Reverse Engineering and Weaponizing XP Solitaire (Mini-Course)
Vložit
- čas přidán 22. 07. 2024
- As a beginner, reverse engineering can be a daunting and frustrating endeavor - But it's a lot more fun if you can learn via hacking and modding games to create your own cheats and maybe even inject a few (harmless) pranks into the code!
Whether you watch it all the way through, or just in bits and pieces, join me in this master (of none) class as we try to recapture the fun and amazement of being a first-time reverser exploring and testing the limits of software and our own creativity, while also taking our minds off of the curse of the headless twins which has plagued our times!
In this video, we will:
- Use Ghidra to look at the internals of the XP Solitaire binary
- Hack the gameplay to our own benefit using Ghidra and x64dbg
- Create our own card images to use in the game using Resource Hacker + Python and Pillow
- Write C++ code to perform DLL Hijacking/Proxying to run our own "weaponized" code when Solitaire runs
Please leave feedback and questions here as comments, or DM me on Mastodon (social links listed on the channel).
Check the pinned comment for any updates to the content.
Remember: Use your knowledge and skills for good and fun, not evil (not even evil fun).
Finally, let me know what you would like to see in future videos!
Project Homepage:
github.com/jeFF0Falltrades/Tu...
Resources and References:
- XP Solitaire Download: archive.org/details/ms_solita...
- Ghidra: github.com/NationalSecurityAg...
- x64dbg: x64dbg.com/
- Resource Hacker: www.angusj.com/resourcehacker/
- Format of Icons: devblogs.microsoft.com/oldnew...
- Two's Complement: www.rit.edu/academicsuccessce...
- Cutting Room Floor - Solitaire: tcrf.net/Solitaire_(Windows,_...
- x86 Opcodes: nets.ec/Shellcode/Appendix/Al...
- Structure Padding: www.javatpoint.com/structure-...
- Pixlr Photo Editor: pixlr.com/e/
- DLL Hijacking www.upguard.com/blog/dll-hija...
- MSYS2: www.msys2.org/
- cards.dll Function Descriptions: www.catch22.net/tuts/win32/usi...
- Writing DLLs: www.tutorialspoint.com/dll/dl...
- PE Resource Section Blog: blog.kowalczyk.info/articles/...
00:00:00 - Intro
00:03:46 - Important Notes
00:05:23 - Downloading XP Solitaire
00:07:00 - Starting a Ghidra Project
00:09:00 - Ghidra Familiarization
00:17:58 - Start Reversing: Examining Strings
00:21:41 - Patching Metadata Strings
00:25:33 - Loading/Patching Resource Strings
00:34:57 - Learning/Modding the ShellAbout Window
00:37:01 - Detour: Loading Icons from GroupIcon Resources
00:43:20 - Back to Modifying the ShellAbout Window
00:47:31 - Start Gameplay Hacking: Examining Scoring
00:59:56 - Finding the Score Value
01:03:03 - Scoring Options Parsed from the Registry
01:07:43 - Using x64dbg/x32dbg to Debug Scoring
01:22:45 - Detour: Two's Complement
01:26:06 - Back to Reversing the Scoring Function
01:30:37 - Found Score; Manually Modifying It
01:32:59 - Permanently Hacking the Scoring System and Timer
01:37:46 - Disabling the Game Timer Permanently
01:40:07 - Finding Score Value Tables
01:43:16 - Patching the Score Tables Permanently
01:49:55 - Testing Our Patched Program
01:52:16 - Creating Our Own Cheat Code
01:54:45 - Keyboard Accelerators Overview
02:00:16 - Detour: Structure Padding
02:01:41 - Back to Writing Our Own Cheat Code
02:04:03 - Testing Our Cheat Code
02:04:31 - End Gameplay Hacking; Start Modding Card Graphics
02:05:41 - Introducing Resource Hacker
02:06:46 - Examining Card Graphics in cards.dll
02:07:40 - Swapping in a Custom/Handsome Card Graphic
02:09:07 - Accidental Hilarity
02:09:50 - Formatting and Importing Our Graphic
02:11:05 - Overview: Using Python for Generating Custom Graphics
02:12:46 - Python Script Output
02:13:36 - Compiling .rc files to .res files
02:14:17 - Importing the .res file into Resource Hacker
02:14:58 - Playing with Our Custom Cards
02:15:19 - End Graphics Modding; Start Weaponization
02:16:23 - DLL Hijacking/Proxying Overview
02:18:55 - Downloading MSYS2/gcc
02:20:49 - Choosing a Function to Hijack
02:24:09 - Writing a DEF File
02:26:53 - Writing Our Weaponized DLL in C++
02:36:13 - Compiling the Weaponized DLL
02:41:09 - Wrap-Up
02:42:42 - Bonus Chapter: Manually Reversing PE Resource Trees
Music from Uppbeat:
uppbeat.io/t/dominique-charpe...
License code: QCOL8HO4IBFDSKTZ
uppbeat.io/t/ak/time-flies
License code: KA8ZAYC34IVTKIPS
Photos from Pexels:
www.pexels.com/
Get out of here, False Brian... - Věda a technologie
Thanks for being here! I hope you enjoy and get something out of this video.
I will be posting any edits/updates/corrections to this pinned comment.
The mistakes I've found already in post have already been marked in the video, aside from one:
It was a mistake to leave making my intro for last + making it in the middle of the night such that it became the fever dream that you see today.
If any other mistakes or updates are identified, I'll post them here - Thanks for watching!
1. H/T to Antoine Neuenschwander for explaining that the ‘&’ I talk about appearing in some strings at 58:36 in the video denotes which key to press when holding “Alt” to highlight or select an option. Thank you!
2. Not an error, but an update: A classmate of mine saw this video and was able to provide the name of the real Professor Brian! False Brian is reacting as you’d expect to the news…
Hi , can you please make also the font bigger for the decompiler (this on the right side, with source code) next time :) ?
Yes I will! Sorry about that. I probably need to bump it up in the debugger as well - I was noticing I didn’t do the same adjustment in x64dbg, and it’s needed there too. Thank you for the feedback!
Mdvo8y
@@jeFF0Falltrades hey, great work! two things: using dark mode would be nice! and second, xref doesn't appear on the score string, any ideas why? I tried looking it up but didnt find it
@@and_I_am_Life_the_fixer_of_all Thanks for watching and for the follow-ups!
1. I did start using dark mode in my later videos; Just took me a while to finally switch that on in my recordings.
2. You won’t see any Xrefs to strings loaded with “LoadStringW” because they are loaded by *ID*, not by address - so when a disassembler like Ghidra does the disassembling, it doesn’t recognize any cross-reference to the string address because there is no reference to the address itself; Instead the string is loaded by its resource ID.
3 hours... this is a gift... thank you
Haha I’m glad you think so!
I’ve found that some people really like the long form, and some people don’t, so I try to mix it up - I like doing these longer vids because I know if I was starting over again, I would want someone to walk me through step-by-step.
So I hope you enjoy, and don’t feel like you have to tackle it all at once ;-). Thanks for watching!
@@jeFF0Falltrades Please upload more videos
@@moviezbuzz77 The ideas are there! I have a few things in the chute that I just need to find time to put together. More is coming though :-). Thanks for watching!
Yup, it's a gift, and in video format
that's what she said
At 58:36 those ampersand characters are used to denote access keys shortcut. In the dialog, press the "Alt" key to reveal the access keys (underlined characters) and type "a" to switch to Standard mode.
demo: czcams.com/video/yu-aR3qZpMI/video.html
AHHH! Thank you so much! That makes perfect sense. I’m going to add this to the pinned comment as a correction. Thank you!
Really high quality content here... probably the best video on this platform for a beginner (me)... please continue making this kind of videos Jeff...
Love from Italy
Grazie mille, Gianbattista - You are too kind. I’m so glad to hear you enjoyed and I plan on making more content soon! Already have some ideas in mind for next time :-)
Happy New Year!
I am incredibly grateful for the good reverse engineering tutorials you create. Your detailed and slow-paced approach to teaching is really helpful. Please know that your work is highly appreciated, and I eagerly await each new tutorial. Keep up the fantastic work! Thank you!
Thank you so much and I’m so glad you enjoy!! More to come soon! Thank you for the kind words.
I think this is the video that makes me finally understand.
I like that this video is slower and explains each step plus the reasoning behind it, a lot of videos I've watched seem to just expect me to understand _why_ without explanation.
Thank you so much!
So good to hear! That’s why I started doing this series: I always had a hard time finding tutorials that took it slow and built upon concepts, so I’m at least trying to get something like that going in these.
Thanks for watching!
Thank you so much for taking the time to put this excellent resource together. You have a fantastic teaching style and my brain feels larger :)
Thanks for taking the time to watch it! So glad you got something out of it!
Hey ,just viewed your tutorial at work :). I think your teacher (Brian) would be proud of you. I ve been struggling to learn RE for years, always kept it for later.
I cant tell you, how much I appreciate that you found time for beginners like me, and explained it perfectly. Thanks !:)
That is so nice of you to say! I truly hope it was helpful and so glad you enjoyed, Patrick!
Absolutely the best intro to RE'ing I've ever seen! Directly thanks to you I've been able to crack some long-forgotten niche software my Dad uses on a regular basis. Cannot let abandoned software go to waste :) Thank you so much!
Outstanding job!!! Thanks so much for the kind words, and if you enjoy learning more, I have new vid planned for release hopefully by the end of this month/beginning of next :-). Thanks for watching!
Thank you so much for your time in making this video. It's priceless!
Thanks so much for watching and so glad you enjoyed!
We need you back dude.
Great work!
Thanks a lot for sharing your knowledge.
I highly appreciate that.
Hope to be back soon! Started researching the next vid a couple of months back but work/life (and some issues with YT that have since been resolved) have gotten in the way. I’ll be back soon enough though ;-) Thanks for watching!
This is a really good introduction to reverse engineering. After other tutorials I was always feeling lost and overwhelmed. Yours has really clear explanations and walk-through of the entire process. Thank you for your work. I am excited to learn more.
So happy to hear as this is what I strive for - so glad you are enjoying it and I hope you continue to learn!
From your experience, I myself am a beginner, how would you recommend me to start learning reverse engineering by myself. Should I first learn C or assembly or any other topics?
I loved the Rollercoaster Tycoon video! Will definitely watch this one too when I have some time :)
Thank you so much! Please take your time with it - As someone who had to watch through multiple times in post, it's best enjoyed in pieces ;-). I hope you enjoy!
This is really quality content. Thanks so much for putting it together. Subbed and looking forward to more tutorials like this!
So glad to hear you enjoyed! I look forward to making more soon! I think I already have a good subject for the next one :-)
Wow, I've just stumbled accross your channel. Def needs more views, it's insanely good!
Thx for the great content:)
Thanks so much for the kind words! I’m so happy to have you here.
Hoping to push out another one here in the next month or two (if things go to plan) :-). Thanks for watching and I hope it helped you.
Listen to me.... After 5 months of publishing this treasure of infos. And after about 10months for me learning.... 8 can say that u are walking in same road of your teacher.... God bless u both ❤❤
This channel should be my source Now
Aw thank you! That is so kind of you to say and I’m glad you’re enjoying these!
i didn't know that this was what i wanted. entertaining. goodish pace (i don't know what i would want different). thanks. very much NOW MOAR DO IT NAO
Hahaha so glad you enjoyed! More to come, but probably not right now, right now - got 2 videos in the works soon though… 👀
Thanks for watching!
Very cool, there were a lot of good tips in there. Thanks!
So glad you enjoyed!
Very high quality and interesting, thank you
Thanks so much for the kind words!
Hey, I'm a fourth year comp sci student and just wanted to say that I loved the series and the videos were really helpful. We used ARMv8 so I wasn't a beginner by any means, but I thought that your explanations were great and fit in well with my current knowledge base. You also really broke down the use of the tool chain well which allowed me to experiment on my own with your crackme challenge. This actually was a great exercise because it allowed me to see where my knowledge gaps were when I was trying it on my own and in turn i could go back and reference the video. I must admit that ghidra has some quarks compared to watching others use IDA, but 5k for the pro version that comes with a decompiler is too much for educational exploration. Thank you so much for this.
Thanks so much for this incredible feedback! So glad to hear you enjoyed this one (I also really enjoyed making this one - it was a ton of fun), and I wish you all the best as a fellow CS grad.
Hope some of the other videos here and future videos we do will also help along, and never hesitate to ask questions if you have them.
Lastly: Very agreed on the IDA pricing and why I pretty much switched to being all in for Ghidra and (occasionally) IDA free :-)
Thanks for the video, I really enjoyed it!!
So glad to hear, Hans!
Before I start watching that video I would like to thank you for Rollercoaster Tycoon video I learned a lot Keep going bro :)
Thank you so much for sharing! I love hearing this because this is the reason I enjoy making these videos - So glad to hear the video helped and hope you enjoy this one too! Thanks for the kind words and motivation.
@@jeFF0Falltrades I appreciate that, one day youtube will choice your videos and showing them to people who interested in reverse eng and Binary analysis and I'm sure they will be happy as me :)
Thank you, my friend - That means a lot :-)
Your channel is awesome! Hope there will be more videos :)
You’re awesome! Thanks so much - and yes, on the tail end of a new one now, in fact. Stay tuned ;-)
Great Video on Reverse Engineering
Thank you! So glad you enjoyed!
A useful tool for you to add to your arsenal might be Cheat Engine (A memory scanner). Can really aid in finding how various values are stored, what code they're accessed by, etc.
Great video
Thanks so much, John!
Very familiar with Cheat Engine, and I would also recommend it to anyone wanting a smooth intro to patching/RE.
I’ve thought about including it in some future videos, but I’ve had issues with YT flagging videos for any mention of it previously.
I’ll say here though: A great tool for beginners (when used for good)!
You cannot import as PE, and export as PE. You have to import as RAW, then export as PE. At least in my case I had no PE option when exporting.
The score_base_minus_0x30 is probably a pointer to a struct if I had to take a guess. And the score field is stored 48 bytes into the struct, hence adding 0x30.
I believe Ghidra has the ability to handle structs if you tell it that something is a struct.
Yep, that makes sense - I don’t think I had seen the auto-variable rename like that in Ghidra before, but I like it!
Thanks for that clarification and thanks for watching!
Thanks Jeffo, I hope your Fall Trades go well!
They’d be going a lot better if stupid Diane Sweeney wasn’t taking attention away from my beautiful gourds with her glow-in-the-dark pumpkins - It’s nothing but a party trick, but people are too busy gawking over that spectacle to notice the quality of these gourds!
Really impressive! Thanks for this HUGE info. I'm/was looking for info to reverse engineer an old Fortran program of 140kb. Those programs might help a lot.
That’s awesome! Would love to hear you how make out with that Fortran program - that sounds like fun
1:37:39 well that's easy: all you really had to do was so set up a WRITE breakpoint on the SCORE (its address you did figure out and that was a hard part), so the timer would decrease the SCORE and hit your breakpoint on doing so.
After building the DLL i keep getting 0x7b error. Couldn't find out why and was slowly losing it. Pulled it into ghidra and found out it was a 64bit. Builed again with MinGW x86 and succsefully got rick rolled . Finally, i was sane again.
Thank you for this wonderful course.
"Successfully got rick rolled. Finally, I was sane again" - The universe in balance once again. Haha, thanks so much for watching and so glad you enjoyed! Great troubleshooting, too.
Nice content, thank you for sharing
Thank you for watching!
Best video on YT
Thank you 🙏 And thank you for watching!
great job keep going
Thanks for the kind words!
Thank you! I'm learning a lot.
I wanted to ask, how the functions addresses in ghidra and in the x32dbg are the same?
The addresses are predefined in build time?
This can depend on if your system has ASLR enabled and a few other factors - Most executables have a preferred base address, which is what Ghidra goes off of, and - if ASLR is not enabled - x32dbg will also load the PE at that preferred address. And that base address can indeed be set at compile time, but it may not be respected by the OS (that’s why it’s called “preferred”). Hope that helps!
58:40 The '&' in the strings are probablly accelerator key markers. Those are the underlined letters in the menu, for example 'F' for File, E for Edit,...
Thanks! Someone else also pointed this out and I’ve added a note in the pinned comment - nice spot.
ur a really good teacher
Thank you, and thank you for watching!
58:30 -ish the ampersand (&) is used to tell the window system that it should listen for that key as a shortcut for the menu option
Correct - I edited my pinned comment to reflect this as others have pointed it out, and that makes perfect sense. Thank you!
I wonder if you have Svenska classes, Jeff.
The way you explain I might even get it 😊
@@b213videoz Nej det vill du inte 😉😂 There are much better Swedish teachers, I’ll just stick to my machine languages thanks 😆
Thanks for watching as always!
The ampersand may mark the next character to be underlined when text is printed
Yep - I marked it in the pinned comment as well, but as others have said - it actually designates which character in the string will be used for keyboard shortcuts/access keys (which are the same ones that are underlined)! Which made a ton of sense in retrospect.
Thanks for watching!
Hey ! Thanks for the video, I think the ampersand is for keyboard shortcut
Yes! I saw another comment about this and you are correct; I made an edit to the pinned comment to reflect this. That makes perfect sense in hindsight. Thanks for watching!
Thanks a lot!
This is a very clear and easy-to-understand explanation.
Is there any x32debugger alternatives for mac?
So glad you enjoyed!
Debugging software for Macs is tricky - I think the only GUI debugger that works on Mac and comes close to x64dbg is gdbgui. Others may have different options, but that’s the one I’ve seen used most often.
this is a really great video but near the end i thought you were going todo something like, an exe that if you launch it apply the patches to the game but don't make permanent changes to the original exe. i don't know if you already have a video on your channel but it would be great for modding
Yeah I think I get what you’re saying - we didn’t do that as much in this video/script, but if you check out my RollerCoaster Tycoon videos, those scripts do exactly that - take patches and apply them to a copy of the original EXE while leaving the original intact. This one just happened to be more focused on the DLL injection. Thanks for the feedback and for watching!
Really enjoying this course. I’m trying to apply it to an old application (Delta Force 2 Mission Editor), and I started very similarly with trying to patch a string in the About dialog. However, I hit a weird roadblock where I would change the string and export the program, but the text in the application didn’t change.
I later found that the app actually uses text from a text.bin file, so I can change the text there and see the result in the app. I’m curious why the text shows up in a Ghidra search of the .exe file if it’s read in from an external file at runtime. Is that a pattern you’re familiar with?
Nice job!
As far as the text, when you search it in Ghidra, where exactly is it showing - i.e. what section is it showing in?
Knowing that can help shed some light on what exactly is going on.
You make great ghidra tuts
45:50 this exception you get when patching in ghidra, i think is because you are overwriting with longer string and the data is static thus constant space and what you did with hex editor is basically fixed you mistake.
Thanks so much! And yes, I think you’re right - You would think Ghidra could detect that and print an error to let you know the same, but idk - maybe it’s a more difficult problem to account for than I think.
Thanks for watching!
Why does my Ghidra export sol.exe not have PE in the format selection box when I try to export sol.exe? I have "original file."
If I understand correctly, you’re trying to export a PE from the original sol.exe?
If that’s the case, then “original file” is what you want, since sol.exe should also be a PE.
Nice video! I wonder why the proxied dll (@2:40:!3) suddenly get that big from merely 352kb to a whopping 2,3 MB. Is there anything we can do to keep it small or it's just an inevitable proxy side effect?
Keep in mind the cards.dll file that was 352kb was the original one (that was packaged with solitaire) so there are a number of reasons it could have been that much smaller (e.g. it was made for compatibility with a far older OS and so used much more memory efficient code/compilation flags) - we could work at reducing the size of our proxied DLL by toying with a few efficiency flags in gcc or using a packer to have it “blend in” a bit better - good spot and good question!
& is used to denote the shortcut key in Windows menus. It converts to an underlined character when displayed.
Yep, exactly - others have pointed out the same, so I updated the pinned comment to denote this. Thanks, and thanks for watching!
@@jeFF0FalltradesSorry, I got excited because I was able to contribute something I knew that you didn't... not very common when you're watching something like a training video. I was already familiar with reversing and cracking generically, but I enjoyed watching your specific breakdown vis-à-vis Solitaire and I definitely don't know everything, so there's always something to be learned by observing others. Thanks for the content.
@@Salsuero Not a problem at all! You should be excited 😃 Thanks for sharing that knowledge forward!
great video. I've decided to watch other videos (like this one) of yours after finishing the x86 assembly class you recently uploaded.
I have one question though, why do you use PascalCase for variables and function names?
Thank you! And to your question - Where do you mean? Because I usually use snake case for functions and variables when writing my own stuff?
@@jeFF0Falltrades I'm talking about the labels you assign to local variables and parameters of functions in ghidra. For example, you set the variable of the score mode, to "ScoreMode" (PascalCase), instead of "scoreMode" (camelCase) or "score_mode" (snake_case)
@@Proferk Ahhh I see. TBH, I have no idea hahaha. I didn’t even realize I was using a different style in Ghidra vs VS Code until you pointed it out. I probably started doing it to differentiate my named variables vs Ghidra’s or something and it just stuck. Usually I prefer snake case for vars and functions and PascalCase for class names. Good spot haha
Hey, how do you do that the x32dbg when dragged sol.exe on it opens the actual game window, on my side nothing happens. The process itself (the solitaire game) exists within x32dbg's process but there is no window for it.
Hey! Make sure that your debugger is not stopping on a breakpoint (check the bottom-left corner of the debugger which will say “Paused”).
If it is Paused, hit the “Run” button or press F9 to get the program to proceed; That should pop up the game window and let the program proceed, assuming there are no other breakpoints or exceptions taking place (the debugger will let you know in the bottom-left and bottom pane if there are any breakpoints or exceptions).
Hope this helps, and if not, let me know so we can troubleshoot further
@@jeFF0Falltrades Thanks, it worked. But still pretty weird that i got some entry breakpoint and 1 exception.
Hey, just throwing this out since you mentioned the confusion with the '&' inside of some of the strings. Having done development with Windows forms, which are like a complex wrapper for low-level C++ GUI development, the '&' is a symbol used by Windows for shortcut keys. I'm not sure when this feature was used the most, but you can still use it today by pressing Alt in a program, and then looking at the menu items that have a character with an underscore. The underscored characters are hints for what menu item you want, if you press the same letter as the underscored character, it will open that menu item.
Thank you! Yes a few others chimed in to explain that and I appreciate it - I hadn’t seen that syntax before, but it’s kind of a neat way to denote shortcut keys! Thanks so much and thanks for watching!
@@jeFF0Falltrades No problem. Love the videos. I actually found the usage in the strings to be a little funny as I didn't know that C++'s Windows GUI API used the same syntax for that feature. I thought it was a quirk with the C# Windows Forms, so it was entertaining to see it 😄
@@bug1083 Hahaha yeah, I’ve really had a laugh at some of the things that come out as happening “under the hood” when reversing software - Lots of “Wait…*that’s* how they made that work?” moments 😆
@@jeFF0Falltrades Yeah haha. I only recently discovered your channel, and not sure how much you dabble in languages and asm optimization, but it might be cool to see you reverse engineer code relating to some of the more lesser known assembly calls, big ones being "vmovupd", "vmaxpd", and "vzeroupper" which are robust vector calls. I'm actually curious how often those keywords appear out in the wild with modern programs today, and what exactly they do in the context they appear in. They are more complicated and require a lot of work on my part when using GCC, you have to almost directly tell the compiler to use them when optimizing sometimes, so it's be interesting to see.
@@bug1083 That’s a good idea! I’ll have to see what kind of programs I can find (or make) that would be good for something like that.
Thanks ❤
Thanks for watching!
1:42:02, It is being called from 6 sides, could get a little **dicey** lmao, unintended pun?
HA! How did I manage to miss this - I would have ridden the high of making that pun all throughout the rest of the video.
hey :) what is this theme you use in vs code? I love it
Synthwave ‘84 by Robb Owen! I also love it and have had it for years now. Can’t tear myself from it haha.
@@jeFF0Falltrades Nice, Thanks :D
What VS Code theme do you use? I really like the bloom effect going on
That would be Robb Owen’s “Synthwave ‘84”! And I don’t know if I’ll ever be able to switch from it because I love it so much.
@@jeFF0Falltrades Thanks! I'll look it up
The & symbol you are asking about in "st&andard" means that the next letter in this case a will be underlined and if you press a on your keyboard it will select that item. So it provides a quick way to navigate the menu with the keyboard. Although I see it doesn't seem to underline on your end. That said pressing a inside that menu should still work but it could be broken. Select vegas first so the submenu is active, it only works within an active menu so this isn't global. You don't seem to use windows very often which is a good thing I suppose, to refresh the registry or any window for that matter just press F5. 😉
Thanks! Others have mentioned that and I updated the pinned comment with the correction - makes perfect sense in retrospect!
I don't have the Portable Executable format. Could someone help me?
You figure it out Im having the same issue
Hermit status ftw!
👏👏👏
University offers Reverse Engineering courses? Where is that? Which one? I’m interested.
In the case I’m talking about in the video, it was a course taught by an adjunct professor at the university I went to, but these days, I know of several university computer science departments who now offer reverse engineering courses (at least in the US) - a friend of mine has his own course lectures on the topic online for free at class.malware.re if you’re interested !
can you reverse engineer a slot machine if you know how much its programmed to pay out and know the seed is constantly changing for time of day
You can RE just about anything! But it probably wouldn’t gain much in the way of winnings or anything but knowledge of how the machine works. Would be really fun to do - most modern ones work similarly and are pretty much just based in stats and probability.
@@jeFF0Falltrades i was thinking about the russian hacker dude who did it on older ish machines still prng. had his phone buzz before payouts after filming twenty or so spins. as well as this video czcams.com/video/JyIWQIdxaOA/video.htmlsi=9Apc9MAR9z_NgSL8 that machines have to leave the factory paying out exact amount and that the seed is constantly changing every second but somehow someone figured out when and programmed it into a phone. it just interested me if i could figure out when it hits postive payouts or a minigame but not further . im not smart enough to understand the prngs yet though.
I dont know English very well and I spent a lot of time learning these and Im tired
Thank you very much for your video very nice video :}
but can you briefly hack a simple game as a tutorial?
I really need this
1:37:56 - How did you find the timer in this part?
I cant find it if it were me and I want to learn about it, but unfortunately I couldn't understand it.
Sir can we predict the result of game by previous results in card games
The game state is only tracked per game, so you could potentially predict the result of the game for the *current* game based on moves (some games of Solitaire actually do this and end the game when it is unwinnable), but I do not think you could do any prediction based on past games’ results in this case.
Can you help me to predict game result
And can you teach me how to predict the result please
sorry, but why did you use msys2 instead of wsl?
I could have used WSL, but I wanted to try to account for folks who probably didn’t want to set WSL up if they hadn’t already just for the tutorial, so MSYS2 seemed like a lightweight solution for Windows users who don’t have WSL already ready to go to quickly follow the build process without configuring a bunch of options.
the god is back
Nic Cage never left us ❤️
So I took on my first reverse engineering project to reverse a bootloader. I'm proud to say I'm very successful in my project! It's shockingly fun too haha
That’s awesome!!! Many wouldn’t think it, but RE can be a blast under the right circumstances. Thanks for watching!
How did you add nullbytes in 45:46?
Same I did as the other bytes in that section! Just put 00 in for their values as opposed to any other value, and you have a null byte.
If you have questions on how to modify the bytes in general or if I can explain better, let me know!
EDIT: And to be clear, I added the extra null bytes to make the string size the same as it was before we modified it, to ensure the modification wouldn’t cause issues elsewhere.
@@jeFF0Falltrades I dont think I understood, when I try to add 00 in the byte edit window, it becomes another value in the program...
@@gabrielgoncalvesazevedo9114 Hm, one thing to watch out for is what text encoding is being used - in the video, this is a Unicode string, so each character is 2 bytes - so in order to make a null char, both bytes need to be 0 (so 00 00 is one null char, in other words).
Not sure if you are looking at the same program or a different one, but that is the first place I would check. If that isn’t it, let me know and we can chat more.
@@jeFF0Falltrades Thanks, that actually helped me to understand! Im following along with same software.
@@gabrielgoncalvesazevedo9114 Excellent! If you have any other questions, feel free to let me know! Hope you enjoy!
Show the intro to professor true brian
Heya JeFF! This tutorial is a real gem! you helped me get better at my hobby and that is modding :). I have a couple advanced questions. I have a game injected with a DLL file by replacing existing one - just like the way you do it this tutorial.
When the injection is loaded i want to run a code that make code of the binary between two addresses become NOPs.
I created this function:
void SetNop(const char* address, const int length) {
char* startAddress = address;
const int numNops = length;
for (int i = 0; i < numNops; i++) {
*(startAddress + i) = 0x90; // Set the byte to the NOP opcode
}
INFO
Nice!!! One place to start to look is to see if the memory is writeable - typically it won’t be by default. You can get around this by using a function like VirtualProtect() or WriteProcessMemory() to set the permissions on the section where the code you’re trying to modify is to be writeable.
@@jeFF0Falltrades it took many hours, sweat and blood... but i did it. Thank you so much! :)
@@jordankostov7581 Congratulations on persisting! You should be proud!
Thank you Jeff!
With my newly acquired knowledge i was thinking how much can be accomplished in terms of migrating my assembly patches to the DLL injection and i got some design questions in mind. If you have any tips regarding them it will be great.
Questions:
1. In the video above you impersonate the existing DLL by bypassing it. However the bypass requires the original DLL 4 functions to be defined in the export file so they are still available for the binary to use.
What if the original exe had 400 functions? Do you have to define them all manually or there is another approach?
2. I do noticed that you can do the following type of patches quite easily the DLL injection:
- change existing binary variables
- complete rewrite of existing binary functions
But what if there is function that is very large in size and i want to modify just part of it? What will be the most common-sense way approach that? Will I have to use assembly again or there is a better way to modify in C++?
What if i want to add the function code ? With normal assembly a jump is done to a empty space at the end of the binary where the new code resides, then after it is executed it goes back to the function. Is there a better approach with the DLL injection where the new code is kept at the DLL instead?
3. What are your thoughts on going around Windows 10 D.E.P. ? As the game we mod gets more (and more complex) patches, player with D.E.P. enabled had their game crashing and even refusing to start. This behaviour is of course based on pure assembly patching with hooks. Will the DLL injection method help me go around that issue?
May be questions are not defined really well. :)
You didn't patch out the -100 after explaining that it was hard-coded.
At which timestamp?
@@jeFF0Falltrades1:49:32
Hello, I really liked your video although I'm not experienced at all in RE, but I'm certainly willing to learn more about it!
Quick question, could you reverse a game dll file? It's needed for modding a game called Duke Nukem: Manhattan Project, because it's really restricted now. The file is called "duke_base.dll". Would really appreciate it if you could help in any way.
I spent 30 seconds searching: Brian Deep
Nice! I should have known to enlist another Brian in his search…a classmate of mine also saw this vid and let me know the day after it was published, too. Thanks to you both for that, so I can find him and let him know just how much he inspired me (and hope he never watches the other insanity of my videos…).
Thanks for watching!
I would be suprised if [User/System]32 has a key mask for the registry functions at all... its bad practice to use the registry for storing non-persistent user space values like that... a better way to do this would be to use a binary encoded (most likely a .cfg or .ini) file to store the settings. that way you don't need to run it with elevated perms. Or at least it wouldn't if you don't have it installed in the system files [I think that when it came with windows it was installed in the C:\windows\[games\] folder..] but even then I think that they could've saved to %appdata%\games\solitaire which you would have ring 3 write access [as that is the reason for the %appdata% file after all]..... now that I think of it IDK if fopen can resolve path envar ejections [ie the %% in "%appdata%\games\solitaire"] though I think that User32 has a function for that if it doesn't do it on fopen call... working with system32 in general is kina stupid because there is 2 versions of each function an ascii version (as denoted by the "A" postfix on the system call) and the 16 bit Unicode version (as denoted by the "W" [standing wide because it it uses WCHAR_t (aka short) as its string type] postfix on the system call)
hiii i need help is there i way to change a game that isn't been made in my language (italian), this is a word game that has ofc english vocabulary, i just want to put the italian vocabulary to play in italian. I dont care if the graphic is in english, just want to put italian words... is that possible with ghidra... the game is Bookworm Adventures deluxe... pls if you dont how to do it PLS can you give me a contact of a person that can teach me how to do it.... o am trying this form 4 years.... thanks...
:(
Thanks for video but the XP solitaire sourcecode is in the leaked XP sources available from internet.
Im not promoting it but just telling the fact
You didn't waste your time, it's cool for different reasons than you said, you don't sell you acting jokes very well, they're bad to begin with. I can't believe people still think rick rolling is a thing in 2023. See ya round!