-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREVERSING_NOTES.txt
199 lines (142 loc) · 6.57 KB
/
REVERSING_NOTES.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
// SETFACING SHITS 1.3.2019
// CPU Disasm
Address Hex dump Command Comments
006025AA |> \E8 71882600 CALL 0086AE20
006025AF |. 8BF8 MOV EDI,EAX
006025B1 |. E8 1A70FFFF CALL 005F95D0
// FUNCTION 00989B70 is the CGMOVEMENT SOMETHING
// these are the possible functions which set the EDI + 120 to the camera struct address or we
// 7B50A7
// 6EB7A5
// 6F149E
// 6F13EC
// 6F0A12
// 4D3810 RETURNS SOMETHING INTERESTING
7274D1 is where the angle is stored
the return values of those functions are [D4159C] and [C24954], which might be the ECX of all those functions
// CAST COND ERRMSG NOTES (13.2.2019)
// FIRST DIFFERENCE BETWEEN SUCCESS AND FAIL IS AT 8036A5 (FAIL JUMPS with JE to 8036AC, SUCCESS doesn't)
// this occurs in the function 803500 (the return value is 0 for fail and 1 for success (EAX))
// 808200 is one function that is called in fail and not called in success
// 808200 IS THE fucking function :DD
// 072E500 is a call site for CTM of type 2 ("Face")
// CTM notes:
// at least for CTM_MOVE and CTM_MOVE_AND_ATTACK, D689AC contains the minimum distance you need to be
// until you're considered done with the CTM. 9A8 is something i've not yet figured out, but it doesn't seem to really affect anything
// CTM_MOVE_ATTACK_ZERO must be 0 for at least CTM_MOVE_AND_ATTACK, otherwise segfault
// explanation: the function 7BCB00 segfaults at 7BCB14, if it's not
// can't remember which function calls 7BCB00, but the branch
// isn't taken when there's a 0 at D689CC. :D
// at Wow.exe:612A53 we can see that when the player is done CTMing,
// addresses D689C0-D689C8, D68998, D6899C are set to 0.0, and CTM_action to 0D
// seems like addresses D689A0 D689A4 D689A8 are floats, maybe some angles?
// A0 = the angle where the character should be walking?
// D689A8 and D689AC are weird..
// for walking, "mystery" is a constant float 0.5
// based on my testing, the addresses that change upon a legit CTM are:
// D6896C, D689A0:AC, D689B8:BC, D689C8, D68A0C:20, D68A90:94
// here's a memdump diff for evidence (range was D68800 - D68B00 i think):
/* $ diff pre-ctm.txt mid-ctm.txt
94c94
< 00D6896C 00000000
-- -
> 00D6896C 40E00000
107, 110c107, 110
< 00D689A0 00000000
< 00D689A4 00000000
< 00D689A8 00000000
< 00D689AC 00000000
-- -
> 00D689A0 3F588DE2
> 00D689A4 415F66F3
> 00D689A8 3E800000
> 00D689AC 3F000000
113, 114c113, 114
< 00D689B8 00000000
< 00D689BC 0000000D
-- -
> 00D689B8 3D3E07D9
> 00D689BC 00000004
117c117
< 00D689C8 00000000
-- -
> 00D689C8 00000002
134, 139c134, 139
< 00D68A0C 00000000
< 00D68A10 00000000
< 00D68A14 00000000
< 00D68A18 00000000
< 00D68A1C 00000000
< 00D68A20 00000000
-- -
> 00D68A0C C3F6F64F
> 00D68A10 C584BEC0
> 00D68A14 423572C4
> 00D68A18 C3F5789C
> 00D68A1C C584A3D1
> 00D68A20 4239D718
167, 168c167, 168
< 00D68A90 00000000
< 00D68A94 00000000
-- -
> 00D68A90 3F7FF605
> 00D68A94 00000001
*/
// D689A0 is the walking direction.
// seems like the player's spellbook spells are at C6FB00 + 4*n =)
// function at Wow.exe:7D8560 is of interest to clickable AOE spells. the aoe coordinates are at 7D85F3 (ESI+3C), where ESI seems to be mostly E1D828
// E1D734 contains a mask. for aoe its 40.
// 4D8450 seems to be a kind of input handler function :P
// 6FAD80 is where the AOE coordinates are inserted into those addresses (the float array is passed as argument to this func, ARG.1)
0xD43318 // joku unnamed spell struct staticci, liittyy LOS-checkauksiin.
(0xBA0BE0 myös joku offsetti)
spell failed status kirjoitetaan @ 40B6CC in thread 21 (apparently a network thread)
0x4203B0: socket send functions :D
0x6F96D0: called whenever a spell cast is done (calls the above function as well)
0x6FAD80: fires everytime a mouse button is pressed (CAMERASELECTORMOVE)
socket::send buffer is at [EDI+8], which would be LOCAL.8 of 0x6F96D0
0x420541 (func 0x4203B0): call to WS2::send()
CALLSTACK at moment of send():
0x4ACF80 -> 0x4A79F0 -> 0x4A1A60 -> 0x6FAD80 -> 0x6F96D0 -> 0x5B3CA0 -> 0x55F8A0 -> 0x4203B0
"PUSH 12E" 6F9C90 (12E is the packet opcode for spell cast, AKA CMSG_CAST_SPELL)
most TOP-level call unique to spells: 4ACF80
0xE1D828: some kind of spellcast-struct. AOE coords are at E1D864 - E1D86C, spellID is at E1D838, target GUID is at E1D840 (if any)
looks like 0x41F610 is the encryption function (called at 0x420520)
for an AOE spell, the socket buffer lies at EBP-0x330 of 0x6F96D0
40B570: memcpy
41FFB0 (called from 4204D2) is where the first byte of the packet is copied
the original packet buffer is LOCAL.5 of 0x4203B0
function 5B3B80 returns some kind of static socket struct base address =) can find the socket handle now!!
(lies at 0xD4332C :D)
SOCKET IS AT [[0xD4332C + 2198] + 4]
CMSG_GAMEOBJ_USE
-----------------------------------------------------------------
=================================================================
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
=================================================================
=================================================================
=================================================================
=================================================================
=================================================================
WOTLK
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
525E7E (call jotain) -> blocked
513530 is the "has been blocked from asdfsadf"
853CA0 is the function that sets D4139C to zero (or something else)
=================================================================
=================================================================
=================================================================
=================================================================
=================================================================
=================================================================
=================================================================