-
WowClassic 1.15.7.60249 Offsets
Code:
# pointers
object_manager = 0x376D0F8
player_guid = 0x3782C10
mouseover_guid = 0x389CA48
zone_text = 0x389BCA8
subzone_text = zone_text + 0x8
minimap_zone_text = subzone_text + 0x8
player_target_guid = 0x35651B8
last_target_guid = player_target_guid + 0x10
camera_manager = 0x377AF50
# offsets updated
camera = 0x478 # 1.15.6 was 0x3A58
player_field_inventory = 0x15F98 # 1.15.6 was 0x138F0
unit_field_channel_spell = 0x790
unit_field_channel_start = 0x798
unit_field_channel_end = unit_field_channel_start + 0x4
# I'm guessing unit_field_cast_spell and the relevant timestamps changed too, but I'm not using them right now
Looks like, fortunately, nothing big changed with the object manager/entity builder, but I'm not sure since I have only minimally tested these.
Something important though: I tried to reach out to @namreeb via DM but vBulletin would not allow it. Not sure why, since I've had plenty of DMs on this account.
Anyway, dumpwow seems to be working fine in Windows 10 still, but running it in Windows 11 results in:
Wow base address: 0x7ff748bf0000
TLS callback directory: 0x7ff74b7a1518
First TLS callback: 0x7ff748bf4d70
Wow exited with code: 0xc0000005
Failed to read [...]log.txt
Tried running an elevated command prompt and that didn't fix the issue. Not sure what's going on here, but in the event that it's relevant to Blizzard making Windows 11-only changes to their anti-debugging measures I figured it was worth sharing here. I don't know my GitHub login and don't have time to mess with it or WoW really right now.
Thanks to everyone who contributes here, esp. namreeb.
-
Originally Posted by dreadcraft: (offset list and dumpwow output quoted above)
I haven't seen dumping issues with mine: GitHub - scizzydo/memdump: Windows x64 PE process memory dumper to disk
-
-
I'm not sure why you couldn't DM me. In the case of dumpwow, the commits I made recently should fix that. The issue was with hadesmem relying on TLS which was not available at the time a function hook was being called. But that function hook was not critical to the export, so I've disabled it.
The import obfuscation has been updated and I haven't looked at that yet, so I wouldn't expect that to work.
-
-
Has anyone found UnitExists and so on with the Classic build? I was searching for it but it seems like it's strongly obfuscated.
-
UnitExists:
Code:
// IDA decompiler output for the Lua C function behind UnitExists (as posted).
v2 = lua_tolstring(a1, 1i64, 0i64);           // unit token string from Lua argument 1
sub_142231120(&v29, v2, 0i64);                // v29/v30 are filled from the token
v3 = sub_1402D4280();
v4 = sub_1416D8760(
    &v29,
    (unsigned int)v3,
    "D:\\BuildServer\\A\\work-git\\wow\\Classic\\Source\\UIUtil\\ScriptEvents.cpp",
    218i64);                                  // source file/line passed through from the build
v5 = sub_141E40B90();
v7 = 0;
if ( v29 || v30 )
{
  if ( (v6 = (_QWORD *)sub_141BE3CE0(), *v6 == v29) && v6[1] == v30
    || v4 && (*(unsigned int (__fastcall **)(_QWORD))(**(_QWORD **)(v4 + 48) + 80i64))(*(_QWORD *)(v4 + 48))
    || v5 && (sub_141E40890(v5, &v29, 0i64) || (unsigned __int8)sub_141E416C0(v5, &v29)) )
  {
    v7 = 1;
  }
}
lua_pushboolean(a1, v7);                      // result: true if the unit exists
-
Originally Posted by namreeb: (quoted above)
Just posted version 0.4 which fixes a lot of the import reconstruction and TLS callback issues: Release 0.4 · namreeb/dumpwow · GitHub
-
-
Originally Posted by namreeb:
Wow, you rule man! I'm excited to take a look at this when I get home. Thank you again.
-
Someone asked if I had a copy of 60249 so I uploaded it to mega.nz:
https://mega.nz/file/8NtgUTha#igEGG0...oQgtBuc-U-2qas
@scimmy
-
-
[Screenshot-2025-05-05-213824.png]
Your dump didn't handle the TLS; I highly recommend using @scizzydo's PE dumper, it's as easy as dragging and dropping your wow.exe onto memdump.exe.
Last edited by Makkah; 05-05-2025 at 11:48 PM.
-
Originally Posted by Makkah:
I think namreeb's dumper should handle all this too?
-
I believe it does, but I have not tried it. I'll post my IDA db file for 1.15.7.60277 once I finish cleaning it up. Currently writing a Python script to fix the args in functions automatically.
-
-
Originally Posted by Makkah: (quoted above)
Looking forward to this, you seem to have put a lot of time and effort into the work.
-
Hey all, sorry, regarding the TLS being bad: I don't have the original packed executable anymore. So if you're not able to fix it, I'm certainly not able to.
Makkah, your python script to fix function args sounds really exciting. Would love to hear more.