[Retail] Some Offsets 8.3.0.34963 menu

#1 GlittPrizes

    [Retail] Some Offsets 8.3.0.34963

    All are offset from the base. I don't have CTM set up yet, so I don't have that offset.

    Code:
    EnumVisibleObjects = 0xFA6980
    FrameScriptGetText = 0x513530
    FrameScriptExecute = 0x50F6B0

#2 34D
    Code:
    	CGGameUI__m_minimapZoneText = 0x2A6A600,
    	CGGameUI__m_zoneText = 0x2A6AD20
    	PlayerNameCache = 0x2593BE0,
    	CorpsePosition = 0x27C2D80,
    	ObjectMgrPtr = 0x29D2ED0,
    	UnitName = 2D0 F8,
    	ObjName = 108 E0,
    
    CActorManager__Get	0x140DA2460
    CActorManager__GetActor	0x140DA2470
    CActorManager__GetActorUnit	0x140DA2540
    CCameraManager__GetYaw	0x1416021B0
    CCameraManager__Instance	0x141602100
    CCameraShot__CalcYawPitch	0x14166EEC0
    CGBattlefieldInfo__GetArenaOpponentPet	0x1412717B0
    CGBattlefieldInfo__m_arenaOpponents	0x141271720
    CGChat__m_afk	0x1411B1780
    CGCommentator__GetPlayerGUID	0x1401BB1D0
    CGCommentator__s_Commentator	0x141358670
    CGGameObject_C__GetName	0x140E024D0
    CGGameUI__CanPerformAction	0x141332980
    CGGameUI__ClosestObjectMatch	0x14116B500
    CGGameUI__GetRealmAddressFromName	0x141670D50
    CGGameUI__m_currentObjectTrack	0x141170D40
    CGGameUI__m_currentObjectTypeTrack	0x140EBDA70
    CGInputControl__GetActive	0x141609070
    CGInputControl__SetControlBit	0x14160A6C0
    CGInputControl__UnsetControlBit	0x14160B5F0
    CGInputControl__UpdateMouseMode	0x14160BA40
    CGInputControl__UpdatePlayer	0x14160BB40
    CGInstanceEncounter_C__GetBoss	0x1414FBAE0
    CGParty__FindMember	0x140CA92C4
    CGPartyMemberStateRepository__GetState	0x141522EE0
    CGPlayer_C__GetAutoRangedCombatSpell	0x140CB5D5C
    CGPlayer_C__m_activePlayerPtr	0x140CF6D00
    CGPlayer_C__PushQuestToParty	0x140CFDD90
    CGPlayer_C__UnitIsTrivial	0x140CCAA20
    CGQuestInfo__m_npcInform	0x14152C5C0
    CGSpellBook__m_autoRangedCombatSpell_0	0x1411EBAF0
    CGUIBinding__CompareKey	0x1404D8120
    CGUIBindings__Bind	0x1413DC020
    CGUIBindings__GetBindingText	0x1413DDCB0
    CGUIBindings__GetCommandKey	0x1413DE300
    CGUIBindings__GetReducedKeyBinding	0x1413DE920
    CGUnit_C__Dismount	0x140D5FE70
    CGUnit_C__GetControllingPlayer	0x140D62670
    CGUnit_C__GetDisplayClassName	0x140D62FF0
    CGUnit_C__GetDisplayClassNameFromRecord	0x140D5F050
    CGUnit_C__GetDisplayRaceName	0x140D633D0
    CGUnit_C__GetUnitName	0x140D69490
    CGUnit_C__IsRidingVehicle	0x140ED8010
    CGUnit_C_GetPosition	0x14017F1C0
    CGWorldFrame__GetActiveCamera	0x14118ED40
    CGWorldFrame__GetActiveCamera_Maybe	0x140CF6950
    ClientServices__Connection	0x1401BAFB0
    ClientServices__GetCharacterName	0x1401BB200
    ClientServices__Send	0x1401BCEC0
    ClntObjMgrObjectDisplayPtr	0x140FAB040
    ClntObjMgrObjectPtr	0x140FAB0C0
    CM2Model__SetWorldTransform	0x1416A9520
    CMath__normalizeAngleNegPiToPi_	0x14113FC70
    CompareUnitType	0x14026ACB8
    CPassenger__GetPosition	0x140C5D290
    DBCache__GetRecord	0x14055CBF0
    DetermineDisplayRace	0x140D5F1F0
    finite	0x140277B84
    fmodf	0x141C97C08
    FrameScript_DoesClipChildren	0x1406C6476
    FrameScript_Execute	0x14050F6B0
    FrameScript_GetDontSavePosition	0x1406B7D31
    FrameScript_GetDuration	0x1407F9EB3
    FrameScript_GetEffectivelyFlattensRenderLayers	0x1406C4B90
    FrameScript_GetEndDelay	0x1407F9768
    FrameScript_GetFieldSize	0x1401443E0
    FrameScript_GetFlattensRenderLayers	0x1406C4328
    FrameScript_GetProgress	0x140818076
    FrameScript_GetScale	0x14076E174
    FrameScript_GetStartDelay	0x1407740AB
    FrameScript_GetText	0x140513530
    FrameScript_IsDone	0x140701888
    FrameScript_IsIgnoringParentScale_0	0x1406FF1F8
    FrameScript_IsMouseClickEnabled	0x1406BA4E0
    FrameScript_IsMouseMotionEnabled	0x1406BA6A0
    FrameScript_IsMovable	0x1406B4478
    FrameScript_IsPlaying	0x14070C030
    FrameScript_IsResizable	0x1406BA050
    FrameScript_IsUserPlaced	0x1406BA222
    FrameScript_IsVisible_1	0x1406AC6B9
    FrameScript_SetDontSavePosition	0x140322D70
    FrameScript_SetEndPoint	0x1405ECAC0
    FrameScript_SetStartPoint	0x1405CC197
    FrameScript_SignalEvent	0x140B61E70
    FrameTime_GetCurTimeMs	0x14049CE10
    GetCameraBasePtr	0x140555680
    GetInGameFlag	0x141177C50
    GetIsLoadingOrConnecting	0x140184740
    GetObjectMgrPtr_Maybe	0x140FAEFC0
    GetRuneReady	0x1414FF430
    index2adr	0x1401D04B0
    Item_GetSpellIdById	0x140DCFA40
    lua_error	0x1419A5560
    Lua_isguid	0x1405160B0
    Lua_isnumber	0x1401D1290
    lua_isstring	0x1401D12C0
    Lua_pushboolean	0x1401D15F0
    Lua_pushnil	0x1401D1860
    lua_pushnumber	0x1401D1880
    Lua_pushstring	0x1401D18A0
    Lua_stormassert	0x1401CAED0
    Lua_toboolean	0x1401D2410
    Lua_toguid	0x1405162D0
    Lua_tolstring	0x1401D24F0
    Lua_tonumber	0x1401D2470
    Lua_tonumber_0	0x1401D2590
    LuaC_step	0x1401D50B0
    LuaO_str2d	0x1401C7FA0
    LuaV_tonumber	0x1401D0230
    LuaV_tostring	0x1401D02A0
    Math_acos	0x1419A7000
    Math_asin	0x1419A6FD0
    Math_atan	0x1419A7030
    Math_atan2	0x1419A7060
    Math_ceil	0x1419A70B0
    Math_cos	0x1419A6F10
    Math_cosh	0x1419A6F40
    Math_deg	0x1419A73A0
    Math_exp	0x1419A7330
    Math_floor	0x1419A7130
    Math_fmod	0x1419A71B0
    Math_frexp	0x1419A73E0
    Math_ldexp	0x1419A7420
    Math_log	0x1419A72D0
    Math_log10	0x1419A7300
    Math_max	0x1419A74F0
    Math_modf	0x1419A7200
    Math_pow	0x1419A7280
    Math_random	0x1419A7570
    Math_sin	0x1419A6EB0
    Math_sinh	0x1419A6EE0
    Math_sqrt	0x1419A7250
    Math_tan	0x1419A6F70
    Math_tanh	0x1419A6FA0
    ParseTrailingTokens	0x1416719A0
    Party_FindMember	0x1412493C0
    Party_HasMemberPet	0x14124AB00
    PartyInfo_GetActiveParty	0x141249650
    PetInfo_FindSpellById	0x1414326B0
    PetInfo_SendPetAction	0x1414344D0
    Player_LeaveCombatMode	0x140CB1D20
    PlayerCliPushQuestToParty__PlayerCliPushQuestToParty	0x140675900
    Script_arshift	0x1419ABF10
    Script_assert	0x1419A7E90
    Script_band	0x1419ABCA0
    Script_bnot	0x1419ABC60
    Script_bor	0x1419ABD30
    Script_bxor	0x1419ABDC0
    Script_collectgarbage	0x1419A7CA0
    Script_error	0x1419A78C0
    Script_gcinfo	0x1419A7C70
    Script_GetGUIDFromString	0x141671C10
    Script_GetGUIDFromToken	0x141670580
    Script_GetGUIDFromToken	0x1416705C0
    Script_GetGUIDFromToken_0	0x141671900
    Script_GetNameFromToken	0x14024EE60
    Script_lshift	0x1419ABE50
    Script_mod	0x1419ABBD0
    Script_rshift	0x1419ABEB0
    Specialization_IsTalentSelectedById	0x1412A9810
    Spell_C__ClickSpell	0x140B86A40
    Spell_CancelAutoRepeat	0x140B82DF0
    Spell_CancelCast	0x140B83460
    Spell_CancelChannel	0x140B83030
    Spell_GetMinMaxRange	0x140B8B9B0
    Spell_GetSomeSpellInfo	0x141D6EB70
    Spell_GetSpellCharges	0x140B8DC90
    Spell_GetSpellCooldown	0x140B8E090
    Spell_GetSpellType	0x140B6BC60
    Spell_HandleTerrainClick	0x140B93580
    Spell_IsInRange	0x140B9B420
    Spell_IsPlayerSpell	0x1411F2A60
    Spell_IsSpellKnown	0x140D71BE0
    Spell_IsStealable	0x1411E8D20
    Spell_SomeInfo	0x140BCA590
    SpellBook_CastSpell	0x1411E8F70
    SpellBook_FindSlotBySpellId	0x1411EB410
    SpellBook_GetOverridenSpell	0x1411EBB00
    SpellDB_GetRow	0x141D709D0
    SpellDB_HasAttribute	0x141D70990
    SStrToUnsigned	0x14015AD90
    strcasecmp	0x14025C900
    Unit_CanAttack	0x140D502B0
    Unit_GetAuraByIndex	0x140B7B640
    Unit_GetFacing	0x1401BB660
    Unit_GetPower	0x141676E70
    Unit_GetPowerMax	0x141677060
    Unit_Interact	0x14117BA60
    Unit_IsFriendly	0x140D70B80
    WorldFrame_GetCurrent	0x141D894E0
    WorldFrame_Intersect	0x1416A1DE0
    WowClientDB_Base__GetRecordDataUnsafe	0x140462640
    WowClientDB2__GetRecord	0x14055D970

    Not guaranteed to be completely correct.
    I also want to find CTM to see what it is.
    Last edited by 34D; 07-02-2020 at 09:51 PM.

#3 34D
    After some research, I seem to have found CTM. To be verified.

#4 GlittPrizes
    Mostly the same. This is what I have for the Unit Objects:

    Code:
    Type: 		0x10
    Guid: 		0x40
    Position: 	0x150
    Rotation: 	0x15C
    Health: 	0x1378
    Power: 		0x1380
    PowerMax: 	0x1788
    Target GUID: 	0x1548
    HealthMax: 	0x1588
    Level: 		0x1598

    edit: As far as in process goes, I want to access this stuff from the vtable though, right? I'll see if I can make sense of that to get proper functionality for interacting, targeting, etc.
    Last edited by GlittPrizes; 07-03-2020 at 07:03 PM. Reason: edit

#5 SailorMars
    Originally Posted by 34D View Post (the offset list from post #2, quoted in full)
    How did you generate the list?

    I tried to verify the list by incorporating them into my ida db.

    I know that after the initial static analysis of the exe, recognised functions have a function name automatically added, e.g. address 0x1c97c08 is named sub_1C97C08. Hence, I used a script to check the addresses listed above to see if they correspond to functions that IDA recognises.

    The result is that the following addresses given in your list do not correspond to functions known to IDA (i.e. none of these addresses has a function name of the form sub_????? automatically added after the initial analysis):
    Code:
    offset 0x6c6476, FrameScript_DoesClipChildren
    offset 0x6b7d31, FrameScript_GetDontSavePosition
    offset 0x7f9eb3, FrameScript_GetDuration
    offset 0x7f9768, FrameScript_GetEndDelay
    offset 0x6c4328, FrameScript_GetFlattensRenderLayers
    offset 0x818076, FrameScript_GetProgress
    offset 0x76e174, FrameScript_GetScale
    offset 0x7740ab, FrameScript_GetStartDelay
    offset 0x701888, FrameScript_IsDone
    offset 0x6ff1f8, FrameScript_IsIgnoringParentScale_0
    offset 0x6b4478, FrameScript_IsMovable
    offset 0x6ba222, FrameScript_IsUserPlaced
    offset 0x6ac6b9, FrameScript_IsVisible_1
    offset 0x5cc197, FrameScript_SetStartPoint
    On closer examination these addresses seem to correspond to subroutines with weird behaviour, e.g. the function "FrameScript_DoesClipChildren" at offset 0x6c6476:

    Code:
    .text:00000000006C6467                 mov     [rcx+18h], edx
    .text:00000000006C646A                 movups  xmmword ptr [rcx+20h], xmm0
    .text:00000000006C646E                 mov     [rcx+30h], edx
    .text:00000000006C6471                 add     rsp, 18h
    .text:00000000006C6475                 retn
    .text:00000000006C6475 sub_6C6440      endp
    .text:00000000006C6475
    .text:00000000006C6476 ; ---------------------------------------------------------------------------
    .text:00000000006C6476                 xor     al, 85h
    .text:00000000006C6478                 sbb     byte ptr [rcx+16h], 3Dh
    .text:00000000006C647C                 popfq
    .text:00000000006C647D                 fxch7   st(1)
    .text:00000000006C647F                 cmp     al, 48h
    .text:00000000006C6481                 lea     eax, off_21A5F80
    .text:00000000006C6487                 mov     dword ptr [rcx+18h], 0
    .text:00000000006C648E                 mov     [rcx], rax
    .text:00000000006C6491                 mov     rax, rcx
    .text:00000000006C6494                 mov     [rcx+20h], edx
    .text:00000000006C6497                 mov     [rcx+24h], r8d
    .text:00000000006C649B                 movups  xmm0, xmmword ptr [r9]
    .text:00000000006C649F                 movups  xmmword ptr [rcx+28h], xmm0
    .text:00000000006C64A3                 retn
    .text:00000000006C64A3 ; ---------------------------------------------------------------------------
    .text:00000000006C64A4                 dd 0D94F3A15h
    .text:00000000006C64A8                 dq 0DEEE40263A6C0C8Ch
    .text:00000000006C64B0
    .text:00000000006C64B0 ; =============== S U B R O U T I N E =======================================
    .text:00000000006C64B0
    .text:00000000006C64B0
    .text:00000000006C64B0 sub_6C64B0      proc near               ; CODE XREF: sub_614700+9583p
    .text:00000000006C64B0
    .text:00000000006C64B0 arg_0           = qword ptr  8
    .text:00000000006C64B0 arg_20          = dword ptr  28h
    It looks like a real subroutine, but IDA cannot recognise it as a valid function; e.g. in this case there is a 'popfq' but no corresponding push (which will cause an "sp-analysis failed" if we try to create a function at this address). So how did you generate the list? How did you locate these kinds of weird subroutines in the first place, since even IDA seems to have problems recognising them?
    Last edited by SailorMars; 07-04-2020 at 03:19 PM.
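A script along the lines of the check SailorMars describes, written here as an added example (it is not the script from the post): it normalises the mixed full-VA (0x140...) and RVA entries from the lists in this thread, then reports every entry that is not the start of a function the disassembler knows. The `func_start_of` callback is an assumption; inside IDA it is backed by `ida_funcs.get_func`, and the stand-alone run uses a constructed function table built from the listing above plus a hypothetical mid-function entry.

```python
"""Cross-check a posted name/address list against the disassembler's function
table. Added example, not the script from the post. The core check is a plain
function so it runs outside IDA against a constructed table; the IDA-backed
lookup is at the end."""
import re
from typing import Callable, List, Optional, Tuple

IMAGE_BASE = 0x140000000  # default base of a 64-bit PE; the thread's lists mix
                          # full VAs (0x1406C6476) with RVAs (0xFA6980)

# Accepts "Name<TAB>0x140DA2460", "Name = 0x2A6A600," and "Name: 0xFAAF90 // note".
# Lines without a 0x address, such as "UnitName = 2D0 F8," (a pointer chain), are skipped.
LINE_RE = re.compile(
    r"^\s*([A-Za-z_]\w*)\s*[=:]?\s*0x([0-9A-Fa-f]+),?\s*(?://.*)?$")

# rva -> start RVA of the function containing it, or None if it lies in no function
FuncLookup = Callable[[int], Optional[int]]


def to_rva(address: int) -> int:
    """Normalise a VA under the default image base to an RVA; RVAs pass through."""
    return address - IMAGE_BASE if address >= IMAGE_BASE else address


def parse_offset_list(text: str) -> List[Tuple[str, int]]:
    """Parse the posted list into (name, rva) pairs."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), to_rva(int(m.group(2), 16))))
    return entries


def find_unrecognised(entries: List[Tuple[str, int]],
                      func_start_of: FuncLookup) -> List[Tuple[str, int, Optional[int]]]:
    """Return (name, rva, containing_function_start) for every entry whose address
    is not the start of a recognised function. The third element is None when the
    address lies in no function at all (the FrameScript_* case above) and is the
    real start when the address points into the middle of a function."""
    bad = []
    for name, rva in entries:
        start = func_start_of(rva)
        if start != rva:
            bad.append((name, rva, start))
    return bad


# Constructed function table for the stand-alone run. Ranges are [start, end);
# sub_6C6440 ends at 0x6C6476 per the listing in the post, the other ends are assumed.
DEMO_FUNCTIONS = {
    0x6C6440: 0x6C6476,    # sub_6C6440
    0x6C64B0: 0x6C6500,    # sub_6C64B0 (end assumed)
    0x1C97C08: 0x1C97C40,  # sub_1C97C08, i.e. fmodf (end assumed)
    0xFA6900: 0xFA6980,    # ClntObjMgrEnumVisibleObjects from xalcon's list (end assumed)
}


def demo_func_start_of(rva: int) -> Optional[int]:
    for start, end in DEMO_FUNCTIONS.items():
        if start <= rva < end:
            return start
    return None


def ida_func_start_of(rva: int) -> Optional[int]:
    """Same lookup backed by IDA; only callable from an IDAPython session."""
    import ida_funcs  # IDA's bundled modules, not available outside IDA
    import ida_nalt
    base = ida_nalt.get_imagebase()
    f = ida_funcs.get_func(base + rva)
    return f.start_ea - base if f is not None else None


# Constructed sample mixing the styles seen in the thread; the last line is a
# hypothetical entry that points into the middle of sub_6C6440.
SAMPLE_LIST = """\
ClntObjMgrEnumVisibleObjects: 0xFA6900 // from xalcon's list
\tUnitName = 2D0 F8,
fmodf\t0x141C97C08
FrameScript_DoesClipChildren\t0x1406C6476
Hypothetical_MidFunction\t0x1406C6467
"""

if __name__ == "__main__":
    for name, rva, start in find_unrecognised(parse_offset_list(SAMPLE_LIST), demo_func_start_of):
        where = "not inside any function" if start is None else f"inside the function starting at {start:#x}"
        print(f"offset {rva:#x}, {name}: {where}")
```

Data fields such as `ObjectMgrPtr` are flagged too, so filter those out before reading the report.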

#6 34D
    Originally Posted by SailorMars View Post (post #5 above, quoted in full)
    These are 8.3.0.34963.

#7 SailorMars
    Yes, I was testing with 8.3.0.34963 and noticed the weird subroutines. Also note that there are just a few, and these routines are all FrameScript_??, while the other addresses/functions look valid.
    Last edited by SailorMars; 07-05-2020 at 01:46 AM.

#8 GlittPrizes
    Originally Posted by SailorMars View Post
    Yes, I was testing with 8.3.0.34963 and noticed the weird subroutines. Also note that there are just a few, and these routines are all FrameScript_??, while the other addresses/functions look valid.
    Need to enable the stack pointer in IDA. Popf there is setting flags for the assembly op like parity or carry. Maybe certain conditional jumps give IDA trouble.
    Last edited by GlittPrizes; 07-05-2020 at 09:19 AM.

#9 SailorMars
    Originally Posted by hycolyte View Post (the Unit Object offsets from post #4, quoted in full)
    Didn't check the others, but the HealthMax is wrong; it should be 0x1590, and Health is 0x1588/0x1378.

#10 GlittPrizes
    Didn't check the others, but the HealthMax is wrong; it should be 0x1590, and Health is 0x1588/0x1378.
    It was a situation where two addresses both had the value. I might have picked the wrong one.

    Do you have some of the VMT figured out? I found GetObjectName at the 15th virtual function, but I was doing it the hard way to get those. I will try to defeat the anti-debugging and post those.
    Last edited by GlittPrizes; 07-06-2020 at 10:58 AM. Reason: shorten

#11 GlittPrizes
    This is what I've come up with so far on the vTable. I'm still mainly trying to figure out OnRightClick/OnLeftClick, but no luck yet.

    Code:
    const char* GetObjectName()                 // 15th
    int64_t GetUnitLevel()                      // 16th
    int64_t GetMountId()                        // 45th
    Vector3 GetUnitPosition(int64_t, int64_t)   // 56th
    float GetUnitFacing()                       // 58th

#12 xalcon
    Code:
    # functions
    ClntObjMgrEnumVisibleObjects:  0xFA6900
    ClntObjMgrEnumVisibleObjectsPtr: 0xFA6980
    ClntObjMgrIsValid: 0xFAAF90
    
    ClntObjMgrGetActivePlayerPtr: 0xCF6D00 // Obfuscated with return address checks, do not call directly
    ClntObjMgrObjectPtr: 0x11728E0 // probably wrong
    
    ClntObjMgrGetCurrent: 0xFAA820
    ClntObjMgrGetMapID: 0xFAA830
    Script_GetGUIDFromToken: 0x16705C0
    
    FrameScript_RegisterFunction: 0x510680
    FrameScript_GetContext: 0x50FCE0
    
    luaL_error: 0x19A5560
    lua_pcall: 0x1D1560
    lua_type: 0x1D26A0
    lua_getfield: 0x1D0EC0
    lua_gettop: 0x1D0FE0
    lua_settop: 0x1D2230
    
    # fields
    s_curMgr: 0x29D2ED0
    s_PlayerGuid: 0x28D3510
    s_luaContext: 0x2939898
    s_luaThreadId: 0x29398A0
    
    s_textSectionStart: 0x29621E8
    s_textSectionEnd: 0x29621F0
    Last edited by xalcon; 07-21-2020 at 08:21 AM.

#13 SailorMars
    Offsets relevant to fishing bots:

    Bobbing: 0x64 (should be a byte)
    Creator GUID: 0x1E0 (128 bits)
    Game Object name: [[GameObjectBase+0x108]+0xE0]. Look for the string "Fishing Bobber"; not sure if this applies to non-English clients.
    Position: 0xC8 (3 floats: x, y, z)
    Last edited by SailorMars; 07-20-2020 at 09:00 AM.

#14 SailorMars
    Originally Posted by xalcon View Post (the function/field list from post #12, quoted in full)

    BTW, don't call obfuscated functions like "ClntObjMgrGetActivePlayerPtr: 0xCF6D00" from injected code directly. First, it checks that the caller's address is within a pre-determined range. Second, it also checks that a CALL (0xE8) opcode is used to invoke the function.

    Code:
    .text:0000000000CF6D00 000                 push    rbp
    .text:0000000000CF6D02 008                 push    rbx
    .text:0000000000CF6D03 010                 push    rsi
    .text:0000000000CF6D04 018                 push    rdi
    .text:0000000000CF6D05 020                 push    r12
    .text:0000000000CF6D07 028                 push    r14
    .text:0000000000CF6D09 030                 push    r15
    .text:0000000000CF6D0B 038                 mov     rbp, rsp
    .text:0000000000CF6D0E 038                 sub     rsp, 70h
    .text:0000000000CF6D12 0A8                 mov     rdx, [rbp+38h]
    .text:0000000000CF6D16                     db      66h, 66h
    .text:0000000000CF6D16 0A8                 nop     word ptr [rax+rax+00000000h]
    At the beginning of the function, the mov rdx, [rbp+38h] loads the caller's return address. Then the function checks that the value of rdx is within some valid range and that the memory just before the return address really contains a 5-byte CALL opcode like this:
    Code:
     E8 ?? ?? ?? ??

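A model of the return-address check SailorMars describes, as an added example (not the client's code and not from the post): a toy image with constructed addresses, a legitimate in-module `call`, an indirect `call [rip+disp32]` inside .text, and a direct call from outside the .text range, each run through the two conditions. `ImageModel`, `check_caller`, `CALLEE` and every address below are assumptions for the demo.

```python
"""Model of the return-address check described above. Added example; neither
the client's code nor from the post. All addresses and bytes are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class ImageModel:
    """Stand-in for the process image: a byte blob mapped at image_base, plus the
    .text range the client keeps in s_textSectionStart/s_textSectionEnd."""
    image_base: int
    text_start: int
    text_end: int
    memory: bytearray

    def read(self, va: int, size: int) -> bytes:
        off = va - self.image_base
        if off < 0 or off + size > len(self.memory):
            raise ValueError(f"read outside image: {va:#x}")
        return bytes(self.memory[off:off + size])

    def write(self, va: int, data: bytes) -> None:
        off = va - self.image_base
        self.memory[off:off + len(data)] = data


def check_caller(img: ImageModel, return_address: int) -> Optional[str]:
    """Apply the two conditions from the post to a return address; return the
    reason a call is rejected, or None when it is accepted.

    In the listing, [rbp+38h] is the return address: the prologue pushes seven
    registers (0x38 bytes) before 'mov rbp, rsp', so the slot just above them is
    the address the CALL instruction pushed."""
    if not (img.text_start <= return_address < img.text_end):
        return "return address outside the .text range"
    opcode = img.read(return_address - 5, 1)[0]
    if opcode != 0xE8:
        return f"instruction before the return address is not a direct E8 call (saw {opcode:#04x})"
    return None


def encode_call(at: int, target: int) -> bytes:
    """Encode 'call rel32' placed at VA `at` that lands on `target`."""
    return b"\xE8" + struct.pack("<i", target - (at + 5))


CALLEE = 0x1080  # constructed stand-in for the checked function (0xCF6D00 in the post)


def build_demo_image() -> ImageModel:
    """Toy image covering VAs 0x1000..0x11FF, of which 0x1000..0x10FF counts as .text."""
    img = ImageModel(image_base=0x1000, text_start=0x1000, text_end=0x1100,
                     memory=bytearray(0x200))
    img.write(0x1010, encode_call(0x1010, CALLEE))            # in-module direct call
    img.write(0x1020, b"\xFF\x15" + struct.pack("<i", 0x60))  # call [rip+disp32], inside .text
    img.write(0x1150, encode_call(0x1150, CALLEE))            # direct call, but outside .text
    return img


def demo_results() -> dict:
    """Each return address is the byte right after the corresponding call instruction."""
    img = build_demo_image()
    return {
        "direct call from .text": check_caller(img, 0x1015),
        "indirect call from .text": check_caller(img, 0x1026),
        "direct call from outside .text": check_caller(img, 0x1155),
    }


if __name__ == "__main__":
    for case, verdict in demo_results().items():
        print(f"{case}: {'accepted' if verdict is None else 'rejected, ' + verdict}")
```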
#15 xalcon
    I'm aware of the obfuscation and return checks; I even have that noted in my personal docs, but thanks for clarifying how exactly the return checks work.
