Using SelectTarget

[cenron]

OK so I for my first successful attempt at reversing I managed to get SelectTarget() working.

I am was so excited about this little achievement I thought I would post it so others can use it and since I did a search and couldn't find anything here is the code to use SelectTarget.

What is SelectTarget()?

Just like the name says it selects a unit without triggering the attack mode, which interact does when you use it to select a target.

I use it for my radar. So when you click on a element in the radar it selects that target.


The Meat & Potatos

Select Target takes target GUID as a paramter.

Code:

void CGLocalPlayer::SelectTarget( WGUID wGuid )
{
	unsigned long dwHiWord = ( wGuid >> 32 ); // Split GUID into 4byte chunks
	unsigned long dwLoWord = (unsigned long)wGuid; // Split GUID into 4byte chunks
	
	__asm
	{
		PUSH dwHiWord
		PUSH dwLoWord
		MOV EAX, 0x004AEBF0 ; As of 3.0.9
		CALL EAX
		ADD ESP, 0x08
	}
}

Again nothing to complicated but a useful function to have part of your arsenal.



Pattern

Code:

FindPattern("\x55\x8B\xEC\x83\xEC\x00\xE8\x00\x00\x00\x00\xF7\xD8\x1B\xC0\x40", "xxxxx?x????xxxx");

[Cypher]

You're over-complicating things.

A WGUID is just an in64 (or two unsigned longs), the function takes a WGUID, they just get split up because its more efficient than passing a pointer to a structure so small.

Here's a better and cleaner way that avoids breaking up the GUID:

Code:

typedef void (__cdecl* tLocalPlayer_SelectTarget)(WGUID NewGuid);
// Set the real pointer at runtime in your initilization func.
tLocalPlayer_SelectTarget pLocalPlayer_SelectTarget = 0;

void LocalPlayer::SelectTarget(WGUID NewGuid)
{
    pLocalPlayer_SelectTarget(NewGuid);
}

No inline asm, no manual splitting, etc. If you really wanted to break it up though you could just use the HighPart and LowPart fields in your struct/union/whatever.

eg.
unsigned long High = NewGuid.High;
unsigned long Low = NewGuid.Low;

Also, afaik, SelectTarget isn't TECHNICALLY a member of LocalPlayer, but its okay because SelectTarget isn't __thiscall so you can throw it wherever you want and not have to worry about passing 'this'.

[cenron]

You're over-complicating things.

A WGUID is just an in64 (or two unsigned longs), the function takes a WGUID, they just get split up because its more efficient than passing a pointer to a structure so small.

Here's a better and cleaner way that avoids breaking up the GUID:

Code:

typedef void (__cdecl* tLocalPlayer_SelectTarget)(WGUID NewGuid);
// Set the real pointer at runtime in your initilization func.
tLocalPlayer_SelectTarget pLocalPlayer_SelectTarget = 0;

void LocalPlayer::SelectTarget(WGUID NewGuid)
{
    pLocalPlayer_SelectTarget(NewGuid);
}

No inline asm, no manual splitting, etc. If you really wanted to break it up though you could just use the HighPart and LowPart fields in your struct/union/whatever.

eg.
unsigned long High = NewGuid.High;
unsigned long Low = NewGuid.Low;

Also, afaik, SelectTarget isn't TECHNICALLY a member of LocalPlayer, but its okay because SelectTarget isn't __thiscall so you can throw it wherever you want and not have to worry about passing 'this'.

As always you are right. The reason I posted it with inline asm because I wanted to show an example that could be used in or out of process. Thanks for the info though.

[swayenvoy]

That's just how i've done it in C#, the method is a member of my Unit Implementation.

The last line only displays the unitframe of the target .

Code:

public void Target()
        {
            string Pattern = "55 8B EC 83 EC 00 E8 00 00 00 00 F7 D8 1B C0";
            string Mask = "xxxxx?x????xxxx";

            uint CodeLocation = SPattern.FindPattern(_wowLib.iBlackMagic.ProcessHandle, _wowLib.iBlackMagic.MainModule, Pattern, Mask, ' ');

            uint codeCave = _wowLib.iBlackMagic.AllocateMemory(0x108);

            _wowLib.iBlackMagic.WriteUInt64(codeCave + 0x100, Guid);

            _wowLib.iBlackMagic.Asm.Clear();
            _wowLib.iBlackMagic.Asm.AddLine("MOV EAX,[0x{0}]",(codeCave + 0x100 + 0x4).ToString("X"));
            _wowLib.iBlackMagic.Asm.AddLine("PUSH EAX");
            _wowLib.iBlackMagic.Asm.AddLine("MOV EAX,[0x{0}]", (codeCave + 0x100 + 0x0).ToString("X"));
            _wowLib.iBlackMagic.Asm.AddLine("PUSH EAX");
            _wowLib.iBlackMagic.Asm.AddLine("CALL 0x{0}", CodeLocation.ToString("X"));
            _wowLib.iBlackMagic.Asm.AddLine("ADD ESP, 0x08");
            _wowLib.iBlackMagic.Asm.AddLine("RETN");
            _wowLib.iBlackMagic.Asm.InjectAndExecute(codeCave);

            _wowLib.iBlackMagic.FreeMemory(codeCave);

            _wowLib.Lua.DoString("ClearTarget(); TargetLastTarget();");
        }

Also thanks for the info cenron.

P.S.: Your Pattern should read

Code:

FindPattern("\x55...

[RiseAndShine]

Don't forget to do suspend Wow's Mainthread if you're injecting out of process.
Also, I'm a newb at ASM, but can you MOV 64bit GUIDs into EAX? Didn't know you can do that, I used PUSH 2 times to do that, like that:

Edit:
aww..okay forget about that , just noticed i was too stupid to read swayenvoy's code right.

Code:

            uint hi = (uint)((GUID >> 32) & 0xFFFFFFFF);
            uint lo = (uint)(GUID & 0xFFFFFFFF);

            wow.Asm.AddLine("push {0}", hi);
            wow.Asm.AddLine("push {0}", lo);
            wow.Asm.AddLine("call {0}", SelectUnit);

[arigity]

eax is a 32 bit register (which only takes values dword and below), rax would be its 64 bit version.

[Cypher]

Don't forget to do suspend Wow's Mainthread if you're injecting out of process.
Also, I'm a newb at ASM, but can you MOV 64bit GUIDs into EAX? Didn't know you can do that, I used PUSH 2 times to do that, like that:

Code:

            uint hi = (uint)((GUID >> 32) & 0xFFFFFFFF);
            uint lo = (uint)(GUID & 0xFFFFFFFF);

            wow.Asm.AddLine("push {0}", hi);
            wow.Asm.AddLine("push {0}", lo);
            wow.Asm.AddLine("call {0}", SelectUnit);

No. All the general purpose registers are 32-bit under IA-32 (which is what WoW runs under).

[cenron]

Code:

FindPattern("\x55...

Yep it was a typo thanks for the heads up its been updated.

[swayenvoy]

Yeah thats right, my Main Thread gets suspended by the Object Manager, and the OM raises an Event while the Thread is suspeded.

And if you read the code once again you will see that I only mov 32 bits to the Register twice.

Code:

_wowLib.iBlackMagic.Asm.AddLine("MOV EAX,[0x{0}]",(codeCave + 0x100 + 0x4).ToString("X"));
_wowLib.iBlackMagic.Asm.AddLine("PUSH EAX");
_wowLib.iBlackMagic.Asm.AddLine("MOV EAX,[0x{0}]", (codeCave + 0x100 + 0x0).ToString("X"));
_wowLib.iBlackMagic.Asm.AddLine("PUSH EAX");

First the high part and afterwards the low part.

I just was not sure how to generate 2 uints with bitwise operations. So i decided i let the asm to that stuff for me