Offset to ObjectManager

[mozartmclaus]

Has anyone managed to get offset to the object manager and its table?

There is related info for WoW, but not for D3 so far:
In WoW it is: [[Base + ClientConnectionOffset] + ObjectManagerOffset]
http://www.ownedcore.com/forums/worl...-troubles.html (ObjectManager troubles)

[Nesox]

Has anyone managed to get offset to the object manager and its table?

There is related info for WoW, but not for D3 so far:
In WoW it is: [[Base + ClientConnectionOffset] + ObjectManagerOffset]
http://www.ownedcore.com/forums/worl...-troubles.html (ObjectManager troubles)

It's nothing like how wow handles it, read the older threads and it will come to you.
It's been discussed a few times already

[mozartmclaus]

You have mentioned yourself ObjectManager and TlsGetValue:
http://www.ownedcore.com/forums/diab...ta-player.html (Structure of data on player?)

im already reading all posts for 2 days, cant find any useful info about the basics of accessing the required data.

Do I have to call internal D3 functions (via code injection) or can I find structures holding the pointers to all objects (like tha hash table you mentioned)=

[BitHacker]

mozartmclaus,

There is a offset specified in one of the older posts. Let me see if I can find it real quick.

0x0156C8CC ObjectManagerPtr as for if its current I do not know. I haven't messed with it yet.

Just search "ObjectManagerPtr" in the sub-forum now you should find the posts.

-Bit_Hacker

[mozartmclaus]

Thanks a lot!

Here i have also found offsets to some useful functions:
http://www.ownedcore.com/forums/diab...mp-thread.html ([Diablo 3][[1.0.1.9558] Retail Patch 1 - Info Dump Thread)
He says he found them using pattern matching...
Very interesting.
Currently I have difficulty finding functions in IDA, its release build with no pdb info. So there no function names.
String data is not very useful on such core functions which don't reference it.
Was the beta version a debug build? this would explain from where the guy have patterns to find the functions again.

[BitHacker]

Mozartmclaus,

Alot of the names are coming from mooege source code. You look up the function in IDA Pro w/Hex Rays and just change the name of the function to the name you think it is.

There is no MAGIC to it. Its just a GUESS AND CHECK way of doing it. Sometimes your right. Sometimes your wrong.

If you want to import the dll export functions in a particular .exe that will change the names from sub_numberletter to an actual name get BinDiff for Ida pro. You will have to read "MalwareAnalystsCookbook" to understand how to merge the exports into the .exe for full function names.

Chapter 12 goes over how to use BinDiff to get actual function names.

Its a lot of CHECK CHECK REFERENCE REFERENCE CHECK CHECK name function CHECK CHECK lmao...

The other thing I've been noticing is that really you can use any function you want inside the .exe. Your really just using the function to get the info you want.
That just comes with experience in reverse engineering though.

-Bit_Hacker