Info on Pointers and classes used in WAR

[HansW]

I spend some time with IDA Pro ( yes i own a legal copy ) and the WAR.exe. Heres what i found ( at least part of it ).

I plan to build a bot using LUA. The WAR lua interface gives away most of the informaion you need. There are some things missing though. I have and will add these in the form of Lua functions.
This should enable you to retrieve Entity Information, Target things and use Abilitys.

I'am building a DLL that is injected into the WAR.exe. On injection is registers some new global functions with the lua_state. I also open a console window for debug output and lua input. So i can test most of the stuff i do offline. The console accepts lua script commands and executes them in the lua VM that runs inside the WAR.exe.

The trick is to start WAR.exe directly, wait for the error box to come up, then DON't press ok, instead inject your DLL. Most of the objects used are already initalized and can be used (e.g. the lua_state) .

Maybe i will release my DLL and the source code , depends on the feedback.

As you see there is still some identification work to do. For the Entitys, i know how to get most of it, because there are functions that fill the lua representations, but some other things are not so easy to come by.

If anyone here would like to help me by working on the lua part of the bot just PM me and we can work something out.

I'am working on the ActionMapper and EventProcessor part of War now. If that means something to you and you feel like sharing what you learned about it, let me know. I'am willing to trade information.

Updated Object und Function Pointers: (03-04-09)

Code:

Objects:

	static const DWORD MainEntityListPtr = 0x00D31B4C //0x00D0AC14;
	static const DWORD PlayerPtr = 0x00D31D5C; //0x00D0AE18;
	static const DWORD MythicInterfacePtr = 0x00F24574;//0x00F06F68;
	static const DWORD lua_registerPtr = 0x005F7B60; //0x005EDF00;
	static const DWORD lua_GStringPtr = 0x00AED908;//0x00ACBE6C;
	static const DWORD lua_ExecuteBufferPtr = 0x008A00C9;//0x00882D02;

Functions:

	WarEntityBase* (__cdecl *  GetEntity)(int GUID) = reinterpret_cast<WarEntityBase* (__cdecl *  )(int )>(0x004082D2) ; // 0x0040822D
	void (__cdecl * CreateMapPin)(WarEntityBase *a1, signed int PinType) = reinterpret_cast<void (__cdecl *  )(WarEntityBase *,signed int  )>(0x005A27A4); // 0x0059885B

So here is the promised info:

The Classes used ( some information may not be accurate ).

Code:

#define BYTE unsigned char 
#define DWORD unsigned long
#define WORD unsigned short


struct WarEntityBase {
	DWORD m_Type;
	DWORD m_Level;
	DWORD unk_0x0008;
	float m_x;
	float m_y;
	float m_z;
	float unk_0x0018;
	float unk_0x001C;
	float unk_0x0020;
	DWORD unk_0x0024;
	float unk_0x0028;
	float unk_0x002C;
	float unk_0x0030;
	WORD unk_0x0034;
	WORD unk_0x0036;
	WORD unk_0x0038;
	char unknown58[2];
	DWORD unk_0x003C;
	DWORD m_GUID;
	DWORD unk_0x0044;
	WORD unk_0x0048;
	WORD unk_0x004A;
	float unk_0x004C;
	float unk_0x0050;
	float unk_0x0054;
	float unk_0x0058;
	float unk_0x005C;
	float unk_0x0060;
	float unk_0x0064;
	float unk_0x0068;
	DWORD unk_0x006C;
	DWORD unk_0x0070;
	WORD unk_0x0074;
	WORD unk_0x0076;
	WORD unk_0x0078;
	WORD unk_0x007A;
	WORD unk_0x007C;
	WORD unk_0x007E;
	float unk_0x0080;
	float unk_0x0084;
	float unk_0x0088;
	float unk_0x008C;
	float m_Heading;
	float unk_0x0094;
	float m_Target;
	float unk_0x009C;
	WORD unk_0x00A0;
	WORD unk_0x00A2;
	float unk_0x00A4;
	float unk_0x00A8;
	float unk_0x00AC;
	float unk_0x00B0;
	float unk_0x00B4;
	float unk_0x00B8;
	float unk_0x00BC;
	BYTE unk_0x00C0;
	char unknown193[3];
	BYTE unk_0x00C4;
	BYTE unk_0x00C5;
	char unknown198[2];
	float unk_0x00C8;
	float unk_0x00CC;
	DWORD unk_0x00D0;
	DWORD unk_0x00D4;
	BYTE unk_0x00D8;
	BYTE unk_0x00D9;
	BYTE unk_0x00DA;
	BYTE unk_0x00DB;
	BYTE unk_0x00DC;
	BYTE padByte;
	WORD unk_0x00DE;
	WORD unk_0x00E0;
	WORD padWord;
	DWORD unk_0x00E4;
	WORD unk_0x00E8;
	BYTE unk_0x00EA;
	BYTE unk_0x00EB;
};//Size=0x00EC(236)



struct WarListEntry
{
	DWORD m_ID; //0x0000  
	WarEntityBase* m_pItem; //0x0004  
};//Size=0x0008(8)


struct WarList
{
	DWORD vtable_ptr; //0x0000  
	WarListEntry** m_pList; //0x0004 set to B65FCC in Ctor 
	DWORD m_Size; //0x0008  
	DWORD m_SomeCount; //0x000C  
	float unk_0x0010; //_init_with_A5F2B4; //0x0010  
	float unk_0x0014; //_init_with_A67E44; //0x0014  
	DWORD unk_0x0018; //0x0018 Set to 0 in Ctor 
	DWORD unk_0x001C; //0x001C  
	BYTE m_bManageMemory; //0x0020 set to 1 or 0 
	char pad_0x0021[3]; //0x0021
};//Size=0x0024(36)




struct WarEntityType1 
{
	WarEntityBase Base;
	DWORD ID02663B30; //0x00EC  
	DWORD ID02635940; //0x00F0  
	DWORD ID02657B98; //0x00F4  
	WORD ID0263D000; //0x00F8  
	BYTE ID02659950; //0x00FA  
	BYTE ID02663BB0; //0x00FB  
	float ID02663148; //0x00FC  
	BYTE ID026630C8; //0x0100  
	BYTE ID02663C30; //0x0101  
	BYTE ID026631C8; //0x0102  
	BYTE ID02663370; //0x0103  
	float ID02661C48; //0x0104  
	BYTE ID02661A78; //0x0108  
		char unknown265[3]; //0x0109
	DWORD ID0264FB00; //0x010C  
	WORD ID02658970; //0x0110  
	WORD ID0265B4F0; //0x0112  
	WORD ID026632C8; //0x0114  
	BYTE ID0263E5E8; //0x0116  
	BYTE ID026579C8; //0x0117  
	DWORD ID026619F8; //0x0118  
	BYTE ID0264C6F0; //0x011C  
	BYTE ID0265FBA8; //0x011D  
		char unknown286[2]; //0x011E
};//Size=0x0120(288)


#define BYTE unsigned char 
#define DWORD unsigned long
#define WORD unsigned short
#define vtable_ptr DWORD vtable


struct CMythicInterface;
struct CBufferPtr;
struct CBufferSomething;
struct CSomeString;
struct CUnkObj_1;
struct CIDMaker;
struct CLuaScript;
struct C16BBuff;


struct CBufferPtr
{

	DWORD ID02668218; //0x0000  
	DWORD m_pStart; //0x0004  
	DWORD m_pEnd; //0x0008  
	DWORD m_pMax; //0x000C  
};//Size=0x0010(16)

struct CBufferSomething
{

	DWORD ID0267B710; //0x0000  
	DWORD ID0264B6D8; //0x0004  
	DWORD m_pBuff_S40; //0x0008  
	DWORD ID02679B18; //0x000C  
	CBufferPtr ID026689B0; //0x0010  
	DWORD ID02679A98; //0x0020  
	DWORD ID02679A18; //0x0024  
};//Size=0x0028(40)

struct CSomeString
{

	vtable_ptr; //0x0000  
	CUnkObj_1* ID02680F00; //0x0004  
	DWORD ID02668D20; //0x0008  
};//Size=0x000C(12)

struct CUnkObj_1
{

	DWORD ID0267A920; //0x0000  
	DWORD ID0266ADD0; //0x0004  
	DWORD ID0266AE50; //0x0008  
	DWORD ID02680D80; //0x000C  
	DWORD ID02680E00; //0x0010  
	DWORD ID02680E80; //0x0014  
	BYTE ID0267A408; //0x0018  
	BYTE ID0267A878; //0x0019  
		char unknown26[2]; //0x001A
};//Size=0x001C(28)

struct CIDMaker
{

	vtable_ptr; //0x0000  
	DWORD ID0268E708; //0x0004  
	DWORD ID0266A7C8; //0x0008  
	DWORD ID02679898; //0x000C  
	DWORD ID02679998; //0x0010  
	DWORD ID02679918; //0x0014  
	WORD ID02679818; //0x0018  
		char unknown26[2]; //0x001A
};//Size=0x001C(28)

struct CLuaScript
{

	DWORD ID0267E928; //0x0000  
	DWORD ID0268E3F8; //0x0004  
	DWORD ID0268E378; //0x0008  
};//Size=0x000C(12)

struct C16BBuff
{

	DWORD ID0267A7D0; //0x0000  
	DWORD ID02657700; //0x0004  
	DWORD ID0267C680; //0x0008  
	DWORD ID0267C700; //0x000C  
};//Size=0x0010(16)




struct CMythicInterface
{

	DWORD ID0264B8D0; //0x0000 MythicInterface___vftable_ 
	DWORD ID0264AEF8; //0x0004  
	DWORD ID0264AFA0; //0x0008  
	void* m_pLuaState; //0x000C CLuaState Pointer , is a LuaPlus State Object 
	DWORD ID0264B0F0; //0x0010  
		char unknown20[8]; //0x0014
	DWORD ID02659788; //0x001C  
	DWORD aString; //0x0020 std::basic_string 
		char unknown36[12]; //0x0024
	BYTE ID0264B198; //0x0030  
	BYTE ID0266B3C8; //0x0031  
	BYTE ID0264B780; //0x0032  
	BYTE ID0266B448; //0x0033  
	DWORD ID0266B4C8; //0x0034  
	BYTE* buffer_S40; //0x0038  
	DWORD ID0266B570; //0x003C  
	CBufferPtr m_ManagedBuffer; //0x0040 Is initialized with Buffer at 0x38 
	DWORD ID0264B390; //0x0050  
	DWORD ID0264EFB8; //0x0054  
	CBufferSomething ID0267B688; //0x0058  
	CBufferSomething ID0266A438; //0x0080  
	CBufferSomething ID0266A4C0; //0x00A8  
	CSomeString ID02669A18; //0x00D0  
	char* m_pName; //0x00DC Set to Root 
	DWORD ID0264F1B8; //0x00E0  
	DWORD ID0264F260; //0x00E4  
	DWORD ID0264F308; //0x00E8  
	DWORD ID0264F3B0; //0x00EC  
	DWORD ID0264F458; //0x00F0  
	float ID0264F500; //0x00F4  
	float ID0264F5A8; //0x00F8  
	WORD ID0264F650; //0x00FC  
		char unknown254[2]; //0x00FE
	DWORD ID0264F6F8; //0x0100  
	CIDMaker ID0268E2F0; //0x0104  
	CLuaScript m_LuaScripts[5]; //0x0120  
	DWORD ID0264F848; //0x015C  
	DWORD ID0264F8F0; //0x0160  
	DWORD ID0264F998; //0x0164  
	DWORD ID0264FA40; //0x0168  
	DWORD ID0264FB90; //0x016C  
	DWORD ID0264FAE8; //0x0170  
	CBufferSomething ID0264FF80; //0x0174  
	BYTE ID0264D920; //0x019C  
	BYTE ID0264D9C8; //0x019D  
		char unknown414[2]; //0x019E
	CSomeString m_mangedBuffer; //0x01A0  
	float ID0264FD88; //0x01AC  
	DWORD ID0264DA70; //0x01B0  
	DWORD ID0264DB18; //0x01B4  
	DWORD ID0264DBC0; //0x01B8  
	DWORD ID0264DC68; //0x01BC  
	DWORD ID0264DD10; //0x01C0  
	DWORD ID0264DDB8; //0x01C4  
	DWORD ID0264DE60; //0x01C8  
	DWORD ID0264DF08; //0x01CC  
	char m_User_ini_File[256]; //0x01D0  
		char unknown720[512]; //0x02D0
	BYTE ID02656200; //0x04D0  
	BYTE ID02656158; //0x04D1  
	WORD ID02657070; //0x04D2  
		char unknown1236[4]; //0x04D4
	CSomeString* m_punkBuf_4D8; //0x04D8  
	DWORD ID026571C0; //0x04DC  
		char unknown1248[4]; //0x04E0
	CSomeString* ID02657268; //0x04E4  
	DWORD ID026573B8; //0x04E8  
		char unknown1260[4]; //0x04EC
	DWORD ID02657460; //0x04F0  
	void* ptr_to_24B_Obj; //0x04F4  
	DWORD ID02657658; //0x04F8  
	WORD ID026577A8; //0x04FC  
		char unknown1278[2]; //0x04FE
	DWORD ID026853C8; //0x0500  
	CSomeString* ID026578F8; //0x0504  
	DWORD ID026579A0; //0x0508  
		char unknown1292[4]; //0x050C
	C16BBuff* ID02690F70; //0x0510  
	DWORD ID02657B98; //0x0514  
		char unknown1304[4]; //0x0518
	C16BBuff* ID02657C40; //0x051C  
	DWORD ID02657D90; //0x0520  
	DWORD ID0266FB70; //0x0524  
	DWORD ID02657EE0; //0x0528  
	DWORD ID02657F88; //0x052C  
	DWORD ID02658030; //0x0530  
	BYTE ID02657E38; //0x0534  
		char unknown1333[3]; //0x0535
	DWORD ID02659350; //0x0538  
	DWORD ID026593D0; //0x053C  
	DWORD ID02659450; //0x0540  
		char unknown1348[24]; //0x0544
	BYTE ID026594F8; //0x055C  
	BYTE ID0265D708; //0x055D  
	BYTE ID0267D7C8; //0x055E  
		char unknown1375[5]; //0x055F
	DWORD ID0267D848; //0x0564  
	DWORD ID0265D858; //0x0568  
	DWORD ID0265D900; //0x056C  
	DWORD ID0265D9A8; //0x0570  
	DWORD ID0265DA50; //0x0574  
	DWORD ID0265DAF8; //0x0578  
	DWORD ID0265DBA0; //0x057C  
	BYTE ID0265DC48; //0x0580  
		char unknown1409[3]; //0x0581
	DWORD ID0265DCF0; //0x0584  
	CSomeString* ID0265DD98; //0x0588  
	DWORD ID0265DE40; //0x058C  
	DWORD ID0265DEE8; //0x0590  
	DWORD ID0265DF90; //0x0594  
	DWORD ID0265E038; //0x0598  
	DWORD ID0265E0E0; //0x059C  
	DWORD ID0265E188; //0x05A0  
	DWORD ID0265E230; //0x05A4  
	DWORD ID0265E2D8; //0x05A8  
	DWORD ID0265E380; //0x05AC  
	DWORD ID0265E428; //0x05B0  
	DWORD ID0265E4D0; //0x05B4  
	CSomeString ID02690CE0; //0x05B8  
	DWORD ID0265E578; //0x05C4  
	DWORD ID0265E620; //0x05C8  
	DWORD ID0265E6C8; //0x05CC  
	DWORD ID0265E770; //0x05D0  
	DWORD ID0265E818; //0x05D4  
	BYTE ID0265E968; //0x05D8  
	BYTE ID0265E8C0; //0x05D9  
		char unknown1498[2]; //0x05DA
	WORD ID0267C528; //0x05DC  
	WORD ID0265EA10; //0x05DE  
		char unknown1504[64]; //0x05E0
	WORD ID0267C4A8; //0x0620  
	WORD ID02659E48; //0x0622  
		char unknown1572[64]; //0x0624
	WORD ID02690FF0; //0x0664  
	WORD ID0265A970; //0x0666  
		char unknown1640[64]; //0x0668
	WORD ID0267A728; //0x06A8  
	WORD ID0265B498; //0x06AA  
		char unknown1708[64]; //0x06AC
	WORD ID0267A680; //0x06EC  
	WORD ID0265F3C0; //0x06EE  
		char unknown1776[64]; //0x06F0
	WORD ID0267A5D8; //0x0730  
	WORD ID0265FEE8; //0x0732  
		char unknown1844[64]; //0x0734
	WORD ID0267A530; //0x0774  
	WORD ID02660A10; //0x0776  
		char unknown1912[64]; //0x0778
	WORD ID0267AB30; //0x07B8  
	WORD ID02661538; //0x07BA  
		char unknown1980[64]; //0x07BC
	WORD ID02669770; //0x07FC  
	WORD ID02662060; //0x07FE  
		char unknown2048[64]; //0x0800
	WORD ID02639B78; //0x0840  
	WORD ID02662B88; //0x0842  
		char unknown2116[64]; //0x0844
	WORD ID02688E88; //0x0884  
	WORD ID026636B0; //0x0886  
		char unknown2184[64]; //0x0888
	WORD ID026874D0; //0x08C8  
	WORD ID026641D8; //0x08CA  
		char unknown2252[64]; //0x08CC
	WORD ID026854C0; //0x090C  
	WORD ID02664D00; //0x090E  
		char unknown2320[64]; //0x0910
	WORD ID02639C78; //0x0950  
	WORD ID0266BCF0; //0x0952  
		char unknown2388[64]; //0x0954
	WORD ID0263A388; //0x0994  
	WORD ID0266C818; //0x0996  
		char unknown2456[64]; //0x0998
	WORD ID0263A408; //0x09D8  
	WORD ID0265BF48; //0x09DA  
		char unknown2524[64]; //0x09DC
	WORD ID0264FCE0; //0x0A1C  
	WORD ID0265CA70; //0x0A1E  
		char unknown2592[64]; //0x0A20
	WORD ID0267E7D8; //0x0A60  
	WORD ID02665E28; //0x0A62  
		char unknown2660[64]; //0x0A64
	WORD ID0264FC38; //0x0AA4  
	WORD ID02666950; //0x0AA6  
		char unknown2728[64]; //0x0AA8
	WORD ID0264FED8; //0x0AE8  
	WORD ID02667478; //0x0AEA  
		char unknown2796[64]; //0x0AEC
	WORD ID0267E758; //0x0B2C  
	WORD ID02667FA0; //0x0B2E  
		char unknown2864[64]; //0x0B30
	WORD ID0267E6D8; //0x0B70  
	WORD ID0266D8A8; //0x0B72  
		char unknown2932[64]; //0x0B74
	WORD ID0267E658; //0x0BB4  
	WORD ID0266E3D0; //0x0BB6  
		char unknown3000[64]; //0x0BB8
	WORD ID0267E5D8; //0x0BF8  
	WORD ID0266EEF8; //0x0BFA  
		char unknown3068[64]; //0x0BFC
	char m_unkBuff_S64[64]; //0x0C3C  
	char m_unkBuff2_S64[64]; //0x0C7C  
};//Size=0x0CBC(3260)


#define vtable_ptr DWORD vtable

#pragma pack(1)
struct CPlayer;




#define aCPlayer CPlayer

#pragma pack(1)
struct CBaseProcessor
{
public:
	vtable_ptr ; //0x0000 BaseProcessorObj vtable 
	DWORD ID026688C8; //0x0004 BaseProcessorObj vtable 
		char unknown8[12]; //0x0008
	DWORD ID02668948; //0x0014  
	DWORD ID02666F40; //0x0018  
		char unknown28[4]; //0x001C
	WORD m_Name; //0x0020  
		char unknown34[14]; //0x0022
	DWORD ID0265F8A0; //0x0030  
	DWORD ID0265FB58; //0x0034  
		char unknown56[4]; //0x0038
	WORD ID0266B808; //0x003C  
		char unknown62[14]; //0x003E
	DWORD ID02666EC0; //0x004C  
	DWORD ID0266A328; //0x0050  
		char unknown84[8]; //0x0054
	WORD ID0266DB10; //0x005C  
		char unknown94[14]; //0x005E
	DWORD ID0266DB90; //0x006C  
	DWORD ID0264F550; //0x0070  
		char unknown116[4]; //0x0074
	DWORD SubstructStart; //0x0078  
	WORD ID026638A0; //0x007C  
		char unknown126[14]; //0x007E
	DWORD ID0266DC10; //0x008C  
	DWORD ID02664590; //0x0090  
		char unknown148[24]; //0x0094
	DWORD ID0266B888; //0x00AC  
};//Size=0x00B0(176)

#pragma pack(1)
struct VTABLE_CEventCallback
{
public:
	DWORD* func1; //0x0000  
	DWORD* func2; //0x0004  
	DWORD* func3; //0x0008  
	DWORD* func4; //0x000C  
	DWORD* func5; //0x0010  
};//Size=0x0014(20)

#pragma pack(1)
struct WordArray1
{
public:
	WORD wordarray1_1; //0x0000  
	WORD wordarray1_2; //0x0002  
	WORD ID0267EC30; //0x0004  
	WORD ID02670990; //0x0006  
	WORD ID0267ECB0; //0x0008  
	WORD ID0266A9B0; //0x000A  
	WORD ID0267ED30; //0x000C  
	WORD ID026619D0; //0x000E  
	WORD ID0267EDB0; //0x0010  
	WORD ID02661BC8; //0x0012  
	WORD ID0265F688; //0x0014  
	WORD ID02673E40; //0x0016  
	WORD ID02645010; //0x0018  
	WORD ID0265F5E0; //0x001A  
	WORD ID026634B0; //0x001C  
	WORD ID0265F538; //0x001E  
	WORD ID02648908; //0x0020  
	WORD ID0265F730; //0x0022  
	WORD ID0265F490; //0x0024  
	WORD ID02648860; //0x0026  
	WORD ID026487B8; //0x0028  
	WORD ID02648710; //0x002A  
};//Size=0x002C(44)

#pragma pack(1)
struct CBuffer
{
public:
	vtable_ptr; //0x0000  
	DWORD PtrToStart; //0x0004 list of group buff handler ptr's (GroupMemberBuffTracker) 9 Ptr's 
	DWORD PtrToEnd; //0x0008  
	DWORD PtrToMax; //0x000C  
};//Size=0x0010(16)

#pragma pack(1)
struct ByteBuffer236
{
public:
	DWORD PtrToStart_self; //0x0000  
	DWORD Ptr_to_end_self; //0x0004  
		char unknown8[228]; //0x0008
};//Size=0x00EC(236)

#pragma pack(1)
struct word_array_2
{
public:
	WORD unk_word; //0x0000  
	BYTE unk_byte1; //0x0002  
	BYTE unk_byte2; //0x0003  
};//Size=0x0004(4)

class ListItem
{
public:
	WORD ID0F8BCF10; //0x0000  
	BYTE ID0F99DFC8; //0x0002  
	BYTE ID0263A970; //0x0003  
};//Size=0x0004(4)

#pragma pack(1)
struct unk_struct
{
public:
	vtable_ptr; //0x0000  
	WORD ID0F90F210; //0x0004  
		char unknown6[14]; //0x0006
	DWORD ID0263E530; //0x0014  
	DWORD ID02635CE0; //0x0018 set to 7 
	WORD ID0F906880; //0x001C  
	WORD ID0F959970; //0x001E  
	DWORD ID0F9ACA88; //0x0020  
	DWORD ID0F9AF750; //0x0024  
	DWORD ID0F9AF7D0; //0x0028  
	WORD ID026EC530; //0x002C  
	WORD ID0F99A1E0; //0x002E  
	float ID0F992D80; //0x0030  
	DWORD ID0262E330; //0x0034  
};//Size=0x0038(56)

#pragma pack(1)
struct unk_struct_2
{
public:
	DWORD ID0F9B1F88; //0x0000  
	DWORD ID0F954AB8; //0x0004  
	DWORD ID0F9A0CB0; //0x0008  
	DWORD ID0F950D00; //0x000C  
	DWORD ID02639C18; //0x0010  
	DWORD ID0F969670; //0x0014  
	WORD ID02643960; //0x0018  
		char unknown26[14]; //0x001A
	DWORD ID026439E0; //0x0028  
	DWORD ID0F8C9108; //0x002C set to 7 
	DWORD ID0F9696F0; //0x0030  
	DWORD ID0F8FC2E0; //0x0034  
		char unknown56[12]; //0x0038
	DWORD ID0F9B1E88; //0x0044  
	DWORD ID026E8EB8; //0x0048  
		char unknown76[4]; //0x004C
	WORD ID0F9A7040; //0x0050  
		char unknown82[14]; //0x0052
	DWORD ID0F9A70C0; //0x0060  
	DWORD ID0263E368; //0x0064  
	DWORD ID0263E2E8; //0x0068  
	DWORD ID0F9A7140; //0x006C  
	DWORD ID0FB85008; //0x0070  
	WORD ID0FB85088; //0x0074  
		char unknown118[2]; //0x0076
};//Size=0x0078(120)

#pragma pack(1) 
struct unk_struct_3
{
public:
	vtable_ptr; //0x0000  
	DWORD ID0x04; //0x0004  
	DWORD ID0x08; //0x0008  
	DWORD ID0x0C; //0x000C  
};//Size=0x0010(16)

#pragma pack(1)
struct unk_struct_4
{
public:
	WORD ID02635580; //0x0000  
		char unknown2[6]; //0x0002
	DWORD ID0F8F4008; //0x0008  
	DWORD ID02674828; //0x000C  
	DWORD ID0264CBD8; //0x0010  
	WORD ID0FA5DE38; //0x0014 set to 1 in CPlayer 
		char unknown22[2]; //0x0016
	DWORD ID026D45B0; //0x0018 set to 5 in CPlayer 
};//Size=0x001C(28)

#pragma pack(1)
struct world_CGroupMemberBuffTracker
{
public:
	vtable_ptr; //0x0000 const world::GroupMemberBuffTracker::`vftable' 
	char unknown4[136]; //0x0004
};//Size=0x008C(140)

#pragma pack(1)
struct unk_struct_cplayer_22c
{
public:
	CPlayer*  m_pPlayer; //0x0000  
	DWORD ID02663408; //0x0004  
	DWORD ID0265F7D8; //0x0008  
	DWORD ID0265F9D0; //0x000C  
	DWORD ID0265F928; //0x0010  
	char unknown20[20]; //0x0014
	WORD ID0471B140; //0x0028  
	BYTE ID02635AF8; //0x002A  
	WORD ID02694EB0; //0x002B  
	BYTE ID026929E0; //0x002D
	char unknown2E[2]; //0x002E
	void* ptr_to_12B; //0x0030  
	DWORD ID0264DA68; //0x0034  
	DWORD unk1;		//0x0038
	DWORD unk2;		//0x003C
	WORD ID02697810; //0x0040  
	WORD ID04719D30; //0x0042  
	DWORD ID04712898; //0x0044  
	DWORD ID02692C08; //0x0048  
	BYTE ID02648C80; //0x004C
	char unknown4D[3]; // 0x004D
};//Size=0x0050(80)
/*
struct unk_struct_cplayer_22c {
	CPlayer* m_pPlayer;
	DWORD data[19];
};
*/

#pragma pack(1)
struct CPlayerTargetTracker_Entry
{
public: //ID0472E3E0
	DWORD TargetGUID; //0x0000  
	DWORD ID0472BA08; //0x0004  
	float ID0472E3E0; //0x0008  
	BYTE ID04715148; //0x000C  
		char unknown13[3]; //0x000D
	DWORD ID04728620; //0x0010  
};//Size=0x0014(20)


#pragma pack(1)
struct CPlayerTargetTracker
{
public:
	vtable_ptr; //0x0000  
	aCPlayer* m_pPlayer; //0x0004  
	CPlayerTargetTracker_Entry m_TargetEntrys[4]; //0x0008  
	DWORD ID04718CE0; //0x0058  
	DWORD ID02690618; //0x005C  
	DWORD ID0463DF40; //0x0060  
	DWORD ID0463DEC0; //0x0064  
};//Size=0x0068(104)

#pragma pack(1)
struct CPosition {
public:
	float x;
	float y;
	float z;
};

#pragma pack(1)
struct CPlayer
{
public:
	vtable_ptr; //0x0000  
		char unknown4[4]; //0x0004
	BYTE ID0264ADA8; //0x0008  
		char unknown9[3]; //0x0009
	DWORD ID0264AEF8; //0x000C  
	DWORD ID0264B0F0; //0x0010  
	DWORD ID0264AE50; //0x0014  
	DWORD ID0263BF48; //0x0018 -1 
	DWORD ID0264AFA0; //0x001C -1 
	DWORD ID0264B048; //0x0020  
	CPosition m_Postion; //0x0024  
		char unknown48[12]; //0x0030
	float ID0264B2E8; //0x003C  
	float ID0264EF90; //0x0040  
	float ID0264B588; //0x0044  
	float m_Heading; //0x0048  
		char unknown76[4]; //0x004C
	float ID02651F18; //0x0050  
	float ID02652018; //0x0054  
	float ID02651AE0; //0x0058  
		char unknown92[4]; //0x005C
	DWORD ID02651B60; //0x0060  
	WORD ID02652338; //0x0064  
		char unknown102[6]; //0x0066
	BYTE ID026518E0; //0x006C  
		char unknown109[3]; //0x006D
	float ID02652158; //0x0070 defaulted to 3f80000 
	BYTE ID02652A18; //0x0074  
		char unknown117[3]; //0x0075
	float ID02651960; //0x0078  
	float ID02652808; //0x007C  
	float ID02652888; //0x0080  
	float ID02652908; //0x0084  
	float ID02652548; //0x0088  
	float m_Height; //0x008C  
	BYTE ID02652B18; //0x0090  
		char pad[3];
	float m_RunSpeed; // 0x0094
	float ID02652A98; //0x0098 defaulted to 3f80000 
	float ID02652438; //0x009C defaulted to 3f80000 
	float m_Run; //0x00A0  
	float ID02651750; //0x00A4  
	float ID026517D0; //0x00A8  
	float ID026520D8; //0x00AC  
	float ID026516D0; //0x00B0 defaulted to 42880000 
	float ID026521D8; //0x00B4 defaulted to 42880000 
	DWORD unknown0x00B8; // 0x00B8
	DWORD unknown0x00BC; // 0x00BC
	DWORD m_GUID; //0x00C0  
		char unknown196[4]; //0x00C4
	CBaseProcessor m_BaseProcessor; //0x00C8  
	DWORD  unknown0x0178;
	DWORD  unknown0x017C;
	DWORD ID02664378; //0x0180  
	DWORD m_Health;//0x0184
	DWORD m_MaxHealth;//0x0188
	DWORD ID02651300; //0x018C  
	DWORD unknown_0x0190; //0x0190
	DWORD m_ActionPoints; // 0x0194
	DWORD m_MaxActionPoints; // 0x0198
	DWORD ID026514F8; //0x019C  
	DWORD ID0264DCC0; //0x01A0 Set to 0x0E10h 
	DWORD ID0264DD68; //0x01A4  
	BYTE ID0264DEB8; //0x01A8 set to 0xff (-1) 
	BYTE ID0264DE10; //0x01A9 set to 0xff (-1) 
	BYTE ID026394D8; //0x01AA  
	BYTE ID0265F6E0; //0x01AB  
	VTABLE_CEventCallback ID02636420; //0x01AC  
	WordArray1 ID02661948; //0x01C0  
		char unknown492[60]; //0x01EC
	BYTE ID026815C8; //0x0228  
	BYTE ID02675488; //0x0229  
		char unknown554[2]; //0x022A
	unk_struct_cplayer_22c* unk_obj_1; //0x022C Constructor receives a CPlayer pointer (this) 
	BYTE* HugeObject; //0x0230 Size:207864 holds mulitple arrays of different size of the same struct 
	WORD ID0267F708; //0x0234  
		char unknown566[2]; //0x0236
	CBuffer ID04659C98; //0x0238 Stores BuffTracker 0-5 are Party Members, 6 is selftracker (PtrToStart[0-4] , PtrToStart[5]) , 7 , 8 = TargetBuffTracker (maybe hostile and friendly) 
		char unknown584[4]; //0x0248
	ByteBuffer236* ID0268E490; //0x024C  
	DWORD ID02656900; //0x0250  
	CPlayerTargetTracker* m_pTargetTracker; //0x0254  
	DWORD m_pTargetInfo; //0x0258  
	DWORD ID026E5D98; //0x025C  
	DWORD ID02653FA8; //0x0260  
	DWORD ID02654050; //0x0264  
		char unknown616[408]; //0x0268
	float ID02675A70; //0x0400  
	float ID0267A180; //0x0404  
	float ID0267A228; //0x0408  
	WORD ID0267A2D0; //0x040C  
	WORD ID0267A378; //0x040E  
		char unknown1040[24]; //0x0410
	ListItem List[120]; //0x0428 Format is WORD aWord; BYTE aByte1; BYTE aByte2; 
		char unknown1544[520]; //0x0608
	BYTE unk_array_120B_1[120]; //0x0810  
	BYTE unk_array_120B_2[120]; //0x0888  
	BYTE unk_array_120B_3[120]; //0x0900 filled with ascending numbers vom 1 to 120 
	BYTE ID026A6690; //0x0978  
	BYTE ID02697320; //0x0979  
		char unknown2426[2]; //0x097A
	unk_struct_4* ID0FA5DEF8; //0x097C  
	BYTE ID0269E170; //0x0980  
		char unknown2433[1]; //0x0981
	WORD ID02697470; //0x0982  
	BYTE ID026A6760; //0x0984  
		char unknown2437[3]; //0x0985
	DWORD ID0269E410; //0x0988 set to -1 
	BYTE ID02697518; //0x098C set to 1 
		char unknown2445[3]; //0x098D
	DWORD ID0269E2C0; //0x0990  
	DWORD ID0269E368; //0x0994  
	unk_struct ID0FCB61C0; //0x0998  
	BYTE ID0F90F438; //0x09D0  
	BYTE ID0F8B6DD8; //0x09D1  
		char unknown2514[2]; //0x09D2
	float ID02638A78; //0x09D4  
	float ID0F8B6E80; //0x09D8  
	float ID0F8B6F28; //0x09DC  
		char unknown2528[4]; //0x09E0
	float ID0F954608; //0x09E4  
		char unknown2536[4]; //0x09E8
	DWORD unk_array2[375]; //0x09EC  
	unk_struct_2 unk_struct2_array[20]; //0x0FC8  
	DWORD ID026540F8; //0x1928  
	DWORD ID0F9549D0; //0x192C  
	DWORD ID0F954D18; //0x1930 set to 1500 
		char unknown6452[4]; //0x1934
	DWORD ID0F954928; //0x1938  
		char unknown6460[4]; //0x193C
	float ID0F907990; //0x1940  
	DWORD ID0F8FEB20; //0x1944  
	DWORD ID0F8FEEE8; //0x1948  
	DWORD ID0F90B530; //0x194C  
	WORD ID0F90B5B0; //0x1950  
		char unknown6482[2]; //0x1952
	DWORD ID0F8FEE40; //0x1954  
	DWORD ID0F90B700; //0x1958  
	DWORD ID0F90B7A8; //0x195C  
	WORD ID0F90B850; //0x1960  
		char unknown6498[2]; //0x1962
	DWORD ID0F90B8F8; //0x1964  
	DWORD ID0F907670; //0x1968  
	DWORD ID0F9076F0; //0x196C  
	float ID0F907798; //0x1970  
		char unknown6516[4]; //0x1974
	DWORD ID0F907840; //0x1978  
		char unknown6524[8]; //0x197C
	DWORD ID0F8FECF0; //0x1984  
		char unknown6536[40]; //0x1988
	unk_struct_3 ID0264D8B0; //0x19B0  
	unk_struct_3 ID0F8EB938; //0x19C0  
		char unknown6608[8]; //0x19D0
	BYTE ID0F969590; //0x19D8  
		char unknown6617[3]; //0x19D9
	float ID026EB648; //0x19DC  
	float ID0F95FB20; //0x19E0  
	DWORD ID0F95FBC8; //0x19E4  
};//Size=0x19E8(6632)

The Offsets you need:

Code:

static const DWORD PlayerPtr = 0x00D0AE18; // pointer to CPlayer*
// used like this: CPlayer* m_pPlayer =  (CPlayer*)*((DWORD*)PlayerPtr);

static const DWORD PtrMainEntityList = 0x00D0AC14;
// used like this: WarList* m_pMainEntityList =  (WarList*)*((DWORD*)PtrMainEntityList);


static const DWORD MythicInterfacePtr = 0x00F06F68;
static const DWORD lua_registerPtr = 0x005EDF00;
static const DWORD lua_GStringPtr = 0x00ACBE6C;
static const DWORD lua_ExecuteBufferPtr = 0x00882D02;

Register you own Lua Functions:


Define a struct like this:

Code:

const war_luaL_Reg LuaExtender::ext_funcs[] = {
	  {"sp",shellprint},
	  {"sd",shelldump},
	  {NULL,NULL}
	};

Shellprint and sheldump as functions defined in my class. See the lua documentation for info about the struct


These asm functions will take care of the registration

Code:

static const char *g_DoStringName = "WarExtScriptCommand";

static __declspec(naked) void RegisterExtensions(const war_luaL_Reg* pRegList) {

	__asm {
		push    ebp                
		mov     ebp, esp           
		push	esi
		push	edi
		push	ebx
		
		mov		eax, dword ptr ds:[MythicInterfacePtr]
		mov		eax, [eax]
		mov		esi, [eax+0Ch]
		test	esi,esi
		jz	__noLS

		mov		ecx, [esi]
		

		mov		eax, dword ptr ds:[lua_GStringPtr]  // "_G"
		mov		ecx, [ecx]
		push	pRegList

		mov		ebx, dword ptr ds:[lua_registerPtr] // lua_register
		call	ebx
		add     esp, 4
		
__noLS:
		pop		ebx
		pop		edi
		pop		esi
		pop		ebp
		ret
	}
}

If you want to execute lua code use this function

Code:

void __cdecl LuaExtender::DoString( char* LuaCommand ) {
	
	 size_t StrSize = strlen(LuaCommand);

	 __asm {
        push	esi
		push	ebx
		 
		mov		eax, dword ptr ds:[MythicInterfacePtr]
		mov		eax, [eax]
		mov		esi, [eax+0Ch]

		mov		eax, LuaCommand
		push	offset g_DoStringName; 
		push	StrSize

		mov		ebx, dword ptr ds:[lua_ExecuteBufferPtr] 
		call	ebx

		pop		ebx
		pop		esi
	 }
 }

This function retrieves the lua_State Pointer ( this is not the LuaPlus State, it is the lua state owned by it)

Code:

lua_State* __cdecl LuaExtender::GetWarLuaState() {
	__asm {
		mov		eax, dword ptr ds:[MythicInterfacePtr]
		mov		eax, [eax]
		mov		eax, [eax+0Ch]
		mov		eax, [eax]
		mov		eax, [eax]
	}

}

Lua Example Function :

This function pointer can be used to retrieve an Entity by its GUID.

Code:

extern "C" {
	WarEntityBase* (__cdecl *  GetEntity)(int GUID) = reinterpret_cast<WarEntityBase* (__cdecl *  )(int )>(0x0040822D) ;
}


WarEntityBase* GetEntityByID(DWORD ID) {
	return ::GetEntity(ID);
}

This is how you define your own lua functions:

Code:

const war_luaL_Reg ext_funcs[] = {
	{"GetEntity",GetEntity},
	{NULL,NULL}
};

static int __cdecl GetEntity( lua_State* L ) {
	
	if ( lua_gettop(L) ) {
		WarEntityBase* pEntity = GetEntityByID(lua_tointeger(L,-1));
		
		if (pEntity) {
			int idx = FillEntityData(L,pEntity); // The FillEntityData just builds a lua table with the Entitys Data.

			if (idx) {
				return 1;
			}
		}
	}
	lua_settop(L,0);
	return 0;
}

Example how to use the CPlayerTargetTracker:

This is a lua function. It returns a lua table with tracker information and a subtable for every target type ( hostile, friendliy, default (don't now what it is) , and mouse ( mouseover Target )

Code:

signed int __cdecl GetTargets( lua_State* L ) {

	lua_newtable(L);
	int tableidx = lua_gettop(L);
	const char* TargetType[5] = {"hostile","friendly","default","mouse"};

	if (m_pPlayer->m_pTargetTracker) {
		lsetI(tableidx,"VtablePtr",m_pPlayer->m_pTargetTracker->vtable);
		lsetI(tableidx,"PlayerPtr",(DWORD)m_pPlayer->m_pTargetTracker->m_pPlayer);
		lsetI(tableidx,"ID04718CE0",m_pPlayer->m_pTargetTracker->ID04718CE0);
		lsetI(tableidx,"ID0463DF40",m_pPlayer->m_pTargetTracker->ID0463DF40);
		lsetI(tableidx,"ID0463DEC0",m_pPlayer->m_pTargetTracker->ID0463DEC0);
		lsetI(tableidx,"ID02690618",m_pPlayer->m_pTargetTracker->ID02690618);
		lsetI(tableidx,"TargetInfo", m_pPlayer->m_pTargetInfo);
		for (int i=0; i<4 ; i++) {
			lua_pushstring(L,TargetType[i]); // key for main table
			lua_newtable(L); // value for main table
			int sidx = lua_gettop(L);
			lsetI(sidx,"GUID",(DWORD)m_pPlayer->m_pTargetTracker->m_TargetEntrys[i].TargetGUID);
			lsetI(sidx,"ID04715148",(DWORD)m_pPlayer->m_pTargetTracker->m_TargetEntrys[i].ID04715148);
			lsetI(sidx,"ID04728620",(DWORD)m_pPlayer->m_pTargetTracker->m_TargetEntrys[i].ID04728620);
			lsetI(sidx,"ID0472BA08",(DWORD)m_pPlayer->m_pTargetTracker->m_TargetEntrys[i].ID0472BA08);
			lsetF(sidx,"Distance",(DWORD)m_pPlayer->m_pTargetTracker->m_TargetEntrys[i].m_Distance);
			lua_settable(L,tableidx); // Set main table
		}
		return 1;
	}
	lua_settop(L,0);
	return 0;
}

[taku.gamer]

What exactly are you using to compile it? Sorry LUA is very foreign to me, I'm only semi-familiar with VisualBasic and some C++

[suicidity]

Well if you were anything familiar with Java / C / C# / C++; You would realize that this is C#, not LUA.

Good work to the OP, +rep.

[taku.gamer]

=] I didn't look too deep at the code, it said LUA and I just skipped past it xD.

[Pickled]

Good work hans, although you pasted a whole load of excess junk using that REClass stuff, no need to bloat all your structures like that, will give you a/anyone headache

I have full lua hooks for my WAR Bot, my approach is utilising templates to grab any data, you also have to be careful to framelock/spinlock when accessing the lua stack incase you corrupt it, as GUI threads will access it often (assuming you access it from your own thread).

Suicidity, if you were anything familiar with C/C++/C# you would realise this is not C#. It's C.

Hans, if you need any help just drop me a PM.

Code:

luadata<int> v("GameData.Player.inCombat");

//other examples of extracting all the abilities for the current class
//useful for casting by id, name etc.
void Scourge::UpdateAbilityTable(DWORD Type)
{
	std::basic_string<wchar_t> script;

	wchar_t buf[4];
	wsprintfW((LPWSTR)&buf[0],L"%d",Type);

	script = L"scourge = {}; for k,v in pairs(Player.GetAbilityTable(";
	script.append(buf);
	script.append(L")) do table.insert(scourge,v) end");
	
	lua_State* Lu = pSInterface->GetLua();
	DoLuaScript(script);
	
	int init = lua_gettop(Lu);
	lua_getglobal(Lu,"scourge");
		
	if(lua_istable(Lu,-1))
	{
		int t = lua_gettop(Lu);
		LUAParseAbilityTable(Lu,t);
	}

	int cur = lua_gettop(Lu);
	lua_pop(Lu,cur-init);
}

[suicidity]

Suicidity, if you were anything familiar with C/C++/C# you would realise this is not C#. It's C.

Good catch, that was a typo; Wrote the post @ 4am, meant C.

[HansW]

Good work hans, although you pasted a whole load of excess junk using that REClass stuff, no need to bloat all your structures like that, will give you a/anyone headache

I have full lua hooks for my WAR Bot, my approach is utilising templates to grab any data, you also have to be careful to framelock/spinlock when accessing the lua stack incase you corrupt it, as GUI threads will access it often (assuming you access it from your own thread).

Suicidity, if you were anything familiar with C/C++/C# you would realise this is not C#. It's C.

Hans, if you need any help just drop me a PM.

[/code]

Thanx for the reply. The reason for the bloated sturcts is, that i generate Type Information for IDA Pro from it. I'am using the hexrays decompiler alot and it really helps reading the code, if things look like Entity->unk_0x0004 instead of *(dword*)(V10+0x04). I also walked through the constructors to build these structs, so in theory every struct member is a class member variable. Everytime i identify one, i replace the cryptic name with what it really is. As for the race conditions with other threads i plan to make core bot routines in lua , so they run inside the normal lua script thread that WAR has. I've not really looked into the critical sections (c++ wise) that are in the client, but maybe i will.

BTW. Just found the routine to add a Map marker for an Entity. I think i will build a little ingame War Radar.

Good till tomorrow so be quick ;-)

Code:

void (__cdecl * CreateMapPin)(WarEntityBase *a1, signed int PinType) = reinterpret_cast<void (__cdecl *  )(WarEntityBase *,signed int  )>(0x0059885B);

[HansW]

i updated the pointers for todays patch..

[HansW]

Another patch. i will update the structs and pointers later.

[Timmytimmelson]

You have access to all three targets ( friendly, hostile, mouseover ) through that.

I'm trying to write a simple bot for WAR right now, but I barely know what I'm doing in terms of what I want in the game memory...
If i read from the playerPtr + the offset for the target tracker i get = ?
what i really want is what will point me to the target object's xyz data/hostile or not/and hp

thanks for reading

[HansW]

do the following ( i assume you are accessing the war process from the outside )

1. Get the Player pointer by reading it from the PlayerPtr Address ( see other threads for the latest pointers )
2. now add 0x0254 to the Player pointer you read to get the Tracker Address.
3. read the TargetTracker Pointer from that address.
4. From the TargetTracker Pointer you read sizeof(CPlayerTargetTracker) Bytes and cast them to CPlayerTargetTracker

You won't get the Target Position or HP, only the distance to the player and the Target GUID. With the GUID you can search the EntityList to get what you want.

Hope that helps.

[PharmerPhale]

struct CPlayer
{
public:
...
float m_RunSpeed; // 0x0094
float ID02652A98; //0x0098 defaulted to 3f80000
float ID02652438; //0x009C defaulted to 3f80000
float m_Run; //0x00A0

Are these two run-related offsets still working for you, HansW? Most of the other information you provided was accurate. However, I think I found my m_Run at 0x00A4 (1 for moving, 0 for not). Still unable to find a speed though. 0x0094 has always returned a 0 value. If anyone has info on these two maybe let me know. I'll keep searching too.

[HansW]

The speed is at 0x0098 , it is 1 for normal and 1.2 if you flee. you can just set it to any value. As to the m_Run indicator, i don't use those. i call the functions that are used to move the player if you press the according keys.

[PharmerPhale]

Thanks for the info HansW. A minor correction to your post; 1.3(1.29999...) speed on flee. Could be useful to someone calculating the ETA for a waypoint system while taking advantage of flee every 30 seconds. Or something... =/

[fepple]

Any idea if/where the maximum zoom level is stored?