Object Manager Iteration Questions

[Cooldude]

Once you find the object manager (looks like qword_3667898 so 0x3667898 ), what does iterating through the object manager look like? I assume there are different values at each offset like object type 0x8, etc.. Someone said the structure has changed this past patch?

I have only used unlockers before where they give you a nice LUA function to work off of with all of the types mapped out already.

Let's say I wanted to
A: get a count of all objects in the object manager
B: narrow that down to only gameobjects
C: Further narrow the type down to herbs and mining nodes so I can get an XYZ of the GUID

I can attach and read the object manager pointer successfully, but not much luck beyond that yet as far as iterating it goes.

Code:

import pymem
import pymem.process


def main():
    process_name = "Wowclassic.exe"
    pm = pymem.Pymem(process_name)
    module = pymem.process.module_from_name(pm.process_handle, process_name)
    base_module = module.lpBaseOfDll


    OBJECT_MANAGER_OFFSET = 0x3667898
    object_manager_addr = base_module + OBJECT_MANAGER_OFFSET
    entity_array_ptr = pm.read_ulong(object_manager_addr + 0x8)


    ENTITY_SIZE = 0x30
    max_slots = 10000
    valid_objects = []


    for i in range(max_slots):
        entity_addr = entity_array_ptr + (i * ENTITY_SIZE)
        try:
            guid_bytes = pm.read_bytes(entity_addr + 0x18, 16)
        except Exception:
            continue
        entity_guid = int.from_bytes(guid_bytes, "little")
        if entity_guid == 0:
            continue
        try:
            object_base = pm.read_ulong(entity_addr + 0x28)
        except Exception:
            continue
        if object_base == 0:
            continue
        try:
            object_type = pm.read_uchar(object_base + 0x8)
            object_guid_bytes = pm.read_bytes(object_base + 0x18, 16)
            object_guid = int.from_bytes(object_guid_bytes, "little")
            object_id = pm.read_int(object_base + 0xC8)
        except Exception:
            continue


        valid_objects.append({
            "index": i,
            "entity_guid": entity_guid,
            "object_base": object_base,
            "object_type": object_type,
            "object_guid": object_guid,
            "object_id": object_id
        })


    print(f"Found {len(valid_objects)} valid objects:")   # not finding anything yet of course
    for obj in valid_objects:
        print(f"Index {obj['index']}: EntityGUID=0x{obj['entity_guid']:X}, "
              f"ObjectBase=0x{obj['object_base']:X}, "
              f"ObjectType={obj['object_type']}, "
              f"ObjectGUID=0x{obj['object_guid']:X}, "
              f"ObjectID={obj['object_id']}")


if __name__ == '__main__':
    main()

[Cooldude]

Okay so I think I forgot to dereference the pointer and that was giving me issues, I have a general concept working but still trying to navigate the offsets for the object ID, type, etc

This is clearly wrong except for the object count which seems to be correct, just looking around and trying to piece it together still

How does the object manager list look, like is there an new entity every x bytes, and then 4 bytes after that is the GUID for that entity, 4 bytes after that is the Type/category for the entity, etc...?

Code:

  
ENTITY_SIZE = 0x30  # Each ObjectEntity is 0x30 bytes?
ENTITY_GUID_OFFSET = 0x18  
ENTITY_OBJECT_OFFSET = 0x28  # Pointer to the game object.


# Offsets within the game object structure
OBJECT_TYPE_OFFSET = 0x8  # 1 byte: object type.
OBJECT_GUID_OFFSET = 0x18  # 16 bytes: object GUID.
OBJECT_ID_OFFSET = 0xC8  # 4 bytes: object ID.

Code:

Entity Array starts at: 0x163A64E6130
Object Count: 91
Found 15 valid objects:
Index 0: EntityGUID=0x163F066118000000163F0661B60, ObjectBase=0x163F06611D0, ObjectType=0, ObjectGUID=0xC5F5C000000000040000001A346C94A, ObjectID=-1335641544
Index 1: EntityGUID=0x163F066136000000163F0661310, ObjectBase=0x163F06613B0, ObjectType=6, ObjectGUID=0xC5F5C000000000040000001A346C950, ObjectID=-436878052
Index 2: EntityGUID=0x163F066145000000163F0661400, ObjectBase=0x163F06E1230, ObjectType=4, ObjectGUID=0x2050E40000063940005C540000215633, ObjectID=0
Index 3: EntityGUID=0x163F066263000000163F06615D0, ObjectBase=0x163F0661670, ObjectType=8, ObjectGUID=0x2050E4000000CDC0005C540000215634, ObjectID=-437115220
Index 4: EntityGUID=0x163F06620A000000163F0661B10, ObjectBase=0x163F06614F0, ObjectType=3, ObjectGUID=0x2050E4000000EDC0005C540000215633, ObjectID=176
Index 5: EntityGUID=0x163F06619E000000163F0661990, ObjectBase=0x163F0661C00, ObjectType=17, ObjectGUID=0x2050E400000C9E80005C54000021565F, ObjectID=-600534808
Index 6: EntityGUID=0x163F066254000000163F06624F0, ObjectBase=0x163F06617B0, ObjectType=20, ObjectGUID=0x2050E40000004AC0005C540000217DC4, ObjectID=-1218980780
Index 7: EntityGUID=0x163F0661D4000000163F06618A0, ObjectBase=0x163F0661D90, ObjectType=0, ObjectGUID=0x2C50E40000946440005C54000121562E, ObjectID=-379513832
Index 8: EntityGUID=0x163F0661F2000000163F0661ED0, ObjectBase=0x163F0661F60, ObjectType=6, ObjectGUID=0x2C50E40000946800005C54000121562E, ObjectID=-599882596
Index 9: EntityGUID=0x163F0661A3000000163F0662720, ObjectBase=0x163F06618F0, ObjectType=5, ObjectGUID=0x2050E40000004AC0005C5400002178DF, ObjectID=-600119764
Index 10: EntityGUID=0x163F0661A7000000163F0662280, ObjectBase=0x163F0662000, ObjectType=25, ObjectGUID=0x2050E40000004AC0005C540000217CD4, ObjectID=-1155930404
Index 11: EntityGUID=0x163F066259000000163F06627C0, ObjectBase=0x163F0662320, ObjectType=0, ObjectGUID=0x85F5C00000000000000000002C701B0, ObjectID=-1156464032
Index 12: EntityGUID=0x163F066245000000163F0661CF0, ObjectBase=0x163F06625E0, ObjectType=5, ObjectGUID=0x2050E40000004AC0005C540000217AF9, ObjectID=-1155633944
Index 13: EntityGUID=0x163F066281000000163F06621E0, ObjectBase=0x163F0662860, ObjectType=16, ObjectGUID=0x2C50E40000946700005C54000121562E, ObjectID=-1184716724
Index 14: EntityGUID=0x163F06629E000000163F0662990, ObjectBase=0x163F0662A30, ObjectType=23, ObjectGUID=0x2050E40000004AC0005C540000217D90, ObjectID=0

[mazer]

there is plenty of info a few threads down below like https://www.ownedcore.com/forums/wor...r-changes.html (WoW Classic 1.15.5.57638 Object Manager Changes)

nevertheless, here is some sample c# code so you get the idea behind this:

Code:

public void Update()
{
    UpdateFrameCache();
    UpdateGameState();
    _objects.Clear();

    var objMgrAddr = IntPtr.Add(MemoryReader.BaseAddress, (int)MemoryReader.Offsets.OBJECT_MANAGER);
    var objMgr = MemoryReader.ReadUInt64(objMgrAddr);

    var hashArrayPtr = MemoryReader.ReadUInt64(new IntPtr((long)objMgr + (long)MemoryReader.Offsets.HASH_ARRAY));
    var hashArrayMax = MemoryReader.ReadUInt64(new IntPtr((long)objMgr + (long)MemoryReader.Offsets.HASH_ARRAY_MAX));
    var entityArrayPtr = MemoryReader.ReadUInt64(new IntPtr((long)objMgr + (long)MemoryReader.Offsets.ENTITY_ARRAY));

    for (ulong i = 0; i < hashArrayMax; i++)
    {
        var entryOffset = i * 0x18;
        var entryAddr = new IntPtr((long)hashArrayPtr + (long)entryOffset);

        var guidLow = MemoryReader.ReadUInt64(entryAddr);
        var guidHigh = MemoryReader.ReadUInt64(IntPtr.Add(entryAddr, 0x8));
        var entityIndex = MemoryReader.ReadUInt64(IntPtr.Add(entryAddr, 0x10)) & 0x3FFFFFFF;

        if ((guidLow == 0 && guidHigh == 0) || (guidLow == 1 && guidHigh == 0x400000000000000))
            continue;
        if (entityIndex <= 0)
            continue;

        var entityBuilderPtr = MemoryReader.ReadUInt64(new IntPtr((long)entityArrayPtr + (long)(entityIndex * 0x8)));
        if (entityBuilderPtr <= 0)
            continue;

        var objectPtr = MemoryReader.ReadUInt64(new IntPtr((long)entityBuilderPtr + (long)MemoryReader.Offsets.ENTITY_OBJECT));
        if (objectPtr <= 0)
            continue;

        var objectType = MemoryReader.ReadByte(new IntPtr((long)objectPtr + 0x8));

        var obj = CreateObject(objectPtr, (ObjectManagerObjectType)objectType, (guidLow, guidHigh));
        if (obj != null)
        {
            if (obj.Type == ObjectManagerObjectType.ActivePlayer)
            {
                _activePlayer = (PlayerObject)obj;
            }
            _objects.Add(obj);
        }
    }

    foreach (var obj in _objects)
    {
        obj.DistanceToPlayer = Vector3.Distance(obj.Position, _activePlayer.Position);
    }
}

[Cooldude]

Thanks! That was very helpful and I was able to get it working.

When it comes to things like object positions, do these offsets change often between patches or is the structure always the same?

For example, say I wanted to find an objects vector3 position, would that be:
Object Manager address --> 0x8 -> 0x28 ---> position is somewhere in here? I think 0x8 would be the category type here.

Then beyond that, how would you know that it's an herb/mining node, is there a string offset somewhere with the name? Cause there could be different object types within gameobject that are not mining/herb nodes.

Really appreciate the insights, thank you!