[WoW] [7.3.5.25864]

[evil2]

x32

curMgrPtr/First/Local : 0x105DDCC / 0xD8 / 0xE8
Aura : 0x11A0 / 0x980
RunesPtr/Cnt : 0x12100BC / 0x12100F4
NamePlayerPtr : 0x1021C44
SpellCdPtr : 0x104AA80
SpellBookPtr : 0x11F6D20


no big changes, only some structs moved/changed 4-8 bytes..

anyone has the ptr for SpellOverwrite table?

[zhumoerju]

Help! # CTMmove Seems to be encrypted do not know how to solve

[DarkLinux]

Help! # CTMmove Seems to be encrypted do not know how to solve

[WoW] [7.3.0.24931]

[provirus]

x64 rebased

Code:

PlayerZoneID = 0x1BEC764;
NotLoadingScreen = 0x15F1624;
GameState = 0x1BD72BF;
GlueState = 0x1946049;
KnownSpells = 0x1BD8858;
LastHardwareAction = 0x18ABE00;
MouseoverGUID = 0x1BD7310;
BlackMarketNumItems = 0x1C2E870;
PlayerGUID = 0x1C68CF0;
TickCount = 0x18AAE4C;
ChatIsOpened = 0x18C3554;
BlackMarketItems = 0x1C2E878;
ChatBuffer = 0x1B79950;
UIFrameBase = 0x18ABDF8;
KnownSpellsCount = 0x1BD8850;
ObjectManager = 0x1961190;
FocusedWidget = 0x18ABDB0;

Code:

UnitDescriptors = 0x10;
UnitTargetGUID = 0xA0;
UnitClass = 0xD5;
UnitHealth = 0xE0;
UnitPower = 0xE8;
UnitHealthMax = 0x100;
UnitPowerMax = 0x108;
UnitLevel = 0x150;
UnitRace = 0x168;
UnitFlags = 0x184;
UnitMountDisplayID = 0x1B0;

Code:

AuraCount1 = 0x27E8;
AuraCount2 = 0x1DE8;
AuraTable1 = 0x1DEC;
AuraTable2 = 0x1DF0;

Code:

[StructLayout(LayoutKind.Explicit, Size = 0xA0)]
public struct WoWAura
{
	[FieldOffset(0x50)] public WoWGUID OwnerGUID;
	[FieldOffset(0x70)] public int SpellId;
	[FieldOffset(0x79)] public byte Stack;
	[FieldOffset(0x80)] public uint TimeLeftInMs;
}

[Zazazu]

x64

Code:

SpellOverwrite = 0x181BA50

Any know KnownSpellsBits offset for x64 or x86?

[pogob]

x86, rebased

Code:

WowConnection__Send = (IntPtr)9438625;
NetClient__SendRaw = (IntPtr)4577440;
NetClient__SendJam = (IntPtr)4577772;
NetClient__ProcessMessage = (IntPtr)4577275;
ClientServices__SendRaw = (IntPtr)1555595;
ClientServices__SendJam = (IntPtr)9517087;
CGChat__AddChatMessage = (IntPtr)6678569;
Chat.SendChatMessage = (IntPtr)6720085;
WowClientDB2_Base__GetRecordDataUnsafe = (IntPtr)3397682;
OsGetAsyncTimeMs = (IntPtr)2612910;
CGGameUI__m_currentObjectTrack = (IntPtr)18832272;
CGUnit_C__m_activeMover = (IntPtr)17938808;
Script_GetGUIDFromName = (IntPtr)6390516;
CGWorldFrame__s_currentWorldFrame = (IntPtr)18835852;
s_activeWorldScene = (IntPtr)19295144;
CWorldMap__QueryHeight = (IntPtr)8969147;
World__Intersect = (IntPtr)8777876;
Spell_C_GetSpellCooldown = (IntPtr)4438857;
Spell_C_IsUsableAction = (IntPtr)1843386;
Spell_C_RangeCheckSelected = (IntPtr)4497772;
Spell_C_CastSpell = (IntPtr)4413490;
Spell_C_StopCasting = (IntPtr)4503691;
Spell_C__HandleTerrainClick = (IntPtr)4451924;
CGSpellBook__FindSpellByName = (IntPtr)7076027;
Spell_C_GetFailType = (IntPtr)4388484;
CGUnit_C__SendMovementHeartBeat = (IntPtr)4995038;
CGPlayer_C__AddKnownSpell = (IntPtr)5060091;
CMovementShared__GetDistanceFallen = (IntPtr)12913187;
CMovement_C__SendMoveMessage_PlayerMoveFallLand = (IntPtr)4850527;

[MrNoble]

What happend to creating remote threads on live?
seems like the first instruction of the threads gets changed to "ret".

any way around this?

[doityourself]

What happend to creating remote threads on live?
seems like the first instruction of the threads gets changed to "ret".

any way around this?

works fine

[danwins]

What happend to creating remote threads on live?
seems like the first instruction of the threads gets changed to "ret".

any way around this?

works fine

DarkLinux mentioned this to me on skype, So i don't think its just you.

[culino2]

DarkLinux mentioned this to me on skype, So i don't think its just you.

Did a quick test, CreateRemoteThread is also still working for me, tested on build 25950 x86 binary. I wasn't logged in during my test, though.

[DarkLinux]

I guess Cheat Engine does not use CreateRemoteThread then. Never really looked...

[MrNoble]

Did a quick test, CreateRemoteThread is also still working for me, tested on build 25950 x86 binary. I wasn't logged in during my test, though.

How? whenever i make one, the bytes gets changed avoiding me to execute the whole code.

[culino2]

How? whenever i make one, the bytes gets changed avoiding me to execute the whole code.

Don't know what you're doing, but my dll is injecting fine, other winapi functions called in CreateRemoteThread are working too. I never called any WoW functions in CreateRemoteThread.

[enaf3n]

What happend to creating remote threads on live?
seems like the first instruction of the threads gets changed to "ret".

any way around this?

Haven't looked at it (and don't plan to), but most likely a TLS callback that is checking the start address of the thread. You could get around it by creating the thread in some slack space in the game's .text section, or better yet, suspending and hijacking a game thread temporarily to run your code.

If you're trying to inject a module then you could get around it by using something like SetWindowsHookEx, which will not create a thread at all and instead queues a procedure in user32 that will be executed by whatever thread calls into that library next.

[DarkLinux]

The TLS callback is obfuscated, but I'm guessing that's what they are doing. It must be checking if the start address resided inside a module.