[help]Proof of Concept: dwFindPattern TLS

  1. #1
    babodx, Member (joined Apr 2008, 9 posts)

    [help]Proof of Concept: dwFindPattern TLS

    Thanks all!
    I am a Chinese player.
    WoW in the Chinese version is 3.05.

    I can't run Shynd's code.

    It can't find EB 02 33 00 64 8B 15 2C 00 00 00 8B 0D 00 00 00 00 8B 0C 8A

    Shynd said:

    This searches for what I've determined to be the easiest portion of WoW game code from which to glean the largest amount of information. In 2.4.2, it looks a bit like this:

    Code:
    00778D1B  |. 6A 00              PUSH 0                                   ; /Arg1 = 00000000
    00778D1D  |. 8BC8               MOV ECX,EAX                              ; |
    00778D1F  |. E8 ECE8FFFF        CALL <Wow.CGCurMgr_C>                    ; Wow.00777610
    00778D24  |. EB 02              JMP SHORT Wow.00778D28
    00778D26     33C0               XOR EAX,EAX
    00778D28     64:8B15 2C000000   MOV EDX,DWORD PTR FS:[2C]
    00778D2F  |. 8B0D 84AAE800      MOV ECX,DWORD PTR DS:[E8AA84]
    00778D35  |. 8B0C8A             MOV ECX,DWORD PTR DS:[EDX+ECX*4]
    00778D38  |. 8B15 B095D400      MOV EDX,DWORD PTR DS:[D495B0]
    00778D3E  |. 8981 10000000      MOV DWORD PTR DS:[ECX+10],EAX
    00778D44  |. 8982 18220000      MOV DWORD PTR DS:[EDX+2218],EAX
    00778D4A  |. A1 B095D400        MOV EAX,DWORD PTR DS:[D495B0]
    But in the Chinese version 3.05, how do I find this code?

    Use CE? IDA? OllyDbg?

    Now I use IDA and find:
    Code:
    .text  00401000 0092B400 R . X . L para 0001 public CODE 32 0000 0000 0003 FFFFFFFF FFFFFFFF 
    .idata 0092C000 0092C708 R . . . L para 0002 public DATA 32 0000 0000 0003 FFFFFFFF FFFFFFFF 
    .rdata 0092C708 009BBA00 R . . . L para 0002 public DATA 32 0000 0000 0003 FFFFFFFF FFFFFFFF 
    .data  009BC000 01383800 R W . . L para 0003 public DATA 32 0000 0000 0003 FFFFFFFF FFFFFFFF 
    .zdata 01384000 01385000 R W X . L para 0004 public CODE 32 0000 0000 0003 FFFFFFFF FFFFFFFF 
    .tls   01385000 01385200 R W . . L para 0005 public DATA 32 0000 0000 0003 FFFFFFFF FFFFFFFF
    Code:
    .tls:01385000 TlsStart        db    0                 ; DATA XREF: .rdata:TlsDirectoryo
    Code:
    .rdata:009B5D8C TlsDirectory    dd offset TlsStart
    .rdata:009B5D90 TlsEnd_ptr      dd offset TlsEnd
    .rdata:009B5D94 TlsIndex_ptr    dd offset TlsIndex
    .rdata:009B5D98 TlsCallbacks_ptr dd offset TlsCallbacks
    Code:
    .text:0046B920                 push    ebp
    .text:0046B921                 mov     ebp, esp
    .text:0046B923                 cmp     dword_10160E4, 0
    .text:0046B92A                 jnz     short loc_46B954
    .text:0046B92C                 mov     ecx, large fs:2Ch
    .text:0046B933                 mov     eax, TlsIndex
    .text:0046B938                 mov     eax, [ecx+eax*4]
    .text:0046B93B                 mov     ecx, [eax+8]
    .text:0046B941                 mov     edx, [ebp+arg_0]
    .text:0046B944                 cmp     edx, ecx
    .text:0046B946                 jz      short loc_46B954
    .text:0046B948                 mov     dword_10160E4, ecx
    .text:0046B94E                 mov     [eax+8], edx
    How do I find CALL <Wow.CGCurMgr_C> and get the "EB 02 33 00 64 8B 15 2C 00 00 00 8B 0D 00 00 00 00 8B 0C 8A" string?

  2. #2
    schlumpf, Retired Noggit Developer (joined Nov 2006, 2,759 posts)
    I thought there was no difference between the binaries. Oo

    On the actual question: you will need a plugin to get you the pattern, or increase "opcode bytes shown" in the settings to 5. That should show most opcodes; if not, increase it further.

    The pattern is those opcodes without the parts that are variable. In the code you posted, those are dword_10160E4, TlsIndex and dword_10160E4 again.

    Those bytes should be set to ignore in the mask for the pattern.

    You will get something like the string you posted and a pattern with some wildcards.

    You then have to add * bytes to get to the TlsIndex part, and then read the content at that address. Like:
    Code:
    uintptr_t loc = findpattern(pattern, mask);           // address of the first pattern byte (the push ebp)
    loc += 20;                                             // this is the value you will have to add (* bytes): A1 is at +19, its operand at +20
    uint32_t pointer = *reinterpret_cast<uint32_t*>(loc);  // imm32 operand of "mov eax, TlsIndex"
    You then have the address of TlsIndex in "pointer".
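As an added example (not Shynd's dwFindPattern code and not schlumpf's snippet), here is the whole procedure the two posts describe, worked against the two listings on this page: the 2.4.2 bytes are copied from the OllyDbg dump quoted in post #1, while the 3.0.5 bytes are hand-assembled from the IDA listing in post #1 (the encodings are assumptions that agree with the listing's instruction addresses; the address of TlsIndex is not shown in the post, so 0x00D4A3C8 is a placeholder). It shows why the old pattern finds nothing in the new code, how a mask built the way schlumpf describes finds the new sequence, and that the operand sits at +20 exactly as in the reply. Masking the jnz displacement and requiring exactly one hit are my additions.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// dwFindPattern-style pattern: bytes plus a mask, 'x' = must match, '?' = any byte.
// operandOffset is where, inside a match, the imm32 we want (address of TlsIndex) sits.
struct Pattern {
    std::vector<uint8_t> bytes;
    std::string mask;
    size_t operandOffset;
};

static const size_t kNotFound = static_cast<size_t>(-1);

// Bytes 00778D24..00778D3D copied verbatim from the 2.4.2 OllyDbg listing in post #1,
// with two NOPs in front so the match does not sit at offset 0.
static const uint8_t kText242[] = {
    0x90, 0x90,
    0xEB, 0x02,                                // JMP SHORT
    0x33, 0xC0,                                // XOR EAX,EAX
    0x64, 0x8B, 0x15, 0x2C, 0x00, 0x00, 0x00,  // MOV EDX,DWORD PTR FS:[2C]
    0x8B, 0x0D, 0x84, 0xAA, 0xE8, 0x00,        // MOV ECX,DWORD PTR DS:[E8AA84]
    0x8B, 0x0C, 0x8A,                          // MOV ECX,DWORD PTR DS:[EDX+ECX*4]
    0x8B, 0x15, 0xB0, 0x95, 0xD4, 0x00,        // MOV EDX,DWORD PTR DS:[D495B0]
};

// The 3.0.5 IDA listing from post #1, hand-assembled for this example (constructed data;
// the encodings are assumptions that agree with the listing's instruction addresses).
// The post does not show TlsIndex's address, so 0x00D4A3C8 is a placeholder.
static const uint8_t kText305[] = {
    0x90, 0x90, 0x90,
    0x55,                                      // push ebp
    0x8B, 0xEC,                                // mov ebp, esp
    0x83, 0x3D, 0xE4, 0x60, 0x16, 0x01, 0x00,  // cmp dword_10160E4, 0
    0x75, 0x28,                                // jnz short loc_46B954
    0x64, 0x8B, 0x0D, 0x2C, 0x00, 0x00, 0x00,  // mov ecx, large fs:2Ch
    0xA1, 0xC8, 0xA3, 0xD4, 0x00,              // mov eax, TlsIndex (placeholder operand)
    0x8B, 0x04, 0x81,                          // mov eax, [ecx+eax*4]
    0x8B, 0x88, 0x08, 0x00, 0x00, 0x00,        // mov ecx, [eax+8]
    0x8B, 0x55, 0x08,                          // mov edx, [ebp+arg_0]
    0x3B, 0xD1,                                // cmp edx, ecx
};

// Shynd's 2.4.2 pattern as quoted in post #1 (33 C0 = XOR EAX,EAX); the address in
// "MOV ECX,[E8AA84]" is wildcarded and starts 13 bytes into the match.
static const Pattern kPattern242 = {
    { 0xEB, 0x02, 0x33, 0xC0, 0x64, 0x8B, 0x15, 0x2C, 0x00, 0x00, 0x00,
      0x8B, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x0C, 0x8A },
    "xxxxxxxxxxxxx????xxx", 13 };

// 3.0.5 pattern built as schlumpf describes: opcodes kept, the two absolute addresses
// (dword_10160E4, TlsIndex) masked out. The jnz rel8 is masked too, since it moves
// whenever the function is re-laid-out. A1 is at +19, so its operand is at +20.
static const Pattern kPattern305 = {
    { 0x55, 0x8B, 0xEC, 0x83, 0x3D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x00,
      0x64, 0x8B, 0x0D, 0x2C, 0x00, 0x00, 0x00, 0xA1, 0x00, 0x00, 0x00, 0x00,
      0x8B, 0x04, 0x81 },
    "xxxxx????xx?xxxxxxxx????xxx", 20 };

// Offset of the first match of pat in buf[0..len), or kNotFound.
size_t findPattern(const uint8_t* buf, size_t len, const Pattern& pat) {
    const size_t n = pat.mask.size();
    if (n == 0 || n != pat.bytes.size() || len < n) return kNotFound;
    for (size_t i = 0; i + n <= len; ++i) {
        size_t j = 0;
        while (j < n && (pat.mask[j] == '?' || buf[i + j] == pat.bytes[j])) ++j;
        if (j == n) return i;
    }
    return kNotFound;
}

// How many times the pattern occurs: a usable pattern must hit exactly once.
size_t countMatches(const uint8_t* buf, size_t len, const Pattern& pat) {
    size_t count = 0, pos = 0;
    for (;;) {
        size_t at = findPattern(buf + pos, len - pos, pat);
        if (at == kNotFound) return count;
        ++count;
        pos += at + 1;
    }
}

// Reads the pattern's imm32 operand (x86 is little-endian), i.e. the address of TlsIndex.
// Returns 0 if the pattern is missing or ambiguous, so a stale pattern fails loudly
// instead of handing back a garbage pointer.
uint32_t resolveTlsIndexAddress(const uint8_t* buf, size_t len, const Pattern& pat) {
    if (countMatches(buf, len, pat) != 1) return 0;
    size_t at = findPattern(buf, len, pat);
    if (at + pat.operandOffset + 4 > len) return 0;
    const uint8_t* p = buf + at + pat.operandOffset;
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

int main() {
    std::printf("2.4.2 pattern on 2.4.2 code: &TlsIndex = 0x%08X\n",
                resolveTlsIndexAddress(kText242, sizeof kText242, kPattern242));
    std::printf("2.4.2 pattern on 3.0.5 code: 0x%08X  (no hit: the problem in post #1)\n",
                resolveTlsIndexAddress(kText305, sizeof kText305, kPattern242));
    std::printf("3.0.5 pattern on 3.0.5 code: &TlsIndex = 0x%08X\n",
                resolveTlsIndexAddress(kText305, sizeof kText305, kPattern305));
    return 0;
}
```

Against a live client you would run the same scan over the .text range (for the 3.0.5 binary on this page, 00401000..0092B400 as IDA lists it) read out of the process, not over the whole address space. What comes back is the address of TlsIndex, not the index itself: read the DWORD at that address to get the slot number, then, as the listing shows, the per-thread value lives at index*4 in the array that fs:[2Ch] points to.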
