Creating an update.lua for addresses (How??)

[MiesterMan]

Ok, been finding addresses alright but once they put out a patch everything goes to crap. What I've seen is the offsets stay the same but the base addresses change. What do you look for when finding patterns around or in the addresses that contain the pointers you're looking for?

Any tips you have would be great. Right now I'm surviving with pointer scans using known offsets.

[Administrator]

Download OllyDbg. Open up the process, make sure that the executable is selected (as, under 64-bit OSes, it runs through a compatibility layer) and search for a constant (right click in the CPU menu). Search for the static address you've found. Hopefully you will find something. Now, you construct a pattern out of the code in that area.

[MiesterMan]

Cool, just to clarify that is from http://www.ollydbg.de/?

[Administrator]

That should do it, yeah.

[lisa]

Download OllyDbg. Open up the process, make sure that the executable is selected (as, under 64-bit OSes, it runs through a compatibility layer) and search for a constant (right click in the CPU menu). Search for the static address you've found. Hopefully you will find something. Now, you construct a pattern out of the code in that area.

Ok well I have the first bits no worries but just trying to construct a pattern.
Can't find any options for doing that.

[Administrator]

There is no option. You do it yourself. First, you should (but don't necessarily need to) have Olly analyze the code (CTRL+A). Find the section you want to construct a pattern for. For example, you'll get something like this:

Code: Select all

0074D530  /$ 51             PUSH ECX
0074D531  |. 8379 0C 00     CMP DWORD PTR DS:[ECX+C],0
0074D535  |. 890C24         MOV DWORD PTR SS:[ESP],ECX
0074D538  |. 0F84 86000000  JE Client.0074D5C4
0074D53E  |. 53             PUSH EBX
0074D53F  |. 55             PUSH EBP
0074D540  |. 8B2D B8F58C00  MOV EBP,DWORD PTR DS:[<&MSVCR80._invalid>;  MSVCR80._invalid_parameter_noinfo
0074D546  |. 56             PUSH ESI
0074D547  |. 8BB1 00010000  MOV ESI,DWORD PTR DS:[ECX+100]

Write out the bytes to form a pattern:
0x51, 0x83, 0x79, 0x0C, 0x00, 0x89, 0x0C, 0x24, 0x0F, 0x84, 0x86, 0x00, 0x00, 0x00, 053...you get the point.

Now form a mask. Just put an 'x' on what you want to match, and '?' for what will change.
"xxx??xxxxx????x"

And that's it.

[lisa]

Ahh ok now I understand what you mean, ai also had a look in your update.lua for rombot, made it alot easier to understand =)

I think the trouble I am having is this.
in Olly top left window shows addresses to 008C8FFF
bottom left shows addresses from 00998000 to 00A6FFF0
The addresses I am searching for are after the 008C8FFF so when I do a search in that section I don't get the actual address I get what I guess are pointers that use the address. So the bytes I see arn't for the actual address.

an example would be

actionBarPtr = 0xA09390,
at address 006294FF i get this
8B0D 9093A000 | MOV ECX,DWORD PTR DS:[0A09390]

so would be bytes of
0x8B, 0x0D, 0x90, 0x93, 0xA0, 0x00
mask of
xxxxx?

And doing a search for this after an update wouldn't work as those bytes are made up from the address A0 93 90 just in reverse 90 93 A0 and since the address would have changed then searching for this wouldn't do any good lol

but like I said that's not the actual address, was just showing I knew what you meant with the bytes and mask =)

I think I must be loading file wrong? or have some settings wrong?

[Administrator]

an example would be

actionBarPtr = 0xA09390,
at address 006294FF i get this
8B0D 9093A000 | MOV ECX,DWORD PTR DS:[0A09390]

so would be bytes of
0x8B, 0x0D, 0x90, 0x93, 0xA0, 0x00
mask of
xxxxx?

Somewhat right. As you've seen, the address is there, but backwards. That's actually normal. I forgot to mention endianness.

Your mask is off. the address (the last 4 bytes) are dynamic; we expect them to change. Since they change, you don't want to match them, and should use the wildcard(?).
That would also be a bad pattern. There's going to be thousands of instances of 0x8B 0x0D in the client. You've got to include additional lines to make sure it will be unique.

[lisa]

yeah I figured I would need a longer list of bytes and mask to match, just did the 1 line as an example.

I thought I got the mask right hmm

0x8B, 0x0D, 0x90, 0x93, 0xA0, 0x00
x x x x x ?
5 x and last 1 is ?

I think I should have put quotes

"xxxxx?"

[Administrator]

No. 4 bytes there are dynamic. The address, the information we want, is going to change. That's why we're looking for it. If it never changed, we wouldn't need a pattern. You want "xx????".

[lisa]

ahh of course =)