Dia2Dump.exe is a program that dumps information from a .pdb, a file that is generated when you compile
something (if the compiler option is set). It contains a lot of information about the entire source.
Open up CMD.exe, navigate to the directory of Dia2Dump and your PDB, and type:
Dia2Dump -all PDB_NAME.pdb > "PDB_NAME_DUMPED.txt"
and it will dump the entire pdb. (Use the quotes around PDB_NAME_DUMPED)
After it's finished, open it up in WordPad and find your function, MMatchServer::OnUserWhisper.
Code:
PublicSymbol: [00012050][0001:00011050] ?OnUserWhisper@MMatchServer@@IAEXABUMUID@@PAD11@Z(protected: void __thiscall MMatchServer::OnUserWhisper(struct MUID const &,char *,char *,char *))
12050 is the address, but you'll need to add the base. In this case, you just put a "4" in front (giving 412050), but in some cases you'll need to put "40" in front.
Before you open up OllyDbg, move the pdb to the same directory as the matching .exe so Olly can parse the .pdb and make it easier for you.
Open up the .exe in Olly, wait for it to finish analyzing, and press "CTRL + G" and type in:
412050 and hit enter. It'll bring you to MMatchServer::OnUserWhisper's function. It should look like this:
Code:
CPU Disasm
Address Hex dump Command Comments
00412050 ┌$ 6A FF PUSH -1 ; MatchServer.MMatchServer::OnUserWhisper(uidComm,pszSenderName,pszTargetName,pszMessage)
00412052 │. 68 E10A4F00 PUSH MatchServer.004F0AE1
00412057 │. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0041205D │. 50 PUSH EAX
0041205E │. 64:8925 000000 MOV DWORD PTR FS:[0],ESP ; Installs SE handler 4F0AE1
00412065 │. 83EC 10 SUB ESP,10
00412068 │. 8B4424 24 MOV EAX,DWORD PTR SS:[ARG.2]
(See the comments column? Olly 2.1 analyzed the pdb and helped a fuck load)
Now, open a new OllyDbg window and open the .exe you need the addresses for.
The key to finding new addresses is to copy a unique run of instructions that contains NO ADDRESSES AT ALL (for example, avoid JMP 42a230 or MOV EAX, 42a230,
because addresses differ between the two builds) from the first OllyDbg you opened (see above) and binary search it in the .exe you need the address for.
So, go to the first OllyDbg window (where it says "; MatchServer.MMatchServer::OnUserWhisper(uidComm,pszSenderName,pszTargetName,pszMessage)")
and copy this:
Code:
CPU Disasm
Address Hex dump Command Comments
0041206C │. 56 PUSH ESI
0041206D │. 8BF1 MOV ESI,ECX
0041206F │. 897424 04 MOV DWORD PTR SS:[LOCAL.6],ESI
00412073 │. 8D50 01 LEA EDX,[EAX+1]
00412076 │> 8A08 ┌MOV CL,BYTE PTR DS:[EAX]
00412078 │. 40 │INC EAX
00412079 │. 84C9 │TEST CL,CL
(right click -> edit -> binary copy)
Go to the other OllyDbg window (the one you need addresses for) and scroll ALL the way up. Make sure you untick "Entire block" and make sure "Forward" is ticked.
Press "CTRL + B" and paste it in the "HEX +00" box, then press "Search".
Good, it found something. Scroll up to the "PUSH -1" (this is the beginning of the function)
and look at all the instructions in BOTH OllyDbg windows. If they look the same, chances are it is the same function.
(HOWEVER, at times different functions do look the same, so don't always blame your code; just go back into Olly and compare
the functions above and below, and check out a few calls in the same place.)
Now:
Code:
CPU Disasm
Address Hex dump Command Comments
004219D0 ┌$ 6A FF PUSH -1 ; MatchServer.004219D0(guessed Arg1,Arg2,Arg3,Arg4)
It has 4 parameters and MMatchServer::OnUserWhisper has 4 parameters, so we may have our address.
"0x004219D0" is the address. (REMEMBER, OllyDbg uses hexadecimal, so add the "0x00" in front of the address.)
And that's how you find addresses. You can also do the same in Gunz.exe.
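The binary search and "scroll up to PUSH -1" steps above, written as a script. This is an added example, not part of the original post. The signature bytes are the ones copied from the disassembly above; the sample buffer, the section address 0x421000 and the handler value 0x00500000 are constructed so that it runs without any real binary.

```python
# Added example: signature scan over a constructed buffer (no real binary is read).
# Bytes copied from the known build (0041206C..00412079 above); no absolute addresses.
SIGNATURE = bytes.fromhex("56 8BF1 89742404 8D5001 8A08 40 84C9")
PROLOGUE = bytes.fromhex("6AFF 68")  # PUSH -1 ; PUSH imm32 (SEH handler)

def find_all(image, pattern):
    """Every offset where pattern occurs; more than one means it is not unique."""
    hits, pos = [], image.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = image.find(pattern, pos + 1)
    return hits

def function_start(image, hit, max_back=64):
    """Scroll up from the hit to the nearest PUSH -1 / PUSH imm32 prologue."""
    start = image.rfind(PROLOGUE, max(0, hit - max_back), hit)
    return None if start == -1 else start

def locate(image, section_va):
    """Virtual address of the function containing SIGNATURE, or raise."""
    hits = find_all(image, SIGNATURE)
    if len(hits) != 1:
        raise ValueError(f"{len(hits)} matches: extend the signature until it is unique")
    start = function_start(image, hits[0])
    if start is None:
        raise ValueError("no prologue found before the match")
    return section_va + start

def build_function(handler_va):
    """Constructed copy of the function head with a caller-chosen handler address."""
    return (PROLOGUE + handler_va.to_bytes(4, "little")
            + bytes.fromhex("64A100000000 50 64892500000000 83EC10 8B442424")
            + SIGNATURE)

# Constructed "other build": padding, then the function at offset 0x9D0.
SECTION_VA = 0x421000                      # assumed load address of this buffer
SAMPLE = b"\xCC" * 0x9D0 + build_function(0x00500000) + b"\xCC" * 16

if __name__ == "__main__":
    print(hex(locate(SAMPLE, SECTION_VA)))
```

A match count other than one is the scripted form of the warning above that different functions can look the same: lengthen the signature or compare the neighbouring functions before trusting the address.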