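// WoWConsole.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"

HANDLE openSecureProcess(LPCTSTR wndclass, DWORD rights);

// Base address found by FindBaseAddress(); 0 until a read succeeds.
DWORD g_Base = 0;

#define s_curMgr             0x00B41414
#define s_curMgr_FirstObject 0xAC
#define s_curMgr_NextObject  0x3C
#define PLAYER_BASE_ADDRESS  0x0012C318
#define CONTINENT            0x7F38A8

// Window class used to locate the target process.
static LPCTSTR const g_WndClass = "GxWindowClassD3d";

// Process handle shared by every read. The original opened a fresh handle
// for every 4-byte read and never closed it, leaking one handle per call.
// One handle is opened on first use and released by closeTargetProcess().
static HANDLE g_Process = NULL;

// Returns the cached handle to the target process, opening it on first use.
// Returns NULL when no window of g_WndClass exists or the process cannot be
// opened with PROCESS_ALL_ACCESS.
static HANDLE getTargetProcess(void)
{
    if (g_Process == NULL) {
        g_Process = openSecureProcess(g_WndClass, PROCESS_ALL_ACCESS);
    }
    return g_Process;
}

// Releases the cached process handle; no-op if none was opened.
static void closeTargetProcess(void)
{
    if (g_Process != NULL) {
        CloseHandle(g_Process);
        g_Process = NULL;
    }
}

// Copies `size` bytes from `address` in the target process into `out`.
// Returns false when the process is unavailable or the read is short; the
// original ignored the ReadProcessMemory result and returned whatever was
// left in an uninitialised local.
static bool readTargetMemory(DWORD address, void *out, SIZE_T size)
{
    HANDLE wow = getTargetProcess();
    if (wow == NULL) {
        return false;
    }
    SIZE_T got = 0;
    // DWORD -> pointer: this tool addresses a 32-bit target only.
    if (!ReadProcessMemory(wow, (LPCVOID)address, out, size, &got)) {
        return false;
    }
    return got == size;
}

// Reads a 32-bit signed value at `address`; returns 0 when the read fails.
int GReadInt(DWORD address)
{
    int ret = 0;
    readTargetMemory(address, &ret, sizeof ret);
    return ret;
}

// Reads a 32-bit unsigned value at `address`; returns 0 when the read fails.
DWORD GReadLong(DWORD address)
{
    DWORD ret = 0;
    readTargetMemory(address, &ret, sizeof ret);
    return ret;
}

// Reads a float at `address`; returns 0.0f when the read fails.
float GReadFloat(DWORD address)
{
    float ret = 0.0f;
    readTargetMemory(address, &ret, sizeof ret);
    return ret;
}

// Reads up to `size` bytes starting at pAddr and returns them as a
// NUL-terminated string in a heap buffer that the caller must free().
// Returns NULL when size is negative or allocation fails; after a failed
// read the buffer holds an empty string. The original never terminated
// the buffer, so printing it with %s could run past the allocation.
char* GReadString(DWORD pAddr, int size)
{
    if (size < 0) {
        return NULL;
    }
    // +1 for the terminator; calloc guarantees termination even when the
    // source holds no NUL within `size` bytes.
    char *readBuf = (char*)calloc((size_t)size + 1, 1);
    if (readBuf == NULL) {
        return NULL;
    }
    if (!readTargetMemory(pAddr, readBuf, (SIZE_T)size)) {
        readBuf[0] = '\0';
    }
    return readBuf;
}

// Parameters handed to the brute-force thread routines.
struct dw {
    DWORD base; // object address the scan starts from
    int t;      // tag used to name the output file
};

// Writes every float read at base+0x1 .. base+0x3B whose value is not above
// 323.0 to fp, one "base + offset f: value" line each. The offset steps by
// one byte, so most reads are unaligned, overlapping views of the same data.
static void dumpFloatRange(FILE *fp, DWORD base)
{
    for (DWORD ax = 0x1; ax < 0x3C; ax++) {
        float x = GReadFloat(base + ax);
        // Original test was `x > 323.0f && x`; the second operand is
        // implied by the first, so only the range test is kept.
        if (x > 323.0f) {
            continue;
        }
        fprintf(fp, "0x%lX + 0x%lX f: %f\n", base, ax, x);
    }
}

// Thread routine: dumps the float range of d->base into brute<t>.log.
// Declared WINAPI: the original used the default calling convention and
// cast the function to LPTHREAD_START_ROUTINE, which mismatches the
// __stdcall contract on 32-bit builds.
// Returns 1 on success, 0 when the log file cannot be opened.
DWORD WINAPI BruteThread(LPVOID param)
{
    dw* d = (dw*)param;
    char filename[MAX_PATH];
    // "brute" + at most 11 digits + ".log" fits comfortably in MAX_PATH.
    sprintf(filename, "brute%d.log", d->t);
    FILE* fp = fopen(filename, "w");
    if (fp == NULL) {
        return 0;
    }
    dumpFloatRange(fp, d->base);
    fclose(fp);
    return 1;
}

// Thread routine: same dump as BruteThread but always into brute.log.
// Returns 1 on success, 0 when the log file cannot be opened.
DWORD WINAPI BruteStringThread(LPVOID param)
{
    dw* d = (dw*)param;
    FILE* fp = fopen("brute.log", "w");
    if (fp == NULL) {
        return 0;
    }
    dumpFloatRange(fp, d->base);
    fclose(fp);
    return 1;
}

// Runs BruteThread for `base` on a worker thread and waits for it to finish.
// The parameter block lives on this stack frame because the thread is joined
// before returning; the original `new`ed it and leaked both it and the
// thread handle.
void BruteforceOffset(DWORD base, int ofs)
{
    dw d;
    d.base = base;
    d.t = ofs;
    HANDLE hThread = CreateThread(NULL, 0, BruteThread, &d, 0, NULL);
    if (hThread == NULL) {
        return;
    }
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
}

// Reads the string pointed to by base+0x20 and discards it. Kept for
// interface compatibility; the original leaked the returned buffer.
void BruteforceName(DWORD base)
{
    DWORD sPtr = GReadLong(base + 0x20);
    char *item = GReadString(sPtr, 64);
    free(item);
}

// Logs one positioned object (player, unit or gameobject) at `ptr` to fp
// with its guid, coordinates and facing.
static void logPositionedObject(FILE *fp, const char *label, DWORD ptr)
{
    DWORD guid = GReadLong(ptr + 0x30);
    float y = GReadFloat(ptr + 0x0C);
    float x = GReadFloat(ptr + 0x10);
    float z = GReadFloat(ptr + 0x14);
    float facing = GReadFloat(ptr + 0x18);
    fprintf(fp, "%s at 0x%lX (0x%lX): x: %f y: %f z:%f, facing: %f\n",
            label, ptr, guid, x, y, z, facing);
}

// Walks the object manager's linked list and writes one line per known
// object type to log.txt; units additionally get a BruteThread dump.
// The original never closed log.txt and never freed the item strings.
void WalkLinkedList()
{
    DWORD currObjMgr = GReadLong(s_curMgr);
    FILE *fp = fopen("log.txt", "w");
    if (fp == NULL) {
        return;
    }
    // s_curMgr_FirstObject is the slot holding the first entry and
    // s_curMgr_NextObject the "next" link inside each entry. Starting
    // s_curMgr_NextObject below the first-entry slot lets the same
    // `ptr + ptrOffset` read fetch the head and then every successor.
    // NOTE(review): the author's comment said +0xB4 for the first entry
    // while the define is 0xAC — confirm which is right for this build.
    DWORD ptrOffset = s_curMgr_NextObject;
    DWORD ptr = currObjMgr + (s_curMgr_FirstObject - ptrOffset);
    fprintf(fp, "ptr: 0x%lX\n", ptr);

    int times = 0;
    // currObjMgr is never updated, so this only skips the walk when the
    // manager pointer could not be read.
    while (currObjMgr != 0) {
        ptr = GReadLong(ptr + ptrOffset);
        // Stop on a null link, a link with its low bit set, or the 0x1c
        // value the author treated as an end marker.
        if ((ptr & 0x1) != 0 || ptr == 0 || ptr == 0x1c) {
            printf("Breaking\n");
            break;
        }
        int type = GReadInt(ptr + 0x14);
        switch (type) {
        case 4: // player
            logPositionedObject(fp, "WOW_PLAYER", ptr);
            break;
        case 3: // unit
            logPositionedObject(fp, "WOW_UNIT", ptr);
            BruteforceOffset(ptr, times);
            break;
        case 5: // gameobject
            logPositionedObject(fp, "WOW_GAMEOBJECT", ptr);
            break;
        case 1: { // item
            DWORD sPtr = GReadLong(ptr + 0x20);
            char *item = GReadString(sPtr, 64);
            fprintf(fp, "WOW_ITEM 0x%lX %s\n", ptr, item ? item : "");
            free(item);
            break;
        }
        default:
            break;
        }
        times++;
    }
    fclose(fp);
}

// Opens the process owning a window of class `wndclass` with `rights`.
// If a plain OpenProcess is refused, the target's DACL is replaced with
// this process's own DACL through a WRITE_DAC handle and the open is
// retried. Returns NULL on any failure — callers must compare against
// NULL, not INVALID_HANDLE_VALUE, which OpenProcess never returns (the
// original readers tested INVALID_HANDLE_VALUE and so read through a
// NULL handle).
HANDLE openSecureProcess(LPCTSTR wndclass, DWORD rights)
{
    // Find a window which uses the window class.
    HWND window = FindWindow(wndclass, 0);
    if (window == 0) {
        return NULL;
    }
    // Get the process id of the process which created it.
    DWORD pid = 0;
    GetWindowThreadProcessId(window, &pid);

    // Try to open the process with the requested rights.
    HANDLE process = OpenProcess(rights, 0, pid);
    if (process != NULL) {
        return process;
    }

    // Get the DACL of this process, in which we hold all rights.
    PACL dacl = NULL;
    PSECURITY_DESCRIPTOR secdesc = NULL;
    if (GetSecurityInfo(GetCurrentProcess(), SE_KERNEL_OBJECT,
                        DACL_SECURITY_INFORMATION, 0, 0, &dacl, 0,
                        &secdesc) != ERROR_SUCCESS) {
        return NULL;
    }

    // Open it with WRITE_DAC access so that we can write to the DACL.
    process = OpenProcess(WRITE_DAC, 0, pid);
    if (process == NULL) {
        LocalFree(secdesc);
        return NULL;
    }
    DWORD rc = SetSecurityInfo(process, SE_KERNEL_OBJECT,
                               DACL_SECURITY_INFORMATION |
                               UNPROTECTED_DACL_SECURITY_INFORMATION,
                               0, 0, dacl, 0);
    // The WRITE_DAC handle is released on both paths; the original leaked
    // it when SetSecurityInfo failed.
    CloseHandle(process);
    LocalFree(secdesc);
    if (rc != ERROR_SUCCESS) {
        return NULL;
    }
    // The DACL now matches ours, so the requested rights should be granted.
    return OpenProcess(rights, 0, pid);
}

// Reads the value at PLAYER_BASE_ADDRESS and accepts it as the base when
// its low 16 bits are 0x8008 or 0x8. Stores the result in g_Base and
// returns it; returns 0 without touching g_Base when the read fails or
// the pattern does not match. The original read into an uninitialised
// local through an unchecked handle.
DWORD FindBaseAddress()
{
    DWORD baseTemp = 0;
    if (!readTargetMemory(PLAYER_BASE_ADDRESS, &baseTemp, sizeof baseTemp)) {
        return 0;
    }
    DWORD low = baseTemp & 0xFFFF;
    if (low == 0x8008 || low == 0x8) {
        g_Base = baseTemp;
        return baseTemp;
    }
    return 0;
}

// Entry point: locate the base once, walk the object list, then keep the
// console open.
int _tmain(int argc, _TCHAR* argv[])
{
    if (g_Base == 0) {
        FindBaseAddress();
        printf("base address: 0x%lX\n", g_Base);
    }
    WalkLinkedList();
    //printf("Current Continent: %d\n", GReadInt(CONTINENT));
    closeTargetProcess();
    // Fixed literal command (no user input reaches the shell).
    system("pause");
    return 0;
}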