ObjectManager stuck on reading names

[kosacid]

problem solved thanks alot teufel123

Code:

header.h

#include <Windows.h>
#include <string>

using namespace std;
typedef unsigned int uint;

void WorkFunc();
void ReadProcMem(void *pAddress, void *pMem, int iSize);
void OpenConsole();

enum ObjectManager
{
    CurMgrPointer = 0x9BE7E0,
    CurMgrOffset = 0x463C,
    NextObject = 0x3C,
    FirstObject = 0xC0,
    LocalGUID = 0xC8
};

Main.cpp

#include "header.h"
DWORD dwThreadId;

BOOL WINAPI DllMain (HINSTANCE hInst,DWORD reason,LPVOID reserved)
{
	if(reason == DLL_PROCESS_ATTACH)
	{
		CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)WorkFunc,NULL, 0, &dwThreadId);
		OpenConsole();
	}

	if(reason == DLL_PROCESS_DETACH)
	{

	}
	return (TRUE);
}

void WorkFunc()
{
	while(TRUE)
	{
		if(GetAsyncKeyState(0x43))
		{
			system("CLS");
			uint BaseAddress = (uint)GetModuleHandle(0);
	        uint ObjectPointer;
	        ReadProcMem((LPVOID)(BaseAddress + CurMgrPointer),&ObjectPointer,4);
	        uint ObjectPointerOffset;
	        ReadProcMem((LPVOID)(ObjectPointer + CurMgrOffset),&ObjectPointerOffset,4);
	        uint FirstItem;
	        ReadProcMem((LPVOID)(ObjectPointerOffset + FirstObject),&FirstItem,4);
	        printf("CurMgrPointer: %X\n",ObjectPointer);
            printf("Object Manager: %X\n",ObjectPointerOffset);
	        printf("First Object: %X\n",FirstItem);
	        uint BaseObject = FirstItem;
	        int ObjectCount = 0;
	        while (BaseObject != 0 && BaseObject % 2 == 0)
	        {
		        ObjectCount++;
				DWORD nm;
                char name[100]="";
		        ReadProcMem((LPVOID)(BaseObject + 0x1CC),&nm, 4);
                ReadProcMem((LPVOID)(nm + 0xB4),&nm, 4);
                ReadProcMem((LPVOID)(nm),&name[0], 100*sizeof(char));
		        printf("Name: %s\n",name);
		        ReadProcMem((LPVOID)(BaseObject + NextObject),&BaseObject,4);
	        }
	        printf("Total ObjectCount = %i\n",ObjectCount);
		}
	}
}

void ReadProcMem(void *pAddress, void *pMem, int iSize)
{
	HANDLE hProc = OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ, FALSE, GetCurrentProcessId());
	DWORD dwOld;
	VirtualProtectEx(hProc, pAddress, iSize, PAGE_EXECUTE_READWRITE, &dwOld);
	ReadProcessMemory(hProc, pAddress, pMem, iSize, 0);
	CloseHandle(hProc);
}

console.cpp

#include "header.h"
#include <windows.h>
#include <stdio.h>
#include <iostream>
#include <fstream>
#include <conio.h>
#include <io.h>

void OpenConsole()
{
    int outHandle, errHandle, inHandle;
    FILE *outFile, *errFile, *inFile;
    AllocConsole();
    CONSOLE_SCREEN_BUFFER_INFO coninfo;
    GetConsoleScreenBufferInfo(GetStdHandle(STD_OUTPUT_HANDLE), &coninfo);
    coninfo.dwSize.Y = 9999;
    SetConsoleScreenBufferSize(GetStdHandle(STD_OUTPUT_HANDLE), coninfo.dwSize);
    outHandle = _open_osfhandle((long)GetStdHandle(STD_OUTPUT_HANDLE),0);
    errHandle = _open_osfhandle((long)GetStdHandle(STD_ERROR_HANDLE),0);
    inHandle = _open_osfhandle((long)GetStdHandle(STD_INPUT_HANDLE),0);
    outFile = _fdopen(outHandle, "w" );
    errFile = _fdopen(errHandle, "w");
    inFile =  _fdopen(inHandle, "r");
    *stdout = *outFile;
    *stderr = *errFile;
    *stdin = *inFile;
    setvbuf( stdout, NULL, _IONBF, 0 );
    setvbuf( stderr, NULL, _IONBF, 0 );
    setvbuf( stdin, NULL, _IONBF, 0 );
    std::ios::sync_with_stdio();
}

[kosacid]

self bump
FirstObject whats the offset to the pointer to the object`s field
and i take it once you have the field LocalGUID = 0xC8 is the offset for the GUID
the reason im asking its been a while since i last was here alot has changed

[Bananenbrot]

Reading unit names out of process is tedious. You have to maintain at least 4-5 offsets. I would recommend to inject some code and call the Object VFunc instead. That way you only have to maintain the virtual table offset which is 48 currently (may have counted wrong... my patterns do that stuff for me). If you really want to read the name manually, say for a unit, then you have to implement CGUnit_C::GetUnitName (in TOM_RUS IDA database) yourself:

Code:

int __thiscall CGUnit_C::GetUnitName(int this, int a2, int a3)
{
...
  v3 = this;
  if ( (!a3 || !(*(_BYTE *)(this + 4098) & 0x80)) && !(*(_BYTE *)(this + 4071) & 1)
    || (result = CGUnit_C::GetUnitNameFromSpellData(a2)) == 0 )
  {
    v5 = *(_DWORD *)(v3 + 12);
    if ( ((unsigned int)*(_WORD *)(v5 + 16) >> 4) & 1 )
    {
      v6 = *(_DWORD *)(v3 + 12);
      v11 = *(_DWORD *)v5;
      v12 = *(_DWORD *)(v5 + 4);
      result = DBCache_NameCache::GetRecord(*(_DWORD *)v6, *(_DWORD *)(v6 + 4), &v11, sub_5ACF60, 0, 1);
      if ( result )
      {
        if ( a2 )
        {
          if ( *(_BYTE *)(result + 52) )
            *(_DWORD *)a2 = result + 52;
        }
        return result;
      }
    }
...
}

This is ugly even if you prettiefy it.

Edit: Oh, and it's

Code:

        // 4.3.4.15595
        public const int LocalPlayerGuidOffset = 0xC8; // [ObjectManager + this offset] := LocalPlayerGuid
        public const int GuidOffset = 0x30; // [Object + this offset] := Object's GUID
        public const int StartOffset = 0xC0; // [ObjectManager + this offset] := first object of linked list
        public const int NextOffset = 0x3C; // [Object + this offset] := next object

currently for me.

[kosacid]

for build 3.3.5(12340) i used this

Code:

void WorkFunc()
{
	while(TRUE)
	{
		if(GetAsyncKeyState(0x43))
		{
	        ReadProcMem((LPVOID)(StaticClientConnection),&ClientConnection,4);

	        ReadProcMem((LPVOID)(ClientConnection + ObjectManagerOffset),&ObjectManager,4);

	        ReadProcMem((LPVOID)(ObjectManager + FirstObjectOffset),&FirstObject,4);

	        printf("Client Connection: %X\n",ClientConnection);
            printf("Object Manager: %X\n",ObjectManager);
	        printf("First Object: %X\n",FirstObject);
	        BaseObject = FirstObject;
	        int ObjectCount = 0;
	        while (BaseObject != 0 && BaseObject % 2 == 0)
			{
				ObjectCount++;
		        DWORD nm;
                char name[100]="";
		        ReadProcMem((LPVOID)(BaseObject + 0x964),&nm, 4);
                ReadProcMem((LPVOID)(nm + 0x05C),&nm, 4);
                ReadProcMem((LPVOID)(nm),&name[0], 100*sizeof(char));
		        printf("Name: %s\n",name);
		        ReadProcMem((void*)(BaseObject + NextObjectOffset),&BaseObject,4);
			}
	        printf("ObjectCount = %i\n",ObjectCount);
		}
	}
}

basicly when you press C it gives you a list of mob names

[Bananenbrot]

Yeah, but they changed quite a bit since 3.3.5. As I said, you could still read them out, but it is even uglier than it used to be and you have to figure it out on your own, because nobody will perform the steps manually if you can just inject and call a function which does the stuff for you. I would try something else than reading unit names until you are at a point where you can call engine functions.

[_Mike]

Well he did say it was an injected dll so calling engine funcs shouldn't be a problem. But then again, he is using ReadProcessMem to read from his own address space.. And he's opening a new process handle for every read.
I thought that knowing <your language of choice> was a requirement for posting but I guess I was wrong.

[kosacid]

@_Mike its not designed for a constant read only when a key is pressed to take a snap shot, sorry wee all cant be elite programers some thing wee are working up to some day, so no need for being so negative, and it was a post to get a idea how to do it
@Bananenbrot ye your correct why do all that work when there a function for it ill go test that thanks

[_Mike]

There is nothing "elite" about pointer dereferencing.. It's one of the very first things one should learn about C imo. I don't mind people trying to learn about hacking wow, but you should at least have some basic programming knowledge first. If you can't manage a simple data pointer what makes you think you'll do any better with function pointers?
At best you might find some copy-paste ready code here but I doubt you'd understand how it actually works.
I'm not saying this just to be rude. I am actually trying to help you by saying that you need to learn the language first. And this isn't the place to do that.

[kosacid]

i can get the pointers my self np but i just dont want to mess about with my retail account when some one might allready have the pointers,and i dont copy and paste as you pointed out with my memory read function, i do use name`s though so folk might understand what im doing, i do get what your saying though just that i have my own ways of doing things at the end of the day it gets the job done and some might use it some wont
big problem is i dont quite know how far you can go before they notice your up to some thing
and i dont think pulling info is that bad but i dont want to push it lol

[teufel123]

For Objects. Found this in an old bot source which worked in 4.x.x something

Code:

$objname = _MemoryRead(_MemoryRead(_MemoryRead($CurrentObject + $ObjectName1, $wow, "dword") + $ObjectName2, $wow, "dword"), $wow, "char[32]") ;0x1CC=ObjectName1  0xB4=ObjectName2

[kosacid]

@teufel123 thanks alot

[joostvanpoppel]

I can get the X, Y, Z, rotation of each object in my area without problems. I'm currently trying to get the names of npcs, type 3.
For that i'm using UnitName1 = 0x91C and UnitName2 = 0x64.
ReadString(ReadCardinal(ReadCardinal(lObjectBaseAddress + UnitName1) + UnitName2))

Is it correct to user UnitName1/UnitName2 for this? And is my code correct?

[kosacid]

Download my projects from SourceForge.net
enum UnitName
{
ObjectName1 = 0x1CC,
ObjectName2 = 0xB4,
UnitName1 = 0x91C,
UnitName2 = 0x64,
PlayerNameCachePointer = 0x9980B0,
PlayerNameMaskOffset = 0x024,
PlayerNameBaseOffset = 0x01c,
PlayerNameStringOffset = 0x020
}

ye its right i used that also i completed what i was doing