Where do newbies go with disassembly questions?

I'm relatively (read: stupid newbie) familiar with disassembly, but this one has me stumped: I have a set of save files compressed with zlib and a game that loads them. Their structure is known, and once loaded, the structures in memory are identical to the corresponding save files. The problem is that the game was written in some back-end scripting language that somehow leaves no static pointers. At all. Several dozen people have tried, and seemingly static pointer paths would break after minor changes on one machine. An easy solution would be to just search process memory for the contents of the files, but that is a rather crude solution that I would rather avoid for educational purposes.

Questions:

  • I am trying to use OllyDBG. I'm terrible at this, but I still managed to make some trivial codecs that actually worked. Am I using the right tool for the job, or am I a dumb newbie? What instruments does a modern reverser have in their kit?
  • On a related note, I have to resort to Cheat Engine (or its cousin MHS) to search memory. This seems a bit contradictory. Does OllyDBG really give you no way to find values and refine the results, or am I missing something?
  • How do I set breakpoints on WINAPI? Heck, what does WINAPI look like at the assembly level? This is something I haven't been able to find any decent information on; I'm sure Google has more than enough, but I just can't come up with the right words.
  • Expanding on the above, how do I set dynamic breakpoints? If I am interested in a specific, often-called function, but only when EAX at that point equals a certain value, how would I get Olly (or whatever) to break on that condition?
  • Any general disassembly or low-level programming books / suggestions / resources focused on breaking things.

Disclaimer: The game in question is free and single-player, the author has not objected, and the project is intended to expand functionality more than anything else. Also, this is my first post; I hope I didn't ramble too much. :(

+2




1 answer


You have many questions wrapped into one. I will try to answer some of them.

OllyDBG is a great free disassembler. Professionals may pay for IDA Pro, but it's an expensive product.

In terms of memory search, OllyDBG does provide this feature. In any memory dump window (for example, the memory dump pane of the CPU window) you can right-click, select Search from the context menu, and then search for either an integer or a binary string. Unlike Cheat Engine, you cannot search for an approximate value with OllyDBG. There may be a plugin that does this, but I'm not aware of one.

By "WINAPI" I think you mean the Win32 API. There is probably a component in the game you are looking at named WINAPI. To set breakpoints on the various Windows APIs, which is what you need to do, since that is what the game calls, you need to know where the Windows API actually lives. The functions are not all in one "place". Various DLLs "export" the functions that make up the Win32 API. For example, MessageBox() is exported from USER32.DLL, but ExitProcess() is exported from KERNEL32.DLL.

To set breakpoints on Windows API calls in OllyDBG, you can open the Executables window from the menu to see all modules in memory. Right-click the USER32.DLL module and select View Names from the context menu. There you will see all the functions exported from USER32.



If the game client had been written in C, there would be a list of the API functions it uses in the so-called "import table". This can be found in the .EXE module loaded in memory, or in the EXE file on disk with link /dump /imports.

In the case of a scripting language, there is usually no import table, or if there is one, it imports the wide range of functions made available through the script engine.

I don't think OllyDBG supports conditional breakpoints, unfortunately.

Regarding where to start learning disassembly, by far the best guideline is to use quite a bit of assembly in your own code. Even if you are writing a Windows application that only displays a message box with "Hello World", you need to know about import tables to reach the MessageBox() API. In fact, such a C application can be just as informative for you. However, I recommend that you compile your code using only command-line tools and not a GUI environment. The graphical interface will hide too much information from you and get in the way of learning. To access the USER32.DLL API, you need to tell the linker that you want to use the USER32.LIB import library so that your C code can call MessageBox() transparently.

+4
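The answer above points at the import table as the place where a natively compiled EXE lists the Win32 functions it calls, and at link /dump /imports as the tool that prints it. The following is an added example, not code from the question, the answer or the game: a small Python script that walks a PE import directory itself (DOS header, PE signature, optional header, data directory 1, the IMAGE_IMPORT_DESCRIPTOR list and each DLL's name/ordinal thunks), so you can see which DLL exports each imported function comes from. It handles both PE32 and PE32+ thunk sizes and the ordinal-import case. The input is a constructed, minimal PE32 with a single .idata section built inline for testing; passing a real EXE path on the command line parses that file instead.

```python
import struct

# Ordinal flag in an import thunk: PE32 uses bit 31, PE32+ uses bit 63.
IMAGE_ORDINAL_FLAG32 = 0x80000000
IMAGE_ORDINAL_FLAG64 = 0x8000000000000000

def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)

def read_cstr(data, off):
    """Read a NUL-terminated ASCII string at a file offset."""
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(data):
    """Return {dll_name: [symbol, ...]}, the same data 'link /dump /imports' prints."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32
        thunk_fmt, ordinal_flag, ndirs_off = "<I", IMAGE_ORDINAL_FLAG32, 92
    elif magic == 0x20B:                    # PE32+
        thunk_fmt, ordinal_flag, ndirs_off = "<Q", IMAGE_ORDINAL_FLAG64, 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    if ndirs < 2:
        return {}
    # Data directory 1 is IMAGE_DIRECTORY_ENTRY_IMPORT (RVA, size).
    import_rva = struct.unpack_from("<II", data, opt + ndirs_off + 4 + 8)[0]
    if import_rva == 0:
        return {}
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    imports = {}
    desc = rva_to_offset(import_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp,
        # ForwarderChain, Name, FirstThunk; an all-zero entry ends the list.
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        dll = read_cstr(data, rva_to_offset(name_rva, sections))
        # Walk the import name table; fall back to the IAT if the INT is absent.
        thunk = rva_to_offset(oft or ft, sections)
        names = []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                names.append("ordinal#%d" % (entry & 0xFFFF))
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint followed by the name
                names.append(read_cstr(data, rva_to_offset(entry, sections) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[dll] = names
        desc += 20
    return imports

def build_sample_pe():
    """Constructed minimal PE32 with one .idata section (test input, not a real EXE)."""
    SEC_VA, SEC_RAW = 0x1000, 0x200
    sec = bytearray()

    def put(blob, align=4):            # append to the section, return the RVA
        while len(sec) % align:
            sec.append(0)
        rva = SEC_VA + len(sec)
        sec.extend(blob)
        return rva

    desc_rva = put(bytes(20 * 3))      # two descriptors plus the terminator
    entries = []
    for dll, funcs in (("USER32.dll", ["MessageBoxA"]), ("KERNEL32.dll", ["ExitProcess"])):
        hint_names = [put(struct.pack("<H", 0) + f.encode() + b"\0", 2) for f in funcs]
        thunks = struct.pack("<%dI" % (len(hint_names) + 1), *hint_names, 0)
        int_rva, iat_rva = put(thunks), put(thunks)
        entries.append((int_rva, put(dll.encode() + b"\0", 1), iat_rva))
    for i, (int_rva, name_rva, iat_rva) in enumerate(entries):
        struct.pack_into("<IIIII", sec, desc_rva - SEC_VA + 20 * i, int_rva, 0, 0, name_rva, iat_rva)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, desc_rva, 20 * 3)  # import directory entry
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), SEC_VA, len(sec),
                          SEC_RAW, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return headers.ljust(SEC_RAW, b"\0") + bytes(sec)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for dll, names in parse_imports(data).items():
        print(dll, names)
```

Run it with no arguments to parse the constructed sample, or with the path of a real EXE. On a native C program the output shows the same DLL/function pairs the answer describes (MessageBoxA under USER32.dll, ExitProcess under KERNEL32.dll); on a script-engine host you will typically see only the engine's own imports, which is the point the answer makes about scripting languages.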








