Posted: Sat Aug 24, 2019 6:44 pm Post subject: Quick 64 Bit Tutorial Question
I'm hell bent on hacking Oniken so...I'm tryin to git down n durty.
So in the built in tutorial, I made it to Step 6. I'm wondering if I'm missing something, or if there was just a typo.
In the previous step, it said to "Find what writes to this address" & everything went fine there.
In Step 6, it asks to find out what "accesses" this address. I was wondering if this is a typo, because it says "a" item will show on the list.
Well, I get 4 items. In Step 5 when I looked for what "writes" to the address, I got "a" item.
Every time I click Change Value, it raises the counter of all 4 items, so I can't tell which one I'm supposed to be dealing with. They all have [something] in the brackets, 3 rax's & 1 rdx. I tried to use the one rdx line, & I couldn't pass. This is my first time trying today, but I couldn't tackle this yesterday after a few hours. I read that basic assembler tutorial (suggested by Cheat The Game) but I don't "know" assembler.
Is there a typo there or am I missing something?
-
I would guess to use the rdx line:
10002CB3C - 89 02 - mov [rdx],eax
since in Cheat The Game's tutorial, he said what's on the right side of the comma gets the action performed on what's in the brackets.
mov is the action taken.
The other 3 are all the same except for the address being slightly different.
10002CAC4 - 8B 00 - mov eax,[rax]
So if I'm assuming that one with rdx in the middle, rdx isn't a hex value.
"do a 4 byte scan in hexadecimal for the value the extra info told you."
There's a lot of info in the bottom part of the debugger window
5 addresses with info similar to the top half of the window,
& then a list going from RAX to R15 with long strings like "000000010002CB3E" after them.
I'm not sure which hex value the tutorial is talking about since it doesn't specify where to look.
-
If it helps, this is everything shown in the bottom part of the window when 10002CB3C - 89 02 - mov [rdx],eax is selected on the top.
Holy cow is it infuriating when I watch someone go through the tutorial, & they don't follow the directions but they pass the step.
In this video youtube /watch?v=yjdSxL2DWfE
He doesn't find what addresses the value, he finds what writes to the value.
Joined: 09 May 2003 Posts: 25806 Location: The netherlands
Posted: Sun Aug 25, 2019 12:13 am Post subject:
Find what accesses is correct
also, all 4 results should be similar. all have [reg] without offset
let's look at mov eax,[rax] (the worst of them)
you can read that as mov eax,[rax+0000000000000] , so the offset is 0. And that's all you really need but let's continue anyhow
as mentioned the register state is shown after execution so rax is useless
But since you did a find out what accesses on address XXXXXXXX, you know that RAX used to be XXXXXXXX-0
So the 8 byte value to scan for is XXXXXXXX-0. And NO, this will NOT make you go in an infinite loop because here you are looking for the value, not address
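The reasoning in the reply above, as an added worked example that is not from the forum thread or from Cheat Engine itself: a constructed 256-byte "process memory" image at a made-up base address holds a health field and, elsewhere, an 8-byte pointer to it. Reading `mov eax,[rax]` as `[rax+0]` gives the address rax held before the instruction ran (accessed address minus offset 0); scanning memory for that address as an 8-byte value finds the pointer slot rather than the health field, which is why the scan cannot loop. All addresses, offsets and values are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy 64-bit "process memory": 256 bytes pretending to start at
   FAKE_BASE. Every address, offset and value here is made up for the example. */
#define FAKE_BASE   0x10002C000ULL
#define MEM_SIZE    256
#define HEALTH_OFF  0x40   /* struct whose first field (offset 0) is health   */
#define PTR_SLOT    0x10   /* where an 8-byte pointer to that struct is stored */

static void write_qword_le(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static void write_dword_le(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint64_t read_qword_le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}
static uint32_t read_dword_le(const uint8_t *p) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* Build the constructed image: health = 100 at FAKE_BASE+0x40 and a pointer to
   that address at FAKE_BASE+0x10. The decoys give the scan something to ignore. */
static void build_memory(uint8_t mem[MEM_SIZE]) {
    memset(mem, 0, MEM_SIZE);
    write_dword_le(mem + HEALTH_OFF, 100);
    write_qword_le(mem + PTR_SLOT, FAKE_BASE + HEALTH_OFF);
    write_qword_le(mem + 0x80, 0x10002C0AAULL);   /* decoy: a different pointer  */
    write_dword_le(mem + 0x90, 100);               /* decoy: same value as health */
}

/* "mov eax,[rax]" is "[rax + 0]". The debugger shows registers after the
   instruction ran, so the usable fact is: rax was (accessed address - offset). */
static uint64_t target_from_instruction(uint64_t accessed_addr, uint64_t offset) {
    return accessed_addr - offset;
}

/* The step-6 scan: look for the 8-byte VALUE equal to that address at every
   4-byte aligned position. Fills hits[] with absolute addresses, returns count. */
static size_t scan_qword(const uint8_t *mem, size_t len, uint64_t value,
                         uint64_t base, uint64_t *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t off = 0; off + 8 <= len; off += 4) {
        if (read_qword_le(mem + off) == value && n < max_hits)
            hits[n++] = base + off;
    }
    return n;
}

/* Whole walkthrough on the constructed image. Returns the address of the
   pointer slot the scan found (the "P->" entry), or 0 unless exactly one hit. */
static uint64_t locate_pointer_slot(void) {
    uint8_t mem[MEM_SIZE];
    build_memory(mem);
    uint64_t accessed   = FAKE_BASE + HEALTH_OFF;   /* address "find what accesses" ran on */
    uint64_t rax_before = target_from_instruction(accessed, 0);
    uint64_t hits[8];
    size_t n = scan_qword(mem, MEM_SIZE, rax_before, FAKE_BASE, hits, 8);
    return n == 1 ? hits[0] : 0;
}

/* Follow the chain [slot] + offset -> health. The slot holds an address and the
   field holds 100, so scanning for the address value never hits the field. */
static uint32_t value_via_pointer(uint64_t slot_addr, uint64_t offset) {
    uint8_t mem[MEM_SIZE];
    build_memory(mem);
    uint64_t base = read_qword_le(mem + (slot_addr - FAKE_BASE));
    return read_dword_le(mem + (base + offset - FAKE_BASE));
}

int main(void) {
    uint64_t slot = locate_pointer_slot();
    printf("pointer slot at %llx -> health %u\n",
           (unsigned long long)slot, value_via_pointer(slot, 0));
    return 0;
}
```

With a non-zero offset (say `mov eax,[rax+10]`) the same code applies: subtract 0x10 from the accessed address before scanning, and add it back when dereferencing the slot.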
Posted: Sun Aug 25, 2019 8:08 am Post subject: Thanks
OOF, I had to read that a few times but I'm crawling closer to understanding this. The only thing I'm not 100% clear on is
But since you did a find out what accesses on address XXXXXXXX , you know that RAX used to be XXXXXXXX-0
I kept switching between writing & accessing but, I'll give this some more time today using the writes option only.
AAAAAAAAAGH almost there. I'm guessing Step 6 is such a beotch because it's the most valuable. Most of the tables I see have some sort of P-> value, so it looks like that's where the magic starts.