
Thread: After finding an address with OllyDbg how exactly do I use it?

  1. #1
    Sanelb
    Guest

    After finding an address with OllyDbg how exactly do I use it?

    (I tried posting on various forums such as mpc and ce but got no replies to my question. Yes, I used the search function on this forum.)



    0043302F > 68 E4B55900 PUSH Tibia.0059B5E4 ; ASCII "Mana"




    I think I figured out how to use OllyDbg; I was playing around with it on a basic online game called Tibia, and I found that line of code/address up there.

    What exactly did I find?
    What do I do next to edit it?
    Do I take the code 004302F and do something with it on cheat engine?
    Or the code 68 E4B55900?
    Do most codes received from OllyDbg go well with cheat engine?

    I would love for someone to please explain to me what to do next, or answer any of those questions.



    P.S. I just want to learn; I am trying my best not to be a leecher. Thanks!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Learn ASSembly language, Win32 API
    esther


    Reverse the code, Reverse Your Minds First

  3. #3
    What you found was a reference within the code to Mana.

    Whatever you want to do (cheat), you will need to do a ton more work.
    You will need to post more code and hope that someone here has some knowledge of that online game.

    If no one here has played that game online, you are out of luck.

    Woodmann

  4. #4
    Quote Originally Posted by Sanelb View Post
    0043302F > 68 E4B55900 PUSH Tibia.0059B5E4 ; ASCII "Mana"

    What exactly did I find?
    What do I do next to edit it?
    Do I take the code 004302F and do something with it on cheat engine?
    Or the code 68 E4B55900?
    Are most codes that are received from OllyDbg go well with cheat engine?
    I'm writing this because I need a break from what I'm doing. If it's too long, or out of context, feel free to axe it or edit it. I see a lot of questions like this and maybe a very simple explanation like mine may help some people get started. Also, it might add some assembler references to our database that will show up in a search.

    Olly or any other debugger doesn't care about cheat engines, I don't even know what one is. If your focus is on cheat engines, you're wasting your time and the time of others here. Unless, of course, you can present a coherent analysis of what you need to learn. If you want to learn assembler, I'll give you a push (no pun intended), just to whet your appetite. I'm no expert, however.

    The 43302f to the left of the > is an address in your computer's memory. The 'bytes' after it, '68' and 'E4' and 'B5' and '59' and '00', are code, and they're found in memory at that address. The code is in a mathematical code called hexadecimal (Google it), which was developed to avoid writing long strings of binary like 0111 0001 1011. The equivalent of that in hexadecimal is 71B, which is infinitely more readable.

    For example, the hexadecimal value 68 (written 0x68) is made up of the binary digits, 0110 = 6 and 1000 = 8. So, 68 = 01101000. If those binary digits are represented by voltages, like 1 = 5 volts, and 0 = zero volts, a computer can understand them. 'Code' is used in general to refer to instructions to the processor, but the word means what it says. Computer (processor) instructions and data are binary codes. A processor only understands two things: a 1 and a 0. How do you talk to it about the alphabet and numbers, or give it instructions, when it has such a limited vocabulary? You form the 1's and 0's into codes.

    Here's a real-life example from a test I had to write once. A guy lives on the 15th floor of an apartment with his wife. Each night he comes home, she wants him to go to the store and pick something up. His apartment has 5 windows side by side with blinds. (If a blind is shut it could mean 1, and if it's open it could mean 0). Using those 5 windows, where the blinds can be open or shut in different combinations, how many codes can be formed, hence how many things can she send him to buy? (the answer will be in next weeks supplement) HINT: there's an easy way which you learn after the hard way. All blinds open = 00000, all blinds shut = 11111. Fill in the codes in between.

    One of the basic computer (digital) chips is a decoder. If several 1's and 0's are presented to it in parallel (on a bus), to form a code, the decoder will select a specific output line. If the code put into the decoder, for example, is 0000, the decoder selects output 0. If the code is 1111, the decoder selects output line 15. This is oversimplified, but it is still the basis on which a CPU works. When the CPU receives the hex code 0x68, made up of 01101000 as voltage levels in its decoding unit, it knows to perform the equivalent of a PUSH instruction. It does that by using the selected output line to turn on a circuit that performs the electronic equivalent of a PUSH.

    If you study an ASCII chart ( http://www.pcguide.com/res/tablesASCII-c.html ), you will see columns of hexadecimal numbers with their decimal equivalent. For example, the hexadecimal (abbreviated hex, or sometimes Hx) number 0x40 has the decimal equivalent of 64. This is an important relationship. Hexadecimal 0x41 is decimal 65, but that's not so important in an ASCII table. 0x41 also represents the capital letter A. 0x42 is B, 0x43 is C, etc. A = 0x41 is also 01000001 in binary. Remember, the computer processor only understands binary...1's and 0's.

    Binary combinations are formed in extended ASCII from 00000000 to 11111111 (256 different codes, or combinations of 1's and 0's). In hexadecimal that is 0x00 to 0xFF. All the alphanumeric characters are represented by 'codes' and are contained between 0x30 = 00110000 = 0 (zero) to 0x7A = 01111010 = z (small z). In fact every key on a keyboard has a code. There's no point starting into assembler unless you have a decent grasp of this because the assembler language uses hexadecimal codes that are abbreviations of the binary code the processor understands. In other words, assembler opcodes are instructions to the processor.

    The English equivalent (mnemonic) of the opcode is written to the right of it. So, 68 E4 B5 59 00 means PUSH 0059B5E4 in assembler. 'PUSH' is an instruction to the computer's central processing unit (CPU) to move a value onto the Stack, an area of memory reserved for a process, like Tibia. Maybe someone could clarify whether the stack itself is formed by the compiler, and what the relationship is to the CPU.

    You don't need to know that at this point, but if you watch what comes right after one or more PUSH instructions, you'll see a 'function', signified by a CALL instruction. That's why you were told to include more code. The PUSH by itself doesn't say a lot but the CALL might, especially if it's a system function and Olly is setup to interpret it into English.

    The PUSH statement puts values on the Stack for the function to use. In this case, it's putting the memory address 0059B5E4 onto the stack, and at that address there is a 'string' of ASCII hexadecimal characters that spell Mana (actually, in real memory, Mana would be represented by the electrical equivalent of binary 1's and 0's). The function that follows, at the CALL statement 'might' be a 'string' function, and it's job 'might' be to count the length of the string, move it somewhere, copy it, or whatever. The 'Tibia' part is meaningless to the code...it was put there by Olly to help you out. Also, the ; at the end of the line signifies the end of the code and was put there by Olly. Anything after that is a comment put there by the debugger as well.

    One last thing, Look at the code 68E4B55900. It's made up of two parts. There is a 68, which is the actual opcode (operation code), and E4B55900 which is the operand it operates on. Rearrange E4B55900 and you get 0059B5E4. Sound familiar?? It's the address in memory holding the string Mana. The hex 68 represents the binary code for PUSH. The instruction puts the address of mana onto the Stack. Later, the code called by the CALL will do something with it.

    OK...this is all Greek right now, and if you're Greek, it might not necessarily help. Before you jump into this, you need to know about bits, bytes, words, doublewords, binary and hexadecimal. Then you need to know some basic assembler instructions like MOV, PUSH, CALL, CMP, JMP, JE, etc., and the effect they have on the flow of the program. You also need to learn how a central processing unit is made up, the registers, etc. Intel has free information on this at their site. You will also need to learn something about the basic structure of the program you're working on. Usually that's a PE file with Windows apps.

    A week or two of serious study will get you to the point where you'll begin to understand assembler at a very basic level. We have all been there. If you don't have the time or interest to do that, you won't get any help on boards like this. I learned most about assembler by doing what you're doing now. I wanted to 'fix' something, and one thing led to another.

    I got a book on assembler opcodes that had a handy ASCII table. Every time I came to an instruction I didn't understand, I stopped, got out the book, and tried to figure it out. There are a lot of seriously good reversers on this board who will occasionally stop by and give you some real insight if they think you have done your homework. At worst, someone like me can help. If you're just looking for a hack for a game, forget it.

    BTW...Olly is a disassembler as well as a debugger. When programs are written, they are usually written in a high level language, meaning the interface is more human friendly. One high level instruction may contain several hundred assembler instructions, but assembler is about the lowest level of interface to a processor that a human can understand easily. The lowest level is machine language, and you don't want to go there.

    When a high level language is 'compiled' it is converted from the human level to the machine level. It is stored on a hard disk in a sequence of 'bytes' that is not legible to the average human mind. A disassembler/debugger like Olly reads that jumble and attaches human words to it like PUSH, JMP (jump), MOV (move), etc. In other words, it brings order to the mess. Using Olly, you can step (trace) through a disassembly one step at a time. You are actually seeing the program code as it is executed by the processor. It's not quite that simple, but that gives you the idea.
    Last edited by WaxfordSqueers; January 19th, 2008 at 04:08.

  5. #5
    Naides is Nobody
    Join Date: Jan 2002 | Location: Planet Earth | Posts: 1,647
    Quote Originally Posted by WaxfordSqueers View Post
    I'm writing this because I need a break from what I'm doing. . .
    Jeesh, Waxford!

    Whatever you were doing has got to be the most painful job in the world, for you to take such a long and excruciatingly detailed "break".

  6. #6
    I would normally recommend you take a CS course either at your local post-secondary institution or do the research yourself online, but seeing as your goal is to "cheat" in a game and not develop a deeper understanding of the Art this is likely not the forum for you.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    Sanelb
    Guest
    Quote Originally Posted by Woodmann View Post
    What you found was a reference within the code to Mana.

    Whatever you want to do (cheat), you will need to do a ton more work.
    You will need to post more code and hope that someone here has some knowledge of that online game.

    If no one here has played that game online, you are out of luck.

    Woodmann
    0043302F > 68 E4B55900 PUSH Tibia.0059B5E4 ; ASCII "Mana"
    00433034 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
    00433037 . 50 PUSH EAX
    00433038 . E8 F5061100 CALL Tibia.00543732
    0043303D . 83C4 08 ADD ESP,8
    00433040 . E8 5BE60100 CALL Tibia.004516A0
    00433045 . 8907 MOV DWORD PTR DS:[EDI],EAX

    This is what the whole code looks like. I am guessing if I NOP 00433038 . E8 F5061100 CALL Tibia.00543732, it should do something to my mana.

    And what do you mean, OllyDbg has nothing to do with cheat engine? That is what most people do: they find codes from OllyDbg and use them in a cheat table by freezing or changing the value of the address they found.

    Thanks for taking a break from your time to explain to me Waxford.

    All blinds open = 00000, all blinds shut = 11111
    I would prefer All blinds open= 11111, and all blinds shut= 00000. 1 means on and 0 means off.

    BTW, what do you think of this site on learning ASM http://video.reverse-engineering.net/thumbnails.php?album=4 is it good to start there? The site has a tutorial that comes with a application.
    Last edited by Sanelb; January 19th, 2008 at 12:04.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    XhacK
    Guest
    First of all "HI" guys!

    and YES Sanelb, Lena151's Series are the best newbie tutorials I've ever seen!
    It would be the best start for you..
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #9
    Registered User
    Join Date
    Jul 2007
    Posts
    107
    Blog Entries
    6
    Very good site that I recommend to everybody!
    There are some good videos too about IDA made by some other guy.
    I always forget his name.
    Programming today is a race between software engineers to build bigger and better idiot-proof programs and the Universe trying to produce bigger and better idiots.
    So far, the Universe is winning.

  10. #10

    MPC et al is that way, don't let the door hit you on the way out! ---->

    Quote Originally Posted by Sanelb View Post
    0043302F > 68 E4B55900 PUSH Tibia.0059B5E4 ; ASCII "Mana"
    00433034 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
    00433037 . 50 PUSH EAX
    00433038 . E8 F5061100 CALL Tibia.00543732
    0043303D . 83C4 08 ADD ESP,8
    00433040 . E8 5BE60100 CALL Tibia.004516A0
    00433045 . 8907 MOV DWORD PTR DS:[EDI],EAX

    This is what the whole code looks like. I am guessing if I NOP 00433038 . E8 F5061100 CALL Tibia.00543732, it should do something to my mana.
    NO! What makes you think that the mere presence of the letters 'M', 'a', 'n', and 'a' in that order in some code you found, would "do something to [your] mana"? Let's draw an analogy:
    Code:
    00401100 push something.00401050 ; ASCII "Hello"
    00401105 call something.00401337
    0040110a add esp, 4
    Now, if I NOP out 00401105-00401109, would it do something to my Hello?!?! What YOU need to do is think more deeply and learn about how the computer works, as you seem to have no clue at all.
    And what do you mean, OllyDbg has nothing to do with cheat engine? That is what most people do: they find codes from OllyDbg and use them in a cheat table by freezing or changing the value of the address they found.
    One is a debugger, the other is a memory editor.
    BTW, what do you think of this site on learning ASM http://video.reverse-engineering.net/thumbnails.php?album=4 is it good to start there? The site has a tutorial that comes with a application.
    What do I think? "patch this patch that blah blah blah"... it isn't hard to see that someone who bases his study of reversing on such material will never truly become enlightened in the Art.
    I promise that I have read the FAQ and tried to use the Search to answer my question.
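An added example, my own code rather than anything from OllyDbg or from the people in this thread, that does by hand what WaxfordSqueers walks through above: it decodes the bytes in Sanelb's listing (and LLXX's "Hello" analogy) into mnemonics, reads the little-endian operand of the 68 opcode, does the rel32 arithmetic that turns E8 F5061100 into Olly's CALL Tibia.00543732, pairs each CALL with the PUSHes before it and the ADD ESP after it, and shows what the listing becomes after the NOP patch Sanelb proposed. The Tibia bytes are exactly as posted; the bytes for the "Hello" snippet are constructed from its mnemonics, since LLXX posted none. Only the opcodes that occur in the thread are handled.

```python
"""Decode the bytes Olly showed and work out what the PUSH/CALL pattern means.

Added example, not code from the thread or from OllyDbg. It implements the
handful of x86 opcodes that appear in the posted listings (PUSH imm32/r32,
MOV with a simple ModR/M, CALL rel32, ADD r/m32,imm8, NOP) and nothing else.
"""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# The seven instructions Sanelb posted, copied byte-for-byte from the thread.
TIBIA_BASE = 0x0043302F
TIBIA_BYTES = bytes.fromhex("68E4B55900" "8B450C" "50" "E8F5061100" "83C408" "E85BE60100" "8907")

# LLXX's "Hello" analogy shows only mnemonics; these bytes are constructed to
# match it (assumption: the CALL at 00401105 encodes rel32 = 0x401337 - 0x40110A).
HELLO_BASE = 0x00401100
HELLO_BYTES = bytes.fromhex("6850104000" "E82D020000" "83C404")


def modrm(code, i):
    """Decode the ModR/M byte at code[i]; returns (reg field, r/m text, bytes used).
    SIB addressing is not handled (it never occurs in the posted listings)."""
    b = code[i]
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    if mod == 3:                                   # register direct, e.g. esp
        return reg, REGS[rm], 1
    if rm == 4:
        raise NotImplementedError("SIB byte not handled")
    if mod == 0:
        if rm == 5:                                # [disp32]
            return reg, f"[0x{struct.unpack_from('<I', code, i + 1)[0]:08X}]", 5
        return reg, f"[{REGS[rm]}]", 1
    if mod == 1:                                   # [reg+disp8], e.g. [ebp+0xc]
        return reg, f"[{REGS[rm]}{struct.unpack_from('<b', code, i + 1)[0]:+#x}]", 2
    return reg, f"[{REGS[rm]}{struct.unpack_from('<i', code, i + 1)[0]:+#x}]", 5


def decode(code, base):
    """Return [(address, hex bytes, mnemonic)] for the instruction stream."""
    out, i = [], 0
    while i < len(code):
        addr, op = base + i, code[i]
        if op == 0x68:                             # PUSH imm32: operand is little-endian
            n, text = 5, f"push 0x{struct.unpack_from('<I', code, i + 1)[0]:08X}"
        elif 0x50 <= op <= 0x57:                   # PUSH r32
            n, text = 1, f"push {REGS[op - 0x50]}"
        elif op == 0x8B:                           # MOV r32, r/m32
            reg, rm, k = modrm(code, i + 1)
            n, text = 1 + k, f"mov {REGS[reg]}, {rm}"
        elif op == 0x89:                           # MOV r/m32, r32
            reg, rm, k = modrm(code, i + 1)
            n, text = 1 + k, f"mov {rm}, {REGS[reg]}"
        elif op == 0xE8:                           # CALL rel32: target = address of next insn + rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]
            n, text = 5, f"call 0x{(addr + 5 + rel) & 0xFFFFFFFF:08X}"
        elif op == 0x83:                           # group-1 op r/m32, imm8; /0 is ADD
            reg, rm, k = modrm(code, i + 1)
            imm = struct.unpack_from("<b", code, i + 1 + k)[0]
            mnem = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"][reg]
            n, text = 2 + k, f"{mnem} {rm}, {imm:#x}"
        elif op == 0x90:
            n, text = 1, "nop"
        else:
            raise NotImplementedError(f"opcode {op:#04x} at 0x{addr:08X}")
        out.append((addr, code[i:i + n].hex().upper(), text))
        i += n
    return out


def call_sites(insns):
    """Pair each CALL with the PUSHes before it and the ADD ESP after it.
    Pushes are reversed so args are listed first-to-last (caller cleanup, cdecl-style)."""
    sites, pending = [], []
    for idx, (addr, _, text) in enumerate(insns):
        if text.startswith("push "):
            pending.append(text[5:])
        elif text.startswith("call "):
            cleanup = 0
            if idx + 1 < len(insns) and insns[idx + 1][2].startswith("add esp, "):
                cleanup = int(insns[idx + 1][2].split(", ")[1], 16)
            sites.append({"at": addr, "target": int(text[5:], 16),
                          "args": pending[::-1], "cleanup": cleanup})
            pending = []
        elif text.startswith("add esp"):           # stack cleaned up: earlier pushes are consumed
            pending = []
    return sites


def nop_patch(code, base, addr, length):
    """Copy of `code` with `length` bytes at `addr` overwritten by 0x90 (NOP)."""
    off = addr - base
    return code[:off] + b"\x90" * length + code[off + length:]


if __name__ == "__main__":
    for addr, raw, text in decode(TIBIA_BYTES, TIBIA_BASE):
        print(f"{addr:08X}  {raw:<12} {text}")
    print(call_sites(decode(TIBIA_BYTES, TIBIA_BASE)))
    for addr, raw, text in decode(nop_patch(TIBIA_BYTES, TIBIA_BASE, 0x00433038, 5), TIBIA_BASE):
        print(f"{addr:08X}  {raw:<12} {text}")
```

Run as a script it reproduces Olly's listing line for line, without the "Tibia." prefix and the ASCII comment, which Olly adds from its own analysis rather than from the bytes. The call-site pairing shows that 00543732 receives two arguments, the address of "Mana" and whatever was in [ebp+0xc], and that ADD ESP,8 removes both. After the five-byte NOP patch the listing still balances the stack, the second CALL still runs and its EAX still lands in [edi]; nothing in these seven instructions says what 00543732 does with the string, which is exactly LLXX's point.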

  11. #11
    Quote Originally Posted by naides View Post
    Jeesh, Waxford! Whatever you were doing is got to be the most painful job in the world, for you to take such a long and excruciatingly detailed "break"
    I was working feverishly trying to get Paimei working on my system. How about hopping over to Our Tools and checking out the Paimei thread by Ricardo? I'd appreciate your expertise. I've had pains trying to get sice up, but nothing like this.

    Actually, writing the blurb was relaxing compared to the frustration of the past few days. I'm an electronics tech and I like to visualize reversing from both the hardware and software perspective. I started with a simple, short reply but started to see that a concise reply was not that easy. That's probably why most people don't get into it. In the end, it did a lot for me to write it because I was a bit bleary on certain aspects. I was hoping it might do some good for a newbie down the road who was groping in the codewoods. Then again, I may put him/her right off reversing.

  12. #12
    Quote Originally Posted by Sanelb View Post
    This is what the whole code looks like. I am guessing if I NOP 00433038 . E8 F5061100 CALL Tibia.00543732, it should do something to my mana.
    the whole point of my long reply to you was to take a couple of weeks and figure out why your guess would be dumb. You'd probably get a nice blue screen and your computer would need to be rebooted. If your hard drives were configured so important data was in a cache, you might not even be able to reboot. Then you'd be obliged to do the next dumb thing most newbies do: reformat and reload Windows. I have never, ever had to reformat and reload windows because I figure out what happened and fix it.

    And what do you mean, OllyDbg has nothing to do with cheat engine? That is what most people do: they find codes from OllyDbg and use them in a cheat table by freezing or changing the value of the address they found.
    anyone who plays just games and knows nothing about reversing is just toying with Olly. If your interest is just games, there are plenty of forums dealing with that. The reason you received no replies at the other two boards you visited has to do with the contempt most reversers have for people using them to get hacks, cracks and cheats. From what I do understand about cheats, you could probably do it with a straight disassembly.

    Thanks for taking a break from your time to explain to me Waxford.
    no problem...now go read it and understand it. Games will eventually make you go blind.

    I would prefer All blinds open= 11111, and all blinds shut= 00000. 1 means on and 0 means off.
    you're guessing again.

    No blinds shut is 00000, one blind shut is 00001, 00010, 00100, 01000, and 10000. Two blinds shut is 00011, 00110, 01100, 11000, 00101, 01010 and so on. Each one of those is a unique combination of 1's and 0's, hence a unique code. If you listed those codes with their decimal representation, they'd be 0,1,2,4,8,16,3,6,12,24,5 and 10. Find which combinations are missing and total them.

    Hey man...if you can't do this in your sleep, forget about Olly!! This is about as easy as it gets. If you start learning, it will all make sense. Like I said, there's a really easy solution to this problem which will let you figure it out in two seconds. What this board is about is groping in the dark, then coming back and asking what is wrong. Without the basics, even if we gave you a solution, you still wouldn't understand.

  13. #13
    Registered User | Join Date: Jul 2007 | Posts: 107 | Blog Entries: 6
    Contrary to what LLXX said, not all tutorials are evil.
    You actually need to start getting knowledge from somewhere in the beginning, like tutorials.

    To get a good idea of the process involved, you could start with a TrainerMe:
    http://www.crackmes.de/users/daxxor_101/trainerme_1.0/

    It is an over-simplified fake game with (non-evil) tutorials on how to make a trainer.
    If this sounds too complicated or confusing then you can forget about the latest game where they actually try to make cheating harder to almost impossible.

    There never will be a flashing neon sign saying: "Modify this byte to cheat".
    Text is usually handled separately from numerical values since the text doesn't need to be "recalculated" every time the value changes.

    Every game will handle those values differently, it could be:
    Single current value
    Max value and current value
    Max value - Spent value
    Unrelated value to what is displayed

    Like WaxfordSqueers said, opening all the blinds would not be a good solution in the third case as it would freeze the value to 0.

    I'm having flashbacks of the old GameWizard for Dos days.
    Also, saved games are often a direct dump of memory values.

    TiGa
    Programming today is a race between software engineers to build bigger and better idiot-proof programs and the Universe trying to produce bigger and better idiots.
    So far, the Universe is winning.
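An added example, my own code and not something from TiGa, Cheat Engine or the TrainerMe, that simulates the first-scan / change-the-value / rescan loop a memory editor runs over each of the value layouts TiGa lists (a single current value, max plus current, max minus spent), inside a constructed fake process image. The FakeGame class, the 0x800 offset for the numbers, the "Mana" string at 0x100 and the mana figures are all assumptions for illustration.

```python
"""Differential memory scan over the value layouts TiGa lists.

Added example, not code from the thread or from Cheat Engine. It builds a
constructed fake process image, stores "mana" in one of three layouts, and
shows the first-scan / change-value / rescan loop a memory editor performs.
Offsets, sizes and the FakeGame class are assumptions for illustration.
"""
import random
import struct

VALUES_AT = 0x800          # where the fake game keeps its numbers (assumed)
LAYOUTS = ("current", "max_and_current", "max_minus_spent")


class FakeGame:
    """A stand-in for the game process: 4 KiB of noise plus the mana fields."""

    def __init__(self, layout, mana_max=200, mana_cur=150, seed=1):
        assert layout in LAYOUTS
        self.layout, self.max = layout, mana_max
        rng = random.Random(seed)
        self.mem = bytearray(rng.getrandbits(8) for _ in range(4096))
        self.mem[0x100:0x104] = b"Mana"        # the string Olly showed lives apart from the numbers
        self._write(mana_cur)

    def _write(self, cur):
        if self.layout == "current":
            struct.pack_into("<I", self.mem, VALUES_AT, cur)
        elif self.layout == "max_and_current":
            struct.pack_into("<II", self.mem, VALUES_AT, self.max, cur)
        else:                                    # max is stored, spent is stored, current is derived
            struct.pack_into("<II", self.mem, VALUES_AT, self.max, self.max - cur)

    def displayed(self):
        """What the UI shows, derived from memory the same way the game would."""
        a, b = struct.unpack_from("<II", self.mem, VALUES_AT)
        return {"current": a, "max_and_current": b, "max_minus_spent": a - b}[self.layout]

    def cast(self, cost):
        """The player casts a spell: the game lowers current mana by `cost`."""
        self._write(self.displayed() - cost)

    def poke(self, offset, value):
        """What a memory editor's 'change value' does: write straight to memory."""
        struct.pack_into("<I", self.mem, offset, value)


def scan(mem, value, candidates=None):
    """First scan (every 4-byte-aligned dword) or rescan (only prior candidates)."""
    offsets = range(0, len(mem) - 3, 4) if candidates is None else candidates
    return [o for o in offsets if struct.unpack_from("<I", mem, o)[0] == value]


def locate(game, searched, costs=(30, 20)):
    """Scan for searched(game), spend some mana, rescan; repeat. Returns survivors."""
    cands = scan(game.mem, searched(game))
    for cost in costs:
        game.cast(cost)
        cands = scan(game.mem, searched(game), cands)
    return cands


def search_displayed(game):
    """Search for the number on screen, the naive thing to type into a scanner."""
    return game.displayed()


def search_spent(game):
    """Search for max minus the number on screen (the third layout TiGa lists)."""
    return game.max - game.displayed()


if __name__ == "__main__":
    for layout in LAYOUTS:
        print(f"{layout:16} screen value -> {locate(FakeGame(layout), search_displayed)}"
              f"   max-minus-screen -> {locate(FakeGame(layout), search_spent)}")
```

For the first two layouts scanning for the number on screen converges on one dword; for the third it finds nothing, and only searching for max minus the screen value lands on the spent field. Poking that field to 0 then shows full mana, while poking the "current" layout's field sets the displayed value directly, which is the difference TiGa is getting at: the address you find is only as useful as your understanding of how the game derives the displayed number from it. The "Mana" string at 0x100 never turns up as a candidate, since it is stored separately from the numbers.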

  14. #14
    dELTA (Administrator) | Join Date: Oct 2000 | Location: Ring -1 | Posts: 4,206 | Blog Entries: 5
    LLXX (RCHN, DESUForever, ...) is just a pathetic dried up cunt, just ignore her. She's been banned forever now.

    Carry on.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  15. #15
    XhacK
    Guest
    Quote Originally Posted by TiGa View Post
    Very good site that I recommend to everybody!
    There are some good videos too about IDA made by some other guy.
    I always forget his name.
    Yeah that series Too
    yet I don't know why "he" didn't release any new tutorials lately, after the last (8th) one, as he promised us more tutorials ("Don't miss my next Tutorial") to come..

    Thanks TiGa!! really!
    Dedicating that much time to make such ORGANIZED series is really appreciated!
    and I'm really glad that you can read my words, even though you are not waiting for someone to thank you for your great work!, and I hope that Lena151 would read my words some day!

    Keep up the good work guys, and wait for me after my graduation (in a couple of months) so I can find some time to read and work harder to reach your level and even more! (I hope)

    and I know I should have opened a new thread for this boring speech but I guess that's ok..

    SnD, woodmann, ARTeam, TiGa and the RCE Community thanks guys and KEEP UP THE GOOD WORK!
    I promise that I have read the FAQ and tried to use the Search to answer my question.
