Thx Torpedoes!
I confirm, works perfectly.
Thank you for your work and your scan information, Torpedoes.
-Nico
Thanks Torpedoes, my hero <3
Seriously, people are still using PQR? Why?
Because they think it's safe when they use DynamoRIO. It might be, but I dare to say it's not!
"Threads should always commit suicide - they should never be murdered" - DirectX SDK
New Warden scan:
Code:
0x000D75CE 6 Bytes (lua_load)
My Youtube Vidoes: https://www.youtube.com/user/daCoderVids
OpenHack: https://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/384086-open-souce-project-wow-1-12-1-a.html
I don't see any kind of jmp in x64 memory. I'm not sure why it would differ unless you have hooked it (hehe)?
Edit: Actually, it's probably related to this (Warden upgrade! Be careful!!!).
Also, for those curious about what the 64-bit variant of Warden scans:
Code:
0x7c75d3 | 5 bytes -- CGGameUI::CanPerformAction
0x7c75f8 | 4 bytes -- CGGameUI::CanPerformAction
0xef8588 | 8 bytes -- Movement related?
0x1563f0 | 6 bytes -- lua_load
As you can see, they don't seem to care as much about the x64 side of things. This makes sense as most hacks are 32-bit and Blizzard likes to take a very targeted approach.
Last edited by Journey; 03-22-2014 at 01:48 AM.
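The scan lists posted above are of the form "N bytes at this address": the anti-cheat hashes or compares a handful of short code ranges against known-good values and reports any that changed. The following is an added example (not code from the thread or from Blizzard) of that integrity-check model in C: a constructed 64-byte "code image", a constructed scan list with hypothetical offsets, a baseline taken from the clean image, and a re-check after a byte changes. The second scenario shows the blind spot the post describes: a change that lands outside every scanned range is not noticed, which is why such lists are widened over time rather than left fixed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One scan request, "N bytes at this address", mirroring the posted
   "0x7c75d3 | 5 bytes" lines. Offsets below are constructed, not real. */
typedef struct {
    uint32_t offset;   /* offset into the monitored image (hypothetical) */
    uint32_t len;      /* number of bytes the scan covers */
    const char *note;  /* label, as in the posted list */
} scan_t;

#define IMAGE_LEN 64

/* FNV-1a 32-bit over a byte range: enough to notice a single changed byte. */
static uint32_t fnv1a32(const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Hash every scan range of the clean image into out[]; a range that falls
   outside the image is recorded as 0 and ignored by scan_check. */
void scan_baseline(const uint8_t *image, size_t image_len,
                   const scan_t *scans, size_t nscans, uint32_t *out) {
    for (size_t i = 0; i < nscans; i++) {
        if ((size_t)scans[i].offset + scans[i].len > image_len) { out[i] = 0; continue; }
        out[i] = fnv1a32(image + scans[i].offset, scans[i].len);
    }
}

/* Re-hash each range and return the index of the first one that no longer
   matches its baseline, or -1 if every scanned range is untouched. */
int scan_check(const uint8_t *image, size_t image_len,
               const scan_t *scans, size_t nscans, const uint32_t *baseline) {
    for (size_t i = 0; i < nscans; i++) {
        if ((size_t)scans[i].offset + scans[i].len > image_len) continue;
        if (fnv1a32(image + scans[i].offset, scans[i].len) != baseline[i]) return (int)i;
    }
    return -1;
}

/* Constructed scan list: two short code-byte ranges, like the posted list. */
static const scan_t kScans[] = {
    { 0x10, 5, "hypothetical: function prologue A" },
    { 0x20, 6, "hypothetical: function prologue B" },
};
#define NSCANS (sizeof kScans / sizeof kScans[0])

/* Fill a fake 64-byte "code image" with a fixed pattern (constructed data). */
void make_image(uint8_t *image) {
    for (int i = 0; i < IMAGE_LEN; i++) image[i] = (uint8_t)(0x90 + (i * 7 % 31));
}

/* Scenario 1: a byte inside a scanned range is changed.
   The check reports the index of that range (expected 0). */
int demo_patch_inside(void) {
    uint8_t image[IMAGE_LEN]; uint32_t base[NSCANS];
    make_image(image);
    scan_baseline(image, IMAGE_LEN, kScans, NSCANS, base);
    image[0x12] ^= 0xFF;                 /* simulate one modified instruction byte */
    return scan_check(image, IMAGE_LEN, kScans, NSCANS, base);
}

/* Scenario 2: a byte outside every scanned range is changed.
   The targeted scan does not notice it (expected -1): the blind spot of a
   fixed, narrow scan list. */
int demo_patch_outside(void) {
    uint8_t image[IMAGE_LEN]; uint32_t base[NSCANS];
    make_image(image);
    scan_baseline(image, IMAGE_LEN, kScans, NSCANS, base);
    image[0x30] ^= 0xFF;
    return scan_check(image, IMAGE_LEN, kScans, NSCANS, base);
}

int main(void) {
    printf("change inside a scanned range  -> range index %d\n", demo_patch_inside());
    printf("change outside scanned ranges  -> %d (not detected)\n", demo_patch_outside());
    return 0;
}
```

A real scanner would read the live process image instead of a constructed buffer, but the decision logic is the same: only bytes covered by a listed range can ever raise a report, so coverage of the list, not the hash, is what determines what gets caught.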
I made a bot to auto-login, select a realm and enter the world. I use the Script_GetText offset to read the current glue frame, but my client crashes. Is this offset correct?
Script_GetText = 0x8088A2,
Thank you for the link. Very interesting stuff, what they do. Seems like I got flagged for being active too long in the game. This will also mean that a basic Warden protection by sending back the original byte is not working, since they are hooking the functions and changing the values.
The address is correct, but I have no idea if this can read the login frame.
I usually use this code to get the current glue screen:
Code:
Hook.LuaDoString("currGlue=CURRENT_GLUE_SCREEN");
string frameName = Hook.GetScriptText("glueFrame");
First use LuaDoString, and then use the Script_GetText offset to read.
I haven't used my bot for about half a year; now it causes the client to crash with the new offset.
It's the functions below:
Code:
public static string GetScriptText(string variable)
{
    // Write variable in the allocated memory
    uint codeCave = Memory.AllocateMemory(Encoding.UTF8.GetBytes(variable).Length + 1);
    Memory.WriteBytes(codeCave, Encoding.UTF8.GetBytes(variable));
    String[] asm = new String[]
    {
        "push 0",
        "push -1",
        "mov edx, " + codeCave + "",
        "push edx",
        "call " + FrameScript_GetText,
        "add esp, 0Ch",
        "retn",
    };
    // get value
    string varResult = Encoding.ASCII.GetString(InjectAndExecuteReturn(asm));
    Memory.FreeMemory(codeCave);
    return varResult;
}

public static void LuaDoString(string command)
{
    // Allocate memory
    uint DoStringArg_Codecave = Memory.AllocateMemory(Encoding.UTF8.GetBytes(command).Length + 1);
    // Write value:
    Memory.WriteBytes(DoStringArg_Codecave, Encoding.UTF8.GetBytes(command));
    // Write the asm stuff for Lua_DoString
    // int __cdecl FrameScript_ExecuteBuffer(const char *a1, int a2, int a3)
    String[] asm = new String[]
    {
        "mov eax, " + DoStringArg_Codecave,
        "push 0",
        "push eax",
        "push eax",
        "mov eax, " + ((uint)Memory.BaseAddress + (uint)Lua_DoString), // Lua_DoString
        "call eax",
        "add esp, 0xC",
        "retn",
    };
    // Inject
    InjectAndExecute(asm);
    // Free memory allocated
    Memory.FreeMemory(DoStringArg_Codecave);
}
Last edited by sandra11; 03-27-2014 at 05:53 AM.
Seems like you need the offset for FrameScript_GetText, and you need one more value to be pushed.
Try this with the new offset.
Code:
FrameScript_GetText = 0x05139B;
FrameScript_GetText(token, ordinal, gender, 0);
Code:
"push 0",
"push 0",
"push -1",
"mov edx, " + codeCave + "",
"push edx",
"call " + FrameScript_GetText,
Yes, perfect!
With your new offset my bot is running now, and I didn't need to change any code.
2 reps given.
By the way, I am a newbie at this. Could you show me some tutorial on how I can find this offset in the next patch?
Thank you, I would like to give you 2 reps every day, very helpful!
Hi I'm new to reading stuff from memory but have made some decent progress. I'm stuck on reading unit auras and was wondering if anyone happens to have the aura table/count offsets? I've been poking around trying to find them but so far have only managed to find what I believe to be one of the count offsets on my own but am not having much luck beyond that.
Also, as a side note, I'm basing my aura access stuff on this ([WoW][5.0.4.16016] x86 Info Dump Thread). I assume the methodology for getting the auras is still the same as at the time of this post, since I haven't been able to find anything more recent than that.
Last edited by plaguedog32; 03-31-2014 at 02:06 PM.