OllyDbg Question


DaHexor
May 1st, 2007, 14:53
Hi everyone, I hope I'm posting this in the right spot. I'm trying to reverse engineer a Game.exe file.

What I'm trying to find is why, every time the game loads in OllyDbg, it changes addresses.

But oddly enough, if I load the game outside of OllyDbg, the addresses stay the same.
(So some file on the computer/registry has to be holding this information, right?)

And to add a twist to this, each game client's addresses are different. I installed this on my other computer and all the addresses I found are different on that one.

One more thing: each time this game gets an update, the addresses rotate also.

Example: (when loaded in OllyDbg)

09A32660 - first time it loaded
09A12710 - second time it loaded
09A12880 - third time it loaded

This address is the username/password you type to sign into the game, but it keeps changing. Is there a certain code I can search for that rotates the address?

If anyone has any idea to help me narrow down where this might be changing the address, please post back.

Thanks, DaHexor

naides
May 1st, 2007, 15:44
Quote:
> [Originally Posted by DaHexor;65320]Hi everyone, I hope I'm posting this in the right spot. I'm trying to reverse engineer a Game.exe file.
>
> What I'm trying to find is why, every time the game loads in OllyDbg, it changes addresses.

I need some clarification here: what changes address? The entry point where Olly stops? A piece of data that you monitor/search/follow? A pattern in the code?

> But oddly enough, if I load the game outside of OllyDbg, the addresses stay the same.
> (So some file on the computer/registry has to be holding this information, right?)

Same question: the address of what? And how do you "read" that address if Olly is not working? Have you tried loading the file first and then attaching Olly?

> And to add a twist to this, each game client's addresses are different. I installed this on my other computer and all the addresses I found are different on that one.
>
> One more thing: each time this game gets an update, the addresses rotate also.
>
> Example: (when loaded in OllyDbg)
>
> 09A32660 - first time it loaded
> 09A12710 - second time it loaded
> 09A12880 - third time it loaded
>
> This address is the username/password you type to sign into the game, but it keeps changing. Is there a certain code I can search for that rotates the address?

This part of your question is clearer.
The address of a piece of data (the password) may exist on the stack or in the heap. Ergo its position in the memory space is decided at run time. This does not require any specific code trick; it is part of the memory dynamics integral to the operating system. On the other hand, the program may have some "randomizer" attached to the creation of the variables (pointers) that hold your username/password variables, in order to protect the code from trainers that read and write to specific addresses in memory.

> If anyone has any idea to help me narrow down where this might be changing the address, please post back.

I think you need to give a little more detail.

> Thanks, DaHexor

Replies interleaved above (in blue in the original).

DaHexor
May 1st, 2007, 15:53
Okay, the addresses are certain things in the game I found, i.e.:

Speed of Shooting
Running Faster
Losing Monsters
Fly
Hide/Show Pet

Not relevant, but I found these addresses using T-Search, and I would like to share my findings with other people, but I have found that each computer the game is installed on gets different addresses for the list above.

I want to edit the Game.exe file to skip changing the addresses so they're always the same if I send a person the edited file.

The addresses are not really in OllyDbg per se; I'm just trying to find where in the Game.exe file it rotates all the addresses so I can skip that line in Olly.

Quote:
[Originally Posted by naides;65321]On the other hand, the program may have some "randomizer" attached to the creation of the variables (pointers) that hold your username/password variables, in order to protect the code from trainers that read and write to specific addresses in memory.


I'm about 95% sure this is the case: the game has a randomizer that rotates the addresses at runtime. Is there any way to skip this so the addresses are always the same?


Does that help any?

FrankRizzo
May 1st, 2007, 19:27
OK, here's how I would attack it. First, find out why it doesn't like Olly. It might be as simple as a check for IsDebuggerPresent. Once you can debug it, you're most of the way home. Then find your data in memory and set a WRITE breakpoint on it. Then play the game, and when something changes and it writes to that address, you should get a breakpoint that will show you where it's being written from. Examining that code should help you see their randomization/obfuscation techniques, and neuter it (say, find the routine that computes the offset to add to the bytes, and change it to always return 0).

If you need help with the Olly thing, just tell us what it's doing to stop it from working.

DaHexor
May 2nd, 2007, 00:09
Alrighty, first off, I have AntiDetectOlly2, so OllyDbg loads the game fine all the way into the game.

I'm just not sure when the game assigns the addresses. Would it do it in the first few instructions, or once the window appears, or when? What values in Olly do I look for?

Hmm, so you think that if I edit the address and find it in Olly, that will find me where the game randomizes the address?

FrankRizzo
May 2nd, 2007, 21:31
In your previous post you stated that you found the address, and it was all over the place. Using whatever technique you used to find it, well, find it, and set a breakpoint on that location being READ, or WRITTEN for that matter; just break on the program accessing that location. Then, by looking at the code there, you should be able to determine their method of moving it around and disable it.

DaHexor
May 3rd, 2007, 15:16
Can anyone just tell me what code I look for in OllyDbg that changes or inserts addresses?

Code:
013B5EE4 04 00 ADD AL,0
013B5EE6 0000 ADD BYTE PTR DS:[EAX],AL
013B5EE8 A9 B82B0018 TEST EAX,18002BB8
013B5EED 1E PUSH DS
013B5EEE 0000 ADD BYTE PTR DS:[EAX],AL
013B5EF0 F4 HLT ; Privileged command
013B5EF1 1F POP DS ; Modification of segment register
013B5EF2 0000 ADD BYTE PTR DS:[EAX],AL
013B5EF4 0000 ADD BYTE PTR DS:[EAX],AL
013B5EF6 C03F 00 SAR BYTE PTR DS:[EDI],0 ; Shift constant out of range 1..31
013B5EF9 00E0 ADD AL,AH
013B5EFB 40 INC EAX
013B5EFC 0000 ADD BYTE PTR DS:[EAX],AL
013B5EFE A0 410C0000 MOV AL,BYTE PTR DS:[C41]
013B5F03 0000 ADD BYTE PTR DS:[EAX],AL
013B5F05 0000 ADD BYTE PTR DS:[EAX],AL
013B5F07 0012 ADD BYTE PTR DS:[EDX],DL
013B5F09 93 XCHG EAX,EBX
013B5F0A 0000 ADD BYTE PTR DS:[EAX],AL
013B5F0C 0000 ADD BYTE PTR DS:[EAX],AL
013B5F0E 0000 ADD BYTE PTR DS:[EAX],AL
013B5F10 0F05 SYSCALL
013B5F12 E7 02 OUT 2,EAX ; I/O command


The line at 013B5EFE above (in red in the original) is the address that changes when I change attack speed in game. I do not see anything near that address that suggests a randomization of its creation. What kind of code would I be looking for that made 013B5EFE?

blabberer
May 4th, 2007, 00:51
The code you posted doesn't make any sense at all; you are barking up the wrong tree.

It might be part of a self-modifying runtime decryption section, and if it is polymorphic, metamorphic, whatever-morphic, they will be different every time.

Many of the snippets, like HLT, OUT 2,EAX, SYSCALL etc., can never execute in ring 3; they will all produce exceptions and crash unless there are exception handlers that trap those exceptions and act accordingly.

This code section simply is not the place to find answers to your questions.

You need to do a better analysis and break somewhere else.
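
Added example (editor's code, not from the thread or any poster): a script that takes the listing DaHexor posted, glues the opcode bytes back together in address order and reinterprets them as little-endian 32-bit integers and IEEE-754 floats, which is the check blabberer's diagnosis implies. Read that way, the dwords at 013B5EF4, 013B5EF8 and 013B5EFC decode as the floats 1.5, 7.0 and 20.0, and 013B5EFE, the address DaHexor names, lands in the middle of the last of them. Nothing here says which stat that is; it only shows that OllyDbg was pointed at a data block, which is why the "instructions" look like nonsense. The ring-0 mnemonic set and the "stat-looking float" filter are this example's own heuristics.

```python
import re
import struct

# Listing copied from DaHexor's post above: address, opcode bytes, disassembly.
OLLY_DUMP = """\
013B5EE4 04 00 ADD AL,0
013B5EE6 0000 ADD BYTE PTR DS:[EAX],AL
013B5EE8 A9 B82B0018 TEST EAX,18002BB8
013B5EED 1E PUSH DS
013B5EEE 0000 ADD BYTE PTR DS:[EAX],AL
013B5EF0 F4 HLT ; Privileged command
013B5EF1 1F POP DS ; Modification of segment register
013B5EF2 0000 ADD BYTE PTR DS:[EAX],AL
013B5EF4 0000 ADD BYTE PTR DS:[EAX],AL
013B5EF6 C03F 00 SAR BYTE PTR DS:[EDI],0 ; Shift constant out of range 1..31
013B5EF9 00E0 ADD AL,AH
013B5EFB 40 INC EAX
013B5EFC 0000 ADD BYTE PTR DS:[EAX],AL
013B5EFE A0 410C0000 MOV AL,BYTE PTR DS:[C41]
013B5F03 0000 ADD BYTE PTR DS:[EAX],AL
013B5F05 0000 ADD BYTE PTR DS:[EAX],AL
013B5F07 0012 ADD BYTE PTR DS:[EDX],DL
013B5F09 93 XCHG EAX,EBX
013B5F0A 0000 ADD BYTE PTR DS:[EAX],AL
013B5F0C 0000 ADD BYTE PTR DS:[EAX],AL
013B5F0E 0000 ADD BYTE PTR DS:[EAX],AL
013B5F10 0F05 SYSCALL
013B5F12 E7 02 OUT 2,EAX ; I/O command
"""

HEX_TOKEN = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# Instructions a ring-3 game cannot execute; meeting them mid-listing says "this is data".
RING0_MNEMONICS = {"HLT", "OUT", "IN", "SYSCALL", "CLI", "STI", "LGDT", "LIDT"}


def parse_olly_dump(text):
    """Return (start_address, raw_bytes, [(addr, mnemonic)]) from a CPU-window listing.

    A token counts as opcode bytes while it is all hex digits of even length;
    the first token failing that test ('ADD', 'TEST', ...) begins the disassembly.
    """
    chunks, suspicious = [], []
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        addr, buf, i = int(toks[0], 16), bytearray(), 1
        while i < len(toks) and HEX_TOKEN.match(toks[i]):
            buf += bytes.fromhex(toks[i])
            i += 1
        mnemonic = toks[i] if i < len(toks) else ""
        if mnemonic in RING0_MNEMONICS:
            suspicious.append((addr, mnemonic))
        chunks.append((addr, bytes(buf)))
    chunks.sort()
    start, data = chunks[0][0], bytearray()
    for addr, blob in chunks:
        # Reinterpreting as a struct only makes sense over a contiguous range.
        if addr != start + len(data):
            raise ValueError("gap or overlap at %08X" % addr)
        data += blob
    return start, bytes(data), suspicious


def decode_dwords(start, data):
    """Reinterpret as little-endian 32-bit values: [(addr, u32, f32)]; trailing bytes dropped."""
    out = []
    for off in range(0, len(data) - len(data) % 4, 4):
        chunk = data[off:off + 4]
        out.append((start + off, struct.unpack("<I", chunk)[0], struct.unpack("<f", chunk)[0]))
    return out


def looks_like_game_stat(f):
    """Heuristic filter: finite, modest magnitude, round to three decimals. Not proof."""
    return f == f and 1e-3 <= abs(f) <= 1e6 and abs(f - round(f, 3)) < 1e-9


def plausible_floats(start, data):
    """Addresses whose dword decodes to a stat-looking float (what a scanner like T-Search reports)."""
    return [(addr, f) for addr, _u, f in decode_dwords(start, data) if looks_like_game_stat(f)]


if __name__ == "__main__":
    start, data, suspicious = parse_olly_dump(OLLY_DUMP)
    print("%d contiguous bytes from %08X" % (len(data), start))
    print("ring-0 mnemonics:", ["%08X %s" % s for s in suspicious])
    for addr, u, f in decode_dwords(start, data):
        print("%08X  u32=%-10u f32=%g" % (addr, u, f))
    print("stat-looking floats:", plausible_floats(start, data))
```

The contiguity check matters: a listing with gaps cannot be reinterpreted as one structure. The practical consequence for the thread is the one fr33ke gives next: the code worth reading is whatever accesses this block, found with a hardware breakpoint on the address, not the bytes at the address themselves.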

fr33ke
May 4th, 2007, 03:56
Are you looking at the data or something? You need to find the code that uses that location, so set a hardware or memory breakpoint on read or write on that location (you have to follow it in the data window and right-click).

cyphunk
May 4th, 2007, 05:41
When you say OllyDbg changes the address, and when loading outside of Olly it does not, do you mean inside another disassembler? OllyDbg is a debugger, and as such you see addresses after the runtime has been loaded into memory. I suspect that your issue is the same as the thread posted directly after yours ("http://woodmann.com/forum/showthread.php?t=10055"), RVA. See that thread for clues. Or perhaps I didn't understand your problem?

blurcode
May 4th, 2007, 06:47
I suspect it creates objects at runtime. That's why offsets are random.

DaHexor
May 4th, 2007, 12:16
Wow, you guys are way overlooking this and not listening to me, or I'm not understanding, one of the two.

Blurcode, below, I believe you're right: it creates an object at runtime with a random value to hold data information.

But is there a way to go to where it makes this random data for each object and make it a specific address?

I know my coding is wrong, lol, but

Function CreateObject () {
Character = Random(01210000, 01810000)
}

Can't I just make it

Function CreateObject () {
Character = 01210000-01410000
}

Because, out of the random,

it only makes 3 types of random addresses, but they can be anywhere from 012 to 018.

And it only uses 1,409,879 addresses for the game for each random creation, or about that. Can't I just say what I want those addresses to be?

This is my question (just as simply as I can state it):
1. I want to find where in OllyDbg it makes the random address creation for the object.

I'm using T-Search (memory editor); that's how I know the addresses are rotating.


Is there a certain type of code I should be looking for that makes random addresses in OllyDbg in general?

I've tried following it with F8 and F7, and right when I think I'm close I F2 the spot, click Restart and play, and it moves; it isn't at that spot any more. Then when it moves, it's back at the spot again. I can't figure it out. I'm still a noob at OllyDbg, so my following skills aren't the best.

I would ask someone to take a look at the exe for me, but it's a 400 MB download and I doubt anyone would want to download it just to help me.

Unless someone likes MMORPGs; then I'll PM you the game name.

Quote:
[Originally Posted by blurcode;65399]I suspect it creates objects at runtime. That's why offsets are random.

JMI
May 4th, 2007, 12:56
DaHexor:

You haven't been here nearly long enough to be posting things in "bold 4 Point type" simply because you don't think people understand your question!

If you can't be mature enough to control your impatience and demonstrate some "impulse control," we have a place where we can put your Threads and a "special" usergroup you can "involuntarily" join, known as the "Goners."

I have edited your Post to remove the "offending" demonstration of your lack of "self-control". Make sure you do not repeat it.



Regards,

squidge
May 4th, 2007, 16:29
There are lots of implementations of something that can make a random address (or an apparently random address). IDA can spot quite a few of them, and even show you the x-refs, so go from there and work backwards if that's what you want to do.

However, you might find out it's dynamic memory allocation (or the 'offending' code is inside a DLL which is thrown away and reloaded as and when required) rather than an attempt to randomize addresses.

In either case, have fun.
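
Added example (editor's code, not from the thread and not the game's code): a small C program modelling what blurcode and squidge describe. The Character object is allocated on the heap after a run-dependent amount of earlier allocation, so its address moves from run to run with no randomizer involved, while a global pointer to it sits at a fixed offset in the module's data section. The instruction that fires FrankRizzo's access breakpoint normally loads the object address from such a pointer, and the pointer-path walker here reaches the field through it without touching the allocator, which is what a trainer does instead of patching object creation. The struct layout, field names, default values and the two-step path are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical game object: layout and field names are this example's assumptions. */
struct Character {
    uint32_t id;
    float    attack_speed;
    float    run_speed;
    uint8_t  pet_visible;
    uint8_t  can_fly;
    uint8_t  pad[2];
};

/* A global pointer lives in the module's data section, so its address is fixed relative
 * to the module base for a given build, even though the object it points to is on the
 * heap. Code that touches the object loads this pointer first; that load is what an
 * access breakpoint on the field leads you back to. */
struct Character *g_player = NULL;

/* Stand-in for everything the game allocates before creating the player: a different
 * amount each run, so the player object lands at a different heap address each run. */
static void churn_heap(unsigned n)
{
    for (unsigned i = 0; i < n; i++) {
        void *p = malloc(16 + (i % 7) * 8);
        if (i % 3 != 0)
            free(p);                /* leave holes; mimics real fragmentation */
    }
}

struct Character *create_character(uint32_t id)
{
    struct Character *c = calloc(1, sizeof *c);
    if (c == NULL)
        abort();
    c->id = id;
    c->attack_speed = 1.5f;         /* constructed defaults, not the game's values */
    c->run_speed = 7.0f;
    return c;
}

/* Walk a pointer path from a fixed base: every offset but the last is added and then
 * dereferenced as a pointer-sized slot; the last is added without dereferencing, so the
 * result is the field's address. Returns NULL if a link is NULL (object not created yet). */
void *resolve_pointer_path(void *base, const size_t *path, size_t n)
{
    uint8_t *cur = base;
    for (size_t i = 0; i + 1 < n; i++) {
        cur += path[i];
        memcpy(&cur, cur, sizeof cur);
        if (cur == NULL)
            return NULL;
    }
    return cur + path[n - 1];
}

/* Read attack speed through the static pointer only, never through a cached object address. */
float read_attack_speed_via_path(void)
{
    size_t path[] = { 0, offsetof(struct Character, attack_speed) };
    float *f = resolve_pointer_path(&g_player, path, 2);
    return f != NULL ? *f : 0.0f;
}

int main(void)
{
    srand((unsigned)time(NULL));    /* only to vary the allocation history per run */
    churn_heap((unsigned)(rand() % 64));
    g_player = create_character(1);
    g_player->attack_speed = 20.0f;

    printf("&g_player (static, fixed offset from module base) = %p\n", (void *)&g_player);
    printf("g_player  (heap, moves between runs)              = %p\n", (void *)g_player);
    printf("attack_speed via pointer path                     = %g\n", read_attack_speed_via_path());
    return 0;
}
```

Run it a few times: the second address changes while the first stays put (on a modern OS with ASLR both move between runs, but the first stays at the same offset from the module base, which is the form a trainer records). A patched-in fixed address for the object, as DaHexor proposes, would have to win against every earlier allocation and against the game's own updates; the path through the static pointer survives both.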

DaHexor
May 4th, 2007, 21:49
WTH, JMI, I just made it big and bold so people can see what I was asking. The text all blends together for me, and when it's bold I tend to read that first. Sorry if you've got some sort of problem with that.

Maybe you should make that a topic and list forum rules and make it a sticky board: NO bold or size 4 point font......

Hmm, interesting, Squidge, but I do believe it's attempting to randomize addresses because it's an MMO game and they don't want hackers.

Squidge, can you list a few of the implementations of something that can make a random address?

JMI
May 4th, 2007, 22:08
DaHexor:

It wasn't "just" because you made it "4 point" and "bold", it was the "REASON" you made it "4 point and bold" and you did so because you concluded the other posters just were not paying enough attention to what "YOU" want them to answer.

I do not consider that a "valid" reason, and it will not do you much good to argue with that conclusion or make smartass suggestions about modifying the rules to make something "obvious" to YOU that you should have assumed by simply looking around these forums for any reasonable length of time.

You resorted to the large type and bold because you were annoyed that you believed people were not understanding your question and you were impatient with YOUR need to solve YOUR problem. That also is not a sufficient reason.

Do you want to try for three strikes??? Or do you just want to be quiet and follow the directions you have received? I would "recommend" you just be quiet, but there are other alternatives if you can't take a "hint."

Regards,

DaHexor
May 5th, 2007, 10:12
Whatever, JMI, you have me all wrong, but fine. I don't want to argue with you; it isn't helping my subject anyway. Sorry, my English isn't so good, and maybe I word things wrong, looking like I'm annoying and just want the question answered. I was just simply stating in bold what my real question was because I felt I was going off in LaLa Land and not really just asking the question.

But if we are a free country, you can take what I say however you wish. That's freedom of speech.

squidge
May 5th, 2007, 10:47
Note that this is a learning board, not a quick question and answer board.

So, with that in mind, I would suggest you think about what you can do to make a random address and then apply that knowledge to the problem in question. Computers in general are very bad at thinking up random numbers, so just think for a moment how programmers get around that kind of thing...

All you seem to be doing is upsetting the regulars and mods, which simply means that people will either ignore you or get fed up with your tone and ban you. Perhaps an apology is in order?

naides
May 5th, 2007, 10:48
Quote:
[Originally Posted by DaHexor;65434]. . .
But If We are a Free Country And you Can Take what i say however you Wish Thats Freedom of Speach.


Oh Fuck!

JMI
May 5th, 2007, 13:44
I guess DaHexor believes that his use of "artificially broken English" will somehow excuse his behaviour. Reading his first couple of posts in this thread, it is "obvious" that his professed difficulties with "English" only surfaced when he was challenged on his behaviour.

Unfortunately, his IP is from Colorado, USA, and his grasp of the American idiom, interspersed with what appears to be purposeful misspelling, strongly suggests his "English" is much better than he is now trying to "portray."

But he doesn't want to be told what he can or cannot do and will not follow simple directions, so this thread is "closed" and he and his IP are now on a watch list.



Regards,