  #1 chaosrage (Site Donator)

    Noob questions

    Hey all, I recently got interested in memory reading for WoW Classic (Anniversary) and I'm working on a small project. I have done the following:

    used GitHub - scizzydo/memdump: Windows x64 PE process memory dumper to disk to dump the WoW client (just dragged and dropped wowclassic.exe onto memdump)
    opened the dump file in IDA 9.0 Pro
    found a few 60663 offsets manually with the help of old OwnedCore posts.

    My main question is this:
    I see a lot of people using hex patterns to find offsets quickly instead of going byte by byte in IDA. However,
    when I look at the hex view for some of the offsets I have confirmed are correct, the hex view shows '? ? ? ? ?'.

    I have been looking around for the answer, but I can't find exactly how to use the hex patterns if the hex values aren't populated in the dumps, and using a debugger or Cheat Engine closes WoW immediately with a crash.

    All that being said, I know there is probably an obvious answer, but I'm tearing my hair out trying to understand how people even find these patterns. It shows that my dump differs from theirs greatly, and I can't help but feel like I'm missing something very important.

    My theory is that this memory is only visible when the game is running, but if that's true, how are other people finding the pattern?

    Thank you for any help you can offer me.

  #2 joshi205 (Member)
    Hi, I'm not sure what exactly you are asking, so my answer might be missing the point.

    Patterns used for pattern matching are the bytes that make up the assembly instructions of specific code, so they can be used to locate that code in the binary dump.
    What you do with the location of the code once you have found it depends on what you want to achieve. Sometimes you need the offset of the code so you can call into it from your own code, effectively executing the original function.
    Sometimes you just need to confirm an assumption you made about how a function works, so you can rebuild it.
    Sometimes you already know what the function does from prior research; say, for example, it returns the health value of a unit, so you know that somewhere in that function the unit struct will be accessed at an offset that stores the health.
    For example's sake, let's say the unit struct has a few fields before the health, and the health is stored at 0xC.

    These offsets can change from version to version of the game: maybe the devs introduced a new field in the unit struct, and the health has now moved to another offset, say 0x10. If you were to use the offset from your old reversed function, you would now read incorrect data; that's where the pattern can help you. You make a pattern that has a few of the instructions that are before the actual offset and a few after it. At the location of the offset you need a placeholder, since it can change from version to version; IDA uses ?? for these. And IDA can also search for them: you can just put ?? in your pattern and IDA will still find the matches.
    Here's what that looks like, very simplified:
    Code:
    struct unit {
        char* name;     // A pointer to a character string (8 bytes on 64-bit systems)
        int mana;       // Integer value (4 bytes)
        int health;     // Integer value (4 bytes)
        int GetHealth() { return health; } // Simple method that returns the health value
    };
    
    unit::GetHealth():
        ; Function prologue
        55                          push    rbp                 ; Save base pointer
        48 89 E5                    mov     rbp, rsp            ; Set new base pointer
        48 83 EC 20                 sub     rsp, 20h            ; Allocate shadow space (Windows x64 requires this)
        
        48 89 4D 10                 mov     QWORD PTR [rbp+10h], rcx  ; Save 'this' pointer (again, look up win64 calling convention)
        
        ; Get health field
        48 8B 45 10                 mov     rax, QWORD PTR [rbp+10h]  ; Load 'this' pointer into RAX
        8B 40 0C                    mov     eax, DWORD PTR [rax+0Ch]  ; Load health value (offset 0xc) into EAX, this is where the wildcard would go
        
        ; Function epilogue
        48 83 C4 20                 add     rsp, 20h            ; Release shadow space
        5D                          pop     rbp                 ; Restore base pointer
        C3                          ret                         ; Return with health value in EAX
    The complete pattern for this would be 55 48 89 E5 48 83 EC 20 48 89 4D 10 48 8B 45 10 8B 40 0C 48 83 C4 20 5D C3. See the 0C in that? This would break if the unit struct changes, so you replace that with the wildcard placeholder. If the struct changes, all surrounding bytes would still be the same (assuming the function in C++ does not change, which it doesn't if only the struct is updated), and you can still locate the pattern.

    This is a pretty barebones example. If you want to dive deeper, there are plenty of resources on how pattern scanning works; I can suggest Hacking Academy, this whole site is a fairly good introduction to everything you need to dip your toes into hacking games.
    I can also suggest this book; it's a bit dated and mostly covers 32-bit, but the foundations are very solid.
    Also, for the Windows calling convention, MSDN is always a good resource.

  #3 chaosrage (Site Donator)
    Originally Posted by joshi205:
    This is a pretty barebones example. If you want to dive deeper, there are plenty of resources on how pattern scanning works; I can suggest Hacking Academy, this whole site is a fairly good introduction to everything you need to dip your toes into hacking games.
    I can also suggest this book; it's a bit dated and mostly covers 32-bit, but the foundations are very solid.
    Also, for the Windows calling convention, MSDN is always a good resource.
    Thanks, this was really helpful for understanding how the patterns work! I'm definitely lacking in knowledge when it comes to the basic foundations, as I only started learning about all this a week or two ago.

    As for my initial question, it was this:
    A user here provided me with a hex pattern, and it was my understanding that I would be able to search for this pattern in IDA using the 'segment of bytes' search: simply copy and paste in the pattern and it would bring me to the relevant address. However, this hasn't worked for me. I'll show you what I mean.

    The pattern was for the zone_text offset in build 1.15.7.60277. The offset is confirmed as
    zone_text = 0x398DCA0.

    Makkah gave me this pattern:
    Code:
    E8 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 48 89 45 18 33 D2 48 8B CB E8 ?? ?? ?? ?? 4C 8B 45 08 84 C0 0F 84 86 05 00 00 66 0F 1F 44 00 00 90 EB 5B
    which, as I understand it, should land me directly on or near 0x398DCA0 when I search for it in IDA using the segment of bytes search or any other search (I've tried everything),
    but the search has 0 results.

    Code:
    Searching down CASE-INSENSITIVELY for binary pattern:
        E8 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 48 89 45 18 33 D2 48 8B CB E8 ?? ?? ?? ?? 4C 8B 45 08 84 C0 (...) 5B
    Search failed.
    Command "AskBinaryText" failed
    And if I go to the address where the offset is located, 0x398DCA0, here is what I see:
    https://imgur.com/a/LEV8gT1

    And the hex view for this same address:
    https://imgur.com/a/DYp8c1A

    So, my real question is: is my fundamental understanding of how I can use the hex pattern incorrect, or is there something wrong with the dump file I'm viewing in IDA?
    Or some other third thing that I don't see? I made sure to use the same build, same offset, same everything, but I can't find that pattern anywhere in IDA.

  #4 ncxzxcfdb8112 (Member)
    The .data section will always be ?? ??; you can try taking a look at the hex view of anything from the .text segment.

  #5 joshi205 (Member)
    Ah, now I understand what you meant. At least part of my answer is still relevant then. The ?? in the patterns are, as I explained earlier, offsets or addresses to load; in the case of your function that basically means: look at this address, you will find what you need there when the game is running and has loaded the value. This means that if you read that area in memory while the game is running, it would have the data you are looking for.

    As for the question why you can't find the pattern, that I cannot answer; I don't have that client handy at the moment. There could be several reasons: the pattern could be made for another architecture (Mac), or the pattern could have been made with another dumper than the one you used, since the binary is obfuscated. I'd ask Makkah what tools they used to get the pattern, so you can replicate that.
    Your other question, or remark, that this pattern would bring you to 0x398dca0 is incorrect. The function is somewhere in memory, but it references that location, because it will try to read what's at that address.
    Your first screenshot hints at that; see the xref at the end? That means this location is referenced in that function (or functions, if there is more than one reference to it).
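As an added example (not code from anyone in this thread), the Python scanner below ties together post #2 and post #5: a `??` wildcard lets the GetHealth pattern still match after the health field moves from 0xC to 0x10 and recovers the new offset from the match, and the `4C 8D 05 ?? ?? ?? ??` part of Makkah's pattern (`lea r8, [rip+disp32]`) is resolved into the data address it references, which is why the match lands on code rather than on the zone_text location. All byte buffers, the 0x140000000 image base and the displacement values are constructed for the example.

```python
import struct

def compile_pattern(text):
    """'8B 40 ?? C3' -> (bytes, mask); mask[i] is False where the byte is a wildcard."""
    toks = text.split()
    raw = bytes(0 if t == "??" else int(t, 16) for t in toks)
    mask = [t != "??" for t in toks]
    return raw, mask

def find_pattern(buf, text):
    """Offsets of every match of the wildcard pattern in buf (naive scan)."""
    raw, mask = compile_pattern(text)
    n = len(raw)
    return [i for i in range(len(buf) - n + 1)
            if all(not m or buf[i + j] == raw[j] for j, m in enumerate(mask))]

# GetHealth as listed in post #2 (health at 0xC), and a constructed later build
# where a field was inserted and health moved to 0x10: only byte 18 differs.
EXACT = "55 48 89 E5 48 83 EC 20 48 89 4D 10 48 8B 45 10 8B 40 0C 48 83 C4 20 5D C3"
WILD  = "55 48 89 E5 48 83 EC 20 48 89 4D 10 48 8B 45 10 8B 40 ?? 48 83 C4 20 5D C3"
OLD_BUILD = compile_pattern(EXACT)[0]
NEW_BUILD = OLD_BUILD[:18] + b"\x10" + OLD_BUILD[19:]
CODE = b"\xcc" * 16 + OLD_BUILD + b"\xcc" * 16 + NEW_BUILD + b"\xcc" * 16  # constructed

def health_offsets(buf=CODE):
    """Field offset recovered from the wildcard byte (index 18) of each WILD match."""
    return [buf[hit + 18] for hit in find_pattern(buf, WILD)]

# Makkah's pattern starts 'E8 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ??': a 5-byte call rel32
# followed by lea r8, [rip+disp32]. The match lands on that code; the data address
# is computed from the displacement, which is why those bytes are wildcards.
BASE = 0x140000000                      # constructed image base
LEA_PATTERN = "E8 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ??"
DATA = bytearray(0x100)                 # constructed code page, mostly zero
struct.pack_into("<BiBBBi", DATA, 0x40, 0xE8, 0x200, 0x4C, 0x8D, 0x05, 0x100000)

def referenced_address(buf=DATA, base=BASE):
    """Absolute address the lea in the first LEA_PATTERN match points at."""
    hit = find_pattern(buf, LEA_PATTERN)[0]
    lea = hit + 5                        # skip the call instruction
    disp = struct.unpack_from("<i", buf, lea + 3)[0]   # disp32 after 4C 8D 05
    return base + lea + 7 + disp         # RIP = address of the next instruction
```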

  #6 chaosrage (Site Donator)
    I think I understand now! Hopefully. The reason the pattern works in any build (in theory) is because it's looking for a specific CODE pattern, not an exact address. Hoping that's right lol

    And I think the reason behind me not being able to use the pattern has to do with exactly what you said: either @Makkah uses this in a runtime situation, or his dump is a memory dump taken while the game was running (or maybe he rebuilt his own?). If it's the latter, it would be awesome to have an up-to-date guide on how to achieve that.

    As the other user pointed out, my ENTIRE .data section is all ???'s, which is, I'm guessing, where the pattern would lead me if this section were readable. I'm going to try writing a program that uses the pattern while the game is running instead of trying to find it in IDA and see if it works. If it does, that means the issue is the difference between his dump file and mine.

  #7 Makkah (Active Member)

  #8 chaosrage (Site Donator)
    I've never been more confused.
    Last edited by chaosrage; 05-20-2025 at 08:12 PM. Reason: wtf happened to my image lol

  #9 chaosrage (Site Donator)
    Last edited by chaosrage; 05-20-2025 at 08:16 PM.

  #10 Makkah (Active Member)
    Try -> E8 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 48 89 45 18 33 D2 48 8B CB E8 ?? ?? ?? ?? 4C 8B 45 08 84 C0 0F 84 86 05 00 00 66 0F 1F 44 00 00 90 7B 5B

    Here is a copy of my idb file: download link
    Last edited by Makkah; 05-20-2025 at 11:29 PM.

  #11 chaosrage (Site Donator)
    Originally Posted by Makkah:
    try -> E8 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 48 89 45 18 33 D2 48 8B CB E8 ?? ?? ?? ?? 4C 8B 45 08 84 C0 0F 84 86 05 00 00 66 0F 1F 44 00 00 90 7B 5B
    Yep, this one works. Looks like it's getting me to 1 byte before GetZoneText, so I land on 1415D6FE4 instead of 1415D6FE9.

    Thank you for the idb! I'll try yours instead. Should I not be using memdump?

  #12 Makkah (Active Member)
    I use memdump, drag and drop it.

  #13 chaosrage (Site Donator)
    Okay cool, that's what I've been doing too. Thanks for your help!

  #14 ncxzxcfdb8112 (Member)
    Maybe you didn't check "find all occurrences" 😁
