Kevin Fisher

tales from a .net programmer


Creating an Extensible Packet Manipulation System for an Online Game

Introduction

Many reverse engineers get their first taste of reverse engineering by tinkering with video games. Games make fun targets because they have such a wide range of possible exploits and modification opportunities.

The most common way to modify a game’s behavior is by editing the binary directly. Usually, a debugger is employed to observe a particular routine with some sort of check that the user wishes to eliminate. As an example, perhaps a game checks if a user has a sufficient amount of mana power before allowing the player to cast a skill. Much of the time, this boils down to a compare and a conditional jump on the binary level. By modifying the code, the check can be modified in a way that always lets the player use the skill.

These sorts of patches can be powerful, but they are also limited in the scope of possible exploits. It becomes difficult to do much more than modify...



Exploitation of Windows DEP to Implement Stealth Breakpoints

Note: The method described in this post only applies to 32-bit targets.

Background

The ability to debug live is key to reverse engineering a binary sample. However, most malware implements measures to detect debuggers and the breakpoints they use.

While analyzing a sample, I ran into this problem. The sample contained various methods to eliminate the use of virtually all types of breakpoints that I could find. I was able to implement breakpoints using data execution prevention, a security feature in modern processors.

Software breakpoints are usually implemented by placing an interrupt opcode (0xCC) at the location where a debugger wants to break. When executed, this raises an exception that the debugger is able to catch and handle. The debugger can then restore the original instruction bytes that were present before the breakpoint was placed. This method of creating...
