← Back to DevelopmentAging & Mixing viewer.dll generatorProgramsClan filesInternet Information ServiceOllyDbg tutorialsMiscellaneousSkinsLinks / Files

Firing up OllyDbg for the first time

← Back to OllyDbg tutorials1. Analyze and .udd files2. Memory map3. Searching for text or values inside the client4. Launching the client inside the debugger4.1. Exiting the client4.2. Attaching the debugger to the client5. A simple case of hexadecimal edition : the window caption5.1. Saving your modifications6. A simple case of assembly edition : removing the timeout message6.1. References7. An advanced case of hexadecimal edition : a pointer7.1. Memory breakpoints7.2. Execution stack7.3. Memory pointers8. Don't forget to save your modifications

1. Analyze and .udd files

The first time you open an executable file inside OllyDbg, it does a thorough analysis of your file.

File analysis

Doing that, it locates specific file structures : switch, jumps, loops, procedures (I'm not detailing this here to keep it simple, if you are curious, google it). This process can take some time. Fortunately, when you close the program, it saves all the analysis data in a .udd file, located inside your OllyDbg folder.
The next time you open the same file, it'll load the .udd data instead of doing the analysis again, it's faster.
The .udd files have the same name as your .exe file. If you edit your client and save it with the same name, the next time you open the file in OllyDbg, it'll notice the difference and ask you if you want to redo the analysis. I suggest you say yes.
Once the analysis is over, it opens the CPU window, which are basically the assembly commands of our program.

CPU window

You can notice on the bottom right corner of the OllyDbg window that the program is paused. Our client isn't running yet, we just have opened it inside OllyDbg.

2. Memory map

The memory map contains alot of information, but we'll focus on our client dump. The memory dump is the same thing as you would obtain if you had opened the client in an hexadecimal editor.
To identifiy our client memory section, we just have to look inside the owner column and find our .exe name.

Memory map

This is where we are going to search for text strings, or specific values.

3. Searching for text or values inside the client

You can search inside the client all the time, whether it is running or not.
For instance, if we are looking for text inside the client, like SGPT, we :

  • Open the memory map, and select the first section of our client :

  • Press Control + B to open the search form. We are looking for text, so we will use the ASCII field (Important: Remember that the search is case sensitive !) :

  • After pressing Search the first result will quickly show up in a Dump window. The window title indicates us that the result was found in the rdata section of our client :

  • To advance to the next result, press Control + L. If there's no more result in the section, OllyDbg will display Item not found at the bottom of its window :

  • If you close that Dump window, you'll return to the Memory map. If you press Control + L again, you'll continue the search in the following sections of your code. In our client, the next result is located in the KPTTrans section :

4. Launching the client inside the debugger

To run the client after you opened it in OllyDbg, simply press F9 or the blue arrow in the toolbar. The client may run slower than usual depending on your configuration.
You'll notice that Running is now written in the bottom right corner of OllyDbg.

4.1. Exiting the client

When you press Exit ingame, you'll see that the client window doesn't entirely close, and that OllyDbg window pops up with written Terminated in red in the bottom right corner.

At this point, you can either "rewind" the client to the beginning by pressing Control + F2 or the rewind button in the toolbar, or close the client by pressing Alt + F2 or the close button in the toolbar.

4.2. Attaching the debugger to the client

Attaching the debugger directly to the client or the server is a way to load it faster. You first launch the client normaly. Then you launch your debugger and select the attach action:

Then select the process to attach and press Attach:

When the debugger attaches itself, it stops the program execution. Once it's done attaching, simply press F9 or the blue arrow in the toolbar to resume the program execution.

Let's get to the exercises now, our very first modifications :) !

5. A simple case of hexadecimal edition : the window caption

When you launch the PT client, in the window caption you can see SGPT PRISTONTALE CLIENT 1873 -----Thanks Sandurr^^. Let's try to edit that to something else.

Original window caption

  • Our first step is to locate the text string inside our client with a search :

  • Ah, the text string seems to be located in the KPTTrans section :

  • Let's select the whole caption text and edit it by pressing Control + E. You can see that the selected string in the Dump window appears in the edition form. If you uncheck the little checkbox Keep size you will be able to add more characters than the selected string :

    Important : Avoid replacing a text with a longer one. You could put characters in a area dedicated to another text string or used by something else. Important 2 : When it loads a text string, the program stops fetching characters when it encounters 00 (zero zero, in hexadeicmal).
  • Now we edit the text in the ASCII field with something more apropriate, let's say iLoveKirbyPT (>^_^)> . The new text is shorter than the previous one. To remove all the superfluous characters, I switched to the HEX field and filled it with zeros :

  • When you press OK, you can see the modification in your Dump window :

  • If you launch the client inside the debugger now, you'll see the modification. But if you leave OllyDbg, or if you restart the client, it wont be saved. To save your modification, you must copy them to the executable.

5.1. Saving your modifications

To do that, you must :

  • Select your modification
  • Do a right click on it and select Edit > Copy to executable in the contextual menu :

  • This will open a new File window, where you can see your modifications :

  • If you want to save your modifications to a file, simply do a right click and select Save file... I'll save mine as 1873_quantumfusion_kirby_caption.exe.
  • When you launch your newly created client .exe, you can see the result of your hard work 8) :

6. A simple case of assembly edition : removing the timeout message

When you are connected to your server with the GM client, your chat box may be spammed with alot of useless Recv Timeout Message messages.

Spam (x_x)

In this exercise we will try to remove that annoying message.

  • Our first step is to find the text string of the message inside the client. We already know how to make a search. The text string is located in the rdata section :

  • Now that we have selected the message from the beggining (%s included), we are going to search for the references to that string. That will tell us when the string is used (not all the time thought).

6.1. References

To do so, press Control + R. After the search, it opens a References window :

  • By double-clicking on the first (and only) reference, the CPU window will open and you'll be moved to the command address. Let's explain (really simply) what's happening in that part of the code (I added color, it's easier to understand this way) :

    • First there's some processing we don't really understand, but it will eventually lead to...
    • A test that will determine the action to do on the...
    • Jump. It's a JE, which means Jump Equal : we only jump to the given address if the result of the test is an equalty.
    • In red is the part that loads the text string Recv TimeOut Message and then calls the procedure that is probably displaying the text inside the chatbox.
    • In green is some code that is executed after and we don't care about it.
    We can easily deduce that if the jump isn't taken, the part of code that calls the annoying message will be read and executed. If the jump is taken everytime, no matter what the result of the test is, the message will disappear. Let's do this.
  • We are going to replace the instruction JE with the instruction JMP. JMP is a jump that is always taken, no matter what. To do so, focus click on the jump instruction line and press Space :

  • Replace JE by JMP and press Assemble. The modification is done :

  • Save your modification like we've seen previously :

  • Job's done 8) :

You can see that the Recv Timeout Message is gone. However I received a couple Scoop Recv Route(Main) messages while I was editing my client. You can try to remove them yourself now that you know how to !

7. An advanced case of hexadecimal edition : a pointer

In this last exercise, we will see that changing a simple text string isn't that easy.
For instance, if you cruised a bit inside the client, especially inside the KPTTrans section, you might have noticed that there's a complete translation for the item details.

Unfortunately, when you look at your item details inside your client, it looks a bit different and ugly...

Yuck...

You might wonder why it displays a different text than the one from the KPTTrans section. And why that new translation is inside that section, and not at the original location ?
We'll see that later, for now let's try to change this ! First of all, ATKPow.
We just have to follow the steps we've seen previously :

  • Searching for the text string inside the client

  • Found it ! And it seems like there's all the item details text strings here :

    As you can see, there isn't much space to put text. There's isn't enough to change ATKPow into Attack Power. The reason is simple, it's a translated version of the Korean client, and korean characters take less space than latin ones.
    What we can do though, is telling the client to use another text string, somewhere else... What a coincidence ! We have a nice translation ready to use inside the KPTTrans section !
  • Our next step is to find references (Control + R, see below) to the text string to see which command loads it, easy :

    What the... no result ?! How am I supposed to know which command loads the text string then ?
    Don't panic, we have a solution to this problem : the Memory Breakpoint.

7.1. Memory breakpoints

Memory breakpoints are a mechanism that allows us to stop the execution of a program when a specific area of the memory is read, or written.
It's quite easy to set : select the memory area you want to control and set the breakpoint.
In our case, we'll put a memory breakpoint on ATKPow, when the memory is read :

Now that your breakpoint is set, you just have to run the game, and put your mouse over a weapon to trigger the breakpoint.
Important: I suggest you set your memory breakpoints after the game is launched because they can slow down a lot the execution.

If you want to see all your memory breakpoint, click on the yellow M in the toolbar.
Here you can see the memory breakpoint we just set :

When you select one of the breakpoints, you can disable it (Space) or delete it (Del).

  • Now let's trigger our breakpoint ! Gently put your mouse over the weapon of your choice and... *ding* the execution is stopped, OllyDbg pops up and shows you where the memory was read.
    It should look like this :

  • Well it doesn't help much to be honest. But if you see what's written on the bottom of the window, you can see that the execution was stopped at kernel32.7C80BEB7. When the execution is stopped in that section, kernel32, it's more likely that the program called a system procedure, like a string copy or something like that.
    If you look at the bottom right part of the window(it's the execution stack), you can see kernel.lstrcpyA.

7.2. Execution stack

The execution stack is very important concerning procedure calls. Before a procedure is called, the return address is pushed inside the stack so that the program knows where to return when the procedure execution is finished. The return address is usually the address of the command just after the call. That will help us pin-point where to look.

  • Now that we know a bit about the stack, let's go to the return address we see in red the stack Return to 1873_quantumfusion.0048EC36. To do so, press Control + G in your CPU window and enter the address you want to go to :

  • Ah now it looks better, we now which command load our text string :

    But wait a minute, if I remember correctly (and I do !), my text string was at the address 005CB31F or after (check the reference window screen shot, you'll see that the selected string started at 005CB31F and ended a 005CB329). How come it loads the text string ? If I go at the address 67FAE0 like written in the command, here's what I see (you can go to a specific memory address by pressing Control + G in a Dump window) :

    If you look closer to the command description, you can see that it contains the keyword PTR, which means that it's not loading data, but a Memory pointer.

7.3. Memory pointers

To make it simple, a memory pointer is an memory address leading to another memory address.

So, if we change the address at the pointer's destination, we will change the text displayed ingame. Pretty easy. In our KPTTrans section (see below), we can see that the address for Attack Power is 04410821.
Tip: You can shift the data to the right or to the left using Control + Wheelup or Control + Wheeldown.

  • We just have to replace the old address with the new one.
    Important: Don't forget to reverse it : 04410821 -> 21084104

  • Job's done (don't forget to save your modification !) 8) :

You can find a table with some translation pointers referenced in the Miscellaneous section : here

8. Don't forget to save your modifications

This concludes our second part. We did great so far, we learn the basics of editing.
Oh and I wont repeat it enough but never forget to save your modifications !