📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.









Created: Wednesday, April 2 2008 15:42.40 CDT Modified: Wednesday, April 2 2008 15:43.08 CDT
Second Round-More Neocron2 client.exe reversing
Author: RabidCicada # Views: 1597

Well,
So far so good. I've continued to reverse the game client but haven't made much progress recently (lack of time and complications). Remember I'm new.

I have continued trudging through the main client.exe (out of stubbornness) instead of following my intuition that I should be looking elsewhere for the meat of the logic I want to alter (character data).

My initial thoughts were to track button presses/other character alterations while in game. The only problem is that I don't have a code coverage tool yet and am using an out-of-date IDA Pro (I'll be getting the newest one soon :) ). I would find where, say, UP was handled to move the character forward (and hopefully alter character data). Then start tracking things nearby (probably character data).

An additional complication is that there are multiple threads (about 5 if I remember right) and I think all the important game logic occurs in another thread (other than the main one) started as part of a "game" object (what I believe to be all the important stuff, or at least to have a lot of the important stuff).

The client loads a couple of DLLs made for the game and one of them is the "game" from gamebase.dll, built on top of a game engine (from another DLL). I finally left behind client.exe and am beginning to deadlist gamebase.dll. It looks like the one of interest.

My plan so far is that I'm going to deadlist a little to reverse some data structures.  I'll port any gleaned information over to client.exe.

Here's where I'd appreciate some comments and advice on the blog entry.

My intention all along was to track character data alteration from keypresses. The problem is that that data is handled (I think) in something from a DLL (gamebase) in another thread.

I'd like to continue with the original plan to track character data alteration but I'm now unsure as to how to track the keypress data. I'm familiar with the Windows paradigm of passing messages to/from windows. I'm familiar with the peek/get, translate, dispatch loop and the WndProc callback.

One thing I'm not sure about is whether each thread will get its own or if all that data has to go through Client.exe (the only one with a window). I think it has to go through Client.exe. If that's the case then I will need to finish tracing the path of a keypress through the system in client.exe (I've already started).

From what I see they create an inputobject, then I need to find out how they pass it to the other thread.

On a side note I found a funny little easter egg that I haven't tried yet. Among many other commands they accept at the command line when calling client.exe, they accept one particular switch, "hubbletubblewubble". I wonder what it does?... Only one way to find out :).
~hopes for god mode in online play~

Oh,
Any advice on debugging threads in an executable would be great. I have yet to read up on it but I assume that there are some gotchas when you want to debug some code that is run in a spawned thread off of the main executable (as is the case here with the game object).





