[WoW] [3.1.1] General Information menu

  1. #1
    Cypher's Avatar Kynox's Sister's Pimp

    [WoW] [3.1.1] General Information

    3.1.1 is upon us.

    Info:
    **** all has changed.
    Globals have not changed in location, at all (or at least, none that I use). Page alignment ftw!
    Functions have generally moved by a static amount. Find the lowest and highest boundaries for your functions, calculate the amount from neighbours, confirm, and just 'automate' the update process with some basic addition.
    Descriptors, dbcs, etc are all the same as 3.1.0. Just use the dumps I posted in the 3.1.0 thread.

  2. #2
    Nesox's Avatar ★ Elder ★
    thanks for the heads up

  3. #3
    goderion's Avatar Active Member
    Many thanks for the Info!

    Could someone up the binary?

    PS: @Cypher
    youtube.com/watch?v=E5iUvpjii14
    lohol, nice good song ^^
    Last edited by goderion; 04-21-2009 at 09:39 AM.

  4. #4
    Cypher's Avatar Kynox's Sister's Pimp
    http://dl.getdropbox.com/u/74751/Wow-311.7z

    Should be online in a few mins.

  5. #5
    Nesox's Avatar ★ Elder ★
    thanks for the binary, guess it hits EU on Wednesday as usual

  6. #6
    Zephir's Avatar Member
    hey fellows,

    i understand you are unwilling to deal with peanuts all the time, but still, i hope there is someone who can help me.

    by now i am pretty familiar with the object structure in wow and can navigate through player and npc objects without problems. however i just cannot find the place where rogues store their combo points.

    for some reason i remember the points being stored somewhere from power1 to power7 in the object struct. so i went and checked... negative. also tried the current target... nada.

    so i decided to do it oldschool and started CE, searched for unknown value, "casted" Sinister Strike, and checked for increased value.... nothing!

    Now I'm lost. Anybody have an idea?

    thank you guys! You rock!

  7. #7
    Robske's Avatar Contributor
    "Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live." - Martin Golding
    "I cried a little earlier when I had to poop" - Sku

  8. #8
    FenixTX2's Avatar Active Member
    Thanks for the heads up.

    Although, does anyone know the BaseAddress offset value for player names?
    I've been looking for ages and using Cheat Engine but still haven't found a thing.

    Thanks.

  9. #9
    SKU's Avatar Contributor
    This has been discussed a million times.

    3.1.0 General info thread:
    jjaa:

    virtual const char * GetObjectName() = 0; //Function 48

  10. #10
    FenixTX2's Avatar Active Member
    Ahh, thanks very much.

  11. #11
    FenixTX2's Avatar Active Member
    I'm not sure if this will be of any help to anyone, but here is the exact location from which to grab your target's name: 0x2E9E99E8 //string

  12. #12
    Zephir's Avatar Member
    tried to PM you, didn't work. i guess my rep is not high enough?^^

    i guess you meant i should look in IDA for aGetComboPoints? I did and found quite something.

    link to IDA Screenshot

    however i am still very bad at this. you know i was hoping to find an address to begin with like when searching for TlsIndex. But i didn't.

    What would be the first step? A small hint maybe?

    I appreciate your time and effort. Thank you.

    Zephir

  13. #13
    SKU's Avatar Contributor
    You are at the right place, you'll just have to follow the calls.

    Anyway: byte_11CCFD9

  14. #14
    Zephir's Avatar Member
    yes i've followed every single call possible ... always ended up in some subroutine that did not call anything.

    maybe i am wrong, but i have been looking for something like this:

    Code:
    mov     edx, byte_11CCFD9

    hope anyone's got another hint for me. in the meantime I'll keep searching

  15. #15
    SKU's Avatar Contributor
    Olly -> Search for all constants -> 11CCFD9 :P

    I'll leave A LOT out, heading straight to the combopoints, this is not a good example of how to do it properly. :-P

    Code:
    .text:006A39A0 GetComboPoints

    first interesting thing:

    Code:
    .text:006A39B5                 test    eax, eax
    .text:006A39B7                 jnz     short loc_6A39CE

    If eax is 0, the function will clean up and exit -> not interesting for us,
    so we land here:

    Code:
    .text:006A39CE loc_6A39CE:

    Some lua stuff I don't feel like reversing..
    until:

    Code:
    .text:006A3A09                 call    sub_7B7C20

    What does this function do?

    Gets the object manager, then:

    Code:
    mov     eax, [ecx+0C0h]
    mov     edx, [ecx+0C4h]
    retn

    [s_curMgr+0xC0] = lp_guid_low
    [s_curMgr+0xC4] = lp_guid_high

    So this function gives us the localplayer guid (on eax,edx)
    or twice 0 if something bad happened.

    Code:
    jnz     short loc_6A3A62

    One way leads to GetObjectByGuid ( with our guid ), the other, well I didn't look, because getting the localplayer sounds interesting.

    Then it compares the result with EDI, and then either continues or jumps to

    Code:
    loc_6A3A4A:
    mov     ecx, [ebp+var_4]
    mov     edx, [ebp+var_8]
    push    ecx
    push    edx
    call    0x6E1D40 ; interesting
    movzx   eax, al
    mov     [ebp+var_4], eax
    fild    [ebp+var_4]
    jmp     short loc_6A3A91

    after that it jumps to the end of the function, does a pushnumber (woot) and returns.

    let's take a closer look at this:

    call 0x6E1D40

    Code:
    006E1D40                /$  55               PUSH EBP
    006E1D41                |.  8BEC             MOV EBP,ESP
    006E1D43                |.  8B45 08          MOV EAX,[ARG.1]                                           ;  Wow.<ModuleEntryPoint>
    006E1D46                |.  8B4D 0C          MOV ECX,[ARG.2]
    006E1D49                |.  8BD0             MOV EDX,EAX
    006E1D4B                |.  0BD1             OR EDX,ECX
    006E1D4D                |.  75 0B            JNZ SHORT Wow.006E1D5A
    006E1D4F                |.  A1 38CF1C01      MOV EAX,DWORD PTR DS:[11CCF38]
    006E1D54                |.  8B0D 3CCF1C01    MOV ECX,DWORD PTR DS:[11CCF3C]
    006E1D5A                |>  3B05 28D01C01    CMP EAX,DWORD PTR DS:[11CD028]
    006E1D60                |.  75 0F            JNZ SHORT Wow.006E1D71
    006E1D62                |.  3B0D 2CD01C01    CMP ECX,DWORD PTR DS:[11CD02C]
    006E1D68                |.  75 07            JNZ SHORT Wow.006E1D71
    006E1D6A                |.  A0 D9CF1C01      MOV AL,BYTE PTR DS:[11CCFD9]
    006E1D6F                |.  5D               POP EBP                                                   ;  kernel32.7C817077
    006E1D70                |.  C3               RETN
    006E1D71                |>  32C0             XOR AL,AL
    006E1D73                |.  5D               POP EBP                                                   ;  kernel32.7C817077
    006E1D74                \.  C3               RETN

    As you can see, every jump taken ( except for the first ) leads to:
    xor al,al

    However if no jump is taken:

    Code:
    006E1D6A                |.  A0 D9CF1C01      MOV AL,BYTE PTR DS:[11CCFD9]
    006E1D6F                |.  5D               POP EBP                                                   ;  kernel32.7C817077
    006E1D70                |.  C3               RETN

    There you go. I left out A LOT..
    a) because I didn't care (got what I wanted)
    b) luaengine is creepy
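
The routine at 006E1D40 from the listing in post #15, rendered as C to make its control flow explicit. This is an added example, not part of the original thread: the struct, its field names (taken from the addresses in the listing) and the sample values are hypothetical and constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the globals the listing reads, named after
   their addresses. No meaning beyond what the listing shows is assumed. */
struct globals {
    uint32_t g_11CCF38, g_11CCF3C; /* loaded when both arguments are zero */
    uint32_t g_11CD028, g_11CD02C; /* pair that EAX:ECX is compared against */
    uint8_t  g_11CCFD9;            /* byte returned in AL on a full match */
};

/* C rendering of 006E1D40..006E1D74; arg1/arg2 are [ARG.1]/[ARG.2]. */
uint8_t sub_6E1D40(const struct globals *g, uint32_t arg1, uint32_t arg2)
{
    uint32_t eax = arg1, ecx = arg2;

    /* MOV EDX,EAX / OR EDX,ECX / JNZ: the first jump only skips the
       substitution, which is why it is the exception noted in the post. */
    if ((eax | ecx) == 0) {
        eax = g->g_11CCF38;
        ecx = g->g_11CCF3C;
    }
    /* Two CMP/JNZ pairs: a mismatch in either half lands on XOR AL,AL. */
    if (eax != g->g_11CD028 || ecx != g->g_11CD02C)
        return 0;
    return g->g_11CCFD9;           /* MOV AL,BYTE PTR DS:[11CCFD9] */
}

/* Constructed sample states (not values from a real process). */
static const struct globals MATCHING  = { 0x1234, 0xF130, 0x1234, 0xF130, 3 };
static const struct globals DIFFERENT = { 0x9999, 0xF130, 0x1234, 0xF130, 3 };

int main(void)
{
    printf("%u\n", (unsigned)sub_6E1D40(&MATCHING, 0x1234, 0xF130));
    printf("%u\n", (unsigned)sub_6E1D40(&MATCHING, 0, 0));
    printf("%u\n", (unsigned)sub_6E1D40(&DIFFERENT, 0, 0));
    printf("%u\n", (unsigned)sub_6E1D40(&MATCHING, 0x1234, 0));
    return 0;
}
```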
