Spell_C_CastSpell need help ！

[34D]

I checked some

Code:

struct CSpellCastParameters
{
	int16_t	unk1;
	int16_t unk2;
};

bool Spell_C_CastSpell(unsigned int spellId, CSpellCastParameters* parameters, intptr_t item, WowGuid* pGuid)
{
	return reinterpret_cast<bool(__fastcall*)(unsigned int, intptr_t, intptr_t, intptr_t)>(offset::Spell_C_CastSpell)(spellId, intptr_t(parameters), item, intptr_t(pGuid));
}

CSpellCastParameters temp = {0, 0};
Spell_C_CastSpell(spellId, &temp, 0, &pGuid);

The main thread is running, the game crashes, and the memory cannot be read.
Where is the problem? Thanks.

[ChrisIsMe]

aaaaaaaaaaaaaaaaaaaa

[BenjaminT]

Is it available ?
i'll send a private message

[34D]

I see the signature as something like

Code:

Spell_C_CastSpell(unitPTR, spellID, 0LL, targetGUID, &ptrToSpellId, 0LL);

I recommend referencing Script_Stuck

Code:

__int64 __fastcall Script_Stuck(__int64 a1, __int64 a2, double a3, __m128 zero)
{
  unsigned int stuckSpellID; // ebx
  __int64 unitPTR; // rax
  __int128 targetGUID; // [rsp+0h] [rbp-20h] BYREF

  stuckSpellID = CGSpellBook::m_stuckSpell;
  targetGUID = 0LL;
  unitPTR = ((__int64 (__fastcall *)(__int64, __int64, double, double))ClntObjMgrGetActivePlayer)(
              a1,
              a2,
              0.0,
              *(double *)zero.i64);
  Spell_C_CastSpell(
    unitPTR,
    stuckSpellID,
    0LL,
    &targetGUID,
    (unsigned int *)&unkown_always_0_maybe,
    0LL,
    (__m128)0LL,
    zero);
  return 0LL;
}

the "ptrToSpellId may be the spell override ID, it comes up in Script_CastSpellByName()

Code:

spellBookSpellID_or_override = CGSpellBook::FindSpellByName(v13, v67);
  if ( spellBookSpellID_or_override
    || v13
    && *v13
    && (v17 = CGSpellBook::FindSpellByName(v13, &v46),
        (spellBookSpellID_or_override = CGSpellBook::GetOverrideSpellByName(v17, 0LL, 1LL, 0LL)) != 0) )

Something to note is that there's an item pointer and I believe an item amount that are passed to this method, though I believe those are generally ruled out in modern wow and only really matter in TBC (Create healthstone for example will require a soul stone item pointer and count 1 to be passed) I haven't looked at how the function is handled in the most recent update of TBC though, which syncs the client up with retail (for the most part)

THX I‘m in Retail.

Code:

char __fastcall Spell_C_CastSpell_D(__int64 a1, int *a2, __int64 a3, __int128 *a4)
{
  __int128 *v4; // rsi
  __int64 v5; // rbp
  int *v6; // rbx
  unsigned int v7; // edi
  __int64 v8; // rax

  v4 = a4;
  v5 = a3;
  v6 = a2;
  v7 = a1;
  v8 = CGPlayer_C__m_activePlayerPtr(a1);
  return Spell_C_CastSpell(v8, v7, v5, v4, v6, 0i64);
}

This one I wrote is a dump to the Spell_C_CastSpell you showed with some parameters reduced, I think the current problem is on ptrToSpellId

https://www.ownedcore.com/forums/wor...castspell.html (Reversing CastSpell)

I tried to change the structure to the same as shown by Jadd, but still a memory error occurs

[UsuallyHome]

Spell_C_CastSpell(L,spellSlot,0,targetGuid,0,0)
spellSlot from spell book index+1 or slotBySpellId(id,0)

[ChrisIsMe]

aaaaaaaaaaaaaaaaaaaa

[34D]

Code:

if (func::CGSpellBook_IsSpellKnown(spellId))
{
auto tempId = func::CGSpellBook_GetOverridenSpell(spellId);
auto slot = func::CGSpellBook_FindSlotBySpellID(tempId);

if (slot)
func::CGSpellBook_CastSpell(spellSlot, pGuid);



	inline int8_t CGSpellBook_CastSpell(int32_t spellSlot, CGGuid* pGuid)
	{
		return reinterpret_cast<int8_t(__fastcall*)(int32_t, int32_t, CGGuid*, uint8_t, uint8_t)>(offset::CGSpellBook_CastSpell)(spellSlot, 0, pGuid, 0, 0);
	}

I also found the same function
Currently they are working fine
I still want to pass spellID and tarGUID directly to cast spells directly

[34D]

Spell_C_CastSpell(L,spellSlot,0,targetGuid,0,0)
spellSlot from spell book index+1 or slotBySpellId(id,0)

Thanks I'm currently using it to cast spells normally

[34D]

Here's some code that won't crash, but it also won't work (you'll get an error from the server). I don't really know why, but maybe it'll get you closer. I don't have enough time to continue looking into it today though.

Code:

 

    CGPlayer* player = (CGPlayer*)GetObjectManager()->GetLocalPlayer();

    unsigned int spellId = 73920; // healing rain
    unsigned int override = 73920; // healing rain

    GUID guid = player->guid;

    uintptr_t* spell = CGSpellBook_GetSpell(spellId);

    __m128* v1 = (__m128*)malloc(sizeof(__m128));
    uint8_t casted = ((uint8_t(*)(CGPlayer*, unsigned int, CGItem*, GUID*, unsigned int*, int64_t, __m128, __m128))(base + SPELL_C_CASTSPELL))(player, spellId, 0, &guid, &override, 0, *v1, *v1);

Bonus CGSpellBook::GetSpell code, if you want to do it all yourself, in reference to what UsuallyHome was talking about, I believe it's probably CGSpellBook::CastSpell, which you'll probably need this for.. (This method is called in Script_CastSpell)

Code:

uintptr_t* CGSpellBook_GetSpell(unsigned int spellId)
{
    uintptr_t* CGSpellBook_m_spells = (uintptr_t*)(base + CGSPELLBOOK_M_SPELLS);
    if (CGSpellBook_m_spells) {
        uintptr_t* spellsTable = *(uintptr_t**)((uintptr_t)CGSpellBook_m_spells + 0x8);
        int spellSize = *(int*)((uintptr_t)CGSpellBook_m_spells);

        unsigned int index = 0;
        while (1) {
            uintptr_t* spell = *(uintptr_t**)((uintptr_t)spellsTable + 8 * index);
            if (*(unsigned int*)((uintptr_t)spell + 4) == spellId && *(int*)(uintptr_t)spell == 1 && (*(uint8_t*)((uintptr_t)spell + 20) & 4) == 0) {
                return spell;
            }
            if (spellSize == ++index) {
                return 0;
            }
        }
    }
    return 0;
}

IDA seems to have a hell of a time trying to disassemble the function, so I'd probably look further into it with a debugger or something...

I think I found the answer unsigned int* &override need to give a space. instead of writing 0 or a address

Thanks for your help