Looking for reliable way to cast spells...

  1. #1
    akh

    Looking for reliable way to cast spells...

    There’s a thing that has been bugging me recently. I'm trying to write a semi-bot to help me keep dots up on a target at all times, but I can’t seem to find a reliable way to cast spells.
    I have tried several, including calling the castSpellById function directly in ASM, calling the function using a function pointer (typedef...), calling the function from a codeCave using BlackMagic, and my latest attempt was to use LUA doString to cast spells.

    I tested the mentioned methods by casting the spell "Demon Skin" over and over again. Usually it works fine at first, but after a while it crashes. It's quite random: sometimes it crashes after 10 casts, and sometimes it can run for 30 minutes.

    The errors are access violations and occur in various places; they're the same errors as described in the similar topic "Weird issues calling CastSpellByID".

    Here are some code snippets:

    ASM function call:
    Code:
    DWORD* pTmp = NULL;
    _asm 
    {
    	MOV EAX, DWORD PTR FS:[0x2C]
    	MOV EAX, DWORD PTR DS:[eax]
    	MOV pTmp, EAX
    }
    *(DWORD*)((DWORD)pTmp + 0x8) = curMgr;
    
    DWORD dwCall = 0x00773400;
    _asm 
    {
    	push 0
    	push 0
    	push 0
    	push 686 //spellId for Demon Skin
    	call dwCall
    	add esp, 0x10
    }
    Crashinfo: ASM Function crash.txt

    Function pointer:
    Code:
    typedef bool (__cdecl * tCastSpellById)(unsigned int SpellId, unsigned int Unk2, unsigned int Unk3, unsigned int Unk4);
    tCastSpellById oCastSpellById = (tCastSpellById)gpWoWX->GetFindPattern()->GetAddress( "CastSpellById" );
    
    DWORD* pTmp = NULL;
    _asm 
    {
    	MOV EAX, DWORD PTR FS:[0x2C]
    	MOV EAX, DWORD PTR DS:[eax]
    	MOV pTmp, EAX
    }
    *(DWORD*)((DWORD)pTmp + 0x8) = curMgr;
    
    oCastSpellById(687,0,0,0);
    Crashinfo: Function Pointer crash.txt, Function Pointer crash.dmp

    BlackMagic codeCave:
    Code:
    uint codeCave = wow.AllocateMemory();
    int CASTSPELLBYID = 0x00773400;
    wow.Asm.Clear();
    
    wow.Asm.AddLine("fs mov eax, [0x2C]");
    wow.Asm.AddLine("mov eax, [eax]");
    wow.Asm.AddLine("add eax, 8");
    wow.Asm.AddLine("mov dword [eax], {0}", objectManager);
    
    wow.Asm.AddLine("push 0");
    wow.Asm.AddLine("push 0");
    wow.Asm.AddLine("push 0");
    wow.Asm.AddLine("push {0}", id);
    wow.Asm.AddLine("call {0}", CASTSPELLBYID);
    wow.Asm.AddLine("add esp,16");
    wow.Asm.AddLine("retn");
    
    wow.Asm.InjectAndExecute(codeCave);
    wow.FreeMemory(codeCave);
    Crashinfo: codeCave crash.txt, codeCave crash.dmp

    LUA_Dostring
    Code:
    DWORD* pTmp = NULL;
    _asm 
    {
    	MOV EAX, DWORD PTR FS:[0x2C]
    	MOV EAX, DWORD PTR DS:[eax]
    	MOV pTmp, EAX
    }
    *(DWORD*)((DWORD)pTmp + 0x8) = curMgr;
    
    void * pState = gpWoWX->GetGameLua()->GetState();
    char* command = "CastSpellByName(\"Demon Skin\");";
    gpWoWX->GetGameLua()->Lua_Dostring(command,"",pState);
    Crashinfo: lua crash.txt, lua crash.dmp

    I don't know if it has any significance, but I'm running Windows Vista 32-bit with admin privileges and UAC disabled. The tests are done on a private server (Mangos).

    I hope someone can help me out, as I find this issue very annoying and I would hate to resort to sending keystrokes by sendkeys or something similar.
    Last edited by akh; 01-02-2009 at 10:59 AM.

  2. #2
    starfish99
    You can simply call lua_dostring like this:

    char* command = "CastSpellByName(\"Demon Skin\")";
    gpWoWX->GetGameLua()->Lua_Dostring(command,command,0);

    or send a packet to the server
    http://www.mmowned.com/forums/wow-me...g-packets.html

    I think sending packets may be more reliable and effective, but there is the trouble of finding the spell ID.
    I know the offset of it,
    ptrGetSpellIDByName = 0x004D0A30
    but I have not made it work yet.
    Last edited by starfish99; 01-02-2009 at 12:59 PM.

  3. #3
    akh
    Thanks for your reply Starfish.

    I'm trying to translate your Delphi code to C++, but apparently I'm doing something wrong, maybe you can tell me what it is... when I try to run it I get an access violation at 0x00584454.

    Here is my code:
    Code:
    Header file:
    -------------------------------------------------
    //datastore structure
    #pragma pack(1)
    struct TDataStore 
    {
    	DWORD ptrDataStore; // pDataStore1,pDataStore2
    	DWORD ptrPacketData; //pointer to packet data
    	DWORD UnKnown1; //always 0
    	DWORD MayType; // 0x100 for normal, 0x300 for warden
    	DWORD PacketLen; //data length
    	DWORD UnKnown3; //always 0
    };
    
    #pragma pack(1)
    struct TCastSpell 
    {
    	DWORD OpCode;
    	BYTE Count;
    	WORD SpellID;
    	BYTE Zero1;
    	BYTE Zero2;
    	BYTE Zero3;
    	DWORD SpellType;
    };
    
    #pragma pack(1)
    struct TCastSpellTarget 
    {
    	DWORD OpCode;
    	BYTE Count;
    	WORD SpellID;
    	BYTE Zero1;
    	BYTE Zero2;
    	BYTE Zero3;
    	DWORD SpellType;
    	WGUID Target;
    };
    
    #pragma pack(1)
    struct TCastSpellAOE 
    {
    	DWORD OpCode;
    	BYTE Count;
    	WORD SpellID;
    	BYTE Zero1;
    	BYTE Zero2;
    	BYTE Zero3;
    	DWORD SpellType; //0x40
    	FLOAT X;
    	FLOAT Y;
    	FLOAT Z;
    };
    
    -----------------------------------------------------------------
    
    void sendSpellcast(WORD spellId) 
    {
    	DWORD* pTmp = NULL;
    	_asm 
    	{
    		MOV EAX, DWORD PTR FS:[0x2C]
    		MOV EAX, DWORD PTR DS:[eax]
    		MOV pTmp, EAX
    	}
    	*(DWORD*)((DWORD)pTmp + 0x8) = curMgr;
    
    	DWORD ptrSendPacket = 0x005843A0; //function address(currentconnection_sendpacket)
    	DWORD pDataStore1 = 0x0092DB38; // first parameter (for normal)
    	DWORD pDataStore2 = 0x0092EE40; // first parameter (for warden)
    	DWORD ptrNextCastCount = 0x012E8541;//it's a counter, looping from 1 to FF
    	DWORD CMSG_CAST_SPELL = 0x12E; //OpCode for cast spell
    	
    	BYTE count = *(BYTE*)ptrNextCastCount;
    	TCastSpell castSpell = TCastSpell();
    	
    	castSpell.OpCode = CMSG_CAST_SPELL;
    	castSpell.Count = count;
    	castSpell.SpellID = spellId;
    	castSpell.Zero1 = 0;
    	castSpell.Zero2 = 0;
    	castSpell.Zero3 = 0;
    	castSpell.SpellType = 0;
    
    	TDataStore dataStore = TDataStore();
    
    	dataStore.ptrDataStore = pDataStore1;
    	dataStore.ptrPacketData = (DWORD)&castSpell;
    	dataStore.UnKnown1 = 0;
    	dataStore.MayType = 0x100;
    	dataStore.PacketLen = sizeof(castSpell);
    	dataStore.UnKnown3 = 0;
    	DWORD dwCurrentConnection = *(DWORD*)0x011CA260;
    	DBGLOG("dwCurrentConnection: 0x" << std::hex << dwCurrentConnection);
    	DWORD dataStorePointer = (DWORD)&dataStore;
    	_asm 
    	{		
    		push dataStorePointer
    		mov ecx, [dwCurrentConnection]
    		mov ebx, ptrSendPacket
    		call ebx
    	}
    	*(BYTE*)ptrNextCastCount = ++count;
    }
    Edit:

    Here is my function for getting the spellid:
    Code:
    DWORD GetSpellByName( char* szName )
    {
    	unsigned long dwGetSpellIDByName = gpWoWX->GetFindPattern()->GetAddress( "GetSpellByName" );
    	DWORD dwUnknown = 0;
    	_asm
    	{
    		LEA EAX, dwUnknown
    		PUSH EAX
    		PUSH szName
    		MOV  EAX, dwGetSpellIDByName
    		CALL EAX
    		ADD  ESP, 8
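    	}
    	// No explicit return statement: the callee's result is left in EAX,
    	// which MSVC uses as this function's return value (warning C4035).
    }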
    Finally got it working. I had an error with the spelltype; it's 0 when casting "normal" spells.
    Last edited by akh; 01-03-2009 at 07:09 PM.
