Ollydbg removing "wpe"

Lemonadez · 01/31/2009, 00:25

I tried to NOP's it, but then once i save it and run the game. the game it self cannot be run.

im trying to remove this word "wpe". u see this game detect a name 'wpe' when i tried to open wpe the game close it self automaticaly.

can someone help me how to remove that :O

Adroxxx · 01/31/2009, 01:04

Then remove the ASCII or replace it.

Go into commandbar and type

Code:

dump 006AFF58

Hit Enter

Then u should see in the memory window, the hex codes and the ASCII. Then u can replace it maybe with AAA or something.

If u don't have the commandbar plugin, i've uploaded for u.

Lemonadez · 01/31/2009, 01:28

Yea I already did that.

After I attach the file to WPE it closes :P

Adroxxx · 01/31/2009, 14:18

Quote:

Originally Posted by Lemonadez

Yea I already did that.

After I attach the file to WPE it closes :P

did you tried rPE , too ?

Is the game maybe protected with any Anti-Cheat Software like PB, GG or HShield?

~~schlurmann~~ · 01/31/2009, 16:22

Have you tried NOPing the whole call and the pushed string?

Lemonadez · 02/01/2009, 01:52

Quote:

Originally Posted by Adroxxx

did you tried rPE , too ?

Is the game maybe protected with any Anti-Cheat Software like PB, GG or HShield?

yea i rPE too, no there is no protected software on this game.

its .exe itself that when it attach to wpe it automaticaly close.

i just dont have that much of idea or know how to work it around.

Quote:

Originally Posted by schlurmann

Have you tried NOPing the whole call and the pushed string?

i dont know exactly what you trying to say, but i did try NOP's on "wpe", it will just get an error when i launch the game.

K first here what i do.

I Search for "WPE".

Code:

00462327  |. BF 58FF6A00    MOV EDI,DarkEden.006AFF58                ;  ASCII "wpe"

I went to address "006AFF58"

Code:

006AFF58   77 70            JA SHORT DarkEden.006AFFCA

Now I went to this address "006AFFCA"

Code:

006AFFCA   72 61            JB SHORT DarkEden.006B002D

Now I went to this address "006B002D"

Code:

006B002D   47               INC EDI

So I dont know exactly what to do with it :P

~~schlurmann~~ · 02/03/2009, 18:29

The string is moved into the EDI register and then EDI is pushed onto the stack. Then a function is called whereas EDI is a parameter of that function. So this function takes a string and probably searches Window Titles and whatnot.

So either try NOPing the call to the function and the pushed parameters or reverse the actual function and patch it.

Or as said before just change the string in memory.

Edit: Maybe there's also a simple conditional jump you can patch, that's often enough and might jump some other AntiCheat mechanisms too.

wiz · 02/08/2009, 05:46

Quote:
Originally Posted by Lemonadez
I Search for "WPE".
Code:
00462327  |. BF 58FF6A00    MOV EDI,DarkEden.006AFF58                ;  ASCII "wpe"
I went to address "006AFF58"
Code:
006AFF58   77 70            JA SHORT DarkEden.006AFFCA
So I dont know exactly what to do with it :P

Don't jump to 0x6AFF58 in the code window. See the opcode for the "JA SHORT ..."? It is 0x77 0x70 and guess what these bytes are, "wp". First, click the dump window in the lower left corner of OllyDbg and then jump to 0x6AFF58. Then you should see 77 70, too but it is ASCII for "wp" again, just fill it with whatever you want.