[Release]WoW 2.4 Addresses

[AticAtac]

The offset to the first object in the list is: 0x15F50008
from here you can iterate through the list as you did before the patch.
Things like position, facing and npc/mob names moved around so i am right now looking for their relativ offset in the object list.

[UPDATE]
Use the offsets (+bf0, ...) @kth provided for position, etc. in the object-list.

[ABitHazy]

Any idea how to find a UNIT's name now? It seems to have changed from being

(Base+Offset)->+4->NT String with UNIT's Name.
or, if you prefer it written like this:
readNTstring(readint(readint(Base + Offset)+4))

yea i searched like the first 10,000 offsets from the base (in 2.3.3 the offset was 3496 so it shouldn't be too far off that) and couldn't find it. Maybe i'm just too tired to be doing this right now. Let me know if anyone has any insite into this.

Now time to share some pointers i found:

(If you're not familiar with VB, the &H means its in hex so just assume its in hex and ignore the &H) If there's no &H, it's in decimal.

Found all the descriptor pointers:
s_objDescriptors &HEA5078
s_itemDescriptors = &HEA4BC8
s_containerDescriptors = &HEA4150
s_unitDescriptors = &HEA2F08
s_playerDescriptors = &HE9B7A8
s_gameObjectDescriptors = &HE9B5A0
s_dynamicObjectDescriptors = &HE9B460
s_corpseDescriptors = &HE9B168

CGPlayer_C__CastingSpellId = 3912 (offset from UNIT or PLAYER structure, gives the ID of the spell that is being casted) 3916 seems to be the same thing.

Also found s_CurMgr if theres anyone else out there using the wowsharp structure for their bot.

[AticAtac]

NPC/MOB name, here you go:

curobj +0x2630 -> P+0x40 -> Name
My pseudo-code:
memclass.Read(curobj+0x2630, &nameofs, 4);
memclass.Read(nameofs+0x40, &nameofs, 4);
memclass.Read(nameofs, namebuf, 64);

[AticAtac]

Ok, forget the curobj offset i wrote before, it is of course each time you start wow different.
Keep your TLS-code ! There is only one minor (but important) change:
playerguid and wowbaseptr are switched !!! and curobj is at wowbaseptr+0xc (instead of 0xac)
So
wowbaseptr is now at tls_targetslot + 16
and
playerguid is at tls_targetslot + 8

It should then work.
Of course use the new offsets for name, x,y,z,facing

[Flos]

Ok, forget the curobj offset i wrote before, it is of course each time you start wow different.
Keep your TLS-code ! There is only one minor (but important) change:
playerguid and wowbaseptr are switched !!! and curobj is at wowbaseptr+0xc (instead of 0xac)
So
wowbaseptr is now at tls_targetslot + 16
and
playerguid is at tls_targetslot + 8

It should then work.
Of course use the new offsets for name, x,y,z,facing

If this works.. you made my day.. gonna try this tomorrow and buy you a beer if you somehow can get to austria ^^

[ABitHazy]

NPC/MOB name, here you go:

curobj +0x2630 -> P+0x40 -> Name
My pseudo-code:
memclass.Read(curobj+0x2630, &nameofs, 4);
memclass.Read(nameofs+0x40, &nameofs, 4);
memclass.Read(nameofs, namebuf, 64);

Thank you very much for this. I would give u rep if i could. How on earth did you find that out? Would take forever to search all the possabilities with 10000 numbers added to the base and 64 variants of each one. I'm assuming you did it some other way?
I wonder why it changed from + 4 to + 0x40? It's been +4 for as long as i can remember.

I am, however, not sure if the 0x2630 bit is right. It gave me a name, but not the name of the same UNIT whose base i was adding it to. I had a quick look and found that.

curobj +0xDB8 -> P+0x40 -> Name

Will give the UNIT's correct name. (never would have found that without your help though).

[AticAtac]

You are right, it should be 0xDB8 +0x40
Silly me ...
How i found the name offset ?
One of my chars is always standing besides "Einar Stormgrip" and i logged on with this char looked for the name "Einar" und had its offset. On the other side i got his obj-offset and reversed searched with found pointers, it wasn't really hard.
As with 2.3.3 i also freezed the whole RAM of wow so i can look back and check how things were there. For this i wrote my own memory-analysis program which can work with process or "freezed" RAM on harddisk. This way i am also sure that "Warden" can not detect me, since i don't use any known mem programs like cheatengine, artmoney, etc.

What i am still missing are the names of other players and objects.

[ABitHazy]

I found out how to find the name of an object today
only tested it for GAMEOBJECTs (ie. Object type = 5) and im prety sure it only works for these. But includes basically every object you can interact with ie chests, herbs, mining viens, other quest objects that you have to 'open' etc.

(Base + 54 -> +116 -> NT string.

or

ReadNTString(ReadInteger(ReadInteger(Base + 54 + 116))

I went for the brute force method when finding this, i read strings at:
ReadNTString(ReadInteger(ReadInteger(Base + i) + j))

i going from 0 to 4000 or so and j going 1 to 200

it took a while bit worked awesomely!

I must have a really inefficient method for reading memory or maybe its just the VB overheads because if i ever try and search for a value throughout the whole program it takes like 10 mins whereas Tsearch only takes like 10 seconds. Im sure it must do certain things make its searches more efficient, like skipping over blank sections of memory.

Does your program do things like that to make it more efficient AticAtac?


Also, here's a mystery i was never able to crack:
Have you ever looked at the positions of lifts (ie, at TB, thousand needles, etc.). The lifts themselves are DYNAMICOBJECTs, when you read their DYNAMICOBJECT_POS_X and DYNAMICOBJECT_POS_Y values they are in the right spot but their DYNAMICOBJECT_POS_Z value never changes... wtf??

The reason i was looking for the lift's Z value was so that i could get my bot to be able to go up/down lifts should they be in the path it is walking.

[AticAtac]

Great, i will test the object names! (+rep from me).

As for speed, you should use a cache before you search memory sequentially. What i do is to load a whole block into my cache (either from file or from process) and do all searching in memory, this is much faster!

I am not much into dynamic objects of wow, but as for lifts which move vertically i would suppose that their z-value don't change, but y-value.

The only thing (for me) left are now the names of other players.

[skypa]

Quick question: I read somewhere, that the facing direction can be written arbitrary, so if I want to turn my toon, I can just write the angle into the address. Somehow that doesn't work for me, the client reverts to the old value as soon as I detach from the process, the toon never turns.
If facing direction the way to go or is there even another address for some sort of player rotation which is indeed writable?
Turning the toon with key- or mouseinjection just seems too flaky.

[ABitHazy]

Skypa,
I'm not sure if any such address exists however if it did you would expect it to be stored in a static address somewhere outside the player's data structure. I'm guessing this because if you can change your player's heading from the data struct then it would let you change the heading of any object, which obviously can't happen.
I'd suggest searching for other addresses containing the player's facing and try manipulating them.
On a side note, I wouldn't really recommend building a bot based on that turning technique because it would be easily detectable. I don't know a lot about warden/detection but if they ever decided to look, it would be a dead giveaway if the player was changing directions without ever pressing any buttons.

AticAtac,
Thanks for the info, im goning to have to read into using cache a bit.
As for player names, I have never actually got them working properly, ill do a big search for them however i have a sneaky suspicion that you need to take their GUID and look it up in a table somewhere (which would make life a bitch). I'll have a bit of a fiddle. Might be a couple of days before I get a real good chance to though.

[EmiloZ]

Tyyy... +Rep x2

[Demonkunga]

This be a mostly leecher thread. But you guys are smart Don't let the higher ranked people put you down. You guys will be up here someday.

[macintox]

+rep to AticAtac for his great work, all those post are worth getting away from leecher no ? ^^

[Sychotix]

I Didnt post anything leeched lol... i found all of mine by doing simple memory editing with common sense =D

I had the idea of making one of the bomb flying quests work anywhere... i think i found the addy that shows which section of the zone im in, but I can only select the AOE target. After I select it, it wont let me do the action >_<. Also I can use it while ontop of the original mount that it used but it has no damage outside the Demon Scar or w/e its called.