NULL mag Issue 04 17 SaveFile Reverse Engineering
__ _ __ _ _ __
______\ \_\\_______________________\///__________________________//_/ /______
\___\ /___/
| .__ __ |
| | ___ __________/ |________ |
| \ \/ / ____/\ __\_ __ \ |
; > < <_| | | | | | \/ ;
: /__/\_ \__ | |__| |__| :
. \/ |__| .
. .
: H/Q Another Droid BBS - andr01d.zapto.org:9999 :
; ;
+ --- -- - . - --- --- --- - . - -- --- +
: :
| Savefile reverse engineering |
: :
` --- -- - . - --- --- --- - . - -- --- '
I created a new mod and wanted to be able to export a phonebook file in
the format of Netrunner. Unfortunately, Netrunner is closed-source
software, so it is not possible to get the code or the record type for the
structure of the phonebook file. One option is to ask the developer, who
might be willing to share the structure... but in that case I wouldn't
have had a reason to write this tutorial on reverse engineering a save
file :) of any type.
So for this example I will use Netrunner, a tool for checking differences
between binary files called vbindiff (install it with apt-get), a
calculator, paper and pen :)
First thing about reverse engineering: it is not 100% accurate! Keep that
in mind. When you don't have the code for something you can only make
guesses, or at some point you will have to make a guess... and guesses are
not accurate :) When you reverse engineer a file, some code or a machine,
you may figure out 98-99.999% of it, but something will always be missing,
because sometimes things are not obvious or can be done in various
ways... anyway, let's start.
Remove your old phonebook file and start Netrunner. NR will tell you that
the phonebook doesn't exist and will create a new one, which will be about
70KB. First clue! NR creates the complete file, as if it already had a
full phonebook. Otherwise the file would be very small and would grow
every time you saved a new record. A file preallocated like this almost
always means fixed-size records: a header followed by a constant number of
equal-sized slots, something you can confirm later once you know the
record size.
Open the file netrunner.phn in a hex viewer (vbindiff works on a single
file too). Navigate inside the file and take a look. We only see some
text at the top of the file like "NetRunner Phone Book" and a few
characters... we also see that at some points the name of the capture file
is mentioned, by default netrunner.cap. Not much info to proceed with. So
open NR and create a phonebook record. In each field type a number and
fill the whole field. For example in Sys.Name type
11111111111111111111, in Address 222222222222222222222222222, in Sysop
33333333333333333333 etc. Use a different digit for each field so that no
field can be mistaken for another, and fill each field completely so the
length you read back is as close as possible to the field's maximum size.
Fill all the text fields but don't touch anything else. Save the file.
Reopen netrunner.phn in the hex viewer and look at the file again. Now we
have more info to proceed. It is obvious that we can get the positions of
the fields we filled out very easily. You will notice that at the
beginning of each field there is one extra byte. This is the length of the
field, because the record structure of Netrunner is written in Pascal,
where a string[N] is stored as one length byte followed by a fixed buffer
of N bytes. But how do I know it is written in Pascal? I know it because I
know the author uses Pascal for his programs... but even if I didn't know
that, I checked the Netrunner executable with a hex editor and found code
and strings that are used under Free Pascal (e.g. TIniFile).
So before each field we have its length, shown in hex. Use your calculator
to convert that to decimal and write it down on your paper. Note each
field and its corresponding length. One caveat: the bytes between the end
of the digits you typed and the next length byte are the unused rest of
that field's fixed buffer, so the size of a field on disk is the distance
from one length byte to the next, not just the number of characters you
typed. With just this step we almost have the record structure, but now
the hard part begins. Text fields are easy to find, but in the phonebook
editor of NR we also saw other fields like StatusBar, Emulation,
Backspace and more. Those fields are not stored as text but as bytes,
perhaps even bits. How do we find those values?
If you remember, I told you not to touch any fields except the text ones.
Go to the NR directory and make a copy of the new phonebook file we
created (call it netrunner.cop). Now change the value of the StatusBar
field and save it. Here we need the program we installed earlier,
vbindiff. We are going to compare the two files netrunner.cop and
netrunner.phn with vbindiff. Give this command:
vbindiff netrunner.cop netrunner.phn
The program will start. Press Enter once and you will see that one byte in
the displayed files is shown in magenta. Now we know that this is the byte
for the StatusBar option. When it says "ON" inside Netrunner the value is
01 and when it says "OFF" it is 00... simple? It is simple because this
option/field has only two states: it is a boolean variable. But if you
check the Emulation field, you will notice that it has three states:
VT102, NONE, ANSI-BBS. How do we find those? The same way: change the
value once, save, and compare with the original file; then repeat for
every state, so you record each value the byte can take. But only change
one option/field at a time!!! You don't want to change e.g. StatusBar and
Emulation together, because then we will not be able to tell which byte in
the phonebook file belongs to which option.
We have to do that for each field and for each value of that particular
field, so we know the exact location in the file and also which values it
takes. Do that and afterwards come back to continue the tutorial..........
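The "change one option, save, diff" loop described above, done in Python as an added example (this is not code from the article or from Netrunner). It does what vbindiff shows on screen: it lists every changed byte with its new value, groups consecutive offsets so a multi-byte value appears as one range, and merges the single-byte results into the position-and-value table you would otherwise keep on paper. The baseline blob and every offset in sample() are constructed for the demo; 0x21 and 0x2F only mirror numbers the article reports, and nothing here is Netrunner's real layout. The same diff is what you would run on two freshly created empty files to spot a date field in the header.

```python
# Added example: build an "option -> offset -> value" table from single-change saves.
# Nothing here is Netrunner's format; sample() builds a made-up baseline.

def diff_bytes(a: bytes, b: bytes):
    """Every byte that differs, as (offset, old, new): the cells vbindiff paints magenta."""
    if len(a) != len(b):
        raise ValueError(f"sizes differ ({len(a)} vs {len(b)}): a record was added or removed")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]

def group_ranges(offsets):
    """Collapse consecutive offsets into (first, last) pairs, so a four-byte
    date shows up as one range instead of four separate hits."""
    ranges = []
    for off in sorted(offsets):
        if ranges and off == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], off)
        else:
            ranges.append((off, off))
    return ranges

def map_options(baseline: bytes, variants: dict):
    """variants maps a label ('StatusBar=ON') to the file saved after changing
    only that option. Returns label -> {'values': {offset: new byte},
    'ranges': [(first, last), ...]}."""
    table = {}
    for label, blob in variants.items():
        changes = diff_bytes(baseline, blob)
        table[label] = {
            "values": {off: new for off, _, new in changes},
            "ranges": group_ranges(off for off, _, _ in changes),
        }
    return table

def field_layout(table):
    """Merge the one-byte results into offset -> {label: value}: the list of
    positions and values the article has you write down. Entries that changed
    more than one byte are skipped: either a multi-byte field, or two options
    changed in the same save, which cannot be attributed to either one."""
    layout = {}
    for label, info in table.items():
        if len(info["values"]) != 1:
            continue
        (off, val), = info["values"].items()
        layout.setdefault(off, {})[label] = val
    return layout

def patched(buf: bytes, changes: dict) -> bytes:
    """Copy of buf with {offset: value} applied; stands in for
    'change one option in the program and save'."""
    out = bytearray(buf)
    for off, val in changes.items():
        out[off] = val
    return bytes(out)

def sample():
    """Constructed 0x40-byte baseline plus the saves you would make by hand."""
    base = bytearray(0x40)
    base[0:20] = b"NetRunner Phone Book"
    base[0x21:0x25] = bytes.fromhex("108d3e5f")   # pretend date bytes (assumption)
    base[0x2F] = 1                                 # pretend record count (assumption)
    base = bytes(base)
    variants = {
        "StatusBar=ON": patched(base, {0x35: 1}),
        "Emulation=NONE": patched(base, {0x36: 1}),
        "Emulation=ANSI-BBS": patched(base, {0x36: 2}),
        # the mistake the article warns about: two options changed in one save
        "StatusBar=ON,Emulation=ANSI-BBS": patched(base, {0x35: 1, 0x36: 2}),
        # a second empty file created a little later: only the date bytes moved
        "fresh file, later": patched(base, {0x21: 0x22, 0x22: 0x91, 0x23: 0x40, 0x24: 0x60}),
    }
    return base, variants

if __name__ == "__main__":
    base, variants = sample()
    table = map_options(base, variants)
    for label, info in table.items():
        print(f"{label:34} ranges={[(hex(a), hex(b)) for a, b in info['ranges']]}")
    print(field_layout(table))
```

Run it and the two-options-at-once save shows up with two changed bytes and no way to say which is StatusBar, while the "fresh file" diff collapses to a single 0x21-0x24 range, which is exactly the reason to change one thing per save and to look at ranges rather than single bytes.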
Finished?
Are you sure? Because I am getting the feeling that you are lying... :p
So by now we know the values and positions (almost) of each field. There
is one more thing to do. As we saw at the beginning, at the start of the
file there is a small header: the "NetRunner Phone Book" text. But a
header could contain more info, not only that text. We need to know the
format of the header and also its length. Headers in general are tricky.
In your working phonebook file, create one more record. Fill only the
Sysname (or any other text field, but only ONE field). Open the phonebook
with a hex editor (vbindiff also does the job) and check the text of the
field (Sysname) of the first record and of the second record. If you count
the bytes between the start of Sysname in the first record and the start
of Sysname in the second record, this difference is the size of one
phonebook record/entry. Add up the bytes of the structure (you should
already have found it :p) and compare the sum with this number; they
should match. If they don't, the difference is data you haven't accounted
for, e.g. unused buffer bytes or option bytes you have not located yet.
Now compare the file from before you added the second record with the new
one in vbindiff (keep a copy before each change, as with netrunner.cop).
vbindiff will show some differences, because we added one more record.
You will immediately see that at position 2F we have a difference. This
is the number of records in our phonebook file. We are lucky, because this
byte sits right before the length byte of the first record's Sys.Name. So
now we know that the header of the phonebook file ends at 2F!
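The steps above (read the length byte in front of each field, measure the distance between the same field in two records, check the sum of the structure against it, and locate the record count just before the first record) as an added Python example. This is not code from the article or from Netrunner: the file it builds is constructed, LAYOUT and the 0x30-byte header with the count in its last byte are assumptions made for the demo (they only mirror the article's numbers), and the three string sizes and two option bytes are invented. It also preallocates unused slots, like the 70KB file NR creates, so the size check uses slot count rather than record count.

```python
# Added example: recover a Pascal record layout from a save file.
# The file built here is CONSTRUCTED; LAYOUT and the 0x30-byte header are
# assumptions for the demo, not Netrunner's real structure.

HEADER_TEXT = b"NetRunner Phone Book"
HEADER_LEN = 0x30            # assumed: count byte at 0x2F, first record at 0x30

# Assumed record: (field, declared string[N] size, or None for a one-byte option)
LAYOUT = [
    ("sysname", 20),
    ("address", 30),
    ("sysop", 20),
    ("statusbar", None),     # 0 = OFF, 1 = ON
    ("emulation", None),     # three states, stored as 0/1/2 (assumed order)
]

def expected_record_size() -> int:
    """A Pascal string[N] occupies N+1 bytes (length byte + buffer); options 1 byte."""
    return sum(1 if n is None else n + 1 for _, n in LAYOUT)

def short_string(text: str, size: int) -> bytes:
    """Encode a string[size]: one length byte, then a zero-padded fixed buffer."""
    data = text.encode("latin-1")[:size]
    return bytes([len(data)]) + data.ljust(size, b"\0")

def pack_record(**fields) -> bytes:
    out = bytearray()
    for name, size in LAYOUT:
        if size is None:
            out.append(int(fields.get(name, 0)))
        else:
            out += short_string(fields.get(name, ""), size)
    return bytes(out)

def build_file(records, capacity=4) -> bytes:
    """Preallocated like NR's file: header, then `capacity` slots with the
    unused ones zero-filled; record count stored in the header's last byte."""
    header = HEADER_TEXT.ljust(HEADER_LEN - 1, b"\0") + bytes([len(records)])
    slots = list(records) + [{}] * (capacity - len(records))
    return header + b"".join(pack_record(**r) for r in slots)

def build_sample() -> bytes:
    """Record 1 filled with digits as the article suggests; record 2 has ONE field."""
    return build_file([
        dict(sysname="1" * 20, address="2" * 27, sysop="3" * 20, statusbar=1, emulation=2),
        dict(sysname="AAAA"),
    ])

def locate_field(buf: bytes, marker: bytes):
    """Find the text you typed; the byte before it is the Pascal length prefix.
    Returns (offset of the length byte, stored length), or None if absent."""
    pos = buf.find(marker)
    if pos < 1:
        return None
    return pos - 1, buf[pos - 1]

def record_stride(buf: bytes, marker_rec1: bytes, marker_rec2: bytes) -> int:
    """Distance between the same field in two consecutive records = record size."""
    return locate_field(buf, marker_rec2)[0] - locate_field(buf, marker_rec1)[0]

def header_info(buf: bytes, first_marker: bytes):
    """The header ends where the first record's first length byte begins; the
    article found the record count in the byte just before that."""
    off, _ = locate_field(buf, first_marker)
    return off, buf[off - 1]

def slot_count(buf: bytes, first_marker: bytes, second_marker: bytes):
    """(file size - header) must divide evenly by the record size; the quotient
    is how many slots were preallocated, not how many records are in use."""
    header_len, _ = header_info(buf, first_marker)
    stride = record_stride(buf, first_marker, second_marker)
    body = len(buf) - header_len
    return body // stride if body % stride == 0 else None

def read_record(buf: bytes, off: int) -> dict:
    """Decode one record with LAYOUT, i.e. the structure you wrote on paper."""
    out = {}
    for name, size in LAYOUT:
        if size is None:
            out[name] = buf[off]
            off += 1
        else:
            n = buf[off]
            out[name] = buf[off + 1: off + 1 + n].decode("latin-1")
            off += size + 1
    return out

if __name__ == "__main__":
    buf = build_sample()
    for name, marker in (("sysname", b"1" * 20), ("address", b"2" * 27), ("sysop", b"3" * 20)):
        off, n = locate_field(buf, marker)
        print(f"{name:8} length byte at 0x{off:02X} = {n}")
    stride = record_stride(buf, b"1" * 20, b"AAAA")
    print("record size:", stride, "structure sum:", expected_record_size())
    print("header ends at / count:", header_info(buf, b"1" * 20),
          "slots:", slot_count(buf, b"1" * 20, b"AAAA"))
    print(read_record(buf, HEADER_LEN + stride))
```

On a real file you would replace build_sample() with open(path, "rb").read() and fill LAYOUT from what you noted down; if record_stride() and expected_record_size() disagree, the gap is exactly the bytes you have not mapped yet.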
A header can contain any sort of info/data, so it is not always possible
to figure it out. In some cases it may contain checksums, dates, file
size etc. So in order to figure them out we need to do a lot of testing in
various ways.
For example, create two new phonebook files, one after another. No need to
create any records. Compare those two files and you will see that the
bytes from 21-24 hex have changed. With no other bytes changed, we can
assume that those four bytes contain a date value in some format; in our
case a Pascal date value. Keep in mind that a Free Pascal TDateTime is an
8-byte double, so a four-byte field is more likely a packed integer date
(the DOS file date format, for example); which one it is you can only
settle by creating files at known times and decoding the candidates.
Now we have reached a point where we can't figure out the other bytes of
the header... we have a text string, a date, a number for the record count
and also a version number (the 1 00 string). When we reach a point like
this, we can copy the header from an existing file into the file we create
with our own code and check whether it works or something goes wrong. So
we could copy the header from a valid phonebook file and see if, for
example, the program crashes, records don't appear, etc. Information like
that can give us ideas about what to search for next and how.
But we can stop right here, as for our purposes we don't need the header.
We can make a conversion utility from Netrunner to Syncterm just by
knowing the record structure, so we are happy with that.... :)
With the same process we can reverse engineer save game files from games
and create cheats/patches that give us more credits, lives, gold etc. in
the game. It's just trial and error... ;)
+ --- -- - . - --- --- --- - . - -- --- '
_____ _ _ ____ _ _
| _ |___ ___| |_| |_ ___ ___ | \ ___ ___|_|_| | 8888
| | | . | _| | -_| _| | | | _| . | | . | 8 888888 8
|__|__|_|_|___|_| |_|_|___|_| |____/|_| |___|_|___| 8888888888
8888888888
DoNt Be aNoTHeR DrOiD fOR tHe SySteM 88 8888 88
8888888888
/: HaM RaDiO /: ANSi ARt! /: MySTiC MoDS /: DooRS '88||||88'
/: NeWS /: WeATheR /: FiLEs /: SPooKNet ''8888"'
/: GaMeS /: TeXtFiLeS /: PrEPardNeSS /: FsxNet 88
/: TuTors /: bOOkS/PdFs /: SuRVaViLiSM /: ArakNet 8 8 88888888888
888 8888][][][888
TeLNeT : andr01d.zapto.org:9999 [UTC 11:00 - 20:00] 8 888888##88888
SySoP : xqtr eMAiL: xqtr@gmx.com 8 8888.####.888
DoNaTe : https://paypal.me/xqtr 8 8888##88##888