Welcome
Ladies and Gents:

These forums are now closed and registration disabled.

Please join us at our new forum on Proboards. Our hope is that these new forums are more stable, provide more and better features, and allow continuation of the project forums in a safer, more secure, long term environment.

me3explorer.proboards.com

--The ME3Explorer Team

How to use OllyDbg as Memory Hexeditor


Post by WarrantyVoider » 16 Mar 2013, 18:59

*edit:moved from secret forum ;p*
First start an instance of ME3.exe (no matter what version). I'll show how you can quickly find the GObj Table and browse the memory like a hex editor.

Now start OllyDbg and select File/Attach, where you then select the MassEffect.exe.


Now wait a few seconds for OllyDbg to attach to the process and read it out. Now press the "M" button to see the memory layout:


You can see that the main Mass Effect exe is copied very close to the start. The first column is the absolute address of the beginning of a memory segment, and the second is its size. ".data" is where all the "current" variables and stuff are stored, ".rdata" is all the resource data (like the namelist) that is loaded from within the exe, and ".text" is where code is stored.

For now we search for a segment of size 0x00072000, because I know from my research that for the GObj Table a segment with that fixed size is always created (malloc!), and the owner is the process itself (so ignore the segment from the dll). You can double-click it and see a segment full of Int32 pointers! Congratz, you found the GObj Table.

Now we want to find the pointer to this table (the actual address of the table object, which is just a pointer to the table and a count int). We note down the address 0x07CA0000; now, because of endianness, we need to search for the following 4 bytes: 0x00 0x00 0xCA 0x07, and do this in Mass Effect's data segment. For this we right-click and select search/binary string.


Now this search should only find one occurrence (search next with Ctrl-L) and voila, this is your GObj object!! This address will not change for this exe over any time; the segment (of the table), on the other hand, can be allocated differently (but usually won't be), so you need to look up this pointer to find it.

greetz
always backup your files!
mess with the best or die like the rest!
"I tried everything!" - "mkay, please list that..." ; please dont pm me for help, we have a help section
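
The same lookup as in the post above, sketched in Python as an added example that is not part of the original post. The memory map rows, owner labels, `.data` contents, offsets and the count value are all constructed for illustration, and the count is assumed to be a 32-bit int stored directly after the pointer.

```python
import struct

# Constructed rows modelled on OllyDbg's memory map: (base, size, owner, section).
MEMORY_MAP = [
    (0x00401000, 0x01200000, "MassEffect", ".text"),
    (0x01601000, 0x00300000, "MassEffect", ".rdata"),
    (0x01901000, 0x00001000, "MassEffect", ".data"),
    (0x07CA0000, 0x00072000, "", ""),               # allocation made by the process
    (0x6A000000, 0x00072000, "some_dll", ".data"),  # same size, but owned by a DLL
]
TABLE_SEGMENT_SIZE = 0x00072000  # fixed size given in the post


def find_table_segment(memory_map, dll_owners):
    """Return the base of the single 0x72000 segment not owned by a DLL."""
    hits = [base for base, size, owner, _ in memory_map
            if size == TABLE_SEGMENT_SIZE and owner not in dll_owners]
    if len(hits) != 1:
        raise ValueError(f"expected one candidate segment, found {len(hits)}")
    return hits[0]


def find_pointer(section_base, section_bytes, target):
    """Return absolute addresses where `target` is stored as a little-endian DWORD."""
    pattern = struct.pack("<I", target)  # 0x07CA0000 -> 00 00 CA 07
    found, pos = [], section_bytes.find(pattern)
    while pos != -1:
        found.append(section_base + pos)
        pos = section_bytes.find(pattern, pos + 1)
    return found


def read_table_object(section_base, section_bytes, address):
    """Decode the table object: pointer to the table followed by a count int."""
    return struct.unpack_from("<II", section_bytes, address - section_base)


def build_sample_data():
    """Constructed .data contents: one real table object and one byte-swapped decoy."""
    data = bytearray(0x1000)
    struct.pack_into(">I", data, 0x100, 0x07CA0000)            # wrong byte order
    struct.pack_into("<II", data, 0x2A0, 0x07CA0000, 100000)   # pointer + count
    return bytes(data)


if __name__ == "__main__":
    data_base, data = 0x01901000, build_sample_data()
    table = find_table_segment(MEMORY_MAP, dll_owners={"some_dll"})
    for addr in find_pointer(data_base, data, table):
        ptr, count = read_table_object(data_base, data, addr)
        print(f"GObj object at {addr:#010x}: table={ptr:#010x} count={count}")
```

The byte-swapped decoy at offset 0x100 is not matched, which is why the search pattern has to be written in little-endian order.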


Re: How to use OllyDbg as Memory Hexeditor

Post by Renmiri » 18 Mar 2013, 15:29


Re: How to use OllyDbg as Memory Hexeditor

Post by WarrantyVoider » 18 Mar 2013, 19:52

Cool, thanks, I didn't know that, but I guess I'll stick to 1.1 for now... ;p

greetz