Second Round-More Neocron2 client.exe reversing

Wed, 02 Apr 2008 15:42:40 -0500

Well,
So far so good.  I've continued to reverse the game client but haven't made much progress recently(lack of time and complications). Remember I'm new.

I have continued trudging through the main client.exe(out of stubborness) instead of following my intuition that I should be looking else-where for the meat of the logic I want to alter(character data).

My initial thoughts were to track button presses/other character alterations while in game.  The only problem is that i don't have a code coverage tool yet and am using an out of date IDA Pro(I'll be getting the newest one soon :) ).  I would find where, say, UP was handled to move the character foward(and hopefully alter character data).  Then start tracking things nearby(probably character data).

An additional complication is that there are multiple threads( about 5 if I remember right) and I think all the important game logic occurs in another thread(other than the main one) started as part of a "game" object (what I believe to be all the important stuff, or at least have a lot of the important stuff).

The Client loads a couple DLLs made for the game and one of them is the "game" from gamebase.dll built on top of a game engine(from another DLL).  I finally left behind client.exe and am beginning to deadlist gamebase.dll.  It looks like the one of interest.

My plan so far is that I'm going to deadlist a little to reverse some data structures.  I'll port any gleaned information over to client.exe.

Here's where I'd appreciate some comments and advice on the blog entry.

My intention all along was to track character data alteration from keypresses.  The problem is that that data is handled(I think) in something from a dll(gamebase) in another thread.

I'd like to continue with the original plan to track character data alteration but I'm now unsure as to how to track the keypress data.  I'm familiar with the windows paradigm of passing messages to/from windows.  I'm familiar with the peek/get, translate, dispatch loop and the WndProc callback.

One thing I'm not sure about is whether each thread will get it's own or if all that data has to go through Client.exe (only one with a window).  I think it has to go through Client.exe.  If thats the case then I will need to finish tracing the path of a keypress through the system in client.exe  (I've already started).

From what I see they create and inputobject then I need to find out how they pass it to the other thread.

On a side note I found a funny little easteregg that I haven't tried yet.  Among many other commands they accept at the commend line when calling client.exe they accept one particular switch "hubbletubblewubble".  I wonder what it does?....Only one way to find out:).
~hopes for god mode in online play~

Oh,
Any advice on debugging threads in an executable would be great.  I have yet to read up on it but I assume that there are some gotcha's when you want to debug some code that is run in a spawned thread off of the main executable(as is the case here with the game object).

First Round-Rabid

Mon, 17 Mar 2008 10:28:41 -0500

Righto,

So my first real foray into reversing just went down.  With the help of this site and it's people I won the round and am back in the ring for round 2.  The Neocron2 game client is going down:).

Deadlisting is easy for me but getting into debugging was a tiny bit tricky:).

Problem was I couldn't debug the application and have it work correctly.  It kept breaking on certain breakpoints in ntdll.dll and then when I overcame that it kept failing to open an ini file.

Solution was to alter the "events of interest" for IDA pro and set the working directory in the debugger for the executable.

Doh.  Now I sure felt like an idiot but, hey, eveyrone's gotta learn somehow.  I had assumed that that the working directory only needed to be set if it was supposed to be different than the "default" of the exe's current directory.  That's not the case, and I hadn't actually really thought about troubleshooting that.  I assumed it was a problem elsewhere in my setup.

The other issue was to do with what events the debugger was interested in.  I now realize that it was probably stopping on every dll load and that would explain why I had to pass on a couple the first few times.  Then I found the settings for events of interest and played with them till the program loaded all the way and hit winmain.

I think I may have chosen a large project, being that the exe imports a crap load of stuff from other game dlls but I liked the game when I played it and figure I'll actually expend the effort to take a look at it from the inside.

One lesson that was reinforced here was to think about the simple/obvious things.  I initially had a suspicion that the problem was anti-debug (having a security focused job).  I spent time looking for it and ruled it out after some investigation.  The actual problem was staring me in the face the whole time "It can't find the file you idiot".  And I overlooked it for a small time:).

OpenRCE: Blog

Second Round-More Neocron2 client.exe reversing

First Round-Rabid