    SpiderByte

    Gunz Olly Debugger Tutorial

    Utilities Needed

    The Complete Package
    (This Contains (Olly Debugger w/ OllyDump, OllyHelper, and HideDebugger), (ImportReconstruction), (Signatures File), and (GunzRunnable [09-03-05]).)

    Creating A Runnable

    Step 1 - Open Olly and change your setting to the following:
    https://img150.imageshack.us/img150/7...unnable9hj.jpg

    Step 2 - Select Gunz.exe:
    https://img249.imageshack.us/img249/4...unnable2ai.jpg

    Step 3 - Let Olly find the Original Entry Point (OEP):
    https://img355.imageshack.us/img355/5...unnable7xu.jpg

    Step 4 - Under Plugin, choose OllyDump, and then Dump Debugged Process:
    https://img137.imageshack.us/img137/5...unnable2wu.jpg

    Step 5 - Uncheck Rebuild Import and Copy the Modified OEP:
    https://img140.imageshack.us/img140/6...unnable6zq.jpg

    Step 6 - Press Dump and Save As Dump:
    https://img157.imageshack.us/img157/9...unnable5sj.jpg

    Step 7 - Minimize Olly and Open ImpRec:
    https://img458.imageshack.us/img458/7...unnable9ov.jpg

    Step 8 - Select Gunz.exe in the drop-box:
    https://img154.imageshack.us/img154/4...unnable5yj.jpg

    Step 9 - In the box next to OEP, Paste the number you Copied:
    https://img138.imageshack.us/img138/9...unnable8gk.jpg

    Step 10 - Press IAT AutoSearch, if you get this result then move to Step 11:
    https://img149.imageshack.us/img149/6...unnable8ed.jpg

    Step 11 - Press Get Imports, if you get this result then move to Step 12:
    https://img455.imageshack.us/img455/3...unnable3nv.jpg

    Step 12 - Press Fix Dump and choose Dump:
    https://img475.imageshack.us/img475/4...unnable0ak.jpg

    Step 13 - If you see this result then you have made a runnable successfully:
    https://img250.imageshack.us/img250/6...unnable2os.jpg

    Making Your Runnable Run

    Step 1 - Move Dump_ to your Gunz folder and open Olly:
    https://img149.imageshack.us/img149/7...ablerun9ne.jpg

    Step 2 - Select Dump_ in Olly:
    https://img409.imageshack.us/img409/9...ablerun8on.jpg

    Step 3 - Right-click and - Search For - All Referenced Text Strings:
    https://img133.imageshack.us/img133/7...ablerun6fb.jpg

    Step 4 - Right-click and - Search For Text - I_hate_hacker or I_love_MAIET:
    https://img266.imageshack.us/img266/8...ablerun1wf.jpg

    Step 5 - Right-click and - Follow In Disassembler:
    https://img148.imageshack.us/img148/1...ablerun8dn.jpg

    Step 6 - Scroll to the top of the function, click it, right-click, and Go To Local Call:
    https://img403.imageshack.us/img403/3...ablerun9ey.jpg

    Step 7 - NOP the CMP two lines under the CALL you arrived at:
    https://img133.imageshack.us/img133/1...ablerun6vt.jpg



    Name Hack

    Step 1 - Right-click and Search For - All Referenced Text Strings - Search For Text - resultbackground.png:
    https://img70.imageshack.us/img70/546...amehack5jx.jpg
    https://img242.imageshack.us/img242/4...amehack2bz.jpg

    Step 2 - Click on FONTa10_O2Wht, right-click, and Follow In Disassembler:
    https://img138.imageshack.us/img138/9...amehack8ik.jpg

    Step 3 - NOP the Jumps highlighted in red (they won't be highlighted for you):
    https://img313.imageshack.us/img313/9...amehack1rk.jpg
    https://img343.imageshack.us/img343/2...amehack7wx.jpg

    Step 4 - If it looks like this then save it to your runnable and you will have Name Hack:
    https://img494.imageshack.us/img494/9...amehack6il.jpg



    Disable The Cuss Filter

    55 8B 6C 24 0C 56 8B 74 24 0C 3B F5 74 2B 53

    Step 1 - Open GunzRunnable [09-03-05], Copy the Binary, go back to Olly, press Ctrl+B, and Paste the Binary:
    https://img153.imageshack.us/img153/3...sfilter2fj.jpg

    Step 2 - Scroll up as many functions as you need to until you see this chunk of code:
    Code:
    00505070  /$ 6A FF                PUSH -1
    00505072  |. 68 E8EA5B00          PUSH GunzRunn.005BEAE8                   ;  SE handler installation
    00505077  |. 64:A1 00000000       MOV EAX,DWORD PTR FS:[0]
    0050507D  |. 50                   PUSH EAX
    0050507E  |. 64:8925 00000000     MOV DWORD PTR FS:[0],ESP
    00505085  |. 83EC 3C              SUB ESP,3C
    00505088  |. 8B5424 4C            MOV EDX,DWORD PTR SS:[ESP+4C]
    0050508C  |. A1 80596200          MOV EAX,DWORD PTR DS:[625980]
    00505091  |. 53                   PUSH EBX
    00505092  |. 56                   PUSH ESI
    00505093  |. 33DB                 XOR EBX,EBX
    00505095  |. 3BD3                 CMP EDX,EBX
    00505097  |. 57                   PUSH EDI
    https://img272.imageshack.us/img272/5...sfilter4rh.jpg

    Step 3 - NOP the JNZ highlighted in red (won't be highlighted for you):
    https://img154.imageshack.us/img154/9...sfilter9mr.jpg

    Step 4 - If it looks like this then save it to your runnable and you will have Disabled Cuss Filter:
    https://img364.imageshack.us/img364/3...sfilter3zy.jpg



    No Clip

    83 EC 30 53 8B 5C 24 38 8B 43 14 85 C0 56 8B

    Step 1 - Copy the Binary, press Ctrl+B, and Paste it:
    https://img19.imageshack.us/img19/685...1noclip9gy.jpg

    Step 2 - Scroll down two functions until you come to this chunk of code:
    Code:
    004CFED0  /$ 8B4424 1C            MOV EAX,DWORD PTR SS:[ESP+1C]
    004CFED4  |. 8B5424 18            MOV EDX,DWORD PTR SS:[ESP+18]
    004CFED8  |. 8B89 24020000        MOV ECX,DWORD PTR DS:[ECX+224]
    004CFEDE  |. 50                   PUSH EAX
    004CFEDF  |. 8B4424 18            MOV EAX,DWORD PTR SS:[ESP+18]
    004CFEE3  |. 52                   PUSH EDX
    004CFEE4  |. 8B5424 18            MOV EDX,DWORD PTR SS:[ESP+18]
    004CFEE8  |. 50                   PUSH EAX
    004CFEE9  |. 8B4424 18            MOV EAX,DWORD PTR SS:[ESP+18]
    004CFEED  |. 52                   PUSH EDX
    004CFEEE  |. 8B5424 18            MOV EDX,DWORD PTR SS:[ESP+18]
    004CFEF2  |. 50                   PUSH EAX
    004CFEF3  |. 8B4424 18            MOV EAX,DWORD PTR SS:[ESP+18]
    004CFEF7  |. 52                   PUSH EDX
    004CFEF8  |. 50                   PUSH EAX
    004CFEF9  |. 51                   PUSH ECX
    004CFEFA     E8 01190200          CALL GunzRunn.004F1800                   ;  No Clip [NOP]
    004CFEFF  |. 83C4 20              ADD ESP,20
    004CFF02  \. C2 1C00              RETN 1C
    https://img143.imageshack.us/img143/5...2noclip5lq.jpg

    Step 3 - NOP the CALL at the end of the function:
    https://img404.imageshack.us/img404/5...3noclip3ip.jpg

    Step 4 - If it looks like this then save it to your runnable and you will have No Clip:
    https://img142.imageshack.us/img142/5...4noclip3rs.jpg



    No Spread

    Step 1 - Right-click and Search For - All Referenced Text Strings - Search For Text - iscashitem:
    https://img306.imageshack.us/img306/9...ospread4hm.jpg
    https://img408.imageshack.us/img408/7...ospread3pf.jpg

    Step 2 - Right-click and Follow In Disassembler:
    https://img135.imageshack.us/img135/8...ospread3od.jpg

    Step 3 - Scroll down until you see ASCII "ctrl_ability":
    https://img270.imageshack.us/img270/9...ospread4wq.jpg

    Step 4 - NOP both of the CALLs highlighted in red (won't be highlighted for you):
    https://img307.imageshack.us/img307/7...ospread2ji.jpg
    https://img311.imageshack.us/img311/2...ospread5nr.jpg

    Step 5 - If it looks like this save it to your runnable and you will have No Spread:
    https://img132.imageshack.us/img132/3...ospread3as.jpg



    God Mode

    Step 1 - Right-click and Search For - All Referenced Text Strings - Search For Text - iscashitem:
    https://img306.imageshack.us/img306/9...ospread4hm.jpg
    https://img408.imageshack.us/img408/7...ospread3pf.jpg

    Step 2 - Scroll up until you see ASCII "damage" (it should be right above it...):
    https://img404.imageshack.us/img404/7...godmode1mb.jpg

    Step 3 - NOP the two CALL's in the function:
    https://img285.imageshack.us/img285/4...godmode8eh.jpg
    https://img255.imageshack.us/img255/7...godmode6wj.jpg

    Step 4 - If it looks like this save it to your runnable and you will have God Mode:
    https://img345.imageshack.us/img345/7...godmode2eu.jpg
    Last edited by arunforce; 05-25-2006 at 11:52 PM.
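
Added example, not part of the original post: seen from the defender's side, every patch in this thread overwrites a CALL, CMP or conditional jump with 0x90 bytes, and a comparison against a known-good copy of the code section localizes exactly that. The reference bytes come from the end of the No Clip listing above; the patched copy, the function names and the sample layout are constructed for illustration.

```python
import hashlib
import hmac

NOP = 0x90  # x86 single-byte no-op, the fill value used for every patch in the post


def is_tampered(reference: bytes, candidate: bytes) -> bool:
    """First-line check: does the code still hash to the known-good value?"""
    good = hashlib.sha256(reference).digest()
    seen = hashlib.sha256(candidate).digest()
    return not hmac.compare_digest(good, seen)


def find_nop_patches(reference: bytes, candidate: bytes, base: int = 0):
    """Return [(address, length, original_bytes)] for each run of 0x90 in the
    candidate that overwrote different bytes in the reference."""
    if len(reference) != len(candidate):
        raise ValueError("images differ in size; compare section by section")
    findings, i, n = [], 0, len(reference)
    while i < n:
        if candidate[i] == NOP and reference[i] != NOP:
            start, end = i, i + 1
            # Walk the whole NOP run; an original byte that was already 0x90
            # inside the run must not split the finding in two.
            while i < n and candidate[i] == NOP:
                if reference[i] != NOP:
                    end = i + 1  # last byte that actually changed
                i += 1
            findings.append((base + start, end - start, reference[start:end]))
        else:
            i += 1
    return findings


# Constructed sample: bytes 004CFEF8..004CFF04 of the No Clip listing
# (PUSH EAX, PUSH ECX, CALL, ADD ESP,20, RETN 1C) as the known-good reference.
BASE = 0x004CFEF8
REFERENCE = bytes.fromhex("50 51 E8 01 19 02 00 83 C4 20 C2 1C 00")
# Constructed tampered copy: the five CALL bytes replaced with NOPs.
PATCHED = REFERENCE[:2] + bytes([NOP] * 5) + REFERENCE[7:]

if __name__ == "__main__":
    print("tampered:", is_tampered(REFERENCE, PATCHED))
    for addr, length, original in find_nop_patches(REFERENCE, PATCHED, BASE):
        print(f"{addr:08X}: {length} bytes NOPed, original {original.hex(' ').upper()}")
```

An in-process check can be patched out the same way, so the comparison belongs in a separate process or on the server side.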
