3.0.2 Addresses

[Zombie911]

I found some structured array at offset 0xC98 from entity base.
From offset i read integer and get number of elements in array.
One element look like:

Code:

struct AURA_ELEMENT
{
	__int64 GUID;			/* I think that GUID of aura caster */
	unsigned int id;			/* ID of aura */
	unsigned int unknown[2];	/* ???? */
};

And read so much how many elements in the array

Code:

unsigned int aura_total = read<unsigned int>( unit_base + 0xC98 );

AURA_ELEMENT * auras = new AURA_ELEMENT[ aura_total ];
for( int i = 0; i < aura_total; i++ )
{
	auras[i] = read<AURA_ELEMENT>( unit_base + 0xC98 + sizeof(unsigned int) + ( sizeof(AURA_ELEMENT) * i ) );
}

That is my method for reading unit aura data.
But i WARN! This method not stable. Sometimes these data freezes, I do not know why this is happening

[Dearleader]

i know.. btw. to get curObj and localGUID
the offsets seems to have changed i used to be able to get them with theese:

Code:

localGUID = Memory.ReadUInt64(hProcess, (ObjectManager.s_curMgr + 0xC0));
curObj = Memory.ReadUInt(hProcess, (ObjectManager.s_curMgr + 0xAC));

did it change? :yuck:

Neither have changed.

You were right about them not changing in 3.0.2 but I just hopped on the WoTLK beta & the offset to get to curObj has indeed changed there.

Localguid is still curmgr+c0 but curObj +AC returns invalid ptr perhaps they changed location in list, idk /shrug.

[kynox]

You were right about them not changing in 3.0.2 but I just hopped on the WoTLK beta & the offset to get to curObj has indeed changed there.

Localguid is still curmgr+c0 but curObj +AC returns invalid ptr perhaps they changed location in list, idk /shrug.

It hasn't changed, it's still 0xAC.

[Cypher]

Last beta build I checked it hasn't changed. Please post the latest build and I'll double check.

[Shynd]

I found some structured array at offset 0xC98 from entity base.
From offset i read integer and get number of elements in array.
One element look like:

Code:

struct AURA_ELEMENT
{
	__int64 GUID;			/* I think that GUID of aura caster */
	unsigned int id;			/* ID of aura */
	unsigned int unknown[2];	/* ???? */
};

And read so much how many elements in the array

Code:

unsigned int aura_total = read<unsigned int>( unit_base + 0xC98 );

AURA_ELEMENT * auras = new AURA_ELEMENT[ aura_total ];
for( int i = 0; i < aura_total; i++ )
{
	auras[i] = read<AURA_ELEMENT>( unit_base + 0xC98 + sizeof(unsigned int) + ( sizeof(AURA_ELEMENT) * i ) );
}

That is my method for reading unit aura data.
But i WARN! This method not stable. Sometimes these data freezes, I do not know why this is happening

unit_base + 0xC98 == total possible auras
You then need to loop through each one and check that aura_base + 0x08 (or the Id in your struct) is > 0 before continuing. If it's <= 0, then that aura has been removed.

Also, this is the struct with a few of your unknowns filled in:

Code:

struct AURA_ELEMENT
{
    __int64 GUID;
    DWORD ID;
    BYTE bUnknown[4];
    DWORD dwDuration;
    DWORD dwTimeStamp;
};

There's a few other things that need to be checked (differs between player and unit), but I'm tired and I don't feel like reversing any more tonight.

I'd bet part of bUnknown tells whether it's a buff or debuff, but I didn't look. Also looks like only the first three bytes of bUnknown are used, too. Why that is, I have no idea. Also, dwDuration is the number of milliseconds a buff lasts. Like, for a 30 minute buff, it'd be 1800000. dwTimeStamp is the tick count when the buff was cast; dwTimeLeft = dwDuration - (GetTickCount() - dwTimeStamp).

[Zombie911]

Thank you for Shynd addition, I want to make a follow-up, too

Code:

struct AURA_ELEMENT
{
    __int64 GUID;
    DWORD ID;
    BYTE bUnknown0;
    BYTE bCasrerLevel; <---- NEW
    BYTE bUnknown1;
    BYTE bUnknown2;
    DWORD dwDuration;
    DWORD dwTimeStamp;
};

I said something like that, for unknown reasons, these data are frozen (ie after death).
I think that the whole array from offset 0xC9C, is a history of auras that once were ar unit.

I also found another offset at 0xE2C. Very similar to previous thread, but differend by structure of elements. These are not frozen and behave correctly after death. It array of auras currently applied to unit.

entity_base + 0xE2C = total possible auras
And one element structure:

Code:

struct AURA_ELEMENT
{
      DWORD unknown;     /* I think it is TYPE of aura */
                                     /*(Aura, Buff, Debuff, Curse, Poison) */
                                     /* We need to clarify */

      DWORD ID;               /* Aura ID */
};

First element start at: 0xE30

[natt_]

im still a bit confused how to read the offsets from the struct with the playerBase

$lvl1Pointer = _MemoryRead(0x0127BFFC,$WH, "ptr")
$lvl2Pointer = _MemoryRead(($lvl1Pointer+0x30),$WH, "ptr")
$PlayerBase = _MemoryRead(($lvl2Pointer+0x2,$WH, "ptr")

and i tried $Playerbase+Offset but still false result, my auto-it skills with Nomad is fair. also i tried

$Playerbase in hex() and read it again with the offset, but still false result.

anyone?

[snowboom]

player_base + 0xA48 // player attacking check.
player_base + 0xA94 // player casting check.

[Dearleader]

Last beta build I checked it hasn't changed. Please post the latest build and I'll double check.

I'm pretty sure the first_obj_ptr offset has changed ( was $s_curMgr + 0xAC). the offset for s_CurMgr has changed as well. I believe it's now Client_Connection + 2864h
And Client Connection is: 0x01224838


Of course, I'm not 100% sure about this, but those are just the values I got when working with olly, I would appreciate it if anyone can confirm my finding.


BTW, here's the latest WoW beta build: RapidShare: Easy Filehosting

[Nesox]

it hasn't changed my object dumper works perfectley and i use the offset for first object, 0xAC and the offset for s_curMgr that is 0x285C so u are prolly doing something wrong. Assuming its for 3.0.2 9056

[Dearleader]

it hasn't changed my object dumper works perfectley and i use the offset for first object, 0xAC and the offset for s_curMgr that is 0x285C so u are prolly doing something wrong. Assuming its for 3.0.2 9056

Sir, we are talking about 3.0.3 9138 (WoW: Wrath of the Lich King BETA)

[Nesox]

Sir, we are talking about 3.0.3 9138 (WoW: Wrath of the Lich King BETA)

Ok, My bad

[Xarg0]

im still a bit confused how to read the offsets from the struct with the playerBase

$lvl1Pointer = _MemoryRead(0x0127BFFC,$WH, "ptr")
$lvl2Pointer = _MemoryRead(($lvl1Pointer+0x30),$WH, "ptr")
$PlayerBase = _MemoryRead(($lvl2Pointer+0x2,$WH, "ptr")

and i tried $Playerbase+Offset but still false result, my auto-it skills with Nomad is fair. also i tried

$Playerbase in hex() and read it again with the offset, but still false result.

anyone?

Well, first you should check if your lvl1pointer is valid, I don't know what memoryreading UDF you're using but if it's NomandMemory your calling _MemoryRead() wrong, the first argument is the process handle(not the window handle obtained by FindWindow()!!!), the second argument is the adress to read from and the last one is a string that specifices the data type to read.
To open a valid process handle you'll need to enable SeDebugPrivilege.

Once you've got the $PlayerBase you can read values out of the player struct like this

Code:

 $xCoord=_MemoryRead($processhandle, $PlayerBase+0x7D4, "float")

I'm not shure if the x offset is correct cause I wrote it from memory :-)

[UnknOwned]

Code:

VARindex =
0x009BBF8C +
0x2F0 +
0x14 +
0x48 +
0x14 +

[Dearleader]

Spent more time on this today & confirmed what I thought.

Code:

@dump_0047cdf5:

        mov ecx,ClientConnection
        mov dword ptr ds:[ecx+02864h],eax
        mov edx,ClientConnection
        push edx
        mov dword ptr ds:[esi+8],eax
        call @dump_00477DE0                 
        call @dump_0047CCC0                 
        push edi
        call @dump_00477D80                 
        add esp,8
        pop edi
        pop esi
        pop ebp
        retn                                 ;<= Procedure End

In the upcoming patch 3.0.3, g_ConnectionMgr has changed to 2864h.

I need to find out what the offset for the first_obj_ptr is since that's changed aswell.
latest WoW beta build: Wrath_of_the_lichking_3.03