A morpher for 3.3.5 ? How it works ?

[poke123]

hello, I saw different programs for morph an unit client-side (eg: http://www.mmowned.com/forums/world-...a-3-0-9-a.html) but I would like to know how it works and how I can do it in AutoIt (or C#)
I have not seen any Thread on this subject but I could be wrong.

edit: apparently I need the address of UptdateModel but it is not in the info dump thread how can I get this adress ?
re-edit: Ok i've find the adress but I don't know how I can call the function I am new in ASM injection it's UpdateModel = 0x73e410

I've try:

Code:

uint dwCodeCaveMorphF = w.AllocateMemory(0x3000);
            uint dwMorphTargetBase = 0x2700;
            uint t = w.ReadUInt(13469608);
            uint t2 = w.ReadUInt(t + 52);
            uint playermorphbase = w.ReadUInt(  t2+ 36);
                dwMorphTargetBase += dwCodeCaveMorphF;
 
                w.Asm.Clear();
                // s_curMgr
                w.Asm.AddLine("mov eax, [0x00C79CE0]");
                w.Asm.AddLine("mov eax, [eax+0x2ED0]");
                w.Asm.AddLine("mov edx, eax");
                // TIB
                w.Asm.AddLine("xor eax, eax");
                w.Asm.AddLine("fs mov eax, [0xAC]");
                w.Asm.AddLine("mov eax, [eax]");
                w.Asm.AddLine("add eax, 8");
                w.Asm.AddLine("mov dword [eax], edx");
                // call updateModel
                w.Asm.AddLine("push 1");
                w.Asm.AddLine("push 1");
                //w.Asm.AddLine("mov {0}, {1}", dwMorphTargetBase, playermorphbase);
                w.Asm.AddLine("mov ecx, {0}", playermorphbase);
                w.Asm.AddLine("call {0}", UpdateModel); // ret 8
                // goodbye
                w.Asm.AddLine("retn");
                w.Asm.Inject(dwCodeCaveMorphF);

but it doesn't work

[poke123]

ok good, I found by myself it's

Code:

uint dwCodeCaveMorphF = w.AllocateMemory(0x3000);
                w.Asm.AddLine("push ebp");
                w.Asm.AddLine("mov ebp,esp");
                w.Asm.AddLine("sub esp,0x10");
                w.Asm.AddLine("mov eax, [0x0CD87A8]");
                w.Asm.AddLine("mov eax, [eax+0x034]");
                w.Asm.AddLine("mov eax, [eax+0x024]");
                w.Asm.AddLine("mov eax, [eax+0x08]");
                w.Asm.AddLine("mov EBX, [eax+0x110]");
                w.Asm.AddLine("mov dword [eax+0x010C], EBX");
                w.Asm.AddLine("jmp 0x073E416");
                w.Asm.Inject(w.ProcessHandle, dwCodeCaveMorphF);
                w.Asm.Clear();
                w.Asm.AddLine("jmp {0}", dwCodeCaveMorphF);
                w.Asm.Inject(0x73E410);

when the model is uptdate, the player is transformed into his native display id (which can be change by another program) if you want to inject this code whith autoit, it does not work but you can use cheat engine:

Code:

alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)

0073E410:
jmp newmem
nop
returnhere:

newmem: //this is allocated memory, you have read,write,execute access
push ebp
mov ebp,esp
sub esp,10
mov eax, [0CD87A8]
mov eax, [eax+034]
mov eax, [eax+024]
mov eax, [eax+08]
mov [eax+010C], <displa ID here>
jmp 073E416


originalcode:
push ebp
mov ebp,esp
sub esp,10

exit:
jmp returnhere