ODbg is a debugger used for analyzing and modifying the behavior of applications.

How do I disable decline protection in Conquer Online?

You can disable decline protection by using a debugger like ODbg to analyze and modify specific assembly instructions.

What are hardware breakpoints?

Hardware breakpoints are triggers set within the debugger that pause execution when the specified condition is met.

Why do I need to back up my files when modifying DLLs?

Backing up files prevents loss if modifications cause issues, allowing for easy restoration.

Can I skip certain segments of the tutorial?

Yes, you can skip segments if you're already familiar with certain steps or concepts.

Lets make a memory based bot [T-1][Disabling the client protection]

00:42:02

https://www.youtube.com/watch?v=WMlkC5L4UZk

Resumo

TLDRAngelos from Elite PVP covers the process of configuring ODbg to disable decline protection in Conquer Online. The tutorial involves detailed steps for downloading and installing ODbg, setting hardware breakpoints, and modifying assembly instructions to bypass anti-debugging features of the game. After the configuration, users are able to run the game without it terminating due to protective measures, and are prepared for future tutorials on finding necessary function addresses.

Conclusões

👨‍💻 Learn to use ODbg for debugging.
🔍 Set hardware breakpoints to control execution.
🛠️ Modify assembly instructions to bypass protections.
💾 Always back up your files before modifying DLLs.
🥇 Understand the stack and its significance in debugging.

Linha do tempo

00:00:00 - 00:05:00
Introduction by Angelos from Elite PVP, discussing the disabling of decline protection with ODbg.
00:05:00 - 00:10:00
Detailed instructions on downloading and installing ODbg for debugging purposes, including configuration settings.
00:10:00 - 00:15:00
Explanation of opening the Conquer.exe within ODbg, and the importance of analyzing debug modules and their processes.
00:15:00 - 00:20:00
Steps to set breakpoints and analyze the stack to trace the source of process termination within Conquer.exe.
00:20:00 - 00:25:00
Use of hardware breakpoints to monitor the exit process call, leading to understanding anti-debugging measures in the program.
00:25:00 - 00:30:00
Instructions on altering assembly code to bypass the exit process function for successful debugging without termination.
00:30:00 - 00:35:00
Explanation of saving modifications to the executable and setting the correct directory for ud files for ongoing debugging.
00:35:00 - 00:42:02
Closing remarks on successfully entering the game and preparing for the next tutorial focusing on memory-based address finding.

Mostrar mais

Mapa mental

Vídeo de perguntas e respostas

What is ODbg?
ODbg is a debugger used for analyzing and modifying the behavior of applications.
How do I disable decline protection in Conquer Online?
You can disable decline protection by using a debugger like ODbg to analyze and modify specific assembly instructions.
What are hardware breakpoints?
Hardware breakpoints are triggers set within the debugger that pause execution when the specified condition is met.
Why do I need to back up my files when modifying DLLs?
Backing up files prevents loss if modifications cause issues, allowing for easy restoration.
Can I skip certain segments of the tutorial?
Yes, you can skip segments if you're already familiar with certain steps or concepts.

Ver mais resumos de vídeos

Obtenha acesso instantâneo a resumos gratuitos de vídeos do YouTube com tecnologia de IA!

Legendas

Rolagem automática:

00:00:00
hello Geeks this is Angelos from Elite
00:00:02
PVP recording tutorial one of the
00:00:05
tutorial series let's make a memory
00:00:07
based
00:00:08
bar so disabling decline protection
00:00:11
that's the subject of this
00:00:13
tutorial probably it'll extend to part
00:00:16
two maybe I'm not sure we'll we'll
00:00:18
figure it out anyway so the first thing
00:00:21
I'm going to do is to disable decline
00:00:24
protection how to do so we're going to
00:00:27
do that uh we're gonna like do it step
00:00:30
by step and we're GNA do it using o
00:00:33
debug AKA o
00:00:36
dbg now for you for those who doesn't
00:00:40
know what ol debug is all you got to do
00:00:43
is simply Google it Google is your
00:00:46
friend
00:00:48
however now uh I uh I already have it
00:00:53
installed on my PC but I'm just going to
00:00:56
download it now and show you
00:01:00
how to install it and do all that crap
00:01:03
and we'll get started so I'm going to
00:01:06
open my web browser and I'm going to
00:01:08
type O dbg
00:01:11
2.0 and I'm going to open the first link
00:01:15
and I'm going to now if you can find
00:01:18
your way around on this page all you got
00:01:20
to do basically is just click right here
00:01:22
where it says all the dbg and your
00:01:24
download should start okay now that
00:01:28
consider that I did hit okay and I saved
00:01:31
it somewhere on my desktop on in a new
00:01:34
folder
00:01:35
whatever which
00:01:38
is basically what I did I already have
00:01:40
it downloaded in ready right here I'm
00:01:43
just going to right click extract it to
00:01:45
this folder I'm just going to rename it
00:01:47
real quick and I'm going to call it ol
00:01:50
and then I'm going to open this folder
00:01:52
I'm going to right click on uh all uh
00:01:56
dbg exe go to properties and go to
00:02:01
compatibility and make sure it's running
00:02:04
as an administrator under the prevent
00:02:07
level that's important so you got to do
00:02:10
that and before you even start all the
00:02:13
de however now that I've done that let
00:02:17
me just fix my uh toolbar so it Go of
00:02:22
HIDs
00:02:24
okay now that that I've done that I'm
00:02:26
going to launch all the debug and I'm
00:02:30
going to go to you can either click this
00:02:33
button here or you can just hit alt o on
00:02:37
your keyboard and it'll open the same
00:02:40
dialogue you can also access it under
00:02:42
options here anyways we're going to go
00:02:45
under exceptions Tab and we're going to
00:02:48
hit or check this check box right here
00:02:51
where it says ignore also the following
00:02:53
custom exceptions or ranges and I'm
00:02:56
going to add
00:02:58
range now we're going going to leave
00:03:00
this box as As and we're going to change
00:03:03
this to uh we can probably select from
00:03:07
this list which is we're going to select
00:03:11
the last exception in this list and
00:03:15
we're going to hit
00:03:17
okay and I'm going
00:03:20
to actually delete this I'll just add
00:03:24
range and also leave this box as is and
00:03:28
just type f f FF FF FF so you got to
00:03:34
type f eight times I'm not going to
00:03:36
explain what that mean or does however
00:03:39
you got to figure it out on your own you
00:03:41
have a brain so now that I've done that
00:03:45
I'm going to go under the directories
00:03:48
Tab
00:03:50
and as you can see it has already copied
00:03:54
the directory where we have uh o
00:03:58
installed or extracted
00:04:00
so I'm just going to go to that
00:04:02
directory which is right here and I'm
00:04:05
going to right click create new folder
00:04:08
and I'm going to call this
00:04:11
UDS and uh a new folder and I'm going
00:04:16
call it
00:04:18
plugins now we're not going to be using
00:04:21
plugins in this tutorial we're going to
00:04:23
do it all
00:04:24
manual and we're just going to do it
00:04:27
ourselves but the UDS folder what the
00:04:32
udds folder is needed for is just just
00:04:35
basically for o to install all the ud
00:04:38
files that'll create and what those
00:04:40
files contain is a lot of helpful
00:04:43
information that all day is going to
00:04:46
collect uh along the line while you
00:04:49
debug programs or attach to programs and
00:04:52
so basically the purpose of these
00:04:56
files to make your life easier so just
00:04:58
hit okay
00:05:00
now that we've done that uh I think
00:05:02
we're all set yeah so the first step is
00:05:08
to uh open conquer. exe before we open
00:05:14
conquer. exe now for those who had never
00:05:18
worked with all debug I will not explain
00:05:22
what all these button does and whatever
00:05:24
all you got to do simply is keep your
00:05:26
mouse long enough on each button and
00:05:30
it'll show you a helpful t as to what
00:05:33
that button does
00:05:37
so if you still don't understand stuff
00:05:41
all you got to do is also Google it
00:05:43
Google and again is your friend so I'll
00:05:47
just click file open and I have a clean
00:05:51
installation of conquer. Conquer Online
00:05:54
and uh it'll it already took me to that
00:05:58
folder already I think because I've
00:06:02
opened it earlier anyway and I'm going
00:06:05
to navigate to my Conquer Online client
00:06:07
folder and I'm going to find conquer.
00:06:09
exe and then I'm going to head open now
00:06:14
you can see it analyzing down here
00:06:17
all these modules that the that o is
00:06:21
analyzing it'll just collect as much
00:06:24
data as it needs and it'll save it in
00:06:26
the ud files when you CL close uh allb
00:06:29
so I would recommend that you let it
00:06:31
finish it'll make your life easier
00:06:34
so uh while it's doing that
00:06:38
crap
00:06:40
uh I forgot what I was going to explain
00:06:44
never mind that anyway I'll just pause
00:06:46
the video until it's done okay now that
00:06:49
all is done analyzing the
00:06:52
models we uh if if you look at the lower
00:06:56
right corner you'll notice that it says
00:06:58
terminated basically all the bug is
00:07:01
telling you this process was terminated
00:07:04
somehow so to figure out what terminated
00:07:08
the process we're going to have to uh
00:07:10
find our way around and find out what
00:07:13
really uh terminated the process and
00:07:18
uh to do so before we do so uh this
00:07:25
is uh just uh another check to stop you
00:07:30
from opening conquer. exe in olug even
00:07:35
though if we go to view executable
00:07:37
models or hit
00:07:40
L like this you can see that we have
00:07:46
basically uh all the models needed to uh
00:07:52
start Conquer Online or conquer. exe and
00:07:56
if we select conquer. exe double click
00:07:58
on it you can see that all take us
00:08:01
really to inside the uh conquer exe and
00:08:04
you can see the assembly
00:08:06
code that's not a really helpful thing
00:08:10
because as long as we can see the code I
00:08:13
can find my way way around and find out
00:08:16
what really has
00:08:17
changed but for you maybe there's some
00:08:20
people out there that doesn't know what
00:08:22
to do or where to go or what to look for
00:08:26
that's going to be kind of like annoying
00:08:28
however let's figure out what really uh
00:08:31
killed our process so first thing I like
00:08:33
to do is to analyze the stack and see
00:08:37
what was the last thing that this
00:08:39
program uh did before it it terminates
00:08:43
so we're this is again for those who
00:08:46
doesn't know what uh these all this
00:08:50
nonsense on the screen is this is your
00:08:52
main CPU window and this is the
00:08:54
registered window this is the stack
00:08:56
window and this is the uh memory View or
00:08:59
me the memory dump so we're going to
00:09:03
head to the stack window and we're going
00:09:05
to scroll down and see if we can find
00:09:07
something helpful all right now
00:09:11
that I scroll down a little and I can
00:09:14
see uh a call
00:09:16
to Kernel
00:09:18
32. exit process so I need to know what
00:09:23
the exit process function does basically
00:09:27
uh I I I already know that the exit
00:09:30
process function is to kill the the
00:09:32
current process so that's useful and I
00:09:35
can like start here so what I'm going to
00:09:39
do is just select this line where it
00:09:41
says return from Red dll blah blah blah
00:09:45
this is just a return address so if I
00:09:47
select it click on it left click on it
00:09:51
and then click enter it'll take you
00:09:52
straight into this function and if you
00:09:54
notied now we're inside the kernel 32
00:09:57
model and uh
00:10:00
straight inside the exit process
00:10:03
function so what I'm going to do is just
00:10:06
I'm going to right click and I'm going
00:10:08
to go breakpoint hardware breakpoint and
00:10:12
I'm going to make sure it's on execution
00:10:14
and I'm going to select slot two and
00:10:16
then I'm going to hit okay what that
00:10:18
does is is just simply place a hardware
00:10:22
breakpoint on the this certain address
00:10:25
that we right clicked on so now that
00:10:29
I've have done that uh we need to make
00:10:32
sure that we can actually hit this break
00:10:35
point before the process exits or else
00:10:39
it's useless so let's just click on this
00:10:42
button here it'll restart the the corent
00:10:47
process and the break point was
00:10:50
triggered and it right now we are at the
00:10:55
top of the exit process function now
00:11:00
now that uh my breakpoint was triggered
00:11:02
I'm going to go back to the stack and
00:11:04
I'm going to check what really call this
00:11:07
function the stack uh really can really
00:11:10
help me so I'll just go back to this
00:11:12
stack and I'm going to click on the very
00:11:15
first return address and if you notice
00:11:17
it says return from TQ and P to TQ and P
00:11:21
TQ and P is basically another D file
00:11:25
that TQ team decided to add and it to
00:11:28
put some trap and anti-debugging shed
00:11:31
inside it we're going to Simply bypass
00:11:34
that so I'm just going to click on it
00:11:35
left click on it and then hit enter
00:11:38
it'll take me straight into tq& model
00:11:40
because this return address returns to
00:11:43
this address which is the which is
00:11:45
inside the
00:11:47
tq& so to analyze this model here which
00:11:52
is tq& p and uh I'll just click I'll
00:11:56
just hit control a on my keyboard board
00:12:00
now what this dialogue box is telling
00:12:02
you basically is that this model
00:12:05
contains sections of code that are
00:12:07
either compressed or encrypted we don't
00:12:09
really care about that right now just
00:12:11
hit
00:12:12
yes as you can see the helpful stuff
00:12:15
showed up after the analysis
00:12:18
so now this return address returns to
00:12:21
pop ECX at this address here so Above It
00:12:26
Right Above It one line it says it it
00:12:29
calls a certain address and this address
00:12:32
is also inside tq&
00:12:35
so basically this return address is to
00:12:38
return from this call to this address
00:12:41
here so the program continues executing
00:12:44
at from this address here so what I'm
00:12:48
going to do is one line above that
00:12:50
return address and I'm going to right
00:12:52
click uh and I'm going to place a
00:12:54
hardware break point again but I'm going
00:12:56
to make sure the slot one selected also
00:13:00
on execution and I'm going to hit
00:13:02
okay now I'm going to restart the
00:13:05
program and hope that this breakpoint
00:13:08
will trigger will be triggered so
00:13:11
restart yeah I know
00:13:15
okay and it did however let's click
00:13:20
let's hit contrl a again to analyze the
00:13:23
process and what I'm going to do now is
00:13:26
I'm going to hit f8 so f8 what what f8
00:13:30
basically does is step over the function
00:13:33
F7 to step into the function it's
00:13:35
mentioned right here if
00:13:37
you keep your mouse long enough it'll
00:13:40
show you what these buttons does
00:13:44
so get used to using the shortcuts
00:13:46
because it's really uh useful it'll make
00:13:51
everything faster you don't have to keep
00:13:53
clicking buttons here and
00:13:56
however now uh when I have
00:13:59
f8 basically the program is going to is
00:14:02
going to go inside this call execute
00:14:05
this C code right here and then return
00:14:08
at this this uh return address here
00:14:11
return here anyway so if somewhere along
00:14:17
any of these lines the exit process
00:14:19
function was uh
00:14:22
called what basically is going to happen
00:14:25
is that my second break point which is
00:14:28
now placed on the exit process function
00:14:30
will be triggered but if nothing
00:14:32
happened and the program executed all
00:14:36
this code and then returned and the
00:14:38
break point was not triggered I know
00:14:41
that it did not call it so I'm going to
00:14:44
hit the star button on my keyboard to go
00:14:48
back to where the current pointer for
00:14:51
the debugger
00:14:53
is and uh I'm going to hit
00:14:56
f8 now as you can see no break points
00:15:01
were triggered nothing happened so I
00:15:02
know it did not really call that exit
00:15:05
process function so I right click here
00:15:08
breakpoint and I can safely delete this
00:15:10
Hardware breakpoint so I can use it
00:15:12
somewhere else because all you can use
00:15:14
is four Hardware break points you can't
00:15:16
set more than four so we got to keep it
00:15:19
like
00:15:20
limited anyway so I'm going to keep uh
00:15:25
keep on the f8 right now I'm going to
00:15:28
hit f 8 f8 and continue with the process
00:15:32
until I find something interesting
00:15:34
something useful so continue now it
00:15:38
decided to jump and discard all of this
00:15:41
ignore it just jump now it's in the the
00:15:44
process of returning now it
00:15:47
returns okay now this function did not
00:15:50
really call the exit
00:15:52
process now remember that we were
00:15:55
tracing the process execution backwards
00:15:59
the stack Works backwards if you're
00:16:01
going to use the stack to analyze stuff
00:16:04
you can't go upwards and start from here
00:16:07
no because the stack address imagine the
00:16:10
stack address like a I don't know how to
00:16:12
give you an example for that but it's
00:16:15
like
00:16:16
um it's like a a stack of of
00:16:20
towels if you if you to like if you have
00:16:24
a stack of towels and you keep stacking
00:16:26
towels on top of each other you're not
00:16:28
not just going to go into the middle of
00:16:32
that stack and just pull one towel
00:16:34
because it'll all fall apart it you're
00:16:37
just going to have to grab the first one
00:16:40
on top so basically that's what the
00:16:43
stack is uh first in first out
00:16:48
so now that we know that that's the
00:16:52
reason that we supposed to trace
00:16:54
backwards anyway so I'm going to
00:16:57
continue with the f 8 again f8 F now
00:17:03
it's pushing the arguments I know that
00:17:06
with these arguments the function can do
00:17:07
something but I don't know what that
00:17:09
thing is so what I'm going to do is just
00:17:12
right click again break Point Hardware
00:17:15
breakpoint and I'm going to make sure on
00:17:17
execution slot one and I'm going to hit
00:17:20
okay
00:17:22
now if I hit f8 again if the exit
00:17:26
process function was called
00:17:29
my second breakpoint will be triggered
00:17:31
so let's hit
00:17:34
f8 now we can see that it did trigger
00:17:38
that breakpoint and the exit process
00:17:40
function was called so now we know that
00:17:45
the the this call here where my second
00:17:48
Hardware breakpoint is really calls exit
00:17:52
process somewhere along the line so I'll
00:17:55
restart my
00:17:57
process and a will take me straight back
00:18:00
to this break point here which is really
00:18:04
useful and it'll keep you on track
00:18:07
without having to retrace the whole
00:18:10
thing from uh from uh square one or
00:18:14
Square zero whatever the term is anyway
00:18:18
so now that I'm here I'm going to H F7
00:18:23
to step into this function but before I
00:18:26
do that I'm going to write click
00:18:30
breakpoint hardware breakpoint and
00:18:32
delete this breakpoint so we can use it
00:18:35
somewhere else and I'm going to hit
00:18:38
F7 now I'm inside that call okay so what
00:18:43
this call does basically is it moves a
00:18:46
deward value from the uh
00:18:50
stack which is the argument to argument
00:18:53
to Value right now equals one so it
00:18:56
movees it's going to be it's going to
00:18:59
move one into eax which is currently one
00:19:02
so nothing will
00:19:04
change and then it'll subtract it by one
00:19:07
subtract ex ex by one and then this
00:19:11
subtracting
00:19:13
process it sets the BET Flags here I
00:19:17
don't really recall which bet Flags I
00:19:21
think it's p or Z and then it checks
00:19:25
whether P or and or or Z equals one or
00:19:30
zero and it jumps
00:19:32
accordingly so we're not going to really
00:19:35
bother with that you can Google it if
00:19:38
you want to really know what that does
00:19:42
but let's uh sorry let's continue with
00:19:46
the f8 now ex still one nothing has
00:19:50
changed now subtract ex by one ex
00:19:53
becomes zero and then as you can see
00:19:57
here it says jump is not
00:20:00
taken
00:20:02
so with the jump not taken g&z basically
00:20:06
stands for jump not zero jump not zero
00:20:10
again like I said it compares the bed
00:20:13
Flags here I'm not sure whether it's b
00:20:15
or Z but it checks whether it's one or
00:20:18
zero and it jumps accordingly
00:20:22
so what we understand from this process
00:20:25
here from this few uh these six lines
00:20:30
that
00:20:32
uh it either jumps to this adjust here
00:20:38
you can see this little
00:20:40
arrow right here it either jumps or it
00:20:46
doesn't and it calls this address this
00:20:49
address and then it continues and
00:20:52
returns so what we're going to do is
00:20:55
right underneath this jump right here
00:20:58
we're going going to set a hardware
00:21:00
breakpoint
00:21:02
again make sure it's on execution slot
00:21:06
one hit okay and the reason we did that
00:21:09
and we didn't set the break point here
00:21:11
or here is to make sure that it really
00:21:14
it's really executing or calling these
00:21:17
two addresses if it's not then it's
00:21:20
useless and like for me right now I'm
00:21:24
sure that it's calling this or this
00:21:26
called or both of them actually because
00:21:29
if it didn't there's nothing else to
00:21:31
call the exit process function so what
00:21:35
I'm going to do is I'm going to hit f8
00:21:38
and I'm going to hit f8 again boom the
00:21:41
exit process function did really was
00:21:44
really called so let's restart our
00:21:49
process it'll take us
00:21:52
oops what just happened okay I think our
00:21:56
breakpoint or our Hardware break point
00:21:59
went
00:22:01
poof yes it did anyway I'm going to
00:22:04
delete
00:22:07
this
00:22:09
uh okay
00:22:11
delete and I'm going
00:22:14
to return here and this one returns okay
00:22:18
I'll fix this
00:22:21
by tracing the whole thing all over
00:22:24
again I guess I'm going to have to do
00:22:26
that I don't know why
00:22:29
did that break point disappear but oh
00:22:33
well so I'm going to do the whole
00:22:35
process all over again you don't have to
00:22:38
watch this you can skip this if
00:22:41
you are not interested so again I'm
00:22:43
going to set a break point actually yes
00:22:47
I can set it here power break point okay
00:22:51
and I'm going to restart the
00:22:56
process my breake point was trigger I
00:22:58
can right click delete and then continue
00:23:03
executing this function until return and
00:23:06
if you remember this is the function
00:23:10
that really that we were inside right
00:23:14
now I'm going to hit F7 it'll take me
00:23:16
inside that
00:23:18
call and then again I'm right where we
00:23:23
left off
00:23:26
so now that we know that this call right
00:23:29
here called the exit process function
00:23:33
we're going to try and do what the
00:23:36
program does sometimes which is
00:23:39
discarding these two calls and jumping
00:23:41
straight to move ex1 and then return so
00:23:45
how do we do that we do that by simply
00:23:48
double clicking this line right here the
00:23:50
g&z uh instruction and then we're going
00:23:53
to change it from gnz into GMP GMP start
00:23:58
it stands for uh jump jump doesn't check
00:24:02
check for any conditions any bet Flags
00:24:05
it just jumps wherever you tell it to
00:24:07
jump so with that said we're going to
00:24:10
assemble that will uh edit the code
00:24:14
modify it to what we tell told tell it
00:24:17
to
00:24:18
do and then we are going to test this
00:24:21
program and see if it'll terminate or
00:24:24
not and we do that by simply heading the
00:24:29
play button here which will continue
00:24:31
executing our process normally so let's
00:24:35
click that or before we click that uh
00:24:40
you might want to just right highlight
00:24:43
this right click edit and then copy it
00:24:46
as a table and you can then open a
00:24:49
notepad and then you can paste it here
00:24:54
and as you can see It'll uh copy the
00:24:57
address
00:24:59
of each instruction and the co the
00:25:04
the the assembly
00:25:07
instructions and
00:25:09
the uh binary code for each assembly
00:25:13
instruction so you can keep that for uh
00:25:17
like later use or maybe if you lost your
00:25:21
way or if you're tracing it and your
00:25:24
break point was gone just like what
00:25:26
happened to us right now you can
00:25:28
go back to
00:25:30
this uh model here
00:25:33
tq& and find this function based on the
00:25:36
address right here or you can simply
00:25:40
right click search for and you're going
00:25:42
to search for a sequence of commands so
00:25:45
what we're going to do is simply play
00:25:48
the program boom as you can see right
00:25:52
here it says conquer the model entry
00:25:56
point so we are inside the model entry
00:25:58
point and the process did not really
00:26:00
terminate so that's really good and what
00:26:05
that tells us is that we did really
00:26:07
bypass that exit process function and
00:26:10
what it
00:26:11
did so as long as that works let's just
00:26:16
restart our process and we want to make
00:26:19
that those changes that we just made
00:26:22
permanent so now that I know what to
00:26:25
change and where to change it I can
00:26:27
simply go to view executable models or
00:26:31
hit alt e on your keyboard it'll open
00:26:34
this dialogue for you this window and
00:26:37
you're going to select instead of
00:26:39
conquer. exe you're going to go to TQ
00:26:42
and
00:26:43
P.D you hit enter it'll take you inside
00:26:46
this model click hitr a to analyze it
00:26:50
retrace it back that's really
00:26:53
easier to
00:26:57
do so we're at the exit process function
00:26:59
again we click right here it'll take us
00:27:02
back back here I'm going to straight set
00:27:06
the breakpoint on the return address
00:27:08
right here so breakpoint Hardware
00:27:12
breakpoint slot one okay
00:27:19
restart and then I'm going to trace it
00:27:23
back again okay this is the function
00:27:27
that we need to edit now I'm going to
00:27:31
double click on this again change it to
00:27:35
GMP instead of g&z and I'm going to
00:27:38
click
00:27:39
assemble and with that done I'm going to
00:27:42
click on that left click on that line
00:27:45
that we just changed I'm going to right
00:27:47
click edit and I'm going to copy to
00:27:51
executable
00:28:04
so that's just going to tell you to that
00:28:08
you did some modifications and you need
00:28:10
to save them I'm going to ignore this
00:28:12
box and I'm not going to display it
00:28:14
anymore I'm hit okay and right now what
00:28:17
we're doing is we're saving our work
00:28:20
we're saving our edits and modifications
00:28:23
so to save that you're going to click
00:28:25
the x button right here it'll ask you if
00:28:27
you want to save save it hit yes it'll
00:28:29
open the same directory where your
00:28:31
conquer exe exists so all you need to do
00:28:35
is hit save and as you can see it'll
00:28:37
give it the same name too so excuse
00:28:41
me we're just going to hit save It'll
00:28:45
ask you if you if you want to replace
00:28:48
the current dll file and you're going to
00:28:50
H yes so with that done let's try and
00:28:54
restart our process and see what's going
00:28:56
to happen
00:28:59
okay this is because I didn't delete my
00:29:03
break point which is stupid so let's
00:29:05
just delete it and continue running the
00:29:09
process as you can see everything worked
00:29:12
just fine and right now we're inside
00:29:15
we're at the uh model entry point so if
00:29:18
we hit play and continue running the
00:29:21
process it'll finish analyzing those uh
00:29:23
models inside this process and it should
00:29:27
pop the
00:29:28
dialogue that asks us to run play. exe
00:29:32
that's only in case if everything worked
00:29:35
as
00:29:37
intended so we're waiting for that
00:29:40
message
00:29:42
box there it is which is cool now I'm
00:29:47
going to
00:29:49
terminate conqueror exe as you can see
00:29:52
it'll
00:29:53
still do that crap and then it'll save
00:29:56
all the the ud files so if we go back
00:29:59
into o UD files oh
00:30:03
why did it save them
00:30:06
here it was supposed to save them inside
00:30:09
this
00:30:11
folder so let's go back and check it
00:30:16
out oh I'm
00:30:18
sorry the reason
00:30:21
is that I did
00:30:24
not set the directories and we're going
00:30:28
to set them
00:30:30
now we're going to set the ud files
00:30:35
directory we're going to click here
00:30:37
select the the the udds file that we
00:30:40
created earlier hit okay and then we're
00:30:43
going to select the plugins folders that
00:30:45
we created earlier hit okay then hit
00:30:48
okay which what what that will do is
00:30:52
though all these UD files were supposed
00:30:56
to be inside uh
00:30:59
theud files folder or the folder that we
00:31:02
just created so I'll just move them
00:31:05
inside that folder now we're
00:31:09
done okay with that done there's uh a
00:31:14
second uh problem that we're going to
00:31:17
face which is if we run or play Conquer
00:31:23
Online and then we try to attach to it
00:31:26
and then log into the game
00:31:30
uh what will happen is that it'll also
00:31:34
terminate the process so if we play
00:31:37
conquer. XE go to file attach and then
00:31:41
you're going to to find conquer. exe
00:31:44
head
00:31:46
attach and then it'll probably load all
00:31:51
the way and I'm going to pause the video
00:31:54
until it's done
00:32:00
okay now that o is done analyzing those
00:32:05
models as you can see It'll uh break
00:32:09
somewhere inside the process and now it
00:32:12
chose to break inside the user 32 so
00:32:17
what I'm going to do is I'm just going
00:32:19
to hold the shift button and I'm going
00:32:22
to hit F9 and it'll it'll it should
00:32:26
continue running the process and as you
00:32:28
can see It'll say running right here so
00:32:33
ignore those access violations uh uh
00:32:38
exceptions because as you can see if you
00:32:40
open the log here it'll just keep on and
00:32:44
on and on and on it'll never stop
00:32:47
however I don't know why but it's just
00:32:50
doing it I don't really care anyway if
00:32:53
we switch to conquer. exe you can see
00:32:56
that the process is running and
00:32:58
everything works just fine so let's try
00:33:00
and log
00:33:02
in let me check I can I can remember an
00:33:08
account okay
00:33:13
live oh my God this annoying
00:33:17
message it's just it pops up
00:33:20
every single time I try to log
00:33:26
in okay now it's trying to log
00:33:29
in and
00:33:32
again as you can see we uh our breako on
00:33:38
exit process the exit process function
00:33:41
was triggered meaning this process is
00:33:44
trying to terminate
00:33:46
itself so again we're going to go back
00:33:50
to my favorite thing which is this
00:33:54
tack as you can see another call into to
00:33:58
Kernel 32 exit process and stried from
00:34:01
or called from anti-rot client blah blah
00:34:05
blah so the exit code is zero we don't
00:34:08
care about that
00:34:11
now what this tells us that somewhere
00:34:14
inside this uh dll file here the anti
00:34:18
robot
00:34:20
client the exit process function is
00:34:23
being called for some reason probably it
00:34:25
detected that uh we're using in a
00:34:27
debugger or something like that and it
00:34:29
wants to terminate the process so what
00:34:31
we're going to do is
00:34:32
just uh basically go to this line here
00:34:37
and as you can see it says return from
00:34:39
anti-root client to anti-root client so
00:34:42
what that tells us is that anti Rob
00:34:44
client is calling function inside itself
00:34:47
and let's go and check what that
00:34:48
function is so select it and hit enter
00:34:52
and it'll take you straight into enti
00:34:54
blah blah blah so as you can see uh I
00:35:00
mean like I said earlier this address
00:35:03
here right here is the the address as to
00:35:07
where this stack address here will
00:35:10
return so as you can see it it says
00:35:13
return to blah blah blah from blah blah
00:35:15
blah so if you compare those addresses
00:35:18
this address is equal to this address so
00:35:21
we know that it'll return into this uh
00:35:25
instruction here and then execute it in
00:35:27
then continue ex executing these uh
00:35:31
instructions and then return so now that
00:35:34
now that we know it's return it's return
00:35:37
it's supposed to return to this uh
00:35:41
instruction uh we know that the function
00:35:44
the call above it is what call this
00:35:47
function so this is the return address
00:35:49
for this call so we go one line up right
00:35:54
click breakpoint hardware breakpoint
00:35:58
slot one on execution
00:36:00
okay now let's
00:36:04
uh you can either restart the whole
00:36:08
process restart Conquer Online and then
00:36:11
reattach it and then uh let it run and
00:36:15
log in until this breakpoint hits and
00:36:18
then we can go inside this function and
00:36:20
see what it's doing or we can simply
00:36:23
just uh click on that function let's
00:36:27
let's go back to it click on that this
00:36:29
call and then hit to enter it'll take
00:36:32
you inside this function right here
00:36:36
so if you look
00:36:38
closely this function is calling this
00:36:42
address here ENT robot client blah blah
00:36:45
blah we don't know what it does and then
00:36:47
right after it calls that address and
00:36:50
returns eight pops is ECX pushes the
00:36:54
exit Cod which code which is the and
00:36:57
then kills the process so basically this
00:37:00
function is a a a certain kill for the
00:37:04
process it this function will never
00:37:07
return any other results uh other than
00:37:11
killing the process so this is bad we
00:37:14
don't want this function at all so again
00:37:17
click on this line go back so we're here
00:37:21
and I don't want to restart the whole
00:37:23
thing so I'll just delete this break
00:37:25
point here
00:37:28
and what I'll do is check what called
00:37:32
this whole function here right here from
00:37:35
the the start of the function
00:37:39
until the return so we need to know what
00:37:42
called it to know that all we do is just
00:37:45
go back to the stack and find the second
00:37:49
return address un underneath this which
00:37:52
will be this address as you can see
00:37:55
return also from tqp to
00:38:00
tq& so let's select this line left click
00:38:03
on it and then hit enter it'll take you
00:38:06
to the function where it's been called
00:38:09
what I'm going to do I'm going to take a
00:38:10
wild guess and and and I don't recommend
00:38:14
that you do that every time but I'm just
00:38:17
guessing that this function right here
00:38:20
goes in checks for the processes checks
00:38:23
maybe for this debugger present uh
00:38:26
function and then if yes it kills the
00:38:28
process no it returns and it continues
00:38:31
so what I'm going to do is just right
00:38:33
click on it edit fill with n Ops and
00:38:38
then I'm going to save this permanently
00:38:41
and then try and run the
00:38:43
process so one thing that I've never
00:38:46
mentioned back up your files back up
00:38:49
your dlls now you know you're inside
00:38:52
anti-robot do uh anti-robot
00:38:56
client. all you got to do is go into
00:39:00
your client folder copy anti-root DL
00:39:03
somewhere else and then uh paste it so
00:39:08
you can replace this file if you damage
00:39:11
it
00:39:13
so that's what I would do because if you
00:39:16
don't know what you're doing you can't
00:39:18
really restore this stuff and unless
00:39:21
you're going to rep patch your client
00:39:22
from I don't know which version anyway
00:39:28
so now that I've set this NS I want to
00:39:31
save it permanently so right click edit
00:39:35
copy the
00:39:36
executable and I'm going to hit the x
00:39:38
button here and it'll ask me if I want
00:39:40
to save it I'll hit yes and again into
00:39:44
your it'll take you into your conquer CL
00:39:48
directory and it'll give you the name of
00:39:50
the model just hit save replace it yes
00:39:55
and then I'm going to kill the process
00:39:58
and all the book yes I know
00:40:01
that now if we try and
00:40:04
run conquer.
00:40:09
exe and then we go
00:40:12
back and run all the debug and then file
00:40:19
attach um conquer exe
00:40:24
attach hit shift F9 continue running the
00:40:31
process wait until it's all the way in
00:40:34
okay it's running as you can see now I
00:40:37
can go back switch to conquer and try
00:40:39
and log
00:40:48
in okay let's hope it'll
00:40:52
work boom everything works just as
00:40:56
intended and we're inside the game so
00:41:00
that's
00:41:02
cool oh
00:41:05
boy oh
00:41:09
boy this game is it went it
00:41:14
went it's just horrible nothing is
00:41:17
playable in that game anymore
00:41:20
anyway now that we've done that we have
00:41:24
all the access we need to
00:41:27
modify Conquer Online to uh find the
00:41:30
functions that we want to find and to
00:41:33
build our memory base spot so in the
00:41:36
next tutorial we'll be uh dealing with
00:41:40
finding the addresses maybe and finding
00:41:42
the addresses of functions that you need
00:41:44
to use in your uh memory based B so I
00:41:49
think that's it for this tutoral and I
00:41:52
hope I didn't uh make it very long I
00:41:55
think it's very long by now so until the
00:41:58
next tutorial be safe

Etiquetas

conquer online
debugging
ODbg
anti-debugging
memory editing
gaming
tutorial
DLL
hardware breakpoints
assembly instructions