[Help] EXE files
Discussion on [Help] EXE files within the Dekaron Private Server forum part of the Dekaron category.
08/24/2010, 03:56
|
#1
|
elite*gold: 0
Join Date: Jan 2009
Posts: 226
Received Thanks: 80
|
[Help] EXE files
I am asking if someone can help/teach me about how to edit them properly
or give me some links to help me.
I am going to be editing all the exe's in server and client.
All help is appreciated.
Ty in advance
|
|
|
08/24/2010, 04:19
|
#2
|
elite*gold: 0
Join Date: Feb 2009
Posts: 815
Received Thanks: 431
|
Quote:
Originally Posted by Lanayru
I am asking if someone can help/teach me about how to edit them properly
or give me some links to help me.
I am going to be editing all the exe's in server and client.
All help is appreciated.
Ty in advance
|
Good luck in finding help. Zombe and Bottomy might be able to give you some links.
|
|
|
08/24/2010, 11:47
|
#3
|
elite*gold: 20
Join Date: Jan 2008
Posts: 1,346
Received Thanks: 355
|
Some things you can do:
1) Learn assembly (x86 32-bit)
2) Learn how to use reversing tools, such as debuggers/disassemblers (IDA Pro, OllyDbg, etc.). You won't need to get a kernel-level debugger; an application-level (ring3) one is enough for what you want to do.
3) Learn another programming language, if you wish. Though you will need to research before you go ahead and learn the language, to see if it's even possible to link it up with the executable. Some languages I think could be used are C/C++/Obj-C/Obj-C++, Delphi, maybe C#/VB (probably without .NET?), not sure about Java since it runs in the JVM. Anyways, it's just a matter of searching to see if it could be implemented easily; otherwise you could still just rely on assembly. Just think of it as finding the right tool for the job.
4) Learn the APIs Dekaron uses, so things like becoming familiar with the Windows API, DirectX, etc.
It's pretty much the more you learn, the easier it will be for you to implement certain features. Even if you learn things that aren't to do with the features you wish to implement, the knowledge can still help you either in the reversing stage, or maybe help you think about a different/better way of implementing such a feature.
|
|
|
08/24/2010, 23:22
|
#4
|
elite*gold: 0
Join Date: Jan 2009
Posts: 226
Received Thanks: 80
|
I have the a6 dekaron.exe. I'm pretty sure it is unpacked because it has a lot of the code; just understanding the stuff is hard for me, but this is some of what it has for Aloken:
0048C690 /$ 81EC 00020000 SUB ESP,200
0048C696 |. 56 PUSH ESI
0048C697 |. 68 A4DDA400 PUSH dekaron.00A4DDA4 ; ASCII "SWD"
0048C69C |. 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
0048C6A0 |. 68 40DBA400 PUSH dekaron.00A4DB40 ; ASCII "%s"
0048C6A5 |. 50 PUSH EAX
0048C6A6 |. E8 8562FCFF CALL dekaron.00452930
0048C6AB |. 8BB424 1402000>MOV ESI,DWORD PTR SS:[ESP+214]
0048C6B2 |. 83C4 0C ADD ESP,0C
0048C6B5 |. 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
0048C6B9 |. 51 PUSH ECX
0048C6BA |. 8BCE MOV ECX,ESI
0048C6BC |. E8 4F6DFCFF CALL dekaron.00453410
0048C6C1 |. 84C0 TEST AL,AL
0048C6C3 |. 0F85 6C010000 JNZ dekaron.0048C835
0048C6C9 |. 68 A0DDA400 PUSH dekaron.00A4DDA0 ; ASCII "ARC"
0048C6CE |. 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
0048C6D2 |. 68 40DBA400 PUSH dekaron.00A4DB40 ; ASCII "%s"
0048C6D7 |. 52 PUSH EDX
0048C6D8 |. E8 5362FCFF CALL dekaron.00452930
0048C6DD |. 83C4 0C ADD ESP,0C
0048C6E0 |. 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
0048C6E4 |. 50 PUSH EAX
0048C6E5 |. 8BCE MOV ECX,ESI
0048C6E7 |. E8 246DFCFF CALL dekaron.00453410
0048C6EC |. 84C0 TEST AL,AL
0048C6EE |. 74 0C JE SHORT dekaron.0048C6FC
0048C6F0 |. B0 01 MOV AL,1
0048C6F2 |. 5E POP ESI
0048C6F3 |. 81C4 00020000 ADD ESP,200
0048C6F9 |. C2 0400 RETN 4
0048C6FC |> 68 9CDDA400 PUSH dekaron.00A4DD9C ; ASCII "SOR"
0048C701 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
0048C705 |. 68 40DBA400 PUSH dekaron.00A4DB40 ; ASCII "%s"
0048C70A |. 51 PUSH ECX
0048C70B |. E8 2062FCFF CALL dekaron.00452930
0048C710 |. 83C4 0C ADD ESP,0C
0048C713 |. 8D5424 04 LEA EDX,DWORD PTR SS:[ESP+4]
0048C717 |. 52 PUSH EDX
0048C718 |. 8BCE MOV ECX,ESI
0048C71A |. E8 F16CFCFF CALL dekaron.00453410
0048C71F |. 84C0 TEST AL,AL
0048C721 |. 74 0C JE SHORT dekaron.0048C72F
0048C723 |. B0 02 MOV AL,2
0048C725 |. 5E POP ESI
0048C726 |. 81C4 00020000 ADD ESP,200
0048C72C |. C2 0400 RETN 4
0048C72F |> 68 98DDA400 PUSH dekaron.00A4DD98 ; ASCII "SUM"
0048C734 |. 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
0048C738 |. 68 40DBA400 PUSH dekaron.00A4DB40 ; ASCII "%s"
0048C73D |. 50 PUSH EAX
0048C73E |. E8 ED61FCFF CALL dekaron.00452930
0048C743 |. 83C4 0C ADD ESP,0C
0048C746 |. 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
0048C74A |. 51 PUSH ECX
0048C74B |. 8BCE MOV ECX,ESI
0048C74D |. E8 BE6CFCFF CALL dekaron.00453410
0048C752 |. 84C0 TEST AL,AL
0048C754 |. 74 0C JE SHORT dekaron.0048C762
0048C756 |. B0 03 MOV AL,3
0048C758 |. 5E POP ESI
0048C759 |. 81C4 00020000 ADD ESP,200
0048C75F |. C2 0400 RETN 4
0048C762 |> 68 94DDA400 PUSH dekaron.00A4DD94 ; ASCII "SEG"
0048C767 |. 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
0048C76B |. 68 40DBA400 PUSH dekaron.00A4DB40 ; ASCII "%s"
0048C770 |. 52 PUSH EDX
0048C771 |. E8 BA61FCFF CALL dekaron.00452930
0048C776 |. 83C4 0C ADD ESP,0C
0048C779 |. 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
0048C77D |. 50 PUSH EAX
0048C77E |. 8BCE MOV ECX,ESI
0048C780 |. E8 8B6CFCFF CALL dekaron.00453410
0048C785 |. 84C0 TEST AL,AL
0048C787 |. 74 0C JE SHORT dekaron.0048C795
0048C789 |. B0 04 MOV AL,4
0048C78B |. 5E POP ESI
0048C78C |. 81C4 00020000 ADD ESP,200
0048C792 |. C2 0400 RETN 4
0048C795 |> 68 90DDA400 PUSH dekaron.00A4DD90 ; ASCII "WAR"
0048C79A |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
0048C79E |. E8 5D6EFCFF CALL dekaron.00453600
0048C7A3 |. 50 PUSH EAX
0048C7A4 |. 8BCE MOV ECX,ESI
0048C7A6 |. E8 656CFCFF CALL dekaron.00453410
0048C7AB |. 84C0 TEST AL,AL
0048C7AD |. 74 0C JE SHORT dekaron.0048C7BB
0048C7AF |. B0 05 MOV AL,5
0048C7B1 |. 5E POP ESI
0048C7B2 |. 81C4 00020000 ADD ESP,200
0048C7B8 |. C2 0400 RETN 4
0048C7BB |> 68 8CDDA400 PUSH dekaron.00A4DD8C ; ASCII "ALO"
0048C7C0 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
0048C7C4 |. E8 376EFCFF CALL dekaron.00453600
0048C7C9 |. 50 PUSH EAX
0048C7CA |. 8BCE MOV ECX,ESI
0048C7CC |. E8 3F6CFCFF CALL dekaron.00453410
0048C7D1 |. 84C0 TEST AL,AL
0048C7D3 |. 74 0C JE SHORT dekaron.0048C7E1
0048C7D5 |. B0 06 MOV AL,6
0048C7D7 |. 5E POP ESI
0048C7D8 |. 81C4 00020000 ADD ESP,200
0048C7DE |. C2 0400 RETN 4
0048C7E1 |> 56 PUSH ESI
0048C7E2 |. 8D8C24 0801000>LEA ECX,DWORD PTR SS:[ESP+108]
0048C7E9 |. 68 74DDA400 PUSH dekaron.00A4DD74 ; ASCII "Wrong PC Class : %s
"
0048C7EE |. 51 PUSH ECX
0048C7EF |. C68424 1001000>MOV BYTE PTR SS:[ESP+110],0
0048C7F7 |. E8 3461FCFF CALL dekaron.00452930
0048C7FC |. 8D9424 1001000>LEA EDX,DWORD PTR SS:[ESP+110]
0048C803 |. 52 PUSH EDX
0048C804 |. E8 97E83A00 CALL dekaron.0083B0A0
0048C809 |. 68 5E020000 PUSH 25E
0048C80E |. 68 68DBA400 PUSH dekaron.00A4DB68 ; ASCII ".\Loader\Article\Skill.cpp"
0048C813 |. 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C]
0048C817 |. 68 DC69A400 PUSH dekaron.00A469DC ; ASCII "File: %s, Line: %d
"
0048C81C |. 50 PUSH EAX
0048C81D |. C64424 24 00 MOV BYTE PTR SS:[ESP+24],0
0048C822 |. E8 0961FCFF CALL dekaron.00452930
0048C827 |. 50 PUSH EAX
0048C828 |. E8 73E83A00 CALL dekaron.0083B0A0
0048C82D |. 83C4 24 ADD ESP,24
0048C830 |. E8 2BE73A00 CALL dekaron.0083AF60
0048C835 |> 32C0 XOR AL,AL
0048C837 |. 5E POP ESI
0048C838 |. 81C4 00020000 ADD ESP,200
0048C83E \. C2 0400 RETN 4
Sorry for the copy-paste of the stuff from the a6 exe.
I don't know how to actually add this class in, but if someone who knows wants to work with me, we could add a hell of a lot of new things. Bottomy, ty for the guide you made on how to increase the size of the exe for new data. If there is anything else you could help me understand on how to link this stuff into it, it would be wonderful.
I'm wanting basically a crash course in this stuff.
|
|
|
08/25/2010, 04:30
|
#5
|
elite*gold: 20
Join Date: Jan 2008
Posts: 1,346
Received Thanks: 355
|
Quote:
Originally Posted by Lanayru
I don't know how to actually add this class in, but if someone who knows wants to work with me, we could add a hell of a lot of new things. Bottomy, ty for the guide you made on how to increase the size of the exe for new data. If there is anything else you could help me understand on how to link this stuff into it, it would be wonderful.
I'm wanting basically a crash course in this stuff.
|
Although it's hard to really say what the point of this function is without debugging it, you can still break it down and get a general idea of what it's doing. Here's just examining the first part.
NOTE: Whenever I say pushing a "" string to the stack, I mean it's pushing the address of the string, not the actual string's characters.
Code:
0048C690 /$ 81EC 00020000 SUB ESP,200 ;Setting up the stack
0048C696 |. 56 PUSH ESI ;Saving a value
0048C697 |. 68 A4DDA400 PUSH dekaron.00A4DDA4 ; ASCII "SWD" Pushing the string "SWD" to the stack
0048C69C |. 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8] ;Loading a pointer to the stack, this would be a variable passed into the function
0048C6A0 |. 68 40DBA400 PUSH dekaron.00A4DB40 ; ASCII "%s" Pushing the string "%s" to the stack, %s used when wanting to reference a string of characters
0048C6A5 |. 50 PUSH EAX ;Pushes eax to the stack, so the pointer to the stack that was loaded into eax
0048C6A6 |. E8 8562FCFF CALL dekaron.00452930 ;Calls some function passing 3 arguments
0048C6AB |. 8BB424 1402000>MOV ESI,DWORD PTR SS:[ESP+214] ;Moves dword value at that point on the stack into esi
0048C6B2 |. 83C4 0C ADD ESP,0C ;Adds 12 onto esp
0048C6B5 |. 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4] ;Loads a pointer to the stack into ecx, probably was passed into this function too since it's close to the stack but not sure
0048C6B9 |. 51 PUSH ECX ;Pushes that pointer to the stack
0048C6BA |. 8BCE MOV ECX,ESI ;Moves esi into ecx
0048C6BC |. E8 4F6DFCFF CALL dekaron.00453410 ;Calls another function passing 1 argument, though
0048C6C1 |. 84C0 TEST AL,AL ;Tests al with al
0048C6C3 |. 0F85 6C010000 JNZ dekaron.0048C835 ;Jumps if not zero, so will be taken only if al != 0
0048C835 |> 32C0 XOR AL,AL ;Jumps to here, and xor's al with al, so just make al = 0
0048C837 |. 5E POP ESI ;Restoring that value
0048C838 |. 81C4 00020000 ADD ESP,200 ;Fixing the stack back
0048C83E \. C2 0400 RETN 4 ;return
Here's part of it roughly in C
Code:
char Func(void *Unknown, char *String)
{
    ((void(*)(char *, char *, char *))0x00452930)(String, "%s", "SWD");
    //Don't really have a clue about the next part
    /*asm("movl 0x214(%esp),%esi\n"
    "\taddl $12,%esp\n"
    "\tleal 4(%esp),%ecx\n"
    "\tpushl %ecx\n"
    "\tmovl %esi,%ecx\n");*/
    int OtherUnknown;
    //Offset is 0x214: the offsets in the listing are hexadecimal
    asm("movl 0x214(%%esp),%%esi" : "=S" (OtherUnknown));
    //I'm guessing ecx is going to be used by the function so using 'thiscall' moves first argument into ecx
    if (!((char __attribute__ ((thiscall))(*)(int, void *))0x00453410)(OtherUnknown, Unknown))
    {
        ((void(*)(char *, char *, char *))0x00452930)(String, "%s", "ARC");
        /*asm("addl $12,%esp\n"
        "\tleal 4(%esp),%eax\n"
        "\tpushl %eax\n"
        "\tmovl %esi,%ecx\n");*/
        if (((char __attribute__ ((thiscall))(*)(int, void *))0x00453410)(OtherUnknown, Unknown))
        {
            return 1;
        }
        ((void(*)(char *, char *, char *))0x00452930)(String, "%s", "SOR");
        /*asm("addl $12,%esp\n"
        "\tleal 4(%esp),%edx\n"
        "\tpushl %edx\n"
        "\tmovl %esi,%ecx\n");*/
        if (((char __attribute__ ((thiscall))(*)(int, void *))0x00453410)(OtherUnknown, Unknown))
        {
            return 2;
        }
        //etc.
    }
    else
    {
        return 0;
    }
}
Anyways, just from the way it looks, I think what's happening is it's comparing some string with each class's title, to find out what class it belongs to and returning which one it belongs to.
SWD (AK) returns 0
ARC (Hunt) returns 1
SOR (Mage) returns 2
SUM (Sum) returns 3
SEG (Seg) returns 4
WAR (Bagi) returns 5
ALO (Alo) returns 6
So instead of just returning char type, it's probably an enum.
So if this function is in the current exe pservers use, then you're probably just missing the check for ALO; also it wouldn't know the return type. So you would add the code to check for ALO, and then, in the function that calls this function, make sure it handles its return type properly. Also, if you wanted, you could rewrite the entire function, because it's written fairly poorly (not terrible, but could be written much better); it's as if it's crying out desperately to be optimized xD.
|
|
|
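A way to check the addresses and stack offsets in the listing from posts #4 and #5 without a debugger, as an added example that is not part of any post in this thread. The helper names `branch_target` and `classify_slot` are hypothetical; the bytes and offsets are copied from the listing, and the 0x200 frame size comes from its `SUB ESP,200`.

```python
import struct

# Constructed sample: (address, raw bytes) pairs copied from the listing in post #4.
BRANCHES = [
    (0x0048C6A6, "E8 8562FCFF"),    # CALL dekaron.00452930
    (0x0048C6BC, "E8 4F6DFCFF"),    # CALL dekaron.00453410
    (0x0048C6C3, "0F85 6C010000"),  # JNZ dekaron.0048C835
    (0x0048C6EE, "74 0C"),          # JE SHORT dekaron.0048C6FC
]

def branch_target(addr, hex_bytes):
    """Relative branch: target = address of the next instruction + signed displacement."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    if raw[0] == 0xE8:                                  # CALL rel32
        disp = struct.unpack_from("<i", raw, 1)[0]
    elif raw[0] == 0x0F and 0x80 <= raw[1] <= 0x8F:     # Jcc rel32
        disp = struct.unpack_from("<i", raw, 2)[0]
    elif 0x70 <= raw[0] <= 0x7F:                        # Jcc rel8
        disp = struct.unpack_from("<b", raw, 1)[0]
    else:
        raise ValueError("not a relative CALL/Jcc")
    return (addr + len(raw) + disp) & 0xFFFFFFFF

FRAME = 0x200  # bytes reserved by SUB ESP,200 at function entry

def classify_slot(esp_offset, pushed_bytes):
    """Translate [ESP+offset] to the frame at entry, where [ESP] is the return address.

    pushed_bytes is the total pushed since the SUB and not yet popped or
    removed by ADD ESP,n (every offset here is hexadecimal, as in the listing).
    """
    entry_off = esp_offset - FRAME - pushed_bytes
    if entry_off == 0:
        return "return address"
    if entry_off > 0:
        return "stack argument %d" % (entry_off // 4)
    if entry_off >= -FRAME:
        return "local buffer +0x%X" % (entry_off + FRAME)
    return "saved register or outgoing argument"

if __name__ == "__main__":
    for addr, raw in BRANCHES:
        print("%08X -> %08X" % (addr, branch_target(addr, raw)))
    # LEA EAX,[ESP+8] at 0048C69C: ESI and "SWD" pushed (8 bytes)
    print("[ESP+8]   ->", classify_slot(0x8, 8))
    # MOV ESI,[ESP+214] at 0048C6AB: ESI + three call arguments pushed (16 bytes)
    print("[ESP+214] ->", classify_slot(0x214, 16))
    # LEA ECX,[ESP+4] at 0048C6B5: after ADD ESP,0C only ESI remains (4 bytes)
    print("[ESP+4]   ->", classify_slot(0x4, 4))
```

The single stack argument it reports for `[ESP+214]` agrees with the `RETN 4` at the end of the function.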
08/25/2010, 08:24
|
#6
|
elite*gold: 20
Join Date: Dec 2007
Posts: 1,451
Received Thanks: 840
|
Lena will help you with everything you might need to know about ASM
|
|
|
08/25/2010, 20:42
|
#7
|
elite*gold: 20
Join Date: Aug 2008
Posts: 2,763
Received Thanks: 4,397
|
If you really want to understand ASM and other valuable skills, I suggest you read through what Zombe linked. Those were the first tutorials I based my knowledge on.
|
|
|
08/26/2010, 08:08
|
#8
|
elite*gold: 20
Join Date: Dec 2007
Posts: 1,451
Received Thanks: 840
|
I have to warn you though, if you are using any 64-bit platform, OllyDbg 1.10 will not work, and you'll have to use OllyDbg 2.00, which is very buggy and will have a lot of problems when doing even the simplest tasks, like pausing a process...
That's why I use Olly 1.10 in VMware XD
|
|
|
08/26/2010, 11:17
|
#9
|
elite*gold: 0
Join Date: Jan 2009
Posts: 226
Received Thanks: 80
|
Quote:
Originally Posted by Zombe
I have to warn you though, if you are using any 64-bit platform, OllyDbg 1.10 will not work, and you'll have to use OllyDbg 2.00, which is very buggy and will have a lot of problems when doing even the simplest tasks, like pausing a process...
That's why I use Olly 1.10 in VMware XD
|
Don't worry, I still use Windows XP 32-bit, but is there any way you could narrow my study search on those tuts? Or any way you could help me out yourself?
|
|
|
All times are GMT +1.