WoW v3.0.2 Information

Page 7 of 11
Results 91 to 105 of 155
  1. #91
    ostapus (Active Member)
    A little contribution from me (in the hope that this is new stuff). For movement to given coords I am using the following code (pretty clear imo, as of 3.0.2):

    local __ptrCoords = 0x011F1068     -- destination x, y, z are written here
    local __ptrGoCommand = 0x011F0FF4  -- writing 4 here starts the movement

    function _run2Coords(x, y, z)
        _writeDouble(__ptrCoords, x)
        _writeDouble(__ptrCoords + 4, y)
        _writeDouble(__ptrCoords + 8, z)
        _writeDword(__ptrGoCommand, 4) -- /script _writeDword(0x00D689BC, 4)
    end

    The player will run to the coords, ignoring other objects.

  2. #92
    lanman92 (Active Member)
    I've never seen code like that before. It seems to be in AutoIt or VB, yet it looks in-process?

  3. #93
    mordok (Member)

    To the supreme ASM gods...Dear ASM gods,

    Here is a noob question for you guys. I managed to make a small app that uses g_clientConnection, s_curMgr, etc. But I'm currently leeching all the values from Cypher's dumps and other resources, e.g.:
    Code:
    Current Offsets and Addresses (3.0.3):
    clientConnection = 0x011CA260 (Address)
    mgrOffset = 0x2864
    firstObjectOffset = 0xAC
    nextObjectOffset = 0x3C
    playerGUIDOffset = 0xC0
    objectGUIDOffset = 0x30
    So I'm trying to stop leeching by debugging them myself (a thing I know nearly nothing about).

    Anyway... I'm currently trying stuff with IDA Pro, CE and Olly. SO HERE IS THE INFAMOUS QUESTION. How do you find g_clientConnection? Where do the names g_clientConnection and s_curMgr come from? I spotted TslIndex; are they related? Where shall I look for those values? How can I find structs for mobs and players myself? How do you do your dumps?

    Any help/advice/links related to this would be just g8.


    -----------------------------------------------------------------------------
    P.D. Chyper...if(WanToHelpMe){}else{dont reply me.:shutit:}

  4. #94
    lanman92 (Active Member)
    I have no clue where you get the offset for the first obj from s_curMgr, but I know that if you do a text search for ObjectManager or something along those lines, you will find the function for the, well, object manager. In this function it shows you the g_clientConnection and s_curMgr offset.

    EDIT: There is a definition of the UNIT_... class in the .rdata section. Search for "UNIT_FIELD_" and it shows all of the parts, the pointer to nextObj is in there I believe.

  5. #95
    mordok (Member)
    Thanks, like always, lanman92. Wow, now it all makes sense. I'll +rep you next time I +rep someone, because right now I can't.

    lanman92, do you remember when you gave me this offset to find HP?

    MemoryRead (Playerbase+0x0 and to that add (0x17*4) and read again
    Where is that 0x08 taken from?

    Can it be that the 0x08 was taken from here?
    Code:
    push    offset aUsageUnithealt ; "Usage: UnitHealth(\"unit\")"
    push    ebx
    call    sub_7AEEE0
    add     esp, 8
    xor     eax, eax
    pop     ebx
    mov     esp, ebp
    pop     ebp
    retn
    I assume that the 4 in +(0x17*4) is due to the value type (4 bytes) and UNIT_FIELD_HEALTH = 0x17. Not sure how he got it though ???
    BTW, in order to get offsets with IDA, can I do it in a CE fashion, like mark what writes to that exact address, and maybe then run the process or attach to the process, and later check the movements, e.g. esi+0x44, to get the offset? Breakpoints, would they do the same? Whenever I do a run process it gives an access violation error and the screen goes black like it is trying to launch wow.exe.

    So all this can just be said in one question: how do you find offsets for e.g. the UNIT_... with IDA?
    Last edited by mordok; 11-26-2008 at 12:34 AM.

  6. #96
    apollo0510 (Active Member)
    Originally Posted by mordok:
    Thanks, like always, lanman92. Wow, now it all makes sense. I'll +rep you next time I +rep someone, because right now I can't.

    lanman92, do you remember when you gave me this offset to find HP?

    MemoryRead (Playerbase+0x0 and to that add (0x17*4) and read again
    Where is that 0x08 taken from?

    Can it be that the 0x08 was taken from here?
    Code:
    push    offset aUsageUnithealt ; "Usage: UnitHealth(\"unit\")"
    push    ebx
    call    sub_7AEEE0
    add     esp, 8
    xor     eax, eax
    pop     ebx
    mov     esp, ebp
    pop     ebp
    retn
    I assume that the 4 in +(0x17*4) is due to the value type (4 bytes) and UNIT_FIELD_HEALTH = 0x17. Not sure how he got it though ???
    BTW, in order to get offsets with IDA, can I do it in a CE fashion, like mark what writes to that exact address, and maybe then run the process or attach to the process, and later check the movements, e.g. esi+0x44, to get the offset? Breakpoints, would they do the same? Whenever I do a run process it gives an access violation error and the screen goes black like it is trying to launch wow.exe.

    So all this can just be said in one question: how do you find offsets for e.g. the UNIT_... with IDA?
    Hi mordok,

    Your code simply shows the typical stack correction after a function call with 8 bytes of parameters on the stack for that function (C-style function call).

    No, that 8-byte offset comes from this:

    Code:
    class PLAYER_STRUCT
    {
    public:
        // ... some virtual functions, creating a vtable at offset 0
        int value1;                   // at +4
        PLAYER_STORAGE* m_pStorage;   // at +8    <---- here you go. player storage contains the interesting values.
        // ....
    };
    Greetings

    Apollo
    Last edited by apollo0510; 11-26-2008 at 08:20 AM.
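    As an added example (not code from the thread or from any of its posters), the layout apollo describes, worked through in C: a raw byte image is parsed as little-endian 32-bit values, the storage pointer is read at +8, and a field is then read at storage + index*4 using the UNIT_FIELD_HEALTH index 0x17 quoted earlier in the thread. The image, the object and storage placement, the fake vtable address and the field values are all constructed for the demo. The last function shows the caveat a practitioner should keep in mind: declaring the same three members as a host struct puts m_pStorage at +8 only when pointers are 4 bytes, so the post's offsets are specific to the 32-bit client and must not be "rediscovered" with sizeof on a 64-bit machine.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout from the post (32-bit client): vtable at +0, int at +4, storage pointer at +8. */
enum { OBJ_VTABLE = 0x0, OBJ_VALUE1 = 0x4, OBJ_STORAGE_PTR = 0x8 };
/* Descriptor index quoted in the thread; each storage slot is 4 bytes, so byte offset = index * 4. */
enum { UNIT_FIELD_HEALTH = 0x17 };

/* Constructed "address space": a flat byte image in which addresses are offsets into the image.
   Where the object and its storage block sit is arbitrary (assumed for the demo). */
#define IMG_SIZE        0x200
#define DEMO_OBJ_ADDR   0x10u
#define DEMO_STORE_ADDR 0x40u
#define DEMO_HEALTH     1234u
#define DEMO_VALUE1     7u

static uint32_t rd32(const uint8_t *img, uint32_t off) {
    /* Explicit little-endian decode: independent of host endianness and pointer size. */
    return (uint32_t)img[off] | ((uint32_t)img[off + 1] << 8)
         | ((uint32_t)img[off + 2] << 16) | ((uint32_t)img[off + 3] << 24);
}

static void wr32(uint8_t *img, uint32_t off, uint32_t v) {
    img[off] = (uint8_t)v;             img[off + 1] = (uint8_t)(v >> 8);
    img[off + 2] = (uint8_t)(v >> 16); img[off + 3] = (uint8_t)(v >> 24);
}

/* Byte offset of a descriptor field inside the storage block (the "index*4" from the thread). */
uint32_t field_byte_offset(uint32_t field_index) { return field_index * 4; }

/* Follow object -> storage pointer -> slot: the two-step read the thread discusses. */
uint32_t read_field(const uint8_t *img, uint32_t obj_addr, uint32_t field_index) {
    uint32_t storage = rd32(img, obj_addr + OBJ_STORAGE_PTR);
    return rd32(img, storage + field_byte_offset(field_index));
}

/* Build the constructed image: fake vtable address, value1, storage pointer and one populated slot. */
void build_demo_image(uint8_t *img) {
    memset(img, 0, IMG_SIZE);
    wr32(img, DEMO_OBJ_ADDR + OBJ_VTABLE, 0x00401000u);   /* constructed vtable address */
    wr32(img, DEMO_OBJ_ADDR + OBJ_VALUE1, DEMO_VALUE1);
    wr32(img, DEMO_OBJ_ADDR + OBJ_STORAGE_PTR, DEMO_STORE_ADDR);
    wr32(img, DEMO_STORE_ADDR + field_byte_offset(UNIT_FIELD_HEALTH), DEMO_HEALTH);
}

uint32_t demo_read_health(void) {
    uint8_t img[IMG_SIZE];
    build_demo_image(img);
    return read_field(img, DEMO_OBJ_ADDR, UNIT_FIELD_HEALTH);
}

/* The same three members as a host struct. With 8-byte pointers the int is padded and the
   storage pointer lands at +16, not +8: the post's offsets only hold for the 32-bit client. */
struct host_player_struct { void **vtable; int value1; void *m_pStorage; };

size_t host_storage_ptr_offset(void) { return offsetof(struct host_player_struct, m_pStorage); }

int main(void) {
    printf("UNIT_FIELD_HEALTH byte offset: 0x%X\n", field_byte_offset(UNIT_FIELD_HEALTH));
    printf("health read through the storage pointer: %u\n", demo_read_health());
    printf("m_pStorage offset in a host struct on this machine: %zu\n", host_storage_ptr_offset());
    return 0;
}
```

    Parsing the image byte-wise is what makes the offsets from the post usable from any host; the printed host offset is 8 on a 32-bit build and 16 on a 64-bit one, which is exactly the mismatch that breaks naive struct casts.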

  7. #97
    ostapus (Active Member)
    Originally Posted by lanman92:
    I've never seen code like that before. It seems to be in AutoIt or VB, yet it looks in-process?
    The code is in Lua :-)

  8. #98
    apollo0510 (Active Member)
    Originally Posted by ostapus:
    The code is in Lua :-)
    Hi Ostapus!

    Just curious, what is your method of adding your C functions into the Lua environment? You obviously add _writeDouble? (Mine is to manipulate the value of an existing dummy C-function Lua object.)

    Greetings

    Apollo

  9. #99
    ostapus (Active Member)
    Originally Posted by apollo0510:
    Hi Ostapus!

    Just curious, what is your method of adding your C functions into the Lua environment? You obviously add _writeDouble? (Mine is to manipulate the value of an existing dummy C-function Lua object.)

    Greetings

    Apollo
    Apollo,

    you can register "your" C function through pushcclosure (offset 0x007ACAF0 for 3.0.2) and later call it in-proc (from a regular WoW addon).

  10. #100
    ostapus (Active Member)
    Apollo, for a slightly better demonstration:

    I've registered just one C function and later call it with a different first parameter:

    function __proxy(op, ...)
        if ( type(__uber_pupper_registered_function) == "function") then -- injection done, safe to call
            return __uber_pupper_registered_function(op, ...)
        end
        return nil
    end

    -- Wrappers for the uber puper function; the first argument selects the operation
    function _readInteger(addr)
        if ( not addr or addr == 0 ) then return nil end
        return __proxy(1, addr)
    end

    function _readDouble(addr)
        if ( not addr or addr == 0 ) then return nil end
        return __proxy(2, addr)
    end

    function _readShort(addr)
        if ( not addr or addr == 0 ) then return nil end
        return __proxy(3, addr)
    end

    function _readDword(addr)
        if ( not addr or addr == 0 ) then return nil end
        return __proxy(4, addr)
    end

    local function _getObjectManager()
        return __proxy(6)
    end

  11. #101
    mordok (Member)
    Thanks apollo0510 (+rep). Now I'm just missing how you debug the 0x17 (value of Functiom_HEALTH) with any tool (IDA, CE, OLLY). Any help on this would be AWESOME!

  12. #102
    GordonGekko (Member)
    Hey dudes,
    just a question in regard to drops/loot objects. From the tables I tried to figure out which address stores the group member who is allowed to take a loot. Can you maybe help me with that?



    Cheers
    D

    PS: Very nice cypher. Thx a lot for your work! REP +3 from me..

  13. #103
    apollo0510 (Active Member)
    Originally Posted by mordok:
    Thanks apollo0510 (+rep). Now I'm just missing how you debug the 0x17 (value of Functiom_HEALTH) with any tool (IDA, CE, OLLY). Any help on this would be AWESOME!
    My method is straightforward:

    If I am searching for something like MANA, I am constantly monitoring all values in the PLAYER_STORAGE structure. This structure contains either integer or float values (each 4 bytes, that's why all offsets into it are written like index*4).

    I am reporting only changes.

    Then I change something ingame, like casting a spell that takes mana away.
    It is very easy then to tell which of the changing fields is the mana.

    Greetings
    Apollo
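    apollo's differential method, as an added example written for this page in C (it is not apollo's own tool): two snapshots of the 4-byte-slot storage block are diffed, and an extra idle round (no in-game action) is used to discard slots that change on their own, such as timers, which is the main source of false positives with this approach. The block size, the slot values and the choice of a "timer" slot are constructed for the demo; slot 0x17 is used because the thread quotes UNIT_FIELD_HEALTH = 0x17.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 64   /* constructed size of the storage block; 4 bytes per slot as described in the post */

typedef struct { uint32_t slot[SLOTS]; } snapshot_t;

/* Report the indices whose 4-byte value differs between two snapshots. Returns the count. */
int diff_snapshots(const snapshot_t *before, const snapshot_t *after, int *changed, int max) {
    int n = 0;
    for (int i = 0; i < SLOTS && n < max; i++)
        if (before->slot[i] != after->slot[i]) changed[n++] = i;
    return n;
}

/* Slots that changed across the action, minus slots that also changed while idle (noise). */
int candidate_fields(const snapshot_t *act_before, const snapshot_t *act_after,
                     const snapshot_t *idle_before, const snapshot_t *idle_after,
                     int *out, int max) {
    int act[SLOTS], idle[SLOTS];
    int na = diff_snapshots(act_before, act_after, act, SLOTS);
    int ni = diff_snapshots(idle_before, idle_after, idle, SLOTS);
    int n = 0;
    for (int i = 0; i < na && n < max; i++) {
        int noisy = 0;
        for (int j = 0; j < ni; j++) if (idle[j] == act[i]) { noisy = 1; break; }
        if (!noisy) out[n++] = act[i];
    }
    return n;
}

/* Constructed scenario: slot 3 is a timer that ticks regardless; slot 0x17 drops only when the action happens. */
enum { DEMO_TIMER_SLOT = 3, DEMO_HEALTH_SLOT = 0x17 };

static void fill_base(snapshot_t *s) {
    for (int i = 0; i < SLOTS; i++) s->slot[i] = 0x1000u + (uint32_t)i;   /* arbitrary stable values */
    s->slot[DEMO_HEALTH_SLOT] = 1500;
}

/* Runs the idle round and the action round; writes candidate indices to out and returns their count. */
int demo_find_health_slot(int *out, int max) {
    snapshot_t idle_b, idle_a, act_b, act_a;
    fill_base(&idle_b); idle_a = idle_b; idle_a.slot[DEMO_TIMER_SLOT] += 1;   /* idle: only the timer moves */
    fill_base(&act_b);  act_a = act_b;   act_a.slot[DEMO_TIMER_SLOT] += 1;
    act_a.slot[DEMO_HEALTH_SLOT] = 1350;                                       /* action: health drops too */
    return candidate_fields(&act_b, &act_a, &idle_b, &idle_a, out, max);
}

int demo_candidate_count(void) { int out[SLOTS]; return demo_find_health_slot(out, SLOTS); }

int demo_first_candidate(void) {
    int out[SLOTS];
    int n = demo_find_health_slot(out, SLOTS);
    return n > 0 ? out[0] : -1;
}

int main(void) {
    int found[SLOTS];
    int n = demo_find_health_slot(found, SLOTS);
    for (int i = 0; i < n; i++)
        printf("candidate slot index 0x%02X (byte offset 0x%X)\n", found[i], found[i] * 4);
    return 0;
}
```

    Without the idle round the timer slot would be reported alongside the health slot; in practice several action rounds and several idle rounds are intersected the same way until one index remains.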

  14. #104
    mordok (Member)
    Damn clever, apollo. THANKU SOOOO MUX <3 U, I was really lost trying to do complex stuff when I should do it like u, the easy way.

  15. #105
    Cypher (Kynox's Sister's Pimp)
    Originally Posted by apollo0510:
    My method is straightforward:

    If I am searching for something like MANA, I am constantly monitoring all values in the PLAYER_STORAGE structure. This structure contains either integer or float values (each 4 bytes, that's why all offsets into it are written like index*4).

    I am reporting only changes.

    Then I change something ingame, like casting a spell that takes mana away.
    It is very easy then to tell which of the changing fields is the mana.

    Greetings
    Apollo

    Nooooo. That's a terrible way to do it.

    All the descriptors are stored in the client!

    You can dump them out of the client in an automated fashion quite trivially. Just search for one of the strings I posted, trace it back to the function that references it, and you'll see.
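    lanman92's earlier suggestion (search .rdata for "UNIT_FIELD_") and Cypher's reply point at the same fact: the descriptor names are plain NUL-terminated strings inside the client. As an added example, not code from the thread, here is a small scanner in C that walks a byte blob and returns the offset of every NUL-terminated string starting with a given prefix, which is the first step before tracing a string's references back to the function that uses it. The blob is constructed: apart from UNIT_FIELD_HEALTH and the UnitHealth usage string quoted in the thread, the names in it are made up, and a trailing unterminated fragment exercises the bounds check.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Find every NUL-terminated string in blob[0..len) that starts with prefix.
   Writes each string's start offset to out[]; returns how many were found (capped at max).
   A run of bytes that reaches the end of the blob without a NUL is not reported. */
size_t scan_prefixed_strings(const unsigned char *blob, size_t len, const char *prefix,
                             size_t *out, size_t max) {
    size_t plen = strlen(prefix), n = 0, i = 0;
    while (i < len) {
        if (blob[i] == 0) { i++; continue; }             /* skip padding / terminators */
        size_t start = i;
        while (i < len && blob[i] != 0) i++;             /* run of non-NUL bytes */
        if (i == len) break;                             /* unterminated tail: ignore */
        size_t slen = i - start;
        if (slen >= plen && memcmp(blob + start, prefix, plen) == 0 && n < max) out[n++] = start;
        i++;                                             /* step over the terminator */
    }
    return n;
}

/* Constructed stand-in for a slice of .rdata: a few strings with padding between them.
   The UNIT_FIELD_EXAMPLE_* and OBJECT_FIELD_EXAMPLE names are made up for the demo. */
static const unsigned char demo_rdata[] =
    "Usage: UnitHealth(\"unit\")\0"
    "\0\0"
    "UNIT_FIELD_HEALTH\0"
    "OBJECT_FIELD_EXAMPLE\0"
    "UNIT_FIELD_EXAMPLE_A\0"
    "\0\0\0"
    "UNIT_FIELD_EXAMPLE_B\0"
    "UNIT_FIELD_TRUNC";   /* no terminator before the end of the blob: must not be reported */

/* sizeof includes the literal's implicit final NUL; drop it so the last fragment stays unterminated. */
#define DEMO_RDATA_LEN (sizeof demo_rdata - 1)

size_t demo_count(void) {
    size_t hits[16];
    return scan_prefixed_strings(demo_rdata, DEMO_RDATA_LEN, "UNIT_FIELD_", hits, 16);
}

size_t demo_first_offset(void) {
    size_t hits[16];
    size_t n = scan_prefixed_strings(demo_rdata, DEMO_RDATA_LEN, "UNIT_FIELD_", hits, 16);
    return n ? hits[0] : (size_t)-1;
}

const char *demo_first_name(void) {
    size_t off = demo_first_offset();
    return off == (size_t)-1 ? "" : (const char *)demo_rdata + off;
}

int main(void) {
    size_t hits[16];
    size_t n = scan_prefixed_strings(demo_rdata, DEMO_RDATA_LEN, "UNIT_FIELD_", hits, 16);
    for (size_t k = 0; k < n; k++)
        printf("+0x%04zx  %s\n", hits[k], (const char *)demo_rdata + hits[k]);
    return 0;
}
```

    The scanner only finds the names; the order in which they appear in the blob is not necessarily the descriptor index, which is why the thread's advice is to follow each string's cross-references to the function that builds the table rather than to count strings.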
