Gamerz Online

ASM applied to hacking Part 1 : Cut the crap :p

Allright, in todays tutorial, i will explain how ASM is relavent to game hacking

There are a few things you should know before we start

1. The Stack

The stack is welll... a big... stack of numbers lol

like so


Bottom
FFFFFFFF
FFFFF234
304958309
3937F0300  
Top

Say we want to add a new number, we would "Push" one ontop the stack. lets push 108!

Bottom
FFFFFFFF
FFFFF234
304958309
3937F0300
     108  
TOP

but wait, how to take from the stack? we pop off from the top of the stack. i will explain this more later

2. Registers
There are lots of registers Cheesy
the main useful ones are
EAX. EBX, EDX, ECX, ESI, EDI, EBP, ESP

a register is a 32 bit number like 123F3CF0 << in hexidecimal lol

you can move things back and forth in registers like

say we want to move whats in eax to ebx

mov ebx, eax

or eax to ecx

mov ecx, eax

mov is what we call an instruction, it is the native codes ran by your computers Cheesy

we can apply the stack to registers, we can pop the top info off the stack like so :

pop eax


remember the stack is like this

Bottom
FFFFFFFF
FFFFF234
304958309
3937F0300
     108  
Top

so eax now == 108 and the stack now looks like

Bottom
FFFFFFFF
FFFFF234
304958309
3937F0300
Top


whenever we push or pop something, a reigster called ESP (the Stack Pointer) lol goes up or down 4 bytes

when we push, the pointer goes down 4. this is because what you push comes at a lower address because it is the lowest in the stack
the top dosnt really go up, but the bottom gets a lower address :]

Poping is the opisite, the stack pointer goes up 4 bytes.

3. Stack Frames (i think thats what they are called lol)

what is a function you ask? it is a segment of code that takes arguments, and does stuff with them
but how can you just shove stuff at it? a stack frame is the answer

for example the function GetModuleHanlde retrieves the address in memory of a DLL (Dynamic Link Library)
7C80B6A3   55               PUSH EBP Preserve EBP
7C80B6A4   8BEC             MOV EBP,ESP
.............. FUNCTION CODE
7C80B6C0   5D               POP EBP
7C80B6C1   C2 0400          RETN 4

What is happening is EBP (Stack Base Pointer) for the function is being preserved for the calling function.
then the base pointer is changed to the current stack pointer
any pushing or popping will not affect EBP, only ESP (which makes argument retrieval easy, which i will show next)

when a function is called, it looks like
PUSH ARG 3
PUSH ARG 2
PUSH ARG 1
Call Func (Push Address of Next Instruction and JMP Func)
Next Instruction

So lets look at the stack

Bottom
ARG 3
ARG 2
ARG 1
NEXT INSTRUCTION
Top

in functions these would be accessed like...
to get arg 3

mov eax, [EBP+12]

[] means its a pointer, so its pointing to the location and the [] retreives the info from the location

Each Entry on the stack is 4 bytes. therefore, the first entry is at 0, the next at 4, the next at 8, and so on

what would happen if we had to use ESP? whenever we pushed, it would go out of whack, and the stack would be a pain to access
But because of these "Frames" stack programing is simmple

ok , so we come to the end of a function

Pop EBP
Retn 4

well we need to fix the stack for the previous function that called me.

so we pop ebp from the original EBP
that fixes that
but now, how to get back to the original function?
what about the arguments that were pushed into the stack?

RETN fixes this

the RETN size should be RETN (Number of arguments * 4)

it will pop them all off the stack, and then return to [ESP]


Ok so a review of instructions we covered

MOV - move stuff lol
PUSH - Push stuff under the stack
POP - Pop stuff out from under the stack
Retn - Return control flow to Caller

TO BE CONTINUED WITH PART 2: Applications