I don't understand why you don't want to use IDA, your argument is invalid.
I don't understand what is wrong with the method of getting the list of objects that people have been using for years (objmgr, firstobject, nextobject offsets).
Nothing is wrong with it. But if I had to do it from scratch without this huge knowledge base, this is how I would do it. And it worked. Just trying something. My first time making a codecave that complex. Once I understand the linked list better, I'll find the static route for FirstObjectAddress. Until then I'm trying to learn the structure of the list myself, with comments from y'all. The goal is staticClientConnection + offset1 + offset2 = first object, but I can't do that atm without waiting for someone to post the offsets in an info dump. In the long run, my way isn't good, but to learn the structure of the linked list.. it's working :/
2 steps away from figuring out NextObject offset - for myself. -4:26am..
*black out the byte arrays cuz i'm not sure where guid is stored haha
edit: would be funny if i'm actually patching EnumVisibleObjects. not sure :P
I made a codecave (that actually did something) and got wow to run it. That's big to me. Someone could have maybe commented how I did my POPs wrong in the first post.. but no.. I looked at that damn asm for hours, and finally got it, and it works, and I'm happy. I crashed wow a dozen times but I finally got it working. Why are you still posting here? (Unless you have something nice to say...)
Last edited by abuckau907; 11-09-2012 at 09:02 AM.
Confirmed. Checked out the addresses; about 60 bytes in there are pointers to the addresses in my listbox. Coincidence? I think I just found NextObject offset.. excuse me, re-found*
I saw right away there were pointers at the very beginning of the structure, tried following them, but then I checked farther down the buffer for more pointers and voila, found some that were == to other objects' .baseaddress.
Cannon to kill a mosquito.*
edit: I think I saw 'unit type' in there at the beginning.. 04 for local player and 03 for the next few objects. hmm.. Next is guid and targetguid.
: obviously this is old news for the 1337.. maybe I should post it in the programming section? sorry?
[Solved] won't update further.
Last edited by abuckau907; 11-09-2012 at 10:18 AM.
Just a hint: you could overwrite the last - (length of retn) byte as a hook, so you know when the buffer has filled. At that moment you just read from start to last - (length of retn).
My humble opinion is just that it is way harder to do it this way. Also keep in mind that every patching of memory (in-process) is dangerous. There are tons of ways to detect it, like method hashing, call stack, a WriteProcessMemory hook and, last but not least, crashing on erroneous arguments (try-out), which could get you.
It is just that EndScene is impossible to detect (as a bot) because most things do it: Fraps, many other recording suites, XFire; I guess the G19 will use that too.
As long as you stay private with this, which you hereby made impossible because Blizzard is surfing here (Hey Blizzard), you could use this.
But keep in mind that as soon as they see this, they could securely ban you, as no legit application shall simply hook that.
To have some proof they can also verify you by your method, your "coding signature" etc.
If I were you, I would use as much out-of-process as possible, but as much in-process as necessary.
It is all the same with in-process reading. Nobody knows if their hooks aren't surveilled. If, for example, they would look for the passing of the "AntiAFKAddress" and then see that the hook is dynamically writing/reading out of it, they could get you.
Nobody knows (OK, they DO know that this isn't true, but it could happen anytime, maybe even _WHILE_ playing) if they don't just log your cave as soon as it changes and send it to Blizzard's analytics.
If you are interested I would moreover recommend having some fun with hooking WoW functions like TargetUnit. Useless but funny to be asked every time if the player should be able to target that unit.
Maybe you would even turn the tide (is that the correct English saying?) and surveil Blizzard :P How about hooking Warden itself and getting asked every time if it is allowed to ban you.
Doing this, keep in mind the blacklist of scanned addresses. Some people said writing to them results in an instant ban. Well, I tried on a trial account, and nothing except a crash happened. Then I wrote 0xC3, which is retn (if I remember right), and everything worked out well? Anyway, I would try not to rely on my findings!
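The post above lists "method hashing" as one way an in-process patch (a codecave, or a retn byte written over a function) gets detected. The following is an added example, not code from this thread or from any game or anti-cheat: it takes a baseline FNV-1a hash of a code region in 16-byte chunks, re-hashes later, and reports the offset of the first chunk that changed. The region is a constructed byte array standing in for a function's bytes, and the names (`region_guard_t`, `guard_init`, `guard_verify`, `demo_detect_patch`) are assumptions made for this example so it runs stand-alone.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: a minimal "method hashing" integrity check. The guarded
 * region here is a constructed array, not real game code. */

#define CHUNK_SIZE 16
#define MAX_CHUNKS 64

typedef struct {
    const uint8_t *base;          /* start of the guarded bytes */
    size_t len;                   /* length in bytes */
    size_t nchunks;               /* number of CHUNK_SIZE-byte chunks */
    uint64_t baseline[MAX_CHUNKS]; /* per-chunk hash taken at init */
} region_guard_t;

/* 64-bit FNV-1a over a byte range. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Length of chunk i; the last chunk may be shorter than CHUNK_SIZE. */
static size_t chunk_len(const region_guard_t *g, size_t i) {
    size_t off = i * CHUNK_SIZE;
    return (g->len - off < CHUNK_SIZE) ? g->len - off : CHUNK_SIZE;
}

/* Record the baseline hashes. Returns 0 on success, -1 if the region is
 * empty or larger than MAX_CHUNKS chunks. */
int guard_init(region_guard_t *g, const uint8_t *base, size_t len) {
    size_t n = (len + CHUNK_SIZE - 1) / CHUNK_SIZE;
    if (len == 0 || n > MAX_CHUNKS) return -1;
    g->base = base;
    g->len = len;
    g->nchunks = n;
    for (size_t i = 0; i < n; i++)
        g->baseline[i] = fnv1a64(base + i * CHUNK_SIZE, chunk_len(g, i));
    return 0;
}

/* Re-hash every chunk. Returns -1 if the region is intact, otherwise the
 * byte offset of the first chunk whose hash no longer matches. */
long guard_verify(const region_guard_t *g) {
    for (size_t i = 0; i < g->nchunks; i++) {
        uint64_t h = fnv1a64(g->base + i * CHUNK_SIZE, chunk_len(g, i));
        if (h != g->baseline[i]) return (long)(i * CHUNK_SIZE);
    }
    return -1;
}

/* Constructed sample: 40 bytes of filler standing in for a function body. */
static uint8_t fake_code[40];

/* Demo: baseline the region, confirm it verifies, then write 0xC3 (retn, as
 * the post mentions) over byte 35 and verify again.
 * Returns the offset of the changed chunk (32 here), -2 if init failed,
 * -3 if the untouched region failed to verify. */
long demo_detect_patch(void) {
    region_guard_t g;
    for (size_t i = 0; i < sizeof fake_code; i++)
        fake_code[i] = (uint8_t)(0x90 + (i & 7));   /* constructed filler bytes */
    if (guard_init(&g, fake_code, sizeof fake_code) != 0) return -2;
    if (guard_verify(&g) != -1) return -3;
    fake_code[35] = 0xC3;            /* simulated in-process patch */
    return guard_verify(&g);         /* byte 35 lies in the chunk at offset 32 */
}

int main(void) {
    long r = demo_detect_patch();
    if (r >= 0) printf("patch detected in chunk starting at offset %ld\n", r);
    else printf("no patch detected (%ld)\n", r);
    return 0;
}
```

Chunking is what makes the report useful: a single hash over the whole region only says "something changed", while per-chunk hashes localise the modification to a small window without keeping a full copy of the bytes around.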
He is offering a more known solution, don't be rude :P It's rare to see someone taking the time and explaining this nicely about IDA. However, it's nice to see you wanting to learn about all this from scratch.
I said I don't want to use IDA so you give me two more programs to use with it. Super. *******
Last edited by homer91; 11-09-2012 at 05:08 PM.
Well, I told him the way right from scratch: search the value with Cheat Engine and its cross-references, and browse the memory regions with IDA.
The irony is just that he said he has to wait for others to post their offsets in the dump thread, but doesn't want to be dependent on others regarding the IDB....
The irony is... ?
I had a semi-working bot, but had to wait for someone to post staticclientconnection each patch. The irony is... the irony is... the irony is... the irony is. *******
It's a pretty standard linked list. I'm not sure why you even need to use IDA to figure it out. CE, MHS, Olly, etc. will let you disasm the EnumObjects func. Plus, you can create a pattern to find the address yourself.
I mean, good job for trying a new method, but damn, you're going way out of your way to make it harder for yourself in the long run. (And slower)
"It's a pretty standard linked list" -- didn't know, now I do.
Yeah, agreed. I got rid of that code now actually; now I use FirstObjAddr = GetRegisterOnce(0x******, regName) where 0x**** is some function which uses localplayer.baseaddress in a register. Not perfect, for example if the wow window is minimized the codecave won't get run :P I only call it once on AttachToProcess(). Works well enough. Should find a static route, but I can update this myself every patch, maybe.
IDA - no, not needed for simply finding the list - but I thought it'd make learning the structs (basicObj, unit, player etc.) easier, but since I only use a very select few of the offsets anyway, CE and manually figuring it out works well enough so far.
Thanks Apoc.
found so far:
NextObject
Type
Guid
TargetGuid
health/energy/level
position
^^ That is enough to make a very, very basic bot. It can know all enemies near you, with health and level. Can't do complicated stuff, but enough for grinding. Thanks everyone.
Last edited by abuckau907; 11-12-2012 at 04:06 AM.
More info.
objmgrBasicObject has 2 pointers at the beginning of it. One is 'UnitFields'? Both point a static distance away from .baseAddress, so maybe basing offsets from UnitFields will require less offset updating, depending on which classes change in wow.
I could have, but it would require me to constantly poll from my .NET app to check if _memRead(codeCaveFilledMarkerLoc) != 0. But it would work. There are imperfections, and fixes, for both our solutions. Thanks for the tip.
@Apoc "CE, MHS, Olly, etc will let you disasm the EnumObjects func." -- true, I meant that I don't know how to *find the functions* except by setting breakpoints on memory locs where I think they *will probably access* and going from there --> I don't know enough about the compile process/compilers/OOP to even use tools like IDA to help me :/
I assume wow's compiler exports its structures into the .exe (standard compiler stuff?), so some of you are just reading the structure prototype from wow.exe to get your offsets for, like.. UnitObjs, PlayerObjs etc. But I don't know, or know what I need to learn.
Last edited by abuckau907; 11-13-2012 at 04:56 PM.