[Classic] [Classic] 1.13.2.32089 - Learned Spells

[NoxiaZ]

Hi,

Anyone who can provide any information about how to receive which spells that have been learned.

I have covered the cooldowns with the spellhistory/cooldown pointer, but i can't locate the pointer for learned spells, or any offsets that points, hopefully someone has this information

The way i read cooldowns:
SpellHistory = 0x2178818
NEXT = 0x8;
SPELLID = 0x10;
STARTTIME = 0x1C;
DURATION = 0x20;

Code:

var cooldownBase = (IntPtr)Read(WowBaseAddress.Add(COOLDOWNS), typeof(IntPtr));
var spellCooldown = new SpellCooldownModel(cooldownBase);
spellCooldown.Update();
while (spellCooldown.Next != 0 && spellCooldown.SpellID != 0)
{
        Cooldowns.Add(spellCooldown);
    spellCooldown = new SpellCooldownModel((IntPtr)spellCooldown.Next);
    spellCooldown.Update();
}

EDIT:
I figured out my code for cooldown are not working as expected, was only tested with one spell on cooldown, not two - Looking more into that, still hoping some can provide info about learned spells

[ChrisIsMe]

__int64 __fastcall sub_DC4B00(int a1, int a2) this function has the offset for the spell book and (I assume) pet spell book, and the math to loop through it, it's just a an array of a bunch of pointers to the next entry.

Look at FindSpellBookSlotByID

Cooldowns in the history table have 2 different durations which you need, just look a bit further down in the struct.

[foRei]

__int64 __fastcall sub_DC4B00(int a1, int a2) this function has the offset for the spell book and (I assume) pet spell book, and the math to loop through it, it's just a an array of a bunch of pointers to the next entry.

Look at FindSpellBookSlotByID

Cooldowns in the history table have 2 different durations which you need, just look a bit further down in the struct.

The sub_DC4B00 function did you find that in IDA Pro 64bit ?

I try to find the function after doing initial analysis in IDA but there is no function named "sub_DC4B00".

[ChrisIsMe]

The sub_DC4B00 function did you find that in IDA Pro 64bit ?

I try to find the function after doing initial analysis in IDA but there is no function named "sub_DC4B00".

Yes in ida, rebased 0x0 obviously. Look for the string I posted. It’s the 3rd or so function called in there. It’s pretty obvious, two while loops and some offsets.

[charles420]

.data:0000000002546680 00 00 00 00 00 00 00 00 SpellBookNumSpells
.data:0000000002546688 00 00 00 00 00 00 00 00 SpellBookSpellsPtr

there's same two for mounts as well

.data:0000000002546720 00 00 00 00 MountBookNumMounts
.data:0000000002546728 00 00 00 00 00 00 00 00 MountBookMountsPtr

[foRei]

Yes in ida, rebased 0x0 obviously. Look for the string I posted. It’s the 3rd or so function called in there. It’s pretty obvious, two while loops and some offsets.

I did Edit -> Segments -> Rebase Program, then choose Image base and value 0x0, ticked both below. When I then search for sub_DC4B00 in functions window it finds nothing.

Am I missing something?

[ChrisIsMe]

I did Edit -> Segments -> Rebase Program, then choose Image base and value 0x0, ticked both below. When I then search for sub_DC4B00 in functions window it finds nothing.

Am I missing something?

Here's a pattern. E8 BC A5 00 00 48 8B 5C 24 30 48 8B CF

[foRei]

Here's a pattern. E8 BC A5 00 00 48 8B 5C 24 30 48 8B CF

Hmm thanks for helping, I've tried everything but cannot find any of the stuff you are linking. A simple byte search should easily yield the result but it does not. Im starting to think we're not looking at the same thing.

Just to be sure; We're looking at classic 1.13 (latest version) and analysing "_classic_/Wow.exe" in the folder right? The only other thing I can think of is that I have some setting set in IDA Pro that throws me off...

Anyhow, thx for your effort, sadly nothing worked for me >.<

[ChrisIsMe]

Hmm thanks for helping, I've tried everything but cannot find any of the stuff you are linking. A simple byte search should easily yield the result but it does not. Im starting to think we're not looking at the same thing.

Just to be sure; We're looking at classic 1.13 (latest version) and analysing "_classic_/Wow.exe" in the folder right? The only other thing I can think of is that I have some setting set in IDA Pro that throws me off...

Anyhow, thx for your effort, sadly nothing worked for me >.<

No this is a dumped exe with Scylla hide and x64 dbg

[foRei]

Well that explains everything, alrighty then I'm no longer lost

[NoxiaZ]

No this is a dumped exe with Scylla hide and x64 dbg

May i ask how you dumped that exe file or anywhere its possible to get hands in that file?

[ChrisIsMe]

May i ask how you dumped that exe file or anywhere its possible to get hands in that file?

https://www.ownedcore.com/forums/wor...ow-memory.html (How to Dump Wow from Memory....)

[NoxiaZ]

https://www.ownedcore.com/forums/wor...ow-memory.html (How to Dump Wow from Memory....)

I'm gonna look into that - Thank you so much for the link and time spend helping

[NoxiaZ]

.data:0000000002546680 00 00 00 00 00 00 00 00 SpellBookNumSpells
.data:0000000002546688 00 00 00 00 00 00 00 00 SpellBookSpellsPtr

there's same two for mounts as well

.data:0000000002546720 00 00 00 00 MountBookNumMounts
.data:0000000002546728 00 00 00 00 00 00 00 00 MountBookMountsPtr

Thanks for the offsets, yet i'm still trying to figure out how to read the SpellBookSpellsPtr - Think i have a lot to learn when it comes to reverse engineering.

[NoxiaZ]

@ChrisIsMe
@charles420


Thank you both for the effort you put into helping. I have now figured out how spellcooldown works, as well i figured out how to read from spellbook.
Again thank you a lot.

EDIT:
Posted my solution here: https://www.ownedcore.com/forums/wor...dtoscreen.html ([Classic] 1.13.2.32089 - SpellBook, Cooldowns, WorldToScreen)