About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Store Users What's New


Customize Theme

Flag: Tornado! Hurricane!

Blogs >> GynvaelColdwind's Blog

Created: Tuesday, January 26 2010 19:26.05 CST Modified: Tuesday, January 26 2010 19:26.51 CST
Direct Link, View / Make / Edit Comments
The tale of Syndicate Wars Port
Author: GynvaelColdwind # Views: 1075

As promised, It's time to reveal the technical story behind the Syndicate Wars Port. The story is divided into two parts - the first, and the second attempt to port this game. Comments are welcomed!

Read more... (be warned that the story is long :)

Created: Monday, January 25 2010 17:20.35 CST Modified: Monday, January 25 2010 17:28.55 CST
Direct Link, View / Make / Edit Comments
Syndicate Wars - a reverse-engineering tale
Author: GynvaelColdwind # Views: 1527

Syndicate Wars is a game published in 1996, created by Bullfrog. The game was written in C (Watcom) for the DOS4GW DOS extender. And of course it has stopped working natively (i.e. without emulators like DOSBox) when the modern operating systems, like GNU/Linux or Windows NT series, emerged.

A few years ago my friend, Unavowed, told me about proposition of a project to create a port of Sydicate Word for modern OS'es like the two previous one I've mentioned. The port was to be done by decompiling the original executable file, locating all the functions from the standard C library, locating the DOS4GW and I/O (sound, keyboard, gfx, mouse, etc) dependencies, replacing them with modern native libc function call and libSDL/OpenAL libraries (sometimes using simple wrappers, other times by creating converters), and finally, recompiling it all to form native executables for the modern systems.

Yesterday, we've finished this project, and we've published executables, not only for GNU/Linux and Windows, but also for Mac OSX :)

Project site (screens, downloads, even a video):
http://swars.vexillium.org/

As for the technical side of the project, I'll describe everything in the next post - it was the biggest reverse-engineering project I've took part in, and I hope you'll too find something interesting in the details for yourselves :)

GNU/Linux:


Mac OSX 10.5:


Windows Vista:

Created: Monday, January 11 2010 16:22.07 CST  
Direct Link, View / Make / Edit Comments
Exception detection on Windows and HITB ezine
Author: GynvaelColdwind # Views: 1148

The Hack In The Box ezine, which was published in the years 2000-2005 (37 issues total) has been revived!
The newest issue contains 6 articles (including mine), which gives 44 pages of text, in PDF (link below). Imho it's worth taking a look. It's very possible your find something interesting for yourself there :)

Article list:
- p. 03 - Exception Detection on Windows (by me)
- p. 07 - The Art of DLL Injection (by Christian Wojner, CERT.at)
- p. 09 - LDAP Injection. Attack and Defense Techniques (cover story, by Esteban Guillardoy, Facundo de Guzman, Hernan Abbamonte)
- p. 18 - Xprobe2-NG. Low Volume Remote Network Information Gathering Tool (by Fedor V. Yarochkin. Ofir Arkin (Insightix), Meder Kydyraliev (Google), Shih-Yao Dai, Yennun Huang (Vee Telecom) and Sy-Yen Kyo)
- p. 25 - Malware Obfuscation. Tricks and Traps (by Wayne Huang, Armorize Technologies)
- p. 39 - Reconstructing Dalvik Applications Using UNDX (by Marc Schönefeld)

Download: HITB-Ezine-Issue-001.pdf

Comments about my article are mostly welcomed :)

Created: Tuesday, January 5 2010 13:33.31 CST  
Direct Link, View / Make / Edit Comments
DR6 may or may not be useful for bochs/VirtualPC detection
Author: GynvaelColdwind # Views: 1127

This post will be similar to the previous one, and will be about small, but interesting, details of x86 architecture, that might be (and sometimes are) easily overlooked by creators of emulators and virtual machines. The hero of today's post is the DR6 debug register, or, to be more precise, the four least significant bits of this register - B0 to B3 (breakpoint condition detected flags). Please read the whole post before jumping into any conclusions :)

Read the full post...

Created: Tuesday, December 29 2009 10:54.50 CST  
Direct Link, View / Make / Edit Comments
BSWAP + 66h prefix (bochs, QEMU detection)
Author: GynvaelColdwind # Views: 1516

In the last few days I've been playing with osdev again (last time I've coded something more than a boot menu, was in 2003), so expect a few posts about assembler, x86 emulators and similar institutions. Today's post will be about the bswap reg16 instruction, running in protected mode - which, as one will find out, can be used, for example, to detect bochs or QEMU.

The bswap reg16 instruction is in fact a bswap reg32 with the 66h prefix, also known as the operand-size override prefix (it switches the operands between 32 and 16 bits, where 32 is the default in PMODE of course). As one can read in the Intel manuals, using bswap with the 66h prefix will result in getting an undefined behavior.

Read the full post...


Archived Entries for GynvaelColdwind
Subject # Views Created On
A thought about drivers\etc\hosts file 1591     Friday, August 7 2009
Another file visualizations 1933     Wednesday, May 27 2009
CONFidence conference ESET crackme solution 1864     Tuesday, May 26 2009
Ent 0.0.3 and a post about entropy in RCE 1875     Sunday, March 8 2009
ExcpHook 0.0.5-rc2 released 2076     Tuesday, February 3 2009
Difference between exports in DLLs - Vista SP 1 vs Windows 7 Beta 1768     Tuesday, January 20 2009
LOOP vs. default Mac OS X assembler 1794     Sunday, December 7 2008
Freedom for everything - total annihilation of process memory 2044     Thursday, November 27 2008
Google Chrome Sandbox 2291     Thursday, September 4 2008
ExcpHook 0.0.4 released 3257     Tuesday, January 22 2008
Exception monitor 3539     Sunday, January 13 2008
Windows Vista environment variables 3415     Friday, August 3 2007
Looking for a job... 2651     Tuesday, December 12 2006
Hello World! 2255     Thursday, September 7 2006
Active in Last 5 Minutes
HellScream

There are 16,670 total registered users.


Recently Created Topics
Process Snapshot
Mar/16
SSL keyfindert plugi...
Mar/15
ApiHooks.com down
Mar/15
how to crate a PATC...
Mar/10
wsnpoem audio.dll
Mar/09
suggestions - RE tra...
Mar/09
Requesting Suggestio...
Mar/06
Force enable debug p...
Mar/05
upgrading new image ...
Mar/03
upgrading new image ...
Mar/03


Recent Forum Posts
ApiHooks.com down
hkjack
how to crate a PATC...
comrade
ApiHooks.com down
comrade
suggestions - RE tra...
enm16
wsnpoem audio.dll
zhane
suggestions - RE tra...
Silkut
how to crate a PATC...
Silkut
suggestions - RE tra...
RolfRolles
wsnpoem audio.dll
debbie
Requesting Suggestio...
secursig


Recent Blog Entries
RolfRolles
Mar/08
Compiler Optimizations for ...
ReWolf
Mar/04
When memory management goes...
thesprawler
Feb/20
log1949.txt -- Wondering ho...
thesprawler
Feb/20
log1949.log -- created on C...
thesprawler
Feb/17
Trying to reverse the firmw...
More ...


Recent Blog Comments
Boken on:
Mar/12
Compiler Optimizations for ...
wildinto on:
Mar/10
Compiler Optimizations for ...
Orr on:
Mar/10
Compiler Optimizations for ...
bughoho on:
Mar/09
Compiler Optimizations for ...
cliffwolf on:
Mar/08
Compiler Optimizations for ...
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit