my process for locating dwStorage (descriptor array) offset

[namreeb]

When I started writing this post, it was going to be to ask for help, but as I gathered my thoughts while I wrote it things started to go better. I figured I'd post my results for the benefit of other people in my position.

I've been trying to update the object structure for 3.1.2 using the WoWX framework. I'm at the point where the dll injects succesfully and some of the events/hacks/etc function. There are also many crashes because the internal structure is out of date.

At this point, I am trying to find out what the proper offset into the game object class the pointer to the descriptor array (called dwStorage in WoWX) should be.

To try and find it, I thought I would start by finding the array itself, then search for the array's location to narrow it down. To find the array, I copied my char's GUID from OllyDbg, which if I target myself should be located at array+0x30. Since it is a level 1 gnome warrior, the toon has 50 health. This means I can expect a value of 50 to be located at array+0x44 (the 0x30 and 0x44 are taken from descriptor dumps for 3.1.2 posted by mordok in another thread). To be thorough I also included the max health value, also 50 (0x32). This resulted in the following search string:

Code:

B8 61 CC 02 00 00 00 05 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 32 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 32 00 00 00

The search turned up a single hit at 0x19A31AA8, which means the array should be located at 0x19A31AA8 - 0x30 or 0x19A31A78.

I now search for 781AA319 in OllyDbg and find 0x19A30358. This is (hopefully) the address of dwAddress (NOT the address referenced by it) for the local toon. To test for this, somewhere 'nearby' above this address I should find my GUID again, showing up in OllyDbg as 'B8 61 CC 02 00 00 00 05'. Before I can even click the search button, I see this value at 0x19A302B8. This is (again, hopefully) the location of the wGuid private member of the game object class, and it means that dwAddress is offset from wGuid by 0x19A30358 - 0x19A302B8 or 0xA0.

Now, I know from a previous (and even more horrendous trial-and-error) process that the offset of wGuid into the class is 0x30. And yes, this is what it was in the most recent released version of WoWX, but I had no reason to think it would be when I went through the process.

So, we know that the wGuid is object+0x30 and dwAddress (finally!) is object+0x30+0xA0 or object+0xD0.

Our new relevant code is:

Code:

private:
	unsigned char bUnknown[0x30-0x8];			// 0x0008 - 0x0030
	WGUID wGuid;						// 0x0030 - 0x0038
	unsigned char bUnknown2[0xD0-0x38];			// 0x0038 - 0x00D0
	unsigned long dwStorage;				// 0x00D0 - 0x00D4
	unsigned long dwStorage2;				// 0x00D4 - 0x00D8
	unsigned long dwInputControl;				// 0x00D8 - 0x00DC

Voila, GetKnownField et al now function as they should!

[tesserajk]

I have been looking at this for the last couple days attempting to figure it all out. Thanks for sharing your success to help the rest of us

[Bobbysing]

I'm a bit sad that you didn't post it on GD to contribute something back.. I would've told you then that you've only found the storage for units, but can't access all the other fields..

[namreeb]

/sadface...

Actually my reasoning was that it did not need to be posted in both places and from what I've read of the GD forums most people there should know how to do this already. Especially given your "finding stuff" thread.