Wow Call Method Search.

  1. #1
    finnerj

    Hi all,

    I am trying to use a pattern search to find the address for the CastSpellById.

    I am currently doing this in C#..

    uint CommandAddress = dwFindPattern(hProcess, 0x400000, 0x400000,
    "8B 16 6A 00 6A 00 6A 00 52",
    "xxxxxxxxx");

    uint Commandmodified = MemoryLib.Memory.ReadUInt(hProcess, CommandAddress + 0xA);

    However the address I get is 0x00238622 :s and as we know the address is actually
    0x00773400.

    Does anyone have any ideas what I am doing wrong, or do I have the pattern wrong?

    Thanks for any help.

  2. #2
    kynox

    0xE8 (CALL Relative) isn't as simple as 0xE8 <Address of Function>.

    You have to use CommandAddress + CommandModified + 5 (Size of Instruction).

    Your FindPattern results in 0x0053ADD9. CommandModified at 0x00238622. So 0x0053ADD9 + 0x00238622 + 0x05 = 0x773400.

  3. #3
    finnerj

    Anyone have any ideas what's going wrong here?

    byte[] find = { 0xEB, 0x02, 0x33, 0xC0, 0x8B, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x64, 0x8B, 0x15, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x34, 0x8A, 0x8B, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x89, 0x81, 0x00, 0x00, 0x00, 0x00 };
    string mask = "xxxxxx????xxx????xxxxx????xx????";
    uint Pointer = SPattern.FindPattern(WOW.Handle, WOW.MainModule, find, mask);

    //Offset to ObjectMgr & ObjectMgrOffset
    //0x16 & 0x1C.

    ObjectMgr = BM.ReadUInt(Pointer + 0x16);
    ObjectMgrOffset = BM.ReadUInt(Pointer + 0x1C);

    Console.WriteLine("Pointer: 0x{0:X8}\nObject Mgr: 0x{1:X8}\nObjectMgrOffset: 0x{2:X8}", Pointer,ObjectMgr, ObjectMgrOffset);

    The output is:-
    Pointer: 0x0046FD15
    Object Mgr: 0x00000000
    ObjectMgrOffset: 0x00000000

    For some reason I cannot get the Object Mgr / ObjectMgrOffset..

    Not sure why.. I used this from Olly to build this.

    EB 02 JMP SHORT WoW.0046FD19
    33C0 XOR EAX,EAX
    8B0D A0F72E01 MOV ECX,DWORD PTR DS:[12EF7A0]
    64:8B15 2C000000 MOV EDX,DWORD PTR FS:[2C]
    8B348A MOV ESI,DWORD PTR DS:[EDX+ECX*4]
    8B0D 60A21C01 MOV ECX,DWORD PTR DS:[11CA260]
    8981 64280000 MOV DWORD PTR DS:[ECX+2864],EAX

  4. #4
    hypnodok

    Code:
    .text:0046FD19                 mov     ecx, TlsIndex
    .text:0046FD1F                 mov     edx, large fs:2Ch
    .text:0046FD26                 mov     esi, [edx+ecx*4]
    .text:0046FD29                 mov     ecx, dword_11CA260
    .text:0046FD2F                 mov     [ecx+2864h], eax
    .text:0046FD35                 mov     edx, dword_11CA260
    .text:0046FD3B                 mov     [esi+8], eax
    .text:0046FD41                 mov     [eax+0D0h], edx
    
    .text:0046FD10  E8 AB EA FF FF EB 02 33  C0 8B 0D A0 F7 2E 01 64
    .text:0046FD20  8B 15 2C 00 00 00 8B 34  8A 8B 0D 60 A2 1C 01 89
    .text:0046FD30  81 64 28 00 00 8B 15 60  A2 1C 01 89 86 08 00 00
    .text:0046FD40  00 89 90 D0 00 00 00 E8  14 FF FF FF 8B 86 08 00
    
    Hexview               Mask     Opcode
    ---------------------------------------------------
    8B 0D A0 F7 2E 01     xx????   mov ecx, tlsindex
    64 8B 15 2C 00 00 00  xxx????  mov edx, fs:2c
    8B 34 8A              xxx      mov esi, [edx+ecx*4]
    8B 0D 60 A2 1C 01     xx????   mov ecx, 11ca260
    89 81 64 28 00 00     xx????   mov [ecx+2864h], eax
    8B 15 60 A2 1C 01     xx????   mov edx, dword_11CA260
    89 86 08 00 00 00     xx????   mov [esi+8], eax
    89 90 D0 00 00 00     xx????   mov [eax+0D0h], edx
    This should work, if it doesn't let me know.
    clientConnect = Address+0x12, offset = Address+0x18 if I counted correctly.
    Last edited by hypnodok; 01-13-2009 at 03:30 AM. Reason: Confused TLSIndex with clientconnection pointer.
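
Added example, not part of the original thread or any poster's code: a self-contained C sketch of the two calculations discussed above, run against the bytes of the post #4 hex dump instead of a live process. It matches the post #3 pattern with its mask, reads the 32-bit operands at match+0x16 and match+0x1C, and resolves the E8 rel32 call at the start of the dump as instruction address + 5 + signed displacement; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bytes 0x0046FD10..0x0046FD3F, copied from the hex dump in post #4. */
#define DUMP_BASE 0x0046FD10u
static const uint8_t DUMP[] = {
    0xE8,0xAB,0xEA,0xFF,0xFF,0xEB,0x02,0x33,0xC0,0x8B,0x0D,0xA0,0xF7,0x2E,0x01,0x64,
    0x8B,0x15,0x2C,0x00,0x00,0x00,0x8B,0x34,0x8A,0x8B,0x0D,0x60,0xA2,0x1C,0x01,0x89,
    0x81,0x64,0x28,0x00,0x00,0x8B,0x15,0x60,0xA2,0x1C,0x01,0x89,0x86,0x08,0x00,0x00 };
/* Pattern and mask from post #3: 'x' = byte must match, '?' = wildcard. */
static const uint8_t PAT[] = {
    0xEB,0x02,0x33,0xC0,0x8B,0x0D,0,0,0,0,0x64,0x8B,0x15,0,0,0,0,
    0x8B,0x34,0x8A,0x8B,0x0D,0,0,0,0,0x89,0x81,0,0,0,0 };
static const char MASK[] = "xxxxxx????xxx????xxxxx????xx????";

/* Offset of the first masked match in buf, or -1 if there is none. */
long find_pattern(const uint8_t *buf, size_t len, const uint8_t *pat, const char *mask) {
    size_t n = strlen(mask);
    for (size_t i = 0; n > 0 && i + n <= len; i++) {
        size_t j = 0;
        while (j < n && (mask[j] == '?' || buf[i + j] == pat[j])) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* Bounds-checked little-endian 32-bit read; returns 0 if it would leave the buffer. */
int read_u32(const uint8_t *b, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4) return 0;
    *out = b[off] | (uint32_t)b[off+1] << 8 | (uint32_t)b[off+2] << 16 | (uint32_t)b[off+3] << 24;
    return 1;
}

/* Resolve E8 rel32 at b[off]: rel32 counts from the end of the 5-byte call; wraparound covers backward calls. */
int call_target_at(const uint8_t *b, size_t len, uint32_t base, size_t off, uint32_t *target) {
    uint32_t rel;
    if (off >= len || b[off] != 0xE8 || !read_u32(b, len, off + 1, &rel)) return 0;
    *target = base + (uint32_t)off + 5u + rel;
    return 1;
}

int main(void) {
    uint32_t a = 0, b = 0, t = 0;
    long m = find_pattern(DUMP, sizeof DUMP, PAT, MASK);
    if (m < 0 || !read_u32(DUMP, sizeof DUMP, (size_t)m + 0x16, &a) ||
        !read_u32(DUMP, sizeof DUMP, (size_t)m + 0x1C, &b) ||
        !call_target_at(DUMP, sizeof DUMP, DUMP_BASE, 0, &t)) return 1;
    printf("match=+0x%lX a=0x%08X b=0x%08X call=0x%08X\n", (unsigned long)m, a, b, t);
    return 0;
}
```

On the dump the pattern matches at offset 5 (0x0046FD15, the Pointer value printed in post #3), the operands read back as 0x011CA260 and 0x2864, and the backward call at 0x0046FD10 resolves to 0x0046E7C0.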
