-
Member
Originally Posted by
djanius
Guys, tell me please, how to check whether the player is in combat? Many thanks in advance!
You're going to want to use the "Search Thread" feature on this thread for better answers than mine, but briefly:
- Get your unit's base address from object manager
- Combat status can be checked via movement flags or unit flags, but unit flags are what I will use for this example.
- Unit Flags are a descriptor, so we will now break our code down into the following steps:
PHP Code:
<?php
// this is pseudo-code: MemoryRead() stands for whatever routine reads a dword from the client process
// $wow_unit_base_address is the base address of the unit whose combat status we are checking

// wow unit offset to descriptor ptr
$descriptor_offset = 0x8;
// offset to unit flags from descriptor base address
$unit_field_unit_flags_offset = 0xB8;
// we will compare this combat flag using a bitwise operation to the value we read from the unit flags descriptor
$in_combat_flag_mask = 0x80000;

$descriptor_base_address = MemoryRead($wow_unit_base_address + $descriptor_offset, "dword");
$unit_flags = MemoryRead($descriptor_base_address + $unit_field_unit_flags_offset, "dword");
// $unit_flags will now contain the unit's flag data in a mask format, eg. 0x00080038
// 0x00080038 as an example is a hunter pet in combat: 0x30 = hunter pet, 0x8 = player or pet, 0x80000 = in combat

// bitwise comparison to see whether the combat flag is set
if (($unit_flags & $in_combat_flag_mask) == $in_combat_flag_mask) {
    // unit is in combat
    // do action
} else {
    // unit is not in combat
    // do action
}
-
Post Thanks / Like - 1 Thanks
djanius (1 members gave Thanks to RobertoSageto for this useful post)
-
Member
Hi, I posted a thread about this but this is probably the correct place... I am just starting to reverse the 1.12.1 client.
I've been trying to do the most basic thing I could think of - logging in via the client:
I've tried two methods of logging in: I've tried to call the DefaultServerLogin method at 0046D160, and also tried to call a method called by DefaultServerLogin that takes login/pass as arguments at 0046AFB0.
When I call the nested method the function call works, but all I see is the "Connecting" login box -- and when I try to call the top level DefaultServerLogin it doesn't recognize the GUI textboxes as valid....
0046D160
Code:
.text:0046D160 fn_DefaultServerLogin proc near ; DATA XREF: .data:00837484o
.text:0046D160 push esi
.text:0046D161 mov edx, 1
.text:0046D166 mov esi, ecx
.text:0046D168 call sub_6F3510 // returns 1 during normal execution, but during injection returns 0
.text:0046D16D test eax, eax
.text:0046D16F jz short loc_46D1AA // during injection makes this jump and ends function prematurely
.text:0046D171 mov edx, 2
.text:0046D176 mov ecx, esi
.text:0046D178 call sub_6F3510 // returns 1 during normal execution, but during injection returns 0
.text:0046D17D test eax, eax
.text:0046D17F jz short loc_46D1AA // during injection never makes it to this jump
.text:0046D181 push edi
.text:0046D182 mov edx, 2 ; ID of GUI textbox
.text:0046D187 mov ecx, esi ; base address
.text:0046D189 call fn_WoW_GetGUIData
.text:0046D18E mov edx, 1 ; ID of GUI textbox
.text:0046D193 mov ecx, esi ; base address
.text:0046D195 mov edi, eax ; password
.text:0046D197 call fn_WoW_GetGUIData
.text:0046D19C mov edx, edi ; password
.text:0046D19E mov ecx, eax ; username
.text:0046D1A0 call fn_DefaultServerLogin_Validate
.text:0046D1A5 pop edi
.text:0046D1A6 xor eax, eax
.text:0046D1A8 pop esi
.text:0046D1A9 retn
.text:0046D1AA ; ---------------------------------------------------------------------------
.text:0046D1AA
.text:0046D1AA loc_46D1AA: ; CODE XREF: fn_DefaultServerLogin+Fj
.text:0046D1AA ; fn_DefaultServerLogin+1Fj
.text:0046D1AA push offset aUsageDefaultse ; "Usage: DefaultServerLogin(\"accountName"...
.text:0046D1AF push esi
.text:0046D1B0 call sub_6F4940
.text:0046D1B0 fn_DefaultServerLogin endp
Here's my code:
Code:
// VanillaDll.cpp : Defines the exported functions for the DLL application.
//
#include "stdafx.h"
#include "Console.h"
#include <ctime>
#include <iostream>
#include <stdio.h>
#include <sstream>
#include <iomanip>
#include "Utils.h"

namespace Vanilla {
    // function-pointer types for the client routines called below; the addresses are assigned in Attach()
    typedef int(__thiscall *ppLogin)(char *login, char *pass);
    ppLogin pLogin = NULL;
    typedef int(__thiscall *ppDefaultLoginValidate)(char *login, char *pass);
    ppDefaultLoginValidate pValidate = NULL;
    typedef int(__thiscall *ppDefaultLogin)(DWORD ecx);
    ppDefaultLogin pDefaultLogin = NULL;
    typedef int(__stdcall *ppGetFuncPtrBase)();
    ppGetFuncPtrBase pGetFuncPtrBase = NULL;

    unsigned int __stdcall GETPTRBASE() {
        return pGetFuncPtrBase();
    }

    void __fastcall DefaultServerLogin() {
        DWORD ecx = pGetFuncPtrBase();
        pDefaultLogin(ecx);
    }

    void DefaultLogin(char* login, char* pass) {
        unsigned int address;
        //__asm mov edx, pass;
        __asm call GETPTRBASE;
        __asm mov address, eax;
        std::stringstream ss;
        ss << std::hex << address;
        std::string addressStr = ss.str();
        Utils::Log("Address is 0x%s", addressStr.c_str());
        __asm call pGetFuncPtrBase;
        __asm mov esi, eax;
        __asm mov edx, pass;
        pValidate(login, pass);
    }

    bool Attach(HINSTANCE DLL, VOID* Reserved) {
        Console::RedirectIOToConsole();
        Utils::Log("Hello were logging now....");
        //int(*hLogin)(char*,char*);
        pLogin = (ppLogin)0x005AB4B0;
        pDefaultLogin = (ppDefaultLogin)0x0046D160;
        pValidate = (ppDefaultLoginValidate)0x0046AFB0;
        pGetFuncPtrBase = (ppGetFuncPtrBase)0x007040D0;
        Utils::Log("Typedef set hook ready");
        Utils::Log("Calling login at address 0x0046AFB0");
        DefaultServerLogin();
        //pLogin("user", "pass");
        //DefaultLogin("user","pass");
        Utils::Log("Hook called");
        return true;
    }

    bool Detach() {
        return true;
    }
}
Calling 0046D160 should attempt to login with the current text contained in memory (expecting to get an "Enter a username" popup), but it simply gives me the invalid default info jump. One thing I notice is that naturally the method gets called from this method 006F6050.
This looks to me like a function ptr handler and checks if the ptr is pointing to a valid function within the binary's .text segment, but it's at this point I start to really hit trouble.
-
Member
Hey!
I'm trying to figure out how to work with Bit Slicer (memory editing tool for mac) to make simple cheat, however I can't manage to work any manually added address.
If I'm searching through a changeable value, it's fine. But I'm trying to figure out how to make a speedhack, for instance..
Base (wow.exe) + 0x0087BCD4 + 0x88 + 0x28 - this is what I found for player base, however how can I add it to Bit Slicer?
I've tried like [0x0087BCD4] + 0x88 + 0x28 because it seems like [] brackets make the address a pointer, but no success.
Has anyone been using Bit Slicer?
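Added example, not code from any poster in this thread: a small simulated memory image that walks through the two reads behind RobertoSageto's combat check earlier in the thread (unit base + 0x8 gives the descriptor pointer, descriptor + 0xB8 gives UNIT_FIELD_FLAGS, then a mask test against 0x80000) and the pointer-chain notation from the Bit Slicer post. The `MemoryImage` class, every address and value in `build_demo_image()`, and the flag names are constructed for the demo; the offsets and masks are the ones quoted in the thread. It assumes the Cheat Engine reading of "base + 0x0087BCD4 + 0x88 + 0x28", i.e. dereference after every offset except the last, and treats the resolved address as the unit base so the two pieces fit together. The mask test is written so multi-bit masks such as 0x30 only match when every bit is set.

```python
import struct

# Offsets and masks as quoted in the thread (1.12.1 client).
DESCRIPTOR_OFFSET = 0x8          # unit base + 0x8 -> descriptor pointer
UNIT_FIELD_FLAGS_OFFSET = 0xB8   # descriptor base + 0xB8 -> UNIT_FIELD_FLAGS
UNIT_FLAG_IN_COMBAT = 0x80000

# Flag names as the thread reads them; only used for describe_flags().
FLAG_NAMES = {
    0x8: "player_or_pet",
    0x30: "hunter_pet",
    UNIT_FLAG_IN_COMBAT: "in_combat",
}


class MemoryImage:
    """Sparse little-endian memory image (address -> one 4-byte cell).
    Stands in for a process-memory read; unmapped reads raise instead of
    returning garbage, so a wrong offset fails loudly."""

    def __init__(self):
        self._cells = {}

    def write_u32(self, addr, value):
        self._cells[addr] = struct.pack("<I", value)

    def read_u32(self, addr):
        cell = self._cells.get(addr)
        if cell is None:
            raise ValueError(f"unmapped read at 0x{addr:08X}")
        return struct.unpack("<I", cell)[0]


def resolve_chain(mem, base, offsets):
    """Assumed Cheat-Engine-style chain: dereference after every offset except
    the last, so [a, b, c] means [[base + a] + b] + c."""
    addr = base
    for off in offsets[:-1]:
        addr = mem.read_u32(addr + off)
        if addr == 0:
            raise ValueError(f"null pointer while resolving +0x{off:X}")
    return addr + offsets[-1]


def unit_flags(mem, unit_base):
    descriptor = mem.read_u32(unit_base + DESCRIPTOR_OFFSET)
    if descriptor == 0:
        raise ValueError("unit has a null descriptor pointer")
    return mem.read_u32(descriptor + UNIT_FIELD_FLAGS_OFFSET)


def has_flags(flags, mask):
    """True only if every bit of mask is set (matters for 0x30, a two-bit mask)."""
    return (flags & mask) == mask


def in_combat(mem, unit_base):
    return has_flags(unit_flags(mem, unit_base), UNIT_FLAG_IN_COMBAT)


def describe_flags(flags):
    return sorted(name for mask, name in FLAG_NAMES.items() if has_flags(flags, mask))


def build_demo_image():
    """Constructed image: module base 0x00400000, a two-hop pointer chain that
    lands on a unit whose descriptor holds 0x00080038 (the thread's example
    value for a hunter pet in combat). All addresses are invented."""
    mem = MemoryImage()
    module_base = 0x00400000
    unit_base = 0x1B000028
    descriptor = 0x1C000000
    mem.write_u32(module_base + 0x0087BCD4, 0x1A000000)     # first hop
    mem.write_u32(0x1A000000 + 0x88, 0x1B000000)             # second hop
    mem.write_u32(unit_base + DESCRIPTOR_OFFSET, descriptor)
    mem.write_u32(descriptor + UNIT_FIELD_FLAGS_OFFSET, 0x00080038)
    return mem, module_base


if __name__ == "__main__":
    mem, module_base = build_demo_image()
    unit = resolve_chain(mem, module_base, [0x0087BCD4, 0x88, 0x28])
    flags = unit_flags(mem, unit)
    print(f"unit 0x{unit:08X} flags 0x{flags:08X} {describe_flags(flags)} "
          f"in_combat={in_combat(mem, unit)}")
```

The loud failure on an unmapped or null pointer is the part worth keeping in real tooling: a silently wrong offset produces a plausible-looking dword, and a mask test on that dword will still return an answer.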
-
Member
Hello, just seeking a bit of information on converting a 3D point to a point on the screen.
When looking at recreating a World to Screen function, I found this.
World to screen
Specifically, the post that shows you can use an existing function for this.
Code:
0087202D CGWorldFrame__GetScreenCoordinates
The offset is for 7.1.0.22996, a client that I don't have and wouldn't know how to acquire to try and get a function signature.
Anybody found this in 1.12.1.5875? Had a search around the forums and the 1.12.1 binary, it's been proving to be a pain for me to find. Does that exact function date back this far? Should I bother, or just recreate World to Screen from reading memory?
Many thanks.
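Added example, not code from the thread or the client: a generic World to Screen written from scratch, for the "just recreate it from reading memory" option. It assumes an OpenGL-style right-handed camera with Z up, a row-major 4x4 view-projection matrix and a viewport whose y axis points down; the 1.12.1 client's own matrix layout, field of view and viewport conventions would have to be read out of the client, so treat the conventions here as assumptions and the camera in `demo_camera()` as constructed input. The function returns `None` for points behind the camera (clip w <= 0), which is the case a naive perspective divide gets wrong, and flags points outside the view frustum rather than silently projecting them onto the screen.

```python
import math
from typing import NamedTuple, Optional


def sub(a, b):
    return (a[0] - b[0], a[1] - b[1], a[2] - b[2])


def dot(a, b):
    return a[0] * b[0] + a[1] * b[1] + a[2] * b[2]


def cross(a, b):
    return (a[1] * b[2] - a[2] * b[1],
            a[2] * b[0] - a[0] * b[2],
            a[0] * b[1] - a[1] * b[0])


def normalize(v):
    n = math.sqrt(dot(v, v))
    if n == 0.0:
        raise ValueError("zero-length vector")
    return (v[0] / n, v[1] / n, v[2] / n)


def look_at(eye, target, up=(0.0, 0.0, 1.0)):
    """Right-handed view matrix (camera looks down -Z in view space), Z-up world."""
    f = normalize(sub(target, eye))   # forward
    s = normalize(cross(f, up))       # right
    u = cross(s, f)                   # true up
    return [
        [s[0], s[1], s[2], -dot(s, eye)],
        [u[0], u[1], u[2], -dot(u, eye)],
        [-f[0], -f[1], -f[2], dot(f, eye)],
        [0.0, 0.0, 0.0, 1.0],
    ]


def perspective(fov_y_deg, aspect, near, far):
    """OpenGL-style perspective projection; NDC z lands in [-1, 1] between near and far."""
    f = 1.0 / math.tan(math.radians(fov_y_deg) / 2.0)
    return [
        [f / aspect, 0.0, 0.0, 0.0],
        [0.0, f, 0.0, 0.0],
        [0.0, 0.0, (far + near) / (near - far), 2.0 * far * near / (near - far)],
        [0.0, 0.0, -1.0, 0.0],
    ]


def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(4)) for j in range(4)] for i in range(4)]


def mat_vec(m, v):
    return tuple(sum(m[i][k] * v[k] for k in range(4)) for i in range(4))


class ScreenPoint(NamedTuple):
    x: float
    y: float
    on_screen: bool   # False when the point lies outside the view frustum


def world_to_screen(view_proj, point, width, height) -> Optional[ScreenPoint]:
    """Project a world-space point to pixel coordinates (origin top-left, y down).
    Returns None for points on or behind the camera plane, where the perspective
    divide would flip the result onto the screen."""
    cx, cy, cz, cw = mat_vec(view_proj, (point[0], point[1], point[2], 1.0))
    if cw <= 1e-9:
        return None
    nx, ny, nz = cx / cw, cy / cw, cz / cw
    on_screen = -1.0 <= nx <= 1.0 and -1.0 <= ny <= 1.0 and -1.0 <= nz <= 1.0
    return ScreenPoint((nx + 1.0) * 0.5 * width, (1.0 - ny) * 0.5 * height, on_screen)


def demo_camera(width=800, height=800):
    """Constructed camera: 10 units south of the origin, looking north, 90 degree vertical FOV."""
    view = look_at(eye=(0.0, -10.0, 0.0), target=(0.0, 0.0, 0.0))
    proj = perspective(90.0, width / height, 1.0, 100.0)
    return mat_mul(proj, view)


if __name__ == "__main__":
    vp = demo_camera()
    for p in [(0.0, 0.0, 0.0), (5.0, 0.0, 0.0), (0.0, 0.0, 5.0), (0.0, -20.0, 0.0), (0.0, 200.0, 0.0)]:
        print(p, "->", world_to_screen(vp, p, 800, 800))
```

With the demo camera the origin lands in the centre of an 800x800 viewport, a point 5 units to the camera's right lands at x=600, a point 5 units up lands at y=200, a point behind the camera returns `None`, and a point beyond the far plane is returned with `on_screen=False`.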
-
Originally Posted by
hamgaacaan
Anybody found this in 1.12.1.5875? Had a search around the forums and the 1.12.1 binary, it's been proving to be a pain for me to find. Does that exact function date back this far? Should I bother, or just recreate World to Screen from reading memory?
Many thanks.
It exists in the 1.0.0 binary/pdb so it most likely exists in 1.12.1 too.
-
Elite User
Originally Posted by
hamgaacaan
Hello, just seeking a bit of information on converting a 3D point to a point on the screen.
When looking at recreating a World to Screen function, I found this.
World to screen
Specifically, the post that shows you can use an existing function for this.
Code:
0087202D CGWorldFrame__GetScreenCoordinates
The offset is for 7.1.0.22996, a client that I don't have and wouldn't know how to acquire to try and get a function signature.
Anybody found this in 1.12.1.5875? Had a search around the forums and the 1.12.1 binary, it's been proving to be a pain for me to find. Does that exact function date back this far? Should I bother, or just recreate World to Screen from reading memory?
Many thanks.
Haven't checked, just found it named in my idb:
00483EE0
-
Active Member
Can anyone confirm or deny that the client is able to send hardware id information to the server? I haven't found anything to suggest that in IDA yet but maybe someone here has found something.
-
There are a few cases where it can. If you submit a bug report it does. Also if the login server requests a hardware survey and streams an mpq to you with the module to run it.
-
-
Member
Edit: Nevermind, found it. My apologies... I actually found this offset earlier through CE debugger but somehow managed to muck up my notes or something... not sure, so just a simple mistake costing me a lot of extra time.
Oh well.
For 1.12.1, to get a player's experience points, read 0xB30 from descriptor base to get the current amount and 0xB34 to get the total amount (the amount needed to advance to the next level). Once you reach lv60 or max level, 0xB34 should be 0.
Thanks guys.
Last edited by RobertoSageto; 04-18-2017 at 06:41 PM.
Reason: Answered own question
-
Elite User
Could anyone help me out with pet stuff?
I am searching for a function like GetActivePetPtr() or something like that.
Was looking at GetPetHappiness located at 0x004be900 which calls:
call WoW.exe+68460 to get the active pet ptr; seems like it is fastcall and takes two parameters, not sure though.
Any help is much appreciated.
-
Contributor
Originally Posted by
asdfx123
Could anyone help me out with pet stuff?
I am searching for a function like GetActivePetPtr() or something like that.
Was looking at GetPetHappiness located at 0x004be900 which calls:
call WoW.exe+68460 to get the active pet ptr; seems like it is fastcall and takes two parameters, not sure though.
Any help is much appreciated.
Just enumerate through the object list looking for the owner GUID descriptor matching the player's GUID.
Edit: alternatively, it looks like it may store the pet GUID @ 0x00B714A0 (I can't confirm though, as I have no pet class to test on 1.12.1).
Last edited by danwins; 04-21-2017 at 05:24 AM.
-
Post Thanks / Like - 1 Thanks
asdfx123 (1 members gave Thanks to danwins for this useful post)
-
Elite User
Originally Posted by
danwins
Just enumerate through the object list looking for the owner GUID descriptor matching the player's GUID.
Edit: alternatively, it looks like it may store the pet GUID @ 0x00B714A0 (I can't confirm though, as I have no pet class to test on 1.12.1).
Just tested it, can confirm this. Damn, how dumb I am not looking into the GUID... lolz, my bad.
[edit]
Thanks for your help.
Last edited by asdfx123; 04-21-2017 at 06:28 AM.
-
Member
Does anyone know if you can retrieve the GUID of caster of a debuff in 1.12?
The Lua function UnitDebuff does not retrieve it (it was only added in 2.0, I think), but is it somewhere in memory?
-
Member
Does anyone know why I might be crashing when I'm calling the interact with object function?
I'm calling it remotely by making a code cave like so:
Code:
WoW.exe+034F - push 00 { 0 }
WoW.exe+0351 - mov ecx,OBJECTPTR
WoW.exe+0356 - call WoW.exe+1F8660
WoW.exe+035B - ret
I write the cave and address each time I call my interact function and then start a remote thread.
Code:
VirtualProtectEx(currentProcess, (LPVOID)(caveLocation), 20, PAGE_EXECUTE_READWRITE, &prevAccessProtection); // Remove protection of the section of memory.
WriteProcessMemory(currentProcess, LPVOID(caveLocation), cave, sizeof(cave), NULL);
WriteProcessMemory(currentProcess, LPVOID(pointerLocation), &object.addressStart, sizeof(object.addressStart), NULL);
HANDLE hThread = CreateRemoteThread(currentProcess, 0, 0, (LPTHREAD_START_ROUTINE)caveLocation, 0, 0, 0);
// close thread handle
CloseHandle(hThread);
This appears to crash about 50% of the time, and then the other 50% it seems to work without a problem.
Edit: I've been at this constantly for about 12 hours, and I'm not sure why, but I keep seeing errors like "0xC0000005 (ACCESS_VIOLATION) at 0023:0064B3FD" where the ending address changes between 2-4 different locations each time. Am I supposed to be calling the function only at a certain point, which would require me to be internal?
Last edited by larcerkev; 05-06-2017 at 07:22 PM.
-
Elite User
Originally Posted by
larcerkev
This appears to crash about 50% of the time, and then the other 50% it seems to work without a problem.
It's a thread problem; you have to call it within WoW's main thread.