[Release]WoW 2.4.1 Addresses

  1. #46
    Cypher
    Originally Posted by kth_prkns
    it works just fine. All of them.
    Not on live.

  2. #47
    Sychotix
    Yes they do... you can do about a 4% speed increase with any of the addresses (except maybe the elite one, but I haven't messed with that one much) on live servers without disconnecting.

  3. #48
    Cypher
    Originally Posted by kth_prkns
    Yes they do... you can do about a 4% speed increase with any of the addresses (except maybe the elite one, but I haven't messed with that one much) on live servers without disconnecting.
    4% != Working.

  4. #49
    Cypher
    Oh, I forgot to mention originally, the reason you had trouble editing the jump height is probably because it's stored in the RDATA section and marked as read only. Depending on how you're modifying it you might need to call VirtualProtectEx (VirtualProtectEx Function (Windows)) first.

  5. #50
    Sychotix
    lol I guess OllyDbg (or one of its modified programs) does that =P

    EDIT: also.. 4% ! 0% =D it may not be TOO much... but there is a method in which you can keep a buff (like sprint or a mount) which I won't post.

  6. #51
    Cypher
    Originally Posted by kth_prkns
    lol I guess OllyDbg (or one of its modified programs) does that =P

    EDIT: also.. 4% ! 0% =D it may not be TOO much... but there is a method in which you can keep a buff (like sprint or a mount) which I won't post.

    Orrr, you could just write a proper speedhack.

  7. #52
    Noloony
    How do I use: Facing Direction - [00E849E0]+0xBFC ?
    And if I edit it, can I set it so that when I'm moving forward I only move over the y-axis?

  8. #53
    Sychotix
    just change the value and idk but probably

  9. #54
    Noloony
    nvm already found out how to use it tnxs anyway

  10. #55
    lunitune

    Mouse Cursor Types

    Excuse me if these were covered elsewhere.

    This post is more for less experienced members like myself. I look forward to the more experienced members posting higher level knowledge.

    2.4.1 - 0xD48B08 is the address that this cursor type happens in.

    Decimal value = description

    1 = normal

    3 = banker/auctioneer in range (money bag)
    4 = attack in range
    5 = use (fishing bobber) in range
    6 = talk (cartoon chat bubble)

    8 = money bags in range (merchant)

    10 = trainer book in range
    11 = mining in range
    12 = skin in range
    13 = herbalism in range
    15 = mail in range
    16 = loot in range
    18 = repair in range

    23 = quest giver ! in range
    24 = repeatable quest giver in range (blue ?)

    28 = banker/auctioneer/guild bank out of range (money bags)
    29 = attack out of range
    30 = use - out of range
    31 = talk (cartoon chat bubble) - out of range

    33 = money bags out of range (merchant)

    35 = trainer book out of range
    36 = mining out of range
    37 = skin out of range
    38 = herbalism out of range
    40 = mail out of range
    41 = loot out of range
    43 = repair out of range

    48 = Quest giver ! out of range
    49 = repeatable quest giver out of range (blue ?)

    51 = ask for directions out of range AND in range (scroll over guards)

    -----

    I think most people know this from previous posts. But for anyone new, basically there is a static memory location that holds an (int) number which identifies what cursor is on screen, e.g. a cog such as you get when fishing, or a scroll like when you mouse over a city guard who can give directions.

    -----

    Someone in a previous post had found the location:
    wow 2.2.3 it was 0xC51920
    If you open wow 2.2.3 in OllyDbg and then do a binary search in the main thread for this number, you find where in the program the mouse cursor is referenced.

    To do a binary search in olly use ctrl+B. Remember to put the number in backwards (little endian vs big endian stuff):
    2019C5
    This comes up in a few places. The one I locked in on in 2.2.3 was at line 0x53BB40 in the exe. It looks like this (last line):

    Code:
    0053BB2F    CC            INT3
    0053BB30    55            PUSH    EBP
    0053BB31    8BEC          MOV     EBP,ESP
    0053BB33    81EC 08010000 SUB     ESP,108
    0053BB39    A1 E8E48A00   MOV     EAX,DWORD PTR DS:[8AE4E8]
    0053BB3E    33C5          XOR     EAX,EBP
    0053BB40    8945 FC       MOV     [LOCAL.1],EAX
    0053BB43    53            PUSH    EBX
    0053BB44    56            PUSH    ESI
    0053BB45    B8 01000000   MOV     EAX,1
    0053BB4A    33DB          XOR     EBX,EBX
    0053BB4C    57            PUSH    EDI
    0053BB4D    A3 2019C500   MOV     DWORD PTR DS:[C51920],EAX        ; Cursor Type

    Line 53BB39 has a static address in it that will change from patch to patch, so taking the line after that to the beginning of the line that has our address in it, i.e. lines 0053BB3E to 0053BB4D, we get the following binary (to binary copy, select the appropriate lines, right click and look for the binary option):

    Code:
    33 C5 89 45 FC 53 56 B8 01 00 00 00 33 DB 57 A3

    I have stopped at A3 because what comes after that is the mem loc that we're looking for, and this changes from patch to patch.

    What I have in that binary string is a signature which I can then search for in 2.4.1.

    I do it through Olly; however, Justme of dasm fame wrote an app that can automatically find the address you're looking for, once you input a search string like above.

    You can also automate these searches in other programs like IDA (and maybe Olly) too, but I don't know enough to elaborate on this.

    In wow 2.4.1 do a binary search in the main thread for the above string of binary numbers.

    Alas nothing is found.

    Normally this method works and you'll end up finding an identical set of code with different addresses, however in this case the code was changed between 2.2.3 and 2.4.1.

    There are many options here.

    1) In Cheat Engine or TSearch do a search for known values and narrow it down. E.g. hold the mouse over the mailbox in range and search for that value, then again with the mouse over a different object.

    This didn't quite work for me either as between those 2 versions they added more mouse types.

    2) Search for an unknown value and narrow it down. There are descriptions of this elsewhere, however if you want it again I can do one.

    3) What I did was this. Just below the location I locked in on in 2.2.3 you'll see the line

    Code:
    0053BB81  |.  68 880D8600   |PUSH    2_2_3WoW.00860D88               ;  ASCII "Interface\Cursor\%s.blp"

    Now in 2.4.1 - Right click in the CPU window > Search For > All Referenced Text Strings.

    In the text strings window that appears right click and search for
    Interface\\Cursor

    When the search finds one double click on it to be taken to that location in the CPU window. A couple of hits down you'll find a very similar piece of asm to the above. They have changed a couple of bytes in the code which is what put us off in the first method.

    But we have our address
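
The signature search described in post #55, as an added example that is not part of the original thread: it runs the post's 16-byte signature over a buffer built from the 2.2.3 listing, shows the exact pattern missing on a later build, and recovers with one wildcard byte. `NEW_BUILD`, its changed byte and its operand `0x11223344` are constructed placeholders, not bytes from any real client.

```python
import struct

# Bytes 0053BB2F..0053BB51 from the 2.2.3 listing quoted in the post.
OLD_BUILD = bytes.fromhex(
    "CC 55 8B EC 81 EC 08 01 00 00 A1 E8 E4 8A 00 "
    "33 C5 89 45 FC 53 56 B8 01 00 00 00 33 DB 57 A3 20 19 C5 00")
# Constructed later build: one register byte and all addresses differ.
NEW_BUILD = bytes.fromhex(
    "CC 55 8B EC 81 EC 08 01 00 00 A1 10 20 30 00 "
    "33 C5 89 45 FC 53 56 B8 01 00 00 00 33 F6 57 A3 44 33 22 11")

EXACT = "33 C5 89 45 FC 53 56 B8 01 00 00 00 33 DB 57 A3"  # from the post
WILD = "33 C5 89 45 FC 53 56 B8 01 00 00 00 33 ?? 57 A3"   # volatile byte masked


def parse_sig(text):
    """Turn '33 C5 ?? A3' into a list of ints, with None for a wildcard."""
    return [None if tok in ("?", "??") else int(tok, 16) for tok in text.split()]


def find_sig(buf, sig):
    """Return every offset in buf at which the signature matches."""
    return [off for off in range(len(buf) - len(sig) + 1)
            if all(s is None or buf[off + i] == s for i, s in enumerate(sig))]


def operand_after(buf, sig_text):
    """Little-endian 32-bit value following a unique match, else None.

    Zero hits means the code changed; several hits mean the signature is
    too short to trust. Both cases are reported as None.
    """
    sig = parse_sig(sig_text)
    hits = find_sig(buf, sig)
    if len(hits) != 1:
        return None
    end = hits[0] + len(sig)
    if end + 4 > len(buf):
        return None
    return struct.unpack_from("<I", buf, end)[0]


if __name__ == "__main__":
    for name, buf in (("old", OLD_BUILD), ("new", NEW_BUILD)):
        for label, sig in (("exact", EXACT), ("wild", WILD)):
            value = operand_after(buf, sig)
            print(name, label, hex(value) if value is not None else "no unique match")
```
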

  11. #56
    lunitune

    changing heading

    Originally Posted by Noloony
    How do I use: Facing Direction - [00E849E0]+0xBFC ?
    And if I edit it, can I set it so that when I'm moving forward I only move over the y-axis?
    Does that mean that facing a particular direction is just a matter of editing this value? I thought it required injection?

  12. #57
    Sychotix
    Originally Posted by lunitune
    Does that mean that facing a particular direction is just a matter of editing this value? I thought it required injection?
    do you even know what you were injecting? lol

  13. #58
    galpha
    Writing the value of a rotation in memory will change your rotation instantly, but writing = detectable.

    Also lunitune, very nice analysis. Are you coding in C++? If that's the case, you might wanna look for pattern matching:

    code signatures via C++ stream-based extensible pattern matching - Game Deception - Forums

  14. #59
    Sychotix
    When you change a value, you're not writing memory. Also, injecting a should be just as detectable, if not more, than simply using a memory editor to change the value. The memory editor that I use has a ton of anti-anti-hack protection so I doubt Warden even notices the program or its methods of writing memory.

    I could create a DLL right now to edit the value for you but I'm too lazy to go download a compiler, but this should be the basics... (it's an example from my DLL KartDebug for KartRider which is now open-source)

    P=0.5f;
    __asm{
    mov eax, P;
    mov ebx, 008F4B98h;
    mov [ebx], eax;
    }

  15. #60
    kynox
    Originally Posted by Sychotix
    When you change a value, you're not writing memory. Also, injecting a should be just as detectable, if not more, than simply using a memory editor to change the value. The memory editor that I use has a ton of anti-anti-hack protection so I doubt Warden even notices the program or its methods of writing memory.

    I could create a DLL right now to edit the value for you but I'm too lazy to go download a compiler, but this should be the basics... (it's an example from my DLL KartDebug for KartRider which is now open-source)

    P=0.5f;
    __asm{
    mov eax, P;
    mov ebx, 008F4B98h;
    mov [ebx], eax;
    }

    Why make use of inline asm?

    *(float*)0x008F4B98 = 0.5f;
