-
Member
(Question) Getting addresses.
Hey, I'm a CS student with some free time to spare during the summer.
I recently delved into writing a very simple software which reads and shows some data from the WoW Classic client.
While I do have some previous experience with CE and OllyDbg (for much, much smaller endeavours - mainly courses), I was not able to extract the latest offsets / base addresses from the WoW client with OllyDbg (after researching a bit online it seems the code is obfuscated using opaque predicates) and I'm scared scanning for memory on runtime using CE since Warden will probably not like me doing it.
Any tips or techniques for extracting said addresses without getting flagged instantly?
Thanks in advance!
Last edited by tomer121233; 08-02-2022 at 11:56 AM.
-
You could dump it using dumpwow and then look at things in IDA or Ghidra.
-
-
Contributor
Avid Ailurophile
Originally Posted by
tomer121233
Hey, I'm a CS student with some free time to spare during the summer.
I recently delved into writing a very simple software which reads and shows some data from the WoW Classic client.
While I do have some previous experience with CE and OllyDbg (for much, much smaller endeavours - mainly courses), I was not able to extract the latest offsets / base addresses from the WoW client with OllyDbg (after researching a bit online it seems the code is obfuscated using opaque predicates) and I'm scared scanning for memory on runtime using CE since Warden will probably not like me doing it.
Any tips or techniques for extracting said addresses without getting flagged instantly?
Thanks in advance!
As Namreeb suggested, use his dumper if you want to manually find each and every offset. I use it whenever I have to dump wow, and it works perfectly 100% of the time.
Alternatively, you could check out my dumper (just resolve packages and re-build) that gets some offsets I have pre-saved, and use those as a starting point to look at how functions access the data at said addresses.
Fair warning, some of the patterns are fairly outdated and I have little to no interest sharing my updated patterns.
As for looking through values on running client, I use a renamed cheat engine and the struct viewer + custom ReClass build to poke around occasionally. Afaik neither of those have caused a ban on my account as of yet.
If you're truly scared about losing your account... this kind of stuff will not be for you. Bans happen when fucking with memory/unlocking, it is what it is.
"May all your bacon burn"
-
-
Member
I use a Windows kernel driver and inject a DLL into my memory reading application - the DLL requests a handle from the kernel driver and the driver happily provides it without the application being none the wiser.
Or depending on your disposable income and how much game hackin' you plan to do as a hobby, you could use a PCIScreamer (Screamer PCIe Squirrel). I use both!
-
-
Active Member
Originally Posted by
jnco
I use a Windows kernel driver and inject a DLL into my memory reading application - the DLL requests a handle from the kernel driver and the driver happily provides it without the application being none the wiser.
Or depending on your disposable income and how much game hackin' you plan to do as a hobby, you could use a PCIScreamer (Screamer PCIe Squirrel). I use both!
These techniques are complete overkill for any personal project that involves wow.
-
Member
Thanks everyone for your help!!
Using @namreeb's and @Razzue's unpacker helped tremendously.
I'm currently trying to do the unpacking myself, so a final question / recommendation regarding that:
Is MANUALLY patching the code in IDA a good idea, or a never-ending task?
-
Contributor
Avid Ailurophile
Originally Posted by
tomer121233
Thanks everyone for your help!!
Using @namreeb's and @Razzue's unpacker helped tremendously.
I'm currently trying to do the unpacking myself, so a final question / recommendation regarding that:
Is MANUALLY patching the code in IDA a good idea, or a never-ending task?
If by "patching" you mean renaming/editing crap so you can follow it better, do just that and tuck that IDA file somewhere in the deepest depths of your folder space.
Then the next time the game updates you can dump the patch, load it up and re-base, Ctrl+6 to open BinDiff (install if you don't have it) and run a BinDiff against your saved build.
Once BinDiff is complete, Ctrl+6 -> Import strings, and away you go!
That's how I like to do it anyway 🤷‍♂️ I personally have a super old Classic build I like to BinDiff against. Good luck!
(Though not "everything" will be there, or have a good similarity %)
"May all your bacon burn"
-
-
Member
Originally Posted by
Razzue
If by "patching" you mean renaming/editing crap so you can follow it better, do just that and tuck that IDA file somewhere in the deepest depths of your folder space.
Then the next time the game updates you can dump the patch, load it up and re-base, Ctrl+6 to open BinDiff (install if you don't have it) and run a BinDiff against your saved build.
Once BinDiff is complete, Ctrl+6 -> Import strings, and away you go!
That's how I like to do it anyway 🤷‍♂️ I personally have a super old Classic build I like to BinDiff against. Good luck!
(Though not "everything" will be there, or have a good similarity %)
Thanks for the tip, I'll surely do that once the game updates.
I meant patching the "faulty" jumps though, the ones used to obfuscate and confuse IDA.
-
Member
Originally Posted by
scimmy
These techniques are complete overkill for any personal project that involves wow.
These were my solutions to the anti-debug tricks and had them already available from other game hacking projects. I missed the part where OP asked for the most elegant solution that has scimmy's approval.
-
-
Active Member
Originally Posted by
jnco
These were my solutions to the anti-debug tricks and had them already available from other game hacking projects. I missed the part where OP asked for the most elegant solution that has scimmy's approval.
Perhaps you should have been more clear, as you only mention supporting a simple handle elevation request. I would say your answer is confusing and provides little value to what the OP actually wants.
-
Originally Posted by
tomer121233
Thanks everyone for your help!!
Using @namreeb's and @Razzue's unpacker helped tremendously.
I'm currently trying to do the unpacking myself, so a final question / recommendation regarding that:
Is MANUALLY patching the code in IDA a good idea, or a never-ending task?
If you're talking about removing opaque predicates, doing it manually is going to be tedious, time-consuming, and error-prone. I've been experimenting lately with doing it automatically using symbolic execution with Triton (GitHub - JonathanSalwan/Triton: Triton is a dynamic binary analysis library. Build your own program analysis tools, automate your reverse engineering, perform software verification or just emulate code.) and the preliminary results are encouraging. Once an opaque predicate is identified, I patch out the jumps and garbage/dead basic blocks with NOPs. This has a nice effect when Hex-Rays tries to decompile it.
Example from the Wrath beta:
Before:
Code:
void sub_141E4B000()
{
JUMPOUT(0x141E4B012i64);
}
After:
Code:
void __fastcall sub_141E4B000(SIZE_T a1)
{
VirtualAlloc(0i64, a1, 0x1000u, 0x40u);
}
-
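The classify-then-NOP workflow namreeb describes, as an added example that is not part of the thread and is neither namreeb's code nor Triton: a constructed toy ISA with 8-bit registers, where a conditional jump is "opaque" when symbolic execution shows only one outcome of the zero flag is reachable. The exhaustive enumeration used as the solver here is an assumption that only works at this tiny width; Triton hands the same satisfiability question to an SMT solver. The same step is what an analyst applies when stripping opaque predicates out of obfuscated malware before decompiling it, and the example also shows a genuine parity branch being left alone.

```python
"""Toy symbolic execution: classify jz/jnz as real or opaque, NOP the opaque ones.

Constructed example, not Triton and not namreeb's code. Registers are 8-bit;
the 'solver' is exhaustive enumeration of the symbolic inputs (an assumption
that only scales at this width; an SMT solver replaces it on real code).
"""
from itertools import product

WIDTH = 8
MASK = (1 << WIDTH) - 1
ALU_OPS = ("add", "sub", "imul", "and", "xor")


def binop(op, a, b):
    """Build an expression node, constant-folding when both operands are concrete."""
    if isinstance(a, int) and isinstance(b, int):
        return {"add": a + b, "sub": a - b, "imul": a * b,
                "and": a & b, "xor": a ^ b}[op] & MASK
    return (op, a, b)


def evaluate(expr, env):
    """Concretely evaluate an expression tree under an assignment of the symbolic inputs."""
    if isinstance(expr, int):
        return expr
    if expr[0] == "sym":
        return env[expr[1]]
    op, a, b = expr
    return binop(op, evaluate(a, env), evaluate(b, env))


def free_vars(expr):
    if isinstance(expr, int):
        return set()
    if expr[0] == "sym":
        return {expr[1]}
    return free_vars(expr[1]) | free_vars(expr[2])


def feasible(expr, want_zero):
    """Can expr be zero (want_zero=True) / non-zero (want_zero=False) for some input?
    Exhaustive enumeration stands in for an SMT query; fine for one or two 8-bit inputs."""
    names = sorted(free_vars(expr))
    assert len(names) <= 2, "toy solver: keep the input space small"
    for values in product(range(1 << WIDTH), repeat=len(names)):
        if (evaluate(expr, dict(zip(names, values))) == 0) == want_zero:
            return True
    return False


def find_opaque_branches(program, symbolic_regs):
    """Linear symbolic sweep. Registers in symbolic_regs start as unknowns, each ALU
    result feeds the zero flag, and every jz/jnz is classified by asking whether both
    flag outcomes are reachable. Returns {pc: "real" | "always_taken" | "never_taken"}."""
    regs = {r: ("sym", r) for r in symbolic_regs}
    flag_src = 0  # expression behind the zero flag; 0 until an ALU op runs
    verdicts = {}
    for pc, ins in enumerate(program):
        op = ins[0]
        if op == "mov":
            _, dst, src = ins
            regs[dst] = src if isinstance(src, int) else regs.get(src, 0)
        elif op in ALU_OPS:
            _, dst, src = ins
            rhs = src if isinstance(src, int) else regs.get(src, 0)
            regs[dst] = binop(op, regs.get(dst, 0), rhs)
            flag_src = regs[dst]
        elif op in ("jz", "jnz"):
            can_zero, can_nonzero = feasible(flag_src, True), feasible(flag_src, False)
            if can_zero and can_nonzero:
                verdicts[pc] = "real"
            else:
                taken = can_zero if op == "jz" else can_nonzero
                verdicts[pc] = "always_taken" if taken else "never_taken"
        elif op == "ret":
            break
        # "call" and "nop" leave the toy register file untouched
    return verdicts


def patch_opaque(program, verdicts):
    """Opaque jump -> nop. For an always-taken forward jump the skipped range is junk
    and is nop'd too, so execution falls through to the target. A never-taken jump's
    target block would need CFG reachability to remove, so only the jump is nop'd."""
    patched = list(program)
    for pc, verdict in verdicts.items():
        if verdict == "always_taken" and program[pc][1] > pc:
            for i in range(pc, program[pc][1]):
                patched[i] = ("nop",)
        elif verdict in ("always_taken", "never_taken"):
            patched[pc] = ("nop",)
    return patched


def live_ops(program):
    """Instructions that survive patching, roughly what a decompiler would then show."""
    return [" ".join(str(x) for x in ins) for ins in program if ins[0] != "nop"]


# Constructed program; r0 is the function argument. r0*r0 + r0 is even for every
# r0, so the jz on its low bit is always taken and the xor/sub lines are junk.
OPAQUE = [
    ("mov", "r1", "r0"), ("imul", "r1", "r0"), ("add", "r1", "r0"), ("and", "r1", 1),
    ("jz", 7), ("xor", "r0", 0x5A), ("sub", "r0", 0x13),
    ("call", "VirtualAlloc"), ("ret",),
]

# Constructed program with a genuine parity branch: both outcomes are reachable.
REAL = [("mov", "r1", "r0"), ("and", "r1", 1), ("jnz", 4),
        ("call", "even_path"), ("call", "odd_path"), ("ret",)]

if __name__ == "__main__":
    v = find_opaque_branches(OPAQUE, ["r0"])
    print(v, live_ops(patch_opaque(OPAQUE, v)))
    print(find_opaque_branches(REAL, ["r0"]))
```

The sweep is deliberately linear: it classifies each jump in isolation rather than exploring paths, which is enough for the single-block pattern shown in namreeb's before/after listing but not for predicates whose inputs are written on a path the sweep never models.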
-
Member
Originally Posted by
namreeb
Thank you. That's exactly what I was asking.
I'll give the repository a look, as I started manually patching the jumps and it just seems to never end.
-
Contributor
There's a few IDA scripts that remove this. I made a modified one that does the function I want to see, versus doing the whole IDB file, which I found to be very long, especially for things I have no need for.