-
Seeking Retail reverse engineering advice
Hi, this is my first time trying to do some game hacking. I am taking this as a learning experience, so I hope I can get some recommendations about the WoW Retail reverse engineering workflow, or maybe the game reverse engineering workflow in general.
For the past couple of weeks, I have been working on the Retail client to bypass the anti-debug so that my x64dbg can attach to it.
Recently I have had at least partial success: I can attach x64dbg to the game and do some single-step execution, although it still occasionally crashes.
So now I have decided to move on, e.g. using CE to search for some value (like the user's current target; I do not even know what it should look like in memory).
My mind is in chaos. For example, if I want to find the code that is used to set the current target, using CE to search through a lot of values doesn't seem to be an efficient way (I don't know what the value looks like, and I don't know how much data needs to be searched).
Maybe I should go reverse engineer the network protocol? Or go back and try to figure out the unpacking procedure of the game client and use IDA to statically analyze the unpacked client (dynamic debugging looks inefficient), because it looks like using the Lua API would be a better idea than finding some calling code snippets.
I have watched some other game hacking tutorials before; they almost only use CE, but when it comes to WoW I have seen many posts that contain deep game data structures that seem impossible to understand through CE or dynamic analysis alone.
I actually work mostly in another field of software security, and I'm new to game hacking. So what would you guys do? Keep using CE to find code snippets? Reverse engineer the client to figure out the Lua API? Analyze the network protocol to fake network packets? What is the more "standard" workflow for game reverse engineering?
-
Or go back and try to figure out the unpacking procedure of the game client and use IDA to statically analyze the unpacked client (dynamic debugging looks inefficient), because it looks like using the Lua API would be a better idea than finding some calling code snippets.
You can use namreeb's dumper or x64dbg with Scylla/ScyllaHide/OverwatchDumpFix to dump WoW from memory for static analysis with IDA Pro, IDA Free, Ghidra, etc. I would recommend IDA products because Ghidra takes like 3 days to complete analysis of the WoW binaries on my machine.
I have watched some other game hacking tutorials before; they almost only use CE, but when it comes to WoW I have seen many posts that contain deep game data structures that seem impossible to understand through CE or dynamic analysis alone.
I used to use CE exclusively myself. There are smarter alternatives like ReClass.NET. I don't find these methods to be as effective as they used to be due to instability and WoW's debug protections, but that's just me.
I actually work mostly in another field of software security, and I'm new to game hacking. So what would you guys do? Keep using CE to find code snippets? Reverse engineer the client to figure out the Lua API? Analyze the network protocol to fake network packets? What is the more "standard" workflow for game reverse engineering?
Using static analysis and the Lua API is very commonly discussed here.
Other bots have functioned on packet reading/manipulation. SNORT was one posted here recently.
-
r3b007 (1 members gave Thanks to dreadcraft for this useful post)
-
Thanks for sharing!
It is not easy to catch up with a game that has been in operation for years, especially after the game team has started to deploy security measures.
And it looks like a lot of the information comes from the old version of the client, which carries debug information.
As part of my learning process, I'm trying to "reproduce" the procedure of offset finding or data structure analysis.
I'm planning to find some of the player's attributes and check them in IDA to reverse engineer the data structure.