Reverse Engineering Techniques for Game Hacking
Show transcript [en]
my name is the network at HCC group as a security consultant it's really cool that is when we are not happening on clients Tuttle my company gives me time to perform research and show my interests and that like some of that free time I'll produce this presentation and the work within it so yeah it's a really cool place to be our booth is literally right outside the doors there in the back so the word if you want your more maneuver check us out stop by the booth now we were really friendly in recruiter and all the other to talk to us well few of us here so anyway yes how many people have been playing their favorite first-person
shooter for doing really well you know this is fun and then BAM you just like from across the map right this is probably had knows how it means probably happens it does - yeah this person that's like Julie there's no way they can even see you there on the other side of the map there's too much fog they're obviously cheating so feeling mean you know that's like oh that's really lame like I was doing it on speed guys she took me now how it's pretty dead girl so they probably thought you know that's kind of cool like from a technical standpoint that kind of possibly come up with that and like maybe she liked that word so you know
when you're talking about today is a little bit about how reverse-engineered assisted you know step one right in the ass since our develop now how you might reverse engineer and I also want to talk about a tool that I go to ought to be part of this recursive process that saves hours of time and makes things a lot easier so first of all we're getting max I mean I'm sure you guys have all seen before I want to show up an example of the impact that I wrote personally it's a spirit named Koh Falcon to talk about ten years ago so my point of view is in a helicopter on a to Boyd that's a
helicopter piloted by and and I control player pop open this YouTube video see how it's like pretty good yeah so one with your gear is uh in second I'm going to switch to the gunner seat and have to make my TV guided missile which is a particular weapon that this attack helicopter has the hacked other Otis actually didn't aim at for that missile so normally the way that you would use the TV in this little it is once you switch into TV screen so they're nominally now I'm about to fire off my TV missile you choose across there activated my little red thing how it goes away anyway so this crossover is what what normally you
use not cheating you normally just click on the screen where you want the missile to go to do that keep your other missiles polite I didn't want to do that so I've got cheap to do it for me so see you in a second that crosshair is going to be moving around as the missiles fly and it's going to be whoops it's not gonna aim directly at the enemy helicopter because I programmed the g2 to aim slightly ahead so you can see that the missiles been fired as a enemy helicopter right there and then the krauser is here and it's aiming headwords gonna be leading him a little bit so that's better chance of idioms
you see us it's flying to target and takes him out all I was doing there was clicking the mouse was ahead of the program the g2 click Mouse for me but all the evenings all the controlling where the crosshair goes it's done half speed let's see that again I'll switch over to the TV missile mode now the aimbot is controlling where that crosshair is so it's speaking out you know my position it's figuring out the position of the helicopter and then it knows exactly where to aim so cool how something like this done so how does it how does the chief work so typical cheetah architecture not all sheets are made this way but something you see a
lot is to develop already a DLL it's gonna get injected into the game process so in the spaces made out go to this tol gets injected and then from there chief logic that it's going and it might be this is kind of like pseudocode it might look something like this where it's saying okay to each player if they're an enemy than you are that their coordinates and also this imaginary have this type of ethical hat it's gonna be like an extra sensory perception hat where it might show you you know where on your app or whatever where your and players are some of you might not you have normally be able to see this you
know where my tongue is located this cheats gonna reveal their locations for you I'm just so hypothetical chief demonstrate touch architecture so to take this little into a little more detail at this so for example that get player by index function it's got a you know figure out where in memory the enemy players are or else how is it going to be able to you know determine if they're in a player or figure out their their position that's going to court inside of memory so how does it do that so if you have a hypothetical function that's get player by index what it's going to do is read some of it some some values and predictable address
might need static memory and then I might dereference that to get a pointer to some some key management object let's say and then at some offset within the game object there might be a pointer to a linked list which then contains so each node in the linked list might contain points to player objects and then you get the coordinates where you can see this debt coordinates method it's part of a no player like an enemy object and then from there I can you know get the player position of the player object so that's how these functions might work basically the key concept here is that we're starting a predictable how to us and performing a
bit of a sequence of offsets and dereferences down to date of their actions in which in this case is our players position so I'll put some text on the slide because it's absolutely a key concept when the rest until the sequence here the pattern Austin's offsets and references is as crucial to making this work an interesting thing is that the sequence you know you know the specifics of that is formed by the structure of and relationships between the game objects so these are objects of course that you know I'm in programs like game developers talk Java server surgeon us to figure out specifics of how those objects have been implemented so then we can traverse them ourselves
to get the data that we're interested so this orange thing all these orange squares are just kind of like a little more detail prism the bolts on the previous slide so these little orange rectangles of expanded to Google permission on this side so here's my deal like our first predictable address so let's say you know some predictable address that's you know a stack offset from the executable base image and memory this pretty cool address was always going to contain the game object pointer you know pointer houses points to chemo which out let's say in this example at an offset of zero exp needs a pointer to a linked list and then from there we can
traverse that linked list as we do you'll notice that each node has no point you to a player object that an offset of zero explored so now we can go through predictable address the traversal you know the sequence of offsets to get to you know didn't clear how the seven stood in and once we got the player objects let's say for example we know that players positions in data that's at 0 x4 0 this is making sense so far any questions or anything ok so how do we find the sequences and step 1 I guess there's probably one way to prove I do is I start by finding that the address of the date of interest so
in this video I'm going to show see that's pretty enough so what we've got to do this is Falcon to one part of the screen and then over here this is a program called cheetah which is just a memory standard it's all job is just a memory for you unless you search for certain values and then try to find parts of memory that have data you're interested so I'm going to use that Belton to try to basically where the team is storing the coordinates of our TV missile Procera so what I'm going to do is person that I will do an initial scan of memory and that's just going to record all the values my brain has Spencer dependence bloke
employee floating-point types and also recorded you know whatever value is to start then I'm going to start moving the TV missile crosshair around in the game you'll notice now that I've moved it off to the right here and I'm kind of making an assumption that the TV missile crossfader coordinates are on in such a way that when you move the TV missile crosshair to the right the export has to be increasing and when you move back to the lacked the the export is going to be increasing so as this video is playing I'm running scans I did a little bit small I may just be a phenomenal you can see okay so now you see I'm searching
for values that an increase on the specific azam to decrease that's because I lose the prosthetic back over to the left so since you've got developed it to your TV missile prosperity more to the left and they're looking for values that have further decreased since the last and so on until we finally narrowed down a reasonable amount a reasonable number of addresses that could potentially so I don't know I have found they would notice we first started out we'll go back there that the number of a Justice found started 272 million that's way too many to go through manually and even after the first couple scans we perform or stood of 70,000 potential addresses of the David that's a switchman
go through Batman so I do thinness I keep the crosshair back and forth and then Reaper formerly Sandra ballots that have changed accordingly eventually it down to about twenty one potential values now this is really manageable so notice company's values changes and we remove the tumor suppression routes let's see the top so you notice where the t muscles Krishna's over here and I had like move it over you see these values increasing so tell us around something we have a lot of expanded addresses seem to correspond to the movement or Themis of prostate and that's good so I want to do Tessa sympathises is I'm going to select some of these addresses from up here it's my
little sandbox and then I'm gonna double click on the value column and it's feeling a change the value of the data a bit address whatever I want so if you're only changing from 226 to negative 50 now watch as soon as I click OK watch what happens right about here that TV missile crossovers snapped over and that tells us that now you're in control of you know the coordinate yes so now so now we've isolated you know where to remember in the game is is storing this information and if we find that we write to these dresses we control the dignity missile cross area that's really good because obviously we're running it you know to
missile the missile had all the things gonna have to do is control that cross out for us so now we have AB which is an interest what do we do from there some of the nice if we were done there like okay we have our address is like we could just start writing up chief fortunately usually not face that's cause I didn't think about how you know this application Mikoto is you know objects allocated dynamically keep every time you start that name ever said being that address that stores the data that we're interested in them in this case the accordance to the TV missile across there it's gonna be completely different so they're kind of like kids story hands
up we think about what we might do next and that would be to think okay so how does the game figure out how does the game keep track of where that is like obviously crashing every time you try to move the crosshair it must have a way of determining you know how to access that so what we can do is we can observe the execution of game and learn what it's doing and then try to copy later on when we read our cheat so so instead of you know cheat deal appeared this could be you know this is the game executable this is the game code writers you know hypothetical function that we're gonna use in our cheat that we want to copy
maybe starting at some predictable dress performing students of offsets and dereferences in order to definitely the players coordinates so this hypothetical you don't mean to be code dude it's it's going to be checking that you know players are in bounds so so after we determine the the others that were interested in in a particular day to the point of time it's a memory breakpoint on that address so this is using a holly debug bugger that if you're not really familiar with I think general that's just the same sort of thing I want to go to the address that we found last time so that address on the Presidio cheat engine but the others who came up here
for this 460 force of course so we're gonna go to that memory address and are debuggers a hex top window it's not but this right here we're gonna use LED fog to put in memory a great point on address so now anytime alpha 2 attempts to read or write from that address that memory which need to trigger the evening stop so you can see as soon as i said that actually execute pauses and this would because the game is frequently read and write to this address ok so that's that's how you might set breakpoints you so now step 3 once we hit that that memory great point and might want to set us off breakpoint kind
of before the the point that's triggered this is uh remember great points done this will get triggered by a specific location in the code that no should before is kind of fuzzy you kind of have to do a little guesswork to decide you know where you're not assault great point go but the point is you want to put another great point just prior to the instructions that causing memory breakpoint to get triggered because that you can see what the gain was doing just prior to accessing the data that were interested in in this case the accordance of the crossover so I'm gonna let the light let the Quran Kitab so it's still getting up every break point every time I let the
games on so here's an instruction that is triggering our access violation and sitting on my break point so you can see that at this time of ECX register it contains the address TV missile crosshairs x-coordinate and then when it in the references that and trust to read from it that's country the member great point that's cool let's uh let's put a breakpoint on that and then let's put a breakpoint right above it really where you see what happens when this function gets called now this calls i'm subroutine and no idea what those let's find out it's happening right before the access of the data published in so maybe it's something that we're interested so once
we set that breakpoint but that the game we run until the exhalation stops on the we just set and then we're going to reuse the trace functionality to record every instruction that's executed between our first breakpoint our second break point so I'm gonna trace into the debugger that's going to snap down right away to the breakpoint that's just below it and now when you go over and you the countries that was just generated by Janus see here five instructions happens between that's the call to that subroutine and then the the actual reading of the data that were interested in so this kind of interesting you have to just sleep insight into what the game is doing and how things actually gonna
access the data that were interested in so you can see that PC X contains the pointer to the date that we're interested in that pointer came from EC execute instructions right about here at whose value day X and the ECX if you look up you you can see okay well where the DX come from we've got two more instructions and here we are learning he had address that is the value ECX at this time adding 38 dereference in and then store 92 X so this is kind of a first peek into what those sequences those offsets and references look like in terms of actual execution of instructions so you can see here that the game is is controversy a
small segment of estimates that we're interested in so that's awesome we don't have the complete picture yet obviously it seems like it kind of we work our way up to here you know you see X plus 38 but what does that really does I mean all we know is that at the end of the Archean and of our sequence we have to dereference and then that gives us a point into our to the brending like what is you know what was here what was ECX we had 38 to us we don't know at this point but if you continue this process of kind of creatively dusting you know where should I set my breakpoints to
Missouri what's was executing in the game prior to this point you might be able to see you know where it's called pretty cool as you step forward and backward in the execution how probably really useful for something like this they were the death though but since if we're not gonna use App Engine to just keep saying breakpoints above above and potato marks kind of like a nut buzzing notion but I guess prior to the execution you know the code that we've already observed to see you know more about how teens Traverse and a sequence of instructions so yes no before is basically just repeat that process until predictable addresses it use so you can see in the screenshot
that [ __ ] here thinking isn't reading from a register this is a static address this is a constant value of a 0 8 FC 0 that's what does important memory address and development to a lot of a lot of things can be accessed that you start there but anyway I didn't see that the image is dereference in this is constant value store unit and gcx dereferencing a story didn't Dax that looks like it's calling a virtual function there anyway yep so you can kind of just see you know what the game is doing and how its your the pattern of offsets and references that it's following in order to start from particular just like this one to get all
the way down to the data that you're actually interested in so that you can acess it later on so some of the problems of this approach as far as as many members it is it's time consuming very tedious and and frequently run dead ends we're going to get lost are some some common stack for a really long time like I did I mean maybe something a little bit sign but I find that it can be frustrating at times and a really long time you don't come up with any results so doing them doing you know what I described manually might take me somewhere you know between hours or days or minutes if I did lucky but
the hours so let's write a program reduced instead on that programs actually tool that I wrote then we'll talk about Nicole slides with bristles customer eyes the approach that we're following because we're gonna you know distill the universe an algorithm out of that bridge and then implement that in our tool so basically it works something like this we observe that registered X was the access to this so enact a semi PC X is our register X and then through that the value of registered X was calculated by adding an offset to register Y and then indeed reference again this is register why would be you see X again I mean you can see that you
know the instructions are kind of juggling that value around here it goes you know yeah yeah it's back nice to X but yeah this is kind of register you know why then you can observe that you know the value register why was I had an offset to register Z I'm in this example we don't have registered yet because we didn't record enough of the execution prior to this code here but if we did and you know if we work that way back up there's not many more person process so much needed so see you know register see and so on and so forth up to a point where you get to your static value that's being the reference and then you
can stop okay so here's a two-lane road and basically just implements this approach it does that understand that reversing algorithm it sets memory great points and reports the execution in order to perform that analysis I mean they're executing so here is an action it's larger so all you have to do is you can sir in the process ID of target you know in this case of balconies that's what we're interested in and then you enter the the others have interest so if you remember this is not actually the same address of our missile units will across their cornets this is something this is another day member that I that I selected out of the player object just
random a because I figured it might get read through a written to more often than the Prospero so that might be better for demonstration purposes just because can actually pass there but so once a don't miss it the Kings then so it set a breakpoint and then I just started recording execution see here that pretty quickly that memory breakpoint gets hit and now like what's going to do is it's going to take all the instructions that it reported the execution of and it's going to start getting analysis on those to see that out figure okay so like where this value come from and can I work my way back up to a static address so we can see pretty
quickly here it's about some output I this is this is kind of nonsense if you notice its output the same story over and over again which I mean customs like I think this might have a look that I had recently introduced anything into right now but that's all right think about this tools it's not designed to be accurate percent of the time I just want to give me the right answer faster than it would be for me to do it on my own so we'll see yeah did you do it more time to you know let the game execute and make four more instructions and perform analysis that the Opera starts getting more experience so so if
you this we're starting to see stuff that makes some sense so if you see this you see that this is the average that we plugged in that's what we're interested in we can see was obtained by taking something and ECX and I think they're into it and then dereferencing we can see the development is the addresses ECX came from adding 82 ESI load effective address we're actually referencing so do you think if this is adding just ECX plus these two put together not that important but detail you know they're looking up further we can see it okay you know where didn't es I come from company as I came from easy access in from psi here elected in
from DC X DX do you see another instruction that's kind of relevant to us understand this okay somebody X + 4 + something yes I possibly these are all you know offsets that were interested in but again it doesn't give us all the way back to predictable static address so let's so they keep running I can see we get some useful because ultimately you know with no idea you know what yes I is well actually do it tells you right here what I mean that's gonna be different I'm stuck the game so it's not particularly useful to us live another minute or two we're going to at the end of the video and this is a middle time by the way so
C++ yeah it's not using to be different people are actually this slide talks about like how people make is accessing yeah yeah so this actually we think your house is doing so this is external yeah it's actually using read process memory for most of the reads from memory
yeah okay so here we can see it it spit out something that is really interesting to us because look at this this value remember this is easy to rate of 60 which is a static address so what this is telling us is if you started easy to rate of 60 and the reference at 62 that value T reference at the end to that but I ended up and so on and so forth you get down to the value that you're interested in now looking at this trace right here this is kind of confusing see what's going on and there's a lot of instructions there's a lot of additions and new references kind of follow and
notice something I'm not stopping school is that sometimes that's just how the analysis gets performed but it's not obviously entirely relevant to you so if you look at this second trace here you can see this is actually an analysis performed this is this this treasure here on the bottom is just a minimized version of what's up time so this contains this bottle traces is just this trace with some processing performed on and this one contains kind of wait just just the information on our initiative so we analyzed this one instead we can speed that we go from you know a zero at f6 Neustadt address we had 60 and dereference add ATT reference at foreign
key reference at 88 and then at 30 and dereference and that gives us a pointer to the data that we collected I should have mentioned this earlier but because I forgot this address here is the value just the address of our players coordinates in memory you know to do the time for understanding so now you can see you know with this to output and it tells us exactly got to go over a predictable address like this give me the same every time you see it's a static value and it's gonna work its way down in this series of offsets and dereferences and it gets us to our players position every time so it's really cool so now we can
see exactly how gene is traversing in state of structures to access I did that we're interested so we don't know exactly what those instructors are yet you know we have to probably take a little bit of time to you know reverse those themselves we don't necessarily even really need to know that to be able to access our by the data that were interested in which was in this case was the position of our player in memory that's pretty cool so something that I used to take me hours to do I can now get out of this school in a couple of minutes so do you know highlight the relevant output from this tool we went
over that's waiting and Steve Gadd this is this is the sequence that's necessary to go from no predictable location area to you know the location of memory that stores your players position that's really cool so this is the sequence that we need to follow does that make sense question yeah that's a good question welcome to his super old game it's not doesn't support opposition independent execution so that's one of the things that my tool I hope will address and support in the future so probably I'd be looking for instructions that and get a that start with you know certified be referencing a value that is an offset to our IP or you know the instruction pointer I think
that's the approach will involve an ostrich question now so this comes the pelvic to sleep in my sandbox because it's um it's not reveal you know it's a fully fledged where's Bridget shooters but it's also not you know modern enough to support position and execution so kind of a nice testing ground for this sort of thing so you're bringing back the cheat engine this is like the different aspect of functional each engine lets you peruse memory and what I might do is I'm going to plug in that's easier we f60 you know what address this is inside the games memory I'm gonna go down sixty dereference as just following the sequence here then go down eighty the
dereference do it on four and dereference i'm gonna go down b8 and see what's there so as well what you can see there it's what that's pointing to is this value that we told you that's what you interpret as a float is negative 284 this is actually you know are important to me so another thing we need to know right for nothing you need to know we read a lot sheets clean boxes the positions of players in memory this is awesome like we go to static addresses same in time right down to our players coordinates in memory that's pretty convenient all right so now it's these two limitation questions or in C++ top of widows it done I used
the capstone this assembly engine in order to do some of the analysis on the instructions mostly reported if you might be morning and why didn't I just you know do some Python like that easier right and I write this as a point in to some people here that might've been easier that's definitely true however I was looking for a good partner to write on I couldn't find one that kind of checked all the boxes the house looking for which word I want something I had you know a well-documented future belated I and supported 32 and 64-bit applications I couldn't find one that really fit the bill of maybe it's the top deck now you're gonna be cool to
implement this tool there but another thing was I kinda wanted to just do this myself in the ground and learn a little bit about how to infinity butter and just to donate more experience with with the windows 8 July in singles plus kind of took the heartburn and did it myself and the tool basically features two classes that versus a department class the second is a tracer class so the debugger class is in charge of setting the memory breakpoint on the hours of interest and then also reporting the execution as that happens as the game execute those if I said it would be the trap lag in the CPU basically tells it to you you know after every single instructions
executed stop executing and let you know at which point the debugger reports the instruction that was just executed and then it stores you know all of those instructions until the member great point gets hit at which point the tracer class takes over and then it analyzes the reported execution using the capstan engine and then when it's analyzing you might say analyze I mean it's implementing that algorithm that we talked about earlier where I've seen okay so like the date of the rotor spin was read from yes which you know yeah yeah X is a pointer to our data we're worth the value names come from and so on and so forth until you get all the
way back up to where did our we're not value come from I was like a static address in memory so every break point is kind of cool I'm not sure there's other ways that basically what I found is that the way to do it is through H protection and then house validation so here we tell windows and this is sustainably ransom in a code but this do we're telling Windows okay like don't let anybody read or break to the page that contains their apps of interest when this is okay so every single time the game or whatever it started by never studied Festa to practice this is an interest on accepting its Tyrone at which point the debugger class then in
Shuksan ceases the habits that was access is actually more interesting because when there's you know a pages can contain more than just status that when she's in so it's not on our debugger class to that check and see if you have this that triggers the access to the APIs that trigger the attacks violation is actually the one that were tryna set the memory breakpoint on so yeah and then the instruction the execution that record let's talk about earlier is done by single stepping using the CPH a play so here we just kind of look at the CPU blanks for that thread context and we just set a bit less if you say they like don't ask you any more
than one instruction at a time and let me know every time you do so I can record that and then the tracer class was penalized run traits one of those steps of the reversing out of them and then when it's done to do not its Eve's and prints developing instructions so the trace of Costas actually was showing us that useful output and one last you know the the other useful features talking about that the tracer class does is it removes redundant instructions from the output so here again this is the same earlier this one the top is not reduced it's not minimized at all and this one is so you can see that they have some
instructions in common I mean this is from the same you know recorded blood trace but the one on here is just the leaving outs in the mean to be irrelevant instructions I mean for example we don't really care that ECX and EDX here that yes I was wounded exe oh this isn't really relevant to us we just wanna we only care about the instructions that were used to different point A to point B and that's what the trace of the position does so this is a lot easier for us to look at and interpret okay one other thing it does I haven't touched on this and all that is B table identification so if we go back
and look at our output you see this last column here this is outputting the B table a potential v table pointer that's going to be inside of it that's going to be located at these values along the trace so all right it does that by checking the memory protections of values that are present in the trace of sending in my reg reflections you know on the the these addresses and also the addresses those are point two okay so what are the tables and why do we care about this all the tables are waiting for there implementation their compilers to support virtual classes so virtual classes process that will be evening implementation of their methods up to
their subclasses so for example with usually reading an application that you want to have a different types animals you might make an animal base object that can do things like move and Eve [Music] but since the different kinds of animals different ways they don't need different ways when you're you know you can't just implement those methods in the animal based class you leave that up the subclasses so when you have like a cat animal or a bird animal that's what you define how those camels those types of animals those so facets of animals would actually move around and stuff so the difficulty without earlier time isn't always good to know you know what's happening when you're dealing with let's
say you're calling the mood method awesome pointer to an animal object in your code shows an animal object doesn't know which method to call you know which implementation of the method call because it doesn't know what type of animal you're dealing with actually so are those it hides a pointer inside here inside the instituted object in memory and that pointer points to what's called a key table change for the virtual method table and the be table contains function pointers to those to the correct implementation so all cat objects will say are going to share this indie table second point is to attack specific implementations of the movements in these methods and the same for all other objects are all gonna
every bird objects pointer at the start of its memory to birdie tables I mean the Britney table contains the winners to you know the correct bird specific methods so still okay why don't we care about this well one of the reasons is leave a trace because he you know where certain objects might be research versus engineering life so I know time I had an ADC five-30 a typical response to player object so now as soon as I see this trace I can kind of put it into context a little bit I can say oh I get it I see here it's uh we're dealing you know this this was a pointer to a player object i metric so
he'll she make a little bit of sense of you know what you're looking at more familiar with a super binary most intentionally maybe you just know where where you know what's a virtual object and what's not with some other kind of data structure and from maybe kind of get you know clever to use other types of clues based on your behave without used to try other or whatever reverse engineering so for example if you let's say you're playing a game about go to with 32 players or loaded into your knife and then you do a memory scan for this value of a the ADC five-30 which is the point to the detail for a player of it you'll get exactly 32
bits of memory so that way not necessarily always you know it'd be true for all different kinds of objects there might not always be a one-to-one correspondence between the number of you know those objects in the number of that value number of times that value comes up a memory but sometimes things like that the weight does the adaptation of the tables is it looks at the age protections or you know the potential be table so whatever this is pointing to it looks at you know what's the big protection here and then whatever this is pointing to it looks at what's the you know paid attention here so V tables are going to be in read-only memory so
if if whatever's at the start of the you know some value in our sequence thanks to read only memory like okay we might have a it was my baby table so then we take a look at where this is one segment this points into X cube elaborate it's pretty good indication that we need to come across the feed table because obviously our virtual methods and executable memory so it was kind of judge based on whether or not to look beyond the detail pointer I set up perfect heuristic but I've never seen a false positive or negative with this technique so it seems to work fairly fairly well fairly heavily so house performs this thing you've seen it in action it's not
exactly fast it might spell garbage before it gets to the you know the correct answer but it's with us the Midland crystalline and it's also that's a little more accurate than cheat engine this pointer scanner it's kind of funny because I was setting out to make this tool at first I want to check and see if son hadn't already done this work out you know I don't want to spend all this time doing something that's already been been done in one implementation this already exists okay well I'm gonna start doing this hopefully I'll discover this once I've done this better than me about halfway through coding it I realized that Sheen Engine which is a
program that I've used before not used a bunch actually contains a feature I didn't I hadn't known about bulk pointer scanner weights dinner attempts to cheat the exact same thing that my tool does which is just came from a predictable you know location of memory down to and unpredictable you know location of memory you know where this or whatever maybe you're interested in it is hi Vinnie but she's the point scanner does that actually in the complete opposite way that my tool though so my tool works its way up a report and instruction change so it observes the execution memory and then it's way up to go from the madness that you're interested in that's their static
address and Jesus points can actually works its way down by forcing all the potential point chains that possibly exist so it starts by looking at all of the the values that are contained in static memory and then just starts with reporting pointer chains through you know some configurable level so it might jump down you know five levels of the referencing and each time try you know doing offsets of up to 2048 or something like that so it's going to do a lot of reporting and hopefully one of those tunes is going to actually you know by chance and up pointing to the address that you're interested in so it's conscious approach found in my experience that the tool that I wrote
luckily for me is faster and more accurate than the pointer scanner I don't know maybe it's just my own attitude when it comes to using this particular feature I haven't used it too much admittedly but in my experience the pointer scanner takes forever you know except you know a ton of I think it use of memory and I don't know it's just really performance intensive takes a long time and it's not that accurate for relaxing do they ever do any useful results so so this stuff I want to make this better to support for 64-bit applications right now the only necessary to bid so not super useful for the real world like a bet no also support for a position
independent code that's going to be good one that had you know assessing we're looking at modern games modern applications and they're just so fancy command-line artists like I want you to be able to save your opera to file you know configure verbosity do other configuration values like maybe the maximum number of instructions to store at a time so if you score less instructions at a time that you know how quickly the tool is running like you might also kind of chop off you know the top of your your sequence you might you know not keep track of instructors that you need to track oh thanks so those sorts of things yeah testimonials kind of jokes like I had no idea that this
happened I just tagged my tool tip hub as using capstone and then I guess the guy who wrote pepsin and found it read about it which school also had like ten followers on github which possibly surprised bad for you let's go at the end questions
oh yeah definitely no question about let me go back so make sure I understand you're asking like does let's say this value here like this this address here continue this no opportunity so that's a good question so here's a value value column this is the value that is currently in ESI and then it does the the B table identification starting with this value but one two six nine and it finds that the value that's at this address and interpret you know the value in ESI is an address this is the value that's in that's currently located for this memory address which my school kids probably so ya know there's a direct 1:1 correspondence where if there's a
there's a value in the detail column it's because that is the value like the value would pass the address and the value column appears to be does that answer your question exactly yeah so so it failed that check oh you know because it look like doesn't have a say memory productions of the table kind of point to chain so that's a really expression you can see actually that most of the most of the objects most of the data structures traversed in this sequence we're virtual objects digitally you come across some that aren't virtual like I don't know whatever whatever's here is not virtual object yeah same with this we would probably not expect our you know coordinates in memory to be
a virtual object they might be you know I mean they are inside the virtual object but obviously you know the float value negative 254 is not Hwang's would be tabled so it left that like that question actually yeah yeah yeah so I think this book talks a little bit about when you're scanning yeah one of the things I actually already thought about was Nick Hannah all through the game happy book is bright in the memory scanner and C++ I thought this would be a good feature I haven't like reached out to them or anything like that but yeah becos like get up so anybody use it and when could I need to integrate it into the existing
tools new existing more fully featured tools that data starts as their present relationship even like they're calling you can say okay this looks like a linked list and you know typically this long versus a doubly linked list writing just kind of rock so are there tools out there that do that have you seen something that actually so the member of the memory scanner that Nakano is writing and give up the reading says it will attempt to determine list doctors and stuff like that yes sir I haven't used it but yeah let's see what I've seen it does that which I'm you know that's awesome functionality so the order doesn't matter you do need to have
you know you're gonna have a game running before you you know entering the process and you know the obvious from the game that you're interested in this actually might be ordered once you start the tools and just need to have the game running as soon as you enter in you know the prospect outraged at that point the tool will attach itself as to your target process and start doing its work
where does that somehow so alpha 2 doesn't do any sort of debugging detection or meditation like that so luckily I haven't had to do it here around that I know like I said a lot of modern use do that I guess that would be up to you whoever wants to use the tool to find a workaround for that but I just on the right side there's a lot of people who are gonna try to do that stuff out just so they can use like a regular debugger and you can figure out how do you get a regular department department working with a particular application does a lot and one thing you want to watch out for is if you try and
do something like this wouldn't give as an Tai Chi like BAC specifically if you even have installed
yeah so I've never worked like a battle pin so another you had to come across that book yeah that's good to know yeah yeah I guess it kind of depends it's like you know usually where I guess yeah
you know an oligo ideas compact like a pack that's doodle sawfish this is just if the instructions execute like it's gonna write record them to be able to analyze them so maybe some sort of like obfuscation instruction level would throughout caps on for you but ex deployment or capsule if you play through nine delay analysis logic bill
[Music]
Related talks
49:29
55:21
28:47
47:05
51:46
20:46