Well, this is a tutorial in which I improve on a tutorial already created by @weertoop. For this tutorial I used Cheat Engine 6.7 and IDA Pro 7.0.
To begin, you must follow the entire @weertoop tutorial up to step 8, and then up to step 5 of the update (we will use the same packet as in that tutorial, GU_SKILL_LEARN_RES).
http://forum.ragezone.com/f881/tutorial-tw-client-structs-1165376/
Once you have copied the address of the opcode whose structure you want to know, follow my tutorial up to step 2:
http://forum.ragezone.com/f881/search-edf-structures-ida-pro-1165810/
1) Now, with the address copied and IDA Pro open, go to IDA and press the G key. A window will open where we must paste the previously copied address and press OK.
2) We will arrive at the beginning of the function that contains the packet:
3) Press F5 to decompile the function. When it finishes, we will see that the function has an argument (it can have more than one).
4) Select the function argument, right-click, and then click Create new struct type.
6) And we will get the packet structure:
I hope the tutorial helps you; this also took me time to discover. Enjoy it.
Note: Unfortunately, this method cannot find all the packets; it only works for most packets sent by the server (there are server packets that do not appear).
Update:
This is another way to find opcodes through their value; it will require a little more effort on your part.
There are opcodes that appear through this search which do not appear in the previous one. That's why I made this tutorial.
Even so, there are still opcodes that don't appear.
Again we will use the opcode GU_SKILL_LEARN_RES in this tutorial; you can use the same method for any other opcode you want.
1) To start, we must know the value of the opcode. GU_SKILL_LEARN_RES has the opcode number 5073. At the bottom of IDA we can see the Python console; we convert the opcode from decimal to hexadecimal by writing "hex(5073)" in the console.
Press Enter and we will see its hexadecimal value.
2) We select it and copy it
3) Then we click on Search -> immediate value...
4) A window will open; paste the copied value, select the same options that appear in the image, and click OK. Wait for the search to finish.
5) When the search finishes, a tab like the one in the image will open.
6) The values that interest us are those that say "push (hexadecimal opcode)h", in this case "push 13D1h".
What we will do is double-click each value until we find something like what appears in the image:
The value that is highlighted in yellow is the same value that we are looking for
7) Without touching anything else, press F5 to decompile and we should see something like this:
As we can see, if we leave the cursor on an assembly line (in this case on the value we are looking for), IDA automatically takes us to the line that represents that code when decompiling.
8) Now we see that IDA takes us to a function with two arguments; the second argument is another function. Click on that function (i.e., on the second argument).
9) We will arrive at a tab like the one in the image, and the second argument contains the structure we are looking for.
10) Now we follow the first tutorial, from step 4.
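Why the immediate-value search in the update returns several hits and only the `push` ones matter, as an added example that is not part of the original post: the opcode 5073 is stored as the little-endian bytes `D1 13 00 00`, and `push imm32` is that immediate preceded by the byte `68`. The sample bytes and the load address are constructed for illustration, and the function names are hypothetical; unlike IDA, this scans raw bytes without disassembling, so a `68` that is really the tail of another instruction would be misreported.

```python
import struct

GU_SKILL_LEARN_RES = 5073   # opcode number from the tutorial, hex(5073) == '0x13d1'
PUSH_IMM32 = 0x68           # x86 encoding "68 id" = push imm32

# Constructed sample code (not taken from any real client), assumed loaded at BASE.
BASE = 0x401000
SAMPLE = bytes.fromhex(
    "55"            # push ebp
    "8bec"          # mov  ebp, esp
    "b8d1130000"    # mov  eax, 13D1h
    "3dd1130000"    # cmp  eax, 13D1h
    "68d1130000"    # push 13D1h   <- the kind of hit step 6 looks for
    "e800000000"    # call $+5
    "5d"            # pop  ebp
    "c3"            # ret
)

def immediate_hits(code, value, base=0):
    """Classify every 32-bit little-endian occurrence of `value` in `code`.

    Returns (address, kind) pairs. `address` is that of the byte just before
    the immediate; `kind` is "push" when that byte is the push-imm32 opcode
    and "other" for any other instruction carrying the same immediate.
    """
    needle = struct.pack("<I", value)
    hits = []
    pos = code.find(needle)
    while pos != -1:
        is_push = pos > 0 and code[pos - 1] == PUSH_IMM32
        hits.append((base + pos - 1, "push" if is_push else "other"))
        pos = code.find(needle, pos + 1)
    return hits

def push_sites(code, value, base=0):
    """Addresses worth jumping to (G key) and decompiling: the push hits only."""
    return [addr for addr, kind in immediate_hits(code, value, base)
            if kind == "push"]

if __name__ == "__main__":
    for addr, kind in immediate_hits(SAMPLE, GU_SKILL_LEARN_RES, BASE):
        print(f"{addr:#x}  {kind}")
```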