25 files changed, 520 insertions, 0 deletions
diff --git a/source/notes/mono_jit/main.cs b/source/notes/mono_jit/main.cs
new file mode 100644
index 0000000..d87dc51
--- /dev/null
+++ b/source/notes/mono_jit/main.cs
@@ -0,0 +1,13 @@
+public static void Main(System.String[] args) {
+ Console.ReadLine();
+ Console.WriteLine("asdf");
+ for (int i = 0; i < 60; i++) {
+ Console.WriteLine("looping... " + i);
+ Console.ReadLine();
+ mangler();
+ }
+ mangler();
+ Console.WriteLine("once...");
+ mangler();
+ Console.WriteLine("twice!");
+}
diff --git a/source/notes/mono_jit/mono_jit.md b/source/notes/mono_jit/mono_jit.md
new file mode 100644
index 0000000..1f6c073
--- /dev/null
+++ b/source/notes/mono_jit/mono_jit.md
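Review bot: `mangler()` is called four times but never declared in this file, and `Console` is used unqualified with no `using System;` while the signature spells out `System.String[]`, so main.cs cannot be compiled on its own and a reader of the notes that `#include` it has to guess where `mangler` lives. A one-line header such as `// debugging harness for the mono JIT notes; mangler() is defined in a separate file not shown here` would make that explicit, and either `using System;` or `System.Console` throughout would make the qualification consistent. The method also has no enclosing class, so this is an excerpt rather than a compilation unit — worth saying in the same comment. The return value of `Console.ReadLine()` is discarded, so once stdin hits EOF the loop stops pausing and runs all sixty iterations straight through; fine for a hand-driven gdb session, but a short comment saying the ReadLine calls exist only as breakpoints would save the next person from wondering.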
@@ -0,0 +1,267 @@
+```
+(gdb) info address System_Console_ReadLine
+Symbol "System_Console_ReadLine" is a function at address 0x7f9a3ce60f50.
+```
+
+ok, time to look for something close to `0x7f9a3ce60f50` on the stack as a return address.
+
+<div class="codebox"><pre>
+(gdb) x/300xg $rsp
+0x7ffd84d06930: 0x0000000000000000 0x0000000000603f21
+0x7ffd84d06940: 0x0000000002106908 0x32bfbbdd7b4d2300
+0x7ffd84d06950: 0x0000000000000004 0x0000000000000000
+0x7ffd84d06960: 0x00007f9a3ec0a150 0x0000000000000400
+0x7ffd84d06970: 0x00007ffd84d06a80 0x00000000005d7c20
+0x7ffd84d06980: 0x000000003cd61c3d 0x32bfbbdd7b4d2300
+0x7ffd84d06990: 0x0000000000000000 0x00007ffd84d06a60
+0x7ffd84d069a0: 0x00007f9a3ec0a150 0x0000000000000000
+0x7ffd84d069b0: 0x0000000000000400 0x0000000041951b2a
+0x7ffd84d069c0: 0x0000000000000000 0x00007f9a3ec09ff8
+0x7ffd84d069d0: 0x00007f9a3ec0a150 0x0000000000000000
+0x7ffd84d069e0: 0x0000000000000400 0x00000000020b49b0
+0x7ffd84d069f0: 0x00007f9a3ec0a150 0x00007ffd84d06a60
+0x7ffd84d06a00: 0x00007ffd84d069c0 0x00007f9a3cd61b91
+0x7ffd84d06a10: 0x00007ffd84d06a80 0x0000000000000400
+0x7ffd84d06a20: 0x0000000000000000 0x00007f9a3ec0a150
+0x7ffd84d06a30: 0x00007f9a3ec0a068 0x00007f9a3ec0a118
+0x7ffd84d06a40: 0x00007f9a3ec0a170 0x0000000000000007
+0x7ffd84d06a50: 0x00007f9a3ec0a501 0x0000000000000400
+0x7ffd84d06a60: 0x0000000000000400 0x00007f9a3cd60348
+0x7ffd84d06a70: 0x0000000000000000 0x0000000000000400
+0x7ffd84d06a80: 0x00007f9a00000000 0x00007f9a3ec09ff8
+0x7ffd84d06a90: 0x00007f9a3ec0a068 0x00007f9a3ec0a150
+0x7ffd84d06aa0: 0x0000000000000400 0x00007f9a3cd5e517
+0x7ffd84d06ab0: 0x0000000000000400 0x00007ffd84d06d00
+0x7ffd84d06ac0: 0x00007f9a3ec09ff8 0x00007f9a3ec0a150
+0x7ffd84d06ad0: 0x0000000000000000 0x0000000000000400
+0x7ffd84d06ae0: 0x0000000000000400 0x00007f9a3cd5e382
+0x7ffd84d06af0: 0x00000000020f1e30 0x0000000000000000
+0x7ffd84d06b00: 0x00007f9a3ec00628 0x00007ffd84d06c38
+0x7ffd84d06b10: 0x00007f9a3ec0a0b0 0x0000000000000000
+0x7ffd84d06b20: 0x00007f9a3ec00628 0x00007f9a3cbcddc5
+0x7ffd84d06b30: 0x00000000020f1e30 0x00007ffd84d06d00
+0x7ffd84d06b40: 0x0000000000000000 0x00007f9a3ec00628
+0x7ffd84d06b50: 0x00007ffd84d06c38 0x00007f9a3ec0a0b0
+0x7ffd84d06b60: 0x00000000020f1e30 0x00007f9a3cbccc44
+0x7ffd84d06b70: 0x00000000020f1e30 0x0000000000000000
+0x7ffd84d06b80: 0x00007f9a3ec00628 0x00007f9a3ec00628
+0x7ffd84d06b90: 0x00007ffd84d06c38 0x00007f9a00000000
+0x7ffd84d06ba0: 0x00007ffd84d06b60 0x00007f9a3ce78294
+0x7ffd84d06bb0: 0x0000000000000000 0x0000000000000004
+0x7ffd84d06bc0: 0x00007f9a3ec272f8 0x00007ffd84d06c28
+0x7ffd84d06bd0: 0x00007f9a3ec08328 0x00007f9a3cc6f872
+0x7ffd84d06be0: 0x00007f9a3ec272f8 0x00007f9a3ce78a12
+0x7ffd84d06bf0: 0x00000000020f1e30 0x00007ffd84d06fe0
+0x7ffd84d06c00: 0x0000000000000000 0x00007f9a3ec08328
+0x7ffd84d06c10: 0x00007f9a3ec08328 0x0000000041952328
+0x7ffd84d06c20: 0x0000000041952315 0x0000000000000000
+0x7ffd84d06c30: 0x00007f9a00000000 0x00007f9a3ec07800
+0x7ffd84d06c40: 0x00007f9a3ec272f8 0x00007f9a3ce628c4
+<b>0x7ffd84d06c50: 0x00007f9a3ec08328 0x00007f9a3ce61027 <--- this is our winner</b>
+0x7ffd84d06c60: 0x000000004194fe50 0x00007ffd84d06fe0
+0x7ffd84d06c70: 0x0000000000000005 0x000000004194fdca
+0x7ffd84d06c80: 0x000000004194fd50 0x000000004194fd50
+0x7ffd84d06c90: 0x000000004194fd50 0x000000004194ff19
+0x7ffd84d06ca0: 0x000000000000001f 0x0000000000000000
+0x7ffd84d06cb0: 0x31c01d4184d06f90 0x0000000000000000
+0x7ffd84d06cc0: 0x0000000000000000 0x32bfbbdd7b4d2300
+0x7ffd84d06cd0: 0x00000000020908b0 0x00000000020f1e30
+0x7ffd84d06ce0: 0x00007ffd84d06f90 0x000000004194fe50
+0x7ffd84d06cf0: 0x0000000002091d30 0x0000000000000000
+0x7ffd84d06d00: 0x00007ffd84d06f90 0x00000000004266b8
+0x7ffd84d06d10: 0x00000000020ed240 0x000000000208df90
+0x7ffd84d06d20: 0x0000000000000000 0x00000000020f9c00
+0x7ffd84d06d30: 0x0000000000000025 0x0000000000000000
+0x7ffd84d06d40: 0x0000000000000000 0x0000000000000000
+0x7ffd84d06d50: 0x000000000209bfa8 0x00007f9a00000000
+0x7ffd84d06d60: 0x0000000000000000 0x00007f9a3f733b20
+0x7ffd84d06d70: 0x0000000000000026 0x0000000000000025
+0x7ffd84d06d80: 0x00007ffd84d06df4 0x00007f9a3f749c89
+0x7ffd84d06d90: 0x0000000000000000 0x00000000006366fe
+0x7ffd84d06da0: 0x00007f9a401b4130 0x00000000020f1d80
+0x7ffd84d06db0: 0x00007ffd84d071f0 0x00007f9a3f3f398c
+0x7ffd84d06dc0: 0x00007ffd84d071f0 0x00007f9a3f3f35d4
+0x7ffd84d06dd0: 0x00000000020af860 0x0000000000632060
+0x7ffd84d06de0: 0x00000000020f1d80 0x0000000000000000
+0x7ffd84d06df0: 0x0000000000000000 0x000000000208df90
+0x7ffd84d06e00: 0x00000000020f1d80 0x00000000020f1d80
+0x7ffd84d06e10: 0x00007f9a401b4130 0x00000000020f1d80
+0x7ffd84d06e20: 0x00007ffd84d071f0 0x00007f9a3f3f398c
+0x7ffd84d06e30: 0x0000000000000000 0x32bfbbdd7b4d2300
+0x7ffd84d06e40: 0x00007ffd84d06eb0 0x000000000054537c
+0x7ffd84d06e50: 0x00000000020f1d80 0x000000000208df90
+0x7ffd84d06e60: 0x00000000020f1d80 0x00000000020f1d80
+0x7ffd84d06e70: 0x00007f9a401b4130 0x32bfbbdd7b4d2300
+0x7ffd84d06e80: 0x0000000000000000 0x0000000002091d30
+0x7ffd84d06e90: 0x0000000002091d30 0x0000000000000000
+0x7ffd84d06ea0: 0x00007f9a401b4130 0x00000000020f1d80
+0x7ffd84d06eb0: 0x00007ffd84d071f0 0x00000000005452d9
+0x7ffd84d06ec0: 0x0000000000000000 0x0000000002091d30
+0x7ffd84d06ed0: 0x00000000020911c0 0x0000000002091350
+0x7ffd84d06ee0: 0x0000000000000040 0x00000000020f1d80
+0x7ffd84d06ef0: 0x00007ffd84d071f0 0x000000000055fec6
+0x7ffd84d06f00: 0x0000000000000040 0x0000000002091350
+0x7ffd84d06f10: 0x00007f9a3ec00388 0x32bfbbdd7b4d2300
+0x7ffd84d06f20: 0x00007f9a401b4130 0x0000000002091d30
+0x7ffd84d06f30: 0x00000000020911c0 0x0000000000000000
+0x7ffd84d06f40: 0x00007f9a401b4130 0x00000000005b910a
+0x7ffd84d06f50: 0x000000000208df90 0x32bfbbdd7b4d2300
+0x7ffd84d06f60: 0x00007f9a401b4130 0x0000000002091d30
+0x7ffd84d06f70: 0x00007ffd84d06fe0 0x0000000000000000
+0x7ffd84d06f80: 0x00000000020f1d80 0x00007ffd84d071f0
+0x7ffd84d06f90: 0x0000000000000000 0x00000000005ac68d
+0x7ffd84d06fa0: 0x000000000208df90 0x0000000002091d30
+0x7ffd84d06fb0: 0x0000000000000000 0x0000000000000000
+0x7ffd84d06fc0: 0x00007f9a401b4130 0x00000000005ae9cc
+0x7ffd84d06fd0: 0x000000000208df90 0x0000000000000000
+0x7ffd84d06fe0: 0x00007f9a3ec00328 0x32bfbbdd7b4d2300
+0x7ffd84d06ff0: 0x00007ffd84d07484 0x000000000208df90
+0x7ffd84d07000: 0x0000000000000001 0x00000000020ed390
+0x7ffd84d07010: 0x0000000000000000 0x0000000000476967
+0x7ffd84d07020: 0x0000000000000000 0x00000000161169ff
+0x7ffd84d07030: 0x0000000000000000 0x0000000000000000
+0x7ffd84d07040: 0x0000000000000000 0x0000000000000000
+0x7ffd84d07050: 0x0000000000000004 0x0000000000000000
+0x7ffd84d07060: 0x0000000000000000 0x0000000000000000
+0x7ffd84d07070: 0x0000000000000000 0x0000000000000000
+0x7ffd84d07080: 0x0000000000000002 0x0000000100000001
+0x7ffd84d07090: 0x0000000000639710 0x000000000208df90
+0x7ffd84d070a0: 0x00007ffd84d071e0 0x0000000000000002
+0x7ffd84d070b0: 0x0000000000000000 0x0000000000422c0e
+0x7ffd84d070c0: 0x0000000000000001 0x32bfbbdd7b4d2300
+0x7ffd84d070d0: 0x0000000000000000 0x0000000000000000
+0x7ffd84d070e0: 0x0000000000639710 0x0000000000422e50
+0x7ffd84d070f0: 0x00007ffd84d071e0 0x0000000000000000
+0x7ffd84d07100: 0x0000000000000000 0x00007f9a3f390830
+0x7ffd84d07110: 0x0000000000000000 0x00007ffd84d071e8
+0x7ffd84d07120: 0x0000000240290ca0 0x0000000000422be0
+0x7ffd84d07130: 0x0000000000000000 0x42f8e52f22cfd5b5
+0x7ffd84d07140: 0x0000000000422e50 0x00007ffd84d071e0
+0x7ffd84d07150: 0x0000000000000000 0x0000000000000000
+0x7ffd84d07160: 0xbd03ec48eecfd5b5 0xbdcc9b9a033fd5b5
+0x7ffd84d07170: 0x00007ffd00000000 0x0000000000000000
+0x7ffd84d07180: 0x0000000000000000 0x0000000000639780
+0x7ffd84d07190: 0x00007f9a4007b8e0 0x00007f9a4007b5fb
+0x7ffd84d071a0: 0x0000000000000000 0x0000000000000000
+0x7ffd84d071b0: 0x0000000000422e50 0x00007ffd84d071e0
+0x7ffd84d071c0: 0x0000000000000000 0x0000000000422e79
+0x7ffd84d071d0: 0x00007ffd84d071d8 0x000000000000001c
+0x7ffd84d071e0: 0x0000000000000002 0x00007ffd84d0747f
+0x7ffd84d071f0: 0x00007ffd84d07484 0x0000000000000000
+0x7ffd84d07200: 0x00007ffd84d0748e 0x00007ffd84d07499
+0x7ffd84d07210: 0x00007ffd84d074aa 0x00007ffd84d074bd
+0x7ffd84d07220: 0x00007ffd84d074da 0x00007ffd84d074eb
+0x7ffd84d07230: 0x00007ffd84d074fb 0x00007ffd84d07507
+0x7ffd84d07240: 0x00007ffd84d07519 0x00007ffd84d07529
+0x7ffd84d07250: 0x00007ffd84d07536 0x00007ffd84d07565
+0x7ffd84d07260: 0x00007ffd84d07aed 0x00007ffd84d07b1c
+0x7ffd84d07270: 0x00007ffd84d07b33 0x00007ffd84d07e50
+0x7ffd84d07280: 0x00007ffd84d07e71 0x00007ffd84d07e81
+</pre></div>
+
+0x7ffd84d06c58: 0x00007f9a3ce61027 <-- this is a return address to the native code Console.ReadLine()
+
+which means slightly further up the stack:
+
+0x7ffd84d06c78: 0x000000004194fdca <-- this is a return address to the caller of Console.ReadLine() (this is main)
+
+Main(), for comparison:
+<div class="codebox">
+```cs
+#include main.cs
+```
+</div>
+
+<div class="codebox"><pre>
+(gdb) x/10i 0x000000004194fdca
+ 0x4194fdca: nop
+ 0x4194fdcb: callq 0x41953b10 <-- so this is the last statement in main - mangler()
+ 0x4194fdd0: inc %r15d <-- this is i++ in the loop on line 4 of main
+ 0x4194fdd3: cmp $0x3c,%r15d
+ 0x4194fdd7: jl 0x4194fd78
+ 0x4194fdd9: xchg %ax,%ax
+ 0x4194fddb: callq 0x4194fe26
+ 0x4194fde0: movabs $0x7f9a401a4158,%rdi
+ 0x4194fdea: movabs $0x4194fe1c,%r11
+ 0x4194fdf4: callq *%r11
+</pre></div>
+
+this makes sense as a return address because we see the first thing after ReadLine(), which is mangler()!
+
+stepping back a little:
+
+<div class="codebox"><pre>
+(gdb) x/30i 0x000000004194fdb0
+ 0x4194fdb0: movabs $0x7f9a3ce609d0,%r11 <- pointer to native code System_Console_ReadLine()
+ 0x4194fdba: callq *%r11
+ 0x4194fdbd: movabs $0x7f9a3ce60f50,%r11 <- pointer to native code System_Console_WriteLine()
+ 0x4194fdc7: callq *%r11
+ 0x4194fdca: nop
+ 0x4194fdcb: callq 0x41953b10 <- mangler()
+ 0x4194fdd0: inc %r15d
+ 0x4194fdd3: cmp $0x3c,%r15d
+ 0x4194fdd7: jl 0x4194fd78 <- loop end
+ 0x4194fdd9: xchg %ax,%ax
+ 0x4194fddb: callq 0x4194fe26 <- also mangler()??
+ 0x4194fde0: movabs $0x7f9a401a4158,%rdi <- ???
+ 0x4194fdea: movabs $0x4194fe1c,%r11 <- ???
+ 0x4194fdf4: callq *%r11 <- ???
+ 0x4194fdf7: callq 0x4194fe26
+ 0x4194fdfc: movabs $0x7f9a401a4180,%rdi
+ 0x4194fe06: movabs $0x4194fe1c,%r11
+ 0x4194fe10: callq *%r11
+ 0x4194fe13: mov (%rsp),%r15
+ 0x4194fe17: add $0x18,%rsp
+ 0x4194fe1b: retq <- main's end, whew
+</pre></div>
+
+looking at the weird mangler() call:
+<div class="codebox"><pre>
+(gdb) x/10i 0x4194fe26
+ 0x4194fe26: callq 0x40ee3000
+ 0x4194fe2b: add $0xf0,%al
+ 0x4194fe2d: lahf
+ 0x4194fe2e: lar %ax,%ebp
+ 0x4194fe31: lret
+ 0x4194fe32: xor %ebx,-0x1(%rcx)
+ 0x4194fe35: add $0xf0,%al
+ 0x4194fe37: cmp %cl,(%rdi)
+ 0x4194fe39: add %al,%ch
+ 0x4194fe3b: (bad)
+</pre></div>
+
+the only part of this that makes sense is the callq 0x40ee3000 - the rest is... nonsense-y. long return, really??? maybe at the call site we'll see something useful...
+
+<div class="codebox"><pre>
+(gdb) x/70i 0x40ee3000
+ 0x40ee3000: mov %r11,-0xd0(%rsp)
+ 0x40ee3008: pop %r11 <------------ WHAT
+ 0x40ee300a: push %rbp
+ 0x40ee300b: mov %rsp,%rbp
+ 0x40ee300e: sub $0x160,%rsp
+ 0x40ee3015: sub $0x5,%r11
+ 0x40ee3019: mov %r11,-0x10(%rbp)
+ 0x40ee301d: mov %rax,-0x128(%rbp)
+ 0x40ee3024: mov %rcx,-0x120(%rbp)
+ 0x40ee302b: mov %rdx,-0x118(%rbp)
+ 0x40ee3032: mov %rbx,-0x110(%rbp)
+ 0x40ee3039: mov %rsp,%r11
+ 0x40ee303c: add $0x170,%r11
+ 0x40ee3043: mov %r11,-0x108(%rbp)
+ 0x40ee304a: mov 0x0(%rbp),%rax
+ 0x40ee304e: mov %rax,-0x100(%rbp)
+ 0x40ee3055: mov %rsi,-0xf8(%rbp)
+ 0x40ee305c: mov %rdi,-0xf0(%rbp)
+ 0x40ee3063: mov %r8,-0xe8(%rbp)
+ 0x40ee306a: mov %r9,-0xe0(%rbp)
+ 0x40ee3071: mov %r10,-0xd8(%rbp)
+ 0x40ee3078: mov %r12,-0xc8(%rbp)
+ 0x40ee307f: mov %r13,-0xc0(%rbp)
+ 0x40ee3086: mov %r14,-0xb8(%rbp)
+ 0x40ee308d: mov %r15,-0xb0(%rbp)
+ 0x40ee3094: mov 0x8(%rbp),%r11
+ 0x40ee3098: mov %r11,-0xa8(%rbp)
+ 0x40ee309f: movsd %xmm0,-0xa0(%rbp)
+</pre></div>
+
+that pop pops the return address of this function, 0x4194fe2b, into r11, meaning we actually return to the *caller* of 0x4194fe26, back into main. so this method must use that pointer as information and probably is a 'patch-and-invoke' mechanism. the `sub $0x5, %r11` at 0x40ee3015 seals the deal, because that moves r11 back 5 bytes to point to the call here.
diff --git a/source/notes/star_trek_armada/Armada.exe b/source/notes/star_trek_armada/Armada.exe
Binary files differ
new file mode 100644
index 0000000..8323e01
--- /dev/null
+++ b/source/notes/star_trek_armada/Armada.exe
diff --git a/source/notes/star_trek_armada/Armada.exe.bak b/source/notes/star_trek_armada/Armada.exe.bak
Binary files differ
new file mode 100644
index 0000000..18c24db
--- /dev/null
+++ b/source/notes/star_trek_armada/Armada.exe.bak
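Review bot: The two annotations on the `x/30i 0x000000004194fdb0` listing appear to be swapped: gdb reported `System_Console_ReadLine` at `0x7f9a3ce60f50` at the top of the note, yet the `movabs $0x7f9a3ce60f50,%r11` at `0x4194fdbd` is labelled `System_Console_WriteLine()` while the `$0x7f9a3ce609d0` load at `0x4194fdb0` is labelled `ReadLine()`. The loop body in main.cs is WriteLine, then ReadLine, then mangler(), and the "winner" return address `0x7f9a3ce61027` sits just past `0x7f9a3ce60f50`, both of which agree with `0x7f9a3ce60f50` being ReadLine; suggest `<- pointer to native code System_Console_WriteLine()` on the `0x4194fdb0` line and `<- pointer to native code System_Console_ReadLine()` on the `0x4194fdbd` line. The `<-- so this is the last statement in main - mangler()` remark on `0x4194fdcb` describes the last statement of the for-loop body rather than of main; the listing shows two more calls to `0x4194fe26` after the loop at `0x4194fddb` and `0x4194fdf7`, which the note itself tags as mangler(). The 'patch-and-invoke' conclusion is inferred from `pop %r11` / `sub $0x5,%r11` saving the call-site address, but the listing stops before anything is written back to that address, so it would be fairer to the reader to mark it as a hypothesis still to be confirmed.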
diff --git a/source/notes/star_trek_armada/Armada.exe_pristine b/source/notes/star_trek_armada/Armada.exe_pristine
Binary files differ
new file mode 100755
index 0000000..cbc4a44
--- /dev/null
+++ b/source/notes/star_trek_armada/Armada.exe_pristine
diff --git a/source/notes/star_trek_armada/IGNORE_FILES b/source/notes/star_trek_armada/IGNORE_FILES
new file mode 100644
index 0000000..ba52fcc
--- /dev/null
+++ b/source/notes/star_trek_armada/IGNORE_FILES
@@ -0,0 +1,2 @@
+Armada.exe
+Armada.exe.bak
diff --git a/source/notes/star_trek_armada/armada.png b/source/notes/star_trek_armada/armada.png
Binary files differ
new file mode 100644
index 0000000..1428b81
--- /dev/null
+++ b/source/notes/star_trek_armada/armada.png
diff --git a/source/notes/star_trek_armada/armada_bug.exe.png b/source/notes/star_trek_armada/armada_bug.exe.png
Binary files differ
new file mode 100644
index 0000000..a1eaf5e
--- /dev/null
+++ b/source/notes/star_trek_armada/armada_bug.exe.png
diff --git a/source/notes/star_trek_armada/armada_debug.exe.png b/source/notes/star_trek_armada/armada_debug.exe.png
Binary files differ
new file mode 100644
index 0000000..5019907
--- /dev/null
+++ b/source/notes/star_trek_armada/armada_debug.exe.png
diff --git a/source/notes/star_trek_armada/cd_check b/source/notes/star_trek_armada/cd_check
new file mode 100644
index 0000000..ac096a5
--- /dev/null
+++ b/source/notes/star_trek_armada/cd_check
@@ -0,0 +1,10 @@ + [36m [0m[32m0x0044053b[0m [33m68[37mf8[37mac[33m5f[32m00[0m [35mpush[36m [33mstr.Track_verification__s.[0m[0m[31m ; 0x5facf8[31m ; "Track verification %s."[0m + [36m [0m[32m0x00440540[0m [31mff[37m15[33m78[36m7f[33m6d[32m00[0m [1;32mcall dword [sym.imp.MSVCRT.dll_printf][0m[31m ; 0x6d7f78[0m + [36m [0m[32m0x00440546[0m [37m83[37mc4[37m08[0m [33madd[36m esp[0m,[36m[36m [33m8[0m[0m[0m + [36m [0m[32m0x00440549[0m [37m85[37mf6[0m [36mtest[36m esi[0m,[36m[36m esi[0m[0m[0m + [36m [0m[32m0x0044054b[0m [37m0f[37m95[37mc0[0m [37msetne[36m al[0m[0m[0m + [36m [0m[32m0x0044054e[0m [37m84[37mc0[0m [36mtest[36m al[0m,[36m[36m al[0m[0m[0m + [36m [0m[32m0x00440550[0m [37m90[0m [34mnop[0m[0m[0m + [36m ,=< [0m[32m0x00440551[0m [37me9[37m8b[32m00[32m00[32m00[0m [32mjmp 0x4405e1[0m[0m + [36m | [0m[32m0x00440556[0m [37mbf[37ma4[37ma9[33m5f[32m00[0m [37mmov[36m edi[0m,[36m[36m [33mstr.Please_insert_Armada_CD[0m[0m[31m ; 0x5fa9a4[31m ; "Please insert Armada CD"[0m + [36m | [0m[32m0x0044055b[0m [37m83[37mc9[31mff[0m [36mor[36m ecx[0m,[36m[36m [33m0xffffffff[0m[0m[0m diff --git a/source/notes/star_trek_armada/find_cd_strcheck b/source/notes/star_trek_armada/find_cd_strcheck new file mode 100644 index 0000000..4d6a273 --- /dev/null +++ b/source/notes/star_trek_armada/find_cd_strcheck @@ -0,0 +1,4 @@ +0x0061a9b4 hit0_0 .-%03d :\ :\[33mPlease insert CD [0m"%s"armadaa. +0 69 6e 73 65 72 74 20 43 44 20 +Searching 17 bytes in [0x401000-0x708000] +
[ ] 0x00404f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00408f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0040cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00410f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00414f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00418f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0041cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00420f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00424f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00428f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0042cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00430f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00434f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00438f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0043cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00440f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00444f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00448f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0044cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00450f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00454f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00458f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0045cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00460f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00464f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00468f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0046cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00470f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00474f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00478f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0047cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00480f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00484f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00488f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0048cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00490f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00494f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00498f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0049cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x004a0f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004a4f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004a8f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004acf00 < 0x00708000 hits = 0
[# ]
[ ] 0x004b0f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004b4f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004b8f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004bcf00 < 0x00708000 hits = 0
[# ]
[ ] 0x004c0f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004c4f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004c8f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004ccf00 < 0x00708000 hits = 0
[# ]
[ ] 0x004d0f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004d4f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004d8f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004dcf00 < 0x00708000 hits = 0
[# ]
[ ] 0x004e0f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004e4f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004e8f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004ecf00 < 0x00708000 hits = 0
[# ]
[ ] 0x004f0f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004f4f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004f8f00 < 0x00708000 hits = 0
[# ]
[ ] 0x004fcf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00500f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00504f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00508f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0050cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00510f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00514f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00518f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0051cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00520f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00524f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00528f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0052cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00530f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00534f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00538f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0053cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00540f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00544f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00548f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0054cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00550f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00554f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00558f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0055cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00560f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00564f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00568f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0056cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00570f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00574f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00578f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0057cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00580f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00584f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00588f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0058cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00590f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00594f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00598f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0059cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x005a0f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005a4f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005a8f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005acf00 < 0x00708000 hits = 0
[# ]
[ ] 0x005b0f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005b4f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005b8f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005bcf00 < 0x00708000 hits = 0
[# ]
[ ] 0x005c0f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005c4f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005c8f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005ccf00 < 0x00708000 hits = 0
[# ]
[ ] 0x005d0f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005d4f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005d8f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005dcf00 < 0x00708000 hits = 0
[# ]
[ ] 0x005e0f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005e4f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005e8f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005ecf00 < 0x00708000 hits = 0
[# ]
[ ] 0x005f0f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005f4f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005f8f00 < 0x00708000 hits = 0
[# ]
[ ] 0x005fcf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00600f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00604f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00608f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0060cf00 < 0x00708000 hits = 0
[# ]
[ ] 0x00610f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00614f00 < 0x00708000 hits = 0
[# ]
[ ] 0x00618f00 < 0x00708000 hits = 0
[# ]
[ ] 0x0061cf00 < 0x00708000 hits = 1
[# ]
[ ] 0x00620f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00624f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00628f00 < 0x00708000 hits = 1
[# ]
[ ] 0x0062cf00 < 0x00708000 hits = 1
[# ]
[ ] 0x00630f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00634f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00638f00 < 0x00708000 hits = 1
[# ]
[ ] 0x0063cf00 < 0x00708000 hits = 1
[# ]
[ ] 0x00640f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00644f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00648f00 < 0x00708000 hits = 1
[# ]
[ ] 0x0064cf00 < 0x00708000 hits = 1
[# ]
[ ] 0x00650f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00654f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00658f00 < 0x00708000 hits = 1
[# ]
[ ] 0x0065cf00 < 0x00708000 hits = 1
[# ]
[ ] 0x00660f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00664f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00668f00 < 0x00708000 hits = 1
[# ]
[ ] 0x0066cf00 < 0x00708000 hits = 1
[# ]
[ ] 0x00670f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00674f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00678f00 < 0x00708000 hits = 1
[# ]
[ ] 0x0067cf00 < 0x00708000 hits = 1
[# ]
[ ] 0x00680f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00684f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00688f00 < 0x00708000 hits = 1
[# ]
[ ] 0x0068cf00 < 0x00708000 hits = 1
[# ]
[ ] 0x00690f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00694f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00698f00 < 0x00708000 hits = 1
[# ]
[ ] 0x0069cf00 < 0x00708000 hits = 1
[# ]
[ ] 0x006a0f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006a4f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006a8f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006acf00 < 0x00708000 hits = 1
[# ]
[ ] 0x006b0f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006b4f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006b8f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006bcf00 < 0x00708000 hits = 1
[# ]
[ ] 0x006c0f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006c4f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006c8f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006ccf00 < 0x00708000 hits = 1
[# ]
[ ] 0x006d0f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006d4f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006d8f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006dcf00 < 0x00708000 hits = 1
[# ]
[ ] 0x006e0f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006e4f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006e8f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006ecf00 < 0x00708000 hits = 1
[# ]
[ ] 0x006f0f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006f4f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006f8f00 < 0x00708000 hits = 1
[# ]
[ ] 0x006fcf00 < 0x00708000 hits = 1
[# ]
[ ] 0x00700f00 < 0x00708000 hits = 1
[# ]
[ ] 0x00704f00 < 0x00708000 hits = 1
[# ][0K
hits: 1
diff --git a/source/notes/star_trek_armada/find_cdcheck b/source/notes/star_trek_armada/find_cdcheck
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/source/notes/star_trek_armada/find_cdcheck
diff --git a/source/notes/star_trek_armada/generate_listings.sh b/source/notes/star_trek_armada/generate_listings.sh
new file mode 100755
index 0000000..a2ac8b2
--- /dev/null
+++ b/source/notes/star_trek_armada/generate_listings.sh
@@ -0,0 +1,11 @@
+#! /bin/bash
+
+radare2 -q -c 'pd 20 @ 0x43ff4d' Armada.exe_pristine > sprintf_overflow
+radare2 -q -c 'pd 38 @ 0x5005a0' Armada.exe_pristine > memory_check
+radare2 -q -c '/ Please\x20insert\x20CD\x20' Armada.exe_pristine 2>find_cd_strcheck > find_cd_strcheck
+# radare doesn't find the reference, gotta use olly
+# right click on instructions, search for, all referenced text strings
+# right click strings, search for; "Please insert CD "
+# double click string to show instruction that reference is made
+# that's about where CD check is done
+radare2 -q -c 'pd 10 @ 0x0044053b' Armada.exe_pristine > cd_check
diff --git a/source/notes/star_trek_armada/heresyourproblem.png b/source/notes/star_trek_armada/heresyourproblem.png
Binary files differ
new file mode 100644
index 0000000..6e86c8b
--- /dev/null
+++ b/source/notes/star_trek_armada/heresyourproblem.png
diff --git a/source/notes/star_trek_armada/meminfo.png b/source/notes/star_trek_armada/meminfo.png
Binary files differ
new file mode 100644
index 0000000..5b5d440
--- /dev/null
+++ b/source/notes/star_trek_armada/meminfo.png
diff --git a/source/notes/star_trek_armada/meminfo_check.png b/source/notes/star_trek_armada/meminfo_check.png
Binary files differ
new file mode 100644
index 0000000..d557176
--- /dev/null
+++ b/source/notes/star_trek_armada/meminfo_check.png
diff --git a/source/notes/star_trek_armada/meminfo_check_fo_real.png b/source/notes/star_trek_armada/meminfo_check_fo_real.png
Binary files differ
new file mode 100644
index 0000000..5467569
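Review bot: The third radare2 command redirects stderr and stdout to the same file through two separate opens, `2>find_cd_strcheck > find_cd_strcheck`, so the two descriptors keep independent offsets into a file that is truncated twice and the streams overwrite each other — which is consistent with the half-overwritten search output committed as find_cd_strcheck; `> find_cd_strcheck 2>&1` sends both through one descriptor. The first command writes its listing to `sprintf_overflow`, but the file committed alongside it is `snprintf_overflow`, so rerunning the script creates a second file instead of refreshing the one the notes refer to; rename one side to match. The addresses `0x43ff4d`, `0x5005a0` and `0x0044053b` are only meaningful for Armada.exe_pristine, and the script runs on without `set -euo pipefail`, so a missing binary or a failed radare2 silently leaves empty listings behind; a header comment naming the binary the offsets belong to, plus `set -euo pipefail` after the shebang, would make that explicit.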
--- /dev/null
+++ b/source/notes/star_trek_armada/meminfo_check_fo_real.png
diff --git a/source/notes/star_trek_armada/meminfo_fix.png b/source/notes/star_trek_armada/meminfo_fix.png
Binary files differ
new file mode 100644
index 0000000..d491074
--- /dev/null
+++ b/source/notes/star_trek_armada/meminfo_fix.png
diff --git a/source/notes/star_trek_armada/meminfo_nofix.png b/source/notes/star_trek_armada/meminfo_nofix.png
Binary files differ
new file mode 100644
index 0000000..9b467ad
--- /dev/null
+++ b/source/notes/star_trek_armada/meminfo_nofix.png
diff --git a/source/notes/star_trek_armada/meminfo_struct.png b/source/notes/star_trek_armada/meminfo_struct.png
Binary files differ
new file mode 100644
index 0000000..ede2311
--- /dev/null
+++ b/source/notes/star_trek_armada/meminfo_struct.png
diff --git a/source/notes/star_trek_armada/memory_check b/source/notes/star_trek_armada/memory_check
new file mode 100644
index 0000000..38e26aa
--- /dev/null
+++ b/source/notes/star_trek_armada/memory_check
@@ -0,0 +1,38 @@ + [36m [0m[32m0x005005a0[0m [33m55[0m [35mpush[36m ebp[0m[0m[0m + [36m [0m[32m0x005005a1[0m [37m8b[37mec[0m [37mmov[36m ebp[0m,[36m[36m esp[0m[0m[0m + [36m [0m[32m0x005005a3[0m [37m83[37mec[33m20[0m [33msub[36m esp[0m,[36m[36m [33m0x20[0m[0m[0m + [36m [0m[32m0x005005a6[0m [37m8d[33m45[37me0[0m [37mlea[36m eax[0m,[36m [0m[[36mebp [0m-[36m[36m [33m0x20[0m][36m[0m[0m[0m + [36m [0m[32m0x005005a9[0m [33m50[0m [35mpush[36m eax[0m[0m[0m + [36m [0m[32m0x005005aa[0m [31mff[37m15[37m88[33m7b[33m6d[32m00[0m [1;32mcall dword [sym.imp.KERNEL32.dll_GlobalMemoryStatus][0m[31m ; 0x6d7b88[0m + [36m [0m[32m0x005005b0[0m [37me8[37mfb[37mfd[31mff[31mff[0m [1;32mcall 0x5003b0[0m[0m + [36m [0m[32m0x005005b5[0m [33m3d[33m66[37mfd[31mff[31mff[0m [36mcmp[36m eax[0m,[36m[36m [33m0xfffffd66[0m[0m[31m ; 4294966630[0m + [36m [0m[32m0x005005ba[0m [37ma3[37mc4[37mdb[33m67[32m00[0m [37mmov dword[36m [0m[[36m[33m0x67dbc4[0m][36m[0m,[36m[36m eax[0m[0m[31m ; [0x67dbc4:4]=-1[0m + [36m ,=< [0m[32m0x005005bf[0m [33m75[37m0c[0m [32mjne 0x5005cd[0m[0m + [36m | [0m[32m0x005005c1[0m [37mc7[37m05[37mc4[37mdb[33m67[32m00[37m.[0m [37mmov dword[36m [0m[[36m[33m0x67dbc4[0m][36m[0m,[36m[36m [33m0[0m[0m[31m ; [0x67dbc4:4]=-1[0m + [36m ,==< [0m[32m0x005005cb[0m [37meb[37m0f[0m [32mjmp 0x5005dc[0m[0m + [36m |`-> [0m[32m0x005005cd[0m [37m83[37mf8[31mff[0m [36mcmp[36m eax[0m,[36m[36m [33m0xffffffffffffffff[0m[0m[0m + [36m |,=< [0m[32m0x005005d0[0m [33m75[37m0a[0m [32mjne 0x5005dc[0m[0m + [36m || [0m[32m0x005005d2[0m [37mc7[37m05[37mc4[37mdb[33m67[32m00[37m.[0m [37mmov dword[36m [0m[[36m[33m0x67dbc4[0m][36m[0m,[36m[36m [33m0xc8[0m[0m[31m ; [0x67dbc4:4]=-1[0m + [36m ``-> [0m[32m0x005005dc[0m [37m8b[33m45[37me8[0m [37mmov[36m eax[0m,[36m dword [0m[[36mebp [0m-[36m[36m [33m0x18[0m][36m[0m[0m[0m + [36m [0m[32m0x005005df[0m [37m8b[33m4d[37mf4[0m [37mmov[36m ecx[0m,[36m dword [0m[[36mebp [0m-[36m[36m [33m0xc[0m][36m[0m[0m[0m + [36m [0m[32m0x005005e2[0m [33m3d[32m00[32m00[37mc0[37m01[0m [36mcmp[36m 
eax[0m,[36m[36m [33m0x1c00000[0m[0m[0m + [36m [0m[32m0x005005e7[0m [37ma3[37mc8[37mdb[33m67[32m00[0m [37mmov dword[36m [0m[[36m[33m0x67dbc8[0m][36m[0m,[36m[36m eax[0m[0m[31m ; [0x67dbc8:4]=-1[0m + [36m [0m[32m0x005005ec[0m [37m89[37m0d[37mdc[37mdb[33m67[32m00[0m [37mmov dword[36m [0m[[36m[33m0x67dbdc[0m][36m[0m,[36m[36m ecx[0m[0m[31m ; [0x67dbdc:4]=-1[0m + [36m ,=< [0m[32m0x005005f2[0m [33m7d[37m12[0m [32mjge 0x500606[0m[0m + [36m | [0m[32m0x005005f4[0m [37m81[37mf9[32m00[32m00[37me0[37m01[0m [36mcmp[36m ecx[0m,[36m[36m [33m0x1e00000[0m[0m[0m + [36m ,==< [0m[32m0x005005fa[0m [33m7d[37m0a[0m [32mjge 0x500606[0m[0m + [36m || [0m[32m0x005005fc[0m [33m6a[32m00[0m [35mpush[36m [33m0[0m[0m[0m + [36m || [0m[32m0x005005fe[0m [37me8[37mad[33m28[37mf4[31mff[0m [1;32mcall 0x442eb0[0m[0m + [36m || [0m[32m0x00500603[0m [37m83[37mc4[37m04[0m [33madd[36m esp[0m,[36m[36m [33m4[0m[0m[0m + [36m ``-> [0m[32m0x00500606[0m [37m8b[33m45[37m08[0m [37mmov[36m eax[0m,[36m dword [0m[[36mebp [0m+[36m[36m [33m8[0m][36m[0m[0m[31m ; [0x8:4]=4[0m + [36m [0m[32m0x00500609[0m [33m56[0m [35mpush[36m esi[0m[0m[0m + [36m [0m[32m0x0050060a[0m [33m57[0m [35mpush[36m edi[0m[0m[0m + [36m [0m[32m0x0050060b[0m [37mb9[37m08[32m00[32m00[32m00[0m [37mmov[36m ecx[0m,[36m[36m [33m8[0m[0m[0m + [36m [0m[32m0x00500610[0m [37mbe[37mc0[37mdb[33m67[32m00[0m [37mmov[36m esi[0m,[36m[36m [33m0x67dbc0[0m[0m[0m + [36m [0m[32m0x00500615[0m [37m8b[37mf8[0m [37mmov[36m edi[0m,[36m[36m eax[0m[0m[0m + [36m [0m[32m0x00500617[0m [37mf3[37ma5[0m [37mrep movsd dword[36m es:[0m[[36medi[0m][36m[0m,[36m dword ptr[36m [0m[[36mesi[0m][36m[0m[0m[0m + [36m [0m[32m0x00500619[0m [33m5f[0m [1;35mpop[36m edi[0m[0m[0m + [36m [0m[32m0x0050061a[0m [33m5e[0m [1;35mpop[36m esi[0m[0m[0m + [36m [0m[32m0x0050061b[0m [37m8b[37me5[0m [37mmov[36m esp[0m,[36m[36m ebp[0m[0m[0m + [36m [0m[32m0x0050061d[0m [33m5d[0m [1;35mpop[36m ebp[0m[0m[0m + [36m [0m[32m0x0050061e[0m [37mc3[0m [31mret[0m[0m[0m 
diff --git a/source/notes/star_trek_armada/snprintf_overflow b/source/notes/star_trek_armada/snprintf_overflow
new file mode 100644
index 0000000..0f65342
--- /dev/null
+++ b/source/notes/star_trek_armada/snprintf_overflow
@@ -0,0 +1,20 @@ + [36m [0m[32m0x0043ff4d[0m [37m8d[37m85[37md0[37mfd[31mff[31mff[0m [37mlea[36m eax[0m,[36m [0m[[36mebp [0m-[36m[36m [33m0x230[0m][36m[0m[0m[0m + [36m [0m[32m0x0043ff53[0m [33m68[37m04[37m01[32m00[32m00[0m [35mpush[36m [33m0x104[0m[0m[0m + [36m [0m[32m0x0043ff58[0m [33m50[0m [35mpush[36m eax[0m[0m[0m + [36m [0m[32m0x0043ff59[0m [31mff[37m15[37m80[36m7f[33m6d[32m00[0m [1;32mcall dword [sym.imp.MSVCRT.dll__getcwd][0m[31m ; 0x6d7f80[0m + [36m [0m[32m0x0043ff5f[0m [37m83[37mc4[37m10[0m [33madd[36m esp[0m,[36m[36m [33m0x10[0m[0m[0m + [36m [0m[32m0x0043ff62[0m [37m85[37mc0[0m [36mtest[36m eax[0m,[36m[36m eax[0m[0m[0m + [36m ,=< [0m[32m0x0043ff64[0m [33m74[33m3c[0m [32mje 0x43ffa2[0m[0m + [36m | [0m[32m0x0043ff66[0m [33m68[33m6c[37maa[33m5f[32m00[0m [35mpush[36m [33mstr.PATH[0m[0m[31m ; 0x5faa6c[31m ; "PATH"[0m + [36m | [0m[32m0x0043ff6b[0m [31mff[37m15[37m84[36m7f[33m6d[32m00[0m [1;32mcall dword [sym.imp.MSVCRT.dll_getenv][0m[31m ; 0x6d7f84[31m ; "x\xb9-"[0m + [36m | [0m[32m0x0043ff71[0m [37m8d[37m8d[37md0[37mfd[31mff[31mff[0m [37mlea[36m ecx[0m,[36m [0m[[36mebp [0m-[36m[36m [33m0x230[0m][36m[0m[0m[0m + [36m | [0m[32m0x0043ff77[0m [37m8d[37m95[37md0[37mfd[31mff[31mff[0m [37mlea[36m edx[0m,[36m [0m[[36mebp [0m-[36m[36m [33m0x230[0m][36m[0m[0m[0m + [36m | [0m[32m0x0043ff7d[0m [33m51[0m [35mpush[36m ecx[0m[0m[0m + [36m | [0m[32m0x0043ff7e[0m [33m52[0m [35mpush[36m edx[0m[0m[0m + [36m | [0m[32m0x0043ff7f[0m [33m50[0m [35mpush[36m eax[0m[0m[0m + [36m | [0m[32m0x0043ff80[0m [37m8d[37m85[37md0[37mfb[31mff[31mff[0m [37mlea[36m eax[0m,[36m [0m[[36mebp [0m-[36m[36m [33m0x430[0m][36m[0m[0m[0m + [36m | [0m[32m0x0043ff86[0m [33m68[33m74[37maa[33m5f[32m00[0m [35mpush[36m [33mstr.PATH__s__s_AI__s_Missions_[0m[0m[31m ; 0x5faa74[31m ; "PATH=%s;%s\\AI;%s\\Missions;"[0m + [36m | [0m[32m0x0043ff8b[0m [33m50[0m [35mpush[36m eax[0m[0m[0m + [36m | [0m[32m0x0043ff8c[0m [31mff[37m15[37mdc[36m7f[33m6d[32m00[0m [1;32mcall dword [sym.imp.MSVCRT.dll_sprintf][0m[31m ; 0x6d7fdc[31m ; 
"v\xb8-"[0m
+ [36m | [0m[32m0x0043ff92[0m [37m8d[37m8d[37md0[37mfb[31mff[31mff[0m [37mlea[36m ecx[0m,[36m [0m[[36mebp [0m-[36m[36m [33m0x430[0m][36m[0m[0m[0m
+ [36m | [0m[32m0x0043ff98[0m [33m51[0m [35mpush[36m ecx[0m[0m[0m
diff --git a/source/notes/star_trek_armada/sprintf_overflow b/source/notes/star_trek_armada/sprintf_overflow
new file mode 100644
index 0000000..0f65342
--- /dev/null
+++ b/source/notes/star_trek_armada/sprintf_overflow
@@ -0,0 +1,20 @@ + [36m [0m[32m0x0043ff4d[0m [37m8d[37m85[37md0[37mfd[31mff[31mff[0m [37mlea[36m eax[0m,[36m [0m[[36mebp [0m-[36m[36m [33m0x230[0m][36m[0m[0m[0m + [36m [0m[32m0x0043ff53[0m [33m68[37m04[37m01[32m00[32m00[0m [35mpush[36m [33m0x104[0m[0m[0m + [36m [0m[32m0x0043ff58[0m [33m50[0m [35mpush[36m eax[0m[0m[0m + [36m [0m[32m0x0043ff59[0m [31mff[37m15[37m80[36m7f[33m6d[32m00[0m [1;32mcall dword [sym.imp.MSVCRT.dll__getcwd][0m[31m ; 0x6d7f80[0m + [36m [0m[32m0x0043ff5f[0m [37m83[37mc4[37m10[0m [33madd[36m esp[0m,[36m[36m [33m0x10[0m[0m[0m + [36m [0m[32m0x0043ff62[0m [37m85[37mc0[0m [36mtest[36m eax[0m,[36m[36m eax[0m[0m[0m + [36m ,=< [0m[32m0x0043ff64[0m [33m74[33m3c[0m [32mje 0x43ffa2[0m[0m + [36m | [0m[32m0x0043ff66[0m [33m68[33m6c[37maa[33m5f[32m00[0m [35mpush[36m [33mstr.PATH[0m[0m[31m ; 0x5faa6c[31m ; "PATH"[0m + [36m | [0m[32m0x0043ff6b[0m [31mff[37m15[37m84[36m7f[33m6d[32m00[0m [1;32mcall dword [sym.imp.MSVCRT.dll_getenv][0m[31m ; 0x6d7f84[31m ; "x\xb9-"[0m + [36m | [0m[32m0x0043ff71[0m [37m8d[37m8d[37md0[37mfd[31mff[31mff[0m [37mlea[36m ecx[0m,[36m [0m[[36mebp [0m-[36m[36m [33m0x230[0m][36m[0m[0m[0m + [36m | [0m[32m0x0043ff77[0m [37m8d[37m95[37md0[37mfd[31mff[31mff[0m [37mlea[36m edx[0m,[36m [0m[[36mebp [0m-[36m[36m [33m0x230[0m][36m[0m[0m[0m + [36m | [0m[32m0x0043ff7d[0m [33m51[0m [35mpush[36m ecx[0m[0m[0m + [36m | [0m[32m0x0043ff7e[0m [33m52[0m [35mpush[36m edx[0m[0m[0m + [36m | [0m[32m0x0043ff7f[0m [33m50[0m [35mpush[36m eax[0m[0m[0m + [36m | [0m[32m0x0043ff80[0m [37m8d[37m85[37md0[37mfb[31mff[31mff[0m [37mlea[36m eax[0m,[36m [0m[[36mebp [0m-[36m[36m [33m0x430[0m][36m[0m[0m[0m + [36m | [0m[32m0x0043ff86[0m [33m68[33m74[37maa[33m5f[32m00[0m [35mpush[36m [33mstr.PATH__s__s_AI__s_Missions_[0m[0m[31m ; 0x5faa74[31m ; "PATH=%s;%s\\AI;%s\\Missions;"[0m + [36m | [0m[32m0x0043ff8b[0m [33m50[0m [35mpush[36m eax[0m[0m[0m + [36m | [0m[32m0x0043ff8c[0m [31mff[37m15[37mdc[36m7f[33m6d[32m00[0m [1;32mcall dword [sym.imp.MSVCRT.dll_sprintf][0m[31m ; 0x6d7fdc[31m ; 
"v\xb8-"[0m
+ [36m | [0m[32m0x0043ff92[0m [37m8d[37m8d[37md0[37mfb[31mff[31mff[0m [37mlea[36m ecx[0m,[36m [0m[[36mebp [0m-[36m[36m [33m0x430[0m][36m[0m[0m[0m
+ [36m | [0m[32m0x0043ff98[0m [33m51[0m [35mpush[36m ecx[0m[0m[0m
diff --git a/source/notes/star_trek_armada/star_trek_armada.md b/source/notes/star_trek_armada/star_trek_armada.md
new file mode 100644
index 0000000..a4e03d0
--- /dev/null
+++ b/source/notes/star_trek_armada/star_trek_armada.md
@@ -0,0 +1,135 @@
+# Fixing Star Trek: Armada
+
+After a few weeks of DS9 brainwashing I felt like playing [Star Trek: Armada](https://en.wikipedia.org/wiki/Star_Trek:_Armada). A cool 20ish year old game, worked fine last time I played it on a Windows XP computer, should be fine, right?
+
+## Insufficient Memory
+
+![Not enough memory](not_enough_memory.png)\
+
+Not good. This computer has 32gb, undoubtedly something somewhere overflowed. I really wanted to play, so I grabbed OllyDbg and started looking to fix the problem.
+
+Running under Olly let me debug at the point the message box is opened, and going up the stack a little eventually lead me to this interesting code:
+
+<div class="codebox">
+#eval cat memory_check | aha --no-header --stylesheet
+</div>
+
+[`GlobalMemoryStatus`](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366586(v=vs.85).aspx) is a Windows API to retrieve memory information, so this is a reasonable place to start looking for why the game would think I have less than 50mb of memory.
+
+That function populates a `MEMORYSTATUS` struct:
+
+<div class="codebox">
+```c
+typedef struct _MEMORYSTATUS {
+ DWORD dwLength;
+ DWORD dwMemoryLoad;
+ SIZE_T dwTotalPhys;
+ SIZE_T dwAvailPhys;
+ SIZE_T dwTotalPageFile;
+ SIZE_T dwAvailPageFile;
+ SIZE_T dwTotalVirtual;
+ SIZE_T dwAvailVirtual;
+} MEMORYSTATUS, *LPMEMORYSTATUS;
+```
+</div>
+
+and noting the MSDN page:
+
+> On computers with more than 4 GB of memory, the GlobalMemoryStatus function can return incorrect information, reporting a value of –1 to indicate an overflow.
+
+Having 32gb, this probably returns -1, and a signed comparison is being done against an expected value.
+
+Placing a breakpoint on `0x5005b0` and looking at what `eax` points at yields this:
+
+<div class="codebox"><pre>
+0018F678|20 00 00 00|27 00 00 00| ...'...
+0018F680|<b>FF FF FF FF</b>|<b>FF FF FF FF</b>|........
+0018F688|<b>FF FF FF FF</b>|<b>FF FF FF FF</b>|........ 
+0018F690|00 00 FE 7F|00 40 6F 7A|......oz
+</pre></div>
+
+in bold, the values for `dwTotalPhys`, `dwAvailPhys`, `dlTotalPageFile`, and `dwAvailPageFile`. All of these are 0xFFFFFFFF, aka -1. The values for virtual memory are reasonable, just shy of 2GB.
+
+Confirming the issue, in the assembly above I can see those values are loaded into registers at `0x5005dc` and `0x5005df`, and compared against constants at `0x5005e2` and `0x5005f4`.
+
+The comparisons aren't terribly interesting, but the conditional branches they result in are: `0x5005f2` and `0x5005fa` are branches with `jge`, which interprets the flags `cmp` set as if they were for a **signed** comparison.
+
+This probably means the author of this code wrote these checks like:
+
+<div class="codebox">
+```c
+MEMORYSTATUS* memInfo;
+GlobalMemoryStatus(memInfo);
+if (
+ (int)(memInfo->dwTotalPhys) <= 28 * 1024 * 1024 &&
+ (int)(memInfo->dwTotalPhys) <= 30 * 1024 * 1024
+) {
+ failMemCheck();
+}
+```
+</div>
+
+where instead the constant should have been cast to `SIZE_T` (an unsigned type).
+
+This is easily fixable: instead of `jge`, use `jae`. Replacing `0x7d` at `0x5005fe` and `0x5005fa` with `0x73` and rerunning seems to convince the game all is fine.
+
+Except now it crashes at startup.
+
+## Crash at Start
+
+Occasionally, the game will resize the parent window (explorer.exe, for how I was running it) to fullscreen and move it to the top left, so there's some memory corruption happening. Probably passing the parent window's handle to Windows functions, rather than its own.
+
+Either this function was doing something important that I broke by changing the comparison, or something elsewhere is also buggy.
+
+Looking through functions that are called, there's a fair amount of sprintf, but enough to make me look elsewhere first. There are also calls to getenv, getcwd, and putenv, only one of each, so it's easy to verify if those are relevant or not. 
+
+They get called in the function at `0x0043feb0`, in this region:
+
+<div class="codebox">
+#eval cat sprintf_overflow | aha --no-header --stylesheet
+</div>
+
+This is promising. My `%PATH%` is fairly large for unrelated reasons, and the buffer that `sprintf` at `0x43ff8c` writes into is `ebp - 0x430`. The formatted string consists of `%PATH%;%CWD%\AI;%CWD%\Missions`, and if that ends up being larger than ~1kb, it begins arbitrarily corrupting the stack.
+
+The produced string might be important, but to verify this, I replaced the entire `sprintf` with `nop`:
+
+<div class="codebox">
+#eval cat sprintf_overflow_fix | aha --no-header --stylesheet
+</div>
+
+And reran:
+
+![star trek armada main scren](armada.png)\
+
+It starts successfully!
+
+Getting into a game shows other issues:
+
+![ingame graphics glitches](uh.png)\
+
+At this point it's likely issues with D3D APIs I don't know so well, so I fiddled with compatibility settings in the hope that something would work. Disabling desktop composition did the trick:
+
+TODO: image of ingame
+
+Dunno what desktop composition does other than having to do with Windows Vista and later composing the display differently, so a fun followup might be fixing the game to not require this setting.
+
+## Bonus: "Please Insert CD"
+
+If I didn't have the iso of my disk mounted, I was greeted with a pop-up asking me, `Please insert CD`. If you were inclined to do something about that...
+
+radare: `/ Please\x20insert\x20CD`
+
+<div class="codebox">
+#eval cat find_cd_strcheck | aha --no-header --stylesheet
+</div>
+
+Finding that string (or most of it) at `0x0061a9b4`
+
+Figuring out where the string gets used evades the combination of my skills with radare and time I was willing to put in, but Olly was easier:
+
+1. Right click on any instruction -> search for -> all referenced text strings
+1. Right click on strings -> search for "Please insert CD "
+1. 
Double click the highlighted string to show what instruction referenced it
+1. That's approximately where the check is done
+
+Now I think normally there would be a conditional branch at `0x440551` that might show a dialog and close the game, but *for some reason* the test and branch are nop'd out to unconditionally never show me a "Please insert Armada CD" dialog...!
diff --git a/source/notes/star_trek_armada/uh.png b/source/notes/star_trek_armada/uh.png
Binary files differ
new file mode 100644
index 0000000..162151e
--- /dev/null
+++ b/source/notes/star_trek_armada/uh.png |