tommmmmm Expert Cheater
Reputation: 0
Joined: 09 Apr 2006 Posts: 147 Location: Poland
Posted: Tue Apr 21, 2009 3:07 am Post subject: [Help Please] Changing name of a window.
Ok, so there is a big exe file (let's say abc.exe) that I would like to edit.
Let's assume that the window's name is xyz.
Editing abc.exe with a hex editor and changing all occurrences of xyz to zyx didn't work - abc.exe crashes (no wonder - there were like 500 occurrences of xyz).
I tried running OllyDbg with it but I am kinda lost......
Any help please?
_________________
My old signature contained a link to UCE for 822 GG MapleStory. So yeah, I decided to edit the signature....
tombana Master Cheater
Reputation: 2
Joined: 14 Jun 2007 Posts: 456 Location: The Netherlands
Posted: Tue Apr 21, 2009 3:59 am Post subject:
Try to set a breakpoint on CreateWindow. Then, when the application calls it, find out where it gets the window name from.
tommmmmm Expert Cheater
Reputation: 0
Joined: 09 Apr 2006 Posts: 147 Location: Poland
Posted: Wed Apr 22, 2009 2:16 pm Post subject:
ummm, I am figuring it out now... I somehow can't make it work. Don't know why....
tommmmmm Expert Cheater
Reputation: 0
Joined: 09 Apr 2006 Posts: 147 Location: Poland
Posted: Wed Jun 17, 2009 12:20 pm Post subject:
The resource hacker didn't help.
The breakpoint at CreateWindow didn't help.
Checking out SetWindowText helped. Kinda.
There is this:
push ecx,
push eax,
<this funny call to setwindowtext>
so I wanted to edit the push ecx part, for example with
add ecx, 8
push ecx
Even that slight change (eating one letter) would satisfy me. However, when I want to do this Olly says there is not enough room for such a change. When I uncheck "keep size", the next few lines of the code get messed up automatically.
I wonder what tremendous changes it would require to change that name title to something completely different....
Noz3001 I'm a spammer
Reputation: 26
Joined: 29 May 2006 Posts: 6220 Location: /dev/null
Posted: Wed Jun 17, 2009 12:25 pm Post subject:
Check up a bit and look where ecx has its value set. I think it should be storing the address at which the window title is stored.
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Wed Jun 17, 2009 1:07 pm Post subject:
tommmmmm wrote: | The resource hacker didn't help.
The breakpoint at CreateWindow didn't help.
Checking out SetWindowText helped. Kinda.
There is this:
push ecx,
push eax,
<this funny call to setwindowtext>
so I wanted to edit the push ecx part, for example with
add ecx, 8
push ecx
Even that slight change (eating one letter) would satisfy me. However, when I want to do this Olly says there is not enough room for such a change. When I uncheck "keep size", the next few lines of the code get messed up automatically.
I wonder what tremendous changes it would require to change that name title to something completely different.... |
Of course it won't work. What you need to do is overwrite it with a jump to some codecave, write your code including the overwritten instructions, and then jmp back. Noz's suggestion is ideal if the string is a global string.
&Vage Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Jul 2008 Posts: 1053
Posted: Thu Jun 18, 2009 11:40 am Post subject:
sponge wrote: | tommmmmm wrote: | The resource hacker didn't help.
The breakpoint at CreateWindow didn't help.
Checking out SetWindowText helped. Kinda.
There is this:
push ecx,
push eax,
<this funny call to setwindowtext>
so I wanted to edit the push ecx part, for example with
add ecx, 8
push ecx
Even that slight change (eating one letter) would satisfy me. However, when I want to do this Olly says there is not enough room for such a change. When I uncheck "keep size", the next few lines of the code get messed up automatically.
I wonder what tremendous changes it would require to change that name title to something completely different.... |
Of course it won't work. What you need to do is overwrite it with a jump to some codecave, write your code including the overwritten instructions, and then jmp back. Noz's suggestion is ideal if the string is a global string. |
Don't see the point in all of that mess. Just detour SetWindowText and edit the parameters.
tommmmmm Expert Cheater
Reputation: 0
Joined: 09 Apr 2006 Posts: 147 Location: Poland
Posted: Fri Sep 04, 2009 11:02 am Post subject:
I heard somewhere that you can't make jumps larger than the set size, so editing ecx at the end of the program is impossible.
I went back to the idea of a constant - I found
MOV ECX,DWORD PTR SS:[ARG.7]
right before the function call,
but wtf is ARG.7?
I don't even know where to look for it......
-----
edit: when I clicked in Olly it suddenly showed [ESP+6C]
I tried editing it to +75 or to +5A.
In the first case I got an empty title, in the second some fancy letters.
ps: I presume it would be nice to see where esp leads, however it's not me who launches the application (there is a launcher that launches a launcher that launches the application) so I have no idea what to do...
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Fri Sep 04, 2009 11:35 am Post subject:
void:] wrote: | sponge wrote: | tommmmmm wrote: | The resource hacker didn't help.
The breakpoint at CreateWindow didn't help.
Checking out SetWindowText helped. Kinda.
There is this:
push ecx,
push eax,
<this funny call to setwindowtext>
so I wanted to edit the push ecx part, for example with
add ecx, 8
push ecx
Even that slight change (eating one letter) would satisfy me. However, when I want to do this Olly says there is not enough room for such a change. When I uncheck "keep size", the next few lines of the code get messed up automatically.
I wonder what tremendous changes it would require to change that name title to something completely different.... |
Of course it won't work. What you need to do is overwrite it with a jump to some codecave, write your code including the overwritten instructions, and then jmp back. Noz's suggestion is ideal if the string is a global string. |
Don't see the point in all of that mess. Just detour SetWindowText and edit the parameters. |
that's quite stupid. do you realise how many times that function might be called? also most window creations do not even use SetWindowText() for setting title text.. so it's quite possible the hook would not work for future versions of the program
tommmmmm wrote: | I heard somewhere that you can't make jumps larger than the set size, so editing ecx at the end of the program is impossible.
I went back to the idea of a constant - I found
MOV ECX,DWORD PTR SS:[ARG.7]
right before the function call,
but wtf is ARG.7?
I don't even know where to look for it......
-----
edit: when I clicked in Olly it suddenly showed [ESP+6C]
I tried editing it to +75 or to +5A.
In the first case I got an empty title, in the second some fancy letters.
ps: I presume it would be nice to see where esp leads, however it's not me who launches the application (there is a launcher that launches a launcher that launches the application) so I have no idea what to do... |
[ESP+6C] is a value on the stack. i am guessing what is happening is that a pointer to the window title is pushed onto the stack at some point and hence it is pointed to by ESP+6C. editing the offset does nothing other than make the title pointer point to some other random place on the stack.
there are two easy ways as a solution. first off, you can scroll up and find out where the pointer is being pushed. let's say it is pushing ecx << being the pointer to the title. since ecx is the pointer, if you follow it in the hex dump you should find the title in the data section of the program ; ) you can then edit it there. that would be the cleanest solution.
a messy way and overkill is to codecave at various places, eg. just before the [ESP+6C] and then edit the pointer there, or codecaving ecx, etc. etc.
actually, an easy way to achieve what you are trying to do is to use CE to scan for the window title as a string. once you have the address you can go there in memory view and edit it there. alternatively you could breakpoint on access to that address and change references to it to point to another string that you define yourself. instead of changing all references though, you need to make sure you just change the right ones.
upload the exe somewhere and post the link and i'll show you what needs to be done
tommmmmm Expert Cheater
Reputation: 0
Joined: 09 Apr 2006 Posts: 147 Location: Poland
Posted: Fri Sep 04, 2009 12:12 pm Post subject:
I read a bit about code caving and I code caved
push ecx,
push eax,
<this funny call to setwindowtext>
to
add ecx, <insert some number here>
push ecx,
push eax,
<this funny call to setwindowtext>
Facts:
add ecx, 0 ; leaves the old name of the program - which at least means the code cave is correct and everything is working
add ecx, 8 ; gives an empty one
sub ecx, 8 ; gives fancy letters
which all makes sense, because we had
mov ecx, [esp+6c]
push ecx,
push eax
<call to function>
so editing esp+6c is the same as editing ecx later on in the code cave.
Which leads me to the point that the mistake was at the very beginning of the thought process - an ANSI letter is not 8 bits..... but Google says it is...
so I am stuck again...
ps: and the part about following esp in the hex dump is a total mystery to me.... esp is set some time in the past - probably long ago in the code - so getting the esp value (then adding the offset to get the data string) is impossible....
Last edited by tommmmmm on Fri Sep 04, 2009 12:20 pm; edited 1 time in total
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Fri Sep 04, 2009 12:18 pm Post subject:
the hex dump window is the one at the bottom left. an ANSI letter is 8 bits indeed.
add ecx, 0 >> changes nothing
add ecx, 8 >> changes the title pointer to 8 letters ahead. since it's blank, i am guessing the title is 7 bytes or shorter and you have changed the pointer to the null terminator or something past that
sub ecx, 8 >> changes the title pointer to whatever random data was 8 bytes before
here is how to change the title. breakpoint on the push ecx, check ecx's value in the registers window on the top right. go to hex dump >> ctrl-g >> enter that address.
edit the address there, save the change.
otherwise find another codecave, write your new title and, in your codecaved bit, do mov ecx, X where X is a pointer to your new title
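The pointer arithmetic Slugsnack describes above (and tommmmmm's add/sub results), as an added C illustration that is not code from the thread: a constructed fake data section stands in for the exe's image, and the title text, TITLE_OFFSET and the helper names are assumptions. It also shows the size check that the in-place "edit the constant and save" approach depends on.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the program's data section: a neighbouring
 * string, the 7-byte title "TitleXY" with its NUL, then zero padding and
 * another string. Offsets are in bytes, because an ANSI char is 1 byte. */
static char data_section[] =
    "PREV\0\0\0\0"      /* bytes 0..7  : neighbour string + padding      */
    "TitleXY\0"         /* bytes 8..15 : the title and its terminator     */
    "\0\0\0\0NEXT";     /* bytes 16..23: padding, then another string     */
#define TITLE_OFFSET   8
#define TITLE_BUF_SIZE 8   /* 7 chars + NUL: all the room the image has  */

/* What SetWindowTextA would receive after a code cave did "add ecx, delta":
 * the pointer moves delta bytes, so the string simply starts delta bytes
 * later (or earlier). +8 here lands on padding, hence an empty title. */
const char *title_seen_by_api(ptrdiff_t delta)
{
    const char *ecx = data_section + TITLE_OFFSET;  /* ecx before the push */
    return ecx + delta;                             /* add ecx, delta      */
}

/* The clean fix from the thread: overwrite the constant where it lives.
 * The new title must fit in the existing buffer including its NUL; a
 * longer string would spill into the bytes after it, which is how a blind
 * search-and-replace over hundreds of occurrences corrupts the file.
 * Returns 0 on success, -1 (buffer untouched) if the title is too long. */
int patch_title_in_place(char *buf, size_t buf_size, const char *new_title)
{
    size_t n = strlen(new_title);
    if (n + 1 > buf_size)
        return -1;
    memset(buf, 0, buf_size);      /* keep a shorter title NUL-terminated */
    memcpy(buf, new_title, n);
    return 0;
}

int main(void)
{
    printf("add ecx, 0 -> \"%s\"\n", title_seen_by_api(0));
    printf("add ecx, 2 -> \"%s\"\n", title_seen_by_api(2));
    printf("add ecx, 8 -> \"%s\"\n", title_seen_by_api(8));
    printf("sub ecx, 8 -> \"%s\"\n", title_seen_by_api(-8));
    patch_title_in_place(data_section + TITLE_OFFSET, TITLE_BUF_SIZE, "NewName");
    printf("after patch -> \"%s\"\n", title_seen_by_api(0));
    return 0;
}
```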
tommmmmm Expert Cheater
Reputation: 0
Joined: 09 Apr 2006 Posts: 147 Location: Poland
Posted: Fri Sep 04, 2009 12:27 pm Post subject:
hmmm, you were right, +8 pushes 8 letters, not 1. Thus I have achieved a partial solution. I can edit the title by eating letters.
The other thing is that for making a new title it would be best to edit the old global constant rather than create one from scratch - the "following in hex dump" idea sounds very nice.
However, as I said, there's this problem with running the application:
It is launched by the launcher's launcher - double clicking results in an error - and attaching Olly to the already running process is kind of meaningless because the title was set long ago....
I might be wrong however - I'll test both ideas atm.
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Fri Sep 04, 2009 12:45 pm Post subject:
i see what you are saying. most likely, though, the executable with the title is also the one that is setting it. also likely is that the title is a static constant as opposed to being created dynamically.
case : static title
find the buffer address, edit the buffer, save changes. next time the app is loaded the new title will be used
case : dynamic title, unlikely
try to attach to the process on creation. hardware breakpoint on the buffer address to see what code is creating the title; we work from there
you seem to be missing the point that you can change the 'global constant' AND SAVE IT, meaning next time the app loads up the 'global constant' that is accessed will be the new, modified one