Basic Asm and Introduction to W32Dasm
deathrabbit's introduction to gamehacking 5:
Basic Asm and Introduction to W32Dasm
Hey i'm back, it's been a while since I wrote one of these, but anyway, lets start. In the previous tutorials, I talked about editing variables. This is effective but very limited. Now i'll talk about modifying the game's code. This allows you to have about unlimited possibilities on what you can do. Unfortunatly, compiled code cannot be decompiled into original code, so we have to dissassemble it. Disassemblers turn programs into code in assembly launguage. Assembly launguage(asm) is very basic code which is directly 'translated' from the hex in the program. For example, when there are the hex digits 0x90, there is the nop command, which is put right into the dissassembly. Some commands are just a byte(2 hex digits), but others are more, since they need to use more information, like a jump(jmp) command needs to say where to jump to. First il cover some asm basics.
Asm always deals with registers. The registers use the data and the memory is copied to and from the registers and used there. eax is the most used register.
nop - One of the most important commands in cracking. nop does absolutly nothing. nop is just 1 byte so it can be used to overwrite any command or more easily without having to worry to much about if it matches up with the lengnth of the previous code.
mov - Copies the value stored in what is on the right to what is on the left.
ex. mov ebx, eax
ex. mov eax, 42CC003A
cmp - Compares the 2 values specified and stores the results in comparison flags. For example, if they are equal, the equal flag is set. The comparison flags are used for jump statements, talked about later.
ex. cmp esi, eax
call - Runs the code at the specified location. When data is returned, it is usually stored in eax.
ex. call 00400F6A
ret - Reterns to where that section of code was called from.
push - 'Push'es a registers value onto the 'stack' so it can be used later. Arguments to a sub program or function are usually pushed in the opposite order of what the subprogram's arguments are before calling it.
ex. push eax
pop - Takes the top value off of the stack and stores it into the register specified.
ex. pop eax
inc - Increases the specified register's value by 1.
ex. inc eax
dec - Decreases the specified register's value by 1.
ex. dec eax
add - Adds the values specified and stores them in the register specified first.
ex. add eax, ebx
sub - Subtract the 2nd value from the first and stores the answer in the register specified first.
Next we'll get into the jump commands. The jump commands look at the comparison flags from cmp, and split the path of execution. They always look at the flags set from the last comparison. All jump commands specify where it should jump to if it should jump.
jmp - Always jump to the specified location.
je - Jump if the values compared were equal.
jne - Jump if the values compared were not equal.
jg - Jump if the first value was greater than the second.
jge - Jump if the first value is greater than or equal to the second.
jl - Jump if the first value is less than the second.
jle - Jump if the first value is less than or eaqual to the second.
There are many other jump commands, but those are the main ones.
Jumps all start with 1 byte saying what type of jump they are, then the relative location to go to, so a jump can be changed to another type of jump by changing 1 byte.
Now, i'll talk a little about W32Dasm.
W32Dasm is a disassembler. It is the one I use most often. Heres a picture of it.
From here you have to select the file to disassemble. You click the button near the upper left hand corner to open a file select dialog and select a file. When it finishes, it will look something like this.
Now heres a numbered version so I can refer to things easily.
1. Open a new file to disassemble.
2. Save disassembly, helpful sometimes if you don't want to disassemble it each time or if you want to copy code out.
3. Find text, helpful sometimes.
4. Goto program entry point. Goes to where the program starts executing. Normally isn't needed but useful sometimes.
5. Goto code location. You can enter an offset and it goes there. Very useful.
6. Imports, shows what windows funtions it uses, you can double click them to show where they are used. Only useful when a strange funtion is used.
7. String reference, shows all of the text that is used, you can double click it to show where that text is used.
8. Window, shows data, mostly disassembly.
When using W32Dasm, it usuall looks something more like this.
1. The hex at a location.
2. The offset.
3. The command in asm.
4. Shows that a string is being used in the next command, in this case 00455410 is refering to the string.
5. Shows that the next command is an api call.
6. Shows the locations of code that can(or always do) jump to that point.
I think thats about it for this tutorial, and il show you how to do something next tutorial.