
[help] Offsets


iCali


Just a quick question. How do you go about obtaining offsets from an address? I use TSearch and OllyDbg. Help would be appreciated. (I'm looking for the byte that looks like 0x14, 0x04, 0x0C and stuff like that).

~ iCali


It isn't hard to calculate an offset. Take the final address value and subtract the original address value and there you have your offset.

e.g.

0x0100 a
0x0101 b
.
.
.
0x0105 f
0x0106 g

To find the offset to g from a take 0x0106 and subtract 0x0100 which gives you an offset of 0x0006.

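An added example, not written by any poster in this thread, of the subtraction described in the reply above applied to a record in memory: the offset of a field is its address minus the record's base address, and it stays the same even when the base moves between allocations or runs. The `struct stats` layout and its field names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout for illustration; field names are hypothetical. */
struct stats {
    uint32_t id;      /* offset 0x00 */
    uint32_t hp;      /* offset 0x04 */
    uint32_t mp;      /* offset 0x08 */
    uint32_t exp;     /* offset 0x0C */
    uint32_t flags;   /* offset 0x10 */
    uint32_t level;   /* offset 0x14 */
};

/* Offset = address of the field minus the address of the start of the record. */
static size_t offset_from(const void *base, const void *field)
{
    return (size_t)((const unsigned char *)field - (const unsigned char *)base);
}

/* Read a 32-bit value at base + offset without assuming alignment. */
static uint32_t read_u32(const void *base, size_t offset)
{
    uint32_t v;
    memcpy(&v, (const unsigned char *)base + offset, sizeof v);
    return v;
}

/* Two heap records have different bases but identical field offsets.
   Returns 1 when that holds and both reads via base + offset are correct. */
static int offsets_survive_relocation(void)
{
    struct stats *a = malloc(sizeof *a), *b = malloc(sizeof *b);
    if (!a || !b) { free(a); free(b); return 0; }
    a->hp = 120; a->level = 7;
    b->hp = 45;  b->level = 31;
    size_t hp_off = offset_from(a, &a->hp);
    size_t lvl_off = offset_from(a, &a->level);
    int ok = (a != b)
          && hp_off == offset_from(b, &b->hp)
          && lvl_off == offset_from(b, &b->level)
          && read_u32(b, hp_off) == 45
          && read_u32(b, lvl_off) == 31;
    free(a); free(b);
    return ok;
}

int main(void) { return offsets_survive_relocation() ? 0 : 1; }
```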


Thanks for the help but it's not like that. I'm using it to read memory from a program to send back information if a circumstance is met, like:

$Health = _MemoryRead($ADDR_Health, $PROCESS_INFO)
if ($Health < $HEAL_Health) Then
...

so basically that one would be a start to an auto healer. If you haven't figured this out, I'm working on autos.

~iCali


You need to be a little bit more descriptive. What you are trying to do and so on...

I'm looking for basically how to find the offset from where the program's memory is stored. I know it's dynamic, but I've taken that into account in the code. So basically, I need a way to find the offset "0xFF" from an address "FFFFFFFF" using a debugger (I use OllyDbg because it was recommended to me, if you have a better recommendation, I would love to check it out :D)


I don't know anything about assembly, but sounds like you need to build an egg hunter. Put something into an area that you can buffer overflow and check where it is, then work from there maybe. This is one of those times when I wish I took the offsec classes, cause Mati knows this stuff like the back of his hand. He speaks asm like a second language. Also, I think depending on the OS, such as XP, vs Vista, vs 7 and 32 vs 64 bit, it's all going to be in different places, not to mention if the program uses ASLR it should be randomizing where it's putting things in memory.

The guys over at Corelan also have a lot of material on their site for this sort of thing - https://www.corelan.be/index.php/forum/


I have the memory problem controlled, it uses the process information to help construct the offset, I'm just looking for the place the memory is stored, I already have it statically laid out. Where do you take classes for this kind of stuff? I can't seem to find any good tutorials online, and my High School offers no coding classes, I've had to teach myself, which I've also heard, leads to bad coding habits.

- Edit -

Just looked at that website, it looks like they are focusing on "exploits". What I'm doing isn't exploiting, I just want to use memory that you already have access to like "HP", "MP", "EXP", "Level" and use them to construct some basic form of AI to send button pushes.

Edited by iCali

I know you aren't developing exploits, but it's essentially the same thing. Just exploits tend to do malicious things, and you are trying to just do another function that isn't malicious, which I think their site might help with getting down to that low level understanding of asm and how to access things in a debugger or such.

As far as classes, Offensive Security teaches classes on a number of subjects. One of their classes, AWE (Advanced Windows Exploitation) covers using debuggers and such, which might come in handy, but it's high level stuff, not for someone at an introductory level, but if you know programming and how to write shell scripts somewhat, that would be something to check out. Their Cracking the Perimeter class also goes over egghunting which is probably going to give you a better understanding of asm and using a debugger.

I fail when it comes to using Olly, and know that I don't know enough, but if I wanted to dig into it, Corelan and Offsec would be the two places to study and learn from - http://www.offensive-security.com/
