Environment...
*local installation is Windows Server 2008 SP1 x64
*remote installation is Windows Vista x86
Tools...
http://www.hex-rays.com/idapro/idadown.htm (4.9_freeware)
http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm#download
Acquire game files...
*use an existing Windows Vista installation:
-for this guide, VMWare with Vista x86 guest OS was used
-you can use another installation (on another machine)
-or post a comment, so I can send you the package
*copy the following files from Vista to your machine:
-%ProgramFiles%\Windows Games (whole folder)
-%WinDir%\System32\CardGames.dll
-%WinDir%\System32\XInput9_1_0.dll
General information...
*first try the games to see if (by chance) they work directly
*there are two common problems:
-a "XInput9_1_0.dll is missing" error at startup
-a "the game has stopped working" dialog (crash) after startup
DLL Missing...
*copy XInput9_1_0.dll
-into %WinDir%\System32 on a 32-bit host, or %WinDir%\SysWOW64 on a 64-bit host (the games are 32-bit, and on x64 Windows 32-bit DLLs belong in SysWOW64, not System32)
-or into the current game folder (the application directory is searched before the system directory, and this keeps the system directory untouched)
*for card games also copy CardGames.dll
-same choice: System32/SysWOW64 or the current game folder
Game crashing...
*open IDA Pro
*open the game EXE file for disassembly
-answer yes to use Microsoft symbol files (important: the WinMain name and prototype come from the symbol file)
*search (Alt+T) for
-'; int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)'
*when found, go to the end of the function
*there should be an unconditional jmp instruction (screenshot)
-a short jmp is two bytes: EB followed by a signed 8-bit offset; if IDA shows a 5-byte jmp (E9 xx xx xx xx) instead, all five bytes have to be patched
*select the address of this instruction's row
*now go to Hex View (next tab - screenshot)
*remember the two bytes that are selected there (screenshot)
-the address IDA shows is a virtual address (image base + RVA), not an offset into the file, so the bytes are located by pattern in the hex editor below
*copy them with at least 8 more bytes around them
*close IDA Pro
*open XVI32 and open the same game EXE (keep a backup copy of the original)
*search (Ctrl+F) for the copied bytes
*when found, search again
-to be sure that the byte combination is unique in the file
*if it occurs only once, find the two bytes you remembered
-change both to 90 (the nop instruction), so the jmp is never taken and execution falls through to the next instruction
*save the file
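The same patch as a script, so the virtual address IDA shows can be turned into the file offset the hex editor shows without the copy-bytes/search-bytes detour. This is an added example, not code from the original post or from the games: it assumes a hypothetical script name nop_jmp.py, a placeholder address 0x4012AB in the usage line, and a constructed minimal PE32 (build_sample_pe) that exists only so the script can be tried offline. It handles both the 2-byte short jmp (EB xx) the guide describes and a 5-byte near jmp (E9 xx xx xx xx), which goes slightly beyond the post.

```python
import struct
import sys


def build_sample_pe(code, image_base=0x400000, text_rva=0x1000, text_raw=0x200):
    """Constructed minimal PE32 with one .text section (demonstration input only).

    A real game EXE is passed on the command line instead; this exists so the
    conversion and patch logic can be exercised without a Windows machine.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0x60
    # Machine=i386, 1 section, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase (offset 28)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, len(code), 0, 0,
                      text_rva, text_rva, 0, image_base)
    opt += b"\0" * (opt_size - len(opt))
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), text_rva, len(code),
                      text_raw, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return hdr + b"\0" * (text_raw - len(hdr)) + code


def parse_pe(data):
    """Return (image_base, [(name, rva, virtual_size, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32, what the Vista x86 games are
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+ (64-bit)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         rva, max(vsize, raw_size), raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(data, va):
    """Map the virtual address IDA shows to the raw file offset a hex editor shows."""
    image_base, sections = parse_pe(data)
    rva = va - image_base
    for name, sec_rva, sec_size, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + sec_size:
            delta = rva - sec_rva
            if delta >= raw_size:
                raise ValueError("%#x lies in %s but is not backed by file data" % (va, name))
            return raw_ptr + delta
    raise ValueError("%#x is outside every section" % va)


def context_pattern(data, off, length, radius=8):
    """The bytes to patch plus `radius` bytes either side: the pattern the guide searches for."""
    return data[max(0, off - radius):off + length + radius]


def nop_jmp(data, va):
    """Overwrite the unconditional jmp at `va` with NOPs; returns (patched, offset, length)."""
    off = va_to_file_offset(data, va)
    opcode = data[off]
    if opcode == 0xEB:
        length = 2                            # jmp short rel8: the two bytes in the guide
    elif opcode == 0xE9:
        length = 5                            # jmp near rel32: all five bytes become NOP
    else:
        raise ValueError("byte at file offset %#x is %#04x, not a jmp" % (off, opcode))
    patched = bytearray(data)
    patched[off:off + length] = b"\x90" * length
    return bytes(patched), off, length


def main(argv):
    if len(argv) != 3:
        print("usage: nop_jmp.py <game.exe> <jmp virtual address from IDA, e.g. 0x4012AB>")
        return 2
    path, va = argv[1], int(argv[2], 16)
    with open(path, "rb") as f:
        data = f.read()
    patched, off, length = nop_jmp(data, va)
    if data.count(context_pattern(data, off, length)) != 1:
        print("warning: byte pattern around the jmp is not unique (the offset is still exact)")
    with open(path + ".bak", "wb") as f:           # keep the original next to the patched file
        f.write(data)
    with open(path, "wb") as f:
        f.write(patched)
    print("patched %d byte(s) at file offset %#x (backup in %s.bak)" % (length, off, path))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python nop_jmp.py Solitaire.exe 0x4012AB with the address of the jmp row from IDA; the script refuses to patch if the byte at that address is not a jmp opcode, which catches a mistyped address before anything is written.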
Conclusion...
*emulated the Vista environment by copying its DLLs
*nop-ped the jmp that is taken because of the wrong Windows
Remarks...
*the copy bytes/search bytes method is lame
-couldn't find edit in IDA, and
-the address in IDA doesn't correspond to the same one in XVI
*using IDA for JIT debugging
-you can find the "crashing" jmp yourself
*the environment used here is not strict
*post comments for help
20090920