Hey all,
Time to contribute some more of my lately gained knowledge

I know there is a thread just on the first page asking about this, but I think this post might be easier to find via search if it's actually a thread with a useful title.

(I'm not a native English speaker, so there will be a lot of typos and weird grammar/wording in this text. Sorry for that :P)
I dare to say click to move is the most used system (by bots) to move a toon in WoW. But a lot of people just copy the offset from the dump thread - and some of them aren't happy with that. They want to "learn" how to do this on their own.
In this tutorial I'll try to teach you how to actually find the CTM Struct as well as the CGPlayer_C__ClickToMove function.
In this tutorial, I'm using CheatEngine for runtime searching and IDA to look up the right function address from a given instruction offset. But you should easily be able to replace IDA with OllyDBG or any other disassembler.
First of all, a lot of stuff known today comes from those famous alpha builds which contained a shit ton of debug information. (<inBeforeShitstorm/> Lol) So there is some information you just have to accept as "given", like the Click To Move Type (13 => None, 4 = Walking, etc).
In order to find the CTM function (called CGPlayer_C__ClickToMove()) I go through 3 steps:
1. Finding the CTM Struct
Apoc has documented the CTM struct here (Click to Move - Explained). So I fired up Cheat Engine and searched for the value 13 (WoW should be running at this point, with a toon logged in!). Then I enable CTM and click anywhere far away, and while my toon is walking, I look for the value 4.
You may want to repeat this step until you have a single address left in the address list. In Build 18019 CTM.ActionType is located at wow.exe+0xD0EEBC.
When we take a look at the CTM Struct Apoc provided, we see that the struct is roughly 140 bytes in size.
Code:
using System.Runtime.InteropServices; // needed for MarshalAs

// Point is not defined in this snippet; the DestX-Z fields and the 140-byte
// total imply a struct of three floats (X, Y, Z).
public struct ClickToMoveInfoStruct
{
    public float InteractionDistance;
    private float Unknown3F;
    private float Unknown4F;
    public uint Timestamp;
    public uint ActionType;
    public ulong InteractGuid;
    /// <summary>
    /// Check == 2 (This might be some sort of flag?)
    /// Always 2 when using some form of CTM action. 0 otherwise.
    /// </summary>
    public uint IsClickToMoving;
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 21)]
    private uint[] Unknown6U;
    /// <summary>
    /// This will change in memory as WoW figures out where exactly we're going to stop. (Also the actual end location)
    /// </summary>
    public Point Dest;
    /// <summary>
    /// This is wherever we actually 'clicked' in game.
    /// </summary>
    public Point Click;
}
The ActionType we were searching for isn't the first value inside the struct. In fact, it's the 5th entry, located at StructBegin+((5-1)*4). Move the CTM Type address to your watched pointers and double-click the address (or right-click -> change record -> address). In the address field, write wow.exe+D0EEBC-10
Why 10? Because CheatEngine is using hex values for input and 10hex equals 16dec (4*4). This means the CTM Struct is located at wow.exe+D0EEAC
2. Validating the struct
Structs may change over time, due to added or removed features or whatever. Some of you might want to check if the struct provided by apoc is still valid.
To do this, we open the memory view for the struct location and click Tools -> Dissect Data/Structure. In the new window click Structures -> Define new structure. The name here is totally unimportant, so name it as you please. Cheat Engine will ask you if it should try to fill in the most basic types. Just say yes and give it a size of 140 (or more). I'm using 160, just to see if there is something behind it that we might miss.
We will now fill in all known types and names so we can verify they are still valid. You should get something like this:

If I'm not mistaken, everything still looks valid. Only the naming for "DestX-Z" might be a bit off... "CurrentX" is maybe a better name, but who cares about this value anyway?
3. The call!
Go back to the Cheat Engine main window and change the address of the CTM struct back to the CTM action type offset (18019: Wow.exe+D0EEBC).
Right-click that entry and click "find out what writes to this address". (This will attach a debugger to WoW, which requires administrator privileges!) The window should remain empty until you use CTM in WoW... so right-click on the ground and look what happens.
Your character should start to move and a single address pops up. When your toon reaches the clicked position, another write should pop up. The first write is the only one which really interests us, since the second one just "resets" the value once the CTM job is done.
So we click on the first entry and click on the button "show disassembler". The Memory view should pop up, showing the address where our action type gets modified, something like

Now open up IDA (or your favorite disassembler) and browse to this address in the "IDA view" (Jump -> Jump to address). Scroll to the top of the function. Congrats, you have found CGPlayer_C::ClickToMove at 0x420543 (Build 5.4.7.18019)
I hope this actually helps some of you
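
The offset arithmetic from steps 1 and 2, as an added example that is not part of the original post: it rebuilds the field offsets of the struct above with Python's struct module, derives the struct base from the ActionType address, and decodes a constructed 140-byte snapshot. It assumes Point is three 4-byte floats; the `pack` parameter is an addition that shows how aligning the 8-byte GUID to 8 instead of 4 shifts every later field by 4 bytes.

```python
import struct

# Field order from the struct in the post; Point is assumed to be three
# 4-byte floats (X, Y, Z), which is what makes the total come to 140 bytes.
FIELDS = [
    ("InteractionDistance", "f"), ("Unknown3F", "f"), ("Unknown4F", "f"),
    ("Timestamp", "I"), ("ActionType", "I"), ("InteractGuid", "Q"),
    ("IsClickToMoving", "I"), ("Unknown6U", "21I"),
    ("Dest", "3f"), ("Click", "3f"),
]

def layout(pack):
    """Return ({field: offset}, total size) for a given maximum alignment."""
    offsets, pos, widest = {}, 0, 1
    for name, fmt in FIELDS:
        align = min(struct.calcsize("<" + fmt[-1]), pack)
        widest = max(widest, align)
        pos = -(-pos // align) * align          # round up to the alignment
        offsets[name] = pos
        pos += struct.calcsize("<" + fmt)
    return offsets, -(-pos // widest) * widest  # include tail padding

def struct_base(field_addr, field, pack=4):
    """Address of the struct start, given the address of one of its fields."""
    return field_addr - layout(pack)[0][field]

def decode(buf, pack=4):
    """Decode a raw snapshot of the struct into {field: value}."""
    offsets, size = layout(pack)
    if len(buf) < size:
        raise ValueError(f"need {size} bytes, got {len(buf)}")
    out = {}
    for name, fmt in FIELDS:
        vals = struct.unpack_from("<" + fmt, buf, offsets[name])
        out[name] = vals[0] if len(vals) == 1 else vals
    return out

# Constructed snapshot (not real game data): ActionType 4, IsClickToMoving 2.
SAMPLE = struct.pack("<3f2IQI21I6f", 0.5, 0.0, 0.0, 123456, 4, 0, 2,
                     *[0] * 21, 10.0, 20.0, 30.0, 11.0, 21.0, 31.0)

if __name__ == "__main__":
    for pack in (4, 8):
        offs, size = layout(pack)
        print(pack, size, {k: hex(v) for k, v in offs.items()})
    print(hex(struct_base(0xD0EEBC, "ActionType")))
    print(decode(SAMPLE))
```

With 4-byte packing the layout matches the numbers in the post (140 bytes, ActionType at +0x10); with 8-byte alignment the size becomes 144 and Dest/Click no longer line up, which is worth checking when the dissected values look shifted.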
