Ollydbg removing "wpe"

01/31/2009 00:25 Lemonadez#1
I tried to NOP's it, but then once i save it and run the game. the game it self cannot be run.

im trying to remove this word "wpe". u see this game detect a name 'wpe' when i tried to open wpe the game close it self automaticaly.

can someone help me how to remove that :O

[Only registered and activated users can see links. Click Here To Register...]
01/31/2009 01:04 Adroxxx#2
Then remove the ASCII or replace it.

Go into commandbar and type

Code:
dump 006AFF58
Hit Enter

Then u should see in the memory window, the hex codes and the ASCII. Then u can replace it maybe with AAA or something.


If u don't have the commandbar plugin, i've uploaded for u.
01/31/2009 01:28 Lemonadez#3
Yea I already did that.

After I attach the file to WPE it closes :P
01/31/2009 14:18 Adroxxx#4
Quote:
Originally Posted by Lemonadez View Post
Yea I already did that.

After I attach the file to WPE it closes :P
did you tried rPE , too ?

Is the game maybe protected with any Anti-Cheat Software like PB, GG or HShield?
01/31/2009 16:22 schlurmann#5
Have you tried NOPing the whole call and the pushed string?
02/01/2009 01:52 Lemonadez#6
Quote:
Originally Posted by Adroxxx View Post
did you tried rPE , too ?

Is the game maybe protected with any Anti-Cheat Software like PB, GG or HShield?
yea i rPE too, no there is no protected software on this game.

its .exe itself that when it attach to wpe it automaticaly close.

i just dont have that much of idea or know how to work it around.

Quote:
Originally Posted by schlurmann View Post
Have you tried NOPing the whole call and the pushed string?
i dont know exactly what you trying to say, but i did try NOP's on "wpe", it will just get an error when i launch the game.

K first here what i do.

I Search for "WPE".
Code:
00462327  |. BF 58FF6A00    MOV EDI,DarkEden.006AFF58                ;  ASCII "wpe"
I went to address "006AFF58"
Code:
006AFF58   77 70            JA SHORT DarkEden.006AFFCA
Now I went to this address "006AFFCA"
Code:
006AFFCA   72 61            JB SHORT DarkEden.006B002D
Now I went to this address "006B002D"
Code:
006B002D   47               INC EDI
So I dont know exactly what to do with it :P
02/03/2009 18:29 schlurmann#7
The string is moved into the EDI register and then EDI is pushed onto the stack. Then a function is called whereas EDI is a parameter of that function. So this function takes a string and probably searches Window Titles and whatnot.

So either try NOPing the call to the function and the pushed parameters or reverse the actual function and patch it.

Or as said before just change the string in memory.

Edit: Maybe there's also a simple conditional jump you can patch, that's often enough and might jump some other AntiCheat mechanisms too.
02/08/2009 05:46 wiz#8
Quote:
Originally Posted by Lemonadez View Post
I Search for "WPE".
Code:
00462327  |. BF 58FF6A00    MOV EDI,DarkEden.006AFF58                ;  ASCII "wpe"
I went to address "006AFF58"
Code:
006AFF58   77 70            JA SHORT DarkEden.006AFFCA
So I dont know exactly what to do with it :P
Don't jump to 0x6AFF58 in the code window. See the opcode for the "JA SHORT ..."? It is 0x77 0x70 and guess what these bytes are, "wp". First, click the dump window in the lower left corner of OllyDbg and then jump to 0x6AFF58. Then you should see 77 70, too but it is ASCII for "wp" again, just fill it with whatever you want.