ObjMgr nextObject offset

**derekman007** · 12-26-2014

Hey I am new to reversing and I am using IDA to find the object manager for build 6.0.3 19342.

Specifically I am unsure about how to find the next object offset from the current object.

After reading some threads about to how find the object manager I started to reverse the ClntObjMgrEnumVisibleObjects function.

I found that the ObjMgr is at wow base + 0xCB9068, the first object is at eax(ObjMgr) + 0x0D8. From other threads I gathered that the next object offset is
0x3C.

I am having trouble finding this from this function. If anyone could give me a suggestion on what to look into would be helpful. Also once I can loop over all objects is there some lua function I should look into which can give me insight into finding the descriptors offset and then health, power, etc offsets?

Here is my IDA text view with some comments:

Code:

.text:00657D20 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:00657D20
.text:00657D20 ; Attributes: bp-based frame
.text:00657D20
.text:00657D20 ClntObjMgrEnumVisibleObjects proc near  ; CODE XREF: sub_66B7F0+7p
.text:00657D20                                         ; sub_66DC7F+11p ...
.text:00657D20
.text:00657D20 arg_0           = dword ptr  8
.text:00657D20 arg_4           = dword ptr  0Ch
.text:00657D20
.text:00657D20                 push    ebp
.text:00657D21                 mov     ebp, esp
.text:00657D23                 mov     eax, curMgr
.text:00657D28                 mov     eax, [eax+0D8h] ; First Object
.text:00657D2E                 push    esi
.text:00657D2F                 push    edi
.text:00657D30                 xor     edi, edi
.text:00657D32                 inc     edi
.text:00657D33                 test    al, 1
.text:00657D35                 jnz     short loc_657D3B
.text:00657D37                 test    eax, eax
.text:00657D39                 jnz     short loc_657D3F ; Jump if Object is not null?
.text:00657D3B
.text:00657D3B loc_657D3B:                             ; CODE XREF: ClntObjMgrEnumVisibleObjects+15j
.text:00657D3B                 xor     ecx, ecx
.text:00657D3D                 jmp     short loc_657D41
.text:00657D3F ; ---------------------------------------------------------------------------
.text:00657D3F
.text:00657D3F loc_657D3F:                             ; CODE XREF: ClntObjMgrEnumVisibleObjects+19j
.text:00657D3F                 mov     ecx, eax        ; ecx contains address of first object?
.text:00657D41
.text:00657D41 loc_657D41:                             ; CODE XREF: ClntObjMgrEnumVisibleObjects+1Dj
.text:00657D41                                         ; ClntObjMgrEnumVisibleObjects+48j
.text:00657D41                 test    cl, 1
.text:00657D44                 jnz     short loc_657D6C
.text:00657D46                 test    ecx, ecx
.text:00657D48                 jz      short loc_657D6C
.text:00657D4A                 mov     eax, curMgr     ; Move ObjMgrPtr to eax
.text:00657D4F                 push    [ebp+arg_4]
.text:00657D52                 mov     eax, [eax+0D0h]
.text:00657D58                 mov     esi, [eax+ecx+4]
.text:00657D5C                 push    ecx
.text:00657D5D                 call    [ebp+arg_0]
.text:00657D60                 pop     ecx
.text:00657D61                 pop     ecx
.text:00657D62                 test    eax, eax
.text:00657D64                 jz      short loc_657D6A
.text:00657D66                 mov     ecx, esi
.text:00657D68                 jmp     short loc_657D41
.text:00657D6A ; ---------------------------------------------------------------------------
.text:00657D6A
.text:00657D6A loc_657D6A:                             ; CODE XREF: ClntObjMgrEnumVisibleObjects+44j
.text:00657D6A                 xor     edi, edi
.text:00657D6C
.text:00657D6C loc_657D6C:                             ; CODE XREF: ClntObjMgrEnumVisibleObjects+24j
.text:00657D6C                                         ; ClntObjMgrEnumVisibleObjects+28j
.text:00657D6C                 mov     eax, edi
.text:00657D6E                 pop     edi
.text:00657D6F                 pop     esi
.text:00657D70                 pop     ebp
.text:00657D71                 retn
.text:00657D71 ClntObjMgrEnumVisibleObjects endp

Thanks for your time.

**fvicaria** · 12-26-2014

Originally Posted by derekman007

Hey I am new to reversing and I am using IDA to find the object manager for build 6.0.3 19342.

Specifically I am unsure about how to find the next object offset from the current object.

After reading some threads about to how find the object manager I started to reverse the ClntObjMgrEnumVisibleObjects function.

I found that the ObjMgr is at wow base + 0xCB9068, the first object is at eax(ObjMgr) + 0x0D8. From other threads I gathered that the next object offset is
0x3C.

I am having trouble finding this from this function. If anyone could give me a suggestion on what to look into would be helpful. Also once I can loop over all objects is there some lua function I should look into which can give me insight into finding the descriptors offset and then health, power, etc offsets?

Here is my IDA text view with some comments:

Code:

.text:00657D20 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:00657D20
.text:00657D20 ; Attributes: bp-based frame
.text:00657D20
.text:00657D20 ClntObjMgrEnumVisibleObjects proc near  ; CODE XREF: sub_66B7F0+7p
.text:00657D20                                         ; sub_66DC7F+11p ...
.text:00657D20
.text:00657D20 arg_0           = dword ptr  8
.text:00657D20 arg_4           = dword ptr  0Ch
.text:00657D20
.text:00657D20                 push    ebp
.text:00657D21                 mov     ebp, esp
.text:00657D23                 mov     eax, curMgr
.text:00657D28                 mov     eax, [eax+0D8h] ; First Object
.text:00657D2E                 push    esi
.text:00657D2F                 push    edi
.text:00657D30                 xor     edi, edi
.text:00657D32                 inc     edi
.text:00657D33                 test    al, 1
.text:00657D35                 jnz     short loc_657D3B
.text:00657D37                 test    eax, eax
.text:00657D39                 jnz     short loc_657D3F ; Jump if Object is not null?
.text:00657D3B
.text:00657D3B loc_657D3B:                             ; CODE XREF: ClntObjMgrEnumVisibleObjects+15j
.text:00657D3B                 xor     ecx, ecx
.text:00657D3D                 jmp     short loc_657D41
.text:00657D3F ; ---------------------------------------------------------------------------
.text:00657D3F
.text:00657D3F loc_657D3F:                             ; CODE XREF: ClntObjMgrEnumVisibleObjects+19j
.text:00657D3F                 mov     ecx, eax        ; ecx contains address of first object?
.text:00657D41
.text:00657D41 loc_657D41:                             ; CODE XREF: ClntObjMgrEnumVisibleObjects+1Dj
.text:00657D41                                         ; ClntObjMgrEnumVisibleObjects+48j
.text:00657D41                 test    cl, 1
.text:00657D44                 jnz     short loc_657D6C
.text:00657D46                 test    ecx, ecx
.text:00657D48                 jz      short loc_657D6C
.text:00657D4A                 mov     eax, curMgr     ; Move ObjMgrPtr to eax
.text:00657D4F                 push    [ebp+arg_4]
.text:00657D52                 mov     eax, [eax+0D0h]
.text:00657D58                 mov     esi, [eax+ecx+4]
.text:00657D5C                 push    ecx
.text:00657D5D                 call    [ebp+arg_0]
.text:00657D60                 pop     ecx
.text:00657D61                 pop     ecx
.text:00657D62                 test    eax, eax
.text:00657D64                 jz      short loc_657D6A
.text:00657D66                 mov     ecx, esi
.text:00657D68                 jmp     short loc_657D41
.text:00657D6A ; ---------------------------------------------------------------------------
.text:00657D6A
.text:00657D6A loc_657D6A:                             ; CODE XREF: ClntObjMgrEnumVisibleObjects+44j
.text:00657D6A                 xor     edi, edi
.text:00657D6C
.text:00657D6C loc_657D6C:                             ; CODE XREF: ClntObjMgrEnumVisibleObjects+24j
.text:00657D6C                                         ; ClntObjMgrEnumVisibleObjects+28j
.text:00657D6C                 mov     eax, edi
.text:00657D6E                 pop     edi
.text:00657D6F                 pop     esi
.text:00657D70                 pop     ebp
.text:00657D71                 retn
.text:00657D71 ClntObjMgrEnumVisibleObjects endp

Thanks for your time.

You can find the next object offset by reversing ClntObjMgrEnumAllObjects but to save you time here it is: 0x3C

**TOM_RUS** · 12-26-2014

That specific function works like this:

Code:

BOOL __cdecl ClntObjMgrEnumVisibleObjects(int (__cdecl *callback)(_DWORD, _DWORD), void *param)
{
  int firstObj; // eax@1
  BOOL ret; // edi@1
  int curObj; // ecx@3
  int nextObj; // esi@7

  firstObj = *(_DWORD *)(s_objMgr + 0xD8);
  ret = 1;
  if ( !(firstObj & 1) && firstObj )
    curObj = *(_DWORD *)(s_objMgr + 0xD8);
  else
    curObj = 0;
  while ( !(curObj & 1) && curObj )
  {
    nextObj = *(_DWORD *)(*(_DWORD *)(s_objMgr + 0xD0) + curObj + 4);
    if ( !callback(curObj, param) )
      return 0;
    curObj = nextObj;
  }
  return ret;
}

As you can see next object is: [curObj + 4 + [s_objMgr + 0xD0]]. My guess that 0x3C offset comes from "4 + [s_objMgr + 0xD0]" part of this.

Shout-Out

User Tag List

Thread: ObjMgr nextObject offset

Thread Tools

Search Thread

ObjMgr nextObject offset

Similar Threads

WoW Offsets & WPE

Hiding offsets of proccess how ?

Swimming state offset

Enemy offsets

How do you find memory offsets in the game?

OwnedCore Forums

casino

CoreCoins

My OwnedCore

About Us

Casino