From 254e5affeb387f63fc74913f7806b3e144d0e4f6 Mon Sep 17 00:00:00 2001 
From: iximeow Date: Wed, 3 Jan 2018 04:30:20 -0800 Subject: add star trek armada notes --- source/notes/star_trek_armada/Armada.exe | Bin 0 -> 2502701 bytes source/notes/star_trek_armada/Armada.exe.bak | Bin 0 -> 2502701 bytes source/notes/star_trek_armada/Armada.exe_pristine | Bin 0 -> 2502701 bytes source/notes/star_trek_armada/IGNORE_FILES | 2 + source/notes/star_trek_armada/armada.png | Bin 0 -> 269571 bytes source/notes/star_trek_armada/armada_bug.exe.png | Bin 0 -> 24182 bytes source/notes/star_trek_armada/armada_debug.exe.png | Bin 0 -> 153251 bytes source/notes/star_trek_armada/cd_check | 10 ++ source/notes/star_trek_armada/find_cd_strcheck | 4 + source/notes/star_trek_armada/find_cdcheck | 0 source/notes/star_trek_armada/generate_listings.sh | 11 ++ source/notes/star_trek_armada/heresyourproblem.png | Bin 0 -> 12596 bytes source/notes/star_trek_armada/meminfo.png | Bin 0 -> 2069 bytes source/notes/star_trek_armada/meminfo_check.png | Bin 0 -> 6501 bytes .../star_trek_armada/meminfo_check_fo_real.png | Bin 0 -> 106420 bytes source/notes/star_trek_armada/meminfo_fix.png | Bin 0 -> 6661 bytes source/notes/star_trek_armada/meminfo_nofix.png | Bin 0 -> 1540 bytes source/notes/star_trek_armada/meminfo_struct.png | Bin 0 -> 8153 bytes source/notes/star_trek_armada/memory_check | 38 ++++++ source/notes/star_trek_armada/snprintf_overflow | 20 +++ source/notes/star_trek_armada/sprintf_overflow | 20 +++ source/notes/star_trek_armada/star_trek_armada.md | 135 +++++++++++++++++++++ source/notes/star_trek_armada/uh.png | Bin 0 -> 184483 bytes 23 files changed, 240 insertions(+) create mode 100644 source/notes/star_trek_armada/Armada.exe create mode 100644 source/notes/star_trek_armada/Armada.exe.bak create mode 100755 source/notes/star_trek_armada/Armada.exe_pristine create mode 100644 source/notes/star_trek_armada/IGNORE_FILES create mode 100644 source/notes/star_trek_armada/armada.png create mode 100644 source/notes/star_trek_armada/armada_bug.exe.png create mode 
100644 source/notes/star_trek_armada/armada_debug.exe.png create mode 100644 source/notes/star_trek_armada/cd_check create mode 100644 source/notes/star_trek_armada/find_cd_strcheck create mode 100644 source/notes/star_trek_armada/find_cdcheck create mode 100755 source/notes/star_trek_armada/generate_listings.sh create mode 100644 source/notes/star_trek_armada/heresyourproblem.png create mode 100644 source/notes/star_trek_armada/meminfo.png create mode 100644 source/notes/star_trek_armada/meminfo_check.png create mode 100644 source/notes/star_trek_armada/meminfo_check_fo_real.png create mode 100644 source/notes/star_trek_armada/meminfo_fix.png create mode 100644 source/notes/star_trek_armada/meminfo_nofix.png create mode 100644 source/notes/star_trek_armada/meminfo_struct.png create mode 100644 source/notes/star_trek_armada/memory_check create mode 100644 source/notes/star_trek_armada/snprintf_overflow create mode 100644 source/notes/star_trek_armada/sprintf_overflow create mode 100644 source/notes/star_trek_armada/star_trek_armada.md create mode 100644 source/notes/star_trek_armada/uh.png (limited to 'source/notes/star_trek_armada') diff --git a/source/notes/star_trek_armada/Armada.exe b/source/notes/star_trek_armada/Armada.exe new file mode 100644 index 0000000..8323e01 Binary files /dev/null and b/source/notes/star_trek_armada/Armada.exe differ diff --git a/source/notes/star_trek_armada/Armada.exe.bak b/source/notes/star_trek_armada/Armada.exe.bak new file mode 100644 index 0000000..18c24db Binary files /dev/null and b/source/notes/star_trek_armada/Armada.exe.bak differ diff --git a/source/notes/star_trek_armada/Armada.exe_pristine b/source/notes/star_trek_armada/Armada.exe_pristine new file mode 100755 index 0000000..cbc4a44 Binary files /dev/null and b/source/notes/star_trek_armada/Armada.exe_pristine differ diff --git a/source/notes/star_trek_armada/IGNORE_FILES b/source/notes/star_trek_armada/IGNORE_FILES new file mode 100644 index 0000000..ba52fcc 
--- /dev/null +++ b/source/notes/star_trek_armada/IGNORE_FILES @@ -0,0 +1,2 @@ +Armada.exe +Armada.exe.bak diff --git a/source/notes/star_trek_armada/armada.png b/source/notes/star_trek_armada/armada.png new file mode 100644 index 0000000..1428b81 Binary files /dev/null and b/source/notes/star_trek_armada/armada.png differ diff --git a/source/notes/star_trek_armada/armada_bug.exe.png b/source/notes/star_trek_armada/armada_bug.exe.png new file mode 100644 index 0000000..a1eaf5e Binary files /dev/null and b/source/notes/star_trek_armada/armada_bug.exe.png differ diff --git a/source/notes/star_trek_armada/armada_debug.exe.png b/source/notes/star_trek_armada/armada_debug.exe.png new file mode 100644 index 0000000..5019907 Binary files /dev/null and b/source/notes/star_trek_armada/armada_debug.exe.png differ diff --git a/source/notes/star_trek_armada/cd_check b/source/notes/star_trek_armada/cd_check new file mode 100644 index 0000000..ac096a5 --- /dev/null +++ b/source/notes/star_trek_armada/cd_check @@ -0,0 +1,10 @@ +  0x0044053b 68f8ac5f00 push str.Track_verification__s. ; 0x5facf8 ; "Track verification %s." +  0x00440540 ff15787f6d00 call dword [sym.imp.MSVCRT.dll_printf] ; 0x6d7f78 +  0x00440546 83c408 add esp, 8 +  0x00440549 85f6 test esi, esi +  0x0044054b 0f95c0 setne al +  0x0044054e 84c0 test al, al +  0x00440550 90 nop +  ,=< 0x00440551 e98b000000 jmp 0x4405e1 +  | 0x00440556 bfa4a95f00 mov edi, str.Please_insert_Armada_CD ; 0x5fa9a4 ; "Please insert Armada CD" +  | 0x0044055b 83c9ff or ecx, 0xffffffff diff --git a/source/notes/star_trek_armada/find_cd_strcheck b/source/notes/star_trek_armada/find_cd_strcheck new file mode 100644 index 0000000..4d6a273 --- /dev/null +++ b/source/notes/star_trek_armada/find_cd_strcheck 
@@ -0,0 +1,4 @@ +0x0061a9b4 hit0_0 .-%03d :\ :\Please insert CD "%s"armadaa. +0 69 6e 73 65 72 74 20 43 44 20 +Searching 17 bytes in [0x401000-0x708000] + [ ] 0x00404f00 < 0x00708000 hits = 0 [# ] [ ] 0x00408f00 < 0x00708000 hits = 0 [# ] [ ] 0x0040cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00410f00 < 0x00708000 hits = 0 [# ] [ ] 0x00414f00 < 0x00708000 hits = 0 [# ] [ ] 0x00418f00 < 0x00708000 hits = 0 [# ] [ ] 0x0041cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00420f00 < 0x00708000 hits = 0 [# ] [ ] 0x00424f00 < 0x00708000 hits = 0 [# ] [ ] 0x00428f00 < 0x00708000 hits = 0 [# ] [ ] 0x0042cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00430f00 < 0x00708000 hits = 0 [# ] [ ] 0x00434f00 < 0x00708000 hits = 0 [# ] [ ] 0x00438f00 < 0x00708000 hits = 0 [# ] [ ] 0x0043cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00440f00 < 0x00708000 hits = 0 [# ] [ ] 0x00444f00 < 0x00708000 hits = 0 [# ] [ ] 0x00448f00 < 0x00708000 hits = 0 [# ] [ ] 0x0044cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00450f00 < 0x00708000 hits = 0 [# ] [ ] 0x00454f00 < 0x00708000 hits = 0 [# ] [ ] 0x00458f00 < 0x00708000 hits = 0 [# ] [ ] 0x0045cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00460f00 < 0x00708000 hits = 0 [# ] [ ] 0x00464f00 < 0x00708000 hits = 0 [# ] [ ] 0x00468f00 < 0x00708000 hits = 0 [# ] [ ] 0x0046cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00470f00 < 0x00708000 hits = 0 [# ] [ ] 0x00474f00 < 0x00708000 hits = 0 [# ] [ ] 0x00478f00 < 0x00708000 hits = 0 [# ] [ ] 0x0047cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00480f00 < 0x00708000 hits = 0 [# ] [ ] 0x00484f00 < 0x00708000 hits = 0 [# ] [ ] 0x00488f00 < 0x00708000 hits = 0 [# ] [ ] 0x0048cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00490f00 < 0x00708000 hits = 0 [# ] [ ] 0x00494f00 < 0x00708000 hits = 0 [# ] [ ] 0x00498f00 < 0x00708000 hits = 0 [# ] [ ] 0x0049cf00 < 0x00708000 hits = 0 [# ] [ ] 0x004a0f00 < 0x00708000 hits = 0 [# ] [ ] 0x004a4f00 < 0x00708000 hits = 0 [# ] [ ] 0x004a8f00 < 0x00708000 hits = 0 [# ] [ ] 0x004acf00 < 0x00708000 hits = 0 [# ] [ ] 0x004b0f00 < 0x00708000 hits = 0 
[# ] [ ] 0x004b4f00 < 0x00708000 hits = 0 [# ] [ ] 0x004b8f00 < 0x00708000 hits = 0 [# ] [ ] 0x004bcf00 < 0x00708000 hits = 0 [# ] [ ] 0x004c0f00 < 0x00708000 hits = 0 [# ] [ ] 0x004c4f00 < 0x00708000 hits = 0 [# ] [ ] 0x004c8f00 < 0x00708000 hits = 0 [# ] [ ] 0x004ccf00 < 0x00708000 hits = 0 [# ] [ ] 0x004d0f00 < 0x00708000 hits = 0 [# ] [ ] 0x004d4f00 < 0x00708000 hits = 0 [# ] [ ] 0x004d8f00 < 0x00708000 hits = 0 [# ] [ ] 0x004dcf00 < 0x00708000 hits = 0 [# ] [ ] 0x004e0f00 < 0x00708000 hits = 0 [# ] [ ] 0x004e4f00 < 0x00708000 hits = 0 [# ] [ ] 0x004e8f00 < 0x00708000 hits = 0 [# ] [ ] 0x004ecf00 < 0x00708000 hits = 0 [# ] [ ] 0x004f0f00 < 0x00708000 hits = 0 [# ] [ ] 0x004f4f00 < 0x00708000 hits = 0 [# ] [ ] 0x004f8f00 < 0x00708000 hits = 0 [# ] [ ] 0x004fcf00 < 0x00708000 hits = 0 [# ] [ ] 0x00500f00 < 0x00708000 hits = 0 [# ] [ ] 0x00504f00 < 0x00708000 hits = 0 [# ] [ ] 0x00508f00 < 0x00708000 hits = 0 [# ] [ ] 0x0050cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00510f00 < 0x00708000 hits = 0 [# ] [ ] 0x00514f00 < 0x00708000 hits = 0 [# ] [ ] 0x00518f00 < 0x00708000 hits = 0 [# ] [ ] 0x0051cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00520f00 < 0x00708000 hits = 0 [# ] [ ] 0x00524f00 < 0x00708000 hits = 0 [# ] [ ] 0x00528f00 < 0x00708000 hits = 0 [# ] [ ] 0x0052cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00530f00 < 0x00708000 hits = 0 [# ] [ ] 0x00534f00 < 0x00708000 hits = 0 [# ] [ ] 0x00538f00 < 0x00708000 hits = 0 [# ] [ ] 0x0053cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00540f00 < 0x00708000 hits = 0 [# ] [ ] 0x00544f00 < 0x00708000 hits = 0 [# ] [ ] 0x00548f00 < 0x00708000 hits = 0 [# ] [ ] 0x0054cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00550f00 < 0x00708000 hits = 0 [# ] [ ] 0x00554f00 < 0x00708000 hits = 0 [# ] [ ] 0x00558f00 < 0x00708000 hits = 0 [# ] [ ] 0x0055cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00560f00 < 0x00708000 hits = 0 [# ] [ ] 0x00564f00 < 0x00708000 hits = 0 [# ] [ ] 0x00568f00 < 0x00708000 hits = 0 [# ] [ ] 0x0056cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00570f00 < 
0x00708000 hits = 0 [# ] [ ] 0x00574f00 < 0x00708000 hits = 0 [# ] [ ] 0x00578f00 < 0x00708000 hits = 0 [# ] [ ] 0x0057cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00580f00 < 0x00708000 hits = 0 [# ] [ ] 0x00584f00 < 0x00708000 hits = 0 [# ] [ ] 0x00588f00 < 0x00708000 hits = 0 [# ] [ ] 0x0058cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00590f00 < 0x00708000 hits = 0 [# ] [ ] 0x00594f00 < 0x00708000 hits = 0 [# ] [ ] 0x00598f00 < 0x00708000 hits = 0 [# ] [ ] 0x0059cf00 < 0x00708000 hits = 0 [# ] [ ] 0x005a0f00 < 0x00708000 hits = 0 [# ] [ ] 0x005a4f00 < 0x00708000 hits = 0 [# ] [ ] 0x005a8f00 < 0x00708000 hits = 0 [# ] [ ] 0x005acf00 < 0x00708000 hits = 0 [# ] [ ] 0x005b0f00 < 0x00708000 hits = 0 [# ] [ ] 0x005b4f00 < 0x00708000 hits = 0 [# ] [ ] 0x005b8f00 < 0x00708000 hits = 0 [# ] [ ] 0x005bcf00 < 0x00708000 hits = 0 [# ] [ ] 0x005c0f00 < 0x00708000 hits = 0 [# ] [ ] 0x005c4f00 < 0x00708000 hits = 0 [# ] [ ] 0x005c8f00 < 0x00708000 hits = 0 [# ] [ ] 0x005ccf00 < 0x00708000 hits = 0 [# ] [ ] 0x005d0f00 < 0x00708000 hits = 0 [# ] [ ] 0x005d4f00 < 0x00708000 hits = 0 [# ] [ ] 0x005d8f00 < 0x00708000 hits = 0 [# ] [ ] 0x005dcf00 < 0x00708000 hits = 0 [# ] [ ] 0x005e0f00 < 0x00708000 hits = 0 [# ] [ ] 0x005e4f00 < 0x00708000 hits = 0 [# ] [ ] 0x005e8f00 < 0x00708000 hits = 0 [# ] [ ] 0x005ecf00 < 0x00708000 hits = 0 [# ] [ ] 0x005f0f00 < 0x00708000 hits = 0 [# ] [ ] 0x005f4f00 < 0x00708000 hits = 0 [# ] [ ] 0x005f8f00 < 0x00708000 hits = 0 [# ] [ ] 0x005fcf00 < 0x00708000 hits = 0 [# ] [ ] 0x00600f00 < 0x00708000 hits = 0 [# ] [ ] 0x00604f00 < 0x00708000 hits = 0 [# ] [ ] 0x00608f00 < 0x00708000 hits = 0 [# ] [ ] 0x0060cf00 < 0x00708000 hits = 0 [# ] [ ] 0x00610f00 < 0x00708000 hits = 0 [# ] [ ] 0x00614f00 < 0x00708000 hits = 0 [# ] [ ] 0x00618f00 < 0x00708000 hits = 0 [# ] [ ] 0x0061cf00 < 0x00708000 hits = 1 [# ] [ ] 0x00620f00 < 0x00708000 hits = 1 [# ] [ ] 0x00624f00 < 0x00708000 hits = 1 [# ] [ ] 0x00628f00 < 0x00708000 hits = 1 [# ] [ ] 0x0062cf00 < 0x00708000 hits = 1 [# ] 
[ ] 0x00630f00 < 0x00708000 hits = 1 [# ] [ ] 0x00634f00 < 0x00708000 hits = 1 [# ] [ ] 0x00638f00 < 0x00708000 hits = 1 [# ] [ ] 0x0063cf00 < 0x00708000 hits = 1 [# ] [ ] 0x00640f00 < 0x00708000 hits = 1 [# ] [ ] 0x00644f00 < 0x00708000 hits = 1 [# ] [ ] 0x00648f00 < 0x00708000 hits = 1 [# ] [ ] 0x0064cf00 < 0x00708000 hits = 1 [# ] [ ] 0x00650f00 < 0x00708000 hits = 1 [# ] [ ] 0x00654f00 < 0x00708000 hits = 1 [# ] [ ] 0x00658f00 < 0x00708000 hits = 1 [# ] [ ] 0x0065cf00 < 0x00708000 hits = 1 [# ] [ ] 0x00660f00 < 0x00708000 hits = 1 [# ] [ ] 0x00664f00 < 0x00708000 hits = 1 [# ] [ ] 0x00668f00 < 0x00708000 hits = 1 [# ] [ ] 0x0066cf00 < 0x00708000 hits = 1 [# ] [ ] 0x00670f00 < 0x00708000 hits = 1 [# ] [ ] 0x00674f00 < 0x00708000 hits = 1 [# ] [ ] 0x00678f00 < 0x00708000 hits = 1 [# ] [ ] 0x0067cf00 < 0x00708000 hits = 1 [# ] [ ] 0x00680f00 < 0x00708000 hits = 1 [# ] [ ] 0x00684f00 < 0x00708000 hits = 1 [# ] [ ] 0x00688f00 < 0x00708000 hits = 1 [# ] [ ] 0x0068cf00 < 0x00708000 hits = 1 [# ] [ ] 0x00690f00 < 0x00708000 hits = 1 [# ] [ ] 0x00694f00 < 0x00708000 hits = 1 [# ] [ ] 0x00698f00 < 0x00708000 hits = 1 [# ] [ ] 0x0069cf00 < 0x00708000 hits = 1 [# ] [ ] 0x006a0f00 < 0x00708000 hits = 1 [# ] [ ] 0x006a4f00 < 0x00708000 hits = 1 [# ] [ ] 0x006a8f00 < 0x00708000 hits = 1 [# ] [ ] 0x006acf00 < 0x00708000 hits = 1 [# ] [ ] 0x006b0f00 < 0x00708000 hits = 1 [# ] [ ] 0x006b4f00 < 0x00708000 hits = 1 [# ] [ ] 0x006b8f00 < 0x00708000 hits = 1 [# ] [ ] 0x006bcf00 < 0x00708000 hits = 1 [# ] [ ] 0x006c0f00 < 0x00708000 hits = 1 [# ] [ ] 0x006c4f00 < 0x00708000 hits = 1 [# ] [ ] 0x006c8f00 < 0x00708000 hits = 1 [# ] [ ] 0x006ccf00 < 0x00708000 hits = 1 [# ] [ ] 0x006d0f00 < 0x00708000 hits = 1 [# ] [ ] 0x006d4f00 < 0x00708000 hits = 1 [# ] [ ] 0x006d8f00 < 0x00708000 hits = 1 [# ] [ ] 0x006dcf00 < 0x00708000 hits = 1 [# ] [ ] 0x006e0f00 < 0x00708000 hits = 1 [# ] [ ] 0x006e4f00 < 0x00708000 hits = 1 [# ] [ ] 0x006e8f00 < 0x00708000 hits = 1 [# ] [ ] 0x006ecf00 < 
0x00708000 hits = 1 [# ] [ ] 0x006f0f00 < 0x00708000 hits = 1 [# ] [ ] 0x006f4f00 < 0x00708000 hits = 1 [# ] [ ] 0x006f8f00 < 0x00708000 hits = 1 [# ] [ ] 0x006fcf00 < 0x00708000 hits = 1 [# ] [ ] 0x00700f00 < 0x00708000 hits = 1 [# ] [ ] 0x00704f00 < 0x00708000 hits = 1 [# ] hits: 1 diff --git a/source/notes/star_trek_armada/find_cdcheck b/source/notes/star_trek_armada/find_cdcheck new file mode 100644 index 0000000..e69de29 diff --git a/source/notes/star_trek_armada/generate_listings.sh b/source/notes/star_trek_armada/generate_listings.sh new file mode 100755 index 0000000..a2ac8b2 --- /dev/null +++ b/source/notes/star_trek_armada/generate_listings.sh @@ -0,0 +1,11 @@ +#! /bin/bash + +radare2 -q -c 'pd 20 @ 0x43ff4d' Armada.exe_pristine > sprintf_overflow +radare2 -q -c 'pd 38 @ 0x5005a0' Armada.exe_pristine > memory_check +radare2 -q -c '/ Please\x20insert\x20CD\x20' Armada.exe_pristine 2>find_cd_strcheck > find_cd_strcheck +# radare doesn't find the reference, gotta use olly +# right click on instructions, search for, all referenced text strings +# right click strings, search for; "Please insert CD " +# double click string to show instruction that reference is made +# that's about where CD check is done +radare2 -q -c 'pd 10 @ 0x0044053b' Armada.exe_pristine > cd_check diff --git a/source/notes/star_trek_armada/heresyourproblem.png b/source/notes/star_trek_armada/heresyourproblem.png new file mode 100644 index 0000000..6e86c8b Binary files /dev/null and b/source/notes/star_trek_armada/heresyourproblem.png differ diff --git a/source/notes/star_trek_armada/meminfo.png b/source/notes/star_trek_armada/meminfo.png new file mode 100644 index 0000000..5b5d440 Binary files /dev/null and b/source/notes/star_trek_armada/meminfo.png differ 
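Review bot: The single hit recorded in find_cd_strcheck, at 0x0061a9b4, is the format string `Please insert CD "%s"`, not the string the CD check actually uses: the cd_check listing loads `str.Please_insert_Armada_CD ; 0x5fa9a4 ; "Please insert Armada CD"` at 0x440556. "Please insert CD " cannot match "Please insert Armada CD", which is the likely reason the comment in generate_listings.sh reports that radare doesn't find the reference; searching for the exact string at 0x5fa9a4, or asking for cross-references to that address, should land on 0x440556 without the OllyDbg detour. Also, almost all of this file is the radare2 progress bar; only the `hit0_0` line and the final `hits: 1` carry information, so filter the progress output when regenerating.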
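Review bot: The redirection `2>find_cd_strcheck > find_cd_strcheck` in generate_listings.sh opens the same file twice with independent offsets, so stdout and stderr overwrite each other, which is why find_cd_strcheck has the progress bar run into the hit line; use `> find_cd_strcheck 2>&1` to capture both streams in order, or `2>/dev/null` to keep only the hit. Two smaller points: nothing in this script generates sprintf_overflow_fix, which star_trek_armada.md includes via `#eval cat sprintf_overflow_fix`, nor snprintf_overflow, which is committed anyway; and find_cdcheck is added as an empty file (index e69de29), which looks like a leftover to drop.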
diff --git a/source/notes/star_trek_armada/meminfo_check.png b/source/notes/star_trek_armada/meminfo_check.png new file mode 100644 index 0000000..d557176 Binary files /dev/null and b/source/notes/star_trek_armada/meminfo_check.png differ diff --git a/source/notes/star_trek_armada/meminfo_check_fo_real.png b/source/notes/star_trek_armada/meminfo_check_fo_real.png new file mode 100644 index 0000000..5467569 Binary files /dev/null and b/source/notes/star_trek_armada/meminfo_check_fo_real.png differ diff --git a/source/notes/star_trek_armada/meminfo_fix.png b/source/notes/star_trek_armada/meminfo_fix.png new file mode 100644 index 0000000..d491074 Binary files /dev/null and b/source/notes/star_trek_armada/meminfo_fix.png differ diff --git a/source/notes/star_trek_armada/meminfo_nofix.png b/source/notes/star_trek_armada/meminfo_nofix.png new file mode 100644 index 0000000..9b467ad Binary files /dev/null and b/source/notes/star_trek_armada/meminfo_nofix.png differ diff --git a/source/notes/star_trek_armada/meminfo_struct.png b/source/notes/star_trek_armada/meminfo_struct.png new file mode 100644 index 0000000..ede2311 Binary files /dev/null and b/source/notes/star_trek_armada/meminfo_struct.png differ diff --git a/source/notes/star_trek_armada/memory_check b/source/notes/star_trek_armada/memory_check new file mode 100644 index 0000000..38e26aa --- /dev/null +++ b/source/notes/star_trek_armada/memory_check 
@@ -0,0 +1,38 @@ +  0x005005a0 55 push ebp +  0x005005a1 8bec mov ebp, esp +  0x005005a3 83ec20 sub esp, 0x20 +  0x005005a6 8d45e0 lea eax, [ebp - 0x20] +  0x005005a9 50 push eax +  0x005005aa ff15887b6d00 call dword [sym.imp.KERNEL32.dll_GlobalMemoryStatus] ; 0x6d7b88 +  0x005005b0 e8fbfdffff call 0x5003b0 +  0x005005b5 3d66fdffff cmp eax, 0xfffffd66 ; 4294966630 +  0x005005ba a3c4db6700 mov dword [0x67dbc4], eax ; [0x67dbc4:4]=-1 +  ,=< 0x005005bf 750c jne 0x5005cd +  | 0x005005c1 c705c4db6700. mov dword [0x67dbc4], 0 ; [0x67dbc4:4]=-1 +  ,==< 0x005005cb eb0f jmp 0x5005dc +  |`-> 0x005005cd 83f8ff cmp eax, 0xffffffffffffffff +  |,=< 0x005005d0 750a jne 0x5005dc +  || 0x005005d2 c705c4db6700. mov dword [0x67dbc4], 0xc8 ; [0x67dbc4:4]=-1 +  ``-> 0x005005dc 8b45e8 mov eax, dword [ebp - 0x18] +  0x005005df 8b4df4 mov ecx, dword [ebp - 0xc] +  0x005005e2 3d0000c001 cmp eax, 0x1c00000 +  0x005005e7 a3c8db6700 mov dword [0x67dbc8], eax ; [0x67dbc8:4]=-1 +  0x005005ec 890ddcdb6700 mov dword [0x67dbdc], ecx ; [0x67dbdc:4]=-1 +  ,=< 0x005005f2 7d12 jge 0x500606 +  | 0x005005f4 81f90000e001 cmp ecx, 0x1e00000 +  ,==< 0x005005fa 7d0a jge 0x500606 +  || 0x005005fc 6a00 push 0 +  || 0x005005fe e8ad28f4ff call 0x442eb0 +  || 0x00500603 83c404 add esp, 4 +  ``-> 0x00500606 8b4508 mov eax, dword [ebp + 8] ; [0x8:4]=4 +  0x00500609 56 push esi +  0x0050060a 57 push edi +  0x0050060b b908000000 mov ecx, 8 +  0x00500610 bec0db6700 mov esi, 0x67dbc0 +  0x00500615 8bf8 mov edi, eax +  0x00500617 f3a5 rep movsd dword es:[edi], dword ptr [esi] +  0x00500619 5f pop edi +  0x0050061a 5e pop esi +  0x0050061b 8be5 mov esp, ebp +  0x0050061d 5d pop ebp +  0x0050061e c3 ret diff --git a/source/notes/star_trek_armada/snprintf_overflow b/source/notes/star_trek_armada/snprintf_overflow new file mode 100644 index 0000000..0f65342 --- /dev/null +++ b/source/notes/star_trek_armada/snprintf_overflow 
@@ -0,0 +1,20 @@ +  0x0043ff4d 8d85d0fdffff lea eax, [ebp - 0x230] +  0x0043ff53 6804010000 push 0x104 +  0x0043ff58 50 push eax +  0x0043ff59 ff15807f6d00 call dword [sym.imp.MSVCRT.dll__getcwd] ; 0x6d7f80 +  0x0043ff5f 83c410 add esp, 0x10 +  0x0043ff62 85c0 test eax, eax +  ,=< 0x0043ff64 743c je 0x43ffa2 +  | 0x0043ff66 686caa5f00 push str.PATH ; 0x5faa6c ; "PATH" +  | 0x0043ff6b ff15847f6d00 call dword [sym.imp.MSVCRT.dll_getenv] ; 0x6d7f84 ; "x\xb9-" +  | 0x0043ff71 8d8dd0fdffff lea ecx, [ebp - 0x230] +  | 0x0043ff77 8d95d0fdffff lea edx, [ebp - 0x230] +  | 0x0043ff7d 51 push ecx +  | 0x0043ff7e 52 push edx +  | 0x0043ff7f 50 push eax +  | 0x0043ff80 8d85d0fbffff lea eax, [ebp - 0x430] +  | 0x0043ff86 6874aa5f00 push str.PATH__s__s_AI__s_Missions_ ; 0x5faa74 ; "PATH=%s;%s\\AI;%s\\Missions;" +  | 0x0043ff8b 50 push eax +  | 0x0043ff8c ff15dc7f6d00 call dword [sym.imp.MSVCRT.dll_sprintf] ; 0x6d7fdc ; "v\xb8-" +  | 0x0043ff92 8d8dd0fbffff lea ecx, [ebp - 0x430] +  | 0x0043ff98 51 push ecx diff --git a/source/notes/star_trek_armada/sprintf_overflow b/source/notes/star_trek_armada/sprintf_overflow new file mode 100644 index 0000000..0f65342 --- /dev/null +++ b/source/notes/star_trek_armada/sprintf_overflow 
@@ -0,0 +1,20 @@ +  0x0043ff4d 8d85d0fdffff lea eax, [ebp - 0x230] +  0x0043ff53 6804010000 push 0x104 +  0x0043ff58 50 push eax +  0x0043ff59 ff15807f6d00 call dword [sym.imp.MSVCRT.dll__getcwd] ; 0x6d7f80 +  0x0043ff5f 83c410 add esp, 0x10 +  0x0043ff62 85c0 test eax, eax +  ,=< 0x0043ff64 743c je 0x43ffa2 +  | 0x0043ff66 686caa5f00 push str.PATH ; 0x5faa6c ; "PATH" +  | 0x0043ff6b ff15847f6d00 call dword [sym.imp.MSVCRT.dll_getenv] ; 0x6d7f84 ; "x\xb9-" +  | 0x0043ff71 8d8dd0fdffff lea ecx, [ebp - 0x230] +  | 0x0043ff77 8d95d0fdffff lea edx, [ebp - 0x230] +  | 0x0043ff7d 51 push ecx +  | 0x0043ff7e 52 push edx +  | 0x0043ff7f 50 push eax +  | 0x0043ff80 8d85d0fbffff lea eax, [ebp - 0x430] +  | 0x0043ff86 6874aa5f00 push str.PATH__s__s_AI__s_Missions_ ; 0x5faa74 ; "PATH=%s;%s\\AI;%s\\Missions;" +  | 0x0043ff8b 50 push eax +  | 0x0043ff8c ff15dc7f6d00 call dword [sym.imp.MSVCRT.dll_sprintf] ; 0x6d7fdc ; "v\xb8-" +  | 0x0043ff92 8d8dd0fbffff lea ecx, [ebp - 0x430] +  | 0x0043ff98 51 push ecx diff --git a/source/notes/star_trek_armada/star_trek_armada.md b/source/notes/star_trek_armada/star_trek_armada.md new file mode 100644 index 0000000..a4e03d0 --- /dev/null +++ b/source/notes/star_trek_armada/star_trek_armada.md @@ -0,0 +1,135 @@ +# Fixing Star Trek: Armada + +After a few weeks of DS9 brainwashing I felt like playing [Star Trek: Armada](https://en.wikipedia.org/wiki/Star_Trek:_Armada). A cool 20ish year old game, worked fine last time I played it on a Windows XP computer, should be fine, right? + +## Insufficient Memory + +![Not enough memory](not_enough_memory.png)\ + +Not good. This computer has 32gb, undoubtedly something somewhere overflowed. I really wanted to play, so I grabbed OllyDbg and started looking to fix the problem. + +Running under Olly let me debug at the point the message box is opened, and going up the stack a little eventually lead me to this interesting code: + +
+#eval cat memory_check | aha --no-header --stylesheet +
+ +[`GlobalMemoryStatus`](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366586(v=vs.85).aspx) is a Windows API to retrieve memory information, so this is a reasonable place to start looking for why the game would think I have less than 50mb of memory. + +That function populates a `MEMORYSTATUS` struct: + +
+```c +typedef struct _MEMORYSTATUS { + DWORD dwLength; + DWORD dwMemoryLoad; + SIZE_T dwTotalPhys; + SIZE_T dwAvailPhys; + SIZE_T dwTotalPageFile; + SIZE_T dwAvailPageFile; + SIZE_T dwTotalVirtual; + SIZE_T dwAvailVirtual; +} MEMORYSTATUS, *LPMEMORYSTATUS; +``` +
+ +and noting the MSDN page: + +> On computers with more than 4 GB of memory, the GlobalMemoryStatus function can return incorrect information, reporting a value of –1 to indicate an overflow. + +Having 32gb, this probably returns -1, and a signed comparison is being done against an expected value. + +Placing a breakpoint on `0x5005b0` and looking at what `eax` points at yields this: + +
+0018F678|20 00 00 00|27 00 00 00| ...'...
+0018F680|FF FF FF FF|FF FF FF FF|........
+0018F688|FF FF FF FF|FF FF FF FF|........
+0018F690|00 00 FE 7F|00 40 6F 7A|......oz
+
+ +in bold, the values for `dwTotalPhys`, `dwAvailPhys`, `dlTotalPageFile`, and `dwAvailPageFile`. All of these are 0xFFFFFFFF, aka -1. The values for virtual memory are reasonable, just shy of 2GB. + +Confirming the issue, in the assembly above I can see those values are loaded into registers at `0x5005dc` and `0x5005df`, and compared against constants at `0x5005e2` and `0x5005f4`. + +The comparisons aren't terribly interesting, but the conditional branches they result in are: `0x5005f2` and `0x5005fa` are branches with `jge`, which interprets the flags `cmp` set as if they were for a **signed** comparison. + +This probably means the author of this code wrote these checks like: + +
+```c +MEMORYSTATUS* memInfo; +GlobalMemoryStatus(memInfo); +if ( + (int)(memInfo->dwTotalPhys) <= 28 * 1024 * 1024 && + (int)(memInfo->dwTotalPhys) <= 30 * 1024 * 1024 +) { + failMemCheck(); +} +``` +
+ +where instead the constant should have been cast to `SIZE_T` (an unsigned type). + +This is easily fixable: instead of `jge`, use `jae`. Replacing `0x7d` at `0x5005fe` and `0x5005fa` with `0x73` and rerunning seems to convince the game all is fine. + +Except now it crashes at startup. + +## Crash at Start + +Occasionally, the game will resize the parent window (explorer.exe, for how I was running it) to fullscreen and move it to the top left, so there's some memory corruption happening. Probably passing the parent window's handle to Windows functions, rather than its own. + +Either this function was doing something important that I broke by changing the comparison, or something elsewhere is also buggy. + +Looking through functions that are called, there's a fair amount of sprintf, but enough to make me look elsewhere first. There are also calls to getenv, getcwd, and putenv, only one of each, so it's easy to verify if those are relevant or not. + +They get called in the function at `0x0043feb0`, in this region: + +
+#eval cat sprintf_overflow | aha --no-header --stylesheet +
+ +This is promising. My `%PATH%` is fairly large for unrelated reasons, and the buffer that `sprintf` at `0x43ff8c` writes into is `ebp - 0x430`. The formatted string consists of `%PATH%;%CWD%\AI;%CWD%\Missions`, and if that ends up being larger than ~1kb, it begins arbitrarily corrupting the stack. + +The produced string might be important, but to verify this, I replaced the entire `sprintf` with `nop`: + +
+#eval cat sprintf_overflow_fix | aha --no-header --stylesheet +
+ +And reran: + +![star trek armada main scren](armada.png)\ + +It starts successfully! + +Getting into a game shows other issues: + +![ingame graphics glitches](uh.png)\ + +At this point it's likely issues with D3D APIs I don't know so well, so I fiddled with compatibility settings in the hope that something would work. Disabling desktop composition did the trick: + +TODO: image of ingame + +Dunno what desktop composition does other than having to do with Windows Vista and later composing the display differently, so a fun followup might be fixing the game to not require this setting. + +## Bonus: "Please Insert CD" + +If I didn't have the iso of my disk mounted, I was greeted with a pop-up asking me, `Please insert CD`. If you were inclined to do something about that... + +radare: `/ Please\x20insert\x20CD` + +
+#eval cat find_cd_strcheck | aha --no-header --stylesheet +
+ +Finding that string (or most of it) at `0x0061a9b4` + +Figuring out where the string gets used evades the combination of my skills with radare and time I was willing to put in, but Olly was easier: + +1. Right click on any instruction -> search for -> all referenced text strings +1. Right click on strings -> search for "Please insert CD " +1. Double click the highlighted string to show what instruction referenced it +1. That's approximately where the check is done + +Now I think normally there would be a conditional branch at `0x440551` that might show a dialog and close the game, but *for some reason* the test and branch are nop'd out to unconditionally never show me a "Please insert Armada CD" dialog...! diff --git a/source/notes/star_trek_armada/uh.png b/source/notes/star_trek_armada/uh.png new file mode 100644 index 0000000..162151e Binary files /dev/null and b/source/notes/star_trek_armada/uh.png differ -- cgit v1.1