[WoW] [7.0.3.22293] Release Info Dump Thread

[hunterz2000]

(rebased) 32bit CTM OFFSETS:
PUSH(ACTION) = 0xDDE8AC
CTM_Y = PUSH + 0x28
CTM_Z = CTM_Y + 0x4
CTM_X = CTM_Z + 0x4

[reliasn]

(rebased) 32bit CTM OFFSETS:
PUSH(ACTION) = 0xDDE8AC
CTM_Y = PUSH + 0x28
CTM_Z = CTM_Y + 0x4
CTM_X = CTM_Z + 0x4

PUSH = s_trackingType
CTM_X = s_trackingPos

Code:

s_trackingDistThreshold = 0xDDE8E4,
s_trackingPos = 0xDDE8D4,
s_trackingTarget = 0xDDE8B0,
s_trackingTurnSpeed = 0xDDE8EC,
s_trackingType = 0xDDE8AC

These names are used in the leaked Mac build 18179. Use whichever name you feel most comfortable with, but do keep in mind that any s_tracking* offset is related to Click to Move.

[hesa2020]

Hey guys im a software engineer, ive never really did reverse engineering but i would really like to start creating bot system.
So far ive been able to do some basic stuff like reading player name, level, etc.. ( yes i know really easy )
And ... i was wondering how do you find all these offsets so quickly ?
I mean ive tried to grab some offsets using cheat engine but it took me hours to find the right offset for player name.
What do you guys use, is there any tricks?

[-Ryuk-]

Hey guys im a software engineer, ive never really did reverse engineering but i would really like to start creating bot system.
So far ive been able to do some basic stuff like reading player name, level, etc.. ( yes i know really easy )
And ... i was wondering how do you find all these offsets so quickly ?
I mean ive tried to grab some offsets using cheat engine but it took me hours to find the right offset for player name.
What do you guys use, is there any tricks?

Ida, reverse engineering experience, custom IDA scripts, patterns

[Filint]

Ida, reverse engineering experience, custom IDA scripts, patterns

And Zynamics Bindiff once you've "found the offsets" the first time will speed up finding them when a new patch comes out.

All this stuff only scratches the surface of real reverse engineering. For a good general intro to reverse engineering there are 3 good books, here's some links (they're all "available" on the internet if you know what I mean):
Practical Malware Analysis
(My favorite): Practical Reverse Engineering
secrets of reverse engineering

[Zazazu]

Any got SpellCooldown entry offset for x86? Try find in CE by SpellId -- but did not succeed. Any help with find offset?

[shauren]

Thanks, actually made a mistakes, it says "Vehicule" for Unit, not transport.
Which is 8 (@MaiN, same then), just my Enum weren't updated, I miss WorldTransaction,

By the way, what I call GuidSubType is this:

Code:

        public GuidType GetWoWType
        {
            get { return (GuidType) (_hi >> 58); }
            set { _hi |= (ulong) value << 58; }
        }

        public GuidSubType GetWoWSubType
        {
            get { return (GuidSubType) (_lo >> 56); }
            set { _lo |= (ulong) value << 56; }
        }

It usually returns 64 for WoWItem type. Am I wrong somewhere about this ?

The only subtypes that I have been able to find out are defined here for Cast (blizz calls it cast source for this type) https://github.com/TrinityCore/Trini...s/Spell.h#L112
SPELL_CAST_SOURCE_PLAYER is the type used in CMSG_CAST_* opcodes, other types are generated serverside and seen in various packets
I have not seen any other use of subtype in the client except in ToString guid functions (which just prints it obviously giving no context on what it might be for)

[iceblockman]

spell cooldown

0xD362B8

[Zazazu]

spell cooldown

0xD362B8

Correct me if i wrong:
0xD362B8 + 0x4 = pointer to last used spell (if pointer [0xD362B8 + 0x4] = 0xD362B8 + 0x4 then spell list is empty, if spell.Next == 0xD362B8 + 0x4 -- its last CD spell in list)
0xD362B8 + 0x8 = pointer to last spell triggered GCD

SpellCooldownEntry struct now like:

Code:

    public struct SpellCooldownEntry
    {
        IntPtr Next;
        IntPtr Prev;
        uint SpellId;
        uint ItemId;
        uint StartTime;
        uint SpellOrItemCooldownDuration;
        uint SpellCategoryId;
        uint CategoryCooldownStartTime;
        uint CategoryCooldownDuration;
        byte pad0; //byte HasCooldown;
        byte pad1;
        byte pad2;
        byte pad3;
        uint GCDStartTime;
        uint StartRecoveryCategoryId;
        uint GCDDuration;
    }

Result:

Code:

Spell		3E744C38		SpellID: 20271 ItemID: 0 [11483380 / 6000]	GCD: 11483380 0			Next: 3E745AA8	Prev: 1ED62BD
GCD		3E745AA8		SpellID: 20271 ItemID: 0 [11483380 / 0]		GCD: 11483380 1500		Next: 3E744DF0	Prev: 3E744C38
Spell		3E744DF0		SpellID: 31935 ItemID: 0 [11481733 / 15000]	GCD: 11481733 0			Next: 3E7449D0	Prev: 3E745AA8
GCD		3E7449D0		SpellID: 31935 ItemID: 0 [11481733 / 0]		GCD: 11481733 1500		Next: 1ED62BC 	Prev: 3E744DF0

1ED62BC = Wow.exe + 0xD362B8+0x4

[KanotoInROK]

hm.. i think 'CGChat__m_currentChatIndex' is '0xEB0BF0' in x86

[drizz]

I've uploaded my i64 where I've i spent too much time identifying lua functions.

It is available here, should you want it.