Reverse Engineering and Weaponizing XP Solitaire (Mini-Course)
Рет қаралды 52,353
Күн бұрынAs a beginner, reverse engineering can be a daunting and frustrating endeavor - But it's a lot more fun if you can learn via hacking and modding games to create your own cheats and maybe even inject a few (harmless) pranks into the code!
Whether you watch it all the way through, or just in bits and pieces, join me in this master (of none) class as we try to recapture the fun and amazement of being a first-time reverser exploring and testing the limits of software and our own creativity, while also taking our minds off of the curse of the headless twins which has plagued our times!
In this video, we will:
- Use Ghidra to look at the internals of the XP Solitaire binary
- Hack the gameplay to our own benefit using Ghidra and x64dbg
- Create our own card images to use in the game using Resource Hacker + Python and Pillow
- Write C++ code to perform DLL Hijacking/Proxying to run our own "weaponized" code when Solitaire runs
Please leave feedback and questions here as comments, or DM me on Mastodon (social links listed on the channel).
Check the pinned comment for any updates to the content.
Remember: Use your knowledge and skills for good and fun, not evil (not even evil fun).
Finally, let me know what you would like to see in future videos!
Project Homepage:
github.com/jeFF0Falltrades/Tu...
Resources and References:
- XP Solitaire Download: archive.org/details/ms_solita...
- Ghidra: github.com/NationalSecurityAg...
- x64dbg: x64dbg.com/
- Resource Hacker: www.angusj.com/resourcehacker/
- Format of Icons: devblogs.microsoft.com/oldnew...
- Two's Complement: www.rit.edu/academicsuccessce...
- Cutting Room Floor - Solitaire: tcrf.net/Solitaire_(Windows,_...
- x86 Opcodes: nets.ec/Shellcode/Appendix/Al...
- Structure Padding: www.javatpoint.com/structure-...
- Pixlr Photo Editor: pixlr.com/e/
- DLL Hijacking www.upguard.com/blog/dll-hija...
- MSYS2: www.msys2.org/
- cards.dll Function Descriptions: www.catch22.net/tuts/win32/usi...
- Writing DLLs: www.tutorialspoint.com/dll/dl...
- PE Resource Section Blog: blog.kowalczyk.info/articles/...
00:00:00 - Intro
00:03:46 - Important Notes
00:05:23 - Downloading XP Solitaire
00:07:00 - Starting a Ghidra Project
00:09:00 - Ghidra Familiarization
00:17:58 - Start Reversing: Examining Strings
00:21:41 - Patching Metadata Strings
00:25:33 - Loading/Patching Resource Strings
00:34:57 - Learning/Modding the ShellAbout Window
00:37:01 - Detour: Loading Icons from GroupIcon Resources
00:43:20 - Back to Modifying the ShellAbout Window
00:47:31 - Start Gameplay Hacking: Examining Scoring
00:59:56 - Finding the Score Value
01:03:03 - Scoring Options Parsed from the Registry
01:07:43 - Using x64dbg/x32dbg to Debug Scoring
01:22:45 - Detour: Two's Complement
01:26:06 - Back to Reversing the Scoring Function
01:30:37 - Found Score; Manually Modifying It
01:32:59 - Permanently Hacking the Scoring System and Timer
01:37:46 - Disabling the Game Timer Permanently
01:40:07 - Finding Score Value Tables
01:43:16 - Patching the Score Tables Permanently
01:49:55 - Testing Our Patched Program
01:52:16 - Creating Our Own Cheat Code
01:54:45 - Keyboard Accelerators Overview
02:00:16 - Detour: Structure Padding
02:01:41 - Back to Writing Our Own Cheat Code
02:04:03 - Testing Our Cheat Code
02:04:31 - End Gameplay Hacking; Start Modding Card Graphics
02:05:41 - Introducing Resource Hacker
02:06:46 - Examining Card Graphics in cards.dll
02:07:40 - Swapping in a Custom/Handsome Card Graphic
02:09:07 - Accidental Hilarity
02:09:50 - Formatting and Importing Our Graphic
02:11:05 - Overview: Using Python for Generating Custom Graphics
02:12:46 - Python Script Output
02:13:36 - Compiling .rc files to .res files
02:14:17 - Importing the .res file into Resource Hacker
02:14:58 - Playing with Our Custom Cards
02:15:19 - End Graphics Modding; Start Weaponization
02:16:23 - DLL Hijacking/Proxying Overview
02:18:55 - Downloading MSYS2/gcc
02:20:49 - Choosing a Function to Hijack
02:24:09 - Writing a DEF File
02:26:53 - Writing Our Weaponized DLL in C++
02:36:13 - Compiling the Weaponized DLL
02:41:09 - Wrap-Up
02:42:42 - Bonus Chapter: Manually Reversing PE Resource Trees
Music from Uppbeat:
uppbeat.io/t/dominique-charpe...
License code: QCOL8HO4IBFDSKTZ
uppbeat.io/t/ak/time-flies
License code: KA8ZAYC34IVTKIPS
Photos from Pexels:
www.pexels.com/
Get out of here, False Brian...
@jeFF0Falltrades Жыл бұрын
Thanks for being here! I hope you enjoy and get something out of this video. I will be posting any edits/updates/corrections to this pinned comment. The mistakes I've found already in post have already been marked in the video, aside from one: It was a mistake to leave making my intro for last + making it in the middle of the night such that it became the fever dream that you see today. If any other mistakes or updates are identified, I'll post them here - Thanks for watching! 1. H/T to Antoine Neuenschwander for explaining that the ‘&’ I talk about appearing in some strings at 58:36 in the video denotes which key to press when holding “Alt” to highlight or select an option. Thank you! 2. Not an error, but an update: A classmate of mine saw this video and was able to provide the name of the real Professor Brian! False Brian is reacting as you’d expect to the news…
@patrickborys3490 Жыл бұрын
Hi , can you please make also the font bigger for the decompiler (this on the right side, with source code) next time :) ?
@jeFF0Falltrades Жыл бұрын
Yes I will! Sorry about that. I probably need to bump it up in the debugger as well - I was noticing I didn’t do the same adjustment in x64dbg, and it’s needed there too. Thank you for the feedback!
@kxa5540 Жыл бұрын
Mdvo8y
@and_I_am_Life_the_fixer_of_all 5 ай бұрын
@@jeFF0Falltrades hey, great work! two things: using dark mode would be nice! and second, xref doesn't appear on the score string, any ideas why? I tried looking it up but didnt find it
@jeFF0Falltrades 5 ай бұрын
@@and_I_am_Life_the_fixer_of_all Thanks for watching and for the follow-ups! 1. I did start using dark mode in my later videos; Just took me a while to finally switch that on in my recordings. 2. You won’t see any Xrefs to strings loaded with “LoadStringW” because they are loaded by *ID*, not by address - so when a disassembler like Ghidra does the disassembling, it doesn’t recognize any cross-reference to the string address because there is no reference to the address itself; Instead the string is loaded by its resource ID.
@antoineneuenschwander8353 Жыл бұрын
At 58:36 those ampersand characters are used to denote access keys shortcut. In the dialog, press the "Alt" key to reveal the access keys (underlined characters) and type "a" to switch to Standard mode.
@antoineneuenschwander8353 Жыл бұрын
demo: kzbin.info/www/bejne/r6aQkoVppr-jg6s
@jeFF0Falltrades Жыл бұрын
AHHH! Thank you so much! That makes perfect sense. I’m going to add this to the pinned comment as a correction. Thank you!
@gianbattistavivolo7449 Жыл бұрын
Really high quality content here... probably the best video on this platform for a beginner (me)... please continue making this kind of videos Jeff... Love from Italy
@jeFF0Falltrades Жыл бұрын
Grazie mille, Gianbattista - You are too kind. I’m so glad to hear you enjoyed and I plan on making more content soon! Already have some ideas in mind for next time :-) Happy New Year!
@user-wu2dk6jv6y Жыл бұрын
3 hours... this is a gift... thank you
@jeFF0Falltrades Жыл бұрын
Haha I’m glad you think so! I’ve found that some people really like the long form, and some people don’t, so I try to mix it up - I like doing these longer vids because I know if I was starting over again, I would want someone to walk me through step-by-step. So I hope you enjoy, and don’t feel like you have to tackle it all at once ;-). Thanks for watching!
@moviezbuzz77 Жыл бұрын
@@jeFF0Falltrades Please upload more videos
@jeFF0Falltrades Жыл бұрын
@@moviezbuzz77 The ideas are there! I have a few things in the chute that I just need to find time to put together. More is coming though :-). Thanks for watching!
@kevinquintana3085 7 ай бұрын
Yup, it's a gift, and in video format
@user-zo1kn8ob7h 3 ай бұрын
that's what she said
@cochaviz 6 ай бұрын
Absolutely the best intro to RE'ing I've ever seen! Directly thanks to you I've been able to crack some long-forgotten niche software my Dad uses on a regular basis. Cannot let abandoned software go to waste :) Thank you so much!
@jeFF0Falltrades 6 ай бұрын
Outstanding job!!! Thanks so much for the kind words, and if you enjoy learning more, I have new vid planned for release hopefully by the end of this month/beginning of next :-). Thanks for watching!
@patrickslomian7423 Жыл бұрын
Hey ,just viewed your tutorial at work :). I think your teacher (Brian) would be proud of you. I ve been struggling to learn RE for years, always kept it for later. I cant tell you, how much I appreciate that you found time for beginners like me, and explained it perfectly. Thanks !:)
@jeFF0Falltrades Жыл бұрын
That is so nice of you to say! I truly hope it was helpful and so glad you enjoyed, Patrick!
@ashleybyrd2015 Жыл бұрын
I think this is the video that makes me finally understand. I like that this video is slower and explains each step plus the reasoning behind it, a lot of videos I've watched seem to just expect me to understand _why_ without explanation. Thank you so much!
@jeFF0Falltrades Жыл бұрын
So good to hear! That’s why I started doing this series: I always had a hard time finding tutorials that took it slow and built upon concepts, so I’m at least trying to get something like that going in these. Thanks for watching!
@Autom_te Жыл бұрын
This is a really good introduction to reverse engineering. After other tutorials I was always feeling lost and overwhelmed. Yours has really clear explanations and walk-through of the entire process. Thank you for your work. I am excited to learn more.
@jeFF0Falltrades Жыл бұрын
So happy to hear as this is what I strive for - so glad you are enjoying it and I hope you continue to learn!
@user-ni9ck8iv1b 26 күн бұрын
From your experience, I myself am a beginner, how would you recommend me to start learning reverse engineering by myself. Should I first learn C or assembly or any other topics?
@MidtownMadness1 Жыл бұрын
I loved the Rollercoaster Tycoon video! Will definitely watch this one too when I have some time :)
@jeFF0Falltrades Жыл бұрын
Thank you so much! Please take your time with it - As someone who had to watch through multiple times in post, it's best enjoyed in pieces ;-). I hope you enjoy!
@cashgarman Жыл бұрын
Thank you so much for taking the time to put this excellent resource together. You have a fantastic teaching style and my brain feels larger :)
@jeFF0Falltrades Жыл бұрын
Thanks for taking the time to watch it! So glad you got something out of it!
@rednibcoding3412 10 ай бұрын
I am incredibly grateful for the good reverse engineering tutorials you create. Your detailed and slow-paced approach to teaching is really helpful. Please know that your work is highly appreciated, and I eagerly await each new tutorial. Keep up the fantastic work! Thank you!
@jeFF0Falltrades 10 ай бұрын
Thank you so much and I’m so glad you enjoy!! More to come soon! Thank you for the kind words.
@nickthomsen 9 ай бұрын
We need you back dude. Great work! Thanks a lot for sharing your knowledge. I highly appreciate that.
@jeFF0Falltrades 9 ай бұрын
Hope to be back soon! Started researching the next vid a couple of months back but work/life (and some issues with YT that have since been resolved) have gotten in the way. I’ll be back soon enough though ;-) Thanks for watching!
@mkausch1336 Ай бұрын
Hey, I'm a fourth year comp sci student and just wanted to say that I loved the series and the videos were really helpful. We used ARMv8 so I wasn't a beginner by any means, but I thought that your explanations were great and fit in well with my current knowledge base. You also really broke down the use of the tool chain well which allowed me to experiment on my own with your crackme challenge. This actually was a great exercise because it allowed me to see where my knowledge gaps were when I was trying it on my own and in turn i could go back and reference the video. I must admit that ghidra has some quarks compared to watching others use IDA, but 5k for the pro version that comes with a decompiler is too much for educational exploration. Thank you so much for this.
@jeFF0Falltrades Ай бұрын
Thanks so much for this incredible feedback! So glad to hear you enjoyed this one (I also really enjoyed making this one - it was a ton of fun), and I wish you all the best as a fellow CS grad. Hope some of the other videos here and future videos we do will also help along, and never hesitate to ask questions if you have them. Lastly: Very agreed on the IDA pricing and why I pretty much switched to being all in for Ghidra and (occasionally) IDA free :-)
@fallenangel4620 Жыл бұрын
Listen to me.... After 5 months of publishing this treasure of infos. And after about 10months for me learning.... 8 can say that u are walking in same road of your teacher.... God bless u both ❤❤ This channel should be my source Now
@jeFF0Falltrades Жыл бұрын
Aw thank you! That is so kind of you to say and I’m glad you’re enjoying these!
@user-zo1kn8ob7h 3 ай бұрын
i didn't know that this was what i wanted. entertaining. goodish pace (i don't know what i would want different). thanks. very much NOW MOAR DO IT NAO
@jeFF0Falltrades 3 ай бұрын
Hahaha so glad you enjoyed! More to come, but probably not right now, right now - got 2 videos in the works soon though… 👀 Thanks for watching!
@moe42937 Жыл бұрын
Before I start watching that video I would like to thank you for Rollercoaster Tycoon video I learned a lot Keep going bro :)
@jeFF0Falltrades Жыл бұрын
Thank you so much for sharing! I love hearing this because this is the reason I enjoy making these videos - So glad to hear the video helped and hope you enjoy this one too! Thanks for the kind words and motivation.
@moe42937 Жыл бұрын
@@jeFF0Falltrades I appreciate that, one day youtube will choice your videos and showing them to people who interested in reverse eng and Binary analysis and I'm sure they will be happy as me :)
@jeFF0Falltrades Жыл бұрын
Thank you, my friend - That means a lot :-)
@terminaltears Жыл бұрын
This is really quality content. Thanks so much for putting it together. Subbed and looking forward to more tutorials like this!
@jeFF0Falltrades Жыл бұрын
So glad to hear you enjoyed! I look forward to making more soon! I think I already have a good subject for the next one :-)
@BryanChance 4 ай бұрын
Thank you so much for your time in making this video. It's priceless!
@jeFF0Falltrades 4 ай бұрын
Thanks so much for watching and so glad you enjoyed!
@xore_1798 Жыл бұрын
Wow, I've just stumbled accross your channel. Def needs more views, it's insanely good! Thx for the great content:)
@jeFF0Falltrades Жыл бұрын
Thanks so much for the kind words! I’m so happy to have you here. Hoping to push out another one here in the next month or two (if things go to plan) :-). Thanks for watching and I hope it helped you.
@TomStorey96 Жыл бұрын
The score_base_minus_0x30 is probably a pointer to a struct if I had to take a guess. And the score field is stored 48 bytes into the struct, hence adding 0x30. I believe Ghidra has the ability to handle structs if you tell it that something is a struct.
@jeFF0Falltrades Жыл бұрын
Yep, that makes sense - I don’t think I had seen the auto-variable rename like that in Ghidra before, but I like it! Thanks for that clarification and thanks for watching!
@maximood-tired Жыл бұрын
Very high quality and interesting, thank you
@jeFF0Falltrades Жыл бұрын
Thanks so much for the kind words!
@thebillpepper Жыл бұрын
Very cool, there were a lot of good tips in there. Thanks!
@jeFF0Falltrades Жыл бұрын
So glad you enjoyed!
@JohnSmith-he5xg 11 ай бұрын
A useful tool for you to add to your arsenal might be Cheat Engine (A memory scanner). Can really aid in finding how various values are stored, what code they're accessed by, etc. Great video
@jeFF0Falltrades 11 ай бұрын
Thanks so much, John! Very familiar with Cheat Engine, and I would also recommend it to anyone wanting a smooth intro to patching/RE. I’ve thought about including it in some future videos, but I’ve had issues with YT flagging videos for any mention of it previously. I’ll say here though: A great tool for beginners (when used for good)!
@CrusaderMen Жыл бұрын
Thank you! I'm learning a lot. I wanted to ask, how the functions addresses in ghidra and in the x32dbg are the same? The addresses are predefined in build time?
@jeFF0Falltrades Жыл бұрын
This can depend on if your system has ASLR enabled and a few other factors - Most executables have a preferred base address, which is what Ghidra goes off of, and - if ASLR is not enabled - x32dbg will also load the PE at that preferred address. And that base address can indeed be set at compile time, but it may not be respected by the OS (that’s why it’s called “preferred”). Hope that helps!
@hanshansli2238 Жыл бұрын
Thanks for the video, I really enjoyed it!!
@jeFF0Falltrades Жыл бұрын
So glad to hear, Hans!
@ThaLiquidEdit 7 ай бұрын
Your channel is awesome! Hope there will be more videos :)
@jeFF0Falltrades 7 ай бұрын
You’re awesome! Thanks so much - and yes, on the tail end of a new one now, in fact. Stay tuned ;-)
@rbt-0007 7 ай бұрын
Best video on YT
@jeFF0Falltrades 7 ай бұрын
Thank you 🙏 And thank you for watching!
@Proferk Жыл бұрын
great video. I've decided to watch other videos (like this one) of yours after finishing the x86 assembly class you recently uploaded. I have one question though, why do you use PascalCase for variables and function names?
@jeFF0Falltrades Жыл бұрын
Thank you! And to your question - Where do you mean? Because I usually use snake case for functions and variables when writing my own stuff?
@Proferk Жыл бұрын
@@jeFF0Falltrades I'm talking about the labels you assign to local variables and parameters of functions in ghidra. For example, you set the variable of the score mode, to "ScoreMode" (PascalCase), instead of "scoreMode" (camelCase) or "score_mode" (snake_case)
@jeFF0Falltrades Жыл бұрын
@@Proferk Ahhh I see. TBH, I have no idea hahaha. I didn’t even realize I was using a different style in Ghidra vs VS Code until you pointed it out. I probably started doing it to differentiate my named variables vs Ghidra’s or something and it just stuck. Usually I prefer snake case for vars and functions and PascalCase for class names. Good spot haha
@xM0nsterFr3ak Жыл бұрын
58:40 The '&' in the strings are probablly accelerator key markers. Those are the underlined letters in the menu, for example 'F' for File, E for Edit,...
@jeFF0Falltrades Жыл бұрын
Thanks! Someone else also pointed this out and I’ve added a note in the pinned comment - nice spot.
@clovis-2557 3 ай бұрын
Really impressive! Thanks for this HUGE info. I'm/was looking for info to reverse engineer an old Fortran program of 140kb. Those programs might help a lot.
@jeFF0Falltrades 3 ай бұрын
That’s awesome! Would love to hear you how make out with that Fortran program - that sounds like fun
@fernandoz6329 Жыл бұрын
Nice video! I wonder why the proxied dll (@2:40:!3) suddenly get that big from merely 352kb to a whopping 2,3 MB. Is there anything we can do to keep it small or it's just an inevitable proxy side effect?
@jeFF0Falltrades Жыл бұрын
Keep in mind the cards.dll file that was 352kb was the original one (that was packaged with solitaire) so there are a number of reasons it could have been that much smaller (e.g. it was made for compatibility with a far older OS and so used much more memory efficient code/compilation flags) - we could work at reducing the size of our proxied DLL by toying with a few efficiency flags in gcc or using a packer to have it “blend in” a bit better - good spot and good question!
@Kavukamari 8 ай бұрын
Thanks Jeffo, I hope your Fall Trades go well!
@jeFF0Falltrades 8 ай бұрын
They’d be going a lot better if stupid Diane Sweeney wasn’t taking attention away from my beautiful gourds with her glow-in-the-dark pumpkins - It’s nothing but a party trick, but people are too busy gawking over that spectacle to notice the quality of these gourds!
@majed3469 Жыл бұрын
Nice content, thank you for sharing
@jeFF0Falltrades Жыл бұрын
Thank you for watching!
@tylerdaniels4601 11 ай бұрын
Really enjoying this course. I’m trying to apply it to an old application (Delta Force 2 Mission Editor), and I started very similarly with trying to patch a string in the About dialog. However, I hit a weird roadblock where I would change the string and export the program, but the text in the application didn’t change. I later found that the app actually uses text from a text.bin file, so I can change the text there and see the result in the app. I’m curious why the text shows up in a Ghidra search of the .exe file if it’s read in from an external file at runtime. Is that a pattern you’re familiar with?
@jeFF0Falltrades 11 ай бұрын
Nice job! As far as the text, when you search it in Ghidra, where exactly is it showing - i.e. what section is it showing in? Knowing that can help shed some light on what exactly is going on.
@tomkuijer494 7 ай бұрын
58:30 -ish the ampersand (&) is used to tell the window system that it should listen for that key as a shortcut for the menu option
@jeFF0Falltrades 7 ай бұрын
Correct - I edited my pinned comment to reflect this as others have pointed it out, and that makes perfect sense. Thank you!
@williefleete 2 ай бұрын
The ampersand may mark the next character to be underlined when text is printed
@jeFF0Falltrades 2 ай бұрын
Yep - I marked it in the pinned comment as well, but as others have said - it actually designates which character in the string will be used for keyboard shortcuts/access keys (which are the same ones that are underlined)! Which made a ton of sense in retrospect. Thanks for watching!
@DomeF. Жыл бұрын
Shame on you youtube for giving this video only the 360p resolution!
@jeFF0Falltrades Жыл бұрын
It's coming! HD takes forever to finish processing - I'm waiting to post about this elsewhere until it does haha. EDIT: Looks like it should be available now!
@DomeF. Жыл бұрын
@@jeFF0Falltrades then it's finally time to view it!
@jeFF0Falltrades Жыл бұрын
@@DomeF. I hope you enjoy - thanks so much for taking the time!
@mariusz7238 3 ай бұрын
Hey, how do you do that the x32dbg when dragged sol.exe on it opens the actual game window, on my side nothing happens. The process itself (the solitaire game) exists within x32dbg's process but there is no window for it.
@jeFF0Falltrades 3 ай бұрын
Hey! Make sure that your debugger is not stopping on a breakpoint (check the bottom-left corner of the debugger which will say “Paused”). If it is Paused, hit the “Run” button or press F9 to get the program to proceed; That should pop up the game window and let the program proceed, assuming there are no other breakpoints or exceptions taking place (the debugger will let you know in the bottom-left and bottom pane if there are any breakpoints or exceptions). Hope this helps, and if not, let me know so we can troubleshoot further
@mariusz7238 3 ай бұрын
@@jeFF0Falltrades Thanks, it worked. But still pretty weird that i got some entry breakpoint and 1 exception.
@yunusaydin5177 10 ай бұрын
great job keep going
@jeFF0Falltrades 10 ай бұрын
Thanks for the kind words!
@user-il5pt2qd4h Жыл бұрын
After building the DLL i keep getting 0x7b error. Couldn't find out why and was slowly losing it. Pulled it into ghidra and found out it was a 64bit. Builed again with MinGW x86 and succsefully got rick rolled . Finally, i was sane again. Thank you for this wonderful course.
@jeFF0Falltrades Жыл бұрын
"Successfully got rick rolled. Finally, I was sane again" - The universe in balance once again. Haha, thanks so much for watching and so glad you enjoyed! Great troubleshooting, too.
@aa898246 Жыл бұрын
ur a really good teacher
@jeFF0Falltrades Жыл бұрын
Thank you, and thank you for watching!
@Salsuero 7 ай бұрын
& is used to denote the shortcut key in Windows menus. It converts to an underlined character when displayed.
@jeFF0Falltrades 7 ай бұрын
Yep, exactly - others have pointed out the same, so I updated the pinned comment to denote this. Thanks, and thanks for watching!
@Salsuero 7 ай бұрын
@@jeFF0FalltradesSorry, I got excited because I was able to contribute something I knew that you didn't... not very common when you're watching something like a training video. I was already familiar with reversing and cracking generically, but I enjoyed watching your specific breakdown vis-à-vis Solitaire and I definitely don't know everything, so there's always something to be learned by observing others. Thanks for the content.
@jeFF0Falltrades 7 ай бұрын
@@Salsuero Not a problem at all! You should be excited 😃 Thanks for sharing that knowledge forward!
@salesv Жыл бұрын
What VS Code theme do you use? I really like the bloom effect going on
@jeFF0Falltrades Жыл бұрын
That would be Robb Owen’s “Synthwave ‘84”! And I don’t know if I’ll ever be able to switch from it because I love it so much.
@salesv Жыл бұрын
@@jeFF0Falltrades Thanks! I'll look it up
@bug1083 Жыл бұрын
Hey, just throwing this out since you mentioned the confusion with the '&' inside of some of the strings. Having done development with Windows forms, which are like a complex wrapper for low-level C++ GUI development, the '&' is a symbol used by Windows for shortcut keys. I'm not sure when this feature was used the most, but you can still use it today by pressing Alt in a program, and then looking at the menu items that have a character with an underscore. The underscored characters are hints for what menu item you want, if you press the same letter as the underscored character, it will open that menu item.
@jeFF0Falltrades Жыл бұрын
Thank you! Yes a few others chimed in to explain that and I appreciate it - I hadn’t seen that syntax before, but it’s kind of a neat way to denote shortcut keys! Thanks so much and thanks for watching!
@bug1083 Жыл бұрын
@@jeFF0Falltrades No problem. Love the videos. I actually found the usage in the strings to be a little funny as I didn't know that C++'s Windows GUI API used the same syntax for that feature. I thought it was a quirk with the C# Windows Forms, so it was entertaining to see it 😄
@jeFF0Falltrades Жыл бұрын
@@bug1083 Hahaha yeah, I’ve really had a laugh at some of the things that come out as happening “under the hood” when reversing software - Lots of “Wait…*that’s* how they made that work?” moments 😆
@bug1083 Жыл бұрын
@@jeFF0Falltrades Yeah haha. I only recently discovered your channel, and not sure how much you dabble in languages and asm optimization, but it might be cool to see you reverse engineer code relating to some of the more lesser known assembly calls, big ones being "vmovupd", "vmaxpd", and "vzeroupper" which are robust vector calls. I'm actually curious how often those keywords appear out in the wild with modern programs today, and what exactly they do in the context they appear in. They are more complicated and require a lot of work on my part when using GCC, you have to almost directly tell the compiler to use them when optimizing sometimes, so it's be interesting to see.
@jeFF0Falltrades Жыл бұрын
@@bug1083 That’s a good idea! I’ll have to see what kind of programs I can find (or make) that would be good for something like that.
@CrusaderMen Жыл бұрын
Thanks a lot! This is a very clear and easy-to-understand explanation. Is there any x32debugger alternatives for mac?
@jeFF0Falltrades Жыл бұрын
So glad you enjoyed! Debugging software for Macs is tricky - I think the only GUI debugger that works on Mac and comes close to x64dbg is gdbgui. Others may have different options, but that’s the one I’ve seen used most often.
@davidmichaels307 8 ай бұрын
Why does my Ghidra export sol.exe not have PE in the format selection box when I try to export sol.exe? I have "original file."
@jeFF0Falltrades 8 ай бұрын
If I understand correctly, you’re trying to export a PE from the original sol.exe? If that’s the case, then “original file” is what you want, since sol.exe should also be a PE.
@citizen1791 Ай бұрын
this is a really great video but near the end i thought you were going todo something like, an exe that if you launch it apply the patches to the game but don't make permanent changes to the original exe. i don't know if you already have a video on your channel but it would be great for modding
@jeFF0Falltrades Ай бұрын
Yeah I think I get what you’re saying - we didn’t do that as much in this video/script, but if you check out my RollerCoaster Tycoon videos, those scripts do exactly that - take patches and apply them to a copy of the original EXE while leaving the original intact. This one just happened to be more focused on the DLL injection. Thanks for the feedback and for watching!
@pizsx69 5 ай бұрын
hey :) what is this theme you use in vs code? I love it
@jeFF0Falltrades 5 ай бұрын
Synthwave ‘84 by Robb Owen! I also love it and have had it for years now. Can’t tear myself from it haha.
@pizsx69 5 ай бұрын
@@jeFF0Falltrades Nice, Thanks :D
@duckie4670 Жыл бұрын
You make great ghidra tuts 45:50 this exception you get when patching in ghidra, i think is because you are overwriting with longer string and the data is static thus constant space and what you did with hex editor is basically fixed you mistake.
@jeFF0Falltrades Жыл бұрын
Thanks so much! And yes, I think you’re right - You would think Ghidra could detect that and print an error to let you know the same, but idk - maybe it’s a more difficult problem to account for than I think. Thanks for watching!
@mrpvr 11 ай бұрын
Thanks ❤
@jeFF0Falltrades 11 ай бұрын
Thanks for watching!
@khneo Жыл бұрын
Hey ! Thanks for the video, I think the ampersand is for keyboard shortcut
@jeFF0Falltrades Жыл бұрын
Yes! I saw another comment about this and you are correct; I made an edit to the pinned comment to reflect this. That makes perfect sense in hindsight. Thanks for watching!
@maratmkhitaryan9723 7 ай бұрын
You cannot import as PE, and export as PE. You have to import as RAW, then export as PE. At least in my case I had no PE option when exporting.
@googleaccountuser3116 6 ай бұрын
The & symbol you are asking about in "st&andard" means that the next letter in this case a will be underlined and if you press a on your keyboard it will select that item. So it provides a quick way to navigate the menu with the keyboard. Although I see it doesn't seem to underline on your end. That said pressing a inside that menu should still work but it could be broken. Select vegas first so the submenu is active, it only works within an active menu so this isn't global. You don't seem to use windows very often which is a good thing I suppose, to refresh the registry or any window for that matter just press F5. 😉
@jeFF0Falltrades 6 ай бұрын
Thanks! Others have mentioned that and I updated the pinned comment with the correction - makes perfect sense in retrospect!
@yolamontalvan9502 2 ай бұрын
University offers Reverse Engineering courses? Where is that? Which one? I’m interested.
@jeFF0Falltrades 2 ай бұрын
In the case I’m talking about in the video, it was a course taught by an adjunct professor at the university I went to, but these days, I know of several university computer science departments who now offer reverse engineering courses (at least in the US) - a friend of mine has his own course lectures on the topic online for free at class.malware.re if you’re interested !
@Emmet_v15 Жыл бұрын
1:42:02, It is being called from 6 sides, could get a little **dicey** lmao, unintended pun?
@jeFF0Falltrades Жыл бұрын
HA! How did I manage to miss this - I would have ridden the high of making that pun all throughout the rest of the video.
@outkast9882 Жыл бұрын
the god is back
@jeFF0Falltrades Жыл бұрын
Nic Cage never left us ❤️
@NetworkITguy Жыл бұрын
Hermit status ftw!
@alexandrohdez3982 Жыл бұрын
👏👏👏
@uzisquad6568 9 ай бұрын
I don't have the Portable Executable format. Could someone help me?
@zer0k4ge 20 күн бұрын
You figure it out Im having the same issue
@gabrielgoncalvesazevedo9114 2 ай бұрын
How did you add nullbytes in 45:46?
@jeFF0Falltrades 2 ай бұрын
Same I did as the other bytes in that section! Just put 00 in for their values as opposed to any other value, and you have a null byte. If you have questions on how to modify the bytes in general or if I can explain better, let me know! EDIT: And to be clear, I added the extra null bytes to make the string size the same as it was before we modified it, to ensure the modification wouldn’t cause issues elsewhere.
@gabrielgoncalvesazevedo9114 2 ай бұрын
@@jeFF0Falltrades I dont think I understood, when I try to add 00 in the byte edit window, it becomes another value in the program...
@jeFF0Falltrades 2 ай бұрын
@@gabrielgoncalvesazevedo9114 Hm, one thing to watch out for is what text encoding is being used - in the video, this is a Unicode string, so each character is 2 bytes - so in order to make a null char, both bytes need to be 0 (so 00 00 is one null char, in other words). Not sure if you are looking at the same program or a different one, but that is the first place I would check. If that isn’t it, let me know and we can chat more.
@gabrielgoncalvesazevedo9114 2 ай бұрын
@@jeFF0Falltrades Thanks, that actually helped me to understand! Im following along with same software.
@jeFF0Falltrades 2 ай бұрын
@@gabrielgoncalvesazevedo9114 Excellent! If you have any other questions, feel free to let me know! Hope you enjoy!
@manishtanwar989 Жыл бұрын
Sir can we predict the result of game by previous results in card games
@jeFF0Falltrades Жыл бұрын
The game state is only tracked per game, so you could potentially predict the result of the game for the *current* game based on moves (some games of Solitaire actually do this and end the game when it is unwinnable), but I do not think you could do any prediction based on past games’ results in this case.
@manishtanwar989 Жыл бұрын
Can you help me to predict game result And can you teach me how to predict the result please
@tiernanmorgan 2 ай бұрын
can you reverse engineer a slot machine if you know how much its programmed to pay out and know the seed is constantly changing for time of day
@jeFF0Falltrades 2 ай бұрын
You can RE just about anything! But it probably wouldn’t gain much in the way of winnings or anything but knowledge of how the machine works. Would be really fun to do - most modern ones work similarly and are pretty much just based in stats and probability.
@tiernanmorgan 2 ай бұрын
@@jeFF0Falltrades i was thinking about the russian hacker dude who did it on older ish machines still prng. had his phone buzz before payouts after filming twenty or so spins. as well as this video kzbin.info/www/bejne/gKqsiIR_md2UhaMsi=9Apc9MAR9z_NgSL8 that machines have to leave the factory paying out exact amount and that the seed is constantly changing every second but somehow someone figured out when and programmed it into a phone. it just interested me if i could figure out when it hits postive payouts or a minigame but not further . im not smart enough to understand the prngs yet though.
@damicore Жыл бұрын
sorry, but why did you use msys2 instead of wsl?
@jeFF0Falltrades Жыл бұрын
I could have used WSL, but I wanted to try to account for folks who probably didn’t want to set WSL up if they hadn’t already just for the tutorial, so MSYS2 seemed like a lightweight solution for Windows users who don’t have WSL already ready to go to quickly follow the build process without configuring a bunch of options.
@jordankostov7581 Жыл бұрын
Heya JeFF! This tutorial is a real gem! you helped me get better at my hobby and that is modding :). I have a couple advanced questions. I have a game injected with a DLL file by replacing existing one - just like the way you do it this tutorial. When the injection is loaded i want to run a code that make code of the binary between two addresses become NOPs. I created this function: void SetNop(const char* address, const int length) { char* startAddress = address; const int numNops = length; for (int i = 0; i < numNops; i++) { *(startAddress + i) = 0x90; // Set the byte to the NOP opcode } INFO
@jeFF0Falltrades Жыл бұрын
Nice!!! One place to start to look is to see if the memory is writeable - typically it won’t be by default. You can get around this by using a function like VirtualProtect() or WriteProcessMemory() to set the permissions on the section where the code you’re trying to modify is to be writeable.
@jordankostov7581 Жыл бұрын
@@jeFF0Falltrades it took many hours, sweat and blood... but i did it. Thank you so much! :)
@jeFF0Falltrades Жыл бұрын
@@jordankostov7581 Congratulations on persisting! You should be proud!
@jordankostov7581 Жыл бұрын
Thank you Jeff! With my newly acquired knowledge i was thinking how much can be accomplished in terms of migrating my assembly patches to the DLL injection and i got some design questions in mind. If you have any tips regarding them it will be great. Questions: 1. In the video above you impersonate the existing DLL by bypassing it. However the bypass requires the original DLL 4 functions to be defined in the export file so they are still available for the binary to use. What if the original exe had 400 functions? Do you have to define them all manually or there is another approach? 2. I do noticed that you can do the following type of patches quite easily the DLL injection: - change existing binary variables - complete rewrite of existing binary functions But what if there is function that is very large in size and i want to modify just part of it? What will be the most common-sense way approach that? Will I have to use assembly again or there is a better way to modify in C++? What if i want to add the function code ? With normal assembly a jump is done to a empty space at the end of the binary where the new code resides, then after it is executed it goes back to the function. Is there a better approach with the DLL injection where the new code is kept at the DLL instead? 3. What are your thoughts on going around Windows 10 D.E.P. ? As the game we mod gets more (and more complex) patches, player with D.E.P. enabled had their game crashing and even refusing to start. This behaviour is of course based on pure assembly patching with hooks. Will the DLL injection method help me go around that issue? May be questions are not defined really well. :)
@he1817 Жыл бұрын
I dont know English very well and I spent a lot of time learning these and Im tired Thank you very much for your video very nice video :} but can you briefly hack a simple game as a tutorial? I really need this 1:37:56 - How did you find the timer in this part? I cant find it if it were me and I want to learn about it, but unfortunately I couldn't understand it.
@Lorendrawn 2 ай бұрын
Show the intro to professor true brian
@Salsuero 7 ай бұрын
You didn't patch out the -100 after explaining that it was hard-coded.
@jeFF0Falltrades 7 ай бұрын
At which timestamp?
@Salsuero 7 ай бұрын
@@jeFF0Falltrades1:49:32
@brianredbeard 7 ай бұрын
I spent 30 seconds searching: Brian Deep
@jeFF0Falltrades 6 ай бұрын
Nice! I should have known to enlist another Brian in his search…a classmate of mine also saw this vid and let me know the day after it was published, too. Thanks to you both for that, so I can find him and let him know just how much he inspired me (and hope he never watches the other insanity of my videos…). Thanks for watching!
@themaniacboy 10 ай бұрын
Hello, I really liked your video although I'm not experienced at all in RE, but I'm certainly willing to learn more about it! Quick question, could you reverse a game dll file? It's needed for modding a game called Duke Nukem: Manhattan Project, because it's really restricted now. The file is called "duke_base.dll". Would really appreciate it if you could help in any way.
@skeleton_craftGaming Жыл бұрын
I would be suprised if [User/System]32 has a key mask for the registry functions at all... its bad practice to use the registry for storing non-persistent user space values like that... a better way to do this would be to use a binary encoded (most likely a .cfg or .ini) file to store the settings. that way you don't need to run it with elevated perms. Or at least it wouldn't if you don't have it installed in the system files [I think that when it came with windows it was installed in the C:\windows\[games\] folder..] but even then I think that they could've saved to %appdata%\games\solitaire which you would have ring 3 write access [as that is the reason for the %appdata% file after all]..... now that I think of it IDK if fopen can resolve path envar ejections [ie the %% in "%appdata%\games\solitaire"] though I think that User32 has a function for that if it doesn't do it on fopen call... working with system32 in general is kina stupid because there is 2 versions of each function an ascii version (as denoted by the "A" postfix on the system call) and the 16 bit Unicode version (as denoted by the "W" [standing wide because it it uses WCHAR_t (aka short) as its string type] postfix on the system call)
@jw200 3 ай бұрын
Thanks for video but the XP solitaire sourcecode is in the leaked XP sources available from internet. Im not promoting it but just telling the fact
@Nunya58294 Жыл бұрын
So I took on my first reverse engineering project to reverse a bootloader. I'm proud to say I'm very successful in my project! It's shockingly fun too haha
@jeFF0Falltrades Жыл бұрын
That’s awesome!!! Many wouldn’t think it, but RE can be a blast under the right circumstances. Thanks for watching!
@raffaelemormile9199 Жыл бұрын
hiii i need help is there i way to change a game that isn't been made in my language (italian), this is a word game that has ofc english vocabulary, i just want to put the italian vocabulary to play in italian. I dont care if the graphic is in english, just want to put italian words... is that possible with ghidra... the game is Bookworm Adventures deluxe... pls if you dont how to do it PLS can you give me a contact of a person that can teach me how to do it.... o am trying this form 4 years.... thanks... :(
@adamrushford Жыл бұрын
You didn't waste your time, it's cool for different reasons than you said, you don't sell you acting jokes very well, they're bad to begin with. I can't believe people still think rick rolling is a thing in 2023. See ya round!
jeFF0Falltrades
Рет қаралды 4,9 М.
jeFF0Falltrades
Рет қаралды 16 М.
НОВОСТНИЧОК
Рет қаралды 16 МЛН
Winderton
Рет қаралды 281 М.
stacksmashing
Рет қаралды 1,3 МЛН
GS PACKER
Рет қаралды 32 МЛН