[Guide] Finding "ObjectManager" "Patterns"

[vulcanaoc]

Hai guys,

So I thought I'd write up a short guide on how to dynamically locate WoW's game object linked list. (aka CurrentManager, ObjectManager, etc.) This guide will not yield copy-pasta-able code.

The results are version-independent, as long as WoW's function for creating the current manager does not change. I know that it will work from 3.0.9 to 3.1.3

We start at WoW's "CreateCurMgr" function. This is located at 0x7C0740 in 3.1.3. Scrolling down through the ASM a bit, we run into the following:

Code:

007C0787 - 33 c0                      - xor eax,eax
007C0789 - 8b 0d fc d9 35 01          - mov ecx,[0135d9fc]
007C078F - 64 8b 15 2c 00 00 00       - mov edx,fs:[0000002c]
007C0796 - 8b 34 8a                   - mov esi,[edx+ecx*4]
007C0799 - 8b 0d 80 9f 13 01          - mov ecx,[01139f80]
007C079F - 89 81 34 2c 00 00          - mov [ecx+00002c34],eax
007C07A5 - 8b 15 80 9f 13 01          - mov edx,[01139f80]
007C07AB - 89 86 10 00 00 00          - mov [esi+00000010],eax
007C07B1 - 89 90 d0 00 00 00          - mov [eax+000000d0],edx

Specifically, the two lines that will yield the required information to acquire the linked list's base are:

Code:

007C0799 - 8b 0d 80 9f 13 01          - mov ecx,[01139f80]
007C079F - 89 81 34 2c 00 00          - mov [ecx+00002c34],eax

The first line loads the address pointed to by 0x1139F80 into the ECX register. The second line loads the value of EAX into the address pointed to by ECX + 0x2C34. Both 0x1139F80 and 0x2C34 will change depending on the version of WoW being examined.

So let's dynamically locate them using patterns! This is how I create patterns:

When creating patterns, it is best to mitigate the chances of not finding the correct addresses because some little thing has changed. This requires a brain, and some analysis of the ASM. Below is the code with everything that *could* change replaced with XX's:

Code:

007C078F - 64 8b 15 XX XX XX XX       - mov edx,fs:[XXXXXXXX]
007C0796 - 8b 34 XX                   - mov esi,[XX]
007C0799 - 8b 0d XX XX XX XX          - mov ecx,[XXXXXXXX]
007C079F - 89 81 XX XX XX XX          - mov [ecx+XXXXXXXX],eax
007C07A5 - 8b 15 XX XX XX XX          - mov edx,[XXXXXXXX]

This leaves us with the following patterns:

Code:

Pointer: 64 8B 15 XX XX XX XX 8B 34 XX 8B 0D [4 bytes holding what we want] 89 81
Offset: 64 8B 15 XX XX XX XX 8B 34 XX 8B 0D XX XX XX XX 89 81 [4 bytes holding what we want] 8B 15

The patterns overlap quite a bit. This shouldn't be a problem unless the pattern scanner being used cannot handle overlapping.

Hope this can help at least one person out!

Credits:
Lbot //for the 3.0.9 pattern which led me to all of this.

[flo8464]

Thanks for it, got some other question regarding that function.

I am pretty sure its a __cdecl call and I need to call it with 1 argument.

But what is that argument?

I tried it by just passing a zero, my result at least looked valid but WoW crashed immediatly after doing it.

Edit: Or does it create a new Objmgr struct/object instead of returning the address of the objectmanager used? Would at least explain the crash.

[lanman92]

That function initializes the pointers to the objectmanager. You just have to read from them to get the OM.

[flo8464]

That function initializes the pointers to the objectmanager. You just have to read from them to get the OM.

Well, I was just hoping there are smoother way than pointer reading if I am already in-Process. But ok, I ll do that.

[lanman92]

Use DWORD_PTRs. It's practically direct ASM, and faster than calling a function.

[vulcanaoc]

Well, I was just hoping there are smoother way than pointer reading if I am already in-Process. But ok, I ll do that.

I can't think of any, and I haven't tried. AFAIK WoW doesn't have any dedicated function to simply "get" the object manager list.