Help with finding zone address with Olly please

[Overflow]

Hello pros!

I'm in need of some help figuring out how to find the address of the pointer to the zone text or sub zone text. I have been trying for quite some time now but I'm seriously stuck.

What I have tried:

setting break points on the referenced strings ZONE_CHANGED and all like that one but no hits at all :confused:

searching for current xone text in memory, putting whatches on all and change zone to filter out all whatches that don't change. From there I put BP on mem access and the Olly breaks when I'm changing zone, bellow is long dump of function the breaks:

00539E40 /$ 55 PUSH EBP ; where is ESP set?
00539E41 |. 8BEC MOV EBP,ESP
00539E43 |. 56 PUSH ESI
00539E44 |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
00539E47 |. 85F6 TEST ESI,ESI
00539E49 |. 74 07 JE SHORT WoW.00539E52
00539E4B |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
00539E4E |. 85D2 TEST EDX,EDX
00539E50 |. 75 0E JNZ SHORT WoW.00539E60
00539E52 |> 6A 57 PUSH 57 ; /Arg1 = 00000057
00539E54 |. E8 D7230000 CALL WoW.0053C230 ; \WoW.0053C230
00539E59 |. 33C0 XOR EAX,EAX
00539E5B |. 5E POP ESI
00539E5C |. 5D POP EBP
00539E5D |. C2 0C00 RETN 0C
00539E60 |> 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00539E63 |. 3D FFFFFF7F CMP EAX,7FFFFFFF
00539E68 |. 57 PUSH EDI
00539E69 |. 74 2A JE SHORT WoW.00539E95
00539E6B |. 803A 00 CMP BYTE PTR DS:[EDX],0
00539E6E |. 8D7C06 FF LEA EDI,DWORD PTR DS:[ESI+EAX-1]
00539E72 |. 8BC6 MOV EAX,ESI
00539E74 |. 74 37 JE SHORT WoW.00539EAD
00539E76 |. 2BD6 SUB EDX,ESI
00539E78 |> 3BC7 /CMP EAX,EDI
00539E7A |. 73 31 |JNB SHORT WoW.00539EAD
00539E7C |. 8A0C02 |MOV CL,BYTE PTR DS:[EDX+EAX]
00539E7F |. 8808 |MOV BYTE PTR DS:[EAX],CL
00539E81 |. 83C0 01 |ADD EAX,1
00539E84 |. 803C02 00 |CMP BYTE PTR DS:[EDX+EAX],0
00539E88 |.^75 EE \JNZ SHORT WoW.00539E78
00539E8A |. C600 00 MOV BYTE PTR DS:[EAX],0
00539E8D |. 5F POP EDI
00539E8E |. 2BC6 SUB EAX,ESI
00539E90 |. 5E POP ESI
00539E91 |. 5D POP EBP
00539E92 |. C2 0C00 RETN 0C
00539E95 |> 8A0A MOV CL,BYTE PTR DS:[EDX]
00539E97 |. 84C9 TEST CL,CL
00539E99 |. 8BC6 MOV EAX,ESI
00539E9B |. 74 10 JE SHORT WoW.00539EAD
00539E9D |. 2BD6 SUB EDX,ESI
00539E9F |. 90 NOP
00539EA0 |> 8808 /MOV BYTE PTR DS:[EAX],CL <----- Olly breaks here
00539EA2 |. 8A4C02 01 |MOV CL,BYTE PTR DS:[EDX+EAX+1]
00539EA6 |. 83C0 01 |ADD EAX,1
00539EA9 |. 84C9 |TEST CL,CL
00539EAB |.^75 F3 \JNZ SHORT WoW.00539EA0
00539EAD |> C600 00 MOV BYTE PTR DS:[EAX],0
00539EB0 |. 5F POP EDI
00539EB1 |. 2BC6 SUB EAX,ESI
00539EB3 |. 5E POP ESI
00539EB4 |. 5D POP EBP
00539EB5 \. C2 0C00 RETN 0C


From BP I try to track the pointer, but I always end up at the top of the function:

00539E40 /$ 55 PUSH EBP ; where is ESP set?
00539E41 |. 8BEC MOV EBP,ESP
00539E43 |. 56 PUSH ESI
00539E44 |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
00539E47 |. 85F6 TEST ESI,ESI
00539E49 |. 74 07 JE SHORT WoW.00539E52
00539E4B |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]

Here I can see that EBP+0xC is pointer to the mem address where the zone text is stored. But... how can I keep following the pointer. EBP is set by:

00539E41 |. 8BEC MOV EBP,ESP

but where is ESP set?

Please help me with this one any comments welcome. Also other approaches etc, thanks!

[barthen]

Did you try the searching the forums?

Anyway, take a look at the GetZoneText and GetSubZoneText Lua functions and you'll find what you're looking for.

[Overflow]

Thank you for the input. I did look at the LUA functions but I guess I'm not seeing what you do. The only usefull info I saw was that the events: zone_changed etc is triggered. I put BP on them in Olly but they never hit..

You are refering to API GetSubZoneText - WoWWiki - Your guide to the World of Warcraft for example right?

Edit:
Also looked at API GetMinimapZoneText, which say MINIMAP_ZONE_CHANGED is triggered, that one Olly can't find at all so I wonder how acurate it really is.

[barthen]

Take a look at the code that implements that functions:

0x6DDC50 GetZoneText
0x6DDCB0 GetSubZoneText

Browse those with Olly or IDA

[Overflow]

Thanks will do. How did you know whoch address they start at? Must be missing something.. :/

Edit found it, thanks, +rep for beeing helpfull. Question on how to know where the LUA functions are remains.. I think I saw a LUA dump for 3.0.9 but since I only can search one time every 45 sec it kind of sucks.

To attach back to my original question about the function (probably a string handling function)

00539E40 /$ 55 PUSH EBP ; where is ESP set?
00539E41 |. 8BEC MOV EBP,ESP
00539E43 |. 56 PUSH ESI
00539E44 |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
00539E47 |. 85F6 TEST ESI,ESI
00539E49 |. 74 07 JE SHORT WoW.00539E52
00539E4B |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]

Is there a way to see what set the ESP register? I mean I can get a list of all calling functions but it is hundereds...

I also tried to trace and to set cond. BP, but I can still don't see any way to find out which function called this one when EBP+8 = pointer to what I want. Hope you understand what I mean, I'm trying to learn as much as I can of Olly atm.

[lanman92]

If you have IDA it's very easy(even without...). Just search for names for the first few letters of the function and then right below the name you searched for(and found), there will be a pointer. This is the array that LUA maintains and has pointers to each function. Go to this pointer and reverse away.

[Cursed]

Where is the problem? In IDA, just go to the strings table, search for GetZoneText and double click. Follow the xRef and the next one too. There's the function oO

0x006DDC50 is the start address for GetZoneText, like Barthen already said.

[Overflow]

The problem? The problem was that I wanted to see which funtion called a specific function that I had a BP in. Just read my last post before this and it might clear up for you.. I wanted to know if there is any way to do that with Olly specifically.

However. I wouldn't use that function, It looks like 006DDC80 is better. The other mentioned can be blank at times and have something similar to a sub zone but still not in it. 006DDC80 yields a pointer in 11CCF0C which always seems to point to the zone string, even in BG's

[Overflow]

If you have IDA it's very easy(even without...). Just search for names for the first few letters of the function and then right below the name you searched for(and found), there will be a pointer. This is the array that LUA maintains and has pointers to each function. Go to this pointer and reverse away.

Thank you, I will check that out in IDA should be good to know for future patches, +rep.

[0_00_0]

0x0129F5E8 - zoneID

this is 3.1.1`s zoneID address if your interested. im not sure if its the same thing.

[deCutter]

The problem was that I wanted to see which funtion called a specific function that I had a BP in. Just read my last post before this and it might clear up for you.. I wanted to know if there is any way to do that with Olly specifically.

If you are debugging WoW and stopped at breakpoint, you can look at wow`s stack to see a chain of calls, that took you to your breakpoint.

[Overflow]

Thank you, what I was looking for +rep