Bot development for 2.4.3 and general questions

[Lollero1]

So I have started developing a bot for 2.4.3 but I'm a filthy scrub when it comes to reverse engineering. This is why I thought it would be good idea to gather here some basic information for me and others about how wow works beneath the surface. What I have been able to do so far is finding the hp and rage of the character, move the character with click-to-move and edit the wow settings. What I haven't figured out so far is combat and object manager. Let's talk first about combat. My current assumption is that there are at least two ways to start auto attacking. This is done either by calling lua function from action bar which does the targetting/attacking or doing it directly by editing mouse related variables. The whole combat process could be summed up like this:

1. Acquire target name or object and its coordinates from object manager
2. Set your target based on previous information
3. Move your character if needed either by click-to-move or manual movement
4. Begin auto-attacking either with calling macro from action bar or somehow do right click on the target
5. Do class based rotation

First question is. Where and what should I be looking at in wows memory to initiate auto-attacking?
The next question is about using spells/abilities. Is it possible to call them directly or do they have to be binded to action bar and then call that specific action bar? If calling the spell directly is possible can same be applied to items?

Then we get to object manager. To my understanding this is the thing that stores all the information like coordinates about other players/mobs/nodes (mining veins,flowers,fishing pools, quest items). Basically all the crucial information to make your innocent bot survive in the cruel world. Whenever something is within your draw distance it's listed in object managers data structure and likewise removed when the object is too far away. My question is how do I actually locate the object manager within the wows memory? I could be repeating same questions others have asked billion times but maybe this will help someone else too. Meanwhile I'm waiting for inputs from gurus I will keep reading and post the results here if I come up with something

[Lollero1]

Ok facepalm. Literally after posting this I read [2.4.3/General WoW] Help with Objectmanager and based on information there I was able to enable auto-attacking by first setting the GUID (you can get one from object manager I assume or from cheat engine after right clicking something for demo purposes) in 0x00d689c0 and then setting the 0x00d689bc to 10.

[Lollero1]

So far no progress with object manager since I am unable to locate it. Based on [2.4.3/General WoW] Help with Objectmanager it should be found by adding clientconnection address (0x00D43318 ) to ObjectManagerOffset (0x2218 ). The first object should be found by adding first object offset (0xAC) to previous result (clinet connection+objectmanager offset) but I can't find anything there with cheat engine. Am I missing something here?

[tutrakan]

So far no progress with object manager since I am unable to locate it. Based on [2.4.3/General WoW] Help with Objectmanager it should be found by adding clientconnection address (0x00D43318 ) to ObjectManagerOffset (0x2218 ). The first object should be found by adding first object offset (0xAC) to previous result (clinet connection+objectmanager offset) but I can't find anything there with cheat engine. Am I missing something here?

You can either use or reproduce the ClntObjMgrEnumObjects() function (i always prefer to reproduce it to avoid adding extra complexity to my code):

Code:

// starts at 0x0046B3F0
signed int __cdecl ClntObjMgrEnumObjects(int (__cdecl *callback)(__int64, int), int filter)
{
  int ObjMan; // esi@1
  int firstObj; // eax@1
  int i; // ebx@3

  ObjMan = *(__readfsdword(0x2C) + 4 * TlsIndex);
  firstObj = *(*(ObjMan + 8) + 0xAC);           // 0xAC = 1-st obj
  if ( !(firstObj & 1) && firstObj )
  {
    i = *(*(ObjMan + 8) + 0xAC);
  }
  else
  {
    i = 0;
  }
  while ( !(i & 1) && i )
  {
    if ( !(callback)(*(i + 0x30), *(i + 0x34), filter) )// invokes the callback passing current obj guid and filter as params
    {
      return 0;
    }
    i = *(i + *(*(ObjMan + 8) + 0xA4) + 4);     // 0xA4 = next obj
  }
  return 1;
}

[squiggy]

On tablet so sry if I appear to be a little short with you, I don't deal well with virtual keyboards.

objmgrBase: ((g_clientconnection)+s_curmgr) Read the client connection address before addin the offset.
First wowobject: (objmgrBase+0xac)
next wowobj: (wowobj+0x3c)

[Lollero1]

I have been meaning to thank you guys for help but being the typical lazy shit as I am, I'm doing it 2 weeks later after your responses. So you thank you for your help, it really pointed me in the right direction. I have been working on my bot and now I have all the basics for grinding but I'm now facing new challenge with looting. How do people implement their looting functionality? Some people seem to use CTM by setting the ctm guid and then the ctm action to 6. This however doesn't seem to work for some reason (I don't know if the private server's emulator has something to do with it). Another method which came to my mind was to set the mouse over guid and then sent right click to wow process but it doesn't work either. I went through some older threads but didn't find anything useful. Anyone has ideas on this? Oh and if someone has questions related to 2.4.3 bots I'm happy to help so I don't feel like filthy leech.

[DarkLinux]

Didn't find anything useful you say? hmmm

2.4.3 Offsets & Pointers (2.4.3 Offsets & Pointers)

I found that with click to move if in range it does not like to loot/interact sometimes.

[Lollero1]

Is there any other way than dll injection? So far I have been avoiding it since I'm using c# like a scrub but it's starting to look like I have to.

[DarkLinux]

Are you injecting shellcode to call things like dostring? Or are you only doing reads and writes?

[Lollero1]

Just reads and writes at the moment. Weird thing how click to move works from cheat engine but looting doesn't.
Edit:

Ok I have read a bit about dll injection and I can understand what you have shared in your link. I think the only missing key information is the this reference passed as an argument. Is it just a reference to your injected dll class? I'm talking specifically dOnRightClickObject and dOnRightClickUnit. You would think that in order to use them you would have to pass GUID as an argument but I'm guessing they are reading the guid from the variable which stores the mouse over objects guid.

It's getting late and can't think straight. Anyways here is a useful link to anyone else who is struggling with injection:
Calling Functions From Injected Library Using Function Pointers in C++ - UnKnoWnCheaTs Game Hacking Wiki

Edit:
Is the endscene hooking necessary if I want to call warcraft's functions? I'm injecting a dll by calling remotethread and attempting to call wow functions from there but all I have managed to do was to hang wow process or get disconnected from server. The dll looks like this without includes (saving precious lines):

Code:

DWORD WINAPI dllthread(LPVOID);
DWORD g_threadID;
HMODULE g_hModule;

DWORD WINAPI dllthread(LPVOID)
{
	class wowfunctions
	{
	public:
		typedef int(__thiscall* dOnRightClickUnit)(PVOID _this);
		int interact()
		{
			dOnRightClickUnit _OnRightClickUnit = (dOnRightClickUnit)0x00619E00; // 2.4.3
			return _OnRightClickUnit(this);
		}
	};
	wowfunctions *wowi = new wowfunctions();
	wowi->interact();
	delete wowi;
	return 0;
}


BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved)
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}

	if (ul_reason_for_call == DLL_PROCESS_ATTACH)
	{
		g_hModule = hModule;
		DisableThreadLibraryCalls(hModule);
		CreateThread(NULL, NULL, &dllthread, NULL, NULL, &g_threadID);
	}
	return TRUE;
}

[Lollero1]

The click to move functionality for looting seems to act weird. Based on what I have read it should work when CTM guid (0x00D689C0) is set have lootable corpse guid and CTM action to 6 (0x00689BC). However instead of beginning to loot/go to corpse CTM guid goes to zero and ctm action back to 13. The character doesn't even flinch. What makes it even more weird is the fact that click to move works with regular movement and attacking. The dll injection doesn't seem to work either (I am probably doing it wrong). It doesn't matter if I pass lootable unit's address, guid or just this to it. It just doesn't react. Any suggestions?

[DarkLinux]

Code:

wowfunctions *wowi = new wowfunctions();
wowi->interact();
delete wowi;

"wowi" should be the object you want to interact with, should be a pointer to the base of the object, like what you get from the object manager.

[Lollero1]

If I do the following in the injected dll:

Code:

	wowfunctions* wowi = (wowfunctions*)0x001EB3C388;
	wowi->interact()

The game just crashes. The address I'm using is a valid base address of a mob, gotten from objectmanager (I can read health and all that stuff in the main bot program). I have a feeling that I'm getting closer but something is still wrong.

[culino2]

Looks like a thread issue to me. You have to call the 'interact' function within WoW's main-thread.

[Lollero1]

So how does one actually do that? Some threads mention endscene. I assume I have to hook it and bring the execution to the injected dll where I can call the interact function. I Noticed some addresses posted in 2.4.3 offset pointer thread:
D3dx9:
devicePtr: wow.exe + 0x92a15c;
vtablePtr: device + 0x3864
endscenePtr: vtable+0xA8

So what to do after getting pointer to the endscene? Insert a hook somewhere?