Changing the argument

Support forums for OllyDbg 32-bit Assembler-Level Debugger.
Developed by Oleh Yuschuk (http://www.ollydbg.de)
maslo
Post by maslo »

Hi, I am having a little problem with OllyDbg, as I have no idea how to change "Arg2" to a specific string.
There is "Arg1" and "Arg2". Arg1 is the name in the Windows registry and Arg2 is the data. Arg2 is somehow produced and is checked for correctness at every app launch. Therefore, if I manually change these 2 values in the Windows registry and start the application, these values will change back.
Could you provide some help or a hint on how to change Arg2 to a desired string, or how to 'hack' the 'Arg2 value generating system'?

Regards :)

[Screenshot: http://i48.tinypic.com/654msh.jpg]

This is what I get if I Step Into: PUSH ECX "Arg2":

[Screenshot: http://i46.tinypic.com/1e56pl.jpg]
naides

Post by naides »

This would be a quick and dirty one.

Somewhere in the executable, find a 00-filled cave and write there the string you want to spoof as arg2. It needs to be null terminated. For extra precaution, make it dword aligned. Note the address, for instance:

01268000: "MyCheatString0x00"

Now, change your code from

012639FF: LEA ECX, [ESP+64]
01263A03: PUSH ECX

to

012639FF: MOV ECX, 01268000
01263A03: PUSH ECX

Now the program will read your "MyCheatString" instead of the legitimately generated string, and hopefully swallow it.
But I would bet there are more checks that you'll have to neutralize...
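An added sanity check, not code from the thread, that a reverser would run before writing the patch above into the binary: it hand-encodes the original LEA ECX,[ESP+64] and the proposed MOV ECX, imm32, lays out the cave string with its terminator, and reports whether the replacement fits between the two addresses quoted in the thread (012639FF and 01263A03 are taken from the post; the cave address 01268000 and the string are naides's example values, used here as assumptions).

```python
import struct

# Opcode bytes for the two 32-bit x86 instructions discussed in the thread.
# LEA ECX, [ESP+disp8] = 8D 4C 24 disp8 (ModRM + SIB because ESP is the base).
LEA_ECX_ESP_PREFIX = bytes.fromhex("8d4c24")
# MOV ECX, imm32 = B9 followed by a little-endian 32-bit immediate.
MOV_ECX_IMM32_OPCODE = 0xB9


def encode_lea_ecx_esp(disp8: int) -> bytes:
    """Encode LEA ECX, [ESP+disp8] as OllyDbg shows it at 012639FF (disp 0x64)."""
    if not 0 <= disp8 <= 0x7F:
        raise ValueError("disp8 must be a non-negative signed byte")
    return LEA_ECX_ESP_PREFIX + bytes([disp8])


def encode_mov_ecx_imm32(imm: int) -> bytes:
    """Encode MOV ECX, imm32, the replacement proposed in the post."""
    return bytes([MOV_ECX_IMM32_OPCODE]) + struct.pack("<I", imm & 0xFFFFFFFF)


def cave_bytes(s: str) -> bytes:
    """Null-terminated ASCII bytes as they must appear in the code cave."""
    return s.encode("ascii") + b"\x00"


def check_patch(lea_addr: int, push_addr: int, cave_addr: int, s: str) -> dict:
    """Compare original and replacement sizes against the space available.

    The patch is only an in-place byte swap if the new instruction is no
    longer than the gap between the LEA and the following PUSH ECX.
    """
    original = encode_lea_ecx_esp(0x64)
    replacement = encode_mov_ecx_imm32(cave_addr)
    available = push_addr - lea_addr
    return {
        "original_len": len(original),
        "replacement_len": len(replacement),
        "available": available,
        "fits_in_place": len(replacement) <= available,
        "clobbers_push": lea_addr + len(replacement) > push_addr,
        "cave_dword_aligned": cave_addr % 4 == 0,
        "cave_len_with_nul": len(cave_bytes(s)),
    }


if __name__ == "__main__":
    # Addresses from the thread; cave address and string are the post's example values.
    print(check_patch(0x012639FF, 0x01263A03, 0x01268000, "MyCheatString"))
```

For the addresses in the thread the LEA is 4 bytes but MOV ECX, imm32 is 5, so the replacement as written would spill one byte into the PUSH ECX at 01263A03; that is the kind of detail to confirm in the disassembler before assembling the change.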