OllyDbg Tutorial: Updating Addresses
07-07-2008, 06:19 PM (This post was last modified: 07-07-2008 10:28 PM by Cameri. Edit Reason: )
Post: #1
OllyDbg Tutorial: Updating Addresses
Tools Needed: OllyDbg

Good evening/morning/or something in between. Today I'm going to show you a brilliant way to update addresses with OllyDbg. "What? I thought you'd need at least Cheat Engine or TSearch (or some other memory scanning software) to find addresses. Does Olly have a built-in memory scanner?" you might ask. Well, the answer is no. Olly doesn't have a built-in memory scanner, but that doesn't prevent us from updating addresses. Read on!

Have you developed a Tibia cheat and then, when a new update came, had no idea how to find some of the addresses again? Finding PlayerID and HP is easy, but what about the Map Pointer? You don't have a clue how to look for it. Sound familiar? Well, now I'm going to show you how to update that Map Pointer (and many other addresses) with only OllyDbg.

Theory:

The addresses we're using are not meant for us (hackers). Take the player's hit points, for example. We can use them to do many funny things, but in fact it's just a variable declared in Tibia's code. We can hijack the variable by finding its memory address and then using the WriteProcessMemory() function to change it. So when Tibia declares the player HP and later subtracts 50 from it, it could look something like this:

C++
Code:
int PlayerHP = 0;
//Later..
PlayerHP -= 50;
ASM
Code:
MOV DWORD PTR DS:[PlayerHPAddress], 0
;Later..
SUB DWORD PTR DS:[PlayerHPAddress], 50

Then we could look for this PlayerHPAddress and use it to make our own healing bot. But as you can see, Tibia uses those addresses in its own procedures. This gives us a wonderful way to look for them. In a nutshell: we find a place where Tibia accesses the address (in our PlayerHP example it accessed PlayerHP to subtract 50 from it) and look for code around it that shouldn't change in an update. Then we find the same code in the updated version and read the new address from it.

In our example again, Tibia could, instead of subtracting 50 from PlayerHP, subtract 10+30-20+80 from it (remember, this is just an example!). So the code again:

C++
Code:
int PlayerHP = 0;
int TempValue = 0;      // Initialize value
TempValue += 10;        // +10
TempValue += 30;        // +30
TempValue -= 20;        // -20
TempValue += 80;        // +80
PlayerHP -= TempValue;  // Subtract by TempValue
ASM
Code:
MOV DWORD PTR DS:[PlayerHPAddress], 0
MOV EAX, 0   ; Initialize value
ADD EAX, 10  ; +10
ADD EAX, 30  ; +30
SUB EAX, 20  ; -20
ADD EAX, 80  ; +80
SUB DWORD PTR DS:[PlayerHPAddress], EAX  ; Subtract value

So now when the new update comes, PlayerHPAddress has changed but nothing else has. Tibia still subtracts PlayerHP the same way. So when we compare the two versions in ASM it looks like this:

Old Version:
Code:
MOV DWORD PTR DS:[PlayerHPAddress], 0
MOV EAX, 0   ; Initialize value
ADD EAX, 10  ; +10
ADD EAX, 30  ; +30
SUB EAX, 20  ; -20
ADD EAX, 80  ; +80
SUB DWORD PTR DS:[[color=Red]OldHPAddress[/color]], EAX  ; Subtract value
New Version:
Code:
MOV DWORD PTR DS:[PlayerHPAddress], 0
MOV EAX, 0   ; Initialize value
ADD EAX, 10  ; +10
ADD EAX, 30  ; +30
SUB EAX, 20  ; -20
ADD EAX, 80  ; +80
SUB DWORD PTR DS:[[color=Green]NewHPAddress[/color]], EAX  ; Subtract value

As you can see, the only thing that changes is the address. So we look for the address in the old version, note the computations around it that don't change in the update, look for those in the new version, and right below them we find the new address, which we can use. Simple. And now it's time to put this knowledge into practice. Ladies and gentlemen, fire up your OllyDbg!

Practice

In general, Olly offers us everything we need to look for those addresses the way I described earlier. We're going to use one plugin for Olly which copies assembly code to the clipboard, so we can simply copy and paste the code instead of typing it (this speeds up the process a lot). The plugin I'm talking about is called Asm2Clipboard and can be found, for example, here: http://www.tuts4you.com/request.php?30. Download the plugin and place it in your OllyDbg plugin directory (the default is the same directory as your OllyDbg.exe). Then restart Olly and you're ready to go.

It could be wise to make a copy of your Tibia.exe and rename it Tibia<version>.exe to make recognition in Olly easier. I renamed my Tibia exes to Tibia811.exe and Tibia82.exe.

The next step is to start two OllyDbgs and load a Tibia version into each: the old one in one, the newer one in the other. You'll notice the titles are OllyDbg - Tibia811.exe and OllyDbg - Tibia82.exe.

So let's get down to business. We know that the Map Pointer for 8.11 is 0x6234D8 (I took the address from the 8.1 address list in the tutorials section). So somewhere in the Tibia 8.11 code there's a place where Tibia accesses it. Go to the OllyDbg where Tibia 8.11 is loaded (later in the tutorial I'll use Olly8.11 and Olly8.2 to refer to each Olly according to which Tibia is loaded in it). Now right click in the CPU window (the big window full of ASM code) and select: Search for -> Constant. In the dialog that opens, put 6234D8 (the Map Pointer address) in the Hexadecimal box and Olly will calculate the others. Make sure the Entire block checkbox is checked and press OK. Olly will land on the first place where it found that address being used. At least I landed on a place like this:

Code:
596810    MOV EAX,DWORD PTR DS:[6234D8]
596815    PUSH EAX
596816    CALL Tibia811.00554FC8
59681B    POP ECX
59681C    RETN

Okay, I admit, it's not much. We can try to look for another place by right clicking -> Search for -> Next (or pressing Ctrl + L). But as we'll soon notice, this is the only place where the Map Pointer is used. So the only code that shouldn't change is PUSH EAX and POP ECX. Anyone a bit familiar with ASM (and those who are not, after a bit of trying) will soon notice that's far too common a pair of instructions. So we have to improvise. I put a breakpoint to mark the place where our address is accessed. (To put a breakpoint, either double click the hex bytes in front of the ASM line, or select the line with a left click and press F2.) Now let's scroll down a bit and we'll find more short sequences of instructions. I found lines like this:

Code:
596850    MOV ECX,Tibia811.00768C78
596855    JMP Tibia811.0053A020

Now I wonder what's on the other side of that JMP. Left click that JMP (to make it active) and press ENTER. This will take you to address 53A020h (the JMP destination). No dice: there's just a MOV instruction with an address, so we can't use that. But a bit higher up there's some other code which looks kind of promising. One XOR, one LEA and a few MOV instructions. Let's hope that's not too common.

Code:
543488    XOR ECX,ECX
54348A    LEA EDX,DWORD PTR DS:[EAX+4]
54348D    MOV DWORD PTR DS:[EDX],ECX
54348F    MOV DWORD PTR DS:[EDX+4],ECX
543492    MOV DWORD PTR DS:[EDX+8],ECX
543495    MOV DWORD PTR DS:[EDX+C],ECX

Select all of them (by left clicking and holding the mouse button while dragging downwards), then right click the selection -> Asm2Clipboard -> Rip code to clipboard (Inline ASM). It doesn't really matter which of the code ripping syntaxes you choose (Inline ASM or MASM); Olly understands both. Now that we have the code in our clipboard, switch to the other Olly (Olly8.2) and in the CPU window: right click -> Search for -> Sequence of commands. In the dialog that opens, paste your code into the text field (either right click -> Paste or Ctrl + V), make sure Entire block is checked and press OK.

If Olly found something, it landed on the place where that sequence of code is used. We realize it's just like the code in 8.11; only the addresses have changed. (You can check this by scrolling the code to the same position and then Alt+Tabbing between the Ollys.) So now we just have to follow our route back in Olly8.2. Remember how we found that place? First we looked for the Map Pointer address and after that we followed the JMP. The final step was to scroll up a bit to find the place we're at now. If you can't remember what the place after the JMP looked like, you can always open the Breakpoints window (View -> Breakpoints or Alt + B) in Olly8.11 and double click the breakpoint we set to mark the place where our Map Pointer is accessed. Then just scroll down again and follow that JMP. Now when you compare the views of Olly8.11 and Olly8.2 you'll see the MOV instruction where the jump landed (below the place where the sequence of commands we searched for was).

Now in Olly8.2 make the MOV instruction active by left clicking it (this line: MOV DWORD PTR DS:[ECX],Tibia82.005BE7F8). Below the ASM window you now see a narrow box with text like this:

005BE7F8=Tibia82.005BE7F8 (ASCII "P7T")
Stack DS:[0013FFB0]=7C90E64E (ntdll.7C90E64E)
Jump from 005A2755

Left click the line "Jump from 005A2755" to make it active. Then right click it and select "Go to JMP from 005A2755". This will take us to the place where the JMP was made. Now, remembering that we had to scroll down a bit to find that JMP in Olly8.11, we simply scroll up a bit to find the same place in Olly8.2. I did this step like this: I went to the place where the Map Pointer is accessed (via the Breakpoints window) in Olly8.11, and in Olly8.2 I slowly started to scroll up. After each scroll I switched between the 8.11 and 8.2 windows with Alt+Tab to see if the code looked the same. After scrolling up a bit I saw a line "PUSH 200A8" in both windows, so I scrolled the Olly8.2 view until the line was in the same place in both windows. Now when I Alt+Tabbed I noticed that only the addresses were changing anymore. And from the red bar (which marks breakpoints) in Olly8.11 I easily spotted where the code accessed the Map Pointer. The final step was to check what the code was in Olly8.2. The line that accessed the Map Pointer was:

In Olly8.11
Code:
596810    MOV EAX,DWORD PTR DS:[[color=Red]6234D8[/color]]

In Olly8.2
Code:
5A2710    MOV EAX,DWORD PTR DS:[[color=Green]631610[/color]]

So now we just compare the lines and notice (as I've highlighted) that the new Map Pointer is 631610.

Last Words

The method I've shown has worked for every address I've tried to find: Levelspy, Namespy, FPS, Map Pointer... Of course, as versions change it is possible that the registers used change, or something like that. Then you just have to look for another place which could have remained the same. All you need is the ability to follow your way back in the other version.

This time I'm dropping my Star Wars jokes (a reference to my earlier OllyDbg tutorial) and letting you start updating addresses instead of screaming in agony because of my (stupid) jokes.

And oh... I almost forgot: as always, comments (positive and negative), corrections, etc. are highly welcome.

To be seeing you,
OsQu

TibiaAPI Developer
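The theory and practice sections above boil down to one mechanical step: rip the stable instruction bytes around the place where the old address is used, treat the address operand itself as a wildcard, and search the new build for that masked byte sequence. The C program below is an added example written for this page, not code from OsQu or the TibiaAPI project. It runs that step over two constructed byte arrays standing in for the 8.11 and 8.2 code: real x86 encodings of the tutorial's HP arithmetic followed by SUB DWORD PTR DS:[addr],EAX and RETN, with the page's 6234D8 and 631610 as the old and new Map Pointer; the decoy globals 620100/630200, the padding and the layout are made up. It also shows why a too-short anchor fails: the SUB [addr],EAX / RETN pair alone matches twice (like PUSH EAX / POP ECX in the tutorial), while including the arithmetic in front of it gives exactly one hit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SIG 64

/* Byte signature: where mask[i] is 1 the byte must equal bytes[i]; 0 = wildcard. */
typedef struct {
    uint8_t bytes[MAX_SIG];
    uint8_t mask[MAX_SIG];
    size_t  len;
    size_t  addr_off;   /* offset of the wildcarded 4-byte absolute address */
} sig_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Rip `len` bytes of the OLD image from `start` (the lines you would select in
 * Olly) and wildcard every little-endian occurrence of old_addr, i.e. ignore
 * the operand the tutorial marks in red/green. Returns 0 on success, -1 if the
 * window is out of range or does not contain the address at all. */
int build_sig(const uint8_t *old, size_t old_len, size_t start, size_t len,
              uint32_t old_addr, sig_t *out) {
    int found = 0;
    if (len < 4 || len > MAX_SIG || start + len > old_len) return -1;
    memcpy(out->bytes, old + start, len);
    memset(out->mask, 1, len);
    out->len = len;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (read_le32(out->bytes + i) == old_addr) {
            memset(out->mask + i, 0, 4);
            if (!found) out->addr_off = i;
            found = 1;
            i += 3;
        }
    }
    return found ? 0 : -1;
}

/* Masked scan over raw bytes (what "Search for -> Sequence of commands" does
 * on disassembled text). Returns the hit count; *first gets the first offset. */
size_t scan_sig(const uint8_t *img, size_t img_len, const sig_t *s, size_t *first) {
    size_t hits = 0;
    for (size_t off = 0; off + s->len <= img_len; off++) {
        size_t i = 0;
        while (i < s->len && (!s->mask[i] || img[off + i] == s->bytes[i])) i++;
        if (i == s->len && hits++ == 0 && first) *first = off;
    }
    return hits;
}

/* Whole update step. Returns the new address, or 0 when the signature is
 * missing or ambiguous in the new image (then choose a longer/other anchor). */
uint32_t update_address(const uint8_t *old, size_t old_len, size_t start, size_t len,
                        uint32_t old_addr, const uint8_t *neu, size_t neu_len,
                        size_t *new_hits) {
    sig_t s;
    size_t first = 0, hits;
    if (new_hits) *new_hits = 0;
    if (build_sig(old, old_len, start, len, old_addr, &s) != 0) return 0;
    hits = scan_sig(neu, neu_len, &s, &first);
    if (new_hits) *new_hits = hits;
    return hits == 1 ? read_le32(neu + first + s.addr_off) : 0;
}

/* Constructed sample images (NOT real Tibia code; decoy globals are invented). */
static const uint8_t OLD_IMG[] = {
    0x90,                                /* NOP padding                         */
    0x29, 0x05, 0x00, 0x01, 0x62, 0x00,  /* SUB DWORD PTR DS:[620100],EAX decoy */
    0xC3,                                /* RETN                                */
    0xB8, 0x00, 0x00, 0x00, 0x00,        /* MOV EAX,0                 (off 0x08) */
    0x83, 0xC0, 0x10,                    /* ADD EAX,10                          */
    0x83, 0xC0, 0x30,                    /* ADD EAX,30                          */
    0x83, 0xE8, 0x20,                    /* SUB EAX,20                          */
    0x05, 0x80, 0x00, 0x00, 0x00,        /* ADD EAX,80                          */
    0x29, 0x05, 0xD8, 0x34, 0x62, 0x00,  /* SUB DWORD PTR DS:[6234D8],EAX (0x1B) */
    0xC3,                                /* RETN                                */
};
static const uint8_t NEW_IMG[] = {
    0x90, 0x90, 0x90,                    /* everything shifted in the new build */
    0x29, 0x05, 0x00, 0x02, 0x63, 0x00,  /* decoy, its global moved as well     */
    0xC3,
    0xB8, 0x00, 0x00, 0x00, 0x00,        /* same arithmetic, unchanged          */
    0x83, 0xC0, 0x10,
    0x83, 0xC0, 0x30,
    0x83, 0xE8, 0x20,
    0x05, 0x80, 0x00, 0x00, 0x00,
    0x29, 0x05, 0x10, 0x16, 0x63, 0x00,  /* SUB DWORD PTR DS:[631610],EAX       */
    0xC3,
};

/* Wrappers over the sample images: hit count and resulting address. */
size_t demo_hits(size_t start, size_t len) {
    size_t h = 0;
    update_address(OLD_IMG, sizeof OLD_IMG, start, len, 0x6234D8u, NEW_IMG, sizeof NEW_IMG, &h);
    return h;
}
uint32_t demo_addr(size_t start, size_t len) {
    return update_address(OLD_IMG, sizeof OLD_IMG, start, len, 0x6234D8u, NEW_IMG, sizeof NEW_IMG, NULL);
}

int main(void) {
    printf("SUB [addr],EAX / RETN only : %zu hits -> %s\n", demo_hits(0x1B, 7),
           demo_addr(0x1B, 7) ? "ok" : "ambiguous, pick a longer anchor");
    printf("arithmetic + SUB + RETN    : %zu hit  -> new address %06X\n",
           demo_hits(0x08, 26), (unsigned)demo_addr(0x08, 26));
    return demo_addr(0x08, 26) == 0x631610u ? 0 : 1;
}
```

Two caveats a practitioner will hit. The scan works on raw bytes, so a real tool reads the code section of each executable and converts hit offsets to virtual addresses through the section headers (Olly does that for you). And relative CALL/JMP displacements (E8/E9 rel32) also change between builds, so they must be wildcarded too, which needs at least a length disassembler because the same byte values occur inside other instructions (0xE8 above is the ModRM byte of SUB EAX,imm8, not a CALL). Olly's Sequence of commands search sidesteps both problems because it matches on disassembled text.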
07-07-2008, 06:54 PM
Post: #2
Excellent tutorial OsQu! You didn't only explain how to find memory addresses, you also explained WHY this works! I think it's fantastic to know what we are doing!

I just tried it with another address and success!

Lots of thanks!

07-07-2008, 09:21 PM
Post: #3
Karma to you OsQu ^^, just one word: Perfect!
07-08-2008, 04:44 AM
Post: #4
Damn this tutorial is so well explained! Thanks for posting it!
07-08-2008, 04:47 AM
Post: #5
Rep++++

07-08-2008, 07:26 AM
Post: #6
I have to say, in my own experience, that OsQu's method for finding new addresses is the fastest and most effective. But that's just me.

Thanks mate!

Cameri

TibiaTek+TibiaAPI Development Team
Taking programming to a whole new level.
07-08-2008, 08:21 AM
Post: #7
godlike :o
07-09-2008, 01:15 PM
Post: #8
Amazing tutorial, I must say. I was just thinking about how I did not know how to use OllyDbg to do anything...and here this is! I will give it a spin asap and give you some feedback on clarifying the tutorial or other comments. Thanks!

TibiaAPI, SharpOT
08-02-2008, 08:13 PM
Post: #9
Hello. I found the address for 8.21 (using the tutorial) == $634610.
I think it is correct, for the Map Pointer.

But I would like you to tell me how I can find other kinds of addresses == I mean, I am trying to locate the char ID; I have the address in 7.92, and I could compare it with 8.21 (for example). But sometimes there are a lot of lines calling the same address --- that is my doubt --- how to filter the other addresses.

I found, for example, the capacity of the char using TSearch. Found the address $624C40 for 8.21.

In 7.92 it was 6059A0.

Thanks for explaining more about this, I think it is my main difficulty.
07-02-2009, 12:48 AM
Post: #10
<Making it a sticky, as it is one of the most important tutorials we've got here>
