Can You Crack It?

cyber code challenge


A little bird told me of an interesting looking challenge over at canyoucrackit.co.uk.

Basically, I've been looking at it and have a few leads already (go me!). Now I ask you, the readers, to get out there and crack it.

I love these kinds of competitions; canyoucrackit reminds me of the many crackmes I have worked on in the past. For those not aware of what a crackme is, it is basically a program that is designed to be reverse engineered and cracked (the hint is in the name). Some of the ones I have worked on have been extremely challenging, using virtual machines inside virtual machines to obfuscate what is actually going on.

/Start Rant

Cracking is a controversial topic in the computer world, and the terms black hat, white hat and grey hat are bandied about far too much nowadays. In my opinion, it is all about the means to an end. For instance, if you legally have the right to run software on your machine, surely you should have the right to run it how and where you want. Why would you have to be on the internet to run a single-player game? (I'm looking at you, Settlers 7! Australians are still having problems playing your game, and I have lost hours of game play as my internet connection drops and I am logged out without my progress being saved.)

As long as you aren't actively enabling piracy, you should have the right to run your software without big-brother-esque copy protection.

/End Rant

Anyway, long story short:

Show your reversing skills and crack canyoucrackit.co.uk


Wurm Online, Java bytecode patching and arbitrary code execution

This brief tutorial will (hopefully) introduce you to a method of Java code injection, using the free Java MMORPG Wurm Online as the target.

We will look at a simple example which injects code into the game's console, allowing us to intercept the commands typed there and call our own Java code.

You will need:

IDA Pro
Java Bytecode Editor
Java Decompiler
Wurm Online

First, Wurm Online is a JNLP app: you run the JNLP file and it downloads the client, storing the graphics and sound assets in the folder you choose.
We are not interested in those files; we are interested in the game client itself, which gets shoved into your Java temporary directory.

The first task is to locate the jar file containing the game client.

On Windows 7, the Java client gets downloaded to somewhere under C:\Users\yourname\AppData\LocalLow\Sun\Java\Deployment\cache\

Check each of these folders until you find a file named something like 51d43a93-5922d81c that is around 1.1 MB (the cache names will differ on your machine).
If you open it in your archive program of choice (a JAR is just a zip file) you will see the game client files.
You are looking for the one containing wurm_banner.jpg, among other things.

Once you have found this file, have a look inside, particularly the class folder. This contains the compiled, obfuscated Java class files.

Extract bf.class; this is the file that contains the console-related code. Decompile it with Java Decompiler and disassemble it with IDA. Have a read.

We are interested in the huge if..elseif section at around line 190 in Java Decompiler.

If it's not obvious, this piece of code checks the console input and calls the appropriate function based on what was typed.

First off, we will prove that we can modify the bytecode and have the game still run. To do this, we will remove the final else of the if..else if chain, which prints the message that appears when a command is not recognised.

Search for "Unknown" in IDA Pro and you will land here:

getstatic java/lang/System.out Ljava/io/PrintStream;
new java/lang/StringBuilder
dup
invokespecial java/lang/StringBuilder.<init>()V
ldc "Unknown command: "
invokevirtual java/lang/StringBuilder.append(Ljava/lang/String;)Ljava/lang/StringBuilder;
aload 9
invokevirtual java/lang/StringBuilder.append(Ljava/lang/String;)Ljava/lang/StringBuilder;
invokevirtual java/lang/StringBuilder.toString()Ljava/lang/String;
invokevirtual java/io/PrintStream.println(Ljava/lang/String;)V

This is where the game prints the “Unknown command: x” to the console.

We want to go ahead and remove this.

As with x86 machine code, Java bytecode has a NOP instruction, which is a byte that tells the virtual machine to do nothing (No Operation).
In Java bytecode, NOP is 0x00 (it is 0x90 in x86 asm).

So, in theory, if we replace the above code with lots of NOPs we will remove the console print-out without breaking the rest of the program. This works because we are overwriting the instructions in place with the same number of bytes, so the method's length, any branch targets and the exception table are untouched, and because the sequence being removed is stack-neutral (it pushes System.out and the StringBuilder and println consumes them), so the bytecode verifier still sees a consistent operand stack.

Lets try it.

In IDA, highlight the first getstatic line and switch to hex view; note the file offset (0x2892). Now highlight the final invokevirtual line and note the offset of its last byte (0x28AB). That is 26 bytes in total, which matches the ten instructions above (aload 9 is two bytes, the invokes are three each).

We will NOP this section of code. Open bf.class in a hex editor and replace every byte from the first offset to the second, inclusive, with 0x00. Save it, and reopen it in IDA.

If you go to the same section of code in IDA, you will now see a run of:

nop
nop

Cool. Now we need to put the class back into the Jar container.

NOTE: entry paths inside a JAR are case sensitive, but the Windows file system is not, which causes problems: the class must be stored as exactly class/bf.class or the JVM will not find it.

To put bf.class back into the Jar file, use Java’s JAR command from a command prompt:

Make a directory called class in the temp directory where the Jar file resides and copy bf.class into it.

Now run:

jar -uf 51d43a93-5922d81c class/bf.class

Verify that the file was replaced correctly by opening the jar file in an archive tool.

Now start the wurm client.

Open the console and type some gibberish, and notice that there is no "Unknown command" message.

Hooray.

Now that we know that our code changes will be used by the game, we can work on actually doing something useful.

It is important to have a basic understanding of the layout of a Java class file. In addition to compiled code, a class file contains a section known as the Constant Pool: a table of references to classes, methods, strings and other data types, each identified by its index in the table.

When the bytecode in a class calls a method in Java, it uses a reference to the method in the Constant Pool.

For example, we have a class Foo, with a method bar:
[code:java]
public class Foo
{
  public static void bar()
  {
     System.out.println("Hello wurm");
  }
}

[/code]

To call this method, the constant pool needs six entries:
a utf8_info string “bar” – the method name;
a utf8_info string “()V” – the type info for the method (this one is no arguments, and void return type)
a NameAndType_info linking the above name and type
a utf8_info string “Foo” – the name of the class
a class_info linking to the above name
a methodref_info linking the class_info and NameAndType_info – Foo/bar()V

The methodref_info can now be used to call the method, in the above example using invokestatic. The bytecode for invokestatic is B8 followed by the two-byte (big-endian) index of the methodref in the constant pool.

To call this example method from bf.class, we need to create those Constant Pool entries in bf.class. The easiest way to do this is with the Java Bytecode Editor app.

Open bf.class in the Java Bytecode Editor and add a methodref; this will create the other entries in the Constant Pool table. Note the number of the methodref we added, we will need it later. (Since the new entries are appended, all existing indices stay valid, but the constant pool sits before the code in the file, so the file offsets of the NOPs you found earlier have moved. Look them up again in IDA rather than reusing 0x2892.)

Now we have the constant pool entries added, we can change some of the nops to call the method in our example Foo class.

Go to the nops and replace the first with B8 (invokestatic), then replace the next two bytes with the methodref index in hex, big-endian; mine was 02 E7. Save. A static method with no arguments and a void return neither pushes nor pops anything, so the operand stack is unchanged and the method still verifies; a target that took arguments would need them pushed first.

Open bf.class in Ida again, the old area of nops should now look like this:

invokestatic Foo.bar()V
nop
nop
nop

Replace the bf.class in the JAR with the modified one, as before.

Now compile Foo.java and add Foo.class to the JAR:
jar -uf 51d43a93-5922d81c Foo.class

Make sure the class files are in the correct place (Foo.class goes at the root of the JAR, since it has no package).

Now run Wurm, open the console and type some gibberish.

Wurm replies with "Hello wurm" in the console.

Pretty sweet.

Now, we could go on to add an argument to Foo.bar and pass the console command string in (shouldn't be too hard). The string is already sitting in local slot 9, which is what the aload 9 in the original print-out appended to the message, so the call becomes aload 9 followed by invokestatic of a method with the descriptor (Ljava/lang/String;)V, still well within the 26 bytes we NOPped.
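The script below is an added example written for this page, not code from the tutorial or from Wurm Online. It performs the same two patches programmatically that the tutorial does with IDA, a hex editor and the Bytecode Editor: it parses the constant pool, NOPs a byte range, appends the six entries for a Methodref, and then writes aload 9 plus invokestatic into the start of the NOP range so the typed command reaches Foo.bar(String) (pass desc="()V" for the no-argument version). It runs on a constructed stand-in class rather than bf.class; the 26-byte print-out, the class name Foo, the method name bar and local slot 9 are assumptions taken from the tutorial text.

```python
"""Added example (not the tutorial's or Wurm Online's code): patch a Java class
file the way the tutorial does by hand.  The method keeps its byte count, so its
length, branch targets and any StackMapTable frames remain valid; the pool grows.
The sample class is constructed; Foo, bar and local slot 9 are assumptions."""
import struct

# Constant-pool tags (JVM spec section 4.4); tags 15-18 (Java 7+) are not handled.
UTF8, INT, FLOAT, LONG, DOUBLE, CLASS, STRING = 1, 3, 4, 5, 6, 7, 8
FIELDREF, METHODREF, IMETHODREF, NAMEANDTYPE = 9, 10, 11, 12
NOP, ALOAD, INVOKESTATIC = 0x00, 0x19, 0xB8

def utf8_entry(s):
    b = s.encode("utf-8")  # identical to the JVM's modified UTF-8 for ASCII names
    return bytes([UTF8]) + struct.pack(">H", len(b)) + b

def parse_constant_pool(data):
    """Return (entries, end_offset). entries[0] is unused; long/double take two slots."""
    count = struct.unpack_from(">H", data, 8)[0]
    entries, off, i = [None] * count, 10, 1
    while i < count:
        tag = data[off]
        if tag == UTF8:
            n = struct.unpack_from(">H", data, off + 1)[0]
            entries[i] = (tag, data[off + 3:off + 3 + n].decode("utf-8"))
            off += 3 + n
        elif tag in (INT, FLOAT, LONG, DOUBLE):
            width = 8 if tag in (LONG, DOUBLE) else 4
            entries[i] = (tag, data[off + 1:off + 1 + width])
            off += 1 + width
            i += 1 if width == 8 else 0  # 8-byte constants occupy two indices
        elif tag in (CLASS, STRING):
            entries[i] = (tag, struct.unpack_from(">H", data, off + 1)[0])
            off += 3
        elif tag in (FIELDREF, METHODREF, IMETHODREF, NAMEANDTYPE):
            entries[i] = (tag,) + struct.unpack_from(">HH", data, off + 1)
            off += 5
        else:
            raise ValueError("unsupported constant tag %d at offset %d" % (tag, off))
        i += 1
    return entries, off

def describe(entries, idx):
    """Render an entry the way a disassembler would, e.g. Foo.bar()V."""
    tag, *rest = entries[idx]
    if tag == UTF8:
        return rest[0]
    if tag in (CLASS, STRING):
        return describe(entries, rest[0])
    sep = "" if tag == NAMEANDTYPE else "."
    return describe(entries, rest[0]) + sep + describe(entries, rest[1])

def nop_range(data, start, end):
    """Overwrite file offsets start..end (inclusive, as read in IDA's hex view) with NOP."""
    return data[:start] + bytes([NOP]) * (end - start + 1) + data[end + 1:]

def add_methodref(data, owner, name, desc):
    """Append the six entries for owner.name(desc) and bump constant_pool_count.
    Existing indices stay valid, but everything after the pool moves down."""
    entries, end = parse_constant_pool(data)
    n = len(entries)  # index the first new entry receives
    new = b"".join([
        utf8_entry(name),                                       # n
        utf8_entry(desc),                                       # n+1
        bytes([NAMEANDTYPE]) + struct.pack(">HH", n, n + 1),    # n+2
        utf8_entry(owner),                                      # n+3
        bytes([CLASS]) + struct.pack(">H", n + 3),              # n+4
        bytes([METHODREF]) + struct.pack(">HH", n + 4, n + 2),  # n+5
    ])
    patched = data[:8] + struct.pack(">H", n + 6) + data[10:end] + new + data[end:]
    return patched, n + 5

def hook_console(data, code_off, code_len, owner="Foo", name="bar",
                 desc="(Ljava/lang/String;)V", command_slot=9):
    """NOP the print-out at code_off and call owner.name(desc) from its start:
    `aload <slot>; invokestatic #idx` for a String parameter, bare invokestatic
    for "()V".  Net stack effect is zero either way, like the code it replaces."""
    before = len(data)
    data = nop_range(data, code_off, code_off + code_len - 1)
    data, idx = add_methodref(data, owner, name, desc)
    code_off += len(data) - before  # the pool grew, so the code moved down
    call = bytes([INVOKESTATIC]) + struct.pack(">H", idx)
    if desc.startswith("(L"):
        call = bytes([ALOAD, command_slot]) + call
    if len(call) > code_len:
        raise ValueError("call does not fit in the NOP range")
    data = data[:code_off] + call + data[code_off + len(call):]
    return data, idx, code_off

# Constructed stand-in for bf.class: header, seven-entry pool, 16 bytes of padding,
# the tutorial's 26-byte println sequence (operand indices are placeholders), `return`.
SAMPLE_POOL = b"".join([
    utf8_entry("bf"), bytes([CLASS]) + struct.pack(">H", 1),                  # 1, 2
    utf8_entry("java/lang/Object"), bytes([CLASS]) + struct.pack(">H", 3),    # 3, 4
    utf8_entry("Unknown command: "), bytes([STRING]) + struct.pack(">H", 5),  # 5, 6
    utf8_entry("Code")])                                                      # 7
PRINT_SEQ = bytes.fromhex(
    "b20010" "bb0011" "59" "b70012" "1206"        # getstatic, new, dup, invokespecial, ldc #6
    "b60013" "1909" "b60013" "b60014" "b60015")   # append, aload 9, append, toString, println
SAMPLE_CLASS = (b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 49)  # version 49 = Java 5
                + struct.pack(">H", 8) + SAMPLE_POOL + bytes(16) + PRINT_SEQ + b"\xb1")
PRINT_OFF = len(SAMPLE_CLASS) - len(PRINT_SEQ) - 1
```

Calling hook_console(SAMPLE_CLASS, PRINT_OFF, 26) returns the patched bytes, the new Methodref index and the code's new file offset; describe() on that index gives Foo.bar(Ljava/lang/String;)V, and the first five bytes at the returned offset are 19 09 B8 plus the index, followed by the remaining NOPs. On the Java side the hook is simply public static void bar(String cmd). The parser does not interpret the code itself, so it cannot tell you whether slot 9 really holds the command string in your copy of the client; that comes from reading the disassembly, as in the tutorial.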

The good thing about this approach is that once you have your methods being called, you can write in plain Java anything you want the game to execute; with a bit of investigation, it should be possible to do a lot with it.

Hope this was helpful.

Movie Battles v0 Hack (almost) complete

Pretty much as the title says really, I have finished porting my Movie battles hack to v0.

In addition to a few cleanups in the code, I changed the aimbot from aiming at the model's origin to aiming at the chest bone (from the Ghoul2 animation system). This should make it a bit more accurate, as I am assuming that MB2 uses Ghoul2 tracing for blaster bolt collision detection.

It also means that with a few changes, I can make the aimbot pick between shooting at different bones based on which ones are out in the open, by running a trace to the head, chest, hands and feet. The bones that are not occluded will be aimed at based on priority of damage (head first, then anything else). Go headshotbot!


Unfortunately, the lag compensation is still not 100% perfect (pings above 150ish throw the accuracy of the disruptor off).


There is still no prediction for weapons, so the disruptor is the only gun it works with. I have plans to change this though; with a bit of maths, it shouldn't prove too hard to calculate the angle of interception based on the player direction, player speed, weapon speed and distance. This would make for epic lols with close range pistol headshots/etc.


As to a release date:

I am being pestered a lot on servers by people that want me to release it. But I am still on the fence about the whole thing.

After releasing the last version of the hack, and seeing entire servers use it, I fear for what releasing this version would do to the MB2 community.


Unlike a larger game like Counter-Strike, the MB2 community does not consist of hundreds of thousands of players, so aimbotting and wallhacking is a lot more obvious (and harmful?).


Anyway, comment on this blog post with whether I should release it or not, and for what reasons.

Movie Battles 2 v0

I've finally got my PC set up in my new flat and ADSL piped in from Sky, no Sky TV though (damn rules against having a dish on the house).


After receiving a number of emails asking me if I have any plans to update my Movie Battles hack to work with the new v0 patch, I have decided that yes, I will.


After having a quick dabble into the new patch, it looks as if nothing much has changed. Which is good, as it should not take long to get a beta version up and running.


SAC on the other hand, will be harder to work around. Although from what I hear, no one uses it (and when I went online to look for servers, none were running it) so it may be a bit of a moot point.


Stay posted for progress updates.

New flats, Java and JoGL

I am currently on the tube to work. It's 7:28 and I've been commuting for 30 minutes already, with 1:30 still left, ugh! (Yay for Notes on the iPhone.)

I'll be free of the curse of commuting for 2 hours at the end of the month however, as I will be moving into my new flat with my lovely girlfriend, who is moving down from Yorkshire to be with me in London. Awesome.

What is also awesome is that the flat is conveniently situated 10 mins from the tube station closest to my office, meaning a quick shuttle bus ride to work, and easy transport links into central London for evenings/weekends. Epic.

In non-personal news, I have started to port my company's flagship product to OpenGL/Java to expand our market to Mac and GNU/Linux in addition to Windows.

All this work with Java in the office got me interested in writing my own simple (at the moment) Java games engine, using JoGL as a binding for OpenGL. On Sunday I took my trusty hackintosh netbook to my favourite cafe, ordered a full English breakfast and got to work. Two coffees later I had the basis of a 2D/3D engine written, currently supporting primitive rendering through a GLSL pipeline, woot. Next on the todo list is implementing a 3D model format, which should be interesting.

I was surprised how quickly and easily a Java window can be created and OpenGL started up for rendering compared to C++ with DirectX. Much quicker, with a lot less overhead. We shall see what happens :).

iPhone Eve Online fitting tool, part 2: Open Toolchain and Cygwin

As my hackintosh laptop is still in Huddersfield, I have been looking into alternatives to Xcode on the Mac for iPhone development.

As a proud owner of a jailbroken iPhone 3GS, I have the ability to execute custom binaries compiled with the iPhone Open Toolchain. The Open Toolchain is basically a set of tools to build iPhone apps without using Xcode. After a few hours of tinkering around, I have the Open Toolchain compiled and working in Cygwin on Windows, with the ability to compile and deploy binaries to my iPhone across wifi. Yay!

Using the Open Toolchain I have been prototyping some UI ideas for the iPhone fitting tool. Next on the list of tasks is to parse the CCP Eve data exports into an SQLite database for access on the iPhone, and to write some basic logic to get the ship categories and item types showing up in the app. Then I can worry about writing the rest of the logic to power an actual ship fitter app.

iPhone Eve Online fitting tool

There isn’t one and there should be. I have been looking into starting development once my real life work gets a bit less hectic.

Currently available fitting apps for the desktop PC include EFT, closed source; Python Fitting Assistant, open source but written in Python; and a few others built into bigger apps like EveHQ.

Basically, I have the option of programming an app from scratch (fun but long), or trying to port Pyfa.

Porting Pyfa may be possible, although Apple have an annoying policy discouraging the use of interpreters in the App Store, although this doesn't stop me from using py2objc and targeting jailbroken devices through Cydia, the App Store equivalent.

I think I will start to prototype an App Store variant, written from the ground up in Objective-C. It should be a fun project, although it might be hard to find the spare time required ;-).

Eve online killboard metagaming, with libcurl and regex

A few days ago in Eve Online, the alliance which I am a member of was declared war on (a pretty common occurrence in the game).
Taking a quick look at the killboard of this warring corp got me thinking about a project I previously added to the "program it later" pile (a pile that is growing at an alarming rate). Anyway, looking at the prevalence of eve dev killboards (open source PHP and MySQL; I host one myself here http://owenworley.co.uk/eve/kb), my idea was to knock up a little app which grabs the killboard homepage of a specified corp, grabs all the killmail links, fetches those pages and parses the name, corp, (alliance), location and ship of everyone involved in the kill.

The net result: a full list of members, what ships they like to fly, and where… very useful.

The technical side, if anyone is interested, would be using libcurl to pull the main page, and regular expressions (I am using boost::regex) to detect the appropriate names and links.

Work is progressing at speed, with the basic functionality implemented; all that is left now is to pretty-print the results.

Also, as libcurl and regex are both available in PHP, an interesting side project would be to port it over, allowing it to be used from a website (as opposed to an .exe download). PHP would also allow for easier formatting of the output data (portraits of characters and ships).

Stay tuned for the full app, which will be posted when it is complete :-).