
Thread: high score table manipulation

  1. #1
    Naked2
    Guest

    high score table manipulation

    I am having difficulties in attempting to manipulate the high score table of a certain game.

    The exe is packed and I am running the process through OllyDbg. I have tried opening up the saved game data in hex editors in search of any 'score' related data, but the strings have proved useless; heavy encryption beyond my know-how/understanding.

    My goal is to pause the debugger just before the game is set to transmit the scored data to the server for encryption. The resulting information of the pause immediately after I press enter was non encrypted data, and I was able to locate the name I entered (Naked2) followed by my score and level data of that game through a memory dump.

    I have tried everything I know of, including memory access and write breakpoints to 'intercept' the data between pauses and replace it manually, but it never actually saves to the high score table. After going through several breakpoint pauses and analyses of each one, I still can't even find at which point the data has been written to the table. I have noted certain strings where I believe the data is written to, but I usually get an error saying that 'the breakpoint cannot be made between 029000 and 029010 binary addresses.' (They are not the exact addresses.)

    So my ultimate goal is to somehow intercept the data and modify it before it hits the score table. Ideally, as soon as the debugger resumes, it would submit the modified data to the table.

    I have attached an image of the process in OllyDbg so you can see exactly what I am doing. Any help or pointers you might have would be greatly appreciated.

    http://i64.photobucket.com/albums/h173/naked_07/ollydbg.jpg
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    dELTA (Administrator)
    Join Date: Oct 2000
    Location: Ring -1
    Posts: 4,206
    Blog Entries: 5
    ...before the game is set to transmit the scored data to the server...
    What kind of game is it? What kind of server? If the game is played through any interaction with the server, chances are that the server keeps track of the score itself, to prevent you from cheating by manipulating the client side of it, like you mention doing.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #3
    Naked2
    Guest
    The game is similar to Tetris, am I allowed to title it? I didn't want to chance it because of the possible legalities surrounding my intentions.

    I think the server is HTTP Apache. The high score table already shows evidence of hacking.

    The only interaction with the server is to transmit scores to a high score table.

  4. #4
    Messing with high-score tables... one of the things I used to enjoy doing when I was bored.

    Two words (actually three...):

    Proxomitron
    HTTP Log

    This looks like a very simple system. The program sends an HTTP GET request to a PHP script on the server with the following parameters, from what I can see

    name[1]=Naked2&score[1]=250&level[1]=1&avgtime[1]=0&gameguid[1]={...}

    ...and further parameters, including what looks like three Unix-type timestamps and some additional nearly self-explanatory parameters (&action=addscore).

    Find the name of the PHP script and the server it's sending the data to, pause the game at that point where you can read the parameter string, and just try hitting that URL with your browser. If you can even get a score submitted, then try changing some of the parameters and repeat. Etc.

    Edit: Send me a PM with the necessary non-public information, as per the FAQ, and I'll see if I can get my name up there

  5. #5
    dELTA (Administrator)
    About the name, no need to mention it; all that is/was needed is a technical description (and you also practically already identified it with that screenshot).

    And just like LLXX says, I'd attack it on a communication-level too, most likely no need at all to reverse the binary client. Sniff and analyze the communication, then manipulate/imitate it.

  6. #6
    Quote Originally Posted by LLXX View Post
    Two words (actually three...):
    Proxomitron
    HTTP Log
    It's amazing how long that little app has been around. I still use it on my XP SP2 system in front of Opera, IE, Firefox...whatever. I turn off their popup killers and just use Prox. Every once in a while I pop some nasty URL in Prox's kill filter.

    I heard that the author, Scott Lemmon, passed away in May 2004. He was a pretty smart dude.

  7. #7
    Naked2
    Guest
    EDIT: Upon following the instructions given, and contrary to this being as simple as first thought, the table data had already been encrypted. The following information is what I intercepted:

    Code:
    POST /XxxLeaderBoard1Servlet/XxxLeaderBoard1Servlet HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: HIP
    Host: tryx.srvx.hx.leaderboards.xxxxxxx.com
    Content-Length: 255
    Pragma: no-cache

    action=decrypt&type=hipenc1&key=0&data=yckjprisilwdmhhdsuoiwudqhzdzplwqbsmddcshpsmqknmswvorbnshwsirh iwhohyshsmhzamskdhazvmnpiplihzhilwdmhhsbcdddiodysstxtlnoqszidglxsxsmhszgublgjwdhvwqgtlslqztlaihscktl rlrgueslrzdlcztgvlfztyrwlbswudzpsshmlgadlzvlrkdknhlgvxq
    Last edited by Naked2; November 21st, 2006 at 19:31.

  8. #8
    Naked2
    Guest
    See above post for update. I am a bit backwards today.

  9. #9
    dELTA (Administrator)
    Ok, assuming that the encryption is strong enough not to be worth attacking in itself, I'd next suggest you intercept the APIs used to send this data to the server, and work your way backwards from there. This would have quite a good chance of quick success. What kind of binaries does this game depend on? Native stand-alone x86 executable?

  10. #10
    Naked2
    Guest
    Yes, it appears to be a stand-alone executable. The file is packed and it seems to be self-modifying. I have managed to set hardware breakpoints (dword, word or byte?) on the seemingly repetitive addresses where my name and score info show up in the memory dump. Upon entering a unique user name in the text box before pressing submit, I pause Olly and scan the dump. This name shows up only once, which I think is located in the precache memory buffer.

    I take note of this address and set a hardware access breakpoint on the first byte of that address. Next, I begin a run trace in search of my username. I do not understand run trace in its entirety, or the commands associated with it, so may I have some instructions or pointers on how to accomplish my goal using it?

    Ultimately this is how I see tackling this:

    After setting the hardware breakpoint, but before pressing the 'submit score' button, I would like to begin a trace and somehow set it up to trace over every instruction related to my name and score with the 'fake' replaced information. Wouldn't this guarantee every initial instruction is modified according to my specifications? Thus leaving no room for marginal error and modifying every string before the final data hits the table?

    I have traced through so many instructions to just get a glimpse of how the process works and I have actually seen the table data encrypted string by string in front of my eyes in ASCII. I am sure the main problem lies within my limited experience of Olly. At one point yesterday, I felt as if I was on the verge of succeeding but it wound up turning into a 4 hour progressive failure.

    EDIT: I may have found the sweet spot; see the image. It appears as though I have located the string that encrypts the name/scoring info before it has actually written the data into the struct? The username is: "Meatball"

    http://i64.photobucket.com/albums/h173/naked_07/olly3.jpg
    Last edited by Naked2; November 22nd, 2006 at 20:04.

  11. #11
    I suggest you PNG your images instead of JPG'ing them. JPG is for photos and other images with smooth gradients, not sharp contrasts. You'll get better compression and no compression artifacts (noise). It also yields better results when OCR'd.

    I don't think that's the encryptor, as it does not appear to be doing any encrypting, only determining how many bytes to copy based on a strange criteria. Here is the loop reproduced and annotated:

    Code:
    loop_1: (there is an instruction here that I don't know, two bytes in length)
     add edi, 4
     dec ecx ; some sort of counter (LOOP would've saved a byte here)
     jz ^ (can't see destination in your image)
     mov edx, 7efefeffh
     mov eax, [esi] ; get 4 bytes
     add edx, eax ; add constant 7efefeffh to it
     xor eax, 0ffffffffh ; same as NOT EAX - inverts all bits
     xor eax, edx ; xor with same constant again
     mov edx, [esi] ; get 4 bytes again
     add esi, 4 ; advance to next 4 bytes
     test eax, 81010100h ; eax = ~*esi^(*esi+0x7efefeff)
     jz loop_1 ; jump only if those bits were not 1.
     test dl, dl
     jz ^ (can't see destination in your image, probably to store 1 byte)
     test dh, dh
     jz loc_2 ; store two bytes
     test edx, 0xx0000 (couldn't read the digits, looks like 0ff0000 to me)
     jz loc_3 ; store three bytes
     test edx, 0ff000000
     jnz loop_1
     mov [edi], edx ; store four bytes
     ...
     ret
    loc_3: ; store three bytes (and null terminator?)
     mov [edi], dx
     xor edx, edx
     ...
     mov [edi+2], dl ; 0
     ...
     ret
    loc_2: ; store two bytes
     mov [edi], dx
     ...
     ret
    As you repeatedly mention that the executable is packed, why haven't you unpacked and IDA'd it yet? It is obviously a very simple packer if it doesn't contain any antidebug code, as you seem to be doing fine tracing through with OllyDbg.
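    The 7efefeffh / 81010100h pair in the loop quoted above is the well-known "is there a zero byte in this dword" test that compilers use for copying strings four bytes at a time. The following C re-implementation is an added example, not code from this thread or from the game; the function names are my own. It mirrors the loop's fast path (store four bytes while the test stays clear), its byte-by-byte fallback (the test dl,dl / test dh,dh / ... chain), and the one false positive (a top byte of exactly 0x80) that the jnz loop_1 at the end of the chain exists to handle.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAGIC 0x7EFEFEFFu   /* the constant loaded into edx */
#define MASK  0x81010100u   /* the constant used by test eax, ... */

/* Nonzero if dword x MAY hold a zero byte (little-endian order, as read via [esi]).
 * Adding MAGIC carries out of every byte except a zero byte; ~x ^ (x + MAGIC)
 * turns a missing carry into a 1 at the next byte's low bit (or the top byte's
 * sign bit). The only false positive is a top byte of exactly 0x80. */
int may_contain_zero_byte(uint32_t x)
{
    return ((~x ^ (x + MAGIC)) & MASK) != 0;
}

/* Store the four bytes of w in memory order, like mov [edi], edx. */
static void store4(char *dst, uint32_t w)
{
    for (int b = 0; b < 4; b++)
        dst[b] = (char)((w >> (8 * b)) & 0xFFu);
}

/* Copy a NUL-terminated string, supplied as little-endian dwords, into dst the
 * way the loop does: four bytes at a time while the fast test stays clear, then
 * byte by byte to locate the real terminator. Returns bytes written including
 * the NUL, or 0 if no NUL is found within nwords (hypothetical helper). */
size_t copy_dwords_until_nul(char *dst, const uint32_t *src, size_t nwords)
{
    size_t written = 0;
    for (size_t i = 0; i < nwords; i++) {
        uint32_t w = src[i];
        if (!may_contain_zero_byte(w)) {          /* jz loop_1: no zero, copy 4 */
            store4(dst + written, w);
            written += 4;
            continue;
        }
        for (int b = 0; b < 4; b++) {             /* which byte is the zero? */
            dst[written + b] = (char)((w >> (8 * b)) & 0xFFu);
            if (((w >> (8 * b)) & 0xFFu) == 0)
                return written + b + 1;           /* terminator stored, done */
        }
        written += 4;                             /* false positive: jnz loop_1 */
    }
    return 0;
}
```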

  12. #12
    Naked2
    Guest
    Photobucket automatically converts my files to JPGs, it seems.

    There are random debug checks however I have managed to mask Olly and prevent this from occurring.

    'EXCEPTION_DATATYPE_MISALIGNMENT' is the packer's way of kicking you out when it discovers debugging.

    I have attempted to IDA it, but it gave all sorts of problems and errors upon execution.

    Furthermore, I had someone else with more experience analyze the exe and was told that it was not necessary to unpack it just to modify the struct before it is used. I just can't figure out which struct I need to modify.

    I sense this may be going in circles so if you can't help I understand. Otherwise, please specify any other info you may need in order to help me.

  13. #13
    dELTA (Administrator)
    You say you have defeated the debugger checks. Then continue my strategy above, breakpointing the communication APIs, and working backwards from these.

  14. #14
    Quote Originally Posted by Naked2 View Post
    Furthermore, I had someone else with more experience analyze the exe and was told that it was not necessary to unpack it just to modify the struct before it is used.
    I wonder how much experience that 'someone else' exactly has, since anything that's been packed should be unpacked first and subject to further analysis.

    You will often miss many interesting points in the code by tracing through it in the debugger, as your mind becomes focused only on the execution flow. Reading calmly through the disassembler listing is much more relaxing too.

  15. #15
    In other words, if you want to examine what's in a suitcase, you either need a special x-ray machine, or you actually need to open the suitcase. Once it is open, it certainly is much easier to determine what's inside.

    Regards,
    JMI
