
After finding an address with OllyDbg how exactly do I use it?


Sanelb
January 18th, 2008, 22:13
(I tried posting on various forums such as mpc and ce but got no replies to my question. Yes, I used the search function on this forum.)



0043302F > 68 E4B55900 PUSH Tibia.0059B5E4 ; ASCII "Mana"




I think I figured out how to use OllyDbg. I was playing around with it on a basic online game called Tibia, and I found that line of code/address up there.

What exactly did I find?
What do I do next to edit it?
Do I take the code 004302F and do something with it on cheat engine?
Or the code 68 E4B55900?
Do most codes that are received from OllyDbg go well with cheat engine?

I would love for someone to please explain to me what to do next, or answer any of those questions.



P.S. I just want to learn; I am trying my best not to be a leecher. Thanks!

esther
January 18th, 2008, 22:35
Learn ASSembly language, Win32 API

Woodmann
January 18th, 2008, 23:30
What you found was a reference within the code to Mana.

Whatever you want to do, (cheat), you will need to do a ton more work.
You will need to post more code and hope that someone here
has some knowledge of that online game.

If no one here has played that game online, you are out of luck.

Woodmann

WaxfordSqueers
January 19th, 2008, 03:59
Quote:
[Originally Posted by Sanelb;71944]0043302F > 68 E4B55900 PUSH Tibia.0059B5E4 ; ASCII "Mana"

What exactly did I find?
What do I do next to edit it?
Do I take the code 004302F and do something with it on cheat engine?
Or the code 68 E4B55900?
Are most codes that are received from OllyDbg go well with cheat engine?
I'm writing this because I need a break from what I'm doing. If it's too long, or out of context, feel free to axe it or edit it. I see a lot of questions like this and maybe a very simple explanation like mine may help some people get started. Also, it might add some assembler references to our database that will show up in a search.

Olly or any other debugger doesn't care about cheat engines, I don't even know what one is. If your focus is on cheat engines, you're wasting your time and the time of others here. Unless, of course, you can present a coherent analysis of what you need to learn. If you want to learn assembler, I'll give you a push (no pun intended), just to whet your appetite. I'm no expert, however.

The 43302f to the left of the > is an address in your computer's memory. The 'bytes' after it, '68' and 'E4' and 'B5' and '59' and '00', are code, and it's found in memory at that address. The code is in a mathematical code called hexadecimal (Google it), which was developed to avoid writing long strings of binary like 0111 0001 1011. The equivalent of that in hexadecimal is 71B, which is infinitely more readable.

For example, the hexadecimal value 68 (written 0x68) is made up of the binary digits 0110 = 6 and 1000 = 8. So, 68 = 01101000. If those binary digits are represented by voltages, like 1 = 5 volts and 0 = zero volts, a computer can understand them. 'Code' is used in general to refer to instructions to the processor, but the word means what it says. Computer (processor) instructions and data are binary codes. A processor only understands two things: a 1 and a 0. How do you talk to it about the alphabet and numbers, or give it instructions, when it has such a limited vocabulary? You form the 1's and 0's into codes.

Here's a real-life example from a test I had to write once. A guy lives on the 15th floor of an apartment with his wife. Each night he comes home, she wants him to go to the store and pick something up. His apartment has 5 windows side by side with blinds. (If a blind is shut it could mean 1, and if it's open it could mean 0.) Using those 5 windows, where the blinds can be open or shut in different combinations, how many codes can be formed, hence how many things can she send him to buy? (The answer will be in next week's supplement.) HINT: there's an easy way which you learn after the hard way. All blinds open = 00000, all blinds shut = 11111. Fill in the codes in between.

One of the basic computer (digital) chips is a decoder. If several 1's and 0's are presented to it in parallel (on a bus), to form a code, the decoder will select a specific output line. If the code put into the decoder, for example, is 0000, the decoder selects output 0. If the code is 1111, the decoder selects output line 15. This is oversimplified, but it is still the basis on which a CPU works. When the CPU receives the hex code 0x68, made up of 01101000 as voltage levels in its decoding unit, it knows to perform the equivalent of a PUSH instruction. It does that by using the selected output line to turn on a circuit that performs the electronic equivalent of a PUSH.

If you study an ASCII chart ( http://www.pcguide.com/res/tablesASCII-c.html ), you will see columns of hexadecimal numbers with their decimal equivalent. For example, the hexadecimal (abbreviated hex, or sometimes Hx) number 0x40 has the decimal equivalent of 64. This is an important relationship. Hexadecimal 0x41 is decimal 65, but that's not so important in an ASCII table. 0x41 also represents the capital letter A. 0x42 is B, 0x43 is C, etc. A = 0x41 is also 01000001 in binary. Remember, the computer processor only understands binary... 1's and 0's.

Binary combinations are formed in extended ASCII from 00000000 to 11111111 (256 different codes, or combinations of 1's and 0's). In hexadecimal that is 0x00 to 0xFF. All the alphanumeric characters are represented by 'codes' and are contained between 0x30 = 00110000 = 0 (zero) to 0x7A = 01111010 = z (small z). In fact every key on a keyboard has a code. There's no point starting into assembler unless you have a decent grasp of this because the assembler language uses hexadecimal codes that are abbreviations of the binary code the processor understands. In other words, assembler opcodes are instructions to the processor.

The English equivalent (mnemonic) of the opcode is written to the right of it. So, 68 E4 B5 59 00 means PUSH 0059B5E4 in assembler. 'PUSH' is an instruction to the computer's central processing unit (CPU) to move a value onto the Stack, an area of memory reserved for a process, like Tibia. Maybe someone could clarify whether the stack itself is formed by the compiler, and what the relationship is to the CPU.

You don't need to know that at this point, but if you watch what comes right after one or more PUSH instructions, you'll see a 'function', signified by a CALL instruction. That's why you were told to include more code. The PUSH by itself doesn't say a lot, but the CALL might, especially if it's a system function and Olly is set up to interpret it into English.

The PUSH statement puts values on the Stack for the function to use. In this case, it's putting the memory address 0059B5E4 onto the stack, and at that address there is a 'string' of ASCII hexadecimal characters that spell Mana (actually, in real memory, Mana would be represented by the electrical equivalent of binary 1's and 0's). The function that follows, at the CALL statement, 'might' be a 'string' function, and its job 'might' be to count the length of the string, move it somewhere, copy it, or whatever. The 'Tibia' part is meaningless to the code... it was put there by Olly to help you out. Also, the ; at the end of the line signifies the end of the code and was put there by Olly. Anything after that is a comment put there by the debugger as well.

One last thing. Look at the code 68E4B55900. It's made up of two parts. There is a 68, which is the actual opcode (operation code), and E4B55900, which is the operand it operates on. Rearrange E4B55900 and you get 0059B5E4. Sound familiar?? It's the address in memory holding the string Mana. The hex 68 represents the binary code for PUSH. The instruction puts the address of Mana onto the Stack. Later, the code called by the CALL will do something with it.

OK...this is all Greek right now, and if you're Greek, it might not necessarily help. Before you jump into this, you need to know about bits, bytes, words, doublewords, binary and hexadecimal. Then you need to know some basic assembler instructions like MOV, PUSH, CALL, CMP, JMP, JE, etc., and the effect they have on the flow of the program. You also need to learn how a central processing unit is made up, the registers, etc. Intel has free information on this at their site. You will also need to learn something about the basic structure of the program you're working on. Usually that's a PE file with Windows apps.

A week or two of serious study will get you to the point where you'll begin to understand assembler at a very basic level. We have all been there. If you don't have the time or interest to do that, you won't get any help on boards like this. I learned most about assembler by doing what you're doing now. I wanted to 'fix' something, and one thing led to another.

I got a book on assembler opcodes that had a handy ASCII table. Every time I came to an instruction I didn't understand, I stopped, got out the book, and tried to figure it out. There are a lot of seriously good reversers on this board who will occasionally stop by and give you some real insight if they think you have done your homework. At worst, someone like me can help. If you're just looking for a hack for a game, forget it.

BTW...Olly is a disassembler as well as a debugger. When programs are written, they are usually written in a high level language, meaning the interface is more human friendly. One high level instruction may contain several hundred assembler instructions, but assembler is about the lowest level of interface to a processor that a human can understand easily. The lowest level is machine language, and you don't want to go there.

When a high level language is 'compiled' it is converted from the human level to the machine level. It is stored on a hard disk in a sequence of 'bytes' that is not legible to the average human mind. A disassembler/debugger like Olly reads that jumble and attaches human words to it like PUSH, JMP (jump), MOV (move), etc. In other words, it brings order to the mess. Using Olly, you can step (trace) through a disassembly one step at a time. You are actually seeing the program code as it is executed by the processor. It's not quite that simple, but that gives you the idea.

naides
January 19th, 2008, 06:06
Quote:
[Originally Posted by WaxfordSqueers;71949]I'm writing this because I need a break from what I'm doing. . .


Jeesh, Waxford!

Whatever you were doing has got to be the most painful job in the world, for you to take such a long and excruciatingly detailed "break".

RCHN
January 19th, 2008, 07:46
I would normally recommend you take a CS course either at your local post-secondary institution or do the research yourself online, but seeing as your goal is to "cheat" in a game and not develop a deeper understanding of the Art this is likely not the forum for you.

Sanelb
January 19th, 2008, 11:41
Quote:
[Originally Posted by Woodmann;71946]What you found was a reference within the code to Mana.

Whatever you want to do, (cheat), you will need to do a ton more work.
You will need to post more code and hope that someone here
has some knowlege of that online game.

If no one here has played that game online, you are out of luck.

Woodmann


0043302F > 68 E4B55900 PUSH Tibia.0059B5E4 ; ASCII "Mana"
00433034 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00433037 . 50 PUSH EAX
00433038 . E8 F5061100 CALL Tibia.00543732
0043303D . 83C4 08 ADD ESP,8
00433040 . E8 5BE60100 CALL Tibia.004516A0
00433045 . 8907 MOV DWORD PTR DS:[EDI],EAX

This is what the whole code looks like. I am guessing if I NOP 00433038 . E8 F5061100 CALL Tibia.00543732, it should do something to my mana.

And what do you mean, OllyDbg has nothing to do with cheat engine? That is what most people do: they find codes from OllyDbg and use them on a cheat table by freezing or changing the value of the address they found.

Thanks for taking a break from your time to explain to me Waxford.

Quote:
All blinds open = 00000, all blinds shut = 11111
I would prefer all blinds open = 11111, and all blinds shut = 00000. 1 means on and 0 means off.

BTW, what do you think of this site on learning ASM http://video.reverse-engineering.net/thumbnails.php?album=4 Is it good to start there? The site has a tutorial that comes with an application.
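Waxford's point about the opcode/operand split (68 is PUSH imm32, and E4B55900 is 0059B5E4 stored low byte first) and the way Olly turns E8 F5061100 into CALL Tibia.00543732 can be checked by hand. The script below is an added example, not code from the thread, from OllyDbg or from Tibia: it decodes exactly the seven instructions pasted above, rebuilds Olly's ASCII "Mana" comment from a constructed memory image (the bytes placed at 0059B5E4 are made up here so the script runs offline), and shows what a 5-byte NOP patch of the CALL at 00433038 leaves in place. The patch has to match the instruction length; otherwise the ADD ESP,8 at 0043303D would no longer decode where it is.

```python
"""Hand-decode the OllyDbg listing quoted in the thread.

Added example (not from the original post, from OllyDbg or from Tibia).
The instruction bytes and addresses are the ones quoted in the thread;
the surrounding "memory image" is constructed so the script runs offline.
"""
import struct

CODE_BASE = 0x0043302F
CODE = bytes.fromhex(
    "68E4B55900"   # PUSH 0059B5E4
    "8B450C"       # MOV EAX,DWORD PTR SS:[EBP+C]
    "50"           # PUSH EAX
    "E8F5061100"   # CALL 00543732
    "83C408"       # ADD ESP,8
    "E85BE60100"   # CALL 004516A0
    "8907"         # MOV DWORD PTR DS:[EDI],EAX
)
STRING_BASE = 0x0059B5E4
STRING = b"Mana\x00"      # constructed: what the PUSH operand points at

MEMORY = {CODE_BASE: CODE, STRING_BASE: STRING}


def read_cstring(addr, limit=64):
    """Return the NUL-terminated printable ASCII string at addr, or None."""
    for base, blob in MEMORY.items():
        if base <= addr < base + len(blob):
            chunk = blob[addr - base:addr - base + limit]
            end = chunk.find(b"\x00")
            if end > 0 and all(0x20 <= b < 0x7F for b in chunk[:end]):
                return chunk[:end].decode("ascii")
    return None


def decode(addr, code):
    """Minimal decoder for the handful of opcodes in the listing.

    Returns a list of (address, hex bytes, text) tuples, one per instruction.
    """
    out = []
    pos = 0
    while pos < len(code):
        eip = code_addr = addr + pos
        op = code[pos]
        if op == 0x68:                         # PUSH imm32
            # operand is 4 bytes little-endian: E4 B5 59 00 -> 0x0059B5E4
            imm = struct.unpack_from("<I", code, pos + 1)[0]
            size, text = 5, f"PUSH {imm:08X}"
            s = read_cstring(imm)              # this is how the ; ASCII comment arises
            if s is not None:
                text += f' ; ASCII "{s}"'
        elif op == 0xE8:                       # CALL rel32
            # target = address of the NEXT instruction + signed displacement
            rel = struct.unpack_from("<i", code, pos + 1)[0]
            size = 5
            target = (eip + size + rel) & 0xFFFFFFFF
            text = f"CALL {target:08X}"
        elif op == 0x50:                       # PUSH EAX
            size, text = 1, "PUSH EAX"
        elif op == 0x8B and code[pos + 1] == 0x45:   # MOV EAX,[EBP+disp8]
            disp = struct.unpack_from("<b", code, pos + 2)[0]
            size, text = 3, f"MOV EAX,DWORD PTR SS:[EBP+{disp:X}]"
        elif op == 0x83 and code[pos + 1] == 0xC4:   # ADD ESP,imm8
            imm = struct.unpack_from("<b", code, pos + 2)[0]
            size, text = 3, f"ADD ESP,{imm:X}"
        elif op == 0x89 and code[pos + 1] == 0x07:   # MOV [EDI],EAX
            size, text = 2, "MOV DWORD PTR DS:[EDI],EAX"
        elif op == 0x90:                       # NOP (appears after patching)
            size, text = 1, "NOP"
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {eip:08X}")
        out.append((code_addr, code[pos:pos + size].hex().upper(), text))
        pos += size
    return out


def nop_out(code, addr, target):
    """Replace the instruction starting at `target` with NOPs of equal length."""
    for eip, raw, _ in decode(addr, code):
        if eip == target:
            off, length = eip - addr, len(raw) // 2
            return code[:off] + b"\x90" * length + code[off + length:]
    raise ValueError(f"no instruction starts at {target:08X}")


if __name__ == "__main__":
    for eip, raw, text in decode(CODE_BASE, CODE):
        print(f"{eip:08X}  {raw:<12} {text}")
    print("--- after NOPing the CALL at 00433038 ---")
    for eip, raw, text in decode(CODE_BASE, nop_out(CODE, CODE_BASE, 0x00433038)):
        print(f"{eip:08X}  {raw:<12} {text}")
```

The CALL arithmetic is the part worth checking by hand: 0043303D (the instruction after the 5-byte CALL) + 001106F5 = 00543732, and 00433045 + 0001E65B = 004516A0, which is exactly what Olly printed. The ADD ESP,8 after the first CALL removes the two pushed arguments (the string address and EAX) whether or not the CALL is still there.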

XhacK
January 19th, 2008, 12:30
First of all "HI" guys!

and YES Sanelb, Lena151's Series are the best newbie tutorials I've ever seen!
It would be the best start for you..

TiGa
January 19th, 2008, 19:00
Very good site that I recommend to everybody!
There are some good videos too about IDA made by some other guy.
I always forget his name.

RCHN
January 19th, 2008, 23:08
Quote:
[Originally Posted by Sanelb;71954]0043302F > 68 E4B55900 PUSH Tibia.0059B5E4 ; ASCII "Mana"
00433034 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00433037 . 50 PUSH EAX
00433038 . E8 F5061100 CALL Tibia.00543732
0043303D . 83C4 08 ADD ESP,8
00433040 . E8 5BE60100 CALL Tibia.004516A0
00433045 . 8907 MOV DWORD PTR DS:[EDI],EAX

This is what the whole code looks like. I am guessing If I NOP 00433038 . E8 F5061100 CALL Tibia.00543732. It should do something to my mana.
NO! What makes you think that the mere presence of the letters 'M', 'a', 'n', and 'a' in that order in some code you found, would "do something to [your] mana"? Let's draw an analogy:
Code:
00401100 push something.00401050 ; ASCII "Hello"
00401105 call something.00401337
0040110a add esp, 4
Now, if I NOP out 00401105-00401109, would it do something to my Hello?!?! What YOU need to do is think more deeply and learn about how the computer works, as you seem to have no clue at all.
Quote:
And what you mean OllyDbg has nothing to do with cheat engine? That is what most people do they find codes from OllyDbg and use them on a cheat table by freezing or changing the value of the address they found.
One is a debugger, the other is a memory editor.
Quote:
BTW, what do you think of this site on learning ASM http://video.reverse-engineering.net/thumbnails.php?album=4 is it good to start there? The site has a tutorial that comes with a application.
What do I think? "patch this patch that blah blah blah"... it isn't hard to see that someone who bases his study of reversing on such material will never truly become enlightened in the Art.

WaxfordSqueers
January 19th, 2008, 23:56
Quote:
[Originally Posted by naides;71951]Jeesh, Waxford! Whatever you were doing is got to be the most painful job in the world, for you to take such a long and excruciatingly detailed "break"
I was working feverishly trying to get Paimei working on my system. How about hopping over to Our Tools and checking out the Paimei thread by Ricardo? I'd appreciate your expertise. I've had pains trying to get sice up, but nothing like this.

Actually, writing the blurb was relaxing compared to the frustration of the past few days. I'm an electronics tech and I like to visualize reversing from both the hardware and software perspective. I started with a simple, short reply but started to see that a concise reply was not that easy. That's probably why most people don't get into it. In the end, it did a lot for me to write it because I was a bit bleary on certain aspects. I was hoping it might do some good for a newbie down the road who was groping in the codewoods. Then again, I may put him/her right off reversing.

WaxfordSqueers
January 20th, 2008, 00:38
Quote:
[Originally Posted by Sanelb;71954]This is what the whole code looks like. I am guessing If I NOP 00433038 . E8 F5061100 CALL Tibia.00543732. It should do something to my mana.
The whole point of my long reply to you was to take a couple of weeks and figure out why your guess would be dumb. You'd probably get a nice blue screen and your computer would need to be rebooted. If your hard drives were configured so important data was in a cache, you might not even be able to reboot. Then you'd be obliged to do the next dumb thing most newbies do: reformat and reload Windows. I have never, ever had to reformat and reload Windows because I figure out what happened and fix it.

Quote:
And what you mean OllyDbg has nothing to do with cheat engine? That is what most people do they find codes from OllyDbg and use them on a cheat table by freezing or changing the value of the address they found.
Anyone who plays just games and knows nothing about reversing is just toying with Olly. If your interest is just games, there are plenty of forums dealing with that. The reason you received no replies at the other two boards you visited has to do with the contempt most reversers have for people using them to get hacks, cracks and cheats. From what I do understand about cheats, you could probably do it with a straight disassembly.

Quote:
Thanks for taking a break from your time to explain to me Waxford.
No problem... now go read it and understand it. Games will eventually make you go blind.

Quote:
I would prefer All blinds open= 11111, and all blinds shut= 00000. 1 means on and 0 means off.
You're guessing again.

No blinds shut is 00000, one blind shut is 00001, 00010, 00100, 01000, and 10000. Two blinds shut is 00011, 00110, 01100, 11000, 00101, 01010 and so on. Each one of those is a unique combination of 1's and 0's, hence a unique code. If you listed those codes with their decimal representation, they'd be 0,1,2,4,8,16,3,6,12,24,5 and 10. Find which combinations are missing and total them.

Hey man...if you can't do this in your sleep, forget about Olly!! This is about as easy as it gets. If you start learning, it will all make sense. Like I said, there's a really easy solution to this problem which will let you figure it out in two seconds. What this board is about is groping in the dark, then coming back and asking what is wrong. Without the basics, even if we gave you a solution, you still wouldn't understand.

TiGa
January 20th, 2008, 02:28
Contrary to what LLXX said, not all tutorials are evil.
You actually need to start getting knowledge from somewhere in the beginning, like tutorials.

To get a good idea of the process involved, you could start with a TrainerMe:
http://www.crackmes.de/users/daxxor_101/trainerme_1.0/

It is an over-simplified fake game with (non-evil) tutorials on how to make a trainer.
If this sounds too complicated or confusing then you can forget about the latest game where they actually try to make cheating harder to almost impossible.

There never will be a flashing neon sign saying: "Modify this byte to cheat".
Text is usually handled separately from numerical values, since the text doesn't need to be "recalculated" every time the value changes.

Every game will handle those values differently, it could be:
Single current value
Max value and current value
Max value - Spent value
Unrelated value to what is displayed

Like WaxfordSqueers said, opening all the blinds would not be a good solution in the third case as it would freeze the value to 0.

I'm having flashbacks of the old GameWizard for Dos days.
Also, saved games are often a direct dump of memory values.

TiGa
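As an added illustration of the storage layouts TiGa lists (this is not code from the thread, from Cheat Engine or from any game), the script below runs the kind of differential scan a memory editor does, over a constructed bytearray that holds a directly stored value and a max/spent pair side by side. The base address and offsets are made up. It shows why a first scan for the on-screen number returns several addresses, how a rescan after the value changes narrows them, why the "max value - spent value" layout never matches the displayed number and has to be found through a "changed by" scan instead, and what a cheat-table "freeze" actually does: rewrite the DWORD.

```python
"""Differential value scan over a constructed memory region.

Added example; not code from the thread, from Cheat Engine or from a game.
The region, its base address and the offsets below are all invented so the
script runs offline. Two of TiGa's layouts live side by side in it:
  layout 1: the displayed value is stored directly (OFF_CUR)
  layout 3: only max and spent are stored; the screen shows max - spent
"""
import struct

BASE = 0x00610000            # constructed base address of the scanned region
DWORD = struct.Struct("<I")  # 32-bit little-endian, as Olly shows DWORDs

OFF_CUR = 0x10      # layout 1: current value
OFF_MAX = 0x40      # layout 3: maximum ...
OFF_SPENT = 0x44    #           ... and amount spent
OFF_NOISE = 0x80    # unrelated counter that happens to equal the value at first


def build_region(cur, mx, spent, noise):
    """Return a snapshot of the fake process memory with the given values."""
    mem = bytearray(0x100)
    DWORD.pack_into(mem, OFF_CUR, cur)
    DWORD.pack_into(mem, OFF_MAX, mx)
    DWORD.pack_into(mem, OFF_SPENT, spent)
    DWORD.pack_into(mem, OFF_NOISE, noise)
    return mem


def read_dword(mem, addr):
    return DWORD.unpack_from(mem, addr - BASE)[0]


def scan_exact(mem, value, candidates=None):
    """First scan (candidates=None) or rescan: DWORD-aligned addresses == value."""
    addrs = range(BASE, BASE + len(mem) - 3, 4) if candidates is None else candidates
    return [a for a in addrs if read_dword(mem, a) == value]


def scan_changed_by(before, after, delta, candidates=None):
    """Rescan for addresses whose DWORD moved by exactly `delta` between snapshots."""
    addrs = range(BASE, BASE + len(before) - 3, 4) if candidates is None else candidates
    return [a for a in addrs if read_dword(after, a) - read_dword(before, a) == delta]


def freeze(mem, addr, value):
    """What a cheat table 'freeze' does on every tick: write the value back."""
    DWORD.pack_into(mem, addr - BASE, value)


def narrow_direct_value():
    """Layout 1: the screen value is in memory; two scans isolate its address."""
    snap1 = build_region(cur=100, mx=100, spent=0, noise=100)
    first = scan_exact(snap1, 100)             # CUR, MAX and NOISE all hold 100
    snap2 = build_region(cur=85, mx=100, spent=15, noise=100)  # 15 points spent
    second = scan_exact(snap2, 85, first)      # only CUR followed the change
    return first, second


def narrow_derived_value():
    """Layout 3: 85 is never stored, so scan for what moved by +15 instead."""
    snap1 = build_region(cur=100, mx=100, spent=0, noise=100)
    snap2 = build_region(cur=85, mx=100, spent=15, noise=100)
    direct = scan_exact(snap2, 85, [BASE + OFF_MAX, BASE + OFF_SPENT])  # empty
    moved = scan_changed_by(snap1, snap2, +15)                          # SPENT only
    return direct, moved


if __name__ == "__main__":
    first, second = narrow_direct_value()
    print("first scan :", [hex(a) for a in first])
    print("rescan     :", [hex(a) for a in second])
    direct, moved = narrow_derived_value()
    print("max/spent layout, scan for 85:", direct)
    print("max/spent layout, +15 scan   :", [hex(a) for a in moved])
    mem = build_region(cur=85, mx=100, spent=15, noise=100)
    freeze(mem, BASE + OFF_CUR, 100)
    print("after freeze:", read_dword(mem, BASE + OFF_CUR))
```

A real editor reads the target's memory through ReadProcessMemory/WriteProcessMemory instead of a bytearray, but the narrowing logic is the same; the address a scan finally isolates is a data address, which is why the code address 0043302F from the disassembly is not something a cheat table can freeze.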

dELTA
January 20th, 2008, 06:22
LLXX (RCHN, DESUForever, ...) is just a pathetic dried up cunt, just ignore her. She's been banned forever now.

Carry on.

XhacK
January 20th, 2008, 07:16
Quote:
[Originally Posted by TiGa;71969]Very good site that I recommend to everybody!
There are some good videos too about IDA made by some other guy.
I always forget his name.


Yeah that series Too
Yet I don't know why "he" didn't release any new tutorials lately, after the last (8th) one, as he promised us more tutorials ("Don't miss my next Tutorial") to come..

Thanks TiGa!! really!
Dedicating that much time to make such ORGANIZED series is really appreciated!
And I'm really glad that you can read my words, even though you are not waiting for someone to thank you for your great work! And I hope that Lena151 would read my words some day!

Keep up the good work guys, and wait for me after my graduation (after a couple of months) so I could find some time to read and work harder to reach your level and even more! (I hope)

And I know I should have opened a new thread for this boring speech, but I guess that's ok..

SnD, woodmann, ARTeam, TiGa and the RCE Community thanks guys and KEEP UP THE GOOD WORK!

Maximus
January 20th, 2008, 08:00
Quote:
[Originally Posted by RCHN;71970]What do I think? "patch this patch that blah blah blah"... it isn't hard to see that someone who bases his study of reversing on such material will never truly become enlightened in the Art.


LLXX/whatever, I do really hope you have NEVER to teach something to anyone.
Really. You have no IDEA at all of what teaching something is/can be.

I invite you to try doing it. Hell, I laugh a lot when I see people like you go try teaching. The result is... a total disaster, in my experience.

[a lot of offensive stuff removed]

TiGa
January 20th, 2008, 18:01
Quote:
[Originally Posted by XhacK;71995]Yeah that series Too
yet I don't know why "he" didn't release any new tutorials lately, after the last(8th) one, as he promised us with more tutorials ("Don't miss my next Tutorial" ) to come..

Well, ask a refund from "TiGa's Video of the Month Club".

In the time it would have taken me to make 2 or 3 new videos, I was able to add more than 200 videos from other authors to the site.
If you still consider yourself short-changed, thank you.
Don't worry, I plan to make others really soon.

Lena seems to be back amongst the living lately.
She's not making tutorials yet but is working on a new packer.

TiGa

XhacK
January 21st, 2008, 10:04
Yeah I can see that you are doing a great job with your Video Portal.
Even though I didn't understand what "short-changed" really means here, but no problem

and the news about Lena is great, I'm wondering what kind of packer such minds would make?
(By the way, it's a nice idea for a graduation project (Making of a packer) )

Maximus
January 21st, 2008, 19:53
...I think it means something like 'cheated' or 'robbed of something more valuable than what you got', etc.

(i feel like it should be short-charged? dunno, really, not my primary tongue :-P )

JMI
January 21st, 2008, 20:00
Literally, "short changed" means that you bought something, paid for it with currency greater than the cost, and you were given back less than the difference between the cost and the amount of money you handed over to pay for it. Thereby, the amount of "change" you received was "short" of the "correct" amount.

It is used as an expression for "getting less than you paid for."

Regards,

TiGa
January 21st, 2008, 20:12
When in doubt, Google:
http://www.thefreedictionary.com/short-change

The extended version in the context would be:
"In the remote case that you would have preferred 2 or 3 of my videos to 200 from other authors, thank you "

'Twas a joke!
Maybe short-change is slang or a localized expression... but it's in the free dictionary and in JMI's vocabulary.

TiGa

Maximus
January 21st, 2008, 20:27
damn

I mastered the tough art of Google search, but yet I forget to use it sometimes

...I saved it some time ago, but never thought to use it the first time on.. myself

JMI
January 21st, 2008, 20:32
It's definitely an "American" slang expression which has its origin in real life situations of buying something, paying for it, and getting some "change" back in less than the correct amount.

Now it is more generally used in the way of being "cheated" (in almost any way), as Maximus said.

And we know TiGa was just being humorous with his comment.

Wasn't it Kayaker who first posted the "I will google" chalkboard???

Regards.

Woodmann
January 21st, 2008, 22:42
"short changed".........

In American slang it means to feel cheated,
like you didn't get your money's worth.

When getting something for nothing, if you
complain you are viewed as a whiny pussy.

So to say "short changed" when getting something
for free, you should keep your mouth shut.

I hope this has cleared up nothing.

Woodmann

TiGa
January 22nd, 2008, 01:20
I would not be as blunt as Woodmann but as the saying goes:
"Don't look a gift horse in the mouth unless it is to search for hidden trojan soldiers".

I've started making a new video anyway.
At least, now I know somebody is waiting for it with impatience.

TiGa

JMI
January 22nd, 2008, 01:29
And some of us are waiting very patiently and with hope and anticipation of further good works!

Regards,

Silver
January 22nd, 2008, 06:26
Quote:
[Originally Posted by TiGa;72078]"Don't look a gift horse in the mouth unless it is to search for hidden trojan soldiers".


I'm sure that's a mixed metaphor, or at least a mixed adage...

Updated for 2008:
"Don't look an eDonkey client in the mouth unless it is to search for hidden trojan software"

naides
January 22nd, 2008, 11:33
Just to keep this thread focused and "on issue": the soldiers in the mouth of the E-donkey were Spartan, not Trojan. . .

Did I mix things a little more??

XhacK
January 22nd, 2008, 14:26
Quote:
[Originally Posted by TiGa;72071]When in doubt, Google:
http://www.thefreedictionary.com/short-change

The extended version in the context would be:
"In the remote case that you would have preferred 2 or 3 of my videos to 200 from other authors, thank you "

'Twas a joke!
Maybe short-change is slang or a localized expression... but it's in the free dictionary and in JMI's vocabulary.

TiGa


Hehe, I googled it (and entered the site you referred to up there) but it confused me even more :P
The extended version explains everything
And YES, I prefer your series (and obviously Lena's) over the 200 videos, because most of these videos are what LLXX called "patch this patch that blah blah blah" style. SURE they are good for practical education (if I can call it that!), yet the series style is very informative: it's not about unpacking/unprotecting a specific packer/protector, it's more about how to use the REAL potential of the program (in your case IDA) or to understand the logic behind the packing/protector world (or ART?)

Thanks to all the tutorials' authors for providing them for FREE!!

JMI
January 22nd, 2008, 16:06
Potential "mixed-metaphors" aside, lets not forget that the larger part of the army which was involved in this battle at Troy was Mycenae, led by Agamemnon, whose sister-in-law, wife of his brother Menelaus, came to be called "Helen of Troy," after she was kidnapped by Paris, a Prince of Troy.

Menelaus was the King of Sparta. Odysseus (Ulysses) was the king of Ithaca.

So it is probably more correct to say:

"the soldiers in the mouth of the E-donkey were Spartan, Mycenaean, and Ithacan."



Regards,

TiGa
January 23rd, 2008, 01:20
Achilles was Brad Pitt.

Who could trust Homer anyway to accurately report historical events?
He probably wrote this on a napkin at Moe's Tavern.

If I make too many videos, I'll have to change my signature to quote Silver quoting Disavowed.

TiGa

Silver
January 23rd, 2008, 12:56
Reverse engineering tutorial 1, part 1: how to successfully turn a legitimate question into an off-topic thread on Woodmann's forum.

Manage that and you're already a serious contributor here