Offset For 33598

[linmerovingian]

public class ObjectManager
{
public static int ObjectManagerPtr = 0x235BC58; //33598
public static int ObjectGUID = 0x58;
public static int ObjectTYPE = 0x20;
public static int FirstObject = 0x18;
public static int NextObject = 0x70;
}
public class GameInfo
{
public static int IsLoadingOrConnecting = 0x2249CF0; //33598
public static int InGameFlag = 0x257DE40; //33598
public static int LocalPlayerGUID = 0x265C7F0; //33598
public static int LocalPlayerName = 0x265C808; //33598
public static int LocalRealm = 0x265C038; //33598
public static int LocalRealmOffSet = 0x420;
public static int MouseoverGUID = 0x257DE48; //33598
public static int TargetGuid = 0x21B6858 + 0x48; //33598
public static int PetGuid = 0x258CD9C; //33598
public static int LastHardwareAction = 0x229BE60;
public static int GameVersion = 0x1C2154C; //33598
public static int GameBuild = 0x1C21554; //33598
public static int Timestamp = 0x229B40C; //33598
}
public class Lua
{
public static int LuaDostringPtr = 0x31D980; //33598
public static int LuaGetTextPtr = 0x31A280; //33598

}

[mucyii]

how to get container inf?

[xbec]

i cann't get the objectname,what can i do?

Code:

var mgr = memory.Read<IntPtr>(new IntPtr(0x235BC58), true);
            var curObjPtr = memory.Read<IntPtr>(mgr + 0x18);
            var list = new List<WoWObject>();
            while (curObjPtr != IntPtr.Zero && curObjPtr.ToInt64() % 2 == 0)
            {
                var curObj = memory.Read<WoWObject>(curObjPtr);
                var guid = memory.Read<SmartGuid>(curObj.Descriptors);
                list.Add(curObj);
                curObjPtr = memory.Read<IntPtr>(curObjPtr + 0x70);
            }

[Geneditor]

i cann't get the objectname,what can i do?

Code:

var mgr = memory.Read<IntPtr>(new IntPtr(0x235BC58), true);
            var curObjPtr = memory.Read<IntPtr>(mgr + 0x18);
            var list = new List<WoWObject>();
            while (curObjPtr != IntPtr.Zero && curObjPtr.ToInt64() % 2 == 0)
            {
                var curObj = memory.Read<WoWObject>(curObjPtr);
                var guid = memory.Read<SmartGuid>(curObj.Descriptors);
                list.Add(curObj);
                curObjPtr = memory.Read<IntPtr>(curObjPtr + 0x70);
            }

Thank you for asking this question.

I would also be interested in a working example on how to iterate the object list in current WoW Classic. A lot of information you can find online seems to be obsolete. My question would be:

1. In the past it seemed to be necessary to add a ClientConnection pointer to the ObjectMangerPtr. Is this still necessary? If yes, where can I find this pointer?

2. What is the exact layout of the WoWObject structure? What are the fields and datatypes?

I think a minimal working example of how to iterate the object list would speak for itself and could be helpful for many people.

[ejt]

I'm sure the proper way to iterate over objects is well documented in the forums but just so people stop asking:

Code:

struct TSGrowableArray
{
	int32_t Count;
	int32_t unk_04;
	int32_t Allocated;
	int32_t unk_0C;
	uintptr_t Data; // TSList
};

struct TSLink
{
	uintptr_t PrevLink; // TSLink
	uintptr_t Next;
};

struct TSList
{
	int32_t object_size; // almost certain its object_size
	int32_t unk_04; // possibly flags
	TSLink Link;
};

struct TSHashTable
{
	uintptr_t vtable;
	TSList List;
	TSGrowableArray Array;
	int32_t SlotMask;
	int32_t unk_03C;
	int32_t unk_040;
	int32_t unk_044;
	int32_t unk_048;
	int32_t unk_04C;
};

struct CGObjectManager
{
	TSHashTable ActiveObjects;	// 0x000
	TSHashTable InvalidObjects;	// 0x050
	TSList unk_0A0[14];			// 0x0A0
	TSList VisibleObjects;		// 0x1F0
	ObjectGuid LocalGuid;		// 0x220
	uint32_t CurMapId;			// 0x230
};

struct CGObject
{
	uintptr_t vptr;			// 0x000
	uintptr_t unk_008;		// 0x008
	uintptr_t Descriptors;	// 0x010
	uintptr_t unk_018;		// 0x018
	ObjectTypeId TypeId;	// 0x020
	ObjectTypeId TypeId2;	// 0x021
	uint16_t unk_022;		// 0x022
	ObjectTypeFlag TypeFlag;// 0x024
	uintptr_t unk_028;		// 0x028
	uintptr_t unk_030;		// 0x030
	uintptr_t unk_038;		// 0x038
	uintptr_t NextObject;	// 0x040
	uintptr_t ObjectMgr;	// 0x048
	uintptr_t unk_050;		// 0x050
	ObjectGuid Guid;		// 0x058
// ....
};

Code:

uintptr_t curObj = curmgr->ActiveObjects.List.Link.Next;
while (!(curObj & 1) && curObj)
{
	CGObject obj = clepta::memory::read<CGObject>(state, curObj);

	// ...

	// next object
	curObj = obj.NextObject;
}

haven't confirmed the structures in a while it is a working example

[xbec]

error...rereply

[xbec]

Thank you for asking this question.

I would also be interested in a working example on how to iterate the object list in current WoW Classic. A lot of information you can find online seems to be obsolete. My question would be:

1. In the past it seemed to be necessary to add a ClientConnection pointer to the ObjectMangerPtr. Is this still necessary? If yes, where can I find this pointer?

2. What is the exact layout of the WoWObject structure? What are the fields and datatypes?

I think a minimal working example of how to iterate the object list would speak for itself and could be helpful for many people.

my code can be working. ..
objManagerPtr = 0x235BC58 1.13.3.33598
iterate the object list：
objMangerPtr + 0x18 = curObjPtr
cruObjPtr+0x70 = nextObjPtr

Code:

    internal struct WoWObject
    {
        public IntPtr VTable;
        public IntPtr LegionExtra;
        public IntPtr Descriptors;
        public int unk2;
        public int TypeMask;
        public IntPtr unk4;
        public IntPtr unk5;
        public IntPtr unk6;
        public IntPtr unk7;
        public IntPtr unk8;
        public IntPtr unk9;
        public IntPtr unk10;
        public SmartGuid Guid;
    }

Code:

// Look https://github.com/TrinityCore/TrinityCore/blob/c674a3a18843c79b133600667f0b2bfc4c3d6594/src/server/game/Entities/Object/ObjectGuid.h#L79
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct SmartGuid
    {
        public ulong Low;
        public ulong High;

        public GuidType Type
        {
            get { return (GuidType)(High >> 58); }
            set { High |= (ulong)value << 58; }
        }

        public int SubType
        {
            get { return (int)(Low >> 56); }
            set { Low |= (ulong)value << 56; }
        }

        public ushort RealmId
        {
            get { return (ushort)((High >> 42) & 0x1FFF); }
            set { High |= (ulong)value << 42; }
        }

        public ushort ServerId
        {
            get { return (ushort)((Low >> 40) & 0x1FFF); }
            set { Low |= (ulong)value << 40; }
        }

        public ushort MapId
        {
            get { return (ushort)((High >> 29) & 0x1FFF); }
            set { High |= (ulong)value << 29; }
        }

        public uint Id
        {
            get { return (uint)(High & 0xFFFFFF) >> 6; }
            set { High |= (ulong)value << 6; }
        }

        public ulong CreationBits
        {
            get { return Low & 0xFFFFFFFFFF; }
            set { Low |= value; }
        }

        public override string ToString()
        {
            if (Type == GuidType.Player)
                return $"{Type}-{RealmId}-{CreationBits:X8}";
            return $"{High:X16}{Low:X16}";
        }
    }

    public enum GuidType
    {
        None = 0,
        Uniq = 1,
        Player = 2,
        Item = 3,
        WorldTransaction = 4,
        StaticDoor = 5,
        Transport = 6,
        Conversation = 7,
        Creature = 8,
        Vehicle = 9,
        Pet = 10,
        GameObject = 11,
        DynamicObject = 12,
        AreaTrigger = 13,
        Corpse = 14,
        LootObject = 15,
        SceneObject = 16,
        Scenario = 17,
        AIGroup = 18,
        DynamicDoor = 19,
        ClientActor = 20,
        Vignette = 21,
        CallForHelp = 22,
        AIResource = 23,
        AILock = 24,
        AILockTicket = 25,
        ChatChannel = 26,
        Party = 27,
        Guild = 28,
        WowAccount = 29,
        BNetAccount = 30,
        GMTask = 31,
        MobileSession = 32,
        RaidGroup = 33,
        Spell = 34,
        Mail = 35,
        WebObj = 36,
        LFGObject = 37,
        LFGList = 38,
        UserRouter = 39,
        PVPQueueGroup = 40,
        UserClient = 41,
        PetBattle = 42,
        UniqUserClient = 43,
        BattlePet = 44,
        CommerceObj = 45,
        ClientSession = 46,
        Cast = 47,
    }

[xbec]

I'm sure the proper way to iterate over objects is well documented in the forums but just so people stop asking:

Code:

struct TSGrowableArray
{
	int32_t Count;
	int32_t unk_04;
	int32_t Allocated;
	int32_t unk_0C;
	uintptr_t Data; // TSList
};

struct TSLink
{
	uintptr_t PrevLink; // TSLink
	uintptr_t Next;
};

struct TSList
{
	int32_t object_size; // almost certain its object_size
	int32_t unk_04; // possibly flags
	TSLink Link;
};

struct TSHashTable
{
	uintptr_t vtable;
	TSList List;
	TSGrowableArray Array;
	int32_t SlotMask;
	int32_t unk_03C;
	int32_t unk_040;
	int32_t unk_044;
	int32_t unk_048;
	int32_t unk_04C;
};

struct CGObjectManager
{
	TSHashTable ActiveObjects;	// 0x000
	TSHashTable InvalidObjects;	// 0x050
	TSList unk_0A0[14];			// 0x0A0
	TSList VisibleObjects;		// 0x1F0
	ObjectGuid LocalGuid;		// 0x220
	uint32_t CurMapId;			// 0x230
};

struct CGObject
{
	uintptr_t vptr;			// 0x000
	uintptr_t unk_008;		// 0x008
	uintptr_t Descriptors;	// 0x010
	uintptr_t unk_018;		// 0x018
	ObjectTypeId TypeId;	// 0x020
	ObjectTypeId TypeId2;	// 0x021
	uint16_t unk_022;		// 0x022
	ObjectTypeFlag TypeFlag;// 0x024
	uintptr_t unk_028;		// 0x028
	uintptr_t unk_030;		// 0x030
	uintptr_t unk_038;		// 0x038
	uintptr_t NextObject;	// 0x040
	uintptr_t ObjectMgr;	// 0x048
	uintptr_t unk_050;		// 0x050
	ObjectGuid Guid;		// 0x058
// ....
};

Code:

uintptr_t curObj = curmgr->ActiveObjects.List.Link.Next;
while (!(curObj & 1) && curObj)
{
	CGObject obj = clepta::memory::read<CGObject>(state, curObj);

	// ...

	// next object
	curObj = obj.NextObject;
}

haven't confirmed the structures in a while it is a working example

Thanks for your reply, ejt. I really appreciate what you have done in the community.A lot of my knowledge comes from your enthusiastic reply!
= = =
I mean when you iterate over the objectManager.How to get the name,level,hp or mana etc of creature, NPC, player.

[Geneditor]

Thank you for your answers. Based on your information I am trying to read all objects, but the first object pointer already evaluates to an odd address, so the loop is never entered.

Running 64bit WowClassic, my application is also 64bit. Here is the code:

Code:

#include  "stdafx.h"
#include  <stdint.h>
#include  <Windows.h>
#include  <Psapi.h>
#include  <TlHelp32.h>

struct TSGrowableArray
{
	uint32_t Count;
	uint32_t unk_04;
	uint32_t Allocated;
	uint32_t unk_0C;
	uintptr_t Data; // TSList
};

struct TSLink
{
	uintptr_t PrevLink; // TSLink
	uintptr_t Next;
};

struct TSList
{
	uint32_t object_size; // almost certain its object_size
	uint32_t unk_04; // possibly flags
	TSLink Link;
};

struct TSHashTable
{
	uintptr_t vtable;
	TSList List;
	TSGrowableArray Array;
	uint32_t SlotMask;
	uint32_t unk_03C;
	uint32_t unk_040;
	uint32_t unk_044;
	uint32_t unk_048;
	uint32_t unk_04C;
};

struct ObjectGuid {
	uint64_t high;
	uint64_t low;
};

typedef uint8_t ObjectTypeId;
typedef uint32_t ObjectTypeFlag;

struct CGObjectManager
{
	TSHashTable ActiveObjects;	// 0x000
	TSHashTable InvalidObjects;	// 0x050
	TSList unk_0A0[14];			// 0x0A0
	TSList VisibleObjects;		// 0x1F0
	ObjectGuid LocalGuid;		// 0x220
	uint32_t CurMapId;			// 0x230
};

struct CGObject
{
	uintptr_t vptr;			// 0x000
	uintptr_t unk_008;		// 0x008
	uintptr_t Descriptors;	// 0x010
	uintptr_t unk_018;		// 0x018
	ObjectTypeId TypeId;	// 0x020
	ObjectTypeId TypeId2;	// 0x021
	uint16_t unk_022;		// 0x022
	ObjectTypeFlag TypeFlag;// 0x024
	uintptr_t unk_028;		// 0x028
	uintptr_t unk_030;		// 0x030
	uintptr_t unk_038;		// 0x038
	uintptr_t NextObject;	// 0x040
	uintptr_t ObjectMgr;	// 0x048
	uintptr_t unk_050;		// 0x050
	ObjectGuid Guid;		// 0x058
};

class WoWMemoryReader {

private:
	HANDLE phandle;
	DWORD_PTR baseAddress;

public:
	bool Open() {
		HWND hwnd = FindWindow(NULL, L"World of Warcraft");
		if (!hwnd)
		{
			return false;
		}

		DWORD pid;
		GetWindowThreadProcessId(hwnd, &pid);

		phandle = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
		if (!phandle)
		{
			return false;
		}

		baseAddress = GetModuleBase(L"WowClassic.exe", pid);
		return true;
	}

	template<typename T>
	T read(DWORD_PTR addr)
	{
		T val;
		unsigned char* address = (unsigned char*)baseAddress;
		address += addr;
		bool success = ReadProcessMemory(phandle, address, &val, sizeof(T), 0);
		return val;
	}

private:

	DWORD_PTR GetModuleBase(const WCHAR* lpModuleName, DWORD procId)
	{
		MODULEENTRY32 lpModuleEntry = { 0 };
		HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, procId);
		if (!hSnapShot)
			return NULL;
		lpModuleEntry.dwSize = sizeof(lpModuleEntry);
		BOOL bModule = Module32First(hSnapShot, &lpModuleEntry);
		while (bModule)
		{
			if (!wcscmp(lpModuleEntry.szModule, lpModuleName))
			{
				CloseHandle(hSnapShot);
				return (DWORD_PTR)lpModuleEntry.modBaseAddr;
			}
			bModule = Module32Next(hSnapShot, &lpModuleEntry);
		}
		CloseHandle(hSnapShot);
		return NULL;
	}
};

int main()
{
	WoWMemoryReader reader;
	reader.Open();
       
       // The memory reader initializes without error.

	CGObjectManager curmgr = reader.read<CGObjectManager>(0x235BC58);
	uintptr_t curObj = curmgr.ActiveObjects.List.Link.Next;

	// Not entering the loop because curObj % 2 == 1.

	while (!(curObj & 1) && curObj)
	{
		CGObject obj = reader.read<CGObject>(curObj);
		curObj = obj.NextObject;
	}
	return 0;
}

Can you spot any errors? (Of course better error handling etc., but reading memory works fine, it's just that the read data is wrong.)
Could it be a problem with the base address? It is definetly not 0x0 and I double checked it, it is the same I get from Process.MainModule.BaseAddress in the C# world.
Also TargetGUID can be read properly, so base address should be fine I hope.

[xbec]

uintptr_t mgrPtr = reader.read<uintptr_t >(0x235BC5; //mgrPtr
uintptr_t curPtr= reader.read<uintptr_t >(mgrPtr + 0x1; //curPtr
next:
uintptr_t curPtr= reader.read<uintptr_t >(curPtr + 0x70); //nextPtr

[Geneditor]

Thanks a lot.

Based on this information, I was able to extract health and mana information, as well as world coordinates:

// descriptor
// 0x10 descriptor offset (relative to object)
// offsets below are relative to descriptor
// 0xDC current health
// 0xE4 current mana
// 0xFC max health
// 0x104 max mana


// position x, y, z (relative to object)
// 0x1600
// 0x1604
// 0x1608

[ejt]

Thank you for your answers. Based on your information I am trying to read all objects, but the first object pointer already evaluates to an odd address, so the loop is never entered.

Running 64bit WowClassic, my application is also 64bit. Here is the code:

Code:

#include  "stdafx.h"
#include  <stdint.h>
#include  <Windows.h>
#include  <Psapi.h>
#include  <TlHelp32.h>

struct TSGrowableArray
{
	uint32_t Count;
	uint32_t unk_04;
	uint32_t Allocated;
	uint32_t unk_0C;
	uintptr_t Data; // TSList
};

struct TSLink
{
	uintptr_t PrevLink; // TSLink
	uintptr_t Next;
};

struct TSList
{
	uint32_t object_size; // almost certain its object_size
	uint32_t unk_04; // possibly flags
	TSLink Link;
};

struct TSHashTable
{
	uintptr_t vtable;
	TSList List;
	TSGrowableArray Array;
	uint32_t SlotMask;
	uint32_t unk_03C;
	uint32_t unk_040;
	uint32_t unk_044;
	uint32_t unk_048;
	uint32_t unk_04C;
};

struct ObjectGuid {
	uint64_t high;
	uint64_t low;
};

typedef uint8_t ObjectTypeId;
typedef uint32_t ObjectTypeFlag;

struct CGObjectManager
{
	TSHashTable ActiveObjects;	// 0x000
	TSHashTable InvalidObjects;	// 0x050
	TSList unk_0A0[14];			// 0x0A0
	TSList VisibleObjects;		// 0x1F0
	ObjectGuid LocalGuid;		// 0x220
	uint32_t CurMapId;			// 0x230
};

struct CGObject
{
	uintptr_t vptr;			// 0x000
	uintptr_t unk_008;		// 0x008
	uintptr_t Descriptors;	// 0x010
	uintptr_t unk_018;		// 0x018
	ObjectTypeId TypeId;	// 0x020
	ObjectTypeId TypeId2;	// 0x021
	uint16_t unk_022;		// 0x022
	ObjectTypeFlag TypeFlag;// 0x024
	uintptr_t unk_028;		// 0x028
	uintptr_t unk_030;		// 0x030
	uintptr_t unk_038;		// 0x038
	uintptr_t NextObject;	// 0x040
	uintptr_t ObjectMgr;	// 0x048
	uintptr_t unk_050;		// 0x050
	ObjectGuid Guid;		// 0x058
};

class WoWMemoryReader {

private:
	HANDLE phandle;
	DWORD_PTR baseAddress;

public:
	bool Open() {
		HWND hwnd = FindWindow(NULL, L"World of Warcraft");
		if (!hwnd)
		{
			return false;
		}

		DWORD pid;
		GetWindowThreadProcessId(hwnd, &pid);

		phandle = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
		if (!phandle)
		{
			return false;
		}

		baseAddress = GetModuleBase(L"WowClassic.exe", pid);
		return true;
	}

	template<typename T>
	T read(DWORD_PTR addr)
	{
		T val;
		unsigned char* address = (unsigned char*)baseAddress;
		address += addr;
		bool success = ReadProcessMemory(phandle, address, &val, sizeof(T), 0);
		return val;
	}

private:

	DWORD_PTR GetModuleBase(const WCHAR* lpModuleName, DWORD procId)
	{
		MODULEENTRY32 lpModuleEntry = { 0 };
		HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, procId);
		if (!hSnapShot)
			return NULL;
		lpModuleEntry.dwSize = sizeof(lpModuleEntry);
		BOOL bModule = Module32First(hSnapShot, &lpModuleEntry);
		while (bModule)
		{
			if (!wcscmp(lpModuleEntry.szModule, lpModuleName))
			{
				CloseHandle(hSnapShot);
				return (DWORD_PTR)lpModuleEntry.modBaseAddr;
			}
			bModule = Module32Next(hSnapShot, &lpModuleEntry);
		}
		CloseHandle(hSnapShot);
		return NULL;
	}
};

int main()
{
	WoWMemoryReader reader;
	reader.Open();
       
       // The memory reader initializes without error.

	CGObjectManager curmgr = reader.read<CGObjectManager>(0x235BC58);
	uintptr_t curObj = curmgr.ActiveObjects.List.Link.Next;

	// Not entering the loop because curObj % 2 == 1.

	while (!(curObj & 1) && curObj)
	{
		CGObject obj = reader.read<CGObject>(curObj);
		curObj = obj.NextObject;
	}
	return 0;
}

Can you spot any errors? (Of course better error handling etc., but reading memory works fine, it's just that the read data is wrong.)
Could it be a problem with the base address? It is definetly not 0x0 and I double checked it, it is the same I get from Process.MainModule.BaseAddress in the C# world.
Also TargetGUID can be read properly, so base address should be fine I hope.

Code:

	template<typename T>
	T read(DWORD_PTR addr)
	{
		T val;
		unsigned char* address = (unsigned char*)baseAddress;
		address += addr;
		bool success = ReadProcessMemory(phandle, address, &val, sizeof(T), 0);
		return val;
	}

you are adding base address to all your reads, you only need to add base address if its a non-based address like the object manager address.

[xbec]

Thanks a lot.

Based on this information, I was able to extract health and mana information, as well as world coordinates:

// descriptor
// 0x10 descriptor offset (relative to object)
// offsets below are relative to descriptor
// 0xDC current health
// 0xE4 current mana
// 0xFC max health
// 0x104 max mana


// position x, y, z (relative to object)
// 0x1600
// 0x1604
// 0x1608

is right.thx! curobj name you can read it?

[linmerovingian]

UnitName1 = 0x17B8,
UnitName2 = 0xE0,
ObjectName1 = 0x478,
ObjectName2 = 0xE0,

readstring ((ptr+1)+2)

untested.

[Lvv]

thanks
I found that you posted 2 ways to get the object. What is the difference between them? Thank you