You may have seen a similar article I wrote before, why do you have to repeat it? I just want to better help beginners understand virus reverse analysis and system security, and be more systematic without destroying the previous series. Therefore, I reopened this column to prepare systematically and in-depth study of system security, reverse analysis and malicious code detection. The "System Security" series of articles will be more focused, more systematic, and more in-depth. It is also the author's slow growth history. Changing majors is really difficult. Reverse analysis is also a hard part, but I also try to see how much I can learn from it in the next four years. The long journey is long and I tend to go to Hushan. Enjoy the process, come on together~
The author of the system security series will conduct in-depth research on malicious sample analysis, reverse analysis, offensive and defensive combat and Windows vulnerability exploitation, etc., and learn from bloggers through online notes and practical operations, hoping to make progress with you. The previous article popularized the basic usage of OllyDbg and the CrakeMe case; this article will explain in detail the reverse analysis usage of OllyDbg and Cheat Engine tools, and complete the game assistant of Plants vs. Zombies, including the two functions of modifying the sun value and automatically picking up the sun. Hope to get started Of classmates are helpful.
Without further ado, let us start a new journey! Your likes, comments, and favorites will be your greatest support to me. I am grateful to go all the way on the safe road. If there is any bad writing, you can contact me to modify it. Basic article, I hope it will be helpful to you. The author's purpose is to make progress with the safety people. Come on~
Article Directory
Author's github resources:
- System Security: https://github.com/eastmountyxz/SystemSecurity-ReverseAnalysis
- Network Security: https://github.com/eastmountyxz/NetworkSecuritySelf-study
Preamble analysis:
- [System Security] 1. What is reverse analysis, the basis of reverse analysis and the reverse of classic minesweeping games
- [System Security] 2. How to learn reverse analysis and Lü Buchuan game reverse case
- [System Security] III. IDA Pro disassembly tool first knowledge and reverse engineering decryption actual combat
- [System Security] 4. The basic usage of OllyDbg dynamic analysis tool and the reverse cracking of Crakeme
- [System Security] 5. OllyDbg and Cheat Engine tools reverse analysis of the Plants vs. Zombies game
Statement: I firmly oppose the use of teaching methods to commit crimes. All criminal behaviors will be severely punished. We need to maintain the green network together. It is recommended that you understand the principles behind them and better protect them.
1. VS memory address view
Before explaining the reverse analysis of the game by OllyDbg and Cheat Engine tools, I want to popularize the basic concepts of memory addresses and create a project to explain the relationship between memory, address, and value.
The first step is to open VS2019 to create an empty project "RE_ZWDZJS01", and then add the main.cpp source file.
As shown in the figure below, right-click the project, "Add" -> "New Item", and create the main.cpp file.
The second step is to add code as shown below. We try to view the location of the variable in memory.
Among them, %# indicates the output prompt mode, if it is octal, add 0 in front, if it is decimal, no characters are added, if it is hexadecimal, it will add 0x.
#include "stdio.h"
int main()
{
int x = 1000;
//内存中查看值得位置
printf("%#X\n", &x);
//暂停
getchar();
return 0;
}
We try to add a breakpoint and then run the program.
The third step, press F5 to debug, the output result is 0x12FFCDC.
- 0x12FFCDC
The fourth step, then we need to view this value in the memory, select "Debug" -> "Window" -> "Memory", and then choose a "Memory".
Enter the address "0x12FFCDC".
Then we turn on the programmer computer and we can see that the hexadecimal number corresponding to 1000 is 3E8, which is exactly the same as E8 03 00 00 above.
- E8 03 00 00
Note that only one byte is displayed here. If we right-click and select to convert to 4 bytes, the complete value can be displayed, as shown in the figure below.
- 0x000003e8
At this point, the VS simple method of viewing memory is introduced. The principle is analogous to:
- Memory --> Hotel
- Address --> House number
- Value --> Passenger A
So, how do we change "Passenger A" to "Passenger B"? This requires finding "Passenger A" in the hotel through the house number and then replacing it. However, the authority needs to be elevated before the subsequent operations can be carried out. Similarly, in the game, if we want to modify the value in the memory, we also access the value through the address and then modify it, and we need to elevate the permissions before modifying it. The specific operation mainly includes four steps:
- The first step is to find the game window
- The second step is to find the process ID through the window
- The third step is to open the process through the process ID
- The fourth step is to complete the content modification through the open process
After explaining this basic knowledge, let's start the reverse engineering of Plants vs. Zombies!
2. Cheat Engine reversely modify the sunlight value
Modifying the sunshine value is actually to modify the game score, energy, blood volume, attack power, etc. The principle is to modify the value in the memory through the address. The Cheat Engine tool is mainly used here.
The first step is to open the running Plants vs. Zombies game through the Cheat Engine tool.
The second step is to enter the number "100" and click "First Scan".
762 results were returned.
The third step is to play the game repeatedly and enter the corresponding number to "scan again", for example, enter the number "150" and click "Scan again".
In the end we got a result with the address:
- 0x207FB5A0
The fourth step is to open the task manager, then select the Plants vs. Zombies game, right-click and select the "Go to Details" button.
The display result is shown in the figure below, where the process ID of Plants vs. Zombies is obtained.
- PID:3256
After understanding the principle, the next step is to write code to modify the sunlight value.
The fifth step, before writing the C language code to modify the parameters of Yangguan, first explain the search window function and FindWindow function of Spy++.
We can see in VS that the FindWindow function includes two parameters, namely the type of window and the title of the window.
FindWindow(
lpClassName, {
窗口的类名}
lpWindowName: PChar {
窗口的标题}
);
Here we can use Spy++ to help explain.
Select the search window (the fifth from the left) button in the pop-up interface.
Then move to select the game window to view the corresponding information, which includes the window handle, as shown in the figure below. So next we can search by title and class.
- Title: Plants vs. Zombies Chinese Version
- Class: MainWindow
The sixth step is to write the core C language code to implement related game modification functions.
Find the process ID through the GetWindowThreadProcessld function.
DWORD GetWindowThreadProcessld(
HWND hwnd, //窗口句柄
LPDWORD lpdwProcessld //接收进程标识的32位值的地址
);
Open an existing process object through the OpenProcess function and return the handle of the process.
HANDLE OpenProcess(
DWORD dwDesiredAccess, //渴望得到的访问权限(标志)
BOOL bInheritHandle, //是否继承句柄
DWORD dwProcessId //进程标示符
);
Write the memory area of a process through the WriteProcessMemory function. Note that writing directly will cause an Access Violation error, so the entry area of this function must be accessible, otherwise the operation will fail.
BOOL WriteProcessMemory(
HANDLE hProcess, //由OpenProcess返回的进程句柄
LPVOID lpBaseAddress, //要写的内存首地址
LPVOID lpBuffer, //指向要写的数据的指针
DWORD nSize, //要写入的字节数
LPDWORD lpNumberOfBytesWritten
);
The complete code is as follows:
#include "stdio.h"
#include "windows.h"
int main()
{
//输入值作为修改阳光参数
int x;
scanf("%d", &x);
//进程ID
DWORD pid;
//1.找到游戏窗口 窗口类型、窗口标题
HWND hwnd = FindWindow(NULL,L"植物大战僵尸中文版");
//2.通过窗口找到进程ID
GetWindowThreadProcessId(hwnd,&pid);
//3.通过进程ip打开进程
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
//4.通过打开进程修改游戏内容
WriteProcessMemory(hProcess, (LPVOID)0x207FB5A0,
(LPVOID)&x,sizeof(x),&pid);
return 0;
}
In the seventh step, when we modify the value, our Plants vs. Zombies Sunshine can be modified accordingly.
Set it to "0" first, and the modification is successful as shown in the figure below, haha! Did you complete a simple game aid?
Then we modify it to 10086, if 360 prompts a warning (Identify remote thread injection), we click "Allow this modification", and finally successfully modify the sunshine value to "10086". We can finally play happily, mother no longer has to worry about my sunshine!
We can also modify the second level, but the window address will change at this time, it becomes 0x2099AE60, modify the core function:
- WriteProcessMemory(hProcess, (LPVOID)0x2099AE60, (LPVOID)&x,sizeof(x),&pid);
Note that if the game has address protection, we can try to inject to modify it. This series of articles only analyzes classic local games. As for online games, it is forbidden to modify or destroy. The principle is to popularize security protection.
The eighth step is to learn to solve the errors encountered in programming independently by Baidu and Google. This is a crucial ability improvement.
Note that if the error "error C4996:'scanf': This function or variable may be unsafe." is prompted, because VS considers the scanf function to be unsafe, you can perform the safety development life cycle SDL check setting.
3. OllyDbg automatically picks up sunlight in reverse
The key to automatic picking is to click the mouse, it will increase if you click on the sun. So we hope to trigger the click sunlight event when the sunlight falls, and then the sunlight address will increase. The preliminary prediction involves two CALL functions.
- The sun appears call
- Determine whether to click on the sun and increase the sun's call
In the first step, when we use Cheat Engine to locate the address of Sunshine, we can select the address and right click to set "Find out what changed this address".
First of all, the address of Plants vs. Zombies at this time is: 0x2099AE60; then right click to change the address and set "find out what changed this address".
- 0x2099AE60
In the second step, after waiting for the next sunlight to pick up, the newly generated value can be obtained in the window shown in the figure below, namely 0x00430A11. Then click the 0x00430A11 address to record the extended information to facilitate the subsequent automatic pickup function.
- 0x00430A11
At the same time, click "Show Disassembler" to form the effect diagram shown in the figure below.
The third step is to use OllyDbg software to open the "PlantsVsZombies.exe" game.
The fourth step, we have located the window address 0x00430A11 of Sunshine earlier, and then press Ctrl+G or right-click "Go to" -> "Expression", and then jump to the specified location.
Jump 0x00430A11 as shown in the figure below:
The fifth step is to press F2 to add a breakpoint and comment to it. The game will stop here when you click the sun to increase the value.
We can check the ECX value, it should be 19, corresponding to 25 in decimal, so guess here is to increase the Yangguan value.
Run the program until the sunlight is picked up, it will automatically stop to the breakpoint position, and the ECX is modified to 0x19, the corresponding sunlight value increases by 25 points. Observing the assembly code, it is found that it is an increase statement, that is, it is verified that it is an increase statement of sunshine.
- 0x00430A11 ADD DWORD PTR DS:[EAX+5560],ECX
The sixth step, click the "Debug" -> "Execute to Return" button (shortcut key Ctrl+F9).
Then jump to the 0x00430AB4 position, as shown in the figure below, pay attention to return to the 0x004314FD position.
- Return address: 0x004314FD
In the seventh step, press F7 at the RETN return point to execute a single step, and you will see that the CALL function is executed. It is not difficult to speculate that this function is a function of increasing sunlight.
- 0x004313F8 CALL PlantsVs.004309D0
Then we add a breakpoint to it, and then run the program again, click to pick up the sun, it will automatically locate the location.
The eighth step, select this sentence for nop operation.
The NOP instruction is equivalent to a null instruction, does not perform any action, and the corresponding hexadecimal byte code is 90. When our software has advertising pop-up windows, we can filter out the pop-up windows through the nop setting.
Then select the line 0x004313F8, right-click "Assembly", and then set it to nop in the pop-up window.
As shown in the figure below, the 0x004313F8 position becomes a NOP null instruction after setting. After setting the NOP of this sentence, we found that the click sunlight value does not increase, thus determining the increase function.
The ninth step, then right-click to undo the modification, and then analyze the assembly code JNZ operation.
At this time, you can see that there is a JNZ operation before the CALL function, which means that it may need to determine the value before entering the function of increasing sunlight. We breakpoint at this JNZ, and then enter the game and click on the sunlight.
- JNZ: jump if not zero, transfer if the result is not zero (or not equal).
After running the program several times and letting it go, we will find that when we click on the sun, the sun will go up. Only when the sun reaches the specified position (upper left corner), the call will be executed to increase the sun value, so we know that this JNZ is mainly Judge whether Yangguan is in place.
Note that you need to set a breakpoint at 0x004313F4 several times and then cancel the running game. After repeated operations, you will find that the sunlight will move to the upper left corner after the JNZ operation is implemented, otherwise it will stop. The author also touched the river a little bit, come on!
The tenth step, continue to execute the program positioning click function.
There is a jump before adding the CALL function of Sunshine (0x0043159B). This CALL will be added after JNZ is executed successfully. We set a breakpoint at JNZ to debug its execution flow.
When we set a breakpoint at JNZ, the running game will suddenly jump to the breakpoint and stop, as shown in the figure below, and there is no operation on the game screen. Then press F7 to run and find that the sun is about to appear.
Sunlight appears as shown in the figure below.
Since the JNZ breakpoint will make the game very stuck, then we cancel the breakpoint, and add a breakpoint to CALL at 0x0043159B. After executing the program, we will find that it will be broken when we click on the sun, so we judge it to be sunlight collection function. This is a typical if-else statement. If it is not clicked, it will always execute the animation CALL, if it is clicked, it will execute the CALL to increase the sunlight.
The eleventh step, the most important step appears, we change jnz to jmp to automatically pick up sunlight.
When we finish the modification, we will find that the sun will automatically increase as soon as it appears, and there is no need to manually click, and finally complete the auxiliary function. Similarly, we can try to write C language to realize related automatic modification, and we will not explain it here.
- JNZ: jump if not zero, transfer if the result is not zero (or not equal).
- JMP: Assemble unconditional jump instructions.
Note that CMP BYTE PTR DS:[EBX+50],0 is a sign to determine whether to collect sunlight, and then perform JNZ or JMP operations. When we click on a plant, the program stops and we can see that the value of 0 is assigned, and JNZ will not jump; when we click on the sunlight, the value of 1 will be assigned and the function is called to collect sunlight.
Four. Summary and study recommendations
At this point, the introduction of this article is complete, I hope it will be helpful to you, and finally I will make a brief summary.
- VS memory address view
- Cheat Engine reversely modify the sunlight value
- OllyDbg automatically picks up sunlight in reverse
After studying safety for a year, I have met many safety leaders and friends. I hope everyone can make progress together. If there are some shortcomings in this article, please ask Haihan. The author is slowly growing up as a beginner in network security! I hope to write related articles more thoroughly in the future. At the same time, I am very grateful to the security experts in the reference for sharing their articles. I know that I am very good and I have to work hard.
Many friends ask me how to learn reverse analysis?
The recommended learning route and safety books are given below. Software retrograde is actually moving bricks. What you need is willfulness and basic skills. The big guys may have a lot of skills, but I hope you can lay down those pits solidly, can understand the code, can write the code, and then use IDA and OD tools (Yitian Tulong) well, soak in the code every day , It will definitely work. You should learn like this:
- Type more code and pay attention to actual combat;
- The program is not written, but called;
- Do projects of a certain scale according to your own interests and market needs.
The following figure development and reverse engineering projects are highly recommended for you to complete. The development of remote control software will help you analyze the Trojan horse. CAD software can improve your C++ analysis ability. It is not so difficult to make a modulator or anti-debugging. Make a small operating system by yourself , Small compiler, task manager, perhaps the reverse principle can be understood.
There are no shortcuts to programming, and there are no shortcuts to reverse engineering. They are all about moving bricks. Whenever you rub the attacking opponent on the ground, you will win and you will gradually develop your own safety experience and skills. Come on, the boy hopes this route will help you and encourage each other.
The newly opened "Nazhang AI Security Home" on August 18, 2020 mainly focuses on Python big data analysis, cyberspace security, artificial intelligence, Web penetration, and offensive and defense technology to explain, while sharing the algorithm implementation of the paper. Nazhang’s House will be more systematic, and will reconstruct all the author’s articles, explain Python and security from scratch, and have written articles for nearly ten years. I really want to share what I have learned and felt. I would also like to invite you to give me your advice and sincerely invite your attention! Thank you.
(By: Eastmount 2020-12-23 Wednesday night in Wuhan https://blog.csdn.net/Eastmount )
References:
[1] Game Aided Development of C Language Reverse Engineering-C Language Plus
[2] Game Aided Production Core-Plants vs. Zombies Reverse Call of Zombies (9)
[3] Game Aided Production Core-Plants vs. Zombies Reversed Plant attack acceleration (6)
[4] Plants vs. Zombies automatically pick up sunlight-TD.Jia
[5] Game Reverse Chapter-Star Xiangrong
[6] [CE Game Reverse] Plants vs. zombies-Simpler_若离