[help] 4 missing offsets

[mordok]

Well, I decided to hunt all adresses, descriptors and any othe value that my bot use by searching them in wow.exe with IDA. I managed to find all except 4, so I decided to go over through all the threads that were related with object manager. Unfortunately only found the values and what they are, but not how they are obtained.

I know theres plenty of threads where you can find this values.

Code:

localGuid = 0xC0;
curObj = 0xAC;
cGUID = 0x30;
nextObj = 0x3C;

but I im trying to do an IDA script that will auto dump them, but I cant find em in IDA.

Could please someone tell me the adress where each of this 4 appear, in the same sort of way that if somone asked me where does the g_clientConnection appear in 3.1.0 I would answer here:

Code:

.text:007BBA29                 mov     ecx, g_clientConnection

so I could do an IDA script dumper for them.

[lanman92]

I think you can find those values in the GetObjByGUID function. Not sure though.

[mordok]

I know that this values remain the same...I think ^^. Is not knowing the values what im looking for. What I really want is how to find em in IDA, ill check GetObjGuid tomorrow just in case.

[wraithZX]

If you use GetObjectByGUID, follow that object's VMT function 9 for position, and function 48 for name. Both zero-starting.

[mordok]

I just realized that I also have to search for the x, y, z and rotation.

[KuRIoS]

I just realized that I also have to search for the x, y, z and rotation.

those have been given away here on the forum afaik tho

[mordok]

those have been given away here on the forum afaik tho

Is not the values what Im looking for . I know those are posted on 3.1.0 cypher´s thread. What I want to know is how to search em myself in IDA ^^

[BTW your avatar really makes my day, <3 it!]

[YetiHunter]

GUID and ID are the same, although Obj_name and xyz changed and Im pretty sure 0xAC is the same, I ran my object manager and it went through the objects fine, But only gave me GUID and ID correctly... Plz do post if anyone does know tho.

Could you post your offsets please? My OM ran through all objects, but the guids i'm reading don't match my targetguid or my localguid =(

[SKU]

Is not the values what Im looking for . I know those are posted on 3.1.0 cypher´s thread. What I want to know is how to search em myself in IDA ^^

[BTW your avatar really makes my day, <3 it!]

VMT is your friend.

[[pBase] + 4 * 9] = GetPosition( &WOWPOS )

Code:

.text:0056C1B0 PWOWPOS         = dword ptr  8
.text:0056C1B0
.text:0056C1B0                 push    ebp
.text:0056C1B1                 mov     ebp, esp
.text:0056C1B3                 mov     ecx, [ecx+0D8h]
.text:0056C1B9                 push    esi
.text:0056C1BA                 mov     esi, [ebp+PWOWPOS]
.text:0056C1BD                 lea     eax, [ecx+10h]
.text:0056C1C0                 push    eax
.text:0056C1C1                 push    esi
.text:0056C1C2                 call    sub_79CA30
.text:0056C1C7                 mov     eax, esi
.text:0056C1C9                 pop     esi
.text:0056C1CA                 pop     ebp
.text:0056C1CB                 retn    4

This function does not yet give us all the offsets we need, what
we know now: eax = ecx + 0x10 = [ecx + 0xD8] + 0x10, and this pointer
is the second argument for the call to sub_79CA30.
The first argument is the pointer to the WOWPOS struct.

.text:0079CA30                 push    ebp
.text:0079CA31                 mov     ebp, esp
.text:0079CA33                 mov     edx, [ecx+8]
.text:0079CA36                 sub     esp, 40h
.text:0079CA39                 push    esi
.text:0079CA3A                 mov     esi, [ecx+0Ch]
.text:0079CA3D                 mov     eax, edx
.text:0079CA3F                 or      eax, esi
.text:0079CA41                 jnz     short loc_79CA60
.text:0079CA43                 mov     ecx, [ebp+PSTRUCT]
.text:0079CA46                 mov     edx, [ecx]
.text:0079CA48                 mov     eax, [ebp+PWOWPOS]
.text:0079CA4B                 mov     [eax], edx
.text:0079CA4D                 mov     edx, [ecx+4]
.text:0079CA50                 mov     [eax+4], edx
.text:0079CA53                 mov     ecx, [ecx+8]
.text:0079CA56                 mov     [eax+8], ecx
.text:0079CA59                 pop     esi
.text:0079CA5A                 mov     esp, ebp
.text:0079CA5C                 pop     ebp
.text:0079CA5D                 retn    8

ecx = pSomeStruct + 0x10
then edx = [ecx], or edx = [ecx + 0x0]
and then edx is moved to the first member of the
WOWPOS struct, so this has to be x.

Then + 0x4 to point to the next member of the struct,
move y into the struct, etc.

This results in:
[[PlayerBase + 0xD8] + 0x10 + 0x0] = x
[[PlayerBase + 0xD8] + 0x10 + 0x4] = y
[[PlayerBase + 0xD8] + 0x10 + 0x8] = z

The rotation is much easier

.text:0056C1D0                 mov     ecx, [ecx+0D8h]
.text:0056C1D6                 fld     dword ptr [ecx+20h]
.text:0056C1D9                 push    ecx             ; float
.text:0056C1DA                 fstp    [esp+4+var_4]
.text:0056C1DD                 call    sub_79C9B0
.text:0056C1E2                 retn

[[PlayerBase + 0xD8] + 0x20] = r

Hope I didn't make any mistakes, rushed it a bit.

[mordok]

very nice example sku the only problem is that I use the object manager method (g_clientConnection + s_curMgr).

I go through the object manager like this A= Read(g_clientConnection), B = Read(A + s_curMgr) C = READ( B +curObj) and if it dosent match what I looking for I do C = Read( B+nextObj) till I get the one I want.

After I just objGUID = Read(C + cGUID) and finally objGUID + offset_X to find X coord.

Your example is great, thou I dont use player base : ( . So I guess that ill have to do what you showed in your example but starting in a different function (Its going to be a long way from the g_clienConnection to the X, not shure if this is the path to follow).

[Shynd]

Why would you use an object's unique ID (GUID, which is a 64-bit integer) as a pointer? It is useful for nothing other than identifying that object. You use player/object base address, you just don't know it because you don't understand what you're doing.

[Xzibit]

Why would you use an object's unique ID (GUID, which is a 64-bit integer) as a pointer? It is useful for nothing other than identifying that object. You use player/object base address, you just don't know it because you don't understand what you're doing.

well you can interact with a unit with its GUID, but besides that ya, I would only use it to make sure i dont store the same object twice in my array[] , thanks for the example sku, make consider that.

[mordok]

YES I DID A MISTAKE POSTING THE ABC EXAMPLE!!!!!! I was posting my get X by guid method and since I rushed it I made a mistake with the variable names, sorry for that.

The idea behind that was... I give the GUID as an argument to my method getObjectByGuid and the method works his way throught the object manager (starting at curObj =Read(Read(Read(g_clientConnection)+s_curMgr)+0xAC ) then finding each of the object guids "cGUID"(curObj+0x30) to compare them to the one I passed on the argument "objGUID" and if they are != do curObj = nexObj being nextObj Read(curObj+3C) to do again the same comparison. Whereas if the comparison gaved as result == I would return that object meaning that, thats the object corresponding to the guid I passed in the argument.

Ill then use my method getObjectsPositon passing as argument the object obtained in the other method to eventually do
Read(objectObtained + 0x7D0) to obtain X. Same for Y = 0x7D4 , Z = 0x7D8 , and Rotation = 0x7DC.

Note that that where the 3.0.9 values.

But anyway thats solved and is not an issue now. Its obvious that Im not a fraction of what u are at RCE (Shynd), but im trying ^^.

Im happy with how my bot its working (walks, finds & kills 100% what I wanted, and in fact thanks to you ^^).

What I want now Its to stop leeching the adresses and offsets from the forum each patch.

I mangaged to discover all the ones I use except the ones highlighted in orange and localGuid = 0xC0 (that I use to find my own GUID Read(Read(Read(g_clientConnection)+s_curMgr)+0xC0 )). I just want to be able to search them in IDA each patch. Dont get me wrong never expected to understand it 100% just wanted someone with a powerfull knowlage to post me the exact place where I can get those values just like SKU DID(BTW Thanks a lot sku), but for the method I use.

Anyway please dont be mean Shynd (I <3 U). If anyone knows where those values come and would like to explain me how to find em in IDA im listening and willing to work as hard I can to understand it.

[mordok]

Help with finding the WOWObject structure in IDA and how to rip the offsets from the GetObjectByGuid, would be a lovely place to start ; ).

[Shynd]

Try finding and putting a breakpoint on GetObjectByGUID and then calling something like '/script UnitName("player")' in-game. Your breakpoint should get triggered, then you can single-step through code execution, paying LARGE attention to things that look like offset, like [r32+0x30] or whatever (where r32 is EAX, ECX, EBP, or any other 32-bit register). May have to trigger your breakpoint and follow the code execution flow quite a few times until you get a good grasp of what's going on, but don't be discouraged. You can also use "mouseover" instead of "player" and mouse-over different types of units... objects, players, units, etc. Just play around with it until you're comfortable with the offsets associated with GetObjectByGUID, then try it with other subroutines as well. Lots of information to be learned out there.