NOTE* Addresses change at almost every update of Conquer.exe, so these addresses might not work on a newer patch. This code is written for the 5068 patch.

I know some people have had trouble reading HP from Conquer's memory, so here's a little "tutorial" on how to save the real HP value to a static location. I'm not going much into depth on how I found the places I'm using in this tutorial.

First of all, you need OllyDBG. (Well, that's what this tutorial is written for.) Next thing we do is open Conquer in OllyDBG and let it analyze the code. Now we need to find a place where Conquer processes the current HP value. You don't have to worry about this, I've already got it for you. :P

Code:
004ECEF1  FF75 0C        PUSH DWORD PTR SS:[EBP+0C]
004ECEF4  52             PUSH EDX
004ECEF5  E8 2EDF0000    CALL <JMP.&MSVCRT._rotl>
004ECEFA  59             POP ECX
004ECEFB  8906           MOV DWORD PTR DS:[ESI],EAX

In that piece of ASM, EDX contains the current HP. (It's updated or accessed all the time.) Next thing we need to do is find a place that has about 20 free bytes. Usually this is at the end of the .exe file. We also need two bytes free somewhere in Conquer.exe so we can save the HP value there for easier access.

Anyways, I found the 20 free bytes at the end of the exe, so -> (Ctrl + G) -> 5302D1. That is the address where we start rebuilding the old code that is going to be replaced in the original place (our codecave). So the next thing we need to do is reproduce the code that is going to get overwritten by our JMP to this codecave, with our own instruction added:

Code:
005302D1  FF75 0C        PUSH DWORD PTR SS:[EBP+0C]
005302D4  8915 70905600  MOV DWORD PTR DS:[569070],EDX
005302DA  52             PUSH EDX
005302DB  E8 48ABFCFF    CALL <JMP.&MSVCRT._rotl>        ; CALL 004FAE28
005302E0 ^E9 15CCFBFF    JMP 004ECEFA

What this code does is save the value of EDX to a static location (569070, hex), so later on we can read the HP value from that address. After that it runs the displaced PUSH EDX and CALL, then jumps back to 004ECEFA, the first instruction we leave untouched. Note that the CALL has to be re-encoded for its new address: E8 takes a displacement relative to the next instruction, so the bytes in the cave (E8 48ABFCFF) are not the same as in the original (E8 2EDF0000) even though both call 004FAE28. If you just copy the original bytes into the cave, the CALL lands somewhere else and Conquer crashes.

So what do we need to do now? We need to make the original code jump to this little piece of code of ours :P Let's go back to the codeblock:

Code:
004ECEF1  FF75 0C        PUSH DWORD PTR SS:[EBP+0C]
004ECEF4  52             PUSH EDX
004ECEF5  E8 2EDF0000    CALL <JMP.&MSVCRT._rotl>
004ECEFA  59             POP ECX
004ECEFB  8906           MOV DWORD PTR DS:[ESI],EAX

Remember what code we did manually? That's right, we did these:

Code:
004ECEF1  FF75 0C        PUSH DWORD PTR SS:[EBP+0C]
004ECEF4  52             PUSH EDX
004ECEF5  E8 2EDF0000    CALL <JMP.&MSVCRT._rotl>

So now we need to replace the

Code:
004ECEF1  FF75 0C        PUSH DWORD PTR SS:[EBP+0C]

with the JMP to our codecave. So now the code should look like this:

Code:
004ECEF1  E9 DB330400    JMP 005302D1

So now the original code:

Code:
004ECEF1 \FF75 0C        PUSH DWORD PTR SS:[EBP+0C]
004ECEF4  52             PUSH EDX
004ECEF5  E8 2EDF0000    CALL <JMP.&MSVCRT._rotl>        ; Jump to msvcrt._rotl

should look like this:

Code:
004ECEF1  E9 DB330400    JMP 005302D1
004ECEF6  90             NOP
004ECEF7  90             NOP
004ECEF8  90             NOP
004ECEF9  90             NOP

(The JMP is 5 bytes and the three instructions it replaces were 9 bytes, so the four NOPs fill the rest; that way nothing half-overwritten is left in front of 004ECEFA.)

If you did everything correctly you can now read the HP from address 569070h and Conquer shouldn't crash.

If you have any comments or questions, please ask.
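To check the byte encodings in the post (added example, not part of the original tutorial): an E8/E9 displacement is relative to the next instruction, so the displaced CALL must be re-encoded when it moves into the cave. The addresses are the ones the post gives for patch 5068; the script rebuilds the hook and cave bytes and shows where the original CALL bytes would land if copied into the cave unchanged.

```python
import struct

# Addresses as given in the tutorial (Conquer.exe, patch 5068).
HOOK_ADDR   = 0x004ECEF1  # first of the three instructions we overwrite
RETURN_ADDR = 0x004ECEFA  # POP ECX, first instruction left untouched
CAVE_ADDR   = 0x005302D1  # free bytes at the end of the exe
HP_SLOT     = 0x00569070  # static location that receives EDX
ROTL_THUNK  = 0x004FAE28  # <JMP.&MSVCRT._rotl>, target of the displaced CALL


def rel32(insn_addr: int, target: int) -> bytes:
    """Displacement for a 5-byte near JMP (E9) / CALL (E8): target minus next IP."""
    return struct.pack("<I", (target - (insn_addr + 5)) & 0xFFFFFFFF)


def decode_rel32(insn_addr: int, insn: bytes) -> int:
    """Where a 5-byte E8/E9 sitting at insn_addr actually lands."""
    assert len(insn) == 5 and insn[0] in (0xE8, 0xE9)
    (disp,) = struct.unpack("<i", insn[1:])
    return (insn_addr + 5 + disp) & 0xFFFFFFFF


def build_hook(hook_addr: int, cave_addr: int, overwritten_len: int) -> bytes:
    """JMP to the cave, NOP-padded so no partial instruction survives."""
    jmp = b"\xE9" + rel32(hook_addr, cave_addr)
    assert overwritten_len >= len(jmp)
    return jmp + b"\x90" * (overwritten_len - len(jmp))


def build_cave(cave_addr: int) -> bytes:
    """Displaced instructions plus the EDX save; the CALL is re-encoded for its new home."""
    code = b"\xFF\x75\x0C"                                    # PUSH DWORD PTR SS:[EBP+0C]
    code += b"\x89\x15" + struct.pack("<I", HP_SLOT)          # MOV DWORD PTR DS:[569070],EDX
    code += b"\x52"                                           # PUSH EDX
    code += b"\xE8" + rel32(cave_addr + len(code), ROTL_THUNK)   # CALL <JMP.&MSVCRT._rotl>
    code += b"\xE9" + rel32(cave_addr + len(code), RETURN_ADDR)  # JMP 004ECEFA
    return code


if __name__ == "__main__":
    orig_call = bytes.fromhex("E82EDF0000")  # CALL bytes at 004ECEF5 in the tutorial
    print("hook :", build_hook(HOOK_ADDR, CAVE_ADDR, 9).hex().upper())
    print("cave :", build_cave(CAVE_ADDR).hex().upper())
    print("original CALL goes to  %08X" % decode_rel32(0x004ECEF5, orig_call))
    print("same bytes in the cave %08X" % decode_rel32(CAVE_ADDR + 10, orig_call))
```

decode_rel32 is also the check to run when you find an unexpected JMP at the start of a function in a loaded module: it tells you exactly where control is being diverted to.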