[Retail] v11.0.7 59207 Offsets

[ring3]

Offsets are not tested and not much because i do it manually to learn.
More will come

Code:

ClntObjMgrObjectPtr: 0x1420BFA70
ClntObjMgrGetMapId: 0x1420BF010
GetUnitName: 0x1426EA000
s_curMgr: 0x144750D38

[ring3]

Code:

ClntObjMgrEnumVisibleObjects	0x20BE0F0
ClntObjMgrEnumVisibleObjectsPtr	0x20BE3D0
camera_manager: 0x47617D8
camera_manager_ptr: 0x3A58
InGameFlag: 0x497E564 & 0x40 != 0
IsLoadingOrConnecting: 0x498FEB0   OR   0x498FF10
WorldFrame_GetCurrent: 0x43D0130  sub_2328B0
UnitIsFriendly: 0x26F1370

[maikel233]

enjoy

Code:

Detected game version: 11.0.7.59207
Pattern search...
========-------Pattern search completed-------========
========-------X-HOOK Pattern output:-------========
========-------ClntObjMgr functions:-------========
Offset_ClntObjMgrEnumVisibleObjectsPtr = 0x00000000020BE3D0
Offset_ClntObjMgrGetMapId = 0x00000000020BF010
Offset_ClntObjMgrIsValid = 0x00000000020BF9C0
========-------Movement functions:-------========
Offset_ClickToMove = 0x00000000020BE3D0
Offset_FaceTo = 0x00000000020ADA60
Offset_Jump = 0x00000000020AD5B0
========-------Validation functions:-------========
Offset_InvalidPtrCheckMin = 0x0000000006067BD8
Offset_InvalidPtrCheckMax = 0x0000000006067BE0
Offset_HardwareEventPtr = 0x000000000344C350
========-------Item functions:-------========
Offset_CGItem_UseItemParm = 0x00000000047B1B80
Offset_CGItem_UseItem = 0x0000000002732440
========-------Spell functions:-------========
Offset_Spell_C_GetMinMaxRange = 0x00000000025E45B0
Offset_Spell_C_IsCurrentSpell = 0xFFFF8008557C0000
Offset_Spell_C_GetSpellCoolDown = 0x00000000025E69C0
Offset_Spell_C_CastSpell = 0x0000000002919620
Offset_Spell_C_HaveSpellPower = 0x00000000025EC240
Offset_SpellBook_findSlotBySpellId = 0x0000000002A21460
Offset_SpellBook_FindSpellByName = 0x0000000002F19AD0
Offset_SpellBook_Instance = 0x000000000074A730
Offset_SpellBook_RepeatingSpellId = 0x00000000207367BB
Offset_CGUnit_IsSpellKnown = 0x0000000002A2AD60
========-------General Unit functions:-------========
Offset_UnitReaction = 0x00000000027151A0
Offset_Cooldown = 0x00000000042FD990
Offset_GuidToString = 0x00000000024225A0
========-------CGPlayer functions:-------========
Offset_CGPlayer_C_HandleRepopRequest = 0x0000000002A07800
========-------CGGameObject functions:-------========
Offset_CGGameObject_C_CanUse = 0x00000000000C0000
Offset_CGGameObject_C_CanUseNow = 0x00000000000C0000
Offset_CGGameObject_C_IsLocked = 00x00000000000C0000
========-------Sprite functions:-------========
Offset_SpriteLeftClick = 0x000000000292D980
Offset_SpriteRightClick = 0x000000000292DE00
========-------Combat functions:-------========
Offset_CGUnit_C_OnAttackIconPressed =0x00000000000C0000
Offset_CGUnit_C_IsInMelee = 0x00000000000C0000
========-------Camera functions:-------========
Offset_Bool_MustEnterInstanceToRecoverBodymsg = 0x000000000430BCE4
Offset_CameraMgr = 0x00000000047617D8
Offset_CameraPtr = 0x0000000000003A58
========-------WorldFrame functions:-------========
Offset_WorldFrame_GetWorld = 0x00000000002328B0
Offset_WorldFrame_Intersect = 0x00000000021FD5B0
Offset_WorldFrame_GetScreenCoordinates = 0x0000000002333BB0
========-------Input functions:-------========
Offset_InputControl = 0x00000000042E9640
Offset_ToggleControlBit = 0x0000000002441850
Offset_HandleTerrainClick = 0x00000000025EB8A0
========-------Attack functions:-------========
Offset_CanAttack = 0x00000000026CE500
Offset_IsOutDoors = 0x000000004A980538
Offset_Dismount = 0x00000000026DF2A0
========-------ItemCache functions:-------========
Offset_GetItemCacheEntry = 0x000000000051B7B0
Offset_ItemCacheEntryBase = 0x000000003AC69747
========-------Merchant functions:-------========
Offset_Merchant_unk_arg = 0x00000000012F3BF0
Offset_Merchant = 0x0000000002C1C700
Offset_MerchantItems = 0x00000000049BE5D8
Offset_MerchantCount = 0x00000000049BE5DC
Offset_MerchantItemsInfoSize = 0x0000000000000098
Offset_MerchantItemsInfoStackCount = 0x0000000000000000
Offset_MerchantSellItem =0x00000000000C0000
Offset_MerchantBuyItem = 0x000000000268BDE0
Offset_MerchantGetAllRepairCost = 0x0000000002D21AE0
Offset_MerchantRepairStruct = 0x00000000006A4010
Offset_MerchantRepairAllItems = 0x000000000291CCB0
========-------Skill functions:-------========
Offset_GetSkillIndexById = 0x00000000026404B0
Offset_UseActionBar = 0x0000000002BAE3C0
========-------Corpse Retrieval functions:-------========
Offset_RetrieveCorpse1 = 0x00000000000C0000
Offset_RetrieveCorpseStruct = 0x00000000000C0000
Offset_RetrieveCorpse2 = 0x00000000000C0000
Offset_RetrieveCorpseGuid = 0x00000000000C0000
Offset_CorpseMapID = 0x000000000430BCE0
Offset_CorpsePos = 0x000000000430BD20
========-------Rune functions:-------========
Offset_GetRuneType = 0x00000000000C0000
Offset_IsRuneAtCooldown = 0x00000000000C0000
========-------Gossip functions:-------========
Offset_GossipSelectOption = 0x0000000002C6ABD0
========-------Target functions:-------========
Offset_LastTargetGuid = 0x0000000041617EA5
========-------Bone Position functions dunno if we can get this working THO:-------========
Offset_CM2ModelGetBonePosition = 0x00000000000C0000
========-------GameTime functions:-------========
Offset_GameTime = 0x00000000002ACFA0
========-------Quest functions:-------========
Offset_Quest_SelectActiveQuest = 0x000000000263A750
Offset_Quest_SelectAvalibleQuest =0x00000000000C0000
Offset_Quest_AcceptQuest = 0x0000000002DED8C0
Offset_Quest_IsQuestComplete = 0x0000000002DD7480
Offset_Quest_GetReward = 0x0000000004A359C8
Offset_Quest_GetQuestReward = 0x0000000002640100
Offset_Quest_GetQuestRewardid = 0x0000000004A37DB8
========-------Other:-------========
Offset_isLootWindowOpen = 0x00000000000C0000
Offset_IsPlayerInWorld = 0x000000000497E564
Offset_LastRedMessage = 0x000000000497E820
Offset_InstanceName = 0x00000000000C0000
========-------Unit Attributes:-------========
Offset_Type = 0x0000000000000008
Offset_Guid = 0x0000000000000018
Offset_Owner = 0x0000000000000000
Offset_Race = 0x0000000000000000
Offset_Class = 0x0000000000000000
Offset_Sex = 0x0000000000000000
Offset_AnimationStatus = 0x0000000000000000
Offset_GatherStatus = 0x0000000000000000
Offset_GetHealth = 0x00000000000016D0
Offset_GetMaxHealth = 0x0000000000001920
Offset_UnitFlag1 = 0x0000000000000019
Offset_UnitFlag2 = 0x000000000000001D
Offset_UnitFlag3 = 0x0000000000000021
Offset_DynamicFlag = 0x00000000000000DC
Offset_CreatureInfo = 0x0000000000000118
========-------Movement functions:-------========
Offset_Movement_Pointer = 0x00000000000000A0
Offset_Movement_Transport_Pointer = 0x0000000000000000
Offset_Movement_TransportGuid = 0x0000000000000010
Offset_Movement_Position = 0x0000000000000018
Offset_Movement_Rotation = 0x0000000000000028
Offset_Movement_Pitch = 0x0000000000000154
Offset_Movement_UnitSpeed = 0x00000000000001A0
Offset_Movement_MovementFlag = 0x00000000000000F8
Offset_Movement_MovementFlagEx = 0x00000000000000FC
Offset_Movement_CollisionWidth = 0x0000000000000244
Offset_Movement_CollisionHeight = 0x0000000000000248

[gdfsxwy]

seek help.
I missed the Wow.exe file for game version 11.0.7.59207 that I used for my IDA.
If there is no original file, decrypted Wow.exe can be accepted.
Please send the file to my email, thank you very much!
My email [email protected]

[evil2]

Does anyone know what exactly this value is for?

Unit Movement Struct + 0x38 <-- ?
(reference value: pos X = 0x18 )

[Taitasheri]

Can you guys explain how you find the offset from the camera manager to the camera object pointer? I don't understand where you get the 0x3A58, for example. The current retail camera manager is, as I was digging, at 0x4685118. But where do you go from there? Nothing seems to hint on any of such offsets in Lua strings & underlying C implementations. I can probably just search for fov/pitch/yaw/roll via CE, and pick up the closest address that is relative to the camera manager, but surely there must be a better way to do this? Been digging around for a couple of days and can't seem to get a crack on it.

[Sweann]

I'm searching text "GetCameraZoom" in ghidra, and i found something like this: "FUN_1004c817c("GetCameraZoom",FUN_10160b704);"
This is function registration for it's name, so You can continue and follow the route and you will end up a function with something like this: "return *(undefined8 *)(DAT_102292c08 + 0x3870);"

[Jinsett]

Are you on mac? I don't see any function subscriptions in my IDA... Only dispatch table, and they just reference strings...

[Jinsett]

even if I search for an intermediate value 3870, I don't see any function that returns it. the only thing I can find is the function that retrieves the active camera, and it gets it from rax + 478. can anyone explain what the problem could be? maybe my wow dump is wrong....

[Sweann]

even if I search for an intermediate value 3870, I don't see any function that returns it. the only thing I can find is the function that retrieves the active camera, and it gets it from rax + 478. can anyone explain what the problem could be? maybe my wow dump is wrong....

Yes I'm on mac, but it doesn't matter. You have to search a string reference which is used in a function then you could walk around.
What i wrote is working on Inter / Mac it's not platform specific.

The 0x3700 offset may change on each new build so this is why u need to us a binary pattern search later to skip manual lookup.

[Archos]

This is not right.....

[Archos]

wow.... wtf is this editor.

[Archos]

Here is a bit of an example (macOS, arm64, rebased split universal binary (meaning I split the universal binary into two new binaries and executed them seperatly):

We look for "GetCameraZoom":



CleanShot 2025-03-21 at [email protected]

Its found in two locations:



CleanShot 2025-03-21 at [email protected]

We follow it here where we find it being registered in the Lua environment. (Tip: You xref `sub_1E6A074` and find how one of the lua environments is setup and all of the functions that register lua functions).

CleanShot 2025-03-21 at [email protected]

Here we see a function (`sub_114F554`) being called. (sub_60B8 is basically `lua_pushnumber`)

CleanShot 2025-03-21 at [email protected]

We see that the sub returns `0x41FCA80 + 0x470`. `0x41FCA80 ` is PROBABLY the start of a structure.

CleanShot 2025-03-21 at [email protected]

`0x41FCA80 + 0x470 + 025C` = 0x41FD14C

Meaning our camera zoom value is at 0x41FD14C.

[Razzue]

`0x41FCA80 + 0x470 + 025C` = 0x41FD14C
Meaning our camera zoom value is at 0x41FD14C.

N...no?

GameAddress + CameraOffset -> read as IntPtr: CameraPtr
CameraPtr + 0x470 -> read as IntPtr : CCamera
CCamera + 0x25C -> Read as float : there's you're zoom value...

Code:

CameraPointer -> 0x4685118
CameraOffset   -> 0x478

Fields.Camera.Position      -> 0x10
Fields.Camera.Matrix        -> 0x1C
Fields.Camera.Fov             -> 0x40
Fields.Camera.Zoom         -> 0x25C
Fields.Camera.ZoomMax  -> 0x260

Code:

internal class CCamera
{
    internal static IntPtr Address
    {
        get
        {
            var pointer = Memory.Read<IntPtr>(Instance.Address + Offsets.CameraPointer);
            if (pointer == IntPtr.Zero) return pointer;


            Memory.Read(pointer + Offsets.CameraOffset, ref pointer);
            return pointer;
        }
    }


    internal static float GetZoom()
    {
        var address = Address;
        if (IntPtr.Zero == address) return -1f;


        return Memory.Read<float>(address + Fields.Camera.Zoom);
    }


    internal static void SetZoom(float value)
    {
        var address = Address;
        if (IntPtr.Zero == address) return;


        Memory.Write(address + Fields.Camera.Zoom, value);
        Memory.Write(address + Fields.Camera.ZoomMax, value);
    }
}

Capture.PNG

Please read what's right in front of your face..

if(41FCA80) return *(qword*)(41FCA80 + 0x470);
else return 0;
and
*(float*)(v2 + 0x25c);

[Archos]

N...no?

GameAddress + CameraOffset -> read as IntPtr: CameraPtr
CameraPtr + 0x470 -> read as IntPtr : CCamera
CCamera + 0x25C -> Read as float : there's you're zoom value...

Code:

CameraPointer -> 0x4685118
CameraOffset   -> 0x478

Fields.Camera.Position      -> 0x10
Fields.Camera.Matrix        -> 0x1C
Fields.Camera.Fov             -> 0x40
Fields.Camera.Zoom         -> 0x25C
Fields.Camera.ZoomMax  -> 0x260

Code:

internal class CCamera
{
    internal static IntPtr Address
    {
        get
        {
            var pointer = Memory.Read<IntPtr>(Instance.Address + Offsets.CameraPointer);
            if (pointer == IntPtr.Zero) return pointer;


            Memory.Read(pointer + Offsets.CameraOffset, ref pointer);
            return pointer;
        }
    }


    internal static float GetZoom()
    {
        var address = Address;
        if (IntPtr.Zero == address) return -1f;


        return Memory.Read<float>(address + Fields.Camera.Zoom);
    }


    internal static void SetZoom(float value)
    {
        var address = Address;
        if (IntPtr.Zero == address) return;


        Memory.Write(address + Fields.Camera.Zoom, value);
        Memory.Write(address + Fields.Camera.ZoomMax, value);
    }
}

Capture.PNG

Please read what's right in front of your face..

if(41FCA80) return *(qword*)(41FCA80 + 0x470);
else return 0;
and
*(float*)(v2 + 0x25c);

qword_41fca80 is the CameraPtr, right?