[Classic] 1.13.3.32836 - CorpsePosition?

[NoxiaZ]

The reason for adding 0x4 to the offset in my dumper (previously, fixed in latest push) was because it reads from memory and I believe relative offsets are calculated from the end of the instruction but my dumper reads from the beginning. So it needs to add 1 (for the mnemonic) and 4 for the 32-bit relative offset.

Take this as an example
.text:0000000000FF9B5A | E8 61 22 C1 FF

My dumper reads relative offset FFC12261 from FF9B5A but the FFC12261 is actually relative to FF9B5A+5.

I could be wrong, still a noob in asm and such, feel free to correct me.

IDA is much better at offset dumping and all that good stuff, anything having to do with parsing the binary and getting juicy information. However this require you to dump the binary every patch, this is why dumping from memory is smoother if you just want your offsets.

I'm not totally sure what you saying, but are there anyways that this pattern can get to work with you dumper? Would be nice to provide more patterns to it, so everyone always have new fresh pointers.
I tried the new release from git, but still the same

I added the pattern like this:

Code:

{ "CorpsePosition", { "48 C7 05 ? ? ? ? FF FF FF FF 0F 57 C0 89 05 ? ? ? ? 0F 14 C6 F2 0F 11 05 ? ? ? ? ?", clepta::pattern::deference, 0x3 } }

[ejt]

I'm not totally sure what you saying, but are there anyways that this pattern can get to work with you dumper? Would be nice to provide more patterns to it, so everyone always have new fresh pointers.
I tried the new release from git, but still the same

I added the pattern like this:

Code:

{ "CorpsePosition", { "48 C7 05 ? ? ? ? FF FF FF FF 0F 57 C0 89 05 ? ? ? ? 0F 14 C6 F2 0F 11 05 ? ? ? ? ?", clepta::pattern::deference, 0x3 } }

I'm not exactly sure why it dumps the wrong offset with that specific pattern, because I'm to tired and don't have time to debug, here's a pattern that gets the correct offset and looks to be working cross-patch (tested with 31650 and 32836)

Code:

{ "CorpsePosition", { "49 8B F8 48 8D 0D ? ? ? ? 48 8B DA E8 ? ? ? ?", clepta::pattern::deference, 0x6 } }

EDIT: As a side note, I accidentally misspelled 'dereference'

[NoxiaZ]

I'm not exactly sure why it dumps the wrong offset with that specific pattern, because I'm to tired and don't have time to debug, here's a pattern that gets the correct offset and looks to be working cross-patch (tested with 31650 and 32836)

Code:

{ "CorpsePosition", { "49 8B F8 48 8D 0D ? ? ? ? 48 8B DA E8 ? ? ? ?", clepta::pattern::deference, 0x6 } }

EDIT: As a side note, I accidentally misspelled 'dereference' :(

Thank you, i'm trying to figure out how you came up with that, as totally different place and bytes. :D
I see there are a long way ahead for me.


Again, both of you, thank you for you time.

[ejt]

I just checked the x-refs for the offset (select the offset in IDA and press X) then checked where it was used and tried patterns for each location until I found something, this time I was lucky and got a good pattern on the first try, sometimes it takes some work to get a good pattern because you get multiple matches and such.

[Geneditor]

Hello, just wanted to mention the following that will most likely answer your question about how to get from CE to a pointer in the WowClassic.exe.

When you scan your WoW memory with CE while it is running, make sure you are only scanning the WowClassic.exe (can be selected in the drop down menu).
Then you will probably run into the problem that CE tells you that it cannot find any readable memory. To solve this issue, in CE, go to Edit -> Settings -> Extra and check "Query Memory Region Routines."
Now you should be able to scan the WowClassic.exe, and viola, you get your static pointers.

At this point you can go to IDA and sig it, etc. etc.

[SailorMars]

Depending on what I need, I use a combination of IDA (static analysis,) Cheat Engine (simple live analysis) and x64dbg (intricate live analysis.)

For corpse position I found it easily through Cheat Engine taking note of my position, dying and releasing. From there I sigged it and added it to my IDA pattern scan script.

What anti-debug measures that we have do bypass in order to attach x64dbg to the live client w/o getting banned? I have no idea where to start