Monday, January 24, 2011

Making a Game Cheat

Hello all

My friend T3rm1 and I have also hacked a little game called "Blobby Volley".

Programs used: Tsearch and Borland Delphi.

I first played the game a bit. It is a volleyball game with two slimy blobs.

You can download the game from:

http://ftp.freenet.de./pub/filepilot/windows/spiele/blobby.zip

If you play the game, you will notice that you (as a player) can touch the ball 3 times before it is a foul.

I tried to find the memory address where the value is stored that counts how many times you have touched the ball.

First, download Blobby Volley and Tsearch.


1. Unpack Blobby Volley and start it.
2. Start Tsearch.
3. In Tsearch, click "Open Process" and select "volley.exe" (1)
4. In Tsearch, click "Search". (2)
5. In Tsearch, click on the lens, "init new search" (3)

6. Choose "Unknown Value" and click OK.

7. Tsearch has now found 128xxxxxx values.
8. Click OK again.

9. Now switch to Blobby Volley, choose "Spiel starten" and hope that you start the match (ball over your head). If not, press ESC and then J to stop the current round. Repeat this until you have the ball over your head at the start.
10. Hm, we have a problem now: the ball-contact counter changes so fast that we don't have time to switch to Windows, so let's make a hotkey in Tsearch.
11. In Tsearch click: VIEW - OPTIONS - HOTKEYS.

12. Click on the empty sheet (create new hotkey).
13. Click on "Click here to set". I have used CTRL-D.
14. Click on Action, select "Has increased by", and in the Value field insert "1".

15. Go to your icebox and get some cold coke.
16. Switch to Blobby Volley and hit the ball with your left mouse button.
17. Try to be exactly under the ball so you can hit it as often as possible (the ball has to go straight up in the sky).
18. Once you have hit the ball 1 time, press CTRL-D (remember, this shortcut stands for "Has increased by 1").
19. Hit the ball again and press CTRL-D.
20. Hit the ball a last time and press CTRL-D. We have now touched the ball 3 times, which is the maximum; the next touch will be a foul.
21. Switch back to Tsearch. Uhh, wtf, we have exactly 1 value left!

22. Now let's verify this value. Select the line with the address and click on the green + sign to move it to the Description field.
23. Double-click the Value field in the Description box and insert a "0" (zero). This means that when we hit the ball the game increases the value by 1, but Tsearch immediately sets it back to 0.
24. Left of the Description field is a check box; click it until you see a green/blue smiley (same as on the last picture).

25. Switch back to Blobby Volley to test if it works. Try to hit the ball in your field more than 3 times. If it succeeded, you can hit it an unlimited number of times.
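
What Tsearch actually does in steps 6 to 21 is a narrowing search: it snapshots every value in the process, and each press of the hotkey throws away every address whose value did not rise by exactly 1 since the last snapshot. The script below is an added example (not Tsearch's code and not the author's) that replays that algorithm on a constructed 64-byte memory image; the base address, the other fields and the 4-byte search width are assumptions, chosen so that the counter ends up at the page's $017282CC. It also includes a decoy value that rises by 1 on the first hit only, which is why one filter pass is rarely enough and the tutorial needs three.

```python
import struct
from typing import Dict, List, Set, Tuple

WORD = 4                 # search width; assumption: Tsearch's default 4-byte value
BASE = 0x01728290        # constructed base so that BASE + 0x3C is the page's $017282CC
COUNTER_OFF = 0x3C       # the "[edi+0x3C]" field the tutorial ends up at


def make_game_memory() -> bytearray:
    """Constructed 64-byte image of the game's object (not the real game layout)."""
    mem = bytearray(0x40)
    struct.pack_into("<I", mem, 0x00, 60)          # frame counter, changes on every tick
    struct.pack_into("<I", mem, 0x04, 0)           # player score
    struct.pack_into("<I", mem, 0x08, 5)           # decoy that also rises by 1 on the first hit
    struct.pack_into("<I", mem, COUNTER_OFF, 0)    # ball-contact counter
    return mem


def snapshot(memory: bytes, base: int) -> Dict[int, int]:
    """'Unknown Value' search: read every aligned dword, keyed by absolute address."""
    return {base + off: struct.unpack_from("<I", memory, off)[0]
            for off in range(0, len(memory) - WORD + 1, WORD)}


def filter_increased_by(candidates: Set[int], old: Dict[int, int],
                        new: Dict[int, int], delta: int) -> Set[int]:
    """The CTRL-D hotkey: keep only addresses whose value rose by exactly `delta`
    (masked to 32 bits so a wrapped counter is handled like Tsearch would)."""
    return {a for a in candidates if (new[a] - old[a]) & 0xFFFFFFFF == delta}


def hit_ball(mem: bytearray, hit_number: int) -> None:
    """Simulate one ball contact plus the unrelated memory traffic that happens meanwhile."""
    def bump(off: int, by: int) -> None:
        v = struct.unpack_from("<I", mem, off)[0]
        struct.pack_into("<I", mem, off, (v + by) & 0xFFFFFFFF)
    bump(COUNTER_OFF, 1)        # what we are looking for
    bump(0x00, 17)              # frame counter keeps running
    if hit_number == 1:
        bump(0x08, 1)           # decoy survives the first filter only


def run_search(hits: int = 3) -> Tuple[List[int], Set[int]]:
    """Init search, then one 'Has increased by 1' pass per hit.
    Returns the candidate count after each pass and the surviving addresses."""
    mem = make_game_memory()
    old = snapshot(bytes(mem), BASE)
    candidates = set(old)                       # every aligned dword is a candidate
    history = [len(candidates)]
    for n in range(1, hits + 1):
        hit_ball(mem, n)
        new = snapshot(bytes(mem), BASE)
        candidates = filter_increased_by(candidates, old, new, 1)
        history.append(len(candidates))
        old = new
    return history, candidates


def freeze(mem: bytearray, base: int, addr: int, value: int) -> int:
    """The 'set it back to 0' step: write `value` over the found address, as the
    Delphi trainer does with WriteProcessMemory. Returns the value read back."""
    struct.pack_into("<I", mem, addr - base, value)
    return struct.unpack_from("<I", mem, addr - base)[0]


if __name__ == "__main__":
    hist, found = run_search()
    print("candidates after each pass:", hist)          # [16, 2, 1, 1]
    print("surviving address:", [hex(a) for a in found])
```

The candidate count drops from 16 to 2 after the first hit (the counter and the decoy), and to 1 after the second; the third pass only confirms it. A real process has millions of dwords, which is why the count in step 7 is so large, but the filter is the same.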
26. Next step: go to Tsearch. Click on [AUTOHACK]. Choose ENABLE DEBUGGER. Click again on AUTOHACK. Choose [AUTO HACK WINDOW].
27. Right-click your hack like on the picture and choose [AUTO HACK].

28. Switch back to Blobby Volley and hit the ball a few times, so that Blobby Volley increases the value of the ball counter.
29. Tsearch has now found the assembler code that accesses the ball counter.
[Image: Tsearch auto-hack window with the code it found; not reproduced here]
30. As you can see on the picture, we have 4 times mov and 1 time inc. inc stands for increment, mov stands for move.
31. Click on the line with "inc dword ptr [edi+0x3C]".
32. In the bottom window you will now see a memory dump. Select the line with "inc dword ptr [edi+0x3C]", right-click it and choose NOP. NOP means "NO OPeration": the instruction does nothing, so the value of our ball counter is no longer increased. We have now patched the program code in memory instead of just overwriting the variable.

Now we know both addresses for the ball counter.

The address of the variable is: $017282CC
The address of the program code is: $00444fb6 inc dword ptr [edi+0x3C]

Now we have 3 options. We can change the variable only (which I have chosen), we can change the program code in memory (overwriting the instruction bytes FF473C with 909090, which means NOP), or we can crack the exe file, search for FF473C and overwrite it with 909090.
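
The bytes FF 47 3C are not magic: FF is the opcode group that contains INC, 47 is the ModRM byte that says "[edi + 8-bit displacement]" with the /0 sub-opcode for INC, and 3C is the displacement. The instruction is three bytes long, which is why the NOP step and options 2 and 3 replace it with exactly three 0x90 bytes: the next instruction must still start at the same address. The script below is an added example (not Tsearch's code and not the author's trainer) that encodes the instruction from its parts, applies the NOP patch to a constructed code fragment, and then runs the check a program or anti-tamper tool would use to notice the patch: compare the bytes at the known site with the expected instruction and fingerprint the image. The surrounding instructions and the offset of the inc inside the fragment are constructed; the real bytes around $00444fb6 are not on the page.

```python
import hashlib
from typing import List

REG32 = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}
NOP = 0x90


def encode_inc_mem_disp8(base_reg: str, disp: int) -> bytes:
    """Encode `inc dword ptr [base_reg + disp8]`: opcode FF, then a ModRM byte with
    mod=01 (register + 8-bit displacement), reg=0 (/0 selects INC) and rm=base register.
    [esp+disp8] additionally needs a SIB byte and is not handled here."""
    rm = REG32[base_reg]
    if rm == 4:
        raise ValueError("[esp+disp] needs a SIB byte")
    if not -128 <= disp <= 127:
        raise ValueError("displacement does not fit in 8 bits")
    modrm = (0b01 << 6) | (0 << 3) | rm
    return bytes([0xFF, modrm, disp & 0xFF])


# Constructed code fragment standing in for the game's routine around $00444fb6
# (the real neighbouring instructions are not on the page):
#   8B 7D 08   mov edi, [ebp+8]
#   FF 47 3C   inc dword ptr [edi+0x3C]   <- the instruction the tutorial NOPs
#   8B 47 3C   mov eax, [edi+0x3C]
#   C3         ret
CODE = bytes.fromhex("8b7d08" "ff473c" "8b473c" "c3")
INC_SITE = 3                       # offset of the inc inside CODE (constructed)


def find_pattern(code: bytes, pattern: bytes) -> List[int]:
    """All offsets where `pattern` occurs (the 'search for FF473C' step)."""
    hits, i = [], code.find(pattern)
    while i != -1:
        hits.append(i)
        i = code.find(pattern, i + 1)
    return hits


def nop_out(code: bytes, offset: int, length: int) -> bytes:
    """What Tsearch's NOP does: one 0x90 per instruction byte, so the code keeps
    its length and the following instruction still starts at the same address."""
    return code[:offset] + bytes([NOP]) * length + code[offset + length:]


def verify_site(code: bytes, offset: int, expected: bytes) -> str:
    """Integrity check over a known site: 'intact', 'nopped' (replaced by NOPs of
    the same length) or 'modified' (anything else, e.g. a half-applied patch)."""
    actual = code[offset:offset + len(expected)]
    if actual == expected:
        return "intact"
    if actual == bytes([NOP]) * len(expected):
        return "nopped"
    return "modified"


def image_fingerprint(code: bytes) -> str:
    """SHA-256 of the code image; any in-place patch changes it."""
    return hashlib.sha256(code).hexdigest()


if __name__ == "__main__":
    inc = encode_inc_mem_disp8("edi", 0x3C)
    print(inc.hex())                                           # ff473c
    patched = nop_out(CODE, INC_SITE, len(inc))
    print(verify_site(CODE, INC_SITE, inc), verify_site(patched, INC_SITE, inc))
    print(image_fingerprint(CODE) == image_fingerprint(patched))   # False
```

Note that `verify_site` only works for a site whose original bytes you know; a whole-image fingerprint catches any patch but cannot say where it is. The two checks together are the usual minimum a game or trainer-resistant program runs over its own hot code.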


I have chosen method 1, overwriting the variable.

Here is my program code for this (written in Borland Delphi):




Code:
--------------------------------------------------------------------------------------------------------------------------------
// Needs Windows, Dialogs and ExtCtrls in the unit's uses clause (a normal VCL form unit has them).
procedure TForm1.CheckBox1Click(Sender: TObject);
var
  WindowName: HWND;
  ProzessID: DWORD;
  HandleWindow: THandle;
  buf: Integer;          // 4-byte value that is written over the counter
  written: DWORD;        // bytes actually written, filled in by WriteProcessMemory
const
  Address = $017282CC;   // address of the ball-contact counter found with Tsearch
begin
  WindowName := FindWindow(nil, 'Blobby Volley');
  if WindowName = 0 then
  begin
    MessageDlg('anwendung nicht da!/programm not running', mtWarning, [mbOK], 0);
    Timer1.Enabled := False;
  end
  else
  begin
    GetWindowThreadProcessId(WindowName, @ProzessID);
    HandleWindow := OpenProcess(PROCESS_ALL_ACCESS, False, ProzessID);
    buf := 0;            // 0 = value of ball contacts
    WriteProcessMemory(HandleWindow, Pointer(Address), @buf, SizeOf(buf), written);
    CloseHandle(HandleWindow);
    Timer1.Enabled := True;
  end;
end;
----------------------------------------------------------------------------------------------------------
Just place a timer and a checkbox on a form.


If you don't have Delphi, you can download the compiled exe here:


http://www.seite815.de/blobbytut/blobby_trainer.zip


If you have any suggestions, feel free to write me a mail: buddypop at gmx.de, or visit me on QuakeNet #delphi.de


Big thanks go out to T3rm1, who helped me to find addresses in many programs :)

Source : http://www.blizzhackers.cc/viewtopic.php?t=322175


Design by Kang Iwan K-sev | Thanks for your visit to my site - Ridwan Mulyana | Cibeureum