[WoW][3.3.3] Info Dump Thread

[mnbvc]

3.3.3a:

Code:

enum LUA
{
	DoString = 0x4B32B0,
	GetLocalizedText = 0x5CAE50,
	EnumVisibleObjects = 0x80E410,
	ClntObjMgrObjectPtr = 0x80E690,
	ClntObjMgrGetActivePlayer = 0x80D0E0,
	GetGUIDByKeyword = 0x6D0D40
};

documentation on how to find this stuff when apoc is too slow at posting the dumps :P

DoString:
search for "runscript" in the strings window and follow the xref

Code:

      if ( *(_BYTE *)v1 )
        sub_4B32B0(v1, v1, *(_DWORD *)&off_A930B4);

0x4B32B0


GetLocalizedText:
"spelltargetunit"

last lines:

Code:

    sub_4D9BB0(v8, &v9, 97, -1, -1, 0);
    nullsub_4(&v9);

follow sub_4D9BB0

Code:

      || ((v16 = sub_4CE050(a2), sub_559E20(&v72, 64, "%s_PET", v16), !v10) ? (v17 = sub_4B3DE0(&v72, -1, 0),
                                                                               v62 = 1024,
                                                                               v57 = v17,
                                                                               v53 = &v70) : (v62 = 1024,
                                                                                              v57 = sub_5CAE50(&v72, -1),
                                                                                              v53 = &v70),

0x5CAE50


EnumVisibleObjects:
"targetnearestenemy"

Code:

    v1 = sub_98A140(a1, 1, 0);
    sub_725E60(v1, 1);
    dword_C53484 &= 0xFFFFFFDFu;

follow sub_725E60

Code:

      dword_C4EC60 = 0;
      dword_C4EC64 = 0;
      dword_C4EC68 = 0;
      dword_C4EC6C = a2;
      sub_722570(0);
      sub_80E410(sub_724A10, v6);

0x80E410


ClntObjMgrObjectPtr, ClntObjMgrGetActivePlayer and GetGUIDByKeyword:
"unithealth"

Code:

    v10 = 0;
    v5 = (char *)sub_488F90(a1, 1, 0);
    v9 = 0i64;
    sub_6D0D40(v5, (int)&v9, 0);
    v8 = v9;
    v3 = sub_80E690(v9, 8);
    v4 = v3;

GetGUIDByKeyword: 0x6D0D40
ClntObjMgrObjectPtr: 0x80E690

follow sub_6D0D40

Code:

LODWORD(v4) = sub_80D0E0();

ClntObjMgrGetActivePlayer: 0x80D0E0

[YetiHunter]

thanks alot +Rep

[Nonal]

I guess - yes, for each new connection there is new seeds.

3.3.3 add two new args in in crypto initalization fn - char *arg_seeds and int args_seeds_sz
for first connection its a zero, and client uses static seeds.
but for second connection - it nonzero and client uses it INSTEAD of static seeds.

Thanks abdula123, I got it working following your advice.
Indeed, according to assembly new c/s seeds are passed through auth challenge and only used in case we have to dynamically reconnect - provision for dynamic balancing of realm frontends ? - the other code path defaults to standard hardcoded seed. I am really wondering why hardcoded seeds have been kept in the code since we always go through an auth message.

This gives us:

Code:

		case SMSG_AUTH_CHALLENGE:
			GETINT32(hash1,pos);
			GETINT32(hash2,pos);
			for(i=0;i<32;i++) {
				GETINT8(providedSeed[i],pos);
			}
			break;

[XTZGZoReX]

Code:

		case SMSG_AUTH_CHALLENGE:
			GETINT32(hash1,pos);
			GETINT32(hash2,pos);
			for(i=0;i<32;i++) {
				GETINT8(providedSeed[i],pos);
			}
			break;

This is probably wrong.

AFAIK, they're 2 seeds consisting of 4 random uint32 each.

[Nonal]

This is probably wrong.

Well I can assure you it works...

AFAIK, they're 2 seeds consisting of 4 random uint32 each.

Which is indeed 32 bytes. Depend how we look at this array: 32byte seed (at connection level) or 2x16 bytes seeds for Inbound/Outbound half-duplex

Anyway, I agree to your naming point, and I have split arrays for better clarity.

Code:

		case SMSG_AUTH_CHALLENGE:
			//hexdump(pos,len);
			GETINT32(hash1,pos);
			GETINT32(hash2,pos);
			GETBYTES(inboundSeed,pos,16);
			GETBYTES(outboundSeed,pos,16);
			break;

Edit: I found your wowpacketparser while digging through your posts, that's great work ! I will read it tonight to check we are in sync on packets.

[XTZGZoReX]

Yeah, I just meant the representation of the data. Your reading was fine.