(Question) Getting addresses.

#1 tomer121233 (Member)


Hey, I'm a CS student with some free time to spare during the summer.
I recently delved into writing a very simple piece of software which reads and shows some data from the WoW Classic client.
While I do have some previous experience with CE and OllyDbg (for much, much smaller endeavours, mainly courses), I was not able to extract the latest offsets / base addresses from the WoW client with OllyDbg (after researching a bit online it seems the code is obfuscated using opaque predicates), and I'm scared of scanning memory at runtime using CE since Warden will probably not like me doing that.

Any tips or techniques for extracting said addresses without getting flagged instantly?
Thanks in advance!
    Last edited by tomer121233; 08-02-2022 at 11:56 AM.

#2 namreeb (Legendary)
    You could dump it using dumpwow and then look at things in IDA or Ghidra.

#3 Razzue (Contributor)
Originally Posted by tomer121233
Hey, I'm a CS student with some free time to spare during the summer.
I recently delved into writing a very simple piece of software which reads and shows some data from the WoW Classic client.
While I do have some previous experience with CE and OllyDbg (for much, much smaller endeavours, mainly courses), I was not able to extract the latest offsets / base addresses from the WoW client with OllyDbg (after researching a bit online it seems the code is obfuscated using opaque predicates), and I'm scared of scanning memory at runtime using CE since Warden will probably not like me doing that.

Any tips or techniques for extracting said addresses without getting flagged instantly?
Thanks in advance!
As namreeb suggested, use his dumper if you want to manually find each and every offset. I use it whenever I have to dump WoW, and it works perfectly 100% of the time.
Alternatively, you could check out my dumper (just resolve packages and re-build) that gets some offsets I have pre-saved, and use those as a starting point to look at how functions access the data at said addresses.
Fair warning: some of the patterns are fairly outdated and I have little to no interest in sharing my updated patterns.

As for looking through values on a running client, I use a renamed Cheat Engine and the struct viewer + a custom ReClass build to poke around occasionally. AFAIK neither of those has caused a ban on my account as of yet.
If you're truly scared about losing your account... this kind of stuff will not be for you. Bans happen when fucking with memory/unlocking; it is what it is.
    "May all your bacon burn"

#4 jnco (Member)
I use a Windows kernel driver and inject a DLL into my memory reading application - the DLL requests a handle from the kernel driver and the driver happily provides it, with the application being none the wiser.

    Or depending on your disposable income and how much game hackin' you plan to do as a hobby, you could use a PCIScreamer (Screamer PCIe Squirrel). I use both!

#5 scimmy (Active Member)
Originally Posted by jnco
I use a Windows kernel driver and inject a DLL into my memory reading application - the DLL requests a handle from the kernel driver and the driver happily provides it, with the application being none the wiser.

    Or depending on your disposable income and how much game hackin' you plan to do as a hobby, you could use a PCIScreamer (Screamer PCIe Squirrel). I use both!
These techniques are complete overkill for any personal project that involves WoW.

#6 tomer121233 (Member)
Thanks everyone for your help!!
Using @namreeb's and @Razzue's unpackers helped tremendously.
I'm currently trying to do the unpacking myself, so a final question / recommendation regarding that:
Is MANUALLY patching the code in IDA a good idea, or a never-ending task?

#7 Razzue (Contributor)
Originally Posted by tomer121233
Thanks everyone for your help!!
Using @namreeb's and @Razzue's unpackers helped tremendously.
I'm currently trying to do the unpacking myself, so a final question / recommendation regarding that:
Is MANUALLY patching the code in IDA a good idea, or a never-ending task?
If by "patching" you mean renaming/editing crap so you can follow it better, do just that and tuck that IDA file somewhere in the deepest depths of your folder space.

Then the next time the game updates you can dump the patch, load it up and re-base, Ctrl+6 to open BinDiff (install it if you don't have it) and run a BinDiff against your saved build.
Once BinDiff is complete, Ctrl+6 -> Import strings, and away you go!

That's how I like to do it anyway 🤷‍♂️ I personally have a super old Classic build I like to BinDiff against. Good luck!
(Though not "everything" will be there, or have a good similarity %)
    "May all your bacon burn"

#8 tomer121233 (Member)
Originally Posted by Razzue
If by "patching" you mean renaming/editing crap so you can follow it better, do just that and tuck that IDA file somewhere in the deepest depths of your folder space.

Then the next time the game updates you can dump the patch, load it up and re-base, Ctrl+6 to open BinDiff (install it if you don't have it) and run a BinDiff against your saved build.
Once BinDiff is complete, Ctrl+6 -> Import strings, and away you go!

That's how I like to do it anyway 🤷‍♂️ I personally have a super old Classic build I like to BinDiff against. Good luck!
(Though not "everything" will be there, or have a good similarity %)
Thanks for the tip, I'll surely do that once the game updates.
I meant patching the "faulty" jumps, though, the ones used to obfuscate and confuse IDA.

#9 jnco (Member)
Originally Posted by scimmy
These techniques are complete overkill for any personal project that involves WoW.
These were my solutions to the anti-debug tricks, and I had them already available from other game hacking projects. I missed the part where OP asked for the most elegant solution that has scimmy's approval.

#10 scimmy (Active Member)
Originally Posted by jnco
These were my solutions to the anti-debug tricks, and I had them already available from other game hacking projects. I missed the part where OP asked for the most elegant solution that has scimmy's approval.
Perhaps you should have been clearer, as you only mention supporting a simple handle elevation request. I would say your answer is confusing and provides little value towards what the OP actually wants.

#11 namreeb (Legendary)
Originally Posted by tomer121233
Thanks everyone for your help!!
Using @namreeb's and @Razzue's unpackers helped tremendously.
I'm currently trying to do the unpacking myself, so a final question / recommendation regarding that:
Is MANUALLY patching the code in IDA a good idea, or a never-ending task?
If you're talking about removing opaque predicates, doing it manually is going to be tedious, time-consuming, and error-prone. I've been experimenting lately with doing it automatically using symbolic execution with Triton (JonathanSalwan/Triton on GitHub: a dynamic binary analysis library for building program analysis tools, automating reverse engineering, software verification or code emulation), and the preliminary results are encouraging. Once an opaque predicate is identified, I patch out the jumps and garbage/dead basic blocks with NOPs. This has a nice effect when Hex-Rays tries to decompile it.

    Example from the Wrath beta:

    Before:
    Code:
    void sub_141E4B000()
    {
      JUMPOUT(0x141E4B012i64);
    }
After:
Code:
    void __fastcall sub_141E4B000(SIZE_T a1)
    {
      VirtualAlloc(0i64, a1, 0x1000u, 0x40u);
    }
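The workflow in the post above (decide that a conditional jump has a constant outcome, then NOP the jump and the block that can never run so the decompiler sees straight-line code) as an added toy illustration. This is not namreeb's code, not Triton and not an IDA script: a tiny 8-bit register machine is modelled as a list of instruction tuples, and instead of asking an SMT solver whether the opposite branch condition is satisfiable, the whole 256-value input space is enumerated. The sample program, its register names and the 0x40 "real work" constant are constructed for the example.

```python
"""Toy opaque-predicate removal (added illustration; not Triton, not IDA).
An 8-bit register machine is modelled as instruction tuples; exhaustive
enumeration of the 256 inputs stands in for the SMT-solver query."""
from typing import List, Tuple

MASK = 0xFF
Insn = Tuple  # (mnemonic, *operands); registers are str, immediates int

# Constructed sample: eax holds the input x. x*x + x == x*(x+1) is always
# even, so its low bit is 0 and `jnz junk` can never be taken. The 'junk'
# block exists only to confuse disassembly.
PROGRAM: List[Insn] = [
    ("mov", "ecx", "eax"),   # 0: ecx = x
    ("imul", "ecx", "eax"),  # 1: ecx = x*x
    ("add", "ecx", "eax"),   # 2: ecx = x*x + x
    ("and", "ecx", 1),       # 3: ecx = low bit (always 0)
    ("jnz", "junk"),         # 4: opaque predicate, never taken
    ("mov", "edx", 0x40),    # 5: the real work (constructed stand-in)
    ("ret",),                # 6
    ("label", "junk"),       # 7: dead block starts here
    ("xor", "eax", "eax"),   # 8: garbage
    ("ret",),                # 9
]

# Same code with `and ecx, 2`: bit 1 of x*(x+1) varies with x, so this
# jump is genuine and must be left alone.
GENUINE: List[Insn] = PROGRAM[:3] + [("and", "ecx", 2)] + PROGRAM[4:]


def _val(regs, operand):
    """Register name -> current value; integer -> masked immediate."""
    return regs[operand] if isinstance(operand, str) else operand & MASK


def jump_taken(code: List[Insn], jump_idx: int, x: int) -> bool:
    """Run the straight-line prefix before code[jump_idx] with eax = x and
    report whether the conditional jump at jump_idx would be taken."""
    regs = {"eax": x & MASK, "ecx": 0, "edx": 0}
    zf = False
    for insn in code[:jump_idx]:
        op = insn[0]
        if op == "mov":
            regs[insn[1]] = _val(regs, insn[2])  # mov leaves flags alone
        elif op in ("imul", "add", "and", "xor"):
            a, b = regs[insn[1]], _val(regs, insn[2])
            r = {"imul": a * b, "add": a + b, "and": a & b, "xor": a ^ b}[op] & MASK
            regs[insn[1]] = r
            zf = r == 0
        elif op != "label":
            raise ValueError(f"unsupported instruction before jump: {op}")
    return {"jnz": not zf, "jz": zf}[code[jump_idx][0]]


def classify(code: List[Insn], jump_idx: int) -> str:
    """'never-taken' / 'always-taken' when the outcome is constant over every
    input (the solver step in the Triton approach), otherwise 'genuine'."""
    outcomes = {jump_taken(code, jump_idx, x) for x in range(MASK + 1)}
    if outcomes == {False}:
        return "never-taken"
    if outcomes == {True}:
        return "always-taken"
    return "genuine"


def patch(code: List[Insn], jump_idx: int):
    """Return (patched copy, verdict): opaque jumps and the side that can
    never execute become NOPs; a genuine jump is returned untouched."""
    verdict = classify(code, jump_idx)
    out = list(code)
    target = code[jump_idx][1]
    label_at = code.index(("label", target))
    if verdict == "never-taken":
        out[jump_idx] = ("nop",)               # drop the jump itself
        end = label_at
        while code[end][0] != "ret":           # dead block up to its ret
            end += 1
        for i in range(label_at, end + 1):
            out[i] = ("nop",)
    elif verdict == "always-taken":
        out[jump_idx] = ("jmp", target)        # now unconditional
        for i in range(jump_idx + 1, label_at):  # fall-through is dead
            out[i] = ("nop",)
    return out, verdict


def listing(code: List[Insn]) -> str:
    return "\n".join(f"{i:2}: " + " ".join(map(str, insn)) for i, insn in enumerate(code))


if __name__ == "__main__":
    patched, verdict = patch(PROGRAM, 4)
    print(f"jnz at 4 is {verdict}\n--- before ---\n{listing(PROGRAM)}\n--- after ---\n{listing(patched)}")
    print("jnz at 4 in GENUINE:", classify(GENUINE, 4))
```

The point of the `GENUINE` variant is the check a real tool must pass: it is not enough that a predicate looks contrived, the tool has to show that no input flips it before anything is NOPed, otherwise the "cleanup" silently breaks the function. With a real binary the enumeration is replaced by a solver query over the symbolic path condition, which is what Triton provides.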

#12 tomer121233 (Member)
Originally Posted by namreeb
If you're talking about removing opaque predicates, doing it manually is going to be tedious, time-consuming, and error-prone. I've been experimenting lately with doing it automatically using symbolic execution with Triton (JonathanSalwan/Triton on GitHub: a dynamic binary analysis library for building program analysis tools, automating reverse engineering, software verification or code emulation), and the preliminary results are encouraging. Once an opaque predicate is identified, I patch out the jumps and garbage/dead basic blocks with NOPs. This has a nice effect when Hex-Rays tries to decompile it.

    Example from the Wrath beta:

    Before:
    Code:
    void sub_141E4B000()
    {
      JUMPOUT(0x141E4B012i64);
    }
After:
Code:
    void __fastcall sub_141E4B000(SIZE_T a1)
    {
      VirtualAlloc(0i64, a1, 0x1000u, 0x40u);
    }

Thank you. That's exactly what I was asking.
I'll give the repository a look, as I started manually patching the jumps and it just seems to never end.

#13 charles420 (Contributor)
There's a few IDA scripts that remove this. I made a modified one that does the function I want to see, versus doing the whole IDB file, which I found to be very long, especially for things I have no need for.
