Post: In-depth tutorial: How to find G_Client
Options
11-06-2015, 03:22 AM
#1
John
skid
And next we wait for IDA to finish analyzing our ELF, this can take a few minutes, once done you'll see "idle" at the bottom left
After that is done, you'll go into Views, Open sub views, then click "Strings"
Once it's done loading the strings you need to press ALT+T or go to Search, then Search
And in that dialog box that will open you up, we will write "numPlayers" then hit enter or OK
It should then bring you to a string which contains numPlayers, but that's not what we want, we want just the whole string.
So, to get there, all you have to do is press CTRL+T or go to Search, then Search again, until you see just the whole string.
Once found, double click it. You'll then see something like this
Double click the sub_* on the right of your string (numPlayers), should bring you to something like this.
Once done, you'd want to scroll up until you see something like(Doesn't have to be exactly the same) this..
But what if you when you scroll up, it doesn't look similar to that? What do you do then?
You'll go back to the string, and click the part on the left near the address, then press X or right click and click "Jump to xref to operand"
After that, you'll get a dialog with all of these places where the string was referenced, we'd simply click each of them
and check to see if they look similar to that other screen shot from above. Luckily here it was the second one.
Once you find the correct one which looks similar to the one above, you found your address.
The first part that is highlighted is the size of G_Client (interval) and the second is the actual address.
And that's all for now!
Last edited by
John ; 11-06-2015 at 03:26 AM.
The following 25 users say thank you to John for this useful post:
11-06-2015, 03:38 AM
#2
SC58
Former Staff
Originally posted by John
So we start by opening IDA and loading our ELF for BO3 (any update should work)
And next we wait for IDA to finish analyzing our ELF, this can take a few minutes, once done you'll see "idle" at the bottom left
You must login or register to view this content.
After that is done, you'll go into Views, Open sub views, then click "Strings"
You must login or register to view this content.
Once it's done loading the strings you need to press ALT+T or go to Search, then Search
You must login or register to view this content.
And in that dialog box that will open you up, we will write "numPlayers" then hit enter or OK
You must login or register to view this content.
It should then bring you to a string which contains numPlayers, but that's not what we want, we want just the whole string.
So, to get there, all you have to do is press CTRL+T or go to Search, then Search again, until you see just the whole string.
You must login or register to view this content.
Once found, double click it. You'll then see something like this
You must login or register to view this content.
Double click the sub_* on the right of your string (numPlayers), should bring you to something like this.
You must login or register to view this content.
Once done, you'd want to scroll up until you see something like(Doesn't have to be exactly the same) this..
You must login or register to view this content.
But what if you when you scroll up, it doesn't look similar to that? What do you do then?
You'll go back to the string, and click the part on the left near the address, then press X or right click and click "Jump to xref to operand"
You must login or register to view this content.
After that, you'll get a dialog with all of these places where the string was referenced, we'd simply click each of them
and check to see if they look similar to that other screen shot from above. Luckily here it was the second one.
You must login or register to view this content.
Once you find the correct one which looks similar to the one above, you found your address.
You must login or register to view this content.
The first part that is highlighted is the size of G_Client (interval) and the second is the actual address.
And that's all for now!
And next we wait for IDA to finish analyzing our ELF, this can take a few minutes, once done you'll see "idle" at the bottom left
After that is done, you'll go into Views, Open sub views, then click "Strings"
Once it's done loading the strings you need to press ALT+T or go to Search, then Search
And in that dialog box that will open you up, we will write "numPlayers" then hit enter or OK
It should then bring you to a string which contains numPlayers, but that's not what we want, we want just the whole string.
So, to get there, all you have to do is press CTRL+T or go to Search, then Search again, until you see just the whole string.
Once found, double click it. You'll then see something like this
Double click the sub_* on the right of your string (numPlayers), should bring you to something like this.
Once done, you'd want to scroll up until you see something like(Doesn't have to be exactly the same) this..
But what if you when you scroll up, it doesn't look similar to that? What do you do then?
You'll go back to the string, and click the part on the left near the address, then press X or right click and click "Jump to xref to operand"
After that, you'll get a dialog with all of these places where the string was referenced, we'd simply click each of them
and check to see if they look similar to that other screen shot from above. Luckily here it was the second one.
Once you find the correct one which looks similar to the one above, you found your address.
The first part that is highlighted is the size of G_Client (interval) and the second is the actual address.
And that's all for now!
i still don't understand video tut plsss
11-06-2015, 04:13 AM
#4
Devious
Treasure hunter
Originally posted by John
So we start by opening IDA and loading our ELF for BO3 (any update should work)
And next we wait for IDA to finish analyzing our ELF, this can take a few minutes, once done you'll see "idle" at the bottom left
You must login or register to view this content.
After that is done, you'll go into Views, Open sub views, then click "Strings"
You must login or register to view this content.
Once it's done loading the strings you need to press ALT+T or go to Search, then Search
You must login or register to view this content.
And in that dialog box that will open you up, we will write "numPlayers" then hit enter or OK
You must login or register to view this content.
It should then bring you to a string which contains numPlayers, but that's not what we want, we want just the whole string.
So, to get there, all you have to do is press CTRL+T or go to Search, then Search again, until you see just the whole string.
You must login or register to view this content.
Once found, double click it. You'll then see something like this
You must login or register to view this content.
Double click the sub_* on the right of your string (numPlayers), should bring you to something like this.
You must login or register to view this content.
Once done, you'd want to scroll up until you see something like(Doesn't have to be exactly the same) this..
You must login or register to view this content.
But what if you when you scroll up, it doesn't look similar to that? What do you do then?
You'll go back to the string, and click the part on the left near the address, then press X or right click and click "Jump to xref to operand"
You must login or register to view this content.
After that, you'll get a dialog with all of these places where the string was referenced, we'd simply click each of them
and check to see if they look similar to that other screen shot from above. Luckily here it was the second one.
You must login or register to view this content.
Once you find the correct one which looks similar to the one above, you found your address.
You must login or register to view this content.
The first part that is highlighted is the size of G_Client (interval) and the second is the actual address.
And that's all for now!
And next we wait for IDA to finish analyzing our ELF, this can take a few minutes, once done you'll see "idle" at the bottom left
After that is done, you'll go into Views, Open sub views, then click "Strings"
Once it's done loading the strings you need to press ALT+T or go to Search, then Search
And in that dialog box that will open you up, we will write "numPlayers" then hit enter or OK
It should then bring you to a string which contains numPlayers, but that's not what we want, we want just the whole string.
So, to get there, all you have to do is press CTRL+T or go to Search, then Search again, until you see just the whole string.
Once found, double click it. You'll then see something like this
Double click the sub_* on the right of your string (numPlayers), should bring you to something like this.
Once done, you'd want to scroll up until you see something like(Doesn't have to be exactly the same) this..
But what if you when you scroll up, it doesn't look similar to that? What do you do then?
You'll go back to the string, and click the part on the left near the address, then press X or right click and click "Jump to xref to operand"
After that, you'll get a dialog with all of these places where the string was referenced, we'd simply click each of them
and check to see if they look similar to that other screen shot from above. Luckily here it was the second one.
Once you find the correct one which looks similar to the one above, you found your address.
The first part that is highlighted is the size of G_Client (interval) and the second is the actual address.
And that's all for now!
Nice tut johnnyboi =3
nice tut anyways
11-06-2015, 05:18 AM
#8
RF0oDxM0Dz
You talkin to me?
Copyright © 2024, NextGenUpdate.
All Rights Reserved.
