WoW Offsets learning menu

Page 1 of 3
Results 1 to 15 of 45
  1. #1
    Gringas (Member)

    WoW Offsets learning

    Hello ownedcore!
    I somehow learned how to work with older versions of WoW, using offsets from this forum. But I would like not just to get a ready-made solution, but to figure it out myself. Please tell me how you can get offsets for the current version of the game. For example, I need to interact with Lua (create my own function): where should I start, and how do I search for the offset of getContext, EnumVisibleObjects and other basic ones? What tools should I use for this? CheatEngine, x64dbg, IDA? It's just that when I see these big lists of offsets for the version of the game that was released recently, I wonder how people find it all so quickly, and I want to learn how to do it. Thanks

  2. #2
    nooberang (Member)
    I'm also extremely interested in an up-to-date guide on how to work with WoW memory; hell, I'd even pay for tutoring.

  3. #3
    Sweann (Active Member)
    Yes, this is the key to finding out where to start reading actual game objects. Currently trying to scan the whole memory, but it's slow as ....
    Last edited by Sweann; 12-20-2023 at 09:34 AM.

  4. #4
    maikel233 (Contributor)
    Originally Posted by Gringas
    Hello ownedcore!
    I somehow learned how to work with older versions of WoW, using offsets from this forum. But I would like not just to get a ready-made solution, but to figure it out myself. Please tell me how you can get offsets for the current version of the game. For example, I need to interact with Lua (create my own function): where should I start, and how do I search for the offset of getContext, EnumVisibleObjects and other basic ones? What tools should I use for this? CheatEngine, x64dbg, IDA? It's just that when I see these big lists of offsets for the version of the game that was released recently, I wonder how people find it all so quickly, and I want to learn how to do it. Thanks
    Pretty much everything on how to get those offsets is already out here on the forum. Use the search button or just browse the pages...

    How I started was just opening the WoW Mac build in IDA Pro. All functions are already defined in the Mac build, so it's easy to find a function. From there, find the function you want, search for any string nearby, and then search for that string in the live version.

    Now I just use a script that dumps all script functions and go from there...
    Last edited by maikel233; 12-20-2023 at 03:48 PM.

  5. #5
    Gringas (Member)
    I've been studying the forum for a week now to get a little closer to the answer of how people look for offsets. But most of the articles are already outdated. I've read how people search through TLS, but apparently it doesn't work anymore.
    wor...ern-tls-c.html
    I also read how people search for specific lines in IDA and find the object manager by clicking on them.
    https://www.ownedcore.com/forums/wor...r-address.html

    I've tried this with the Windows build and the Mac build (took the game file from my MacBook and opened it in IDA on Windows). I find the strings, but they don't contain links. Maybe it's some kind of protection, or I'm doing something wrong. I get the error "There are no xrefs to aObjectManagerL".

    The plan is to find the address (let's say the object manager) and then use CheatEngine to track how I can get it relative to BaseAddress.
    I obviously lack experience and knowledge, but I'm trying to figure this out and would be very grateful if someone would point me in the right direction.

  6. #6
    Sweann (Active Member)
    Tried it on Mac with Hopper and Ghidra; both are missing any reference to "aObjectManagerL" and the other strings around there. Maybe the code is obfuscated and needs to be decoded, or I need to dump the running program on Mac somehow; this is what I'm on now.

  7. #7
    aeo (Contributor)
    There is an old Mac build with symbols; that's the one you want to find. Sorry, I don't have a link.

  8. #8
    Sweann (Active Member)
    Originally Posted by aeo
    There is an old Mac build with symbols; that's the one you want to find. Sorry, I don't have a link.
    Yes, I saw the reference to this file, but that one only helps to understand the internal mechanism of the app itself, doesn't it?
    But the memory address of the object manager is different on every build, and this is what is currently hard for me (us) to understand how to find. After that, working with offsets relative to this base address will be "easy".

  9. #9
    maikel233 (Contributor)
    Originally Posted by Gringas
    I've been studying the forum for a week now to get a little closer to the answer of how people look for offsets. But most of the articles are already outdated. I've read how people search through TLS, but apparently it doesn't work anymore.
    wor...ern-tls-c.html
    I also read how people search for specific lines in IDA and find the object manager by clicking on them.
    https://www.ownedcore.com/forums/wor...r-address.html

    I've tried this with the Windows build and the Mac build (took the game file from my MacBook and opened it in IDA on Windows). I find the strings, but they don't contain links. Maybe it's some kind of protection, or I'm doing something wrong. I get the error "There are no xrefs to aObjectManagerL".

    The plan is to find the address (let's say the object manager) and then use CheatEngine to track how I can get it relative to BaseAddress.
    I obviously lack experience and knowledge, but I'm trying to figure this out and would be very grateful if someone would point me in the right direction.
    ObjectManager: search for "Active objects" or "Objects waiting to be freed" and compare it with the Mac / recent retail build.
    Double click -> click on the data xref sub -> decompile the sub (F5) -> xref the first QWORD. Take the one that has +40 and +F.
    ClntObjMgrEnumVisibleObjectsPtr+40
    ClntObjMgrEnumVisibleObjectsPtr+F

    Function looks like this:
    char __fastcall ClntObjMgrEnumVisibleObjectsPtr(unsigned int (__fastcall *a1)(signed __int64, __int64), __int64 a2)

    I would suggest looking at some IDA tutorial footage on YT. I'm not that experienced either, but I learned a lot with CSGO.
    Last edited by maikel233; 12-22-2023 at 12:52 PM.

  10. #10
    Sweann (Active Member)
    A little progress for now: the (Mac M1) WoW process dumped from the base address now looks decrypted / deobfuscated, so there is a function referencing "aObjectManagerL", aka "Object manager list status:".

    Code:
                         loc_101214cfc:
    0000000101214cfc         ldr        x24, [x8, #0x30 ]                            ; CODE XREF=sub_101214bcc+248
    0000000101214d00         adrp       x25, #0x102620000 
    0000000101214d04         str        wzr, [x25, #0x244 ]                          ; dword_102620244
    0000000101214d08         adr        x0, #0x1012134d0 
    0000000101214d0c         nop
    0000000101214d10         mov        x1, #0x0 
    0000000101214d14         bl         sub_100fe5504                               ; sub_100fe5504
    0000000101214d18         adrp       x1, #0x101da4000                             ; 0x101da486d@PAGE
    0000000101214d1c         add        x1, x1, #0x86d                               ; 0x101da486d@PAGEOFF, "Object manager list status: (use gmvision to see server onlys)"
    0000000101214d20         mov        w0, #0x7                                     ; argument #1  for method sub_10009dbf8
    0000000101214d24         bl         sub_10009dbf8                               ; sub_10009dbf8
    0000000101214d28         stp        x23, x19, [sp]
    0000000101214d2c         adrp       x1, #0x101da4000                             ; 0x101da48ac@PAGE
    0000000101214d30         add        x1, x1, #0x8ac                               ; 0x101da48ac@PAGEOFF, argument #2  for method sub_100097874, "    Active objects:    %u (%u visible)"
    0000000101214d34         mov        w0, #0x7                                     ; argument #1  for method sub_100097874
    0000000101214d38         bl         sub_100097874                               ; sub_100097874

  11. #11
    Sweann (Active Member)
    So in the Mac version of SoD (1.15.0 52610) the object manager address is 0x2620250; when logged off, the value at this address goes to 0.

    Beginning of the function looks like this:

    Code:
                         sub_101214bcc:
    0000000101214bcc         sub        sp, sp, #0x80                                ; DATA XREF=sub_101214a74+264
    0000000101214bd0         stp        x26, x25, [sp, #0x30 ]
    0000000101214bd4         stp        x24, x23, [sp, #0x40 ]
    0000000101214bd8         stp        x22, x21, [sp, #0x50 ]
    0000000101214bdc         stp        x20, x19, [sp, #0x60 ]
    0000000101214be0         stp        fp, lr, [sp, #0x70 ]
    0000000101214be4         add        fp, sp, #0x70 
    0000000101214be8         adrp       x8, #0x102620000                             ; 0x102620250@PAGE
    0000000101214bec         ldr        x8, [x8, #0x250 ]                            ; 0x102620250@PAGEOFF, qword_102620250
    0000000101214bf0         add        x9, x8, #0x120 
    0000000101214bf4         ldr        x10, [x8, #0x120 ]
    0000000101214bf8         cmp        x10, x9
    0000000101214bfc         b.eq       loc_101214c20
    
    0000000101214c00         mov        w19, #0x0
    If checking for the "Client Object Manager Initialized: %d" string, the same number can be found in the referencing code.

    Code:
                         loc_101214648:
    0000000101214648         ldr        w0, [x20, #0x160 ]                           ; argument #1  for method sub_101307204, CODE XREF=sub_1012142a8+632
    000000010121464c         mov        x1, x19                                     ; argument #2  for method sub_101307204
    0000000101214650         bl         sub_101307204                               ; sub_101307204
    0000000101214654         adrp       x8, #0x102620000                             ; 0x102620250@PAGE
    0000000101214658         ldr        x8, [x8, #0x250 ]                            ; 0x102620250@PAGEOFF, qword_102620250
    000000010121465c         str        w19, [x8, #0x160 ]
    0000000101214660         bl         sub_1012f675c                               ; sub_1012f675c
    0000000101214664         str        x19, [sp, #0x30  + var_30]
    0000000101214668         adrp       x0, #0x101da4000                             ; 0x101da4676@PAGE
    000000010121466c         add        x0, x0, #0x676                               ; 0x101da4676@PAGEOFF, argument #1  for method sub_101cc9d14, "Client Object Manager Initialized: %d"
    0000000101214670         bl         sub_101cc9d14                               ; sub_101cc9d14
    0000000101214674         ldp        fp, lr, [sp, #0x30 ]
    0000000101214678         ldp        x20, x19, [sp, #0x20 ]
    000000010121467c         ldp        x22, x21, [sp, #0x10 ]
    0000000101214680         add        sp, sp, #0x40 
    0000000101214684         ret
                            ; endp
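    The listings above reach the object manager through an adrp / ldr pair and the format strings through an adrp / add pair; the @PAGE / @PAGEOFF annotations are the disassembler's rendering of that arithmetic. As an added example (not Sweann's code or anything taken from the client), the Python below decodes raw AArch64 instruction words to reproduce those addresses. The instruction words are constructed encodings of the listed instructions, and the 0x100000000 image base is an assumption implied by the 0x1012xxxxx addresses.

```python
# Added example: decode AArch64 ADRP + LDR/ADD pairs like the ones in the
# listings above and recover the address they reference. The instruction
# words used below are constructed encodings of the listed instructions,
# not bytes taken from the page; the 0x100000000 image base is assumed.
from typing import Tuple

IMAGE_BASE = 0x100000000  # assumed unslid Mach-O base implied by 0x1012xxxxx


def sign_extend(value: int, bits: int) -> int:
    """Treat the low `bits` of value as a two's-complement integer."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode_adrp(insn: int, pc: int) -> Tuple[int, int]:
    """ADRP Xd, label -> (Xd, page address).
    Encoding: 1 immlo(2) 10000 immhi(19) Rd(5); imm = sext(immhi:immlo) << 12,
    added to the PC with its low 12 bits cleared (hence the '@PAGE' annotation)."""
    if insn & 0x9F000000 != 0x90000000:
        raise ValueError(f"{insn:#010x} is not ADRP")
    immlo = (insn >> 29) & 0x3
    immhi = (insn >> 5) & 0x7FFFF
    imm = sign_extend((immhi << 2) | immlo, 21) << 12
    return insn & 0x1F, (pc & ~0xFFF) + imm


def decode_page_offset(insn: int) -> Tuple[str, int, int]:
    """Second half of the pair -> (kind, Xn, byte offset) for either
    LDR Xt, [Xn, #imm] (64-bit unsigned offset, imm12 scaled by 8) or
    ADD Xd, Xn, #imm (imm12, optionally shifted left by 12): the '@PAGEOFF'."""
    imm12 = (insn >> 10) & 0xFFF
    rn = (insn >> 5) & 0x1F
    if insn & 0xFFC00000 == 0xF9400000:
        return "ldr", rn, imm12 * 8
    if insn & 0xFF800000 == 0x91000000:
        return "add", rn, imm12 << (12 if insn & (1 << 22) else 0)
    raise ValueError(f"{insn:#010x} is not LDR (unsigned offset) or ADD (imm)")


def resolve_adrp_pair(adrp_insn: int, adrp_pc: int, next_insn: int) -> Tuple[str, int]:
    """Combine the pair. 'ldr' means the code loads a pointer stored at the
    address (the object manager slot); 'add' means the address itself is the
    value (a string). Raises if the second instruction uses another register."""
    rd, page = decode_adrp(adrp_insn, adrp_pc)
    kind, rn, offset = decode_page_offset(next_insn)
    if rn != rd:
        raise ValueError("second instruction does not use the ADRP destination")
    return kind, page + offset


def image_offset(address: int) -> int:
    """Image-relative offset, what the thread calls the 'offset' for a build."""
    return address - IMAGE_BASE


if __name__ == "__main__":
    # adrp x8, #0x102620000 @ 0x101214be8 ; ldr x8, [x8, #0x250]  (constructed words)
    kind, addr = resolve_adrp_pair(0x9000A068, 0x101214BE8, 0xF9412908)
    print(kind, hex(addr), hex(image_offset(addr)))  # ldr 0x102620250 0x2620250
    # adrp x1, #0x101da4000 @ 0x101214d18 ; add x1, x1, #0x86d  (constructed words)
    print(resolve_adrp_pair(0x90005C81, 0x101214D18, 0x9121B421))  # ('add', 4325574765)
```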

  12. #12
    Sweann (Active Member)
    Can any expert give a little hint on how I can find the camera manager? I'm on OSX and using Ghidra.
    Currently searching for the scalar 0x3930, which is found in offset dumps.

    Are there any text references, maybe?

  13. #13
    Sweann (Active Member)
    Okay, found the GetCameraZoom text, which led to the Lua function registration, and digging deeper I see the already reported 0x3930 value.

    Code:
    void FUN_1015957f4(void)
    {
      ...
      FUN_1004beca8("GetCameraZoom",FUN_1015a34e0);
      ...
      return;
    }
    
    undefined8 FUN_1015a34e0(undefined8 param_1)
    {
      long lVar1;
      
      lVar1 = FUN_100d013d0();
      FUN_100009db8((double)*(float *)(lVar1 + 600),param_1);
      return 1;
    }
    
    
    undefined8 FUN_100d013d0(void)
    {
      if (DAT_1021f01d8 != 0) {
        return *(undefined8 *)(DAT_1021f01d8 + 0x3930);
      }
      return 0;
    }
    Returned value confirmed with
    Code:
    /dump GetCameraZoom()

  14. #14
    Sweann (Active Member)
    Does anyone have a hint for the 1.15.1 53623 SoD client on how I can access DB2 data in memory? Is there any connection between GameObject and DB2 (DBC records?!)

    In a GameObject, at offset 0x148 there is a pointer to a "descriptor" (if I am correct), and from that address, with a second offset of 0xd8, there is the address of the name, but I would like to know the lock type of the object.
    In this area I found 2 possible 4-byte values, which are always 2 and 4 for mining nodes and 1 and 1 for herbs.

    With a memory scan I found the address where the LockType and Lock data is loaded, and it's the same over restarts; for LockType this is 0x2218F00.

    In old posts I found some clues about DBC, but it works differently, as I see.

  15. #15
    scizzydo (Contributor)
    Originally Posted by Sweann
    Does anyone have a hint for the 1.15.1 53623 SoD client on how I can access DB2 data in memory? Is there any connection between GameObject and DB2 (DBC records?!)

    In a GameObject, at offset 0x148 there is a pointer to a "descriptor" (if I am correct), and from that address, with a second offset of 0xd8, there is the address of the name, but I would like to know the lock type of the object.
    In this area I found 2 possible 4-byte values, which are always 2 and 4 for mining nodes and 1 and 1 for herbs.

    With a memory scan I found the address where the LockType and Lock data is loaded, and it's the same over restarts; for LockType this is 0x2218F00.

    In old posts I found some clues about DBC, but it works differently, as I see.
    CGGameObject_C::GetLockRec:
    Code:
    40 53 48 83 EC 20 48 83 B9 ? ? ? ? 00 48 8B D9 74 ? 0F BE 89 ? ? 00 00
    Reverse it for what you want, or just call the function and get the rec to check the type.

  16. Thanks: Sweann (1 member gave Thanks to scizzydo for this useful post)