WoW v3.0.2 Information

[Cypher]

Can anyone help me out wwith using injection to parse an LUA string.

I have allocated some memory and written a string to it.

I have then allocate some memory and written code to it to call the

0x0077CDD0 -> CGameLua__Dostring

But i'm getting access violations.

Code I have tried:

Code:

mov EDX, [0x011CA260]
mov EDX, [EDX+0x2864]
FS mov EAX, [0x2C]
mov EAX, [EAX]
add EAX, 8
mov [EAX], edx
push {0}
call 0x0077CDD0         
retn

and

Code:

mov EDX, [0x011CA260]
mov EDX, [EDX+0x2864]
FS mov EAX, [0x2C]
mov EAX, [EAX]
add EAX, 8
mov [EAX], edx
mov ecx, {0}
call 0x0077CDD0         
retn

and

Code:

push {0}
call 0x0077CDD0         
retn

and

Code:

mov ecx, {0}
call 0x0077CDD0         
retn

wher {0} is replaced with the address of the string

wait, Has the address of the funtion changed in 3.0.3? If so what is the new offset?

Yes the function address has changed.

0x0077DEF0 is the new one.

[argh44z]

wait, Has the address of the funtion changed in 3.0.3? If so what is the new offset?

All RVA addresses will change between WoW versions (it'd be a weird coincidence if one single address didn't change). Even a single line change can change everything.

[testout]

Thanks!

So i'm trying to get this working (i'm not a "Lazy Programmer" Lazy-ass programmer incoming !! - that thread makes me lol irl)


IDA tells me the function looks like this:

Code:

.text:0077DEF0 sub_77DEF0      proc near    
.text:0077DEF0  
.text:0077DEF0
.text:0077DEF0 var_4           = dword ptr -4
.text:0077DEF0 arg_0           = dword ptr  8
.text:0077DEF0 arg_4           = dword ptr  0Ch
.text:0077DEF0 arg_8           = dword ptr  10h

So to work out what these paramaters are i looked at this function is calls it and is quite simple:

Code:

.text:0049C440 sub_49C440      proc near           
.text:0049C440
.text:0049C440 arg_0           = dword ptr  8
.text:0049C440
.text:0049C440                 push    ebp
.text:0049C441                 mov     ebp, esp
.text:0049C443                 push    esi
.text:0049C444                 mov     esi, [ebp+arg_0]
.text:0049C447                 push    1
.text:0049C449                 push    esi
.text:0049C44A                 call    sub_7AD710
.text:0049C44F                 add     esp, 8
.text:0049C452                 test    eax, eax
.text:0049C454                 jz      short loc_49C47D
.text:0049C456                 push    0
.text:0049C458                 push    1
.text:0049C45A                 push    esi
.text:0049C45B                 call    sub_7AD890
.text:0049C460                 add     esp, 0Ch
.text:0049C463                 test    eax, eax
.text:0049C465                 jz      short loc_49C47D
.text:0049C467                 cmp     byte ptr [eax], 0
.text:0049C46A                 jz      short loc_49C47D
.text:0049C46C                 mov     ecx, off_FC549C
.text:0049C472                 push    ecx
.text:0049C473                 push    eax
.text:0049C474                 push    eax
.text:0049C475                 call    sub_77DEF0
.text:0049C47A                 add     esp, 0Ch
.text:0049C47D
.text:0049C47D loc_49C47D:                        
.text:0049C47D                 xor     eax, eax
.text:0049C47F                 pop     esi
.text:0049C480                 pop     ebp
.text:0049C481                 retn
.text:0049C481 sub_49C440      endp

This only takes 1 argument (this function is called when using /script xxx).

so we push 3 pointers onto the stack before calling the dostring, and the correct the stack on return.

so this is the code I inject:

Code:

mov ecx, {0} ;0xFC549C in the other function
mov eax, {1} ; pointer to string
push ecx
push eax
push eax
call 0x0077DEF0 
add esp, 0Ch ; fix stack
retn

But this doesnt seem to work right.

Nothing happens unless there is an error in my LUA, then an error frame is shown (DoEmote does nothing for example).

Any clues?

[Cypher]

Hey, what exactly are you passing to the function. Could you give me a real example so I could see?

typedef void (__cdecl * tDoString)(const char * pszExec1, const char * pszExec2, void * pState = 0);
tDoString MyDoString = (tDoString)(0x0077DEF0);
MyDoString("ForceQuit()","ForceQuit()");

WARNING: The code above is untested and off the top of my head. It should work though.

If you can't get it working reply again and I'll write up some test code for you.

Its obvious you're well above the level of the moron in that other thread and the fact that you've been able to jump into IDA and do some research on your own makes me more than happy to give you a hand.

[testout]

DLL Injection makes it so much easier!

Code:

typedef void (__cdecl * tDoString)(const char * pszExec1, const char * pszExec2, void * pState = 0);
tDoString MyDoString = (tDoString)(0x0077DEF0);
MyDoString("ForceQuit()","ForceQuit()");

How come you ignore pState? What is pState? And why is the string passed twice? (wierd?)

I tried passing DoEmote("DANCE"), OpenAllBags()... nothing. I'll do some more digging...

[mordok]

Hi all :wave:. First i'll like to thx Cypher, because the last few weeks the green text was the WAY TO GO. Anyway im trying out somthing simple so Cypher / Kynox dumps are to big for what im trying. The idea is simple thou idont know why, maby im too noob or its just that i spent soo much time this week breathing code that my brain just cant handle any more. Anyway.... Im trying to read TLS to get the value of my player hp.

This is what i discovered so far:

1) Searched the values with cheat engine and coded C# with MemLib.dll to read that value. RESULT = WORKED but...dynamic adress.:confused:

2) Tried2 find static pointers and their offsets.....RESULT = not bad thou never gaved me the correct HEALTH VALUE dunno why.

3) I so A GREEN CHARMANDER LIGTH....so I sed...OBJECT MANGER!!!!COOOL....but same problem that in step 2. PLEASE, I really did research and tried...thou sad but true im stuck, i need some orientation. THIS IS WHAT I HAVE; BTW im assuming this pointer and offsets are correct for EUeng version of WOW.

clientConnection = 0x011CA260 (Address)
mgrOffset = 0x2864
playerGUIDOffset = 0xC0
hp= ¿?tried many.

C# here:
-------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Diagnostics;
using MemoryLib;

namespace ConsoleApplication3
{
class Program
{
static void Main(string[] args)
{
Process.EnterDebugMode();
IntPtr hProcess = Memory.OpenProcess(Memory.GetProcessIdByProcessName("wow.exe"));


UInt32 g_clientConnection = Memory.ReadUInt(hProcess, 0x011CA260);
UInt32 s_curMgr = Memory.ReadUInt(hProcess, (g_clientConnection + 0x2864));
UInt32 playerGUID = Memory.ReadUInt(hProcess, (s_curMgr + 0xC0));
UInt32 hp = Memory.ReadUInt(hProcess, (playerGUID + 0x91));

{
Console.WriteLine(string.Format("Current hp:{0}", hp));
Console.ReadLine();
}


}
}
}


-------------------------------------------
couldnt find the insert text in scroll bars srry.
-----------------------------------------------------------------------------------
I will really apreciate Example of code. Thanks in advance....

[lanman92]

Look at Shynd's WoW Modification Journal. That's what got me started, it explains things pretty well.

Anyways, you're doing it wrong. You have to parse through all of the objects and compare their GUID to your local GUID. Once you find the base address of the one where your GUID equals that object, that is your playerbase. You now have to read (playerbase + 0x0 + (0x17 * 4) to get your hp. It's very complicated to do something so simple, but it's necessary to do any real kind of 'botting'. Page 4 of this thread explains how to read the HP correctly, I might be wrong.

[mordok]

I been at that journal before ill recheck it again. Thanks a lot lanman92 that was the push I was looking for. <3 lanman92 +rep

Ok but in Shyds journal he doesnt explain how to get object list guid, local GUID and compare.

Im not a copypasta leecher buy i'll LOVE++ a C# example.

[lanman92]

Code:

curObj = Memory.ReadUInt(hWow, (long)(s_curMgr + 0xAC));
nextObj = curObj;
 
while(curObj != 0)
{
    UInt64 cGUID = Memory.ReadUInt64(hWow, (long)(curObj + 0x30));
 
    if(cGUID == localGUID)
    {
          localObj = curObj;
    }
 
   nextObj = Memory.ReadUInt(hWow, (curObj + 0x3C));
      if (nextObj == curObj)
         break;
      else
         curObj = nextObj;
}

There you go. This is after the init. where I get s_curMgr and g_clientConnection. What exactly are you trying to do anyway?

EDIT: On a note, this is easier and more managable with C++ and classes using inheritance, VMT's, etc. It provides a lot of functionality and more things to do.

[mordok]

I dooooo lov uuuuu hail lanman92

Im trying to make a simple simple bot... but for now I just want to get the hp of my char

Im having trouble to do this:

1) get correct g_ClientConnection in order to get correct s_CurMgr
2) Finding local GUID
3)Finding object GUID and comparing object GUID with local GUID to get player Guid
4) adding offset to player Guid to find hp

correct me if wrong.

but im trying my best. Ill c what i can get with ur example.

[Shynd]

Hi, he just told you how to do it. You cannot add the offset to the player GUID because a GUID is just a unique identifier given to your local player (and all other loaded objects), not an address of any sort. You must loop through all loaded objects (which lanman has shown you how to do) and compare your local GUID (which you already know how to get) with the GUID of each of those objects. When they match, you know that the current object is your local player (re-read the code snippet he posted).

[mordok]

Thanks shynd but i did understand what he sed...Is exactly what i posted next. Thanks for your post it helped me to relise y had the correct values.
And thanks again to lanman92.


JUST IN CASE SOMEONE IS STRUGGLING TO DO THIS LIKE I WAS HERE IS MY WORKING C# CODE TO GET PLAYER HP
-------------------------------------------------------------------------

Code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Diagnostics;
using MemoryLib;

namespace ConsoleApplication3
{
    class Program
    {
        static void Main(string[] args)
        {

            


            Process.EnterDebugMode();
            IntPtr hProcess = Memory.OpenProcess(Memory.GetProcessIdByProcessName("wow.exe"));
            
            //TLSwow = 00400000;
            uint g_clientConnection = Memory.ReadUInt(hProcess, 0x011CA260);
            uint s_curMgr = Memory.ReadUInt(hProcess, (g_clientConnection + 0x2864));
            uint localGUID = Memory.ReadUInt(hProcess, (s_curMgr + 0xC0));
            uint curObj = Memory.ReadUInt(hProcess, (s_curMgr + 0xAC));
            uint nextObj;
            uint localObj;

            nextObj = curObj;

            while (curObj != 0)
            {
                UInt64 cGUID = Memory.ReadUInt64(hProcess, (long)(curObj + 0x30));

                if (cGUID == localGUID)
                {
                    localObj = curObj;


                    uint prehp = Memory.ReadUInt(hProcess, (localObj + 0x08));
                    uint hp = Memory.ReadUInt(hProcess, (prehp + (0x17 * 4)));

                    {
                        Console.WriteLine(string.Format("Current Health:{0}", hp));
                        Console.ReadLine();
                    }


                }

                nextObj = Memory.ReadUInt(hProcess, (curObj + 0x3C));
                if (nextObj == curObj)
                    break;
                else
                    curObj = nextObj;
            }

---------------------------------------------------------------
Messy code I know but damn straight foward. hope it helps
---------------------------------------------------------------

For anyone that whana do somthing LOVELYYYYY
You know what would be great......A TUTORIAL to throw light who you got the g_ClientConection adress. and the offsets throough all values.

[Shynd]

You're frustrating, you know that?

[mordok]

/cry..... whyyyy?? im just trying to help /cry /cry while(cry){/cryabitmore}

[Functions]

Cypher ur awesome dude thanks, but like all, in c++ (op language) How do I get the value, I also need a program to find the offsets(memory values). So like It goes into the proccess, extract the data, you know what i get it now, All I need is a Memory Reader to find the Offset Values, But one more thing, Dont these values everytime you start up WoW because different ram is avaliable at that time 0x0000

new int a;
del int a;

Static ftw?