It's most likely a jmp patch or the like. Look at it in Olly and check.
Connection offset = 0x0125A590
Session key offset (40 byte value k) = [0x0125A590] + 0x508
EDIT: Had it for the PTR build lol, Cromon is right.
Last edited by Clain; 08-10-2009 at 02:07 AM. Reason: had offset for PTR build... forgot to update :/
ClientConnection is 0x125A590 for me, Clain, but the session key is cc + 0x508, yes.
Can anyone please help me with the camera address and offset? I never seem to be able to find it myself ;( . With that said, can anyone give me some pointers as to where to look? I guess the biggest problem for me is that I do not really know when they are used by WoW (which Lua func etc.), as I myself only use them to convert 3D->2D.
No offsets is correct =/
Last edited by Sel3n; 08-10-2009 at 12:51 PM.
Damn, anyone found a working M2 clip yet?
Here's the original M2 clip code...
Code:
0075CBB2 |. 52            |PUSH EDX                            ; /Arg1
0075CBB3 |. 8BCF          |MOV ECX,EDI                         ; |
0075CBB5 |. E8 F6D2FEFF   |CALL WoW.00749EB0                   ; \Wow.00749EB0
0075CBBA |. 84C0          |TEST AL,AL
0075CBBC |. 74 17         |JE SHORT WoW.0075CBD5
0075CBBE |. 8B45 FC       |MOV EAX,DWORD PTR SS:[EBP-4]
0075CBC1 |. 8B4D F8       |MOV ECX,DWORD PTR SS:[EBP-8]
0075CBC4 |. 50            |PUSH EAX                            ; /Arg3
0075CBC5 |. 51            |PUSH ECX                            ; |Arg2
0075CBC6 |. 57            |PUSH EDI                            ; |Arg1
0075CBC7 |. 8B7D 10       |MOV EDI,DWORD PTR SS:[EBP+10]       ; |
0075CBCA |. 8D45 98       |LEA EAX,DWORD PTR SS:[EBP-68]       ; |
0075CBCD |. E8 1EF9FFFF   |CALL WoW.0075C4F0                   ; \Wow.0075C4F0
0075CBD2 |. 83C4 0C       |ADD ESP,0C
0075CBD5 |> 8B15 EC652C01 |MOV EDX,DWORD PTR DS:[12C65EC]
0075CBDB |. 8956 2C       |MOV DWORD PTR DS:[ESI+2C],EDX
0075CBDE |> 8B45 08       |MOV EAX,DWORD PTR SS:[EBP+8]
0075CBE1 |. 8B00          |MOV EAX,DWORD PTR DS:[EAX]
0075CBE3 |. 03C3          |ADD EAX,EBX
0075CBE5 |. 8B58 04       |MOV EBX,DWORD PTR DS:[EAX+4]
0075CBE8 |.^E9 57FFFFFF   \JMP WoW.0075CB44
0075CBED |> 5F            POP EDI
0075CBEE |. 5E            POP ESI
0075CBEF |. 5B            POP EBX
0075CBF0 |> 8BE5          MOV ESP,EBP
0075CBF2 |. 5D            POP EBP
0075CBF3 \. C3            RETN
It seems to freeze WoW instantly after passing through an M2 object, sometimes crashing WoW completely. If anyone else has the 3.1.3 binary, it'd be great to post it so we can fix this.
I'm on my laptop out of town so I only have Olly and limited binaries... and 3.1.3 isn't one of them. Let me know if anyone already fixed this.
Look in the sticky
@Overflow: (I'm new at this, but I think...)
I don't know anything about the camera data (I'm guessing it has an x, y, z, rotation, and pitch?). Anyway, have you ever found a mem. address in RAM before? Like, if you know your health is 420, search for 420. The program will find a LOT of addresses, so you change your health amount and then refine the search. Eventually you'll get 1 address where the data is stored (for example, camera pitch is stored at static 0x1111). Assuming you can find mem. addresses, set a breakpoint on it (you might find more than one) and see what code reads/writes from that location.
You don't need to know which Lua functions use it; once you set a bp you'll see which functions use it. Then it's a matter of looking at the functions that use it and seeing if you can figure out what you need. (Again, I don't use camera stuff, so I don't know, just general ideas.)
I don't think I really explained it well enough, but it's kind of hard without writing every detail, esp. not knowing how much you know / if you don't know asm very well (I don't :P). Anyway, if you PM me with a more specific question I can try to help you out. I'm new to debugging/asm, but I understand *some* basics. I can teach... not really much, but I've found super easy things like LocalPlayer_HealthOffset, etc. If you're past that, nvm!
abuckau907: thanks for the answer. I do know a few ways to find stuff by reversing or simply searching in memory. The problem is that I do not know what to search for. I have no idea what the pitch, x, y, z or zoom are at any given moment, so I can't search for them.
- my 3.1.3 M2 clip
Code:
.text:005068B0 push ebp
.text:005068B1 mov ebp, esp
.text:005068B3 push ecx
.text:005068B4 test [ebp+arg_C], offset unk_F0000F
.text:005068BB push ebx
.text:005068BC push esi
.text:005068BD push edi
.text:005068BE jz loc_506977
.text:005068C4 mov eax, [ebp+arg_0]
.text:005068C7 mov eax, [eax+8]
.text:005068CA test al, 1
.text:005068CC jnz short loc_5068D2
.text:005068CE test eax, eax
- my 3.2.0 M2 clip
Code:
.text:0075CA30 push ebp
.text:0075CA31 mov ebp, esp
.text:0075CA33 push ecx
.text:0075CA34 test [ebp+arg_C], offset unk_F0000F
.text:0075CA3B push ebx
.text:0075CA3C push esi
.text:0075CA3D push edi
.text:0075CA3E jz loc_75CAF6
.text:0075CA44 mov eax, [ebp+arg_0]
.text:0075CA47 mov eax, [eax+8]
.text:0075CA4A test al, 1
.text:0075CA4C jnz short loc_75CA52
.text:0075CA4E test eax, eax
.text:0075CA50 jnz short loc_75CA59
That's what I have found. In 3.1.3 I write my value at 0x005068BE and this works, but in 3.2.0, when I write my value at 0x0075CA3E, this crashes wow.exe =O
Code:
==============================================================================
World of WarCraft (build 10192)

Exe:      C:\Users\Public\Games\World of Warcraft\WoW.exe
Time:     Aug 11, 2009 6:45:14.058 PM
User:     Principal
Computer: PC-HOME
------------------------------------------------------------------------------

This application has encountered a critical error:

ERROR #132 (0x85100084) Fatal Exception
Program:   C:\Users\Public\Games\World of Warcraft\WoW.exe
Exception: 0xC0000005 (ACCESS_VIOLATION) at 001B:0075D28A

The instruction at "0x0075D28A" referenced memory at "0x70AACF33".
The memory could not be "read".
sick! =)
PS: between 3.1.3 and 3.2.0 I changed my language (AutoIt to C#), but after testing in 3.1.3 this isn't a C# writing error, because it works on 3.1.3 \o/
It's August and I work in a summer camp, I don't have time to search for this =/
Otherwise, WallClimb and Scale have not changed:
WallClimb => pBase + 0x858
Scale => pBase + 0x98
Last edited by Sel3n; 08-11-2009 at 11:57 AM.
@Overflow: What are you using to debug? I use TSearch and ArtMoney. Depending on the software you use, it should have more options for 'search' other than just 'exact value'. For example, you could search for a range (0-360) (which is slow). Even better: TSearch (I think? AM?) has a secondary 'filter' search and you can do options like 'has decreased', 'has increased', 'has not changed', 'has changed' etc. So if you know you haven't changed the camera angle, use 'has not changed'. For example, when you go from an FPS view to an over-the-top view the value is either increasing or decreasing (not sure personally, but there's only 2 options so it's not hard to guess/brute-force). I haven't tried it yet, adding other stuff to the bot first, but that should help.
I hear TSearch is detected from way back in the day. I'm new to reading/writing memory so I don't know much about anything. After TSearch didn't show WoW in the process list, I loaded up Permedit and now I can see wow.exe using TSearch. The thing is, I typed something in WoW's chat window, searched for it, and didn't come up with anything useful. I moved on to using MHS, which is "Memory Hacking Software" by L. Spiro. The program works nicely, shows wow.exe in the process list and it shows the memory location of something I typed in WoW. The problem is, the memory location it displays doesn't match up with the current 0x010CCB94 that is the first location for storing WoW's chat log.
After doing uint 0x010CCB94 + 0-59 * 0x17C0 and displaying all of those in a message box that equal an actual number, I still get nothing that MHS has displayed. MHS shows, with this search, 5 locations where the string I typed into WoW is located. Nothing adds up.
Math is my strong point. On a scale of 1-10 I rate myself a strong 8, and that is me being modest. I'm pulling my hair out here. Can I get some pointers on using any of these memory scanning tools, or a link with literature on another tool?
I program in C#, which isn't as easy as C++ from what I hear for doing what I want to do, but I'm not looking for easy, nor hard. C# is what I'm learning and what I'm going to stick with. Did I just get off subject? I want to know about memory reading tools ffs!
FIGURED IT OUT!! GG, tried Olly and it worked a lot better than TSearch. Things add up now!
Last edited by donth8me; 08-12-2009 at 10:14 PM.
The new offset for water walking is 0x006D46C4, tested and approved!