Trying to be self-sufficient, how to get memory offsets

[radarlove]

Hi there folks!

Every now and then I leech the new memory offsets from Ownedcore. As I want to be self-sufficient in gathering memory offsets, I wonder if there is any guide that tells how to retrieve the memory offsets? There probably is no guide, but can anyone point me in the right direction?? Whats the first step I should do? And what's the minimum tool I need? (I expect to be using IDA)

Thanks in advance,
RL

[Filint]

If it's just to update offsets between patches, the two most common methods are pattern scanning and diffing in IDA. With pattern scanning you figure out the bytes which aren't likely to change from the beginning of each function you want and then search for that byte pattern when the patch arrives. There are plugins for Ida pro that do this all for you. Diffing in Ida usually involves zynamics bindiff or, in the Old days, patchdiff2. It uses crazy complicated maths and other heuristics to try and determine the new locations of all the functions by comparing the two Ida databases.

If it's finding new offsets that you don't already have, it's usually dependent on exactly what you want. I think we'd probably need more info to talk more about that.

Note, I'm only talking about function offsets here. For things like structures there are other tools such as reclass. But I've less experience with these.

You're right, though, you'll probably need IDA. The good news is Ida 6.8 is now publicly available, if you know where to look

Good luck.

[lolp1]

You're right, though, you'll probably need IDA.

Not at all. There are perfectly reasonable ways besides using IDA to maintain and locate offsets.

As I want to be self-sufficient in gathering memory offsets, I wonder if there is any guide that tells how to retrieve the memory offsets?

There are dozens of valid guides when that give real information with in 10 seconds of my google search. To put it simply, just keep leeching unless you intend to spend at least a little effort on finding them.

[Filint]

Not at all. There are perfectly reasonable ways besides using IDA to maintain and locate offsets.

For finding established offsets, maybe. For generally reversing a program to find new offsets... Well, I'd be interested to see which ways you'd recommend that are as efficient and intuitive.

This is why I said "probably", because yes likely at some point that he will want to do more than just a pattern scan.

There are dozens of valid guides when that give real information with in 10 seconds of my google search. To put it simply, just keep leeching unless you intend to spend at least a little effort on finding them.

This attitude is very unhelpful and contributes nothing whatsoever to the discussion. If you have a problem with what he has posted - simply don't reply. The very fact that he is looking to stop leeching and start contributing should be applauded. Replies like yours don't make you look big or strong, and most certainly don't gain you any respect (the opposite, actually).

I notice you didn't bother to share your google search that yielded so many results. So you weren't actually trying to help at all, were you?

[Empted]

Use PatchDiff plugin for IDA. Then write your own plugin to export pointers and offsets values to txt or xml or whatever. Or just use Patchdiff only and update manually.

[-Ryuk-]

Hi there folks!

Every now and then I leech the new memory offsets from Ownedcore. As I want to be self-sufficient in gathering memory offsets, I wonder if there is any guide that tells how to retrieve the memory offsets? There probably is no guide, but can anyone point me in the right direction?? Whats the first step I should do? And what's the minimum tool I need? (I expect to be using IDA)

Thanks in advance,
RL

Its great that your looking to be an active part of the community instead of leeching, the best way to learn is from jumping in and trying.

Find an address in the info dump threads, place it in a notepad.
Then open up IDA or Cheat Engine and see if you can find it(on your own); either by knowing what should be at that address and scanning for a value or what other functions access it.

Don't worry about starting from scratch, take an IDB that someone has already named functions and start from there; diff it to the current patch which will give you lots of things you need, and then use hexrays to analyze what a function does.

Also feel free to ask questions here in this section, as long as you show you have tried to find something on your own or looked for old threads most people are happy to help.

Enjoy reversing and I personally look forward to seeing how you get on

[lolp1]

I don't disagree I replied poorly, so I apologize for sounding so harsh. Don't let me deter you from trying or asking questions.

When I said:

To put it simply, just keep leeching unless...

I said this because I think in a lot of cases people end up not realizing how much work really goes into becoming skilled at these things. I think if some ones personal goals and interest do not line up with the effort needed to start doing these things, then there is absolutely no shame in leeching and approaching it as more mild hobby.

I know personally I spent a short amount of time looking into the subject 2-3 times for a few weeks in the past 8ish years of my life I have gamed. I also in those times made threads similar to these. The problem is, each time I ended up slowly giving it up because no easy answers came. At the time I did not realize, the answer was not ask for answers to the basics, but to just start trying to do it. The information to start was never the problem, google and this very site has all you need and then some to start. It was me, my motivation,

The past 12 months, my interest finally shifted to really wanting to learn to program and since I had interest in game hacking before this is the route I took and I have really thoroughly enjoyed it, for every hardship there is a big grin when something finally clicks or works, or you have an idea that is clever even if only to you in your silly project. So if this is something you really want to do, do it. Just make sure unlike me you think about that answer a bit more before hand, to save a lot of time.