[WoW] 1.12.1.5875 Info Dump Thread

  1. #526 tutrakan (Contributor)
    The most interesting thing is that the module seems to change on every logon. Or does it load at a more random address than before?

    Uploadfiles.io - 154c3f90.bin
    Uploadfiles.io - 154c5f20.bin
    Uploadfiles.io - 15603d00.bin
    Last edited by tutrakan; 12-15-2017 at 04:47 PM.

  2. #527 danwins (Contributor)
    I'm guessing they're cycling from these: WardenSigning/WardenModules at master · namreeb/WardenSigning · GitHub

    Not really that surprising, honestly. I expected to see it sooner.

    You can always check what module was loaded after exiting the client by looking at this file:

    Code:
    World of Warcraft\WDB\wowcache.wdb
    The struct looks like this:

    Code:
    wowcache.wdb_header (size 0x2C)
    offset  size  desc
    0x00    0x04  'WRDN' magic
    0x04    0x04  client build, e.g. '5875'
    0x08    0x04  client locale, e.g. 'enUS'
    0x0C    0x04  unk
    0x10    0x04  unk2
    0x14    0x10  MD5 sum of the warden module
    0x24    0x04  record length
    0x28    0x04  length of the next field (always record length - 0x4)

    0x2C    0x??  encrypted module
    At 0x14 is the module MD5.

    If warden was loaded during the session you should expect to see it cached in this file after exiting the client.
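The header above is small enough to read with a few lines of code. What follows is an added example (my code, not danwins's and not from any project) that parses the layout exactly as the post gives it, enforces the "next field = record length - 4" invariant, slices out the still-encrypted module, and compares the stored MD5 against a list of known module hashes such as the file names in the WardenModules repository linked earlier. Two things the post does not say are treated as assumptions and marked as such in the code: whether the four-character fields are written in string order or reversed as a little-endian dword, and which bytes the MD5 covers. The sample file in the block is constructed, not a real cache.

```python
"""Reader for the wowcache.wdb header laid out in the post above.
Added example; offsets and sizes follow the post, everything else is assumed."""
import struct
import sys

# <: little-endian; 4s magic, 4s build, 4s locale, I unk, I unk2, 16s md5, I record len, I module len
HEADER_FMT = "<4s4s4sII16sII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 0x2C, matching the post
MAGIC = b"WRDN"


def parse_wowcache(data: bytes) -> dict:
    """Parse the header and return its fields plus the cached (encrypted) module bytes."""
    if len(data) < HEADER_SIZE:
        raise ValueError(f"need at least {HEADER_SIZE:#x} header bytes, got {len(data):#x}")
    magic, build, locale, unk, unk2, md5, rec_len, mod_len = struct.unpack_from(HEADER_FMT, data, 0)
    # ASSUMPTION: the post writes the magic as 'WRDN'; if the client stores the three
    # four-character fields as little-endian dwords they appear reversed on disk, so
    # accept that spelling too and normalise all three.
    if magic == MAGIC[::-1]:
        magic, build, locale = magic[::-1], build[::-1], locale[::-1]
    if magic != MAGIC:
        raise ValueError(f"bad magic {magic!r}, expected {MAGIC!r}")
    if mod_len != rec_len - 4:                 # invariant stated in the post
        raise ValueError(f"module length {mod_len:#x} is not record length {rec_len:#x} - 4")
    module = data[HEADER_SIZE:HEADER_SIZE + mod_len]
    if len(module) != mod_len:
        raise ValueError(f"file truncated: header promises {mod_len:#x} module bytes, "
                         f"only {len(module):#x} present")
    return {
        "build": build.decode("ascii", "replace"),
        "locale": locale.decode("ascii", "replace"),
        "unk": unk,
        "unk2": unk2,
        "module_md5": md5.hex(),              # the post says this is the module MD5;
        "record_length": rec_len,             # which bytes it covers is not stated
        "module": module,                     # still encrypted, exactly as cached
    }


def module_is_known(info: dict, known_md5s) -> bool:
    """True if the cached module's hash is in a list you maintain (e.g. repository file names)."""
    return info["module_md5"].lower() in {h.lower() for h in known_md5s}


def build_sample(module: bytes, md5: bytes) -> bytes:
    """CONSTRUCTED cache file in the post's layout, used for offline testing only."""
    return struct.pack(HEADER_FMT, MAGIC, b"5875", b"enUS", 0, 0, md5,
                       len(module) + 4, len(module)) + module


if __name__ == "__main__":
    # usage: python wowcache_reader.py "World of Warcraft\WDB\wowcache.wdb" [known_md5 ...]
    with open(sys.argv[1], "rb") as fh:
        info = parse_wowcache(fh.read())
    print(f"build={info['build']} locale={info['locale']} md5={info['module_md5']} "
          f"module={len(info['module']):#x} bytes known={module_is_known(info, sys.argv[2:])}")
```

Running it after a session against a copy of the cache gives you the hash to look up; a hash that is not in your list is the signal that a module you have not yet analysed was served.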

  4. #528 namreeb (Legendary)
    Originally Posted by danwins:
    That is exactly where they are from

    Originally Posted by danwins:
    Not really that surprising, honestly. I expected to see it sooner.
    The problem is that the numerical value of the opcodes as well as the challenge/response routine had to be identified for each one. Takes a while.

  5. #529 DarkLinux (Former Staff)
    Quick dump of Elysium's warden scans, for logging purposes.
    Code:
    Address 007C625F, Size : 1
    Address 0060BFB1, Size : 2
    Address 007C625E, Size : 2
    Address 00631615, Size : 2
    Address 006A467B, Size : 1
    Address 0060F650, Size : 6
    Address 007C63DA, Size : 4
    Address 00615CF5, Size : 1
    Address 005EC720, Size : 8
    Address 004D1C17, Size : 2
    Address 007C4955, Size : 1
    Address 007C63DD, Size : 3
    Address 0060BFA0, Size : 2
    Address 006341BC, Size : 2
    Address 004711E0, Size : 2
    Address 00616749, Size : 2
    Address 007C705F, Size : 3
    Address 006ABF13, Size : 1
    Address 00482ED8, Size : 6
    Address 00636598, Size : 1
    Address 0087D898, Size : 4
    Address 006163DE, Size : 10
    Address 00635C3A, Size : 1
    Address 007C63BD, Size : 3
    Address 00636ED4, Size : 1
    Address 006CA1B5, Size : 1
    Address 005ED28D, Size : 6
    Address 007C6272, Size : 4
    Address 0060FF71, Size : 1
    Address 007C705C, Size : 6
    Address 006CEE4E, Size : 6
    Address 007C6269, Size : 4
    Address 006CEE5B, Size : 6
    Address 00518062, Size : 1
    Address 005ABD50, Size : 6
    Address 006AB1BF, Size : 3
    Address 005E642C, Size : 5
    Address 00482BE3, Size : 1
    Address 0060FC30, Size : 10
    Address 0060BFBF, Size : 2
    Address 00538610, Size : 4
    Address 0080DFFC, Size : 4
    Address 00CF0BC8, Size : 4
    Address 0060FF65, Size : 2
    Address 006D2743, Size : 6
    Address 00494A50, Size : 7
    Address 007C63A8, Size : 4
    Address 007C33D9, Size : 5
    Address 0049F5DD, Size : 1
    Address 0063379C, Size : 1
    Address 00636198, Size : 1
    Address 005FE54F, Size : 1
    Address 0067063E, Size : 1
    Address 0040362B, Size : 3
    Address 0087D894, Size : 4
    Address 007C620D, Size : 2
    Address 004711EA, Size : 1
    Address 006334F0, Size : 1
    Address 0049F6F2, Size : 3
    Address 007C69A0, Size : 3
    Address 007C63D9, Size : 1
    Address 005ED2E3, Size : 6
    Address 00C7B2A4, Size : 4
    Address 007C6206, Size : 11
    Address 00618913, Size : 8
    Address 006AB494, Size : 1
    Address 004C21C0, Size : 1
    Address 007C6E83, Size : 7
    Address 006163DB, Size : 2
    Address 006341E3, Size : 2
    Address 00846F64, Size : 6
    Address 00615BA7, Size : 4
    Address 007C4D41, Size : 10
    Address 0060F7C9, Size : 6
    Address 00822C10, Size : 6
    Address 00680B81, Size : 5

  6. #530 danwins (Contributor)
    Above scans with extra detail:

    Code:
    Address 0040362B, Size : 3	// PollNet / WardenClient_Process check
    Address 004711E0, Size : 2	// CCharCreateInfo::CreateCharacter / character name validation
    Address 004711EA, Size : 1	// CCharCreateInfo::CreateCharacter / character name validation
    Address 00482BE3, Size : 1	// CGWorldFrame::UpdateDayNightInfo / time related?
    Address 00482ED8, Size : 6	// CGWorldFrame::OnWorldUpdate / anti afk?
    Address 00494A50, Size : 7	// CGGameUI::CanPerformAction
    Address 0049F5DD, Size : 1	// Script_SendChatMessage / chat while dead?
    Address 0049F6F2, Size : 3	// Script_SendChatMessage / checking third int32 put into CMSG_MESSAGECHAT?
    Address 004C21C0, Size : 1	// AutoLoot / EVENT_LOOT_BIND_CONFIRM? 
    Address 004D1C17, Size : 2	// Script_CanViewOfficerNote
    Address 00518062, Size : 1	// Script_UnitLevel / see unit level instead of skull?
    Address 00538610, Size : 4	// NETEVENTQUEUE::Poll jumptable?
    Address 005ABD50, Size : 6	// ClientServices_CharacterValidateName
    Address 005E642C, Size : 5	// OnSupercededSpell?
    Address 005EC720, Size : 8	// CGPlayer_C::GetLanguageSkill / hook check?
    Address 005ED28D, Size : 6	// CGPlayer_C::CanTrackUnit / follow hack?
    Address 005ED2E3, Size : 6	// CGPlayer_C::CanTrackObject / same as above?
    Address 005FE54F, Size : 1	// CGUnit_C::UpdateBaseAnimation / CMovementShared::GetBaseSpeed / speed hack related?
    Address 0060BFA0, Size : 2	// CGUnit_C::OnRightClick / loot while mounted
    Address 0060BFB1, Size : 2	// CGUnit_C::OnRightClick
    Address 0060BFBF, Size : 2	// CGUnit_C::OnRightClick
    Address 0060F650, Size : 6	// sub_60F600 / follow hack related maybe?
    Address 0060F7C9, Size : 6	// sub_60F600 / follow hack related maybe?
    Address 0060FC30, Size : 10	// CGUnit_C::ClearTrackingTarget / s_trackingType check / click to move fix check?
    Address 0060FF65, Size : 2	// CGUnit_C::SetTrackingTarget / follow related?
    Address 0060FF71, Size : 1	// CGUnit_C::SetTrackingTarget / follow related?
    Address 00615BA7, Size : 4	// movement heartbeat?
    Address 00615CF5, Size : 1	// CMovement::UpdatePlayerMovement
    Address 006163DB, Size : 2	// CMovement::UpdatePlayerMovement / anti root hack?
    Address 006163DE, Size : 10	// CMovement::UpdatePlayerMovement / anti root hack?
    Address 00616749, Size : 2	// CMovement::ExecuteMovement / MSG_MOVE_HEARTBEAT SendMovementPacket
    Address 00618913, Size : 8	// sub_618900 / movement related / InitMovementStatus?
    Address 00631615, Size : 2	// sub_6315F0 / unknown?
    Address 006334F0, Size : 1	// wall climb
    Address 0063379C, Size : 1	// wall climb
    Address 006341BC, Size : 2	// super fly
    Address 006341E3, Size : 2	// super fly?
    Address 00635C3A, Size : 1	// wall climb
    Address 00636198, Size : 1	// wall climb
    Address 00636598, Size : 1	// wall climb
    Address 00636ED4, Size : 1	// wall climb
    Address 0067063E, Size : 1	// unknown
    Address 00680B81, Size : 5	// CWorldScene::PrepareRenderLiquid / CWorldScene__camLiquid var / water related hack?
    Address 006A467B, Size : 1	// sub_6A4670 / unknown CMap function?
    Address 006AB1BF, Size : 3	// sub_6AADC0 / unknown CMap function?
    Address 006AB494, Size : 1	// sub_6AADC0 / unknown CMap function?
    Address 006ABF13, Size : 1	// collision?
    Address 006CA1B5, Size : 1	// WardenClient_Process
    Address 006CEE4E, Size : 6	// sub_6CEE30 / dword_CE9BD8 / unknown?
    Address 006CEE5B, Size : 6	// sub_6CEE30 / dword_CE9BD8 / unknown?
    Address 006D2743, Size : 6	// sub_6D2260 / flt_CE9C50 / unknown?
    Address 007C33D9, Size : 5	// unknown?
    Address 007C4955, Size : 1	// CMovementData::GetPosition
    Address 007C4D41, Size : 10	// CMovementShared::GetBaseSpeed
    Address 007C6206, Size : 11	// sub_7C61F0 / CMovement something
    Address 007C620D, Size : 2	// sub_7C61F0 / CMovement something
    Address 007C625E, Size : 2	// CMovement::PlayerJump / infinite jump
    Address 007C625F, Size : 1	// CMovement::PlayerJump / anti jump / anti knockback?
    Address 007C6269, Size : 4	// JumpGravityWater
    Address 007C6272, Size : 4	// JumpGravity
    Address 007C63A8, Size : 4	// InitMovementStatus / CMovementData::GetPosition?
    Address 007C63BD, Size : 3	// InitMovementStatus / unk?
    Address 007C63D9, Size : 1	// InitMovementStatus / m_pitch?
    Address 007C63DA, Size : 4	// InitMovementStatus / m_fallStartTime - fall damage hack??
    Address 007C63DD, Size : 3	// InitMovementStatus / unk?
    Address 007C69A0, Size : 3	// sub_7C69A0 / CMovement?
    Address 007C6E83, Size : 7	// sub_7C6E80 / Swim related?
    Address 007C705C, Size : 6	// sub_7C7030 / unknown?
    Address 007C705F, Size : 3	// sub_7C7030 / unk?
    Address 0080DFFC, Size : 4	// .rdata flt_80DFFC / wallclimb
    Address 00822C10, Size : 6	// .rdata string?
    Address 00846F64, Size : 6	// .rdata string?
    Address 0087D894, Size : 4	// .rdata flt_87D894 / movement related?
    Address 0087D898, Size : 4	// .rdata flt_87D898 / movement related?
    Address 00C7B2A4, Size : 4	// .rdata CWorld::enables / Rendering Options
    Address 00CF0BC8, Size : 4	// .rdata timestamp
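
The two dumps above (DarkLinux's raw list and danwins's annotated one) share a one-line-per-request format, so they are easy to process mechanically. The block below is an added example (my code, not from either post) that parses that format, confirms the two lists describe the same set of reads, coalesces overlapping and adjacent requests into the distinct byte ranges the scanner actually covers, and groups requests by the function named in the annotation. The six sample lines embedded in the block are copied from the posts; the functions and the constructed subset are mine.

```python
"""Parser and range tools for 'Address XXXXXXXX, Size : N' scan dumps.
Added example; the sample lines are copied from the posts above."""
import re
from collections import defaultdict

SCAN_RE = re.compile(r"Address\s+([0-9A-Fa-f]{8}),\s*Size\s*:\s*(\d+)\s*(?://\s*(.*))?$")

# Constructed subset of DarkLinux's dump (six of the lines, in the order he posted them).
RAW_DUMP = """\
Address 007C625F, Size : 1
Address 007C625E, Size : 2
Address 007C63DA, Size : 4
Address 007C63DD, Size : 3
Address 007C63D9, Size : 1
Address 0080DFFC, Size : 4
"""

# The same six requests from danwins's annotated list.
ANNOTATED = """\
Address 007C625E, Size : 2\t// CMovement::PlayerJump / infinite jump
Address 007C625F, Size : 1\t// CMovement::PlayerJump / anti jump / anti knockback?
Address 007C63D9, Size : 1\t// InitMovementStatus / m_pitch?
Address 007C63DA, Size : 4\t// InitMovementStatus / m_fallStartTime - fall damage hack??
Address 007C63DD, Size : 3\t// InitMovementStatus / unk?
Address 0080DFFC, Size : 4\t// .rdata flt_80DFFC / wallclimb
"""


def parse_scans(text):
    """Return [(address, size, annotation)] for every non-blank line; reject anything else."""
    scans = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SCAN_RE.match(line)
        if not m:
            raise ValueError(f"unparsable scan line: {line!r}")
        scans.append((int(m.group(1), 16), int(m.group(2)), (m.group(3) or "").strip()))
    return scans


def same_scan_set(a, b):
    """True if both dumps contain exactly the same (address, size) requests, any order."""
    return sorted((x, y) for x, y, _ in a) == sorted((x, y) for x, y, _ in b)


def merge_ranges(scans):
    """Coalesce overlapping or adjacent [addr, addr+size) intervals into distinct regions."""
    merged = []
    for start, end in sorted((a, a + s) for a, s, _ in scans):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def scanned_bytes(scans):
    """Distinct bytes covered, i.e. the request sizes minus overlap."""
    return sum(end - start for start, end in merge_ranges(scans))


def group_by_function(scans):
    """Group (address, size) pairs by the first '/'-separated token of the annotation."""
    groups = defaultdict(list)
    for addr, size, note in scans:
        func = note.split("/")[0].strip() if note else "(unannotated)"
        groups[func].append((addr, size))
    return dict(groups)


if __name__ == "__main__":
    scans = parse_scans(ANNOTATED)
    print("same requests as raw dump:", same_scan_set(scans, parse_scans(RAW_DUMP)))
    for start, end in merge_ranges(scans):
        print(f"{start:08X}-{end:08X} ({end - start} bytes)")
    for func, reqs in group_by_function(scans).items():
        print(func, [f"{a:08X}/{s}" for a, s in reqs])
```

On this subset the six requests total 15 bytes but cover only 13 distinct ones, because the two PlayerJump reads overlap and the three InitMovementStatus reads are contiguous; the merged view is the one to keep when documenting which code the integrity checks cover.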

  8. #531 Jadd (Premium Seller)
    More elegant __fastcall wrapper:
    Code:
    pop ebx          ; Store the return address.
    pop ecx          ; Move 1st arg to ecx.
    pop edx          ; Move 2nd arg to edx.
    mov [esp], ebx   ; Restore the return address.
    jmp <function>   ; Callee cleans the stack.
    Edit: This is wrong, see below.
    Last edited by Jadd; 12-23-2017 at 06:49 AM.

  9. #532 tutrakan (Contributor)
    Originally Posted by Jadd:
    More elegant __fastcall wrapper:
    Code:
    pop ebx          ; Store the return address.
    pop ecx          ; Move 1st arg to ecx.
    pop edx          ; Move 2nd arg to edx.
    mov [esp], ebx   ; Restore the return address.
    jmp <function>   ; Callee cleans the stack.
    There is a missing "sub esp, 4" before "mov [esp], ebx". Or just put it like this:
    Code:
    pop ebx          ; Store the return address.
    pop ecx          ; Move 1st arg to ecx.
    pop edx          ; Move 2nd arg to edx.
    push ebx         ; Restore the return address.
    jmp <function>   ; Callee cleans the stack.
    And of course there should be a check for the number of params to be always >= 2.
    Last edited by tutrakan; 12-22-2017 at 02:37 PM.

  10. #533 Jadd (Premium Seller)
    Originally Posted by tutrakan:
    There is a missing "sub esp, 4" before "mov [esp], ebx".
    Did you test it? You will crash every time. Pushing ebx will move the stack frame, which is wrong.

    Originally Posted by tutrakan:
    And of course there should be a check for the number of params to be always >= 2.
    AFAIK functions are never compiled as __fastcall if they take fewer than two parameters.

  11. #534 tutrakan (Contributor)
    Originally Posted by Jadd:
    Did you test it?
    Yes.

    However, this is useful when we need to call a __fastcall function from C# (while it isn't a supported convention) and we are forced to make such a wrapper.
    This old one can be optimized for sure, but is tested and works:
    [WoW] 1.12.1.5875 Info Dump Thread
    And my fastcall "greymagic" detour modification works fine too:
    [RELEASE] Modification of GreyMagic to support detouring of fastcalls
    Originally Posted by Jadd:
    AFAIK functions are never compiled as __fastcall if they take fewer than two parameters.
    Go explain that to the WoW_3368-orig_32bit compiler: MEGA
    There are plenty of fastcalls declared without even one parameter in ecx or edx - informacionsimbolos.txt.
    Last edited by tutrakan; 12-23-2017 at 04:09 AM.

  12. #535 Jadd (Premium Seller)
    You're right, it should include sub esp, 4 or just use your solution. I only tested with one function and my delegate definition included one too many arguments so it was working for me. Edited my earlier post.

    Originally Posted by tutrakan:
    Go explain that to the WoW_3368-orig_32bit compiler: MEGA
    There are plenty of fastcalls declared without even one parameter in ecx or edx - informacionsimbolos.txt.
    In any case, fastcall with 1 parameter is identical to thiscall (at least for anything using the VC++ compiler) and fastcall with no parameters is identical to stdcall, so it's better to use either of those since .NET supports them without the use of a wrapper.

  13. #536 tutrakan (Contributor)
    Originally Posted by Jadd:
    ...In any case, fastcall with 1 parameter is identical to thiscall (at least for anything using the VC++ compiler) and fastcall with no parameters is identical to stdcall...
    100% true. I was about to say the same.

    P.S. For anyone else interested: x86 calling conventions - Wikipedia
    Last edited by tutrakan; 12-23-2017 at 10:37 PM.
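The disagreement in the last few posts comes down to where esp points when the wrapper jumps. The block below is an added example, not code from any post: a small model of the 32-bit stack that executes both wrappers step by step and reports what the __fastcall callee sees. It assumes what the posts describe: the caller (a stdcall-style C# delegate) pushes its arguments right-to-left and expects the callee to remove all of them, the callee takes its first two arguments in ecx and edx and the rest from [esp+4] upward, and returns with ret (n-2)*4. The register names and the two instruction sequences are the ones from Jadd's and tutrakan's posts; the addresses and argument values are constructed.

```python
"""Stack model for the two __fastcall wrappers discussed above. Added example."""


class Stack:
    """32-bit stack: 4-byte slots in a dict keyed by address, esp grows downward."""

    def __init__(self, esp=0x1000):
        self.mem = {}
        self.esp = esp

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value

    def pop(self):
        value = self.mem[self.esp]
        self.esp += 4
        return value


def wrapper_mov(st, reg):
    """Jadd's first version: pop ebx / pop ecx / pop edx / mov [esp], ebx / jmp."""
    reg["ebx"] = st.pop()            # return address
    reg["ecx"] = st.pop()            # 1st argument
    reg["edx"] = st.pop()            # 2nd argument
    st.mem[st.esp] = reg["ebx"]      # esp now points at the 3rd argument's slot: it is clobbered


def wrapper_push(st, reg):
    """tutrakan's version: pop ebx / pop ecx / pop edx / push ebx / jmp."""
    reg["ebx"] = st.pop()
    reg["ecx"] = st.pop()
    reg["edx"] = st.pop()
    st.push(reg["ebx"])              # return address goes back below the remaining arguments


def simulate(wrapper, pushed_args, callee_nargs=None, ret_addr=0xDEAD):
    """Caller pushes pushed_args right-to-left and CALLs the wrapper; the wrapper JMPs to a
    __fastcall callee of callee_nargs parameters (ecx, edx, then [esp+4], [esp+8], ...),
    which returns with 'ret (callee_nargs-2)*4'. callee_nargs defaults to len(pushed_args);
    pass a smaller value to model a delegate declared with an extra dummy argument."""
    if callee_nargs is None:
        callee_nargs = len(pushed_args)
    st = Stack()
    esp_before_call = st.esp
    for a in reversed(pushed_args):
        st.push(a)
    st.push(ret_addr)                # the CALL instruction
    reg = {}
    wrapper(st, reg)                 # after the JMP, esp is wherever the wrapper left it
    n_stack = callee_nargs - 2
    seen = [reg["ecx"], reg["edx"]] + [st.mem.get(st.esp + 4 * (i + 1)) for i in range(n_stack)]
    returned_to = st.pop()           # RET ...
    st.esp += 4 * n_stack            # ... (n-2)*4: callee removes its stack arguments
    return {
        "args_seen": seen,                   # None marks a slot the caller never wrote
        "returned_to": returned_to,
        "esp_ok": st.esp == esp_before_call,  # did the caller get its stack pointer back?
    }


if __name__ == "__main__":
    for name, w in (("mov [esp], ebx", wrapper_mov), ("push ebx", wrapper_push)):
        print(name, simulate(w, [1, 2, 3, 4]))
    print("mov version with a dummy 3rd delegate argument:",
          simulate(wrapper_mov, [1, 2, 0, 3, 4], callee_nargs=4))
```

With four real arguments the mov version hands the callee 1, 2, 4 and an unwritten slot and leaves esp 4 bytes too high after the return; the push version delivers 1, 2, 3, 4 and restores esp exactly. The last case reproduces what Jadd describes in his follow-up: declaring the delegate with one extra argument in the third position makes the clobbered slot harmless, which is why his test appeared to work.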

  14. #537 badusername1234 (Active Member)
    Originally Posted by Logon:
    Does anyone have any memory addresses or information about the auction house?
    I looked around in the PDB and in this thread, but it seems most people don't care about the AH!
    I had a similar problem. I'm not great with IDA (yet) so I just took a different approach than finding auction functions and stuff. I just send packets and parse what the server sends back. You can look at Mangos or something to see exactly how all the packets are structured so there's little reversing involved for you. A cool benefit of doing it that way is that you can reuse the same code for a clientless bot if you ever choose to make one.

    While I'm posting, is anyone aware of a cross-continent teleport exploit that works on light's hope? I'm not asking for any details of it, just wondering if anyone has done it because I'm getting bored of my heartbeat teleporter and will probably be trying that soonish.

    Edit: Random note - I have had accounts warden banned on either Nost/Elysium (I can't remember), and for some reason they let me log in on Light's Hope.
    Last edited by badusername1234; 12-31-2017 at 11:51 AM.

  15. #538 namreeb (Legendary)
    Originally Posted by badusername1234:
    While I'm posting, is anyone aware of a cross-continent teleport exploit that works on light's hope? I'm not asking for any details of it, just wondering if anyone has done it because I'm getting bored of my heartbeat teleporter and will probably be trying that soonish.
    I'd be surprised if this were possible. The client controls where it is on the map, but does not ever control which map it's on.

    Edit: I've been able to 'fake' this in some cases by teleporting to portals between the maps and sending a gameobject interact message with them. Most private servers do not have server-side enforcement of gameobject interaction permissions. This doesn't solve all possible (source map, target map) pairs though.
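namreeb's edit names the actual weakness: the server accepts a gameobject-use message without checking that the player could legitimately have reached the object. The block below is an added example, not code from the thread or from any server project, of the checks a use handler needs so that the server, not the client, decides whether an object is usable: the object must exist and be spawned, it must be on the map the server already knows the player is on, and the player must be within interaction range. The data model, the guids, the interaction radius and the audit threshold are all constructed for the example.

```python
"""Server-side validation for a gameobject-use request. Added example with a
constructed world; nothing here is taken from a real server implementation."""
from collections import Counter
from dataclasses import dataclass
import math

INTERACT_RANGE_YD = 5.0     # ASSUMPTION: illustrative radius, not a value from the game


@dataclass
class Player:
    guid: int
    map_id: int             # authoritative: set by the server on login/teleport, never by the client
    x: float
    y: float
    z: float


@dataclass
class GameObject:
    guid: int
    map_id: int
    x: float
    y: float
    z: float
    spawned: bool = True


class RejectedUse(Exception):
    """A use request failed a server-side check; the handler records it."""


class UseAudit:
    """Counts rejected use requests per player so repeated bad requests can be flagged."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.rejects = Counter()

    def record(self, player_guid, reason):
        self.rejects[player_guid] += 1
        return f"reject guid={player_guid:#x} reason={reason!r} count={self.rejects[player_guid]}"

    def flagged(self):
        return sorted(g for g, n in self.rejects.items() if n >= self.threshold)


def validate_gameobject_use(player, go_guid, objects, max_range=INTERACT_RANGE_YD):
    """Return the object if the player may use it, otherwise raise RejectedUse."""
    go = objects.get(go_guid)
    if go is None or not go.spawned:
        raise RejectedUse("object not spawned")
    if go.map_id != player.map_id:          # the check the exchange above is about
        raise RejectedUse("object is on a different map")
    dist = math.dist((player.x, player.y, player.z), (go.x, go.y, go.z))
    if dist > max_range:
        raise RejectedUse(f"object is {dist:.1f} yd away (limit {max_range})")
    return go


def handle_use(player, go_guid, objects, audit):
    """Handler as a server would wire it: validate first, act only on success, audit rejects.
    Returns (object, None) on success or (None, audit line) on rejection."""
    try:
        go = validate_gameobject_use(player, go_guid, objects)
    except RejectedUse as exc:
        return None, audit.record(player.guid, str(exc))
    return go, None


# Constructed sample world: one portal object on each of two maps.
WORLD = {
    0xF1100001: GameObject(0xF1100001, map_id=0, x=100.0, y=200.0, z=30.0),
    0xF1100002: GameObject(0xF1100002, map_id=1, x=-50.0, y=75.0, z=10.0),
}

if __name__ == "__main__":
    audit = UseAudit()
    player = Player(guid=1, map_id=0, x=101.0, y=202.0, z=30.0)
    print(handle_use(player, 0xF1100001, WORLD, audit))   # in range, same map: allowed
    print(handle_use(player, 0xF1100002, WORLD, audit))   # other map: rejected
```

The map comparison is what closes the trick namreeb describes: even a client that rewrites its own coordinates cannot satisfy it, because the map id it is compared against was never supplied by the client. The audit counter is the detection half; a player who repeatedly fails these checks is worth a look regardless of whether any single request succeeded.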

  17. #539 bone91 (Sergeant Major)
    Does anyone have an example of calling the LootSlot function directly in memory? Calling LootSlot(1) in doString has no effect (neither has sending a Lua click to LootButton1). I suspect this is because it's not accepting virtual mouse clicks. CTM/Autoloot will be of no help, because I am trying to get Pickpocketing to work, where a spell will open the loot window and I'd like to avoid something as hacky as writing mouse position to memory and then injecting a click.

    Edit: After fucking around with it a little bit, it seems that injecting AutoLoot before casting Pick Pocket does the trick.
    Last edited by bone91; 01-01-2018 at 04:35 PM.

  18. #540 tutrakan (Contributor)
    Originally Posted by namreeb:
    ...
    Edit: I've been able to 'fake' this in some cases by teleporting to portals between the maps and sending a gameobject interact message with them. ...
    Which portals do you mean?
