[Help]OllyDbg

CGeorge · 01/30/2011, 23:15

Hi people, I'm having a question/problem while OllyDbg-ing Conquer.exe. I want to remove the MentorReward button (that one near ShoppingMall, ItemLock etc.). I've managed to remove the icon and not by deleting the icon files from the client, but I can't completly remove it from there. I think's a way cause, like they added it, they can remove it by reversing the steps or just delete some parts from that dissasembly code. What I'm asking for? Someone who's having a bit more knowledge about dissasembling than me, to tell where exactly to NOP or JMP over or w/e, or just to give me some hints about...Not asking for a spoonfeding here, just some tips. Thanks alot!

~~Syst3m_W1z4rd~~ · 01/31/2011, 11:49

Try resource hack. It can manage the interface.

CGeorge · 01/31/2011, 15:17

Thanks mate, I'll try that and edit here if it's working or not.
Umm...it's not working. Anyway, close the thread, I've solved my problem so I don't need to remove it anymore. Thanks alot.

*M* · 02/17/2011, 03:06

Has anyone used a resource hacker to successfully move buttons?

Nvm, Gui.ini does all this

shitboi · 02/17/2011, 13:27

i am wondering. how did you guys start conquer using ollydbg?
doesn't Conquer take "blacknull" as argument to start on it's own?
Is there something that i need to set before i invoke Conquer.exe using Olly?

Currently i can never start Conquer.exe using olly

~~Syst3m_W1z4rd~~ · 02/17/2011, 14:20

You should be able to just do it directly.

shitboi · 02/17/2011, 16:29

you mean attach instead of open?

EDIT: CO freezes upon attaching

~~Syst3m_W1z4rd~~ · 02/17/2011, 18:44

Dunno then. What version are you tried with? I haven't tried since 5200 and under.

shitboi · 02/17/2011, 18:46

Quote:

Originally Posted by Syst3m_W1z4rd

Dunno then. What version are you tried with? I haven't tried since 5200 and under.

I have been trying on newer versions. Since the first time i ever tried olly with conquer many patches ago, it didn't work for me.

*M* · 02/18/2011, 00:15

Quote:

Originally Posted by shitboi

i am wondering. how did you guys start conquer using ollydbg?
doesn't Conquer take "blacknull" as argument to start on it's own?
Is there something that i need to set before i invoke Conquer.exe using Olly?

Currently i can never start Conquer.exe using olly

Yes as running it in olly won't issue the blacknull command. You need to fool the code into thinking it has. You used to be able to just search for the blacknull string and patch a jump above it. TQ has made it a little more difficult for unknown reasons but here it is:

First patch:

Code:

CPU Disasm
Address   Hex dump          Command                                  Comments
00581D87    5E              POP ESI
00581D88    83C6 2B         ADD ESI,2B
00581D8B    83FE 00         CMP ESI,0
00581D8E    0F84 08000000   JE 00581D9C
00581D94    FFE6            JMP ESI
00581D96    0F85 11000000   JNE 00581DAD
00581D9C    813D 618D85E8 F CMP DWORD PTR DS:[E8858D61],50FFFFFC
00581DA6    8D85 64FCFFFF   LEA EAX,[EBP-39C]
00581DAC    50              PUSH EAX
00581DAD    8D85 70FFFFFF   LEA EAX,[EBP-90]
00581DB3    50              PUSH EAX
00581DB4    8D85 ECFDFFFF   LEA EAX,[EBP-214]
00581DBA    50              PUSH EAX
00581DBB    8D85 70FEFFFF   LEA EAX,[EBP-190]
00581DC1    50              PUSH EAX
00581DC2    68 D4558B00     PUSH OFFSET 008B55D4                     ; ASCII "%s %s %s %s %s"
00581DC7    8B85 4CFAFFFF   MOV EAX,DWORD PTR SS:[EBP-5B4]
00581DCD    FF70 74         PUSH DWORD PTR DS:[EAX+74]
00581DD0    FF15 94977D00   CALL DWORD PTR DS:[<&MSVCRT.sscanf>]
00581DD6    83C4 1C         ADD ESP,1C
00581DD9    8985 E8FDFFFF   MOV DWORD PTR SS:[EBP-218],EAX
00581DDF    83BD E8FDFFFF 0 CMP DWORD PTR SS:[EBP-218],5
00581DE6    0F94C0          SETE AL
00581DE9    A2 34828E00     MOV BYTE PTR DS:[8E8234],AL
00581DEE    83BD E8FDFFFF 0 CMP DWORD PTR SS:[EBP-218],1
00581DF5    0F8D B4000000   JGE 00581EAF
00581DFB    60              PUSHAD
00581DFC    E8 17000000     CALL 00581E18
00581E01    59              POP ECX
00581E02    5F              POP EDI
00581E03    5E              POP ESI
00581E04    5B              POP EBX
00581E05    C9              LEAVE
00581E06    51              PUSH ECX
00581E07    C3              RETN

Change the JGE @ 00581DF5 to JMP

Second patch:

Code:

CPU Disasm
Address   Hex dump          Command                                  Comments
00581ECD    59              POP ECX
00581ECE    83C1 2F         ADD ECX,2F
00581ED1    83F9 00         CMP ECX,0
00581ED4    0F84 08000000   JE 00581EE2
00581EDA    FFE1            JMP ECX
00581EDC    0F85 1B000000   JNE 00581EFD
00581EE2    8115 6168C055 8 ADC DWORD PTR DS:[55C06861],858D008B
00581EEC    70 FE           JO SHORT 00581EEC
00581EEE    FF              DB FF                                    ; Unknown command
00581EEF    FF50 FF         CALL DWORD PTR DS:[EAX-1]
00581EF2    15 2C987D00     ADC EAX,7D982C
00581EF7    59              POP ECX
00581EF8    59              POP ECX
00581EF9    85C0            TEST EAX,EAX
00581EFB    0F84 A1000000   JE 00581FA2
00581F01    60              PUSHAD
00581F02    E8 0E000000     CALL 00581F15
00581F07    83C4 24         ADD ESP,24
00581F0A    C3              RETN

Change the JE @ 00581EFB to JMP

*M*

ShinMiyazaki · 02/18/2011, 03:48

Nice *M*, Glad that you're back with some promising tutorials.
Why don't you make thread for reversing tutorial for dummies ?

Just a simple basic tutorial because i want to learn specially those code cave like making standalone speedhack.

*M* · 02/18/2011, 05:18

Conquer specific tuts don't really help give an understanding of the whole process, why x does y. I'd recommend doing general reversing tutorials, that way you can attack any piece of software.

The tutorials I studied are Lena's ones -

, if you can finish those you'll be prepared for anything, not just CO

~~IAmHawtness~~ · 03/06/2011, 18:53

Quote:

Originally Posted by *M*

Yes as running it in olly won't issue the blacknull command. You need to fool the code into thinking it has. You used to be able to just search for the blacknull string and patch a jump above it. TQ has made it a little more difficult for unknown reasons but here it is:

Why not just:

*M* · 03/10/2011, 02:00

Quote:

Originally Posted by IAmHawtness

Why not just:

Boring

~~IAmHawtness~~ · 03/10/2011, 07:28

Quote:

Originally Posted by *M*

Boring

Haha, I figured you'd say something like that