-
Active Member
[Classic] [Classic] 1.13.2.32089 - Learned Spells
Hi,
Can anyone provide any information about how to retrieve which spells have been learned?
I have covered the cooldowns with the spellhistory/cooldown pointer, but I can't locate the pointer for learned spells, or any offsets that point to them; hopefully someone has this information.
The way I read cooldowns:
SpellHistory = 0x2178818
NEXT = 0x8;
SPELLID = 0x10;
STARTTIME = 0x1C;
DURATION = 0x20;
Code:
// COOLDOWNS is presumably the SpellHistory offset listed above; it holds the list head pointer
var cooldownBase = (IntPtr)Read(WowBaseAddress.Add(COOLDOWNS), typeof(IntPtr));
var spellCooldown = new SpellCooldownModel(cooldownBase);
spellCooldown.Update();
// Follow the Next links until a null link or an empty (SpellID == 0) entry
while (spellCooldown.Next != 0 && spellCooldown.SpellID != 0)
{
    Cooldowns.Add(spellCooldown);
    spellCooldown = new SpellCooldownModel((IntPtr)spellCooldown.Next);
    spellCooldown.Update();
}
EDIT:
I figured out my code for cooldowns is not working as expected; it was only tested with one spell on cooldown, not two. Looking more into that; still hoping someone can provide info about learned spells.
Last edited by NoxiaZ; 10-15-2019 at 04:21 PM.
Reason: Not working as expected
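As an added example (not the OP's code or the game's own layout), this walks a SpellHistory-style linked list out of a constructed memory-dump buffer using the NEXT/SPELLID/STARTTIME/DURATION offsets above, with two guards a bare `Next != 0` loop lacks: a visited set so a circular list (one whose last entry links back to the head) terminates, and a bounds check so a bad pointer cannot read outside the buffer. ENTRY_SIZE, the field widths, the base address and the sample values are assumptions.

```python
import struct

# Field offsets within one entry, as listed in the post above.
NEXT, SPELLID, STARTTIME, DURATION = 0x8, 0x10, 0x1C, 0x20
ENTRY_SIZE = 0x28  # assumed: just large enough to cover the DURATION field


def read_u32(buf, addr, base):
    return struct.unpack_from("<I", buf, addr - base)[0]


def read_u64(buf, addr, base):
    return struct.unpack_from("<Q", buf, addr - base)[0]


def walk_cooldowns(buf, head_ptr, base, max_entries=4096):
    """Follow NEXT links from head_ptr and return (spell_id, start, duration) tuples.

    Stops on a null link, a pointer outside the buffer, a revisited node
    (assumed: the list may be circular and point back at its head), or after
    max_entries. Entries with SpellID == 0 are skipped rather than ending the
    walk, so an empty head/sentinel node does not hide the rest of the list.
    """
    seen, out, addr = set(), [], head_ptr
    while addr != 0 and addr not in seen and len(out) < max_entries:
        if not (base <= addr and addr - base + ENTRY_SIZE <= len(buf)):
            break  # pointer does not land inside the dump we hold
        seen.add(addr)
        spell_id = read_u32(buf, addr + SPELLID, base)
        if spell_id != 0:
            out.append((spell_id,
                        read_u32(buf, addr + STARTTIME, base),
                        read_u32(buf, addr + DURATION, base)))
        addr = read_u64(buf, addr + NEXT, base)
    return out


def build_entry(next_ptr, spell_id, start, duration):
    """Serialise one entry with the same offsets (used to construct the sample)."""
    e = bytearray(ENTRY_SIZE)
    struct.pack_into("<Q", e, NEXT, next_ptr)
    struct.pack_into("<I", e, SPELLID, spell_id)
    struct.pack_into("<I", e, STARTTIME, start)
    struct.pack_into("<I", e, DURATION, duration)
    return bytes(e)


# Constructed sample: a circular two-entry list whose dump starts at address BASE.
BASE = 0x1000
SAMPLE = (build_entry(BASE + ENTRY_SIZE, 101, 1000, 2500)
          + build_entry(BASE, 202, 1200, 8000))

if __name__ == "__main__":
    print(walk_cooldowns(SAMPLE, BASE, BASE))
```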
-
Contributor
__int64 __fastcall sub_DC4B00(int a1, int a2) this function has the offset for the spell book and (I assume) pet spell book, and the math to loop through it; it's just an array of a bunch of pointers to the next entry.
Look at FindSpellBookSlotByID
Cooldowns in the history table have 2 different durations which you need, just look a bit further down in the struct.
Last edited by ChrisIsMe; 10-16-2019 at 03:01 AM.
-
Post Thanks / Like - 1 Thanks
NoxiaZ (1 members gave Thanks to ChrisIsMe for this useful post)
-
Member
Originally Posted by
ChrisIsMe
__int64 __fastcall sub_DC4B00(int a1, int a2) this function has the offset for the spell book and (I assume) pet spell book, and the math to loop through it; it's just an array of a bunch of pointers to the next entry.
Look at FindSpellBookSlotByID
Cooldowns in the history table have 2 different durations which you need, just look a bit further down in the struct.
The sub_DC4B00 function, did you find that in IDA Pro 64-bit?
I tried to find the function after doing the initial analysis in IDA, but there is no function named "sub_DC4B00".
-
Contributor
Originally Posted by
foRei
The sub_DC4B00 function, did you find that in IDA Pro 64-bit?
I tried to find the function after doing the initial analysis in IDA, but there is no function named "sub_DC4B00".
Yes, in IDA, rebased to 0x0 obviously. Look for the string I posted. It's the 3rd or so function called in there. It's pretty obvious, two while loops and some offsets.
-
Contributor
.data:0000000002546680 00 00 00 00 00 00 00 00 SpellBookNumSpells
.data:0000000002546688 00 00 00 00 00 00 00 00 SpellBookSpellsPtr
There's the same two for mounts as well:
.data:0000000002546720 00 00 00 00 MountBookNumMounts
.data:0000000002546728 00 00 00 00 00 00 00 00 MountBookMountsPtr
Last edited by charles420; 10-16-2019 at 06:57 AM.
-
Post Thanks / Like - 1 Thanks
NoxiaZ (1 members gave Thanks to charles420 for this useful post)
-
Member
Originally Posted by
ChrisIsMe
Yes, in IDA, rebased to 0x0 obviously. Look for the string I posted. It's the 3rd or so function called in there. It's pretty obvious, two while loops and some offsets.
I did Edit -> Segments -> Rebase Program, then chose Image base and value 0x0, and ticked both boxes below. When I then search for sub_DC4B00 in the functions window it finds nothing.
Am I missing something?
-
Contributor
Originally Posted by
foRei
I did Edit -> Segments -> Rebase Program, then chose Image base and value 0x0, and ticked both boxes below. When I then search for sub_DC4B00 in the functions window it finds nothing.
Am I missing something?
Here's a pattern. E8 BC A5 00 00 48 8B 5C 24 30 48 8B CF
-
Member
Originally Posted by
ChrisIsMe
Here's a pattern. E8 BC A5 00 00 48 8B 5C 24 30 48 8B CF
Hmm, thanks for helping, I've tried everything but cannot find any of the stuff you are linking. A simple byte search should easily yield the result, but it does not. I'm starting to think we're not looking at the same thing.
Just to be sure: we're looking at Classic 1.13 (latest version) and analysing "_classic_/Wow.exe" in the folder, right? The only other thing I can think of is that I have some setting set in IDA Pro that throws me off...
Anyhow, thanks for your effort, sadly nothing worked for me >.<
-
Contributor
Originally Posted by
foRei
Hmm, thanks for helping, I've tried everything but cannot find any of the stuff you are linking. A simple byte search should easily yield the result, but it does not. I'm starting to think we're not looking at the same thing.
Just to be sure: we're looking at Classic 1.13 (latest version) and analysing "_classic_/Wow.exe" in the folder, right? The only other thing I can think of is that I have some setting set in IDA Pro that throws me off...
Anyhow, thanks for your effort, sadly nothing worked for me >.<
No, this is a dumped exe with ScyllaHide and x64dbg.
-
Member
Well, that explains everything. Alrighty then, I'm no longer lost.
-
Active Member
Originally Posted by
ChrisIsMe
No, this is a dumped exe with ScyllaHide and x64dbg.
May I ask how you dumped that exe file, or is there anywhere it's possible to get hands on that file?
-
Contributor
Originally Posted by
NoxiaZ
May I ask how you dumped that exe file, or is there anywhere it's possible to get hands on that file?
https://www.ownedcore.com/forums/wor...ow-memory.html (How to Dump Wow from Memory....)
-
Active Member
Originally Posted by
ChrisIsMe
I'm gonna look into that. Thank you so much for the link and the time spent helping.
-
Active Member
Originally Posted by
charles420
.data:0000000002546680 00 00 00 00 00 00 00 00 SpellBookNumSpells
.data:0000000002546688 00 00 00 00 00 00 00 00 SpellBookSpellsPtr
There's the same two for mounts as well:
.data:0000000002546720 00 00 00 00 MountBookNumMounts
.data:0000000002546728 00 00 00 00 00 00 00 00 MountBookMountsPtr
Thanks for the offsets, yet I'm still trying to figure out how to read the SpellBookSpellsPtr. I think I have a lot to learn when it comes to reverse engineering.
-
Active Member
@ChrisIsMe
@charles420
Thank you both for the effort you put into helping. I have now figured out how spell cooldowns work, and I also figured out how to read from the spellbook.
Again, thank you a lot.
EDIT:
Posted my solution here: https://www.ownedcore.com/forums/wor...dtoscreen.html ([Classic] 1.13.2.32089 - SpellBook, Cooldowns, WorldToScreen)
Last edited by NoxiaZ; 10-18-2019 at 09:30 AM.
-
Post Thanks / Like - 2 Thanks