-
Contributor
Originally Posted by
xbec
how can I find ClntObjMgrGetActivePlayerPtr in IDA?
I use the function Lua calls to get the player pointer by using a token like "player", "target", etc. It can be found in the Lua function "UnitCanAttack", which calls it 2 times; then you can use it like so:
Code:
uintptr_t IMorph::GetLocalPlayer() const
{
    return reinterpret_cast<uintptr_t(__fastcall*)(const char*)>(base + get_base_from_token_)("player");
}
uintptr_t get_base_from_token_ = 0x1127550; //as of 33728
I switched to this as the function I was using before (ClntObjMgrGetActivePlayerPtr) was not always reliable, i.e. if on a taxi it would return incorrect info.
Last edited by Icesythe7; 04-04-2020 at 08:29 AM.
-
-
Member
Originally Posted by
Icesythe7
I use the function Lua calls to get the player pointer by using a token like "player", "target", etc. It can be found in the Lua function "UnitCanAttack", which calls it 2 times; then you can use it like so:
Code:
uintptr_t IMorph::GetLocalPlayer() const
{
    return reinterpret_cast<uintptr_t(__fastcall*)(const char*)>(base + get_base_from_token_)("player");
}
uintptr_t get_base_from_token_ = 0x1127550; //as of 33728
I switched to this as the function I was using before (ClntObjMgrGetActivePlayerPtr) was not always reliable, i.e. if on a taxi it would return incorrect info.
Out of curiosity, is your whole bot running in the WoW process, or how do you actually trigger the function from external?
One way I could think of would be hooking a function that is periodically invoked by WoW; in the detour function you check the data of a code cave which you have to write to from extern. In this code cave you would e.g. write your target coordinates for CTM. Another way would be spawning a thread from within WoW and running a TCP server and communicating via TCP, but I am not sure if that's going to work.
-
Contributor
Originally Posted by
Geneditor
Out of curiosity, is your whole bot running in the WoW process, or how do you actually trigger the function from external?
One way I could think of would be hooking a function that is periodically invoked by WoW; in the detour function you check the data of a code cave which you have to write to from extern. In this code cave you would e.g. write your target coordinates for CTM. Another way would be spawning a thread from within WoW and running a TCP server and communicating via TCP, but I am not sure if that's going to work.
It's a morpher, not a bot, and yes, I only do internal. I've never done anything external, so I don't have any input on that, unfortunately.
-
Member
Originally Posted by
Icesythe7
Code:
48 83 ec ? 48 8b 81 ? ? ? ? 48 83 b8 ? ? ? ? ? 7e ? 4c 8b 41
there's the sig for IDA
33728 offset is 0x8CAE30
bro, how to find the sig in RETAIL?
-
Active Member
Originally Posted by
Lvv
bro, how to find the sig in RETAIL?
for some reason i doubt you'll do this but i'll tell you anyway... those signatures are actually lists of instruction opcodes, not just random magical numbers. if you look in the .text section for a reference to a memory address of interest (e.g. s_curMgr) inside of a function, you will see that the code will use this address with a mov instruction or something like that. across several game updates, you will also notice that the instructions doing this are often identical but with shifted addresses. the signature comes from taking the surrounding instructions and writing down their opcodes, and then for anything that can change (such as an address) you use a wildcard '?' to basically ignore that byte. then, in the next update, you should be able to find the exact same sequence of bytes and the address you are looking for will be in the same place (relative to your signature) as it was when you sigged it.
to create a signature for something you don't know how to reverse, you can open up an old binary and refer to an old (but not too old) info dump thread to get the address of what you want. if you're lucky and the function hasn't changed in the latest version, the instructions in this old function should match up to the latest version and you'll be able to create a signature that works on the latest version.
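The wildcard-signature mechanism described in the post above, as an added editor example (not code from any poster in this thread): it parses an IDA-style pattern into bytes plus a mask, scans a buffer, insists on exactly one hit, and resolves the RIP-relative displacement the way the CPU does. The two "builds", the signature and the image base are constructed for the demonstration; this is the same matching an analyst uses to re-find a function or global across versions, or to flag known code in a memory dump.

```python
import re
import struct
from typing import List, Tuple

def parse_signature(sig: str) -> Tuple[bytes, bytes]:
    """IDA-style pattern ("48 8b 05 ? ? ? ? 48 85 c0") -> (pattern, mask).
    mask 0xFF = byte must match; 0x00 = wildcard that ignores a volatile byte."""
    pattern, mask = bytearray(), bytearray()
    for tok in sig.split():
        if tok in ("?", "??"):
            pattern.append(0)
            mask.append(0x00)
        elif re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            pattern.append(int(tok, 16))
            mask.append(0xFF)
        else:
            raise ValueError(f"bad signature token: {tok!r}")
    return bytes(pattern), bytes(mask)

def find_all(buf: bytes, sig: str) -> List[int]:
    """Offsets of every match of sig in buf (wildcard positions are ignored)."""
    pattern, mask = parse_signature(sig)
    n = len(pattern)
    return [i for i in range(len(buf) - n + 1)
            if all(mask[j] == 0 or buf[i + j] == pattern[j] for j in range(n))]

def resolve_rip_relative(buf: bytes, match: int, base: int, opcode_len: int = 3) -> int:
    """disp32 follows the opcode bytes; target = address of next instruction + disp32."""
    disp = struct.unpack_from("<i", buf, match + opcode_len)[0]
    next_ip = base + match + opcode_len + 4
    return next_ip + disp

def locate_global(buf: bytes, sig: str, base: int) -> int:
    """A usable signature hits exactly once; more hits means the sig needs more
    context bytes, zero means the build changed and the sig is stale."""
    hits = find_all(buf, sig)
    if len(hits) != 1:
        raise LookupError(f"signature matched {len(hits)} times, expected 1")
    return resolve_rip_relative(buf, hits[0], base)

# Constructed stand-in for a .text slice: mov rax,[rip+disp32]; test rax,rax; je +0x1a.
# Two "builds" differ only in the displacement, which is exactly what the wildcards absorb.
def make_fake_text(disp: int) -> bytes:
    return (b"\x90" * 8 + b"\x48\x8b\x05" + struct.pack("<i", disp)
            + b"\x48\x85\xc0\x74\x1a" + b"\xcc" * 8)

SIG = "48 8b 05 ? ? ? ? 48 85 c0 74 ?"   # constructed signature for the fake slice
BASE = 0x140000000                         # assumed image base for the fake slice
```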
-
Member
Originally Posted by
badusername1234
for some reason i doubt you'll do this but i'll tell you anyway... those signatures are actually lists of instruction opcodes, not just random magical numbers. if you look in the .text section for a reference to a memory address of interest (e.g. s_curMgr) inside of a function, you will see that the code will use this address with a mov instruction or something like that. across several game updates, you will also notice that the instructions doing this are often identical but with shifted addresses. the signature comes from taking the surrounding instructions and writing down their opcodes, and then for anything that can change (such as an address) you use a wildcard '?' to basically ignore that byte. then, in the next update, you should be able to find the exact same sequence of bytes and the address you are looking for will be in the same place (relative to your signature) as it was when you sigged it.
to create a signature for something you don't know how to reverse, you can open up an old binary and refer to an old (but not too old) info dump thread to get the address of what you want. if you're lucky and the function hasn't changed in the latest version, the instructions in this old function should match up to the latest version and you'll be able to create a signature that works on the latest version.
Thank you for your reply, but I don't have a relatively old but very clear RETAIL binary file. I found some according to the section of God's reply here, but there seems to be very little about ClickToMove.
By the way, at present I want to achieve the move function. In addition to PostMessage, it should be this CTM; it seems the CTM effect is better, so I am currently curious.
-
Member
Originally Posted by
Icesythe7
It's a morpher, not a bot, and yes, I only do internal. I've never done anything external, so I don't have any input on that, unfortunately.
I am working on retail CTM but have no clue; can you give me some guidance? I am searching for 48 63 05 ??? 48 8D but I am not sure. How can I use CTMTrigger?
-
Member
Originally Posted by
imzz
I use Arctium WoW Sandbox and compare the 8.2 client, and find the offsets: MoveTo = 0x9D6C70 // 1.13.2.30979
The same method, but not working on the classic.
I want to know what methods everyone uses to achieve click to move.
Code:
public void MoveTo(Vector3 position)
{
    if (ObjectManager.InGame)
    {
        // Get pPlayer
        IntPtr ptr = ObjectManager.GetActivePlayerObjPtr();
        // Allocate 12 bytes (three floats) to hold the target position
        IntPtr positionCodecave = Memory.MemoryManager.AllocateRawMemory(0xC);
        Memory.MemoryManager.Write<float>(positionCodecave, position.X);
        Memory.MemoryManager.Write<float>(positionCodecave + 4, position.Y);
        Memory.MemoryManager.Write<float>(positionCodecave + 8, position.Z);
        var Mnemonics = new string[]
        {
            "sub rsp, 0x18",
            $"mov rdx, {positionCodecave}",
            $"mov rcx, {ptr}",
            $"mov rax, {Memory.ModulesManager.MainModule.BaseAddress+(int)Offsets.Function.MoveTo}",
            "call rax",
            "add rsp, 0x18",
            "retn"
        };
        InjectAndExecute(Mnemonics);
        Memory.MemoryManager.FreeRawMemory(positionCodecave);
    }
}
Does it still work in Retail?
-
Member
Originally Posted by
Icesythe7
Code:
48 83 ec ? 48 8b 81 ? ? ? ? 48 83 b8 ? ? ? ? ? 7e ? 4c 8b 41
there's the sig for IDA
33728 offset is 0x8CAE30
Do you know what the CTM offset is for 34219 (latest classic client)? I used your sig and found 0x234932, but I'm not sure if it's right.
I don't have a program to verify that. I've been looking for a C# library that can do InjectAndExecute, as I'll be doing this externally.
-
Member
Originally Posted by
Icesythe7
Works fine for me on latest build (31043)
Code:
//store a temp position for testing
const auto lPlayer = reinterpret_cast<int64_t(__cdecl*)()>(ClassicMorph::ClntObjMgrGetActivePlayerPtr)();
tPos = *reinterpret_cast<ReClass::Vector3*>(lPlayer + 0x1600);
printf("%s", tPos.ToString(3));
//moved player and called function with prev saved pos
reinterpret_cast<void(__fastcall*)(int64_t, ReClass::Vector3*)>(ClassicMorph::Base + 0x9DF110)(lPlayer, &tPos);
P.S. Make sure you have click to move enabled or this will do nothing
Let it rain.
According to this: https://www.ownedcore.com/forums/wor...explained.html (Click to Move - Explained)
It seems the CTM function's signature is like this: BOOL __thiscall CGPlayer_C__ClickToMove(WoWActivePlayer *this, CLICKTOMOVETYPE clickType, WGUID *interactGuid, WOWPOS *clickPos, float precision)
5 parameters in total, but in your code and OP's, you're only passing pActivePlayer and pXYZ, so why does it work?
-
Active Member
Originally Posted by
xbec
how can I find ClntObjMgrGetActivePlayerPtr in IDA?
Find it in an old build, see how that usually gets called. Look for identifying features of the functions that call it and then use those features to find them in the latest version.
-
Originally Posted by
qpwo1029
According to this: https://www.ownedcore.com/forums/wor...explained.html (Click to Move - Explained)
It seems the CTM function's signature is like this: BOOL __thiscall CGPlayer_C__ClickToMove(WoWActivePlayer *this, CLICKTOMOVETYPE clickType, WGUID *interactGuid, WOWPOS *clickPos, float precision)
5 parameters in total, but in your code and OP's, you're only passing pActivePlayer and pXYZ, so why does it work?
You may want to check the thread's date. A lot has happened in over 10 years...
-
Member
Found a tool today for injecting & executing ASM.
* I'm on classic client ver 34266
* I found the pActivePlayer address from the objMgr with CE. It should be the right address, as I'm able to find the offset of the character's coordinates: they change as my character moves.
* I found 0x23194C8 as the CTM function address, using the sig from Icesythe7 (I highly doubt I did it wrong and it's not the right offset)
* Was calling the function with the fastcall convention (rcx and rdx for the first 2 params)
I believe it's either a wrong func offset, or the injectAndExecute lib does not work. Totally no idea. Can someone please give some hints?
Code:
var process = new MyMemory.RemoteProcess((uint)Process.GetProcessesByName("wowclassic").First().Id);
var posMem = process.MemoryManager.AllocateMemory(0xc);
process.MemoryManager.Write(posMem.Pointer, 1638.189575f);
process.MemoryManager.Write(posMem.Pointer + 4, -4410.206055f);
process.MemoryManager.Write(posMem.Pointer + 8, 16.5262394f);
IntPtr pActivePlayer = new IntPtr(0x2025a335820L);
var mnemonics = new string[]
{
    //"sub rsp, 0x18",
    $"mov rcx, {pActivePlayer}",
    $"mov rdx, {posMem.Pointer}",
    $"call {process.ModulesManager.MainModule.BaseAddress + 0x23194C8}",
    //"add rsp, 0x18",
    "retn"
};
process.Yasm.InjectAndExecute(mnemonics);
process.MemoryManager.FreeRawMemory(posMem.Pointer);
-
Member
Originally Posted by
qpwo1029
Found a tool today for injecting & executing ASM.
* I'm on classic client ver 34266
* I found the pActivePlayer address from the objMgr with CE. It should be the right address, as I'm able to find the offset of the character's coordinates: they change as my character moves.
* I found 0x23194C8 as the CTM function address, using the sig from Icesythe7 (I highly doubt I did it wrong and it's not the right offset)
* Was calling the function with the fastcall convention (rcx and rdx for the first 2 params)
I believe it's either a wrong func offset, or the injectAndExecute lib does not work. Totally no idea. Can someone please give some hints?
Code:
var process = new MyMemory.RemoteProcess((uint)Process.GetProcessesByName("wowclassic").First().Id);
var posMem = process.MemoryManager.AllocateMemory(0xc);
process.MemoryManager.Write(posMem.Pointer, 1638.189575f);
process.MemoryManager.Write(posMem.Pointer + 4, -4410.206055f);
process.MemoryManager.Write(posMem.Pointer + 8, 16.5262394f);
IntPtr pActivePlayer = new IntPtr(0x2025a335820L);
var mnemonics = new string[]
{
    //"sub rsp, 0x18",
    $"mov rcx, {pActivePlayer}",
    $"mov rdx, {posMem.Pointer}",
    $"call {process.ModulesManager.MainModule.BaseAddress + 0x23194C8}",
    //"add rsp, 0x18",
    "retn"
};
process.Yasm.InjectAndExecute(mnemonics);
process.MemoryManager.FreeRawMemory(posMem.Pointer);
What library can use x64 ASM?
-
Member