IDA pro can't disassemble Ghosts. How do you guys do it?

[LastLegend]

Hello everyone,

When it comes to reverse engineering Ghosts, or any COD game for that matter, I've been really late to the train as I just started doing it. I was able to use some of the posted addresses to make simple programs that can read the game's state (e.g., IsInGame, CGS, etc).

Now I'm trying to disassemble Ghosts to find some addresses myself using IDA v6.1. However, it seems Ghosts (v3.13) is using some kind of obfuscation that prevents IDA from doing its job. Here are some of the errors I get when I try to open Ghosts in IDA:



(until the attachment is approved, the image url: oi62.tinypic.com/10n8ihl.jpg)

When IDA is done analysing the binary, it barely finds any routines inside:



(until the attachment is approved, the image url: oi61.tinypic.com/2rm8gn6.jpg)

I opened both MW2 and BO2 in IDA and it worked without any problems. Is this happening because Ghosts is 64bit while the other two games were 32bit (i.e., does IDA 64bit support sucks?)? Any help would be appreciated.

[cardoow]

Best way is to dump the exe and then open the dump file with IDA x64.

[LastLegend]

Thanks cardoow for your reply Do you recommend any tool to create the dump?

[NightmareTX_RETIRED]

CHimpREC 64

[LastLegend]

Aw man NightmareTX where were you two days ago? Thank you so much for pointing me to that application. I've spent the last two days working on determining the IAT and OEP of Ghosts using this tutorial:
hex-rays.com/products/ida/support/tutorials/unpack_pe/manual.shtml. I found them eventually, but with your program it literally was a few clicks! Now I'm back to finding addresses