Newbie disassembly questions
I'm relatively (read: stupid newbie) familiar with disassembly but this bit stumped me:
I have a set of save files compressed with zlib and a game that loads them. Their structure is known and once loaded, the structs in memory are identical to their corresponding save files. The issue is that the game was written in an ass-backwards, scripting-only-not language that somehow manages to leave no static pointers. At all. Several dozen people tried, and seemingly static pointer paths would break after minor changes on the same machine. An easy solution would be to just search the process' memory for the contents of the files, but this is a pretty bruteforce solution which I would rather avoid for educational purposes.
The Questions:
- I'm trying to use OllyDBG. I am terrible at it, but nevertheless managed to make some trivial codecaves that actually worked. Am I using the right tool for the job or am I a stupid newbie? What tools does the modern reverser have in their kit?
- On a related note, I have to resort to using Cheat Engine (or its cousin MHS) for memory searches. This seems a bit counterintuitive. Does OllyDBG really give you no way to search for values and refine results or am I missing something?
- How do you set breakpoints on WINAPI? Hell, what does WINAPI look like at assembly level? This is something I haven't managed to find any decent information about and I'm pretty sure that Google has more than enough of it but I just can't seem to type the right words in.
- Expanding on the above, how does one set dynamic breakpoints? If I am interested in a specific, often called function but only if EAX at that point is equal to a specific value, how would I get Olly (or anything else) to break on that condition?
- Any general books/suggestions/resources on disassembly or low level programming oriented at breaking things.
Disclaimer: game in question is freeware, single-player, author does not disapprove, project intended to extend functionality more than anything. Also first post, hopefully I haven't fumbled too badly. :(
Comments (1)
You have a lot of questions rolled into one. I'll try to answer some.
OllyDBG is a fine free disassembler. Professionals may pay for IDA-Pro, but that's an expensive product.
Regarding searching memory, OllyDBG does provide that feature. In any memory dump window (for example, the memory dump pane of the CPU window), you can: right-click, select "Search for" from the context menu, and then choose either Integer or Binary String. Unlike Cheat Engine, you cannot search for an approximate value with OllyDBG. You might seek a plug-in which does this, not that I am aware of one.
By "WINAPI" I think you might mean the Win32 API. There is probably a component in the game you are looking into named WINAPI. In order to set breakpoints on various Windows APIs, which is what game-client-extenders like to do, you will want to know where the actual Windows API is, so to speak. The functions are not all in one "place." There are various DLL modules which "export" the functions that comprise the Win32 API. For example, `MessageBox()` is exported from `USER32.DLL` but `ExitProcess()` is exported from `KERNEL32.DLL`.
To set breakpoints on Windows API calls in OllyDBG, you can: View menu, Executable Modules to see all the modules in memory. Right click the USER32.DLL module and select "View Names" from the context menu. There you will see all of the functions exported from USER32.
If the game client were written in C, there would be a list of API functions used in what is called the "import table." This would be found in the .EXE module loaded in memory, or also viewable in the on-disk EXE file using `link /dump /imports`. In the case of a scripting language, there is usually not an import table, or if there is an import table, it imports a vast range of functionality that is accessible via the script engine.
I do not think OllyDBG supports conditional breakpoints, unfortunately.
Regarding where to begin learning disassembly, surely the best instruction is to utilize quite a bit of assembly on your own code. Even writing a Windows application which displays only a Message Box bearing "Hello World" will require you to learn about import tables in order to access the MessageBox() API. In fact, writing such an application in C could also be informative to you. However, I recommend you compile the code using only the command-line tools and not the GUI environment. The GUI will hide too much information from you and interfere with the learning. In order to access the USER32.DLL API, you will need to inform the linker that you wish to use the USER32.LIB 'import library' so your C code can transparently call `MessageBox()`.
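The import table described in the answer can be read directly from the on-disk EXE. The Python sketch below is an added example, not part of the original answer; the function names (`list_imports`, `rva_to_offset`, `cstring`) are hypothetical. It walks the import directory of a PE32 or PE32+ file and returns the DLL and function names that `link /dump /imports` would list.

```python
import struct
import sys

def rva_to_offset(sections, rva):
    """Translate an RVA into a file offset using the section table."""
    for vsize, vaddr, rsize, rptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError(f"RVA {rva:#x} is outside every section")

def cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def list_imports(data):
    """Return {dll: [function name or '#ordinal', ...]} for a PE file's bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    pe64 = magic == 0x20B
    # Data directory 1 is the import table; directories start at +96 (PE32) or +112 (PE32+).
    import_rva = struct.unpack_from("<I", data, opt + (112 if pe64 else 96) + 8)[0]
    sections = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]
    fmt, size, by_ordinal = ("<Q", 8, 1 << 63) if pe64 else ("<I", 4, 1 << 31)
    imports = {}
    desc = rva_to_offset(sections, import_rva) if import_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if name_rva == 0:                                  # all-zero descriptor ends the list
            break
        names = imports.setdefault(cstring(data, rva_to_offset(sections, name_rva)), [])
        thunk = rva_to_offset(sections, oft or ft)         # fall back to the IAT if no lookup table
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            if entry & by_ordinal:
                names.append(f"#{entry & 0xFFFF}")
            else:                                          # RVA of hint (2 bytes) + name
                names.append(cstring(data, rva_to_offset(sections, entry & 0x7FFFFFFF) + 2))
            thunk += size
        desc += 20
    return imports

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as f:                     # path to an EXE or DLL
        for dll, funcs in list_imports(f.read()).items():
            print(dll, *funcs, sep="\n    ")
```

An executable that shows only a script-engine DLL here, or no imports at all, matches the scripting-language case the answer mentions.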