[Tutorial] How to find simple stuff

[nopz]

Hello,

I'm here for some time now and I have decided to start learning things instead of asking for offsets or stuff.
I have found a very good topic on GD forums "How to find stuff" [Only registered and activated users can see links. ] by bobbysing.

Today I have decided to take the time to make a short tutorial with my level of knowledge speaking about how to find something with IDA.
For those who knows IDA this thread will talk about the String window and how to read subs.

Most of you already know the things I'm going to explain but this thread is mostly for all of the users that are/was like me, searching for things here and not doing by there own.

It is my contribution to 'wraithZX' alert about peoples here.

Quote from wraithZX ([Only registered and activated users can see links. ])

Quote:

what I'd like to see in the forum is more questions about how to find them yourself, not just what the actual values are. Those sorts of questions do a lot more for the community as a whole, in the sense that they end up spreading knowledge, compared to threads continually asking for stuff that changes patch after patch.

So here we go, what you need is :

- Ida Pro ([Only registered and activated users can see links. ])
- Hex-Rays ([Only registered and activated users can see links. ]) <- facultative
- wow.exe .. 3.2.2 here


Step 1 - Opening "wow.exe" with IDA.
First thing is to open 'ida pro', do not forget to run as administrator if you're using windows vista or seven.
We'll have to open wow with IDA to tell ida that we want to disassemble the file to start searching for stuff.
Here you just have to click "File..Open.." select the binary 'wow.exe' and Open.

If you've got a popup after clicking Open, select Portable Executable File (PE).
It takes a certain time for ida to disassemble the binary, so go take a cup of coffee and wait.




Step 2 - The strings window.
So at this point you should have an IDA pro opened with an analyzed wow.exe. What we want is search for something, at this point the easiest way to find something with our poor knowledge is looking at the 'Strings Window'.

- Hit "Shift + F12", wait a moment. This will generate what we call strings.
We will use that window to search for something.

So what you'll do is locate the string "GetMinimapZoneText"

- Hit "Alt + T" type "GetMinimapZoneText".
- Ctrl + T if you want to move to the next occurrence.

You should obtain something like this.




Step 3 - Where is dA c0d3 ?.
Well double click the "GetMinimapZoneText" line, this will bring you to the ida "View-A" of the code.
To access the sub view of the code you will have to click on the .data address.




Step 4 - Show me dA c0d3 !!.
So know you have your IDA pointing on "GetMinimapZoneText" the .data:address.
To view the asm code and start working by your own you will have to click on the "sub_ADDRESS".




Step 5 - What now ?!?.
Well in the View-A of IDA you have the ASM code representing our function.
You have to start reversing by your own now. In this example with have our "GetMinimapZoneText" function located at 0x113D778. I have the "Hex-Rays" plug-in so hitting "F5" show me the pseudocode C.



And finally in C# :

Code:

string minimapZoneText = SMemory.ReadASCIIString(mp.WindowHandle, SMemory.ReadUInt(mp.WindowHandle,0x113D778), 30);
Console.WriteLine("GetMinimapZoneText : " + minimapZoneText);

Credits goes to all of you who want to learn things like me the other are not smart enough to understand things...
I'm pretty sure this thread is not perfect, feel free to edit / discuss / comment.

Special thanks :
Apoc (because it's an awesome guy)
kynox (his blog / work is also awesome)
Cypher (love the blog)
wraithZX
unkn0wn0x (because i'm sure the Aion bot is going to be good)

[-Jebus Fist-]

Looking good. +rep x3

[Viano]

Quote:

Originally Posted by Cypher

Please don't encourage people to pirate IDA and Hex-rays.

Please use your powers to produce tutorials like that. Thank you.

@nopz:

Awesome. Thank you very much .

[lanman92]

A quick way to find lua_DoString:

Go to the lua function "RunScript". The last call made by this function is DoString(basically...).

[Ohsnap]

Easy to understand language;
Listed commands with step by step instructions;
Descriptive pictures regarding topic.

Two words Nopz, "High Five".

[grosfilsdepute]

Thanks man,

[GordonGekko]

Hi,
first of all thx a lot. This is a very helpful for me as a beginner. I hope it is fine if i ask for one more example in addition.

Well what I try to do is to find the memory location where the string of the "ingame group chsat" is stores. So finally my target is to read the last line of the group chat and write it into a .txt file. Unfortunately I am not really sure where i have to start. So yould somebody be so kind and explain to me how i can achieve that with IDA?

Sorry for those basic question but I am just starting with IDA.

Thanks a lot
Gordon

[blackmagic45]

Great work nopz, people might actually learn something.

[lon3vman]

This is one of the best posts I've come across for IDA so far. Much appreciated. Simple, clear, concise.

[Tanaris4]

@nopz great post - any idea why on the mac binary I get nothing in the strings list? [Only registered and activated users can see links. ]

Edit: Where can I purchase the Hex-rays IDA plugin that shows pseudocode?

Edit 2: Found it, yea can't afford that lol, but looks nice

[b0t001]

great post, easy to follow and explains everything well. thanks!

[hestas]

Thank you! Helped me tons ^^

[zutto]

not bad at all

[Flowerew]

This tutorial helped me alot to figure out stuff on my own (i guess). Now I'm trying to dig a little deeper and looked for GetPlayerMapPosition. I tried to find the function that actually returns the position values. The following pictures show about everything i've "discovered" during my investigation:

[Only registered and activated users can see links. ]

So my question now is: Am I going in the right direction or is that complete bs. If I'm totally wrong please tell me. Best regards.

edit: Further testing
[Only registered and activated users can see links. ]