
    Field Dumper

    I built this to dump the descriptor field data of every object in the client's object manager. I found it useful while working out field offsets, so I thought I would post it.

    header.h
    Code:
    #include <Windows.h>
    #include <tlhelp32.h>
    #include <math.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <string>
    
    using namespace std;        // NOTE(review): nothing in main.cpp uses std:: names; kept so includers are unaffected
    typedef unsigned int uint;  // 32-bit; every remote pointer in this tool is read as 4 bytes

    // Copies `cbBytes` bytes from `pRemote` in the target process (global Pid, set
    // by main) into the local buffer `pLocal`.  Failures are not reported to the caller.
    void ReadProcMem(void *pRemote, void *pLocal, int cbBytes);

    // Returns the process ID of the first process whose image name equals `exeName`
    // (strcmp, so case-sensitive), or 0 if none is found.
    unsigned long GetPid(char *exeName);

    // Returns the load address of `moduleName` inside process `pid`, truncated to
    // 32 bits, or 0 if the process/module cannot be found.
    DWORD GetBase(char* moduleName, DWORD pid);

    // One pass over the object manager (dump or read; see main.cpp).
    void Test();
    main.cpp
    Code:
    #include "header.h"
    
    // Process ID of the target (Wow.exe); resolved once in main().
    DWORD Pid = 0;
    // Load address of Wow.exe inside the target; every static offset is relative to it.
    uint BaseAddress = 0;

    // Set when the F1 poll in main() fires; cleared by Test() once a dump pass is done.
    bool start = false;
    // Number of descriptor bytes to dump per object (argv[1]).
    int size = 0;
    
    // Static offsets into the client's object manager.  They are build-specific
    // (the same values are cited from the 4.3.4 / 15595 info dump thread later in
    // this page) and must be re-found for any other client build.  All pointers
    // are 32-bit, so this only works against a 32-bit client.
    enum ObjectManager
    {
        CurMgrPointer = 0x9BE7E0,   // BaseAddress + this -> pointer read in Test()
        CurMgrOffset = 0x463C,      // that pointer + this -> the object manager
        FirstObject = 0xC0,         // object manager + this -> first object in the list
        NextObject = 0x3C,          // object + this -> next object; list ends at 0 / odd value
    };
    
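    // Entry point.  Usage: Dumper.exe <bytes>, where <bytes> is how much of each
    // object's descriptor block to dump (the post suggests 512).  Attaches to the
    // running Wow.exe and dumps every object to Field.txt when F1 is pressed.
    int main(int argc, char* argv[])
    {
    	// The original read argv[1] unconditionally; running without an argument
    	// dereferenced past the end of argv.
    	if (argc < 2)
    	{
    		printf("usage: %s <descriptor bytes to dump>\n", argv[0]);
    		return 1;
    	}
    	size = atoi(argv[1]);
    	if (size < 0)
    	{
    		printf("invalid size '%s'\n", argv[1]);
    		return 1;
    	}

    	Pid = GetPid("Wow.exe");
    	BaseAddress = GetBase("Wow.exe", Pid);
    	if (Pid == 0 || BaseAddress == 0)
    	{
    		// Either the client is not running or its process cannot be opened
    		// from here (e.g. it runs at a higher integrity level than this tool).
    		printf("Wow.exe not found or not accessible (pid=%lu base=%X)\n", Pid, BaseAddress);
    		return 1;
    	}

    	// Poll F1 (VK_F1 == 0x70).  The short Sleep keeps the poll from
    	// spinning a core at 100% while idle, as the original loop did.
    	while (1)
    	{
    		if (GetAsyncKeyState(0x70))
    		{
    			start = true;
    		}
    		if (start)
    		{
    			Test();
    		}
    		Sleep(50);
    	}
    	return 0;
    }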
    
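    // Reads one 32-bit value from the target.  The destination is zeroed before
    // the read, so a failed ReadProcMem yields 0 instead of a stale value; the
    // original re-used the previous pointer on failure and could therefore loop
    // forever on the same object.
    static uint ReadU32(uint address)
    {
    	uint value = 0;
    	ReadProcMem((LPVOID)address, &value, 4);
    	return value;
    }

    // One dump pass: walks BaseAddress+CurMgrPointer -> +CurMgrOffset ->
    // +FirstObject and, for every object in the list, appends `size`+4 bytes of
    // its descriptor block (object+0xC) to Field.txt as "<hex offset>=<u32>".
    void Test()
    {
    	uint objMgr = ReadU32(BaseAddress + CurMgrPointer);
    	objMgr = ReadU32(objMgr + CurMgrOffset);
    	uint ObjectPointer = ReadU32(objMgr + FirstObject);

    	FILE *field = fopen("Field.txt", "at");
    	if (field == NULL)
    	{
    		// The original passed the NULL stream to fprintf.
    		printf("could not open Field.txt for append\n");
    		start = false;
    		return;
    	}

    	// The list ends at a null or odd (unaligned) pointer.
    	while (ObjectPointer != 0 && ObjectPointer % 2 == 0)
    	{
    		// Descriptor block pointer lives at object+0xC; each field is 4 bytes.
    		uint dsfp = ReadU32(ObjectPointer + 0xC);
    		if (dsfp != 0)
    		{
    			printf("start\n");
    			fprintf(field, "start\n");
    			// Inclusive bound (as in the original): dumps offsets 0 .. size.
    			for (int x = 0; x <= size; x += 4)
    			{
    				uint bb = ReadU32(dsfp + x);
    				fprintf(field, "%X=%u ", x, bb);
    				printf("%X=%u ", x, bb);
    			}
    			printf("\nend\n");
    			fprintf(field, "\nend\n");
    		}
    		ObjectPointer = ReadU32(ObjectPointer + NextObject);
    	}
    	fclose(field);
    	start = false;
    	Sleep(1000);
    }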
    
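    // Copies iSize bytes at pAddress in the target process (global Pid) into pMem.
    // On any failure pMem is zero-filled, so a caller can never mistake a stale
    // value (e.g. a list pointer) for a successful read.
    //
    // Least privilege: a read needs only PROCESS_VM_READ.  The original also
    // requested PROCESS_VM_WRITE|PROCESS_VM_OPERATION and flipped the target page
    // to PAGE_EXECUTE_READWRITE before every read without ever restoring it —
    // unnecessary for reading, and it leaves the game's pages writable+executable.
    void ReadProcMem(void *pAddress, void *pMem, int iSize)
    {
    	if (pMem == NULL || iSize <= 0)
    		return;
    	ZeroMemory(pMem, iSize);

    	HANDLE hProc = OpenProcess(PROCESS_VM_READ, FALSE, Pid);
    	if (hProc == NULL)
    		return;   // original passed the NULL handle straight to ReadProcessMemory

    	SIZE_T cbRead = 0;
    	if (!ReadProcessMemory(hProc, pAddress, pMem, (SIZE_T)iSize, &cbRead) || cbRead != (SIZE_T)iSize)
    		ZeroMemory(pMem, iSize);   // partial read: discard it
    	CloseHandle(hProc);
    }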
    
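    // Returns the process ID of the first process whose image name equals procName
    // (strcmp: case-sensitive, so "Wow.exe" and "WoW.exe" differ), or 0 when the
    // snapshot fails or nothing matches.  The original never closed the snapshot
    // handle, leaking one per call.
    unsigned long GetPid(char *procName)
    {
       if (procName == NULL) return 0;

       HANDLE thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
       if (thSnapshot == INVALID_HANDLE_VALUE)
       {
          return 0;
       }

       unsigned long pid = 0;
       PROCESSENTRY32 pe = {0};
       pe.dwSize = sizeof(PROCESSENTRY32);
       for (BOOL more = Process32First(thSnapshot, &pe); more; more = Process32Next(thSnapshot, &pe))
       {
          if (strcmp(pe.szExeFile, procName) == 0)
          {
             pid = pe.th32ProcessID;
             break;
          }
          pe.dwSize = sizeof(PROCESSENTRY32);
       }
       CloseHandle(thSnapshot);
       return pid;
    }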
    
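    // Returns the load address of module DllName inside process tPid, or 0 if the
    // process or module cannot be found.  The value is truncated to 32 bits, so
    // this is only correct for a 32-bit target read by a 32-bit build of this tool
    // (every remote pointer here is read as 4 bytes).
    DWORD GetBase(char* DllName, DWORD tPid)
    {
        if (tPid == 0 || DllName == NULL) return 0;

        // The module snapshot returns INVALID_HANDLE_VALUE when the process cannot
        // be opened (e.g. higher integrity level, or a 64-bit target from a 32-bit
        // build); the original handed that value to Module32First and CloseHandle.
        HANDLE snapMod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, tPid);
        if (snapMod == INVALID_HANDLE_VALUE) return 0;

        DWORD base = 0;
        MODULEENTRY32 me32 = {0};
        me32.dwSize = sizeof(MODULEENTRY32);
        if (Module32First(snapMod, &me32))
        {
            do
            {
                if (strcmp(DllName, me32.szModule) == 0)
                {
                    base = (DWORD)(DWORD_PTR)me32.modBaseAddr;
                    break;
                }
            } while (Module32Next(snapMod, &me32));
        }
        CloseHandle(snapMod);
        return base;
    }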
    Build it, then create a batch file (e.g. Dumper.bat) containing `NameOfExe.exe 512`, where 512 is the number of descriptor bytes to dump for each object.
    With the game running, press F1 (the tool polls virtual-key 0x70) and every object in the object manager is appended to Field.txt. Search the dump for a value you already know — e.g. your current health to find your own character, or an entry ID such as 668 (the fishing bobber) while fishing.
    To build, create an empty console project, add header.h and main.cpp, paste the code in and it should compile. Build it as 32-bit (x86): every pointer is read as 4 bytes, so it only works against a 32-bit client. Two caveats: the tool must be allowed to OpenProcess the client (run it at the same or a higher integrity level than the game), and the hard-coded offsets (CurMgrPointer, CurMgrOffset, FirstObject, NextObject) are build-specific — the same values are cited below from the 4.3.4 (15595) info dump thread and must be re-found for any other client build.
    Nice work.

    Question: where did you get the 0xC from to add to the object pointer to jump into the descriptor fields? I don't see this in the info dumps or any of the other threads.

    This line:
    ReadProcMem((LPVOID)(ObjectPointer + 0xC),&dsfp,4);
    Originally posted by FishDance:
    Question: where did you get the 0xC from to add to the object pointer to jump into the descriptor fields? I don't see this in the info dumps or any of the other threads.

    This line:
    ReadProcMem((LPVOID)(ObjectPointer + 0xC),&dsfp,4);
    From the info dump thread :

    Originally posted by Vandra (in the info dump thread):
    Descriptor is at 0xC

    Thank you.
    If this is the object's descriptor field data, shouldn't the first field be the object GUID and the third field the object type? And the GUID should be 64-bit, correct? That doesn't match what I see in the dump:

    start
    0=274 4=4048579830 8=0 C=0 10=9 14=27894 18=1065353216 1C=0 20=0 24=0 28=0 2C=0 30=0 34=0 38=99617038 3C=33554432 40=0 44=0 48=0 4C=0 50=0 54=0 58=0 5C=0 60=0 64=16908544 68=470873 6C=0 70=0 74=0 78=0 7C=0 80=470873 84=0 88=0 8C=0 90=0 94=0 98=0 9C=0 A0=0 A4=0 A8=0 AC=0 B0=0 B4=0 B8=0 BC=0 C0=85 C4=2203 C8=0 CC=0 D0=0 D4=16793608 D8=0 DC=0 E0=2000 E4=2000 E8=0 EC=1050438271 F0=1065353216 F4=27101 F8=27101 FC=0 100=0 104=0 108=0 10C=0 110=0 114=0 118=0 11C=0 120=0 124=0 128=1065353216 12C=1065353216 130=0 134=0 138=0 13C=0 140=0 144=0 148=0 14C=0 150=0 154=0 158=0 15C=0 160=0 164=0 168=0 16C=0 170=0 174=0 178=0 17C=0 180=0 184=0 188=0 18C=0 190=0 194=0 198=0 19C=0 1A0=0 1A4=0 1A8=0 1AC=0 1B0=0 1B4=0 1B8=0 1BC=0 1C0=0 1C4=0 1C8=0 1CC=0 1D0=0 1D4=257 1D8=0 1DC=0 1E0=0 1E4=0 1E8=0 1EC=0 1F0=0 1F4=0 1F8=0 1FC=0 200=0
    end

    edit: I found the object type at object+0x14 and the GUID at object+0x30. Those are fields of the object structure itself, not of the descriptor block that object+0xC points to.

    Does the descriptor not hold the GUID then, or is OBJECT_FIELD_GUID just the descriptor slot index of the GUID?:
    {
    OBJECT_FIELD_GUID = 0x0,
    OBJECT_FIELD_DATA = 0x2,
    OBJECT_FIELD_TYPE = 0x4,
    OBJECT_FIELD_ENTRY = 0x5,
    OBJECT_FIELD_SCALE_X = 0x6,
    OBJECT_FIELD_PADDING = 0x7,
    OBJECT_END = 0x8
    };
    // Descriptor field indices for game objects.  Each value is a slot index into
    // the descriptor block (object+0xC); multiply by 4 for the byte offset used by
    // the dumper.  OBJECT_END (0x8) is the size of the common object header and
    // must be in scope.
    enum eGameObjectFields
    {
    GAMEOBJECT_DISPLAYID = OBJECT_END + 0x2,    // slot 0xA -> byte offset 0x28 in the dump
    GAMEOBJECT_FLAGS = OBJECT_END + 0x3,
    GAMEOBJECT_PARENTROTATION = OBJECT_END + 0x4,
    GAMEOBJECT_DYNAMIC = OBJECT_END + 0x8,
    GAMEOBJECT_FACTION = OBJECT_END + 0x9,
    GAMEOBJECT_LEVEL = OBJECT_END + 0xA,
    GAMEOBJECT_BYTES_1 = OBJECT_END + 0xB,
    GAMEOBJECT_END = OBJECT_END + 0xC
    };

    OBJECT_END = 0x8, and these values are slot indices, not byte offsets.
    So for GAMEOBJECT_DISPLAYID the slot index is 8 + 2 = 0xA; each slot is 4 bytes, so the byte offset is 0xA * 4 = 0x28.
    The dumper prints offsets in hex, so look at the entry labelled 28 in your dump — that is the display ID you can look up on wowhead.

    How you interpret a slot also depends on the field's type. The dumper reads every slot as an unsigned 32-bit integer:
    uint bb;
    ReadProcMem((LPVOID)(dsfp + x),&bb,4);
    fprintf(field,"%X=%u ",x,bb);
    printf("%X=%u ",x,bb);

    example

    float bb;
    ReadProcMem((LPVOID)(dsfp + x),&bb,4);
    fprintf(field,"%X=%f ",x,bb);
    printf("%X=%f ",x,bb);

    Also remember that GUID fields are 64-bit, so read 8 bytes into a UINT64 (the size argument is the only change):
    UINT64 bb;
    ReadProcMem((LPVOID)(dsfp + x),&bb,8);
    You can also dump the raw object structure itself (where FishDance found the type at +0x14 and the GUID at +0x30) instead of the descriptor block, by offsetting from the object pointer rather than from dsfp:
    ReadProcMem((LPVOID)(ObjectPointer + x),&bb,4);

    Thank you. This is very helpful. Using this post and some other guides for nubs, I put together some code to read health and mana descriptors to help wrap my head around this. I am new to memory editing but not very new to C++. I made this code as verbose as possible because I felt a lot of the guides had some holes in the explanations. I am late to the memory editing game so there were a lot of things I had to piece together. I think I sourced and explained everything properly to make this as unambiguous as possible:
    Code:
    // ReadHealth.cpp
    // This was cobbled together from the information in posts made by kosacid, gononono64 and zamba1587 from ownedcore.
    // Sources:
    // http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/319172-guide-how-make-wow-bot-complete-newbs.html
    // http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/331072-guide-how-create-wow-bot-using-autoit-memory-reading.html
    // http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/369580-field-dumper.html
    // http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/336013-guides-starting-point-newbs.html
    
    #include "stdafx.h"
    #include <Windows.h>
    #include <TlHelp32.h>
    
    // Helper function to get the dynamic base address of a module given the PID and module name.
    // Helper: returns the load address of lpszModuleName inside process
    // dwProcessIdentifier, or 0 when the snapshot fails or the module is absent.
    // The (DWORD) truncation means this is only correct for a 32-bit target.
    DWORD dwGetModuleBaseAddress(DWORD dwProcessIdentifier, const TCHAR *lpszModuleName) 
    { 
       DWORD dwModuleBaseAddress = 0;
       HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessIdentifier);
       if (hSnapshot == INVALID_HANDLE_VALUE)
          return 0;   // process could not be opened (access denied / wrong bitness)

       MODULEENTRY32 entry = {0};
       entry.dwSize = sizeof(MODULEENTRY32);
       for (BOOL more = Module32First(hSnapshot, &entry); more; more = Module32Next(hSnapshot, &entry))
       {
          if (_tcscmp(entry.szModule, lpszModuleName) != 0)
             continue;
          dwModuleBaseAddress = (DWORD)entry.modBaseAddr;
          break;
       }
       CloseHandle(hSnapshot);
       return dwModuleBaseAddress;
    } 
    
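    // Reads a 32-bit value at `address` in the target.  Returns FALSE (with *out
    // left at 0) on a failed or short read, so the caller never acts on a stale
    // value; the original ignored every ReadProcessMemory result.
    static BOOL ReadDword(HANDLE hProcess, DWORD address, DWORD *out)
    {
    	SIZE_T got = 0;
    	*out = 0;
    	return ReadProcessMemory(hProcess, reinterpret_cast<void *>(address), out, sizeof(DWORD), &got) && got == sizeof(DWORD);
    }

    // Same for a 64-bit value (GUIDs are 64-bit, so 8 bytes are read).
    static BOOL ReadQword(HANDLE hProcess, DWORD address, UINT64 *out)
    {
    	SIZE_T got = 0;
    	*out = 0;
    	return ReadProcessMemory(hProcess, reinterpret_cast<void *>(address), out, sizeof(UINT64), &got) && got == sizeof(UINT64);
    }

    // Finds the running client by window title, locates the local player object
    // by GUID in the object manager and prints its health and mana once a second
    // until C is pressed.  Returns -1 on any failure, 0 on a clean stop.
    int _tmain(int argc, _TCHAR* argv[])
    {
    	// Descriptor Structures (slot indices into the descriptor block; * sizeof(DWORD) for bytes)
    	// Gratefully leached from:  http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/347720-wow-4-3-4-15595-info-dump-thread.html
    	enum eObjectFields
    	{
    		OBJECT_FIELD_GUID = 0x0,
    		OBJECT_FIELD_DATA = 0x2,
    		OBJECT_FIELD_TYPE = 0x4,
    		OBJECT_FIELD_ENTRY = 0x5,
    		OBJECT_FIELD_SCALE_X = 0x6,
    		OBJECT_FIELD_PADDING = 0x7,
    		OBJECT_END = 0x8
    	};

    	enum eUnitFields
    	{
    		UNIT_FIELD_CHARM = OBJECT_END + 0x0,
    		UNIT_FIELD_SUMMON = OBJECT_END + 0x2,
    		UNIT_FIELD_CRITTER = OBJECT_END + 0x4,
    		UNIT_FIELD_CHARMEDBY = OBJECT_END + 0x6,
    		UNIT_FIELD_SUMMONEDBY = OBJECT_END + 0x8,
    		UNIT_FIELD_CREATEDBY = OBJECT_END + 0xA,
    		UNIT_FIELD_TARGET = OBJECT_END + 0xC,
    		UNIT_FIELD_CHANNEL_OBJECT = OBJECT_END + 0xE,
    		UNIT_CHANNEL_SPELL = OBJECT_END + 0x10,
    		UNIT_FIELD_BYTES_0 = OBJECT_END + 0x11,
    		UNIT_FIELD_HEALTH = OBJECT_END + 0x12,
    		UNIT_FIELD_POWER1 = OBJECT_END + 0x13,			// A.K.A. Mana
    		UNIT_FIELD_POWER2 = OBJECT_END + 0x14,
    		UNIT_FIELD_POWER3 = OBJECT_END + 0x15,
    		UNIT_FIELD_POWER4 = OBJECT_END + 0x16,
    		UNIT_FIELD_POWER5 = OBJECT_END + 0x17,
    		UNIT_FIELD_MAXHEALTH = OBJECT_END + 0x18,
    		UNIT_FIELD_MAXPOWER1 = OBJECT_END + 0x19,
    		UNIT_FIELD_MAXPOWER2 = OBJECT_END + 0x1A,
    		UNIT_FIELD_MAXPOWER3 = OBJECT_END + 0x1B,
    		UNIT_FIELD_MAXPOWER4 = OBJECT_END + 0x1C,
    		UNIT_FIELD_MAXPOWER5 = OBJECT_END + 0x1D,
    		UNIT_FIELD_POWER_REGEN_FLAT_MODIFIER = OBJECT_END + 0x1E,
    		UNIT_FIELD_POWER_REGEN_INTERRUPTED_FLAT_MODIFIER = OBJECT_END + 0x23,
    		UNIT_FIELD_LEVEL = OBJECT_END + 0x28,
    		UNIT_FIELD_FACTIONTEMPLATE = OBJECT_END + 0x29,
    		UNIT_VIRTUAL_ITEM_SLOT_ID = OBJECT_END + 0x2A,
    		UNIT_FIELD_FLAGS = OBJECT_END + 0x2D,
    		UNIT_FIELD_FLAGS_2 = OBJECT_END + 0x2E,
    		UNIT_FIELD_AURASTATE = OBJECT_END + 0x2F,
    		UNIT_FIELD_BASEATTACKTIME = OBJECT_END + 0x30,
    		UNIT_FIELD_RANGEDATTACKTIME = OBJECT_END + 0x32,
    		UNIT_FIELD_BOUNDINGRADIUS = OBJECT_END + 0x33,
    		UNIT_FIELD_COMBATREACH = OBJECT_END + 0x34,
    		UNIT_FIELD_DISPLAYID = OBJECT_END + 0x35,
    		UNIT_FIELD_NATIVEDISPLAYID = OBJECT_END + 0x36,
    		UNIT_FIELD_MOUNTDISPLAYID = OBJECT_END + 0x37,
    		UNIT_FIELD_MINDAMAGE = OBJECT_END + 0x38,
    		UNIT_FIELD_MAXDAMAGE = OBJECT_END + 0x39,
    		UNIT_FIELD_MINOFFHANDDAMAGE = OBJECT_END + 0x3A,
    		UNIT_FIELD_MAXOFFHANDDAMAGE = OBJECT_END + 0x3B,
    		UNIT_FIELD_BYTES_1 = OBJECT_END + 0x3C,
    		UNIT_FIELD_PETNUMBER = OBJECT_END + 0x3D,
    		UNIT_FIELD_PET_NAME_TIMESTAMP = OBJECT_END + 0x3E,
    		UNIT_FIELD_PETEXPERIENCE = OBJECT_END + 0x3F,
    		UNIT_FIELD_PETNEXTLEVELEXP = OBJECT_END + 0x40,
    		UNIT_DYNAMIC_FLAGS = OBJECT_END + 0x41,
    		UNIT_MOD_CAST_SPEED = OBJECT_END + 0x42,
    		UNIT_MOD_CAST_HASTE = OBJECT_END + 0x43,
    		UNIT_CREATED_BY_SPELL = OBJECT_END + 0x44,
    		UNIT_NPC_FLAGS = OBJECT_END + 0x45,
    		UNIT_NPC_EMOTESTATE = OBJECT_END + 0x46,
    		UNIT_FIELD_STAT0 = OBJECT_END + 0x47,
    		UNIT_FIELD_STAT1 = OBJECT_END + 0x48,
    		UNIT_FIELD_STAT2 = OBJECT_END + 0x49,
    		UNIT_FIELD_STAT3 = OBJECT_END + 0x4A,
    		UNIT_FIELD_STAT4 = OBJECT_END + 0x4B,
    		UNIT_FIELD_POSSTAT0 = OBJECT_END + 0x4C,
    		UNIT_FIELD_POSSTAT1 = OBJECT_END + 0x4D,
    		UNIT_FIELD_POSSTAT2 = OBJECT_END + 0x4E,
    		UNIT_FIELD_POSSTAT3 = OBJECT_END + 0x4F,
    		UNIT_FIELD_POSSTAT4 = OBJECT_END + 0x50,
    		UNIT_FIELD_NEGSTAT0 = OBJECT_END + 0x51,
    		UNIT_FIELD_NEGSTAT1 = OBJECT_END + 0x52,
    		UNIT_FIELD_NEGSTAT2 = OBJECT_END + 0x53,
    		UNIT_FIELD_NEGSTAT3 = OBJECT_END + 0x54,
    		UNIT_FIELD_NEGSTAT4 = OBJECT_END + 0x55,
    		UNIT_FIELD_RESISTANCES = OBJECT_END + 0x56,
    		UNIT_FIELD_RESISTANCEBUFFMODSPOSITIVE = OBJECT_END + 0x5D,
    		UNIT_FIELD_RESISTANCEBUFFMODSNEGATIVE = OBJECT_END + 0x64,
    		UNIT_FIELD_BASE_MANA = OBJECT_END + 0x6B,
    		UNIT_FIELD_BASE_HEALTH = OBJECT_END + 0x6C,
    		UNIT_FIELD_BYTES_2 = OBJECT_END + 0x6D,
    		UNIT_FIELD_ATTACK_POWER = OBJECT_END + 0x6E,
    		UNIT_FIELD_ATTACK_POWER_MOD_POS = OBJECT_END + 0x6F,
    		UNIT_FIELD_ATTACK_POWER_MOD_NEG = OBJECT_END + 0x70,
    		UNIT_FIELD_ATTACK_POWER_MULTIPLIER = OBJECT_END + 0x71,
    		UNIT_FIELD_RANGED_ATTACK_POWER = OBJECT_END + 0x72,
    		UNIT_FIELD_RANGED_ATTACK_POWER_MOD_POS = OBJECT_END + 0x73,
    		UNIT_FIELD_RANGED_ATTACK_POWER_MOD_NEG = OBJECT_END + 0x74,
    		UNIT_FIELD_RANGED_ATTACK_POWER_MULTIPLIER = OBJECT_END + 0x75,
    		UNIT_FIELD_MINRANGEDDAMAGE = OBJECT_END + 0x76,
    		UNIT_FIELD_MAXRANGEDDAMAGE = OBJECT_END + 0x77,
    		UNIT_FIELD_POWER_COST_MODIFIER = OBJECT_END + 0x78,
    		UNIT_FIELD_POWER_COST_MULTIPLIER = OBJECT_END + 0x7F,
    		UNIT_FIELD_MAXHEALTHMODIFIER = OBJECT_END + 0x86,
    		UNIT_FIELD_HOVERHEIGHT = OBJECT_END + 0x87,
    		UNIT_FIELD_MAXITEMLEVEL = OBJECT_END + 0x88,
    		UNIT_FIELD_PADDING = OBJECT_END + 0x89,
    		UNIT_END = OBJECT_END + 0x8A
    	};

    	// Offsets — build-specific (4.3.4 / 15595); re-find them for any other build.
    	// Gratefully leached from:  http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/347720-wow-4-3-4-15595-info-dump-thread.html
    	const DWORD dwDescriptorOffset = 0xC;  // From Vandra.  Source:  http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/347720-wow-4-3-4-15595-info-dump-thread-4.html#post2248388
    	const DWORD CurMgrPointer = 0x9BE7E0;
    	const DWORD CurMgrOffset = 0x463C;
    	const DWORD NextObject = 0x3C;
    	const DWORD FirstObject = 0xC0;
    	const DWORD LocalGUID = 0xC8;
    	const DWORD dwObjectTypeOffset = 0x14;   // This value and the one below were dug out of replies in the info dump threads and are also in the gononono64 and zamba1587 guides.
    	const DWORD dwObjectGuidOffset = 0x30;

    	// Check to see if there is an instance running
    	HWND window = FindWindow(0, _T("World of Warcraft")); 
    	if (window == 0)
    	{ 
    		printf("Window not found! There doesn't appear to be an instance of WoW running.\n");
    		return -1; 
    	}

    	DWORD dwPID = 0;
    	GetWindowThreadProcessId(window, &dwPID);

    	// 0 means the module snapshot failed: the process could not be opened from
    	// this integrity level, or it is a 64-bit target read from a 32-bit build.
    	// The original used the 0 as a base and read from bogus addresses.
    	DWORD baseAddr = dwGetModuleBaseAddress(dwPID, _T("Wow.exe"));
    	if (dwPID == 0 || baseAddr == 0)
    	{
    		printf("Could not locate Wow.exe in process %lu.\n", dwPID);
    		return -1;
    	}

    	// Least privilege: reading needs only PROCESS_VM_READ.  The original also
    	// requested PROCESS_VM_WRITE|PROCESS_VM_OPERATION, which it never used.
    	HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, dwPID);
    	if (hProcess == NULL)
    	{
    		printf("OpenProcess failed with error code %lu\n", GetLastError());
    		return -1;
    	}
    	printf("Attached to process ID: %lu\n", dwPID);

    	// Locate the object manager: base+CurMgrPointer -> ptr, ptr+CurMgrOffset -> manager
    	DWORD dObjectManager = 0;
    	if (!ReadDword(hProcess, baseAddr + CurMgrPointer, &dObjectManager) ||
    	    !ReadDword(hProcess, dObjectManager + CurMgrOffset, &dObjectManager) ||
    	    dObjectManager == 0)
    	{
    		printf("Could not read the object manager pointer (offsets wrong for this build?).\n");
    		CloseHandle(hProcess);
    		return -1;
    	}
    	printf("Address of object manager: %x\n", dObjectManager);

    	// Get the GUID of the player.  This is 64bit so we read 8 bytes.
    	UINT64 playerGUID = 0;
    	if (!ReadQword(hProcess, dObjectManager + LocalGUID, &playerGUID) || playerGUID == 0)
    	{
    		printf("Could not read the local player GUID.\n");
    		CloseHandle(hProcess);
    		return -1;
    	}

    	// Find the player object by GUID search.  The walk stops on a null/odd
    	// pointer, a failed read or an out-of-range type (the original kept the
    	// same pointer after a failed read and could spin forever on it).
    	DWORD dPlayerObject = 0;
    	DWORD dReadObject = 0;
    	ReadDword(hProcess, dObjectManager + FirstObject, &dReadObject);
    	while (dReadObject != 0 && (dReadObject % 2) == 0)
    	{
    		DWORD dObjType = 0;
    		if (!ReadDword(hProcess, dReadObject + dwObjectTypeOffset, &dObjType) || dObjType == 0 || dObjType >= 8)
    			break;

    		UINT64 uObjGUID = 0;
    		if (ReadQword(hProcess, dReadObject + dwObjectGuidOffset, &uObjGUID) && uObjGUID == playerGUID)
    		{
    			dPlayerObject = dReadObject;
    			printf("Player object found.\n");
    			break;
    		}
    		if (!ReadDword(hProcess, dReadObject + NextObject, &dReadObject))
    			break;
    	}
    	if (dPlayerObject == 0)
    	{
    		printf("Player object not found.\n");
    		CloseHandle(hProcess);
    		return -1;
    	}

    	// Read the address for the descriptor belonging to the player object
    	DWORD dwPlayerDescrip = 0;
    	if (!ReadDword(hProcess, dPlayerObject + dwDescriptorOffset, &dwPlayerDescrip) || dwPlayerDescrip == 0)
    	{
    		printf("Could not read the player descriptor pointer.\n");
    		CloseHandle(hProcess);
    		return -1;
    	}

    	printf("Reading health and mana.  Press C to stop.\n");
    	while (1)
    	{
    		// Check for key press to abort
    		if (GetAsyncKeyState(0x43)) break;

    		// Each descriptor slot is one DWORD, hence index * sizeof(DWORD)
    		DWORD dwPlayerHealth = 0, dwPlayerMana = 0;
    		if (!ReadDword(hProcess, dwPlayerDescrip + UNIT_FIELD_HEALTH * sizeof(DWORD), &dwPlayerHealth) ||
    		    !ReadDword(hProcess, dwPlayerDescrip + UNIT_FIELD_POWER1 * sizeof(DWORD), &dwPlayerMana))
    		{
    			// The descriptor can go away (e.g. on a loading screen); stop rather than print garbage.
    			printf("Read failed; stopping.\n");
    			break;
    		}
    		printf("Player Health: %lu\n", dwPlayerHealth);
    		printf("Player Mana: %lu\n", dwPlayerMana);
    		Sleep(1000);
    	}

    	CloseHandle(hProcess);
    	return 0;
    }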
    This was written with Visual C++ Express using precompiled headers (hence the `#include "stdafx.h"`) and the Unicode character set, which is why the TCHAR/_T/_tmain forms are used. Build it as 32-bit (x86): pointers are read as 4 bytes and the module base is truncated to a DWORD, so it only works against a 32-bit client.

    You can do the same thing with the code I posted above; only main.cpp changes (header.h is unchanged):

    main.cpp
    Code:
    #include "header.h"
    
    // Process ID of the target (Wow.exe); resolved once in main().
    DWORD Pid = 0;
    // Load address of Wow.exe inside the target; every static offset is relative to it.
    uint BaseAddress = 0;
    
    // Static offsets into the client's object manager.  Build-specific (these
    // match the values cited from the 4.3.4 / 15595 info dump thread in post #8)
    // and must be re-found for any other client build.  All pointers are 32-bit.
    enum ObjectManager
    {
        CurMgrPointer = 0x9BE7E0,   // BaseAddress + this -> pointer read in Test()
        CurMgrOffset = 0x463C,      // that pointer + this -> the object manager
        FirstObject = 0xC0,         // object manager + this -> first object in the list
        NextObject = 0x3C,          // object + this -> next object; list ends at 0 / odd value
        LocalGUID = 0xC8,           // object manager + this -> local player's 64-bit GUID
    };
    
    // Descriptor slot indices for unit objects (same table as post #8).  Each
    // value is a slot into the descriptor block at object+0xC; a slot is 4 bytes,
    // so the byte offset is index * 4.  GUID-valued fields (CHARM, SUMMON, ...)
    // step by two slots, consistent with 64-bit GUIDs.  OBJECT_END is the size of
    // the common object header that precedes the unit fields.
    enum eUnitFields
    {
    	OBJECT_END = 0x8,
    	UNIT_FIELD_CHARM = OBJECT_END + 0x0,
    	UNIT_FIELD_SUMMON = OBJECT_END + 0x2,
    	UNIT_FIELD_CRITTER = OBJECT_END + 0x4,
    	UNIT_FIELD_CHARMEDBY = OBJECT_END + 0x6,
    	UNIT_FIELD_SUMMONEDBY = OBJECT_END + 0x8,
    	UNIT_FIELD_CREATEDBY = OBJECT_END + 0xA,
    	UNIT_FIELD_TARGET = OBJECT_END + 0xC,
    	UNIT_FIELD_CHANNEL_OBJECT = OBJECT_END + 0xE,
    	UNIT_CHANNEL_SPELL = OBJECT_END + 0x10,
    	UNIT_FIELD_BYTES_0 = OBJECT_END + 0x11,
    	UNIT_FIELD_HEALTH = OBJECT_END + 0x12,			// slot 0x1A -> byte offset 0x68
    	UNIT_FIELD_POWER1 = OBJECT_END + 0x13,			// A.K.A. Mana; slot 0x1B -> byte offset 0x6C
    	UNIT_FIELD_POWER2 = OBJECT_END + 0x14,
    	UNIT_FIELD_POWER3 = OBJECT_END + 0x15,
    	UNIT_FIELD_POWER4 = OBJECT_END + 0x16,
    	UNIT_FIELD_POWER5 = OBJECT_END + 0x17,
    	UNIT_FIELD_MAXHEALTH = OBJECT_END + 0x18,
    	UNIT_FIELD_MAXPOWER1 = OBJECT_END + 0x19,
    	UNIT_FIELD_MAXPOWER2 = OBJECT_END + 0x1A,
    	UNIT_FIELD_MAXPOWER3 = OBJECT_END + 0x1B,
    	UNIT_FIELD_MAXPOWER4 = OBJECT_END + 0x1C,
    	UNIT_FIELD_MAXPOWER5 = OBJECT_END + 0x1D,
    	UNIT_FIELD_POWER_REGEN_FLAT_MODIFIER = OBJECT_END + 0x1E,
    	UNIT_FIELD_POWER_REGEN_INTERRUPTED_FLAT_MODIFIER = OBJECT_END + 0x23,
    	UNIT_FIELD_LEVEL = OBJECT_END + 0x28,
    	UNIT_FIELD_FACTIONTEMPLATE = OBJECT_END + 0x29,
    	UNIT_VIRTUAL_ITEM_SLOT_ID = OBJECT_END + 0x2A,
    	UNIT_FIELD_FLAGS = OBJECT_END + 0x2D,
    	UNIT_FIELD_FLAGS_2 = OBJECT_END + 0x2E,
    	UNIT_FIELD_AURASTATE = OBJECT_END + 0x2F,
    	UNIT_FIELD_BASEATTACKTIME = OBJECT_END + 0x30,
    	UNIT_FIELD_RANGEDATTACKTIME = OBJECT_END + 0x32,
    	UNIT_FIELD_BOUNDINGRADIUS = OBJECT_END + 0x33,
    	UNIT_FIELD_COMBATREACH = OBJECT_END + 0x34,
    	UNIT_FIELD_DISPLAYID = OBJECT_END + 0x35,
    	UNIT_FIELD_NATIVEDISPLAYID = OBJECT_END + 0x36,
    	UNIT_FIELD_MOUNTDISPLAYID = OBJECT_END + 0x37,
    	UNIT_FIELD_MINDAMAGE = OBJECT_END + 0x38,
    	UNIT_FIELD_MAXDAMAGE = OBJECT_END + 0x39,
    	UNIT_FIELD_MINOFFHANDDAMAGE = OBJECT_END + 0x3A,
    	UNIT_FIELD_MAXOFFHANDDAMAGE = OBJECT_END + 0x3B,
    	UNIT_FIELD_BYTES_1 = OBJECT_END + 0x3C,
    	UNIT_FIELD_PETNUMBER = OBJECT_END + 0x3D,
    	UNIT_FIELD_PET_NAME_TIMESTAMP = OBJECT_END + 0x3E,
    	UNIT_FIELD_PETEXPERIENCE = OBJECT_END + 0x3F,
    	UNIT_FIELD_PETNEXTLEVELEXP = OBJECT_END + 0x40,
    	UNIT_DYNAMIC_FLAGS = OBJECT_END + 0x41,
    	UNIT_MOD_CAST_SPEED = OBJECT_END + 0x42,
    	UNIT_MOD_CAST_HASTE = OBJECT_END + 0x43,
    	UNIT_CREATED_BY_SPELL = OBJECT_END + 0x44,
    	UNIT_NPC_FLAGS = OBJECT_END + 0x45,
    	UNIT_NPC_EMOTESTATE = OBJECT_END + 0x46,
    	UNIT_FIELD_STAT0 = OBJECT_END + 0x47,
    	UNIT_FIELD_STAT1 = OBJECT_END + 0x48,
    	UNIT_FIELD_STAT2 = OBJECT_END + 0x49,
    	UNIT_FIELD_STAT3 = OBJECT_END + 0x4A,
    	UNIT_FIELD_STAT4 = OBJECT_END + 0x4B,
    	UNIT_FIELD_POSSTAT0 = OBJECT_END + 0x4C,
    	UNIT_FIELD_POSSTAT1 = OBJECT_END + 0x4D,
    	UNIT_FIELD_POSSTAT2 = OBJECT_END + 0x4E,
    	UNIT_FIELD_POSSTAT3 = OBJECT_END + 0x4F,
    	UNIT_FIELD_POSSTAT4 = OBJECT_END + 0x50,
    	UNIT_FIELD_NEGSTAT0 = OBJECT_END + 0x51,
    	UNIT_FIELD_NEGSTAT1 = OBJECT_END + 0x52,
    	UNIT_FIELD_NEGSTAT2 = OBJECT_END + 0x53,
    	UNIT_FIELD_NEGSTAT3 = OBJECT_END + 0x54,
    	UNIT_FIELD_NEGSTAT4 = OBJECT_END + 0x55,
    	UNIT_FIELD_RESISTANCES = OBJECT_END + 0x56,
    	UNIT_FIELD_RESISTANCEBUFFMODSPOSITIVE = OBJECT_END + 0x5D,
    	UNIT_FIELD_RESISTANCEBUFFMODSNEGATIVE = OBJECT_END + 0x64,
    	UNIT_FIELD_BASE_MANA = OBJECT_END + 0x6B,
    	UNIT_FIELD_BASE_HEALTH = OBJECT_END + 0x6C,
    	UNIT_FIELD_BYTES_2 = OBJECT_END + 0x6D,
    	UNIT_FIELD_ATTACK_POWER = OBJECT_END + 0x6E,
    	UNIT_FIELD_ATTACK_POWER_MOD_POS = OBJECT_END + 0x6F,
    	UNIT_FIELD_ATTACK_POWER_MOD_NEG = OBJECT_END + 0x70,
    	UNIT_FIELD_ATTACK_POWER_MULTIPLIER = OBJECT_END + 0x71,
    	UNIT_FIELD_RANGED_ATTACK_POWER = OBJECT_END + 0x72,
    	UNIT_FIELD_RANGED_ATTACK_POWER_MOD_POS = OBJECT_END + 0x73,
    	UNIT_FIELD_RANGED_ATTACK_POWER_MOD_NEG = OBJECT_END + 0x74,
    	UNIT_FIELD_RANGED_ATTACK_POWER_MULTIPLIER = OBJECT_END + 0x75,
    	UNIT_FIELD_MINRANGEDDAMAGE = OBJECT_END + 0x76,
    	UNIT_FIELD_MAXRANGEDDAMAGE = OBJECT_END + 0x77,
    	UNIT_FIELD_POWER_COST_MODIFIER = OBJECT_END + 0x78,
    	UNIT_FIELD_POWER_COST_MULTIPLIER = OBJECT_END + 0x7F,
    	UNIT_FIELD_MAXHEALTHMODIFIER = OBJECT_END + 0x86,
    	UNIT_FIELD_HOVERHEIGHT = OBJECT_END + 0x87,
    	UNIT_FIELD_MAXITEMLEVEL = OBJECT_END + 0x88,
    	UNIT_FIELD_PADDING = OBJECT_END + 0x89,
    	UNIT_END = OBJECT_END + 0x8A
    };
    
    
    
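    // Entry point: attaches to the running Wow.exe and prints the local player's
    // health and mana once a second (see Test()).  Returns 1 if the client is not
    // running or cannot be opened; otherwise loops until the process is killed.
    int main(int argc, char* argv[])
    {
    	Pid = GetPid("Wow.exe");
    	BaseAddress = GetBase("Wow.exe", Pid);
    	if (Pid == 0 || BaseAddress == 0)
    	{
    		// The original continued with pid/base 0 and read from bogus addresses.
    		printf("Wow.exe not found or not accessible (pid=%lu base=%X)\n", Pid, BaseAddress);
    		return 1;
    	}
    	// Throttle: every Test() pass opens the process once per read and clears
    	// the console, so an unthrottled loop burns a core and flickers.
    	while (1)
    	{
    		Test();
    		Sleep(1000);
    	}
    	return 0;
    }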
    
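    // Reads one 32-bit value from the target; 0 when the read fails.  The buffer
    // is zeroed before the call so a failure cannot leave a stale pointer behind
    // (the original would keep walking from the same object forever).
    static uint ReadU32(uint address)
    {
    	uint value = 0;
    	ReadProcMem((LPVOID)address, &value, 4);
    	return value;
    }

    // Reads one 64-bit value (GUIDs are 64-bit, so 8 bytes) the same way.
    static UINT64 ReadU64(uint address)
    {
    	UINT64 value = 0;
    	ReadProcMem((LPVOID)address, &value, 8);
    	return value;
    }

    // One pass: resolves the object manager, reads the local player's GUID, walks
    // the object list until the object with that GUID is found, and prints its
    // health and mana from the descriptor block.
    void Test()
    {
    	uint objMgr = ReadU32(BaseAddress + CurMgrPointer);
    	objMgr = ReadU32(objMgr + CurMgrOffset);
    	if (objMgr == 0)
    	{
    		printf("object manager not readable (offsets wrong for this build?)\n");
    		return;
    	}
    	UINT64 me = ReadU64(objMgr + LocalGUID);
    	if (me == 0)
    	{
    		printf("local player GUID not readable\n");
    		return;
    	}

    	// The list ends at a null or odd (unaligned) pointer.
    	uint ObjectPointer = ReadU32(objMgr + FirstObject);
    	while (ObjectPointer != 0 && ObjectPointer % 2 == 0)
    	{
    		UINT64 gID = ReadU64(ObjectPointer + 0x30);   // object GUID (object struct, not descriptor)
    		if (gID == me)
    		{
    			uint dsfp = ReadU32(ObjectPointer + 0xC);  // descriptor block; slots are 4 bytes
    			if (dsfp != 0)
    			{
    				uint Health = ReadU32(dsfp + (UNIT_FIELD_HEALTH * 4));
    				uint Mana = ReadU32(dsfp + (UNIT_FIELD_POWER1 * 4));
    				system("CLS");
    				printf("Health = %u Mana = %u", Health, Mana);
    			}
    			break;   // our GUID occurs once; no need to walk the rest of the list
    		}
    		ObjectPointer = ReadU32(ObjectPointer + NextObject);
    	}
    }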
    
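    // Copies iSize bytes at pAddress in the target process (global Pid) into pMem.
    // On any failure pMem is zero-filled, so a caller can never mistake a stale
    // value (e.g. a list pointer) for a successful read.
    //
    // Least privilege: a read needs only PROCESS_VM_READ.  The original also
    // requested PROCESS_VM_WRITE|PROCESS_VM_OPERATION and flipped the target page
    // to PAGE_EXECUTE_READWRITE before every read without ever restoring it —
    // unnecessary for reading, and it leaves the game's pages writable+executable.
    void ReadProcMem(void *pAddress, void *pMem, int iSize)
    {
    	if (pMem == NULL || iSize <= 0)
    		return;
    	ZeroMemory(pMem, iSize);

    	HANDLE hProc = OpenProcess(PROCESS_VM_READ, FALSE, Pid);
    	if (hProc == NULL)
    		return;   // original passed the NULL handle straight to ReadProcessMemory

    	SIZE_T cbRead = 0;
    	if (!ReadProcessMemory(hProc, pAddress, pMem, (SIZE_T)iSize, &cbRead) || cbRead != (SIZE_T)iSize)
    		ZeroMemory(pMem, iSize);   // partial read: discard it
    	CloseHandle(hProc);
    }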
    
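    // Returns the process ID of the first process whose image name equals procName
    // (strcmp: case-sensitive, so "Wow.exe" and "WoW.exe" differ), or 0 when the
    // snapshot fails or nothing matches.  The original never closed the snapshot
    // handle, leaking one per call.
    unsigned long GetPid(char *procName)
    {
       if (procName == NULL) return 0;

       HANDLE thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
       if (thSnapshot == INVALID_HANDLE_VALUE)
       {
          return 0;
       }

       unsigned long pid = 0;
       PROCESSENTRY32 pe = {0};
       pe.dwSize = sizeof(PROCESSENTRY32);
       for (BOOL more = Process32First(thSnapshot, &pe); more; more = Process32Next(thSnapshot, &pe))
       {
          if (strcmp(pe.szExeFile, procName) == 0)
          {
             pid = pe.th32ProcessID;
             break;
          }
          pe.dwSize = sizeof(PROCESSENTRY32);
       }
       CloseHandle(thSnapshot);
       return pid;
    }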
    
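    // Returns the load address of module DllName inside process tPid, or 0 if the
    // process or module cannot be found.  The value is truncated to 32 bits, so
    // this is only correct for a 32-bit target read by a 32-bit build of this tool
    // (every remote pointer here is read as 4 bytes).
    DWORD GetBase(char* DllName, DWORD tPid)
    {
        if (tPid == 0 || DllName == NULL) return 0;

        // The module snapshot returns INVALID_HANDLE_VALUE when the process cannot
        // be opened (e.g. higher integrity level, or a 64-bit target from a 32-bit
        // build); the original handed that value to Module32First and CloseHandle.
        HANDLE snapMod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, tPid);
        if (snapMod == INVALID_HANDLE_VALUE) return 0;

        DWORD base = 0;
        MODULEENTRY32 me32 = {0};
        me32.dwSize = sizeof(MODULEENTRY32);
        if (Module32First(snapMod, &me32))
        {
            do
            {
                if (strcmp(DllName, me32.szModule) == 0)
                {
                    base = (DWORD)(DWORD_PTR)me32.modBaseAddr;
                    break;
                }
            } while (Module32Next(snapMod, &me32));
        }
        CloseHandle(snapMod);
        return base;
    }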

    Yeah, I just wanted to start kinda from scratch to help learn all the parts and make sure I understood all the structures correctly. Thanks again for the code. It helped a lot. Reading the autoit code made me want to jump out of a window.
