a dump plugin with ollydbg see if that works. I can see the xrefs now, but when I did a search for the offsets you listed nothing showed up (7.3.0 35021) so something is not right.

[taladork]

I guess you can't attach to process a debugger anymore so I will need a different method to dump the file. I used something called Process Dumper at first, but I don't think it's making a proper PE it's just separating everything into dlls

[danwins]

My offsets are rebased, Meaning they are relative to the image base.

you need to take note of whatever the image base is when you dump it,

for example, if wow.exe was loaded at 0x400000(the default image base assuming no aslr or packing shenanigens) then you would need to add this to the offsets given above.

EDIT: process dumper works fine, it dumps all the currently loaded modules as well as the main executable. it even (conveniently for you) labels the image base in the name of the file.

[taladork]

My offsets are rebased, Meaning they are relative to the image base.

you need to take note of whatever the image base is when you dump it,

for example, if wow.exe was loaded at 0x400000(the default image base assuming no aslr or packing shenanigens) then you would need to add this to the offsets given above.

EDIT: process dumper works fine, it dumps all the currently loaded modules as well as the main executable. it even (conveniently for you) labels the image base in the name of the file.

I wasn't calculating the rebase properly. I now am matching the same offsets as you. I was looking at the default value in the rebase option of ida instead of the first address or the base address saved in the name of the dumped exe.

[taladork]

As far as Framescript_Execute for naming I found it's location in hex, but I'm not sure what the pattern would be (the start is the same):

Code:

FrameScript_RegisterFunction_Pattern = "55 8B EC A1 ? ? ? ? 56 6A 00"
FrameScript_RegisterFunction = FindBinary(0, SEARCH_DOWN, FrameScript_RegisterFunction_Pattern)

FrameScript_RegisterFunctionNamespaceWithCount_Pattern = "55 8B EC 53 56 8B 35 ? ? ? ? FF 75 10"

Hex: