First Round-Rabid
RabidCicada <RabidCicadagmailcom> Monday, March 17 2008 10:28.41 CDT


Righto,

So my first real foray into reversing just went down.  With the help of this site and its people I won the round and am back in the ring for round 2.  The Neocron2 game client is going down:).

Deadlisting is easy for me but getting into debugging was a tiny bit tricky:).

Problem was I couldn't debug the application and have it work correctly.  It kept breaking on certain breakpoints in ntdll.dll and then when I overcame that it kept failing to open an ini file.

Solution was to alter the "events of interest" for IDA Pro and set the working directory in the debugger for the executable.

Doh.  Now I sure felt like an idiot but, hey, everyone's gotta learn somehow.  I had assumed that the working directory only needed to be set if it was supposed to be different than the "default" of the exe's current directory.  That's not the case, and I hadn't actually really thought about troubleshooting that.  I assumed it was a problem elsewhere in my setup.

The other issue was to do with what events the debugger was interested in.  I now realize that it was probably stopping on every dll load and that would explain why I had to pass on a couple the first few times.  Then I found the settings for events of interest and played with them till the program loaded all the way and hit winmain.

I think I may have chosen a large project, being that the exe imports a crap load of stuff from other game dlls but I liked the game when I played it and figure I'll actually expend the effort to take a look at it from the inside.

One lesson that was reinforced here was to think about the simple/obvious things.  I initially had a suspicion that the problem was anti-debug (having a security focused job).  I spent time looking for it and ruled it out after some investigation.  The actual problem was staring me in the face the whole time "It can't find the file you idiot".  And I overlooked it for a small time:).



Comments
Raindog Posted: Friday, March 21 2008 20:43.00 CDT
So something that is always helpful is to look at the callstack and the exception id. The call stack will give you an idea as to what conditions made the app go down the error path, and the exception id or error code will potentially give you more clues. If you looked at the error code you would have immediately seen ERROR_FILE_NOT_FOUND =\