Hi! I've done a decent amount of research and have become stuck, so hopefully one of you can help me?
I'm trying to understand why IDA cannot understand a subroutine.
I'm disassembling WoW 8.3.6 (35662), and have used Overwatch dump fix to de-obfuscate (also Jadd's Lua function renaming + offset finder just to help a bit (thanks for script btw m)
Now I'm comparing the two side by side, using the Lua function 'JumpOrAscendStart()' as an example.
Searching the Strings, I can find the offset
Code:
.data:000000014282AF90 F0 AD 2C 42 01 00+ dq offset aJumporascendst ; "JumpOrAscendStart"
.data:000000014282AF98 60 AC 63 41 01 00+ dq offset qword_14163AC60
Now, jumping to that offset, I see that IDA is not able to disassemble:
Code:
.text:000000014163AC60 6D 88 A9 F8 D4 4D+qword_14163AC60 dq 21AF4DD4F8A9886Dh, 62722451E4589271h, 164A19B420A5658Bh
.text:000000014163AC60 AF 21 71 92 58 E4+ ; DATA XREF: .rdata:0000000142542EB4↓o
.text:000000014163AC60 51 24 72 62 8B 65+ ; .rdata:0000000142542EEC↓o ...
.text:000000014163AC60 A5 20 B4 19 4A 16+ dq 13E28A8D542AB2A1h, 19F5B4E1F40B1C9Dh, 48898C76CBB74A53h
However, in my de-obfuscated client, IDA manages to cleanly disassemble that location:
Code:
.text:00007FF6A036AC60 40 53 push rbx
.text:00007FF6A036AC62 48 83 EC 20 sub rsp, 20h
.........
What I'm totally confused about is that the contents at that address are totally different between the original and de-obfuscated clients. E.g. at AC60, we have 6D 88... compared to 40 53... for the two clients respectively. How is that possible?
From what I understand, most anti-disassembly techniques involve tricking the disassembler into misinterpreting the data/code. How is it possible for me to understand what's going on here without the help of a tool such as the dump fix?
Cheers
[bonus question if you're feeling super helpful: how do I find click to move offset lol]