Don't understand how to rebase OS X Memory Offsets menu

Shout-Out

User Tag List

Results 1 to 3 of 3
  1. #1
    bugs181's Avatar Member
    Reputation
    5
    Join Date
    Feb 2009
    Posts
    6
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Don't understand how to rebase OS X Memory Offsets

    Title: Don't understand how to rebase OS X Memory Offsets

    Okay, so I'm kind of back after almost a year. Once upon a time I was making an Lua Bot but since then decided of approaching this from a different way.

    I've also gained a little (not much!) knowledge on how assembly works, etc.

    The debugger of your choice makes ALL the difference in the world.

    For the beginners out there like me, if you find that your debugger is too "complicated" or has too many "moving parts" for you to understand right away,
    do yourself a favor and pick a lightweight debugger with as few of features as possible until you can learn the basics. For me, I suggest using Hopper Dissembler.
    I think I remember reading that Hopper is OSX and Windows.


    Back to the topic:

    All addresses relate to WoW client: 5.0.5.16135
    Using this thread we can gather some addresses: https://www.ownedcore.com/forums/wor...mp-thread.html ([WoW][5.0.5.16135] x86 Info Dump Thread)

    The problem here is that I am not quite sure how OSX rebases their addresses. I do think that it's not random, because I can write to the same exact address after every relaunch, with the same result. For example,

    Code:
    0x4fc900={0xb8,0x01,0x00,0x00,0x00,0xc3} (Places a MOV instruction at one of the checks.)

    #1
    So onto my first question, are the addresses in the info dump thread the actual addresses of the sub routine or of the definition?
    Since a lot of users here seem to point to RunMacroText for gaining an idea of the addresses, let's use that.

    Code:
    Searching for RunMacroText:
    00d9f99d                                 db         "RunMacroText", 0                     ; XREF=0x658fae
    This tells us that we can find the address of the routine at 0x658fae, let's jump to that.

    Now we are inside a function with a lot of calls to another subroutines. On this version they all seem to be leading to the same place.


    Code:
    00658fae C704249DF9D900                  mov        dword [ss:esp], 0xd9f99d              ; "RunMacroText"
    00658fb5 E8461A1600                      call       sub_7baa00
    The subroutine sub_7baa00 is at address:
    Code:
                                        sub_7baa00:
    007baa00 55                              push       ebp                                   ; XREF=0x1b193d, 0x1b1949, 0x1b1955, 0x1b1961, 0x1b196d, 0x1b1979, ...

    Is it safe to assume that the address: 007baa00 (sub_7baa00) is the one being used in the info dump thread or are they pointing to the "definition"?


    #2
    As you can tell these addresses don't collaborate with the info dump thread. What's going wrong here? Obviously some kind of "rebasing".

    I have tried to do as many calculations as humanly possible to find out if I could figure out how to rebase the addresses but no luck.

    At first I assumed that we could use the address of the start routine and subtract that from the RunMacroText subroutine address, but that didnt work.


    #3
    I have a piece of code, It's quite common on the forums, google, etc for unlocking Lua on OSX, I can't give credit because I'm not sure who the original author is.
    I would like to understand it a little more. I am really interesting in understanding ASM because the power of what you can do is pretty neat. If a person understands ASM, they could make practically any application (even not their own) behave the way they want. There are injections, jump replacements, etc.

    So let's dismantle this piece of code.
    Code:
    echo "set {char[6]}0x4fc900={0xb8,0x01,0x00,0x00,0x00,0xc3}" | gdb attach `ps ax|grep Warcraft|grep -v grep|awk '{print $1}'`
    Let's not worry about the first part yet, but we do know that we're telling console to set some bytes to a character array and output that to stdout.
    • gdb attach = Use gdb debugger and attach to the next part
    • ps ax|grep Warcraft - Find WoW processes and print out the PID of WoW
    • grep -v grep - Remove grep from the list of above processes.
    • awk '{print $1}'` - Prints the character array from stdout earlier



    Now onto the part I have the question, the character array from earlier is composed of 6 bytes.
    In ASM, the first byte 0xb8 represents a MOV instruction, followed by another 5 bytes.
    If you were to look at this in the debugger, something odd is happening.
    It get's translated into MOV EAX, 0x1

    Since my objective is to learn more about ASM, let's try to understand this a bit more.

    MOV is basically a misnomer because data isn't actually being moved, but actually copied from one place to another.
    What is EAX? I could only assume, it is the place to store the value 0x1.



    Basically the instructions
    Code:
    004fc900  push ebp
    004fc901  mov ebp, esp
    004fc903  push esi
    004fc904  sub esp, 0x14
    get replaced with:
    Code:
    004fc900  mov eax, 0x1  ; XREF=0x209c93, 0x2072ae, 0x5b4f30, 0x3256d0, 0x31f260, 0x646650, ...
    004fc905  db  0xc3 ; '.'
    004fc906  db  0x14

    What do the addresses 004fc905 & 004fc906 do?


    Another question that kind of ties into the first, since I'm not sure what this address IS without rebasing it.
    What subroutine is at the address 0x4fc900? Is it just a tainted check or is it CGGameUI__CanPerformAction?

    <br>
    Thanks for taking the time to read this and sorry for the long post.
    Last edited by bugs181; 12-23-2013 at 08:47 PM.

    Don't understand how to rebase OS X Memory Offsets
  2. #2
    Cypher's Avatar Kynox's Sister's Pimp
    Reputation
    1358
    Join Date
    Apr 2006
    Posts
    5,368
    Thanks G/R
    0/6
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

  3. #3
    bugs181's Avatar Member
    Reputation
    5
    Join Date
    Feb 2009
    Posts
    6
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks for the link. Realistically I'm a fiddler though. I'm a college student with a full time job. I don't think it's possible for me to learn everything in that book any time soon. It's most likely an invaluable resource. I've seen you around on the forum quite a bit and I know you're a pretty smart person. Do you think you could perhaps at least answer the "rebase" question or is it something you don't know? Or perhaps don't care to know due to different OS or such.

    As a side note, I think I answered my first question as I sat here thinking.
    The address 007baa00 is the actual address of the subroutine for RunMacroText.
    The DB instruction at 00d9f99d is basically just a string value for lookup.
    The call at 00658fb5 is in another subroutine/function which we likely don't care about.

Similar Threads

  1. I really dont understand how people make money
    By raze1225 in forum World of Warcraft General
    Replies: 5
    Last Post: 06-23-2009, 05:04 AM
  2. I dont Understand how to get 5 reuptations????
    By TIMOTHYLEDERER in forum Community Chat
    Replies: 7
    Last Post: 08-23-2008, 10:08 PM
  3. need help (don't know how to get the edits to work in wow)
    By Daluur in forum WoW ME Questions and Requests
    Replies: 5
    Last Post: 01-07-2008, 10:16 AM
  4. I don't understand what's wrong?
    By karpis in forum World of Warcraft Emulator Servers
    Replies: 6
    Last Post: 11-27-2007, 12:37 PM
  5. I just don't understand...
    By Tory in forum Gaming Chat
    Replies: 6
    Last Post: 09-23-2006, 12:49 AM
All times are GMT -5. The time now is 05:47 PM. Powered by vBulletin® Version 4.2.3
Copyright © 2025 vBulletin Solutions, Inc. All rights reserved. User Alert System provided by Advanced User Tagging (Pro) - vBulletin Mods & Addons Copyright © 2025 DragonByte Technologies Ltd.
Google Authenticator verification provided by Two-Factor Authentication (Free) - vBulletin Mods & Addons Copyright © 2025 DragonByte Technologies Ltd.
Digital Point modules: Sphinx-based search