3.3.5a 12340 Offsets menu

  1. #46
    macintelk's Avatar Member
    Dark, do you have a clue what might be the check at 0081922E ?

    and how to test it ?

    Code:
    ; Start of sub_819210 as posted. The listing stops at the first call, so the rest of the
    ; function is not shown here.
    .text:00819210 ; Attributes: bp-based frame
    .text:00819210
    .text:00819210 sub_819210      proc near               ; CODE XREF: sub_4DD490+30p
    .text:00819210                                         ; sub_510B30+35p ...
    .text:00819210
    .text:00819210 var_4           = dword ptr -4
    .text:00819210 arg_0           = dword ptr  8
    .text:00819210 arg_4           = dword ptr  0Ch
    .text:00819210 arg_8           = dword ptr  10h
    .text:00819210
    .text:00819210                 push    ebp
    .text:00819211                 mov     ebp, esp
    .text:00819213                 push    ecx                     ; reserves the 4-byte stack slot addressed as var_4
    .text:00819214                 add     dword_D413A0, 1         ; bumps a global counter; ZF is set when the result is 0
    .text:0081921B                 mov     eax, dword_D4139C
    .text:00819220                 mov     [ebp+var_4], eax        ; var_4 = value dword_D4139C had on entry
    .text:00819223                 jz      short loc_819237        ; mov does not touch flags, so this still tests the add above
    .text:00819225                 cmp     dword_D413A4, 0
    .text:0081922C                 jnz     short loc_819237        ; skip the store when dword_D413A4 is non-zero
    .text:0081922E                mov     ecx, [ebp+arg_8]         ; the address asked about: loads the third argument...
    .text:00819231                 mov     dword_D4139C, ecx       ; ...and stores it to dword_D4139C; no comparison happens here
    .text:00819237
    .text:00819237 loc_819237:                             ; CODE XREF: sub_819210+13j
    .text:00819237                                         ; sub_819210+1Cj
    .text:00819237                 push    ebx
    .text:00819238                 push    esi
    .text:00819239                 push    edi
    .text:0081923A                 mov     edi, [ebp+arg_0]
    .text:0081923D                 push    edi                     ; first argument is passed on to sub_76EE30
    .text:0081923E                 call    sub_76EE30

    3.3.5a 12340 Offsets
  2. #47
    danwins's Avatar Contributor
    use a debugger? and breakpoint @ 0081922E?

    Code:
    ; Same function start with opcode bytes and the poster's symbol names (FrameScript__Execute,
    ; Lua_RunScript, SStrLen). The listing ends at the first call; the function continues beyond it.
    .text:00819210                   FrameScript__Execute proc near          ; CODE XREF: Lua_RunScript+30p
    .text:00819210                                                           ; Lua_RunScript_0+35p ...
    .text:00819210
    .text:00819210                   var_4           = dword ptr -4
    .text:00819210                   arg_0           = dword ptr  8
    .text:00819210                   arg_4           = dword ptr  0Ch
    .text:00819210                   arg_8           = dword ptr  10h
    .text:00819210
    .text:00819210 55                                push    ebp
    .text:00819211 8B EC                             mov     ebp, esp
    .text:00819213 51                                push    ecx                    ; reserves the slot addressed as var_4
    .text:00819214 83 05 A0 13 D4 00+                add     dword_D413A0, 1        ; trailing '+' = opcode bytes truncated in the display; sets ZF on a zero result
    .text:0081921B A1 9C 13 D4 00                    mov     eax, dword_D4139C
    .text:00819220 89 45 FC                          mov     [ebp+var_4], eax       ; keeps the entry value of dword_D4139C
    .text:00819223 74 12                             jz      short loc_819237       ; rel8 0x12 from 0x819225 = 0x819237; tests the add (mov leaves flags alone)
    .text:00819225 83 3D A4 13 D4 00+                cmp     dword_D413A4, 0
    .text:0081922C 75 09                             jnz     short loc_819237       ; rel8 0x09 from 0x81922E = 0x819237
    .text:0081922E 8B 4D 10                          mov     ecx, [ebp+arg_8]       ; 3 bytes at the address asked about: load of the third argument
    .text:00819231 89 0D 9C 13 D4 00                 mov     dword_D4139C, ecx      ; store into the global at 0xD4139C
    .text:00819237
    .text:00819237                   loc_819237:                             ; CODE XREF: FrameScript__Execute+13j
    .text:00819237                                                           ; FrameScript__Execute+1Cj
    .text:00819237 53                                push    ebx
    .text:00819238 56                                push    esi
    .text:00819239 57                                push    edi
    .text:0081923A 8B 7D 08                          mov     edi, [ebp+arg_0]
    .text:0081923D 57                                push    edi                    ; arg_0 is the string whose length is taken
    .text:0081923E E8 ED 5B F5 FF                    call    SStrLen                ; rel32 0xFFF55BED from 0x819243 resolves to 0x76EE30
    Whatever it's grabbing gets stored in 0xD4139C, which is cross-referenced here alongside some string information:

    Code:
    ; Call site that reads dword_D4139C. Arguments are pushed right to left, so the call is
    ; SStrPrintf(&var_400, 400h, "Current Addon: %s\n", dword_D4139C): the global is consumed by
    ; %s and is therefore used here as a pointer to a C string.
    .text:00404D86 8B 15 9C 13 D4 00                 mov     edx, dword_D4139C
    .text:00404D8C 52                                push    edx                    ; argument consumed by %s
    .text:00404D8D 68 C8 22 9E 00                    push    offset aCurrentAddonS ; "Current Addon: %s\n"
    .text:00404D92 8D 85 00 FC FF FF                 lea     eax, [ebp+var_400]     ; destination buffer on the stack
    .text:00404D98 68 00 04 00 00                    push    400h            ; a2
    .text:00404D9D 50                                push    eax             ; a1
    .text:00404D9E E8 CD A2 36 00                    call    SStrPrintf
    So my best guess, without a debugger, is that it's a string buffer with addon info.

  3. #48
    tutrakan's Avatar Contributor
    Originally Posted by macintelk View Post
    Dark, do you have a clue what might be the check at 0081922E ?

    and how to test it ?
    ...
    While I'm not Dark, I wanted to point out that the instruction at 0081922E is not a check, but a mov:
    Code:
    ; Same prologue with the poster's names for the three globals and the arguments.
    ; The listing ends right after the store at 00819231; loc_819237 and the rest are not shown.
    ; NOTE(review): the prototype types the third argument as bool, but it is loaded and stored as a
    ; full dword, and the listing earlier in the thread passes this global to a "%s" format - it
    ; looks like a string pointer rather than a flag; confirm before relying on the prototype.
    .text:00819210                         ; int __cdecl FrameScript::Execute(const char *script, const char *scriptname, bool tainted)
    .text:00819210                         FrameScript__Execute proc near          ; CODE XREF: Lua_RunScript+30↑p
    .text:00819210                                                                 ; Lua_RunScript_0+35↑p
    .text:00819210                                                                 ; FrameXML_ProcessFile+302↑p
    .text:00819210                                                                 ; FrameScript_Initialize+176↓p
    .text:00819210                                                                 ; 0FFB0016↓p
    .text:00819210                                                                 ; 123D0016↓p
    .text:00819210                                                                 ; 13F20016↓p
    .text:00819210                                                                 ; 13F30016↓p
    ; NOTE(review): the last four callers have no symbol and lie far above the .text addresses
    ; shown in this listing; presumably code outside the main image captured in this database - verify.
    .text:00819210
    .text:00819210                         var_4= dword ptr -4
    .text:00819210                         script= dword ptr  8
    .text:00819210                         scriptname= dword ptr  0Ch
    .text:00819210                         tainted= dword ptr  10h
    .text:00819210
    .text:00819210 55                      push    ebp
    .text:00819211 8B EC                   mov     ebp, esp
    .text:00819213 51                      push    ecx                          ; reserves the slot addressed as var_4
    .text:00819214 83 05 A0 13 D4 00 01    add     lua_taintexpected, 1         ; counter at 0xD413A0; ZF set when the result is 0
    .text:0081921B A1 9C 13 D4 00          mov     eax, lua_tainted
    .text:00819220 89 45 FC                mov     [ebp+var_4], eax             ; saves the entry value of lua_tainted
    .text:00819223 74 12                   jz      short loc_819237             ; still tests the add; mov does not change flags
    .text:00819225 83 3D A4 13 D4 00 00    cmp     lua_taintedclosure, 0
    .text:0081922C 75 09                   jnz     short loc_819237             ; skip the store when lua_taintedclosure is non-zero
    .text:0081922E 8B 4D 10                mov     ecx, [ebp+tainted]           ; the instruction the question refers to: a load, not a compare
    .text:00819231 89 0D 9C 13 D4 00       mov     lua_tainted, ecx             ; lua_tainted = third argument
    Edit: I see now - you are talking about a Warden MEM_CHECK (I confused it with an asm comparison instruction).
    Last edited by tutrakan; 03-03-2018 at 10:34 PM.

  4. #49
    DarkLinux's Avatar Former Staff
    I'm guessing it's related to this:

    Warden Private Server Script

    -- Quoted above as a private server's Warden script: the client sends one of two addon-message
    -- tokens by WHISPER, and which one is sent depends on the result of issecure(), so the
    -- receiver can tell the two cases apart from the token alone.
    if(issecure())then SendAddonMessage('B7da',"teFz",'WHISPER','l0l')else SendAddonMessage('B7da',"Vgp8",'WHISPER','l0l')end
    Some type of lua unlocker I think.

  5. #50
    macintelk's Avatar Member
    you guys are amazing- tks

    I did some research and found WardenAnalysis here: FKilic/WardenAnalysis Wiki (GitHub)

    and in this case this function

    Code:
    /*
     * Decompiler output for FrameScript_Execute, as copied by the poster from the WardenAnalysis wiki.
     *
     * Runs the script text a1 through FrameScript_ExecuteBuffer. Around that call it:
     *   - increments the global counter lua_taintexpected on entry and decrements it on exit,
     *   - remembers the entry value of the global lua_tainted, overwrites it with a3, and puts
     *     the remembered value back afterwards,
     *   - records the first non-zero taint value in lua_firstTaint together with Lua stack info.
     * Returns whatever FrameScript_ExecuteBuffer returned, unless the restore path below
     * overwrites result with the lua_getstack / lua_getinfo return value.
     *
     * NOTE(review): local names come from the decompiler/annotator and are misleading in places -
     * `luataintexpected` holds the zero-flag of the increment, and `CVarContext` is a copy of
     * s_context. In the disassembly posted earlier in the thread the bp-4 slot holds the saved
     * lua_tainted value instead, so this output may come from a different build; verify.
     */
    int __cdecl FrameScript_Execute(const char *a1, const char *a2, const char *a3)
    {
      bool luataintexpected; // zf@1
      int luatainted; // edi@1
      int v5; // eax@7
      int result; // eax@7
      int CVarContext; // [sp+Ch] [bp-4h]@1
    
      // True only when the counter was -1 before the increment, i.e. it is 0 afterwards.
      luataintexpected = lua_taintexpected++ == -1;
      // Entry value of the global, restored after the script has run.
      luatainted = lua_tainted;
      CVarContext = s_context;
      if ( !luataintexpected && !lua_taintedclosure )
      {
        // The next line is protected by warden
        // (per this thread: the machine code of this store, at 0081922E in the posted listings,
        // is what the Warden memory check discussed above covers).
        lua_tainted = (int)a3;
        if ( a3 )
        {
          // Only the first non-zero taint value is remembered, with the current stack frame info.
          if ( !lua_firstTaint )
          {
            lua_firstTaint = (int)a3;
            if ( lua_getstack(s_context, 0, &lua_firstTaintInfo) )
              lua_getinfo(CVarContext, "Snl", &lua_firstTaintInfo);
          }
        }
      }
      // presumably a string-length helper (the disassembly in this thread calls SStrLen here) - confirm
      v5 = sub_A60B60((int)a1);
      result = FrameScript_ExecuteBuffer(a1, v5, a2, 0, 0, 0);
      if ( lua_taintexpected )
      {
        if ( !lua_taintedclosure )
        {
          // Put back the value lua_tainted had on entry.
          lua_tainted = luatainted;
          if ( luatainted )
          {
            if ( !lua_firstTaint )
            {
              lua_firstTaint = luatainted;
              // From here on `result` no longer carries the FrameScript_ExecuteBuffer return value.
              result = lua_getstack(CVarContext, 0, &lua_firstTaintInfo);
              if ( result )
                result = lua_getinfo(CVarContext, "Snl", &lua_firstTaintInfo);
            }
          }
        }
      }
      --lua_taintexpected;
      // Once the counter is back at (or below) zero, clear the counter and the first-taint record.
      if ( lua_taintexpected <= 0 )
      {
        lua_taintexpected = 0;
        lua_firstTaint = 0;
      }
      return result;
    }
    hope it helps others - btw a warden analysis thread is a great idea

  6. #51
    Icesythe7's Avatar Contributor
    Does anyone know the function that is called to update your visual gear when you equip a piece? I.e. "0073E410 CGUnit_C__UpdateDisplayInfo" is called by WoW whenever your model changes (it should be called UpdateModelInfo, IMO), but it is not called by WoW when you equip a piece of gear. While you can use this to morph your gear just fine, I'd like to try to use the actual function WoW uses to "UpdateGearInfo", and was just curious whether anyone had stumbled upon this before I dig into it myself.

  7. #52
    jjlynn27's Avatar Member
    Old thread.
    But if anyone knows offsets for 3.3.5 for

    IsUsableAction

    and

    IsUsableActionNoMana

    it would be very much appreciated.

  8. #53
    Alex__'s Avatar Member
    Originally Posted by jjlynn27 View Post
    Old thread.
    But if anyone knows offsets for 3.3.5 for

    IsUsableAction

    and

    IsUsableActionNoMana

    it would be very much appreciated.
    It's Lua API. Just search for these strings.
    https://www.ownedcore.com/forums/wor...ple-stuff.html ([Tutorial] How to find simple stuff)

  10. #54
    jjlynn27's Avatar Member
    Thanks Alex, appreciated.

    Thanks to Alex I found offsets that I needed myself.

    Here they are if anyone else needs them.

    Code:
    // Two entries of a larger offsets list, posted for the 3.3.5 client this thread covers.
    // The values are tied to that one binary and have to be re-derived for any other build.
    IsUsableAction = 0x81DED8,
    IsUsableActionNoMana = 0x81DC98,
    Last edited by jjlynn27; 07-12-2019 at 02:46 PM.

  11. #55
    Cooldude's Avatar Member
    do these offsets work for Warmane? 3.3.5a I tried getting player_XP from the posted dump on the first page : wow.exe + 0x00AC66D8 offset 0x9E8

    Just returns random numbers in that memory address.

  12. #56
    krustx's Avatar Member
    Originally Posted by Cooldude View Post
    do these offsets work for Warmane? 3.3.5a I tried getting player_XP from the posted dump on the first page : wow.exe + 0x00AC66D8 offset 0x9E8

    Just returns random numbers in that memory address.

    If you are internal, call the Lua function UnitXP('player'), or call the function directly in the game thread:
    Code:
    // Calls the routine at 0x0060a5d0 with the local player object and returns its int result.
    // The address is absolute and hard-coded, so it only has meaning for the exact binary it
    // was taken from, loaded at the base it was taken at.
    auto get_exp(){
        using exp_getter_t = int ( __fastcall *)(wow_object* obj);
        const auto getter = reinterpret_cast<exp_getter_t>(0x0060a5d0);
        return getter(get_local_player());
    }

    if you are external, reverse code at 0x0060a5d0:
    Code:
    ; NOTE(review): "EP" is not an x86 register name; the destination register looks mangled in
    ; the paste. Check the original disassembly for the real register.
    0060a5f0        MOV        EP, dword ptr [ESI + 0x1008]    ; loads the pointer stored at ESI + 0x1008
    0060a5f6        MOV        EP, dword ptr [EP + 0x798]      ; then loads the dword at +0x798 from that pointer
    where esi is the pointer to local player:
    Code:
    // Reads the value by following pointers instead of calling into the client: takes the
    // pointer stored at local player + 0x1008 and returns the 32-bit value at +0x798 from it.
    // Pointers are squeezed through uint32_t, so this assumes a 32-bit process, and the
    // addresses are dereferenced directly, i.e. in the address space the code itself runs in.
    auto get_exp2(){
        const auto player_base = (uint32_t)get_local_player();
        const auto inner_base = *(uint32_t*)(player_base + 0x1008);
        return *(uint32_t*)(inner_base + 0x798);
    }

  13. #57
    Borg333's Avatar Member Authenticator enabled
    Can anyone help with the unit size offset? I mean, we have offset 0x854, so we can do TraceLine correctly.
    Now I want to have the correct distance to cast a spell.
    For example, the Fireball cast distance is 30 yards, but in fact we can cast from 33 yards (1.5 player size + 1.5 target size + 30 Fireball cast distance).
    ----------------------
    got it. UNIT_FIELD_COMBATREACH = 0x42 -> ReadFloat(UnitFieldsAddress + Offsets.Unit.UNIT_FIELD_COMBATREACH);
    Last edited by Borg333; 07-05-2022 at 02:22 PM.
