[Release]WoW 2.4.1 Addresses

  1. #16
    Sychotix
    k.... then did you edit the value? -.-
  2. #17
    unknow2k

    Hunter Trace for 2.4.1

    code address:

    005a8bad test eax,edx

    eax:

    Nothing: 0
    Beasts: 1
    Dragonkin: 2
    Demons: 4
    Elementals: 8
    Giants: 16
    Undead: 32
    Humanoids: 64
    Misc: 132
    Everything: 255

    you can modify code -> test edx,edx

    to Everything

    Hex Edit: 005a8bad 85,c2 -> 85,d2
    Last edited by unknow2k; 04-03-2008 at 07:07 AM.

  3. #18
    ABitHazy
    New descriptor offsets in 2.4.1:

    s_objDescriptors = 15384696
    s_itemDescriptors = 15383496
    s_containerDescriptors= 15380816
    s_unitDescriptors = 15376136
    s_playerDescriptors = 15345576
    s_gameObjectDescriptors = 15345056
    s_dynamicObjectDescriptors = 15344736
    s_corpseDescriptors = 15343976

  4. #19
    [Blackstorm]
    what do i edit the value to?

    for instance, speedhack forward gives me the original value as random numbers..(58347672) and if i edit it, i will be frozen in place

  5. #20
    Sychotix
    That's probably because you're not viewing it as the right type. They are either 4 byte (I guess) or Float values.

  6. #21
    Cypher
    Originally Posted by kth_prkns
    lol nice =P must be a different type of movement state. Also, you're probably right since they are all 4 byte but it still gives the same effect with mine so I'll leave it.

    1. The offset is wrong.
    2. They're not a different type of state you're just off by a few bytes so you're modifying some of it not all of it.
    3. It's not a float, it's a bitmask; view it as an Int32 and convert it to hex.

    If you want some proof look at the following subroutines:
    Code:
    .data:0093E738 off_93E738      dd offset aJumporascendst ; DATA XREF: sub_6869B0+9r
    .data:0093E738                                         ; sub_6869E0:loc_6869E3r
    .data:0093E738                                         ; "JumpOrAscendStart"
    .data:0093E73C off_93E73C      dd offset sub_687D00    ; DATA XREF: sub_6869B0:loc_6869B3r
    .data:0093E740                 dd offset aAscendstop   ; "AscendStop"
    .data:0093E744                 dd offset sub_687E10
    .data:0093E748                 dd offset aDescendstop  ; "DescendStop"
    .data:0093E74C                 dd offset sub_687E80
    .data:0093E750                 dd offset aTogglerun    ; "ToggleRun"
    .data:0093E754                 dd offset sub_687880
    .data:0093E758                 dd offset aToggleautorun ; "ToggleAutoRun"
    .data:0093E75C                 dd offset sub_687EB0
    .data:0093E760                 dd offset aMoveforwardsta ; "MoveForwardStart"
    .data:0093E764                 dd offset sub_687EF0
    .data:0093E768                 dd offset aMoveforwardsto ; "MoveForwardStop"
    .data:0093E76C                 dd offset sub_687F20
    .data:0093E770                 dd offset aMovebackward_0 ; "MoveBackwardStart"
    .data:0093E774                 dd offset sub_687F50
    .data:0093E778                 dd offset aMovebackwardst ; "MoveBackwardStop"
    .data:0093E77C                 dd offset sub_687F80
    .data:0093E780                 dd offset aTurnleftstart ; "TurnLeftStart"
    .data:0093E784                 dd offset sub_687FB0
    .data:0093E788                 dd offset aTurnleftstop ; "TurnLeftStop"
    .data:0093E78C                 dd offset sub_687FE0
    .data:0093E790                 dd offset aTurnrightstart ; "TurnRightStart"
    .data:0093E794                 dd offset sub_688010
    .data:0093E798                 dd offset aTurnrightstop ; "TurnRightStop"
    .data:0093E79C                 dd offset sub_688040
    .data:0093E7A0                 dd offset aStrafeleftstar ; "StrafeLeftStart"
    .data:0093E7A4                 dd offset sub_688070
    .data:0093E7A8                 dd offset aStrafeleftstop ; "StrafeLeftStop"
    .data:0093E7AC                 dd offset sub_6880A0
    .data:0093E7B0                 dd offset aStraferightsta ; "StrafeRightStart"
    .data:0093E7B4                 dd offset sub_6880D0
    .data:0093E7B8                 dd offset aStraferightsto ; "StrafeRightStop"
    .data:0093E7BC                 dd offset sub_688100
    .data:0093E7C0                 dd offset aPitchupstart ; "PitchUpStart"
    .data:0093E7C4                 dd offset sub_688130
    .data:0093E7C8                 dd offset aPitchupstop  ; "PitchUpStop"
    .data:0093E7CC                 dd offset sub_688160
    .data:0093E7D0                 dd offset aPitchdownstart ; "PitchDownStart"
    .data:0093E7D4                 dd offset sub_688190
    .data:0093E7D8                 dd offset aPitchdownstop ; "PitchDownStop"
    .data:0093E7DC                 dd offset sub_6881C0
    .data:0093E7E0                 dd offset aTurnoraction_0 ; "TurnOrActionStart"
    .data:0093E7E4                 dd offset sub_6881F0
    .data:0093E7E8                 dd offset aTurnoractionst ; "TurnOrActionStop"
    .data:0093E7EC                 dd offset sub_688230
    .data:0093E7F0                 dd offset aCameraorsele_0 ; "CameraOrSelectOrMoveStart"
    .data:0093E7F4                 dd offset sub_688260
    .data:0093E7F8                 dd offset aCameraorselect ; "CameraOrSelectOrMoveStop"
    .data:0093E7FC                 dd offset sub_6882A0
    .data:0093E800                 dd offset aMoveandsteer_0 ; "MoveAndSteerStart"
    .data:0093E804                 dd offset sub_6882F0
    .data:0093E808                 dd offset aMoveandsteerst ; "MoveAndSteerStop"
    .data:0093E80C                 dd offset sub_688340
    .data:0093E810                 dd offset aSetmouselookov ; "SetMouselookOverrideBinding"
    .data:0093E814                 dd offset sub_688EC0
    .data:0093E818                 dd offset aMouselookstart ; "MouselookStart"
    .data:0093E81C                 dd offset sub_688640
    .data:0093E820                 dd offset aMouselookstop ; "MouselookStop"
    .data:0093E824                 dd offset sub_688380
    .data:0093E828                 dd offset aIsmouselooking ; "IsMouselooking"
    .data:0093E82C                 dd offset sub_686B90
    They call the following function:
    Example = sub_687CA0(0x200, 1, dword_E7FC9C, 0); <-- TurnRightStart
    Generic = SetControlBit(int ControlBit, BOOL Enable, int GetTickCount, int DoesntMatter = 0)

    You'll notice that they're setting a BITMASK. If you trace through to the offset they're setting you can get the correct address.

    Here's a list of some of the states:
    0x1 moving forward
    0x2 moving backward
    0x4 strafing left
    0x8 strafing right
    0x10 turning left
    0x20 turning right
    0x100 walking
    0x1000 dead
    0x4000 Fall Forward
    0x8000 Fall Backwards
    0x2000 in freefall/jumping
    0x10000 happens when you jump then strafe
    0x200000 swimming
    0x10000000 spirit form

    (copypaste from EoN, don't have access to Visual Studio to pull down my enum from this computer)
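The points in the post above (view the field as an Int32 bitmask, not a float, and an offset that is a few bytes off only overlaps part of the field) can be shown on a constructed buffer. This is an added example, not code from the thread: the flag names and values are taken from the list in the post, while the sample bytes, the neighbouring float fields and the helper names are assumptions made for illustration.

```python
import struct
from enum import IntFlag

class MoveState(IntFlag):          # values from the list in the post above
    FORWARD = 0x1
    BACKWARD = 0x2
    STRAFE_LEFT = 0x4
    STRAFE_RIGHT = 0x8
    TURN_LEFT = 0x10
    TURN_RIGHT = 0x20
    WALKING = 0x100
    DEAD = 0x1000
    FREEFALL = 0x2000
    FALL_FORWARD = 0x4000
    FALL_BACKWARD = 0x8000
    JUMP_STRAFE = 0x10000
    SWIMMING = 0x200000
    SPIRIT_FORM = 0x10000000

KNOWN_BITS = 0
for _flag in MoveState:
    KNOWN_BITS |= _flag.value

def decode(buf, offset):
    """Read a little-endian Int32 and split it into named and unknown bits."""
    value = struct.unpack_from("<I", buf, offset)[0]
    names = [f.name for f in MoveState if value & f.value]
    return value, names, value & ~KNOWN_BITS

def as_float(buf, offset):
    """The same four bytes viewed as a float, which is what a wrong type shows."""
    return struct.unpack_from("<f", buf, offset)[0]

def shared_bytes(true_offset, used_offset, width=4):
    """How many bytes a read or write at used_offset shares with the real field."""
    lo = max(true_offset, used_offset)
    hi = min(true_offset, used_offset) + width
    return max(0, hi - lo)

# Constructed sample: a float, the state mask, another float (layout is assumed).
FIELD_OFFSET = 4
SAMPLE = struct.pack("<fIf", 7.0, 0x200009, 1.0)

if __name__ == "__main__":
    for off in (FIELD_OFFSET, FIELD_OFFSET - 2):
        value, names, unknown = decode(SAMPLE, off)
        print(f"offset {off}: {value:#010x} {names} unknown={unknown:#x} "
              f"overlap={shared_bytes(FIELD_OFFSET, off)} bytes")
    print("as float:", as_float(SAMPLE, FIELD_OFFSET))
```

Bits that fall outside the known flag set are a quick sign that the offset or the type is wrong.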

  7. #22
    Sychotix
    no clue what a bitmask is but anyways... i added a bunch more hacks that i have been doing tonight. Have fun with them =D

    Updated April 04, 2008

  8. #23
    Cypher
    Figured I'd post a quick little tutorial on how to get the time offsets the easy way (use this as an example to get other simple stuff).

    WoWWiki is your friend:
    World of Warcraft API - WoWWiki - Your guide to the World of Warcraft

    Run a quick search for time related APIs and we see this:
    GetGameTime() - Returns the time in-game.

    Jump into IDA and load up WoW for static analysis.

    Do a string search for GetGameTime and double click. You should see this:
    Code:
    .rdata:008BA0E8 aGetgametime    db 'GetGameTime',0      ; DATA XREF: .data:0093ECF0o
    Follow the XREF to get to this:
    Code:
    .data:0093ECF0                 dd offset aGetgametime  ; "GetGameTime"
    .data:0093ECF4                 dd offset sub_692DA0
    Jump to sub_692DA0, which is the location of the GetGameTime routine.

    You will be presented with this:
    Code:
    .text:00692DA0 ; =============== S U B R O U T I N E =======================================
    .text:00692DA0
    .text:00692DA0 ; Attributes: bp-based frame
    .text:00692DA0
    .text:00692DA0 sub_692DA0      proc near               ; DATA XREF: .data:0093ECF4o
    .text:00692DA0
    .text:00692DA0 var_C           = qword ptr -0Ch
    .text:00692DA0 arg_0           = dword ptr  8
    .text:00692DA0
    .text:00692DA0                 push    ebp
    .text:00692DA1                 mov     ebp, esp
    .text:00692DA3                 fild    dword_C6FD34
    .text:00692DA9                 push    esi
    .text:00692DAA                 mov     esi, [ebp+arg_0]
    .text:00692DAD                 sub     esp, 8
    .text:00692DB0                 fstp    [esp+0Ch+var_C]
    .text:00692DB3                 push    esi             ; int
    .text:00692DB4                 call    sub_8215B0
    .text:00692DB9                 fild    dword_C6FD30
    .text:00692DBF                 add     esp, 4
    .text:00692DC2                 fstp    [esp+0Ch+var_C]
    .text:00692DC5                 push    esi             ; int
    .text:00692DC6                 call    sub_8215B0
    .text:00692DCB                 add     esp, 0Ch
    .text:00692DCE                 mov     eax, 2
    .text:00692DD3                 pop     esi
    .text:00692DD4                 pop     ebp
    .text:00692DD5                 retn
    .text:00692DD5 sub_692DA0      endp
    As you can (hopefully) see the offsets are now visible and obvious.

    Very simple example, just to help out some of the newer guys who want to play around with stuff like this.
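The manual steps in the tutorial above (find the name string, follow the data cross-reference into the table, take the dword next to it as the handler address) can be reproduced on a small constructed image. This is an added example, not code from the thread: the image base, string layout, the decoy entry and all function names are assumptions, and only the three sub_ addresses are the ones shown in the listings on this page.

```python
import struct

IMAGE_BASE = 0x00400000  # assumed base for the constructed image

def build_image(entries):
    """Constructed stand-in: NUL-terminated names, then (name_va, func_va) pairs."""
    strings, name_vas = b"", []
    for name, _ in entries:
        name_vas.append(IMAGE_BASE + len(strings))
        strings += name.encode("ascii") + b"\x00"
    strings += b"\x00" * (-len(strings) % 4)        # 4-byte align the table
    table = b"".join(struct.pack("<II", va, fn)
                     for va, (_, fn) in zip(name_vas, entries))
    return strings + table

def find_string(image, name):
    """VA of the string, skipping hits that are only the tail of a longer name."""
    needle = name.encode("ascii") + b"\x00"
    pos = image.find(needle)
    while pos > 0 and image[pos - 1] != 0:
        pos = image.find(needle, pos + 1)
    return None if pos < 0 else IMAGE_BASE + pos

def find_xrefs(image, va):
    """Aligned dwords equal to va that still have a dword after them."""
    pat = struct.pack("<I", va)
    return [IMAGE_BASE + off for off in range(0, len(image) - 7, 4)
            if image[off:off + 4] == pat]

def resolve(image, name):
    """Name -> handler address: string, then xref, then the adjacent dword."""
    name_va = find_string(image, name)
    if name_va is None:
        return None
    for ref in find_xrefs(image, name_va):
        return struct.unpack_from("<I", image, ref - IMAGE_BASE + 4)[0]
    return None

ENTRIES = [                                   # constructed table contents
    ("MouselookStop", 0x688380),
    ("IsMouselooking", 0x686B90),
    ("DecoyGetGameTime", 0x11111111),         # constructed decoy for the suffix case
    ("GetGameTime", 0x692DA0),
]
SAMPLE_IMAGE = build_image(ENTRIES)

if __name__ == "__main__":
    for api in ("GetGameTime", "IsMouselooking", "NoSuchApi"):
        addr = resolve(SAMPLE_IMAGE, api)
        print(api, "->", "not found" if addr is None else f"sub_{addr:06X}")
```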

  9. #24
    Cypher
    Originally Posted by kth_prkns
    no clue what a bitmask is but anyways... i added a bunch more hacks that i have been doing tonight. Have fun with them =D

    Updated April 04, 2008
    http://en.wikipedia.org/wiki/Mask_(computing)

    If you're going to reverse engineer it really helps to know how to program first.

    PS. A bunch of your other offsets are wrong too. I'll post the correct ones when I can be bothered.

  10. #25
    Sychotix
    Originally Posted by Chazwazza
    PS. A bunch of your other offsets are wrong too. I'll post the correct ones when I can be bothered.
    cool i guess but i still think if they work, why mess with em? lol

    AHH and if bitmasking is referring to how "AND" works... then i already know what it is =P binary ftw

  11. #26
    Deltis

    Please help if you can

    Was wondering if someone could help with the following pointers / offsets:

    CGGameUI__m_lockedTarget
    CGPartyInfo__m_members
    CGLootInfo__m_coins
    CGLootInfo__m_loot
    CGLootInfo__m_object
    g_itemDBCache
    s_curMgr_NextObject
    s_curMgr_FirstObject
    CGUnit_C__Name
    CGGameObject_C__Name
    CGPlayer_C__Y
    CGPlayer_C__X
    CGPlayer_C__Z
    CGPlayer_C__Facing
    CGPlayer_C__Speed
    ItemObj_Name

    Thank you

  12. #27
    Cypher
    Originally Posted by kth_prkns
    cool i guess but i still think if they work, why mess with em? lol

    AHH and if bitmasking is referring to how "AND" works... then i already know what it is =P binary ftw

    They only seem to "work" because you actually don't know how to use them properly so you assume that if changing it seems to do something then it must be correct. You're actually off by a few bytes on several of your offsets. Again, you're editing some of the correct address just not all of it, hence why you may think it's correct but you're actually mistaken.

    Furthermore, you obviously don't understand how bit masking works or you'd get the right offsets. >_>
    Last edited by Cypher; 04-04-2008 at 09:51 PM.

  13. #28
    Sychotix
    actually I use the offsets in which my pointer search gives me. I don't do anything with bitmasks.

  14. #29
    kynox
    CGUnit_C__Name
    CGGameObject_C__Name
    CGPlayer_C__Y
    CGPlayer_C__X
    CGPlayer_C__Z
    CGPlayer_C__Facing
    CGPlayer_C__Speed
    ItemObj_Name
    These offsets are redundant. You get all these values from the CObject structure!

  15. #30
    nfs12
    Nice find +rep
