TOM_RUS

There's a flag in realm packet, that forces client to show "Enter pin" popup.

AuthSocket.cpp

pkt << uint8(securityFlags);            // security flags (0x0...0x04)

if(securityFlags & 0x01)                // PIN input (no idea wtf is that)
{
   pkt << uint32(0);
   pkt << uint64(0) << uint64(0);      // 16 bytes hash?
}

if(securityFlags & 0x02)                // Matrix input (The9 matrix cards)
{
   pkt << uint8(0);
   pkt << uint8(0);
   pkt << uint8(0);
   pkt << uint8(0);
   pkt << uint64(0);
}

if(securityFlags & 0x04)                // Security token input (aka authenticator)
{
   pkt << uint8(1);
}

The only way, for now to bypass this opcode is inject a dll ...

Or you can patch wow.exe directly...

Or you can make a loader, that will patch memory instead (looks more optimal)...

Dunno about so old client version, but some more recent IDB's are available:

3.3.3.11723 http://filebeam.com/3e0737d4a1cd992b89bce92fa4bc61b9

3.3.5.12213 http://filebeam.com/3aca0f7c41ea0ed6ba60a87a0d464fd4

3.3.5.12340 http://filebeam.com/19ba9a5a6a78045b5aee383bf88f9290

I guess that

SetDestroyAnim(true);

should be moved to

void Totem::UnSummon()

then.

I think you can use

    data << uint8(GetDestroyAnim());                            // WotLK (bool), may be despawn animation

instead off passing it as argument...

+            target->DestroyForPlayer(this, target->GetDestroyAnim());

actually opcodes were not randomized in 4.0.1, cata (the expansion, not patch) still hasnt hit release and it cannot be confirmed whether or not it will randomize them

Opcodes are randomized in both 4.0.1 and 4.0.3.

Those instances aren't 10 man, they are 5 ppl.

On my live character tooltip says "Cast time: 1.69 sec" with 20% haste buff.

I can't edit posts/threads at all. My moderator permissions seems to be fucked up. Can it be fixed? Also I have 2 "report" bottons on each post...

is there a possibility to re-add private messaging functionality? a forum without PM's is not really a forum, and for example I don't want to receive anything per email, because I don't even check that mail address very often...

those which don't want to receive PMs can still disable it

Agree.

- for instance, on Blizz when you enter a bound instance, a popup was sent to client to ask him if he wants to bind (if i can remember with 1 min remaining) to this instance. I search this popup to implement it on mangos.

SMSG_INSTANCE_LOCK_WARNING_QUERY is exactly what you looking for.

- second, when you fight Dreamwalker, Halion or Cannoneer Battle, a portrait of the boss appears like in arenas when you can always see the state (life, head and level) of the boss, like focus portrait when you left click on a mob and do focusing. I search to make this portrait appear for thoses bosses to be really blizzlike. Can you help me ?

I think I figured that out:

SMSG_GAMEOBJECT_SPAWN_ANIM_OBSOLETE - should be renamed to something more correct, like SMSG_UPDATE_INSTANCE_ENCOUNTER_UNIT. This opcode fires INSTANCE_ENCOUNTER_ENGAGE_UNIT script event on client side.

uint32 type;
switch(type)
{
   // I guess there's should be add/update/remove types below
   case 0: // ENCOUNTER_UNIT
   case 1: // ENCOUNTER_UNIT
   case 2: // ENCOUNTER_UNIT
       PGUID unitGuid;
       uint8 unk1;
       break;
   case 3: // ENCOUNTER_TIMER
   case 4: // ENCOUNTER_OBJECTIVE
   case 6: // ENCOUNTER_OBJECTIVE
       uint8 unk2;
       break;
   case 5: // ?
       uint8 unk3;
       uint8 unk4;
       break;
   case 7: // ?
       // clears stuff?
       break;
   default:
       break;
}

FF 3.6.10 Win/Lin/OSX: Dual Core 1.8GHz. No lagging at all. No JavaScript whatsoever except for wowhead tooltips here. Block it and see what happens

I've disabled js and all FF addons, still lags the same.

I've got my own IPB forum, so I've opened the most overloaded page of 30kb compressed (400kb uncompressed) html, and when I scroll rapidly through it trying to blow up my mouse I can only get FF to 15% CPU usage. A small scroll of the current page makes FF consume 25% CPU (1 core) and it lags. Really lags. IDK why. Probably an engine issue?

Thanks for the feedback.

Edit:

I've also tested other browsers on the same machine, scrolling through the current topic:

Opera 10.62 — almost no lags

Safari 5.02 — almost no lags

Google Chrome 6.0.472.63 — lags

IE 7 — no lags at all (what?)

I tested with:

Opera 10.70 build 9053 - works fine

Google Chrome 6.0.472.63 - lags

IE 8 - works fine

So I guess it's problem with Google Chrome, not forum engine.

Hello all,

im searching about informations about two packets not implemented in Mangos.

I know the first : SMSG_INSTANCE_LOCK_WARNING_QUERY

i think it's used to ask a client if he really want to bind to an instance, but after some tries i havent found any informations about this packet and sniffing with WPE dont return very good informations because of too many packets

The second question, i search the packet which permit to add the target to a mob in the interface like halion or cannoneer battle or dreamwalker. Somebody have an idea about this packet ? (sorry i havent any screen, i hope someone understand what i said)

SMSG_INSTANCE_LOCK_WARNING_QUERY opcode triggers following script events on client side:

(if timer <= 0)
   EVENT_INSTANCE_LOCK_STOP
else
   EVENT_INSTANCE_LOCK_START

Related lua functions:

lockTimeLeft, isExtended, encountersTotal, encountersComplete = GetInstanceLockTimeRemaining()

Packet structure:

uint32 lockTimeLeft; // in milliseconds
uint32 completedEncountersMask;
uint8 isExtended;

DungeonEncounter.dbc structure (in client memory)

struct DungeonEncounterEntry
{
 int id;
 int mapId;
 int instanceDifficulty;
 int noIdea;
 int encounterIndex;
 char *name;  // char* name[16]; int nameFlags;
 int noIdea2;
};

void __cdecl sub_553830(int mapId, int instanceDifficulty, int encountersCompletedMask, int *encountersTotal, int *encountersCompleted)
{
 int numRows; // eax@1
 int rowCounter; // edx@1
 int nextRow; // esi@2
 DungeonEncounterEntry *encounter; // eax@5

 *encountersTotal = 0;
 *encountersCompleted = 0;
 numRows = g_DungeonEncounterDB.numRows;
 rowCounter = 0;
 if ( g_DungeonEncounterDB.numRows > 0 )
 {
     nextRow = 0;
     do
     {
         if ( rowCounter < 0 || rowCounter >= numRows )
             encounter = 0;
         else
             encounter = (DungeonEncounterEntry *)((char *)g_DungeonEncounterDB.FirstRow + nextRow);
         if ( encounter->mapId == mapId )
         {
             if ( encounter->instanceDifficulty == instanceDifficulty )
             {
                 ++*encountersTotal;
                 if ( (1 << encounter->encounterIndex) & encountersCompletedMask )
                     ++*encountersCompleted;
             }
         }
         numRows = g_DungeonEncounterDB.numRows;
         ++rowCounter;
         nextRow += 28;                          // sizeof(DungeonEncounterEntry)
     }
     while ( rowCounter < g_DungeonEncounterDB.numRows );
 }
}

And for the rest - I have no idea what you talking about.

As far I know, they are using TIMING_CHECK for detecting speedhacks (I have no idea how...) It just returns client's tickcount to server.

                 case 8: // SPELL_AURA_PERIODIC_HEAL
                 case 20: // SPELL_AURA_OBS_MOD_HEALTH
                     CDataStore__GetInt32(a1, (int)&v55);
                     CDataStore__GetInt32(a1, (int)&v54);
                     CDataStore__GetInt32(a1, (int)&v56);
                     CDataStore__GetInt8(a1, (int)&v57);

• * Fixing and using Unit::SendMonsterMoveByPath() thanks to TOM_RUS and his detailed info on the structure.
  

According to http://mywowtools.googlecode.com/svn/trunk/WowTools/src/WoWPacketViewer/Parsers/MonsterMoveParser.cs Unit::SendMonsterMoveByPath() should look like this, or you will broke taxi fly paths:

   if(flags & SplineFlags(SPLINEFLAG_FLYING | SPLINEFLAG_CATMULLROM))
   {
       for(uint32 i = start; i < end; ++i)
       {
           data << float(path[i].x);
           data << float(path[i].y);
           data << float(path[i].z);
       }
   }
   else
   {
       // destination
       data << path[end-1].x;
       data << path[end-1].y;
       data << path[end-1].z;

       // all other points are relative
       float mid_X = (path[start].x + path[end-1].x ) * 0.5f;
       float mid_Y = (path[start].y + path[end-1].y ) * 0.5f;
       float mid_Z = (path[start].z + path[end-1].z ) * 0.5f;

       for(uint32 i = start; i < end-1; ++i)
           data.appendPackXYZ(mid_X - path[i].x, mid_Y - path[i].y, mid_Z - path[i].z);
   }

I was also trying to send the entire path at once, using the SMSG_MONSTER_MOVE packet, following the example in Unit::SendMonsterMoveByPath(), but as soon as I send path longer than single point, the movement gets totally screwed.

Either I'm doing something really wrong, or the format we have is outdated.

If anyone have some packet logs with SMSG_MONSTER_MOVE sending multiple points, and not for flight-path, please do post.

Is it even intended to be used for anything but flight-paths?

Some help appreciated on this subject.

There's a ByteBuffer method for writing packed vectors exists:

       // can be used in SMSG_MONSTER_MOVE opcode
       void appendPackXYZ(float x, float y, float z)
       {
           uint32 packed = 0;
           packed |= ((int)(x / 0.25f) & 0x7FF);
           packed |= ((int)(y / 0.25f) & 0x7FF) << 11;
           packed |= ((int)(z / 0.25f) & 0x3FF) << 22;
           *this << packed;
       }

All points should be written relative to middle of path:

mid.X = (curr.X + dest.X) * 0.5f;
mid.Y = (curr.Y + dest.Y) * 0.5f;
mid.Z = (curr.Z + dest.Z) * 0.5f;

float x = mid.X - waypoint[n].X;
float y = mid.Y - waypoint[n].Y;
float z = mid.Z - waypoint[n].Z;
packet.appendPackXYZ(x, y, z);

And full SMSG_MONSTER_MOVE structure: http://mywowtools.googlecode.com/svn/trunk/WowTools/src/WoWPacketViewer/Parsers/MonsterMoveParser.cs

Some packet examples: http://paste2.org/p/978981

But how it loads maiev.mod? I putted breakpoints on every loadlibrary and I didn't see it loading maiev.mod.

That module isn't actual module, it's part of wow.exe and all stuff called directly.

That is very good idea about getting the rc4 keys from memory, but that way I would have to use only one module with sending the same seed in 0x05. Defenetly gonna try that. Anyways I find maiev.mod string in battle.net.dll but wow runs and responses to warden packets without battle.net.dll, and I deleted cache too. Anyone can tell me how to get maiev.mod?

Thanks.

I looked in wow.exe by searching for strings maiev.mod and also putted breakpoints on every loadlibrary functions and didn't see it loading maiev.mod or battle.net.dll.

maiev.mod string is encrypted in wow.exe...

If I remember correct, amount of talent points is recalculated on login base on player level that makes this command useless.

Warden 2.0 is a lie.

Most likely just visual bug due to missed opcode changes...

Hmm, i check second patch at 3.3.5 client and client open empty vendor list instead show any messages...

in fact in same way as without patch... maybe client now not have error output mode for packet...

It still exist:

signed int __thiscall CGPlayer_C__OnListInventory(void *this, int a2)
{
 int v2; // eax@1
 signed int v3; // ecx@1
 int _packet; // edi@3
 unsigned __int8 v5; // bl@11
 int v6; // esi@12
 WGUID v8; // [sp+0h] [bp-10h]@3
 void *v9; // [sp+8h] [bp-8h]@1
 char error; // [sp+Fh] [bp-1h]@4

 v9 = this;
 v2 = &dword_C9D7D0;
 v3 = 150;
 do
 {
     *v2 = 0;
     v2 += 32;
     --v3;
 }
 while ( v3 );
 _packet = a2;
 CDataStore__GetInt64(a2, &v8);
 CDataStore__GetInt8(_packet, (&a2 + 3));
 if ( BYTE3(a2) > 150u )
     sub_8889B0(&byte_9E14FF, &byte_9E14FF, 0);
 dword_C9EA90 = v8.guid_low;
 dword_C9EA94 = v8.guid_high;
 error = -1;
 if ( BYTE3(a2) )
 {
     v5 = 0;
     if ( !BYTE3(a2) )
         return 1;
     do
     {
         v6 = 32 * v5;
         CDataStore__GetInt32(_packet, (&dword_C9D7D0 + v6));
         CDataStore__GetInt32(_packet, (&dword_C9D7D4 + v6));
         CDataStore__GetInt32(_packet, (&dword_C9D7D8 + v6));
         CDataStore__GetInt32(_packet, (&dword_C9D7DC + v6));
         CDataStore__GetInt32(_packet, (&dword_C9D7E0 + v6));
         CDataStore__GetInt32(_packet, (&dword_C9D7E4 + v6));
         CDataStore__GetInt32(_packet, (&dword_C9D7E8 + v6));
         CDataStore__GetInt32(_packet, (&dword_C9D7EC + v6));
         ++v5;
     }
     while ( v5 < BYTE3(a2) );
 }
 else
 {
     CDataStore__GetInt8(_packet, &error);
     switch ( error )
     {
         case 2:
             ConsoleWrite("You are too far away", 0);
             break;
         case 1:
             ConsoleWrite("I don't think he likes you very much", 0);
             break;
         case 0:
             ConsoleWrite("Vendor has no inventory", 0);
             break;
         case 3:
             ConsoleWrite("Vendor is dead", 0);
             break;
         case 4:
             ConsoleWrite("You can't shop while dead.", 0);
             break;
         default:
             break;
     }
 }
 if ( BYTE3(a2) || !error )
 {
     sub_6D1760(v9);
     sub_584500(v8.guid_low, v8.guid_high, &dword_C9D7D0, BYTE3(a2));
 }
 return 1;
}

May be fixed, who knows...

if ( vehicleSeatId < g_VehicleSeatDB.minIndex || vehicleSeatId > g_VehicleSeatDB.maxIndex )
   vehicleSeatEntry = 0;
else
   vehicleSeatEntry = g_VehicleSeatDB.Rows[vehicleSeatId - g_VehicleSeatDB.minIndex];
v7 = *(_DWORD *)(vehicleSeatEntry + 176);        // crash here!

.text:006182A2                 mov     eax, [eax+0B0h]   // 0xB0h=176

The instruction at "0x006182A2" referenced memory at "0x000000B0".
The memory could not be "read".

Hope you figured out what is wrong...