# [Tutorial] How to find simple stuff (WoW Memory Editing forum)

## nopz

Hello,

I've been here for some time now and have decided to start learning things instead of asking for offsets and such.
I found a very good topic on the GD forums, "How to find stuff" (How to find stuff - Game Deception - Forums) by *bobbysing*.

Today I decided to take the time to write a short tutorial, at my level of knowledge, about how to find something with IDA.
For those who know IDA: this thread will talk about the Strings window and how to read subs.

Most of you already know the things I'm going to explain, but this thread is mostly for all the users who are or were like me, searching for things here and not doing it on their own.

It is my contribution to *wraithZX*'s alert about people here.

Quote from wraithZX (http://www.mmowned.com/forums/wow-me...ml#post1687462)



> what I'd like to see in the forum is more questions about how to find them yourself, not just what the actual values are. Those sorts of questions do a lot more for the community as a whole, in the sense that they end up spreading knowledge, compared to threads continually asking for stuff that changes patch after patch.




So here we go, what you need is:

- *Ida Pro* (IDA Pro Disassembler - multi-processor, windows hosted disassembler and debugger)
- *Hex-Rays* (Hex-Rays Decompiler) <- optional
- *wow.exe* .. 3.2.2 here


Step 1 - Opening "wow.exe" with IDA.
First, open IDA Pro; do not forget to run it as administrator if you're using Windows Vista or 7.
We have to open wow.exe with IDA to tell IDA that we want to disassemble the file, so we can start searching for stuff.
Here you just have to click "File..Open..", select the binary 'wow.exe' and click Open.

If you get a popup after clicking Open, select Portable Executable File (PE).
It takes some time for IDA to disassemble the binary, so go grab a cup of coffee and wait.




Step 2 - The strings window.
So at this point you should have IDA Pro open with an analyzed wow.exe. What we want is to search for something; at this point the easiest way to find something with our poor knowledge is to look at the 'Strings window'.

- Hit "Shift + F12" and wait a moment. This generates what we call strings.
We will use that window to search for something.

So what you'll do is locate the string "GetMinimapZoneText":

- Hit "Alt + T" type "GetMinimapZoneText".
- Ctrl + T if you want to move to the next occurrence.

You should obtain something like this.




Step 3 - Where is dA c0d3 ?.
Double-click the "GetMinimapZoneText" line; this brings you to the IDA "View-A" of the code.
To access the sub view of the code you have to click on the .data address.




Step 4 - Show me dA c0d3 !!.
So now you have IDA pointing at the "GetMinimapZoneText" .data:address.
To view the asm code and start working on your own you have to click on the "sub_ADDRESS".




Step 5 - What now ?!?.
In the View-A of IDA you have the asm code representing our function.
You have to start reversing on your own now. In this example we have our "GetMinimapZoneText" function located at 0x113D778. I have the "Hex-Rays" plug-in, so hitting "F5" shows me the C pseudocode.



And finally, in C#:



```csharp
// Read the pointer stored at the address found in IDA, then the ASCII string it points to (up to 30 bytes).
string minimapZoneText = SMemory.ReadASCIIString(mp.WindowHandle, SMemory.ReadUInt(mp.WindowHandle,0x113D778), 30);
Console.WriteLine("GetMinimapZoneText : " + minimapZoneText);
```

Credit goes to all of you who want to learn things like me; the others are not smart enough to understand things...
I'm pretty sure this thread is not perfect, feel free to edit / discuss / comment.

Special thanks:
Apoc (because he's an awesome guy)
kynox (his blog / work is also awesome)
Cypher (love the blog)
wraithZX
unkn0wn0x (because I'm sure the Aion bot is going to be good)

----------


## P1raten

Looking good. +rep x3

----------


## Viano

> Please don't encourage people to pirate IDA and Hex-rays.


Please use your powers to produce tutorials like that. Thank you.

@nopz:

Awesome. Thank you very much +Rep.

----------


## lanman92

A quick way to find lua_DoString:

Go to the lua function "RunScript". The last call made by this function is DoString(basically...).

----------


## Ohsnap

Easy to understand language;
Listed commands with step by step instructions;
Descriptive pictures regarding topic.

Two words Nopz, "High Five".

----------


## grosfilsdepute

Thanks man, +Rep

----------


## GordonGekko

Hi,
first of all, thx a lot. This is very helpful for me as a beginner. I hope it is fine if I ask for one more example in addition.

Well, what I am trying to do is find the memory location where the string of the "ingame group chat" is stored. So finally my target is to read the last line of the group chat and write it into a .txt file. Unfortunately I am not really sure where I have to start. So would somebody be so kind and explain to me how I can achieve that with IDA?

Sorry for these basic questions but I am just starting with IDA.

Thanks a lot
Gordon

----------


## blackmagic45

Great work nopz, people might actually learn something.

----------


## lon3vman

This is one of the best posts I've come across for IDA so far. Much appreciated. Simple, clear, concise. +Rep

----------


## Tanaris4

@nopz great post - any idea why on the mac binary I get nothing in the strings list? http://dump.ifeedr.com/WoWBinaries/W...t%203.2.2a.zip

Edit: Where can I purchase the Hex-rays IDA plugin that shows pseudocode?

Edit 2: Found it, yea can't afford that lol, but looks nice

----------


## b0t001

great post, easy to follow and explains everything well. thanks!

----------


## hestas

Thank you! Helped me tons ^^

----------


## zutto

not bad at all

----------


## Flowerew

This tutorial helped me a lot to figure out stuff on my own (I guess). Now I'm trying to dig a little deeper and looked for *GetPlayerMapPosition*. I tried to find the function that actually returns the position values. The following pictures show about everything I've "discovered" during my investigation:



So my question now is: am I going in the right direction, or is that complete bs? If I'm totally wrong please tell me. Best regards.

edit: Further testing

----------


## Krinje

You've let me get my foot in the door, so to speak, without asking those "broad" questions that are annoying for mods and such. This made lots of general concepts make sense to me. Thanks.

----------


## SuperRomu

Hello, I did something wrong, this is what I see

How can I advance to step 3? I'm stuck!

----------


## Krillere

I would like to know if this requires BlackMagic? And will it work in C++/CLI?

----------


## flo8464

-- Sorry double --

----------


## flo8464

> I would like to know if this requires BlackMagic? And will it work in C++/CLI?


What the **** .. ?
All he does is use a normal disassembler.

And why should anyone use C++/CLI except for integrating .NET-code into your C++-application? Go C++ or go C#.

----------


## Krillere

> What the **** .. ?
> All he does is using a normal disassembler.


I was thinking about the code..

----------


## SuperRomu

no one can help me?? plzz

----------


## nitrogrlie

> no one can help me?? plzz


Your IDA analysis didn't understand that data as a null-terminated string for some reason. Not sure... are you using the free version 4.9 or what?

----------


## flo8464

> I was thinking about the code..


ReadProcessMemory Function (Windows)

----------


## SuperRomu

> Your IDA analysis didn't understand that data as a null-terminated string for some reason. Not sure.. you using the free version 4.9 or what?


I tried with 4.9 and 5.1 but always get the same... tried on 2 different PCs with Win XP SP3

----------


## Krillere

> ReadProcessMemory Function (Windows)


Basically: search the minimap text address, and I'll get the minimap name? I already know ReadProcessMemory, I just didn't know that I should use it in this case.

----------


## lanman92

Just ignore that, unless your whole code block+data is like that. There are some sections of it like that in mine as well.

----------


## attn

Really good tutorial. I wish there were more similar stuff here. Can't give rep but voting with 2 hands for "Sticky" ... just can't find the "Vote" button

----------


## nopz

Thank you for the replies, I thought this thread was forgotten ^^. I'm happy to see that it helped people learn to disassemble things by themselves.

----------


## DragonWaxter

simple yet very educational and useful, +rep from me; you should write more guides (it was very clear, and well-written guides are awesome)

----------


## kolis764

```csharp
mp.OpenProcessAndThread(SProcess.GetProcessFromProcessName("wow.exe"));

string minimapZoneText = SMemory.ReadASCIIString(mp.WindowHandle, SMemory.ReadUInt(mp.WindowHandle, 0xB6854C), 30);

Console.WriteLine("GetMinimapZoneText : " + minimapZoneText);
```

I have no idea why, but I am getting a null exception out of ReadASCIIString.
The only thing I've found out is that I have half a byte fewer than he has: I have 6 and he has 7.

----------


## xwinterx

yeah, this helped me a lot. By using this and another pic of the client connection, I am at least able to get my clientconnection and objmgr offset as well as the addresses I use for the mouse over interact. I don't have a lot of time to do stuff like this, but it seems this pointed me in the right direction. Now I just need to learn to use CE or something to help find offsets like animation state and player GUID info.

----------


## mongoosed

To the OP, a good followup would be describing a good way to evaluate unknown calls and see what they are doing. For example, using run until return and inserting code into the function to test variables (I'm actually not sure how one would test calls, to be honest ^^).

----------


## wormuz

Hello, I have some problems finding some offsets. Which string names may I use to find offsets for ClientConnection, ObjectManager, FirstObjectOffset and LocalGuidOffset?

Thanks

----------


## Crotaphytus112

> mp.OpenProcessAndThread(SProcess.GetProcessFromProcessName("wow.exe")); 
> 
> string minimapZoneText = SMemory.ReadASCIIString(mp.WindowHandle, SMemory.ReadUInt(mp.WindowHandle, 0xB6854C), 30);
> 
> Console.WriteLine("GetMinimapZoneText : " + minimapZoneText);
> 
> i have no idea why but am getting an null exception out of ReadASCIIString.
> The only thing i've found out is that i have half a byte than he has, i have 6 and he has 7.


Got the same address and the same problem

----------


## kolis764

post here if you or anyone else finds out, thanks : )

----------


## mnbvc

I just tried it, for me it's actually working.
Maybe you read too many bytes? Try something shorter than 30, 16 or whatever.

----------


## JuJuBoSc

> Got the same adress and the same problem


Not sure, but you're trying to pass WindowHandle; try with the process handle.

----------


## kolis764

wow that was actually pretty bad, thx bro : )

----------


## Grape

> Hello, I did something wrong, this is what I see
> 
> How can I advance to step 3? I'm stuck!


You need to wait a while for IDA to load up :]

----------


## WannaBeProgrammer

Sticky this

----------


## Screamer2010

Excellent, really helped push me in the right direction..

Many Thanks!!

----------


## theGardener

I'm broke, but not stupid.

Any other creative ways to do this if you don't have the $$$$$$$ to lay down for IDA, etc?

Anyone know of a student version or ??

thanks,

tG

----------


## Cypher

> I'm broke, but not stupid.
> 
> Any other creative ways to do this if you don't have the $$$$$$$ to lay down for IDA, etc?
> 
> Anyone know of a student version or ??
> 
> thanks,
> 
> tG


There is a free version of IDA available from the Hex-Rays website from memory.

There are also lots of other free disassemblers and debuggers. Just pick one!

----------


## barathrumm

Not one of the newest threads here, but a very nice tutorial indeed, thanks for the effort, gonna try this out asap

----------


## landon2051

Very nice job man +rep to this tut

----------


## NightZ

thanks helped me a lot

----------


## Jackie Moon

Looks good man +Rep x2

----------


## wormuz

Step #5 IDA Pro 5.2

What have i done wrong ?

----------


## ezqu24

oh my god, this is what I was looking for! very very nice post + rep

----------


## Unl3asehd

very nice tutorial, but I have a problem: I have no idea what code I should use to read the memory or select the process. Sorry for my bad English, but I hope someone understands my problem and I hope that someone can give me an example

----------


## L33ch

better late...

this is AWESOME!
HOW!? could I have missed this?? >.<

thanks a lot + rep

----------


## Neffarian

uhh so this means that in the 4.0.3 patch the offset for

minimapzonetext

`eax, dword_D8167C`

// how come this won't work...
The offsets that were listed in another post state that the address I'm looking for is this one.
However, via IDA, D8167C says that this is the correct address
0x98F68C

Is there some algorithm to calculate the address?

----------


## cvccbum

IDA's address is 0x00400000 over the address the forum members give you because the BaseAddress is different when running the program. I'm not sure in your case though.

----------


## Syltex

> is there, some algorithm to calculate the Address?


Sort of.. Just do "THE OFFSET YOU FOUND" - 40000 and you will get your working offset.

----------


## Nextlive

Very nice tutorial, especially for me as a beginner. I have only one question about your C# code. +Rep


```csharp
SMemory.ReadUInt(mp.WindowHandle,0x113D778), 30);
```

I cannot code a lot in C#, so... why do you write a "30" at the end of SMemory.ReadUInt? How do I know what number I have to enter there? I already read another tutorial about memory editing with C# and there it was a 12.
The command in the other tut was a little bit different:


```csharp
string Name = WoW.ReadASCIIString(0xAdress, 12);
```

Maybe someone can explain it to me or give me a reference so that I can look it up / learn it on my own?
Would be nice

----------
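What the trailing 30 (or 12) means, as an added example that is not from the thread or from the SMemory library: the number is the size of the buffer one read fills, and the string is whatever precedes the first NUL byte in it. The memory region below is constructed (not real game memory) to show the three outcomes a practitioner needs to plan for: a buffer that is too small truncates the name, one that fits returns it whole, and one that runs past the mapped region makes the whole read fail, which a chunked reader avoids.

```python
# Constructed stand-in for a small mapped region of a process (not real game memory):
# a zone name stored as a NUL-terminated ASCII string, followed by 5 bytes of filler.
REGION_BASE = 0x00C00000
REGION = b"Stormwind City\0" + b"\xff" * 5          # 20 bytes are mapped
REGION_END = REGION_BASE + len(REGION)


def read_bytes(address: int, count: int) -> bytes:
    """Simulated ReadProcessMemory: the whole range must be readable or the call fails."""
    if address < REGION_BASE or address + count > REGION_END:
        raise OSError("ReadProcessMemory failed: range touches unmapped memory")
    start = address - REGION_BASE
    return REGION[start:start + count]


def read_ascii_string(address: int, max_len: int) -> str:
    """One read of max_len bytes, then cut at the first NUL.
    max_len is a buffer size (an upper bound), not the length of the string."""
    raw = read_bytes(address, max_len)
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def read_fails(address: int, max_len: int) -> bool:
    """True if a single read of max_len bytes at address would fail."""
    try:
        read_bytes(address, max_len)
    except OSError:
        return True
    return False


def read_ascii_string_chunked(address: int, chunk: int = 8, limit: int = 256) -> str:
    """Read chunk bytes at a time until a NUL, the limit, or unreadable memory.
    A production reader would also shrink the chunk at page boundaries."""
    out = bytearray()
    while len(out) < limit:
        try:
            piece = read_bytes(address + len(out), chunk)
        except OSError:
            break                         # stop at unreadable memory, keep what we have
        nul = piece.find(b"\0")
        if nul != -1:
            out += piece[:nul]
            break
        out += piece
    return bytes(out[:limit]).decode("ascii", errors="replace")


if __name__ == "__main__":
    print(read_ascii_string(REGION_BASE, 12))        # "Stormwind Ci" (truncated)
    print(read_ascii_string(REGION_BASE, 15))        # "Stormwind City"
    print(read_fails(REGION_BASE, 30))               # True: 30 bytes > 20 mapped
    print(read_ascii_string_chunked(REGION_BASE))    # "Stormwind City"
```

----------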


## namreeb

With all due respect, you need to learn to program before you will be ready to enter this part of the forum.

----------


## sucu

Thanks, but I would like to learn about the offset-base relation of an address: what the offsets are, what the base is, and what operation is required to find the data. If someone could enlighten me, I'd appreciate it. It may be simple for an expert, but hard the first time.

(In before nerd rage, I'm not a programming newbie. Just new to memory editing.)

----------


## namreeb

> Thanks, but I would like to learn about the offset-base relation of an address: what the offsets are, what the base is, and what operation is required to find the data. If someone could enlighten me, I'd appreciate it. It may be simple for an expert, but hard the first time.
> 
> (In before nerd rage, I'm not a programming newbie. Just new to memory editing.)


My comment was directed at "Nextlive", not you. His post clearly indicates he is in over his head here.

----------


## ShadeTeK

Awesome! This is a great tutorial! Hopefully now I can know how to do this kind of stuff! Rep+

----------


## Flushie

Thank you guys, you are all awesome, I appreciate your help to the Newbs!!!

---------- Post added at 05:44 AM ---------- Previous post was at 05:42 AM ----------




> Step #5 IDA Pro 5.2
> 
> What have i done wrong ?


That is because the function called does not return to the caller, well, at least from what I read... It's not IDA screwing up; this feature was introduced in 5.1, hxxp://www.datarescue.com/idabase/ida51news.pdf




> NORET-ANALYSIS
> IDA performs the “no-return” analysis for all functions. It finds out if a particular function returns to the caller or not. This analysis greatly improves the listing quality because many wrong execution paths are detected and truncated at early stages. The user can use the Edit Function dialog box to assist IDA in difficult cases.
> 
> This analysis option can be turned on or off in the IDA.CFG file using the AF2_ANORET bit. By default it is active for the x86 processor.




---------- Post added at 05:52 AM ---------- Previous post was at 05:44 AM ----------




> Sort of.. Just do "THE OFFSET YOU FOUND" - 40000 and you will get you working offset.


Well, the base address you gave (not exactly the Base Address *but close*) is not always going to be 400000; it all depends on the compiler, and mostly on the PE loader: the loader decides where it will be mapped in. This is why we have 2 types of addresses, VA (on disk/file) and RVA (in memory). I believe (correct me if I am wrong) RVA = VA - BASE ADDRESS

---------- Post added at 05:54 AM ---------- Previous post was at 05:52 AM ----------




> You need to wait a while for IDA To load up :]


Is he in the Resource section (or is that what they call the data section, .rdata)?



Where is the C decompilation plugin?

----------
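The address arithmetic behind these replies (cvccbum's 0x400000 difference, Syltex's subtraction and Flushie's VA/RVA question), as an added example that is not from the thread: IDA displays virtual addresses relative to the ImageBase stored in the PE optional header, the "offsets" people post are RVAs (VA minus that ImageBase), and the address to read in the live process is the module's actual load base plus the RVA, which only equals the IDA address when the loader did not relocate the module. The PE header bytes are constructed (not from wow.exe), the IDA address 0xD8167C is the one from Neffarian's post, and the relocated base 0x1230000 is an assumed value.

```python
import struct

# Constructed, minimal PE32 header (NOT a real wow.exe): DOS header, "PE\0\0",
# a 20-byte COFF header and the start of the optional header, which holds ImageBase.
def build_fake_pe32_header(image_base: int) -> bytes:
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    # Magic, linker version (2 bytes), SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase
    opt = struct.pack("<HBBIIIIIII", 0x10B, 9, 0, 0x1000, 0x1000, 0,
                      0x1000, 0x1000, 0x2000, image_base)
    return dos + b"PE\0\0" + coff + opt


def read_image_base(data: bytes) -> int:
    """Return the preferred load address (ImageBase) from a PE file's headers.
    This is the base IDA uses for the addresses it displays."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20            # optional header follows the COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                 # PE32: 32-bit ImageBase at offset 28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:               # PE32+: 64-bit ImageBase at offset 24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return image_base


def va_to_rva(ida_va: int, image_base: int) -> int:
    """IDA's displayed address minus ImageBase: the 'offset' people post on the forum."""
    if ida_va < image_base:
        raise ValueError("address lies below the image base")
    return ida_va - image_base


def rebase(ida_va: int, image_base: int, runtime_base: int) -> int:
    """Address to use in the live process: where the loader actually mapped the
    module plus the RVA. Equals the IDA address only if the module was not relocated."""
    return runtime_base + va_to_rva(ida_va, image_base)


if __name__ == "__main__":
    base = read_image_base(build_fake_pe32_header(0x400000))
    print(f"ImageBase from header: {base:#x}")                        # 0x400000
    print(f"RVA of 0xD8167C:       {va_to_rva(0xD8167C, base):#x}")   # 0x98167c
    # Assumed example: the same module relocated by the loader to 0x1230000
    print(f"runtime address:       {rebase(0xD8167C, base, 0x1230000):#x}")  # 0x1bb167c
```

----------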


## sucu

> My comment was directed at "Nextlive", not you. His post clearly indicates he is in over his head here.


I didn't say that was for me. Many ppl prefer raging before helping. And my question is still up to date.

----------


## net7

Hey, I have a quick question. I'm looking at GetCorpseMapPosition



```asm
; sub_873A80
; Attributes: bp-based frame

; Start of method

var_28= qword ptr -28h
var_1C= qword ptr -1Ch
var_14= dword ptr -14h
var_10= byte ptr -10h
var_C= dword ptr -0Ch
var_8= dword ptr -8
var_4= dword ptr -4
arg_0= dword ptr  8

push    ebp
mov     ebp, esp
sub     esp, 1Ch
xorps   xmm0, xmm0
push    esi
lea     eax, [ebp+var_10]
push    eax
lea     ecx, [ebp+var_1C]
push    ecx             ; double
lea     edx, [ebp+var_4]
push    edx
movss   dword ptr [ebp+var_1C], xmm0
movss   dword ptr [ebp+var_1C+4], xmm0
movss   [ebp+var_14], xmm0
; Call to fnc(dword*, qword*, char*)
call    sub_82D640
mov     edx, [ebp+var_4]
push    0
push    0
push    0
lea     eax, [ebp+var_C]
push    eax
lea     ecx, [ebp+var_8]
push    ecx
push    edx
lea     eax, [ebp+var_1C]
push    eax
call    sub_871D50
fld     [ebp+var_8]
mov     esi, [ebp+arg_0]
fstp    [esp+48h+var_28]
add     esp, 20h
push    esi             ; int
call    sub_4359D0
fld     [ebp+var_C]
add     esp, 4
fstp    [esp+28h+var_28]
push    esi             ; int
call    sub_4359D0
add     esp, 0Ch
mov     eax, 2
pop     esi
mov     esp, ebp
pop     ebp
retn
; End of method
```

Hex-rays


```c
signed int __cdecl sub_873A80(int a1)
{
  double v3; // [sp+Ch] [bp-1Ch]@1
  char v5; // [sp+18h] [bp-10h]@1
  float v6; // [sp+1Ch] [bp-Ch]@1
  float v7; // [sp+20h] [bp-8h]@1
  int v8; // [sp+24h] [bp-4h]@1

  // Zero the floats/double
  __asm
  {
    xorps   xmm0, xmm0
    movss   dword ptr [ebp+var_1C], xmm0
    movss   dword ptr [ebp+var_1C+4], xmm0
    movss   [ebp+var_14], xmm0
  }
  // Calls a function fnc(dword *, qword *, char *)
  sub_82D640(&v8, &v3, &v5);
  // What does this do?
  sub_871D50(&v3, v8, &v7, &v6, 0, 0, 0);
  // Put Y on the return value?
  sub_4359D0(a1, v7);
  // Put X on the return value?
  sub_4359D0(a1, v6);
  return 2;
}
```

I don't understand exactly where or what function could possibly retrieve the x/y/z of the corpse. It seems to be sub_871D50, but when I looked at that, it was a veeeeery long function. Not much I could understand from it.
Any help please?

Thank you!

----------


## Flushie

> Hey, I have a quick question. I'm looking at GetCorpseMapPosition
> 
> 
> 
> ```
> ; sub_873A80
> ; Attributes: bp-based frame
> 
> //Start Method
> ...


Looks confusing. Question answered.

----------


## simplecan

Very usefull for me. Thank you!

----------


## ezqu24

very nice guide +rep! however how to find stuff like isingame? chatbuffer etc? :]

----------


## para_

> And finally in C# :
> 
> 
> 
> ```
> string minimapZoneText = SMemory.ReadASCIIString(mp.WindowHandle, SMemory.ReadUInt(mp.WindowHandle,0x113D778), 30);
> Console.WriteLine("GetMinimapZoneText : " + minimapZoneText);
> ```


Sorry for bumping this old thread, but I'm having trouble understanding how this C# code was gleaned. Any help is appreciated.

----------

