Welcome to the new Woodmann RCE Messageboards Regroupment


Changing the argument

Support forums for OllyDbg 32-bit Assembler-Level Debugger.
Developed by Oleh Yuschuk (http://www.ollydbg.de)
Post by maslo »

Hi, I am having a little problem with OllyDbg, as I have no idea how to change "Arg2" to a specific string.
There is "Arg1" and "Arg2". Arg1 is the name in the Windows registry and Arg2 is the data. Arg2 is somehow produced and is checked for correctness at every app launch. Therefore, if I manually change these two values in the Windows registry and start the application, these values change back.
Could you provide me with some help or a hint on how to change Arg2 to a desired string, or how to 'hack' the 'Arg2 value generating system'?

Regards :)

(image: http://i48.tinypic.com/654msh.jpg)

This is what I get if I Step Into the PUSH ECX "Arg2":

(image: http://i46.tinypic.com/1e56pl.jpg)
Post by naides »

This would be a quick and dirty approach.

Somewhere in the executable, find a 00-filled cave and write there the string you want to spoof as arg2. It needs to be null terminated. For extra precaution, make it dword aligned. Note the address:
for instance
01268000: "MyCheatString0x00"

Now, change your code from

012639FF: LEA ECX, [ESP+64]
01263A03: PUSH ECX

to

012639FF: MOV ECX, 01268000
01263A03: PUSH ECX

Now the program will read your "MyCheatString" instead of the legitimately generated string, and hopefully swallow it.
But I would bet there are more checks that you'll have to neutralize...