Post by £åߥ®Ñth on Apr 11, 2008 17:42:08 GMT -5
Ok, there are a lot of people who really want to know how to use olly.
But to write a tutorial for doing it takes a lot of time. This is why you don't see very many, mostly crappy looking videos.
This tutorial is basic and is to get you into a game's code using olly.
We won't be hacking a game, but more or less see and learn how we can get into a game with olly and look at the code.
Target: MineSweeper
Tools needed: Memory Scanner & Ollydbg *I used Cheat Engine
*You need to know how to use a memory scanner for this tutorial. And some basic knowledge of ollydbg. Such as, the window names and how to attach or open a file.
1. Scan for the flags address for minesweeper.
2. Should come up with a single static address.
3. Also find what writes to the address as well. *I'm going to show you how to use these addresses to get to code in olly.
4. Now let's start with the address found while doing your scans.
5. Open up ollydbg and attach to minesweeper or open minesweeper with olly. Your choice.
6. Once we have it loaded, click in your dump window and either right click and click Goto or hit "ctrl+g". Enter the address you found from your scan.
7. Now from here you can right click the address in dump and select "Find references" or hit "ctrl+r". You should see something like this.
And can get into the code from just a scan-found address. But for the rest of the tutorial I will use the second address we found.
8. Now, let's use our address we found from what writes to this address.
9. In the CPU window right click or hit "ctrl+g" and type in the address you have.
You will land here in the minesweeper code.
10. After analyzing the code, right click or "ctrl+A". You can see we are in a small loop.
11. So let's set a break point on the start of this loop. So on the first address of the loop double click it or select it and hit "F2". It should turn red and this means you have set a break point.
12. Now we hit "F9" to run the program, and it will break as soon as we run it.
*If you don't break, then go to minesweeper and right click to place a flag.
13. Ok let's look at this. We can see in the pane window that eax is = to A.
So what's this mean? Well A is hexadecimal for 10. The same number of flags we have. The instruction at this break is moving 0 into eax from [esp+04].
14. Now we step the code in olly with "F8" and land here. Yes we can see 0 was moved into eax because when we break here we see eax is 0. And the instruction has an address 1005194. Wow that's our flag address! It is = to A?
Remember "A" hexadecimal is 10 decimal. So the address has 10 flags.
But what is this instruction doing? Adding 0 to the address?
Ah yes, we know why the first part of this loop moved 0 into eax.
Because if it moved something into it, then we would get more flags.
15. Now let's use a flag. And we break here again. But we see something different. esp+4 is moved into eax. Look in the pane window and see the stack. So FFFFFFFF is moved to eax. What's that mean?
16. Let's step again and see what happens. Yes, FFFFFFFF was moved into eax?
No we also see our address has "A" still. Basically 10 flags. So this instruction is going to add FFFFFFFF to our flag address.
17. Let's see what happens. Well now the address of the flags has dropped by 1. But how? eax = FFFFFFFF and it was added to A. Let's look at the register.
18. Right click on eax = FFFFFFFF in the pane window and click "modify"
19. Well, look what we see. eax = FFFFFFFF is -1. So -1 added to 10 would give us 9. Now it makes sense. So FFFFFFFF = -1. And this is how we decrease by 1 flag when we use it.
This tutorial is only to get you started into looking into game code with ollydbg and get a better picture of how the game handles the code.
You can take it even further than this if you go into the call of this loop and follow what it does. Also trace back how esp+4 gets its value to mov into eax at the start of the loop. I hope you can see how you get a better look at the game code by doing this instead of sticking with a single instruction found in a memory scanner.
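To make the "FFFFFFFF = -1" step concrete, here is an added C model (not code from the post or from the game) of the two instructions the loop executes, mov eax,[esp+4] then add [counter],eax, on a 32-bit register and a 32-bit memory cell; the counter name, the starting value A and the deltas 0 and FFFFFFFF are taken from the walkthrough above, everything else is assumed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the loop stepped through in OllyDbg above:
   mov eax, [esp+4]  /  add [flag_counter], eax.  Both the register and
   the memory cell are 32 bits wide and wrap modulo 2^32, which is why
   adding FFFFFFFF behaves like subtracting 1.  Names are assumptions. */

/* Value seen at the flag address in the post: A hex = 10 flags. */
#define INITIAL_FLAGS 0x0000000AU

/* Reinterpret a 32-bit register value as the signed number OllyDbg's
   "modify" dialog shows (FFFFFFFF -> -1), without relying on
   implementation-defined casts. */
int32_t reg_as_signed(uint32_t reg) {
    if (reg & 0x80000000U)                 /* top bit set: negative */
        return -(int32_t)(~reg) - 1;       /* two's complement: -(~x) - 1 */
    return (int32_t)reg;
}

/* Emulate "add [flag_counter], eax": unsigned 32-bit addition with
   wraparound, which is what the CPU does regardless of sign. */
uint32_t add_to_counter(uint32_t counter, uint32_t eax) {
    return counter + eax;                  /* uint32_t wraps mod 2^32 */
}

/* One pass of the loop with the delta loaded from [esp+4]. */
uint32_t step_loop(uint32_t counter, uint32_t delta_from_stack) {
    uint32_t eax = delta_from_stack;       /* mov eax, [esp+4] */
    return add_to_counter(counter, eax);   /* add [flag_counter], eax */
}

int main(void) {
    uint32_t flags = INITIAL_FLAGS;
    printf("start:               %08X (%u flags)\n", flags, flags);

    /* First break in the post: 0 is loaded, counter stays at A. */
    flags = step_loop(flags, 0x00000000U);
    printf("after add 0:         %08X (%u flags)\n", flags, flags);

    /* Second break: FFFFFFFF is loaded, counter drops from A to 9. */
    uint32_t delta = 0xFFFFFFFFU;
    printf("delta %08X as signed: %d\n", delta, reg_as_signed(delta));
    flags = step_loop(flags, delta);
    printf("after add FFFFFFFF:  %08X (%u flags)\n", flags, flags);
    return 0;
}
```

The same wraparound means a counter that is already 0 would become FFFFFFFF after one more add, which is the kind of edge you can watch for while stepping the loop.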