-
[Retail] Some Offsets 8.3.0.34963
All are offset from the base. I don't have CTM set up yet, so I don't have that offset.
Code:
EnumVisibleObjects = 0xFA6980
FrameScriptGetText = 0x513530
FrameScriptExecute = 0x50F6B0
-
Code:
CGGameUI__m_minimapZoneText = 0x2A6A600,
CGGameUI__m_zoneText = 0x2A6AD20
PlayerNameCache = 0x2593BE0,
CorpsePosition = 0x27C2D80,
ObjectMgrPtr = 0x29D2ED0,
UnitName = 2D0 F8,
ObjName = 108 E0,
CActorManager__Get 0x140DA2460
CActorManager__GetActor 0x140DA2470
CActorManager__GetActorUnit 0x140DA2540
CCameraManager__GetYaw 0x1416021B0
CCameraManager__Instance 0x141602100
CCameraShot__CalcYawPitch 0x14166EEC0
CGBattlefieldInfo__GetArenaOpponentPet 0x1412717B0
CGBattlefieldInfo__m_arenaOpponents 0x141271720
CGChat__m_afk 0x1411B1780
CGCommentator__GetPlayerGUID 0x1401BB1D0
CGCommentator__s_Commentator 0x141358670
CGGameObject_C__GetName 0x140E024D0
CGGameUI__CanPerformAction 0x141332980
CGGameUI__ClosestObjectMatch 0x14116B500
CGGameUI__GetRealmAddressFromName 0x141670D50
CGGameUI__m_currentObjectTrack 0x141170D40
CGGameUI__m_currentObjectTypeTrack 0x140EBDA70
CGInputControl__GetActive 0x141609070
CGInputControl__SetControlBit 0x14160A6C0
CGInputControl__UnsetControlBit 0x14160B5F0
CGInputControl__UpdateMouseMode 0x14160BA40
CGInputControl__UpdatePlayer 0x14160BB40
CGInstanceEncounter_C__GetBoss 0x1414FBAE0
CGParty__FindMember 0x140CA92C4
CGPartyMemberStateRepository__GetState 0x141522EE0
CGPlayer_C__GetAutoRangedCombatSpell 0x140CB5D5C
CGPlayer_C__m_activePlayerPtr 0x140CF6D00
CGPlayer_C__PushQuestToParty 0x140CFDD90
CGPlayer_C__UnitIsTrivial 0x140CCAA20
CGQuestInfo__m_npcInform 0x14152C5C0
CGSpellBook__m_autoRangedCombatSpell_0 0x1411EBAF0
CGUIBinding__CompareKey 0x1404D8120
CGUIBindings__Bind 0x1413DC020
CGUIBindings__GetBindingText 0x1413DDCB0
CGUIBindings__GetCommandKey 0x1413DE300
CGUIBindings__GetReducedKeyBinding 0x1413DE920
CGUnit_C__Dismount 0x140D5FE70
CGUnit_C__GetControllingPlayer 0x140D62670
CGUnit_C__GetDisplayClassName 0x140D62FF0
CGUnit_C__GetDisplayClassNameFromRecord 0x140D5F050
CGUnit_C__GetDisplayRaceName 0x140D633D0
CGUnit_C__GetUnitName 0x140D69490
CGUnit_C__IsRidingVehicle 0x140ED8010
CGUnit_C_GetPosition 0x14017F1C0
CGWorldFrame__GetActiveCamera 0x14118ED40
CGWorldFrame__GetActiveCamera_Maybe 0x140CF6950
ClientServices__Connection 0x1401BAFB0
ClientServices__GetCharacterName 0x1401BB200
ClientServices__Send 0x1401BCEC0
ClntObjMgrObjectDisplayPtr 0x140FAB040
ClntObjMgrObjectPtr 0x140FAB0C0
CM2Model__SetWorldTransform 0x1416A9520
CMath__normalizeAngleNegPiToPi_ 0x14113FC70
CompareUnitType 0x14026ACB8
CPassenger__GetPosition 0x140C5D290
DBCache__GetRecord 0x14055CBF0
DetermineDisplayRace 0x140D5F1F0
finite 0x140277B84
fmodf 0x141C97C08
FrameScript_DoesClipChildren 0x1406C6476
FrameScript_Execute 0x14050F6B0
FrameScript_GetDontSavePosition 0x1406B7D31
FrameScript_GetDuration 0x1407F9EB3
FrameScript_GetEffectivelyFlattensRenderLayers 0x1406C4B90
FrameScript_GetEndDelay 0x1407F9768
FrameScript_GetFieldSize 0x1401443E0
FrameScript_GetFlattensRenderLayers 0x1406C4328
FrameScript_GetProgress 0x140818076
FrameScript_GetScale 0x14076E174
FrameScript_GetStartDelay 0x1407740AB
FrameScript_GetText 0x140513530
FrameScript_IsDone 0x140701888
FrameScript_IsIgnoringParentScale_0 0x1406FF1F8
FrameScript_IsMouseClickEnabled 0x1406BA4E0
FrameScript_IsMouseMotionEnabled 0x1406BA6A0
FrameScript_IsMovable 0x1406B4478
FrameScript_IsPlaying 0x14070C030
FrameScript_IsResizable 0x1406BA050
FrameScript_IsUserPlaced 0x1406BA222
FrameScript_IsVisible_1 0x1406AC6B9
FrameScript_SetDontSavePosition 0x140322D70
FrameScript_SetEndPoint 0x1405ECAC0
FrameScript_SetStartPoint 0x1405CC197
FrameScript_SignalEvent 0x140B61E70
FrameTime_GetCurTimeMs 0x14049CE10
GetCameraBasePtr 0x140555680
GetInGameFlag 0x141177C50
GetIsLoadingOrConnecting 0x140184740
GetObjectMgrPtr_Maybe 0x140FAEFC0
GetRuneReady 0x1414FF430
index2adr 0x1401D04B0
Item_GetSpellIdById 0x140DCFA40
lua_error 0x1419A5560
Lua_isguid 0x1405160B0
Lua_isnumber 0x1401D1290
lua_isstring 0x1401D12C0
Lua_pushboolean 0x1401D15F0
Lua_pushnil 0x1401D1860
lua_pushnumber 0x1401D1880
Lua_pushstring 0x1401D18A0
Lua_stormassert 0x1401CAED0
Lua_toboolean 0x1401D2410
Lua_toguid 0x1405162D0
Lua_tolstring 0x1401D24F0
Lua_tonumber 0x1401D2470
Lua_tonumber_0 0x1401D2590
LuaC_step 0x1401D50B0
LuaO_str2d 0x1401C7FA0
LuaV_tonumber 0x1401D0230
LuaV_tostring 0x1401D02A0
Math_acos 0x1419A7000
Math_asin 0x1419A6FD0
Math_atan 0x1419A7030
Math_atan2 0x1419A7060
Math_ceil 0x1419A70B0
Math_cos 0x1419A6F10
Math_cosh 0x1419A6F40
Math_deg 0x1419A73A0
Math_exp 0x1419A7330
Math_floor 0x1419A7130
Math_fmod 0x1419A71B0
Math_frexp 0x1419A73E0
Math_ldexp 0x1419A7420
Math_log 0x1419A72D0
Math_log10 0x1419A7300
Math_max 0x1419A74F0
Math_modf 0x1419A7200
Math_pow 0x1419A7280
Math_random 0x1419A7570
Math_sin 0x1419A6EB0
Math_sinh 0x1419A6EE0
Math_sqrt 0x1419A7250
Math_tan 0x1419A6F70
Math_tanh 0x1419A6FA0
ParseTrailingTokens 0x1416719A0
Party_FindMember 0x1412493C0
Party_HasMemberPet 0x14124AB00
PartyInfo_GetActiveParty 0x141249650
PetInfo_FindSpellById 0x1414326B0
PetInfo_SendPetAction 0x1414344D0
Player_LeaveCombatMode 0x140CB1D20
PlayerCliPushQuestToParty__PlayerCliPushQuestToParty 0x140675900
Script_arshift 0x1419ABF10
Script_assert 0x1419A7E90
Script_band 0x1419ABCA0
Script_bnot 0x1419ABC60
Script_bor 0x1419ABD30
Script_bxor 0x1419ABDC0
Script_collectgarbage 0x1419A7CA0
Script_error 0x1419A78C0
Script_gcinfo 0x1419A7C70
Script_GetGUIDFromString 0x141671C10
Script_GetGUIDFromToken 0x141670580
Script_GetGUIDFromToken 0x1416705C0
Script_GetGUIDFromToken_0 0x141671900
Script_GetNameFromToken 0x14024EE60
Script_lshift 0x1419ABE50
Script_mod 0x1419ABBD0
Script_rshift 0x1419ABEB0
Specialization_IsTalentSelectedById 0x1412A9810
Spell_C__ClickSpell 0x140B86A40
Spell_CancelAutoRepeat 0x140B82DF0
Spell_CancelCast 0x140B83460
Spell_CancelChannel 0x140B83030
Spell_GetMinMaxRange 0x140B8B9B0
Spell_GetSomeSpellInfo 0x141D6EB70
Spell_GetSpellCharges 0x140B8DC90
Spell_GetSpellCooldown 0x140B8E090
Spell_GetSpellType 0x140B6BC60
Spell_HandleTerrainClick 0x140B93580
Spell_IsInRange 0x140B9B420
Spell_IsPlayerSpell 0x1411F2A60
Spell_IsSpellKnown 0x140D71BE0
Spell_IsStealable 0x1411E8D20
Spell_SomeInfo 0x140BCA590
SpellBook_CastSpell 0x1411E8F70
SpellBook_FindSlotBySpellId 0x1411EB410
SpellBook_GetOverridenSpell 0x1411EBB00
SpellDB_GetRow 0x141D709D0
SpellDB_HasAttribute 0x141D70990
SStrToUnsigned 0x14015AD90
strcasecmp 0x14025C900
Unit_CanAttack 0x140D502B0
Unit_GetAuraByIndex 0x140B7B640
Unit_GetFacing 0x1401BB660
Unit_GetPower 0x141676E70
Unit_GetPowerMax 0x141677060
Unit_Interact 0x14117BA60
Unit_IsFriendly 0x140D70B80
WorldFrame_GetCurrent 0x141D894E0
WorldFrame_Intersect 0x1416A1DE0
WowClientDB_Base__GetRecordDataUnsafe 0x140462640
WowClientDB2__GetRecord 0x14055D970
Not guaranteed to be completely correct
I also want to find CTM to see what it is
Last edited by 34D; 07-02-2020 at 09:51 PM.
-
-
After some research, I seem to have found CTM
To be verified
-
Mostly the same. This is what I have for the Unit Objects:
Code:
Type: 0x10
Guid: 0x40
Position: 0x150
Rotation: 0x15C
Health: 0x1378
Power: 0x1380
PowerMax: 0x1788
Target GUID: 0x1548
HealthMax: 0x1588
Level: 0x1598
edit: As far as in-process goes, I want to access this stuff from the vtable though, right? I'll see if I can make sense of that to get proper functionality for interacting, targeting, etc.
Last edited by GlittPrizes; 07-03-2020 at 07:03 PM.
-
Originally Posted by
34D
How did you generate the list?
I tried to verify the list by incorporating it into my IDA db.
I know that after the initial static analysis of the exe, recognised functions have a function name automatically added, e.g. address 0x1c97c08 is named sub_1C97C08. Hence, I used a script to check whether the addresses listed above correspond to functions that IDA recognises.
The result is that the following addresses given in your list do not correspond to functions known to IDA (i.e. none of these addresses has a function name of the form sub_????? automatically added after the initial analysis):
Code:
offset 0x6c6476, FrameScript_DoesClipChildren
offset 0x6b7d31, FrameScript_GetDontSavePosition
offset 0x7f9eb3, FrameScript_GetDuration
offset 0x7f9768, FrameScript_GetEndDelay
offset 0x6c4328, FrameScript_GetFlattensRenderLayers
offset 0x818076, FrameScript_GetProgress
offset 0x76e174, FrameScript_GetScale
offset 0x7740ab, FrameScript_GetStartDelay
offset 0x701888, FrameScript_IsDone
offset 0x6ff1f8, FrameScript_IsIgnoringParentScale_0
offset 0x6b4478, FrameScript_IsMovable
offset 0x6ba222, FrameScript_IsUserPlaced
offset 0x6ac6b9, FrameScript_IsVisible_1
offset 0x5cc197, FrameScript_SetStartPoint
On closer examination these addresses seem to correspond to subroutines with weird behaviour, e.g. the function "FrameScript_DoesClipChildren" at offset 0x6c6476:
Code:
.text:00000000006C6467 mov [rcx+18h], edx
.text:00000000006C646A movups xmmword ptr [rcx+20h], xmm0
.text:00000000006C646E mov [rcx+30h], edx
.text:00000000006C6471 add rsp, 18h
.text:00000000006C6475 retn
.text:00000000006C6475 sub_6C6440 endp
.text:00000000006C6475
.text:00000000006C6476 ; ---------------------------------------------------------------------------
.text:00000000006C6476 xor al, 85h
.text:00000000006C6478 sbb byte ptr [rcx+16h], 3Dh
.text:00000000006C647C popfq
.text:00000000006C647D fxch7 st(1)
.text:00000000006C647F cmp al, 48h
.text:00000000006C6481 lea eax, off_21A5F80
.text:00000000006C6487 mov dword ptr [rcx+18h], 0
.text:00000000006C648E mov [rcx], rax
.text:00000000006C6491 mov rax, rcx
.text:00000000006C6494 mov [rcx+20h], edx
.text:00000000006C6497 mov [rcx+24h], r8d
.text:00000000006C649B movups xmm0, xmmword ptr [r9]
.text:00000000006C649F movups xmmword ptr [rcx+28h], xmm0
.text:00000000006C64A3 retn
.text:00000000006C64A3 ; ---------------------------------------------------------------------------
.text:00000000006C64A4 dd 0D94F3A15h
.text:00000000006C64A8 dq 0DEEE40263A6C0C8Ch
.text:00000000006C64B0
.text:00000000006C64B0 ; =============== S U B R O U T I N E =======================================
.text:00000000006C64B0
.text:00000000006C64B0
.text:00000000006C64B0 sub_6C64B0 proc near ; CODE XREF: sub_614700+9583p
.text:00000000006C64B0
.text:00000000006C64B0 arg_0 = qword ptr 8
.text:00000000006C64B0 arg_20 = dword ptr 28h
It looks like a real subroutine, but IDA cannot recognise it as a valid function; e.g. in this case there is a 'popfq' but no corresponding push (which will cause an "sp-analysis failed" if we try to create a function at this address). So how did you generate the list? How did you locate these kinds of weird subroutines in the first place, since even IDA seems to have problems recognising them?
Last edited by SailorMars; 07-04-2020 at 03:19 PM.
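The check SailorMars describes, written out as an added example (not the script from the thread): it parses the address formats used in this thread, normalises 34D's absolute 0x140xxxxxx values to image-relative offsets (the default x64 image base 0x140000000 is an assumption), and reports which entries do not sit on a function start, distinguishing a mid-function label from an address in the gap between two functions, which is what the listing above shows for 0x6C6476. The `ida_function_ranges` helper is the IDAPython adapter; the sample lines and function ranges at the bottom are constructed so the rest runs offline.

```python
import re
from typing import Iterable, List, Tuple

IMAGE_BASE = 0x140000000  # assumed default x64 PE image base behind the 0x140xxxxxx values

# "Name 0x140DA2460", "Name = 0x2A6A600,", "Name: 0xFA6900 // comment"
_NAME_FIRST = re.compile(r"^\s*([A-Za-z_]\w*)\s*[:=]?\s*(0x[0-9A-Fa-f]+)")
# "offset 0x6c6476, FrameScript_DoesClipChildren"
_OFFSET_FIRST = re.compile(r"^\s*offset\s+(0x[0-9A-Fa-f]+)\s*,\s*([A-Za-z_]\w*)")


def to_rva(value: int, image_base: int = IMAGE_BASE) -> int:
    """Normalise an absolute VA (at or above the base) or a relative offset to an RVA."""
    return value - image_base if value >= image_base else value


def parse_offsets(lines: Iterable[str], image_base: int = IMAGE_BASE) -> List[Tuple[str, int]]:
    """Return (name, rva) pairs; lines with no 0x-prefixed address are skipped.

    Offset chains such as "UnitName = 2D0 F8," are not addresses and are
    dropped; duplicate names are kept so nothing disappears silently.
    """
    entries = []
    for line in lines:
        m = _OFFSET_FIRST.match(line)
        if m:
            addr, name = m.group(1), m.group(2)
        else:
            m = _NAME_FIRST.match(line)
            if not m:
                continue
            name, addr = m.group(1), m.group(2)
        entries.append((name, to_rva(int(addr, 16), image_base)))
    return entries


def classify(rva: int, funcs: List[Tuple[int, int]]) -> str:
    """Locate rva relative to [start, end) function ranges.

    'start'      - a function entry (what IDA auto-names sub_XXXXXX)
    'inside ...' - strictly within a body (a mid-function label)
    'gap'        - between functions, like 0x6C6476 in the listing above
    """
    for start, end in funcs:
        if rva == start:
            return "start"
        if start < rva < end:
            return "inside sub_%X" % start
    return "gap"


def find_unrecognised(entries: List[Tuple[str, int]],
                      funcs: List[Tuple[int, int]]) -> List[Tuple[str, int, str]]:
    """Entries that are not function starts (data fields will show up as 'gap')."""
    report = []
    for name, rva in entries:
        kind = classify(rva, funcs)
        if kind != "start":
            report.append((name, rva, kind))
    return report


def ida_function_ranges() -> List[Tuple[int, int]]:
    """Collect [start, end) function ranges from the open IDB as RVAs (IDA only)."""
    import ida_funcs, ida_nalt, idautils  # present only inside IDAPython
    base = ida_nalt.get_imagebase()
    return [(ida_funcs.get_func(ea).start_ea - base, ida_funcs.get_func(ea).end_ea - base)
            for ea in idautils.Functions()]


# Constructed sample: lines in the thread's three formats plus function ranges
# matching the listing above (sub_6C6440 ends at 0x6C6476, sub_6C64B0 follows).
SAMPLE_LINES = [
    "FrameScript_GetText 0x140513530",
    "FrameScript_DoesClipChildren 0x1406C6476",
    "offset 0x6c6476, FrameScript_DoesClipChildren",
    "CGGameUI__m_zoneText = 0x2A6AD20",
    "UnitName = 2D0 F8,",
    "# functions",
]
SAMPLE_FUNCS = [(0x513530, 0x513600), (0x6C6440, 0x6C6476), (0x6C64B0, 0x6C6500)]
```

Inside IDA, replace `SAMPLE_FUNCS` with `ida_function_ranges()` and feed the pasted list to `parse_offsets`; offline, `find_unrecognised(parse_offsets(SAMPLE_LINES), SAMPLE_FUNCS)` reproduces the "offset 0x6c6476, FrameScript_DoesClipChildren" style of report.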
-
Originally Posted by
SailorMars
These are 8.3.0.34963.
-
Yes, I was testing with 8.3.0 34963 and noticed the weird subroutines. Also note that there are just a few, and these routines are all FrameScript_??, while the other addresses and functions look valid.
Last edited by SailorMars; 07-05-2020 at 01:46 AM.
-
Originally Posted by
SailorMars
Yes, I was testing with 8.3.0 34963 and noticed the weird subroutines. Also note that there are just a few, and these routines are all FrameScript_??, while the other addresses and functions look valid.
You need to enable the stack pointer in IDA. popfq there is setting flags for the assembly op, like parity or carry. Maybe certain conditional jumps give IDA trouble.
Last edited by GlittPrizes; 07-05-2020 at 09:19 AM.
-
Originally Posted by
hycolyte
I didn't check the others, but the HealthMax is wrong; it should be 0x1590. Health is 0x1588/0x1378.
-
It was a situation where two addresses both had the value. I might have picked the wrong one.
Do you have some of the VMT figured out? I found GetObjectName at the 15th virtual function, but I was doing it the hard way to get those. I will try to defeat the anti-debugging and post those.
Last edited by GlittPrizes; 07-06-2020 at 10:58 AM.
-
This is what I've come up with so far on the vtable. I'm still mainly trying to figure out OnRightClick/OnLeftClick, but no luck yet.
Code:
const char* GetObjectName() // 15th
int64_t GetUnitLevel() // 16th
int64_t GetMountId() // 45th
Vector3 GetUnitPosition(int64_t, int64_t) // 56th
float GetUnitFacing() // 58th
-
Code:
# functions
ClntObjMgrEnumVisibleObjects: 0xFA6900
ClntObjMgrEnumVisibleObjectsPtr: 0xFA6980
ClntObjMgrIsValid: 0xFAAF90
ClntObjMgrGetActivePlayerPtr: 0xCF6D00 // Obfuscated with return address checks, do not call directly
ClntObjMgrObjectPtr: 0x11728E0 // probably wrong
ClntObjMgrGetCurrent: 0xFAA820
ClntObjMgrGetMapID: 0xFAA830
Script_GetGUIDFromToken: 0x16705C0
FrameScript_RegisterFunction: 0x510680
FrameScript_GetContext: 0x50FCE0
luaL_error: 0x19A5560
lua_pcall: 0x1D1560
lua_type: 0x1D26A0
lua_getfield: 0x1D0EC0
lua_gettop: 0x1D0FE0
lua_settop: 0x1D2230
# fields
s_curMgr: 0x29D2ED0
s_PlayerGuid: 0x28D3510
s_luaContext: 0x2939898
s_luaThreadId: 0x29398A0
s_textSectionStart: 0x29621E8
s_textSectionEnd: 0x29621F0
Last edited by xalcon; 07-21-2020 at 08:21 AM.
"Threads should always commit suicide - they should never be murdered" - DirectX SDK
-
-
Offsets relevant to fishing bots:
Bobbing: 0x64 (should be a byte)
Creator GUID: 0x1E0 (128 bits)
Game object name: [[GameObjectBase+0x108]+0xE0]. Look for the string "Fishing Bobber"; not sure if this applies to non-English clients.
Position: 0xC8 (3 floats: x, y, z)
Last edited by SailorMars; 07-20-2020 at 09:00 AM.
-
-
Originally Posted by
xalcon
BTW, don't call obfuscated functions like "ClntObjMgrGetActivePlayerPtr: 0xCF6D00" from injected code directly. First, it checks that the caller's address is within a pre-determined range. Second, it also checks that a CALL (0xE8) opcode was used to invoke the function.
Code:
.text:0000000000CF6D00 000 push rbp
.text:0000000000CF6D02 008 push rbx
.text:0000000000CF6D03 010 push rsi
.text:0000000000CF6D04 018 push rdi
.text:0000000000CF6D05 020 push r12
.text:0000000000CF6D07 028 push r14
.text:0000000000CF6D09 030 push r15
.text:0000000000CF6D0B 038 mov rbp, rsp
.text:0000000000CF6D0E 038 sub rsp, 70h
.text:0000000000CF6D12 0A8 mov rdx, [rbp+38h]
.text:0000000000CF6D16 db 66h, 66h
.text:0000000000CF6D16 0A8 nop word ptr [rax+rax+00000000h]
At the beginning of the function, the mov rdx, [rbp+38h] loads the caller's return address. Then the function checks that the value of rdx is within some valid range and that the memory just before the return address really contains a 5-byte CALL opcode, like this:
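As an added illustration (this is neither the client's code nor the disassembly SailorMars refers to), the two caller checks described above modelled over a snapshot of code bytes: the return address must fall inside the allowed code range, and the five bytes before it must be an E8 rel32 CALL. The range bounds here are made-up sample values (the s_textSectionStart/s_textSectionEnd fields in xalcon's list are the obvious candidates for the real ones, but that is an assumption), and the third step, verifying that the rel32 really targets the callee, is stricter than what the post describes.

```python
import struct

IMAGE_BASE = 0x140000000                # assumed default x64 image base
CALLEE = IMAGE_BASE + 0xCF6D00          # ClntObjMgrGetActivePlayerPtr from the list above
TEXT_START = IMAGE_BASE + 0x1000        # assumed lower bound of the trusted code range
TEXT_END = IMAGE_BASE + 0x1D8A000       # assumed upper bound (sample value only)
CALL_REL32 = 0xE8                       # the 5-byte near CALL the post says is required


def caller_is_trusted(mem: bytes, mem_base: int, ret_addr: int, callee: int = CALLEE,
                      text_start: int = TEXT_START, text_end: int = TEXT_END) -> bool:
    """Model of the two checks the post describes, plus a target check.

    mem is a snapshot of code bytes mapped at mem_base; ret_addr is the value
    the callee read via mov rdx, [rbp+38h].
    """
    # 1. The return address must lie inside the pre-determined code range.
    if not text_start <= ret_addr < text_end:
        return False
    # 2. The five bytes before it must be a rel32 CALL (E8 xx xx xx xx).
    off = ret_addr - 5 - mem_base
    if off < 0 or off + 5 > len(mem):
        return False                    # bytes unavailable: fail closed
    if mem[off] != CALL_REL32:
        return False                    # JMP, indirect CALL, or mid-instruction
    # 3. Stricter than the post: the CALL must really target this function.
    rel = struct.unpack_from("<i", mem, off + 1)[0]
    return (ret_addr + rel) & 0xFFFFFFFFFFFFFFFF == callee


def build_snippet() -> bytes:
    """Constructed 16 bytes mapped at TEXT_START: CALL CALLEE; JMP CALLEE; 6 x NOP."""
    call_rel = CALLEE - (TEXT_START + 5)
    jmp_rel = CALLEE - (TEXT_START + 10)
    return (b"\xE8" + struct.pack("<i", call_rel)
            + b"\xE9" + struct.pack("<i", jmp_rel)
            + b"\x90" * 6)
```

With the constructed snippet, only a return address of TEXT_START + 5 (just after the CALL) passes; a return through the JMP, a return address outside the range, or a CALL whose rel32 points elsewhere is rejected.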
-
-
I'm aware of the obfuscation and return checks; I even have that noted in my personal docs, but thanks for clarifying how the return checks exactly work.
"Threads should always commit suicide - they should never be murdered" - DirectX SDK