-
Member
(rebased) 32bit CTM OFFSETS:
PUSH(ACTION) = 0xDDE8AC
CTM_Y = PUSH + 0x28
CTM_Z = CTM_Y + 0x4
CTM_X = CTM_Z + 0x4
-
Originally Posted by
hunterz2000
(rebased) 32bit CTM OFFSETS:
PUSH(ACTION) = 0xDDE8AC
CTM_Y = PUSH + 0x28
CTM_Z = CTM_Y + 0x4
CTM_X = CTM_Z + 0x4
PUSH = s_trackingType
CTM_X = s_trackingPos
Code:
s_trackingDistThreshold = 0xDDE8E4,
s_trackingPos = 0xDDE8D4,
s_trackingTarget = 0xDDE8B0,
s_trackingTurnSpeed = 0xDDE8EC,
s_trackingType = 0xDDE8AC
These names are used in the leaked Mac build 18179. Use whichever name you feel most comfortable with, but do keep in mind that any s_tracking* offset is related to Click to Move.
-
Post Thanks / Like - 1 Thanks
KanotoInROK (1 member gave Thanks to reliasn for this useful post)
-
Member
Hey guys, I'm a software engineer. I've never really done reverse engineering, but I would really like to start creating a bot system.
So far I've been able to do some basic stuff like reading player name, level, etc. (yes, I know, really easy).
And... I was wondering, how do you find all these offsets so quickly?
I mean, I've tried to grab some offsets using Cheat Engine, but it took me hours to find the right offset for the player name.
What do you guys use? Are there any tricks?
-
Originally Posted by
hesa2020
Hey guys, I'm a software engineer. I've never really done reverse engineering, but I would really like to start creating a bot system.
So far I've been able to do some basic stuff like reading player name, level, etc. (yes, I know, really easy).
And... I was wondering, how do you find all these offsets so quickly?
I mean, I've tried to grab some offsets using Cheat Engine, but it took me hours to find the right offset for the player name.
What do you guys use? Are there any tricks?
IDA, reverse engineering experience, custom IDA scripts, patterns
|Leacher:11/2009|Donor:02/2010|Established Member:09/2010|Contributor:09/2010|Elite:08/2013|
-
Post Thanks / Like - 1 Thanks
KanotoInROK (1 member gave Thanks to -Ryuk- for this useful post)
-
Originally Posted by
-Ryuk-
IDA, reverse engineering experience, custom IDA scripts, patterns
And Zynamics Bindiff once you've "found the offsets" the first time will speed up finding them when a new patch comes out.
All this stuff only scratches the surface of real reverse engineering. For a good general intro to reverse engineering there are 3 good books, here's some links (they're all "available" on the internet if you know what I mean):
Practical Malware Analysis
(My favorite): Practical Reverse Engineering
Secrets of Reverse Engineering
-
Post Thanks / Like - 1 Thanks
KanotoInROK (1 member gave Thanks to Filint for this useful post)
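The "patterns" mentioned in the two replies above are byte signatures: instead of re-finding an address by hand after every patch, you scan the new binary for the instruction bytes around the reference (wildcarding the operand) and read the address out of the hit. The following is an added example written for this thread, not code from any of the posters: an IDA-style pattern scanner over a constructed x86 image. The image, the pattern, the planted `mov eax, [imm32]` instruction and the assumed preferred base 0x400000 are all made up for the demo; the real instruction that references s_trackingType is not on this page, only its rebased value 0xDDE8AC, which is what the demo recovers.

```python
import re
import struct

# Constructed demo image (NOT bytes from Wow.exe): 0x100 NOPs with a single
# 'mov eax, [0x011DE8AC]; test eax, eax; jz +5' sequence planted at offset 0x80.
# 0x011DE8AC is the assumed absolute address; rebased against the assumed
# preferred base 0x400000 it yields the thread's 0xDDE8AC.
IMAGE_BASE = 0x400000
_img = bytearray(b"\x90" * 0x100)
_img[0x80:0x89] = bytes.fromhex("A1ACE81D0185C07405")
SAMPLE_IMAGE = bytes(_img)


def compile_pattern(text):
    """Turn an IDA-style pattern such as 'A1 ?? ?? ?? ?? 85 C0' into a bytes regex.
    '?' or '??' matches any one byte. The lookahead makes finditer report
    overlapping hits too, so a uniqueness check cannot be fooled."""
    parts = []
    for tok in text.split():
        if tok in ("?", "??"):
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def find_all(image, pattern):
    """Every offset in image where pattern matches."""
    return [m.start() for m in compile_pattern(pattern).finditer(image)]


def find_unique_offset(image, pattern, operand_offset, image_base=IMAGE_BASE):
    """Require exactly one hit, read the 32-bit absolute address operand at
    hit + operand_offset and return it rebased (va - image_base), the form the
    'rebased' offsets in this thread use. A pattern that is absent or ambiguous
    is an error: silently taking the first hit is how bots break after a patch."""
    hits = find_all(image, pattern)
    if len(hits) != 1:
        raise ValueError(f"pattern {pattern!r} matched {len(hits)} times; must be unique")
    (va,) = struct.unpack_from("<I", image, hits[0] + operand_offset)
    return va - image_base


if __name__ == "__main__":
    # 'mov eax, moffs32' is A1 + imm32, so the operand starts 1 byte into the hit.
    print(hex(find_unique_offset(SAMPLE_IMAGE, "A1 ?? ?? ?? ?? 85 C0 74", 1)))
```

The pattern should cover enough instruction bytes around the operand to be unique in the whole code section, and the scan should run over the module as it is mapped in the target process, not over a file on disk, so that relocations have already been applied.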
-
Contributor
Anyone got the SpellCooldown entry offset for x86? I tried to find it in CE by SpellId but did not succeed. Any help with finding the offset?
-
Established Member
Originally Posted by
VesperCore
Thanks, actually I made a mistake, it says "Vehicle" for Unit, not Transport.
Which is 8 (@MaiN, same then), just my enum wasn't updated, I missed WorldTransaction.
By the way, what I call GuidSubType is this:
Code:
// Type lives in the top 6 bits of the high qword, subtype in the top byte of the low qword.
public GuidType GetWoWType
{
    get { return (GuidType) (_hi >> 58); }
    // clear the field before writing it; a plain |= would merge an old value with the new one
    set { _hi = (_hi & ~(0x3FUL << 58)) | ((ulong) value << 58); }
}
public GuidSubType GetWoWSubType
{
    get { return (GuidSubType) (_lo >> 56); }
    set { _lo = (_lo & ~(0xFFUL << 56)) | ((ulong) value << 56); }
}
It usually returns 64 for WoWItem type. Am I wrong somewhere about this ?
The only subtypes that I have been able to find out are defined here for Cast (blizz calls it cast source for this type) https://github.com/TrinityCore/Trini...s/Spell.h#L112
SPELL_CAST_SOURCE_PLAYER is the type used in CMSG_CAST_* opcodes, other types are generated serverside and seen in various packets
I have not seen any other use of the subtype in the client except in the ToString guid functions (which just print it, obviously giving no context on what it might be for).
-
Contributor
Originally Posted by
iceblockman
spell cooldown
0xD362B8
Correct me if I'm wrong:
0xD362B8 + 0x4 = pointer to the last used spell (if [0xD362B8 + 0x4] == 0xD362B8 + 0x4 the spell list is empty; if spell.Next == 0xD362B8 + 0x4 it is the last CD spell in the list)
0xD362B8 + 0x8 = pointer to the last spell that triggered the GCD
The SpellCooldownEntry struct now looks like:
Code:
using System;
using System.Runtime.InteropServices;

// One node of the circular doubly-linked cooldown list (x86: IntPtr is 4 bytes, sizeof == 0x34).
// The list head is at Wow.exe + 0xD362B8 + 0x4; an entry whose Next equals the head is the last one.
[StructLayout(LayoutKind.Sequential)]
public struct SpellCooldownEntry
{
    public IntPtr Next;                        // 0x00
    public IntPtr Prev;                        // 0x04
    public uint SpellId;                       // 0x08
    public uint ItemId;                        // 0x0C
    public uint StartTime;                     // 0x10: start of the spell/item cooldown
    public uint SpellOrItemCooldownDuration;   // 0x14
    public uint SpellCategoryId;               // 0x18
    public uint CategoryCooldownStartTime;     // 0x1C
    public uint CategoryCooldownDuration;      // 0x20
    public byte pad0;                          // 0x24: possibly HasCooldown
    public byte pad1;
    public byte pad2;
    public byte pad3;
    public uint GCDStartTime;                  // 0x28
    public uint StartRecoveryCategoryId;       // 0x2C
    public uint GCDDuration;                   // 0x30
}
Result:
Code:
Spell 3E744C38 SpellID: 20271 ItemID: 0 [11483380 / 6000] GCD: 11483380 0 Next: 3E745AA8 Prev: 1ED62BD
GCD 3E745AA8 SpellID: 20271 ItemID: 0 [11483380 / 0] GCD: 11483380 1500 Next: 3E744DF0 Prev: 3E744C38
Spell 3E744DF0 SpellID: 31935 ItemID: 0 [11481733 / 15000] GCD: 11481733 0 Next: 3E7449D0 Prev: 3E745AA8
GCD 3E7449D0 SpellID: 31935 ItemID: 0 [11481733 / 0] GCD: 11481733 1500 Next: 1ED62BC Prev: 3E744DF0
1ED62BC = Wow.exe + 0xD362B8+0x4
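To make the list layout described in that post concrete, here is an added example (Python, written for this thread, not code from any poster) that walks the cooldown list exactly as described: the sentinel node at base + 0xD362B8 + 0x4 whose first dword points at the first entry, entries chained through Next until one points back at the sentinel, and an empty list when the sentinel points at itself. It parses each node with the x86 field layout of the struct above, computes the remaining time per entry, and refuses to spin on a corrupt or torn list. The `Memory` class is a stand-in for ReadProcessMemory, and the memory image is constructed from the four entries in the printout above (the addresses are the printed ones, the sentinel is 0x1ED62BC); the timestamps are taken as milliseconds on the same clock as the durations, which is an assumption.

```python
import struct
from dataclasses import dataclass

# Field order of the x86 SpellCooldownEntry in the post; IntPtr is 4 bytes on x86
# and the 4 pad bytes after CategoryCooldownDuration are skipped with '4x'.
ENTRY_FMT = "<IIIIIIIII4xIII"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)      # 0x34


class Memory:
    """Minimal stand-in for ReadProcessMemory: chunks of bytes at chosen addresses."""
    def __init__(self):
        self._chunks = {}

    def write(self, addr, data):
        self._chunks[addr] = bytes(data)

    def read(self, addr, size):
        for base, data in self._chunks.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError(f"unmapped read of {size} bytes at {addr:#x}")

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]


@dataclass
class SpellCooldownEntry:
    addr: int
    next: int
    prev: int
    spell_id: int
    item_id: int
    start_time: int
    duration: int
    category_id: int
    category_start: int
    category_duration: int
    gcd_start: int
    start_recovery_category_id: int
    gcd_duration: int

    @classmethod
    def parse(cls, mem, addr):
        return cls(addr, *struct.unpack(ENTRY_FMT, mem.read(addr, ENTRY_SIZE)))

    def remaining(self, now):
        """ms left on the longest of the spell, category and GCD timers (0 if all expired)."""
        ends = (self.start_time + self.duration,
                self.category_start + self.category_duration,
                self.gcd_start + self.gcd_duration)
        return max(0, max(ends) - now)


def walk_cooldowns(mem, list_head, max_entries=4096):
    """Walk the circular list whose sentinel is at list_head (Wow.exe + 0xD362B8 + 0x4).
    [list_head] is the first entry, an entry whose Next == list_head is the last,
    and [list_head] == list_head means the list is empty. Back-links are checked and
    revisits are rejected so a torn or corrupt list cannot hang the caller."""
    entries, seen, expected_prev = [], set(), list_head
    cur = mem.read_u32(list_head)
    while cur != list_head:
        if cur in seen or len(entries) >= max_entries:
            raise RuntimeError(f"cooldown list loops at {cur:#x}")
        seen.add(cur)
        e = SpellCooldownEntry.parse(mem, cur)
        if e.prev != expected_prev:
            raise RuntimeError(f"broken back-link at {cur:#x}: Prev={e.prev:#x}")
        entries.append(e)
        expected_prev, cur = cur, e.next
    return entries


def cooldown_remaining(mem, list_head, spell_id, now):
    """ms until spell_id is castable again, 0 if it is not on cooldown at all."""
    return max((e.remaining(now) for e in walk_cooldowns(mem, list_head)
                if e.spell_id == spell_id), default=0)


def build_sample_memory():
    """Constructed image reproducing the four nodes in the printout above
    (one spell node plus one GCD node per cast); addresses are the printed ones."""
    sentinel = 0x1ED62BC
    rows = [  # addr,      Next,       Prev,       SpellId, StartTime, Duration, GCDDuration
        (0x3E744C38, 0x3E745AA8, sentinel,   20271, 11483380, 6000,  0),
        (0x3E745AA8, 0x3E744DF0, 0x3E744C38, 20271, 11483380, 0,     1500),
        (0x3E744DF0, 0x3E7449D0, 0x3E745AA8, 31935, 11481733, 15000, 0),
        (0x3E7449D0, sentinel,   0x3E744DF0, 31935, 11481733, 0,     1500),
    ]
    mem = Memory()
    for addr, nxt, prv, spell, start, dur, gcd in rows:
        mem.write(addr, struct.pack(ENTRY_FMT, nxt, prv, spell, 0, start, dur,
                                    0, 0, 0, start, 0, gcd))
    # sentinel: +0 -> first entry, +4 -> last entry (the post's 0xD362B8 + 0x8)
    mem.write(sentinel, struct.pack("<II", rows[0][0], rows[-1][0]))
    return mem, sentinel


if __name__ == "__main__":
    mem, head = build_sample_memory()
    for e in walk_cooldowns(mem, head):
        print(f"{e.addr:08X} spell {e.spell_id} remaining {e.remaining(11485380)} ms")
```

Reading a live list this way races the client, which can unlink a node between your read of the sentinel and your read of the node; the back-link and revisit checks turn that into an exception to retry on rather than an endless loop or garbage cooldown values.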
-
Member
Hmm, I think 'CGChat__m_currentChatIndex' is 0xEB0BF0 in x86.
-
Member
I've uploaded my i64, in which I spent too much time identifying Lua functions.
It is available here, should you want it.