Finding TLS addresses (how to?)
  1. #1 mrbrdo (Member)

    OK, so a lot has been said about searching values for static addresses. But with the TLS method being so much more effective, I stopped searching for static addresses.

    So how do you guys get the offsets you can use with TLS? Do you use the old leaked source, use Olly to trace, or search for a pointer to the found value? Is there something written on this matter already?
    Also, sometimes you get multiple addresses for the same value. How do you know which of those is the static one that will not change with a WoW restart, or in any case which one to use?

    Oh, one more thing: are tools like TSearch or Cheat Engine detected by WoW? I used TSearch a while ago and I didn't get banned or anything, but I'm not sure if I used it on the live servers... I only read values, not write, though (I did freeze, though).

    Thank you again, oh great masters.
    Last edited by mrbrdo; 06-21-2008 at 09:20 PM.

  2. #2 blizzo (Member)
    ** All addresses are for 2.4.2 and in hex, of course **
    ** I dunno anything about what Warden does or how it works **

    You really need to disassemble the executable and follow the calls to find out what is going on. I use IDA cos the debugger is nice, and the graph view is like the best thing ever!

    There is some code at 00774CA0h (a function that returns the GUID of the current player) that accesses the Thread Information Block and specifically [FS:2Ch] which holds the linear address of the thread-local storage array.
    You can read the values of the segment registers out of process by using GetThreadContext (the docs for _CONTEXT aren't great and you have to look in winnt.h for real details - but they are there) and GetThreadSelectorEntry which is how kynox (+Rep) did it.

    There is also some interesting code around 00776100h which includes some strings like "Object manager list status:" and "Active objects: %u obj..." - worth looking at. It accesses the list of objects, so you can see where the pointer to the first object is (+ACh).

    Once you have the pointer to the object manager and the pointer to the first object, then you can read the data there into a struct. The first DWORD is a pointer to the VTable for that object. The VTable is useful for finding cool functions. The VTable for the player class is at 008A8BF0h, and you can see functions like GetName at 008A8C98h, which you can follow and reverse to see what data they access, and then do the same in your language of choice. The offsets you find will (probably) be relative to the start of the current object; you can just ReadProcessMemory them and do whatever you like with the result. Shynd has done this with the GetFactionReaction function and has posted some good source code in his blog, GetUnitReaction « Shynd’s WoW Modification Journal.

    Hmm, looks like I went off on one there - hope any of that information is useful to you or anyone else who might read it.
    Also, freezing a value with TSearch or CE will write to that address every 250 ms (by default in CE).

  3. #3 mrbrdo (Member)
    Great info, thank you. I have IDA and I will try it. (+rep)

    Does anyone else know if CE/TSearch is detected by Warden? I heard there are some modified versions of CE that aren't detected; does that mean the original is? Because some people just try to scam you (download this undetectable version of whatever and it's a viruz), so I'm not completely sure, and TSearch seemed to work fine.

    Thanks

  4. #4 kynox
    Warden at this stage isn't scanning windows/processes, though it does scan modules, module names and drivers. So unless your tool does any of the aforementioned things, you should be fine.
