Let's make a memory based bot [T-1] [Disabling the client protection]

00:42:02
https://www.youtube.com/watch?v=WMlkC5L4UZk

Summary

TL;DR: Angelos from Elite PVP walks through configuring OllyDbg (ODbg) to disable the client protection in Conquer Online. The tutorial covers downloading and installing ODbg, setting hardware breakpoints, and patching an assembly instruction to bypass the game's anti-debugging check. After the patch, the game runs under the debugger without being terminated, which prepares viewers for the next tutorial on finding the function addresses the bot needs.

Key takeaways

  • 👨‍💻 Learn to use ODbg for debugging.
  • 🔍 Set hardware breakpoints to control execution.
  • 🛠️ Modify assembly instructions to bypass protections.
  • 💾 Always back up your files before modifying DLLs.
  • 🥇 Understand the stack and its significance in debugging.

Timeline

  • 00:00:00 - 00:05:00

    Introduction by Angelos from Elite PVP, discussing the disabling of the client protection with ODbg.

  • 00:05:00 - 00:10:00

    Detailed instructions on downloading and installing ODbg for debugging purposes, including configuration settings.

  • 00:10:00 - 00:15:00

    Explanation of opening Conquer.exe within ODbg, and the importance of letting the debugger finish analyzing the loaded modules.

  • 00:15:00 - 00:20:00

    Steps to set breakpoints and analyze the stack to trace the source of process termination within Conquer.exe.

  • 00:20:00 - 00:25:00

    Use of hardware breakpoints to monitor the ExitProcess call, leading to an understanding of the anti-debugging measures in the program.

  • 00:25:00 - 00:30:00

    Instructions on altering assembly code to bypass the exit process function for successful debugging without termination.

  • 00:30:00 - 00:35:00

    Explanation of saving the modifications to the executable and setting the correct directory for .udd files for ongoing debugging.

  • 00:35:00 - 00:42:02

    Closing remarks on successfully entering the game and preparing for the next tutorial focusing on memory-based address finding.



Video Q&A

  • What is ODbg?

    ODbg is a debugger used for analyzing and modifying the behavior of applications.

  • How do I disable the client protection in Conquer Online?

    You can disable the client protection by using a debugger like ODbg to analyze and modify the specific assembly instruction that leads to the ExitProcess call.

  • What are hardware breakpoints?

    Hardware breakpoints are breakpoints set within the debugger that pause execution when the specified address is executed or accessed; as the video notes, only four can be active at once.

  • Why do I need to back up my files when modifying DLLs?

    Backing up files prevents loss if modifications cause issues, allowing for easy restoration.

  • Can I skip certain segments of the tutorial?

    Yes, you can skip segments if you're already familiar with certain steps or concepts.

Transcript (English)
  • 00:00:00

    Hello geeks, this is Angelos from Elite PVP, recording tutorial one of the tutorial series "Let's make a memory based bot". Disabling the client protection, that's the subject of this tutorial. Probably it'll extend to part two, maybe, I'm not sure, we'll figure it out. Anyway, so the first thing I'm going to do is to disable the client protection. How to do so? We're going to do that step by step, and we're gonna do it using OllyDbg, AKA Olly. Now, for those who don't know what OllyDbg is, all you got to do is simply Google it. Google is your friend.
  • 00:00:48

    However, now, I already have it installed on my PC, but I'm just going to download it now and show you how to install it and do all that crap, and we'll get started. So I'm going to open my web browser and I'm going to type "OllyDbg 2.0" and I'm going to open the first link. Now, if you can find your way around on this page, all you got to do basically is just click right here where it says OllyDbg and your download should start. OK, now consider that I did hit OK and I saved it somewhere on my desktop, in a new folder, whatever, which is basically what I did. I already have it downloaded and ready right here. I'm just going to right-click, extract it to this folder, I'm just going to rename it real quick and I'm going to call it "olly", and then I'm going to open this folder. I'm going to right-click on ollydbg.exe, go to Properties and go to Compatibility and make sure it's running as an administrator under the privilege level. That's important, so you got to do that before you even start OllyDbg. However, now that I've done that, let me just fix my toolbar so it goes and hides.
  • 00:02:24

    OK, now that I've done that, I'm going to launch OllyDbg and I'm going to go to... you can either click this button here or you can just hit Alt+O on your keyboard and it'll open the same dialogue; you can also access it under Options here. Anyways, we're going to go under the Exceptions tab and we're going to check this checkbox right here where it says "Ignore also the following custom exceptions or ranges", and I'm going to Add range. Now we're going to leave this box as is and we're going to change this to... we can probably select from this list, which is... we're going to select the last exception in this list and we're going to hit OK. And I'm going to actually delete this; I'll just Add range and also leave this box as is and just type FFFFFFFF, so you got to type F eight times. I'm not going to explain what that means or does, however you got to figure it out on your own, you have a brain. So now that I've done that, I'm going to go under the Directories tab, and as you can see it has already copied the directory where we have Olly installed or extracted. So I'm just going to go to that directory, which is right here, and I'm going to right-click, create new folder, and I'm going to call this "UDDs", and a new folder and I'm going to call it "plugins". Now we're not going to be using plugins in this tutorial, we're going to do it all manually and we're just going to do it ourselves, but the UDDs folder, what the UDDs folder is needed for, is just basically for Olly to store all the .udd files that it'll create, and what those files contain is a lot of helpful information that Olly is going to collect along the line while you debug programs or attach to programs, and so basically the purpose of these files is to make your life easier. So just hit OK.
  • 00:05:00

    Now that we've done that, I think we're all set. Yeah, so the first step is to open Conquer.exe. Before we open Conquer.exe, now for those who had never worked with OllyDbg, I will not explain what all these buttons do and whatever; all you got to do simply is keep your mouse long enough on each button and it'll show you a helpful tip as to what that button does. So if you still don't understand stuff, all you got to do is also Google it; Google, again, is your friend. So I'll just click File, Open, and I have a clean installation of Conquer Online, and it already took me to that folder, I think because I've opened it earlier. Anyway, I'm going to navigate to my Conquer Online client folder and I'm going to find Conquer.exe and then I'm going to hit Open. Now you can see it analyzing down here, all these modules that Olly is analyzing; it'll just collect as much data as it needs and it'll save it in the .udd files when you close Olly, so I would recommend that you let it finish, it'll make your life easier. So while it's doing that crap...
  • 00:06:40

    I forgot what I was going to explain, never mind that. Anyway, I'll just pause the video until it's done. OK, now that Olly is done analyzing the modules, if you look at the lower right corner you'll notice that it says "Terminated". Basically OllyDbg is telling you this process was terminated somehow, so to figure out what terminated the process we're going to have to find our way around and find out what really terminated the process. And before we do so: this is just another check to stop you from opening Conquer.exe in OllyDbg, even though if we go to View, Executable modules, or hit Alt+E like this, you can see that we have basically all the modules needed to start Conquer Online or Conquer.exe, and if we select Conquer.exe and double-click on it, you can see that Olly takes us really to inside Conquer.exe and you can see the assembly code. That's not a really helpful thing, because as long as we can see the code I can find my way around and find out what really has changed, but for you, maybe there's some people out there that don't know what to do or where to go or what to look for; that's going to be kind of annoying. However, let's figure out what really killed our process. So the first thing I like to do is to analyze the stack and see what was the last thing that this program did before it terminated. So, this is again for those who don't know what all this nonsense on the screen is: this is your main CPU window, this is the registers window, this is the stack window, and this is the memory view or the memory dump. So we're going to head to the stack window and we're going to scroll down and see if we can find
  • 00:09:07

    something helpful. All right, now that I scroll down a little, I can see a call to kernel32.ExitProcess, so I need to know what the ExitProcess function does. Basically, I already know that the ExitProcess function is to kill the current process, so that's useful and I can start here. So what I'm going to do is just select this line where it says "RETURN from the .dll", blah blah blah; this is just a return address, so if I select it, left-click on it and then hit Enter, it'll take you straight into this function, and if you noticed, now we're inside the kernel32 module and straight inside the ExitProcess function. So what I'm going to do is I'm going to right-click and I'm going to go Breakpoint, Hardware breakpoint, and I'm going to make sure it's on Execution and I'm going to select slot two, and then I'm going to hit OK. What that does is just simply place a hardware breakpoint on this certain address that we right-clicked on. So now that I have done that, we need to make sure that we can actually hit this breakpoint before the process exits, or else it's useless. So let's just click on this button here; it'll restart the current process, and the breakpoint was triggered, and right now we are at the top of the ExitProcess function.
  • 00:11:00

    Now that my breakpoint was triggered, I'm going to go back to the stack and I'm going to check what really called this function; the stack can really help me. So I'll just go back to the stack and I'm going to click on the very first return address, and if you notice it says "RETURN from TQAnP to TQAnP". TQAnP is basically another DLL file that TQ team decided to add and to put some trap and anti-debugging shit inside it; we're going to simply bypass that. So I'm just going to left-click on it and then hit Enter; it'll take me straight into the TQAnP module, because this return address returns to this address, which is inside TQAnP. So, to analyze this module here, which is TQAnP, I'll just hit Ctrl+A on my keyboard. Now what this dialogue box is telling you basically is that this module contains sections of code that are either compressed or encrypted; we don't really care about that right now, just hit Yes. As you can see, the helpful stuff showed up after the analysis.
  • 00:12:18

    So now this return address returns to POP ECX at this address here, so right above it, one line up, it calls a certain address, and this address is also inside TQAnP. So basically this return address is to return from this call to this address here, so the program continues executing from this address here. So what I'm going to do is, one line above that return address, I'm going to right-click and I'm going to place a hardware breakpoint again, but I'm going to make sure slot one is selected, also on Execution, and I'm going to hit OK. Now I'm going to restart the program and hope that this breakpoint will be triggered. So, restart... yeah, I know. OK, and it did. However, let's hit Ctrl+A again to analyze the process, and what I'm going to do now is I'm going to hit F8. So what F8 basically does is step over the function; F7 is to step into the function. It's mentioned right here if you keep your mouse long enough, it'll show you what these buttons do. So get used to using the shortcuts because it's really useful, it'll make everything faster; you don't have to keep clicking buttons here.
  • 00:13:56

    However, now, when I hit F8, basically the program is going to go inside this call, execute this code right here, and then return at this return address here. Anyway, so if somewhere along any of these lines the ExitProcess function was called, what basically is going to happen is that my second breakpoint, which is now placed on the ExitProcess function, will be triggered. But if nothing happened and the program executed all this code and then returned, and the breakpoint was not triggered, I know that it did not call it. So I'm going to hit the star (*) key on my keyboard to go back to where the current pointer for the debugger is, and I'm going to hit F8. Now, as you can see, no breakpoints were triggered, nothing happened, so I know it did not really call that ExitProcess function. So I right-click here, Breakpoint, and I can safely delete this hardware breakpoint so I can use it somewhere else, because all you can use is four hardware breakpoints; you can't set more than four, so we got to keep it limited. Anyway, so I'm going to keep on with the F8 right now; I'm going to hit F8, F8, and continue with the process until I find something interesting, something useful. So, continue. Now it decided to jump and discard all of this, ignore it, just jump. Now it's in the process of returning; now it returns. OK, now this function did not really call ExitProcess. Now remember that we were tracing the process execution backwards.
  • 00:15:59

    The stack works backwards. If you're going to use the stack to analyze stuff, you can't go upwards and start from here, no, because the stack address... imagine the stack address like a... I don't know how to give you an example for that, but it's like a stack of towels. If you have a stack of towels and you keep stacking towels on top of each other, you're not just going to go into the middle of that stack and just pull one towel, because it'll all fall apart; you're just going to have to grab the first one on top. So basically that's what the stack is, first in first out. So now that we know that, that's the reason that we're supposed to trace backwards. Anyway, so I'm going to continue with the F8 again, F8, F8. Now it's pushing the arguments. I know that with these arguments the function can do something, but I don't know what that thing is, so what I'm going to do is just right-click again, Breakpoint, Hardware breakpoint, and I'm going to make sure it's on Execution, slot one, and I'm going to hit OK.
  • 00:17:22

    Now if I hit F8 again, if the ExitProcess function was called, my second breakpoint will be triggered. So let's hit F8. Now we can see that it did trigger that breakpoint and the ExitProcess function was called, so now we know that this call here, where my second hardware breakpoint is, really calls ExitProcess somewhere along the line. So I'll restart my process and Olly will take me straight back to this breakpoint here, which is really useful and it'll keep you on track without having to retrace the whole thing from square one, or square zero, whatever the term is. Anyway, so now that I'm here, I'm going to hit F7 to step into this function, but before I do that I'm going to right-click, Breakpoint, Hardware breakpoint, and delete this breakpoint so we can use it somewhere else, and I'm going to hit F7. Now I'm inside that call. OK, so what this call does basically is it moves a DWORD value from the stack, which is the argument, argument two; the value right now equals one, so it's going to move one into EAX, which is currently one,
  • 00:19:02

    so nothing will change. And then it'll subtract it by one, subtract EAX by one, and then this subtracting process sets the bit flags here; I don't really recall which bit flags, I think it's P or Z, and then it checks whether P or Z equals one or zero, and it jumps accordingly. So we're not going to really bother with that; you can Google it if you want to really know what that does, but let's continue with the F8. Now EAX is still one, nothing has changed; now subtract EAX by one, EAX becomes zero, and then, as you can see here, it says "Jump is not taken". So with the jump not taken; JNZ basically stands for jump not zero, jump not zero. Again, like I said, it compares the bit flags here, I'm not sure whether it's P or Z, but it checks whether it's one or zero and it jumps accordingly. So what we understand from this process here, from these six lines, is that it either jumps to this address here, you can see this little arrow right here, it either jumps, or it doesn't and it calls this address and this address, and then it continues and returns. So what we're going to do is, right underneath this jump right here, we're going to set a hardware breakpoint.
  • 00:21:02

    Again, make sure it's on Execution, slot one, hit OK. And the reason we did that and we didn't set the breakpoint here or here is to make sure that it's really executing or calling these two addresses; if it's not, then it's useless. And like for me right now, I'm sure that it's calling this call or this call, or both of them actually, because if it didn't, there's nothing else to call the ExitProcess function. So what I'm going to do is I'm going to hit F8, and I'm going to hit F8 again. Boom, the ExitProcess function really was called. So let's restart our process, it'll take us... oops, what just happened? OK, I think our hardware breakpoint went poof. Yes it did. Anyway, I'm going to delete this... OK, delete, and I'm going to return here, and this one returns. OK, I'll fix this by tracing the whole thing all over again. I guess I'm going to have to do that; I don't know why that breakpoint disappeared, but oh well. So I'm going to do the whole process all over again; you don't have to watch this, you can skip this if you are not interested. So again I'm going to set a breakpoint, actually yes, I can set it here, hardware breakpoint, OK, and I'm going to restart the process. My breakpoint was triggered, I can right-click, delete, and then continue executing this function until return, and if you remember, this is the function that we were inside. Right now I'm going to hit F7, it'll take me inside that call, and then again I'm right where we left off.
  • 00:23:26

    So now that we know that this call right here called the ExitProcess function, we're going to try and do what the program does sometimes, which is discarding these two calls and jumping straight to MOV EAX,1 and then return. So how do we do that? We do that by simply double-clicking this line right here, the JNZ instruction, and then we're going to change it from JNZ into JMP. JMP stands for jump; jump doesn't check for any conditions, any bit flags, it just jumps wherever you tell it to jump. So with that said, we're going to Assemble; that will edit the code, modify it to what we told it to do, and then we are going to test this program and see if it'll terminate or not, and we do that by simply hitting the play button here, which will continue executing our process normally. So let's click that, or before we click that, you might want to just highlight this, right-click, Edit, and then Copy as table, and you can then open Notepad and then you can paste it here, and as you can see it'll copy the address of each instruction and the assembly instructions and the binary code for each assembly instruction. So you can keep that for later use, or maybe if you lost your way, or if you're tracing it and your breakpoint was gone, just like what happened to us right now, you can go back to this module here, TQAnP, and find this function based on the address right here, or you can simply right-click, Search for, and you're going to search for a sequence of commands.
  • 00:25:45

    So what we're going to do is simply play the program. Boom, as you can see right here it says "Conquer: module entry point", so we are inside the module entry point and the process did not really terminate, so that's really good, and what that tells us is that we did really bypass that ExitProcess function and what it did. So, as long as that works, let's just restart our process, and we want to make those changes that we just made permanent. So now that I know what to change and where to change it, I can simply go to View, Executable modules, or hit Alt+E on your keyboard; it'll open this dialogue for you, this window, and instead of Conquer.exe you're going to select TQAnP.dll. You hit Enter, it'll take you inside this module, hit Ctrl+A to analyze it, retrace it back; that's really easier to do. So we're at the ExitProcess function again, we click right here, it'll take us back here. I'm going to straight set the breakpoint on the return address right here, so Breakpoint, Hardware breakpoint, slot one, OK, restart, and then I'm going to trace it back again. OK, this is the function that we need to edit. Now I'm going to double-click on this again, change it to JMP instead of JNZ, and I'm going to click Assemble, and with that done, I'm going to left-click on that line that we just changed, I'm going to right-click, Edit, and I'm going to Copy to executable.
  • 00:28:04
    so that's just going to tell you to that
  • 00:28:08
    you did some modifications and you need
  • 00:28:10
    to save them I'm going to ignore this
  • 00:28:12
    box and I'm not going to display it
  • 00:28:14
    anymore I'm hit okay and right now what
  • 00:28:17
    we're doing is we're saving our work
  • 00:28:20
    we're saving our edits and modifications
  • 00:28:23
    so to save that you're going to click
  • 00:28:25
    the x button right here it'll ask you if
  • 00:28:27
    you want to save save it hit yes it'll
  • 00:28:29
    open the same directory where your
  • 00:28:31
    conquer exe exists so all you need to do
  • 00:28:35
    is hit save and as you can see it'll
  • 00:28:37
    give it the same name too so excuse
  • 00:28:41
    me we're just going to hit save It'll
  • 00:28:45
    ask you if you want to replace
  • 00:28:48
    the current DLL file and you're going to
  • 00:28:50
    hit yes so with that done let's try and
  • 00:28:54
    restart our process and see what's going
  • 00:28:56
    to happen
  • 00:28:59
    okay this is because I didn't delete my
  • 00:29:03
    breakpoint which is stupid so let's
  • 00:29:05
    just delete it and continue running the
  • 00:29:09
    process as you can see everything worked
  • 00:29:12
    just fine and right now we're inside
  • 00:29:15
    we're at the module entry point so if
  • 00:29:18
    we hit play and continue running the
  • 00:29:21
    process it'll finish analyzing those
  • 00:29:23
    modules inside this process and it should
  • 00:29:27
    pop the
  • 00:29:28
    dialog that asks us to run play.exe
  • 00:29:32
    that's only in case if everything worked
  • 00:29:35
    as
  • 00:29:37
    intended so we're waiting for that
  • 00:29:40
    message
  • 00:29:42
    box there it is which is cool now I'm
  • 00:29:47
    going to
  • 00:29:49
    terminate Conquer.exe as you can see
  • 00:29:52
    it'll
  • 00:29:53
    still do that crap and then it'll save
  • 00:29:56
    all the UDD files so if we go back
  • 00:29:59
    into Olly, UDD files, oh
  • 00:30:03
    why did it save them
  • 00:30:06
    here it was supposed to save them inside
  • 00:30:09
    this
  • 00:30:11
    folder so let's go back and check it
  • 00:30:16
    out oh I'm
  • 00:30:18
    sorry the reason
  • 00:30:21
    is that I did
  • 00:30:24
    not set the directories and we're going
  • 00:30:28
    to set them
  • 00:30:30
    now we're going to set the ud files
  • 00:30:35
    directory we're going to click here
  • 00:30:37
    select the UDD files folder that we
  • 00:30:40
    created earlier hit okay and then we're
  • 00:30:43
    going to select the plugins folders that
  • 00:30:45
    we created earlier hit okay then hit
  • 00:30:48
    okay what that will do is
  • 00:30:52
    though all these UDD files were supposed
  • 00:30:56
    to be inside
  • 00:30:59
    the UDD files folder or the folder that we
  • 00:31:02
    just created so I'll just move them
  • 00:31:05
    inside that folder now we're
  • 00:31:09
    done okay with that done there's a
  • 00:31:14
    second problem that we're going to
  • 00:31:17
    face which is if we run or play Conquer
  • 00:31:23
    Online and then we try to attach to it
  • 00:31:26
    and then log into the game
  • 00:31:30
    what will happen is that it'll also
  • 00:31:34
    terminate the process so if we play
  • 00:31:37
    Conquer.exe go to File, Attach and then
  • 00:31:41
    you're going to find Conquer.exe
  • 00:31:44
    hit
  • 00:31:46
    attach and then it'll probably load all
  • 00:31:51
    the way and I'm going to pause the video
  • 00:31:54
    until it's done
  • 00:32:00
    okay now that Olly is done analyzing those
  • 00:32:05
    modules as you can see it'll break
  • 00:32:09
    somewhere inside the process and now it
  • 00:32:12
    chose to break inside user32 so
  • 00:32:17
    what I'm going to do is I'm just going
  • 00:32:19
    to hold the shift button and I'm going
  • 00:32:22
    to hit F9 and it should
  • 00:32:26
    continue running the process and as you
  • 00:32:28
    can see It'll say running right here so
  • 00:32:33
    ignore those access violation
  • 00:32:38
    exceptions because as you can see if you
  • 00:32:40
    open the log here it'll just keep on and
  • 00:32:44
    on and on and on it'll never stop
  • 00:32:47
    however I don't know why but it's just
  • 00:32:50
    doing it I don't really care anyway if
  • 00:32:53
    we switch to Conquer.exe you can see
  • 00:32:56
    that the process is running and
  • 00:32:58
    everything works just fine so let's try
  • 00:33:00
    and log
  • 00:33:02
    in let me check if I can remember an
  • 00:33:08
    account okay
  • 00:33:13
    live oh my God this annoying
  • 00:33:17
    message it's just it pops up
  • 00:33:20
    every single time I try to log
  • 00:33:26
    in okay now it's trying to log
  • 00:33:29
    in and
  • 00:33:32
    again as you can see our breakpoint on
  • 00:33:38
    ExitProcess, the ExitProcess function,
  • 00:33:41
    was triggered meaning this process is
  • 00:33:44
    trying to terminate
  • 00:33:46
    itself so again we're going to go back
  • 00:33:50
    to my favorite thing which is this
  • 00:33:54
    stack as you can see another call into
  • 00:33:58
    kernel32 ExitProcess, called from
  • 00:34:01
    the anti-robot client blah blah
  • 00:34:05
    blah so the exit code is zero we don't
  • 00:34:08
    care about that
  • 00:34:11
    now what this tells us that somewhere
  • 00:34:14
    inside this DLL file here, the anti
  • 00:34:18
    robot
  • 00:34:20
    client, the ExitProcess function is
  • 00:34:23
    being called for some reason probably it
  • 00:34:25
    detected that we're using a
  • 00:34:27
    debugger or something like that and it
  • 00:34:29
    wants to terminate the process so what
  • 00:34:31
    we're going to do is
  • 00:34:32
    just uh basically go to this line here
  • 00:34:37
    and as you can see it says return from
  • 00:34:39
    anti-robot client to anti-robot client so
  • 00:34:42
    what that tells us is that the anti-robot
  • 00:34:44
    client is calling function inside itself
  • 00:34:47
    and let's go and check what that
  • 00:34:48
    function is so select it and hit enter
  • 00:34:52
    and it'll take you straight into anti
  • 00:34:54
    blah blah blah so as you can see uh I
  • 00:35:00
    mean like I said earlier this address
  • 00:35:03
    here right here is the address as to
  • 00:35:07
    where this stack address here will
  • 00:35:10
    return so as you can see it says
  • 00:35:13
    return to blah blah blah from blah blah
  • 00:35:15
    blah so if you compare those addresses
  • 00:35:18
    this address is equal to this address so
  • 00:35:21
    we know that it'll return into this
  • 00:35:25
    instruction here and then execute it and
  • 00:35:27
    then continue executing these
  • 00:35:31
    instructions and then return so now that
  • 00:35:34
    now that we know
  • 00:35:37
    it's supposed to return to this
  • 00:35:41
    instruction, we know that
  • 00:35:44
    the call above it is what called this
  • 00:35:47
    function so this is the return address
  • 00:35:49
    for this call so we go one line up right
  • 00:35:54
    click breakpoint hardware breakpoint
  • 00:35:58
    slot one on execution
  • 00:36:00
    okay now let's
  • 00:36:04
    you can either restart the whole
  • 00:36:08
    process restart Conquer Online and then
  • 00:36:11
    reattach it and then let it run and
  • 00:36:15
    log in until this breakpoint hits and
  • 00:36:18
    then we can go inside this function and
  • 00:36:20
    see what it's doing or we can simply
  • 00:36:23
    just click on that function let's
  • 00:36:27
    go back to it click on this
  • 00:36:29
    call and then hit enter it'll take
  • 00:36:32
    you inside this function right here
  • 00:36:36
    so if you look
  • 00:36:38
    closely this function is calling this
  • 00:36:42
    address here anti-robot client blah blah
  • 00:36:45
    blah we don't know what it does and then
  • 00:36:47
    right after it calls that address and
  • 00:36:50
    returns, pops ECX, pushes the
  • 00:36:54
    exit code and
  • 00:36:57
    then kills the process so basically this
  • 00:37:00
    function is a certain kill for the
  • 00:37:04
    process this function will never
  • 00:37:07
    return any other results other than
  • 00:37:11
    killing the process so this is bad we
  • 00:37:14
    don't want this function at all so again
  • 00:37:17
    click on this line go back so we're here
  • 00:37:21
    and I don't want to restart the whole
  • 00:37:23
    thing so I'll just delete this
  • 00:37:25
    breakpoint here
  • 00:37:28
    and what I'll do is check what called
  • 00:37:32
    this whole function here right here from
  • 00:37:35
    the start of the function
  • 00:37:39
    until the return so we need to know what
  • 00:37:42
    called it to know that all we do is just
  • 00:37:45
    go back to the stack and find the second
  • 00:37:49
    return address underneath this which
  • 00:37:52
    will be this address as you can see
  • 00:37:55
    return also from tqp to
  • 00:38:00
    tq& so let's select this line left click
  • 00:38:03
    on it and then hit enter it'll take you
  • 00:38:06
    to the function where it's been called
  • 00:38:09
    what I'm going to do I'm going to take a
  • 00:38:10
    wild guess and I don't recommend
  • 00:38:14
    that you do that every time but I'm just
  • 00:38:17
    guessing that this function right here
  • 00:38:20
    goes in checks for the processes checks
  • 00:38:23
    maybe for the IsDebuggerPresent
  • 00:38:26
    function and then if yes it kills the
  • 00:38:28
    process, if no it returns and it continues
  • 00:38:31
    so what I'm going to do is just right
  • 00:38:33
    click on it, Edit, Fill with NOPs and
  • 00:38:38
    then I'm going to save this permanently
  • 00:38:41
    and then try and run the
  • 00:38:43
    process so one thing that I've never
  • 00:38:46
    mentioned back up your files back up
  • 00:38:49
    your dlls now you know you're inside
  • 00:38:52
    anti-robot
  • 00:38:56
    client.dll all you got to do is go into
  • 00:39:00
    your client folder copy the anti-robot client DLL
  • 00:39:03
    somewhere else and then paste it so
  • 00:39:08
    you can replace this file if you damage
  • 00:39:11
    it
  • 00:39:13
    so that's what I would do because if you
  • 00:39:16
    don't know what you're doing you can't
  • 00:39:18
    really restore this stuff and unless
  • 00:39:21
    you're going to re-patch your client
  • 00:39:22
    from I don't know which version anyway
  • 00:39:28
    so now that I've set these NOPs I want to
  • 00:39:31
    save it permanently so right click edit
  • 00:39:35
    copy to
  • 00:39:36
    executable and I'm going to hit the x
  • 00:39:38
    button here and it'll ask me if I want
  • 00:39:40
    to save it I'll hit yes and again
  • 00:39:44
    it'll take you into your Conquer client
  • 00:39:48
    directory and it'll give you the name of
  • 00:39:50
    the module just hit save replace it yes
  • 00:39:55
    and then I'm going to kill the process
  • 00:39:58
    and all the book yes I know
  • 00:40:01
    that now if we try and
  • 00:40:04
    run Conquer.
  • 00:40:09
    exe and then we go
  • 00:40:12
    back and run OllyDbg and then File,
  • 00:40:19
    Attach, Conquer.exe,
  • 00:40:24
    Attach, hit Shift+F9, continue running the
  • 00:40:31
    process wait until it's all the way in
  • 00:40:34
    okay it's running as you can see now I
  • 00:40:37
    can go back switch to conquer and try
  • 00:40:39
    and log
  • 00:40:48
    in okay let's hope it'll
  • 00:40:52
    work boom everything works just as
  • 00:40:56
    intended and we're inside the game so
  • 00:41:00
    that's
  • 00:41:02
    cool oh
  • 00:41:05
    boy oh
  • 00:41:09
    boy this game is it went it
  • 00:41:14
    went it's just horrible nothing is
  • 00:41:17
    playable in that game anymore
  • 00:41:20
    anyway now that we've done that we have
  • 00:41:24
    all the access we need to
  • 00:41:27
    modify Conquer Online to find the
  • 00:41:30
    functions that we want to find and to
  • 00:41:33
    build our memory based bot so in the
  • 00:41:36
    next tutorial we'll be dealing with
  • 00:41:40
    finding the addresses maybe and finding
  • 00:41:42
    the addresses of functions that you need
  • 00:41:44
    to use in your memory based bot so I
  • 00:41:49
    think that's it for this tutorial and I
  • 00:41:52
    hope I didn't make it very long I
  • 00:41:55
    think it's very long by now so until the
  • 00:41:58
    next tutorial be safe
Tags
  • conquer online
  • debugging
  • ODbg
  • anti-debugging
  • memory editing
  • gaming
  • tutorial
  • DLL
  • hardware breakpoints
  • assembly instructions