Where should I start to understand all those things?

[Cypher]

Cypher gets the offset from his dump app. All it does is scan the memory for "UNIT_FIELD_CHARM"...etc. The class/enum members go upward in IDA, just search for the name. The CreatedBy and SumonedBy, etc. are all 2, not one. That's how he gets the 17.

No it doesn't scan for a string. It scans for the function that references the data I want to dump then loops over it ripping out the pointers. Once it does that it loops through that pulling out the strings and their index.

[mordok]

Lanman if I was Angelina jolie would marry you.(thanks like always). I c what you say cypher(thanks I feel like you are going to turn into a charmelon soon). Ill try to do somthing simillar, looping fuction to strip offsets(but i have to do research on how to do this).


Cool...whem i get this right maby i could update old kynox dumper.

[mordok]

Cypher gets the offset from his dump app. All it does is scan the memory for "UNIT_FIELD_CHARM"...etc. The class/enum members go upward in IDA, just search for the name. The CreatedBy and SumonedBy, etc. are all 2, not one. That's how he gets the 17.

can u explain a bit more...please.... like whats the math? or where exactly i do look for the 0x17, screencapture maby(that would be g???

[Cypher]

can u explain a bit more...please.... like whats the math? or where exactly i do look for the 0x17, screencapture maby(that would be g???

Did you even read my reply to that post?

[mordok]

Did you even read my reply to that post?

I did cypher... Thanks to you I know what I have to do but the problem isnt knowing what to do. The problem is how. How do I that with IDA (or others), i really would apreciate help on the how part. Eg go to ida search for the string you then click on blablabla.....I NEED THE RETARDED VERSION coz my first time with IDA. Sorry if Im cousing you too much truble with my noob questions... but you are the only one I can ask for help.

[Cypher]

I did cypher... Thanks to you I know what I have to do but the problem isnt knowing what to do. The problem is how. How do I that with IDA (or others), i really would apreciate help on the how part. Eg go to ida search for the string you then click on blablabla.....I NEED THE RETARDED VERSION coz my first time with IDA. Sorry if Im cousing you too much truble with my noob questions... but you are the only one I can ask for help.

Learn to walk before you try to run.

Do you know the basics at least currently?

[=sinister=]

Cypher, I think you should write a tutorial/ebook on memory editing/scripting. Shit, i'd pay to read it.

[mordok]

Learn to walk before you try to run.

Do you know the basics at least currently?

I think I know the basics to understand It, how bin/hex works, how memory works, I love to code apps in any languague and currently Im trying to learn ASM. So more or less I think If you explain in a "simple way" I would be able to follow your master class.


so im here:

.rdata:0093FCC4 aUnit_field_hea db 'UNIT_FIELD_HEALTH',0

how do I trace back to the function.

[kynox]

You don't. That is a string used for lua events.

[mordok]

so the interesting ones are the .text¿?
so how about this:

.text:00560B30 mov dword_1177E5C, offset aUnit_health ; "UNIT_HEALTH"

O MIGHTY KYNOX I LOVEEEE YOU

5C and 4 bytes

5C / 4 = 0x17

no ill try to learn IDA-C script so I can make a nice dumper. THNX



Now just to make me the most happy man in the WORLD ill just need to find
how to get from g_clientconnection(how to find the static adress) to CG_Object_C & Object base (offsets from start to this point.) If you could paste the strings with each a bit explainded, THAT WOULD BE TOOOOO GOOOOD FOR THE BODY, better than a morning full dump XD.

KYNOX FOR PRESIDENT!!!!!!:bowand cypher too)

[Cypher]

You don't understand what you're asking, its obvious from both the request and its wording. Go back to reading, plskthx.

[mordok]

that didnt helped me a lot but thanks anyway ill try to reread some posts. Is true I dont understand fully what Im doing thats why asking. Im really trying hard, if not my best.

[mordok]

Code:

.text:0046FD17 ; ---------------------------------------------------------------------------
.text:0046FD17
.text:0046FD17 loc_46FD17:                             ; CODE XREF: sub_46FCD0+3Aj
.text:0046FD17                 xor     eax, eax
.text:0046FD19
.text:0046FD19 loc_46FD19:                             ; CODE XREF: sub_46FCD0+45j
.text:0046FD19                 mov     ecx, TlsIndex
.text:0046FD1F                 mov     edx, large fs:2Ch
.text:0046FD26                 mov     esi, [edx+ecx*4]
.text:0046FD29                 mov     ecx, dword_11CA260
.text:0046FD2F                 mov     [ecx+2864h], eax
.text:0046FD35                 mov     edx, dword_11CA260
.text:0046FD3B                 mov     [esi+8], eax
.text:0046FD41                 mov     [eax+0D0h], edx
.text:0046FD47                 call    sub_46FC60
.text:0046FD4C                 mov     eax, [esi+8]
.text:0046FD52                 mov     [eax+0CCh], edi
.text:0046FD58                 pop     edi
.text:0046FD59                 pop     esi
.text:0046FD5A                 pop     ebp
.text:0046FD5B                 retn
.text:0046FD5B sub_46FCD0      endp
.text:0046FD5B
.text:0046FD5B ; ---------------------------------------------------------------------------

Bingooo! there is the Object manger.


So now im working on the values of this part...

Code:

        public static uint GetObjectByGUID(IntPtr hProcess, uint s_curMgr, UInt64 objGUID)
        {
            if (s_curMgr == 0)
                return 0;

            uint curObj, nextObj;
            curObj = Memory.ReadUInt(hProcess, (s_curMgr + 0xAC));
            nextObj = curObj;

            while (curObj != 0 && (curObj & 1) == 0)
            {
                UInt64 cGUID = Memory.ReadUInt64(hProcess, (curObj + 0x30));

                if (cGUID == objGUID)
                    return curObj;

                nextObj = Memory.ReadUInt(hProcess, (curObj + 0x3C));
                if (nextObj == curObj)
                    break;
                else
                    curObj = nextObj;
            }

            return 0;
        }

for now i can see that the 3C is taken from the distance between to UNIT_**** eg
the distance from
.text:00560B26 __cfltcvt_init_12: ; "UNIT_TARGET"
to the next
.text:00560B62 __cfltcvt_init_13: ; "UNIT_HAPPINESS"

distance = B62 - B26 = 3C
and 3C is the constant distance between all UNIT_***** so in understand why nextObj = 3C

But im having truble finding where 30 and AC came from....since 30 is inside a while I asume its a constant distance...but still dunno from where to where....and the AC no idea at all.

[kynox]

You're doing EVERYTHING wrong. the AC and 3C are values in the Linked List.

0x3C is not the constant between Descriptors, its the size of the Descriptor structure.

[mordok]

Linked List? can you explain more pliz....<3 ??? how about a pasted exaple in a simillar way im doing but with the correct way to do it?