CGObject_C vtable

[asdcxy]

i'm struggling with updating my vtable, because it seems they changed quite alot over the last year
this here is my vtable from 4.0.6a

Code:

class CGObject_C
{
public:
	//virtual void Function0();
	virtual void Function1();
	virtual void Function2();
	virtual void Function3();
	virtual void Function4();
	virtual void Function5();
	virtual void Function6();
	virtual void Function7();
	virtual void Function8();
	virtual void Function9();
	virtual void Function10();
	virtual void Function11();
	virtual void GetPosition(WoWPos* Position);
	virtual void Function13();
	virtual float GetFacing();
	virtual void Function15();
	virtual void Function16();
	virtual void Function17();
	virtual void Function18();
	virtual void Function19();
	virtual void Function20();
	virtual void Function21();
	virtual void Function22();
	virtual void Function23();
	virtual void Function24();
	virtual void Function25();
	virtual void Function26();
	virtual void Function27();
	virtual void Function28();
	virtual void Function29();
	virtual void Function30();
	virtual void Function31();
	virtual void Function32();
	virtual void Function33();
	virtual void Function34();
	virtual void Function35();
	virtual void Function36();
	virtual void Function37();
	virtual void Function38();
	virtual void Function39();
	virtual void Function40();
	virtual void Function41();
	virtual void Function42();
	virtual void Function43();
	virtual void Function44();
	virtual void Function45();
	virtual void OnRightClick();
	virtual void Function47();
	virtual void Function48();
	virtual void Function49();
	virtual void Function50();
	virtual void Function51();
	virtual void Function52();
	virtual void Function53();
	virtual void Function54();
	virtual void Function55();
	virtual void Function56();
	virtual char* GetObjectName();
	virtual void Function58();
	virtual void Function59();
	virtual void Function60();
	virtual void Function61();
	
	

	//virtual float GetScale();
	//BYTE unk4[10];				//	0004
	DWORD unk0;
	DWORD pDesc;
	BYTE unk12[2];
	int Type;					//	0014 [ 4 bytes ]
	BYTE unk18[0x30-0x18];		//  0018
	UINT64 GUID;						//	0030 [ 8 bytes ]

so far i figured out that it starts with
function0
getposition
function1
getfacing
the guid stayed at the same place and the type moved to somewhere else

it seems to me that the vtable offset in ida is around 92C2F8 (rebased), but where did getname() and onrightclick() go?
thanks for your help

[Empted]

My first thought is just copy func adresses post from dump thread (hail TOM_RUS), parse those and scan object's VMT to find matches. So it's here (not rebased), enjoy:

Code:

Function 0: adress=7FF3E0 name=CGObject_C::GetObjectDisplayTransportGUID
Function 1: adress=7FF3F0 name=CGObject_C::GetObjectDisplayPosition
Function 2: adress=7FF410 name=CGObject_C::GetObjectDisplayRawPosition
Function 3: adress=8B06B0 name=CGObject_C::GetObjectDisplaySmoothFacing
Function 4: adress=7FF430 name=CGObject_C::GetObjectDisplayMatrix
Function 5: adress=7FF450 name=CGObject_C::GetObjectDisplayTargetScale
Function 6: adress=7FF460 name=CGObject_C::GetObjectDisplayTargetModelScale
Function 7: adress=7FF470 name=CGObject_C::GetObjectDisplayBaseAlpha
Function 8: adress=7FF4F0 name=CGObject_C::GetObjectDisplayHeight
Function 9: adress=7FF480 name=CGObject_C::GetObjectDisplayName
Function 11: adress=835FA0 name=CGGameObject_C::CanObjectDisplayHighlight
Function 13: adress=8308A0 name=CGGameObject_C::IsObjectDisplayHighlightSuppress
ed
Function 14: adress=836060 name=CGGameObject_C::HandleObjectDisplayTrackChange
Function 16: adress=8308B0 name=CGGameObject_C::IsObjectDisplayLegalSelection
Function 17: adress=5D0220 name=Returns_False2
Function 18: adress=7FF490 name=CGObject_C::ShouldObjectDisplayRenderName
Function 19: adress=7FF4A0 name=CGObject_C::OnObjectDisplayNameVisibilityChanged

Function 20: adress=7FF4B0 name=CGObject_C::UpdateObjectDisplayNameString
Function 21: adress=7FF4C0 name=CGObject_C::GetObjectDisplaySelectionHighlightCo
lor
Function 22: adress=7FF4D0 name=CGObject_C::GetObjectDisplayNamePosition
Function 23: adress=83A890 name=CGGameObject_C::PostInit
Function 24: adress=83AA90 name=CGGameObject_C::Disable
Function 25: adress=834FF0 name=CGGameObject_C::Reenable
Function 26: adress=83AB30 name=CGGameObject_C::PostReenable
Function 28: adress=834D80 name=CGGameObject_C::UpdateWorldObject
Function 29: adress=AE0270 name=Returns_True
Function 31: adress=835EA0 name=CGGameObject_C::GetNamePosition
Function 42: adress=7FF3D0 name=CGObject_C::GetBaseAlpha
Function 44: adress=83A5E0 name=CGGameObject_C::GetRotation
Function 45: adress=8B02C0 name=CGObject_C::SetFrameOfReference
Function 51: adress=8351D0 name=CGGameObject_C::GetModelFileName
Function 55: adress=7FF1C0 name=CGObject_C::GetSelectionHighlightColor
Function 61: adress=830530 name=CGGameObject_C::ShouldRender
Function 65: adress=838760 name=CGGameObject_C::OnRightClick
Function 66: adress=8398F0 name=j_CGGameObject_C::OnRightClick
Function 73: adress=831C60 name=CGGameObject_C::GetName
Function 99: adress=41C4B0 name=Return_False

P.S.if you'll need to do same for Unit here is some code:

Code:

            uint VMT=ConsoleProgram.wow.ReadUInt(ObjectManager.GameObjectList.First().Value.BaseAddress);
            var reader=File.OpenText("tomrus.txt");
            var list = new List<string>();
            while (!reader.EndOfStream)
                list.Add(reader.ReadLine());
            var listPtr=new List<uint>();
            var listNames=new List<string>();
            foreach(string s in list)
            {
                uint utemp;
                string stemp;
                string[] splitted=s.Split(new string[]{"    "}, StringSplitOptions.None);
                var ci = new System.Globalization.CultureInfo("en-US");
                UInt32.TryParse(splitted[0], System.Globalization.NumberStyles.HexNumber, ci, out utemp);
                stemp = splitted[1];
                listPtr.Add(utemp-0x400000+(uint)ConsoleProgram.wow.MainModule.BaseAddress);
                listNames.Add(stemp);
            }
            for(uint i=0;i<100;i++)
            {
             uint ptr=ConsoleProgram.wow.ReadUInt(VMT+i*4);
             for(int j=0;j<listPtr.Count;j++)
                 if (ptr == listPtr[j]) 
                     Console.WriteLine("Function " + i.ToString() + ": adress=" + (listPtr[j]-(uint)ConsoleProgram.wow.MainModule.BaseAddress+0x400000).ToString("X") + " name=" + listNames[j]);
            }

[asdcxy]

this is already exactly what i asked for, the first code you posted is the vftable. thanks for your help
in which thread did you find it? i thought i looked through all threads

now the only question left is: where did type go? it isn't at 14 aymore
but i will check this later myself with cheatengine

[Empted]

That what i posted was generated by code below.
You'll find all you answers here ([WoW][5.0.5.16048] x86 Info Dump Thread). Same with object type (that is objectBase + 0x10). And use forum search, it's very helpful.
You are welcome

[asdcxy]

this one is wrong Function 51: adress=8351D0 name=CGGameObject_C::GetModelFileName
it's CGGameObject_C__CanInteract

i'm still trying to find CGGameObject_C__IsInInteractRange but no luck yet

[Empted]

this one is wrong Function 51: adress=8351D0 name=CGGameObject_C::GetModelFileName
it's CGGameObject_C__CanInteract

i'm still trying to find CGGameObject_C__IsInInteractRange but no luck yet

I'm sorry, but all those listed are fine. Just checked VMT 51:


P.S. I'll try to find out more virtual functions later.

[asdcxy]

0x8351D0 - 0x400000 = 0x4351D0

Code:

.text:004351D0                         CGGameObject_C__CanInteract proc near   ; DATA XREF: .rdata:00931834o
.text:004351D0
.text:004351D0                         arg_0           = dword ptr  8
.text:004351D0
.text:004351D0 55                                      push    ebp
.text:004351D1 8B EC                                   mov     ebp, esp
.text:004351D3 8B 81 D8 00 00 00                       mov     eax, [ecx+0D8h]
.text:004351D9 0F BE 40 2D                             movsx   eax, byte ptr [eax+2Dh]
.text:004351DD 83 C0 F5                                add     eax, 0FFFFFFF5h
.text:004351E0 83 F8 18                                cmp     eax, 18h        ; switch 25 cases
.text:004351E3 77 14                                   ja      short loc_4351F9 ; default
.text:004351E3                                                                 ; jumptable 008351EC cases 1,2,5-21,23
.text:004351E5 0F B6 90 18 52 43 00                    movzx   edx, ds:byte_435218[eax]
.text:004351EC FF 24 95 10 52 43 00                    jmp     ds:off_435210[edx*4] ; switch jump
.text:004351F3
.text:004351F3                         loc_4351F3:                             ; DATA XREF: .text:off_435210o
.text:004351F3 33 C0                                   xor     eax, eax        ; jumptable 008351EC cases 0,3,4,22,24
.text:004351F5 5D                                      pop     ebp
.text:004351F6 C2 04 00                                retn    4
.text:004351F9                         ; ---------------------------------------------------------------------------
.text:004351F9
.text:004351F9                         loc_4351F9:                             ; CODE XREF: CGGameObject_C__CanInteract+13j
.text:004351F9                                                                 ; CGGameObject_C__CanInteract+1Cj
.text:004351F9                                                                 ; DATA XREF: ...
.text:004351F9 E8 62 FF FF FF                          call    CWorld__ObjectCreate ; default
.text:004351F9                                                                 ; jumptable 008351EC cases 1,2,5-21,23
.text:004351FE 8B 4D 08                                mov     ecx, [ebp+arg_0]
.text:00435201 33 D2                                   xor     edx, edx
.text:00435203 85 C0                                   test    eax, eax
.text:00435205 0F 95 C2                                setnz   dl
.text:00435208 89 01                                   mov     [ecx], eax
.text:0043520A 8B C2                                   mov     eax, edx
.text:0043520C 5D                                      pop     ebp
.text:0043520D C2 04 00                                retn    4
.text:0043520D                         CGGameObject_C__CanInteract endp

this even matches exactly the caninteract function i used in 4.0.6

and it can't return a filename because it returns bool

Code:

bool __thiscall CGGameObject_C__CanInteract(int this, int a2)
{
  bool result; // eax@2
  int v3; // eax@3

  switch ( *(_BYTE *)(*(_DWORD *)(this + 216) + 45) )
  {
    case 11:
    case 14:
    case 15:
    case 33:
    case 35:
      result = 0;
      break;
    default:
      v3 = CWorld__ObjectCreate(this);
      *(_DWORD *)a2 = v3;
      result = v3 != 0;
      break;
  }
  return result;
}

[migtron]

This method has the signature bool CGGameObject_C::GetModelFileName(char** modelFileName) and returns the file name through the passed pointer. On success, it returns TRUE. Otherwise it returns FALSE. If you used this to check for interactability, you should have gotten some really odd results.

[asdcxy]

hmm, well i will have a look at this now and hoep to figure it out

at least the other problem solved, this is CGGameObject_C__IsInInteractRange:

Code:

int __thiscall sub_4305D0(int this)
{
  return (*(int (**)(void))(**(_DWORD **)(this + 436) + 32))();
}

who knows why it's not in the regular vftable...
does anybody know where this "other" vftable at 436 comes from?

[asdcxy]

caninteract should be 431CA0
somehow it returns true for death gates i cant use, but else it looks ok

[Empted]

Added more of functions to dump thread. Player VMT is most detailed, you'll probably find something there.