Debugging wow - ASM [intro] need help menu

  1. #1 abuckau907 (Active Member)

    Debugging wow - ASM [intro] need help

    Intro: I came to the conclusion that unless I understand how to disassemble/reverse-engineer WoW, it wouldn't do any good to learn the offsets etc. you guys post if one day something changes a little and I can't fix it myself. So I figured my first step would be to set a breakpoint on my health_address(es) and check out the code that accesses it. Hopefully from looking at the code I can learn more about the object's structure in memory. But..I think I picked a bad chunk to start with because other bp's lead to code that uses mov fs[2c] (for TLS) so..I'll check that out tomorrow. Anyway, any comments on the chunk I did ..examine would be greatly appreciated.

    DMA Health
    1015BB30
    1015C3D4
    AUTOHACK bb30

    5C765C: mov [eax+edx*4],ecx

    'Function(ByVal esp,ecx) ?

    5c7650 push ebp
    5c7651 mov ebp,esp esp=19FB60
    5c7653 mov eax,[ecx+0x8]
    5c7656 mov ecx,[ebp+0xC] []=health_value
    5c7659 mov edx,[ebp+0x8] []=??some_multiplier 0-999ish
    5c765c mov [eax+edx*4],ecx []=health_addr


    ecx=1015ABA0

    ecx + 8 + [ebp+0x8]*4 = health_addr
    1015ABA8 + [esp+0x8]*4 = health_addr

    so far I can't tell much about any structure..ebp+0xc=health_value, but I don't know where
    ebp is being ..initialized, it might be significant like an object base_pointer, or might not.
    Same w/ ecx. So the next step might be to...find any code that JMPs to 5c7650?

    Again, thanks for any help.
    Last edited by abuckau907; 06-13-2009 at 09:56 AM. Reason: messed up..

  2. #2 lanman92 (Active Member)
    I would start by looking at the Lua functions. It's pretty simple once you realize the base functions (getobjbyguid, getlocalplayer...tostring...etc.). UnitHealth isn't very tough if I remember right. Get yourself IDA, also.

  3. #3 abuckau907 (Active Member)
    mm..will search later, but, quick question: the Lua functions, why are they useful to us? I mean..I know what they are, scripts to control game objects etc.. but, do you create a new thread, and then call the Lua_function w/ your own parameters or? Lol, I don't even know the basic theory. I'm not asking you to tell me anything specific, just an overview so I can decide if I'd rather investigate it now or keep doing what I'm doing. Thanks.

  4. #4 lanman92 (Active Member)
    Look up dostring on these forums. Use that to execute your Lua in-process (or through codecaves). It can execute ANY Lua function you want, even protected ones. So you can do cool stuff like write to the mouseoverGUID address, then call InteractUnit("mouseover"); and it will interact with that unit. Possibilities are endless.

  5. #5 abuckau907 (Active Member)
    DMA health
    101750F0
    10175994
    AUTOHACK 50F0

    5C4E1C: mov [esi+0xF90],edx


    5c4def int3
    5c4df0 push ebp
    5c4df1 mov ebp,esp
    5c4df3 mov eax,[ebp+0xC]
    5c4df6 push ebx
    5c4df7 mov ebx,[ebp+0x8]
    5c4dfa push esi
    5c4dfb push edi
    5c4dfc push 0x2DC
    5c4e01 push 0x9A21Bc
    5c4e06 push 0x8
    5c4e08 push eax
    5c4e09 push ebx
    5c4e0a call 0x007Be110
    5c4e0f mov esi,eax eax=10174160
    5c4e11 mov ecx,[esi+0xD0]
    5c4e17 mov edx,[ecx+0x44]
    5c4e1a mov eax,ecx eax=10175950
    5c4e1c mov [esi+0xF90],edx []=health_addr esi=10174160

    10174160 = object_base_pointer

    ecx=[object_base_pointer+0xD0] =_some_struct_pointer
    edx=_some_struct_pointer +0x44 = [current_health]

    obp+0xD0 = some_structure
    some_structure + 0x44 = [current_health] ''Health offset inside some wow_base_object.structure

    conclusion: eax is probably the wow_object_base_pointer (not ObjectManager, but an obj in its list)
    inside the wow_object struct is a pointer to some specific data ie. struct_PlayableChar_data
    and inside the struct_PlayableChar_data is a 'health' value at offset 0x44

    The call to 0x007Be110 used code like mov ecx, fs[2c] which is TLS...so I'm getting closer. Will follow that next time.

    *Cypher* You probably do a lot of disassembling, you ever look at these areas of code? Any of the same thoughts,..problems, etc?


    Maybe this is all wrong, and what I think are the pointers to structures are really just...not? haha, thanks guys.

    Edit: After looking more, I don't think that I'm near wow_object_base yet.. (at least after the call to 7be110), more likely
    a higher-level structure (lower? lol). By structures I mean wowObjectFields, wowUnitFields, wowPlayerFields, etc..since I started from the mov health_addr,value --> I should be in the most specific structure (which is..I don't know; looking into 7be110 should reveal more about structures? (ie. if it's going from TLS, it should say like object_base_pointer=xxx, wowObjectFields=xxx, etc.) I'm using the structure examples from http://www.mmowned.com/forums/wow-me...info-dump.html

    From that post..
    [WowUnitFields]
    ..
    UNIT_FIELD_HEALTH=0x17

    My understanding is that each object in the objectManager has a pointer to a structure that describes more data for the object
    I thought that for my character ..obj_base_pointer + some offset(s) = unit_field_type/entry, entry being the pointer to the actual data. Then entry + (according to the above unit_field_health) is 0x17, but in my code it's 0x44 --> so apparently the pointers in the code I'm looking at aren't the WowUnitField/wow_base_object pointers?

    Sorry about constantly updating the same post, hope this material isn't too commonly posted around the forum..lol, I looked but as you can see 1 of my eyes is broken

    ps. lanman92
    So you could do something like

    For Each guid In ObjectManager.guidList
        SetMouseOverGuid(guid)
        result = InteractUnit("mouseover")

        Select Case result
            Case 1
                'friendly
            Case 2
                'enemy 'just example..not actual values
            ..
        End Select
    Next
    and depending on if is enemy find more info (like location) ...etc..etc...Attack(guid) etc..etc..
    Last edited by abuckau907; 06-13-2009 at 06:56 PM.

  6. #6 Shynd (Contributor)
    Something like (pseudo-code):
    Code:
    foreach (Object obj in Objects)
    {
        WriteMemory(MOUSEOVERADDRESS, obj.GUID);
        // the Lua string needs its own quotes escaped and the call closed
        Lua_DoString("myreaction = UnitReaction(\"player\", \"mouseover\")");
        Console.WriteLine(GetLocalizedText("myreaction"));
    }
    (C# syntax)

    You'll have to find the addresses for Lua_DoString and GetLocalizedText, but I believe both are in the 3.1.3 dump thread somewhere. You'll also have to figure out how to execute code in WoW's context, but that's pretty well documented around here, also.

  7. #7 lanman92 (Active Member)
    To add onto this, it would be better to skip all the lua mess and just call the function without lua. No lua errors.

  8. #8 abuckau907 (Active Member)
    Hmm..so anyway, the only reason I'm disassembling is so I can 1) read objects and 2) read objects' properties (location, name, etc)..and as far as offsets...the offset for health I'm getting is object_base + &HF90, but...I thought it was supposed to be like...

    object_specific_data = object_base + OFFSET_to_specific_data

    _health = object_specific_data + OFFSET_to_health

    any thoughts?

  9. #9 lanman92 (Active Member)
    That's the way it is. There is such a thing as false results in Cheat Engine (not false, but something may seem a way that it's actually not). It's [[ObjBase + 0x8] + HEALTH_OFFSET * 4].

  10. #10 abuckau907 (Active Member)
    I don't use Cheat Engine..I've seen tuts. about finding base pointers in it..but never got it to work (CE says it can't go beyond 1x..2x? pointer to pointer) so I didn't bother trying to learn..but, is that where you guys are getting the offsets for things like a PlayerObject's health, a basicWowObjectInObjectManagerList's GUID (...or, am I wrong on this..and I know it's all over the forum..I've been checking this site 20x/day every day and I still apparently don't get it) but I thought that each object in the objManager's list has a guid...but then in some of the structs posted here some things have a second guid (not like... owner_guid..but a 2nd guid? - maybe that's just a new struct I need to learn about..or not, depending) but.. From what I thought there are a few basic structs (that I need at first..just starting lol) like wowBasicObject (objMgr's object..contains guid,type,next_obj), wowPlayerObject (characters...health, experience, etc)
    wowMobObject (basically a character..might even be..haven't learned yet..?)
    anyway..I can link through the objMgr and find my LocalPlayer and from that find all my stats (hp,mp,gold,etc) and that all works fine..but when I want to find out more about like..an npc, my structs are incomplete..so..how are you getting to the asm code you're getting to :P or..how is Cypher doing it ^o)

    mm..I guess there isn't a specific question here...I just need to research the structures better (I don't know the diff between a npc, mob, char, node, etc) any ideas? I guess my problem is..I see a list of offsets and a struct name..but I don't know which types of objects in-game are of which struct type :S I guess I should be able to piece it together from this forum, but..has anyone else been at this point and then..lol, how did you piece it? Do I need to try more debugging so I can learn the structs myself or just..try to copy/paste/try (sometimes ppl post offsets in decimal..and when they don't work I try making it hex not converting, just sticking 0x in front of the decimal...not working well thus far) from here? Well...you keep reading so I keep typing

    -Andrew
    Last edited by abuckau907; 06-17-2009 at 03:03 AM.

  11. #11 luciferc (Contributor)
    Btw cool tid bit on Asm

    You can make VS 2008 show you your program's asm and trace through it step by step. :P (To learn, of/c)

  12. #12 abuckau907 (Active Member)
    note: [] = structure/offsets as posted by boredevil at 'info dump 3.1.3 on the first page'

    How I handle Objects:

    Each basic object in the ObjMgr has a few basic properties
    BaseAddress
    NextBaseAddress
    UnitPointerAddress
    Guid
    Type
    XPos
    YPos
    ZPos
    Rotation

    But I don't think the x,y,z is correct :S Unless objects like spells just have 000 as location ?? Anyway, UnitPointerAddress is a pointer (baseAddress + to more specific data, like health. So for example in the basicObject's New Function, it calculates the nextbase, unitpointer, guid etc -->

    Then..as I'm looping through the ObjMgr I do a switch on the .Type (which is usually 1-7..when it's not, I assume it's the end of the ObjMgr and exit) and if npc or player then draw to radar (or whatever else I guess)

    So this all works --> I can get more specific information about players and npc and monsters (npc's? lol) such as CurrentHealth, MaxHealth, etc -->

    But now I need to know more about the structures..and the 3.1.3 info dump confuses me. For example:


    [WowObjectFields]
    ..GUID = 0x0
    ..Type=0x2
    I thought GUID was ObjectBase + &H30
    Type was ObjectBase + &H14

    .Type works, because when I only draw npc/players to radar image...they all show up correctly.

    Maybe my GUID's are wrong..maybe they should be memRead(_unitFieldsAddr + 0x0)
    instead of memRead(_base + &H30)

    BUT ..because of the radar working correctly, I'm 99.9% sure my TYPE is correct.

    [WowUnitFields]
    Health=0x17

    So..to calculate health my code is:

    _unitFieldsAddr = ReadUint32(objectBaseAddr + &H
    Health = ReadUint32(_unitFieldsAddr + &H17 * 4)



    so when I want to get a value for a 'higher' class (ie. !wowBasicObj)
    it's always

    .Property = MemRead(_unitFieldAddress + wowObjectTypeOffsets.property)
    ie
    .CurrentExp=MemRead(_unitFieldAddr+wowPlayerOBjectOffsets.Exp) (&h260 * 4)

    So I guess I REALLY don't understand why guid=0x0, type=0x2 when my code for GUID and Type is totally different, but is correct (or..works?) (Maybe all the GUIDs are wrong in my list but...it seems to work)? Any thoughts?

    [WowObjectFields]
    OBJECT_FIELD_GUID=0x0 - what? GUid=(base+0x30)
    OBJECT_FIELD_TYPE=0x2 - what? Type=(base+0x14)

    [WowUnitFields]
    UNIT_FIELD_HEALTH=0x17
    UNIT_FIELD_MAXHEALTH=0x1F
    UNIT_FIELD_LEVEL=0x35

    [WowPlayerFields]
    PLAYER_XP=0x260
    PLAYER_NEXT_LEVEL_XP=0x261
    [WowItemFields]
    [WowContainerFields]
    [WowGameObjectFields]
    [WowDynamicObjectFields]
    [WowCorpseFields]

    I haven't even tried the ones w/o info under them..I think that's about the stage I'm at..but I don't understand [wowObjectFields] guid/type

    The rest of the offsets work fine (assuming I use _unitPointeraddress + offset) so I'm...just confused Thanks for reading



    ps. ugkbunb, shut the **** up ..1) you didn't add anything helpful to this post 2) Personally, I program in vb.net and to rep. hex it's &H in front of the number...most of you guys use a C-like language which uses 0x instead, I *thought* --> (ie. &h14 = 20 decimal) I was using 0x in my examples as a 'syntax convenience' because most of you seem to use C-like languages. I could be wrong about 0x in C being the same as &H in vb.net, as I don't use C++ etc, but my code is in .net and the hex conversions work.
    By the way, it was more of a joke --> I was so frustrated w/ offsets I just started typing &H in front of all my decimals :P to see if it would work <-- not my strategy, more of a joke, and ...do you even code??? Hahahahaha, you probably go to that url every time you think you know what an offset is, expecting it to ReadProcessMemory or something else, you're not really sure, but it doesn't so you got AutoIt and the first AutoIt tutorial taught you incorrectly about numbers (I didn't understand number bases at first either..don't take it too hard) ..and then because *you* googled 'hacking wow' I have to read about how I don't know decimal from hex..god damnit. Yes, I'm a loser because I just spent 20 minutes flaming you in an online forum..but wtf
    Thanks for your help tho, I don't know what I would have done without your helpful post :|
    Last edited by abuckau907; 06-19-2009 at 06:24 PM. Reason: wasn't good enough
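    The address arithmetic lanman92 gives in #9 ([[ObjBase + 0x8] + HEALTH_OFFSET * 4]) and the ReadUint32 calls in #12 are the same x86 scaled-index pattern as the `mov [eax+edx*4],ecx` in #1. The following Python model is an added example, not code from this thread or from the game; it runs over a constructed memory region. The object address 0x10174160, the +0x8 pointer slot and the descriptor indices 0x17/0x1F/0x35 come from the thread, while the region layout, field values and helper names (ToyMemory, read_field, parse_offset) are assumptions; parse_offset also covers the 0x vs &H point from #12 to #14.

```python
import struct

# Descriptor indices from the 3.1.3 info dump quoted in the thread; the
# +0x8 slot is the pointer to the field array in lanman92's formula.
UNIT_FIELD_HEALTH = 0x17
UNIT_FIELD_MAXHEALTH = 0x1F
UNIT_FIELD_LEVEL = 0x35
DESCRIPTOR_PTR_OFFSET = 0x8


class ToyMemory:
    """Flat little-endian region at `base`; a constructed stand-in for
    ReadProcessMemory, not a real process image."""

    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def write_u32(self, addr, value):
        struct.pack_into("<I", self.buf, addr - self.base, value & 0xFFFFFFFF)

    def read_u32(self, addr):
        off = addr - self.base
        if not 0 <= off <= len(self.buf) - 4:
            raise ValueError(f"read outside mapped region: {addr:#x}")
        return struct.unpack_from("<I", self.buf, off)[0]


def scaled_index_address(array_base, index, scale=4):
    """Effective address of x86 [base + index*scale]; `mov [eax+edx*4],ecx`
    in post #1 stores to exactly this address with eax=array, edx=index."""
    return array_base + index * scale


def read_field(mem, obj_base, field_index):
    """[[ObjBase + 0x8] + field_index * 4]: follow the pointer, then index."""
    fields = mem.read_u32(obj_base + DESCRIPTOR_PTR_OFFSET)
    return mem.read_u32(scaled_index_address(fields, field_index))


def parse_offset(text):
    """C-style 0x.. and VB-style &H.. are the same hex value; bare digits are
    decimal. Prefixing 0x to a decimal string silently changes the number."""
    t = text.strip().lower()
    if t.startswith("0x") or t.startswith("&h"):
        return int(t[2:], 16)
    return int(t, 10)


def build_sample():
    """Constructed layout: object at 0x10174160 (an address quoted in #5) with
    its field array placed 0x1000 bytes later. The stored values are made up."""
    obj_base = 0x10174160
    fields = obj_base + 0x1000
    mem = ToyMemory(obj_base, 0x2000)
    mem.write_u32(obj_base + DESCRIPTOR_PTR_OFFSET, fields)
    mem.write_u32(scaled_index_address(fields, UNIT_FIELD_HEALTH), 4180)
    mem.write_u32(scaled_index_address(fields, UNIT_FIELD_MAXHEALTH), 5200)
    mem.write_u32(scaled_index_address(fields, UNIT_FIELD_LEVEL), 80)
    return mem, obj_base
```

    Reading a field outside the mapped region raises instead of returning garbage, which is the check a real ReadProcessMemory wrapper should also make before trusting a pointer it followed.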

  13. #13 Apoc (Angry Penguin)
    Originally Posted by abuckau907 View Post
    ps. ugkbunb, shut the **** up you retard..1) you didn't add anything helpful to this post 2) Personally, I program in vb.net and to rep. hex it's &H in front of the number...most of you guys use a C-like language which uses 0x instead, I *thought* --> (ie. &h14 = 20 decimal) I was using 0x in my examples as a 'syntax convenience' because most of you seem to use C-like languages. I could be wrong about 0x in C being the same as &H in vb.net, as I don't use C++ etc, but my code is in .net and the hex conversions work..Thanks for your help tho, I don't know what I would have done without your ever so helpful post :|
    Watch the flaming.

    0xCC == &HCC

    Same thing, different syntax.

  14. #14 ugkbunb (Member)
    Originally Posted by abuckau907 View Post
    ps. ugkbunb, shut the **** up ..1) you didn't add anything helpful to this post 2) Personally, I program in vb.net and to rep. hex it's &H in front of the number...most of you guys use a C-like language which uses 0x instead, I *thought* --> (ie. &h14 = 20 decimal) I was using 0x in my examples as a 'syntax convenience' because most of you seem to use C-like languages. I could be wrong about 0x in C being the same as &H in vb.net, as I don't use C++ etc, but my code is in .net and the hex conversions work.
    By the way, it was more of a joke --> I was so frustrated w/ offsets I just started typing &H in front of all my decimals :P to see if it would work <-- not my strategy, more of a joke, and ...do you even code??? Hahahahaha, you probably go to that url every time you think you know what an offset is, expecting it to ReadProcessMemory or something else, you're not really sure, but it doesn't so you got AutoIt and the first AutoIt tutorial taught you incorrectly about numbers (I didn't understand number bases at first either..don't take it too hard) ..and then because *you* googled 'hacking wow' I have to read about how I don't know decimal from hex..god damnit. Yes, I'm a loser because I just spent 20 minutes flaming you in an online forum..but wtf
    Thanks for your help tho, I don't know what I would have done without your helpful post :|
    Wow. Such a hate-filled post... First off, common flaming etiquette calls for the use of complete sentences. It hurts my brain trying to read what you wrote. Honestly tho, I was just attempting to point out something I saw as laughable. But hey, you said it was "more of a joke," one I did not pick up on, so let's just leave it at that.

    Anyways... glad I could be of some help... wouldn't want you just slapping 0x in front of everything in a failed attempt to get things to work.
