[Guide] Codecave

02/04/2013 08:02 MeGaMaX#1
Hello!

It's been a long time since I posted a topic in the Conquer sections, but I hope this one is useful.

What is a code cave:

A code-whoah? Unless you have spent some time working in the area of reverse engineering, chances are you have not heard of the term codecave before.
A codecave can best be defined as a redirection of program execution to another location and then returning back to the area where program execution had previously left. In a sense, a codecave is no different in concept than a function call, except for a few minor differences. If a codecave and a function call are so similar, why do we need codecaves at all then? The reason we need codecaves is because source code is rarely available to modify any given program. As a result, we have to physically (or virtually) modify the executable at an assembly level to make changes.

[image]

[image]

What you will need:

1: Assembly programming knowledge.
2: OllyDbg.
3: Logic.
4: Brain.

Let's start:

I will use msgserver.exe as an example, but you can do this with any program you want to modify.

I will target the BFK function in msgserver as the example.

[image]

I will check whether the selected block is used by any other functions or not.

[image]

It seems it is not used, so that's OK. If it is used by other addresses, you will have to change the original address to your new memory address.

[image]

I will take a copy of the selected block with binary copy.

[image]

Now I will go to the end of msgserver.exe, choose some free memory address and paste the copied binary there.

[image]

It will look like this:

[image]

If you find the call addresses changed like in the pictures, you have to set them back to the original address:

call 005990E0 > call 004BB4C0

But, for example, I don't want the BFK to be at the same static memory address.

mov eax, 0x4EDF2C, so I will go to 0x4EDF2C.

Now I found this:

Code:
004EDF2C    44              inc     esp
004EDF2D    52              push    edx
004EDF2E    36:35 34647433  xor     eax, 0x33746434
004EDF34    34 74           xor     al, 0x74
004EDF36    72 67           jb      short 004EDF9F
004EDF38    34 55           xor     al, 0x55
004EDF3A    49              dec     ecx
004EDF3B    36:0000         add     byte ptr ss:[eax], al
That's equal to:

[image]

Now I will go to my new memory address and write any 16 letters or numbers.
I will leave some memory addresses free, select an address, then right click > Binary > Edit, write my 16 numbers or letters, put 00 in hex at the end, and press OK.

[image]

Now I will edit call 004BB4C0 to JMP to my new memory address, like this:

[image]

To

JMP 00581814

It will be like this, and I fill the other 2 addresses with 00 because I don't need them anymore:

[image]

And this is my new memory address:

[image]

Now at my new address I will edit

0058181C B8 2CDF4E00 mov eax, 004EDF2C

changing 004EDF2C to my new BFK address, the highlighted one:

[image]

Now at the end of my code I will JMP back to the next address after the ones I filled with 00. I will jump here, to the highlighted address:

[image]

So now my codecave looks like this:

[image]

Now I will search whether any other address uses the old BFK, and I found one:

[image]

If you want to codecave that one too, follow the above steps. If you just want to use the new BFK address, then edit it to the new BFK address so it will be like mov eax, 00581828.

Now I will go back to the old BFK address, 0x4EDF2C, and fill it with 00.

It will look like this:

[image]

Now I have just codecaved the new BFK address and filled the old one with 00 because there is no use for it.

Notice: You can do this, for example, with a new weapon type for a Conquer character that the client doesn't support. You would look at the function in the new conquer.exe, make a jump from the function responsible for reading weapon types, and then jump back to the rest of the code, so it will look like you made the client read the code you added and continue execution. Of course, you would do this on the old Conquer client.

Thanks for reading, hope I helped.

Because nTL3fTy is mad: Draw graphic goes to [link]

Greetings: Andrew.
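The jump-out / jump-back layout the post builds by hand in OllyDbg, modelled as an added Python example (this is not code from the post, from msgserver.exe or from OllyDbg). It works on a constructed byte buffer rather than the real binary. The cave start 00581814, the mov eax at 0058181C, the new string at 00581828, the old string at 0x4EDF2C and the call target 004BB4C0 are taken from the post; the image base 0x581000, the image size, the 13 bytes of hooked code at 0x581010 and the 16-character string are assumptions, because the post never says where the original call sits or shows the original bytes. The example also automates two steps the post does by eye: after a block is pasted elsewhere, every rel32 call inside it points at the wrong place until its displacement is recomputed (the post's "call 005990E0 > call 004BB4C0" fix), and the chosen cave must really be unused bytes before anything is written into it.

```python
import struct

JMP_REL32 = 0xE9   # jmp rel32 opcode
CALL_REL32 = 0xE8  # call rel32 opcode

# From the post: cave start, old and new BFK string, restored call target.
CAVE_VA = 0x00581814
OLD_STRING_VA = 0x004EDF2C
NEW_STRING_VA = 0x00581828
CALLEE_VA = 0x004BB4C0
# Constructed for this example (the post does not give these): image base and
# size of the stand-in buffer, and where the hooked 13 bytes of code sit.
BASE_VA = 0x00581000
IMAGE_SIZE = 0x1000
HOOK_VA = 0x00581010


def encode_rel32(opcode, src_va, dst_va):
    """5-byte x86 rel32 branch at src_va landing on dst_va; the displacement
    is measured from the end of the instruction, hence src_va + 5."""
    return bytes([opcode]) + struct.pack("<i", dst_va - (src_va + 5))


def decode_rel32(va, code):
    """Target of the rel32 branch whose bytes start at va."""
    if len(code) < 5 or code[0] not in (JMP_REL32, CALL_REL32):
        raise ValueError("not a 5-byte rel32 branch")
    return va + 5 + struct.unpack("<i", code[1:5])[0]


def find_caves(image, base_va, min_len=16):
    """(va, length) of every run of 0x00 bytes at least min_len long: the
    unused space at the end of the image where the post pastes its block."""
    caves, i = [], 0
    while i < len(image):
        if image[i] != 0:
            i += 1
            continue
        j = i
        while j < len(image) and image[j] == 0:
            j += 1
        if j - i >= min_len:
            caves.append((base_va + i, j - i))
        i = j
    return caves


def relocate_branches(moved, old_va, new_va, branch_offsets):
    """Re-encode the E8/E9 branches inside a copied block so they still reach
    their original targets from the block's new address. branch_offsets are the
    offsets of those instructions (what OllyDbg shows as changed call targets)."""
    out = bytearray(moved)
    for off in branch_offsets:
        target = decode_rel32(old_va + off, moved[off:off + 5])
        out[off:off + 5] = encode_rel32(moved[off], new_va + off, target)
    return bytes(out)


def apply_codecave(image, base_va, hook_va, moved_len, branch_offsets,
                   cave_va, old_imm, new_string, string_va):
    """Hook: jmp cave, displaced bytes zeroed as in the post (never executed).
    Cave: moved block with branches fixed and mov eax,old_imm retargeted to
    string_va, a jmp back to hook_va + moved_len, then the NUL-terminated string."""
    img = bytearray(image)

    def o(va):  # virtual address -> offset in the buffer
        return va - base_va

    moved = bytes(img[o(hook_va):o(hook_va) + moved_len])
    body = relocate_branches(moved, hook_va, cave_va, branch_offsets)
    body = body.replace(b"\xb8" + struct.pack("<I", old_imm),
                        b"\xb8" + struct.pack("<I", string_va))
    back = encode_rel32(JMP_REL32, cave_va + len(body), hook_va + moved_len)
    data = new_string.encode("ascii") + b"\x00"
    if string_va < cave_va + len(body) + len(back):
        raise ValueError("string would overwrite cave code")
    # The post's "is this block used by anything else?" check, in byte form.
    if any(img[o(cave_va):o(string_va) + len(data)]):
        raise ValueError("chosen cave is not free")
    img[o(cave_va):o(cave_va) + len(body) + 5] = body + back
    img[o(string_va):o(string_va) + len(data)] = data
    img[o(hook_va):o(hook_va) + moved_len] = (
        encode_rel32(JMP_REL32, hook_va, cave_va) + b"\x00" * (moved_len - 5))
    return bytes(img)


def build_sample_image():
    """Constructed stand-in for msgserver.exe: at HOOK_VA the 13 bytes
    push ebp / mov ebp,esp / call CALLEE_VA / mov eax,OLD_STRING_VA, then ret."""
    img = bytearray(IMAGE_SIZE)
    code = (b"\x55\x8b\xec"
            + encode_rel32(CALL_REL32, HOOK_VA + 3, CALLEE_VA)
            + b"\xb8" + struct.pack("<I", OLD_STRING_VA))
    img[HOOK_VA - BASE_VA:HOOK_VA - BASE_VA + len(code)] = code
    img[HOOK_VA - BASE_VA + len(code)] = 0xC3  # ret: where the cave jumps back to
    return bytes(img), len(code)


def demo(new_string="NEWBFK0123456789"):  # constructed 16-character value
    image, moved_len = build_sample_image()
    patched = apply_codecave(image, BASE_VA, HOOK_VA, moved_len, [3],
                             CAVE_VA, OLD_STRING_VA, new_string, NEW_STRING_VA)
    o = CAVE_VA - BASE_VA
    return {
        "hook_target": decode_rel32(HOOK_VA, patched[HOOK_VA - BASE_VA:]),
        "cave_call_target": decode_rel32(CAVE_VA + 3, patched[o + 3:]),
        "mov_eax_imm": struct.unpack("<I", patched[o + 9:o + 13])[0],
        "jmp_back_target": decode_rel32(CAVE_VA + 13, patched[o + 13:]),
        "new_string": patched[NEW_STRING_VA - BASE_VA:NEW_STRING_VA - BASE_VA + 17],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, hex(v) if isinstance(v, int) else v)
```

Running it reproduces the post's layout on the constructed buffer: the hook at 0x581010 becomes `jmp 00581814`, the relocated call in the cave still reaches 004BB4C0, the `mov eax` at 0058181C now loads 00581828, and the cave ends with a jump back to the first untouched byte after the hook. The same `find_caves` scan, run over a binary you did not patch yourself, is also the quickest way to notice when section slack that should be all zeros has been filled in.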
02/04/2013 13:24 nTL3fTy#2
Credit: [link]
02/04/2013 13:35 Korvacs#3
Should have been posted in Programming and not PServer Guides also.
02/04/2013 13:38 Lateralus#4
#moved
02/04/2013 15:30 Super Aids#5
Interesting...
02/04/2013 20:25 MeGaMaX#6
Quote:
Originally Posted by nTL3fTy View Post
Credit: [link]
You mean only the start description, and the guide is totally different ;)
02/04/2013 21:58 nTL3fTy#7
Quote:
Originally Posted by androw3349 View Post
You mean only the start description, and the guide is totally different ;)
Someone else made those graphics and should be given credit.
02/04/2013 22:27 MeGaMaX#8
Quote:
Originally Posted by nTL3fTy View Post
Someone else made those graphics and should be given credit.
You came here to give him credit xD. He is my friend, u mad :D.

Let's end this spam.

Draw graphic goes to [link]