[TEC] *.exe Reverse-Engineering

TheDarkWraith · 06-14-11, 04:56 PM

Quote:

Originally Posted by reaper7

Well I've been trying to delve into this Reverse Engineering - since TDW mentioned ollydbg. Wow its complex stuff.
But I've managed to track down the stadimeter bug - locations in memorry.
I've managed to find the Base Address for the Stadimeter Range, that is the one that is linked to Sh5 memory address on loading and so is available always.
And also both of the Offset routes the stadimeter uses for that value (These use RVA address so change every time on game load - but I have the Base address and offsets).

Now of the 2 routes one is the Correct value and one is the bugged 20M value.

So I can see in the Bugged one.
That SH5 gets the range when using the stadimeter but on mouse release does not change to relflect the mast height - this value is then displayed in the XO Dialogue.

Now the working value.
Sh5 gets the range when using the stadimeter but on mouse release does update the Range to reflect the correct mast height.
(I also noticed that when I click The Stadimeter Fix icon from my Mod it - updates the incorrect value to the correct value - So this 100% confirms my fix is correct, But it would be great to fix the Stock Stadimeter bug in code.)
But the XO Dialogue does not update this value. So the correct value is never used by SH5 just sits in memory - This is most likely SH4 code

Now as my programming skills are very little - I do not know how to redirect the value from the Base Address of the correct value into the pointer of the incorrect value (That SH5 is using).
Don't know how to use Assembly to do the code inject or whatever is nedded to achieve this.

TDW any ideas on how this can be done

I can give you the address for the relevant data, but would like to learn how to do this also - by tutorial or whatever means

tell me what the addresses (RVAs) are and I'll view them ingame and tell you how

I have to see if they are pointers to pointers or are the actual memory being used or if the memory is actually a stack address (temp variable) which then I'll have to track down when that value got pushed onto the stack so I can find it's true memory address.

reaper7 · 06-14-11, 06:13 PM

Quote:

Originally Posted by TheDarkWraith

tell me what the addresses (RVAs) are and I'll view them ingame and tell you how

I have to see if they are pointers to pointers or are the actual memory being used or if the memory is actually a stack address (temp variable) which then I'll have to track down when that value got pushed onto the stack so I can find it's true memory address.

These are the Addresses i found

SH5.exe+47D740 (This gave me a Base Address of 005ED740 with my game)
Sh5.exe Process was at 000014B0.

second one had a Base Address of 005EE290

Hope I've done it right and found the static ones and not false pointers.

Obelix · 06-14-11, 06:29 PM

Yes, the question is twofold. When thinking sensibly, in this case, no immorality and illegality there. Indeed, the only benefit that we derive from reverse-engineering is the only higher quality game

. Ie. Exe cracked for improving the program, which has already purchased. Discussions on how to turn off DRM is not being conducted

.
But it could conceivably come to the ridiculous: in 2006 in Russia happened is that (probably Russia and abroad, the case made a splash)

: the headmaster had bought for school computers, which had been pre-installed pirated windows. The prosecutor's office seized the director of a stranglehold with a determination to defend the interests of Microsoft. Investigators were trying to close the deal "In the absence of a guilty person," and Bill Gates understand the situation refused to support a lawsuit against the director

. Persistence prosecution is simply amazing. The first time it stopped "in connection with minor damage" but the prosecution insisted on a new consideration, the court did not want to sit for a long time Director awarded 5000 rub. (~ $ 180) against the alleged 262,000 rubles. (~ 9500 $)

I am confident of the correctness of TheDarkWraith - who no matter how he knows all the pitfalls in this process.

TheDarkWraith · 06-14-11, 06:53 PM

@ Obelix - interestingly I learned the majority of my 'specialized' skills from you Russians

You all have people that blow me away with their RE skills and what they can do with software

No matter how many books I read on the subject I'm always two steps behind you all

@ Reaper7 - I'll look into those addresses tonight

It's nice to see someone taking interest into RE. Let me warn you though that once you start down this path you'll probably never stop

If you like puzzles and things that make you think then this will suit you well

For me it's the whole challenge thing, the let's see if I can make it do this or that.....A great book on the subject is Hacking 2nd Edition - The Art of Exploitation by Jon Erickson. This book is more of an intermediate's book. A good beginner's book is Reversing - Secrets of Reverse Engineering by Elded Eilam

After some years of this you'll see just how 'bad' windows is. It still amazes me how easy it is to take control of any process running on any computer running Windows

EDIT:
@ Reaper7 - not sure how you found that address....were you using Olly Debug? If so, what was the base address, size, and entry point of your SH5.exe?

Anvart · 06-15-11, 05:32 AM

Quote:

Originally Posted by TheDarkWraith

...- interestingly I learned the majority of my 'specialized' skills from you Russians...

maybe... but I also noticed the familiar words of Jeffrey Richter from his famous book Programming Applications for Microsoft Windows... in your famous thread...

BigBANGtheory · 06-15-11, 09:22 AM

Where does one start on such a vast topic?

If you read guides about it like 2 sentances in it goes off on one about pointers, assembler, hex, debuggers without actually explaining anything

or worse still explaining it with even more specialist terms

TorpX · 06-15-11, 10:35 AM

Quote:

Originally Posted by BigBANGtheory

Where does one start on such a vast topic?

If you read guides about it like 2 sentances in it goes off on one about pointers, assembler, hex, debuggers without actually explaining anything

or worse still explaining it with even more specialist terms

I agree. Many of us did not grow up with computers, and have only learned how to use them with some difficulty. Not everyone is an expert.

reaper7 · 06-15-11, 03:11 PM

Quote:

Originally Posted by TheDarkWraith

@ Reaper7 - not sure how you found that address....were you using Olly Debug? If so, what was the base address, size, and entry point of your SH5.exe?

Redid the entries to show all the Information I could. Values have changed due to sh5.exe using different loading memory location.

But hopefully all the relevant info is here to get the Stadimeter.

In the Following Pic You can see the Base, Size and Module name thats loaded for SH5.
I'm using Cheat Engine 6.1 to find my addresses and pointers within the sh5.exe code and memory thats used.

Also took 2 more pics to show whats happening with regards the Stadimeter and the 2 pointer branches that are used.

There are a total of 16 addresses that hold the stadimeter values (Both SH5 and Sh4) of these 2 are writeable the rest read only.
I only worked with these 2 to bac track thru all the pointers to get to the Base Address (Cheat Engine shows this value as green to show its a static address).

One thing I noticed that both code sets used are very similar except for the offsets used in the last pointers code for both.

One has its offset at 00000084 the other at 00000094 as can be seen in the Memory viewer in first pic - maybe this is the problem

Hope that this info is good to get you going TDW

EDIT: Still not Sure this is the Base Address - Need to find how to do this in Ollydbg

Here is the Op, Assembly code you can search for - maybe that will help to find it
00412FF5 - F3 0F11 81 84000000 - movss [ecx+00000084],xmm0

reaper7 · 06-15-11, 05:13 PM

Yes, I got it working - gave up on cheat Engine and went back to Ollydbg

Found the Memeory address via TSearch and added breakpoint on memory access to find whats writing to it.

Found the same commands I had found in Cheat Engine.

But was able to see the jumps and run routine in Olly. Could see the The offset 84 line was being jumped over to the offset 94 line.
So Manually edited the line to change the offset from 94 to 84 for both the original address and the one calling it.

What do you know it works. Now just need to figure out how to add the fix or maybe you could add it to your Reverse Engineer Patch file TDW

Next on the List has to be the Reset to Zero Bug.

DrJones · 06-15-11, 05:28 PM

Quote:

Originally Posted by reaper7

Yes, I got it working - gave up on cheat Engine and went back to Ollydbg

Found the Memeory address via TSearch and added breakpoint on memory access to find whats writing to it.

Found the same commands I had found in Cheat Engine.

But was able to see the jumps and run routine in Olly. Could see the The offset 84 line was being jumped over to the offset 94 line.
So Manually edited the line to change the offset from 94 to 84 for both the original address and the one calling it.

What do you know it works. Now just need to figure out how to add the fix or maybe you could add it to your Reverse Engineer Patch file TDW

Next on the List has to be the Reset to Zero Bug.

Congratulations reaper7

Now it is still getting more and more interessting....i think i should also keep an eye on cheat Engine and Ollydbg.

Keep on your good working...

Best Regard and Wishes

DrJones

06-14-11, 06:29 PM	#3
Obelix Seasoned Skipper Join Date: Aug 2010 Location: 49°44´N 129°40´E Posts: 665 Downloads: 124 Uploads: 7	Yes, the question is twofold. When thinking sensibly, in this case, no immorality and illegality there. Indeed, the only benefit that we derive from reverse-engineering is the only higher quality game. Ie. Exe cracked for improving the program, which has already purchased. Discussions on how to turn off DRM is not being conducted. But it could conceivably come to the ridiculous: in 2006 in Russia happened is that (probably Russia and abroad, the case made a splash): the headmaster had bought for school computers, which had been pre-installed pirated windows. The prosecutor's office seized the director of a stranglehold with a determination to defend the interests of Microsoft. Investigators were trying to close the deal "In the absence of a guilty person," and Bill Gates understand the situation refused to support a lawsuit against the director. Persistence prosecution is simply amazing. The first time it stopped "in connection with minor damage" but the prosecution insisted on a new consideration, the court did not want to sit for a long time Director awarded 5000 rub. (~ $ 180) against the alleged 262,000 rubles. (~ 9500 $) I am confident of the correctness of TheDarkWraith - who no matter how he knows all the pitfalls in this process. __________________ Speed squadron is the speed of the slowest ship ... but only so long as on the trail of the squadron did not sit submarines ...

06-14-11, 06:53 PM	#4
TheDarkWraith Black Magic Join Date: Jun 2007 Posts: 11,962 Downloads: 147 Uploads: 5	@ Obelix - interestingly I learned the majority of my 'specialized' skills from you Russians You all have people that blow me away with their RE skills and what they can do with software No matter how many books I read on the subject I'm always two steps behind you all @ Reaper7 - I'll look into those addresses tonight It's nice to see someone taking interest into RE. Let me warn you though that once you start down this path you'll probably never stop If you like puzzles and things that make you think then this will suit you well For me it's the whole challenge thing, the let's see if I can make it do this or that.....A great book on the subject is Hacking 2nd Edition - The Art of Exploitation by Jon Erickson. This book is more of an intermediate's book. A good beginner's book is Reversing - Secrets of Reverse Engineering by Elded Eilam After some years of this you'll see just how 'bad' windows is. It still amazes me how easy it is to take control of any process running on any computer running Windows EDIT: @ Reaper7 - not sure how you found that address....were you using Olly Debug? If so, what was the base address, size, and entry point of your SH5.exe? Last edited by TheDarkWraith; 06-14-11 at 07:47 PM.

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

06-15-11, 09:22 AM	#6
BigBANGtheory Officer Join Date: Dec 2009 Location: British Waters Posts: 243 Downloads: 98 Uploads: 0	Where does one start on such a vast topic? If you read guides about it like 2 sentances in it goes off on one about pointers, assembler, hex, debuggers without actually explaining anything or worse still explaining it with even more specialist terms

06-15-11, 05:13 PM	#9
reaper7 sim2reality Join Date: Jun 2007 Location: AM 82 Posts: 2,280 Downloads: 258 Uploads: 30	Yes, I got it working - gave up on cheat Engine and went back to Ollydbg Found the Memeory address via TSearch and added breakpoint on memory access to find whats writing to it. Found the same commands I had found in Cheat Engine. But was able to see the jumps and run routine in Olly. Could see the The offset 84 line was being jumped over to the offset 94 line. So Manually edited the line to change the offset from 94 to 84 for both the original address and the one calling it. What do you know it works. Now just need to figure out how to add the fix or maybe you could add it to your Reverse Engineer Patch file TDW Next on the List has to be the Reset to Zero Bug.