Thessium (readthedocs.org)
Release 0.0.0
Jul 13, 2019
Contents
1 Networking
  1.1 Calculating the checksum
  1.2 Connection dataflow
  1.3 Count/Security Byte
  1.4 Handshake & Session Control
  1.5 Known MsgId's
  1.6 Module identification
  1.7 MsgID's by ID
  1.8 Types used in networking
2 Engine
  2.1 Landscape
3 Files
  3.1 2D Graphics
  3.2 3D Graphics
  3.3 Map / Environment
  3.4 Shader
  3.5 Audio
  3.6 Container
4 Reverse Engineering
  4.1 Where to get info?
  4.2 Giveaways
5 Recommended Tools
  5.1 x64dbg
  5.2 CheatEngine
  5.3 ReClass
  5.4 NTCore Explorer Suite
  5.5 ResHacker
  5.6 Interactive Disassembler
CHAPTER 1
Networking
1.1 Calculating the checksum
1.1.1 Algorithm
The game's checksum calculation is just a generic CRC32 checksum algorithm. It's the fast implementation because it uses a pre-calculated table.
Usually, the table is generated from a fixed poly. In our case, the poly is selected by the server from a list of 256 different polys. The selected index of the poly in the list is transmitted in the first handshake message.
1.1.2 Operation
• The checksum is generated before encryption.
• The checksum includes all bytes of the message.
• Since the checksum byte is part of the calculation, it’s treated as 0 for the calculation.
1.1.3 Trivia
• Proprietary multi-connection endpoints will not reuse already generated tables.
• Some third-party implementations just ship all 256 tables (65,536 bytes) pre-generated as code.
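As an added example (not code from the page or the project), the table-driven CRC-32 described above: the table is generated from the polynomial the server selected, and the checksum byte is zeroed before the whole plaintext message is hashed. The page does not reproduce the list of 256 polynomials or say how the 32-bit CRC is reduced to the single stored byte, so the polynomial is passed in directly and the full CRC-32 is returned; the init/final-xor convention (zlib's) is an assumption.

```python
from typing import List

STANDARD_POLY = 0xEDB88320   # reflected form of the usual CRC-32 poly, used only to verify the table code


def make_crc32_table(poly: int) -> List[int]:
    """Build the 256-entry lookup table for a reflected CRC-32 with the given polynomial."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


def crc32(data: bytes, table: List[int]) -> int:
    """Table-driven CRC-32 (init 0xFFFFFFFF, final xor 0xFFFFFFFF; assumption, zlib convention)."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def message_crc(message: bytes, checksum_offset: int, table: List[int]) -> int:
    """CRC over every byte of the (not yet encrypted) message, with the checksum byte treated as 0."""
    if not 0 <= checksum_offset < len(message):
        raise ValueError("checksum offset lies outside the message")
    buf = bytearray(message)
    buf[checksum_offset] = 0
    return crc32(bytes(buf), table)


def verify_message(message: bytes, checksum_offset: int, table: List[int], expected: int) -> bool:
    """Receiver side: recompute with the checksum slot zeroed and compare against the transmitted value."""
    return message_crc(message, checksum_offset, table) == expected
```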
1.2 Connection dataflow
1.2.1 Establishing a connection
In order to establish a new connection, two major things must be done aside from opening a TCP connection.
Handshake
The HANDSHAKE (5000) exchanges security settings and parameters. The first packet is always sent from the server side and contains information about which security settings to enable and which initial parameters to use. Depending on which settings are enabled, a Diffie-Hellman key exchange and a challenge are performed.
If the handshake was successful, the client side sends the ESTABLISHED (9000) message. Any error will lead to an immediate termination of the TCP connection.
Read more in: Handshake & Session Control.
Identification
Once the session is established, the local and remote side exchange their identities using IDENTIFICATION (2001). The server sends its identity first. The client has to answer with its identity. Any unexpected data or invalid identities will lead to an immediate termination of the TCP connection.
Read more in: Module identification.
1.2.2 Maintaining a connection
Keeping a connection alive is easy. The client has to send a message at least every 5 seconds. It doesn't matter which message it is. When no messages are received by the server for 5 seconds, the server will terminate the connection. The server will not try to keep the connection alive in any way. When the client has no message to send, it sends a PING (2002).
1.2.3 Closing a connection
There is no known message to end a connection properly (to be checked).
1.3 Count/Security Byte
Each message is stamped with a counter. This is done to avoid replay attacks and message injection. Basically, each message gets an increasing number. All messages need to stay in order. If a number appears out of order, the connection will be terminated.
To make it less obvious, the game uses a pseudo-random number generator. It's seeded with an initial value and generates unobvious numbers. Security by obscurity was already a thing back then.
Sadly, the name of the algorithm used is still unknown. Its operations have been reverse engineered, but it's still a big chunk of unreadable code.
TODO: Put code here
1.4 Handshake & Session Control
The very first messages after opening the TCP connection are the handshake. The server also describes these as session. That's why this article is also titled Session Control. In order to communicate with a server or a client, we need to open a session.
The server sends the first message after the TCP connection is established. Depending on the selected security features, the client has to send a proper answer.
1.4.1 Initialize a session
Type               Bit
None               00000000
Disabled           00000001
Blowfish           00000010
SecurityBytes      00000100
Handshake          00001000
HandshakeResponse  00010000
Remark: The three remaining bits are unused.
1.5 Known MsgId’s
1.5.1 Global
Name                   Response
HANDSHAKE (5000)       HANDSHAKE (5000), ESTABLISHED (9000)
ESTABLISHED (9000)
IDENTIFICATION (2001)  IDENTIFICATION (2001)
PING (2002)
1.5.2 SR_Client
1.6 Module identification
1.7 MsgID’s by ID
1.7.1 IDENTIFICATION (2001)
Used for telling the remote end the identity/purpose of our local end. The endpoint will also use this to verify that the other endpoint's identity is compatible with its own, e.g. the GatewayServer will only talk to SR_Clients on its public port.
Invalid identities will lead to an immediate termination of the connection.
Size  Type    Name      Desc
*     string  Identity  Type of the module
1     bool    IsLocal   false = Machine to Machine, true = Module to Module
Valid identities are:
• SR_Client
• GatewayServer
• AgentServer
• etc.
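An added example (not the project's code) of parsing an IDENTIFICATION (2001) body with the compound string type from 1.8.2 and applying the compatibility check the text describes, so that a malformed or incompatible identity ends the connection instead of being processed. Little-endian length prefix, ASCII text and every accepted-identity rule other than the GatewayServer one are assumptions.

```python
import struct
from typing import Dict, FrozenSet, Tuple


def read_string(buf: bytes, pos: int) -> Tuple[str, int]:
    """Compound 'string' type: ushort Length (little-endian assumed) followed by that many ASCII chars."""
    if pos + 2 > len(buf):
        raise ValueError("truncated string length")
    n = struct.unpack_from("<H", buf, pos)[0]
    end = pos + 2 + n
    if end > len(buf):
        raise ValueError(f"string claims {n} chars but only {len(buf) - pos - 2} remain")
    return buf[pos + 2:end].decode("ascii"), end


def parse_identification(body: bytes) -> Tuple[str, bool]:
    """IDENTIFICATION body: string Identity, then one bool IsLocal; nothing else is tolerated."""
    identity, pos = read_string(body, 0)
    if pos + 1 != len(body):
        raise ValueError("IDENTIFICATION must end with exactly one IsLocal byte")
    if body[pos] not in (0, 1):
        raise ValueError(f"IsLocal is not a bool: 0x{body[pos]:02X}")
    return identity, bool(body[pos])


def encode_identification(identity: str, is_local: bool) -> bytes:
    data = identity.encode("ascii")
    return struct.pack("<H", len(data)) + data + bytes([int(is_local)])


# Remote identities each local endpoint accepts. Only the GatewayServer public-port rule is stated
# on the page; any further rows would be constructed placeholders.
ACCEPTED: Dict[str, FrozenSet[str]] = {
    "GatewayServer:public": frozenset({"SR_Client"}),
}


def accept_peer(local_role: str, body: bytes) -> str:
    """Return the peer identity, or raise ConnectionAbortedError (=> terminate the TCP connection)."""
    try:
        identity, _ = parse_identification(body)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ConnectionAbortedError(f"malformed IDENTIFICATION: {exc}")
    if identity not in ACCEPTED.get(local_role, frozenset()):
        raise ConnectionAbortedError(f"{local_role} does not talk to {identity!r}")
    return identity
```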
1.7.2 PING (2002)
Empty message. Sent by the client when no other message has been sent for 5 seconds.
1.7.3 HANDSHAKE (5000)
Size  Type    Name                 Desc
1     byte    security_options     Enabled security options
If Blowfish:
8     byte[]  static_blowfish_key  Static Blowfish key
If SecurityBytes:
1     byte    crc_seed             Poly of the CRC table generation
1     byte    count_seed           Initial seed for count byte
If Handshake:
4     int     dh_generator         Diffie-Hellman generator
4     int     dh_prime             Diffie-Hellman prime
4     int     dh_shared_secret     Diffie-Hellman shared secret
Security Options
Type               Bit
None               00000000
Disabled           00000001
Blowfish           00000010
SecurityBytes      00000100
Handshake          00001000
HandshakeResponse  00010000
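An added example (not the project's code) that decodes the security_options byte from the table above and uses it to parse the conditional fields of a HANDSHAKE (5000) body in the order given in 1.7.3. Little-endian ints, a strict rejection of the three unused bits and the SAMPLE_HANDSHAKE bytes are assumptions and constructed data, not captured traffic.

```python
import struct
from dataclasses import dataclass
from enum import IntFlag
from typing import List, Optional


class SecurityOptions(IntFlag):
    NONE = 0x00
    DISABLED = 0x01
    BLOWFISH = 0x02
    SECURITY_BYTES = 0x04
    HANDSHAKE = 0x08
    HANDSHAKE_RESPONSE = 0x10


KNOWN_BITS = 0x1F   # the page says the three remaining bits are unused


@dataclass
class Handshake:
    options: SecurityOptions
    static_blowfish_key: Optional[bytes] = None
    crc_seed: Optional[int] = None
    count_seed: Optional[int] = None
    dh_generator: Optional[int] = None
    dh_prime: Optional[int] = None
    dh_shared_secret: Optional[int] = None


def enabled_options(opts: SecurityOptions) -> List[str]:
    return [f.name for f in SecurityOptions if f and opts & f]


def parse_handshake(body: bytes) -> Handshake:
    """Parse the body of the server's first HANDSHAKE (5000); fields are present only if their bit is set."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError(f"truncated HANDSHAKE: need {n} bytes at offset {pos}")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    raw = take(1)[0]
    if raw & ~KNOWN_BITS:                       # strictness is this example's choice
        raise ValueError(f"unused security bits set: 0x{raw:02X}")
    opts = SecurityOptions(raw)
    hs = Handshake(opts)
    if opts & SecurityOptions.BLOWFISH:
        hs.static_blowfish_key = take(8)
    if opts & SecurityOptions.SECURITY_BYTES:
        hs.crc_seed = take(1)[0]                # index of the CRC poly
        hs.count_seed = take(1)[0]              # initial seed for the count byte
    if opts & SecurityOptions.HANDSHAKE:
        hs.dh_generator, hs.dh_prime, hs.dh_shared_secret = struct.unpack("<iii", take(12))
    if pos != len(body):
        raise ValueError(f"{len(body) - pos} trailing bytes in HANDSHAKE")
    return hs


# Constructed sample: Blowfish + SecurityBytes + Handshake enabled (0x0E).
SAMPLE_HANDSHAKE = (
    bytes([0x0E]) + bytes(range(8)) + bytes([0x2A, 0x7B])
    + struct.pack("<iii", 5, 2147483647, 123456)
)
```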
1.7.4 ESTABLISHED (9000)
Empty message. Sent by the client to confirm the established session.
1.8 Types used in networking
1.8.1 Simple types
Type    Size  Range
char    1     -128 to 127
byte    1     0 to 255
short   2     -32,768 to 32,767
ushort  2     0 to 65,535
int     4     -2,147,483,648 to 2,147,483,647
uint    4     0 to 4,294,967,295
float   4     3.4E +/- 38 (7 digits)
See: https://msdn.microsoft.com/en-us/library/s3f49ktz.aspx
1.8.2 Compound types
string
Size  Type    Name    Desc
2     ushort  Length  Length of the string
*     char    Text    Text of the string in ASCII
CHAPTER 2
Engine
2.1 Landscape
The landscape is divided into two major types: Terrain and Dungeon. Terrain landscapes are mainly supplied by the Navmesh (.nvm) for collision and Map Mesh (.m), Map Object (.o) and Map T (.t) for rendering. Usually all regions that have a sky are Terrain-typed. Dungeon types are made of Dungeon (.dof). You may know the typical dungeons, e.g. Donwhang Cave or Jangan Cave, but Capture the Flag is also a dungeon.
The client will only show two-dimensional coordinates. But since this is a 3D game, it has to be handled differently. Positioning on the map is split into regions and relative coordinates. It's like having a usual map with grid squares used for roughly finding a location and using millimeters from the top and left to specify an exact location.
The region is mostly represented as one number, but it's actually two different numbers. You need to display it in hexadecimal notation; it won't make sense otherwise.
region = 0x6A35 would be region.X = 0x35 and region.Y = 0x6A.
The first bit of the region is reserved for choosing between Terrain and Dungeon type. The first bit is generally also known as the sign bit, as it tells whether a number is negative. So if you see a negative number for the region, you can tell it's inside a dungeon.
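An added example (not the project's code) that splits a region id into its X and Y halves and the dungeon flag exactly as the paragraphs above describe, and handles the pitfall that the client displays the same 16 bits as a signed number. That Y is the seven bits below the flag bit is an assumption; the page does not say whether the flag is counted as part of Y.

```python
from typing import NamedTuple


class Region(NamedTuple):
    x: int            # low byte of the region id
    y: int            # bits 8..14 of the region id (assumption: Y excludes the flag bit)
    is_dungeon: bool  # bit 15, the sign bit of the value the client shows


def decode_region(region: int) -> Region:
    """Decode a region id given either as the raw ushort or as the signed short the client displays."""
    if not -0x8000 <= region <= 0xFFFF:
        raise ValueError(f"{region} does not fit in 16 bits")
    raw = region & 0xFFFF                        # -23499 and 0xA435 are the same bit pattern
    return Region(x=raw & 0xFF, y=(raw >> 8) & 0x7F, is_dungeon=bool(raw & 0x8000))


def encode_region(x: int, y: int, is_dungeon: bool) -> int:
    """Inverse of decode_region; returns the raw ushort."""
    if not (0 <= x <= 0xFF and 0 <= y <= 0x7F):
        raise ValueError("x needs 8 bits, y the 7 bits below the dungeon flag")
    return (0x8000 if is_dungeon else 0) | (y << 8) | x


def as_signed_short(region: int) -> int:
    """The number the client would display for a raw region id."""
    raw = region & 0xFFFF
    return raw - 0x10000 if raw & 0x8000 else raw


def format_region(region: int) -> str:
    """Hexadecimal form in which the two halves become visible, e.g. 0x6A35."""
    return f"0x{region & 0xFFFF:04X}"
```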
CHAPTER 3
Files
Over the years, many of the proprietary file formats have been reverse engineered. This is a collection of known information.
3.1 2D Graphics
3.1.1 Window Description (NEW) (.2dt)
3.1.2 Bitmap (.dat)
These files are used as images in the launcher only. They are just renamed bitmaps. Change the extension to .bmp and open them in any image editor you like.
Renamed Bitmap, 24 Bit?, Alpha Color Key,
3.1.3 Direct Draw Image (.ddj)
This format is very simple. The whole file looks like this:
struct DDJ
{
    Header header;
    DDS dds_image;
}
The header is:
// Size = 20 bytes
struct Header
{
    char[12] magic;
    int unknown1;
    int unknown2;
}
Since the header does not contain useful information, you can just skip the first 20 bytes and load the remaining bytes as a Direct Draw Surface.
3.1.4 Window Description (OLD) (.txt)
3.2 3D Graphics
3.2.1 Compound (.cpd)
3.2.2 Animation (.ban)
Stores one animation of a resource.
Versions:
JMXVBAN 0102
Relevant for:
Region   Version
Vietnam  188
12 byte header;
int unk;
int unk;
string name;                    // name of the animation
int duration;
int framesPerSecond;
int unk;
int keyframeCount;
int[keyframeCount] keyframes;   // timings of the keyframes, so you can interpolate between two poses.
int boneCount;                  // Amount of bones that have transformations that are different from their bind poses.
for (int i = 0; i < boneCount; i++)
{
    string boneName;
    int count;                  // same as keyframeCount
    for (int p = 0; p < count; p++)
    {
        Quaternion rotation;
        Vector3 translation;
        // These two together give you the transformation Matrix relative to its parent bone/joint.
    }
}
// End of file
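An added example (not the project's loader) that reads the .ban layout above with bounds checking on every field, so a truncated file or a bone whose pose count disagrees with keyframeCount is rejected instead of being read past the end. Assumptions: little-endian values, the string type from 1.8.2 for names, a Quaternion of four floats and a Vector3 of three; SAMPLE_BAN is constructed, not a real animation.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

BAN_MAGIC = b"JMXVBAN 0102"          # 12-byte header / version string from the page


@dataclass
class BoneTrack:
    name: str
    poses: List[Tuple[Tuple[float, ...], Tuple[float, ...]]]   # (rotation, translation) per keyframe


@dataclass
class Animation:
    name: str
    duration: int
    fps: int
    keyframes: List[int]
    bones: List[BoneTrack]


class Reader:
    """Bounds-checked cursor over the file bytes (little-endian assumed)."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError(f"truncated file: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def i32(self) -> int:
        return struct.unpack("<i", self.take(4))[0]

    def string(self) -> str:
        # compound 'string' from 1.8.2: ushort length, then ASCII chars
        return self.take(struct.unpack("<H", self.take(2))[0]).decode("ascii")


def parse_ban(data: bytes) -> Animation:
    r = Reader(data)
    if r.take(12) != BAN_MAGIC:
        raise ValueError("unsupported header, expected JMXVBAN 0102")
    r.i32(); r.i32()                                  # two unknown ints
    name = r.string()
    duration, fps = r.i32(), r.i32()
    r.i32()                                           # unknown int
    keyframe_count = r.i32()
    if keyframe_count < 0:
        raise ValueError("negative keyframeCount")
    keyframes = [r.i32() for _ in range(keyframe_count)]
    bones = []
    for _ in range(r.i32()):                          # boneCount
        bone_name = r.string()
        count = r.i32()
        if count != keyframe_count:                   # page: count is the same as keyframeCount
            raise ValueError(f"bone {bone_name!r}: {count} poses for {keyframe_count} keyframes")
        poses = [(struct.unpack("<4f", r.take(16)), struct.unpack("<3f", r.take(12)))
                 for _ in range(count)]
        bones.append(BoneTrack(bone_name, poses))
    if r.pos != len(data):
        raise ValueError(f"{len(data) - r.pos} bytes after the expected end of file")
    return Animation(name, duration, fps, keyframes, bones)


def _s(text: str) -> bytes:
    return struct.pack("<H", len(text)) + text.encode("ascii")


# Constructed sample: a 2-keyframe animation "idle" moving a single bone "root".
SAMPLE_BAN = (
    BAN_MAGIC + struct.pack("<ii", 0, 0) + _s("idle")
    + struct.pack("<iii", 1000, 30, 0)                # duration, framesPerSecond, unknown
    + struct.pack("<iii", 2, 0, 500)                  # keyframeCount, keyframes[0], keyframes[1]
    + struct.pack("<i", 1) + _s("root") + struct.pack("<i", 2)
    + struct.pack("<4f3f", 0.0, 0.0, 0.0, 1.0, 0.0, 0.0, 0.0)
    + struct.pack("<4f3f", 0.0, 0.0, 0.0, 1.0, 1.5, 0.0, 0.0)
)
```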
3.2.3 Mesh (.bms)
Stores one (partial) mesh of a resource. Due to vertex count limitations, a mesh may be split into multiple separate mesh files.
JMXVBMS_0110
Region   Version
Unknown  Open Beta
3.2.4 Material (.bmt)
3.2.5 Skeleton (.bsk)
Skeleton of an object. Basically a weighted mapping of vertices to bones.
JMXVBSK 0101
Region   Version
Unknown  Open Beta
3.2.6 Resource (.bsr)
A resource combines Animation (.ban), Mesh (.bms), Material (.bmt) and Skeleton (.bsk) into a usable in-game object.
JMXVRES 0109
Region   Version
Unknown  Open Beta
Trivia
• The resource loader of the server requires all data files, not just the ones required for collision detection.
3.2.7 Particle (.efp)
3.3 Map / Environment
3.3.1 Navmesh (.nvm)
Contains terrain collision mesh.
Versions:
JMXVNVM 1000
Relevant for:
Region   Version
Unknown  Open Beta
3.3.2 AINavData (.dat)
3.3.3 Dungeon (.dof)
Versions:
0101
// File structure for: Dungeon File (*.dof)
// Created by: DaxterSoul - 2014
// Encoding: Windows Codepage: 949 (Korean) as some of the roomObjectName, entryNames or pointNames are Korean.

12  byte[]  Header                      // JMXVDOF 0101 supported only
4   uint    pointerRoomObjects
4   uint    pointerObjectConnections
4   uint    pointerLinks
4   uint    pointerObjectGroups
4   uint    pointerIndexNames
4   uint    pointerUnk5                 // Has been 0 in every file...
4   uint    pointerUnk6                 // Has been 0 in every file...
4   uint    pointerDungeonBoundingBoxes
2   ushort  unk_ushort0                 // Has been 0xFFFF in every file...
2   ushort  unk_ushort1                 // Has been 0x0400 in every file...
2   ushort  dungeonNameLength
*   string  dungeonName                 // Has been "Noname" in every file... -> used as projectName in MapEditor.
4   uint    unk_uint0                   // Has been 0xFFFFFFFF in every file...
4   uint    unk_uint1                   // Has been 0xFFFFFFFF in every file...
2   ushort  regionID                    // Used in packets and database for whole Dungeon. Used in minimap_d as center- or origin-region (stores _default_).

// pointerDungeonBoundingBoxes will get you here
24  float[] dungeon_AABB                // width = AABB[3] - AABB[0], height = AABB[4] - AABB[1], length = AABB[5] - AABB[2]
24  float[] dungeon_OOBB                // width = OOBB[3] - OOBB[0], height = OOBB[4] - OOBB[1], length = OOBB[5] - OOBB[2]

// pointerRoomObjects will get you here
4   uint    roomObjectCounter
for (int roomObjectIndex = 0; roomObjectIndex < roomObjectCounter; roomObjectIndex++)
{
    2   ushort  roomObject.PathLength
    *   string  roomObject.Path

    2   ushort  roomObject.NameLength
    *   string  roomObject.Name

    4   float   roomObject.unk_float0   // Has been 0 in every file...
    4   float   roomObject.X
    4   float   roomObject.Z
    4   float   roomObject.Y
    4   float   roomObject.YAW          // Google it... and use this: 57.2957795 for calculation
    4   float   roomObject.PITCH        // Google it... and don't ask for missing roll, this is no flight simulator...
    24  float[] roomObject.AABB         // width = aabb[3] - aabb[0], height = aabb[4] - aabb[1], length = aabb[5] - aabb[2]
    4   float   roomObject.unk_float12  // Seems fixed to -2,848866E+38
    4   float   roomObject.unk_float13  // Seems fixed to -2,288091E+38
    4   float   roomObject.unk_float14  // Example: -150
    4   float   roomObject.unk_float15  // Example: 1456
    4   float   roomObject.unk_float16  // Example: 0,001

    1   byte    roomObject.extraFlagA
    if (roomObject.extraFlagA == 0x01)
    {
        4   float   roomObject.ExtraA.unk_float0   // Example: 750
        4   float   roomObject.ExtraA.unk_float1   // Example: 680
        4   float   roomObject.ExtraA.unk_float2   // Example: 50
        4   float   roomObject.ExtraA.unk_float3   // Example: 0,08
    }

    1   byte    roomObject.extraFlagB
    if (roomObject.extraFlagB == 0x02)
    {
        4   float   roomObject.ExtraB.unk_float0   // Example: 0,1871207
        4   float   roomObject.ExtraB.unk_float1   // Example: 0
        4   float   roomObject.ExtraB.unk_float2   // Example: -0,8803339
        4   float   roomObject.ExtraB.unk_float3   // Example: 0
        4   float   roomObject.ExtraB.unk_float4   // Example: 2,932153
        4   float   roomObject.ExtraB.unk_float5   // Example: 0
        4   float   roomObject.ExtraB.unk_float6   // Example: 3,503246E-42
    }

    4   uint    roomObject.unk_uint0    // Has been 0 in every file...
    4   uint    roomObject.roomIndex    // Used for roomNames
    4   uint    roomObject.floorIndex   // Used for floorNames

    4   uint    roomObject.connectedObjectCount         // List of directly-connected objects. Example: 70, 146
    for (int i = 0; i < roomObject.connectedObjectCount; i++)
    {
        4   uint    objectIndex
    }

    4   uint    roomObject.indirectConnectedObjectCount // List of indirectly-connected objects. Example: 70, 4, 146, 80
    for (int i = 0; i < roomObject.indirectConnectedObjectCount; i++)
    {
        4   uint    objectIndex
    }

    4   uint    roomObject.entryCounter
    4   uint    roomObject.unk_uint1    // Either 0 or 1
    for (int entryIndex = 0; entryIndex < roomObject.entryCounter; entryIndex++)
    {
        // Contains Flames, Stones, Jewelry, Water, and other stuff...
        2   ushort  entry.NameLength
        *   string  entry.Name

        2   ushort  entry.PathLength
        *   string  entry.Path

        4   float   entry.X
        4   float   entry.Z
        4   float   entry.Y

        4   float   entry.Roll
        4   float   entry.Yaw
        4   float   entry.Pitch

        4   float   entry.ScaleWidth
        4   float   entry.ScaleHeight
        4   float   entry.ScaleLength

        4   uint    entry.extraFlag     // I've seen this as 0x00 for Flames (Torch & Lamps), 0x02 for Stones (impassable), 0x04 for Water
        if (entry.extraFlag == 0x04)    // Water...
        {
            4   uint    waterExtra
        }

        4   uint    entry.ID
        4   float   entry.unk_float0
        // 1962.75232 for out_obj_stone
        // 902.9495 for out_obj_door
        // -3.18711172E+38 and similar for water
    }

    4   uint    roomObject.pointCounter
    for (int pointIndex = 0; pointIndex < roomObject.pointCounter; pointIndex++)
    {
        2   ushort  point.NameLength
        *   string  point.Name

        4   float   point.X
        4   float   point.Z
        4   float   point.Y

        4   float   point.Roll
        4   float   point.Yaw
        4   float   point.Pitch

        4   float   point.Width
        4   float   point.Height
        4   float   point.Length

        4   float   point.float09       // also Roll
        4   float   point.float10       // also Yaw
        4   float   point.float11       // also Pitch
        4   float   point.float12       // Example: 0,8
        4   float   point.float13       // Example: 0,007
        4   float   point.float14       // Example: 3E-05
    }
}

// pointerLinks will get you here
4   uint    unk_uint2
4   uint    unk_uint3
4   uint    unk_uint4
4   uint    linkCounter
for (int linkIndex = 0; linkIndex < linkCounter; linkIndex++)
{
    4   uint    link.ID
    4   uint    link.connectionCount
    for (int i = 0; i < link.connectionCount; i++)
    {
        4   uint    objectIndex
    }
}

// pointerObjectConnections will get you here
4   uint    objectConnectionCounter     // Always equal to roomObjectCounter?
for (int objectIndex = 0; objectIndex < objectConnectionCounter; objectIndex++)
{
    4   uint    connectedObjectCount
    for (int i = 0; i < connectedObjectCount; i++)
    {
        4   uint    connectedObjectIndex
    }
}

// pointerIndexNames will get you here
4   uint    roomCounter
for (int roomIndex = 0; roomIndex < roomCounter; roomIndex++)
{
    // Some of them might be empty but that's no problem...
    2   ushort  roomNameLength
    *   string  roomName
}
4   uint    floorCounter
for (int floorIndex = 0; floorIndex < floorCounter; floorIndex++)   // loop bound is floorCounter, not roomCounter
{
    // Some of them might be empty but that's no problem...
    2   ushort  floorNameLength
    *   string  floorName
}

// pointerObjectGroups will get you here
4   uint    objectGroupCounter
for (int i = 0; i < objectGroupCounter; i++)
{
    2   ushort  group.NameLength
    *   string  group.Name
    4   uint    group.Flag              // 0 or 1 -> Service?
    4   uint    group.objectCount
    for (int ii = 0; ii < group.objectCount; ii++)
    {
        4   uint    objectIndex
    }
}
// EOF
3.3.4 Object Information / Index
Indexed list of object filenames. Maps numbers used in other files to strings / paths.
Versions:
JMXVOBJI1000
Region   Version
Unknown  Open Beta
CSV-style list with spaces (' ') as separator. Strings need to be enclosed in double quotes ("my string").
JMXVOBJI1000
// <Number of lines>
// <First line>
// <Second line>
// ...
// <nth line>
Example
JMXVOBJI1000
16
00000 0x00000001 "res\bldg\china\cj_ferry\cj_ferry_buil.bsr"
00001 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_warehou.bsr"
00002 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_dam02.bsr"
00003 0x00000000 "res\bldg\china\dunhuang\ferry\naruter_buil.bsr"
00004 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_stone01.bsr"
00005 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_box.bsr"
00006 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_wagon.bsr"
00007 0x00000001 "res\bldg\china\cj_ferry\cj_ferry_enter.bsr"
00008 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_tombstone.bsr"
00009 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_buil02.bsr"
00010 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_bottle.bsr"
00011 0x00000001 "res\bldg\china\dunhuang\ferry\naruter_fish01.bsr"
00012 0x00000000 "res\nature\china\dunhuang\ferry\w_cd_budawal.bsr"
00013 0x00000001 "res\nature\china\dunhuang\ferry\w_cd_stonwal04.bsr"
00014 0x00000000 "res\nature\china\dunhuang\ferry\w_cd_stonwal11.bsr"
00015 0x00000000 "res\nature\china\dunhuang\ferry\w_cd_small_stonwal.bsr"
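An added example (not the project's code) of a parser for the JMXVOBJI1000 listing above that checks the announced line count against the lines actually present and that each entry's index matches its position, since other map files address objects by that number. The regular expression for a line and SAMPLE_OBJI (four entries copied from the page's example, with the count adjusted) are this example's own; the line structure is otherwise as the page describes it.

```python
import re
from typing import Dict, List, NamedTuple

OBJI_MAGIC = "JMXVOBJI1000"
# <index> <flags as 8 hex digits> "<path>"; separated by one or more spaces
LINE_RE = re.compile(r'^(\d+) +(0x[0-9A-Fa-f]{8}) +"([^"]*)"\s*$')


class ObjectEntry(NamedTuple):
    index: int
    flags: int
    path: str


def parse_object_index(text: str) -> List[ObjectEntry]:
    """Parse a JMXVOBJI1000 listing; the header's line count must match the body."""
    lines = text.splitlines()
    while lines and not lines[-1].strip():          # tolerate a trailing blank line
        lines.pop()
    if not lines or lines[0].strip() != OBJI_MAGIC:
        raise ValueError("missing or unsupported magic, expected JMXVOBJI1000")
    if len(lines) < 2 or not lines[1].strip().isdigit():
        raise ValueError("second line must be the number of entries")
    count = int(lines[1])
    body = lines[2:]
    if len(body) != count:
        raise ValueError(f"header announces {count} entries but {len(body)} follow")
    entries = []
    for n, line in enumerate(body):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"entry {n}: malformed line {line!r}")
        index = int(m.group(1))
        if index != n:                                # other files address entries by position
            raise ValueError(f"entry {n}: index field says {index}")
        entries.append(ObjectEntry(index, int(m.group(2), 16), m.group(3)))
    return entries


def index_to_path(entries: List[ObjectEntry]) -> Dict[int, str]:
    """Lookup table for resolving object numbers found in other map files."""
    return {e.index: e.path for e in entries}


# Constructed sample: magic, count, and four entries taken from the page's example.
SAMPLE_OBJI = "\n".join([
    "JMXVOBJI1000",
    "4",
    r'00000 0x00000001 "res\bldg\china\cj_ferry\cj_ferry_buil.bsr"',
    r'00001 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_warehou.bsr"',
    r'00002 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_dam02.bsr"',
    r'00003 0x00000000 "res\bldg\china\dunhuang\ferry\naruter_buil.bsr"',
]) + "\n"
```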
3.3.5 Map Mesh (.m)
Versions:
JMXVMAPM1000
Region   Version
Unknown  Open Beta
3.3.6 Map Object (.o)
3.3.7 Map T (.t)
3.4 Shader
3.4.1 Pixel Shader (.psh)
3.4.2 Vertex Shader (.vsh)
3.5 Audio
3.5.1 Ogg (.ogg)
Format, Version, Bitrate?, etc.
3.6 Container
3.6.1 Joymax Pak File (.pk2)
Abstract
Joymax Pak File is used to store the game's data files. The format is fragmented; index data and content data are stored in no specific location. Index data is stored in blocks of X entries and is encrypted using Blowfish (LINK). The content data is neither encrypted nor compressed in any way.
Format
Magic
Header
Index data
Data
Nothing special. Data is stored without protection or encryption.
Trivia
• Joymax’s implementation does not support defragmentation. Pak Files can only grow.
• Joymax's implementation uses a "plain text password" instead of the plain Blowfish key. The Blowfish key is generated from the password.
• https://www.elitepvpers.com/forum/sro-coding-corner/1992824-wip-silkroad-file-formats-bsr-bms-bmt-bsk-ban.html
• https://www.elitepvpers.com/forum/sro-coding-corner/3854560-release-filestructure-jmxvdof-0101-a.html
CHAPTER 4
Reverse Engineering
Reversing a new executable from scratch can be a tough challenge. The community around the game has become very closed regarding information. This page is for sharing offsets.
4.1 Where to get info?
1. Look on the net. There is plenty of info in existing code.
2. Look at the binary. Many debug strings can tell you what the code does.
3. Look at the binary, again. Some may contain runtime type information (RTTI). This will tell you class names, inheritance and (virtual) member functions.
4. Ask. Just ask. If you form a polite, well-asked question, you will most likely get an answer.
5. If you're really desperate: compile a test binary with the same compiler and stdlib and use tools like K4m1n0 to find similarities.
6. Still no luck? Dig deep into the binary; some functions may remain unknown for days, weeks, even months.
4.2 Giveaways
4.2.1 Offsets
Some addresses to start off.
Offset      Description                                                        Type  Client
0xDEADBEEF  Example data offset that does nothing                              data  VSRO 188
0x008311C0  WndProc                                                            code  VSRO 188
0x008328C0  WinMain                                                            code  VSRO 188
0x009EC570  CNavigationDeadreckon::MoveToCoords(short, struct D3DVECTOR *)     code  VSRO 188
0x009D87C0  CICPlayer::Render                                                  code  VSRO 188
0x00BAD750  CGFXVideo3d::EndScene                                              code  VSRO 188
0x00BAED40  CGFXVideo3d::BeginScene                                            code  VSRO 188
4.2.2 Structures
Some reverse engineered structures to play around in ReClass.
// This camera class is a demonstration, it's not the real one
struct CCamera
{
    D3DVECTOR position;
    D3DVECTOR rotation;
}
CHAPTER 5
Recommended Tools
5.1 x64dbg
Website: https://x64dbg.com/
A great debugger and disassembler. Has some bugs here and there but is really powerful.
5.2 CheatEngine
Website: https://www.cheatengine.org/
Classic tool for memory scanning. Alternatives?
5.3 ReClass
Website: many
There are many flavors of ReClass. Pick the one that fits your needs. If you're unsure which one to choose, just pick the original one.
5.4 NTCore Explorer Suite
Website: https://ntcore.com/?page_id=388
NTCore has a great set of tools. CFF Explorer is really useful for making changes to the PE header.
5.5 ResHacker
Website: many
Old-school resource editor. The resources of a portable executable are underestimated. Aside from the application icon, resources can also contain strings, images, forms or even large binary objects.
5.6 Interactive Disassembler
Website: https://www.hex-rays.com/
IDA is a really powerful binary analysis tool. It's definitely the right tool for the job, even if it has some flaws. IDA v7.0 was released as freeware recently, with some limitations of course, so give it a try.