Czarman
Not gonna be too many people that follow this, but figured JMO maybe could use, or any other hacker wannabes....
You kinda need to know your way around IDA 5.0+ to do this, but it really is almost as easy as finding offsets each patch. It also helps to know how to use PATCHDAY, which can be gotten from http://www.forever-hacking.com/viewtopic.php?f=15&t=1057 (get the version all the way at the bottom of the page; you need to be a registered user to have access -- make sure to grab dumpxrefs also on that page). You want to make an IDC file, which makes reading some of the code in IDA much easier. This is easy, all you need is eqgame.h (can add more offsets inside it too, hint, hint). Command prompt:
Patchday h2idc eqgameyyyymmdd.h eqgameyyyymmdd.idc
Then load the IDC file corresponding to the EXE you are decompiling.
I generally name them like this:
eqgame20080903.h and eqgame20080903.IDC
eqgame20081021.h and eqgame20081021.IDC
This way you can store all the past ones, etc in one subdirectory.
Next step, it helps to have a POINT OF REFERENCE. Say you know that the OpCode for September 9, 2008 (and earlier) was 0x102F and it changed with the October 21, 2008 patch. If you do not have this, you pretty much will need a packet sniffer, or try an OLD opcode from even earlier perhaps.
Let's look at where "102fH" pops up inside IDA on 09/03/2008.
We really want to look at 0x4d86c2 (the 3rd one down):
09/03/2008 EXE:
.text:004D869F loc_4D869F: ; CODE XREF: sub_4D84E0+16Bj
.text:004D869F ; sub_4D84E0+18Fj
.text:004D869F mov eax, pinstLocalPlayer
.text:004D86A4 mov edi, [eax+148h]
.text:004D86AA mov eax, __gWorld
.text:004D86AF test eax, eax ; Logical Compare
.text:004D86B1 mov esi, [esi+148h]
.text:004D86B7 jz short loc_4D872B ; Jump if Zero (ZF=1)
.text:004D86B9 mov ecx, dword_7B8440
.text:004D86BF push ebx
.text:004D86C0 push 0
.text:004D86C2 push 102Fh
.text:004D86C7 call CObfuscator__doit ; Call Procedure
.text:004D86CC mov ecx, __gWorld
Ok, so above it is indeed the OpCode, since right after it is being scrambled (CObfuscator__doit). Now the fun part: finding it in the NEW EXE. Take the 10/21/08 version and also make an IDC file.
Next we want to JUMP to approximately where the last Opcode was found, so inside IDA with the 10/21/08 version, JUMP to address, and put in "4d86c2". This will just take us to an area close to where it could be, but not the same. We need to do a SEARCH next. But first make a few reference points of what else is NEAR the Opcode above. If you click Search TEXT and put in "CObfuscator__doit" it will bring up quite a few, but none that look like the above till we get to:
10/21/2008 EXE:
.text:004DB55F loc_4DB55F: ; CODE XREF: sub_4DB3A0+16Bj
.text:004DB55F ; sub_4DB3A0+18Fj
.text:004DB55F mov eax, pinstLocalPlayer
.text:004DB564 mov edi, [eax+148h]
.text:004DB56A mov eax, __gWorld
.text:004DB56F test eax, eax
.text:004DB571 mov esi, [esi+148h]
.text:004DB577 jz short loc_4DB5EB
.text:004DB579 mov ecx, dword_7D1588
.text:004DB57F push ebx
.text:004DB580 push 0
.text:004DB582 push 47AEh
.text:004DB587 call CObfuscator__doit
.text:004DB58C mov ecx, __gWorld
This should be the new opcode. It looks just like the previous patch with only that small change. Hope this helps for the future. I don't always have time to do offsets/opcodes. Figured I would share what I know. Leave questions here.
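The manual search above (jump near the old address, then look for the same instruction shape around a CObfuscator__doit call) can be automated as a text-signature match between two IDA listings. This is an added example, not code from the post or from PATCHDAY; it uses the two listings shown above as constructed input and assumes IDA's default listing syntax (`.text:ADDR`, hex immediates with an `h` suffix, `dword_`/`loc_`/`sub_` auto-names).

```python
import re

# Constructed copies of the two IDA listings the post shows, trimmed to the
# instructions around the opcode push (old build 09/03/2008, new build 10/21/2008).
OLD_LISTING = """\
.text:004D86B9 mov ecx, dword_7B8440
.text:004D86BF push ebx
.text:004D86C0 push 0
.text:004D86C2 push 102Fh
.text:004D86C7 call CObfuscator__doit ; Call Procedure
.text:004D86CC mov ecx, __gWorld
"""
NEW_LISTING = """\
.text:004DB577 jz short loc_4DB5EB
.text:004DB579 mov ecx, dword_7D1588
.text:004DB57F push ebx
.text:004DB580 push 0
.text:004DB582 push 47AEh
.text:004DB587 call CObfuscator__doit
.text:004DB58C mov ecx, __gWorld
"""
LINE_RE = re.compile(r"^\.text:([0-9A-Fa-f]{8})\s+([^;]*?)\s*(?:;.*)?$")

def parse(listing):
    """Yield (address, mnemonic, operands) per instruction; skip labels and comment-only lines."""
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) and not m.group(2).endswith(":"):
            mnem, _, ops = m.group(2).partition(" ")
            yield int(m.group(1), 16), mnem, ops.strip()

def normalize(mnem, ops, opcode):
    """Wildcard build-specific globals/labels and the known opcode immediate."""
    ops = re.sub(r"\b(dword|loc|sub)_[0-9A-Fa-f]+", r"\g<1>_?", ops)
    return mnem, re.sub(r"\b0*%Xh\b" % opcode, "OPCODE", ops)

def find_opcode(old_listing, new_listing, old_opcode, before=3, after=2):
    """Signature-match the instructions around the old opcode push; return [(address, opcode)] in the new build."""
    old, new = list(parse(old_listing)), list(parse(new_listing))
    hits = [i for i, (_, m, o) in enumerate(old) if m == "push" and normalize(m, o, old_opcode)[1] == "OPCODE"]
    if len(hits) != 1:
        raise ValueError("expected exactly one push of the old opcode, found %d" % len(hits))
    lo = max(0, hits[0] - before)
    sig = [normalize(m, o, old_opcode) for _, m, o in old[lo:hits[0] + after + 1]]
    slot = hits[0] - lo  # index of the wildcarded opcode inside the signature
    found = []
    for j in range(len(new) - len(sig) + 1):
        win = new[j:j + len(sig)]
        # At the wildcard slot accept any hex immediate push (IDA writes them with an 'h' suffix).
        if all((m == "push" and o.endswith("h")) if k == slot else normalize(m, o, old_opcode) == sig[k]
               for k, (_, m, o) in enumerate(win)):
            found.append((win[slot][0], int(win[slot][2][:-1], 16)))
    return found  # [] = the surrounding code changed too; several entries = needs manual review
```

Run against a full listing dumped from IDA, the window size (`before`/`after`) is what trades false hits for robustness when instructions get reordered between builds.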