Tls 2.4.3 C# does this look reasonable?

  1. #1
    Nesox's Avatar ★ Elder ★

    Hi, it's been a while since I posted anything, but I'm doing it now, so if anyone would like to answer some of my questions it would be kind.

    1. The new TLS index for 2.4.3 is 0xE2563C, right? I looked it up with IDA.

    2. This part of the code I don't fully understand. The slot is the TLS index, right?
    And the tlsoffset: I read on another thread that it should be 0x08 for 2.4.3, but if you look at the other piece of code, it reads the TLS offset from the base address of the thread + 0x2C? And the value of the offset would be 0x153500.

    Code:
    int tlsoffset = m_Memory.ReadInteger((int)tbi.TebBaseAddress + 0x2C);
    int targetslot = m_Memory.ReadInteger(tlsoffset + (slot * 4));
    WowObjectBasePointer = m_Memory.ReadInteger(targetslot + 8);
    long MyGUID = m_Memory.ReadLong(targetslot + 16);

    3. After you get the WowObjectBasePointer, how would you go on to copy/enumerate the mob/player data struct?

    I know some of these questions have been asked before, and kynox posted C++ source for an app that fetches the pointer. But have mercy, I'm currently learning C++ and have 1 book. I've been studying C# for about 1 year now and also bought a book recently: Exploiting Online Games: Cheating Massively Distributed Systems. It's quite nice and helped me some.


    This is the output I'm getting now.

    Code:
    // Requires: using System; using System.Diagnostics; using System.Runtime.InteropServices;
    // MemoryReader and the P/Invoke declarations (CreateToolhelp32Snapshot, Thread32First,
    // Thread32Next, OpenThread, NtQueryInformationThread, CloseHandle) are defined elsewhere.
    int WowObjectBasePointer = 0;

    uint THREAD_QUERY_INFORMATION = 0x40;
    IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1); // failure value of CreateToolhelp32Snapshot
    IntPtr snaphandle = IntPtr.Zero;
    IntPtr threadhandle = IntPtr.Zero;

    MemoryReader m_Memory = new MemoryReader();
    Process[] listProcesses = Process.GetProcesses();

    int PID = 0;
    bool WoWfound = false;

    // Locate the process by its main window title.
    int index = 0;
    for (int i = 0; i < listProcesses.Length; i++)
        if (listProcesses[i].MainWindowTitle == "World of Warcraft")
        { PID = listProcesses[i].Id; WoWfound = true; index = i; break; }

    if (!WoWfound)
    {
        MessageBox.Show("Unable to find Wow");
        return WowObjectBasePointer; // no process opened, nothing to read
    }
    m_Memory.Open(listProcesses[index]);

    // The TLS index (slot) is stored at this address.
    int slot = m_Memory.ReadInteger(0xE2563C);

    snaphandle = CreateToolhelp32Snapshot(MemoryReader.TH32CS_SNAPTHREAD, 0);
    // IntPtr is a value type, so comparing it with null is always true; test the failure value.
    if (snaphandle != INVALID_HANDLE_VALUE)
    {
        THREADENTRY32 info = new THREADENTRY32();
        info.dwSize = (uint)Marshal.SizeOf(typeof(THREADENTRY32));
        bool morethreads = true;
        bool found = false;
        if (Thread32First(snaphandle, ref info))
        {
            while (morethreads && !found)
            {
                if (info.th32OwnerProcessID == m_Memory.ReadProcess.Id)
                {
                    threadhandle = OpenThread(THREAD_QUERY_INFORMATION, false, info.th32ThreadID);
                    if (threadhandle != IntPtr.Zero) // OpenThread returns NULL on failure
                    {
                        THREAD_BASIC_INFORMATION tbi = new THREAD_BASIC_INFORMATION();
                        if (NtQueryInformationThread(threadhandle, 0, ref tbi, (uint)Marshal.SizeOf(typeof(THREAD_BASIC_INFORMATION)), IntPtr.Zero) == 0)
                        {
                            // TEB + 0x2C is ThreadLocalStoragePointer on 32-bit Windows: the thread's TLS array.
                            int tlsoffset = m_Memory.ReadInteger((int)tbi.TebBaseAddress + 0x2C);
                            // Each array entry is a 4-byte pointer, so the slot is scaled by 4.
                            int targetslot = m_Memory.ReadInteger(tlsoffset + (slot * 4));
                            WowObjectBasePointer = m_Memory.ReadInteger(targetslot + 8);
                            long MyGUID = m_Memory.ReadLong(targetslot + 16);
                            string status_string = "Base pointer found: " + WowObjectBasePointer.ToString("X") + "\n";
                            status_string += "GUID of player:     " + MyGUID.ToString("X") + "\n";
                            found = true;

                            label1.Text = status_string;
                        }
                        // Close the thread handle whether or not the query succeeded.
                        CloseHandle(threadhandle);
                    }
                }
                info.dwSize = (uint)Marshal.SizeOf(typeof(THREADENTRY32));
                morethreads = Thread32Next(snaphandle, ref info);
            }
        }
        CloseHandle(snaphandle);
    }
    return WowObjectBasePointer;
    Last edited by Nesox; 08-14-2008 at 12:33 PM.

  2. #2
    kynox's Avatar Account not activated by Email
    I, for one, no longer use the TLS to read the s_curMgr pointer, as I found an easier method.

    Simply read from [ [0x00D43318] + 0x2218 ] and you have your pointer!

  3. #3
    Sychotix's Avatar Moderator Authenticator enabled
    you converted to my methods! =P TLS = noobzor =D

  4. #4
    Cypher's Avatar Kynox's Sister's Pimp
    Originally Posted by Sychotix
    you converted to my methods! =P TLS = noobzor =D

  5. #5
    Apoc's Avatar Angry Penguin

  6. #6
    Cypher's Avatar Kynox's Sister's Pimp
    Originally Posted by Apoc

    Win picture. Saved.

  7. #7
    Nesox's Avatar ★ Elder ★
    Hehe, OK, I'm looking at the Journal and his sample code, ExternalFindPattern, but after you get the s_CurMgr pointer according to Shynd's sample code, I got s_CurMgr to be 0x0173C708, so if you read from that, that's the address to the s_CurMgr, right? Then what? Sorry for maybe a stupid question, but I'm not really good at reversing, although I'm a bit into Lena's reversing for noobies! =)
