[mac][3.1.2] Guide: Finding object list pointer + more!

[Tanaris4]

So for once I thought I would try to contribute :-) I've noticed there are a lot of similarities in b/t mac + windows - but this may be a tad bit different.

Guide is located on PG forums since the majority of users are there (if you'd prefer I don't link to another forum + put it here let me know and I'll edit post, i didn't see a policy on this)

Pocket Gnome Forums • View topic - Guide for finding offsets

[jjaa]

Personally I don’t think that using a memory scanner to update your offsets is a very good way

I will give you a quick example of how I would look for the OBJECT_LIST_PTR_STRUCT_ID, I am going to use 3.1.2 -> 3.1.1b but it would work fine updating. If there were no significant changes.

First open up IDA jump to 0xAED328
Bad news, its not referenced directly (Show by all of those ugly bytes :P)

Code:

     __const_coal:00AED320 unk_AED320      db    0                 ; DATA XREF: __pointers:off_149A64Co
  __const_coal:00AED321                 db    0
  __const_coal:00AED322                 db    0
  __const_coal:00AED323                 db    0
  __const_coal:00AED324                 db  40h ; @
  __const_coal:00AED325                 db 0D3h ; +
  __const_coal:00AED326                 db 0AEh ; «
  __const_coal:00AED327                 db    0
  __const_coal:00AED328                 db 4
  __const_coal:00AED329                 db  0Eh
  __const_coal:00AED32A                 db  83h ; â
  __const_coal:00AED32B                 db    0
  __const_coal:00AED32C                 db  6Ch ; l
  __const_coal:00AED32D                 db  12h

But we have unk_AED320, it must be an array or something :P
Look at the cross references, we only have one. 0x0149A64C
Jump to 0x0149A64C

Code:

  __pointers:0149A64C off_149A64C     dd offset unk_AED320    ; DATA XREF: sub_A71E2+55r
  __pointers:0149A64C  

Hmm it’s a pointer. So look at the cross references for 0x0149A64C.
7 cross references. I’m not particularly fussed about what address (I just want to see some code using it) I want so I pick one randomly.

Now I see:

Code:

  __text:000AA09C                 mov     eax, ds:off_149A64C
  __text:000AA0A1                 add     eax, 8
  __text:000AA0A4                 mov     edx, [ebp+var_70]
  __text:000AA0A7                 mov     [edx+28h], eax
  __text:000AA0AA                 mov     dword ptr [ebx+10h], 0
  __text:000AA0B1                 mov     esi, edx
  __text:000AA0B3                 add     esi, 2Ch
  __text:000AA0B6                 mov     eax, [esi+8]

I fire up an IDA Plug-in for generating patterns, (I forgot who made it, I got it from these forums but) if you don’t know how patterns work here a good explanation, http://www.mmowned.com/forums/wow-me...ml#post1319334. Simply put, it’s using wild-cards for bytes that will change. For example, “call 0xDEADBEEF”, 0xDEADBEEF and the bytes representing it will change each patch.

Pattern generator tells me our pattern is,
A1 ? ? ? ? 83 C0 08 8B 55 90 89 42 28 C7 43 10 00 00 00 00 89 D6 83 C6 2C

The ? are obviously the wild cards.

Open up the 3.1.1 binary and search for a sequence of bytes (Alt+B on PC). Search for our pattern. We get 0x000A6750 follow our variables 0x 0146E644 to 0xAC6F00. Now remember back at the start, we had the array starting at 00AED320 but we wanted the entry at 0xAED328, 8 bytes in.

So 0x00AC6F00 + 8 = 00AC6F08

0x00AC6F08 is our object list for 3.1.1b (can’t check but it should be correct).

If you make a good pattern you rarely need to update it.

[Tanaris4]

Excellent post - thanks so much for taking the time to find this - I really appreciate it.

I assume to find other static values, (lets say where combo points are stored) - i'll want to search for that memory location and find functions that reference it - then create another byte signature?

+rep

[jjaa]

Exactly, and the thing to remember is that not all of them will be in arrays some will be very easy to update.
For example, PLAYER_NAME_STATIC(139FEC8) is referenced directly at

Code:

 00191E41                 cmp     ds:byte_139FEC8, 0

[Tanaris4]

The IDA plugin for others:

http://www.mmowned.com/forums/wow-me...-patterns.html

Thanks again for this post jja - VERY helpful

Edit: It has expired - can anyone post the PatternMaker.plw file again?