Thanks for being here! I hope you enjoy and get something out of this video.
I will be posting any edits/updates/corrections to this pinned comment.
The mistakes I've found already in post have already been marked in the video, aside from one:
It was a mistake to leave making my intro for last + making it in the middle of the night such that it became the fever dream that you see today.
If any other mistakes or updates are identified, I'll post them here - Thanks for watching!
1. H/T to Antoine Neuenschwander for explaining that the ‘&’ I talk about appearing in some strings at 58:36 in the video denotes which key to press when holding “Alt” to highlight or select an option. Thank you!
2. Not an error, but an update: A classmate of mine saw this video and was able to provide the name of the real Professor Brian! False Brian is reacting as you’d expect to the news…
Yes I will! Sorry about that. I probably need to bump it up in the debugger as well - I was noticing I didn’t do the same adjustment in x64dbg, and it’s needed there too. Thank you for the feedback!
@@jeFF0Falltrades hey, great work! Two things: using dark mode would be nice! And second, xref doesn't appear on the score string, any ideas why? I tried looking it up but didn't find it
@@o1-preview Thanks for watching and for the follow-ups! 1. I did start using dark mode in my later videos; Just took me a while to finally switch that on in my recordings. 2. You won’t see any Xrefs to strings loaded with “LoadStringW” because they are loaded by *ID*, not by address - so when a disassembler like Ghidra does the disassembling, it doesn’t recognize any cross-reference to the string address because there is no reference to the address itself; Instead the string is loaded by its resource ID.
Really high quality content here... probably the best video on this platform for a beginner (me)... please continue making this kind of videos Jeff... Love from Italy
Thank you so much, Gianbattista - You are too kind. I’m so glad to hear you enjoyed and I plan on making more content soon! Already have some ideas in mind for next time :-) Happy New Year!
I think this is the video that makes me finally understand. I like that this video is slower and explains each step plus the reasoning behind it, a lot of videos I've watched seem to just expect me to understand _why_ without explanation. Thank you so much!
So good to hear! That’s why I started doing this series: I always had a hard time finding tutorials that took it slow and built upon concepts, so I’m at least trying to get something like that going in these. Thanks for watching!
This is a really good introduction to reverse engineering. After other tutorials I was always feeling lost and overwhelmed. Yours has really clear explanations and walk-through of the entire process. Thank you for your work. I am excited to learn more.
From your experience, I myself am a beginner, how would you recommend me to start learning reverse engineering by myself. Should I first learn C or assembly or any other topics?
At 58:36 those ampersand characters are used to denote access keys shortcut. In the dialog, press the "Alt" key to reveal the access keys (underlined characters) and type "a" to switch to Standard mode.
Hey, just viewed your tutorial at work :). I think your teacher (Brian) would be proud of you. I've been struggling to learn RE for years, always kept it for later. I can't tell you how much I appreciate that you found time for beginners like me, and explained it perfectly. Thanks! :)
Listen to me.... After 5 months of publishing this treasure of infos. And after about 10 months for me learning.... I can say that you are walking the same road as your teacher.... God bless you both ❤❤ This channel should be my source now
Haha I’m glad you think so! I’ve found that some people really like the long form, and some people don’t, so I try to mix it up - I like doing these longer vids because I know if I was starting over again, I would want someone to walk me through step-by-step. So I hope you enjoy, and don’t feel like you have to tackle it all at once ;-). Thanks for watching!
@@moviezbuzz77 The ideas are there! I have a few things in the chute that I just need to find time to put together. More is coming though :-). Thanks for watching!
Absolutely the best intro to RE'ing I've ever seen! Directly thanks to you I've been able to crack some long-forgotten niche software my Dad uses on a regular basis. Cannot let abandoned software go to waste :) Thank you so much!
Outstanding job!!! Thanks so much for the kind words, and if you enjoy learning more, I have a new vid planned for release hopefully by the end of this month/beginning of next :-). Thanks for watching!
I am incredibly grateful for the good reverse engineering tutorials you create. Your detailed and slow-paced approach to teaching is really helpful. Please know that your work is highly appreciated, and I eagerly await each new tutorial. Keep up the fantastic work! Thank you!
Thank you so much! Please take your time with it - As someone who had to watch through multiple times in post, it's best enjoyed in pieces ;-). I hope you enjoy!
1:37:39 well that's easy: all you really had to do was to set up a WRITE breakpoint on the SCORE (its address you did figure out and that was a hard part), so the timer would decrease the SCORE and hit your breakpoint on doing so.
Hope to be back soon! Started researching the next vid a couple of months back but work/life (and some issues with YT that have since been resolved) have gotten in the way. I’ll be back soon enough though ;-) Thanks for watching!
Hey, I'm a fourth year comp sci student and just wanted to say that I loved the series and the videos were really helpful. We used ARMv8 so I wasn't a beginner by any means, but I thought that your explanations were great and fit in well with my current knowledge base. You also really broke down the use of the tool chain well which allowed me to experiment on my own with your crackme challenge. This actually was a great exercise because it allowed me to see where my knowledge gaps were when I was trying it on my own and in turn I could go back and reference the video. I must admit that Ghidra has some quirks compared to watching others use IDA, but 5k for the pro version that comes with a decompiler is too much for educational exploration. Thank you so much for this.
Thanks so much for this incredible feedback! So glad to hear you enjoyed this one (I also really enjoyed making this one - it was a ton of fun), and I wish you all the best as a fellow CS grad. Hope some of the other videos here and future videos we do will also help along, and never hesitate to ask questions if you have them. Lastly: Very agreed on the IDA pricing and why I pretty much switched to being all in for Ghidra and (occasionally) IDA free :-)
The score_base_minus_0x30 is probably a pointer to a struct if I had to take a guess. And the score field is stored 48 bytes into the struct, hence adding 0x30. I believe Ghidra has the ability to handle structs if you tell it that something is a struct.
Yep, that makes sense - I don’t think I had seen the auto-variable rename like that in Ghidra before, but I like it! Thanks for that clarification and thanks for watching!
Thank you so much for sharing! I love hearing this because this is the reason I enjoy making these videos - So glad to hear the video helped and hope you enjoy this one too! Thanks for the kind words and motivation.
@@jeFF0Falltrades I appreciate that, one day YouTube will choose your videos and show them to people who are interested in reverse eng and binary analysis and I'm sure they will be as happy as me :)
A useful tool for you to add to your arsenal might be Cheat Engine (A memory scanner). Can really aid in finding how various values are stored, what code they're accessed by, etc. Great video
Thanks so much, John! Very familiar with Cheat Engine, and I would also recommend it to anyone wanting a smooth intro to patching/RE. I’ve thought about including it in some future videos, but I’ve had issues with YT flagging videos for any mention of it previously. I’ll say here though: A great tool for beginners (when used for good)!
After building the DLL I kept getting a 0x7b error. Couldn't find out why and was slowly losing it. Pulled it into Ghidra and found out it was 64-bit. Built again with MinGW x86 and successfully got rick rolled. Finally, I was sane again. Thank you for this wonderful course.
"Successfully got rick rolled. Finally, I was sane again" - The universe in balance once again. Haha, thanks so much for watching and so glad you enjoyed! Great troubleshooting, too.
They’d be going a lot better if stupid Diane Sweeney wasn’t taking attention away from my beautiful gourds with her glow-in-the-dark pumpkins - It’s nothing but a party trick, but people are too busy gawking over that spectacle to notice the quality of these gourds!
Thanks so much for the kind words! I’m so happy to have you here. Hoping to push out another one here in the next month or two (if things go to plan) :-). Thanks for watching and I hope it helped you.
Hey, just throwing this out since you mentioned the confusion with the '&' inside of some of the strings. Having done development with Windows forms, which are like a complex wrapper for low-level C++ GUI development, the '&' is a symbol used by Windows for shortcut keys. I'm not sure when this feature was used the most, but you can still use it today by pressing Alt in a program, and then looking at the menu items that have a character with an underscore. The underscored characters are hints for what menu item you want, if you press the same letter as the underscored character, it will open that menu item.
Thank you! Yes a few others chimed in to explain that and I appreciate it - I hadn’t seen that syntax before, but it’s kind of a neat way to denote shortcut keys! Thanks so much and thanks for watching!
@@jeFF0Falltrades No problem. Love the videos. I actually found the usage in the strings to be a little funny as I didn't know that C++'s Windows GUI API used the same syntax for that feature. I thought it was a quirk with the C# Windows Forms, so it was entertaining to see it 😄
@@bug1083 Hahaha yeah, I’ve really had a laugh at some of the things that come out as happening “under the hood” when reversing software - Lots of “Wait…*that’s* how they made that work?” moments 😆
@@jeFF0Falltrades Yeah haha. I only recently discovered your channel, and not sure how much you dabble in languages and asm optimization, but it might be cool to see you reverse engineer code relating to some of the lesser known assembly instructions, big ones being "vmovupd", "vmaxpd", and "vzeroupper", which are robust vector instructions. I'm actually curious how often those keywords appear out in the wild with modern programs today, and what exactly they do in the context they appear in. They are more complicated and require a lot of work on my part when using GCC; you have to almost directly tell the compiler to use them when optimizing sometimes, so it'd be interesting to see.
Yes! I saw another comment about this and you are correct; I made an edit to the pinned comment to reflect this. That makes perfect sense in hindsight. Thanks for watching!
Really impressive! Thanks for this HUGE info. I'm/was looking for info to reverse engineer an old Fortran program of 140kb. Those programs might help a lot.
So glad you enjoyed! Debugging software for Macs is tricky - I think the only GUI debugger that works on Mac and comes close to x64dbg is gdbgui. Others may have different options, but that’s the one I’ve seen used most often.
this is a really great video but near the end I thought you were going to do something like an exe that, if you launch it, applies the patches to the game but doesn't make permanent changes to the original exe. I don't know if you already have a video on your channel but it would be great for modding
Yeah I think I get what you’re saying - we didn’t do that as much in this video/script, but if you check out my RollerCoaster Tycoon videos, those scripts do exactly that - take patches and apply them to a copy of the original EXE while leaving the original intact. This one just happened to be more focused on the DLL injection. Thanks for the feedback and for watching!
So I took on my first reverse engineering project to reverse a bootloader. I'm proud to say I'm very successful in my project! It's shockingly fun too haha
58:40 The '&' in the strings is probably an accelerator key marker. Those are the underlined letters in the menu, for example 'F' for File, 'E' for Edit, ...
Yep - I marked it in the pinned comment as well, but as others have said - it actually designates which character in the string will be used for keyboard shortcuts/access keys (which are the same ones that are underlined)! Which made a ton of sense in retrospect. Thanks for watching!
You make great Ghidra tuts. 45:50 this exception you get when patching in Ghidra, I think, is because you are overwriting with a longer string and the data is static, thus constant space, and what you did with the hex editor basically fixed your mistake.
Thanks so much! And yes, I think you’re right - You would think Ghidra could detect that and print an error to let you know the same, but idk - maybe it’s a more difficult problem to account for than I think. Thanks for watching!
@@b213videoz No, you don't want that 😉😂 There are much better Swedish teachers, I’ll just stick to my machine languages thanks 😆 Thanks for watching as always!
Thank you! I'm learning a lot. I wanted to ask, how are the function addresses in Ghidra and in x32dbg the same? Are the addresses predefined at build time?
This can depend on if your system has ASLR enabled and a few other factors - Most executables have a preferred base address, which is what Ghidra goes off of, and - if ASLR is not enabled - x32dbg will also load the PE at that preferred address. And that base address can indeed be set at compile time, but it may not be respected by the OS (that’s why it’s called “preferred”). Hope that helps!
1:59:40 Teacher, here how did you know that you had to perform *OR*? I was just adding the hexadecimal bytes. I didn't even get the hint that I needed to perform *OR*. What's the reason for that here? Please clear this up sir, or I won't sleep peacefully tonight.
2:01:31 Yeah, last night it actually did throw me off. I like to translate asm to cpp code. So I remember, I actually found that the asm code includes a structure; I successfully managed to get the fields: int, int and char. What threw me off was that the structure was allocated 12 bytes. So I was confused for maybe 10-15 min again translating the asm code to see if I did wrong. But in the end, I vaguely predicted that it may be compiler optimization to insert padding bytes, because I read somewhere that our machines prefer even alignment. You might have also seen some weird nops sometimes; well, they are just for padding to have the program aligned in multiples of 8. The stack is also 16-byte aligned.
2:16:34 I thought we were going for code caves, but anyway, DLL hijacking is simple and cool.
Fantastic question! You are the first to ask, but I should have elaborated as those who are new to programming may not know about this concept: bit flags. You can read more here: docs.revenera.com/installshield27helplib/helplibrary/BitFlags.htm
But in short, it’s a very common practice in programming to use bit flags, which usually use one byte to hold multiple potential values of a flag by combining values using a bitwise OR operation - using OR ensures we can combine one or more flags without overwriting a previous flag - in other words, the addition of a new flag will never create an ambiguous flag value when combined with an existing flag value, which could happen if you just added them together with addition - e.g. if you have flags 1, 2, and 3 and try to combine 1 and 2, they’ll add up to 3, and so your program will think you’re actually specifying flag 3, not flags 1 and 2 combined. Hope that makes sense and thanks for the great question!
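Added example (not from the video or its pinned comment): the reply's point in C, with constructed MODE_* names standing in for whatever the game's real option bits are. set_flag() is the OR the disassembly shows; add_flag_naive() shows how adding an already-set flag spills into a neighbouring flag, and sequential_values_collide() is the 1 + 2 == 3 case from the reply.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flag values for a Solitaire-style options byte. The names are
 * constructed for this example, not the game's real constants. Each flag
 * occupies its own bit, which is what makes OR safe for combining them. */
enum {
    MODE_STANDARD = 1 << 0, /* 0x01 */
    MODE_VEGAS    = 1 << 1, /* 0x02 */
    MODE_TIMED    = 1 << 2, /* 0x04 */
    MODE_DRAW3    = 1 << 3  /* 0x08 */
};

/* Sequential "flags" like the reply's 1, 2, 3 example: not bit flags at all. */
enum { SEQ_ONE = 1, SEQ_TWO = 2, SEQ_THREE = 3 };

/* True when every bit of `flag` is set in `value`. */
static int has_flag(uint8_t value, uint8_t flag)
{
    return (value & flag) == flag;
}

/* The idiom seen in the disassembly: OR the new flag in. Setting a flag that
 * is already present changes nothing, so the result is never ambiguous. */
static uint8_t set_flag(uint8_t value, uint8_t flag)
{
    return (uint8_t)(value | flag);
}

/* What happens if a program used ADD instead: a flag that is already set
 * carries into the next bit and turns into a different flag. */
static uint8_t add_flag_naive(uint8_t value, uint8_t flag)
{
    return (uint8_t)(value + flag);
}

/* 1 | 2 == 3: with sequential values, "one and two" collides with "three". */
static int sequential_values_collide(void)
{
    return (SEQ_ONE | SEQ_TWO) == SEQ_THREE;
}

/* Decode a flag byte into "NAME|NAME" the way a reverser annotates it;
 * returns the number of recognised flags. */
static size_t describe_flags(uint8_t value, char *out, size_t out_len)
{
    static const struct { uint8_t bit; const char *name; } table[] = {
        { MODE_STANDARD, "STANDARD" }, { MODE_VEGAS, "VEGAS" },
        { MODE_TIMED, "TIMED" },       { MODE_DRAW3, "DRAW3" },
    };
    size_t count = 0, used = 0;
    if (out_len == 0) return 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (!has_flag(value, table[i].bit)) continue;
        int n = snprintf(out + used, out_len - used, "%s%s",
                         count ? "|" : "", table[i].name);
        if (n < 0 || (size_t)n >= out_len - used) break;
        used += (size_t)n;
        count++;
    }
    return count;
}

int main(void)
{
    char buf[64];
    uint8_t opts = set_flag(MODE_STANDARD, MODE_VEGAS);   /* 0x03 */
    describe_flags(opts, buf, sizeof buf);
    printf("OR:        0x%02x = %s\n", opts, buf);

    uint8_t twice_or  = set_flag(opts, MODE_VEGAS);       /* still 0x03 */
    uint8_t twice_add = add_flag_naive(opts, MODE_VEGAS); /* 0x05: reads as TIMED */
    describe_flags(twice_or, buf, sizeof buf);
    printf("OR again:  0x%02x = %s\n", twice_or, buf);
    describe_flags(twice_add, buf, sizeof buf);
    printf("ADD again: 0x%02x = %s\n", twice_add, buf);
    printf("1|2 == 3 with sequential values? %d\n", sequential_values_collide());
    return 0;
}
```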
great video. I've decided to watch other videos (like this one) of yours after finishing the x86 assembly class you recently uploaded. I have one question though, why do you use PascalCase for variables and function names?
@@jeFF0Falltrades I'm talking about the labels you assign to local variables and parameters of functions in ghidra. For example, you set the variable of the score mode, to "ScoreMode" (PascalCase), instead of "scoreMode" (camelCase) or "score_mode" (snake_case)
@@Proferk Ahhh I see. TBH, I have no idea hahaha. I didn’t even realize I was using a different style in Ghidra vs VS Code until you pointed it out. I probably started doing it to differentiate my named variables vs Ghidra’s or something and it just stuck. Usually I prefer snake case for vars and functions and PascalCase for class names. Good spot haha
If I understand correctly, you’re trying to export a PE from the original sol.exe? If that’s the case, then “original file” is what you want, since sol.exe should also be a PE.
Very good video. I love it. But unfortunately the internet archive doesn´t work right now and I don´t think it will ever get online again. Do you know another source such as the internet archive?
@@DeineRöhre-s6j Thank you so much! And if it’s any consolation, Internet Archive will be back up soon - They actually suffered a cyber breach recently and are recovering from it still, so they had to take down a lot of the links for now. There are several sites on Google that claim to have the original XP solitaire, but I cannot vouch for them as legitimate - If you don’t want to wait for the archive to come back up, I’d look around Reddit or some forums where you can get real human feedback on links, and if you do find a file you’re unsure of, upload it to VirusTotal and check out the scores. I unfortunately don’t have access to my versions anymore either :-( Thanks so much for watching, though, and if you do find a good link, please feel free to share and I’ll pin it!
@@jeFF0Falltrades Sorry, I got excited because I was able to contribute something I knew that you didn't... not very common when you're watching something like a training video. I was already familiar with reversing and cracking generically, but I enjoyed watching your specific breakdown vis-à-vis Solitaire and I definitely don't know everything, so there's always something to be learned by observing others. Thanks for the content.
The & symbol you are asking about in "st&andard" means that the next letter in this case a will be underlined and if you press a on your keyboard it will select that item. So it provides a quick way to navigate the menu with the keyboard. Although I see it doesn't seem to underline on your end. That said pressing a inside that menu should still work but it could be broken. Select vegas first so the submenu is active, it only works within an active menu so this isn't global. You don't seem to use windows very often which is a good thing I suppose, to refresh the registry or any window for that matter just press F5. 😉
Really enjoying this course. I’m trying to apply it to an old application (Delta Force 2 Mission Editor), and I started very similarly with trying to patch a string in the About dialog. However, I hit a weird roadblock where I would change the string and export the program, but the text in the application didn’t change. I later found that the app actually uses text from a text.bin file, so I can change the text there and see the result in the app. I’m curious why the text shows up in a Ghidra search of the .exe file if it’s read in from an external file at runtime. Is that a pattern you’re familiar with?
Nice job! As far as the text, when you search it in Ghidra, where exactly is it showing - i.e. what section is it showing in? Knowing that can help shed some light on what exactly is going on.
In the case I’m talking about in the video, it was a course taught by an adjunct professor at the university I went to, but these days, I know of several university computer science departments who now offer reverse engineering courses (at least in the US) - a friend of mine has his own course lectures on the topic online for free at class.malware.re if you’re interested !
You can RE just about anything! But it probably wouldn’t gain much in the way of winnings or anything but knowledge of how the machine works. Would be really fun to do - most modern ones work similarly and are pretty much just based in stats and probability.
@@jeFF0Falltrades I was thinking about the Russian hacker dude who did it on older-ish machines, still PRNG. Had his phone buzz before payouts after filming twenty or so spins. As well as this video ua-cam.com/video/JyIWQIdxaOA/v-deo.htmlsi=9Apc9MAR9z_NgSL8 that machines have to leave the factory paying out an exact amount and that the seed is constantly changing every second, but somehow someone figured out when and programmed it into a phone. It just interested me if I could figure out when it hits positive payouts or a minigame, but not further. I'm not smart enough to understand the PRNGs yet though.
The game state is only tracked per game, so you could potentially predict the result of the game for the *current* game based on moves (some games of Solitaire actually do this and end the game when it is unwinnable), but I do not think you could do any prediction based on past games’ results in this case.
Hey, how do you make it so that when sol.exe is dragged onto x32dbg it opens the actual game window? On my side nothing happens. The process itself (the solitaire game) exists within x32dbg's process but there is no window for it.
Hey! Make sure that your debugger is not stopping on a breakpoint (check the bottom-left corner of the debugger which will say “Paused”). If it is Paused, hit the “Run” button or press F9 to get the program to proceed; That should pop up the game window and let the program proceed, assuming there are no other breakpoints or exceptions taking place (the debugger will let you know in the bottom-left and bottom pane if there are any breakpoints or exceptions). Hope this helps, and if not, let me know so we can troubleshoot further
Nice video! I wonder why the proxied DLL (@2:40:!3) suddenly gets that big, from merely 352kb to a whopping 2.3 MB. Is there anything we can do to keep it small or is it just an inevitable proxy side effect?
Keep in mind the cards.dll file that was 352kb was the original one (that was packaged with solitaire) so there are a number of reasons it could have been that much smaller (e.g. it was made for compatibility with a far older OS and so used much more memory efficient code/compilation flags) - we could work at reducing the size of our proxied DLL by toying with a few efficiency flags in gcc or using a packer to have it “blend in” a bit better - good spot and good question!
@@jamesbossingham9694 Interesting concept! Something like that comes down to how alike the underpinnings of the games are: Do they use the same engine? If not, this becomes significantly more challenging unless you translate code/assets from one engine to the other manually. This is essentially the same as borrowing “concepts” from one game, and reimplementing those concepts yourself in a different engine (like when people remake classic Nintendo games in Unreal Engine). If the games use the same engine, on the other hand, you’d still have a significant challenge in reverse engineering the parts of the game you want to cut/paste over to another game unless you have access to the source code of the game. Hopefully that helps shine some light on this interesting concept!
@jeFF0Falltrades ok so let me make sure I'm reading correctly: I would have to copy all the game code, paste it into a game engine like Unity, and then copy and paste the code from the other game I want.
@ Simplified - yes. The problem becomes:
* Most game code is not openly accessible and would have to be reverse engineered to understand (though there are some open-source versions of games published online)
* You’d have to check the applicable terms and conditions attached to both games to sort out the legality of reversing the games (usually, if you’re not selling any part of the result, and simply using it for education, you should be okay but IANAL :-))
I don't know English very well and I spent a lot of time learning these and I'm tired. Thank you very much for your video, very nice video :} but can you briefly hack a simple game as a tutorial? I really need this. 1:37:56 - How did you find the timer in this part? I couldn't find it if it were me and I want to learn about it, but unfortunately I couldn't understand it.
@@TuoiLevan-n4i The initial learning curve is tough, but I promise it’s not insurmountable :-) It just takes practice and willingness to keep trying and seeking answers, even if you get stuck.
Same I did as the other bytes in that section! Just put 00 in for their values as opposed to any other value, and you have a null byte. If you have questions on how to modify the bytes in general or if I can explain better, let me know! EDIT: And to be clear, I added the extra null bytes to make the string size the same as it was before we modified it, to ensure the modification wouldn’t cause issues elsewhere.
@@gabrielJustGabe Hm, one thing to watch out for is what text encoding is being used - in the video, this is a Unicode string, so each character is 2 bytes - so in order to make a null char, both bytes need to be 0 (so 00 00 is one null char, in other words). Not sure if you are looking at the same program or a different one, but that is the first place I would check. If that isn’t it, let me know and we can chat more.
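Added example, not code from the video: a small C routine that patches a UTF-16LE string slot in place the way the replies above describe, keeping the slot's size by padding with 00 00 pairs and refusing a replacement that would not fit (the situation behind the patcher error at 45:50). The ORIGINAL_SLOT bytes are constructed to mimic L"Standard", not dumped from sol.exe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the string slot in the binary: L"Standard" stored
 * as UTF-16LE, 8 characters plus a two-byte terminator = 18 bytes.
 * Explicit uint8_t/uint16_t are used because wchar_t is 4 bytes on Linux
 * but 2 bytes on Windows, and the bytes in the file are what matter. */
#define SLOT_LEN 18
static const uint8_t ORIGINAL_SLOT[SLOT_LEN] = {
    'S',0, 't',0, 'a',0, 'n',0, 'd',0, 'a',0, 'r',0, 'd',0, 0,0
};

/* Count UTF-16 code units up to the 00 00 terminator. A lone 0x00 byte
 * (the high byte of every ASCII character here) is NOT a terminator,
 * which is why a byte-oriented strlen() on this buffer reports 1. */
static size_t utf16_units(const uint8_t *buf, size_t buf_len)
{
    size_t n = 0;
    while ((n + 1) * 2 <= buf_len) {
        uint16_t unit = (uint16_t)(buf[2 * n] | (buf[2 * n + 1] << 8));
        if (unit == 0) break;
        n++;
    }
    return n;
}

/* Overwrite the slot with an ASCII replacement widened to UTF-16LE and pad
 * the remainder with 00 00 pairs so the slot keeps its exact size.
 * Returns 0 on success, -1 (slot untouched) if the replacement plus its
 * terminator would not fit in the slot. */
static int patch_utf16_slot(uint8_t *slot, size_t slot_len, const char *ascii)
{
    size_t chars = strlen(ascii);
    if ((chars + 1) * 2 > slot_len) return -1;  /* longer string: refuse */
    memset(slot, 0, slot_len);                  /* all padding is 00 00 pairs */
    for (size_t i = 0; i < chars; i++) {
        slot[2 * i]     = (uint8_t)ascii[i];    /* low byte: the character */
        slot[2 * i + 1] = 0x00;                 /* high byte: 0 for ASCII */
    }
    return 0;
}

int main(void)
{
    uint8_t slot[SLOT_LEN];
    memcpy(slot, ORIGINAL_SLOT, SLOT_LEN);
    printf("before: %zu UTF-16 chars, byte strlen() sees %zu\n",
           utf16_units(slot, SLOT_LEN), strlen((const char *)slot));
    printf("patch to \"Vegas\": %d\n", patch_utf16_slot(slot, SLOT_LEN, "Vegas"));
    printf("after:  %zu UTF-16 chars in the same %d-byte slot\n",
           utf16_units(slot, SLOT_LEN), SLOT_LEN);
    printf("patch to longer text: %d\n",
           patch_utf16_slot(slot, SLOT_LEN, "Far too long"));
    return 0;
}
```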
Heya JeFF! This tutorial is a real gem! You helped me get better at my hobby and that is modding :). I have a couple of advanced questions. I have a game injected with a DLL file by replacing the existing one - just like the way you do it in this tutorial. When the injection is loaded I want to run code that makes the code of the binary between two addresses become NOPs. I created this function:
void SetNop(const char* address, const int length) {
    char* startAddress = (char*)address; // cast away const so the bytes can be written through this pointer
    const int numNops = length;
    for (int i = 0; i < numNops; i++) {
        *(startAddress + i) = 0x90; // Set the byte to the NOP opcode
    }
}
INFO
Nice!!! One place to start to look is to see if the memory is writeable - typically it won’t be by default. You can get around this by using a function like VirtualProtect() or WriteProcessMemory() to set the permissions on the section where the code you’re trying to modify is to be writeable.
Thank you Jeff! With my newly acquired knowledge I was thinking how much can be accomplished in terms of migrating my assembly patches to the DLL injection, and I got some design questions in mind. If you have any tips regarding them it will be great. Questions:
1. In the video above you impersonate the existing DLL by bypassing it. However, the bypass requires the original DLL's 4 functions to be defined in the export file so they are still available for the binary to use. What if the original exe had 400 functions? Do you have to define them all manually or is there another approach?
2. I did notice that you can do the following types of patches quite easily with the DLL injection:
- change existing binary variables
- complete rewrite of existing binary functions
But what if there is a function that is very large in size and I want to modify just part of it? What will be the most common-sense way to approach that? Will I have to use assembly again or is there a better way to modify it in C++? What if I want to add function code? With normal assembly a jump is done to an empty space at the end of the binary where the new code resides, then after it is executed it goes back to the function. Is there a better approach with the DLL injection where the new code is kept in the DLL instead?
3. What are your thoughts on going around Windows 10 D.E.P.? As the game we mod gets more (and more complex) patches, players with D.E.P. enabled had their game crashing and even refusing to start. This behaviour is of course based on pure assembly patching with hooks. Will the DLL injection method help me go around that issue?
Maybe the questions are not defined really well. :)
I could have used WSL, but I wanted to try to account for folks who probably didn’t want to set WSL up if they hadn’t already just for the tutorial, so MSYS2 seemed like a lightweight solution for Windows users who don’t have WSL already ready to go to quickly follow the build process without configuring a bunch of options.
You didn't waste your time, it's cool for different reasons than you said; you don't sell your acting jokes very well, they're bad to begin with. I can't believe people still think rick rolling is a thing in 2023. See ya round!
Nice! I should have known to enlist another Brian in his search…a classmate of mine also saw this vid and let me know the day after it was published, too. Thanks to you both for that, so I can find him and let him know just how much he inspired me (and hope he never watches the other insanity of my videos…). Thanks for watching!
Hello, I really liked your video although I'm not experienced at all in RE, but I'm certainly willing to learn more about it! Quick question, could you reverse a game dll file? It's needed for modding a game called Duke Nukem: Manhattan Project, because it's really restricted now. The file is called "duke_base.dll". Would really appreciate it if you could help in any way.
I would be surprised if [User/System]32 has a key mask for the registry functions at all... it's bad practice to use the registry for storing non-persistent user space values like that... a better way to do this would be to use a binary encoded (most likely a .cfg or .ini) file to store the settings. That way you don't need to run it with elevated perms. Or at least it wouldn't if you don't have it installed in the system files [I think that when it came with Windows it was installed in the C:\windows\[games\] folder..] but even then I think that they could've saved to %appdata%\games\solitaire which you would have ring 3 write access to [as that is the reason for the %appdata% folder after all]..... now that I think of it IDK if fopen can resolve path envar ejections [ie the %% in "%appdata%\games\solitaire"] though I think that User32 has a function for that if it doesn't do it on the fopen call... working with system32 in general is kinda stupid because there are 2 versions of each function: an ASCII version (as denoted by the "A" postfix on the system call) and the 16 bit Unicode version (as denoted by the "W" [standing for wide because it uses WCHAR_t (aka short) as its string type] postfix on the system call)
Hi, I need help. Is there a way to change a game that wasn't made in my language (Italian)? This is a word game that of course has an English vocabulary; I just want to put in the Italian vocabulary to play in Italian. I don't care if the graphics are in English, I just want to put in Italian words... Is that possible with Ghidra? The game is Bookworm Adventures Deluxe... Please, if you don't know how to do it, PLEASE can you give me a contact of a person that can teach me how to do it.... I have been trying this for 4 years.... thanks... :(
Hi, can you please also make the font bigger for the decompiler (the one on the right side, with source code) next time :) ?
Yes I will! Sorry about that. I probably need to bump it up in the debugger as well - I was noticing I didn’t do the same adjustment in x64dbg, and it’s needed there too. Thank you for the feedback!
I think this is the video that makes me finally understand.
I like that this video is slower and explains each step plus the reasoning behind it, a lot of videos I've watched seem to just expect me to understand _why_ without explanation.
Thank you so much!
So good to hear! That’s why I started doing this series: I always had a hard time finding tutorials that took it slow and built upon concepts, so I’m at least trying to get something like that going in these.
Thanks for watching!
This is a really good introduction to reverse engineering. After other tutorials I was always feeling lost and overwhelmed. Yours has really clear explanations and walk-through of the entire process. Thank you for your work. I am excited to learn more.
So happy to hear as this is what I strive for - so glad you are enjoying it and I hope you continue to learn!
From your experience (I myself am a beginner), how would you recommend I start learning reverse engineering by myself? Should I first learn C, or assembly, or any other topics?
At 58:36 those ampersand characters are used to denote access key shortcuts. In the dialog, press the "Alt" key to reveal the access keys (underlined characters) and type "a" to switch to Standard mode.
demo: ua-cam.com/video/yu-aR3qZpMI/v-deo.html
AHHH! Thank you so much! That makes perfect sense. I’m going to add this to the pinned comment as a correction. Thank you!
Thanks, just beginning reverse engineering, hope this will be helpful. Wish me luck, guys!
@@dummydummy-o7g Wishing you all the luck in your learning journey! Keep at it!
Hey, just viewed your tutorial at work :). I think your teacher (Brian) would be proud of you. I've been struggling to learn RE for years, always kept it for later.
I can't tell you how much I appreciate that you found time for beginners like me, and explained it perfectly. Thanks! :)
That is so nice of you to say! I truly hope it was helpful and so glad you enjoyed, Patrick!
Listen to me.... After 5 months of publishing this treasure of info, and after about 10 months of learning for me.... I can say that u are walking the same road as your teacher.... God bless u both ❤❤
This channel should be my source Now
Aw thank you! That is so kind of you to say and I’m glad you’re enjoying these!
3 hours... this is a gift... thank you
Haha I’m glad you think so!
I’ve found that some people really like the long form, and some people don’t, so I try to mix it up - I like doing these longer vids because I know if I was starting over again, I would want someone to walk me through step-by-step.
So I hope you enjoy, and don’t feel like you have to tackle it all at once ;-). Thanks for watching!
@@jeFF0Falltrades Please upload more videos
@@moviezbuzz77 The ideas are there! I have a few things in the chute that I just need to find time to put together. More is coming though :-). Thanks for watching!
Yup, it's a gift, and in video format
that's what she said
Absolutely the best intro to RE'ing I've ever seen! Directly thanks to you I've been able to crack some long-forgotten niche software my Dad uses on a regular basis. Cannot let abandoned software go to waste :) Thank you so much!
Outstanding job!!! Thanks so much for the kind words, and if you enjoy learning more, I have new vid planned for release hopefully by the end of this month/beginning of next :-). Thanks for watching!
I am incredibly grateful for the good reverse engineering tutorials you create. Your detailed and slow-paced approach to teaching is really helpful. Please know that your work is highly appreciated, and I eagerly await each new tutorial. Keep up the fantastic work! Thank you!
Thank you so much and I’m so glad you enjoy!! More to come soon! Thank you for the kind words.
I loved the Rollercoaster Tycoon video! Will definitely watch this one too when I have some time :)
Thank you so much! Please take your time with it - As someone who had to watch through multiple times in post, it's best enjoyed in pieces ;-). I hope you enjoy!
Thank you so much for taking the time to put this excellent resource together. You have a fantastic teaching style and my brain feels larger :)
Thanks for taking the time to watch it! So glad you got something out of it!
1:37:39 well that's easy: all you really had to do was to set up a WRITE breakpoint on the SCORE (its address you did figure out, and that was the hard part), so the timer would decrease the SCORE and hit your breakpoint on doing so.
We need you back dude.
Great work!
Thanks a lot for sharing your knowledge.
I highly appreciate that.
Hope to be back soon! Started researching the next vid a couple of months back but work/life (and some issues with YT that have since been resolved) have gotten in the way. I’ll be back soon enough though ;-) Thanks for watching!
Very good description. Now I understand much more about assembler. Thank you very much! Very long video. I have seen the whole thing... 😀
@@hexpirator So glad you not only enjoyed, but learned from it ❤️ Thank you for taking the time to watch!
Thank you so much for your time in making this video. It's priceless!
Thanks so much for watching and so glad you enjoyed!
Hey, I'm a fourth year comp sci student and just wanted to say that I loved the series and the videos were really helpful. We used ARMv8 so I wasn't a beginner by any means, but I thought that your explanations were great and fit in well with my current knowledge base. You also really broke down the use of the tool chain well, which allowed me to experiment on my own with your crackme challenge. This actually was a great exercise because it allowed me to see where my knowledge gaps were when I was trying it on my own, and in turn I could go back and reference the video. I must admit that Ghidra has some quirks compared to watching others use IDA, but 5k for the pro version that comes with a decompiler is too much for educational exploration. Thank you so much for this.
Thanks so much for this incredible feedback! So glad to hear you enjoyed this one (I also really enjoyed making this one - it was a ton of fun), and I wish you all the best as a fellow CS grad.
Hope some of the other videos here and future videos we do will also help along, and never hesitate to ask questions if you have them.
Lastly: Very agreed on the IDA pricing and why I pretty much switched to being all in for Ghidra and (occasionally) IDA free :-)
The score_base_minus_0x30 is probably a pointer to a struct if I had to take a guess. And the score field is stored 48 bytes into the struct, hence adding 0x30.
I believe Ghidra has the ability to handle structs if you tell it that something is a struct.
Yep, that makes sense - I don’t think I had seen the auto-variable rename like that in Ghidra before, but I like it!
Thanks for that clarification and thanks for watching!
Before I start watching that video I would like to thank you for Rollercoaster Tycoon video I learned a lot Keep going bro :)
Thank you so much for sharing! I love hearing this because this is the reason I enjoy making these videos - So glad to hear the video helped and hope you enjoy this one too! Thanks for the kind words and motivation.
@@jeFF0Falltrades I appreciate that, one day YouTube will choose your videos and show them to people who are interested in reverse eng and binary analysis, and I'm sure they will be as happy as me :)
Thank you, my friend - That means a lot :-)
A useful tool for you to add to your arsenal might be Cheat Engine (A memory scanner). Can really aid in finding how various values are stored, what code they're accessed by, etc.
Great video
Thanks so much, John!
Very familiar with Cheat Engine, and I would also recommend it to anyone wanting a smooth intro to patching/RE.
I’ve thought about including it in some future videos, but I’ve had issues with YT flagging videos for any mention of it previously.
I’ll say here though: A great tool for beginners (when used for good)!
I didn't know that this was what I wanted. Entertaining. Goodish pace (I don't know what I would want different). Thanks very much. NOW MOAR DO IT NAO
Hahaha so glad you enjoyed! More to come, but probably not right now, right now - got 2 videos in the works soon though… 👀
Thanks for watching!
After building the DLL I kept getting a 0x7b error. Couldn't find out why and was slowly losing it. Pulled it into Ghidra and found out it was 64-bit. Built again with MinGW x86 and successfully got rick rolled. Finally, I was sane again.
Thank you for this wonderful course.
"Successfully got rick rolled. Finally, I was sane again" - The universe in balance once again. Haha, thanks so much for watching and so glad you enjoyed! Great troubleshooting, too.
Thanks Jeffo, I hope your Fall Trades go well!
They’d be going a lot better if stupid Diane Sweeney wasn’t taking attention away from my beautiful gourds with her glow-in-the-dark pumpkins - It’s nothing but a party trick, but people are too busy gawking over that spectacle to notice the quality of these gourds!
Thanks for the mini course I learned a lot :D
@@iorusoul It makes me so happy to hear that! I can’t wait to make some more and so glad you enjoyed!
Wow, I've just stumbled across your channel. Def needs more views, it's insanely good!
Thx for the great content:)
Thanks so much for the kind words! I’m so happy to have you here.
Hoping to push out another one here in the next month or two (if things go to plan) :-). Thanks for watching and I hope it helped you.
Your channel is awesome! Hope there will be more videos :)
You’re awesome! Thanks so much - and yes, on the tail end of a new one now, in fact. Stay tuned ;-)
This is really quality content. Thanks so much for putting it together. Subbed and looking forward to more tutorials like this!
So glad to hear you enjoyed! I look forward to making more soon! I think I already have a good subject for the next one :-)
Very high quality and interesting, thank you
Thanks so much for the kind words!
Very cool, there were a lot of good tips in there. Thanks!
So glad you enjoyed!
Hey, just throwing this out since you mentioned the confusion with the '&' inside of some of the strings. Having done development with Windows forms, which are like a complex wrapper for low-level C++ GUI development, the '&' is a symbol used by Windows for shortcut keys. I'm not sure when this feature was used the most, but you can still use it today by pressing Alt in a program, and then looking at the menu items that have a character with an underscore. The underscored characters are hints for what menu item you want, if you press the same letter as the underscored character, it will open that menu item.
Thank you! Yes a few others chimed in to explain that and I appreciate it - I hadn’t seen that syntax before, but it’s kind of a neat way to denote shortcut keys! Thanks so much and thanks for watching!
@@jeFF0Falltrades No problem. Love the videos. I actually found the usage in the strings to be a little funny as I didn't know that C++'s Windows GUI API used the same syntax for that feature. I thought it was a quirk with the C# Windows Forms, so it was entertaining to see it 😄
@@bug1083 Hahaha yeah, I’ve really had a laugh at some of the things that come out as happening “under the hood” when reversing software - Lots of “Wait…*that’s* how they made that work?” moments 😆
@@jeFF0Falltrades Yeah haha. I only recently discovered your channel, and not sure how much you dabble in languages and asm optimization, but it might be cool to see you reverse engineer code relating to some of the more lesser known assembly calls, big ones being "vmovupd", "vmaxpd", and "vzeroupper" which are robust vector calls. I'm actually curious how often those keywords appear out in the wild with modern programs today, and what exactly they do in the context they appear in. They are more complicated and require a lot of work on my part when using GCC, you have to almost directly tell the compiler to use them when optimizing sometimes, so it's be interesting to see.
@@bug1083 That’s a good idea! I’ll have to see what kind of programs I can find (or make) that would be good for something like that.
Hey ! Thanks for the video, I think the ampersand is for keyboard shortcut
Yes! I saw another comment about this and you are correct; I made an edit to the pinned comment to reflect this. That makes perfect sense in hindsight. Thanks for watching!
Really impressive! Thanks for this HUGE info. I'm/was looking for info to reverse engineer an old Fortran program of 140kb. Those programs might help a lot.
That’s awesome! Would love to hear how you make out with that Fortran program - that sounds like fun
Thanks a lot!
This is a very clear and easy-to-understand explanation.
Are there any x32debugger alternatives for Mac?
So glad you enjoyed!
Debugging software for Macs is tricky - I think the only GUI debugger that works on Mac and comes close to x64dbg is gdbgui. Others may have different options, but that’s the one I’ve seen used most often.
This is a really great video, but near the end I thought you were going to do something like an exe that, if you launch it, applies the patches to the game but doesn't make permanent changes to the original exe. I don't know if you already have a video on your channel, but it would be great for modding.
Yeah I think I get what you’re saying - we didn’t do that as much in this video/script, but if you check out my RollerCoaster Tycoon videos, those scripts do exactly that - take patches and apply them to a copy of the original EXE while leaving the original intact. This one just happened to be more focused on the DLL injection. Thanks for the feedback and for watching!
Thanks for the video, I really enjoyed it!!
So glad to hear, Hans!
Great Video on Reverse Engineering
Thank you! So glad you enjoyed!
So I took on my first reverse engineering project to reverse a bootloader. I'm proud to say I'm very successful in my project! It's shockingly fun too haha
That’s awesome!!! Many wouldn’t think it, but RE can be a blast under the right circumstances. Thanks for watching!
58:40 The '&' in the strings are probably accelerator key markers. Those are the underlined letters in the menu, for example 'F' for File, 'E' for Edit,...
Thanks! Someone else also pointed this out and I’ve added a note in the pinned comment - nice spot.
Nice content, thank you for sharing
Thank you for watching!
The ampersand may mark the next character to be underlined when text is printed
Yep - I marked it in the pinned comment as well, but as others have said - it actually designates which character in the string will be used for keyboard shortcuts/access keys (which are the same ones that are underlined)! Which made a ton of sense in retrospect.
Thanks for watching!
You cannot import as PE, and export as PE. You have to import as RAW, then export as PE. At least in my case I had no PE option when exporting.
You make great ghidra tuts
45:50 this exception you get when patching in Ghidra, I think, is because you are overwriting with a longer string and the data is static, thus constant space, and what you did with the hex editor basically fixed your mistake.
Thanks so much! And yes, I think you’re right - You would think Ghidra could detect that and print an error to let you know the same, but idk - maybe it’s a more difficult problem to account for than I think.
Thanks for watching!
I wonder if you have Svenska classes, Jeff.
The way you explain I might even get it 😊
@@b213videoz No, you don't want that 😉😂 There are much better Swedish teachers, I’ll just stick to my machine languages thanks 😆
Thanks for watching as always!
58:30 -ish the ampersand (&) is used to tell the window system that it should listen for that key as a shortcut for the menu option
Correct - I edited my pinned comment to reflect this as others have pointed it out, and that makes perfect sense. Thank you!
Thank you! I'm learning a lot.
I wanted to ask, how are the function addresses in Ghidra and in x32dbg the same?
Are the addresses predefined at build time?
This can depend on if your system has ASLR enabled and a few other factors - Most executables have a preferred base address, which is what Ghidra goes off of, and - if ASLR is not enabled - x32dbg will also load the PE at that preferred address. And that base address can indeed be set at compile time, but it may not be respected by the OS (that’s why it’s called “preferred”). Hope that helps!
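As an added illustration of the reply above (my code, not the video author's), the following Python reads the preferred ImageBase and the ASLR opt-in bit (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) straight out of a PE's optional header, and translates an address taken from Ghidra (which assumes the preferred base) to the base the debugger actually reports. The header bytes it parses are constructed inline for the demo and are not taken from sol.exe.

```python
import struct

# Field offsets and constants from the PE/COFF specification.
E_LFANEW_OFFSET = 0x3C                          # DOS header: file offset of "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated (ASLR)


def parse_pe_base_info(image: bytes) -> dict:
    """Return bitness, preferred ImageBase and whether the PE opts in to ASLR."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")

    opt = e_lfanew + 4 + 20          # skip the signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        bits, image_base = 32, struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        bits, image_base = 64, struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at +70 in both the PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    return {
        "bits": bits,
        "image_base": image_base,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def rebase(static_addr: int, preferred_base: int, actual_base: int) -> int:
    """Map an address from Ghidra's view (preferred base) to where the debugger loaded it."""
    if static_addr < preferred_base:
        raise ValueError("address is below the image base")
    return static_addr - preferred_base + actual_base


def build_sample_pe32_header(image_base: int, dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header (DOS stub + signature + COFF + optional header)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, len(dos))
    # COFF: Machine=i386, 1 section, timestamp, symtab ptr, nsyms,
    #       SizeOfOptionalHeader=0xE0, Characteristics (executable, 32-bit)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    no_aslr = build_sample_pe32_header(0x01000000, 0x0000)
    print(parse_pe_base_info(no_aslr))    # aslr False: Ghidra and x32dbg will agree
    with_aslr = build_sample_pe32_header(0x00400000, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    print(parse_pe_base_info(with_aslr))  # aslr True: the loader may pick another base
    # If the debugger shows the module at 0x00AB0000, translate a Ghidra address:
    print(hex(rebase(0x00401234, 0x00400000, 0x00AB0000)))
```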
1:59:40 Teacher, here how did you know that you had to perform *OR*? I was just adding the hexadecimal bytes. I didn't even get the hint that I needed to perform *OR*. What's the reason for that here? Please clear this up sir, or I won't sleep peacefully tonight.
2:01:31 yeah, last night it actually did throw me off. I like to translate asm to cpp code. So I remember, I actually found that the asm code includes a structure, and I successfully managed to get the fields: int, int and char. What threw me off was that the structure was allocated 12 bytes. So I was confused for maybe 10-15 min, again translating the asm code to see if I did wrong. But in the end, I vaguely predicted that it may be compiler optimization to insert padding bytes, cause I read somewhere that our machines prefer even alignment. You might have also seen some weird nops sometimes; well, they are just for padding to have the program aligned in multiples of 8. The stack is also 16 bytes aligned.
2:16:34 I thought we were going for code caves, but anyways, DLL hijacking, simple and cool.
Fantastic question! You are the first to ask, but I should have elaborated as those who are new to programming may not know about this concept: Bit Flags
You can read more here: docs.revenera.com/installshield27helplib/helplibrary/BitFlags.htm
But in short, it’s a very common practice in programming is to use bit flags, which usually use one byte to hold multiple potential values of a flag by combining values using a bitwise OR operation - using OR ensures we can combine one or more flags without overwriting a previous flag - in other words, the addition of a new flag will never create an ambiguous flag value when combined with an existing flag value, which could happen if you just added them together with addition - e.g. if you have flags 1, 2, and 3 and try to combine 1 and 2, they’ll add up to 3, and so your program will think you’re actually specifying flag 3, not flags 1 and 2 combined.
Hope that makes sense and thanks for the great question!
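An added Python illustration of the bit-flag idea in the reply above (my code, not from the video). The option names are hypothetical stand-ins and the bit values are not taken from the game; each flag occupies its own bit (a power of two), which is what lets OR combine flags safely and AND tests pull them apart again, while plain addition goes wrong as soon as a flag is added twice.

```python
# Hypothetical option flags, each a distinct power of two (one bit per option).
FLAG_STANDARD = 0x01
FLAG_VEGAS = 0x02
FLAG_TIMED = 0x04
FLAG_KEEP_SCORE = 0x08
FLAG_NAMES = {
    FLAG_STANDARD: "STANDARD",
    FLAG_VEGAS: "VEGAS",
    FLAG_TIMED: "TIMED",
    FLAG_KEEP_SCORE: "KEEP_SCORE",
}


def combine_with_or(*flags: int) -> int:
    """The idiomatic way: OR is idempotent, so repeating a flag changes nothing."""
    state = 0
    for flag in flags:
        state |= flag
    return state


def combine_with_add(*flags: int) -> int:
    """The tempting but wrong way: adding an already-set flag carries into the next bit."""
    return sum(flags)


def has_flag(state: int, flag: int) -> bool:
    """Test one option with AND, regardless of what else is set."""
    return state & flag == flag


def decode(state: int) -> list:
    """Name every option bit set in `state`, the way you'd annotate a value seen in a debugger."""
    return [name for bit, name in FLAG_NAMES.items() if state & bit]


if __name__ == "__main__":
    ok = combine_with_or(FLAG_VEGAS, FLAG_TIMED, FLAG_TIMED)    # 0x06: TIMED counted once
    bad = combine_with_add(FLAG_VEGAS, FLAG_TIMED, FLAG_TIMED)  # 0x0A: TIMED turned into KEEP_SCORE
    print(hex(ok), decode(ok))
    print(hex(bad), decode(bad))
```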
great video. I've decided to watch other videos (like this one) of yours after finishing the x86 assembly class you recently uploaded.
I have one question though, why do you use PascalCase for variables and function names?
Thank you! And to your question - Where do you mean? Because I usually use snake case for functions and variables when writing my own stuff?
@@jeFF0Falltrades I'm talking about the labels you assign to local variables and parameters of functions in ghidra. For example, you set the variable of the score mode, to "ScoreMode" (PascalCase), instead of "scoreMode" (camelCase) or "score_mode" (snake_case)
@@Proferk Ahhh I see. TBH, I have no idea hahaha. I didn’t even realize I was using a different style in Ghidra vs VS Code until you pointed it out. I probably started doing it to differentiate my named variables vs Ghidra’s or something and it just stuck. Usually I prefer snake case for vars and functions and PascalCase for class names. Good spot haha
Why does my Ghidra export sol.exe not have PE in the format selection box when I try to export sol.exe? I have "original file."
If I understand correctly, you’re trying to export a PE from the original sol.exe?
If that’s the case, then “original file” is what you want, since sol.exe should also be a PE.
Very good video. I love it. But unfortunately the Internet Archive doesn't work right now and I don't think it will ever get online again. Do you know another source such as the Internet Archive?
@@DeineRöhre-s6j Thank you so much!
And if it’s any consolation, Internet Archive will be back up soon - They actually suffered a cyber breach recently and are recovering from it still, so they had to take down a lot of the links for now.
There are several sites on Google that claim to have the original XP solitaire, but I cannot vouch for them as legitimate - If you don’t want to wait for the archive to come back up, I’d look around Reddit or some forums where you can get real human feedback on links, and if you do find a file you’re unsure of, upload it to VirusTotal and check out the scores.
I unfortunately don’t have access to my versions anymore either :-(
Thanks so much for watching, though, and if you do find a good link, please feel free to share and I’ll pin it!
You're a really good teacher
Thank you, and thank you for watching!
great job keep going
Thanks for the kind words!
& is used to denote the shortcut key in Windows menus. It converts to an underlined character when displayed.
Yep, exactly - others have pointed out the same, so I updated the pinned comment to denote this. Thanks, and thanks for watching!
@@jeFF0Falltrades Sorry, I got excited because I was able to contribute something I knew that you didn't... not very common when you're watching something like a training video. I was already familiar with reversing and cracking generically, but I enjoyed watching your specific breakdown vis-à-vis Solitaire and I definitely don't know everything, so there's always something to be learned by observing others. Thanks for the content.
@@Salsuero Not a problem at all! You should be excited 😃 Thanks for sharing that knowledge forward!
The & symbol you are asking about in "st&andard" means that the next letter, in this case a, will be underlined, and if you press a on your keyboard it will select that item. So it provides a quick way to navigate the menu with the keyboard. Although I see it doesn't seem to underline on your end. That said, pressing a inside that menu should still work, but it could be broken. Select Vegas first so the submenu is active; it only works within an active menu, so this isn't global. You don't seem to use Windows very often, which is a good thing I suppose; to refresh the registry or any window for that matter, just press F5. 😉
Thanks! Others have mentioned that and I updated the pinned comment with the correction - makes perfect sense in retrospect!
Hermit status ftw!
What VS Code theme do you use? I really like the bloom effect going on
That would be Robb Owen’s “Synthwave ‘84”! And I don’t know if I’ll ever be able to switch from it because I love it so much.
@@jeFF0Falltrades Thanks! I'll look it up
Really enjoying this course. I’m trying to apply it to an old application (Delta Force 2 Mission Editor), and I started very similarly with trying to patch a string in the About dialog. However, I hit a weird roadblock where I would change the string and export the program, but the text in the application didn’t change.
I later found that the app actually uses text from a text.bin file, so I can change the text there and see the result in the app. I’m curious why the text shows up in a Ghidra search of the .exe file if it’s read in from an external file at runtime. Is that a pattern you’re familiar with?
Nice job!
As far as the text, when you search it in Ghidra, where exactly is it showing - i.e. what section is it showing in?
Knowing that can help shed some light on what exactly is going on.
University offers Reverse Engineering courses? Where is that? Which one? I’m interested.
In the case I’m talking about in the video, it was a course taught by an adjunct professor at the university I went to, but these days, I know of several university computer science departments who now offer reverse engineering courses (at least in the US) - a friend of mine has his own course lectures on the topic online for free at class.malware.re if you’re interested !
Best video on YT
Thank you 🙏 And thank you for watching!
1:42:02, It is being called from 6 sides, could get a little **dicey** lmao, unintended pun?
HA! How did I manage to miss this - I would have ridden the high of making that pun all throughout the rest of the video.
Can you reverse engineer a slot machine if you know how much it's programmed to pay out and know the seed is constantly changing for time of day?
You can RE just about anything! But it probably wouldn’t gain much in the way of winnings or anything but knowledge of how the machine works. Would be really fun to do - most modern ones work similarly and are pretty much just based in stats and probability.
@@jeFF0Falltrades I was thinking about the Russian hacker dude who did it on older-ish machines, still PRNG. Had his phone buzz before payouts after filming twenty or so spins. As well as this video ua-cam.com/video/JyIWQIdxaOA/v-deo.htmlsi=9Apc9MAR9z_NgSL8 that machines have to leave the factory paying out an exact amount and that the seed is constantly changing every second, but somehow someone figured out when and programmed it into a phone. It just interested me if I could figure out when it hits positive payouts or a minigame, but not further. I'm not smart enough to understand the PRNGs yet though.
Sir, can we predict the result of a game from previous results in card games?
The game state is only tracked per game, so you could potentially predict the result of the game for the *current* game based on moves (some games of Solitaire actually do this and end the game when it is unwinnable), but I do not think you could do any prediction based on past games’ results in this case.
Can you help me predict the game result?
And can you teach me how to predict the result, please?
I don't have the Portable Executable format. Could someone help me?
Did you figure it out? I'm having the same issue.
Hey, how do you get x32dbg to open the actual game window when sol.exe is dragged onto it? On my side nothing happens. The process itself (the Solitaire game) exists within x32dbg's process, but there is no window for it.
Hey! Make sure that your debugger is not stopping on a breakpoint (check the bottom-left corner of the debugger which will say “Paused”).
If it is Paused, hit the “Run” button or press F9 to get the program to proceed; That should pop up the game window and let the program proceed, assuming there are no other breakpoints or exceptions taking place (the debugger will let you know in the bottom-left and bottom pane if there are any breakpoints or exceptions).
Hope this helps, and if not, let me know so we can troubleshoot further
@@jeFF0Falltrades Thanks, it worked. But still pretty weird that I got some entry breakpoint and 1 exception.
Thanks ❤
Thanks for watching!
Nice video! I wonder why the proxied DLL (@2:40:13) suddenly gets that big, from merely 352 KB to a whopping 2.3 MB. Is there anything we can do to keep it small, or is it just an inevitable proxy side effect?
Keep in mind the cards.dll file that was 352kb was the original one (that was packaged with solitaire) so there are a number of reasons it could have been that much smaller (e.g. it was made for compatibility with a far older OS and so used much more memory efficient code/compilation flags) - we could work at reducing the size of our proxied DLL by toying with a few efficiency flags in gcc or using a packer to have it “blend in” a bit better - good spot and good question!
👏👏👏
I would like to know how to take parts of one game and add them to another game
@@jamesbossingham9694 Interesting concept! Something like that comes down to how alike the underpinnings of the games are: Do they use the same engine? If not, this becomes significantly more challenging unless you translate code/assets from one engine to the other manually. This is essentially the same as borrowing “concepts” from one game and reimplementing those concepts yourself in a different engine (like when people remake classic Nintendo games in Unreal Engine).
If the games use the same engine, on the other hand, you’d still have a significant challenge in reverse engineering the parts of the game you want to cut/paste over to another game unless you have access to the source code of the game.
Hopefully that helps shine some light on this interesting concept!
@jeFF0Falltrades ok so let me make sure I'm reading correctly: I would have to copy all the game code, paste it into a game engine like Unity, and then copy and paste the code from the other game I want.
@ Simplified - yes. The problem becomes:
* Most game code is not openly accessible and would have to be reverse engineered to understand (though there are some open-source versions of games published online)
* You’d have to check the applicable terms and conditions attached to both games to sort out the legality of reversing the games (usually, if you’re not selling any part of the result, and simply using it for education, you should be okay but IANAL :-))
@jeFF0Falltrades I'm just looking to add part of Rocksmith2014 to tone lib jam for my own use
I don't know English very well and I spent a lot of time learning these and I'm tired
Thank you very much for your video, very nice video :}
But can you briefly hack a simple game as a tutorial?
I really need this
1:37:56 - How did you find the timer in this part?
I can't find it if it were me, and I want to learn about it, but unfortunately I couldn't understand it.
It's too difficult for me to study all my life and not even know it.
@@TuoiLevan-n4i The initial learning curve is tough, but I promise it’s not insurmountable :-) It just takes practice and willingness to keep trying and seeking answers, even if you get stuck.
How did you add nullbytes in 45:46?
Same I did as the other bytes in that section! Just put 00 in for their values as opposed to any other value, and you have a null byte.
If you have questions on how to modify the bytes in general or if I can explain better, let me know!
EDIT: And to be clear, I added the extra null bytes to make the string size the same as it was before we modified it, to ensure the modification wouldn’t cause issues elsewhere.
@@jeFF0Falltrades I don't think I understood; when I try to add 00 in the byte edit window, it becomes another value in the program...
@@gabrielJustGabe Hm, one thing to watch out for is what text encoding is being used - in the video, this is a Unicode string, so each character is 2 bytes - so in order to make a null char, both bytes need to be 0 (so 00 00 is one null char, in other words).
Not sure if you are looking at the same program or a different one, but that is the first place I would check. If that isn’t it, let me know and we can chat more.
@@jeFF0Falltrades Thanks, that actually helped me to understand! I'm following along with the same software.
@@gabrielJustGabe Excellent! If you have any other questions, feel free to let me know! Hope you enjoy!
Heya JeFF! This tutorial is a real gem! You helped me get better at my hobby, and that is modding :). I have a couple of advanced questions. I have a game injected with a DLL file by replacing an existing one, just like the way you do it in this tutorial.
When the injection is loaded I want to run code that makes the code of the binary between two addresses become NOPs.
I created this function:
void SetNop(char* address, const int length) {
    // Cast to unsigned char so 0x90 is stored as-is; the original took a
    // const char*, which cannot be written through.
    unsigned char* startAddress = reinterpret_cast<unsigned char*>(address);
    const int numNops = length;
    for (int i = 0; i < numNops; i++) {
        *(startAddress + i) = 0x90; // Set the byte to the NOP opcode
    }
}
INFO
Nice!!! One place to start to look is to see if the memory is writeable - typically it won’t be by default. You can get around this by using a function like VirtualProtect() or WriteProcessMemory() to set the permissions on the section where the code you’re trying to modify is to be writeable.
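As an added example (not the commenter's or Jeff's code) of the VirtualProtect() approach mentioned in the reply above: a hypothetical SetNopProtected() that changes the page protection before writing the NOPs and restores it afterwards, with a POSIX mprotect() branch so it also compiles off Windows. The self-check uses a freshly allocated read-only page as a stand-in for a code section.

```cpp
#include <cstdint>
#include <cstring>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif
// Overwrite [address, address + length) with NOPs (0x90) after making the range
// writable: code pages are read+execute, so a plain store into them faults.
// Hypothetical helper written for this example, not the commenter's code.
bool SetNopProtected(void* address, size_t length) {
    unsigned char* p = static_cast<unsigned char*>(address);
#ifdef _WIN32
    DWORD oldProtect = 0;
    if (!VirtualProtect(p, length, PAGE_EXECUTE_READWRITE, &oldProtect))
        return false;  // e.g. range not mapped
    std::memset(p, 0x90, length);
    VirtualProtect(p, length, oldProtect, &oldProtect);  // restore original rights
    FlushInstructionCache(GetCurrentProcess(), p, length);
#else
    // POSIX equivalent: mprotect works on whole pages, so round the range out
    uintptr_t page = static_cast<uintptr_t>(sysconf(_SC_PAGESIZE));
    uintptr_t start = reinterpret_cast<uintptr_t>(p) & ~(page - 1);
    uintptr_t end = (reinterpret_cast<uintptr_t>(p) + length + page - 1) & ~(page - 1);
    void* base = reinterpret_cast<void*>(start);
    if (mprotect(base, end - start, PROT_READ | PROT_WRITE) != 0) return false;
    std::memset(p, 0x90, length);
    mprotect(base, end - start, PROT_READ | PROT_EXEC);  // back to code-page rights
#endif
    return true;
}

// Self-check: a read-only page stands in for a game's code section; NOP 16 bytes
// in the middle of it and confirm they changed (a direct write would have crashed).
bool DemoPatchReadOnlyPage() {
#ifdef _WIN32
    void* pg = VirtualAlloc(nullptr, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READONLY);
#else
    void* pg = mmap(nullptr, 4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (pg == MAP_FAILED) pg = nullptr;
#endif
    if (!pg) return false;
    bool ok = SetNopProtected(static_cast<unsigned char*>(pg) + 100, 16);
    for (size_t i = 0; ok && i < 16; i++) ok = (static_cast<unsigned char*>(pg)[100 + i] == 0x90);
#ifdef _WIN32
    VirtualFree(pg, 0, MEM_RELEASE);
#else
    munmap(pg, 4096);
#endif
    return ok;
}
```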
@@jeFF0Falltrades It took many hours, sweat and blood... but I did it. Thank you so much! :)
@@jordankostov7581 Congratulations on persisting! You should be proud!
Thank you Jeff!
With my newly acquired knowledge I was thinking how much can be accomplished in terms of migrating my assembly patches to the DLL injection, and I got some design questions in mind. If you have any tips regarding them, it will be great.
Questions:
1. In the video above you impersonate the existing DLL by bypassing it. However, the bypass requires the original DLL's 4 functions to be defined in the export file so they are still available for the binary to use.
What if the original exe had 400 functions? Do you have to define them all manually, or is there another approach?
2. I did notice that you can do the following types of patches quite easily with DLL injection:
- change existing binary variables
- complete rewrite of existing binary functions
But what if there is a function that is very large in size and I want to modify just part of it? What will be the most common-sense way to approach that? Will I have to use assembly again, or is there a better way to modify it in C++?
What if I want to add function code? With normal assembly a jump is done to an empty space at the end of the binary where the new code resides, then after it is executed it goes back to the function. Is there a better approach with DLL injection where the new code is kept in the DLL instead?
3. What are your thoughts on going around Windows 10 D.E.P.? As the game we mod gets more (and more complex) patches, players with D.E.P. enabled had their game crashing and even refusing to start. This behaviour is of course based on pure assembly patching with hooks. Will the DLL injection method help me go around that issue?
Maybe the questions are not defined really well. :)
the god is back
Nic Cage never left us ❤️
Sorry, but why did you use MSYS2 instead of WSL?
I could have used WSL, but I wanted to try to account for folks who probably didn’t want to set WSL up if they hadn’t already just for the tutorial, so MSYS2 seemed like a lightweight solution for Windows users who don’t have WSL already ready to go to quickly follow the build process without configuring a bunch of options.
Show the intro to professor true brian
You didn't waste your time, it's cool for different reasons than you said; you don't sell your acting jokes very well, they're bad to begin with. I can't believe people still think rick rolling is a thing in 2023. See ya round!
You didn't patch out the -100 after explaining that it was hard-coded.
At which timestamp?
@@jeFF0Falltrades 1:49:32
I spent 30 seconds searching: Brian Deep
Nice! I should have known to enlist another Brian in his search…a classmate of mine also saw this vid and let me know the day after it was published, too. Thanks to you both for that, so I can find him and let him know just how much he inspired me (and hope he never watches the other insanity of my videos…).
Thanks for watching!
Hello, I really liked your video although I'm not experienced at all in RE, but I'm certainly willing to learn more about it!
Quick question, could you reverse a game dll file? It's needed for modding a game called Duke Nukem: Manhattan Project, because it's really restricted now. The file is called "duke_base.dll". Would really appreciate it if you could help in any way.
I would be surprised if [User/System]32 has a key mask for the registry functions at all... It's bad practice to use the registry for storing non-persistent user space values like that... A better way to do this would be to use a binary encoded (most likely a .cfg or .ini) file to store the settings. That way you don't need to run it with elevated perms. Or at least it wouldn't if you don't have it installed in the system files [I think that when it came with Windows it was installed in the C:\windows\[games\] folder..], but even then I think that they could've saved to %appdata%\games\solitaire, which you would have ring 3 write access to [as that is the reason for the %appdata% folder after all]..... Now that I think of it, IDK if fopen can resolve path envar injections [i.e. the %% in "%appdata%\games\solitaire"], though I think that User32 has a function for that if it doesn't do it on the fopen call... Working with system32 in general is kinda stupid because there are 2 versions of each function: an ASCII version (as denoted by the "A" postfix on the system call) and the 16-bit Unicode version (as denoted by the "W" [standing for wide, because it uses WCHAR_t (aka short) as its string type] postfix on the system call).
Thanks for the video, but the XP solitaire source code is in the leaked XP sources available from the internet.
I'm not promoting it, but just telling the fact.
Hiii, I need help. Is there a way to change a game that hasn't been made in my language (Italian)? This is a word game that has of course an English vocabulary; I just want to put in the Italian vocabulary to play in Italian. I don't care if the graphics are in English, I just want to put in Italian words... Is that possible with Ghidra? The game is Bookworm Adventures Deluxe... Please, if you don't know how to do it, PLS can you give me a contact of a person that can teach me how to do it.... I have been trying this for 4 years.... thanks...
:(