With this post I will start a series of howtos about what you have to do if you want to write a bot or tool for an
MMORPG. It should give you an inside view of reverse engineering programs.
Needed:
- Silkroad Online
- OllyDbg
- mmBBQ
- editor of your choice (mine is vim ;) )
Most beginners have the problem of not knowing where to start. With a program like the selected MMORPG it is a really hard task, because its binary is 13MB large and it is protected by HackShield.
First of all we start the client and attach OllyDbg to it (in Olly: File -> Attach and select the process). Then we see HackShield in action: it prevents a debugger from attaching to the protected process. HackShield does that with a kernel driver that is loaded by ehsvc.dll during sro_client.exe startup.
- 32-bit: the driver hooks NtOpenProcess and returns STATUS_ACCESS_DENIED whenever someone tries to open the Silkroad process.
- 64-bit: hooking the kernel like that is not possible there (PatchGuard), so the driver registers a so-called filter driver via ObRegisterCallbacks; these callbacks are invoked whenever someone tries to open or duplicate a handle to the protected process, before the handle is handed out.
Either way OpenProcess fails, and with it the debugger's attach.
Another trick of HackShield is a cyclic scan of the loaded executable for changes, so a patch applied in memory to the running client will be detected sooner or later.
If we start sro_client.exe directly, without the loader, we get a message box instead of the game (the one containing "Please Execute" that we will search for in step 2):
What to do next:
1. Read the start parameters for the executable
That's an easy task with the help of mmBBQ.
- Start Silkroad.exe
- use START.bat from our zip file for mmBBQ
- because we already have done most of the Silkroad-specific work, it will automatically inject into the process.
Now just type
Code:
str(asmcall.cdecl(getProcAddress("kernel32", "GetCommandLineA")))
in the mmBBQ console and you will see something like this:
Code:
str(asmcall.cdecl(getProcAddress("kernel32", "GetCommandLineA")))
'"C:\Program Files (x86)\Silkroad\sro_client.exe" 1967664 /18 0 3'
(The call resolves GetCommandLineA inside the injected process and returns the exact command line the loader started sro_client.exe with.)
If you have opened sro_client.exe in OllyDbg you can easily set this command line with
File -> Set new arguments...
2. Make sro_client.exe startable without the loader
We know the message that appears when we try to start sro_client.exe directly.
- So we open the executable in OllyDbg (File -> Open)
- Then we search for all referenced strings (right click -> Search for -> All referenced strings)
- In the new window we search for the text "Please Execute" (right click -> Search for text)
- After a double click on that line we jump to the position where the string is used:
As we can see, right before the parameters for the call to MessageBoxA are pushed there is a conditional jump (JNE). If we change it to an unconditional one (JMP) (double click on the line to assemble the new instruction) the message box is always skipped, no matter which command line the client was started with.
3. Get rid of HackShield
Searching for strings in an executable is not the most professional way of reverse engineering, but in the case of Silkroad it works really often :)
So simply search for HackShield like you searched before.
At this point scroll up a bit to get to the beginning of that function. In the window under the code section we can see
Code:
Local call from 8BDC20.
Double click on that, and do the same in the newly opened window, to get to the position where our function is called.
The block from the position where our function is called up to (but not including) the line with
Code:
PUSH EBX
is the startup part for HackShield.
right click -> Edit -> Fill with NOPs
Maybe I will add a detailed description of why I chose this block, but I want to move on to more interesting stuff :)
After all the hard work you are able to save the edited binary to another executable: right click -> Edit -> Select all, right click -> Edit -> Copy to executable, and in the new window right click -> Save to file. Choose another name than sro_client.exe (it's cool to have an original backup :D)
So every time you want to live debug the client, just open the saved executable in Olly (don't forget to set the arguments before you run it :D) and click Run. Since the HackShield startup code is NOP'd in that copy, neither the driver nor the cyclic scan gets loaded, so the debugger attaches normally.
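As an added example (my own code, not the original post's and not part of mmBBQ, OllyDbg or HackShield), here is a small PE32 patcher that does offline what steps 2 and 3 do interactively in OllyDbg: it finds the PUSH instructions that reference a string (the "All referenced strings" search), turns a JNE into a JMP, fills a block with NOPs and writes the result to a new file. The PE image it works on is a constructed stand-in built in build_sample_pe(); the real addresses in sro_client.exe are not known here and would be taken from OllyDbg.

```python
# Added example: offline PE32 patcher mirroring the OllyDbg steps above.
# Not the post's code; the sample image below is constructed, not the game client.
import struct


def parse_sections(data):
    """PE32 section table: list of (name, va, vsize, raw_off, raw_size, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsec = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24                                                 # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for off in range(opt + opt_size, opt + opt_size + nsec * 40, 40):
        name, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode(), image_base + va, vsize, raw, rawsize, chars))
    return sections


def va_to_raw(sections, va):
    """Map a virtual address to a file offset (what 'Copy to executable' does)."""
    for _, sva, vsize, raw, rawsize, _ in sections:
        if sva <= va < sva + max(vsize, rawsize):
            if va - sva >= rawsize:
                raise ValueError("0x%08X has no bytes on disk" % va)
            return raw + (va - sva)
    raise ValueError("0x%08X is not inside any section" % va)


def find_string_refs(data, text):
    """Locate the NUL-terminated string containing 'text' and every PUSH imm32 (68 xx xx xx xx)
    in an executable section that pushes its address, like 'All referenced strings'."""
    sections = parse_sections(data)
    pos = data.find(text.encode("ascii"))
    if pos < 0:
        raise ValueError("string not found")
    start = data.rfind(b"\0", 0, pos) + 1                         # back up to the string start
    str_va = next(sva + start - raw for _, sva, _, raw, rawsize, _ in sections if raw <= start < raw + rawsize)
    needle = b"\x68" + struct.pack("<I", str_va)
    refs = []
    for _, sva, _, raw, rawsize, chars in sections:
        if not chars & 0x20000000:                                # IMAGE_SCN_MEM_EXECUTE
            continue
        blob, hit = data[raw:raw + rawsize], -1
        while (hit := blob.find(needle, hit + 1)) >= 0:
            refs.append(sva + hit)
    return str_va, refs


def patch_bytes(data, va, expected, new):
    """Overwrite bytes at va, but only if the bytes currently there are the expected ones."""
    off = va_to_raw(parse_sections(data), va)
    if data[off:off + len(expected)] != expected:
        raise ValueError("bytes at 0x%08X are %s, expected %s"
                         % (va, data[off:off + len(expected)].hex(), expected.hex()))
    return data[:off] + new + data[off + len(new):]


def jne_to_jmp(data, va):
    """JNE rel8 (75 xx) -> JMP rel8 (EB xx); the displacement byte stays the same."""
    disp = data[va_to_raw(parse_sections(data), va) + 1:][:1]
    return patch_bytes(data, va, b"\x75" + disp, b"\xEB" + disp)


def nop_range(data, start_va, end_va):
    """Fill [start_va, end_va) with 0x90, like OllyDbg's Edit -> Fill with NOPs."""
    off, n = va_to_raw(parse_sections(data), start_va), end_va - start_va
    return patch_bytes(data, start_va, data[off:off + n], b"\x90" * n)


def build_sample_pe():
    """Constructed minimal PE32 standing in for the client: .text holds the
    CMP/JNE/PUSH/CALL pattern from step 2, .rdata holds the message text."""
    image_base, text_va, rdata_va = 0x400000, 0x1000, 0x2000
    msg = b"Please Execute Silkroad.exe\0"
    code = (b"\x83\x7D\x08\x00"                                   # cmp dword [ebp+8], 0
            + b"\x75\x0A"                                         # jne over the message box
            + b"\x68" + struct.pack("<I", image_base + rdata_va)  # push offset msg
            + b"\xE8\x00\x00\x00\x00"                             # call MessageBoxA (placeholder)
            + b"\xC3")                                            # ret

    def sec(name, va, raw, body, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(body), va, 0x200, raw, 0, 0, 0, 0, chars)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    hdr = (dos + b"PE\0\0" + file_hdr + bytes(opt)
           + sec(b".text", text_va, 0x200, code, 0x60000020)      # CODE|EXECUTE|READ
           + sec(b".rdata", rdata_va, 0x400, msg, 0x40000040))    # INITIALIZED_DATA|READ
    img = bytearray(0x600)
    img[:len(hdr)], img[0x200:0x200 + len(code)], img[0x400:0x400 + len(msg)] = hdr, code, msg
    return bytes(img)


if __name__ == "__main__":
    data = build_sample_pe()
    str_va, refs = find_string_refs(data, "Please Execute")
    print("string at 0x%08X, pushed from %s" % (str_va, [hex(r) for r in refs]))
    jne_va = refs[0] - 2                   # sample only: in the real client take the VA from OllyDbg
    patched = nop_range(jne_to_jmp(data, jne_va), refs[0], refs[0] + 10)
    with open("sample_patched.exe", "wb") as f:   # always write a new file, keep the original
        f.write(patched)
```

To use it on the real file, read it with open(path, "rb").read(), pass the VAs shown in OllyDbg, and write the result under a new name. Every patch checks the bytes it expects before writing, so a wrong address (or a client update that moved the code) raises an error instead of silently corrupting the copy.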
What comes next:
- Networking (Packet read, write)
- Detecting events (monster/player/user move, attack ...)
- Initiating events (attack, move)
- Inventory
Greetz defragger