Reverse Engineering for Beginners


CHAPTER 75. COLOR LINES GAME PRACTICAL JOKE
So let’s see whether it is possible to find the random generator and do some trick with it. IDA quickly recognizes the standard
_rand function in balltrix.exe at 0x00403DA0. IDA also shows that it is called from only one place:


.text:00402C9C sub_402C9C proc near ; CODE XREF: sub_402ACA+52
.text:00402C9C ; sub_402ACA+64 ...
.text:00402C9C
.text:00402C9C arg_0 = dword ptr 8
.text:00402C9C
.text:00402C9C push ebp
.text:00402C9D mov ebp, esp
.text:00402C9F push ebx
.text:00402CA0 push esi
.text:00402CA1 push edi
.text:00402CA2 mov eax, dword_40D430
.text:00402CA7 imul eax, dword_40D440
.text:00402CAE add eax, dword_40D5C8
.text:00402CB4 mov ecx, 32000
.text:00402CB9 cdq
.text:00402CBA idiv ecx
.text:00402CBC mov dword_40D440, edx
.text:00402CC2 call _rand
.text:00402CC7 cdq
.text:00402CC8 idiv [ebp+arg_0]
.text:00402CCB mov dword_40D430, edx
.text:00402CD1 mov eax, dword_40D430
.text:00402CD6 jmp $+5
.text:00402CDB pop edi
.text:00402CDC pop esi
.text:00402CDD pop ebx
.text:00402CDE leave
.text:00402CDF retn
.text:00402CDF sub_402C9C endp

We’ll call it “random”. Let’s not dive into this function’s code yet.

This function is called from 3 places.

Here are the first two:

.text:00402B16 mov eax, dword_40C03C ; 10 here
.text:00402B1B push eax
.text:00402B1C call random
.text:00402B21 add esp, 4
.text:00402B24 inc eax
.text:00402B25 mov [ebp+var_C], eax
.text:00402B28 mov eax, dword_40C040 ; 10 here
.text:00402B2D push eax
.text:00402B2E call random
.text:00402B33 add esp, 4

Here is the third one:

.text:00402BBB mov eax, dword_40C058 ; 5 here
.text:00402BC0 push eax
.text:00402BC1 call random
.text:00402BC6 add esp, 4
.text:00402BC9 inc eax

So the function has only one argument. 10 is passed in the first two cases and 5 in the third. We can also notice that the board has a
size of 10*10 and there are 5 possible colors. This is it! The standard rand() function returns a number in the 0..0x7FFF
range and this is often inconvenient, so many programmers implement their own random functions which return a random
number in a specified range. In our case, the range is 0..n-1 and n is passed as the sole argument of the function. We can
quickly check this in any debugger.

So let’s fix the third function call to always return zero. First, we will replace three instructions (PUSH/CALL/ADD) by NOPs.
Then we’ll add an XOR EAX, EAX instruction to clear the EAX register.

.00402BB8: 83C410 add esp,010
.00402BBB: A158C04000 mov eax,[00040C058]
.00402BC0: 31C0 xor eax,eax
.00402BC2: 90 nop
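As an added illustration (not the book's code), here is a C reconstruction of sub_402C9C as read off the listing above, next to the third call site before and after the patch. The three global names come from the disassembly; their initial values, the function names and the use of the C library rand() are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for the three globals in the listing (names from the disassembly;
   initial values are constructed, the chapter does not show how they are seeded). */
static int32_t dword_40D430 = 0;  /* last value returned by "random" */
static int32_t dword_40D440 = 1;  /* updated modulo 32000 on every call */
static int32_t dword_40D5C8 = 7;  /* added during that update */

/* Reconstruction of sub_402C9C ("random") read off the disassembly. */
int32_t game_random(int32_t n)
{
    /* IMUL/ADD wrap in 32 bits, so do the arithmetic unsigned and reinterpret. */
    uint32_t acc = (uint32_t)dword_40D430 * (uint32_t)dword_40D440
                 + (uint32_t)dword_40D5C8;
    /* CDQ; IDIV ECX (32000): the remainder in EDX is stored in dword_40D440.
       C's % truncates like IDIV. This value never feeds the result below. */
    dword_40D440 = (int32_t)acc % 32000;
    /* CALL _rand; CDQ; IDIV [ebp+arg_0]: rand() % n, i.e. 0..n-1, is stored
       and returned. n == 0 faults (#DE) in the binary and is invalid here too. */
    dword_40D430 = rand() % n;
    return dword_40D430;              /* MOV EAX, dword_40D430 */
}

/* The third call site: random(5) + 1 gives a color 1..5. */
int32_t pick_color(void) { return game_random(5) + 1; }

/* Same call site after the patch: PUSH/CALL/ADD replaced by XOR EAX,EAX and
   NOPs, so EAX is 0 and the INC EAX that follows always yields color 1. */
int32_t pick_color_patched(void) { int32_t eax = 0; return eax + 1; }

/* Returns 1 if `iters` draws of game_random(n) all lie in 0..n-1. */
int all_in_range(int32_t n, int iters)
{
    for (int i = 0; i < iters; i++) {
        int32_t v = game_random(n);
        if (v < 0 || v >= n) return 0;
    }
    return 1;
}

int main(void)
{
    printf("random(10)=%d, patched color=%d\n", game_random(10), pick_color_patched());
    return 0;
}
```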