[?] Retrieving Struct Pointer the fast way?

[Zephir]

Hello,

I watched many people retrieving all the pointers in no time by iterating through WoW Threads. This method seems to be around in this forum too.

I code in AutoIt and it does not have even half of the methods that are used in C++ StructPointer Programms... is anyone so kind to explain to me what is exactly done so that I can work my way around using DllCalls() and what not

Thank you in advance.

[Xarg0]

I'm not sure if everthing I'll explain is correct, since I didn't write any code to check if it's correct, but here is how you retrive the base pointer to the wowstruct with the tls method.
At first you read the value from E5C284, this adress contains the number of the tls_slot that points to the struct as an unsigned integer.
Now we need to obtain the tls index adress, at first you need an open threadhandle then you'll do a ntqueryinformationthread() to obtain the threadbasicinformation, the threadbasicinformation structure contains a pointer to the TEB, at the Offset 2c there is a pointer to the tls-index, you'll have to save the tls index Adress, next you obtain the pointer from the tls slot by reading it from the memory at [TLS_Index+TLS_slot*4] you have to multiply the tls_slot number with 4 because each tls_slot is 4bytes long, the next step is to add 0x8 to the Adress you obtained from the tls_slot, et voila you have the basepointer to the wowObject Linked list, you can now use all the known offsets to obtain data from wow, each Object in the Linked list holds a pointer to the next and the previous one, you can recognize the last object of the linked list since it's next objectptr will be 0x1C
I hope I made no mistake in my explaination ^^
mfg Xarg0

[Zephir]

very nice. I get it.

How do you get E5C284? Is this something rooted into the game core so it never changes? or will I have to hunt it down every patch?


p.s.
+Rep

[Cypher]

Hunt it down every patch, but it's easy to find. Open up WoW with IDA and type in "TlsIndex" in the "Names" window. Double click the variable to follow it to its location, then copy the offset it's stored at. Takes a total of about 3 seconds.

Check out this thread, it has the method in several languages, Delphi, C# and I think a half-done AutoIt one.

WoW.DeV • View topic - Proof of concept code - WoW memory reading