Morphing

[WiNiFiX]

I have been attempting to do basic morphing but think I am missing a step.
When I run the below code I get the mounts display ID of 43717 when i am on a "Black Dragon Turtle"
I then update the address value to 19478 which is a "Black Hawk Strider"

The memory value changes however, the ingame mount does not, any hints as to where I am going wrong.

Code:

IntPtr me = wow.Read<IntPtr>(new IntPtr(0xE379B0), true);
IntPtr descriptorBase = wow.Read<IntPtr>(me + 0x4, false);
int displayId = wow.Read<int>(descriptorBase + 0x1A8, false);  // This correctly shows the 43717

I then update the value to 19478            
wow.Write<int>(descriptorBase + 0x1A8, 19478, false);

and read it again and can confirm it updates correctly to 19478, however the mount does not change

[Corthezz]

Vanilla WoW has a function to update the display ID (taking a pointer to the object). I guess it is the same for retail

[aeo]

I asked this question a month ago or so you have to call the update function after changing the descriptor

[Filint]

Code:

CGUnit_C__UpdateDisplayInfo = 0x33D3C3
CGUnit_C__UpdateScale = 0x33B3E1

6.2.3.20779 32 bit, rebased. Untested but assumed correct. Call them after changing the values. I seem to remember they either take a guid or an object pointer as an argument. Can't be sure, reversing will certainly show you which.
Been a while since I dabbled in morphing so there may be more required.

A fantastic resource is l0l1dk's Just A Morpher (https://github.com/l0l1dk/Just-A-Morpher) you will find almost everything you need there

[WiNiFiX]

Thanks for the tips, but I have never successfully reversed fast-calls - is there a C# equivalent to it? (Keep in mind my bot is out of process)

Code:

void __fastcall Unit::CGUnit_C__UpdateDisplayInfo_Hook (size_t This, int, bool ForceUpdate)
{
    Unit Unit (This);

    if(DisplayIDs[Unit.GetGUID()])
    {
        Unit.SetDisplayID(DisplayIDs[Unit.GetGUID()]);
    }

    CGUnit_C__UpdateDisplayInfo_Trampoline(This, ForceUpdate);
}

I considered trying delegates but I have never gotten them to work from out-of-process, they seem to like being injected.

It would also help a lot of someone could generate some pseudo code for the function from IDA, my license expired for the De-compiler

[lolp1]

Thanks for the tips, but I have never successfully reversed fast-calls - is there a C# equivalent to it? (Keep in mind my bot is out of process)

What the hell? Fastcall is just a calling convention.. there is no reversing it or some unique c# fastcall.

I considered trying delegates but I have never gotten them to work from out-of-process, they seem to like being injected.

That is because they can not work if you are not injected. Your only option besides injecting a dll/hosting your app domain is to inject assembled asm code and create a remote thread to execute it, or apply a hook by writing out the assembly code manually.

[WiNiFiX]

@lolp thanks, regarding the first point - I meant "What is the C# equivalent to fastcall", I had the word reversing on my mind and it found its way into the sentence.
regarding point 2, that sux - assembler sux :P

[lolp1]

"What is the C# equivalent to fastcall"

It's just Fastcall. There is no special C# treatment. https://msdn.microsoft.com/en-us/library/k2b2ssfy.aspx

[danwins]

Morphing the mount requires its own function call:

not rebased

Code:

0073BB9A CGUnit_C__OnMountDisplayChanged

the function proto is something like this:

Code:

int __thiscall CGUnit_C__OnMountDisplayChanged(int this, int DisplayId)

also on a side note, theres actually a second method to morph unit scale instead of using CGUnit_C__UpdateScale found from the following function:

Code:

.text:0069887E CGObject_C__GetObjectDisplayHeight proc near
.text:0069887E                                         ; CODE XREF: CGObject_C__GetObjectDisplayHeight2j
.text:0069887E                                         ; sub_6D8318+39p
.text:0069887E
.text:0069887E var_4           = dword ptr -4
.text:0069887E
.text:0069887E                 push    ebp
.text:0069887F                 mov     ebp, esp
.text:00698881                 push    ecx
.text:00698882                 mov     eax, [ecx+100h]
.text:00698888                 test    eax, eax
.text:0069888A                 jz      short loc_698893
.text:0069888C                 movss   xmm0, dword ptr [eax+3Ch]
.text:00698891                 jmp     short loc_69889B
.text:00698893 ; ---------------------------------------------------------------------------
.text:00698893
.text:00698893 loc_698893:                             ; CODE XREF: CGObject_C__GetObjectDisplayHeight+Cj
.text:00698893                 movss   xmm0, ds:dword_F8FE94
.text:0069889B
.text:0069889B loc_69889B:                             ; CODE XREF: CGObject_C__GetObjectDisplayHeight+13j
.text:0069889B                 fld     dword ptr [ecx+0FCh]
.text:006988A1                 movss   [ebp+var_4], xmm0
.text:006988A6                 fmul    [ebp+var_4]
.text:006988A9                 leave
.text:006988AA                 retn
.text:006988AA CGObject_C__GetObjectDisplayHeight endp

simply writing to the value will change the player scale instantly (unlike the function which has a "grow" effect):

[WiNiFiX]

Thanks, and item morphing - do I also need to call an update or does it work like scale where it updates instantly?

[danwins]

the UpdateDisplayInfo function is used for model/items