Thessium (readthedocs.org)
Release 0.0.0

Jul 13, 2019


Contents

1 Networking
  1.1 Calculating the checksum
  1.2 Connection dataflow
  1.3 Count/Security Byte
  1.4 Handshake & Session Control
  1.5 Known MsgId’s
  1.6 Module identification
  1.7 MsgID’s by ID
  1.8 Types used in networking

2 Engine
  2.1 Landscape

3 Files
  3.1 2D Graphics
  3.2 3D Graphics
  3.3 Map / Environment
  3.4 Shader
  3.5 Audio
  3.6 Container

4 Reverse Engineering
  4.1 Where to get info?
  4.2 Giveaways

5 Recommended Tools
  5.1 x64dbg
  5.2 CheatEngine
  5.3 ReClass
  5.4 NTCore Explorer Suite
  5.5 ResHacker
  5.6 Interactive Disassembler


CHAPTER 1

Networking

1.1 Calculating the checksum

1.1.1 Algorithm

The game’s checksum calculation is just a generic CRC32 checksum algorithm. It’s the fast implementation because it uses a pre-calculated table.

Usually, the table is generated from a fixed poly. In our case, the poly is selected by the server from a list of 256 different polys. The index of the selected poly in that list is transmitted in the first handshake message.

1.1.2 Operation

• The checksum is generated before encryption.

• The checksum includes all bytes of the message.

• Since the checksum byte is part of the calculation, it’s treated as 0 for the calculation.

1.1.3 Trivia

• Proprietary multi-connection endpoints will not reuse already generated tables.

• Some third-party implementations just ship all 256 tables (65.536 bytes) pre-generated as code.
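Added example (not code from the Thessium project): a table-driven CRC32 whose table is picked by the crc_seed from the handshake, cached per seed, and a message checksum that zeroes the checksum byte before hashing. The 256-entry poly list, the CRC init/final-XOR values and the choice of the low CRC byte as the stored byte are assumptions; index 0 of the constructed list is the standard CRC-32 poly so the table can be checked against zlib.

```python
import zlib
from functools import lru_cache

# The real 256-entry poly list is not on this page; this is a constructed
# stand-in. Index 0 is the standard reflected CRC-32 poly so the table can be
# checked against zlib, the rest are arbitrary odd 32-bit placeholders.
POLY_LIST = [0xEDB88320] + [
    ((0xEDB88320 + i * 0x9E3779B1) & 0xFFFFFFFF) | 1 for i in range(1, 256)
]


@lru_cache(maxsize=None)
def crc_table(crc_seed: int) -> tuple:
    """Build the 256-entry lookup table for the poly selected by crc_seed.

    Cached per seed: an endpoint serving many sessions pays the table
    generation once per distinct seed instead of once per connection.
    """
    poly = POLY_LIST[crc_seed & 0xFF]
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return tuple(table)


def crc32(data: bytes, crc_seed: int) -> int:
    """Table-driven CRC-32; init 0xFFFFFFFF and final XOR are assumed (generic CRC-32)."""
    table = crc_table(crc_seed)
    crc = 0xFFFFFFFF
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Sanity check: with the standard poly (seed 0) the result must equal zlib's CRC-32."""
    return crc32(data, 0) == zlib.crc32(data)


def message_checksum(plaintext: bytes, checksum_offset: int, crc_seed: int) -> int:
    """Checksum over the whole plaintext message with the checksum byte itself zeroed.

    Runs before encryption. Which byte of the CRC is stored is not stated on
    the page; the low byte is assumed here.
    """
    buf = bytearray(plaintext)
    buf[checksum_offset] = 0
    return crc32(bytes(buf), crc_seed) & 0xFF


def stamp_message(plaintext: bytes, checksum_offset: int, crc_seed: int) -> bytes:
    """Sender side: write the checksum byte into a copy of the message."""
    buf = bytearray(plaintext)
    buf[checksum_offset] = message_checksum(plaintext, checksum_offset, crc_seed)
    return bytes(buf)


def verify_message(plaintext: bytes, checksum_offset: int, crc_seed: int) -> bool:
    """Receiver side: recompute and compare; a mismatch means the message is dropped."""
    return plaintext[checksum_offset] == message_checksum(plaintext, checksum_offset, crc_seed)
```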

1.2 Connection dataflow

1.2.1 Establishing a connection

In order to establish a new connection, two major things must be done aside from opening a TCP connection.


Handshake

The HANDSHAKE (5000) exchanges security settings and parameters. The first packet is always sent from the server side and contains information about which security settings to enable and which initial parameters to use. Depending on which settings are enabled, a Diffie-Hellman key exchange and a challenge are performed.

If the handshake was successful, the client side sends the ESTABLISHED (9000) message. Any error will lead to an immediate termination of the TCP connection.

Read more in: Handshake & Session Control.

Identification

Once the session is established, the local and remote side exchange their identities using IDENTIFICATION (2001). The server sends its identity first. The client has to answer with its identity. Any unexpected data or invalid identities will lead to an immediate termination of the TCP connection.

Read more in: Module identification.

1.2.2 Maintaining a connection

Keeping a connection alive is easy. The client has to send a message at least every 5 seconds. It doesn’t matter which message it is. When no messages are received by the server for 5 seconds, the server will terminate the connection. The server will not try to keep the connection alive in any way. When the client has no message to send, it sends a PING (2002).

1.2.3 Closing a connection

There is no known message to end a connection properly (to be checked).

1.3 Count/Security Byte

Each message is stamped with a counter. This is done to avoid replay attacks and message injection. Basically, each message gets an increasing number. All messages need to stay in order. If a number appears out of order, the connection will be terminated.

To make it less obvious, the game uses a pseudo-random number generator algorithm. It’s seeded with an initial value and will generate unobvious numbers. Security by obscurity was already a thing back then.

Sadly, the name of the used algorithm is still unknown. Its operations have been reverse engineered, but it’s still a big chunk of unreadable code.

TODO: Put code here

1.4 Handshake & Session Control

The very first messages after opening the TCP connection are the handshake. The server also describes these as a session. That’s why this article is also titled Session Control. In order to communicate with a server or a client, we need to open a session.

The server sends the first message after the TCP connection is established. Depending on the selected security features, the client has to send a proper answer.


1.4.1 Initialize a session

Type               Bit
None               00000000
Disabled           00000001
Blowfish           00000010
SecurityBytes      00000100
Handshake          00001000
HandshakeResponse  00010000

Remark: The three remaining bits are unused.

1.5 Known MsgId’s

1.5.1 Global

Name                   Response
HANDSHAKE (5000)       HANDSHAKE (5000), ESTABLISHED (9000)
ESTABLISHED (9000)     (none)
IDENTIFICATION (2001)  IDENTIFICATION (2001)
PING (2002)            (none)

1.5.2 SR_Client

1.6 Module identification

1.7 MsgID’s by ID

1.7.1 IDENTIFICATION (2001)

Used for telling the remote end the identity/purpose of our local end. The endpoint will also use this to verify that the other endpoint’s identity is compatible with its own, e.g. the GatewayServer will only talk to SR_Clients on its public port.

Invalid identities will lead to an immediate termination of the connection.

Size  Type    Name      Desc
*     string  Identity  Type of the module
1     bool    IsLocal   false = Machine to Machine, true = Module to Module

Valid identities are:

• SR_Client

• GatewayServer

• AgentServer

• etc.


1.7.2 PING (2002)

Empty message. Sent by the client when no other message has been sent for 5 seconds.

1.7.3 HANDSHAKE (5000)

Condition         Size  Type    Name                 Desc
                  1     byte    security_options     Enabled security options
If Blowfish       8     byte[]  static_blowfish_key  Static Blowfish key
If SecurityBytes  1     byte    crc_seed             Poly of the CRC table generation
                  1     byte    count_seed           Initial seed for count byte
If Handshake      4     int     dh_generator         Diffie-Hellman generator
                  4     int     dh_prime             Diffie-Hellman prime
                  4     int     dh_shared_secret     Diffie-Hellman shared secret

Security Options

Type               Bit
None               00000000
Disabled           00000001
Blowfish           00000010
SecurityBytes      00000100
Handshake          00001000
HandshakeResponse  00010000

1.7.4 ESTABLISHED (9000)

Empty message. Sent by the client to confirm the established session.

1.8 Types used in networking

1.8.1 Simple types

Type    Size  Range
char    1     -128 to 127
byte    1     0 to 255
short   2     -32,768 to 32,767
ushort  2     0 to 65,535
int     4     -2,147,483,648 to 2,147,483,647
uint    4     0 to 4,294,967,295
float   4     3.4E +/- 38 (7 digits)

See: https://msdn.microsoft.com/en-us/library/s3f49ktz.aspx


1.8.2 Compound types

string

Size  Type    Name    Desc
2     ushort  Length  Length of the string
*     char    Text    Text of the string in ASCII
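Added example (not the project’s code) covering the string compound type above together with IDENTIFICATION (2001) and HANDSHAKE (5000) from section 1.7: a small bounds-checked reader and two message-body parsers that reject truncated bodies, trailing bytes, set-but-unused security bits and unknown identities. Little-endian byte order, the Reader class and the constructed sample bodies are assumptions; the identity list is the three names the page gives.

```python
import struct

# Security option bits (HANDSHAKE (5000), security_options byte).
OPT_DISABLED, OPT_BLOWFISH, OPT_SECURITY_BYTES = 0x01, 0x02, 0x04
OPT_HANDSHAKE, OPT_HANDSHAKE_RESPONSE, OPT_UNUSED_MASK = 0x08, 0x10, 0xE0

# Identities listed on the page; the page's list ends with "etc.", extend as needed.
VALID_IDENTITIES = {"SR_Client", "GatewayServer", "AgentServer"}


class Reader:
    """Cursor over one message body. Little-endian byte order is assumed."""

    def __init__(self, body: bytes):
        self.body, self.pos = body, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.body):
            raise ValueError("truncated message")
        chunk = self.body[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self) -> int:
        return self.take(1)[0]

    def int32(self) -> int:
        return struct.unpack("<i", self.take(4))[0]

    def string(self) -> str:
        # compound type 'string': ushort Length, then Length ASCII chars
        length = struct.unpack("<H", self.take(2))[0]
        return self.take(length).decode("ascii")

    def done(self) -> bool:
        return self.pos == len(self.body)


def parse_handshake(body: bytes) -> dict:
    """Decode the server's HANDSHAKE (5000); fields are present only when their option bit is set."""
    r = Reader(body)
    opts = r.byte()
    if opts & OPT_UNUSED_MASK:
        raise ValueError("unused security bits set")
    msg = {"security_options": opts}
    if opts & OPT_BLOWFISH:
        msg["static_blowfish_key"] = r.take(8)
    if opts & OPT_SECURITY_BYTES:
        msg["crc_seed"] = r.byte()
        msg["count_seed"] = r.byte()
    if opts & OPT_HANDSHAKE:
        msg["dh_generator"] = r.int32()
        msg["dh_prime"] = r.int32()
        msg["dh_shared_secret"] = r.int32()
    if not r.done():
        raise ValueError("trailing bytes in HANDSHAKE")
    return msg


def parse_identification(body: bytes) -> dict:
    """Decode IDENTIFICATION (2001); an unknown identity is the cue to drop the connection."""
    r = Reader(body)
    identity = r.string()
    is_local = r.byte()
    if is_local not in (0, 1) or not r.done():
        raise ValueError("malformed IDENTIFICATION")
    if identity not in VALID_IDENTITIES:
        raise ValueError(f"invalid identity {identity!r}")
    return {"Identity": identity, "IsLocal": bool(is_local)}


# Constructed sample bodies, not captured traffic.
SAMPLE_HANDSHAKE = (bytes([OPT_BLOWFISH | OPT_SECURITY_BYTES | OPT_HANDSHAKE])
                    + bytes(range(1, 9)) + bytes([0x2A, 0x11])
                    + struct.pack("<iii", 2, 0x7FFFFFFF, 12345))
SAMPLE_IDENTIFICATION = struct.pack("<H", 9) + b"SR_Client" + b"\x00"
```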


CHAPTER 2

Engine

2.1 Landscape

The landscape is divided into two major types: Terrain and Dungeon. Terrain landscapes are mainly supplied by the Navmesh (.nvm) for collision and Map Mesh (.m), Map Object (.o) and Map T (.t) for rendering. Usually all regions that have a sky are Terrain-typed. Dungeon types are made of Dungeon (.dof). You may know the typical dungeons, e.g. Donwhang Cave or Jangan Cave, but Capture the Flag is also a dungeon.

The client will show only two-dimensional coordinates. But since this is a 3D game, it has to be handled differently. Positioning on the map is split into regions and relative coordinates. It’s like having a usual map with grid squares used for roughly finding a location and using millimeters from the top and left to specify an exact location.

The region is mostly represented as one number, but it’s actually two different numbers. You need to display it in hexadecimal notation; it won’t make sense otherwise.

region = 0x6A35 would be region.X = 0x35 and region.Y = 0x6A.

The first bit of the region is reserved for choosing between Terrain and Dungeon type. The first bit is generally also known as the sign bit, as it tells if a number is negative. So if you see a negative number for the region, you can tell it’s inside a dungeon.
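Added example (not code from the project) for the region encoding just described: split a region id into its X and Y bytes and the Terrain/Dungeon flag, accepting the value either as a signed short (as shown in the client) or as an unsigned 16-bit number, and build one back. The function names are made up for this illustration.

```python
def decode_region(region: int) -> dict:
    """Split a 16-bit region id into X, Y and the dungeon flag.

    The low byte is X and the high byte is Y (0x6A35 -> X 0x35, Y 0x6A).
    The top bit, the sign bit of a signed short, marks a Dungeon region,
    so a negative region number means "inside a dungeon".
    """
    if not -0x8000 <= region <= 0xFFFF:
        raise ValueError("region does not fit in 16 bits")
    raw = region & 0xFFFF  # normalise a negative short to its bit pattern
    return {
        "x": raw & 0xFF,
        "y": raw >> 8,
        "dungeon": bool(raw & 0x8000),
        "signed": raw - 0x10000 if raw & 0x8000 else raw,
    }


def encode_region(x: int, y: int, dungeon: bool = False) -> int:
    """Inverse of decode_region; returns the unsigned 16-bit value.

    Y's top bit is the dungeon flag itself, so passing dungeon=True with a
    Y below 0x80 yields the same value as passing Y with its top bit set.
    """
    if not (0 <= x <= 0xFF and 0 <= y <= 0xFF):
        raise ValueError("region components are single bytes")
    raw = (y << 8) | x
    if dungeon:
        raw |= 0x8000
    return raw
```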


CHAPTER 3

Files

Over the years, many of the proprietary file formats have been reverse engineered. This is a collection of known information.

3.1 2D Graphics

3.1.1 Window Description (NEW) (.2dt)

3.1.2 Bitmap (.dat)

These files are used as images in the launcher only. They are just renamed Bitmaps. Change the ending to .bmp and open them in any image editor you like.

Renamed Bitmap, 24 Bit?, Alpha Color Key,

3.1.3 Direct Draw Image (.ddj)

This format is very simple. The whole file looks like this:

    struct DDJ
    {
        Header header;
        DDS dds_image;
    }

The header is:

    // Size = 20 bytes
    struct Header
    {
        char[12] magic;
        int unknown1;
        int unknown2;
    }

Since the header does not contain useful information, you can just skip the first 20 bytes and load the remaining bytes as a Direct Draw Surface.
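Added example (not the project’s loader): split a .ddj into its 20-byte header and the DDS payload, and check the payload actually starts with a DDS header before handing it to an image decoder, so a truncated or mislabelled file is rejected up front. The DDJ magic value is not given on the page, so the constructed sample uses a placeholder; the DDS four-character code "DDS " and the fixed 124-byte DDS header size are standard DDS facts.

```python
import struct

DDJ_HEADER_SIZE = 20      # char[12] magic + int unknown1 + int unknown2
DDS_MAGIC = b"DDS "       # four-character code that opens every DDS file
DDS_HEADER_SIZE = 124     # DDS_HEADER.dwSize, fixed by the DDS format


def split_ddj(data: bytes) -> tuple[bytes, int, int, bytes]:
    """Return (magic, unknown1, unknown2, dds_bytes) or raise on malformed input.

    Skipping 20 bytes is all the format needs, but validating the length and
    the DDS header first keeps junk out of whatever decodes the surface.
    """
    if len(data) < DDJ_HEADER_SIZE + 4 + DDS_HEADER_SIZE:
        raise ValueError("file too short to hold a DDJ header and a DDS header")
    magic, unknown1, unknown2 = struct.unpack_from("<12sii", data, 0)
    dds = data[DDJ_HEADER_SIZE:]
    if dds[:4] != DDS_MAGIC or struct.unpack_from("<I", dds, 4)[0] != DDS_HEADER_SIZE:
        raise ValueError("payload after the DDJ header is not a DirectDraw Surface")
    return magic, unknown1, unknown2, dds


def make_sample_ddj() -> bytes:
    """Constructed sample: placeholder magic, two zero ints, a minimal DDS header, 16 bytes of pixels."""
    header = struct.pack("<12sii", b"?" * 12, 0, 0)  # real magic is not on the page
    dds_header = DDS_MAGIC + struct.pack("<I", DDS_HEADER_SIZE) + bytes(DDS_HEADER_SIZE - 4)
    return header + dds_header + bytes(16)
```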

3.1.4 Window Description (OLD) (.txt)

3.2 3D Graphics

3.2.1 Compound (.cpd)

3.2.2 Animation (.ban)

Stores one animation of a resource.

Versions:

JMXVBAN 0102

Relevant for:

Region   Version
Vietnam  188

    12 byte header;
    int unk;
    int unk;
    string name; // name of the animation
    int duration;
    int framesPerSecond;
    int unk;
    int keyframeCount;
    int[keyframeCount] keyframes; // timings of the keyframes, so you can interpolate between two poses
    int boneCount; // amount of bones that have transformations different from their bind poses
    for(int i = 0; i < boneCount; i++)
    {
        string boneName;
        int count; // same as keyframeCount
        for(int p = 0; p < count; p++)
        {
            Quaternion rotation;
            Vector3 translation;
            // These two together give you the transformation matrix relative to its parent bone/joint.
        }
    }
    // End of file


3.2.3 Mesh (.bms)

Stores one (partial) mesh of a resource. Due to vertex count limitations, a mesh may be split into multiple separate mesh files.

JMXVBMS_0110

Region   Version
Unknown  Open Beta

3.2.4 Material (.bmt)

3.2.5 Skeleton (.bsk)

Skeleton of an object. Basically a weighted mapping of vertices to bones.

JMXVBSK 0101

Region   Version
Unknown  Open Beta

3.2.6 Resource (.bsr)

A resource combines Animation (.ban), Mesh (.bms), Material (.bmt) and Skeleton (.bsk) into a usable in-game object.

JMXVRES 0109

Region   Version
Unknown  Open Beta

Trivia

• The resource loader of the server requires all data files, not just the ones required for collision detection.

3.2.7 Particle (.efp)

3.3 Map / Environment

3.3.1 Navmesh (.nvm)

Contains terrain collision mesh.

Versions:


JMXVNVM 1000

Relevant for:

Region   Version
Unknown  Open Beta

3.3.2 AINavData (.dat)

3.3.3 Dungeon (.dof)

Versions:

0101

    // File structure for: Dungeon File (*.dof)
    // Created by: DaxterSoul - 2014
    // Encoding: Windows Codepage 949 (Korean), as some of the roomObjectName, entryNames or pointNames are Korean.

    12 byte[] Header                     // JMXVDOF 0101 supported only
    4  uint   pointerRoomObjects
    4  uint   pointerObjectConnections
    4  uint   pointerLinks
    4  uint   pointerObjectGroups
    4  uint   pointerIndexNames
    4  uint   pointerUnk5                // Has been 0 in every file...
    4  uint   pointerUnk6                // Has been 0 in every file...
    4  uint   pointerDungeonBoundingBoxes
    2  ushort unk_ushort0                // Has been 0xFFFF in every file...
    2  ushort unk_ushort1                // Has been 0x0400 in every file...
    2  ushort dungeonNameLength
    *  string dungeonName                // Has been "Noname" in every file... -> used as projectName in MapEditor.
    4  uint   unk_uint0                  // Has been 0xFFFFFFFF in every file...
    4  uint   unk_uint1                  // Has been 0xFFFFFFFF in every file...
    2  ushort regionID                   // Used in packets and database for the whole Dungeon. Used in minimap_d as center- or origin-region (stores _default_).

    // pointerDungeonBoundingBoxes will get you here
    24 float[] dungeon_AABB              // width = AABB[3] - AABB[0], height = AABB[4] - AABB[1], length = AABB[5] - AABB[2]
    24 float[] dungeon_OOBB              // width = OOBB[3] - OOBB[0], height = OOBB[4] - OOBB[1], length = OOBB[5] - OOBB[2]

    // pointerRoomObjects will get you here
    4 uint roomObjectCounter
    for (int roomObjectIndex = 0; roomObjectIndex < roomObjectCounter; roomObjectIndex++)
    {
        2 ushort roomObject.PathLength
        * string roomObject.Path

        2 ushort roomObject.NameLength
        * string roomObject.Name

        4 float roomObject.unk_floot0      // Has been 0 in every file...
        4 float roomObject.X
        4 float roomObject.Z
        4 float roomObject.Y
        4 float roomObject.YAW             // Google it... and use this: 57.2957795 for calculation
        4 float roomObject.PITCH           // Google it... and don't ask for missing roll, this is no flight simulator...
        24 float[] roomObject.AABB         // width = aabb[3] - aabb[0], height = aabb[4] - aabb[1], length = aabb[5] - aabb[2]
        4 float roomObject.unk_float12     // Seems fixed to -2,848866E+38
        4 float roomObject.unk_float13     // Seems fixed to -2,288091E+38
        4 float roomObject.unk_float14     // Example: -150
        4 float roomObject.unk_float15     // Example: 1456
        4 float roomObject.unk_float16     // Example: 0,001

        1 byte roomObject.extraFlagA
        if (roomObject.extraFlagA == 0x01)
        {
            4 float roomObject.ExtraA.unk_float0   // Example: 750
            4 float roomObject.ExtraA.unk_float1   // Example: 680
            4 float roomObject.ExtraA.unk_float2   // Example: 50
            4 float roomObject.ExtraA.unk_float3   // Example: 0,08
        }

        1 byte roomObject.extraFlagB
        if (roomObject.extraFlagB == 0x02)
        {
            4 float roomObject.ExtraB.unk_float0   // Example: 0,1871207
            4 float roomObject.ExtraB.unk_float1   // Example: 0
            4 float roomObject.ExtraB.unk_float2   // Example: -0,8803339
            4 float roomObject.ExtraB.unk_float3   // Example: 0
            4 float roomObject.ExtraB.unk_float4   // Example: 2,932153
            4 float roomObject.ExtraB.unk_float5   // Example: 0
            4 float roomObject.ExtraB.unk_float6   // Example: 3,503246E-42
        }

        4 uint roomObject.unk_uint0        // Has been 0 in every file...
        4 uint roomObject.roomIndex        // Used for roomNames
        4 uint roomObject.floorIndex       // Used for floorNames

        4 uint roomObject.connectedObjectCount           // List of directly connected objects. Example: 70, 146
        for (int i = 0; i < roomObject.connectedObjectCount; i++)
        {
            4 uint objectIndex
        }

        4 uint roomObject.indirectConnectedObjectCount   // List of indirectly connected objects. Example: 70, 4, 146, 80
        for (int i = 0; i < roomObject.indirectConnectedObjectCount; i++)
        {
            4 uint objectIndex
        }

        4 uint roomObject.entryCounter
        4 uint roomObject.unk_uint1        // Either 0 or 1
        for (int entryIndex = 0; entryIndex < roomObject.entryCounter; entryIndex++)
        {
            // Contains Flames, Stones, Jewelry, Water, and other stuff...
            2 ushort entry.NameLength
            * string entry.Name

            2 ushort entry.PathLength
            * string entry.Path

            4 float entry.X
            4 float entry.Z
            4 float entry.Y

            4 float entry.Roll
            4 float entry.Yaw
            4 float entry.Pitch

            4 float entry.ScaleWidth
            4 float entry.ScaleHeight
            4 float entry.ScaleLength

            4 uint entry.extraFlag         // I've seen this as 0x00 for Flames (Torch & Lamps), 0x02 for Stones (impassable), 0x04 for Water
            if (entry.extraFlag == 0x04)   // Water...
            {
                4 uint waterExta
            }

            4 uint entry.ID
            4 float entry.unk_float0
            // 1962.75232 for out_obj_stone
            // 902.9495 for out_obj_door
            // -3.18711172E+38 and similar for water
        }

        4 uint roomObject.pointCounter
        for (int pointIndex = 0; pointIndex < roomObject.pointCounter; pointIndex++)
        {
            2 ushort point.NameLength
            * string point.Name

            4 float point.X
            4 float point.Z
            4 float point.Y

            4 float point.Roll
            4 float point.Yaw
            4 float point.Pitch

            4 float point.Width
            4 float point.Height
            4 float point.Length

            4 float point.float09          // also Roll
            4 float point.float10          // also Yaw
            4 float point.float11          // also Pitch
            4 float point.float12          // Example: 0,8
            4 float point.float13          // Example: 0,007
            4 float point.float14          // Example: 3E-05
        }
    }

    // pointerLinks will get you here
    4 uint unk_uint2
    4 uint unk_uint3
    4 uint unk_uint4
    4 uint linkCounter
    for (int linkIndex = 0; linkIndex < linkCounter; linkIndex++)
    {
        4 uint link.ID
        4 uint link.connectionCount
        for (int i = 0; i < link.connectionCount; i++)
        {
            4 uint objectIndex
        }
    }

    // pointerObjectConnections will get you here
    4 uint objectConnectionCounter       // Always equal to roomObjectCounter?
    for (int objectIndex = 0; objectIndex < objectConnectionCounter; objectIndex++)
    {
        4 uint connectedObjectCount
        for (int i = 0; i < connectedObjectCount; i++)
        {
            4 uint connectedObjectIndex
        }
    }

    // pointerIndexNames will get you here
    4 uint roomCounter
    for (int roomIndex = 0; roomIndex < roomCounter; roomIndex++)
    {
        // Some of them might be empty but that's no problem...
        2 ushort roomNameLength
        * string roomName
    }
    4 uint floorCounter
    for (int floorIndex = 0; floorIndex < floorCounter; floorIndex++)
    {
        // Some of them might be empty but that's no problem...
        2 ushort floorNameLength
        * string floorName
    }

    // pointerObjectGroups will get you here
    4 uint objectGroupCounter
    for (int i = 0; i < objectGroupCounter; i++)
    {
        2 ushort group.NameLength
        * string group.Name
        4 uint group.Flag                // 0 or 1 -> Service?
        4 uint group.objectCount
        for (int ii = 0; ii < group.objectCount; ii++)
        {
            4 uint objectIndex
        }
    }
    // EOF

3.3.4 Object Information / Index

Indexed list of object filenames. Maps numbers used in other files to strings / paths.

Versions:

JMXVOBJI1000

Region   Version
Unknown  Open Beta

CSV-style list with spaces (' ') as separator. Strings need to be encapsulated in double quotes ("my string").

    JMXVOBJI1000
    // <Number of lines>
    // <First line>
    // <Second line>
    // ...
    // <nth line>

Example

    JMXVOBJI1000
    16
    00000 0x00000001 "res\bldg\china\cj_ferry\cj_ferry_buil.bsr"
    00001 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_warehou.bsr"
    00002 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_dam02.bsr"
    00003 0x00000000 "res\bldg\china\dunhuang\ferry\naruter_buil.bsr"
    00004 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_stone01.bsr"
    00005 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_box.bsr"
    00006 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_wagon.bsr"
    00007 0x00000001 "res\bldg\china\cj_ferry\cj_ferry_enter.bsr"
    00008 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_tombstone.bsr"
    00009 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_buil02.bsr"
    00010 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_bottle.bsr"
    00011 0x00000001 "res\bldg\china\dunhuang\ferry\naruter_fish01.bsr"
    00012 0x00000000 "res\nature\china\dunhuang\ferry\w_cd_budawal.bsr"
    00013 0x00000001 "res\nature\china\dunhuang\ferry\w_cd_stonwal04.bsr"
    00014 0x00000000 "res\nature\china\dunhuang\ferry\w_cd_stonwal11.bsr"
    00015 0x00000000 "res\nature\china\dunhuang\ferry\w_cd_small_stonwal.bsr"
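Added example (not the project’s own loader) for the Object Information / Index format above: a parser that checks the magic, the declared line count and the strict `<index> <0xflags> "<path>"` shape of every line, and refuses index entries whose path could point outside the data root, since other files use these numbers to open files. The constructed sample reuses the first four entries of the page’s example with a matching count; the regex and function names are this example’s own.

```python
import re

OBJI_MAGIC = "JMXVOBJI1000"
# <index> <flags as 0x........> "<path>"; strings must be double-quoted
ENTRY_RE = re.compile(r'^\s*(\d+)\s+(0x[0-9A-Fa-f]{1,8})\s+"([^"]*)"\s*$')


def parse_obji(text: str) -> list[tuple[int, int, str]]:
    """Parse an Object Information / Index file into (index, flags, path) rows."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].strip() != OBJI_MAGIC:
        raise ValueError("unsupported or missing JMXVOBJI1000 magic")
    if len(lines) < 2 or not lines[1].strip().isdigit():
        raise ValueError("missing entry count line")
    declared = int(lines[1])
    rows = lines[2:]
    if len(rows) != declared:
        raise ValueError(f"declared {declared} entries, found {len(rows)}")
    entries: list[tuple[int, int, str]] = []
    for lineno, row in enumerate(rows, start=3):
        m = ENTRY_RE.match(row)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry")
        index, flags, path = int(m.group(1)), int(m.group(2), 16), m.group(3)
        if index != len(entries):
            raise ValueError(f"line {lineno}: expected index {len(entries)}, got {index}")
        # Paths are relative to the data root; refuse anything that could
        # escape it before the index is ever used to open files.
        parts = path.replace("/", "\\").split("\\")
        if path.startswith(("\\", "/")) or ":" in path or ".." in parts or "" in parts:
            raise ValueError(f"line {lineno}: unsafe path {path!r}")
        entries.append((index, flags, path))
    return entries


# Constructed sample: the first four entries of the page's example with a matching count.
SAMPLE_OBJI = r'''JMXVOBJI1000
4
00000 0x00000001 "res\bldg\china\cj_ferry\cj_ferry_buil.bsr"
00001 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_warehou.bsr"
00002 0x00000000 "res\bldg\china\cj_ferry\cj_ferry_dam02.bsr"
00003 0x00000000 "res\bldg\china\dunhuang\ferry\naruter_buil.bsr"
'''
```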

3.3.5 Map Mesh (.m)

Versions:

JMXVMAPM1000

Region   Version
Unknown  Open Beta

3.3.6 Map Object (.o)

3.3.7 Map T (.t)

3.4 Shader

3.4.1 Pixel Shader (.psh)

3.4.2 Vertex Shader (.vsh)

3.5 Audio

3.5.1 Ogg (.ogg)

Format, Version, Bitrate?, etc.

3.6 Container

3.6.1 Joymax Pak File (.pk2)

Abstract

Joymax Pak File is used to store the game’s data files. The format is fragmented; index data and content data are stored in no specific location. Index data is stored in blocks of X entries and is encrypted using Blowfish (LINK). The content data is neither encrypted nor compressed in any way.


Format

Magic

Header

Index data

Data

Nothing special. Data is stored without protection or encryption.

Trivia

• Joymax’s implementation does not support defragmentation. Pak Files can only grow.

• Joymax’s implementation uses a “plain text password” instead of the plain blowfish key. The blowfish key is generated from the password.

• https://www.elitepvpers.com/forum/sro-coding-corner/1992824-wip-silkroad-file-formats-bsr-bms-bmt-bsk-ban.html

• https://www.elitepvpers.com/forum/sro-coding-corner/3854560-release-filestructure-jmxvdof-0101-a.html


CHAPTER 4

Reverse Engineering

Reversing a new executable from scratch can be a tough challenge. The community around the game has become very closed regarding information. This page is for sharing offsets.

4.1 Where to get info?

1. Look on the net. There is plenty of info in existing code.

2. Look at the binary. Many debug strings can tell you what the code does.

3. Look at the binary, again. Some may contain runtime type information (RTTI). This will tell you class names, inheritance and (virtual) member functions.

4. Ask. Just ask. If you form a polite, well-asked question, you will most likely get an answer.

5. If you’re really desperate: compile a test binary with the same compiler and stdlib and use tools like K4m1n0 to find similarities.

6. Still no luck? Dig deep into the binary; some functions may remain unknown for days, weeks, even months.

4.2 Giveaways

4.2.1 Offsets

Some addresses to start off.


Offset      Description                                                     Type  Client
0xDEADBEEF  Example data offset that does nothing                           data  VSRO 188
0x008311C0  WndProc                                                         code  VSRO 188
0x008328C0  WinMain                                                         code  VSRO 188
0x009EC570  CNavigationDeadreckon::MoveToCoords(short, struct D3DVECTOR *)  code  VSRO 188
0x009D87C0  CICPlayer::Render                                               code  VSRO 188
0x00BAD750  CGFXVideo3d::EndScene                                           code  VSRO 188
0x00BAED40  CGFXVideo3d::BeginScene                                         code  VSRO 188

4.2.2 Structures

Some reverse engineered structures to play around in ReClass.

    // This camera class is a demonstration, it's not the real one
    struct CCamera
    {
        D3DVECTOR position;
        D3DVECTOR rotation;
    }


CHAPTER 5

Recommended Tools

5.1 x64dbg

Website: https://x64dbg.com/

A great debugger and disassembler. Has some bugs here and there but is really powerful.

5.2 CheatEngine

Website: https://www.cheatengine.org/

Classic tool for memory scanning. Alternatives?

5.3 ReClass

Website: many

There are many flavors of ReClass. Pick the one that fits your needs. If you’re unsure which one to choose, just pick the original one.

5.4 NTCore Explorer Suite

Website: https://ntcore.com/?page_id=388

NTCore got a great set of tools. CFF Explorer is really useful for making changes to the PE Header.


5.5 ResHacker

Website: many

Oldschool resource editor. The resources of a portable executable are underestimated. Aside from the application icon, resources can also contain strings, images, forms or even large binary objects.

5.6 Interactive Disassembler

Website: https://www.hex-rays.com/

IDA is a really powerful binary analysis tool. It’s definitely the right tool for the job, even if it has some flaws. IDA v7.0 was recently released as freeware, with some limitations of course, so give it a try.
