Need help with next phase:

[ShoniShilent]

i am moving on and had some initial success. however, i need help-

i found the following code segment:

007FAFDF CC INT3
007FAFE0 55 PUSH EBP
007FAFE1 8BEC MOV EBP,ESP
007FAFE3 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
007FAFE6 8B00 MOV EAX,DWORD PTR DS:[EAX]
007FAFE8 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
007FAFEB 2B01 SUB EAX,DWORD PTR DS:[ECX]
007FAFED 5D POP EBP
007FAFEE C3 RETN
007FAFEF CC INT3
007FAFF0 A1 38AAE800 MOV EAX,DWORD PTR DS:[E8AA38]
007FAFF5 8B88 20010000 MOV ECX,DWORD PTR DS:[EAX+120]
007FAFFB 8079 79 09 CMP BYTE PTR DS:[ECX+79],9
007FAFFF 75 13 JNZ SHORT WoW.007FB014
007FB001 6A 00 PUSH 0
007FB003 8D88 F0250000 LEA ECX,DWORD PTR DS:[EAX+25F0]
007FB009 68 79180000 PUSH 1879
007FB00E E8 ED38DFFF CALL WoW.005EE900
007FB013 C3 RETN
007FB014 33C0 XOR EAX,EAX
007FB016 C3 RETN
007FB017 CC INT3


note:

007FAFF0 A1 38AAE800 MOV EAX,DWORD PTR DS:[E8AA38]

this points to the player struct, from what i can gather. for instance:

if [E8AA38] = 19c10008

then 19c10008 + bf8 is the address which holds FLOAT for player Z coordinate.

so i have the following questions:


1) is there a list of current offsets for various useful information for the player struct? for instance the player mana, health, etc.

2) how do i get to the pointer to the list of what is around the player? is there an offset in the player struct that points to it?


I am not using TLS for the above but below here is what I found:

also i found the following code:

0077624E CC INT3
0077624F CC INT3
00776250 55 PUSH EBP
00776251 8BEC MOV EBP,ESP
00776253 A1 84AAE800 MOV EAX,DWORD PTR DS:[E8AA84]
00776258 64:8B0D 2C000000 MOV ECX,DWORD PTR FS:[2C]
0077625F 53 PUSH EBX
00776260 56 PUSH ESI
00776261 8B3481 MOV ESI,DWORD PTR DS:[ECX+EAX*4]
00776264 8B86 10000000 MOV EAX,DWORD PTR DS:[ESI+10]
0077626A 05 A8000000 ADD EAX,0A8
0077626F 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
00776272 A8 01 TEST AL,1
00776274 57 PUSH EDI

note:

00776253 A1 84AAE800 MOV EAX,DWORD PTR DS:[E8AA84]
00776258 64:8B0D 2C000000 MOV ECX,DWORD PTR FS:[2C]
0077625F 53 PUSH EBX
00776260 56 PUSH ESI
00776261 8B3481 MOV ESI,DWORD PTR DS:[ECX+EAX*4]

[e8aa84] holds the tls slot which ends up being 0 during run time

FS:[2C] holds the tls base address which ends up being 167ab0 at run time

so, MOV ESI,DWORD PTR DS:[ECX+EAX*4]

is [167ab0+0*4] which is

167ab0

this is supposed to be the WOWBase as described in thread:

http://www.mmowned.com/forums/wow-me...-tls-help.html

and then

WOWbase + 8 = Player GUID 8 byte long ( __int64 )
WOWbase + 16 = Addres of Objects list around player

when i add 8 to that i get 167ab8 (player GUID?)
when i add 16 to that (or hex 10) i get 167ac0 (Address of Objects?)

unfortunately, the above addresses neither hold any useful info nor do they point to any usefull address.

167ab8 has the following bytes:

00167AB0 C0 21 19 00 88 01 15 00 05 00 02 00 D7 01 08 00

and 167ac0 has:

00167AC0 00 00 00 00


so i can get to the player struct, but unfortunately i cannot seem to find the objects address like i should be able to. is there a way to point to the objects address once you have the player struct address? or do you HAVE to do the TLS method, which apparently I am doing wrong here since the values aren't showing what they should-

any help would be appreciated.

[KOS0937]

it's nice to see your enthusiasm, but please use the search function....
http://www.mmowned.com/forums/wow-me...ob-struct.html

[ShoniShilent]

it's nice to see your enthusiasm, but please use the search function....
http://www.mmowned.com/forums/wow-me...ob-struct.html

i looked at that page (and several others regarding TLS) before posting my question. there's alot of great information on that page and i am sure i will find it useful as i move forth. i don't wish to sound ungrateful or even lazy, but where on that page or in the following code segment is the answer to my question(s)?

struct mob_struct
{

__int64 guid; // unique mob identifier
int unknown1; // always 9?
int id; // mob id, can look up on www.thottbot.com/c<this number>
float selection_circle_size; //last patch prevents changing this to take effect
char zero[0x2c];
__int64 target; // mob current target
char zero2[0x10];
int current_health;
int zero3[2]; // mana %?
int health2;
int zero4;
int unknown3; // 40 42 0f 00
int health3; // not health
int unknown4; // 3c = 60, sometimes 79
int zero5;
int health4; // not health
int zero6;
int unknown5; // 40 42 0f 00
int level;
int con; // 07 = yellow, 14 = red, 1604 = green
int unknown7; // 00 02 02 00
int zero7[0x24];
int combat; // 00 00 00 00 = OOC, 00 08 08 00 = IC (526336)
};


i need to find the address that points to the list of objects around the player. perhaps i missed something glaring in that thread? i posted alot of info up there and maybe i am going down the wrong path, but i see nothing that helps me along here. that mob struct is useful once i get to the pointer that points to the mobs. thanks again for the speedy replies, but i am still lost here:

i am not doing the TLS correctly to begin with so there's no need to know the mob structure if i am not accessing the mob addresses correctly. please help!

i also see this:

TWoWObject = record
DontCare1: Integer;//0x00
DontCare2: Integer;//0x04
DontCare3: Integer;//0x08 pointer to compl. struct i.e. eObjectFields
DontCare4: Integer;//0x0C end of compl. struct
DontCare5: Integer;//0x10
ObjectType: Integer; //0x14 == 1..7
DontCare7: Integer;//0x18
DontCare8: Integer;//0x1C
DontCare9: Integer;//0x20
DontCare10: Integer;//0x24 ptr to item-struct?
PtrCheck: Integer;//0x28 PtrCheck == NextPtr while NextPtr --> WoWObject
DontCare12: Integer;//0x2C
GUID: Int64; //0x30 GUID
DontCare13: Integer;//0x38 end of each item-struct element (ptr to the next)?
NextPtr: Integer; //0x3C
end;

but don't really know what this is referring to. is:

DontCare3: Integer;//0x08 pointer to compl. struct i.e. eObjectFields

the pointer to the stuff around the player? if so then:

if [E8AA38] = 19c10008

then 19c10008+08 = pointer to objects around player?

[KOS0937]

exactly, [E8AA38]+8 points to eObjectFields. If it's a player this eObjectFields struct will be followed by eUnitFields and ePlayerFields. So to find the health of a unit, you have to:
-follow [E8AA38]+8 to the eObjectFields
-add the size of eObjectFields (0x1
-add UNIT_FIELD_HEALTH (from the eUnitFields struct; = 0x40)
and you've got the pointer to the HP:
[[E8AA38]+8]+58

[ShoniShilent]

exactly, [E8AA38]+8 points to eObjectFields. If it's a player this eObjectFields struct will be followed by eUnitFields and ePlayerFields. So to find the health of a unit, you have to:
-follow [E8AA38]+8 to the eObjectFields
-add the size of eObjectFields (0x1
-add UNIT_FIELD_HEALTH (from the eUnitFields struct; = 0x40)
and you've got the pointer to the HP:
[[E8AA38]+8]+58

ok, now we are getting somewhere! thanks very much!

this shows MY health and so i assume as the PLAYER that my info is always first. so my last question is how to access the NEXT object/data, etc. and then how do i know we are complete running throught the list?

also, is this how you determine the size of eObjectFields as (0x1? note:

enum eObjectFields {
OBJECT_FIELD_GUID=0x0,
OBJECT_FIELD_TYPE=0x8,
OBJECT_FIELD_ENTRY=0xC,
OBJECT_FIELD_SCALE_X=0x10,
OBJECT_FIELD_PADDING=0x14,
TOTAL_OBJECT_FIELDS=0x5
};

so OBJECT_FIELD_PADDING=0x14 takes up 4 bytes then which starts the next data at 0x18?


thanks so very much for all of the feedback so far!

[KOS0937]

that'S exactly how i've got 0x18 as the structs size.

To get the next object / unit / mob you have to follow the pointer at 0x3C.
That is [E8AA38]+3C points to the next object so
[[E8AA38]+3C] + 8 points to the eObjectFields struct of the first object that is not the player (yes, the first one is always the current player).

You can follow this pointer at 0x3C as long as it is the same as the pointer at 0x28. As soon as ?+28 differs from ?+3C (by exactly 0xA0) you have reached the end of the list (usually something between 50 and 150 objects are in this list)

[Zombie911]

WOWbase + 8 = Player GUID 8 byte long ( __int64 ) <-- It no pointer, it 8 byte integer, read 8 bytes

WOWbase + 16 = Addres of Objects list around player

Sorry for not fully answer.
After you got address, add 0xC to him and read 4 byte integer, now you got address where Object list begin.
From new address, start read this structure.

Code:

struct TObject{
	DWORD dummy0;
	DWORD dummy2;
	DWORD UnitData;
	DWORD dummy3;
	DWORD count;
	DWORD ObjectType;
	DWORD dummy5;
	DWORD dummy6;
	DWORD dummy7;
	DWORD dummy8;
	DWORD dummy10;
	DWORD dummy11;
	__int64 GUID;
	DWORD dummy12;
	DWORD NextPtr;
};

At NextPtr locate address of next object data.
My source code http://www.mmowned.com/forums/wow-me...-tls-help.html