
Statedef Overflow Tutorial


For the statedef overflow tutorial you will need Cheat Engine, OllyDbg and a hex editor such as HxD.

A statedef overflow is a statedef followed by a long string.

How long does the string have to be to cover the return address? At least 57 to 60 characters.

The address is contained in the last 4 characters of the overflow.

Like this:

[statedef 1234567890123456789012345678901234567890123456789012345abcd]

Note that a space counts as a character, and so does !.

abcd is a temporary address, but you can use this:


This is a jump instruction that makes MUGEN jump to your ASM code so it can be read.

23456789012345678901234567890123456789012345678901234

This is just the usual filler that overflows the part we don't need.

F2@

This is the pointer.

Make sure there is at least one state controller after the statedef, so it does not give a state controller error.

Like this:

[State ]

type = assertspecial

trigger1 = 0

flag = timerfreeze

or anything else; type = null works too, as does any other state controller.

It is better to write the statedef overflow in an ST file than in a CNS file, because a CNS has two return values while an ST only has one, and we only need one return value.

As for the pointer, it does not change much if you use v-@ instead of F2@, but I would say using F2@ is better.

[Statedef ë:23456789012345678901234567890123456789012345678901234F2@]

[State ]  

type = assertspecial

trigger1 = 0

flag = timerfreeze


But we don't have our ASM code yet, so let's do a quick search.

Open Cheat Engine and find the addresses of lifeset and ctrlset.

In Memory view, search for the strings lifeset and ctrlset. They are at:

004AB2A4 (lifeset)

004AB1D0 (ctrlset)

Now open Notepad and take a close look at address 004AB2A4.

You know how %n works: it changes the value at a memory address. A statedef overflow can do the same.


Most %n exploits can be converted into a statedef overflow, the parent bug for example.

One of the most important instructions in ASM is MOV.

A MOV DWORD instruction moves, that is changes, 4 byte values starting at a certain address:


MOV DWORD PTR DS:[4AB2A4],6C727463


Yes, it changes "life" to "ctrl".

It is the same address, but with MOV DWORD you change 4 values starting from the initial address, which means this MOV DWORD changes the values at:

4AB2A4

4AB2A5

4AB2A6

4AB2A7

Since we changed lifeset to ctrlset, we need to change ctrlset to lifeset to avoid an error.

Can you write the next MOV DWORD, the one that changes ctrlset to lifeset?


You write ASM immediate values from right to left.

Take the first MOV:

MOV DWORD PTR DS:[4AB2A4],6C727463

63 = c

74 = t

72 = r

6C = l

That is why you have to think from right to left instead of left to right when writing ASM: x86 is little-endian, so the DWORD 6C727463 lands in memory as the bytes 63 74 72 6C, which read as "ctrl".

MOV DWORD PTR DS:[4AB1D0],6566696C

This is the second MOV, needed to change ctrlset back to lifeset so there is no error.

Finally, we are almost finished with the ASM code.

The three instructions needed to finish it are:

SUB ESP,18

MOV DWORD PTR SS:[ESP],47EB31

RETN

SUB ESP,18

Because we used 18 (hex) bytes of space for our ASM code, we need to decrease ESP again to undo that.

MOV DWORD PTR SS:[ESP],47EB31

We need to change the value at ESP back to the original value, which is 47EB31.

This is the most important instruction:

RETN

It returns from your ASM code; it is like a return statement in C or any other programming language, and it lets the program carry on as if your code had returned normally.

So our full ASM code is this:

MOV DWORD PTR DS:[4AB2A4],6C727463

MOV DWORD PTR DS:[4AB1D0],6566696C

SUB ESP,18

MOV DWORD PTR SS:[ESP],47EB31

RETN


Now open winmugen.exe in OllyDbg and find a code cave, meaning an area filled with 00. That is where we will assemble our ASM code and read it back as ASCII.

Paste the code there, making sure you paste it correctly and with your own memory address.

Now copy the ASCII:


Ǥ²J.ctrlÇбJ.lifeƒìÇ$1ëG.Ã.


You see the "." characters? Each one marks a spacing you have to put in, so the code is split up like this:

Ǥ²J

ctrlÇбJ

lifeƒìÇ$1ëG

Ã

That is the ASM code.

Now add a ctrlset state controller so we can test whether it works:


[State ]

type = ctrlset

trigger1 = 1

value = 1


[Statedef ë:23456789012345678901234567890123456789012345678901234F2@]

Ǥ²J

ctrlÇбJ

lifeƒìÇ$1ëG

Ã

[State ]  

type = ctrlset

trigger1 = 1

value = 1
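As an added defensive example (not part of the tutorial), the following Python script scans a MUGEN state file for [Statedef] headers that match the overflow shape described here: a name of 57 or more characters, non-printable bytes where a state number should be, or a name that is not a state number at all. The 57-character threshold is the tutorial's own figure; the sample file is constructed for this example and reuses the overflow header shown above, encoded as Windows-1252 so that the leading "ë" is the single byte it would be on disk.

```python
"""Added example (not from the tutorial): scan a MUGEN .cns/.st file for
[Statedef] headers that look like a statedef overflow."""
import re

# The tutorial's figure: a name of 57 characters or more reaches the saved
# return address, so anything at or past this length is worth a look.
OVERFLOW_LEN = 57

# A statedef header read as raw bytes; the name is everything between
# "statedef" and the closing bracket (MUGEN section names are case-insensitive).
STATEDEF_RE = re.compile(rb"^\s*\[\s*statedef\s+([^\]]*)\]", re.IGNORECASE)


def scan_state_file(data: bytes) -> list:
    """Return one finding per suspicious [Statedef ...] header in data."""
    findings = []
    for lineno, line in enumerate(data.splitlines(), start=1):
        m = STATEDEF_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        reasons = []
        if len(name) >= OVERFLOW_LEN:
            reasons.append("name length %d >= %d" % (len(name), OVERFLOW_LEN))
        # Shellcode and return-address bytes fall outside printable ASCII.
        if any(b < 0x20 or b > 0x7E for b in name):
            reasons.append("non-printable byte in name")
        # A legitimate statedef name is an integer state number such as 200 or -2.
        if not re.fullmatch(rb"-?\d+", name.strip()):
            reasons.append("name is not an integer state number")
        if reasons:
            findings.append({"line": lineno, "name_len": len(name), "reasons": reasons})
    return findings


# Constructed sample: a normal statedef followed by the overflow header from the
# tutorial, encoded as Windows-1252 so the leading "ë" is one byte (0xEB).
SAMPLE = (
    b"[Statedef 200]\ntype = S\n"
    b"[State 200, 1]\ntype = null\ntrigger1 = 1\n"
    + "[Statedef \u00eb:23456789012345678901234567890123456789012345678901234F2@]\n".encode("cp1252")
    + b"[State ]\ntype = ctrlset\ntrigger1 = 1\nvalue = 1\n"
)

if __name__ == "__main__":
    for f in scan_state_file(SAMPLE):
        print("line %d: name length %d, %s" % (f["line"], f["name_len"], "; ".join(f["reasons"])))
```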
