Gimme a min or 5, I'll write up how to get it with OllyDbg ^^
K, here's what you'll need:
ResHacker
OllyDbg
I assume you'll have OllyDbg already; ResHacker is just the first result on Google.
Load up sol.exe in ResHacker and browse to the String Table: under folder '7', click on 1033 and you'll end up with the following:
Code:
STRINGTABLE
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
{
100, "Solitaire"
101, "Score: "
102, "Time: "
103, "CardDraw"
104, "Deal Again?"
105, "sol.chm"
106, "Press Esc or a mouse button to stop..."
107, "Bonus: "
108, "Developed for Microsoft by Wes Cherry"
}
(FFFUUUUUUU)
Take note of the following:
Code:
101, "Score: "
102, "Time: "
We might need the following later, as I'm writing this while debugging.
101 is 65 in hex
102 is 66 in hex
1033 is 409 in hex
From what I know, if you're going to use resource files you'll end up calling stuff from USER32.dll, so let's take a look at sol.exe's import table (Ctrl+G to 1001000).
Some interesting stuff:
Code:
010010F8 > . 08C9427E DD USER32.LoadStringA
01001108 > . CB8C417E DD USER32.PostMessageW
01001174 > . 369E417E DD USER32.LoadStringW
01001190 > . E2D7427E DD USER32.DrawTextW
So what I do now is right-click -> Find all intermodular calls, start typing DrawTextW, as it's probably important, and follow the first one:
Code:
01005269 |. 6A 50 PUSH 50
0100526B |. 6A 66 PUSH 66
0100526D |. 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
01005270 |. 50 PUSH EAX
01005271 |. E8 82D1FFFF CALL sol.010023F8
01005276 |. 8D7C45 B0 LEA EDI,DWORD PTR SS:[EBP+EAX*2-50]
0100527A |. 8B45 78 MOV EAX,DWORD PTR SS:[EBP+78]
0100527D |. 8B40 34 MOV EAX,DWORD PTR DS:[EAX+34]
01005280 |. C1F8 02 SAR EAX,2
01005283 |. 50 PUSH EAX ; /Arg2
01005284 |. 57 PUSH EDI ; |Arg1
01005285 |. E8 A1D0FFFF CALL sol.0100232B ; \sol.0100232B
0100528A |. 8D1C47 LEA EBX,DWORD PTR DS:[EDI+EAX*2]
0100528D |. 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
01005290 |. 3BD8 CMP EBX,EAX
01005292 |. 74 22 JE SHORT sol.010052B6
01005294 |. 68 22010000 PUSH 122 ; /Flags = DT_RIGHT|DT_TOP|DT_SINGLELINE|DT_NOCLIP
01005299 |. FF75 7C PUSH DWORD PTR SS:[EBP+7C] ; |pRect
0100529C |. 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50] ; |
0100529F |. 8BC3 MOV EAX,EBX ; |
010052A1 |. 2BC1 SUB EAX,ECX ; |
010052A3 |. D1F8 SAR EAX,1 ; |
010052A5 |. 50 PUSH EAX ; |Count
010052A6 |. 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50] ; |
010052A9 |. 50 PUSH EAX ; |Text
010052AA |. FF35 74710001 PUSH DWORD PTR DS:[1007174] ; |hDC = NULL
010052B0 |. FF15 90110001 CALL DWORD PTR DS:[<&USER32.DrawTextW>] ; \DrawTextW
I've highlighted PUSH 66, which is 102 in decimal. Remember above? 102 was "Time: ".
Follow the call below PUSH 66:
Code:
010023F8 /$ FF7424 0C PUSH DWORD PTR SS:[ESP+C] ; /Count
010023FC |. 0FB74424 0C MOVZX EAX,WORD PTR SS:[ESP+C] ; |
01002401 |. FF7424 08 PUSH DWORD PTR SS:[ESP+8] ; |Buffer
01002405 |. 50 PUSH EAX ; |RsrcID
01002406 |. FF35 6C730001 PUSH DWORD PTR DS:[100736C] ; |hInst = NULL
0100240C |. FF15 74110001 CALL DWORD PTR DS:[<&USER32.LoadStringW>] ; \LoadStringW
01002412 \. C2 0C00 RETN 0C
It calls LoadString, so we're on the right track.

Go back to where we came from (01005271):
Code:
01005276 |. 8D7C45 B0 LEA EDI,DWORD PTR SS:[EBP+EAX*2-50]
0100527A |. 8B45 78 MOV EAX,DWORD PTR SS:[EBP+78]
0100527D |. 8B40 34 MOV EAX,DWORD PTR DS:[EAX+34]
01005280 |. C1F8 02 SAR EAX,2
01005283 |. 50 PUSH EAX ; /Arg2
01005284 |. 57 PUSH EDI ; |Arg1
01005285 |. E8 A1D0FFFF CALL sol.0100232B ; \sol.0100232B
Put a breakpoint on the first MOV EAX, since the call at the bottom adds "Time: " and the value (which is stored in EAX) together.
Now run the game and watch it break.
Stack SS:[0007FCE4] = 0x000BA808
Then it adds +0x34 to that and follows it again (0x000BA83C), which points to the value of the time.
*(DWORD*)(0x000BA808+0x34) = 0;
Now for the score: follow the 2nd call to DrawTextW and breakpoint on this:
Code:
01005348 |. 8B47 30 MOV EAX,DWORD PTR DS:[EDI+30]
DS:[0x000BA838] = 000000
But they do EDI+0x30, so that means we can do the same as with Time:
*(DWORD*)(0x000BA808+0x30) = 1337;
Have fun, I guess.
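As an added example (not code from the original post), here is a small Python/ctypes tool that patches the two fields found above from outside the debugger, the same `*(DWORD*)(base+0x30)` / `*(DWORD*)(base+0x34)` writes as in the post. It assumes the struct base pointer 0x000BA808 and the offsets 0x30 and 0x34 from the listings; the base is a value read off the stack in that particular session, so you pass in whatever your own breakpoint shows. It uses the real Win32 OpenProcess/ReadProcessMemory/WriteProcessMemory calls, which only work on Windows; a constructed in-memory buffer stands in for the process everywhere else. It also encodes the `SAR EAX,2` visible in the listing: the DWORD at +0x34 is shifted right by two before it is appended to "Time: " and drawn, so to show N seconds you store N<<2.

```python
"""Patch Solitaire's score and time through the game-state struct found above.

Added example, not code from the original post. Assumptions:
  * EXAMPLE_STATE_BASE is the pointer the post read off the stack
    (0x000BA808); it belongs to that debugging session only, so pass the
    value from your own breakpoint on the command line.
  * SCORE_OFFSET / TIME_OFFSET are the 0x30 / 0x34 displacements in the
    listings (MOV EAX,[EDI+30] and MOV EAX,[EAX+34]).
The Win32 calls are real and Windows-only; FakeMemory is a constructed
in-memory stand-in so the address arithmetic can be checked offline.
"""
import ctypes
import struct
import sys

SCORE_OFFSET = 0x30              # MOV EAX,DWORD PTR DS:[EDI+30]
TIME_OFFSET = 0x34               # MOV EAX,DWORD PTR DS:[EAX+34]
EXAMPLE_STATE_BASE = 0x000BA808  # from the post's run; assumption for illustration

PROCESS_VM_OPERATION = 0x0008    # access rights WriteProcessMemory needs
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020


def displayed_time(raw_dword):
    """Mirror SAR EAX,2: treat the DWORD as signed 32-bit and shift right by two."""
    raw_dword &= 0xFFFFFFFF
    if raw_dword & 0x80000000:
        raw_dword -= 1 << 32
    return raw_dword >> 2        # Python's >> on int is arithmetic, like SAR


def raw_time_for(seconds):
    """Inverse of displayed_time: the DWORD to store so the window shows `seconds`."""
    return (seconds << 2) & 0xFFFFFFFF


class FakeMemory:
    """Constructed stand-in for a slice of the target's address space."""

    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def read_dword(self, addr):
        return struct.unpack_from("<I", self.buf, addr - self.base)[0]

    def write_dword(self, addr, value):
        struct.pack_into("<I", self.buf, addr - self.base, value & 0xFFFFFFFF)


class ProcessMemory:
    """Live sol.exe via OpenProcess/ReadProcessMemory/WriteProcessMemory (Windows only)."""

    def __init__(self, pid):
        if sys.platform != "win32":
            raise OSError("ProcessMemory needs the Win32 API")
        k = ctypes.windll.kernel32
        k.OpenProcess.restype = ctypes.c_void_p
        k.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
        for fn in (k.ReadProcessMemory, k.WriteProcessMemory):
            fn.restype = ctypes.c_int
            fn.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                           ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
        self.k = k
        self.h = k.OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, 0, pid)
        if not self.h:
            raise ctypes.WinError()

    def read_dword(self, addr):
        val, n = ctypes.c_uint32(), ctypes.c_size_t()
        if not self.k.ReadProcessMemory(self.h, addr, ctypes.byref(val), 4, ctypes.byref(n)):
            raise ctypes.WinError()
        return val.value

    def write_dword(self, addr, value):
        val, n = ctypes.c_uint32(value & 0xFFFFFFFF), ctypes.c_size_t()
        if not self.k.WriteProcessMemory(self.h, addr, ctypes.byref(val), 4, ctypes.byref(n)):
            raise ctypes.WinError()


def set_score(mem, state_base, score):
    """*(DWORD*)(state_base+0x30) = score; returns what is now stored there."""
    mem.write_dword(state_base + SCORE_OFFSET, score)
    return mem.read_dword(state_base + SCORE_OFFSET)


def set_time(mem, state_base, seconds):
    """Store seconds<<2 at state_base+0x34; returns the value the window will draw."""
    mem.write_dword(state_base + TIME_OFFSET, raw_time_for(seconds))
    return displayed_time(mem.read_dword(state_base + TIME_OFFSET))


if __name__ == "__main__":
    # usage (Windows): python patch_sol.py <pid> <state_base_hex>
    pid, base = int(sys.argv[1]), int(sys.argv[2], 16)
    mem = ProcessMemory(pid)
    print("score now", set_score(mem, base, 1337))
    print("time now", set_time(mem, base, 0))
```

The base pointer is whatever `[EBP+78]` held when the breakpoint hit, and it will differ between runs, so read it off the stack each time rather than hard-coding 0x000BA808; the offsets are what stay constant.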