vftable(?) at [this + 436]

[asdcxy]

since i stumbled across this again i took a closer look at it and searched for more functions behind this offset, this is what i found

Code:

pattern: 8B 89 B4 01 00 00 8B 01 8B ? ? FF E2

int __thiscall sub_430570(int this)
{
  return (*(int (**)(void))(**(_DWORD **)(this + 436) + 60))();
}

int __thiscall sub_4305D0(int this)
{
  return (*(int (**)(void))(**(_DWORD **)(this + 436) + 32))();
}

int __thiscall CGGameObject_C__IsObjectDisplayHighlightSuppressed(int this)
{
  return (*(int (**)(void))(**(_DWORD **)(this + 436) + 16))();
}

char __thiscall sub_431CA0(int this)
{
  char result; // al@3

  if ( dword_C29D90 && *(_DWORD *)(dword_C29D90 + 48) )
    result = 1;
  else
    result = (*(int (**)(void))(**(_DWORD **)(this + 436) + 24))();
  return result;
}


pattern: 8B 89 B4 01 00 00 8B 01 8B ? ? ? ? ? FF E2

int __thiscall sub_43A660(int this)
{
  int result; // eax@2

  if ( *(_DWORD *)(this + 436) )
    result = (*(int (**)(void))(**(_DWORD **)(this + 436) + 132))();
  else
    result = 0;
  return result;
}

int __thiscall CGGameObject_C__CloseInteraction(int this)
{
  return (*(int (**)(void))(**(_DWORD **)(this + 436) + 152))();
}

does anybody know anything more about this? are there more functions i didn't find in ida yet? what are the functions doing behind this offset, why are they not in the regular vftable? (at least not all are in the regular vftable)

i was especially looking for IsInInteractRange (like if i'm near enough at a corpse to loot or at the auction master to talk with him) and CanInteract (like: is there loot in this corpse?) functions for the unit, the ones behind 436 only work for objects

[Apoc]

since i stumbled across this again i took a closer look at it and searched for more functions behind this offset, this is what i found

Code:

pattern: 8B 89 B4 01 00 00 8B 01 8B ? ? FF E2

int __thiscall sub_430570(int this)
{
  return (*(int (**)(void))(**(_DWORD **)(this + 436) + 60))();
}

int __thiscall sub_4305D0(int this)
{
  return (*(int (**)(void))(**(_DWORD **)(this + 436) + 32))();
}

int __thiscall CGGameObject_C__IsObjectDisplayHighlightSuppressed(int this)
{
  return (*(int (**)(void))(**(_DWORD **)(this + 436) + 16))();
}

char __thiscall sub_431CA0(int this)
{
  char result; // al@3

  if ( dword_C29D90 && *(_DWORD *)(dword_C29D90 + 48) )
    result = 1;
  else
    result = (*(int (**)(void))(**(_DWORD **)(this + 436) + 24))();
  return result;
}


pattern: 8B 89 B4 01 00 00 8B 01 8B ? ? ? ? ? FF E2

int __thiscall sub_43A660(int this)
{
  int result; // eax@2

  if ( *(_DWORD *)(this + 436) )
    result = (*(int (**)(void))(**(_DWORD **)(this + 436) + 132))();
  else
    result = 0;
  return result;
}

int __thiscall CGGameObject_C__CloseInteraction(int this)
{
  return (*(int (**)(void))(**(_DWORD **)(this + 436) + 152))();
}

does anybody know anything more about this? are there more functions i didn't find in ida yet? what are the functions doing behind this offset, why are they not in the regular vftable? (at least not all are in the regular vftable)

i was especially looking for IsInInteractRange (like if i'm near enough at a corpse to loot or at the auction master to talk with him) and CanInteract (like: is there loot in this corpse?) functions for the unit, the ones behind 436 only work for objects

GameObject->SubObject->SomeFunction()

It's just the SubObject

[Empted]

Hello. I couldn't find any InInteractRage, but as you are being so insisting (so even Apoc posted here ), so i decided to reverse some functions for you. That how it's done:

Code:

            float playerRad = ai.wow.ReadFloat(ai.wow.ReadUInt(ai.player.BaseAddress + 220) + 212);
            float corpseRad = ai.wow.ReadFloat(ai.wow.ReadUInt(npc.BaseAddress + 220) + 212 );
            float interactDistance = Math.Max(5.0f, playerRad + corpseRad + 1.3333334f );
            uint flags = ai.wow.ReadUInt(ai.wow.ReadUInt(npc.BaseAddress + 220) + 268);
            bool canBeLooted = (flags & 0x1) != 0;

What I should notice, that [[*+220]+212] is bounding range and [[*+220]+268] are dynamic flags.
Also as you can see, this is applied not to corpse object, but to dead unit object. You are welcome.

[asdcxy]

thanks for your efforts
but i'm 99% sure there is a function for it, because for objects it's there, too and it's needed to display the right mouse cursor
when i'm back home and have time for it i will try to follow the caninteract and ininteractrange from the object to the mouse cursor function they are being used at and then back to the unit function, maybe i will find something

[Empted]

You prefer to call function rather than just to do some math and mem read. So it's up to you.

P.S. i have no clue what's the benefit of calling functions and being injected when there is no need in it. Performance goes down this way.

[asdcxy]

right, that's the reason for me being injected

Code:

.rdata:00930E80 E0 37 43 00             off_930E80      dd offset sub_4337E0    ; DATA XREF: sub_432820+78o
.rdata:00930E84 40 D9 32 00                             dd offset Return_True
.rdata:00930E88 D0 FD 42 00                             dd offset sub_42FDD0
.rdata:00930E8C 60 14 43 00                             dd offset sub_431460
.rdata:00930E90 F0 52 85 00                             dd offset a3UlLeLam     ; "3++¦¦¦¦¦¦¦¦¦¦¦¦¦UïýïE\bïÇî"
.rdata:00930E94 00 62 43 00                             dd offset CGGameObject_C_SubObj__CanInteract
.rdata:00930E98 30 89 43 00                             dd offset sub_438930
.rdata:00930E9C F0 96 43 00                             dd offset sub_4396F0
.rdata:00930EA0 20 63 43 00                             dd offset CGGameObject_C_SubObj__IsInInteractRange
.rdata:00930EA4 70 AF 43 00                             dd offset sub_43AF70
.rdata:00930EA8 E0 2E 43 00                             dd offset sub_432EE0
.rdata:00930EAC B0 58 84 00                             dd offset nullsub_5
.rdata:00930EB0 E0 6A 43 00                             dd offset sub_436AE0
.rdata:00930EB4 70 30 43 00                             dd offset sub_433070
.rdata:00930EB8 10 60 78 00                             dd offset nullsub_3
.rdata:00930EBC D0 F3 3F 00                             dd offset CGObject_C__GetBaseAlpha
.rdata:00930EC0 F0 30 43 00                             dd offset sub_4330F0
.rdata:00930EC4 70 02 6E 00                             dd offset Returns_True
.rdata:00930EC8 B0 58 84 00                             dd offset nullsub_5
.rdata:00930ECC 30 6B 43 00                             dd offset sub_436B30
.rdata:00930ED0 00 8E 43 00                             dd offset sub_438E00
.rdata:00930ED4 60 8E 43 00                             dd offset sub_438E60
.rdata:00930ED8 20 13 43 00                             dd offset sub_431320
.rdata:00930EDC 60 0A 43 00                             dd offset CGObject_C__virtE4_0
.rdata:00930EE0 50 0A 43 00                             dd offset nullsub_2
.rdata:00930EE4 20 02 1D 00                             dd offset Returns_False2
.rdata:00930EE8 F0 52 85 00                             dd offset a3UlLeLam     ; "3++¦¦¦¦¦¦¦¦¦¦¦¦¦UïýïE\bïÇî"
.rdata:00930EEC 40 8D 43 00                             dd offset sub_438D40
.rdata:00930EF0 B0 58 84 00                             dd offset nullsub_5
.rdata:00930EF4 B0 58 84 00                             dd offset nullsub_5
.rdata:00930EF8 B0 58 84 00                             dd offset nullsub_5
.rdata:00930EFC 60 12 43 00                             dd offset sub_431260
.rdata:00930F00 D0 8D 43 00                             dd offset sub_438DD0
.rdata:00930F04 F0 52 85 00                             dd offset a3UlLeLam     ; "3++¦¦¦¦¦¦¦¦¦¦¦¦¦UïýïE\bïÇî"
.rdata:00930F08 50 0A 43 00                             dd offset nullsub_2
.rdata:00930F0C 20 42 0B 00                             dd offset nullsub_1
.rdata:00930F10 B0 58 84 00                             dd offset nullsub_5
.rdata:00930F14 B0 58 84 00                             dd offset nullsub_5
.rdata:00930F18 B0 58 84 00                             dd offset nullsub_5
.rdata:00930F1C 20 42 0B 00                             dd offset nullsub_1
.rdata:00930F20 70 0A 43 00                             dd offset sub_430A70
.rdata:00930F24 F0 52 85 00                             dd offset a3UlLeLam     ; "3++¦¦¦¦¦¦¦¦¦¦¦¦¦UïýïE\bïÇî"
.rdata:00930F28 80 0A 43 00                             dd offset sub_430A80
.rdata:00930F2C B0 58 84 00                             dd offset nullsub_5
.rdata:00930F30 90 FD 42 00                             dd offset sub_42FD90
.rdata:00930F34 00 00 00 00                             align 8

the vftable of this subobject, not many functions have names yet

[TOM_RUS]

Performance goes down this way.

Completely opposite. And a lot easier to do tons of things...

[Empted]

Completely opposite. And a lot easier to do tons of things...

Why then you use DBC pointers to get factions, area, item info, but not calling functions that can do it? and What about return value and synchronization?
edit: as I know each time you inject some code in process, you should suspend it for a while and if you, for example, will iterate throught mobs to find hostile one and call UnitReaction for each, this little suspend time will result in performance penalty. I'm wrong?

[asdcxy]

every time you inject, yes
but if you inject a dll you inject one time and you are done, after this no more interrupts

[Empted]

Not really. You still need to somehow trigger your code to execute. Like detour some function.

[asdcxy]

but this doesn't stop the game, it's just a jump to a different memory adress and after this back, so not much more than two assembler "jmp"s

[Empted]

This does stop the game, because you can't just write to executable section without suspending the thread. Also if you need to get return value, you should in some way place it in memory and signal for your bot application that it can read the result. If you don't do this, you probably just sleep some random time, enough long to get your code executed. In this way you make another time leak. Still i guess if all the bot implemented in WoW process (like gui is drawn ingame and so on) there is no problem then.

[asdcxy]

ipc is of course a different topic, but i don't need it, i have two buttons: inject, then the bot will start, uninject, then it stops, the other things it does alone
but if i wanted to have a gui i would write it in lua, that's more comfortable anyway

[TOM_RUS]

CGGameObject_C_TypeBase vtable functions (vtable at 0x00D303F0):

Code:

CGGameObject_C_TypeBase::~CGGameObject_C_TypeBase()
CGGameObject_C_TypeBase::CanBeSolid(void)
CGGameObject_C_TypeBase::ShouldFadeIn(void)
CGGameObject_C_TypeBase::CanHighlight(void)
CGGameObject_C_TypeBase::IsHighlightSuppressed(void)
CGGameObject_C_TypeBase::CanChangeCursor(void)
CGGameObject_C_TypeBase::CanUse(void)
CGGameObject_C_TypeBase::CanUseNow(GAME_ERROR_TYPE *,float *,char  const**)
CGGameObject_C_TypeBase::CheckRange(void)
CGGameObject_C_TypeBase::Use(void)
CGGameObject_C_TypeBase::OnUpdateFlags(uint)
CGGameObject_C_TypeBase::OnUpdateAnimProgress(void)
CGGameObject_C_TypeBase::UpdateState(int,int)
CGGameObject_C_TypeBase::Animate(float)
CGGameObject_C_TypeBase::ShouldRender(uint,int &,int &)
CGGameObject_C_TypeBase::GetBaseAlpha(void)
CGGameObject_C_TypeBase::HandleAnimEvent(uint,uint,C3Vector  const&,uint)
CGGameObject_C_TypeBase::HandleAnimInterrupted(void)
CGGameObject_C_TypeBase::HandleAnimFinished(void)
CGGameObject_C_TypeBase::ActivateDespawnAnim(void)
CGGameObject_C_TypeBase::ActivateOneShotAnim(GAMEOBJECT_ONESHOT_ANIM)
CGGameObject_C_TypeBase::ActivateCustomAnimKit(int,bool)
CGGameObject_C_TypeBase::DebugStatus(void)
CGGameObject_C_TypeBase::GetSpeed(void)
CGGameObject_C_TypeBase::AddPassenger(CPassenger *,int)
CGGameObject_C_TypeBase::IsPointInside(C3Vector  const&)
CGGameObject_C_TypeBase::GetMapObjectTransportID(void)
CGGameObject_C_TypeBase::PostInit(bool)
CGGameObject_C_TypeBase::PostInitWithStats(void)
CGGameObject_C_TypeBase::Reenable(void)
CGGameObject_C_TypeBase::Unk1(void)
CGGameObject_C_TypeBase::Disable(void)
CGGameObject_C_TypeBase::PostReenable(void)
CGGameObject_C_TypeBase::GetShipPath(void)
CGGameObject_C_TypeBase::UpdateMovement(ulong,uint)
CGGameObject_C_TypeBase::UpdateDisplay(TaggedTimeValue<World::SceneTimeMsTag>)
CGGameObject_C_TypeBase::ModelLoaded(void)
CGGameObject_C_TypeBase::StartInteraction(void)
CGGameObject_C_TypeBase::CloseInteraction(void)
CGGameObject_C_TypeBase::AddToolTipInfo(CGTooltip *)
CGGameObject_C_TypeBase::GetSequenceTimeFromRealTime(uint)
CGGameObject_C_TypeBase::GetTransportUpdateTime(void)
CGGameObject_C_TypeBase::GetInteractDistance(void)

additional functions available based on type of gameobject, for example for CGGameObject_C_Type_MapObjTransport you have 3 more (vtable at 0x00D31880):

Code:

CGGameObject_C_Type_WorldObj::UpdateDisplay(ulong)
CGGameObject_C_Type_WorldObj::CreateWorldObj(void)
CGGameObject_C_Type_WorldObj::DestroyWorldObj(void)

[Empted]

Opened 5.0.1 version for GetInteractRange. What it does:

Code:

  return *(float *)(base + 12);

That was funny.