Some stupid questions

  1. #1
    tcpa252 (Private)

    Some stupid questions

    Hello everyone, I'm sorry in advance if this is not the right place to ask for such help, but I'm a newbie without any previous disassembler experience, seeking any knowledge on how to extract opcodes from the World of Warcraft game client.
    As far as I have read, to achieve what I want there are some things needed:
    1. IDA disassembler (got v6.1)
    2. IDA db for the particular WoW client version (got one by TOM_RUS for client 14480)
    3. Offsets at which handler functions are located in the game client executable (Paste2: Next Generation Pastebin - Viewing Paste 1572547 by TOM_RUS for client ver 14480.)

    Now, the stupid question part.
    1. What does "offsets are not rebased" mean? That is, I did a full decompile of the game executable in IDA and then searched for any of those handler functions using the TOM_RUS offsets. IDA finds everything correctly, so why should people be warned that offsets are not rebased?
    2. What's the process of sniffing SMSG opcodes? For example, I want to sniff the opcode for SMSG_AUTH_CHALLENGE. In the TOM_RUS offset list I see 3 occurrences of *_SMSG_AUTH_CHALLENGE functions; because SMSG is server->client, I should probably look into "6B47C0 PacketRead_SMSG_AUTH_CHALLENGE"? From the full decompile I get this function:
    Code:
    char __thiscall PacketRead_SMSG_AUTH_CHALLENGE(void *this, int a2)
    {
      void *v2; // esi@1
    
      v2 = this;
      CDataStore::GetInt32((char *)this + 16);
      CDataStore::GetInt32((char *)v2 + 24);
      CDataStore::GetInt32((char *)v2 + 44);
      CDataStore::GetInt32((char *)v2 + 28);
      CDataStore::GetInt32((char *)v2 + 52);
      CDataStore::GetInt8(a2, (int)((char *)v2 + 48));
      CDataStore::GetInt32((char *)v2 + 32);
      CDataStore::GetInt32((char *)v2 + 20);
      CDataStore::GetInt32((char *)v2 + 36);
      CDataStore::GetInt32((char *)v2 + 40);
      return 1;
    }
    Now the question is, how can I find what opcode this function expects?
    I will be extremely grateful to whoever teaches me how to do this black magic.

  2. #2
    Jens (Contributor)
    #1. World of Warcraft uses ASLR, so in IDA you end up with all the addresses + 0x00400000 IIRC; if you want to use the addresses you find in IDA, you will have to subtract that and then add the address of the main module of the wow.exe process.

  3. #3
    tcpa252 (Private)
    Okay, thank you for pointing it out; one question is partially answered. By the way, how do you get the address of the main module of the wow.exe process? And why should we do this (what does it give us):
    offset - 0x00400000 + base address of the main module of wow.exe?

    Edit:
    To get the base address, something like this could be used?
    Code:
    IntPtr wowBase = wow.MainModule.BaseAddress;
    Last edited by tcpa252; 08-10-2011 at 02:04 PM.

  4. #4
    namreeb (Legendary)
    Cast the result of GetModuleHandle("WoW.exe") to a numeric value of your choice (assuming you're in process).

  5. #5
    tcpa252 (Private)
    Ok, so it looks like the base address is: 0x400000
    So, now as I understand it, the non-rebased offset transformation looks like:
    offset - 0x00400000 + 0x400000 --- what does it give us?? Sorry if I sound stupid.

    Edit: this transformation does not make any sense; we get the starting value in the end. Any ideas??
    Last edited by tcpa252; 08-10-2011 at 03:07 PM.

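The rebasing rule Jens gives in #2, and the "we get the starting value back" case tcpa252 runs into in #5, worked through in C as an added example (this code is not from the thread or from any of the posters; the PE header bytes are constructed for the example, and the helper names `pe32_image_base`, `rebase`, `build_sample_pe` and `runtime_address_of_handler` are this example's own). IDA analyses Wow.exe at the preferred ImageBase stored in the PE optional header, which Jens recalls as 0x00400000 and which the sample header below carries. When the loader maps the module at exactly that address, subtracting 0x400000 and adding it back is a no-op, which is why the arithmetic in #5 looked pointless; it only changes anything when the module lands somewhere else, as it can under ASLR. The relocated base 0x00D10000 used here is an assumed value, not one taken from a real process:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Little-endian 32-bit read with a bounds check; returns 0 if out of range. */
static int rd32(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < 4) return 0;
    *out = (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8) |
           ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
    return 1;
}

/* Preferred ImageBase from a PE32 header: the address IDA analyses the file
 * at unless the IDB is rebased.  Returns 0 if this is not a well-formed
 * PE32 image. */
uint32_t pe32_image_base(const uint8_t *img, size_t len)
{
    uint32_t e_lfanew, sig, base;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    if (!rd32(img, len, 0x3C, &e_lfanew)) return 0;                      /* IMAGE_DOS_HEADER.e_lfanew */
    if (!rd32(img, len, e_lfanew, &sig) || sig != 0x00004550u) return 0; /* "PE\0\0" */
    size_t opt = (size_t)e_lfanew + 4 + 20;                              /* skip signature + COFF file header */
    if (opt > len || len - opt < 2) return 0;
    uint16_t magic = (uint16_t)(img[opt] | (img[opt + 1] << 8));
    if (magic != 0x10B) return 0;   /* PE32 only; PE32+ (0x20B) keeps a 64-bit ImageBase at +24 */
    if (!rd32(img, len, opt + 28, &base)) return 0;                      /* IMAGE_OPTIONAL_HEADER32.ImageBase */
    return base;
}

/* The transformation from post #2: strip IDA's base, add the live module base. */
uintptr_t rebase(uintptr_t ida_addr, uintptr_t ida_base, uintptr_t module_base)
{
    return ida_addr - ida_base + module_base;
}

/* Base of the main module of the running process; only meaningful when this
 * code is inside the target on Windows (post #4).  Elsewhere returns 0. */
uintptr_t current_module_base(void)
{
#ifdef _WIN32
    return (uintptr_t)GetModuleHandleA(NULL);   /* NULL selects the .exe that created the process */
#else
    return 0;
#endif
}

/* Constructed stand-in for the first bytes of a PE32 executable: MZ stub,
 * e_lfanew = 0x40, "PE\0\0", a 20-byte COFF header and the start of the
 * optional header with Magic = 0x10B and ImageBase = 0x00400000.  Only the
 * fields read above are filled in; everything else stays zero. */
size_t build_sample_pe(uint8_t *buf, size_t len)
{
    const size_t need = 0x58 + 32;
    if (len < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                       /* e_lfanew */
    buf[0x40] = 'P'; buf[0x41] = 'E';       /* PE signature, trailing two bytes already zero */
    buf[0x44] = 0x4C; buf[0x45] = 0x01;     /* Machine = IMAGE_FILE_MACHINE_I386 */
    buf[0x58] = 0x0B; buf[0x59] = 0x01;     /* OptionalHeader.Magic = PE32 */
    buf[0x58 + 28 + 2] = 0x40;              /* ImageBase = 0x00400000, little-endian */
    return need;
}

uint32_t sample_image_base(void)
{
    uint8_t hdr[0x80];
    size_t n = build_sample_pe(hdr, sizeof hdr);
    return pe32_image_base(hdr, n);
}

/* Worked case from post #1: PacketRead_SMSG_AUTH_CHALLENGE sits at 0x6B47C0
 * in the 14480 IDB.  Where it sits at runtime depends on where the loader
 * put the module. */
uintptr_t runtime_address_of_handler(uintptr_t module_base)
{
    return rebase(0x6B47C0u, sample_image_base(), module_base);
}

int main(void)
{
    uintptr_t preferred = 0x00400000u;   /* module landed on its ImageBase: the no-op seen in #5 */
    uintptr_t moved     = 0x00D10000u;   /* assumed relocated base, e.g. under ASLR */
    printf("IDA 0x6B47C0 -> 0x%lX at base 0x%lX, 0x%lX at base 0x%lX\n",
           (unsigned long)runtime_address_of_handler(preferred), (unsigned long)preferred,
           (unsigned long)runtime_address_of_handler(moved), (unsigned long)moved);
    return 0;
}
```

Out of process, the C# `wow.MainModule.BaseAddress` route from #3 gives the same `module_base` input; in process, `GetModuleHandle` as in #4 does. The `rebase` arithmetic is identical either way, and the IDA-side base should be read from the binary (or from IDA itself) rather than assumed, since a rebased IDB or a PE32+ build would change it.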
  6. #6
    Cypher (Kynox's Sister's Pimp)
