Originally Posted by
Torpedoes
While we're on this topic, do you guys have any tricks for finding inner offsets?
You can find global offsets using signature scans and you can find Lua Functions and Descriptors by dumping the table. But how about things like unit positions, angles, etc.
Well, pretty much the same way you're finding global offsets. You look where they are used and create a pattern in exactly the same way. If you've got the part of a function which accesses the X, Y and Z of a unit, the structure of the code in that part won't really change even though the data structure itself changes.
You could also go more advanced if you add LeaModifiers (load effective address) in case the function accessing the offset you're looking for is too general and triggers too many hits with the signature scan. In that case just find a significant (in terms of signature) method calling the function and work down from there - basically a signature scan with two layers.
-
-
Originally Posted by
Frosttall
Well, pretty much the same way you're finding global offsets. You look where they are used and create a pattern in exactly the same way. If you've got the part of a function which accesses the X, Y and Z of a unit, the structure of the code in that part won't really change even though the data structure itself changes.
You could also go more advanced if you add LeaModifiers (load effective address) in case the function accessing the offset you're looking for is too general and triggers too many hits with the signature scan. In that case just find a significant (in terms of signature) method calling the function and work down from there - basically a signature scan with two layers.
Spot on, this is the way my team and I do it, so simple and very effective.
-
Originally Posted by
Torpedoes
While we're on this topic, do you guys have any tricks for finding inner offsets?
You can find global offsets using signature scans and you can find Lua Functions and Descriptors by dumping the table. But how about things like unit positions, angles, etc.
I use sub-patterns for that (what Frosttall referred to as "signature scan with two layers").
Code:
{
"CGUnit_C__GetPosition": {
"pat": "55 8b ?? 8b ?? ?? ?? ?? ?? 8d ?? ?? 50 ff ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 5d c2"
},
"CMovementOffset": {
"displ": 2,
"ref": "CGUnit_C__GetPosition",
"size": 4,
"subpat": ".8b 8d"
},
"CMovementPos_Ofs": {
"displ": 2,
"ref": "CGUnit_C__GetPosition",
"size": 1,
"subpat": ".8d"
}
}
So the Unit position would be at [address + CMovementOffset] + CMovementPos_Ofs. With those reads, you get the final "UnitPosXOffset" which is simply the final difference.
This JSON is parsed by my offset finder and applies primary opcode patterns in order to find the desired offset. It also supports string xrefs:
Code:
{
"JumpOrAscendStart_Ofs": {
"string": "JumpOrAscendStart"
},
"Script_JumpOrAscendStart": {
"rebase": 1,
"ref": "JumpOrAscendStart_Ofs+4",
"size": 4
},
"CGUnit_C__OnFlightLocal": {
"displ": 1,
"function": 1,
"ref": "Script_JumpOrAscendStart",
"subpat": ".e8 eb"
}
}
And you can mix opcodes with mnemonics as well, because sometimes a "push" is replaced with another opcode, but the logic of the ASM stays the same.
Code:
{
"CGGameUI__Initialize": {
"string": "Whether taint logging is enabled"
},
"LoadScriptFunctions": {
"ref": "CGGameUI__Initialize",
"subpat": ".e8 e8 push e8",
"displ": 1,
"function": 1
}
}
But I only do this because I had the "fun" idea to add support to all WoW versions from 5.4.8 to 7.0.3. If you are only working with the latest version, simple binary patterns should be enough to handle it all.
Anyways, the whole point is to use one offset to find others. If you are able to support "unlimited layers", that's better and faster! I think I've got some patterns here that have about 7 layers, as they start on CMovement_C__UpdatePlayerMovement and end on movement CMSG packet opcodes.
-
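The two-layer scan described in the posts above, as an added, self-contained example that is not reliasn's offset finder or any code from the thread. It reads a config in the same shape as the posted JSON (pat, ref, subpat, displ, size, function), but the exact semantics given to those keys here are my assumptions: a leading "." marks the anchor token of a sub-pattern, displ and size select the immediate to read relative to that anchor, and function=1 turns a rel32 call displacement into an absolute target. The byte image, the image base and the scan window are constructed for the example; string xrefs, rebase and mnemonic tokens such as "push" are not implemented, since matching mnemonics needs a disassembler. Because this scanner matches raw bytes and cannot see instruction boundaries, the lea sub-pattern is given extra context (".8d ?? ?? 50") so that it cannot hit the 8d byte inside the preceding mov; that is the same "too many hits" problem Frosttall describes, and the primary scan refuses to resolve a pattern that is not unique.

```python
"""Two-layer signature scanner: resolve a primary pattern, then read
immediates out of sub-patterns found inside the matched function."""
import json

IMAGE_BASE = 0x400000   # assumed load address of the constructed image
SCAN_WINDOW = 0x200     # assumed: sub-patterns are searched this far past ref

# Constructed x86 bytes (not real game code): a function shaped like the
# posted CGUnit_C__GetPosition pattern, followed by a stub it calls.
IMAGE = bytes.fromhex("".join([
    "9090",          # 0x00 padding
    "558bec",        # 0x02 push ebp / mov ebp, esp
    "8b8d10010000",  # 0x05 mov ecx, [ebp+0x110]   (disp32 = CMovementOffset)
    "8d4108",        # 0x0b lea eax, [ecx+0x8]     (disp8 = CMovementPos_Ofs)
    "50",            # 0x0e push eax
    "ff5204",        # 0x0f call [edx+4]
    "e819000000",    # 0x12 call +0x19 -> 0x30
    "8b4508",        # 0x17 mov eax, [ebp+8]
    "5d",            # 0x1a pop ebp
    "c20800",        # 0x1b ret 8
    "90" * 0x12,     # 0x1e padding up to 0x30
    "558bec5dc3",    # 0x30 callee stub
]))

# Config in the shape of the posted JSON (constructed values).
CONFIG = json.loads("""
{
  "CGUnit_C__GetPosition": {
    "pat": "55 8b ?? 8b ?? ?? ?? ?? ?? 8d ?? ?? 50 ff ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 5d c2"
  },
  "CMovementOffset":  {"ref": "CGUnit_C__GetPosition", "subpat": ".8b 8d",       "displ": 2, "size": 4},
  "CMovementPos_Ofs": {"ref": "CGUnit_C__GetPosition", "subpat": ".8d ?? ?? 50", "displ": 2, "size": 1},
  "GetPosition_Callee": {"ref": "CGUnit_C__GetPosition", "subpat": ".e8", "displ": 1, "size": 4, "function": 1}
}
""")


def parse_pattern(text):
    """'55 8b ?? .c2' -> (tokens, anchor). Tokens are ints or None (wildcard);
    anchor is the index of the token prefixed with '.' (0 if none)."""
    tokens, anchor = [], 0
    for i, tok in enumerate(text.split()):
        if tok.startswith("."):
            anchor, tok = i, tok[1:]
        tokens.append(None if tok == "??" else int(tok, 16))
    return tokens, anchor


def find_all(data, tokens, start=0, end=None):
    """Every offset in data[start:end] where the wildcard pattern matches."""
    end = len(data) if end is None else min(end, len(data))
    n = len(tokens)
    return [pos for pos in range(start, end - n + 1)
            if all(t is None or data[pos + k] == t for k, t in enumerate(tokens))]


def resolve_offsets(config=CONFIG, image=IMAGE, base=IMAGE_BASE):
    """Resolve every entry; entries with 'ref' are resolved after their parent."""
    results = {}

    def resolve(name):
        if name in results:
            return results[name]
        entry = config[name]
        if "pat" in entry:                       # layer 1: absolute address
            tokens, _ = parse_pattern(entry["pat"])
            hits = find_all(image, tokens)
            if len(hits) != 1:                   # ambiguous pattern: refuse, don't guess
                raise ValueError(f"{name}: {len(hits)} hits, refine the pattern")
            value = base + hits[0]
        else:                                    # layer 2+: relative to a parent
            ref_rva = resolve(entry["ref"]) - base
            tokens, anchor = parse_pattern(entry["subpat"])
            hits = find_all(image, tokens, ref_rva, ref_rva + SCAN_WINDOW)
            if not hits:
                raise ValueError(f"{name}: sub-pattern not found near {entry['ref']}")
            anchor_rva = hits[0] + anchor
            displ, size = entry.get("displ", 0), entry.get("size", 4)
            raw = image[anchor_rva + displ: anchor_rva + displ + size]
            is_call = entry.get("function") == 1
            value = int.from_bytes(raw, "little", signed=is_call)
            if is_call:                          # rel32: target = next insn + displacement
                value = base + anchor_rva + displ + size + value
        results[name] = value
        return value

    for name in config:
        resolve(name)
    return results


if __name__ == "__main__":
    for k, v in resolve_offsets().items():
        print(f"{k:22s} 0x{v:x}")
```

Running it resolves CGUnit_C__GetPosition to IMAGE_BASE+0x2, CMovementOffset to 0x110, CMovementPos_Ofs to 0x8 and the callee to IMAGE_BASE+0x30, so the unit position in this constructed layout is [unit + 0x110] + 0x8, exactly the "[address + CMovementOffset] + CMovementPos_Ofs" composition from the post. Deeper chains ("unlimited layers") fall out of the same recursion, since any resolved entry can serve as the ref of another.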