[STUPID QUESTION] How to find stuff while reversing.

[cenron]

So I am very new to the actual act of reversing programs. I have managed to be able to get address's people have posted and figure out how to make them work.

For example I created a wow bot that did the work I wanted. The problem I ran into was I always had to wait on other people to release offset. With Diablo 3, I think there is a great opportunity for me to really increase my skills in this.

So I am looking to learn how to find stuff from scratch. I want to learn how to get a new binary and without the help of others others find what I need. I know this is probably very far away but I guess its as good of any place to start.

So my question is:

How can you find the function that controls movement, I assume its a function you call within the player class that you pass POSITION info. So how do you go about finding this function?

Second is how do you find the function that prints to the chat window? Someone else posted the function at 0x00A4F190, but how did this person find this?

I can find stuff like health and stuff like that cause it has changing values you can look for but how do you find functions like these?

[moletas]

helth based on color in most cases pixel detection.
position on screen just use any macro recorder or autoit

[DrakeFish]

So I am very new to the actual act of reversing programs. I have managed to be able to get address's people have posted and figure out how to make them work.

For example I created a wow bot that did the work I wanted. The problem I ran into was I always had to wait on other people to release offset. With Diablo 3, I think there is a great opportunity for me to really increase my skills in this.

So I am looking to learn how to find stuff from scratch. I want to learn how to get a new binary and without the help of others others find what I need. I know this is probably very far away but I guess its as good of any place to start.

So my question is:

How can you find the function that controls movement, I assume its a function you call within the player class that you pass POSITION info. So how do you go about finding this function?

Second is how do you find the function that prints to the chat window? Someone else posted the function at 0x00A4F190, but how did this person find this?

I can find stuff like health and stuff like that cause it has changing values you can look for but how do you find functions like these?

If you want a good base to start with Diablo 3, I suggest you read a bit about the different "names" the game uses (i.e. ACD, RActor, SNO, Scenes, ect.) As you can easily recover info about those via the Debug Strings the game uses. If you open up the game with any disassembler, you will easily find all these strings and the functions that use it.

Here's a simple example:

Code:

if ( *(v5 + 0x6C) == 0xFFFFFFFF )
    {
      v7 = sub_8269C0(&v14, 1, *(v3 + 0x90), 0);
      LOBYTE(v17) = 1;
      v8 = *(v3 + 0x90);
      v9 = sub_F0FCC0(v7);
      OutputDebug(
        5,
        3,
        0,
        "AttributesGetPower: Actor %s:%s (%d) says it is a monster, but doesn't have a valid monster SNO!\n",
        v3 + 4,
        v9,
        v8);
      LOBYTE(v17) = 0;
      sub_F103D0(&v14);
      v6 = v16;
    }

There is additional code but I just wanted to show this one. Here we can see that the condition for this string to be printed is that the Actor contains a monster SNO. What is checked is for *(Actor + 0x6C) not to be -1, which means the Monster SNO is located there and an invalid SNO value is probably -1. There are a LOT of these strings.

Now of course if you're looking for a function it is possible that it doesn't have such a string in it, those strings are just there because they were used by blizzard for debugging at some point. Finding a function such as the one that prints to chat usually require a bit of research and analyze. I'm sure you could attempt to search for the actually "printed" chat messages and see what references them.

This was recovered with IDA. I know you said you were new to the scene but this information is very good to know if you want to reverse D3.

[cenron]

If you want a good base to start with Diablo 3, I suggest you read a bit about the different "names" the game uses (i.e. ACD, RActor, SNO, Scenes, ect.) As you can easily recover info about those via the Debug Strings the game uses. If you open up the game with any disassembler, you will easily find all these strings and the functions that use it.

Here's a simple example:

Code:

if ( *(v5 + 0x6C) == 0xFFFFFFFF )
    {
      v7 = sub_8269C0(&v14, 1, *(v3 + 0x90), 0);
      LOBYTE(v17) = 1;
      v8 = *(v3 + 0x90);
      v9 = sub_F0FCC0(v7);
      OutputDebug(
        5,
        3,
        0,
        "AttributesGetPower: Actor %s:%s (%d) says it is a monster, but doesn't have a valid monster SNO!\n",
        v3 + 4,
        v9,
        v8);
      LOBYTE(v17) = 0;
      sub_F103D0(&v14);
      v6 = v16;
    }

There is additional code but I just wanted to show this one. Here we can see that the condition for this string to be printed is that the Actor contains a monster SNO. What is checked is for *(Actor + 0x6C) not to be -1, which means the Monster SNO is located there and an invalid SNO value is probably -1. There are a LOT of these strings.

Now of course if you're looking for a function it is possible that it doesn't have such a string in it, those strings are just there because they were used by blizzard for debugging at some point. Finding a function such as the one that prints to chat usually require a bit of research and analyze. I'm sure you could attempt to search for the actually "printed" chat messages and see what references them.

This was recovered with IDA. I know you said you were new to the scene but this information is very good to know if you want to reverse D3.

Hmm I def need to do read around here and another couple forums. I guess I am asking to much of myself to go from a programmer to a talented reverse, this quickly.

So about the "printed" chat message you were talking about, I think I tried something like that. While I was in game I attached a memory scanner and scanned for the string in the chat window. Now I found this string in heap memory, what I think is heap memory, but the issue I ran into was once I found this string in memory the function had done its job and that section of memory was not written into anymore so I couldn't watch what access's this area.

From what I can tell is there is an array/container that gets added to every time a string is written and at the top the string is removed once it reaches a set limit, almost kinda like a FILO stack.

So I guess the problem I am having is I am not finding any strings that are written into the binary that are printed to the chat window. I cant seem to find any kind of a hint that points to this function.The messages in the window are either sent by the server or pulled out of a MPQ as an error string. I know for a fact that I am not doing something right.

Man I dont even know if I am making any sense. Pretty much my long term goal is to get good enough to be able to contribute to this forum, when new patches or games come out. Thanks for any help.

P.S. Because I knew the print chat function was at: 0x00A4F190, I was able to find that the string "ChatLink_YouWhisperedTo" is whinin the same scope of function as print chat. So in the future if I want to find the function again I just search for "ChatLink_YouWhisperedTo" and look at the second to last function call, but I guess this would defeat the purpose and still relied on someone else doing the hard work and its also going backwards.

[zdud]

For the chat, I would do it like this: get cheatengine, write something to chat (or search for those initial strings "welcome to battle.net", its important to not be in any chat channel, so the array is the same between sessions), then search for it, once you find it, do a pointer scan for it (find a chain of pointers that starts on a static address) and save the results. close D3. re-open D3 and re-do the thing, but this time load the pointer scan you already had.

if you want you can do this as many times as you want until you are sure you got the right pointers (note that many places can point at the chat text). Write stuff to chat or enter some channel and observe the values. From observing the values changing (or not) you may understand how the thing works. Once you find out how it works just use the pointer chain that most suites you (probably one that points to the most recent chat text, and iterate through the others).

I haven't tested any of this to know if it actually gives you the chat text, but I would start by doing this.