WOW 3.3.5[12340] Teleport player menu

  1. #1 semar (Private)

    WOW 3.3.5[12340] Teleport player

    I'm writing my own telehack for the 3.3.5a version, but I have a little problem: it's working only sometimes.
    It looks like I'm often editing the wrong memory places.
    base+0x938B0C <- xpos in player struct
    Now on start my program searches RAM for every place where the value is the same as xpos from the player struct, and after that saves it in an array if the next two values are the same as the y and z values from the player struct. Often it doesn't work, because sometimes the editable value isn't the same as the pos from the player struct (sometimes x_struct is like 1000.22 but the editable value is 1000.21), so the program can't find it.
    Every time the program finds 7-20 places with the player pos but only one is editable (I'm trying to edit all of them every time I want to teleport).
    The question is how to find it faster? Any offsets?

    PS: Sorry for my English.
  2. #2 Millionarie (Member)
    Once upon a time, when the grass was greener and the trees were tall, I used a private teleport-gather-bot, which I made myself using the teleport method parsed from the public teleport hack AmultiHack.
    That was the time of WoW 3.3.3a-4.2.0. After 4.2.0 the teleport method was fixed.
    I've written a DLL, which was injected into the WoW process, then my bot called the Teleport function using CreateRemoteThread. If you want, I can post the asm file of my DLL here (3.3.5 WoW version).

  3. #3 Corthezz (Elite User, Authenticator enabled)
    Editing every address which stores the player coordinates isn't the best practice. You should really find a static way to access the x, y and z fields of the player object.

    Originally Posted by Millionarie
    If you want, I can post asm file of my dll here (3.3.5 wow version).
    Just do it.
    Check my blog: https://zzuks.blogspot.com

  4. #4 semar (Private)
    Originally Posted by Corthezz
    Editing every address which stores the player coordinates isnt the best practice
    I know, and sometimes it crashes the game and/or my program.

  5. #5 Millionarie (Member)
    Originally Posted by Corthezz
    Just do it
    Port.asm:
    Code:
    ; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
        include \masm32\include\masm32rt.inc
        ;Include \masm32\include\windows.inc
        ;Include \masm32\include\kernel32.inc
        ;Include \masm32\include\user32.inc
        ;IncludeLib \masm32\lib\kernel32.lib
        ;IncludeLib \masm32\lib\user32.lib
    ; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
    
    
    SetHook proto :dword,:dword,:dword
    ReplaceCall proto :dword,:dword,:dword
    
    wowproc1hook proto
    wowproc2hook proto
    wowproc3hook proto
    wowproc4hook proto
    wowproc5hook proto
    wowproc6hook proto
    wowproc7hook proto
    wowproc8hook proto
    wowproc9hook proto
    wowproc10hook proto
    
    endscenehook proto
    
    
        ; -------------------------------------------
        ; Build this DLL with the provided MAKEIT.BAT
        ; -------------------------------------------
    
    ;---- Addresses -------- 3.3.5
    
            wowproc1    equ 632B50h ;new 335
            wowproc2    equ 5FA170h ;new
            wowproc3    equ 7E2C30h ;new
            wowproc4    equ 5FAC83h ;new
            wowproc5    equ 682A00h ;new
            wowproc7    equ 6F1490h ;new
            wowproc8    equ 73C8E0h ;new
            wowproc9    equ 740D30h ;new
            wowproc10   equ 6F09F0h ;new
            wowproc10jmp equ 6F0AB2h ;new
    
            wowsendpacket   equ 76DD00h ;new 335
            wowtickcount    equ 86AE20h ;new 335
            wowgetpacketstruct equ 74B330h ;new 335
    
            wowattachstate equ 0BD0792h ;new 335
    
    
            CurMgrPtr   equ 00C79CE0h ;new 335
            CurMgrOfs   equ 00002ED0h ;new 335
    
            TLSMainTable    equ 08h ;new 335
    
            VFinteract  equ 44
    
            pDevicePtr_1    equ 00C5DF88h ;new 335
            pDevicePtr_2    equ 397Ch
            oEndScene       equ 00A8h
            ;So d3d9.dll - EndScene RVA 412Ch (base 68D20000h)
    
    	  retaddr1 equ 5FBFD9h ;335
    	  retaddr2 equ 5FC08Fh ;335
    	  
    	  
    	  magicoff0 equ 9E0E24h
    	  magicoff05 equ 0CA1238h
    	  magicoff1 equ 0C79CF4h
    
    ;---- and phone numbers ---
    
          .data?
            hInstance dd ?        
    
            wowproc1old dq  ?
            wowproc2old dq  ?
            wowproc3old dq  ?
            wowproc4old dq  ?
            wowproc5old dq  ?
            wowproc7old dq  ?
            wowproc8old dq  ?
            wowproc9old dq  ?
            wowproc10old dq  ?
            wowproc10jmpold dq  ?
            endsceneold  dq ?
            
            endsceneaddr dd ?
    
    
            ;---
            somepacketid    dd  ?
            packetsleft     dd  ?        
            ;---
    
    
          .data
    
            PacketDistance  dd  3.5
            PacketDelay     dd  20
            TelDoneWait     dd  50
            currspeed       dd  1.0
    
            standartspeed   dd 7.0 
          
            teleportflag    dd  0
            playerbase      dd  0
    
            counter1        dd  0
            counter2        dd  0
            counter3        dd  0
    
            packettimer1    dd  0
            packettimer2    dd  0
    
            objbase         dd  0
            
            
            ;====DEBUG vars===
            File	db 'c:\amulti.log',0
            hFile	dd 0
            buffindx	dd 0
            maxbuff	equ 512
            buff	    db  maxbuff*4 dup (0)
            ;==================
    
          .code
    
    ; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
    
    LibMain proc instance:DWORD,reason:DWORD,unused:DWORD 
    
        ;int 3
    
        .if reason == DLL_PROCESS_ATTACH
    
          mov   eax, offset Teleport
          mov   eax, offset StopFall
          ;mov   eax, offset Interact
          mov   eax, offset teleportflag
          mov   eax, offset packetsleft
          mov   eax, offset objbase
    
          mrm hInstance, instance       ; copy local to global
    
          push  hInstance
          call  DisableThreadLibraryCalls
          
          call	getsomepacketid
    	mov	somepacketid, eax
          call  SetHooks
    
    	mov	eax, wowattachstate
    	cmp	byte ptr [eax],	0
    	jz	short locret_4482BB
    	call	getplayerbase
    	mov	playerbase, eax
    
    locret_4482BB:
    
    	;;---DEBUG
    		call CreateLog
    	;;---
          
          mov eax, TRUE                 ; return TRUE so DLL will start
    
        .elseif reason == DLL_PROCESS_DETACH
    
    	;;---DEBUG
    		call WriteLog
    		call CloseLog
    	;;---
    
        .elseif reason == DLL_THREAD_ATTACH
    
        .elseif reason == DLL_THREAD_DETACH
    
        .endif
    
        ret
    
    LibMain endp
    
    SetHooks proc
    
        Invoke  SetHook,(wowproc1 + 1),offset wowproc1hook,offset wowproc1old
        Invoke  SetHook,(wowproc2 + 1),offset wowproc2hook,offset wowproc2old
        Invoke  SetHook,(wowproc3 - 1),offset wowproc3hook,offset wowproc3old
        Invoke  SetHook,(wowproc4 - 1),offset wowproc4hook,offset wowproc4old
        Invoke  SetHook,(wowproc5 + 1),offset wowproc5hook,offset wowproc5old
        Invoke  SetHook,(wowproc7 + 1),offset wowproc7hook,offset wowproc7old
        Invoke  SetHook,(wowproc8 + 1),offset wowproc8hook,offset wowproc8old
        Invoke  SetHook,(wowproc9 + 1),offset wowproc9hook,offset wowproc9old
        Invoke  SetHook,(wowproc10 + 1),offset wowproc10hook,offset wowproc10old
    
        Invoke  SetHook,(wowproc10 + 2Bh), wowproc10jmp, offset wowproc10jmpold
    
        db  8Bh, 0Dh
        dd  pDevicePtr_1 ;mov     ecx, dword ptr [pDevicePtr_1] ;kiss my ass, you crippled MASM
        
        mov     ecx, [ecx + pDevicePtr_2]
        mov     ecx, [ecx]
        mov     ecx, [ecx + oEndScene] ;;;;;4*42
        mov     endsceneaddr, ecx
        add     ecx, 2
        Invoke  SetHook, ecx, offset endscenehook, offset endsceneold
    
        ret
        
    SetHooks endp
    
    
    ; -------------------------------------------
    
    
    getsomepacketid proc
        var_118		= dword	ptr -118h
        var_114		= dword	ptr -114h
        var_110		= dword	ptr -110h
        var_10C		= dword	ptr -10Ch
        var_108		= dword	ptr -108h
        var_104		= dword	ptr -104h
        var_100		= byte      ptr -100h
    
    		sub   esp, 118h
    		mov	[esp+118h+var_118], magicoff0 ;
    		lea	eax, [esp+118h+var_100]
    		mov	[esp+118h+var_114], eax
    		mov	[esp+118h+var_10C], 100h
    		xor	eax, eax
    		mov	[esp+118h+var_110], eax
    		xor	eax, eax
    		mov	[esp+118h+var_104], eax
    		xor	eax, eax
    		mov	[esp+118h+var_108], eax
    		push	magicoff05 ;new
    		lea	eax, [esp+11Ch+var_118]
    		push	eax
    		mov	eax, wowsendpacket
    		call	eax
    		add	esp, 8
    		mov	eax, [esp+118h+var_108]
    		add	esp, 118h
    		retn
    
    getsomepacketid endp
    
    sendmovpacket	proc near		; CODE XREF: StartAddress+12Fp
    var_124		= dword	ptr -124h
    var_120		= dword	ptr -120h
    var_11C		= dword	ptr -11Ch
    var_118		= byte ptr -118h
    var_100		= byte ptr -100h
    
    		push	ebx
    		push	esi
    		push	edi
    		add	esp, -124h
    		mov	esi, ecx
    		lea	edi, [esp+124h+var_124]
    		movsd
    		movsd
    		movsd
    		mov	edi, edx
    		mov	esi, eax
    		lea	ebx, [esp+124h+var_118]
    		mov	dword ptr [ebx], magicoff0 ;; magic offset 0
    		lea	eax, [esp+124h+var_100]
    		mov	[ebx+4], eax
    		mov	dword ptr [ebx+0Ch], 100h
    		xor	eax, eax
    		mov	[ebx+8], eax
    		xor	eax, eax
    		mov	[ebx+14h], eax
    		xor	eax, eax
    		mov	[ebx+10h], eax
    		lea	eax, [esp+eax+124h+var_100]
    		mov	[eax], esi
    		add	dword ptr [ebx+10h], 4
    		push	magicoff05 ;;magic offset 0.5
    		push	ebx
    		mov	eax, wowsendpacket
    		call	eax
    		add	esp, 8
    		cmp	esi, 0B7h
    		jnz	short loc_44312C
    		xor	eax, eax
    		jmp	short loc_443131
    ; -----
    
    loc_44312C:				; CODE XREF: sendmovpacket+5Ej
    		mov	eax, 1
    
    loc_443131:				; CODE XREF: sendmovpacket+62j
    		mov	edx, [ebx+10h]
    		lea	edx, [esp+edx+124h+var_100]
    		mov	[edx], eax
    		add	dword ptr [ebx+10h], 4
    		mov	eax, [ebx+10h]
    		lea	eax, [esp+eax+124h+var_100]
    		mov	word ptr [eax],	0
    		add	dword ptr [ebx+10h], 2
    		mov	eax, [ebx+10h]
    		lea	eax, [esp+eax+124h+var_100]
    		mov	[eax], edi
    		add	dword ptr [ebx+10h], 4
    		mov	eax, [ebx+10h]
    		lea	eax, [esp+eax+124h+var_100]
    		mov	edx, [esp+124h+var_124]
    		mov	[eax], edx
    		add	dword ptr [ebx+10h], 4
    		mov	eax, [ebx+10h]
    		lea	eax, [esp+eax+124h+var_100]
    		mov	edx, [esp+124h+var_120]
    		mov	[eax], edx
    		add	dword ptr [ebx+10h], 4
    		mov	eax, [ebx+10h]
    		lea	eax, [esp+eax+124h+var_100]
    		mov	edx, [esp+124h+var_11C]
    		mov	[eax], edx
    		add	dword ptr [ebx+10h], 4
    		mov	eax, [ebx+10h]
    		lea	eax, [esp+eax+124h+var_100]
    		xor	edx, edx
    		mov	[eax], edx
    		add	dword ptr [ebx+10h], 4
    		mov	eax, [ebx+10h]
    		lea	eax, [esp+eax+124h+var_100]
    		xor	edx, edx
    		mov	[eax], edx
    		add	dword ptr [ebx+10h], 4
    		push	ebx
    		mov	eax, magicoff1 ;;magic offset 1
    		mov	ecx, [eax]
    		xor	edx, edx
    		xor	eax, eax
    		call	wowproc1org
    		add	esp, 124h
    		pop	edi
    		pop	esi
    		pop	ebx
    		retn
    sendmovpacket	endp
    
    sendfallpacket proc
    var_11C		= byte ptr -11Ch
    var_1C		= byte ptr -1Ch
    var_4		= dword	ptr -4
    arg_0		= dword	ptr  8
    arg_4		= dword	ptr  0Ch
    arg_8		= dword	ptr  10h
    arg_C		= dword	ptr  14h
    arg_10		= dword	ptr  18h
    
    		push	ebp
    		mov	ebp, esp
    		add	esp, 0FFFFFEE4h
    		push	ebx
    		push	esi
    		mov	[ebp+var_4], ecx
    		mov	esi, edx
    		lea	ebx, [ebp+var_1C]
    		mov	dword ptr [ebx], magicoff0
    		lea	edx, [ebp+var_11C]
    		mov	[ebx+4], edx
    		mov	dword ptr [ebx+0Ch], 100h
    		xor	edx, edx
    		mov	[ebx+8], edx
    		xor	edx, edx
    		mov	[ebx+14h], edx
    		xor	edx, edx
    		mov	[ebx+10h], edx
    		lea	edx, [ebp+edx+var_11C]
    		mov	[edx], eax
    		add	dword ptr [ebx+10h], 4
    		push	magicoff05
    		push	ebx
    		mov	eax, wowsendpacket
    		call	eax
    		add	esp, 8
    		mov	eax, [ebx+10h]
    		lea	eax, [ebp+eax+var_11C]
    		mov	[eax], esi
    		add	dword ptr [ebx+10h], 4
    		mov	eax, [ebx+10h]
    		lea	eax, [ebp+eax+var_11C]
    		mov	word ptr [eax],	0
    		add	dword ptr [ebx+10h], 2
    		mov	eax, [ebx+10h]
    		lea	eax, [ebp+eax+var_11C]
    		mov	edx, [ebp+var_4]
    		mov	[eax], edx
    		add	dword ptr [ebx+10h], 4
    		mov	eax, [ebx+10h]
    		lea	eax, [ebp+eax+var_11C]
    		mov	edx, [ebp+arg_10]
    		mov	[eax], edx
    		add	dword ptr [ebx+10h], 4
    		mov	eax, [ebx+10h]
    		lea	eax, [ebp+eax+var_11C]
    		mov	edx, [ebp+arg_C]
    		mov	[eax], edx
    		add	dword ptr [ebx+10h], 4
    		mov	eax, [ebx+10h]
    		lea	eax, [ebp+eax+var_11C]
    		mov	edx, [ebp+arg_8]
    		mov	[eax], edx
    		add	dword ptr [ebx+10h], 4
    		mov	eax, [ebx+10h]
    		lea	eax, [ebp+eax+var_11C]
    		mov	edx, [ebp+arg_4]
    		mov	[eax], edx
    		add	dword ptr [ebx+10h], 4
    		mov	eax, [ebx+10h]
    		lea	eax, [ebp+eax+var_11C]
    		mov	edx, [ebp+arg_0]
    		mov	[eax], edx
    		add	dword ptr [ebx+10h], 4
    		push	ebx
    		mov	eax, magicoff1
    		mov	ecx, [eax]
    		xor	edx, edx
    		xor	eax, eax
    		call	wowproc1org
    		pop	esi
    		pop	ebx
    		mov	esp, ebp
    		pop	ebp
    		retn	14h
    
    sendfallpacket endp
    
    
    getplayerbase	proc near		; CODE XREF: .text:004482AEp
    					; sub_448324+73p
    
                ASSUME FS:NOTHING
                mov     eax, fs:[2Ch]
                mov     eax, [eax]
                mov	  eax, [eax + TLSMainTable]
                test    eax, eax
                jz    @@achtung
    		mov	eax, 0CD87A8h ;;magic offset
    		mov	eax, [eax]
                test  eax, eax
                jz    @@achtung
    		add	eax, 34h      ;;magic little offset
    		mov	eax, [eax]
                test  eax, eax
                jz    @@achtung
    		add	eax, 24h      ;;magic liitle offset
    		mov	eax, [eax]
    @@achtung:
    		retn       
    getplayerbase	endp
    
    getmovementflagofs	proc near		; CODE XREF: sub_4437B0+14p
    					; StartAddress+21p ...
    		test	eax, eax
    		jnz	short loc_442957
    		xor	eax, eax
    		retn
    
    loc_442957:				; CODE XREF: sub_442950+2j
    		add	eax, 0D8h    ;;magic liitle friend
    		mov	eax, [eax]
    		add	eax, 44h     ;;magic little friend
    		retn
    getmovementflagofs	endp
    
    getmycoordsofs	proc near		; CODE XREF: StartAddress+13p
    					; sub_443E44+36p ...
    		test	eax, eax
    		jnz	short loc_44281F
    		xor	eax, eax
    		retn
    
    loc_44281F:				; CODE XREF: sub_442818+2j
    		add	eax, 798h   ;;magic little friend
    		retn
    getmycoordsofs	endp
    
    getcurmountspeed proc near		; CODE XREF: StartAddress+D8p
    					; sub_443F78+18Ap ...
    
    var_4		= dword	ptr -4
    
    		push	ecx
    		test	eax, eax
    		jnz	short loc_4428FC
    		xor	eax, eax
    		mov	[esp+4+var_4], eax
    		jmp	short loc_44290D
    ; -------
    
    loc_4428FC:				; CODE XREF: getcurmountspeed+3j
    		add	eax, 0D8h
    		mov	eax, [eax]
    		add	eax, 94h      ;MoveSpeed offset
    		mov	eax, [eax]
    		mov	[esp+4+var_4], eax
    
    loc_44290D:				; CODE XREF: getcurmountspeed+Aj
    		fld	[esp+4+var_4]
    		pop	edx
    		retn
    getcurmountspeed endp
    
    
    floatfunc1 proc ; presumably exponentiation
    var_4		= dword	ptr -4
    arg_0		= dword	ptr  8
    arg_4		= dword	ptr  0Ch
    
    
                jmp     @@1
        dbl_const dq 2.147483647e9
    @@1:
    		push	ebp
    		mov	ebp, esp
    		push	ecx
    		fld	[ebp+arg_0]
    		fld	st
    		fabs
    		fld	dbl_const
    		fcompp
    		fstsw	ax
    		sahf
    		jb	short loc_40ABBE
    		fld	st
    		frndint
    		fcomp	st(1)
    		fstsw	ax
    		sahf
    		jnz	short loc_40ABBE
    		fistp	[ebp+var_4]
    		mov	eax, [ebp+var_4]
    		mov	ecx, eax
    		cdq
    		fld1
    		xor	eax, edx
    		sub	eax, edx
    		jz	short loc_40ABE9
    		fld	[ebp+arg_4]
    		jmp	short loc_40ABA9
    ; -----
    
    loc_40ABA7:				; CODE XREF: sub_40AB6C+3Fj
    					; sub_40AB6C+43j
    		fmul	st, st
    
    loc_40ABA9:				; CODE XREF: sub_40AB6C+39j
    		shr	eax, 1
    		jnb	short loc_40ABA7
    		fmul	st(1), st
    		jnz	short loc_40ABA7
    		fstp	st
    		cmp	ecx, 0
    		jge	short loc_40ABE9
    		fld1
    		fdivrp	st(1), st
    		jmp	short loc_40ABE9
    ; ---------
    
    loc_40ABBE:				; CODE XREF: sub_40AB6C+17j
    					; sub_40AB6C+23j
    		fld	[ebp+arg_4]
    		ftst
    		fstsw	ax
    		sahf
    		jz	short loc_40ABE7
    		fldln2
    		fxch	st(1)
    		fyl2x
    		fxch	st(1)
    		fmulp	st(1), st
    		fldl2e
    		fmulp	st(1), st
    		fld	st
    		frndint
    		fsub	st(1), st
    		fxch	st(1)
    		f2xm1
    		fld1
    		faddp	st(1), st
    		fscale
    
    loc_40ABE7:				; CODE XREF: sub_40AB6C+5Bj
    		fstp	st(1)
    
    loc_40ABE9:				; CODE XREF: sub_40AB6C+34j
    					; sub_40AB6C+4Aj ...
    		pop	ecx
    		pop	ebp
    		retn	8
    
    floatfunc1 endp
    
    floatfunc2 proc
    var_4		= dword	ptr -4
    arg_0		= tbyte	ptr  8
    arg_C		= tbyte	ptr  14h
    
    		push	ebp
    		mov	ebp, esp
    		push	ecx
    		fld	[ebp+arg_0]
    		fld	st
    		fabs
    		fld	dbl_const
    		fcompp
    		fstsw	ax
    		sahf
    		jb	short loc_40AB3A
    		fld	st
    		frndint
    		fcomp	st(1)
    		fstsw	ax
    		sahf
    		jnz	short loc_40AB3A
    		fistp	[ebp+var_4]
    		mov	eax, [ebp+var_4]
    		mov	ecx, eax
    		cdq
    		fld1
    		xor	eax, edx
    		sub	eax, edx
    		jz	short loc_40AB65
    		fld	[ebp+arg_C]
    		jmp	short loc_40AB25
    ; ---
    
    loc_40AB23:				; CODE XREF: sub_40AAE8+3Fj
    					; sub_40AAE8+43j
    		fmul	st, st
    
    loc_40AB25:				; CODE XREF: sub_40AAE8+39j
    		shr	eax, 1
    		jnb	short loc_40AB23
    		fmul	st(1), st
    		jnz	short loc_40AB23
    		fstp	st
    		cmp	ecx, 0
    		jge	short loc_40AB65
    		fld1
    		fdivrp	st(1), st
    		jmp	short loc_40AB65
    ; --
    
    loc_40AB3A:				; CODE XREF: sub_40AAE8+17j
    					; sub_40AAE8+23j
    		fld	[ebp+arg_C]
    		ftst
    		fstsw	ax
    		sahf
    		jz	short loc_40AB63
    		fldln2
    		fxch	st(1)
    		fyl2x
    		fxch	st(1)
    		fmulp	st(1), st
    		fldl2e
    		fmulp	st(1), st
    		fld	st
    		frndint
    		fsub	st(1), st
    		fxch	st(1)
    		f2xm1
    		fld1
    		faddp	st(1), st
    		fscale
    
    loc_40AB63:				; CODE XREF: sub_40AAE8+5Bj
    		fstp	st(1)
    
    loc_40AB65:				; CODE XREF: sub_40AAE8+34j
    					; sub_40AAE8+4Aj ...
    		pop	ecx
    		pop	ebp
    		retn	18h
    
    floatfunc2 endp
    
    floatfunc3	proc near		; CODE XREF: StartAddress+ECp
    
    var_C		= word ptr -0Ch
    var_A		= word ptr -0Ah
    var_8		= qword	ptr -8
    
    		sub	esp, 0Ch
    		fnstcw	[esp+0Ch+var_C]
    		fnstcw	[esp+0Ch+var_A]
    		wait
    		or	[esp+0Ch+var_A], 0F00h
    		fldcw	[esp+0Ch+var_A]
    		fistp	[esp+0Ch+var_8]
    		wait
    		fldcw	[esp+0Ch+var_C]
    		pop	ecx
    		pop	eax
    		pop	edx
    		retn
    floatfunc3	endp
    
    floatfunc4	proc near		; CODE XREF: sub_41A228+D8p
    var_8		= qword	ptr -8
    
    		sub	esp, 8
    		fistp	[esp+8+var_8]
    		wait
    		pop	eax
    		pop	edx
    		retn
    floatfunc4	endp
    
    getsomething1	proc near		; CODE XREF: sub_443F78+140p
    
    var_4		= dword	ptr -4
    
    		push	ecx
    		test	eax, eax
    		jnz	short loc_4428E0
    		xor	eax, eax
    		mov	[esp+4+var_4], eax
    		jmp	short loc_4428EA
    ; -------------
    
    loc_4428E0:				; CODE XREF: sub_4428D4+3j
    		add	eax, 7A8h ;getsomething1
    		mov	eax, [eax]
    		mov	[esp+4+var_4], eax
    
    loc_4428EA:				; CODE XREF: sub_4428D4+Aj
    		fld	[esp+4+var_4]
    		pop	edx
    		retn
    getsomething1	endp
    
    getsomething2	proc near		; CODE XREF: sub_446E3C+80p
    					; sub_447CD0+Ap
    		test	eax, eax
    		jnz	short loc_44291B
    		xor	eax, eax
    		retn
    ; ---------------------------------------------------------------------------
    
    loc_44291B:				; CODE XREF: sub_442914+2j
    		add	eax, 808h
    		mov	eax, [eax]
    		retn
    getsomething2	endp
    
    
    
    
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    
    wowproc1hook proc   ;1111111111111111111111111111111111111111111111111
    var_4		= dword	ptr -4
    arg_0		= dword	ptr  8
    
                pop   ebp
    
    		push	ebp
    		mov	ebp, esp
    		push	ecx  ;var_4
    		push	ebx
    		push	esi
    		push	edi
    		mov	ecx, [ebp+arg_0]
    		mov	edx, ecx
    		mov	eax, [edx+4]
    		mov	esi, eax
    		add	esi, 4
    		add	esi, somepacketid
    		mov	ebx, [edx+0Ch]
    		sub	ebx, 100h
    		jz	short loc_443309
    		sub	ebx, 200h
    		jz	loc_443602
    		jmp	loc_443610
    ; ---------------------------------------------------------------------------
    
    loc_443309:				; CODE XREF: sub_4432D0+26j
    		;;---DEBUG
    			mov ebx, [eax]
    			call AddLogBuff
    		;;---
    		cmp	teleportflag, 1
    		jnz	short loc_443602
    		mov	ebx, [eax]
    		sub	ebx, 0B4h
    		jz	loc_443610
    		sub	ebx, 26h
    		jz	loc_443610
    		sub	ebx, 14h
    		jz	loc_443610
    		sub	ebx, 1E0h
    		jz	loc_443610
    
    loc_443602:				; CODE XREF: sub_4432D0+2Ej
    		push	ecx
    		xor	edx, edx
    		xor	eax, eax
    		mov	ecx, [ebp+var_4]
    		call	wowproc1org
    
    loc_443610:				; CODE XREF: sub_4432D0+34j
    					; sub_4432D0+4Aj ...
    		pop	edi
    		pop	esi
    		pop	ebx
    		pop	ecx
    		pop	ebp
    		retn	4
    
    wowproc1hook endp
    
    wowproc1org proc
    
        push    ebp
        mov     ebp,esp
        push    esi
        mov     esi,ecx
        push     (wowproc1 + 6)
        retn
        
    wowproc1org endp
    
    wowproc2hook proc   ;222222222222222222222222222222222222222222222222222
    var_4		= dword	ptr -4
    arg_0		= dword	ptr  8
    arg_4		= dword	ptr  0Ch
    
                pop   ebp
    
    		push	ebp
    		mov	ebp, esp
    		push	ecx ;var_4
    		push	ebx
    		push	esi
    		mov	esi, [ebp+arg_0]
    		mov	ebx, teleportflag
    		cmp	ebx,	1
    		jnz	short loc_44364F
    		cmp	esi, 2
    		jz	short loc_44364F
    		lea	eax, [ebp+4]	; ret addr
    		mov	[ebp+var_4], eax
    		mov	eax, [ebp+var_4]
    		cmp	dword ptr [eax], retaddr1
    		jnz	short loc_44364B
    		mov	eax, [ebp+var_4]
    		mov	dword ptr [eax], retaddr2
    
    loc_44364B:				; CODE XREF: sub_443618+28j
    		xor	eax, eax
    		jmp	short loc_44365A
    ; ---------------------------------------------------------------------------
    
    loc_44364F:				; CODE XREF: sub_443618+12j
    					; sub_443618+17j
    		mov	ebx, [ebp+arg_4]
    		push	ebx
    		push	esi
    		call	wowproc2org
    
    loc_44365A:				; CODE XREF: sub_443618+35j
    		pop	esi
    		pop	ebx
    		pop	ecx
    		pop	ebp
    		retn	8
    
    wowproc2hook endp
    
    wowproc2org proc
        push    ebp
        mov     ebp,esp
        sub     esp,20h
        push     (wowproc2 + 6)
        retn
    wowproc2org endp
    
    wowproc3hook proc   ;333333333333333333333333333333333333333333
    
                pop     esi
    
    		mov	  eax, wowtickcount ; starts few secs before entering a realm
    		call	  eax
    		mov	  counter1, eax
    		mov	  counter2, eax
    		mov	  eax, 3F800000h
    		mov	  currspeed, eax
    		xor	  eax, eax
                mov     playerbase,eax
                retn
    wowproc3hook endp
    
    wowproc4hook proc   ;4444444444444444444444444444444444444444444
    
                pop   esi
    
    		call	getsomepacketid
    		mov	somepacketid, eax
    		xor	edx, edx
    		mov	playerbase, edx
    		retn
    
    wowproc4hook endp
    
    wowproc5hook proc   ;55555555555555555555555555555555555555555555
                var_4		= dword	ptr -4
    
                pop   ebp
                
    		push	ebp
    		mov	ebp, esp
    		mov	eax, offset wowproc5org
    		call	eax
    
    		mov	eax, wowattachstate ;attach state?
    		cmp	byte ptr [eax],	0
    		jz	short loc_4483A4
    		mov	eax, playerbase
    		test	eax, eax
    		jnz	short loc_4483A4
    		call	getplayerbase
    		mov	playerbase, eax
    
    loc_4483A4:				; CODE XREF: sub_448324+67j
    					; sub_448324+71j
    
    
    		pop	ebp
    		retn
    
    wowproc5hook endp
    
    wowproc5org proc
        push    ebp
        mov     ebp,esp
        sub     esp,0Ch
        push    (wowproc5 + 6)
        retn
    wowproc5org endp
    
    wowproc6hook proc
        		push	ebx		; speedhack stuff
    		push	esi
    		add	esp, -8
    		mov	eax, wowtickcount
    		call	eax
    		mov	ebx, eax
    		cmp	ebx, counter1
    		jb	short loc_442B79
    		cmp	counter1, 0
    		jnz	short loc_442B89
    
    loc_442B79:				; CODE XREF: .text:00442B6Ej
    		mov	counter1, ebx
    		mov	counter2, ebx
    		mov	eax, ebx
    		jmp	short loc_442BC7
    ; -------
    
    loc_442B89:				; CODE XREF: .text:00442B77j
    		mov	esi, ebx
    		sub	esi, counter1
    		mov	counter1, ebx
    		mov	[esp], esi
    		xor	eax, eax
    		mov	[esp+4], eax
    		fild	qword ptr [esp]
    		fmul	currspeed
    		call	floatfunc4
    		add	eax, counter2
    		mov	edx, counter2
    		mov	counter3, edx
    		mov	counter2, eax
    		mov	eax, ebx
    
    loc_442BC7:				; CODE XREF: .text:00442B87j
    		pop	ecx
    		pop	edx
    		pop	esi
    		pop	ebx
    		retn
    
    wowproc6hook endp
    
    wowproc7hook proc            
    arg_0		= dword	ptr  8
    arg_4		= dword	ptr  0Ch
    
                pop   esi
    
    		push	ebp
    		mov	ebp, esp
    		push	ebx
    		push	esi
    		mov	ebx, wowgetpacketstruct
    		call	ebx
    		mov	ebx, eax
    		cmp	packettimer2, 0
    		jnz	short loc_442CA5
    		cmp	packettimer1, 0
    		jnz	short loc_442CA5
    		mov	eax, ebx
    		add	eax, 128h
    		mov	edx, [eax]
    		mov	packettimer1, edx
    		mov	edx, [eax+4]
    		mov	packettimer2, edx
    		jmp	short loc_442CBD
    ; ----------
    
    loc_442CA5:				; CODE XREF: wowhook7+18j wowhook7+21j
    		mov	eax, ebx
    		add	eax, 128h
    		mov	edx, packettimer1
    		mov	[eax], edx
    		mov	edx, packettimer2
    		mov	[eax+4], edx
    
    loc_442CBD:				; CODE XREF: wowhook7+3Bj
    		mov	eax, [ebp+arg_4]
    		push	eax
    		mov	eax, [ebp+arg_0]
    		push	eax
    		call	wowproc7org
    		add	esp, 8
    		mov	ecx, eax
    		mov	eax, ebx
    		mov	edx, eax
    		add	edx, 128h
    		mov	esi, [edx]
    		mov	packettimer1, esi
    		mov	esi, [edx+4]
    		mov	packettimer2, esi
    		add	eax, 12Ch	;little off!!!
    		mov	esi, counter2
    		mov	[eax], esi
    		mov	eax, counter2
    		mov	[edx], eax
    		mov	eax, ecx
    		pop	esi
    		pop	ebx
    		pop	ebp
    		retn
    
    wowproc7hook endp
    
    wowproc7org proc
        push    esi
        push    edi
        call    wowproc6hook
        push    (wowproc7 + 7)
        retn
    wowproc7org endp
    
    wowproc8hook proc
    var_10		= dword	ptr -10h
    var_C		= dword	ptr -0Ch
    var_4		= dword	ptr -4
    arg_0		= dword	ptr  8
    arg_4		= dword	ptr  0Ch
    arg_8		= dword	ptr  10h
    arg_C		= dword	ptr  14h
    arg_10		= dword	ptr  18h
    arg_14		= dword	ptr  1Ch
    
                pop   ebp
    
    		push	ebp
    		mov	ebp, esp
    		add	esp, 0FFFFFFF0h
    		push	ebx
    		mov	[ebp+var_4], ecx
    		mov	ebx, wowgetpacketstruct
    		call	ebx
    		mov	ebx, eax
    		cmp	packettimer2, 0
    		jnz	short loc_442D55
    		cmp	packettimer1, 0
    		jnz	short loc_442D55
    		mov	eax, ebx
    		add	eax, 128h
    		mov	edx, [eax]
    		mov	packettimer1, edx
    		mov	edx, [eax+4]
    		mov	packettimer2, edx
    		mov	edx, [eax]
    		mov	[ebp+var_10], edx
    		mov	edx, [eax+4]
    		mov	[ebp+var_C], edx
    		jmp	short loc_442D78
    ; ------------
    
    loc_442D55:				; CODE XREF: wowhook8+1Dj wowhook8+26j
    		mov	eax, ebx
    		add	eax, 128h
    		mov	edx, packettimer1
    		mov	[eax], edx
    		mov	edx, packettimer2
    		mov	[eax+4], edx
    		mov	edx, [eax]
    		mov	[ebp+var_10], edx
    		mov	edx, [eax+4]
    		mov	[ebp+var_C], edx
    
    loc_442D78:				; CODE XREF: wowhook8+4Bj
    		mov	ecx, [ebp+var_4]
    		mov	eax, [ebp+arg_14]
    		push	eax
    		mov	eax, [ebp+arg_10]
    		push	eax
    		mov	eax, [ebp+arg_C]
    		push	eax
    		mov	eax, [ebp+arg_8]
    		push	eax
    		mov	eax, [ebp+arg_4]
    		push	eax
    		mov	eax, [ebp+arg_0]
    		push	eax
    		call	wowproc8org
    		add	ebx, 128h	;little off!!
    		mov	edx, [ebp+var_10] ; packettimer1
    		mov	[ebx], edx
    		mov	edx, [ebp+var_C] ; packettimer2
    		mov	[ebx+4], edx
    		pop	ebx
    		mov	esp, ebp
    		pop	ebp
    		retn	18h
    
    wowproc8hook endp
    
    wowproc8org proc
        push    ebp
        mov     ebp, esp
        sub     esp, 0CCh
        push    (wowproc8 + 9)
        retn
    wowproc8org endp
    
    wowproc9hook proc
    var_10		= dword	ptr -10h
    var_C		= dword	ptr -0Ch
    var_4		= dword	ptr -4
    arg_0		= dword	ptr  8
    arg_4		= dword	ptr  0Ch
    arg_8		= dword	ptr  10h
    
                pop   ebp
    
    		push	ebp
    		mov	ebp, esp
    		add	esp, 0FFFFFFF0h
    		push	ebx
    		mov	[ebp+var_4], ecx
    		mov	ebx, wowgetpacketstruct
    		call	ebx
    		mov	ebx, eax
    		cmp	packettimer2, 0
    		jnz	short loc_442E01
    		cmp	packettimer1, 0
    		jnz	short loc_442E01
    		mov	eax, ebx
    		add	eax, 128h
    		mov	edx, [eax]
    		mov	packettimer1, edx
    		mov	edx, [eax+4]
    		mov	packettimer2, edx
    		mov	edx, [eax]
    		mov	[ebp+var_10], edx
    		mov	edx, [eax+4]
    		mov	[ebp+var_C], edx
    		jmp	short loc_442E24
    ; ----------------
    
    loc_442E01:				; CODE XREF: wowhook9+1Dj wowhook9+26j
    		mov	eax, ebx
    		add	eax, 128h
    		mov	edx, packettimer1
    		mov	[eax], edx
    		mov	edx, packettimer2
    		mov	[eax+4], edx
    		mov	edx, [eax]
    		mov	[ebp+var_10], edx
    		mov	edx, [eax+4]
    		mov	[ebp+var_C], edx
    
    loc_442E24:				; CODE XREF: wowhook9+4Bj
    		mov	ecx, [ebp+var_4]
    		mov	eax, [ebp+arg_8]
    		push	eax
    		mov	eax, [ebp+arg_4]
    		push	eax
    		mov	eax, [ebp+arg_0]
    		push	eax
    		call	wowproc9org
    		add	ebx, 128h
    		mov	edx, [ebp+var_10]
    		mov	[ebx], edx
    		mov	edx, [ebp+var_C]
    		mov	[ebx+4], edx
    		pop	ebx
    		mov	esp, ebp
    		pop	ebp
    		retn	0Ch
    
    wowproc9hook endp
    
    wowproc9org proc
                push   ebp
                mov    ebp, esp
                sub    esp, 60h
                push   (wowproc9 + 6)
                retn
    wowproc9org endp
    
    wowproc10hook proc
    var_8		= dword	ptr -8
    var_4		= dword	ptr -4
    arg_0		= dword	ptr  8
    arg_4		= dword	ptr  0Ch
    
                pop     ebp
    
    		push	ebp
    		mov	ebp, esp
    		add	esp, -8
    		push	ebx
    		push	esi
    		push	edi
    		mov	edi, ecx
    		mov	ebx, wowgetpacketstruct
    		call	ebx
    		mov	ebx, eax
    		mov	eax, ebx
    		mov	esi, eax
    		add	esi, 128h
    		mov	edx, [esi]
    		mov	[ebp+var_8], edx
    		mov	edx, [esi+4]
    		mov	[ebp+var_4], edx
    		add	eax, 12Ch
    		mov	edx, counter3
    		mov	[eax], edx
    		mov	eax, counter3
    		mov	[esi], eax
    		mov	eax, playerbase
    		add	eax, 788h ;; magic, very interesting offset (wowproc10magic)
    		cmp	eax, edi
    		jnz	short loc_442C3E
    		mov	edx, counter3
    		push	edx
    		mov	edx, counter2
    		push	edx
    		mov	ecx, eax
    		xor	edx, edx
    		xor	eax, eax
    		call	wowproc10org
    		jmp	short loc_442C52
    ; ----------------
    
    loc_442C3E:				; CODE XREF: wowhook10+4Ej
    		mov	eax, [ebp+arg_4]
    		push	eax
    		mov	eax, [ebp+arg_0]
    		push	eax
    		mov	ecx, edi
    		xor	edx, edx
    		xor	eax, eax
    		call	wowproc10org
    
    loc_442C52:				; CODE XREF: wowhook10+70j
    		mov	edx, [ebp+var_8]
    		mov	[esi], edx
    		mov	edx, [ebp+var_4]
    		mov	[esi+4], edx
    		pop	edi
    		pop	esi
    		pop	ebx
    		pop	ecx
    		pop	ecx
    		pop	ebp
    		retn	8
    wowproc10hook endp
    
    wowproc10org proc
                PUSH    EBP
                MOV     EBP,ESP
                SUB     ESP,0Ch
                push    (wowproc10 + 6)
                retn
    wowproc10org endp
    
    endscenehook proc
        mov     eax, objbase
        test    eax,eax
        jnz     @@1
        jmp     endsceneorg    
    @@1:
        push    offset objbase
        call    Interact
        xor     eax,eax
        mov     objbase, eax
        jmp     endsceneorg    
    endscenehook endp
    
    endsceneorg proc
        push    ebp
        mov     ebp, esp
        push    0FFh
        mov     eax, endsceneaddr
        add     eax, 7
        push    eax
        retn
    endsceneorg endp
    
    
    ; -------------------------------------------
    
    Teleport proc ; input: dword, pointer to an XYZ structure (all float)
    
    var_44		= tbyte	ptr -44h
    var_28		= tbyte	ptr -28h
    var_1C		= dword	ptr -1Ch
    var_18		= byte ptr -18h
    var_C		= dword	ptr -0Ch
    var_8		= dword	ptr -8
    var_4		= dword	ptr -4
    arg_0		= dword	ptr  8
    
    		push	ebp
    		mov	ebp, esp
    		add	esp, -28h
    		push	ebx
    		push	esi
    		push	edi
    		lea	edi, [ebp+var_18]
    
            	mov	eax, playerbase
    		call	getmovementflagofs
    		mov	[ebp+var_C], eax
                cmp     word ptr [eax], 0
                jnz     @@end   ; no teleports while moving
    
    
    		mov	eax, playerbase
    		call	getmycoordsofs
    		mov	ebx, eax
    
    		mov	eax, 1
    		mov	teleportflag, eax
    
     		;mov	eax, offcurspeed
     		;mov	eax, [eax]
     		;mov	[ebp+var_4], eax
     		;push	0
     		;call	setspeedfactor
                mov   eax, currspeed
                mov   [ebp+var_4], eax
                xor   eax, eax
                mov   currspeed, eax
    
                mov   esi, counter2
     
    		mov	eax, [ebp+arg_0]
    
                mov   ecx, [eax + 0Ch]
                mov   edx, [eax + 10h]
                mov   PacketDelay, ecx            
                mov   PacketDistance, edx
                
    		fld	dword ptr [eax]
    		fsub	dword ptr [ebx]
    		fstp	dword ptr [edi]
    		wait
    		mov	eax, [ebp+arg_0]
    		fld	dword ptr [eax+4]
    		fsub	dword ptr [ebx+4]
    		fstp	dword ptr [edi+4]
    		wait
    		mov	eax, [ebp+arg_0]
    		fld	dword ptr [eax+8]
    		fsub	dword ptr [ebx+8]
    		fstp	dword ptr [edi+8]
    		wait
    		push	dword ptr [edi]
    		push	40000000h ;2.0
    		call	floatfunc1
    		fstp	[ebp+var_1C]
    		wait
    		push	dword ptr [edi+4]
    		push	40000000h
    		call	floatfunc1
    		fadd	[ebp+var_1C]
    		fstp	[ebp+var_28]
    		wait
    		push	dword ptr [edi+8]
    		push	40000000h
    		call	floatfunc1
    		fld	[ebp+var_28]
    		faddp	st(1), st
    		add	esp, 0FFFFFFF4h
    		fstp	[esp+44h+var_44]
    		wait
    		push	3FFEh
    		push	80000000h
    		push	0
    		call	floatfunc2
    		fstp	[ebp+var_8]
    		wait
    		mov	eax, playerbase
    		call	getcurmountspeed
    		fdiv	standartspeed
    		fmul	PacketDistance
    		fdivr	[ebp+var_8]
    		call	floatfunc3
    		inc	eax
    		mov	packetsleft, eax
    		fild	packetsleft
    		fdivr	dword ptr [edi]
    		fstp	dword ptr [edi]
    		wait
    		fild	packetsleft
    		fdivr	dword ptr [edi+4]
    		fstp	dword ptr [edi+4]
    		wait
    		fild	packetsleft
    		fdivr	dword ptr [edi+8]
    		fstp	dword ptr [edi+8]
    		wait
    		mov	ecx, ebx
    		mov	edx, esi
    		mov	eax, 0B5h
    		call	sendmovpacket
    		cmp	packetsleft, 0
    		jle	short loc_443A54
    
    loc_4439ED:				; CODE XREF: StartAddress+1A2j
    		mov	eax, wowattachstate
    		cmp	byte ptr [eax],	0
    		jnz	short loc_443A0B
    		xor   eax,eax
    		mov	teleportflag, eax
    		jmp	loc_443ACB
    ; -------------------
    
    loc_443A0B:				; CODE XREF: StartAddress+145j
    		mov	eax, PacketDelay
    		push	eax
    		call	Sleep
                timeslice equ 1F4h
    		add	esi, timeslice
    		fld	dword ptr [ebx]
    		fadd	dword ptr [edi]
    		fstp	dword ptr [ebx]
    		wait
    		fld	dword ptr [ebx+4]
    		fadd	dword ptr [edi+4]
    		fstp	dword ptr [ebx+4]
    		wait
    		fld	dword ptr [ebx+8]
    		fadd	dword ptr [edi+8]
    		fstp	dword ptr [ebx+8]
    		wait
    		mov	ecx, ebx
    		mov	edx, esi
    		mov	eax, 0EEh
    		call	sendmovpacket
    		dec	packetsleft
    		cmp	packetsleft, 0
    		jg	short loc_4439ED
    
    loc_443A54:				; CODE XREF: StartAddress+13Bj
    		mov	eax, PacketDelay
    		push	eax
    		call	Sleep
    		add	esi, timeslice
    
    		mov	eax, [ebp+var_C]
    		mov	dword ptr [eax], 80000000h
    
    loc_443A83:				; CODE XREF: StartAddress+1C8j
    		mov	ecx, ebx
    		mov	edx, esi
    		mov	eax, 0B7h
    		call	sendmovpacket
    		mov	counter2, esi
    
    		;push	[ebp+var_4]
    		;call	setspeedfactor
                mov   eax, [ebp+var_4]
                mov   currspeed, eax
                
    		mov	eax, TelDoneWait
    		push	eax
    		call	Sleep
    		xor	eax, eax
    		mov	teleportflag, eax
    
    @@end:
    loc_443ACB:				; CODE XREF: StartAddress+156j
    		pop	edi
    		pop	esi
    		pop	ebx
    		mov	esp, ebp
    		pop	ebp
    		retn	4
    
    Teleport endp
    
    ; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
    
    Interact proc ptrObjBase:dword
    
        mov     eax, ptrObjBase
        mov     ecx, [eax]      ;base
        
        mov     eax, CurMgrPtr
        mov     eax, [eax]
        mov     edx, [eax + CurMgrOfs] ;Object manager
    
        ASSUME FS:NOTHING
        mov     eax, fs:[2Ch]
        mov     eax, [eax]
        lea	eax, [eax + TLSMainTable]
        mov     [eax], edx ;Set current manager
        
        
        mov     eax, [ecx] ;Func table
        mov     eax, [eax + 4*VFinteract]
        call    eax
    
        ret
    Interact endp
    
    StopFall proc
    
    var_4		= dword	ptr -4
    
    		push	ebp
    		mov	ebp, esp
    		push	ecx
    		push	ebx
    		push	esi
    		mov	eax, wowattachstate
    		cmp	byte ptr [eax],	0
    		jnz	short loc_446E61
    		jmp	short loc_446ED0
    ; -------------
    
    loc_446E61:				; CODE XREF: sub_446E3C+Ej
    		mov	eax, playerbase
    		call	getmycoordsofs
    		mov	ebx, eax
    		mov	eax, playerbase
    		call	getsomething1
    		fstp	[ebp+var_4]
    		wait
    		mov	esi, counter2
    		mov	eax, playerbase
    		call	getmovementflagofs
    		mov	dword ptr [eax], 80000000h
    		push	dword ptr [ebx]
    		push	dword ptr [ebx+4]
    		push	dword ptr [ebx+8]
    		push	[ebp+var_4]
    		mov	eax, playerbase
    		call	getsomething2
    		push	eax
    		mov	ecx, esi
    		xor	edx, edx
    		mov	eax, 0C9h
    		call	sendfallpacket
    
    loc_446ED0:				; CODE XREF: sub_446E3C+23j
    		pop	esi
    		pop	ebx
    		pop	ecx
    		pop	ebp
    		retn  4 ;arg pop
    
    StopFall endp
    
    ; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    
    UnHook proc funcaddr:dword,old8baddr:dword
    
        push  eax
        push  ecx
        push  edx    
        mov edx, old8baddr
        mov eax, [edx]
        mov ecx, [edx+4]
        mov edx, funcaddr
        mov [edx], eax
        mov [edx+4], ecx
        pop edx
        pop ecx
        pop eax
        
        ret
    
    UnHook endp
    
    SetHook proc funcaddr:dword,trapaddr:dword,old8baddr:dword ;set jump hook
          local oldprot:dword,hookbytes:dword
          push  ebx
          push  eax
          push  ecx
          push  edx
          mov   ebx,old8baddr
    	Invoke VirtualProtect,funcaddr,5,PAGE_EXECUTE_READWRITE,addr oldprot
    	test	eax,eax
    	jz	@@2
    	mov	eax,funcaddr
    	mov	ecx,trapaddr
    	sub	ecx,eax
    	sub	ecx,5
    	mov	hookbytes,ecx
    	mov	ecx,[eax]
    	mov	edx,[eax+4]    
    	mov	[ebx],ecx
    	mov	[ebx+4],edx
    	mov	byte ptr [eax],0E9h
    	mov	ecx,hookbytes
    	mov	[eax+1],ecx
          Invoke VirtualProtect,funcaddr,5,oldprot,addr oldprot
    @@2:
          pop   edx
          pop   ecx
          pop   eax
          pop   ebx
    	ret
    SetHook endp
    
    ReplaceCall proc funcaddr:dword,trapaddr:dword,old8baddr:dword ;set call hook
          local oldprot:dword,hookbytes:dword
          push  ebx
          push  eax
          push  ecx
          push  edx
          mov   ebx,old8baddr
    	Invoke VirtualProtect,funcaddr,5,PAGE_EXECUTE_READWRITE,addr oldprot
    	test	eax,eax
    	jz	@@2
    	mov	eax,funcaddr
    	mov	ecx,trapaddr
    	sub	ecx,eax
    	sub	ecx,5
    	mov	hookbytes,ecx
    	mov	ecx,[eax]
    	mov	edx,[eax+4]    
    	mov	[ebx],ecx
    	mov	[ebx+4],edx
    	mov	byte ptr [eax],0E8h
    	mov	ecx,hookbytes
    	mov	[eax+1],ecx
          Invoke VirtualProtect,funcaddr,5,oldprot,addr oldprot
    @@2:
          pop   edx
          pop   ecx
          pop   eax
          pop   ebx
    	ret
    ReplaceCall endp
    
    ; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
    ;-------------------------------Debug func---
    CreateLog proc
              Invoke	CreateFile,addr File,GENERIC_WRITE,0,0,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
              mov	hFile, eax
    	  ret
    CreateLog endp
    CloseLog proc
    	Invoke	CloseHandle,hFile
    	ret
    CloseLog endp
    WriteLog proc
    	local prm:dword
    	Invoke	WriteFile,hFile,addr buff,maxbuff*4,addr prm,0
    	ret
    WriteLog endp
    AddLogBuff proc ;in ebx
    	push ecx 
    	push edx
    	mov ecx, buffindx
    	cmp ecx, maxbuff
    	jz @@1
    	mov edx, offset buff
    	mov [edx+ecx*4], ebx
    	inc ecx
    	mov buffindx, ecx
    @@1:
    	pop edx
    	pop ecx	 
    	ret
    AddLogBuff endp
    ;--------------------------------------------
    
    end LibMain

    Makeit.bat: (masm32)
    Code:
    @echo off
    if exist port.obj del port.obj
    if exist port.dll del port.dll
    \masm32\bin\ml /c /coff port.asm
    \masm32\bin\Link /SUBSYSTEM:WINDOWS /DLL /DEF:port.def port.obj 
    del port.obj
    del port.exp
    dir port.*
    pause
    port.def :
    Code:
    LIBRARY port
     ; EXPORTS [your_exported_proc_name]
    How to use:
    Inject the dll into a 3.3.5 wow process, allocate memory in the wow process and store this structure there: dword x, dword y, dword z, dword PacketDelay, dword PacketDistance.
    CreateRemoteThread the Teleport proc with a pointer to that structure as the argument. To abort a teleport, WriteProcessMemory zero into "teleportflag" and "packetsleft".
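The SetHook/ReplaceCall routines in the posted dll patch a 5-byte jmp (E9) or call (E8) over a function's first bytes after VirtualProtect, and UnHook puts the 8 saved bytes back. As an added example that is not part of the posted code, here is the defender's side of that mechanic in C: a prologue integrity check that flags an E9/E8 patch at offset 0, recovers the absolute destination from the rel32 (the inverse of the "sub ecx,eax / sub ecx,5" arithmetic in SetHook), and diffs the live bytes against a trusted copy. All function names, the function address 0x00442DE0 and the trap address 0x10001000 are constructed for this demo; the sample bytes are the push ebp / mov ebp,esp / sub esp,60h prologue that wowproc9org reproduces.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not from the posted dll): integrity check for a function
   prologue against the 5-byte E9/E8 patch that SetHook/ReplaceCall write. */

#define SAVED_LEN 8   /* the posted UnHook restores 8 saved bytes */

typedef struct {
    int      hooked;   /* 1 when byte 0 is an E9 (jmp) or E8 (call) patch */
    uint8_t  opcode;   /* patch opcode found, 0 when clean */
    uint32_t target;   /* absolute destination: func + 5 + rel32 */
} hook_report;

/* rel32 that a 5-byte jmp/call placed at func_addr needs to reach trap_addr;
   the same arithmetic as "sub ecx,eax / sub ecx,5" in the posted SetHook.
   Used here only to cross-check the detector's inverse computation. */
int32_t expected_rel32(uint32_t func_addr, uint32_t trap_addr)
{
    return (int32_t)(trap_addr - func_addr - 5u);
}

/* Decode a little-endian 32-bit value without relying on host byte order. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify the first bytes of the function located at func_addr. */
hook_report inspect_prologue(uint32_t func_addr, const uint8_t *bytes, size_t len)
{
    hook_report r = {0, 0, 0};
    if (bytes == NULL || len < 5)
        return r;                       /* too short to hold a 5-byte patch */
    if (bytes[0] == 0xE9 || bytes[0] == 0xE8) {
        r.hooked = 1;
        r.opcode = bytes[0];
        /* rel32 is relative to the end of the 5-byte instruction */
        r.target = func_addr + 5u + read_le32(bytes + 1);
    }
    return r;
}

/* Count bytes in the first n that differ from a trusted copy (for example the
   on-disk image or a snapshot taken at load time). 0 means untouched. */
size_t prologue_diff(const uint8_t *live, const uint8_t *trusted, size_t n)
{
    size_t d = 0;
    for (size_t i = 0; i < n; i++)
        if (live[i] != trusted[i])
            d++;
    return d;
}

/* Constructed sample data (not real addresses from the game). */
const uint32_t SAMPLE_FUNC = 0x00442DE0u;
/* push ebp / mov ebp,esp / sub esp,60h, then two filler bytes (push ebx, push esi) */
const uint8_t sample_clean[SAVED_LEN]  = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x60, 0x53, 0x56};
/* Same 8 bytes after a call hook to a trap at 0x10001000: E8 + rel32
   0x0FBBE21B in little-endian order; the last three bytes are untouched. */
const uint8_t sample_hooked[SAVED_LEN] = {0xE8, 0x1B, 0xE2, 0xBB, 0x0F, 0x60, 0x53, 0x56};

int main(void)
{
    hook_report a = inspect_prologue(SAMPLE_FUNC, sample_clean, SAVED_LEN);
    hook_report b = inspect_prologue(SAMPLE_FUNC, sample_hooked, SAVED_LEN);
    printf("clean  : hooked=%d diff=%zu\n",
           a.hooked, prologue_diff(sample_clean, sample_clean, SAVED_LEN));
    printf("patched: hooked=%d opcode=%02X target=%08X diff=%zu\n",
           b.hooked, b.opcode, b.target,
           prologue_diff(sample_hooked, sample_clean, SAVED_LEN));
    return 0;
}
```

In a real check the "trusted" bytes come from the module on disk (section bytes mapped at the same RVA) or from a copy taken before untrusted code could run; comparing against the live image alone proves nothing, since that is exactly what the patch modified.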

  6. #6 semar (Private)
    I found it!
    Editable x pos [[[[Wow.exe+0x006DB754]+0x24]+0x740]+0x0] + 34
    ofc ypos = xpos+0x4 and zpos=xpos+0x8
    TeleHack finished

  7. #7 semar (Private)
    Sometimes I had problems with this pointer; it doesn't work in dungeons/BGs and sometimes in Outland, so I found the correct pointer:
    [[[[[Wow.exe+0x008D87A8 ] + 0x34] + 0x24] + 0x770] + 0x0] + 0x28

  8. #8 tobmaps (Active Member)
    You found the correct one, but those offsets have already been publicly available for a few years :S
    X,Y,Z:
    Code:
    (((0xCD87A8) + 0x34) + 0x24) + 0x798
    (((0xCD87A8) + 0x34) + 0x24) + 0x79C
    (((0xCD87A8) + 0x34) + 0x24) + 0x7A0
    Last edited by tobmaps; 08-14-2014 at 09:11 PM.

  9. #9 duanyiemo3 (Member)
    Hi guys. I want to make a program like MultiHack.exe that can port the player anywhere. First I find the player's x, y, z base address and then I try to change the values at that address, but it does not work.
    What else do I need to do next to make it work?
