|
You last visited: Today at 08:39
Advertisement
Reverse engineering
Discussion on Reverse engineering within the Need for Speed World forum part of the Other Online Games category.
10/12/2016, 00:30
|
#1
|
elite*gold: 0 
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
|
Reverse engineering
So, I didn't really expect to make this thread. But, in case anyone cares, I've decided to try and reverse engineer specific parts of the NFS:W executable, including:
- UDP checksum validation (unless someone figured that out)
- WTH do the different values in the freeroam packets mean?
- How does the P2P system that is mentioned in the code work? (If there is one)
This is the first thing I've ever tried to reverse engineer, and it's going fairly well so far. I'm finding a bunch of debugging statements, which leads me to think that I can find the actual code near them.
This is also my first time using IDA on an actual executable. I'd say I'm doing fairly well for a newbie.
I'm not sure if anyone actually cares anymore. I just figured I'd let people know what I'm up to (because I remember I was talking about my freeroam project a few months ago; this has to do with that, and yes, i'm still working on it)
TL;DR I'm trying to figure out various parts of the game, and see if I can make any important discoveries.
~ Leo
EDIT ONE: Found some debugging statements, NFS:W's custom networking library seems to be called PacMan; handles races, P2P, and some other stuff, it seems like.
|
|
|
|
10/12/2016, 03:38
|
#2
|
elite*gold: 0
Join Date: Jun 2015
Posts: 331
Received Thanks: 608
|
Nice. I do care about it.
Once you get the info, I will help to make it happen.
|
|
|
|
|
10/12/2016, 12:56
|
#3
|
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
|
Alright, thanks! Maybe I'll actually find something useful 
Sorry for the double post, but I'm not sure if mentions are processed when a post is edited.
@  I know that you have some experience with reverse engineering, perhaps you could help me with a little problem I'm having. I know about the IsDebuggerPresent calls, and I attempted to disable them, but once I try to run the game, it just exits and IDA says that a bunch of messages with a % were logged.
I'm using the local Win32 debugger. How did you get it to run? I'm sort of stuck.
|
|
|
|
|
10/13/2016, 22:19
|
#4
|
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
|
Alright, just a little update. I've been messing around with the current UDP server, and it appears that the game will not display players on the map or in the world if the freeroam packets take too long to come.
Basically:
> put a very short delay between packets, the game sees the data and accepts it, but lags a bit
> put a slightly longer delay, lags a bit less
> put a delay longer than, say, 450-500ms, and the game just ignores the packets
I'm not quite sure why this is. If anyone can provide some input or advice, it would be greatly appreciated.
Update: it seems like all freeroam UDP packets from C->S start with the same three hexadecimal numbers/bytes: 78, 31, c1; content varies
server responses seem to start with 40, 8d, 5c; content varies
|
|
|
|
|
10/14/2016, 12:31
|
#5
|
elite*gold: 0
Join Date: Jun 2015
Posts: 371
Received Thanks: 321
|
That guy deserves a some likes atleast! So, all that people, who get a working online, have a ping less than 400ms...
|
|
|
|
|
10/14/2016, 23:32
|
#6
|
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
|
The latest: I think I've managed to collect a few examples of freeroam packets that are delivered to the server. I'm not completely sure, but based on what I saw, they do appear to have something to do with the player.
What I've been able to figure out: - the game sometimes won't send freeroam packets for a little while. I might just be forgetting to turn on the server though.
- Pretty much every packet the client sends starts with the same bytes: 78 31 c1 be 3d 16 40 8d 5c
I'm going to try sending fake packets to the client, with dummy data, to see what happens.
Anyway, have a few pictures!
(If you don't see anything special in the picture above, look at the highlighted area + the arrows. That data is most likely a free-roam packet.)
|
|
|
|
|
10/15/2016, 10:53
|
#7
|
elite*gold: 0
Join Date: Jun 2015
Posts: 331
Received Thanks: 608
|
This: 78 31 c1 be 3d 16 40 8d 5c is part of hello packet. Game start sending position packets when server send hello-ok.
|
|
|
|
|
10/15/2016, 13:43
|
#8
|
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
|
@ that's what i figured. it seems to send quite a few hello packets though before the server finally accepts it, not sure why.
I still have to figure out why players will sometimes totally vanish from the map if you move them.
|
|
|
|
|
10/16/2016, 23:55
|
#9
|
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
|
The latest: I'm going to try a slightly different approach at this; instead of rebroadcasting every single packet, make it random. To do that, I'm just generating a random number out of 1000, and if it's divisible by 10, send the packet back.
Let's see if this works.
|
|
|
|
|
10/17/2016, 11:54
|
#10
|
elite*gold: 15
Join Date: Aug 2012
Posts: 3,041
Received Thanks: 6,397
|
UDP checksum is a pain in the ***.
ASLR address: 767B80 -> almost always ends up on:
.text:00767BF4 jmp .text:00767BFF // modified for no checksum
There are at least 3 gateways, which I presume to be a fast-fetch type of structure (a.k.a. a switch in modern languages). This part of NFS:W has proper language semantics implemented and probably was mangled by hand. Odds are they are left over from BlackBox beta times, as almost everything is.
I was gone for a while because of, well, Turkey. Even GitHub was blocked for like a week recently, don't know what the **** is even going on to be honest.
If you want to debug NFS:W with flashtraces or local debug lines, find and disable: - Injection check loops (there are 2)
- WinVerifyTrust
- CheckRemoteDebuggerPresent
- IsDebuggerPresent
- Module name check (EnumProcessModules)
You can disable interference checks (2, 3, and 4) by just nulling their imports. When you are done, modify the assembly to make it "BuildType.Debug;NotOptimized;Level.Debug", then you can read everything with Dbgview.
|
|
|
|
|
10/17/2016, 12:42
|
#11
|
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
|
@ Might need help finding the loops but everything else I should be able to do. Thanks
|
|
|
|
|
10/19/2016, 00:19
|
#12
|
elite*gold: 15
Join Date: Aug 2012
Posts: 3,041
Received Thanks: 6,397
|
I don't have my notes around since I left my other desktop back at home. I won't be able to assist you with the hook detection, sorry. Focus on UDP, game doesn't log anything about it so just try to understand the code. Disassemble->Decompile->Refactor->Try repeat until you reach the final working code, that's how I did it with the xmpp packet validation.
|
|
|
|
|
10/19/2016, 12:48
|
#13
|
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
|
Alright, thanks anyway! I think I'm close to removing the hook detection anyway.
|
|
|
|
|
10/20/2016, 22:23
|
#14
|
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
|
@ What exactly do you mean by:
Quote:
|
When you are done, modify the assembly to make it "BuildType.Debug;NotOptimized;Level.Debug"...
|
I don't know what you mean by "BuildType.Debug", "Level.Debug", etc. I looked around a bit and can't find anything referencing "BuildType" or whatever. I'm new to this, so I might be missing something obvious.
|
|
|
|
|
10/22/2016, 01:52
|
#15
|
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
|
Alright everyone...
I'm looking for some volunteers to help out. This isn't an easy thing to do alone, so if anyone wants to help, that would be appreciated.
Volunteers need to have experience with:
- networking/multiplayer games
- reverse engineering (I'm still learning, so that's the reason for this requirement)
- Wireshark (to watch the packets that are being sent)
- Know how to use IDA effectively (same reason as "reverse engineering", I'm still learning how to use it)
Additionally, if anyone happens to have a modified version of the NFSW executable that removes the anti-debugger code, PM me.
Anyone who's interested, please PM me!
|
|
|
|
 |
|
Similar Threads
|
Reverse Engineering
09/06/2016 - General Coding - 6 Replies
Hey,
German:
Hab gerade angefangen die Tutorialreihe von Lena 151 zu machen, nun bin ich schon beim 4 Tutorial auf ein Problem gestoßen, obwohl ich exakt das selbe wie Lena mache habe es mir auch schon 3 mal erneut angeschaut und dennoch nicht den Fehler gefunden.
Da ich denke, dass keiner so hilfsbereit ist und das Tutorial extra nochmal anschaut: Es wird auf gedrückt und dann kommt die Fehlermeldung "You've reached the limit..." anschließend drückt man auf den Pause-Button in Ollydbg ->...
|
Looking for some reverse engineering help
12/19/2014 - Main - 3 Replies
I am looking for someone with knowledge in reverse engineering and creating a full emulator of Reel Deal Casino Live. I believe the task should be relatively simple but we shall see. I know it's not a well known game but its an online 3D casino world.
|
[Help] Getting into ASM/reverse engineering
12/11/2014 - SRO Private Server - 0 Replies
delete this topic please, found what I asked for.
|
[Buying] Reverse engineering
06/25/2014 - Coders Trading - 1 Replies
Hello everybody,
I am searching for a reverse engineer+coder to help me out with something.
We're paying a good amount of money if you're able to do the job. For more information PM me or add me on skype : jaxallods
Thanks,
- Jax
|
Reverse Engineering...
07/11/2011 - SRO Coding Corner - 5 Replies
Hi,
I just wanted to ask, if those guides, on this web:
Reverse Engineering | malprogramming.net
are enough to learn about reverse engineering, or a bit, or atleast, as much as that, that I as example, can do later something with it.
Or its just crap and some infos about reverse engineering on that website?
Because I dont want read 3hours of something wrong.
|
All times are GMT +1. The time now is 08:39.
|
|
