Farcry3, Do Want!

A friend linked me to the promo video of Farcry3 this morning, and damn does it look good!

Yes, it looks like a pre-rendered video, but I am impressed nonetheless with the visual style and story hints. The shaky cam throughout the video puts me in mind of some of the scenes in Dawn of the Dead (the remake) and Cloverfield.

Hopefully it will live up to the hype, but as Farcry1 and Farcry2 have shown, Crytek have a great track record of pushing the boundaries of technology (they were one of the first software development companies to make good use of SSAO, etc.).

Anyway, the video is here:

I have preordered already :F.

Can You Crack It?


A little bird told me of an interesting looking challenge over at canyoucrackit.co.uk.

Basically, I've been looking at it and have a few leads already (go me!). Now I ask you, the readers, to get out there and crack it.

I love these kinds of competitions; canyoucrackit reminds me of the many crackmes I have worked on in the past. For those not aware of what a crackme is, it is basically a program that is designed to be reverse engineered and cracked (the hint is in the name). Some of the ones I have worked on have been extremely challenging, using virtual machines inside virtual machines to obfuscate what is actually going on.

/Start Rant

Cracking is a controversial topic in the computer world; the terms black hat, white hat and grey hat are bandied about far too much nowadays. In my opinion, it is all about the means to an end. For instance, if you legally have the right to run software on your machine, surely you should have the right to run it how and where you want. Why would you have to be on the internet to run a single player game? (I'm looking at you, Settlers 7! Australians are still having problems playing your game, and I have lost hours of game play as my internet connection drops and I am logged out without my progress being saved.)

As long as you aren't actively enabling piracy, why should you not have the right to run your software without big-brother-esque copy protection?

/End Rant

Anyway, long story short:

Show your reversing skills and crack canyoucrackit.co.uk


How to recruit in Eve Online?

Our corp is small. This suits us to some extent for small gang PvP, but we generally need to arrange roams and ops days in advance to ensure that participation is good. Currently, when we engage in PvP we use between 5 and 7 pilots (which is pretty much everyone who is active in the corp).

I want to be able to log in and have lots of people online to call for roams at the drop of a hat. So we have started recruiting…

But, recruiting in Eve (and every other MMO) is a pain in the ass. We have recruitment ads on the Forums, in game, and I have been advertising in the recruitment channel for days now, and we have picked up one (ONE!) new member. Our new member is great, nice guy, nice skills, knows what he’s doing etc, but for days of recruiting, one is not enough!

What can we do to recruit more? I have no idea :(.

Eve Small Gang PvP: Part 2

After our recent successes in FW complexes, we decided to go on another roam in our mighty Tristan and Destroyer gang. Our 3 Tristans, Catalyst and Thrasher departed from Villore towards Tama searching for targets.

 

After dodging a large pirate gate camp, consisting of 10 or so battleships, 5 Guardians and various T3 ships including Lokis, we spotted a few war targets in an otherwise empty system. After bouncing between complexes for a while, we found a Rupture and a Myrmidon that looked like they might be game for a brawl.

Not wanting to engage the Myrmidon in our smaller ships, we entered an FW complex which allowed T1 and T2 frigs and cruisers. The Tristans and Catalyst entered the plex and I sat on the warp gate with my Thrasher. After a slight delay, the Rupture landed on the acceleration gate and I punched through, hoping that the Rupture would take the bait…

He did, and as soon as his ship landed he was swamped by our gang. The Rupture sent his drones after our Catalyst, who was able to tank the low damage of 5 Warrior IIs. The Rupture started neuting my Thrasher and attempted to apply his turret and missile DPS as well, but as the Thrasher moves at 1km/s, his guns were unable to track and my Thrasher shrugged off the pitiful light missile DPS. His shields melted, followed soon after by his armour and structure. One Rupture down, no losses for us.

Rupture Kill 

After scooping loot and depositing it in station, we headed further towards Tama on the look out for new targets.

After a few totally empty systems, we found a single war target and a fellow militia member. We started to use our Directional Scanners to narrow down the war target and found him at one of the planets. After gang warping to the planet, we landed 90km away from a war target Vengeance which was engaged with a friendly Wolf. Overheating our afterburners, we zoomed towards our comrade and soon applied tackle and started to add DPS. Our Catalyst showed its worth yet again in this fight: by switching to long range ammo it started applying DPS at 30km while the rest of the gang rushed into position.

After the Vengeance exploded and was podded, we received a little smack in local. Apparently the friendly Wolf was angry that we interrupted his 1v1:

vickers> SDTOP
vickers> YOU DISHOUNERED MY 1v1
vickers> MUPET
Kellyl>MUPPETS HAVE MUCH HONOUR

Some protips for him: Don’t 1v1 at a planet :S.

Vengeance Kill

 

After scooping and depositing the loot, we resumed our journey to Tama. A hostile Dramiel was on Directional Scanner, so we headed towards a small plex to fight the Dramiel on our own terms. We didn’t have to wait long before the Dramiel dropped on top of us. After a slight mess up with initial tackle, the Dramiel closed enough for overheated scrams and webs to be applied. Once he was caught he died very quickly; we exchanged GFs in local, scooped loot and headed home.

Dramiel Kill

Another successful roam, proving once again that T1 Frigs and Destroyers are very good if you apply them correctly. Target selection is king, and Factional Warfare plexes are a great tool to help with this.

 

Stats:

Damage Done (ISK): 150mil

Damage Taken (ISK): 0mil

Loot Acquired:

Serpentis 1MN MWD

Gistii B-Type 1MN Afterburner

Various T2 modules.

 

 

Eve Online: Small Gang PVP alive and kicking

 

After a recent hiatus from Eve Online due to work being super busy, I found the time to jump onto Eve for a quick gang roam with my buddies.

 

We have recently joined the Militia in an effort to recruit more players, so we plotted our destination from Old Man Star to Tama to see if there were any targets running around.

 

Our aim in the roam was to hang around in the small FW complexes, closing any opened by the Caldari Militia and giving our younger members some much needed operational experience.

 

The gang formation we chose to employ was 2 Tristans (two of our younger members), a Catalyst (fit for medium range DPS and flown by a highly skilled pilot), and a Thrasher (me, another highly skilled DPS fit, 250 DPS from this nifty ship).

 

The roam started with a definite bang as a Sentinel EAF warped into us as we sat on an acceleration gate. He was quickly webbed and scrammed as he landed within 10km of our gang. After a few seconds his ship exploded, leaving some tasty loot.

Sentinel Killmail

An extremely pimped Sentinel, we stashed the loot in station to sell later :).

 

After the Sentinel pilot ran home in his pod, an Arazu appeared, attempting to pull us off the warp gate, but a little creative manoeuvring allowed us to escape unharmed into the small plex (blocking his entry, as only T1 Frigates and Destroyers were allowed). We continued to close the plex, keeping an eye on local for the Sentinel pilot in case he decided to come back for revenge.

 

Moving on from the first plex, we headed closer to Tama and started capturing a small Caldari plex. Just as we finished off the last wave of NPCs, 2 Dramiels entered the plex and held position 40km from us. After a slight hesitation on their part, they started to engage. My Thrasher was primaried and went down at the same moment as we took the first Dramiel out. Our Tristans did an excellent job tackling the 2nd Dramiel while our Catalyst pilot applied railgun DPS from just outside the Dramiel’s optimal (but well within his own). After a short fight, the 2nd Dramiel and both of our Tristans were down and warping from the battlefield. Unfortunately, a 3rd and 4th Dramiel had turned up at this point, but our heroic Catalyst managed to escape the field with a mighty 15% structure remaining.

Dramiel 1

Dramiel 2

After kills were posted, we admired our good work, and laughed at the Sentinel pilot (who was also flying one of the Dramiels) for losing 400 mil ISK to a gang of T1 Frigs and Destroyers.

 

Final Totals

Damage Inflicted: 540 mil

Damage Taken: 25 mil

Loot sold: 85 mil

 

Who said Destroyers were weak?

 

World of Warcraft, the death of all other MMORPGs

 

I just received an email from Codemasters informing me that LOTRO (Lord of the Rings Online) is stopping its European service of the game, and moving all of the players to the American servers.

 

First let me say that I do not play the game anymore; I played it for a few months with some real life friends before we moved on to other games. That said, if I was still playing I would be pretty mad right now. The game has been running for a good few years, but apparently does not have the population to support a European server anymore, and I blame Blizzard and World of Warcraft in particular for this.

 

World of Warcraft, as a game, is ok. It’s not great, it’s average. The one thing that it excels at, however, is being ridiculously easy. Compared to most other MMORPGs, WoW is a stroll in the park; players are flooded with shiny items and rewards from the get go, removing any sense of progress.

 

Back in the day, I played Everquest religiously. A game where rewards were few and far between – obtaining a new magical item or achieving the next level was a real achievement because it was damn difficult, and took time and effort, worlds away from WoW’s easy levelling system.

 

Perhaps it’s an outmoded view of games, but I strongly believe that a player should have to earn progress in a game; it should take skill and effort to actually be good at a game, which is why I haven’t played WoW properly since the first expansion was released (level 60 raiding in WoW actually required skill).

 

I believe that while World of Warcraft still exists, there is no point developing any other fantasy based MMORPGs, as players have become so spoiled by the constant gratification of rewards in WoW that no one will play anything that has a minute amount of difficulty… except Eve Online.

 

Admittedly, Eve is targeted at an older market. It has the harshest penalties of any MMORPG since vanilla Everquest’s corpse runs.

In Eve, if you lose your ship, you lose it. There’s no quick respawning with all of your items; you have to go out and buy a new ship, with money that you have toiled to earn. It gives meaning to the risk of PVP, true risk versus reward – kill the enemy and take his stuff, or die and lose your stuff – brilliant.

 

Using the Carrot and Stick metaphor, World of Warcraft feeds the player carrot after carrot, just by mashing buttons. Eve takes the stick and whips you into submission until you have the skill to take it and beat others with it.

 

TL;DR – Stop playing WoW, stop taking the easy road, and start giving money to developers that make games that actually challenge you.

 

Wurm Online, Java bytecode patching and arbitrary code execution

This brief tutorial will (hopefully) introduce you to a method of Java code injection. It is aimed at Wurm Online, a free Java MMORPG.

We will look at a simple example which injects code into the game’s console, allowing us to intercept the commands typed and call our own Java code.

You will need:

IDA Pro
Java Bytecode Editor
Java Decompiler
Wurm Online

First, Wurm Online is a JNLP app, so you run the JNLP file and it downloads the client, storing its graphics and sound assets in the folder you choose.
We are not interested in these files; we are interested in the game client, which gets shoved into your Java temporary directory.

The first task is to locate the jar file containing the game client.

On Windows 7, the Java client gets downloaded to somewhere in C:\Users\yourname\AppData\LocalLow\Sun\Java\Deployment\cache\

Check each of these folders until you find a file named something like 51d43a93-5922d81c that is around 1.1MB.
If you open it in your archive program of choice (a JAR is a zip archive) you will see the game client files.
You are looking for the one with wurm_banner.jpg, among other things.

Once you have found this file, have a look inside, in particular the class folder. This contains the compiled, obfuscated Java class files.

Extract the bf.class file; this is the file that contains the console-related code. Decompile it with Java Decompiler and disassemble it with IDA. Have a read.

We are interested in the huge if..elseif section at around line 190 in Java Decompiler.

If it’s not obvious, this piece of code checks the console input and calls the appropriate functions based on what is typed.

First off, we will prove that we can modify the bytecode and have the game still run. To do this, we will remove the final else of the if..elseif, which removes the message that appears when a command is not recognised.

Search for Unknown in IDA Pro, and you will land here:

getstatic java/lang/System.out Ljava/io/PrintStream;
new java/lang/StringBuilder
dup
invokespecial java/lang/StringBuilder.<init>()V
ldc "Unknown command: "
invokevirtual java/lang/StringBuilder.append(Ljava/lang/String;)Ljava/lang/StringBuilder;
aload 9
invokevirtual java/lang/StringBuilder.append(Ljava/lang/String;)Ljava/lang/StringBuilder;
invokevirtual java/lang/StringBuilder.toString()Ljava/lang/String;
invokevirtual java/io/PrintStream.println(Ljava/lang/String;)V

This is where the game prints the “Unknown command: x” to the console.

We want to go ahead and remove this.

As with x86 machine code, Java bytecode has a NOP instruction, which is a byte that tells the virtual machine to do nothing (No Operation).
In Java bytecode, NOP is 0x00 (it is 0x90 in x86 asm).

So in theory, if we replace the above code with NOPs we will remove the console print-out without breaking the rest of the program.

Let’s try it.

In IDA, highlight the first getstatic line, switch to hex view, and note the file offset (2892). Now highlight the final invokevirtual line and note the offset of its last byte (28AB).

We will NOP this section of code. Open up bf.class in a hex editor and replace each byte between the two offsets (inclusive) with 0x00. Save it, and reopen it in IDA.

If you go to the same section of code in IDA, you will now see:

nop
nop

Cool. Now we need to put the class back into the Jar container.

NOTE: entry names inside Jar files are case sensitive, but Windows file names are not, which causes problems.

To put bf.class back into the Jar file, use Java’s JAR command from a command prompt:

Make a directory called class in the temp directory where the Jar file resides and copy bf.class into it.

Now run:

jar -uf 51d43a93-5922d81c class/bf.class

Verify that the file was replaced correctly by opening the jar file in an archive tool.
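
Opening the jar in an archive tool only shows you the file list. A more reliable check, and the same one a game operator or a client integrity check would use to notice a modified client, is to hash every entry and diff against an untouched copy of the jar. The Python below is an added example for this post, not code from the post or from Wurm Online: it builds two small in-memory jars as constructed stand-ins for the original and patched client (the bytes inside are made up, only the entry names follow the layout described above) and reports which entries were modified, added or removed.

```python
import hashlib
import io
import zipfile


def make_jar(entries):
    """Build an in-memory jar (a jar is a zip archive) from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(jar_bytes):
    """Map every file entry in the jar to the SHA-256 of its uncompressed contents.
    Entry names are kept exactly as stored: jar entries are case-sensitive even
    when the surrounding Windows file system is not."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_jars(baseline_bytes, candidate_bytes):
    """Compare a known-good jar against a candidate and report which entries
    were modified, added or removed."""
    base = entry_digests(baseline_bytes)
    cand = entry_digests(candidate_bytes)
    return {
        "modified": sorted(n for n in base if n in cand and base[n] != cand[n]),
        "added": sorted(set(cand) - set(base)),
        "removed": sorted(set(base) - set(cand)),
    }


def report(baseline_bytes, candidate_bytes):
    """Human-readable summary of diff_jars(), one line per changed entry."""
    changes = diff_jars(baseline_bytes, candidate_bytes)
    lines = [f"{kind}: {name}"
             for kind in ("modified", "added", "removed")
             for name in changes[kind]]
    return lines or ["no differences"]


# Constructed stand-in contents: a class-file magic number followed by filler,
# not real Wurm client classes. Only the entry names mirror the post's layout.
ORIGINAL_BF = b"\xca\xfe\xba\xbe\x00\x00\x00\x32" + b"ORIGINAL-CONSOLE-CODE"
PATCHED_BF = b"\xca\xfe\xba\xbe\x00\x00\x00\x32" + b"\x00" * len(b"ORIGINAL-CONSOLE-CODE")
BANNER = b"\xff\xd8\xff\xe0" + b"\x00" * 16

BASELINE_JAR = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "class/bf.class": ORIGINAL_BF,
    "wurm_banner.jpg": BANNER,
})

# The same jar after the edits described in the post: bf.class patched in place
# and a Foo.class added at the root of the archive.
PATCHED_JAR = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "class/bf.class": PATCHED_BF,
    "wurm_banner.jpg": BANNER,
    "Foo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x32" + b"FOO-STUB",
})


if __name__ == "__main__":
    print("\n".join(report(BASELINE_JAR, PATCHED_JAR)))
```

Against a real client you would read both jars from disk and keep the baseline digests somewhere the client cannot rewrite; the comparison itself is unchanged.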

Now start the Wurm client.

Open the console and type some gibberish, notice no “Unknown command” message.

Hooray.

Now that we know that our code changes will be used by the game, we can work on actually doing something useful.

It is important to have a basic understanding of the layout of a Java class file. In addition to compiled code, a class file contains a section known as the Constant Pool, which is a list of references to classes, methods, strings and other data types.

When the bytecode in a class calls a method in Java, it uses a reference to the method in the Constant Pool.

For example, we have a class Foo, with a method bar:
[code:java]
public class Foo
{
  public static void bar()
  {
     System.out.println("Hello wurm");
  }
}
[/code]

To call this method, the constant pool needs 6 entries:
a utf8_info string “bar” – the method name;
a utf8_info string “()V” – the type descriptor for the method (this one takes no arguments and has a void return type);
a NameAndType_info linking the above name and type;
a utf8_info string “Foo” – the name of the class;
a class_info linking to the above name;
a methodref_info linking the class_info and the NameAndType_info – Foo/bar()V.

The methodref_info can now be used to call the method, in the above example using invokestatic. The bytecode for invokestatic is b8 followed by the two-byte (big-endian) index of the methodref in the constant pool.

To call this example method from bf.class, we need to create the Constant Pool entries in bf.class. The easiest way to do this is with the Java Bytecode Editor app.

Open bf.class in the Java Bytecode Editor and add a methodref; this will create the other entries in the Constant Pool table. Note the index of the methodref we added, we will need it later.

Now that we have the constant pool entries added, we can change some of the nops to call the method in our example Foo class.

Go to the nops and replace the first with B8 (this is invokestatic), then replace the next two bytes with the methodref index in hex (mine was 02 E7). Save.

Open bf.class in IDA again; the old area of nops should now look like this:

invokestatic Foo.bar()V
nop
nop
nop
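
To make the constant pool description and the invokestatic patch concrete, here is a small Python walk-through that I have added as an illustration; it is not code from the post, from Wurm Online or from the Java Bytecode Editor. It hand-builds the six constant pool entries listed above for Foo.bar()V (constructed bytes, not taken from bf.class), parses them back, resolves the methodref by following the Class/NameAndType/Utf8 links the way the JVM does, and decodes a b8-plus-two-byte-index instruction followed by nops into the listing IDA shows. The same constant pool walk (list_refs) is how you would audit which outside classes and methods a class file references, for instance when checking whether a client jar has had calls added to it.

```python
import struct

# Constant pool tags from the JVM class file format (JVMS section 4.4).
TAG_UTF8 = 1
TAG_CLASS = 7
TAG_STRING = 8
TAG_FIELDREF = 9
TAG_METHODREF = 10
TAG_INTERFACE_METHODREF = 11
TAG_NAME_AND_TYPE = 12
REF_KINDS = {TAG_FIELDREF: "Fieldref", TAG_METHODREF: "Methodref",
             TAG_INTERFACE_METHODREF: "InterfaceMethodref"}

OP_NOP = 0x00          # nop: the byte the post overwrites the old code with
OP_INVOKESTATIC = 0xB8  # invokestatic: b8 followed by a two-byte constant pool index


def utf8_entry(text):
    """Encode a CONSTANT_Utf8_info entry: tag, two-byte length, then the bytes."""
    raw = text.encode("utf-8")
    return struct.pack(">BH", TAG_UTF8, len(raw)) + raw


def build_sample_pool():
    """Constructed constant pool holding exactly the six entries the post lists
    for Foo.bar()V. Sample data only, not bytes from a real class file."""
    entries = [
        utf8_entry("bar"),                              # 1: method name
        utf8_entry("()V"),                              # 2: descriptor (no args, void)
        struct.pack(">BHH", TAG_NAME_AND_TYPE, 1, 2),   # 3: NameAndType -> #1, #2
        utf8_entry("Foo"),                              # 4: class name
        struct.pack(">BH", TAG_CLASS, 4),               # 5: Class -> #4
        struct.pack(">BHH", TAG_METHODREF, 5, 3),       # 6: Methodref -> #5, #3
    ]
    # constant_pool_count is one more than the number of entries (index 0 is unused).
    return struct.pack(">H", len(entries) + 1) + b"".join(entries)


def parse_constant_pool(data, offset=0):
    """Parse constant_pool_count and the entries after it, starting at offset.
    Returns (pool, offset_after_pool); pool maps 1-based index -> tuple.
    Only the tags needed for method references are handled; anything else raises."""
    (count,) = struct.unpack_from(">H", data, offset)
    offset += 2
    pool = {}
    index = 1
    while index < count:
        tag = data[offset]
        offset += 1
        if tag == TAG_UTF8:
            (length,) = struct.unpack_from(">H", data, offset)
            offset += 2
            pool[index] = ("Utf8", data[offset:offset + length].decode("utf-8"))
            offset += length
        elif tag in (TAG_CLASS, TAG_STRING):
            (ref,) = struct.unpack_from(">H", data, offset)
            offset += 2
            pool[index] = ("Class" if tag == TAG_CLASS else "String", ref)
        elif tag == TAG_NAME_AND_TYPE:
            name_idx, desc_idx = struct.unpack_from(">HH", data, offset)
            offset += 4
            pool[index] = ("NameAndType", name_idx, desc_idx)
        elif tag in REF_KINDS:
            class_idx, nat_idx = struct.unpack_from(">HH", data, offset)
            offset += 4
            pool[index] = (REF_KINDS[tag], class_idx, nat_idx)
        else:
            raise ValueError(f"unsupported constant pool tag {tag} at index {index}")
        index += 1
    return pool, offset


def resolve_ref(pool, index):
    """Turn a Methodref/Fieldref entry into 'Class.name<descriptor>' by following
    the Class -> Utf8 and NameAndType -> Utf8 links, as IDA prints it."""
    _kind, class_idx, nat_idx = pool[index]
    class_name = pool[pool[class_idx][1]][1]
    _, name_idx, desc_idx = pool[nat_idx]
    return f"{class_name}.{pool[name_idx][1]}{pool[desc_idx][1]}"


def list_refs(pool):
    """Every method and field reference the pool contains: the list to inspect when
    checking whether a class file references code it has no business calling."""
    return sorted(resolve_ref(pool, i) for i, e in pool.items() if e[0] in REF_KINDS.values())


def disassemble_patch_region(code, pool):
    """Decode a run of bytecode made only of nop and invokestatic, the shape the post
    leaves behind. Any other opcode raises, since a real disassembler needs the full
    opcode-length table."""
    out = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == OP_NOP:
            out.append("nop")
            i += 1
        elif op == OP_INVOKESTATIC:
            (idx,) = struct.unpack_from(">H", code, i + 1)
            out.append("invokestatic " + resolve_ref(pool, idx))
            i += 3
        else:
            raise ValueError(f"unexpected opcode 0x{op:02x} at offset {i}")
    return out


if __name__ == "__main__":
    pool, _ = parse_constant_pool(build_sample_pool())
    print(list_refs(pool))
    # b8 00 06 = invokestatic #6 (the methodref), followed by three nops
    print(disassemble_patch_region(bytes([0xB8, 0x00, 0x06, 0x00, 0x00, 0x00]), pool))
```

In a real class file the constant pool starts at byte offset 8, right after the magic number and the minor/major version, so parse_constant_pool(data, 8) is the call for a file read from disk, provided the file only uses the tags handled here.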

Replace the bf.class in the jar with the modified one.

Now compile the Foo.java, and add the Foo.class to the JAR:
jar -uf 51d43a93-5922d81c Foo.class

Make sure the class files are in the correct place: Foo has no package declaration, so Foo.class belongs at the root of the jar (matching the Foo/bar()V reference), while bf.class stays under class/.

Now run Wurm, open the console and type some gibberish.

Wurm replies with “Hello Wurm” in the console.

Pretty sweet.

Now, we could go on to add an argument to Foo.bar and pass the console command string in (shouldn’t be too hard).

The good thing about this approach is that once you have your methods being called, you can write anything you want the game to execute straight in Java; with a bit of investigation, it should be possible to do a lot with it.

Hope this was helpful.

Movie Battles v0 Hack (almost) complete

Pretty much as the title says really, I have finished porting my Movie battles hack to v0.

In addition to a few cleanups in the code, I changed the aimbot from aiming at the model’s origin to aiming at the chest bone (from the Ghoul2 animation system). This should make it a bit more accurate, as I am assuming that MB2 uses Ghoul2 tracing for blaster bolt collision detection.

It also means that with a few changes, I can make the aimbot pick between shooting at different bones based on which ones are out in the open, by running a trace to the head, chest, hands, and feet. The bones that are not occluded will be aimed at based on priority of damage (head first, then anything else), go headshotbot!

 

Unfortunately, the lag compensation is still not 100% perfect (pings above 150ish throw the accuracy of the disruptor off).

 

There is still no prediction for weapons, so the disruptor is the only gun it works with. I have plans to change this though; with a bit of maths, it shouldn’t prove too hard to calculate the angle of interception based on the player direction, player speed, weapon speed, and distance. This would make for epic lols with close range pistol headshots/etc.

 

 

As to a release date:

I am being pestered a lot on servers by people that want me to release it. But I am still on the fence about the whole thing.

After releasing the last version of the hack, and seeing entire servers use it, I fear for what releasing this version would do to the MB2 community.

 

Unlike a larger game like Counter Strike, the MB2 community does not comprise hundreds of thousands of players, so aimbotting and wallhacking is a lot more obvious (and harmful?).

 

Anyway, comment on this blog post with whether I should release it or not, and for what reasons.

Movie Battles 2 v0

I’ve finally got my pc set up in my new flat and adsl piped in from Sky, no sky tv though (damn rules against having a dish on the house).

 

After receiving a number of emails asking me if I have any plans to update my Movie Battles hack to work with the new v0 patch, I have decided that yes, I will.

 

After having a quick dabble into the new patch, it looks as if nothing much has changed. Which is good, as it should not take long to get a beta version up and running.

 

SAC on the other hand, will be harder to work around. Although from what I hear, no one uses it (and when I went online to look for servers, none were running it) so it may be a bit of a moot point.

 

Stay posted for progress updates.

New flats, Java and JoGL

I am currently on the tube to work. It’s 7:28 and I’ve been commuting for 30 minutes already, with 1:30 still left, ugh! (yay for notes on the iPhone)

I’ll be free of the curse of commuting for 2 hours at the end of the month however, as I will be moving into my new flat with my lovely girlfriend, who is moving down from Yorkshire to be with me in London. Awesome.

What is also awesome is that the flat is conveniently situated 10 mins from the tube station closest to my office, meaning a quick shuttle bus ride to work, and easy transport links into central London for evenings/weekends. Epic.

In non-personal news, I have started to port my company’s flagship product to OpenGL/Java to expand our market to Mac and GNU/Linux in addition to Windows.

All this work with Java in the office got me interested in writing my own simple (at the moment) Java games engine, using JoGL as a binding for OpenGL. On Sunday I took my trusty hackintosh netbook to my favourite cafe, ordered a full English breakfast and got to work. 2 coffees later I had the basis of a 2D/3D engine written, currently supporting primitive rendering through a GLSL pipeline, woot. Next on the todo list is implementing a 3D model format, which should be interesting.

I was surprised how quickly and easily a Java window can be created and OpenGL started up for rendering compared to C++ with DirectX. Much quicker, with a lot less overhead. We shall see what happens :).