Personally I don’t think that using a memory scanner to update your offsets is a very good way.
I will give you a quick example of how I would look for the OBJECT_LIST_PTR_STRUCT_ID. I am going to use 3.1.2 -> 3.1.1b, but it would work fine for updating if there were no significant changes.
First open up IDA and jump to 0xAED328.
Bad news, it’s not referenced directly (shown by all of those ugly bytes :P)
Code:
__const_coal:00AED320 unk_AED320 db 0 ; DATA XREF: __pointers:off_149A64Co
__const_coal:00AED321 db 0
__const_coal:00AED322 db 0
__const_coal:00AED323 db 0
__const_coal:00AED324 db 40h ; @
__const_coal:00AED325 db 0D3h ; +
__const_coal:00AED326 db 0AEh ; «
__const_coal:00AED327 db 0
__const_coal:00AED328 db 4
__const_coal:00AED329 db 0Eh
__const_coal:00AED32A db 83h ; â
__const_coal:00AED32B db 0
__const_coal:00AED32C db 6Ch ; l
__const_coal:00AED32D db 12h
But we have unk_AED320; it must be an array or something :P
Look at the cross references; we only have one: 0x0149A64C.
Jump to 0x0149A64C.
Code:
__pointers:0149A64C off_149A64C dd offset unk_AED320 ; DATA XREF: sub_A71E2+55r
__pointers:0149A64C
Hmm, it’s a pointer. So look at the cross references for 0x0149A64C.
7 cross references. I’m not particularly fussed about which address I want (I just want to see some code using it), so I pick one randomly.
Now I see:
Code:
__text:000AA09C mov eax, ds:off_149A64C
__text:000AA0A1 add eax, 8
__text:000AA0A4 mov edx, [ebp+var_70]
__text:000AA0A7 mov [edx+28h], eax
__text:000AA0AA mov dword ptr [ebx+10h], 0
__text:000AA0B1 mov esi, edx
__text:000AA0B3 add esi, 2Ch
__text:000AA0B6 mov eax, [esi+8]
I fire up an IDA plug-in for generating patterns (I forgot who made it; I got it from these forums). If you don’t know how patterns work, here is a good explanation: http://www.mmowned.com/forums/wow-me...ml#post1319334. Simply put, it’s using wild-cards for bytes that will change. For example, “call 0xDEADBEEF”: 0xDEADBEEF and the bytes representing it will change each patch.
The pattern generator tells me our pattern is:
A1 ? ? ? ? 83 C0 08 8B 55 90 89 42 28 C7 43 10 00 00 00 00 89 D6 83 C6 2C
The ? are obviously the wild cards.
Open up the 3.1.1 binary and search for a sequence of bytes (Alt+B on PC). Search for our pattern. We get 0x000A6750; follow our variable 0x0146E644 to 0xAC6F00. Now remember back at the start, we had the array starting at 0x00AED320 but we wanted the entry at 0xAED328, 8 bytes in.
So 0x00AC6F00 + 8 = 0x00AC6F08
0x00AC6F08 is our object list for 3.1.1b (can’t check, but it should be correct).
If you make a good pattern you rarely need to update it.
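The wildcard search and the pointer-following steps above, written out as an added example that is not part of the original post or the plug-in it mentions. It runs the post's pattern over a small constructed image (not the game binary): the image layout, the base address 0x1000, the pointer variable at 0x1100 and the array base 0x2000 are all assumptions for the demo. It also refuses to resolve when the signature matches more than once, which is the check a pattern needs before you trust it across patches.

```python
import re
from typing import List, Optional

# Pattern from the post; the four "?" bytes are the imm32 operand of
# "mov eax, ds:off_149A64C", which gets relocated in every build.
PATTERN = "A1 ? ? ? ? 83 C0 08 8B 55 90 89 42 28 C7 43 10 00 00 00 00 89 D6 83 C6 2C"

def compile_pattern(pattern: str) -> "re.Pattern[bytes]":
    """Translate an IDA-style hex pattern into a bytes regex ('?' = any byte)."""
    parts = [b"." if tok == "?" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def find_all(image: bytes, pattern: str) -> List[int]:
    """Offsets of every match; a usable signature should yield exactly one."""
    return [m.start() for m in compile_pattern(pattern).finditer(image)]

def resolve_entry(image: bytes, base_va: int, pattern: str,
                  entry_off: int = 8) -> Optional[int]:
    """Follow mov eax,[imm32] -> pointer variable -> array base, then add entry_off.
    image is a flat dump whose first byte sits at virtual address base_va (assumption)."""
    hits = find_all(image, pattern)
    if len(hits) != 1:                      # missing or ambiguous signature: don't guess
        return None
    code_off = hits[0]
    var_va = int.from_bytes(image[code_off + 1:code_off + 5], "little")  # A1 operand
    var_off = var_va - base_va
    if not 0 <= var_off <= len(image) - 4:  # pointer variable outside the dump
        return None
    array_va = int.from_bytes(image[var_off:var_off + 4], "little")
    return array_va + entry_off

SAMPLE_BASE_VA = 0x1000  # constructed: where the sample image is assumed to be loaded

def build_sample_image() -> bytes:
    """Constructed mini image: the matched code at VA 0x1010 references a pointer
    variable at VA 0x1100 whose value is the array base VA 0x2000."""
    img = bytearray(0x200)
    tail = bytes.fromhex("83C0088B5590894228C743100000000089D683C62C")
    code = b"\xA1" + (0x1100).to_bytes(4, "little") + tail
    img[0x10:0x10 + len(code)] = code
    img[0x100:0x104] = (0x2000).to_bytes(4, "little")
    return bytes(img)

if __name__ == "__main__":
    img = build_sample_image()
    print(hex(resolve_entry(img, SAMPLE_BASE_VA, PATTERN)))  # 0x2008
    print(resolve_entry(img + img, SAMPLE_BASE_VA, PATTERN))  # None: two hits
```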