Getting Started With Disassembly

R.a.B.B.i.T · June 16, 2005, 10:31 PM

<newbishrant>Alrighty, I've read a bit about this so far, but I'm gonna ask anyway: how should I go about disassembling things? Specifically, at the moment, such things as storm.dll. I am deeply interested this now (mostly because of the text-display thread in botdev), and I'm curious. I've got what I need (or so Google says), but I still don't know where to start. Sooooo, any help?</newbishrant>

Blaze · June 16, 2005, 11:44 PM

I would suggest IDA as your disassembler. Its the best I've ever seen.

Eric · June 17, 2005, 01:58 AM

Quote from: rabbit on June 16, 2005, 10:31 PM
<newbishrant>Alrighty, I've read a bit about this so far, but I'm gonna ask anyway: how should I go about disassembling things? Specifically, at the moment, such things as storm.dll. I am deeply interested this now (mostly because of the text-display thread in botdev), and I'm curious. I've got what I need (or so Google says), but I still don't know where to start. Sooooo, any help?</newbishrant>

It depends on what exactly it is that you're attempting to reverse.

OnlyMeat · June 17, 2005, 08:44 AM

Quote from: rabbit on June 16, 2005, 10:31 PM
I am deeply interested this now (mostly because of the text-display thread in botdev), and I'm curious.

Well if you want to find the function that displays text in sc for example, you could follow a procedure like this:-

(1) Download/install tools. softice(debugger) + memory searcher tool - TSearch/Cheat-o-matic (just something simple to search for strings in sc's address space).

(2) Run starcraft and load [memory searcher tool] attaching to Starcraft.exe. Now type in a string of text in a sc game, then quicky alt+tab to [memory searcher tool] and search for the string you just typed.

Once you find it make a note of the address. Note searching for values can give multiple candidate addresses sometimes so you might need to do it a few times and test the various result addresses.

In theory the address should point to the memory location where the string is being stored.

(3) Load up softice(ctrl+d), bpm(break-point memory access) [address] then type X to continue execution. You then need to type another string into sc. If everything went well softice should popup a break point on the address you specified in the bpm command.

(4) Now if you get that far, you are in business because you can now trace the call stack for that memory address access. Softice has various tracing commands and a call stack display, to display the call stack type STACK. From there you can find out exactly what calls where made.

(5) After doing some call stack tracing you should beable to find the function ordinals you want for displaying text in sc.

This is just off the top of my head remember. It may not be the exact procedure, but it will be something like this. Atleast thats how i would approach it.

R.a.B.B.i.T · June 17, 2005, 06:31 PM

I'm using IDA, WinDbg, and TSearch. SoftICE is....hard to obtain. And yes, atm I'm focusing on doing some reversing on Starcraft, mostly because help is so redily available for that specific project (ie: here).

NicoQwertyu · June 17, 2005, 08:20 PM

I just got Softice today. My computer locks up when running it, however. Softice works though -- regardless of if Windows does!

OnlyMeat · June 17, 2005, 11:12 PM

Quote from: rabbit on June 17, 2005, 06:31 PM
I'm using IDA, WinDbg, and TSearch. SoftICE is....hard to obtain. And yes, atm I'm focusing on doing some reversing on Starcraft, mostly because help is so redily available for that specific project (ie: here).

If you really want softice, i can send you the numega suite. I think it's like 150mb or something.

Kp · June 17, 2005, 11:15 PM

Start at 401000.

OnlyMeat · June 18, 2005, 12:08 AM

Quote from: Kp on June 17, 2005, 11:15 PM
Start at 401000.

I think he wants to learn to disassemble, not just given the offsets.

Warrior · June 18, 2005, 12:21 AM

Nothing wrong with a gentle shove

tA-Kane · June 18, 2005, 02:01 AM

I use IDA + OllyDbg + Notepad.

In my opinion, your best bet to "getting started with disassembly" is to write a small program (hello world should work fine). Open it in IDA and go from there. If you've written other small programs, open them up as well and see if you can make heads or tails out of it.

If you're going more for the ... ermm ... devious ... side of things, you could get a buddy of yours to write a small program and have you try to crack it. I found that to be an excellent jump-start into being ... devious.

R.a.B.B.i.T · June 18, 2005, 02:42 PM

I found the offsets in Starcraft (Warrior said "search for stuff you type", then I found the GameThread tut, why'd I have to do it the hard way?). I was also changing the text using TSearch, but the tut talked about timers and shit...and I don't want to deal with them yet. I do want SoftICE, but couldn't you just F3 the numega site for the installer/download w/e?

Soul Taker · June 18, 2005, 03:41 PM

Last I knew, they it cost money to obtain it from their site.

R.a.B.B.i.T · June 18, 2005, 07:44 PM

Hence the old saved site....

Darkness · June 23, 2005, 01:43 PM

I found this website, might be interesting to you:
http://members.home.nl/code.inside/tutorials.html

Getting Started With Disassembly

R.a.B.B.i.T

OnlyMeat

R.a.B.B.i.T

OnlyMeat

OnlyMeat

R.a.B.B.i.T

R.a.B.B.i.T

Darkness