[WoW] 1.12.1.5875 Info Dump Thread

[DarkLinux]

wow-one Warsong (30min scan)

Code:

EverScan 
By : Darklinux @ Ever-Devs.com / OwnedCore.com 

Address : 0x7c63da     Size : 0x3  //NoFallDamage
Address : 0x618919     Size : 0x4
Address : 0x7c625e     Size : 0x2  //InfiniteJump
Address : 0x7c4955     Size : 0x3
Address : 0x7c6272     Size : 0x4  //JumpGravity
Address : 0x615cf5     Size : 0x1  //AntiMove
Address : 0x7c6206     Size : 0xb
Address : 0x6163db     Size : 0x3  //AntiRoot
Address : 0x615ba7     Size : 0x4  //HeartbeatInterval
Address : 0x6341bc     Size : 0x2  //SuperFly
Address : 0x7c6269     Size : 0x4  //JumpGravityWater

Done

Looks like they are only scanning for Jadd's hack...
http://www.ownedcore.com/forums/worl...ml#post2436167 ([WoW] 1.12.1.5875 Info Dump Thread)

[DarkLinux]

@culino2
They do a lot of pointless scans by the looks of it. They normally have a size of zero and the address are all over the place. I let it run and it was up around the 300 market lols.

Also could you not just unlink the dll to bypass the dll file name hash?

Going to look into what else they scan a little more, thanks for the info

[DarkLinux]

It does not look like they do any self checks, but I dont know how safe it would be to start patching all this stuff. Thanks for the tip on using mod32first/next. Anything else I should look out for? How much have they reversed? Could they load any module they want?

[Master674]

I guess they can't load custom/modified modules. Dunno if there is more than one 1.12.1 module.
They could add a signature check without using mod32, they may implement/enable it later, so watch their scans.

They could. There is a bug in warden which could allow you to use arbitrary modules. And also spread around viruses n' shit.

[namreeb]

Yes there is a way to perform arbitrary code execution with Warden. I highly doubt anyone there will be able to figure it out, though.

@culino2
They do a lot of pointless scans by the looks of it. They normally have a size of zero and the address are all over the place. I let it run and it was up around the 300 market lols.

Also could you not just unlink the dll to bypass the dll file name hash?

Going to look into what else they scan a little more, thanks for the info

Are you sure about this? I haven't played there for six months or so but when I stopped all of their scans had a purpose..

[Master674]

Yes there is a way to perform arbitrary code execution with Warden. I highly doubt anyone there will be able to figure it out, though.



Are you sure about this? I haven't played there for six months or so but when I stopped all of their scans had a purpose..

Let's hope so. Cuz I don't really wanna be infected with viruses next time I log in to some random private server.

[namreeb]

Not to sound arrogant, but to my knowledge nobody has been able to reproduce it except me, and I haven't shared the details with anyone.

[DarkLinux]

The trace program I'm using will not attach to wow Anyone know of a function like,

RunMacro(id or "name") - Runs a macro.
RunMacroText("macro") - Interpret the given string as a macro and run it.

[namreeb]

I don't know how to run macros, but I can show you how to execute Lua code. Would that help? Are you in C# or C++?

[DarkLinux]

Well I found this addon called QuickHeal... Was going for something simple... I think I can call the lua code with RunScript, just need to find the function... I am using C++ and have doString and all that stuff working.

[namreeb]

Okay well one suggestion would be to put a conditional breakpoint on the packet sending function to have it pause only if the opcode is CMSG_LOGOUT_REQUEST or whatever. Then do /logout and go up a few frames in the stack to see where it came from.

[Sacred]

Some warden scans.

Code:

<?xml version="1.0"?>
<ArrayOfWardenScan xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <WardenScan>
    <Offset>0x00846F98</Offset>
    <Length>6</Length>
    <Bytes>77-69-6E-64-6F-77</Bytes>
    <Dynamic>0</Dynamic>
  </WardenScan>
  <WardenScan>
    <Offset>0x00000000</Offset>
    <Length>4</Length>
    <Bytes>78-AF-80-00</Bytes>
    <Dynamic>1</Dynamic>
    <Base>PlayerBase</Base>
  </WardenScan>
  <WardenScan>
    <Offset>0x000009E8</Offset>
    <Length>4</Length>
    <Bytes>00-00-00-00</Bytes>
    <Dynamic>1</Dynamic>
    <Description>MovementFlags</Description>
    <Base>PlayerBase</Base>
  </WardenScan>
  <WardenScan>
    <Offset>0x00000A2C</Offset>
    <Length>4</Length>
    <Bytes>00-00-00-00</Bytes>
    <Dynamic>1</Dynamic>
    <Base>PlayerBase</Base>
  </WardenScan>
  <WardenScan>
    <Offset>0x00000A34</Offset>
    <Length>4</Length>
    <Bytes>00-00-E0-40</Bytes>
    <Dynamic>1</Dynamic>    
    <Description>Speedhack</Description>
    <Base>PlayerBase</Base>
  </WardenScan>
  <WardenScan>
    <Offset>0x00000A60</Offset>
    <Length>4</Length>
    <Bytes>00-00-80-3F</Bytes>
    <Dynamic>1</Dynamic>
    <Description>Noclip</Description>
    <Base>PlayerBase</Base>
  </WardenScan>
  <WardenScan>
    <Offset>0x00001DC8</Offset>
    <Length>4</Length>
    <Bytes>46-00-00-00</Bytes>
    <Dynamic>1</Dynamic>
    <Base>PlayerBase</Base>
  </WardenScan>
  <WardenScan>
    <Offset>0x00846F64</Offset>
    <Length>6</Length>
    <Bytes>68-65-61-64-65-72</Bytes>
    <Dynamic>0</Dynamic>
  </WardenScan>
  <WardenScan>
    <Offset>0x007C4D41</Offset>
    <Length>7</Length>
    <Bytes>D9-81-8C-00-00-00-8B</Bytes>
    <Dynamic>0</Dynamic>
  </WardenScan>
  <WardenScan>
    <Offset>0x0080DFFC</Offset>
    <Length>4</Length>
    <Bytes>BB-8D-24-3F</Bytes>
    <Dynamic>0</Dynamic>
    <Description>WallClimb</Description>
  </WardenScan>
  <WardenScan>
    <Offset>0x007C4955</Offset>
    <Length>1</Length>
    <Bytes>8B</Bytes>
    <Dynamic>0</Dynamic>
  </WardenScan>
  <WardenScan>
    <Offset>0x00618917</Offset>
    <Length>6</Length>
    <Bytes>E8-24-DA-1A-00-5D</Bytes>
    <Dynamic>0</Dynamic>
  </WardenScan>
  <WardenScan>
    <Offset>0x007C6E83</Offset>
    <Length>7</Length>
    <Bytes>81-66-40-3F-FF-DF-FF</Bytes>
    <Dynamic>0</Dynamic>
  </WardenScan>
  <WardenScan>
    <Offset>0x004901C8</Offset>
    <Length>15</Length>
    <Bytes>5E-FF-48-00-6B-FF-48-00-78-FF-48-00-95-FF-48</Bytes>
    <Dynamic>0</Dynamic>
  </WardenScan>
  <WardenScan>
    <Offset>0x0048FF52</Offset>
    <Length>11</Length>
    <Bytes>83-F8-03-77-34-FF-24-85-C8-01-49</Bytes>
    <Dynamic>0</Dynamic>
  </WardenScan>
  <WardenScan>
    <Offset>0x006341BC</Offset>
    <Length>2</Length>
    <Bytes>74-25</Bytes>
    <Dynamic>0</Dynamic>
    <Description>SuperFly</Description>
  </WardenScan>
  <WardenScan>
    <Offset>0x007C63DA</Offset>
    <Length>3</Length>
    <Bytes>8B-4F-78</Bytes>
    <Dynamic>0</Dynamic>
    <Description>NoFallDamage</Description>
  </WardenScan>
  <WardenScan>
    <Offset>0x007C625F</Offset>
    <Length>1</Length>
    <Bytes>75</Bytes>
    <Dynamic>0</Dynamic>
    <Description>AntiJump</Description>
  </WardenScan>
  <WardenScan>
    <Offset>0x00615CF5</Offset>
    <Length>1</Length>
    <Bytes>F8</Bytes>
    <Dynamic>0</Dynamic>
    <Description>AntiMove</Description>
  </WardenScan>
  <WardenScan>
    <Offset>0x006163DB</Offset>
    <Length>3</Length>
    <Bytes>8A-47-4D</Bytes>
    <Dynamic>0</Dynamic>
    <Description>AntiRoot</Description>
  </WardenScan>
  <WardenScan>
    <Offset>0x007C625C</Offset>
    <Length>3</Length>
    <Bytes>F6-C4-30</Bytes>
    <Dynamic>0</Dynamic>
  </WardenScan>
  <WardenScan>
    <Offset>0x007C6272</Offset>
    <Length>4</Length>
    <Bytes>D8-93-FE-C0</Bytes>
    <Dynamic>0</Dynamic>
    <Description>JumpGravity</Description>
  </WardenScan>
  <WardenScan>
    <Offset>0x007C6269</Offset>
    <Length>4</Length>
    <Bytes>48-8C-11-C1</Bytes>
    <Dynamic>0</Dynamic>
    <Description>JumpGravityWater</Description>
  </WardenScan>
  <WardenScan>
    <Offset>0x007C6206</Offset>
    <Length>11</Length>
    <Bytes>25-FF-FF-DF-FB-0D-00-20-00-00-89</Bytes>
    <Dynamic>0</Dynamic>
    <Description>AirSwimHack</Description>
  </WardenScan>
</ArrayOfWardenScan>

Hashes:

Code:

SHA1: 0xC419521B6D39990C1D95329C8D94B59226CBAA98 (WpeSpy.dll)
SHA1: 0xE701343E439C74B675C72BBE2D8810A745569913 (Unknown)

[Jadd]

Some warden scans.

You might want to include which server this was on.

[Sacred]

You might want to include which server this was on.

Oh i forgot, it's valkyrie-wow


ClientDB offsets.

Code:

    public enum ClientDb
    {
        AnimationData = 0xC0E06C,
        AreaPOI = 0xC0E058,
        AreaTable = 0xC0E044,
        AreaTrigger = 0xC0E030,
        AttackAnimKits = 0xC0E01C,
        AttackAnimTypes = 0xC0E004,
        AuctionHouse = 0xC0DFF0,
        BankBagSlotPrices = 0xC0DFDC,
        CameraShakes = 0xC0DFC8,
        Cfg_Categories = 0xC0DFB4,
        Cfg_Configs = 0xC0DFA0,
        CharBaseInfo = 0xC0DF8C,
        CharHairGeosets = 0xC0DF78,
        CharSections = 0xC0DF64,
        CharStartOutfit = 0xC0DF50,
        CharVariations = 0xC0DF3C,
        CharacterFacialHairStyles = 0xC0DF28,
        ChatChannels = 0xC0DF14,
        ChatProfanity = 0xC0DF00,
        ChrClasses = 0xC0DEEC,
        ChrRaces = 0xC0DED8,
        CinematicCamera = 0xC0DEC4,
        CinematicSequences = 0xC0DEB0,
        CreatureDisplayInfo = 0xC0DE88,
        CreatureDisplayInfoExtra = 0xC0DE9C,
        CreatureFamily = 0xC0DE74,
        CreatureModelData = 0xC0DE60,
        CreatureSoundData = 0xC0DE4C,
        CreatureSpellData = 0xC0DE38,
        CreatureType = 0xC0DE24,
        DeathThudLookups = 0xC0DE10,
        DurabilityQuality = 0xC0DDE8,
        DurabilityCosts = 0xC0DDFC,
        Emotes = 0xC0DDD4,
        EmotesText = 0xC0DD98,
        EmotesTextData = 0xC0DDC0,
        EmotesTextSound = 0xC0DDAC,
        EnvironmentalDamage = 0xC0DD84,
        Exhaustion = 0xC0DD70,
        Faction = 0xC0DD48,
        FactionGroup = 0xC0DD5C,
        FactionTemplate = 0xC0DD34,
        FootprintTextures = 0xC0DD20,
        FootstepTerrainLookup = 0xC0DD0C,
        GameObjectArtKit = 0xC0DCF8,
        GameObjectDisplayInfo = 0xC0DCE4,
        GameTips = 0xC0DCD0,
        GMSurveyCurrentSurvey = 0xC0DCBC,
        GMSurveyQuestions = 0xC0DCA8,
        GMSurveySurveys = 0xC0DC94,
        GMTicketCategory = 0xC0DC80,
        GroundEffectDoodad = 0xC0DC6C,
        GroundEffectTexture = 0xC0DC58,
        HelmetGeosetVisData = 0xC0DC44,
        ItemBagFamily = 0xC0DC30,
        ItemClass = 0xC0DC1C,
        ItemDisplayInfo = 0xC0DC08,
        ItemGroupSounds = 0xC0DBF4,
        ItemPetFood = 0xC0DBE0,
        ItemRandomProperties = 0xC0DBCC,
        ItemSet = 0xC0DBB8,
        ItemSubClass = 0xC0DB90,
        ItemSubClassMask = 0xC0DBA4,
        ItemVisualEffects = 0xC0DB7C,
        ItemVisuals = 0xC0DB68,
        LanguageWords = 0xC0DB54,
        Languages = 0xC0DB40,
        LfgDungeons = 0xC0DB2C,
        Light = 0xCE9D60,
        LightFloatBand = 0xCE9D88,
        LightIntBand = 0xCE9D9C,
        LightParams = 0xCE9D74,
        LightSkybox = 0xCE9DB0,
        LiquidType = 0xC0DB18,
        LoadingScreens = 0xC0DB04,
        LoadingScreenTaxiSplines = 0xC0DAF0,
        Lock = 0xC0DADC,
        LockType = 0xC0DAC8,
        MailTemplate = 0xC0DAB4,
        Map = 0xC0DAA0,
        Material = 0xC0DA8C,
        NameGen = 0xC0DA78,
        NPCSounds = 0xC0DA64,
        NamesProfanity = 0xC0DA50,
        NamesReserved = 0xC0DA3C,
        Package = 0xC0DA28,
        PageTextMaterial = 0xC0DA14,
        PaperDollItemFrame = 0xC0DA00,
        PetLoyalty = 0xC0D9EC,
        PetPersonality = 0xC0D9D8,
        QuestInfo = 0xC0D9C4,
        QuestSort = 0xC0D9B0,
        Resistances = 0xC0D99C,
        ServerMessages = 0xC0D988,
        SheatheSoundLookups = 0xC0D974,
        SkillCostsData = 0xC0D960,
        SkillLineAbility = 0xC0D94C,
        SkillLineCategory = 0xC0D938,
        SkillLine = 0xC0D924,
        SkillRaceClassInfo = 0xC0D910,
        SkillTiers = 0xC0D8FC,
        SoundAmbience = 0xC0D8E8,
        SoundEntries = 0xC0D8D4,
        SoundProviderPreferences = 0xC0D8C0,
        SoundSamplePreferences = 0xC0D8AC,
        SoundWaterType = 0xC0D898,
        SpamMessages = 0xC0D884,
        SpellCastTimes = 0xC0D870,
        SpellCategory = 0xC0D85C,
        SpellChainEffects = 0xC0D848,
        Spell = 0xC0D780,
        SpellDispelType = 0xC0D834,
        SpellDuration = 0xC0D820,
        SpellEffectCameraShakes = 0xC0D80C,
        SpellFocusObject = 0xC0D7F8,
        SpellIcon = 0xC0D7E4,
        SpellItemEnchantment = 0xC0D7D0,
        SpellMechanic = 0xC0D7BC,
        SpellRadius = 0xC0D7A8,
        SpellRange = 0xC0D794,
        SpellShapeshiftForm = 0xC0D76C,
        SpellVisual = 0xC0D730,
        SpellVisualEffectName = 0xC0D758,
        SpellVisualKit = 0xC0D744,
        StableSlotPrices = 0xC0D71C,
        Stationery = 0xC0D708,
        StringLookups = 0xC0D6F4,
        Talent = 0xC0D6E0,
        TalentTab = 0xC0D6CC,
        TaxiNodes = 0xC0D6B8,
        TaxiPath = 0xC0D690,
        TaxiPathNode = 0xC0D6A4,
        TerrainType = 0xC0D67C,
        TerrainTypeSounds = 0xC0D668,
        TransportAnimation = 0xC0D654,
        UISoundLookups = 0xC0D640,
        UnitBlood = 0xC0D618,
        UnitBloodLevels = 0xC0D62C,
        VocalUISounds = 0xC0D604,
        WMOAreaTable = 0xC0D5F0,
        WeaponImpactSounds = 0xC0D5DC,
        WeaponSwingSounds2 = 0xC0D5C8,
        WorldMapArea = 0xC0D5B4,
        WorldMapContinent = 0xC0D5A0,
        WorldMapOverlay = 0xC0D58C,
        WorldSafeLocs = 0xC0D578,
        WorldStateUI = 0xC0D564,
        ZoneIntroMusic = 0xC0D550,
        ZoneMusic = 0xC0D53C,
    }

Some hacks

Code:

WaterWalk = 0x631610,
RemoveLuaProtection = 0x494A57,
ShowAllLevels = 0x518062,
UnderstandAllLanguages = 0x5EC720

[DarkLinux]

Thanks Sacred for the UnderstandAllLanguages hack

Has anyone run into the function that updates the player model, for something like a morph hack?