• Welcome to Valhalla Legends Archive.
 

Finding offsets in battle.snp [new title; split from old thread]

Started by Banana fanna fo fanna, July 24, 2004, 10:21 PM

Previous topic - Next topic
Print
|
Go Down Pages1 2
User actions

Banana fanna fo fanna

July 24, 2004, 10:21 PM Last Edit: July 25, 2004, 11:28 AM by Kp
Quote from: UserLoser. on July 24, 2004, 11:41 AM
Quote from: $t0rm on July 24, 2004, 09:49 AMsemi-OT, but how did you find the offset in battle.snp?
disassembly.
never thought of that :P

But seriously, what tools did you use? Did you just breakpoint CreateFile on stardat.mpq and trace from there?

[Kp edit: no change to the original post, just changed title and an explanation here.  This thread was originally a side discussion in z-stars request for assistance.  However, the subject matter deserves its own thread free from newbie debugging, and so was split to become this thread.]

dxoigmn

#1
July 24, 2004, 11:29 PM
Quote from: $t0rm on July 24, 2004, 10:21 PM
Quote from: UserLoser. on July 24, 2004, 11:41 AM
Quote from: $t0rm on July 24, 2004, 09:49 AM
semi-OT, but how did you find the offset in battle.snp?

disassembly.

never thought of that :P

But seriously, what tools did you use? Did you just breakpoint CreateFile on stardat.mpq and trace from there?

For HashData you could find the init values and trace back from there.  For the cdkey decode you could find the unique dword is uses (0x13AC9741) and trace back from there.

UserLoser.

#2
July 24, 2004, 11:57 PM Last Edit: July 24, 2004, 11:57 PM by UserLoser.
Quote from: $t0rm on July 24, 2004, 10:21 PM
Quote from: UserLoser. on July 24, 2004, 11:41 AM
Quote from: $t0rm on July 24, 2004, 09:49 AM
semi-OT, but how did you find the offset in battle.snp?

disassembly.

never thought of that :P

But seriously, what tools did you use? Did you just breakpoint CreateFile on stardat.mpq and trace from there?

All starts from send.  You find the call to send used for BNCS related packets.  You then trace it back to 0x51. Then you go back on each call and see what they do and what's being passed into it.  So setting some breakpoints would help.  Or, just search for mov     cl and find mov     cl, 51h

TheMinistered

#3
July 25, 2004, 11:45 AM
I would follow UserLoser's advice and trace from  send.  I say this because it's a sure-win situation.  You might want to bring some popcorn and a coke though, might take you a while :P

Adron

#4
July 25, 2004, 12:39 PM
Tracing from send works in many cases. By "stepping out", you can do it pretty quickly too.

The wt command in windbg seems useful as well. Does anyone have experience with that?


What are your ways for finding out how you got to a certain place, in greater detail than just function calls (think of a really big function with a lot of jumps) ?

UserLoser.

#5
July 25, 2004, 01:36 PM
Quote from: Adron on July 25, 2004, 12:39 PM
... What are your ways for finding out how you got to a certain place ...

In IDA, using jump xref to operand

Quote from: Adron on July 25, 2004, 12:39 PM
... in greater detail than just function calls (think of a really big function with a lot of jumps) ?
Take an attempt to figure out what each function does, then give a name or leave comments.  Or skip it :)

Adron

#6
July 25, 2004, 01:42 PM
Quote from: UserLoser. on July 25, 2004, 01:36 PM
Quote from: Adron on July 25, 2004, 12:39 PM
... What are your ways for finding out how you got to a certain place ...

In IDA, using jump xref to operand

Ah, you're working in IDA, not in an actual debugger? I read it as setting a breakpoint on send, waiting for it to be called with the right packet, and then tracing back up. Re-reading your post, I realize that that's probably not what you meant.


Quote from: UserLoser. on July 25, 2004, 01:36 PM
Quote from: Adron on July 25, 2004, 12:39 PM
... in greater detail than just function calls (think of a really big function with a lot of jumps) ?
Take an attempt to figure out what each function does, then give a name or leave comments.  Or skip it :)

That works in some cases. The scenario I was thinking of was setting a breakpoint on a messagebox saying "authentication failed" or "insert the correct cd and try again", and then trying to figure out how you got there, particularly if there are many jumps leading to the same point.

Maddox

#7
July 25, 2004, 03:42 PM
Quote from: Adron on July 25, 2004, 01:42 PM
Ah, you're working in IDA, not in an actual debugger?

IDA is a debugger.
asdf.

Adron

#8
July 25, 2004, 04:23 PM
Quote from: Maddox on July 25, 2004, 03:42 PM
Quote from: Adron on July 25, 2004, 01:42 PM
Ah, you're working in IDA, not in an actual debugger?

IDA is a debugger.

It's primarily a disassembler though. In the same way as windbg does have a disassembler, but is primarily a debugger. And "jump xref to operand" is a disassembler thing to do, not a debugger thing to do.

Eibro

#9
July 26, 2004, 12:18 AM
Quote from: dxoigmn on July 24, 2004, 11:29 PM
Quote from: $t0rm on July 24, 2004, 10:21 PM
Quote from: UserLoser. on July 24, 2004, 11:41 AM
Quote from: $t0rm on July 24, 2004, 09:49 AM
semi-OT, but how did you find the offset in battle.snp?

disassembly.

never thought of that :P

But seriously, what tools did you use? Did you just breakpoint CreateFile on stardat.mpq and trace from there?

For HashData you could find the init values and trace back from there.  For the cdkey decode you could find the unique dword is uses (0x13AC9741) and trace back from there.
And if you didn't know these values to start with?
Eibro of Yeti Lovers.

Arta

#10
July 26, 2004, 08:45 AM
I found the key in memory and used break on access.

dxoigmn

#11
July 26, 2004, 12:41 PM Last Edit: July 26, 2004, 12:42 PM by dxoigmn
Quote from: Eibro[yL] on July 26, 2004, 12:18 AM
Quote from: dxoigmn on July 24, 2004, 11:29 PM
Quote from: $t0rm on July 24, 2004, 10:21 PM
Quote from: UserLoser. on July 24, 2004, 11:41 AM
Quote from: $t0rm on July 24, 2004, 09:49 AM
semi-OT, but how did you find the offset in battle.snp?

disassembly.

never thought of that :P

But seriously, what tools did you use? Did you just breakpoint CreateFile on stardat.mpq and trace from there?

For HashData you could find the init values and trace back from there.  For the cdkey decode you could find the unique dword is uses (0x13AC9741) and trace back from there.
And if you didn't know these values to start with?

Well that's the dilema.  I got into all of this after a lot of source was released but before Diablo 2 (SID_AUTH_CHECK/SID_LOGONRESPONSE2) sequence was figured out.  Using prior code I figured out a lot of stuff just by comparing the assembly with the c source.  For something that you have no knowledge of then you have to fish around looking for strings or other things.  It seems most of the people here (except Adron) had prior knowledge of what they were looking for already (i.e. a sha-1 hash function, a cdkey decode routine, a checkrevision rountine, etc).  It's much easier to work that way IMO if you do have that resource.  I forgot how I stumbled upon the mov cl, SID thing.  I think I searched for 51h set a bp then waited it for it to break.  Then I noticed this with other packets and from there search for other things because I had some knowledge of the protocol.

Banana fanna fo fanna

#12
July 26, 2004, 04:32 PM
How'd you find the cdkey in memory?

Maddox

#13
July 26, 2004, 05:07 PM
Quote from: $t0rm on July 26, 2004, 04:32 PM
How'd you find the cdkey in memory?

Using a program like tsearch or something similar.
asdf.

Newby

#14
July 26, 2004, 09:29 PM
Tsearch can be found here for those who want to try it out. :)
- Newby

Quote[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote<TehUser> Man, I can't get Xorg to work properly.  This sucks.
<torque> you should probably kill yourself
<TehUser> I think I will.  Thanks, torque.
Print
|
Go Up Pages1 2
User actions