57171 Retail 11.0.5 objectmgr changes

[thateuler]

I'm trying to reverse that gmvision function to understand how object visibility is tracked. In 57171 there's a function call at 0x142966FB4 that determines is the object is visible or not. it returns -1 if not visible.

Code:

        isvisible = ObjectInfo(something, 0x13);
        value = num_activevisibleobjs + 1;
        if ( isvisible == -1 )
          value = num_activevisibleobjs;
        v24 = mg4_entry;
        num_activevisibleobjs = value;

Its the first parameter of ObjectInfo that I'm struggling to understand. (I just guessed at the name). The assembly is

Code:

.text:0000000142966FA1 8B 00                                mov     eax, [rax]
.text:0000000142966FA3 BA 13 00 00 00                       mov     edx, 13h
.text:0000000142966FA8 48 8D 0C 40                          lea     rcx, [rax+rax*2]
.text:0000000142966FAC 48 C1 E1 06                          shl     rcx, 6
.text:0000000142966FB0 48 03 4D 58                          add     rcx, [rbp+58h]
.text:0000000142966FB4 E8 C7 A4 94 FD                       call    ObjectInfo

My guess is that there's some data structure traversal going on. It looks like rcx is a pointer to a struct because inside ObjectInfo it appears to be accessing fields. it gets something from 0x2c, then something else from 0x8

Any insight is appreciated.

[scizzydo]

I'm trying to reverse that gmvision function to understand how object visibility is tracked. In 57171 there's a function call at 0x142966FB4 that determines is the object is visible or not. it returns -1 if not visible.

Code:

        isvisible = ObjectInfo(something, 0x13);
        value = num_activevisibleobjs + 1;
        if ( isvisible == -1 )
          value = num_activevisibleobjs;
        v24 = mg4_entry;
        num_activevisibleobjs = value;

Its the first parameter of ObjectInfo that I'm struggling to understand. (I just guessed at the name). The assembly is

Code:

.text:0000000142966FA1 8B 00                                mov     eax, [rax]
.text:0000000142966FA3 BA 13 00 00 00                       mov     edx, 13h
.text:0000000142966FA8 48 8D 0C 40                          lea     rcx, [rax+rax*2]
.text:0000000142966FAC 48 C1 E1 06                          shl     rcx, 6
.text:0000000142966FB0 48 03 4D 58                          add     rcx, [rbp+58h]
.text:0000000142966FB4 E8 C7 A4 94 FD                       call    ObjectInfo

My guess is that there's some data structure traversal going on. It looks like rcx is a pointer to a struct because inside ObjectInfo it appears to be accessing fields. it gets something from 0x2c, then something else from 0x8

Any insight is appreciated.

If you look right above that, there is a pointer to a structure containing multiple pointers to arrays which contain stuff like the EntityID to verify, and then get indexes to the other arrays that eventually point to the data passed into the rcx of that function. If you're internal... there still is the EnumVisibleObjects functions that you can just bypass all that

[evil2]

edit: solved

[jefflwq]

I'm using this

Code:

struct om_obj {
    void **vmt;             /* 0x00 - 0x08 */
    uint8_t otype;          /* 0x08 - 0x09 */
};

struct entity_builder {
    char fill[0x10];        /* 0x00 - 0x10 */
    wGUID guid;             /* 0x10 - 0x20 */
    struct om_obj *obj;     /* 0x20 - 0x30 */
};

struct hashent {
    struct hashent *next;        /* 0x00 - 0x08 */
    wGUID guid;                  /* 0x08 - 0x18 */
    struct entity_builder *eb;   /* 0x18 - 0x28 */
};

struct objMgr {
    uint64_t numslots;       /* 0x00 - 0x08 */
    struct hashent **slots;  /* 0x08 - 0x10 */
};

Code:

    for (int slot_ix = 0; slot_ix < (*ps_curMgr)->numslots; slot_ix++) {
        struct hashent *e;
        for (e = (*ps_curMgr)->slots[slot_ix]; e != NULL; e = e->next) {
            //L("got obj entguid %x%x ebguid %x%x", e->guid.high, e->guid.low, e->eb->guid.high, e->eb->guid.low);
            guids[added_ix] = e->guid;
            otypes[added_ix] = e->eb->obj->otype;
            added_ix++;
            assert(added_ix < MAX);
        }
    }

Code:

struct om_obj *
get_obj(wGUID guid) {

    uint32_t k2 = 0xA2AA033B * guid.high;
    uint32_t k1 = 0xD6D018F5 * guid.low;
    uint32_t index = (k1 + k2) % (*ps_curMgr)->numslots;

    struct hashent *pent;
    for(pent = (*ps_curMgr)->slots[index]; pent != NULL; pent = pent->next) {
        if (GUID_EQ(pent->guid, guid)) {
            return pent->eb->obj;
        }
    }

    return NULL;
}

The obj manager in 57171 is 0x1449f26e8. In 57212 its 0x144724718.

By this code, I have got 'om_obj', but I can't find xyz and facing, can these infoes be found in memory next to 'otype'?
before 11.0.5, I can got them just there.

[gdfsxwy]

Code:

//Old version 10.02
rcx = *(__int64*)(obj + 0xE8); 
r8 = rcx + 0xC0;

Discovered a new Guid offset:

Code:

guid = *(__int64 *)(obj+0x20 ) + 0x8

Other guid:

Code:

 __int64 v6 = *(__int64*)((*(__int64*)(DWORD64)&pent) + 24i64);
guid = v6 + 96;

[gdfsxwy]

By this code, I have got 'om_obj', but I can't find xyz and facing, can these infoes be found in memory next to 'otype'?
before 11.0.5, I can got them just there.

Player and NPC object coordinates:

Code:

*(__int64 *)(om_obj + 0xC8)+0x18

[provirus]

x, y, z is

Code:

(UnitAddress + 0x90) + 0x18

ObjMgr traversal in C#:

Code:

[StructLayout(LayoutKind.Explicit, Pack = 4)]
internal struct ObjectManagerStruct
{
  [FieldOffset(WowOffsets.ObjMgr_ArraySize)]
  public long ArraySize;

  [FieldOffset(WowOffsets.ObjMgr_ArrayBase)]
  public nint ArrayBase;

  [FieldOffset(WowOffsets.ObjMgr_ObjectCount)]
  public ulong ObjectCount;
}

Code:

[StructLayout(LayoutKind.Explicit, Pack = 4)]
internal struct ObjectManagerEntry
{
  [FieldOffset(WowOffsets.ObjMgr_EntryNext)]
  public nint Next;
  [FieldOffset(WowOffsets.ObjMgr_EntryGuid)]
  public Int128 WowGuid;
  [FieldOffset(WowOffsets.ObjMgr_EntryData)]
  public nint DataPtr;
}

Code:

[StructLayout(LayoutKind.Explicit, Pack = 4)]
internal struct ObjectManagerEntryData
{
  [FieldOffset(WowOffsets.ObjMgr_EntryDataGuid)]
  public Int128 WowGuid;
  [FieldOffset(WowOffsets.ObjMgr_EntryDataObject)]
  public nint ObjectBase;
}

Code:

internal enum ObjectManagerObjectType : byte
{
  Object = 0,
  Item = 1,
  Container = 2,
  AzeriteEmpoweredItem = 3,
  AzeriteItem = 4,
  Unit = 5,
  Player = 6,
  ActivePlayer = 7,
  GameObject = 8,
  Dynamic = 9,
  Corpse = 10,
  Areatrigger = 11,
  Scene = 12,
  Conversation = 13,
  AiGroup = 14,
  Scenario = 15,
  Loot = 16,
  Invalid = 17
}

Code:

var objMgr = Memory.Read<IntPtr>(Memory.ImageBase + Offsets.ObjectManager);
if (objMgr == IntPtr.Zero)
  return;

var objMgrData = Memory.Read<ObjectManagerStruct>(objMgr);
var arrayListBase = objMgrData.ArrayBase;
var arraySize = objMgrData.ArraySize;
var objectsCount = objMgrData.ObjectCount;

var playerGUID = Memory.Read<Int128>(Memory.ImageBase + Offsets.PlayerGUID);
var currentAddress = Memory.Read<IntPtr>(arrayListBase);

var counter = 0UL;
for (int x = 0; x < arraySize;)
{
  if (counter >= objectsCount)
    break;

  if (currentAddress == IntPtr.Zero)
  {
    currentAddress = Memory.Read<IntPtr>(arrayListBase + 0x8 * ++x);
    continue;
  }
  var entry = Memory.Read<ObjectManagerEntry>(currentAddress);
  var entryData = Memory.Read<ObjectManagerEntryData>(entry.DataPtr);
  if (entry.WowGuid != entryData.WowGuid)
    throw new InvalidDataException($"Entry's guid is not equal to entry data's guid!");

  var objType = Memory.Read<ObjectManagerObjectType>(entryData.ObjectBase + WowOffsets.ObjMgr_ObjectType);
  ++counter;

  // populating your lists here...

  if (entry.Next == IntPtr.Zero)
  {
    currentAddress = Memory.Read<IntPtr>(arrayListBase + 0x8 * ++x);
  }
  else
  {
    currentAddress = entry.Next;
  }
}

But this code returns objects that moved from the range of visibility. Could anyone please tell me how to determine if an object is visible? I'm pretty bad in IDA... 😅

[gdfsxwy]

Game object email coordinates X, Y, Z cannot be found.
It would be best if you could tell me the method you are looking for (IDA address).
Please help me, thank you!

[provirus]

Game object x, y, z is `ObjAddress + 0xA0`

[gdfsxwy]

Game object x, y, z is `ObjAddress + 0xA0`

You're right, thank you very much! I was foolish, I thought too much.

[szKaXo]

How to determine if a monster corpse is lootable?

[scizzydo]

How to determine if a monster corpse is lootable?

If they have the LOOTABLE flag

[gdfsxwy]

How to determine if a monster corpse is lootable?

*(_BYTE *)(obj + 0x7C) & 4) != 0

[szKaXo]

*(_BYTE *)(obj + 0x7C) & 4) != 0

I also use this offset to determine, but sometimes even after looted, it still shows as lootable.

[84771768]

x, y, z is

Code:

(UnitAddress + 0x90) + 0x18

ObjMgr traversal in C#:

Code:

[StructLayout(LayoutKind.Explicit, Pack = 4)]
internal struct ObjectManagerStruct
{
  [FieldOffset(WowOffsets.ObjMgr_ArraySize)]
  public long ArraySize;

  [FieldOffset(WowOffsets.ObjMgr_ArrayBase)]
  public nint ArrayBase;

  [FieldOffset(WowOffsets.ObjMgr_ObjectCount)]
  public ulong ObjectCount;
}

Code:

[StructLayout(LayoutKind.Explicit, Pack = 4)]
internal struct ObjectManagerEntry
{
  [FieldOffset(WowOffsets.ObjMgr_EntryNext)]
  public nint Next;
  [FieldOffset(WowOffsets.ObjMgr_EntryGuid)]
  public Int128 WowGuid;
  [FieldOffset(WowOffsets.ObjMgr_EntryData)]
  public nint DataPtr;
}

Code:

[StructLayout(LayoutKind.Explicit, Pack = 4)]
internal struct ObjectManagerEntryData
{
  [FieldOffset(WowOffsets.ObjMgr_EntryDataGuid)]
  public Int128 WowGuid;
  [FieldOffset(WowOffsets.ObjMgr_EntryDataObject)]
  public nint ObjectBase;
}

Code:

internal enum ObjectManagerObjectType : byte
{
  Object = 0,
  Item = 1,
  Container = 2,
  AzeriteEmpoweredItem = 3,
  AzeriteItem = 4,
  Unit = 5,
  Player = 6,
  ActivePlayer = 7,
  GameObject = 8,
  Dynamic = 9,
  Corpse = 10,
  Areatrigger = 11,
  Scene = 12,
  Conversation = 13,
  AiGroup = 14,
  Scenario = 15,
  Loot = 16,
  Invalid = 17
}

Code:

var objMgr = Memory.Read<IntPtr>(Memory.ImageBase + Offsets.ObjectManager);
if (objMgr == IntPtr.Zero)
  return;

var objMgrData = Memory.Read<ObjectManagerStruct>(objMgr);
var arrayListBase = objMgrData.ArrayBase;
var arraySize = objMgrData.ArraySize;
var objectsCount = objMgrData.ObjectCount;

var playerGUID = Memory.Read<Int128>(Memory.ImageBase + Offsets.PlayerGUID);
var currentAddress = Memory.Read<IntPtr>(arrayListBase);

var counter = 0UL;
for (int x = 0; x < arraySize;)
{
  if (counter >= objectsCount)
    break;

  if (currentAddress == IntPtr.Zero)
  {
    currentAddress = Memory.Read<IntPtr>(arrayListBase + 0x8 * ++x);
    continue;
  }
  var entry = Memory.Read<ObjectManagerEntry>(currentAddress);
  var entryData = Memory.Read<ObjectManagerEntryData>(entry.DataPtr);
  if (entry.WowGuid != entryData.WowGuid)
    throw new InvalidDataException($"Entry's guid is not equal to entry data's guid!");

  var objType = Memory.Read<ObjectManagerObjectType>(entryData.ObjectBase + WowOffsets.ObjMgr_ObjectType);
  ++counter;

  // populating your lists here...

  if (entry.Next == IntPtr.Zero)
  {
    currentAddress = Memory.Read<IntPtr>(arrayListBase + 0x8 * ++x);
  }
  else
  {
    currentAddress = entry.Next;
  }
}

But this code returns objects that moved from the range of visibility. Could anyone please tell me how to determine if an object is visible? I'm pretty bad in IDA... 😅

This looks very powerful, but I still don’t know how to obtain the data in ObjectManagerStruct, ObjectManagerEntry, and ObjectManagerEntryData. Can you provide a way to obtain it?