[IDA][mac] Finding lua functions - why the difference?

[Tanaris4]

So I feel that I have a decent knowledge of finding my way around in IDA, still re-learning assembly from school (been a few years), but one thing I've noticed when comparing the Windows binary to the mac binary is how the machine language is interpreted - it seems to be done differently?

Basically what I'm getting at - If I search for a string, say, GetQuestLogTitle, I get the following results on the windows binary:

Clearly it is within a function, as IDA has gone over the entire windows binary + found functions etc...

Now I know that these have to be functions, but I'm a bit confused. On the OS X binary I will get a result of:

This isn't pointing to a given function, instead I click through + have to dig through to understand what's going on. Is there an IDA setting I'm missing? Or is this just a limitation of it disassembling an OS X file.

(ideally I would like to view pseudocode for some of these functions, I've had to use the windows version then try to find the same offsets on the OS X version, which works most of the time, but it's VERY time consuming + confusing)

Thanks in advance!

[barthen]

IDA failed to recognize some functions, maybe they're not referenced in the executable. Try this IDA Python script from the Mac Hacker's Handbook:

Code:

#!/usr/bin/python
# -*- coding: latin-1 -*-

from idaapi import *

def rebuild_functions_from_prologues():
    seg_start = SegByName("__text")
    seg_end = SegEnd(seg_start)
    cursor = seg_start
    while cursor < seg_end:
        cursor = find_not_func(cursor, 0x1)
        # push EBP; mov EBP,ESP
        if (Byte(cursor) == 0x55 and Byte(cursor+1) == 0x89 and Byte(cursor+2)==0xE5):
            MakeFunction(cursor, BADADDR)
        else:
            cursor = FindBinary(cursor, 0x1, "55 89 E5", 16)
            if (GetFunctionName(cursor) == ""):
                MakeFunction(cursor, BADADDR)
rebuild_functions_from_prologues()

It will try to find the function prologues and identify the functions IDA missed.

[Tanaris4]

That did it, ty sir, thought it may be something like that :P

[flo8464]

Why don't you just hook lua_register to get all functions/addresses?

[Tanaris4]

I don't have all functions listed, how do I find lua_register? Have the address for 3.3.0a? I can hook it easily enough

[flo8464]

Not sure about WoW, but look for references to any Lua-Function.
The only reference to it should be a call to lua_register, which takes a function pointer and the name, which should be used inside lua as argument.
At least that was my attempt while reversing Runes of Magic, for WoW I just copied from the info dump.

This is how I did it half a year ago, yeah I know, the code is terrible and may cause bugs because it isn't threadsafe, but it never caused problems and I never had the urge to rewrite it:

C++ pastebin - collaborative debugging tool

The first wave of functions will be registered when the client starts, so start it suspended and inject before running it.
The other half will be registered while being in the loading screen entering the game.

[barthen]

flo you do realize that Tanaris is on a Mac, don't you?

Anyway, the function flo is talking about is Framescript_RegisterFunction. It takes two parameters: a function pointer and a string.

The current offsets for this function are as follows:

0x007F0CC0 for the Windows binary

0x007FC200 for the Mac binary


I hope Wardenguy stays away from the Mac for a little longer ;-P

[flo8464]

flo you do realize that Tanaris is on a Mac, don't you?

Did I say anything different?

[barthen]

Did I say anything different?

Of course not. I assumed that from your windows source code. Please forgive me. :angel:

[flo8464]

Of course not. I assumed that from your windows source code. Please forgive me. :angel:

Nah, it was more meant as "Look, that is how I did it".

I guess he knows that he can't fetch strings from the registry. :P

[Tanaris4]

Thanks guys :-) And yea, will be an interesting day when pocket gnome users get the ban hammer, still not sure why I publicly release it + have an SVN - does that happen often anymore?

[Tanaris4]

Any ideas on how I could also get IDA to recognize more cross references? Basically for strings it seems to be an issue, check out the windows binary:



For OS X, IDA doesn't detect any XREF for the same strings (which presents a problem when trying to find a lot of the functions):

[Tanaris4]

I eventually semi answered my own question here, so figured I would post. For whatever reason IDA is able to determine the XREF much better in the windows binary, which would make sense as I doubt OS X is a huge priority for IDA.

But if you hook FrameScript_RegisterFunction and bring out the name + addresses you can get them easier this way. In 3.3.3a it's located at 0x8032C0