2022-04-11 20:27:15 +02:00
|
|
|
{% extends "konami.html" %}
|
2022-01-17 23:10:57 +01:00
|
|
|
{% block title %}Following along{% endblock %}
|
|
|
|
{% block body %}
|
|
|
|
<h1>Following along</h1>
|
|
|
|
<p>I'd highly recommend following along with the details on these pages yourself. While my aim is to document as much as
|
|
|
|
I can to the best of my ability, there will be things I miss, get wrong, or that are out-right newer than these
|
|
|
|
pages! Knowing where the information here came from is key to being able to reproduce the findings yourself. It's
|
|
|
|
also just generally quite fun, and a useful skill.</p>
|
|
|
|
<p>With that out of the way, you might then ask <i>how</i> to follow along. We're going to be getting nitty and gritty
|
|
|
|
with some games, bemani specifically, so the very first step is to get your hands on one of those. Because we're
|
|
|
|
going to want to poke around, we need a version of the game running on our PC (or in a VM), rather than on a
|
|
|
|
cabinet. If you feel like starting with a real cabinet, <a href="https://mon.im/2017/12/konami-arcade-drm.html">mon
|
|
|
|
has a great blog post</a> about that.</p>
|
|
|
|
<p>The majority of direct references to code are based on Sound Voltex 4. The specific build I'm using in most snippets
|
|
|
|
is KFC-2019020600; no need to be on private websites to be able to make use of that information.</p>
|
|
|
|
<hr>
|
|
|
|
<p>Depending on what you have, you may be staring at a working game at this point, or a big network error. Either way,
|
|
|
|
you're sorted.</p>
|
|
|
|
|
|
|
|
<h2>Static vs dynamic analysis</h2>
|
|
|
|
<p>Quick detour here. In reverse engineering (what we're doing!) you'll often hear these two terms used.</p>
|
|
|
|
<p>Static analysis is when we have a copy of the content, be that custom file formats, executable files, you name it,
|
|
|
|
and we aim to identify how they work without running them. This can be very powerful, as it allows us to reverse
|
|
|
|
engineer things we either can't or don't want to run. For example, we can perform static analysis of <i>any</i>
|
|
|
|
program on a modern desktop PC, even a program written for an old games console. If you're sat staring at a network
|
|
|
|
error right now, that's also a great example of the sorts of problems static analysis allows us to work around.</p>
|
|
|
|
<p>Dynamic analysis, as you may now have guessed, is when we start the program in question, and poke around while it's
|
|
|
|
running. This poking can vary wildly; you might be curious about the values in memory during the execution of a
|
|
|
|
function identified during static analysis, maybe you want to look at network traffic being created while the
|
|
|
|
program runs, or maybe you just want to use the program normally to understand how it's intended to function.</p>
|
|
|
|
<p>We're going to be doing a lot of both, so strap in!</p>
|
|
|
|
|
|
|
|
<h2>Setting up our workspace</h2>
|
|
|
|
<p>There are a few essential tools every reverse engineer should have in their toolbox:</p>
|
|
|
|
<ul>
|
|
|
|
<li>A <dfn title="Interprets machine code, converting it to human-readable assembly">disassembler</dfn></li>
|
|
|
|
<li>A <dfn title="Allows reading of binary files">hex editor</dfn></li>
|
|
|
|
<li>A <dfn title="Able to connect to a running program and show us internal information about it">debugger</dfn>
|
|
|
|
</li>
|
|
|
|
<li>A <dfn
|
|
|
|
title="Takes assembly from a disassembler, and attempts to guess what the original source code may have looked like">decompiler</dfn>
|
|
|
|
(incredibly useful but not essential)</li>
|
|
|
|
</ul>
|
|
|
|
<p>I'm going to be using:</p>
|
|
|
|
<ul>
|
|
|
|
<li><a href="https://ghidra-sre.org/">Ghidra</a>: Disassembler and decompiler</li>
|
|
|
|
<li><a href="https://hex-rays.com/ida-pro/">IDA</a>: Decompiler (for a second opinion; the decompiler isn't in the
|
|
|
|
free version)</li>
|
|
|
|
<li><a href="http://www.flexhex.com/">FlexHex</a>: Hex editor (there are <i>so</i> many free options here, so shop
|
|
|
|
around)</li>
|
|
|
|
<li><a href="https://visualstudio.microsoft.com/vs/community/">Visual Studio</a>: Debugger</li>
|
|
|
|
<li><a href="https://www.wireshark.org/">Wireshark</a>: Network captures</li>
|
|
|
|
</ul>
|
|
|
|
<p><small><i>(Ghidra has a debugger now, but I'm yet to play around with it enough to ditch VS)</i></small></p>
|
|
|
|
|
|
|
|
<h2>Setting up Ghidra</h2>
|
|
|
|
|
|
|
|
<p>When you start Ghidra for the very first time, you will be presented with an empty screen. You'll need to create a
|
|
|
|
new project; the name and location aren't especially important, but try and keep them sensible. After that, you can
|
|
|
|
drag a file (libavs-win32.dll from your game is a good choice here) into the window. It will ask a series of
|
|
|
|
questions; just acccept the defaults for everything. Once it's loaded, double click on the file to open the code
|
|
|
|
browser. You will be asked if you would like Ghidra to automatically analise the file for you. Yes!</p>
|
|
|
|
<p>The interface can be pretty intimiading to start with, but there are a few important parts to note. Your window
|
|
|
|
likely looks different to mine here, but the general layout will be roughly the same.</p>
|
|
|
|
|
|
|
|
<img src="{{ROOT}}/images/ghidra.png">
|
|
|
|
|
|
|
|
<p>Everything in the interface is a draggable window, and can be popped out of the main window, so don't be afraid to
|
|
|
|
move things around if that helps. For example, I added the bookmarks window below my disassembler and decompiler,
|
|
|
|
because I use it quite frequently.</p>
|
|
|
|
|
|
|
|
<h3>Key things to know in Ghidra:</h3>
|
|
|
|
<ul>
|
|
|
|
<li>Double click on any label, function, or address to jump to that item. Alt+left and alt+right navigate through
|
|
|
|
your location history.</li>
|
|
|
|
<li>Middle click on any item to highligh all occurances of it (can be rebound to left click if you prefer it as
|
|
|
|
default)</li>
|
|
|
|
<li><code>L</code> will rename the item the cursor is over, and <code>Ctrl+L</code> will change the type of the item
|
|
|
|
(in the decompiler).</li>
|
|
|
|
<li><code>G</code> will open the jump popup. You can type an address, function name, label, etc. here</li>
|
|
|
|
<li><code>S</code> to open search. If at first you aren't seeing results, you may need to switch to searching
|
|
|
|
<code>All Blocks</code>.
|
|
|
|
</li>
|
|
|
|
<li>There are a bunch of useful tools in the <code>Window</code> dropdown at the top! Have a play around; you can't
|
|
|
|
break anything.</li>
|
|
|
|
<li><code>;</code> allows you to add a comment to any line</li>
|
|
|
|
<li>In the disassembly: <code>T</code> to change the type of the data at the cursor, <code>D</code> to disassemble
|
|
|
|
at the cursor, <code>F</code> to create a function at the cursor, <code>Del</code> to delete a function, and
|
|
|
|
<code>C</code> to clear the selected data, returning it back to unknown bytes.
|
|
|
|
</li>
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
<h2>Setting up Wireshark</h2>
|
|
|
|
<p>While less conventional as a dynamic analysis tool, Wireshark is an invaluable tool when working with network-related
|
|
|
|
tasks.</p>
|
|
|
|
<p>Either by editing <code>prop/ea3-config.xml</code>, or using spicecfg, pick a totally bogus service URL, with a
|
|
|
|
distinct port. I'm going to use <code>http://127.0.0.1:54321</code>. Now start Wireshark, click once on the "adapter
|
|
|
|
for loopback traffic capture", then in the capture filter enter <code>port 54321</code> (edit as required). Hit
|
|
|
|
enter, and you'll start capturing. When you now start the game, some things will pop up but because we didn't have
|
|
|
|
anything listening on that port (hopefully!) every attempt at communication was an error.</p>
|
|
|
|
<p>To rememdy this, let's run something on that port! It can be quite literally anything. <code>nc -lvp 54321</code>
|
|
|
|
will do, if you have netcat. With wireshark still running, restart the game. This time something interesting should
|
|
|
|
appear! If all went to plan, a green <code>HTTP</code> packet should show up.</p>
|
|
|
|
<img src="{{ROOT}}/images/wireshark.png">
|
|
|
|
<p>Clicking on it, we can see additional details. If we expand the blue HTTP section, and then the <code>Data</code>
|
|
|
|
section at the bottom of that, we can view the raw data that was included in this HTTP POST request.</p>
|
|
|
|
<p>Wireshark is surprisingly flexible. Notice how in my screenshot the packet was identified as <code>XRPC</code>? I
|
|
|
|
wrote a relatively simple protocol dissector, which allows me to view the contents of XRPC packets directly within
|
|
|
|
Wireshark. While I might share it if I clean it up, it only took an hour or so in an evening to write; my aim is
|
|
|
|
that these documents provide everything you could ever need to be able to quickly write your own too.</p>
|
|
|
|
<img src="{{ROOT}}/images/wireshark2.png">
|
|
|
|
|
|
|
|
<h2>Setting up Visual Studio</h2>
|
|
|
|
<p>Saved the worst for last, I'm afraid. Once visual studio starts, drag the exe you use to start the game into it. Odds
|
|
|
|
are this is <code>spice.exe</code>. Visual Studio, in stark contrast to Ghidra, is totally barren.</p>
|
2022-04-11 20:40:28 +02:00
|
|
|
<img src="{{ROOT}}/images/vs.png" class="graphic">
|
2022-01-17 23:10:57 +01:00
|
|
|
<p>When you press the start button, VS will likely ask you to restart it in elevated mode; go ahead and do that.</p>
|
2022-04-11 20:40:28 +02:00
|
|
|
<img src="{{ROOT}}/images/vs2.png" class="graphic">
|
2022-01-17 23:10:57 +01:00
|
|
|
<p>Wow. That's a lot more stuff, but it all seems a bit empty? As a debugger, VS only allows you to poke around while
|
|
|
|
the program is paused. We can manually pause using the pause icon at the top, which would normally be sufficient.
|
|
|
|
Unforunately, in our case, we're looking at a far bigger project. Odds are when you pause the program you will get a
|
|
|
|
message that it's running "external" code, or you end up somewhere totally random.</p>
|
|
|
|
<p>To solve this, we can setup VS to automatically pause for us.
|
|
|
|
<code>Debug -> New Breakpoint -> Function Breakpoint</code> is the option we use to do this. VS will then
|
|
|
|
allow us to enter a... function name? Aah. The expectation being made here is that we are debugging our own program,
|
|
|
|
and have the full source code. Thankfully, we can instead enter an address here, by prefixing its address with
|
|
|
|
<code>0x</code>. This is where both static and dynamic analysis work together.
|
|
|
|
</p>
|
|
|
|
<p>If you run the program again now (stop it if it's still running) Visual Studio will know to automatically pau- not so
|
|
|
|
fast. The addresses we can see listed in Ghidra are the addresses we would expect, if the program was being loaded
|
|
|
|
into memory at its "normal" location. Unfortunately for us, that can make genuinely malicious code easier, so a
|
|
|
|
system called <a href="https://en.wikipedia.org/wiki/Address_space_layout_randomization">ASLR</a> is used to
|
|
|
|
randomise the addresses the program will use. This reallly sucks for dynamic analysis.</p>
|
|
|
|
<p>Thankfully, we don't need to turn it off for our whole computer. We're going to use a tool called <a
|
|
|
|
href="https://petoolse.github.io/petools/">PE Tools</a>. After starting the program, drag the DLL we're curious
|
|
|
|
about onto it, <code>libavs-win32.dll</code>, for example. We need to lie to Windows that this DLL is not
|
|
|
|
actually able to handle having its addresses randomised, which involves turning off <code>DLL can move</code>. This
|
|
|
|
is going to directly edit the DLL file, so if you happen to be seeding it, consider this your warning to copy
|
|
|
|
everything over to a different folder before continuing.</p>
|
|
|
|
<img src="{{ROOT}}/images/petools.png">
|
|
|
|
<p>At this point, we can return to Visual Studio and add our breakpoint as previously. If you've been following along,
|
|
|
|
<code>0x1000A920</code> is a good breakpoint to test. It's quite likely however that the breakpoint won't be hit.
|
|
|
|
This is, to the best of my knowledge, an issue in VS. Delete the breakpoint, and this time start the program then
|
|
|
|
hit the pause button immediatly. Only once paused, re-add the breakpoint, then continue execution.
|
|
|
|
</p>
|
2022-04-11 20:40:28 +02:00
|
|
|
<img src="{{ROOT}}/images/vs3.png" class="graphic">
|
2022-01-17 23:10:57 +01:00
|
|
|
<p>The breakpoint should be hit almost right away. This is because that address is one of the logging functions :). In
|
|
|
|
the bottom left, a list of registers are shown. This particular function takes its values via the stack, so paste
|
|
|
|
the ESP register's value into the address box of the memory viewer. Right clicking, we can switch to
|
|
|
|
<code>4-byte</code> mode, and can now see the stack clearly. The second number you see (ESP+0x04) is, in this case,
|
|
|
|
the first argument to the function. Jumping to that value, we can see what it was about to log. In my case it was
|
|
|
|
simply <code>ea3-boot</code>, but expect it to be different for you.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
{% endblock %}
|