[Guide] Finding pointers and offsets with CE and OllyDbg

Posted on Sunday, 12 September 2010, 0 comments

This is a method for finding pointers in a non-protected game with OllyDbg; the worked example is the HP value in Knight Online ("KO").

1. Open your favorite memory editor and find your HP.

Image

2. Open OllyDbg and attach it to KO.

3. Anywhere in the hex dump right click and choose "Go to" > "Expression".

Image

4. Enter the HP address found by the memory editor and press OK.
This will take you to that address in the hex dump.

Image

5. Right-click your HP value in the hex dump and choose "Breakpoint" > "Hardware, on access" > "Dword".
This tells OllyDbg to break on any instruction that reads or writes the DWORD at 0x02559A3C (your address will more than likely be different). A hardware breakpoint is set in the CPU's debug registers, so nothing in the game's memory is modified.

Image

6. If KO is paused, hit Run, then go in-game and do something that affects your HP (get hit by a mob).
OllyDbg will pause KO when you get hit or your HP is otherwise modified.
As you can see from the pic below, OllyDbg stops at 0x007A7ED7, but the status bar reads "Hardware breakpoint 1 at KnightOn.007A7ED7 - EIP points to next instruction". That is OllyDbg's cryptic way of saying that the previous instruction (0x007A7ED1) caused the break: the CPU reports a data breakpoint only after the accessing instruction has completed, so EIP has already moved on to the next one.
So you can see straight away that the offset used at 0x007A7ED1 is 0x594, and whatever is in EAX at that point is the pointer.
To find out what goes into EAX, read the instructions preceding 0x007A7ED1; you will find that
0x007A7EC8 - MOV EAX,DWORD PTR DS:[B6D38C] sets EAX (check that nothing between 0x007A7EC8 and 0x007A7ED1 writes EAX again).
So the pointer is 0x00B6D38C and the offset to current HP is +0x594; in other words, current HP lives at [[0x00B6D38C] + 0x594].

Image
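As an added illustration (not part of frognik's guide), the C program below models the two reads the disassembly performs, EAX = [0x00B6D38C] followed by [EAX+0x594], over a constructed stand-in for the game's memory. The page layout and the HP value are assumptions for the demo; the chain resolver is written generally so it also handles multi-level pointers and reports a stale or unmapped pointer instead of faulting.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in (assumption for this demo) for two 4 KiB pages of the
 * game's address space: one holds the static pointer, one the player object. */
#define PTR_ADDR  0x00B6D38Cu   /* DS:[B6D38C] from "MOV EAX,DWORD PTR DS:[B6D38C]" */
#define HP_OFFSET 0x594u        /* [EAX+594] at 0x007A7ED1 */
#define HP_ADDR   0x02559A3Cu   /* address the memory scanner found */

typedef struct { uint32_t base; uint8_t data[0x1000]; } Page;
static Page pages[2] = { { 0x00B6D000u, {0} }, { 0x02559000u, {0} } };

/* Map a target address to our fake pages; NULL if unmapped (e.g. a stale pointer). */
static uint8_t *translate(uint32_t addr, size_t len) {
    for (size_t i = 0; i < 2; i++)
        if (addr >= pages[i].base && addr - pages[i].base + len <= sizeof pages[i].data)
            return pages[i].data + (addr - pages[i].base);
    return NULL;
}

static int read_u32(uint32_t addr, uint32_t *out) {
    uint8_t *p = translate(addr, 4);
    if (!p) return 0;
    memcpy(out, p, 4);
    return 1;
}

/* Follow a pointer chain the way the disassembly does: each level reads a DWORD
 * (EAX = [base]) and adds the next offset ([EAX+0x594]). Returns 0 instead of
 * faulting when a level is unreadable, which is what a relog or patch gives you. */
static int resolve_chain(uint32_t base, const uint32_t *offs, size_t n, uint32_t *out) {
    uint32_t cur = base, next;
    for (size_t i = 0; i < n; i++) {
        if (!read_u32(cur, &next)) return 0;
        cur = next + offs[i];
    }
    *out = cur;
    return 1;
}

/* Lay out the guide's scenario in the fake pages with a chosen HP value. */
static void setup_scene(uint32_t hp) {
    uint32_t obj = HP_ADDR - HP_OFFSET;       /* player object at 0x025594A8 */
    memcpy(translate(PTR_ADDR, 4), &obj, 4);  /* [0x00B6D38C] -> object */
    memcpy(translate(HP_ADDR, 4), &hp, 4);    /* object + 0x594 -> HP */
}

/* Read HP via [[0x00B6D38C] + 0x594]; 0xFFFFFFFF means the chain was unreadable. */
static uint32_t read_hp_via_pointer(void) {
    uint32_t offs[1] = { HP_OFFSET }, addr, hp;
    if (resolve_chain(PTR_ADDR, offs, 1, &addr) && read_u32(addr, &hp)) return hp;
    return 0xFFFFFFFFu;
}
```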

Notes:
Never set software (INT3) breakpoints on data: OllyDbg writes a 0xCC byte into the target, which corrupts the value and crashes the program.
To remove a hardware breakpoint choose "Debug" > "Hardware breakpoints" from the menu bar.
Everything in OllyDbg is shown in hex, except that the data dump window can be switched to whatever type you like by right-clicking and choosing the appropriate type.

You can integrate OllyDbg into Windows as the Just-In-Time debugger. To do it, go to "Options" > "Just-in-time debugging" and press "Make OllyDbg just-in-time debugger" (1).
This lets you attach OllyDbg to a process from the Task Manager (2) and also lets OllyDbg debug a program that has crashed.

Image

by frognik
