 Forums >>  Debuggers  >>  Help tracing program variable

Topic created on: February 14, 2012 14:26 CST by ner0 .

Hello,

I wanted to ask for some help on how to find a variable inside a program using a disassembler like OllyDbg or Win32Dasm. I'm trying to figure out how to manipulate that variable but my main problem is how to find it.
I have little experience with disassemblers but somehow I managed to crack a few things over the years.
Most of what I know by the basic tutorials that I've read take the same approach, you check the program's string references and search the section that means something in relation to what you need to find, then you start following jumps and calls until you get to the spot that you want to manipulate, I've done that on some occasions.
The task at hand is a bit different from what I'm used to, there are apparently no string references to the specific variable I need to find and so I don't know which way to go. I tried to follow the code but at some point I realized that even if I stepped on the code I was searching for I wouldn't know it. In more detail, it's a video game that upon launch checks if an external file is loaded, if that external file was loaded it displays an internal warning message (not your win32 popup) then exits. The game was built using a proprietary programming language based on Visual C++. I'm guessing the source-code for that portion should be something like this:

if (ExternalFileLoaded==1) {
    Display ("WARNING: An external file was loaded, bla, bla...");
    Exit(0);
}
else
{
...continue...
}


Can someone give me a hint to which approach I should use to find that specific variable set or variable check?

Thank you for your time.

  NirIzr     February 15, 2012 11:06.53 CST
I guess that the tool you really want is one of those memory monitors/manipulators like CheatEngine.
They let you input the current value of a variable at a specific moment and search for it in the entire memory space of the program, and then input another value for the same variable and search only those found with the first value, and further filter the variables until you find the specific one you're looking for.

This is just one of the basic features these tools supply... and they are really useful for manipulating specific values in entire programs.

They are usually embedded within game cheating tools since these areas are where you usually want that kind of tool (i.e. modify your current health or EXP in RPGs etc.).

good luck!
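
The narrowing search described in the post above, as an added example that is not part of the original thread. It runs over constructed byte buffers rather than a live process; the function names (`first_scan`, `next_scan`, `narrow`) and all sample values are assumptions made for illustration.

```python
import struct

WIDTH = 4  # scan for aligned 32-bit little-endian integers

def read_u32(snapshot: bytes, offset: int) -> int:
    return struct.unpack_from("<I", snapshot, offset)[0]

def first_scan(snapshot: bytes, value: int) -> set:
    """Every aligned offset that currently holds `value`."""
    return {off for off in range(0, len(snapshot) - WIDTH + 1, WIDTH)
            if read_u32(snapshot, off) == value}

def next_scan(candidates: set, snapshot: bytes, value: int) -> set:
    """Keep only earlier hits that hold the new `value` in a later snapshot."""
    return {off for off in candidates if read_u32(snapshot, off) == value}

def narrow(observations):
    """observations: list of (snapshot, value observed at that moment).
    Returns the sorted candidate offsets remaining after each scan."""
    (snap, value), rest = observations[0], observations[1:]
    candidates = first_scan(snap, value)
    history = [sorted(candidates)]
    for snap, value in rest:
        candidates = next_scan(candidates, snap, value)
        history.append(sorted(candidates))
    return history

def make_snapshot(cells: dict) -> bytes:
    """Constructed 64-byte 'memory': 16 dwords, zero unless listed in cells."""
    return struct.pack("<16I", *(cells.get(i, 0) for i in range(16)))

# Constructed sample data: dword 8 is the tracked value (100 -> 87 -> 60).
# Dword 2 is a constant 100 and dword 11 matches twice by coincidence,
# so a single scan is not enough to tell them apart.
SNAPSHOTS = [
    (make_snapshot({2: 100, 5: 87, 8: 100, 11: 100}), 100),
    (make_snapshot({2: 100, 5: 87, 8: 87, 11: 87}), 87),
    (make_snapshot({2: 100, 5: 87, 8: 60, 11: 88}), 60),
]

if __name__ == "__main__":
    for step, hits in enumerate(narrow(SNAPSHOTS), 1):
        print(f"scan {step}: {[hex(h) for h in hits]}")
```

Each scan only re-reads the offsets that survived the previous one, which is why the candidate set shrinks quickly even when unrelated cells share the value.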

  Olivier   February 15, 2012 16:10.48 CST
From a debugger perspective, there's a couple of options I can think of that might help I hope:
- memory search, and BPM if from a debugger (search for the filename if you know it, or the warning)
- BPX on OpenFile or FindFirstFile functions and related
- BPX on Exit / Terminate functions
- Look for the list of functions (given the list of strings isn't useful)

Let us know how it goes ner0.

  tosanjay     March 4, 2012 05:47.09 CST
> ner0: Hello,
Hi,
Look at the tool Flayer [code.google.com/p/flayer/], which should be helpful. I have a few remarks on your query (inlined below).
>
> I wanted to ask for some help on how to find a variable inside a program using a disassembler like OllyDbg or Win32Dasm. I'm trying to figure out how to manipulate that variable but my main problem is how to find it.
> I have little experience with disassemblers but somehow I managed to crack a few things over the years.
> Most of what I know by the basic tutorials that I've read take the same approach, you check the program's string references and search the section that means something in relation to what you need to find, then you start following jumps and calls until you get to the spot that you want to manipulate, I've done that on some occasions.
> The task at hand is a bit different from what I'm used to, there are apparently no string references to the specific variable I need to find and so I don't know which way to go.
Remember, if the binary is compiled with NO DEBUGGING, you will not find the variable by name. So string search will not help. Variables are referenced w.r.t. EBP (or ESP) in the procedure that declares them. If it is a global var, you will see its address only.

> I tried to follow the code but at some point I realized that even if I stepped on the code I was searching for I wouldn't know it. In more detail, it's a video game that upon launch checks if an external file is loaded, if that external file was loaded it displays an internal warning message (not your win32 popup) then exits. The game was built using a proprietary programming language based on Visual C++. I'm guessing the source-code for that portion should be something like this:
>
> if (ExternalFileLoaded==1) {
>     Display ("WARNING: An external file was loaded, bla, bla...");
>     Exit(0);
> }
> else
> {
> ...continue...
> }
>

>
> Can someone give me a hint to which approach I should use to find that specific variable set or variable check?
>
> Thank you for your time.

I would try it like this:
1. Search for the string that is thrown back as WARNING and find the function that contains that.
2. Put a BP on the cmp-type instruction and check the variable that is used in this instruction.
3. Check if this variable is the one you are interested in.
