Thursday, 26 December 2013

Reversing data to figure out the math behind generating values using Eureqa Pro

So I needed an easy way to get the formulas back from the data in a game,
for example to know how Damage and Chance to Hit are calculated, so that I can emulate this server side.

I needed something simple to use; there was R, which I learnt about at work, but it's unnecessarily complex.

Eureqa Pro has a spreadsheet interface to enter your data; you define a variable for each column.
dex hitrate
1 5
2 10
3 15
4 20
5 25
6 30
7 35
8 41
9 46
10 51
11 56
12 61
13 66
14 71
15 77
16 82
17 87
18 92
19 97
20 102

I then went to the Set Target area. I knew Floor, Ceil or Round must be used, as the value is always a whole number, but the total goes up in a pattern like 3 2 2 2 3 2 2 3 2 2 2, which tells me there's flooring or something similar going on.
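Before reaching for a curve fitter, the floor/ceil/round question can be settled by hand. The following is an added example (my own code, not Eureqa's output and not part of the original post) that takes the dex/hitrate table above and, for a model of the form hitrate = rounding(a * dex), computes the exact range of slopes each rounding mode would allow and then brute-forces a grid of slopes to confirm. The model shape and the 0.01 grid step are assumptions; the data is the post's table.

```python
import math

# Constructed from the dex/hitrate table in the post (dex 1..20).
HITRATE = list(zip(range(1, 21),
                   [5, 10, 15, 20, 25, 30, 35, 41, 46, 51, 56, 61, 66, 71,
                    77, 82, 87, 92, 97, 102]))

# Candidate rounding functions for a model of the form hitrate = rounding(a * dex).
ROUNDINGS = {
    "floor": math.floor,
    "ceil": math.ceil,
    "round": lambda x: math.floor(x + 0.5),  # round half up, not Python's banker's rounding
}


def slope_interval(data, kind):
    """Exact range of slopes a for which kind(a*dex) == hitrate on every row, or None.

    floor: hit <= a*dex < hit+1; ceil: hit-1 < a*dex <= hit; round: hit-0.5 <= a*dex < hit+0.5.
    Each row constrains a to one interval; the answer is the intersection of all of them.
    """
    shift = {"floor": (0.0, 1.0), "ceil": (-1.0, 0.0), "round": (-0.5, 0.5)}[kind]
    lo = max((hit + shift[0]) / dex for dex, hit in data)
    hi = min((hit + shift[1]) / dex for dex, hit in data)
    return (lo, hi) if lo < hi else None


def find_fits(data, a_values=None, roundings=ROUNDINGS):
    """Brute-force check: every (rounding name, a) on the grid that reproduces the whole table."""
    if a_values is None:
        a_values = [i / 100 for i in range(400, 701)]  # 4.00 .. 7.00 in steps of 0.01
    fits = []
    for name, fn in roundings.items():
        for a in a_values:
            if all(fn(a * dex) == hit for dex, hit in data):
                fits.append((name, a))
    return fits


if __name__ == "__main__":
    for kind in ROUNDINGS:
        print(kind, slope_interval(HITRATE, kind))
    print(find_fits(HITRATE))
```

For this table only floor survives: ceil and round have an empty feasible interval, while floor leaves a narrow window of slopes (from 77/15 up to but excluding 36/7), and the grid search lands on 5.14 inside it. That is the same conclusion the post draws from the step pattern, but with the candidate constant pinned down.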

Tuesday, 22 October 2013

Using Python in IDA Pro to iterate over functions and name them

The following code finds what calls the function GameSendPacket.
It then iterates through each calling function until it finds a mov instruction whose first operand is byte ptr [reg].
It then reads the hex immediate, which happens to be the packet ID for what I am using this for.

Then it goes to the function and gets its name; if it starts with sub_ then it has just been named automatically by IDA, so it renames it to SendXX where XX is the packet ID. Woo!

from idc import *   # IDAPython 6.x legacy API (Python 2 print syntax, as in the original)

for ref in CodeRefsTo(LocByName('GameSendPacket'), 1):
    E = list(FuncItems(ref))
    if len(E) == 0:
        print "ORPHAN CALL (NOT IN A FUNCTION)!!!!"
        print " at %X " % ref
    for e in E:
        if GetMnem(e) == "mov":
            p1 = GetOpnd(e, 0)
            if p1 in ("byte ptr [eax]", "byte ptr [ebx]", "byte ptr [ecx]", "byte ptr [edx]"):
                OpHex(e, 1)                                 # show the second operand as hex, e.g. 0Ah
                n = GetOpnd(e, 1)[:2].zfill(2)              # '0Ah' -> '0A', a bare '8' -> '08'
                OldName = GetFunctionName(ref)
                NewName = 'Send' + n
                FuncAddr = GetFunctionAttr(ref, FUNCATTR_START)  # start of the function containing the call
                print '%s NewName: %s OldName: %s' % (hex(FuncAddr), NewName, OldName)
                if OldName.startswith('sub_'):              # only touch IDA's automatic names
                    print 'Rename %s to %s' % (OldName, NewName)
                    MakeName(FuncAddr, NewName)


Now to make one for handling the recv array.
And maybe later graphing GUI click events through to the packets they send.

Calling functions and getting a string from the pointer of their input, and also JavaScript in IDA Pro

So I learnt about a thing in IDA Pro called Appcall which allows you to call a function you have defined *which can be done with N*.

You have to pause in the debugger before using this.

I found a function, I called it GetMessageFromID; it was a thiscall with 1 argument, so I needed to know the this pointer. I breakpointed it and got it called once, then put the argument in and it worked as expected. I got back an address.

I thought this is good, but I want to see the string.

In IDC you can use

In Python

A loop in Python printing out the string values :)

for x in xrange(0, 1000):
    print GetString(Appcall.GetMessageFromID(0x00A59000, x))

Just printing out a single string

print GetString(Appcall.GetMessageFromID(0x00A59000, 10))

Also we can use JavaScript as a scripting language, which is much nicer than Python and quite similar to IDC.

I am installing it now; hopefully it works great for me. Coding unpackers, bypassers or helper functions in JS seems quite good.

Friday, 11 October 2013

node.js: load and execute code at runtime

This is useful when you have scripts you want to reload and execute at runtime.

var fs = require('fs');

function LoadJS(file, callback) {
    console.log('Trying to load: ' + file);
    fs.readFile(file, function(err, data) {
        if (err) {
            if (callback) callback(err, file);
        } else {
            try {
                eval(data.toString()); // run the file's contents in the current scope
            } catch (exception) {
                console.log('Error loading ' + file, exception);
                if (callback) callback(exception, file);
                return;
            }
            if (callback) callback(null, file);
        }
    });
}

Remember the contents of eval will be executed in global scope.
If you were using it through an object like

this.LoadJS = function(file, callback) { ...

then beforehand you could do something like this

var Something = this;

and in the JS file you load

Something.whatever you want

Thursday, 3 October 2013

Using VirtualBox to emulate a physical / real hard drive

I recently set up a new computer to use at work and moved the hard drive from my old one, with Windows 8 on it, onto it. I decided to try to boot it from VirtualBox rather than having to dual boot whenever I needed to work on Windows software *using it for Windows Phone 8 development*.

Turns out it's possible.

An awesome guide here.

Windows 8 will notice your hardware is different and you will need to repair the bootloader and OS with the CD.

Just use these commands, which I found out about here:

bootrec /fixmbr (writes the MBR but does not overwrite the partition table)
bootrec /fixboot (writes a new boot sector to the system partition)

Then you will be able to use Windows 8 from your operating system, in my case Linux Mint 15 Cinnamon.

Friday, 3 May 2013

View Chrome web history without access to the computer's account

Something that was very helpful to me recently was being able to access Chrome's web history and search terms on a computer that I didn't have the login for.

I was able to successfully work out the information I needed.

The files are located in the application data under Google, then Chrome, then User Data.

Windows 7/vista:
C:\Users\<Username>\AppData\Local\Google\Chrome\User Data\Default

They are SQLite DB files.
See the History file or any of the History Index files.

You can query them with any SQLite tool.

The time format used in Chrome is a bit weird (microseconds since 1601-01-01); here's how to get it into a useful datetime.

SELECT id,title,url,datetime((last_visit_time/1000000)-11644473600, 'unixepoch', 'localtime') AS time FROM urls

Optionally tack on something to search for all titles that are like bus:
 WHERE title LIKE '%bus%'
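To try the query without touching a real profile, here is an added example (my own code, not from the post) that builds a small in-memory stand-in for the History database with just the urls columns the query needs, fills it with constructed rows whose timestamps are computed from known UTC times, and runs the post's SELECT with the optional LIKE filter. The reduced schema, the sample rows and the example.invalid URLs are all assumptions; Chrome's real urls table has more columns.

```python
import sqlite3
from datetime import datetime, timedelta

# Chrome stores times as microseconds since 1601-01-01 UTC (the Windows FILETIME epoch).
# 11644473600 is the number of seconds between 1601-01-01 and the Unix epoch, 1970-01-01.
WEBKIT_EPOCH_OFFSET = 11644473600


def to_webkit(dt_utc):
    """Naive UTC datetime -> Chrome timestamp (microseconds since 1601). Integer maths only."""
    unix_seconds = int((dt_utc - datetime(1970, 1, 1)).total_seconds())
    return (unix_seconds + WEBKIT_EPOCH_OFFSET) * 1_000_000


def from_webkit(ts):
    """Chrome timestamp -> naive UTC datetime; the reverse of the SQL expression in the query."""
    return datetime(1970, 1, 1) + timedelta(seconds=ts // 1_000_000 - WEBKIT_EPOCH_OFFSET)


def build_sample_history():
    """Constructed stand-in for the History file: only the urls columns the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_time INTEGER)")
    rows = [  # constructed sample visits
        (1, "http://example.invalid/timetable", "Bus timetable", 3,
         to_webkit(datetime(2013, 5, 3, 12, 0, 0))),
        (2, "http://example.invalid/news", "Morning news", 1,
         to_webkit(datetime(2013, 5, 2, 8, 30, 0))),
        (3, "http://example.invalid/busking", "Busking tips", 1,
         to_webkit(datetime(2013, 4, 30, 23, 59, 59))),
    ]
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def query_history(conn, title_like=None, localtime=False):
    """Run the post's query; title_like adds the WHERE title LIKE '%...%' filter.

    Without the 'localtime' modifier SQLite prints the converted value in UTC, which is
    the reproducible choice when the analysis box and the examined machine are in
    different time zones.
    """
    modifiers = "'unixepoch', 'localtime'" if localtime else "'unixepoch'"
    sql = ("SELECT id, title, url, datetime((last_visit_time/1000000)-11644473600, %s) AS time "
           "FROM urls" % modifiers)
    params = ()
    if title_like is not None:
        sql += " WHERE title LIKE ?"          # bound parameter, so the search term is never spliced into SQL
        params = ("%" + title_like + "%",)
    sql += " ORDER BY last_visit_time DESC"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = build_sample_history()
    for row in query_history(conn, "bus"):
        print(row)
```

SQLite's LIKE is case-insensitive for ASCII, so the 'bus' filter picks up both "Bus timetable" and "Busking tips"; the rows come back newest first with the time column already converted.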

I was able to export CSV and XLS using this tool.

Tuesday, 16 April 2013

Extracting ZLIB compressed data from any file

This is very useful for analysing file formats that contain compressed data.

You can use a handy tool (offzip) by Luigi Auriemma, found here.

Extract it and put it in a directory somewhere, for example

Make sure you choose a drive with lots of space.

In the directory, make a bat file called extract.bat
with these contents:

mkdir %1.out\
offzip -a %1 %1.out\ 0

This will make a directory for your extracted data to go into so things don't get messy; it will be the file name with .out at the end of it.
Then it will instruct offzip to find all the compressed data it can in your file and extract the parts into the directory just made. It will start from offset 0.

You can see the offset the compressed data was found at in its filename.

Quite handy.
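To show what offzip's scan is actually doing, here is an added example (my own code, not offzip and not from the post) that walks a byte buffer looking for the RFC 1950 zlib header, accepts a hit only when the bytes behind it inflate to a complete stream with a valid Adler-32 checksum, and writes each stream to <file>.out/<offset>.dat like the batch file above. The sample container it scans is constructed inline; the file naming and the use of all-zero filler bytes are assumptions.

```python
import os
import tempfile
import zlib


def looks_like_zlib_header(cmf, flg):
    """RFC 1950 header check: CM == 8 (deflate), CINFO <= 7, and CMF*256+FLG divisible by 31."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0


def find_zlib_streams(data, start=0):
    """Scan data from `start`; return a list of (offset, decompressed_bytes, stream_length).

    A header match alone is a weak signal (roughly one in 500 random byte pairs passes),
    so a candidate counts only if zlib reaches the end of a stream with a good checksum.
    """
    hits = []
    pos = start
    while pos + 1 < len(data):
        if looks_like_zlib_header(data[pos], data[pos + 1]):
            d = zlib.decompressobj()
            try:
                payload = d.decompress(data[pos:])
            except zlib.error:          # corrupt or not really a stream
                payload = None
            if payload is not None and d.eof:
                length = len(data) - pos - len(d.unused_data)
                hits.append((pos, payload, length))
                pos += length           # skip over the stream just consumed
                continue
        pos += 1
    return hits


def extract_streams(path, start=0):
    """Same layout as extract.bat: <file>.out/<offset>.dat for every stream found."""
    outdir = path + ".out"
    os.makedirs(outdir, exist_ok=True)
    with open(path, "rb") as f:
        data = f.read()
    written = []
    for offset, payload, length in find_zlib_streams(data, start):
        name = os.path.join(outdir, "%08x.dat" % offset)
        with open(name, "wb") as out:
            out.write(payload)
        written.append((offset, length, name))
    return written


def build_sample_container():
    """Constructed test file: zero filler around two zlib streams; returns (data, offsets)."""
    filler = b"\x00" * 13
    first = zlib.compress(b"first compressed block")
    second = zlib.compress(b"second compressed block, a bit longer than the first one")
    data = filler + first + filler + second + filler
    return data, [len(filler), 2 * len(filler) + len(first)]


if __name__ == "__main__":
    data, offsets = build_sample_container()
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    for offset, length, name in extract_streams(tmp.name):
        print("stream at 0x%08x (%d bytes) -> %s" % (offset, length, name))
```

The `start` argument plays the role of the trailing 0 in the batch file; passing a later offset skips anything before it, which is handy once you know where a file's header ends.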

I also came across a great blog here,
which shows how you can extract -> edit -> pack back in to edit game save files.

Writing Node.js modules

So from making a server side emulator for an MMORPG in node.js I have learnt some ways to make modules.

Here I will be sharing some of the ways to write them.

(function() {
    // Put any requires your module needs here

    var YourObject = function(func) { // Has example of passing in a callback
        // Any private values you could put here
        var something = 1;

        // Here is where you can put public properties and what not
        this.Something = 1; // public properties here

        if (func) this.func = func; // Overrides the prototype func
    };

    // You can also put public/protected functions here using prototype
    YourObject.prototype = {
        func: function() { console.log('Not yet implemented'); }, // Used if func not passed in as parameter :)
        getID: function() { return this.ID; },
        getName: function() { return this.Name; }
    };

    // Node.js only: export the constructor itself
    // module.exports = YourObject;

    // To make it work on web client and node.js server
    var obj = new YourObject();
    // Or you could export a reference to your constructor rather than an instance of it,
    // depending on whether you want to create more of it or only have 1

    if (typeof module !== "undefined" && module.exports) {
        module.exports = obj;
    }
    if (typeof window !== "undefined") {
        window.YourObject = obj;
    }
})();

Simple, eh? In node, to have private functions I guess you could put them in the scope outside your object.
But in web browsers this may pollute the global scope.