How to find Tls slot for wowObjects?

[masho]

I found in the forum, WOW 2.4 TLS Example by Zombie911

I'am trying to use it in the actual version of wow, but some of the offsets are too old.
The question that i have is how to find the Tls slot of the wowObjects linked list?
how did someone find that the tsl slot index for the wowObject list was 0xE7DA2C?

Code:

const DWORD TIB_ptr = (int)BasicInformation.TebBaseAddress;
		
		DWORD TLS_index;
		DWORD TLS_ptr;
		DWORD TSL_slot;
		
			
		if( !mem->_dword(0xE7DA2C, &TSL_slot	) )				return false;
		if( !mem->_dword(TIB_ptr+0x2c, &TLS_ptr	) )				return false;
		if( !mem->_dword(TLS_ptr+(TSL_slot*4), &TLS_index) )	return false;
		if( !mem->_dword(TLS_index+16, &ObjectBasePtr) )		return false;
		if( !mem->int64(TLS_index+8, &playerGUID) )				return false;

[schlumpf]

When dissassembling WoW with IDA, it should mark these lines automatically:

009B75EC 00 60 38 01 TlsDirectory dd offset TlsStart
009B75F0 18 60 38 01 TlsEnd_ptr dd offset TlsEnd
009B75F4 C8 0C 2F 01 TlsIndex_ptr dd offset TlsIndex
009B75F8 40 E8 92 00 TlsCallbacks_ptr dd offset TlsCallbacks
009B75FC 00 00 00 00 TlsSizeOfZeroFill dd 0
009B7600 00 00 00 00 TlsCharacteristics dd 0

Alternatively: Look at GetLocalPlayerGUID or something similar and see:

0046C230 mov ecx, large fs:2Ch
0046C237 mov eax, TlsIndex
0046C23C mov edx, [ecx+eax*4]
0046C23F mov ecx, [edx+8]

Which is exactely the same as

TIB_ptr = (int)BasicInformation.TebBaseAddress;
mem->_dword(TIB_ptr+0x2c, &TLS_ptr)
mem->_dword(TLS_ptr+(TlsIndex*4), &base)
mem->int64(base+8, &playerGUID)

[masho]

i did notice a TlsIndex on ida but didn't think that was related with what i wanted, many thanks!

[mordok]

Humm, im lost again ^^. Let me please ask you somthing? In the past using shynds blog I managed to build a bot, but now since theres a new version of the game all my static pointers are useless.
I was using Kynox g_clientConnection, s_curMgr, and a static adress to TargetsGUID.

So here is the question how can I find with IDA (coz I searched for months this forums without any good answer) the g_clientConnection, s_curMgr. (or any other way of accesing the Object manager)
would It be possible to obtain it through TLSindex provided by IDA?

Code:

.data:012F0CC8 TlsIndex        dd ?                    ; DATA XREF: sub_46C160+13r
.data:012F0CC8                                         ; sub_46C1A0+9r ...

So what ill love to know is how to search with IDA the exact values for g_clientConnection static, s_curMgr offset, rather than just pull them out from this forum.
(soz for my english not native speaker ^_^ )

[lanman92]

Check the XRefs to that address(the TlsSlot). You should find the GetObjByGUID Func. Inside it it will show you the s_curMgr and g_clientConnection. It's kind of obvious. Having the old version to compare to the new version of WoW will make it easier to see. Download the archive of wow.exe's from the sticky.

[mordok]

I still fail. I think I need a step by step for dummies explaination the sort of one with screen captures and labels, thou I understand this might be too much to ask. : (

I see the cross-references to the TlsIndex(39 lines) thou I dont know how I can figure which one is the GetObjByGUID Func.

Screen capture of my IDA http://img22.imageshack.us/img22/6751/26439979.jpg

[Cypher]

I still fail. I think I need a step by step for dummies explaination the sort of one with screen captures and labels, thou I understand this might be too much to ask. : (

I see the cross-references to the TlsIndex(39 lines) thou I dont know how I can figure which one is the GetObjByGUID Func.

Screen capture of my IDA http://img22.imageshack.us/img22/6751/26439979.jpg

How? Its called reverse engineering.

[mordok]

Now I can see the form the example above.

GetLocalPlayerGUID

Code:

0046C230 mov ecx, large fs:2Ch
0046C237 mov eax, TlsIndex
0046C23C mov edx, [ecx+eax*4]
0046C23F mov ecx, [edx+8]

Would you be so kind to post me in this sort of fashion the GetObjByGUID , pointing out the s_curMgr and g_clientConnection so I could learn ^^ .

[lanman92]

Just a hint, the GetObjByGUID() func is used a TON in lua functions... FYI. That should help a lot. It's quite obvious actually.

[jjaa]

Your after the object manger, my understanding is that the object manager is created when the world is loaded. So look if we look at

.text:00403060 LoadNewWorld

we see at 0x00403105, call ClntObjMgrCreate
look at ClntObjMgrCreate and you should see:

.text:00470529 mov ecx, TlsIndex
.text:0047052F mov edx, large fs:2Ch
.text:00470536 mov esi, [edx+ecx*4]
.text:00470539 mov ecx, dword_11CB310
.text:0047053F mov [ecx+28A4h], eax

So 0x011CB310+ 0x28A4

[mordok]

1st thanks to all the ones who helped me!!!, 2nd I found it, at last!!!

I think this are the correct values.

Screen capture
http://img12.imageshack.us/img12/3033/bingok.jpg

Ill test this values, as soon as I beat my new enemy....FINDING targetGUID which im not quite sure about, but I think ill figure it out soon. (in 3.0.3 it was targetGUID = 0x010A58B8; )

[mordok]

Thanks Jjaa that answer was posted while I was posting mine XD. But thank you anyway + you've teached me another way to locate the object manger. Im sure this kind of posts could help many others ; )

Here I leave the new targetGUID and how to find it, so that many other can enjoy like me ^^.
http://img12.imageshack.us/img12/3452/targetguid.jpg

Now I only need to find where the values of this babys camed from

Code:

curMgr_FirstObject =  0xAC 
curMgr_PlayerGUID = 0xC0 
 
Object Offsets 
object_GUID = 0x30 
object_NextObject = 0x3C 
object_Type = 0x14 

offset_X = 0x7D0;
offset_Y = 0x7D4;
offset_Z = 0x7D8;
offset_R = 0x7DC;

and ill be able to sleep again like a baby myself ; )

[Apoc]

You've been given plenty of information, and code to complete what you want.

Go read the section rules before posting again.

First, and final warning. Next time it's infractions.