Statedef Overflow

Statedef Overflow Tutorial



To perform a Statedef overflow you will need Cheat Engine, OllyDbg, and a hex editor such as HxD.

A Statedef overflow is a [Statedef] line followed by a string long enough to overrun the buffer Mugen copies it into.

How long does the string have to be to reach the return address?

Between 57 and 60 characters.

The return address is the last 4 characters of the overflow.

like this:

[statedef 1234567890123456789012345678901234567890123456789012345abcd]

Note that a space counts as a character, and so does !

abcd is only a placeholder for the address. What you actually put there is F2@: it overwrites the return address with the location of a jump instruction inside Mugen that transfers control to your ASM code.

So the overflow breaks down into two parts:

23456789012345678901234567890123456789012345678901234

the padding, 53 characters whose only job is to overflow the part we do not care about, and

F2@

the pointer, which lands on the return address.

Make sure there is at least one state controller after the Statedef, or Mugen will raise a state controller error.

Like this:

[State ]

type = assertspecial

trigger1 = 0

flag = timerfreeze

Any other state controller works as well; type = null is fine too.

It is better to write the Statedef overflow in a .st file than in a .cns file: the CNS path has two return values, the ST path only has one, and we only need one.

As for the pointer, using v-@ instead of F2@ makes little difference, but F2@ is the better choice.

Putting it together (the two characters ë: in front of the padding are the bytes EB 3A, which the CPU decodes as a short jump 58 bytes forward; counted from the byte after the jump, that is exactly the rest of this line plus one terminator byte, so if each line is followed by a single terminator the jump lands on the first byte of the next line):

[Statedef ë:23456789012345678901234567890123456789012345678901234F2@]

[State ]

type = assertspecial

trigger1 = 0

flag= timerfreeze
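As an added check (example code, not from the tutorial), the C below builds the overflow line from its parts and verifies the properties the layout depends on: the overflow is 58 characters (inside the 57 to 60 range), the leading ë: decodes as a short jump whose target is the byte right after this line's terminator, and F2@ followed by a 00 byte reads as the little-endian address 00403246. Function names are mine, and two things are assumptions rather than statements of the tutorial: that each line sits in memory followed by exactly one terminator byte, and that the fourth byte of the pointer is 00.

```c
/* Added example, not code from the tutorial. Builds the "[Statedef ...]"
 * overflow line and checks its layout. ASSUMPTIONS (mine): one terminator
 * byte follows each line in memory; the byte after "F2@" is 00. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREFIX       "[Statedef "
#define MIN_OVERFLOW 57   /* tutorial: at least 57 characters */
#define PAD53        "23456789012345678901234567890123456789012345678901234"

/* Little-endian 32-bit value, the way the CPU loads a return address. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* "F2@" is three printable characters; the fourth byte of the address is
 * whatever follows them in memory, so the caller passes it explicitly. */
static uint32_t pointer_value(const char *ptr3, unsigned char fourth)
{
    unsigned char b[4] = { (unsigned char)ptr3[0], (unsigned char)ptr3[1],
                           (unsigned char)ptr3[2], fourth };
    return le32(b);
}

/* Assemble "[Statedef " + head + padding + pointer + "]" into out.
 * Returns the line length in bytes, or 0 if it does not fit. */
static size_t build_statedef_line(char *out, size_t cap, const char *head,
                                  const char *pad, const char *ptr3)
{
    size_t need = strlen(PREFIX) + strlen(head) + strlen(pad) + strlen(ptr3) + 1;
    if (need + 1 > cap) return 0;
    snprintf(out, cap, "%s%s%s%s]", PREFIX, head, pad, ptr3);
    return need;
}

/* Characters between "[Statedef " and the closing bracket: the overflow. */
static size_t overflow_length(const char *line)
{
    const char *end = strchr(line, ']');
    if (strncmp(line, PREFIX, strlen(PREFIX)) != 0 || end == NULL) return 0;
    return (size_t)(end - line) - strlen(PREFIX);
}

/* If the overflow starts with a short jump (EB rel8), return the offset
 * from the start of the line that the jump lands on; otherwise -1.
 * rel8 is counted from the end of the two-byte instruction. */
static long short_jump_target(const char *line)
{
    const unsigned char *p = (const unsigned char *)line + strlen(PREFIX);
    if (p[0] != 0xEB) return -1;
    return (long)(strlen(PREFIX) + 2) + (signed char)p[1];
}

int main(void)
{
    char line[128];
    size_t len = build_statedef_line(line, sizeof line, "\xEB:", PAD53, "F2@");
    printf("line is %zu bytes, overflow is %zu chars (min %d)\n",
           len, overflow_length(line), MIN_OVERFLOW);
    printf("F2@ followed by 00 reads as 0x%08X\n",
           (unsigned)pointer_value("F2@", 0x00));
    /* ASSUMPTION: one terminator byte, so the next line starts at len + 1 */
    printf("short jump lands at offset %ld, next line starts at %zu\n",
           short_jump_target(line), len + 1);
    return 0;
}
```

The "\xEB:" literal is the ë: from the tutorial's line written as its raw byte, since a UTF-8 source file would otherwise encode ë as two bytes.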

But we don't have our ASM code yet, so first a quick search.

Open Cheat Engine, attach it to Mugen, and open the Memory view.

Find the strings lifeset and ctrlset. In this build they are at:

004AB2A4 (lifeset)

004AB1D0 (ctrlset)

Now open Notepad and take a close look at address 004AB2A4.

You know how %n works: it writes a value into a memory address.

A Statedef overflow can do the same, and most %n tricks can be converted into a Statedef overflow, the parentbug for example.

One of the most important instructions in ASM is MOV.

MOV DWORD writes 4 bytes (a double word) starting at a given address:

MOV DWORD PTR DS:[4AB2A4],6C727463

This overwrites life with ctrl, so the string lifeset now reads ctrlset.

It is the same address we found, but because the write is a DWORD it changes the 4 bytes starting there, that is the bytes at

4AB2A4

4AB2A5

4AB2A6

4AB2A7

Since we changed lifeset to ctrlset, we also have to change ctrlset to lifeset, otherwise Mugen raises an error.

Now write the second MOV DWORD, the one that changes ctrlset to lifeset.

The immediate value is written from right to left, because x86 stores the lowest byte first (little-endian). Look at the first MOV again:

MOV DWORD PTR DS:[4AB2A4],6C727463

63 = c

74 = t

72 = r

6C = l

Read from the right, 6C727463 spells c, t, r, l. That is why it helps to think right to left instead of left to right when writing out an immediate.

MOV DWORD PTR DS:[4AB1D0],6566696C

This is the second MOV: it writes life over ctrl, turning ctrlset back into lifeset, so there are no errors.

Finally, three more instructions finish the ASM code:

SUB ESP,18

MOV DWORD PTR SS:[ESP],47EB31

RETN

SUB ESP,18

subtracts 18 hex (24 bytes) from ESP. The reasoning is that our code used that much of the stack, so the stack pointer has to be moved back before we return.

MOV DWORD PTR SS:[ESP],47EB31

writes the address 47EB31 to the top of the stack, where RETN will read it. This is what gets Mugen back to where it was before the overflow, so it is the most important instruction.

RETN

pops that address off the stack and jumps to it, like return in C or any other language. Without it control never gets back to Mugen's own code.

So our full ASM code is this:

MOV DWORD PTR DS:[4AB2A4],6C727463

MOV DWORD PTR DS:[4AB1D0],6566696C

SUB ESP,18

MOV DWORD PTR SS:[ESP],47EB31

RETN

Now open winmugen.exe in OllyDbg and find a code cave, an area filled with 00 bytes.

That is where we assemble our ASM code so we can read its bytes as ASCII.

Assemble the code there exactly as written above, substituting your own memory addresses if they differ.

Then copy the ASCII from the dump:

Ç¤²J.ctrlÇÐ±J.lifeƒìÇ$1ëG.Ã.

Each . inside the code is a 00 byte (the last one is the empty cave after RETN). They are the spacing you have to reproduce: the code is split into a new line at each one.

Ç¤²J

ctrlÇÐ±J

lifeƒìÇ$1ëG

Ã

That is the ASM code.

Two cautions. OllyDbg shows every non-printable byte as a dot, and the bytes 05, 04 and 18 from the instruction encodings (C7 05 ... for MOV DWORD PTR DS:[addr],imm, C7 04 24 ... for MOV DWORD PTR SS:[ESP],imm, 83 EC 18 for SUB ESP,18) do not show up in the copied text above at all. They still have to be in the file, and a text editor may not display them, so verify and insert them with the hex editor.
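The encoding step as an added example (not code from the tutorial): the C below assembles the five instructions into bytes by hand, using the standard x86 forms C7 05 disp32 imm32, 83 EC ib, C7 04 24 imm32 and C3, converts ctrl and life into their little-endian immediates, and splits the result into CNS lines at the 00 bytes, which reproduces the four lines above. Splitting at 00 is how the tutorial's "spacing" is applied here, not a rule the tutorial states; function names are mine. The hex dump it prints also shows the 05, 04 and 18 bytes that the copied ASCII hides.

```c
/* Added example, not code from the tutorial. Hand-assembles the ASM code
 * and splits it into CNS lines at each 00 byte (ASSUMPTION: that is how
 * the tutorial's "spacing" maps onto line breaks). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian immediate for a 4-character string: "ctrl" -> 6C727463. */
static uint32_t imm32_from_ascii(const char *s)
{
    return (uint32_t)(unsigned char)s[0] | ((uint32_t)(unsigned char)s[1] << 8) |
           ((uint32_t)(unsigned char)s[2] << 16) | ((uint32_t)(unsigned char)s[3] << 24);
}

static void put32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF;
    p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* MOV DWORD PTR DS:[disp32],imm32  ->  C7 05 disp32 imm32  (10 bytes) */
static size_t enc_mov_mem_imm(unsigned char *p, uint32_t addr, uint32_t imm)
{
    p[0] = 0xC7; p[1] = 0x05;
    put32(p + 2, addr);
    put32(p + 6, imm);
    return 10;
}

/* SUB ESP,imm8  ->  83 EC ib  (3 bytes) */
static size_t enc_sub_esp_imm8(unsigned char *p, unsigned char imm8)
{
    p[0] = 0x83; p[1] = 0xEC; p[2] = imm8;
    return 3;
}

/* MOV DWORD PTR SS:[ESP],imm32  ->  C7 04 24 imm32  (7 bytes) */
static size_t enc_mov_esp_imm(unsigned char *p, uint32_t imm)
{
    p[0] = 0xC7; p[1] = 0x04; p[2] = 0x24;
    put32(p + 3, imm);
    return 7;
}

/* RETN  ->  C3 */
static size_t enc_retn(unsigned char *p) { p[0] = 0xC3; return 1; }

/* The tutorial's full code, in order. Returns the byte count. */
static size_t build_shellcode(unsigned char *out)
{
    size_t n = 0;
    n += enc_mov_mem_imm(out + n, 0x004AB2A4, imm32_from_ascii("ctrl")); /* lifeset -> ctrlset */
    n += enc_mov_mem_imm(out + n, 0x004AB1D0, imm32_from_ascii("life")); /* ctrlset -> lifeset */
    n += enc_sub_esp_imm8(out + n, 0x18);
    n += enc_mov_esp_imm(out + n, 0x0047EB31);
    n += enc_retn(out + n);
    return n;
}

/* Split the bytes into CNS lines at every 00. Each line is NUL-terminated
 * for printing; the non-printable 05/04/18 bytes stay inside their lines. */
static int split_into_lines(const unsigned char *code, size_t n,
                            char lines[][32], int max_lines)
{
    int count = 0;
    size_t col = 0;
    for (size_t i = 0; i < n && count < max_lines; i++) {
        if (code[i] == 0x00) { lines[count][col] = '\0'; count++; col = 0; continue; }
        if (col < 31) lines[count][col++] = (char)code[i];
    }
    if (col > 0 && count < max_lines) { lines[count][col] = '\0'; count++; }
    return count;
}

int main(void)
{
    unsigned char code[64];
    char lines[8][32];
    size_t n = build_shellcode(code);
    int count = split_into_lines(code, n, lines, 8);
    printf("%zu bytes of code, %d CNS lines\n", n, count);
    for (int i = 0; i < count; i++) {
        printf("line %d:", i + 1);
        for (size_t j = 0; lines[i][j] != '\0'; j++)
            printf(" %02X", (unsigned char)lines[i][j]);
        printf("\n");
    }
    return 0;
}
```

Line 1 comes out as C7 05 A4 B2 4A, line 2 as 63 74 72 6C C7 05 D0 B1 4A, line 3 as 6C 69 66 65 83 EC 18 C7 04 24 31 EB 47 and line 4 as C3; compare each against the hex editor's view of your file rather than against the ASCII dump.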

Now add a ctrlset state controller so we can test whether it works:

[State ]

type = ctrlset

trigger1 = 1

value = 1

The finished state looks like this:

[Statedef ë:23456789012345678901234567890123456789012345678901234F2@]

Ç¤²J

ctrlÇÐ±J

lifeƒìÇ$1ëG

Ã

[State ]

type = ctrlset

trigger1 = 1

value = 1