[ASM][General][WoW] GetMinimapZoneText and Understanding ASM menu

  1. #1
    J0llyGr33n (Corporal)

    [ASM][General][WoW] GetMinimapZoneText and Understanding ASM

    So, I am doing my best here to stay within the rules and may be cutting it close to one or two. But I will do my best to stay within the lines allowed. To start I would like to state what I do not want. I do not want you to spoon feed me; I enjoy learning and that is why I became a member of this forum.

    Knowledge Base:
    C++ - Mid Level
    Little bit of Security
    5 years playing WoW
    Googlefu

    So on to what this post is really about. I had come to this forum wanting to learn, and learn I have, but I want to learn more and can use some help. Being 19 and 95% self-taught on anything computer/programming related has left room for not understanding, and that is why I am coming to you today. I had successfully made a little fish bot for my character and with much delight wanted to move on, but I felt I lacked too much understanding of exactly what was going on, so I looked towards the books and found Reverse Engineering: Secrets of the Reverse Engineer (may have misquoted the title). Needless to say I was delighted with the book my first time through it and decided to attempt it with WoW, but came to see I did not understand things as much as I wanted. I will be re-reading the book, but I feel that someone here with more experience can help me.

    Following a tutorial on Finding Easy things (specifically the notes on GetMinimapZoneText) I opened WoW in IDA and in Olly (I have more experience with Olly than I do with IDA, although neither is perfected) and began to look for GetMinimapZoneText in IDA. After I had found the GetMinimapZoneText address the tutorial had shown, I decided that it really didn't explain how we knew THAT was the address, so I wanted to break down the function and see if I could tell why it was.

    Code:
    .text:008C5F20                 push    ebp ; Pushes ebp onto stack to save pre-existing value and use ebp
    .text:008C5F21                 mov     ebp, esp ; Moves the current stack pointer into ebp
    .text:008C5F23                 mov     eax, dword_ED5C64 ; Moves the value of dword_ED5C64 into eax, ED5C64 is the address we want
    .text:008C5F28                 test    eax, eax ; compares the two and sets the ZF flag 1 if value in EAX, 0 if nothing??
    .text:008C5F2A                 jnz     short loc_8C5F31 ; jnz JUMP NOT ZERO with check the ZF flag and jump if it is not zero
    .text:008C5F2C                 mov     eax, offset byte_B87CC3 ; so if the jump was not made, we move this value into EAX - looks to be a char variable
    .text:008C5F31
    .text:008C5F31 loc_8C5F31:                             ; CODE XREF: sub_8C5F20+Aj
    .text:008C5F31                 push    eax ; Pushes EAX onto the stack, this looks like a variable
    .text:008C5F32                 mov     eax, [ebp+arg_0] ; moves address of ebp+arg_0 (DWORD arg_0 = 8)
    .text:008C5F35                 push    eax; pushes this on to the stack as the first variable
    .text:008C5F36                 call    sub_42C1A0 ; calls the function located at 42C1A0
    .text:008C5F3B                 add     esp, 8 ;adds 8 to esp (stack pointer)
    .text:008C5F3E                 mov     eax, 1 ; moves 1 into eax
    .text:008C5F43                 pop     ebp ; Pops the original store value of EBP off the stack at this time
    .text:008C5F44                 retn ; function returns
    So above is the code copied from IDA with my comments after it for how I understand what's going on. Please correct me if I am wrong on any of it.
    So after going through each line and then looking over the function again, I feel that I am still unsure of how we know that ED5C64 is our value. According to IDA it's void* DWORD, so I think it's a pointer to our MinimapZoneText, but if this is true: how can it ever be 0 on the ZF flag after TEST?

    Next thing that stands out is exactly past the jump, we see
    Code:
    mov     eax, offset byte_B87CC3
    This is run if the jump is not taken, so if somehow ZF = 0 after the test is run we move the value of B87CC3 into eax (the current register holding our minimap data). Looking into B87CC3 we see it's a char
    Code:
    .rdata:00B87CC3 ; char byte_B87CC3
    .rdata:00B87CC3 byte_B87CC3
    so to me it seems like this would be the minimap zone text, am I wrong?

    All Questions posted in one neat little section:
    Code:
    Questions:
    1. test eax, eax sets ZF to 1 if there is a value in eax, and 0 if there is nothing, correct?
    2. ED5C64 appears to be a pointer to our minimap zone text. Is this true? If so, how can text ever be 0? (other than not logged in)
    3. offset byte_B87CC3 looks like it would store our minimap zone text; I assume this because it's moved into our eax value if ZF is 0. Is this true?
    4. At the end of the function, it shows us adding 8 to the stack pointer, why is this? I believe it has to do with undoing our pushes?
    5. Why does it move 1 into EAX? Wouldn't the function want to return the value of EAX?
    I would just like to note, I really am trying, and if I have directly broken any rules please let me know so I can try harder not to next time. I like to think I have a decent understanding, and have researched this.

    resources:
    API GetMinimapZoneText - WoWWiki - Your guide to the World of Warcraft
    http://www.ownedcore.com/forums/worl...ple-stuff.html
    x86 Assembly question - x86 Assembly - Forums at ProgrammersHeaven.com
    Assembly test eax,eax?
    http://www.ownedcore.com/forums/worl...mp-thread.html

  2. #2
    _Mike (Contributor)
    Originally Posted by J0llyGr33n
    All Questions posted in one neat little section:
    Code:
    Questions:
    1. test eax, eax sets ZF to 1 if there is a value in eax, and 0 if there is nothing, correct?
    2. ED5C64 appears to be a pointer to our minimap zone text. Is this true? If so, how can text ever be 0? (other than not logged in)
    3. offset byte_B87CC3 looks like it would store our minimap zone text; I assume this because it's moved into our eax value if ZF is 0. Is this true?
    4. At the end of the function, it shows us adding 8 to the stack pointer, why is this? I believe it has to do with undoing our pushes?
    5. Why does it move 1 into EAX? Wouldn't the function want to return the value of EAX?
    1) No, it's the other way around. If eax is 0 then ZF gets set to 1. ZF = Zero Flag
    2) It's a pointer to a pointer to the zone text. As for why/when it's zero, I don't know. I haven't seen it happen yet (although my testing is very limited). Maybe someone else can answer that.
    3) I'm not sure what that offset contains. But you should copy the logic of the function (read ED5C64 and if zero read B87CC3) to be fully compatible.
    4) Correct. The 2 pushes place 8 bytes on the stack, so adding 8 (the stack grows downwards) to esp moves the stack pointer back to where it was before the pushes. And since the values aren't needed anymore it's more efficient to just move the stack pointer past them instead of popping them off. As for when it's needed, it depends on the calling convention used. In some cases the caller cleans up the stack and in others the callee does. x86 calling conventions - Wikipedia, the free encyclopedia
    5) The string is returned on the top of the lua stack. sub_42C1A0 is lua_pushstring (Get TOM_RUS' IDA database from the info thread). All lua callback functions are of the type "int function_name(lua_state*);" and the return value is the number of items placed on the lua stack.

    I hope this made some sense, as I'm generally not very good at explaining things. And don't worry about asking questions, that's how you learn. The thing which we generally frown upon is when people just expect handouts without trying to learn for themselves first. You do not fit into that category.
    Last edited by _Mike; 02-12-2012 at 11:36 AM.
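The reply above describes the function as a Lua C callback: read the pointer at ED5C64, fall back to B87CC3 if it is zero, push the string with lua_pushstring and return 1 (the number of values pushed). The C reconstruction below is an added example, not code from the thread or from the game; the global names, the minimal stand-in Lua stack and the fallback string contents are assumptions, since the real Lua API and the contents of B87CC3 are not on the page.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a Lua stack, NOT the real Lua API: just enough
   to show what "return 1" means for a callback of type int f(lua_State*). */
#define FAKE_STACK_MAX 16
typedef struct {
    const char *slots[FAKE_STACK_MAX];
    int top;                      /* number of values currently on the stack */
} fake_lua_state;

/* Plays the role of sub_42C1A0 / lua_pushstring in the listing. */
static void fake_lua_pushstring(fake_lua_state *L, const char *s) {
    if (L->top < FAKE_STACK_MAX)
        L->slots[L->top++] = s;
}

/* dword_ED5C64: a pointer to the current zone text (hypothetical name).
   NULL models the "not logged in / no zone yet" case from question 2. */
static const char *g_minimap_zone_text = NULL;

/* byte_B87CC3: whatever string the game falls back to when the pointer is
   zero. Its real contents are unknown; an empty string is a constructed guess. */
static const char g_zone_text_fallback[] = "";

/* Reconstruction of sub_8C5F20, one C line per group of instructions. */
int GetMinimapZoneText(fake_lua_state *L) {
    const char *text = g_minimap_zone_text;   /* mov eax, dword_ED5C64        */
    if (text == NULL)                         /* test eax,eax ; jnz loc_8C5F31 */
        text = g_zone_text_fallback;          /* mov eax, offset byte_B87CC3  */
    fake_lua_pushstring(L, text);             /* push eax ; push [ebp+arg_0]  */
                                              /* call sub_42C1A0 ; add esp,8  */
    return 1;                                 /* mov eax,1 : one value pushed */
}

/* Emulates the game writing the zone pointer (e.g. on zone change). */
void SetMinimapZoneText(const char *s) { g_minimap_zone_text = s; }

/* Reads what the callback left on top of the stack for Lua to consume. */
const char *fake_lua_top_string(const fake_lua_state *L) {
    return L->top > 0 ? L->slots[L->top - 1] : NULL;
}
```

The sample zone name used in the test, "The Drag", is the one Olly showed in the post below; any string works.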

  3. #3
    J0llyGr33n (Corporal)
    Thank you for your response _Mike, I did not even think of the LUA stack here so that makes a bit more sense to me now. Also thank you for setting me straight on test, having that wrong could have put me way off in the future.

    I'm still rather curious about B87CC3 if anyone can clue some of us less informed people in. As far as I can tell they are the exact same thing and reading from either would work.

    Here is the function in Olly where I set up a breakpoint on the function call. I NOP'd the JNZ to make sure I got to B87CC3
    Code:
    01875F20  /. 55             PUSH EBP
    01875F21  |. 8BEC           MOV EBP,ESP
    01875F23  |. A1 645CE801    MOV EAX,DWORD PTR DS:[1E85C64]
    01875F28  |. 85C0           TEST EAX,EAX ; EAX=28CD4A18, (ASCII "The Drag")
    01875F2A     90             NOP
    01875F2B     90             NOP
    01875F2C  |. B8 C37CB301    MOV EAX,WoW.01B37CC3; EAX=28CD4A18, (ASCII "The Drag")
    01875F31  |> 50             PUSH EAX                                 ; /Arg2
    01875F32  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]             ; |
    01875F35  |. 50             PUSH EAX                                 ; |Arg1
    01875F36  |. E8 6562B6FF    CALL WoW.013DC1A0                        ; \Wow.013FC1A0
    01875F3B  |. 83C4 08        ADD ESP,8
    01875F3E  |. B8 01000000    MOV EAX,1
    01875F43  |. 5D             POP EBP
    01875F44  \. C3             RETN
