[3.1.2] Some Changes...Few Static updates...

[HapaHaoleVA]

I'm late to the party, but here's a couple:

<Offset>
<Name>LuaGetState</Name>
<Address>0x004997B0</Address>
</Offset>
<Offset>
<Name>LuaThreadLock</Name>
<Address>0x00499720</Address>
</Offset>

[testout]

100 is a big jump. You can do this, but you'll just shoot into the sky, then probably die after you jump.

Have you not seen the gold sellers spelling their website in dead bodies in Orgrimmar? :P

[ostapus]

Bad luck @ everyone who got banned for the TextSegEnd modification. Then again, LOTS of people were using it afaik.

hmm, any hints how to work out this check ?

[Robske]

hmm, any hints how to work out this check ?

Dereference it / make the check function always return true.

[ostapus]

Dereference it / make the check function always return true.

mm, maybe i stated myself wrong - as i understand, warden is now checking for modification of that function (the one which checks if pointer is out of code seg space). so, how to bypass warden check and at the same time alter function.

[namreeb]

I believe Warden has it's own VMT. Set a hardware on-access breakpoint in OllyDbg for the TextSegEnd address (listed earlier in this thread), find the address of the calling function, and locate it in the VMT. I think you need only insert a hooked function into its slot in the VMT which always returns true.

[Shynd]

Or, you could search through the Wow.exe code segment for a series of 0xCC that is > 6 bytes long. Write "PUSH MyFunction; RETN" to one of those series of INT3s and register it as your function callback. It's in the text segment so it passes the out of scope check, and I don't think it's being looked for at the moment. Don't know if they're CRCing the text segment or not, though.

[Overon]

Lasttarget = 0x011D3F70

You can simply write a GUID in it and send the key for "Target Last Target" @ WoW.

[kynox]

Or, you could search through the Wow.exe code segment for a series of 0xCC that is > 6 bytes long. Write "PUSH MyFunction; RETN" to one of those series of INT3s and register it as your function callback. It's in the text segment so it passes the out of scope check, and I don't think it's being looked for at the moment. Don't know if they're CRCing the text segment or not, though.

Only during the authentication process.

[namreeb]

Code:

SetFacing:0x005AFA10

Not sure what to do with this. As stated in an older thread, I call this function yet nothing happens.

Code:

		unsigned long sf = 0x005AFA10;
		float rad = 0.0;
		CGObject_C *p = gpWoWX->GetCurMgr()->GetLocalPlayer();

		DBGLOG("Calling SetFacing at 0x" << std::hex << sf);

		_asm
		{
			mov ecx, p
			push rad
			call sf
		}

		DBGLOG("Done.");

I've done this while stationary and while moving. My character does not rotate.

[skra]

has anyone found the new pointer to the cameradata? i'd have a look myself, but i am hardly below the surface of all this RE stuff =(

[goderion]

has anyone found the new pointer to the cameradata? i'd have a look myself, but i am hardly below the surface of all this RE stuff =(

Maybe this is a good start to look for it:
0x006C3740 (GetCamera)

[Nesox]

Not sure what to do with this. As stated in an older thread, I call this function yet nothing happens.

Code:

        unsigned long sf = 0x005AFA10;
        float rad = 0.0;
        CGObject_C *p = gpWoWX->GetCurMgr()->GetLocalPlayer();

        DBGLOG("Calling SetFacing at 0x" << std::hex << sf);

        _asm
        {
            mov ecx, p
            push rad
            call sf
        }

        DBGLOG("Done.");

I've done this while stationary and while moving. My character does not rotate.

try declare a typedef for it. I havent tried that code but i think it should work. Also i had some problem when trying to get it to work it wouldn't use my float and therefor allways turn the same way

Code:

typedef int ( __stdcall *tSetFacing)(float* angle);
tSetFacing SetFacing = (tSetFacing)0x005AFA10;

[namreeb]

Thank you. I will try that in the morning and post my results.

Edit: Nope. Same result. Nada! In fact, now my hw on-execute breakpoint is not even being triggered.

[SKU]

SetFacing works fine for me, just tested it.

typedef void (__thiscall * tSetFacing)(void* lp, float angle);
tSetFacing oSetFacing = (tSetFacing)0x005AFA10;

then call it somewhere:

oSetFacing(reinterpret_cast<void*>(GetLocalPlayer()), 1.337f);

This is if you don't have a reconstructed player class.