A New way to get the s_curMgr pointer menu

  1. #1
    kynox

    A New way to get the s_curMgr pointer

    Well, I only discovered this today while reversing WoW's packet handler. It has pros and cons though.

    Pros:
    Less Code
    More Efficient

    Cons:
    Have to find the offset each patch (unless you use signature scanning to automatically find it).

    Code:
        DWORD* g_clientConnection    = (DWORD*)0x00D43468;
        DWORD  s_curMgr              = NULL;
    
        // Wait until the client connection object has been created
        while ( *g_clientConnection == NULL )
            Sleep( 100 );
    
        // The object manager pointer lives at +0x21E8 inside the client connection
        while ( ( s_curMgr = *(DWORD*)( *g_clientConnection + 0x21E8 ) ) == NULL )
            Sleep( 100 );
    
        // Loop through objects, yay!
    Last edited by kynox; 04-01-2008 at 09:07 AM.

  2. #2
    UnknOwned
    Found anything interesting in the packet handler?

  3. #3
    ABitHazy
    Hmm. All my code is based on the wowsharp stuff and thus I have been using s_CurMgr in my code as the base address. I've never really known what it was though. It's somehow related to TLS I assume? If you know I would love to know how.

    Up until now I've been finding it through a very, very cumbersome method:
    I find the player base
    then find a pointer to it
    take s_curMgr_NextObject (60 decimal) from this to get a possible object base
    add s_curMgr_TypeOffset (20 decimal) and read it; if it's a number between 1 and 7 then I assume it's a proper object.
    so find another pointer to the object's base
    take s_curMgr_NextObject (60 decimal) from this to get a possible object base
    add s_curMgr_TypeOffset (20 decimal) and read it; if it's a number between 1 and 7 then I assume it's a proper object.
    Continue like this till I get to the first object (there won't be any other objects that reference it)
    Find all references to the 1st object's base
    take s_curMgr_FirstObject (172 decimal) from them
    find pointers to these new addresses
    These are the possibilities for s_CurMgr

    There are usually only a few so I just close down the game, reopen it and test them all out.

    Stupid, stupid way. But it works and I don't know any other way to do it.

    This looks like it could save me hours every patch if it works. What's the DWORD* g_clientConnection = (DWORD*)0x00D3C468;

    Does the address 0x00D3C468 ever change? I.e. will it change through patches?

    Cheers,
    Hazy.

  4. #4
    AticAtac
    The address 0x00D3C468 can and will change with each patch.
    All these methods are for finding THAT ONE address from where you start to iterate through the object list. The other attributes (x, y, z, ...) are then relative. So everyone might have his own method and come to the same result, since WoW (and all other applications) are full of pointers.
    So far TLS is nothing magic or must-have to use, since it finds the slot which can then be used with the TEB address (thread-base address) to refer to the first object pointer. But having the TLS offset is not enough, you still need to figure out where the first object begins. Patch 2.4 showed this: not only was the base address changed (swapped with guid), also the offset to the first object was changed from 0xac to 0xc!
    All this made me think (look at my other thread) to automate this process regardless of TLS or any other methods. I don't want to hunt for the object list, attributes, etc. again and I am sure it can be automated (actually I've done it!).
    So let the computer search for you; there is enough *unique* information there to find the proper addresses, offsets, etc.

  5. #5
    kynox
    Just to add, my offset dumper reports the new offset is 0x00D43468. I've attached a log in case anyone finds it useful!

    So far TLS is nothing magic or must-have to use, since it finds the slot which can then be used with the TEB address (thread-base address) to refer to the first object pointer. But having the TLS offset is not enough, you still need to figure out where the first object begins.
    That is completely wrong! The object manager (s_curMgr) is the variable inside of the TLS. To get the first object in the array you simply go:

    Code:
    struct ListObject
    {
        char unknown0[0x3C];   // padding up to the Next link
    
        ListObject* Next;      // 003C: next object in the list
    
        char unknown1[0x6C];   // padding up to the First link
    
        ListObject* First;     // 00AC: first object (valid on the manager itself)
    };
    
        // The object manager pointer sits in the TLS slot at +0x10
        ListObject* curMgr = *(ListObject**)(TLSPTR + 0x10);
        ListObject* firstObject = curMgr->First;
        ListObject* ptr = firstObject;
    
        // A pointer with bit 0 set marks the end of the list
        while ( ptr && ( (DWORD)ptr&1 ) == 0 )
        {
            CObject* pObject = (CObject*)ptr;
            // Do your shit
    
            firstObject = ptr;
            ptr = firstObject->Next;
            if ( ptr == firstObject )   // self-link also terminates the list
                break;
        }
    Or using my new method

    Code:
        DWORD* g_clientConnection    = (DWORD*)0x00D43468;
        DWORD  g_curMgr              = NULL;
    
        // .............
    
        // Wait until the client connection object has been created
        while ( *g_clientConnection == NULL )
            Sleep( 100 );
    
        // The object manager pointer lives at +0x21E8 inside the client connection
        while ( ( g_curMgr = *(DWORD*)( *g_clientConnection + 0x21E8 ) ) == NULL )
            Sleep( 100 );
    
    
        ListObject* curMgr = (ListObject*)g_curMgr;
        ListObject* firstObject = curMgr->First;
        ListObject* ptr = firstObject;
    
        // A pointer with bit 0 set marks the end of the list
        while ( ptr && ( (DWORD)ptr&1 ) == 0 )
        {
            CObject* pObject = (CObject*)ptr;
            // Do your shit
    
            firstObject = ptr;
            ptr = firstObject->Next;
            if ( ptr == firstObject )   // self-link also terminates the list
                break;
        }
    Found anything interesting in the packet handler?
    Well, it's partly how I achieved the on-the-fly model editing/scaling (see the Model Edit show off forum). I was able to trace through the SMSG_UPDATE_OBJECT packet handler and see how it updated the player model.

    FYI: 0x00680DF0 is the PacketHandler (2.4.1)
    00680E1B |. 8B44BE 74 MOV EAX,DWORD PTR DS:[ESI+EDI*4+74] ; ESI = Class EDI = Opcode pClass+0x74 = Start of handler functions.

    so pClass + (Opcode*4 + 0x74) = Handler

    </WALLOFTEXT>
    Last edited by kynox; 04-01-2008 at 09:25 AM.
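    The list walk kynox describes, as an added example that is not code from the thread: it applies the same Next (0x3C) / First (0xAC) layout to a constructed 32-bit memory image instead of a live process, assuming an image base of 0x10000000 and 0x100 bytes between the constructed objects, and adds a step bound on top of the sentinel and self-link checks so a corrupted link cannot spin forever.

```c
/* Added example, not code from the thread: walks the object manager's intrusive
 * list with the layout kynox posted (Next at 0x3C, First at 0xAC) over a
 * constructed 32-bit memory image, with the sentinel, self-link and a step bound. */
#include <stdint.h>
#include <string.h>
#define OFF_NEXT   0x3Cu        /* ListObject::Next  (from the thread) */
#define OFF_FIRST  0xACu        /* ListObject::First (from the thread) */
#define OFF_TYPE   0x14u        /* type field, 20 decimal (ABitHazy's post) */
#define IMAGE_BASE 0x10000000u  /* assumed base address of the constructed image */
#define IMAGE_SIZE 0x1000u
#define OBJ_STRIDE 0x100u       /* assumed spacing between constructed objects */
static uint8_t g_image[IMAGE_SIZE];   /* stands in for the game's memory */

/* 32-bit little-endian read at a "virtual address"; fails outside the image */
static int read32(uint32_t va, uint32_t *out) {
    if (va < IMAGE_BASE || va + 4 > IMAGE_BASE + IMAGE_SIZE) return 0;
    memcpy(out, g_image + (va - IMAGE_BASE), 4);
    return 1;
}
static void write32(uint32_t va, uint32_t v) { memcpy(g_image + (va - IMAGE_BASE), &v, 4); }

/* Constructed image: manager at slot 0, n objects after it. The last Next is
 * either the sentinel (manager address with bit 0 set) or a link to itself. */
uint32_t build_image(int n, int self_loop_last) {
    uint32_t mgr = IMAGE_BASE;
    memset(g_image, 0, sizeof g_image);
    write32(mgr + OFF_FIRST, n > 0 ? mgr + OBJ_STRIDE : (mgr | 1u));
    for (int i = 0; i < n; i++) {
        uint32_t obj = mgr + (uint32_t)(i + 1) * OBJ_STRIDE;
        write32(obj + OFF_TYPE, 1u + (uint32_t)(i % 7));   /* plausible type 1..7 */
        write32(obj + OFF_NEXT, i + 1 < n ? obj + OBJ_STRIDE : self_loop_last ? obj : (mgr | 1u));
    }
    return mgr;
}

/* Walk from curMgr->First; returns objects visited, -1 on a bad pointer or type. */
int walk_objects(uint32_t curMgr, int max_steps) {
    uint32_t ptr, prev, type;
    int count = 0;
    if (!read32(curMgr + OFF_FIRST, &ptr)) return -1;
    while (ptr && (ptr & 1u) == 0 && count < max_steps) {   /* bit 0 set = end marker */
        if (!read32(ptr + OFF_TYPE, &type) || type < 1 || type > 7) return -1;
        count++;
        prev = ptr;
        if (!read32(prev + OFF_NEXT, &ptr)) return -1;
        if (ptr == prev) break;                              /* self-link terminator */
    }
    return count;
}
```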

  6. #6
    AticAtac
    Thanks for the info.

    I was using greyman's method with tls and obviously yours is more clear and easier. I have to rethink my routines.

    Very interesting information you provided here!
