The most interesting thing is that the module seems to change on every logon. Or does it load at a more random address than before?
Uploadfiles.io - 154c3f90.bin
Uploadfiles.io - 154c5f20.bin
Uploadfiles.io - 15603d00.bin
Last edited by tutrakan; 12-15-2017 at 04:47 PM.
I'm guessing they're cycling from these: WardenSigning/WardenModules at master * namreeb/WardenSigning * GitHub
not really that surprising honestly. I expected to see it sooner.
You can always check what module was loaded after exiting the client by looking at this file:
Code:
World of Warcraft\WDB\wowcache.wdb
struct looks like this:
Code:
wowcache.wdb_header ( size 0x2C )
offset  size  desc
0x00    0x04  'WRDN' magic
0x04    0x04  client build eg '5875'
0x08    0x04  client locale eg 'enUS'
0x0C    0x04  unk
0x10    0x04  unk2
0x14    0x10  MD5 sum of the warden module.
0x24    0x04  record length.
0x28    0x04  Length of the next field (always record length -0x4)
0x2C    0x??  encrypted module
at 0x14 is the module md5.
If warden was loaded during the session you should expect to see it cached in this file after exiting the client.
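As an added example (not code from the thread), the following Python reads the header layout quoted above from a wowcache.wdb image, checks the magic and the record/module length relationship the post describes, and returns the module MD5 in hex so it can be compared with dumped modules. Two details the post does not pin down are assumptions here: the build field is treated as a little-endian uint32 and the locale as four ASCII bytes in reading order. The round-trip in demo() uses a constructed module blob and digest, not a real Warden module.

```python
"""Parser for the wowcache.wdb header layout quoted above (added example)."""
import struct

# Field layout from the post: offset 0x00 magic, 0x04 build, 0x08 locale,
# 0x0C unk, 0x10 unk2, 0x14 16-byte MD5, 0x24 record length, 0x28 module length.
HEADER_FMT = "<4sI4sII16sII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 0x2C, matching the post
MAGIC = b"WRDN"


def parse_wowcache_header(data: bytes) -> dict:
    """Return the header fields plus the raw (still encrypted) module blob.

    Assumptions the page does not state: the build is a little-endian uint32
    and the locale is four ASCII bytes in reading order.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a wowcache.wdb header")
    (magic, build, locale, unk, unk2,
     md5, rec_len, mod_len) = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MAGIC:
        raise ValueError("bad magic %r" % magic)
    # The post says the field at 0x28 is always the record length minus 4.
    if mod_len != rec_len - 4:
        raise ValueError("record length %d does not match module length %d"
                         % (rec_len, mod_len))
    module = data[HEADER_SIZE:HEADER_SIZE + mod_len]
    if len(module) != mod_len:
        raise ValueError("truncated module blob")
    return {
        "build": build,
        "locale": locale.decode("ascii", "replace"),
        "unk": unk,
        "unk2": unk2,
        "module_md5": md5.hex(),      # hex form, handy for matching module dumps
        "record_length": rec_len,
        "module": module,
    }


def make_wowcache(module_blob: bytes, module_md5: bytes,
                  build: int = 5875, locale: bytes = b"enUS") -> bytes:
    """Build a wowcache.wdb image with the layout above (constructed test data)."""
    if len(module_md5) != 16:
        raise ValueError("MD5 must be 16 bytes")
    rec_len = len(module_blob) + 4
    header = struct.pack(HEADER_FMT, MAGIC, build, locale, 0, 0,
                         module_md5, rec_len, len(module_blob))
    return header + module_blob


def demo() -> dict:
    """Round-trip a constructed image; the blob and digest are stand-ins."""
    fake_module = bytes(range(256)) * 2
    fake_md5 = bytes(range(16))
    return parse_wowcache_header(make_wowcache(fake_module, fake_md5))


if __name__ == "__main__":
    h = demo()
    print("build", h["build"], "locale", h["locale"],
          "module md5", h["module_md5"], "module bytes", len(h["module"]))
```

On a real client, pass the file contents to parse_wowcache_header (open the path quoted above with "rb"); if the build or locale come back as nonsense, the uint32/ASCII assumptions above are the first thing to revisit.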
Quick dump of elysiums warden scans, for logging purpose.
Code:
Address 007C625F, Size : 1
Address 0060BFB1, Size : 2
Address 007C625E, Size : 2
Address 00631615, Size : 2
Address 006A467B, Size : 1
Address 0060F650, Size : 6
Address 007C63DA, Size : 4
Address 00615CF5, Size : 1
Address 005EC720, Size : 8
Address 004D1C17, Size : 2
Address 007C4955, Size : 1
Address 007C63DD, Size : 3
Address 0060BFA0, Size : 2
Address 006341BC, Size : 2
Address 004711E0, Size : 2
Address 00616749, Size : 2
Address 007C705F, Size : 3
Address 006ABF13, Size : 1
Address 00482ED8, Size : 6
Address 00636598, Size : 1
Address 0087D898, Size : 4
Address 006163DE, Size : 10
Address 00635C3A, Size : 1
Address 007C63BD, Size : 3
Address 00636ED4, Size : 1
Address 006CA1B5, Size : 1
Address 005ED28D, Size : 6
Address 007C6272, Size : 4
Address 0060FF71, Size : 1
Address 007C705C, Size : 6
Address 006CEE4E, Size : 6
Address 007C6269, Size : 4
Address 006CEE5B, Size : 6
Address 00518062, Size : 1
Address 005ABD50, Size : 6
Address 006AB1BF, Size : 3
Address 005E642C, Size : 5
Address 00482BE3, Size : 1
Address 0060FC30, Size : 10
Address 0060BFBF, Size : 2
Address 00538610, Size : 4
Address 0080DFFC, Size : 4
Address 00CF0BC8, Size : 4
Address 0060FF65, Size : 2
Address 006D2743, Size : 6
Address 00494A50, Size : 7
Address 007C63A8, Size : 4
Address 007C33D9, Size : 5
Address 0049F5DD, Size : 1
Address 0063379C, Size : 1
Address 00636198, Size : 1
Address 005FE54F, Size : 1
Address 0067063E, Size : 1
Address 0040362B, Size : 3
Address 0087D894, Size : 4
Address 007C620D, Size : 2
Address 004711EA, Size : 1
Address 006334F0, Size : 1
Address 0049F6F2, Size : 3
Address 007C69A0, Size : 3
Address 007C63D9, Size : 1
Address 005ED2E3, Size : 6
Address 00C7B2A4, Size : 4
Address 007C6206, Size : 11
Address 00618913, Size : 8
Address 006AB494, Size : 1
Address 004C21C0, Size : 1
Address 007C6E83, Size : 7
Address 006163DB, Size : 2
Address 006341E3, Size : 2
Address 00846F64, Size : 6
Address 00615BA7, Size : 4
Address 007C4D41, Size : 10
Address 0060F7C9, Size : 6
Address 00822C10, Size : 6
Address 00680B81, Size : 5
above scans with extra detail:
Code:
Address 0040362B, Size : 3 // PollNet / WardenClient_Process check
Address 004711E0, Size : 2 // CCharCreateInfo::CreateCharacter / character name validation
Address 004711EA, Size : 1 // CCharCreateInfo::CreateCharacter / character name validation
Address 00482BE3, Size : 1 // CGWorldFrame::UpdateDayNightInfo / time related?
Address 00482ED8, Size : 6 // CGWorldFrame::OnWorldUpdate / anti afk?
Address 00494A50, Size : 7 // CGGameUI::CanPerformAction
Address 0049F5DD, Size : 1 // Script_SendChatMessage / chat while dead?
Address 0049F6F2, Size : 3 // Script_SendChatMessage / checking third int32 put into CMSG_MESSAGECHAT?
Address 004C21C0, Size : 1 // AutoLoot / EVENT_LOOT_BIND_CONFIRM?
Address 004D1C17, Size : 2 // Script_CanViewOfficerNote
Address 00518062, Size : 1 // Script_UnitLevel / see unit level instead of skull?
Address 00538610, Size : 4 // NETEVENTQUEUE::Poll jumptable?
Address 005ABD50, Size : 6 // ClientServices_CharacterValidateName
Address 005E642C, Size : 5 // OnSupercededSpell?
Address 005EC720, Size : 8 // CGPlayer_C::GetLanguageSkill / hook check?
Address 005ED28D, Size : 6 // CGPlayer_C::CanTrackUnit / follow hack?
Address 005ED2E3, Size : 6 // CGPlayer_C::CanTrackObject / same as above?
Address 005FE54F, Size : 1 // CGUnit_C::UpdateBaseAnimation / CMovementShared::GetBaseSpeed / speed hack related?
Address 0060BFA0, Size : 2 // CGUnit_C::OnRightClick / loot while mounted
Address 0060BFB1, Size : 2 // CGUnit_C::OnRightClick
Address 0060BFBF, Size : 2 // CGUnit_C::OnRightClick
Address 0060F650, Size : 6 // sub_60F600 / follow hack related maybe?
Address 0060F7C9, Size : 6 // sub_60F600 / follow hack related maybe?
Address 0060FC30, Size : 10 // CGUnit_C::ClearTrackingTarget / s_trackingType check / click to move fix check?
Address 0060FF65, Size : 2 // CGUnit_C::SetTrackingTarget / follow related?
Address 0060FF71, Size : 1 // CGUnit_C::SetTrackingTarget / follow related?
Address 00615BA7, Size : 4 // movement heartbeat?
Address 00615CF5, Size : 1 // CMovement::UpdatePlayerMovement
Address 006163DB, Size : 2 // CMovement::UpdatePlayerMovement / anti root hack?
Address 006163DE, Size : 10 // CMovement::UpdatePlayerMovement / anti root hack?
Address 00616749, Size : 2 // CMovement::ExecuteMovement / MSG_MOVE_HEARTBEAT SendMovementPacket
Address 00618913, Size : 8 // sub_618900 / movement related / InitMovementStatus?
Address 00631615, Size : 2 // sub_6315F0 / unknown?
Address 006334F0, Size : 1 // wall climb
Address 0063379C, Size : 1 // wall climb
Address 006341BC, Size : 2 // super fly
Address 006341E3, Size : 2 // super fly?
Address 00635C3A, Size : 1 // wall climb
Address 00636198, Size : 1 // wall climb
Address 00636598, Size : 1 // wall climb
Address 00636ED4, Size : 1 // wall climb
Address 0067063E, Size : 1 // unknown
Address 00680B81, Size : 5 // CWorldScene::PrepareRenderLiquid / CWorldScene__camLiquid var / water related hack?
Address 006A467B, Size : 1 // sub_6A4670 / unknown CMap function?
Address 006AB1BF, Size : 3 // sub_6AADC0 / unknown CMap function?
Address 006AB494, Size : 1 // sub_6AADC0 / unknown CMap function?
Address 006ABF13, Size : 1 // collision?
Address 006CA1B5, Size : 1 // WardenClient_Process
Address 006CEE4E, Size : 6 // sub_6CEE30 / dword_CE9BD8 / unknown?
Address 006CEE5B, Size : 6 // sub_6CEE30 / dword_CE9BD8 / unknown?
Address 006D2743, Size : 6 // sub_6D2260 / flt_CE9C50 / unknown?
Address 007C33D9, Size : 5 // unknown?
Address 007C4955, Size : 1 // CMovementData::GetPosition
Address 007C4D41, Size : 10 // CMovementShared::GetBaseSpeed
Address 007C6206, Size : 11 // sub_7C61F0 / CMovement something
Address 007C620D, Size : 2 // sub_7C61F0 / CMovement something
Address 007C625E, Size : 2 // CMovement::PlayerJump / infinite jump
Address 007C625F, Size : 1 // CMovement::PlayerJump / anti jump / anti knockback?
Address 007C6269, Size : 4 // JumpGravityWater
Address 007C6272, Size : 4 // JumpGravity
Address 007C63A8, Size : 4 // InitMovementStatus / CMovementData::GetPosition?
Address 007C63BD, Size : 3 // InitMovementStatus / unk?
Address 007C63D9, Size : 1 // InitMovementStatus / m_pitch?
Address 007C63DA, Size : 4 // InitMovementStatus / m_fallStartTime - fall damage hack??
Address 007C63DD, Size : 3 // InitMovementStatus / unk?
Address 007C69A0, Size : 3 // sub_7C69A0 / CMovement?
Address 007C6E83, Size : 7 // sub_7C6E80 / Swim related?
Address 007C705C, Size : 6 // sub_7C7030 / unknown?
Address 007C705F, Size : 3 // sub_7C7030 / unk?
Address 0080DFFC, Size : 4 // .rdata flt_80DFFC / wallclimb
Address 00822C10, Size : 6 // .rdata string?
Address 00846F64, Size : 6 // .rdata string?
Address 0087D894, Size : 4 // .rdata flt_87D894 / movement related?
Address 0087D898, Size : 4 // .rdata flt_87D898 / movement related?
Address 00C7B2A4, Size : 4 // .rdata CWorld::enables / Rendering Options
Address 00CF0BC8, Size : 4 // .rdata timestamp
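As an added example (not code from the thread), the Python below parses the "Address XXXXXXXX, Size : N // note" format of the dumps above, merges overlapping or adjacent scan ranges, and answers the question a patch author actually has: does a write of a given length at a given address land inside any of the listed scans? SAMPLE_DUMP holds ten lines copied from the annotated list; the addresses and comments are the poster's, the helper functions are mine. The 5-byte patch sizes used in the demo are hypothetical, chosen only because a relative jmp is five bytes.

```python
"""Parse the Warden scan dump format used above and test a patch against it."""
import re
from typing import List, Tuple

# One scan per line, as posted: "Address 007C625F, Size : 1 // optional note"
SCAN_RE = re.compile(
    r"Address\s+([0-9A-Fa-f]{8}),\s*Size\s*:\s*(\d+)(?:\s*//\s*(.*))?")

# Lines copied from the annotated list above; the comments are the poster's.
SAMPLE_DUMP = """\
Address 0040362B, Size : 3 // PollNet / WardenClient_Process check
Address 006CA1B5, Size : 1 // WardenClient_Process
Address 007C6206, Size : 11 // sub_7C61F0 / CMovement something
Address 007C620D, Size : 2 // sub_7C61F0 / CMovement something
Address 007C625E, Size : 2 // CMovement::PlayerJump / infinite jump
Address 007C625F, Size : 1 // CMovement::PlayerJump / anti jump / anti knockback?
Address 007C6269, Size : 4 // JumpGravityWater
Address 007C6272, Size : 4 // JumpGravity
Address 0080DFFC, Size : 4 // .rdata flt_80DFFC / wallclimb
Address 00CF0BC8, Size : 4 // .rdata timestamp
"""

Scan = Tuple[int, int, str]   # (address, size, note)


def parse_scans(text: str) -> List[Scan]:
    """Extract (address, size, note) tuples from a dump, sorted by address."""
    scans = []
    for line in text.splitlines():
        m = SCAN_RE.search(line)
        if not m:
            continue   # blank lines and anything that is not a scan entry
        scans.append((int(m.group(1), 16), int(m.group(2)),
                      (m.group(3) or "").strip()))
    return sorted(scans)


def overlapping_scans(scans: List[Scan], start: int, length: int) -> List[Scan]:
    """Scans whose byte range intersects [start, start + length)."""
    end = start + length
    return [s for s in scans if s[0] < end and start < s[0] + s[1]]


def coalesce(scans: List[Scan]) -> List[Tuple[int, int]]:
    """Merge overlapping or adjacent scans into (address, size) ranges."""
    merged: List[List[int]] = []
    for addr, size, _ in sorted(scans):
        if merged and addr <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], addr + size)
        else:
            merged.append([addr, addr + size])
    return [(a, b - a) for a, b in merged]


def describe_patch(scans: List[Scan], start: int, length: int) -> str:
    """One-line verdict for a hypothetical write of `length` bytes at `start`."""
    hits = overlapping_scans(scans, start, length)
    if not hits:
        return "patch %08X+%d is outside every listed scan" % (start, length)
    return "patch %08X+%d overlaps: " % (start, length) + "; ".join(
        "%08X (%d) %s" % h for h in hits)


if __name__ == "__main__":
    scans = parse_scans(SAMPLE_DUMP)
    # A 5-byte jmp written over the CMovement::PlayerJump check (hypothetical).
    print(describe_patch(scans, 0x7C625E, 5))
    # The same jmp at the start of sub_7C61F0 misses the listed scans.
    print(describe_patch(scans, 0x7C61F0, 5))
    for addr, size in coalesce(scans):
        print("%08X %2d" % (addr, size))
```

The list is only as good as the dump it was taken from; a scan set that changes per module (see the discussion of modules changing on logon above) means a clean result today says nothing about tomorrow's module.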
More elegant __fastcall wrapper:
Edit: This is wrong, see below.
Code:
pop ebx          ; Store the return address.
pop ecx          ; Move 1st arg to ecx.
pop edx          ; Move 2nd arg to edx.
mov [esp], ebx   ; Restore the return address.
jmp <function>   ; Callee cleans the stack.
Last edited by Jadd; 12-23-2017 at 06:49 AM.
A "sub esp, 4" is missing before "mov [esp], ebx". Or just put it like this:
Code:
pop ebx          ; Store the return address.
pop ecx          ; Move 1st arg to ecx.
pop edx          ; Move 2nd arg to edx.
push ebx         ; Restore the return address.
jmp <function>   ; Callee cleans the stack.
And of course there should be a check that the number of params is always >= 2.
Last edited by tutrakan; 12-22-2017 at 02:37 PM.
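To make the disagreement above concrete, here is an added Python model (my code, not anything from the thread) of the stack as the two thunks see it. The stack is a list indexed from [esp], pop and push move esp, and the "callee" reads ecx, edx, [esp] and [esp+4]. The arguments 0x11/0x22/0x33, the return address 0xDEAD0000 and the 0xCCCCCCCC sentinel for whatever lies above the caller's frame are constructed values. It also implements the parameter-count check tutrakan asks for.

```python
"""Stack model of the two __fastcall thunks discussed above (added example)."""

SENTINEL = 0xCCCCCCCC   # stands for whatever sits above the caller's arguments


class Cpu:
    """Just enough x86 state for the thunk: esp-relative stack and three regs.

    stack[0] is [esp], stack[1] is [esp+4], and so on; pop/push move esp.
    """

    def __init__(self, ret: int, args):
        self.stack = [ret] + list(args) + [SENTINEL]
        self.ebx = self.ecx = self.edx = 0

    def pop(self) -> int:
        return self.stack.pop(0)

    def push(self, value: int) -> None:
        self.stack.insert(0, value)


def thunk_wrong(cpu: Cpu) -> None:
    """Jadd's first version: pop ebx / pop ecx / pop edx / mov [esp], ebx / jmp."""
    cpu.ebx = cpu.pop()          # return address
    cpu.ecx = cpu.pop()          # 1st argument
    cpu.edx = cpu.pop()          # 2nd argument
    cpu.stack[0] = cpu.ebx       # overwrites the slot holding the 3rd argument


def thunk_fixed(cpu: Cpu) -> None:
    """tutrakan's version: pop ebx / pop ecx / pop edx / push ebx / jmp."""
    cpu.ebx = cpu.pop()
    cpu.ecx = cpu.pop()
    cpu.edx = cpu.pop()
    cpu.push(cpu.ebx)            # esp -= 4 and [esp] = return address


def callee_view(cpu: Cpu) -> dict:
    """What a __fastcall callee reads: ecx, edx, [esp] (return), [esp+4] (3rd arg)."""
    return {"ecx": cpu.ecx, "edx": cpu.edx,
            "ret": cpu.stack[0], "arg3": cpu.stack[1]}


def simulate(fixed: bool, args=(0x11, 0x22, 0x33), ret: int = 0xDEAD0000) -> dict:
    """Run one thunk over a stack holding `args` pushed right-to-left by the caller."""
    # The thunk unconditionally pops two arguments, so fewer than two is a bug.
    if len(args) < 2:
        raise ValueError("the thunk needs at least two stack arguments")
    cpu = Cpu(ret, args)
    (thunk_fixed if fixed else thunk_wrong)(cpu)
    return callee_view(cpu)


if __name__ == "__main__":
    for name, fixed in (("mov [esp], ebx", False), ("push ebx", True)):
        v = simulate(fixed)
        print("%-16s ecx=%#x edx=%#x ret=%#x arg3=%#x"
              % (name, v["ecx"], v["edx"], v["ret"], v["arg3"]))
```

With the first thunk the callee gets the right return address but reads the sentinel where its third argument should be; with push ebx the return address goes into a fresh slot and the third argument survives. The model stops at the jmp, so the callee's own stack cleanup is not represented.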
Yes.
However, this is useful when we need to call a __fastcall function from C# (since it isn't a supported convention) and we are forced to make such a wrapper.
This old one can be optimized for sure, but is tested and works:
[WoW] 1.12.1.5875 Info Dump Thread
And my fastcall "greymagic" detour modification works fine too:
[RELEASE] Modification of GreyMagic to support detouring of fastcalls
Go explain that to the WoW_3368-orig_32bit compiler: MEGA
There are plenty of fastcalls declared without even one parameter in ecx or edx - informacionsimbolos.txt.
Last edited by tutrakan; 12-23-2017 at 04:09 AM.
You're right, it should include sub esp, 4 or just use your solution. I only tested with one function and my delegate definition included one too many arguments so it was working for me. Edited my earlier post.
In any case, fastcall with 1 parameter is identical to thiscall (at least for anything using VC++ compiler) and fastcall with no parameters is identical to stdcall, so it's better to use either of those since .NET supports it without the use of a wrapper.
100% true. I was about to say the same.
P.S. For anyone else interested: x86 calling conventions - Wikipedia
Last edited by tutrakan; 12-23-2017 at 10:37 PM.
I had a similar problem. I'm not great with IDA (yet) so I just took a different approach than finding auction functions and stuff. I just send packets and parse what the server sends back. You can look at Mangos or something to see exactly how all the packets are structured so there's little reversing involved for you. A cool benefit of doing it that way is that you can reuse the same code for a clientless bot if you ever choose to make one.
While I'm posting, is anyone aware of a cross-continent teleport exploit that works on light's hope? I'm not asking for any details of it, just wondering if anyone has done it because I'm getting bored of my heartbeat teleporter and will probably be trying that soonish.
Edit: Random note - I have had accounts warden banned on either Nost/Elysium (I can't remember), and for some reason they let me log in on Light's Hope.
Last edited by badusername1234; 12-31-2017 at 11:51 AM.
I'd be surprised if this were possible. The client controls where it is on the map, but does not ever control which map it's on.
Edit: I've been able to 'fake' this in some cases by teleporting to portals between the maps and sending a gameobject interact message with them. Most private servers do not have server-side enforcement of gameobject interaction permissions. This doesn't solve all possible (source map, target map) pairs though.
Does anyone have an example of calling the LootSlot function directly in memory? Calling LootSlot(1) in doString has no effect (neither has sending a Lua click to LootButton1). I suspect this is because it's not accepting virtual mouse clicks. CTM/Autoloot will be of no help, because I am trying to get Pickpocketing to work, where a spell will open the loot window and I'd like to avoid something as hacky as writing mouse position to memory and then injecting a click.
Edit: After fucking around with it a little bit, it seems that injecting AutoLoot before casting Pick Pocket does the trick.
Last edited by bone91; 01-01-2018 at 04:35 PM.