IDA: Log all Method Calls?
#1 berlinermauer:

    IDA: Log all Method Calls?

    Hey guys!

    I am in need of CGGameUI__Target. As it is not posted, I wanted to contribute it to the community.
    I know the address roughly by adding the offset (address difference of the other methods) to it.

    Now I wanted to search for it; I also know the calling convention a bit.

    My idea was: pressing Start in IDA or OllyDBG (as I heard the IDA debugger is a bit complicated with WoW (ASLR)),
    then targeting some target (__Target is called) and then pressing Stop.

    Filtering the list of calls (mostly D3DX) to find it. What would you say/do?


    Or: how would you do it when analyzing any other game without having some hint?

#2 Frosttall:

    I would use Cheat Engine if I were searching for that in another game.

    Target something -> search for unknown value -> target something else -> search for changed value -> search for unchanged value -> target something else -> changed value, and so on.

    If only a few values are left, I would keep track of their values and check whether they stay the same if I switch to the same target twice (and how long it takes for them to change).

    If you've succeeded, you could do a write hook and then analyze the functions which change this value, and you would be fine.


    Here is a small pattern to find CGGameUI__Target: '55 8b ec 81 ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 74 ?? 80'
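
    The narrowing loop described in #2, as an added example in C that is not code from the post: the "process memory" is a constructed 16-dword region snapshotted after each in-game action (target A, target B, stay on B, target C, back to A), and each scan keeps only the slots whose value changed or stayed unchanged as the step requires, ending with the check that re-targeting the same unit reproduces the earlier value. The snapshot values, the slot layout and the function names (scan_unknown_initial, scan_delta, find_target_slot) are made up for the example; a real scan would read the region with ReadProcessMemory instead of from the array.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A miniature of the Cheat Engine "unknown initial value -> changed ->
 * unchanged -> changed" loop. All data below is constructed for the example. */

#define REGION_DWORDS 16

typedef struct {
    uint8_t alive[REGION_DWORDS];   /* 1 = dword slot is still a candidate */
} candidates_t;

/* Snapshots of the region, one per action (constructed):
 *   snap[0]: target A      snap[1]: target B      snap[2]: still on B (idle)
 *   snap[3]: target C      snap[4]: target A again
 * Slot 3 is a frame counter, slot 5 changes with every action but does not
 * repeat, slot 12 changes once and then settles, slot 9 is the real target
 * slot (GUID-like values that repeat when the same unit is targeted). */
static const uint32_t snap[5][REGION_DWORDS] = {
    {0x1000, 0, 0, 100, 0, 1, 0, 0, 0, 0xF1300001, 0, 0, 7, 0, 0, 0},
    {0x1000, 0, 0, 200, 0, 2, 0, 0, 0, 0xF1300002, 0, 0, 8, 0, 0, 0},
    {0x1000, 0, 0, 300, 0, 2, 0, 0, 0, 0xF1300002, 0, 0, 8, 0, 0, 0},
    {0x1000, 0, 0, 400, 0, 3, 0, 0, 0, 0xF1300003, 0, 0, 8, 0, 0, 0},
    {0x1000, 0, 0, 500, 0, 9, 0, 0, 0, 0xF1300001, 0, 0, 8, 0, 0, 0},
};

/* "Unknown initial value": every slot starts out as a candidate. */
void scan_unknown_initial(candidates_t *c)
{
    memset(c->alive, 1, sizeof c->alive);
}

/* Keep the candidates whose value changed (want_changed = 1) or stayed the
 * same (want_changed = 0) between two snapshots; returns how many survive.
 * Comparing two non-adjacent snapshots with want_changed = 0 is the
 * "same target twice must give the same value" check from the post. */
size_t scan_delta(candidates_t *c, const uint32_t *prev, const uint32_t *cur, int want_changed)
{
    size_t left = 0;
    for (size_t i = 0; i < REGION_DWORDS; i++) {
        if (!c->alive[i])
            continue;
        int changed = prev[i] != cur[i];
        if (changed != want_changed)
            c->alive[i] = 0;
        else
            left++;
    }
    return left;
}

size_t count_alive(const candidates_t *c)
{
    size_t n = 0;
    for (size_t i = 0; i < REGION_DWORDS; i++)
        n += c->alive[i];
    return n;
}

/* Index of the first surviving slot, or -1 if none is left. */
int first_alive(const candidates_t *c)
{
    for (size_t i = 0; i < REGION_DWORDS; i++)
        if (c->alive[i])
            return (int)i;
    return -1;
}

/* The whole sequence from the post; returns the slot index only if exactly
 * one candidate remains, otherwise -1 (more actions would be needed). */
int find_target_slot(void)
{
    candidates_t c;
    scan_unknown_initial(&c);               /* target A: unknown initial value   */
    scan_delta(&c, snap[0], snap[1], 1);    /* target B: value must have changed */
    scan_delta(&c, snap[1], snap[2], 0);    /* still B:  value must be unchanged */
    scan_delta(&c, snap[2], snap[3], 1);    /* target C: changed again           */
    scan_delta(&c, snap[0], snap[4], 0);    /* back to A: same value as at start */
    return count_alive(&c) == 1 ? first_alive(&c) : -1;
}

int main(void)
{
    int slot = find_target_slot();
    if (slot < 0) {
        puts("no single candidate left; repeat with more targets");
        return 1;
    }
    printf("target slot: dword %d (byte offset 0x%02X), value with A targeted: %08X\n",
           slot, slot * 4, snap[4][slot]);
    return 0;
}
```

    Slot 5 survives every changed/unchanged filter and is only eliminated by the final "same target twice" comparison, which is why that check matters once only a handful of candidates are left.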

#3 berlinermauer:
    Thank you. When I get the ObjectManager running, I'll try to implement a basic pattern scanner.

#4 dan934:
    Why not just use the pattern in IDA?

    IDA View-A -> Search -> Sequence of Bytes

    Search for 55 8b ec 81 ? ? ? ? ? e8 ? ? ? ? 85 c0 74 ? 80 (assuming Frosttall's information is correct).

    As for ASLR being complicated, just subtract 0x400000 (the image base) from whatever address you're working with in IDA.

#5 berlinermauer:
    Is there a way to do this automatically? I heard of some kind of script files?
    Maybe something like "sub_test:FF FF FF", so that it names every sub beginning with FF FF FF like this?

    Or is this a problem, as it cannot search for the matching sub at that position, or maybe if the pattern is not at the sub start?

    And: how do you create those patterns? When do you use "?" and how do you make it unique, as 55 8b ec is common to every sub!
    Last edited by berlinermauer; 12-27-2012 at 08:09 AM.

#6 dan934:
    I think you're looking for something like this: IDC-Scripts

    The pattern is a mask of bytes from the first part of this function.

    Code:
    .text:009A4020 55                                      push    ebp
    .text:009A4021 8B EC                                   mov     ebp, esp
    .text:009A4023 81 EC EC 00 00 00                       sub     esp, 0ECh
    .text:009A4029 E8 02 A5 E6 FF                          call    ClntObjMgrGetCurrent
    .text:009A402E 85 C0                                   test    eax, eax
    .text:009A4030 74 21                                   jz      short loc_9A4053
    .text:009A4032 80 3D F8 9E 0C 01 00                    cmp     byte_10C9EF8, 0
    To make the pattern manually, you would ignore bytes likely to change when it's recompiled by marking them as '?'.

    An example of this would be something like this line:

    Code:
    .text:009A4029 E8 02 A5 E6 FF                          call    ClntObjMgrGetCurrent
    Here the first byte E8 is the call instruction, which *isn't* likely to change, and the last 4 bytes are an address that is most likely going to change when it's recompiled, so you would mask these 4 bytes.

    You're right about 55 8b ec being very common. This is because these instructions set up the stack frame for the function, and is why you would use the first ~20 bytes rather than the first ~3, as this keeps it unique.

    Alternatively, if you like being lazy, just go grab the SigMaker plugin for IDA (also somewhere on GameDeception) and it will do all of this for you automatically.

    hope this helps.
    Last edited by dan934; 12-27-2012 at 09:12 AM.
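
    The byte search from #4 and the masking and uniqueness rules from #6, as one added example in C that is not code from the thread or from IDA: it parses a "??"-style signature such as Frosttall's, scans a byte buffer for it, counts how many places match (a usable signature should match exactly once, which "55 8b ec" does not), and converts the IDA virtual address of the hit into an RVA by subtracting the 0x400000 image base, so it can be re-added to the module base found at runtime under ASLR. The buffer is constructed from the listing in #6 plus int3 padding and a second, unrelated prologue; SAMPLE_VA_BASE, the runtime module base used in main, and the function names are assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed .text sample: 4 bytes of int3 padding, the function prologue
 * exactly as in the listing above, a ret, then a second unrelated prologue so
 * that a too-short signature such as "55 8b ec" is ambiguous. */
static const uint8_t sample_text[] = {
    0xCC, 0xCC, 0xCC, 0xCC,                   /* offset 0x00: padding (constructed)      */
    0x55,                                     /* offset 0x04: push ebp   (VA 009A4020)   */
    0x8B, 0xEC,                               /* mov  ebp, esp                           */
    0x81, 0xEC, 0xEC, 0x00, 0x00, 0x00,       /* sub  esp, 0ECh   (modrm+imm32 masked)   */
    0xE8, 0x02, 0xA5, 0xE6, 0xFF,             /* call rel32       (rel32 masked)         */
    0x85, 0xC0,                               /* test eax, eax                           */
    0x74, 0x21,                               /* jz   short       (displacement masked)  */
    0x80, 0x3D, 0xF8, 0x9E, 0x0C, 0x01, 0x00, /* cmp  byte ptr [10C9EF8h], 0 (80 kept)   */
    0xC3,                                     /* ret (constructed end of the snippet)    */
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08,       /* offset 0x1E: another prologue (constructed) */
    0x5D, 0xC3,                               /* pop ebp / ret                           */
};

/* Assumed addresses: VA of sample_text[0] (so the function sits at 009A4020)
 * and the default 32-bit PE image base that IDA loads the file at. */
#define SAMPLE_VA_BASE 0x009A401Cu
#define IMAGE_BASE     0x00400000u

/* The signature posted in #2 (with "??" and "?" both accepted as wildcards). */
#define TARGET_SIG "55 8b ec 81 ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 74 ?? 80"

/* Parse a signature string into bytes[] and mask[] (mask 1 = must match,
 * 0 = wildcard). Returns the pattern length, or -1 on a bad token/overflow. */
int parse_pattern(const char *text, uint8_t *bytes, uint8_t *mask, size_t cap)
{
    size_t n = 0;
    const char *p = text;
    while (*p) {
        while (*p && isspace((unsigned char)*p))
            p++;
        if (!*p)
            break;
        if (n >= cap)
            return -1;
        if (*p == '?') {                         /* "?" or "??": any byte */
            while (*p == '?')
                p++;
            bytes[n] = 0;
            mask[n] = 0;
        } else if (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])) {
            char tok[3] = { p[0], p[1], 0 };
            bytes[n] = (uint8_t)strtoul(tok, NULL, 16);
            mask[n] = 1;
            p += 2;
        } else {
            return -1;                           /* e.g. "5", "g0" */
        }
        if (*p && !isspace((unsigned char)*p))
            return -1;                           /* e.g. "8bc": tokens are exactly 2 digits */
        n++;
    }
    return (int)n;
}

/* Offset of the first match at or after `start`, or -1 if there is none. */
long find_pattern(const uint8_t *hay, size_t hay_len,
                  const uint8_t *bytes, const uint8_t *mask, size_t n, size_t start)
{
    if (n == 0 || hay_len < n)
        return -1;
    for (size_t i = start; i + n <= hay_len; i++) {
        size_t j = 0;
        while (j < n && (!mask[j] || hay[i + j] == bytes[j]))
            j++;
        if (j == n)
            return (long)i;
    }
    return -1;
}

/* How many places the signature matches; a good signature gives exactly 1. */
size_t count_matches(const uint8_t *hay, size_t hay_len,
                     const uint8_t *bytes, const uint8_t *mask, size_t n)
{
    size_t count = 0;
    long off = find_pattern(hay, hay_len, bytes, mask, n, 0);
    while (off >= 0) {
        count++;
        off = find_pattern(hay, hay_len, bytes, mask, n, (size_t)off + 1);
    }
    return count;
}

/* The ASLR step from #4: IDA's VA minus the image base is the RVA, and the
 * RVA plus the module base observed in the running process is the live address. */
uint32_t va_to_rva(uint32_t va, uint32_t image_base)       { return va - image_base; }
uint32_t rva_to_runtime(uint32_t rva, uint32_t module_base) { return module_base + rva; }

/* RVA of the unique hit for TARGET_SIG in the sample, or 0 if absent/ambiguous. */
uint32_t locate_target_rva(void)
{
    uint8_t bytes[64], mask[64];
    int n = parse_pattern(TARGET_SIG, bytes, mask, sizeof bytes);
    if (n < 0 || count_matches(sample_text, sizeof sample_text, bytes, mask, (size_t)n) != 1)
        return 0;
    long off = find_pattern(sample_text, sizeof sample_text, bytes, mask, (size_t)n, 0);
    return va_to_rva(SAMPLE_VA_BASE + (uint32_t)off, IMAGE_BASE);
}

int main(void)
{
    uint32_t rva = locate_target_rva();
    if (rva == 0) {
        puts("signature missing or not unique");
        return 1;
    }
    /* 0x00D00000 is an assumed module base as reported by the running process. */
    printf("RVA %08X, live address with module base 00D00000: %08X\n",
           rva, rva_to_runtime(rva, 0x00D00000u));
    return 0;
}
```

    The same scan is what the pattern scanner mentioned in #3 does against the loaded module at runtime; note that an IDA "Sequence of Bytes" search over the whole binary is the equivalent of count_matches, and a signature that hits more than once there is not yet usable.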
