Just to add, my offset dumper reports the new offset is 0x00D43468. I've attached a log in case anyone finds it useful!
So far TLS is nothing magic or a must-have to use, since it finds the slot which can then be used with the TEB address (thread-base-address) to refer to the first object pointer. But having the TLS offset is not enough; you still need to figure out where the first object begins.
That is completely wrong! The object manager (s_curMgr) is the variable inside of the TLS. To get the first object in the array you simply go:
Code:
#include <windows.h>

struct CObject; // the client's object class; list nodes are cast to it

struct ListObject
{
    char        unknown0[0x3C];
    ListObject* Next;  // 0x003C
    char        unknown1[0x6C];
    ListObject* First; // 0x00AC
};

// TLSPTR is the TLS slot found earlier; s_curMgr sits at +0x10 inside it.
ListObject* curMgr      = *(ListObject**)(TLSPTR + 0x10);
ListObject* firstObject = curMgr->First;
ListObject* ptr         = firstObject;
// Walk until NULL, an end marker (low bit set) or a Next that points at itself.
while ( ptr && ( (DWORD)ptr & 1 ) == 0 )
{
    CObject* pObject = (CObject*)ptr;
    // handle pObject here
    firstObject = ptr;
    ptr = firstObject->Next;
    if ( ptr == firstObject )
        break;
}
Or using my new method
Code:
DWORD* g_clientConnection = (DWORD*)0x00D43468;
DWORD  g_curMgr = NULL;
// .............
// Wait until the client has a connection object, then until the
// object manager hanging off it at +0x21E8 exists.
while ( *g_clientConnection == NULL )
    Sleep( 100 );
while ( ( g_curMgr = *(DWORD*)( *g_clientConnection + 0x21E8 ) ) == NULL )
    Sleep( 100 );
ListObject* curMgr      = (ListObject*)g_curMgr;
ListObject* firstObject = curMgr->First;
ListObject* ptr         = firstObject;
// Same walk as above: NULL, low-bit end marker or self-pointing Next ends it.
while ( ptr && ( (DWORD)ptr & 1 ) == 0 )
{
    CObject* pObject = (CObject*)ptr;
    // handle pObject here
    firstObject = ptr;
    ptr = firstObject->Next;
    if ( ptr == firstObject )
        break;
}
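As an added example (not code from the post or from the client), here is the same walk run against a constructed 32-bit memory image instead of live process memory: the manager's First at +0xAC and each node's Next at +0x3C are read through a bounds-checked accessor, the way an out-of-process reader would do it, and both termination cases the loop relies on (a pointer with the low bit set, and a Next that points back at its own node) are exercised. The base address, object spacing and end-marker value are assumptions made up for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Field offsets taken from the post (32-bit 2.4.1 client). */
#define OFF_NEXT   0x3C   /* ListObject::Next  */
#define OFF_FIRST  0xAC   /* ListObject::First */

/* Constructed stand-in for the target process: a flat buffer that pretends
 * to live at `base`, read through a bounds-checked accessor the way an
 * external ReadProcessMemory()-style walker would. */
typedef struct {
    uint32_t base;
    uint8_t *mem;
    size_t   size;
} image_t;

static int read_u32(const image_t *img, uint32_t va, uint32_t *out)
{
    if (va < img->base || va + 4 > img->base + img->size)
        return 0;                       /* unreadable address */
    memcpy(out, img->mem + (va - img->base), sizeof *out);
    return 1;
}

static void write_u32(image_t *img, uint32_t va, uint32_t v)
{
    memcpy(img->mem + (va - img->base), &v, sizeof v);
}

/* Same loop as the post: start at mgr->First, stop on NULL, on a pointer
 * with bit 0 set, or when Next points back at the current node. Returns
 * the number of objects visited (-1 on an unreadable address or a runaway
 * list) and stores up to `max` of their addresses in `out`. */
static int walk_objects(const image_t *img, uint32_t mgr_va,
                        uint32_t *out, int max)
{
    uint32_t ptr, next;
    int n = 0;

    if (!read_u32(img, mgr_va + OFF_FIRST, &ptr))
        return -1;
    while (ptr != 0 && (ptr & 1) == 0) {
        if (n < max)
            out[n] = ptr;
        if (++n > 65536)                /* a corrupted list must not hang us */
            return -1;
        if (!read_u32(img, ptr + OFF_NEXT, &next))
            return -1;
        if (next == ptr)
            break;
        ptr = next;
    }
    return n;
}

/* Build a constructed image with a manager and three objects. If
 * `self_terminated` is nonzero the last object's Next points at itself;
 * otherwise it holds an address with the low bit set, the end marker the
 * post's `(DWORD)ptr & 1` test is looking for. Assumed layout: manager at
 * base, objects at base+0x100/0x200/0x300. */
static int demo_walk(int self_terminated)
{
    static uint8_t buf[0x1000];
    image_t img = { 0x10000000u, buf, sizeof buf };
    uint32_t mgr = img.base;
    uint32_t obj[3] = { mgr + 0x100, mgr + 0x200, mgr + 0x300 };
    uint32_t found[8];
    int n;

    memset(buf, 0, sizeof buf);
    write_u32(&img, mgr + OFF_FIRST, obj[0]);
    write_u32(&img, obj[0] + OFF_NEXT, obj[1]);
    write_u32(&img, obj[1] + OFF_NEXT, obj[2]);
    write_u32(&img, obj[2] + OFF_NEXT,
              self_terminated ? obj[2] : ((mgr + OFF_FIRST) | 1u));

    n = walk_objects(&img, mgr, found, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("object %d at 0x%08X\n", i, found[i]);
    return n;
}

int main(void)
{
    return (demo_walk(0) == 3 && demo_walk(1) == 3) ? 0 : 1;
}
```

Both variants visit exactly three objects; the point of the bounds-checked accessor and the iteration cap is that a bad offset or a half-updated list in the live client fails the walk instead of reading off into unmapped memory.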
Found anything interesting in the packet handler?
Well, it's partly how I achieved the on-the-fly model editing/scaling (see the Model Edit show-off forum). I was able to trace through the SMSG_UPDATE_OBJECT packet handler and see how it updated the player model.
FYI: 0x00680DF0 is the PacketHandler (2.4.1)
00680E1B |. 8B44BE 74 MOV EAX,DWORD PTR DS:[ESI+EDI*4+74] ; ESI = Class, EDI = Opcode, pClass+0x74 = start of handler functions.
So pClass + (Opcode*4 + 0x74) = Handler
</WALLOFTEXT>