Active Member
[Question] How to find an Objectmanager
Heya,
First of all, this is not WoW related, but as this is the more frequently visited mem-editing section of the forums I hope that it's ok, cause it's generic.
So I'm looking into writing a bot and getting all the needed information out of the game for this.
I can read GUIDs, can write them, everything is all right so far.
What gives me a headache is the object manager.
I'm pretty sure there is one in the game (at least one, if not more, for all the different types of objects), but currently I can't seem to find it.
I tried to look for an object by its name or ID, find it in memory and find a static pointer to this, so far so good.
The problem begins when it comes down to knowing which offset is the one that actually is the list of the objmgr.
Normally I'd just add another value and would find out whether or not my work was correct.
Well, but we are talking about 8-level pointers here, and without me being the first object (as far as I have seen it right now).
Could you give me a push in the right direction on how I should try to do it the best way?
Thanks for your help
streppel
Private
I have been meaning to write a tutorial on how to do this. There is an easy (once you understand it) method to get a pointer to the object manager that works across all versions of WoW (as far as I know). This method has been mentioned several times in the past few years but most people seem content to simply wait for somebody to spoon feed them the updated ObjectManager address after a patch. It makes me warm inside that some people actually want to know how to find it themselves.
Our journey begins in the Thread Information Block (TIB), also known as the TEB (Thread Environment Block). Regardless of what you want to call it, we are interested in the pointer that exists at offset 0x2C. At this offset we will find the linear address of the Thread Local Storage (TLS) array. Small side note: this is the address of the implicit TLS array, there is a different set of memory dedicated to the explicit TLS array. This applies to the Microsoft definition of implicit and explicit and is upheld by the VC++ compiler. The explicit TLS array exists at offset 0xE10 in the TIB. That small detail will not matter right now, but it can get confusing if you get deep into how TLS works.
Okay great, how do we read this information from outside WoW's memory space? I will not go into detail, but it can be accomplished by calling NtQueryInformationThread with the first parameter set to THREAD_QUERY_INFORMATION. This function allows us to obtain, among other things, the address of the TLS array. Another small note: be sure you obtain the information from WoW's main (first) thread as the TLS array is thread specific.
Each entry in the TLS array is a pointer to another memory location, hurray! The first TLS entry is the only one we are interested in. The address in the first entry points to a table (let's call it MagicTable) that contains, among other things, a pointer to the address of the ObjectManager. The ObjectManager pointer is offset 8 bytes from the beginning of the table.
I am sure that was confusing; it takes a while to get a grasp of all the pointers. To help visualize it, I used some fancy ASCII art. Treat the values in brackets "[ ]" as byte offsets. The characters, "->" represent a pointer.
TIB[0x2C] -> TLS
TLS[0x00] -> MagicTable
MagicTable[0x08] -> ObjectManager
Last edited by Verletzer; 05-27-2011 at 06:43 PM.
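The pointer chain Verletzer describes, walked in C as an added example (not code from this thread): a reader callback stands in for whatever out-of-process read you use after getting the TEB address from NtQueryInformationThread, and the "address space" is a constructed buffer so the walk runs anywhere. The part worth copying is that every link is checked for NULL and readability before it is followed; on the wrong thread, or one whose TLS is not populated yet, the chain otherwise degenerates into a read near address zero.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Reader callback: 32-bit pointer at `addr` into *out; -1 if unreadable. */
typedef int (*read_u32_fn)(void *ctx, uint32_t addr, uint32_t *out);
/* Walk a 32-bit pointer chain: step i reads the pointer stored at
 * (current + offsets[i]). Returns -1 on a NULL link or unreadable address. */
int resolve_chain(read_u32_fn rd, void *ctx, uint32_t base,
                  const uint32_t *offsets, size_t n, uint32_t *out) {
    uint32_t cur = base;
    for (size_t i = 0; i < n; i++) {
        uint32_t next;
        if (cur == 0 || rd(ctx, cur + offsets[i], &next) != 0) return -1;
        cur = next;
    }
    *out = cur;
    return 0;
}

/* Constructed stand-in for the target's address space: a flat buffer
 * pretending to be mapped at FAKE_BASE (not a real process). */
#define FAKE_BASE 0x7ffd0000u
#define FAKE_SIZE 0x2000u
typedef struct { uint8_t mem[FAKE_SIZE]; } fake_space;

static int fake_read(void *ctx, uint32_t addr, uint32_t *out) {
    const fake_space *s = ctx;
    if (addr < FAKE_BASE || addr - FAKE_BASE > FAKE_SIZE - 4) return -1;
    memcpy(out, s->mem + (addr - FAKE_BASE), 4);
    return 0;
}

/* The post's chain: TIB[0x2C] -> TLS, TLS[0x00] -> MagicTable, MagicTable[0x08]
 * -> ObjectManager. 0x2C is the 32-bit TEB's TLS pointer slot (0x58 on 64-bit). */
static const uint32_t OBJMGR_CHAIN[] = { 0x2C, 0x00, 0x08 };
/* Lay out the three tables at TEB = FAKE_BASE and resolve ObjectManager; 0 on
 * failure. populate_tls == 0 leaves TLS[0] NULL (thread's TLS not set up yet),
 * so the walk must stop instead of reading address 0x8. */
uint32_t demo_object_manager(int populate_tls) {
    static fake_space s;
    memset(&s, 0, sizeof s);
    uint32_t tls = FAKE_BASE + 0x1000, magic = FAKE_BASE + 0x1800;
    uint32_t objmgr = FAKE_BASE + 0x1c00, out = 0;
    memcpy(s.mem + 0x2C, &tls, 4);                       /* TIB[0x2C] -> TLS */
    if (populate_tls) memcpy(s.mem + 0x1000, &magic, 4); /* TLS[0] -> MagicTable */
    memcpy(s.mem + 0x1808, &objmgr, 4);                  /* MagicTable[8] -> ObjMgr */
    return resolve_chain(fake_read, &s, FAKE_BASE, OBJMGR_CHAIN, 3, &out) == 0 ? out : 0;
}
```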