WoW Classic Era 1.15.3, Object Manager / Object Traversal / Offsets

**Geneditor** · 08-27-2024

Hi everyone,

I'm am trying to get myself a another grinding bot working after a few years. I found that a couple of things have changed in WoW Classic, and I can't find good information on the recent client.

What I managed to do so far:

- dumped wow memory using scylla
- found object manager by searching for "Object manager list status" string with IDA
- by inspecting the code around "Object manager list status", I was able to iterate through "active objects" (as a string suggests)

Where I am stuck at:

- I am confused about how to properly iterate through objects, there seem to be different ways
- where to find the unit descriptor, object type, object guid, unit position, health etc.
- ida fails to completely understand the dumped binary, for example "UnitHealth" and nearly all other lua API procedures seemed to be messed up

Do you guuys have any recent information? I'll be sharing my information along the journey.

**Geneditor** · 08-27-2024

Update:

I was able to find the TargetGUID:

In IDA find the UnitHealth function, followd the first branch -> follow the second function -> follow the first function.

This function is a whole bunch of string compares ("targt", "player", "pet", ...), follow the branch with the "target" string compare, and you will find the target guid.

**Geneditor** · 08-28-2024

This is how I can count active objects. Seems to work (at least I get a reasonable number which changes when I walk around in the game), but I missing any offsets into the object, e.g. for guid or unit attributes. Any help?

Code:

Int64 objMgr = memoryReader.Read<Int64>(offsets.objectManager + imageOffset);
Int64 first = memoryReader.Read<Int64>(objMgr + 0x120);
Int64 current = first;

uint activeObjectCount = 0;

while (true)
{
current = memoryReader.Read<Int64>(current);
if (current == first) break;
activeObjectCount++;
}

I would also appreciate some tips on how to analyze the obfuscated code!

**Geneditor** · 08-28-2024

Update:

Did some memory scanning trying to find the target guid in one of the active objects, and I found two offsets that seem to return the
guid of an object. The two guids do not always match though, this might be due to some stale objects beeing in the list?

Code:

                uint activeObjectCount = 0;

                while (true)
                {
                    current = memoryReader.Read<Int64>(current);
                    if (current == first) break;
                    activeObjectCount++;

                    var entry = memoryReader.Read<IntPtr>(current + 0xf8);
                    var guid0 = memoryReader.Read<Guid>(entry + 0x0);
                    var guid1 = memoryReader.Read<Guid>(current - 0x50);


                    System.Console.WriteLine("Guid 0: " + guid0 + (guid1.Equals(targetGuid) ? "<-" : ""));
                    System.Console.WriteLine("Guid 1: " + guid1 + (guid1.Equals(targetGuid) ? "<-" : ""));
                }

Code:

TargetGUID: 43980470302598-2328932753397035072
Guid 0: 0-2328932753397035072
Guid 1: 4611686025361824436-887706105847742464
Guid 0: 0-887706105847742464
Guid 1: 4611686025361824437-887706105847742464
Guid 0: 0-887706105847742464
Guid 1: 4611686025361824438-887706105847742464
Guid 0: 0-887706105847742464
Guid 1: 4611686025361824439-887706105847742464
Guid 0: 0-887706105847742464
Guid 1: 4611686025361824440-887706105847742464
Guid 0: 0-887706105847742464
Guid 1: 4611686025361824441-887706105847742464
Guid 0: 4440742097011553785-887706105847742464
Guid 1: 0-1731075504817045504
Guid 0: 4440742097011553785-1731075504817045504
Guid 1: 0-1731075779694952448
Guid 0: -4660387851982012417-1731075779694952448
Guid 1: 0-1731076054572859392
Guid 0: 4440742097011553785-1731076054572859392
Guid 1: 43980470254283-3193623881857921408
Guid 0: 43980470300048-2328932753397035072
Guid 1: 43980470300048-2328932753397035072
Guid 0: 43980604472017-2328932753397035264
Guid 1: 43980604472017-2328932753397035264
Guid 0: 43980470276006-2328932753397035072
Guid 1: 43980470276006-2328932753397035072
Guid 0: 43980470300314-2328932753397036288
Guid 1: 43980470300314-2328932753397036288
Guid 0: 43980470283810-2328932753397036096
Guid 1: 43980470283810-2328932753397036096
Guid 0: 43980520585937-2328932753397036096
Guid 1: 43980520585937-2328932753397036096
Guid 0: 43980470302186-2328932753397035072
Guid 1: 43980470302186-2328932753397035072
Guid 0: 43980470276694-2328932753397035200
Guid 1: 43980470276694-2328932753397035200
Guid 0: 43980470300288-2328932753397035200
Guid 1: 43980470300288-2328932753397035200
Guid 0: 43980470254289-2328932753397043008
Guid 1: 43980470254289-2328932753397043008
Guid 0: 43980470254289-2328932753397754176
Guid 1: 43980470254289-2328932753397754176
Guid 0: 43980470276725-2328932753397035200
Guid 1: 43980470276725-2328932753397035200
Guid 0: 43980512197329-2328932753397044544
Guid 1: 43980512197329-2328932753397044544
Guid 0: 43980470254288-2328932753397032064
Guid 1: 43980470254288-2328932753397032064
Guid 0: 43980470300303-2328932753397035200
Guid 1: 43980470300303-2328932753397035200
Guid 0: 43980495420113-2328932753397044544
Guid 1: 43980495420113-2328932753397044544
Guid 0: 43980520585936-2328932753397044544
Guid 1: 43980520585936-2328932753397044544
Guid 0: 43980470302145-2328932753397035072
Guid 1: 43980470302145-2328932753397035072
Guid 0: 43980470302160-2328932753397035072
Guid 1: 43980470302160-2328932753397035072
Guid 0: 43980470254289-2328932753397035584
Guid 1: 43980470254289-2328932753397035584
Guid 0: 43980470302395-2328932753397036096
Guid 1: 43980470302395-2328932753397036096
Guid 0: 43980470302598-2328932753397035072<-
Guid 1: 43980470302598-2328932753397035072<-
Guid 0: 43980470302776-2328932753397035072
Guid 1: 43980470302776-2328932753397035072
Guid 0: 43980470303172-2328932753397035200
Guid 1: 43980470303172-2328932753397035200
Guid 0: 43980470303188-2328932753397036288
Guid 1: 43980470303188-2328932753397036288
Guid 0: 43980470303198-2328932753397035200
Guid 1: 43980470303198-2328932753397035200
Guid 0: 43980478691003-2328932753397036096
Guid 1: 43980478691003-2328932753397036096
Guid 0: 44038747-599475729696030720
Guid 1: 44038747-599475729696030720
Guid 0: 43980470301999-2328932753397035072
Guid 1: 43980470301999-2328932753397035072
Guid 0: 43980470303313-2328932753397035008
Guid 1: 43980470303313-2328932753397035008
Guid 0: 43980470303323-2328932753397035072
Guid 1: 43980470303323-2328932753397035072
Guid 0: 43980470303219-2328932753397035200
Guid 1: 43980470303219-2328932753397035200
Guid 0: 43980470302437-2328932753397036288
Guid 1: 43980470302437-2328932753397036288
Guid 0: 43980470303209-2328932753397036288
Guid 1: 43980470303209-2328932753397036288
Guid 0: 68719476738-2328932753397036288
Guid 1: 2473827253968-2473827253968
Active objects: 45

**xzidez** · 08-29-2024

It seems like your guid1 is what I used. This is how I grabbed it.

First aggregate the wowobjects.

Code:

        var current = Marshal.ReadIntPtr(objMngr + (nint)Offsets.ObjectManager.FirstObject);
        var first = current;


        while (current != IntPtr.Zero)
        {
            list.Add(new WoWObject(current - 0x68));
            current = Marshal.ReadIntPtr(current);


            if (current == first)
            {
                break;
            }
        }

Then you will find the Guid at wowobject + 0x18. (128 bit)

**Geneditor** · 09-01-2024

Update:

- I am still trying to reverse the obfuscated code in IDA
- based on the idea of Ferib: Reversing Common Obfuscation Techniques, I am able to recover reveal the control flow

I am still running into a few issues.

For example "mov some_register, [rbp + some_value]". My understanding is, that IDA thinks that in example below, "+18h" is not a function parameter? Does anyone have an idea what's going on and how to fix this?

Code:

sub_7FF6221A4390 proc near

var_20= qword ptr -20h
var_18= byte ptr -18h
arg_8= qword ptr  28h
arg_10= qword ptr  30h
arg_18= qword ptr  38h
arg_20= byte ptr  40h
arg_13840FA0= dword ptr  13840FC0h
arg_482B7C60= byte ptr  482B7C80h

push    rbp
push    rbx
push    rdi
mov     rbp, rsp
....

and then later

rbp_18.PNG

**Razzue** · 09-11-2024

Nothings really changed in classics object manager, all the code I have posted for classic wow is 100% still valid and usable.

Also, why manually count active objects? Manager + 0x10 == active objects. Manager + 0x120 = enum vis objects offset, so you can just loop read 0x0 from there (subtract 0x68 from read pointer to get entity pointer)

**Geneditor** · 09-16-2024

After getting a bit more familiar with IDA again, I managed to reverse everything myself. Here is my bot in action. If anyone is interested, PM me.

**Geneditor** · 09-20-2024

I am going to leave this here, in case it helps anyone:

Code:

{
  "CURRENT_TIME": "0x35D3E30",
  "CORPSE_RECOVERY_DELAY": "0x3924C84",
  "PLAYER_GUID": "0x380D8B0",
  "TARGET_GUID": "0x35D4398",
  "MOUSE_OVER_GUID": "0x3924D78",
  "CORPSE_POSITION": "0x3366B58",
  "OBJECT_MANAGER": "0x38C5420",
  "COOLDOWNS": "0x335F560",
  "ACTION_USABLE": "0x393049C",
  "ACTION_NOT_ENOUGH_POWER": "0x39303AF",
  "ACTION_SPELL_ID": "0x392FC90"
}

Shout-Out

User Tag List

Thread: WoW Classic Era 1.15.3, Object Manager / Object Traversal / Offsets

Thread Tools

Search Thread

WoW Classic Era 1.15.3, Object Manager / Object Traversal / Offsets

Similar Threads

[Selling] WoW Classic era 60 NE druid alliance FIREMAW EU

[Selling] Classic ERA Account Shop | Over 25+ Accounts | Lifetime Warranty | Daily Updated | WoW Classic ERA

[Buying] WTB Wow Classic Era Gold

[Buying] ⭐[10+ Years][RPGStash.com] Buying & Selling WoW / WoW Classic Era Gold🔥 24/7 ONLINE 🔥

[Selling] WoW Classic FullGeared rogue 15/17bis with COLLECTOR CLASSIC wow key BNET

OwnedCore Forums

casino

CoreCoins

My OwnedCore

About Us

Casino