Click To Move in OllyDebug

[kingdeking]

Helllo guys,

I am having some trouble finding the function ClickToMove in Olly Debug. Even though offsets are provided in the dump thread I dont seem to find it. I am using WoW 4.06a. The dump thread says the ClickToMove offset is:

5C8590 CGPlayer_C::ClickToMove

http://www.ownedcore.com/forums/worl...mp-thread.html ([WoW][4.0.6.13623] Info Dump Thread)


This offset is rebased. So I should just add the base address of WoW.exe and add that offset to ClickToMove. Now look when I fire up OllyDebug I see the following Base Address:




So thats the math I do to get the right offset:

0x00140000 + 0x005C8590 = 0x00708590
^
Base Address of WoW.exe

But look where I end up:





Now. when I put a breakpoint there its not called when I do clickToMove in WoW. What am I doing wrong? Is the Base Address wrong or the offset?

[QKdefus]

0x5C8590 CGPlayer_C__ClickToMove = Function dump (offsets NOT rebased)

0x5c8590 - 400000 = 0x1c8590 rebased

0x1c8590 + 140000 = 0x308591 olly

[kingdeking]

0x5C8590 CGPlayer_C__ClickToMove = Function dump (offsets NOT rebased)

0x5c8590 - 400000 = 0x1c8590 rebased

0x1c8590 + 140000 = 0x308591 olly

Ow yeah, thanks a lot. Didnt know the imagebase was still in there ;]

[romb0t]

@QKdefus
You beat me

It is why you have "NOT REBASED" in the TOM_RUSS posting

[QKdefus]

not really used with olly, had to test it manually with 433 lol.

good luck

[kingdeking]

Hello,

I need to dig that up. Can someone help me with the WoWPos structure that ClickToMove takes? I cant find it out......

[Bananenbrot]

Code:

struct WoWPos
{
    float X, Y, Z;
};

Basically a normal 3D vector. Some people also suggest a fourth float for facing, but I cannot reproduce why and until now it was enough to pass 12 bytes...

[kingdeking]

Thanks,

I managed to get that far now:

typedef bool (__thiscall* ClickToMove_t)(__int32* ClassPointer, __int32 ClickToMoveType, __int64* pGUID, sWoWPos* pPos, float Precision);

This is the last piece of the puzzle:
_int32* ClassPointer

I dont understand how to obtain this pointer. One way might be to hook ClickToMove and use it once in game and obtain the pointer but thats plain ugly. Anyone got some info on this?


edit: I hooked the function and Im getting the pointer like this but its so ugly. And I have looked up GetActivePlayer but it does not return the pointer. So idk how to do this better.

[Bananenbrot]

Actually, you are supposed to call ClickToMove with the active player's address... at least it works for me.

[kingdeking]

hmm, so weird when I call GetActivePlayer within my DLL the function returns something different than when WoW calls it. I think it has something to do with Threads because the first line of GetActivePlayer accesses FS-Segment. Thats really stupid... WoW is really a bitch to me today. Anyone can help?

And here is the asm of GetActivePlayer:

Code:

MOV ECX, DWORD PTR FS:[2C]
MOV EAX,DWORD PTR DS:[1B4C170]
MOV EDX,DWORD PTR DS:[ECX+EAX*4]
MOV ECX,DWORD PTR DS:[EDX+8]
TEST ECX,ECX
JNZ SHORT Wow.011A523E
XOR EAX,EAX
XOR EDX,EDX
RETN
MOV EAX,DWORD PTR DS:[ECX+B8]
MOV EDX,DWORD PTR DS:[ECX+BC]
RETN

I also tried copying the function and just calling my own implementation, but same result.

[migtron]

WoW uses ThreadLocal storage for several things, including the object manager. So either you dive deep into structures which are not part of any official API or you reverse engineer functions like GetActivePlayer to get the necessary offsets. GetActivePlayer returns a GUID by the way, so you still need to get the actual object after finding the GUID.

[kingdeking]

What do you mean by reverse engineer functions like GetActivePlayer. There is nothing to reverse here, the function is naked. All i can try is maybe see where it is called from and see how the reutnr value of GetActivePlayer is handled, since you say GetActivePlayer returns a GUID, the actual object might be obtained in the caller function..

edit: o snap, now i understand, clicktomove takes the player object, and i can find it by iterating over the objects, right? I got it now ... long day.

[migtron]

I mean that you see what is happening with the object from thread local storage after WoW gets it. In this case, you see that a specific value (the player GUID) is gotten from a certain offset. The thread local value this offset is relative to is the object manager, which you probably already found other ways to get access to. Or can easily find in the respective threads in this forum.

[kingdeking]

Okay thanks a lot, I am obtaining the player guid using the offsets provided in this forum since messing with TLS and whatever not is above my level.... I am iterating over the objects now receiving the pointer to the player object successfully and being able to call ClickToMove successfully aswell. Thanks for all the help! I can proceed writing my own personal bot now.