Title: Don't understand how to rebase OS X Memory Offsets
Okay, so I'm kind of back after almost a year. Once upon a time I was making an Lua Bot but since then decided of approaching this from a different way.
I've also gained a little (not much!) knowledge on how assembly works, etc.
The debugger of your choice makes ALL the difference in the world.
For the beginners out there like me, if you find that your debugger is too "complicated" or has too many "moving parts" for you to understand right away,
do yourself a favor and pick a lightweight debugger with as few of features as possible until you can learn the basics. For me, I suggest using Hopper Dissembler.
I think I remember reading that Hopper is OSX and Windows.
Back to the topic:
All addresses relate to WoW client: 5.0.5.16135
Using this thread we can gather some addresses: https://www.ownedcore.com/forums/wor...mp-thread.html ([WoW][5.0.5.16135] x86 Info Dump Thread)
The problem here is that I am not quite sure how OSX rebases their addresses. I do think that it's not random, because I can write to the same exact address after every relaunch, with the same result. For example,
Code:
0x4fc900={0xb8,0x01,0x00,0x00,0x00,0xc3} (Places a MOV instruction at one of the checks.)
#1
So onto my first question, are the addresses in the info dump thread the actual addresses of the sub routine or of the definition?
Since a lot of users here seem to point to RunMacroText for gaining an idea of the addresses, let's use that.
Code:
Searching for RunMacroText:
00d9f99d db "RunMacroText", 0 ; XREF=0x658fae
This tells us that we can find the address of the routine at 0x658fae, let's jump to that.
Now we are inside a function with a lot of calls to another subroutines. On this version they all seem to be leading to the same place.
Code:
00658fae C704249DF9D900 mov dword [ss:esp], 0xd9f99d ; "RunMacroText"
00658fb5 E8461A1600 call sub_7baa00
The subroutine sub_7baa00 is at address:
Code:
sub_7baa00:
007baa00 55 push ebp ; XREF=0x1b193d, 0x1b1949, 0x1b1955, 0x1b1961, 0x1b196d, 0x1b1979, ...
Is it safe to assume that the address: 007baa00 (sub_7baa00) is the one being used in the info dump thread or are they pointing to the "definition"?
#2
As you can tell these addresses don't collaborate with the info dump thread. What's going wrong here? Obviously some kind of "rebasing".
I have tried to do as many calculations as humanly possible to find out if I could figure out how to rebase the addresses but no luck.
At first I assumed that we could use the address of the start routine and subtract that from the RunMacroText subroutine address, but that didnt work.
#3
I have a piece of code, It's quite common on the forums, google, etc for unlocking Lua on OSX, I can't give credit because I'm not sure who the original author is.
I would like to understand it a little more. I am really interesting in understanding ASM because the power of what you can do is pretty neat. If a person understands ASM, they could make practically any application (even not their own) behave the way they want. There are injections, jump replacements, etc.
So let's dismantle this piece of code.
Code:
echo "set {char[6]}0x4fc900={0xb8,0x01,0x00,0x00,0x00,0xc3}" | gdb attach `ps ax|grep Warcraft|grep -v grep|awk '{print $1}'`
Let's not worry about the first part yet, but we do know that we're telling console to set some bytes to a character array and output that to stdout.
- gdb attach = Use gdb debugger and attach to the next part
- ps ax|grep Warcraft - Find WoW processes and print out the PID of WoW
- grep -v grep - Remove grep from the list of above processes.
- awk '{print $1}'` - Prints the character array from stdout earlier
Now onto the part I have the question, the character array from earlier is composed of 6 bytes.
In ASM, the first byte 0xb8 represents a MOV instruction, followed by another 5 bytes.
If you were to look at this in the debugger, something odd is happening.
It get's translated into MOV EAX, 0x1
Since my objective is to learn more about ASM, let's try to understand this a bit more.
MOV is basically a misnomer because data isn't actually being moved, but actually copied from one place to another.
What is EAX? I could only assume, it is the place to store the value 0x1.
Basically the instructions
Code:
004fc900 push ebp
004fc901 mov ebp, esp
004fc903 push esi
004fc904 sub esp, 0x14
get replaced with:
Code:
004fc900 mov eax, 0x1 ; XREF=0x209c93, 0x2072ae, 0x5b4f30, 0x3256d0, 0x31f260, 0x646650, ...
004fc905 db 0xc3 ; '.'
004fc906 db 0x14
What do the addresses 004fc905 & 004fc906 do?
Another question that kind of ties into the first, since I'm not sure what this address IS without rebasing it.
What subroutine is at the address 0x4fc900? Is it just a tainted check or is it CGGameUI__CanPerformAction?
<br>
Thanks for taking the time to read this and sorry for the long post.