OllyDbg Tutorial: Updating Addresses
  1. #1
    Senior Member
    Join Date
    Mar 2007
    Posts
    1,323

    OllyDbg Tutorial: Updating Addresses

    Tools Needed: OllyDbg

    Good evening/morning/or something in between... Today I'm going to show you a brilliant way to update addresses with OllyDbg. "What? I thought you'd need at least Cheat Engine or TSearch (or any other memory scanning software) to find addresses. Does Olly have a built-in memory scanner in it??" you might ask. Well, the answer is no. Olly doesn't have any built-in memory scanner, but that doesn't prevent us from updating addresses. Read further!

    Have you developed a Tibia cheat, and now that this new update has come you have no idea how to get some addresses? Finding PlayerID and HP is easy, but what about the Map Pointer? You don't have any clue how to look for it. Sound familiar? Well, now I'm going to show you how to update that Map Pointer (and many other addresses) with only OllyDbg.

    Theory:

    The addresses we're using are not meant for us (hackers). The player's hitpoints, for example. We can use it to do many funny things, but in fact it's just a variable declared in Tibia's code. We can hijack the variable by finding the memory address of that variable and then using the WriteProcessMemory() function to change it. So when Tibia declares the player HP and later subtracts 50 from it, it could look something like this:

    C++
    Code:
    int PlayerHP = 0;
    //Later..
    PlayerHP -= 50;
    ASM
    Code:
    MOV DWORD PTR DS:[PlayerHPAddress], 0
    ;Later..
    SUB DWORD PTR DS:[PlayerHPAddress], 50
    Then we could look for this PlayerHPAddress and use it to make our own healing bot. But as you can see, Tibia is using those addresses in its own procedures. This gives us a wonderful possibility to look for those addresses. In a nutshell: we find a place where Tibia is accessing the address (in our PlayerHP example it accessed PlayerHP to subtract 50 from it) and look for the code around it that shouldn't change in an update. Then we find the same code in the updated version and look for the new address.

    In our example again, Tibia could, instead of subtracting 50 from PlayerHP, subtract 10+30-20+80 from it (remember, this is just an example!). So the code again:

    C++
    Code:
    int PlayerHP = 0;
    int TempValue = 0; //Initialize Value
    TempValue += 10; //+10
    TempValue += 30; //+30
    TempValue -= 20;  //-20
    TempValue += 80;  //+80
    PlayerHP -= TempValue; //Subtract by TempValue
    ASM
    Code:
    MOV DWORD PTR DS:[PlayerHPAddress], 0
    MOV EAX, 0 ;Initialize Value
    ADD EAX, 10 ;+10
    ADD EAX, 30 ;+30
    SUB EAX, 20 ;-20
    ADD EAX, 80 ;+80
    SUB DWORD PTR DS:[PlayerHPAddress], EAX ;Subtract Value
    So now when the new update comes, PlayerHPAddress has changed but nothing else. Tibia is still using the same way to subtract from PlayerHP. So now when we compare the two versions in ASM it looks like this:

    Old Version:
    Code:
    MOV DWORD PTR DS:[OldHPAddress], 0
    MOV EAX, 0 ;Initialize Value
    ADD EAX, 10 ;+10
    ADD EAX, 30 ;+30
    SUB EAX, 20 ;-20
    ADD EAX, 80 ;+80
    SUB DWORD PTR DS:[OldHPAddress], EAX ;Subtract Value
    New Version:
    Code:
    MOV DWORD PTR DS:[NewHPAddress], 0
    MOV EAX, 0 ;Initialize Value
    ADD EAX, 10 ;+10
    ADD EAX, 30 ;+30
    SUB EAX, 20 ;-20
    ADD EAX, 80 ;+80
    SUB DWORD PTR DS:[NewHPAddress], EAX ;Subtract Value
    As you can see, the only thing that changes is the address. So we look for the address in the Old Version, then we notice those computations that don't change in the update, look for them in the New Version, and right below them we notice the new address which we can use. Simple. And now it's time to use this knowledge in practice. Ladies and gentlemen, fire up your OllyDbg!

    Practice

    In general, Olly offers us everything we'll need to look for those addresses as I described earlier. We're going to use one plugin for Olly which copies assembly code to the clipboard so we can easily just copy and paste the code instead of typing it (this speeds up the process a lot). The plugin I'm talking about is called Asm2Clipboard and can be found for example here: http://www.tuts4you.com/request.php?30. Download the plugin and place it in your OllyDbg plugin directory (the default is the same directory where your OllyDbg.exe file is). Then restart Olly and you're ready to go.

    It could be wise to make a copy of your Tibia.exe and rename it Tibia<version>.exe to make recognition in Olly easier. I renamed my Tibia exes to Tibia811.exe and Tibia82.exe.

    The next step is to start two OllyDbgs and load the Tibia versions into them: the old one in one, and the newer one in the other. You'll notice the titles are OllyDbg - Tibia811.exe and OllyDbg - Tibia82.exe.

    So let's get to business. We know that the Map pointer for 8.11 is 0x6234D8 (I took the address from the 8.1 address list in the tutorials section). So somewhere in the Tibia 8.11 code there's a place where Tibia is accessing it. Go to the OllyDbg where Tibia 8.11 is loaded (later in the tutorial I'll use Olly8.11 and Olly8.2 to refer to each Olly according to which Tibia is loaded). Now right click in the CPU window (the big window full of ASM code) and select: Search for -> Constant. In the dialog that opens, put 6234D8 (the Map Pointer address) in the Hexadecimal box and Olly will calculate the others. Make sure the Entire block checkbox is checked and press OK. Olly will land on the first place it found that address being used. At least I landed on a place like this:

    Code:
    596810	MOV EAX,DWORD PTR DS:[6234D8]
    596815	PUSH EAX
    596816	CALL Tibia811.00554FC8
    59681B	POP ECX
    59681C	RETN
    Okay, I admit, it's not much. We can try to look for another place by right clicking -> Search for -> Next (or pressing Ctrl + L). But as we'll soon notice, this is the only place where the map pointer is used. So the code that shouldn't change is only PUSH EAX and POP ECX. Everyone a bit familiar with ASM (and those who are not, after a bit of trying) will soon notice it's a way too common command. So we have to improvise. I put a breakpoint to mark the place where our address is accessed. (To put a breakpoint, either double click the hex codes in front of the ASM line or activate the line with a left click and press F2.) Now let's scroll down a bit and we'll find more short sequences of commands. I found lines like this:

    Code:
    596850	MOV ECX,Tibia811.00768C78
    596855	JMP Tibia811.0053A020
    Now I wonder what's at the other side of that JMP. Left click that line (to make it active) and press ENTER. This will take you to the address 53A020h (the JMP destination). No dice, there's just a MOV command with an address, so we can't use that. But a bit higher up there's some other code which looks kind of promising. One XOR, one LEA and a few MOV commands. Let's hope that's not too common.

    Code:
    543488	XOR ECX,ECX
    54348A	LEA EDX,DWORD PTR DS:[EAX+4]
    54348D	MOV DWORD PTR DS:[EDX],ECX
    54348F	MOV DWORD PTR DS:[EDX+4],ECX
    543492	MOV DWORD PTR DS:[EDX+8],ECX
    543495	MOV DWORD PTR DS:[EDX+C],ECX
    Select all of them (by left clicking and holding your mouse button while dragging your mouse downwards), then right click your selection -> Asm2Clipboard -> Rip code to clipboard (Inline ASM). It doesn't really matter which one of the code ripping syntaxes you choose (Inline ASM or MASM), Olly understands both. Now that we have the code in our clipboard, switch to the other Olly (Olly8.2) and in the CPU window: right click -> Search for -> Sequence of commands. In the dialog that opens, paste your code into the text field (either right click -> Paste or Ctrl + V), make sure Entire block is checked and press OK.

    Now if Olly found something, it landed on the place where that sequence of code is used. We realize it's just like the code in 8.11, only the addresses have changed. (You can test this by scrolling the code to the same position and then Alt+Tabbing between the Ollys.) So now we just have to follow the route back in Olly8.2. Remember how we found that place? First we looked for the Map Pointer address and after that we followed the JMP. The final step was to scroll a bit up to find the place we're at now. If you can't remember what the place after the JMP looked like, you can always open the Breakpoint window (View -> Breakpoints or Alt + B) in Olly8.11 and double click the breakpoint we set to mark the place where our map pointer is accessed. Then just scroll down again and follow that JMP. Now when you compare the views of Olly8.11 and Olly8.2 you'll see the MOV operand where the jump landed (below the place where the sequence of commands we looked for was).

    Now in Olly8.2 make the MOV command active by left clicking it (this line: MOV DWORD PTR DS:[ECX],Tibia82.005BE7F8). Now below the ASM window you see a narrow box with text like this:

    005BE7F8=Tibia82.005BE7F8 (ASCII "P7T")
    Stack DS:[0013FFB0]=7C90E64E (ntdll.7C90E64E)
    Jump from 005A2755

    Left click the line "Jump from 005A2755" to make it active. Then right click it and select "Go to JMP from 005A2755". This will take us to the place where the JMP was made. Now, remembering that we had to scroll down a bit to find that JMP in Olly8.11, we simply scroll up a bit to find the same place in Olly8.2. I did this step like this: I went to the place where the Map Pointer is accessed (via the Breakpoint window) in Olly8.11, and in Olly8.2 I started slowly scrolling up. After each scroll I switched between the 8.11 and 8.2 windows with Alt+Tab to see if the code looked the same. I saw a line "PUSH 200A8" in both windows after scrolling up a bit, so I scrolled the Olly8.2 view so that the line was at the same place in both windows. Now when I Alt+Tabbed I noticed that only the addresses were changing anymore. And from the red bar (which marks breakpoints) in Olly8.11 I easily noticed where the code accessed the Map Pointer. Then the final step was to check what the code was in Olly8.2. The line that accessed the Map Pointer was:

    In Olly8.11
    Code:
    596810	MOV EAX,DWORD PTR DS:[6234D8]
    In Olly8.2
    Code:
    5A2710	MOV EAX,DWORD PTR DS:[631610]
    So now we just compare the lines and notice (as I've highlighted) the new Map Pointer is 631610.

    Last Words

    This method I've shown has worked for every address I've tried to find. Levelspy, Namespy, FPS, Map Pointer... Of course, as the versions change it is possible that the registers used change or something like that. Then you just have to look for another place which could have remained the same. All you need is the ability to follow your way back in the other version.

    This time I'm dropping my Star Wars jokes (a reference to my earlier OllyDbg tutorial) and letting you start updating addresses instead of screaming in agony because of my (stupid) jokes.

    And oh... I almost forgot: as always, comments (positive and negative), corrections, etc. are highly welcome.

    To be seeing you,
    OsQu
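    The comparison the tutorial does by hand (find the instruction that references the old address, keep the bytes around it that should not change, search for that pattern in the new build, read the new operand) can be expressed as a wildcarded byte-signature match. The block below is an added example, not OsQu's code or anything from the thread: the two byte strings are constructed stand-ins for the two builds, using real x86-32 opcode encodings but made-up surrounding bytes, and the 0x631610 result is chosen to mirror the tutorial's 8.2 value. It also shows the failure mode the tutorial warns about: when the signature is "way too common" and matches more than once, it refuses to answer rather than guess.

```python
import struct

OLD_MAP_PTR = 0x6234D8  # map pointer in the old build (value from the tutorial)

# Constructed stand-ins for the two builds. The opcodes are real x86-32
# encodings (A1 = MOV EAX,[moffs32], 50 = PUSH EAX, E8 = CALL rel32,
# 59 = POP ECX, C3 = RETN); the surrounding bytes are made up.
OLD_CODE = (b"\x90\x90\x31\xc9"                         # NOP NOP XOR ECX,ECX
            + b"\xa1" + struct.pack("<I", OLD_MAP_PTR)  # MOV EAX,[6234D8]
            + b"\x50\xe8\xa8\xe7\xfb\xff"               # PUSH EAX / CALL rel32
            + b"\x59\xc3\x90\x90")                      # POP ECX / RETN
# Same routine in the "new" build: only the moffs32 and the CALL displacement
# moved, exactly the situation the tutorial describes.
NEW_CODE = (b"\xcc\x90\x90\x31\xc9"
            + b"\xa1" + struct.pack("<I", 0x631610)
            + b"\x50\xe8\x10\x28\xfb\xff"
            + b"\x59\xc3\x90\x90")


def find_matches(code: bytes, sig: list) -> list:
    """Offsets where sig matches code; None entries in sig are wildcards."""
    return [i for i in range(len(code) - len(sig) + 1)
            if all(s is None or code[i + k] == s for k, s in enumerate(sig))]


def rebase_address(old_code: bytes, old_addr: int, new_code: bytes,
                   before: int = 5, after: int = 12,
                   wildcards=((0, 4), (6, 4))):
    """Find MOV EAX,[old_addr] in old_code, lift the bytes around its operand
    as a signature and read the operand back out of new_code.

    `before`/`after` are byte counts around the 4-byte operand; `wildcards`
    are (offset, length) pairs relative to the operand that vary between
    builds (the operand itself and the rel32 of the CALL after PUSH EAX).
    Returns None unless the signature matches exactly once: several hits is
    the tutorial's "way too common" case and the signature must be widened.
    """
    needle = b"\xa1" + struct.pack("<I", old_addr)
    ref_off = old_code.index(needle) + 1           # offset of the operand
    start = max(ref_off - before, 0)
    sig = list(old_code[start:ref_off + after])
    for w_off, w_len in wildcards:
        for i in range(w_len):
            idx = ref_off - start + w_off + i
            if 0 <= idx < len(sig):
                sig[idx] = None
    hits = find_matches(new_code, sig)
    if len(hits) != 1:
        return None
    return struct.unpack_from("<I", new_code, hits[0] + ref_off - start)[0]


if __name__ == "__main__":
    print(hex(rebase_address(OLD_CODE, OLD_MAP_PTR, NEW_CODE)))        # 0x631610
    # The same routine twice in the new build: ambiguous, so no answer.
    print(rebase_address(OLD_CODE, OLD_MAP_PTR, NEW_CODE + NEW_CODE))  # None
```

    Widening `before`/`after` (or adding more wildcards for other moving operands) is the code equivalent of scrolling further from the reference to find a longer sequence that is unique in the new build.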

  2. #2

    Excellent tutorial OsQu! You didn't only explain how to find memory addresses, you also explained WHY this works! I think it's fantastic to know what we are doing!

    I just tried it with another address and success!

    Lots of thanks!

  3. #3
    Senior Member
    Join Date
    Jun 2007
    Posts
    334

    Karma to you OsQu ^^, just one word: Perfect!

  4. #4
    Senior Member
    Join Date
    Mar 2007
    Posts
    324

    Damn this tutorial is so well explained! Thanks for posting it!

  5. #5
    Senior Member
    Join Date
    Oct 2007
    Posts
    1,045

    Rep++++

  6. #6

    I have to say, in my own experience, that OsQu's method for finding new addresses is the fastest and most effective. But that's just me.

    Thanks mate!

  7. #7
    Senior Member
    Join Date
    Apr 2008
    Posts
    689

    godlike

  8. #8

    Amazing tutorial, I must say. I was just thinking about how I did not know how to use OllyDbg to do anything...and here this is! I will give it a spin asap and give you some feedback on clarifying the tutorial or other comments. Thanks!

  9. #9

    Hello. I found the address for 8.21 (using the tutorial) == $634610
    I think it is correct, for the Map pointer.

    But I would like you to tell me how I can find other kinds of addresses == I mean, I am trying to localize char ID, I have the address in 7.92, and I could compare it with 8.21 (for example). But sometimes there are a lot of lines calling the same address --- that is my doubt --- how to filter the other addresses.

    I found for example the capacity of the char using TSearch. Found the address $624C40 for 8.21.

    In 7.92 it was 6059A0.

    Thanks for explaining more about this, I think it is my major difficulty..

  10. #10
    Senior Member
    Join Date
    Oct 2007
    Posts
    1,045

    <Making it a sticky, as it is one of the most important tutorials we've got here>
