02-15-2012, 01:12 AM #1 Garage Newcomer
- Join Date
- Feb 2012
- Posts
- 3
- Thanks
- 3
- Thanked 1 Time in 1 Post
Help tracing variable with disassembler
Hello,
I wanted to ask for some help on how to find a variable inside a program using a disassembler like OllyDbg or Win32Dasm. I'm trying to figure out how to manipulate that variable but my main problem is how to find it.
I have little experience with disassemblers but somehow I managed to crack a few things over the years.
Most of what I know from the basic tutorials I've read takes the same approach: you check the program's string references and search for the section that relates to what you need to find, then you start following jumps and calls until you get to the spot that you want to manipulate. I've done that on some occasions.
The task at hand is a bit different from what I'm used to: there are apparently no string references to the specific variable I need to find, so I don't know which way to go. I tried to follow the code, but at some point I realized that even if I stepped onto the code I was searching for I wouldn't know it. In more detail, it's a video game that upon launch checks if an external file is loaded; if that external file was loaded it displays an internal warning message (not your Win32 popup) and then exits. The game was built using a proprietary programming language based on Visual C++. I'm guessing the source code for that portion should be something like this:
Code:
if (ExternalFileLoaded==1) {
    Display ("WARNING: An external file was loaded, bla, bla...");
    Exit(0);
} else {
    ...continue...
}
Can someone give me a hint as to which approach I should use to find that specific variable set or variable check?
Thank you for your time.
-
02-16-2012, 03:11 PM #2 Security Researcher

- Join Date
- Jul 2010
- Posts
- 207
- Blog Entries
- 2
- Thanks
- 142
- Thanked 116 Times in 63 Posts
Well, there are several ways, and there is no way!?
It all depends upon your own practices and the code.
In OllyDbg you can press CTRL+A for default system API calls and their arguments, but for custom functions you can check the ESP, EBP and other registers' references. Moreover, you can also search backwards, by noting the address of the argument's first byte (after you found it by searching) and then setting a breakpoint on its access or checking for its references in the .text section. But remember there can be dynamic calls (virtual functions and virtual references) which get calculated at runtime. So if you are learning or practicing cracking, it can be better done on XP, as ASLR is no issue there.
As the best Windows OS for this purpose I'll recommend only Win XP, and avoid Win 7/8 until you become an expert.
"vinnu"
-
02-16-2012, 03:14 PM #3 Security Researcher

- Join Date
- Jul 2010
- Posts
- 207
- Blog Entries
- 2
- Thanks
- 142
- Thanked 116 Times in 63 Posts
One more thing: you can set the execution origin at the start of the function or at the call instruction to the function; it will resolve the arguments on the stack.
"vinnu"
-
02-16-2012, 04:55 PM #4 Garage Newcomer
- Join Date
- Feb 2012
- Posts
- 3
- Thanks
- 3
- Thanked 1 Time in 1 Post
Thank you for your answer. I achieved what I wanted, but I guess I was lucky, and I'm sure I didn't take the smart approach to this.
I was able to find it because there was an ASCII reference which made me guess that was the right function being called (also because I read the programming documentation), but I could have been wrong. I destroyed the ability for the function's result to get stored, hence it is always 0 or null (lame, I know), but I think that if it was the other way around and I wanted it to store 1 I couldn't do it. I got to learn more about asm, obviously.
Can you take a look at the bit below (hope it's enough) and tell me what approach I should have taken?
Function that I needed to trump:
00434D18 |. 68 60665700 PUSH GameFile.00576660 ; ASCII "ExternalFileLoaded"
00434D1D |. B8 90844000 MOV EAX,GameFile.00408490
00434D22 |. E8 99F20100 CALL GameFile.00453FC0
Stored value from function:
00408490 /> 33C0 XOR EAX,EAX
00408492 |. 3905 04957D00 CMP DWORD PTR DS:[7D9504],EAX
00408498 |. 0F95C0 SETNE AL
0040849B |. C3 RETN
What I did was NOP the address 00408498, that way the value never gets stored, it works but still leaves me a lot of doubts and curiosities.
I still think about other things that I don't grasp, for example:
- I never found an address that calls the function for a result. Is it always output and stored without a call?
- If there is no call or jump to the address 00408490 how does the program always run it? Is it because of MOV EAX,GameFile.00408490 at 00434D1D?
- How would I proceed to find where in the program the function result is checked?
- How would I turn that SETNE to always set the value to 1 no matter what?
- If the function were to be used twice and I needed to manipulate the result only once, how would I do that?
Thank you for your help.
-
The Following User Says Thank You to ner0 For This Useful Post:
[s] (02-17-2012)
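Added example, not from any poster in this thread: a small C program that decodes and emulates the exact twelve bytes from the listing at 00408490 quoted above (XOR EAX,EAX / CMP DWORD PTR DS:[7D9504],EAX / SETNE AL / RETN) against a simulated memory cell, so you can see what that routine actually computes for different values at 7D9504. The opcode bytes and the address 7D9504 come from the listing; the simulated memory, the sample input values and the function names (run_check, step, read_dword) are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Machine code copied from the listing at 00408490 in the post above:
 *   33 C0                XOR EAX,EAX
 *   39 05 04 95 7D 00    CMP DWORD PTR DS:[7D9504],EAX
 *   0F 95 C0             SETNE AL
 *   C3                   RETN
 */
static const uint8_t kFuncBytes[] = {
    0x33, 0xC0,
    0x39, 0x05, 0x04, 0x95, 0x7D, 0x00,
    0x0F, 0x95, 0xC0,
    0xC3
};

/* Address of the only memory cell this toy model knows about (from the CMP operand). */
#define FLAG_ADDR 0x007D9504u

typedef struct {
    uint32_t eax;
    int zf;      /* zero flag: the only flag these four instructions need */
} cpu_t;

/* Simulated memory: one DWORD at FLAG_ADDR (constructed); every other address reads as 0. */
static uint32_t read_dword(uint32_t addr, uint32_t flag_value)
{
    return addr == FLAG_ADDR ? flag_value : 0u;
}

/* Decodes one instruction at code[0..], applies it to *cpu and returns its length.
 * Returns 0 for an opcode this toy decoder does not know. Sets *done on RETN. */
static size_t step(const uint8_t *code, cpu_t *cpu, uint32_t flag_value, int *done)
{
    switch (code[0]) {
    case 0x33: /* XOR r32, r/m32 ; ModRM C0 = EAX,EAX */
        if (code[1] != 0xC0) return 0;
        cpu->eax ^= cpu->eax;            /* EAX becomes 0 ... */
        cpu->zf = (cpu->eax == 0);       /* ... and ZF is set */
        return 2;
    case 0x39: { /* CMP r/m32, r32 ; ModRM 05 = [disp32], EAX */
        if (code[1] != 0x05) return 0;
        uint32_t disp = (uint32_t)code[2] | (uint32_t)code[3] << 8 |
                        (uint32_t)code[4] << 16 | (uint32_t)code[5] << 24;
        uint32_t lhs = read_dword(disp, flag_value);
        cpu->zf = ((lhs - cpu->eax) == 0);  /* CMP is a SUB that only updates flags */
        return 6;
    }
    case 0x0F: /* SETNE AL: AL = (ZF == 0); the upper 24 bits of EAX are untouched */
        if (code[1] != 0x95 || code[2] != 0xC0) return 0;
        cpu->eax = (cpu->eax & 0xFFFFFF00u) | (cpu->zf ? 0u : 1u);
        return 3;
    case 0xC3: /* RETN: the result is whatever is in EAX at this point */
        *done = 1;
        return 1;
    default:
        return 0;
    }
}

/* Runs the routine with the simulated cell at 7D9504 holding flag_value.
 * Returns EAX at RETN, i.e. what the caller receives; 0xFFFFFFFF on decode failure. */
uint32_t run_check(uint32_t flag_value)
{
    cpu_t cpu = { 0xDEADBEEFu, 0 };  /* garbage in EAX on entry, as in real life */
    size_t pc = 0;
    int done = 0;
    while (!done && pc < sizeof kFuncBytes) {
        size_t n = step(kFuncBytes + pc, &cpu, flag_value, &done);
        if (n == 0) return 0xFFFFFFFFu;
        pc += n;
    }
    return cpu.eax;
}

int main(void)
{
    /* constructed sample contents for the cell at 7D9504 */
    uint32_t samples[] = { 0u, 1u, 0x00576660u, 0x80000000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("[7D9504] = %08X  ->  EAX = %u\n", samples[i], run_check(samples[i]));
    return 0;
}
```

Two things the emulation makes visible. SETNE only writes AL, so the XOR EAX,EAX beforehand is what guarantees the return value is exactly 0 or 1 rather than 1 with leftover garbage in the upper three bytes; the routine is the compiled form of `return value_at_7D9504 != 0`. And nothing in these twelve bytes stores the result anywhere in memory: it travels back in EAX, so the decision based on it has to live wherever this routine returns to.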
-
02-16-2012, 05:58 PM #5 Security Researcher

- Join Date
- Jul 2010
- Posts
- 207
- Blog Entries
- 2
- Thanks
- 142
- Thanked 116 Times in 63 Posts
The XOR and then a comparison: it is checking for a null in this way. Anyhow, if anything exists at that address,
DWORD PTR DS:[7D9504],
the comparison will fail.
It's a pointer and you need to check for a null value there; in order to crack it, just patch the cmp and onward instructions.
"vinnu"
-
The Following User Says Thank You to "vinnu" For This Useful Post:
ner0 (02-16-2012)
-
02-16-2012, 08:10 PM #6 Garage Newcomer
- Join Date
- Feb 2012
- Posts
- 3
- Thanks
- 3
- Thanked 1 Time in 1 Post
Actually just patching the SETNE instruction works for this purpose.
I was interested in discovering what portion of the program uses it to display the warning message.
There are at least two approaches:
1. Patching the function itself;
2. Patching the portion that decides what to do depending on the result of the function;
I did the 1st, the easy way but I'm still trying to find a way to do the 2nd to give me a bit more understanding.
Thank you "vinnu".
-
02-17-2012, 01:31 AM #7 Administrator

- Join Date
- Jul 2010
- Location
- irc.freenode.net #g4h
- Posts
- 562
- Thanks
- 116
- Thanked 237 Times in 96 Posts
"vinnu" - the expert

ner0, probably you had been waiting for someone to look into your problem and help, and I was waiting for vinnu to come online and see your post. Probably no one else could have helped you here on this topic in depth.
Cheers![*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
------> become the master!!! <------
[*] Everyone has a will to WIN but very few have the will to prepare to WIN
-
The Following User Says Thank You to b0nd For This Useful Post:
"vinnu" (02-17-2012)
-
02-17-2012, 10:16 AM #8 Security Researcher

- Join Date
- Jul 2010
- Posts
- 207
- Blog Entries
- 2
- Thanks
- 142
- Thanked 116 Times in 63 Posts
Namaste
Yes, there exist several ways. One I have mentioned earlier, but let me say it again: just check the messages and search for them in any of the data sections, then set a breakpoint on that address on access, and that's it; it will make the process break execution right after the instructions you are searching for.
"vinnu"
-
The Following User Says Thank You to "vinnu" For This Useful Post:
[s] (02-17-2012)