Changing addresses
#1
(07-16-2012, 08:10 PM)Silverthorn Wrote:  2.0a should have the title at address 0x00047620.

Note that longer messages require extra-allocation of memory for which you'll need to get into debugging.

Is what I'm trying to do.
I'm looking for stuff I want to change with hex editor.

That gives me an offset which I'm typing into OllyDbg and then trying to change the command, so it JMPs into an empty address, where I will be able to write a new path, but it won't let me.

Also the JB SHORT isn't pointing to the proper address "data\stage.dat", but to "ta\stage.dat"

Not that I know anything about hexing, but it used to work some years ago, I was able to change some stuff for my stage.

Can anyone correct what I'm doing wrong here?
#2
You're mixing up data and code.

I was tempted to stop here but I guess I can spare a few more mins writing this Wobble

Without a specific educational workflow, though. Just writing this up as I go along. Recommended to read through first before following.

Tool: OllyDbg and some generic hex editor
Exe: 2.0a
The mission: Change "data\stage.dat" to something wonky


Step 1: find the address of the string
Open the hex editor of your choice and search for the string. As you have found yourself, it's 47be0. We're going to remember that address.


Step 2: find the command accessing that memory portion
This is where you are struggling. Going to give you a quick rundown: LF2 loads strings by their addresses (probably other apps as well but I don't feel enough criminal incentive to test). Or, more properly, their offsets. The data located at this offset is put onto the stack and another routine is called. You can imagine this like a high-level function that needs additional parameters. Those are grabbed from the stack.
So, we're looking for the command that pushes this address onto the stack: "push offset 00447be0".
Notice the leading "004", that's always needed.
You should find something like this (copypasting Olly):
Code:
CPU Disasm
Address  Hex dump          Command                                  Comments
0040C932  |.  68 E07B4400  PUSH OFFSET 00447BE0                    ; ASCII "data\stage.dat"
0040C937  |.  8BD9          MOV EBX,ECX
0040C939  |.  E8 F2800000  CALL 00414A30


Step 3: insert wondrous text and note address
Find an unused portion (look for a bunch of 00) and insert your new string there:
[Image: FGcO2q0.png]
As you can see, my accuracy is bad and I missed the beginning of the line. Doesn't matter, we're just going to use the correct offset then. In my case, that's 4c741.
For reference, the character that tells LF2 to stop pushing letters onto the stack is the hex-character "00", so make sure to have at least one of them between each string you add.


Step 4: change the PUSH
At address 0040C932 (in Olly, use Ctrl+G for "go to address"), replace the offset with the new one, in my case "push offset 0044c741". Olly will automagically show the new string that's going to be pushed onto the stack ("data\hello_look_at_my_marvelous_stage.dat").


Step 5: save your changes
I personally find it not too user-friendly, so here's how to produce an exe from the disassembled Olly-mess.
- Select all (Ctrl+A)
- Right click > Edit > Copy to executable
- In the new window > Right click > Save file


Step 6: Wobble
You're done.


***


As you can see, JMPs are not necessary here. If you were using a DLL, you might have to. If you plan on changing or adding new functionalities, you definitely should. However, because JMPs occupy a large block, you'll usually overwrite a couple of the following lines, so you'd better have a backup ready (which is also why I pasted a few more lines than the one we were interested in). The basic procedure in that case would be: JMP to unused section, add the lines that were overwritten by the JMP, continue with your own code, JMP back to where applicable.


***


Alternative, super-short step
Because this is a rather simple thing, you could directly change a few bytes using your hex editor of choice.
  • search for the hex dump written in step 2: "68 E0 7B 44 00"
    This is essentially the machine code for "PUSH OFFSET" (68) "00 44 7b e0" (byte-order reversed). Address should be c932h (notice how small the number is, we're now in the "do stuff"-region of the exe instead of "hardcoded data"-region).
  • after having inserted your fantastic string, change the bytes accordingly. For me, it'd read "68 41 c7 44 00".
  • since most of the string-operations work like this, you'll just have to hunt for the address inside the exe first, then look for the byte pattern "68 xx xx 4x 00" and change that one accordingly.
That's it, you're done Wobble
Silverthorn / Blue Phoenix
~ Breaking LFE since 2008 ~

"Freeze, you're under vrest!" - Mark, probably.

» Gallery | » Sprites | » DeviantArt
Thanks given by: STM1993 , The_Hari , darkfiren
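
The byte-level patch from the "alternative, super-short step" in the post above, as an added example that is not part of the thread or written by either poster. It runs on a constructed zero-filled buffer laid out with the post's offsets and assumes, as the post's "leading 004" does, that virtual address = file offset + 0x00400000; the function names are hypothetical.

```python
import struct

IMAGE_BASE = 0x00400000  # the "leading 004"; assumes file offset == RVA, as in this exe

def va_bytes(file_offset: int) -> bytes:
    """Little-endian operand as it appears after the 0x68 opcode."""
    return struct.pack("<I", IMAGE_BASE + file_offset)

def find_push_refs(image: bytes, string_offset: int) -> list:
    """File offsets of every 'PUSH imm32' (68 xx xx xx xx) that pushes the string's address."""
    pattern = b"\x68" + va_bytes(string_offset)
    refs, pos = [], image.find(pattern)
    while pos != -1:
        refs.append(pos)
        pos = image.find(pattern, pos + 1)
    return refs

def repoint_string(image: bytes, old: bytes, new: bytes, cave: int) -> bytes:
    """Write `new` into zero padding at `cave` and retarget every PUSH of `old`."""
    buf = bytearray(image)
    old_off = image.find(old + b"\x00")
    if old_off == -1:
        raise ValueError("original string not found")
    # The byte before the cave must stay 00 (it terminates the previous string),
    # and the new string plus its own 00 terminator must fit in untouched padding.
    end = cave + len(new) + 1
    if cave < 1 or end > len(buf) or any(buf[cave - 1:end]):
        raise ValueError("target region is not free 00 padding")
    refs = find_push_refs(image, old_off)
    if not refs:
        raise ValueError("no PUSH references the string")
    buf[cave:cave + len(new)] = new
    for ref in refs:
        buf[ref + 1:ref + 5] = va_bytes(cave)  # keep opcode 68, swap the operand
    return bytes(buf)

def build_sample() -> bytes:
    """Constructed stand-in for the exe: zero-filled, with the post's bytes at the post's offsets."""
    buf = bytearray(0x4D000)
    buf[0xC932:0xC93E] = bytes.fromhex("68E07B4400" "8BD9" "E8F2800000")
    buf[0x47BE0:0x47BEE] = b"data\\stage.dat"
    return bytes(buf)

NEW_NAME = b"data\\hello_look_at_my_marvelous_stage.dat"  # string used in the post

if __name__ == "__main__":
    patched = repoint_string(build_sample(), b"data\\stage.dat", NEW_NAME, 0x4C741)
    print(patched[0xC932:0xC937].hex(" "))
```

A raw byte search can also hit data that merely looks like 68 followed by the address, so confirm each hit in the disassembler before saving.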