
Introductory Reverse Engineering via Flash Game

BSides Hong Kong · 2025 · 47:04 · 58 views · Published 2025-06
Speakers: Byron Wai, Jackson
Category: Technical · Difficulty: Intro · Style: Talk
About this talk
Byron Wai and Jackson introduce reverse engineering concepts through the analysis of classic Flash games. The talk covers static and dynamic analysis techniques, demonstrating how to identify game variables, understand game logic, and modify game behavior using tools like Cheat Engine. Attendees learn practical reverse-engineering skills applied to a real game example.
Transcript [en]

So I guess most of you have finished your lunch already, right? Actually I love cosplay a lot, because you can find a lot of good stuff here. Just let me adjust my mic. Okay. So today I'm going to talk about an introduction to reverse engineering via a Flash game. The talk was written by me and my colleague Jackson. You have seen Jackson today, right? If you don't know him, then you have missed a very good talk today. Okay. And for my introduction: who am I? I am a member of Black Bauhinia, one of the founding members of US 500, and a member of blah blah. You can visit it. And my colleague Jackson is over at the back, or you can call him Low.

And an advertisement: on Saturday we are going to have a CTF hosted by Black Bauhinia (B6A). So you guys are welcome to join our CTF and have a taste of what a CTF is. Yes, all our teammates from Black Bauhinia are at the back of the site. I hope you enjoy the CTF game, if you are going to join it on Saturday.

So first of all, Flash. Flash is a very, very old protocol, right? Very, very old stuff from the very beginning. Why do I and my colleague want to crack some Flash game? Because we have a very good old game. If you know what this production in Flash is, then you are probably very old, very senior, I would say. You see, when I go to asia.com, Asia DOS, do you guys know what Asia DOS is? No? Yes? Some of you say no. Actually it is a website that is a compilation of all the old Flash games, and you see the advertisement here, right? If you know what DOS is, then you should be senior enough, yes, as suggested by the app. Okay.

So if you want to take a picture: it is a very, very old game, but I would say, hey, they had a lot of good games in the old days. It's Flash. Yes, is that in 2020? Why is that? It's because it is not designed for security reasons. It's just like a media format. So why am I going to crack Flash? It's because Flash games have some very good properties, or unique properties, that other games don't have. It is very simple. Most of the Flash games on the web are just a few, 10 to 20, megabytes. So you can finish the game; it's very simple. You can reverse all the stuff; you can finish the whole game in 2 or 3 hours. And because they are already old games, there are a lot of game walkthroughs available on the web. So if you are not sure whether the steps you're doing are correct or not, or the data has some mismatch, you can always go to the game walkthrough and see if you're on the right track. What's more, Flash is using ActionScript. I will explain this part later. Most of the ActionScript is written in plain text, which means you can just open it up and see the code. You don't have to do a lot of compilation.

One more thing. We have a reversing workshop on Friday hosted by Boris. Is Boris here? Boris is at the back. So if you feel interested in reversing, you are probably also interested in joining Boris's workshop tomorrow for C++ reversing.

So for game reversing, I mean general reverse engineering, there are some points you have to know. Static analysis: what is static analysis? You are just dissecting the code, opening the code up, trying to understand what the logic behind it is, just like you are doing a normal reverse, right, code reading. But most of the time when you do static analysis the source code is not provided directly; you have to review the source code in a special way. Like for C++ you have to decompile it, but for ActionScript it's good, you can just open it up. For that, oh, let me ask: how many of you have experience in reverse engineering? I guess only a few, right? If you are not in the offensive field or the CTF field, you probably don't need this kind of skill in your life. But yes, if you know some of the concepts, you'll be likely to know why the others can hack the game, or why they can know something that I don't know, like in games like Pokémon TCG, why they know exactly which stage will release the new pack; they do it this way.

And for dynamic analysis it's a different story. In static analysis you don't have to open the game, I mean you don't have to execute the game; you just open it up like a text file, right? But for dynamic analysis you have to run it. For the general case you have to set breakpoints and see how the addresses or variables change during the execution. And one more thing: sometimes, especially for games, if you do game reversing you must have the save file somewhere, right? So how can we modify the files? For game reverse engineering it may not be a save file, but sometimes the program will write some stuff into your storage. So how can we modify this? How can we modify those files? It kind of sucks. It's very painful if you don't understand the basic knowledge of reverse engineering. So reverse engineering has a very steep learning curve. So I hope in these 45 minutes we'll try to do it as simple as possible, and actually you can follow us. I have prepared some materials. Yes.

In real life, what is AVA? You have a lot of knowledge to learn, for symbolic execution for example. I don't think a lot of people know symbolic execution, right? And hey, that's why learning reverse engineering is quite a torture.

Okay, so the next step: what is an SWF file? SWF file; you know Flash, right? So the files that Flash will run are called SWF. So SWF has a file structure like this: you can see the header, and following the header there will be tags, and one plus point is that if one tag is corrupted, the Flash player will know which is the next starting tag, so it will jump to the next tag and try to continue execution. So even when a tag is corrupted, the file will be good to go. Yes. But SWF itself is actually a media file. Like if you go to the media player, it is just a compilation, a file that contains how the objects in the file move: what is the starting location, how far it should move. So where is the logic-handling part? So you'll find that, hey, in the SWF header there is nothing related to the logic part, and by reviewing its manual you will see that, starting from SWF version 9, there is a tag, DoABC. So the DoABC tag allows ActionScript 3.0, which is AS3, to run.

So if you want to dissect the game, see its game logic, how each button is correlated with the others, you probably have to find out all the logic in the DoABC tag. For the Flash player: actually the Flash player itself, as I've just mentioned before, is a media file. So for the logic part, how is it going to execute it? In Flash Player 9, starting from that, there is an AVM. So what's AVM? It is the ActionScript VM. It's a runtime which allows the DoABC tag's logic to be executed. And if you want to know more about the SWF stuff, you can go to the standard part.

And how about SWF? As I mentioned, the SWF file itself contains the ActionScript logic, which is called ABC. But in real life you won't see this part, the ABC parser. For interpreted languages, which you can open up directly, it is not compiled; it will be put into a JIT compiler, a just-in-time compiler, and translated into bytecode while the file is running. So you already know the basic structure of AVM. So you should probably write your own interpreter. Now it's that easy, right? I'm just kidding.

One more thing about the SWF file. The SWF file is handling every piece of stuff in frames. So you can see that when you open it up through some weird tools, or special tools, every frame can be extracted one by one. So for the game, it is adding the logic in every frame, just like in a PowerPoint, if you want. Okay.

So I've mentioned it: actually this is the game that we want to reverse. It's a Jin Yong production, and probably there are some guys who don't know Chinese. So I made a translation: Heroes of Jin Yong 2. But if you try to find these words on the web you probably won't find it. You should try to find the Chinese words. Okay. And why are we going to hack this game? Because one, we are very familiar with it. Second, you are not intended to have all the abilities and items through a single game. There are some abilities, which we call the attack moves, that contradict each other, like if you learn move A, you can't learn move B. Then how can we have a single save that learns all the stuff? This is the achievement that we want to make, instead of just finishing the game or finishing the course.

So in this game we have... just a minute before I go to the introduction. You can scan the QR code if you want. The QR code contains the game and the tools we have. So if you're interested you can go back home and try to play with it. But if you have a computer today, you can join the slides and have the slides walk through with us. Okay. So I guess, if you're interested, you have scanned it already, right? Good. Then we have an introduction of the game interface first. So for every game you have to create a player, a character. So there are different abilities that the gamer, or the player, will have, and all these numbers are randomized, and I name it the initialization part: how you initiate the character, and how these abilities and the attribute points are set. So once you start the game, you enter the game, you can see what your character looks like, and the attribute points your character has. For example, in this case, we will see that, hey, this means that you are better at using the sword. Okay? And this one means you are probably better at hitting others using your fist. And there are some attack moves that you can learn, but at the very start of the game you don't have any moves. And exotic items, which help you to increase your abilities, and equipment. I will skip this part.

So once you have familiarized yourself with the game and the basic interface, we can start to dissect it. So what is static analysis? Let me go a bit deeper. Static analysis examines a game program's code or binary without executing it, just like opening it up. Okay. So our aim is to understand the software's structure, logic and potential behavior, like how your character will behave and how the events occur, or every function, how the functions should be called.

So we have three techniques here. The first thing is we can disassemble. I mean for assembly code, this is like C++ or a compiled language. So you have to disassemble the binaries into assembly code first. Or not, I shouldn't put it this way. Let me see how I should... Okay, I should put it this way: assembly code is the language that you are actually trying to execute, right? It is the basic structure of a program. So you are trying to disassemble the binaries, and then we do the decompilation, like in real life you're trying to translate the assembly language, the assembly code, into something you can read, the high-level language or pseudo-C code. And then by analyzing the pseudo-C code you can analyze the control flow, data flow and dependencies. This is a basic understanding of how compiled languages and interpreted languages work. So an interpreted language is something like, hey, you don't have to compile; what you type can be executed directly. So for this one we have the virtual machine here. And for compiled languages, let's see: first, you don't have a runtime; you can just compile into machine code and it is ready to run. So which one is easier to read? It must be the interpreted language, right? You don't have the step of compilation translating into machine code directly. So for interpreted languages you can start from... you don't have this part of compiling. Okay.

So if you really want to try to open the files, this is how it looks. So do you think anyone will know how to read this? You know, yeah, because there are some words, right, some readable characters, but actually it is very hard for normal humans to read. So that's why Notepad++, or using Notepad, is not a proper way to open some executables. So how can you read it? For reading it we have to understand how the SWF file is parsed. Although we know that it is already an interpreted language in plain text, without the parser we are not sure which tag is which, or what every variable is. So I have found that the official document does not have any parser; I mean GitHub does not have an official parser available. It just has a specification. So the parser I provided here is an unofficial implementation of it. But hey, what I'm trying to show is that there is someone who has already written a parser.

So how are we going to run the SWF file? You can still find some Flash players available on the web, although the official site is already gone, but for me I will use this one, Flash Player 32 SA, and you have the runtime with it. So how can we do the static analysis? I, I mean I and my colleagues, use this one, the JPEXS decompiler. This is a good component. You can use this for nearly every Flash file you have.

Okay. So if you wonder how this game is played, or you have no idea what is going on in this game: actually, before I came here to deliver this talk, I tried to walk through this whole part, how the game reverse works, with some secondary school students, but they didn't know how to get out of some places. That's why it may be a bit hard to know what this game is about, so you may have to take a look at the walkthrough before you play. Okay, this is the JPEXS decompiler. So you see that, hey, we have some different sections here. This is the SWF. You can play with it if you have the runtime. And this part is the structure, like a tree structure, right? We can open any artifact in it, like how the logic is, and they have many media files in it.

So we have the runtime. Now we have the tools for us to view the source code. What is the next step? The next step is, hey, what does this code mean? Okay. Sometimes, for real-life cases, they will try to obfuscate the code, so you cannot get the meaning of the code directly. Okay. First of all we know the relationship, and second how the attributes affect the game. So, hey, you can see the initialization part, right? There are a lot of numbers here. How each number is affected, and how they affect things like the defense or the attack moves, how they are related. And what's more, there are some special skills in the game that you probably need a bit of skill or a bit of luck to get, in which part this skill is given or available. So this is the aim we want to have. Like, you already know where the boss is, where the item is, then you can just go there directly and get the item. You don't have to deal with the boss. You don't have to fight the boss. Okay.

So afterwards I'm going to talk about how this game works and how this tool is used. So before we start, as I mentioned earlier, for the old games you have a lot of walkthroughs, right? There is one walkthrough that's very important: how all the variables are stored. So with this list I can directly go to the source code and Ctrl+F, do a direct search. Hey, what does this one... let me check. Oh yes, this one, like ML, what is S_M? What does this mean? This means your HP, how much HP you have left. So I don't have to read every piece of source code and try to figure out all the relationships. I can just have a hack and try to get the value. And what's more, actually, when we tried to compare our results with the walkthrough on the web, we found that there's something wrong, actually, especially in the experience calculation part.

So we're going to pick an attack move and try to understand it. So if, yeah, some of you have played with it... I don't think anyone has played with it, but it's very short. But hey, if you want to go back home and try to do your own analysis you can follow all my steps here. I think the steps are adequate to have a default. We choose 18 dragon sub..., which is in Chinese. Why we are choosing this skill is because the calculation of this part, this move, has a very special... how should I say? Okay, let me put it this way. In every game there is a number that determines the cleverness of your character, like how fast you can learn the move, right? And what's special is: the more stupid you are, the faster you can learn this move. Okay.

So we're trying to dissect, hey, how this calculation is made, where the calculation is, can we change it. So for this there are two variables that will affect your attack. How should I say: for every attack move there are two variables related to it. What is the level? Oh, if you know gaming then you know this set, right? So this makes it much easier to dissect the game: the level and experience. This is what every game has, right? How well you master the skill. Okay. And when we find it, we found that the max level of one move is ten, and experience is how often you use the skill. And because we are too lazy I don't put the formula here; you have to find it yourself. But yes, most likely, if your cleverness is below 50 you'll have a boost in the experience. Okay.

So how do we know this? Where is this move? In frame 55, the initialization. This is where you create your character. In frame 55 you will see this screen. When I press this button, this logic is run once again. So at first they will disable all your skills; you don't have any attack move available. And you will also see, actually, it will also determine all your attribute points. And when you go deeper in frame 355, we will also see that there are some very weird variables. But actually, if we have the hack already, then we know what it is. But in your real case, if you try to dissect a game that you have never met, then these variables seem like aliens to you. You have no idea what this is unless you try to examine all the stuff or do dynamic analysis.

So how can we deal with the unknown variables? The best is to read the manual, right? There are some guys who prepared all the stuff for you. Then you can read it directly. You don't have to do it yourself. But if you are that unlucky, you have to do it yourself. How can we do it? First, we do static analysis. We try to find out all the possible code that you have and how these variables are affecting each other, which is a torture, right? Because you have to do it bit by bit. You have to read every piece of source code. And do we have a hack? Yes, we can have a hack. We can use dynamic analysis. We can lock our scope to just one variable and observe how this variable changes throughout the game, or throughout the execution. This is what we call dynamic analysis, like setting breakpoints, that kind of stuff. And speaking of game hacking, so you already know that, hey, this is the initialization part, right? How can I make the game easier?

I can recompile the SWF game so that I can have all the skills maxed when the game starts, or we can do variable changes during the execution. And of course, we have the hack. We have the cheat sheet, right? That way you can just refer to the cheat sheet; I don't have to do any more stuff. Okay. So through the initialization part you can see that every game move is here, right? So what I'm targeting is... I forgot the name. I really forgot the name. The 18 dragon stuff comes; then I will try to lock on, I will try to put my sight on the experience and the level, and with a very deep search I can find that, hey, there is a frame, frame 1055, where they change the level of this move from zero to one. What does it mean? It means that this skill is available to you. You can play with this skill. You can use the skill. And once this move is initialized, or given to the player, it will reset the experience to zero. Okay. So what does that mean? For static analysis you can just view the source code; you can't make any change throughout the game. So this will help us: for the execution I already know this frame, or I already know the place where I will get the skill, so I can just place a jump to frame 10557 and I can get the skill. Okay, so the more understanding you have, the quicker you can achieve the full achievement of this game, which is like the PlayStation, right, the platinum achievement. Okay.

So this is another part I want to talk about. Oh, let me see if I'm going to have a good photo. Oh no, oh yes, okay. This photo is from a website, but it is an illustration of the game. So when you're trying to launch an attack move, you have to choose the attack move here, and there is a cooldown here. Okay, what does the cooldown mean? It means that you can't use your move very fast. Once you play the attack move, you have to wait, and this tile means the CD, how much you have to wait, and it is like a five-second cycle. Okay, the maximum should be five: 0, 1, 2, 3, 4, which is 5 seconds. So there are some moves that you can play when the gauge reaches two. There are some moves that you must wait for the gauge to be full. So what does it mean? When this game is played you will know that, hey, I have to wait a lot of time to launch this attack move. And the damage equation. What is damage? Okay. So when you play the game you are probably not that aware of the attack it makes, but for some hardcore players, I have to do exact calculations of how many moves I have to play to finish the course; then you have to know this kind of formula. Okay, so I see that damage equals this one: the basic damage, 155 at level one, plus a random strength, the attribute strength, and the conjunct, which is a punch, times the level. So you see that, hey, when you reach level one it is a 150 basic damage, and with some plus you can calculate this part, and when you go to level two it is 240 and times two, which means your attack move is not increased in a linear way. Is it in a linear way? More than linear. Yes. So there are some exercises left for you. Both of the skills are much more powerful at level 10. Why is this? It's because the attack formula changes. So you can try to examine how it changes and why it is the most powerful at level 10.

And what's more, are there indications of the attributes? Like, are they capped at 100 or capped at 300? You can try to analyze the code and see. The hint is: most of the attributes are capped at 100, but some of them are capped at 300. By doing analysis you can try to deal with it, play with it. But I remember that you can actually do some hack; it is not limited to 300, although there is a logic that would revert your attribute points to 300. But as I said before, the SWF file stores it in a variable defined as an int4. So actually the int4 should be the limit of the attribute.

So the second part: there are some special moves that we want to learn. So how special are they? Some of the moves are dependent on each other. Some of them need some luck to play with, like you're trying to do a 1d3 roll. And some of the skills are mutually exclusive. So basically you can choose only one of two of them, like this one. Let me put it in the Chinese way. But some of them are very strong moves which require some luck to learn. What the luck means is they will try to roll a random number, 0, 1, 2, and only if you have two, or I forgot, or only if you have zero, then you can get the skill. We can show the examples later. And so if you don't know about this part you can't understand why others, in the walkthrough, will tell you: hey, before you get here, before you get this book, you probably want to save your file first, otherwise you can't go back. Yes, this is what we call save life. If you enjoy the game a lot... And there is a very unique move, only if your fun reaches level five. So we are trying to examine this one. Why are we going to examine this part? Because this is the only move that requires a random number. Yes. And when we go to the W... I expect you know Chinese, right? Do I need to... actually I don't know the English. You have to click the mouse 100 times and then you can get it by chance. So it's very ridiculous. So you can see that; that's why you have to do a save. And we can do code analysis once again to make sure how we can get it, or how this random logic is made. Okay.

So as I mentioned before, what is called the attack move. So we can see that, hey, we have some part which is a different category, not attack, but the experience of this one, on the left of this one, you know that this is a tangle. Okay, this is called Ba, and Ba, as I mentioned before, you have to reach level five to master this move. So this is the logic, right? When you learn this move more than five times, learn this skill more than five times, I should put it this way: when you have five master points of this escort technique, you will turn it into 10. Okay. And you can see here, right? When you are going into the game, you have to click 100 times with the mouse. Okay. You will see that here: this random value == 0. What does it mean? You are trying to do a random move, throw a dice and see the random number 0, 1, 2, right? So there is 60%, 66%, two thirds of a chance that you can get the skill, but one third of a chance you will lose. That's why you have to do the save. Okay, this is all by chance, and there is one more criterion: if you haven't learned this move then this move will be learned; otherwise you'll just, like, no way, learn this... it is different, fail or success just depending on luck. This is the success part. You can see, right? You can learn this skill, learn this escort technique, and learn this attack move. And if you fail, it is frame 2478, and when you play this it will go to 24x0. This is the last screen: you don't get the skill. So it's a nightmare because it has a very high chance to lose. Very high chance, 60%, 30% to lose. So that's why I have to remember that I have to make a save whenever I enter this scene, otherwise I have to replay the game from the very beginning, which is very costly, especially when you don't have any skill in save editing and dynamic analysis. Very costly, yes. When I was a primary school student I was playing this one, so probably you know how old I am. Right. Okay.

And I have talked about one very special move, and here's your turn. There are some more escort techniques, like Dual-Hand Combat. Dual-Hand Combat is a very special move of this game. The specialty of it is you can make two attack moves at the same time, which is doubling your attack points. Okay. And where it is, and how it affects the game, and how the cleverness affects the speed of mastering one skill. Okay.

The last part we have is the dynamic analysis. Probably I'm not going to talk about the save editing today, because I will be here on both Friday and Saturday. So if you want to play with it and have questions, you can come to me and I'll explain to you, if I know how to help. Okay. Dynamic analysis involves examining a program while it is running to observe its behavior. So in real life we will have a response where we observe how the functions are executed. We will have flow tracing, and try to force some weird condition and see: hey, I should be executed in path A, how can I make the program execute in path B, this kind of stuff. So for dynamic analysis we can know how the software interacts with its environment and how the game behaves. How do we do it? We will do process memory scanning, we will do memory editing, we will do port scanning, we can do code injection, if you know how to change the code in real time.

Which boils down to this: Cheat Engine is a very good tool which allows you to hook your game and find which variable belongs to which address, and you can change the value at that address, or how should I say, change the value of the variable which belongs to that address. And you'll probably see it flagged as malware, but actually it's not. But Cheat Engine is doing very low-level stuff, so it may be flagged by your antivirus. And another point is it has a lot of, not malware, but advertisements bundled with this software. That's why, actually, I'm not going to talk about Cheat Engine today. But as a PoC I'm going to say, hey, I'm trying to find out which variables, variables like the life, your HP, which address it belongs to, where it is. Okay. So what I do is: for the first part, before I've been attacked my HP was 67. Okay. So I pick 67, and then there should be lots of variables here, and then I can make a second check. My life decreased to 34 now. So I can make a second check with 34. So I found an address, 19b8 blah blah blah, which represents your life. If I find a way to lock my HP, lock this value here, which is this address, then I can have infinite HP, right? Yes, but Cheat Engine has a... this is not the fault of Cheat Engine, but if you close this game and execute it once again your address changes. Do you know why? This is an exercise left for you. You probably noticed, hey, the address has changed because of the protection mechanism. The OS doesn't want you to know the exact location every time the game starts. That's why it will have some randomization on it. So that's why when you kill the game, start the game, hook it, it's changed.

So this is dynamic. It is not static. Okay. So for the game that I wanted to teach some junior or secondary school students, I had to find a way to make things easier. Okay. So I chose this one. I did a lot of Googling and found it: Flash Game Master 3.3, which is a discontinued project. Okay. But it has a lot of advantages: it is portable, it does not trigger antivirus, it has a built-in runtime. So whenever I do some search, I don't have to find a way to lock the address. Okay. And if you already know Cheat Engine then it will be even easier for you to learn this one. Okay. I have just... I've overrun a bit so I will be quick. Okay. So how do I do the search? Open the panel, and then, hey, my life now is 8x29. So I can try to find 8x29, and, huh, I can lock it to 999. Okay, which is... I should put it this way: this is how we can change the variable, change the memory, and lock some values. And then, hey, whenever they attack me, my points, some of my MP doesn't change, my HP does not change.

And the following are just other techniques to do some search, like, hey, if I already know the variable name, then I can put the name in the column and do a direct search. And frame jumping is the most exciting part, I would say, because, as I mentioned before, Flash is just like a PowerPoint. So if I can jump to the corresponding frame, I can execute the logic of that frame directly. So I don't have to play the game. I can just jump, jump, and then jump back to frame 56 and start the whole game. Then I can have all the skills, all the moves, just like a boss, right? And finish the game. And, hey, I already know that frame 628 is for your Dual-Hand Combat. Why do I know? Because you did the static analysis. So I'm not going to demonstrate it, but before and after you can see, hey, my attack nearly doubled. Okay. So how can we do the special thing? Sometimes for reverse engineering you may not do reverse engineering fully; you may have to do static and dynamic analysis at the same time, so as to soften your reverse process, blah blah blah. You can just put the save file here and then you can edit it. Okay, so this is the easiest part; I'm not going to talk about it.

So I hope that you have learned something today, from JavaScript, not JavaScript, from reverse engineering. And if you already know: hey, static analysis, you can examine the code; dynamic analysis, hey, based on my static analysis findings I can change the variable in real time during the game. Then I hope you can be more interested in the world of reverse engineering, and if you are interested in it, please attend Boris's talk tomorrow, which is the PM session, right? PM session, yes. So it will be a good talk for C++ reverse engineering, x86, also limit... yeah, also limit is hard? No, I don't know. I'm better at x86, just, yeah. Okay, so thank you for listening, and one more: just let me make an advertisement. Our CTF team has some newsletters for you, so, yes, at the back like this one. So if you are interested in our CTF team you can take one and approach us and the team at the back to know more about CTF.
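The SWF layout the speaker walks through (header, then a list of length-prefixed tags the player can skip over, with the AS3 bytecode living in DoABC tags from SWF version 9 on) is small enough to parse by hand. The following is an added example written for this page; it is not the talk's material, the parser the speaker linked, or JPEXS code. It builds a constructed, uncompressed (FWS) sample with three frames, one DoABC tag and one unknown tag code, then walks the tag list and reports where the ABC blob sits. Tag codes and header fields follow the public SWF specification; the ABC payload is a 16-byte stub with only the real ABC version header (minor 16, major 46), not real bytecode, and the `frame1` name and the 1000 tag code are assumptions for the sample.

```python
"""Minimal SWF tag walker (added example; not the talk's code or any tool it names)."""
import struct
import zlib

TAG_END, TAG_SHOW_FRAME, TAG_DOABC = 0, 1, 82
TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 69: "FileAttributes", 82: "DoABC"}


def encode_tag(code: int, body: bytes) -> bytes:
    """RECORDHEADER: uint16 = 10-bit tag code << 6 | 6-bit length; 0x3F means a uint32 length follows."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


def encode_doabc(name: str, abc: bytes, lazy: bool = True) -> bytes:
    """DoABC body: uint32 flags (bit 0 = lazy initialize), NUL-terminated name, then the ABC data."""
    return struct.pack("<I", 1 if lazy else 0) + name.encode() + b"\x00" + abc


def build_swf(tags: list, version: int = 10, compress: bool = False) -> bytes:
    """Assemble FWS/CWS: signature, version, uint32 uncompressed length, RECT, frame rate, frame count, tags."""
    frame_count = sum(1 for t in tags if struct.unpack_from("<H", t)[0] >> 6 == TAG_SHOW_FRAME)
    rect = b"\x00"                      # RECT with Nbits = 0: five bits, padded to one byte
    rate = struct.pack("<H", 24 << 8)   # 24.0 fps in 8.8 fixed point
    body = rect + rate + struct.pack("<H", frame_count) + b"".join(tags)
    header = (b"CWS" if compress else b"FWS") + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


def parse_swf(data: bytes) -> dict:
    """Walk the tag list; return header fields, the tag sequence, and one record per DoABC tag."""
    sig, version = data[:3], data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        raise ValueError(f"unsupported signature {sig!r} (LZMA 'ZWS' not handled here)")
    if 8 + len(body) != declared_len:
        raise ValueError("header FileLength does not match the uncompressed body")
    nbits = body[0] >> 3                       # RECT: 5-bit Nbits, then four Nbits-wide fields
    pos = (5 + 4 * nbits + 7) // 8
    frame_rate = struct.unpack_from("<H", body, pos)[0] / 256
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    pos += 4

    tags, abcs, frames_seen = [], [], 0
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_len >> 6, code_len & 0x3F
        pos += 2
        if length == 0x3F:
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tag_body = body[pos:pos + length]
        pos += length                           # the length field is what lets a reader step past tags it does not know
        tags.append(TAG_NAMES.get(code, f"Unknown({code})"))
        if code == TAG_SHOW_FRAME:
            frames_seen += 1
        elif code == TAG_DOABC:
            flags = struct.unpack_from("<I", tag_body)[0]
            name_end = tag_body.index(b"\x00", 4)
            abc = tag_body[name_end + 1:]
            minor, major = struct.unpack_from("<HH", abc)   # every ABC file opens with minor_version, major_version
            abcs.append({"name": tag_body[4:name_end].decode(), "lazy": bool(flags & 1),
                         "frame": frames_seen + 1, "abc_version": (major, minor), "abc_size": len(abc)})
        if code == TAG_END:
            break
    return {"signature": sig.decode(), "version": version, "frame_rate": frame_rate,
            "frame_count": frame_count, "tags": tags, "doabc": abcs}


# Constructed sample: AS3 code attached to frame 1, three frames, and a tag code no player knows.
ABC_STUB = struct.pack("<HH", 16, 46) + b"\x00" * 12   # version header only; not real bytecode
SAMPLE_TAGS = [
    encode_tag(69, b"\x08\x00\x00\x00"),                 # FileAttributes with the ActionScript3 bit set
    encode_tag(9, b"\xff\xff\xff"),                      # SetBackgroundColor (white)
    encode_tag(TAG_DOABC, encode_doabc("frame1", ABC_STUB)),
    encode_tag(TAG_SHOW_FRAME, b""),
    encode_tag(1000, b"\xde\xad" * 40),                  # 80-byte unknown tag: exercises the long-length form
    encode_tag(TAG_SHOW_FRAME, b""),
    encode_tag(TAG_SHOW_FRAME, b""),
    encode_tag(TAG_END, b""),
]
SAMPLE_SWF = build_swf(SAMPLE_TAGS)
SAMPLE_CWS = build_swf(SAMPLE_TAGS, compress=True)

if __name__ == "__main__":
    info = parse_swf(SAMPLE_SWF)
    print(info["tags"])
    for entry in info["doabc"]:
        print(entry)
```

Point `parse_swf` at a real file and the `doabc` list tells you which frames carry ActionScript before you open anything in a decompiler; the unknown tag in the sample shows why a corrupted or unfamiliar tag does not stop the walk, exactly as the speaker describes. Most real games on the web are CWS (zlib) or ZWS (LZMA); the ZWS case is deliberately left unhandled.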
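The HP hunt the speaker does in Cheat Engine (scan for 67, take damage, rescan for 34, keep the survivors) is a value-narrowing search over process memory. The block below is an added example written for this page, not Cheat Engine code and not from the talk: a process snapshot is modelled as a bytes buffer, every 4-byte-aligned little-endian int32 slot is a candidate, and each further (snapshot, observed value) pair filters the candidate list the way repeated "Next Scan" does. The snapshots are constructed with decoys, including one that coincidentally follows the first change, to show why one rescan is sometimes not enough; the offsets are relative to the buffer, which is the point the speaker makes about ASLR moving the absolute address between runs.

```python
"""Value-narrowing memory scan (added example; not from the talk and not Cheat Engine's code)."""
import struct

INT32 = struct.Struct("<i")


def scan_value(snapshot: bytes, value: int, candidates=None, width: int = 4):
    """Offsets whose aligned int32 slot equals `value`; restrict to `candidates` when given."""
    if candidates is None:
        candidates = range(0, len(snapshot) - width + 1, width)
    return [off for off in candidates if INT32.unpack_from(snapshot, off)[0] == value]


def narrow(observations):
    """Apply successive (snapshot, value seen on screen) pairs, like First Scan then Next Scan."""
    hits = None
    for snapshot, value in observations:
        hits = scan_value(snapshot, value, hits)
    return hits


def patch_value(snapshot: bytes, offset: int, value: int) -> bytes:
    """Write a new int32 at `offset` (what 'lock to 999' does, minus the re-write loop)."""
    buf = bytearray(snapshot)
    INT32.pack_into(buf, offset, value)
    return bytes(buf)


def make_snapshot(values):
    return b"".join(INT32.pack(v) for v in values)


# Constructed snapshots. The real HP lives in slot 5 (offset 20). Slots 1 and 9 hold 67 as decoys,
# and slot 9 also drops to 34 on the first hit, so a second damage event is needed to isolate HP.
BEFORE_HIT = make_snapshot([0, 67, 12, 100, 5, 67, 0, 3, 9, 67, 50])
AFTER_HIT1 = make_snapshot([0, 67, 12, 100, 5, 34, 0, 3, 9, 34, 50])
AFTER_HIT2 = make_snapshot([0, 67, 12, 100, 5, 10, 0, 3, 9, 34, 50])


def find_hp_offset():
    """Narrow with the values the player actually saw: 67, then 34, then 10."""
    return narrow([(BEFORE_HIT, 67), (AFTER_HIT1, 34), (AFTER_HIT2, 10)])


if __name__ == "__main__":
    print("first scan:", scan_value(BEFORE_HIT, 67))
    print("after one rescan:", narrow([(BEFORE_HIT, 67), (AFTER_HIT1, 34)]))
    hp = find_hp_offset()
    print("HP slot:", hp)
    locked = patch_value(AFTER_HIT2, hp[0], 999)
    print("HP now reads:", INT32.unpack_from(locked, hp[0])[0])
```

Against a live process the same loop runs over memory read through the platform's debug API, and the offset found is only valid for that run: relaunching the game gives a new base address, which is why the speaker's address "changed" and why tools resolve a pointer path rather than remembering a raw address.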