-
2.4.3: cast ground target AoE spell to specific spots / interact with dynamic objects
Hello everyone,
I'm trying to reverse-engineer the Burning Crusade client mouse handling code. The two problems I'm trying to solve specifically are:
1) casting "ground target" AoE spells programmatically (e.g. Blizzard) to a specific spot. The approaches that have crossed my mind are
a) calling CastSpellByName(), and then synthesizing a mouse click from WINAPI, after which I hook the function that inputs the coordinates after the perspective un-transform etc. (I have found the address for this) and fill them in with my own values - (not really feasible, since I'm dealing with a multibox scenario here).
b) skipping mouse input altogether and trying to find the top-level function that immediately follows from the mouse click (hooking the win32 event loop was a dead-end, as far as I could tell)
c) socket/packet injection
2) clicking dynamic objects, such as mage tables, summoning portals or Manticron Cubes in Magtheridon's Lair - click-to-move kinda works, but only from a very specific angle and distance, so not reliable.
Would anyone have any insight on these topics, or general advice/RE techniques for researching this stuff? Any version will do.
Thanx,
-Elip
-
Some input:
If I remember right, bots which triggered CTM by just mem writes had a problem if you didn't do a legit CTM before, because some values weren't initialized. If you can, you should try to call the internal CTM function of WoW.
There is also an internal function for casting AoEs which takes the spell ID and a struct with the X, Y, Z coordinates (at work right now and guessing, so I might be wrong).
Some easy steps to get you going finding the function yourself:
1. Activate the AoE selection circle with a spell.
2. Scan for unknown initial value.
3. Do random stuff which doesn't change the state of the circle.
4. Scan for unchanged values a few times.
5. Cancel AoE.
6. Scan for changed.
7. Do random stuff.
8. Scan for unchanged a few times.
9. Rinse and repeat.
Same can be done with the spell ID used to trigger the AoE circle.
After some time you should find two memory addresses which hold the AoE circle state as well as the AoE spell ID which is about to be cast when you select the spot with the circle.
Check xrefs to those addresses and write down possible functions.
Tinker around. NOP out some instructions and see if shit is still working etc.
That's at least how I found it on 1.12.1.
Check my blog: https://zzuks.blogspot.com
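The changed/unchanged narrowing procedure above is the same candidate-filtering logic a memory scanner such as Cheat Engine runs. The following Python is an added illustration of that logic and is not code from the thread or from any WoW client; it operates on constructed 64-byte snapshots (a hypothetical circle-state word at offset 0x20, a tick counter at 0x08 and a camera-yaw word at 0x30, all made up) rather than on an attached process, so it only shows how the candidate set shrinks step by step.

```python
"""Differential memory-scan narrowing (the "scan unknown / unchanged / changed"
steps from the post above), run over constructed snapshots instead of a live process."""
import struct
from typing import Dict, List, Set

WORD = 4  # scan granularity: 4-byte aligned little-endian uint32 values


def read_words(snapshot: bytes) -> Dict[int, int]:
    """Map every 4-byte-aligned offset in the snapshot to its uint32 value."""
    return {off: struct.unpack_from("<I", snapshot, off)[0]
            for off in range(0, len(snapshot) - WORD + 1, WORD)}


def scan_unknown_initial(snapshot: bytes) -> Set[int]:
    """'Scan for unknown initial value': every address starts as a candidate."""
    return set(read_words(snapshot))


def filter_unchanged(candidates: Set[int], prev: bytes, cur: bytes) -> Set[int]:
    """Keep only candidates whose value is identical in both snapshots."""
    p, c = read_words(prev), read_words(cur)
    return {a for a in candidates if p[a] == c[a]}


def filter_changed(candidates: Set[int], prev: bytes, cur: bytes) -> Set[int]:
    """Keep only candidates whose value differs between the snapshots."""
    p, c = read_words(prev), read_words(cur)
    return {a for a in candidates if p[a] != c[a]}


def narrow(snapshots: List[bytes], steps: List[str]) -> Set[int]:
    """Apply the post's sequence: steps[i] ('changed' or 'unchanged') compares
    snapshots[i] with snapshots[i + 1]. Returns the surviving candidate offsets."""
    candidates = scan_unknown_initial(snapshots[0])
    for i, step in enumerate(steps):
        prev, cur = snapshots[i], snapshots[i + 1]
        if step == "unchanged":
            candidates = filter_unchanged(candidates, prev, cur)
        elif step == "changed":
            candidates = filter_changed(candidates, prev, cur)
        else:
            raise ValueError(f"unknown step {step!r}")
    return candidates


# Constructed 64-byte region standing in for a memory dump; these offsets are
# invented for the demonstration and are not real client addresses.
STATE_OFFSET = 0x20  # hypothetical AoE circle "active" flag
TIMER_OFFSET = 0x08  # hypothetical tick counter: changes every snapshot
YAW_OFFSET = 0x30    # hypothetical camera yaw: changes only when the camera moves


def make_snapshot(circle_state: int, tick: int, yaw: int) -> bytes:
    words = [0xDEADBEEF + i for i in range(16)]  # filler words that never change
    words[STATE_OFFSET // WORD] = circle_state
    words[TIMER_OFFSET // WORD] = tick
    words[YAW_OFFSET // WORD] = yaw
    return struct.pack("<16I", *words)


def demo() -> Set[int]:
    """Walk the post's steps on constructed snapshots; only the state word survives."""
    snapshots = [
        make_snapshot(1, 1000, 90),  # activate the AoE circle, initial scan
        make_snapshot(1, 1001, 90),  # random stuff; circle still up, timer ticked
        make_snapshot(1, 1002, 90),  # more random stuff
        make_snapshot(0, 1003, 45),  # cancel the circle (camera moved at the same time)
        make_snapshot(0, 1004, 60),  # random stuff; circle still cancelled
        make_snapshot(1, 1005, 60),  # activate again ("rinse and repeat")
    ]
    steps = ["unchanged", "unchanged", "changed", "unchanged", "changed"]
    return narrow(snapshots, steps)


if __name__ == "__main__":
    print(sorted(hex(a) for a in demo()))  # ['0x20']
```

The timer word is discarded by the first "unchanged" pass, the yaw word survives the "changed" pass (it happened to move when the circle was cancelled) but is discarded by the following "unchanged" pass, which is exactly why the post repeats each scan type a few times before moving on.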
-
How I usually find functions which send a particular opcode is to use OllyDbg to put a conditional breakpoint on the packet send function for when the opcode matches the one you're interested in. Then you can walk up the call stack to find which function called the packet send function. If you're lucky, you'll find a function that takes a spell id and a position as its parameters, and you can just call it.
-
elip (1 member gave Thanks to namreeb for this useful post)
-
namreeb: excellent advice! I wasn't able to find a function that would take spellID and coords as parameters, but I managed to find the static address where the socket handle is stored, and reverse the packet "encryption" (lolz) function. Then I just WSOCK2::send() synthesized packets through that socket.
Thanks!
-
You're welcome. But if you're going to build a packet yourself, you should use WoW's packet send function. It will handle the header encryption for you (including update state so the next legit packet is encrypted correctly as well) and avoid having to call any WinSock2 functions.
NetClient::SendPacket is at 0x55F8A0 in 2.4.3.
-
Corthezz (1 member gave Thanks to namreeb for this useful post)