[Tutorial] Search EDF structures in IDA Pro 7.0

[ivanlamega]

After several weeks examining with IDA Pro the binary DBO.exe I have managed to find structures of the edf tables for the Taiwan client.I have done this tutorial using IDA Pro 7.0 with Hex RaysTo find them yourself follow these steps:

1) Open IDA Pro and when a window appears choose the option "New" and find your DBO.exe, choose it and click on open.

Spoiler

2) The following window will appear and you should leave the data as you see it in the image and then click on Ok (if a warning message appears just press Ok):

Spoiler

IDA will start analyzing the binary, this may take a little time depending on your computer.You can see the progress here:

Spoiler

3) Once IDA finishes analyzing we can start looking for the structures

Let's look for the structure of "table_world_data"

4) We go to Search -> sequence of bytes ... and look for "worldtable" without quotes and give ok and then yes

Spoiler

5) Select the option that resembles the image and double click, this will lead to an address in memory:

Spoiler

We will arrive at a place like this

Spoiler

6) If we read right just above there is a function that looks a lot like what we are looking for "WorldTable":

Spoiler

7) We select it and press the X key on the keyboard and a window like this will appear:

Spoiler

8) In that same window we double-click the first option and it will take us to this address marked in gray:

Spoiler

9) Select the option indicated by the red arrow and press the X key again:

Spoiler

10) We double click on the option that appears and will take us to the following address:

Spoiler

11) If we look above we will see the name of the structure:

Spoiler

12) If we look below we will see a list of dd offset...

Spoiler

13) If we count 5 from the bottom up, we will position ourselves in this function:

Spoiler

14) We double click on the selected function and it will take us to its definition:

Spoiler

15) Pressing F5 Hex rays will decompile the selected function:

Spoiler

16) We will see a function automatically renamed by IDA and in it we will see its arguments, we select with a click the second argument (the one that indicates the red arrow in the image)we right click on the selected argument and click on Create new struct type

Spoiler

17) And by magic we will obtain the structure of the EDF:

Spoiler

To find the rest of the structures, repeat the steps with a new table.

I hope you find it helpful, it took me a long time to find this, I hope you get the most out of it. If you learn something new by following the tutorial, be kind and share it here to continue learning.




Note: If we go to Search -> sequence of bytes ... and type "table_" without quotes and mark the following options

Spoiler

and then we give Ok and then yes we can see all the names of tables that load the game

Spoiler

 

[SSJGodHero]

Just one thing, the images don't work xD

Regardless, this was a great tutorial! Keep it up!

 

[ivanlamega]

The images do work, you must click on the "show" button of the spoiler. :

 

[SSJGodHero]

Ah yeah sorry! It was a problem from my browser XD

 

[ivanlamega]

No problem

 

[SSJGodHero]

One thing I noticed when using this method to get the EDF structures is that when you decompile the assembly to get the structure, the structure includes the padding inside the EDF.

 

[chusski02]

Congrats and thx for sharing ^^