Some help needed with reversing menu

  1. #1
    L33ch (Member)

    Some help needed with reversing

    Right, this must be really stupid and everything, but I'm stuck.

    I've done some research in IDA Pro, I know how to make patterns.
    I've followed several tutorials on finding memory addresses.

    I know how to debug with OllyDbg, I can open a program, rewrite it so I can bypass security (crack it).

    I know some assembler and started working on the Intel® 64 and IA-32 Architectures Software Developer's Manuals.

    Also going to redo lena151's reversing tutorial in case I missed something...

    But the silly thing is...

    I can't map what I find to a memory address. More exactly, I can't compare what I find to the WoW offsets and WoW info dump thread I find here.

    I don't know if I'm on the right track or what, it's confusing the hell out of me.

    I did a small tutorial where you get the MiniMapZoneText from IDA (Tutorial - Find simple stuff).
    I got to the MiniMapZoneText, went to Data -> SubData (not completely sure what I'm doing there, started on IDA last Friday, read a book about it (Reverse Engineering With IDA Pro), also downloaded Reversing - Secrets Of Reverse Engineering (2005) as shynd mentioned that)...
    Anyway, back to the story, I found the GetMiniMapZoneText, followed the instructions, but the value turned out to not work.

    Using the WoW 4.0.1 bot base as I didn't update my old bot for a while (WoW 3.3.# I think).

    I use this for the MiniMapZoneText:
    String MiniMapZoneText = Memory.Read<string>(Memory.Read<uint>(0xD90684));

    So I thought I'd go and see if I can do it the other way around: I went and found that clientConnection = 0x8B2F78 (on the forums) and was hoping I could find it in IDA, but... no luck.

    Haven't tried offset finding (based on patterns) but that might work for me (as I know how to make patterns), but still... I feel as if I'm not progressing at all; any pointers on what to read/what to do would be awesome.

    Also, I've got no knowledge of C++ (full time programmer in C# though).

    This feels really awkward, as I get the feeling I'm not that far off >.<

    Regards, Setzo

  2. #2
    Flowerew (Master Sergeant)
    Did you consider that most addresses you find here are rebased to 0x1000? So you have to adjust these memory locations to your wow module base. That's the first thing that came to my mind after reading your post.

  3. #3
    caytchen (Contributor)
    If you can't even find the correct offsets, how are you going to create patterns?
    Stop blindly following tutorials, start understanding assembly. http://imgur.com/5e3oP.png is related.

  4. #4
    L33ch (Member)
    Thanks for the response Flowerew,

    Entrypoint = 0x401000, rebase that to 0x1000? Or is "rebase to 0x1000" equal to 0x401000? (As the image base starts at 0x400000.)

    I did consider this, but... as this is not completely my cup of tea, I'm not sure what I'm doing...

    In short, I did not try:
    String MiniMapZoneText = Memory.Read<string>(Memory.Read<uint>(Memory.BaseAddress + 0xD90684));
    and
    String MiniMapZoneText = Memory.Read<string>(Memory.Read<uint>(Memory.BaseAddress + 0xD90684 + 0x1000)); // 0x1000 for rebase?
    (I saw Memory.BaseAddress being used in some other methods, not sure if it's actually a good reference or what it actually references...)

    Will try this at home tonight.

  5. #5
    Flowerew (Master Sergeant)
    Originally Posted by L33ch View Post
    For some time now, WoW has used ASLR on Windows Vista/7, so most addresses you find here are relative and have been rebased as if their image base is at 0x0 and their code section starts at 0x1000. So for WoW processes running on systems without/disabled ASLR you would read game state (for example) like this: [0x99069A+0x400000]. Hope that helps.
    Last edited by Flowerew; 11-25-2010 at 12:25 PM.

  6. #6
    Millow (Member)
    Originally Posted by Flowerew View Post
    If I may ask, this whole rebasing thing confuses me and the info about it is scarce. What is the 0x400000? I know that ASLR is just so that data is not always at the same spot in memory. I thought rebasing was just adding the new base address to the offset to get the exact location in memory. I'm missing something about why some people post data that is rebased, others do not, different rebasing. Because when I use TOM_RUS's data that is not rebased, plug it in IDA, I find the function that I'm looking for...

    Anyhow, main question: why do we rebase, and why do we rebase with 0x1000, and where does the 0x400000 come from? It really slows down my progress, all this, and I've looked around to no avail. Figured I'd ask.
    "What can be asserted without proof can be dismissed without proof." --- Christopher Hitchens

  7. #7
    -Ryuk- (Elite User)
    Originally Posted by Millow View Post
    I may be wrong but, we rebase to 0x1000 because the base address of WoW is always minus 0x1000 to what the addresses really are.

    0x1000 is in the PE header.
    0x401000 is what IDA bases to.

    So if you find the offset "0xD90684" you need to - 0x400000 (this leaves the 0x1000 on the address) to get the real offset. (0x990684 I think :S)

    Now to read it try this:
    String MiniMapZoneText = Memory.Read<string>(Memory.Read<uint>(Memory.BaseAddress + 0x990684));

    I think that would work.

    Oh, and I didn't test this, I just used the addresses that you posted.
    |Leacher:11/2009|Donor:02/2010|Established Member:09/2010|Contributor:09/2010|Elite:08/2013|

  8. #8
    2briards (Member)
    I know how you feel L33ch.
    I also started my first baby steps in IDA today because I thought it would be easy to find the PerformanceCounter and GlobalCooldown offsets.
    No way, chapeau for you guys who manage to dig pointers up time over time. But I'm not giving up and will continue tomorrow :-)

  9. #9
    L33ch (Member)
    Originally Posted by -Ryuk- View Post
    Awesome, that worked!
    THANKS A LOT Ryuk

    Totally slapping myself in the face for not seeing this...

    I feel so stupid, but I'm so relieved right now

    + rep

    and many more thanks ;D

    BTW, it was 0x990690 :P but 0x990684 wasn't far off (and also worked, actually)


    2briards, maybe I can help you and we can walk the road to reversing ;-)

    any indication as to what you can and can't do? I might be able to help you now that i found a solution to this silly goof I missed.
    Last edited by L33ch; 11-25-2010 at 03:15 PM.

  10. #10
    -Ryuk- (Elite User)
    Originally Posted by L33ch View Post
    Here you go, you were reading the RealZone and not the MiniMapZone, but here's the offsets!

    MiniMapZoneText = 0x990684,//Updated 4.0.3a
    ZoneText = 0x990690,//Updated 4.0.3a
    SubZoneText = 0x99068C, //Updated 4.0.3a


    Glad I could help

  11. #11
    MaiN (Elite User)
    You rebase to 0x1000 because the first segment has the virtual address 0x1000. That means it starts at 0x1000 into the image (it does this to start on a new page - the page size is (usually) 0x1000). When you rebase to 0x1000 you will have the very first segment (the code segment) starting at 0x1000 in IDA. Because its virtual address is 0x1000 in the image, you get the segments in IDA aligned as if the module base address is 0.
    [16:15:41] Cypher: caus the CPU is a dick
    [16:16:07] kynox: CPU is mad
    [16:16:15] Cypher: CPU is all like
    [16:16:16] Cypher: whatever, i do what i want

  12. #12
    Millow (Member)
    All right, thanks MaiN and Ryuk for the insight, I finally get it I think. Let's see.

    To sum things up, when I disassemble the file in IDA, it will by itself add (rebase) 0x401000 to all the addresses it finds. (Any way to change this?) So then, for every address I find, I subtract 0x400000; this gives me the "real" offset which I can then add to the Base Address to read the memory, right?

    Is there a way to just tell IDA to rebase to 0x1000 instead of 0x401000? Would save some trouble. Also, when TOM_RUS says they are not rebased, in fact, I could use his offsets and add 0x1000 to all of them to get the real ones because they are 0x0 based, or does "not rebased" mean he did not subtract 0x400000 from them?

    If any of you answer these questions, I will finally understand rebasing almost perfectly!
    You guys are awesome
    Cheers

    Edit: Never mind one of my questions, Edit -> Segment -> Rebase Program
    Last edited by Millow; 11-25-2010 at 07:09 PM.

  13. #13
    JuJuBoSc
    Originally Posted by Millow View Post
    Also, when TOM_RUS says they are not rebased, in fact, I could use his offsets and add 0x1000 to all of them to get the real ones because they are 0x0 based
    No, if he says not rebased, it's *usually* with the default IDA settings, so just subtract 0x400000.

  14. #14
    _Mike (Contributor)
    The reason IDA loads the image at 0x400000 is because there's a field in the PE header of the image that says it should be loaded at that address by Windows. However, when running on an OS that supports ASLR, that base address is overridden by a randomized one.
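    The following is an added example for this thread, not code posted by any participant. It ties together what Flowerew, -Ryuk-, MaiN and _Mike describe: the 0x400000 is the ImageBase field of the PE optional header, the 0x1000 is the VirtualAddress of the first (.text) section, and an address out of a default IDA database is ImageBase plus a module-relative offset (RVA). The script builds a minimal PE32 header in memory (constructed data, not bytes from the real client) with those two values, parses them back the way a loader or IDA would, and converts the thread's 0xD90684 example. The ASLR module base 0x1230000 used at the end is a hypothetical value standing in for whatever Memory.BaseAddress reads at runtime.

```python
"""Map addresses between an IDA database view and a live process under ASLR.

Added example; the PE bytes are constructed here so it runs offline. The
ImageBase (0x400000) and first-section RVA (0x1000) are the values the thread
discusses, the ASLR base used in __main__ is hypothetical.
"""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # the ASLR opt-in flag


def build_pe_header(image_base=0x400000, text_rva=0x1000, text_size=0x900000):
    """Return the headers of a constructed PE32 image with one .text section."""
    e_lfanew = 0x40
    # DOS header: "MZ" magic, padding, then e_lfanew at offset 0x3C.
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, 1 section, SizeOfOptionalHeader=0xE0, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, 16, text_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 20, text_rva)             # BaseOfCode
    struct.pack_into("<I", opt, 28, image_base)           # ImageBase (what IDA loads at)
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment (page size)
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    # One section header: .text starts at RVA text_rva, the first page after the headers.
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size,
                       0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + sect


def parse_pe(data):
    """Return (image_base, first_section_rva, aslr_opt_in) from PE32 headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here; PE32+ keeps ImageBase as a QWORD at +24")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    first_section = opt + opt_size
    first_rva = struct.unpack_from("<I", data, first_section + 12)[0]
    return image_base, first_rva, bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def to_rva(address, image_base, rebased_idb=False):
    """Turn a posted address into a module-relative offset (RVA).

    Default IDA ("not rebased") shows ImageBase + RVA, so subtract the header's
    ImageBase. A database rebased so .text starts at 0x1000 already shows RVAs.
    """
    return address if rebased_idb else address - image_base


def to_runtime(rva, module_base):
    """Add the base the loader actually chose; under ASLR this changes per run."""
    return module_base + rva


def to_ida(runtime_address, module_base, image_base):
    """Reverse direction: a runtime address back to the default IDA view."""
    return runtime_address - module_base + image_base


if __name__ == "__main__":
    image_base, text_rva, aslr = parse_pe(build_pe_header())
    print(f"ImageBase=0x{image_base:X} .text RVA=0x{text_rva:X} ASLR opt-in={aslr}")
    rva = to_rva(0xD90684, image_base)
    print(f"IDA 0xD90684 -> RVA 0x{rva:X}")
    print(f"no ASLR:  0x{to_runtime(rva, image_base):X}")   # lands back on 0xD90684
    print(f"ASLR run: 0x{to_runtime(rva, 0x1230000):X}")    # hypothetical module base
```

    Two practical notes. Memory.BaseAddress in the C# snippets above must be the load address of the main module (what the loader picked), not the entry point 0x401000 that Setzo mentions; feeding the entry point in would be off by the 0x1000 section offset. And Millow's Edit -> Segment -> Rebase Program does the same subtraction inside IDA: from IDAPython it is ida_segment.rebase_program(-0x400000, ida_segment.MSF_FIXONCE), after which the database shows RVAs directly and only the module base needs adding at runtime.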

  15. #15
    jjaa (Contributor)

All times are GMT -5. The time now is 10:05 PM. Powered by vBulletin® Version 4.2.3
Copyright © 2024 vBulletin Solutions, Inc. All rights reserved. User Alert System provided by Advanced User Tagging (Pro) - vBulletin Mods & Addons Copyright © 2024 DragonByte Technologies Ltd.
Digital Point modules: Sphinx-based search