WoW Memory Editing (for learning purposes only)
07-23-2009
New User | Join Date: Jun 2007 | Posts: 37
Need Help with GetBattlefieldWinner
I've been searching for the static addy for GetBattlefieldWinner but I've had no luck. I've also heard that it may be broken now. I'm going to keep searching, but I only found the 3.1.2 address. This project doesn't use BlackMagic so please don't point me in that direction. Alternatively, I can find another method to determine if the BG is finished. If anyone has any ideas that would be great!
Last edited by 0_00_0; 07-23-2009 at 03:56 PM.
07-23-2009
Knight-Lieutenant | Join Date: Jan 2008 | Posts: 275
Hook lua_Register, and find it yourself.
Pattern the 3.1.2 address, and apply that to the new WoW.exe.
Lua functions are _easy_ to get. | 
07-23-2009
Contributor | Join Date: May 2007 | Posts: 386
0x726C70
What does BlackMagic have to do with using vfuncs?
07-23-2009
New User | Join Date: Jun 2007 | Posts: 37
Quote: Originally Posted by SKU: 0x726C70 - What does BlackMagic have to do with using vfuncs?
Sorry, I haven't worked with BlackMagic yet; I assumed that's how it worked.
So that address doesn't work for me. I tried reading it as a bool in C++ and tried monitoring it in CE as a 1-byte value. Am I supposed to be reading it differently?
07-23-2009
Knight-Lieutenant | Join Date: Jan 2008 | Posts: 275
Quote: Originally Posted by 0_00_0: Sorry, I haven't worked with BlackMagic yet; I assumed that's how it worked. So that address doesn't work for me. I tried reading it as a bool in C++ and tried monitoring it in CE as a 1-byte value. Am I supposed to be reading it differently?
Lol. It is a Lua function.
07-23-2009
Knight | Join Date: Apr 2009 | Posts: 223
That's a really easy function to reverse. Have fun.
Code:
.text:00726C70 sub_726C70 proc near ; DATA XREF: .data:00A42BECo
.text:00726C70
.text:00726C70 var_C = qword ptr -0Ch
.text:00726C70 arg_0 = dword ptr 8
.text:00726C70
.text:00726C70 push ebp
.text:00726C71 mov ebp, esp
.text:00726C73 push ecx
.text:00726C74 cmp dword_11DA88C, 0
.text:00726C7B jnz short loc_726C92
.text:00726C7D mov eax, [ebp+arg_0]
.text:00726C80 push eax
.text:00726C81 call lua_pushnil
.text:00726C86 add esp, 4
.text:00726C89 mov eax, 1
.text:00726C8E mov esp, ebp
.text:00726C90 pop ebp
.text:00726C91 retn
.text:00726C92 ; ---------------------------------------------------------------------------
.text:00726C92
.text:00726C92 loc_726C92: ; CODE XREF: sub_726C70+Bj
.text:00726C92 mov ecx, dword_11DA890
.text:00726C98 fild dword_11DA890
.text:00726C9E test ecx, ecx
.text:00726CA0 jge short loc_726CA8
.text:00726CA2 fadd ds:dbl_9876D8
.text:00726CA8
.text:00726CA8 loc_726CA8: ; CODE XREF: sub_726C70+30j
.text:00726CA8 mov edx, [ebp+arg_0]
.text:00726CAB sub esp, 8
.text:00726CAE fstp [esp+0Ch+var_C]
.text:00726CB1 push edx ; int
.text:00726CB2 call lua_pushnumber
.text:00726CB7 add esp, 0Ch
.text:00726CBA mov eax, 1
.text:00726CBF mov esp, ebp
.text:00726CC1 pop ebp
.text:00726CC2 retn
.text:00726CC2 sub_726C70 endp
Second hint:
Quote: Result: Integer - Faction/team that has won the battlefield. Results are: nil if nobody has won, 0 for Horde and 1 for Alliance in a battleground, 0 for Green Team and 1 for Yellow in an arena.
Last edited by flo8464; 07-23-2009 at 06:19 PM.
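The replies above give two pieces of the answer: "pattern the 3.1.2 address" (a byte signature that survives rebuilds, where a hard-coded 0x726C70 does not) and the IDA listing showing that the function only reads two globals, dword_11DA88C (zero means "push nil") and dword_11DA890 (the winner). The following is an added example, not code from the thread or from the client: a wildcard signature scanner that finds the function prologue and then pulls the two global addresses out of the matched bytes, so the "has the BG finished" state can be read directly instead of calling the Lua function. The opcode bytes are my hand-assembly of the mnemonics in flo8464's listing, and the buffer it scans is a constructed stand-in for a slice of .text, not real file contents.

```c
/* Added example (not from the thread): locate sub_726C70 by byte signature
 * instead of a hard-coded address, then recover the globals it reads.
 * Opcode bytes are hand-assembled from the mnemonics in the IDA listing;
 * SAMPLE below is a constructed stand-in for part of WoW.exe's .text. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Marker for bytes that change between builds (relocated globals,
 * call displacements) and therefore must not be part of the pattern. */
#define WILD -1

/* Prologue of sub_726C70, 0x00726C70..0x00726C92 in the 3.1.2 listing:
 *   55                    push ebp
 *   8B EC                 mov  ebp, esp
 *   51                    push ecx
 *   83 3D ?? ?? ?? ?? 00  cmp  dword ptr [dword_11DA88C], 0
 *   75 15                 jnz  short +0x15
 *   8B 45 08              mov  eax, [ebp+8]
 *   50                    push eax
 *   E8 ?? ?? ?? ??        call lua_pushnil
 *   83 C4 04              add  esp, 4
 *   B8 01 00 00 00        mov  eax, 1
 *   8B E5                 mov  esp, ebp
 *   5D                    pop  ebp
 *   C3                    retn                                          */
static const int SIG[] = {
    0x55, 0x8B, 0xEC, 0x51,
    0x83, 0x3D, WILD, WILD, WILD, WILD, 0x00,
    0x75, 0x15,
    0x8B, 0x45, 0x08, 0x50,
    0xE8, WILD, WILD, WILD, WILD,
    0x83, 0xC4, 0x04,
    0xB8, 0x01, 0x00, 0x00, 0x00,
    0x8B, 0xE5, 0x5D, 0xC3,
};
#define SIG_LEN (sizeof SIG / sizeof SIG[0])

/* Offset, inside a match, of the cmp instruction's disp32 operand. */
#define CMP_DISP_OFF 6

/* Offset of the first match of SIG in buf, or -1 if absent. */
long find_signature(const uint8_t *buf, size_t len)
{
    if (len < SIG_LEN) return -1;
    for (size_t i = 0; i + SIG_LEN <= len; i++) {
        size_t j = 0;
        while (j < SIG_LEN && (SIG[j] == WILD || buf[i + j] == SIG[j])) j++;
        if (j == SIG_LEN) return (long)i;
    }
    return -1;
}

/* Little-endian dword read. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Given a buffer and the VA of its first byte, recover the function VA,
 * the "winner known" flag (dword_11DA88C) and the winner value, which the
 * listing places at the very next dword (dword_11DA890). Returns 1 on hit. */
int locate_winner_globals(const uint8_t *buf, size_t len, uint32_t base_va,
                          uint32_t *func_va, uint32_t *flag_va, uint32_t *winner_va)
{
    long off = find_signature(buf, len);
    if (off < 0) return 0;
    *func_va   = base_va + (uint32_t)off;
    *flag_va   = rd32(buf + off + CMP_DISP_OFF);
    *winner_va = *flag_va + 4;      /* 0x11DA890 == 0x11DA88C + 4 in the listing */
    return 1;
}

/* Constructed sample: padding, then the prologue with the 3.1.2 operands
 * filled in (flag at 0x011DA88C, call displacement arbitrary), then padding. */
static const uint8_t SAMPLE[] = {
    0xCC, 0xCC, 0x90, 0x90,
    0x55, 0x8B, 0xEC, 0x51,
    0x83, 0x3D, 0x8C, 0xA8, 0x1D, 0x01, 0x00,
    0x75, 0x15,
    0x8B, 0x45, 0x08, 0x50,
    0xE8, 0x12, 0x34, 0x56, 0x78,
    0x83, 0xC4, 0x04,
    0xB8, 0x01, 0x00, 0x00, 0x00,
    0x8B, 0xE5, 0x5D, 0xC3,
    0xCC, 0xCC,
};
/* Pretend the sample starts 4 bytes before sub_726C70 (assumed base). */
#define SAMPLE_BASE_VA 0x00726C6Cu

int main(void)
{
    uint32_t f, flag, win;
    if (!locate_winner_globals(SAMPLE, sizeof SAMPLE, SAMPLE_BASE_VA, &f, &flag, &win)) {
        puts("signature not found");
        return 1;
    }
    printf("GetBattlefieldWinner at %08X, flag %08X, winner %08X\n",
           (unsigned)f, (unsigned)flag, (unsigned)win);
    return 0;
}
```

Against a real binary the buffer would be the mapped .text section and base_va its image address; the point of wildcarding the disp32 and the call target is that those are exactly the bytes a new build moves, while the surrounding instruction stream usually stays put. With the two addresses in hand, a 4-byte read of the flag followed by a 4-byte read of the winner reproduces the function's nil / 0 / 1 result without touching Lua at all.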
07-23-2009
Warden's Mediator, Legendary User | Join Date: Dec 2006 | Posts: 774
Code:
signed int __cdecl lua_GetBattlefieldWinner(int a1)
{
signed int result; // eax@2
if ( dword_11DA88C )
{
lua_pushnumber(a1, (long double)(unsigned int)dword_11DA890);
result = 1;
}
else
{
sub_91AF60(a1);
result = 1;
}
return result;
}
Hex-Rays really shines in situations like these.
Last edited by kynox; 07-23-2009 at 08:15 PM.
07-23-2009
Knight | Join Date: Apr 2009 | Posts: 223
We are talking about the same function?
And which version are you using? For me it looks like:
Code:
signed int __thiscall sub_726C70(int this, int a2)
{
signed int result; // eax@2
double v3; // ST04_8@5
int v4; // [sp+8h] [bp-4h]@1
v4 = this;
if ( dword_11DA88C )
{
__asm { fild dword_11DA890 }
if ( dword_11DA890 < 0 )
__asm { fadd ds:dbl_9876D8 }
__asm { fstp [esp+0Ch+var_C] }
lua_pushnumber(a2, v3);
result = 1;
}
else
{
lua_pushnil(a2);
result = 1;
}
return result;
}
07-23-2009
Warden's Mediator, Legendary User | Join Date: Dec 2006 | Posts: 774
The latest, with FPU support. That double you see, 9876D8 (4.294967296e9), is used for casting an integer into a double if it exceeds 2^32 from my understanding.
07-24-2009
Kynox's sister's pimp, Legendary User | Join Date: Apr 2006 | Posts: 4,185
Quote: Originally Posted by kynox: The latest, with FPU support. That double you see, 9876D8 (4.294967296e9), is used for casting an integer into a double if it exceeds 2^32 from my understanding.
Inb4 "where do I download it".
I still get people asking me where I downloaded the latest version of IDA (5.5), and they're shocked when I say "I bought it".
07-24-2009
Contributor | Join Date: Dec 2006 | Posts: 398
Quote: Originally Posted by Cypher: Inb4 "where do I download it". I still get people asking me where I downloaded the latest version of IDA (5.5), and they're shocked when I say "I bought it".
Well, IDA 5.5 isn't that expensive. But Hex-Rays is like $2299 USD; I would buy it if I had that much money to spend on a hobby.
07-24-2009
MMOwned WebDev, Legendary User | Join Date: Jan 2008 | Posts: 1,915
Quote: Originally Posted by Cypher: Inb4 "where do I download it". I still get people asking me where I downloaded the latest version of IDA (5.5), and they're shocked when I say "I bought it".
Did you buy Hex-Rays too!?!?!?!!!
07-24-2009
Kynox's sister's pimp, Legendary User | Join Date: Apr 2006 | Posts: 4,185
Quote: Originally Posted by Apoc: Did you buy Hex-Rays too!?!?!?!!!
Nah. I intend to eventually though. Currently I don't use it very much; I prefer converting the code from ASM to C myself.
07-24-2009
Contributor | Join Date: Dec 2006 | Posts: 398
Quote: Originally Posted by Cypher: Nah. I intend to eventually though. Currently I don't use it very much; I prefer converting the code from ASM to C myself.
One thing I found useful about Hex-Rays is that when a structure is referenced it will automatically detect it (providing it has enough information, from return types etc.) and name it accordingly in the C code.