Wanting to understand Restunts source code structure

llm · October 10, 2022, 02:12:01 PM

Quote from: Daniel3D on October 10, 2022, 01:43:11 PMSo to make a symbolic offset out of it you must first find the correct byte offset and locate it in the assembly code?

thats why people using IDA or Ghidra for reversing - they keep the assembler source view and and the binary code in sync - so you can easier see what an offset could target

Quote from: Daniel3D on October 10, 2022, 01:43:11 PMLooking at your example i guess it is not very difficult for you. But i understand why they are not all done.

it could be difficul because sometimes offsets are calculated using serveral lines of assembler code
which could be also some sort of 3d point calculation - its not always easy to differ

Quote from: Daniel3D on October 10, 2022, 01:43:11 PMIf i find more (i now have an idea of what they look like) and they are not commented as such I'll make a note of it.

great

llm · October 10, 2022, 02:18:11 PM

for example

Code Select

mov di, 55CAh
is

Code Select

mov di, offset word_40D3A
should produce the very same executable (binary equal)

from IDA-Editor:

Code Select

dseg:55C8                 db 0FFh
dseg:55C9                 db    0
dseg:55CA word_40D3A      dw 0                    ; DATA XREF: end_hiscore+638␘w
dseg:55CA                                         ; end_hiscore+656␘r start+6A␘o
dseg:55CC word_40D3C      dw 0                    ; DATA XREF: end_hiscore+63E␘w
dseg:55CC                                         ; end_hiscore+6C1␘r
dseg:55CE word_40D3E      dw 0                    ; DATA XREF: end_hiscore+644␘w

more or less easy in IDA Pro - but first you need to know that this is really a offset value
and which segment the offset targets - in this case seeable by looking at the code above
seems to be dseg - so its a offset to a variable in the data segment (some copy/init operation is done)

IDA always shows the binary information (offsets, opcodes) in parallel to the disassembly: https://imgur.com/fsUvtVI
thats the primary reason for using a professional tool for reverse engineering, thats also the reason for using a IDA script
to produce the asm code - any finding can result in multiple changes over the asm files - for example you finding a common type
and start using it in IDA - IDA will use that information to extend other parts of the disassembly, resolving more and more
that is not easy with dead end assembler code - and a huge part of the reversing process

IDA Pro is not an assembler editor (you can't change anything in the assembler-code) is just a tool to help reverse engineering - so
cross references, graphs, deep analysis etc., you can add types, structs and annotated the found functions, giving IDA more infos
how to disassemble stuff he didn't understand by itself

Daniel3D · October 10, 2022, 07:22:24 PM

That is very cool. Way to advanced for me at this point in time.
Like you, time is limited.
But i have my strengths(perseverance

) . So i will make an effort to locate the non symbolic offsets.

There will be false positives.

llm · October 11, 2022, 08:02:20 AM

Quote from: Daniel3D on October 10, 2022, 07:22:24 PMThere will be false positives.

if you change a non-symbolic offset to an symbolic one and compare the exe before/after no bit should have changed - then could it be still wrong but still does not can harm the gameplay because the exe is not changed, doing such changes without checking before/after is like playing roulett for earning bugs without any need

Daniel3D · October 11, 2022, 08:15:07 AM

Quote from: llm on October 11, 2022, 08:02:20 AM
Quote from: Daniel3D on October 10, 2022, 07:22:24 PMThere will be false positives.

if you change a non-symbolic offset to an symbolic one and compare the exe before/after no bit should have changed - then could it be still wrong but still does not can harm the gameplay because the exe is not changed, doing such changes without checking before/after is like playing roulett for earning bugs without any need

I only intend to catalogue them.
I don't have an ida, and probably not the knowledge to verify without a doubt.

I'll see what I can find in a few hours.
With why I think it is one or why not.

If i am right often ill continue. If not I'll leave it to the pro's.. 😅

llm · October 11, 2022, 09:04:12 AM

Quote from: Daniel3D on October 11, 2022, 08:15:07 AMI only intend to catalogue them.

this regex finds most of magic-values numbers, that could be offsets, and only global offsets are relevant

(\,|\-|\+)\s*((0[a-fA-F0-9]*|[1-9][a-fA-F0-9]*)h|[0-9])

im using that with Notepad++ (but other editors with regex support should also work)
searching all asmorig asm-files

removing all "add or sub sp,VALUE" + defines reduces the list to ~13.000, but most of the findings
are value-sets or something

as usual - a huge mess of assembler code

Daniel3D · October 11, 2022, 10:32:27 AM

Quote from: llm on October 11, 2022, 09:04:12 AM
Quote from: Daniel3D on October 11, 2022, 08:15:07 AMI only intend to catalogue them.

this regex finds most of magic-values numbers, that could be offsets, and only global offsets are relevant

(\,|\-|\+)\s*((0[a-fA-F0-9]*|[1-9][a-fA-F0-9]*)h|[0-9])

im using that with Notepad++ (but other editors with regex support should also work)
searching all asmorig asm-files

removing all "add or sub sp,VALUE" + defines reduces the list to ~13.000, but most of the findings
are value-sets or something

as usual - a huge mess of assembler code

indeed over 18.000 hits in notepad++
many are clearly not an offset or already defined (i say after viewing about 50

)
But I'll have a look anyway.. thanks for the regex..

Daniel3D · October 11, 2022, 10:42:57 AM

First line of interest..

seg000 Line 607: mov ax, 0FFFFh

Code Select

_ask_dos:
    sub     ax, ax
    push    ax
    push    ax
    push    dialogarg2
    mov     ax, 0FFFFh
    push    ax
    push    ax
    mov     ax, offset aDos ; "dos"
    push    ax

if this is one there are 85 other hits on "ax, 0FFFFh"

Daniel3D · October 11, 2022, 10:47:13 AM

seg000 Line 1060: mov ax, 0AC74h

Code Select

    mov     ax, offset aGsta; "gsta"
    push    ax
    push    [bp+var_38]
    push    [bp+var_3A]
    call    locate_shape_alt
    add     sp, 6
    push    dx
    push    ax
    mov     ax, 0AC74h
    push    ax
    call    copy_string
    add     sp, 6
    push    word_407D6
    push    word_407D4
    mov     ax, 4Ch ; 'L'

if this is one there are 13 other hits on "ax, 0AC74h"

Daniel3D · October 11, 2022, 10:51:24 AM

This is the last for now. Enough to test if I am finding them correctly .. And to see if it is useful..
(I will make more compact logs of others I find when useful to continue. I did it this way, so you can easily see if I make obvious mistakes)
seg000 Line 1795: mov ax, 0FFFEh

Code Select

    call    shape3d_load_all
    mov     ax, 0C8h ; 'È'
    push    ax
    mov     ax, 140h
    push    ax
    mov     ax, 28h ; '('
    push    ax
    push    ax
    call    set_projection
    add     sp, 8
    mov     ax, 0FFFEh
    push    ax
    call    init_game_state
    add     sp, 2
    call    sprite_copy_wnd_to_1
    push    skybox_grd_color
    call    sprite_clear_1_color

if this is one there are 3 other hits on "ax, 0FFFEh"

llm · October 11, 2022, 11:11:00 AM

Quote from: Daniel3D on October 11, 2022, 10:42:57 AMFirst line of interest..
seg000 Line 607: mov ax, 0FFFFh
Code Select Expand
_ask_dos: sub ax, ax push ax push ax push dialogarg2 mov ax, 0FFFFh push ax push ax mov ax, offset aDos ; "dos" push axif this is one there are 85 other hits on "ax, 0FFFFh"

that is very likly just -1, in assembler everything is unsiged, but that does not
mean that a value IS unsigned, -1 isn't very likely an offset

see online-conversion:
https://cryptii.com/pipes/integer-converter
https://imgur.com/BiCqyoI

llm · October 11, 2022, 11:15:47 AM

Quote from: Daniel3D on October 11, 2022, 10:47:13 AMseg000 Line 1060: mov ax, 0AC74h
Code Select Expand
mov ax, offset aGsta; "gsta" push ax push [bp+var_38] push [bp+var_3A] call locate_shape_alt add sp, 6 push dx push ax mov ax, 0AC74h push ax call copy_string add sp, 6 push word_407D6 push word_407D4 mov ax, 4Ch ; 'L'if this is one there are 13 other hits on "ax, 0AC74h"

0AC74h is very likely an offset into the data segment, to some string or something
you need to analyse copy_string - in IDA you would annotate the parameter of copy_string so IDA can infere further

llm · October 11, 2022, 11:19:20 AM

Quote from: Daniel3D on October 11, 2022, 10:51:24 AMThis is the last for now. Enough to test if I am finding them correctly .. And to see if it is useful..
(I will make more compact logs of others I find when useful to continue. I did it this way, so you can easily see if I make obvious mistakes)
seg000 Line 1795: mov ax, 0FFFEh
Code Select Expand
call shape3d_load_all mov ax, 0C8h ; 'È' push ax mov ax, 140h push ax mov ax, 28h ; '(' push ax push ax call set_projection add sp, 8 mov ax, 0FFFEh push ax call init_game_state add sp, 2 call sprite_copy_wnd_to_1 push skybox_grd_color call sprite_clear_1_colorif this is one there are 3 other hits on "ax, 0FFFEh"

0FFFEh is not a valid looking offset - just too big, and 0FFFEh as signed is -2 - so its maybe some sort
of parameter or really the value 65534

you need to understand hex/dec, signed/unsigned and type-size very well do get a "feeling" what that number could be - combined with knowledge about the called functions

llm · October 11, 2022, 11:37:50 AM

just to give you a feeling what the code does in one of your examples:

Code Select

seg000:053A _ask_dos:                              ; CODE XREF: stuntsmain+43D␘j
seg000:053A  sub    ax, ax
seg000:053C  push    ax  ; show_dialog param 9
seg000:053D  push    ax  ; show_dialog param 8
seg000:053E  push    dialogarg2  ; show_dialog param 7
seg000:0542  mov    ax, 0FFFFh
seg000:0545  push    ax  ; show_dialog param 6
seg000:0546  push    ax  ; show_dialog param 5

seg000:0547      mov    ax, offset aDos ; "dos"
seg000:054A      push    ax ; locate_text_res param 3
seg000:054B      push    word ptr mainresptr+2 ; locate_text_res param 2
seg000:054F      push    word ptr mainresptr ; locate_text_res param 1
seg000:0553      call    locate_text_res
seg000:0558      add    sp, 6 -> 6 bytes removed from strack (du to the previous 3 pushes 'a 2 bytes)

seg000:055B  push    dx  ; show_dialog param 4
seg000:055C  push    ax  ; show_dialog param 3
seg000:055D  mov    ax, 1
seg000:0560  push    ax  ; show_dialog param 2
seg000:0561  mov    ax, 2
seg000:0564  push    ax  ; show_dialog param 1
seg000:0565  call    show_dialog
seg000:056A  add    sp, 12h ; 12h  = 18 bytes bytes on stack removed (due to the previus 9 pushes)

this is the C-port of that asm-code

Code Select

  locate_text_res(mainresptr.offset, mainresptr.segment, "dos"); // sets dx and ax (could be a ptr)
  show_dialog(2, 1, ax, dx, -1, -1, dialogarg2, 0, 0);

Daniel3D · October 11, 2022, 12:38:31 PM

Quote from: llm on October 11, 2022, 11:15:47 AM
Quote from: Daniel3D on October 11, 2022, 10:47:13 AMseg000 Line 1060: mov ax, 0AC74h
Code Select Expand
mov ax, offset aGsta; "gsta" push ax push [bp+var_38] push [bp+var_3A] call locate_shape_alt add sp, 6 push dx push ax mov ax, 0AC74h push ax call copy_string add sp, 6 push word_407D6 push word_407D4 mov ax, 4Ch ; 'L'if this is one there are 13 other hits on "ax, 0AC74h"

0AC74h is very likely an offset into the data segment, to some string or something
you need to analyse copy_string - in IDA you would annotate the parameter of copy_string so IDA can infere further

Ok. This was the one i had a good feeling about. The other two felt to tidy, to deliberate..
I'm not starting with ida. I'm just going to try and find them all.
It's up to you and other pros to double check and change them.

Stunts Forum

News:

Wanting to understand Restunts source code structure

llm

llm

Daniel3D

llm

Daniel3D

llm

Daniel3D

Daniel3D

Daniel3D

Daniel3D

llm

llm

llm

llm

Daniel3D