[Retail] Some Offsets 8.3.0.34963

  1. #16
    GlittPrizes
    Originally Posted by SailorMars

    At the beginning of the function, the mov rdx, [rbp+38h] loads the caller's return address. Then the function checks that the value of rdx is within some valid range and that the memory prior to the return address really contains a 5-byte CALL opcode like this:
    Code:
     E8 ?? ?? ?? ??
    Does this go for all functions that start like this? Can you call them higher in the chain (something above that calls it)?

    Also, is it better to use the VMT for interacting compared to FramescriptExecute commands, or are they both suspect due to the lack of a hardware event?
    Last edited by GlittPrizes; 07-20-2020 at 10:57 AM.

  2. #17
    SailorMars
    Originally Posted by hycolyte
    Does this go for all functions that start like this? Can you call them higher in the chain (something above that calls it)?

    Also, is it better to use the VMT for interacting compared to FramescriptExecute commands, or are they both suspect due to the lack of a hardware event?
    The OBFUSCATED functions normally have this kind of check hidden. They require a lot of manual work to patch the obfuscation code in order to de-compile them, thus revealing the checks. Probably that is why they hide the check there. For normal functions, it is easy to de-compile them and hence to spot the code doing the check.

    Most of the checks only check the immediate caller. So it is safe to call from higher up in the call chain - but I can't guarantee anything.

    I've no experience with VMT and framescript_execute. Perhaps some experts can shed some light on this.
    Last edited by SailorMars; 07-20-2020 at 12:18 PM.

  3. #18
    doityourself
    It's always the same pattern for these checks. The ret address/call checks are not obfuscated at all, so you can just pattern search these. Also, if IDA fails to analyze 'obfuscated' functions, it's pretty easy to just fix the wrongly analyzed jumps to be able to decompile the funcs.
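
The caller check discussed in posts #16 to #18 (return address inside a valid range, preceded by a 5-byte `E8 ?? ?? ?? ??` CALL), written from the side of the code doing the validation. This is an added example, not code from the thread or from the game client. The byte buffer, the offsets and all names are constructed, and the final rel32 target comparison is an extra hardening step that goes beyond what the posts describe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ret_check { RET_OK, RET_OUT_OF_RANGE, RET_NOT_CALL, RET_WRONG_TARGET };

/* Constructed 32-byte code region: NOP padding plus three near CALLs.
 * Assumption: the protected function starts at offset 0x10. */
#define CALLEE_OFF 0x10
static const uint8_t sample_image[32] = {
    0x90, 0x90, 0xE8, 0x09, 0x00, 0x00, 0x00, 0x90, /* 0x02: call 0x10 */
    0xE8, 0x0B, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90, /* 0x08: call 0x18 */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0xE8, 0xF1, 0xFF, 0xFF, 0xFF, 0x90, /* 0x1A: call 0x10 */
};

/* ret_off and callee_off are offsets into image[0..size). */
enum ret_check check_return_site(const uint8_t *image, size_t size,
                                 size_t ret_off, size_t callee_off)
{
    /* Range check: the return address must lie inside the trusted region
     * and leave room for a 5-byte instruction in front of it. */
    if (ret_off < 5 || ret_off >= size)
        return RET_OUT_OF_RANGE;

    /* Opcode check: the 5 bytes before the return address must be E8 rel32. */
    const uint8_t *insn = image + ret_off - 5;
    if (insn[0] != 0xE8)
        return RET_NOT_CALL;

    /* Added hardening: decode the little-endian rel32 and require that the
     * CALL really targets the protected function (target = ret + rel32). */
    uint32_t raw = (uint32_t)insn[1] | (uint32_t)insn[2] << 8 |
                   (uint32_t)insn[3] << 16 | (uint32_t)insn[4] << 24;
    int64_t target = (int64_t)ret_off + (int32_t)raw;
    return target == (int64_t)callee_off ? RET_OK : RET_WRONG_TARGET;
}

int main(void)
{
    const size_t rets[] = { 0x07, 0x0D, 0x14, 0x1F, 0x40 };
    for (size_t i = 0; i < sizeof rets / sizeof rets[0]; i++)
        printf("ret=0x%02zx -> %d\n", rets[i],
               check_return_site(sample_image, sizeof sample_image,
                                 rets[i], CALLEE_OFF));
    return 0;
}
```

A check that stops at the opcode byte accepts the return site at 0x0D even though that CALL goes to a different function; the target comparison is what rejects it.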

  4. #19
    xalcon
    Originally Posted by SailorMars
    didn't check the others, but the healthMax is wrong, should be 0x1590, health is 0x1588/0x1378
    Since I've not seen anyone mention the reason for the 2 Health Values, this is what I've found out:
    The function CGUnit_C::GetDisplayedHealth @ 0xD63500 uses both values, depending on a configuration value which is stored at [[wow.exe + 0x2A6A948] + 0x5C]. I assume 0x2A6A948 is the offset to the CVar stuff, but the 5C offset is in fact a CVar called "predictedHealth". If that CVar is 0, the client will use the health value stored at Unit+0x1588, otherwise it will use Unit+0x1378. The default setting for "predictedHealth" is 1.
    CVar predictedHealth - Wowpedia - Your wiki guide to the World of Warcraft