Skip to content

Instantly share code, notes, and snippets.

@Zeffuro

Zeffuro/FFXIVIdaGuide.md

Last active November 15, 2024 22:35
Download ZIP
FFXIV IDA Bruteforce Guide
Raw
FFXIVIdaGuide.md

IDA Bruteforce Guide (written by someone who is totally clueless and just wanted to get stuff working)

How to set up the environment.

  1. Get IDA Pro from somewhere, in this "guide" I use IDA Pro 7.5
  2. Install Python 3.5 or newer, in this "guide" I use Python 3.8.5
  3. Download pySigMaker.py or SigMaker, in this "guide" I use pySigMaker.
  4. Clone or download latest FFXIVClientStructs
  5. Copy pySigMaker.py in IDA Install Directory\Plugins

Dissassembling FFXIV

You will need to disassemble FFXIV every time patch if ffxiv_dx11.exe is updated.

  1. Open IDA Install Directory\ida64.exe

image

  1. Click New
  2. Choose the file FFXIV Install Directory\game\ffxiv_dx11.exe

image

  1. Choose the default options and hit OK

image

  1. When it asks for the input file with debug information hit yes in the hopes SE published their pdb by accident (thanks KazWolfe).

image

  1. Wait for IDA to be done disassembling, check the bottom left of IDA to see if it's still busy.
  2. Meanwhile, run python -m pip install pyyaml in any command prompt that has access to the installed Python

image

  1. When you see AU: idle in the bottom left corner of IDA you'll know when IDA is done disassembling.

image

  1. Hit File -> Script File -> Open FFXIVClientStructs\ida\ffxiv_idarename.py
  2. Let the script run, IDA might be unresponsive while it's doing this, you might get some errors which is totally fine.
  3. Now IDA should be set up to do some basic stuff.

Making a signature for a function and finding the arguments

  1. Find the function you want to make a signature for, either through browsing through some of the renamed functions or through an offset somebody has given you and open it.
  2. In this "guide" I'll make a signature for Client__UI__Agent__AgentHUD_OpenContextMenuFromTarget
  3. Go to Edit -> Plugins -> pySigMaker (or hit CTRL-ALT-S).

image

  1. Click "Sig for current function", this will copy the signature for use into your clipboard.
  2. In this example the signature we got is: 48 85 D2 74 7F 48 89 5C 24, if your signature has question marks in them like 00 ? 34 FC ? add extra question marks like: 00 ?? 34 FC ??.

image

  1. We still need to figure out the arguments we want need to use, either read the assembly if you can understand it or hit tab (or hit Jump -> Jump to Pseudocode).
  2. In this example we see the call needs 2 arguments which are both IntPtr. Knowing what arguments to use will need some experience/help.

For now this concludes this shitty bruteforce guide. Any changes and recommendations to this file are welcome.

Zeffuro

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment