MMORPG. This should give you an inside view into reverse engineering programs.
Needed:
- Silkroad Online
- OllyDbg
- mmBBQ
- editor of your choice (mine is vim )
Most beginners have the problem of not knowing where to start. With a program like the selected MMORPG it really is a hard task, because its binary is 13MB large and is protected with HackShield.
First of all we start the client and attach OllyDbg to it (in Olly: File -> Attach and select the process). Then we see HackShield in action: it prevents a debugger from attaching to the protected process. HackShield does that with a kernel driver that is loaded by ehsvc.dll during sro_client.exe startup.
- 32-bit: they hook NtOpenProcess and return ACCESS_DENIED if someone tries to open Silkroad.
- 64-bit: they load a so-called filter driver (ObRegisterCallbacks); these callbacks are invoked whenever someone tries to open or duplicate a handle to the protected process.
Another trick of HackShield is a cyclic scan of the loaded executable for changes.
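To make that cyclic scan concrete from the protector's side, here is an added example (my own code, not part of the original post and not HackShield's or Silkroad's code) of how such an integrity scan works: take a hash and a snapshot of a code region while it is known good, rehash it periodically, and on a mismatch locate the first changed byte. The byte array is a constructed stand-in for a fragment of protected code, chosen so it contains a short JNE, the kind of branch that a one-byte patch turns into a JMP; the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a few bytes of a protected code region.
 * These are not bytes from any real binary; the fragment just ends a
 * test with a short conditional jump (JNE rel8, opcode 0x75) ahead of a call. */
static uint8_t code_region[] = {
    0x85, 0xC0,                   /* test eax, eax            */
    0x75, 0x0A,                   /* jne  +10                 */
    0x6A, 0x00,                   /* push 0                   */
    0xE8, 0x00, 0x00, 0x00, 0x00  /* call rel32 (placeholder) */
};

#define MAX_REGION 4096

/* FNV-1a 64-bit over an arbitrary byte range; cheap enough to run cyclically. */
uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

typedef struct {
    uint8_t *base;                /* start of the monitored bytes            */
    size_t len;
    uint64_t baseline;            /* hash taken while the region is known good */
    uint8_t snapshot[MAX_REGION]; /* copy used only to locate a changed byte */
} integrity_region;

/* Record the known-good state. Returns -1 if the region is too large. */
int integrity_init(integrity_region *r, uint8_t *base, size_t len) {
    if (len > MAX_REGION) return -1;
    r->base = base;
    r->len = len;
    memcpy(r->snapshot, base, len);
    r->baseline = fnv1a64(base, len);
    return 0;
}

/* Fast path for the periodic scan: rehash and compare with the baseline.
 * Returns 1 if the region no longer matches, 0 if it is intact. */
int integrity_changed(const integrity_region *r) {
    return fnv1a64(r->base, r->len) != r->baseline;
}

/* Slow path, run only after the hash fails: offset of the first differing
 * byte, or -1 if nothing differs. This is what a scanner would log. */
long integrity_first_diff(const integrity_region *r) {
    for (size_t i = 0; i < r->len; i++)
        if (r->base[i] != r->snapshot[i]) return (long)i;
    return -1;
}

/* Demo: an untouched region passes the scan. Returns 0 when clean. */
int demo_untouched_is_clean(void) {
    integrity_region r;
    integrity_init(&r, code_region, sizeof code_region);
    return integrity_changed(&r);
}

/* Demo: flip the JNE at offset 2 to a short JMP (0xEB), the one-byte kind of
 * patch the text describes, and return the offset the scan reports (2).
 * The byte is restored afterwards so the demo is repeatable. */
long demo_detect_patch(void) {
    integrity_region r;
    integrity_init(&r, code_region, sizeof code_region);
    code_region[2] = 0xEB;
    long off = integrity_changed(&r) ? integrity_first_diff(&r) : -1;
    code_region[2] = 0x75;
    return off;
}

int main(void) {
    printf("untouched region flagged: %d\n", demo_untouched_is_clean());
    printf("patched byte reported at offset: %ld\n", demo_detect_patch());
    return 0;
}
```

The split into a cheap hash check and an expensive byte-by-byte diff is the usual design: the hash runs on every cycle, the diff only when something is already known to be wrong, and the snapshot lets the scanner report exactly which instruction was altered rather than just "the image changed".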
If we start sro_client.exe without the loader we will get:
What to do next:
1. Read the start parameters of the executable
That's an easy task with the help of mmBBQ.
- Start Silkroad.exe
- Use START.bat from our zip file for mmBBQ
- Because we have already done most of the Silkroad work, it will automatically inject into the process.
Now just type
Code:
str(asmcall.cdecl(getProcAddress("kernel32", "GetCommandLineA")))
which returns:
Code:
'"C:\Program Files (x86)\Silkroad\sro_client.exe" 1967664 /18 0 3'
In OllyDbg these arguments are set under File -> Set new arguments...
2. Make sro_client.exe startable without the loader
We know the message that appears when we try to start sro_client.exe directly.
- So we open the executable in OllyDbg (File -> Open)
- Then we search for all referenced strings (right click -> Search for -> All referenced strings)
- In the new window we search for the text "Please Execute" (right click -> Search for text)
- A double click on that line jumps us to the position where the string is used:
As we can see, right before the parameters for the MessageBoxA call are pushed there is a conditional jump (JNE).
If we change this one to an unconditional jump (JMP) (double click on the line)
3. Get rid of HackShield
Searching for strings in an executable is not the most professional way of reverse engineering, but in the case of Silkroad it works really often.
So simply search for "HackShield" like you searched before.
At this point scroll up a bit to get to the beginning of that function.
In the window under the code section we can see
Code:
Local call from 8BDC20.
Follow it, and do the same in the window that opens, to get to the position where our function is called.
From the position where our function is called up to (but not including) the line with
Code:
PUSH EBX
do: right click -> Edit -> Fill with NOPs
Maybe I will add a detailed description of why I chose this block, but I want to move on to more interesting stuff.
After all the hard work you are able to save the edited binary to another executable: right click -> Edit -> Select all, right click -> Edit -> Copy to executable, and in the new window right click -> Save to file. Choose a name other than sro_client.exe (it's good to keep an original backup).
So every time you want to live-debug the client, just open the saved executable in Olly (don't forget to set the arguments before you run it) and then click Run.
What comes next:
- Networking (Packet read, write)
- Detecting events (monster/player/user move, attack ...)
- Initiating events (attack, move)
- Inventory
Greetz defragger