[Classic] How Click To Move?
  1. #16
    Icesythe7's Avatar Contributor
    Originally Posted by xbec View Post
    how can find ClntObjMgrGetActivePlayerPtr in IDA?
    I use the function Lua calls to get the player pointer by using a token like "player", "target", etc. It can be found in the Lua function "UnitCanAttack", which calls it 2 times; then you can use it like so
    Code:
    uintptr_t IMorph::GetLocalPlayer() const
    {
    	return reinterpret_cast<uintptr_t(__fastcall*)(const char*)>(base + get_base_from_token_)("player");
    }
    uintptr_t get_base_from_token_ = 0x1127550; //as of 33728
    I switched to this as the function I was using before (ClntObjMgrGetActivePlayerPtr) was not always reliable, i.e. if on a taxi it would return incorrect info.
    Last edited by Icesythe7; 04-04-2020 at 08:29 AM.

  3. #17
    Geneditor's Avatar Member
    Originally Posted by Icesythe7 View Post
    I use the function Lua calls to get the player pointer by using a token like "player", "target", etc. It can be found in the Lua function "UnitCanAttack", which calls it 2 times; then you can use it like so
    Code:
    uintptr_t IMorph::GetLocalPlayer() const
    {
    	return reinterpret_cast<uintptr_t(__fastcall*)(const char*)>(base + get_base_from_token_)("player");
    }
    uintptr_t get_base_from_token_ = 0x1127550; //as of 33728
    I switched to this as the function I was using before (ClntObjMgrGetActivePlayerPtr) was not always reliable, i.e. if on a taxi it would return incorrect info.
    Out of curiosity, is your whole bot running in the wow process or how do you actually trigger the function from external?

    One way I could think of would be hooking a function that is periodically invoked by wow; in the detour function you check the data of a code cave which you have to write to from extern. In this code cave you would e.g. write your target coordinates for CTM. Another way would be spawning a thread from within wow and run a tcp server and communicate via tcp, but I am not sure if that's going to work.

  4. #18
    Icesythe7's Avatar Contributor
    Originally Posted by Geneditor View Post
    Out of curiosity, is your whole bot running in the wow process or how do you actually trigger the function from external?

    One way I could think of would be hooking a function that is periodically invoked by wow; in the detour function you check the data of a code cave which you have to write to from extern. In this code cave you would e.g. write your target coordinates for CTM. Another way would be spawning a thread from within wow and run a tcp server and communicate via tcp, but I am not sure if that's going to work.
    It's a morpher not a bot and yes I only do internal I've never done anything external so I don't have any input on that unfortunately.

  5. #19
    Lvv's Avatar Member
    Originally Posted by Icesythe7 View Post
    Code:
    48 83 ec ? 48 8b 81 ? ? ? ? 48 83 b8 ? ? ? ? ? 7e ? 4c 8b 41
    there's the sig for IDA

    33728 offset is 0x8CAE30
    bro how to find the sig in RETAIL

  6. #20
    badusername1234's Avatar Active Member
    Originally Posted by Lvv View Post
    bro how to find the sig in RETAIL
    for some reason i doubt you'll do this but i'll tell you anyway... those signatures are actually lists of instruction opcodes, not just random magical numbers. if you look in the .text section for a reference to a memory address of interest (e.g. s_curMgr) inside of a function, you will see that the code will use this address with a mov instruction or something like that. across several game updates, you will also notice that the instructions doing this are often identical but with shifted addresses. the signature comes from taking the surrounding instructions and writing down their opcodes, and then for anything that can change (such as an address) you use a wildcard '?' to basically ignore that byte. then, in the next update, you should be able to find the exact same sequence of bytes and the address you are looking for will be in the same place (relative to your signature) as it was when you sigged it.

    to create a signature for something you don't know how to reverse, you can open up an old binary and refer to an old (but not too old) info dump thread to get the address of what you want. if you're lucky and the function hasn't changed in the latest version, the instructions in this old function should match up to the latest version and you'll be able to create a signature that works on the latest version.
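
The wildcard matching described in the post above, as an added example that is not part of the original thread: it parses a `?`-wildcard signature in the format posted earlier and returns every offset where it matches, so an ambiguous signature (more than one hit) or a malformed token is caught. The buffers are constructed sample bytes, and `SigByte`, `parse_signature`, `find_all` and `sample_build` are names made up for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

struct SigByte { uint8_t value; bool wildcard; };
using Pattern = std::vector<SigByte>;

// Parse a signature: hex byte tokens, with "?" or "??" meaning "any byte".
Pattern parse_signature(const std::string& text) {
    Pattern pat;
    std::istringstream in(text);
    for (std::string tok; in >> tok;) {
        if (tok == "?" || tok == "??") { pat.push_back({0, true}); continue; }
        std::size_t used = 0;
        unsigned long v = std::stoul(tok, &used, 16);  // throws on non-hex text
        if (used != tok.size() || v > 0xFF)
            throw std::invalid_argument("bad signature token: " + tok);
        pat.push_back({static_cast<uint8_t>(v), false});
    }
    if (pat.empty()) throw std::invalid_argument("empty signature");
    return pat;
}

// Return every offset where the pattern matches. More than one hit means the
// signature is ambiguous and needs more fixed bytes around it.
std::vector<std::size_t> find_all(const std::vector<uint8_t>& data, const Pattern& pat) {
    std::vector<std::size_t> hits;
    for (std::size_t i = 0; i + pat.size() <= data.size(); ++i) {
        bool ok = true;
        for (std::size_t j = 0; ok && j < pat.size(); ++j)
            ok = pat[j].wildcard || pat[j].value == data[i + j];
        if (ok) hits.push_back(i);
    }
    return hits;
}

// Constructed sample bytes (not from any real binary): the same sequence with
// different operand bytes and a different amount of leading padding.
std::vector<uint8_t> sample_build(std::size_t pad, uint8_t operand) {
    std::vector<uint8_t> buf(pad, 0xCC);
    const uint8_t body[] = {0x48, 0x83, 0xEC, operand, 0x48, 0x8B, 0x81,
                            operand, 0x01, 0x00, 0x00, 0xC3};
    buf.insert(buf.end(), body, body + sizeof body);
    return buf;
}
```
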

  7. #21
    Lvv's Avatar Member
    Originally Posted by badusername1234 View Post
    for some reason i doubt you'll do this but i'll tell you anyway... those signatures are actually lists of instruction opcodes, not just random magical numbers. if you look in the .text section for a reference to a memory address of interest (e.g. s_curMgr) inside of a function, you will see that the code will use this address with a mov instruction or something like that. across several game updates, you will also notice that the instructions doing this are often identical but with shifted addresses. the signature comes from taking the surrounding instructions and writing down their opcodes, and then for anything that can change (such as an address) you use a wildcard '?' to basically ignore that byte. then, in the next update, you should be able to find the exact same sequence of bytes and the address you are looking for will be in the same place (relative to your signature) as it was when you sigged it.

    to create a signature for something you don't know how to reverse, you can open up an old binary and refer to an old (but not too old) info dump thread to get the address of what you want. if you're lucky and the function hasn't changed in the latest version, the instructions in this old function should match up to the latest version and you'll be able to create a signature that works on the latest version.


    Thank you for your reply, but I don't have RETAIL's relatively old but very clear binary file. I found some according to the section of God's reply here. But there seems to be very few about ClickToMove.
    By the way, at present, I want to achieve the move function. In addition to the postmessage, it should be this CTM. It seems that the CTM effect is better. So I am currently curious.

  8. #22
    Lvv's Avatar Member
    Originally Posted by Icesythe7 View Post
    It's a morpher not a bot and yes I only do internal I've never done anything external so I don't have any input on that unfortunately.
    I am working on retail CTM but have no clue, can you give me some guidance? I am searching for 48 63 05??? 48 8D but I am not sure. How can I use CTMTrigger

  9. #23
    Lvv's Avatar Member
    Originally Posted by imzz View Post
    I use Arctium WoW Sandbox and Compare 8.2 client , find the offsets:MoveTo = 0x9D6C70 // 1.13.2.30979
    The same method, but not working on the classic.
    I want to know what methods everyone uses to achieve click to move.
    Code:
            public void MoveTo(Vector3 position)
            {
                    if (ObjectManager.InGame)
                    {
                        //Get pPlayer
                        IntPtr ptr = ObjectManager.GetActivePlayerObjPtr();
    
                        IntPtr positionCodecave = Memory.MemoryManager.AllocateRawMemory(0xC);
                        Memory.MemoryManager.Write<float>(positionCodecave, position.X);
                        Memory.MemoryManager.Write<float>(positionCodecave + 4, position.Y);
                        Memory.MemoryManager.Write<float>(positionCodecave + 8, position.Z);
                        
                        var Mnemonics = new string[]                    
                        {
                        "sub rsp, 0x18",
                        $"mov rdx, {positionCodecave}",
                        $"mov rcx, {ptr}",
                        $"mov rax, {Memory.ModulesManager.MainModule.BaseAddress+(int)Offsets.Function.MoveTo}",
                        "call rax",
                        "add rsp, 0x18",
                        "retn"
                        };
    
                        InjectAndExecute(Mnemonics);
                        Memory.MemoryManager.FreeRawMemory(positionCodecave);
                    }
            }
    Does it still work in Retail?

  10. #24
    qpwo1029's Avatar Member
    Originally Posted by Icesythe7 View Post
    Code:
    48 83 ec ? 48 8b 81 ? ? ? ? 48 83 b8 ? ? ? ? ? 7e ? 4c 8b 41
    there's the sig for IDA

    33728 offset is 0x8CAE30
    Do you know what's the CTM offset for 34219 (latest classic client)? I used your sig and found 0x234932, but not sure if it's right.
    Annotation 2020-05-19 212659.png

    I don't have a program to verify that. been looking for a C# library that can do InjectAndExecute, as I'll be doing this externally.

  11. #25
    qpwo1029's Avatar Member
    Originally Posted by Icesythe7 View Post
    Works fine for me on latest build (31043)

    Code:
    			
    //store a temp position for testing
    const auto lPlayer = reinterpret_cast<int64_t(__cdecl*)()>(ClassicMorph::ClntObjMgrGetActivePlayerPtr)();
    tPos = *reinterpret_cast<ReClass::Vector3*>(lPlayer + 0x1600);
    printf("%s", tPos.ToString(3));
    
    //moved player and called function with prev saved pos
    reinterpret_cast<void(__fastcall*)(int64_t, ReClass::Vector3*)>(ClassicMorph::Base + 0x9DF110)(lPlayer, &tPos);
    P.S. Make sure you have click to move enabled or this will do nothing
    Make it rain
    According to this: https://www.ownedcore.com/forums/wor...explained.html (Click to Move - Explained)
    It seems the CTM function's signature is like this: BOOL __thiscall CGPlayer_C__ClickToMove(WoWActivePlayer *this, CLICKTOMOVETYPE clickType, WGUID *interactGuid, WOWPOS *clickPos, float precision)
    5 parameters in total, but in your code and OP's, you're only passing pActivePlayer and pXYZ, why can it work??

  12. #26
    badusername1234's Avatar Active Member
    Originally Posted by xbec View Post
    how can find ClntObjMgrGetActivePlayerPtr in IDA?
    Find it in an old build, see how that usually gets called. Look for identifying features of the functions that call it and then use those features to find them in the latest version.

  13. #27
    Jadd's Avatar 🐸
    Originally Posted by qpwo1029 View Post
    According to this: https://www.ownedcore.com/forums/wor...explained.html (Click to Move - Explained)
    It seems the CTM function's signature is like this: BOOL __thiscall CGPlayer_C__ClickToMove(WoWActivePlayer *this, CLICKTOMOVETYPE clickType, WGUID *interactGuid, WOWPOS *clickPos, float precision)
    5 parameters in total, but in your code and OP's, you're only passing pActivePlayer and pXYZ, why can it work??
    You may want to check the thread's date. A lot has happened in over 10 years...

  14. #28
    qpwo1029's Avatar Member
    Found a tool today for inject & execute ASM.
    * I'm on classic client ver 34266
    * I found the pActivePlayer address from the objMgr with CE. It should be the right address as I'm able to find the offset of the character's coordinates - they change as my character moves.
    * I found 0x23194C8 as the CTM function address, using the sig from Icesythe7 (I highly doubt if I did it wrong and it's not the right offset)
    * Was calling the function with fastcall convention (rcx and rdx for the first 2 params)
    I believe it's either a wrong func offset, or the injectAndExecute lib does not work.. Totally no idea. Can someone please give some hints?

    Code:
                var process = new MyMemory.RemoteProcess((uint)Process.GetProcessesByName("wowclassic").First().Id);
    
                var posMem = process.MemoryManager.AllocateMemory(0xc);
                process.MemoryManager.Write(posMem.Pointer, 1638.189575f);
                process.MemoryManager.Write(posMem.Pointer + 4, -4410.206055f);
                process.MemoryManager.Write(posMem.Pointer + 8, 16.5262394f);
                IntPtr pActivePlayer = new IntPtr(0x2025a335820L);
    
                var mnemonics = new string[]
                {
                    //"sub rsp, 0x18",
                    $"mov rcx, {pActivePlayer}",
                    $"mov rdx, {posMem.Pointer}",
                    $"call {process.ModulesManager.MainModule.BaseAddress + 0x23194C8}",
                    //"add rsp, 0x18",
                    "retn"
                };
                process.Yasm.InjectAndExecute(mnemonics);
                process.MemoryManager.FreeRawMemory(posMem.Pointer);

  15. #29
    xbec's Avatar Member
    Originally Posted by qpwo1029 View Post
    Found a tool today for inject & execute ASM.
    * I'm on classic client ver 34266
    * I found the pActivePlayer address from the objMgr with CE. It should be the right address as I'm able to find the offset of the character's coordinates - they change as my character moves.
    * I found 0x23194C8 as the CTM function address, using the sig from Icesythe7 (I highly doubt if I did it wrong and it's not the right offset)
    * Was calling the function with fastcall convention (rcx and rdx for the first 2 params)
    I believe it's either a wrong func offset, or the injectAndExecute lib does not work.. Totally no idea. Can someone please give some hints?

    Code:
                var process = new MyMemory.RemoteProcess((uint)Process.GetProcessesByName("wowclassic").First().Id);
    
                var posMem = process.MemoryManager.AllocateMemory(0xc);
                process.MemoryManager.Write(posMem.Pointer, 1638.189575f);
                process.MemoryManager.Write(posMem.Pointer + 4, -4410.206055f);
                process.MemoryManager.Write(posMem.Pointer + 8, 16.5262394f);
                IntPtr pActivePlayer = new IntPtr(0x2025a335820L);
    
                var mnemonics = new string[]
                {
                    //"sub rsp, 0x18",
                    $"mov rcx, {pActivePlayer}",
                    $"mov rdx, {posMem.Pointer}",
                    $"call {process.ModulesManager.MainModule.BaseAddress + 0x23194C8}",
                    //"add rsp, 0x18",
                    "retn"
                };
                process.Yasm.InjectAndExecute(mnemonics);
                process.MemoryManager.FreeRawMemory(posMem.Pointer);
    what library can use x64 ASM?

  16. #30
    qpwo1029's Avatar Member