[Tutorial] Search EDF structures in IDA Pro 7.0

[ivanlamega]

After several weeks examining with IDA Pro the binary DBO.exe I have managed to find structures of the edf tables for the Taiwan client.I have done this tutorial using IDA Pro 7.0 with Hex RaysTo find them yourself follow these steps:

1) Open IDA Pro and when a window appears choose the option "New" and find your DBO.exe, choose it and click on open.

Spoiler:

2) The following window will appear and you should leave the data as you see it in the image and then click on Ok (if a warning message appears just press Ok):

Spoiler:

IDA will start analyzing the binary, this may take a little time depending on your computer.You can see the progress here:

Spoiler:

3) Once IDA finishes analyzing we can start looking for the structures

Let's look for the structure of "table_world_data"

4) We go to Search -> sequence of bytes ... and look for "worldtable" without quotes and give ok and then yes

Spoiler:

5) Select the option that resembles the image and double click, this will lead to an address in memory:

Spoiler:

We will arrive at a place like this

Spoiler:

6) If we read right just above there is a function that looks a lot like what we are looking for "WorldTable":

Spoiler:

7) We select it and press the X key on the keyboard and a window like this will appear:

Spoiler:

8) In that same window we double-click the first option and it will take us to this address marked in gray:

Spoiler:

9) Select the option indicated by the red arrow and press the X key again:

Spoiler:

10) We double click on the option that appears and will take us to the following address:

Spoiler:

11) If we look above we will see the name of the structure:

Spoiler:

12) If we look below we will see a list of dd offset...

Spoiler:

13) If we count 5 from the bottom up, we will position ourselves in this function:

Spoiler:

14) We double click on the selected function and it will take us to its definition:

Spoiler:

15) Pressing F5 Hex rays will decompile the selected function:

Spoiler:

16) We will see a function automatically renamed by IDA and in it we will see its arguments, we select with a click the second argument (the one that indicates the red arrow in the image)we right click on the selected argument and click on Create new struct type

Spoiler:

17) And by magic we will obtain the structure of the EDF:

Spoiler:

To find the rest of the structures, repeat the steps with a new table.

I hope you find it helpful, it took me a long time to find this, I hope you get the most out of it. If you learn something new by following the tutorial, be kind and share it here to continue learning.




Note: If we go to Search -> sequence of bytes ... and type "table_" without quotes and mark the following options

Spoiler:

and then we give Ok and then yes we can see all the names of tables that load the game

Spoiler:

[MentaL]

[SSJGodHero]

Just one thing, the images don't work xD

Regardless, this was a great tutorial! Keep it up! :D

[ivanlamega]

The images do work, you must click on the "show" button of the spoiler.

[SSJGodHero]

Ah yeah sorry! It was a problem from my browser XD

[ivanlamega]

No problem

[SSJGodHero]

One thing I noticed when using this method to get the EDF structures is that when you decompile the assembly to get the structure, the structure includes the padding inside the EDF.