[WoW] 1.12.1.5875 Info Dump Thread

[Jadd]

because they are all the same

That's a negative. Light's Hope has additional detection for movement cheats etc. And it's closed source, so no, I can't link you a reference.

[Saridormi]

because they are all the same:

this isn't true at all, you can't just look at open source emulator code to figure out what a specific server is doing

[dreadcraft]

Hey gents, quick question I was hoping you all could help out with.

For 1.12 - I'm writing an out of process bot in python for shits and gigs.
I am using the red error text aka CGGameUI__s_lastErrorString to see when I have certain UI issues going on.
But the game leaves the last string sitting at that address until the next error occurs, so it's hard to tell if this error is relevant.
Without hooking into any functions, would you know a way to make that determination?
I see that WoW!Sharp used the same address to detect ui errors but it would wipe it down afterwards by writing an arbitrary string to it ("You are Dead").
Is writing over the address after I have grabbed the error a safe solution?
Would elysium's warden detect me writing an empty byte string to CGGameUI__s_lastErrorString ?

Thanks in advance

[tutrakan]

this isn't true at all, you can't just look at open source emulator code to figure out what a specific server is doing

I was talking about the open source ones that have a lot of similarities.

Beside that, you both have a very good point, i didn't think about these custom anti cheats when i asked my question.

[Saridormi]

Hey gents, quick question I was hoping you all could help out with.

For 1.12 - I'm writing an out of process bot in python for shits and gigs.
I am using the red error text aka CGGameUI__s_lastErrorString to see when I have certain UI issues going on.
But the game leaves the last string sitting at that address until the next error occurs, so it's hard to tell if this error is relevant.
Without hooking into any functions, would you know a way to make that determination?
I see that WoW!Sharp used the same address to detect ui errors but it would wipe it down afterwards by writing an arbitrary string to it ("You are Dead").
Is writing over the address after I have grabbed the error a safe solution?
Would elysium's warden detect me writing an empty byte string to CGGameUI__s_lastErrorString ?

Thanks in advance

If you're writing memory you're not exactly "out of process" anymore :P

That said, if WoW never writes an empty string there then they *could* detect it, but I'd be surprised if they bothered seeing as they'd essentially have to track changes to it.

[dreadcraft]

Right you are Saridormi, none of my code currently does any memory writes, just reading.
For this occasion only I was considering it but I would rather not have to.
I just haven't come up with a better solution yet.
Thank you for your input.

[Saridormi]

Right you are Saridormi, none of my code currently does any memory writes, just reading.
For this occasion only I was considering it but I would rather not have to.
I just haven't come up with a better solution yet.
Thank you for your input.

I don't have anything off the top of my head but if I were to try and track it down, I'd maybe look for the timeout that gets set when the error message is shown.

Red errors appear on screen and fade out after a certain amount of time, so my guess is there's a member somewhere that tracks that.

[badusername1234]

char __fastcall CGWorldMap::GetWorldPosition(float* inPos, int mapid, float *outX, float* outY) is at 0x4a7360, it converts world coordinates (inPos) to 0-1 range map coordinates

does anyone have the function that does the inverse to this?

Edit: Oh I think I've found it at 0x4a7100 - the coordinates are weird though... I think I'm gonna need to read the area dbc to get this working?

[tutrakan]

char __fastcall CGWorldMap::GetWorldPosition(float* inPos, int mapid, float *outX, float* outY) is at 0x4a7360, it converts world coordinates (inPos) to 0-1 range map coordinates

does anyone have the function that does the inverse to this?

Edit: Oh I think I've found it at 0x4a7100 - the coordinates are weird though... I think I'm gonna need to read the area dbc to get this working?

I couldn't find such a func. It seems that you have to calculate it by yourself:

Code:

[StructLayout(LayoutKind.Sequential)]
public unsafe struct WowClientDB_Zone
{
    public Zone* m_records;
    public int m_numRecords;
    public Zone** m_recordsById;
    public int m_maxID; 
    public int m_loaded;
};

[StructLayout(LayoutKind.Sequential)]
public unsafe struct Zone
{
    public int Id;
    public int MapId;
    public int AreaId;
    public sbyte* InternalName;
    public float Left;
    public float Right;
    public float Top;
    public float Bottom;
};

[UnmanagedFunctionPointer(CallingConvention.StdCall)]
public delegate int GetMapAreaFromPos(float x, float y);
public static GetMapAreaFromPos _getMapAreaFromPos = Marshal.GetDelegateForFunctionPointer<GetMapAreaFromPos>((IntPtr)0x004A6EC0);

public static C3Vector MapToWorld(C2Vector map)
{
  	var ret = new C3Vector();

	var zoneid = _getMapAreaFromPos(map.X, map.Y);

	var zonedb = (WowClientDB_Zone*)0x00C0D5B4;

	if (zoneid >= 0 && zoneid <= zonedb->m_maxID)
	{
		var zone = zonedb->m_recordsById[zoneid];
		if (zone != null)
		{
			ret.X = zone->Top + map.Y * (zone->Bottom - zone->Top);
                        ret.Y = zone->Left + map.X * (zone->Right - zone->Left);
                        ret.Z = 25f;   // todo - FindMeshHeight
		}
	}
	return ret;
}

[badusername1234]

Not sure what the full enum is but some flags I've just found:

7 = yellow ? mark (you can hand in a quest)
5 = yellow ! mark (npc has a quest for you)
3 = silver ? mark (you have a quest in progress here)
1 = silver ! (quest too high level)

[youyanruyu]

I try to implement superfly hack with click-to-move in my bot, then find out that the pitch of character isn't used while walking. So it will only walk horizontally in air.
Looking for a solution to make it walk in air properly as if it is on a slope. Any ideas?
(Using air-swim hack with some fixes works fine, except it's slow speed.)

[danwins]

I try to implement superfly hack with click-to-move in my bot, then find out that the pitch of character isn't used while walking. So it will only walk horizontally in air.
Looking for a solution to make it walk in air properly as if it is on a slope. Any ideas?
(Using air-swim hack with some fixes works fine, except it's slow speed.)

Can't you just modify the swim speed to match your walking speed? I'm pretty sure setting swim state is the only way to "fly" properly on 1.12.1, check on the last page i posted a CETable with the movement struct including swim speed..

[youyanruyu]

Can't you just modify the swim speed to match your walking speed? I'm pretty sure setting swim state is the only way to "fly" properly on 1.12.1, check on the last page i posted a CETable with the movement struct including swim speed..

Pretty agree with your opinion that setting swim state is the only proper way. I realized that classic wow client itself doesn't implement any free fly function locally.
Why didn't I try to change swim speed? Some posts had mentioned that local speed of player is scanned by warden so I'm not sure if it's safe to do that.
Anyway, I'm trying to do more modifications to make it swim locally at running speed, and change swim packets to run packets before sending them.

[danwins]

They may scan the static speed presets to make sure you have not modified them but i don't believe they scan the global speed variable, or if they do there is some wiggle room for how strict it is, for example, the default value is 7.5, but you can set it to about 10-12 before you get disconnected.

Also I've not seen any servers ban for this, tho things may have changed, usually they will just disconnect you.

[dreadcraft]

Indoors Offset:

Code:

// offset is boolean, 1 == local player is indoors, 0 == local player might be outdoors but isn't necessarily so
// where WoW.exe = 0x400000 or your wow module base address
WoW.exe + 0x468608
WoW.exe + 0x706D44
WoW.exe + 0x8EAA60
WoW.exe + 0x7C8300

Just thought I would share this quick tidbit lads. I couldn't find an equivalent for 1.12 by searching so I thought I would share.
I'm using it to allow my bot to mount in BG's.
It's not perfect for this but if you add some additional checks, eg. track the distance you've covered since you were last indoors, it can be useful.
You can probably also use it for casting entangling roots and using travel form, etc.

Unfortunately I don't have any version of IDA or HexRays so I can't tell you exactly which of these offsets relates to what, but personally I am using 0x468608 as it is updated most frequently by the client in my tests. If someone has a better alternative to these or more information from an IDB please feel free to piggy-back.