Some help needed with reversing menu

Page 2 of 2 (posts 16 to 22 of 22)
#16 Millow, Member
    This thread really helped me get a good understanding of the whole rebase thing, it's not very complicated once you understand it! Thank you again to everyone who posted, much appreciated.
    Now truly one last thing,
    Code:
    Memory.Read<string>(Memory.Read<uint>(Memory.BaseAddress + 0x990684));
    Why can't we just do
    Code:
    Memory.Read<string>(Memory.BaseAddress + 0x990684);
    The read uint part gets a pointer, I suppose; this pointer points to an address which contains data. Couldn't we just feed the address instead of the pointer to the address of the data?
    I'm missing something crucial here, I've seen it covered before, but I couldn't quite grasp it, it seems counterintuitive to me.
    Thx !

    Edit -> Idea: Is it because the pointer "knows" what kind of data it's pointing to?
    Last edited by Millow; 11-25-2010 at 10:42 PM.
#17 Scorpiona, Active Member
    Originally Posted by Millow:
    This thread really helped me get a good understanding of the whole rebase thing, it's not very complicated once you understand it! Thank you again to everyone who posted, much appreciated.
    Now truly one last thing,
    Code:
    Memory.Read<string>(Memory.Read<uint>(Memory.BaseAddress + 0x990684));
    Why can't we just do
    Code:
    Memory.Read<string>(Memory.BaseAddress + 0x990684);
    The read uint part gets a pointer, I suppose; this pointer points to an address which contains data. Couldn't we just feed the address instead of the pointer to the address of the data?
    I'm missing something crucial here, I've seen it covered before, but I couldn't quite grasp it, it seems counterintuitive to me.
    Thx !

    Edit -> Idea: Is it because the pointer "knows" what kind of data it's pointing to?
    I knew I'd have a use for this video someday!

    The pointer doesn't know the kind of the data it points to. All it does is store (point to) another address in memory.

    The reason why you can't just do this:
    Code:
    Memory.Read<string>(Memory.BaseAddress + 0x990684);
    is because Memory.BaseAddress + 0x990684 is the address of a pointer to a string, not a string itself.

    The reason why this works:
    Code:
    Memory.Read<string>(Memory.Read<uint>(Memory.BaseAddress + 0x990684));
    is because you're reading from the pointer to get the address of its pointee, where a string is stored, and then reading a string from there.

#18 L33ch, Member
    Awesome video

    In short : (correct me if I'm wrong)

    you have a pointer, that points to a pointee.
    A pointee has value : "Tirisfal Glades", 12300, "last message from messagebox", etc...

    The IDA addresses are the pointers, and you need to find the pointee. The problem with WoW is that every time you start it, the pointee is at a different memory address.

    i.e. :
    Value - Address

    "Hi" = 0x405012;

    Restart WoW and ...

    "Hi" = 0x406054;

    but the pointer is always static (just a different value if updated (new wow patch))

    so 0x405000 could be pointing to 0x405012 or 0x406054 or even a complete new value (if wow restarted again!)

    so you read the value (pointer location) from 0x405000 and read the value from there:
    resulting in (pointee locations (memory addresses) are always uint):

    Memory.Read<string>(Memory.Read<uint>(0x405000));

    Example has not been rebased as it's completely fake...

    Memory.BaseAddress would be the RVA for WoW, that's why you rebase (but you understood that already)

    The big difference is: you can find the static pointers while not running WoW, but the pointees ONLY if WoW's running, and only for that instance (if you have a second WoW running, the pointees are different again)...

    I used to make trainers based on pointees, they didn't last very long... :P
    Last edited by L33ch; 11-26-2010 at 04:11 AM.

#19 miceiken, Contributor
    The pointer changes because WoW's base module changes, or it's relative to an object in memory. You simply read the pointer, which gives you another pointer that leads you to the string. That's my impression of this. And yes, you can read it directly if you read from the same process as you're in (afaik).
    Code:
    **(string*)0xDEADBEEF
    Where * represents the amount of pointers to read before you are at the wanted result.

    All of this Scorpiona already stated, just put it in other words :P

#20 caytchen, Contributor
    This is obviously the wrong section to learn pointers. Also, "**(string*)0xDEADBEEF" is obviously illegal.

#21 jjaa, Contributor
    I think if you're struggling with pointers you need to do a bit more reading... However, you're just doing this:
    Code:
    char* test = *(char**) 0x00D90684;
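Worked example (added by the editor, not code from Millow, Scorpiona, L33ch, miceiken or jjaa): the two-step read from posts #17 and #18, and the in-process double dereference from #19 and #21, in C. The target's address space is simulated as a flat byte array so it runs without WoW; SLOT_OFFSET, the two string addresses and the zone text are constructed. The wrong one-step read is included so you can see what comes back: the pointer's own bytes, not the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread. The target's address space is a
 * flat byte array so this runs anywhere; an "address" is an index into mem[].
 * SLOT_OFFSET stands in for BaseAddress + 0x990684 and is constructed. */
#define MEM_SIZE    0x1000u
#define SLOT_OFFSET 0x0100u

struct fake_process {
    uint8_t mem[MEM_SIZE];
};

/* Memory.Read<uint>: four little-endian bytes at addr (x86 byte order). */
static uint32_t read_u32(const struct fake_process *p, uint32_t addr)
{
    if (addr + 4u > MEM_SIZE) return 0;
    return (uint32_t)p->mem[addr]
         | (uint32_t)p->mem[addr + 1] << 8
         | (uint32_t)p->mem[addr + 2] << 16
         | (uint32_t)p->mem[addr + 3] << 24;
}

/* Memory.Read<string>: copy the NUL-terminated bytes starting at addr. */
static void read_cstr(const struct fake_process *p, uint32_t addr, char *out, size_t cap)
{
    size_t i = 0;
    while (i + 1 < cap && addr + i < MEM_SIZE && p->mem[addr + i] != 0) {
        out[i] = (char)p->mem[addr + i];
        i++;
    }
    out[i] = '\0';
}

/* One launch of the target: the string lands wherever the allocator put it
 * this time (string_addr); the slot at the fixed offset records that address. */
static void setup_process(struct fake_process *p, uint32_t string_addr, const char *text)
{
    memset(p->mem, 0, MEM_SIZE);
    memcpy(&p->mem[string_addr], text, strlen(text) + 1);
    for (int i = 0; i < 4; i++)
        p->mem[SLOT_OFFSET + i] = (uint8_t)(string_addr >> (8 * i));
}

/* Two-step read: Memory.Read<string>(Memory.Read<uint>(BaseAddress + offset)). */
static void read_zone_text(const struct fake_process *p, char *out, size_t cap)
{
    uint32_t string_addr = read_u32(p, SLOT_OFFSET); /* the pointer */
    read_cstr(p, string_addr, out, cap);             /* the pointee */
}

/* One-step read: Memory.Read<string>(BaseAddress + offset). Treats the
 * pointer's own bytes as if they were the text. */
static void read_zone_text_wrong(const struct fake_process *p, char *out, size_t cap)
{
    read_cstr(p, SLOT_OFFSET, out, cap);
}

/* Launch the target with the string at string_addr and return 1 if the
 * two-step read recovers it, 0 otherwise. */
static int two_step_reads(uint32_t string_addr, const char *text)
{
    struct fake_process p;
    char buf[64];
    setup_process(&p, string_addr, text);
    read_zone_text(&p, buf, sizeof buf);
    return strcmp(buf, text) == 0;
}

/* Same launch, one-step read: how many bytes came back before the first NUL. */
static size_t one_step_length(uint32_t string_addr, const char *text)
{
    struct fake_process p;
    char buf[64];
    setup_process(&p, string_addr, text);
    read_zone_text_wrong(&p, buf, sizeof buf);
    return strlen(buf);
}

/* In-process the same two steps are C's double dereference: g_zone_text is
 * the pointer slot, *(const char **)&g_zone_text is the text. */
static const char *g_zone_text = "Tirisfal Glades";

static const char *read_in_process(void)
{
    const char **slot = &g_zone_text;
    return *slot;
}

int main(void)
{
    /* Two launches: the string moved (0x0842 -> 0x0C10), the slot did not. */
    printf("two-step, launch 1: %s\n", two_step_reads(0x0842, "Tirisfal Glades") ? "ok" : "FAIL");
    printf("two-step, launch 2: %s\n", two_step_reads(0x0C10, "Tirisfal Glades") ? "ok" : "FAIL");
    printf("one-step, launch 1: %zu bytes of pointer (0x42 0x08), not text\n",
           one_step_length(0x0842, "Tirisfal Glades"));
    printf("in-process:         \"%s\"\n", read_in_process());
    return 0;
}
```

The one-step read on the first launch returns two bytes, 0x42 0x08, which are the low bytes of the pointer 0x0842 until the first zero byte ends the "string". That is all a single Read<string> at the static address can ever give you.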

#22 L33ch, Member
    Right, lets go one step further.

    lets find a Pattern!

    Code:
    .text:00423950                               sub_423950      proc near               ; DATA XREF: .data:008071ACo
    .text:00423950
    .text:00423950                               arg_0           = dword ptr  8
    .text:00423950
    .text:00423950 55                                            push    ebp
    .text:00423951 8B EC                                         mov     ebp, esp
    .text:00423953 A1 84 06 99 00                                mov     eax, dword_990684
    .text:00423958 85 C0                                         test    eax, eax
    .text:0042395A 75 05                                         jnz     short loc_423961
    .text:0042395C B8 83 01 6B 00                                mov     eax, offset unk_6B0183
    .text:00423961
    .text:00423961                               loc_423961:                             ; CODE XREF: sub_423950+Aj
    .text:00423961 50                                            push    eax
    .text:00423962 8B 45 08                                      mov     eax, [ebp+arg_0]
    .text:00423965 50                                            push    eax
    .text:00423966 E8 15 21 C1 FF                                call    sub_35A80
    .text:0042396B 83 C4 08                                      add     esp, 8
    .text:0042396E B8 01 00 00 00                                mov     eax, 1
    .text:00423973 5D                                            pop     ebp
    .text:00423974 C3                                            retn
    .text:00423974                               sub_423950      endp
    Suppose we have this (the GetMiniMapZoneText function) and we'd like to get the pattern.
    Enable opcodes first (Options/General/Number of opcode bytes = 10) (I already did that).

    Just stick all opcodes in a string, separated by "\x"

    sooo...
    that would get me to...
    pattern :"\x55\x8B\xEC\xA1\x84\x06\x99\x00\x85\xC0\x75\x05\xB8\x83\x01\x6B\x00"
    mask ( xxxxxxxxxxxxxxxxx )

    now we want to change the "probably changing values" to unknowns '?'
    "probably changing values" because they can be changed next patch

    that would be :
    Code:
    \xA1 \x84 \x06 \x99 \x00    	dword_990684 (yes, current minimapzonetext address)
    and, but not sure about this as i'm still learning :P
    Code:
    \x75 \x05        		short loc_423961
    \xB8 \x83 \x01 \x6B \x00  	offset unk_6B0183
    that would make
    pattern :"\x55\x8B\xEC\xA1\x84\x06\x99\x00\x85\xC0\x75\x05\xB8\x83\x01\x6B\x00"
    mask ( xxxxxxxxxxxxxxxxx )

    to
    pattern : "\x55\x8B\xEC_____\x85\xC0_______"
    mask (xxx?????xx???????)

    now this pattern is probably too small, but, let's say, if we'd use FindPattern()

    we'll find a value...
    if we'd look for "dword_990684 "
    that would be [the FindPattern value + 3]. Why +3?
    FindPattern returns the first byte location, but the dword starts 3 bytes from there:
    (\x55\x8B\xEC) -> start \xA1\x84\x06\x99\x00 <- end (\x85\xC0\x75\x05\xB8\x83\x01\x6B\x00)

    can anyone verify if this is the correct way to get patterns? :P
    I'll verify if this works when i get home, can't do it at work as I don't have WoW here nor my code :P
    Last edited by L33ch; 11-26-2010 at 07:17 AM.
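Worked example (added by the editor, not code from L33ch or anyone else in this thread): a mask-based FindPattern in C, run over two constructed byte buffers. The first is the opcode bytes of the sub_423950 listing above with filler in front; the second is a constructed "next patch" variant in which only the two 4-byte operands changed. This example keeps the opcode byte A1 fixed in the pattern and wildcards only its four operand bytes, so the address is read at match + 4 (A1 itself sits at match + 3). The image base 0x00400000 (the 32-bit PE default) is an assumption used to turn the absolute address into an offset you would add to Memory.BaseAddress.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread. Buffers are constructed from the
 * listing in the post; IMAGE_BASE is the 32-bit PE default and an assumption. */
#define IMAGE_BASE 0x00400000u

/* The prologue of sub_423950 as listed, with constructed filler in front. */
static const uint8_t text_v1[] = {
    0x90, 0x90, 0xCC, 0xCC,                /* filler */
    0x55,                                  /* push ebp */
    0x8B, 0xEC,                            /* mov ebp, esp */
    0xA1, 0x84, 0x06, 0x99, 0x00,          /* mov eax, dword_990684 */
    0x85, 0xC0,                            /* test eax, eax */
    0x75, 0x05,                            /* jnz short +5 */
    0xB8, 0x83, 0x01, 0x6B, 0x00,          /* mov eax, offset unk_6B0183 */
    0x50, 0x8B, 0x45, 0x08, 0x50,          /* push eax / mov eax,[ebp+8] / push eax */
    0xC3,
};

/* Constructed "next patch": same code, data and string moved, more filler. */
static const uint8_t text_v2[] = {
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x90,
    0x55, 0x8B, 0xEC,
    0xA1, 0x10, 0x2A, 0x9B, 0x00,          /* mov eax, dword_9B2A10 */
    0x85, 0xC0, 0x75, 0x05,
    0xB8, 0x44, 0x33, 0x6C, 0x00,          /* mov eax, offset unk_6C3344 */
    0x50, 0x8B, 0x45, 0x08, 0x50, 0xC3,
};

/* Opcode bytes fixed ('x'), the two imm32 operands wildcarded ('?'). */
static const uint8_t pattern[] = {
    0x55, 0x8B, 0xEC, 0xA1, 0, 0, 0, 0, 0x85, 0xC0, 0x75, 0x05, 0xB8, 0, 0, 0, 0
};
static const char mask[] = "xxxx????xxxxx????";

/* Offset of the first match in hay, or -1. A '?' in msk accepts any byte. */
static long find_pattern(const uint8_t *hay, size_t hay_len, const uint8_t *pat, const char *msk)
{
    size_t pat_len = strlen(msk);
    if (pat_len > hay_len) return -1;
    for (size_t i = 0; i + pat_len <= hay_len; i++) {
        size_t j;
        for (j = 0; j < pat_len; j++)
            if (msk[j] != '?' && hay[i + j] != pat[j]) break;
        if (j == pat_len) return (long)i;
    }
    return -1;
}

static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Find the function, then pull the absolute address out of "A1 imm32":
 * A1 is at match+3, so its 4-byte operand starts at match+4. Returns 0 if
 * the pattern is not found. */
static uint32_t static_address_from(const uint8_t *text, size_t len)
{
    long at = find_pattern(text, len, pattern, mask);
    if (at < 0) return 0;
    return read_u32_le(text + at + 4);
}

/* Offset from the image base, i.e. what you add to Memory.BaseAddress at
 * runtime so the read survives rebasing. */
static uint32_t to_rva(uint32_t absolute)
{
    return absolute - IMAGE_BASE;
}

int main(void)
{
    uint32_t v1 = static_address_from(text_v1, sizeof text_v1);
    uint32_t v2 = static_address_from(text_v2, sizeof text_v2);
    printf("v1: match at +%ld, dword at 0x%08X, offset from base 0x%08X\n",
           find_pattern(text_v1, sizeof text_v1, pattern, mask), v1, to_rva(v1));
    printf("v2: match at +%ld, dword at 0x%08X, offset from base 0x%08X\n",
           find_pattern(text_v2, sizeof text_v2, pattern, mask), v2, to_rva(v2));
    return 0;
}
```

Against a real image you would run find_pattern over the .text section rather than a constructed array, and a 17-byte prologue like this one is likely to match more than once, so check that the scan returns exactly one hit before trusting the extracted address.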
