[Mac][3.2] Finding the object list & reading object names

[flukes1]

It's often been said that there's no static pointer to WoW's object list on the Mac, but I've found one that works (for patch 3.2.0a, anyway):

OBJECT_LIST_LL_PTR = 0x1255A6C

The value at [[OBJECT_LIST_LL_PTR] + 0x1C] points to the head of the object list. This changes every time the game world is loaded, but it's easy to detect that and act accordingly.

Once you have that pointer, iterating through the list is easy. It seems to be similar to, but not exactly the same as, many of the other linked lists WoW uses internally.

The base list is a repeating structure of 3 int32s which looks like this:

0x0: should be 0x18, if not, you've reached the end
0x4: pointer to an object + 0x18
0x8: pointer to another object

One thing to watch out for is that many of the object pointers will be erroneous and will need to be ignored by your code, but I'll leave that problem to you.

Unfortunately this list doesn't actually contain every object in range of the player. In fact, quite often the player object itself will be missing. After scanning the initial list of object pointers (as above), your code needs to examine each object individually - each object contains a pointer to the 'next' object in memory at [object base + 0x34].

With all of that in mind, it's fairly simple to implement a kind of 'depth scan' which can find every object in memory. It may not be as fast as hooking WoW directly, but it's certainly safer & more practical on OS X, and is fast enough for my needs (I have a Python class which can read the entire list in <50ms).

Object Names

One common requirement is to read the names of nodes, NPCs and other players around you. This is a real pain in the arse because WoW keeps names separate from the base object structures.

Nodes: there's a structure at [object base + 0x408] containing the node name at 0x90 (e.g. Copper Vein) as a nul-terminated string.

Units: there's a structure at [object base + 0x95C] containing the unit name at 0x5C and description at 0x4 (e.g. Alanura Firecloud, Poisons & Reagents), again as nul-terminated strings.

Players are more complicated. WoW stores player and guild names in linked lists. You have to scan through these lists to find what you need. Player names are associated by GUID, and guild names are associated by guild ID. You'll need these:

PLAYER_NAMES_LL_PTR = 0x151C2C4
GUILD_NAMES_LL_PTR = 0x151C224

Reading these lists is very similar to reading the object list, with a few subtle differences which I'll let you discover for yourself.

Hope this helped someone.

[Cypher]

Often been said? By who??

Of course there has to be a pointer to it somewhere otherwise how the f*ck would WoW access it, lol.

[flukes1]

Often been said? By who??

Of course there has to be a pointer to it somewhere otherwise how the f*ck would WoW access it, lol.

Excellent point. I could be wrong but I'm sure I've seen a few posts saying something to that effect. "Often" would be the wrong word, so I retract that.

Pocket Gnome scans WoW's entire memory space for \x88\xae\xbf\x00 and I can't imagine they do that without reason to believe there's no static pointer? Perhaps it was more difficult to find in previous patches, who knows.

[Cypher]

Excellent point. I could be wrong but I'm sure I've seen a few posts saying something to that effect. "Often" would be the wrong word, so I retract that.

Pocket Gnome scans WoW's entire memory space for \x88\xae\xbf\x00 and I can't imagine they do that without reason to believe there's no static pointer? Perhaps it was more difficult to find in previous patches, who knows.

Rofl. Epic.

[suicidity]

They scan for a Pattern, because finding a pattern usually survives across multiple patches.

Then you don't have to manually update the static address Every patch; Removes some of the work.

[Tanaris4]

This is true, after version 2.4.3 GO/myself were unable to find a static pointer (and we stopped looking). Thanks for this post, will take a peak when I can actually fire up wow :-)

[Tanaris4]

@flukes1 any insight as to reading the player names? I've noticed there are generally ~4 memory addresses once you hit the actual player name struct.. seems to be.. go to the address -0x4 and you'll find the lowGUID, then you can compare the full GUID 0x1C more.

But I'm not sure which of the 4 addresses I should actually be using to move forward, sometimes the address points to something that is 0x4 or 0x8 past where the struct actually starts, and sometimes it points back to the object list.

Any ideas?

[flukes1]

Yeah, those linked lists are difficult to interpret. Have a look at my Python code (http://www.mmowned.com/forums/wow-me...nfinished.html), specifically constructs.py. In there is some code for iterating through a linked list in WoW's memory. My algorithm seems to work, it's just quite slow. I did write a version which strips out duplicates using an index, but scrapped it as Python wasn't fast enough to make it worthwhile.

Unfortunately name reading will always be a weak area for out-of-process memory tweaking until someone can write code which scans these DBs like WoW does (ala DbNameCache_GetInfoBlockById). For now, feel free to use & improve mine.

[Tanaris4]

Thanks this is very helpful, did you implement signature scanning? Just saw the search screenshot.

[flukes1]

It has a regex scanning function (many magnitudes faster than byte comparison in Python), which searches a given memory section. For example you can limit the search to segments of memory which have been assigned by malloc.

[Tanaris4]

Any idea how to determine what segments of memory functions are listed in? (my thoughts were to just look @ the start/end function list in IDA Pro - this is correct right?)

[flukes1]

In Mach-O executables, code is contained within __TEXT segments (.text on Windows). Odd naming convention, but there you go.

[Tanaris4]

:: delete meh ::