WoW 3.3.5a Item Gem Offsets (0x70, 0x7C, 0x88) Incorrect in Warmane?

  1. #1
    Fufavu

    Hello everyone,

    I'm developing a script in Python (`ctypes`) to read information from players in arena in WoW 3.3.5a (Build 12340), focusing on the **Warmane** server. The aim is to calculate the total resilience (items, enchants and gems).

    **Current Progress and Logic**

    Most of the memory reading is working:

    1. Reading GUIDs via Object Manager (OM).
    2. Reading visible ItemID/EnchantID from the player descriptor (`player_desc_ptr + 0x46C`, step 8).
    3. Reading GUIDs from equipped items (`player_desc_ptr + 0x510`, step 8).
    4. Search for the Item descriptor (`item_desc_ptr`) via the item's GUID, iterating through the OM (confirmed to work, TypeID=1).

    **The Problem - Reading the Gems**

    The difficulty lies in obtaining the **Enchantment IDs** of the set gems.

    * Based on multiple sources (dumps of structures such as `eItemFields`, discussions of TC/Mangos), the Enchantment IDs of the gems (slots 2, 3, 4) should be in the following offsets relative to `item_desc_ptr`:
    * Gem 1 (Slot Enc. 2): `item_desc_ptr + 0x70` (listed as `ITEM_FIELD_ENCHANTMENT_3_1`).
    * Gem 2 (Slot Enc. 3): `item_desc_ptr + 0x7C` (listed as `ITEM_FIELD_ENCHANTMENT_4_1`)
    * Gem 3 (Slot Enc. 4): `item_desc_ptr + 0x88` (listed as `ITEM_FIELD_ENCHANTMENT_5_1`)

    * When reading `uint32` from these offsets (`0x70`, `0x7C`, `0x88`) after getting a valid `item_desc_ptr` in **Warmane**, the values returned are **not** Gem Enchantment IDs. I'm getting very large numbers (e.g. 592.xxx.xxx), which don't make sense as IDs. The search for `item_desc_ptr` is working (we found the correct Item object with TypeID 1), but the data in these specific offsets looks wrong.

    **Help Request (Specific to Warmane/3.3.5a):**

    Given that the standard offsets `0x70`, `0x7C`, `0x88` look correct in theory, but fail in practice in Warmane:

    1. Does anyone have experience with the **specific** reading of these fields (enchantment/gem slots) in the 3.3.5a client connected to **Warmane**? Are there any known modifications or a different structure to these offsets in this environment?
    2. Could there be some extra **indirection** (e.g. `0x70` contains a pointer to the real ID)?
    3. Is there any **other reliable** way to get the Enchantment IDs of the equipped gems by reading the memory of the 3.3.5a (Warmane) client? Perhaps through another internal structure or function?

    I already have the mapping `Enchantment ID -> Resilience` ready. I just need to be able to read the correct memory ID. Any hint, validated offset for Warmane, or code snippet/pseudo-code demonstrating the correct reading would be greatly appreciated.

    Thanks!

  2. #2
    Makkah

    Hello,

    I was wondering where you obtained the values for ITEM_FIELD_ENCHANTMENT. I’ve been analyzing the MirrorInitialize function at 0x04F5720 in IDA, and I’ve dumped the descriptor offsets directly from there while the game is running.

    It’s also possible to write a tool to dump these descriptors live during runtime.

    Below are the offsets I retrieved for ItemFields:

    Code:
    enum ItemFields
    {
        ITEM_FIELD_OWNER                  = 0x0006,
        ITEM_FIELD_CONTAINED              = 0x0008,
        ITEM_FIELD_CREATOR                = 0x000A,
        ITEM_FIELD_GIFTCREATOR            = 0x000C,
        ITEM_FIELD_STACK_COUNT            = 0x000E,
        ITEM_FIELD_DURATION               = 0x000F,
        ITEM_FIELD_SPELL_CHARGES          = 0x0010,
        ITEM_FIELD_FLAGS                  = 0x0015,
        ITEM_FIELD_ENCHANTMENT_1_1        = 0x0016,
        ITEM_FIELD_ENCHANTMENT_1_3        = 0x0018,
        ITEM_FIELD_ENCHANTMENT_2_1        = 0x0019,
        ITEM_FIELD_ENCHANTMENT_2_3        = 0x001B,
        ITEM_FIELD_ENCHANTMENT_3_1        = 0x001C,
        ITEM_FIELD_ENCHANTMENT_3_3        = 0x001E,
        ITEM_FIELD_ENCHANTMENT_4_1        = 0x001F,
        ITEM_FIELD_ENCHANTMENT_4_3        = 0x0021,
        ITEM_FIELD_ENCHANTMENT_5_1        = 0x0022,
        ITEM_FIELD_ENCHANTMENT_5_3        = 0x0024,
        ITEM_FIELD_ENCHANTMENT_6_1        = 0x0025,
        ITEM_FIELD_ENCHANTMENT_6_3        = 0x0027,
        ITEM_FIELD_ENCHANTMENT_7_1        = 0x0028,
        ITEM_FIELD_ENCHANTMENT_7_3        = 0x002A,
        ITEM_FIELD_ENCHANTMENT_8_1        = 0x002B,
        ITEM_FIELD_ENCHANTMENT_8_3        = 0x002D,
        ITEM_FIELD_ENCHANTMENT_9_1        = 0x002E,
        ITEM_FIELD_ENCHANTMENT_9_3        = 0x0030,
        ITEM_FIELD_ENCHANTMENT_10_1       = 0x0031,
        ITEM_FIELD_ENCHANTMENT_10_3       = 0x0033,
        ITEM_FIELD_ENCHANTMENT_11_1       = 0x0034,
        ITEM_FIELD_ENCHANTMENT_11_3       = 0x0036,
        ITEM_FIELD_ENCHANTMENT_12_1       = 0x0037,
        ITEM_FIELD_ENCHANTMENT_12_3       = 0x0039,
        ITEM_FIELD_PROPERTY_SEED          = 0x003A,
        ITEM_FIELD_RANDOM_PROPERTIES_ID   = 0x003B,
        ITEM_FIELD_DURABILITY             = 0x003C,
        ITEM_FIELD_MAXDURABILITY          = 0x003D,
        ITEM_FIELD_CREATE_PLAYED_TIME     = 0x003E,
        ITEM_FIELD_PAD                    = 0x003F,
    
        ITEM_END                          = 0x0040
    };

  3. #3
    Fufavu

    Hi Makkah,

    Thanks a lot for taking the time to reply and for sharing the offsets you dumped from MirrorInitialize! That's really helpful.

    Looking at the ItemFields enum you provided, it seems these values (0x1C, 0x1F, 0x22 for enchantments 3, 4, and 5 respectively) are the field indices rather than direct byte offsets, right?

    If I multiply these indices by 4 (assuming 4 bytes per field/uint32), I get:
    Code:
    0x1C * 4 = 0x70
    0x1F * 4 = 0x7C
    0x22 * 4 = 0x88
    These resulting byte offsets (0x70, 0x7C, 0x88) are exactly the ones I've been trying based on other sources and previous discussions here. Your live dump confirms these seem to be the correct locations within the item descriptor structure.

    My core issue persists, though:
    When I read a uint32 from item_descriptor_ptr + 0x70 (or +0x7C, +0x88) in the live Warmane (3.3.5a build 12340) client memory, I'm not getting valid Enchantment IDs. Instead, I'm reading very large numbers (like 592xxxxxx) that don’t look like IDs.

    My process for getting the item_descriptor_ptr seems correct:

    Finding the item object via GUID in the Object Manager.

    Checking TypeID=1.

    Reading the descriptor pointer at offset 0x8 from the object base.

    This method works for reading other item properties, so the puzzle remains:
    Why would the correct byte offsets (0x70, 0x7C, 0x88), confirmed by your field indices, contain unexpected data specifically on the Warmane client?

    Do you (or does anyone else) have any insights into:
    🔹 Potential memory structure variations on Warmane?
    🔹 Another method for reliably reading equipped gem Enchantment IDs on this specific client build/server environment?


    I want to identify how much resilience the participants in the arena have, to identify the weakest, but I haven't been able to identify the gems yet.
    *************** Left Arena ***************
    14:37:15 [INFO] --- Last Session Summary ---
    14:37:15 [INFO] GUID: 0x0000000000000001, Status: Ally (Group), Class: Death Knight, Armor: 0, Resil: 195
    14:37:15 [INFO] GUID: 0x0000000000000002, Status: Ally (Group), Class: Priest, Armor: 0, Resil: 492
    14:37:15 [INFO] GUID: 0x0000000000000003, Status: Opponent, Class: Paladin, Armor: 0, Resil: 509
    14:37:15 [INFO] GUID: 0x0000000000000004, Status: Opponent, Class: Hunter, Armor: 0, Resil: 914
    14:37:15 [INFO] GUID: 0x0000000000000005, Status: Self, Class: Warrior, Armor: 20587, Resil: 343
    14:37:15 [INFO] GUID: 0x0000000000000006, Status: Opponent, Class: Rogue, Armor: 0, Resil: 513

    Thanks again for confirming the field indices!
    Last edited by Fufavu; 05-05-2025 at 01:16 PM.
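
Added example, not part of any post in this thread: the index-to-byte-offset relation discussed in posts #2 and #3, applied to an excerpt of the dumped enum and checked against a constructed descriptor buffer. The helper names, the dummy enchantment IDs and the (id, duration, charges) naming of a slot's three fields are assumptions; the code works only on the in-memory sample it builds itself.

```python
import re
import struct

FIELD_SIZE = 4  # one descriptor field = one uint32, as assumed in post #3

# Excerpt of the ItemFields dump from post #2; the values are field indices.
ENUM_EXCERPT = """
    ITEM_FIELD_ENCHANTMENT_1_1        = 0x0016,
    ITEM_FIELD_ENCHANTMENT_1_3        = 0x0018,
    ITEM_FIELD_ENCHANTMENT_2_1        = 0x0019,
    ITEM_FIELD_ENCHANTMENT_3_1        = 0x001C,
    ITEM_FIELD_ENCHANTMENT_4_1        = 0x001F,
    ITEM_FIELD_ENCHANTMENT_5_1        = 0x0022,
    ITEM_END                          = 0x0040
"""

def parse_enum(text):
    """Return {name: field_index} for every 'NAME = 0x....' line."""
    pairs = re.findall(r"(\w+)\s*=\s*0x([0-9A-Fa-f]+)", text)
    return {name: int(value, 16) for name, value in pairs}

def byte_offsets(fields):
    """Convert field indices to byte offsets into the descriptor."""
    return {name: index * FIELD_SIZE for name, index in fields.items()}

def decode_slot(descriptor, fields, slot):
    """Read the three uint32 fields of one enchantment slot (1-based).
    Calling them (id, duration, charges) is an assumption; the dump itself
    only shows that consecutive slots are three fields apart."""
    start = fields[f"ITEM_FIELD_ENCHANTMENT_{slot}_1"] * FIELD_SIZE
    if start + 3 * FIELD_SIZE > len(descriptor):
        raise ValueError("descriptor buffer too short for this slot")
    return struct.unpack_from("<3I", descriptor, start)

def build_sample_descriptor(fields):
    """Constructed buffer of ITEM_END fields; slots 3-5 get dummy IDs."""
    buf = bytearray(fields["ITEM_END"] * FIELD_SIZE)
    for slot, dummy_id in ((3, 1111), (4, 2222), (5, 3333)):
        off = fields[f"ITEM_FIELD_ENCHANTMENT_{slot}_1"] * FIELD_SIZE
        struct.pack_into("<I", buf, off, dummy_id)
    return bytes(buf)

FIELDS = parse_enum(ENUM_EXCERPT)
OFFSETS = byte_offsets(FIELDS)
SAMPLE = build_sample_descriptor(FIELDS)

if __name__ == "__main__":
    for slot in (3, 4, 5):
        name = f"ITEM_FIELD_ENCHANTMENT_{slot}_1"
        print(f"{name}: +0x{OFFSETS[name]:02X} -> {decode_slot(SAMPLE, FIELDS, slot)}")
```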
