Recommended Debugger for Live Analysis?

  #1 mongoosed (Member)


    Hello everyone, I would like to reverse the player pointer and some other things by myself, and am looking for advice on what the best tool for live analysis of wow.exe would be. In the past I had used Cheat Engine and a little bit of OllyDbg, though using Cheat Engine was more effective. (Perhaps I was just using Olly in the wrong way?)

    I will be blending my live analysis with some offline analysis through IDA pro.

    What would be your recommendations?

  #2 _Mike (Contributor)
    I used to use IDA's debugger almost exclusively because it integrates perfectly with the offline disassembler, but I'm leaning more and more towards WinDbg the more I use it and learn it.
    It might be that I just don't know the IDA debugger well enough, but I feel WinDbg gives so much more control and a better overview of the target app. And WinDbg is so much faster.

  #3 mongoosed (Member)
    Does WinDbg support successive searches and some of the more advanced field searches that Cheat Engine and MHS currently support? To find a value while doing live analysis requires a very good successive search ability, as well as the ability to search both very specifically and very broadly for the values you are looking for, correct? I apologize if the usual process of doing a live analysis session with regard to WoW has already been covered on the forums here (I didn't turn anything up in my search).

  #4 amadmonk (Active Member)
    WinDbg isn't really designed the same way CE is, but it does have some search functions.

    I agree with _Mike; although I like that IDA integrates the debugger, I find that IDA is so damned fragile (it likes to crash and corrupt the IDB all the time, and seems much more prone to do so when debugging) that I like the rock-solid nature of WinDbg.

    Of course, the fact that I used to work with the WinDbg team at Microsoft may make me a little biased.
    Don't believe everything you think.

  #5 ddebug (Contributor)
    IDA supports multiple debuggers. I recommend using IDA Pro with the WinDbg debugger for dynamic analysis.

    P.S. For people that are having problems with IDA and debugging WoW, disable ASLR and don't rebase. I too had instability problems before I did this.

    Cheers.
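What ddebug's tip means in practice, as an added example that is not from the thread and is not IDA's or Blizzard's code: ASLR is opt-in per image through the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040) in the PE optional header, so clearing that bit makes the loader map the file at its preferred ImageBase, and the addresses in an unrebased IDB line up with the live process. The C program below parses the DOS and NT headers, reports whether the bit is set, and clears it. It runs on a constructed minimal PE32 header from build_sample_pe(), not on a real binary; the header offsets are the PE format's, the sample field values are invented.

```c
/* Added example, not from the thread: find and clear the DYNAMIC_BASE flag in a
 * PE optional header so the image loads at its preferred ImageBase (no ASLR).
 * Offsets are the PE format's; the sample header built below is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLLCHAR_DYNAMIC_BASE 0x0040u   /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE */
#define E_LFANEW_OFF  0x3Cu            /* IMAGE_DOS_HEADER.e_lfanew */
#define FILE_HDR_SIZE 20u              /* sizeof(IMAGE_FILE_HEADER) */
#define DLLCHAR_OFF   70u              /* OptionalHeader.DllCharacteristics, same for PE32 and PE32+ */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* File offset of DllCharacteristics, or 0 if this is not a sane PE image.
 * Every offset is bounds-checked against len before it is dereferenced. */
static size_t dllchar_offset(const uint8_t *img, size_t len) {
    if (len < E_LFANEW_OFF + 4 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + E_LFANEW_OFF);
    if (pe > len - 4 || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    size_t opt = (size_t)pe + 4 + FILE_HDR_SIZE;        /* start of optional header */
    if (opt + 2 > len) return 0;
    uint16_t magic = rd16(img + opt);
    if (magic != 0x10B && magic != 0x20B) return 0;     /* PE32 / PE32+ only */
    if (opt + DLLCHAR_OFF + 2 > len) return 0;
    return opt + DLLCHAR_OFF;
}

/* 1 if the image opts into ASLR, 0 if not, -1 if the header does not parse. */
static int aslr_enabled(const uint8_t *img, size_t len) {
    size_t off = dllchar_offset(img, len);
    if (!off) return -1;
    return (rd16(img + off) & DLLCHAR_DYNAMIC_BASE) ? 1 : 0;
}

/* Clears the flag in place; returns the new DllCharacteristics or -1 on failure. */
static int disable_aslr(uint8_t *img, size_t len) {
    size_t off = dllchar_offset(img, len);
    if (!off) return -1;
    uint16_t dc = (uint16_t)(rd16(img + off) & (uint16_t)~DLLCHAR_DYNAMIC_BASE);
    wr16(img + off, dc);
    return dc;
}

/* Constructed minimal PE32 header (not loadable): MZ stub, e_lfanew = 0x80,
 * PE signature, i386 file header, optional header with DllCharacteristics =
 * 0x8140 (DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE). */
#define SAMPLE_LEN 0x200u
static size_t build_sample_pe(uint8_t *img) {
    memset(img, 0, SAMPLE_LEN);
    img[0] = 'M'; img[1] = 'Z';
    uint32_t pe = 0x80; memcpy(img + E_LFANEW_OFF, &pe, 4);
    memcpy(img + pe, "PE\0\0", 4);
    wr16(img + pe + 4, 0x014C);                  /* Machine = IMAGE_FILE_MACHINE_I386 */
    wr16(img + pe + 4 + 16, 0xE0);               /* SizeOfOptionalHeader */
    size_t opt = pe + 4 + FILE_HDR_SIZE;
    wr16(img + opt, 0x10B);                      /* Magic = PE32 */
    wr16(img + opt + DLLCHAR_OFF, 0x8140);       /* DllCharacteristics */
    return SAMPLE_LEN;
}

typedef struct { int before, dllchar, after; } AslrDemo;

/* Whole round trip on the constructed header: check, clear, re-check. */
static AslrDemo run_demo(void) {
    uint8_t img[SAMPLE_LEN]; AslrDemo r;
    size_t len = build_sample_pe(img);
    r.before  = aslr_enabled(img, len);
    r.dllchar = disable_aslr(img, len);
    r.after   = aslr_enabled(img, len);
    return r;
}

int main(void) {
    AslrDemo r = run_demo();
    printf("ASLR before: %d, DllCharacteristics now 0x%04X, ASLR after: %d\n",
           r.before, r.dllchar, r.after);
    return 0;
}
```

To use it on a file, read the whole file into a buffer, call disable_aslr(), write it back and keep a copy of the original; the PE CheckSum field is not recalculated here, and a modified executable no longer hashes like the original, which anything that verifies the file will notice. If you would rather not touch the binary, Windows also has a system-wide switch: the REG_DWORD MoveImages = 0 under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management disables ASLR for every image after a reboot. Either way, confirm in the debugger that the module actually loaded at the IDB's base (`lm` or `!dh <module>` in WinDbg) before trusting any address.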

  #6 DrGonzo (Contributor)
    OllyDbg.
    SoftIce if you want to go old school.

  #7 mongoosed (Member)
    Isn't it much more difficult to isolate interesting variables without the additional search functions that CE/T-Search would give you compared to WinDbg, or are you all using a plugin/script that extends it to support progressive searches based on search fields?

  #8 _Mike (Contributor)
    It sounds like what you really want is a memory scanner. A debugger is mainly targeted at analyzing code. While most can search for data, I don't know of any that does it with the same ease as, for example, Cheat Engine.

  #9 mongoosed (Member)
    Yes, Mike, I believe that may indeed be more what I am looking at, because I would like to go into this project initially without all of the information the community has already amassed. I will need to first identify interesting variables, which will lead me back to the functions and structures that they spring from, allowing me to begin my offline analysis in the correct locations.

    Please correct me if I am wrong in thinking this is the best process to reverse functions and memory points of interest, as I am trying to learn as best I can.

  #10 ddebug (Contributor)
    Originally Posted by _Mike:
    It sounds like what you really want is a memory scanner. A debugger is mainly targeted at analyzing code. While most can search for data, I don't know of any that does it with the same ease as, for example, Cheat Engine.
    this.

    Each tool has its benefits. Though, you really shouldn't ever need to use Cheat Engine/T-Search/MHS/<insert memory scanner here>. Don't get me wrong: they are useful because of their simplicity for finding offsets and pointers in memory (rather quickly), but they aren't really "necessary" to use.

    In fact, in most cases, using OllyDbg or a similar debugger is more beneficial to you. Once you find something you are interested in looking at and analyze the code in OllyDbg/whatever, you will usually be led to new discoveries. These new discoveries will help you learn more about the "target executable" and what you can do to exploit it/whatever.

    Consider for a moment searching for player hitpoints in WoW. You can easily find the offsets using a memory scanner. Once you have these offsets, it's nice to trace them back to a static pointer and then analyze that code in OllyDbg. This could lead you to something such as the constructor for Units/Players/Local Player. With this, you could find the structure in memory that stores other fields (like mp, energy, rage, etc..).

  #11 mongoosed (Member)
    ddebug, excellent reply; it illuminated the importance of OllyDbg to me in my toolchain. I sincerely hope this post will help other newer members put together their initial toolset.

    Using OllyDbg in combination with a memory scanner, I would follow this process:

    First -> memory scanner to find dynamic variables that I am interested in reversing (because they correspond to the process in the game that I am interested in revving).

    Second -> open that memory address in OllyDbg to begin the process of tracking back to a static pointer (which will most likely reside in a function that includes much more information around what I initially searched for).

    Third -> using the static pointer found from OllyDbg, open up IDA and perform my offline analysis to begin reversing the structure and signature of the function in which that static pointer resides.

    At my current level of understanding, I believe the key piece of knowledge I am missing right now is how to use OllyDbg to go from a dynamic value found in the memory scanner to the static pointer it originated from. Would reading through the OllyDbg help files illuminate how to perform this dynamic address -> static pointer analysis, or is there a specific tutorial available that addresses this?

    Thank you again to everyone who has pitched in their ideas here. I hope that it will help others as it has helped me.
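The two scanner steps discussed in posts #3, #7, #10 and #11 (narrow a value with successive searches, then find the static pointer the dynamic address hangs off), as an added example that is not part of the original thread and is not Cheat Engine, MHS or Blizzard code: a self-contained C program working on a constructed 64 KiB "process image" that stands in for a 32-bit wow.exe address space. The player object, its field layout, the .data slot holding the pointer, the decoy variable, and every address and value are hypothetical and are set up in build_sample_memory().

```c
/* Added example, not from the thread: a toy 32-bit "process image" with a
 * constructed player object, showing the scanner steps the posts describe.
 * Steps 1-2: successive exact-value search (Cheat Engine / MHS style) narrows the
 * HP candidates. Step 3: a pointer scan over the module's static range finds the
 * .data slot that points at the object, giving HP = [[static] + offset].
 * Every address, offset and value here is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_BASE  0x00400000u              /* simulated wow.exe image base */
#define MEM_SIZE    0x00010000u              /* 64 KiB of simulated address space */
#define STATIC_HI   (IMAGE_BASE + 0x4000u)   /* [IMAGE_BASE, STATIC_HI) = module image */
#define PLAYER_OBJ  0x00408000u              /* heap object (hypothetical) */
#define HP_OFFSET   0x10u                    /* hypothetical field offset */
#define STATIC_PTR  0x00403F00u              /* .data slot holding &player (hypothetical) */
#define DECOY_ADDR  0x0040C000u              /* unrelated dword that also starts at 1000 */

static uint8_t g_mem[MEM_SIZE];

static int in_range(uint32_t a) { return a >= IMAGE_BASE && a + 4 <= IMAGE_BASE + MEM_SIZE; }
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, g_mem + (a - IMAGE_BASE), 4); return v; }
static void wr32(uint32_t a, uint32_t v) { memcpy(g_mem + (a - IMAGE_BASE), &v, 4); }

/* Constructed sample memory: a player object, a static pointer to it, and a decoy. */
static void build_sample_memory(void) {
    memset(g_mem, 0, sizeof g_mem);
    wr32(PLAYER_OBJ + 0x00, 0x004011A0u);  /* fake vtable pointer */
    wr32(PLAYER_OBJ + 0x08, 80);           /* level */
    wr32(PLAYER_OBJ + HP_OFFSET, 1000);    /* current HP */
    wr32(PLAYER_OBJ + 0x14, 500);          /* mana */
    wr32(STATIC_PTR, PLAYER_OBJ);          /* the static pointer we want to recover */
    wr32(DECOY_ADDR, 1000);                /* same value, unrelated variable */
}

/* Step 1: exact-value search over every 4-byte aligned dword. */
static size_t scan_exact(uint32_t value, uint32_t *out, size_t max) {
    size_t n = 0;
    for (uint32_t a = IMAGE_BASE; a + 4 <= IMAGE_BASE + MEM_SIZE; a += 4)
        if (rd32(a) == value && n < max) out[n++] = a;
    return n;
}

/* Step 2: successive search, keeping only candidates that now hold new_value. */
static size_t refine(uint32_t *cands, size_t n, uint32_t new_value) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (rd32(cands[i]) == new_value) cands[kept++] = cands[i];
    return kept;
}

typedef struct { uint32_t addr, offset; } PtrHit;

/* Step 3: pointer scan. Report every dword in the module image whose value p
 * satisfies target == p + offset with 0 <= offset <= max_off. */
static size_t pointer_scan(uint32_t target, uint32_t max_off, PtrHit *out, size_t max) {
    size_t n = 0;
    for (uint32_t a = IMAGE_BASE; a + 4 <= STATIC_HI; a += 4) {
        uint32_t p = rd32(a);
        if (p == 0 || !in_range(p) || p > target || target - p > max_off) continue;
        if (n < max) { out[n].addr = a; out[n].offset = target - p; n++; }
    }
    return n;
}

typedef struct {
    size_t first_hits, final_hits, ptr_hits;
    uint32_t hp_addr, static_addr, offset;
} DemoResult;

/* The whole workflow on the constructed image, as a memory scanner would run it. */
static DemoResult run_demo(void) {
    DemoResult r = {0};
    uint32_t c[64]; PtrHit hits[8];
    build_sample_memory();
    r.first_hits = scan_exact(1000, c, 64);        /* HP and the decoy both match */
    wr32(PLAYER_OBJ + HP_OFFSET, 850);             /* "take damage" in game, then rescan */
    r.final_hits = refine(c, r.first_hits, 850);   /* only the real HP survives */
    if (r.final_hits == 1) {
        r.hp_addr = c[0];
        r.ptr_hits = pointer_scan(c[0], 0x40, hits, 8);
        if (r.ptr_hits == 1) { r.static_addr = hits[0].addr; r.offset = hits[0].offset; }
    }
    return r;
}

int main(void) {
    DemoResult r = run_demo();
    printf("candidates %zu -> %zu, HP at %08X\n", r.first_hits, r.final_hits, (unsigned)r.hp_addr);
    printf("HP = [[%08X] + 0x%X]\n", (unsigned)r.static_addr, (unsigned)r.offset);
    return 0;
}
```

The pointer scan is the cheap route; the other standard route is the one the debuggers give you. Once the scanner has the dynamic HP address, set a hardware access breakpoint on it (WinDbg `ba r4 <addr>`, or OllyDbg's Breakpoint > Hardware, on access > Dword), let the game hit it, and read the instruction that touched it: the base register in that instruction holds the object address, and walking back a few instructions usually shows where that register was loaded from a static address, which is the place to start the IDA session.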

  #12 Cypher (Kynox's Sister's Pimp)
    WinDbg for debugging. IDA for static analysis. MHS (memoryhacking.com) for memory scanning etc. (kind of like Cheat Engine, but better, imo).

    OllyDbg is far too buggy for my liking (not to mention that whilst WinDbg has a steeper learning curve, it gives you far more control than OllyDbg does).

  #13 mongoosed (Member)
    Thank you, Cypher. From the preliminary reversing I have done on some random game EXEs while reading through my material, I have found that the debugger in MHS is complete crap, so yeah, WinDbg is definitely going to be the way to go there.

    The three pronged toolset that you have mentioned is the one that I will use now. Thanks all for the recommendations and info.

  #14 amadmonk (Active Member)
    Cypher: explain to me why I should use MHS. Sell me, baby.
    Don't believe everything you think.

  #15 Cypher (Kynox's Sister's Pimp)
    Originally Posted by amadmonk:
    Cypher: explain to me why I should use MHS. Sell me, baby.
    It has useful features which (last time I checked) CE does not:
    L. Spiro's Memory Hacking Software

    It's really ****ing hot today and I'm about to go for a swim, so you'll have to read that and 'sell yourself' until I get back.
