Making a WoW Bot [Mac]

[ReppzYouTube]

maybe you should just create an EXE converter i mean so you can run it on an intel PPC, then you could download emu hack or whatever you want to that would proberly be better then starting creating a DMG version of emuhack (im using emu hacker as an EG) btw good luck

[enteleky]

Wait what?

And can anyone get me started a little more. I understand that I don't have the tools yet to understand everything but I just need input from everybody to get to that point.

So looking again I found this....

│AA0F0 mov dword ptr [esp+14h], 1
│AA0F8 mov dword ptr [esp+10h], 0
│AA100 mov dword ptr [esp+0Ch], offset aS_curmgr ; "s_curMgr"
│AA108 mov dword ptr [esp+8], 14Eh
│AA110 mov dword ptr [esp+4], offset aVolumesF2Us_83 ; "/Volumes/F2/usrbuild/xb/build/WoW_9183p"...
│AA118 mov dword ptr [esp], 85100000h
│AA11F call loc_47CA
│AA124 jmp loc_A9F71

Is offset aS_curmgr the memory location of s_curMgr... If so how do I get it?

I tried setting up a breakpoint on that line but it never tripped.

So I think I found the static pointer to the TLS_store that I grabbed from pthread_getspecific() its at 0x161b720. Now I have no idea what to do... Or if that is even right, or how to tell.

Thanks in advanced.

[enteleky]

Can anyone help me with whats above please?

[Cypher]

Don't double post just to bump your own thread.

Furthermore, you have a severe lack of understanding of what you're looking at, either learn the theory first of you're on your own with the practical.

[enteleky]

What would you suggest is the most important things to go look at? Could you just give me a list please.

[Shynd]

Books. On reverse-engineering. Especially the ones that have been posted on this forum that are on page 2 or 3 or 4 (wasn't too long ago that the thread was bumped).

[argh44z]

Wait what?

And can anyone get me started a little more. I understand that I don't have the tools yet to understand everything but I just need input from everybody to get to that point.

So looking again I found this....

│AA0F0 mov dword ptr [esp+14h], 1
│AA0F8 mov dword ptr [esp+10h], 0
│AA100 mov dword ptr [esp+0Ch], offset aS_curmgr ; "s_curMgr"
│AA108 mov dword ptr [esp+8], 14Eh
│AA110 mov dword ptr [esp+4], offset aVolumesF2Us_83 ; "/Volumes/F2/usrbuild/xb/build/WoW_9183p"...
│AA118 mov dword ptr [esp], 85100000h
│AA11F call loc_47CA
│AA124 jmp loc_A9F71

Is offset aS_curmgr the memory location of s_curMgr... If so how do I get it?

No, it's a string : "s_curMgr". The above is a call to an error or assert function. It's highly probable that wherever that is, that piece of code is executed after some error condition with s_curMgr (probably it being NULL or something). Look and analyze around this piece of code, it is probably doing something with s_curMgr, including a possible check for it being NULL.

I tried setting up a breakpoint on that line but it never tripped.

Probably because that error condition was not reached.

[enteleky]

Another question(Just wondering if I am understanding code right)... g_clientConnection is setup on login correct? And then once you click on a character then objMgr gets added to g_clientConnection.

Alright back to the drawing board... This stuff is hard to get a handle on.

[Nesox]

no?

<filla />

[enteleky]

Doing more research and learning a whole lot in the process I am still after curMgr and well I think I have found clientConnection. Can anyone confirm that this is the clientConnection...

clientConnection: 0x019d8c00

Thanks.

[Cypher]

Why don't you just confirm it yourself?

Check if it contains the correct values/pointers......

[enteleky]

Ok...

So I have been trying to disassemble the Unit Object... And it seems to be like this:

[Base = xxxxx]xxx

Add base before each of these below...

For example 0x6f0 = [Base]6f0

Current Health: 0x6f0
Max Health: 0x710
Strength: 0x7e4
Agility: 0x7e8
Stamina: 0x7ec
Intelligence: 0x7f0
Spirit: 0x7f4

But I was wondering do those line up to the Windows Offsets for player? I checked vs. the 3.0.2 Offsets thread but they didn't come out the same(Did the offsets change between 3.0.2 and 3.0.3?). If they don't how might I go about finding the Unit object beinging?

I think I may have gotten it... Does the object that holds the player data have a length of 36024?

[enteleky]

Ok I think I have found the objMgr... This snippet of ASM code comes from the GetObjectFromGUID()


│__text:000A7B4D mov ebp, esp
│__text:000A7B4F push edi
│__text:000A7B50 push esi
│__text:000A7B51 push ebx
│__text:000A7B52 sub esp, 4Ch
│__text:000A7B55 mov esi, [ebp+arg_0]
│__text:000A7B58 mov edi, [ebp+arg_4]
│__text:000A7B5B mov eax, ds:dword_121D5AC
│__text:000A7B60 mov [ebp+var_38], eax
│__text:000A7B63 test eax, eax
│__text:000A7B65 jz loc_A7C33
│__text:000A7B6B mov ecx, [eax+0C4h]
│__text:000A7B71 mov ebx, [eax+0C8h]
│__text:000A7B77 mov eax, ebx <---- I think this is the line in which the objMgr offset is put into eax.
│__text:000A7B79 or eax, ecx
│__text:000A7B7B jnz loc_A7C45
│__text:000A7B81 mov ebx, edi
│__text:000A7B83 or ebx, esi
│__text:000A7B85 jz loc_A7C33

Is the object manager at 0x0121d5ac+c8h?

The problem is when ever I set IDAs debugger to break on this line WoW spinlocks and IDA doesn't show its broken yet... Could anyone help me?

[Cypher]

I lol'd.

Free tip for you: Learn ASM before trying to reverse WoW.

Durrrrrrrr.

[enteleky]

Well instead of just laughing at me could you help me understand whats going on here?