I'm learning reverse engineering as I plan to create a BOT when WoW Classic Burning Crusade is released. I've read a huge part of this forum's threads, and also other resources (like this book: http://index-of.es/Varios-2/Game%20Hacking.pdf), which were a tremendous help!
I'm currently practicing on WoW version 3.3.5a on a private server to learn the basics using C# and BOT examples you can find on GitHub.
I'm instead trying to understand how to find this address by myself.
With Cheat Engine, I'm able to find my character's (or my target's) hit points, then work out the base address of my character (or target) by looking at the assembly instruction (see offset) or by looking at the Cheat Engine window (example below: base address is 0x24636A48, health is at 0x24636A48 + 0xFB0).
But the object manager address is harder to catch, as I can't really change a value in the game to point toward it directly.
I'm currently looking at the assembly instructions in Cheat Engine, setting breakpoints while damaging enemies to find out where the base enemy address comes from. I'm able to find the value by running an existing working bot and comparing what I see in assembly with the real address value from the bot, but I'm pretty sure there are better ways (and I won't have an existing bot for Burning Crusade when it comes out).
I've seen here (https://drewkestell.us/Article/6/Chapter/7) the use of DLL injection to access EnumerableVisibleObjects; I wish I could find a simpler method using Cheat Engine.
How do you guys find the object manager address?
I'm sure you can find the object manager with runtime analysis, but it's super simple with static analysis.
If you go into IDA and search for the string "Object manager list status: (use gmvision to see server onlys)", you should get directed to a function where you can find a snippet like the one below.
You can see I've already renamed the 3rd argument in 'printLogHead' as 's_curMgr'. That third argument should always be the object manager.
As of 1.13.6.37497 the object manager is at [ModuleBase + 0x02694158]
Code:
printLogHead("Object manager list status: (use gmvision to see server onlys)", 7i64, s_curMgr, dword_1F7F570);
printLogSub(" Active objects: %u (%u visible)", 7i64, v1, v0);
printLogSub(" Units: %u, GameObjs: %u Items: %u, Other: %u", 7i64, v4, v5);
printLogSub(" Objects waiting to be freed: %u objects", 7i64, v2, v18);
On the other hand, you can go into IDA and search for xrefs to the name 'aObjectManagerL'; there is only one call.
Then, at the top of the function, you can find the operand value that is the address of the object manager.
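Added worked example (not from any poster in this thread) of how that operand value becomes a module-relative offset like [ModuleBase + 0x02694158]: on x86-64 the load is `mov reg, [rip+disp32]` and the target is relative to the next instruction, while on 32-bit 3.3.5a the same ModRM form (`mod=00, rm=101`) carries an absolute address. The instruction bytes, virtual addresses and image bases below are constructed for illustration (the 64-bit case is built to land on the offset quoted above); they are not taken from any game binary.

```python
import struct


def decode_global_load(code: bytes, insn_va: int, image_base: int, bits: int) -> dict:
    """Decode one `mov reg, [disp32]` (x86) or `mov reg, [rip+disp32]` (x86-64)
    instruction and return the absolute address of the global it reads plus
    the module-relative offset a disassembler would label (s_curMgr, dword_XXXX).
    Only this single instruction form is handled; anything else raises."""
    i = 0
    rex_w = False
    if bits == 64 and 0x40 <= code[0] <= 0x4F:      # optional REX prefix
        rex_w = bool(code[0] & 0x08)                 # REX.W -> 64-bit register
        i = 1
    if code[i] != 0x8B:                              # opcode 8B = MOV r, r/m
        raise ValueError("not a MOV r, r/m instruction")
    modrm = code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0 or rm != 5:
        raise ValueError("not a disp32-only memory operand")
    disp = struct.unpack_from("<i", code, i + 2)[0]  # signed little-endian disp32
    length = i + 2 + 4                               # [REX] + opcode + ModRM + disp32
    if bits == 64:
        # RIP-relative: displacement is added to the address of the NEXT instruction.
        target = insn_va + length + disp
    else:
        # 32-bit: mod=00 rm=101 encodes an absolute address, so reinterpret unsigned.
        target = disp & 0xFFFFFFFF
    return {
        "length": length,
        "reg": reg,
        "wide": rex_w,
        "target_va": target,
        # Offset from the image base; at run time add the module's actual load
        # base (ASLR) to this value to get the live address.
        "module_offset": target - image_base,
    }


if __name__ == "__main__":
    # Constructed 64-bit sample: mov rcx, [rip+0x02693151] at 0x140001000.
    r64 = decode_global_load(bytes.fromhex("488B0D51316902"), 0x140001000, 0x140000000, 64)
    print(f"x64: target 0x{r64['target_va']:X}, module offset 0x{r64['module_offset']:08X}")
    # Constructed 32-bit sample: mov ecx, [0x008D1000] with image base 0x00400000.
    r32 = decode_global_load(bytes.fromhex("8B0D00108D00"), 0x00401000, 0x00400000, 32)
    print(f"x86: target 0x{r32['target_va']:08X}, module offset 0x{r32['module_offset']:08X}")
```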
Many thanks! I currently have no knowledge of static analysis; I'm going to download IDA (or an equivalent decompiler, as I've seen IDA Pro is not free) and have a look :-)
Stupid question probably, but from the code/screenshot how can you deduce the variable address?
In 3.3.5 the string does not contain the gmvision part; just look for "object manager list status" or something of that sort.
Last edited by xalcon; 04-13-2021 at 03:37 AM.
"Threads should always commit suicide - they should never be murdered" - DirectX SDK
Just make sure that you account for the visible object list and the hashlist object manager 'arraylist'.
Both come from the same base object manager address, which holds the hashlist, hashlist length, visible list, first object, local player GUID, and local player movement globals, plus some other stuff.