[TEC] *.exe Reverse-Engineering

[TheDarkWraith]

Quote:

Originally Posted by raymond6751

Quote: I do not know anything about this, but would love to learn more. The topic is totally new for me, as for many others here as well. Could the people who have experience in this, post their knowledge and share it to all of us?

This is illegal, regardless of your opinion. It is also morally wrong, just as pirating copies of discs and hacking.

That's an incorrect statement. The process of RE is legal as long as one does not redistribute the copyrighted software with changes. Your big name anti-virus companies, the government (US), and many large corporations use RE to learn how to use others software or to discover 'hidden' features not documented from the software manufacturer (anti-virus companies use it to learn how the virus, worm, etc. works and/or transmits itself). If this was really illegal then the US government and anti-virus companies would have thousands, if not millions, of lawsuits filed against them (not to mention those who made the virus, worm, etc. could file lawsuits against those who used RE to mitigate their creation).
Let me cite one example of RE that benefited everyone. Microsoft's Word format was a 'closed' format that only Microsoft's Word could read/create. Third party companies used RE to figure out the word format and they created software that could read/write the word format. Did you see Microsoft filing any lawsuits on this? No. There was nothing they could do about it because those third party companies created their own unique software that didn't use any of Microsoft's libraries or modules. Who was the winner in this? Everyone.
Check your local Borders, Amazon.com, etc. to see what they offer book wise on the subject. You'll see there are MANY books on it. They are EXCELLENT reading for those that have an interest in learning. Sadly the average person's knowledge in RE dwindles every day because of 'false fear' everyone tries to raise about it. Companies/corporations try to instill this 'fear' as a scare tactic and sadly it works on the majority of people.
The best defense is knowing the ways/tactics of your potential attacker/foe

[reaper7]

Well I've been trying to delve into this Reverse Engineering - since TDW mentioned ollydbg. Wow its complex stuff.
But I've managed to track down the stadimeter bug - locations in memorry.
I've managed to find the Base Address for the Stadimeter Range, that is the one that is linked to Sh5 memory address on loading and so is available always.
And also both of the Offset routes the stadimeter uses for that value (These use RVA address so change every time on game load - but I have the Base address and offsets).

Now of the 2 routes one is the Correct value and one is the bugged 20M value.

So I can see in the Bugged one.
That SH5 gets the range when using the stadimeter but on mouse release does not change to relflect the mast height - this value is then displayed in the XO Dialogue.

Now the working value.
Sh5 gets the range when using the stadimeter but on mouse release does update the Range to reflect the correct mast height.
(I also noticed that when I click The Stadimeter Fix icon from my Mod it - updates the incorrect value to the correct value - So this 100% confirms my fix is correct, But it would be great to fix the Stock Stadimeter bug in code.)
But the XO Dialogue does not update this value. So the correct value is never used by SH5 just sits in memory - This is most likely SH4 code


Now as my programming skills are very little - I do not know how to redirect the value from the Base Address of the correct value into the pointer of the incorrect value (That SH5 is using).
Don't know how to use Assembly to do the code inject or whatever is nedded to achieve this.


TDW any ideas on how this can be done
I can give you the address for the relevant data, but would like to learn how to do this also - by tutorial or whatever means

[TheDarkWraith]

Quote:

Originally Posted by reaper7

Well I've been trying to delve into this Reverse Engineering - since TDW mentioned ollydbg. Wow its complex stuff.
But I've managed to track down the stadimeter bug - locations in memorry.
I've managed to find the Base Address for the Stadimeter Range, that is the one that is linked to Sh5 memory address on loading and so is available always.
And also both of the Offset routes the stadimeter uses for that value (These use RVA address so change every time on game load - but I have the Base address and offsets).

Now of the 2 routes one is the Correct value and one is the bugged 20M value.

So I can see in the Bugged one.
That SH5 gets the range when using the stadimeter but on mouse release does not change to relflect the mast height - this value is then displayed in the XO Dialogue.

Now the working value.
Sh5 gets the range when using the stadimeter but on mouse release does update the Range to reflect the correct mast height.
(I also noticed that when I click The Stadimeter Fix icon from my Mod it - updates the incorrect value to the correct value - So this 100% confirms my fix is correct, But it would be great to fix the Stock Stadimeter bug in code.)
But the XO Dialogue does not update this value. So the correct value is never used by SH5 just sits in memory - This is most likely SH4 code


Now as my programming skills are very little - I do not know how to redirect the value from the Base Address of the correct value into the pointer of the incorrect value (That SH5 is using).
Don't know how to use Assembly to do the code inject or whatever is nedded to achieve this.


TDW any ideas on how this can be done
I can give you the address for the relevant data, but would like to learn how to do this also - by tutorial or whatever means

tell me what the addresses (RVAs) are and I'll view them ingame and tell you how I have to see if they are pointers to pointers or are the actual memory being used or if the memory is actually a stack address (temp variable) which then I'll have to track down when that value got pushed onto the stack so I can find it's true memory address.

[reaper7]

Quote:

Originally Posted by TheDarkWraith

tell me what the addresses (RVAs) are and I'll view them ingame and tell you how I have to see if they are pointers to pointers or are the actual memory being used or if the memory is actually a stack address (temp variable) which then I'll have to track down when that value got pushed onto the stack so I can find it's true memory address.

These are the Addresses i found

SH5.exe+47D740 (This gave me a Base Address of 005ED740 with my game)
Sh5.exe Process was at 000014B0.

second one had a Base Address of 005EE290

Hope I've done it right and found the static ones and not false pointers.

[Obelix]

Yes, the question is twofold. When thinking sensibly, in this case, no immorality and illegality there. Indeed, the only benefit that we derive from reverse-engineering is the only higher quality game. Ie. Exe cracked for improving the program, which has already purchased. Discussions on how to turn off DRM is not being conducted.
But it could conceivably come to the ridiculous: in 2006 in Russia happened is that (probably Russia and abroad, the case made a splash): the headmaster had bought for school computers, which had been pre-installed pirated windows. The prosecutor's office seized the director of a stranglehold with a determination to defend the interests of Microsoft. Investigators were trying to close the deal "In the absence of a guilty person," and Bill Gates understand the situation refused to support a lawsuit against the director. Persistence prosecution is simply amazing. The first time it stopped "in connection with minor damage" but the prosecution insisted on a new consideration, the court did not want to sit for a long time Director awarded 5000 rub. (~ $ 180) against the alleged 262,000 rubles. (~ 9500 $)

I am confident of the correctness of TheDarkWraith - who no matter how he knows all the pitfalls in this process.

[TheDarkWraith]

@ Obelix - interestingly I learned the majority of my 'specialized' skills from you Russians You all have people that blow me away with their RE skills and what they can do with software No matter how many books I read on the subject I'm always two steps behind you all

@ Reaper7 - I'll look into those addresses tonight It's nice to see someone taking interest into RE. Let me warn you though that once you start down this path you'll probably never stop If you like puzzles and things that make you think then this will suit you well For me it's the whole challenge thing, the let's see if I can make it do this or that.....A great book on the subject is Hacking 2nd Edition - The Art of Exploitation by Jon Erickson. This book is more of an intermediate's book. A good beginner's book is Reversing - Secrets of Reverse Engineering by Elded Eilam After some years of this you'll see just how 'bad' windows is. It still amazes me how easy it is to take control of any process running on any computer running Windows

EDIT:
@ Reaper7 - not sure how you found that address....were you using Olly Debug? If so, what was the base address, size, and entry point of your SH5.exe?

[Anvart]

Quote:

Originally Posted by TheDarkWraith

...- interestingly I learned the majority of my 'specialized' skills from you Russians...

maybe... but I also noticed the familiar words of Jeffrey Richter from his famous book Programming Applications for Microsoft Windows... in your famous thread...

[reaper7]

Quote:

Originally Posted by TheDarkWraith

@ Reaper7 - not sure how you found that address....were you using Olly Debug? If so, what was the base address, size, and entry point of your SH5.exe?

Redid the entries to show all the Information I could. Values have changed due to sh5.exe using different loading memory location.

But hopefully all the relevant info is here to get the Stadimeter.


In the Following Pic You can see the Base, Size and Module name thats loaded for SH5.
I'm using Cheat Engine 6.1 to find my addresses and pointers within the sh5.exe code and memory thats used.



Also took 2 more pics to show whats happening with regards the Stadimeter and the 2 pointer branches that are used.






There are a total of 16 addresses that hold the stadimeter values (Both SH5 and Sh4) of these 2 are writeable the rest read only.
I only worked with these 2 to bac track thru all the pointers to get to the Base Address (Cheat Engine shows this value as green to show its a static address).

One thing I noticed that both code sets used are very similar except for the offsets used in the last pointers code for both.

One has its offset at 00000084 the other at 00000094 as can be seen in the Memory viewer in first pic - maybe this is the problem

Hope that this info is good to get you going TDW


EDIT: Still not Sure this is the Base Address - Need to find how to do this in Ollydbg

Here is the Op, Assembly code you can search for - maybe that will help to find it
00412FF5 - F3 0F11 81 84000000 - movss [ecx+00000084],xmm0