4.0 Migration

[caytchen]

Its patch day and IDA is eating up all my CPU cycles. Might as well start up a thread to collect whatever information might be relevant for a seamless migration to the new version.

- DBFilesClient loading is no longer one big unrolled function. See table at 0x00B96F08.
- Descriptors at Private Paste - Pastie
- PLAYER_GUILD is gone missing. Some initial research shows it in OBJECT_FIELD_DATA?!

Will extend this as I proceed. Also, feel free to share whatever you encounter.

[Arutha532]

Just started updating:

Code:

/// <summary>
/// Updated for 4.0.1.13164
/// CGUnit_C__UnitReaction : 001C51A0 
/// </summary>
public enum Reaction : uint
{
	FactionStartIndex = 0x7980CCC, //3.3.5a: AD3894
	FactionPointer = 0x7980D8, //3.3.5a: AD38A4
	FactionTotal = 0x7980C8, //3.3.5a: AD3890
	HostileOffset1 = 0x14,
	HostileOffset2 = 0x0C,
	FriendlyOffset1 = 0x10,
	FriendlyOffset2 = 0x0C,
}

/// <summary>
/// Updated for 4.0.1.13164
/// CGUnit_C__GetAura : 00061C70 , 4.0.1.13164
/// CGUnit_C__GetAura : 00556E10 , 3.3.5a
/// </summary>
public enum UnitAuras : uint
{
	CGUnit_C__GetAura = 0x00061C70,                   // 3.3.5a : 0x00556E10
	AuraCount1 = 0xF80,                       // 3.3.5a : 0xDD0
	AuraCount2 = 0xD04,                       // 3.3.5a : 0xC54
	AuraTable1 = 0xD00,                       // 3.3.5a : 0xC50
	AuraTable2 = 0xD08,                       // 3.3.5a : 0xC58
	AuraSize = 0x18,                           // 3.3.5a : 0x18
	AuraSpellId = 0x8                         // 3.3.5a : 0x8
} ;
		
/// <summary>
/// Updated for 4.0.1.13164
/// </summary>
public enum Chat : uint
{
	ChatStart = 0x9DC928, //3.3.5a: B75A60 + 3C         
	OffsetToNextMsg = 0x17C0, //Unchanged
}

The offsets are untested as i am from EU.

Everything is rebased to 0x1000 in IDA thank you Apoc!

[freeeddee]

What is this ?

[luciferc]

good job so far +rep,

BE sure you realize its now ASLR based like Aion and other games so take that into account when updating offsets.


To Freeeddee:

I hope your a troll.

[Apoc]

Protip: Use IDA to rebase to 0x1000. Then use those as relative addrs.

[RivaLfr]

Thank for the Descriptors caytchen +rep

Code:

        public static readonly uint clientConnection = 0x8A5C20;
        public static readonly uint objectManager = 0x4618;
        public static readonly uint firstObject = 0xB4;
        public static readonly uint nextObject = 0x3C;

        public static readonly uint DX_DEVICE = 0x970F94;
        public static readonly uint DX_DEVICE_IDX = 0x27B4;
        public static readonly uint ENDSCENE_IDX = 0xAC;

        public static readonly uint CTM = 0x8BD7D8;
        public static readonly uint CTM_DISTANCE = CTM + 0xC;
        public static readonly uint CTM_GUID = CTM + 0x20;
        public static readonly uint CTM_PUSH = CTM + 0x1C;
        public static readonly uint CTM_X = CTM + 0xA0;
        public static readonly uint CTM_Y = CTM + 0xA4;
        public static readonly uint CTM_Z = CTM + 0xA8;

        public static readonly uint Guid = 0x30;
        public static readonly uint GuidPlayer = 0xC8;

        public static readonly uint playerName = 0x8A5C58;

        public static readonly uint StatPvp = 0x9E060C; // 0xBEA4D0;
        public static readonly uint PvpExitWindow = 0x9E06D0; 

        public static readonly uint StartSlotIsReady = 0x9EDC58;

        public static readonly uint LastWowErrorMessage = 0x980A90;

        public static readonly uint gameState = 0x981692;

        public static readonly uint targetGUID = 0x9816B0;
        public static readonly uint LastTargetGUID = 0x9816B8;

        public static readonly uint petGUID = 0x9ED9A8;

        public static readonly uint FACTION_START_INDEX = 0x7980CC;
        public static readonly uint FACTION_POINTER = 0x7980D8;
        public static readonly uint FACTION_TOTAL = 0x7980C8;
        public static readonly uint HOSTILE_OFFSET_1 = 0x14;
        public static readonly uint HOSTILE_OFFSET_2 = 0x0C;
        public static readonly uint FRIENDLY_OFFSET_1 = 0x10;
        public static readonly uint FRIENDLY_OFFSET_2 = 0x0C;

        public static readonly uint lootWindow = 0x9EE9E0;

        public static readonly uint isLoadingOrConnecting = 0x96D514;

        public static readonly uint startBar = 0x9EE0D8;
        public static readonly uint nbBar = startBar + 0x11C;
        public static readonly uint nextBar = 0x4;

        public static readonly uint baseBoxChat = 0x8B7CA0;
        public static readonly uint statBoxChat = 0x978B48;

        public static readonly uint chatBufferStart = 0x983358;
        public static readonly uint NextMessage = 0x17C0;
        public static readonly uint msgFormatedChat = 0x3c;
        public static readonly uint chatBufferPos = 0x9DC8EC;

        public static readonly uint PlayerComboPoint = 0x981751;

        public enum FunctionWow
        {
            ClntObjMgrGetActivePlayer = 0x929E0,
            FrameScript__Execute = 0x3958F0,
            CGPlayer_C__ClickToMove = 0x1C7E20,
            ClntObjMgrGetActivePlayerObj = 0x34A0,
            FrameScript__GetLocalizedText = 0x1C1F60,
            TraceLine = 0; // ???????????
        }

        public enum CorpsePlayer
        {
            X = 0x9819BC,
            Y = X + 0x4,
            Z = Y + 0x4,
        }

        public enum AutoLoot
        {

            AutoLoot_Activate_Pointer = 0x981870,
            AutoLoot_Activate_Offset = 0x30,

        }
        public enum AutoSelfCast
        {

            AutoSelfCast_Activate_Pointer = 0x98186C,
            AutoSelfCast_Activate_Offset = 0x30,

        }
        public enum AutoInteract
        {

            AutoInteract_Activate_Pointer = 0x981850,
            AutoInteract_Activate_Offset = 0x30,

        }


        public enum UnitBaseGetUnitAura
        {
            AURA_COUNT_1 = 0xF80,
            AURA_COUNT_2 = 0xD04,
            AURA_TABLE_1 = 0xD00,
            AURA_TABLE_2 = 0xD08,
            AURA_SIZE = 0x18,
            AURA_SPELL_ID = 0x8    
        }

I have not tested, just dump with ida pro, I would do update on this post.

[caytchen]

Did they switch compiler options? The whole thing is full with SSE
Also, more radical inlining. Don't you dare, Blizzard!

[JuJuBoSc]

Code:

        public enum ObjectManager
        {

            CurMgrPointer = 0x008A5C20,                 // 4.0.1 13164
            CurMgrOffset = 0x4618,                      // 4.0.1 13164
            NextObject = 0x3C,                          // 4.0.1 13164
            FirstObject = 0xB4,                         // 4.0.1 13164
            LocalGUID = 0xC8                            // 4.0.1 13164

        }

        public enum CGUnit_C__GetCreatureRank
        {

            CGUnit_C__GetCreatureRank = 0x001B7000,     // 4.0.1 13164
            Offset1 = 0xA0C,                            // 4.0.1 13164
            Offset2 = 0x10,                             // 4.0.1 13164

        }

        public enum ShapeshiftForm
        {

            CGUnit_C__GetShapeshiftFormId = 0x0071AF70, // 4.0.1 13164

            BaseAddress_Offset1 = 0xF8,                 // 4.0.1 13164 
            BaseAddress_Offset2 = 0x213,                // 4.0.1 13164 

        }

        public enum UnitBaseGetUnitAura
        {

            CGUnit_Aura = 0x00061C70,                   // 4.0.1 13164
            AURA_COUNT_1 = 0xF80,                       // 4.0.1 13164
            AURA_COUNT_2 = 0xD04,                       // 4.0.1 13164
            AURA_TABLE_1 = 0xD00,                       // 4.0.1 13164
            AURA_TABLE_2 = 0xD08,                       // 4.0.1 13164
            AURA_SIZE = 0x18,                           // 4.0.1 13164
            AURA_SPELL_ID = 0x8                         // 4.0.1 13164

        }

        public enum IsFlying
        {

            // Reversed from Lua_IsFlying

            Offset = 0x44,                              // 4.0.1 13164
            Mask = 0x2000000,                           // 4.0.1 13164
            IsFlyingCapable_Mask = 0x1000000,           // 4.0.1 13164

        }

        public enum IsSwimming
        {

            // Reversed from Lua_IsSwimming

            Offset = 0xAE8,                             // 4.0.1 13164
            Mask = 0x200000,                            // 4.0.1 13164

        }

        public enum InCombat
        {

            // Reversed from Lua_UnitAffectingCombat

            Offset1 = 0xF8,                             // 4.0.1 13164
            Offset2 = 0x114,                            // 4.0.1 13164
            Mask = 0x13,                                // 4.0.1 13164

        }

        public enum AutoLoot
        {

            Pointer = 0x00981870,                       // 4.0.1 13164
            Offset = 0x30,                              // 4.0.1 13164

        }

        public enum AutoSelfCast
        {

            Pointer = 0x00981878,                       // 4.0.1 13164
            Offset = 0x30,                              // 4.0.1 13164

        }

        public enum ClickToMove
        {

            CGPlayer_C__ClickToMove = 0x1C7E20,         // 4.0.1 13164
            Pointer = 0x981850,                         // 4.0.1 13164
            Offset = 0x30,                              // 4.0.1 13164

        }

        public enum WoWChat
        {

            ChatBufferStart = 0x00983358,               // 4.0.1 13164
            NextMessage = 0x17C0,                       // 4.0.1 13164

        }

        public enum IsAutoAttacking
        {

            CGActionBar__IsCurrentAction = 0x0049AC50,  // 4.0.1 13164
            AutoAttackGUID = 0xAD8,                     // 4.0.1 13164

            ActiveSpellsPtr = 0x007F9B80,               // 4.0.1 13164
            ActiveSpellsSpellId = 0x20,                 // 4.0.1 13164 - Need verification

        }

        public enum ActionBar
        {

            CurrentActionBar = 0x009EE318,              // 4.0.1 13164
            ActionBarFirstSlot = 0x009EE0D8,            // 4.0.1 13164
            ActionBarBonus = 0x009EE31C,                // 4.0.1 13164
            GetActionCount = 0x009EDE98,                // 4.0.1 13164

        }

I will put everything in this post, reversing right now ...
Everything is rebased to 0x1000 in IDA.

[Robske]

I've updated most of my addresses. (will post later)

Any news on Traceline/Intersect and the new DBC format?

[caytchen]

Any news on Traceline/Intersect and the new DBC format?

There is a highly suspicious call at 0x00876AF1 (unchanged 0x00400000 imagebase) to a sophisticated version of the old CGWorldFrame__Intersect wrapper around TraceLine. Note the mask, __cdecl and 6 arguments. Also, 3.3.5 has a TraceLine call at the very same position.

[luciferc]

heres 4.0.1 US Exe
Download Wow exe

[PiroX]

Code:

CastingSpellIdOffset = 0xB24
ChannelSpellIdOffset = 0xB38
UnitNameOffset_1 = 0xA0C
UnitNameOffset_2 = 0x60
GameObjectNameOffset_1 = 0x1CC
GameObjectNameOffset_2 = 0x94

/untested, got through IDA

[TOM_RUS]

I've updated most of my addresses. (will post later)

Any news on Traceline/Intersect and the new DBC format?

!Offsets below isn't rebased!
sub_492170 is LoadDB2 (new *.db2 files), off_B96EF8 - db2 global table
sub_490390 is LoadDBC (old *.dbc files), off_B96F08 - dbc global table

*.db2/*.adb files structure:

Code:

                private const uint DB2FmtSig = 0x32424457;          // WDB2
                private const uint ADBFmtSig = 0x32484357;          // WCH2

                var signature = reader.ReadUInt32();

                if (signature != DB2FmtSig && signature != ADBFmtSig)
                {
                    Console.WriteLine("File {0} isn't valid DBC file!", fileName);
                    return;
                }

                RecordsCount = reader.ReadInt32();
                FieldsCount = reader.ReadInt32(); // not fields count in WCH2
                RecordSize = reader.ReadInt32();
                StringTableSize = reader.ReadInt32();

                // WDB2/WCH2 specific fields
                uint tableHash = reader.ReadUInt32(); // new field in WDB2
                uint build = reader.ReadUInt32(); // new field in WDB2

                int unk1 = reader.ReadInt32(); // new field in WDB2 (Unix time in WCH2)
                int unk2 = reader.ReadInt32(); // new field in WDB2
                int unk3 = reader.ReadInt32(); // new field in WDB2 (index table?)
                int locale = reader.ReadInt32(); // new field in WDB2
                int unk5 = reader.ReadInt32(); // new field in WDB2

                if (unk3 != 0)
                {
                    reader.ReadBytes(unk3 * 4 - HeaderSize);     // an index for rows
                    reader.ReadBytes(unk3 * 2 - HeaderSize * 2); // a memory allocation bank
                }

                m_rows = new byte[RecordsCount][];

                for (int i = 0; i < RecordsCount; i++)
                    m_rows[i] = reader.ReadBytes(RecordSize);

                int stringTableStart = (int)reader.BaseStream.Position;

                StringTable = new StringTable();

                while (reader.BaseStream.Position != reader.BaseStream.Length)
                {
                    int index = (int)reader.BaseStream.Position - stringTableStart;
                    StringTable[index] = reader.ReadStringNull();
                }

Updated idc script for labeling dbc offsets in IDA:

Code:

#include <ida.idc>

/************************************************************************
   Desc:                Label each database with an appropriate name and struct
   Author:  kynox
   Modified for Cataclysm by TOM_RUS
   Website: http://www.gamedeception.net
*************************************************************************/

static WoWDb_GetName( dbBase )
{
    auto dbName;

    // mov     eax, offset aDbfilesclientA ; "DBFilesClient\\Achievement.dbc"
    dbName = GetString( Dword(dbBase), -1, ASCSTR_C );

    //Message("%s", dbName);

    // Return the the token after \ and before .
    return substr( dbName, strstr( dbName, "\\" ) + 1, -5 );
}

static BuildStruct()
{
    // struct size changed, need figure out what was removed....
    auto id;
    id = AddStrucEx(-1,"WoWClientDB",0);

    AddStrucMember(id, "funcTable",   0X00,   0x20500400,     0X0,    4,      0XFFFFFFFF,     0X0,    0x000002);
    AddStrucMember(id, "numRows",     0X04,   0x20000400,     -1,     4);
    AddStrucMember(id, "maxIndex",    0X08,   0x20000400,     -1,     4);
    AddStrucMember(id, "minIndex",    0X0C,   0x20000400,     -1,     4);
    AddStrucMember(id, "stringTable", 0X10,   0x20000400,     -1,     4);
    AddStrucMember(id, "FirstRow",    0X14,   0x20000400,     -1,     4);
    AddStrucMember(id, "Rows",        0X18,   0x25500400,     0XFFFFFFFF,     4,      0XFFFFFFFF,     0X0,    0x000002);

    return id;
}

static StructBuilt()
{
    return ( GetStrucIdByName( "WoWClientDB" ) != -1 );
}

static main()
{
    auto curAddr, y, count;
    //                                     55 8B EC 51 53 56 57 8B 7D 08 8D 45 08 89 4D FC 8B 0F 50 51 E8 ? ? ? ? 83 7D 08 00 75 15 8B
    //curAddr = FindBinary( 0, SEARCH_DOWN, "55 8B EC 51 53 56 8B 75 08 57 8D 45 08 8B D9 8B 0E 50 51 E8 ? ? ? ? 83 7D 08 00 75 15 8B 16" );
    //                                     55 8B EC 81 EC 04 01 00 00 53 56 57 8B 7D 08 8D 45 08 89 4D FC 8B 0F 50 51 E8 ? ? ? ? 83 7D
    //curAddr = FindBinary( 0, SEARCH_DOWN, "55 8B EC 51 53 56 57 8B 7D 08 8D 45 08 89 4D FC 8B 0F 50 51 E8 ? ? ? ? 83 7D 08 00 75 15 8B" );
    curAddr = FindBinary( 0, SEARCH_DOWN, "55 8B EC 81 EC 04 01 00 00 53 56 57 8B 7D 08 8D 45 08 89 4D FC 8B 0F 50 51 E8 ? ? ? ? 83 7D" );

    if(curAddr == BADADDR)
    {
        Message("Can't find dbcLoadFunction, aborting...\n");
        return -1;
    }

    if ( !StructBuilt() )
    {
        Message( "Building struct..\n" );

        if( BuildStruct() == -1 )
        {
            Message( "Failed to build struct..\n" );
            return;
        }
    }

    for(y = RfirstB(curAddr); y != BADADDR; y = RnextB(curAddr, y))
    {
        auto dbNameOffset, dbStruct, dbName;

        dbStruct = ReadOperand(y, "mov", "offset");
        dbNameOffset = GetNameEffset(y);

        Message("%X %X %X\n", y, dbStruct, dbNameOffset);

        if(dbNameOffset == BADADDR)
        {
            count = count + HandleLoadLoop(dbStruct);
            continue;
        }

        SetType( dbStruct, "WoWClientDB;" );
        MakeStruct( dbStruct, "WoWClientDB" );

        dbName = WoWDb_GetName( dbNameOffset );

        Message("%s\n", dbName);

        MakeName( dbStruct, form( "g_%sDB", dbName ) );
        count++;
    }

    Message("DBC count %u\n", count);
}

static HandleLoadLoop(xref)
{
    auto count;
    do
    {
        auto dbNameOffset, dbStruct, dbName;
        
        dbStruct = Dword(xref);
        dbNameOffset = Dword(xref + 4);
        
        if(dbStruct == 0 || dbNameOffset == 0)
            break;

        dbName = WoWDb_GetName(dbNameOffset);

        Message("%X %X %s\n", dbStruct, dbNameOffset, dbName);

        SetType( dbStruct, "WoWClientDB;" );
        MakeStruct( dbStruct, "WoWClientDB" );
        MakeName( dbStruct, form( "g_%sDB", dbName ) );
        xref = xref + 8;
        count++;
    } while(1);
    return count;
}

static GetNameEffset( xref )
{
    auto offset, dbName;
    offset = ReadOperand( xref, "push", "offset" );
    dbName = GetString( Dword(offset), -1, ASCSTR_C );
    if(strstr( dbName, ".dbc" ) > -1)
        return offset;
    return BADADDR;
}

static ReadOperand( xref, operand, filter )
{
    auto prevFunc;
    prevFunc = PrevFunction( xref );
    //Message("%X %X\n", xref, prevFunc);
    do
    {
        auto disasm;
        disasm = GetDisasm( xref );

        if ( strstr( disasm, operand ) > -1 && strstr( disasm, filter ) > -1 )
            break;

        xref = PrevHead( xref, prevFunc );
    } while ( 1 );

    return GetOperandValue( xref, operand == "mov" ? 1 : 0);
}

[caytchen]

Uhm, I guess this is semi-news. Atleast they remind you now.

[boredevil]

Pattern for updating Idc ObjectDumper : "56 57 68 ? ? ? ? B8 06"

Functions rebased to 0x1000:

Code:

CInputControl_SetFlags = 0x53180
GetGameTiming = 0x3CF020
GetItemIDByName = 0x1AF120
GetLuaState = 0x394510
GetObjectByGUID = 0x93E30
GetSpellIdByName = 0x4654E0
GetUnitRelation = 0x1C51A0
InputEvent = 0x3CBF80
LuaLoadBuffer = 0x55AC10
Lua_Dostring = 0x3958F0
Lua_PCall = 0x35750
Lua_Register = 0x394740
Lua_Settop = 0x34700
Lua_Type = 0x349C0
Lua_getfield = 0x55A760
Lua_gettop = 0x346E0
Lua_pushboolean = 0x34FE0
Lua_pushcclosure = 0x34F10
Lua_pushinteger = 0x34DE0
Lua_pushnil = 0x34D90
Lua_pushnumber = 0x34DB0
Lua_pushstring = 0x34E10
Lua_replace = 0x34880
Lua_setfield = 0x35400
Lua_toboolean = 0x34BC0
Lua_tointeger = 0x34B80
Lua_tonumber = 0x34B40
Lua_tostring = 0x34BF0 
Lua_touserdata = 0x34D20
SelectUnit = 0x42A060
SetFacing2 = 0x1D3630
UseItem = 0x1B1110