Wow and IDA

**hypnodok** · 11-18-2008

I tried to reverse LootSlotIsItem(slot) today but IDA gave me alot of problems in the process.
Firstly I overwrote my IDA-DB with a new dump of the wow.exe to update to 3.0.3 after noticing I was doing my commenting on an outdated build. Then I tried to run Wow with the IDA-debugger, however it threw quite a bit of exceptions. When I told IDA not to pass them to the application I managed to get to the Login screen just to be prompted by a Cannot verify game version error. After a little experimenting (I disabled the breakpoint and logged in, then enabled it), I got to the debugger and it actually worked!
For some reason I closed Wow and IDA then, when I tried to repeat the process it gave me the Unable to verify game version error again, no matter what I did. I tried to overwrite my existing IDA-DB with a new dump but that didnt turn out so well either, take a look at this:

Code:

This is the function I looked at in IDA, it was pulled from 3.0.2
.text:004DDD70 ; =============== S U B R O U T I N E =======================================
.text:004DDD70
.text:004DDD70 ; Attributes: bp-based frame
.text:004DDD70
.text:004DDD70 sub_4DDD70      proc near               ; DATA XREF: .data:00FC825Co
.text:004DDD70
.text:004DDD70 var_18          = qword ptr -18h
.text:004DDD70 var_C           = qword ptr -0Ch
.text:004DDD70 var_2           = word ptr -2
.text:004DDD70 arg_0           = dword ptr  8
.text:004DDD70
.text:004DDD70                 push    ebp
.text:004DDD71                 mov     ebp, esp
.text:004DDD73                 sub     esp, 0Ch
.text:004DDD76                 push    esi
.text:004DDD77                 mov     esi, [ebp+arg_0]
.text:004DDD7A                 push    1
.text:004DDD7C                 push    esi
.text:004DDD7D                 call    sub_7AC610
.text:004DDD82                 add     esp, 8
.text:004DDD85                 test    eax, eax
.text:004DDD87                 jnz     short loc_4DDD9E ; Correct params?
.text:004DDD89                 push    offset aUsageLootsloti ; "Usage: LootSlotIsItem(slot)"
.text:004DDD8E                 push    esi
.text:004DDD8F                 call    sub_7ADE20
.text:004DDD94                 add     esp, 8          ; return false
.text:004DDD97                 xor     eax, eax
.text:004DDD99                 pop     esi
.text:004DDD9A                 mov     esp, ebp
.text:004DDD9C                 pop     ebp
.text:004DDD9D                 retn
.text:004DDD9E ; ---------------------------------------------------------------------------
.text:004DDD9E
.text:004DDD9E loc_4DDD9E:                             ; CODE XREF: sub_4DDD70+17j
.text:004DDD9E                 push    1
.text:004DDDA0                 push    esi
.text:004DDDA1                 call    sub_7AC720
.text:004DDDA6                 fnstcw  [ebp+var_2]     ; Store SW at ebp+var_2
.text:004DDDA9                 movzx   eax, [ebp+var_2] ; move SW to eax
.text:004DDDAD                 mov     ecx, dword_10B7020 ; move some pointer to ecx
.text:004DDDB3                 or      eax, 0C00h      ; binary compare SW with 0C00h and store in eax
.text:004DDDB8                 mov     dword ptr [ebp+var_C+4], eax ; store the result in epb+var_c+4
.text:004DDDBB                 add     esp, 8          ; 8 to stack pointer
.text:004DDDBE                 fldcw   word ptr [ebp+var_C+4] ; load (SW OR 0c00h) to control word
.text:004DDDC1                 fistp   [ebp+var_C]     ; store epb+var_c in ST(0)
.text:004DDDC4                 mov     eax, dword ptr [ebp+var_C] ; move epb+var_c to eax (possibly base address of mob)
.text:004DDDC7                 sub     eax, 1          ; subtract 1 from eax
.text:004DDDCA                 or      ecx, dword_10B7024 ; OR-compare ecx (contains some pointer now?) to another variable (GUID?)
.text:004DDDCA                                         ; if (result == 0) return true;
.text:004DDDD0                 fldcw   [ebp+var_2]     ; restore the old control word
.text:004DDDD3                 jz      short loc_4DDE11 ; return true
.text:004DDDD5                 cmp     dword_10B7018, 0
.text:004DDDDC                 jz      short loc_4DDDE5
.text:004DDDDE                 test    eax, eax
.text:004DDDE0                 jz      short loc_4DDE11 ; return true
.text:004DDDE2                 sub     eax, 1
.text:004DDDE5
.text:004DDDE5 loc_4DDDE5:                             ; CODE XREF: sub_4DDD70+6Cj
.text:004DDDE5                 cmp     eax, 10h
.text:004DDDE8                 jnb     short loc_4DDE11 ; return true
.text:004DDDEA                 shl     eax, 5
.text:004DDDED                 cmp     dword_10B6E1C[eax], 0
.text:004DDDF4                 jle     short loc_4DDE11 ; return true
.text:004DDDF6                 fld1
.text:004DDDF8                 sub     esp, 8
.text:004DDDFB                 fstp    [esp+18h+var_18]
.text:004DDDFE                 push    esi             ; int
.text:004DDDFF                 call    sub_7AC990
.text:004DDE04                 add     esp, 0Ch
.text:004DDE07                 mov     eax, 1
.text:004DDE0C                 pop     esi
.text:004DDE0D                 mov     esp, ebp
.text:004DDE0F                 pop     ebp
.text:004DDE10                 retn
.text:004DDE11 ; ---------------------------------------------------------------------------
.text:004DDE11
.text:004DDE11 loc_4DDE11:                             ; CODE XREF: sub_4DDD70+63j
.text:004DDE11                                         ; sub_4DDD70+70j ...
.text:004DDE11                 push    esi             ; return true
.text:004DDE12                 call    sub_7AC970
.text:004DDE17                 add     esp, 4
.text:004DDE1A                 mov     eax, 1
.text:004DDE1F                 pop     esi
.text:004DDE20                 mov     esp, ebp
.text:004DDE22                 pop     ebp
.text:004DDE23                 retn
.text:004DDE23 sub_4DDD70      endp

I pulled this from 3.0.3
0x004DE1BE
.text:004DE18D                 db 0CCh ; ¦
.text:004DE18E                 db 0CCh ; ¦
.text:004DE18F                 db 0CCh ; ¦
.text:004DE190 ; ---------------------------------------------------------------------------
.text:004DE190                 push    ebp
.text:004DE191                 mov     ebp, esp
.text:004DE193                 sub     esp, 0Ch
.text:004DE196                 push    esi
.text:004DE197                 mov     esi, [ebp+8]
.text:004DE19A                 push    1
.text:004DE19C                 push    esi
.text:004DE19D                 call    loc_7AD6D0
.text:004DE1A2                 add     esp, 8
.text:004DE1A5                 test    eax, eax
.text:004DE1A7                 jnz     short loc_4DE1BE
.text:004DE1A9                 push    offset aUsageLootsloti ; "Usage: LootSlotIsItem(slot)"
.text:004DE1AE                 push    esi
.text:004DE1AF                 call    loc_7AEEE0
.text:004DE1B4                 add     esp, 8
.text:004DE1B7                 xor     eax, eax
.text:004DE1B9                 pop     esi
.text:004DE1BA                 mov     esp, ebp
.text:004DE1BC                 pop     ebp
.text:004DE1BD                 retn
.text:004DE1BE ; ---------------------------------------------------------------------------
.text:004DE1BE
.text:004DE1BE loc_4DE1BE:                             ; CODE XREF: .text:004DE1A7j
.text:004DE1BE                 push    1
.text:004DE1C0                 push    esi
.text:004DE1C1                 call    loc_7AD7E0
.text:004DE1C6                 fnstcw  word ptr [ebp-2]
.text:004DE1C9                 movzx   eax, word ptr [ebp-2]
.text:004DE1CD                 mov     ecx, dword_10B9030
.text:004DE1D3                 or      eax, 0C00h
.text:004DE1D8                 mov     [ebp-8], eax
.text:004DE1DB                 add     esp, 8
.text:004DE1DE                 fldcw   word ptr [ebp-8]
.text:004DE1E1                 fistp   qword ptr [ebp-0Ch]
.text:004DE1E4                 mov     eax, [ebp-0Ch]
.text:004DE1E7                 sub     eax, 1
.text:004DE1EA                 or      ecx, dword_10B9034
.text:004DE1F0                 fldcw   word ptr [ebp-2]
.text:004DE1F3                 jz      short loc_4DE231
.text:004DE1F5                 cmp     dword_10B9028, 0
.text:004DE1FC                 jz      short loc_4DE205
.text:004DE1FE                 test    eax, eax
.text:004DE200                 jz      short loc_4DE231
.text:004DE202                 sub     eax, 1
.text:004DE205
.text:004DE205 loc_4DE205:                             ; CODE XREF: .text:004DE1FCj
.text:004DE205                 cmp     eax, 10h
.text:004DE208                 jnb     short loc_4DE231
.text:004DE20A                 shl     eax, 5
.text:004DE20D                 cmp     dword_10B8E2C[eax], 0
.text:004DE214                 jle     short loc_4DE231
.text:004DE216                 fld1
.text:004DE218                 sub     esp, 8
.text:004DE21B                 fstp    qword ptr [esp]
.text:004DE21E                 push    esi
.text:004DE21F                 call    loc_7ADA50
.text:004DE224                 add     esp, 0Ch
.text:004DE227                 mov     eax, 1
.text:004DE22C                 pop     esi
.text:004DE22D                 mov     esp, ebp
.text:004DE22F                 pop     ebp
.text:004DE230                 retn
.text:004DE231 ; ---------------------------------------------------------------------------
.text:004DE231
.text:004DE231 loc_4DE231:                             ; CODE XREF: .text:004DE1F3j
.text:004DE231                                         ; .text:004DE200j ...
.text:004DE231                 push    esi
.text:004DE232                 call    loc_7ADA30
.text:004DE237                 add     esp, 4
.text:004DE23A                 mov     eax, 1
.text:004DE23F                 pop     esi
.text:004DE240                 mov     esp, ebp
.text:004DE242                 pop     ebp
.text:004DE243                 retn
.text:004DE243 ; ---------------------------------------------------------------------------
.text:004DE244                 db 0CCh ; ¦
.text:004DE245                 db 0CCh ; ¦
.text:004DE246                 db 0CCh ; ¦
.text:004DE247                 db 0CCh ; ¦
.text:004DE248                 db 0CCh ; ¦
.text:004DE249                 db 0CCh ; ¦
.text:004DE24A                 db 0CCh ; ¦
.text:004DE24B                 db 0CCh ; ¦
.text:004DE24C                 db 0CCh ; ¦
.text:004DE24D                 db 0CCh ; ¦
.text:004DE24E                 db 0CCh ; ¦
.text:004DE24F                 db 0CCh ; ¦

Any help would be appreciated

**argh44z** · 11-18-2008

See the end of this thread:

http://www.mmowned.com/forums/wow-me...falldmg-3.html

**Cypher** · 11-18-2008

"Attach to process" ftw?

**hypnodok** · 11-19-2008

Yeah, attaching works. For some reason Im no longer getting any exceptions when doing that now either.
Also, next time Ill wait for the Autoanalysis to finish before doing anything :x
Thanks for the help.

**Nesox** · 11-19-2008

Tuts 4 You
lot's of tutts

and btw. tuts mean's boobs in sweedish!

Shout-Out

User Tag List

Thread: Wow and IDA

Thread Tools

Search Thread

Wow and IDA

Similar Threads

i quit wow and this is why!

Cheap WoW and BC Key

wow and ROFL .

some comics of wow and a guy mastubating on wow

How to get WoW and their Patches with Hack?

OwnedCore Forums

casino

CoreCoins

My OwnedCore

About Us

Casino