Kynox Object Dumper

[divmaster]

Hi,

i try to get this code working, but i always get this output:

----------------------
WoW Object Dumper (Out of Process)
by kynox

Local GUID: CCCCCCCCCCCCCCCC
GUID: CCCCCCCCCCCCCCCC Location: -107374176.000000 -107374176.000000 -107374176.000000
----------------------

I compiled it with Visual Studio 2008 Express on Windows XP with Wow up and running.

Here is my compiled Code. Anyone an idea what is wrong?

Code:

#include <Windows.h>
#include <stdio.h>
#include <iostream>
#include <TlHelp32.h>

using namespace std;



int AddDebugPrivileges();

DWORD dwGetObjManager( DWORD dwPID )
{
	//AddDebugPrivileges();
	HANDLE			hSnapShot = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, dwPID );

	THREADENTRY32	te32;
	te32.dwSize = sizeof(THREADENTRY32);
	
	if ( Thread32First( hSnapShot, &te32 ) )
	{
		
		do 
		{
			if ( te32.th32OwnerProcessID == dwPID )
			
				{
				
				HANDLE		hThread	= OpenThread( THREAD_ALL_ACCESS, false, te32.th32ThreadID );
				
				CONTEXT		ctx		= { CONTEXT_SEGMENTS };
				LDT_ENTRY	ldtEntry;

				GetThreadContext( hThread, &ctx );
				GetThreadSelectorEntry( hThread, ctx.SegFs, &ldtEntry );

				DWORD dwThreadBase		=	ldtEntry.BaseLow|(ldtEntry.HighWord.Bytes.BaseMid<<16)|(ldtEntry.HighWord.Bytes.BaseHi<<24);
				DWORD dwThreadStorage	=	NULL;
				DWORD dwBytesRead		=	NULL;
				DWORD dwObjManager		=	NULL;

				CloseHandle( hThread );

				
				AddDebugPrivileges();
				HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, dwPID );
				ReadProcessMemory( hProcess, (LPVOID)(dwThreadBase + 0x2C),		(LPVOID)&dwThreadStorage,	4, &dwBytesRead );
				ReadProcessMemory( hProcess, (LPVOID)(dwThreadStorage),			(LPVOID)&dwThreadStorage,	4, &dwBytesRead );
				ReadProcessMemory( hProcess, (LPVOID)(dwThreadStorage + 0x10),	(LPVOID)&dwObjManager,		4, &dwBytesRead );

				CloseHandle( hProcess );

				return dwObjManager;
			}
		} while ( Thread32Next( hSnapShot, &te32 ) );
		
	}

	CloseHandle( hSnapShot );

	return NULL;
}

int main( int argc, char* argv[] )
{
	AddDebugPrivileges();
	cout << "WoW Object Dumper (Out of Process) " << endl << "by kynox" << endl << endl;

	HANDLE			hSnapShot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, NULL );
	HANDLE			hProcess;

	PROCESSENTRY32	pe32;
	pe32.dwSize = sizeof(PROCESSENTRY32);

	DWORD			dwPids[10];
	int				iCurrentPids = 0;

	DWORD			dwObjMgr	 = 0;

	if ( Process32First( hSnapShot, &pe32 ) )
	{
		do 
		{
			if ( !stricmp( pe32.szExeFile, "Wow.exe" ) )
			{
				dwPids[iCurrentPids++] = pe32.th32ProcessID;
			}

		} while ( Process32Next( hSnapShot, &pe32 ) );
	}

	CloseHandle( hSnapShot );
	
	if ( iCurrentPids > 1 )
	{
		cout << "Multiple WoW processes have been found" << endl;
		
		for( int i = 0; i < iCurrentPids; i++ )
			cout << "(" << i << ") " << dwPids[i] << endl;

		int iProcessID = 0;
		cout << "Select process: ";
		cin >> iProcessID;
	
        while ( (iProcessID+1 > iCurrentPids) || (iProcessID < 0) )
		{
			cout << "Select process: ";
			cin >> iProcessID;
		}
		
		dwObjMgr = dwGetObjManager( dwPids[iProcessID] );
		hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, dwPids[iProcessID] );
	} else {
		dwObjMgr = dwGetObjManager( dwPids[0] );
	}
	
	if ( dwObjMgr == NULL )
	{
		cout << "Could not find ObjMgr!" << endl;
	}
	
	INT64	LocalGuid;
	DWORD	dwFirstObject;
	DWORD	dwCurObject;
	DWORD	dwBytesRead;

	AddDebugPrivileges();
	hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, dwPids[0] );
	

	ReadProcessMemory( hProcess, (LPVOID)(dwObjMgr + 0xC0), (LPVOID)&LocalGuid, 8, &dwBytesRead );
	ReadProcessMemory( hProcess, (LPVOID)(dwObjMgr + 0xAC), (LPVOID)&dwFirstObject, 4, &dwBytesRead );

	printf( "Local GUID: %016I64X\r\n", LocalGuid );

	dwCurObject = dwFirstObject;

	while ( dwCurObject && (dwCurObject&1) == 0 )
	{
		INT64 ObjGuid;
		ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x30),	(LPVOID)&ObjGuid, 8, &dwBytesRead );

		float X, Y, Z;
		ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0xBF0),	(LPVOID)&X, 4, &dwBytesRead );
		ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0xBF4),	(LPVOID)&Y, 4, &dwBytesRead );
		ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0xBFC),	(LPVOID)&Z, 4, &dwBytesRead );

		printf( "GUID: %016I64X Location: %f %f %f\r\n", ObjGuid, X, Y, Z );

		dwFirstObject = dwCurObject;

		ReadProcessMemory( hProcess, (LPVOID)(dwFirstObject + 0x3C),(LPVOID)&dwCurObject, 4, &dwBytesRead );

		if ( dwCurObject == dwFirstObject )
			break;
	}
	
	int i;
	cin >> i;
	return 0;
}

//-----------------------------------------------------------

// We need to do this to gain access to read the process
int AddDebugPrivileges()
{
	HANDLE hToken;
	TOKEN_PRIVILEGES tp;

	OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES, &hToken);

	if( !LookupPrivilegeValueA( NULL, "SeDebugPrivilege", &tp.Privileges[0].Luid ) )
	{
		CloseHandle(hToken);
		return 1;
	}

	tp.PrivilegeCount = 1;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	if( !AdjustTokenPrivileges( hToken, FALSE, &tp, 0, (PTOKEN_PRIVILEGES)NULL, 0) )
	{
		CloseHandle(hToken);
		return 1;
	}

	CloseHandle(hToken);
	return 0;
}

[jjaa]

TLS index thing is now 0x8

ReadProcessMemory( hProcess, (LPVOID)(dwThreadStorage + 0x, (LPVOID)&dwObjManager, 4, &dwBytesRead );

and XYZ is

ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x7D0), (LPVOID)&X, 4, &dwBytesRead );
ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x7D4), (LPVOID)&Y, 4, &dwBytesRead );
ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x7D, (LPVOID)&Z, 4, &dwBytesRead );

Try that, it should work....i think

[divmaster]

PERFECT!!!!!!!!!!

Did you know that values or can i found them by my self?

AND..... i got a lot of GUID´s with its XYZ coordinates.

Can some gibe me a hint on how to get more details from this objects?

How could i find out what this objects are?

[jjaa]

PERFECT!!!!!!!!!!

Did you know that values or can i found them by my self?

AND..... i got a lot of GUID´s with its XYZ coordinates.

Can some gibe me a hint on how to get more details from this objects?

How could i find out what this objects are?

i suggest you read through Shynd’s WoW Modification Journal and search the forums, there is a lot of information on these forums

[charlie2025]

Hello,

divmaster > Good work, thank you..


But one question,

I have

Code:

		// Read ObjGuid and TYPE
		ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x30),	(LPVOID)&ObjGuid, 8, &dwBytesRead );
        ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x32),	(LPVOID)&type, 8, &dwBytesRead );
       
		// Read mana and HP
        ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x58), (LPVOID)&maxHealth, 4, &dwBytesRead );
        ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x5C), (LPVOID)&maxMana, 4, &dwBytesRead );
        
	    // Read entry
        ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x33), (LPVOID)&entry, 4, &dwBytesRead );
        
		// Read position
		ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x7D0), (LPVOID)&X, 4, &dwBytesRead );
        ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x7D4), (LPVOID)&Y, 4, &dwBytesRead );
        ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x7D8), (LPVOID)&Z, 4, &dwBytesRead ); 
        ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x7DC), (LPVOID)&O, 4, &dwBytesRead );

Position it reads well, but how to get offset of entry, type and maxHealth and maxMana ? on Clarification of Object Data « Shynd’s WoW Modification Journal I found some values, but they are outdated and don't work .. and from UpdateFields.h from Mangos, I couldn't search it..

[divmaster]

Maybe you can try these values....

CurrentHealthOffset = 0x17 * 4,
MaxHealthOffset = 0x1F * 4,
CurrentManaOffset = 0x18 * 4,
MaxManaOffset = 0x20 * 4,

[charlie2025]

Maybe you can try these values....

CurrentHealthOffset = 0x17 * 4,
MaxHealthOffset = 0x1F * 4,
CurrentManaOffset = 0x18 * 4,
MaxManaOffset = 0x20 * 4,

Doesn't work :/

[Nesox]

Doesn't work :/

hp = [[dwObjectBase + 0x08] + 0x17 * 4]
you need to acess one of the storage pointers to be able to get data out of the descriptors

[charlie2025]

I have it

Code:

		// Read ObjGuid and TYPE
		ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x30),	(LPVOID)&ObjGuid, 8, &dwBytesRead );
        ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x32),	(LPVOID)&type, 4, &dwBytesRead );
       
		// Read mana and HP
        ReadProcessMemory( hProcess, (LPVOID)((dwCurObject + 0x08) + 0x1F *4 ), (LPVOID)&maxHealth, 4, &dwBytesRead );
        ReadProcessMemory( hProcess, (LPVOID)((dwCurObject + 0x08) + 0x20 *4 ), (LPVOID)&maxMana, 4, &dwBytesRead );
        
	    // Read entry
        ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x33), (LPVOID)&entry, 4, &dwBytesRead );
        
		// Read position
		ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x7D0), (LPVOID)&X, 4, &dwBytesRead );
        ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x7D4), (LPVOID)&Y, 4, &dwBytesRead );
        ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x7D8), (LPVOID)&Z, 4, &dwBytesRead ); 
        ReadProcessMemory( hProcess, (LPVOID)(dwCurObject + 0x7DC), (LPVOID)&O, 4, &dwBytesRead ); 

 		 // Write
        npcfound(entry, maxHealth, maxMana, X, Y, Z, O);

and npcfound()

Code:

void npcfound(int entry, int maxHealth, int maxMana, float x, float y, float z, float o)
{
	printf("Found creature entry %d , (MaxHP %d , MaxMANA %d), position X:%f , Y:%f , Z:%f , O:%f \r\n", entry, maxHealth, maxMana, x,y,z,o);
}

But entry, maxhp and maxmana is always so high value

for example

entry - 805322464
maxhp - 52066770
maxmana - 520667701

[divmaster]

Do you have an idea on how to get the names of the objects? Not only the Type and GUID?

[Cypher]

Do you have an idea on how to get the names of the objects? Not only the Type and GUID?

Virtual function. GetObjectName.

[divmaster]

Ähhh :confused:

Where does that virtual funktion come from?

[arigity]

http://www.mmowned.com/forums/wow-me...ns-vtable.html

http://www.mmowned.com/forums/wow-me...s-3-0-9-a.html