[Help] How to find the object manager address?

  1. #1
    0xd5d's Avatar Member

    [Help] How to find the object manager address?

    I'm learning reverse engineering as I plan to create a BOT when WoW Classic Burning Crusade is released. I've read a large part of this forum's threads, and also other resources (like this book: http://index-of.es/Varios-2/Game%20Hacking.pdf), which were a tremendous help!

    I'm currently practicing on wow version 3.3.5a on a private server to learn the basics using C# and BOT examples you can find on github.

    I've come across many articles speaking about the object manager (like We are writing a bot for MMORPG with assembler and draenei. Part 4 / Sudo Null IT News, wor...t-manager.html, https://www.ownedcore.com/forums/wor...t-manager.html). Many of these articles ask for the object manager's address value (or are pretty old and I'm unsure if they are still relevant).

    I'm instead trying to understand how to find this address by myself.

    With cheat engine, I'm able to find my character (or my target) hit point, then understand the base address of my character (or target) by looking at the assembly instruction (see offset) or looking at the cheat engine window (example below: base address is 0x24636A48, health is at 0x24636A48 + 0xFB0)

    Capture.PNG

    But the object manager address is harder to catch, as I can't really change a value in the game to point toward it directly.

    I'm currently looking at the assembly instructions in Cheat Engine, setting breakpoints while damaging enemies to find out where the base enemy address comes from. I'm able to find the value by running an existing working bot and comparing what I see in assembly with the real address value from the bot, but I'm pretty sure there is a better way (and I won't have an existing bot for the Burning Crusade to come).

    I've seen here (https://drewkestell.us/Article/6/Chapter/7) usage of DLL injection to access EnumerableVisibleObjects, I wish I could find a simpler method using Cheat Engine?

    How do you guys find the object manager address?
    Last edited by 0xd5d; 04-11-2021 at 01:10 PM.

  2. #2
    _chase's Avatar Established Member
    I'm sure you can find the object manager with runtime analysis, but it's super simple with static analysis.
    If you go in IDA and search for string, "Object manager list status: (use gmvision to see server onlys)" you should get directed to a function where you can find a snippet like the below.
    You can see I've already renamed the 3rd argument in 'printLogHead' as 's_curMgr'. That third argument should always be the object manager.

    As of 1.13.6.37497 the object manager is at [ModuleBase + 0x02694158]

    Code:
      printLogHead("Object manager list status: (use gmvision to see server onlys)", 7i64, s_curMgr, dword_1F7F570);
      printLogSub("    Active objects:    %u (%u visible)", 7i64, v1, v0);
      printLogSub("    Units: %u,   GameObjs: %u    Items: %u,    Other: %u", 7i64, v4, v5);
      printLogSub("    Objects waiting to be freed: %u objects", 7i64, v2, v18);
    Last edited by _chase; 04-16-2021 at 06:59 AM.

  4. #3
    oiramario's Avatar Established Member
    On the other hand, you can go in IDA and search xrefs to the name 'aObjectManagerL'; there is only 1 call.
    And then, at the top of the function you can find the operand value that is the address of the object manager.

  6. #4
    0xd5d's Avatar Member
    Many thanks! I currently have no knowledge of static analysis, I'm going to download IDA (or an equivalent decompiler as I've seen IDA pro is not free) and have a look :-)

    Stupid question probably, but from the code/screenshot how can you deduce the variable address?
    Last edited by 0xd5d; 04-12-2021 at 02:19 PM.

  7. #5
    xalcon's Avatar Contributor ふたなり
    Originally Posted by _chase View Post
    I'm sure you can find the object manager with runtime analysis, but it's super simple with static analysis.
    If you go in IDA and search for string, "Object manager list status: (use gmvision to see server onlys)" you should get directed to a function where you can find a snippet like the below.
    You can see I've already renamed the 3rd argument in 'printLogHead' as 's_curMgr'. That third argument should always be the object manager.

    As of 1.13.6.37497 the object manager is at [ModuleBase + 0x02694158]

    Code:
      printLogHead("Object manager list status: (use gmvision to see server onlys)", 7i64, s_curMgr, dword_1F7F570);
      printLogSub("    Active objects:    %u (%u visible)", 7i64, v1, v0);
      printLogSub("    Units: %u,   GameObjs: %u    Items: %u,    Other: %u", 7i64, v4, v5);
      printLogSub("    Objects waiting to be freed: %u objects", 7i64, v2, v18);
    In 3.3.5 the string does not contain the gmvision stuff, just look for object manager list status or something of that sort.
    Last edited by xalcon; 04-13-2021 at 03:37 AM.
    "Threads should always commit suicide - they should never be murdered" - DirectX SDK

  9. #6
    netpanpeng2019's Avatar Member
    What is this function? PrintLogHead

  10. #7
    maikel233's Avatar Contributor
    Originally Posted by netpanpeng2019 View Post
    What is this function? PrintLogHead
    Download the mac binary 18179

    Code:
     ConsoleWrite("Object manager list status: (use gmvision to see server onlys)");
      ConsoleWriteA("    Active objects:    %u (%u visible)", v26);
      ConsoleWriteA("    Units: %u,   GameObjs: %u    Items: %u,    Other: %u", v17);
      ConsoleWriteA("    Objects waiting to be freed: %u objects", v18);

  11. #8
    ChrisIsMe's Avatar Contributor
    Just make sure that you account for the visible object list and the hashlist object manager 'arraylist'

    Both are from the same base objectmanager address, which has the hashlist, hashlist length, visible list, first object, local player GUID, and local player movement globals. And some other stuff.

  13. #9
    0xd5d's Avatar Member
    Originally Posted by xalcon View Post
    In 3.3.5 the string does not contain the gmvision stuff, just look for object manager list status or something of that sort.
    Thanks a lot for your help. Looking with Ghidra I find this method (with the mentioned string "Object Manager list status:").

    Code:
    undefined4 UndefinedFunction_004d49e0(void)
    
    {
      int iVar1;
      uint uVar2;
      int in_FS_OFFSET;
      
      iVar1 = *(int *)(*(int *)(*(int *)(in_FS_OFFSET + 0x2c) + DAT_00d439bc * 4) + 8);
      uVar2 = *(uint *)(iVar1 + 0xac);
      if (((uVar2 & 1) != 0) || (uVar2 == 0)) {
        uVar2 = 0;
      }
      for (; ((uVar2 & 1) == 0 && (uVar2 != 0)); uVar2 = *(uint *)(*(int *)(iVar1 + 0xa4) + uVar2 + 4))
      {
      }
      uVar2 = *(uint *)(iVar1 + 0xc);
      if ((uVar2 & 1) == 0) goto joined_r0x004d4a33;
      do {
        uVar2 = 0;
        do {
          if (((uVar2 & 1) != 0) || (uVar2 == 0)) {
            uVar2 = *(uint *)(iVar1 + 0x34);
            if ((uVar2 & 1) == 0) goto joined_r0x004d4a61;
            goto LAB_004d4a63;
          }
          uVar2 = *(uint *)(*(int *)(iVar1 + 4) + uVar2 + 4);
          if ((uVar2 & 1) != 0) break;
    joined_r0x004d4a33:
        } while (uVar2 != 0);
      } while( true );
    LAB_004d4a63:
      uVar2 = 0;
      do {
        if (((uVar2 & 1) != 0) || (uVar2 == 0)) {
          FUN_00765270("Object manager list status:",(int *)&DAT_00000007);
          FUN_00765360("    Active objects:              %u objects (%u visible)",(int *)&DAT_00000007);
          FUN_00765360("    Objects waiting to be freed: %u objects",(int *)&DAT_00000007);
          return 1;
        }
        uVar2 = *(uint *)(*(int *)(iVar1 + 0x2c) + uVar2 + 4);
        if ((uVar2 & 1) != 0) break;
    joined_r0x004d4a61:
      } while (uVar2 != 0);
      goto LAB_004d4a63;
    }
    Can you please help me understand how I can deduce the object manager address at runtime from this?
