[Windows] Debugging - Getting Started

[Tanaris4]

So I'm used to using GDB on OS X to tinker w/wow, and I'm just starting to do the same on windows.

I actually installed GDB and am able to hook the process just fine. Now what I realized is that I can't just break on a function address, since the binary's start address is always different.

Just curious how I should go about hooking functions etc...

Thanks!

[Verletzer]

Your enemy has a name, "Address Space Layout Randomization"

Luckily your enemy has a weakness. ASLR is enabled by a single byte (well the field is two bytes) in the PE header. Specifically, IMAGE_NT_HEADERS -> IMAGE_OPTIONAL_HEADER -> DllCharacteristics. The flag is named, "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE" and has a value of 0x40.

To disable ASLR, you can parse the PE header to get the location of this field; although I think it will almost always be in the same place. Fire up a hex editor and go to file offset 0x17E - you should see 0x40 0x81 - change the first byte from 0x40 to 0x00. ASLR has now been disabled and WoW should always load at the default address of 0x400000. If you use the launcher instead of running WoW.exe directly, it might hash WoW and complain about the change; I never use the launcher so I cannot confirm if it will complain or even notice. I have run with ASLR disabled for quite some time and have never drawn any attention from Blizzard (as far as I know). Have fun!

[Jadd]

Your enemy has a name, "Address Space Layout Randomization"

Luckily your enemy has a weakness. ASLR is enabled by a single byte (well the field is two bytes) in the PE header. Specifically, IMAGE_NT_HEADERS -> IMAGE_OPTIONAL_HEADER -> DllCharacteristics. The flag is named, "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE" and has a value of 0x40.

To disable ASLR, you can parse the PE header to get the location of this field; although I think it will almost always be in the same place. Fire up a hex editor and go to file offset 0x17E - you should see 0x40 0x81 - change the first byte from 0x40 to 0x00. ASLR has now been disabled and WoW should always load at the default address of 0x400000. If you use the launcher instead of running WoW.exe directly, it might hash WoW and complain about the change; I never use the launcher so I cannot confirm if it will complain or even notice. I have run with ASLR disabled for quite some time and have never drawn any attention from Blizzard (as far as I know). Have fun!

Totally unnecessary, just add the offset to the base module address.

Process.MainModule.BaseAddress

[sitnspinlock]

Totally unnecessary, just add the offset to the base module address.

Process.MainModule.BaseAddress

I think you might be missing the point slightly , haven't used gdb but if he is trying to break on a location with an imagebase of 00400000, he is either going to have to rebase the entire program or disable aslr. most go with the latter. rebasing with ida on my craptop takes almost 15 minutes.