a few questions for Fr3DBr & kLabMouse

Forum closed. All further discussion to be discussed at https://github.com/OpenKore/

kLabMouse
Administrator
Posts: 1301
Joined: 24 Apr 2008, 12:02

Re: a few questions for Fr3DBr & kLabMouse

#21 Post by kLabMouse »

Technology
Can you Cooperate with Fr3DBr on the bRO Problem?
I don't think that he will be able to continue for long.

Because the last time I've seen such a situation was 4~5y ago with rRO and pRO.
Back then the ServerType packages were developed, and we also developed the technique to fight back on packet ID changes.
But that kept going for a long period (about once in 4 days for 6mo).
So I think that Fr3DBr could be exhausted from this in a really short time.

Technology
Super Moderators
Posts: 801
Joined: 06 May 2008, 12:47
Noob?: No

Re: a few questions for Fr3DBr & kLabMouse

#22 Post by Technology »

kLabMouse wrote: Technology
Can you Cooperate with Fr3DBr on the bRO Problem?
I don't think that he will be able to continue for long.

Because the last time I've seen such a situation was 4~5y ago with rRO and pRO.
Back then the ServerType packages were developed, and we also developed the technique to fight back on packet ID changes.
But that kept going for a long period (about once in 4 days for 6mo).
So I think that Fr3DBr could be exhausted from this in a really short time.
The thing is, I've got A) no RE skills and B) exams.
B) will be over in a few weeks and A) I want to learn, but I have no idea where to start, so that's why I asked.
So, to increase this problem's bus number, I propose there could be provided some kind of walkthrough example as a starting point in learning the basics of RE. I'm sure other devs would be interested in such a walkthrough example as well?
One ST0 to rule them all? One PE viewer to find them!
One ST_kRO to bring them all and in the darkness bind them...

Mount Doom awaits us, fellowship of OpenKore!

kLabMouse
Administrator
Posts: 1301
Joined: 24 Apr 2008, 12:02

Re: a few questions for Fr3DBr & kLabMouse

#23 Post by kLabMouse »

Technology wrote: So, to increase this problem's bus number, I propose there could be provided some kind of walkthrough example as a starting point in learning the basics of RE. I'm sure other devs would be interested in such a walkthrough example as well?
You mean finding stuff inside the client? Or how new RE features work?

Technology
Super Moderators
Posts: 801
Joined: 06 May 2008, 12:47
Noob?: No

Re: a few questions for Fr3DBr & kLabMouse

#24 Post by Technology »

kLabMouse wrote:
Technology wrote: So, to increase this problem's bus number, I propose there could be provided some kind of walkthrough example as a starting point in learning the basics of RE. I'm sure other devs would be interested in such a walkthrough example as well?
You mean finding stuff inside the client? Or how new RE features work?
I mean like, providing an example that explains every step (the list you made) in great detail from start (you get the client, aka. the black box) to end (a working prototype that contains the extracted essence of the encryption algo and mimics what the client does without actually using the client; I dunno how you do this, I thought maybe by extracting the relevant ASM code and attempting to run it in isolation from the client? Because you said there was an ASM-coded implementation that you compared against the perl one? Or just understand the relevant ASM and code it in perl directly?) and how/why this was done. (possibly in the style of the wireshark connectivity guide)

I believe that through associative learning, it will help a lot of devs in the right direction (which will translate to kore running on more servers).
(like, every attempt to crack another anti-bot to me now looks like a variation on the method you used here, no?
ex. kr105/renjfk/... also said they needed to look for the network functions when they provided the proof of concept C code for: vanguard/elecom/gamefort/dunno_which_one_it_was, which I merely translated to a kore plugin)

Btw, feel free to correct me if I made a mistake somewhere here, because as you know, I know nothing about this RE stuff.

From your list of followed steps I'm interested to learn how steps 1 to 5 were done in greater detail.

Basically, I want to learn how to get to the point where I could describe the used encryption method like this.
One ST0 to rule them all? One PE viewer to find them!
One ST_kRO to bring them all and in the darkness bind them...

Mount Doom awaits us, fellowship of OpenKore!

Fr3DBr
Developers
Posts: 60
Joined: 05 Oct 2011, 09:21
Noob?: No
Location: Brazil

Re: a few questions for Fr3DBr & kLabMouse

#25 Post by Fr3DBr »

Technology, I have to point out a few things here.

Reverse Engineering is less about a method, and more about a talent lol.

I can do things which I don't know, many of the times, how I manage to accomplish, but it happens: you find the slightest pattern, a string or something that gives you a ray of light...
then you start following it (and there is where you need asm knowledge and debugging attempts) to try to understand what the desired code is doing; this is the part where I am not as talented as our friend kLabMouse, he just pwnz in that area... :)

Still there are some small things I can do to get hints or discover some things, like backtracing methods, or emulating a small piece of asm code to check how it works, even maybe making small injection blocks and so on to modify something...

But this does not have a manual, book or even a predefined logic; each application and each compiler has its intrinsics and its own ways to deal with. It's a really big subworld or, to put it another way, it's just a multiverse, with many alternatives and different routes to follow.

kLabMouse
Administrator
Posts: 1301
Joined: 24 Apr 2008, 12:02

Re: a few questions for Fr3DBr & kLabMouse

#26 Post by kLabMouse »

Fr3DBr wrote: Technology, I have to point out a few things here.

Reverse Engineering is less about a method, and more about a talent lol.

I can do things which I don't know, many of the times, how I manage to accomplish, but it happens: you find the slightest pattern, a string or something that gives you a ray of light...
Well. That one is true. But the actual .PDB files (seen only twice for client side code) help more than just naming functions randomly.

I start by finding something that I can glue to. Some string, some HEX pattern, or anything else that could or should look the same across various versions.
Then I check what function is using it, how it should be named, and whether it's the same function or it got inlined (I never pick as a starting point a function that is less than 500 bytes long, because if it is less, it could be inlined by the compiler).

Then I go around the code that calls the function I just found, or that this function calls, and map them (give names). I also look for known places or places that are similar to the previous compilation.

The "Talent" here is something that helps a lot. It's more like practice and understanding of the code flow itself. For the first time, you will see a lot of differences, even if it's the same code. As time passes and you gain knowledge, you will be able to read it like a book, concentrating your attention only on the necessary places (like reading between the lines themselves).
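The anchor-finding steps in the post above, worked through as an added example. This is not OpenKore code and not kLabMouse's own tooling; it assumes constructed byte blobs standing in for two client builds, a hand-made function table standing in for what a disassembler would list, and a hypothetical signature and string chosen for illustration. It covers the first two steps (a version-stable string or wildcard HEX pattern, then the function that holds the hit and whether it is big enough not to be inlined); walking callers and callees needs a real disassembler and is left out.

```python
# Added example (not OpenKore code, not kLabMouse's own tooling): locating a
# version-stable anchor in a binary and checking whether the function that
# holds it is big enough to be a trustworthy starting point.
import re

# The post's rule of thumb: functions shorter than this may have been inlined,
# so they are poor anchors across builds.
INLINE_THRESHOLD = 500


def compile_signature(sig: str) -> re.Pattern:
    """Turn a space-separated hex signature such as "8B 45 ?? 33 C0" into a regex.

    "??" stands for one byte whose value is expected to differ between builds
    (an immediate, a displacement, a relocated address).
    """
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_pattern(blob: bytes, sig: str) -> list:
    """Offsets at which the wildcard signature matches."""
    return [m.start() for m in compile_signature(sig).finditer(blob)]


def find_string(blob: bytes, text: str) -> list:
    """Offsets of an ASCII string, the other kind of anchor the post mentions."""
    return [m.start() for m in re.finditer(re.escape(text.encode("ascii")), blob)]


def containing_function(functions, offset: int):
    """Map a hit offset to the function span holding it.

    `functions` is a list of (name, start, end) tuples; here it is hand-made,
    in practice it would come from a disassembler's function list.
    Returns (name, size_in_bytes, reliable_anchor) or None.
    """
    for name, start, end in functions:
        if start <= offset < end:
            size = end - start
            return name, size, size >= INLINE_THRESHOLD
    return None


def build_sample(version_byte: int, pad_before: int) -> bytes:
    """Constructed stand-in for a code section of one client build.

    Layout: NOP padding, a short instruction sequence whose third byte is
    build-specific, some filler, a referenced ASCII string, more padding.
    """
    anchor = bytes([0x8B, 0x45, version_byte, 0x33, 0xC0, 0xC3])
    return (b"\x90" * pad_before + anchor + b"\xCC" * 20
            + b"LoginPacket\x00" + b"\x90" * 600)


SIGNATURE = "8B 45 ?? 33 C0"  # hypothetical anchor, wildcard on the variable byte

# Two constructed "versions": the anchor moved and its variable byte changed.
SAMPLE_A = build_sample(0x08, 100)
SAMPLE_B = build_sample(0x0C, 140)

# Hand-made function tables (constructed, standing in for disassembler output).
FUNCS_A = [("sub_small", 90, 200), ("sub_big", 200, 900)]
FUNCS_B = [("sub_big", 0, 800)]


def locate_anchor(blob: bytes, functions, sig: str = SIGNATURE):
    """Full pass for one build: signature hit, nearby string, owning function."""
    hits = find_pattern(blob, sig)
    if not hits:
        return None
    offset = hits[0]
    return {
        "offset": offset,
        "string_offsets": find_string(blob, "LoginPacket"),
        "function": containing_function(functions, offset),
    }


if __name__ == "__main__":
    for label, blob, funcs in (("A", SAMPLE_A, FUNCS_A), ("B", SAMPLE_B, FUNCS_B)):
        info = locate_anchor(blob, funcs)
        name, size, ok = info["function"]
        verdict = "usable anchor" if ok else "too small, may be inlined"
        print(f"build {label}: signature at {info['offset']:#x} in {name} "
              f"({size} bytes): {verdict}")
```

The same signature hits both constructed builds even though the anchor moved and one byte changed, which is the property the post asks of a starting point; in build A the hit lands in a 110-byte function, so the size check flags it as a poor anchor, while build B's 800-byte owner passes.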

Technology
Super Moderators
Posts: 801
Joined: 06 May 2008, 12:47
Noob?: No

Re: a few questions for Fr3DBr & kLabMouse

#27 Post by Technology »

Fr3DBr wrote: Technology, I have to point out a few things here.

Reverse Engineering is less about a method, and more about a talent lol.

I can do things which I don't know, many of the times, how I manage to accomplish, but it happens: you find the slightest pattern, a string or something that gives you a ray of light...
then you start following it (and there is where you need asm knowledge and debugging attempts) to try to understand what the desired code is doing; this is the part where I am not as talented as our friend kLabMouse, he just pwnz in that area... :)

Still there are some small things I can do to get hints or discover some things, like backtracing methods, or emulating a small piece of asm code to check how it works, even maybe making small injection blocks and so on to modify something...

But this does not have a manual, book or even a predefined logic; each application and each compiler has its intrinsics and its own ways to deal with. It's a really big subworld or, to put it another way, it's just a multiverse, with many alternatives and different routes to follow.
Yea, actually I already expected to get an answer like this...

But instead of talent I believe you mean experience, because talent is something people are born with (which may accelerate the acquisition of knowledge and experience though).
Let me tell you a story about a Russian chess player, Kasparov, an undoubtedly smart guy. (having talent)
But talent alone didn't instantaneously make him a good chess player.
He went through a few stages.
His parents, chess players, taught him the basics of chess. (knowing the basics)
They then set him up with a chess problem to solve. (being challenged)
He started to study chess on his own and proposed a solution to the problem. (determination to gather knowledge and motivation to succeed)
Then he went to a chess school. (gathering more knowledge from experienced people)
Think about all the games he must have played by now (building up experience)
He later became the greatest chess player of all time. (because he built up enough a-posteriori-knowledge)
(a-posteriori-knowledge = knowledge that you build up from your own experience when nobody is at your level to learn any useful knowledge from anymore)

Fr3DBr, I realize that one can reach the point where experience becomes as important or even more important than knowledge.
From what I've observed kLab is talented, likes challenges, is motivated to crack any official antibot and has tons of RE experience.
It amazes me: he told me exactly how the kRO login password was encrypted; I later implemented that (which is, imo, the easy part) and was baffled that it just worked exactly as kLab predicted.
You probably know your way around RE too, Fr3DBr.
But look at it from my point of view. I don't even know the basics and where to start, what tools to use and how to use them.

I still believe that we can all learn from kLab doing what he does best, as his RE skill level exceeds ours. (we can learn knowledge from people with experience)
All that is needed is 1 example. Where I could learn the basics from, and others maybe to improve their knowledge.
If he could just repeat the steps he took to crack 1 antibot and document them, that would be very useful.
I know not all anti-bots are the same, but there are certainly similarities in the techniques used
(like while not all chess games are the same, there are similar stances, techniques, tactics and strategies).
While the path you follow through the code might be different, the techniques used are the same.

Btw, I learned perl from reading, debugging and adding features in kore's codebase, which also sometimes is a spaghetti-like multiverse (like asm). But I doubt I can do the same with the RO client's "asm code", it's just too big. I've used IDA a few times to extract some strings, but that is all I can do really.
So to start learning these techniques, I think I'm better off writing small C apps and trying to RE them (with IDA I suppose)?

Fr3DBr
Developers
Posts: 60
Joined: 05 Oct 2011, 09:21
Noob?: No
Location: Brazil

Re: a few questions for Fr3DBr & kLabMouse

#28 Post by Fr3DBr »

You could start by first learning some assembly, so you don't get lost with the first method you find out, hehe.

Then yes, IDA Pro is good to go, and yes, writing applications and RE'ing them is nice too, I did this many times.

Technology
Super Moderators
Posts: 801
Joined: 06 May 2008, 12:47
Noob?: No

Re: a few questions for Fr3DBr & kLabMouse

#29 Post by Technology »

kLabMouse wrote:
Fr3DBr wrote: Technology, I have to point out a few things here.

Reverse Engineering is less about a method, and more about a talent lol.

I can do things which I don't know, many of the times, how I manage to accomplish, but it happens: you find the slightest pattern, a string or something that gives you a ray of light...
Well. That one is true. But the actual .PDB files (seen only twice for client side code) help more than just naming functions randomly.

I start by finding something that I can glue to. Some string, some HEX pattern, or anything else that could or should look the same across various versions.
Then I check what function is using it, how it should be named, and whether it's the same function or it got inlined (I never pick as a starting point a function that is less than 500 bytes long, because if it is less, it could be inlined by the compiler).

Then I go around the code that calls the function I just found, or that this function calls, and map them (give names). I also look for known places or places that are similar to the previous compilation.

The "Talent" here is something that helps a lot. It's more like practice and understanding of the code flow itself. For the first time, you will see a lot of differences, even if it's the same code. As time passes and you gain knowledge, you will be able to read it like a book, concentrating your attention only on the necessary places (like reading between the lines themselves).
Ok, you explained how to do it in a (to me, atm) very abstract fashion, which would make perfect sense to someone that knows how to RE.
(this is natural, hell, even language is an abstraction over thoughts, which allows us to communicate efficiently, but never completely)
Which means I can look at this text and say "hey, this makes sense" or "hey, I understand the terminology used here", but still I wouldn't know how to do it myself.
To learn the basics I kinda need to see how it is done in a concrete fashion.
Which means, how the tools are used to accomplish this, explaining every step and leaving nothing to the imagination.
Kinda like this:
I do this "action in IDA" (=concrete) now, because "rationale" (=abstract)
(also screenshots or a video would be nice)

Btw, do you actually run any code here? Like live debugging of the RO client?

Anyhow, I don't want you to feel obligated to do this.
I respect that you have other things to do with your time.
However, please consider it; it would mean a lot to me and could mean a lot to other devs too, and of course ultimately help OpenKore a lot.

Technology
Super Moderators
Posts: 801
Joined: 06 May 2008, 12:47
Noob?: No

Re: a few questions for Fr3DBr & kLabMouse

#30 Post by Technology »

Fr3DBr wrote: You could start by first learning some assembly, so you don't get lost with the first method you find out, hehe.

Then yes, IDA Pro is good to go, and yes, writing applications and RE'ing them is nice too, I did this many times.
Good to know that the "write code myself & RE it" thought wasn't completely crazy :D
I suppose becoming intermediate-advanced in C also helps a lot, since it is pretty close to the metal?
Need to sleep now, cu guys. (is what I would have said if I actually was in the IRC channel :) )
