[PROBLEM] GetMinimapZoneText - Struggle With Getting The Address

**Fruschel** · 09-12-2016

Hello guys.

I've some problems and I ask you guys for helping me out.

I've read the tutorial "[Tutorial] How to find simple stuff" and followed his instructions but I'm not able to get my currently minimap zone text, here is the in my opinion most important part:

Code:

.text:005155D0 sub_5155D0      proc near               ; DATA XREF: .data:00AC838Co
.text:005155D0
.text:005155D0 arg_0           = dword ptr  8
.text:005155D0
.text:005155D0                 push    ebp
.text:005155D1                 mov     ebp, esp
.text:005155D3                 mov     eax, dword_BD0784
.text:005155D8                 test    eax, eax
.text:005155DA                 jnz     short loc_5155E1
.text:005155DC                 mov     eax, offset byte_9E14FF
.text:005155E1
.text:005155E1 loc_5155E1:                             ; CODE XREF: sub_5155D0+Aj
.text:005155E1                 push    eax
.text:005155E2                 mov     eax, [ebp+arg_0]
.text:005155E5                 push    eax
.text:005155E6                 call    sub_84E350
.text:005155EB                 add     esp, 8
.text:005155EE                 mov     eax, 1
.text:005155F3                 pop     ebp
.text:005155F4                 retn
.text:005155F4 sub_5155D0      endp

I think that (".text:005155DC mov eax, offset byte_9E14FF") 0x9E14FF is the address of the zone text, because it is a char *, so after that I opened up Cheat Engine and clicked on "Add Address Manually" and entered the following address: Wow.exe + 0x5E14FF - Type: Text - Length: 30, but nothing returned, although I was logged in WoW and stand in Stormwind.

What is the address I'm looking for?

So I hope you can help me guys! (By the way I don't have the pseudocode plugin)

Greetings

**Jadd** · 09-13-2016

Looks like you're not correctly following where eax is set before it's pushed to sub_84E350. Off the top of my head, this function would something look like this:

Code:

int sub_5155D0(void *a1) {
  char *some_text = *dword_BD0784;
  if (some_text == nullptr)
    some_text = byte_9E14FF;
  
  sub_84E350(a1, some_text);
  return 1;
}

Meaning dword_BD0784 points to the text value you're looking for, and if it points to nothing, use byte_9E14FF instead (probably just a null terminator, in other words "".)

**Fruschel** · 09-13-2016

Thank you Jadd.

This morning I got this solution too!

Problem:
My program read from the address "0x5E14FF" which was wrong, like Jadd called it.

Solution:
With using the address "0x7D0784" (0xBD0784 - 0x400000) my programm could read in which zone I am.

Here is the function with "GetMinimapZoneText", "GetSubZoneText" and "GetRealZoneText":

Code:

static public string[] GetLocation()
        {
            try
            {
                BlackMagic bmWoW = new BlackMagic();
                bmWoW.OpenProcessAndThread(SProcess.GetProcessFromWindowTitle("World of Warcraft"));
                IntPtr baseWoW = bmWoW.MainModule.BaseAddress;
                string[] strInformation = new string[3];
                // GetMinimapZoneText
                strInformation[0] = bmWoW.ReadASCIIString(bmWoW.ReadUInt((uint)baseWoW + 0x7D0784, false), 30);
                // GetSubZoneText
                strInformation[1] = bmWoW.ReadASCIIString(bmWoW.ReadUInt((uint)baseWoW + 0x7D0780, false), 30);
                // GetRealZoneText
                strInformation[2] = bmWoW.ReadASCIIString(bmWoW.ReadUInt((uint)baseWoW + 0x7D0788, false), 30);
                return strInformation;
            }
            catch (Exception ex)
            {
                string[] strException = new string[1];
                strException[0] = ex.ToString();
                return strException;
            }
        }

Now I got another question:
I'm trying to get the name of my player, I tried everything and nothing works. Do you got any solutions, tips etc.?

In IDA I generated a list of strings and searched for something like "UnitNameOwn" but that was not what I'm looking for...

So do you got some tips / tutorials which are relating to my problem?

Greetings,
Fruschel.

**Corthezz** · 09-14-2016

Originally Posted by Fruschel

Thank you Jadd.

[...]

Greetings,
Fruschel.

Hey Fruschel,

thanks for sharing your final solution! WoW Lua API functions arent renamed. Thus you can bring up the function window of IDA and search for a method which deals with your toons name. For example you can take a look at this one: API UnitName - WoWWiki - Wikia

I guess it will be a bit harder to reverse than the minimap function (have no idea how this function actually looks right now) but I think you should be able to manage it.
Just rename local variables, functions and everything else step by step to logical names and it will make sense.

A few starting points:
First and only parameter of Lua API functions is the stack pointer. Every function that deals with Lua will have this pointer as first argument. To retrieve the API function parameter ("unit", "player" etc.) it will call a function with the stack pointer as first and the argument index as second parameter.
Follow the branch that deals with the "player" parameter and you should be nearly there (info is based on 1.12.1 client).

Maybe I am overcomplicating stuff here and maybe you can just read the name somewhere out of the player object or the name cache but reversing Lua functions is an awesome starting point to get into the game

**Zazazu** · 09-14-2016

Originally Posted by Fruschel

Thank you Jadd.
Now I got another question:
I'm trying to get the name of my player, I tried everything and nothing works. Do you got any solutions, tips etc.?

In IDA I generated a list of strings and searched for something like "UnitNameOwn" but that was not what I'm looking for...

So do you got some tips / tutorials which are relating to my problem?

Greetings,
Fruschel.

For active player:

Code:

Wow.exe + 0xF3B088

For npc and other players need use another algorithm.

**Fruschel** · 09-14-2016

First I must say really big thanks to all of you guys!

So, firstly @Corthezz:
Jea, I'm very interested in hacking and "changing" the programm code for my benefits and working with LUA would be a nice idea for going on, but I don't have a clue how I using the WoW-LUA-Functions in my C# code.

Something like:

Code:

LUAObject wowLuaObject = new LUAObject("world-of-warcraft.lua");
string strName = wowLuaObject.CallFunction("UnitName", "player").ToString();;
MessageBox.Show("Your player name is: " + strName);

(This is just an example showing how I'm imagine working with LUA in C#)

My next goal is to get the name of my character and after that I want try to create a function which moves my character from position 1 (before-x, before-y, before-z) to position 2 (target-x, target-y, target-z).

So my final questions are:
1. How am I able to use the World Of Warcraft (Version: 3.3.5a - Wrath Of The Lich King) LUA functions in C#?
Is there any tutorial / guide / how to?
1.1. And is there also a guide how to use this functions, like attaching to WoW.exe and call "UnitName" from my source code?
---

@Zazazu:
Thanks, but I'm worried using this address in Wrath Of The Lichking will work and how am I using this? I'd open up Cheat Engine and click on "Add Address Manually" and type in "WoW.exe + F3B088" but I guess this is not how it works.

Greetings,
Fruschel.

**Zazazu** · 09-14-2016

Originally Posted by Fruschel

Something like:

Code:

LUAObject wowLuaObject = new LUAObject("world-of-warcraft.lua");
string strName = wowLuaObject.CallFunction("UnitName", "player").ToString();;
MessageBox.Show("Your player name is: " + strName);

(This is just an example showing how I'm imagine working with LUA in C#)

If i understund y need inject code in WoW function Framescript_ExecuteBuffer (DoLua()) and FrameScript_GetText or FrameScript_GetLocalizedText (GetResultText())
Call like:

Code:

DoLua("time = GetTime()");
var currentTime = GetResultText("time");

its equial

Code:

/run time = GetTime() print(time)

in WoW.

Originally Posted by Fruschel

@Zazazu:
Thanks, but I'm worried using this address in Wrath Of The Lichking will work and how am I using this? I'd open up Cheat Engine and click on "Add Address Manually" and type in "WoW.exe + F3B088" but I guess this is not how it works.

Sorry... My mistake, not see what version WoW u use )

**Fruschel** · 09-14-2016

I didn't mentioned it either, my fault.

**Corthezz** · 09-14-2016

You need to inject your app/dll into WoW to call those functions or write the asm bytecode to execute the function to WoW's memory and then let it get executed by WoW.
iHook from Ryuk is a good starting point for understanding how to inject asm byte code etc. Also I released a whole bot source a wile ago which might also help (the source is ugly tho).

Zazazu is right on this one. You can use something along DoString to execute Lua but my intention was that you look at what the function does and replicate it (like you did with the the minimap function).
It might be easier and faster if you just get DoString working and than proceed by just executing Lua API functions but actually really understanding what they do and replicating them is a great starting point for reversing which you shouldnt miss out.

**Fruschel** · 09-14-2016

Well, I'm looking now for tutorials which can help me to use LUA in C# - do you have any suggestions? Maybe there's a YouTuber or a guy here in Ownedcore which did wrote some kind of tutorial I'm lookin for.

But that's a bit hard work, so just for notice:
I must write an injector, which injects a dll (that I obviously wrote) from my main c# code.

This sounds very hard.

I try giving my best and when I got problems I'll let you know.

Greetings, Fru.

Edit:
Okay so far I looked up various threads in Ownedcore and Blizzhackers dealing with using LUA-functions in C# for World of Warcraft but I don't know how to realize this...

Is there anybody who have Skype or something like that, so I can talk to someone, that would be very very nice.

Greetings, Fru.