loadlib fails and manualmapping seems like it doesn't execute the entrypoint so this fails as well
anyone in here noticed the same? or is it just me or cause of the weird baseAdr of mainModule compared to live build?
I don't do injection, but I noticed that the exe is now packed and there's some antidebugger protection.
In memory the structure didn't change much, I didn't go deeper for now.
packed mhh ? so this "new" modulebase would make sense yeah. but still it doesn't make any sense that i can't inject into it.
I'm not an expert tho, I'm trying to dump D3 memory and work on it with IDA, for the bindiff.
If you have any tips I'll be glad to hear it
i just loaded Diablo III64.exe into IDA and analyzed it. no success yet with IDA 7.0 and a dump of running x64 client
or do u mean u wanna diff several memory sections with previous dumps?
lel with build 49286 it looks like they added even more antidebug stuff
it insta crashes the x64 client when i attach x64dbg (with scylla anti-antidebug patch)
my pattern scan for objMgr and localData is fucked up with latest build. tried several byte patterns from old binary but i can't find anything in latest build. what have they done ^^ =?
- at least not in the x64 binary. if it's packed somehow it would make sense that i can't find it. i mean i scan for like 50 addresses and 10 of them can't be found
Last edited by R3peat; 02-16-2018 at 06:34 AM.
yeah I scanned the objectmanager, no static ptr from Diablo III.exe module.
The structure inside the objman is almost the same tho.
For now i'll go with a sig scan for objman, i'll see later how I handle this issue
maybe THUD dead?
I'm pretty sure that R3peat/KillerJohn/Enigma will figure it out
I didn't go deeper, but for now I found the location, objmanager (with sig scan), and actors, acd, quests etc. are working.
the objman is smaller by 0x30 I think, I will try to finish this weekend.
and the locations u found are static? or do u have to run a pattern scan every startup ?
don't rly have time currently to reverse the stuff they added cause i have to work on another project
this is what my generator spit out
//Bases
const __int64 ObjectManager = 0x0; //
const __int64 LevelArea = 0x0; //
const __int64 LocalData = 0x7FF692622138; //
const __int64 PowerDef = 0x7FF6926CACC0; //
const __int64 AttributeDescriptors = 0x7FF692695D70; //
const __int64 AttributeDescriptorsCount = 0x7FF691277F7F; //
const __int64 UI_Interact_Functions = 0x7FF692321008; //
const __int64 ParagonPointWindowStats = 0x7FF6925F4CA0; //
const __int64 SelectedSkillSlot = 0x7FF6925F4C78; //
const __int64 SelectedActiveSkill = 0x7FF6925E1290; //
const __int64 SelectedPassiveSkills = 0x7FF6925E1280; //
const __int64 SNOGroups = 0x7FF692622040; //
const __int64 TrickleManager = 0x0; //
const __int64 PlayerStashBase = 0x7FF6925A1E78; //
const __int64 UIEnchantBase = 0x0; //
const __int64 MessageDescriptors = 0x7FF692734398; //
const __int64 NetBase = 0x7FF6925F5570; //
Last edited by R3peat; 02-16-2018 at 04:09 PM.
I run in x86, but yes, location seems static (what you call LevelArea ? Location + 0x44 = Area)
For ObjMan, I have a "pattern" to find it, there's also static path with other modules, but i'm not sure it's reliable from one computer to another.
I'll update this thread as soon as I'm done with my update
Thanks for the updates
x86 ^^ i just work on x64 binaries
I have to work in x86 to be compatible with every user, but yes, I would like to migrate to x64.