
Created: Wednesday, April 2 2008 15:42.40 CDT Modified: Wednesday, April 2 2008 15:43.08 CDT
Second Round-More Neocron2 client.exe reversing
Author: RabidCicada

Well,
So far so good. I've continued to reverse the game client but haven't made much progress recently (lack of time and complications). Remember I'm new.

I have continued trudging through the main client.exe (out of stubbornness) instead of following my intuition that I should be looking elsewhere for the meat of the logic I want to alter (character data).

My initial thoughts were to track button presses/other character alterations while in game. The only problem is that I don't have a code coverage tool yet and am using an out-of-date IDA Pro (I'll be getting the newest one soon :) ). I would find where, say, UP was handled to move the character forward (and hopefully alter character data). Then start tracking things nearby (probably character data).

An additional complication is that there are multiple threads (about 5 if I remember right) and I think all the important game logic occurs in another thread (other than the main one) started as part of a "game" object (what I believe to be all the important stuff, or at least to have a lot of the important stuff).

The client loads a couple of DLLs made for the game, and one of them is the "game" from gamebase.dll, built on top of a game engine (from another DLL). I finally left behind client.exe and am beginning to deadlist gamebase.dll. It looks like the one of interest.

My plan so far is that I'm going to deadlist a little to reverse some data structures.  I'll port any gleaned information over to client.exe.

Here's where I'd appreciate some comments and advice on the blog entry.

My intention all along was to track character data alteration from keypresses. The problem is that that data is handled (I think) in something from a DLL (gamebase) in another thread.

I'd like to continue with the original plan to track character data alteration, but I'm now unsure as to how to track the keypress data. I'm familiar with the Windows paradigm of passing messages to/from windows. I'm familiar with the peek/get, translate, dispatch loop and the WndProc callback.

One thing I'm not sure about is whether each thread will get its own or if all that data has to go through client.exe (the only one with a window). I think it has to go through client.exe. If that's the case then I will need to finish tracing the path of a keypress through the system in client.exe (I've already started).

From what I see they create an input object; then I need to find out how they pass it to the other thread.

On a side note, I found a funny little Easter egg that I haven't tried yet. Among many other commands they accept at the command line when calling client.exe, they accept one particular switch, "hubbletubblewubble". I wonder what it does?.... Only one way to find out :).
~hopes for god mode in online play~

Oh,
Any advice on debugging threads in an executable would be great. I have yet to read up on it, but I assume that there are some gotchas when you want to debug some code that is run in a spawned thread off of the main executable (as is the case here with the game object).



Created: Monday, March 17 2008 10:28.41 CDT  
First Round-Rabid
Author: RabidCicada

Righto,

So my first real foray into reversing just went down. With the help of this site and its people I won the round and am back in the ring for round 2. The Neocron2 game client is going down :).

Deadlisting is easy for me, but getting into debugging was a tiny bit tricky :).

The problem was I couldn't debug the application and have it work correctly. It kept breaking on certain breakpoints in ntdll.dll, and then when I overcame that it kept failing to open an .ini file.

The solution was to alter the "events of interest" for IDA Pro and set the working directory in the debugger for the executable.

Doh. Now I sure felt like an idiot, but, hey, everyone's gotta learn somehow. I had assumed that the working directory only needed to be set if it was supposed to be different than the "default" of the exe's current directory. That's not the case, and I hadn't actually really thought about troubleshooting that. I assumed it was a problem elsewhere in my setup.

The other issue was to do with what events the debugger was interested in. I now realize that it was probably stopping on every DLL load, and that would explain why I had to pass on a couple the first few times. Then I found the settings for events of interest and played with them till the program loaded all the way and hit WinMain.

I think I may have chosen a large project, being that the exe imports a crap load of stuff from other game DLLs, but I liked the game when I played it and figure I'll actually expend the effort to take a look at it from the inside.

One lesson that was reinforced here was to think about the simple/obvious things. I initially had a suspicion that the problem was anti-debug (having a security-focused job). I spent time looking for it and ruled it out after some investigation. The actual problem was staring me in the face the whole time: "It can't find the file, you idiot". And I overlooked it for a small time :).


