So, I am doing my best here to stay within the rules and may be cutting it close to one or two. But I will do my best to stay within the lines allowed. To start I would like to state what I do not want. I do not want you to spoon feed me, I enjoy learning and that is why I became a member of this forum.
Knowledge Base:
C++ - Mid Level
Little bit of Security
5 years playing WoW
Googlefu
So on to what this post is really about. I had come to this forum wanting to learn and learn I have, but I want to learn more and can use some help. Being 19 and 95% self-taught on anything computer/programming related has left room for not understanding, and that is why I am coming to you today. I had successfully made a little fish bot for my character and with much delight wanted to move on, but I felt I lacked too much understanding of exactly what was going on, so I looked towards the books and found Reverse Engineering: Secrets of the Reverse Engineer (may have misquoted the title). Needless to say I was delighted with the book my first time through it and decided to attempt it with WoW, but came to see I did not understand things as much as I wanted. I will be re-reading the book but I feel that someone here with more experience can help me.
Following a tutorial on Finding Easy Things (specifically noting GetMinimapZoneText) I opened WoW in IDA and in Olly (I have more experience with Olly than I do with IDA, although neither is perfected) and began to look for GetMinimapZoneText in IDA. After I had found the GetMinimapZoneText address the tutorial had shown, I decided that it really didn't explain how we knew THAT was the address, so I wanted to break down the function and see if I could tell why it was.
Code:
.text:008C5F20 push ebp ; Pushes ebp onto stack to save pre-existing value and use ebp
.text:008C5F21 mov ebp, esp ; Moves the current stack pointer into ebp
.text:008C5F23 mov eax, dword_ED5C64 ; Moves the value of dword_ED5C64 into eax, ED5C64 is the address we want
.text:008C5F28 test eax, eax ; compares the two and sets the ZF flag 1 if value in EAX, 0 if nothing??
.text:008C5F2A jnz short loc_8C5F31 ; jnz JUMP NOT ZERO with check the ZF flag and jump if it is not zero
.text:008C5F2C mov eax, offset byte_B87CC3 ; so if the jump was not made, we move this value into EAX - looks to be a char variable
.text:008C5F31
.text:008C5F31 loc_8C5F31: ; CODE XREF: sub_8C5F20+Aj
.text:008C5F31 push eax ; Pushes EAX onto the stack, this looks like a variable
.text:008C5F32 mov eax, [ebp+arg_0] ; moves address of ebp+arg_0 (DWORD arg_0 = 8)
.text:008C5F35 push eax ; pushes this on to the stack as the first variable
.text:008C5F36 call sub_42C1A0 ; calls the function located at 42C1A0
.text:008C5F3B add esp, 8 ;adds 8 to esp (stack pointer)
.text:008C5F3E mov eax, 1 ; moves 1 into eax
.text:008C5F43 pop ebp ; Pops the original store value of EBP off the stack at this time
.text:008C5F44 retn ; function returns
So above is the code copied from IDA with my comments after it for how I understand what's going on. Please correct me if I am wrong on any of it.
So after going through each line and then looking over the function again, I feel that I am still unsure of how we know that ED5C64 is our value. According to IDA it's void* DWORD, so I think it's a pointer to our MinimapZoneText, but if this is true: How can it ever be 0 on the ZF flag after TEST?
Next thing that stands out is exactly past the jump, we see
Code:
mov eax, offset byte_B87CC3
This is run if the jump is not taken, so if somehow ZF = 0 after the test is run we move the value of B87CC3 into eax (the current register holding our minimap data). Looking into B87CC3 we see it's a char
Code:
.rdata:00B87CC3 ; char byte_B87CC3
.rdata:00B87CC3 byte_B87CC3
So to me it seems like this would be the minimap zone text, am I wrong?
All Questions posted in one neat little section:
Code:
Questions:
1. test eax, eax sets ZF to 1 if there is a value in eax, and 0 if there is nothing, correct?
2. ED5C64 appears to be a pointer to our minimap zone text. Is this true? If so, how can text ever be 0? (other than not logged in)
3. offset byte_B87CC3 looks like it would store our minimap zone text. I assume this because it's moved into our eax value if ZF is 0. Is this true?
4. At the end of the function, it shows us adding 8 to the stack pointer, why is this? I believe it has to do with undoing our pushes?
5. Why does it move 1 into EAX? Wouldn't the function want to return the value of EAX?
I would just like to note, I really am trying, and if I have directly broken any rules please let me know so I can try harder not to next time. I like to think I have a decent understanding, and have researched this.
resources:
API GetMinimapZoneText - WoWWiki - Your guide to the World of Warcraft
http://www.ownedcore.com/forums/worl...ple-stuff.html
x86 Assembly question - x86 Assembly - Forums at ProgrammersHeaven.com
Assembly test eax,eax?
http://www.ownedcore.com/forums/worl...mp-thread.html
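An added C reconstruction of sub_8C5F20, not taken from the original post or from the game's code: it shows what the listing does under three assumptions, namely that dword_ED5C64 holds a pointer to the zone-name string (or 0), that byte_B87CC3 is an empty fallback string in .rdata, and that sub_42C1A0 is a cdecl routine taking two 4-byte arguments (a push-string style call). The comments map each C line to the instruction it stands for, and zf_after_test() mirrors what TEST does to ZF.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for dword_ED5C64 (assumption: a pointer to the
 * current zone-name string, or NULL when no zone is set). */
static const char *g_minimap_zone_text = NULL;

/* Constructed stand-in for byte_B87CC3 (assumption: a read-only empty
 * string in .rdata used as the fallback when the global pointer is NULL). */
static const char k_empty_string[] = "";

/* Constructed stand-in for sub_42C1A0 (assumption: a cdecl function that
 * takes (state, string), which is why the caller does `add esp, 8` after
 * the call: two pushed 4-byte arguments are popped by the caller). */
struct fake_state { const char *pushed; };

static void push_string(struct fake_state *L, const char *s)
{
    L->pushed = s;
}

/* C equivalent of the function at 008C5F20. */
int get_minimap_zone_text(struct fake_state *L)
{
    const char *text = g_minimap_zone_text;  /* mov eax, dword_ED5C64 */
    if (text == NULL)                        /* test eax, eax ; jnz: ZF=1 only when eax==0 */
        text = k_empty_string;               /* mov eax, offset byte_B87CC3 */
    push_string(L, text);                    /* push eax ; push [ebp+arg_0] ; call ; add esp, 8 */
    return 1;                                /* mov eax, 1 ; retn (eax is the return value) */
}

/* Mirrors `test eax, eax`: returns the ZF that TEST leaves behind,
 * which is 1 exactly when the ANDed value is zero. */
int zf_after_test(unsigned int eax)
{
    return (eax & eax) == 0;
}

/* Lets callers set the constructed global, as the game would on zone change. */
void set_zone_text(const char *s)
{
    g_minimap_zone_text = s;
}
```

With the pointer NULL the function pushes the empty string rather than a null pointer, which is why the TEST/JNZ pair exists; in both cases it returns 1, not the text.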