IDA locks up on Rebasing. menu

  #1 cenron (Member)

    IDA locks up on Rebasing.

    I am a total noob with this stuff, so thanks for being patient with me, but IDA is the tool I am most comfortable with, and every time I try to Attach the debugger or Create the process with IDA attached, both WoW and IDA lock up on "Please Wait Rebasing".

    Anyone run into this issue or have any recommendations? I tried using Cheat Engine and Immunity Debugger and they both work fine, but I have a hard time finding stuff in them (for example the Lua functions).

    I even tried finding the address I want in IDA's static view and trying to get Immunity Debugger to go to the same address, but it's not valid, probably because it has been rebased.

    I am kinda stuck because I am trying to follow functions to figure out how they work, because I am too much of a noob to figure out what something does without knowing the values that are being moved around.

  #2 xalcon (Contributor)
    IDA isn't that well written (in the case of "responsiveness"). It takes quite a bit of time and in the meantime IDA just doesn't respond to input :/ (even on my i7 2nd gen it takes up to 15 minutes to rebase the WoW executable beforehand). I don't know if there is a workaround to this :/

    I don't know the "immunity debugger", but I've used Cheat Engine for some debugging stuff. In order to find a static address in memory, like 0x00523456, you need to remove the IDA base (which is 0x400000 by default) and then add the WoW base address. In Cheat Engine you could type something like this:
    Code:
    wow.exe + 523456 - 400000
    Last edited by xalcon; 05-17-2014 at 01:17 PM.
    "Threads should always commit suicide - they should never be murdered" - DirectX SDK

  #3 JuJuBoSc (Banned for scamming)
    I'd go for disabling ASLR and letting IDA base at 0x400000, so no more problem.

  #4 cenron (Member)
    Originally Posted by xalcon:
        IDA isn't that well written (in the case of "responsiveness"). It takes quite a bit of time and in the meantime IDA just doesn't respond to input :/ (even on my i7 2nd gen it takes up to 15 minutes to rebase the WoW executable beforehand). I don't know if there is a workaround to this :/

        I don't know the "immunity debugger", but I've used Cheat Engine for some debugging stuff. In order to find a static address in memory, like 0x00523456, you need to remove the IDA base (which is 0x400000 by default) and then add the WoW base address. In Cheat Engine you could type something like this:
        Code:
        wow.exe + 0x523456 - 0x400000
    I think I gave myself a concussion when I facepalmed myself right now. You just blew my mind and I am totally gonna try that when I get home.

    So if I have a Lua function @ sub_8A0CD5, I can do a manual add in Cheat Engine of Wow.exe + 0x8A0CD5 - 0x400000, then once that is set, right click and go to "View Memory Region", and that should hopefully take me to the start of the function, where I can then apply breakpoints and everything else?

    Also, Immunity Debugger is a clone of Olly and the guys at OpenRCE recommend it (I try to mimic the greats until I become great lol).

    Originally Posted by JuJuBoSc:
        I'd go for disabling ASLR and letting IDA base at 0x400000, so no more problem.
    When you say disable ASLR, do you mean a setting in IDA, or patching WoW to disable ASLR as described here?

    http://www.ownedcore.com/forums/worl...aft-patch.html (Disable ASLR in World of Warcraft (patch))


    P.S. I also wouldn't mind waiting on IDA, but it takes sooooooo long that I am worried about being DCed, or some GM wondering why my character is locked up... I know they can see a debugger attached if they choose to.


    P.P.S. Facepalm again! I can attach it at the login screen, give it 15 min to rebase and, once that's done, log in!? I read somewhere on here that they don't actively scan for debuggers, but have the ability to see them if they want.
    Last edited by cenron; 05-17-2014 at 12:36 PM.

  #5 para_ (Active Member)
    I don't claim to know the ramifications but you can disable ASLR across all Windows exes and dlls via a hack to the registry.

    Code:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
    "MoveImages"=dword:00000000

  #6 xalcon (Contributor)
    Originally Posted by para_:
        I don't claim to know the ramifications but you can disable ASLR across all Windows exes and dlls via a hack to the registry.
        Code:
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
        "MoveImages"=dword:00000000
    Yes, you can do this... but ASLR is there for a reason. Disabling it for the whole system, even for a short period of time, might be risky... especially if you forget to turn it back on.
    Patching the binary is the better solution IMO.

    Originally Posted by cenron:
        So if I have a Lua function @ sub_8A0CD5, I can do a manual add in Cheat Engine of Wow.exe + 0x8A0CD5 - 0x400000, then once that is set, right click and go to "View Memory Region", and that should hopefully take me to the start of the function, where I can then apply breakpoints and everything else?
    Actually, "View Memory Region" only lets the memory view jump to the given location. But you can click inside the instruction listing, hit CTRL+G and copy'n'paste the address manually in there. After that you should be able to set breakpoints and stuff.

    I also found an error on my side :P You need to remove the 0x from the addresses, otherwise Cheat Engine slaps you in the face :P jfi
    Code:
    Wow.exe + 8A0CD5 - 400000
    Last edited by xalcon; 05-17-2014 at 01:17 PM.
    "Threads should always commit suicide - they should never be murdered" - DirectX SDK

  #7 cenron (Member)
    Originally Posted by xalcon:
        Yes, you can do this... but ASLR is there for a reason. Disabling it for the whole system, even for a short period of time, might be risky... especially if you forget to turn it back on.
        Patching the binary is the better solution IMO.

        Actually, "View Memory Region" only lets the memory view jump to the given location. But you can click inside the instruction listing, hit CTRL+G and copy'n'paste the address manually in there. After that you should be able to set breakpoints and stuff.

        I also found an error on my side :P You need to remove the 0x from the addresses, otherwise Cheat Engine slaps you in the face :P jfi
        Code:
        Wow.exe + 8A0CD5 - 400000
    I ended up reading the whole thread about disabling ASLR and there is a lot of back and forth about ASLR. So I am thinking that should be kind of a last-resort type thing. I really like the Cheat Engine method you just showed me. I just want to know what the register values are, so if I can do some static reversing in IDA, then move to Cheat Engine to find the values, then it's a wonderful day! lol

    Also, if I really want to use IDA and am willing to wait, I can load IDA on the login page, then log in when it's ready?

    I can't wait to get home so I can try this out!!!!!

  #8 fieldmedic (Member)
    I believe you shouldn't need to wait for it to rebase, or even rebase at all for that matter, if you're just interested in a few addresses. In Olly you can see what base each loaded image has; just subtract that from the address you got via IDA during a debug run (IDA should be able to show the base addr when attached as a debugger as well). If you're doing it statically, though, just doing a rebase seems the easiest.
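The address arithmetic xalcon (#2) and fieldmedic (#8) describe, as an added example that is not from the thread or from IDA, Olly or Cheat Engine: a small Python module that maps an address from IDA's static view to where the same byte sits once the loader has relocated the module, maps it back, renders the expression in the form Cheat Engine accepts, and reads the preferred ImageBase plus the DYNAMIC_BASE flag (the bit that opts a PE image in to ASLR) from a PE header, so you can check whether a module will be relocated at all before deciding whether rebasing matters. The module name, the runtime base and the header bytes are constructed for the example; the header is only the fields the parser needs, not a loadable file.

```python
"""Translate addresses between a static disassembly and a relocated module."""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # PE optional-header flag: image opts in to ASLR
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def static_to_runtime(static_addr: int, static_base: int, runtime_base: int) -> int:
    """IDA shows addresses relative to the preferred ImageBase (static_base).
    After relocation the byte lives at static_addr - static_base + runtime_base,
    which is exactly the 'wow.exe + 8A0CD5 - 400000' expression from the thread."""
    if static_addr < static_base:
        raise ValueError("address lies below the image base it should belong to")
    return static_addr - static_base + runtime_base


def runtime_to_static(runtime_addr: int, runtime_base: int, static_base: int) -> int:
    """Inverse mapping: an address seen in the debugger back into IDA's view
    (fieldmedic's 'subtract the base' step, then re-add the static base)."""
    return static_to_runtime(runtime_addr, runtime_base, static_base)


def cheatengine_expression(module: str, static_addr: int, static_base: int) -> str:
    """Render the expression the way Cheat Engine wants it: hex digits, no 0x prefix."""
    return f"{module} + {static_addr:X} - {static_base:X}"


def read_pe_base_info(image: bytes) -> tuple:
    """Return (preferred ImageBase, aslr_opted_in) from a PE image's headers.
    Per the PE/COFF layout: e_lfanew at 0x3C points at 'PE\\0\\0', the 20-byte COFF
    header follows, then the optional header whose Magic decides whether ImageBase
    is a 32-bit field at offset 28 (PE32) or a 64-bit field at offset 24 (PE32+).
    DllCharacteristics sits at optional-header offset 70 in both formats."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    return image_base, bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def build_sample_pe32_header(image_base: int, dynamic_base: bool) -> bytes:
    """Constructed sample input: just enough PE32 header bytes for read_pe_base_info."""
    pe_off = 0x80
    buf = bytearray(pe_off + 4 + 20 + 96)  # DOS stub, signature, COFF header, PE32 optional header
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    opt = pe_off + 24
    struct.pack_into("<H", buf, opt, PE32_MAGIC)
    struct.pack_into("<I", buf, opt + 28, image_base)
    flags = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0
    struct.pack_into("<H", buf, opt + 70, flags)
    return bytes(buf)


def main() -> None:
    header = build_sample_pe32_header(0x400000, True)  # constructed, not a real binary
    static_base, aslr = read_pe_base_info(header)
    runtime_base = 0x1230000  # assumed value; in practice read it from the debugger's module list
    func = 0x8A0CD5           # the sub_8A0CD5 address from the thread
    print(f"preferred base {static_base:#x}, ASLR opted in: {aslr}")
    if aslr:
        live = static_to_runtime(func, static_base, runtime_base)
        print(f"{func:#x} in IDA -> {live:#x} in the process; CE: {cheatengine_expression('Wow.exe', func, static_base)}")
        print(f"back again: {runtime_to_static(live, runtime_base, static_base):#x}")
    else:
        print("image is not relocatable, static and runtime addresses coincide")


if __name__ == "__main__":
    main()
```

The check on the DYNAMIC_BASE flag is the same one a hardening review uses to confirm a shipped binary actually opted in to ASLR; if it did not, the loader maps it at its preferred base and no translation is needed, which is the situation the thread reaches by other means.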
