Am I doing this correctly... (IDA)
  1. #1
    MyNewName

    Ok, I figured out how to find my own offsets. So now I'm trying to learn to rebase them. Most of them are simple enough, but the ones with an "extra" digit are giving me hell.

    What I am working with is 10992B8. Now do I go back from 10 four times, being F, E, D, C, and it becomes C992B8? I have googled myself to death and cannot find anything telling you how to add to or subtract from these addresses.
    Last edited by MyNewName; 06-19-2013 at 02:16 PM.

  2. #2
    Frosttall
    Originally Posted by TwistedSelf:
    Ok, I figured out how to find my own offsets. So now I'm trying to learn to rebase them. Most of them are simple enough, but the ones with an "extra" digit are giving me hell.

    What I am working with is 10992B8. Now do I go back from 10 four times, being F, E, D, C, and it becomes C992B8? I have googled myself to death and cannot find anything telling you how to add to or subtract from these addresses.
    Open your calculator, switch to 'programmer' view-mode, set the decimal type to HEX on the left side and paste your current value.
    Now press minus '-' to subtract and enter 400000 (that's the base-address if you haven't rebased the program in IDA).

    Means: 0x10992B8 - 0x400000 = 0xC992B8
    Now add this value to the base address of Wow.exe and you have the position you've been looking for.

    More information about base addresses and ASLR here: Address Space Layout Randomization - Wikipedia
    Last edited by Frosttall; 06-19-2013 at 03:15 PM.

  3. #3
    Robske
    "Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live." - Martin Golding
    "I cried a little earlier when I had to poop" - Sku

  4. #4
    Jadd
    Use Windows calculator if you get stuck.

    For rebasing 0x00400000 all you need to remember is this:
    0x13 -> 0x0F
    0x12 -> 0x0E
    0x11 -> 0x0D
    0x10 -> 0x0C
    0x0F -> 0x0B
    0x0E -> 0x0A
    0x0D -> 0x09
    0x0C -> 0x08
    0x0B -> 0x07
    0x0A -> 0x06

    If you're constantly rebasing addresses at 0x00400000, eventually you will be able to do it in your head. It's really nothing you need to worry about.

  5. #5
    VesperCore
    Originally Posted by TwistedSelf:
    Ok, I figured out how to find my own offsets. So now I'm trying to learn to rebase them. Most of them are simple enough, but the ones with an "extra" digit are giving me hell.

    What I am working with is 10992B8. Now do I go back from 10 four times, being F, E, D, C, and it becomes C992B8? I have googled myself to death and cannot find anything telling you how to add to or subtract from these addresses.
    You can also directly work with rebased addresses:
    "Edit" => "Segments" => "Rebase Program..."
    Value: 0x0 instead of 0x400000

    No need to change the rest.

    If your PC doesn't support the rebase stuff, just follow the previously posted advice.

  6. #6
    MyNewName
    I thank you all for the help.

  7. #7
    MyNewName
    Ok, this is where I am. I am able to track down the signatures ("blah") to what I am looking for. Is there an easier way to make a mask and search for it in IDA Pro FREE? For example: on the old client I can come up with a sig; let's just say it is x55/x8B/xEC/x83/x7D/08/x00/x6A/x00/x74/x1E. How do I know the difference between the dynamic and static ones? I heard there is a plugin to create the mask for you, but I seem to be unable to find one that actually loads. Is there a library I can use, or something on Dyn vs Stat?

    Once again all help is much appreciated.

  8. #8
    Empted
    You'll need some basic opcode knowledge. Operand fields are variable, so if you look into the disassembly you will notice something like:
    PHP Code:
    68 A0453600      PUSH firefox.003645A0 
    You can see that 0x68 is the instruction code and 0xA0453600 is the operand value (it's also in little-endian). So you can make a sig for these bytes as 0x68 ?? ?? ?? ??.
    Probably there are lots of tools that can do that for you, but it's rather useful to be able to do it without them.

    In your case:
    PHP Code:
    55               PUSH EBP
    8BEC             MOV EBP,ESP
    837D 08 00       CMP DWORD PTR SS:[EBP+8],0
    6A 00            PUSH 0
    74 1E            JE SHORT Wow.Somewhere    (JUMP instructions usually use relative offsets)
    So the sig can be like 55 8B EC 83 7D 08 ?? 6A ?? 74 ??
    The first 3 bytes are very common for functions (those instructions set up the stack frame), so it's not very wise to include them in the signature.
    Last edited by Empted; 06-23-2013 at 04:24 AM.
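The two things the thread walks through, subtracting IDA's 0x400000 image base to get a rebasable offset (posts #2 and #4) and turning a byte listing into a wildcard signature (post #8), as one added example written for this page in Python; it is not code from the thread or from any poster. It parses a signature in either the "55 8B EC ... ??" spelling or the OP's "x55/x8B/..." spelling, scans a constructed stand-in buffer (not real Wow.exe bytes) for it, decodes the JE rel8 displacement to show why that byte is masked, and converts the hit between IDA's address, the RVA, and a hypothetical runtime base. The 0x400000 base and the 0x10992B8 / 0xC992B8 numbers come from the thread; IMAGE, FUNC_RVA and the runtime base 0x7FF00000 are assumptions made up for the example.

```python
import re

IDA_BASE = 0x400000  # image base IDA assumes unless you rebase the program (post #2)

# Bytes from post #8 with the operands that change between builds masked out:
# cmp imm8, push imm8 and the je rel8 displacement become "??".
SIGNATURE = "55 8B EC 83 7D 08 ?? 6A ?? 74 ??"


def parse_signature(sig):
    """Accept '55 8B ?? EC' or the OP's 'x55/x8B/x00' spelling.

    Returns (pattern, mask): mask byte 0xFF means the byte must match,
    0x00 means wildcard.
    """
    pattern, mask = bytearray(), bytearray()
    for tok in re.split(r"[\s/]+", sig.strip()):
        tok = tok.lower()
        tok = tok[2:] if tok.startswith("0x") else tok.lstrip("x")
        if tok == "??":
            pattern.append(0)
            mask.append(0x00)
        else:
            pattern.append(int(tok, 16))
            mask.append(0xFF)
    return bytes(pattern), bytes(mask)


def find_pattern(buf, sig):
    """Return every offset in buf where the masked signature matches."""
    pattern, mask = parse_signature(sig)
    n = len(pattern)
    return [
        i for i in range(len(buf) - n + 1)
        if all(mask[j] == 0 or buf[i + j] == pattern[j] for j in range(n))
    ]


def to_rva(ida_va, ida_base=IDA_BASE):
    """IDA address -> offset from the image base; this is what survives ASLR."""
    if ida_va < ida_base:
        raise ValueError(f"{ida_va:#x} is below the image base {ida_base:#x}")
    return ida_va - ida_base


def rebase(ida_va, runtime_base, ida_base=IDA_BASE):
    """IDA address -> address in a live process whose module loaded at runtime_base."""
    return runtime_base + to_rva(ida_va, ida_base)


def je_rel8_target(buf, off):
    """Decode the 'JE SHORT' (74 rel8) at buf[off] and return its target offset.

    The displacement is relative to the end of the 2-byte instruction, so the
    same function assembled somewhere else gets a different byte here; that is
    why post #8 wildcards it.
    """
    if buf[off] != 0x74:
        raise ValueError(f"no JE SHORT at {off:#x}")
    rel = buf[off + 1]
    if rel >= 0x80:  # rel8 is signed
        rel -= 0x100
    return off + 2 + rel


# Constructed stand-in for a .text section (assumption, not real Wow.exe bytes):
# a decoy prologue at RVA 0x10 and the real function at RVA 0x1234, whose
# push/je operands (6A 01 / 74 21) differ from the listing in post #8.
FUNC_RVA = 0x1234
_image = bytearray(0x2000)
_image[0x10:0x13] = bytes.fromhex("558BEC")
_image[FUNC_RVA:FUNC_RVA + 11] = bytes.fromhex("558BEC837D08006A017421")
IMAGE = bytes(_image)


def locate(runtime_base, buf=IMAGE, sig=SIGNATURE):
    """Scan buf for sig and report the hit as RVA, IDA address and runtime address.

    A signature that hits more than once cannot identify one function, so that
    case is an error rather than 'first match wins'.
    """
    hits = find_pattern(buf, sig)
    if len(hits) != 1:
        raise RuntimeError(f"signature matched {len(hits)} times, need exactly 1")
    rva = hits[0]
    return {
        "rva": rva,
        "ida_va": IDA_BASE + rva,
        "runtime_va": rebase(IDA_BASE + rva, runtime_base),
        "je_target_rva": je_rel8_target(buf, rva + 9),
    }


if __name__ == "__main__":
    # The thread's own numbers: 0x10992B8 in IDA is RVA 0xC992B8.
    print(f"RVA of 0x10992B8 = {to_rva(0x10992B8):#x}")
    # Hypothetical ASLR'd load address for the live process.
    for k, v in locate(runtime_base=0x7FF00000).items():
        print(f"{k:14} {v:#x}")
    # The bare prologue hits twice, which is why post #8 warns against it.
    print("prologue hits:", [hex(h) for h in find_pattern(IMAGE, "55 8B EC")])
```

The mask-aware scan is what a signature plugin does for you; the JE decode shows the difference the OP asked about between bytes that are static across builds (opcodes, fixed stack offsets like the 08 in [EBP+8]) and bytes that are dynamic (relative jump displacements, absolute addresses such as the PUSH operand in post #8).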

Powered by vBulletin® Version 4.2.3