[WoW] 1.12.1.5875 Info Dump Thread

  1. #16
    namreeb's Avatar Legendary

    My code to call __fastcall from C#:

    Code:
        using System;
        using System.Collections.Generic;
        using System.Linq;
        using System.Runtime.InteropServices;
    
        // Locator, Patcher and Utilities are helper classes from the poster's project and are not shown in this post.
        static class FastCall
        {
            // Builds a stdcall-callable thunk that forwards its arguments to a __fastcall function.
            public static T CreateToFastcall<T>(IntPtr functionPtr, string patchName) where T : class
            {
                var method = typeof(T).GetMethod("Invoke");
                if (method.GetParameters().Any(param => Marshal.SizeOf(param.ParameterType) != 4))
                    throw new ArgumentException("Only supports functions with 32 bit parameters");
    
                var parameterCount = method.GetParameters().Length;
    
                var payload = new List<byte>();
    
                payload.Add(0x55);                                  // push ebp
                payload.AddRange(new byte[] { 0x89, 0xE5 });        // mov ebp, esp
                payload.AddRange(new byte[] { 0x8B, 0x4D, 0x08 });  // mov ecx, [ebp+0x08]
                payload.AddRange(new byte[] { 0x8B, 0x55, 0x0C });  // mov edx, [ebp+0x0C]
    
                // __fastcall takes its stack arguments right to left, so push the last one first.
                // eax is used as scratch because ebx is callee-saved and must not be clobbered.
                for (var i = parameterCount - 3; i >= 0; i--)
                {
                    payload.AddRange(new byte[] { 0x8B, 0x45, (byte)(0x10 + 4*i) });    // mov eax, [ebp+0x10+4*i]
                    payload.Add(0x50);                                                  // push eax
                }
    
                // index of the rel32 operand that follows the E8 opcode
                var callOpcodeLocation = payload.Count + 1;
    
                payload.AddRange(new byte[] { 0xE8, 0x00, 0x00, 0x00, 0x00 });  // call function
    
                // always undo the prologue, otherwise retn would pop the saved ebp as the return address
                payload.AddRange(new byte[] { 0x89, 0xEC });    // mov esp, ebp
                payload.Add(0x5D);                              // pop ebp
    
                payload.Add(0xC2);
                payload.AddRange(BitConverter.GetBytes((ushort)(parameterCount * 4)));     // retn 4 * paramCount
    
                var payloadPtr = Locator.PayloadSpace(payload.Count);
    
                // rel32 is relative to the instruction after the call, which starts 4 bytes past the operand
                var functionCall = functionPtr.ToInt32() - payloadPtr.ToInt32() - callOpcodeLocation - 4;
    
                // update payload
                payload[callOpcodeLocation + 0] = (byte)functionCall;
                payload[callOpcodeLocation + 1] = (byte)(functionCall >> 8);
                payload[callOpcodeLocation + 2] = (byte)(functionCall >> 16);
                payload[callOpcodeLocation + 3] = (byte)(functionCall >> 24);
    
                // deposit payload
                Patcher.CreatePatch(new Patcher.Patch(payloadPtr, payload.ToArray(), patchName));
    
                return Utilities.RegisterDelegate<T>(payloadPtr);
            }
    
            // Removes the thunk that was written under the given patch name.
            public static void RemoveToFastcall(string patchName)
            {
                Patcher.RemovePatch(patchName);
            }
        }
    Last edited by namreeb; 10-26-2012 at 01:52 AM. Reason: Updated code. Thanks Cypher!
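
Viewed from the integrity-checking side, the thunk this post writes into the process has a recognizable byte shape: the fixed prologue, optional mov/push pairs, an `E8` call and a `C2` return. The following added example (not part of the original post or the poster's project) scans a memory image for that shape and decodes where the call lands; the base address, target address and sample image are constructed, and the function names are hypothetical.

```python
import struct

# push ebp; mov ebp,esp; mov ecx,[ebp+8]; mov edx,[ebp+0Ch]
PROLOGUE = bytes.fromhex("5589e58b4d088b550c")
EPILOGUE = bytes.fromhex("89ec5d")  # mov esp,ebp; pop ebp

def decode_thunk(image, base, start):
    """Decode a candidate thunk at offset `start`; return a dict or None."""
    i, stack_args = start + len(PROLOGUE), 0
    # Zero or more pairs: mov r32,[ebp+disp8] (8B, mod=01 rm=101); push r32
    while (i + 4 <= len(image) and image[i] == 0x8B
           and (image[i + 1] & 0xC7) == 0x45
           and image[i + 3] == (0x50 | ((image[i + 1] >> 3) & 7))):
        stack_args += 1
        i += 4
    if i + 5 > len(image) or image[i] != 0xE8:  # call rel32
        return None
    rel32 = struct.unpack_from("<i", image, i + 1)[0]
    target = (base + i + 5 + rel32) & 0xFFFFFFFF  # relative to the next instruction
    i += 5
    restores_ebp = image[i:i + 3] == EPILOGUE
    i += 3 if restores_ebp else 0
    if i + 3 > len(image) or image[i] != 0xC2:  # retn imm16
        return None
    ret_bytes = struct.unpack_from("<H", image, i + 1)[0]
    return {"va": base + start, "target": target, "stack_args": stack_args,
            "ret_bytes": ret_bytes, "restores_ebp": restores_ebp}

def find_thunks(image, base):
    """Scan a memory image (bytes) mapped at `base` for every matching thunk."""
    hits, pos = [], image.find(PROLOGUE)
    while pos != -1:
        hit = decode_thunk(image, base, pos)
        if hit:
            hits.append(hit)
        pos = image.find(PROLOGUE, pos + 1)
    return hits

def constructed_sample(base=0x10000000, target=0x00401000, at=0x20):
    """Constructed image: one 3-parameter thunk surrounded by zero padding."""
    body = PROLOGUE + bytes.fromhex("8b5d1053")  # mov ebx,[ebp+10h]; push ebx
    call_va = base + at + len(body)
    body += b"\xE8" + struct.pack("<i", target - (call_va + 5))
    body += EPILOGUE + b"\xC2" + struct.pack("<H", 12)  # retn 0Ch
    return bytes(at) + body + bytes(16)

if __name__ == "__main__":
    for hit in find_thunks(constructed_sample(), 0x10000000):
        print({k: hex(v) if k in ("va", "target") else v for k, v in hit.items()})
```

A hit whose decoded target falls inside the main module's code section while the thunk itself sits in memory that is not backed by the module on disk is the combination worth reporting.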

  2. #17
    namreeb's Avatar Legendary

    Bump to let people know this thread has been renamed to the info dump thread for 1.12.1.5875 and I've added some useful function addresses to the first post.

  3. #18
    LogicWin's Avatar Master Sergeant
    Anyone got the Endscene offset?

  4. #19
    namreeb's Avatar Legendary

    EndScene is not always in the same place, but this is the function that calls it (at 0x5A17B6)

    Code:
    .text:005A17A0                         CGxDeviceD3d__ISceneEnd proc near       ; CODE XREF: sub_59A870+2Dp
    .text:005A17A0                                                                 ; CGxDeviceD3d__ScenePresent+2Ap
    .text:005A17A0 56                                      push    esi
    .text:005A17A1 8B F1                                   mov     esi, ecx
    .text:005A17A3 8B 86 38 3A 00 00                       mov     eax, [esi+3A38h]
    .text:005A17A9 85 C0                                   test    eax, eax
    .text:005A17AB 74 19                                   jz      short loc_5A17C6
    .text:005A17AD 8B 86 A8 38 00 00                       mov     eax, [esi+38A8h]
    .text:005A17B3 8B 08                                   mov     ecx, [eax]
    .text:005A17B5 50                                      push    eax
    .text:005A17B6 FF 91 A8 00 00 00                       call    dword ptr [ecx+0A8h]
    .text:005A17BC C7 86 38 3A 00 00 00 00+                mov     dword ptr [esi+3A38h], 0
    .text:005A17C6
    .text:005A17C6                         loc_5A17C6:                             ; CODE XREF: CGxDeviceD3d__ISceneEnd+Bj
    .text:005A17C6 5E                                      pop     esi
    .text:005A17C7 C3                                      retn
    .text:005A17C7                         CGxDeviceD3d__ISceneEnd endp

  5. #20
    namreeb's Avatar Legendary

    Speaking of EndScene, an easy way to disable rendering is:

    Code:
            public static bool Enabled
            {
                get { return Marshal.ReadInt32(Locator.CGxDeviceD3d__device, 0xF2C) == 0; }
                set { Marshal.WriteInt32(Locator.CGxDeviceD3d__device, 0xF2C, value ? 0 : 1); }
            }
    
            #region CGxDeviceD3d::device
            public static IntPtr CGxDeviceD3d__device
            {
                get { return Marshal.ReadIntPtr(new IntPtr(0xC0ED38)); }
            }
            #endregion
    Note that 'Enabled' means enabling the feature which disables rendering.

    Edit: Note also that this will prevent EndScene from being called, so if you do stuff there that stuff won't happen with this enabled.
    Last edited by namreeb; 09-04-2011 at 01:26 PM.

  6. #21
    namreeb's Avatar Legendary

    Bumping because I changed my __fastcall trampoline code above.

  7. #22
    MartyT's Avatar Active Member
    hihi

    my code to fastcall

    Code:
    extern "C"
    {
      void __declspec(dllexport) __declspec(naked) InvokeFastcall()
      {
        __asm
        {
          pop edx
          XCHG DWORD PTR SS:[ESP+8],EDX
          pop eax
          pop ecx
          jmp eax
        }
      }
    }
    Code:
    		[DllImport("AppdomainManager.dll", EntryPoint = "InvokeFastcall", CallingConvention = CallingConvention.StdCall)]
    		private unsafe static extern int Player_GetProperty_Stub(IntPtr address, Player* playerObject, int property);
    
    		public unsafe static int Player_GetProperty(Player* player, int property)
    		{
    			return Player_GetProperty_Stub(Pointer_Player_GetProperty, player, property);
    		}

  8. #23
    hamburger12's Avatar Contributor CoreCoins Purchaser
    Code:
    MinimapZoneText = 0x74DA28
    SubZoneText = 0x74E280
    RealZoneText = 0x74B404
    ZoneText = 0x74B3F8
    ClickToMoveX = 0x84DA84
    ClickToMovePus = 0x84D93C / 0/1
    ObjectManager = 0x741414
    FirstObj = 0xAC
    NextObj = 0x3C
    Playerbase = 0x853D40
    //Untested
    Last edited by hamburger12; 02-09-2012 at 11:53 AM.

  9. #24
    namreeb's Avatar Legendary

    Reputation
    658
    Join Date
    Sep 2008
    Posts
    1,023
    Thanks G/R
    7/215
    Trade Feedback
    0 (0%)
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    Moved to first post.
    Last edited by namreeb; 06-23-2017 at 12:08 PM.

  10. #25
    Jadd's Avatar 🐸
    No patching is needed for swim hack - just use 0x00200000 | 0x00000400.

    I'll post some more hacks here soon.

  11. #26
    namreeb's Avatar Legendary

    Reputation
    658
    Join Date
    Sep 2008
    Posts
    1,023
    Thanks G/R
    7/215
    Trade Feedback
    0 (0%)
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    Hmm, yeah that works better

  12. #27
    drassian's Avatar Member
    So, I've found player x/y/z and camera angle

    Code:
    	  $CurrentRotationOfCam 			= _MemoryRead(0x00CE9B90, $DLLInformation, 'float')
    	  $CurrentZ					= _MemoryRead(0x00225C28, $DLLInformation, 'float')
    	  $CurrentX					= _MemoryRead(0x00C62524, $DLLInformation, 'float')
    	  $CurrentY					= _MemoryRead(0x00C62528, $DLLInformation, 'float')
    For some reason the static pointers came up straight away?

    However for 'player rotation' I've found the dynamic addresses and tried to find the static pointer but I seem to be going wrong somewhere and end up looping around?

    If anyone can help me find the static address for 'player rotation' that would be a huge help - thanks (or a tut)

  13. #28
    Frosttall's Avatar Active Member
    Originally Posted by drassian
    If anyone can help me find the static address for 'player rotation' that would be a huge help - thanks (or a tut)
    Try this tutorial
    http://www.ownedcore.com/forums/worl...ple-stuff.html ([Tutorial] How to find simple stuff)

  14. #29
    racoon1993's Avatar Private
    I found:
    playername: wowBaseAddress + 0x827D88
    targetGUID: wowBaseAddress + 0x74E2D4
    playerfacing: (wowBaseAddress + 0x86326C) + 0x78
    playerX: wowBaseAddress + 0x862520
    playerY: wowBaseAddress + 0x862524
    playerZ: wowBaseAddress + 0x862528

    //it is a bit buggy and not every time correct... I don't know why
    player health: ((0x18C2E0) + 0x110) + 0x40

    I'm searching for the correct x y z from the player's target...
    if someone could please look into it :/

  15. #30
    Frosttall's Avatar Active Member
    Originally Posted by racoon1993
    I found:
    playername: wowBaseAddress + 0x827D88
    targetGUID: wowBaseAddress + 0x74E2D4
    playerfacing: (wowBaseAddress + 0x86326C) + 0x78
    playerX: wowBaseAddress + 0x862520
    playerY: wowBaseAddress + 0x862524
    playerZ: wowBaseAddress + 0x862528

    //it is a bit buggy and not every time correct... I don't know why
    player health: ((0x18C2E0) + 0x110) + 0x40

    I'm searching for the correct x y z from the player's target...
    if someone could please look into it :/
    You have to use the object manager for that. Loop through the object list and compare the GUID of the objects with TargetGUID and return the object which has the same GUID.
