[WoW] [5.2.0 16650] x86 Info Dump Thread menu

  1. #31 guizmows (Banned)
    Quest info (cached data)

    Offsets (from struct start)
    Name : 0x5C
    ObjectiveText : 0x25C
    Description : 0xE14

    I'm still trying to find where QuestObjectives are stored. I guessed it was at 0x2DF4 or 0x2DF8, but it doesn't look correct.

    This struct is damn too big.

    Did anyone find them? It would help me a lot.
    Last edited by guizmows; 03-06-2013 at 06:42 PM.

  2. #32 doityourself (Elder)
    Originally Posted by culino2:
    Eh no, they're just implementing more and more Jam messages, and have been for a year or so. It's not that hard to write a wrapper class for Jam messages and reverse the structures; WoW does the rest for you.

    Here's a little example, I will not post my main wrapper class, but maybe you get the idea.
    Code:
    unit Jam.Example;
    
    interface
    
    uses
      WoWExt.JamMessage;
    
    type
      CJamExample = class(CJamMessage)
        private type
          // 5.2
          TJamCliSomeExample = packed record
            npc: UInt64;
            blablaId: Integer;
            unk: Integer;
          end;
        private
          FJamStruct: TJamCliSomeExample;
        public
          constructor Create();
          procedure Example(const npc: UInt64; blablaId: Integer);
      end;
    
    implementation
    
    uses
      WoWExt.Defines;
    
    constructor CJamExample.Create();
    begin
      inherited Create(Pointer(off_Jam_Construct_Example), Pointer(off_Jam_Destruct_MultiplePackets));
    end;
    
    procedure CJamExample.Example(const npc: UInt64; blablaId: Integer);
    begin
      FJamStruct.npc := npc;
      FJamStruct.blablaId:= blablaId;
      FJamStruct.unk := 1;
      SetStruct(FJamStruct, SizeOf(FJamStruct));
      Send(); // call clientservices::send
    end;
    
    end.
    A few technical details:

    - Every Jam message/packet has its own constructor, which I'm calling
    - I'm providing a buffer of 10 KB for the created class (which is more than enough)
    - The packet data begins at 0x10 in your buffer
    - I move my data into the right position. The structures can be easily reversed; I prefer the Jam put functions. Just search for the opcode and you'll find them. Since 5.2 you have to jump back to the vtable to find the rest of the put function - an easy step
    - Call ClientServices::Send with a pointer to your buffer to let WoW do the dirty work (calling the put function, sending the packet)

    No need to deal with the xor, bitpack crap.
    For wow emulators the bit shit is still needed...

  3. #33 culino2 (Elite User)
    Originally Posted by king48488:
    For wow emulators the bit shit is still needed...
    Yeah, sadly. I know that, just wanted to explain how to send packets. :P
    Hope it's still useful for packet lovers like me.
    Last edited by culino2; 03-06-2013 at 08:30 PM.

  4. #34 yellow82 (Member)
    Obj_DisplayID = 0x24 <== ok?

    I need it, please.

    solved

    curObject + Descriptor

    descript + 0x24 = displayid!
    Last edited by yellow82; 03-07-2013 at 06:56 AM.

  5. #35 -Ryuk- (Elite User)
    For those of you who have a battleground bot and used the method of writing the battleground ID to the "SelectedBattleground" offset (SelectedBattleground = 0xDAD10C (rebased)):

    It should be noted that you cannot just call "JoinBattlefield(0);" after writing to that address anymore!

    Instead you should pass the bgID to the lua function like this:

    Code:
    public static void JointBattlegroundQueue(BattleGroundID id)
    {
        GeneralHelper.Sorcery.Write<int>(GeneralHelper.Sorcery.BaseAddress + Patchables.Offsets.Battleground.SelectedBattleground, (int)id);
        Lua.ExecuteBuffer(string.Format("JoinBattlefield({0});", (int)id));
    }
    NOTE: I am still using the address so I can easily keep track of which BG I have selected, but Blizzard just keeps it at the Random bgID (32)! If you write to that address and then manually select Random Battleground, it's changed back to 32.

    Code:
    public enum BattleGroundID
    {
        AV = 1,
        AB = 3,
        WSG = 2,
        EOTS = 7,
        SOTA = 9,
        IOC = 30,
        TP = 108,
        BFG = 120,
        Random = 32,
        TK = 699,
        SM = 708,
        None = 0,
    }
    Last edited by -Ryuk-; 03-07-2013 at 07:20 AM.

  6. #36 Mr.Sergey (Contributor)
    sdq928,
    Code:
    $messs2 =_MemoryRead("0x" & Hex($WowBase + $debmess + 0x44 + $next), $WowProcess, "char[1000]")

  7. #37 2briards (Member)
    Originally Posted by VesperCore:
    From what I've got, it's not a typo, AURA_TABLE_1 && AURA_COUNT_2 are the same value.

    For people who are curious what has changed:

    v16357
    Code:
    int __thiscall CGUnit_C::GetAura(int this, unsigned int a2)
    {
      unsigned int v2; // edx@1
      int v3; // ecx@1
      unsigned int v4; // esi@2
      int v5; // eax@5
      int result; // eax@6
    
      v2 = *(_DWORD *)(this + 0x1088);     // AuraCount1 = 0x1088,
    
      v3 = this + 0xD88;                   // AuraTable1 = 0xd88,
      if ( v2 == -1 )
        v4 = *(_DWORD *)(v3 + 4);          // AuraCount2 = 0xd8c,
      else
        v4 = v2;
      if ( a2 >= v4 )
      {
        result = 0;
      }
      else
      {
        v5 = 48 * a2;
        if ( v2 == -1 )
          result = *(_DWORD *)(v3 + 8) + v5;    // AuraTable2 = (0xd90  == v3 + 8 + this)
        else
          result = v3 + v5;
      }
      return result;
    }
    v16650
    Code:
    int __thiscall CGUnit_C::GetAura(int this, unsigned int a2)
    {
      unsigned int v2; // edx@1
      int v3; // ecx@1
      unsigned int v4; // esi@2
      int v5; // eax@5
      int result; // eax@6
    
      v2 = *(_DWORD *)(this + 0x10C8);  // AuraCount1 = 0x10C8
      v3 = this + 0xDC8;                // AuraTable1 = 0xDC8
      if ( v2 == -1 )                
        v4 = *(_DWORD *)v3;             // AuraCount2 = (0xDC8 + this)
      else
        v4 = v2;
      if ( a2 >= v4 )
      {
        result = 0;
      }
      else
      {
        v5 = 48 * a2;
        if ( v2 == -1 )
          result = *(_DWORD *)(v3 + 4) + v5;  // AuraTable2 0xDCC == v3 + 4 
        else
          result = v3 + v5;
      }
      return result;
    }

  8. #38 Empted (Contributor)
    Some function names that are being scanned by Warden just at their start (from the push ebp opcode), with the scan length:
    Don't get caught
    Code:
    CGUnit_C::InitializeTrackingState        16
    FrameScript::InvalidPtrCheck             4
    Grunt::ClientLink::PackLogon             9
    Checksum                                 9
    CGGameUI::RegisterFrameFactories         5
    luaD_rawrunprotected                     9
    CGUnit_C::UpdateSwimmingStatus           9
    ChatFrame::AddMessage                    18
    CGWorldFrame::Render                     9
    Last edited by Empted; 03-07-2013 at 05:20 PM.
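    The kind of check the table above describes, written out as an added example (this is not code from the thread or from any anti-cheat): each entry names a function start, a scan length and a baseline digest taken from a trusted copy, and the verifier re-hashes the first N bytes and compares. The function images, the names Hypothetical::FuncA/FuncB, the scan lengths and the choice of FNV-1a as the hash are all constructed assumptions; only the idea (hash the prologue bytes from push ebp for a fixed length) comes from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example: prologue-integrity scan. Every byte and name below is constructed. */

#define PROLOGUE_MAX 32

struct scan_entry {
    const char *name;       /* hypothetical function name */
    const uint8_t *start;   /* address of the function's first byte (push ebp) */
    size_t length;          /* scan length, as in the post's table */
    uint32_t golden;        /* digest recorded from a trusted copy */
};

/* FNV-1a over the scanned bytes. The hash is an assumption for the demo;
 * a real checker would use a keyed or cryptographic digest. */
static uint32_t fnv1a32(const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Constructed "function" images: a typical x86 prologue followed by zero padding. */
static uint8_t func_a[PROLOGUE_MAX] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x56, 0x57, 0x8B, 0x75, 0x08 };
static uint8_t func_b[PROLOGUE_MAX] = { 0x55, 0x8B, 0xEC, 0x51, 0x53, 0x8B, 0x5D, 0x08, 0x33, 0xC0 };

/* Returns 1 when every scanned prologue still matches its baseline, 0 otherwise.
 * first_bad (may be NULL) receives the index of the first mismatching entry. */
int verify_prologues(const struct scan_entry *tbl, size_t n, size_t *first_bad) {
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].length > PROLOGUE_MAX) return 0;   /* refuse to over-read */
        if (fnv1a32(tbl[i].start, tbl[i].length) != tbl[i].golden) {
            if (first_bad) *first_bad = i;
            return 0;
        }
    }
    return 1;
}

/* Record baselines from the current (assumed trusted) images. */
static void record_golden(struct scan_entry *tbl, size_t n) {
    for (size_t i = 0; i < n; i++)
        tbl[i].golden = fnv1a32(tbl[i].start, tbl[i].length);
}

/* Demo scenario: take baselines, overwrite func_a's first five bytes with a
 * constructed E9 rel32 (the shape of an inline detour), re-verify, then restore.
 * Returns 1 when the clean scan passes and the patched scan flags entry 0. */
int demo_detects_patch(void) {
    uint8_t saved[PROLOGUE_MAX];
    struct scan_entry tbl[] = {
        { "Hypothetical::FuncA", func_a, 9, 0 },
        { "Hypothetical::FuncB", func_b, 4, 0 },
    };
    size_t n = sizeof tbl / sizeof tbl[0], bad = (size_t)-1;

    record_golden(tbl, n);
    int clean_before = verify_prologues(tbl, n, &bad);

    memcpy(saved, func_a, sizeof saved);
    const uint8_t jmp[5] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };  /* constructed patch bytes */
    memcpy(func_a, jmp, sizeof jmp);
    int clean_after = verify_prologues(tbl, n, &bad);
    memcpy(func_a, saved, sizeof saved);   /* restore so the demo is repeatable */

    return clean_before == 1 && clean_after == 0 && bad == 0;
}
```

    Two design points follow from the table in the post: only `length` bytes are compared, so the baseline lengths decide how much of each function the check actually covers, and the baseline has to be captured from a copy that is trusted (an unmodified image on disk or a clean process), otherwise the scan merely confirms whatever state it was first shown.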

  9. #39 tlvenn (Member)
    Has anyone taken a closer look at the cache entry structs (creature, guild, npc, gob, etc.)? It seems they have all been updated.

  10. #40 guizmows (Banned)
    I can confirm (see my previous post) that at least QuestCache has been heavily changed.

    I haven't finished updating my version,
