WaxfordSqueers
December 7th, 2008, 03:08
Quote:
[Originally Posted by unix;78045]I am still trying to analyzing the game, however, havent made much progress so far. But wont give up..  |
If you're really into it, try loading it in IDA. If it complains about a missing import section, you know it is protected. If it loads fine, look for references in the "strings' section. Now for the fun.
Load it in your favourite debugger and stop it at the first byte of execution code. Even if it is protected, there will always be a first byte, which should show up in IDA as a confirmation. Start single-stepping the first few bytes to see if it behaves. If the code starts changing as you type, you need to look up a tute on obfuscation. You could do it yourself, but there are principles involved in knowing which bytes can be jumped over and those which can't. Sometimes protections are checking for single-stepping.
If the code is clean, you'll be in an initialization phase in which you can pretty will jump over functions. The init section sets up memory, parses command lines, etc., for the app. No windows work is done here. Using IDA, find where the jump off point is to winproc. That's the function called where the actual windows work is done. If it's not obvious in IDA, you can trace through the init section by jumping over functions till you see a call to exitprocess, or similar, is called. winproc is usually the last function call before that, or close to it.
If the app is protected, there will be a wrapper around this init code but the start of code will now be the wrapper's SOC. The difficulty in tracing through it will depend on which wrapper it is and how recent it is. In any case, you are trying to get through this wrapper to the apps OEP (original entry point) which is the start of code I mentioned before. When you reach that, start over where my mini sermon started. To get there, you will probably have to identify the protection and get some help to reach the OEP. Since your object is to modify text, you may want to bypass the protection, if you can, using a previously worked out method.
It's important to keep notes. Before you jump a function, take down it's address. That way, if something goes wrong during the call and you get lost, when you restart and go to start of code, you can simply set a BPX on that address and go straight there. Or, if you're even smarter, you'll take down addresses on the other side of the call and jump to that. Also, look for proper function names along the way that you can set a bpx on. If a protection is looking for single-stepping alone, and you bypass that section with a bpx, it wont detect that unless it's looking for a bpx as well.
If you make it to winproc, you are normally in a loop from which all the rest of the app operates. The windows are built here and calls to any protection usually reside here. This loop only exits for program termination.
Since you're dealing with a game, there may be directx involved, and that's another kettle of fish. Check in the RCE search engine for some of Silver's stuff on DX or try to find my explanation of a directx crackme of his. The call to directx will come from within winproc, and in my experience, it came after ShowWindow, after the last window was registered. Reversing directx is not rocket science but it requires a different way of thinking.
If DX is involved, you will reach a point where it takes control and shuts out your debugger. You have to learn how to put it in a window rather than letting it take fullscreen, then your debugger will work again. You may need a debugger like softice, however, since in my experience, I needed to access ring 0 so I could break on functions in ring 0. Worry about that when you get there, if you do.
Although this is painstaking, slow work, it will teach you a lot about how apps work. The better you get at it, the better you get at knowing where to jump to avoid situations, and the better you get at recognizing how the app is implementing its resources. If you have to eventually modify the text, you are most likely going to need a detailed layout of the app's structure anyway. If there are CRC checks, you are going to have to deal with them, and the process I have described may be your only alternative.