-
Member
Dark, do you have a clue what the check at 0081922E might be,
and how to test it?
Code:
.text:00819210 ; Attributes: bp-based frame
.text:00819210
.text:00819210 sub_819210 proc near ; CODE XREF: sub_4DD490+30p
.text:00819210 ; sub_510B30+35p ...
.text:00819210
.text:00819210 var_4 = dword ptr -4
.text:00819210 arg_0 = dword ptr 8
.text:00819210 arg_4 = dword ptr 0Ch
.text:00819210 arg_8 = dword ptr 10h
.text:00819210
.text:00819210 push ebp
.text:00819211 mov ebp, esp
.text:00819213 push ecx
.text:00819214 add dword_D413A0, 1
.text:0081921B mov eax, dword_D4139C
.text:00819220 mov [ebp+var_4], eax
.text:00819223 jz short loc_819237
.text:00819225 cmp dword_D413A4, 0
.text:0081922C jnz short loc_819237
.text:0081922E mov ecx, [ebp+arg_8]
.text:00819231 mov dword_D4139C, ecx
.text:00819237
.text:00819237 loc_819237: ; CODE XREF: sub_819210+13j
.text:00819237 ; sub_819210+1Cj
.text:00819237 push ebx
.text:00819238 push esi
.text:00819239 push edi
.text:0081923A mov edi, [ebp+arg_0]
.text:0081923D push edi
.text:0081923E call sub_76EE30
-
Contributor
Use a debugger and set a breakpoint @ 0081922E?
Code:
.text:00819210 FrameScript__Execute proc near ; CODE XREF: Lua_RunScript+30p
.text:00819210 ; Lua_RunScript_0+35p ...
.text:00819210
.text:00819210 var_4 = dword ptr -4
.text:00819210 arg_0 = dword ptr 8
.text:00819210 arg_4 = dword ptr 0Ch
.text:00819210 arg_8 = dword ptr 10h
.text:00819210
.text:00819210 55 push ebp
.text:00819211 8B EC mov ebp, esp
.text:00819213 51 push ecx
.text:00819214 83 05 A0 13 D4 00+ add dword_D413A0, 1
.text:0081921B A1 9C 13 D4 00 mov eax, dword_D4139C
.text:00819220 89 45 FC mov [ebp+var_4], eax
.text:00819223 74 12 jz short loc_819237
.text:00819225 83 3D A4 13 D4 00+ cmp dword_D413A4, 0
.text:0081922C 75 09 jnz short loc_819237
.text:0081922E 8B 4D 10 mov ecx, [ebp+arg_8]
.text:00819231 89 0D 9C 13 D4 00 mov dword_D4139C, ecx
.text:00819237
.text:00819237 loc_819237: ; CODE XREF: FrameScript__Execute+13j
.text:00819237 ; FrameScript__Execute+1Cj
.text:00819237 53 push ebx
.text:00819238 56 push esi
.text:00819239 57 push edi
.text:0081923A 8B 7D 08 mov edi, [ebp+arg_0]
.text:0081923D 57 push edi
.text:0081923E E8 ED 5B F5 FF call SStrLen
Whatever it's grabbing is getting stored in 0xD4139C, which is xrefed here with some string information:
Code:
.text:00404D86 8B 15 9C 13 D4 00 mov edx, dword_D4139C
.text:00404D8C 52 push edx
.text:00404D8D 68 C8 22 9E 00 push offset aCurrentAddonS ; "Current Addon: %s\n"
.text:00404D92 8D 85 00 FC FF FF lea eax, [ebp+var_400]
.text:00404D98 68 00 04 00 00 push 400h ; a2
.text:00404D9D 50 push eax ; a1
.text:00404D9E E8 CD A2 36 00 call SStrPrintf
So my best guess, with no debugger, is that it's a string buffer with addon info.
-
Contributor
Originally Posted by
macintelk
Dark, do you have a clue what the check at 0081922E might be,
and how to test it?
...
While I'm not Dark, I wanted to note that the instruction at 0081922E is not a check, but a mov:
Code:
.text:00819210 ; int __cdecl FrameScript::Execute(const char *script, const char *scriptname, bool tainted)
.text:00819210 FrameScript__Execute proc near ; CODE XREF: Lua_RunScript+30↑p
.text:00819210 ; Lua_RunScript_0+35↑p
.text:00819210 ; FrameXML_ProcessFile+302↑p
.text:00819210 ; FrameScript_Initialize+176↓p
.text:00819210 ; 0FFB0016↓p
.text:00819210 ; 123D0016↓p
.text:00819210 ; 13F20016↓p
.text:00819210 ; 13F30016↓p
.text:00819210
.text:00819210 var_4= dword ptr -4
.text:00819210 script= dword ptr 8
.text:00819210 scriptname= dword ptr 0Ch
.text:00819210 tainted= dword ptr 10h
.text:00819210
.text:00819210 55 push ebp
.text:00819211 8B EC mov ebp, esp
.text:00819213 51 push ecx
.text:00819214 83 05 A0 13 D4 00 01 add lua_taintexpected, 1
.text:0081921B A1 9C 13 D4 00 mov eax, lua_tainted
.text:00819220 89 45 FC mov [ebp+var_4], eax
.text:00819223 74 12 jz short loc_819237
.text:00819225 83 3D A4 13 D4 00 00 cmp lua_taintedclosure, 0
.text:0081922C 75 09 jnz short loc_819237
.text:0081922E 8B 4D 10 mov ecx, [ebp+tainted]
.text:00819231 89 0D 9C 13 D4 00 mov lua_tainted, ecx
Edit: I see now - you are talking about the Warden MEM_CHECK (I confused it with an asm instruction comparison).
Last edited by tutrakan; 03-03-2018 at 10:34 PM.
-
I'm guessing it's related to
Warden Private Server Script
if(issecure())then SendAddonMessage('B7da',"teFz",'WHISPER','l0l')else SendAddonMessage('B7da',"Vgp8",'WHISPER','l0l')end
Some type of Lua unlocker, I think.
-
Member
You guys are amazing - thanks.
I did some research and found WardenAnalysis here: Home * FKilic/WardenAnalysis Wiki * GitHub
and in this case this function:
Code:
int __cdecl FrameScript_Execute(const char *a1, const char *a2, const char *a3)
{
  bool luataintexpected; // zf@1
  int luatainted; // edi@1
  int v5; // eax@7
  int result; // eax@7
  int CVarContext; // [sp+Ch] [bp-4h]@1

  luataintexpected = lua_taintexpected++ == -1;
  luatainted = lua_tainted;
  CVarContext = s_context;
  if ( !luataintexpected && !lua_taintedclosure )
  {
    // The next line is protected by warden
    lua_tainted = (int)a3;
    if ( a3 )
    {
      if ( !lua_firstTaint )
      {
        lua_firstTaint = (int)a3;
        if ( lua_getstack(s_context, 0, &lua_firstTaintInfo) )
          lua_getinfo(CVarContext, "Snl", &lua_firstTaintInfo);
      }
    }
  }
  v5 = sub_A60B60((int)a1);
  result = FrameScript_ExecuteBuffer(a1, v5, a2, 0, 0, 0);
  if ( lua_taintexpected )
  {
    if ( !lua_taintedclosure )
    {
      lua_tainted = luatainted;
      if ( luatainted )
      {
        if ( !lua_firstTaint )
        {
          lua_firstTaint = luatainted;
          result = lua_getstack(CVarContext, 0, &lua_firstTaintInfo);
          if ( result )
            result = lua_getinfo(CVarContext, "Snl", &lua_firstTaintInfo);
        }
      }
    }
  }
  --lua_taintexpected;
  if ( lua_taintexpected <= 0 )
  {
    lua_taintexpected = 0;
    lua_firstTaint = 0;
  }
  return result;
}
Hope it helps others. BTW, a Warden analysis thread is a great idea.
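As an added illustration (not the client's code and not from the WardenAnalysis wiki), here is a C model of the taint bookkeeping in the decompiled function above, with FrameScript_ExecuteBuffer replaced by a callback and the lua_getstack/lua_getinfo calls left out. It shows the taint written by the protected store reaching the running script, being restored when a nested Execute call unwinds, and being skipped while a tainted closure runs; the demo bodies and taint value 7 are constructed.

```c
/* Added model, not the client's code: the taint bookkeeping of the decompiled
 * FrameScript_Execute above, with script execution replaced by a callback so
 * nested Execute calls can be observed. Variable names follow the page. */
static int lua_taintexpected;   /* nesting depth of Execute calls */
static int lua_tainted;         /* taint of the running script (0 = secure) */
static int lua_taintedclosure;  /* nonzero while a tainted closure runs */
static int lua_firstTaint;      /* first taint seen in this nesting */
typedef int (*script_body)(void);   /* stand-in for the compiled chunk */

static void note_first_taint(int taint) {
    if (taint && !lua_firstTaint)
        lua_firstTaint = taint;     /* lua_getstack/lua_getinfo bookkeeping omitted */
}

int model_execute(script_body body, int tainted) {
    /* ZF after "add lua_taintexpected, 1" is set only if the old value was -1 */
    int zf = (lua_taintexpected++ == -1);
    int saved = lua_tainted;
    if (!zf && !lua_taintedclosure) {
        lua_tainted = tainted;      /* the store that Warden's MEM_CHECK covers */
        note_first_taint(tainted);
    }
    int result = body();            /* FrameScript_ExecuteBuffer stand-in */
    if (lua_taintexpected && !lua_taintedclosure) {
        lua_tainted = saved;        /* unwind to the caller's taint */
        note_first_taint(saved);
    }
    if (--lua_taintexpected <= 0) { /* outermost call: reset per-run state */
        lua_taintexpected = 0;
        lua_firstTaint = 0;
    }
    return result;
}

static int inner_seen;              /* constructed demo state */
static int report(void) { return lua_tainted; }
static int nested(void) {           /* tainted script that runs a secure chunk */
    inner_seen = model_execute(report, 0);
    return lua_tainted;             /* taint after the inner call unwinds */
}

int demo_tainted_run(void)   { return model_execute(report, 7); }        /* 7 */
int demo_nested_outer(void)  { return model_execute(nested, 7); }        /* 7 */
int demo_nested_inner(void)  { demo_nested_outer(); return inner_seen; } /* 0 */
int demo_in_closure(void) {         /* taint is not applied inside a tainted closure */
    lua_taintedclosure = 1;
    int r = model_execute(report, 7);
    lua_taintedclosure = 0;
    return r;                       /* 0 */
}
int model_depth(void) { return lua_taintexpected; }  /* 0 once everything unwound */
```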
-
Contributor
Anyone know the function that is called to update your visual gear when you equip a piece? I.e. "0073E410 CGUnit_C__UpdateDisplayInfo" is called by WoW whenever your model changes (should be called UpdateModelInfo imo), but it's not called by WoW when you equip a piece of gear. While you can use this to morph your gear just fine, I'd like to try to use the actual function WoW uses to "UpdateGearInfo" and was just curious if anyone had stumbled upon this before I dig into it myself.
-
Member
Old thread.
But if anyone knows offsets for 3.3.5 for
IsUsableAction
and
IsUsableActionNoMana
it would be very much appreciated.
-
Member
Originally Posted by
jjlynn27
Old thread.
But if anyone knows offsets for 3.3.5 for
IsUsableAction
and
IsUsableActionNoMana
it would be very much appreciated.
It's Lua API. Just search for these strings.
https://www.ownedcore.com/forums/wor...ple-stuff.html ([Tutorial] How to find simple stuff)
-
-
Member
Thanks Alex, appreciated.
Thanks to Alex I found offsets that I needed myself.
Here they are if anyone else needs them.
Code:
IsUsableAction = 0x81DED8,
IsUsableActionNoMana = 0x81DC98,
Last edited by jjlynn27; 07-12-2019 at 02:46 PM.
-
Member
Do these offsets work for Warmane 3.3.5a? I tried getting player_XP from the posted dump on the first page: wow.exe + 0x00AC66D8, offset 0x9E8.
It just returns random numbers at that memory address.
-
Member
Originally Posted by
Cooldude
Do these offsets work for Warmane 3.3.5a? I tried getting player_XP from the posted dump on the first page: wow.exe + 0x00AC66D8, offset 0x9E8.
It just returns random numbers at that memory address.
If you are internal, call the Lua function UnitXP('player') or call the function directly on the game thread:
Code:
#include <cstdint>
struct wow_object;                  // opaque game object type (assumed)
wow_object* get_local_player();     // helper from the poster's own code base (assumed)

auto get_exp(){
    // The client's routine at 0x0060a5d0 takes the unit object and returns its XP.
    auto func = reinterpret_cast<int ( __fastcall *)(wow_object* obj) >(0x0060a5d0);
    return func(get_local_player());
}
If you are external, reverse the code at 0x0060a5d0:
Code:
0060a5f0 MOV EP, dword ptr [ESI + 0x1008]
0060a5f6 MOV EP, dword ptr [EP + 0x798]
where ESI is the pointer to the local player:
Code:
#include <cstdint>
struct wow_object;                  // opaque game object type (assumed)
wow_object* get_local_player();     // helper from the poster's own code base (assumed)

auto get_exp2(){
    // Follow the same two-step pointer chain the disassembly above shows:
    // [player + 0x1008] -> descriptor block, then [descriptor + 0x798] -> XP.
    auto lp_addr = (uint32_t)get_local_player();
    auto ptr1 = (uint32_t*)(lp_addr + 0x1008);
    auto ptr2 = (uint32_t*)(*ptr1 + 0x798);
    return *ptr2;
}
-
Member
Can anyone help with the unit size offset? I mean, we have offset 0x854, OK, we can do TraceLine correctly.
Now I want to have the correct distance to cast a spell.
E.g. Fireball cast distance is 30 yards; in fact we can cast from 33 yards (1.5 player size + 1.5 target size + 30 Fireball cast distance).
----------------------
Got it. UNIT_FIELD_COMBATREACH = 0x42 -> ReadFloat(UnitFieldsAddress + Offsets.Unit.UNIT_FIELD_COMBATREACH);
Last edited by Borg333; 07-05-2022 at 02:22 PM.