Target

Our target in this lesson will be Wesnoth 1.14.9.

Identify

Our goal in this lesson is to change Wesnoth’s code so that recruiting units does not decrease our gold.

Understand

To modify the game’s code, we will need to use a debugger. To locate the game code to modify, we will set a breakpoint on our gold address and then recruit a unit. Our debugger will pop at the code responsible for decreasing our gold. We can then nop out the sub instruction.

Locating Gold

Our first step is opening up Wesnoth and creating a local game. Then you can follow the steps in the Memory Hack lesson to find your gold address. Due to a process called Dynamic Memory Allocation (or DMA), it will be at a different address than before. We will cover DMA in a future lesson. Once you have found your new gold address, close down Cheat Engine but keep Wesnoth open. In this lesson, we will use the value of 0x051D875C as our gold address.

Attaching the Debugger

Next, start the 32-bit version of x64dbg. It can be found at C:\ProgramData\chocolatey\lib\x64dbg.portable\tools\release\x32\x32dbg.exe. Once started, open the File menu and choose Attach.

x64dbg's Attach Feature

In the attach dialog that opens up, choose the Wesnoth process and hit Attach. This will attach our debugger to the Wesnoth process.

Select Wesnoth in x64dbg's Process List

Upon attaching, x64dbg will pop in a module called ntdll.dll and display a lot of information.

x64dbg Full Display and Sections

Before we dive into reversing, let’s quickly cover the major components in any debugger. The highlighted section contains the code being executed. The dump section directly below displays the memory of the application in its hexadecimal (hex) and ASCII representation. To the right of the code section is a list of all registers and their values. Below the registers is the application’s stack.

In this lesson, we will only be using the code section and the dump section. For more complex hacks, understanding all these sections will be necessary. Different debuggers will always contain all of this information, but they will often arrange them in different ways.

We are currently viewing the ntdll.dll module. This is not our target, but it’s a common module loaded into all Windows executables. To view the game’s code, we need to navigate to the Symbols tab and double-click on wesnoth.exe.

x64dbg's Symbol Tab and Feature

This will switch our view to the game’s code and memory space.

Setting Up the Debugger

Certain default settings in x64dbg will make it pop when we do not want it to. To make reversing in this lesson and future lessons easier, we will disable these settings.

In the top menu, choose Options -> Preferences.

x64dbg's Preferences Option

In the modal that opens, uncheck the TLS Callbacks option and select Save. This will disable x64dbg from automatically popping when receiving a TLS callback.

Disable Breakpoints on TLS Callbacks in x64dbg

Setting a Breakpoint

Next, we will set a breakpoint on our gold location. After we set this breakpoint, we will go into Wesnoth and recruit a unit. Doing so will cause the breakpoint to pop and pause execution at the location responsible for subtracting gold.

Right-click in the dump section and choose Go to -> Expression:

Navigating to an Address in x64dbg's Dump

In the dialog that opens, type in our gold address and hit OK.

Entering the Player's Gold Address in x64dbg's Navigation Feature

The dump will then show the address we just typed in. The data displayed is in hexadecimal format. In the target game, the player had 100 gold. 100 in hexadecimal format is 0x64. This is the value displayed in the dump.

x64dbg's Dump Displaying the Player's Gold Address

Right-click on the value and choose Breakpoint -> Hardware, Write -> DWORD. This will set a conditional breakpoint on this memory address. The condition for popping is any modification of the memory address.

Setting a Hardware Breakpoint on the Player's Gold Address

With our breakpoint set, we will now resume execution of the program. This can be done by pressing the Play button until the Paused status disappears and the game resumes. You will have to do this several times due to the several breakpoints that x64dbg automatically creates.

x64dbg's Resume Feature

Locating Code

Once the game resumes, go back into Wesnoth and recruit a unit. You will notice that Wesnoth will freeze due to our breakpoint popping and pausing execution. Navigate back to x64dbg to see where it popped.

x64dbg Displaying the Function Used to Change Player Gold

The highlighted EIP represents the current location of execution within the program. EIP stands for Extended Instruction Pointer and is a special register used by programs to understand the current execution location.

From our last lesson, we know that conditional breakpoints are triggered after the operation that affected the memory in question. Scroll up in the code window to see the previous instructions.

x64dbg Displaying the Line of Code Used to Change Player Gold

The highlighted sub instruction was responsible for modifying our gold value. As we remember from previous lessons, sub stands for subtract and is responsible for subtracting two numbers. In this case, it is subtracting the value held in the memory location stored in edx + 4 and eax. The exact specifics of these values are not necessary to know now. All we need to know is that this operation is affecting our gold in some way.

Change

Finally, we will change this code and finish our hack. To do this, we will replace the sub instruction with the nop instruction. This will replace the subtraction with an operation that does nothing. As a result, our gold will no longer decrease. Luckily, x64dbg contains a built-in way to automatically nop out an instruction. Right-click on the line with the subtract instruction and choose Binary -> Fill with NOPs.

Using x64dbg's Fill Feature to Change an Instruction to NOPs

x64dbg will populate the next values for you automatically. Just select OK on the next screen.

x64dbg's Fill Feature Options

If done correctly, the code should now look like the image below. You will notice there are three nop instructions. We will cover why in a future lesson.

The Change Gold Code Changed After Filling the sub Instruction With NOPs

Before we can verify that our change has worked, we need to disable our breakpoint so that it doesn’t pop again. To do this, first go to the Breakpoints tab. This tab contains a list of all the breakpoints we have set in the application.

x64dbg's Breakpoints Tab

Right-click on the breakpoint you have set and choose Remove.

Removing a Breakpoint in x64dbg

With the breakpoint removed and the code changed, we can now go back into Wesnoth and observe our changes. Recruit a few units and observe that your gold no longer goes down.

 

results matching ""

    No results matching ""